draft-ietf-msec-gdoi-update-03.txt   draft-ietf-msec-gdoi-update-04.txt 
MSEC Working Group B. Weis MSEC Working Group B. Weis
Internet-Draft S. Rowles Internet-Draft S. Rowles
Intended status: Standards Track Cisco Systems Intended status: Standards Track Cisco Systems
Expires: March 17, 2008 September 14, 2007 Expires: September 7, 2009 March 6, 2009
Updates to the Group Domain of Interpretation (GDOI) Updates to the Group Domain of Interpretation (GDOI)
draft-ietf-msec-gdoi-update-03 draft-ietf-msec-gdoi-update-04
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any This Internet-Draft is submitted to IETF in full conformance with the
applicable patent or other IPR claims of which he or she is aware provisions of BCP 78 and BCP 79. This document may contain material
have been or will be disclosed, and any of which he or she becomes from IETF Documents or IETF Contributions published or made publicly
aware will be disclosed, in accordance with Section 6 of BCP 79. available before November 10, 2008. The person(s) controlling the
copyright in some of this material may not have granted the IETF
Trust the right to allow modifications of such material outside the
IETF Standards Process. Without obtaining an adequate license from
the person(s) controlling the copyright in such materials, this
document may not be modified outside the IETF Standards Process, and
derivative works of it may not be created outside the IETF Standards
Process, except to format it for publication as an RFC or to
translate it into languages other than English.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on March 17, 2008. This Internet-Draft will expire on September 7, 2009.
Copyright Notice Copyright Notice
Copyright (C) The IETF Trust (2007). Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document.
Abstract Abstract
This memo describes updates to the Group Domain of Interpretation This memo describes updates to the Group Domain of Interpretation
(GDOI) [RFC3547]. It provides clarification where the original text (GDOI) . It provides clarification where the original text is
is unclear. It also includes a discussion of algorithm agility unclear. It also includes adds several new algorithm attribute
within GDOI, and proposes several new algorithm attribute values. values, including complete support for algorithm agility.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.1. Requirements notation . . . . . . . . . . . . . . . . . . 4 1.1. Requirements notation . . . . . . . . . . . . . . . . . . 5
2. Cryptographic Algorithm agility . . . . . . . . . . . . . . . 5 2. RFC 3547 Clarification . . . . . . . . . . . . . . . . . . . . 6
2.1. Phase 1 protocol . . . . . . . . . . . . . . . . . . . . . 5 2.1. SA KEK Payload . . . . . . . . . . . . . . . . . . . . . . 6
2.2. GROUPKEY-PUSH message . . . . . . . . . . . . . . . . . . 5 2.2. SA TEK Payload . . . . . . . . . . . . . . . . . . . . . . 6
2.3. IPsec TEK Distribution . . . . . . . . . . . . . . . . . . 6 2.3. KD Payload . . . . . . . . . . . . . . . . . . . . . . . . 7
2.4. Certificate Payload . . . . . . . . . . . . . . . . . . . 6 2.4. SEQ Payload . . . . . . . . . . . . . . . . . . . . . . . 7
2.5. POP Payload . . . . . . . . . . . . . . . . . . . . . . . 6 2.5. POP Payload . . . . . . . . . . . . . . . . . . . . . . . 8
2.6. CERT Payload . . . . . . . . . . . . . . . . . . . . . . . 8
2.7. SIG Payload . . . . . . . . . . . . . . . . . . . . . . . 8
2.8. KE Payload . . . . . . . . . . . . . . . . . . . . . . . . 8
2.9. Attribute behavour . . . . . . . . . . . . . . . . . . . . 9
2.10. Deletion of SAs . . . . . . . . . . . . . . . . . . . . . 9
3. RFC 3547 Clarification . . . . . . . . . . . . . . . . . . . . 7 3. Authorization . . . . . . . . . . . . . . . . . . . . . . . . 10
3.1. SA Payload . . . . . . . . . . . . . . . . . . . . . . . . 7
3.2. SIG Payload . . . . . . . . . . . . . . . . . . . . . . . 7
3.3. SEQ Payload . . . . . . . . . . . . . . . . . . . . . . . 8
3.4. POP Payload . . . . . . . . . . . . . . . . . . . . . . . 8
3.5. CERT Payload . . . . . . . . . . . . . . . . . . . . . . . 10
3.6. TEK Integrity Key Length . . . . . . . . . . . . . . . . . 10
3.7. KE Payload . . . . . . . . . . . . . . . . . . . . . . . . 10
3.8. Minimum defined attributes . . . . . . . . . . . . . . . . 12
3.9. Attribute behavour . . . . . . . . . . . . . . . . . . . . 12
4. GCKS and Group Member Authorization . . . . . . . . . . . . . 13 4. Harmonization with RFC 5374 . . . . . . . . . . . . . . . . . 12
4.1. Authorization using the CERT/POP Payloads . . . . . . . . 13 4.1. Group Security Policy Database Attributes . . . . . . . . 12
4.2. Authorization through other methods . . . . . . . . . . . 13 4.1.1. Address Preservation . . . . . . . . . . . . . . . . . 12
4.1.2. SA Direction . . . . . . . . . . . . . . . . . . . . . 12
4.1.3. Re-key rollover . . . . . . . . . . . . . . . . . . . 13
5. New GDOI Attributes . . . . . . . . . . . . . . . . . . . . . 14 5. New GDOI Attributes . . . . . . . . . . . . . . . . . . . . . 14
5.1. Signature Hash Algorithm . . . . . . . . . . . . . . . . . 14 5.1. Signature Hash Algorithm . . . . . . . . . . . . . . . . . 14
5.2. Support of AH . . . . . . . . . . . . . . . . . . . . . . 14 5.2. Support of AH . . . . . . . . . . . . . . . . . . . . . . 14
5.3. Sender-Specific Attributes . . . . . . . . . . . . . . . . 16 5.3. Group Associated Policy . . . . . . . . . . . . . . . . . 16
5.3.1. SENDER_ID . . . . . . . . . . . . . . . . . . . . . . 17 5.3.1. ACTIVATION_TIME_DELAY . . . . . . . . . . . . . . . . 17
5.3.1.1. GCKS Semantics . . . . . . . . . . . . . . . . . . 17 5.3.2. DEACTIVATION_TIME_DELAY . . . . . . . . . . . . . . . 17
5.3.1.2. Group Member Semantics . . . . . . . . . . . . . . 18 5.3.3. SENDER_ID . . . . . . . . . . . . . . . . . . . . . . 17
5.3.3.1. GCKS Semantics . . . . . . . . . . . . . . . . . . 18
6. New IPsec Security Association Attributes . . . . . . . . . . 19 5.3.3.2. Group Member Semantics . . . . . . . . . . . . . . 18
6.1. Address Preservation . . . . . . . . . . . . . . . . . . . 19
6.2. SA Direction . . . . . . . . . . . . . . . . . . . . . . . 19
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19
8. Security Considerations . . . . . . . . . . . . . . . . . . . 22
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 23 7. Security Considerations . . . . . . . . . . . . . . . . . . . 21
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 24 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 22
10.1. Normative References . . . . . . . . . . . . . . . . . . . 24 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 23
10.2. Informative References . . . . . . . . . . . . . . . . . . 24 9.1. Normative References . . . . . . . . . . . . . . . . . . . 23
9.2. Informative References . . . . . . . . . . . . . . . . . . 23
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 27 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 25
Intellectual Property and Copyright Statements . . . . . . . . . . 28
1. Introduction 1. Introduction
The Group Domain of Interpretation (GDOI) is a group key management The Group Domain of Interpretation (GDOI) [RFC3547] is a group key
protocol fitting into the Multicast Security Group Key Management management protocol fitting into the Multicast Security Group Key
Architecture [RFC4046]. GDOI is used to disseminate policy and Management Architecture [RFC4046]. GDOI is used to disseminate
corresponding secrets to a group of participants. GDOI is policy and corresponding secrets to a group of participants. GDOI is
implemented on hosts and intermediate systems to protect group IP implemented on hosts and intermediate systems to protect group IP
communication (e.g., IP multicast packets) by encapsulating them with communication (e.g., IP multicast packets) by encapsulating them with
the IP Encapsulating Security Payload (ESP) [RFC4303] packets. the IP Encapsulating Security Payload (ESP) [RFC4303] packets.
However, implementation experience has revealed some inconsistencies Several factors have prompted new for updates to GDOI including:
in RFC 3547 needing clarification. It also defines some additional
GDOI algorithm attributes which are useful to GDOI applications.
Algorithm agility, the ability to add new algorithms to namespaces, o the discovery of inconsistencies in RFC 3547, which need
is an important consideration for any protocol. This memo analyzes clarification (Section 2),
the state of algorithm agility within GDOI, and proposes some changes
based upon that analysis. In particular, methods for fully
supporting SHA-256 [FIPS.180-2.2002] as an alternative to theSHA-1
and MD5 hash algorithms are described.
The clarification and modifications in this memo retain backwards o the publishing of an attack on the protocol (Section 3)
compatibility with RFC 3547.
o the publishing of the Multicast Extensions to the Security
Architecture for the Internet Protocol [RFC5374], which has
implications to the policy distributed by group key management
(Section 4),
o the need for new GDOI algorithm attributes, including the need to
support SHA-256 [FIPS.180-2.2002] as an alternative to the SHA-1
and MD5 hash algorithms (Section 5).
The clarification and modifications in this memo update RFC 3547.
1.1. Requirements notation 1.1. Requirements notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
2. Cryptographic Algorithm agility 2. RFC 3547 Clarification
Algorithm agility was a goal during the development of GDOI, and RFC
3547 generally provides the ability to add new algorithms as
necessary. However, further analysis has shown that there are places
where algorithm agility is not complete. This section discusses the
use of cryptographic algorithms within GDOI, points out variances in
algorithm agility, and proposes clarifications without changing any
payload formats within the protocol.
Recent published attacks on the SHA-1 algorithm motivate its
replacement as a cryptographic algorithm. The ability for GDOI to
move to the SHA-256 algorithm is explicitly discussed. Later
sections on this document propose some enhancements to the GDOI
protocol to provide for an easier means of supporting this and
additional hash functions.
2.1. Phase 1 protocol
GDOI is a "phase 2" protocol protected by a "phase 1" protocol. The
Phase 1 protocol defined in RFC 3547 is an IKEv1 Phase 1 protocol
(Main Mode or Aggressive Mode). The Phase 1 protocol provides
confidentiality via an encryption cipher. It also provides message
integrity via a pseudo random function ("prf") (described in Section
4 of [RFC2409], which is usually a hash algorithm using the HMAC
[RFC2104] construction. IKEv1 negotiates which encryption ciphers
and hash algorithms are to be used.
IKEv1 cipher algorithms come from the "Encryption Algorithm" list in
the IANA IPsec registry [IPSEC-REG], and the hash algorithms come
from the "Hash Algorithm" list in the same registry. The IANA IPsec
registry currently includes the SHA2-256, which is intended to be the
SHA-256 algorithm.
In summary, there are no cryptographic algorithm agility issues with
the IKEv1 Phase 1 protocol when used as a GDOI "phase 1" protocol.
For a more detailed analysis of the use of hash algorithms in IKE and
IPsec, see RFC 4894 [RFC4894].
2.2. GROUPKEY-PUSH message
The GROUPKEY-PUSH message is protected by an encryption cipher for
confidentiality and a digital signature for message integrity. The
encryption cipher is described by the IANA GDOI registry as the
KEK_ALGORITHM attribute [GDOI-REG]. The digital signature comprises
both a hash algorithm defined by the GDOI SIG_HASH_ALGORITHM
attribute and a public key signature algorithm defined by the
SIG_ALGORITHM attribute. This memo adds the SHA-256 algorithm to the
SIG_HASH_ALGORITHM attribute in a later section.
In summary, there are no cryptographic algorithm agility issues with
the GROUPKEY-PUSH message.
2.3. IPsec TEK Distribution
IPsec SAs are distributed by GDOI. An IPsec ESP SA can include an
encryption cipher for confidentiality and an algorithm for packet
authentication. The encryption ciphers are defined by the IPsec ESP
Transform Identifiers defined in the IANA ISAKMP registry
[ISAKMP-REG]. The packet authentication method is distributed via an
"Authentication Algorithm" SA attribute. SHA-256 may be chosen as
the authentication algorithm with HMAC-SHA2-256. Similarly, an IPsec
AH SA is defined by choosing AH_SHA2-256 as the "AH Transform
Identifier".
In summary, there are no cryptographic algorithm agility issues
during TEK distribution.
2.4. Certificate Payload
Messages in the GROUPKEY-PULL and GROUPKEY-PUSH protocols may include
a Certificate Payload (CERT). Certificate digital signatures, and
the algorithm agility thereof, are outside the scope of this memo.
2.5. POP Payload
The GDOI Proof of Possession (POP) payload may be included in the
GROUPKEY-PULL protocol. It contains a digital signature over the
hash of a set of identities and nonces, which provides the current
possession of the peer. The digital signature algorithm is defined
as the "POP Algorithm" in the IANA GDOI registry [GDOI-REG].
However, identity of the hash algorithm to create the signed data was
omitted in RFC 3547.
In summary, the POP Payload has an algorithm agility deficiency with
regards to the hash algorithm. This memo remedies this omission in a
clarification section below.
3. RFC 3547 Clarification
Implementation experience of RFC 3547 has revealed a few areas of Implementation experience of RFC 3547 has revealed a few areas of
text that are not sufficiently clear. This section provides text that are not sufficiently precise. This section provides
clarifying text for those areas. clarifying text for those areas.
3.1. SA Payload 2.1. SA KEK Payload
The SA KEK payload includes the "POP Key Length" field, which is
meant to declare the length of a POP signature key. Unfortunately,
it is not clear as to whether this refers to the GCKS POP signature
key or all entities' POP signature keys. The intent of conveying the
length was to ensure that a group member has the capability to
validate the GCKS POP payload, so this memo specifies that the value
is taken to indicate the length of only the GCKS signature key.
Additionally, the units of this field are not explicitly specified in
RFC 3547. The value is a number representing the length of key in
bits. In the case of POP_ALG_RSA, the value represents the size of
the modulus.
The units of the SIG_KEY_LENGTH KEK attribute value was not Section 5.3 of RFC 4357 defines the SA KEK payload. It includes the
explicitly specified in RFC 3547. The value is a number representing "POP Key Length" field,The units of this field are not explicitly
the length of the KEK encryption key in bits. specified in RFC 3547. The value MUST be a number representing the
length of key in bits. In the case of POP_ALG_RSA, the value
represents the size of the modulus.
The GDOI_PROTO_IPSEC_ESP attribute is sometimes referred to by the Section 5.3 of RFC 4357 also defines the POP Algorithm of type of
truncated name PROTO_IPSEC_ESP. POP_ALG_RSA, but does not specify which PKCS#1 [RFC3447] encoding
method is employed. To match existing practice, this memo requires
that it be the EMSA-PKCS1-v1_5 encoding method.
RFC 3547 explicitly specifies that if a KEK cipher requires an IV, The units of the SIG_KEY_LENGTH KEK attribute value was not
then the IV MUST precede the key in the KEK_ALGORITHM_KEY KD payload explicitly specified in section 5.3.8 of RFC 3547. The value MUST be
attribute. However, it should be noted that this IV length is not a number representing the length of the KEK encryption key in bits.
included in the KEK_KEY_LEN SA payload attribute sent in the SA
payload. The KEK_KEY_LEN includes only the actual length of the
cipher key.
The Group Controller/Key Server (GCKS) adds the KEK_KEY_LEN attribute The Group Controller/Key Server (GCKS) adds the KEK_KEY_LEN attribute
to the SA payload when distributing KEK policy to group members. The to the SA payload when distributing KEK policy to group members. The
group member verifies whether or not it has the capability of using a group member verifies whether or not it has the capability of using a
cipher key of that size. If the cipher definition includes a fixed cipher key of that size. If the cipher definition includes a fixed
key length (e.g., KEK_ALG_3DES), the group member can make its key length (e.g., KEK_ALG_3DES), the group member can make its
decision solely using KEK_ALGORITHM attribute and does not need the decision solely using KEK_ALGORITHM attribute and does not need the
KEK_KEY_LEN attribute. Sending the KEK_KEY_LEN attribute in the SA KEK_KEY_LEN attribute. Sending the KEK_KEY_LEN attribute in the SA
payload is OPTIONAL if the KEK cipher has a fixed key length. payload is OPTIONAL if the KEK cipher has a fixed key length.
3.2. SIG Payload Minimum attributes that must be sent as part of an SA KEK:
KEK_ALGORITHM, KEK_KEY_LENGTH (if the cipher definition includes a
variable length key), KEK_KEY_LIFETIME, SIG_HASH_ALGORITHM (except
for DSA based algorithms), SIG_ALGORITHM, and SIG_KEY_LENGTH.
The GROUPKEY-PUSH message SIG payload is further clarified here; the 2.2. SA TEK Payload
SIG payload is a signature of the entire GROUPKEY-PUSH message (not
including the SIG payload) before it's been encrypted. The HASH is
taken over the string 'rekey', the GROUPKEY-PUSH HDR, SEQ, SA, KD,
and optionally the CERT payload. After the SIG payload is created
using the signature of the above hash, the current KEK encryption key
encrypts all the payloads following the GROUPKEY-PUSH HDR.
The SIG_ALGORITHM type of SIG_ALG_RSA does not specify which PKCS#1 Section 5.4.1 of RFC 3547 states that all mandatory IPsec DOI
[RFC3447] encoding method is employed. To match existing practice, attributes are mandatory in GDOI_PROTO_IPSEC_ESP. However, RFC 2407
this memo requires that it be the EMSA-PKCS1-v1_5 encoding method. lists no such list of mandatory IPsec DOI attributes. This memo
requires that the following attributes MUST be supported by an RFC
3547 implementation supporting the GDOI_PROTO_IPSEC_ESP SA TEK: SA
Life Type, SA Life Duration, Encapsulation Mode, Authentication
Algorithm (if the ESP transform includes authentication).
3.3. SEQ Payload The GDOI_PROTO_IPSEC_ESP attribute is sometimes referred to in RFC
3547 by the truncated name of PROTO_IPSEC_ESP.
Each GROUPKEY-PUSH message contains a sequence number, which provides 2.3. KD Payload
anti-replay protection for a KEK. Thus, the GCKS returns a SEQ
payload in the GROUPKEY-PULL exchange only if a KEK attribute also Section 5.5.2.1 of RFC 3547 explicitly specifies that if a KEK cipher
exists in the SA payload. requires an IV, then the IV must precede the key in the
KEK_ALGORITHM_KEY KD payload attribute. However, it should be noted
that this IV length is not included in the KEK_KEY_LEN SA payload
attribute sent in the SA payload. The KEK_KEY_LEN includes only the
actual length of the cipher key.
Section 5.5.1.2 of RFC 3547 defines key lengths for the
TEK_INTEGRITY_KEY. When the algorithm passes in the SA TEK payload
is SHA256, keys will consist of 256 bits.
2.4. SEQ Payload
Section 3.2 of RFC 3547 defines a GROUPKEY-PULL message as including
a sequence number, which provides anti-replay state associated with a
KEK. The SEQ payload has no other use, and is omitted from the
GROUPKEY-PULL exchange when a KEK attribute is not included in the SA
payload.
A KEK sequence number is associated with a single SPI (i.e., the A KEK sequence number is associated with a single SPI (i.e., the
single set of cookie pair values sent in a GROUPKEY-PUSH ISAKMP HDR). single set of cookie pair values sent in a GROUPKEY-PUSH ISAKMP
When a new KEK is distributed by a GCKS, it contains a new SPI and [RFC2408] HDR). When a new KEK is distributed by a GCKS, it contains
resets the sequence number. a new SPI and resets the sequence number.
When a SEQ payload is included in the GROUPKEY-PULL exchange, it When a SEQ payload is included in the GROUPKEY-PULL exchange, it
includes the most recently used sequence number for the group. At includes the most recently used sequence number for the group. At
the conclusion of a GROUPKEY-PULL exchange, the initiating group the conclusion of a GROUPKEY-PULL exchange, the initiating group
member MUST NOT accept any rekey message with both the KEK attribute member MUST NOT accept any rekey message with both the KEK attribute
SPI value and a sequence number less than or equal to the one SPI value and a sequence number less than or equal to the one
received during the GROUPKEY-PULL. When the first group member received during the GROUPKEY-PULL. When the first group member
initiates a GROUPKEY-PULL exchange, the GCKS provides a Sequence initiates a GROUPKEY-PULL exchange, the GCKS provides a Sequence
Number of zero, since no GROUPKEY-PUSH messages have yet been sent. Number of zero, since no GROUPKEY-PUSH messages have yet been sent.
Note the sequence number increments only with GROUPKEY-PUSH messages. Note the sequence number increments only with GROUPKEY-PUSH messages.
The GROUPKEY-PULL exchange distributes the current sequence number to The GROUPKEY-PULL exchange distributes the current sequence number to
the group member. the group member.
The sequence number resets to one with a new KEK attribute, as The sequence number resets to a value of one with a new KEK
described in section 5.6 of RFC 3547: "Thus the first packet sent for attribute. As described in section 5.6 of RFC 3547: "Thus the first
a given Rekey SA will have a Sequence Number of 1". The sequence packet sent for a given Rekey SA will have a Sequence Number of 1".
number increments with each successive rekey. The sequence number increments with each successive rekey.
3.4. POP Payload 2.5. POP Payload
RFC 3547 defines the Proof of Possession (POP) payload, which RFC 3547 defines the Proof of Possession (POP) payload, which
contains a digital signature over a hash. Some RFC 3547 text contains a digital signature over a hash. Some RFC 3547 text
erroneously describes it as a "prf()". erroneously describes it as a "prf()".
RFC 3547 omitted including a method of specifying the hash function RFC 3547 omitted including a method of specifying the hash function
type used in the POP payload. As a result, the GCKS or group member type used in the POP payload. As a result, the GCKS or group member
do not have a means by which to agree which hash algorithm should be do not have a means by which to agree which hash algorithm should be
used. To remedy this omission without changing the protocol, this used. To remedy this omission without changing the protocol, this
memo specifies that the hash algorithm passed in the memo specifies that the hash algorithm passed in the
SIG_HASH_ALGORITHM MUST be also used as the POP hash algorithm. SIG_HASH_ALGORITHM MUST be also used as the POP hash algorithm.
The SIG_ALGORITHM type of SIG_ALG_RSA does not specify which PKCS#1 2.6. CERT Payload
[RFC3447] encoding method is employed. To match existing practice,
this memo requires that it be the EMSA-PKCS1-v1_5 encoding method. Receivers of the POP payload need the sender's public key in order to
validate the POP. However the source of that public key is not
explicitly defined. For example, if the certificate encoding value
passed in the CERT payload (defined in Section 3.9 of RFC 2408) does
not contain a public key then no public key is available. To remedy
this omission, this memo specifies that the certificate passed in the
CERT payload MUST be a public key certificate.
2.7. SIG Payload
The GROUPKEY-PUSH message defined in Section 4 of RFC 3547 includes a
SIG payload. The first paragraph on page 12 is amended as follows.
The SIG payload includes a signature of a hash of the entire
GROUPKEY-PUSH message (excepting the SIG payload bytes) before it
has been encrypted. The HASH is taken over the string 'rekey',
the GROUPKEY-PUSH HDR, SEQ, SA, KD, and optionally the CERT
payload. The prefixed string ensures that the signature of the
Rekey datagram cannot be used for any other purpose in the GDOI
protocol. After the SIG payload is created using the signature of
the above hash, the current KEK encryption key encrypts all the
payloads following the GROUPKEY-PUSH HDR. Note: The rationale for
this order of operations is given in Section 6.3.5 of RFC 3547.
Section 5.3.7.1 of RFC 4357 defines a SIG_ALGORITHM type of
SIG_ALG_RSA, but it omits specifying which PKCS#1 [RFC3447] encoding
method is employed. To match existing practice, this memo requires
that it be the EMSA-PKCS1-v1_5 encoding method.
2.8. KE Payload
The purpose of the KE Payload in GDOI is to encrypt keying material
before encrypting the entire GDOI registration message. However, the
specification for computing keying material for the additional
encryption function in RFC 3547 is faulty. Furthermore, it has been
observed that because the GDOI registration message uses strong
ciphers and provides authenticated encryption, additional encryption
of the keying material in a GDOI registration message provides
negligible value. Therefore, the use of KE payloads is deprecated in
this memo.
2.9. Attribute behavour
An GDOI implementation MUST abort if it encounters and attribute or
capability that it does not understand.
2.10. Deletion of SAs
RFC 3547 provides for the condition that the GCKS may want to signal
to receivers to delete their SAs, but there may be circumstances
where the GCKS may want to start over with a clean slate. If the
administrator is no longer confident in the integrity of the group,
the GCKS can signal deletion of all policy of a particular TEK
protocol by sending a TEK with a SPI value equal to zero in the
delete payload. For example, if the GCKS wishes to remove all the
KEKs and all the TEKs in the group, the GCKS SHOULD send a delete
payload with a spi of zero and a protocol_id of a TEK protocol_id
value as defined in section 5.4 of RFC 3547, followed by another
delete payload with a spi of zero and a protocol_id of zero,
indicating that the KEK SA should be deleted.
3. Authorization
Meadows and Pavlovic have published a paper [MP04] describing a means Meadows and Pavlovic have published a paper [MP04] describing a means
by which a rogue GDOI device (i.e., GCKS or group member) can gain by which a rogue GDOI device (i.e., GCKS or group member) can gain
access to a group for which it is not a group member. The rogue access to a group for which it is not a group member. The rogue
device perpetrates a man-in-the-middle attack, which can occur if the device perpetrates a man-in-the-middle attack, which can occur if the
following conditions are true: following conditions are true:
1. The rogue GDOI participant convinces an authorized member of the 1. The rogue GDOI participant convinces an authorized member of the
group (i.e., victim group member) that it is a GCKS for that group (i.e., victim group member) that it is a GCKS for that
group, and it also convinces the GCKS (i.e., victim GCKS) of that group, and it also convinces the GCKS (i.e., victim GCKS) of that
group it is an authorized group member. group it is an authorized group member.
2. The victim group member, victim GCKS, and rogue group member all 2. The victim group member, victim GCKS, and rogue group member all
share IKEv1 authentication credentials. share IKEv1 authentication credentials.
3. The victim GCKS does not properly verify that the IKEv1 3. The victim GCKS does not properly verify that the IKE
authentication credentials used to protect a GROUPKEY-PULL authentication credentials used to protect a GROUPKEY-PULL
protocol are authorized to be join the group. protocol are authorized to be join the group.
The point of proof-of-possession is to prove that the owner of the The value of proof-of-possession is to prove that the owner of the
identity associated with the Phase 1 key is the same as the owner of identity associated with the Phase 1 key is the same as the owner of
the key distributed in the CERT. This attack can be mitigated by the key distributed in the CERT. This attack can be mitigated by
adding the Phase 1 identities into the hashed data. This memo adding the Phase 1 identities into the hashed data. This memo
replaces the method of computing POP_HASH, which is: replaces the method computing POP_HASH in Section 5.7 of RFC 3547
with the following method:
POP_HASH = hash("pop" | IKE-Initiator-P1-ID | IKE-Responder-P1-ID | POP_HASH = hash("pop" | IKE-Initiator-P1-ID | IKE-Responder-P1-ID |
Ni | Nr) Ni | Nr)
where the fields are hashed as follows: where the fields are hashed as follows:
o The string "pop" without a NULL termination character. o The string "pop" without a NULL termination character.
o The IKE Phase 1 identity of the GCKS as distributed in the o The IKE Phase 1 identity of the GCKS as distributed in the
"identification Data" portion of the ID payload. Because the "identification Data" portion of the ID payload. Because the
length of the identity is variable, the length of the length of the identity is variable, the length of the
Identification Data MUST be hashed as a four octet value with the Identification Data MUST be hashed as a four octet value with the
length located in the least significant bits (in big-endian length located in the least significant bits (in network byte
format). The length value is hashed before the data value. order). The length value is hashed before the data value.
o The IKE Phase 1 identity of the group member as distributed in the o The IKE Phase 1 identity of the group member as distributed in the
"identification Data" portion of the ID payload. Because the "identification Data" portion of the ID payload. Because the
length of the identity is variable, the length of the length of the identity is variable, the length of the
Identification Data MUST be hashed as a four octet value with the Identification Data MUST be hashed as a four octet value with the
length located in the least significant bits (in big-endian length located in the least significant bits (in network byte
format). The length value is hashed before the data value. order). The length value is hashed before the data value.
o The initiator nonce Ni, as passed in the first GROUPKEY-PULL o The initiator nonce Ni, as passed in the first GROUPKEY-PULL
message. message.
o The responder nonce Nr, as passed in the second GROUPKEY-PULL o The responder nonce Nr, as passed in the second GROUPKEY-PULL
message. message.
3.5. CERT Payload This attack can also be mitigated by applying appropriate GCKS and
group member authorization. When the use of CERT and POP payloads
Receivers of the POP payload need the sender's public key in order to are not mandated in group policy, the GCKS SHOULD have a means of
validate the POP. However the source of that public key is not recognizing authorized group members for each group, where the
explicitly defined. For example, if the certificate passed in the recognition is based on IKE authentication credentials. For example,
CERT payload is an attribute certificate (not containing a public the GCKS may have a list of authorized IKE identifiers stored for
key) then no public key is available. To remedy this omission, this each Group. The authorization check SHOULD be made after receipt of
memo specifies that the certificate passed in the CERT payload MUST the ID payload containing a group id the group member is requesting
be an identity certificate (including a public key). to join.
3.6. TEK Integrity Key Length
This length of an integrity key distributed within GDOI varies
according to the integrity algorithm. The SHA1 keys will consist of
160 bits, SHA256 keys will consist of 256 bits, and MD5 keys will
consist of 128 bits.
3.7. KE Payload
RFC 3547 provides an OPTIONAL additional protection for the KD
payload during a GROUPKEY-PULL exchange called Perfect Forward
Secrecy (PFS). If the GCKS and group member exchange KE payloads
containing Diffie-Hellman public keys, the GCKS encrypts the KD
payload with a secret obtained from the Diffie-Hellman shared number.
This encryption precedes the encryption of the entire GROUPKEY-PULL
message.
The purpose of PFS in GDOI is to more carefully protect the keying
material passed from the GCKS to the group member. If a passive
attacker captures the GROUPKEY-PULL exchange and performs an offline
attack of the IKE Phase 1 confidentiality keys, it may eventually
discover them. If PFS is not used, the attacker can immediately use
the recovered keys to decrypt data packets and GROUPKEY-PUSH
messages, either live or stored. Thus, the IKE Phase 1 keys are
critical to the long-term confidentiality of the group. PFS was
added as an additional mechanism to hinder a passive attacker by
requiring the attacker to perform an additional cryptanalysis to
recover the Diffie-Hellman shared number computed by the GCKS and
group member.
RFC 3547 Section 3.2.1 says "The GCKS responder will xor the DH
secret with the KD payload and send it to the member Initiator, which
recovers the KD by repeating this operation as in the Oakley IEXTKEY
procedure [RFC2412]". However, the IEXTKEY procedure does not xor
the DH shared secret with an entire payload, and the DH shared secret
is not likely to be long enough to cover the entire payload.
Therefore, the following amended procedure MUST be used for PFS.
1. The GCKS and group member MUST derive an encryption key and IV
(if needed by the encryption algorithm mode) using the dhEphem
method described in Section 6.1.2.1 of [NIST.800-56A.2006].
2. The key derivation function MUST be the preferred key derivation
function described in Section 5.8.1 of [NIST.800-56A.2006]. The
"kdf" function MUST be algorithm defined in the group policy as
the SIG_HASH_ALGORITHM attribute. The "keydatalen" input will be
the number of bits necessary for the encryption algorithm plus
the number of bits needed by the algorithm mode (if any). The
following kdf "OtherInfo" values MUST be hashed:
* AlgorithmID: This value represents the encryption algorithm
with which the derived keying material will be used (i.e.,
KEK_ALGORITHM). The value is hashed as a two octet value with
the algorithm id located in the least significant bits (in
big-endian format).
* PartyUInfo: This value will be the IKE Phase 1 identity of the
GCKS as distributed in the "identification Data" portion of
the ID payload. Because the length of the identity is
variable, the length of the Identification Data MUST be hashed
as a four octet value with the length located in the least
significant bits (in big-endian format). The length value is
hashed before the data value.
* PartyVInfo: This value will be the IKE Phase 1 identity of the
group member as distributed in the "identification Data"
portion of the ID payload. Because the length of the identity
is variable, the length of the Identification Data MUST be
hashed as a four octet value with the length located in the
least significant bits (in big-endian format). The length
value is hashed before the data value.
3. The result of the hash will be used as input to the encryption
algorithm described in the KEK_ALGORITHM attribute. If the
algorithm mode requires an IV, the initial bits (in big-endian
format) of the derived keying material will be used as the IV.
The subsequent bits are used as the encryption key, encrypting
the bytes of the KD payload as described in Section 5.4 of RFC
3547. Note that the length of the KD payload may be larger due
to cipher block padding. If so, the KD payload length must be
modified to reflect the actual length of the ciphertext.
3.8. Minimum defined attributes 4. Harmonization with RFC 5374
Minimum attributes that must be sent as part of an SA KEK: the Multicast Extensions to the Security Architecture for the
KEK_ALGORITHM, KEK_KEY_LENGTH (if the cipher definition includes a Internet Protocol (RFC 5374) introduces new requirements for a group
variable length key), KEK_KEY_LIFETIME, SIG_HASH_ALGORITHM (except key management system distributing IPsec policy. The following
for DSA based algorithms), SIG_ALGORITHM, and SIG_KEY_LENGTH. sections describe new GDOI requirements that result from harmonizing
with that document.
RFC 3547 states that all mandatory IPsec DOI attributes are mandatory 4.1. Group Security Policy Database Attributes
in GDOI_PROTO_IPSEC_ESP. However, no such list of mandatory IPsec
DOI attributes can be found in RFC 2407. This memo requires that the
following attributes MUST be supported by an RFC 3547 implementation
supporting the GDOI_PROTO_IPSEC_ESP SA TEK: SA Life Type, SA Life
Duration, Encapsulation Mode, Authentication Algorithm (if the ESP
transform includes authentication).
3.9. Attribute behavour RFC 5374 describes new attributes as part of the Group Security
Policy Database (GSPD). These attributes describe policy that a
group key management system must convey to a group member in order to
support those extensions. The GDOI SA TEK payload distributes IPsec
policy using IPsec security association attributes defined in
[ISAKMP-REG]. This section defines how GDOI can convey the new
attributes as IPsec Security Association Attributes.
An GDOI implementation MUST abort if it encounters and attribute or 4.1.1. Address Preservation
capability that it does not understand.
4. GCKS and Group Member Authorization Applications use the extensions in RFC 5374 create encapsulate IPsec
multicast packets that are IP multicast packets. In order for the
GDOI group member to appropriately setup the GSPD, the GCKS must
provide that policy to the group member.
A GDOI group member SHOULD be configured with policy describing which Depending on group policy, several address preservation methods are
IKEv1 identities are authorized to act as GCKS for a group. possible: no address preservation ("None"), preservation of the
original source address ("Source-Only"), preservation of the original
destination address ("Destination-Only"), or both addresses ("Source-
And-Destination"). This memo adds the "Address Preservation"
security association attribute. If this attribute is not included in
a GDOI SA TEK payload provided by a GCKS, then Source-And-Destination
address preservation has been defined for the SA TEK.
The following sections clarify the need for a GCKS to authorize group 4.1.2. SA Direction
members. Authorization is needed regardless of whether the CERT and
POP payloads are mandated in group policy.
4.1. Authorization using the CERT/POP Payloads Depending on group policy, an IPsec SA created from an SA TEK payload
may be required in one or both directions. SA TEK policy used by
multiple senders is required to be installed in both the sending and
receiving direction ("Symmetric"), whereas SA TEK for a single sender
should only be installed in the receiving direction by receivers
("Receiver-Only") and in the sending direction by the sender
("Sender-Only"). This memo adds the "SA Direction" security
association attribute. If the attribute is not included in a GDOI SA
TEK payload, then the IPsec SA is treated as a Symmetric IPsec SA.
A GCKS conforming with RFC 3547 SHOULD perform authorization based on 4.1.3. Re-key rollover
the IKEv1 authentication credentials. When the CERT and POP payloads
are used for authorization, the GCKS and group member SHOULD verify
that the identify in the CERT payload is syntactically the same
identity as used in the IKEv1 authentication credentials. For the
authorization check to succeed, the two credentials are compared and
found to be identical. This stops a group member from authenticating
to the GCKS with its own credential, yet including another group
member's credentials and proof-of-possession in the CERT and POP
payloads.
4.2. Authorization through other methods Section 4.2.1 of RFC 5374 specifies a key rollover method that
requires two values be given it from the group key management
protocol. The Activation Time Delay (ATD) attribute allows the GCKS
to specify how long a after the start of a re-key event that a group
member is to activate new TEKs. The Deactivation Time Delay (DTD)
attribute allows the GCKS to specify how long a after the start of a
re-key event that a group member is to deactivate existing TEKs.
When the use of CERT and POP payloads are not mandated in group This memo adds new attributes by which a GCKS can relay these values
policy, the GCKS SHOULD have a means of recognizing authorized group to group members as part of the Group Associated Policy described in
members for each group, where the recognition is based on IKEv1 Section 5.
authentication credentials. For example, the GCKS may have a list of
authorized IKEv1 identifiers stored for each Group. The
authorization check SHOULD be made after receipt of the ID payload
containing a group id the group member is requesting to join.
5. New GDOI Attributes 5. New GDOI Attributes
This section contains new attributes to be are defined as part of This section contains new attributes to be are defined as part of
GDOI. GDOI.
5.1. Signature Hash Algorithm 5.1. Signature Hash Algorithm
RFC 3547 defines two signature hash algorithms (MD5 and SHA-1). RFC 3547 defines two signature hash algorithms (MD5 and SHA-1).
However, steady advances in technology have rendered both hash However, steady advances in technology have rendered both hash
skipping to change at page 14, line 29 skipping to change at page 14, line 29
attribute is defined by this memo to represent the SHA-256 algorithm: attribute is defined by this memo to represent the SHA-256 algorithm:
SIG_HASH_SHA256. Support for SIG_HASH_SHA256 is OPTIONAL. SIG_HASH_SHA256. Support for SIG_HASH_SHA256 is OPTIONAL.
5.2. Support of AH 5.2. Support of AH
RFC3547 only specifies data-security SAs for one security protocol, RFC3547 only specifies data-security SAs for one security protocol,
IPsec ESP. Typically IPsec implementations use ESP and AH IPsec SAs. IPsec ESP. Typically IPsec implementations use ESP and AH IPsec SAs.
This document extends the capability of GDOI to support both ESP and This document extends the capability of GDOI to support both ESP and
AH. The GROUPKEY-PULL mechanism will establish IPsec ESP SAs and AH. The GROUPKEY-PULL mechanism will establish IPsec ESP SAs and
IPsec AH SAs. The GROUPKEY-PUSH will refresh the IPsec ESP SAs and IPsec AH SAs. The GROUPKEY-PUSH will refresh the IPsec ESP SAs and
the IPsec AH SAs. Support for AH [RFC4302] will come with the the IPsec AH SAs. Support for AH [RFC4302] is achieved with the
introduction of a new SA_TEK Protocol-ID with the name introduction of a new SA_TEK Protocol-ID with the name
GDOI_PROTO_IPSEC_AH. Support for the GDOI_PROTO_IPSEC_AH SA TEK is GDOI_PROTO_IPSEC_AH. Support for the GDOI_PROTO_IPSEC_AH SA TEK is
OPTIONAL. OPTIONAL.
The TEK Protocol-Specific payload for AH is as follows: The TEK Protocol-Specific payload for AH is as follows:
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! Protocol ! SRC ID Type ! SRC ID Port ! ! Protocol ! SRC ID Type ! SRC ID Port !
skipping to change at page 16, line 12 skipping to change at page 16, line 12
o RFC 2407 Attributes -- AH Attributes from Section 4.5 of o RFC 2407 Attributes -- AH Attributes from Section 4.5 of
[RFC2407]. The GDOI supports all IPsec DOI SA Attributes for [RFC2407]. The GDOI supports all IPsec DOI SA Attributes for
GDOI_PROTO_IPSEC_AH excluding the Group Description, which MUST GDOI_PROTO_IPSEC_AH excluding the Group Description, which MUST
NOT be sent by a GDOI implementation and is ignored by a GDOI NOT be sent by a GDOI implementation and is ignored by a GDOI
implementation if received. The Authentication Algorithm implementation if received. The Authentication Algorithm
attribute of the IPsec DOI is group authentication in GDOI. The attribute of the IPsec DOI is group authentication in GDOI. The
following RFC 2407 attributes MUST be sent as part of a following RFC 2407 attributes MUST be sent as part of a
GDOI_PROTO_IPSEC_AH attribute: SA Life Type, SA Life Duration, GDOI_PROTO_IPSEC_AH attribute: SA Life Type, SA Life Duration,
Encapsulation Mode. Encapsulation Mode.
5.3. Sender-Specific Attributes 5.3. Group Associated Policy
RFC 3547 provides for the distribution of policy in the GROUPKEY-PULL RFC 3547 provides for the distribution of policy in the GROUPKEY-PULL
exchange in an SA payload. Policy can define GROUPKEY-PUSH policy exchange in an SA payload. Policy can define GROUPKEY-PUSH policy
(SA KEK) or traffic encryption policy (SA TEK) such as IPsec policy. (SA KEK) or traffic encryption policy (SA TEK) such as IPsec policy.
Additionally, there is a need to distribute sender-specific policy to There is a need to distribute group policy that fits into neither
each group member that is irrespective of either the SA KEK or SA TEK category. Some of this policy is generic to the group, and some is
policy. sender-specific policy for a particular group member.
GDOI distributes this sender-specific policy in a new payload called
the SA Sender-Specific Attributes Payload (SA SSA). The SA SSA
payload follows any SA KEK payload, and is placed before any SA TEK
payloads. In the case that group policy does not include an SA KEK,
the SA Attribute Next Payload field in the SA payload MAY indicate
the SA SSA payload.
The SA SSA payload MUST NOT be a part of a GROUPKEY-PUSH message, GDOI distributes this associated group policy in a new payload called
because distributing the same sender-specific policy to more than one the SA Group Associated Policy (SA SAP). The SA GAP payload follows
group member may reduce the security of the group. A group member any SA KEK payload, and is placed before any SA TEK payloads. In the
MUST NOT process an SA SSA payload present in a GROUPKEY-PUSH case that group policy does not include an SA KEK, the SA Attribute
message. Next Payload field in the SA payload MAY indicate the SA GAP payload.
The SA SSA payload is defined as follows: The SA GAP payload is defined as follows:
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! Next Payload ! RESERVED ! Payload Length ! ! Next Payload ! RESERVED ! Payload Length !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! Sender-Specific Attributes ~ ! Group Associated Policy Attributes ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
The SA SSA payload fields are defined as follows: The SA GAP payload fields are defined as follows:
o Next Payload (1 octet) -- Identifies the next payload for the o Next Payload (1 octet) -- Identifies the next payload present in
GROUPKEY-PULL or the GROUPKEY-PUSH message. The only valid next the GROUPKEY-PULL or the GROUPKEY-PUSH message. The only valid
payload type for this message is an SA TEK or zero to indicate next payload type for this message is an SA TEK or zero to
there are no more security association attributes. indicate there are no more security association attributes.
o RESERVED (1 octet) -- Must be zero. o RESERVED (1 octet) -- Must be zero.
o Payload Length (2 octets) -- Length of this payload, including the o Payload Length (2 octets) -- Length of this payload, including the
SA SSA header and Sender-Specific Attributes. SA GAP header and Attributes.
o Group Attributes (variable) -- Contains sender-specific attributes o Group Associated Policy Attributes (variable) -- Contains
following the format defined in ISAKMP [RFC2408] section 3.3. attributes following the format defined in Section 3.3 of RFC
2408.
One attribute with the type of SENDER_ID is defined in this memo. Several group associated policy attributes are defined in this memo.
5.3.1. SENDER_ID 5.3.1. ACTIVATION_TIME_DELAY
This attribute allows a GCKS to set the Activation Time Delay for SAs
generated from TEKs. The value is in seconds. If a group member
receives a TEK with an ATD value, but discovers that it has no
current SAs matching the policy in the TEK, then it SHOULD create and
install SAs from the TEK immediately.
5.3.2. DEACTIVATION_TIME_DELAY
This attribute allows a GCKS to set the Deactivation Time Delay for
SAs generated from TEKs. The value is in seconds.
5.3.3. SENDER_ID
Several new AES counter-based modes of operation have been specified Several new AES counter-based modes of operation have been specified
for ESP [RFC3686],[RFC4106],[RFC4309],[RFC4543] and AH [RFC4543]. for ESP [RFC3686],[RFC4106],[RFC4309],[RFC4543] and AH [RFC4543].
These AES counter-based modes require that no two senders in the These AES counter-based modes require that no two senders in the
group ever send a packet with the same IV. This requirement can be group ever send a packet with the same IV. This requirement can be
met using the method described in met using the method described in
[I-D.ietf-msec-ipsec-group-counter-modes], which requires each sender [I-D.ietf-msec-ipsec-group-counter-modes], which requires each sender
to be allocated a unique Sender ID (SID). The SENDER_ID attribute is to be allocated a unique Sender ID (SID). The SENDER_ID attribute is
used to distribute a SID to a group member during the GROUPKEY-PULL used to distribute a SID to a group member during the GROUPKEY-PULL
message. Other algorithms with the same need may be defined in the message. Other algorithms with the same need may be defined in the
skipping to change at page 17, line 44 skipping to change at page 18, line 5
! SID Length ! SID Value ~ ! SID Length ! SID Value ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
o SID Length (1 octet) -- A natural number defining the number of o SID Length (1 octet) -- A natural number defining the number of
bits to be used in the SID field of the counter mode transform bits to be used in the SID field of the counter mode transform
nonce. nonce.
o SID Value (variable) -- The Sender ID value allocated to the group o SID Value (variable) -- The Sender ID value allocated to the group
member. member.
5.3.1.1. GCKS Semantics 5.3.3.1. GCKS Semantics
The GCKS maintains a SID counter (SIDC). It is incremented each time The GCKS maintains a SID counter (SIDC). It is incremented each time
a SENDER_ID attribute is distributed to a group member.The first a SENDER_ID attribute is distributed to a group member.The first
group member to register is given the SID of 1. group member to register is given the SID of 1.
Any group member registering will be given a new SID value, which Any group member registering will be given a new SID value, which
allows group members to act as a group sender when an older SID value allows group members to act as a group sender when an older SID value
becomes unusable (as described in the next section). becomes unusable (as described in the next section).
A GCKS MAY allocate multiple SID values in one SA SSA payload. A GCKS MAY allocate multiple SID values in one SA SSA payload.
Allocating several SID values at the same time to a group member Allocating several SID values at the same time to a group member
expected to send at a high rate would obviate the need for the group expected to send at a high rate would obviate the need for the group
member to re-register as frequently. member to re-register as frequently.
If a GKCS allocates all SID values, it can no longer respond to GDOI If a GCKS allocates all SID values, it can no longer respond to GDOI
registrations. and must re-initialize the entire group. This is done registrations and must re-initialize the entire group. This is done
by issuing DELETE notifications for all ESP and AH SAs in a GDOI by issuing DELETE notifications for all ESP and AH SAs in a GDOI
rekey message, resetting the SIDC to zero, and creating new ESP and rekey message, resetting the SIDC to zero, and creating new ESP and
AH SAs that match the group policy. When group members re-register, AH SAs that match the group policy. When group members re-register,
the SIDs are allocated again beginning with the value 1 as described the SIDs are allocated again beginning with the value 1 as described
above. Each re-registering group member will be given a new SID and above. Each re-registering group member will be given a new SID and
the new group policy. the new group policy.
5.3.1.2. Group Member Semantics The SENDER_ID attribute MUST NOT be sent as part of a GROUPKEY-PUSH
message, because distributing the same sender-specific policy to more
than one group member may reduce the security of the group.
5.3.3.2. Group Member Semantics
The SENDER_ID attribute value distributed to the group member MUST be The SENDER_ID attribute value distributed to the group member MUST be
used by that group member as the Sender Identifier (SID) field used by that group member as the Sender Identifier (SID) field
portion of the IV. The SID is used for all counter mode SAs portion of the IV. The SID is used for all counter mode SAs
distributed by the GCKS to be used for communications sent as a part distributed by the GCKS to be used for communications sent as a part
of this group. of this group.
When the Sender-Specific IV (SSIV) field for any IPsec SA is When the Sender-Specific IV (SSIV) field for any IPsec SA is
exhausted, the group member MUST no longer act as a sender using its exhausted, the group member MUST no longer act as a sender using its
active SID. The group member SHOULD re-register, during which time active SID. The group member SHOULD re-register, during which time
the GCKS will issue a new SID to the group member. The new SID the GCKS will issue a new SID to the group member. The new SID
replaces the existing SID used by this group member, and also resets replaces the existing SID used by this group member, and also resets
the SSIV value to it's starting value. A group member MAY re- the SSIV value to it's starting value. A group member MAY re-
register prior to the actual exhaustion of the SSIV field to avoid register prior to the actual exhaustion of the SSIV field to avoid
dropping data packets due to the exhaustion of available SSIV values dropping data packets due to the exhaustion of available SSIV values
combined with a particular SID value. combined with a particular SID value.
6. New IPsec Security Association Attributes A group member MUST NOT process SENDER_ID attribute present in a
GROUPKEY-PUSH message.
The Multicast Extensions to RFC 4301 [I-D.ietf-msec-ipsec-extensions]
describes new attributes to an IPsec security association. These
attributes describe policy that a group key management system must
convey in order to support those extensions. The GDOI SA TEK payload
distributes IPsec policy using IPsec security association attributes
defined in [ISAKMP-REG]. This section defines how GDOI can convey
the new attributes as IPsec Security Association Attributes.
6.1. Address Preservation
In order for an IP multicast packet to be encapsulated such that it
will remain an IP multicast packet, the original IP addresses may
need to be retained. This requires a new IPsec SA attribute
describing which of the IP addresses are to be preserved.
Depending on group policy, several address preservation methods are
possible: no address preservation ("None"), preservation of the
original source address ("Source-Only"), preservation of the original
destination address ("Destination-Only"), or both addresses ("Source-
And-Destination"). If the attribute is not included in a GDOI SA TEK
payload then Source-And-Destination address preservation has been
defined for the SA TEK.
6.2. SA Direction
Depending on group policy, an IPsec SA may be required in one or both
directions. An IPsec SA used by multiple senders is required to be
installed in both the sending and receiving direction ("Symmetric"),
whereas an SA with a single sender need only be installed in the
receiving direction by receivers ("Receiver-Only") and in the sending
direction by the sender ("Sender-Only"). If the attribute is not
included in a GDOI SA TEK payload then the IPsec SA is treated as a
Symmetric IPsec SA.
7. IANA Considerations 6. IANA Considerations
The GDOI SIG_HASH_ALGORITHM KEK Attribute [GDOI-REG] should be The GDOI KEK Attribute named SIG_HASH_ALGORITHM [GDOI-REG] should be
assigned a new Algorithm Type value from the RESERVED space to assigned a new Algorithm Type value from the RESERVED space to
represent the SHA-256 hash algorithm as defined. The new algorithm represent the SHA-256 hash algorithm as defined. The new algorithm
name should be SIG_HASH_SHA256. name should be SIG_HASH_SHA256.
A new GDOI KEK Attribute [GDOI-REG] is needed to represent the number
of seconds before a sender should transmit on an TEK. The attribute
has the name TEK_TRANSMIT_WAIT_PERIOD, and is a Variable type.
A new GDOI SA TEK type Protocol-ID type [GDOI-REG] should be assigned A new GDOI SA TEK type Protocol-ID type [GDOI-REG] should be assigned
from the RESERVED space. The new algorithm id should be called from the RESERVED space. The new algorithm id should be called
GDOI_PROTO_IPSEC_AH, and refers to the IPsec AH encapsulation. GDOI_PROTO_IPSEC_AH, and refers to the IPsec AH encapsulation.
A new Next Payload Type [ISAKMP-REG] should be assigned. The new A new Next Payload Type [ISAKMP-REG] should be assigned. The new
type is called "SA SSA Payload (SSA)". type is called "SA Group Associated Policy (GAP)".
A new namespace should be created in the GDOI Payloads registry A new namespace should be created in the GDOI Payloads registry
[GDOI-REG] to describe SA SSA Payload Values. The following rules [GDOI-REG] to describe SA SSA Payload Values. The following rules
apply to define the attributes in SA SSA Payload Values: apply to define the attributes in SA SSA Payload Values:
Attribute Type Value Type Attribute Type Value Type
---- ----- ---- ---- ----- ----
RESERVED 0 RESERVED 0
SENDER_ID 1 V ACTIVATION_TIME_DELAY 1 B
DEACTIVATION_TIME_DELAY 2 B
SENDER_ID 3 V
Reserved to IANA 2-127 Reserved to IANA 2-127
Private Use 128-255 Private Use 128-255
A new IPSEC Security Association Attribute [ISAKMP-REG] defining the A new IPSEC Security Association Attribute [ISAKMP-REG] defining the
preservation of IP addresses is needed. The attribute class is preservation of IP addresses is needed. The attribute class is
called "Address Preservation", and it is a Basic type. The following called "Address Preservation", and it is a Basic type. The following
rules apply to define the values of the attribute: rules apply to define the values of the attribute:
Name Value Name Value
---- ----- ---- -----
skipping to change at page 22, line 5 skipping to change at page 21, line 5
Name Value Name Value
---- ----- ---- -----
Reserved 0 Reserved 0
Sender-Only 1 Sender-Only 1
Receiver-Only 2 Receiver-Only 2
Symmetric 3 Symmetric 3
Reserved to IANA 4-61439 Reserved to IANA 4-61439
Private Use 61440-65535 Private Use 61440-65535
8. Security Considerations 7. Security Considerations
This memo describes additional clarification and protocol updates to This memo describes additional clarification and adds additional
the GDOI protocol. The security considerations in RFC 3547 remain attributes to be passed within the GDOI protocol. The security
accurate, with the following additions. considerations in RFC 3547 remain accurate, with the following
additions.
o Several minor cryptographic hash algorithm agility issues are o Several minor cryptographic hash algorithm agility issues are
resolved, and the stronger SHA-256 cryptographic hash algorithm is resolved, and the stronger SHA-256 cryptographic hash algorithm is
added. added.
o Protocol analysis has revealed a man-in-the-middle attack when the o Protocol analysis has revealed a man-in-the-middle attack when the
GCKS does not authorize group members based on their IKEv1 GCKS does not authorize group members based on their IKE
authentication credentials. This is true even when a CERT and POP authentication credentials. This is true even when a CERT and POP
payloads are used for authorization. Although suggested as an payloads are used for authorization. Although suggested as an
option in RFC 3547, a GDOI device (group member or GCKS) SHOULD option in RFC 3547, a GDOI device (group member or GCKS) SHOULD
NOT accept an identity in a CERT payload that does not match the NOT accept an identity in a CERT payload that does not match the
IKEv1 identity used to authenticate the group member. IKE identity used to authenticate the group member.
o Any SA TEK specicifying a counter-based mode of operation with o Any SA TEK specifying a counter-based mode of operation with
multiple senders MUST construct the IVs in each SA TEK according multiple senders MUST construct the IVs in each SA TEK according
to [I-D.ietf-msec-ipsec-group-counter-modes]. The SID MUST either to [I-D.ietf-msec-ipsec-group-counter-modes]. The SID MUST either
be pre-configured on all group members or distributed using the be pre-configured on all group members or distributed using the
SENDER_ID attribute in the SA SSA payload. However, use use of SENDER_ID attribute in the SA GAP payload. However, use of the
the SENDER_ID attribute is RECOMMENDED. SENDER_ID attribute is RECOMMENDED.
9. Acknowledgements 8. Acknowledgements
The authors are grateful to Catherine Meadows for her careful review The authors are grateful to Catherine Meadows for her careful review
and suggestions for mitigating the man-in-the-middle attack she had and suggestions for mitigating the man-in-the-middle attack she had
previously identified. previously identified.
10. References 9. References
10.1. Normative References
[FIPS.180-2.2002]
National Institute of Standards and Technology, "Secure
Hash Standard", FIPS PUB 180-2, August 2002, <http://
csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf>.
[I-D.ietf-msec-ipsec-extensions] 9.1. Normative References
Weis, B., Gross, G., and D. Ignjatic, "Multicast
Extensions to the Security Architecture for the Internet
Protocol", draft-ietf-msec-ipsec-extensions-06 (work in
progress), July 2007.
[I-D.ietf-msec-ipsec-group-counter-modes] [I-D.ietf-msec-ipsec-group-counter-modes]
McGrew, D. and B. Weis, "Using Counter Modes with McGrew, D. and B. Weis, "Using Counter Modes with
Encapsulating Security Payload (ESP) and Authentication Encapsulating Security Payload (ESP) and Authentication
Header (AH) to Protect Group Traffic", Header (AH) to Protect Group Traffic",
draft-ietf-msec-ipsec-group-counter-modes-00 (work in draft-ietf-msec-ipsec-group-counter-modes-03 (work in
progress), February 2007. progress), March 2009.
[NIST.800-56A.2006]
National Institute of Standards and Technology,
"Recommendation for Pair-Wise Key Establishment Schemes
Using Discrete Logarithm Cryptography", NIST 800-56A,
March 2006, <http://csrc.nist.gov/publications/nistpubs/
800-56A/sp800-56A_May-3-06.pdf>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3547] Baugher, M., Weis, B., Hardjono, T., and H. Harney, "The [RFC3547] Baugher, M., Weis, B., Hardjono, T., and H. Harney, "The
Group Domain of Interpretation", RFC 3547, July 2003. Group Domain of Interpretation", RFC 3547, July 2003.
[RFC4302] Kent, S., "IP Authentication Header", RFC 4302, [RFC5374] Weis, B., Gross, G., and D. Ignjatic, "Multicast
December 2005. Extensions to the Security Architecture for the Internet
Protocol", RFC 5374, November 2008.
[RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", 9.2. Informative References
RFC 4303, December 2005.
10.2. Informative References [FIPS.180-2.2002]
National Institute of Standards and Technology, "Secure
Hash Standard", FIPS PUB 180-2, August 2002, <http://
csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf>.
[GDOI-REG] [GDOI-REG]
Internet Assigned Numbers Authority, "Group Domain of Internet Assigned Numbers Authority, "Group Domain of
Interpretation (GDOI) Payload Type Values", IANA Registry, Interpretation (GDOI) Payload Type Values", IANA Registry,
December 2004, December 2004,
<http://www.iana.org/assignments/gdoi-payloads>. <http://www.iana.org/assignments/gdoi-payloads>.
[IPSEC-REG]
Internet Assigned Numbers Authority, "Internet Key
Exchange (IKE) Attributes IKE Attributes", IANA Registry,
December 2005,
<http://www.iana.org/assignments/ipsec-registry>.
[ISAKMP-REG] [ISAKMP-REG]
Internet Assigned Numbers Authority, "Internet Security Internet Assigned Numbers Authority, "Internet Security
Association and Key Management Protocol (ISAKMP) Association and Key Management Protocol (ISAKMP)
Identifiers ISAKMP Attributes", IANA Registry, Identifiers ISAKMP Attributes", IANA Registry,
January 2006, January 2006,
<http://www.iana.org/assignments/isakmp-registry>. <http://www.iana.org/assignments/isakmp-registry>.
[MP04] Meadows, C. and D. Pavlovic, "Deriving, Attacking, and [MP04] Meadows, C. and D. Pavlovic, "Deriving, Attacking, and
Defending the GDOI Protocol", ESORICS 2004 pp. 53-72, Defending the GDOI Protocol", ESORICS 2004 pp. 53-72,
September 2004. September 2004.
[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
Hashing for Message Authentication", RFC 2104,
February 1997.
[RFC2407] Piper, D., "The Internet IP Security Domain of [RFC2407] Piper, D., "The Internet IP Security Domain of
Interpretation for ISAKMP", RFC 2407, November 1998. Interpretation for ISAKMP", RFC 2407, November 1998.
[RFC2408] Maughan, D., Schneider, M., and M. Schertler, "Internet [RFC2408] Maughan, D., Schneider, M., and M. Schertler, "Internet
Security Association and Key Management Protocol Security Association and Key Management Protocol
(ISAKMP)", RFC 2408, November 1998. (ISAKMP)", RFC 2408, November 1998.
[RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange
(IKE)", RFC 2409, November 1998.
[RFC3447] Jonsson, J. and B. Kaliski, "Public-Key Cryptography [RFC3447] Jonsson, J. and B. Kaliski, "Public-Key Cryptography
Standards (PKCS) #1: RSA Cryptography Specifications Standards (PKCS) #1: RSA Cryptography Specifications
Version 2.1", RFC 3447, February 2003. Version 2.1", RFC 3447, February 2003.
[RFC3686] Housley, R., "Using Advanced Encryption Standard (AES) [RFC3686] Housley, R., "Using Advanced Encryption Standard (AES)
Counter Mode With IPsec Encapsulating Security Payload Counter Mode With IPsec Encapsulating Security Payload
(ESP)", RFC 3686, January 2004. (ESP)", RFC 3686, January 2004.
[RFC4046] Baugher, M., Canetti, R., Dondeti, L., and F. Lindholm, [RFC4046] Baugher, M., Canetti, R., Dondeti, L., and F. Lindholm,
"Multicast Security (MSEC) Group Key Management "Multicast Security (MSEC) Group Key Management
Architecture", RFC 4046, April 2005. Architecture", RFC 4046, April 2005.
[RFC4106] Viega, J. and D. McGrew, "The Use of Galois/Counter Mode [RFC4106] Viega, J. and D. McGrew, "The Use of Galois/Counter Mode
(GCM) in IPsec Encapsulating Security Payload (ESP)", (GCM) in IPsec Encapsulating Security Payload (ESP)",
RFC 4106, June 2005. RFC 4106, June 2005.
[RFC4302] Kent, S., "IP Authentication Header", RFC 4302,
December 2005.
[RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)",
RFC 4303, December 2005.
[RFC4309] Housley, R., "Using Advanced Encryption Standard (AES) CCM [RFC4309] Housley, R., "Using Advanced Encryption Standard (AES) CCM
Mode with IPsec Encapsulating Security Payload (ESP)", Mode with IPsec Encapsulating Security Payload (ESP)",
RFC 4309, December 2005. RFC 4309, December 2005.
[RFC4543] McGrew, D. and J. Viega, "The Use of Galois Message [RFC4543] McGrew, D. and J. Viega, "The Use of Galois Message
Authentication Code (GMAC) in IPsec ESP and AH", RFC 4543, Authentication Code (GMAC) in IPsec ESP and AH", RFC 4543,
May 2006. May 2006.
[RFC4894] Hoffman, P., "Use of Hash Algorithms in Internet Key
Exchange (IKE) and IPsec", RFC 4894, May 2007.
Authors' Addresses Authors' Addresses
Brian Weis Brian Weis
Cisco Systems Cisco Systems
170 W. Tasman Drive 170 W. Tasman Drive
San Jose, California 95134-1706 San Jose, California 95134-1706
USA USA
Phone: +1-408-526-4796 Phone: +1-408-526-4796
Email: bew@cisco.com Email: bew@cisco.com
Sheela Rowles Sheela Rowles
Cisco Systems Cisco Systems
170 W. Tasman Drive 170 W. Tasman Drive
San Jose, California 95134-1706 San Jose, California 95134-1706
USA USA
Phone: +1-408-527-7677 Phone: +1-408-527-7677
Email: srowles@cisco.com Email: sheela@cisco.com
Full Copyright Statement
Copyright (C) The IETF Trust (2007).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgment
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).
 End of changes. 92 change blocks. 
472 lines changed or deleted 344 lines changed or added

This html diff was produced by rfcdiff 1.35. The latest version is available from http://tools.ietf.org/tools/rfcdiff/