Traversing Middleboxes with the Host Identity Protocol

  • Hannes Tschofenig
  • Andrei Gurtov
  • Jukka Ylitalo
  • Aarthi Nagarajan
  • Murugaraj Shanmugam
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3574)


The limited flexibility of the Internet in supporting mobility has motivated many researchers to look for alternative architectures. One such effort, which combines security and multihoming, is the Host Identity Protocol (HIP). HIP is a signaling protocol that adds a new protocol layer to the Internet stack between the transport layer and the network layer. HIP establishes IPsec associations to protect subsequent data traffic. Although the security associations are established solely between the communicating end hosts, HIP also aims to interwork with middleboxes such as NATs and firewalls. This paper investigates this interworking aspect and proposes a solution for secure middlebox traversal.


Keywords: Identifier-Locator Split; Host Identity Protocol; Middlebox; Network Address Translators (NATs); Firewalls; Authentication; Authorization





Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Hannes Tschofenig, Siemens, Germany
  • Andrei Gurtov, Helsinki Institute for Information Technology, Finland
  • Jukka Ylitalo, Ericsson Research NomadicLab, Finland
  • Aarthi Nagarajan, Technical University Hamburg-Harburg, Germany
  • Murugaraj Shanmugam, Technical University Hamburg-Harburg, Germany
