Transcript HIP proxy

HIP proxy
Patrik Salmela
2004-12-01
Contents
• Background: ID-locator split
• HIP
• Why a HIP proxy
• Functionality of a HIP proxy
• The prototype
• Performance
• Conclusions

Background: ID – locator split

Currently the IP address serves two purposes:
• Locator point of view:
  • Node moves -> new locator: OK
• Identifier point of view:
  • Node moves -> new identifier: NOT OK

Identifier requirements:
• Stay constant regardless of location and time

Background (cont.)

Some ID – locator split solutions:
• GSE proposal for IPv6: part of the address serves as ID, constant
• FARA: framework for designing new architectures
• PeerNet: DHT and peer-to-peer thinking
• I3: IDs registered at I3 servers
• HIP

The HIP way

• ID-locator split
  • ID: HI (-> HIT / LSI), locator: IP address
  • Packets sent to ID, routed using locator
• Security
  • IPsec ESP, SAs created during base exchange
• Mobility
  • Connections between IDs (HITs)
  • Location update messages
• Multihoming
  • Packets sent to ID, the routing is irrelevant

The ID is the base for all these features

HIP (cont.)
Why a HIP proxy?

• More HIP hosts -> more use for HIP
• It will take time for HIP to spread
• A HIP proxy enables HIP between legacy hosts and HIP hosts

[Figure: Legacy host <-> HIP proxy <-> HIP host; HIP / IPsec ESP between the HIP proxy and the HIP host]

Why a HIP proxy (cont.)

• Promotes HIP
  • New possibilities to use HIP
• Can be used as "try-then-buy" for HIP
  • Easier to enable HIP for hosts in a network
  • In the long run an all-HIP solution is better: less configuration, more freedom/features
  • If satisfied by the services provided by HIP (proxy) -> upgrade to a HIP host/network

Restrictions for a HIP proxy

• No security between proxy and legacy host
  • Solution: proxy on the border of a private network
• HIP host unaware of proxy, security problem
  • Solution: add indication into base exchange
• Legacy hosts cannot use all HIP features
  • Solution: upgrade to HIP host

Functionality of a HIP proxy

• Assign, and use, HITs for legacy hosts
• HIP connection from HIP host also possible

The prototype HIP proxy

• FreeBSD 5.2, Ericsson Finland's HIP implementation
• IPv6 only
• No HIP-modified DNS -> HIT-IP mappings in configuration file
• Proxy between two small LANs
• Uses ip6fw and divert6

The prototype (cont.)

• Packets diverted to proxy for processing
• All packets coming from the private net:
  • Locate HIT-IP mappings
  • Replace IP addresses with HITs
• Packets from the public net with HITs in the header:
  • Locate HIT-IP mappings
  • Replace HITs with IP addresses

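The two rewriting directions of the prototype, as an added example written for this transcript (not the Ericsson prototype's own code): a HIT-IP mapping table loaded from a configuration text, and the IPv6 header rewriting applied to packets from the private net (IPs become HITs) and from the public net (HITs become IPs). The addresses, the HIT values, the "IP HIT" line format of the configuration and all function names are constructed for this example.

```python
import ipaddress
import struct

IPV6_HEADER_LEN = 40

# Constructed configuration text standing in for the prototype's mapping file.
# The HIT values are made up for the example; real HITs are derived from a host's HI.
CONFIG = """
2001:db8:1::10   2001:db8:cafe::1    # legacy host in the private net, HIT assigned by the proxy
2001:db8:2::20   2001:db8:cafe::2    # HIP host in the public net, HIT from its HI
"""

def load_mappings(config_text):
    """Parse 'IP HIT' lines into two lookup tables, one per rewriting direction."""
    ip_to_hit, hit_to_ip = {}, {}
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        ip, hit = (ipaddress.IPv6Address(a) for a in line.split())
        ip_to_hit[ip] = hit
        hit_to_ip[hit] = ip
    return ip_to_hit, hit_to_ip

def rewrite(packet, table):
    """Replace the IPv6 source and destination using table.
    Returns None when the packet is not IPv6 or either address has no mapping,
    i.e. when the proxy has nothing it can translate the packet to."""
    if len(packet) < IPV6_HEADER_LEN or packet[0] >> 4 != 6:
        return None
    src = ipaddress.IPv6Address(packet[8:24])
    dst = ipaddress.IPv6Address(packet[24:40])
    if src not in table or dst not in table:
        return None
    return packet[:8] + table[src].packed + table[dst].packed + packet[40:]

def to_public(packet, tables):
    """Private net -> proxy: IP addresses become HITs (ip_to_hit table)."""
    return rewrite(packet, tables[0])

def to_private(packet, tables):
    """Public net -> proxy: HITs become IP addresses (hit_to_ip table)."""
    return rewrite(packet, tables[1])

def build_packet(src, dst, payload, next_header=58):
    """Minimal IPv6 header (version 6, hop limit 64) in front of payload; constructed test input."""
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload

def addresses(packet):
    """(src, dst) of an IPv6 packet as strings, for inspection."""
    return str(ipaddress.IPv6Address(packet[8:24])), str(ipaddress.IPv6Address(packet[24:40]))
```

In the prototype the packets arrive through divert6 and the HIT-addressed packet is then handed to the HIP stack, which sets up the association and ESP; only the address rewriting step is shown here.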
Performance

Using proxy | Using HIP | Conn. | Avg. RTT (20 pkts.)
No          | No        | 1     | 0,624ms
No          | No        | 2     | 0,616ms
Yes         | No        | 1     | 0,698ms
Yes         | No        | 2     | 0,684ms
Yes         | Yes       | 1     | 0,851ms
Yes         | Yes       | 2     | 0,832ms
Yes         | Yes       | 4     | 0,822ms
Yes         | Yes       | 8     | 0,872ms

Proxy without HIP vs. no proxy: + ~12% (0,070ms) (proxy)
Proxy with HIP vs. proxy without HIP: + ~22% (0,150ms) (IPsec)

Performance (cont.)

Using proxy | Using HIP | Hosts/list | Avg. RTT (20 pkts.)
Yes         | No        | 10         | 0,676ms
Yes         | No        | 50         | 0,693ms
Yes         | No        | 100        | 0,705ms
Yes         | No        | 500        | 0,730ms
Yes         | No        | 1000       | 0,770ms

If the host lists are long:
• Configuration file difficult to manage
• (probably) very much traffic through the proxy
-> Delay from looking up mappings is not the main problem

Further work

• IP version independent HIP proxy
  • Work in progress…
• Improve proxy configuration
  • E.g. check if the configuration file has been edited

Conclusions

• HIP proxy prototype intended as proof-of-concept
  • Concept proven
  • Can be used as a base for a new, improved version
• HIP proxy can be used as a stepping stone when going legacy -> HIP

Comments / Questions?