Persistent CGA modifier

The modifier used during CGA generation is saved in the configuration file. The CGA itself is not stored.

From the stored modifier and the RSA key pair, the same CGA can be regenerated.

The modifier also needs to be sent out in ND messages.

Because the modifier is stored in the configuration file, the operator can also configure an offline-generated modifier (possibly with a security parameter > 1).

Example 1: Configure a SeND interface without modifiers:

configure router interface itf1
    address 10.10.10.1
    port 1/1/1
    ipv6
         secure-nd
              no shutdown

=> A modifier is generated based on the actual RSA key pair (that is, the imported or auto-generated key pair). The modifier is used to generate a link-local CGA.

=> The modifier is saved in the interface configuration file:

         exit
         address 2000:1::/64

=> A modifier is generated based on the actual RSA key pair. The modifier is used to generate the global CGA.

=> The modifier is stored in the interface configuration file.

Example 2: Configure a SeND interface with modifiers:

configure router interface itf2
    address 10.10.10.2
    port 1/1/2
    ipv6
         secure-nd
              link-local-modifier 0xABCD

=> The offline-generated modifier is used to generate the link-local CGA:

              no shutdown
         exit
         address 3000:1::/64

=> A modifier is generated based on the actual RSA key pair. The modifier is used to generate the global CGA.

=> The modifier is stored in the interface configuration file:

         address 3000:2::/64 modifier 0xABCD

=> The same offline-generated modifier as for the preceding link-local address is used to generate a global address:

         address 3000:3::/64 modifier 0xABCD

=> Another offline-generated modifier (*) is used to generate a global address.

=> For an offline-generated modifier, a check is performed to verify that it was generated with the actual RSA key pair and the security parameter applicable to the interface. If this check fails, the command is refused, unless the command is triggered in the context of an exec of a configuration file. In that case, the modifier is replaced by a new one generated from the actual RSA key pair.
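The following is an added example, not the router's own code, showing what the modifier check and the CGA regeneration above amount to in terms of RFC 3972: Hash2 over the modifier and the public key must have 16*sec leading zero bits, and Hash1 over the modifier, the subnet prefix and the same key yields the interface identifier. PUBKEY is a constructed placeholder for the DER-encoded RSA public key, and the search starts from a fixed value rather than a random one so that the result is reproducible.

```python
import hashlib
import ipaddress

# Constructed stand-in for the interface's DER-encoded RSA public key.
PUBKEY = b"\x30\x82\x01\x22 constructed placeholder public key " * 3


def hash2(modifier: int, pubkey: bytes) -> bytes:
    """RFC 3972 Hash2: SHA-1 over modifier || 9 zero bytes || public key (leftmost 112 bits)."""
    data = modifier.to_bytes(16, "big") + b"\x00" * 9 + pubkey
    return hashlib.sha1(data).digest()[:14]


def verify_modifier(modifier: int, pubkey: bytes, sec: int) -> bool:
    """The check applied to an offline-generated modifier: for this key pair
    and security parameter, the leftmost 16*sec bits of Hash2 must be zero."""
    if sec == 0:
        return True  # sec 0 imposes no condition on Hash2
    h2 = int.from_bytes(hash2(modifier, pubkey), "big")
    return (h2 >> (112 - 16 * sec)) == 0


def find_modifier(pubkey: bytes, sec: int, start: int = 0) -> int:
    """Generation step: increment the 128-bit modifier until Hash2 satisfies sec.
    A real node starts from a random modifier; a fixed start keeps this reproducible."""
    modifier = start
    while not verify_modifier(modifier, pubkey, sec):
        modifier = (modifier + 1) % (1 << 128)
    return modifier


def cga_address(prefix: str, modifier: int, pubkey: bytes, sec: int, collisions: int = 0) -> str:
    """Hash1 -> interface identifier; sec goes in the 3 leftmost bits, u/g bits are cleared."""
    pfx = ipaddress.IPv6Network(prefix).network_address.packed[:8]
    data = modifier.to_bytes(16, "big") + pfx + bytes([collisions]) + pubkey
    iid = bytearray(hashlib.sha1(data).digest()[:8])
    iid[0] = (iid[0] & 0x1C) | (sec << 5)
    return str(ipaddress.IPv6Address(pfx + bytes(iid)))


if __name__ == "__main__":
    mod = find_modifier(PUBKEY, sec=1)  # about 2**16 SHA-1 attempts on average
    # The same stored modifier and key pair regenerate both the link-local and
    # the global CGA, which is why only the modifier needs to be persisted.
    print(hex(mod), cga_address("fe80::/64", mod, PUBKEY, 1))
    print(cga_address("3000:1::/64", mod, PUBKEY, 1))
    # A short illustrative value such as 0xABCD is unlikely to pass for sec 1.
    print("0xABCD valid for sec 1:", verify_modifier(0xABCD, PUBKEY, 1))
```

A node regenerating a global address after a reboot recomputes only Hash1 with the stored modifier, so the relatively expensive Hash2 search happens once, at generation time.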