IPv6 CGA and key (non-)management, was Re: How to preempt rogue RAs?

Gert Doering gert at space.net
Mon Nov 1 15:20:09 CET 2010


On Mon, Nov 01, 2010 at 02:46:55PM +0100, Shane Kerr wrote:
> On Mon, 2010-11-01 at 07:47 +1030, Mark Smith wrote:
> > Key management is usually more of an issue. I've wondered, but haven't
> > looked into, whether 802.1x can be used to bootstrap IPv6 SEND,
> > facilitating a simple username/password authentication model that we're
> > all quite comfortable with.
> I thought the whole beauty of IPv6 CGA (horrible acronym) is that you
> don't need key management. The address *is* the public key. (To be
> completely correct, the rightmost 64 bits of the address is the hash of
> the public key).

True for "neighbor discovery" things, where you want to make sure that
the person replying to an ND for a well-known IPv6 address is really the
one entitled to answer (protect against ND poisoning/spoofing).  You
need prior knowledge: you need to know who you want to talk *to*.

For RAs, since you don't know who the router *is*, CGA-style protection
("I'm a router, and I have the key to prove that my IPv6 address really
is what I claim the address to be") will not validate the "I'm a router!"
bit.  For that, you need the CA stuff - someone you trust authorizes the
router to send RAs.  Who has no CA certificate is not a trusted router.

[Details might not be 100% correct, but I think the overall picture should
be fine]

Gert Doering
        -- NetMaster
did you enable IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279
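
The distinction drawn in the message above, as an added example that is not part of the original post: a CGA check (RFC 3972, Sec=0 only) proves that a key is bound to an address, and a separate authorization check decides whether that key may send RAs. Assumptions: placeholder byte strings stand in for DER public keys, the set `AUTHORIZED` stands in for certification path validation against a trust anchor, and the SEND signature check that proves possession of the private key is omitted.

```python
import hashlib
import ipaddress

IID_MASK = 0x1CFFFFFFFFFFFFFF   # ignores the 3 Sec bits and the u/g bits
LINK_LOCAL = bytes.fromhex("fe80000000000000")   # 64-bit subnet prefix

def hash1(modifier, prefix, collisions, pubkey):
    # CGA Parameters: modifier(16) | prefix(8) | collision count(1) | public key
    params = modifier + prefix + bytes([collisions]) + pubkey
    return int.from_bytes(hashlib.sha1(params).digest()[:8], "big")

def cga_generate(modifier, prefix, pubkey):
    # Sec=0: the three leftmost bits of the interface identifier stay zero.
    iid = hash1(modifier, prefix, 0, pubkey) & IID_MASK
    return ipaddress.IPv6Address(prefix + iid.to_bytes(8, "big"))

def cga_verify(addr, modifier, collisions, pubkey):
    prefix, iid = addr.packed[:8], int.from_bytes(addr.packed[8:], "big")
    if len(modifier) != 16 or collisions not in (0, 1, 2) or iid >> 61 != 0:
        return False            # malformed input, or Sec>0 (not handled here)
    expected = hash1(modifier, prefix, collisions, pubkey)
    return (expected & IID_MASK) == (iid & IID_MASK)

def accept_ra(addr, modifier, collisions, pubkey, authorized_router_keys):
    # Step 1: is the source address really derived from this key?
    if not cga_verify(addr, modifier, collisions, pubkey):
        return "reject: address is not bound to this key"
    # Step 2 (hypothetical stand-in for certificate validation): is the key
    # one that a trusted party authorized to act as a router?
    if hashlib.sha256(pubkey).hexdigest() not in authorized_router_keys:
        return "reject: key owns the address but is not an authorized router"
    return "accept"

# Constructed sample data, not real keys or addresses from any network.
ROUTER_KEY, ROGUE_KEY = b"constructed-router-key", b"constructed-rogue-key"
MOD_A, MOD_B = bytes(range(16)), bytes(range(16, 32))
AUTHORIZED = {hashlib.sha256(ROUTER_KEY).hexdigest()}
ROUTER_ADDR = cga_generate(MOD_A, LINK_LOCAL, ROUTER_KEY)
ROGUE_ADDR = cga_generate(MOD_B, LINK_LOCAL, ROGUE_KEY)

if __name__ == "__main__":
    # Authorized router: bound address and authorized key.
    print(ROUTER_ADDR, accept_ra(ROUTER_ADDR, MOD_A, 0, ROUTER_KEY, AUTHORIZED))
    # Unauthorized sender with its own valid CGA: passes step 1, fails step 2.
    print(ROGUE_ADDR, accept_ra(ROGUE_ADDR, MOD_B, 0, ROGUE_KEY, AUTHORIZED))
    # Someone else's address with the wrong key: fails step 1.
    print(ROUTER_ADDR, accept_ra(ROUTER_ADDR, MOD_B, 0, ROGUE_KEY, AUTHORIZED))
```

The second case is the one the message is about: the CGA verifies, so only the authorization step rejects the advertisement.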
