
Re: [RRG] Nimrod, NIIA, HIP... as a long term solution?



Hi Robin,

> My understanding is the HIP involves 128 bit Host Identifiers, to
> which sockets are bound.  From this I understand that HIP can be
> installed in the operating system code of an IPv6 stack, so that
> IPv6-aware applications can use it.
>
> With respect to 99.99?% of desktop and server computers used by
> ordinary folk today, I think your statement doesn't apply, since
> their applications do not support IPv6.

Well, firstly, HIP works also with 32-bit "LSI"s, which look like IPv4 addresses. However, such LSIs are not globally unique, i.e., the same LSI can denote different peers at different hosts. Hence, third party referrals (host A referring the identity of host B, identifying it by its LSI, to host C) do not work in the global sense. (But they can be made to work in a closed network, with some care.) There are also HIP implementations that allow using routable IPv4 addresses as LSIs, more or less similar to the HIP opportunistic mode [1].

Second, a pretty large fraction of apps running on Windows, Mac OS X, and Linux, work already now with IPv6. There are probably small glitches here and there, as the APIs are not used by that many people yet, but basically the mechanisms are there.

Third, as I wrote, it is possible to use HIP with proxies. In that way the local network can continue to use IPv4 or convert to IPv6, independent of what the ISP network uses. But, as I wrote, the details of that haven't been specified in the form of an internet draft, at least not yet.

Fourth, it must be understood that in the HIP case the "API version" of IP and the "stack version" of IP are really distinct. You can use IPv6 APIs and underlying IPv4 internetworking, or vice versa. You can even use one version of the API at one end and the other version at the other end. For example, already 3-4 years ago we demonstrated at some IETF meeting how one can use IPv4-look-alike LSIs in a telnet client to connect to a telnet server in a way that the telnet server sees the connection coming from the corresponding IPv6-look-alike HIT. The same applies to the underlying IP: with something like SPINAT [2] in between you can send packets over IPv4 at one end and receive them over IPv6 at the other end (and vice versa).

Finally, while currently the only specified way of using HIP is to use ESP as a wrapper for the data traffic, there is nothing architecturally specific to that. In principle, you could use IPv4+UDP, IPv4+SHIM, or even plain IPv6 wrapping as well, but then you wouldn't get the integrity and confidentiality that HIP provides. (In theory, you probably could use IPv4 without UDP or SHIM too, but that would be pretty brittle due to all those NATs out there; at minimum there would be problems with checksums.)

--Pekka Nikander

[1] http://tools.ietf.org/id/draft-henderson-hip-applications-03.txt
[2] Jukka Ylitalo, Patrik Salmela, and Hannes Tschofenig, "SPINAT: Integrating IPsec into Overlay Routing", in Proc. of the First International Conference on Security and Privacy for Emerging Areas in Communication Networks (SecureComm'05), Athens, Greece, September 5-9, 2005. http://users.tkk.fi/~jylitalo/publications/SecureComm05-Ylitalo-et-al.pdf
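As an added illustration of the LSI point made in the message above (this is not code from the message or from any HIP implementation): each host keeps its own LSI-to-HIT table, so an LSI handed from host A to host C resolves, at C, to whatever peer C happened to assign that LSI to. The HIT derivation and the 1.0.0.0/8 LSI range used here are constructed simplifications.

```python
import hashlib
import ipaddress


def hit_from_public_key(pubkey: bytes) -> str:
    """Constructed stand-in for a HIT: 128 bits derived from the host's public
    key, shown as an IPv6-look-alike. Real HIT construction differs."""
    digest = hashlib.sha256(pubkey).digest()[:16]
    return str(ipaddress.IPv6Address(digest))


class Host:
    """A HIP host with a purely local LSI <-> HIT mapping."""

    def __init__(self, name: str, pubkey: bytes):
        self.name = name
        self.hit = hit_from_public_key(pubkey)
        self._next_lsi = 1
        self.lsi_to_hit: dict[str, str] = {}
        self.hit_to_lsi: dict[str, str] = {}

    def lsi_for(self, peer_hit: str) -> str:
        """Allocate a 32-bit IPv4-look-alike LSI for a peer on first use.
        Allocation order is local, so two hosts can hand out the same LSI
        for different peers (constructed prefix 1.0.0.0/8)."""
        if peer_hit not in self.hit_to_lsi:
            lsi = str(ipaddress.IPv4Address((1 << 24) | self._next_lsi))
            self._next_lsi += 1
            self.hit_to_lsi[peer_hit] = lsi
            self.lsi_to_hit[lsi] = peer_hit
        return self.hit_to_lsi[peer_hit]

    def resolve_lsi(self, lsi: str):
        """Look an LSI up in this host's own table; None if unknown here."""
        return self.lsi_to_hit.get(lsi)


def referral_by_lsi(a: Host, b: Host, c: Host):
    """A refers B to C using A's LSI for B. Returns the HIT C ends up with,
    which is whatever C's table says for that LSI (possibly another peer)."""
    lsi_at_a = a.lsi_for(b.hit)
    return c.resolve_lsi(lsi_at_a)


def referral_by_hit(a: Host, b: Host, c: Host) -> str:
    """A refers B to C by HIT; the HIT is globally unique, so C can use it."""
    return b.hit
```

`referral_by_lsi` returns the wrong peer's HIT when C has already assigned that LSI to someone else, and `None` when C has never seen it, which is why the message says LSI-based third-party referrals only work in a closed network with care.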

