HIP proxy Patrik Salmela
Contents
• Background: ID-locator split
• HIP
• Why a HIP proxy
• Functionality of a HIP proxy
• The prototype
• Performance
• Conclusions

Background: ID – locator split
• Currently:
  • IP address serves 2 purposes
  • Locator POW:
    • Node moves -> new locator: OK
  • Identifier POW:
    • Node moves -> new identifier: NOT OK
• Identifier requirements:
  • Stay constant regardless of location and time

Background (cont.): Some ID – locator split solutions
• GSE proposal for IPv6
  • Part of address serves as ID, constant
• FARA
  • Framework for designing new architectures
• PeerNet
  • DHT and peer-to-peer thinking
• I3
  • IDs registered at I3 servers
• HIP

The HIP way
• ID-locator split
  • ID: HI (-> HIT / LSI); locator: IP address
  • Packets sent to ID, routed using locator
• Security
  • IPsec ESP, SAs created during base exchange
• Mobility
  • Connections between IDs (HITs)
  • Location update messages
• Multihoming
  • Packets sent to ID, the routing is irrelevant
• The ID is the base for all these features

Why a HIP proxy?
• More HIP hosts -> more use for HIP
• It will take time for HIP to spread
• A HIP proxy enables HIP between legacy hosts and HIP hosts
[Figure: legacy host, HIP proxy, HIP host; labels: HIP, IPsec ESP]

Why a HIP proxy (cont.)
• Promotes HIP
• New possibilities to use HIP
• Can be used as "try-then-buy" for HIP
• Easier to enable HIP for hosts in a network
• In the long run an all HIP solution is better; less configuration, more freedom/features
• If satisfied by services provided by HIP (proxy) -> upgrade to a HIP host/network

Restrictions for a HIP proxy
• No security between proxy and legacy host
  • Solution: Proxy on the border of a private network
• HIP host unaware of proxy, security problem
  • Solution: Add indication into base exchange
• Legacy hosts cannot use all HIP features
  • Solution: Upgrade to HIP host

Functionality of a HIP proxy
• Assign, and use, HITs for legacy hosts
• HIP connection from HIP host also possible

The prototype HIP proxy
• FreeBSD 5.2, Ericsson Finland's HIP implementation
• IPv6 only
• No HIP modified DNS -> HIT-IP mappings in configuration file
• Proxy between two small LANs
• Uses ip6fw and divert6

The prototype (cont.)
• Packets diverted to proxy for processing
• All packets coming from the private network:
  • Locate HIT-IP mappings
  • Replace IP addresses with HITs
• Packets from the public network with HITs in header:
  • Locate HIT-IP mappings
  • Replace HITs with IP addresses

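The translation step from the two prototype slides, as an added example that is not the prototype's code: a Python model of the HIT-IP mapping table and the address rewriting in both directions. The configuration line format, the function names and all addresses are constructed for illustration, and dropping packets that have no mapping is an assumed policy.

```python
import ipaddress

# Constructed sample; the "HIT IPv6-address" line format is an assumption.
SAMPLE_CONFIG = """
# HIT            IPv6 address
2001:10::a1      2001:db8:1::10   # legacy host (HIT assigned by the proxy)
2001:10::b2      2001:db8:2::20   # HIP host
"""

def load_mappings(text):
    """Parse the mapping file into (ip_to_hit, hit_to_ip) lookup tables."""
    ip_to_hit, hit_to_ip = {}, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected 'HIT IP'")
        hit, ip = (ipaddress.IPv6Address(f) for f in fields)
        # An ambiguous mapping would send traffic to the wrong peer: reject it.
        if hit in hit_to_ip or ip in ip_to_hit:
            raise ValueError(f"line {lineno}: duplicate HIT or IP")
        hit_to_ip[hit], ip_to_hit[ip] = ip, hit
    return ip_to_hit, hit_to_ip

def translate(src, dst, table):
    """Rewrite both header addresses via `table`; None means drop the packet."""
    try:
        return table[ipaddress.IPv6Address(src)], table[ipaddress.IPv6Address(dst)]
    except KeyError:
        return None  # no mapping: never forward the packet untranslated

if __name__ == "__main__":
    ip_to_hit, hit_to_ip = load_mappings(SAMPLE_CONFIG)
    # Private network -> public network: IP addresses become HITs.
    print(translate("2001:db8:1::10", "2001:db8:2::20", ip_to_hit))
    # Public network -> private network: HITs become IP addresses.
    print(translate("2001:10::b2", "2001:10::a1", hit_to_ip))
    # Unmapped source address: dropped.
    print(translate("2001:db8:1::99", "2001:db8:2::20", ip_to_hit))
```
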
Performance
• + ~12% (0,070ms) (proxy)
• + ~22% (0,150ms) (IPsec)

Performance (cont.)
• If the host lists are long:
  • Configuration file difficult to manage
  • (probably) very much traffic through the proxy
  • -> Delay from looking up mappings is not the main problem

Further work
• IP version independent HIP proxy
  • Work in progress…
• Improve proxy configuration
  • E.g. check if configuration file has been edited

Conclusions
• HIP proxy prototype intended as proof-of-concept
  • Concept proven
  • Can be used as base for new, improved, version
• HIP proxy can be used as a stepping stone when going legacy -> HIP