Host Identity Protocol (HIP)

Creating a Trusted Identity Layer that Separates Location from Identity

HIP: An Internet Engineering Task Force (IETF) Open Standard

HIP is an open standard network protocol that delivers native identity, security, and mobility for IP networks. The protocol was officially ratified in 2015 by the IETF, as a result of over 20 years of coordinated development by several Fortune 500 companies (Ericsson, Nokia, Verizon, and others) as well as standards bodies such as the Trusted Computing Group (TCG) and Institute of Electrical and Electronics Engineers (IEEE 802).

HIP was deployed in production for over 12 years at The Boeing Company before being commercialized. Tempered Networks is the first and only commercially available solution that uses HIP.



HIP Creators: An Improved IP architecture

The importance of HIP, featuring Bob Moskowitz (inventor of HIP) and Richard Paine (author of Beyond Host Identity Protocol: The End to Hacking as We Know It).

Simplifying Networks by Separating the Identity - Location Roles of the Internet Protocol (IP)

HIP delivers a secure tunneling architecture that enables host mobility and multi-homing in a simple yet elegant way. It provides an alternative key exchange capability for the IPsec protocol and was designed to be part of the TCP/IP stack (native to the OS), but it can also function as a gateway for devices that cannot have software installed. HIP separates the dual role of IP addresses as both host identity and topological location by introducing an identifier-locator split. By adding a host identity layer between the network and transport layers, permanent and location-independent cryptographic identities are bound to devices and systems in the form of 2048-bit RSA public keys, instead of spoofable IP addresses. Policies for connectivity and segmentation are then based on trusted identities, restoring addresses to their original role: location.
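To make the identifier-locator split concrete, the following is an added example (not code from Tempered Networks or from the HIP RFCs) of a minimal host identity layer in Python. It derives a Host Identity Tag (HIT) from a public key in the shape RFC 7343 ORCHIDv2 uses for HIP (28-bit prefix 2001:20::/28, a 4-bit hash selector, 96 hash bits), keys connection state and policy by HIT, and lets a peer's IP address change without losing the association. The context ID, the OGA ID, the public-key byte strings and the IP addresses are constructed placeholders, and the example assumes the peer's key has already been authenticated by the HIP base exchange.

```python
import hashlib
import ipaddress
from dataclasses import dataclass

ORCHID_PREFIX_28 = 0x2001002  # 2001:20::/28, the ORCHIDv2 prefix RFC 7343 reserves for HIP HITs
CONTEXT_ID = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed placeholder, not the RFC value
OGA_ID = 0x3  # constructed placeholder for the hash-algorithm selector nibble


def host_identity_tag(public_key: bytes) -> ipaddress.IPv6Address:
    """Simplified HIT: 28-bit prefix | 4-bit OGA ID | 96 bits of SHA-256(context || key).
    The identity is a property of the key, so it cannot be claimed by choosing an IP address."""
    digest = hashlib.sha256(CONTEXT_ID + public_key).digest()
    hash96 = int.from_bytes(digest[:12], "big")
    value = (ORCHID_PREFIX_28 << 100) | (OGA_ID << 96) | hash96
    return ipaddress.IPv6Address(value)


def hit_in_hip_prefix(hit: ipaddress.IPv6Address) -> bool:
    return hit in ipaddress.ip_network("2001:20::/28")


@dataclass
class Association:
    peer_hit: ipaddress.IPv6Address
    peer_locator: ipaddress.IPv4Address   # current IP address of the peer, only used to reach it
    bytes_received: int = 0                # stands in for transport state that must survive moves


class HostIdentityLayer:
    """Sits between IP (locator) and transport: policy and connection state are keyed
    by the peer's HIT, never by the address a packet happened to arrive from."""

    def __init__(self, own_public_key: bytes):
        self.own_hit = host_identity_tag(own_public_key)
        self.allowed_hits = set()   # segmentation policy expressed as identities
        self.associations = {}      # peer HIT -> Association

    def trust(self, peer_public_key: bytes) -> None:
        self.allowed_hits.add(host_identity_tag(peer_public_key))

    def receive(self, src_ip: str, authenticated_peer_key: bytes, payload: bytes) -> str:
        """authenticated_peer_key represents the identity proven in the base exchange
        (assumption: authentication already happened before this packet is processed)."""
        peer_hit = host_identity_tag(authenticated_peer_key)
        if peer_hit not in self.allowed_hits:
            return "drop: identity not authorized"
        locator = ipaddress.IPv4Address(src_ip)
        assoc = self.associations.get(peer_hit)
        if assoc is None:
            assoc = Association(peer_hit, locator)
            self.associations[peer_hit] = assoc
            result = "accept: new association"
        elif assoc.peer_locator != locator:
            assoc.peer_locator = locator  # the peer moved; the association and its state survive
            result = "accept: locator updated"
        else:
            result = "accept"
        assoc.bytes_received += len(payload)
        return result


def run_scenario() -> list:
    """Constructed walk-through: a trusted peer roams, then an untrusted key shows up
    from the address the trusted peer used earlier."""
    host = HostIdentityLayer(b"constructed host public key")
    peer = b"constructed peer public key"
    impostor = b"constructed impostor public key"
    host.trust(peer)
    results = [
        host.receive("10.0.0.5", peer, b"hello"),      # first contact from the office LAN
        host.receive("192.0.2.7", peer, b"moved"),     # same identity, new address
        host.receive("10.0.0.5", impostor, b"spoof"),  # trusted address, untrusted identity
    ]
    results.append(str(host.associations[host_identity_tag(peer)].bytes_received))
    return results


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```

The third packet shows the point of the split: arriving from a previously trusted address buys nothing, because policy never consulted the address. The second packet shows the mobility side, since the byte counter (standing in for sequence numbers or an open socket) keeps accumulating across the address change.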

Moving Towards Networks We Can Finally Trust


| TCP/IP BASED | HIP FORTIFIED TCP/IP NETWORKS |
|---|---|
| IP address is used for both identity and location of a ‘thing’ on the network | IP address is only used for location of a ‘thing’ on the network |
| No native security; no consistent and verifiable identity | Native security; verifiable cryptographic identities bound to any IP-enabled |
| No authentication and authorization before transport results in untrusted communications | Mutual authentication and authorization before transport ensures trusted communications |
| Changing the host address directly is not possible without interrupting transport layer connections | Host address and location can change while preserving transport layer connections |


Bringing HIP to Market


Tempered's purpose-built platform is based on device/system-level cryptographic identities and simple orchestration. The solution was deployed in production for over 12 years at The Boeing Company before being commercialized for the broader market by Tempered Networks.

Architected for the Future of Networking: IIoT

Internet Engineering Task Force (IETF)

Host Identity Protocol

IETF standard (RFC 4423, 5201, 7401) delivering trusted cryptographic identities and

Identity/Locator Split: Binding Cryptographic Identities (CIDs) to devices and systems and returning IP to its original function: location

Secure Tunneling Protocol: HIP data packets are carried using IPsec utilizing the Encapsulated Security Payload (ESP) transport

4-Way Base Exchange: Mutual authentication and authorization of self-generated public-private key pairs before encrypted (AES-256)

A 3rd Namespace: The Host Identity Namespace (HIN), which is compatible with legacy IP and DNS Namespaces, and eliminates the lack of mobility and vulnerabilities caused by using the IP address as identity.
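The 4-way base exchange (I1, R1, I2, R2) is where mutual authentication happens before any transport data flows. The following is an added example, not code from Tempered Networks or from RFC 7401, that models the exchange in Python with the two properties worth understanding: the responder commits no per-initiator state or expensive computation until the initiator has solved the R1 puzzle, and both sides derive the same keying material from the Diffie-Hellman values carried in R1 and I2. The host identity keys, the HIT derivation (a plain truncated hash here rather than ORCHIDv2), the toy Diffie-Hellman modulus 2^127-1 and the puzzle difficulty are constructed placeholders; the RSA signatures that the real R1, I2 and R2 carry are omitted.

```python
import hashlib
import os
import secrets
from dataclasses import dataclass

DH_P = (1 << 127) - 1   # toy prime, constructed for illustration; not an RFC 7401 DH group
DH_G = 2
PUZZLE_BITS = 12        # difficulty K: low-order bits of the puzzle hash that must be zero


def hit_of(host_identity: bytes) -> bytes:
    """Stand-in HIT: 128-bit truncated hash of the host's public key (constructed)."""
    return hashlib.sha256(b"HIT|" + host_identity).digest()[:16]


def puzzle_hash(i: bytes, hit_i: bytes, hit_r: bytes, j: int) -> int:
    # RFC 7401 puzzle: Ltrunc(RHASH(I | HIT-I | HIT-R | J), K) == 0, with SHA-256 as RHASH here
    data = i + hit_i + hit_r + j.to_bytes(8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def solve_puzzle(i: bytes, hit_i: bytes, hit_r: bytes, k: int) -> int:
    j = 0
    while puzzle_hash(i, hit_i, hit_r, j) & ((1 << k) - 1):
        j += 1
    return j


def verify_puzzle(i: bytes, hit_i: bytes, hit_r: bytes, j: int, k: int) -> bool:
    return puzzle_hash(i, hit_i, hit_r, j) & ((1 << k) - 1) == 0


def keymat(shared: int, hit_a: bytes, hit_b: bytes) -> bytes:
    # Both sides sort the HITs so they derive identical keys (RFC 7401 sorts them for KEYMAT too)
    return hashlib.sha256(shared.to_bytes(16, "big") + b"".join(sorted((hit_a, hit_b)))).digest()


@dataclass
class I1:
    hit_i: bytes
    hit_r: bytes


@dataclass
class R1:
    hit_i: bytes
    hit_r: bytes
    puzzle_i: bytes   # puzzle nonce I
    k: int            # puzzle difficulty
    dh_pub: int       # responder's DH public value


@dataclass
class I2:
    hit_i: bytes
    hit_r: bytes
    puzzle_i: bytes
    j: int            # puzzle solution J
    dh_pub: int       # initiator's DH public value


@dataclass
class R2:
    hit_i: bytes
    hit_r: bytes


class Responder:
    def __init__(self, host_identity: bytes):
        self.hit = hit_of(host_identity)
        self.dh_priv = secrets.randbelow(DH_P - 2) + 2
        self.dh_pub = pow(DH_G, self.dh_priv, DH_P)
        self.puzzle_i = os.urandom(8)   # rotated periodically in a real deployment
        self.associations = {}          # initiator HIT -> keying material, created only after a valid I2
        self.dh_computations = 0        # counts the expensive work this responder has done

    def handle_i1(self, i1: I1) -> R1:
        # R1 is built from precomputable values; nothing about this initiator is remembered
        return R1(i1.hit_i, self.hit, self.puzzle_i, PUZZLE_BITS, self.dh_pub)

    def handle_i2(self, i2: I2):
        if i2.hit_r != self.hit or i2.puzzle_i != self.puzzle_i:
            return None
        if not verify_puzzle(i2.puzzle_i, i2.hit_i, i2.hit_r, i2.j, PUZZLE_BITS):
            return None             # one hash to check; no DH and no state for a bad solution
        self.dh_computations += 1
        shared = pow(i2.dh_pub, self.dh_priv, DH_P)
        self.associations[i2.hit_i] = keymat(shared, i2.hit_i, self.hit)
        return R2(i2.hit_i, self.hit)


class Initiator:
    def __init__(self, host_identity: bytes):
        self.hit = hit_of(host_identity)
        self.dh_priv = secrets.randbelow(DH_P - 2) + 2
        self.dh_pub = pow(DH_G, self.dh_priv, DH_P)
        self.associations = {}          # responder HIT -> keying material

    def start(self, hit_r: bytes) -> I1:
        return I1(self.hit, hit_r)

    def handle_r1(self, r1: R1) -> I2:
        assert r1.hit_i == self.hit
        j = solve_puzzle(r1.puzzle_i, self.hit, r1.hit_r, r1.k)   # the initiator does the work
        return I2(self.hit, r1.hit_r, r1.puzzle_i, j, self.dh_pub)

    def handle_r2(self, r2: R2, r1: R1) -> None:
        shared = pow(r1.dh_pub, self.dh_priv, DH_P)
        self.associations[r2.hit_r] = keymat(shared, self.hit, r2.hit_r)


def run_base_exchange(initiator: Initiator, responder: Responder) -> bool:
    """Runs I1 -> R1 -> I2 -> R2 and reports whether both ends hold the same keys."""
    i1 = initiator.start(responder.hit)
    r1 = responder.handle_i1(i1)
    assert not responder.associations      # still stateless after R1
    i2 = initiator.handle_r1(r1)
    r2 = responder.handle_i2(i2)
    if r2 is None:
        return False
    initiator.handle_r2(r2, r1)
    return initiator.associations[responder.hit] == responder.associations[initiator.hit]


def forged_i2_is_rejected(responder: Responder, hit_i: bytes) -> bool:
    """An I2 whose puzzle solution is wrong must cost the responder no DH work and no state."""
    bad_j = next(j for j in range(32) if not verify_puzzle(responder.puzzle_i, hit_i, responder.hit, j, PUZZLE_BITS))
    bogus = I2(hit_i, responder.hit, responder.puzzle_i, bad_j, DH_G)
    before = responder.dh_computations
    return responder.handle_i2(bogus) is None and responder.dh_computations == before
```

Order matters here: the responder's cheap puzzle check in handle_i2 runs before the modular exponentiation and before any state is allocated, which is what lets a HIP responder absorb floods of I1 and I2 messages without exhausting itself. A production implementation also verifies the host identity signatures on R1, I2 and R2 so that the HITs in the association are bound to keys the peer actually holds.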

Tempered Networks

Identity Orchestration Engine

Single-pane-of-glass network management featuring policy configuration that's point-and-click simple

Identity Platform

Many hardware and software deployment options — a single architecture for all environments

Identity Routing

The world’s first identity-based router delivering secure peer-to-peer connectivity across all networks

Identity Defined Networking



The Cause of Network Complexity and Security Exploits

When the TCP/IP architecture grew from a small university network up to a global communication infrastructure, many issues became apparent. Important functions such as mobility of devices and systems over separate IP networks and simultaneous connections to several networks were not a part of the original design, making networking complex and costly.

The TCP/IP suite uses IP addresses along with domain names for network communication between devices and systems. These addresses serve as both the identity of a device or system as well as its location on the network, a dual role that was never intended. This creates security and mobility issues that firewalls, routers, and VPNs cannot address.

By creating a Software-Defined Trusted Identity Layer that separates location from identity, we are able to protect and cloak any connected device or workload. Our platform is based on Host Identity Protocol (HIP), an open IETF standard that was designed to address many of the unique challenges of TCP/IP networking for IIoT infrastructure.

Additional Resources

Host Identity Protocol (HIP): Towards the Secure Mobile Internet, Andrei Gurtov

Beyond HIP: The End of Hacking As We Know It, Richard Paine

Washington Post: The fundamental flaw of TCP/IP

Internet Engineering Task Force (IETF) RFCs

RFC 4423: https://tools.ietf.org/html/rfc4423

RFC 5201: https://tools.ietf.org/html/rfc5201

RFC 7401: https://tools.ietf.org/html/rfc7401