Sep 26, 2012

CGA stands for Cryptographically Generated Address. This method of address generation is intended to eliminate address spoofing.

RFC 3972 states:
The basic idea is to generate the interface identifier of the IPv6 address by computing a cryptographic hash of the public key. The resulting IPv6 address is called a cryptographically generated address (CGA). The corresponding private key can then be used to sign messages sent from the address.

Let us configure the routers to generate a cryptographically generated address.

  •  An RSA key pair must be generated, as SeND uses public/private key pairs.
  •  This RSA key is then used to generate the CGA modifier.
  •  Finally, the interface is told to use CGA.

R1(config)#crypto key generate rsa modulus 1024 label SEND
The name for the keys will be: SEND

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

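To show what the router is actually computing when it derives the CGA modifier and interface identifier, here is an added Python example of the RFC 3972 construction and verification, written for this page and not taken from the post or from Cisco IOS. It uses only the standard library; the public key is a constructed placeholder byte string standing in for the DER-encoded RSA key, and 123::/64 is simply an example prefix.

```python
"""RFC 3972 CGA: hash a public key (with modifier, subnet prefix and
collision count) into a 64-bit interface identifier, then verify an
address against its CGA Parameters. Added illustration, not IOS code."""
import hashlib
import ipaddress
import os
from typing import Optional

# Constructed stand-in for the DER-encoded RSA SubjectPublicKeyInfo that
# SeND would carry. Any byte string exercises the construction.
CONSTRUCTED_PUBLIC_KEY = b"CONSTRUCTED-RSA-PUBLIC-KEY-PLACEHOLDER"

SEC_MASK = 0b111 << 61      # IID bits 0-2 (leftmost) carry the Sec parameter
UG_MASK = 0b11 << 56        # IID bits 6-7 are the u and g bits, forced to zero
COMPARE_MASK = ((1 << 64) - 1) & ~(SEC_MASK | UG_MASK)


def _hash1(params: bytes) -> int:
    """Hash1: leftmost 64 bits of SHA-1 over the complete CGA Parameters."""
    return int.from_bytes(hashlib.sha1(params).digest()[:8], "big")


def _hash2_has_zero_prefix(modifier: bytes, key_and_ext: bytes, sec: int) -> bool:
    """Hash2: SHA-1 over modifier || 9 zero octets || public key || extensions.
    Its leftmost 16*Sec bits must be zero (the hash-extension work factor)."""
    digest = hashlib.sha1(modifier + bytes(9) + key_and_ext).digest()[:14]
    h2 = int.from_bytes(digest, "big")          # 112 bits
    return h2 >> (112 - 16 * sec) == 0


def generate_cga(prefix: str, public_key: bytes, sec: int = 0,
                 modifier: Optional[bytes] = None, extensions: bytes = b""):
    """Return (IPv6Address, CGA Parameters) for a /64 prefix and a public key."""
    if not 0 <= sec <= 7:
        raise ValueError("Sec is a 3-bit value")
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("CGA requires a 64-bit subnet prefix")
    subnet_prefix = net.network_address.packed[:8]
    key_and_ext = public_key + extensions

    # Steps 1-3: start from a modifier (random in practice) and increment it
    # until Hash2 has the required leading zero bits. Sec=0 accepts the first
    # candidate; every additional Sec level costs about 2^16 times more work.
    m = int.from_bytes(os.urandom(16) if modifier is None else modifier, "big")
    while not _hash2_has_zero_prefix(m.to_bytes(16, "big"), key_and_ext, sec):
        m = (m + 1) % (1 << 128)

    # Steps 4-7: collision count starts at 0 (DAD would increment it on a clash).
    params = m.to_bytes(16, "big") + subnet_prefix + bytes([0]) + key_and_ext
    iid = (_hash1(params) & COMPARE_MASK) | (sec << 61)
    addr = ipaddress.IPv6Address((int.from_bytes(subnet_prefix, "big") << 64) | iid)
    return addr, params


def verify_cga(address, params: bytes) -> bool:
    """RFC 3972 section 5 checks: collision count, prefix, Hash1, Hash2."""
    addr = ipaddress.IPv6Address(address)
    if len(params) < 25 or params[24] > 2:       # collision count must be 0..2
        return False
    if params[16:24] != addr.packed[:8]:         # subnet prefix must match
        return False
    iid = int.from_bytes(addr.packed[8:], "big")
    if (_hash1(params) & COMPARE_MASK) != (iid & COMPARE_MASK):
        return False                             # key/modifier do not hash to this IID
    sec = iid >> 61                              # Sec is read from the address itself
    return _hash2_has_zero_prefix(params[:16], params[25:], sec)


if __name__ == "__main__":
    address, parameters = generate_cga("123::/64", CONSTRUCTED_PUBLIC_KEY)
    print(address, verify_cga(address, parameters))
```

The verifier needs only the address and the CGA Parameters, never the private key; the private key comes into play separately, when the owner signs Neighbor Discovery messages sent from the address. Flipping a single bit of the public key in the parameters makes Hash1 disagree with the interface identifier, which is why a forged address cannot be bound to someone else's key.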

Aug 30, 2012

When a packet travels down the OSI stack and reaches the network layer, the destination host's MAC address must be resolved for the encapsulation process. In IPv4 this was traditionally done with ARP, which uses broadcast packets. Because IPv6 has no broadcasts, this must be done with multicasts. IPv6 also has no separate protocol for this; it is built into the IPv6 stack itself, and the Layer 3 to Layer 2 resolution is done with ICMPv6 Neighbor Discovery.

Each host with an IPv6 address configured listens to a particular multicast group, so several hosts may listen to the same group. The neighbor discovery request itself carries the L3 address to be resolved, and only the host configured with the address in question answers the request.

The neighbor discovery request is an ICMPv6 packet with type 135, called a Neighbor Solicitation; it is the equivalent of an ARP request. The host that has the address configured answers with an ICMPv6 packet of type 136, called a Neighbor Advertisement; it is the equivalent of an ARP reply.

When an interface is assigned an IPv6 address, it joins the multicast group FF02:0:0:0:0:1:FFXX:XXXX, where XX:XXXX is the last 24 bits of the IPv6 address assigned to the interface. For example, when R1 has the IPv6 address 123::1/64 assigned, it joins the multicast group FF02::1:FF00:1.

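To make the group arithmetic concrete, here is an added Python example, written for this page and not part of the original post, that derives the solicited-node group for a unicast address, shows several hosts landing in the same group, and picks out the single host entitled to answer a Neighbor Solicitation. The host table is constructed; the 33:33 Ethernet mapping is the RFC 2464 rule for IPv6 multicast and goes one step beyond what the post describes.

```python
"""Solicited-node multicast derivation for IPv6 Neighbor Discovery.
Added illustration; the host table below is constructed."""
import ipaddress

# FF02::1:FF00:0/104 - the low 24 bits are filled in from the unicast address.
SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))

# Constructed hosts. R1's two addresses share a group; R3 and PC collide too.
CONSTRUCTED_HOSTS = {
    "R1": ["123::1", "fe80::1"],
    "R2": ["123::2"],
    "R3": ["123::abcd:1234"],
    "PC": ["2001:db8::99:abcd:1234"],
}


def solicited_node_group(address: str) -> ipaddress.IPv6Address:
    """FF02::1:FFXX:XXXX, where XX:XXXX is the low-order 24 bits of the address."""
    low24 = int(ipaddress.IPv6Address(address)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24)


def multicast_mac(group: ipaddress.IPv6Address) -> str:
    """Ethernet destination for an IPv6 multicast: 33:33 + low 32 bits (RFC 2464)."""
    low32 = int(group) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{(low32 >> s) & 0xFF:02x}" for s in (24, 16, 8, 0))


def group_listeners(hosts: dict) -> dict:
    """Map each solicited-node group to the hosts that joined it (each host once)."""
    groups: dict = {}
    for host, addrs in hosts.items():
        for a in addrs:
            members = groups.setdefault(str(solicited_node_group(a)), [])
            if host not in members:
                members.append(host)
    return groups


def ns_responders(target: str, hosts: dict):
    """Return (hosts that receive the NS, hosts allowed to send the NA).

    A Neighbor Solicitation for `target` is delivered to every member of the
    target's solicited-node group; only a host actually configured with the
    target address answers with a Neighbor Advertisement."""
    group = solicited_node_group(target)
    wanted = ipaddress.IPv6Address(target)
    delivered = [h for h, addrs in hosts.items()
                 if any(solicited_node_group(a) == group for a in addrs)]
    answering = [h for h in delivered
                 if any(ipaddress.IPv6Address(a) == wanted for a in hosts[h])]
    return delivered, answering


if __name__ == "__main__":
    g = solicited_node_group("123::1")
    print(g, multicast_mac(g))
    print(group_listeners(CONSTRUCTED_HOSTS))
    print(ns_responders("123::abcd:1234", CONSTRUCTED_HOSTS))
```

Because only the low 24 bits of the unicast address select the group, unrelated hosts (here R3 and PC) do receive each other's solicitations, so the receiver must still compare the target address in the packet with its own configured addresses before replying.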