Muutke küpsiste eelistusi

Host Identity Protocol (HIP): Towards the Secure Mobile Internet [Kõva köide]

4.00/5 (4 hinnangut Goodreads-ist)
(Helsinki Institute for Information Technology)
Teised raamatud teemal:
Host Identity Protocol (HIP): Towards the Secure Mobile InternetSuurem pilt
Teised raamatud teemal:
Püsilink: https://www.kriso.ee/db/9780470997901.html
Märksõnad:
“Within the set of many identifier-locator separation designs for the Internet, HIP has progressed further than anything else we have so far. It is time to see what HIP can do in larger scale in the real world. In order to make that happen, the world needs a HIP book, and now we have it.” - Jari Arkko, Internet Area Director, IETF 

One of the challenges facing the current Internet architecture is the incorporation of mobile and multi-homed terminals (hosts), and an overall lack of protection against Denial-of-Service attacks and identity spoofing. The Host Identity Protocol (HIP) is being developed by the Internet Engineering Task Force (IETF) as an integrated solution to these problems. The book presents a well-structured, readable and compact overview of the core protocol with relevant extensions to the Internet architecture and infrastructure. The covered topics include the Bound End-to-End Tunnel Mode for IPsec, Overlay Routable Cryptographic Hash Identifiers, extensions to the Domain Name System, IPv4 and IPv6 interoperability, integration with SIP, and support for legacy applications.

Unique features of the book:

  • All-in-one source for HIP specifications
  • Complete coverage of HIP architecture and protocols
  • Base exchange, mobility and multihoming extensions
  • Practical snapshots of protocol operation
  • IP security on lightweight devices
  • Traversal of middleboxes, such as NATs and firewalls
  • Name resolution infrastructure
  • Micromobility, multicast, privacy extensions
  • Chapter on applications, including HIP pilot deployment in a Boeing factory
  • HOWTO for HIP on Linux (HIPL) implementation  

An important compliment to the official IETF specifications, this book will be a valuable reference for practicing engineers in equipment manufacturing companies and telecom operators, as well as network managers, network engineers, network operators and telecom engineers. Advanced students and academics, IT managers, professionals and operating system specialists will also find this book of interest.

Arvustused

"I recommend this book to all software writers and engineers who are working in the context of mobile IP, IPv6, and the future internet. Graduate and advanced undergraduate students who are interested in discovering a practical and challenging application of identity management models and cryptographic protocols will also benefit from this book." (Computing Reviews, May 5, 2009)

About the Author xi
Foreword xii
Jari Arkko
Foreword xv
David Hutchison
Preface xvii
Acknowledgments xxi
Abbreviations xxiii
Part I Introduction
1(42)
Overview
3(8)
Identifier-locator split
4(1)
HIP in the Internet architecture
5(2)
Brief history of HIP
7(2)
Organization of the book
9(2)
Introduction to network security
11(32)
Goals of cryptographic protocols
11(1)
Basics and terminology
12(1)
Attack types
13(2)
Eavesdropping
13(1)
Impersonation
13(1)
Man-In-The-Middle attacks
13(1)
Delay and replay attacks
14(1)
Denial-of-Service attacks
14(1)
Exhaustive key space search
15(1)
Cryptoanalysis
15(1)
Defense mechanisms
15(12)
Symmetric cryptography
15(4)
Public-key cryptography
19(4)
One-way cryptographic hash functions
23(2)
One-time signatures
25(1)
Sequence numbers
26(1)
Cryptographic nonces
26(1)
Cliet puzzles
27(1)
Security protocols
27(12)
Modular exponential Diffie-Hellman groups
28(1)
Keying material
28(1)
Transforms
29(1)
IP security architecture: IPsec
30(1)
IPsec modes
31(2)
IPsec security protocols
33(1)
SIGMA
34(3)
Internet Key Exchange: IKE
37(2)
Weak authentication techniques
39(1)
Secure DNS
40(3)
Part II The Host Identity Protocol
43(118)
Architectural overview
45(6)
Internet namespaces
45(1)
Methods of identifying a host
46(1)
Overlay Routable Cryptographic Hash Identifiers
47(2)
The purpose of an IPv6 prefix
47(1)
Generating and routing an ORCHID
47(1)
ORCHID properties
48(1)
The role of IPsec
49(1)
Related IETF activities
49(2)
Base protocol
51(16)
Base exchange
51(9)
I1 packet
51(3)
R1 packet
54(3)
I2 packet
57(1)
R2 packet
57(3)
Other HIP control packets
60(2)
IPsec encapsulation
62(5)
ESP transforms
63(1)
ESP Bound End-to-End Tunnel
64(3)
Main extensions
67(18)
Mobility and multihoming
67(11)
Mobility and multihoming architecture
67(2)
Multihoming as extension of mobility
69(2)
Effect of ESP anti-replay window
71(3)
The LOCATOR parameter
74(1)
Locator states
75(1)
Credit-based authentication
76(1)
Interaction with transport protocols
76(2)
Rendezvous server
78(1)
Registering with a rendezvous server
78(1)
Rendezvous parameters
79(1)
DNS extensions
79(3)
HIP requirements to DNS
79(1)
Storing a RVS address
80(1)
DNS security
81(1)
Registration protocol
82(3)
The process of registration
82(1)
Packet formats
82(3)
Advanced extensions
85(20)
Opportunistic mode
85(1)
Initiating opportunistic base exchange
85(1)
Implementation using a TCP option
86(1)
Piggybacking transport headers to base exchange
86(1)
Piggybacking to I2
86(1)
Security concerns
87(1)
HIP service discovery
87(4)
Overview of Service Discovery
87(1)
On-the-path Service Discovery
88(2)
Passive Service Discovery
90(1)
Regional Service Discovery
91(1)
Simultaneous multiaccess
91(4)
Flow binding extension
92(1)
Packet formats
93(2)
Disseminating HITs with a presence service
95(1)
HITs in the Presence Information Data Format
95(1)
Disseminating protocol
96(1)
Multicast
96(9)
Challenges for IP multicast
98(1)
Host Identity Specific multicast
99(4)
Authenticating multicast receivers
103(2)
Performance measurements
105(12)
HIP on Nokia Internet Tablet
105(1)
Experimental results
106(8)
Test environment
106(1)
Basic HIP characteristics
107(7)
Summary
114(3)
Lightweight HIP
117(44)
Security functionality of HIP
117(4)
Performance limitations of HIP
118(1)
Problem statement
118(1)
Scope of LHIP
119(1)
Threat model
120(1)
HIP high-level goals
121(5)
LHIP high-level goals
122(2)
Possible approaches
124(2)
LHIP design
126(28)
Hash chains for HIP authentication
126(1)
Time-based signatures
127(1)
Interactive signatures based on hash chains
128(2)
LHIP authentication layer
130(7)
LHIP integration
137(2)
LHIP associations
139(8)
Security considerations
147(3)
Association upgrades: from LHIP to HIP
150(4)
LHIP performance
154(3)
LHIP base exchange
154(1)
LHIP update
155(2)
Discussion
157(4)
LH1-performance
157(1)
LH2-protocol security
158(1)
LH3-namespace security
158(1)
LH4-compatibility
158(3)
Part III Infrastructure Support
161(64)
Middlebox traversal
163(18)
Requirements for traversing legacy middleboxes
163(3)
NAT traversal
164(1)
Firewall traversal
165(1)
Strategies for legacy middlebox traversal
165(1)
Legacy NAT traversal
166(9)
NAT detection
166(1)
Header format
167(1)
Initiator behind a NAT
168(2)
Responder behind a NAT
170(2)
Initiator and Responder behind a NAT
172(2)
Multihoming and mobility with NATs
174(1)
Traversing firewalls
175(1)
Requirements for HIP-aware middleboxes
175(1)
HIP-aware firewall
176(5)
Flow identification
176(1)
Advanced extensions
177(2)
Asymmetric routing
179(1)
Security risks
179(2)
Name resolution
181(22)
Problem statement of naming
181(3)
Distributed Hash Tables
184(2)
Overview of Distributed Hash Tables
184(1)
OpenDHT interface
185(1)
HIP interface to OpenDHT
186(2)
Overview of overlay networks
188(2)
Host Identity Indirection Infrastructure
190(13)
Separating control, data, and naming
191(1)
The data plane
192(5)
The control plane
197(4)
Discussion of the Hi3 design
201(2)
Micromobility
203(14)
Local rendezvous servers
203(3)
Intra-domain mobility
204(1)
Inter-domain mobility
205(1)
Secure micromobility
206(4)
Hash chain authentication
207(1)
Secure network attachment
208(1)
Micromobility handover
209(1)
Network mobility
210(7)
Delegation of signaling
210(1)
Mobile router
211(2)
HarMoNy
213(4)
Communication privacy
217(8)
SPINAT
217(1)
BLIND
218(4)
Location and identity privacy
218(1)
Protecting host identity
219(2)
Protecting location privacy
221(1)
Anonymous identifiers
222(3)
Identifiers on protocol layers
222(1)
Changing identifiers
223(2)
Part IV Applications
225(54)
Possible HIP applications
227(16)
Virtual Private Networking
227(2)
P2P Internet Sharing Architecture
229(1)
Interoperating IPv4 and IPv6
230(2)
Secure Mobile Architecture
232(5)
Components of SMA
233(1)
SMA testbed at Boeing
234(3)
Live application migration
237(3)
Network operator viewpoint on HIP
240(3)
Application interface
243(12)
Using legacy applications with HIP
243(2)
Using IP addresses
244(1)
Using DNS resolution
244(1)
Directly using HIT
245(1)
API for native HIP applications
245(10)
Overview of the design
245(1)
Interface specification
246(4)
Socket attributes
250(5)
Integrating HIP with other protocols
255(24)
Generalized HIP
255(4)
Classification of proposals
256(2)
HIP implications
258(1)
The use of Session Initiation Protocol
259(6)
SIP as a rendezvous service
259(2)
Complementary mobility
261(1)
Securing SIP control traffic
262(2)
Session Description Protocol extensions
264(1)
Encapsulating HIP data using SRTP
265(4)
Replacing HIP base exchange with IKEv2
269(3)
Mobile IP and HIP
272(2)
HIP proxy for legacy hosts
274(5)
Legacy mobile hosts
274(2)
Legacy correspondent hosts
276(3)
Appendix A Installing and using HIP
279(6)
A.1 Overview of HIP implementations
279(2)
A.2 HIPL tutorial
281(4)
Bibliography 285(6)
Index 291
Andrei Gurtov is a senior research scientist leading the Networking Research group at the Helsinki Institute for Information Technology focusing on the Host Identity Protocol and next generation Internet architecture. He received his M.Sc and Ph.D. degrees in Computer Science from the University of Helsinki, Finland. He co-chairs the IRTF research group on HIP and teaches as an adjunct professor at Telecommunications and Multimedia Laboratory of the Helsinki University of Technology.