Experience with the host identity protocol for secure host mobility and multihoming

The Host Identity Protocol (HIP) is a recent protocol proposal for secure host mobility and multihoming using a cryptographic-based name space for Internet hosts. HIP aims to decouple IP addresses from transport connections in a secure manner, thereby admitting network-level mobility and multihoming solutions that do not require the use of a single IP address as a host identifier. Although HIP and related protocol proposals have been circulating for several years, there has been little reported implementation experience with the approach. This paper reports on our experience with implementing HIP and experimenting with it as a mobility management and host multihoming solution. After first introducing the HIP approach and contrasting it with other solutions, we describe our approach for implementing HIP as an extension to Linux and FreeS/WAN IPsec, including our use and extension of standard APIs. We then characterize the performance of HIP packet exchanges experimentally, and report that the computational overhead is dominated by the DSA signing of the HIP packets. Using 266MHz Pentium II-based laptops, our HIP implementation took slightly under 1 second on average to complete connection setup, and less than 200 ms to process a mobility-initiated readdress. We also characterize the overhead due to the HIP “cookie challenge” used for stateless connection setup. We conclude by identifying areas for continued HIP development.