| draft-ietf-hip-applications-01.txt | draft-ietf-hip-applications-02.txt | |||
|---|---|---|---|---|
| Network Working Group T. Henderson | Network Working Group T. Henderson | |||
| Internet-Draft The Boeing Company | Internet-Draft The Boeing Company | |||
| Intended status: Informational P. Nikander | Intended status: Informational P. Nikander | |||
| Expires: October 11, 2007 Ericsson Research NomadicLab | Expires: May 21, 2008 Ericsson Research NomadicLab | |||
| April 9, 2007 | M. Komu | |||
| Helsinki Institute for Information | ||||
| Technology | ||||
| November 18, 2007 | ||||
| Using the Host Identity Protocol with Legacy Applications | Using the Host Identity Protocol with Legacy Applications | |||
| draft-ietf-hip-applications-01 | draft-ietf-hip-applications-02 | |||
| Status of this Memo | Status of this Memo | |||
| By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
| applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
| have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
| aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| skipping to change at page 1, line 35 | skipping to change at page 1, line 38 | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| This Internet-Draft will expire on October 11, 2007. | This Internet-Draft will expire on May 21, 2008. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (C) The IETF Trust (2007). | Copyright (C) The IETF Trust (2007). | |||
| Abstract | Abstract | |||
| The Host Identity Protocol (HIP) and architecture proposes to add a | This document is an informative overview of how legacy applications | |||
| cryptographic name space for network stack names. From an | can be made to work with the Host Identity Protocol (HIP). HIP | |||
| application viewpoint, HIP-enabled systems support a new address | proposes to add a cryptographic name space for network stack names. | |||
| family of host identifiers, but it may be a long time until such HIP- | From an application viewpoint, HIP-enabled systems support a new | |||
| aware applications are widely deployed even if host systems are | address family of host identifiers, but it may be a long time until | |||
| upgraded. This informational document discusses implementation and | such HIP-aware applications are widely deployed even if host systems | |||
| API issues relating to using HIP in situations in which the system is | are upgraded. This informational document discusses implementation | |||
| HIP-aware but the applications are not. | and Application Programming Interface (API) issues relating to using | |||
| HIP in situations in which the system is HIP-aware but the | ||||
| applications are not, and is intended to aid implementors and early | ||||
| adopters in thinking about and locally solving systems issues | ||||
| regarding the incremental deployment of HIP. | ||||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3. Approaches for supporting legacy applications . . . . . . . . 5 | 3. Approaches for supporting legacy applications . . . . . . . . 5 | |||
| 3.1. Using IP addresses in applications . . . . . . . . . . . . 5 | 3.1. Using IP addresses in applications . . . . . . . . . . . . 5 | |||
| 3.2. Using DNS to map domain names to HIs . . . . . . . . . . . 6 | 3.2. Using DNS to map domain names to HIs . . . . . . . . . . . 7 | |||
| 3.3. Connecting directly to a HIT . . . . . . . . . . . . . . . 8 | 3.3. Connecting directly to a HIT . . . . . . . . . . . . . . . 8 | |||
| 3.4. Local address management . . . . . . . . . . . . . . . . . 8 | 3.4. Local address management . . . . . . . . . . . . . . . . . 9 | |||
| 4. Security Considerations . . . . . . . . . . . . . . . . . . . 10 | 4. Security Considerations . . . . . . . . . . . . . . . . . . . 11 | |||
| 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 | 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 12 | 6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 7. Informative References . . . . . . . . . . . . . . . . . . . . 13 | 7. Informative References . . . . . . . . . . . . . . . . . . . . 14 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 14 | Appendix A. Changes from previous versions . . . . . . . . . . . 15 | |||
| Intellectual Property and Copyright Statements . . . . . . . . . . 15 | A.1. From version-01 to version-02 (current) . . . . . . . . . 15 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 17 | ||||
| Intellectual Property and Copyright Statements . . . . . . . . . . 18 | ||||
| 1. Introduction | 1. Introduction | |||
| The Host Identity Protocol (HIP) [1] is an experimental effort in the | The Host Identity Protocol (HIP) [1] is an experimental effort in the | |||
| IETF and IRTF to study a new public-key-based name space for use as | IETF and IRTF to study a new public-key-based name space for use as | |||
| host identifiers in Internet protocols. Fully deployed, the HIP | host identifiers in Internet protocols. Fully deployed, the HIP | |||
| architecture will permit applications to explicitly request the | architecture would permit applications to explicitly request the | |||
| system to send packets to another named host by expressing a | system to send packets to another host by expressing a location- | |||
| location-independent name of the host when the system call to send | independent name of the host when the system call to send packets is | |||
| packets is performed. However, there will be a transition period | performed. However, there will be a transition period during which | |||
| during which systems become HIP-enabled but applications are not. | systems become HIP-enabled but applications are not. This | |||
| informational document does not propose normative specification or | ||||
| even suggest that different HIP implementations use more uniform | ||||
| methods for legacy application support, but is intended instead to | ||||
| aid implementors and early adopters in thinking about and solving | ||||
| systems issues regarding the incremental deployment of HIP. | ||||
| When applications and systems are both HIP-aware, the coordination | When applications and systems are both HIP-aware, the coordination | |||
| between the application and the system can be straightforward. For | between the application and the system can be straightforward. For | |||
| example, using the terminology of the widely used sockets Application | example, using the terminology of the widely used sockets Application | |||
| Programming Interface (API), the application can issue a system call | Programming Interface (API), the application can issue a system call | |||
| to send packets to another host by naming it explicitly, and the | to send packets to another host by naming it explicitly, and the | |||
| system can perform the necessary name-to-address mapping to assign | system can perform the necessary name-to-address mapping to assign | |||
| appropriate routable addresses to the packets. To enable this, a new | appropriate routable addresses to the packets. To enable this, a new | |||
| address family for hosts could be defined, and additional API | address family for hosts could be defined, and additional API | |||
| extensions could be defined (such as allowing IP addresses to be | extensions could be defined (such as allowing IP addresses to be | |||
| passed in the system call, along with the host name, as hints of | passed in the system call, along with the host name, as hints of | |||
| where to initially try to reach the host). | where to initially try to reach the host). | |||
| This note does not define a native HIP API such as described above. | This document does not define a native HIP API such as described | |||
| Rather, this note is concerned with the scenario in which the | above. Rather, this document is concerned with the scenario in which | |||
| application is not HIP-aware and a traditional IP-address-based API | the application is not HIP-aware and a traditional IP-address-based | |||
| is used by the application. To use HIP in such a situation, there | API is used by the application. To use HIP in such a situation, | |||
| are a few basic possibilities: i) allow applications to use IP | there are a few basic possibilities: i) allow applications to use IP | |||
| addresses as before, and provide a mapping from IP address to host | addresses as before, and provide a mapping from IP address to host | |||
| identifier (and back to IP address) within the system, ii) take | identifier (and back to IP address) within the system, ii) take | |||
| advantage of domain name resolution to provide the application with | advantage of domain name resolution to provide the application with | |||
| either an alias for the host identifier or (in the case of IPv6) the | either an alias for the host identifier or (in the case of IPv6) the | |||
| host identity tag (HIT) itself, and iii) support the use of HITs | host identity tag (HIT) itself, and iii) support the use of HITs | |||
| directly (without prior DNS resolution) in place of IPv6 addresses. | directly (without prior DNS resolution) in place of IPv6 addresses. | |||
| This note describes several variations of the above strategies and | This document describes several variations of the above strategies | |||
| suggests some pros and cons to each approach. | and points out tradeoffs with each approach. | |||
| When HITs are used (rather than IP addresses) as peer names at the | When HITs are used (rather than IP addresses) as peer names at the | |||
| system API level, they can provide a type of "channel binding" | system API level, they can provide a type of "channel binding" in | |||
| (Section 1.1.6 of [2]) in that the ESP association formed by HIP is | that the Encapsulating Security Payload (ESP) association formed by | |||
| cryptographically bound to the name (HIT) invoked by the calling | HIP is cryptographically bound to the name (HIT) invoked by the | |||
| application. | calling application. | |||
| 2. Terminology | 2. Terminology | |||
| Host Identity: An abstract concept applied to a computing platform. | Host Identity: An abstract concept applied to a computing platform. | |||
| Host Identifier (HI): A public key of an asymmetric key pair used as | Host Identifier (HI): A public key of an asymmetric key pair used as | |||
| a name for a Host Identity. More details are available in [1]. | a name for a Host Identity. More details are available in [1]. | |||
| Host Identity Tag (HIT): A 128-bit quantity composed with the hash | Host Identity Tag (HIT): A 128-bit quantity composed with the hash | |||
| of a Host Identity. More details are available in [3] and [1]. | of a Host Identity. More details are available in [2] and [1]. | |||
| Local Scope Identifier (LSI): A 32- or 128-bit quantity locally | Local Scope Identifier (LSI): A 32- or 128-bit quantity locally | |||
| representing the Host Identity at the IPv4 or IPv6 API. | representing the Host Identity at the IPv4 or IPv6 API. | |||
| Referral: An event when the application passes what it believes to | Referral: An event when the application passes what it believes to | |||
| be an IP address to another application instance on another host, | be an IP address to another application instance on another host, | |||
| within its application data stream. An example is the FTP PORT | within its application data stream. An example is the FTP PORT | |||
| command. | command. | |||
| Resolver: The system function used by applications to resolve domain | Resolver: The system function used by applications to resolve domain | |||
| names to IP addresses. | names to IP addresses. | |||
| 3. Approaches for supporting legacy applications | 3. Approaches for supporting legacy applications | |||
| This section provides examples of how legacy applications, using | This section provides examples of how legacy applications, using | |||
| legacy APIs, can operate over a HIP-enabled system and use HIP. The | legacy APIs, can operate on a HIP-enabled system and use HIP. The | |||
| examples are organized by the name used by an application (or | examples are organized by the name used by an application (or | |||
| application user) to name the peer system: an IP address, a domain | application user) to name the peer system: an IP address, a domain | |||
| name, or a HIT. Finally, some local address management issues are | name, or a HIT. Finally, some local address management issues are | |||
| discussed. | discussed. | |||
| While the text below concentrates on the use of the sockets connect | Applications use IP addresses as short-lived local handles, long- | |||
| system call, the same argument is also valid for other system calls | lived application associations, callbacks, referrals, and identity | |||
| using socket addresses. | comparisons. Each of the below mechanisms has implications on these | |||
| different uses of IP addresses by legacy applications. | ||||
| Recent work in the shim6 group has categorized the ways in which | ||||
| current applications use IP addresses [4]. These uses include short- | ||||
| lived local handles, long-lived application associations, callbacks, | ||||
| referrals, and identity comparisons. Each of the below mechanisms | ||||
| has implications on these different uses of IP addresses by legacy | ||||
| applications. | ||||
| 3.1. Using IP addresses in applications | 3.1. Using IP addresses in applications | |||
| Consider the case in which an application issues a "connect(ip)" | Consider the case in which an application issues a "connect(ip)" | |||
| system call to set the default destination to a system named by | system call to set the default destination to a system named by | |||
| address "ip", but for which we would like to enable HIP to protect | address "ip", but for which we would like to enable HIP to protect | |||
| the communications. Since the application or user does not (can not) | the communications. Since the application or user can not indicate a | |||
| indicate a desire to use HIP through the standard sockets API, the | desire to use HIP through the standard sockets API when IP addresses | |||
| decision to invoke HIP must be done on the basis of host policy. For | are used, the decision to invoke HIP must be done on the basis of | |||
| example, if an IPsec-like implementation of HIP is being used, a | host policy. For example, when an IPsec-based implementation of HIP | |||
| policy may be entered into the security policy database that mandates | is being used, a policy may be entered into the security policy | |||
| to use or try HIP based on a match on the source or destination IP | database that mandates to use or try HIP based on a match on the | |||
| address, or other factors. The mapping of IP address to host | source or destination IP address, or other factors. The mapping of | |||
| identifier may be implemented by modifying the host operating system | IP address to host identifier may be implemented by modifying the | |||
| or by wrapping the existings sockets API, such as in the TESLA | host operating system or by wrapping the existing sockets API, such | |||
| approach [5]. | as in the TESLA approach [3]. | |||
| There are a number of ways that HIP could be used in such a scenario. | There are a number of ways that HIP could be used in such a scenario. | |||
| Manual configuration: | Manual configuration: | |||
| Pre-existing SAs may be available due to previous administrative | Pre-existing SAs may be available due to previous administrative | |||
| action. | action, or a binding between an IP address and a HIT could be | |||
| stored in a configuration file or database. | ||||
| Opportunistically: | Opportunistically: | |||
| The system could send an I1 to the Responder with an empty value | The system could send an I1 to the Responder with an empty value | |||
| for Responder HIT. | for Responder HIT. | |||
| Using DNS to map IP addresses to HIs: | Using DNS to map IP addresses to HIs: | |||
| If the responder has host identifiers registered in the forward | If the responder has host identifiers registered in the forward | |||
| DNS zone and has a PTR record in the reverse zone, the initiating | DNS zone and has a PTR record in the reverse zone, the Initiator | |||
| system could perform a reverse+forward lookup to learn the HIT | could perform a reverse+forward lookup to learn the HIT associated | |||
| associated with the address. Alternatively, the HIT could be | with the address. Although the approach should work under normal | |||
| stored in some type of HIP name service such as a distributed hash | circumstances, it has not been tested to verify that there are no | |||
| table (DHT), keyed by IP address. Unless secured with DNS | recursion or bootstrapping issues, particularly if HIP is used to | |||
| secure the connection to the DNS servers. Unless secured with DNS | ||||
| security extensions, the use of the reverse DNS map is subject to | security extensions, the use of the reverse DNS map is subject to | |||
| well-known security limitations (an attacker may cause an | well-known security limitations (an attacker may cause an | |||
| incorrect IP address to domain name binding to occur). | incorrect IP address to domain name binding to occur). | |||
| These types of solutions have the benefit of better supporting | Using the opportunistic mode or using DNS in the above fashion can | |||
| applications that use IP addresses for long-lived application | cause additional setup delays compared to using plain IP. For | |||
| associations, callbacks, and referrals. They have weaker security | opportunistic mode, a host must wait to learn whether the peer is | |||
| properties than the approaches outlined in Section 3.2 and | HIP-capable, although the delays may be mitigated in some | |||
| Section 3.3, however, because the binding between host identifier and | implementations by sending initial packets (e.g., TCP SYN) in | |||
| address is weak and not visible to the application or user. In fact, | parallel to the HIP I1 packet. For DNS lookups, there are resolution | |||
| the semantics of the application's "connect(ip)" call may be | latencies. | |||
| Solutions preserving the use of IP addresses in the applications have | ||||
| the benefit of better support for applications that use IP addresses | ||||
| for long-lived application associations, callbacks, and referrals, | ||||
| although it should be noted that applications are discouraged from | ||||
| using IP addresses in this manner due to the frequent presence of | ||||
| NATs [4] and Section 3.3, because the binding between host identifier | ||||
| and address is weak and not visible to the application or user. In | ||||
| fact, the semantics of the application's "connect(ip)" call may be | ||||
| interpreted as "connect me to the system reachable at IP address ip" | interpreted as "connect me to the system reachable at IP address ip" | |||
| but perhaps no stronger semantics than that. HIP can be used in this | but perhaps no stronger semantics than that. HIP can be used in this | |||
| case to provide perfect forward secrecy and authentication, but not | case to provide perfect forward secrecy and authentication, but not | |||
| to strongly authenticate the peer at the onset of communications. | to strongly authenticate the peer at the onset of communications. | |||
| DNS with security extensions (DNSSEC) [6], if trusted, may be able to | DNS with security extensions (DNSSEC) [5] could be used to | |||
| provide some additional initial authentication, but at a cost of | authenticate the bindings between IP address and host identifier, if | |||
| initial resolution latency. Note that this usage does not | the necessary DNSSEC records were available and trusted. | |||
| necessarily reveal to the user of the legacy application that HIP is | ||||
| being used. | The legacy application is unaware of HIP and cannot therefore notify | |||
| the user when the application uses HIP. However, the operating | ||||
| system can notify the user of the usage of HIP through a user agent. | ||||
| Further, it is possible for the user agent to name the network | ||||
| application that caused a HIP-related event. This way, the user is | ||||
| aware when he or she is using HIP even though the legacy network | ||||
| application is not. | ||||
| Using IP addresses at the application layer may not provide the full | Using IP addresses at the application layer may not provide the full | |||
| potential benefits of HIP mobility support. It allows for mobility | potential benefits of HIP mobility support. It allows for mobility | |||
| if one is able to readdress the existing sockets upon a HIP readdress | if the system is able to readdress long-lived, connected sockets upon | |||
| event. However, mobility will break in the connectionless case when | a HIP readdress event. However, as in current systems, mobility will | |||
| an application caches the IP address and repeatedly calls sendto(). | break in the connectionless case, when an application caches the IP | |||
| address and repeatedly calls sendto(), or in the case of TCP when the | ||||
| system later opens additional sockets to the same destination. | ||||
| Section 4.1.6 of the base HIP protocol specification [1] states that | ||||
| implementations that learn of HIT-to-IP address bindings through the | ||||
| use of HIP opportunistic mode must not enforce those bindings on | ||||
| later communications sessions. This implies that when IP addresses | ||||
| are used by the applications, systems that attempt to | ||||
| opportunistically set up HIP must not assume that later sessions to | ||||
| the same address will communicate with the same host. | ||||
| 3.2. Using DNS to map domain names to HIs | 3.2. Using DNS to map domain names to HIs | |||
| In the previous section, it was pointed out that a HIP-enabled system | In the previous section, it was pointed out that a HIP-enabled system | |||
| might make use of DNS to transparently fetch host identifiers prior | might make use of DNS to transparently fetch host identifiers prior | |||
| to the onset of communication. For applications that make use of | to the onset of communication. For applications that make use of | |||
| DNS, the name resolution process is another opportunity to use HIP. | DNS, the name resolution process is another opportunity to use HIP. | |||
| If host identifiers are bound to domain names (with a trusted DNS) | If host identifiers are bound to domain names (with a trusted DNS), | |||
| the following are possible: | the following are possible: | |||
| Return HIP LSIs and HITs instead of IP addresses: | Return HIP LSIs and HITs instead of IP addresses: | |||
| The system resolver could be configured to return a Local Scope | The system resolver could be configured to return a Local Scope | |||
| Identifier (LSI) or HIT rather than an IP address, if HIP | Identifier (LSI) or HIT rather than an IP address, if HIP | |||
| information is available in the DNS that binds a particular domain | information is available in the DNS that binds a particular domain | |||
| name to a host identifier, and otherwise to return an IP address | name to a host identifier, and otherwise to return an IP address | |||
| as usual. The system can then maintain a mapping between LSI and | as usual. The system can then maintain a mapping between LSI and | |||
| host identifier and perform the appropriate conversion at the | host identifier and perform the appropriate conversion at the | |||
| system call interface or below. The application uses the LSI or | system call interface or below. The application uses the LSI or | |||
| HIT as it would an IP address. | HIT as it would an IP address. This technique has been used in | |||
| overlay networking experiments such as the Internet Indirection | ||||
| Infrastructure (i3). | ||||
| Locally use a HIP-specific domain name suffix: | Locally use a HIP-specific domain name prefix: | |||
| One drawback to spoofing the DNS resolution is that some | One drawback to spoofing the DNS resolution is that some | |||
| applications actually may want to fetch IP addresses (e.g., | applications actually may want to fetch IP addresses (e.g., | |||
| diagnostic applications such as ping). One way to provide finer | diagnostic applications such as ping, or processes that generate | |||
| granularity on whether the resolver returns an IP address or an | system log files). One way to provide finer granularity on | |||
| LSI is to distinguish by the presence of a domain name suffix. | whether the resolver returns an IP address or an LSI is to | |||
| Specifically, if the application requests to resolve | distinguish by the presence of a domain name prefix. | |||
| "www.example.com.hip" (or some similar suffix), then the system | Specifically, if the application requests to resolve "HIP- | |||
| www.example.com" (or some similar prefix string), then the system | ||||
| returns an LSI, while if the application requests to resolve | returns an LSI, while if the application requests to resolve | |||
| "www.example.com", IP address(es) are returned as usual. Caution | "www.example.com", IP address(es) are returned as usual. The use | |||
| against the use of domain name suffixes is discussed in [7]. | of a prefix rather than suffix is recommended, and the use of a | |||
| string delimiter that is not a dot (".") is also recommended, to | ||||
| reduce the likelihood that such modified DNS names are mistakenly | ||||
| treated as names rooted at a new top-level domain. | ||||
| Fetch HIP records transparently: | ||||
| A third option would be for the system to opportunistically query | ||||
| for HIP records in parallel to other DNS resource records, and to | ||||
| temporarily cache the HITs returned with a DNS lookup, indexed by | ||||
| the IP addresses returned in the same entry, and pass the IP | ||||
| addresses up to the application as usual. If an application | ||||
| connects to one of those IP addresses within a short time after | ||||
| the lookup, initiate a base exchange using the cached HITs. The | ||||
| benefit is that this removes the uncertainty/delay associated with | ||||
| opportunistic HIP, because the DNS record suggests that the peer | ||||
| is HIP-capable. | ||||
| Since the LSI or HIT is non-routable, a couple of potential hazards | Since the LSI or HIT is non-routable, a couple of potential hazards | |||
| arise, in the case of referrals, callbacks, and long-lived | arise, in the case of referrals, callbacks, and long-lived | |||
| application associations. First, applications that perform referrals | application associations. First, applications that perform referrals | |||
| may pass the LSI to another system that has no system context to | may pass the LSI to another system that has no system context to | |||
| resolve the LSI back to a host identifier or an IP address. Note | resolve the LSI back to a host identifier or an IP address. Note | |||
| that these are the same type of applications that will likely break | that these are the same type of applications that will likely break | |||
| if used over certain types of network address translators (NATs). | if used over certain types of network address translators (NATs). | |||
| Second, applications may cache the results of DNS queries for a long | Second, applications may cache the results of DNS queries for a long | |||
| time, and it may be hard for a HIP system to determine when to | time, and it may be hard for a HIP system to determine when to | |||
| perform garbage collection on the LSI bindings. However, when using | perform garbage collection on the LSI bindings. However, when using | |||
| HITs, the security of using the HITs for identity comparison may be | HITs, the security of using the HITs for identity comparison may be | |||
| stronger than in the case of using IP addresses. | stronger than in the case of using IP addresses. | |||
| It may be possible for an LSI or HIT to be routable or resolvable, | It may be possible for an LSI or HIT to be routable or resolvable, | |||
| either directly or on an overlay. For example, a special IP address | either directly or through an overlay, in which case it would be | |||
| that has some location invariance is the identifier-address discussed | preferable for applications to handle such names instead of IP | |||
| in [8]. A term other than LSI may be needed for these routable | addresses. However, such networks are out of scope of this document. | |||
| identifiers, since they would no longer be locally scoped. When | ||||
| using DNS, returning a routable identifier would avoid the | ||||
| aforementioned problems with referrals. However, the cost of | ||||
| routability may be that the hash binding between the routable | ||||
| identifier and the host identifier would be weakened, since more bits | ||||
| may be allocated to the hierarchical part. | ||||
| 3.3. Connecting directly to a HIT | 3.3. Connecting directly to a HIT | |||
| The previous two sections describe the use of IP addresses and LSIs | The previous two sections describe the use of IP addresses and LSIs | |||
| as local handles to a host identifier. A third approach, for IPv6 | as local handles to host identifiers. A third approach, for IPv6 | |||
| applications, is to configure the application to connect directly to | applications, is to configure the application to connect directly to | |||
| a HIT (e.g., "connect(HIT)" as a socket call). Although more | a HIT (e.g., "connect(HIT)" as a socket call). This scenario has | |||
| cumbersome for human users (due to the flat HIT name space) than | ||||
| using either IPv6 addresses or domain names, this scenario has | ||||
| stronger security semantics, because the application is asking the | stronger security semantics, because the application is asking the | |||
| system to send packets specifically to the named peer system. HITs | system to send packets specifically to the named peer system. HITs | |||
| have been defined as Overlay Routable Cryptographic Hash Identifiers | have been defined as Overlay Routable Cryptographic Hash Identifiers | |||
| (ORCHIDs) such that they cannot be confused with routable IP | (ORCHIDs) such that they cannot be confused with routable IP | |||
| addresses; see [3]. | addresses; see [2]. | |||
| Another challenge with this approach is in actually finding the IP | ||||
| addresses to use, based on the HIT. Some type of HIT resolution | ||||
| service would be needed in this case. | ||||
| A third challenge of this approach is in supporting callbacks and | This approach also has a few challenges. Using HITs can be more | |||
| referrals to possibly non-HIP-aware hosts. However, since most | cumbersome for human users (due to the flat HIT name space) than | |||
| communications in this case would likely be to other HIP-aware hosts | using either IPv6 addresses or domain names, Another challenge with | |||
| (else the initial HIP associations would fail to establish), the | this approach is in actually finding the IP addresses to use, based | |||
| problem may otherwise be that the peer host supports HIP but is not | on the HIT. Some type of HIT resolution service would be needed in | |||
| able to perform HIT resolution for some reason. | this case. A third challenge of this approach is in supporting | |||
| callbacks and referrals to possibly non-HIP-aware hosts. However, | ||||
| since most communications in this case would likely be to other HIP- | ||||
| aware hosts (else the initial HIP associations would fail to | ||||
| establish), the resulting referral problem may be that the peer host | ||||
| supports HIP but is not able to perform HIT resolution for some | ||||
| reason. | ||||
| 3.4. Local address management | 3.4. Local address management | |||
| The previous sections focused mainly on client behavior (HIP | The previous sections focused mainly on client behavior (HIP | |||
| initiator). We must also consider the behavior for servers. | initiator). We must also consider the behavior for servers. | |||
| Typically, a server may bind to a wildcard IP address and well-known | Typically, a server binds to a wildcard IP address and well-known | |||
| port. In the case of HIP use with legacy server implementations, | port. In the case of HIP use with legacy server implementations, | |||
| there are again a few options. As in Section 3.1 above, the system | there are again a few options. As in Section 3.1 above, the system | |||
| may be configured manually to always, optionally (depending on the | may be configured manually to always, optionally (depending on the | |||
| client behavior), or never use HIP with a particular service, as a | client behavior), or never use HIP with a particular service, as a | |||
| matter of policy, when the server specifies a wildcard (IP) address. | matter of policy, when the server specifies a wildcard (IP) address. | |||
| When a system API call such as getaddrinfo [9] is used for resolving | When a system API call such as getaddrinfo [6] is used for resolving | |||
| local addresses, it may also return HITs or LSIs, if the system has | local addresses, it may also return HITs or LSIs, if the system has | |||
| assigned HITs or LSIs to internal virtual interfaces (common in many | assigned HITs or LSIs to internal virtual interfaces (common in many | |||
| HIP implementations). The application may use such identifiers as | HIP implementations). The application may use such identifiers as | |||
| addresses in subsequent socket calls. | addresses in subsequent socket calls. | |||
| In the case when resolvers can return multiple destination | ||||
| identifiers for an application, it may be configured that some of the | ||||
| identifiers can be HIP-based identifiers, and the rest can be IPv4 or | ||||
| IPv6 addresses. The system resolver may return HIP-based identifiers | ||||
| in front of the list of identifiers when the underlying system and | ||||
| policies support HIP. An application processing the identifiers | ||||
| sequentially will then first try a HIP-based connection and only then | ||||
| other non-HIP based connections. However, certain applications may | ||||
| launch the connections in parallel. In such a case, the non-HIP | ||||
| connections may succeed before HIP connections. Based on local | ||||
| system policies, a system may disallow such behaviour and return only | ||||
| HIP-based identifiers when they are found from DNS. | ||||
| Some applications may try to bind a socket to a specific local | Some applications may try to bind a socket to a specific local | |||
| address. If the local address specified is an IP address, again, the | address, or may implement server-side access control lists based on | |||
| underlying system may be configured to still use HIP. If the local | socket calls such as getsockname() and getpeername() in the C-based | |||
| address specified is a HIT (Section 3.3), the system should enforce | socket APIs. If the local address specified is an IP address, again, | |||
| that connections can only come to the specified HIT. If a system has | the underlying system may be configured to still use HIP. If the | |||
| many HITs, an application that binds to a single HIT cannot accept | local address specified is a HIT (Section 3.3), the system should | |||
| connections to the other HITs in the system. It may be possible for | enforce that connections to the local application can only arrive to | |||
| a system to specify a special ORCHID value as a local HIT wildcard | the specified HIT. If a system has many HITs, an application that | |||
| value, if such wildcarding among local HIs is desired. | binds to a single HIT cannot accept connections to the other HITs in | |||
| the system. | ||||
| When a host has multiple HIs and the socket behavior does not | When a host has multiple HIs and the socket behavior does not | |||
| prescribe the use of any particular HI as a source identifier, it is | prescribe the use of any particular HI as a local identifier, it is a | |||
| a matter of local policy as to how to select a HI to serve as a | matter of local policy as to how to select a HI to serve as a local | |||
| source identifier. | identifier. However, systems that bind to a wildcard may face | |||
| problems when multiple HITs or LSIs are defined. These problems are | ||||
| not specific to HIP per se, but are also encountered in non-HIP | ||||
| multihoming scenarios with applications not designed for multihoming. | ||||
| As an example, consider a client application that sends an UDP | ||||
| datagram to a server that is bound to a wildcard. The server | ||||
| application receives the packet using recvfrom() and sends a response | ||||
| using sendto(). The problem here is that sendto() may actually use a | ||||
| different server HIT than the client assumes. The client will drop | ||||
| the response packet when the client implements access control on the | ||||
| UDP socket (e.g. using connect()). | ||||
| Reimplementing the server application using the sendmsg() and | ||||
| recvmsg() to support multihoming (particularly considering the | ||||
| anchillary data) would be the ultimate solution to this problem, but | ||||
| with legacy applications is not an option. As a workaround, we make | ||||
| suggestion for servers providing UDP-based services with non- | ||||
| multihoming capable services. Such servers should announce only the | ||||
| HIT that matches to the default outgoing HIT of the host to avoid | ||||
| such problems. | ||||
| Finally, some applications may create a connection to a local HIT. | ||||
| In such a case, the local system may use NULL encryption to avoid | ||||
| unnecessary encryption overhead, and may be otherwise more permissive | ||||
| than usual such as excluding authentication, Diffie-Hellman exchange, | ||||
| and puzzle. | ||||
| 4. Security Considerations | 4. Security Considerations | |||
| In this section we discuss the security of the system in general | In this section we discuss the security of the system in general | |||
| terms, outlining some of the security properties. However, this | terms, outlining some of the security properties. However, this | |||
| section is not intended to provide a complete risk analysis. Such an | section is not intended to provide a complete risk analysis. Such an | |||
| analysis would, in any case, be dependent on the actual application | analysis would, in any case, be dependent on the actual application | |||
| using HIP, and is therefore considered out of scope. | using HIP, and is therefore considered out of scope. | |||
| The three outlined scenarios differ considerably in their security | The three outlined scenarios differ considerably in their security | |||
| properties. There are further differences related to whether DNSSEC | properties. There are further differences related to whether DNSSEC | |||
| is used or not, and whether the DNSSEC zones are considered | is used or not, and whether the DNSSEC zones are considered | |||
| trustworthy enough from an application point of view. | trustworthy enough. Here we mean that the delegation chain from the | |||
| reverse IP root should be trusted (typical trust anchor issues), and | ||||
| the DNS zone administrators in charge of the netblock should be | ||||
| trusted to put in the right information. | ||||
| When IP addresses are used to represent the peer system, the security | When IP addresses are used to represent the peer system, the security | |||
| properties depend on the the configuration method. With manual | properties depend on the the configuration method. With manual | |||
| configuration, the security of the system is comparable to a non-HIP | configuration, the security of the system is comparable to a non-HIP | |||
| system with similar IPsec policies. The security semantics of an | system with similar IPsec policies. The security semantics of an | |||
| opportunistic key exchange are roughly equal to current non-secured | initial opportunistic key exchange are roughly equal to non-secured | |||
| IP; the exchange is vulnerable to man-in-the-middle attacks. | IP; the exchange is vulnerable to man-in-the-middle attacks. | |||
| However, the system is less vulnerable to connection hijacking | However, the system is less vulnerable to connection hijacking | |||
| attacks. If the DNS is used, if both maps are secured (or the HITs | attacks. If the DNS is used, if both zones are secured (or the HITs | |||
| stored in the reverse DNS record) and the client trusts the DNSSEC | are stored in the reverse DNS record) and the client trusts the | |||
| signatures, the system may provide a fairly high security level. | DNSSEC signatures, the system may provide a fairly high security | |||
| However, much depends on the details of the implementation, the | level. However, much depends on the details of the implementation, | |||
| security and administrative practises used when signing the DNS | the security and administrative practices used when signing the DNS | |||
| zones, and other factors. | zones, and other factors. | |||
| Using the forward DNS to map a domain name into an LSI is a case that | Using the forward DNS to map a domain name into an LSI is a case that | |||
| is closest to the most typical use scenarios today. If DNSSEC is | is closest to the most typical use scenarios today. If DNSSEC is | |||
| used, the result is fairly similar to the current use of certificates | used, the result is fairly similar to the current use of certificates | |||
| with TLS. If DNSSEC is not used, the result is fairly similar to the | with TLS. If DNSSEC is not used, the result is fairly similar to the | |||
| current use of plain IP, with the exception that HIP provides | current use of plain IP, with the exception that HIP provides | |||
| protection against connection hijacking attacks. | protection against connection hijacking attacks. | |||
| If the application is basing its operations on HITs, the connections | If the application is basing its operations on HITs, the connections | |||
| become automatically secured due to the implicit channel bindings in | become automatically secured due to the implicit channel bindings in | |||
| HIP. That is, when the application makes a connect(HIT) system call, | HIP. That is, when the application makes a connect(HIT) system call, | |||
| the resulting packets will either be sent to a node possessing the | the resulting packets will either be sent to a node possessing the | |||
| corresponding private key or the security association will fail to be | corresponding private key or the security association will fail to be | |||
| established. | established. | |||
| When the system provides (spoofs) LSIs or HITs instead of IP | ||||
| addresses as the result of name resolution, the resultant fields may | ||||
| inadvertently show up in user interfaces and system logs, which may | ||||
| cause operational concerns for some network administrators. | ||||
| 5. IANA Considerations | 5. IANA Considerations | |||
| This document has no actions for IANA. | This document has no actions for IANA. | |||
| 6. Acknowledgments | 6. Acknowledgments | |||
| Jeff Ahrenholz, Gonzalo Camarillo, Alberto Garcia, Miika Komu, Teemu | Jeff Ahrenholz, Gonzalo Camarillo, Alberto Garcia, Teemu Koponen, | |||
| Koponen, Julien Laganier, and Jukka Ylitalo have provided comments on | Julien Laganier, and Jukka Ylitalo have provided comments on | |||
| different versions of this draft. | different versions of this draft. Erik Nordmark provided the | |||
| taxonomy of how applications use IP addresses in a previously expired | ||||
| Internet Draft. The document received substantial and useful | ||||
| comments during the review phase from David Black, Pekka Savola, Lars | ||||
| Eggert, and the DNS directorate. | ||||
| 7. Informative References | 7. Informative References | |||
| [1] Moskowitz, R., "Host Identity Protocol", draft-ietf-hip-base-07 | [1] Moskowitz, R., Nikander, P., Jokela, P., and T. Henderson, "Host | |||
| (work in progress), February 2007. | Identity Protocol", draft-ietf-hip-base-10 (work in progress), | |||
| October 2007. | ||||
| [2] Linn, J., "Generic Security Service Application Program | ||||
| Interface Version 2, Update 1", RFC 2743, January 2000. | ||||
| [3] Nikander, P., "An IPv6 Prefix for Overlay Routable Cryptographic | ||||
| Hash Identifiers (ORCHID)", draft-laganier-ipv6-khi-07 (work in | ||||
| progress), February 2007. | ||||
| [4] Nordmark, E., "Shim6 Application Referral Issues", | [2] Nikander, P., Laganier, J., and F. Dupont, "An IPv6 Prefix for | |||
| draft-ietf-shim6-app-refer-00 (work in progress), July 2005. | Overlay Routable Cryptographic Hash Identifiers (ORCHID)", | |||
| RFC 4843, April 2007. | ||||
| [5] Salz, J., Balakrishnan, H., and A. Snoeren, "TESLA: A | [3] Salz, J., Balakrishnan, H., and A. Snoeren, "TESLA: A | |||
| Transparent, Extensible Session-Layer Architecture for End-to- | Transparent, Extensible Session-Layer Architecture for End-to- | |||
| end Network Services", Proceedings of USENIX Symposium on | end Network Services", Proceedings of USENIX Symposium on | |||
| Internet Technologies and Systems (USITS), pages 211-224, | Internet Technologies and Systems (USITS), pages 211-224, | |||
| March 2003. | March 2003. | |||
| [6] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, | [4] Carpenter, B., "Architectural Principles of the Internet", | |||
| RFC 1958, June 1996. | ||||
| [5] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, | ||||
| "DNS Security Introduction and Requirements", RFC 4033, | "DNS Security Introduction and Requirements", RFC 4033, | |||
| March 2005. | March 2005. | |||
| [7] Faltstrom, P., "Design Choices When Expanding DNS", | [6] Gilligan, R., Thomson, S., Bound, J., McCann, J., and W. | |||
| draft-iab-dns-choices-04 (work in progress), October 2006. | ||||
| [8] Bagnulo, M. and E. Nordmark, "Level 3 multihoming shim | ||||
| protocol", draft-ietf-shim6-proto-07 (work in progress), | ||||
| December 2006. | ||||
| [9] Gilligan, R., Thomson, S., Bound, J., McCann, J., and W. | ||||
| Stevens, "Basic Socket Interface Extensions for IPv6", RFC 3493, | Stevens, "Basic Socket Interface Extensions for IPv6", RFC 3493, | |||
| February 2003. | February 2003. | |||
| Appendix A. Changes from previous versions | ||||
| This section is to be removed by the RFC Editor before publication. | ||||
| It summarizes resolution of issues raised in the following reviews: | ||||
| (1) IESG last call, (2) Gen-ART review, and (3) DNS directorate | ||||
| review. Mobility and secdir reviews did not result in actionable | ||||
| comments. | ||||
| A.1. From version-01 to version-02 (current) | ||||
| Better clarity in the abstract and introduction about the goal of the | ||||
| draft; namely, that it is informational to help implementors and | ||||
| early adopters think about and solve deployment issues (comment from | ||||
| Pekka Savola). | ||||
| Delete the second paragraph of 3 about the general applicability of | ||||
| replacing IP addresses with LSIs and HITs at the socket layer. | ||||
| (comment from Pekka Savola). | ||||
| Delete comments in Section 3.2 on routable LSIs, as this is seen to | ||||
| be out of scope and potentially controversial or incomplete (comment | ||||
| from David Black). | ||||
| Delete reference to Erik Nordmark's shim6 application referral draft, | ||||
| since it is a dead draft (comment from David Black). Instead, Erik | ||||
| is cited in the acknowledgments section for providing the taxonomy of | ||||
| IP address usage scenarios. | ||||
| Clarify (and reference the base spec) in Sec. 3.1 that use of the | ||||
| opportunistic mode requires that systems not enforce that the | ||||
| HIT-to-IP address bindings learned will pertain to subsequent | ||||
| sessions to that IP address. | ||||
| Section 3.2 drew comments from several reviewers. First, David Black | ||||
| raised the issue that spoofing IP addresses with HITs or LSIs raises | ||||
| risks that it may turn up in log records; this has been noted in the | ||||
| text. The section on using a DNS suffix to signal the preferred use | ||||
| of HIP was objected to by members of the DNS directorate and others | ||||
| (including the co-author Pekka Nikander), due to concern that queries | ||||
| to a new TLD might leak out. The current draft instead recommends a | ||||
| DNS prefix instead of suffix, due to a suggestion by Thomas Narten. | ||||
| In section 3.1, clarify recursion issues that may arise when doing | ||||
| reverse+forward lookup of HIP records from DNS (comment from Pekka | ||||
| Savola). | ||||
| Clarify more specifically in security considerations section the | ||||
| DNSSEC trust assumptions or security considerations (outline of text | ||||
| provided by Pekka Savola, and similar comment raised by Peter Koch). | ||||
| Clarified in security considerations section that IP address spoofing | ||||
| could cause some operational difficulties if they unexpectedly show | ||||
| up in log files or UIs (comment from David Black). | ||||
| Clarified in Sec. 3.1 that opportunistic and DNS techniques can incur | ||||
| additional latency when compared to plain IP (comment from Lars | ||||
| Eggert) | ||||
| Added third option to Section 3.2 for using DNS (transparently | ||||
| fetching HIP resource records when doing other RR queries), suggested | ||||
| by Lars Eggert and also by Olaf Kolkman. | ||||
| Incorporated last-call comments from Miika Komu, which were all | ||||
| handled in Section 3.4: i) clarify multihoming issue for servers with | ||||
| multiple HITs, when receiving UDP, ii) clarify a problem that might | ||||
| arise for applications that do parallel connect, and iii) suggest | ||||
| that loopback HIP connections could use a NULL encryption. | ||||
| Removed expired references and updated active references. | ||||
| Incorporated additional review comments from Miika Komu, and some | ||||
| suggested replacement text, and added him as a co-author. | ||||
| Authors' Addresses | Authors' Addresses | |||
| Tom Henderson | Thomas Henderson | |||
| The Boeing Company | The Boeing Company | |||
| P.O. Box 3707 | P.O. Box 3707 | |||
| Seattle, WA | Seattle, WA | |||
| USA | USA | |||
| Email: thomas.r.henderson@boeing.com | Email: thomas.r.henderson@boeing.com | |||
| Pekka Nikander | Pekka Nikander | |||
| Ericsson Research NomadicLab | Ericsson Research NomadicLab | |||
| JORVAS FIN-02420 | JORVAS FIN-02420 | |||
| FINLAND | FINLAND | |||
| Phone: +358 9 299 1 | Phone: +358 9 299 1 | |||
| Email: pekka.nikander@nomadiclab.com | Email: pekka.nikander@nomadiclab.com | |||
| Miika Komu | ||||
| Helsinki Institute for Information Technology | ||||
| Metsaenneidonkuja 4 | ||||
| Helsinki FIN-02420 | ||||
| FINLAND | ||||
| Phone: +358503841531 | ||||
| Email: miika@iki.fi | ||||
| Full Copyright Statement | Full Copyright Statement | |||
| Copyright (C) The IETF Trust (2007). | Copyright (C) The IETF Trust (2007). | |||
| This document is subject to the rights, licenses and restrictions | This document is subject to the rights, licenses and restrictions | |||
| contained in BCP 78, and except as set forth therein, the authors | contained in BCP 78, and except as set forth therein, the authors | |||
| retain all their rights. | retain all their rights. | |||
| This document and the information contained herein are provided on an | This document and the information contained herein are provided on an | |||
| "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | |||
| End of changes. 47 change blocks. | ||||
| 158 lines changed or deleted | 331 lines changed or added | |||
This html diff was produced by rfcdiff 1.34. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||