IPv6 CGA and key (non-)management, was Re: How to preempt rogue RAs?
Francis Dupont
Francis.Dupont at fdupont.fr
Mon Nov 1 16:43:15 CET 2010
In your previous mail you wrote:

   I thought the whole beauty of IPv6 CGA (horrible acronym) is that you
   don't need key management. The address *is* the public key.

=> it is not true: a CGA is not an identity-based key scheme
(cf http://en.wikipedia.org/wiki/ID-based_cryptography),
you still have to transmit the key: it binds the key to the address
in a simple and easily checkable way.

   If the person sending packets to you can generate packets that match the
   public key, then they must have the private key

=> s/match/carry a signature which can be validated by/

   No further key management is necessary, at least as far as trusting
   that the sender of a packet is the one that "owns" the origin IP
   address.
   At least, that's my understanding.

=> so you like SEND/CGA too (:-). Unfortunately this is not relevant
to the rogue RA issue as I explained in a previous message.

Regards
Francis.Dupont at fdupont.fr
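
The binding discussed in this message, as an added example that is not part of the original post: a sketch of the RFC 3972 CGA check, showing that the receiver needs the transmitted public key and modifier to verify the address, and that a signature check with that key is still a separate step. The prefix, modifier and placeholder key bytes are constructed, the function names are hypothetical, and extension fields are assumed empty.

```python
import hashlib
import ipaddress

# RFC 3972 mask: ignore Sec (bits 0-2) and u/g (bits 6-7) of the interface ID.
ID_MASK = 0x1CFFFFFFFFFFFFFF

# Constructed sample values, not taken from the thread. The key strings are
# placeholders standing in for DER-encoded public keys.
PREFIX = bytes.fromhex("20010db800000001")  # 2001:db8:0:1::/64
MODIFIER = bytes(range(16))
KEY_A = b"constructed-placeholder-public-key-A"
KEY_B = b"constructed-placeholder-public-key-B"


def _sha1(*parts):
    return hashlib.sha1(b"".join(parts)).digest()


def cga_generate(prefix, pubkey, modifier):
    """Derive a CGA with Sec=0, collision count 0, no extension fields."""
    hash1 = int.from_bytes(_sha1(modifier, prefix, b"\x00", pubkey)[:8], "big")
    # Masking leaves Sec=0 in the top three bits and clears the u/g bits.
    return ipaddress.IPv6Address(prefix + (hash1 & ID_MASK).to_bytes(8, "big"))


def cga_verify(addr, prefix, pubkey, modifier, collision_count=0):
    """Check that the transmitted parameters hash to addr (binding only;
    the packet signature must still be validated with pubkey)."""
    raw = addr.packed
    if collision_count not in (0, 1, 2) or raw[:8] != prefix:
        return False
    iid = int.from_bytes(raw[8:], "big")
    hash1 = int.from_bytes(
        _sha1(modifier, prefix, bytes([collision_count]), pubkey)[:8], "big")
    if (hash1 ^ iid) & ID_MASK:
        return False
    sec = raw[8] >> 5  # Sec is carried in the address itself
    # Hash2: leftmost 112 bits; its first 16*Sec bits must be zero.
    hash2 = int.from_bytes(_sha1(modifier, bytes(9), pubkey)[:14], "big")
    return hash2 >> (112 - 16 * sec) == 0


if __name__ == "__main__":
    addr = cga_generate(PREFIX, KEY_A, MODIFIER)
    print(addr, cga_verify(addr, PREFIX, KEY_A, MODIFIER))
    print("other key:", cga_verify(addr, PREFIX, KEY_B, MODIFIER))
```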