Sep 26, 2012

CGA stands for cryptographically generated address. The idea behind this method of address generation is that address spoofing can be eliminated, because a node has to prove possession of the key pair its address was derived from.

RFC 3972 states:
The basic idea is to generate the interface identifier of the IPv6 address by computing a cryptographic hash of the public key. The resulting IPv6 address is called a cryptographically generated address (CGA). The corresponding private key can then be used to sign messages sent from the address.

Let us configure the routers to generate cryptographically generated addresses.

  •  An RSA key pair must be generated, as SeND uses public/private key pairs.
  •  This RSA key pair is then used to generate the CGA modifier.
  •  Finally, the interface is told to use CGA.

R1(config)#crypto key generate rsa modulus 1024 label SEND
The name for the keys will be: SEND

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

An RSA key pair with a strength of 1024 bits is generated under the label SEND. Now we can use this key pair to generate a CGA modifier:
R1(config)#ipv6 cga modifier rsakeypair SEND sec-level 1

R1(config)#do sh ipv6 cga modifier-db
824A:2FA7:DAC6:2750:8DFA:C906:8E53:A918
        label:          SEND
        sec level:      1
        Addresses:

The CGA modifier is generated. Now we go to the interface and tell it to use CGA, specifying for which addresses CGA must be used. We are going to auto-generate both the link-local and the global address using CGA.

R1(config)#interface f0/0
R1(config-if)#ipv6 cga rsakeypair SEND
R1(config-if)#ipv6 address feaa:: link-local cga
R1(config-if)#ipv6 address 12::/64 cga

R1#sh ipv6 cga address-db
12::/64 ::30A7:8466:F438:A054 - table 0x0
        interface:      FastEthernet0/0 (4)
        modifier:       SEND
        collisions:     0
FEAA::/64 ::34F0:851B:396E:E077 - table 0x12000004
        interface:      FastEthernet0/0 (4)
        modifier:       SEND
        collisions:     0

The same configuration is also applied on R2.

crypto key generate rsa modulus 1024 label SEND
ipv6 cga modifier rsakeypair SEND sec-level 1
interface FastEthernet0/0
 no shutdown
 ipv6 cga rsakeypair SEND
 ipv6 address FE80:: link-local cga
 ipv6 address 12::/64 cga

end

Now both routers can use Secure Neighbor Discovery to resolve each other's Layer 2 address. The attached Wireshark capture shows the process in action.

Download Wireshark Capture