1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
|
Internet Engineering Task Force (IETF) J. Laganier
Request for Comments: 8003 Luminate Wireless, Inc.
Obsoletes: 5203 L. Eggert
Category: Standards Track NetApp
ISSN: 2070-1721 October 2016
Host Identity Protocol (HIP) Registration Extension
Abstract
This document specifies a registration mechanism for the Host
Identity Protocol (HIP) that allows hosts to register with services,
such as HIP rendezvous servers or middleboxes. This document
obsoletes RFC 5203.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc8003.
Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Laganier & Eggert Standards Track [Page 1]
^L
RFC 8003 HIP Registration Extension October 2016
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. HIP Registration Extension Overview . . . . . . . . . . . . . 3
3.1. Registrar Announcing Its Ability . . . . . . . . . . . . 4
3.2. Requester Requesting Registration . . . . . . . . . . . . 4
3.3. Registrar Granting or Refusing Service(s) Registration . 4
4. Parameter Formats and Processing . . . . . . . . . . . . . . 7
4.1. Encoding Registration Lifetimes with Exponents . . . . . 7
4.2. REG_INFO . . . . . . . . . . . . . . . . . . . . . . . . 7
4.3. REG_REQUEST . . . . . . . . . . . . . . . . . . . . . . . 8
4.4. REG_RESPONSE . . . . . . . . . . . . . . . . . . . . . . 9
4.5. REG_FAILED . . . . . . . . . . . . . . . . . . . . . . . 10
5. Establishing and Maintaining Registrations . . . . . . . . . 11
6. Security Considerations . . . . . . . . . . . . . . . . . . . 11
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 13
8.1. Normative References . . . . . . . . . . . . . . . . . . 13
8.2. Informative References . . . . . . . . . . . . . . . . . 14
Appendix A. Changes from RFC 5203 . . . . . . . . . . . . . . . 15
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 15
Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16
1. Introduction
This document specifies an extension to the Host Identity Protocol
(HIP) [RFC7401]. The extension provides a generic means for a host
to register with a service. The service may, for example, be a HIP
rendezvous server [RFC8004] or a middlebox [RFC3234].
This document makes no further assumptions about the exact type of
service. Likewise, this document does not specify any mechanisms to
discover the presence of specific services or means to interact with
them after registration. Future documents may describe those
operations.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
Laganier & Eggert Standards Track [Page 2]
^L
RFC 8003 HIP Registration Extension October 2016
2. Terminology
In addition to the terminology defined in the HIP Architecture
[HIP-ARCH], the HIP specification [RFC7401], and the HIP Rendezvous
Extension [RFC8004], this document defines and uses the following
terms:
Requester:
a HIP node registering with a HIP registrar to request
registration for a service.
Registrar:
a HIP node offering registration for one or more services.
Service:
a facility that provides requesters with new capabilities or
functionalities operating at the HIP layer. Examples include
firewalls that support HIP traversal or HIP rendezvous servers.
Registration:
shared state stored by a requester and a registrar, allowing the
requester to benefit from one or more HIP services offered by the
registrar. Each registration has an associated finite lifetime.
Requesters can extend established registrations through
re-registration (i.e., perform a refresh).
Registration Type:
an 8-bit identifier for a given service in the registration
protocol. For example, the rendezvous service is identified by a
specific registration type.
3. HIP Registration Extension Overview
This document does not specify the means by which a requester
discovers the availability of a service or how a requester locates a
registrar. After a requester has discovered a registrar, it either
initiates HIP base exchange or uses an existing HIP association with
the registrar. In both cases, registrars use additional parameters,
which the remainder of this document defines, to announce their
quality and grant or refuse registration. Requesters use
corresponding parameters to register with the service. Both the
registrar and the requester MAY also include in the messages
exchanged additional HIP parameters specific to the registration type
requested. Other documents will define parameters and how they shall
be used.
Laganier & Eggert Standards Track [Page 3]
^L
RFC 8003 HIP Registration Extension October 2016
The HIP base exchange, including the definition of the HIP I1, R1,
I2, and R2 packets, is defined in [RFC7401]. The following sections
describe the differences between this registration handshake and the
standard HIP base exchange [RFC7401].
3.1. Registrar Announcing Its Ability
A host that is capable and willing to act as a registrar vis-a-vis a
specific requester SHOULD include a REG_INFO parameter in the R1
packets it sends during all base exchanges with that requester. If
it is currently unable to provide services due to transient
conditions, it SHOULD include an empty REG_INFO, i.e., one with no
services listed. If services can be provided later, it SHOULD send
UPDATE packets indicating the current set of services available in a
new REG_INFO parameter to all hosts it is associated with.
3.2. Requester Requesting Registration
To request registration with a service, a requester constructs and
includes a corresponding REG_REQUEST parameter in an I2 or UPDATE
packet it sends to the registrar.
If the requester has no HIP association established with the
registrar, it SHOULD send the REG_REQUEST at the earliest
possibility, i.e., in the I2 packet. This minimizes the number of
packets that need to be exchanged with the registrar. A registrar
MAY end a HIP association that does not carry a REG_REQUEST by
including a NOTIFY with the type REG_REQUIRED in the R2. In this
case, no HIP association is created between the hosts. The
REG_REQUIRED notification error type is 51.
3.3. Registrar Granting or Refusing Service(s) Registration
Once registration has been requested, the registrar is able to
authenticate the requester based on the host identity included in I2.
If the registrar knows the Host Identities (HIs) of all the hosts
that are allowed to register for service(s), it SHOULD reject
registrations from unknown hosts. However, since it may be
infeasible to preconfigure the registrar with all the HIs, the
registrar SHOULD also support HIP certificates [RFC8002] to allow for
certificate-based authentication.
When a requester wants to register with a registrar, it SHOULD check
if it has a suitable certificate for authenticating with the
registrar. How the suitability is determined and how the
certificates are obtained is out of scope for this document. If the
requester has one or more suitable certificates, the host SHOULD
Laganier & Eggert Standards Track [Page 4]
^L
RFC 8003 HIP Registration Extension October 2016
include them (or just the most suitable one) in a CERT parameter to
the HIP packet along with the REG_REQUEST parameter. If the
requester does not have any suitable certificates, it SHOULD send the
registration request without the CERT parameter to test whether the
registrar accepts the request based on the host's identity.
When a registrar receives a HIP packet with a REG_REQUEST parameter,
and it requires authentication for at least one of the registration
types listed in the REG_REQUEST parameter, it MUST first check
whether the HI of the requester is in the allowed list for all the
registration types in the REG_REQUEST parameter. If the requester is
in the allowed list (or the registrar does not require any
authentication), the registrar MUST proceed with the registration.
If the requester was not in the allowed list and the registrar
requires the requester to authenticate, the registrar MUST check
whether the packet also contains a CERT parameter. If the packet
does not contain a CERT parameter, the registrar MUST reject the
registrations requiring authentication with Failure Type 0 (zero)
(registration requires additional credentials). If the certificate
is valid and accepted (issued for the requester and signed by a
trusted issuer), the registrar MUST proceed with the registration.
If the certificate in the parameter is not accepted, the registrar
MUST reject the corresponding registrations with the appropriate
Failure Type:
4 (Bad certificate): The certificate is corrupt, contains invalid
signatures, etc.
5 (Unsupported certificate): The certificate is of an unsupported
type.
6 (Certificate expired): The certificate is no longer valid.
7 (Certificate other): The certificate could not be validated for
some unspecified reason.
8 (Unknown CA): The issuing certification authority (CA) certificate
could not be located or is not trusted.
After successful authorization, the registrar includes a REG_RESPONSE
parameter in its response, which contains the service type(s) for
which it has authorized registration, and zero or more REG_FAILED
parameters containing the service type(s) for which it has not
authorized registration or registration has failed for other reasons.
This response can be either an R2 or an UPDATE message, respectively,
depending on whether the registration was requested during the base
Laganier & Eggert Standards Track [Page 5]
^L
RFC 8003 HIP Registration Extension October 2016
exchange or using an existing association. In particular, REG_FAILED
with a Failure Type of zero indicates the service type(s) that
requires further credentials for registration.
If the registrar requires further authorization and the requester has
additional credentials available, the requester SHOULD try to
register again with the service after the HIP association has been
established.
Successful processing of a REG_RESPONSE parameter creates
registration state at the requester. In a similar manner, successful
processing of a REG_REQUEST parameter creates registration state at
the registrar and possibly at the service. Both the requester and
registrar can cancel a registration before it expires, if the
services afforded by a registration are no longer needed by the
requester or cannot be provided any longer by the registrar (for
instance, because its configuration has changed).
+-----+ I1 +-----+-----+
| |--------------------->| | S1 |
| |<---------------------| | |
| | R1(REG_INFO:S1,S2,S3)| +-----+
| RQ | | R | S2 |
| | I2(REG_REQ:S1) | | |
| |--------------------->| +-----+
| |<---------------------| | S3 |
| | R2(REG_RESP:S1) | | |
+-----+ +-----+-----+
A requester (RQ) registers for service (S1) with a registrar (R) of
services (S1), (S2), and (S3) with which it has no current HIP
association
+-----+ +-----+-----+
| | UPDATE(REG_INFO:S) | | |
| |<---------------------| | |
| RQ |--------------------->| R | S |
| | UPDATE(REG_REQ:S) | | |
| | UPDATE(REG_RESP:S) | | |
| |<---------------------| | |
+-----+ +-----+-----+
A requester (RQ) registers for service (S) with a registrar (R) of
services (S) with which it currently has a HIP association
established
Laganier & Eggert Standards Track [Page 6]
^L
RFC 8003 HIP Registration Extension October 2016
4. Parameter Formats and Processing
This section describes the format and processing of the new
parameters introduced by the HIP Registration Extension. The
encoding of these new parameters conforms to the HIPv2 TLV format
described in Section 5.2.1 of RFC7401 [RFC7401].
4.1. Encoding Registration Lifetimes with Exponents
The HIP registration uses an exponential encoding of registration
lifetimes.
The special value 0 (zero) of the lifetime field MUST be interpreted
as representing a special lifetime duration of 0 (zero) seconds and
is used to request and grant cancellation of a registration.
The non-zero values of the lifetime field used throughout this
document MUST be interpreted as an exponent value representing a
lifetime duration of 2^((lifetime - 64)/8) seconds.
This allows a compact encoding of 255 different lifetime durations
(in addition to the special lifetime duration of zero seconds)
ranging from 2^(63/8) seconds (i.e., ~4 ms) to 2^(191/8) seconds
(i.e., ~178 days) into an 8-bit integer field.
4.2. REG_INFO
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Min Lifetime | Max Lifetime | Reg Type #1 | Reg Type #2 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ... | ... | Reg Type #n | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Padding +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type 930
Length Length in octets, excluding Type, Length, and Padding.
Min Lifetime Minimum registration lifetime.
Max Lifetime Maximum registration lifetime.
Reg Type The registration types offered by the registrar.
Other documents will define specific values for registration types.
See Section 7 for more information.
Laganier & Eggert Standards Track [Page 7]
^L
RFC 8003 HIP Registration Extension October 2016
Registrars include the parameter in R1 packets in order to announce
their registration capabilities. The registrar SHOULD include the
parameter in UPDATE packets when its service offering has changed.
HIP_SIGNATURE_2 protects the parameter within the R1 packets.
The registrar indicates the minimum and maximum registration lifetime
that it is willing to offer to a requester. A requester SHOULD NOT
request registration with a lifetime greater than the maximum
registration lifetime or smaller than the minimum registration
lifetime.
4.3. REG_REQUEST
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Lifetime | Reg Type #1 | Reg Type #2 | Reg Type #3 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ... | ... | Reg Type #n | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Padding +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type 932
Length Length in octets, excluding Type, Length, and Padding.
Lifetime Requested registration lifetime.
Reg Type The preferred registration types in order of preference.
Other documents will define specific values for registration types.
See Section 7 for more information.
A requester includes the REG_REQUEST parameter in I2 or UPDATE
packets to register with a registrar's service(s). If the
REG_REQUEST parameter is in an UPDATE packet, the registrar MUST NOT
modify the registrations of registration types that are not listed in
the parameter. Moreover, the requester MUST NOT include the
parameter unless the registrar's R1 packet or latest received UPDATE
packet has contained a REG_INFO parameter with the requested
registration types.
The requester MUST NOT include more than one REG_REQUEST parameter in
its I2 or UPDATE packets, while the registrar MUST be able to process
one or more REG_REQUEST parameters in received I2 or UPDATE packets.
Laganier & Eggert Standards Track [Page 8]
^L
RFC 8003 HIP Registration Extension October 2016
When the registrar receives a registration with a lifetime that is
either smaller or greater than the minimum or maximum lifetime,
respectively, then it SHOULD grant the registration for the minimum
or maximum lifetime, respectively.
HIP_SIGNATURE protects the parameter within the I2 and UPDATE
packets.
4.4. REG_RESPONSE
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Lifetime | Reg Type #1 | Reg Type #2 | Reg Type #3 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ... | ... | Reg Type #n | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Padding +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type 934
Length Length in octets, excluding Type, Length, and Padding.
Lifetime Granted registration lifetime.
Reg Type The granted registration types in order of preference.
Other documents will define specific values for registration types.
See Section 7 for more information.
The registrar SHOULD include a REG_RESPONSE parameter in its R2 or
UPDATE packet only if a registration has successfully completed.
The registrar MUST NOT include more than one REG_RESPONSE parameter
in its R2 or UPDATE packets, while the requester MUST be able to
process one or more REG_RESPONSE parameters in received R2 or UPDATE
packets.
The requester MUST be prepared to receive any registration lifetime,
including ones beyond the minimum and maximum lifetime indicated in
the REG_INFO parameter. It MUST NOT expect that the returned
lifetime will be the requested one, even when the requested lifetime
falls within the announced minimum and maximum.
HIP_SIGNATURE protects the parameter within the R2 and UPDATE
packets.
Laganier & Eggert Standards Track [Page 9]
^L
RFC 8003 HIP Registration Extension October 2016
4.5. REG_FAILED
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Failure Type | Reg Type #1 | Reg Type #2 | Reg Type #3 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ... | ... | Reg Type #n | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Padding +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type 936
Length Length in octets, excluding Type, Length, and Padding.
Failure Type Reason for failure.
Reg Type The registration types that failed with the specified
reason.
Value Registration Failure Type
---------- --------------------------------------------
0 Registration requires additional credentials
1 Registration type unavailable
2 Insufficient resources
3 Invalid certificate
9-200 Unassigned
201-255 Reserved for Private Use
Other documents will define specific values for registration types.
See Section 7 for more information.
Failure Type 0 (zero) indicates that the registrar requires
additional credentials to authorize a requester to register with the
registration types listed in the parameter. Failure Type 1 (one)
indicates that the requested service type is unavailable at the
registrar. Failure Type 2 indicates that the registrar does not
currently have enough resources to register the requester for the
service(s); when that is the case, the requester MUST NOT reattempt
immediately to register for the same service(s) and MAY attempt to
contact another registrar to register for the service(s). Failure
Type 3 indicates that the registrar could not validate the
certificate provided by the requester to register for the service(s);
when that is the case, the requester MUST NOT reattempt to register
for the same set of services while providing the same certificate and
MAY attempt to register for the same set of services with a different
certificate, or with a different set of services with the same
certificate.
Laganier & Eggert Standards Track [Page 10]
^L
RFC 8003 HIP Registration Extension October 2016
The registrar SHOULD include a REG_FAILED parameter in its R2 or
UPDATE packet, if registration with the registration types listed has
not completed successfully, and a requester is asked to try again
with additional credentials.
HIP_SIGNATURE protects the parameter within the R2 and UPDATE
packets.
5. Establishing and Maintaining Registrations
Establishing and/or maintaining a registration may require additional
information not available in the transmitted REG_REQUEST or
REG_RESPONSE parameters. Therefore, registration type definitions
MAY define dependencies for HIP parameters that are not defined in
this document. Their semantics are subject to the specific
registration type specifications.
The minimum lifetime both registrars and requesters MUST support is
10 seconds, while they SHOULD support a maximum lifetime of 120
seconds, at least. These values define a baseline for the
specification of services based on the registration system. They
were chosen to be neither too short nor too long, and to accommodate
for existing timeouts of state established in middleboxes (e.g., NATs
and firewalls.)
A zero lifetime is reserved for canceling purposes. Requesting a
zero lifetime for a registration type is equal to canceling the
registration of that type. A requester MAY cancel a registration
before it expires by sending a REG_REQ to the registrar with a zero
lifetime. A registrar SHOULD respond and grant a registration with a
zero lifetime. A registrar (and an attached service) MAY cancel a
registration before it expires, at its own discretion. However, if
it does so, it SHOULD send a REG_RESPONSE with a zero lifetime to all
registered requesters.
6. Security Considerations
This section discusses the threats on the HIP registration protocol
and their implications on the overall security of HIP. In
particular, it argues that the extensions described in this document
do not introduce additional threats to HIP.
The extensions described in this document rely on the HIP base
exchange and do not modify its security characteristics, e.g.,
digital signatures or Hashed Message Authentication Code (HMAC).
Hence, the only threat introduced by these extensions is related to
the creation of soft registration state at the registrar.
Laganier & Eggert Standards Track [Page 11]
^L
RFC 8003 HIP Registration Extension October 2016
Registrars act on a voluntary basis and are willing to accept being a
Responder and then to create HIP associations with a number of
potentially unknown hosts. Because they have to store HIP
association state anyway, adding a certain amount of time-limited HIP
registration states should not introduce any serious additional
threats, especially because HIP registrars may cancel registrations
at any time at their own discretion, e.g., because of resource
constraints during an attack.
7. IANA Considerations
This section is to be interpreted according to "Guidelines for
Writing an IANA Considerations Section in RFCs" [RFC5226].
[RFC5203], obsoleted by this document, made the following definitions
and reservations in the "Parameter Types" subregistry under "Host
Identity Protocol (HIP) Parameters":
Value Parameter Type Length
----- -------------- --------
930 REG_INFO variable
932 REG_REQUEST variable
934 REG_RESPONSE variable
936 REG_FAILED variable
In the "Parameter Types" subregistry under "Host Identity Protocol
(HIP) Parameters", the references to the obsoleted [RFC5203] have
been replaced with references to this document.
[RFC5203], obsoleted by this document, requested the opening of the
"Registration Types" subregistry under "Host Identity Protocol (HIP)
Parameters", defined no registration types, but made the following
reservations in that subregistry:
Reg Type Service
-------- --------------------------------
201-255 Reserved by IANA for private use
Adding a new type requires new IETF specifications.
In the "Registration Types" subregistry under "Host Identity Protocol
(HIP) Parameters", references to the obsoleted [RFC5203] have been
replaced with references to this document.
[RFC5203], obsoleted by this document, requested the opening of the
"Registration Failure Types" subregistry under "Host Identity
Protocol (HIP) Parameters" and made the following definitions and
reservations in that subregistry:
Laganier & Eggert Standards Track [Page 12]
^L
RFC 8003 HIP Registration Extension October 2016
Failure Type Reason
------------ --------------------------------------------
0 Registration requires additional credentials
1 Registration type unavailable
201-255 Reserved by IANA for private use
Adding a new type requires new IETF specifications.
In the "Registration Failure Types" subregistry under "Host Identity
Protocol (HIP) Parameters", references to the obsoleted [RFC5203]
have been replaced with references to this document, and the
following HIP Registration Failure Types have been added:
Value Registration Failure Type
------------ --------------------------------------------
2 Insufficient resources
3 Invalid certificate
4 Bad certificate
5 Unsupported certificate
6 Certificate expired
7 Certificate other
8 Unknown CA
201-255 Reserved for Private Use
8. References
8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 5226,
DOI 10.17487/RFC5226, May 2008,
<http://www.rfc-editor.org/info/rfc5226>.
[RFC7401] Moskowitz, R., Ed., Heer, T., Jokela, P., and T.
Henderson, "Host Identity Protocol Version 2 (HIPv2)",
RFC 7401, DOI 10.17487/RFC7401, April 2015,
<http://www.rfc-editor.org/info/rfc7401>.
[RFC8002] Heer, T. and S. Varjonen, "Host Identity Protocol
Certificates", RFC 8002, DOI 10.17487/RFC8002, October
2016, <http://www.rfc-editor.org/info/rfc8002>.
Laganier & Eggert Standards Track [Page 13]
^L
RFC 8003 HIP Registration Extension October 2016
[RFC8004] Laganier, J. and L. Eggert, "Host Identity Protocol (HIP)
Rendezvous Extension", RFC 8004, DOI 10.17487/RFC8004,
October 2016, <http://www.rfc-editor.org/info/rfc8004>.
8.2. Informative References
[HIP-ARCH]
Moskowitz, R. and M. Komu, "Host Identity Protocol
Architecture", Work in Progress, draft-ietf-hip-rfc4423-
bis-14, June 2016.
[HIP-NAT] Keranen, A., Melen, J., and M. Komu, "Native NAT Traversal
Mode for the Host Identity Protocol", Work in Progress,
draft-ietf-hip-native-nat-traversal-13, July 2016.
[RFC3234] Carpenter, B. and S. Brim, "Middleboxes: Taxonomy and
Issues", RFC 3234, DOI 10.17487/RFC3234, February 2002,
<http://www.rfc-editor.org/info/rfc3234>.
[RFC5203] Laganier, J., Koponen, T., and L. Eggert, "Host Identity
Protocol (HIP) Registration Extension", RFC 5203,
DOI 10.17487/RFC5203, April 2008,
<http://www.rfc-editor.org/info/rfc5203>.
Laganier & Eggert Standards Track [Page 14]
^L
RFC 8003 HIP Registration Extension October 2016
Appendix A. Changes from RFC 5203
o Updated references to revised HIP specifications.
o Added a new registration Failure Type for use in case of
insufficient resources available at the HIP registrar.
o Added requester authorization based on certificates and new
registration Failure Types for invalid certificates.
Acknowledgments
The following people (in alphabetical order) have provided thoughtful
and helpful discussions and/or suggestions that have helped to
improve this document: Jeffrey Ahrenholz, Miriam Esteban, Ari
Keranen, Mika Kousa, Pekka Nikander, and Hannes Tschofenig.
Lars Eggert has received funding from the European Union's Horizon
2020 research and innovation program 2014-2018 under grant agreement
No. 644866. This document reflects only the authors' views, and the
European Commission is not responsible for any use that may be made
of the information it contains.
Ari Keranen suggested inclusion of the text specifying requester
authorization based on certificates as a direct adaption of text
found in the HIP native NAT traversal specification [HIP-NAT].
Thanks to Joel M. Halpern for performing the Gen-ART review of this
document as part of the publication process.
Contributors
Teemu Koponen coauthored an earlier, experimental version of this
specification [RFC5203].
Laganier & Eggert Standards Track [Page 15]
^L
RFC 8003 HIP Registration Extension October 2016
Authors' Addresses
Julien Laganier
Luminate Wireless, Inc.
Cupertino, CA
United States of America
Email: julien.ietf@gmail.com
Lars Eggert
NetApp
Sonnenallee 1
Kirchheim 85551
Germany
Phone: +49 151 12055791
Email: lars@netapp.com
URI: http://eggert.org
Laganier & Eggert Standards Track [Page 16]
^L
|
