[ipv6hackers] SEND implementation Patent

Julius Kriukas julius.kriukas at gmail.com
Wed Mar 14 10:59:32 CET 2012


> SEND secures NDP messages. If it is not possible to secure the other
> pieces, such as DNS with SEND, I think, it is more reasonable to find other
> approaches to secure these "unsecure pieces" rather than leave the whole
> "pieces" unsecure. Is it right?

SEND itself may not secure DNS, but CGAs may help to solve one
particular DNSSEC problem.

DNSSEC provides security for the recursive resolver issuing the
request to the authoritative name server. The unsecured part is from
the client to the recursive resolver. The client either has to recursively
look up the request itself or ultimately trust its configured
recursive resolver.

CGAs provide a means to prove that the IP address really belongs to the
sender of the packet and also ensure that this IP address cannot be
used without stealing the self-generated private key from the IP address
owner.

If the recursive resolver used a CGA IP address, then all its clients
could verify that they are really talking to the IP address they think
they are talking to. In other words, CGA helps to protect from a MITM
attack.

CGAs would not help if the attacker somehow changes the default recursive
resolver address in the client system (for example by using a rogue DHCP
server), but they can protect from MITM attacks when the DNS server is
configured statically.

The main advantage of CGAs is that you do not have to have the
certificate or public key of the DNS server. The IP address of the DNS
server is already the fingerprint of its key. Therefore you do not
have to maintain a CA. Also, clients may not use CGAs, as they do not
really need to authenticate themselves to the DNS server.


This scheme can be extended to provide authentication to IPsec if you
do not want to authenticate the server but just the IP address.

Correct me if I am wrong.

-- 
Julius Kriukas
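As an added illustration of the point above (this is example code, not from the post or from any SEND implementation), the following Python follows RFC 3972 to derive a CGA interface identifier from a public key and to verify an address against the key its owner presents; a client can therefore check a resolver's address without any CA. PUBKEY_DER and PREFIX are constructed placeholders, and DAD handling is left to the caller.

```python
import hashlib
import ipaddress
import os

# Constructed placeholders: a real deployment would use the resolver's
# DER-encoded RSA public key and its real subnet prefix.
PUBKEY_DER = b"\x30\x22" + b"constructed-placeholder-public-key-bytes"
PREFIX = ipaddress.IPv6Network("2001:db8:1::/64")

SEC_BITS = 0b111 << 61   # Sec parameter occupies IID bits 0-2 (leftmost)
UG_BITS = 0b11 << 56     # u/g bits (IID bits 6 and 7) are forced to zero
IID_MASK = (1 << 64) - 1

def _hash1(modifier, prefix8, collision_count, pubkey):
    # Hash1 = leftmost 64 bits of SHA-1(modifier | prefix | collision count | key)
    return hashlib.sha1(modifier + prefix8 + bytes([collision_count]) + pubkey).digest()[:8]

def _hash2(modifier, pubkey):
    # Hash2 = leftmost 112 bits of SHA-1(modifier | nine zero bytes | key)
    return hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]

def _hash2_ok(h2, sec):
    # Hash extension: the leftmost 16*Sec bits of Hash2 must be zero.
    return sec == 0 or (int.from_bytes(h2, "big") >> (112 - 16 * sec)) == 0

def generate_cga(prefix, pubkey, sec=0, collision_count=0, modifier=None):
    """Return (address, params); params = (modifier, prefix8, collision_count, pubkey)."""
    prefix8 = prefix.network_address.packed[:8]
    modifier = os.urandom(16) if modifier is None else modifier
    # Search for a modifier that satisfies the Hash2 condition (work grows with Sec).
    while not _hash2_ok(_hash2(modifier, pubkey), sec):
        modifier = ((int.from_bytes(modifier, "big") + 1) & ((1 << 128) - 1)).to_bytes(16, "big")
    h1 = int.from_bytes(_hash1(modifier, prefix8, collision_count, pubkey), "big")
    iid = (h1 & ~(SEC_BITS | UG_BITS) & IID_MASK) | (sec << 61)
    # DAD is out of scope here; on a collision the caller retries with collision_count+1 (max 2).
    addr = ipaddress.IPv6Address((int.from_bytes(prefix8, "big") << 64) | iid)
    return addr, (modifier, prefix8, collision_count, pubkey)

def verify_cga(addr, params):
    """Check that addr was derived from the public key in params (RFC 3972 section 5)."""
    modifier, prefix8, collision_count, pubkey = params
    if collision_count > 2 or addr.packed[:8] != prefix8:
        return False
    iid = int.from_bytes(addr.packed[8:], "big")
    h1 = int.from_bytes(_hash1(modifier, prefix8, collision_count, pubkey), "big")
    mask = ~(SEC_BITS | UG_BITS) & IID_MASK   # compare every bit except Sec and u/g
    if (iid & mask) != (h1 & mask):
        return False
    return _hash2_ok(_hash2(modifier, pubkey), iid >> 61)
```

An attacker who sends from the resolver's address but cannot present a key that hashes to it fails `verify_cga`, which is the MITM protection the post describes.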