Host Identity Protocol for Linux

Have you ever wondered why your multimedia streams stop working after you switch to a different network with your laptop? Have you thought about why setting up a server on your home network behind a NAT is so awkward or even impossible? Host Identity Protocol for Linux (HIPL) offers a remedy to these and other problems.
How to Install and Use HIPL

The HIPL software bundle consists of the following main components:

  • HIPD (HIP Dæmon): HIP control, IPsec key and mobility management software.

  • HIPFW (HIP firewall utility dæmon): supports HIP packet filtering to enable public key-based access control and LSI implementation. It also provides userspace IPsec support for legacy hosts running kernel versions below 2.6.27.

  • DNS Proxy for HIP: translates hostname queries to DNS to HITs to applications when an HIT can be found.


You can install HIPL from the precompiled binaries or source code.

To install HIPL on Ubuntu Jaunty, add a new file, /etc/apt/sources.list.d/hipl.list, with the following contents:

deb jaunty main

$ apt-get update
$ apt-get install hipl-all

For Fedora 9 and above, first make sure that SELinux configuration is disabled in /etc/selinux/config, and reboot your machine:


Next, add a new file /etc/yum.repos.d/hipl.repo:


Then, run:

yum install hipl-all

For details on HIPL installation for other distributions, see

Alternatively, you can compile the HIPL software bundle manually from the sources. To do so, first download and extract the HIPL software bundle from Run --help to list the library and header dependencies. After you have installed the missing dependencies, you can compile the software by running the script without any arguments. To complete the manual installation, run make install.

The default installation encapsulates all HIP and IPsec traffic over UDP to support client-side NAT traversal. At minimum, you need to allow UDP port number 50500 in both directions for IPv4. The HIPL manual describes this in more detail at

Once installation has been completed, you should start the HIP dæmon as follows:

$ sudo hipd

When you start the hipd the first time, it generates its configuration files and identities in the /etc/hip/ directory. Your identity is visible as an IPv6 address on the dummy0 device. To see your host's identity, run the following:

$ ifconfig dummy0
## OR
$ ip addr show dev dummy0

Correspondingly, your IPv4-based “alias” for the HIT is listed on the dummy0:1 interface.

To perform name lookups for other hosts, you also have to start the HIP DNS proxy as follows:

$ sudo hipdnsproxy

Testing HIP with Firefox

HIP can be used with many applications and protocols, including FTP, SSH, VLC, LDAP, sendmail, Pidgin and VNC. However, the easiest way to validate your HIPL software installation is to start Firefox and connect to the Web server located at The Web server is running HIP and displays whether HIP was used for the connection. You optionally can install a Firefox add-on (, if you prefer a client-side indicator for HIP.

Streaming Multimedia and Testing Mobility with VLC

Now, let's stream some video with VLC and then try mobility. The example in this section assumes you have two computers with HIPL installations. We also assume that the computers are running in the same LAN with DHCP services. In this example, the two computers connect to LAN using the eth0 device.

First, display an HIT for the first host, and start VLC client on one computer:

client$ hipconf get hi default     # HIT_OF_CLIENT
client$ vlc -vvv 'rtp://@[HIT_OF_CLIENT]:50004'

Then, start the VLC server on the second host:

server$ vlc -vvv SOMEFILE.avi \
            --sout '#rtp{mux=ts,dst=[HIT_OF_CLIENT]}'

The string HIT_OF_CLIENT should not be taken literally. Instead, you can discover it from the output of the hipconf command at the client. The brackets around the HIT are mandatory for VLC to distinguish IPv4 addresses from IPv6.

Because the video stream is established directly to an HIT, the connection is guaranteed to use HIP; otherwise, the stream just fails. In this case, we did not use a hostname, and the server learns the client's IP address by broadcasting the first HIP packet to the LAN. The use of hostnames also is possible, and the HIPL software bundle publishes your hostname on InfraHIP's free name lookup servers by default.

Finally, let's test mobility. Type the following on the command line to obtain a new IP address from your network:

$ sudo dhclient eth0

You may see a small glitch during the dhclient run caused by a short disconnectivity period from the network. If you also have wireless connectivity, feel free to experiment with handovers from the wired network to wireless and vice versa.