2004-12-01

HIP proxy

Patrik Salmela

2004-12-01 2

Contents

Background: ID-locator split HIP Why a HIP proxy Functionality of a HIP proxy The prototype Performance Conclusions

2004-12-01 3

Background: ID – locator split

Currently:IP address serves 2 purposesLocator POW:

• Node moves -> new locator: OKIdentifier POW:

• Node moves -> new identifier: NOT OKIdentifier requirements:

• Stay constant regardless of location and time

2004-12-01 4

Background (cont.)Some ID – locator split solutions

GSE proposal for IPv6 Part of address serves as ID, constant

FARA Framework for designing new architectures

PeerNet DHT and peer-to-peer thinking

I3

IDs registered at I3 servers HIP

2004-12-01 5

The HIP way

ID-locator split• IDID: HI (-> HIT / LSI) locatorlocator: IP address• Packets sent to IDID, routed using locatorlocator

Security• IPsec ESP, SAs created during base exchange

Mobility• Connections between IDs (HITs)• Location update messages

Multihoming• Packets sent to IDID, the routing is irrelevant

The ID is the base for all these features

2004-12-01 6

HIP (cont.)

2004-12-01 7

Why a HIP proxy?

More HIP hosts -> more use for HIP It will take time for HIP to spread A HIP proxy enables HIP between legacy

hosts and HIP hosts

Legacy host HIP hostHIP proxy

HIPIPsec ESP

2004-12-01 8

Why a HIP proxy (cont.)

Promotes HIP• New possibilities to use HIP

Can be used as ”try-then-buy” for HIP• Easier to enable HIP for hosts in a network

• In the long run an all HIP solution is better; less configuration, more freedom/features

• If satisfied by services provided by HIP (proxy) -> upgrade to a HIP host/network

2004-12-01 9

Restrictions for a HIP proxy

No security between proxy and legacy host• Solution: Proxy on the border of a private network

HIP host unaware of proxy, security problem• Solution: Add indication into base exchange

Legacy hosts cannot use all HIP features• Solution: Upgrade to HIP host

2004-12-01 10

Functionality of a HIP proxy

Assign, and use, HITs for legacy hosts

HIP connection from HIP host also possible

2004-12-01 11

The prototype HIP proxy

FreeBSD 5.2, Ericsson Finland’s HIP impl.

IPv6 only

No HIP modified DNS -> HIT-IP mappings in configuration file

Proxy between two small LANs

Uses ip6fw and divert6

2004-12-01 12

The prototype (cont.)

Packets diverted to proxy for processing

All packets coming from priv. net.• Locate HIT-IP mappings

• Replace IP addresses with HITs

Packets from pub. net. with HITs in header• Locate HIT-IP mappings

• Replace HITs with IP addresses

2004-12-01 13

Performance

Using proxy

Using

HIP

Conn. Avg. RTT

(20 pkts.)

No

No

Yes

Yes

Yes

Yes

Yes

Yes

No

No

No

No

Yes

Yes

Yes

Yes

1

2

1

2

1

2

4

8

0,624ms

0,616ms

0,698ms

0,684ms

0,851ms

0,832ms

0,822ms

0,872ms

+ ~12% (0,070ms) (proxy)

+ ~22% (0,150ms) (IPsec)

2004-12-01 14

Performance (cont.)

Using proxy

Using

HIP

Hosts/ list

Avg. RTT

(20 pkts.)

Yes

Yes

Yes

Yes

Yes

No

No

No

No

No

10

50

100

500

1000

0,676ms

0,693ms

0,705ms

0,730ms

0,770ms

If the host lists are long:• Configuration file difficult to manage• (probably) very much traffic through the proxy-> Delay from looking up mappings is not the main problem

2004-12-01 15

Further work

IP version independent HIP proxy• Work in progress…

Improve proxy configuration• E.g. check if configuration file has been

edited

2004-12-01 16

Conclusions

HIP proxy prototype intended as proof-of-concept

• concept proven

Can be used as base for new, improved, version

HIP proxy can be used as a stepping stone when going legacy -> HIP

2004-12-01 17

Comments / Questions?