Francis,

=> I strongly disagree: the use of those SHAx steps is the way to extend the search space and until SHAx pre-images are broken for the worst case (i.e., no attack better than brute force).

Be patient please. It takes time to prepare a response because I will need to work on code to break RSA and also SHAx (CGA) and currently I have no opportunity to work on this.

=> this seems to be replay attacks. RFC 3972 (CGAs) doesn't protect against replay but provides message (aka connectionless) integrity so any use of CGAs can add an anti-replay device (RFC 3971 (SEND) uses nonces and timestamps for anti-replay). BTW CGAs and SSASs are the same for this point.

Nonce and timestamp both cannot be much helpful for replay attacks. I mentioned a fast replay attack. You need to consider the clock skew for the timestamp (two seconds or so). The other nodes do not know whether the nonce is for an attacker or for your node. I, as an attacker, can easily copy and paste the whole packet content into my message with my own link layer address and send it back to you.

There is a difference between SSAS and CGA in the DAD process.

There is no doubt that CGA verification needs improvements. I will probably try to write another draft and improve that document too, while at the same time I am improving SSAS with the best design of RPKI (I will do that after my trip :-) so give me more time...).

Thanks,
Hosnieh

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------