Identity-Based Internet Protocol Network
Abstract:
The Identity-Based Internet Protocol (IBIP) Network project is experimenting with a new enterprise-oriented network architecture that uses the standard IPv6 protocol to encode user and host identity (ID) information into the IP address. Our motivation is to improve our security posture by leveraging identity, reducing our threat exposure, enhancing situational understanding of our environment, and simplifying network operations. Our current implementation plan uses credentials from the Common Access Card (CAC) to establish a 40-bit user ID and credentials stored in the computer's Trusted Platform Module (TPM) to establish a 40-bit host ID. The remaining part of the IP address can be a standard /48 network prefix, or a /32 prefix together with a 16-bit group tag. A registration process built on top of an 802.1X security framework then takes place between the host and a registration server, which is currently an enhanced RADIUS server. The IBIP registration server validates the credentials and automatically configures the edge router fronting the host with the appropriate access privileges, so that no IP address spoofing or impersonation is permitted. Hosts that are client machines do not have their IP addresses advertised across the network, which makes them unreachable by, and effectively hidden from, reconnaissance initiated by other clients. Servers have their IP addresses advertised as usual. A unique IPv6 extension header was conceived to enable return traffic to hidden clients. This approach will also support approved peer-to-peer applications that may have hidden clients at both ends (voice-over-IP phones, for example). All infrastructure devices (routers, switches, DNS, DHCP, and other designated servers) are likewise not directly accessible by end-user machines. For servers, the user ID is replaced with a service ID, which can be used to identify and enforce policies on what the server is permitted to do.
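The address layout described above (a /48 prefix or a /32 prefix plus 16-bit group tag, followed by a 40-bit user ID and a 40-bit host ID) is illustrated below with an added example that is not part of the paper or the IBIP project's code. It assembles and splits addresses in that layout, and then shows the kind of per-port source check an edge router could apply once the registration server has bound a (user ID, host ID) pair to a port. The field order (prefix, group tag, user ID, host ID), the sample prefix `2001:db8::`, the port name and the ID values are assumptions chosen for illustration; the abstract only gives the field widths.

```python
import ipaddress
from typing import Dict, Optional, Tuple

ID_BITS = 40                      # user ID and host ID are each 40 bits (per the abstract)
ID_MASK = (1 << ID_BITS) - 1
GROUP_BITS = 16                   # group tag width when a /32 prefix is used
GROUP_MASK = (1 << GROUP_BITS) - 1


def encode_ibip(prefix: str, user_id: int, host_id: int,
                group_tag: Optional[int] = None) -> ipaddress.IPv6Address:
    """Assemble an IBIP-style IPv6 address from its identity fields.

    Assumed bit layout (most significant bits first):
      /48 prefix | 40-bit user ID | 40-bit host ID
      /32 prefix | 16-bit group tag | 40-bit user ID | 40-bit host ID
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    if not 0 <= user_id <= ID_MASK or not 0 <= host_id <= ID_MASK:
        raise ValueError("user_id and host_id must each fit in 40 bits")
    if net.prefixlen == 48:
        if group_tag is not None:
            raise ValueError("a group tag is only valid with a /32 prefix")
        tag_bits = 0
    elif net.prefixlen == 32:
        if group_tag is None or not 0 <= group_tag <= GROUP_MASK:
            raise ValueError("a /32 prefix requires a 16-bit group tag")
        tag_bits = group_tag << (2 * ID_BITS)
    else:
        raise ValueError("prefix must be /48 or /32")
    value = int(net.network_address) | tag_bits | (user_id << ID_BITS) | host_id
    return ipaddress.IPv6Address(value)


def decode_ibip(addr: str, prefixlen: int) -> Dict[str, Optional[int]]:
    """Split an IBIP-style address back into host ID, user ID and (for /32) group tag."""
    if prefixlen not in (32, 48):
        raise ValueError("prefix must be /48 or /32")
    value = int(ipaddress.IPv6Address(addr))
    fields: Dict[str, Optional[int]] = {
        "host_id": value & ID_MASK,
        "user_id": (value >> ID_BITS) & ID_MASK,
        "group_tag": None,
    }
    if prefixlen == 32:
        fields["group_tag"] = (value >> (2 * ID_BITS)) & GROUP_MASK
    return fields


def source_allowed(port: str, src_addr: str, prefixlen: int,
                   bindings: Dict[str, Tuple[int, int]]) -> bool:
    """Edge-router style anti-spoofing check (illustrative, not the project's code).

    A frame arriving on `port` is accepted only if its IPv6 source address carries
    exactly the (user ID, host ID) pair that registration bound to that port.
    Unregistered ports accept nothing.
    """
    expected = bindings.get(port)
    if expected is None:
        return False
    fields = decode_ibip(src_addr, prefixlen)
    return (fields["user_id"], fields["host_id"]) == expected


# Constructed sample binding: what the registration server might push to the edge
# router after a successful 802.1X/CAC/TPM registration on one access port.
SAMPLE_BINDINGS: Dict[str, Tuple[int, int]] = {
    "port-7": (0x0123456789, 0xABCDEF0123),   # (user ID, host ID), hypothetical values
}

if __name__ == "__main__":
    addr = encode_ibip("2001:db8:1::/48", 0x0123456789, 0xABCDEF0123)
    print("registered address:", addr)
    print("fields:", decode_ibip(str(addr), 48))
    print("own address accepted:", source_allowed("port-7", str(addr), 48, SAMPLE_BINDINGS))
    forged = encode_ibip("2001:db8:1::/48", 0x0123456789, 0xABCDEF0124)
    print("forged host ID rejected:", not source_allowed("port-7", str(forged), 48, SAMPLE_BINDINGS))
```

Because the identity fields are fixed-width and sit at fixed offsets, the edge router never has to consult the registration server per packet: one table lookup per port plus two mask-and-shift operations is enough to decide whether a source address matches the identity that was actually authenticated on that port, which is the mechanism by which the abstract's "no spoofing or impersonation" property is enforced.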