[ipv6hackers] opportunistic encryption in IPv6

Julius Kriukas julius.kriukas at gmail.com
Tue Jun 11 21:01:07 CEST 2013

On 06/11/2013 07:27 AM, Jim Small wrote:
> Here's an interesting question more relevant to the list and the paper though - are IPv6 CGAs useful?  It seems like SeND is dead.  But does anyone on the list think that CGAs could provide a useful competitive advantage for IPv6 over IPv4?  Are these a useful building block?

I believe CGAs solve the PKI problem entirely. If using CGAs, one does not 
need any PKI or CA certificate at all.

Each node having a CGA can give a self-signed certificate. The certificate 
is used only to extract the public key (PK), modifier, collision counter and 
any extension fields.

Extracted information can be used to verify that the host address is a valid 
CGA with the given public key.

The next step is symmetric key negotiation. If during key negotiation 
messages are encrypted with the specified public key, then only the node 
having the corresponding private key can decrypt key negotiation messages.

This step ensures that MITM is not possible if you are using a CGA 
generated not from your own public/private key pair. If you use your own 
public/private keys then you can no longer easily choose your address.

If using CGA+IPSEC then the IKE daemon can do the key negotiation part when 
given an authenticated public key.

In SEND, PKI is used only to protect from rogue routers. Only 
certificates signed by the CA should be able to send router advertisements.

For address authentication (protection against MITM) when using CGA, no 
PKI is needed.

CGAs are the holy grail for opportunistic encryption. A node can immediately 
start using opportunistic encryption by generating a self-signed 
certificate and CGA.

 > One thing I wonder about is a 64 bit hash is pretty small - I wonder
 > if that is sufficiently complex to provide security for the coming
 > decade+?

When generating a CGA you can choose a security level, which allows slowing 
down brute force attacks (search for modifiers which would generate a 
specific CGA address).

The security level is encoded in the first three bits of the address. 
Because of that, CGAs with lower security do not overlap with stronger 

Julius Kriukas
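
The address check and the security-level (Sec) modifier search described in the message above, as an added example that is not part of the original post. It follows the RFC 3972 parameter layout and hash definitions; the prefix and key bytes are constructed placeholders, and signature checking, duplicate address detection and key negotiation are left out.

```python
import hashlib
import ipaddress

# Constructed sample inputs: documentation prefix and placeholder key bytes
# standing in for a DER-encoded public key (not a real key).
SAMPLE_PREFIX = bytes.fromhex("20010db800000000")
SAMPLE_PUBKEY = b"constructed-placeholder-for-DER-public-key"

# Hash1 comparison ignores Sec (3 leftmost bits) and the u/g bits (6 and 7).
ID_MASK = 0x1CFFFFFFFFFFFFFF

def hash1(modifier, prefix, coll, pubkey, ext=b""):
    """Leftmost 64 bits of SHA-1 over the full CGA parameters."""
    data = modifier + prefix + bytes([coll]) + pubkey + ext
    return int.from_bytes(hashlib.sha1(data).digest()[:8], "big")

def hash2(modifier, pubkey, ext=b""):
    """Leftmost 112 bits of SHA-1 with prefix and collision count zeroed."""
    return hashlib.sha1(modifier + bytes(9) + pubkey + ext).digest()[:14]

def generate_cga(prefix, pubkey, sec, start_modifier=0):
    """Search for a modifier meeting `sec`; return (address, modifier, coll)."""
    m = start_modifier
    while True:
        modifier = m.to_bytes(16, "big")
        # Brute-force cost: the 16*sec leftmost bits of Hash2 must be zero.
        if hash2(modifier, pubkey)[:2 * sec] == bytes(2 * sec):
            break
        m = (m + 1) % (1 << 128)
    iid = (hash1(modifier, prefix, 0, pubkey) & ID_MASK) | (sec << 61)
    return ipaddress.IPv6Address(prefix + iid.to_bytes(8, "big")), modifier, 0

def verify_cga(addr, modifier, coll, pubkey, ext=b""):
    """True if `addr` is a valid CGA for the supplied parameters."""
    raw = ipaddress.IPv6Address(addr).packed
    prefix, iid = raw[:8], int.from_bytes(raw[8:], "big")
    if coll not in (0, 1, 2) or len(modifier) != 16:
        return False
    if (hash1(modifier, prefix, coll, pubkey, ext) & ID_MASK) != (iid & ID_MASK):
        return False
    sec = iid >> 61  # Sec is read from the address, never from the sender
    return hash2(modifier, pubkey, ext)[:2 * sec] == bytes(2 * sec)

if __name__ == "__main__":
    addr, mod, coll = generate_cga(SAMPLE_PREFIX, SAMPLE_PUBKEY, sec=1)
    print(addr, mod.hex(), verify_cga(addr, mod, coll, SAMPLE_PUBKEY))
```

Because the verifier takes Sec from the address bits rather than from the supplied parameters, a modifier found at a lower level does not validate an address that claims a higher one.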
