[ipv6hackers] opportunistic encryption in IPv6

Jim Small jim.small at cdw.com
Wed Jun 12 05:31:10 CEST 2013

> > Here's an interesting question more relevant to the list and the paper
> though - are IPv6 CGAs useful?  It seems like SeND is dead.  But does anyone
> on the list think that CGAs could provide a useful competitive advantage for
> IPv6 over IPv4?  Are these a useful building block?
> I believe CGAs solves PKI problem entirely. If using CGAs one does not need
> any PKI or CA certificate at all.

True as long as you don't need authentication.  But I have to concede, the whole point of OE is just to encrypt the traffic.

> Each node having CGA can give self signed certificate. The certificate is used
> only to extract public key (PK), modifier, collision counter and any extension
> fields.
> Extracted information can be used to verify that host address is valid CGA
> with the given public key.
> Next step is symmetric key negotiation. If during key negotiation messages
> are encrypted with the specified public key then only node having the
> corresponding private key can decrypt key negotiation messages.
> This step ensures that MITM is not possible if you are using CGA generated
> not from your own public/private key pair. If you use your own public/private
> keys then you no longer can easily choose your address.
> If using CGA+IPSEC then IKE daemon can do the key negotiation part when
> given authenticated public key.
> In SEND PKI is used only to protect from rogue routers. Only certificates
> signed by the CA should be able to send router advertisements.
> For address authentication (protection against MITM) when using CGA no
> PKI is needed.

Per RFC 3972, "CGAs are not certified."  I read the RFC as assuming a strong hash and secure private key, once someone uses a CGA someone else can't hijack/impersonate that address.  So they are great for unauthenticated encryption.

> CGAs is holy grail for opportunistic encryption. Node can immediately start
> using opportunistic encryption by generating self signed certificate and CGA.
>  > One thing I wonder about is a 64 bit hash is pretty small - I wonder  > if that
> is sufficiently complex to provide security for the coming  > decade+?
> When generating CGA you can choose security level which allows to slow
> down brute force attacks (search for modifiers which would generate specific
> CGA address).
> Security level is encoded in the first three bits of the address.
> Because of that CGAs with lower security does not overlap with stronger
> CGAs.

True, but I wonder how well this fairs against modern massive parallel GPU crackers.  SHA-1 is a weak hash.  Would be nice to see an update using SHA-2/SHA-3 and to mandate longer key lengths - say >= 2048 bits.  Otherwise doesn't it seem like we're going down the WEP path again?

Still - it's a great point, CGAs do seem well suited for OE if you can live with the limitations.  Is there anything that currently supports this?  I'm wondering how much IPv6 market value this has...


More information about the Ipv6hackers mailing list