[Search] [txt|pdfized|bibtex] [Tracker] [Email] [Nits]
Versions: 00 01                                                         
Host Identity Protocol                                      T. Heer, Ed.
Internet-Draft                                                  H. Wirtz
Intended status: Experimental            Distributed Systems Group, RWTH
Expires: August 31, 2009                               Aachen University
                                                             S. Varjonen
                                                  Helsinki Institute for
                                                  Information Technology
                                                       February 27, 2009

                      Service Identifiers for HIP

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.  This document may not be modified,
   and derivative works of it may not be created, except to format it
   for publication as an RFC and to translate it into languages other
   than English.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at

   The list of Internet-Draft Shadow Directories can be accessed at

   This Internet-Draft will expire on August 31, 2009.

Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents in effect on the date of
   publication of this document (http://trustee.ietf.org/license-info).
   Please review these documents carefully, as they describe your rights

Heer, et al.             Expires August 31, 2009                [Page 1]

Internet-Draft               Hip-Service-ID                February 2009

   and restrictions with respect to this document.


   The Host Identity Protocol [RFC5201] is a signaling protocol for
   secure communication, mobility, and multihoming that introduces a
   cryptographic namespace.  This document specifies an extension for
   HIP that enables HIP end-hosts and HIP-aware middleboxes to announce
   services to HIP hosts during a HIP Base EXchange (BEX) or HIP update.
   Service providers are able to specify the type and requirements of a
   service; clients can then decide to agree on the terms of service.
   This allows the service provider to verify the accordance of the
   client with the service conditions while the client is able to verify
   the authenticity of the used service.

Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   document are to be interpreted as described in [RFC2119].

1.  Introduction

   The Host Identity Protocol (HIP) introduces a new cryptographic
   namespace, based on public keys, in order to secure Internet
   communication.  Several HIP-related documents are concerned with the
   provision and discovery of services, e.g., the HIP registration
   extension [RFC5203] and the HIP middlebox authentication extension
   [I-D.heer-hip-middle-auth].  This document specifies a new HIP
   parameter that lets service providers communicate properties and
   requirements of a service to the HIP end-hosts and to on-path HIP-
   aware network entities.  Service providers can either be other HIP
   end-hosts (Initiator or Responder), on-path network entities (HIP-
   aware middleboxes and other HIP-aware network infrastructure
   elements), or entities using the HIP registration extension.

2.  Terminology

   In addition to the terminology defined in [RFC5203], this document
   defines the following terms:

   Service provider:  A HIP end-host or HIP-aware on-path entity
      (middlebox) that offers a service to a HIP end-host.  Middleboxes
      that offer a service can either use the HIP registration extension
      [RFC5203] or the HIP middlebox authentication extension

Heer, et al.             Expires August 31, 2009                [Page 2]

Internet-Draft               Hip-Service-ID                February 2009

   Client:  A HIP end-host (Initiator or Responder) that is offered a
      service.  The client can choose whether to accept or to deny the
      offered service.

3.  Protocol Overview

   The service announcement and service acknowledgement procedure
   defined in this document is a two-way communication process that
   integrates into the regular HIP control channel packet exchanges
   (i.e. the HIP BEX and the HIP update mechanism).

   During a base exchange or HIP update mechanism, a service provider
   (the HIP end-host or a HIP-aware service provider on the
   communication path) can add a SERVICE_OFFER to an I1, R1, I2, R2, or
   UPDATE packet.  The SERVICE_OFFER provides general information about
   the service and service-specific information for the client.  This
   information is addressed to the receiver of the HIP control packet.
   Each HIP packet can contain multiple SERVICE_OFFER parameters from
   one or more service providers.

   The client reads the SERVICE_OFFER parameters from the incoming HIP
   control packet and based on local policies decides to accept or deny
   the service offer from the service provider.  If it decides to accept
   the service offer, it responds by creating a SERVICE_ACK parameter
   which it sends in the signed part of the next regular HIP control
   packet.  If the HIP control packet containing the SERVICE_OFFER does
   not require an immediate response in the next control packet, the
   receiver of the SERVICE_OFFER generates an additional HIP UPDATE
   packet that contains the SERVICE_ACK.  If a client declines the
   service offer, it does not respond with a SERVICE_ACK parameter.

   The SERVICE_OFFER parameter comes in two flavors: SERVICE_OFFER and
   SERVICE_OFFER_UNSIGNED.  The SERVICE_OFFER parameter is covered by
   the signature of the HIP control packet that contains it.  Therefore,
   it can only be added by the HIP end-host that generates the HIP
   control packet.  The SERVICE_OFFER_UNSIGNED is not covered by the
   signature in the HIP control packet, it is added by HIP-aware
   middleboxes or HIP end-hosts.  Consequently, end-hosts can decide
   whether to use the signed or unsigned version of the parameter.  An
   example in which an end-host may prefer to use the unsigned parameter
   is the use of pre-created R1 packets which should include a
   SERVICE_OFFER that depends on properties of the Initiator (e.g. its
   HI or IP address).

   The service provider can determine whether the client acknowledges
   the service offer by checking the presence of a SERVICE_ACK parameter
   with a matching SERVICE_ID in the next packet.  The SERVICE_ACK

Heer, et al.             Expires August 31, 2009                [Page 3]

Internet-Draft               Hip-Service-ID                February 2009

   contains the hash of the service offer, allowing the service provider
   to verify that the user has accepted the terms of service as added by
   the service provider in the SERVICE_OFFER.  Replying with the hash of
   the complete SERVICE_OFFER ensures that the client adheres to all
   conditions of the service offer and that the SERVICE_OFFER_UNSIGNED
   parameter was delivered without modification in transit.
   Additionally, the service provider SHOULD verify the validity of the
   signature in the HIP control packet.  In order to shelter against
   Denial-of-Service (DoS) attacks, end-hosts and middleboxes can
   utilize the puzzle mechanisms specified in [RFC5201] for end-hosts
   and [I-D.heer-hip-middle-auth] for middleboxes

3.1.  HIP Parameters


   The SERVICE_OFFER and the SERVICE_OFFER_UNSIGNED have identical
   structures and semantics.  The two parameters differ only in their
   type numbers.  Therefore, we discuss only about the contents of the
   SERVICE_OFFER parameter while the following specifications concerning
   the SERVICE_OFFER parameter also apply to the SERVICE_OFFER_UNSIGNED

   The SERVICE_OFFER parameter is depicted below.  It consists of three

       the receiving host with a basic classification of the service
       based on general parameters.  The service properties are an aid
       for the end-hosts for understanding the nature of an unknown

   2.  SERVICE_ID (SID): The SERVICE_ID is a number that identifies a
       service or a class of services.  The SERVICE_DESCRIPTION is
       interpreted depending on the SERVICE_ID.  The SERVICE_ID MUST be
       known to all hosts that intend to use that particular service.
       The SID numbers from 0 to 2^31-1 are assigned by IANA.  SID
       numbers from 2^31 to 2^32-1 are unallocated and may be used by
       service providers without prior request or notice.

       variable-length data blob that is interpreted based on the
       information in the SID field.  It MUST be understood by all hosts
       that intend to use the service.  The SD field allows a service to
       provide specific service-related information.  The structure and
       semantics of the SD field are not part of this document but are
       specified by the service operators.

Heer, et al.             Expires August 31, 2009                [Page 4]

Internet-Draft               Hip-Service-ID                February 2009

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   |             Type              |             Length            |
   |                SP (SERVICE_PROPERTIES) (32 bit)              |
   |                SID  (SERVICE_ID) (32 bit)                     |
   |          SD (SERVICE_DESCRIPTION (variable length)           /
   /                                           +-+-+-+-+-+-+-+-+-+-|
   /                                           |      Padding      |

   Type       65334

   Length     Variable

   SP         Service Properties. A bit field characterizing the
              service (see below).

   SID        Unique service ID identifying the service or type of
              service. 0 (zero) to 2^31-1 assigned by IANA, rest
              unallocated and in free use.

   SD         Service Description and service conditions specified
              by the service provider and interpreted by the client.

Heer, et al.             Expires August 31, 2009                [Page 5]

Internet-Draft               Hip-Service-ID                February 2009

   SERVICE_PROPERTIES field structure:

       0                                       1
       0   1   2   3   4   5   6   7   8   9   0   1   2   3   4   5
   0 |REQ COM FOR TER INI ACI ACR CEI CER <---  RESERVED  --->       |
   1 |                    <---  RESERVED  --->                       |

   0 REQ - Required:      Non adherence to the requested authentication
                           will result in denial of service.

   1 COM - Commercial:     Use of this service may result in monetary

   2 FOR - Forwarding:     This service entails forwarding of packets.

   3 TER - Terminal:       This HIP-aware middlebox is located at the
                           last hop towards the responder.

   4 INI - Initial:        This HIP-aware middlebox is located at the
                           first hop towards the responder.

   5 ACI - ACL Initiator:  The HIT of the Initiator must be in the ACL
                           of the service.

   6 ACR - ACL Responder:  The HIT of the Responder must be in the ACL
                            of the service.

   7 CEI - Cert Initiator: Cert from Initiator required. Cert type
                           defined in variable SD field.

   8 CER - Cert Responder: Cert from Responder required. Cert type
                           defined in variable SD field.

   Bits 9 to 32 are reserved for future purposes.


   A host that accepts a SERVICE_OFFER or SERVICE_OFFER_UNSIGNED replies
   with a SERVICE_ACK parameter in its next regular HIP packet.

   The service acknowledgement contains the SID as reference to the
   acknowledged service and the hash of the SERVICE_OFFER parameter.
   The hash is generated by applying SHA-1 hash function to the

Heer, et al.             Expires August 31, 2009                [Page 6]

Internet-Draft               Hip-Service-ID                February 2009

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   |             Type              |             Length            |
   |                                                               |
   |                SID (Service IDentifier)  (32 bit)             |
   |                                                               |
   |                   SH (Service Hash)  (128 bit)                |
   |                                                               |
   |                                                               |

   Type       65334

   Length     160 bit

   SID        Unique service ID identifying the service or type of
              service. 0 (zero) to 2^31-1 assigned by IANA, rest
              unallocated and in free use.

   SH         SHA-1 hash of the accepted SERVICE_OFFER parameter
              belonging to the SID

4.  Applications and Use Cases

4.1.  Certificates

   Middleboxes or end-hosts may require certificates that state that the
   host is entitled to perform certain actions (e.g. connect to a host,
   use a certain link, use a certain service) [I-D.ietf-hip-cert].  The
   HIP CERT parameter allows HIP hosts to transmit certificate
   information within HIP control packets.  However, a host may possess
   multiple certificates and therefore it must decide which certificate
   to transmit.

   End-hosts and middleboxes can require the client to present a
   certificate by adding a SERVICE_OFFER parameter to the next packer
   addressed to the client.  Setting the CEI bit set indicates that a
   certificate is required and should be sent on the consequent control
   packet in order to get service.  The type of certificate can be
   transmitted in the SD field.

   If the end-host fails in providing sufficient credentials to the
   service provider it can respond with a NOTIFICATION with

Heer, et al.             Expires August 31, 2009                [Page 7]

Internet-Draft               Hip-Service-ID                February 2009

   BLOCKED_BY_POLICY if the service provider is an end-host or a
   NOTIFICATION with BLOCKED_BY_POLICY_M if the service provider is a
   middlebox to signal the error.  BLOCKED_BY_POLICY is defined in
   [RFC5201] and BLOCKED_BY_POLICY_M is defined below.

      NOTIFY MESSAGES - ERROR TYPES            Value
      ------------------------------           -----

      BLOCKED_BY_POLICY                    42

         The Responder is unwilling to set up an association
         for policy reasons.

      BLOCKED_BY_POLICY_M                      8192

         The middlebox is not willing to service the client for
         policy reasons.

   The policy reason for not serving or setting up an association in
   this case would be a missing or insufficient certificate.

4.2.  Quality of Service

   Services may offer a free basic service and a commercial premium
   service.  In such cases, the service provider can add a SERVICE_OFFER
   for the premium service and default to the basic service if the
   client does not send a matching SERVICE_ACK.  Alternatively, the
   service provider can add multiple SERVICE_OFFER parameters to a hip
   control packets, leaving it to the client to acknowledge the
   appropriate offer.

   Further service details (e.g. payment and the quality of the offered
   services) can be negotiated by using the SERVICE_DETAILS field.  By
   signing the SERVICE_ACK, the end-host agrees to the terms of service.
   The service provider can use the signed HIP packet containing the
   SERVICE_ACK as proof that the client has requested the service.  It
   can later use this proof for billing.

   Service providers MAY send a NOTIFICATION if the client does not
   respond with a matching SERVICE_ACK by sending either
   BLOCKED_BY_POLICY (end-host) or BLOCKED_BY_POLICY_M (middlebox) if
   they decide to deny the service.  See section Section 4.1 for the
   definition of these parameters.

Heer, et al.             Expires August 31, 2009                [Page 8]

Internet-Draft               Hip-Service-ID                February 2009

5.  Security Considerations

   The question of whether a client must subscribe to a service and the
   question of whether a service is on the shortest direct path between
   the Initiator and the Responder is out of scope for this document.
   However, service operators can design the SERVICE_OFFER parameter in
   a way that allows semantic sanity checks.  For example, a host can
   detect a suspicios situation if two middleboxes claim to be inital or
   terminal middleboxes (active INI or TER bits in the SD field of the
   SERVICE_OFFER parameter).  In such cases, end-hosts may require to
   react based on policies or user interaction.

   This document makes no assumptions about the authenticity of the
   SERVICE_OFFER and SERVICE_OFFER_UNSIGNED parameter.  Especially the
   identity of a service provider is not verified.  However, should a
   service require authentication of a service provider, it can
   implement this in the variable data field in the SERVICE_OFFER and

6.  IANA Considerations

   This draft specifies a new namespace for service identifiers (SID
   numbers).  The SID numbers from 0 to 2^31-1 are to be assigned by
   IANA.  SID numbers from 2^31 to 2^32-1 are unallocated and may be
   used by service providers without prior request or notice.  The SID
   numbers in the unmanaged SID number space should be selected in a
   random fashion.  There is no guarantee that the SID numbers in the
   unmanaged SID space are free from collisions.  Service providers that
   use SID numbers from the unallocated SID space should, therefore,
   take precautions for cases of collisions.

   In addition to the SID, a service is described by its SP-flags.  To
   guarantee consistent extensibility of service descriptions,
   assignment of flags and their positions should also be provided by

7.  Normative References

              Heer, T., Wehrle, K., and M. Komu, "End-Host
              Authentication for HIP Middleboxes",
              draft-heer-hip-middle-auth-01 (work in progress),
              July 2008.

              Heer, T. and S. Varjonen, "HIP Certificates",

Heer, et al.             Expires August 31, 2009                [Page 9]

Internet-Draft               Hip-Service-ID                February 2009

              draft-ietf-hip-cert-00 (work in progress), October 2008.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC5201]  Moskowitz, R., Nikander, P., Jokela, P., and T. Henderson,
              "Host Identity Protocol", RFC 5201, April 2008.

   [RFC5203]  Laganier, J., Koponen, T., and L. Eggert, "Host Identity
              Protocol (HIP) Registration Extension", RFC 5203,
              April 2008.

Authors' Addresses

   Tobias  Heer (editor)
   Distributed Systems Group, RWTH Aachen University
   Ahornstrasse 55
   Aachen  52062

   Phone: +49 241 80 20776
   Email: heer@cs.rwth-aachen.de
   URI:   http://ds.cs.rwth-aachen.de/members/heer

   Hanno Wirtz
   Distributed Systems Group, RWTH Aachen University
   Ahornstrasse 55
   Aachen  52062

   Phone: +49 241 80 20773
   Email: hanno.wirtz@rwth-aachen.de
   URI:   http://ds.cs.rwth-aachen.de/members/wirtz

   Samu Varjonen
   Helsinki Institute for Information Technology
   Metsnneidonkuja 4

   Fax:   +358 969 49768
   Email: samu.varjonen@hiit.fi
   URI:   http://www.hiit.fi

Heer, et al.             Expires August 31, 2009               [Page 10]