Erik Giesa

Wednesday, May 17, 2017

I recently wrote about the Host Identity Protocol (HIP) and why it is so important for the future of the Internet. In this blog series, I go into greater detail on why I think Tempered Networks’ vision, and what our customers are now realizing with it, is so game-changing.

Yes, we can!
I know, that phrase is probably trademarked, but networking can be dramatically simplified and self-secured. Traditionally non-routable hosts actually can be securely routed and connected to other non-routable hosts, without modifying the underlay network’s infrastructure. And previously porous borders can be moved from the network edge to cryptographic micro-segments. Impossible? Read on…

Stop the insanity, please.
In the physical world, we wouldn’t think to use our home address as our identity, yet in the digital world we do. Think about it: the IP address serves a dual purpose for which it was never intended, location and identity. It rocks as a locator, the purpose for which it was always intended, but bombs as identity, a role that networking and security companies foisted on it because there was no real alternative. The “identity problem” is the Achilles heel of any network in existence today: an address is imprecise (a private or NATed address can stand for many hosts; a public or IPv6 address is at least unambiguous, but that still doesn’t make it an identity), it is not verifiable, it can be spoofed, and address-based policy is horribly complicated to manage at scale and prone to error. The status quo is simply unsustainable.

A question with no good answer
If “next-gen” products base their policies and enforcement on addresses, are they really next-gen? When I define policy as something like “this address can talk to this one, but not this one; and when it routes to this address, transform it to this other address so it can talk to this thing with this address, unless it comes from this address, then block it and…” You get the point. All I know is that network and security pros are heroes for putting up with this, but there really hasn’t been a choice, until now.

I may be crazy, but a self-secured network is not
HIP fixes the identity/locator overloading inherent in TCP/IP networks by giving each host its own cryptographic identity, a public key, that is separate from whatever address it happens to have. Once deployed, any HIP-enabled host or machine automatically performs authentication, authorization, confidentiality, privacy, and non-repudiation functions without human intervention. The network and security perimeter can now move from the network edge to the host, creating cryptographic micro-perimeters. The network can be transformed into a self-secured network.

What? Identity-based routing? Global IP flexibility and mobility? No barriers or borders?
I know, it sounds like magic, but it’s real. An interesting and extremely powerful networking property emerges when we free IP to function solely as a locator: global IP flexibility without barriers becomes a reality.

Ever run into the multi-NAT or CGNAT problem when connecting distributed “things”? Impossible to punch through and connect? Not anymore. Or have you ever tried to set up VPC-to-VPC cross-regional peering? How about AWS-to-Azure peering? At the time of writing, the former isn’t allowed, and the latter takes 3 or 4 different products, 150+ configuration steps (I stopped counting), and only gets you to the edge of each cloud network. Great solution. You just gave me 150 ways to lose my way and dropped me off a mile from my house. How about an alternative that takes less than five steps to directly connect any instance to another and drops me off at the front door? It’s not magic, it’s real.

It’s all possible because of the Host Identity Namespace. When two or more HIP-enabled systems communicate, the cryptographic identity takes the lead in determining if, what, when, and to whom a host can connect. Based on point-and-click simple policies set by the Conductor, a connection is either allowed, in which case encrypted packets are forwarded to the appropriate endpoint, or ignored if it is not allowed (more on this later). This frees the IP address to be nearly anything: static, dynamic, public, private, it doesn’t matter. As long as the two peers’ addresses don’t directly conflict, it just works.

HIP creates a new Host Identity Namespace that is fully compatible with the IP and DNS namespaces: each identity is a public key, and its 128-bit Host Identity Tag (a hash of that key) is the same size as an IPv6 address, so existing applications and DNS can carry it unchanged. Imagine an Internet where routing decisions are made based on provable cryptographic identities, not addresses, providing precise and explicit networked trust and control. You could easily optimize, isolate and segment traffic by region based on performance, availability, or compliance requirements. It would be an Internet built on trust and privacy, where a man in the middle cannot impersonate a peer, where unsolicited traffic to a cloaked resource is simply dropped, and where a spoofed address buys an attacker nothing because the address is not the identity. We’d have an Internet architecture where host-to-host encrypted connectivity, cloaking, and cryptographic micro-segmentation are automatic, know no barriers, and could even leap tall buildings... well, not that last part.
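To make the “verifiable, can’t be spoofed” point concrete, here is an added example of my own; it is not Tempered Networks’ code nor any HIP implementation’s. It derives a Host Identity Tag from a Host Identity the way ORCHIDv2 (RFC 7343) and HIPv2 (RFC 7401) lay it out, prefix, 4-bit OGA ID, then 96 bits of a hash over the key, and then runs an admission check keyed on the tag rather than on any address. The prefix, context ID and suite ID are the published constants; two layout details are my reading of the RFCs and should be checked against a real HIP stack before relying on them (the OGA ID appended to the hash input as one octet, and Encode_96 taking the middle 96 bits of the digest). The key bytes and the policy are constructed for the demo; a real HI is the public key in the HOST_ID parameter encoding, and proof that the peer actually holds the private key comes from the signatures in the HIP base exchange, which this snippet does not perform.

```python
"""HIT derivation and an identity-keyed admission check.

Added illustration, not Tempered Networks or HIP project code. The ORCHIDv2
layout follows my reading of RFC 7343 and RFC 7401; keys and policy are
constructed for the demo.
"""
import hashlib
import ipaddress

# ORCHIDv2 prefix 2001:20::/28 (RFC 7343) and the HIPv2 context ID (RFC 7401 3.2).
ORCHID_PREFIX = 0x2001002
HIP_CONTEXT_ID = bytes.fromhex("F0EFF02FBFF43D0FE7930C3C6E6174EA")
OGA_ID_SHA256 = 1  # HIT Suite ID 1: RSA or DSA host key hashed with SHA-256


def hit_from_hi(hi: bytes, oga_id: int = OGA_ID_SHA256) -> ipaddress.IPv6Address:
    """Derive the 128-bit Host Identity Tag from a Host Identity (public key).

    ORCHID = Prefix(28 bits) | OGA ID(4 bits) | Encode_96(Hash(Context ID | HI | OGA ID))

    Assumptions to verify against a real HIP stack: the OGA ID is appended to
    the hash input as a single octet, and Encode_96 keeps the middle 96 bits
    of the SHA-256 output.
    """
    if not 0 <= oga_id <= 0xF:
        raise ValueError("OGA ID is a 4-bit field")
    digest = hashlib.sha256(HIP_CONTEXT_ID + hi + bytes([oga_id])).digest()
    middle_96_bits = digest[10:22]
    head = ((ORCHID_PREFIX << 4) | oga_id).to_bytes(4, "big")
    return ipaddress.IPv6Address(head + middle_96_bits)


def hit_is_bound_to(hit: ipaddress.IPv6Address, hi: bytes) -> bool:
    """A HIT only means something if it really is the hash of the key presented.

    This is the check an address can never pass: anyone can put any source
    address in a packet, but nobody can produce a key that hashes to someone
    else's HIT.
    """
    oga_id = (int(hit) >> 96) & 0xF
    return hit_from_hi(hi, oga_id) == hit


def authorize(claimed_hit, presented_hi, allowed_hits):
    """Identity-based admission. Source and destination IPs play no part."""
    if not hit_is_bound_to(claimed_hit, presented_hi):
        return "deny-unbound"   # tag does not match the key: spoof attempt
    if claimed_hit not in allowed_hits:
        return "deny-policy"    # genuine identity, but not allowed by policy
    return "allow"


# Constructed stand-ins for Host Identities (a real HI is the public key in
# the HOST_ID parameter encoding; any bytes will do for the derivation).
ALICE_HI = b"constructed RSA public key for alice"
BOB_HI = b"constructed RSA public key for bob"
MALLORY_HI = b"constructed RSA public key for mallory"

ALICE_HIT = hit_from_hi(ALICE_HI)
BOB_HIT = hit_from_hi(BOB_HI)
POLICY = {ALICE_HIT}   # only alice may talk to this host


def demo() -> dict:
    """Outcome of three connection attempts, independent of any IP address."""
    return {
        # alice, from any address, NATed or not: allowed
        "alice": authorize(ALICE_HIT, ALICE_HI, POLICY),
        # mallory claims alice's HIT but can only present her own key
        "mallory_spoof": authorize(ALICE_HIT, MALLORY_HI, POLICY),
        # bob is a genuine identity but not in policy: dropped
        "bob": authorize(BOB_HIT, BOB_HI, POLICY),
    }


if __name__ == "__main__":
    print("alice HIT:", ALICE_HIT)
    for who, verdict in demo().items():
        print(f"{who:14s} -> {verdict}")
```

Note what the address never enters: `authorize` takes a tag and a key, so the same host admitted from a datacenter is admitted from behind three layers of NAT, and a host that is not in policy is ignored rather than answered, which is the “cloaking” behaviour described above. Swapping the suite (the `oga_id` nibble) changes the tag, so the tag also pins down which hash the peer must use.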

Ta Da! Internet 3.0 has arrived.
Enter our new HIPrelay, the world’s first identity-based router. Yup, you heard correctly. Identity. Based. Router. Not only does the HIPrelay make internetworking more secure, but it can directly route and connect privately addressed hosts that were previously non-routable and buried deep inside a network. It’s not only possible, but easy. Easy, as in fewer than three steps easy. This changes everything.

And for the next installment…
The next blog in this series will cover what the folks who dreamed up and developed HIP were thinking about with functions like HIP Rendezvous, the specifics of which IP address namespace limitations can be overcome and why that matters, and more detail on just how the HIPrelay and the Host Identity Namespace actually work without modifying existing network and security infrastructure.