![Page 1: Implications of Identifier / Locator Splitpmrg/NETS1a/IdLocSplit-04-10-28.pdfPresentation outline New requirements for TCP/IP Point Solution Plague Introduction to Identifier / Locator](https://reader031.vdocuments.site/reader031/viewer/2022030901/5b3d01a57f8b9a26728db949/html5/thumbnails/1.jpg)
Implications of Identifier / Locator Split
Dr. Pekka Nikander, Ericsson Research Nomadic Lab
Page 2
Presentation outline
New requirements for TCP/IP
Point Solution Plague
Introduction to Identifier / Locator Split
An example: Host Identity Protocol (HIP)
Implications and outlook
Summary
Page 4
New requirements
Huge growth
Security
Mobility
Multi-homing and multi-access
Address agility
Page 5
Requirement: growth
Lack of IPv4 addresses ➯ NATs ➯ Loss of end-to-end connectivity
Routing instability ➯ Classless routing ➯ Loss of addressing flexibility
Page 6
Requirements: Security
DoS and DDoS protection: asymmetric attack/defence games
Raising the bar for attackers, e.g. opportunistic encryption
Zero-configuration security, e.g. SSH leap of faith
Page 7
Requirements: Mobility
IP addresses determined by topology; otherwise routing tables explode
Mobile hosts change topological location; their IP address must change
IP address change breaks connectivity: initial rendezvous; TCP connections
Page 8
Requirements: Multi-homing
Different types of multi-homing:
Very large corporate multi-homing
Medium/large corporate multi-homing
SOHO multi-homing
Multi-access
The latter three are probably best addressed with multi-addressing
Page 9
Requirements: Address agility generally
Mobility requires address agility
Multi-homing becomes easier with address agility (can be solved by multi-addressing)
Network renumbering too hard today; address agility would help
Page 11
Point Solution Plague
IETF has focused on separate solutions to the problems
Security: IPsec, TLS, SSH, ...
Mobility: MIPv4, MIPv6
Multi-homing: multi6 WG
Integrated approaches starting to appear: mobike WG, btns BOF, ...
Page 12
Why is this problematic?
Solutions don't integrate nicely ➯ Added complexity ➯ Brittleness
Lots of code: MIPv4 + MIPv6 + IPsec + Teredo + ... = ~150000 lines of code
"Fat" headers with lots of repetition
Page 14
Identifier / Locator Split
Important issues in networking
Current roles of IP addresses
Roles from networking point of view
ID / Loc split idea
Network viewpoint
Page 15
What is networking?
How to refer to an entity? (Naming)
How to refer to a route to an entity? (Addressing)
How to deliver packets to the entity? (Routing)
Page 16
Roles of IP addresses
Two roles combined:
End-point identifiers: names of interfaces on hosts
Locators: names of topological locations
This duality makes address agility hard
Page 17
Current IP architecture
IP addresses used for both naming and addressing
DNS naming a separate and similar issue
Figure: DNS name resolved via DNS to IP address; IP address used by IP routing
Page 18
Identifier / Locator split
Separate the roles of IP addresses
Different approaches:
Use application layer names as identifiers
Use DNS names as identifiers
Introduce a new layer
Split IP addresses
Maybe others
Page 19
Application layer identifiers
Use some sort of application layer names for identifiers, e.g. SIP URLs in IMS
Ties end-to-end connectivity to the specific application
Happening all the time
Figure: SIP URL resolved via SIP proxies; DNS name resolved via DNS to IP address; IP address used by IP routing
Page 20
Push DNS down the stack
Make DNS name the stable reference point
Transmit DNS names, not IP addresses, as referrals (e.g. in FTP)
Change the socket API to take DNS names?
Figure: DNS name resolved via DNS to IP address; IP address used by IP routing
Page 21
Introduce a new layer
New identifiers at a new layer
Introduces new security problems: the binding between the new identifiers and IP addresses
Figure: new identifier bound to IP address; DNS name resolved via DNS; IP address used by IP routing
Page 22
Split IP addresses
Interface ID of IPv6 address encodes a new identifier
DNS still resolves to an IP address
API still uses IP addresses
Figure: DNS name resolved via DNS to IP address, whose interface ID carries the new identifier; IP address used by IP routing
Page 23
ID / loc split summary
Make host identification and addressing separate from each other
Allow addresses to be agile
Different approaches; Occam's razor: which one is simplest? Which one is least brittle?
Page 25
Host Identity Protocol
Being standardised at the IETF
Integrates mobility, multi-homing and security across IPv4 and IPv6
Much simpler than the point solutions combined (~15000 lines of code)
Implements the identifier / locator split
Separate protocols for control and data
Page 26
Related IETF WGs and RGs
ID/loc split: nsrg
Mobility: mip6, mip4, mipshop
Multi-homing: multi6
Security: ipsec, mobike, hip, btns
Page 27
The HIP Idea
A new name space of Host Identifiers (HI): public crypto keys!
Sockets bound to HIs, not IP addresses
Figure: layering Process / Transport / IP layer / Link layer; the transport binds to <Host ID, port> instead of <IP address, port>, and the host identity layer maps Host ID to IP address
Page 28
New "waist" for TCP/IP
Figure: today, v4 app → TCPv4 → IPv4 → Link layer and v6 app → TCPv6 → IPv6 → Link layer; with HIP, v4 and v6 apps with TCPv4/TCPv6 sit on a common Host identity layer, which runs over either IPv4 or IPv6 on the link layer
Page 29
Protocol overview
Initiator → Responder: I1 (trigger)
Responder → Initiator: R1 (puzzle, start authentication)
Initiator → Responder: I2 (puzzle solution, authentication)
Responder → Initiator: R2 (complete authentication)
ESP protected data messages
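The I1/R1/I2/R2 exchange as an added example in Python (not code from the talk or from any HIP implementation): Host Identifiers are public keys, the HIT is a hash of the HI so a peer can prove it owns the HIT it claims, and the R1 puzzle lets the responder stay stateless until the initiator has spent CPU time. The HIT derivation and puzzle format are simplified assumptions, not the RFC wire format.

```python
import hashlib

# Added example, not code from the talk or from any HIP implementation.
# Assumptions (simplified, not the RFC wire format):
#   HIT    = first 16 bytes of SHA-256(HI)
#   puzzle = find J such that SHA-256(I || HIT_I || HIT_R || J)
#            has K low-order zero bits

HIT_LEN = 16


def hit_from_hi(host_identity: bytes) -> bytes:
    """Derive the Host Identity Tag from Host Identity (public key) bytes."""
    return hashlib.sha256(host_identity).digest()[:HIT_LEN]


def hit_matches(hit: bytes, host_identity: bytes) -> bool:
    """Self-certification: a peer presenting HI must own the HIT it claimed."""
    return hit == hit_from_hi(host_identity)


def _puzzle_hash(i: bytes, hit_i: bytes, hit_r: bytes, j: int) -> int:
    h = hashlib.sha256(i + hit_i + hit_r + j.to_bytes(8, "big")).digest()
    return int.from_bytes(h, "big")


def make_puzzle(secret: bytes, hit_i: bytes, hit_r: bytes, k: int):
    """Responder side of R1. I is derived from a responder secret and the
    HITs, so the responder can recompute it later instead of storing state
    for every I1 it answers (the asymmetric DoS game from the slides)."""
    i = hashlib.sha256(secret + hit_i + hit_r).digest()[:8]
    return i, k


def solve_puzzle(i: bytes, hit_i: bytes, hit_r: bytes, k: int) -> int:
    """Initiator side of I2: brute-force J; expected work grows as 2**k."""
    mask = (1 << k) - 1
    j = 0
    while _puzzle_hash(i, hit_i, hit_r, j) & mask:
        j += 1
    return j


def verify_solution(secret, hit_i, hit_r, k, i, j) -> bool:
    """Responder side of I2: recompute I from the secret, then a single
    hash checks the solution regardless of how much work the initiator did."""
    expected_i, _ = make_puzzle(secret, hit_i, hit_r, k)
    if i != expected_i:
        return False
    return _puzzle_hash(i, hit_i, hit_r, j) & ((1 << k) - 1) == 0


def base_exchange(hi_i, hi_r, secret, k=12, claimed_hit_i=None) -> bool:
    """Run I1/R1/I2/R2 and return whether the responder would send R2.
    claimed_hit_i models an initiator claiming a HIT it does not own;
    the self-certification check rejects it."""
    hit_i = claimed_hit_i or hit_from_hi(hi_i)
    hit_r = hit_from_hi(hi_r)
    i, k = make_puzzle(secret, hit_i, hit_r, k)           # I1 -> R1
    j = solve_puzzle(i, hit_i, hit_r, k)                  # initiator's work
    return hit_matches(hit_i, hi_i) and verify_solution(  # I2 -> R2
        secret, hit_i, hit_r, k, i, j)
```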
Page 30
How it works today
Figure: the client app calls the DNS library (DNS query to the DNS server, DNS reply with IP_S), then connect(IP_S); the TCP SYN to IP_S passes the socket API and the IPsec SPD/SAD, IKE runs between the two hosts, and an ESP protected TCP SYN to IPaddr_S reaches the server, whose IPsec SAD/SPD and socket API deliver a TCP SYN from IP_C to the server app
Page 31
One way to do HIP
Figure: the client app calls the DNS library (DNS query to the DNS server, DNS reply: HIT → {IP addresses}), then connect(HIT_S); the TCP SYN to HIT_S passes the socket API, the HIP daemon converts HITs to IP addresses, and an ESP protected TCP SYN to IPaddr_S goes out through the IPsec SPD/SAD; on the server the HIP daemon converts IP addresses back to HITs and the server app sees a TCP SYN from HIT_C
Page 32
HIP Mobility & Multi-homing
Mobility and multi-homing become duals of each other
Mobility: many addresses over time
Multi-homing: many addresses now
Leads to a Virtual Interface Model: real and virtual interfaces
Subsumes MIP "Home Agent" concept
Page 33
Virtual Interface Model (figure only)
Page 34
Mobility protocol
Mobile → Corresponding: REA: HITs, old SPI_M, new SPI_M, new IP addrs, sig
Corresponding → Mobile: REA: HITs, old SPI_C, new SPI_C, sig
ESP on new SPI_C
ESP on new SPI_M and new SPI_C
Page 35
Infrastructure research
HIs currently stored in the DNS, retrieved with IP addresses
Does not work if you have only a HIT
How to get data based on HIT only? HITs look like random numbers
Maybe use a DHT based overlay like i3
Page 36
Distributed Hash Tables
Distributed directory for flat data
Several different ways to implement
Each server maintains a partial map
Overlay addresses for finding the server
Resilience with parallel mappings
Used to create overlay networks
Page 37
How it might work
Figure: i3 overlay based infrastructure (labels: ID, R)
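A minimal HIT-to-locator directory with the DHT properties listed on pages 35 to 37, as an added example (not code from the talk, from i3 or from any DHT implementation): flat keys placed on a hash ring, a partial map per server, and each mapping replicated on several successive servers so lookup survives server failure. Server names, the sample HIT and the locators are constructed.

```python
import hashlib
from bisect import bisect_right

# Added example, not from the talk or from i3 or any DHT implementation.
# Server names and the sample HIT and locators below are constructed.

REPLICAS = 3  # "resilience with parallel mappings"


def ring_pos(key: bytes) -> int:
    """Overlay address: where a key (or a server name) sits on the hash ring."""
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big")


class HitDirectory:
    def __init__(self, servers):
        # every server owns the arc of the ring ending at its own position
        self.positions = sorted((ring_pos(s.encode()), s) for s in servers)
        self.ring = [p for p, _ in self.positions]
        self.stores = {s: {} for s in servers}  # partial map per server
        self.alive = set(servers)

    def _successors(self, hit: bytes):
        """The REPLICAS servers clockwise from the key's ring position."""
        idx = bisect_right(self.ring, ring_pos(hit))
        n = len(self.positions)
        return [self.positions[(idx + k) % n][1]
                for k in range(min(REPLICAS, n))]

    def publish(self, hit: bytes, locators):
        """Register (or, after an address change, replace) a host's locators."""
        for s in self._successors(hit):
            if s in self.alive:
                self.stores[s][hit] = set(locators)

    def lookup(self, hit: bytes):
        """Ask the responsible servers in order, skipping ones that are down."""
        for s in self._successors(hit):
            if s in self.alive and hit in self.stores[s]:
                return set(self.stores[s][hit])
        return None

    def fail(self, server: str):
        self.alive.discard(server)


def demo():
    """Publish, move (mobility), lose two of three replicas, still resolve."""
    d = HitDirectory(["srv-a", "srv-b", "srv-c", "srv-d", "srv-e"])
    hit = hashlib.sha256(b"constructed mobile host key").digest()[:16]
    d.publish(hit, ["192.0.2.10"])
    d.publish(hit, ["198.51.100.7", "2001:db8::7"])  # moved and multi-homed
    for s in d._successors(hit)[:2]:
        d.fail(s)
    return d.lookup(hit)
```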
Page 39
Basic implications
IP layer mobility becomes easier
Multi-address multi-homing gets easier
New security problems emerge
More freedom to routing: better possibilities to re-consider the division of information between addresses and routing table
Page 40
HIP-slanted approach
Solve the new security problems by having self-certified identifiers: no need for security infrastructure
Provide handles to secure identifiers to upper layers for channel binding
More research needed on rendezvous: should we use i3 or something else?
Page 41
HIP-slanted implications
Restoration of end-to-end connectivity
New end-point names: first class citizens, application and DNS independent, self certifying
Layer 3.5 connectivity possible
Page 42
Open research topics
How to run large scale DHTs in practice? Not for p2p but for infrastructure
Security, performance, and dependability problems in DHTs
New routing with agile addresses
Architectural implications to other functions (e.g. congestion control)
Page 44
Summary
New requirements mandate some sort of identifier / locator split in the future
Real need to get end-to-end back
Much controversy about the approach: right now IMS strong in 3GPP / ETSI; HIP one possible future direction
Lots of interesting open research topics