CGA Extension Header for IPv6 draft-dong-savi-cga-header-03.txt Margaret Wasserman IETF 78, Maastricht July 2010.

1 CGA Extension Header for IPv6
draft-dong-savi-cga-header-03.txt
Margaret Wasserman
IETF 78, Maastricht, July 2010

2 What are CGAs?
Cryptographically Generated Addresses
– Defined in RFC 3972
– Currently used for Secure Neighbor Discovery (SeND)
– Proposed for use in DHCPv6
Private key associated with a particular node is used to generate the CGA & sign a packet w/CGA as source
Peer receives packet (w/CGA as source), public key and signature
– Can verify that packet was generated by a node with the associated private key

3 CGAs for Access Control
Host-based access control lists (ACLs) continue to be widely used due to their simple and intuitive configuration requirements
– Administrator configures a list of nodes (by IP address or FQDN) that are approved for access
– Unfortunately, these lists are quite insecure, due to ease of address spoofing
CGAs provide a secure alternative to insecure ACLs
– Equivalent to public/private key exchange from a security standpoint
– BUT… the ACL still consists of a list of nodes (by IP address), not a collection of keys
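
The address-to-key binding that slides 2 and 3 rely on, as an added example (not part of the original slides or the draft): RFC 3972 derives the interface identifier from a SHA-1 hash over the CGA parameters, which include the public key, so a receiver can check that a source address listed in an ACL belongs to the key that signed the packet. Assumptions: the key blobs are constructed placeholders, no extension fields are used, the modifier search starts at 0 for reproducibility, and the signature check itself is out of scope.

```python
import hashlib
import ipaddress

IID_MASK = 0x1CFFFFFFFFFFFFFF  # RFC 3972 mask: ignores Sec bits 0-2 and u/g bits 6-7

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs (not real keys).
KEY_A = b"constructed-placeholder-public-key-A"
KEY_B = b"constructed-placeholder-public-key-B"
PREFIX = bytes.fromhex("20010db800000000")  # 2001:db8::/64, documentation prefix


def _sha1_bits(data: bytes, nbytes: int) -> int:
    """Leftmost nbytes of SHA-1(data) as an integer."""
    return int.from_bytes(hashlib.sha1(data).digest()[:nbytes], "big")


def generate_cga(prefix: bytes, pubkey: bytes, sec: int = 1):
    """Return (address, modifier) for a CGA with no extension fields."""
    counter = 0  # RFC 3972 starts from a random modifier; 0 keeps this reproducible
    while True:
        modifier = counter.to_bytes(16, "big")
        # Hash2: the 16*sec leftmost bits of the 112-bit hash must be zero.
        if _sha1_bits(modifier + bytes(9) + pubkey, 14) >> (112 - 16 * sec) == 0:
            break
        counter += 1
    hash1 = _sha1_bits(modifier + prefix + b"\x00" + pubkey, 8)  # collision count 0
    iid = (hash1 & IID_MASK) | (sec << 61)
    return ipaddress.IPv6Address(prefix + iid.to_bytes(8, "big")), modifier


def verify_cga(address, modifier, prefix, collision_count, pubkey) -> bool:
    """Check that the claimed parameters really produce this address."""
    raw = ipaddress.IPv6Address(address).packed
    iid = int.from_bytes(raw[8:], "big")
    sec = iid >> 61
    if collision_count not in (0, 1, 2) or raw[:8] != prefix:
        return False
    hash1 = _sha1_bits(modifier + prefix + bytes([collision_count]) + pubkey, 8)
    if (hash1 ^ iid) & IID_MASK:
        return False  # address was not derived from this key
    hash2 = _sha1_bits(modifier + bytes(9) + pubkey, 14)
    return hash2 >> (112 - 16 * sec) == 0


if __name__ == "__main__":
    addr, mod = generate_cga(PREFIX, KEY_A)
    print(addr, verify_cga(addr, mod, PREFIX, 0, KEY_A), verify_cga(addr, mod, PREFIX, 0, KEY_B))
```

A peer that presents the ACL-listed address with a different key fails the Hash1 comparison, which is why the ACL can keep listing addresses rather than keys.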

4 Proposed Extension Header
Current focus is on concept, not specifics
Three options
– Request CGA extension header from peer
– Send CGA Params
– Send Signature
Other means of sending this information have been suggested
– Destination option
– Via IKEv2

5 Next Steps
Bar BOF at the NH Maastricht bar tonight from 1930-2030
– Old-fashioned bar BOF: in a bar, no slides
– For people interested in this technology to discuss how to proceed
Mailing list: cgasec@ietf.org
– To subscribe: https://www.ietf.org/mailman/listinfo/cgasec

