[hiprg] The Evolution of HIP

Robert Moskowitz <rgm@htt-consult.com> Tue, 03 August 2010 15:43 UTC

Return-Path: <rgm@htt-consult.com>
X-Original-To: hiprg@core3.amsl.com
Delivered-To: hiprg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 43DA33A6A9C for <hiprg@core3.amsl.com>; Tue, 3 Aug 2010 08:43:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.241
X-Spam-Level:
X-Spam-Status: No, score=-0.241 tagged_above=-999 required=5 tests=[AWL=-0.242, BAYES_50=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KQtuH8DU0Ubk for <hiprg@core3.amsl.com>; Tue, 3 Aug 2010 08:43:19 -0700 (PDT)
Received: from klovia.htt-consult.com (klovia.htt-consult.com [208.83.67.149]) by core3.amsl.com (Postfix) with ESMTP id 012473A6AA1 for <hiprg@irtf.org>; Tue, 3 Aug 2010 08:42:49 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by klovia.htt-consult.com (Postfix) with ESMTP id 0EE6268A87; Tue, 3 Aug 2010 15:33:47 +0000 (UTC)
Received: from klovia.htt-consult.com ([127.0.0.1]) by localhost (klovia.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kJXz6aQZ+-Tu; Tue, 3 Aug 2010 11:33:37 -0400 (EDT)
Received: from nc2400.htt-consult.com (h155.home.htt [208.83.67.155]) (Authenticated sender: rgm@htt-consult.com) by klovia.htt-consult.com (Postfix) with ESMTPSA id BD55D68B43; Tue, 3 Aug 2010 11:33:37 -0400 (EDT)
Message-ID: <4C583904.4020205@htt-consult.com>
Date: Tue, 03 Aug 2010 11:43:00 -0400
From: Robert Moskowitz <rgm@htt-consult.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.11) Gecko/20100720 Fedora/3.0.6-1.fc12 Thunderbird/3.0.6
MIME-Version: 1.0
To: HIP WG <hipsec@ietf.org>, hiprg@irtf.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [hiprg] The Evolution of HIP
X-BeenThere: hiprg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Host Identity Protocol \(HIP\) Research Group" <hiprg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/listinfo/hiprg>, <mailto:hiprg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/hiprg>
List-Post: <mailto:hiprg@irtf.org>
List-Help: <mailto:hiprg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/hiprg>, <mailto:hiprg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Aug 2010 15:43:19 -0000

I have been doing some deep thinking over the past few weeks as I look 
at the 3 HIP exchanges and what we are doing with them and what other 
groups are doing with security.

I started HIP with the intent to create a lightweight (in terms of 
packet and crypto cost) for lite protocols.  It quickly evolved to an 
Identity protocol that enables secure communication.

I was always careful NOT to claim that HIP was an alternative keying 
mechanism for IPsec.  Rather it is an Identity Exchange mechinism that 
enables secure communications with protocols like ESP.  To some that is 
twisting words to avoid confrontation, but HIP is not modeled with an 
SPD.  HIP is first, and secure communications is a result of that.  I 
have to work on the wording of this some more to be more concise....

If you look critically at HIP for RFID draft and open your world-view 
you can see HIP as an Identity-based secure signalling channel.  This 
channel can simply pass a signal, as HIP for RFID does when all that is 
communicated is the devices ID. or it can establish a Security 
Association complete with keying material to enable secure communications.

Viewing HIP as a signalling channel opens up possibilities for 
interesting use cases.  Identity can be 'classic HIP' of self-asserted 
Identity that can be validated via an ACL, or X.509 certs can be 
transmitted per the cert doc.

Think about it.

I will be reviewing 4423-bis in this light and seeing what changes can 
be made to turn the model the rest of the way around.  Took me long 
enough to see this.