[ipv6hackers] opportunistic encryption in IPv6
Julius Kriukas
julius.kriukas at gmail.com
Tue Jun 11 21:01:07 CEST 2013
On 06/11/2013 07:27 AM, Jim Small wrote:
> Here's an interesting question more relevant to the list and the paper though - are IPv6 CGAs useful? It seems like SeND is dead. But does anyone on the list think that CGAs could provide a useful competitive advantage for IPv6 over IPv4? Are these a useful building block?
I believe CGAs solves PKI problem entirely. If using CGAs one does not
need any PKI or CA certificate at all.
Each node having CGA can give self signed certificate. The certificate
is used only to extract public key (PK), modifier, collision counter and
any extension fields.
Extracted information can be used to verify that host address is valid
CGA with the given public key.
Next step is symmetric key negotiation. If during key negotiation
messages are encrypted with the specified public key then only node
having the corresponding private key can decrypt key negotiation messages.
This step ensures that MITM is not possible if you are using CGA
generated not from your own public/private key pair. If you use your own
public/private keys then you no longer can easily choose your address.
If using CGA+IPSEC then IKE daemon can do the key negotiation part when
given authenticated public key.
In SEND PKI is used only to protect from rogue routers. Only
certificates signed by the CA should be able to send router advertisements.
TLDR:
For address authentication (protection against MITM) when using CGA no
PKI is needed.
CGAs is holy grail for opportunistic encryption. Node can immediately
start using opportunistic encryption by generating self signed
certificate and CGA.
> One thing I wonder about is a 64 bit hash is pretty small - I wonder
> if that is sufficiently complex to provide security for the coming
> decade+?
When generating CGA you can choose security level which allows to slow
down brute force attacks (search for modifiers which would generate
specific CGA address).
Security level is encoded in the first three bits of the address.
Because of that CGAs with lower security does not overlap with stronger
CGAs.
--
Julius Kriukas
More information about the Ipv6hackers
mailing list