Host Identity Protocol for Linux

 in
Have you ever wondered why your multimedia streams stop working after you switch to a different network with your laptop? Have you thought about why setting up a server on your home network behind a NAT is so awkward or even impossible? Host Identity Protocol for Linux (HIPL) offers a remedy to these and other problems.
How to Install and Use HIPL

The HIPL software bundle consists of the following main components:

  • HIPD (HIP Dæmon): HIP control, IPsec key and mobility management software.

  • HIPFW (HIP firewall utility dæmon): supports HIP packet filtering to enable public key-based access control and LSI implementation. It also provides userspace IPsec support for legacy hosts running kernel versions below 2.6.27.

  • DNS Proxy for HIP: translates hostname queries to DNS to HITs to applications when an HIT can be found.

Installation

You can install HIPL from the precompiled binaries or source code.

To install HIPL on Ubuntu Jaunty, add a new file, /etc/apt/sources.list.d/hipl.list, with the following contents:

deb http://packages.infrahip.net/ubuntu jaunty main

$ apt-get update
$ apt-get install hipl-all

For Fedora 9 and above, first make sure that SELinux configuration is disabled in /etc/selinux/config, and reboot your machine:

SELINUX=disabled

Next, add a new file /etc/yum.repos.d/hipl.repo:

[hipl]
name=HIPL
baseurl=http://packages.infrahip.net/fedora/base/$releasever/$basearch
gpgcheck=0
enabled=1

Then, run:

yum install hipl-all

For details on HIPL installation for other distributions, see infrahip.hiit.fi/index.php?index=download.

Alternatively, you can compile the HIPL software bundle manually from the sources. To do so, first download and extract the HIPL software bundle from infrahip.hiit.fi/hipl/hipl.tar.gz. Run autogen.sh --help to list the library and header dependencies. After you have installed the missing dependencies, you can compile the software by running the script without any arguments. To complete the manual installation, run make install.

The default installation encapsulates all HIP and IPsec traffic over UDP to support client-side NAT traversal. At minimum, you need to allow UDP port number 50500 in both directions for IPv4. The HIPL manual describes this in more detail at infrahip.hiit.fi/hipl/manual/ch02.html.

Once installation has been completed, you should start the HIP dæmon as follows:

$ sudo hipd

When you start the hipd the first time, it generates its configuration files and identities in the /etc/hip/ directory. Your identity is visible as an IPv6 address on the dummy0 device. To see your host's identity, run the following:

$ ifconfig dummy0
## OR
$ ip addr show dev dummy0

Correspondingly, your IPv4-based “alias” for the HIT is listed on the dummy0:1 interface.

To perform name lookups for other hosts, you also have to start the HIP DNS proxy as follows:

$ sudo hipdnsproxy

Testing HIP with Firefox

HIP can be used with many applications and protocols, including FTP, SSH, VLC, LDAP, sendmail, Pidgin and VNC. However, the easiest way to validate your HIPL software installation is to start Firefox and connect to the Web server located at crossroads.infrahip.net. The Web server is running HIP and displays whether HIP was used for the connection. You optionally can install a Firefox add-on (https://addons.mozilla.org/en-US/firefox/addon/10551), if you prefer a client-side indicator for HIP.

Streaming Multimedia and Testing Mobility with VLC

Now, let's stream some video with VLC and then try mobility. The example in this section assumes you have two computers with HIPL installations. We also assume that the computers are running in the same LAN with DHCP services. In this example, the two computers connect to LAN using the eth0 device.

First, display an HIT for the first host, and start VLC client on one computer:

client$ hipconf get hi default     # HIT_OF_CLIENT
client$ vlc -vvv 'rtp://@[HIT_OF_CLIENT]:50004'

Then, start the VLC server on the second host:

server$ vlc -vvv SOMEFILE.avi \
            --sout '#rtp{mux=ts,dst=[HIT_OF_CLIENT]}'

The string HIT_OF_CLIENT should not be taken literally. Instead, you can discover it from the output of the hipconf command at the client. The brackets around the HIT are mandatory for VLC to distinguish IPv4 addresses from IPv6.

Because the video stream is established directly to an HIT, the connection is guaranteed to use HIP; otherwise, the stream just fails. In this case, we did not use a hostname, and the server learns the client's IP address by broadcasting the first HIP packet to the LAN. The use of hostnames also is possible, and the HIPL software bundle publishes your hostname on InfraHIP's free name lookup servers by default.

Finally, let's test mobility. Type the following on the command line to obtain a new IP address from your network:

$ sudo dhclient eth0

You may see a small glitch during the dhclient run caused by a short disconnectivity period from the network. If you also have wireless connectivity, feel free to experiment with handovers from the wired network to wireless and vice versa.

______________________

White Paper
Linux Management with Red Hat Satellite: Measuring Business Impact and ROI

Linux has become a key foundation for supporting today's rapidly growing IT environments. Linux is being used to deploy business applications and databases, trading on its reputation as a low-cost operating environment. For many IT organizations, Linux is a mainstay for deploying Web servers and has evolved from handling basic file, print, and utility workloads to running mission-critical applications and databases, physically, virtually, and in the cloud. As Linux grows in importance in terms of value to the business, managing Linux environments to high standards of service quality — availability, security, and performance — becomes an essential requirement for business success.

Learn More

Sponsored by Red Hat

White Paper
Private PaaS for the Agile Enterprise

If you already use virtualized infrastructure, you are well on your way to leveraging the power of the cloud. Virtualization offers the promise of limitless resources, but how do you manage that scalability when your DevOps team doesn’t scale? In today’s hypercompetitive markets, fast results can make a difference between leading the pack vs. obsolescence. Organizations need more benefits from cloud computing than just raw resources. They need agility, flexibility, convenience, ROI, and control.

Stackato private Platform-as-a-Service technology from ActiveState extends your private cloud infrastructure by creating a private PaaS to provide on-demand availability, flexibility, control, and ultimately, faster time-to-market for your enterprise.

Learn More

Sponsored by ActiveState