HIP and HIP middlebox福建工程学院现代教育技术中心

移动检测HomeAgentRemoteNodeMobileNodeForeignAgentMIPv4：使用外地代理转交地址

MobileNode①代理公告移动检测使用外地代理转交地址MotivationforHIP

家乡代理通信对端外地代理绑定注册家乡代理通信对端移动节点外地代理②注册请求②注册请求③注册应答③注册应答MotivationforHIP

接收/发送分组家乡代理通信对端移动节点外地代理代理ARP和免费ARP隧道IP数据IP头标IP数据IP头标IP头标家乡代理处IP-in-IP封装外地代理处IP-in-IP解封装源：家乡代理地址目的：外地代理地址分组分组分组分组MotivationforHIP

家乡代理通信对端移动节点外地代理三角路由问题三角路由问题MotivationforHIP

MotivationforHIP攻击者能够监听到移动节点的数据包攻击者在家乡网络和通信对端的路径上获得绑定管理密钥，伪造绑定更新等SecurityproblemWhatisHIPNewcryptographicidentifiersHostIdentities(Publickeyofakeypair)HostIdentityTags(128bits)IPaddressesaslocatorsAnauthenticationandkeyexchangeprotocolIPsecESPtransportmodefordatatrafficsecurity.HIP:HostIdentifyProtocol(RFC4423)WhatisHIPHIPLayeringModel:WhatisHIPHIPheader:WhatisHIPThedoublelookupmechanism

:HIPbaseexchangeDataheadercompressionHIPbaseexchangeHIPUPDATEProcedure

:WhatisHIPHIPandMiddleboxesAsymmetricpathsInterception,aspreviouslydescribed,isnotpossible:Firewall(I)needstoknowSPI(I)Firewall(R)needstoknowSPI(R)ProblemwithRoutingAsymmetryHIPregisterextensionHIPregisterextensionSystemframework发起端中间系统R1’I2’R2’I1响应端I1中间系统FW-IR1R1’I2’R2’R1R1I2I2R2R2I1FW-RSPI(I),SPI(R)SPI(I),SPI(R)HIPCookies预先产生随机数I;谜题的难度系数K是可调整的;难题解答与验证的难度不对称;Diffie-Hellman密钥交换机制ConsiderationofsecurityYlitalo,J.,Melen,J.,Nikander,P.andV.Torvinen,"Re-thinkingSecurityinIPbasedMicro-Mobility",7thInformationSecurityConference(ISC-04),PaloAlto,",September2004.Moskowitz,R.,Nikander,P.,Jokela,P.andT.Henderson:"HostIdentityProtocol",draft-ietf-hip-base-00.txt(workinprogress),June2004AbobaB.andDixonW.,IPsec-NetworkAddressTranslation(NAT)CompatibilityRequirementsRFC3715,March2004.H.Tschofenig.,"draft-tschofenig-hiprg-hip-natfw-traversal-06.txt",(workinprogress),July9,2007A.Huttunenetal,A.,"UDPEncapsulationofIPsecPackets",draft-ietf-ipsec-udp-encaps-07.txt(workinprogress),Jan2003.J.Laganier.,"draft-ietf-hip-registration-02.txt",(workinprogress),June7,2006.H.Tschofenig,A.Nagarajan,Siemens,etal.NATandFirewallTraversalforHIP

draft-t