[Battlemesh] Host Identity Protocol, any experience?

Tom Henderson tomh at tomh.org
Mon Nov 28 17:19:07 UTC 2016


On 11/28/2016 05:05 AM, Linus Lüssing wrote:
> Hi,
>
> Just read about this protocol a few days ago:
>
> https://www.cisco.com/c/en/us/about/press/internet-protocol-journal/back-issues/table-contents-43/121-host.html
> https://en.wikipedia.org/wiki/Host_Identity_Protocol
> https://tools.ietf.org/html/rfc7401
>
> Has anyone had the pleasure to play with it yet?
>
> Seems like it might be a necessity to support truely decentral,
> distributed, dynamic internet uplinks in a public mesh network?
>
> (otherwise, everytime a node with a direct uplink vanishes, TCP
> connections would break or would need some tunneling)
>
>
> The idea of HIP to strip the identity part from IP addresses and
> replacing it with a layer in between, which cryptographically
> generates identities, sounds ingenious!

I've been involved with HIP for a long time.  There have been several 
variations on the basic architecture, but the main idea is to allow 
transport sessions and applications to bind to a stable identifier which 
is a) 128 bits long so that it can be used in place of an IPv6 address 
in protocols and code, and b) the hash of a public key, with enough 
strength to prevent brute force attacks. Think of Mobile IPv6, but with 
the home address being this other IPv6-address-like identifier that is 
bound to a public key.  In mobility and multihoming situations, where IP 
addresses change, a peer host can directly verify that it is indeed 
talking to the same host on different addresses, without checks such as 
return routability.  The network stack is responsible for managing the 
binding of real IP addresses to this HIP identifier, and performing a 
"host NAT" operation on incoming and outgoing datagrams.

One variation for small networks or overlays is to route directly on 
these identifiers:
https://tools.ietf.org/html/rfc6079

Possible drawbacks to HIP are the cost of managing this layer of 
indirection in the stack (including support for NAT traversal, DNS 
extensions, address discovery of mobile hosts, key revocation), and the 
inability to aggregate these identifiers in access control lists.  
However, it has found application in some environments for which 
security is critical (e.g. SCADA networks, some IoT applications).

- Tom


More information about the Battlemesh mailing list