IPv6 CGA and key (non-)management, was Re: How to preempt rogue RAs?
Shane Kerr
shane at time-travellers.org
Mon Nov 1 15:32:32 CET 2010
Gert,
On Mon, 2010-11-01 at 15:20 +0100, Gert Doering wrote:
> True for "neighbor discovery" things, where you want to make sure that
> the person replying to an ND for a well-known IPv6 address is really the
> one entitled to answer (protect against ND poisoning/spoofing). You
> need prior knowledge: you need to know who you want to talk *to*.
>
> For RAs, since you don't know who the router *is*, CGA-style protection
> ("I'm a router, and I have the key to prove that my IPv6 address really
> is what I claim the address to be") will not validate the "I'm a router!"
> bit. For that, you need the CA stuff - someone you trust authorizes the
> router to send RAs. Who has no CA certificate is not a trusted router.
Fair enough. I guess I sort of lost sight of the context of the
discussion (worrying about rogue RAs).
I'm not sure that configuring a CA gives you a lot though. You're
basically configuring your network devices so that you can use RA which
will avoid having to configure your network devices. :-P
Also, if we're talking about networks where administrators cannot be
bothered to filter RA traffic then does it seem likely that they will be
interested in configuring certificates on their devices? ;)
--
Shane
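The CGA mechanism Gert describes, as an added example that is not part of the original thread: RFC 3972 address generation and verification in Python, using a constructed stand-in for the DER-encoded public key. A valid CGA only binds the address to a key; the last function makes explicit that "may this key send RAs" is a separate trust decision, here modelled by an assumed set of administrator-authorized router keys standing in for a certificate path.

```python
import hashlib
import ipaddress
import os

# Constructed stand-in for a DER-encoded SubjectPublicKeyInfo (not a real key).
PUBKEY = b"constructed-stand-in-for-DER-encoded-router-public-key"
PREFIX = ipaddress.IPv6Network("2001:db8:1::/64")


def hash1(modifier, prefix, coll, pubkey):
    # RFC 3972 Hash1: leftmost 64 bits of SHA-1(modifier | prefix | coll | key)
    data = modifier + prefix.network_address.packed[:8] + bytes([coll]) + pubkey
    return hashlib.sha1(data).digest()[:8]


def hash2(modifier, pubkey):
    # RFC 3972 Hash2: leftmost 112 bits of SHA-1(modifier | 9 zero bytes | key)
    return hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]


def hash2_ok(modifier, pubkey, sec):
    # The 16*sec leftmost bits of Hash2 must be zero (the "work" behind sec).
    return int.from_bytes(hash2(modifier, pubkey), "big") >> (112 - 16 * sec) == 0


def generate_cga(prefix, pubkey, sec=0, coll=0):
    modifier = os.urandom(16)
    while not hash2_ok(modifier, pubkey, sec):
        modifier = os.urandom(16)
    iid = bytearray(hash1(modifier, prefix, coll, pubkey))
    iid[0] = (iid[0] & 0x1C) | (sec << 5)  # bits 0-2 carry sec; u/g bits cleared
    addr = ipaddress.IPv6Address(prefix.network_address.packed[:8] + bytes(iid))
    return addr, {"modifier": modifier, "prefix": prefix, "coll": coll, "pubkey": pubkey}


def verify_cga(addr, params):
    packed = addr.packed
    if params["coll"] > 2 or packed[:8] != params["prefix"].network_address.packed[:8]:
        return False
    sec = packed[8] >> 5
    h = hash1(params["modifier"], params["prefix"], params["coll"], params["pubkey"])
    # Compare the interface identifier ignoring bits 0, 1, 2, 6 and 7 of the first byte.
    if (packed[8] & 0x1C) != (h[0] & 0x1C) or packed[9:] != h[1:]:
        return False
    return hash2_ok(params["modifier"], params["pubkey"], sec)


def is_authorized_router(addr, params, authorized_router_keys):
    # A valid CGA proves the address belongs to the key holder, nothing more;
    # the right to send RAs must come from an out-of-band trust decision.
    return verify_cga(addr, params) and params["pubkey"] in authorized_router_keys
```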