Secure access control and connectivity for Amahi?

Posts: 1
Joined: Tue Dec 27, 2011 6:39 am

Secure access control and connectivity for Amahi?

Postby smiccke » Tue Dec 27, 2011 9:52 am

Hi guys,

have you considered trying Host Identity Protocol (HIP). It's described in detail in RFC4423 and RFC5201 but I'll explain it in a nutshell and try to motivate why it might be interesting for Amahi community.

In brief, HIP is a VPN alternative that supports IP address mobility and offers very nice support for NAT traversal. Thus, I believe it could be used to simplify access control and privacy for Amahi-based services (VNC, back up, etc). HIP is implemented by three open-source software:
  • - OpenHIP: OS X, Windows, Linux
    - HIP for BSD platforms, Linux
    - HIP for Linux: Fedora, CentOS, Debian, Ubuntu, Maemo and OpenWRT binary images
HIPL was also in the Linux Journal:

In more detail, HIP could be described as a hybrid of VPN and SSH. To compare it with VPN, HIP has the following characteristics:

Similarities with VPNs:
  • - Uses IPsec tunnels
    - Uses virtual addresses
Differences with VPNs:
  • - The gateway is optional (people typically run HIP directly between the client and server)
    - Supports IP address changes both at the client and server side
Compared to SSH, HIP has the following properties:

Similarities with SSH:
  • - Public-key based authentication
    - Uses fingerprints (e.g. hashes of public keys)
    - Public keys can optionally be published in DNS
Differences with SSH:
  • - SSH tunnels are usually created manually, HIP tunnels are automatic (policy or DNS based).
    - For IPv6 applications, the fingerprint represents the virtual IPv6 address (secure access control lists)
    - As mentioned earlier, supports IP address changes both at the client and server side
The virtual addresses in HIP are fingerprints of the public keys. The idea is that each host creates it's own keys. This allows the virtual addresses to be used conveniently in access control lists. Also, it is statistically very difficult to create the same key pair, so no centralized authority is needed to take care of the keys (like in SSH) and you can easily address different servers behind a single NAT box (based on the unique virtual addresses). NAT traversal is supported by HIP natively or alternatively by reusing the free Teredo infrastructure (Linux has Miredo software for this). So there's really no need to configure your access point at home anymore for NAT traversal.

HIP supports both IPv4 and IPv6 connectivity - both at the application and network level. With HIP, IPv4 applications can talk with IPv6 apps and vice versa. At the network level, HIP supports handovers between IPv4 and IPv6 addresses.

All implementations offer varying levels of DNS support. HIPL implementation has integrated support for DynDNS-like service for human-friendly hostnames and readdressing. Unpatched Bind nameserver supports HIP records as "binary blobs" (try "dig -t any").

If this seems interesting, I can give you further information on the topic? We have been also experimenting with bridging uPnP networks on Linux, but this requires probably another discussion thread :)

Who is online

Users browsing this forum: No registered users and 2 guests