2/25/2016CSI WG/IETF761 Open Source Project SEND & Extensions Beijing University of Posts & Telecommunications HUAWEI Yuhong LI (Speaker) Wendong WANG Guangxue SU Quanchao HUI
Contents Project overview Basic and extended functions Implementations Tests Future work
2/25/2016CSI WG/IETF763 Project Overview Project began from Nov GPL-style License Code –Plan to put at Google Code ( Platforms –HostLinux* –RouterQuagga over Linux* Linux* Linux Kernel Ubuntu 8.04
2/25/2016CSI WG/IETF764 Basic Functions Implementations of RFCs: –RFC Secure Neighbor Discovery (SEND) –RFC Cryptographically Generated Addresses (CGAs) –RFC X.509 Extensions for IP Addresses and AS Identifiers Supported features: –Processing CPS/CPA messages (Authorization Delegation Discovery) Configuration of trust anchor & certificate path Adding IP Address Extensions to certificates Handling of the certificate path … –Processing ND messages with SEND options Generation & Verification of CGA and CGA parameters Generation & Verification of the RSA signature Handling the Nonce & Timestamp options …
2/25/2016CSI WG/IETF765 Extended Functions Supports –ECDSA as an alternative of RSA Based on draft-shen-csi-ecc-01 ( the revised version in draft-cheneau-csi-ecc-sig-agility-00) –CRL verification
2/25/2016CSI WG/IETF766 Implementations SEND Kernel module –Embedded into IPv6 module of Linux kernel –About 6K lines of C++ SEND Daemon module –Cryptographical procedures are implemented in user space in the form of Daemon –About 7K lines of C++
2/25/2016CSI WG/IETF767 Software Prototype ---- Host
2/25/2016CSI WG/IETF768 Software Prototype –--- Router
Tests of SEND & Extensions Performed in a link-local environment 72 function tests for SEND and extensions Performance tests on CGA and RSA/ECDSA
Test scenario 1: nodes support only SEND Messages from the original NDP nodes are considered insecure and are discarded –Neighbor Discovery SEND nodes discard ND messages without SEND options. –Router Discovery SEND nodes send CPS to routers to require CPA; Routes are considered insecure and will be ignored if routes do not respond CPA messages –Redirect SEND nodes ignore Redirect messages from NDP nodes
Test scenario 2: nodes work in compatible mode SEND nodes in compatible mode accept NDP nodes, but mark them as insecure –Neighbor Discovery SEND nodes on link are marked as secure NDP nodes on the link are marked as insecure –Router Discovery Routers which pass CPA verification are marked as secure Other routers are marked as insecure secure routers have higher priority when routing –Redirect Both SEND/ND redirect messages are accepted.
Test results of CGA generating time Platform: –An Intel Duo2 (2.53GHz) workstation Results of average CGA generating time –SEC=0: 100 μs –SEC=1: 60 ms; –SEC=2: 2000s (varies from 100~7000sec) –SEC=3: N/A Theoretically estimating, more than hours are required.
Performance comparisons of RSA and ECDSA Ref: draft-shen-csi-ecc-01 ( the revised version in draft-cheneau-csi-ecc-sig- agility-00) RSA-1024 and ECDSA-192 is of the same security strength. ECDSA has a shorter signature length, and a less signature generating time.
2/25/2016CSI WG/IETF7614 Future work Supports signature algorithm agility based on –draft-cheneau-csi-cga-pk-agility-00 Support for Multiple Signature Algorithms in Cryptographically Generated Addresses (CGAs) Proposed in Oct. 12, 2009 by Huawei Support multiple signature algorithms through providing multiple public keys in CGA –draft-cheneau-csi-send-sig-agility-00 Signature Algorithm Agility in the Secure Neighbor Discovery (SEND) Protocol Proposed in Oct. 12, 2009 by Huawei Add Supported Signature Algorithm Option, provide agility to SEND –draft-cheneau-csi-ecc-sig-agility-00 ECC public key and signature support in Cryptographically Generated Addresses (CGA) and in the Secure Neighbor Discovery (SEND) Proposed in Oct. 12, 2009 by Huawei E.g. how to use ECC public key in CGA etc.
Thanks! Questions/Comments? Contact us –Yuhong –Wendong Wang: –Guangxue –Quanchao