The other day a few of my colleagues and I went to a local Sysadmins and Networking meetup hosted by SEA-TUG.
The topic of the night was Host Identity Protocol (HIP), and Michael Falkenrath of Tempered Networks presented it. While we don’t currently offer any of Tempered’s solutions in our MSSP offerings, the topic of HIP caught my attention, and I figured it might be a good idea to get more familiar with it in general.
What is Host Identity Protocol (HIP)?
HIP is a host identification technology for use on the Internet. HIP separates the end-point identifier and locator roles of IP addresses.
What does HIP do?
HIP allows consenting hosts to securely establish and maintain shared IP-layer state, allowing separation of the identifier and locator roles of IP addresses. HIP uses public key identifiers from a new Host Identity namespace for mutual peer authentication.
The protocol is designed to be resistant to denial-of-service (DoS) and man-in-the-middle (MitM) attacks. When used together with another suitable security protocol, such as the Encapsulated Security Payload (ESP), it provides integrity protection and encryption for upper-layer protocols, such as TCP and UDP.
Who developed HIP?
HIP was developed concurrently by the IETF (Internet Engineering Task Force) and the IRTF (Internet Research Task Force). It was first documented as IETF RFC 5201 (which you can read here: https://tools.ietf.org/html/rfc5201).
HIP has matured over 15 years of research, development, and deployment from companies like Boeing, Verizon, and Ericsson, as well as universities around the world.
How does HIP work?
Let’s start with how traffic moves across the Internet today. Internet traffic is steered by two namespaces, the Domain Name System (DNS) and IP addresses, and each has essential responsibilities:
- Managing the overall network interface
- Handling the location name
Today an IP address does double duty: it both locates an end node so packets can be delivered to it and identifies the individual host at that node.
HIP lets a host support mobility and multi-homing. Ordinarily a host’s location, expressed as the IP address assigned to its node, is what routes data packets to it; HIP handles this differently.
In a HIP network, IP addresses are eliminated and replaced with cryptographic host identifiers, which are self-generated. The cryptographic host identifiers allow for encrypted peer-to-peer connectivity.
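To make the identifier/locator split concrete, here is an added example in Go (it is not code from this post, from Tempered, or from any HIP implementation): each host self-generates a key pair, derives an IPv6-shaped tag from its public key, sessions are keyed on those tags while a separate table holds the current IP locators, and a peer’s claim to a tag is checked against the key itself rather than against any directory. Assumptions: Ed25519 keys, a simplified ORCHID-style tag layout, and the Host/Session/Verify names, none of which come from the post.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"net/netip"
)

// Host is a self-generated Host Identity: an Ed25519 key pair (key type assumed for this example; HIP defines its own HI suites).
type Host struct {
	Pub  ed25519.PublicKey
	Priv ed25519.PrivateKey
}

func NewHost() (*Host, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Host{Pub: pub, Priv: priv}, err // caller must check err
}

// HIT maps a public key to a 128-bit, IPv6-shaped Host Identity Tag: ORCHID
// prefix 2001:20::/28, a 4-bit algorithm tag, then 96 bits of SHA-256(pub).
// Simplified: the RFCs' exact hash input and truncation rule are not reproduced.
func HIT(pub ed25519.PublicKey) netip.Addr {
	sum := sha256.Sum256(pub)
	var a [16]byte
	a[0], a[1], a[2], a[3] = 0x20, 0x01, 0x00, 0x21 // 2001:002 prefix, tag 1
	copy(a[4:], sum[:12])
	return netip.AddrFrom16(a)
}

// Verify accepts a peer's claim to a HIT only if the presented key hashes to that
// HIT and its signature over our challenge checks out: the tag is self-certifying.
func Verify(claimed netip.Addr, pub ed25519.PublicKey, challenge, sig []byte) bool {
	return HIT(pub) == claimed && ed25519.Verify(pub, challenge, sig)
}

// Session is keyed on the two HITs, never on IP addresses; only Locators changes on a move.
type Session struct {
	Key      [2]netip.Addr             // initiator HIT, responder HIT
	Locators map[netip.Addr]netip.Addr // HIT -> current IP address (locator)
}

func NewSession(i, r *Host, iAddr, rAddr netip.Addr) *Session {
	hi, hr := HIT(i.Pub), HIT(r.Pub)
	return &Session{Key: [2]netip.Addr{hi, hr}, Locators: map[netip.Addr]netip.Addr{hi: iAddr, hr: rAddr}}
}

// Move re-points a locator after a network change; Key is untouched.
func (s *Session) Move(hit, addr netip.Addr) { s.Locators[hit] = addr }
```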
Who should be using HIP?
That’s a good question, and I rightly don’t know the answer to it. I can only go with what Tempered mentioned in the demonstration, and that’s…pretty much everybody.
They’ve deployed their solution for educational institutions, healthcare providers, you name it. However, I'm still very unfamiliar with HIP and I'll need to do a bit more research before I can speak more about its benefits/shortcomings.
Until then, what do you think about HIP? Is it right for you? Let us know in the comments!