HIP - was Re: [CentOS] Centos 5.2, Firefox 3, and IPv6

Thu Aug 28 04:23:08 UTC 2008
Robert Moskowitz <rgm at htt-consult.com>


Rob Townley wrote:
> On Wed, Aug 27, 2008 at 9:50 PM, Robert Moskowitz <rgm at htt-consult.com 
> <mailto:rgm at htt-consult.com>> wrote:
>
>
>
>     Rob Townley wrote:
>
>         On Wed, Aug 27, 2008 at 8:24 AM, Robert Moskowitz
>         <rgm at htt-consult.com <mailto:rgm at htt-consult.com>
>         <mailto:rgm at htt-consult.com <mailto:rgm at htt-consult.com>>> wrote:
>
>            Um, as the original poster, I WANT IPv6.  Not make IPv4 lookups
>            faster by ignoring AAAA records.
>
>            Further testing has IPv6 working just fine.  Thing is when I
>            enable the HIP API intercepts, FIrefox does not work.  Like
>         they
>            are doing something 'non-standard' with the regualr TCP
>         socket API
>            so that HIP can't slide in there.  I tried disabling a
>         number of
>            options, thinking it might be some security setting, but if
>         it is,
>            I have not found it.
>
>
>         Yep, i fully understood you wanted IPv6.  i just thought you
>         might want to verify what settings you have for Firefox --
>         making sure Firefox has turned on IPv6 dns.
>
>     Default was on.
>
>         Just curious, what is the motivation for the HIP api stuff, it
>         is not there by default is it?
>
>     read the RFCs on HIP:  4423 and 5201-5206.
>
>     4423 provides the justification of HIP and its architecture.  I
>     created HIP almost 10 years ago, shortly after (as IPsec co-chair)
>     got the IPsec RFCs out.  HIP is much more than an alternative
>     keying protocol for ESP (compared to IKE).  It directly addresses
>     secure mobility.  HIP **IS** an important change to the TCP/IP
>     architecture; this has been part of its slow advancement.  As such
>     it has its own 'native' API:
>      http://www.ietf.org/internet-drafts/draft-ietf-hip-native-api-05.txt.
>
>     I can go into more about HIP if you wish.
>
>
> So HIP isn't in any distribution by default or is it? 

No, but Ericsson just released there FreeBSD implementation:  
http://www.hip4inter.net/download/download.php

And Boeing has their Vista and I think NetBSD code base.

HIPL is available for FC8 and Ubuntu and I think Suse.  I saw it running 
on the Nokia N810 when I was in Helsinki earlier this month.

> How does one know?

Our goal is to move HIP from Experimental to Standards track in the IETF 
at the November session.  From there it may well be that HIP could be in 
Centos 6.0.  But that is a long shot.

> Would it make sense to include HIP in a Wireless Access Point firmware 
> or a RADIUS type machine?

As a better security protocol to run RADIUS through between the AP and 
the Radius server?  YES!

> Looks interesting, will have to keep it in mind for wlan sec.

Just remember that it is NOT a tunneling keying protocol.  It runs ESP 
in Transport mode, even if you are using BEET ESP mode.  You can run a 
tunneling protocol within it.  I am working on that....

HIP is NOT a VPN alternative.  It is really host-to-host security.