Re: [RRG] Nimrod, NIIA, HIP... as a long term solution?

Pekka Nikander <pekka.nikander@nomadiclab.com> Sun, 30 September 2007 07:50 UTC

Envelope-to: rrg-data@psg.com
Delivery-date: Sun, 30 Sep 2007 07:52:10 +0000
Mime-Version: 1.0 (Apple Message framework v752.3)
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
Message-Id: <637409F9-4326-4EA9-B944-BD82C8925FFA@nomadiclab.com>
Cc: Routing Research Group list <rrg@psg.com>
Content-Transfer-Encoding: 7bit
From: Pekka Nikander <pekka.nikander@nomadiclab.com>
Subject: Re: [RRG] Nimrod, NIIA, HIP... as a long term solution?
Date: Sun, 30 Sep 2007 10:50:57 +0300
To: Robin Whittle <rw@firstpr.com.au>

Hi Robin,

> My understanding is the HIP involves 128 bit Host Identifiers, to
> which sockets are bound.  From this I understand that HIP can be
> installed in the operating system code of an IPv6 stack, so that
> IPv6-aware applications can use it.
>
> With respect to 99.99?% of desktop and server computers used by
> ordinary folk today, I think your statement doesn't apply, since
> their applications do not support IPv6.

Well, firstly, HIP also works with 32-bit "LSIs", which look like
IPv4 addresses.  However, such LSIs are not globally unique, i.e.,
the same LSI can denote different peers at different hosts.  Hence,
third-party referrals (host A referring the identity of host B,
identifying it by its LSI, to host C) do not work in the global
sense.  (But it can be made to work in a closed network, with some
care.)  There are also HIP implementations that allow using routable
IPv4 addresses as LSIs, more or less similar to the HIP opportunistic
mode [1].

Second, a pretty large fraction of the apps running on Windows, Mac OS X,
and Linux already work with IPv6 now.  There are probably small
glitches here and there, as the APIs are not used by that many people
yet, but basically the mechanisms are there.

Third, as I wrote, it is possible to use HIP with proxies.  In that
way the local network can continue to use IPv4 or convert to IPv6,
independently of what the ISP network uses.  But, as I wrote, the
details of that haven't been specified in the form of an Internet-Draft,
at least not yet.

Fourth, it must be understood that in the HIP case the "API version"
of IP and the "stack version" of IP are really distinct.  You can use
IPv6 APIs over underlying IPv4 internetworking, or vice versa.  You
can even use one version of the API at one end and the other version
at the other end.  For example, already 3-4 years ago we demonstrated
at some IETF meeting how one can use IPv4-look-alike LSIs in a telnet
client to connect to a telnet server in such a way that the telnet server
sees the connection coming from the corresponding IPv6-look-alike
HIT.  The same applies to the underlying IP: with something like SPINAT
[2] in between, you can send packets over IPv4 at one end and
receive them over IPv6 at the other end (and vice versa).

Finally, while the only currently specified way of using HIP is to
use ESP as a wrapper for the data traffic, there is nothing
architecturally specific to that.  In principle, you could use
IPv4+UDP, IPv4+SHIM, or even plain IPv6 wrapping as well, but then you
wouldn't get the integrity and confidentiality that HIP provides.
(In theory, you probably could use IPv4 without UDP or SHIM too, but
that would be pretty brittle due to all those NATs out there; at a
minimum there would be problems with checksums.)

--Pekka Nikander

[1] http://tools.ietf.org/id/draft-henderson-hip-applications-03.txt
[2] Jukka Ylitalo, Patrik Salmela, and Hannes Tschofenig, "SPINAT:
Integrating IPsec into Overlay Routing", in Proc. of the First
International Conference on Security and Privacy for Emerging Areas
in Communication Networks (SecureComm'05), Athens, Greece, September
5-9, 2005.  http://users.tkk.fi/~jylitalo/publications/SecureComm05-Ylitalo-et-al.pdf
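As an added illustration (not part of Pekka's message and not code from any HIP implementation) of why a third-party referral that carries an LSI fails across hosts while one that carries a HIT does not: a toy model in which each host allocates LSIs locally from 1.0.0.0/8 and a HIT is an ORCHID-style value, the 2001:10::/28 prefix followed by 100 hash bits of the host identity. The host names, "keys" and allocation order are constructed assumptions.

```python
import hashlib
import ipaddress

# Constructed toy model of HIP naming (assumption, not any real HIP stack):
# HIT = 28-bit ORCHID prefix 2001:10::/28 + 100 bits of a hash of the host
# identity; LSI = 32-bit value each host hands out locally from 1.0.0.0/8.
ORCHID_PREFIX = 0x20010010 << 96          # 2001:10:: as a 128-bit integer
HASH_MASK = (1 << 100) - 1                # low 100 bits carry the hash


def make_hit(host_identity):
    """Derive a globally unique, key-bound HIT-like value (simplified)."""
    digest = int.from_bytes(hashlib.sha1(host_identity).digest(), "big")
    return ipaddress.IPv6Address(ORCHID_PREFIX | (digest & HASH_MASK))


class HipHost:
    """One host's LSI table: LSI -> HIT, meaningful only on this host."""

    def __init__(self, name):
        self.name = name
        self.hit = make_hit(("public-key-of-" + name).encode())  # constructed
        self._lsi_to_hit = {}
        self._next_lsi = int(ipaddress.IPv4Address("1.0.0.1"))

    def learn_peer(self, peer_hit):
        """Return the local LSI for a HIT, allocating the next free one."""
        for lsi, hit in self._lsi_to_hit.items():
            if hit == peer_hit:
                return lsi
        lsi = ipaddress.IPv4Address(self._next_lsi)
        self._next_lsi += 1
        self._lsi_to_hit[lsi] = peer_hit
        return lsi

    def resolve_lsi(self, lsi):
        """Look an LSI up in this host's own table; None if never bound."""
        return self._lsi_to_hit.get(lsi)


def scenario():
    """A refers B to C; C learned D before B, so their LSI tables disagree."""
    a, b, c, d, e = (HipHost(n) for n in "ABCDE")
    a_lsi_for_b = a.learn_peer(b.hit)          # A's table: 1.0.0.1 -> B
    c.learn_peer(d.hit)                        # C's table: 1.0.0.1 -> D
    c_lsi_for_b = c.learn_peer(b.hit)          # C's table: 1.0.0.2 -> B
    by_lsi = c.resolve_lsi(a_lsi_for_b)        # C silently gets D, not B
    by_hit = c.resolve_lsi(c.learn_peer(b.hit))  # HIT is global: correct
    unknown = e.resolve_lsi(a_lsi_for_b)       # E never bound that LSI
    return {"a_lsi_for_b": str(a_lsi_for_b), "c_lsi_for_b": str(c_lsi_for_b),
            "lsi_referral_ok": by_lsi == b.hit, "hit_referral_ok": by_hit == b.hit,
            "lsi_unknown_elsewhere": unknown is None}
```

Referring by HIT also gives the receiver something it can verify, since the HIT is derived from the peer's public key, which a per-host LSI never is.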

