Get HIP to Simple and Secure Networking

BrandPost By Tempered Networks
Nov 14, 2017

There is a better approach to security and networking—one where it’s easy to connect, route, and segment any device with a powerful orchestration engine. Not only that, but it essentially cloaks network devices from would-be wrong-doers. It’s the HIP way of doing things. 

HIP—which stands for Host Identity Protocol—moves beyond the old address-defined networking paradigm of blindly networking everything. Instead, HIP only networks devices with provable host identities. And it does so in a way that shuts out hackers while making it easy for devices to automatically join a HIP-based network. 

“HIP provides an alternative key exchange capability for the IPsec protocol, enabling transparent and legacy-compatible security for all TCP/IP applications,” explains Andrei Gurtov, ACM Distinguished Scientist and contributor to HIP standardization at the IETF, where he co-led the HIP Research Group at the Internet Research Task Force (IRTF). 

“HIP introduces the concept of an identifier-locator split (separating the role of IP addresses as host identity and topological location in the Internet), where hosts are identified using strong cryptographic identities in the form of 2,048-bit RSA public keys,” Gurtov writes. 

Separating identifier and locator roles

According to Erik Giesa, vice president of Products with Tempered Networks, “HIP separates the end-point identifier and locator roles of IP addresses, which fixes the broken trust model and introduces a more flexible networking and secure Host Identity Namespace. The implications of this on the networking world are huge. With HIP, we can move beyond routing to the concept of orchestration, where we define network trust relationships by identity, at the device level, while still using traditional IP addressing for location across the Internet. This Identity-First architecture leads us directly to a transition from address-defined networking to identity-defined networking.” 

HIP was first implemented at Boeing in 2006 to secure industrial control systems and has only recently been commercialized for the general market. “With built-in encryption and authentication, [HIP] is resistant to denial-of-service and man-in-the-middle attacks,” the Enterprise Strategy Group writes in a lab report about Tempered Networks’ HIP-based solution. “With HIP-enabled solutions, IP addresses are used only to locate hosts, not to identify them, enhancing resource mobility.”

According to Giesa, by assigning every device (or endpoint on a network) a unique cryptographic identity, “our Identity Defined Networking (IDN) solution effectively cloaks vulnerable, high-value systems from hacker reconnaissance, both north-south and east-west traffic.”  

Easier to implement

Not only does HIP make networking more secure, but it actually makes it easier to implement and manage. 

“Only endpoints that are authenticated and authorized can communicate within an overlay segment, creating a fully isolated, hardened network zone that is operationally much simpler because there is no reason to use things such as NAT/PAT, VLANs, Layer 3 VPNs, and static routes,” writes Zeus Kerravala, founder and principal analyst with ZK Research. 

That network fabric eliminates myriad problems of IP addressing, such as when devices move to different hosts, or when IP networks have conflicting addresses. Consider two gateways in separate homes: if they’re both using 192.168.0.1, the effort to network them is immense; but if they’re both equipped with HIP chips and properly authorized, they’ll instantly seek out the HIP server, declare themselves, and be transparently connected. 

HIP makes it possible to connect systems that typically aren’t able to directly connect without going through a gateway, whether it’s two mobile phones on different networks or hundreds of thousands of IoT devices, and to do so securely.

To find out more about HIP-based networking, download a primer by Andrei Gurtov.