Re: [v6ops] [EXTERNAL] Re: Improving ND security

Vasilenko Eduard <> Wed, 05 August 2020 13:27 UTC

From: Vasilenko Eduard <>
To: "Pascal Thubert (pthubert)" <>, Fernando Gont <>
CC: 6man <>, v6ops list <>
Thread-Topic: [v6ops] [EXTERNAL] Re: Improving ND security
Date: Wed, 5 Aug 2020 13:27:21 +0000

Hi Pascal,
It is exactly the problem. You continue to talk about some proprietary (and low security) algorithm that is invented inside CGA.
I do not believe that it is possible to prove any level of security for it (even if 3 bits would push for huge computation resources).
Hence, you claim a low level of security for SeND in general.

But in reality, the level of SeND security is very high, because it is based on an additional crypto algorithm (RSA) that is good enough even for very demanding applications now.

Just forget about CGA – it is not the source of SeND security guarantees.

By the way, it is exactly what you did in your draft.

From: Pascal Thubert (pthubert) []
Sent: 5 August 2020 14:49
To: Vasilenko Eduard <>; Fernando Gont <>
Cc: 6man <>; v6ops list <>
Subject: RE: [v6ops] [EXTERNAL] Re: Improving ND security

> I believe that you are a little misleading audience on SeND.

How so, Eduard? I could not find an answer in your mail below and that was certainly not an intention.

The reduced security is due to the size of the CGA that has to fit in 64 bits. It is thus sensitive to brute force attack. The defense in RFC 3972 is the use of the Sec parameter that makes the generation of the CGA compute intensive. The problem with that is that small devices cannot generate high Sec CGAs so they become second class devices with no privacy.


   For Sec values greater than zero, the above algorithm is not
   guaranteed to terminate after a certain number of iterations.  The
   brute-force search in steps 2 - 3 takes O(2^(16*Sec)) iterations to
   complete.  The algorithm has been intentionally designed so that the
   generation of CGAs with high Sec values is infeasible with current

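As an added illustration of the Sec proof-of-work that Pascal and the RFC 3972 excerpt above describe (example code written for this thread, not code from the thread or from RFC 3972's own implementation), the following Python generates a CGA per RFC 3972 section 4 and verifies it per section 5. The public key bytes and the 2001:db8 prefix are constructed placeholders, and Extension Fields are omitted; the find_modifier loop is where the O(2^(16*Sec)) cost lives.

```python
import hashlib
import os

# Constructed placeholder for the DER-encoded public key that RFC 3972 hashes;
# a real CGA uses the node's actual RSA SubjectPublicKeyInfo bytes.
PUBKEY = b"constructed-public-key-placeholder-" + bytes(range(64))
PREFIX = bytes.fromhex("20010db800000001")  # 2001:db8:0:1::/64 documentation prefix

def hash2(modifier: bytes, pubkey: bytes) -> bytes:
    """RFC 3972 sec. 4 step 2: SHA-1(modifier || 9 zero octets || pubkey), leftmost 112 bits."""
    return hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]

def hash2_satisfies_sec(h2: bytes, sec: int) -> bool:
    """Step 3: the leftmost 16*Sec bits of Hash2 must be zero, i.e. 2*Sec leading zero octets."""
    return h2[:2 * sec] == bytes(2 * sec)

def find_modifier(pubkey: bytes, sec: int, start: bytes = None):
    """Steps 1-3, the proof-of-work loop: returns (modifier, iterations); cost is O(2^(16*Sec))."""
    m = int.from_bytes(start if start is not None else os.urandom(16), "big")
    tries = 0
    while True:
        modifier = m.to_bytes(16, "big")
        tries += 1
        if hash2_satisfies_sec(hash2(modifier, pubkey), sec):
            return modifier, tries
        m = (m + 1) % (1 << 128)  # step 3: increment the modifier and retry

def cga_iid(modifier, prefix, collision_count, pubkey, sec) -> bytes:
    """Steps 4-6: Hash1 becomes the interface ID, Sec in its top 3 bits, u/g bits cleared."""
    h1 = hashlib.sha1(modifier + prefix + bytes([collision_count]) + pubkey).digest()[:8]
    iid = bytearray(h1)
    iid[0] = (sec << 5) | (iid[0] & 0x1C)  # 0x1C keeps bits 3-5, zeroes bits 6 and 7 (u, g)
    return bytes(iid)

def generate_cga(pubkey, prefix, sec, modifier=None, collision_count=0):
    """Full generation (extension fields omitted); collision_count is bumped after DAD failures."""
    if modifier is None:
        modifier, _ = find_modifier(pubkey, sec)
    return prefix + cga_iid(modifier, prefix, collision_count, pubkey, sec), modifier

def verify_cga(address: bytes, pubkey: bytes, modifier: bytes, collision_count: int) -> bool:
    """RFC 3972 sec. 5: recompute Hash1 and Hash2 from received CGA parameters; Sec comes from the address."""
    if len(address) != 16 or not 0 <= collision_count <= 2:
        return False
    prefix, iid = address[:8], address[8:]
    sec = iid[0] >> 5
    if cga_iid(modifier, prefix, collision_count, pubkey, sec) != iid:
        return False
    return hash2_satisfies_sec(hash2(modifier, pubkey), sec)
```

With Sec=0 the first modifier is accepted immediately; with Sec=1 the same loop needs on average 65536 SHA-1 evaluations before any address can be formed, which is the cost the thread argues small devices will not pay.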
Hi Pascal,
I believe that you are a little misleading the audience on SeND.

Yes, they did something terrible: they have invented their own crypto algorithm for Interface ID generation.
It is something like HMAC: based on “proof of work”. It is some sort of signature, but weak and expensive (a lot of computations). Yet it could be simple - the complexity is regulated by 3 special bits.
A good security rule has been broken: never ever develop your own crypto algorithm! One should have very good reasons to do it. Even more, never develop a crypto protocol. Remember how many vulnerabilities have been found in SSL or TLS at the protocol level.
When I was reading about this requirement that bits should be 0 – it reminded me of block chain☺ Was Satoshi Nakamoto behind this 0 version of block chain?

HMAC-like is a big computation burden for any processor. It is really a “killing application” for IoT. Literally “killing”.

I was not able to understand why it has been done for SeND. Why was it not acceptable to generate the Interface ID in the typical way?
Why in principle do we need “Cryptographically Generated Addresses”?!?

I was really laughing when I read this justification in SeND: “second signature algorithm is only necessary as a recovery mechanism, in case a flaw is found in RSA”

But what if a flaw were found in the 2nd mechanism – maybe a 3rd mechanism would be needed? Why is the 2nd mechanism (CGA) so miserable from a cryptographic point of view (low protection, high computation)?

After this jumping around with the proprietary HMAC (in the IID),

the normal RSA private key is used over the whole packet – it is real protection. Look at the very small section 6 of RFC 3972 (CGA).
Pascal, protection is strong, but the real assurance is given by RSA, not by this simplified HMAC that everybody would probably keep at the minimal level of complexity (as you said).

IMHO: the CGA part of SeND should just be discarded as redundant. It is exactly what Pascal did in the draft he is promoting here.

I agree that SeND has seen dinosaurs. Zero chance that it would be accepted by the market.

From: ipv6 [] On Behalf Of Pascal Thubert (pthubert)
Sent: 5 August 2020 8:35
To: Fernando Gont <>
Cc: 6man <>; v6ops list <>
Subject: Re: [v6ops] [EXTERNAL] Re: Improving ND security

I agree that valuable ND security should not only protect address ownership but also provide SAVI, which SeND does not.

SeND has to protect distributed stateless address claims, so they decided to embed the proof of ownership in the address. This limits the size of the security proof to 64 bits, which is far from sufficient. So CGA added those 3 bits that optionally make the computational cost more cumbersome. Nobody uses that, so the protection is low. Very powerful devices could potentially do that, but smaller devices will be left with little protection and hardship to form new addresses.

In a stateful architecture the proof of ownership can be separated from the address and made bigger. It is stored in the infrastructure together with the address on first come. The same proof can be used for multiple addresses (and obfuscated with rehashing), so it does not affect privacy addressing. It is sitting in the RFC Editor queue and soon on the shelf. It does all the above: SAVI, proof of ownership. But it only works for addresses that are registered through RFC 8505, which makes ND proactive/stateful.
All the best,


On 5 Aug 2020 at 01:41, Fernando Gont <> wrote:
Hi, Fred,

On 3/8/20 16:55, Templin (US), Fred L wrote:

That is fine; we can accommodate CGAs in OMNI, cumbersome as they are.
I have this on my TODO list for after the adoption call.

Why "cumbersome"?
I realize the addresses are cryptographically-generated, which implies a security property
which is good. But, they would not be the primary link-local addresses that neighbor
nodes will know each other by - the CGAs will be found in the IPv6 ND message source
and destination addresses, while the primary addresses will be carried in an additional
IPv6 encapsulation header and would be the addresses that the NCEs are indexed by.

Not sure what you mean...

So, all the CGAs really are is placeholders in the IPv6 header to run security checks over.
They need not even be checked for uniqueness on the link, because it is the primary
addresses and not the CGAs which need to be maintained as unique.

The point of CGAs is that in order for you to ND-answer for PREFIX:IID, you need to have the key identified by "IID". So, assuming /64s, you'd need to be lucky to, given a CGA (PREFIX:IID), generate a key-pair where the public key is identified by "IID".

But then, RFC4380 offers a “poor-man’s” alternative to SEND/CGA. It
places a message authentication code in the encapsulation headers of IPv6 ND messages so
that the messages can pass a rudimentary authentication check.

You mean the Teredo spec? If so, I don't think it includes any sort of
poor-man's SEND-CGA.

It provides for message authentication,

But what's special about SEND/CGAs is that they tie the address to a key...
OK, that sounds good. So, we like that property but AFAICT that is about all the
CGA is good for in my application.

The thing is that, while in theory you could *theoretically* extend the use of CGAs as a spoofing mitigation, in the context of SEND CGAs are just employed for mitigating ND attacks... and that's kind of a lot of effort for mitigating something that we have learned to live with/mitigate in IPv4 in simpler ways.

i.e., I find SEND smart... but, in the bigger picture, not very compelling to deploy.

The usage we have for OMNI is that of an Internet-based Client sending an
authenticated, encapsulated, unicast RS message to an Internet-based Server
which then must authenticate the message.

Depends on what you mean by "authenticated". CGAs prove that the node that sends the packet is the owner of the address. Not more than that.

That's different than authenticating the client.

Similarly, you could authenticate the client, but that wouldn't mean that a client is the owner of a given address.

So someone with
security experience please help me out here – is RFC4380 authentication an acceptably
secure  replacement for SEND/CGA that might be easier to work with and less

Nope. The point of CGAs is that they allow you to prove address
ownership. There's nothing in RFC4380 that provides the same or similar

Why do we have to prove address ownership

Well, that's one of the goals of SEND/CGAs. :-)

and use a whacky address format like CGA?

The *address format* is not really whacky. At the end of the day, it's a
random number, with the specific property that it's part of the hash of
a public key.

Looking at a CGA, you probably wouldn't be able to tell CGA from RFC7217.
I think if you look inside the IPv6 ND message and find a CG option you can
infer that the address in the IPv6 header is a CGA.

Yep... but CGA != CGA option.

Fernando Gont
e-mail: <> || <>
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1