The Service Discovery extensions for the HIP protocol allow a HIP-enabled host to locate other HIP-enabled devices or services on a network or at a specified address. Static networks do not typically scale well as their size increases, and they can make maintenance time intensive. Service Discovery would make maintenance and network use more trivial and allow other applications to take advantage of the HIP infrastructure without complex procedures.
Originally in the HIP specification, a BOS or bootstrap packet would traverse the same LAN discovering other HIP hosts. Due to a lack of available research and effort amongst the IETF HIP group, the BOS packet was removed from development.
However, the HIP Service Discovery offered two modes of operation: on-the-path and local network discovery.
The first mode, on-the-path, requires a Middlebox to be located on the path to the destination peer. A HIP host then sends an UPDATE or Service Discovery packet towards the peer. When the packet arrives at the Middlebox responsible for relaying the traffic, that Middlebox responds with a Service Announcement packet to the HIP host.
The second mode, local network discovery, requires a broadcast from a HIP host out to the host's associated LAN. This local discovery mode enables the discovery of services and hosts outside of the known path of the HIP host making the inquiry.
These two methods are active modes, but in situations where network traffic must be kept to a minimum (for example, lightweight mobile devices with limited battery capacity) another method is required. This alternative method is passive discovery.
Passive Service Discovery is implemented by a Service Provider replying to the Initiator host after forwarding its I1 or UPDATE packet.
HIP hosts can perform Regional Service Discovery on a network as well. This is done when the HIP host sends a Service Discovery packet to a multicast or broadcast address. The destination HIT is set to zero and the destination IP to the special-purpose address. On an IPv4 network, a host can only use 255.255.255.255. On an IPv6 network the host can use one of the following:
- FF02:0:0:0:0:0:0:1 (link-local all multicast address)
- FF02:0:0:0:0:0:0:2 (link-local routers multicast address)
- FF05:0:0:0:0:0:0:2 (site-local routers multicast address)
Note that the transmission rate of Service Announcements is limited. This prevents discovery requests from being used to mount a DoS attack against a spoofed IP address.
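The addressing rule for Regional Service Discovery and the announcement rate limit described above, as an added example in Python that is not part of the original text or of any HIP implementation. It models a responder that only answers discovery packets carrying the zero HIT and one of the permitted broadcast/multicast destinations, and bounds replies per requester source IP with a token bucket; the rate and burst values are assumed for illustration.

```python
import ipaddress
import time
from collections import defaultdict

# Destination addresses permitted for Regional Service Discovery (from the text).
ALLOWED_IPV4 = {ipaddress.IPv4Address("255.255.255.255")}
ALLOWED_IPV6 = {
    ipaddress.IPv6Address("FF02::1"),  # link-local all-nodes multicast
    ipaddress.IPv6Address("FF02::2"),  # link-local routers multicast
    ipaddress.IPv6Address("FF05::2"),  # site-local routers multicast
}
ZERO_HIT = bytes(16)  # 128-bit destination HIT is all zeros in a discovery packet

def is_valid_discovery(dst_hit: bytes, dst_ip: str) -> bool:
    """A discovery packet must carry the zero HIT and a permitted
    broadcast/multicast destination for its address family."""
    if dst_hit != ZERO_HIT:
        return False
    try:
        addr = ipaddress.ip_address(dst_ip)
    except ValueError:
        return False
    return addr in (ALLOWED_IPV4 if addr.version == 4 else ALLOWED_IPV6)

class AnnouncementLimiter:
    """Per-requester token bucket bounding how many Service Announcements
    are sent back to one (possibly spoofed) source IP. The rate and burst
    values are assumptions for this example, not values from the spec."""

    def __init__(self, rate_per_sec=1.0, burst=3, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate_per_sec, burst, clock
        self.buckets = defaultdict(lambda: [float(burst), clock()])

    def allow(self, src_ip: str) -> bool:
        tokens, last = self.buckets[src_ip]
        now = self.clock()
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        spend = tokens >= 1.0
        self.buckets[src_ip] = [tokens - 1.0 if spend else tokens, now]
        return spend

def handle_discovery(limiter, src_ip, dst_hit, dst_ip) -> str:
    """Responder decision: 'drop' a malformed request, 'rate-limited' when
    the requester's bucket is empty, otherwise 'announce' (unsigned reply)."""
    if not is_valid_discovery(dst_hit, dst_ip):
        return "drop"
    return "announce" if limiter.allow(src_ip) else "rate-limited"
```

Because the source IP of a discovery packet cannot be trusted, the limiter caps the reflected traffic that any one address can receive rather than trying to tell legitimate requesters from spoofed ones.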
This all sounds great, but the Service Discovery mechanisms are insecure. The insecurities are the result of the following:
- Service Discovery packets are not protected by a signature
- They could be modified in transit or sent from a spoofed IP address
In conclusion, Service Discovery could be useful in certain scenarios and is a valid feature. However, if Service Discovery is to be enabled and relied upon, it should be used only as a hint for hosts to find HIP services. Ultimately, that hint should be verified by other external security mechanisms.