Network Working Group                                            B. Weis                                         V. Smyslov
Internet-Draft                                               Independent                                                ELVIS-PLUS
Obsoletes: 6407 (if approved)                                 V. Smyslov                                    B. Weis
Intended status: Standards Track                              ELVIS-PLUS                             Independent
Expires: July 12, 2020 January 9, 14, 2021                                  July 13, 2020

                    Group Key Management using IKEv2
                     draft-ietf-ipsecme-g-ikev2-00
                     draft-ietf-ipsecme-g-ikev2-01

Abstract

   This document presents a set an extension to the Internet Key Exchange
   version 2 (IKEv2) protocol for the purpose of IKEv2 exchanges that comprise a group key management protocol. management.
   The protocol is in conformance with the Multicast Security (MSEC) key
   management architecture, which contains two components: member
   registration and group rekeying.  Both components require a Group
   Controller/Key Server to download IPsec group security associations
   to authorized members of a group.  The group members then exchange IP
   multicast or other group traffic as IPsec packets.  This document
   obsoletes RFC 6407.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on July 12, 2020. January 14, 2021.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction and Overview . . . . . . . . . . . . . . . . . .   3
     1.1.  Requirements Language . . . . . . . . . . . . . . . . . .   5
     1.2.  G-IKEv2 Integration into IKEv2 Protocol . . . . . . . . .   5
       1.2.1.  G-IKEv2 Transport and Port  . . . . . . . . . . . . .   5   6
       1.2.2.  IKEv2 Header Initialization . . . . . . . . . . . . .   6
     1.3.  G-IKEv2 Protocol  . . . . . . . . . . . . . . . . . . . .   6
       1.3.1.  G-IKEv2 Payloads  . . . . . . . . . . . . . . . . . .   6
     1.4.  G-IKEv2 Member Registration and Secure Channel
           Establishment . . . . . . . . . . . . . . . . . . . . . .   7
       1.4.1.  GSA_AUTH exchange . . . . . . . . . . . . . . . . . .   7
       1.4.2.  GSA_REGISTRATION Exchange . . . . . . . . . . . . . .   9
       1.4.3.  GM Registration Operations  . . . . . . . . . . . . .  10
       1.4.4.  GCKS Registration Operations  . . . . . . . . . . . .  11  12
       1.4.5.  Group Maintenance Channel . . . . . . . . . . . . . .  12  13
       1.4.6.  Counter-based modes of operation  . . . . . . . . . .  19
     1.5.  Interaction with IKEv2 Protocol Extensions  20
   2.  Group Key Management and Access Control . . . . . . .  21
       1.5.1.  Postquantum Preshared Keys for IKEv2 . . . .  22
     2.1.  Key Wrap Keys . . . . .  21
   2.  Header and Payload Formats . . . . . . . . . . . . . . . . .  23
     2.1.  The G-IKEv2 Header
       2.1.1.  Default Key Wrap Key  . . . . . . . . . . . . . . . .  23
     2.2.  GCKS Key Management Semantics . . . . . . . . . .  23
     2.2.  Group Identification (IDg) Payload . . . .  23
       2.2.1.  Forward Access Control Requirements . . . . . . . . .  24
     2.3.  Security Association -  GM Supported Transforms (SAg) Key Management Semantics . .  24
     2.4.  Group Security Association Payload . . . . . . . . . . .  24
       2.4.1.  GSA Policy . .  25
     2.4.  Group SA Keys . . . . . . . . . . . . . . . . . . . .  25
       2.4.2.  KEK Policy . .  26
   3.  Header and Payload Formats  . . . . . . . . . . . . . . . . .  27
     3.1.  G-IKEv2 Header  . .  26
       2.4.3.  GSA TEK Policy . . . . . . . . . . . . . . . . . . .  30
       2.4.4.  GSA  27
     3.2.  Group Associated Policy Identification Payload  . . . . . . . . . . . . .  33
     2.5.  Key Download .  27
     3.3.  Security Association - GM Supported Transforms Payload  .  27
     3.4.  Group Security Association Payload  . . . . . . . . . . .  28
       3.4.1.  Group Policies  . . . . . . .  34
       2.5.1.  TEK Download Type . . . . . . . . . . . .  28
       3.4.2.  Group Security Association Policy Substructure  . . .  29
       3.4.3.  Group Associated Policy Substructure  . . . . . . . .  36
       2.5.2.  KEK  35
     3.5.  Key Download Type Payload  . . . . . . . . . . . . . . . . . .  37
       2.5.3.  LKH Download Type
       3.5.1.  Wrapped Key Format  . . . . . . . . . . . . . . . . .  37
       3.5.2.  Group Key Packet Substructure . .  38
       2.5.4.  SID Download Type . . . . . . . . . .  39
       3.5.3.  Member Key Packet Substructure  . . . . . . . . . . .  40
     2.6.
     3.6.  Delete Payload  . . . . . . . . . . . . . . . . . . . . .  42
     2.7.  43
     3.7.  Notify Payload  . . . . . . . . . . . . . . . . . . . . .  42
     2.8.  43
       3.7.1.  USE_TRANSPORT_MODE Notification . . . . . . . . . . .  44
     3.8.  Authentication Payload  . . . . . . . . . . . . . . . . .  43
   3.  45
   4.  Interaction with other IKEv2 Protocol Extensions  . . . . . .  45
     4.1.  Mixing Preshared Keys in IKEv2 for Post-quantum Security   45

   5.  Security Considerations . . . . . . . . . . . . . . . . . . .  43
     3.1.  47
     5.1.  GSA Registration and Secure Channel . . . . . . . . . . .  43
     3.2.  47
     5.2.  GSA Maintenance Channel . . . . . . . . . . . . . . . . .  44
       3.2.1.  47
       5.2.1.  Authentication/Authorization  . . . . . . . . . . . .  44
       3.2.2.  47
       5.2.2.  Confidentiality . . . . . . . . . . . . . . . . . . .  44
       3.2.3.  47
       5.2.3.  Man-in-the-Middle Attack Protection . . . . . . . . .  44
       3.2.4.  48
       5.2.4.  Replay/Reflection Attack Protection . . . . . . . . .  44

   4.  48
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  44
     4.1.  48
     6.1.  New Registries  . . . . . . . . . . . . . . . . . . . . .  44
     4.2.  New Payload and Exchange Types Added to  48
     6.2.  Changes in the Existing IKEv2 Registry  . Registries  . . . . . . . .  50
   7.  Acknowledgements  . . . . . . . . . . . .  45
     4.3.  Changes to Previous Allocations . . . . . . . . . .  51
   8.  Contributors  . . .  45
   5.  Acknowledgements . . . . . . . . . . . . . . . . . . . . .  51
   9.  References  .  45
   6.  Contributors . . . . . . . . . . . . . . . . . . . . . . . .  46
   7.  52
     9.1.  Normative References  . . . . . . . . . . . . . . . . . .  52
     9.2.  Informative References  . . . . . . .  46
     7.1.  Normative References  . . . . . . . . . . .  53
   Appendix A.  Use of LKH in G-IKEv2  . . . . . . .  47
     7.2.  Informative References . . . . . . . .  56
     A.1.  Notation  . . . . . . . . .  48
   Appendix A.  Use of LKH in G-IKEv2 . . . . . . . . . . . . . . .  50
     A.1.  56
     A.2.  Group Creation  . . . . . . . . . . . . . . . . . . . . .  50
     A.2.  56
     A.3.  Simple Group SA Rekey . . . . . . . . . . . . . . . . . .  57
     A.4.  Group Member Exclusion  . . . . . . . . . . . . . . . . .  51  58
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  52  59

1.  Introduction and Overview

   A group key management protocol provides IPsec keys and policy to a
   set of IPsec devices which are authorized to communicate using a
   Group Security Association (GSA) defined in [RFC3740].  The data
   communications within the group (e.g., IP multicast packets) are
   protected by a key pushed to the group members (GMs) by the Group
   Controller/Key Server (GCKS).  This document presents a set of an extension to
   IKEv2 [RFC7296] exchanges called G-IKEv2, that comprise allows to perform a group key
   management.

   G-IKEv2 conforms to the Multicast Group Security Architecture
   [RFC3740], Multicast Extensions to the Security Architecture for the
   Internet Protocol [RFC5374] and the Multicast Security (MSEC) Group
   Key Management Architecture [RFC4046].  G-IKEv2 replaces GDOI
   [RFC6407], which defines a similar group key management protocol. protocol
   using IKEv1 [RFC2409] (since deprecated by IKEv2).  When G-IKEv2 is
   used, group key management use cases can benefit from the simplicity,
   increased robustness and cryptographic improvements of IKEv2 (see
   Appendix A of [RFC7296].

   A GM begins a "registration" exchange when it first joins the group.
   With G-IKEv2, the GCKS authenticates and authorizes GMs, then pushes
   policy and keys used by the group to the GM.  G-IKEv2 includes two
   "registration" exchanges.  The first is the GSA_AUTH exchange (
   Section 1.4.1), which follows an IKE_SA_INIT exchange.  The second is
   the GSA_REGISTRATION exchange ( Section (Section 1.4.2), which a GM can use
   within an established IKE SA.  Group rekeys are accomplished using
   either the GSA_REKEY exchange pseudo-exchange (a single message distributed to
   all GMs, usually as a multicast message), or as a GSA_INBAND_REKEY
   exchange delivered individually to group members using existing IKE
   SAs).

   Large and small groups may use different sets of these protocols.
   When a large group of devices are communicating, the GCKS is likely
   to use the GSA_REKEY message for efficiency.  This is shown in
   Figure 1.  (Note: For clarity, IKE_SA_INIT is omitted from the
   figure.)

                                +--------+
                 +------------->|  GCKS  |<-------------+
                 |              +--------+              |
                 |                |    ^                |
                 |                |    |                |
                 |                | GSA_AUTH            |
                 |                |   or                |
                 |                | GSA_REGISTRATION    |
                 |                |    |                |
              GSA_AUTH            |    |             GSA_AUTH
                or           GSA_REKEY |               or
          GSA_REGISTRATION        |    |         GSA_REGISTRATION
                 |                |    |                |
                 |   +------------+-----------------+   |
                 |   |            |    |            |   |
                 v   v            v    v            v   v
               +-------+        +--------+        +-------+
               |  GM   |  ...   |   GM   |  ...   |  GM   |
               +-------+        +--------+        +-------+
                   ^                 ^                ^
                   |                 |                |
                   +-------ESP-------+-------ESP------+

                  Figure 1: G-IKEv2 used in large groups

   Alternatively, a small group may simply use the GSA_AUTH as a
   registration protocol, where the GCKS issues rekeys using the
   GSA_INBAND_REKEY within the same IKEv2 SA.  The GCKS is also likely
   to be a GM in a small group (as shown in Figure 2.)
                          GSA_AUTH, GSA_INBAND_REKEY
            +-----------------------------------------------+
            |                                               |
            |         GSA_AUTH, GSA_INBAND_REKEY            |
            |   +-----------------------------+             |
            |   |                             |             |
            |   | GSA_AUTH, GSA_INBAND_REKEY  |             |
            |   |   +--------+                |             |
            v   v   v        v                v             v
           +---------+    +----+           +----+        +----+
           | GCKS/GM |    | GM |           | GM |        | GM |
           +---------+    +----+           +----+        +----+
                ^            ^                ^             ^
                |            |                |             |
                +----ESP-----+------ESP-------+-----ESP-----+

                  Figure 2: G-IKEv2 used in small groups

   IKEv2 message semantics are preserved in that all communications
   consists of message request-response pairs.  The exception to this
   rule is the GSA_REKEY exchange, pseudo-exchange, which is a single message
   delivering group updates to the GMs.

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

1.2.  G-IKEv2 conforms with the Multicast Group Security Architecture
   [RFC3740], and the Multicast Security (MSEC) Group Key Management
   Architecture [RFC4046].  G-IKEv2 replaces GDOI [RFC6407], which
   defines a similar group key management protocol using IKEv1 [RFC2409]
   (since deprecated by IKEv2).  When G-IKEv2 is used, group key
   management use cases can benefit from the simplicity, increased
   robustness and cryptographic improvements of IKEv2 (see Appendix A of
   [RFC7296].

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

1.2.  G-IKEv2 Integration into IKEv2 Protocol

   G-IKEv2 uses Integration into IKEv2 Protocol

   G-IKEv2 uses the security mechanisms of IKEv2 (peer authentication,
   confidentiality, message integrity) to ensure that only authenticated
   devices have access to the group policy and keys.  The G-IKEv2
   exchange further provides group authorization, and secure policy and
   key download from the GCKS to GMs.  Some IKEv2 extensions require
   special handling if used with G-IKEv2.  See Section 1.5 4 for more
   details.

   It is assumed that readers are familiar with the IKEv2 protocol, so
   this document skips many details that are described in [RFC7296].

1.2.1.  G-IKEv2 Transport and Port

   G-IKEv2 SHOULD use UDP port 848, the same as GDOI [RFC6407], because
   they serve a similar function.  They can use the same ports, just as
   IKEv1 and IKEv2 can share port 500.  The version number in the IKE
   header distinguishes the G-IKEv2 protocol from GDOI protocol
   [RFC6407].  G-IKEv2 MAY also use the IKEv2 ports (500, 4500), which
   would provide a better integration with IKEv2.  G-IKEv2 MAY also use
   TCP transport for registration (unicast) IKE SA, as defined in
   [RFC8229].

1.2.2.  IKEv2 Header Initialization

   The Major Version is (2) and Minor Version is (0) according to IKEv2
   [RFC7296], and maintained in this document.  The G-IKEv2 IKE_SA_INIT,
   GSA_AUTH, GSA_REGISTRATION and GSA_INBAND_REKEY use the IKE SPI
   according to IKEv2 [RFC7296], section 2.6.

1.3.  G-IKEv2 Protocol

1.3.1.  G-IKEv2 Payloads

   In the following descriptions, the payloads contained in the G-IKEv2
   messages are indicated by names as listed below.

        Notation      Payload
       ------------------------------------------------------------
        AUTH          Authentication
        CERT          Certificate
        CERTREQ       Certificate Request
        D             Delete
        GSA           Group Security Association
        HDR           IKEv2 Header
        IDg           Identification - Group
        IDi           Identification - Initiator
        IDr           Identification - Responder
        KD            Key Download
        KE            Key Exchange
        Ni, Nr        Nonce
        N             Notify
        SA            Security Association
        SAg           Security Association - GM Supported Transforms

   Payloads defined as part of other IKEv2 extensions MAY also be
   included in these messages.  Payloads that may optionally appear in
   G-IKEv2 messages will be shown in brackets, such as [ CERTREQ ], to indicate that a
   certificate request payload can optionally be included. [CERTREQ].

   G-IKEv2 defines several new payloads not used in IKEv2:

   o  IDg (Group ID) - The GM requests the GCKS for membership into the
      group by sending its IDg payload.

   o  GSA (Group Security Association) - The GCKS sends the group policy
      to the GM using this payload.

   o  KD (Key Download) - The GCKS sends the control and data keys and the security
      parameters to the GM GMs using the KD payload.

   o  SAg (Security Association - GM Supported Transforms) - the GM
      sends supported transforms, so that GCKS may select a policy
      appropriate for all members of the group.

   The details of the contents of each payload are described in
   Section 2. 3.

1.4.  G-IKEv2 Member Registration and Secure Channel Establishment

   The registration protocol consists of a minimum of two messages
   exchanges, IKE_SA_INIT and GSA_AUTH; member registration may have a
   few more messages exchanged if the EAP method, cookie challenge (for
   DoS protection) or negotiation of Diffie-Hellman group is included.
   Each exchange consists of request/response pairs.  The first exchange
   IKE_SA_INIT is defined in IKEv2 [RFC7296].  This exchange negotiates
   cryptographic algorithms, exchanges nonces and does a Diffie-Hellman
   exchange between the group member (GM) and the Group Controller/Key
   Server (GCKS).

   The second exchange GSA_AUTH authenticates the previous messages,
   exchanges identities and certificates.  These messages are encrypted
   and integrity protected with keys established through the IKE_SA_INIT
   exchange, so the identities are hidden from eavesdroppers and all
   fields in all the messages are authenticated.  The GCKS SHOULD
   authorize group members to be allowed into the group as part of the
   GSA_AUTH exchange.  Once the GCKS accepts a group member to join a
   group it will download the data security keys (TEKs) and/or group key
   encrypting key (KEK) or KEK array as part of the GSA_AUTH response
   message.

1.4.1.  GSA_AUTH exchange

   After the group member and GCKS use the IKE_SA_INIT exchange to
   negotiate cryptographic algorithms, exchange nonces, and perform a
   Diffie-Hellman exchange as defined in IKEv2 [RFC7296], the GSA_AUTH
   exchange MUST complete before any other exchanges can be done.  The
   security properties of the GSA_AUTH exchange are the same as the
   properties of the IKE_AUTH exchange.  It is used to authenticate the
   IKE_SA_INIT messages, exchange identities and certificates.  G-IKEv2
   also uses this exchange for group member registration and
   authorization.  Even though the IKE_AUTH does contain the SA2, TSi,
   and TSr payload the GSA_AUTH does not.  They are not needed because
   policy is not negotiated between the group member and the GCKS, but
   instead downloaded from the GCKS to the group member.

    Initiator (Member)                              Responder (GCKS)
   --------------------                            ------------------
    HDR, SK { IDi, SK{IDi, [CERT,] [CERTREQ, ] [IDr, ] [CERTREQ,] [IDr,]
             AUTH, IDg, [SAg, ] [N ] } [SAg,] [N]}        -->

                        Figure 3: GSA_AUTH Request

   After the IKE_SA_INIT exchange completes, the group member initiates
   a GSA_AUTH request to join a group indicated by the IDg payload.  The
   GM MAY include an SAg payload declaring which Transforms that it is
   willing to accept.  A GM that intends to emit data packets SHOULD
   include a Notify payload status type of SENDER, which enables the
   GCKS to provide any additional policy necessary by group senders.

    Initiator (Member)             Responder (GCKS)
   --------------------           ------------------
                             <--   HDR, SK { IDr, [CERT, ] SK{IDr, [CERT,]
                                   AUTH, [ GSA, KD, ] [D, ] } [GSA, KD,] [N,] [D]}

                    Figure 4: GSA_AUTH Normal Response

   The GCKS responds with IDr, optional CERT, and AUTH material as if it
   were an IKE_AUTH.  It also informs the group member of the
   cryptographic policies of the group in the GSA payload and the key
   material in the KD payload.  The GCKS can also include a Delete (D)
   payload instructing the group member to delete existing SAs it might
   have as the result of a previous group member registration.  Note,
   that since the GCKS generally doesn't know which SAs the GM has, the
   SPI field in the Delete payload(s) SHOULD be set to zero in this
   case.  (See more discussion on the Delete payload in Section 2.6.) 3.6.)

   In addition to the IKEv2 error handling, the GCKS can reject the
   registration request when the IDg is invalid or authorization fails,
   etc.  In these cases, see Section 2.7, 3.7, the GSA_AUTH response will not
   include the GSA and KD, but will include a Notify payload indicating
   errors.  If the group member included an SAg payload, and the GCKS
   chooses to evaluate it, and it detects that that group member cannot
   support the security policy defined for the group, then the GCKS
   SHOULD return a NO_PROPOSAL_CHOSEN.  Other types of notifications can
   be AUTHORIZATION_FAILED or REGISTRATION_FAILED.

    Initiator (Member)               Responder (GCKS)
   --------------------             ------------------
                              <--   HDR, SK { IDr, [CERT, ] SK{IDr, [CERT,] AUTH, N } N}

                     Figure 5: GSA_AUTH Error Response

   If the group member finds the policy sent by the GCKS is
   unacceptable, the member SHOULD initiate GSA_REGISTRATION exchange
   sending IDg and the Notify NO_PROPOSAL_CHOSEN (see Section 1.4.2)).

1.4.2.  GSA_REGISTRATION Exchange

   When a secure channel is already established between a GM and the
   GCKS, the GM registration for a group can reuse the established
   secure channel.  In this scenario the GM will use the
   GSA_REGISTRATION exchange.  Payloads in the exchange are generated
   and processed as defined in Section 1.4.1.

    Initiator (Member)               Responder (GCKS)
   --------------------             ------------------
    HDR, SK {IDg, [SAg, ][N ] } SK{IDg, [SAg,][N ]} -->
                                <--  HDR, SK { GSA, KD, [D ] } SK{GSA,] [N,] [D]}

                Figure 6: GSA_REGISTRATION Normal Exchange

   As with GSA_AUTH exchange, the GCKS can reject the registration
   request when the IDg is invalid or authorization fails, or GM cannot
   support the security policy defined for the group (which can be
   concluded by GCKS by evaluation of SAg payload).  In this case the
   GCKS returns an appropriate error notification as described in
   Section 1.4.1.

    Initiator (Member)                Responder (GCKS)
   --------------------              ------------------
    HDR, SK {IDg, [SAg, ][N ] } SK{IDg, [SAg,] [N]} -->
                               <--    HDR, SK { N } SK{N}

                 Figure 7: GSA_REGISTRATION Error Exchange

   This exchange can also be used if the group member finds the policy
   sent by the GCKS is unacceptable or for some reason wants to
   unregister itself from the group.  The group member SHOULD notify the
   GCKS by sending IDg and the Notify type NO_PROPOSAL_CHOSEN or
   REGISTRATION_FAILED, as shown below.  The GCKS MUST unregister the
   group member.

    Initiator (Member)                 Responder (GCKS)
   --------------------               ------------------
    HDR, SK {IDg, N } SK{IDg, N}      -->
                            <--        HDR, SK {} SK{}

        Figure 8: GM Reporting Errors in GSA_REGISTRATION Exchange

1.4.3.  GM Registration Operations

   A G-IKEv2 Initiator (GM) requesting registration contacts the GCKS
   using the IKE_SA_INIT exchange and receives the response from the
   GCKS.  This exchange is unchanged from the IKE_SA_INIT in IKEv2
   protocol.

   Upon completion of parsing and verifying the IKE_SA_INIT response,
   the GM sends the GSA_AUTH message with the IKEv2 payloads from
   IKE_AUTH (without the SAi2, TSi and TSr payloads) along with the
   Group ID informing the GCKS of the group the initiator wishes to
   join.  An initiator intending to emit data traffic SHOULD send a
   SENDER Notify payload status.  The SENDER not only signifies that it
   is a sender, but provides the initiator the ability to request
   Sender-ID values, in case the Data Security data security SA supports a counter
   mode cipher.  Section 1.4.6) includes guidance on requesting Sender-
   ID values.

   An initiator

   A GM may be limited in the types of Transforms that it is able or
   willing to use, and may find it useful to inform the GCKS which
   Transforms that it is willing to accept.  It can OPTIONALLY
   include an SAg payload, which can include ESP accept for different security protocols.
   Proposals for Rekey SA (with protocol GIKE_REKEY) and for data
   security (AH and/or AH Proposals. ESP) SAs may be included into SAg.  Each Proposal
   contains a list of Transforms that it the GM is willing able to support for that
   protocol.  A Proposal of type ESP can include ENCR,
   INTEG, and ESN Transforms.  A Proposal of type AH can include INTEG,  Valid transform types depend on the protocol and ESN Transforms. are
   defined in Figure 15.  Other transform types SHOULD NOT be included.
   The SPI length of each Proposal in an SAg is set to zero, and thus
   the SPI field is null. empty.  The GCKS MUST ignore SPI field in the SAg
   payload.

   Generally, a single Proposal of each type will suffice, because the
   group member is not negotiating Transform sets, simply alerting the
   GCKS to restrictions it may have, however
   if the have.  In particular, the restriction
   from Section 3.3 of [RFC7296] that AEAD and non-AEAD transforms must
   not be combined in a single proposal doesn't hold when the SAg
   payload is being formed.  However if the GM has restrictions on
   combination of algorithms, this can be expressed by sending several
   proposals.

   Although the SAg payload is optional, it is RECOMMENDED for the GM to
   include this payload into the GSA_AUTH request to allow the GCKS to
   select an appropriate policy.

   A GM may also indicate the support for IPcomp by inclusion one or
   more the IPCOMP_SUPPORTED notifications along with the SAg payload.
   The CPI in these notifications is set to zero and MUST be ignored by
   the GCKS.

   Upon receiving the GSA_AUTH response, the initiator parses the
   response from the GCKS authenticating the exchange using the IKEv2
   method, then processes the GSA and KD.

   The GSA payload contains the security policy and cryptographic
   protocols used by the group.  This policy describes the Rekey SA
   (KEK), if present, Data-security SAs (TEK), and other group policy (GAP).  If the
   policy in the GSA payload is not acceptable to the GM, it SHOULD
   notify the GCKS by initiating a GSA_REGISTRATION exchange with a
   NO_PROPOSAL_CHOSEN Notify payload (see Section 1.4.2).  Note, that
   this should normally not happen if the GM includes SAg payload in the
   GSA_AUTH request and the GCKS takes it into account.  Finally the KD is
   are parsed providing the keying material for the TEK and/or KEK.  The
   GM interprets the KD key packets, where each key packet includes the
   keying material for SAs distributed in the GSA payload.  Keying
   material is matched by comparing the SPIs in the key packets to SPIs
   previously included in the GSA payloads.  Once TEK keys and policy
   are matched, the GM provides them to the data security subsystem, and
   it is ready to send or receive packets matching the TEK policy.

   The GSA KEK policy MUST include KEK the attribute KEK_MESSAGE_ID GSA_INITIAL_MESSAGE_ID
   with a
   Message ID.  The first Message ID in the KEK_MESSAGE_ID GM should expect to receive if it is non-
   zero.  The value of the attribute MUST be checked by a GM against any
   previously received Message ID for this group.  If it is less than
   the previously received number, it should be considered stale and
   ignored.  This could happen if two GSA_AUTH exchanges happened in
   parallel, and the Message ID changed.  This
   KEK_MESSAGE_ID attribute is used by the
   GM to prevent GSA_REKEY message replay attacks.  The first GSA_REKEY
   message that the GM receives from the GCKS must have a Message ID
   greater or equal to the Message ID received in the KEK_MESSAGE_ID
   GSA_INITIAL_MESSAGE_ID attribute.

   Once a GM has received GSA_REKEY policy during a registration the IKE
   SA may be closed.  However, the GM SHOULD NOT close IKE SA, it is the
   GCKS who makes the decision whether to close or keep it, because
   depending on the policy the IKE SA may be used for inband rekeying
   for small groups.

1.4.4.  GCKS Registration Operations

   A G-IKEv2 GCKS passively listens for incoming requests from group
   members.  When the GCKS receives an IKE_SA_INIT request, it selects
   an IKE proposal and generates a nonce and DH to include them in the
   IKE_SA_INIT response.

   Upon receiving the GSA_AUTH request, the GCKS authenticates the group
   member using the same procedures as in the IKEv2 IKE_AUTH.  The GCKS
   then authorizes the group member according to group policy before
   preparing to send the GSA_AUTH response.  If the GCKS fails to
   authorize the GM, it will respond with an AUTHORIZATION_FAILED notify
   message.

   The GSA_AUTH response will include the group policy in the GSA
   payload and keys in the KD payload.  If the GCKS policy includes a
   group rekey option, this policy is constructed in the GSA KEK and the
   key is constructed in the KD KEK.  The GSA KEK MUST include the
   KEK_MESSAGE_ID
   GSA_INITIAL_MESSAGE_ID attribute, specifying the starting Message ID
   the GCKS will use when sending the GSA_REKEY message to the group member.
   member if this Message ID is non-zero.  This Message ID is used to
   prevent GSA_REKEY message replay attacks and will be increased each
   time a GSA_REKEY message is sent to the group.  The GCKS data traffic
   policy is included in the GSA TEK and keys are included in the KD
   TEK.  The GSA GAP MAY also be included to provide the ATD and/or DTD
   (Section 2.4.4.1) 3.4.3.1) specifying activation and deactivation delays for
   SAs generated from the TEKs.  If the group member has indicated that
   it is a sender of data traffic and one or more Data Security SAs
   distributed in the GSA payload included a counter mode of operation,
   the GCKS responds with one or more SIDs (see Section 1.4.6).

   If the GCKS receives a GSA_REGISTRATION exchange with a request to
   register a GM to a group, the GCKS will need to authorize the GM with
   the new group (IDg) and respond with the corresponding group policy
   and keys.  If the GCKS fails to authorize the GM, it will respond
   with the AUTHORIZATION_FAILED notification.

   If a group member includes an SAg in its GSA_AUTH or GSA_REGISTRATION
   request, the GCKS MAY evaluate it according to an implementation
   specific policy.

   o  The GCKS could evaluate the list of Transforms and compare it to
      its current policy for the group.  If the group member did not
      include all of the ESP or AH Transforms in its current policy,
      then it could return a NO_PROPOSAL_CHOSEN Notification.

   o  The GCKS could store the list of Transforms, with the goal of
      migrating the group policy to a different Transform when all of
      the group members indicate that they can support that Transform.

   o  The GCKS could store the list of Transforms and adjust the current
      group policy based on the capabilities of the devices as long as
      they fall within the acceptable security policy of the GCKS.

   Depending on its policy, the GCKS may have no need for the IKE SA
   (e.g., it does not plan to initiate an GSA_INBAND_REKEY exchange).
   If the GM does not initiate another registration exchange or Notify
   (e.g., NO_PROPOSAL_CHOSEN), and also does not close the IKE SA and
   the GCKS is not intended to use the SA, then after a short period of
   time the GCKS SHOULD close the IKEv2 SA.  The delay before closing
   provides for receipt of a GM's error notification in the event of
   packet loss.

1.4.5.  Group Maintenance Channel

   The GCKS is responsible for rekeying the secure group per the group
   policy.  Rekeying is an operation whereby the GCKS provides
   replacement TEKs and KEK, deleting TEKs, and/or excluding group
   members.  The GCKS may initiate a rekey message if group membership
   and/or policy has changed, or if the keys are about to expire.  Two
   forms of group maintenance channels are provided in G-IKEv2 to push
   new policy to group members.

   GSA_REKEY  The GSA_REKEY exchange is an exchange a pseudo-exchange initiated by the GCKS,
      where the rekey policy is usually delivered to group members using
      IP multicast as a transport.  This is not a real IKEv2 exchange,
      since no response messages are sent.  This method is valuable for
      large and dynamic groups, and where policy may change frequently
      and an a scalable rekeying method is required.  When the GSA_REKEY exchange is
      used, the IKEv2 SA protecting the member registration exchanges is
      usually terminated, and group members await policy changes from
      the GCKS via the GSA_REKEY exchange. messages.

   GSA_INBAND_REKEY  The GSA_INBAND_REKEY exchange is a rekey method normal IKEv2 exchange
      using the IKEv2 SA that was setup to protecting the member
      registration exchange.  This exchange allows the GCKS to rekey
      without using an independent GSA_REKEY exchange. pseudo-exchange.  The
      GSA_INBAND_REKEY exchange provides a reliable policy delivery and
      is useful when G-IKEv2 is used with a small group of cooperating
      devices.

   Depending on the policy the GCKS may combine these two methods.  For
   example, it may use the GSA_INBAND_REKEY to deliver key to the GMs in
   the group acting as senders (as this would provide reliable keys
   delivery), and the GSA_REKEY for the rest GMs.

1.4.5.1.  GSA_REKEY Exchange

   The GCKS initiates the G-IKEv2 Rekey securely, usually using IP
   multicast.  Since this rekey does not require a response and it sends
   to multiple GMs, G-IKEv2 rekeying MUST NOT support IKE SA windowing.
   The GCKS rekey message replaces the rekey GSA KEK or KEK array, and/
   or creates a new Data-Security GSA TEK.  The SID Download attribute
   in the Key Download payload (defined in Section 2.5.4) 3.5.3.2) MUST NOT be
   part of the Rekey Exchange as this is sender specific information and
   the Rekey Exchange is group specific.  The GCKS initiates the
   GSA_REKEY exchange pseudo-exchange as following:

    Members (Responder)           GCKS (Initiator)
   --------------------          ------------------
                             <--  HDR, SK { GSA, SK{GSA, KD, [N,] [D,] [AUTH] } [AUTH]}

                    Figure 9: GSA_REKEY Exchange Pseudo-Exchange

   HDR is defined in Section 2.1. 3.1.  The Message ID in this message will
   start with the same value the GCKS sent to the group members in the KEK
   attribute KEK_MESSAGE_ID during registration; GSA_INITIAL_MESSAGE_ID or from zero if this attribute
   wasn't sent.  The Message ID will be increased incremented each time a new
   GSA_REKEY message is sent to the group members.

   The GSA payload contains the current rekey and data security SAs.
   The GSA may contain a new rekey SA and/or a new data security SA,
   which, optionally contains an LKH rekey SA, SA
   Section 2.4. 3.4.

   The KD payload contains the keys for the policy included in the GSA.
   If the data security SA is being refreshed in this rekey message, the
   IPsec keys are updated in the KD, and/or if the rekey SA is being
   refreshed in this rekey message, the rekey Key or the LKH KEK array
   is updated in the KD payload.

   A Delete payload MAY be included to instruct the GM to delete
   existing SAs.

   The AUTH payload MUST be included to authenticate the GSA_REKEY
   message if the authentication method is based on public key
   signatures or a dedicated shared secret and MUST NOT be included if it
   authentication is based on shared secret. implicit.  In a latter case, the fact that a GM can
   decrypt the GSA_REKEY message and verify its ICV proves that the
   sender of this message knows the current KEK, thus authenticating
   that the sender is a member of the group.  Shared secret and implicit
   authentication doesen't don't provide source origin authentication.  For this
   reason using it them as authentication method methods for multicast Rekey GSA_REKEY is NOT
   RECOMMENDED unless source origin authentication is not required (for
   example, in a small group of highly trusted GMs).  If AUTH payload is
   included then the Auth Method field MUST NOT be one specifying using digital signatures. NULL Authentication.

   During group member registration, the GCKS sends the authentication
   key in the GSA KEK payload, KEK_AUTH_KEY AUTH_KEY attribute, which the group
   member uses to authenticate the key server.  Before the current
   Authentication Key expires, the GCKS will send a new KEK_AUTH_KEY AUTH_KEY to the
   group members in a GSA_REKEY message.  The AUTH key that is used in
   the rekey message may be not the same as the authentication key used
   in GSA_AUTH.

1.4.5.1.1.  GSA_REKEY GCKS Operations

   The GCKS builds the rekey message with a Message ID value that  If implicit authentication is one
   greater than the value included in used, then AUTH_KEY MUST
   NOT be sent to GMs.

1.4.5.1.1.  GSA_REKEY Messages Authentication

   The content of the previous rekey.  If AUTH payload depends on the
   message authentication method
   and is using either a new KEK attribute, the Message ID is reset digital signature or a result of prf applied to 1 in
   this the
   content of the not yet encrypted GSA_REKEY message.

   The GSA, KD, and D payloads follow with authentication algorithm (prf or digital signing) is applied to
   the same
   characteristics as in concatenation of two chunks: A and P.  The chunk A lasts from the GSA Registration exchange.

   If present
   first octet of the AUTH payload G-IKEv2 Header (not including prepended four
   octets of zeros, if port 4500 is created as follows.  First used) to the message
   is prepared, all payloads are formed and included in last octet of the message, but
   Encrypted Payload header.  The chunk P consists of the not yet
   encrypted content of the Encrypted payload payload, excluding the
   Initialization Vector, the Padding, the Pad Length and the Integrity
   Checksum Data fields (see 3.14 of [RFC7296] for description of the
   Encrypted payload).  In other words, the P chunk is not yet encrypted.  However, the inner
   payloads of the Encrypted payload in plaintext form.  These inner
   payloads must be fully formed, including correct values
   in IV, Padding formed and Pad Length ready for encryption except for the
   AUTH payload.  Figure 10 illustrates the layout of the P and fields. A chunks
   in the GSA_REKEY message.

   The AUTH payload is
   included in the message with the must have correct values in the Payload Header
   (including Next Payload, Payload Length and Header, the
   Auth Method fields). and the RESERVED fields.  The Authentication Data field
   is zeroed for the purposes of signature
   calculation, zeroed, but if Digiatal Digital Signature authentication method is in use,
   then the ASN.1 Length and the AlgorithmIdentifier fields must be
   properly filled in, see [RFC7427].  The signature is computed using

   For the signature algorithm from purpose of the KEK_AUTH_METHOD attribute (along
   with AUTH payload calculation the KEK_AUTH_HASH if KEK_AUTH_METHOD is not Digital Signature) Length field in
   the IKE header and the private key corresponding to the public key from the
   KEK_AUTH_KEY attribute.  It is computed over the block of data
   starting from the first octet of IKE Header (but non including non-
   ESP marker if it is present) to the last octet of Payload Length field in the (not yet
   encrypted) Encrypted Payload (i.e. up to
   header are adjusted so that they don't count the lengths of
   Initialization Vector, Integrity Checksum Data and including Padding (along
   with Pad Length field).  Then  In other words, the signature Length field in the IKE
   header (denoted as AdjustedLen in Figure 10 ) is placed into set to the Signature Value sum of
   the
   AUTH payload, the content lengths of the Encrypted payload is encrypted A and
   the ICV is computed using current KEK keys.

   Because GSA_REKEY messages are not acknowledged P, and could be
   discarded by the network, one or more GMs may not receive the
   message.  To mitigate such lost messages, during a rekey event the
   GCKS may transmit several GSA_REKEY messages with Payload Length field in the new policy.
   The retransmitted messages MUST be bitwise identical and SHOULD be
   sent within a short time interval (a few seconds) Encrypted
   Payload header (denoted as AdjustedPldLen in Figure 10) is set to ensure that
   time-to-live would not not substantially skewed for the GMs that
   would receive different copies
   length of P plus the messages.

   GCKS may also include one or several KEK_NEXT_SPI/TEK_NEXT_SPI
   attributes specifying SPIs for the prospected rekeys, so that
   listening GMs are able to detect lost rekey messages and recover from
   this situation.  See Sections Section 2.4.2.1.6 and Section 2.4.3.1.4
   for more detail.

1.4.5.1.2.  GSA_REKEY GM Operations

   When a group member receives the Rekey Message from the GCKS it
   decrypts the message using the current KEK, validates the signature
   using size of the public key retrieved Payload header (four octets).

   DataToAuthenticate = A | P
   GsaRekeyMessage = GenIKEHDR | EncPayload
   GenIKEHDR = [ four octets 0 if using port 4500 ] | AdjustedIKEHDR
   AdjustedIKEHDR =  SPIi | SPIr |  . . . | AdjustedLen
   EncPayload = AdjustedEncPldHdr | IV | InnerPlds | Pad | PadLen | ICV
   AdjustedEncPldHdr = NextPld | C | RESERVED | AdjustedPldLen
   A = AdjustedIKEHDR | AdjustedEncPldHdr
   P = InnerPlds

                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ^ ^
   |                     G-IKEv2 SA Initiator's SPI                | | |
   |                                                               | | |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ I |
   |                     G-IKEv2 SA Responder's SPI                | K |
   |                                                               | E |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+   |
   |  Next Payload | MjVer | MnVer | Exchange Type |     Flags     | H A
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ d |
   |                           Message ID                          | r |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
   |                          AdjustedLeng                         | | |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ v |
   | Next Payload  |C|  RESERVED   |         AdjustedPldLen        | | |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ E v
   |                     Initialization Vector                     | n
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ c ^
   |                                                               | r |
   ~             Inner payloads (not yet encrypted)                ~   P
   |                                                               | P |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ l v
   |              Padding (0-255 octets)           |  Pad Length   | d
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
   ~                    Integrity Checksum Data                    ~ |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ v

         Figure 10: Data to Authenticate in the GSA_REKEY Messages

   The authentication data is calculated using the authentication
   algorithm from the Authentication Method transform and the key
   provided before in the AUTH_KEY attribute.  Depending on the
   authentication method the authentication data is either a digital
   signature or a result of applying prf from the Pseudorandom Function
   transform.  The calculated authentication data is placed into the
   AUTH payload, the Length fields in the IKE Header and the Encryption
   Payload header are restored, the content of the Encrypted payload is
   encrypted and the ICV is computed using the current SKe/SKa keys.

   The calculation of authentication data MUST be applied to whole
   messages only, before possible IKE Fragmentation.  If the message was
   received in fragmented form, it should be reconstructed before
   verifying its authenticity as if it were received unfragmented.  The
   RESERVED field in the reconstructed Encrypted Payload header MUST be
   set to the value of the RESERVED field in the Encrypted Fragment
   payload header from the first fragment (that with Fragment Number
   equal to 1).

1.4.5.1.2.  GSA_REKEY GCKS Operations

   The GCKS builds the rekey message with a Message ID value that is one
   greater than the value included in the previous rekey.  If the
   message is using a new KEK attribute, the Message ID is reset to 0 in
   this message.  The GSA, KD, N and D payloads follow with the same
   characteristics as in the GSA Registration exchange.

   The AUTH payload (if present) is created as defined in
   Section 1.4.5.1.1.

   Because GSA_REKEY messages are not acknowledged and could be
   discarded by the network, one or more GMs may not receive the
   message.  To mitigate such lost messages, during a rekey event the
   GCKS may transmit several GSA_REKEY messages with the new policy.
   The retransmitted messages MUST be bitwise identical and SHOULD be
   sent within a short time interval (a few seconds) to ensure that
   time-to-live would not be substantially skewed for the GMs that would
   receive different copies of the messages.

   GCKS may also include one or several GSA_NEXT_SPI attributes
   specifying SPIs for the prospected rekeys, so that listening GMs are
   able to detect lost rekey messages and recover from this situation.
   See Sections Section 3.4.2.2.3 for more detail.

1.4.5.1.3.  GSA_REKEY GM Operations

   When a group member receives the Rekey Message from the GCKS it
   decrypts the message using the current KEK, validates its
   authenticity using the key retrieved in a previous G-IKEv2 exchange
   if AUTH payload is present, verifies the Message ID, and processes
   the GSA and KD payloads.  The group member then downloads the new
   data security SA and/or new rekey SA.  The parsing of the payloads is
   identical to the parsing done in the registration exchange.

   Replay protection is achieved by a group member rejecting a GSA_REKEY
   message which has a Message ID smaller than the current Message ID
   that the GM is expecting.  The GM expects the Message ID in the first
   GSA_REKEY message it receives to be equal or greater than the Message
   ID it receives in the GSA_INITIAL_MESSAGE_ID attribute.  Note, that
   if no this attribute was received for the Rekey SA, the GM MUST
   assume zero as the first expected Message ID.  The GM expects the
   Message ID in subsequent GSA_REKEY messages to be greater than the
   last valid GSA_REKEY message ID it received.

   If the GSA payload includes a Data-Security SA including a counter-
   modes of operation and the receiving group member is a sender for
   that SA, the group member uses its current SID value with the Data-
   Security SAs to create counter-mode nonces.  If it is a sender and
   does not hold a current SID value, it MUST NOT install the Data-
   Security SAs.  It MAY initiate a GSA_REGISTRATION exchange to the
   GCKS in order to obtain an SID value (along with current group
   policy).

   Once a new Rekey SA is installed as a result of GSA_REKEY message,
   the current Rekey SA (over which the message was received) MUST be
   silently deleted after waiting DEACTIVATION_TIME_DELAY interval
   regardless of its expiration time.  If the GSA TEK payload includes
   GSA_REKEY_SPI attribute then after installing a new Data-Security SA
   the old one, identified by the SPI in this attribute, MUST be
   silently deleted after waiting DEACTIVATION_TIME_DELAY interval
   regardless of its expiration time.

   If a Data-Security SA is not rekeyed yet and is about to expire (a
   "soft lifetime" expiration is described in Section 4.4.2.1 of
   [RFC4301]), the GM SHOULD initiate a previous G-IKEv2 exchange registration to the GCKS.  This
   registration serves as a request for current SAs, and will result in
   the download of replacement SAs, assuming the GCKS policy has created
   them.  A GM SHOULD also initiate a registration request if AUTH
   payload a Rekey SA
   is about to expire and not yet replaced with a new one.

1.4.5.1.4.  IKE Fragmentation

   IKE fragmentation [RFC7383] can be used to perform fragmentation of
   large GSA_REKEY messages, however when the GSA_REKEY message is
   emitted as an IP multicast packet there is a lack of response from
   the GMs.  This has the following implications.

   o  Policy regarding the use of IKE fragmentation is implicit.  If a
      GCKS detects that all GMs have negotiated support of IKE
      fragmentation in IKE_SA_INIT, then it MAY use IKE fragmentation on
      large GSA_REKEY messages.

   o  The GCKS must always use IKE fragmentation based on a known
      fragmentation threshold (unspecified in this memo), as there is no
      way to check if fragmentation is needed by first sending
      unfragmented messages and waiting for response.

   o  PMTU probing cannot be performed due to lack of GSA_REKEY response
      message.

1.4.5.2.  GSA_INBAND_REKEY Exchange

   When the IKEv2 SA protecting the member registration exchange is
   maintained while group member participates in the group, the GCKS can
   use the GSA_INBAND_REKEY exchange to individually provide policy
   updates to the group member.

    Member (Responder)            GCKS (Initiator)
   --------------------          ------------------
                           <--    HDR, SK{GSA, KD, [N,] [D]}
      HDR, SK{}            -->

                   Figure 11: GSA_INBAND_REKEY Exchange

   Because this is present, verifies a normal IKEv2 exchange, the Message ID, HDR is treated as
   defined in [RFC7296].

1.4.5.2.1.  GSA_INBAND_REKEY GCKS Operations

   The GSA, KD, N and D payloads are built in the same manner as in a
   registration exchange.

1.4.5.2.2.  GSA_INBAND_REKEY GM Operations

   The GM processes the GSA GSA, KD, N and KD payloads.  The D payloads in the same manner as
   if they were received in a registration exchange.

1.4.5.3.  Deletion of SAs

   There are occasions when the GCKS may want to signal to group member then downloads members
   to delete policy at the new data
   security end of a broadcast, or if group policy has
   changed.  Deletion of keys MAY be accomplished by sending the G-IKEv2
   Delete Payload [RFC7296], section 3.11 as part of the GSA_REKEY
   pseudo-exchange as shown below.

    Members (Responder)        GCKS (Initiator)
   --------------------       ------------------
                         <--   HDR, SK{[GSA,] [KD,], [N] [D,] [AUTH]}

                    Figure 12: SA and/or new Rekey SA. Deletion in GSA_REKEY

   The parsing GSA MAY specify the remaining active time of the payloads is
   identical to remaining policy
   by using the parsing done DTD attribute in the registration exchange.

   Replay protection is achieved by a group member rejecting GSA GAP.  If a GSA_REKEY
   message which GCKS has a Message ID smaller than no further
   SAs to send to group members, the current Message ID
   that GSA and KD payloads MUST be omitted
   from the GM message.  There may be circumstances where the GCKS may want
   to start over with a clean state.  If the administrator is expecting.  The GM expects no longer
   confident in the Message ID integrity of the group, the GCKS can signal deletion
   of all the policies of a particular TEK protocol by sending a TEK
   with a SPI value equal to zero in the first
   GSA_REKEY message it receives to be equal or greater than delete payload.  For example,
   if the message
   id it receives in GCKS wishes to remove all the KEK_MESSAGE_ID attribute.  The GM expects KEKs and all the
   message ID TEKs in subsequent GSA_REKEY messages to be greater than the
   last valid GSA_REKEY message ID it received.

   If
   group, the GSA GCKS SHOULD send a Delete payload includes with a Data-Security SA including SPI of zero and
   Protocol ID of AH or ESP, followed by another Delete payload with a counter-
   modes
   SPI of operation zero and Protocol ID of GIKE_REKEY, indicating that the receiving group member is a sender KEK SA
   should be deleted.

1.4.6.  Counter-based modes of operation

   Several new counter-based modes of operation have been specified for
   ESP (e.g., AES-CTR [RFC3686], AES-GCM [RFC4106], AES-CCM [RFC4309],
   ChaCha20-Poly1305 [RFC7634], AES-GMAC [RFC4543]) and AH (e.g., AES-
   GMAC [RFC4543]).  These counter-based modes require that SA, no two
   senders in the group member uses its current SID value ever send a packet with the Data-
   Security SAs to create counter-mode nonces.  If it same Initialization
   Vector (IV) using the same cipher key and mode.  This requirement is
   met in G-IKEv2 when the following requirements are met:

   o  The GCKS distributes a unique key for each Data-Security SA.

   o  The GCKS uses the method described in [RFC6054], which assigns
      each sender and
   does not hold a current portion of the IV space by provisioning each sender
      with one or more unique SID value, it MUST NOT install values.

1.4.6.1.  Allocation of SIDs

   When at least one Data-Security SA included in the Data-
   Security SAs.  It MAY initiate group policy
   includes a GSA_REGISTRATION exchange to counter-based mode of operation, the GCKS in order automatically
   allocates and distributes one SID to obtain an each group member acting in the
   role of sender on the Data-Security SA.  The SID value (along with current group
   policy).

   Once a new Rekey SA is installed as a result of GSA_REKEY message, used
   exclusively by the current Rekey SA (over group member to which the message it was received) MUST be
   silently deleted after waiting DEACTIVATION_TIME_DELAY interval
   regardless of its expiration time.  If allocated.  The group
   member uses the GSA TEK payload includes
   TEK_REKEY_SPI attribute then after installing a new same SID for each Data-Security SA specifying the old one, identified by the SPI in this attribute, MUST be
   silently deleted after waiting DEACTIVATION_TIME_DELAY interval
   regardless use
   of its expiration time.

   If a counter-based mode of operation.  A GCKS MUST distribute unique
   keys for each Data-Security SA is not rekeyed yet including a counter-based mode of
   operation in order to maintain unique key and is about nonce usage.

   During registration, the group member can choose to expire (a
   "soft lifetime" expiration is described in Section 4.4.2.1 request one or
   more SID values.  Requesting a value of
   [RFC4301]), 1 is not necessary since the GM SHOULD initiate a registration
   GCKS will automatically allocate exactly one to the GCKS.  This
   registration serves as a group member.  A
   group member MUST request for current SAs, and will result in as many SIDs matching the download number of replacement SAs, assuming
   encryption modules in which it will be installing the GCKS policy has created
   them.  A GM SHOULD also initiate a registration request if a Rekey SA
   is about to expire and not yet replaced with TEKs in the
   outbound direction.  Alternatively, a new one.

1.4.5.1.3.  Forward group member MAY request more
   than one SID and Backward Access Control

   Through the G-IKEv2 rekey, G-IKEv2 supports algorithms such as LKH use them serially.  This could be useful when it is
   anticipated that have the property group member will exhaust their range of denying access to Data-
   Security SA nonces using a new single SID too quickly (e.g., before the
   time-based policy in the TEK expires).

   When the group key by policy includes a
   member removed from counter-based mode of operation, a
   GCKS SHOULD use the group (forward access control) and following method to an old
   group key by a member added allocate SID values, which
   ensures that each SID will be allocated to the just one group (backward access control).
   An unrelated notion to PFS, "forward access control" and "backward
   access control" have been called "perfect forward security" and
   "perfect backward security" in member.

   1.  A GCKS maintains an SID-counter, which records the literature [RFC2627].

   Group management algorithms providing forward and backward access
   control other than LKH SIDs that have
       been proposed in the literature,
   including OFT [OFT] and Subset Difference [NNL].  These algorithms
   could be used with G-IKEv2, but allocated.  SIDs are not specified allocated sequentially, with zero as a part
       the first allocated SID.

   2.  Each time an SID is allocated, the current value of this
   document.

   Support for group management algorithms are supported via the
   KEY_MANAGEMENT_ALGORITHM attribute which counter
       is sent in saved and allocated to the GSA KEK
   policy.  G-IKEv2 specifies one method by which LKH can be used group member.  The SID-counter is
       then incremented in preparation for
   forward and backward access control.  Other methods the next allocation.

   3.  When the GCKS specifies a counter-based mode of using LKH, as
   well as other operation in the
       data security SA a group management algorithms such as OFT or Subset
   Difference member may be added to G-IKEv2 as part request a count of SIDs
       during registration in a later document.

1.4.5.1.3.1.  Forward Access Control Requirements Notify payload information of type
       SENDER.  When group membership is altered using a group management algorithm
   new GSA TEKs (and their associated keys) are usually also needed.

   New GSAs the GCKS receives this request, it increments the
       SID-counter once for each requested SID, and keys ensure that members who were denied access can no
   longer participate in distributes each SID
       value to the group.

   If forward access control is group member.  The GCKS SHOULD have a desired property policy-defined
       upper bound for the number of SIDs that it will return
       irrespective of the group, number requested by the GM.

   4.  A GCKS allocates new GSA
   TEKs and SID values for each GSA_REGISTRATION
       exchange originated by a sender, regardless of whether a group
       member had previously contacted the associated key packets in GCKS.  In this way, the KD payload MUST NOT be
   included in GCKS
       is not required to maintaining a G-IKEv2 rekey message record of which changes SID values it
       had previously allocated to each group membership.
   This is required because member.  More importantly,
       since the GSA TEK policy and GCKS cannot reliably detect whether the associated key
   packets in group member
       had sent data on the KD payload are current group Data-Security SAs it does not protected with the
       know what Data-Security counter-mode nonce values that a group
       member has used.  By distributing new KEK.  A
   second G-IKEv2 rekey message can deliver SID values, the new GSA TEKS and their
   associated key packets because server
       ensures that each time a conforming group member installs a Data-
       Security SA it will be protected with use a unique set of counter-based mode
       nonces.

   5.  When the new KEK,
   and thus will not SID-counter maintained by the GCKS reaches its final SID
       value, no more SID values can be visible to distributed.  Before
       distributing any new SID values, the members who were denied access.

   If forward access control policy for GCKS MUST delete the group includes keeping group
   policy changes from members that are denied access to Data-
       Security SAs for the group, then
   two sequential G-IKEv2 rekey messages changing the group KEK MUST be
   sent followed by creation of new Data-
       Security SAs, and resetting the GCKS. SID-counter to its initial value.

   6.  The first G-IKEv2 rekey message creates GCKS SHOULD send a new KEK GSA_REKEY message deleting all Data-
       Security SAs and the Rekey SA for the group.  Group members, which are denied access,  This will not be
   able to access result in
       the group members initiating a new KEK, but GSA_REGISTRATION exchange, in
       which they will see receive both new SID values and new Data-Security
       SAs.  The new SID values can safely be used because they are only
       used with the group policy since new Data-Security SAs.  Note that deletion of the
   G-IKEv2 rekey message
       Rekey SA is protected under the current KEK.  A
   subsequent G-IKEv2 rekey message containing the changed necessary to ensure that group policy
   and again changing the KEK allows complete forward access control.  A
   G-IKEv2 rekey members receiving a
       GSA_REKEY message MUST NOT change before the re-register do not inadvertently use
       their old SIDs with the policy without creating a new KEK.

   If other methods of using LKH or other Data-Security SAs.  Using the method
       above, at no time can two group management algorithms
   are added to G-IKEv2, those methods MAY remove members use the above restrictions
   requiring multiple G-IKEv2 rekey messages, providing those methods
   specify how same IV values
       with the forward access control policy is maintained within a
   single G-IKEv2 rekey message.

1.4.5.1.4.  Fragmentation

   IKE fragmentation [RFC7383] can be used to perform fragmentation same Data-Security SA key.

1.4.6.2.  GM Usage of
   large GSA_REKEY messages, however when SIDs

   A GM applies the GSA_REKEY message is
   emitted SID to data security SA as an IP multicast packet there is a lack follows.

   o  The most significant bits NUMBER_OF_SID_BITS of response from the GMs.  This has IV are taken
      to be the following implications. SID field of the IV.

   o  Policy regarding  The SID is placed in the use least significant bits of IKE fragmentation is implicit. the SID field,
      where any unused most significant bits are set to zero.  If a
      GCKS detects that all GMs have negotiated support of IKE
      fragmentation in IKE_SA_INIT, the
      SID value doesn't fit into the NUMBER_OF_SID_BITS bits, then it MAY use IKE fragmentation on
      large GSA_REKEY exchange messages.

   o  The GCKS must always use IKE fragmentation based on a known
      fragmentation threshold (unspecified in the
      GM MUST treat this memo), as there is no
      way to check if fragmentation is needed by first sending
      unfragmented messages a fatal error and waiting for response.

   o  PMTU probing cannot be performed due re-register to lack of GSA_REKEY response
      message.

1.4.5.2.  GSA_INBAND_REKEY Exchange

   When the IKEv2 SA protecting group.

2.  Group Key Management and Access Control

   Through the member registration exchange is
   maintained while G-IKEv2 rekey, G-IKEv2 supports algorithms such as
   Logical Key Hierarchy (LKH) that have the property of denying access
   to a new group key by a member participates in the group, the GCKS can
   use removed from the GSA_INBAND_REKEY exchange group (forward access
   control) and to individually provide policy
   updates an old group key by a member added to the group member.

      Member (Responder)            GCKS (Initiator)
     --------------------          ------------------
                            <--     HDR, SK { GSA, KD, [D,] }
      HDR, SK {}            -->

                   Figure 10: GSA_INBAND_REKEY Exchange

   Because this is an IKEv2 exchange, the HDR is treated as defined
   (backward access control).  An unrelated notion to PFS, "forward
   access control" and "backward access control" have been called
   "perfect forward security" and "perfect backward security" in
   [RFC7296].

1.4.5.2.1.  GSA_INBAND_REKEY GCKS Operations

   The GSA, KD, the
   literature [RFC2627].

   Group management algorithms providing forward and D payloads are built backward access
   control other than LKH have been proposed in the same manner literature,
   including OFT [OFT] and Subset Difference [NNL].  These algorithms
   could be used with G-IKEv2, but are not specified as in a
   registration exchange.

1.4.5.2.2.  GSA_INBAND_REKEY GM Operations part of this
   document.

   The GM processes Group Key Management Method transform from the GSA, KD, and D payloads in GSA policy
   specifies how members of the same manner as if
   they were received in group obtain group keys.  This document
   specifies a registration exchange.

1.4.5.3.  Deletion of SAs

   There are occasions when single method for the GCKS may want to signal to group members key management - Wrapped Key
   Download.  This method assumes that all group keys are sent to delete policy at the end of a broadcast, or if group policy has
   changed.  Deletion of keys MAY be accomplished
   GMs by sending the G-IKEv2
   Delete Payload [RFC7296], section 3.11 as part of the GSA_REKEY
   Exchange as shown below.

       Members (Responder) GCKS (Initiator)
      --------------------       ------------------
                          <--   HDR, SK { [GSA ], [KD ], [D, ] [AUTH ] }

                    Figure 11: SA Deletion in GSA_REKEY

   The GSA MAY specify the remaining active time of encrypted with other keys, called Key Wrap Keys
   (KWK).

2.1.  Key Wrap Keys

   Every GM always knows at least one KWK - the remaining policy
   by using KWK that is associated
   with the DTD attribute in IKE SA or multicast rekey SA the GSA GAP.  If a wrapped keys are sent over.
   In this document it is called default KWK and is denoted as SK_w.

   The GCKS has no further
   SAs to may also send other keys to group members, the GSA and KD payloads MUST GMs that will be omitted used as Key
   Wrap Keys for the purpose of building key hierarchy.  Each such key
   is associated with an encryption algorithm from the message.  There may be circumstances where Encryption
   Algorithm transform used for the GCKS may want
   to start over with a clean slate.  If SA the administrator key is no longer
   confident in the integrity sent in.  The size of
   such key MUST be of the group, the GCKS can signal deletion size of all the policies key size of a particular TEK protocol by sending a TEK
   with a SPI value equal to zero in this Encryption
   Algorithm transform (taking into consideration the delete payload.  For example, Key Length
   attribute for this transform if present).  This association persists
   even if the GCKS wishes to remove all the KEKs and all the TEKs key is used later in the
   group, context of another SA with
   possibly different Encryption Algorithm transform.

   To have an ability to provide forward access control the GCKS SHOULD send a Delete payload
   provides each GM with a SPI personal key at the time of zero and registration.
   Besides several intermediate keys that form a
   protocol_id key hierarchy and are
   shared among several GMs are provided by the GCKS.

2.1.1.  Default Key Wrap Key

   The default KWK (SK_w) is only used in the context of a TEK protocol_id value defined in Section 2.4.3,
   followed by another Delete payload single IKE
   SA.  Every IKE SA (unicast or group rekey) will have its own SK_w.
   The SK_w is used with a SPI of zero and protocol_id
   of zero, indicating that the KEK algorithm from the Encryption Algorithm
   transform used for the SA should the SK_w is used in.  The size of SK_w MUST
   be deleted.

1.4.6.  Counter-based modes of operation

   Several new counter-based modes the key size of operation have been specified for
   ESP (e.g., AES-CTR [RFC3686], AES-GCM [RFC4106], AES-CCM [RFC4309],
   AES-GMAC [RFC4543]) and AH (e.g., AES-GMAC [RFC4543]).  These
   counter-based modes require that no two senders in this Encryption Algorithm transform (taking
   into consideration the group ever
   send a packet with Key Length attribute for this transform if
   present).

   For the same Initialization Vector (IV) using unicast IKE SA (used for the same
   cipher key GM registration and mode.  This requirement is met in G-IKEv2 when optionally
   for GSA_INBAND_REKEY exchanges) the
   following requirements are met:

   o The GCKS distributes a unique key SK_w is computed as follows:

   SK_w = prf+(SK_d, "Key Wrap for each Data-Security SA.

   o The GCKS uses G-IKEv2")

   where the method described in [RFC6054], which assigns each
   sender a portion of string "Key Wrap for G-IKEv2" is 20 ASCII characters
   without null termination.

   For the IV space by provisioning each sender with one
   or more unique SID values.

1.4.6.1.  Allocation of SIDs

   When at least one Data-Security multicast rekey SA included the SK_w is provided along with other SA
   keys as defined in Section 2.4.

2.2.  GCKS Key Management Semantics

   Wrapped Key Download method allows the GCKS to employ various key
   management policies.

   o  A simple key management policy - when the GCKS always sends group
      SA keys encrypted with the SK_w.

   o  An LKH key management policy
   includes a counter-based mode of operation, - when the GCKS automatically
   allocates and distributes one SID to provides each group member acting in GM with
      an individual key at the
   role time of sender on GM registration (encrypted with
      SK_w).  Then the Data-Security SA.  The SID value is used
   exclusively by GCKS forms an hierarchy of keys so that the group member to
      SA keys are encrypted with other keys which it was allocated.  The group
   member uses are encrypted with
      other keys and so on, tracing back to the same SID for each Data-Security SA specifying individual GMs' keys.

   Other key policies may also be employed by the use
   of GCKS.

2.2.1.  Forward Access Control Requirements

   When group membership is altered using a counter-based mode of operation.  A GCKS MUST distribute unique group management algorithm
   new GSA TEKs (and their associated keys) are usually also needed.
   New GSAs and keys for each Data-Security SA including ensure that members who were denied access can no
   longer participate in the group.

   If forward access control is a counter-based mode desired property of
   operation in order to maintain unique key the group, new GSA
   TEKs and nonce usage.

   During registration, the group member can choose to request one or
   more SID values.  Requesting associated key packets in the KD payload MUST NOT be
   included in a value of 1 G-IKEv2 rekey message which changes group membership.
   This is not necessary since required because the
   GCKS will automatically allocate exactly one to GSA TEK policy and the group member. associated key
   packets in the KD payload are not protected with the new KEK.  A
   group member MUST request as many SIDs matching
   second G-IKEv2 rekey message can deliver the number of
   encryption modules in which new GSA TEKS and their
   associated key packets because it will be installing the TEKs in protected with the
   outbound direction.  Alternatively, a group member MAY request more
   than one SID new KEK,
   and use them serially.  This could thus will not be useful when it is
   anticipated that visible to the group member will exhaust their range of Data-
   Security SA nonces using a single SID too quickly (e.g., before members who were denied access.

   If forward access control policy for the
   time-based group includes keeping group
   policy in changes from members that are denied access to the TEK expires).

   When group, then
   two sequential G-IKEv2 rekey messages changing the group policy includes a counter-based mode of operation, KEK MUST be
   sent by the GCKS.  The first G-IKEv2 rekey message creates a
   GCKS SHOULD use new KEK
   for the following method to allocate SID values, group.  Group members, which
   ensures that each SID are denied access, will not be allocated
   able to just one group member.

   1.  A GCKS maintains an SID-counter, which records the SIDs that have
   been allocated.  SIDs are allocated sequentially, with zero as access the
   first allocated SID.

   2.  Each time an SID is allocated, new KEK, but will see the current value of group policy since the counter
   G-IKEv2 rekey message is saved and allocated to protected under the current KEK.  A
   subsequent G-IKEv2 rekey message containing the changed group member.  The SID-counter is then
   incremented in preparation for policy
   and again changing the next allocation.

   3.  When KEK allows complete forward access control.  A
   G-IKEv2 rekey message MUST NOT change the GCKS specifies policy without creating a counter-based mode
   new KEK.

   If other methods of operation in using LKH or other group management algorithms
   are added to G-IKEv2, those methods MAY remove the
   Data Security SA above restrictions
   requiring multiple G-IKEv2 rekey messages, providing those methods
   specify how the forward access control policy is maintained within a group member may request
   single G-IKEv2 rekey message.

2.3.  GM Key Management Semantics

   This specification defines a count of SIDs during
   registration GM Key Management semantics in such a Notify payload information of type SENDER.  When
   the GCKS receives this request,
   way, that it increments doesn't depend on the SID-counter once
   for each requested SID, and distributes each SID value to key management policy employed by
   the group
   member.  The GCKS SHOULD have a policy-defined upper bound for GCKS.  This allows having all the
   number complexity of SIDs that it will return irrespective key management in
   the GCKS, which is free to implement various key management policies,
   such as direct transmitting of group SA keys or using some kind of
   key hierarchy (e.g.  LKH).  For all these policies the number
   requested by GMs' behavior
   is the GM.

   4.  A GCKS allocates new SID values for each GSA_REGISTRATION
   exchange originated same.

   Each key is identified by a sender, regardless 32-bit number called Key ID.  Zero Key ID
   has a special meaning - it always contains keying material from which
   the group SA keys are taken.

   All keys in G-IKEv2 are transmitted in encrypted form, which format
   is defined in Section 3.5.1.  This format specifies a Key ID (ID of whether a group member
   had previously contacted the GCKS.  In this way, the GCKS
   key that is not
   required to maintaining encrypted in this attribute) and a record KWK ID (ID of which SID values it had
   previously allocated a key
   that was used to each group member.  More importantly, since
   the GCKS cannot reliably detect whether the group member had sent
   data on encrypt this attribute).  Keys may be encrypted
   either with default KWK (SK_w) or with other keys, which the current group Data-Security SAs it does not know what
   Data-Security counter-mode nonce values that a group member GM has used.
   By distributing new SID values,
   received in the key server ensures that each time
   a conforming group member installs a Data-Security SA it will use KEY_WRAP_KEY attributes.  If a
   unique set of counter-based mode nonces.

   5.  When the SID-counter maintained by key was encrypted with
   SK_w, then the GCKS reaches its final SID
   value, no more SID values can be distributed.  Before distributing
   any new SID values, KWK ID field is set to zero, otherwise the GCKS MUST delete KWK ID
   field identifies the Data-Security SAs key used for
   the group, followed by creation of new Data-Security SAs, and
   resetting the SID-counter to its initial value.

   6.  The GCKS SHOULD send encryption.

   When a GM receives a GSA_REKEY message deleting all Data-
   Security SAs and the Rekey SA for from the group.  This GCKS installing new data
   security or rekey SA, it will result in the
   group members initiating contain a new GSA_REGISTRATION exchange, in which
   they KD payload with a SA_KEY
   attribute containing keying material for this SA.  For a data
   security SA exactly one SA_KEY attribute will receive both new SID values and new Data-Security SAs.  The
   new SID values can safely be used because they are only used present with the
   new Data-Security SAs.  Note both
   Key ID and KWK ID fields set to zero.  This means that deletion of the Rekey SA is
   necessary default
   KWK (SK_w) should be used to ensure that group members receiving extract this keying material.

   For a GSA_REKEY exchange
   before multicast rekey SA multiple SA_KEY attributes may be present
   depending on the re-register do not inadvertently use their old SIDs with key management policy employed by the new Data-Security SAs.  Using GCKS.  If
   multiple SA_KEY attributes are present then all of them MUST contain
   the method above, at no time same keying material encrypted using different keys.  The GM in
   general is unaware of the GCKS's key management policy and can
   two group members always
   use the same IV values with procedure to get the same Data-Security
   SA key.

1.4.6.2.  GM Usage of SIDs

   A GM applies keys.  In particular, the SID GM's task
   is to Data Security SA as follows.

   1.  The most significant bits NUMBER_OF_SID_BITS find a way to decrypt at least one of the IV are taken
   to be SA_KEY attributes
   using either the SID field of SK_w or the IV.

   2.  The SID is placed keys from the KEY_WRAP_KEY attributes
   that are present in the least significant bits of same message or were receives in previous
   messages.

   We will use the SID field, term "Key Path" to describe an ordered sequence of
   keys where any unused most significant bits are set each subsequent key was used to zero.  If encrypt the SID
   value doesn't fit into previous one.
   The GM keeps its own Key Path (called working Key Path) in the memory
   associated with each group it is registered to and update it when
   needed.  When the NUMBER_OF_SID_BITS bits, then GSA_REKEY message is received the GM MUST
   treat this as a fatal error and re-register to processes the group.

1.5.  Interaction with IKEv2 Protocol Extensions

   IKEv2 defines
   received SA_KEY attributes one by one trying to construct a number of extensions new key
   path that can be used to extend
   protocol functionality.  G-IKEv2 is compatible starts from this attributes and ends with most of such
   extensions.  In particular, EAP authentication defined any key in [RFC7296]
   can be used to establish registration IKE SA, as well as Secure
   Password authentication ([RFC6467]).  G-IKEv2 is compatible the
   working Key Path or with and
   can use IKEv2 Session Resumption [RFC5723] except that a GM would
   include the initial ticket request in a GSA_AUTH exchange instead of
   an IKE_AUTH exchange.  G-IKEv2 default KWK (SK_w).

   In the simplest case the SA_KEY attribute is also compatible encrypted with Quantum Safe SK_w so
   that the new Key Exchange framework, defined in
   [I-D.tjhai-ipsecme-hybrid-qske-ikev2].

   Some IKEv2 extensions however require special handling if Path is empty.  If more complex key management
   policies are used then the Key Path will contain intermediate keys,
   which will be from the KEY_WRAP_KEY attributes received in
   G-IKEv2.

1.5.1.  Postquantum Preshared Keys for IKEv2

   G-IKEv2 can take advantage of the protection provided by Postquantum
   Preshared Keys (PPK) for IKEv2 [I-D.ietf-ipsecme-qr-ikev2].  However, same
   messages.  If the GM is able to construct a new Key Path, then it is
   able to decrypt the SA_KEY attribute and use of PPK leaves its content to form the initial IKE
   SA susceptible keys.  If it is unable to quantum
   computer (QC) attacks.  For this reason an alternative approach for
   using PPK in IKEv2 defined build a new Key Path, then in [I-D.smyslov-ipsecme-ikev2-qr-alt]
   SHOULD means that
   the GM is excluded from the group.

   Depending on the new Key Path the GM should do the following actions
   to be prepared for future key updates:

   o  If the new Key Path is empty then no actions are needed.  This may
      happen if no KEY_WRAP_KEY attributes from the received message
      were used.

   o  If the alternative approach new Key Path is not supported by non-empty and it ends up with the peers, default
      KWK (SK_w), then the whole new Key Path is stored by the GM as the
      GM's working Key Path.  This situation may only happen at the time
      the GM is registering to the group, when the GCKS MUST NOT send GSA is providing it
      with its personal key and KD payloads in the GSA_AUTH response
   message.  Instead, other keys from the GCKS MUST return a new notification
   REKEY_IS_NEEDED.  Upon receiving key tree that
      are needed for this notification in GM.  These keys form an initial working Key
      Path.

   o  In all other cases the GSA_AUTH
   response new Key Path will end up where some key
      from the GM's working Key Path was used.  In this case the GM MUST perform an IKE SA rekey and then initiate a new
   GSA_REGISTRATION request for Key
      Path replaces the same group.  Below are possible
   scenarios involving using PPK.

   GM begins IKE_SA_INIT requesting PPK, part of the GM's working Key Path from the
      beginning and GCKS responds with
   willingness to do it, or aborts according up to its "mandatory_or_not"
   flag:

   Initiator (Member)                Responder (GCKS)
   --------------------              ------------------
   HDR, SAi1, KEi, Ni, N(USE_PPK) --->
                               <--- HDR, SAr1, KEr, Nr, [CERTREQ],
                                    N(USE_PPK)

           Figure 12: IKE_SA_INIT Exchange requesting using PPK (but not including) the key that the GM begins GSA_AUTH with PPK_ID; has
      used to decrypt the last key in the new Key Path.

   Appendix A contains an example of how this algorithm works in case of
   LKH key management policy.

2.4.  Group SA Keys

   Group SA keys are downloaded to GMs in the form of keying material.
   The keys are taken from this keying material as if using PPK is not mandatory they were
   concatenated to form it.

   For a data security SA the keys are taken in accordance to the third
   bullet from Section 2.17 of [RFC7296].  In particular, for the
   GM, N(NO_PPK_AUTH) is included too:

   Initiator (Member)                Responder (GCKS)
   --------------------              ------------------
   HDR, SK {IDi, AUTH, IDg,
   N(PPK_IDENTITY), N(NO_PPK_AUTH) } --->

                   Figure 13: GSA_AUTH Request using PPK

   If GCKS has no such PPK ESP
   and using PPK is not mandatory for it AH SAs the encryption key (if any) MUST be taken from the first
   bits of the keying material and
   N(NO_PPK_AUTH) is included, then the GCKS continues w/o PPK; in this
   case no integrity key (if any) MUST be
   taken from the remaining bits.

   For a group rekey is needed:

   Initiator (Member)                Responder (GCKS)
   --------------------              ------------------
                               <--- HDR, SK { IDr, AUTH, GSA, KD }

                 Figure 14: GSA_AUTH Response using no PPK

   If GCKS has no such PPK SA the following keys are taken from the keying
   material:

   SK_e | SK_a | SK_w = KEYMAT

   where SK_e and either N(NO_PPK_AUTH) is missing or using
   PPK is mandatory SK_a are the keys used for GCKS, the GCKS aborts Encryption Algorithm
   and the exchange:

   Initiator (Member)                Responder (GCKS)
   --------------------              ------------------
                               <--- HDR, SK { N(AUTHENTICATION_FAILED) }

                    Figure 15: GSA_AUTH Error Response

   Assuming GCKS has a proper PPK Integrity Algorithm transforms for the GCKS continues with request to GM
   to immediately perform a rekey:

   Initiator (Member)                Responder (GCKS)
   --------------------              ------------------
                               <--- HDR, SK{IDr, AUTH, N(PPK_IDENTITY),
                                    N(REKEY_IS_NEEDED) }

                  Figure 16: GSA_AUTH Response using PPK

   GM initiates CREATE_CHILD_SA to rekey IKE corresponding SA and then makes
   SK_w is a new
   registration request default KWK for this SA.  Note, that SK_w is also used with
   the Encryption Algorithm transform as well as SK_e.  Note also, that
   if AEAD algorithm is used for encryption, then SK_a key will not be
   used (GM can use the same group over formula above assuming the new IKE SA:

   Initiator (Member)                Responder (GCKS)
   --------------------              ------------------
   HDR, SK {SA, Ni, KEi } --->
                               <--- HDR, SK {SA, Nr, KEr }
   HDR, SK {IDg } --->
                               <--- HDR, SK { GSA, KD }

     Figure 17: Rekeying IKE SA followed by GSA_REGISTRATION Exchange

2. length of SK_a is
   zero).

3.  Header and Payload Formats

   Refer to IKEv2 [RFC7296] for existing payloads.  Some payloads used
   in

   The G-IKEv2 exchanges are not aligned to 4-octet boundaries, which is
   also the case an IKEv2 extension and thus inherits its wire format
   for data structures.  However, the processing of some IKEv2 payloads (see Section 3.2 of [RFC7296]).

2.1.  The G-IKEv2 Header

   G-IKEv2 uses the same IKE header format as specified in [RFC7296]
   section 3.1.

   Several are
   different and several new payload formats payloads are required in the group security
   exchanges.

                 Next Payload Type                   Value
                 -----------------                   ----- defined: Group Identification (IDg)           50
   (IDg), Group Security Association (GSA)     51 Key Download (KD)                    52 (KD).  New
   exchange types GSA_AUTH, GSA_REGISTRATION and GSA_REGISTRATION, GSA_REKEY and
   GSA_INBAND_REKEY are added
   to also added.

   This section describes new payloads and the differences in processing
   of existing IKEv2 payloads.

3.1.  G-IKEv2 Header

   G-IKEv2 uses the same IKE header format as specified in [RFC7296] protocol.

                       Exchange Type           Value
                       --------------          -----
                       GSA_AUTH                 39
                       GSA_REGISTRATION         40
                       GSA_REKEY                41
                       GSA_INBAND_REKEY        TBD
   section 3.1.  Major Version is 2 and Minor Version is 0 as in IKEv2 [RFC7296]. IKEv2.
   IKE SA Initiator's SPI, IKE SA Responder's SPI, Flags, Message ID,
   and Length are as specified in [RFC7296].

2.2.

3.2.  Group Identification (IDg) Payload

   The IDg Payload Group Identification (IDg) payload allows the group member to
   indicate which group it wants to join.  The payload is constructed by
   using the IKEv2 Identification Payload (section 3.5 of [RFC7296]).
   ID type ID_KEY_ID MUST be supported.  ID types ID_IPV4_ADDR, ID_FQDN,
   ID_RFC822_ADDR, ID_IPV6_ADDR SHOULD be supported.  ID types
   ID_DER_ASN1_DN and ID_DER_ASN1_GN are not expected to be used.

2.3.  The
   Payload Type for the Group Identification payload is fifty (50).

3.3.  Security Association - GM Supported Transforms (SAg) Payload

   The SAg Security Association - GM Supported Transforms Payload (SAg)
   payload declares which Transforms a GM is willing to accept.  The
   payload is constructed using the format of the IKEv2 Security
   Association payload (section 3.3 of [RFC7296]).  The Payload Type for
   SAg is identical to the SA Payload Type - thirty-three (33).

2.4.

3.4.  Group Security Association Payload

   The Group Security Association (GSA) payload is used by the GCKS to
   assert security attributes for both Rekey and Data-security SAs.  The
   Payload Type for the Group Security Association payload is fifty-one
   (51).

                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Next Payload  |C|   RESERVED  |         Payload Length        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   ~                       <Group Policies>                        ~
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                       Figure 18: 13: GSA Payload Format

   The Security Association Payload fields are defined as follows:

   o  Next Payload, C, RESERVED, Payload (1 octet) -- Identifies the next payload type for the
      G-IKEv2 registration or Length fields comprise the G-IKEv2 rekey message.

   o  Critical (1 bit) -- Set according to
      IKEv2 Generic Payload Header and are defined in Section 3.2. of
      [RFC7296].

   o  RESERVED (7 bits) -- Must be zero.

   o  Payload Length (2 octets) -- Is the octet length  Group Policies (variable) - A set of group policies for the current
      payload including the generic header and all TEK group.

3.4.1.  Group Policies

   Croup policies are comprised of two types of policy - Group SA (GSA)
   policy and KEK policies.

2.4.1. Group Associated (GA) policy.  GSA Policy

   Following policy defines
   parameters for the GSA generic payload header are Security Association for the group.  Depending on
   the employed security protocol GSA policies for group may further be classified
   as rekeying (KEK), SA policy (GSA KEK) and data traffic SAs (TEK) and/or Group Associated Policy
   (GAP).  There SA policy (GSA TEK).
   GSA payload may be contain zero or one GSA KEK policy, zero or one GAP
   policies, and zero or more GSA
   TEK policies, and zero or one GA policy, where either one GSA KEK or
   GSA TEK payload policy MUST be present.

   This latitude allows various group policies to be accommodated.  For
   example if the group policy does not require the use of a Rekey SA,
   the GCKS would not need to send a GSA KEK attribute policy to the group member
   since all SA updates would be performed using the Registration SA.
   Alternatively, group policy might use a Rekey SA but choose to
   download a KEK to the group member only as part of the Registration
   SA.  Therefore, the GSA KEK policy would not be necessary as part of
   the GSA_REKEY message.

   Specifying multiple GSA TEKs allows multiple related data streams
   (e.g., video, audio, and text) to be associated with a session, but
   each protected with an individual security association policy.

   A GAP payload allows for the distribution of group-wise policy, such as
   instructions for when to activate and de-activate SAs.

   Policies are distributed in substructures to the GSA payload, and
   include the following header.

                           1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Type       |   RESERVED    |            Length             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                Figure 19: GSA Policy Generic Header Format payload.  The payload fields are defined as follows:

   o  Type (1 octet) -- Identifies the substructure type.  In the
      following table
   format of the terms Reserved, Unassigned, and Private Use
      are to be applied as substructures is defined below in [RFC8126].  The registration
      procedure is Expert Review.

                            Type          Value
                          --------        -----
                          Reserved          0
                          KEK               1
                          GAP               2
                          TEK               3
                          Unassigned       4-127
                          Private Use    128-255

   o  RESERVED (1 octet) -- Unused, set to zero.

   o  Length (2 octets) -- Length Section 3.4.2 (for
   GSA policy) and in octets Section 3.4.3 (for GA policy).  The first octet of
   the substructure,
      including its header.

2.4.2.  KEK substructure unambiguously determines its type - it is zero for
   GAP and non-zero (actually, it is the security protocol ID) for GSA
   policies.

3.4.2.  Group Security Association Policy Substructure

   The GSA KEK policy substructure contains security attributes parameters for the KEK method
   for SA used with
   this group.  Depending on the security protocol the SA is either a group
   rekey SA or a data security SA (ESP and parameters specific to AH).  It is NOT RECOMMENDED
   that the G-IKEv2 registration
   operation.  The source GCKS distribute both ESP and destination traffic selectors describe the
   network identities used AH policies for the rekey messages. same set of
   Traffic Selectors.

                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    Type = 1    Protocol   |   RESERVED   SPI Size    |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   ~                              SPI                              ~
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   ~                 <Source Traffic Selector>                     ~
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      ~               <Destination                  Source Traffic Selector>                  ~
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      ~               <Transform Substructure List>                   ~
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      ~                        KEK Attributes Selector                      ~
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   ~
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                       Figure 20: KEK Policy Format

   The GSA KEK Payload fields are defined as follows:

   o  Type = 1 (1 octet) -- Identifies the GSA payload type as KEK in
      the G-IKEv2 registration or the G-IKEv2 rekey message.

   o  RESERVED (1 octet) -- Must be zero.

   o  Length (2 octets) -- Length of this structure including KEK
      attributes.

   o  SPI (16 octets) -- Security Parameter Index for the rekey message.
      The SPI must be the IKEv2 Header SPI pair where the first 8 octets
      become the "Initiator's SPI" field in the G-IKEv2 rekey message
      IKEv2 HDR, and the second 8 octets become the "Responder's SPI" in
      the same HDR.  As described above, these SPIs are assigned by the
      GCKS.  When selecting SPI the GCKS MUST make sure that the sole
      first 8 octets (corresponding to "Initiator's SPI" field in the
      IKEv2 header) uniquely identify the Rekey SA.

   o  Source &                Destination Traffic Selectors - Substructures describing
      the source and destination of the network identities.  These
      identities refer to the source and destination of the next KEK
      rekey SA.  Defined format and values Selector                   ~
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   ~                       <GSA Transforms>                        ~
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   ~                       <GSA Attributes>                        ~
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                 Figure 14: GSA Policy Substructure Format

   The GSA policy fields are specified by IKEv2
      [RFC7296], section 3.13.1. defined as follows:

   o  Transform Substructure List -- A list of Transform Substructures
      specifies  Protocol (1 octet) - Identifies the transform information. security protocol for this
      group SA.  The format is defined in
      IKEv2 [RFC7296], section 3.3.2, and values are described defined in the IKEv2 registries Security Protocol
      Identifiers in [IKEV2-IANA].  Valid Transform Types are ENCR,
      INTEG.  The Last Substruc value in each Transform Substructure
      will be set to valid values for this field are:
      <TBA> (GIKE_REKEY) for GSA KEK policy and 2 (AH) or 3 except (ESP) for
      GSA TEK policy.

   o  SPI Size (1 octet) - Size of Security Parameter Index (SPI) for
      the last one in group SA.  SPI size depends on the list, which SA protocol.  For
      GIKE_REKEY it is set
      to 0. 16 octets, while for AH and ESP it is 4 octets.

   o  KEK Attributes -- Contains KEK policy attributes associated with
      the group.  The following sections describe  Length (2 octets, unsigned integer) - Length of this substructure
      including the possible
      attributes.  Any or all attributes may be optional, depending on header.

   o  SPI (variable) - Security Parameter Index for the group policy.

2.4.2.1.  KEK Attributes

   The following attributes may be present in a GSA KEK policy. SA.  The
   attributes must follow
      size of this field is determined by the format defined in SPI Size field.  As
      described above, these SPIs are assigned by the IKEv2 [RFC7296]
   section 3.3.5. GCKS.  In case of
      GIKE_REKEY the table, attributes that are defined as TV are
   marked as Basic (B); attributes that are defined as TLV are marked as
   Variable (V).  The terms Reserved, Unassigned, and Private Use are to SPI must be applied as defined in [RFC8126].  The registration procedure is
   Expert Review.

           KEK Attributes             Value    Type    Mandatory
           --------------             -----    ----    ---------
           Reserved                     0
           KEK_MANAGEMENT_ALGORITHM     1        B        N
           Reserved                     2
           Reserved                     3
           KEK_KEY_LIFETIME             4        V        Y
           Reserved                     5
           KEK_AUTH_METHOD              6        B        Y
           KEK_AUTH_HASH                7        B        N
           KEK_MESSAGE_ID the IKEv2 Header SPI pair where the
      first 8        V        Y (*)
           KEK_NEXT_SPI                 9        V        N
           Unassigned                 10-16383
           Private Use             16384-32767

   (*) octets become the KEK_MESSAGE_ID MUST be included "Initiator's SPI" field in a the G-IKEv2 registration
      rekey message IKEv2 HDR, and MUST NOT be included in rekey messages.

   The following attributes may only be included in a G-IKEv2
   registration message: KEK_MANAGEMENT_ALGORITHM, KEK_MESSAGE_ID.

2.4.2.1.1.  KEK_MANAGEMENT_ALGORITHM

   The KEK_MANAGEMENT_ALGORITHM attribute specifies the group KEK
   management algorithm used to provide forward or backward access
   control (i.e., used to exclude group members).  Defined values are
   specified in second 8 octets become the following table.  The terms Reserved, Unassigned,
   and Private Use are to be applied as defined
      "Responder's SPI" in [RFC8126].  The
   registration procedure is Expert Review.

                  KEK Management Type               Value
                  -------------------               -----
                  Reserved                            0
                  LKH                                 1
                  Unassigned                         2-16383
                  Private Use                    16384-32767

2.4.2.1.2.  KEK_KEY_LIFETIME

   The KEK_KEY_LIFETIME attribute specifies the maximum time for which same HDR.  When selecting SPI the KEK is valid.  The GCKS may refresh
      MUST make sure that the KEK at any time before sole first 8 octets (corresponding to
      "Initiator's SPI" field in the end IKEv2 header) uniquely identify the
      Rekey SA.

   o  Source & Destination Traffic Selectors - (variable) -
      Substructures describing the source and destination of the valid period. network
      identities.  The value format for these substructures is a four (4) octet number
   defining a valid time period defined in seconds.

2.4.2.1.3.  KEK_AUTH_METHOD

   The KEK_AUTH_METHOD attribute specifies
      IKEv2 [RFC7296], section 3.13.1.  For the method of authentication
   used.  This value is from group rekey SA (protocol
      GIKE_REKEY) the IKEv2 Authentication Method registry
   [IKEV2-IANA].  The method must either specify using some public key
   signatures or Shared Key Message Integrity Code.  Other
   authentication methods destination traffic selectors MUST NOT define a single
      IP address, IP protocol and port the GSA_REKEY messages will be used.

2.4.2.1.4.  KEK_AUTH_HASH
      destined to.  The KEK_AUTH_HASH attribute specifies the hash algorithm used to
   generate source traffic selector in this case MUST either
      define a single IP address, IP protocol and port the AUTH key to authenticate GSA_REKEY messages.  Hash
   algorithms are defined in IANA registry IKEv2 Hash Algorithms
   [IKEV2-IANA].

   This attribute SHOULD NOT
      messages will be originated from or be sent if the KEK_AUTH_METHOD implies a
   particular hash algorithm (e.g., for DSA-based algorithms).
   Furthermore, it is not necessary for the GCKS to send it if wildcard selector.  For
      the GM is
   known to support data security (AH and ESP) SAs the algorithm because it declared it in a
   SIGNATURE_HASH_ALGORITHMS notification during registration (see
   [RFC7427]).

2.4.2.1.5.  KEK_MESSAGE_ID

   The KEK_MESSAGE_ID attribute defines traffic selectors instead
      specify characteristics of the initial Message ID traffic to be
   used protected by the GCKS in
      corresponding SA.

   o  GSA Transforms (variable) - A list of Transform Substructures
      specifies the GSA_REKEY messages. policy information for the group SA.  The Message ID format is a 4
   octet unsigned integer
      defined in network byte order.

2.4.2.1.6.  KEK_NEXT_SPI IKEv2 [RFC7296], section 3.3.2.  The KEK_NEXT_SPI attribute may optionally be included by GCKS Last Substruc
      value in
   GSA_REKEY message, indicating what IKE SPIs are intended each Transform Substructure will be used set to 3 except for
      the next rekey last one in the list, which is set to 0.  Section 3.4.2.1
      describes using IKEv2 transforms in GSA policy substructure.

   o  GSA Attributes (variable) - Contains policy attributes associated
      with the group SA.  The attribute data MUST be 16 octets in length
   specifying the pair of IKE SPIs as they appear in following sections describe the IKE header.
   Multiple possible
      attributes.  Any or all attributes of this type MAY be included, meaning that any of
   the supplied SPIs can may be used for optional, depending on
      the next rekey.

   The GM may save these values group SA protocol and if later the GM starts receiving IKE
   messages with one group policy.  Section 3.4.2.2
      defines attributes used in GSA policy.

3.4.2.1.  GSA Transforms

   GSA policy is defined by means of these SPIs without seeing a rekey message over
   the current rekey SA, transforms in GSA policy
   substructure.  For this may be used as an indication, that purpose the
   rekey message was lost on its way to this GM. transforms defined in [RFC7296]
   are used.  In this case the GM
   SHOULD re-register to addition, new transform types are defined for using in
   G-IKEv2: Authentication Method (AUTH) and Group Key Management Method
   (GKM), see Section 6.

   Valid Transform Types depend on group SA protocol and are summarized
   in the group.

   Note, that this method of detecting missed rekeys can only table below.

   Protocol    Mandatory Types                 Optional Types
   ----------------------------------------------------------
   GIKE_REKEY  ENCR, INTEG*, PRF, AUTH, GKM
   ESP         ENCR                             INTEG
   AH          INTEG

                     Figure 15: Valid Transform Types

   (*) If AEAD encryption algorithm is used, then INTEG transform MUST
   NOT be specified, otherwise it MUST be specified.

3.4.2.1.1.  Authentication Method Transform

   The Authentication Method (AUTH) transform is used by
   passive GMs, i.e. those, that only listen and don't send data.  It's
   also no point to include this attribute in the GSA_INBAND_REKEY
   messages, since they use reliable transport.  Note also, that the
   GCKS is free to forget its promises and not GIKE_REKEY
   policy to use convey information of how GCKS will authenticate the SPIs it sent
   GSA_REKEY messages.  This values are from the IKEv2 Authentication
   Method registry [IKEV2-IANA].  Note, that this registry defines only
   256 possible values, so even that Transform ID field in the KEK_NEXT_SPI attributes before (e.g. Transform
   substructure allows for 65536 possible values, in case of GCKS reboot),
   so the GM must
   Authentication Method transform the values 257-65535 MUST NOT be
   used.

   Among the currently defined authentication methods in the IKEv2
   Authentication Method registry, only treat these information as a "best effort" made
   by GCKS the following are allowed to prepare for future rekeys.

2.4.3.  GSA TEK Policy be
   used in the Authentication Method transform: Shared Key Message
   Integrity Code, NULL Authentication and Digital Signature.  Other
   currently defined authentication methods MUST NOT be used.  The GSA TEK policy contains security attributes for a single TEK
   following semantics is associated with a group.

                           1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Type = 3   |   RESERVED    |            Length             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      | Protocol-ID   |       TEK Protocol-Specific Payload           |
      +-+-+-+-+-+-+-+-+                                               ~
      ~                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                Figure 21: TEK Policy Generic Header Format

   The GSA TEK Payload fields are defined as follows:

   o  Type = 3 (1 octet) -- Identifies the GSA payload type as TEK in each of the G-IKEv2 registration or allowed methods.

      Shared Key Message Integrity Code - GCKS will authenticates the G-IKEv2 rekey message.

   o  RESERVED (1 octet) -- Must be zero.

   o  Length (2 octets) -- Length
      GSA_REKEY messages by means of shared secret.  In this structure, including case the TEK
      Protocol-Specific Payload.

   o  Protocol-ID (1 octet) -- Value specifying
      GCKS MUST include the Security Protocol.
      The following table defines values for AUTH_KEY attribute containing the Security Protocol.
      Support for shared key
      into the GSA_PROTO_IPSEC_AH GSA TEK KD payload at the time the GM is OPTIONAL.  The terms
      Reserved, Unassigned, and Private Use are registered to the group.

      NULL Authentication - No additional authentication of the
      GSA_REKEY messages will be applied as defined
      in [RFC8126].  The registration procedure is Expert Review.

                 Protocol ID                       Value
                 -----------                       -----
                 Reserved                            0
                 GSA_PROTO_IPSEC_ESP                 1
                 GSA_PROTO_IPSEC_AH                  2
                 Unassigned                         3-127
                 Private Use                      128-255

   o  TEK Protocol-Specific Payload (variable) -- Payload which
      describes provided by the attributes specific for GCKS (besides the Protocol-ID.

2.4.3.1.  TEK ESP and AH Protocol-Specific Policy

   The TEK Protocol-Specific policy contains two traffic selectors one
      ability for the source GMs to correctly decrypt them and one for verify their
      ICV).  In this case the destination of GCKS MUST NOT include the protected traffic,
   SPI, Transforms, and Attributes.

   The TEK Protocol-Specific policy for ESP and AH is as follows:

                           1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                             SPI                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      ~                 <Source Traffic Selector>                     ~
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      ~               <Destination Traffic Selector>                  ~
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      ~               <Transform Substructure List>                   ~
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      ~                        TEK Attributes                         ~
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                  Figure 22: AH and ESP TEK Policy Format

   The GSA TEK Policy fields are defined as follows:

   o  SPI (4 octets) -- Security Parameter Index.

   o  Source & Destination Traffic Selectors AUTH_KEY
      attribute into the KD payload.

      Digital Signature - The traffic selectors
      describe Digital signatures will be used by the GCKS to
      authenticate the GSA_REKEY messages.  In this case the source and GCKS MUST
      include the destination AUTH_KEY attribute containing the public key into the
      KD payload at the time the GM is registered to the group.  To
      specify the details of the protected traffic.
      The format signature algorithm a new attribute
      Algorithm Identifier (<TBA by IANA>) is defined.  This attribute
      contains DER-encoded ASN.1 object AlgorithmIdentifier, which would
      specify the signature algorithm and values are the hash function that the
      GCKS will use for authentication.  The AlgorithmIdentifier object
      is defined in IKEv2 [RFC7296], section
      3.13.1.

   o  Transform Substructure List -- A 4.1.1.2 of [RFC5280], see also [RFC7427] for
      the list of Transform Substructures
      specifies common AlgorithmIdentifier values used in IKEv2.  In
      case of using digital signature the transform information. GCKS MUST include the
      Algorithm Identifier attribute in the Authentication Method
      transform.

   The format type of the Authentication Method Transform is defined <TBA by IANA>.

3.4.2.1.2.  Group Key Management Method Transform

   The Group Key Management Method (GKM) transform is used in
      IKEv2 [RFC7296], section 3.3.2, the
   GIKE_REKEY policy to convey information of how GCKS will manage the
   group keys to provide forward and values backward access control (i.e., used
   to exclude group members).  Possible key management methods are described
   defined in the a new IKEv2 registries [IKEV2-IANA].  Valid Transform Types registry "Transform Type <TBA> - Group Key
   Management Methods" (see Section 6).  This document defines one
   values for ESP this registry:

      Wrapped Key Download (<TBA by IANA>) - Keys are
      ENCR, INTEG, downloaded by GCKS
      to the GMs in encrypted form.  This algorithm may provide forward
      and ESN.  Valid Transform Types for AH are INTEG backward access control if some form of key hierarchy is used
      and
      ESN.  The Last Substruc value in each Transform Substructure will
      be set to 3 except for GM is provided with a personal key at the last one in time of
      registration.  Otherwise no access control is provided.

   The type of the list, which Group Key Management Method transform is set <TBA by
   IANA>.

3.4.2.2.  GSA Attributes

   GSA attributes are generally used to
      0.  A Transform Substructure provide GMs with attributes (e.g., additional
   parameters for the ENCR Key
      Length), they GSA policy.  Unlike security parameters
   distributed via transforms, which are included within the Transform Substructure as
      usual.

   o  TEK Attributes -- Contains the TEK expected not to change over
   time (unless policy changes), the parameters distributed via GSA
   attributes associated
      with may depend on the group, in time the format defined in Section 3.3.5 of
      [RFC7296].  All attributes are optional, depending distribution takes place, on
   the existence of others group
      policy.

   Attribute Types are as follows.  The terms Reserved, Unassigned, and
   Private Use are to be applied SAs or on other conditions.

   This document creates a new IKEv2 IANA registry for the types of the
   GSA attributes which is initially filled as defined described in [RFC8126].  The
   registration procedure is Expert Review.

           TEK Section 6.
   In particular, the following attributes are initially added.

   GSA Attributes          Value  Type    Mandatory
           --------------             -----    ----    ---------   Multiple  Used In
   ---------------------------------------------------------------------
   Reserved                0
           TEK_KEY_LIFETIME
   GSA_KEY_LIFETIME        1      V      N
           TEK_MODE         (GIKE_REKEY, AH, ESP)
   GSA_INITIAL_MESSAGE_ID  2        B        Y
           TEK_REKEY_SPI                3      V      N
           TEK_NEXT_SPI                 4         (GIKE_REKEY)
   GSA_NEXT_SPI            3      V        N
           Unassigned                  5-16383
           Private Use             16384-32767

   It is NOT RECOMMENDED that      Y         (GIKE_REKEY, AH, ESP)
   The attributes must follow the GCKS distribute both ESP and AH
   Protocol-Specific Policies for format defined in the same set of Traffic Selectors.

2.4.3.1.1.  TEK_KEY_LIFETIME IKEv2 [RFC7296]
   section 3.3.5.  In the table, attributes that are defined as TV are
   marked as Basic (B); attributes that are defined as TLV are marked as
   Variable (V).

3.4.2.2.1.  GSA_KEY_LIFETIME Attribute

   The TEK_KEY_LIFETIME GSA_KEY_LIFETIME attribute specifies the maximum time for which
   the TEK group SA is valid.  The value is a 4 octet number defining a
   valid time period in seconds.  A single attribute of this type MUST
   be included into any GSA policy substructure.

   When the TEK lifetime expires, the AH or ESP group security association and all
   associated keys downloaded under the security association
   are discarded. MUST be deleted.  The GCKS may refresh delete the TEK SA at any
   time before the end of the valid period.

3.4.2.2.2.  GSA_INITIAL_MESSAGE_ID Attribute

   The value is a four (4) octet number defining a valid time period GSA_INITIAL_MESSAGE_ID attribute defines the initial Message ID
   to be used by the GCKS in
   seconds.  If unspecified the default value of 28800 seconds (8 hours)
   shall be assumed.

2.4.3.1.2.  TEK_MODE GSA_REKEY messages.  The value of 0 Message ID is used for tunnel mode and 1 for transport mode.  In
   the absence
   a 4 octet unsigned integer in network byte order.

   A single attribute of this attribute tunnel mode will type MUST be used.

2.4.3.1.3.  TEK_REKEY_SPI

   This attribute contains an SPI for included into the SA that is being rekeyed.  The
   size of SPI depends on GSA KEK
   policy substructure if the protocol, for ESP and AH initial Message ID is non-zero.  Note,
   that it is 4 octets,
   so always the size of case if GMs join the data MUST be 4 octets for AH and ESP.

   If group after some multicast
   rekey operations have already taken place, so in these cases this
   attribute is will be included in the rekey message, the GM SHOULD
   delete the SA corresponding to this SPI once into the new SA is installed
   and regardless of GSA policy at the expiration time of the SA to be deleted (but
   after waiting DEACTIVATION_TIME_DELAY time period).

2.4.3.1.4.  TEK_NEXT_SPI

   This GMs'
   registration.

3.4.2.2.3.  GSA_NEXT_SPI Attribute

   The optional GSA_NEXT_SPI attribute contains an SPI that the GCKS
   reserved for the next
   rekey. group SA replacing this group SA.  The size length
   of SPI depends on the protocol, for ESP and AH it attribute data is
   4 octets, so determined by the size of SPI Size field in the data MUST be 4 octets for AH GSA
   Policy substructure the attribute resides in (see Section 3.4.2), and ESP.
   the attribute data contains SPI as it would appear on the network.
   Multiple attributes of this type MAY be included, which means meaning that any of
   the provided supplied SPIs can be used in the next rekey. replacement group SA.

   The GM may save store these values and if later the GM starts receiving
   IPsec
   group SA messages with one of these SPIs without seeing a rekey
   message
   for it, over the current rekey SA, this may be used as an indication,
   that the rekey message was got lost on its way to this GM.  In this case
   the GM SHOULD re-register to the group.

   Note, that this method of detecting missed lost rekey messages can only be
   used by passive GMs, i.e. those, that only listen and don't send
   data.  It's  There is also no point to include this attribute in the
   GSA_INBAND_REKEY messages, since they use reliable transport.  Note
   also, that the GCKS is free to forget its promises and not to use the
   SPIs it sent in the TEK_NEXT_SPI GSA_NEXT_SPI attributes before (e.g. in case of
   the GCKS reboot), so the GM must only treat these information as a
   "best effort" made by GCKS to prepare for future rekeys.

2.4.4.  GSA

3.4.3.  Group Associated Policy Substructure

   Group specific policy that does not belong to rekey policy (GSA KEK)
   or traffic encryption any SA policy (GSA TEK) can be
   distributed to all group member using GSA GAP (Group Group Associated Policy). Policy (GAP)
   substructure.

   The GSA GAP payload substructure is defined as follows:

                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    Type = 2   |   RESERVED            ZERO               |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   ~               Group Associated Policy Attributes                        <GAP Attributes>                       ~
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                    Figure 23: 16: GAP Policy Substructure Format

   The GSA GAP payload substructure fields are defined as follows:

   o  Type = 2 (1 octet) -- Identifies the GSA payload type as GAP in
      the G-IKEv2 registration or the G-IKEv2 rekey message.

   o  RESERVED (1 octet) -- Must  ZERO (2 octets) - MUST be zero.

   o  Length (2 octets) -- octets, unsigned integer) - Length of this structure, substructure
      including the GSA
      GAP header and Attributes. header.

   o  Group Associated Policy  GAP Attributes (variable) -- - Contains policy attributes associated
      with no specific SA.  The following sections describe the format defined in Section 3.3.5 of
      [RFC7296].

   Attribute Types are as follows.  The terms Reserved, Unassigned, and
   Private Use are to possible
      attributes.  Any or all attributes may be applied optional, depending on
      the group policy.

   This document creates a new IKEv2 IANA registry for the types of the
   GAP attributes which is initially filled as defined described in [RFC8126].  The
   registration procedure is Expert Review.

                  Attribute Type Section 6.
   In particular, the following attributes are initially added.

           GAP Attributes              Value   Type
                  --------------         -----       ----    Multiple
           ----------------------------------------------------
           Reserved                    0
                  ACTIVATION_TIME_DELAY
           GAP_ATD                     1       B
                  DEACTIVATION_TIME_DELAY       N
           GAP_DTD                     2       B
                  Unassigned              3-16383
                  Private Use         16384-32767

2.4.4.1.  ACTIVATION_TIME_DELAY/DEACTIVATION_TIME_DELAY       N
           GAP_SID_BITS                3       B       N

   The attributes must follow the format defined in the IKEv2 [RFC7296]
   section 3.3.5.  In the table, attributes that are defined as TV are
   marked as Basic (B); attributes that are defined as TLV are marked as
   Variable (V).

3.4.3.1.  GAP_ATD And GAP_DTD Attributes

   Section 4.2.1 of [RFC5374] specifies a key rollover method that
   requires two values be provided to group members. members - Activation Time
   Delay (ATD) and Deactivation Time Delay (DTD).

   The
   ACTIVATION_TIME_DELAY GAP_ATD attribute allows a GCKS to set the Activation Time Delay (ATD)
   for data security SAs generated from TEKs. of the group.  The ATD defines how long active
   members of the group (those who sends traffic) should wait after
   receiving new SAs before staring sending traffic over them.  Note,
   that they are to be activated by achieve smooth rollover passive members of the GM.
   The ATD value is in seconds. group should
   activate the SAs immediately once they receive them.

   The DEACTIVATION_TIME_DELAY GAP_DTD attribute allows the GCKS to set the Deactivation Time
   Delay (DTD) for previously distributed SAs.  The DTD defines how long after
   receiving new a request to delete data security SAs it passive group members
   should deactivate SAs wait before actually deleting them.  Note that active members
   of the group should stop sending traffic over these old SAs once new
   replacement SAs are
   destroyed by activated (after time specified in the rekey event. GAP_ATD
   attribute).

   The value is GAP_ATD and GAP_DTD attributes contain 16 bit unsigned integer in
   a network byte order, specifying the delay in seconds.

   The values  These
   attributes are OPTIONAL.  If one of ATD and DTD them or both are independent.  However, not sent by the DTD value
   GCKS, the GMs should be larger, which allows new SAs to be activated before older
   SAs use default values for activation and
   deactivation time delays.

3.4.3.2.  GAP_SID_BITS Attribute

   The GAP_SID_BITS attribute declares how many bits of the cipher nonce
   are deactivated.  Such a policy ensures that protected group
   traffic will always flow without interruption.

2.5.  Key Download Payload taken to represent an SID value.  The Key Download Payload contains bits are applied as the group keys for
   most significant bits of the group IV, as shown in Figure 1 of [RFC6054]
   and specified in Section 1.4.6.2.  Guidance for a GCKS choosing the GSA Payload.  These key download payloads can have
   several security attributes
   NUMBER_OF_SID_BITS is provided in Section 3 of [RFC6054].  This value
   is applied to them each SID value distributed in the KD payload.

   The GCKS MUST include this attribute if there are more than one
   sender in the group and any of the data security SAs use counter-
   based upon cipher mode.  The number of SID bits is represented as 16 bit
   unsigned integer in network byte order.

3.5.  Key Download Payload

   The Key Download (KD) payload contains the security
   policy of group keys for the group as defined by
   specified in the associated GSA Payload.  The Payload Type for the Key Download
   payload is fifty-two (52).

                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Next Payload  |C|  RESERVED   |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   ~                          Key Packets                         <Key Packets>                         ~
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                  Figure 24: 17: Key Download Payload Format

   The Key Download Payload payload fields are defined as follows:

   o  Next Payload, C, RESERVED, Payload (1 octet) -- Identifier for the payload type of the
      next payload in the message.  If the current payload is the last
      in the message, then this field will be zero.

   o  Critical (1 bit) -- Set according to [RFC7296].

   o  RESERVED (7 bits) -- Unused, set to zero.

   o  Payload Length (2 octets) -- Length in octets of the current
      payload, including the generic payload header.

   o  Key Packets (variable) -- Contains Key Packets.  Several types of
      key packets are defined.  Each Key Packet has the following
      format.

                          1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |   KD Type     |   RESERVED    |           KD Length           |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |    SPI Size   |                 SPI (variable)                ~
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     ~                    Key Packet Attributes                      ~
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                       Figure 25: Key Packet Format

   o  Key Download (KD) Type (1 octet) -- Identifier for the Key Data
      field of this Key Packet.  In the following table fields comprise the terms
      Reserved, Unassigned, and Private Use are to be applied as defined
      in [RFC8126].  The registration procedure is Expert Review.

                      Key Download Type        Value
                      -----------------        -----
                      Reserved                   0
                      TEK                        1
                      KEK                        2
                      LKH                        3
                      SID                        4
                      Unassigned                5-127
                      Private Use             128-255

   o  RESERVED (1 octet) -- Unused, set to zero.

   o  Key Download Length (2 octets) -- Length
      IKEv2 Generic Payload Header and are defined in octets Section 3.2. of the
      [RFC7296].

   o  Key Packets (variable) - Contains Group Key Packet data, including the and Member Key
      Packet header.

   o  SPI Size (1 octet) -- Value specifying the length in octets of the
      SPI as defined by the Protocol-Id.

   o  SPI (variable length) -- Security Parameter Index which matches substructures.  Each Key Packet contains keys for a
      SPI previously sent in an GSA KEK single
      group rekey or GSA TEK Payload.

   o data security SA or a keys and security parameters
      for a GM.

   Two types of Key Packets are used - Group Key Packet Attributes (variable length) -- Contains and Member Key
      information.  The format of this field is specific to the value of
      the KD Type field.  The following sections describe the format of
      each KD Type.

2.5.1.  TEK Download Type
   Packet.

3.5.1.  Wrapped Key Format

   The following attributes may be present symmetric keys in a TEK Download Type.
   Exactly one attribute matching each type G-IKEv2 are never sent in the GSA TEK payload
   MUST be present.  The attributes must follow clear.  They are
   always encrypted with other keys using the format defined in
   IKEv2 (Section 3.3.5 of [RFC7296]).  In the table, attributes defined
   as TV are marked as Basic (B); attributes defined as TLV are marked
   as Variable (V). called Wrapped Key
   that is shown below (Figure 18).

   The terms Reserved, Unassigned, and Private Use keys are
   to be applied as defined in [RFC8126].  The registration procedure encrypted using algorithm that is
   Expert Review.

           TEK KD Attributes          Value    Type    Mandatory
           -----------------          -----    ----    ---------
           Reserved                    0-2
           TEK_KEYMAT                   3        V        Y
           Unassigned                  4-16383
           Private Use             16384-32767 used to encrypt the
   message the keys are sent in.  It is possible means, that in case of unicast IKE
   SA (used for GMs registration and rekeying using GSA_INBAND_REKEY)
   the encryption algorithm will be the one negotiated during the GCKS SA
   establishment, while for the GSA_REKEY messages the algorithm will send no TEK key packets be
   provided by the GCKS in a
   Registration KD payload (as well as no corresponding GSA TEK payloads the Encryption Algorithm transform in the GSA payload), after which
   payload when this multicast SA was being established (not in the TEK payloads will same
   GSA_REKEY message).

   If AEAD mode is used for encryption, then for the purpose of key
   encryption the authentication tag MUST NOT be sent used (both not
   calculated and not verified), since the G-IKEv2 provides
   authentication of all its messages.  In addition there is no AAD in
   this case.  If encryption algorithm requires padding, then the
   encrypted key MUST be padded before encryption to have the required
   size.  If the encryption algorithm doesn't define the padding
   content, then the following scheme SHOULD be used: the Padding bytes
   are initialized with a
   rekey message.

2.5.1.1.  TEK_KEYMAT series of (unsigned, 1-byte) integer values.
   The TEK_KEYMAT attribute contains keying material for first padding byte appended to the
   corresponding SPI.  This keying material will be used plaintext is numbered 1, with
   subsequent padding bytes making up a monotonically increasing
   sequence: 1, 2, 3, ....  The length of the
   transform specified in padding is not transmitted
   and is implicitly determined, since the GSA TEK payload. length of the key is known.

                            1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                              Key ID                           |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                              KWK ID                           |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                                                               |
     ~                               IV                              ~
     |                                                               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                                                               |
     ~                          Encrypted Key                        ~
     |                                                               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                       Figure 18: Wrapped Key Format

   The Wrapped Key fields are defined as follows:

   o  Key ID (4 octets) - ID of the encrypted key.  The value zero means
      that the encrypted key contains keying material is
   treated equivalent to IKEv2 KEYMAT derived for the group SA,
      otherwise it contains some intermediate key.

   o  Key Wrap Key (KWK) ID (4 octets) - ID of the key that IPsec transform.

2.5.2.  KEK Download Type was used to
      encrypt this key.  The following attributes may be present in a KEK Download Type.
   Exactly one attribute matching each type sent in value zero means that the GSA KEK payload
   MUST be present. default KWK was
      used to encrypt the key, otherwise some other key was used.

   o  IV (variable) - Initialization Vector used for encryption.  The attributes must follow
      size and the format content of IV is defined in
   IKEv2 (Section 3.3.5 by the encryption algorithm
      employed.

   o  Encrypted Key (variable) - The encrypted key bits.  These bits may
      comprise either a single encrypted key or a result of [RFC7296]).  In encryption
      of a concatenation of keys (key material) for several algorithms.

3.5.2.  Group Key Packet Substructure

   Group Key Packet substructure contains SA key information.  This key
   information is associated with some group SAs: either with data
   security SAs or with group rekey SA.

                          1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |    Protocol   |   SPI Size    |            Length             |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                                                               |
     ~                              SPI                              ~
     |                                                               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                                                               |
     ~               <Group Key Download Attributes>                 ~
     |                                                               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

              Figure 19: Group Key Packet Substructure Format

   o  Protocol (1 octet) - Identifies the table, attributes defined
   as TV are marked as Basic (B); attributes defined as TLV are marked
   as Variable (V). security protocol for this key
      packet.  The terms Reserved, Unassigned, and Private Use values are
   to be applied as defined in [RFC8126]. the IKEv2 Security Protocol
      Identifiers in [IKEV2-IANA].  The registration procedure is
   Expert Review. valid values for this field are:
      <TBA> (GIKE_REKEY) for KEK KD Attributes          Value    Type    Mandatory
           -----------------          -----    ----    ---------
           Reserved                     0
           KEK_ENCR_KEY                 1        V         Y
           KEK_INTEGRITY_KEY Key packet and 2        V         N
           KEK_AUTH_KEY (AH) or 3        V         N
           Unassigned                  4-16383
           Private Use             16384-32767

   If the KEK Key Packet is included, there MUST be only one present in
   the KD payload.

2.5.2.1.  KEK_ENCR_KEY

   The KEK_ENCR_KEY attribute type declares that the encryption (ESP) for
      TEK key packet.

   o  SPI Size (1 octet) - Size of Security Parameter Index (SPI) for
      the corresponding SA.  SPI is contained in the Key Packet Attribute.  The
   encryption algorithm that will use this key was specified in the GSA
   KEK payload.

2.5.2.2.  KEK_INTEGRITY_KEY

   The KEK_INTEGRITY_KEY attribute type declares size depends on the integrity key security protocol.
      For GIKE_REKEY it is 16 octets, while for AH and ESP it is 4
      octets.

   o  Length (2 octets, unsigned integer) - Length of this substructure
      including the header.

   o  SPI is contained in (variable) - Security Parameter Index for the Key Packet Attribute. corresponding
      SA.  The integrity
   algorithm that will use size of this key was specified in field is determined by the GSA KEK
   payload.

2.5.2.3.  KEK_AUTH_KEY

   The KEK_AUTH_KEY attribute type declares that SPI Size field.
      In case of GIKE_REKEY the authentication key
   for this SPI is contained in must be the Key Packet Attribute.  The signature
   algorithm that will use this key was specified in IKEv2 Header SPI pair
      where the GSA KEK
   payload.  An RSA public key format is defined in [RFC3447],
   Section A.1.1.  DSS public key format is defined in [RFC3279]
   Section 2.3.2.  For ECDSA Public keys, use format described first 8 octets become the "Initiator's SPI" field in
   [RFC5480] Section 2.2.  Other algorithms added to the
      G-IKEv2 rekey message IKEv2
   Authentication Method registry are also expected to include a format
   of HDR, and the public key included second 8 octets become
      the "Responder's SPI" in the algorithm specification.

2.5.3.  LKH same HDR.  When selecting SPI the
      GCKS MUST make sure that the sole first 8 octets (corresponding to
      "Initiator's SPI" field in the IKEv2 header) uniquely identify the
      Rekey SA.

   o  Group Key Download Type

   The LKH key packet is comprised Attributes (variable length) - Contains Key
      information for the corresponding SA.

   This document creates a new IKEv2 IANA registry for the types of the
   Group Key Download attributes representing different
   leaves which is initially filled as described
   in Section 6.  In particular, the LKH key tree.

   The following attributes are used to pass an LKH KEK array in the KD
   payload. initially
   added.

       GKD Attributes      Value   Type    Multiple    Used In
       ------------------------------------------------------------
       Reserved            0
       SA_KEY              1       V       Y           (GIKE_REKEY)
                                           N           (AH, ESP)

   The attributes must follow the format defined in the IKEv2
   (Section 3.3.5 of [RFC7296]). [RFC7296]
   section 3.3.5.  In the table, attributes that are defined as TV are
   marked as Basic (B); attributes that are defined as TLV are marked as
   Variable (V).

3.5.2.1.  SA_KEY Attribute

   The terms Reserved, Unassigned, and Private Use are to
   be applied as defined in [RFC8126]. SA_KEY attribute contains a keying material for the corresponding
   SA.  The registration procedure is
   Expert Review.

                 LKH KD Attributes          Value     Type
                 -----------------          -----     ----
                 Reserved                     0
                 LKH_DOWNLOAD_ARRAY           1        V
                 LKH_UPDATE_ARRAY             2        V
                 Unassigned                  3-16383
                 Private Use             16384-32767

   If an LKH key packet content of the attribute is included in formatted according to
   Section 3.5.1 with a precondition that the KD payload, there Key ID field MUST be
   only one present.

2.5.3.1.  LKH_DOWNLOAD_ARRAY zero.
   The LKH_DOWNLOAD_ARRAY attribute type is used size of the keying material MUST be equal to download a set the total size of
   LKH
   the keys needed to be taken from this keying material (see
   Section 2.4) for the corresponding SA.

   If the Key Packet is for a group member.  It data security SA (AH or ESP protocols),
   then exactly one SA_KEY attribute MUST NOT be included in a IKEv2 rekey
   message KD payload if the IKEv2 rekey is sent present with both Key ID
   and KWK ID fields set to more than one group
   member. zero.

   If an LKH_DOWNLOAD_ARRAY attribute the Key Packet is included in for a KD
   payload, there rekey SA (GIKE_REKEY protocol), then at
   least one SA_KEY attribute with zero Key ID MUST be only one present.

   This attribute consists of a header block, followed by one or
   Depending on GCKS key management policy more
   LKH keys. SA_KEY attributes MAY be
   present.

3.5.3.  Member Key Packet Substructure

   The Member Key Packet substructure contains keys and other parameters
   that are specific for the member of the group and are not associated
   with any particular group SA.

                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |             ZERO              |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   ~                 <Member Key Download Attributes>              ~
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

             Figure 20: Member Key Packet Substructure Format

   The Member Key Packet substructure fields are defined as follows:

   o  ZERO (2 octets) - MUST be zero.

   o  Length (2 octets, unsigned integer) - Length of this substructure
      including the header.

   o  Member Key Download Attributes (variable length) - Contains Key
      information and other parameters exclusively for a particular
      member of the group.

   Member Key Packet substructure contains sensitive information for a
   single GM, for this reason it MUST NOT be sent in GSA_REKEY messages
   and MUST only be sent via unicast SA at the time the GM registers to
   the group (in either GSA_AUTH or GSA_REGISTRATION exchanges).

   This document creates a new IKEv2 IANA registry for the types of the
   Member Key Download attributes which is initially filled as described
   in Section 6.  In particular, the following attributes are initially
   added.

             MKD Attributes          Value   Type    Multiple
             ------------------------------------------------
             Reserved                0
             KEY_WRAP_KEY            1       V       Y
             GM_SID                  2       V       Y
             AUTH_KEY                3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |         # of LKH Keys        |             RESERVED           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      ~                           LKH Keys                            ~
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                   Figure 26: LKH_DOWNLOAD_ARRAY Format       V       N

   The KEK_LKH attribute fields attributes must follow the format defined in the IKEv2 [RFC7296]
   section 3.3.5.  In the table, attributes that are defined as follows:

   o  Number of LKH Keys (2 octets) -- This value TV are
   marked as Basic (B); attributes that are defined as TLV are marked as
   Variable (V).

3.5.3.1.  KEY_WRAP_KEY Attribute

   The KEY_WRAP_KEY attribute contains a key that is used to encrypt
   other keys.  One or more the number of
      distinct LKH keys in this sequence.

   o  RESERVED (2 octets) -- Unused, set these attributes are sent to zero.

   Each LKH Key is GMs if the
   GCKS key management policy relies on some key hierarchy (e.g.  LKH).

   The content of the attribute has a format defined as follows:

                           1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |             LKH ID            |            Encr Alg           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           Key Handle                          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      ~                            Key Data                           ~
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                         Figure 27: LKH in Section 3.5.1
   with a precondition that the Key Format

   o  LKH ID (2 octets) -- This field MUST NOT be zero.  The
   algorithm associated with the key is from the Encryption Transform
   for the SA the KEY_WRAP_KEY attributes was sent in.  The size of the
   key MUST be equal to the key size for this algorithm.

   Multiple instances of the KEY_WRAP_KEY attributes MAY be present in
   the key packet.

3.5.3.2.  GM_SID Attribute

   The GM_SID attribute is used to download one or more Sender-ID (SID)
   values for the position exclusive use of a group member.  One or more of this key
   attributes MUST be sent by the GCKS if the GM informed the GCKS that
   it would be a sender (by inclusion the SENDER notification to the
   request) and at least one of the data security SAs included in the
      binary tree structure used
   GSA payload uses counter-based mode of encryption.

   If the GMs has requested multiple SID values in the SENDER
   notification, then the GCKS SHOULD provide it with the requested
   number of SIDs by LKH.

   o  Encr Alg (2 octets) -- This sending multiple instances of the GM_SID attribute.
   The GCKS MAY send fewer SIDs than requested by the GM (e.g. if it is
   running out of SIDs), but it MUST NOT send more than requested.

3.5.3.3.  AUTH_KEY Attribute

   The AUTH_KEY attribute contains the encryption algorithm for which
      this key data that is used to be used.  This value is authenticate
   the GSA_REKEY messages.  The content of the attribute depends on the
   authentication method the GCKS specified in the ENCR Authentication Method
   transform in the GSA payload.

   o  Key Handle (4 octets) -- This is a randomly generated value to
      uniquely identify  If a key within an LKH ID.

   o  Key Data (variable length) -- This is the actual encryption key
      data, which shared secret is dependent on the Encr Alg algorithm used for its format.

   The first LKH Key structure in an LKH_DOWNLOAD_ARRAY attribute
   contains the Leaf identifier and key for GSA_REKEY messages
      authentication then the group member.  The rest content of the LKH Key structures contain keys along AUTH_KEY attribute is the path
      shared secret that MUST be represented in the form of Wrapped Key
      (see Section 3.5.1) with zero KWK ID.  The Key ID in this case is
      arbitrary and MUST be ignored by the key tree
   in GM.

   o  If digital signatures are used for the order starting from GSA_REKEY messages
      authentication then the leaf, culminating in content of the group KEK.

2.5.3.2.  LKH_UPDATE_ARRAY

   The LKH_UPDATE_ARRAY AUTH_KEY attribute type is a
      public key used to update the LKH keys for a group.  It is most likely to digital signature authentication.  The public
      key MUST be included represented as DER-encoded ASN.1 object
      SubjectPublicKeyInfo, defined in section 4.1.2.7 of [RFC5280].

      The signature algorithm that will use this key was specified in a G-IKEv2 rekey
   message KD payload to rekey
      the entire group.  This Algorithm Identifier attribute
   consists of a header block, followed by one or more LKH keys, as the Authentication Method
      transform.  The key MUST be compatible with this algorithm.  An
      RSA public key format is defined in [RFC3447], Section 2.5.3.1.

   There may be any number of LKH_UPDATE_ARRAY attributes included A.1.  DSS
      public key format is defined in [RFC3279] Section 2.3.2.  For
      ECDSA Public keys, use format described in [RFC5480] Section 2.
      Other algorithms added to the IKEv2 Authentication Method registry
      are also expected to include a
   KD payload.

                           1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          # of LKH Keys        |             LKH ID            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           Key Handle                          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      ~                            LKH Keys                           ~
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                    Figure 28: LKH_UPDATE_ARRAY Format

   o  Number format of LKH Keys (2 octets) -- This value is the number of
      distinct LKH keys SubjectPublicKeyInfo
      object included in this sequence.

   o  LKH ID (2 octets) -- This is the node identifier associated with algorithm specification.

   Multiple instances of the key used AUTH_KEY attributes MUST NOT be sent.

3.6.  Delete Payload

   There are occasions when the GCKS may want to encrypt signal to group members
   to delete policy at the first LKH Key.

   o  Key Handle (4 octets) -- This is end of a broadcast, if group policy has
   changed, or the value that uniquely
      identifies GCKS needs to reset the key within policy and keying material
   for the LKH ID which was used group due to encrypt the
      first LKH key.

   The LKH Keys are as defined in Section 2.5.3.1.  The LKH Key
   structures contain an emergency.  Deletion of keys along the path MAY be
   accomplished by sending an IKEv2 Delete Payload, section 3.11 of
   [RFC7296] as part of a registration or rekey Exchange.  Whenever an
   SA is to be deleted, the key tree in GKCS SHOULD send the order
   from Delete Payload in both
   registration and rekey exchanges, because GMs with previous group
   policy may contact the LKH GCKS using either exchange.

   The Protocol ID found MUST be GIKE_REKEY (<TBA>) for GSA_REKEY pseudo-
   exchange, 2 for AH or 3 for ESP.  Note that only one protocol id
   value can be defined in the LKH_UPDATE_ARRAY header, culminating a Delete payload.  If a TEK and a KEK SA for
   GSA_REKEY pseudo-exchange must be deleted, they must be sent in
   different Delete payloads.  Similarly, if a TEK specifying ESP and a
   TEK specifying AH need to be deleted, they must be sent in different
   Delete payloads.

   There may be circumstances where the group KEK.  The Key Data field of each LKH Key is encrypted with GCKS may want to reset the LKH key preceding it in
   policy and keying material for the LKH_UPDATE_ARRAY attribute. group.  The
   first LKH Key is encrypted under GCKS can signal
   deletion of all policy of a particular TEK by sending a TEK with a
   SPI value equal to zero in the key defined by delete payload.  In the LKH ID and
   Key Handle found in event that the LKH_UPDATE_ARRAY header.

2.5.4.  SID Download Type

   The SID attribute
   administrator is used to download one or more Sender-ID (SID)
   values for no longer confident in the exclusive use integrity of a the group member.  The terms Reserved,
   Unassigned, and Private Use are
   they may wish to be applied as defined remove all KEK and all the TEKs in
   [RFC8126].  The registration procedure the group.  This
   is Expert Review.

                 SID KD Attributes          Value     Type
                 -----------------          -----     ----
                 Reserved                     0
                 NUMBER_OF_SID_BITS           1        B
                 SID_VALUE                    2        V
                 Unassigned                  3-16383
                 Private Use             16384-32767

   Because done by having the GCKS send a SID value is intended for delete payload with a single group member, the SID
   Download type MUST NOT be distributed in SPI of zero
   and a GSA_REKEY message
   distributed Protocol-ID of AH or ESP to multiple group members.

2.5.4.1.  NUMBER_OF_SID_BITS

   The NUMBER_OF_SID_BITS attribute type declares how many bits delete all TEKs, followed by
   another delete payload with a SPI value of the
   cipher nonce in which zero and Protocol-ID of
   KEK SA to represent an SID value.  The bits are
   applied as delete the most significant bits of KEK SA.

3.7.  Notify Payload

   G-IKEv2 uses the IV, same Notify payload as shown in Figure 1
   of [RFC6054] and specified in [RFC7296],
   section 3.10.

   There are additional Notify Message types introduced by G-IKEv2 to
   communicate error conditions and status (see Section 1.4.6.2.  Guidance for a GCKS
   choosing 6).

   o  INVALID_GROUP_ID (45) - error type notification that indicates
      that the NUMBER_OF_SID_BITS is provided in Section 3 of
   [RFC6054].

   This value group id sent during the registration process is applied to each SID value distributed invalid.
      The Protocol ID and SPI Size fields in the SID
   Download.

2.5.4.2.  SID_VALUE

   The SID_VALUE attribute type declares a single SID value for Notify payload MUST be
      zero.  There is no data associated with this notification and the
   exclusive use
      content of this group member.  Multiple SID_VALUE attributes
   MAY the Notification Data field MUST be included ignored on receipt.

   o  AUTHORIZATION_FAILED (46) - error type notification that is sent
      in the response to a SID Download.

2.5.4.3.  GM Semantics GSA_AUTH message when authorization failed.
      The SID_VALUE attribute value distributed to Protocol ID and SPI Size fields in the group member Notify payload MUST be
   used by that group member as
      zero.  There is no data associated with this notification and the SID field portion
      content of the IV for all
   Data-Security SAs including a counter-based mode of operation
   distributed Notification Data field MUST be ignored on receipt.

   o  REGISTRATION_FAILED (<TBA>) - error type notification that is sent
      by the GCKS as a part of this group.  When when the Sender-
   Specific IV (SSIV) field for any Data-Security SA GM registration request cannot be satisfied.
      The Protocol ID and SPI Size fields in the Notify payload MUST be
      zero.  There is exhausted, no data associated with this notification and the
   group member
      content of the Notification Data field MUST NOT act as a sender be ignored on receipt.

   o  SENDER (16429) - status type notification that SA using its active
   SID.  The group member SHOULD re-register, at which time is sent in the GCKS
   will issue a new SID to
      GSA_AUTH or the group member, along with either GSA_REGISTRATION exchanges to indicate that the same
   Data-Security SAs or replacement ones. GM
      intends to be sender of data traffic.  The new data includes a count
      of how many SID replaces values the
   existing SID used by this group member, GM desires.  The count MUST be 4 octets
      long and also resets contain the SSIV
   value to its starting value.  A group member MAY re-register prior to big endian representation of the actual exhaustion number of
      requested SIDs.  The Protocol ID and SPI Size fields in the SSIV field to avoid dropping data
   packets due Notify
      payload MUST be zero.

   o  REKEY_IS_NEEDED (<TBA>) - status type notification that is sent in
      the GSA_AUTH response message to indicate that the exhaustion GM must perform
      an immediate rekey of available SSIV values combined with IKE SA to make it secure against quantum
      computers and then start a particular SID value.

   A group member MUST ignore an SID Download Type KD payload present registration request over.  The
      Protocol ID and SPI Size fields in
   a GSA-REKEY message, otherwise more than one GM may end up using the
   same SID.

2.5.4.4.  GCKS Semantics

   If any KD Notify payload includes keying material that MUST be
      zero.  There is no data associated with a
   counter-mode this notification and the
      content of operation, an SID Download Type KD payload containing
   at least one SID_VALUE attribute the Notification Data field MUST be included. ignored on receipt.

3.7.1.  USE_TRANSPORT_MODE Notification

   This specification uses USE_TRANSPORT_MODE notification defined in
   section 3.10.1 of [RFC7296] to specify which mode data security SAs
   should be created in.  The GCKS MUST NOT
   send the SID Download Type KD payload as part of include one USE_TRANSPORT_MODE
   notification in a GSA_REKEY message,
   because distributing message containing the same sender-specific policy GSA payload for every data
   security SAs specified in this payload that is to more than one
   group member will reduce be created in
   transport mode.  In other words, there must be as many these
   notifications included in the security message as many SAs are created in
   transport mode.  The Protocol ID, SPI Size and SPI fields of the group.

2.6.  Delete
   Notify Payload MUST correctly specify each such SA.

3.8.  Authentication Payload

   There are occasions when

   G-IKEv2 uses the GCKS may want to signal to group members same Authentication payload as specified in
   [RFC7296], section 3.8, to delete policy at authenticate the end of a broadcast, rekey message.  However,
   if group policy has
   changed, or the GCKS needs to reset it is used in the policy and keying material
   for GSA_REKEY messages the group due to an emergency.  Deletion of keys MAY be
   accomplished by sending an IKEv2 Delete Payload, section 3.11 of
   [RFC7296] as part content of a registration or rekey Exchange.  Whenever an
   SA is to be deleted, the GKCS SHOULD send the Delete Payload payload is
   computed differently, as described in both
   registration and rekey exchanges, because GMs Section 1.4.5.1.1.

4.  Interaction with previous group
   policy may contact the GCKS using either exchange.

   The other IKEv2 Protocol ID MUST be 41 for GSA_REKEY Exchange, 2 for AH or 3 for
   ESP.  Note Extensions

   A number of IKEv2 extensions is defined that only one protocol id value can be defined in a Delete
   payload.  If a TEK and a KEK SA for GSA_REKEY Exchange must be
   deleted, they must be sent in different Delete payloads.  Similarly,
   if a TEK specifying ESP and a TEK specifying AH need used to be deleted,
   they must be sent extend
   protocol functionality.  G-IKEv2 is compatible with most of them.  In
   particular, EAP authentication defined in different Delete payloads.

   There may [RFC7296] can be circumstances where the GCKS may want used to reset the
   policy and keying material for the group.  The GCKS
   establish registration IKE SA, as well as Secure Password
   authentication ([RFC6467]).  G-IKEv2 is compatible with and can signal
   deletion of all policy of use
   IKEv2 Session Resumption [RFC5723] except that a particular TEK by sending GM would include the
   initial ticket request in a TEK GSA_AUTH exchange instead of an IKE_AUTH
   exchange.  G-IKEv2 is also compatible with a
   SPI value equal to zero Multiple Key Exchanges in the delete payload.  In the event that the
   administrator is no longer confident
   IKEv2 framework, defined in [I-D.ietf-ipsecme-ikev2-multiple-ke].

   Some IKEv2 extensions however require special handling if used in
   G-IKEv2.

4.1.  Mixing Preshared Keys in IKEv2 for Post-quantum Security

   G-IKEv2 can take advantage of the integrity protection provided by Postquantum
   Preshared Keys (PPK) for IKEv2 [RFC8784].  However, the use of PPK
   leaves the group
   they may wish initial IKE SA susceptible to remove all KEK and all the TEKs quantum computer (QC)
   attacks.  For this reason an alternative approach for using PPK in
   IKEv2 defined in [I-D.smyslov-ipsecme-ikev2-qr-alt] SHOULD be used.

   If the group.  This alternative approach is done not supported by having the peers, then the
   GCKS MUST NOT send a delete payload with a SPI of zero GSA and KD payloads in the GSA_AUTH response
   message.  Instead, the GCKS MUST return a Protocol-ID of AH or ESP to delete all TEKs, followed by
   another delete payload with a SPI value of zero and Protocol-ID of
   KEK SA to delete new notification
   REKEY_IS_NEEDED.  Upon receiving this notification in the KEK SA.

2.7.  Notify Payload

   G-IKEv2 uses GSA_AUTH
   response the GM MUST perform an IKE SA rekey and then initiate a new
   GSA_REGISTRATION request for the same Notify payload as specified in [RFC7296],
   section 3.10.

   There group.  Below are additional Notify Message types introduced by G-IKEv2 to
   communicate error conditions possible
   scenarios involving using PPK.

   The GM starts the IKE_SA_INIT exchange requesting using PPK, and status.

   NOTIFY messages - error types          Value
   -------------------------------------------------------------------
   INVALID_GROUP_ID -                      45
   AUTHORIZATION_FAILED -                  46
   REGISTRATION_FAILED -                  TBD

   INVALID_GROUP_ID indicates the group id sent during
   GCKS responds with agreement to do it, or aborts according to its
   "mandatory_or_not" flag:

    Initiator (Member)                Responder (GCKS)
   --------------------              ------------------
    HDR, SAi1, KEi, Ni, N(USE_PPK)  -->
                                 <--  DR, SAr1, KEr, Nr, [CERTREQ],
                                      N(USE_PPK)

           Figure 21: IKE_SA_INIT Exchange requesting using PPK

   The GM then starts the registration
   process GSA_AUTH exchange with the PPK_ID; if using
   PPK is invalid.

   AUTHORIZATION_FAILED not mandatory for the GM, the NO_PPK_AUTH notification is sent
   included in the response to a request:

    Initiator (Member)                Responder (GCKS)
   --------------------              ------------------
    HDR, SK{IDi, AUTH, IDg,
    N(PPK_IDENTITY), N(NO_PPK_AUTH)}  -->

                   Figure 22: GSA_AUTH message
   when authorization failed.

   REGISTRATION_FAILED is sent by Request using PPK

   If the GCKS when has no such PPK and using PPK is not mandatory for it and
   the GM registration
   request cannot be satisfied.

   NOTIFY messages - status types          Value
   -------------------------------------------------------------------
   SENDER -                                16429
   REKEY_IS_NEEDED -                       TBD

   SENDER notification NO_PPK_AUTH is sent included, then the GCKS continues without PPK; in
   this case no rekey is needed:

    Initiator (Member)              Responder (GCKS)
   --------------------            ------------------
                               <--  HDR, SK{IDr, AUTH, GSA, KD}

                 Figure 23: GSA_AUTH or GSA_REGISTRATION to
   indicate that the GM intends to be sender of data traffic.  The data
   includes a count of how many SID values Response using no PPK

   If the GM desires.  The count
   MUST be 4 octets long GCKS has no such PPK and contain the big endian representation of either the number of requested SIDs.

   REKEY_IS_NEEDED NO_PPK_AUTH is sent in missing or
   using PPK is mandatory for the GCKS, the GCKS aborts the exchange:

    Initiator (Member)                Responder (GCKS)
   --------------------              ------------------
                                 <--  HDR, SK{N(AUTHENTICATION_FAILED)}

                    Figure 24: GSA_AUTH response message Error Response

   Assuming the GCKS has the proper PPK it continues with a request to indicate that
   the GM must to immediately perform an immediate a rekey of by sending the REKEY_IS_NEEDED
   notification:

    Initiator (Member)               Responder (GCKS)
   --------------------             ------------------
                                <--  HDR, SK{IDr, AUTH, N(PPK_IDENTITY),
                                     N(REKEY_IS_NEEDED) }

                  Figure 25: GSA_AUTH Response using PPK

   The GM initiates the CREATE_CHILD_SA exchange to rekey the initial
   IKE SA to make it secure
   against quantum computers and then start makes a new registration request over.

2.8.  Authentication Payload

   G-IKEv2 uses for the same Authentication payload as specified in
   [RFC7296], section 3.8, to sign group
   over the rekey message.

3. new IKE SA:

    Initiator (Member)                Responder (GCKS)
   --------------------              ------------------
    HDR, SK{SA, Ni, KEi}  -->
                                 <--  HDR, SK{SA, Nr, KEr}
    HDR, SK{IDg} --->
                                 <--  HDR, SK{GSA, KD}

     Figure 26: Rekeying IKE SA followed by GSA_REGISTRATION Exchange

5.  Security Considerations

3.1.

5.1.  GSA Registration and Secure Channel

   G-IKEv2 registration exchange uses IKEv2 IKE_SA_INIT protocols,
   inheriting all the security considerations documented in [RFC7296]
   section 5 Security Considerations, including authentication,
   confidentiality, protection against man-in-the-middle, protection
   against replay/reflection attacks, and denial of service protection.
   The GSA_AUTH and GSA_REGISTRATION exchanges also take advantage of
   those protections.  In addition, G-IKEv2 brings in the capability to
   authorize a particular group member regardless of whether they have
   the IKEv2 credentials.

3.2.

5.2.  GSA Maintenance Channel

   The GSA maintenance channel is cryptographically and integrity
   protected using the cryptographic algorithm and key negotiated in the
   GSA member registration exchanged.

3.2.1.

5.2.1.  Authentication/Authorization

   Authentication is implicit, the public key of the identity is
   distributed during the registration, and the receiver of the rekey
   message uses that public key and identity to verify the message came
   from the authorized GCKS.

3.2.2.

5.2.2.  Confidentiality

   Confidentiality is provided by distributing a confidentiality key as
   part of the GSA member registration exchange.

3.2.3.

5.2.3.  Man-in-the-Middle Attack Protection

   GSA maintenance channel is integrity protected by using a digital
   signature.

3.2.4.

5.2.4.  Replay/Reflection Attack Protection

   The GSA_REKEY message includes a monotonically increasing sequence
   number to protect against replay and reflection attacks.  A group
   member will recognize a replayed message by comparing the Message ID
   number to that of the last received rekey message, any rekey message
   containing a Message ID number less than or equal to the last
   received value MUST be discarded.  Implementations should keep a
   record last
   received value MUST be discarded.  Implementations should keep a
   record of recently received GSA rekey messages for this comparison.

6.  IANA Considerations

6.1.  New Registries

   A new set of registries is created for G-IKEv2 on IKEv2 parameters
   page [IKEV2-IANA].  The terms Reserved, Expert Review and Private Use
   are to be applied as defined in [RFC8126].

   This document creates a new IANA registry "Transform Type <TBA> -
   Group Key Management Methods".  The initial values of the new
   registry are:

   Value                       Group Key Management Method
   -------------------------------------------------------
   Reserved                    0
   Wrapped Key Download        1
   Unassigned                 2-1023
   Private Use             1024-65535

   Changes and additions to the unassigned range of this registry are by
   the Expert Review Policy [RFC8126].

   This document creates a new IANA registry "GSA Attributes".  The
   initial values of the new registry are:

   GSA Attributes          Value  Type   Multiple  Used In
   ---------------------------------------------------------------------
   Reserved                0
   GSA_KEY_LIFETIME        1      V      N         (GIKE_REKEY, AH, ESP)
   GSA_INITIAL_MESSAGE_ID  2      V      N         (GIKE_REKEY)
   GSA_NEXT_SPI            3      V      Y         (GIKE_REKEY, AH, ESP)
   Unassigned             5-16383
   Private Use        16384-32767
   Changes and additions to the unassigned range of recently received GSA rekey messages for this comparison.

4. registry are by
   the Expert Review Policy [RFC8126].

   This document creates a new IANA Considerations

4.1.  New Registries

   A registry "GAP Attributes".  The
   initial values of the new set registry are:

   GAP Attributes              Value   Type    Multiple
   ----------------------------------------------------
   Reserved                    0
   GAP_ATD                     1       B       N
   GAP_DTD                     2       B       N
   GAP_SID_BITS                3       B       N
   Unassigned                 4-16383
   Private Use            16384-32767

   Changes and additions to the unassigned range of registries should be created for G-IKEv2, on this registry are by
   the Expert Review Policy [RFC8126].

   This document creates a new page
   titled Group IANA registry "Group Key Management using IKEv2 (G-IKEv2) Parameters.  The
   following registries should be placed on that page. Download
   Attributes".  The terms
   Reserved, Expert Review and initial values of the new registry are:

   GKD Attributes      Value   Type    Multiple    Used In
   ------------------------------------------------------------
   Reserved            0
   SA_KEY              1       V       Y           (GIKE_REKEY)
                                       N           (AH, ESP)
   Unassigned         2-16383
   Private Use are    16384-32767

   Changes and additions to be applied as defined
   in [RFC8126].

   GSA the unassigned range of this registry are by
   the Expert Review Policy Type Registry, see Section 2.4.1
   KEK Attributes Registry, see Section 2.4.2.1

   KEK Management Algorithm Registry, see Section 2.4.2.1.1

   GSA TEK Payload Protocol ID Type Registry, see Section 2.4.3

   TEK Attributes Registry, see Section 2.4.3 [RFC8126].

   This document creates a new IANA registry "Member Key Download Type Registry, see Section 2.5

   TEK Download Type Attributes Registry, see Section 2.5.1

   KEK Download Type Attributes Registry, see Section 2.5.2

   LKH Download Type
   Attributes".  The initial values of the new registry are:

   MKD Attributes Registry, see Section 2.5.3

   SID Download          Value   Type Attributes Registry, see Section 2.5.4

4.2.  New Payload    Multiple
   ------------------------------------------------
   Reserved                0
   KEY_WRAP_KEY            1       V       Y
   GM_SID                  2       V       Y
   AUTH_KEY                3       V       N
   Unassigned             4-16383
   Private Use        16384-32767

   Changes and Exchange Types Added additions to the unassigned range of this registry are by
   the Expert Review Policy [RFC8126].

6.2.  Changes in the Existing IKEv2
      Registry

   The following Registries

   This document defines new payloads and exchange types specified Exchange Types in this memo
   have already been allocated by IANA and require no further action,
   other than replacing the draft name with an RFC number.

   The present "IKEv2 Exchange
   Types" registry:

   Value       Exchange Type
   ----------------------------
   39          GSA_AUTH
   40          GSA_REGISTRATION
   41          GSA_REKEY
   <TBA>       GSA_INBAND_REKEY

   This document describes defines new IKEv2 Payload Types in the "IKEv2 Payload Types"
   registry:

   Value       Next Payload types, see
   Section 2.1

   The present Type               Notation
   ----------------------------------------------------
   50          Group Identification            IDg
   51          Group Security Association      GSA
   52          Key Download                    KD

   This document describes defines a new IKEv2 Exchanges types, see
   Section 2.1

   The present Security Protocol Identifier in the
   "IKEv2 Security Protocol Identifiers" registry:

   <TBA>       GIKE_REKEY

   This document describes defines new IKEv2 notification types, see
   Section 2.7

4.3.  Changes to Previous Allocations

   Section 4.7 indicates an allocation Transform Types in the IKEv2 "Transform Type
   Values" registry and changes the "Used In" column for the existing
   allocations:

   Type  Description                          Used In
   ---------------------------------------------------------------------
   1     Encryption Algorithm (ENCR)          (IKE, GIKE_REKEY and ESP)
   2     Pseudo-random Function (PRF)         (IKE, GIKE_REKEY)
   3     Integrity Algorithm (INTEG)          (IKE, GIKE_REKEY, AH,
                                               optional in ESP)
   4     Diffie-Hellman Group (D-H)           (IKE, optional in AH, ESP)
   5     Extended Sequence Numbers (ESN)      (AH and ESP)
   <TBA> Authentication Method (AUTH)         (GIKE_REKEY)
   <TBA> Group Key Management Method (GKM)    (GIKE_REKEY)

   This document defines a new Attribute Type in the "IKEv2 Transform
   Attribute Types" registry:

   Value       Attribute Type              Format
   ----------------------------------------------
   <TBA>       Algorithm Identifier        TLV
   This document defines new Notify Message Types in the "Notify Message
   Types - Status Types" registry:

   Value       Notify Messages - Status Types registry has been made.  This NOTIFY
   ------------------------------------------
   16429       SENDER

   The Notify type with the value 16429 was allocated earlier in the
   development of G-IKEv2.  The number is
   16429, and was allocated G-IKEv2 document with the name SENDER_REQUEST_ID.  The
   This specification changes its name
   should be changed to SENDER.

5.

   This document defines new Notify Message Types in the "Notify Message
   Types - Error Types" registry:

   Value       Notify Messages - Error Types
   -----------------------------------------
   45          INVALID_GROUP_ID
   46          AUTHORIZATION_FAILED
   <TBA>       REGISTRATION_FAILED

7.  Acknowledgements

   The authors thank Lakshminath Dondeti and Jing Xiang for first
   exploring the use of IKEv2 for group key management and providing the
   basis behind the protocol.  Mike Sullenberger and Amjad Inamdar were
   instrumental in helping resolve many issues in several versions of
   the document.

6.

8.  Contributors

   The following individuals made substantial contributions to early
   versions of this memo.

      Sheela Rowles
      Cisco Systems
      170 W. Tasman Drive
      San Jose, California  95134-1706
      USA

      Phone: +1-408-527-7677
      Email: sheela@cisco.com
      Aldous Yeung
      Cisco Systems
      170 W. Tasman Drive
      San Jose, California  95134-1706
      USA

      Phone: +1-408-853-2032
      Email: cyyeung@cisco.com

      Paulina Tran
      Cisco Systems
      170 W. Tasman Drive
      San Jose, California  95134-1706
      USA

      Phone: +1-408-526-8902
      Email: ptran@cisco.com

      Yoav Nir
      Dell EMC
      9 Andrei Sakharov St
      Haifa  3190500
      Israel

      Email: ynir.ietf@gmail.com

7.

9.  References
7.1.

9.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC2627]  Wallner, D., Harder, E., and R. Agee, "Key Management for
              Multicast: Issues and Architectures", RFC 2627,
              DOI 10.17487/RFC2627, June 1999,
              <https://www.rfc-editor.org/info/rfc2627>.

   [RFC3740]  Hardjono, T. and B. Weis, "The Multicast Group Security
              Architecture", RFC 3740, DOI 10.17487/RFC3740, March 2004,
              <https://www.rfc-editor.org/info/rfc3740>.

   [RFC4046]  Baugher, M., Canetti, R., Dondeti, L., and F. Lindholm,
              "Multicast Security (MSEC) Group Key Management
              Architecture", RFC 4046, DOI 10.17487/RFC4046, April 2005,
              <https://www.rfc-editor.org/info/rfc4046>.

   [RFC4301]  Kent, S. and K. Seo, "Security Architecture for the
              Internet Protocol", RFC 4301, 4301, DOI 10.17487/RFC4301,
              December 2005, <https://www.rfc-editor.org/info/rfc4301>.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, DOI 10.17487/RFC4301,
              December 2005, <https://www.rfc-editor.org/info/rfc4301>. 10.17487/RFC5280, May 2008,
              <https://www.rfc-editor.org/info/rfc5280>.

   [RFC6054]  McGrew, D. and B. Weis, "Using Counter Modes with
              Encapsulating Security Payload (ESP) and Authentication
              Header (AH) to Protect Group Traffic", RFC 6054,
              DOI 10.17487/RFC6054, November 2010,
              <https://www.rfc-editor.org/info/rfc6054>.

   [RFC7296]  Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T.
              Kivinen, "Internet Key Exchange Protocol Version 2
              (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October
              2014, <https://www.rfc-editor.org/info/rfc7296>.

   [RFC8126]  Cotton, M., Leiba, B., and T. Narten, "Guidelines for
              Writing an IANA Considerations Section in RFCs", BCP 26,
              RFC 8126, DOI 10.17487/RFC8126, June 2017,
              <https://www.rfc-editor.org/info/rfc8126>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

7.2.

9.2.  Informative References

   [I-D.ietf-ipsecme-qr-ikev2]

   [I-D.ietf-ipsecme-ikev2-multiple-ke]
              Tjhai, C., Tomlinson, M., grbartle@cisco.com, g., Fluhrer,
              S., McGrew, Geest, D., Kampanakis, P., Garcia-Morchon, O., and V. Smyslov,
              "Mixing Preshared Keys
              "Multiple Key Exchanges in IKEv2 for Post-quantum
              Resistance", draft-ietf-ipsecme-qr-ikev2-10 IKEv2", draft-ietf-ipsecme-
              ikev2-multiple-ke-00 (work in progress), December 2019. January 2020.

   [I-D.smyslov-ipsecme-ikev2-qr-alt]
              Smyslov, V., "An Alternative "Alternative Approach for Postquantum Mixing Preshared
              Keys in IKEv2", draft-smyslov-ipsecme-ikev2-qr-
              alt-00 (work in progress), October 2019.

   [I-D.tjhai-ipsecme-hybrid-qske-ikev2]
              Tjhai, C., Tomlinson, M., grbartle@cisco.com, g., Fluhrer,
              S., Geest, D., Garcia-Morchon, O., and V. Smyslov,
              "Framework to Integrate IKEv2 for Post-quantum Key Exchanges into
              Internet Key Exchange Protocol Version 2 (IKEv2)", draft-
              tjhai-ipsecme-hybrid-qske-ikev2-04 Security", draft-smyslov-
              ipsecme-ikev2-qr-alt-01 (work in progress),
              July 2019. February 2020.

   [IKEV2-IANA]
              IANA, "Internet Key Exchange Version 2 (IKEv2)
              Parameters", <http://www.iana.org/assignments/ikev2-
              parameters/ikev2-parameters.xhtml#ikev2-parameters-7>.

   [NNL]      Naor, D., Noal, M., and J. Lotspiech, "Revocation and
              Tracing Schemes for Stateless Receivers", Advances in
              Cryptology, Crypto '01,  Springer-Verlag LNCS 2139, 2001,
              pp. 41-62, 2001,
              <http://www.wisdom.weizmann.ac.il/~naor/>.
              <http://www.wisdom.weizmann.ac.il/~naor/PAPERS/2nl.pdf>.

   [OFT]      McGrew, D. and A. Sherman, "Key Establishment in Large
              Dynamic Groups Using One-Way Function Trees", Manuscript,
               submitted to IEEE Transactions on Software Engineering,
              1998, <http://download.nai.com/products/media/nai/misc/
              oft052098.ps>. <https://pdfs.semanticscholar.org/
              d24c/7b41f7bcc2b6690e1b4d80eaf8c3e1cc5ee5.pdf>.

   [RFC2409]  Harkins, D. and D. Carrel, "The Internet Key Exchange
              (IKE)", RFC 2409, DOI 10.17487/RFC2409, November 1998,
              <https://www.rfc-editor.org/info/rfc2409>.

   [RFC3279]  Bassham, L., Polk, W., and R. Housley, "Algorithms and
              Identifiers for the Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 3279, DOI 10.17487/RFC3279, April
              2002, <https://www.rfc-editor.org/info/rfc3279>.

   [RFC3447]  Jonsson, J. and B. Kaliski, "Public-Key Cryptography
              Standards (PKCS) #1: RSA Cryptography Specifications
              Version 2.1", RFC 3447, DOI 10.17487/RFC3447, February
              2003, <https://www.rfc-editor.org/info/rfc3447>.

   [RFC3686]  Housley, R., "Using Advanced Encryption Standard (AES)
              Counter Mode With IPsec Encapsulating Security Payload
              (ESP)", RFC 3686, DOI 10.17487/RFC3686, January 2004,
              <https://www.rfc-editor.org/info/rfc3686>.

   [RFC4106]  Viega, J. and D. McGrew, "The Use of Galois/Counter Mode
              (GCM) in IPsec Encapsulating Security Payload (ESP)",
              RFC 4106, DOI 10.17487/RFC4106, June 2005,
              <https://www.rfc-editor.org/info/rfc4106>.

   [RFC4309]  Housley, R., "Using Advanced Encryption Standard (AES) CCM
              Mode with IPsec Encapsulating Security Payload (ESP)",
              RFC 4309, DOI 10.17487/RFC4309, December 2005,
              <https://www.rfc-editor.org/info/rfc4309>.

   [RFC4543]  McGrew, D. and J. Viega, "The Use of Galois Message
              Authentication Code (GMAC) in IPsec ESP and AH", RFC 4543,
              DOI 10.17487/RFC4543, May 2006,
              <https://www.rfc-editor.org/info/rfc4543>.

   [RFC5374]  Weis, B., Gross, G., and D. Ignjatic, "Multicast
              Extensions to the Security Architecture for the Internet
              Protocol", RFC 5374, DOI 10.17487/RFC5374, November 2008,
              <https://www.rfc-editor.org/info/rfc5374>.

   [RFC5480]  Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk,
              "Elliptic Curve Cryptography Subject Public Key
              Information", RFC 5480, DOI 10.17487/RFC5480, March 2009,
              <https://www.rfc-editor.org/info/rfc5480>.

   [RFC5723]  Sheffer, Y. and H. Tschofenig, "Internet Key Exchange
              Protocol Version 2 (IKEv2) Session Resumption", RFC 5723,
              DOI 10.17487/RFC5723, January 2010,
              <https://www.rfc-editor.org/info/rfc5723>.

   [RFC6407]  Weis, B., Rowles, S., and T. Hardjono, "The Group Domain
              of Interpretation", RFC 6407, DOI 10.17487/RFC6407,
              October 2011, <https://www.rfc-editor.org/info/rfc6407>.

   [RFC6467]  Kivinen, T., "Secure Password Framework for Internet Key
              Exchange Version 2 (IKEv2)", RFC 6467,
              DOI 10.17487/RFC6467, December 2011,
              <https://www.rfc-editor.org/info/rfc6467>.

   [RFC7383]  Smyslov, V., "Internet Key Exchange Protocol Version 2
              (IKEv2) Message Fragmentation", RFC 7383,
              DOI 10.17487/RFC7383, November 2014,
              <https://www.rfc-editor.org/info/rfc7383>.

   [RFC7427]  Kivinen, T. and J. Snyder, "Signature Authentication in
              the Internet Key Exchange Version 2 (IKEv2)", RFC 7427,
              DOI 10.17487/RFC7427, January 2015,
              <https://www.rfc-editor.org/info/rfc7427>.

   [RFC7634]  Nir, Y., "ChaCha20, Poly1305, and Their Use in the
              Internet Key Exchange Protocol (IKE) and IPsec", RFC 7634,
              DOI 10.17487/RFC7634, August 2015,
              <https://www.rfc-editor.org/info/rfc7634>.

   [RFC8229]  Pauly, T., Touati, S., and R. Mantha, "TCP Encapsulation
              of IKE and IPsec Packets", RFC 8229, DOI 10.17487/RFC8229,
              August 2017, <https://www.rfc-editor.org/info/rfc8229>.

   [RFC8784]  Fluhrer, S., Kampanakis, P., McGrew, D., and V. Smyslov,
              "Mixing Preshared Keys in the Internet Key Exchange
              Protocol Version 2 (IKEv2) for Post-quantum Security",
              RFC 8784, DOI 10.17487/RFC8784, June 2020,
              <https://www.rfc-editor.org/info/rfc8784>.

Appendix A.  Use of LKH in G-IKEv2

   Section 5.4 of [RFC2627] describes the LKH architecture, and how a
   GCKS uses LKH to exclude group members.  This section clarifies how
   the LKH architecture is used with G-IKEv2.

A.1.  Notation

   In this section we will use the notation X{Y} where a key with ID Y
   is encrypted with the key with ID X.  The notation 0{Y} means that
   the default wrap key (SK_w) is used to encrypt key Y, and the
   notation X{0} means key X is used to encrypt the group SA key.  Note,
   that 0{0} means that the group SA key is encrypted with default wrap
   key.

   The content of the KD payload will be shown as a sequence of Key
   Packets.  The Group Key Packet substructure will be denoted as SAn(),
   when n is an SPI for the SA, and The Member Key Packet substructure
   will be denoted as GM().  The content of the Key Packets is shown as
   SA_KEY and KEY_WRAP_KEY attributes with the notation described above.
   Here is the example of KD payload.

                      KD(SA1(X{0}),GM(Y{X},Z{Y},0{Z})

   For simplicity any other attributes in the KD payload are omitted.

   We will also use the notation X->Y->Z to describe the Key Path, i.e.
   the relation between the keys.  In this case the keys had the
   following relation: Z{Y}, Y{X}.

A.2.  Group Creation

   When a GCKS forms a group, it creates a key tree as shown in the
   figure below.  The key tree contains logical keys (represented (which are
   represented as
   numbers the values of their Key IDs in the figure) and a
   private key shared with only a single GM
   (represented (the GMs are represented as
   letters followed by the corresponding key ID in parentheses in the
   figure).  Note  The root of the tree contains the multicast rekey SA key
   (which is represented as SAn(0), showing that its Key ID is always
   zero).  The figure below assumes that the use of numbers
   and letters Key IDs are assigned
   sequentially; this is not a requirement and only used for explanatory purposes; in fact, each key would
   have an LKH ID, which is two-octet identifier chosen by the GCKS.
   illustrative purposes.  The GCKS may create a complete tree as shown,
   or a partial tree which is created on demand as members join the
   group.  The top of the key
   tree (i.e., "1" in Figure 29) is used as the KEK for the group.

                                     1

                                 SA1(0)
                    +------------------------------+
                    1                              2                              3
            +---------------+              +---------------+
            3               4              5               6               7
        +-------+       +-------+      +--------+      +--------+
         A       B       C       D      E        F      G        H
       A(7)    B(8)    C(9)   D(10)  E(11)    F(12)  G(13)    H(14)

                        Figure 29: 27: Initial LKH tree

   When GM "A" A joins the group, the GCKS provides an LKH_DOWNLOAD_ARRAY it with the keys in the
   KEY_WRAP_KEY attributes in the KD payload of the GSA_AUTH or
   GSA_REGISTRATION exchange.  Given the tree shown in figure above, the LKH_DOWNLOAD_ARRAY
   KD payload will
   contain four LKH be:

                      KD(SA1(1{0}),GM(3{1},7{3},0{7})

                     KD Payload for the Group Member A

   From these attributes the GM A will construct the Key payloads, each containing an LKH ID Path
   0->1->3->7->0 and Key
   Data.  If since it ends up with SK_w, it will use all the LKH ID values were chosen as shown
   KEY_WRAP_KEY attributes present in the figure, four
   LKH Keys would path as its working Key Path:
   1->3->7.

   Similarly, when other GMs will be joining the group they will be
   provided to GM "A", in with the corresponding keys, so after all the GMs will have
   the following order: A, 4,
   2, 1.  When GM "B" joins working Key Paths:

   A: 1->3->7      B: 1->3->8      C: 1->4->9,     D: 1->4->10
   E: 2->5->11     F: 2->5->12     G: 2->6->13     H: 2->6->14

A.3.  Simple Group SA Rekey

   If the group, GCKS performs a simple SA rekey without changing group
   membership, it would also be given four LKH
   Keys will only send Group Key Packet in the following order: B, 4, 2, 1.  And so on, until GM "H"
   joins KD payload with
   a new SA key encrypted with the group default KWK.

                               KD(SA2(0{0}))

                     KD Payload for the Group Member F

   All the GMs will be able to decrypt it and is given H, 7, 3, 1.

A.2. no changes in their
   working Key Paths will take place.

A.4.  Group Member Exclusion

   If the GKCS has reason to believe that a GM should be excluded, then
   it can do so by sending a GSA_REKEY exchange message that includes a set of
   LKH_UPDATE_ARRAY
   GM_KEY attributes in the KD payload.  Each LKH_UPDATE_ARRAY
   contains a set of LKH Key payloads, in which every GM other than would allow all GMs except for the excluded GM will be able
   one to determine a set of new logical keys,
   which culminate in get a new key "1".  The excluded GM will observe SA key.

   In the
   set of LKH_UPDATE_ARRAY attributes, but cannot determine example below the new
   logical keys because each of GCKS excludes GM F.  For this purpose it
   changes the "Key Data" fields is encrypted key tree as follows, replacing the key 2 with
   a the key held by other GMs.  The GM will hold no keys to properly
   decrypt any of 15
   and the "Key Data" fields, including key "1" (i.e., 5 with the key 16.  It also a new KEK).  When SA key for a subsequent GSA_REKEY exchange is delivered by the
   GCKS and protected by the new KEK, the SA3.

                                 SA3(0)
                    +------------------------------+
                    1                             15
            +---------------+              +---------------+
            3               4             16               6
        +-------+       +-------+      +----           +--------+
       A(7)    B(8)    C(9)   D(10)  E(11)    F(12)  G(13)    H(14)

               Figure 28: LKH tree after F has been excluded GM will no longer be
   able to see

   Then it sends the contents of following KD payload for the GSA_REKEY, including new TEKs that
   will be delivered to replace existing TEKs.  At this point, rekey SA3:

              KD(SA3(1{0},SA3(15{0})),GM(6{15},16{15},11{16})

                     KD Payload for the GM Group Member F

   While processing this KD payload:

   o  GMs A, B, C and D will no longer be able to participate in decrypt the group.

   In SA_KEY attribute
      1{0} by using the example below, "1" key from their key path.  Since no new keys
      GM_KEY attributes are represented as in the number followed
   by a "prime" symbol (e.g., "1" becomes "1'").  Each key is encrypted
   by another key.  This is represented as "{key1}key2", where key2
   encrypts key1.  For example, "{1'}2' states that a new key "1'" is
   encrypted with a Key Path, they won't update their
      working Key Paths.

   o  GMs G and H will construct new key "2'".

   If GM "B" is to Key Path 15->0 and will be excluded, able to
      decrypt the GCKS new GM_KEY 15 using the key 6 from their working Key
      Paths.  So, they will need update their working Key Paths replacing
      their beginnings up to include three
   LKH_UPDATE_ARRAY attributes in the GSA_REKEY message.  The order of key 6 with the attributes does not matter; only new Key Path (thus
      replacing the order of key 2 with the keys within
   each attribute. key 15).

   o  One will provide  GM "A" with new logical keys that are shared with
      B: {4'}A, {2'}4', {1'}2'

   o  One E will provide all GMs holding key "5" with construct new logical keys:
      {2'}5, {1'}2'

   o  One Key Path 16->15->0 and will provide all GMs holding key "3" with a be able to
      decrypt the new KEK: {1'}3

   Each GM GM_KEY 16 using the key 11 from its working Key
      Path.  So, it will look at each LKH_UPDATE_ARRAY attribute and observe an
   LKH ID which is present in an LKH update its working Key delivered Path replacing its
      beginnings up to them in the
   LKH_DOWNLOAD_ARRAY they were given.  If they find a matching LKH ID,
   then they will decrypt key 11 with the new Key Path (thus replacing
      the key 2 with the logical key immediately
   preceding that LKH Key, 15 and the key 5 with the key 16).

   o  GM F won't be able to construct any Key Path leading to any key he
      possesses, so on until they have received it will be unable to decrypt the new 1'
   key.

   The resulting SA key tree from this rekey event would would for the
      SA3 and thus it will be shown in
   Figure 30.

                                     1'
                     +------------------------------+
                     2'                             3
             +---------------+              +---------------+
             4'              5              6               7
         +---+           +-------+      +--------+      +--------+
         A       B       C       D      E        F      G        H

               Figure 30: LKH tree after B has been excluded from the group once the GCKS
      starts sending TEK keys using SA3.

   Finally, the GMs will have the following working Key Paths:

   A: 1->3->7      B: 1->3->8      C: 1->4->9,     D: 1->4->10
   E: 15->16->11   F: excluded     G: 15->6->13    H: 15->6->14

Authors' Addresses

   Brian Weis
   Independent
   USA

   Email: bew.stds@gmail.com

   Valery Smyslov
   ELVIS-PLUS
   PO Box 81
   Moscow (Zelenograd)  124460
   Russian Federation

   Phone: +7 495 276 0211
   Email: svan@elvis.ru

   Brian Weis
   Independent
   USA

   Email: bew.stds@gmail.com