CGA Extension Header for IPv6
draft-dong-savi-cga-header-03.txt
Margaret Wasserman
IETF 78, Maastricht
July 2010
What are CGAs?
• Cryptographically Generated Addresses
– Defined in RFC 3972
– Currently used for Secure Neighbor Discovery (SeND)
– Proposed for use in DHCPv6
• Private key associated with a particular node is used to generate the CGA & sign a packet w/CGA as source
• Peer receives packet (w/CGA as source), public key and signature
– Can verify that packet was generated by a node with the associated private key
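As an added example (not code from the slides or the draft), the RFC 3972 hash steps that bind an IPv6 address to a public key, which is the check a peer or an ACL enforcement point performs before trusting the address; the prefix and public-key bytes are constructed placeholders, and DAD and packet signing are left out.

```python
import hashlib
import os

def _hash1(modifier, prefix, count, pubkey):
    # Hash1: leftmost 64 bits of SHA-1(modifier || subnet prefix || collision count || public key)
    return hashlib.sha1(modifier + prefix + bytes([count]) + pubkey).digest()[:8]

def _hash2(modifier, pubkey):
    # Hash2: leftmost 112 bits of SHA-1(modifier || 9 zero octets || public key)
    return hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]

def hash2_ok(modifier, pubkey, sec):
    # The 16*Sec leftmost bits of Hash2 must be zero (always satisfied for Sec = 0).
    return int.from_bytes(_hash2(modifier, pubkey), "big") >> (112 - 16 * sec) == 0

def generate_cga(prefix, pubkey, sec, modifier=None, collision_count=0):
    """Return (16-byte address, CGA parameters tuple). DAD is not performed here."""
    m = int.from_bytes(os.urandom(16) if modifier is None else modifier, "big")
    while not hash2_ok(m.to_bytes(16, "big"), pubkey, sec):
        m = (m + 1) % (1 << 128)                  # search for a modifier meeting the Sec condition
    modifier = m.to_bytes(16, "big")
    iid = bytearray(_hash1(modifier, prefix, collision_count, pubkey))
    iid[0] = (iid[0] & 0x1C) | (sec << 5)         # write Sec into the 3 leftmost bits, clear u/g bits
    return prefix + bytes(iid), (modifier, prefix, collision_count, pubkey)

def verify_cga(address, params):
    """True if `address` was derived from `params`; this binds the key, not yet the sender."""
    modifier, prefix, count, pubkey = params
    if count not in (0, 1, 2) or address[:8] != prefix:
        return False
    iid = address[8:]
    sec = iid[0] >> 5                             # Sec is carried in the interface identifier
    h1 = _hash1(modifier, prefix, count, pubkey)
    # Differences in the Sec bits and the u/g bits of the first octet are ignored (mask 0x1C).
    if (h1[0] & 0x1C, h1[1:]) != (iid[0] & 0x1C, iid[1:]):
        return False
    return hash2_ok(modifier, pubkey, sec)

# Constructed sample inputs (not from the draft): a /64 prefix and an opaque stand-in for the
# DER-encoded RSA public key that RFC 3972 places in the CGA Parameters.
PREFIX = bytes.fromhex("20010db8000000a0")
PUBKEY = b"constructed-stand-in-for-DER-encoded-RSA-public-key"

def demo(sec=1):
    addr, params = generate_cga(PREFIX, PUBKEY, sec, modifier=bytes(16))
    spoofed = addr[:15] + bytes([addr[15] ^ 0x01])   # same prefix, altered interface identifier
    return verify_cga(addr, params), verify_cga(spoofed, params)

if __name__ == "__main__":
    print(demo())   # (True, False)
```

A successful verify_cga only shows the address was derived from that public key; it is the signature over the packet, checked against the same key, that ties the packet to the holder of the private key.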
CGAs for Access Control
• Host-based access control lists (ACLs) continue to be widely used due to their simple and intuitive configuration requirements
– Administrator configures a list of nodes (by IP address or FQDN) that are approved for access
– Unfortunately, these lists are quite insecure, due to ease of address spoofing
• CGAs provide a secure alternative to insecure ACLs
– Equivalent to public/private key exchange from a security standpoint
– BUT… the ACL still consists of a list of nodes (by IP address), not a collection of keys
Proposed Extension Header
• Current focus is on concept, not specifics
• Three options
– Request CGA extension header from peer
– Send CGA Params
– Send Signature
• Other means of sending this information have been suggested
– Destination option
– Via IKEv2
Next Steps
• Bar BOF at the NH Maastricht bar tonight from 1930-2030
– Old-fashioned bar BOF: in a bar, no slides
– For people interested in this technology to discuss how to proceed
• Mailing list: cgasec@ietf.org
– To subscribe: https://www.ietf.org/mailman/listinfo/cgasec