RFC 5201
Host Identity Protocol
6. Packet Processing
Each host is assumed to have a single HIP protocol implementation that manages the host's HIP associations and handles requests for new ones. Each HIP association is governed by a conceptual state machine, with states defined above in Section 4.4. The HIP implementation can simultaneously maintain HIP associations with more than one host. Furthermore, the HIP implementation may have more than one active HIP association with another host; in this case, HIP associations are distinguished by their respective HITs. It is not possible to have more than one HIP association between any given pair of HITs. Consequently, the only way for two hosts to have more than one parallel association is to use different HITs, at least at one end. The processing of packets depends on the state of the HIP association(s) with respect to the authenticated or apparent originator of the packet. A HIP implementation determines whether it has an active association with the originator of the packet based on the HITs. In the case of user data carried in a specific transport format, the transport format document specifies how the incoming packets are matched with the active associations.6.1. Processing Outgoing Application Data
In a HIP host, an application can send application-level data using an identifier specified via the underlying API. The API can be a backwards-compatible API (see [HIP-APP]), using identifiers that look similar to IP addresses, or a completely new API, providing enhanced
services related to Host Identities. Depending on the HIP
implementation, the identifier provided to the application may be
different; for example, it can be a HIT or an IP address.
The exact format and method for transferring the data from the source
HIP host to the destination HIP host is defined in the corresponding
transport format document. The actual data is transferred in the
network using the appropriate source and destination IP addresses.
In this document, conceptual processing rules are defined only for
the base case where both hosts have only single usable IP addresses;
the multi-address multi-homing case will be specified separately.
The following conceptual algorithm describes the steps that are
required for handling outgoing datagrams destined to a HIT.
1. If the datagram has a specified source address, it MUST be a HIT.
If it is not, the implementation MAY replace the source address
with a HIT. Otherwise, it MUST drop the packet.
2. If the datagram has an unspecified source address, the
implementation must choose a suitable source HIT for the
datagram.
3. If there is no active HIP association with the given <source,
destination> HIT pair, one must be created by running the base
exchange. While waiting for the base exchange to complete, the
implementation SHOULD queue at least one packet per HIP
association to be formed, and it MAY queue more than one.
4. Once there is an active HIP association for the given <source,
destination> HIT pair, the outgoing datagram is passed to
transport handling. The possible transport formats are defined
in separate documents, of which the ESP transport format for HIP
is mandatory for all HIP implementations.
5. Before sending the packet, the HITs in the datagram are replaced
with suitable IP addresses. For IPv6, the rules defined in
[RFC3484] SHOULD be followed. Note that this HIT-to-IP-address
conversion step MAY also be performed at some other point in the
stack, e.g., before wrapping the packet into the output format.
6.2. Processing Incoming Application Data
The following conceptual algorithm describes the incoming datagram
handling when HITs are used at the receiving host as application-
level identifiers. More detailed steps for processing packets are
defined in corresponding transport format documents.
1. The incoming datagram is mapped to an existing HIP association,
typically using some information from the packet. For example,
such mapping may be based on the ESP Security Parameter Index
(SPI).
2. The specific transport format is unwrapped, in a way depending on
the transport format, yielding a packet that looks like a
standard (unencrypted) IP packet. If possible, this step SHOULD
also verify that the packet was indeed (once) sent by the remote
HIP host, as identified by the HIP association.
Depending on the used transport mode, the verification method can
vary. While the HI (as well as HIT) is used as the higher-layer
identifier, the verification method has to verify that the data
packet was sent by a node identity and that the actual identity
maps to this particular HIT. When using ESP transport format
[RFC5202], the verification is done using the SPI value in the
data packet to find the corresponding SA with associated HIT and
key, and decrypting the packet with that associated key.
3. The IP addresses in the datagram are replaced with the HITs
associated with the HIP association. Note that this IP-address-
to-HIT conversion step MAY also be performed at some other point
in the stack.
4. The datagram is delivered to the upper layer. When
demultiplexing the datagram, the right upper-layer socket is
based on the HITs.
6.3. Solving the Puzzle
This subsection describes the puzzle-solving details.
In R1, the values I and K are sent in network byte order. Similarly,
in I2, the values I and J are sent in network byte order. The hash
is created by concatenating, in network byte order, the following
data, in the following order and using the RHASH algorithm:
64-bit random value I, in network byte order, as appearing in R1
and I2.
128-bit Initiator's HIT, in network byte order, as appearing in
the HIP Payload in R1 and I2.
128-bit Responder's HIT, in network byte order, as appearing in
the HIP Payload in R1 and I2.
64-bit random value J, in network byte order, as appearing in I2.
In order to be a valid response puzzle, the K low-order bits of the
resulting RHASH digest must be zero.
Notes:
i) The length of the data to be hashed is 48 bytes.
ii) All the data in the hash input MUST be in network byte order.
iii) The order of the Initiator's and Responder's HITs are
different in the R1 and I2 packets; see Section 5.1. Care must be
taken to copy the values in the right order to the hash input.
The following procedure describes the processing steps involved,
assuming that the Responder chooses to precompute the R1 packets:
Precomputation by the Responder:
Sets up the puzzle difficulty K.
Creates a signed R1 and caches it.
Responder:
Selects a suitable cached R1.
Generates a random number I.
Sends I and K in an R1.
Saves I and K for a Delta time.
Initiator:
Generates repeated attempts to solve the puzzle until a matching J
is found:
Ltrunc( RHASH( I | HIT-I | HIT-R | J ), K ) == 0
Sends I and J in an I2.
Responder:
Verifies that the received I is a saved one.
Finds the right K based on I.
Computes V := Ltrunc( RHASH( I | HIT-I | HIT-R | J ), K )
Rejects if V != 0
Accept if V == 0
6.4. HMAC and SIGNATURE Calculation and Verification
The following subsections define the actions for processing HMAC, HIP_SIGNATURE and HIP_SIGNATURE_2 parameters.6.4.1. HMAC Calculation
The following process applies both to the HMAC and HMAC_2 parameters. When processing HMAC_2, the difference is that the HMAC calculation includes a pseudo HOST_ID field containing the Responder's information as sent in the R1 packet earlier. Both the Initiator and the Responder should take some care when verifying or calculating the HMAC_2. Specifically, the Responder should preserve other parameters than the HOST_ID when sending the R2. Also, the Initiator has to preserve the HOST_ID exactly as it was received in the R1 packet. The scope of the calculation for HMAC and HMAC_2 is: HMAC: { HIP header | [ Parameters ] } where Parameters include all HIP parameters of the packet that is being calculated with Type values from 1 to (HMAC's Type value - 1) and exclude parameters with Type values greater or equal to HMAC's Type value. During HMAC calculation, the following applies: o In the HIP header, the Checksum field is set to zero. o In the HIP header, the Header Length field value is calculated to the beginning of the HMAC parameter. Parameter order is described in Section 5.2.1. HMAC_2: { HIP header | [ Parameters ] | HOST_ID } where Parameters include all HIP parameters for the packet that is being calculated with Type values from 1 to (HMAC_2's Type value - 1) and exclude parameters with Type values greater or equal to HMAC_2's Type value. During HMAC_2 calculation, the following applies: o In the HIP header, the Checksum field is set to zero.
o In the HIP header, the Header Length field value is calculated to
the beginning of the HMAC_2 parameter and added to the length of
the concatenated HOST_ID parameter length.
o HOST_ID parameter is exactly in the form it was received in the R1
packet from the Responder.
Parameter order is described in Section 5.2.1, except that the
HOST_ID parameter in this calculation is added to the end.
The HMAC parameter is defined in Section 5.2.9 and the HMAC_2
parameter in Section 5.2.10. The HMAC calculation and verification
process (the process applies both to HMAC and HMAC_2 except where
HMAC_2 is mentioned separately) is as follows:
Packet sender:
1. Create the HIP packet, without the HMAC, HIP_SIGNATURE,
HIP_SIGNATURE_2, or any other parameter with greater Type value
than the HMAC parameter has.
2. In case of HMAC_2 calculation, add a HOST_ID (Responder)
parameter to the end of the packet.
3. Calculate the Header Length field in the HIP header including the
added HOST_ID parameter in case of HMAC_2.
4. Compute the HMAC using either HIP-gl or HIP-lg integrity key
retrieved from KEYMAT as defined in Section 6.5.
5. In case of HMAC_2, remove the HOST_ID parameter from the packet.
6. Add the HMAC parameter to the packet and any parameter with
greater Type value than the HMAC's (HMAC_2's) that may follow,
including possible HIP_SIGNATURE or HIP_SIGNATURE_2 parameters
7. Recalculate the Length field in the HIP header.
Packet receiver:
1. Verify the HIP header Length field.
2. Remove the HMAC or HMAC_2 parameter, as well as all other
parameters that follow it with greater Type value including
possible HIP_SIGNATURE or HIP_SIGNATURE_2 fields, saving the
contents if they will be needed later.
3. In case of HMAC_2, build and add a HOST_ID parameter (with
Responder information) to the packet. The HOST_ID parameter
should be identical to the one previously received from the
Responder.
4. Recalculate the HIP packet length in the HIP header and clear the
Checksum field (set it to all zeros). In case of HMAC_2, the
length is calculated with the added HOST_ID parameter.
5. Compute the HMAC using either HIP-gl or HIP-lg integrity key as
defined in Section 6.5 and verify it against the received HMAC.
6. Set Checksum and Header Length field in the HIP header to
original values.
7. In case of HMAC_2, remove the HOST_ID parameter from the packet
before further processing.
6.4.2. Signature Calculation
The following process applies both to the HIP_SIGNATURE and
HIP_SIGNATURE_2 parameters. When processing HIP_SIGNATURE_2, the
only difference is that instead of HIP_SIGNATURE parameter, the
HIP_SIGNATURE_2 parameter is used, and the Initiator's HIT and PUZZLE
Opaque and Random #I fields are cleared (set to all zeros) before
computing the signature. The HIP_SIGNATURE parameter is defined in
Section 5.2.11 and the HIP_SIGNATURE_2 parameter in Section 5.2.12.
The scope of the calculation for HIP_SIGNATURE and HIP_SIGNATURE_2
is:
HIP_SIGNATURE: { HIP header | [ Parameters ] }
where Parameters include all HIP parameters for the packet that is
being calculated with Type values from 1 to (HIP_SIGNATURE's Type
value - 1).
During signature calculation, the following apply:
o In the HIP header, the Checksum field is set to zero.
o In the HIP header, the Header Length field value is calculated to
the beginning of the HIP_SIGNATURE parameter.
Parameter order is described in Section 5.2.1.
HIP_SIGNATURE_2: { HIP header | [ Parameters ] }
where Parameters include all HIP parameters for the packet that is
being calculated with Type values from 1 to (HIP_SIGNATURE_2's Type
value - 1).
During signature calculation, the following apply:
o In the HIP header, the Initiator's HIT field and Checksum fields
are set to zero.
o In the HIP header, the Header Length field value is calculated to
the beginning of the HIP_SIGNATURE_2 parameter.
o PUZZLE parameter's Opaque and Random #I fields are set to zero.
Parameter order is described in Section 5.2.1.
Signature calculation and verification process (the process applies
both to HIP_SIGNATURE and HIP_SIGNATURE_2 except in the case where
HIP_SIGNATURE_2 is separately mentioned):
Packet sender:
1. Create the HIP packet without the HIP_SIGNATURE parameter or any
parameters that follow the HIP_SIGNATURE parameter.
2. Calculate the Length field and zero the Checksum field in the HIP
header. In case of HIP_SIGNATURE_2, set Initiator's HIT field in
the HIP header as well as PUZZLE parameter's Opaque and Random #I
fields to zero.
3. Compute the signature using the private key corresponding to the
Host Identifier (public key).
4. Add the HIP_SIGNATURE parameter to the packet.
5. Add any parameters that follow the HIP_SIGNATURE parameter.
6. Recalculate the Length field in the HIP header, and calculate the
Checksum field.
Packet receiver:
1. Verify the HIP header Length field.
2. Save the contents of the HIP_SIGNATURE parameter and any
parameters following the HIP_SIGNATURE parameter and remove them
from the packet.
3. Recalculate the HIP packet Length in the HIP header and clear the
Checksum field (set it to all zeros). In case of
HIP_SIGNATURE_2, set Initiator's HIT field in HIP header as well
as PUZZLE parameter's Opaque and Random #I fields to zero.
4. Compute the signature and verify it against the received
signature using the packet sender's Host Identifier (public key).
5. Restore the original packet by adding removed parameters (in step
2) and resetting the values that were set to zero (in step 3).
The verification can use either the HI received from a HIP packet,
the HI from a DNS query, if the FQDN has been received in the HOST_ID
packet, or one received by some other means.
6.5. HIP KEYMAT Generation
HIP keying material is derived from the Diffie-Hellman session key,
Kij, produced during the HIP base exchange (Section 4.1.3). The
Initiator has Kij during the creation of the I2 packet, and the
Responder has Kij once it receives the I2 packet. This is why I2 can
already contain encrypted information.
The KEYMAT is derived by feeding Kij and the HITs into the following
operation; the | operation denotes concatenation.
KEYMAT = K1 | K2 | K3 | ...
where
K1 = RHASH( Kij | sort(HIT-I | HIT-R) | I | J | 0x01 )
K2 = RHASH( Kij | K1 | 0x02 )
K3 = RHASH( Kij | K2 | 0x03 )
...
K255 = RHASH( Kij | K254 | 0xff )
K256 = RHASH( Kij | K255 | 0x00 )
etc.
Sort(HIT-I | HIT-R) is defined as the network byte order
concatenation of the two HITs, with the smaller HIT preceding the
larger HIT, resulting from the numeric comparison of the two HITs
interpreted as positive (unsigned) 128-bit integers in network byte
order.
I and J values are from the puzzle and its solution that were
exchanged in R1 and I2 messages when this HIP association was set up.
Both hosts have to store I and J values for the HIP association for
future use.
The initial keys are drawn sequentially in the order that is
determined by the numeric comparison of the two HITs, with comparison
method described in the previous paragraph. HOST_g denotes the host
with the greater HIT value, and HOST_l the host with the lower HIT
value.
The drawing order for initial keys:
HIP-gl encryption key for HOST_g's outgoing HIP packets
HIP-gl integrity (HMAC) key for HOST_g's outgoing HIP packets
HIP-lg encryption key (currently unused) for HOST_l's outgoing HIP
packets
HIP-lg integrity (HMAC) key for HOST_l's outgoing HIP packets
The number of bits drawn for a given algorithm is the "natural" size
of the keys. For the mandatory algorithms, the following sizes
apply:
AES 128 bits
SHA-1 160 bits
NULL 0 bits
If other key sizes are used, they must be treated as different
encryption algorithms and defined separately.
6.6. Initiation of a HIP Exchange
An implementation may originate a HIP exchange to another host based
on a local policy decision, usually triggered by an application
datagram, in much the same way that an IPsec IKE key exchange can
dynamically create a Security Association. Alternatively, a system may initiate a HIP exchange if it has rebooted or timed out, or otherwise lost its HIP state, as described in Section 4.5.4. The implementation prepares an I1 packet and sends it to the IP address that corresponds to the peer host. The IP address of the peer host may be obtained via conventional mechanisms, such as DNS lookup. The I1 contents are specified in Section 5.3.1. The selection of which Host Identity to use, if a host has more than one to choose from, is typically a policy decision. The following steps define the conceptual processing rules for initiating a HIP exchange: 1. The Initiator gets the Responder's HIT and one or more addresses either from a DNS lookup of the Responder's FQDN, from some other repository, or from a local table. If the Initiator does not know the Responder's HIT, it may attempt opportunistic mode by using NULL (all zeros) as the Responder's HIT. See also "HIP Opportunistic Mode" (Section 4.1.6). 2. The Initiator sends an I1 to one of the Responder's addresses. The selection of which address to use is a local policy decision. 3. Upon sending an I1, the sender shall transition to state I1-SENT, start a timer whose timeout value should be larger than the worst-case anticipated RTT, and shall increment a timeout counter associated with the I1. 4. Upon timeout, the sender SHOULD retransmit the I1 and restart the timer, up to a maximum of I1_RETRIES_MAX tries.6.6.1. Sending Multiple I1s in Parallel
For the sake of minimizing the session establishment latency, an implementation MAY send the same I1 to more than one of the Responder's addresses. However, it MUST NOT send to more than three (3) addresses in parallel. Furthermore, upon timeout, the implementation MUST refrain from sending the same I1 packet to multiple addresses. That is, if it retries to initialize the connection after timeout, it MUST NOT send the I1 packet to more than one destination address. These limitations are placed in order to avoid congestion of the network, and potential DoS attacks that might happen, e.g., because someone's claim to have hundreds or thousands of addresses could generate a huge number of I1 messages from the Initiator.
As the Responder is not guaranteed to distinguish the duplicate I1s it receives at several of its addresses (because it avoids storing states when it answers back an R1), the Initiator may receive several duplicate R1s. The Initiator SHOULD then select the initial preferred destination address using the source address of the selected received R1, and use the preferred address as a source address for the I2. Processing rules for received R1s are discussed in Section 6.8.6.6.2. Processing Incoming ICMP Protocol Unreachable Messages
A host may receive an ICMP 'Destination Protocol Unreachable' message as a response to sending a HIP I1 packet. Such a packet may be an indication that the peer does not support HIP, or it may be an attempt to launch an attack by making the Initiator believe that the Responder does not support HIP. When a system receives an ICMP 'Destination Protocol Unreachable' message while it is waiting for an R1, it MUST NOT terminate the wait. It MAY continue as if it had not received the ICMP message, and send a few more I1s. Alternatively, it MAY take the ICMP message as a hint that the peer most probably does not support HIP, and return to state UNASSOCIATED earlier than otherwise. However, at minimum, it MUST continue waiting for an R1 for a reasonable time before returning to UNASSOCIATED.6.7. Processing Incoming I1 Packets
An implementation SHOULD reply to an I1 with an R1 packet, unless the implementation is unable or unwilling to set up a HIP association. If the implementation is unable to set up a HIP association, the host SHOULD send an ICMP Destination Protocol Unreachable, Administratively Prohibited, message to the I1 source address. If the implementation is unwilling to set up a HIP association, the host MAY ignore the I1. This latter case may occur during a DoS attack such as an I1 flood. The implementation MUST be able to handle a storm of received I1 packets, discarding those with common content that arrive within a small time delta. A spoofed I1 can result in an R1 attack on a system. An R1 sender MUST have a mechanism to rate-limit R1s to an address. It is RECOMMENDED that the HIP state machine does not transition upon sending an R1.
The following steps define the conceptual processing rules for
responding to an I1 packet:
1. The Responder MUST check that the Responder's HIT in the received
I1 is either one of its own HITs or NULL.
2. If the Responder is in ESTABLISHED state, the Responder MAY
respond to this with an R1 packet, prepare to drop existing SAs,
and stay at ESTABLISHED state.
3. If the Responder is in I1-SENT state, it must make a comparison
between the sender's HIT and its own (i.e., the receiver's) HIT.
If the sender's HIT is greater than its own HIT, it should drop
the I1 and stay at I1-SENT. If the sender's HIT is smaller than
its own HIT, it should send R1 and stay at I1-SENT. The HIT
comparison goes similarly as in Section 6.5.
4. If the implementation chooses to respond to the I1 with an R1
packet, it creates a new R1 or selects a precomputed R1 according
to the format described in Section 5.3.2.
5. The R1 MUST contain the received Responder's HIT, unless the
received HIT is NULL, in which case the Responder SHOULD select a
HIT that is constructed with the MUST algorithm in Section 3,
which is currently RSA. Other than that, selecting the HIT is a
local policy matter.
6. The Responder sends the R1 to the source IP address of the I1
packet.
6.7.1. R1 Management
All compliant implementations MUST produce R1 packets. An R1 packet
MAY be precomputed. An R1 packet MAY be reused for time Delta T,
which is implementation dependent, and SHOULD be deprecated and not
used once a valid response I2 packet has been received from an
Initiator. During an I1 message storm, an R1 packet may be re-used
beyond this limit. R1 information MUST NOT be discarded until Delta
S after T. Time S is the delay needed for the last I2 to arrive back
to the Responder.
An implementation MAY keep state about received I1s and match the
received I2s against the state, as discussed in Section 4.1.1.
6.7.2. Handling Malformed Messages
If an implementation receives a malformed I1 message, it SHOULD NOT respond with a NOTIFY message, as such practice could open up a potential denial-of-service danger. Instead, it MAY respond with an ICMP packet, as defined in Section 5.4.6.8. Processing Incoming R1 Packets
A system receiving an R1 MUST first check to see if it has sent an I1 to the originator of the R1 (i.e., it is in state I1-SENT). If so, it SHOULD process the R1 as described below, send an I2, and go to state I2-SENT, setting a timer to protect the I2. If the system is in state I2-SENT, it MAY respond to an R1 if the R1 has a larger R1 generation counter; if so, it should drop its state due to processing the previous R1 and start over from state I1-SENT. If the system is in any other state with respect to that host, it SHOULD silently drop the R1. When sending multiple I1s, an Initiator SHOULD wait for a small amount of time after the first R1 reception to allow possibly multiple R1s to arrive, and it SHOULD respond to an R1 among the set with the largest R1 generation counter. The following steps define the conceptual processing rules for responding to an R1 packet: 1. A system receiving an R1 MUST first check to see if it has sent an I1 to the originator of the R1 (i.e., it has a HIP association that is in state I1-SENT and that is associated with the HITs in the R1). Unless the I1 was sent in opportunistic mode (see Section 4.1.6), the IP addresses in the received R1 packet SHOULD be ignored and, when looking up the right HIP association, the received R1 SHOULD be matched against the associations using only the HITs. If a match exists, the system should process the R1 as described below. 2. Otherwise, if the system is in any other state than I1-SENT or I2-SENT with respect to the HITs included in the R1, it SHOULD silently drop the R1 and remain in the current state. 3. If the HIP association state is I1-SENT or I2-SENT, the received Initiator's HIT MUST correspond to the HIT used in the original, and the I1 and the Responder's HIT MUST correspond to the one used, unless the I1 contained a NULL HIT. 4. The system SHOULD validate the R1 signature before applying further packet processing, according to Section 5.2.12.
5. If the HIP association state is I1-SENT, and multiple valid R1s
are present, the system SHOULD select from among the R1s with
the largest R1 generation counter.
6. If the HIP association state is I2-SENT, the system MAY reenter
state I1-SENT and process the received R1 if it has a larger R1
generation counter than the R1 responded to previously.
7. The R1 packet may have the A bit set -- in this case, the system
MAY choose to refuse it by dropping the R1 and returning to
state UNASSOCIATED. The system SHOULD consider dropping the R1
only if it used a NULL HIT in I1. If the A bit is set, the
Responder's HIT is anonymous and should not be stored.
8. The system SHOULD attempt to validate the HIT against the
received Host Identity by using the received Host Identity to
construct a HIT and verify that it matches the Sender's HIT.
9. The system MUST store the received R1 generation counter for
future reference.
10. The system attempts to solve the puzzle in R1. The system MUST
terminate the search after exceeding the remaining lifetime of
the puzzle. If the puzzle is not successfully solved, the
implementation may either resend I1 within the retry bounds or
abandon the HIP exchange.
11. The system computes standard Diffie-Hellman keying material
according to the public value and Group ID provided in the
DIFFIE_HELLMAN parameter. The Diffie-Hellman keying material
Kij is used for key extraction as specified in Section 6.5. If
the received Diffie-Hellman Group ID is not supported, the
implementation may either resend I1 within the retry bounds or
abandon the HIP exchange.
12. The system selects the HIP transform from the choices presented
in the R1 packet and uses the selected values subsequently when
generating and using encryption keys, and when sending the I2.
If the proposed alternatives are not acceptable to the system,
it may either resend I1 within the retry bounds or abandon the
HIP exchange.
13. The system initializes the remaining variables in the associated
state, including Update ID counters.
14. The system prepares and sends an I2, as described in
Section 5.3.3.
15. The system SHOULD start a timer whose timeout value should be
larger than the worst-case anticipated RTT, and MUST increment a
timeout counter associated with the I2. The sender SHOULD
retransmit the I2 upon a timeout and restart the timer, up to a
maximum of I2_RETRIES_MAX tries.
16. If the system is in state I1-SENT, it shall transition to state
I2-SENT. If the system is in any other state, it remains in the
current state.
6.8.1. Handling Malformed Messages
If an implementation receives a malformed R1 message, it MUST
silently drop the packet. Sending a NOTIFY or ICMP would not help,
as the sender of the R1 typically doesn't have any state. An
implementation SHOULD wait for some more time for a possibly good R1,
after which it MAY try again by sending a new I1 packet.
6.9. Processing Incoming I2 Packets
Upon receipt of an I2, the system MAY perform initial checks to
determine whether the I2 corresponds to a recent R1 that has been
sent out, if the Responder keeps such state. For example, the sender
could check whether the I2 is from an address or HIT that has
recently received an R1 from it. The R1 may have had Opaque data
included that was echoed back in the I2. If the I2 is considered to
be suspect, it MAY be silently discarded by the system.
Otherwise, the HIP implementation SHOULD process the I2. This
includes validation of the puzzle solution, generating the Diffie-
Hellman key, decrypting the Initiator's Host Identity, verifying the
signature, creating state, and finally sending an R2.
The following steps define the conceptual processing rules for
responding to an I2 packet:
1. The system MAY perform checks to verify that the I2 corresponds
to a recently sent R1. Such checks are implementation
dependent. See Appendix A for a description of an example
implementation.
2. The system MUST check that the Responder's HIT corresponds to
one of its own HITs.
3. If the system's state machine is in the R2-SENT state, the
system MAY check if the newly received I2 is similar to the one
that triggered moving to R2-SENT. If so, it MAY retransmit a
previously sent R2, reset the R2-SENT timer, and the state
machine stays in R2-SENT.
4. If the system's state machine is in the I2-SENT state, the
system makes a comparison between its local and sender's HITs
(similarly as in Section 6.5). If the local HIT is smaller than
the sender's HIT, it should drop the I2 packet, use the peer
Diffie-Hellman key and nonce I from the R1 packet received
earlier, and get the local Diffie-Hellman key and nonce J from
the I2 packet sent to the peer earlier. Otherwise, the system
should process the received I2 packet and drop any previously
derived Diffie-Hellman keying material Kij it might have formed
upon sending the I2 previously. The peer Diffie-Hellman key and
the nonce J are taken from the just arrived I2 packet. The
local Diffie-Hellman key and the nonce I are the ones that were
earlier sent in the R1 packet.
5. If the system's state machine is in the I1-SENT state, and the
HITs in the I2 match those used in the previously sent I1, the
system uses this received I2 as the basis for the HIP
association it was trying to form, and stops retransmitting I1
(provided that the I2 passes the below additional checks).
6. If the system's state machine is in any other state than R2-
SENT, the system SHOULD check that the echoed R1 generation
counter in I2 is within the acceptable range. Implementations
MUST accept puzzles from the current generation and MAY accept
puzzles from earlier generations. If the newly received I2 is
outside the accepted range, the I2 is stale (perhaps replayed)
and SHOULD be dropped.
7. The system MUST validate the solution to the puzzle by computing
the hash described in Section 5.3.3 using the same RHASH
algorithm.
8. The I2 MUST have a single value in the HIP_TRANSFORM parameter,
which MUST match one of the values offered to the Initiator in
the R1 packet.
9. The system must derive Diffie-Hellman keying material Kij based
on the public value and Group ID in the DIFFIE_HELLMAN
parameter. This key is used to derive the HIP association keys,
as described in Section 6.5. If the Diffie-Hellman Group ID is
unsupported, the I2 packet is silently dropped.
10. The encrypted HOST_ID is decrypted by the Initiator encryption
key defined in Section 6.5. If the decrypted data is not a
HOST_ID parameter, the I2 packet is silently dropped.
11. The implementation SHOULD also verify that the Initiator's HIT
in the I2 corresponds to the Host Identity sent in the I2.
(Note: some middleboxes may not able to make this verification.)
12. The system MUST verify the HMAC according to the procedures in
Section 5.2.9.
13. The system MUST verify the HIP_SIGNATURE according to
Section 5.2.11 and Section 5.3.3.
14. If the checks above are valid, then the system proceeds with
further I2 processing; otherwise, it discards the I2 and its
state machine remains in the same state.
15. The I2 packet may have the A bit set -- in this case, the system
MAY choose to refuse it by dropping the I2 and the state machine
returns to state UNASSOCIATED. If the A bit is set, the
Initiator's HIT is anonymous and should not be stored.
16. The system initializes the remaining variables in the associated
state, including Update ID counters.
17. Upon successful processing of an I2 when the system's state
machine is in state UNASSOCIATED, I1-SENT, I2-SENT, or R2-SENT,
an R2 is sent and the system's state machine transitions to
state R2-SENT.
18. Upon successful processing of an I2 when the system's state
machine is in state ESTABLISHED, the old HIP association is
dropped and a new one is installed, an R2 is sent, and the
system's state machine transitions to R2-SENT.
19. Upon the system's state machine transitioning to R2-SENT, the
system starts a timer. The state machine transitions to
ESTABLISHED if some data has been received on the incoming HIP
association, or an UPDATE packet has been received (or some
other packet that indicates that the peer system's state machine
has moved to ESTABLISHED). If the timer expires (allowing for
maximal retransmissions of I2s), the state machine transitions
to ESTABLISHED.
6.9.1. Handling Malformed Messages
If an implementation receives a malformed I2 message, the behavior SHOULD depend on how many checks the message has already passed. If the puzzle solution in the message has already been checked, the implementation SHOULD report the error by responding with a NOTIFY packet. Otherwise, the implementation MAY respond with an ICMP message as defined in Section 5.4.6.10. Processing Incoming R2 Packets
An R2 received in states UNASSOCIATED, I1-SENT, or ESTABLISHED results in the R2 being dropped and the state machine staying in the same state. If an R2 is received in state I2-SENT, it SHOULD be processed. The following steps define the conceptual processing rules for an incoming R2 packet: 1. The system MUST verify that the HITs in use correspond to the HITs that were received in the R1. 2. The system MUST verify the HMAC_2 according to the procedures in Section 5.2.10. 3. The system MUST verify the HIP signature according to the procedures in Section 5.2.11. 4. If any of the checks above fail, there is a high probability of an ongoing man-in-the-middle or other security attack. The system SHOULD act accordingly, based on its local policy. 5. If the system is in any other state than I2-SENT, the R2 is silently dropped. 6. Upon successful processing of the R2, the state machine moves to state ESTABLISHED.6.11. Sending UPDATE Packets
A host sends an UPDATE packet when it wants to update some information related to a HIP association. There are a number of likely situations, e.g., mobility management and rekeying of an existing ESP Security Association. The following paragraphs define the conceptual rules for sending an UPDATE packet to the peer. Additional steps can be defined in other documents where the UPDATE packet is used.
The system first determines whether there are any outstanding UPDATE
messages that may conflict with the new UPDATE message under
consideration. When multiple UPDATEs are outstanding (not yet
acknowledged), the sender must assume that such UPDATEs may be
processed in an arbitrary order. Therefore, any new UPDATEs that
depend on a previous outstanding UPDATE being successfully received
and acknowledged MUST be postponed until reception of the necessary
ACK(s) occurs. One way to prevent any conflicts is to only allow one
outstanding UPDATE at a time. However, allowing multiple UPDATEs may
improve the performance of mobility and multihoming protocols.
The following steps define the conceptual processing rules for
sending UPDATE packets.
1. The first UPDATE packet is sent with Update ID of zero.
Otherwise, the system increments its own Update ID value by one
before continuing the below steps.
2. The system creates an UPDATE packet that contains a SEQ parameter
with the current value of Update ID. The UPDATE packet may also
include an ACK of the peer's Update ID found in a received UPDATE
SEQ parameter, if any.
3. The system sends the created UPDATE packet and starts an UPDATE
timer. The default value for the timer is 2 * RTT estimate. If
multiple UPDATEs are outstanding, multiple timers are in effect.
4. If the UPDATE timer expires, the UPDATE is resent. The UPDATE
can be resent UPDATE_RETRY_MAX times. The UPDATE timer SHOULD be
exponentially backed off for subsequent retransmissions. If no
acknowledgment is received from the peer after UPDATE_RETRY_MAX
times, the HIP association is considered to be broken and the
state machine should move from state ESTABLISHED to state CLOSING
as depicted in Section 4.4.3. The UPDATE timer is cancelled upon
receiving an ACK from the peer that acknowledges receipt of the
UPDATE.
6.12. Receiving UPDATE Packets
When a system receives an UPDATE packet, its processing depends on
the state of the HIP association and the presence and values of the
SEQ and ACK parameters. Typically, an UPDATE message also carries
optional parameters whose handling is defined in separate documents.
For each association, the peer's next expected in-sequence Update ID
("peer Update ID") is stored. Initially, this value is zero. Update
ID comparisons of "less than" and "greater than" are performed with
respect to a circular sequence number space.
The sender may send multiple outstanding UPDATE messages. These
messages are processed in the order in which they are received at the
receiver (i.e., no resequencing is performed). When processing
UPDATEs out-of-order, the receiver MUST keep track of which UPDATEs
were previously processed, so that duplicates or retransmissions are
ACKed and not reprocessed. A receiver MAY choose to define a receive
window of Update IDs that it is willing to process at any given time,
and discard received UPDATEs falling outside of that window.
The following steps define the conceptual processing rules for
receiving UPDATE packets.
1. If there is no corresponding HIP association, the implementation
MAY reply with an ICMP Parameter Problem, as specified in
Section 5.4.4.
2. If the association is in the ESTABLISHED state and the SEQ (but
not ACK) parameter is present, the UPDATE is processed and
replied to as described in Section 6.12.1.
3. If the association is in the ESTABLISHED state and the ACK (but
not SEQ) parameter is present, the UPDATE is processed as
described in Section 6.12.2.
4. If the association is in the ESTABLISHED state and there is both
an ACK and SEQ in the UPDATE, the ACK is first processed as
described in Section 6.12.2, and then the rest of the UPDATE is
processed as described in Section 6.12.1.
6.12.1. Handling a SEQ Parameter in a Received UPDATE Message
The following steps define the conceptual processing rules for
handling a SEQ parameter in a received UPDATE packet.
1. If the Update ID in the received SEQ is not the next in the
sequence of Update IDs and is greater than the receiver's window
for new UPDATEs, the packet MUST be dropped.
2. If the Update ID in the received SEQ corresponds to an UPDATE
that has recently been processed, the packet is treated as a
retransmission. The HMAC verification (next step) MUST NOT be
skipped. (A byte-by-byte comparison of the received and a stored
packet would be OK, though.) It is recommended that a host cache
UPDATE packets sent with ACKs to avoid the cost of generating a
new ACK packet to respond to a replayed UPDATE. The system MUST
acknowledge, again, such (apparent) UPDATE message
retransmissions but SHOULD also consider rate-limiting such
retransmission responses to guard against replay attacks.
3. The system MUST verify the HMAC in the UPDATE packet. If the
verification fails, the packet MUST be dropped.
4. The system MAY verify the SIGNATURE in the UPDATE packet. If the
verification fails, the packet SHOULD be dropped and an error
message logged.
5. If a new SEQ parameter is being processed, the parameters in the
UPDATE are then processed. The system MUST record the Update ID
in the received SEQ parameter, for replay protection.
6. An UPDATE acknowledgment packet with ACK parameter is prepared
and sent to the peer. This ACK parameter may be included in a
separate UPDATE or piggybacked in an UPDATE with SEQ parameter,
as described in Section 5.3.5. The ACK parameter MAY acknowledge
more than one of the peer's Update IDs.
6.12.2. Handling an ACK Parameter in a Received UPDATE Packet
The following steps define the conceptual processing rules for
handling an ACK parameter in a received UPDATE packet.
1. The sequence number reported in the ACK must match with an
earlier sent UPDATE packet that has not already been
acknowledged. If no match is found or if the ACK does not
acknowledge a new UPDATE, the packet MUST either be dropped if no
SEQ parameter is present, or the processing steps in
Section 6.12.1 are followed.
2. The system MUST verify the HMAC in the UPDATE packet. If the
verification fails, the packet MUST be dropped.
3. The system MAY verify the SIGNATURE in the UPDATE packet. If the
verification fails, the packet SHOULD be dropped and an error
message logged.
4. The corresponding UPDATE timer is stopped (see Section 6.11) so
that the now acknowledged UPDATE is no longer retransmitted. If
multiple UPDATEs are newly acknowledged, multiple timers are
stopped.
6.13. Processing NOTIFY Packets
Processing NOTIFY packets is OPTIONAL. If processed, any errors in a
received NOTIFICATION parameter SHOULD be logged. Received errors
MUST be considered only as informational, and the receiver SHOULD NOT
change its HIP state (Section 4.4.1) purely based on the received
NOTIFY message.
6.14. Processing CLOSE Packets
When the host receives a CLOSE message, it responds with a CLOSE_ACK message and moves to CLOSED state. (The authenticity of the CLOSE message is verified using both HMAC and SIGNATURE). This processing applies whether or not the HIP association state is CLOSING in order to handle CLOSE messages from both ends that cross in flight. The HIP association is not discarded before the host moves from the UNASSOCIATED state. Once the closing process has started, any need to send data packets will trigger creating and establishing of a new HIP association, starting with sending an I1. If there is no corresponding HIP association, the CLOSE packet is dropped.6.15. Processing CLOSE_ACK Packets
When a host receives a CLOSE_ACK message, it verifies that it is in CLOSING or CLOSED state and that the CLOSE_ACK was in response to the CLOSE (using the included ECHO_RESPONSE_SIGNED in response to the sent ECHO_REQUEST_SIGNED). The CLOSE_ACK uses HMAC and SIGNATURE for verification. The state is discarded when the state changes to UNASSOCIATED and, after that, the host MAY respond with an ICMP Parameter Problem to an incoming CLOSE message (see Section 5.4.4).6.16. Handling State Loss
In the case of system crash and unanticipated state loss, the system SHOULD delete the corresponding HIP state, including the keying material. That is, the state SHOULD NOT be stored on stable storage. If the implementation does drop the state (as RECOMMENDED), it MUST also drop the peer's R1 generation counter value, unless a local policy explicitly defines that the value of that particular host is stored. An implementation MUST NOT store R1 generation counters by default, but storing R1 generation counter values, if done, MUST be configured by explicit HITs.
7. HIP Policies
There are a number of variables that will influence the HIP exchanges that each host must support. All HIP implementations MUST support more than one simultaneous HI, at least one of which SHOULD be reserved for anonymous usage. Although anonymous HIs will be rarely used as Responders' HIs, they will be common for Initiators. Support for more than two HIs is RECOMMENDED. Many Initiators would want to use a different HI for different Responders. The implementations SHOULD provide for an ACL of Initiator's HIT to Responder's HIT. This ACL SHOULD also include preferred transform and local lifetimes. The value of K used in the HIP R1 packet can also vary by policy. K should never be greater than 20, but for trusted partners it could be as low as 0. Responders would need a similar ACL, representing which hosts they accept HIP exchanges, and the preferred transform and local lifetimes. Wildcarding SHOULD be supported for this ACL also.8. Security Considerations
HIP is designed to provide secure authentication of hosts. HIP also attempts to limit the exposure of the host to various denial-of- service and man-in-the-middle (MitM) attacks. In so doing, HIP itself is subject to its own DoS and MitM attacks that potentially could be more damaging to a host's ability to conduct business as usual. The 384-bit Diffie-Hellman Group is targeted to be used in hosts that either do not require or are not powerful enough for handling strong cryptography. Although there is a risk that with suitable equipment the encryption can be broken in real time, the 384-bit group can provide some protection for end-hosts that are not able to handle any stronger cryptography. When the security provided by the 384-bit group is not enough for applications on a host, the support for this group should be turned off in the configuration. Denial-of-service attacks often take advantage of the cost of start of state for a protocol on the Responder compared to the 'cheapness' on the Initiator. HIP makes no attempt to increase the cost of the start of state on the Initiator, but makes an effort to reduce the cost to the Responder. This is done by having the Responder start the 3-way exchange instead of the Initiator, making the HIP protocol 4 packets long. In doing this, packet 2 becomes a 'stock' packet that the Responder MAY use many times, until some Initiator has
provided a valid response to such an R1 packet. During an I1 storm, the host may reuse the same D-H value also even if some Initiator has provided a valid response using that particular D-H value. However, such behavior is discouraged and should be avoided. Using the same Diffie-Hellman values and random puzzle #I value has some risks. This risk needs to be balanced against a potential storm of HIP I1 packets. This shifting of the start of state cost to the Initiator in creating the I2 HIP packet, presents another DoS attack. The attacker spoofs the I1 HIP packet and the Responder sends out the R1 HIP packet. This could conceivably tie up the 'Initiator' with evaluating the R1 HIP packet, and creating the I2 HIP packet. The defense against this attack is to simply ignore any R1 packet where a corresponding I1 was not sent. A second form of DoS attack arrives in the I2 HIP packet. Once the attacking Initiator has solved the puzzle, it can send packets with spoofed IP source addresses with either an invalid encrypted HIP payload component or a bad HIP signature. This would take resources in the Responder's part to reach the point to discover that the I2 packet cannot be completely processed. The defense against this attack is after N bad I2 packets, the Responder would discard any I2s that contain the given Initiator HIT. This will shut down the attack. The attacker would have to request another R1 and use that to launch a new attack. The Responder could up the value of K while under attack. On the downside, valid I2s might get dropped too. A third form of DoS attack is emulating the restart of state after a reboot of one of the partners. A restarting host would send an I1 to a peer, which would respond with an R1 even if it were in the ESTABLISHED state. If the I1 were spoofed, the resulting R1 would be received unexpectedly by the spoofed host and would be dropped, as in the first case above. A fourth form of DoS attack is emulating the end of state. HIP relies on timers plus a CLOSE/CLOSE_ACK handshake to explicitly signal the end of a HIP association. Because both CLOSE and CLOSE_ACK messages contain an HMAC, an outsider cannot close a connection. The presence of an additional SIGNATURE allows middleboxes to inspect these messages and discard the associated state (for e.g., firewalling, SPI-based NATing, etc.). However, the optional behavior of replying to CLOSE with an ICMP Parameter Problem packet (as described in Section 5.4.4) might allow an IP spoofer sending CLOSE messages to launch reflection attacks.
A fifth form of DoS attack is replaying R1s to cause the Initiator to solve stale puzzles and become out of synchronization with the Responder. The R1 generation counter is a monotonically increasing counter designed to protect against this attack, as described in Section 4.1.4. Man-in-the-middle attacks are difficult to defend against, without third-party authentication. A skillful MitM could easily handle all parts of HIP, but HIP indirectly provides the following protection from a MitM attack. If the Responder's HI is retrieved from a signed DNS zone, a certificate, or through some other secure means, the Initiator can use this to validate the R1 HIP packet. Likewise, if the Initiator's HI is in a secure DNS zone, a trusted certificate, or otherwise securely available, the Responder can retrieve the HI (after having got the I2 HIP packet) and verify that the HI indeed can be trusted. However, since an Initiator may choose to use an anonymous HI, it knowingly risks a MitM attack. The Responder may choose not to accept a HIP exchange with an anonymous Initiator. The HIP Opportunistic Mode concept has been introduced in this document, but this document does not specify what the semantics of such a connection setup are for applications. There are certain concerns with opportunistic mode, as discussed in Section 4.1.6. NOTIFY messages are used only for informational purposes and they are unacknowledged. A HIP implementation cannot rely solely on the information received in a NOTIFY message because the packet may have been replayed. It SHOULD NOT change any state information based purely on a received NOTIFY message. Since not all hosts will ever support HIP, ICMP 'Destination Protocol Unreachable' messages are to be expected and present a DoS attack. Against an Initiator, the attack would look like the Responder does not support HIP, but shortly after receiving the ICMP message, the Initiator would receive a valid R1 HIP packet. Thus, to protect from this attack, an Initiator should not react to an ICMP message until a reasonable delta time to get the real Responder's R1 HIP packet. A similar attack against the Responder is more involved. Normally, if an I1 message received by a Responder was a bogus one sent by an attacker, the Responder may receive an ICMP message from the IP address the R1 message was sent to. However, a sophisticated attacker can try to take advantage of such a behavior and try to break up the HIP exchange by sending such an ICMP message to the Responder before the Initiator has a chance to send a valid I2 message. Hence, the Responder SHOULD NOT act on such an ICMP message. Especially, it SHOULD NOT remove any minimal state created
when it sent the R1 HIP packet (if it did create one), but wait for either a valid I2 HIP packet or the natural timeout (that is, if R1 packets are tracked at all). Likewise, the Initiator should ignore any ICMP message while waiting for an R2 HIP packet, and should delete any pending state only after a natural timeout.9. IANA Considerations
IANA has reserved protocol number 139 for the Host Identity Protocol. This document defines a new 128-bit value under the CGA Message Type namespace [RFC3972], 0xF0EF F02F BFF4 3D0F E793 0C3C 6E61 74EA, to be used for HIT generation as specified in ORCHID [RFC4843]. This document also creates a set of new namespaces. These are described below. Packet Type The 7-bit Packet Type field in a HIP protocol packet describes the type of a HIP protocol message. It is defined in Section 5.1. The current values are defined in Sections 5.3.1 through 5.3.8. New values are assigned through IETF Consensus [RFC2434]. HIP Version The four-bit Version field in a HIP protocol packet describes the version of the HIP protocol. It is defined in Section 5.1. The only currently defined value is 1. New values are assigned through IETF Consensus. Parameter Type The 16-bit Type field in a HIP parameter describes the type of the parameter. It is defined in Section 5.2.1. The current values are defined in Sections 5.2.3 through 5.2.20. With the exception of the assigned Type codes, the Type codes 0 through 1023 and 61440 through 65535 are reserved for future base protocol extensions, and are assigned through IETF Consensus. The Type codes 32768 through 49141 are reserved for experimentation. Types SHOULD be selected in a random fashion from this range, thereby reducing the probability of collisions. A method employing genuine randomness (such as flipping a coin) SHOULD be used.
All other Type codes are assigned through First Come First Served,
with Specification Required [RFC2434].
Group ID
The eight-bit Group ID values appear in the DIFFIE_HELLMAN
parameter and are defined in Section 5.2.6. New values either
from the reserved or unassigned space are assigned through IETF
Consensus.
Suite ID
The 16-bit Suite ID values in a HIP_TRANSFORM parameter are
defined in Section 5.2.7. New values either from the reserved or
unassigned space are assigned through IETF Consensus.
DI-Type
The four-bit DI-Type values in a HOST_ID parameter are defined in
Section 5.2.8. New values are assigned through IETF Consensus.
Notify Message Type
The 16-bit Notify Message Type values in a NOTIFICATION parameter
are defined in Section 5.2.16.
Notify Message Type values 1-10 are used for informing about
errors in packet structures, values 11-20 for informing about
problems in parameters containing cryptographic related material,
values 21-30 for informing about problems in authentication or
packet integrity verification. Parameter numbers above 30 can be
used for informing about other types of errors or events. Values
51-8191 are error types reserved to be allocated by IANA. Values
8192-16383 are error types for experimentation. Values 16385-
40959 are status types to be allocated by IANA, and values 40960-
65535 are status types for experimentation. New values in ranges
51-8191 and 16385-40959 are assigned through First Come First
Served, with Specification Required.
10. Acknowledgments
The drive to create HIP came to being after attending the MALLOC
meeting at the 43rd IETF meeting. Baiju Patel and Hilarie Orman
really gave the original author, Bob Moskowitz, the assist to get HIP
beyond 5 paragraphs of ideas. It has matured considerably since the
early versions thanks to extensive input from IETFers. Most
importantly, its design goals are articulated and are different from
other efforts in this direction. Particular mention goes to the
members of the NameSpace Research Group of the IRTF. Noel Chiappa provided valuable input at early stages of discussions about identifier handling and Keith Moore the impetus to provide resolvability. Steve Deering provided encouragement to keep working, as a solid proposal can act as a proof of ideas for a research group. Many others contributed; extensive security tips were provided by Steve Bellovin. Rob Austein kept the DNS parts on track. Paul Kocher taught Bob Moskowitz how to make the puzzle exchange expensive for the Initiator to respond, but easy for the Responder to validate. Bill Sommerfeld supplied the Birthday concept, which later evolved into the R1 generation counter, to simplify reboot management. Erik Nordmark supplied the CLOSE-mechanism for closing connections. Rodney Thayer and Hugh Daniels provided extensive feedback. In the early times of this document, John Gilmore kept Bob Moskowitz challenged to provide something of value. During the later stages of this document, when the editing baton was transferred to Pekka Nikander, the input from the early implementors was invaluable. Without having actual implementations, this document would not be on the level it is now. In the usual IETF fashion, a large number of people have contributed to the actual text or ideas. The list of these people include Jeff Ahrenholz, Francis Dupont, Derek Fawcus, George Gross, Andrew McGregor, Julien Laganier, Miika Komu, Mika Kousa, Jan Melen, Henrik Petander, Michael Richardson, Tim Shepard, Jorma Wall, and Jukka Ylitalo. Our apologies to anyone whose name is missing. Once the HIP Working Group was founded in early 2004, a number of changes were introduced through the working group process. Most notably, the original document was split in two, one containing the base exchange and the other one defining how to use ESP. Some modifications to the protocol proposed by Aura, et al., [AUR03] were added at a later stage.
11. References
11.1. Normative References
[FIPS95] NIST, "FIPS PUB 180-1: Secure Hash Standard", April 1995. [RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, August 1980. [RFC1035] Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, November 1987. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC2404] Madson, C. and R. Glenn, "The Use of HMAC-SHA-1-96 within ESP and AH", RFC 2404, November 1998. [RFC2451] Pereira, R. and R. Adams, "The ESP CBC-Mode Cipher Algorithms", RFC 2451, November 1998. [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", RFC 2460, December 1998. [RFC2463] Conta, A. and S. Deering, "Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification", RFC 2463, December 1998. [RFC2536] Eastlake, D., "DSA KEYs and SIGs in the Domain Name System (DNS)", RFC 2536, March 1999. [RFC2898] Kaliski, B., "PKCS #5: Password-Based Cryptography Specification Version 2.0", RFC 2898, September 2000. [RFC3110] Eastlake, D., "RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)", RFC 3110, May 2001. [RFC3484] Draves, R., "Default Address Selection for Internet Protocol version 6 (IPv6)", RFC 3484, February 2003. [RFC3526] Kivinen, T. and M. Kojo, "More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)", RFC 3526, May 2003. [RFC3602] Frankel, S., Glenn, R., and S. Kelly, "The AES-CBC Cipher Algorithm and Its Use with IPsec", RFC 3602, September 2003.
[RFC3972] Aura, T., "Cryptographically Generated Addresses (CGA)", RFC 3972, March 2005. [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Resource Records for the DNS Security Extensions", RFC 4034, March 2005. [RFC4282] Aboba, B., Beadles, M., Arkko, J., and P. Eronen, "The Network Access Identifier", RFC 4282, December 2005. [RFC4307] Schiller, J., "Cryptographic Algorithms for Use in the Internet Key Exchange Version 2 (IKEv2)", RFC 4307, December 2005. [RFC4843] Nikander, P., Laganier, J., and F. Dupont, "An IPv6 Prefix for Overlay Routable Cryptographic Hash Identifiers (ORCHID)", RFC 4843, April 2007. [RFC5202] Jokela, P., Moskowitz, R., and P. Nikander, "Using the Encapsulating Security Payload (ESP) Transport Format with the Host Identity Protocol (HIP)", RFC 5202, April 2008.11.2. Informative References
[AUR03] Aura, T., Nagarajan, A., and A. Gurtov, "Analysis of the HIP Base Exchange Protocol", in Proceedings of 10th Australasian Conference on Information Security and Privacy, July 2003. [CRO03] Crosby, SA. and DS. Wallach, "Denial of Service via Algorithmic Complexity Attacks", in Proceedings of Usenix Security Symposium 2003, Washington, DC., August 2003. [DIF76] Diffie, W. and M. Hellman, "New Directions in Cryptography", IEEE Transactions on Information Theory vol. IT-22, number 6, pages 644-654, Nov 1976. [FIPS01] NIST, "FIPS PUB 197: Advanced Encryption Standard", Nov 2001. [HIP-APP] Henderson, T., Nikander, P., and M. Komu, "Using the Host Identity Protocol with Legacy Applications", Work in Progress, November 2007.
[IPsec-APIs] Richardson, M., Williams, N., Komu, M., and S. Tarkoma, "IPsec Application Programming Interfaces", Work in Progress, February 2008. [KAU03] Kaufman, C., Perlman, R., and B. Sommerfeld, "DoS protection for UDP-based protocols", ACM Conference on Computer and Communications Security , Oct 2003. [KRA03] Krawczyk, H., "SIGMA: The 'SIGn-and-MAc' Approach to Authenticated Diffie-Hellman and Its Use in the IKE- Protocols", in Proceedings of CRYPTO 2003, pages 400- 425, August 2003. [RFC0792] Postel, J., "Internet Control Message Protocol", STD 5, RFC 792, September 1981. [RFC2412] Orman, H., "The OAKLEY Key Determination Protocol", RFC 2412, November 1998. [RFC2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 2434, October 1998. [RFC4306] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol", RFC 4306, December 2005. [RFC4423] Moskowitz, R. and P. Nikander, "Host Identity Protocol (HIP) Architecture", RFC 4423, May 2006. [RFC5204] Laganier, J. and L. Eggert, "Host Identity Protocol (HIP) Rendezvous Extension", RFC 5204, April 2008. [RFC5205] Nikander, P. and J. Laganier, "Host Identity Protocol (HIP) Domain Name System (DNS) Extensions", RFC 5205, April 2008. [RFC5206] Henderson, T., Ed., "End-Host Mobility and Multihoming with the Host Identity Protocol", RFC 5206, April 2008. [SHIM6-PROTO] Nordmark, E. and M. Bagnulo, "Shim6: Level 3 Multihoming Shim Protocol for IPv6", Work in Progress, February 2008.
Appendix A. Using Responder Puzzles
As mentioned in Section 4.1.1, the Responder may delay state creation and still reject most spoofed I2s by using a number of pre-calculated R1s and a local selection function. This appendix defines one possible implementation in detail. The purpose of this appendix is to give the implementors an idea on how to implement the mechanism. If the implementation is based on this appendix, it MAY contain some local modification that makes an attacker's task harder. The Responder creates a secret value S, that it regenerates periodically. The Responder needs to remember the two latest values of S. Each time the S is regenerated, the R1 generation counter value is incremented by one. The Responder generates a pre-signed R1 packet. The signature for pre-generated R1s must be recalculated when the Diffie-Hellman key is recomputed or when the R1_COUNTER value changes due to S value regeneration. When the Initiator sends the I1 packet for initializing a connection, the Responder gets the HIT and IP address from the packet, and generates an I value for the puzzle. The I value is set to the pre- signed R1 packet. I value calculation: I = Ltrunc( RHASH ( S | HIT-I | HIT-R | IP-I | IP-R ), 64) The RHASH algorithm is the same that is used to generate the Responder's HIT value. From an incoming I2 packet, the Responder gets the required information to validate the puzzle: HITs, IP addresses, and the information of the used S value from the R1_COUNTER. Using these values, the Responder can regenerate the I, and verify it against the I received in the I2 packet. If the I values match, it can verify the solution using I, J, and difficulty K. If the I values do not match, the I2 is dropped. puzzle_check: V := Ltrunc( RHASH( I2.I | I2.hit_i | I2.hit_r | I2.J ), K ) if V != 0, drop the packet If the puzzle solution is correct, the I and J values are stored for later use. They are used as input material when keying material is generated.
Keeping state about failed puzzle solutions depends on the implementation. Although it is possible for the Responder not to keep any state information, it still may do so to protect itself against certain attacks (see Section 4.1.1).Appendix B. Generating a Public Key Encoding from an HI
The following pseudo-code illustrates the process to generate a public key encoding from an HI for both RSA and DSA. The symbol := denotes assignment; the symbol += denotes appending. The pseudo-function encode_in_network_byte_order takes two parameters, an integer (bignum) and a length in bytes, and returns the integer encoded into a byte string of the given length. switch ( HI.algorithm ) { case RSA: buffer := encode_in_network_byte_order ( HI.RSA.e_len, ( HI.RSA.e_len > 255 ) ? 3 : 1 ) buffer += encode_in_network_byte_order ( HI.RSA.e, HI.RSA.e_len ) buffer += encode_in_network_byte_order ( HI.RSA.n, HI.RSA.n_len ) break; case DSA: buffer := encode_in_network_byte_order ( HI.DSA.T , 1 ) buffer += encode_in_network_byte_order ( HI.DSA.Q , 20 ) buffer += encode_in_network_byte_order ( HI.DSA.P , 64 + 8 * HI.DSA.T ) buffer += encode_in_network_byte_order ( HI.DSA.G , 64 + 8 * HI.DSA.T ) buffer += encode_in_network_byte_order ( HI.DSA.Y , 64 + 8 * HI.DSA.T ) break; }
Appendix C. Example Checksums for HIP Packets
The HIP checksum for HIP packets is specified in Section 5.1.1. Checksums for TCP and UDP packets running over HIP-enabled security associations are specified in Section 3.5. The examples below use IP addresses of 192.168.0.1 and 192.168.0.2 (and their respective IPv4- compatible IPv6 formats), and HITs with the prefix of 2001:10 followed by zeros, followed by a decimal 1 or 2, respectively. The following example is defined only for testing a checksum calculation. The address format for the IPv4-compatible IPv6 address is not a valid one, but using these IPv6 addresses when testing an IPv6 implementation gives the same checksum output as an IPv4 implementation with the corresponding IPv4 addresses.C.1. IPv6 HIP Example (I1)
Source Address: ::192.168.0.1 Destination Address: ::192.168.0.2 Upper-Layer Packet Length: 40 0x28 Next Header: 139 0x8b Payload Protocol: 59 0x3b Header Length: 4 0x4 Packet Type: 1 0x1 Version: 1 0x1 Reserved: 1 0x1 Control: 0 0x0 Checksum: 446 0x1be Sender's HIT : 2001:10::1 Receiver's HIT: 2001:10::2C.2. IPv4 HIP Packet (I1)
The IPv4 checksum value for the same example I1 packet is the same as the IPv6 checksum (since the checksums due to the IPv4 and IPv6 pseudo-header components are the same).
C.3. TCP Segment
Regardless of whether IPv6 or IPv4 is used, the TCP and UDP sockets use the IPv6 pseudo-header format [RFC2460], with the HITs used in place of the IPv6 addresses. Sender's HIT: 2001:10::1 Receiver's HIT: 2001:10::2 Upper-Layer Packet Length: 20 0x14 Next Header: 6 0x06 Source port: 65500 0xffdc Destination port: 22 0x0016 Sequence number: 1 0x00000001 Acknowledgment number: 0 0x00000000 Header length: 20 0x14 Flags: SYN 0x02 Window size: 65535 0xffff Checksum: 28618 0x6fca Urgent pointer: 0 0x0000 0x0000: 6000 0000 0014 0640 2001 0010 0000 0000 0x0010: 0000 0000 0000 0001 2001 0010 0000 0000 0x0020: 0000 0000 0000 0002 ffdc 0016 0000 0001 0x0030: 0000 0000 5002 ffff 6fca 0000Appendix D. 384-Bit Group
This 384-bit group is defined only to be used with HIP. NOTE: The security level of this group is very low! The encryption may be broken in a very short time, even real-time. It should be used only when the host is not powerful enough (e.g., some PDAs) and when security requirements are low (e.g., during normal web surfing). This prime is: 2^384 - 2^320 - 1 + 2^64 * { [ 2^254 pi] + 5857 } Its hexadecimal value is: FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74 020BBEA6 3B13B202 FFFFFFFF FFFFFFFF The generator is: 2.
Appendix E. OAKLEY Well-Known Group 1
See also [RFC2412] for definition of OAKLEY well-known group 1. OAKLEY Well-Known Group 1: A 768-bit prime The prime is 2^768 - 2^704 - 1 + 2^64 * { [2^638 pi] + 149686 }. The hexadecimal value is: FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A63A3620 FFFFFFFF FFFFFFFF This has been rigorously verified as a prime. The generator is: 22 (decimal)
Authors' Addresses
Robert Moskowitz ICSAlabs, An Independent Division of Verizon Business Systems 1000 Bent Creek Blvd, Suite 200 Mechanicsburg, PA USA EMail: rgm@icsalabs.com Pekka Nikander Ericsson Research NomadicLab JORVAS FIN-02420 FINLAND Phone: +358 9 299 1 EMail: pekka.nikander@nomadiclab.com Petri Jokela (editor) Ericsson Research NomadicLab JORVAS FIN-02420 FINLAND Phone: +358 9 299 1 EMail: petri.jokela@nomadiclab.com Thomas R. Henderson The Boeing Company P.O. Box 3707 Seattle, WA USA EMail: thomas.r.henderson@boeing.com
Full Copyright Statement Copyright (C) The IETF Trust (2008). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intellectual Property The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.