CGA Extension Header for IPv6 draft-dong-savi-cga-header-03.txt Margaret Wasserman IETF 78, Maastricht July 2010

Page 1:

CGA Extension Header for IPv6 draft-dong-savi-cga-header-03.txt

Margaret Wasserman

IETF 78, Maastricht

July 2010

Page 2:

What are CGAs?

• Cryptographically Generated Addresses
– Defined in RFC 3972
– Currently used for Secure Neighbor Discovery (SeND)
– Proposed for use in DHCPv6

• Private key associated with a particular node is used to generate the CGA & sign a packet w/CGA as source

• Peer receives packet (w/CGA as source), public key and signature
– Can verify that packet was generated by a node with the associated private key

Page 3:

CGAs for Access Control

• Host-based access control lists (ACLs) continue to be widely used due to their simple and intuitive configuration requirements
– Administrator configures a list of nodes (by IP address or FQDN) that are approved for access
– Unfortunately, these lists are quite insecure, due to ease of address spoofing
• CGAs provide a secure alternative to insecure ACLs

– Equivalent to public/private key exchange from a security standpoint

– BUT… the ACL still consists of a list of nodes (by IP address), not a collection of keys
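The address/key binding described on pages 2 and 3, as an added example (not code from the slides or from the draft): RFC 3972 CGA generation and verification using only the Python standard library, plus a host-based ACL check that accepts a source address only if it is listed and verifies against the supplied CGA Parameters. The public key is passed as opaque bytes standing in for the DER-encoded key in the CGA Parameters, the subnet prefix is a constructed documentation prefix, and the packet signature check (the private-key step on page 2) is left to a crypto library and not implemented here.

```python
import hashlib
import os

# Added example: RFC 3972 CGA generation and verification with the standard
# library only. The public key is opaque bytes standing in for the DER-encoded
# SubjectPublicKeyInfo that RFC 3972 places in the CGA Parameters; extension
# fields are not used, so everything after the collision count is the key.


def _hash1(params):
    # Hash1: leftmost 64 bits of SHA-1 over the complete CGA Parameters
    return hashlib.sha1(params).digest()[:8]


def _hash2(modifier, pubkey):
    # Hash2: leftmost 112 bits of SHA-1 over modifier || 9 zero bytes || key
    return hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]


def _leading_zero_bits(data, n):
    # True when the leftmost n bits of data are all zero
    if n == 0:
        return True
    return int.from_bytes(data, "big") >> (len(data) * 8 - n) == 0


def generate_cga(prefix, pubkey, sec, modifier=None, collision_count=0):
    """Return (address, params) per RFC 3972 section 4.
    prefix is the 8-byte subnet prefix; the caller performs duplicate
    address detection and passes the resulting collision_count (0..2)."""
    if len(prefix) != 8 or not 0 <= sec <= 7 or not 0 <= collision_count <= 2:
        raise ValueError("bad CGA inputs")
    modifier = os.urandom(16) if modifier is None else modifier
    # Steps 2-3: search for a modifier whose Hash2 has 16*Sec leading zero
    # bits; this work factor is what makes brute-forcing a CGA costly.
    while not _leading_zero_bits(_hash2(modifier, pubkey), 16 * sec):
        nxt = (int.from_bytes(modifier, "big") + 1) % (1 << 128)
        modifier = nxt.to_bytes(16, "big")
    # Step 4: assemble the CGA Parameters
    params = modifier + prefix + bytes([collision_count]) + pubkey
    # Steps 5-6: interface identifier is Hash1 with Sec written into the
    # three leftmost bits and the u/g bits (bits 6 and 7) cleared
    iid = bytearray(_hash1(params))
    iid[0] = (iid[0] & 0x1C) | (sec << 5)
    return prefix + bytes(iid), params


def verify_cga(address, params):
    """RFC 3972 section 5: does address belong to the key carried in params?"""
    if len(address) != 16 or len(params) < 26:
        return False
    modifier, prefix, cc, pubkey = params[:16], params[16:24], params[24], params[25:]
    if cc > 2 or prefix != address[:8]:  # steps 1-2
        return False
    sec = address[8] >> 5  # Sec lives in the leftmost 3 bits of the IID
    # Steps 3-5: compare Hash1 with the IID, ignoring Sec and u/g bits
    h1 = bytearray(_hash1(params))
    h1[0] &= 0x1C
    iid = bytearray(address[8:])
    iid[0] &= 0x1C
    if bytes(h1) != bytes(iid):
        return False
    # Steps 6-7: Hash2 must carry 16*Sec leading zero bits
    return _leading_zero_bits(_hash2(modifier, pubkey), 16 * sec)


def acl_allows(acl, src_address, params):
    """Host-based ACL with CGA binding: the source must be listed AND the
    address must verify against the key in params. The signature over the
    packet (made with the matching private key) is checked separately with
    that public key; it needs a crypto library and is omitted here."""
    return src_address in acl and verify_cga(src_address, params)


if __name__ == "__main__":
    prefix = bytes.fromhex("20010db800000001")  # constructed: 2001:db8:0:1::/64
    pubkey = b"constructed-placeholder-public-key-bytes"
    addr, params = generate_cga(prefix, pubkey, sec=1, modifier=bytes(16))
    print(addr.hex(), verify_cga(addr, params), acl_allows({addr}, addr, params))
```

With Sec=1 the modifier search needs roughly 2^16 SHA-1 evaluations, which runs in well under a second; each increment of Sec multiplies that by 2^16, which is why deployments pick Sec low for address generation while verification stays a single pair of hashes.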

Page 4:

Proposed Extension Header

• Current focus is on concept, not specifics
• Three options
– Request CGA extension header from peer
– Send CGA Params
– Send Signature
• Other means of sending this information have been suggested
– Destination option
– Via IKEv2

Page 5:

Next Steps

• Bar BOF at the NH Maastricht bar tonight from 1930-2030
– Old-fashioned bar BOF: in a bar, no slides
– For people interested in this technology to discuss how to proceed
• Mailing list: [email protected]

– To subscribe: https://www.ietf.org/mailman/listinfo/cgasec