< draft-yeung-g-ikev2-14.txt   draft-yeung-g-ikev2-15.txt >
Network Working Group B. Weis Network Working Group B. Weis
Internet-Draft Cisco Systems Internet-Draft Independent
Obsoletes: 6407 (if approved) V. Smyslov Obsoletes: 6407 (if approved) V. Smyslov
Intended status: Standards Track ELVIS-PLUS Intended status: Standards Track ELVIS-PLUS
Expires: January 3, 2019 July 2, 2018 Expires: September 12, 2019 March 11, 2019
Group Key Management using IKEv2 Group Key Management using IKEv2
draft-yeung-g-ikev2-14 draft-yeung-g-ikev2-15
Abstract Abstract
This document presents a set of IKEv2 exchanges that comprise a group This document presents a set of IKEv2 exchanges that comprise a group
key management protocol. The protocol is in conformance with the key management protocol. The protocol is in conformance with the
Multicast Security (MSEC) key management architecture, which contains Multicast Security (MSEC) key management architecture, which contains
two components: member registration and group rekeying. Both two components: member registration and group rekeying. Both
components require a Group Controller/Key Server to download IPsec components require a Group Controller/Key Server to download IPsec
group security associations to authorized members of a group. The group security associations to authorized members of a group. The
group members then exchange IP multicast or other group traffic as group members then exchange IP multicast or other group traffic as
skipping to change at page 1, line 38 skipping to change at page 1, line 38
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 3, 2019. This Internet-Draft will expire on September 12, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 2, line 26 skipping to change at page 2, line 26
3. G-IKEv2 Protocol . . . . . . . . . . . . . . . . . . . . . . 6 3. G-IKEv2 Protocol . . . . . . . . . . . . . . . . . . . . . . 6
3.1. G-IKEv2 member registration and secure channel 3.1. G-IKEv2 member registration and secure channel
establishment . . . . . . . . . . . . . . . . . . . . . . 6 establishment . . . . . . . . . . . . . . . . . . . . . . 6
3.1.1. GSA_AUTH exchange . . . . . . . . . . . . . . . . . . 7 3.1.1. GSA_AUTH exchange . . . . . . . . . . . . . . . . . . 7
3.1.2. GSA_REGISTRATION Exchange . . . . . . . . . . . . . . 8 3.1.2. GSA_REGISTRATION Exchange . . . . . . . . . . . . . . 8
3.1.3. IKEv2 Header Initialization . . . . . . . . . . . . . 9 3.1.3. IKEv2 Header Initialization . . . . . . . . . . . . . 9
3.1.4. GM Registration Operations . . . . . . . . . . . . . 9 3.1.4. GM Registration Operations . . . . . . . . . . . . . 9
3.1.5. GCKS Registration Operations . . . . . . . . . . . . 10 3.1.5. GCKS Registration Operations . . . . . . . . . . . . 10
3.1.6. Interaction with IKEv2 protocols . . . . . . . . . . 12 3.1.6. Interaction with IKEv2 protocols . . . . . . . . . . 12
3.2. Group Maintenance Channel . . . . . . . . . . . . . . . . 12 3.2. Group Maintenance Channel . . . . . . . . . . . . . . . . 12
3.2.1. GSA_REKEY exchange . . . . . . . . . . . . . . . . . 12 3.2.1. GSA_REKEY exchange . . . . . . . . . . . . . . . . . 13
3.2.2. GSA_INBAND_REKEY exchange . . . . . . . . . . . . . . 16 3.2.2. GSA_INBAND_REKEY exchange . . . . . . . . . . . . . . 17
3.2.3. Deletion of SAs . . . . . . . . . . . . . . . . . . . 17 3.2.3. Deletion of SAs . . . . . . . . . . . . . . . . . . . 17
3.3. Counter-based modes of operation . . . . . . . . . . . . 18 3.3. Counter-based modes of operation . . . . . . . . . . . . 18
4. Header and Payload Formats . . . . . . . . . . . . . . . . . 19 3.3.1. Allocation of SIDs . . . . . . . . . . . . . . . . . 18
4.1. The G-IKEv2 Header . . . . . . . . . . . . . . . . . . . 19 3.3.2. GM Usage of SIDs . . . . . . . . . . . . . . . . . . 20
4.2. Group Identification (IDg) Payload . . . . . . . . . . . 20 4. Header and Payload Formats . . . . . . . . . . . . . . . . . 20
4.3. Security Association - GM Supported Transforms (SAg) . . 20 4.1. The G-IKEv2 Header . . . . . . . . . . . . . . . . . . . 20
4.4. Group Security Association Payload . . . . . . . . . . . 20 4.2. Group Identification (IDg) Payload . . . . . . . . . . . 21
4.3. Security Association - GM Supported Transforms (SAg) . . 21
4.4. Group Security Association Payload . . . . . . . . . . . 21
4.4.1. GSA Policy . . . . . . . . . . . . . . . . . . . . . 21 4.4.1. GSA Policy . . . . . . . . . . . . . . . . . . . . . 21
4.5. KEK Policy . . . . . . . . . . . . . . . . . . . . . . . 22 4.4.2. KEK Policy . . . . . . . . . . . . . . . . . . . . . 23
4.5.1. KEK Attributes . . . . . . . . . . . . . . . . . . . 23 4.4.3. GSA TEK Policy . . . . . . . . . . . . . . . . . . . 26
4.6. GSA TEK Policy . . . . . . . . . . . . . . . . . . . . . 26 4.4.4. GSA Group Associated Policy . . . . . . . . . . . . . 29
4.6.1. TEK ESP and AH Protocol-Specific Policy . . . . . . . 27 4.5. Key Download Payload . . . . . . . . . . . . . . . . . . 30
4.7. GSA Group Associated Policy . . . . . . . . . . . . . . . 28 4.5.1. TEK Download Type . . . . . . . . . . . . . . . . . . 32
4.7.1. ACTIVATION_TIME_DELAY/DEACTIVATION_TIME_DELAY . . . . 29 4.5.2. KEK Download Type . . . . . . . . . . . . . . . . . . 33
4.8. Key Download Payload . . . . . . . . . . . . . . . . . . 30 4.5.3. LKH Download Type . . . . . . . . . . . . . . . . . . 34
4.8.1. TEK Download Type . . . . . . . . . . . . . . . . . . 31 4.5.4. SID Download Type . . . . . . . . . . . . . . . . . . 37
4.8.2. KEK Download Type . . . . . . . . . . . . . . . . . . 32 4.6. Delete Payload . . . . . . . . . . . . . . . . . . . . . 38
4.8.3. LKH Download Type . . . . . . . . . . . . . . . . . . 33 4.7. Notify Payload . . . . . . . . . . . . . . . . . . . . . 39
4.8.4. SID Download Type . . . . . . . . . . . . . . . . . . 36 4.8. Authentication Payload . . . . . . . . . . . . . . . . . 39
4.9. Delete Payload . . . . . . . . . . . . . . . . . . . . . 37
4.10. Notify Payload . . . . . . . . . . . . . . . . . . . . . 38
4.11. Authentication Payload . . . . . . . . . . . . . . . . . 39
5. Security Considerations . . . . . . . . . . . . . . . . . . . 39 5. Security Considerations . . . . . . . . . . . . . . . . . . . 39
5.1. GSA registration and secure channel . . . . . . . . . . . 39 5.1. GSA registration and secure channel . . . . . . . . . . . 40
5.2. GSA maintenance channel . . . . . . . . . . . . . . . . . 39 5.2. GSA maintenance channel . . . . . . . . . . . . . . . . . 40
5.2.1. Authentication/Authorization . . . . . . . . . . . . 39 5.2.1. Authentication/Authorization . . . . . . . . . . . . 40
5.2.2. Confidentiality . . . . . . . . . . . . . . . . . . . 39 5.2.2. Confidentiality . . . . . . . . . . . . . . . . . . . 40
5.2.3. Man-in-the-Middle Attack Protection . . . . . . . . . 39 5.2.3. Man-in-the-Middle Attack Protection . . . . . . . . . 40
5.2.4. Replay/Reflection Attack Protection . . . . . . . . . 39 5.2.4. Replay/Reflection Attack Protection . . . . . . . . . 40
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 40 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 41
6.1. New registries . . . . . . . . . . . . . . . . . . . . . 40 6.1. New registries . . . . . . . . . . . . . . . . . . . . . 41
6.2. New payload and exchange types added to the existing 6.2. New payload and exchange types added to the existing
IKEv2 registry . . . . . . . . . . . . . . . . . . . . . 40 IKEv2 registry . . . . . . . . . . . . . . . . . . . . . 41
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 41 6.3. Changes to previous allocations . . . . . . . . . . . . . 42
8. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 41 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 42
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 42 8. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 42
9.1. Normative References . . . . . . . . . . . . . . . . . . 42 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 43
9.2. Informative References . . . . . . . . . . . . . . . . . 43 9.1. Normative References . . . . . . . . . . . . . . . . . . 43
Appendix A. Use of LKH in G-IKEv2 . . . . . . . . . . . . . . . 44 9.2. Informative References . . . . . . . . . . . . . . . . . 44
A.1. Group Creation . . . . . . . . . . . . . . . . . . . . . 44 Appendix A. Use of LKH in G-IKEv2 . . . . . . . . . . . . . . . 45
A.2. Group Member Exclusion . . . . . . . . . . . . . . . . . 45 A.1. Group Creation . . . . . . . . . . . . . . . . . . . . . 45
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 46 A.2. Group Member Exclusion . . . . . . . . . . . . . . . . . 46
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 47
1. Introduction and Overview 1. Introduction and Overview
A group key management protocol provides IPsec keys and policy to a A group key management protocol provides IPsec keys and policy to a
set of IPsec devices which are authorized to communicate using a set of IPsec devices which are authorized to communicate using a
Group Security Association (GSA) defined in [RFC3740]. The data Group Security Association (GSA) defined in [RFC3740]. The data
communications within the group (e.g., IP multicast packets) are communications within the group (e.g., IP multicast packets) are
protected by a key pushed to the group members (GMs) by the Group protected by a key pushed to the group members (GMs) by the Group
Controller/Key Server (GCKS). This document presents a set of IKEv2 Controller/Key Server (GCKS). This document presents a set of IKEv2
[RFC7296] exchanges that comprise a group key management protocol. [RFC7296] exchanges that comprise a group key management protocol.
skipping to change at page 7, line 51 skipping to change at page 7, line 51
instead downloaded from the GCKS to the group member. instead downloaded from the GCKS to the group member.
Initiator (Member) Responder (GCKS) Initiator (Member) Responder (GCKS)
-------------------- ------------------ -------------------- ------------------
HDR, SK { IDi, [CERT,] [CERTREQ, ] [IDr, ] HDR, SK { IDi, [CERT,] [CERTREQ, ] [IDr, ]
AUTH, IDg, [SAg, ] [N ] } --> AUTH, IDg, [SAg, ] [N ] } -->
After the IKE_SA_INIT exchange completes, the group member initiates After the IKE_SA_INIT exchange completes, the group member initiates
a GSA_AUTH request to join a group indicated by the IDg payload. The a GSA_AUTH request to join a group indicated by the IDg payload. The
GM MAY include an SAg payload declaring which Transforms that it is GM MAY include an SAg payload declaring which Transforms that it is
willing to accept, and also MAY include the Notify payload status willing to accept. A GM that intends to emit data packets SHOULD
type SENDER_ID_REQUEST to request SIDs for a Counter-based cipher include a Notify payload status type of SENDER, which enables the
from the GCKS. GCKS to provide any additional policy necessary by group senders.
<-- HDR, SK { IDr, [CERT, ] AUTH, [ GSA, KD, ] [D, ] } <-- HDR, SK { IDr, [CERT, ] AUTH, [ GSA, KD, ] [D, ] }
The GCKS responds with IDr, optional CERT, and AUTH material as if it The GCKS responds with IDr, optional CERT, and AUTH material as if it
were an IKE_AUTH. It also informs the group member of the were an IKE_AUTH. It also informs the group member of the
cryptographic policies of the group in the GSA payload and the key cryptographic policies of the group in the GSA payload and the key
material in the KD payload. The GCKS can also include a Delete (D) material in the KD payload. The GCKS can also include a Delete (D)
payload instructing the group member to delete existing SAs it might payload instructing the group member to delete existing SAs it might
have as the result of a previous group member registration. have as the result of a previous group member registration. (See
more discussion on the Delete payload in Section 4.6.)
In addition to the IKEv2 error handling, the GCKS can reject the In addition to the IKEv2 error handling, the GCKS can reject the
registration request when the IDg is invalid or authorization fails, registration request when the IDg is invalid or authorization fails,
etc. In these cases, see Section 4.10, the GSA_AUTH response will etc. In these cases, see Section 4.7, the GSA_AUTH response will not
not include the GSA and KD, but will include a Notify payload include the GSA and KD, but will include a Notify payload indicating
indicating errors. If the group member included an SAg payload, and errors. If the group member included an SAg payload, and the GCKS
the GCKS chooses to evaluate it, and it detects that that group chooses to evaluate it, and it detects that that group member cannot
member cannot support the security policy defined for the group, then support the security policy defined for the group, then the GCKS
the GCKS SHOULD return a NO_PROPOSAL_CHOSEN. When the GCKS indicates SHOULD return a NO_PROPOSAL_CHOSEN. When the GCKS indicates errors,
errors, and the group member cannot resolve the errors, the group and the group member cannot resolve the errors, the group member MUST
member MUST delete the registration IKE SA. delete the registration IKE SA.
Initiator (Member) Responder (GCKS) Initiator (Member) Responder (GCKS)
-------------------- ------------------ -------------------- ------------------
<-- HDR, SK { N } <-- HDR, SK { N }
If the group member finds the policy sent by the GCKS is If the group member finds the policy sent by the GCKS is
unacceptable, the member SHOULD notify the GCKS by sending IDg and unacceptable, the member SHOULD notify the GCKS by sending IDg and
the Notify type NO_PROPOSAL_CHOSEN as shown below. the Notify type NO_PROPOSAL_CHOSEN as shown below.
Initiator (Member) Responder (GCKS) Initiator (Member) Responder (GCKS)
-------------------- ------------------ -------------------- ------------------
HDR, SK {IDg [N,]} --> HDR, SK {IDg [N,]} -->
<-- HDR, SK {} <-- HDR, SK {}
3.1.2. GSA_REGISTRATION Exchange 3.1.2. GSA_REGISTRATION Exchange
When a secure channel is already established between a GM and the When a secure channel is already established between a GM and the
GCKS, the GM registration for a group can reuse the established GCKS, the GM registration for a group can reuse the established
secure channel. In this scenario the GM will use the secure channel. In this scenario the GM will use the
GSA_REGISTRATION exchange by including the desired group ID (IDg) to GSA_REGISTRATION exchange. Payloads in the exchange are generated
request data security keys (TEKs) and/or group key encrypting keys and processed as defined in Section 3.1.1.
(KEKs) from the GCKS. If the group member includes an SAg payload,
and the GCKS chooses to evaluate it, and it detects that group member
cannot support the security policy defined for the group, then the
GCKS SHOULD return a NO_PROPOSAL_CHOSEN. The GM MAY also include the
Notify payload status type SENDER_ID_REQUEST to request SIDs for a
Counter-based cipher from the GCKS. The GCKS response payloads are
created and processed as in the GSA_AUTH reply.
Initiator (Member) Responder (GCKS) Initiator (Member) Responder (GCKS)
-------------------- ------------------ -------------------- ------------------
HDR, SK {IDg, [SAg, ][N ] } --> HDR, SK {IDg, [SAg, ][N ] } -->
<-- HDR, SK { GSA, KD, [D ] } <-- HDR, SK { GSA, KD, [D ] }
This exchange can also be used if the group member finds the policy This exchange can also be used if the group member finds the policy
sent by the GCKS is unacceptable. The group member SHOULD notify the sent by the GCKS is unacceptable. The group member SHOULD notify the
GCKS by sending IDg and the Notify type NO_PROPOSAL_CHOSEN, as shown GCKS by sending IDg and the Notify type NO_PROPOSAL_CHOSEN, as shown
skipping to change at page 9, line 43 skipping to change at page 9, line 40
A G-IKEv2 Initiator (GM) requesting registration contacts the GCKS A G-IKEv2 Initiator (GM) requesting registration contacts the GCKS
using the IKE_SA_INIT exchange and receives the response from the using the IKE_SA_INIT exchange and receives the response from the
GCKS. This exchange is unchanged from the IKE_SA_INIT in IKEv2 GCKS. This exchange is unchanged from the IKE_SA_INIT in IKEv2
protocol. protocol.
Upon completion of parsing and verifying the IKE_SA_INIT response, Upon completion of parsing and verifying the IKE_SA_INIT response,
the GM sends the GSA_AUTH message with the IKEv2 payloads from the GM sends the GSA_AUTH message with the IKEv2 payloads from
IKE_AUTH (without the SAi2, TSi and TSr payloads) along with the IKE_AUTH (without the SAi2, TSi and TSr payloads) along with the
Group ID informing the GCKS of the group the initiator wishes to Group ID informing the GCKS of the group the initiator wishes to
join. The initiator MAY specify how many Sender-ID values it would join. An initiator intending to emit data traffic SHOULD send a
like to receive in the Notify payload status type, SENDER_ID_REQUEST, SENDER Notify payload status. The SENDER not only signifies that it
in case the Data Security SA supports a counter mode cipher (see is a sender, but provides the initiator the ability to request
Section 3.3). Sender-ID values, in case the Data Security SA supports a counter
mode cipher. Section 3.3) includes guidance on requesting Sender-ID
values.
An initiator may be limited in the types of Transforms that it is An initiator may be limited in the types of Transforms that it is
able or willing to use, and may find it useful to inform the GCKS able or willing to use, and may find it useful to inform the GCKS
which Transforms that it is willing to accept. It can OPTIONALLY which Transforms that it is willing to accept. It can OPTIONALLY
include an SAg payload, which can include ESP and/or AH Proposals. include an SAg payload, which can include ESP and/or AH Proposals.
Each Proposal contains a list of Transforms that it is willing to Each Proposal contains a list of Transforms that it is willing to
support for that protocol. A Proposal of type ESP can include ENCR, support for that protocol. A Proposal of type ESP can include ENCR,
INTEG, and ESN Transforms. A Proposal of type AH can include INTEG, INTEG, and ESN Transforms. A Proposal of type AH can include INTEG,
and ESN Transforms. The SPI length of each Proposal in an SAg MUST and ESN Transforms. The SPI length of each Proposal in an SAg MUST
be zero, and the SPI field is null. Generally, a single Proposal of be zero, and the SPI field is null. Generally, a single Proposal of
each type will suffice, because the group member is not negotiating each type will suffice, because the group member is not negotiating
Transform sets, simply alerting the GCKS to restrictions it may have. Transform sets, simply alerting the GCKS to restrictions it may have.
Upon receiving the GSA_AUTH response, the initiator parses the Upon receiving the GSA_AUTH response, the initiator parses the
response from the GCKS authenticating the exchange using the IKEv2 response from the GCKS authenticating the exchange using the IKEv2
skipping to change at page 10, line 42 skipping to change at page 10, line 39
Message ID. The Message ID in the KEK_MESSAGE_ID attribute MUST be Message ID. The Message ID in the KEK_MESSAGE_ID attribute MUST be
checked against any previously received Message ID for this group. checked against any previously received Message ID for this group.
If it is less than the previously received number, it should be If it is less than the previously received number, it should be
considered stale and ignored. This could happen if two GSA_AUTH considered stale and ignored. This could happen if two GSA_AUTH
exchanges happened in parallel, and the Message ID changed. This exchanges happened in parallel, and the Message ID changed. This
KEK_MESSAGE_ID is used by the GM to prevent GSA_REKEY message replay KEK_MESSAGE_ID is used by the GM to prevent GSA_REKEY message replay
attacks. The first GSA_REKEY message that the GM receives from the attacks. The first GSA_REKEY message that the GM receives from the
GCKS must have a Message ID greater or equal to the Message ID GCKS must have a Message ID greater or equal to the Message ID
received in the KEK_MESSAGE_ID attribute. received in the KEK_MESSAGE_ID attribute.
If a GM has received GSA_REKEY policy during a registration, and it
does not need to initiate any additional exchanges to the GCKS, then
the GM SHOULD close the IKE SA.
3.1.5. GCKS Registration Operations 3.1.5. GCKS Registration Operations
A G-IKEv2 GCKS passively listens for incoming requests from group A G-IKEv2 GCKS passively listens for incoming requests from group
members. When the GCKS receives an IKE_SA_INIT request, it selects members. When the GCKS receives an IKE_SA_INIT request, it selects
an IKE proposal and generates a nonce and DH to include them in the an IKE proposal and generates a nonce and DH to include them in the
IKE_SA_INIT response. IKE_SA_INIT response.
Upon receiving the GSA_AUTH request, the GCKS authenticates the group Upon receiving the GSA_AUTH request, the GCKS authenticates the group
member using the same procedures as in the IKEv2 IKE_AUTH. The GCKS member using the same procedures as in the IKEv2 IKE_AUTH. The GCKS
then authorizes the group member according to group policy before then authorizes the group member according to group policy before
skipping to change at page 11, line 17 skipping to change at page 11, line 19
The GSA_AUTH response will include the group policy in the GSA The GSA_AUTH response will include the group policy in the GSA
payload and keys in the KD payload. If the GCKS policy includes a payload and keys in the KD payload. If the GCKS policy includes a
group rekey option, this policy is constructed in the GSA KEK and the group rekey option, this policy is constructed in the GSA KEK and the
key is constructed in the KD KEK. The GSA KEK MUST include the key is constructed in the KD KEK. The GSA KEK MUST include the
KEK_MESSAGE_ID attribute, specifying the starting Message ID the GCKS KEK_MESSAGE_ID attribute, specifying the starting Message ID the GCKS
will use when sending the GSA_REKEY message to the group member. will use when sending the GSA_REKEY message to the group member.
This Message ID is used to prevent GSA_REKEY message replay attacks This Message ID is used to prevent GSA_REKEY message replay attacks
and will be increased each time a GSA_REKEY message is sent to the and will be increased each time a GSA_REKEY message is sent to the
group. The GCKS data traffic policy is included in the GSA TEK and group. The GCKS data traffic policy is included in the GSA TEK and
keys are included in the KD TEK. The GSA GAP MAY also be included to keys are included in the KD TEK. The GSA GAP MAY also be included to
provide the ATD and/or DTD (Section 4.7.1) specifying activation and provide the ATD and/or DTD (Section 4.4.4.1) specifying activation
deactivation delays for SAs generated from the TEKs. If one or more and deactivation delays for SAs generated from the TEKs. If the
Data Security SAs distributed in the GSA payload included a counter group member has indicated that it is a sender of data traffic and
mode of operation, the GCKS includes at least one SID value in the KD one or more Data Security SAs distributed in the GSA payload included
payload, and possibly more depending on the request received in the a counter mode of operation, the GCKS responds with one or more SIDs
Notify payload status type SENDER_ID_REQUEST requesting the number of (see Section 3.3).
SIDs from the group member.
If the GCKS receives a GSA_REGISTRATION exchange with a request to If the GCKS receives a GSA_REGISTRATION exchange with a request to
register a GM to a group, the GCKS will need to authorize the GM with register a GM to a group, the GCKS will need to authorize the GM with
the new group (IDg) and respond with the corresponding group policy the new group (IDg) and respond with the corresponding group policy
and keys. If the GCKS fails to authorize the GM, it will respond and keys. If the GCKS fails to authorize the GM, it will respond
with the AUTHORIZATION_FAILED notification. with the AUTHORIZATION_FAILED notification.
If a group member includes an SAg in its GSA_AUTH or GSA_REGISTRATION If a group member includes an SAg in its GSA_AUTH or GSA_REGISTRATION
request, the GCKS MAY evaluate it according to an implementation request, the GCKS MAY evaluate it according to an implementation
specific policy. specific policy.
skipping to change at page 12, line 5 skipping to change at page 11, line 49
then it could return a NO_PROPOSAL_CHOSEN Notification. then it could return a NO_PROPOSAL_CHOSEN Notification.
o The GCKS could store the list of Transforms, with the goal of o The GCKS could store the list of Transforms, with the goal of
migrating the group policy to a different Transform when all of migrating the group policy to a different Transform when all of
the group members indicate that they can support that Transform. the group members indicate that they can support that Transform.
o The GCKS could store the list of Transforms and adjust the current o The GCKS could store the list of Transforms and adjust the current
group policy based on the capabilities of the devices as long as group policy based on the capabilities of the devices as long as
they fall within the acceptable security policy of the GCKS. they fall within the acceptable security policy of the GCKS.
Depending on its policy, the GCKS may have no need for the IKE SA
(e.g., it does not plan to initiate an GSA_INBAND_REKEY exchange).
If the GM does not initiate another registration exchange or Notify
(e.g., NO_PROPOSAL_CHOSEN), and also does not close the IKE SA and
the GCKS is not intended to use the SA, then after a short period of
time the GCKS SHOULD close the IKEv2 SA. The delay before closing
provides for receipt of a GM's error notification in the event of
packet loss.
3.1.6. Interaction with IKEv2 protocols 3.1.6. Interaction with IKEv2 protocols
3.1.6.1. Session Resumption 3.1.6.1. Session Resumption
G-IKEv2 is compatible with and can use IKEv2 Session Resumption G-IKEv2 is compatible with and can use IKEv2 Session Resumption
[RFC5723] except that a GM would include the initial ticket request [RFC5723] except that a GM would include the initial ticket request
in a GSA_AUTH exchange instead of an IKE_AUTH exchange. in a GSA_AUTH exchange instead of an IKE_AUTH exchange.
3.1.6.2. Postquantum Preshared Keys for IKEv2 3.1.6.2. Postquantum Preshared Keys for IKEv2
skipping to change at page 13, line 4 skipping to change at page 13, line 10
registration exchange. This exchange allows the GCKS to rekey registration exchange. This exchange allows the GCKS to rekey
without using an independent GSA_REKEY exchange. The without using an independent GSA_REKEY exchange. The
GSA_INBAND_REKEY exchange is useful when G-IKEv2 is used with a GSA_INBAND_REKEY exchange is useful when G-IKEv2 is used with a
small group of cooperating devices. small group of cooperating devices.
3.2.1. GSA_REKEY exchange 3.2.1. GSA_REKEY exchange
The GCKS initiates the G-IKEv2 Rekey securely, usually using IP The GCKS initiates the G-IKEv2 Rekey securely, usually using IP
multicast. Since this rekey does not require a response and it sends multicast. Since this rekey does not require a response and it sends
to multiple GMs, G-IKEv2 rekeying MUST NOT support IKE SA windowing. to multiple GMs, G-IKEv2 rekeying MUST NOT support IKE SA windowing.
The GCKS rekey message replaces the rekey GSA KEK or KEK array, and/ The GCKS rekey message replaces the rekey GSA KEK or KEK array, and/
or creates a new Data-Security GSA TEK. The SID Download attribute or creates a new Data-Security GSA TEK. The SID Download attribute
in the Key Download payload (defined in Section 4.8.4) MUST NOT be in the Key Download payload (defined in Section 4.5.4) MUST NOT be
part of the Rekey Exchange as this is sender specific information and part of the Rekey Exchange as this is sender specific information and
the Rekey Exchange is group specific. The GCKS initiates the the Rekey Exchange is group specific. The GCKS initiates the
GSA_REKEY exchange as following: GSA_REKEY exchange as following:
Members (Responder) GCKS (Initiator) Members (Responder) GCKS (Initiator)
-------------------- ------------------ -------------------- ------------------
<-- HDR, SK { GSA, KD, [D,] AUTH } <-- HDR, SK { GSA, KD, [D,] AUTH }
HDR is defined in Section 4.1. The Message ID in this message will HDR is defined in Section 4.1. The Message ID in this message will
start with the same value the GCKS sent to the group members in the start with the same value the GCKS sent to the group members in the
skipping to change at page 13, line 40 skipping to change at page 13, line 45
is updated in the KD payload. is updated in the KD payload.
A Delete payload MAY be included to instruct the GM to delete A Delete payload MAY be included to instruct the GM to delete
existing SAs. existing SAs.
The AUTH payload is included to authenticate the GSA_REKEY message The AUTH payload is included to authenticate the GSA_REKEY message
using a method defined in the IKEv2 Authentication Method IANA using a method defined in the IKEv2 Authentication Method IANA
registry [IKEV2-IANA]. The method SHOULD be a digital signature registry [IKEV2-IANA]. The method SHOULD be a digital signature
authentication scheme to ensure that the message was originated from authentication scheme to ensure that the message was originated from
an authorized GCKS. A Shared Key Integrity Code SHOULD NOT be used an authorized GCKS. A Shared Key Integrity Code SHOULD NOT be used
as it doesn't provide source origin authentication (although a small unless source origin authentication is not required (for example, in
group may not require source origin authentication). During group a small group of highly trusted GMs). During group member
member registration, the GCKS sends the authentication key in the GSA registration, the GCKS sends the authentication key in the GSA KEK
KEK payload, KEK_AUTH_KEY attribute, which the group member uses to payload, KEK_AUTH_KEY attribute, which the group member uses to
authenticate the key server. Before the current Authentication Key authenticate the key server. Before the current Authentication Key
expires, the GCKS will send a new KEK_AUTH_KEY to the group members expires, the GCKS will send a new KEK_AUTH_KEY to the group members
in a GSA_REKEY message. The AUTH key that is used in the rekey in a GSA_REKEY message. The AUTH key that is used in the rekey
message may not be the same as the authentication key used in message may not be the same as the authentication key used in
GSA_AUTH. Typically a rekey message is sent as multicast and GSA_AUTH. Typically a rekey message is sent as multicast and
received by all group members, therefore the same AUTH key is received by all group members, therefore the same AUTH key is
distributed to all group members. distributed to all group members.
After adding the AUTH payload to the rekey message, the current KEK After adding the AUTH payload to the rekey message, the current KEK
encryption key is used to encrypt all of the payloads following the encryption key is used to encrypt all of the payloads following the
skipping to change at page 17, line 47 skipping to change at page 18, line 5
The GSA MAY specify the remaining active time of the remaining policy The GSA MAY specify the remaining active time of the remaining policy
by using the DTD attribute in the GSA GAP. If a GCKS has no further by using the DTD attribute in the GSA GAP. If a GCKS has no further
SAs to send to group members, the GSA and KD payloads MUST be omitted SAs to send to group members, the GSA and KD payloads MUST be omitted
from the message. There may be circumstances where the GCKS may want from the message. There may be circumstances where the GCKS may want
to start over with a clean slate. If the administrator is no longer to start over with a clean slate. If the administrator is no longer
confident in the integrity of the group, the GCKS can signal deletion confident in the integrity of the group, the GCKS can signal deletion
of all the policies of a particular TEK protocol by sending a TEK of all the policies of a particular TEK protocol by sending a TEK
with a SPI value equal to zero in the delete payload. For example, with a SPI value equal to zero in the delete payload. For example,
if the GCKS wishes to remove all the KEKs and all the TEKs in the if the GCKS wishes to remove all the KEKs and all the TEKs in the
group, the GCKS SHOULD send a Delete payload with a SPI of zero and a group, the GCKS SHOULD send a Delete payload with a SPI of zero and a
protocol_id of a TEK protocol_id value defined in Section 4.6, protocol_id of a TEK protocol_id value defined in Section 4.4.3,
followed by another Delete payload with a SPI of zero and protocol_id followed by another Delete payload with a SPI of zero and protocol_id
of zero, indicating that the KEK SA should be deleted. of zero, indicating that the KEK SA should be deleted.
3.3. Counter-based modes of operation 3.3. Counter-based modes of operation
Several new counter-based modes of operation have been specified for Several new counter-based modes of operation have been specified for
ESP (e.g., AES-CTR [RFC3686], AES-GCM [RFC4106], AES-CCM [RFC4309], ESP (e.g., AES-CTR [RFC3686], AES-GCM [RFC4106], AES-CCM [RFC4309],
AES-GMAC [RFC4543]) and AH (e.g., AES-GMAC [RFC4543]). These AES-GMAC [RFC4543]) and AH (e.g., AES-GMAC [RFC4543]). These
counter-based modes require that no two senders in the group ever counter-based modes require that no two senders in the group ever
send a packet with the same Initialization Vector (IV) using the same send a packet with the same Initialization Vector (IV) using the same
cipher key and mode. This requirement is met in G-IKEv2 when the cipher key and mode. This requirement is met in G-IKEv2 when the
following requirements are met: following requirements are met:
o The GCKS distributes a unique key for each Data-Security SA. o The GCKS distributes a unique key for each Data-Security SA.
o The GCKS uses the method described in [RFC6054], which assigns each o The GCKS uses the method described in [RFC6054], which assigns each
sender a portion of the IV space by provisioning each sender with one sender a portion of the IV space by provisioning each sender with one
or more unique SID values. or more unique SID values.
3.3.1. Allocation of SIDs
When at least one Data-Security SA included in the group policy When at least one Data-Security SA included in the group policy
includes a counter-based mode of operation, the GCKS automatically includes a counter-based mode of operation, the GCKS automatically
allocates and distributes one SID to each group member acting in the allocates and distributes one SID to each group member acting in the
role of sender on the Data-Security SA. The SID value is used role of sender on the Data-Security SA. The SID value is used
exclusively by the group member to which it was allocated. The group exclusively by the group member to which it was allocated. The group
member uses the same SID for each Data-Security SA specifying the use member uses the same SID for each Data-Security SA specifying the use
of a counter-based mode of operation. A GCKS MUST distribute unique of a counter-based mode of operation. A GCKS MUST distribute unique
keys for each Data-Security SA including a counter-based mode of keys for each Data-Security SA including a counter-based mode of
operation in order to maintain unique key and nonce usage. operation in order to maintain unique key and nonce usage.
skipping to change at page 19, line 7 skipping to change at page 19, line 15
1. A GCKS maintains an SID-counter, which records the SIDs that have 1. A GCKS maintains an SID-counter, which records the SIDs that have
been allocated. SIDs are allocated sequentially, with zero as the been allocated. SIDs are allocated sequentially, with zero as the
first allocated SID. first allocated SID.
2. Each time an SID is allocated, the current value of the counter 2. Each time an SID is allocated, the current value of the counter
is saved and allocated to the group member. The SID-counter is then is saved and allocated to the group member. The SID-counter is then
incremented in preparation for the next allocation. incremented in preparation for the next allocation.
3. When the GCKS specifies a counter-based mode of operation in the 3. When the GCKS specifies a counter-based mode of operation in the
Data Security SA a group member may request a count of SIDs during Data Security SA a group member may request a count of SIDs during
registration in a Notify payload information of type SEND_ID_REQUEST. registration in a Notify payload information of type SENDER. When
When the GCKS receives this request, it increments the SID-counter the GCKS receives this request, it increments the SID-counter once
once for each requested SID, and distributes each SID value to the for each requested SID, and distributes each SID value to the group
group member. member. The GCKS SHOULD have a policy-defined upper bound for the
number of SIDs that it will return irrespective of the number
requested by the GM.
4. A GCKS allocates new SID values for each GSA_REGISTRATION 4. A GCKS allocates new SID values for each GSA_REGISTRATION
exchange originated by a sender, regardless of whether a group member exchange originated by a sender, regardless of whether a group member
had previously contacted the GCKS. In this way, the GCKS is not had previously contacted the GCKS. In this way, the GCKS is not
required to maintaining a record of which SID values it had required to maintaining a record of which SID values it had
previously allocated to each group member. More importantly, since previously allocated to each group member. More importantly, since
the GCKS cannot reliably detect whether the group member had sent the GCKS cannot reliably detect whether the group member had sent
data on the current group Data-Security SAs it does not know what data on the current group Data-Security SAs it does not know what
Data-Security counter-mode nonce values that a group member has used. Data-Security counter-mode nonce values that a group member has used.
By distributing new SID values, the key server ensures that each time By distributing new SID values, the key server ensures that each time
skipping to change at page 19, line 42 skipping to change at page 20, line 5
group members initiating a new GSA_REGISTRATION exchange, in which group members initiating a new GSA_REGISTRATION exchange, in which
they will receive both new SID values and new Data-Security SAs. The they will receive both new SID values and new Data-Security SAs. The
new SID values can safely be used because they are only used with the new SID values can safely be used because they are only used with the
new Data-Security SAs. Note that deletion of the Rekey SA is new Data-Security SAs. Note that deletion of the Rekey SA is
necessary to ensure that group members receiving a GSA_REKEY exchange necessary to ensure that group members receiving a GSA_REKEY exchange
before the re-register do not inadvertently use their old SIDs with before the re-register do not inadvertently use their old SIDs with
the new Data-Security SAs. Using the method above, at no time can the new Data-Security SAs. Using the method above, at no time can
two group members use the same IV values with the same Data-Security two group members use the same IV values with the same Data-Security
SA key. SA key.
3.3.2. GM Usage of SIDs
A GM applies the SID to Data Security SA as follows.
1. The most significant bits NUMBER_OF_SID_BITS of the IV are taken
to be the SID field of the IV.
2. The SID is placed in the least significant bits of the SID field,
where any unused most significant bits are set to zero.
4. Header and Payload Formats 4. Header and Payload Formats
Refer to IKEv2 [RFC7296] for existing payloads. Some payloads used Refer to IKEv2 [RFC7296] for existing payloads. Some payloads used
in G-IKEv2 exchanges are not aligned to 4-octet boundaries, which is in G-IKEv2 exchanges are not aligned to 4-octet boundaries, which is
also the case for some IKEv2 payloads (see Section 3.2 of [RFC7296]). also the case for some IKEv2 payloads (see Section 3.2 of [RFC7296]).
4.1. The G-IKEv2 Header 4.1. The G-IKEv2 Header
G-IKEv2 uses the same IKE header format as specified in RFC 7296 G-IKEv2 uses the same IKE header format as specified in RFC 7296
section 3.1. section 3.1.
skipping to change at page 21, line 47 skipping to change at page 22, line 21
SA. Therefore, the GSA KEK policy would not be necessary as part of SA. Therefore, the GSA KEK policy would not be necessary as part of
the GSA_REKEY message. the GSA_REKEY message.
Specifying multiple GSA TEKs allows multiple related data streams Specifying multiple GSA TEKs allows multiple related data streams
(e.g., video, audio, and text) to be associated with a session, but (e.g., video, audio, and text) to be associated with a session, but
each protected with an individual security association policy. each protected with an individual security association policy.
A GAP payload allows for the distribution of group-wise policy, such A GAP payload allows for the distribution of group-wise policy, such
as instructions for when to activate and de-activate SAs. as instructions for when to activate and de-activate SAs.
Policies following the GSA payload use the following common header. Policies are distributed in substructures to the GSA payload, and
include the following header.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | RESERVED | Length | | Type | RESERVED | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type is defined as follows: The payload fields are defined as follows:
ID Class Value o Type (1 octet) -- Identifies the substructure type. In the
following table the terms Reserved, Unassigned, and Private Use
are to be applied as defined in [RFC8126]. The registration
procedure is Expert Review.
Type Value
-------- ----- -------- -----
RESERVED 0 Reserved 0
KEK 1 KEK 1
GAP 2 GAP 2
TEK 3 TEK 3
Expert Review 4-127 Unassigned 4-127
Private Use 128-255 Private Use 128-255
4.5. KEK Policy o RESERVED (1 octet) -- Unused, set to zero.
o Length (2 octets) -- Length in octets of the substructure,
including its header.
4.4.2. KEK Policy
The GSA KEK policy contains security attributes for the KEK method The GSA KEK policy contains security attributes for the KEK method
for a group and parameters specific to the G-IKEv2 registration for a group and parameters specific to the G-IKEv2 registration
operation. The source and destination traffic selectors describe the operation. The source and destination traffic selectors describe the
network identities used for the rekey messages. network identities used for the rekey messages.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 1 ! RESERVED ! Length | | Type = 1 ! RESERVED ! Length |
skipping to change at page 23, line 41 skipping to change at page 24, line 24
IKEv2 registries [IKEV2-IANA]. Valid Transform Types are ENCR, IKEv2 registries [IKEV2-IANA]. Valid Transform Types are ENCR,
INTEG. The Last Substruc value in each Transform Substructure INTEG. The Last Substruc value in each Transform Substructure
will be set to 3 except for the last one in the list, which is set will be set to 3 except for the last one in the list, which is set
to 0. to 0.
o KEK Attributes -- Contains KEK policy attributes associated with o KEK Attributes -- Contains KEK policy attributes associated with
the group. The following sections describe the possible the group. The following sections describe the possible
attributes. Any or all attributes may be optional, depending on attributes. Any or all attributes may be optional, depending on
the group policy. the group policy.
4.5.1. KEK Attributes 4.4.2.1. KEK Attributes
The following attributes may be present in a GSA KEK policy. The The following attributes may be present in a GSA KEK policy. The
attributes must follow the format defined in the IKEv2 [RFC7296] attributes must follow the format defined in the IKEv2 [RFC7296]
section 3.3.5. In the table, attributes that are defined as TV are section 3.3.5. In the table, attributes that are defined as TV are
marked as Basic (B); attributes that are defined as TLV are marked as marked as Basic (B); attributes that are defined as TLV are marked as
Variable (V). The terms Reserved, Unassigned, and Private Use are to Variable (V). The terms Reserved, Unassigned, and Private Use are to
be applied as defined in [RFC8126]. The registration procedure is be applied as defined in [RFC8126]. The registration procedure is
Expert Review. Expert Review.
ID Class Value Type KEK Attributes Value Type
-------- ----- ---- -------------- ----- ----
Reserved 0 Reserved 0
KEK_MANAGEMENT_ALGORITHM 1 B KEK_MANAGEMENT_ALGORITHM 1 B
Reserved 2 Reserved 2
Reserved 3 Reserved 3
KEK_KEY_LIFETIME 4 V KEK_KEY_LIFETIME 4 V
Reserved 5 Reserved 5
KEK_AUTH_METHOD 6 B KEK_AUTH_METHOD 6 B
KEK_AUTH_HASH 7 B KEK_AUTH_HASH 7 B
KEK_MESSAGE_ID 8 V KEK_MESSAGE_ID 8 V
Unassigned 9-16383 Unassigned 9-16383
Private Use 16384-32767 Private Use 16384-32767
The following attributes may only be included in a G-IKEv2 The following attributes may only be included in a G-IKEv2
registration message: KEK_MANAGEMENT_ALGORITHM. registration message: KEK_MANAGEMENT_ALGORITHM.
Minimum attributes that must be sent as part of an GSA KEK: Minimum attributes that must be sent as part of an GSA KEK:
KEK_ENCR_ALGORITHM, KEK_KEY_LENGTH (if the cipher definition includes KEK_ENCR_ALGORITHM, KEK_KEY_LENGTH (if the cipher definition includes
a variable length key), KEK_MESSAGE_ID, KEK_KEY_LIFETIME, a variable length key), KEK_MESSAGE_ID, KEK_KEY_LIFETIME,
KEK_INTEGRITY_ALGORITHM, KEK_AUTH_METHOD, and KEK_AUTH_HASH (except KEK_INTEGRITY_ALGORITHM, KEK_AUTH_METHOD.
for DSA based algorithms).
4.5.1.1. KEK_MANAGEMENT_ALGORITHM 4.4.2.1.1. KEK_MANAGEMENT_ALGORITHM
The KEK_MANAGEMENT_ALGORITHM attribute specifies the group KEK The KEK_MANAGEMENT_ALGORITHM attribute specifies the group KEK
management algorithm used to provide forward or backward access management algorithm used to provide forward or backward access
control (i.e., used to exclude group members). Defined values are control (i.e., used to exclude group members). Defined values are
specified in the following table. The terms Reserved, Unassigned, specified in the following table. The terms Reserved, Unassigned,
and Private Use are to be applied as defined in [RFC8126]. The and Private Use are to be applied as defined in [RFC8126]. The
registration procedure is Expert Review. registration procedure is Expert Review.
KEK Management Type Value KEK Management Type Value
------------------- ----- ------------------- -----
Reserved 0 Reserved 0
LKH 1 LKH 1
Unassigned 2-16383 Unassigned 2-16383
Private Use 16384-32767 Private Use 16384-32767
4.5.1.2. KEK_ENCR_ALGORITHM 4.4.2.1.2. KEK_ENCR_ALGORITHM
The KEK_ENCR_ALGORITHM attribute specifies the encryption algorithm The KEK_ENCR_ALGORITHM attribute specifies the encryption algorithm
used with the KEK. This value is a value from the IKEv2 Transform used with the KEK. This value is a value from the IKEv2 Transform
Type 1 - Encryption Algorithm Transform IDs registry[IKEV2-IANA]. If Type 1 - Encryption Algorithm Transform IDs registry[IKEV2-IANA]. If
a KEK_MANAGEMENT_ALGORITHM is defined which defines multiple keys a KEK_MANAGEMENT_ALGORITHM is defined which defines multiple keys
(e.g., LKH), and if the management algorithm does not specify the (e.g., LKH), and if the management algorithm does not specify the
algorithm for those keys, then the algorithm defined by the algorithm for those keys, then the algorithm defined by the
KEK_ENCR_ALGORITHM attribute MUST be used for all keys which are KEK_ENCR_ALGORITHM attribute MUST be used for all keys which are
included as part of this KEK management. included as part of this KEK management.
4.5.1.3. KEK_KEY_LENGTH 4.4.2.1.3. KEK_KEY_LENGTH
The KEK_KEY_LENGTH attribute specifies the KEK Algorithm key length The KEK_KEY_LENGTH attribute specifies the KEK Algorithm key length
(in bits). (in bits).
The Group Controller/Key Server (GCKS) adds the KEK_KEY_LENGTH The Group Controller/Key Server (GCKS) adds the KEK_KEY_LENGTH
attribute to the GSA payload when distributing KEK policy to group attribute to the GSA payload when distributing KEK policy to group
members. The group member verifies whether or not it has the members. The group member verifies whether or not it has the
capability of using a cipher key of that size. If the cipher capability of using a cipher key of that size. If the cipher
definition includes a fixed key length, the group member can make its definition includes a fixed key length, the group member can make its
decision solely using the KEK_ENCR_ALGORITHM attribute and does not decision solely using the KEK_ENCR_ALGORITHM attribute and does not
need the KEK_KEY_LENGTH attribute. Sending the KEK_KEY_LENGTH need the KEK_KEY_LENGTH attribute. Sending the KEK_KEY_LENGTH
attribute in the GSA payload is OPTIONAL if the KEK cipher has a attribute in the GSA payload is OPTIONAL if the KEK cipher has a
fixed key length. fixed key length.
4.5.1.4. KEK_KEY_LIFETIME 4.4.2.1.4. KEK_KEY_LIFETIME
The KEK_KEY_LIFETIME attribute specifies the maximum time for which The KEK_KEY_LIFETIME attribute specifies the maximum time for which
the KEK is valid. The GCKS may refresh the KEK at any time before the KEK is valid. The GCKS may refresh the KEK at any time before
the end of the valid period. The value is a four (4) octet number the end of the valid period. The value is a four (4) octet number
defining a valid time period in seconds. defining a valid time period in seconds.
4.5.1.5. KEK_INTEGRITY_ALGORITHM 4.4.2.1.5. KEK_INTEGRITY_ALGORITHM
The KEK_INTEGRITY attribute specifies the integrity algorithm used to The KEK_INTEGRITY_ALGORITHM attribute specifies the integrity
protect the rekey message. This integrity algorithm is a value from algorithm used to protect the rekey message. This integrity
the IKEv2 Transform Type 3 - Integrity Algorithm Transform IDs algorithm is a value from the IKEv2 Transform Type 3 - Integrity
registry [IKEV2-IANA]. Algorithm Transform IDs registry [IKEV2-IANA].
4.5.1.6. KEK_AUTH_METHOD 4.4.2.1.6. KEK_AUTH_METHOD
The KEK_AUTH_METHOD attribute specifies the method of authentication The KEK_AUTH_METHOD attribute specifies the method of authentication
used. This value is from the IKEv2 Authentication Method registry used. This value is from the IKEv2 Authentication Method registry
[IKEV2-IANA]. [IKEV2-IANA].
4.5.1.7. KEK_AUTH_HASH 4.4.2.1.7. KEK_AUTH_HASH
The KEK_AUTH_HASH attribute specifies the hash algorithm used to The KEK_AUTH_HASH attribute specifies the hash algorithm used to
generate the AUTH key to authenticate GSA_REKEY messages. Hash generate the AUTH key to authenticate GSA_REKEY messages. Hash
algorithms are defined in IANA registry IKEv2 Hash Algorithms algorithms are defined in IANA registry IKEv2 Hash Algorithms
[IKEV2-IANA]. This attribute can be used by a group member to [IKEV2-IANA].
determine in advance if it supports the algorithm used in the rekey
message.
4.5.1.8. KEK_MESSAGE_ID This attribute SHOULD NOT be sent if the KEK_AUTH_METHOD implies a
particular hash algorithm (e.g., for DSA-based algorithms).
Furthermore, it is not necessary for the GCKS to send it if the GM is
known to support the algorithm because it declared it in a
SIGNATURE_HASH_ALGORITHMS notification during registration.
4.4.2.1.8. KEK_MESSAGE_ID
The KEK_MESSAGE_ID attribute defines the initial Message ID to be The KEK_MESSAGE_ID attribute defines the initial Message ID to be
used by the GCKS in the GSA_REKEY messages. The Message ID is a 4 used by the GCKS in the GSA_REKEY messages. The Message ID is a 4
octet unsigned integer in network byte order. octet unsigned integer in network byte order.
4.6. GSA TEK Policy 4.4.3. GSA TEK Policy
The GSA TEK policy contains security attributes for a single TEK The GSA TEK policy contains security attributes for a single TEK
associated with a group. associated with a group.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 3 | RESERVED | Length | | Type = 3 | RESERVED | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Protocol-ID | TEK Protocol-Specific Payload | | Protocol-ID | TEK Protocol-Specific Payload |
skipping to change at page 27, line 5 skipping to change at page 27, line 42
----------- ----- ----------- -----
Reserved 0 Reserved 0
GSA_PROTO_IPSEC_ESP 1 GSA_PROTO_IPSEC_ESP 1
GSA_PROTO_IPSEC_AH 2 GSA_PROTO_IPSEC_AH 2
Unassigned 3-127 Unassigned 3-127
Private Use 128-255 Private Use 128-255
o TEK Protocol-Specific Payload (variable) -- Payload which o TEK Protocol-Specific Payload (variable) -- Payload which
describes the attributes specific for the Protocol-ID. describes the attributes specific for the Protocol-ID.
4.6.1. TEK ESP and AH Protocol-Specific Policy 4.4.3.1. TEK ESP and AH Protocol-Specific Policy
The TEK Protocol-Specific policy contains two traffic selectors one The TEK Protocol-Specific policy contains two traffic selectors one
for the source and one for the destination of the protected traffic, for the source and one for the destination of the protected traffic,
SPI, Transforms, and Attributes. SPI, Transforms, and Attributes.
The TEK Protocol-Specific policy for ESP and AH is as follows: The TEK Protocol-Specific policy for ESP and AH is as follows:
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
skipping to change at page 28, line 14 skipping to change at page 29, line 5
o TEK Attributes -- Contains the TEK policy attributes associated o TEK Attributes -- Contains the TEK policy attributes associated
with the group, in the format defined in Section 3.3.5 of with the group, in the format defined in Section 3.3.5 of
[RFC7296]. All attributes are optional, depending on the group [RFC7296]. All attributes are optional, depending on the group
policy. policy.
Attribute Types are as follows. The terms Reserved, Unassigned, and Attribute Types are as follows. The terms Reserved, Unassigned, and
Private Use are to be applied as defined in [RFC8126]. The Private Use are to be applied as defined in [RFC8126]. The
registration procedure is Expert Review. registration procedure is Expert Review.
ID Class Value Type TEK Attributes Value Type
-------- ----- ---- -------------- ----- ----
Reserved 0 Reserved 0
TEK_KEY_LIFETIME 1 V TEK_KEY_LIFETIME 1 V
TEK_MODE 2 B TEK_MODE 2 B
Unassigned 3-16383 Unassigned 3-16383
Private Use 16384-32767 Private Use 16384-32767
It is NOT RECOMMENDED that the GCKS distribute both ESP and AH It is NOT RECOMMENDED that the GCKS distribute both ESP and AH
Protocol-Specific Policies for the same set of Traffic Selectors. Protocol-Specific Policies for the same set of Traffic Selectors.
4.6.1.1. TEK_KEY_LIFETIME 4.4.3.1.1. TEK_KEY_LIFETIME
The TEK_KEY_LIFETIME attribute specifies the maximum time for which The TEK_KEY_LIFETIME attribute specifies the maximum time for which
the TEK is valid. When the TEK expires, the AH or ESP security the TEK is valid. When the TEK expires, the AH or ESP security
association and all keys downloaded under the security association association and all keys downloaded under the security association
are discarded. The GCKS may refresh the TEK at any time before the are discarded. The GCKS may refresh the TEK at any time before the
end of the valid period. end of the valid period.
The value is a four (4) octet number defining a valid time period in The value is a four (4) octet number defining a valid time period in
seconds. If unspecified the default value of 28800 seconds (8 hours) seconds. If unspecified the default value of 28800 seconds (8 hours)
shall be assumed. shall be assumed.
4.6.1.2. TEK_MODE 4.4.3.1.2. TEK_MODE
The value of 0 is used for tunnel mode and 1 for transport mode. In The value of 0 is used for tunnel mode and 1 for transport mode. In
the absence of this attribute tunnel mode will be used. the absence of this attribute tunnel mode will be used.
4.7. GSA Group Associated Policy 4.4.4. GSA Group Associated Policy
Group specific policy that does not belong to rekey policy (GSA KEK) Group specific policy that does not belong to rekey policy (GSA KEK)
or traffic encryption policy (GSA TEK) can be distributed to all or traffic encryption policy (GSA TEK) can be distributed to all
group member using GSA GAP (Group Associated Policy). group member using GSA GAP (Group Associated Policy).
The GSA GAP payload is defined as follows: The GSA GAP payload is defined as follows:
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
skipping to change at page 29, line 39 skipping to change at page 30, line 26
registration procedure is Expert Review. registration procedure is Expert Review.
Attribute Type Value Type Attribute Type Value Type
-------------- ----- ---- -------------- ----- ----
Reserved 0 Reserved 0
ACTIVATION_TIME_DELAY 1 B ACTIVATION_TIME_DELAY 1 B
DEACTIVATION_TIME_DELAY 2 B DEACTIVATION_TIME_DELAY 2 B
Unassigned 3-16383 Unassigned 3-16383
Private Use 16384-32767 Private Use 16384-32767
4.7.1. ACTIVATION_TIME_DELAY/DEACTIVATION_TIME_DELAY 4.4.4.1. ACTIVATION_TIME_DELAY/DEACTIVATION_TIME_DELAY
Section 4.2.1 of RFC 5374 specifies a key rollover method that Section 4.2.1 of RFC 5374 specifies a key rollover method that
requires two values be provided to group members. The requires two values be provided to group members. The
ACTIVATION_TIME_DELAY attribute allows a GCKS to set the Activation ACTIVATION_TIME_DELAY attribute allows a GCKS to set the Activation
Time Delay (ATD) for SAs generated from TEKs. The ATD defines how Time Delay (ATD) for SAs generated from TEKs. The ATD defines how
long after receiving new SAs that they are to be activated by the GM. long after receiving new SAs that they are to be activated by the GM.
The ATD value is in seconds. The ATD value is in seconds.
The DEACTIVATION_TIME_DELAY allows the GCKS to set the Deactivation The DEACTIVATION_TIME_DELAY allows the GCKS to set the Deactivation
Time Delay (DTD) for previously distributed SAs. The DTD defines how Time Delay (DTD) for previously distributed SAs. The DTD defines how
long after receiving new SAs it should deactivate SAs that are long after receiving new SAs it should deactivate SAs that are
destroyed by the rekey event. The value is in seconds. destroyed by the rekey event. The value is in seconds.
The values of ATD and DTD are independent. However, the DTD value The values of ATD and DTD are independent. However, the DTD value
should be larger, which allows new SAs to be activated before older should be larger, which allows new SAs to be activated before older
SAs are deactivated. Such a policy ensures that protected group SAs are deactivated. Such a policy ensures that protected group
traffic will always flow without interruption. traffic will always flow without interruption.
4.8. Key Download Payload 4.5. Key Download Payload
The Key Download Payload contains the group keys for the group The Key Download Payload contains the group keys for the group
specified in the GSA Payload. These key download payloads can have specified in the GSA Payload. These key download payloads can have
several security attributes applied to them based upon the security several security attributes applied to them based upon the security
policy of the group as defined by the associated GSA Payload. policy of the group as defined by the associated GSA Payload.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Payload |C| RESERVED | Length | | Next Payload |C| RESERVED | Length |
skipping to change at page 31, line 46 skipping to change at page 32, line 31
SPI as defined by the Protocol-Id. SPI as defined by the Protocol-Id.
o SPI (variable length) -- Security Parameter Index which matches a o SPI (variable length) -- Security Parameter Index which matches a
SPI previously sent in an GSA KEK or GSA TEK Payload. SPI previously sent in an GSA KEK or GSA TEK Payload.
o Key Packet Attributes (variable length) -- Contains Key o Key Packet Attributes (variable length) -- Contains Key
information. The format of this field is specific to the value of information. The format of this field is specific to the value of
the KD Type field. The following sections describe the format of the KD Type field. The following sections describe the format of
each KD Type. each KD Type.
4.8.1. TEK Download Type 4.5.1. TEK Download Type
The following attributes may be present in a TEK Download Type. The following attributes may be present in a TEK Download Type.
Exactly one attribute matching each type sent in the GSA TEK payload Exactly one attribute matching each type sent in the GSA TEK payload
MUST be present. The attributes must follow the format defined in MUST be present. The attributes must follow the format defined in
IKEv2 (Section 3.3.5 of [RFC7296]). In the table, attributes defined IKEv2 (Section 3.3.5 of [RFC7296]). In the table, attributes defined
as TV are marked as Basic (B); attributes defined as TLV are marked as TV are marked as Basic (B); attributes defined as TLV are marked
as Variable (V). The terms Reserved, Unassigned, and Private Use are as Variable (V). The terms Reserved, Unassigned, and Private Use are
to be applied as defined in [RFC8126]. The registration procedure is to be applied as defined in [RFC8126]. The registration procedure is
Expert Review. Expert Review.
skipping to change at page 32, line 22 skipping to change at page 33, line 7
TEK_INTEGRITY_KEY 2 V TEK_INTEGRITY_KEY 2 V
Unassigned 3-16383 Unassigned 3-16383
Private Use 16384-32767 Private Use 16384-32767
It is possible that the GCKS will send no TEK key packets in a It is possible that the GCKS will send no TEK key packets in a
Registration KD payload (as well as no corresponding GSA TEK payloads Registration KD payload (as well as no corresponding GSA TEK payloads
in the GSA payload), after which the TEK payloads will be sent in a in the GSA payload), after which the TEK payloads will be sent in a
rekey message. At least one TEK MUST be included in each Rekey KD rekey message. At least one TEK MUST be included in each Rekey KD
payload. payload.
4.8.1.1. TEK_ALGORITHM_KEY 4.5.1.1. TEK_ALGORITHM_KEY
The TEK_ALGORITHM_KEY class contains encryption keying material for The TEK_ALGORITHM_KEY class contains encryption keying material for
the corresponding SPI. This keying material will be used with the the corresponding SPI. This keying material will be used with the
encryption algorithm specified in the GSA TEK payload, and according encryption algorithm specified in the GSA TEK payload, and according
to the IPsec transform describing that encryption algorithm. The to the IPsec transform describing that encryption algorithm. The
keying material is treated equivalent to IKEv2 KEYMAT derived for keying material is treated equivalent to IKEv2 KEYMAT derived for
that IPsec transform. If the encryption algorithm requires a nonce that IPsec transform. If the encryption algorithm requires a nonce
(e.g., AES-GCM), the nonce is chosen as shown in Section 3.2. (e.g., AES-GCM), the nonce is chosen as shown in Section 3.2.
4.8.1.2. TEK_INTEGRITY_KEY 4.5.1.2. TEK_INTEGRITY_KEY
The TEK_INTEGRITY_KEY class declares that the integrity key for the The TEK_INTEGRITY_KEY class declares that the integrity key for the
corresponding SPI is contained in the Key Packet Attribute. Readers corresponding SPI is contained in the Key Packet Attribute. Readers
should refer to [IKEV2-IANA] for the latest values. should refer to [IKEV2-IANA] for the latest values.
4.8.2. KEK Download Type 4.5.2. KEK Download Type
The following attributes may be present in a KEK Download Type. The following attributes may be present in a KEK Download Type.
Exactly one attribute matching each type sent in the GSA KEK payload Exactly one attribute matching each type sent in the GSA KEK payload
MUST be present. The attributes must follow the format defined in MUST be present. The attributes must follow the format defined in
IKEv2 (Section 3.3.5 of [RFC7296]). In the table, attributes defined IKEv2 (Section 3.3.5 of [RFC7296]). In the table, attributes defined
as TV are marked as Basic (B); attributes defined as TLV are marked as TV are marked as Basic (B); attributes defined as TLV are marked
as Variable (V). The terms Reserved, Unassigned, and Private Use are as Variable (V). The terms Reserved, Unassigned, and Private Use are
to be applied as defined in [RFC8126]. The registration procedure is to be applied as defined in [RFC8126]. The registration procedure is
Expert Review. Expert Review.
skipping to change at page 33, line 17 skipping to change at page 33, line 46
Reserved 0 Reserved 0
KEK_ENCR_KEY 1 V KEK_ENCR_KEY 1 V
KEK_INTEGRITY_KEY 2 V KEK_INTEGRITY_KEY 2 V
KEK_AUTH_KEY 3 V KEK_AUTH_KEY 3 V
Unassigned 4-16383 Unassigned 4-16383
Private Use 16384-32767 Private Use 16384-32767
If the KEK Key Packet is included, there MUST be only one present in If the KEK Key Packet is included, there MUST be only one present in
the KD payload. the KD payload.
4.8.2.1. KEK_ENCR_KEY 4.5.2.1. KEK_ENCR_KEY
The KEK_ENCR_KEY class declares that the encryption key for the The KEK_ENCR_KEY class declares that the encryption key for the
corresponding SPI is contained in the Key Packet Attribute. The corresponding SPI is contained in the Key Packet Attribute. The
encryption algorithm that will use this key was specified in the GSA encryption algorithm that will use this key was specified in the GSA
KEK payload. KEK payload.
If the mode of operation for the algorithm requires an Initialization If the mode of operation for the algorithm requires an Initialization
Vector (IV), an explicit IV MUST be included in the KEK_ENCR_KEY Vector (IV), an explicit IV MUST be included in the KEK_ENCR_KEY
before the actual key. before the actual key.
4.8.2.2. KEK_INTEGRITY_KEY 4.5.2.2. KEK_INTEGRITY_KEY
The KEK_INTEGRITY_KEY class declares the integrity key for this SPI The KEK_INTEGRITY_KEY class declares the integrity key for this SPI
is contained in the Key Packet Attribute. The integrity algorithm is contained in the Key Packet Attribute. The integrity algorithm
that will use this key was specified in the GSA KEK payload. that will use this key was specified in the GSA KEK payload.
4.8.2.3. KEK_AUTH_KEY 4.5.2.3. KEK_AUTH_KEY
The KEK_AUTH_KEY class declares that the authentication key for this The KEK_AUTH_KEY class declares that the authentication key for this
SPI is contained in the Key Packet Attribute. The signature SPI is contained in the Key Packet Attribute. The signature
algorithm that will use this key was specified in the GSA KEK algorithm that will use this key was specified in the GSA KEK
payload. An RSA public key format is defined in RFC 3447, payload. An RSA public key format is defined in RFC 3447,
Section A.1.1. DSS public key format is defined in RFC 3279 Section A.1.1. DSS public key format is defined in RFC 3279
Section 2.3.2. For ECDSA Public keys, use format described in RFC Section 2.3.2. For ECDSA Public keys, use format described in RFC
5480 Section 2.2. 5480 Section 2.2. Other algorithms added to the IKEv2 Authentication
Method registry are also expected to include a format of the public
key included in the algorithm specification.
4.8.3. LKH Download Type 4.5.3. LKH Download Type
The LKH key packet is comprised of attributes representing different The LKH key packet is comprised of attributes representing different
leaves in the LKH key tree. leaves in the LKH key tree.
The following attributes are used to pass an LKH KEK array in the KD The following attributes are used to pass an LKH KEK array in the KD
payload. The attributes must follow the format defined in IKEv2 payload. The attributes must follow the format defined in IKEv2
(Section 3.3.5 of [RFC7296]). In the table, attributes defined as TV (Section 3.3.5 of [RFC7296]). In the table, attributes defined as TV
are marked as Basic (B); attributes defined as TLV are marked as are marked as Basic (B); attributes defined as TLV are marked as
Variable (V). The terms Reserved, Unassigned, and Private Use are to Variable (V). The terms Reserved, Unassigned, and Private Use are to
be applied as defined in [RFC8126]. The registration procedure is be applied as defined in [RFC8126]. The registration procedure is
skipping to change at page 34, line 19 skipping to change at page 35, line 5
------------------ ----- ---- ------------------ ----- ----
Reserved 0 Reserved 0
LKH_DOWNLOAD_ARRAY 1 V LKH_DOWNLOAD_ARRAY 1 V
LKH_UPDATE_ARRAY 2 V LKH_UPDATE_ARRAY 2 V
Unassigned 3-16383 Unassigned 3-16383
Private Use 16384-32767 Private Use 16384-32767
If an LKH key packet is included in the KD payload, there MUST be If an LKH key packet is included in the KD payload, there MUST be
only one present. only one present.
4.8.3.1. LKH_DOWNLOAD_ARRAY 4.5.3.1. LKH_DOWNLOAD_ARRAY
The LKH_DOWNLOAD_ARRAY class is used to download a set of LKH keys to The LKH_DOWNLOAD_ARRAY class is used to download a set of LKH keys to
a group member. It MUST NOT be included in a IKEv2 rekey message KD a group member. It MUST NOT be included in a IKEv2 rekey message KD
payload if the IKEv2 rekey is sent to more than one group member. If payload if the IKEv2 rekey is sent to more than one group member. If
an LKH_DOWNLOAD_ARRAY attribute is included in a KD payload, there an LKH_DOWNLOAD_ARRAY attribute is included in a KD payload, there
MUST be only one present. MUST be only one present.
This attribute consists of a header block, followed by one or more This attribute consists of a header block, followed by one or more
LKH keys. LKH keys.
skipping to change at page 35, line 20 skipping to change at page 35, line 48
| Key Handle | | Key Handle |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ Key Data ~ ~ Key Data ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
o LKH ID (2 octets) -- This is the position of this key in the o LKH ID (2 octets) -- This is the position of this key in the
binary tree structure used by LKH. binary tree structure used by LKH.
o Encr Alg (2 octets) -- This is the encryption algorithm for which o Encr Alg (2 octets) -- This is the encryption algorithm for which
this key data is to be used. This value is specified in this key data is to be used. This value is specified in
Section 4.5.1.2. Section 4.4.2.1.2.
o RESERVED (1 octet) -- Unused, set to zero. o RESERVED (1 octet) -- Unused, set to zero.
o Key Handle (4 octets) -- This is a randomly generated value to o Key Handle (4 octets) -- This is a randomly generated value to
uniquely identify a key within an LKH ID. uniquely identify a key within an LKH ID.
o Key Data (variable length) -- This is the actual encryption key o Key Data (variable length) -- This is the actual encryption key
data, which is dependent on the Encr Alg algorithm for its format. data, which is dependent on the Encr Alg algorithm for its format.
If the mode of operation for the algorithm requires an If the mode of operation for the algorithm requires an
Initialization Vector (IV), an explicit IV MUST be included in the Initialization Vector (IV), an explicit IV MUST be included in the
Key Data field before the actual key. Key Data field before the actual key.
The first LKH Key structure in an LKH_DOWNLOAD_ARRAY attribute The first LKH Key structure in an LKH_DOWNLOAD_ARRAY attribute
contains the Leaf identifier and key for the group member. The rest contains the Leaf identifier and key for the group member. The rest
of the LKH Key structures contain keys along the path of the key tree of the LKH Key structures contain keys along the path of the key tree
in the order starting from the leaf, culminating in the group KEK. in the order starting from the leaf, culminating in the group KEK.
4.8.3.2. LKH_UPDATE_ARRAY 4.5.3.2. LKH_UPDATE_ARRAY
The LKH_UPDATE_ARRAY class is used to update the LKH keys for a The LKH_UPDATE_ARRAY class is used to update the LKH keys for a
group. It is most likely to be included in a G-IKEv2 rekey message group. It is most likely to be included in a G-IKEv2 rekey message
KD payload to rekey the entire group. This attribute consists of a KD payload to rekey the entire group. This attribute consists of a
header block, followed by one or more LKH keys, as defined in header block, followed by one or more LKH keys, as defined in
Section 4.8.3.1. Section 4.5.3.1.
There may be any number of LKH_UPDATE_ARRAY attributes included in a There may be any number of LKH_UPDATE_ARRAY attributes included in a
KD payload. KD payload.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| # of LKH Keys | LKH ID | | # of LKH Keys | LKH ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Key Handle | | Key Handle |
skipping to change at page 36, line 25 skipping to change at page 36, line 50
o Number of LKH Keys (2 octets) -- This value is the number of o Number of LKH Keys (2 octets) -- This value is the number of
distinct LKH keys in this sequence. distinct LKH keys in this sequence.
o LKH ID (2 octets) -- This is the node identifier associated with o LKH ID (2 octets) -- This is the node identifier associated with
the key used to encrypt the first LKH Key. the key used to encrypt the first LKH Key.
o Key Handle (4 octets) -- This is the value that uniquely o Key Handle (4 octets) -- This is the value that uniquely
identifies the key within the LKH ID which was used to encrypt the identifies the key within the LKH ID which was used to encrypt the
first LKH key. first LKH key.
The LKH Keys are as defined in Section 4.8.3.1. The LKH Key The LKH Keys are as defined in Section 4.5.3.1. The LKH Key
structures contain keys along the path of the key tree in the order structures contain keys along the path of the key tree in the order
from the LKH ID found in the LKH_UPDATE_ARRAY header, culminating in from the LKH ID found in the LKH_UPDATE_ARRAY header, culminating in
the group KEK. The Key Data field of each LKH Key is encrypted with the group KEK. The Key Data field of each LKH Key is encrypted with
the LKH key preceding it in the LKH_UPDATE_ARRAY attribute. The the LKH key preceding it in the LKH_UPDATE_ARRAY attribute. The
first LKH Key is encrypted under the key defined by the LKH ID and first LKH Key is encrypted under the key defined by the LKH ID and
Key Handle found in the LKH_UPDATE_ARRAY header. Key Handle found in the LKH_UPDATE_ARRAY header.
4.8.4. SID Download Type 4.5.4. SID Download Type
The SID attribute is used to download one or more Sender-ID (SID) The SID attribute is used to download one or more Sender-ID (SID)
values for the exclusive use of a group member. The terms Reserved, values for the exclusive use of a group member. The terms Reserved,
Unassigned, and Private Use are to be applied as defined in Unassigned, and Private Use are to be applied as defined in
[RFC8126]. The registration procedure is Expert Review. [RFC8126]. The registration procedure is Expert Review.
SID Download Class Value Type SID Download Class Value Type
------------------ ----- ---- ------------------ ----- ----
Reserved 0 Reserved 0
NUMBER_OF_SID_BITS 1 B NUMBER_OF_SID_BITS 1 B
SID_VALUE 2 V SID_VALUE 2 V
Unassigned 3-16383 Unassigned 3-16383
Private Use 16384-32767 Private Use 16384-32767
Because a SID value is intended for a single group member, the SID Because a SID value is intended for a single group member, the SID
Download type MUST NOT be distributed in a GSA_REKEY message Download type MUST NOT be distributed in a GSA_REKEY message
distributed to multiple group members. distributed to multiple group members.
4.8.4.1. NUMBER_OF_SID_BITS 4.5.4.1. NUMBER_OF_SID_BITS
The NUMBER_OF_SID_BITS class declares how many bits of the cipher The NUMBER_OF_SID_BITS class declares how many bits of the cipher
nonce in which to represent an SID value. This value is applied to nonce in which to represent an SID value. The bits are applied as
each SID value distributed in the SID Download. the most significant bits of the IV, as shown in Figure 1 of
[RFC6054] and specified in Section 3.3.2. Guidance for a GCKS
choosing the NUMBER_OF_SID_BITS is provided in Section 3 of
[RFC6054].
4.8.4.2. SID_VALUE This value is applied to each SID value distributed in the SID
Download.
4.5.4.2. SID_VALUE
The SID_VALUE class declares a single SID value for the exclusive use The SID_VALUE class declares a single SID value for the exclusive use
of this group member. Multiple SID_VALUE attributes MAY be included of this group member. Multiple SID_VALUE attributes MAY be included
in a SID Download. in a SID Download.
4.8.4.3. GM Semantics 4.5.4.3. GM Semantics
The SID_VALUE attribute value distributed to the group member MUST be The SID_VALUE attribute value distributed to the group member MUST be
used by that group member as the SID field portion of the IV for all used by that group member as the SID field portion of the IV for all
Data-Security SAs including a counter-based mode of operation Data-Security SAs including a counter-based mode of operation
distributed by the GCKS as a part of this group. When the Sender- distributed by the GCKS as a part of this group. When the Sender-
Specific IV (SSIV) field for any Data-Security SA is exhausted, the Specific IV (SSIV) field for any Data-Security SA is exhausted, the
group member MUST NOT act as a sender on that SA using its active group member MUST NOT act as a sender on that SA using its active
SID. The group member SHOULD re-register, at which time the GCKS SID. The group member SHOULD re-register, at which time the GCKS
will issue a new SID to the group member, along with either the same will issue a new SID to the group member, along with either the same
Data-Security SAs or replacement ones. The new SID replaces the Data-Security SAs or replacement ones. The new SID replaces the
existing SID used by this group member, and also resets the SSIV existing SID used by this group member, and also resets the SSIV
value to its starting value. A group member MAY re-register prior to value to its starting value. A group member MAY re-register prior to
the actual exhaustion of the SSIV field to avoid dropping data the actual exhaustion of the SSIV field to avoid dropping data
packets due to the exhaustion of available SSIV values combined with packets due to the exhaustion of available SSIV values combined with
a particular SID value. a particular SID value.
A group member MUST ignore an SID Download Type KD payload present in A group member MUST ignore an SID Download Type KD payload present in
a GSA-REKEY message, otherwise more than one GM may end up using the a GSA-REKEY message, otherwise more than one GM may end up using the
same SID. same SID.
4.8.4.4. GCKS Semantics 4.5.4.4. GCKS Semantics
If any KD payload includes keying material that is associated with a If any KD payload includes keying material that is associated with a
counter-mode of operation, an SID Download Type KD payload containing counter-mode of operation, an SID Download Type KD payload containing
at least one SID_VALUE attribute MUST be included. The GCKS MUST NOT at least one SID_VALUE attribute MUST be included. The GCKS MUST NOT
send the SID Download Type KD payload as part of a GSA_REKEY message, send the SID Download Type KD payload as part of a GSA_REKEY message,
because distributing the same sender-specific policy to more than one because distributing the same sender-specific policy to more than one
group member will reduce the security of the group. group member will reduce the security of the group.
4.9. Delete Payload 4.6. Delete Payload
There are occasions when the GCKS may want to signal to group members There are occasions when the GCKS may want to signal to group members
to delete policy at the end of a broadcast, or if policy has changed. to delete policy at the end of a broadcast, if group policy has
Deletion of keys MAY be accomplished by sending an IKEv2 Delete changed, or the GCKS needs to reset the policy and keying material
Payload, section 3.11 of [RFC7296] as part of the GSA_AUTH or for the group due to an emergency. Deletion of keys MAY be
GSA_REKEY Exchange. One or more Delete payloads MAY be placed accomplished by sending an IKEv2 Delete Payload, section 3.11 of
following the HDR payload in the GSA_AUTH or GSA_REKEY Exchange. [RFC7296] as part of a registration or rekey Exchange. Whenever an
SA is to be deleted, the GKCS SHOULD send the Delete Payload in both
registration and rekey exchanges, because GMs with previous group
policy may contact the GCKS using either exchange.
The Protocol ID MUST be 41 for GSA_REKEY Exchange, 2 for AH or 3 for The Protocol ID MUST be 41 for GSA_REKEY Exchange, 2 for AH or 3 for
ESP. Note that only one protocol id value can be defined in a Delete ESP. Note that only one protocol id value can be defined in a Delete
payload. If a TEK and a KEK SA for GSA_REKEY Exchange must be payload. If a TEK and a KEK SA for GSA_REKEY Exchange must be
deleted, they must be sent in different Delete payloads. Similarly, deleted, they must be sent in different Delete payloads. Similarly,
if a TEK specifying ESP and a TEK specifying AH need to be deleted, if a TEK specifying ESP and a TEK specifying AH need to be deleted,
they must be sent in different Delete payloads. they must be sent in different Delete payloads.
There may be circumstances where the GCKS may want to reset the There may be circumstances where the GCKS may want to reset the
policy and keying material for the group. The GCKS can signal policy and keying material for the group. The GCKS can signal
deletion of all policy of a particular TEK by sending a TEK with a deletion of all policy of a particular TEK by sending a TEK with a
SPI value equal to zero in the delete payload. In the event that the SPI value equal to zero in the delete payload. In the event that the
administrator is no longer confident in the integrity of the group administrator is no longer confident in the integrity of the group
they may wish to remove all KEK and all the TEKs in the group. This they may wish to remove all KEK and all the TEKs in the group. This
is done by having the GCKS send a delete payload with a SPI of zero is done by having the GCKS send a delete payload with a SPI of zero
and a Protocol-ID of AH or ESP to delete all TEKs, followed by and a Protocol-ID of AH or ESP to delete all TEKs, followed by
another delete payload with a SPI value of zero and Protocol-ID of another delete payload with a SPI value of zero and Protocol-ID of
KEK SA to delete the KEK SA. KEK SA to delete the KEK SA.
4.10. Notify Payload 4.7. Notify Payload
G-IKEv2 uses the same Notify payload as specified in [RFC7296], G-IKEv2 uses the same Notify payload as specified in [RFC7296],
section 3.10. section 3.10.
There are additional Notify Message types introduced by G-IKEv2 to There are additional Notify Message types introduced by G-IKEv2 to
communicate error conditions and status. communicate error conditions and status.
NOTIFY messages - error types Value NOTIFY messages - error types Value
------------------------------------------------------------------- -------------------------------------------------------------------
INVALID_GROUP_ID - 45 INVALID_GROUP_ID - 45
Indicates the group id sent during the registration process is Indicates the group id sent during the registration process is
invalid. invalid.
AUTHORIZATION_FAILED - 46 AUTHORIZATION_FAILED - 46
Sent in the response to a GSA_AUTH message when authorization failed. Sent in the response to a GSA_AUTH message when authorization
failed.
REGISTRATION_FAILED - TBD-1
Sent by the GCKS when the GM registration request cannot be
satisfied.
NOTIFY messages - status types Value NOTIFY messages - status types Value
------------------------------------------------------------------- -------------------------------------------------------------------
SENDER_ID_REQUEST - 16429 SENDER - 16429
Sent in GSA_AUTH or GSA_REGISTRATION to request SIDs from the GCKS. Sent in GSA_AUTH or GSA_REGISTRATION to indicate that the GM
The data includes a count of how many SID values it desires. intends to be sender of data traffic. The data includes a count of
how many SID values the GM desires. The count MUST be 4 octets long
and contain the big endian representation of the number of
requested SIDs.
4.11. Authentication Payload 4.8. Authentication Payload
G-IKEv2 uses the same Authentication payload as specified in G-IKEv2 uses the same Authentication payload as specified in
[RFC7296], section 3.8, to sign the rekey message. [RFC7296], section 3.8, to sign the rekey message.
5. Security Considerations 5. Security Considerations
5.1. GSA registration and secure channel 5.1. GSA registration and secure channel
G-IKEv2 registration exchange uses IKEv2 IKE_SA_INIT protocols, G-IKEv2 registration exchange uses IKEv2 IKE_SA_INIT protocols,
inheriting all the security considerations documented in [RFC7296] inheriting all the security considerations documented in [RFC7296]
section 5 Security Considerations, including authentication, section 5 Security Considerations, including authentication,
confidentiality, protection against man-in-the-middle, protection confidentiality, protection against man-in-the-middle, protection
against replay/reflection attacks, and denial of service protection. against replay/reflection attacks, and denial of service protection.
The GSA_AUTH and GSA_REGISTRATION exchanges also take advantage of The GSA_AUTH and GSA_REGISTRATION exchanges also take advantage of
those protections. In addition, G-IKEv2 brings in the capability to those protections. In addition, G-IKEv2 brings in the capability to
authorize a particular group member regardless of whether they have authorize a particular group member regardless of whether they have
skipping to change at page 40, line 20 skipping to change at page 41, line 17
6.1. New registries 6.1. New registries
A new set of registries should be created for G-IKEv2, on a new page A new set of registries should be created for G-IKEv2, on a new page
titled Group Key Management using IKEv2 (G-IKEv2) Parameters. The titled Group Key Management using IKEv2 (G-IKEv2) Parameters. The
following registries should be placed on that page. The terms following registries should be placed on that page. The terms
Reserved, Expert Review and Private Use are to be applied as defined Reserved, Expert Review and Private Use are to be applied as defined
in [RFC8126]. in [RFC8126].
GSA Policy Type Registry, see Section 4.4.1 GSA Policy Type Registry, see Section 4.4.1
KEK Attributes Registry, see Section 4.5.1 KEK Attributes Registry, see Section 4.4.2.1
KEK Management Algorithm Registry, see Section 4.5.1.1 KEK Management Algorithm Registry, see Section 4.4.2.1.1
GSA TEK Payload Protocol ID Type Registry, see Section 4.6 GSA TEK Payload Protocol ID Type Registry, see Section 4.4.3
TEK Attributes Registry, see Section 4.6 TEK Attributes Registry, see Section 4.4.3
Key Download Type Registry, see Section 4.8 Key Download Type Registry, see Section 4.5
TEK Download Type Attributes Registry, see Section 4.8.1 TEK Download Type Attributes Registry, see Section 4.5.1
KEK Download Type Attributes Registry, see Section 4.8.2 KEK Download Type Attributes Registry, see Section 4.5.2
LKH Download Type Attributes Registry, see Section 4.8.3 LKH Download Type Attributes Registry, see Section 4.5.3
SID Download Type Attributes Registry, see Section 4.8.4 SID Download Type Attributes Registry, see Section 4.5.4
6.2. New payload and exchange types added to the existing IKEv2 6.2. New payload and exchange types added to the existing IKEv2
registry registry
The following new payloads and exchange types specified in this memo The following new payloads and exchange types specified in this memo
have already been allocated by IANA and require no further action, have already been allocated by IANA and require no further action,
other than replacing the draft name with an RFC number. other than replacing the draft name with an RFC number.
The present document describes new IKEv2 Next Payload types, see The present document describes new IKEv2 Next Payload types, see
Section 4.1 Section 4.1
skipping to change at page 41, line 4 skipping to change at page 41, line 47
The following new payloads and exchange types specified in this memo The following new payloads and exchange types specified in this memo
have already been allocated by IANA and require no further action, have already been allocated by IANA and require no further action,
other than replacing the draft name with an RFC number. other than replacing the draft name with an RFC number.
The present document describes new IKEv2 Next Payload types, see The present document describes new IKEv2 Next Payload types, see
Section 4.1 Section 4.1
The present document describes new IKEv2 Exchanges types, see The present document describes new IKEv2 Exchanges types, see
Section 4.1 Section 4.1
The present document describes new IKEv2 notification types, see The present document describes new IKEv2 notification types, see
Section 4.10 Section 4.7
6.3. Changes to previous allocations
Section 4.7 indicates an allocation in the IKEv2 Notify Message Types
- Status Types registry has been made. This NOTIFY type was
allocated earlier in the development of G-IKEv2. The number is
16429, and was allocated with the name SENDER_REQUEST_ID. The name
should be changed to SENDER.
7. Acknowledgements 7. Acknowledgements
The authors thank Lakshminath Dondeti and Jing Xiang for first The authors thank Lakshminath Dondeti and Jing Xiang for first
exploring the use of IKEv2 for group key management and providing the exploring the use of IKEv2 for group key management and providing the
basis behind the protocol. Mike Sullenberger and Amjad Inamdar were basis behind the protocol. Mike Sullenberger and Amjad Inamdar were
instrumental in helping resolve many issues in several versions of instrumental in helping resolve many issues in several versions of
the document. the document.
8. Contributors 8. Contributors
skipping to change at page 43, line 19 skipping to change at page 44, line 19
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
9.2. Informative References 9.2. Informative References
[I-D.ietf-ipsecme-qr-ikev2] [I-D.ietf-ipsecme-qr-ikev2]
Fluhrer, S., McGrew, D., Kampanakis, P., and V. Smyslov, Fluhrer, S., McGrew, D., Kampanakis, P., and V. Smyslov,
"Postquantum Preshared Keys for IKEv2", draft-ietf- "Postquantum Preshared Keys for IKEv2", draft-ietf-
ipsecme-qr-ikev2-04 (work in progress), July 2018. ipsecme-qr-ikev2-07 (work in progress), January 2019.
[IKEV2-IANA] [IKEV2-IANA]
IANA, "Internet Key Exchange Version 2 (IKEv2) IANA, "Internet Key Exchange Version 2 (IKEv2)
Parameters", February 2016, Parameters", February 2016,
<http://www.iana.org/assignments/ikev2-parameters/ <http://www.iana.org/assignments/ikev2-parameters/
ikev2-parameters.xhtml#ikev2-parameters-7>. ikev2-parameters.xhtml#ikev2-parameters-7>.
[NNL] Naor, D., Noal, M., and J. Lotspiech, "Revocation and [NNL] Naor, D., Noal, M., and J. Lotspiech, "Revocation and
Tracing Schemes for Stateless Receivers", Advances in Tracing Schemes for Stateless Receivers", Advances in
Cryptology, Crypto '01, Springer-Verlag LNCS 2139, 2001, Cryptology, Crypto '01, Springer-Verlag LNCS 2139, 2001,
skipping to change at page 46, line 36 skipping to change at page 47, line 36
+---------------+ +---------------+ +---------------+ +---------------+
4' 5 6 7 4' 5 6 7
+---+ +-------+ +--------+ +--------+ +---+ +-------+ +--------+ +--------+
A B C D E F G H A B C D E F G H
Figure 4: LKH tree after B has been excluded Figure 4: LKH tree after B has been excluded
Authors' Addresses Authors' Addresses
Brian Weis Brian Weis
Cisco Systems Independent
170 W. Tasman Drive
San Jose, California 95134-1706
USA USA
Phone: +1-408-526-4796 Email: bew.stds@gmail.com
Email: bew@cisco.com
Valery Smyslov Valery Smyslov
ELVIS-PLUS ELVIS-PLUS
PO Box 81 PO Box 81
Moscow (Zelenograd) 124460 Moscow (Zelenograd) 124460
Russian Federation Russian Federation
Phone: +7 495 276 0211 Phone: +7 495 276 0211
Email: svan@elvis.ru Email: svan@elvis.ru
 End of changes. 94 change blocks. 
173 lines changed or deleted 231 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/