Stopping time condition for practical IPv6 cryptographically generated addresses

Abstract

Cryptographically Generated Addresses (CGA) are employed as an authentication mechanism in IPv6 network to realize the proof of address ownership without relying on any trust authority. The security parameter (Sec) indicates the security level of the CGA address. For Sec value greater than zero, there is no guarantee to stop the brute-force search after certain time. The address generator tries different values of Modifier until (16×Sec)-leftmost-bit of the second hash (Hash2) computes to zero. This paper proposes some modifications to the standard CGA “RFC 3972” in order to limit the time that CGA generation may takes. The modified CGA generation algorithm takes the upper bound of CGA running time as an input and the Sec value is determined as an output of the brute-force computations. The modified CGA keeps track of the best founded Hash2 value during the running time. The paper also proposes to reduce the granularity of the security level from “16” to “8”, to increase the chance to have better Sec value within the time limit. We called the modified CGA as Time-Based CGA (TB-CGA). The implementation and evaluation of TB-CGA are done in this paper.