Re: [CGA-EXT] Call for comments on draft-rafiee-6man-ssas-00.txt

"Al-Sadeh, Ahmad" <> Sun, 06 January 2013 20:09 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id CCB4E21F859C; Sun, 6 Jan 2013 12:09:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.249
X-Spam-Status: No, score=-2.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id vmdslolbzLEW; Sun, 6 Jan 2013 12:09:29 -0800 (PST)
Received: from ( [IPv6:2001:638:807:204::8d59:e17a]) by (Postfix) with ESMTP id EBE5B21F859B; Sun, 6 Jan 2013 12:09:28 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 0EA5CD2C8E; Sun, 6 Jan 2013 21:09:26 +0100 (CET)
Received: from ([fe80::88e9:3d98:b35f:83bf]) by ([2002:8d59:e1a2::8d59:e1a2]) with mapi; Sun, 6 Jan 2013 21:09:25 +0100
From: "Al-Sadeh, Ahmad" <>
To: Hosnieh Rafiee <>, "" <>
Content-Class: urn:content-classes:message
Date: Sun, 6 Jan 2013 21:09:53 +0100
Thread-Topic: [CGA-EXT] Call for comments on draft-rafiee-6man-ssas-00.txt
Thread-Index: AQI7ECCw5lZJtuTcH4KW/U5riPTnyZdfT5EQgAMhrjeAAAIU+A==
Message-ID: <BB4E1F8A-2971-4648-82E4-3A34DBE777A5@mimectl>
References: <000001cdea08$1a37e0c0$4ea7a240$>, <000d01cdeab7$f627a340$e276e9c0$>
In-Reply-To: <000d01cdeab7$f627a340$e276e9c0$>
Accept-Language: en-GB
Content-Language: en-GB
acceptlanguage: en-GB
x-mimectl: Produced By Microsoft Exchange V8.3.105.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "" <>
Subject: Re: [CGA-EXT] Call for comments on draft-rafiee-6man-ssas-00.txt
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: CGA and SeND Extensions <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 06 Jan 2013 20:09:29 -0000

I have read your draft. And I have the following comments.
SEND already offers what you are looking for. It has the Timestamp and the Signature options which are attached to the DNP messages. So, the new benefits of your approach are not clear to me.
I agree with the claim that CGA is compute intensive, but one can use Sec=0 or 1. In this case the computation of the CGA (SEND) would be equivalent to the complexity of your approach.  Therefore the enhancements that are proposed to protect the user privacy by setting a lifetime for the generated address (e.g. 2 days) or generating the key pairs by CGA code can be directly applied to the CGA and SEND implementation without significant change to proposed standard.
In Section 5, “… it provides proof of address ownership at a speed that is about 600 times faster than that of the CGA algorithm.”
For which Sec value this comparison was done?
Ahmad AlSadeh

From: [] On Behalf Of Hosnieh Rafiee []
Sent: 04 January 2013 21:13
Subject: [CGA-EXT] Call for comments on draft-rafiee-6man-ssas-00.txt

Dear All,

This draft addresses the following problem:
Unfortunately the existing drafts do not consider the integration of
security and privacy  for the generation of the Interface ID (IID). This
draft tries to offer a solution to this problem while at the same time
considering the generation and verification times and complexity of the
existing algorithms. Please take a look. Comments are greatly appreciated.
Thank you,

Filename:        draft-rafiee-6man-ssas
Revision:        00
Title:           A Simple Secure Addressing Generation Scheme for IPv6
AutoConfiguration (SSAS)
Creation date:   2013-01-02
WG ID:           Individual Submission
Number of pages: 13

   The default method for IPv6 address generation uses two unique
   manufacturer IDs that are assigned by the IEEE Standards Association
   [1] (section 2.5.1 RFC-4291) [RFC4291]. This means that a node will
   always have the same Interface ID (IID) whenever it connects to a new
   network. Because the node's IP address does not change, the node is
   vulnerable to privacy related attacks. To address this issue, there
   are currently two mechanisms in use to randomize the IID,
   Cryptographically Generated Addresses (CGA) [RFC3972] and Privacy
   Extension [RFC4941]. The problem with the former approach is the
   computational cost involved for the IID generation. The problem with
   the latter approach is that it lacks security. This document offers a
   new algorithm for use in the generation of the IID while, at the same
   time, securing the node against some types of attack, such as IP
   spoofing. These attacks are prevented with the addition of a
   signature to the Neighbor Discovery messages (NDP).

IETF IPv6 working group mailing list
Administrative Requests:

CGA-EXT mailing list