IPv6 CGA and key (non-)management, was Re: How to preempt rogue RAs?

Shane Kerr shane at time-travellers.org
Mon Nov 1 14:46:55 CET 2010


Mark,

On Mon, 2010-11-01 at 07:47 +1030, Mark Smith wrote:
> Key management is usually more of an issue. I've wondered, but haven't
> looked into, whether 802.1x can be used to boot strap IPv6 SEND,
> facilitating a simple username/password authentication model that we're
> all quite comfortable with.

I thought the whole beauty of IPv6 CGA (horrible acronym) is that you
don't need key management. The address *is* the public key. (To be
completely correct, the rightmost 64 bits of the address is the hash of
the public key).

If the person sending packets to you can generate packets that match the
public key, then they must have the private key

No key further key management is necessary, at least as far as trusting
that the sender of a packet is the one that "owns" the origin IP
address. 

At least, that's my understanding.

--
Shane




More information about the ipv6-ops mailing list