IPv6 CGA and key (non-)management, was Re: How to preempt rogue RAs?
Gert Doering
gert at space.net
Mon Nov 1 15:20:09 CET 2010
Hi,
On Mon, Nov 01, 2010 at 02:46:55PM +0100, Shane Kerr wrote:
> On Mon, 2010-11-01 at 07:47 +1030, Mark Smith wrote:
> > Key management is usually more of an issue. I've wondered, but haven't
> > looked into, whether 802.1x can be used to bootstrap IPv6 SEND,
> > facilitating a simple username/password authentication model that we're
> > all quite comfortable with.
>
> I thought the whole beauty of IPv6 CGA (horrible acronym) is that you
> don't need key management. The address *is* the public key. (To be
> completely correct, the rightmost 64 bits of the address is the hash of
> the public key).
True for "neighbor discovery" things, where you want to make sure that
the person replying to an ND for a well-known IPv6 address is really the
one entitled to answer (protect against ND poisoning/spoofing). You
need prior knowledge: you need to know who you want to talk *to*.
For RAs, since you don't know who the router *is*, CGA-style protection
("I'm a router, and I have the key to prove that my IPv6 address really
is what I claim the address to be") will not validate the "I'm a router!"
bit. For that, you need the CA stuff - someone you trust authorizes the
router to send RAs. Whoever has no CA certificate is not a trusted router.
[Details might not be 100% correct, but I think the overall picture should
be fine]
Gert Doering -- NetMaster
--
did you enable IPv6 on something today...?
SpaceNet AG, Joseph-Dollinger-Bogen 14, D-80807 Muenchen
Vorstand: Sebastian v. Bomhard; Aufsichtsratsvors.: A. Grundner-Culemann
HRB: 136055 (AG Muenchen); USt-IdNr.: DE813185279
Tel: +49 (89) 32356-444
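Added example, not part of the message above: the RFC 3972 CGA construction the thread is discussing, in Python. It shows the point Shane makes (the interface identifier is derived from a hash over the public key, together with a modifier, the subnet prefix and a collision count, so any host can verify an address against the key without prior key exchange) and, by omission, Gert's (nothing in the check says "this key is authorized to act as a router"). The public key bytes and the 2001:db8::/64 prefix are constructed placeholders.

```python
import hashlib
import ipaddress
import os

def _hash1(modifier, prefix, collision_count, pubkey):
    # Hash1: leftmost 64 bits of SHA-1(modifier || subnet prefix || collision count || public key).
    return hashlib.sha1(modifier + prefix + bytes([collision_count]) + pubkey).digest()[:8]

def _hash2(modifier, pubkey):
    # Hash2: leftmost 112 bits of SHA-1(modifier || 9 zero octets || public key).
    return hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]

def _hash2_ok(hash2, sec):
    # The 16*Sec leftmost bits of Hash2 must be zero; with Sec = 0 this always holds.
    return int.from_bytes(hash2, "big") >> (112 - 16 * sec) == 0

def generate_cga(prefix, pubkey, sec=0, collision_count=0, modifier=None):
    """Return (IPv6Address, modifier) for a 64-bit prefix and an encoded public key (both bytes)."""
    modifier = os.urandom(16) if modifier is None else modifier
    # The address owner searches for a modifier satisfying the Hash2 condition; cost grows with Sec.
    while not _hash2_ok(_hash2(modifier, pubkey), sec):
        modifier = ((int.from_bytes(modifier, "big") + 1) % (1 << 128)).to_bytes(16, "big")
    iid = bytearray(_hash1(modifier, prefix, collision_count, pubkey))
    # Write Sec into the three leftmost bits and clear the u/g bits (bits 6 and 7) of the IID.
    iid[0] = (iid[0] & 0x1C) | (sec << 5)
    return ipaddress.IPv6Address(prefix + bytes(iid)), modifier

def verify_cga(address, pubkey, modifier, collision_count):
    """RFC 3972 section 5: anyone can check an address against its CGA parameters, no PKI needed."""
    if collision_count not in (0, 1, 2):
        return False
    prefix, iid = address.packed[:8], address.packed[8:]
    sec = iid[0] >> 5
    h1 = _hash1(modifier, prefix, collision_count, pubkey)
    # Compare Hash1 with the IID, ignoring the Sec bits (0-2) and the u/g bits (6-7).
    if (h1[0] & 0x1C) != (iid[0] & 0x1C) or h1[1:] != iid[1:]:
        return False
    return _hash2_ok(_hash2(modifier, pubkey), sec)

if __name__ == "__main__":
    PREFIX = bytes.fromhex("20010db800000000")          # 2001:db8::/64, documentation prefix
    PUBKEY = b"constructed placeholder for a DER-encoded RSA public key"
    addr, mod = generate_cga(PREFIX, PUBKEY, sec=1)
    print(addr, verify_cga(addr, PUBKEY, mod, 0))           # True: address matches the key
    print(verify_cga(addr, b"attacker key", mod, 0))        # False: same address, different key
```

The verifier only learns that the sender holds the key the address was derived from; whether that key belongs to a legitimate router is exactly what SEND's separate certificate path (the "CA stuff") has to answer.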