idnits 2.17.1 

draft-ietf-hip-applications-03.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate.  You should update this
     to the boilerplate described in the IETF Trust License Policy document
     (see https://trustee.ietf.org/license-info), which is required now.

  -- Found old boilerplate from RFC 3978, Section 5.1 on line 19.

  -- Found old boilerplate from RFC 3978, Section 5.5, updated by RFC 4748 on
     line 709.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 720.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 727.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 733.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust Copyright Line does not match the
     current year

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (June 28, 2008) is 5780 days in the past.  Is this
     intentional?


  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  -- Obsolete informational reference (is this intentional?): RFC 5201
     (Obsoleted by RFC 7401)

  -- Obsolete informational reference (is this intentional?): RFC 4843
     (Obsoleted by RFC 7343)


     Summary: 1 error (**), 0 flaws (~~), 1 warning (==), 9 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	Network Working Group                                       T. Henderson
3	Internet-Draft                                        The Boeing Company
4	Intended status: Informational                               P. Nikander
5	Expires: December 30, 2008                  Ericsson Research NomadicLab
6	                                                                 M. Komu
7	                                      Helsinki Institute for Information
8	                                                              Technology
9	                                                           June 28, 2008

11	       Using the Host Identity Protocol with Legacy Applications
12	                     draft-ietf-hip-applications-03

14	Status of this Memo

16	   By submitting this Internet-Draft, each author represents that any
17	   applicable patent or other IPR claims of which he or she is aware
18	   have been or will be disclosed, and any of which he or she becomes
19	   aware will be disclosed, in accordance with Section 6 of BCP 79.

21	   Internet-Drafts are working documents of the Internet Engineering
22	   Task Force (IETF), its areas, and its working groups.  Note that
23	   other groups may also distribute working documents as Internet-
24	   Drafts.

26	   Internet-Drafts are draft documents valid for a maximum of six months
27	   and may be updated, replaced, or obsoleted by other documents at any
28	   time.  It is inappropriate to use Internet-Drafts as reference
29	   material or to cite them other than as "work in progress."

31	   The list of current Internet-Drafts can be accessed at
32	   http://www.ietf.org/ietf/1id-abstracts.txt.

34	   The list of Internet-Draft Shadow Directories can be accessed at
35	   http://www.ietf.org/shadow.html.

37	   This Internet-Draft will expire on December 30, 2008.

39	Abstract

41	   This document is an informative overview of how legacy applications
42	   can be made to work with the Host Identity Protocol (HIP).  HIP
43	   proposes to add a cryptographic name space for network stack names.
44	   From an application viewpoint, HIP-enabled systems support a new
45	   address family of host identifiers, but it may be a long time until
46	   such HIP-aware applications are widely deployed even if host systems
47	   are upgraded.  This informational document discusses implementation
48	   and Application Programming Interface (API) issues relating to using
49	   HIP in situations in which the system is HIP-aware but the
50	   applications are not, and is intended to aid implementors and early
51	   adopters in thinking about and locally solving systems issues
52	   regarding the incremental deployment of HIP.

54	Table of Contents

56	   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
57	   2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  5
58	   3.  Enabling HIP transparently within the system . . . . . . . . .  6
59	     3.1.  Applying HIP to cases in which IP addresses are used . . .  6
60	     3.2.  Interposing a HIP-aware agent in the DNS resolution  . . .  7
61	     3.3.  Discussion . . . . . . . . . . . . . . . . . . . . . . . .  8
62	   4.  Users Invoking HIP with a Legacy Application . . . . . . . . . 10
63	     4.1.  Connecting to a HIT or LSI . . . . . . . . . . . . . . . . 10
64	     4.2.  Using a modified DNS name  . . . . . . . . . . . . . . . . 10
65	     4.3.  Other techniques . . . . . . . . . . . . . . . . . . . . . 11
66	   5.  Local address management . . . . . . . . . . . . . . . . . . . 12
67	   6.  Security Considerations  . . . . . . . . . . . . . . . . . . . 14
68	   7.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 16
69	   8.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 17
70	   9.  Informative References . . . . . . . . . . . . . . . . . . . . 18
71	   Appendix A.  Changes from previous versions  . . . . . . . . . . . 19
72	     A.1.  From version-01 to version-02  . . . . . . . . . . . . . . 19
73	     A.2.  From version-02 to version-03 (current)  . . . . . . . . . 20
74	   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 21
75	   Intellectual Property and Copyright Statements . . . . . . . . . . 22

77	1.  Introduction

79	   The Host Identity Protocol (HIP) [RFC5201] is an experimental effort
80	   in the IETF and IRTF to study a new public-key-based name space for
81	   use as host identifiers in Internet protocols.  Fully deployed, the
82	   HIP architecture would permit applications and users to explicitly
83	   request the system to send packets to another host by expressing a
84	   location-independent unique name of a peer host when the system call
85	   to connect or send packets is performed.  However, there will be a
86	   transition period during which systems become HIP-enabled but
87	   applications are not.  This informational document does not propose
88	   normative specification or even suggest that different HIP
89	   implementations use more uniform methods for legacy application
90	   support, but is intended instead to aid implementors and early
91	   adopters in thinking about and solving systems issues regarding the
92	   incremental deployment of HIP.

94	   When applications and systems are both HIP-aware, the coordination
95	   between the application and the system can be straightforward.  For
96	   example, using the terminology of the widely used sockets Application
97	   Programming Interface (API), the application can issue a system call
98	   to send packets to another host by naming it explicitly, and the
99	   system can perform the necessary name-to-address mapping to assign
100	   appropriate routable addresses to the packets.  To enable this, a new
101	   address family for hosts could be defined, and additional API
102	   extensions could be defined (such as allowing IP addresses to be
103	   passed in the system call, along with the host name, as hints of
104	   where to initially try to reach the host).

106	   This document does not define a native HIP API such as described
107	   above.  Rather, this document is concerned with the scenario in which
108	   the application is not HIP-aware and a traditional IP-address-based
109	   API is used by the application.

111	   The discussion so far assumes that applications are written directly
112	   to a sockets API.  However, many applications are built on top of
113	   middleware that exports a higher-level API to the application.  In
114	   this case, for the purpose of this document, we refer to the
115	   combination of the middleware and the middleware- based application
116	   as an overall application, or client of the sockets API.

118	   When HIP is enabled on a system, but the applications are not HIP-
119	   aware, there are a few basic possibilities to use HIP, each of which
120	   may or may not be supported by a given HIP implementation.  We report
121	   here on techniques that have been used or considered by experimental
122	   HIP implementations.  We organize the discussion around the policy
123	   chosen to use or expose HIP to the applications.  The first option is
124	   that users are completely unaware of HIP, or are unable to control
125	   whether or not HIP is invoked, but rather the system chooses to
126	   enable HIP for some or all sessions based on policy.  The second
127	   option is that the user makes a decision to try to use HIP by
128	   conveying this information somehow within the constraints of the
129	   unmodified application.  We discuss both of these use cases in detail
130	   below.

132	   HIP was designed to work with unmodified applications, to ease
133	   incremental deployment.  For instance, the HIT is the same size as
134	   the IPv6 address, and the design thinking was that, during initial
135	   experiments and transition periods, the HITs could substitute in data
136	   structures where IPv6 addresses were expected.  However, to a varying
137	   degree depending on the mechanism employed, such use of HIP can alter
138	   the semantics of what is considered to be an IP address by
139	   applications.  Applications use IP addresses as short-lived local
140	   handles, long-lived application associations, callbacks, referrals,
141	   and identity comparisons.  The transition techniques described below
142	   have implications on these different uses of IP addresses by legacy
143	   applications, and we will try to clarify these implications in the
144	   below discussions.

146	2.  Terminology

148	   Callback:   The application at one end retrieves the IP address of
149	      the peer and uses that to later communicate "back" to the peer.
150	      An example is the FTP PORT command.

152	   Host Identity:  An abstract concept applied to a computing platform.

154	   Host Identifier (HI):  A public key of an asymmetric key pair used as
155	      a name for a Host Identity.  More details are available in
156	      [RFC5201].

158	   Host Identity Tag (HIT):  A 128-bit quantity composed with the hash
159	      of a Host Identity.  More details are available in [RFC4843] and
160	      [RFC5201].

162	   Local Scope Identifier (LSI):  A 32- or 128-bit quantity locally
163	      representing the Host Identity at the IPv4 or IPv6 API.

165	   Referral:   In an application with more than two parties, party B
166	      takes the IP address of party A and passes that to party C. After
167	      this party C uses the IP address to communicate with A.

169	   Resolver:  The system function used by applications to resolve domain
170	      names to IP addresses.

172	   Short-lived local handle:  The IP addresses is never retained by the
173	      application.  The only usage is for the application to pass it
174	      from the DNS APIs (e.g., getaddrinfo()) and the API to the
175	      protocol stack (e.g., connect() or sendto()).

177	   Long-lived application associations:  The IP address is retained by
178	      the application for several instances of communication.

180	3.  Enabling HIP transparently within the system

182	   When both users and applications are unaware of HIP, but the host
183	   administrator chooses to use HIP between hosts, a few options are
184	   possible.  The first basic option is to perform a mapping of the
185	   application-provided IP address to a host identifier within the
186	   stack.  The second option, if DNS is used, is to interpose a local
187	   agent in the DNS resolution process and to return to the application
188	   a HIT or a locally scoped handle, formatted like an IP address.

190	3.1.  Applying HIP to cases in which IP addresses are used

192	   Consider the case in which an application issues a "connect(ip)"
193	   system call to set the default destination to a system named by
194	   address "ip", but for which the host administrator would like to
195	   enable HIP to protect the communications.  The user or application
196	   intends for the system to communicate with the host reachable at that
197	   IP address.  The decision to invoke HIP must be done on the basis of
198	   host policy.  For example, when an IPsec-based implementation of HIP
199	   is being used, a policy may be entered into the security policy
200	   database that mandates to use or to try HIP based on a match on the
201	   source or destination IP address, port numbers, or other factors.
202	   The mapping of IP address to host identifier may be implemented by
203	   modifying the host operating system or by wrapping the existing
204	   sockets API, such as in the TESLA approach [paper.tesla].

206	   There are a number of ways that HIP could be configured by the host
207	   administrator in such a scenario.

209	   Manual configuration:

211	      Pre-existing SAs may be available due to previous administrative
212	      action, or a binding between an IP address and a HIT could be
213	      stored in a configuration file or database.

215	   Opportunistically:

217	      The system could send an I1 to the Responder with an empty value
218	      for Responder HIT.

220	   Using DNS to map IP addresses to HIs:

222	      If the responder has host identifiers registered in the forward
223	      DNS zone and has a PTR record in the reverse zone, the Initiator
224	      could perform a reverse+forward lookup to learn the HIT associated
225	      with the address.  Although the approach should work under normal
226	      circumstances, it has not been tested to verify that there are no
227	      recursion or bootstrapping issues, particularly if HIP is used to
228	      secure the connection to the DNS servers.  Discussion of the
229	      security implications of the use or absence of DNSSEC is deferred
230	      to the security considerations section.

232	   Using HIP in the above fashion can cause additional setup delays
233	   compared to using plain IP.  For opportunistic mode, a host must wait
234	   to learn whether the peer is HIP-capable, although the delays may be
235	   mitigated in some implementations by sending initial packets (e.g.,
236	   TCP SYN) in parallel to the HIP I1 packet and waiting some time to
237	   receive a HIP R1 before processing a TCP SYN/ACK.  Note that there
238	   presently does not exist specification for how to invoke such
239	   connections in parallel.  Resolution latencies may also be incurred
240	   when using DNS in the above fashion.

242	   A possible way to reduce latencies noted above, in the case that the
243	   application uses DNS, would be for the system to opportunistically
244	   query for HIP records in parallel to other DNS resource records, and
245	   to temporarily cache the HITs returned with a DNS lookup, indexed by
246	   the IP addresses returned in the same entry, and pass the IP
247	   addresses up to the application as usual.  If an application connects
248	   to one of those IP addresses within a short time after the lookup,
249	   the host should initiate a base exchange using the cached HITs.  The
250	   benefit is that this removes the uncertainty/delay associated with
251	   opportunistic HIP, because the DNS record suggests that the peer is
252	   HIP-capable.

254	3.2.  Interposing a HIP-aware agent in the DNS resolution

256	   In the previous section, it was noted that a HIP-unaware application
257	   might typically use the DNS to fetch IP addresses prior to invoking
258	   socket calls.  A HIP-enabled system might make use of DNS to
259	   transparently fetch host identifiers for such domain names prior to
260	   the onset of communication.

262	   A system with a local DNS agent could alternately return a Local
263	   Scope Identifier (LSI) or HIT rather than an IP address, if HIP
264	   information is available in the DNS or other directory that binds a
265	   particular domain name to a host identifier, and otherwise to return
266	   an IP address as usual.  The system can then maintain a mapping
267	   between LSI and host identifier and perform the appropriate
268	   conversion at the system call interface or below.  The application
269	   uses the LSI or HIT as it would an IP address.  This technique has
270	   been used in overlay networking experiments such as the Internet
271	   Indirection Infrastructure (i3) and by at least one HIP
272	   implementation.

274	   In the case when resolvers can return multiple destination
275	   identifiers for an application, it may be configured that some of the
276	   identifiers can be HIP-based identifiers, and the rest can be IPv4 or
277	   IPv6 addresses.  The system resolver may return HIP-based identifiers
278	   in front of the list of identifiers when the underlying system and
279	   policies support HIP.  An application processing the identifiers
280	   sequentially will then first try a HIP-based connection and only then
281	   other non-HIP based connections.  However, certain applications may
282	   launch the connections in parallel.  In such a case, the non-HIP
283	   connections may succeed before HIP connections.  Based on local
284	   system policies, a system may disallow such behaviour and return only
285	   HIP-based identifiers when they are found from DNS.

287	   If the application obtains LSIs or HITs that it treats as IP
288	   addresses, a few potential hazards arise.  First, applications that
289	   perform referrals may pass the LSI to another system that has no
290	   system context to resolve the LSI back to a host identifier or an IP
291	   address.  Note that these are the same type of applications that will
292	   likely break if used over certain types of network address
293	   translators (NATs).  Second, applications may cache the results of
294	   DNS queries for a long time, and it may be hard for a HIP system to
295	   determine when to perform garbage collection on the LSI bindings.
296	   However, when using HITs, the security of using the HITs for identity
297	   comparison may be stronger than in the case of using IP addresses.
298	   Finally, applications may generate log files, and administrators or
299	   other consumers of these log files may become confused to find LSIs
300	   or HITs instead of IP addresses.  Therefore, it is recommended that
301	   the HIP software logs the HITs, LSIs (if applicable), and FQDN-
302	   related information so that administrators can correlate other logs
303	   with HIP identifiers.

305	   It may be possible for an LSI or HIT to be routable or resolvable,
306	   either directly or through an overlay, in which case it would be
307	   preferable for applications to handle such names instead of IP
308	   addresses.  However, such networks are out of scope of this document.

310	3.3.  Discussion

312	   Solutions preserving the use of IP addresses in the applications have
313	   the benefit of better support for applications that use IP addresses
314	   for long-lived application associations, callbacks, and referrals,
315	   although it should be noted that applications are discouraged from
316	   using IP addresses in this manner due to the frequent presence of
317	   NATs [RFC1958].  However, they have weaker security properties than
318	   the approaches outlined in Section 3.2 and Section 4, because the
319	   binding between host identifier and address is weak and not visible
320	   to the application or user.  In fact, the semantics of the
321	   application's "connect(ip)" call may be interpreted as "connect me to
322	   the system reachable at IP address ip" but perhaps no stronger
323	   semantics than that.  HIP can be used in this case to provide perfect
324	   forward secrecy and authentication, but not to strongly authenticate
325	   the peer at the onset of communications.

327	   Using IP addresses at the application layer may not provide the full
328	   potential benefits of HIP mobility support.  It allows for mobility
329	   if the system is able to readdress long-lived, connected sockets upon
330	   a HIP readdress event.  However, as in current systems, mobility will
331	   break in the connectionless case, when an application caches the IP
332	   address and repeatedly calls sendto(), or in the case of TCP when the
333	   system later opens additional sockets to the same destination.

335	   Section 4.1.6 of the base HIP protocol specification [RFC5201] states
336	   that implementations that learn of HIT-to-IP address bindings through
337	   the use of HIP opportunistic mode must not enforce those bindings on
338	   later communications sessions.  This implies that when IP addresses
339	   are used by the applications, systems that attempt to
340	   opportunistically set up HIP must not assume that later sessions to
341	   the same address will communicate with the same host.

343	   The legacy application is unaware of HIP and therefore cannot notify
344	   the user when the application uses HIP.  However, the operating
345	   system can notify the user of the usage of HIP through a user agent.
346	   Further, it is possible for the user agent to name the network
347	   application that caused a HIP-related event.  This way, the user is
348	   aware when he or she is using HIP even though the legacy network
349	   application is not.  Based on usability tests from initial
350	   deployments, displaying the HITs and LSIs should be avoided in user
351	   interfaces.  Instead, traditional security measures (lock pictures,
352	   colored address bars) should be used where possible.

354	   One drawback to spoofing the DNS resolution is that some
355	   applications, or selected instances of an application, actually may
356	   want to fetch IP addresses (e.g., diagnostic applications such as
357	   ping).  One way to provide finer granularity on whether the resolver
358	   returns an IP address or an LSI is to have the user form a modified
359	   domain name when he or she wants to invoke HIP.  This leads us to
360	   consider, in the next section, use cases for which the end user
361	   explicitly and selectively chooses to enable HIP.

363	4.  Users Invoking HIP with a Legacy Application

365	   The previous section described approaches for configuring HIP for
366	   legacy applications that did not necessarily involve the user.
367	   However, there may be cases in which a legacy application user wants
368	   to use HIP for a given application instance by signaling to the HIP-
369	   enabled system in some way.  If the application user interface or
370	   configuration file accepts IP addresses, there may be an opportunity
371	   to provide a HIT or an LSI in its place.  Furthermore, if the
372	   application uses DNS, a user may provide a specially crafted domain
373	   name to signal to the resolver to fetch HIP records and to signal to
374	   the system to use HIP.  We describe both of these approaches below.

376	4.1.  Connecting to a HIT or LSI

378	   Section 3.2 above describes the use of HITs or LSIs as spoofed return
379	   values of the DNS resolution process.  A similar approach that is
380	   more explicit is to configure the application to connect directly to
381	   a HIT (e.g., "connect(HIT)" as a socket call).  This scenario has
382	   stronger security semantics, because the application is asking the
383	   system to send packets specifically to the named peer system.  HITs
384	   have been defined as Overlay Routable Cryptographic Hash Identifiers
385	   (ORCHIDs) such that they cannot be confused with routable IP
386	   addresses; see [RFC4843].

388	   This approach also has a few challenges.  Using HITs can be more
389	   cumbersome for human users (due to the flat HIT name space) than
390	   using either IPv6 addresses or domain names.  Another challenge with
391	   this approach is in actually finding the IP addresses to use, based
392	   on the HIT.  Some type of HIT resolution service would be needed in
393	   this case.  A third challenge of this approach is in supporting
394	   callbacks and referrals to possibly non-HIP-aware hosts.  However,
395	   since most communications in this case would likely be to other HIP-
396	   aware hosts (else the initial HIP associations would fail to
397	   establish), the resulting referral problem may be that the peer host
398	   supports HIP but is not able to perform HIT resolution for some
399	   reason.

401	4.2.  Using a modified DNS name

403	   Specifically, if the application requests to resolve "HIP-
404	   www.example.com" (or some similar prefix string), then the system
405	   returns an LSI, while if the application requests to resolve
406	   "www.example.com", IP address(es) are returned as usual.  The use of
407	   a prefix rather than suffix is recommended, and the use of a string
408	   delimiter that is not a dot (".") is also recommended, to reduce the
409	   likelihood that such modified DNS names are mistakenly treated as
410	   names rooted at a new top-level domain.  Limits of domain name length
411	   or label length (255 or 63, respectively) should be considered when
412	   prepending any prefixes.

414	4.3.  Other techniques

416	   Alternatives to using a modified DNS name that have been experimented
417	   with include the following.  Command-line tools or tools with a
418	   graphical user interface (GUI) can be provided by the system to allow
419	   a user to set the policy on which applications use HIP.  Another
420	   common technique, for dynamically linked applications, is to
421	   dynamically link the application to a modified library that wraps the
422	   system calls and interposes HIP layer communications on them; this
423	   can be invoked by the user by running commands through a special
424	   shell, for example.

426	5.  Local address management

428	   The previous two sections focused mainly on controlling client
429	   behavior (HIP initiator).  We must also consider the behavior for
430	   servers.  Typically, a server binds to a wildcard IP address and
431	   well-known port.  In the case of HIP use with legacy server
432	   implementations, there are again a few options.  The system may be
433	   configured manually to always, optionally (depending on the client
434	   behavior), or never use HIP with a particular service, as a matter of
435	   policy, when the server specifies a wildcard (IP) address.

437	   When a system API call such as getaddrinfo [RFC3493] is used for
438	   resolving local addresses, it may also return HITs or LSIs, if the
439	   system has assigned HITs or LSIs to internal virtual interfaces
440	   (common in many HIP implementations).  The application may use such
441	   identifiers as addresses in subsequent socket calls.

443	   Some applications may try to bind a socket to a specific local
444	   address, or may implement server-side access control lists based on
445	   socket calls such as getsockname() and getpeername() in the C-based
446	   socket APIs.  If the local address specified is an IP address, again,
447	   the underlying system may be configured to still use HIP.  If the
448	   local address specified is a HIT (Section 4), the system should
449	   enforce that connections to the local application can only arrive to
450	   the specified HIT.  If a system has many HITs, an application that
451	   binds to a single HIT cannot accept connections to the other HITs in
452	   the system.

454	   When a host has multiple HIs and the socket behavior does not
455	   prescribe the use of any particular HI as a local identifier, it is a
456	   matter of local policy as to how to select a HI to serve as a local
457	   identifier.  However, systems that bind to a wildcard may face
458	   problems when multiple HITs or LSIs are defined.  These problems are
459	   not specific to HIP per se, but are also encountered in non-HIP
460	   multihoming scenarios with applications not designed for multihoming.

462	   As an example, consider a client application that sends an UDP
463	   datagram to a server that is bound to a wildcard.  The server
464	   application receives the packet using recvfrom() and sends a response
465	   using sendto().  The problem here is that sendto() may actually use a
466	   different server HIT than the client assumes.  The client will drop
467	   the response packet when the client implements access control on the
468	   UDP socket (e.g. using connect()).

470	   Reimplementing the server application using the sendmsg() and
471	   recvmsg() to support multihoming (particularly considering the
472	   ancillary data) would be the ultimate solution to this problem, but
473	   with legacy applications is not an option.  As a workaround, we make
474	   suggestion for servers providing UDP-based services with non-
475	   multihoming capable services.  Such servers should announce only the
476	   HIT or public key that matches to the default outgoing HIT of the
477	   host to avoid such problems.

479	   Finally, some applications may create a connection to a local HIT.
480	   In such a case, the local system may use NULL encryption to avoid
481	   unnecessary encryption overhead, and may be otherwise more permissive
482	   than usual such as excluding authentication, Diffie-Hellman exchange,
483	   and puzzle.

485	6.  Security Considerations

487	   In this section we discuss the security of the system in general
488	   terms, outlining some of the security properties.  However, this
489	   section is not intended to provide a complete risk analysis.  Such an
490	   analysis would, in any case, be dependent on the actual application
491	   using HIP, and is therefore considered out of scope.

493	   The scenarios outlined above differ considerably in their security
494	   properties.  When the DNS is used, there are further differences
495	   related to whether DNSSEC [RFC4033] is used or not, and whether the
496	   DNS zones are considered trustworthy enough.  Here we mean that there
497	   should exist a delegation chain to whatever trust anchors are
498	   available in the respective trees, and the DNS zone administrators in
499	   charge of the netblock should be trusted to put in the right
500	   information.

502	   When IP addresses are used by applications to name the peer system,
503	   the security properties depend on the configuration method.  With
504	   manual configuration, the security of the system is comparable to a
505	   non-HIP system with similar IPsec policies.  The security semantics
506	   of an initial opportunistic key exchange are roughly equal to non-
507	   secured IP; the exchange is vulnerable to man-in-the-middle attacks.
508	   However, the system is less vulnerable to connection hijacking
509	   attacks.  If the DNS is used, if both zones are secured (or the HITs
510	   are stored in the reverse DNS record) and the client trusts the
511	   DNSSEC signatures, the system may provide a fairly high security
512	   level.  However, much depends on the details of the implementation,
513	   the security and administrative practices used when signing the DNS
514	   zones, and other factors.

516	   Using the forward DNS to map a domain name into an LSI is a case that
517	   is closest to the most typical use scenarios today.  If DNSSEC is
518	   used, the result is fairly similar to the current use of certificates
519	   with TLS.  If DNSSEC is not used, the result is fairly similar to the
520	   current use of plain IP, with the additional protection of data
521	   integrity, confidentiality, and prevention of connection hijacking
522	   that opportunistic HIP provides.  If DNSSEC is used, data integrity
523	   and data origin authentication services are added to the normal DNS
524	   query protocol, thereby providing more certainty that the desired
525	   host is being contacted, if the DNS records themselves are
526	   trustworthy.

528	   If the application is basing its operations on HITs, the connections
529	   become automatically secured due to the implicit channel bindings in
530	   HIP.  That is, when the application makes a connect(HIT) system call,
531	   the resulting packets will either be sent to a node possessing the
532	   corresponding private key or the security association will fail to be
533	   established.

535	   When the system provides (spoofs) LSIs or HITs instead of IP
536	   addresses as the result of name resolution, the resultant fields may
537	   inadvertently show up in user interfaces and system logs, which may
538	   cause operational concerns for some network administrators.
539	   Therefore, it is recommended that the HIP software logs the HITs,
540	   LSIs (if applicable), and FQDN-related information so that
541	   administrators can correlate other logs with HIP identifiers.

543	7.  IANA Considerations

545	   This document has no actions for IANA.

547	8.  Acknowledgments

549	   Jeff Ahrenholz, Gonzalo Camarillo, Alberto Garcia, Teemu Koponen,
550	   Julien Laganier, and Jukka Ylitalo have provided comments on
551	   different versions of this draft.  Erik Nordmark provided the
552	   taxonomy of how applications use IP addresses in a previously expired
553	   Internet Draft.  The document received substantial and useful
554	   comments during the review phase from David Black, Pekka Savola, Lars
555	   Eggert, and Peter Koch.

557	9.  Informative References

559	   [RFC5201]  Moskowitz, R., Nikander, P., Jokela, P., and T. Henderson,
560	              "Host Identity Protocol", RFC 5201, April 2008.

562	   [RFC4843]  Nikander, P., Laganier, J., and F. Dupont, "An IPv6 Prefix
563	              for Overlay Routable Cryptographic Hash Identifiers
564	              (ORCHID)", RFC 4843, April 2007.

566	   [paper.tesla]
567	              Salz, J., Balakrishnan, H., and A. Snoeren, "TESLA:  A
568	              Transparent, Extensible Session-Layer Architecture for
569	              End-to-end Network Services",  Proceedings of USENIX
570	              Symposium on Internet Technologies and Systems (USITS),
571	              pages 211-224, March 2003.

573	   [RFC1958]  Carpenter, B., "Architectural Principles of the Internet",
574	              RFC 1958, June 1996.

576	   [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
577	              Rose, "DNS Security Introduction and Requirements",
578	              RFC 4033, March 2005.

580	   [RFC3493]  Gilligan, R., Thomson, S., Bound, J., McCann, J., and W.
581	              Stevens, "Basic Socket Interface Extensions for IPv6",
582	              RFC 3493, February 2003.

584	Appendix A.  Changes from previous versions

586	   This section is to be removed by the RFC Editor before publication.
587	   It summarizes resolution of issues raised in the following reviews:
588	   (1) IESG last call, (2) Gen-ART review, and (3) DNS directorate
589	   review.  Mobility and secdir reviews did not result in actionable
590	   comments.

592	A.1.  From version-01 to version-02

594	   Better clarity in the abstract and introduction about the goal of the
595	   draft; namely, that it is informational to help implementors and
596	   early adopters think about and solve deployment issues (comment from
597	   Pekka Savola).

599	   Delete the second paragraph of 3 about the general applicability of
600	   replacing IP addresses with LSIs and HITs at the socket layer.
601	   (comment from Pekka Savola).

603	   Delete comments in Section 3.2 on routable LSIs, as this is seen to
604	   be out of scope and potentially controversial or incomplete (comment
605	   from David Black).

607	   Delete reference to Erik Nordmark's shim6 application referral draft,
608	   since it is a dead draft (comment from David Black).  Instead, Erik
609	   is cited in the acknowledgments section for providing the taxonomy of
610	   IP address usage scenarios.

612	   Clarify (and reference the base spec) in Sec. 3.1 that use of the
613	   opportunistic mode requires that systems not enforce that the
614	   HIT-to-IP address bindings learned will pertain to subsequent
615	   sessions to that IP address.

617	   Section 3.2 drew comments from several reviewers.  First, David Black
618	   raised the issue that spoofing IP addresses with HITs or LSIs raises
619	   risks that it may turn up in log records; this has been noted in the
620	   text.  The section on using a DNS suffix to signal the preferred use
621	   of HIP was objected to by members of the DNS directorate and others
622	   (including the co-author Pekka Nikander), due to concern that queries
623	   to a new TLD might leak out.  The current draft instead recommends a
624	   DNS prefix instead of suffix, due to a suggestion by Thomas Narten.

626	   In section 3.1, clarify recursion issues that may arise when doing
627	   reverse+forward lookup of HIP records from DNS (comment from Pekka
628	   Savola).

630	   Clarify more specifically in security considerations section the
631	   DNSSEC trust assumptions or security considerations (outline of text
632	   provided by Pekka Savola, and similar comment raised by Peter Koch).

634	   Clarified in security considerations section that IP address spoofing
635	   could cause some operational difficulties if they unexpectedly show
636	   up in log files or UIs (comment from David Black).

638	   Clarified in Sec. 3.1 that opportunistic and DNS techniques can incur
639	   additional latency when compared to plain IP (comment from Lars
640	   Eggert)

642	   Added third option to Section 3.2 for using DNS (transparently
643	   fetching HIP resource records when doing other RR queries), suggested
644	   by Lars Eggert and also by Olaf Kolkman.

646	   Incorporated last-call comments from Miika Komu, which were all
647	   handled in Section 3.4: i) clarify multihoming issue for servers with
648	   multiple HITs, when receiving UDP, ii) clarify a problem that might
649	   arise for applications that do parallel connect, and iii) suggest
650	   that loopback HIP connections could use a NULL encryption.

652	   Removed expired references and updated active references.

654	   Incorporated additional review comments from Miika Komu, and some
655	   suggested replacement text, and added him as a co-author.

657	A.2.  From version-02 to version-03 (current)

659	   DNSSEC clarifications added based on dns-dir review from Peter Koch

661	   Editing pass through document.  Organizationally, everything except
662	   security considerations was in one section.  The existing text of
663	   Sections 3.1 through 3.3 was moved to new Sections 3 and 4, the
664	   previous text of section 3.4 has been moved to section 5, and the
665	   previous Section 4 (security considerations) is now Section 6.
666	   Performed further wordsmithing and cleanup.

668	Authors' Addresses

670	   Thomas Henderson
671	   The Boeing Company
672	   P.O. Box 3707
673	   Seattle, WA
674	   USA

676	   Email: thomas.r.henderson@boeing.com

678	   Pekka Nikander
679	   Ericsson Research NomadicLab
680	   JORVAS  FIN-02420
681	   FINLAND

683	   Phone: +358 9 299 1
684	   Email: pekka.nikander@nomadiclab.com

686	   Miika Komu
687	   Helsinki Institute for Information Technology
688	   Metsaenneidonkuja 4
689	   Helsinki  FIN-02420
690	   FINLAND

692	   Phone: +358503841531
693	   Email: miika@iki.fi

695	Full Copyright Statement

697	   Copyright (C) The IETF Trust (2008).

699	   This document is subject to the rights, licenses and restrictions
700	   contained in BCP 78, and except as set forth therein, the authors
701	   retain all their rights.

703	   This document and the information contained herein are provided on an
704	   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
705	   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
706	   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
707	   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
708	   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
709	   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

711	Intellectual Property

713	   The IETF takes no position regarding the validity or scope of any
714	   Intellectual Property Rights or other rights that might be claimed to
715	   pertain to the implementation or use of the technology described in
716	   this document or the extent to which any license under such rights
717	   might or might not be available; nor does it represent that it has
718	   made any independent effort to identify any such rights.  Information
719	   on the procedures with respect to rights in RFC documents can be
720	   found in BCP 78 and BCP 79.

722	   Copies of IPR disclosures made to the IETF Secretariat and any
723	   assurances of licenses to be made available, or the result of an
724	   attempt made to obtain a general license or permission for the use of
725	   such proprietary rights by implementers or users of this
726	   specification can be obtained from the IETF on-line IPR repository at
727	   http://www.ietf.org/ipr.

729	   The IETF invites any interested party to bring to its attention any
730	   copyrights, patents or patent applications, or other proprietary
731	   rights that may cover technology that may be required to implement
732	   this standard.  Please address the information to the IETF at
733	   ietf-ipr@ietf.org.