IPv6 CGA and key (non-)management, was Re: How to preempt rogue RAs?

Mon Nov 1 16:43:15 CET 2010

 In your previous mail you wrote:

   I thought the whole beauty of IPv6 CGA (horrible acronym) is that you
   don't need key management. The address *is* the public key.

=> it is not true: a CGA is not an identity-based key scheme
(cf http://en.wikipedia.org/wiki/ID-based_cryptography),
you still have to transmit the key: it binds the key to the address
in a simple and easily checkable way.

   If the person sending packets to you can generate packets that match the
   public key, then they must have the private key
=> s/match/carry a signature which can be validated by/

   No further key management is necessary, at least as far as trusting
   that the sender of a packet is the one that "owns" the origin IP.
   At least, that's my understanding.
=> so you like SEND/CGA too (:-). Unfortunately this is not relevant
to the rogue RA issue as I explained in a previous message.
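
The "simple and easily checkable" binding described above, as an added example that is not part of the original message: it follows the RFC 3972 hash check, restricted to Sec=0 generation and with no extension fields. The prefix, modifier and key bytes are constructed placeholders (a real CGA hashes the DER-encoded public key).

```python
import hashlib
import ipaddress

ID_MASK = 0x1CFFFFFFFFFFFFFF  # ignore Sec bits (0-2) and u/g bits (6-7) of the interface ID

def _hash1(modifier, prefix, coll, pubkey):
    # Leftmost 64 bits of SHA-1 over the CGA Parameters data structure
    data = modifier + prefix + bytes([coll]) + pubkey
    return int.from_bytes(hashlib.sha1(data).digest()[:8], "big")

def _hash2(modifier, pubkey):
    # Leftmost 112 bits of SHA-1 with prefix and collision count zeroed
    return hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]

def generate_cga(prefix, pubkey, modifier, coll=0):
    """Build a Sec=0 CGA (no Hash2 brute force needed at Sec=0)."""
    iid = _hash1(modifier, prefix, coll, pubkey) & ID_MASK
    return ipaddress.IPv6Address(prefix + iid.to_bytes(8, "big"))

def verify_cga(addr, modifier, prefix, coll, pubkey):
    """Receiver side: the key arrives in the parameters, the address only checks it."""
    raw = ipaddress.IPv6Address(str(addr)).packed
    if coll not in (0, 1, 2) or len(modifier) != 16 or len(prefix) != 8:
        return False
    if raw[:8] != prefix:                      # parameters must name this subnet
        return False
    iid = int.from_bytes(raw[8:], "big")
    if (_hash1(modifier, prefix, coll, pubkey) & ID_MASK) != (iid & ID_MASK):
        return False
    sec = iid >> 61                            # Sec lives in the top 3 bits
    return _hash2(modifier, pubkey)[:2 * sec] == bytes(2 * sec)

# Constructed sample inputs (placeholders, not real keys)
PREFIX = bytes.fromhex("20010db800000000")     # 2001:db8::/64 documentation prefix
MODIFIER = bytes(range(16))
PUBKEY_A = b"constructed-placeholder-public-key-A"
PUBKEY_B = b"constructed-placeholder-public-key-B"
ADDR = generate_cga(PREFIX, PUBKEY_A, MODIFIER)

if __name__ == "__main__":
    print(ADDR, verify_cga(ADDR, MODIFIER, PREFIX, 0, PUBKEY_A))
    print("other key:", verify_cga(ADDR, MODIFIER, PREFIX, 0, PUBKEY_B))
```

Passing this check only shows that the transmitted key is the one bound to the address; possession of the private key is shown by validating the signature carried in the packet, which is not done here.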


