Host Identity Protocol (HIP)
The Host Identity Protocol (HIP) is a host identification and key exchange protocol: a four-packet base exchange (I1, R1, I2, R2) authenticates the two hosts by their public keys and establishes keying material for a secure payload channel, normally IPsec ESP (RFC 5202). HIP separates the end-point identifier and locator roles of IP addresses. It introduces a new Host Identity (HI) name space based on public keys, from which end-point identifiers are taken; on the wire a Host Identity is represented by its 128-bit Host Identity Tag (HIT), a hash of the public key formatted as an IPv6 address in the ORCHID prefix. The public keys are typically, but not necessarily, self-generated. HIP continues to use existing IP addressing and forwarding for locators and packet delivery.
Protocol dependencies
IP: HIP control packets (I1, R1, I2, R2 and the later UPDATE, NOTIFY, CLOSE and CLOSE_ACK) run directly over IPv4 or IPv6 with IP protocol number 139. This is also the value to filter on when capturing, since HIP cannot be named directly in a capture filter. The HIP header's own Next Header field (shown by Wireshark as "Payload Protocol") is normally 59, meaning that nothing follows the HIP parameters.
UDP: For NAT traversal (RFC 5770), HIP control packets can instead be UDP-encapsulated on port 10500.
Note: The data traffic protected by a HIP association is carried in ESP (RFC 5202), so any upper-layer protocol can run over HIP; it is not limited to TCP and UDP.
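The fixed header fields that Wireshark shows in the trace below (Payload Protocol, Header Length, P-bit, Packet Type, Version, S-bit, Checksum, Controls), the two HITs and the TLV parameters that follow them can be parsed and checked with a short script. The Python below is an added example for this page, not code from the Wireshark wiki or the Wireshark dissector. The HITs and the parameter contents of the demo packets are constructed (the addresses, R1 Counter and puzzle values reuse numbers from the trace), and the checksum is verified over the TCP/UDP-style pseudo-header with protocol 139, as RFC 5201 specifies.

```python
"""Dissect and build HIPv1 packets (fixed header plus TLV parameters) per RFC 5201.
Added example for this page, not code from the Wireshark wiki or dissector. The HITs and
the demo packets' parameter contents are constructed; addresses, R1 Counter and puzzle
values reuse numbers from the trace on this page."""
import ipaddress
import struct

HIP_PROTO = 139          # IANA protocol number HIP runs over (RFC 5201)
FIXED_HEADER_LEN = 40    # 8 bytes of fields followed by the two 128-bit HITs
PACKET_TYPES = {1: "I1", 2: "R1", 3: "I2", 4: "R2", 16: "UPDATE", 17: "NOTIFY", 18: "CLOSE", 19: "CLOSE_ACK"}
PARAM_TYPES = {65: "ESP_INFO", 128: "R1_COUNTER", 257: "PUZZLE", 321: "SOLUTION", 513: "DIFFIE_HELLMAN",
               577: "HIP_TRANSFORM", 641: "ENCRYPTED", 705: "HOST_ID", 4095: "ESP_TRANSFORM",
               61505: "HMAC", 61569: "HMAC_2", 61633: "HIP_SIGNATURE_2", 61697: "HIP_SIGNATURE",
               63425: "ECHO_RESPONSE_UNSIGNED", 63661: "ECHO_REQUEST_UNSIGNED"}
SRC, DST = "193.167.187.26", "193.234.218.203"      # addresses from the trace
HIT_I = "2001:13:a1b2:c3d4:e5f6:718:293a:4b5c"       # constructed; ORCHID prefix 2001:10::/28
HIT_R = "2001:1a:6d7e:8f90:a1b2:c3d4:e5f6:708"       # constructed


def inet_checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071); 0 when run over a valid packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pseudo_header(src: str, dst: str, hip_len: int) -> bytes:
    """TCP/UDP-style pseudo-header that the HIP checksum also covers (RFC 5201 s.5.1.1)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version == 4:
        return s.packed + d.packed + struct.pack("!BBH", 0, HIP_PROTO, hip_len)
    return s.packed + d.packed + struct.pack("!IBBBB", hip_len, 0, 0, 0, HIP_PROTO)


def encode_param(ptype: int, contents: bytes) -> bytes:
    """TLV padded to 8 bytes: total = 11 + Length - (Length + 3) % 8 (RFC 5201 s.5.2.1)."""
    total = 11 + len(contents) - (len(contents) + 3) % 8
    return struct.pack("!HH", ptype, len(contents)) + contents + bytes(total - 4 - len(contents))


def build_hip(pkt_type, sender_hit, receiver_hit, params, src, dst, next_header=59):
    """Assemble a packet: ascending parameter order, correct Header Length and checksum."""
    body = b"".join(encode_param(t, c) for t, c in sorted(params))
    total = FIXED_HEADER_LEN + len(body)
    fields = struct.pack("!BBBBHH", next_header, total // 8 - 1, pkt_type & 0x7F,
                         (1 << 4) | 1, 0, 0)   # Version 1, RES 0, fixed S-bit 1; checksum 0 for now
    pkt = fields + ipaddress.ip_address(sender_hit).packed + ipaddress.ip_address(receiver_hit).packed + body
    csum = inet_checksum(pseudo_header(src, dst, total) + pkt)
    return pkt[:4] + struct.pack("!H", csum) + pkt[6:]


def parse_hip(pkt: bytes, src: str, dst: str) -> dict:
    """Dissect header and parameters; ValueError on anything a dissector must reject."""
    if len(pkt) < FIXED_HEADER_LEN:
        raise ValueError("truncated HIP header")
    next_header, hdr_len, type_byte, ver_byte, _csum, controls = struct.unpack("!BBBBHH", pkt[:8])
    if type_byte & 0x80 or not ver_byte & 0x01:
        raise ValueError("fixed bits wrong: P-bit must be 0 and S-bit must be 1")
    total = (hdr_len + 1) * 8                          # Header Length excludes the first 8 bytes
    if total > len(pkt):
        raise ValueError("Header Length %d points past end of packet" % hdr_len)
    info = {"next_header": next_header, "header_length": hdr_len,
            "packet_type": type_byte & 0x7F, "type_name": PACKET_TYPES.get(type_byte & 0x7F, "unknown"),
            "version": ver_byte >> 4, "controls": controls, "anonymous": bool(controls & 0x1),
            "checksum_ok": inet_checksum(pseudo_header(src, dst, total) + pkt[:total]) == 0,
            "sender_hit": str(ipaddress.IPv6Address(pkt[8:24])),
            "receiver_hit": str(ipaddress.IPv6Address(pkt[24:40])),
            "ordered": True, "params": []}
    off, last_type = FIXED_HEADER_LEN, -1
    while off < total:
        if off + 4 > total:
            raise ValueError("truncated parameter header at offset %d" % off)
        ptype, plen = struct.unpack("!HH", pkt[off:off + 4])
        padded = 11 + plen - (plen + 3) % 8
        if off + padded > total:
            raise ValueError("parameter type %d overruns Header Length" % ptype)
        info["ordered"] &= ptype >= last_type           # RFC 5201 requires ascending type order
        info["params"].append({"type": ptype, "name": PARAM_TYPES.get(ptype, "unknown"),
                               "critical": bool(ptype & 1), "contents": pkt[off + 4:off + 4 + plen]})
        off, last_type = off + padded, ptype
    return info


def demo_i1() -> bytes:
    """I1 as in frame 1: no parameters, so Header Length is (40 - 8) / 8 = 4."""
    return build_hip(1, HIT_I, HIT_R, [], SRC, DST)


def demo_r1() -> bytes:
    """R1 with the trace's R1_COUNTER and PUZZLE values (the other R1 parameters are omitted)."""
    r1_counter = struct.pack("!IQ", 0, 0x1045)                    # Reserved, R1 Counter
    puzzle = struct.pack("!BBHQ", 10, 37, 0, 0x23c8b08466518471)  # K, Lifetime, Opaque, I
    return build_hip(2, HIT_R, HIT_I, [(128, r1_counter), (257, puzzle)], DST, SRC)


def is_malformed(pkt: bytes, src: str, dst: str) -> bool:
    """True when parse_hip rejects the packet."""
    try:
        parse_hip(pkt, src, dst)
    except ValueError:
        return True
    return False
```

Header Length is counted in 8-byte units and excludes the first 8 bytes, which is why the parameterless I1 in the trace shows 4 and the demo R1 with two 16-byte parameters shows 8. The checksum check uses the same pseudo-header as TCP and UDP with protocol 139, so a packet whose IP addresses were rewritten in transit (without a NAT-traversal extension) fails verification even though the HIP bytes are intact; the `ordered` flag records whether the parameters arrived in ascending type order, since the HMAC and signature parameters rely on that ordering to define what they cover.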
Example traffic
The capture excerpt below, as dissected by Wireshark, shows a complete HIPv1 base exchange between 193.167.187.26 (Initiator) and 193.234.218.203 (Responder): I1, R1, I2 and R2. Parameter headers that the excerpt omits are named here according to RFC 5201 and RFC 5202.

No.  Time      Source           Destination      Protocol  Info
1    0.000000  193.167.187.26   193.234.218.203  HIP       HIP I1 (HIP Initiator Packet)
  Host Identity Protocol
    Payload Protocol: 59
    Header Length: 4
    Fixed P-bit: 0 (Always zero)
    Packet Type: 1
    Version: 1, Reserved: 0
    Fixed S-bit: 1 (HIP)
    Checksum: 0x3d4a (correct)
    HIP Controls: 0x0000
      .... .... .... ...0 = Anonymous (Sender's HI is anonymous): False

No.  Time      Source           Destination      Protocol  Info
2    0.037852  193.234.218.203  193.167.187.26   HIP       HIP R1 (HIP Responder Packet)
  Host Identity Protocol
    Payload Protocol: 59
    Header Length: 74
    Fixed P-bit: 0 (Always zero)
    Packet Type: 2
    Version: 1, Reserved: 0
    Fixed S-bit: 1 (HIP)
    Checksum: 0x9fb9 (correct)
    HIP Controls: 0x0000
      .... .... .... ...0 = Anonymous (Sender's HI is anonymous): False
    R1_COUNTER (type=128, length=12)
      Reserved: 0x00000000
      R1 Counter: 0000000000001045
    PUZZLE
      Difficulty (K): 10
      Lifetime: 37
      Opaque Data: 0x0000
      Random number (I): 23c8b08466518471
    DIFFIE_HELLMAN
      Group ID: 3 (1536-bit MODP group)
      Public Value Length: 192
      Public Value: c6d90a4e31a12b297b00162e7ce87d4eac71f53e032a7088...
    HIP_TRANSFORM
      Suite ID: 1 (AES-CBC with HMAC-SHA1)
      Suite ID: 2 (3DES-CBC with HMAC-SHA1)
    ESP_TRANSFORM
      Reserved: 0x0000
      Suite ID: 1 (AES-CBC with HMAC-SHA1)
      Suite ID: 2 (3DES-CBC with HMAC-SHA1)
    HOST_ID
      Host Identity Length: 136
      Domain Identifier Type: 0
      Domain Identifier Length: 0
      Host Identity flags: 0x0202ff05
        0000 0010 0000 0010 .... .... .... .... = Host Identity Header Flags: Key is associated with non-zone entity (0x00000202)
        .... .... .... .... 1111 1111 .... .... = Host Identity Header Protocol: Key is valid for any protocol (0x000000ff)
        .... .... .... .... .... .... 0000 0101 = Host Identity Header Algorithm: RSA (0x00000005)
    HIP_SIGNATURE_2
      Signature Algorithm: 5 (RSA)
      Signature: 5c942e27bfb3002c645902d8106780f96bc71c503f11b00b...
    ECHO_REQUEST_UNSIGNED
      Opaque Data: d390247cef89e3a61d8775701b1452bae218f0c6

No.  Time      Source           Destination      Protocol  Info
3    0.052798  193.167.187.26   193.234.218.203  HIP       HIP I2 (Second HIP Initiator Packet)
  Host Identity Protocol
    Payload Protocol: 59
    Header Length: 84
    Fixed P-bit: 0 (Always zero)
    Packet Type: 3
    Version: 1, Reserved: 0
    Fixed S-bit: 1 (HIP)
    Checksum: 0x70ea (correct)
    HIP Controls: 0x0000
      .... .... .... ...0 = Anonymous (Sender's HI is anonymous): False
    ESP_INFO (type=65, length=12)
      Reserved: 0x0000
      Keymaterial Index: 0x0048
      Old SPI: 0x00000000
      New SPI: 0xc1905228
    R1_COUNTER
      Reserved: 0x00000048
      R1 Counter: 0000000000001045
    SOLUTION
      Difficulty (K): 10
      Reserved: 0
      Opaque Data: 0x0000
      Random number (I): 23c8b08466518471
      Solution (J): 4540f2538515f5d3
    DIFFIE_HELLMAN
      Group ID: 3 (1536-bit MODP group)
      Public Value Length: 192
      Public Value: 579c9096ead9be2d39e59173d4d4985a15910ea8702f3b5b...
    HIP_TRANSFORM
      Suite ID: 1 (AES-CBC with HMAC-SHA1)
    ENCRYPTED
      Reserved: 0x00000000
      Encrypted Parameter Data (176 bytes)
    ESP_TRANSFORM
      Reserved: 0x0000
      Suite ID: 1 (AES-CBC with HMAC-SHA1)
    HMAC
      HMAC: 5357199e5c4251ff155a23479dbb1c813c4a7e5c
    HIP_SIGNATURE
      Signature Algorithm: 5 (RSA)
      Signature: 505f0ddc50bc9067147ab6cb00ab99b1c9f87f271712f875...
    ECHO_RESPONSE_UNSIGNED
      Opaque Data: d390247cef89e3a61d8775701b1452bae218f0c6

No.  Time      Source           Destination      Protocol  Info
4    0.198993  193.234.218.203  193.167.187.26   HIP       HIP R2 (Second HIP Responder Packet)
  Host Identity Protocol
    Payload Protocol: 59
    Header Length: 26
    Fixed P-bit: 0 (Always zero)
    Packet Type: 4
    Version: 1, Reserved: 0
    Fixed S-bit: 1 (HIP)
    Checksum: 0x5728 (correct)
    HIP Controls: 0x0000
      .... .... .... ...0 = Anonymous (Sender's HI is anonymous): False
    ESP_INFO (type=65, length=12)
      Reserved: 0x0000
      Keymaterial Index: 0x0048
      Old SPI: 0x00000000
      New SPI: 0x3b71d381
    HMAC_2
      HMAC: abe35f9e9fc6e1ca12526eb4ed195a44f9e29dd1
    HIP_SIGNATURE
      Signature Algorithm: 5 (RSA)
      Signature: 818c6d10afe29450f90159289948f55d3175ab94b514d947...
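The R1 above carries the puzzle (Difficulty K = 10, Lifetime 37, random number I = 23c8b08466518471) and the I2 returns the solution J = 4540f2538515f5d3. RFC 5201 defines a valid solution as one for which the lowest K bits of SHA-1(I | HIT-I | HIT-R | J) are zero, so the Responder stays cheap to contact until the Initiator has spent roughly 2^K hash computations; the Responder also refuses solutions for puzzles it did not issue or that have outlived their Lifetime (encoded as 2^(Lifetime - 32) seconds, 32 s here). The Python below is an added example for this page, not code from the Wireshark wiki or any HIP implementation: it solves and verifies puzzles and models the Responder's bookkeeping. The HITs are constructed (the excerpt does not show them, so the trace's J cannot be re-checked here); I, K and Lifetime are the R1 values; retiring each I after one accepted solution is this example's policy, not an RFC requirement.

```python
"""HIPv1 cookie puzzle (RFC 5201 s.4.1.2 and s.6.3): R1 carries I, K and Lifetime, I2 returns J.
Added example for this page, not code from the Wireshark wiki or any HIP implementation. The
HITs are constructed (the trace does not show them); I, K and Lifetime are the R1 values above.
Accepting each I only once is a policy choice of this example, not an RFC requirement."""
import hashlib
import ipaddress
import secrets
import struct
import time

MASK64 = (1 << 64) - 1
HIT_I = ipaddress.ip_address("2001:13:a1b2:c3d4:e5f6:718:293a:4b5c").packed   # constructed
HIT_R = ipaddress.ip_address("2001:1a:6d7e:8f90:a1b2:c3d4:e5f6:708").packed   # constructed
I_FROM_TRACE, K_FROM_TRACE, LIFETIME_FROM_TRACE = 0x23c8b08466518471, 10, 37


def puzzle_check(I: int, hit_i: bytes, hit_r: bytes, J: int, K: int) -> bool:
    """Ltrunc(SHA-1(I | HIT-I | HIT-R | J), K) == 0: the lowest K bits of the hash are zero."""
    digest = hashlib.sha1(struct.pack("!Q", I) + hit_i + hit_r + struct.pack("!Q", J)).digest()
    return int.from_bytes(digest, "big") & ((1 << K) - 1) == 0


def solve_puzzle(I: int, hit_i: bytes, hit_r: bytes, K: int, start: int = 0) -> int:
    """Initiator side: try successive J until one solves; about 2**K hashes on average."""
    J = start
    while not puzzle_check(I, hit_i, hit_r, J, K):
        J = (J + 1) & MASK64
    return J


def lifetime_seconds(lifetime: int) -> float:
    """PUZZLE Lifetime encodes 2**(Lifetime - 32) seconds, so the trace's 37 means 32 s."""
    return 2.0 ** (lifetime - 32)


class PuzzleResponder:
    """Responder side: hand out I with an expiry, then check the SOLUTION that comes back in I2."""

    def __init__(self, K: int, lifetime: int, clock=time.monotonic):
        self.K, self.lifetime, self.clock = K, lifetime, clock
        self.pending = {}                    # I -> time after which a solution is refused

    def issue(self, I=None):
        """Values for R1's PUZZLE parameter: (I, K, Lifetime). I is random unless supplied."""
        I = secrets.randbits(64) if I is None else I
        self.pending[I] = self.clock() + lifetime_seconds(self.lifetime)
        return I, self.K, self.lifetime

    def verify(self, I: int, hit_i: bytes, hit_r: bytes, J: int) -> bool:
        """Accept only a known, unexpired I with a correct J, and retire I afterwards."""
        expiry = self.pending.get(I)
        if expiry is None or self.clock() > expiry:
            self.pending.pop(I, None)        # unknown or stale puzzle: no work was forced
            return False
        if not puzzle_check(I, hit_i, hit_r, J, self.K):
            return False                     # wrong J; the I stays valid for a retry
        del self.pending[I]
        return True


def demo_exchange(clock_values=None) -> dict:
    """Round trip with a scripted clock: solve, present, replay, and present an unknown I."""
    ticks = iter(clock_values or [0.0] * 8)
    resp = PuzzleResponder(K_FROM_TRACE, LIFETIME_FROM_TRACE, clock=lambda: next(ticks))
    I, K, _lifetime = resp.issue(I_FROM_TRACE)
    J = solve_puzzle(I, HIT_I, HIT_R, K)
    return {"J": J, "accepted": resp.verify(I, HIT_I, HIT_R, J),
            "replay": resp.verify(I, HIT_I, HIT_R, J),
            "unknown_I": resp.verify(I ^ 1, HIT_I, HIT_R, J)}
```

With K = 10 the search takes on the order of a thousand SHA-1 calls, which is negligible for a legitimate Initiator but forces an attacker flooding I2 packets to pay that cost per forged exchange; raising K under load is how a Responder trades Initiator latency for protection. Because the HITs are part of the hash input, a solution computed for one pair of identities cannot be reused against another.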
Wireshark
The HIP dissector is fully functional and conforms to the following specifications: RFC 5201, RFC 5202, RFC 5203, RFC 5204, RFC 5206, draft-ietf-hip-nat-traversal-09 (RFC 5770) and draft-ietf-hip-cert-03. These are the HIP version 1 documents, matching the Version: 1 field in the trace above. RFC 5201 and RFC 5202 have since been obsoleted by RFC 7401 and RFC 7402 (HIP version 2), which use a different version number and negotiable hash and Diffie-Hellman algorithms; everything on this page refers to HIPv1.
Display Filter
A complete list of HIP display filter fields can be found in the display filter reference.
Show only the HIP based traffic:
hip
External links
RFC 4423 Host Identity Protocol (HIP) Architecture.
RFC 5201 Host Identity Protocol.
RFC 5202 Using the Encapsulating Security Payload (ESP) Transport Format with the Host Identity Protocol (HIP).
RFC 5203 Host Identity Protocol (HIP) Registration Extension.
RFC 5204 Host Identity Protocol (HIP) Rendezvous Extension.
RFC 5206 End-Host Mobility and Multihoming with the Host Identity Protocol.
RFC 5770 Basic Host Identity Protocol (HIP) Extensions for Traversal of Network Address Translators.
draft-ietf-hip-cert Host Identity Protocol Certificates (later published as RFC 6253).