
CGA Extension Header for IPv6 draft-dong-savi-cga-header-03.txt

CGA Extension Header for IPv6 draft-dong-savi-cga-header-03.txt. Margaret Wasserman IETF 78, Maastricht July 2010. What are CGAs?. Cryptographically Generated Addresses Defined in RFC 3972 Currently used for Secure Neighbor Discovery (SeND) Proposed for use in DHCPv6


Presentation Transcript


  1. CGA Extension Header for IPv6, draft-dong-savi-cga-header-03.txt. Margaret Wasserman, IETF 78, Maastricht, July 2010

  2. What are CGAs?
     • Cryptographically Generated Addresses
     • Defined in RFC 3972
     • Currently used for Secure Neighbor Discovery (SeND)
     • Proposed for use in DHCPv6
     • Private key associated with a particular node is used to generate the CGA & sign a packet w/CGA as source
     • Peer receives packet (w/CGA as source), public key and signature
     • Can verify that packet was generated by a node with the associated private key

  3. CGAs for Access Control
     • Host-based access control lists (ACLs) continue to be widely used due to their simple and intuitive configuration requirements
     • Administrator configures a list of nodes (by IP address or FQDN) that are approved for access
     • Unfortunately, these lists are quite insecure, due to ease of address spoofing
     • CGAs provide a secure alternative to insecure ACLs
     • Equivalent to public/private key exchange from a security standpoint
     • BUT… the ACL still consists of a list of nodes (by IP address), not a collection of keys

  4. Proposed Extension Header
     • Current focus is on concept, not specifics
     • Three options
       • Request CGA extension header from peer
       • Send CGA Params
       • Send Signature
     • Other means of sending this information have been suggested
       • Destination option
       • Via IKEv2

  5. Next Steps
     • Bar BOF at the NH Maastricht bar tonight from 1930-2030
     • Old-fashioned bar BOF: in a bar, no slides
     • For people interested in this technology to discuss how to proceed
     • Mailing list: cgasec@ietf.org
     • To subscribe: https://www.ietf.org/mailman/listinfo/cgasec
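The address-to-key binding behind slides 2 and 3, as an added example that is not part of the presentation or the draft: it follows the RFC 3972 generation and verification steps (Hash1, Hash2, Sec) and then gates an address-based ACL on that check. The key bytes, prefix and function names are constructed for illustration, and verifying the packet signature with the public key is a separate step that is omitted here.

```python
import hashlib
import ipaddress

# Interface-ID bits compared with Hash1: Sec bits (0-2) and u/g bits (6-7) are ignored.
MASK = 0x1CFFFFFFFFFFFFFF

def _hash1(modifier, prefix, coll, pubkey, ext=b""):
    # Leftmost 64 bits of SHA-1 over the full CGA Parameters structure.
    data = modifier + prefix + bytes([coll]) + pubkey + ext
    return int.from_bytes(hashlib.sha1(data).digest()[:8], "big")

def _hash2(modifier, pubkey, ext=b""):
    # Leftmost 112 bits of SHA-1 with prefix and collision count zeroed (9 octets).
    return hashlib.sha1(modifier + bytes(9) + pubkey + ext).digest()[:14]

def generate_cga(prefix, pubkey, sec=0):
    # Search for a modifier whose Hash2 starts with 16*sec zero bits.
    m = 0
    while _hash2(m.to_bytes(16, "big"), pubkey)[:2 * sec] != bytes(2 * sec):
        m += 1
    modifier = m.to_bytes(16, "big")
    iid = (_hash1(modifier, prefix, 0, pubkey) & MASK) | (sec << 61)
    return ipaddress.IPv6Address(prefix + iid.to_bytes(8, "big")), modifier

def verify_cga(addr, modifier, prefix, coll, pubkey):
    raw = ipaddress.IPv6Address(addr).packed
    if coll not in (0, 1, 2) or raw[:8] != prefix:
        return False
    iid = int.from_bytes(raw[8:], "big")
    if (_hash1(modifier, prefix, coll, pubkey) & MASK) != (iid & MASK):
        return False  # address was not derived from this public key
    sec = iid >> 61   # Sec is carried in the 3 leftmost bits of the interface ID
    return _hash2(modifier, pubkey)[:2 * sec] == bytes(2 * sec)

def acl_permits(acl, addr, modifier, prefix, coll, pubkey):
    # The ACL still lists addresses; the CGA check ties the address to a key.
    return ipaddress.IPv6Address(addr) in acl and verify_cga(
        addr, modifier, prefix, coll, pubkey)

# Constructed sample data: placeholder key bytes stand in for DER-encoded public keys.
PREFIX = ipaddress.IPv6Address("2001:db8::").packed[:8]
KEY_A = b"constructed-public-key-A"
KEY_B = b"constructed-public-key-B"
ADDR, MOD = generate_cga(PREFIX, KEY_A, sec=1)
ACL = {ADDR}

if __name__ == "__main__":
    print(ADDR, acl_permits(ACL, ADDR, MOD, PREFIX, 0, KEY_A))
    print("spoofed with other key:", acl_permits(ACL, ADDR, MOD, PREFIX, 0, KEY_B))
```

A peer that claims the listed address but presents a different key fails the Hash1 comparison, which is the property a plain address ACL lacks.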
