Identity-Based Internet Protocol Network.

摘要

The Identity-Based Internet Protocol (IBIP) Network project is experimenting with a new enterprise oriented network architecture using standard IP version 6 protocol to encode user and host identity (ID) information into the IP address. Our motivation is to increase our security posture by leveraging identity, reducing our threat exposure, enhancing situational understanding of our environment, and simplifying network operations. Our current implementation plan uses credentials from the Common Access Card (CAC) to establish a 40-bit user ID and credentials stored on the computer's Trusted Platform Module (TPM) to establish a 40-bit host ID. The remaining part of the IP address can be a standard (/48) network prefix or support a (/32) prefix and a 16-bit group tag. A registration process (built on top of an 802.1x security framework) then occurs between the host and a registration server (which is currently an enhanced RADIUS server). The IBIP registration server then validates the credentials and automatically configures the edge router, fronting the host, with appropriate access privileges so that no IP address spoofing (or impersonation) is permitted. Hosts that are client machines do not have their IP addresses advertised across the network - basically making them unreachable or hidden from reconnaissance initiated by other clients. Servers have their IP addresses advertised as usual. A unique IPv6 extension header was conceived to enable return traffic to hidden clients. This approach will also provide support for approved peer-to-peer applications which may have hidden clients at both ends (voice-over-IP phones, for example). All infrastructure devices (routers, switches, DNS, DHCP, and other designated servers) are also not directly accessible by end user machines. For servers, the user ID is replaced with a service ID which can be used to identify and enforce policies on what the server is permitted to do.