Leo Bhebhe
Helsinki University of Technology
Department Of Computer Science
leo.bhebhe@nokia.com
CONTENTS
Introduction
Services
Service Discovery System
Service Discovery Protocols
Service Discovery mechanism
Security Concerns
Host Identity Protocol
Name Resolution
Secure-i3
HI3
Shortcoming of HIP
Conclusion
T-110.7190 Research Seminar on telecom software/29.11.2005/LB
Introduction
What is a service?
A service is a component or application that performs work on behalf of a requesting application or client.
Services
Offered by networks in distributed systems, e.g. those offered by printers, copiers, scanners, fax machines
Information services: nearest Pizza Hut, weather forecast, today's flight schedule
Transport services in case of emergency (e.g. car breakdown, lost in the wild, coast guard help, taxi)
Payment services
Etc.
Service Discovery Protocols
Security features of common service discovery protocols (the cell-to-column assignment below is reconstructed from the extracted column order; the UPnP and Salutation columns carry no entries in the extracted slide):

                     Jini                        UPnP   Salutation   Bluetooth
Message encryption   Symmetric (SSL/TLS)                             Symmetric
Key exchange         Asymmetric (SSL/TLS)                            Plain text
Authorization        Digital signatures, X.509                       Password

[Figure: protocol stacks. UPnP: UPnP API / Application (HTTP, SMTP) / HTTP (extension) / Transport (TCP, UDP) / Network (IP) / Link (Ethernet, PPP) / Physical. HIP: Application (HTTP, SMTP) / Transport (TCP, UDP) / Host Identity / Network (IP) / Link (Ethernet, PPP) / Physical.]
e.g. UPnP, SLP are built on top of the TCP/IP protocol stack
Adding a new waist to the stack (the Host Identity layer between transport and network) may give it some basic security
Security
The discovery function is a source of security concern
Security is an integral part of service discovery
Denial of service (DoS) and distributed denial of service (DDoS) attacks
Confidentiality and integrity in service discovery are primary for communication security
Security needs will vary from application to application
Host Identity Protocol
Naming endpoints with HIs provides natural solutions for mobility and multihoming
If an endpoint identified by HI[i] changes its IP address, the host identity layer on the peer of the endpoint will re-resolve HI[i] to find the new IP address.
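The two properties claimed above, an identity that is a public key rather than an address and a peer that re-resolves HI to IP after a move, can be shown in a few dozen lines. The following Go program is an added example written for this page, not code from the slides or from any HIP implementation. It assumes an Ed25519 key as the HI, a truncated SHA-256 of the key as the HIT (a simplification of the ORCHID encoding real HIP uses), and a minimal signed "locator update" message in place of the real HIP UPDATE packet; names such as HIPPeer, Learn and ApplyUpdate are hypothetical. The peer pins the HI it learned at resolution time and accepts a new address only when the update is signed by that HI and is fresher than the last one, so a forged or replayed update cannot redirect the session.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"net/netip"
)

// HIT is the fixed-size identifier derived from a Host Identity (HI), the public key.
// ASSUMPTION: truncated SHA-256 stands in for the RFC 7343 ORCHID encoding used by
// real HIP; nothing shown here depends on the exact encoding.
type HIT [16]byte

func HITOf(hi ed25519.PublicKey) HIT {
	sum := sha256.Sum256(hi)
	var h HIT
	copy(h[:], sum[:16])
	return h
}

// LocatorUpdate is a simplified HIP UPDATE: "the host with this HI is now reachable
// at Addr", carrying a sequence number and a signature made with the HI's private key.
type LocatorUpdate struct {
	HI   ed25519.PublicKey
	Seq  uint32
	Addr netip.Addr
	Sig  []byte
}

// signedBytes binds HI, Seq and Addr into the byte string that is signed.
func signedBytes(hi ed25519.PublicKey, seq uint32, addr netip.Addr) []byte {
	buf := make([]byte, 0, len(hi)+4+16)
	buf = append(buf, hi...)
	var s [4]byte
	binary.BigEndian.PutUint32(s[:], seq)
	buf = append(buf, s[:]...)
	return append(buf, addr.AsSlice()...)
}

func SignUpdate(priv ed25519.PrivateKey, seq uint32, addr netip.Addr) LocatorUpdate {
	hi := priv.Public().(ed25519.PublicKey)
	return LocatorUpdate{HI: hi, Seq: seq, Addr: addr, Sig: ed25519.Sign(priv, signedBytes(hi, seq, addr))}
}

type peerEntry struct {
	hi   ed25519.PublicKey
	seq  uint32
	addr netip.Addr
}

// HIPPeer is the host identity layer on one side: a table from HIT to the pinned HI
// and the current locator (the same HI -> IP mapping a rendezvous server keeps).
type HIPPeer struct{ table map[HIT]*peerEntry }

func NewHIPPeer() *HIPPeer { return &HIPPeer{table: map[HIT]*peerEntry{}} }

// Learn pins a peer's HI and initial address (what DNS or the base exchange delivered).
func (p *HIPPeer) Learn(hi ed25519.PublicKey, addr netip.Addr) HIT {
	h := HITOf(hi)
	p.table[h] = &peerEntry{hi: hi, addr: addr}
	return h
}

// ApplyUpdate re-resolves HI -> IP only for an update that verifies under the pinned
// HI and is newer than the last one seen; the identity survives the address change.
func (p *HIPPeer) ApplyUpdate(u LocatorUpdate) error {
	e, ok := p.table[HITOf(u.HI)]
	if !ok {
		return errors.New("unknown HIT")
	}
	if !ed25519.Verify(e.hi, signedBytes(u.HI, u.Seq, u.Addr), u.Sig) {
		return errors.New("signature does not verify under the pinned HI")
	}
	if u.Seq <= e.seq {
		return errors.New("stale or replayed update")
	}
	e.seq, e.addr = u.Seq, u.Addr
	return nil
}

// Locator returns the current address for a HIT.
func (p *HIPPeer) Locator(h HIT) (netip.Addr, bool) {
	e, ok := p.table[h]
	if !ok {
		return netip.Addr{}, false
	}
	return e.addr, true
}

func main() {
	hi, priv, _ := ed25519.GenerateKey(rand.Reader)
	peer := NewHIPPeer()
	h := peer.Learn(hi, netip.MustParseAddr("192.0.2.10")) // constructed sample addresses
	fmt.Println("move:", peer.ApplyUpdate(SignUpdate(priv, 1, netip.MustParseAddr("198.51.100.7"))))
	a, _ := peer.Locator(h)
	fmt.Printf("HIT %x now at %v\n", h[:], a)
	_, attacker, _ := ed25519.GenerateKey(rand.Reader)
	forged := SignUpdate(attacker, 2, netip.MustParseAddr("203.0.113.9"))
	forged.HI = hi // claims the victim's identity but cannot sign for it
	fmt.Println("forged:", peer.ApplyUpdate(forged))
}
```

Note what is absent: no certificate authority is consulted at any point. Trust is anchored in the HI learned at resolution time, which is exactly why the DNS or rendezvous step that delivers the HI becomes the part an attacker would target, as the name resolution slides below discuss.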
Name Resolution
[Figure: HIP name resolution via DNS. 1. The application hands <FQDN> to the resolver. 2. The resolver queries DNS with <FQDN>. 3. DNS returns <HI, Addresses>. 4. The resolver passes <HI, Addresses> to the HIP layer, which sits between Transport and IPsec/Network. 5. The socket layer receives the endpoint descriptor <ED>. The other end is the Responder.]
HIs in the DNS
DNS query asks for addresses and HITs
Requires one to have a DNS name
HITs are not resolvable on their own because the HIT name space is flat
DNS resolution time
Possible DoS attacks (an attacker who knows the DNS server's IP address)
[Figure: resolution via DNS and a Rendezvous Server (RVS). DNS maps FQDN(R) -> HI(R) and FQDN(R) -> IP(RVS); the RVS maps HI(R) -> IP(R). 1. Initiator queries DNS for FQDN(R). 2. DNS returns HI(R), IP(RVS). 3. Initiator sends I1 to IP(RVS). 4. RVS relays I1 to IP(R). 5. Receiver answers with R1. 6. Initiator sends I2 to IP(R). 7. Receiver answers with R2.]
Secure-i3
[Figure (credit: istoica@cs.berkeley.edu): i3 basics. A data packet is (ID, DATA); a trigger is (ID, ADDR) with ADDR = IP address or another identifier. Packets travel over IP routers to the i3 node storing the matching trigger, which forwards them to ADDR.]
[Figure: secure-i3 exchange between initiator and receiver, with the receiver's private id (privid) stored at a separate i3 server. 2. The i3 server storing the public key sends (privid, data) to the i3 server storing the private id. 4. The receiver sends back (S, data) + privid to the i3 server storing the private id. 6. The initiator then sends (privid, data) to the i3 server storing the private id, so later traffic uses only private identifiers.]
HI3
[Figure: HIP base exchange over i3 (HI3). 1. Initiator queries DNS for FQDN(R). 2. DNS returns HIT, Address. 3. I1 is sent via the i3 server storing the private triggers. 4. R1. 5. I2. 6. R2. The path labelled [private trigger] carries the exchange once the private trigger is known.]
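The secure-i3 and HI3 figures above both rest on one mechanism: a receiver is reachable through a public trigger only long enough to hand out a private, unguessable trigger, after which traffic (including the I1/R1/I2/R2 base exchange in HI3) flows on private triggers and the public one can be dropped if it is flooded. The Go program below is an added example written for this page, not code from the slides, from i3 or from any HI3 implementation. It models one i3 node as an in-memory trigger table with delivery callbacks standing in for IP forwarding, uses opaque strings for identifiers (in HI3 the public identifier would be the HIT), and uses hypothetical names such as I3Node, Host and SecureI3Handshake; the host addresses are constructed sample values.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
)

// ID is an i3 identifier. ASSUMPTION: opaque strings stand in for i3's 256-bit
// identifiers; in HI3 the public identifier would be the HIT.
type ID string

// Packet is (ID, DATA); Trigger is (ID, ADDR) with ADDR an IP or another ID.
type Packet struct {
	ID   ID
	Data string
}

type Trigger struct {
	ID   ID
	Addr string
}

// I3Node stores triggers and forwards packets whose ID matches one.
type I3Node struct {
	triggers map[ID]Trigger
	hosts    map[string]func(Packet) // constructed stand-in for IP delivery to a host
	Dropped  int
}

func NewI3Node() *I3Node {
	return &I3Node{triggers: map[ID]Trigger{}, hosts: map[string]func(Packet){}}
}

func (n *I3Node) Attach(ip string, recv func(Packet)) { n.hosts[ip] = recv }
func (n *I3Node) Insert(t Trigger)                    { n.triggers[t.ID] = t }
func (n *I3Node) Remove(id ID)                        { delete(n.triggers, id) }

// Send looks up the trigger for p.ID. If its ADDR is a host, deliver; if it is
// another ID, forward again (bounded, to stop trigger loops). No trigger: drop.
func (n *I3Node) Send(p Packet) bool {
	for hops := 0; hops < 8; hops++ {
		t, ok := n.triggers[p.ID]
		if !ok {
			break
		}
		if recv, isHost := n.hosts[t.Addr]; isHost {
			recv(Packet{ID: t.ID, Data: p.Data})
			return true
		}
		p.ID = ID(t.Addr)
	}
	n.Dropped++
	return false
}

// randomID makes an unguessable private identifier.
func randomID() ID {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return ID(hex.EncodeToString(b))
}

// Host owns one private trigger and remembers the peer's private id once learned.
type Host struct {
	IP       string
	Priv     ID
	PeerPriv ID
	Inbox    []string
}

func NewHost(n *I3Node, ip string) *Host {
	h := &Host{IP: ip, Priv: randomID()}
	n.Attach(ip, func(p Packet) {
		// A HELLO carries the sender's private id, which becomes the return path.
		if strings.HasPrefix(p.Data, "HELLO ") {
			h.PeerPriv = ID(strings.TrimPrefix(p.Data, "HELLO "))
		}
		h.Inbox = append(h.Inbox, p.Data)
	})
	n.Insert(Trigger{ID: h.Priv, Addr: ip})
	return h
}

// SendToPeer uses the private channel only.
func (h *Host) SendToPeer(n *I3Node, data string) bool {
	return n.Send(Packet{ID: h.PeerPriv, Data: data})
}

// SecureI3Handshake: the receiver publishes a public trigger (learned e.g. from DNS);
// the initiator contacts it carrying its own private id; the receiver answers over the
// initiator's private trigger carrying its private id. Data then flows on private
// triggers only, so the public trigger can be removed when it is flooded.
func SecureI3Handshake(n *I3Node, initiator, receiver *Host, pubR ID) bool {
	n.Insert(Trigger{ID: pubR, Addr: receiver.IP})
	if !n.Send(Packet{ID: pubR, Data: "HELLO " + string(initiator.Priv)}) {
		return false
	}
	return receiver.SendToPeer(n, "HELLO "+string(receiver.Priv))
}

func main() {
	n := NewI3Node()
	i, r := NewHost(n, "10.0.0.1"), NewHost(n, "10.0.0.2")
	fmt.Println("handshake:", SecureI3Handshake(n, i, r, "receiver-public"))
	fmt.Println("private data delivered:", i.SendToPeer(n, "app data"))
	n.Remove("receiver-public") // receiver under flood drops its public trigger
	fmt.Println("flood on public id delivered:", n.Send(Packet{ID: "receiver-public", Data: "flood"}))
	fmt.Println("private channel still works:", r.SendToPeer(n, "still fine"))
}
```

The point to take from the run is the asymmetry: an attacker who learned the public identifier from DNS can only reach the public trigger, and once the receiver removes it the flood is discarded at the i3 node while the established private path is untouched. What the model does not cover is an attacker who compromises the i3 node itself, or who can observe the HELLO carrying the private id on the wire; in HI3 that is the part the HIP base exchange and its signatures are meant to protect.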
Shortcoming of HIP
HIP alone cannot provide full security. There is a need for other architectures and network elements to provide the required security:
DNS to store HIs (host identities) and provide a mapping to the current IP interface addresses
Rendezvous Server
Problems with NATs
Problems with Firewalls
Firewalls and NATs block applications that choose port numbers dynamically
Solution
UDP encapsulation (some firewalls block UDP)
Intercept the flow id during the initial stages
QoS
Serviceability aims at explaining how well a customer is served
Service discovery mechanisms lack the ability to discover and negotiate the QoS services supported by devices or required by users
QoS service verification
Users' experience
Your friends' knowledge
Conclusion
The Host Identity Protocol (HIP) uses cryptographic host identities to provide secure and efficient end-to-end communication without requiring a distributed key authority. However, HIP can be vulnerable to attacks and requires supporting infrastructure such as secure-i3, HI3 and HI3-aware NATs/firewalls to support secure service discovery.
For HIP to be used for dynamic service discovery in a heterogeneous network, a lot of protocols need to be changed to support HIP, and terminals, just like the heterogeneous networks, need to be HIP aware.
It is possible to implement, but it requires joint forces from all governments to make this happen, and as usual a good business case should substantiate the need.
Currently HIP is undergoing tests and specification and it is too early to think about its deployment.
The HI3 infrastructure looks promising compared to the current Internet. However, functionalities like multicast, anycast and service composition are still an issue and need further work.