It’s not just a great song by Tower of Power; the Host Identity Protocol (HIP) is a game changer in network communications. Let’s get some of the technical details out of the way and then discuss what it means:
HIP allows consenting hosts to securely establish and maintain shared IP-layer state, allowing separation of the identifier and locator roles of IP addresses. HIP uses public key identifiers from a new Host Identity namespace for mutual peer authentication. The protocol is designed to be resistant to denial-of-service (DoS) and man-in-the-middle (MitM) attacks. When used together with another suitable security protocol, such as the Encapsulated Security Payload (ESP), it provides integrity protection and encryption for upper-layer protocols, such as TCP and UDP. HIP has matured over 15 years of research, development, and deployment from companies like Boeing, Verizon, and Ericsson, as well as research institutions around the world.
The drawbacks of the dual use of the IP address cannot be understated, and are largely responsible for many of the Internet’s security and networking problems. With HIP this pattern of misuse is corrected, and the upper layers of the stack can now use a Host Identity in their socket APIs instead of an IP address. HIP then establishes secure communications between cryptographic identities, and binds local and remote application interfaces to these identities. At layer 3, IP addresses are still used for network delivery and routing. With IP addresses used to locate but not identify hosts, HIP enables seamless mobility (changing addresses), multi-homing (using multiple addresses), and switching between address families (IPv4/IPv6) while maintaining secure sessions. Extending to the extreme edge of the network, HIP Diet Exchange (DEX) enables HIP for extremely low-power, resource constrained IoT devices. Individuals can also use HIP with anonymous Host Identities, so the Internet can finally deliver anonymity when you need it and trust when you demand it. In summary, HIP embeds authentication, integrity, and authorization at the application level for free, without breaking the existing socket API!
November 19, 2014 is a remarkable day for HIP. After many years of development, testing, and consensus building, HIP RFC 5201-bis was just approved by the IETF as a proposed standard. This is an important step; however, the true measure of a standard is adoption and there are a number of challenges to supporting a new protocol like HIP. HIP allows us to gracefully and gradually embrace the path of Software Defined Networking. Based on 7 years of R&D at Boeing and now working with Fortune 500 clients, Tempered Networks discovered that we can enable HIP secure communications while performing a very vital function: protecting critical infrastructure and information. The Tempered Networks HIPswitch provides a migration path for non-HIP-enabled endpoints to “get” HIP. Over time endpoints will have HIP embedded in the protocol stacks, much like TCP/IP, ESP, and DNS support are built-in to any operating system.
By the time HIP is widely deployed, the challenge of the Internet moves from one of routing to one of orchestration. Orchestration enables highly dynamic definitions of network trust relationships at the identity level, along with routing and policy definitions at Internet scale. This is what we’re setting out to build at Tempered Networks. And that’s HIP!