draft-ietf-hip-arch-01.txt   draft-ietf-hip-arch-02.txt 
Network Working Group R. Moskowitz Network Working Group R. Moskowitz
Internet-Draft ICSAlabs, a Division of TruSecure Internet-Draft ICSAlabs, a Division of TruSecure
Expires: June 21, 2005 Corporation Expires: July 11, 2004 Corporation
P. Nikander P. Nikander
Ericsson Research Nomadic Lab Ericsson Research Nomadic Lab
December 21, 2004 January 11, 2004
Host Identity Protocol Architecture Host Identity Protocol Architecture
draft-ietf-hip-arch-01 draft-ietf-hip-arch-02
Status of this Memo Status of this Memo
This document is an Internet-Draft and is subject to all provisions This document is an Internet-Draft and is subject to all provisions
of section 3 of RFC 3667. By submitting this Internet-Draft, each of section 3 of RFC 3667. By submitting this Internet-Draft, each
author represents that any applicable patent or other IPR claims of author represents that any applicable patent or other IPR claims of
which he or she is aware have been or will be disclosed, and any of which he or she is aware have been or will be disclosed, and any of
which he or she become aware will be disclosed, in accordance with which he or she become aware will be disclosed, in accordance with
RFC 3668. RFC 3668.
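Review bot: the revision dates in this header run backwards: the -02 column is dated January 11, 2004 with "Expires: July 11, 2004", while the -01 column it replaces is dated December 21, 2004 and expires June 21, 2005, so the newer draft would carry an earlier date and an expiry that had already passed at submission time. The year on the -02 date and expiry lines (and on the later "This Internet-Draft will expire on July 11, 2004" line) looks like it should be 2005; please confirm before publication.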
skipping to change at page 1, line 38 skipping to change at page 1, line 38
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on June 21, 2005. This Internet-Draft will expire on July 11, 2004.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2004). Copyright (C) The Internet Society (2004).
Abstract Abstract
This memo describes a snapshot of the reasoning behind a proposed new This memo describes a snapshot of the reasoning behind a proposed new
namespace, the Host Identity namespace, and a new protocol layer, the namespace, the Host Identity namespace, and a new protocol layer, the
Host Identity Protocol, between the internetworking and transport Host Identity Protocol, between the internetworking and transport
skipping to change at page 2, line 39 skipping to change at page 2, line 39
8. HIP and IPsec . . . . . . . . . . . . . . . . . . . . . . . 13 8. HIP and IPsec . . . . . . . . . . . . . . . . . . . . . . . 13
9. HIP and NATs . . . . . . . . . . . . . . . . . . . . . . . . 14 9. HIP and NATs . . . . . . . . . . . . . . . . . . . . . . . . 14
9.1 HIP and TCP checksums . . . . . . . . . . . . . . . . . . . 15 9.1 HIP and TCP checksums . . . . . . . . . . . . . . . . . . . 15
10. Multicast . . . . . . . . . . . . . . . . . . . . . . . . . 15 10. Multicast . . . . . . . . . . . . . . . . . . . . . . . . . 15
11. HIP policies . . . . . . . . . . . . . . . . . . . . . . . . 15 11. HIP policies . . . . . . . . . . . . . . . . . . . . . . . . 15
12. Benefits of HIP . . . . . . . . . . . . . . . . . . . . . . 16 12. Benefits of HIP . . . . . . . . . . . . . . . . . . . . . . 16
12.1 HIP's answers to NSRG questions . . . . . . . . . . . . . . 17 12.1 HIP's answers to NSRG questions . . . . . . . . . . . . . . 17
13. Security considerations . . . . . . . . . . . . . . . . . . 19 13. Security considerations . . . . . . . . . . . . . . . . . . 19
13.1 HITs used in ACLs . . . . . . . . . . . . . . . . . . . . . 20 13.1 HITs used in ACLs . . . . . . . . . . . . . . . . . . . . . 20
13.2 Non-security considerations . . . . . . . . . . . . . . . . 21 13.2 Non-security considerations . . . . . . . . . . . . . . . . 21
14. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . 21 14. IANA considerations . . . . . . . . . . . . . . . . . . . . 21
15. Informative references . . . . . . . . . . . . . . . . . . . 22 15. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . 21
16. Informative references . . . . . . . . . . . . . . . . . . . 22
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 23 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 23
Intellectual Property and Copyright Statements . . . . . . . 24 Intellectual Property and Copyright Statements . . . . . . . 24
1. Disclaimer 1. Disclaimer
The purpose of this memo is to provide a stable reference point in The purpose of this memo is to provide a stable reference point in
the development of the Host Identity Protocol architecture. This the development of the Host Identity Protocol architecture. This
memo describes the thinking of the authors as of Fall 2003; their memo describes the thinking of the authors as of Fall 2003; their
thinking may have evolved since then. Occasionally, this memo may be thinking may have evolved since then. Occasionally, this memo may be
confusing or self-contradicting. That is (partially) intentional, confusing or self-contradicting. That is (partially) intentional,
skipping to change at page 21, line 42 skipping to change at page 21, line 42
should only be implemented using public key Host Identities. should only be implemented using public key Host Identities.
If it is desirable to use HIP in a low security situation where If it is desirable to use HIP in a low security situation where
public key computations are considered expensive, HIP can be used public key computations are considered expensive, HIP can be used
with very short Diffie-Hellman and Host Identity keys. Such use with very short Diffie-Hellman and Host Identity keys. Such use
makes the participating hosts vulnerable to MitM and connection makes the participating hosts vulnerable to MitM and connection
hijacking attacks. However, it does not cause flooding dangers, hijacking attacks. However, it does not cause flooding dangers,
since the address check mechanism relies on the routing system and since the address check mechanism relies on the routing system and
not on cryptographic strength. not on cryptographic strength.
14. Acknowledgments 14. IANA considerations
This document has no actions for IANA.
15. Acknowledgments
For the people historically involved in the early stages of HIP, see For the people historically involved in the early stages of HIP, see
the Acknowledgements section in the Host Identity Protocol the Acknowledgements section in the Host Identity Protocol
specification [6]. specification [6].
During the later stages of this document, when the editing baton was During the later stages of this document, when the editing baton was
transfered to Pekka Nikander, the comments from the early transfered to Pekka Nikander, the comments from the early
implementors and others, including Jari Arkko, Tom Henderson, Petri implementors and others, including Jari Arkko, Tom Henderson, Petri
Jokela, Miika Komu, Mika Kousa, Andrew McGregor, Jan Melen, Tim Jokela, Miika Komu, Mika Kousa, Andrew McGregor, Jan Melen, Tim
Shepard, Jukka Ylitalo, and Jorma Wall, were invaluable. Finally, Shepard, Jukka Ylitalo, and Jorma Wall, were invaluable. Finally,
Lars Eggert, Spencer Dawkins and Dave Crocker provided valuable input Lars Eggert, Spencer Dawkins and Dave Crocker provided valuable input
during the final stages of publication, most of which was during the final stages of publication, most of which was
incorporated but some of which the authors decided to ignore in order incorporated but some of which the authors decided to ignore in order
to get this document published in the first place. to get this document published in the first place.
15 Informative references 16 Informative references
[1] Vixie, P., Thomson, S., Rekhter, Y. and J. Bound, "Dynamic [1] Vixie, P., Thomson, S., Rekhter, Y. and J. Bound, "Dynamic
Updates in the Domain Name System (DNS UPDATE)", RFC 2136, Updates in the Domain Name System (DNS UPDATE)", RFC 2136,
April 1997. April 1997.
[2] Eastlake, D., "Domain Name System Security Extensions", RFC [2] Eastlake, D., "Domain Name System Security Extensions", RFC
2535, March 1999. 2535, March 1999.
[3] Tsirtsis, G. and P. Srisuresh, "Network Address Translation - [3] Tsirtsis, G. and P. Srisuresh, "Network Address Translation -
Protocol Translation (NAT-PT)", RFC 2766, February 2000. Protocol Translation (NAT-PT)", RFC 2766, February 2000.
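Review bot: the heading "16 Informative references" (previously "15 Informative references") is the only section heading without a trailing period after its number, unlike "14. IANA considerations" and "15. Acknowledgments" directly above it; suggest "16. Informative references" to match. In the Acknowledgments paragraph, "transfered" should be "transferred". The renumbering caused by the inserted IANA considerations section is otherwise applied consistently between the body headings and the table of contents.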
skipping to change at page 23, line 10 skipping to change at page 23, line 14
[12] Chiappa, J., "Endpoints and Endpoint Names: A Proposed [12] Chiappa, J., "Endpoints and Endpoint Names: A Proposed
Enhancement to the Internet Architecture", URL Enhancement to the Internet Architecture", URL
http://users.exis.net/~jnc/tech/endpoints.txt, 1999. http://users.exis.net/~jnc/tech/endpoints.txt, 1999.
[13] Nikander, P., "Denial-of-Service, Address Ownership, and Early [13] Nikander, P., "Denial-of-Service, Address Ownership, and Early
Authentication in the IPv6 World", in Proceesings of Security Authentication in the IPv6 World", in Proceesings of Security
Protocols, 9th International Workshop, Cambridge, UK, April Protocols, 9th International Workshop, Cambridge, UK, April
25-27 2001, LNCS 2467, pp. 12-26, Springer, 2002. 25-27 2001, LNCS 2467, pp. 12-26, Springer, 2002.
[14] Bellovin, S., "EIDs, IPsec, and HostNAT", in Proceesings of [14] Bellovin, S., "EIDs, IPsec, and HostNAT", in Proceedings of
41th IETF, Los Angeles, CA, March 1998. 41th IETF, Los Angeles, CA, March 1998.
Authors' Addresses Authors' Addresses
Robert Moskowitz Robert Moskowitz
ICSAlabs, a Division of TruSecure Corporation ICSAlabs, a Division of TruSecure Corporation
1000 Bent Creek Blvd, Suite 200 1000 Bent Creek Blvd, Suite 200
Mechanicsburg, PA Mechanicsburg, PA
USA USA
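Review bot: the spelling fix in [14] ("Proceesings" to "Proceedings") was not carried over to [13], which still reads "in Proceesings of Security Protocols" in both columns; and "41th IETF" in [14] should be "41st IETF".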
This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/