MSEC Working Group B. Weis Internet-Draft S. Rowles Intended status: Standards Track Cisco Systems Expires:
September 3, 2007March 02,17, 2008 September 14, 2007 Updates to the Group Domain of Interpretation (GDOI) draft-ietf-msec-gdoi-update-02draft-ietf-msec-gdoi-update-03 Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on September 3, 2007.March 17, 2008. Copyright Notice Copyright (C) The IETF Trust (2007). Abstract This memo describes updates to the Group Domain of Interpretation (GDOI) [RFC3547]. It provides clarification where the original text is unclear. It also includes a discussion of algorithm agility within GDOI, and proposes several new algorithm attribute values. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.1. Requirements notation . . . . . . . . . . . . . . . . . . 4 2. Cryptographic Algorithm agility . . . . . . . . . . . . . . . 5 2.1. Phase 1 protocol . . . . . . . . . . . . . . . . . . . . . 5 2.2. GROUPKEY-PUSH message . . . . . . . . . . . . . . . . . . 5 2.3. IPsec TEK Distribution . . . . . . . . . . . . . . . . . . 6 2.4. Certificate Payload . . . . . . . . . . . . . . . . . . . 6 2.5. POP Payload . . . . . . . . . . . . . . . . . . . . . . . 6 3. RFC 3547 Clarification . . . . . . . . . . . . . . . . . . . . 7 3.1. SA Payload . . . . . . . . . . . . . . . . . . . . . . . . 7 3.2. SIG Payload . . . . . . . . . . . . . . . . . . . . . . . 7 3.3. SEQ Payload . . . . . . . . . . . . . . . . . . . . . . . 8 3.4. POP Payload . . . . . . . . . . . . . . . . . . . . . . . 8 3.5. CERT Payload . . . . . . . . . . . . . . . . . . . . . . . 10 3.6. TEK Integrity Key Length . . . . . . . . . . . . . . . . . 10 3.7. KE Payload . . . . . . . . . . . . . . . . . . . . . . . . 10 3.8. Minimum defined attributes . . . . . . . . . . . . . . . . 12 3.9. Attribute behavour . . . . . . . . . . . . . . . . . . . . 12 4. GCKS and Group Member Authorization . . . . . . . . . . . . . 13 4.1. Authorization using the CERT/POP Payloads . . . . . . . . 13 4.2. Authorization through other methods . . . . . . . . . . . 13 5. New GDOI Attributes . . . . . . . . . . . . . . . . . . . . . 14 5.1. Signature Hash Algorithm . . . . . . . . . . . . . . . . . 14 5.2. Support of AH . . . . . . . . . . . . . . . . . . . . . . 14 5.3. Sender-Specific Attributes . . . . . . . . . . . . . . . . 16 5.3.1. SENDER_ID . . . . . . . . . . . . . . . . . . . . . . 17 126.96.36.199. GCKS Semantics . . . . . . . . . . . . . . . . . . 17 188.8.131.52. Group Member Semantics . . . . . . . . . . . . . . 18 6. New IPsec Security Association Attributes . . . . . . . . . . 1819 6.1. Address Preservation . . . . . . . . . . . . . . . . . . . 1819 6.2. SA Direction . . . . . . . . . . . . . . . . . . . . . . . 1819 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 1920 8. Security Considerations . . . . . . . . . . . . . . . . . . . 2122 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 2223 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 2324 10.1. Normative References . . . . . . . . . . . . . . . . . . . 2324 10.2. Informative References . . . . . . . . . . . . . . . . . . 2324 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 2627 Intellectual Property and Copyright Statements . . . . . . . . . . 2728 1. Introduction The Group Domain of Interpretation (GDOI) is a group key management protocol fitting into the Multicast Security Group Key Management Architecture [RFC4046]. GDOI is used to disseminate policy and corresponding secrets to a group of participants. GDOI is implemented on hosts and intermediate systems to protect group IP communication (e.g., IP multicast packets) by encapsulating them with the IP Encapsulating Security Payload (ESP) [RFC4303] packets. However, implementation experience has revealed some inconsistencies in RFC 3547 needing clarification. It also defines some additional GDOI algorithm attributes which are useful to GDOI applications. Algorithm agility, the ability to add new algorithms to namespaces, is an important consideration for any protocol. This memo analyzes the state of algorithm agility within GDOI, and proposes some changes based upon that analysis. In particular, methods for fully supporting SHA-256 [FIPS.180-2.2002] as an alternative to theSHA-1 and MD5 hash algorithms are described. The clarification and modifications in this memo retain backwards compatibility with RFC 3547. 1.1. Requirements notation The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 2. Cryptographic Algorithm agility Algorithm agility was a goal during the development of GDOI, and RFC 3547 generally provides the ability to add new algorithms as necessary. However, further analysis has shown that there are places where algorithm agility is not complete. This section discusses the use of cryptographic algorithms within GDOI, points out variances in algorithm agility, and proposes clarifications without changing any payload formats within the protocol. Recent published attacks on the SHA-1 algorithm motivate its replacement as a cryptographic algorithm. The ability for GDOI to move to the SHA-256 algorithm is explicitly discussed. Later sections on this document propose some enhancements to the GDOI protocol to provide for an easier means of supporting this and additional hash functions. 2.1. Phase 1 protocol GDOI is a "phase 2" protocol protected by a "phase 1" protocol. The Phase 1 protocol defined in RFC 3547 is an IKEv1 Phase 1 protocol (Main Mode or Aggressive Mode). The Phase 1 protocol provides confidentiality via an encryption cipher. It also provides message integrity via a pseudo random function ("prf") (described in Section 4 of [RFC2409], which is usually a hash algorithm using the HMAC [RFC2104] construction. IKEv1 negotiates which encryption ciphers and hash algorithms are to be used. IKEv1 cipher algorithms come from the "Encryption Algorithm" list in the IANA IPsec registry [IPSEC-REG], and the hash algorithms come from the "Hash Algorithm" list in the same registry. The IANA IPsec registry currently includes the SHA2-256, which is intended to be the SHA-256 algorithm. In summary, there are no cryptographic algorithm agility issues with the IKEv1 Phase 1 protocol when used as a GDOI "phase 1" protocol. For a more detailed analysis of the use of hash algorithms in IKE and IPsec, see [I-D.hoffman-ike-ipsec-hash-use].RFC 4894 [RFC4894]. 2.2. GROUPKEY-PUSH message The GROUPKEY-PUSH message is protected by an encryption cipher for confidentiality and a digital signature for message integrity. The encryption cipher is described by the IANA GDOI registry as the KEK_ALGORITHM attribute [GDOI-REG]. The digital signature comprises both a hash algorithm defined by the GDOI SIG_HASH_ALGORITHM attribute and a public key signature algorithm defined by the SIG_ALGORITHM attribute. This memo adds the SHA-256 algorithm to the SIG_HASH_ALGORITHM attribute in a later section. In summary, there are no cryptographic algorithm agility issues with the GROUPKEY-PUSH message. 2.3. IPsec TEK Distribution IPsec SAs are distributed by GDOI. An IPsec ESP SA can include an encryption cipher for confidentiality and an algorithm for packet authentication. The encryption ciphers are defined by the IPsec ESP Transform Identifiers defined in the IANA ISAKMP registry [ISAKMP-REG]. The packet authentication method is distributed via an "Authentication Algorithm" SA attribute. SHA-256 may be chosen as the authentication algorithm with HMAC-SHA2-256. Similarly, an IPsec AH SA is defined by choosing AH_SHA2-256 as the "AH Transform Identifier". In summary, there are no cryptographic algorithm agility issues during TEK distribution. 2.4. Certificate Payload Messages in the GROUPKEY-PULL and GROUPKEY-PUSH protocols may include a Certificate Payload (CERT). Certificate digital signatures, and the algorithm agility thereof, are outside the scope of this memo. 2.5. POP Payload The GDOI Proof of Possession (POP) payload may be included in the GROUPKEY-PULL protocol. It contains a digital signature over the hash of a set of identities and nonces, which provides the current possession of the peer. The digital signature algorithm is defined as the "POP Algorithm" in the IANA GDOI registry [GDOI-REG]. However, identity of the hash algorithm to create the signed data was omitted in RFC 3547. In summary, the POP Payload has an algorithm agility deficiency with regards to the hash algorithm. This memo remedies this omission in a clarification section below. 3. RFC 3547 Clarification Implementation experience of RFC 3547 has revealed a few areas of text that are not sufficiently clear. This section provides clarifying text for those areas. 3.1. SA Payload The SA KEK payload includes the "POP Key Length" field, which is meant to declare the length of a POP signature key. Unfortunately, it is not clear as to whether this refers to the GCKS POP signature key or all entities' POP signature keys. The intent of conveying the length was to ensure that a group member has the capability to validate the GCKS POP payload, so this memo specifies that the value is taken to indicate the length of only the GCKS signature key. Additionally, the units of this field are not explicitly specified in RFC 3547. The value is a number representing the length of key in bits. In the case of POP_ALG_RSA, the value represents the size of the modulus. The units of the SIG_KEY_LENGTH KEK attribute value was not explicitly specified in RFC 3547. The value is a number representing the length of the KEK encryption key in bits. The GDOI_PROTO_IPSEC_ESP attribute is sometimes referred to by the truncated name PROTO_IPSEC_ESP. RFC3547RFC 3547 explicitly specifies that if a KEK cipher requires an IV, then the IV MUST precede the key in the KEK_ALGORITHM_KEY KD payload attribute. However, it should be noted that this IV length is not included in the KEK_KEY_LEN SA payload attribute sent in the SA payload. The KEK_KEY_LEN includes only the actual length of the cipher key. The Group Controller/Key Server (GCKS) adds the KEK_KEY_LEN attribute to the SA payload when distributing KEK policy to group members. The group member verifies whether or not it has the capability of using a cipher key of that size. If the cipher definition includes a fixed key length (e.g., KEK_ALG_3DES), the group member can make its decision solely using KEK_ALGORITHM attribute and does not need the KEK_KEY_LEN attribute. Sending the KEK_KEY_LEN attribute in the SA payload is OPTIONAL if the KEK cipher has a fixed key length. 3.2. SIG Payload The GROUPKEY-PUSH message SIG payload is further clarified here; the SIG payload is a signature of the entire GROUPKEY-PUSH message (not including the SIG payload) before it's been encrypted. The HASH is taken over the string 'rekey', the GROUPKEY-PUSH HDR, SEQ, SA, KD, and optionally the CERT payload. After the SIG payload is created using the signature of the above hash, the current KEK encryption key encrypts all the payloads following the GROUPKEY-PUSH HDR. The SIG_ALGORITHM type of SIG_ALG_RSA does not specify which PKCS#1 [RFC3447] encoding method is employed. To match existing practice, this memo requires that it be the EMSA-PKCS1-v1_5 encoding method. 3.3. SEQ Payload Each GROUPKEY-PUSH message contains a sequence number, which provides anti-replay protection for a KEK. Thus, the GCKS returns a SEQ payload in the GROUPKEY-PULL exchange only if a KEK attribute also exists in the SA payload. A KEK sequence number is associated with a single SPI (i.e., the single set of cookie pair values sent in a GROUPKEY-PUSH ISAKMP HDR). When a new KEK is distributed by a GCKS, it contains a new SPI and resets the sequence number. When a SEQ payload is included in the GROUPKEY-PULL exchange, it includes the most recently used sequence number for the group. At the conclusion of a GROUPKEY-PULL exchange, the initiating group member MUST NOT accept any rekey message with both the KEK attribute SPI value and a sequence number less than or equal to the one received during the GROUPKEY-PULL. When the first group member initiates a GROUPKEY-PULL exchange, the GCKS provides a Sequence Number of zero, since no GROUPKEY-PUSH messages have yet been sent. Note the sequence number increments only with GROUPKEY-PUSH messages. The GROUPKEY-PULL exchange distributes the current sequence number to the group member. The sequence number resets to one with a new KEK attribute, as described in section 5.6 of RFC 3547: "Thus the first packet sent for a given Rekey SA will have a Sequence Number of 1". The sequence number increments with each successive rekey. 3.4. POP Payload RFC 3547 defines the Proof of Possession (POP) payload, which contains a digital signature over a hash. Some RFC 3547 text erroneously describes it as a "prf()". RFC 3547 omitted including a method of specifying the hash function type used in the POP payload. As a result, the GCKS or group member do not have a means by which to agree which hash algorithm should be used. To remedy this omission without changing the protocol, this memo specifies that the hash algorithm passed in the SIG_HASH_ALGORITHM MUST be also used as the POP hash algorithm. The SIG_ALGORITHM type of SIG_ALG_RSA does not specify which PKCS#1 [RFC3447] encoding method is employed. To match existing practice, this memo requires that it be the EMSA-PKCS1-v1_5 encoding method. Meadows and Pavlovic have published a paper [MP04] describing a means by which a rogue GDOI device (i.e., GCKS or group member) can gain access to a group for which it is not a group member. The rogue device perpetrates a man-in-the-middle attack, which can occur if the following conditions are true: 1. The rogue GDOI participant convinces an authorized member of the group (i.e., victim group member) that it is a GCKS for that group, and it also convinces the GCKS (i.e., victim GCKS) of that group it is an authorized group member. 2. The victim group member, victim GCKS, and rogue group member all share IKEv1 authentication credentials. 3. The victim GCKS does not properly verify that the IKEv1 authentication credentials used to protect a GROUPKEY-PULL protocol are authorized to be join the group. The point of proof-of-possession is to prove that the owner of the identity associated with the Phase 1 key is the same as the owner of the key distributed in the CERT. This attack can be mitigated by adding the Phase 1 identities into the hashed data. This memo replaces the method of computing POP_HASH, which is: POP_HASH = hash("pop" | IKE-Initiator-P1-ID | IKE-Responder-P1-ID | Ni | Nr) where the fields are hashed as follows: o The string "pop" without a NULL termination character. o The IKE Phase 1 identity of the GCKS as distributed in the "identification Data" portion of the ID payload. Because the length of the identity is variable, the length of the Identification Data MUST be hashed as a four octet value with the length located in the least significant bits (in big-endian format). The length value is hashed before the data value. o The IKE Phase 1 identity of the group member as distributed in the "identification Data" portion of the ID payload. Because the length of the identity is variable, the length of the Identification Data MUST be hashed as a four octet value with the length located in the least significant bits (in big-endian format). The length value is hashed before the data value. o The initiator nonce Ni, as passed in the first GROUPKEY-PULL message. o The responder nonce Nr, as passed in the second GROUPKEY-PULL message. 3.5. CERT Payload Receivers of the POP payload need the sender's public key in order to validate the POP. However the source of that public key is not explicitly defined. For example, if the certificate passed in the CERT payload is an attribute certificate (not containing a public key) then no public key is available. To remedy this omission, this memo specifies that the certificate passed in the CERT payload MUST be an identity certificate (including a public key). 3.6. TEK Integrity Key Length This length of an integrity key distributed within GDOI varies according to the integrity algorithm. The SHA1 keys will consist of 160 bits, SHA256 keys will consist of 256 bits, and MD5 keys will consist of 128 bits. 3.7. KE Payload RFC 3547 provides an OPTIONAL additional protection for the KD payload during a GROUPKEY-PULL exchange called Perfect Forward Secrecy (PFS). If the GCKS and group member exchange KE payloads containing Diffie-Hellman public keys, the GCKS encrypts the KD payload with a secret obtained from the Diffie-Hellman shared number. This encryption precedes the encryption of the entire GROUPKEY-PULL message. The purpose of PFS in GDOI is to more carefully protect the keying material passed from the GCKS to the group member. If a passive attacker captures the GROUPKEY-PULL exchange and performs an offline attack of the IKE Phase 1 confidentiality keys, it may eventually discover them. If PFS is not used, the attacker can immediately use the recovered keys to decrypt data packets and GROUPKEY-PUSH messages, either live or stored. Thus, the IKE Phase 1 keys are critical to the long-term confidentiality of the group. PFS was added as an additional mechanism to hinder a passive attacker by requiring the attacker to perform an additional cryptanalysis to recover the Diffie-Hellman shared number computed by the GCKS and group member. RFC 3547 Section 3.2.1 says "The GCKS responder will xor the DH secret with the KD payload and send it to the member Initiator, which recovers the KD by repeating this operation as in the Oakley IEXTKEY procedure [RFC2412]". However, the IEXTKEY procedure does not xor the DH shared secret with an entire payload, and the DH shared secret is not likely to be long enough to cover the entire payload. Therefore, the following amended procedure MUST be used for PFS. 1. The GCKS and group member MUST derive an encryption key and IV (if needed by the encryption algorithm mode) using the dhEphem method described in Section 184.108.40.206.2.1 of [NIST.800-56A.2006]. 2. The key derivation function MUST be the preferred key derivation function described in Section 5.8.1 of [NIST.800-56A.2006]. The "kdf" function MUST be algorithm defined in the group policy as the SIG_HASH_ALGORITHM attribute. The "keydatalen" input will be the number of bits necessary for the encryption algorithm plus the number of bits needed by the algorithm mode (if any). The following kdf "OtherInfo" values MUST be hashed: * AlgorithmID: This value represents the encryption algorithm with which the derived keying material will be used (i.e., KEK_ALGORITHM). The value is hashed as a two octet value with the algorithm id located in the least significant bits (in big-endian format). * PartyUInfo: This value will be the IKE Phase 1 identity of the GCKS as distributed in the "identification Data" portion of the ID payload. Because the length of the identity is variable, the length of the Identification Data MUST be hashed as a four octet value with the length located in the least significant bits (in big-endian format). The length value is hashed before the data value. * PartyVInfo: This value will be the IKE Phase 1 identity of the group member as distributed in the "identification Data" portion of the ID payload. Because the length of the identity is variable, the length of the Identification Data MUST be hashed as a four octet value with the length located in the least significant bits (in big-endian format). The length value is hashed before the data value. 3. The result of the hash will be used as input to the encryption algorithm described in the KEK_ALGORITHM attribute. If the algorithm mode requires an IV, the initial bits (in big-endian format) of the derived keying material will be used as the IV. The subsequent bits are used as the encryption key, encrypting the bytes of the KD payload as described in Section 5.4 of RFC 3547. Note that the length of the KD payload may be larger due to cipher block padding. If so, the KD payload length must be modified to reflect the actual length of the ciphertext. 3.8. Minimum defined attributes Minimum attributes that must be sent as part of an SA KEK: KEK_ALGORITHM, KEK_KEY_LENGTH (if the cipher definition includes a variable length key), KEK_KEY_LIFETIME, SIG_HASH_ALGORITHM (except for DSA based algorithms), SIG_ALGORITHM, and SIG_KEY_LENGTH. RFC 3547 states that all mandatory IPsec DOI attributes are mandatory in GDOI_PROTO_IPSEC_ESP. However, no such list of mandatory IPsec DOI attributes can be found in RFC 2407. This memo requires that the following attributes MUST be supported by an RFC 3547 implementation supporting the GDOI_PROTO_IPSEC_ESP SA TEK: SA Life Type, SA Life Duration, Encapsulation Mode, Authentication Algorithm (if the ESP transform includes authentication). 3.9. Attribute behavour An GDOI implementation MUST abort if it encounters and attribute or capability that it does not understand. 4. GCKS and Group Member Authorization A GDOI group member SHOULD be configured with policy describing which IKEv1 identities are authorized to act as GCKS for a group. The following sections clarify the need for a GCKS to authorize group members. Authorization is needed regardless of whether the CERT and POP payloads are mandated in group policy. 4.1. Authorization using the CERT/POP Payloads A GCKS conforming with RFC 3547 SHOULD perform authorization based on the IKEv1 authentication credentials. When the CERT and POP payloads are used for authorization, the GCKS and group member SHOULD verify that the identify in the CERT payload is syntactically the same identity as used in the IKEv1 authentication credentials. For the authorization check to succeed, the two credentials are compared and found to be identical. This stops a group member from authenticating to the GCKS with its own credential, yet including another group member's credentials and proof-of-possession in the CERT and POP payloads. 4.2. Authorization through other methods When the use of CERT and POP payloads are not mandated in group policy, the GCKS SHOULD have a means of recognizing authorized group members for each group, where the recognition is based on IKEv1 authentication credentials. For example, the GCKS may have a list of authorized IKEv1 identifiers stored for each Group. The authorization check SHOULD be made after receipt of the ID payload containing a group id the group member is requesting to join. 5. New GDOI Attributes This section contains new attributes to be are defined as part of GDOI. 5.1. Signature Hash Algorithm RFC 3547 defines two signature hash algorithms (MD5 and SHA-1). However, steady advances in technology have rendered both hash algorithms to be weak when used as a signature hash algorithm. The SHA-256 algorithm [FIPS.180-2.2002] has been made available by NIST as a replacement for SHA-1, and is its preferred replacement for both MD5 and SHA-1. A new value for the GDOI SIG_HASH_ALGORITHM attribute is defined by this memo to represent the SHA-256 algorithm: SIG_HASH_SHA256. Support for SIG_HASH_SHA256 is OPTIONAL. 5.2. Support of AH RFC3547 only specifies data-security SAs for one security protocol, IPsec ESP. Typically IPsec implementations use ESP and AH IPsec SAs. This document extends the capability of GDOI to support both ESP and AH. The GROUPKEY-PULL mechanism will establish IPsec ESP SAs and IPsec AH SAs. The GROUPKEY-PUSH will refresh the IPsec ESP SAs and the IPsec AH SAs. Support for AH [RFC4302] will come with the introduction of a new SA_TEK Protocol-ID with the name GDOI_PROTO_IPSEC_AH. Support for the GDOI_PROTO_IPSEC_AH SA TEK is OPTIONAL. The TEK Protocol-Specific payload for AH is as follows: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! Protocol ! SRC ID Type ! SRC ID Port ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! !SRC ID Data Len! SRC Identification Data ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! DST ID Type ! DST ID Port !DST ID Data Len! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! DST Identification Data ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! Transform ID ! SPI ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! SPI ! RFC 2407 SA Attributes ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! The SAT Payload fields are defined as follows: o Protocol (1 octet) -- Value describing an IP protocol ID (e.g., UDP/TCP). A value of zero means that the Protocol field should be ignored. o SRC ID Type (1 octet) -- Value describing the identity information found in the SRC Identification Data field. Defined values are specified by the IPsec Identification Type section in the IANA ISAKMP Registry [ISAKMP-REG]. o SRC ID Port (2 octets) -- Value specifying a port associated with the source Id. A value of zero means that the SRC ID Port field should be ignored. o SRC ID Data Len (1 octet) -- Value specifying the length of the SRC Identification Data field. o SRC Identification Data (variable length) -- Value, as indicated by the SRC ID Type. Set to three bytes of zero for multiple- source multicast groups that use a common TEK for all senders. o DST ID Type (1 octet) -- Value describing the identity information found in the DST Identification Data field. Defined values are specified by the IPsec Identification Type section in the IANA ISAKMP Registry [ISAKMP-REG]. o DST ID Port (1 octet) -- Value describing an IP protocol ID (e.g., UDP/TCP). A value of zero means that the DST Id Port field should be ignored. o DST ID Port (2 octets) -- Value specifying a port associated with the source Id. A value of zero means that the DST ID Port field should be ignored. o DST ID Data Len (1 octet) -- Value specifying the length of the DST Identification Data field. o DST Identification Data (variable length) -- Value, as indicated by the DST ID Type. o Transform ID (1 octet) -- Value specifying which AH transform is to be used. The list of valid values is defined in the IPsec AH Transform Identifiers section of the IANA ISAKMP Registry [ISAKMP-REG]. o SPI (4 octets) -- Security Parameter Index for AH. o RFC 2407 Attributes -- AH Attributes from Section 4.5 of [RFC2407]. The GDOI supports all IPsec DOI SA Attributes for GDOI_PROTO_IPSEC_AH excluding the Group Description, which MUST NOT be sent by a GDOI implementation and is ignored by a GDOI implementation if received. The Authentication Algorithm attribute of the IPsec DOI is group authentication in GDOI. The following RFC 2407 attributes MUST be sent as part of a GDOI_PROTO_IPSEC_AH attribute: SA Life Type, SA Life Duration, Encapsulation Mode. 5.3. Sender-Specific Attributes RFC 3547 provides for the distribution of policy in the GROUPKEY-PULL exchange in an SA payload. Policy can define GROUPKEY-PUSH policy (SA KEK) or traffic encryption policy (SA TEK) such as IPsec policy. Additionally, there is a need to distribute sender-specific policy to each group member that is irrespective of either the SA KEK or SA TEK policy. GDOI distributes this sender-specific policy in a new payload called the SA Sender-Specific Attributes Payload (SA SSA). The SA SSA payload follows any SA KEK payload, and is placed before any SA TEK payloads. In the case that group policy does not include an SA KEK, the SA Attribute Next Payload field in the SA payload MAY indicate the SA SSA payload. The SA SSA payload MUST NOT be a part of a GROUPKEY-PUSH message, because distributing the same sender-specific policy to more than one group member may reduce the security of the group. A group member MUST NOT process an SA SSA payload present in a GROUPKEY-PUSH message. The SA SSA payload is defined as follows: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! Next Payload ! RESERVED ! Payload Length ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! Sender-Specific Attributes ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! The SA SSA payload fields are defined as follows: o Next Payload (1 octet) -- Identifies the next payload for the GROUPKEY-PULL or the GROUPKEY-PUSH message. The only valid next payload type for this message is an SA TEK or zero to indicate there are no more security association attributes. o RESERVED (1 octet) -- Must be zero. o Payload Length (2 octets) -- Length of this payload, including the SA SSA header and Sender-Specific Attributes. o Group Attributes (variable) -- Contains sender-specific attributes following the format defined in ISAKMP [RFC2408] section 3.3. One attribute with the type of SENDER_ID is defined in this memo. 5.3.1. SENDER_ID Several new AES counter-based modes of operation have been specified for ESP [RFC3686],[RFC4106],[RFC4309],[RFC4543] and AH [RFC4543]. These AES counter-based modes require that no two senders in the group ever send a packet with the same IV. This requirement can be met using the method described in [I-D.draft-ietf-msec-ipsec-group-counter-modes],[I-D.ietf-msec-ipsec-group-counter-modes], which requires each sender to be allocated a unique Sender ID (SID). The SENDER_ID attribute is used to distribute a SID to a group member during the GROUPKEY-PULL message. Other algorithms with the same need may be defined in the future; the sender MUST use the IV construction method described above with those algorithms as well. The SENDER_ID attribute value contains the following fields. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! SID Length ! SID Value ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! o SID Length (1 octet) -- NumberA natural number defining the number of bits to be used in the SID field of the counter mode transform nonce. o SID Value (variable) -- The Sender ID value allocated to the group member. 220.127.116.11. GCKS Semantics The GCKS maintains a SID counter (SIDC). It is incremented each time a SENDER_ID attribute is distributed to a group member.The first group member to register is given the SID of 1. Any group member registering will be given a new SID value, which allows group members to act as a group sender MUST constructwhen an older SID value becomes unusable (as described in the IVsnext section). A GCKS MAY allocate multiple SID values in eachone SA TEK accordingSSA payload. Allocating several SID values at the same time to a group member expected to send at a high rate would obviate the need for the group member to re-register as frequently. If a GKCS allocates all SID values, it can no longer respond to [I-D.draft-ietf-msec-ipsec-group-counter-modes],GDOI registrations. and must re-initialize the entire group. This is done by usingissuing DELETE notifications for all ESP and AH SAs in a GDOI rekey message, resetting the SIDC to zero, and creating new ESP and AH SAs that match the group policy. When group members re-register, the SIDs are allocated again beginning with the value 1 as described above. Each re-registering group member will be given a new SID and the new group policy. 18.104.22.168. Group Member Semantics The SENDER_ID attribute value distributed to the group member MUST be used by that group member as the Sender Identifier field, for each(SID) field portion of the ESP encryption algorithms that requires that IV valuesIV. The SID is used for all counter mode SAs distributed by the GCKS to be distinct, andused for eachcommunications sent as a part of this group. When the AH authentication algorithms that requiresSender-Specific IV (SSIV) field for any IPsec SA is exhausted, the group member MUST no longer act as a distinct IV. Algorithms needing distinct IVs are specified in [RFC3686],[RFC4106],[RFC4309]sender using its active SID. The group member SHOULD re-register, during which time the GCKS will issue a new SID to the group member. The new SID replaces the existing SID used by this group member, and [RFC4543]. Other algorithms withalso resets the same need may be defined inSSIV value to it's starting value. A group member MAY re- register prior to the future;actual exhaustion of the sender MUST useSSIV field to avoid dropping data packets due to the IV construction method described aboveexhaustion of available SSIV values combined with those algorithms as well.a particular SID value. 6. New IPsec Security Association Attributes The Multicast Extensions to RFC 4301 [I-D.ietf-msec-ipsec-extensions] describes new attributes to an IPsec security association. These attributes describe policy that a group key management system must convey in order to support those extensions. The GDOI SA TEK payload distributes IPsec policy using IPsec security association attributes defined in [ISAKMP-REG]. This section defines how GDOI can convey the new attributes as IPsec Security Association Attributes. 6.1. Address Preservation In order for an IP multicast packet to be encapsulated such that it will remain an IP multicast packet, the original IP addresses may need to be retained. This requires a new IPsec SA attribute describing which of the IP addresses are to be preserved. Depending on group policy, several address preservation methods are possible: no address preservation ("None"), preservation of the original source address ("Source-Only"), preservation of the original destination address ("Destination-Only"), or both addresses ("Source- And-Destination"). If the attribute is not included in a GDOI SA TEK payload then Source-And-Destination address preservation has been defined for the SA TEK. 6.2. SA Direction Depending on group policy, an IPsec SA may be required in one or both directions. An IPsec SA used by multiple senders is required to be installed in both the sending and receiving direction ("Symmetric"), whereas an SA with a single sender need only be installed in the receiving direction by receivers ("Receiver-Only") and in the sending direction by the sender ("Sender-Only"). If the attribute is not included in a GDOI SA TEK payload then the IPsec SA is treated as a Symmetric IPsec SA. 7. IANA Considerations The GDOI SIG_HASH_ALGORITHM KEK Attribute [GDOI-REG] should be assigned a new Algorithm Type value from the RESERVED space to represent the SHA-256 hash algorithm as defined. The new algorithm name should be SIG_HASH_SHA256. A new GDOI KEK Attribute [GDOI-REG] is needed to represent the number of seconds before a sender should transmit on an TEK. The attribute has the name TEK_TRANSMIT_WAIT_PERIOD, and is a Variable type. A new GDOI SA TEK type Protocol-ID type [GDOI-REG] should be assigned from the RESERVED space. The new algorithm id should be called GDOI_PROTO_IPSEC_AH, and refers to the IPsec AH encapsulation. A new Next Payload Type [ISAKMP-REG] should be assigned. The new type is called "SA SSA Payload (SSA)". A new namespace should be created in the GDOI Payloads registry [GDOI-REG] to describe SA SSA Payload Values. The following rules apply to define the attributes in SA SSA Payload Values: Attribute Type Value Type ---- ----- ---- RESERVED 0 SENDER_ID 1 V Reserved to IANA 2-127 Private Use 128-255 A new IPSEC Security Association Attribute [ISAKMP-REG] defining the preservation of IP addresses is needed. The attribute class is called "Address Preservation", and it is a Basic type. The following rules apply to define the values of the attribute: Name Value ---- ----- Reserved 0 None 1 Source-Only 2 Destination-Only 3 Source-And-Destination 4 Reserved to IANA 5-61439 Private Use 61440-65535 A new IPSEC Security Association Attribute [ISAKMP-REG] defining the SA direction is needed. The attribute class is called "SA Direction", and it is a Basic type. The following rules apply to define the values of the attribute: Name Value ---- ----- Reserved 0 Sender-Only 1 Receiver-Only 2 Symmetric 3 Reserved to IANA 4-61439 Private Use 61440-65535 8. Security Considerations This memo describes additional clarification and protocol updates to the GDOI protocol. The security considerations in RFC 3547 remain accurate, with the following additions. o Several minor cryptographic hash algorithm agility issues are resolved, and the stronger SHA-256 cryptographic hash algorithm is added. o Protocol analysis has revealed a man-in-the-middle attack when the GCKS does not authorize group members based on their IKEv1 authentication credentials. This is true even when a CERT and POP payloads are used for authorization. Although suggested as an option in RFC 3547, a GDOI device (group member or GCKS) SHOULD NOT accept an identity in a CERT payload that does not match the IKEv1 identity used to authenticate the group member. o Any SA TEK specicifying a counter-based mode of operation with multiple senders MUST construct the IVs in each SA TEK according to [I-D.draft-ietf-msec-ipsec-group-counter-modes].[I-D.ietf-msec-ipsec-group-counter-modes]. The SID MUST either be pre-configured on all group members or distributed using the SENDER_ID attribute in the SA SSA payload. However, use use of the SENDER_ID attribute is RECOMMENDED. 9. Acknowledgements The authors are grateful to Catherine Meadows for her careful review and suggestions for mitigating the man-in-the-middle attack she had previously identified. 10. References 10.1. Normative References [FIPS.180-2.2002] National Institute of Standards and Technology, "Secure Hash Standard", FIPS PUB 180-2, August 2002, <http:// csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf>. [I-D.draft-ietf-msec-ipsec-group-counter-modes][I-D.ietf-msec-ipsec-extensions] Weis, B., Gross, G., and D. Ignjatic, "Multicast Extensions to the Security Architecture for the Internet Protocol", draft-ietf-msec-ipsec-extensions-06 (work in progress), July 2007. [I-D.ietf-msec-ipsec-group-counter-modes] McGrew, D. and B. Weis, "Using Counter Modes with Encapsulating Security Payload (ESP) and Authentication Header (AH) to Protect Group Traffic", draft-ietf-msec-ipsec-group-counter-modes-000 (work in progress), February 2007. [I-D.ietf-msec-ipsec-extensions] Weis, B., Gross, G., and D. Ignjatic, "Multicast Extensions to the Security Architecture for the Internet Protocol", draft-ietf-msec-ipsec-extensions-05draft-ietf-msec-ipsec-group-counter-modes-00 (work in progress), February 2007. [NIST.800-56A.2006] National Institute of Standards and Technology, "Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography", NIST 800-56A, March 2006, <http://csrc.nist.gov/publications/nistpubs/ 800-56A/sp800-56A_May-3-06.pdf>. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC3547] Baugher, M., Weis, B., Hardjono, T., and H. Harney, "The Group Domain of Interpretation", RFC 3547, July 2003. [RFC4302] Kent, S., "IP Authentication Header", RFC 4302, December 2005. [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 4303, December 2005. 10.2. Informative References [GDOI-REG] Internet Assigned Numbers Authority, "Group Domain of Interpretation (GDOI) Payload Type Values", IANA Registry, December 2004, <http://www.iana.org/assignments/gdoi-payloads>. [I-D.hoffman-ike-ipsec-hash-use] Hoffman, P., "Use of Hash Algorithms in IKE and IPsec", draft-hoffman-ike-ipsec-hash-use-05 (work in progress), January 2007.[IPSEC-REG] Internet Assigned Numbers Authority, "Internet Key Exchange (IKE) Attributes IKE Attributes", IANA Registry, December 2005, <http://www.iana.org/assignments/ipsec-registry>. [ISAKMP-REG] Internet Assigned Numbers Authority, "Internet Security Association and Key Management Protocol (ISAKMP) Identifiers ISAKMP Attributes", IANA Registry, January 2006, <http://www.iana.org/assignments/isakmp-registry>. [MP04] Meadows, C. and D. Pavlovic, "Deriving, Attacking, and Defending the GDOI Protocol", ESORICS 2004 pp. 53-72, September 2004. [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- Hashing for Message Authentication", RFC 2104, February 1997. [RFC2407] Piper, D., "The Internet IP Security Domain of Interpretation for ISAKMP", RFC 2407, November 1998. [RFC2408] Maughan, D., Schneider, M., and M. Schertler, "Internet Security Association and Key Management Protocol (ISAKMP)", RFC 2408, November 1998. [RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange (IKE)", RFC 2409, November 1998. [RFC3447] Jonsson, J. and B. Kaliski, "Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1", RFC 3447, February 2003. [RFC3686] Housley, R., "Using Advanced Encryption Standard (AES) Counter Mode With IPsec Encapsulating Security Payload (ESP)", RFC 3686, January 2004. [RFC4046] Baugher, M., Canetti, R., Dondeti, L., and F. Lindholm, "Multicast Security (MSEC) Group Key Management Architecture", RFC 4046, April 2005. [RFC4106] Viega, J. and D. McGrew, "The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP)", RFC 4106, June 2005. [RFC4309] Housley, R., "Using Advanced Encryption Standard (AES) CCM Mode with IPsec Encapsulating Security Payload (ESP)", RFC 4309, December 2005. [RFC4543] McGrew, D. and J. Viega, "The Use of Galois Message Authentication Code (GMAC) in IPsec ESP and AH", RFC 4543, May 2006. [RFC4894] Hoffman, P., "Use of Hash Algorithms in Internet Key Exchange (IKE) and IPsec", RFC 4894, May 2007. Authors' Addresses Brian Weis Cisco Systems 170 W. Tasman Drive San Jose, California 95134-1706 USA Phone: +1-408-526-4796 Email: firstname.lastname@example.org Sheela Rowles Cisco Systems 170 W. Tasman Drive San Jose, California 95134-1706 USA Phone: +1-408-527-7677 Email: email@example.com Full Copyright Statement Copyright (C) The IETF Trust (2007). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intellectual Property The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at firstname.lastname@example.org. Acknowledgment Funding for the RFC Editor function is provided by the IETF Administrative Support Activity (IASA).