summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc3972.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc3972.txt')
-rw-r--r--doc/rfc/rfc3972.txt1235
1 files changed, 1235 insertions, 0 deletions
diff --git a/doc/rfc/rfc3972.txt b/doc/rfc/rfc3972.txt
new file mode 100644
index 0000000..9c7a7ab
--- /dev/null
+++ b/doc/rfc/rfc3972.txt
@@ -0,0 +1,1235 @@
+
+
+
+
+
+
+Network Working Group T. Aura
+Request for Comments: 3972 Microsoft Research
+Category: Standards Track March 2005
+
+
+ Cryptographically Generated Addresses (CGA)
+
+Status of This Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2004).
+
+Abstract
+
+ This document describes a method for binding a public signature key
+ to an IPv6 address in the Secure Neighbor Discovery (SEND) protocol.
+ Cryptographically Generated Addresses (CGA) are IPv6 addresses for
+ which the interface identifier is generated by computing a
+ cryptographic one-way hash function from a public key and auxiliary
+ parameters. The binding between the public key and the address can
+ be verified by re-computing the hash value and by comparing the hash
+ with the interface identifier. Messages sent from an IPv6 address
+ can be protected by attaching the public key and auxiliary parameters
+ and by signing the message with the corresponding private key. The
+ protection works without a certification authority or any security
+ infrastructure.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Aura Standards Track [Page 1]
+
+RFC 3972 Cryptographically Generated Addresses March 2005
+
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
+ 2. CGA Format . . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 3. CGA Parameters and Hash Values . . . . . . . . . . . . . . . . 5
+ 4. CGA Generation . . . . . . . . . . . . . . . . . . . . . . . . 6
+ 5. CGA Verification . . . . . . . . . . . . . . . . . . . . . . . 9
+ 6. CGA Signatures . . . . . . . . . . . . . . . . . . . . . . . . 10
+ 7. Security Considerations . . . . . . . . . . . . . . . . . . . 12
+ 7.1. Security Goals and Limitations . . . . . . . . . . . . . 12
+ 7.2. Hash Extension . . . . . . . . . . . . . . . . . . . . . 13
+ 7.3. Privacy Considerations . . . . . . . . . . . . . . . . . 15
+ 7.4. Related Protocols . . . . . . . . . . . . . . . . . . . 15
+ 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16
+ 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 17
+ 9.1. Normative References . . . . . . . . . . . . . . . . . . 17
+ 9.2. Informative References . . . . . . . . . . . . . . . . . 18
+ Appendices . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
+ A. Example of CGA Generation. . . . . . . . . . . . . . . . . 20
+ B. Acknowledgements . . . . . . . . . . . . . . . . . . . . . 21
+ Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 21
+ Full Copyright Statements. . . . . . . . . . . . . . . . . . . . . 22
+
+1. Introduction
+
+ This document specifies a method for securely associating a
+ cryptographic public key with an IPv6 address in the Secure Neighbor
+ Discovery (SEND) protocol [RFC3971]. The basic idea is to generate
+ the interface identifier (i.e., the rightmost 64 bits) of the IPv6
+ address by computing a cryptographic hash of the public key. The
+ resulting IPv6 address is called a cryptographically generated
+ address (CGA). The corresponding private key can then be used to
+ sign messages sent from the address. An introduction to CGAs and
+ their application to SEND can be found in [Aura03] and [AAKMNR02].
+
+ This document specifies:
+
+ o how to generate a CGA from the cryptographic hash of a public key
+ and auxiliary parameters,
+
+ o how to verify the association between the public key and the CGA,
+ and
+
+ o how to sign a message sent from the CGA, and how to verify the
+ signature.
+
+
+
+
+
+
+Aura Standards Track [Page 2]
+
+RFC 3972 Cryptographically Generated Addresses March 2005
+
+
+ To verify the association between the address and the public key, the
+ verifier needs to know the address itself, the public key, and the
+ values of the auxiliary parameters. The verifier can then go on to
+ verify messages signed by the owner of the public key (i.e., the
+ address owner). No additional security infrastructure, such as a
+ public key infrastructure (PKI), certification authorities, or other
+ trusted servers, is needed.
+
+ Note that because CGAs themselves are not certified, an attacker can
+ create a new CGA from any subnet prefix and its own (or anyone
+ else's) public key. However, the attacker cannot take a CGA created
+ by someone else and send signed messages that appear to come from the
+ owner of that address.
+
+ The address format and the CGA parameter format are defined in
+ Sections 2 and 3. Detailed algorithms for generating addresses and
+ for verifying them are given in Sections 4 and 5, respectively.
+ Section 6 defines the procedures for generating and verifying CGA
+ signatures. The security considerations in Section 7 include
+ limitations of CGA-based security, the reasoning behind the hash
+ extension technique that enables effective hash lengths above the
+ 64-bit limit of the interface identifier, the implications of CGAs on
+ privacy, and protection against related-protocol attacks.
+
+ In this document, the key words MUST, MUST NOT, REQUIRED, SHALL,
+ SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL are to
+ be interpreted as described in [RFC2119].
+
+2. CGA Format
+
+ When talking about addresses, this document refers to IPv6 addresses
+ in which the leftmost 64 bits of a 128-bit address form the subnet
+ prefix and the rightmost 64 bits of the address form the interface
+ identifier [RFC3513]. We number the bits of the interface identifier
+ starting from bit zero on the left.
+
+ A cryptographically generated address (CGA) has a security parameter
+ (Sec) that determines its strength against brute-force attacks. The
+ security parameter is a three-bit unsigned integer, and it is encoded
+ in the three leftmost bits (i.e., bits 0 - 2) of the interface
+ identifier. This can be written as follows:
+
+ Sec = (interface identifier & 0xe000000000000000) >> 61
+
+
+
+
+
+
+
+
+Aura Standards Track [Page 3]
+
+RFC 3972 Cryptographically Generated Addresses March 2005
+
+
+ The CGA is associated with a set of parameters that consist of a
+ public key and auxiliary parameters. Two hash values Hash1 (64 bits)
+ and Hash2 (112 bits) are computed from the parameters. The formats
+ of the public key and auxiliary parameters, and the way to compute
+ the hash values, are defined in Section 3.
+
+ A cryptographically generated address is defined as an IPv6 address
+ that satisfies the following two conditions:
+
+ o The first hash value, Hash1, equals the interface identifier of
+ the address. Bits 0, 1, 2, 6, and 7 (i.e., the bits that encode
+ the security parameter Sec and the "u" and "g" bits from the
+ standard IPv6 address architecture format of interface identifiers
+ [RFC3513]) are ignored in the comparison.
+
+ o The 16*Sec leftmost bits of the second hash value, Hash2, are
+ zero.
+
+ The above definition can be stated in terms of the following two bit
+ masks:
+
+ Mask1 (64 bits) = 0x1cffffffffffffff
+
+ Mask2 (112 bits) = 0x0000000000000000000000000000 if Sec=0,
+ 0xffff000000000000000000000000 if Sec=1,
+ 0xffffffff00000000000000000000 if Sec=2,
+ 0xffffffffffff0000000000000000 if Sec=3,
+ 0xffffffffffffffff000000000000 if Sec=4,
+ 0xffffffffffffffffffff00000000 if Sec=5,
+ 0xffffffffffffffffffffffff0000 if Sec=6, and
+ 0xffffffffffffffffffffffffffff if Sec=7
+
+ A cryptographically generated address is an IPv6 address for which
+ the following two equations hold:
+
+ Hash1 & Mask1 == interface identifier & Mask1
+ Hash2 & Mask2 == 0x0000000000000000000000000000
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Aura Standards Track [Page 4]
+
+RFC 3972 Cryptographically Generated Addresses March 2005
+
+
+3. CGA Parameters and Hash Values
+
+ Each CGA is associated with a CGA Parameters data structure, which
+ has the following format:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ + +
+ | |
+ + Modifier (16 octets) +
+ | |
+ + +
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ + Subnet Prefix (8 octets) +
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ |Collision Count| |
+ +-+-+-+-+-+-+-+-+ |
+ | |
+ ~ Public Key (variable length) ~
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ ~ Extension Fields (optional, variable length) ~
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Modifier
+
+ This field contains a 128-bit unsigned integer, which can be any
+ value. The modifier is used during CGA generation to implement
+ the hash extension and to enhance privacy by adding randomness to
+ the address.
+
+ Subnet Prefix
+
+ This field contains the 64-bit subnet prefix of the CGA.
+
+ Collision Count
+
+ This is an eight-bit unsigned integer that MUST be 0, 1, or 2.
+ The collision count is incremented during CGA generation to
+ recover from an address collision detected by duplicate address
+ detection.
+
+
+
+Aura Standards Track [Page 5]
+
+RFC 3972 Cryptographically Generated Addresses March 2005
+
+
+ Public Key
+
+ This is a variable-length field containing the public key of the
+ address owner. The public key MUST be formatted as a DER-encoded
+ [ITU.X690.2002] ASN.1 structure of the type SubjectPublicKeyInfo,
+ defined in the Internet X.509 certificate profile [RFC3280]. SEND
+ SHOULD use an RSA public/private key pair. When RSA is used, the
+ algorithm identifier MUST be rsaEncryption, which is
+ 1.2.840.113549.1.1.1, and the RSA public key MUST be formatted by
+ using the RSAPublicKey type as specified in Section 2.3.1 of RFC
+ 3279 [RFC3279]. The RSA key length SHOULD be at least 384 bits.
+ Other public key types are undesirable in SEND, as they may result
+ in incompatibilities between implementations. The length of this
+ field is determined by the ASN.1 encoding.
+
+ Extension Fields
+
+ This is an optional variable-length field that is not used in the
+ current specification. Future versions of this specification may
+ use this field for additional data items that need to be included
+ in the CGA Parameters data structure. IETF standards action is
+ required to specify the use of the extension fields.
+ Implementations MUST ignore the value of any unrecognized
+ extension fields.
+
+ The two hash values MUST be computed as follows. The SHA-1 hash
+ algorithm [FIPS.180-1.1995] is applied to the CGA Parameters. When
+ Hash1 is computed, the input to the SHA-1 algorithm is the CGA
+ Parameters data structure. The 64-bit Hash1 is obtained by taking
+ the leftmost 64 bits of the 160-bit SHA-1 hash value. When Hash2 is
+ computed, the input is the same CGA Parameters data structure except
+ that the subnet prefix and collision count are set to zero. The
+ 112-bit Hash2 is obtained by taking the leftmost 112 bits of the
+ 160-bit SHA-1 hash value. Note that the hash values are computed
+ over the entire CGA Parameters data structure, including any
+ unrecognized extension fields.
+
+4. CGA Generation
+
+ The process of generating a new CGA takes three input values: a
+ 64-bit subnet prefix, the public key of the address owner as a
+ DER-encoded ASN.1 structure of the type SubjectPublicKeyInfo, and the
+ security parameter Sec, which is an unsigned three-bit integer. The
+ cost of generating a new CGA depends exponentially on the security
+ parameter Sec, which can have values from 0 to 7.
+
+
+
+
+
+
+Aura Standards Track [Page 6]
+
+RFC 3972 Cryptographically Generated Addresses March 2005
+
+
+ A CGA and associated parameters SHOULD be generated as follows:
+
+ 1. Set the modifier to a random or pseudo-random 128-bit value.
+
+ 2. Concatenate from left to right the modifier, 9 zero octets, the
+ encoded public key, and any optional extension fields. Execute
+ the SHA-1 algorithm on the concatenation. Take the 112 leftmost
+ bits of the SHA-1 hash value. The result is Hash2.
+
+ 3. Compare the 16*Sec leftmost bits of Hash2 with zero. If they are
+ all zero (or if Sec=0), continue with step 4. Otherwise,
+ increment the modifier by one and go back to step 2.
+
+ 4. Set the 8-bit collision count to zero.
+
+ 5. Concatenate from left to right the final modifier value, the
+ subnet prefix, the collision count, the encoded public key, and
+ any optional extension fields. Execute the SHA-1 algorithm on the
+ concatenation. Take the 64 leftmost bits of the SHA-1 hash value.
+ The result is Hash1.
+
+ 6. Form an interface identifier from Hash1 by writing the value of
+ Sec into the three leftmost bits and by setting bits 6 and 7
+ (i.e., the "u" and "g" bits) to zero.
+
+ 7. Concatenate the 64-bit subnet prefix and the 64-bit interface
+ identifier to form a 128-bit IPv6 address with the subnet prefix
+ to the left and interface identifier to the right, as in a
+ standard IPv6 address [RFC3513].
+
+ 8. Perform duplicate address detection if required, as per [RFC3971].
+ If an address collision is detected, increment the collision count
+ by one and go back to step 5. However, after three collisions,
+ stop and report the error.
+
+ 9. Form the CGA Parameters data structure by concatenating from left
+ to right the final modifier value, the subnet prefix, the final
+ collision count value, the encoded public key, and any optional
+ extension fields.
+
+ The output of the address generation algorithm is a new CGA and a CGA
+ Parameters data structure.
+
+ The initial value of the modifier in step 1 SHOULD be chosen randomly
+ to make addresses generated from the same public key unlinkable,
+ which enhances privacy (see Section 7.3). The quality of the random
+ number generator does not affect the strength of the binding between
+
+
+
+
+Aura Standards Track [Page 7]
+
+RFC 3972 Cryptographically Generated Addresses March 2005
+
+
+ the address and the public key. Implementations that have no strong
+ random numbers available MAY use a non-cryptographic pseudo-random
+ number generator initialized with the current time of day.
+
+ For Sec=0, the above algorithm is deterministic and relatively fast.
+ Nodes that implement CGA generation MAY always use the security
+ parameter value Sec=0. If Sec=0, steps 2 - 3 of the generation
+ algorithm can be skipped.
+
+ For Sec values greater than zero, the above algorithm is not
+ guaranteed to terminate after a certain number of iterations. The
+ brute-force search in steps 2 - 3 takes O(2^(16*Sec)) iterations to
+ complete. The algorithm has been intentionally designed so that the
+ generation of CGAs with high Sec values is infeasible with current
+ technology.
+
+ Implementations MAY use optimized or otherwise modified versions of
+ the above algorithm for CGA generation. However, the output of any
+ modified versions MUST fulfill the following two requirements.
+ First, the resulting CGA and CGA Parameters data structure MUST be
+ formatted as specified in Sections 2 - 3. Second, the CGA
+ verification procedure defined in Section 5 MUST succeed when invoked
+ on the output of the CGA generation algorithm. Note that some
+ optimizations involve trade-offs between privacy and the cost of
+ address generation.
+
+ One optimization is particularly important. If the subnet prefix of
+ the address changes but the address owner's public key does not, the
+ old modifier value MAY be reused. If it is reused, the algorithm
+ SHOULD be started from step 4. This optimization avoids repeating
+ the expensive search for an acceptable modifier value but may, in
+ some situations, make it easier for an observer to link two addresses
+ to each other.
+
+ Note that this document does not specify whether duplicate address
+ detection should be performed and how the detection is done. Step 8
+ only defines what to do if some form of duplicate address detection
+ is performed and an address collision is detected.
+
+ Future versions of this specification may specify additional inputs
+ to the CGA generation algorithm that are concatenated as extension
+ fields to the end of the CGA Parameters data structure. No such
+ extension fields are defined in this document.
+
+
+
+
+
+
+
+
+Aura Standards Track [Page 8]
+
+RFC 3972 Cryptographically Generated Addresses March 2005
+
+
+5. CGA Verification
+
+ CGA verification takes an IPv6 address and a CGA Parameters data
+ structure as input. The CGA Parameters consist of the concatenated
+ modifier, subnet prefix, collision count, public key, and optional
+ extension fields. The verification either succeeds or fails.
+
+ The CGA MUST be verified with the following steps:
+
+ 1. Check that the collision count in the CGA Parameters data
+ structure is 0, 1, or 2. The CGA verification fails if the
+ collision count is out of the valid range.
+
+ 2. Check that the subnet prefix in the CGA Parameters data structure
+ is equal to the subnet prefix (i.e., the leftmost 64 bits) of the
+ address. The CGA verification fails if the prefix values differ.
+
+ 3. Execute the SHA-1 algorithm on the CGA Parameters data structure.
+ Take the 64 leftmost bits of the SHA-1 hash value. The result is
+ Hash1.
+
+ 4. Compare Hash1 with the interface identifier (i.e., the rightmost
+ 64 bits) of the address. Differences in the three leftmost bits
+ and in bits 6 and 7 (i.e., the "u" and "g" bits) are ignored. If
+ the 64-bit values differ (other than in the five ignored bits),
+ the CGA verification fails.
+
+ 5. Read the security parameter Sec from the three leftmost bits of
+ the 64-bit interface identifier of the address. (Sec is an
+ unsigned 3-bit integer.)
+
+ 6. Concatenate from left to right the modifier, 9 zero octets, the
+ public key, and any extension fields that follow the public key in
+ the CGA Parameters data structure. Execute the SHA-1 algorithm on
+ the concatenation. Take the 112 leftmost bits of the SHA-1 hash
+ value. The result is Hash2.
+
+ 7. Compare the 16*Sec leftmost bits of Hash2 with zero. If any one
+ of them is not zero, the CGA verification fails. Otherwise, the
+ verification succeeds. (If Sec=0, the CGA verification never
+ fails at this step.)
+
+ If the verification fails at any step, the execution of the algorithm
+ MUST be stopped immediately. On the other hand, if the verification
+ succeeds, the verifier knows that the public key in the CGA
+ Parameters is the authentic public key of the address owner. The
+
+
+
+
+
+Aura Standards Track [Page 9]
+
+RFC 3972 Cryptographically Generated Addresses March 2005
+
+
+ verifier can extract the public key by removing 25 octets from the
+ beginning of the CGA Parameters and by decoding the following
+ SubjectPublicKeyInfo data structure.
+
+ Note that the values of bits 6 and 7 (the "u" and "g" bits) of the
+ interface identifier are ignored during CGA verification. In the
+ SEND protocol, after the verification succeeds, the verifier SHOULD
+ process all CGAs in the same way regardless of the Sec, modifier, and
+ collision count values. In particular, the verifier in the SEND
+ protocol SHOULD NOT have any security policy that differentiates
+ between addresses based on the value of Sec. That way, the address
+ generator is free to choose any value of Sec.
+
+ All nodes that implement CGA verification MUST be able to process all
+ security parameter values Sec = 0, 1, 2, 3, 4, 5, 6, 7. The
+ verification procedure is relatively fast and always requires at most
+ two computations of the SHA-1 hash function. If Sec=0, the
+ verification never fails in steps 6 - 7 and these steps can be
+ skipped.
+
+ Nodes that implement CGA verification for SEND SHOULD be able to
+ process RSA public keys that have the algorithm identifier
+ rsaEncryption and, key length between 384 and 2,048 bits.
+ Implementations MAY support longer keys. Future versions of this
+ specification may recommend support for longer keys.
+
+ Implementations of CGA verification MUST ignore the value of any
+ unrecognized extension fields that follow the public key in the CGA
+ Parameters data structure. However, implementations MUST include any
+ such unrecognized data in the hash input when computing Hash1 in step
+ 3 and Hash2 in step 6 of the CGA verification algorithm. This is
+ important to ensure upward compatibility with future extensions.
+
+6. CGA Signatures
+
+ This section defines the procedures for generating and verifying CGA
+ signatures. To sign a message, a node needs the CGA, the associated
+ CGA Parameters data structure, the message, and the private
+ cryptographic key that corresponds to the public key in the CGA
+ Parameters. The node also must have a 128-bit type tag for the
+ message from the CGA Message Type name space.
+
+ To sign a message, a node SHOULD do the following:
+
+ o Concatenate the 128-bit type tag (in network byte order) and the
+ message with the type tag to the left and the message to the
+ right. The concatenation is the message to be signed in the next
+ step.
+
+
+
+Aura Standards Track [Page 10]
+
+RFC 3972 Cryptographically Generated Addresses March 2005
+
+
+ o Generate the RSA signature by using the RSASSA-PKCS1-v1_5
+ [RFC3447] signature algorithm with the SHA-1 hash algorithm. The
+ private key and the concatenation created above are the inputs to
+ the generation operation.
+
+ The SEND protocol specification [RFC3971] defines several messages
+ that contain a signature in the Signature Option. The SEND protocol
+ specification also defines a type tag from the CGA Message Type name
+ space. The same type tag is used for all the SEND messages that have
+ the Signature Option. This type tag is an IANA-allocated 128 bit
+ integer that has been chosen at random to prevent an accidental type
+ collision with messages of other protocols that use the same public
+ key but that may or may not use IANA-allocated type tags.
+
+ The CGA, the CGA Parameters data structure, the message, and the
+ signature are sent to the verifier. The SEND protocol specification
+ defines how these data items are sent in SEND protocol messages.
+ Note that the 128-bit type tag is not included in the SEND protocol
+ messages because the verifier knows its value implicitly from the
+ ICMP message type field in the SEND message. See the SEND
+ specification [RFC3971] for precise information about how SEND
+ handles the type tag.
+
+ To verify a signature, the verifier needs the CGA, the associated CGA
+ Parameters data structure, the message, and the signature. The
+ verifier also needs to have the 128-bit type tag for the message.
+
+ To verify the signature, a node SHOULD do the following:
+
+ o Verify the CGA as defined in Section 5. The inputs to the CGA
+ verification are the CGA and the CGA Parameters data structure.
+
+ o Concatenate the 128-bit type tag and the message with the type tag
+ to the left and the message to the right. The concatenation is
+ the message whose signature is to be verified in the next step.
+
+ o Verify the RSA signature by using the RSASSA-PKCS1-v1_5 [RFC3447]
+ algorithm with the SHA-1 hash algorithm. The inputs to the
+ verification operation are the public key (i.e., the RSAPublicKey
+ structure from the SubjectPublicKeyInfo structure that is a part
+ of the CGA Parameters data structure), the concatenation created
+ above, and the signature.
+
+ The verifier MUST accept the signature as authentic only if both the
+ CGA verification and the signature verification succeed.
+
+
+
+
+
+
+Aura Standards Track [Page 11]
+
+RFC 3972 Cryptographically Generated Addresses March 2005
+
+
+7. Security Considerations
+
+7.1. Security Goals and Limitations
+
+ The purpose of CGAs is to prevent stealing and spoofing of existing
+ IPv6 addresses. The public key of the address owner is bound
+ cryptographically to the address. The address owner can use the
+ corresponding private key to assert its ownership and to sign SEND
+ messages sent from the address.
+
+ It is important to understand that an attacker can create a new
+ address from an arbitrary subnet prefix and its own (or someone
+ else's) public key because CGAs are not certified. However, the
+ attacker cannot impersonate somebody else's address. This is because
+ the attacker would have to find a collision of the cryptographic hash
+ value Hash1. (The property of the hash function needed here is
+ called second pre-image resistance [MOV97].)
+
+ For each valid CGA Parameters data structure, there are 4*(Sec+1)
+ different CGAs that match the value. This is because decrementing
+ the Sec value in the three leftmost bits of the interface identifier
+ does not invalidate the address, and the verifier ignores the values
+ of the "u" and "g" bits. In SEND, this does not have any security or
+ implementation implications.
+
+ Another limitation of CGAs is that there is no mechanism for proving
+ that an address is not a CGA. Thus, an attacker could take someone
+ else's CGA and present it as a non-cryptographically generated
+ address (e.g., as an RFC 3041 address [RFC3041]). An attacker does
+ not benefit from this because although SEND nodes accept both signed
+ and unsigned messages from every address, they give priority to the
+ information in the signed messages.
+
+ The minimum RSA key length required for SEND is only 384 bits. So
+ short keys are vulnerable to integer-factoring attacks and cannot be
+ used for strong authentication or secrecy. On the other hand, the
+ cost of factoring 384-bit keys is currently high enough to prevent
+ most denial-of-service attacks. Implementations that initially use
+ short RSA keys SHOULD be prepared to switch to longer keys when
+ denial-of-service attacks arising from integer factoring become a
+ problem.
+
+ The impact of a key compromise on CGAs depends on the application for
+ which they are used. In SEND, it is not a major concern. If the
+ private signature key is compromised because the SEND node has itself
+ been compromised, the attacker does not need to spoof SEND messages
+ from the node. When it is discovered that a node has been
+ compromised, a new signature key and a new CGA SHOULD be generated.
+
+
+
+Aura Standards Track [Page 12]
+
+RFC 3972 Cryptographically Generated Addresses March 2005
+
+
+ On the other hand, if the RSA key is compromised because integer-
+ factoring attacks for the chosen key length have become practical,
+ the key has to be replaced with a longer one, as explained above. In
+ either case, the address change effectively revokes the old public
+ key. It is not necessary to have any additional key revocation
+ mechanism or to limit the lifetimes of the signature keys.
+
+7.2. Hash Extension
+
+ As computers become faster, the 64 bits of the interface identifier
+ will not be sufficient to prevent attackers from searching for hash
+ collisions. It helps somewhat that we include the subnet prefix of
+ the address in the hash input. This prevents the attacker from using
+ a single pre-computed database to attack addresses with different
+ subnet prefixes. The attacker needs to create a separate database
+ for each subnet prefix. Link-local addresses are, however, left
+ vulnerable because the same prefix is used by all IPv6 nodes.
+
+ To prevent the CGA technology from becoming outdated as computers
+ become faster, the hash technique used to generate CGAs must be
+ extended somehow. The chosen extension technique is to increase the
+ cost of both address generation and brute-force attacks by the same
+ parameterized factor while keeping the cost of address use and
+ verification constant. This also provides protection for link-local
+ addresses. Introduction of the hash extension is the main difference
+ between this document and earlier CGA proposals [OR01][Nik01][MC02].
+
+ To achieve the effective extension of the hash length, the input to
+ the second hash function, Hash2, is modified (by changing the
+ modifier value) until the leftmost 16*Sec bits of the hash value are
+ zero. This increases the cost of address generation approximately by
+ a factor of 2^(16*Sec). It also increases the cost of brute-force
+ attacks by the same factor. That is, the cost of creating a CGA
+ Parameters data structure that binds the attacker's public key with
+ somebody else's address is increased from O(2^59) to
+ O(2^(59+16*Sec)). The address generator may choose the security
+ parameter Sec depending on its own computational capacity, the
+ perceived risk of attacks, and the expected lifetime of the address.
+ Currently, Sec values between 0 and 2 are sufficient for most IPv6
+ nodes. As computers become faster, higher Sec values will slowly
+ become useful.
+
+ Theoretically, if no hash extension is used (i.e., Sec=0) and a
+ typical attacker is able to tap into N local networks at the same
+ time, an attack against link-local addresses is N times as efficient
+ as an attack against addresses of a specific network. The effect
+ could be countered by using a slightly higher Sec value for link-
+
+
+
+
+Aura Standards Track [Page 13]
+
+RFC 3972 Cryptographically Generated Addresses March 2005
+
+
+ local addresses. When higher Sec values (such that 2^(16*Sec) > N)
+ are used for all addresses, the relative advantage of attacking
+ link-local addresses becomes insignificant.
+
+ The effectiveness of the hash extension depends on the assumption
+ that the computational capacities of the attacker and the address
+ generator will grow at the same (potentially exponential) rate. This
+ is not necessarily true if the addresses are generated on low-end
+ mobile devices, for which the main design goals are to lower cost and
+ decrease size, rather than increase computing power. But there is no
+ reason for doing so. The expensive part of the address generation
+ (steps 1 - 3 of the generation algorithm) may be delegated to a more
+ powerful computer. Moreover, this work can be done in advance or
+ offline, rather than in real time, when a new address is needed.
+
+ To make it possible for mobile nodes whose subnet prefixes change
+ frequently to use Sec values greater than zero, we have decided not
+ to include the subnet prefix in the input of Hash2. The result is
+ weaker than it would be if the subnet prefix were included in the
+ input of both hashes. On the other hand, our scheme is at least as
+ strong as using the hash extension technique without including the
+ subnet prefix in either hash. It is also at least as strong as not
+ using the hash extension but including the subnet prefix. This
+ trade-off was made because mobile nodes frequently move to insecure
+ networks, where they are at the risk of denial-of-service (DoS)
+ attacks (for example, during the duplicate address detection
+ procedure).
+
+ In most networks, the goal of Secure Neighbor Discovery and CGA
+ signatures is to prevent denial-of-service attacks. Therefore, it is
+ usually sensible to start by using a low Sec value and to replace
+ addresses with stronger ones only when denial-of-service attacks
+ based on brute-force search become a significant problem. If CGAs
+ were used as a part of a strong authentication or secrecy mechanism,
+ it might be necessary to start with higher Sec values.
+
+ The collision count value is used to modify the input to Hash1 if
+ there is an address collision. It is important not to allow
+ collision count values higher than 2. First, it is extremely
+ unlikely that three collisions would occur and the reason is certain
+ to be either a configuration or implementation error or a denial-of-
+ service attack. (When the SEND protocol is used, deliberate
+ collisions caused by a DoS attacker are detected and ignored.)
+ Second, an attacker doing a brute-force search to match a given CGA
+ can try all different values of a collision count without repeating
+ the brute-force search for the modifier value. Thus, if higher
+ values are allowed for the collision count, the hash extension
+ technique becomes less effective in preventing brute force attacks.
+
+
+
+Aura Standards Track [Page 14]
+
+RFC 3972 Cryptographically Generated Addresses March 2005
+
+
+7.3. Privacy Considerations
+
+ CGAs can give the same level of pseudonymity as the IPv6 address
+ privacy extensions defined in RFC 3041 [RFC3041]. An IP host can
+ generate multiple pseudo-random CGAs by executing the CGA generation
+ algorithm of Section 4 multiple times and by using a different random
+ or pseudo-random initial value for the modifier every time. The host
+ should change its address periodically as in [RFC3041]. When privacy
+ protection is needed, the (pseudo)random number generator used in
+ address generation SHOULD be strong enough to produce unpredictable
+ and unlinkable values. Advice on random number generation can be
+ found in [RFC1750].
+
+ There are two apparent limitations to this privacy protection.
+ However, as will be explained below, neither is very serious.
+
+ First, the high cost of address generation may prevent hosts that use
+ a high Sec value from changing their address frequently. This
+ problem is mitigated because the expensive part of the address
+ generation may be done in advance or offline, as explained in the
+ previous section. It should also be noted that the nodes that
+ benefit most from high Sec values (e.g., DNS servers, routers, and
+ data servers) usually do not require pseudonymity, and the nodes that
+ have high privacy requirements (e.g., client PCs and mobile hosts)
+ are unlikely targets for expensive brute-force DoS attacks and can
+ make do with lower Sec values.
+
+ Second, the public key of the address owner is revealed in the signed
+ SEND messages. This means that if the address owner wants to be
+ pseudonymous toward the nodes in the local links that it accesses, it
+ should generate not only a new address but also a new public key.
+ With typical local-link technologies, however, a node's link-layer
+ address is a unique identifier for the node. As long as the node
+ keeps using the same link-layer address, it makes little sense to
+ change the public key for privacy reasons.
+
+7.4. Related Protocols
+
+ Although this document defines CGAs only for the purposes of Secure
+ Neighbor Discovery, other protocols could be defined elsewhere that
+ use the same addresses and public keys. This raises the possibility
+ of related-protocol attacks in which a signed message from one
+ protocol is replayed in another protocol. This means that other
+ protocols (perhaps even those designed without an intimate knowledge
+ of SEND) could endanger the security of SEND. What makes this threat
+ even more significant is that the attacker could create a CGA from
+ someone else's public key and then replay signed messages from a
+ protocol that has nothing to do with CGAs or IP addresses.
+
+
+
+Aura Standards Track [Page 15]
+
+RFC 3972 Cryptographically Generated Addresses March 2005
+
+
+ To prevent the related-protocol attacks, a type tag is prepended to
+ every message before it is signed. The type tags are 128-bit
+ randomly chosen values, which prevents accidental type collisions
+ with even poorly designed protocols that do not use any type tags.
+ Moreover, the SEND protocol includes the sender's CGA address in all
+ signed messages. This makes it even more difficult for an attacker
+ to take signed messages from some other context and to replay them as
+ SEND messages.
+
+ Finally, a strong cautionary note has to be made about using CGA
+ signatures for purposes other than SEND. First, the other protocols
+ MUST include a type tag and the sender address in all signed messages
+ in the same way that SEND does. Each protocol MUST define its own
+ type tag values as explained in Section 8. Moreover, because of the
+ possibility of related-protocol attacks, the public key MUST be used
+ only for signing, and it MUST NOT be used for encryption. Second,
+ the minimum RSA key length of 384 bits may be too short for many
+ applications and the impact of key compromise on the particular
+ protocol must be evaluated. Third, CGA-based authorization is
+ particularly suitable for securing neighbor discovery [RFC2461] and
+ duplicate address detection [RFC2462] because these are network-layer
+ signaling protocols for which IPv6 addresses are natural endpoint
+ identifiers. In any protocol that uses other identifiers, such as
+ DNS names, CGA signatures alone are not a sufficient security
+ mechanism. There must also be a secure way of mapping the other
+ identifiers to IPv6 addresses. If the goal is not to verify claims
+ about IPv6 addresses, CGA signatures are probably not the right
+ solution.
+
+8. IANA Considerations
+
+ This document defines a new CGA Message Type name space for use as
+ type tags in messages that may be signed by using CGA signatures.
+ The values in this name space are 128-bit unsigned integers. Values
+ in this name space are allocated on a First Come First Served basis
+ [RFC2434]. IANA assigns new 128-bit values directly without a
+ review.
+
+ The requester SHOULD generate the new values with a strong random-
+ number generator. Continuous ranges of at most 256 values can be
+ requested provided that the 120 most significant bits of the values
+ have been generated with a strong random-number generator.
+
+ IANA does not generate random values for the requester. IANA
+ allocates requested values without verifying the way in which they
+ have been generated. The name space is essentially unlimited, and
+ any number of individual values and ranges of at most 256 values can
+ be allocated.
+
+
+
+Aura Standards Track [Page 16]
+
+RFC 3972 Cryptographically Generated Addresses March 2005
+
+
+ CGA Message Type values for private use MAY be generated with a
+ strong random-number generator without IANA allocation.
+
+ This document does not define any new values in any name space.
+
+9. References
+
+9.1. Normative References
+
+ [RFC3971] Arkko, J., Ed., Kempf, J., Sommerfeld, B., Zill,
+ B., and P. Nikander, "SEcure Neighbor Discovery
+ (SEND)", RFC 3971, March 2005.
+
+ [RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms
+ and Identifiers for the Internet X.509 Public Key
+ Infrastructure Certificate and Certificate
+ Revocation List (CRL) Profile", RFC 3279, April
+ 2002.
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC3513] Hinden, R. and S. Deering, "Internet Protocol
+ Version 6 (IPv6) Addressing Architecture", RFC
+ 3513, April 2003.
+
+ [RFC3280] Housley, R., Polk, W., Ford, W., and D. Solo,
+ "Internet X.509 Public Key Infrastructure
+ Certificate and Certificate Revocation List (CRL)
+ Profile", RFC 3280, April 2002.
+
+ [ITU.X690.2002] International Telecommunications Union,
+ "Information Technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER)", ITU-T Recommendation X.690,
+ July 2002.
+
+ [RFC3447] Jonsson, J. and B. Kaliski, "Public-Key
+ Cryptography Standards (PKCS) #1: RSA Cryptography
+ Specifications Version 2.1", RFC 3447, February
+ 2003.
+
+ [RFC2434] Narten, T. and H. Alvestrand, "Guidelines for
+ Writing an IANA Considerations Section in RFCs",
+ BCP 26, RFC 2434, October 1998.
+
+
+
+
+
+Aura Standards Track [Page 17]
+
+RFC 3972 Cryptographically Generated Addresses March 2005
+
+
+ [FIPS.180-1.1995] National Institute of Standards and Technology,
+ "Secure Hash Standard", Federal Information
+ Processing Standards Publication FIPS PUB 180-1,
+ April 1995,
+ <http://www.itl.nist.gov/fipspubs/fip180-1.htm>.
+
+9.2. Informative References
+
+ [AAKMNR02] Arkko, J., Aura, T., Kempf, J., Mantyla, V.,
+ Nikander, P., and M. Roe, "Securing IPv6 neighbor
+ discovery and router discovery", ACM Workshop on
+ Wireless Security (WiSe 2002), Atlanta, GA USA ,
+ September 2002.
+
+ [Aura03] Aura, T., "Cryptographically Generated Addresses
+ (CGA)", 6th Information Security Conference
+ (ISC'03), Bristol, UK, October 2003.
+
+ [RFC1750] Eastlake, D., Crocker, S., and J. Schiller,
+ "Randomness Recommendations for Security", RFC
+ 1750, December 1994.
+
+ [MOV97] Menezes, A., van Oorschot, P., and S. Vanstone,
+ "Handbook of Applied Cryptography", CRC Press ,
+ 1997.
+
+ [MC02] Montenegro, G. and C. Castelluccia, "Statistically
+ unique and cryptographically verifiable identifiers
+ and addresses", ISOC Symposium on Network and
+ Distributed System Security (NDSS 2002), San Diego,
+ CA USA , February 2002.
+
+ [RFC3041] Narten, T. and R. Draves, "Privacy Extensions for
+ Stateless Address Autoconfiguration in IPv6", RFC
+ 3041, January 2001.
+
+ [RFC2461] Narten, T., Nordmark, E., and W. Simpson, "Neighbor
+ Discovery for IP Version 6 (IPv6)", RFC 2461,
+ December 1998.
+
+ [Nik01] Nikander, P., "A scaleable architecture for IPv6
+ address ownership", draft-nikander-addr-ownership-
+ 00 (work in progress), March 2001.
+
+ [OR01] O'Shea, G. and M. Roe, "Child-proof authentication
+ for MIPv6 (CAM)", ACM Computer Communications
+ Review 31(2), April 2001.
+
+
+
+
+Aura Standards Track [Page 18]
+
+RFC 3972 Cryptographically Generated Addresses March 2005
+
+
+ [RFC2462] Thomson, S. and T. Narten, "IPv6 Stateless Address
+ Autoconfiguration", RFC 2462, December 1998.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Aura Standards Track [Page 19]
+
+RFC 3972 Cryptographically Generated Addresses March 2005
+
+
+Appendix A. Example of CGA Generation
+
+ We generate a CGA with Sec=1 from the subnet prefix fe80:: and the
+ following public key:
+
+ 305c 300d 0609 2a86 4886 f70d 0101 0105 0003 4b00 3048 0241
+ 00c2 c2f1 3730 5454 f10b d9ce a368 44b5 30e9 211a 4b26 2b16
+ 467c b7df ba1f 595c 0194 f275 be5a 4d38 6f2c 3c23 8250 8773
+ c786 7f9b 3b9e 63a0 9c7b c48f 7a54 ebef af02 0301 0001
+
+ The modifier is initialized to a random value 89a8 a8b2 e858 d8b8
+ f263 3f44 d2d4 ce9a. The input to Hash2 is:
+
+ 89a8 a8b2 e858 d8b8 f263 3f44 d2d4 ce9a 0000 0000 0000 0000 00
+ 305c 300d 0609 2a86 4886 f70d 0101 0105 0003 4b00 3048 0241
+ 00c2 c2f1 3730 5454 f10b d9ce a368 44b5 30e9 211a 4b26 2b16
+ 467c b7df ba1f 595c 0194 f275 be5a 4d38 6f2c 3c23 8250 8773
+ c786 7f9b 3b9e 63a0 9c7b c48f 7a54 ebef af02 0301 0001
+
+ The 112 first bits of the SHA-1 hash value computed from the above
+ input are Hash2=436b 9a70 dbfd dbf1 926e 6e66 29c0. This does not
+ begin with 16*Sec=16 zero bits. Thus, we must increment the modifier
+ by one and recompute the hash. The new input to Hash2 is:
+
+ 89a8 a8b2 e858 d8b8 f263 3f44 d2d4 ce9b 0000 0000 0000 0000 00
+ 305c 300d 0609 2a86 4886 f70d 0101 0105 0003 4b00 3048 0241
+ 00c2 c2f1 3730 5454 f10b d9ce a368 44b5 30e9 211a 4b26 2b16
+ 467c b7df ba1f 595c 0194 f275 be5a 4d38 6f2c 3c23 8250 8773
+ c786 7f9b 3b9e 63a0 9c7b c48f 7a54 ebef af02 0301 0001
+
+ The new hash value is Hash2=0000 01ca 680b 8388 8d09 12df fcce. The
+ 16 leftmost bits of Hash2 are all zero. Thus, we found a suitable
+ modifier. (We were very lucky to find it so soon.)
+
+ The input to Hash1 is:
+
+ 89a8 a8b2 e858 d8b8 f263 3f44 d2d4 ce9b fe80 0000 0000 0000 00
+ 305c 300d 0609 2a86 4886 f70d 0101 0105 0003 4b00 3048 0241
+ 00c2 c2f1 3730 5454 f10b d9ce a368 44b5 30e9 211a 4b26 2b16
+ 467c b7df ba1f 595c 0194 f275 be5a 4d38 6f2c 3c23 8250 8773
+ c786 7f9b 3b9e 63a0 9c7b c48f 7a54 ebef af02 0301 0001
+
+ The 64 first bits of the SHA-1 hash value of the above input are
+ Hash1=fd4a 5bf6 ffb4 ca6c. We form an interface identifier from this
+ by writing Sec=1 into the three leftmost bits and by setting bits 6
+ and 7 (the "u" and "g" bits) to zero. The new interface identifier
+ is 3c4a:5bf6:ffb4:ca6c.
+
+
+
+
+Aura Standards Track [Page 20]
+
+RFC 3972 Cryptographically Generated Addresses March 2005
+
+
+ Finally, we form the IPv6 address fe80::3c4a:5bf6:ffb4:ca6c. This is
+ the new CGA. No address collisions were detected this time.
+ (Collisions are very rare.) The CGA Parameters data structure
+ associated with the address is the same as the input to Hash1 above.
+
+Appendix B. Acknowledgements
+
+ The author gratefully acknowledges the contributions of Jari Arkko,
+ Francis Dupont, Pasi Eronen, Christian Huitema, James Kempf, Pekka
+ Nikander, Michael Roe, Dave Thaler, and other participants of the
+ SEND working group.
+
+Author's Address
+
+ Tuomas Aura
+ Microsoft Research
+ Roger Needham Building
+ 7 JJ Thomson Avenue
+ Cambridge CB3 0FB
+ United Kingdom
+
+ Phone: +44 1223 479708
+ EMail: tuomaura@microsoft.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Aura Standards Track [Page 21]
+
+RFC 3972 Cryptographically Generated Addresses March 2005
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2005).
+
+ This document is subject to the rights, licenses and restrictions
+ contained in BCP 78, and except as set forth therein, the authors
+ retain all their rights.
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at ietf-
+ ipr@ietf.org.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+Aura Standards Track [Page 22]
+