MSEC Working Group                                               B. Weis
Internet-Draft                                                 S. Rowles
Intended status: Standards Track                           Cisco Systems
Expires: March 17, 2008 September 14, 2007 7, 2009                                 March 6, 2009

          Updates to the Group Domain of Interpretation (GDOI)
                     draft-ietf-msec-gdoi-update-03
                     draft-ietf-msec-gdoi-update-04

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of which he BCP 78 and BCP 79.  This document may contain material
   from IETF Documents or she is aware
   have been IETF Contributions published or will made publicly
   available before November 10, 2008.  The person(s) controlling the
   copyright in some of this material may not have granted the IETF
   Trust the right to allow modifications of such material outside the
   IETF Standards Process.  Without obtaining an adequate license from
   the person(s) controlling the copyright in such materials, this
   document may not be disclosed, modified outside the IETF Standards Process, and any
   derivative works of which he or she becomes
   aware will it may not be disclosed, in accordance with Section 6 of BCP 79. created outside the IETF Standards
   Process, except to format it for publication as an RFC or to
   translate it into languages other than English.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on March 17, 2008. September 7, 2009.

Copyright Notice

   Copyright (C) The (c) 2009 IETF Trust (2007). and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents in effect on the date of
   publication of this document (http://trustee.ietf.org/license-info).
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.

Abstract

   This memo describes updates to the Group Domain of Interpretation
   (GDOI) [RFC3547]. .  It provides clarification where the original text is
   unclear.  It also includes a discussion of algorithm agility
   within GDOI, and proposes adds several new algorithm attribute values.
   values, including complete support for algorithm agility.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4  5
     1.1.  Requirements notation  . . . . . . . . . . . . . . . . . .  4  5

   2.  Cryptographic Algorithm agility  RFC 3547 Clarification . . . . . . . . . . . . . . .  5
     2.1.  Phase 1 protocol . . . . .  6
     2.1.  SA KEK Payload . . . . . . . . . . . . . . . .  5
     2.2.  GROUPKEY-PUSH message . . . . . .  6
     2.2.  SA TEK Payload . . . . . . . . . . . .  5
     2.3.  IPsec TEK Distribution . . . . . . . . . .  6
     2.3.  KD Payload . . . . . . . .  6
     2.4.  Certificate Payload . . . . . . . . . . . . . . . .  7
     2.4.  SEQ Payload  . . .  6
     2.5.  POP Payload . . . . . . . . . . . . . . . . . . . .  7
     2.5.  POP Payload  . . .  6

   3.  RFC 3547 Clarification . . . . . . . . . . . . . . . . . . . .  7
     3.1.  SA  8
     2.6.  CERT Payload . . . . . . . . . . . . . . . . . . . . . . . .  7
     3.2.  8
     2.7.  SIG Payload  . . . . . . . . . . . . . . . . . . . . . . .  7
     3.3.  SEQ  8
     2.8.  KE Payload . . . . . . . . . . . . . . . . . . . . . . . .  8
     3.4.  POP Payload
     2.9.  Attribute behavour . . . . . . . . . . . . . . . . . . . .  9
     2.10. Deletion of SAs  . . .  8
     3.5.  CERT Payload . . . . . . . . . . . . . . . . . .  9

   3.  Authorization  . . . . . 10
     3.6.  TEK Integrity Key Length . . . . . . . . . . . . . . . . . 10
     3.7.  KE Payload . . . . . . . . . . 10

   4.  Harmonization with RFC 5374  . . . . . . . . . . . . . . 10
     3.8.  Minimum defined attributes . . . 12
     4.1.  Group Security Policy Database Attributes  . . . . . . . . 12
       4.1.1.  Address Preservation . . . . . 12
     3.9.  Attribute behavour . . . . . . . . . . . . 12
       4.1.2.  SA Direction . . . . . . . . 12

   4.  GCKS and Group Member Authorization . . . . . . . . . . . . . 13
     4.1.  Authorization using the CERT/POP Payloads 12
       4.1.3.  Re-key rollover  . . . . . . . . 13
     4.2.  Authorization through other methods . . . . . . . . . . . 13

   5.  New GDOI Attributes  . . . . . . . . . . . . . . . . . . . . . 14
     5.1.  Signature Hash Algorithm . . . . . . . . . . . . . . . . . 14
     5.2.  Support of AH  . . . . . . . . . . . . . . . . . . . . . . 14
     5.3.  Sender-Specific Attributes  Group Associated Policy  . . . . . . . . . . . . . . . . . 16
       5.3.1.  SENDER_ID  . . . . . .  ACTIVATION_TIME_DELAY  . . . . . . . . . . . . . . . . 17
         5.3.1.1.  GCKS Semantics . . .
       5.3.2.  DEACTIVATION_TIME_DELAY  . . . . . . . . . . . . . . . 17
         5.3.1.2.  Group Member Semantics . . . . . . . . . . . .
       5.3.3.  SENDER_ID  . . 18

   6.  New IPsec Security Association Attributes . . . . . . . . . . 19
     6.1.  Address Preservation . . . . . . . . . . 17
         5.3.3.1.  GCKS Semantics . . . . . . . . . 19
     6.2.  SA Direction . . . . . . . . . 18
         5.3.3.2.  Group Member Semantics . . . . . . . . . . . . . . 19

   7. 18

   6.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 20
   8. 19

   7.  Security Considerations  . . . . . . . . . . . . . . . . . . . 22

   9. 21

   8.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 23

   10. 22
   9.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 24
     10.1. 23
     9.1.  Normative References . . . . . . . . . . . . . . . . . . . 24
     10.2. 23
     9.2.  Informative References . . . . . . . . . . . . . . . . . . 24 23

   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 27
   Intellectual Property and Copyright Statements . . . . . . . . . . 28 25

1.  Introduction

   The Group Domain of Interpretation (GDOI) [RFC3547] is a group key
   management protocol fitting into the Multicast Security Group Key
   Management Architecture [RFC4046].  GDOI is used to disseminate
   policy and corresponding secrets to a group of participants.  GDOI is
   implemented on hosts and intermediate systems to protect group IP
   communication (e.g., IP multicast packets) by encapsulating them with
   the IP Encapsulating Security Payload (ESP) [RFC4303] packets.
   However, implementation experience has revealed some
   Several factors have prompted new for updates to GDOI including:

   o  the discovery of inconsistencies in RFC 3547 needing clarification.  It also defines some additional
   GDOI algorithm attributes 3547, which are useful to GDOI applications.

   Algorithm agility, need
      clarification (Section 2),

   o  the ability to add new algorithms to namespaces,
   is publishing of an important consideration for any protocol.  This memo analyzes attack on the state protocol (Section 3)

   o  the publishing of algorithm agility within GDOI, and proposes some changes
   based upon that analysis.  In particular, methods the Multicast Extensions to the Security
      Architecture for fully
   supporting the Internet Protocol [RFC5374], which has
      implications to the policy distributed by group key management
      (Section 4),

   o  the need for new GDOI algorithm attributes, including the need to
      support SHA-256 [FIPS.180-2.2002] as an alternative to theSHA-1 the SHA-1
      and MD5 hash algorithms are described. (Section 5).

   The clarification and modifications in this memo retain backwards
   compatibility with update RFC 3547.

1.1.  Requirements notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  Cryptographic Algorithm agility

   Algorithm agility was a goal during the development  RFC 3547 Clarification

   Implementation experience of GDOI, and RFC 3547 generally provides the ability to add new algorithms as
   necessary.  However, further analysis has shown that there are places
   where algorithm agility is revealed a few areas of
   text that are not complete. sufficiently precise.  This section discusses the
   use of cryptographic algorithms within GDOI, points out variances in
   algorithm agility, and proposes clarifications without changing any
   payload formats within the protocol.

   Recent published attacks on the SHA-1 algorithm motivate its
   replacement as a cryptographic algorithm.  The ability provides
   clarifying text for GDOI to
   move to those areas.

2.1.  SA KEK Payload

   Section 5.3 of RFC 4357 defines the SHA-256 algorithm is explicitly discussed.  Later
   sections on this document propose some enhancements to SA KEK payload.  It includes the GDOI
   protocol to provide for an easier means
   "POP Key Length" field,The units of supporting this and
   additional hash functions.

2.1.  Phase 1 protocol

   GDOI is a "phase 2" protocol protected by a "phase 1" protocol.  The
   Phase 1 protocol defined field are not explicitly
   specified in RFC 3547 is an IKEv1 Phase 1 protocol
   (Main Mode or Aggressive Mode). 3547.  The Phase 1 protocol provides
   confidentiality via an encryption cipher.  It also provides message
   integrity via value MUST be a pseudo random function ("prf") (described number representing the
   length of key in bits.  In the case of POP_ALG_RSA, the value
   represents the size of the modulus.

   Section
   4 5.3 of [RFC2409], which is usually a hash algorithm using RFC 4357 also defines the HMAC
   [RFC2104] construction.  IKEv1 negotiates POP Algorithm of type of
   POP_ALG_RSA, but does not specify which encryption ciphers
   and hash algorithms are to PKCS#1 [RFC3447] encoding
   method is employed.  To match existing practice, this memo requires
   that it be used.

   IKEv1 cipher algorithms come from the "Encryption Algorithm" list in EMSA-PKCS1-v1_5 encoding method.

   The units of the IANA IPsec registry [IPSEC-REG], and SIG_KEY_LENGTH KEK attribute value was not
   explicitly specified in section 5.3.8 of RFC 3547.  The value MUST be
   a number representing the hash algorithms come
   from length of the "Hash Algorithm" list KEK encryption key in the same registry. bits.

   The IANA IPsec
   registry currently includes Group Controller/Key Server (GCKS) adds the SHA2-256, which is intended KEK_KEY_LEN attribute
   to be the
   SHA-256 algorithm.

   In summary, there are no cryptographic algorithm agility issues with
   the IKEv1 Phase 1 protocol SA payload when used as a GDOI "phase 1" protocol.
   For a more detailed analysis of distributing KEK policy to group members.  The
   group member verifies whether or not it has the use capability of hash algorithms in IKE and
   IPsec, see RFC 4894 [RFC4894].

2.2.  GROUPKEY-PUSH message

   The GROUPKEY-PUSH message is protected by an encryption cipher for
   confidentiality and using a digital signature for message integrity.  The
   encryption
   cipher is described by the IANA GDOI registry as key of that size.  If the
   KEK_ALGORITHM attribute [GDOI-REG].  The digital signature comprises
   both cipher definition includes a hash algorithm defined by fixed
   key length (e.g., KEK_ALG_3DES), the GDOI SIG_HASH_ALGORITHM group member can make its
   decision solely using KEK_ALGORITHM attribute and a public key signature algorithm defined by does not need the
   SIG_ALGORITHM
   KEK_KEY_LEN attribute.  This memo adds the SHA-256 algorithm to  Sending the
   SIG_HASH_ALGORITHM KEK_KEY_LEN attribute in a later section.

   In summary, there are no cryptographic algorithm agility issues with the GROUPKEY-PUSH message.

2.3.  IPsec TEK Distribution

   IPsec SAs are distributed by GDOI.  An IPsec ESP SA can include an
   encryption cipher for confidentiality and an algorithm for packet
   authentication.  The encryption ciphers are defined by the IPsec ESP
   Transform Identifiers defined in the IANA ISAKMP registry
   [ISAKMP-REG].  The packet authentication method
   payload is distributed via an
   "Authentication Algorithm" SA attribute.  SHA-256 may OPTIONAL if the KEK cipher has a fixed key length.

   Minimum attributes that must be chosen sent as
   the authentication algorithm with HMAC-SHA2-256.  Similarly, part of an IPsec
   AH SA is defined by choosing AH_SHA2-256 as the "AH Transform
   Identifier".

   In summary, there are no cryptographic algorithm agility issues
   during TEK distribution.

2.4.  Certificate Payload

   Messages in KEK:
   KEK_ALGORITHM, KEK_KEY_LENGTH (if the GROUPKEY-PULL and GROUPKEY-PUSH protocols may include cipher definition includes a Certificate Payload (CERT).  Certificate digital signatures, and
   the algorithm agility thereof, are outside the scope of this memo.

2.5.  POP
   variable length key), KEK_KEY_LIFETIME, SIG_HASH_ALGORITHM (except
   for DSA based algorithms), SIG_ALGORITHM, and SIG_KEY_LENGTH.

2.2.  SA TEK Payload

   The GDOI Proof

   Section 5.4.1 of Possession (POP) payload may be included RFC 3547 states that all mandatory IPsec DOI
   attributes are mandatory in the
   GROUPKEY-PULL protocol.  It contains a digital signature over the
   hash of a set GDOI_PROTO_IPSEC_ESP.  However, RFC 2407
   lists no such list of identities and nonces, which provides mandatory IPsec DOI attributes.  This memo
   requires that the current
   possession of following attributes MUST be supported by an RFC
   3547 implementation supporting the GDOI_PROTO_IPSEC_ESP SA TEK: SA
   Life Type, SA Life Duration, Encapsulation Mode, Authentication
   Algorithm (if the peer. ESP transform includes authentication).

   The digital signature algorithm GDOI_PROTO_IPSEC_ESP attribute is defined
   as the "POP Algorithm" in the IANA GDOI registry [GDOI-REG].
   However, identity of the hash algorithm sometimes referred to create the signed data was
   omitted in RFC 3547.

   In summary,
   3547 by the POP truncated name of PROTO_IPSEC_ESP.

2.3.  KD Payload has an algorithm agility deficiency with
   regards to the hash algorithm.  This memo remedies this omission in a
   clarification section below.

3.  RFC 3547 Clarification

   Implementation experience

   Section 5.5.2.1 of RFC 3547 has revealed explicitly specifies that if a few areas of
   text KEK cipher
   requires an IV, then the IV must precede the key in the
   KEK_ALGORITHM_KEY KD payload attribute.  However, it should be noted
   that are this IV length is not sufficiently clear.  This section provides
   clarifying text for those areas.

3.1.  SA Payload

   The included in the KEK_KEY_LEN SA KEK payload includes
   attribute sent in the "POP Key Length" field, which is
   meant to declare SA payload.  The KEK_KEY_LEN includes only the
   actual length of a POP signature the cipher key.  Unfortunately,
   it is not clear as to whether this refers to the GCKS POP signature
   key or all entities' POP signature keys.  The intent

   Section 5.5.1.2 of conveying the
   length was to ensure that a group member has RFC 3547 defines key lengths for the capability to
   validate
   TEK_INTEGRITY_KEY.  When the GCKS POP payload, so this memo specifies that algorithm passes in the value SA TEK payload
   is taken to indicate the length SHA256, keys will consist of only the GCKS signature key.
   Additionally, the units 256 bits.

2.4.  SEQ Payload

   Section 3.2 of this field are not explicitly specified in RFC 3547.  The value is 3547 defines a number representing the length of key in
   bits.  In the case of POP_ALG_RSA, the value represents the size of
   the modulus. GROUPKEY-PULL message as including
   a sequence number, which provides anti-replay state associated with a
   KEK.  The units of SEQ payload has no other use, and is omitted from the SIG_KEY_LENGTH
   GROUPKEY-PULL exchange when a KEK attribute value was is not
   explicitly specified included in RFC 3547.  The value the SA
   payload.

   A KEK sequence number is associated with a number representing single SPI (i.e., the length
   single set of the KEK encryption key cookie pair values sent in bits.

   The GDOI_PROTO_IPSEC_ESP attribute a GROUPKEY-PUSH ISAKMP
   [RFC2408] HDR).  When a new KEK is sometimes referred to distributed by the
   truncated name PROTO_IPSEC_ESP.

   RFC 3547 explicitly specifies that if a KEK cipher requires an IV,
   then the IV MUST precede the key in GCKS, it contains
   a new SPI and resets the KEK_ALGORITHM_KEY KD sequence number.

   When a SEQ payload
   attribute.  However, it should be noted that this IV length is not included in the KEK_KEY_LEN SA payload attribute sent in the SA
   payload.  The KEK_KEY_LEN GROUPKEY-PULL exchange, it
   includes only the actual length of the
   cipher key.

   The Group Controller/Key Server (GCKS) adds the KEK_KEY_LEN attribute
   to most recently used sequence number for the SA payload when distributing KEK policy to group members.  The
   group member verifies whether or not it has group.  At
   the capability of using a
   cipher key conclusion of that size.  If the cipher definition includes a fixed
   key length (e.g., KEK_ALG_3DES), GROUPKEY-PULL exchange, the initiating group
   member can make its
   decision solely using KEK_ALGORITHM MUST NOT accept any rekey message with both the KEK attribute
   SPI value and does not need the
   KEK_KEY_LEN attribute.  Sending a sequence number less than or equal to the KEK_KEY_LEN attribute in one
   received during the SA
   payload is OPTIONAL if GROUPKEY-PULL.  When the KEK cipher has first group member
   initiates a fixed key length.

3.2.  SIG Payload

   The GROUPKEY-PUSH message SIG payload is further clarified here; GROUPKEY-PULL exchange, the
   SIG payload is GCKS provides a signature Sequence
   Number of the entire zero, since no GROUPKEY-PUSH message (not
   including the SIG payload) before it's messages have yet been encrypted.  The HASH is
   taken over the string 'rekey', sent.
   Note the sequence number increments only with GROUPKEY-PUSH HDR, SEQ, SA, KD,
   and optionally the CERT payload.  After the SIG payload is created
   using the signature of the above hash, messages.
   The GROUPKEY-PULL exchange distributes the current KEK encryption key
   encrypts all the payloads following sequence number to
   the GROUPKEY-PUSH HDR. group member.

   The SIG_ALGORITHM type of SIG_ALG_RSA does not specify which PKCS#1
   [RFC3447] encoding method is employed.  To match existing practice,
   this memo requires that it be the EMSA-PKCS1-v1_5 encoding method.

3.3.  SEQ Payload

   Each GROUPKEY-PUSH message contains a sequence number, which provides
   anti-replay protection for number resets to a KEK.  Thus, the GCKS returns a SEQ
   payload in the GROUPKEY-PULL exchange only if a KEK attribute also
   exists in the SA payload.

   A KEK sequence number is associated with a single SPI (i.e., the
   single set of cookie pair values sent in a GROUPKEY-PUSH ISAKMP HDR).
   When a new KEK is distributed by a GCKS, it contains a new SPI and
   resets the sequence number.

   When a SEQ payload is included in the GROUPKEY-PULL exchange, it
   includes the most recently used sequence number for the group.  At
   the conclusion of a GROUPKEY-PULL exchange, the initiating group
   member MUST NOT accept any rekey message with both the KEK attribute
   SPI value and a sequence number less than or equal to the one
   received during the GROUPKEY-PULL.  When the first group member
   initiates a GROUPKEY-PULL exchange, the GCKS provides a Sequence
   Number of zero, since no GROUPKEY-PUSH messages have yet been sent.
   Note the sequence number increments only with GROUPKEY-PUSH messages.
   The GROUPKEY-PULL exchange distributes the current sequence number to
   the group member.

   The sequence number resets to one with value of one with a new KEK attribute, as
   attribute.  As described in section 5.6 of RFC 3547: "Thus the first
   packet sent for a given Rekey SA will have a Sequence Number of 1".
   The sequence number increments with each successive rekey.

3.4.

2.5.  POP Payload

   RFC 3547 defines the Proof of Possession (POP) payload, which
   contains a digital signature over a hash.  Some RFC 3547 text
   erroneously describes it as a "prf()".

   RFC 3547 omitted including a method of specifying the hash function
   type used in the POP payload.  As a result, the GCKS or group member
   do not have a means by which to agree which hash algorithm should be
   used.  To remedy this omission without changing the protocol, this
   memo specifies that the hash algorithm passed in the
   SIG_HASH_ALGORITHM MUST be also used as the POP hash algorithm.

   The SIG_ALGORITHM type

2.6.  CERT Payload

   Receivers of SIG_ALG_RSA does the POP payload need the sender's public key in order to
   validate the POP.  However the source of that public key is not specify which PKCS#1
   [RFC3447]
   explicitly defined.  For example, if the certificate encoding method value
   passed in the CERT payload (defined in Section 3.9 of RFC 2408) does
   not contain a public key then no public key is employed. available.  To match existing practice, remedy
   this omission, this memo requires specifies that it be the EMSA-PKCS1-v1_5 encoding method.

   Meadows and Pavlovic have published a paper [MP04] describing a means
   by which certificate passed in the
   CERT payload MUST be a rogue GDOI device (i.e., GCKS or group member) can gain
   access to public key certificate.

2.7.  SIG Payload

   The GROUPKEY-PUSH message defined in Section 4 of RFC 3547 includes a group for which it
   SIG payload.  The first paragraph on page 12 is not a group member. amended as follows.

      The rogue
   device perpetrates SIG payload includes a man-in-the-middle attack, which can occur if the
   following conditions are true:

   1.  The rogue GDOI participant convinces an authorized member signature of the
       group (i.e., victim group member) that it is a GCKS for that
       group, and it also convinces the GCKS (i.e., victim GCKS) hash of that
       group the entire
      GROUPKEY-PUSH message (excepting the SIG payload bytes) before it is an authorized group member.

   2.
      has been encrypted.  The victim group member, victim GCKS, HASH is taken over the string 'rekey',
      the GROUPKEY-PUSH HDR, SEQ, SA, KD, and rogue group member all
       share IKEv1 authentication credentials.

   3. optionally the CERT
      payload.  The victim GCKS does not properly verify prefixed string ensures that the IKEv1
       authentication credentials used to protect a GROUPKEY-PULL
       protocol are authorized to signature of the
      Rekey datagram cannot be join used for any other purpose in the group.

   The point of proof-of-possession GDOI
      protocol.  After the SIG payload is to prove that created using the owner signature of
      the
   identity associated with above hash, the Phase 1 current KEK encryption key is encrypts all the same as
      payloads following the owner GROUPKEY-PUSH HDR.  Note: The rationale for
      this order of
   the key distributed operations is given in the CERT.  This attack can be mitigated by
   adding the Phase 1 identities into the hashed data.  This memo
   replaces the method Section 6.3.5 of computing POP_HASH, RFC 3547.

   Section 5.3.7.1 of RFC 4357 defines a SIG_ALGORITHM type of
   SIG_ALG_RSA, but it omits specifying which is:

   POP_HASH = hash("pop" | IKE-Initiator-P1-ID | IKE-Responder-P1-ID |
   Ni | Nr)

   where PKCS#1 [RFC3447] encoding
   method is employed.  To match existing practice, this memo requires
   that it be the fields are hashed as follows:

   o  The string "pop" without a NULL termination character.

   o EMSA-PKCS1-v1_5 encoding method.

2.8.  KE Payload

   The IKE Phase 1 identity purpose of the GCKS as distributed KE Payload in GDOI is to encrypt keying material
   before encrypting the
      "identification Data" portion of the ID payload.  Because entire GDOI registration message.  However, the
      length of
   specification for computing keying material for the identity additional
   encryption function in RFC 3547 is variable, faulty.  Furthermore, it has been
   observed that because the length GDOI registration message uses strong
   ciphers and provides authenticated encryption, additional encryption
   of the
      Identification Data MUST be hashed as keying material in a four octet value with GDOI registration message provides
   negligible value.  Therefore, the
      length located use of KE payloads is deprecated in
   this memo.

2.9.  Attribute behavour

   An GDOI implementation MUST abort if it encounters and attribute or
   capability that it does not understand.

2.10.  Deletion of SAs

   RFC 3547 provides for the least significant bits (in big-endian
      format).  The length value is hashed before condition that the data value.

   o  The IKE Phase 1 identity of GCKS may want to signal
   to receivers to delete their SAs, but there may be circumstances
   where the group member as distributed GCKS may want to start over with a clean slate.  If the
   administrator is no longer confident in the
      "identification Data" portion integrity of the ID payload.  Because group,
   the
      length GCKS can signal deletion of the identity is variable, the length all policy of the
      Identification Data MUST be hashed as a four octet value particular TEK
   protocol by sending a TEK with the
      length located in the least significant bits (in big-endian
      format).  The length a SPI value is hashed before the data value.

   o  The initiator nonce Ni, as passed in the first GROUPKEY-PULL
      message.

   o  The responder nonce Nr, as passed in the second GROUPKEY-PULL
      message.

3.5.  CERT Payload

   Receivers of the POP payload need the sender's public key in order equal to
   validate the POP.  However zero in the source of that public key is not
   explicitly defined.
   delete payload.  For example, if the certificate passed in GCKS wishes to remove all the
   CERT payload is an attribute certificate (not containing a public
   key) then no public key is available.  To remedy this omission, this
   memo specifies that
   KEKs and all the certificate passed TEKs in the CERT group, the GCKS SHOULD send a delete
   payload MUST
   be an identity certificate (including with a public key).

3.6.  TEK Integrity Key Length

   This length of an integrity key distributed within GDOI varies
   according to the integrity algorithm.  The SHA1 keys will consist of
   160 bits, SHA256 keys will consist spi of 256 bits, zero and MD5 keys will
   consist a protocol_id of a TEK protocol_id
   value as defined in section 5.4 of 128 bits.

3.7.  KE Payload RFC 3547 provides an OPTIONAL additional protection for the KD 3547, followed by another
   delete payload during with a GROUPKEY-PULL exchange called Perfect Forward
   Secrecy (PFS).  If the GCKS spi of zero and group member exchange KE payloads
   containing Diffie-Hellman public keys, the GCKS encrypts the KD
   payload with a secret obtained from the Diffie-Hellman shared number.
   This encryption precedes the encryption protocol_id of zero,
   indicating that the entire GROUPKEY-PULL
   message.

   The purpose of PFS in KEK SA should be deleted.

3.  Authorization

   Meadows and Pavlovic have published a paper [MP04] describing a means
   by which a rogue GDOI is to more carefully protect the keying
   material passed from the device (i.e., GCKS to the or group member.  If member) can gain
   access to a passive
   attacker captures the GROUPKEY-PULL exchange and performs an offline
   attack of the IKE Phase 1 confidentiality keys, group for which it may eventually
   discover them.  If PFS is not used, the attacker a group member.  The rogue
   device perpetrates a man-in-the-middle attack, which can immediately use
   the recovered keys to decrypt data packets and GROUPKEY-PUSH
   messages, either live or stored.  Thus, occur if the IKE Phase 1 keys
   following conditions are
   critical to the long-term confidentiality true:

   1.  The rogue GDOI participant convinces an authorized member of the group.  PFS was
   added as an additional mechanism to hinder
       group (i.e., victim group member) that it is a passive attacker by
   requiring the attacker to perform an additional cryptanalysis to
   recover the Diffie-Hellman shared number computed by the GCKS for that
       group, and it also convinces the GCKS (i.e., victim GCKS) of that
       group it is an authorized group member.

   RFC 3547 Section 3.2.1 says "The GCKS responder will xor the DH
   secret with the KD payload

   2.  The victim group member, victim GCKS, and send it to the rogue group member Initiator, which
   recovers the KD by repeating this operation as in the Oakley IEXTKEY
   procedure [RFC2412]".  However, the IEXTKEY procedure all
       share IKEv1 authentication credentials.

   3.  The victim GCKS does not xor
   the DH shared secret with an entire payload, and properly verify that the DH shared secret
   is not likely IKE
       authentication credentials used to protect a GROUPKEY-PULL
       protocol are authorized to be long enough join the group.

   The value of proof-of-possession is to cover prove that the entire payload.
   Therefore, owner of the following amended procedure MUST be used for PFS.

   1.  The GCKS and group member MUST derive an encryption
   identity associated with the Phase 1 key and IV
       (if needed by is the encryption algorithm mode) using same as the dhEphem
       method described in Section 6.1.2.1 owner of [NIST.800-56A.2006].

   2.  The key derivation function MUST be
   the preferred key derivation
       function described in Section 5.8.1 of [NIST.800-56A.2006].  The
       "kdf" function MUST be algorithm defined distributed in the group policy as
       the SIG_HASH_ALGORITHM attribute.  The "keydatalen" input will CERT.  This attack can be mitigated by
   adding the number of bits necessary for Phase 1 identities into the encryption algorithm plus hashed data.  This memo
   replaces the number method computing POP_HASH in Section 5.7 of bits needed by RFC 3547
   with the algorithm mode (if any).  The following kdf "OtherInfo" values MUST be hashed:

       *  AlgorithmID: This value represents the encryption algorithm
          with which method:

   POP_HASH = hash("pop" | IKE-Initiator-P1-ID | IKE-Responder-P1-ID |
   Ni | Nr)

   where the derived keying material will be used (i.e.,
          KEK_ALGORITHM).  The value is fields are hashed as follows:

   o  The string "pop" without a two octet value with
          the algorithm id located in the least significant bits (in
          big-endian format).

       *  PartyUInfo: This value will be the NULL termination character.

   o  The IKE Phase 1 identity of the GCKS as distributed in the
      "identification Data" portion of the ID payload.  Because the
      length of the identity is variable, the length of the
      Identification Data MUST be hashed as a four octet value with the
      length located in the least significant bits (in big-endian format). network byte
      order).  The length value is hashed before the data value.

       *  PartyVInfo: This value will be the

   o  The IKE Phase 1 identity of the group member as distributed in the
      "identification Data" portion of the ID payload.  Because the
      length of the identity is variable, the length of the
      Identification Data MUST be hashed as a four octet value with the
      length located in the least significant bits (in big-endian format). network byte
      order).  The length value is hashed before the data value.

   3.

   o  The result of the hash will be used initiator nonce Ni, as input to the encryption
       algorithm described passed in the KEK_ALGORITHM attribute.  If the
       algorithm mode requires an IV, the initial bits (in big-endian
       format) of the derived keying material will be used as the IV. first GROUPKEY-PULL
      message.

   o  The subsequent bits are used responder nonce Nr, as passed in the encryption key, encrypting second GROUPKEY-PULL
      message.

   This attack can also be mitigated by applying appropriate GCKS and
   group member authorization.  When the bytes use of the KD payload as described CERT and POP payloads
   are not mandated in Section 5.4 of RFC
       3547.  Note that group policy, the length GCKS SHOULD have a means of
   recognizing authorized group members for each group, where the KD payload
   recognition is based on IKE authentication credentials.  For example,
   the GCKS may have a list of authorized IKE identifiers stored for
   each Group.  The authorization check SHOULD be larger due
       to cipher block padding.  If so, made after receipt of
   the KD ID payload length must be
       modified to reflect containing a group id the actual length of the ciphertext.

3.8.  Minimum defined attributes

   Minimum attributes that must be sent as part of an SA KEK:
   KEK_ALGORITHM, KEK_KEY_LENGTH (if the cipher definition includes a
   variable length key), KEK_KEY_LIFETIME, SIG_HASH_ALGORITHM (except
   for DSA based algorithms), SIG_ALGORITHM, and SIG_KEY_LENGTH.

   RFC 3547 states that all mandatory IPsec DOI attributes are mandatory
   in GDOI_PROTO_IPSEC_ESP.  However, no such list of mandatory IPsec
   DOI attributes can be found in RFC 2407.  This memo requires that the
   following attributes MUST be supported by an RFC 3547 implementation
   supporting the GDOI_PROTO_IPSEC_ESP SA TEK: SA Life Type, SA Life
   Duration, Encapsulation Mode, Authentication Algorithm (if the ESP
   transform includes authentication).

3.9.  Attribute behavour

   An GDOI implementation MUST abort if it encounters and attribute or
   capability that it does not understand.

4.  GCKS and Group Member Authorization

   A GDOI group member SHOULD be configured is requesting
   to join.

4.  Harmonization with policy describing which
   IKEv1 identities are authorized RFC 5374

   the Multicast Extensions to act as GCKS the Security Architecture for the
   Internet Protocol (RFC 5374) introduces new requirements for a group. group
   key management system distributing IPsec policy.  The following
   sections clarify describe new GDOI requirements that result from harmonizing
   with that document.

4.1.  Group Security Policy Database Attributes

   RFC 5374 describes new attributes as part of the need for Group Security
   Policy Database (GSPD).  These attributes describe policy that a GCKS
   group key management system must convey to authorize a group
   members.  Authorization is needed regardless of whether the CERT and
   POP payloads are mandated member in group policy.

4.1.  Authorization order to
   support those extensions.  The GDOI SA TEK payload distributes IPsec
   policy using IPsec security association attributes defined in
   [ISAKMP-REG].  This section defines how GDOI can convey the CERT/POP Payloads

   A GCKS conforming with RFC 3547 SHOULD perform authorization based on
   the IKEv1 authentication credentials.  When new
   attributes as IPsec Security Association Attributes.

4.1.1.  Address Preservation

   Applications use the CERT and POP payloads extensions in RFC 5374 create encapsulate IPsec
   multicast packets that are used IP multicast packets.  In order for authorization, the GCKS and
   GDOI group member SHOULD verify
   that the identify in the CERT payload is syntactically the same
   identity as used in to appropriately setup the IKEv1 authentication credentials.  For GSPD, the
   authorization check GCKS must
   provide that policy to succeed, the two credentials group member.

   Depending on group policy, several address preservation methods are compared and
   found to be identical.
   possible: no address preservation ("None"), preservation of the
   original source address ("Source-Only"), preservation of the original
   destination address ("Destination-Only"), or both addresses ("Source-
   And-Destination").  This stops memo adds the "Address Preservation"
   security association attribute.  If this attribute is not included in
   a GDOI SA TEK payload provided by a GCKS, then Source-And-Destination
   address preservation has been defined for the SA TEK.

4.1.2.  SA Direction

   Depending on group member policy, an IPsec SA created from authenticating an SA TEK payload
   may be required in one or both directions.  SA TEK policy used by
   multiple senders is required to be installed in both the GCKS with its own credential, yet including another group
   member's credentials sending and proof-of-possession
   receiving direction ("Symmetric"), whereas SA TEK for a single sender
   should only be installed in the CERT receiving direction by receivers
   ("Receiver-Only") and POP
   payloads.

4.2.  Authorization through other methods

   When in the use of CERT and POP payloads are sending direction by the sender
   ("Sender-Only").  This memo adds the "SA Direction" security
   association attribute.  If the attribute is not mandated included in a GDOI SA
   TEK payload, then the IPsec SA is treated as a Symmetric IPsec SA.

4.1.3.  Re-key rollover

   Section 4.2.1 of RFC 5374 specifies a key rollover method that
   requires two values be given it from the group
   policy, key management
   protocol.  The Activation Time Delay (ATD) attribute allows the GCKS SHOULD have
   to specify how long a means after the start of recognizing authorized a re-key event that a group
   members for each group, where the recognition
   member is based on IKEv1
   authentication credentials.  For example, to activate new TEKs.  The Deactivation Time Delay (DTD)
   attribute allows the GCKS may have to specify how long a list of
   authorized IKEv1 identifiers stored for each Group.  The
   authorization check SHOULD be made after receipt of the ID payload
   containing start of a
   re-key event that a group id the group member is requesting to join. deactivate existing TEKs.

   This memo adds new attributes by which a GCKS can relay these values
   to group members as part of the Group Associated Policy described in
   Section 5.

5.  New GDOI Attributes

   This section contains new attributes to be are defined as part of
   GDOI.

5.1.  Signature Hash Algorithm

   RFC 3547 defines two signature hash algorithms (MD5 and SHA-1).
   However, steady advances in technology have rendered both hash
   algorithms to be weak when used as a signature hash algorithm.

   The SHA-256 algorithm [FIPS.180-2.2002] has been made available by
   NIST as a replacement for SHA-1, and is its preferred replacement for
   both MD5 and SHA-1.  A new value for the GDOI SIG_HASH_ALGORITHM
   attribute is defined by this memo to represent the SHA-256 algorithm:
   SIG_HASH_SHA256.  Support for SIG_HASH_SHA256 is OPTIONAL.

5.2.  Support of AH

   RFC3547 only specifies data-security SAs for one security protocol,
   IPsec ESP.  Typically IPsec implementations use ESP and AH IPsec SAs.
   This document extends the capability of GDOI to support both ESP and
   AH.  The GROUPKEY-PULL mechanism will establish IPsec ESP SAs and
   IPsec AH SAs.  The GROUPKEY-PUSH will refresh the IPsec ESP SAs and
   the IPsec AH SAs.  Support for AH [RFC4302] will come is achieved with the
   introduction of a new SA_TEK Protocol-ID with the name
   GDOI_PROTO_IPSEC_AH.  Support for the GDOI_PROTO_IPSEC_AH SA TEK is
   OPTIONAL.

   The TEK Protocol-Specific payload for AH is as follows:

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       !    Protocol   !  SRC ID Type  !         SRC ID Port           !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       !SRC ID Data Len!          SRC Identification Data              ~
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       ! DST ID Type   !         DST ID Port           !DST ID Data Len!
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       ! DST Identification Data                                       ~
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       ! Transform ID  !                        SPI                    !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       !      SPI      !       RFC 2407 SA Attributes                  ~
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!

   The SAT Payload fields are defined as follows:

   o  Protocol (1 octet) -- Value describing an IP protocol ID (e.g.,
      UDP/TCP).  A value of zero means that the Protocol field should be
      ignored.

   o  SRC ID Type (1 octet) -- Value describing the identity information
      found in the SRC Identification Data field.  Defined values are
      specified by the IPsec Identification Type section in the IANA
      ISAKMP Registry [ISAKMP-REG].

   o  SRC ID Port (2 octets) -- Value specifying a port associated with
      the source Id.  A value of zero means that the SRC ID Port field
      should be ignored.

   o  SRC ID Data Len (1 octet) -- Value specifying the length of the
      SRC Identification Data field.

   o  SRC Identification Data (variable length) -- Value, as indicated
      by the SRC ID Type.  Set to three bytes of zero for multiple-
      source multicast groups that use a common TEK for all senders.

   o  DST ID Type (1 octet) -- Value describing the identity information
      found in the DST Identification Data field.  Defined values are
      specified by the IPsec Identification Type section in the IANA
      ISAKMP Registry [ISAKMP-REG].

   o  DST ID Port (1 octet) -- Value describing an IP protocol ID (e.g.,
      UDP/TCP).  A value of zero means that the DST Id Port field should
      be ignored.

   o  DST ID Port (2 octets) -- Value specifying a port associated with
      the source Id.  A value of zero means that the DST ID Port field
      should be ignored.

   o  DST ID Data Len (1 octet) -- Value specifying the length of the
      DST Identification Data field.

   o  DST Identification Data (variable length) -- Value, as indicated
      by the DST ID Type.

   o  Transform ID (1 octet) -- Value specifying which AH transform is
      to be used.  The list of valid values is defined in the IPsec AH
      Transform Identifiers section of the IANA ISAKMP Registry
      [ISAKMP-REG].

   o  SPI (4 octets) -- Security Parameter Index for AH.

   o  RFC 2407 Attributes -- AH Attributes from Section 4.5 of
      [RFC2407].  The GDOI supports all IPsec DOI SA Attributes for
      GDOI_PROTO_IPSEC_AH excluding the Group Description, which MUST
      NOT be sent by a GDOI implementation and is ignored by a GDOI
      implementation if received.  The Authentication Algorithm
      attribute of the IPsec DOI is group authentication in GDOI.  The
      following RFC 2407 attributes MUST be sent as part of a
      GDOI_PROTO_IPSEC_AH attribute: SA Life Type, SA Life Duration,
      Encapsulation Mode.

5.3.  Sender-Specific Attributes  Group Associated Policy

   RFC 3547 provides for the distribution of policy in the GROUPKEY-PULL
   exchange in an SA payload.  Policy can define GROUPKEY-PUSH policy
   (SA KEK) or traffic encryption policy (SA TEK) such as IPsec policy.
   Additionally, there
   There is a need to distribute sender-specific policy to
   each group member policy that is irrespective fits into neither
   category.  Some of either this policy is generic to the SA KEK or SA TEK
   policy. group, and some is
   sender-specific policy for a particular group member.

   GDOI distributes this sender-specific associated group policy in a new payload called
   the SA Sender-Specific Attributes Payload Group Associated Policy (SA SSA). SAP).  The SA SSA GAP payload follows
   any SA KEK payload, and is placed before any SA TEK payloads.  In the
   case that group policy does not include an SA KEK, the SA Attribute
   Next Payload field in the SA payload MAY indicate the SA SSA GAP payload.

   The SA SSA payload MUST NOT be a part of a GROUPKEY-PUSH message,
   because distributing the same sender-specific policy to more than one
   group member may reduce the security of the group.  A group member
   MUST NOT process an SA SSA payload present in a GROUPKEY-PUSH
   message.

   The SA SSA GAP payload is defined as follows:

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       ! Next Payload  !   RESERVED    !        Payload Length         !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       !                   Sender-Specific               Group Associated Policy Attributes              ~
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!

   The SA SSA GAP payload fields are defined as follows:

   o  Next Payload (1 octet) -- Identifies the next payload for present in
      the GROUPKEY-PULL or the GROUPKEY-PUSH message.  The only valid
      next payload type for this message is an SA TEK or zero to
      indicate there are no more security association attributes.

   o  RESERVED (1 octet) -- Must be zero.

   o  Payload Length (2 octets) -- Length of this payload, including the
      SA SSA GAP header and Sender-Specific Attributes.

   o  Group Associated Policy Attributes (variable) -- Contains sender-specific
      attributes following the format defined format defined in Section 3.3 of RFC
      2408.

   Several group associated policy attributes are defined in this memo.

5.3.1.  ACTIVATION_TIME_DELAY

   This attribute allows a GCKS to set the Activation Time Delay for SAs
   generated from TEKs.  The value is in seconds.  If a group member
   receives a TEK with an ATD value, but discovers that it has no
   current SAs matching the policy in ISAKMP [RFC2408] section 3.3.

   One the TEK, then it SHOULD create and
   install SAs from the TEK immediately.

5.3.2.  DEACTIVATION_TIME_DELAY

   This attribute with allows a GCKS to set the type of SENDER_ID Deactivation Time Delay for
   SAs generated from TEKs.  The value is defined in this memo.

5.3.1. seconds.

5.3.3.  SENDER_ID

   Several new AES counter-based modes of operation have been specified
   for ESP [RFC3686],[RFC4106],[RFC4309],[RFC4543] and AH [RFC4543].
   These AES counter-based modes require that no two senders in the
   group ever send a packet with the same IV.  This requirement can be
   met using the method described in
   [I-D.ietf-msec-ipsec-group-counter-modes], which requires each sender
   to be allocated a unique Sender ID (SID).  The SENDER_ID attribute is
   used to distribute a SID to a group member during the GROUPKEY-PULL
   message.  Other algorithms with the same need may be defined in the
   future; the sender MUST use the IV construction method described
   above with those algorithms as well.

   The SENDER_ID attribute value contains the following fields.

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       !   SID Length  !                    SID Value                  ~
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!

   o  SID Length (1 octet) -- A natural number defining the number of
      bits to be used in the SID field of the counter mode transform
      nonce.

   o  SID Value (variable) -- The Sender ID value allocated to the group
      member.

5.3.1.1.

5.3.3.1.  GCKS Semantics

   The GCKS maintains a SID counter (SIDC).  It is incremented each time
   a SENDER_ID attribute is distributed to a group member.The first
   group member to register is given the SID of 1.

   Any group member registering will be given a new SID value, which
   allows group members to act as a group sender when an older SID value
   becomes unusable (as described in the next section).

   A GCKS MAY allocate multiple SID values in one SA SSA payload.
   Allocating several SID values at the same time to a group member
   expected to send at a high rate would obviate the need for the group
   member to re-register as frequently.

   If a GKCS allocates all SID values, it can no longer respond to GDOI
   registrations. and must re-initialize the entire group.  This is done
   by issuing DELETE notifications for all ESP and AH SAs in a GDOI
   rekey message, resetting the SIDC to zero, and creating new ESP and
   AH SAs that match the group policy.  When group members re-register,
   the SIDs are allocated again beginning with the value 1 as described
   above.  Each re-registering group member will be given a new SID and
   the new group policy.

5.3.1.2.  Group Member Semantics

   The SENDER_ID attribute value distributed to the group member MUST be
   used by that group member as the Sender Identifier (SID) field
   portion of the IV.  The SID is used for all counter mode SAs SENDER_ID attribute is distributed by the GCKS to be used for communications sent as a part
   of this group.

   When the Sender-Specific IV (SSIV) field for any IPsec SA is
   exhausted, the group member MUST no longer act as a sender using its
   active SID. member.  The first
   group member SHOULD re-register, during which time to register is given the GCKS SID of 1.

   Any group member registering will issue be given a new SID value, which
   allows group members to the act as a group member.  The new sender when an older SID
   replaces value
   becomes unusable (as described in the existing next section).

   A GCKS MAY allocate multiple SID used by this group member, and also resets values in one SA SSA payload.
   Allocating several SID values at the SSIV value same time to it's starting value.  A a group member MAY re-
   register prior
   expected to send at a high rate would obviate the actual exhaustion of need for the SSIV field to avoid
   dropping data packets due group
   member to the exhaustion of available SSIV values
   combined with re-register as frequently.

   If a particular GCKS allocates all SID value.

6.  New IPsec Security Association Attributes

   The Multicast Extensions to RFC 4301 [I-D.ietf-msec-ipsec-extensions]
   describes new attributes to an IPsec security association.  These
   attributes describe policy that a group key management system must
   convey in order values, it can no longer respond to support those extensions.  The GDOI SA TEK payload
   distributes IPsec policy using IPsec security association attributes
   defined in [ISAKMP-REG].  This section defines how GDOI can convey
   registrations and must re-initialize the new attributes as IPsec Security Association Attributes.

6.1.  Address Preservation

   In order entire group.  This is done
   by issuing DELETE notifications for an IP multicast packet all ESP and AH SAs in a GDOI
   rekey message, resetting the SIDC to be encapsulated such zero, and creating new ESP and
   AH SAs that it
   will remain an IP multicast packet, match the original IP addresses may
   need to group policy.  When group members re-register,
   the SIDs are allocated again beginning with the value 1 as described
   above.  Each re-registering group member will be retained.  This requires given a new IPsec SA SID and
   the new group policy.

   The SENDER_ID attribute
   describing which MUST NOT be sent as part of a GROUPKEY-PUSH
   message, because distributing the IP addresses are same sender-specific policy to be preserved.

   Depending on more
   than one group policy, several address preservation methods are
   possible: no address preservation ("None"), preservation of member may reduce the
   original source address ("Source-Only"), preservation security of the original
   destination address ("Destination-Only"), or both addresses ("Source-
   And-Destination").  If the group.

5.3.3.2.  Group Member Semantics

   The SENDER_ID attribute is not included in a GDOI SA TEK
   payload then Source-And-Destination address preservation has been
   defined for value distributed to the SA TEK.

6.2.  SA Direction

   Depending on group policy, an IPsec SA may member MUST be required in one or both
   directions.  An IPsec SA
   used by multiple senders that group member as the Sender Identifier (SID) field
   portion of the IV.  The SID is required used for all counter mode SAs
   distributed by the GCKS to be
   installed in both used for communications sent as a part
   of this group.

   When the sending and receiving direction ("Symmetric"),
   whereas an Sender-Specific IV (SSIV) field for any IPsec SA with is
   exhausted, the group member MUST no longer act as a sender using its
   active SID.  The group member SHOULD re-register, during which time
   the GCKS will issue a single sender need only be installed in new SID to the
   receiving direction group member.  The new SID
   replaces the existing SID used by receivers ("Receiver-Only") this group member, and in also resets
   the sending
   direction by SSIV value to it's starting value.  A group member MAY re-
   register prior to the sender ("Sender-Only").  If actual exhaustion of the SSIV field to avoid
   dropping data packets due to the exhaustion of available SSIV values
   combined with a particular SID value.

   A group member MUST NOT process SENDER_ID attribute is not
   included present in a GDOI SA TEK payload then the IPsec SA is treated as a
   Symmetric IPsec SA.

7.
   GROUPKEY-PUSH message.

6.  IANA Considerations

   The GDOI SIG_HASH_ALGORITHM KEK Attribute named SIG_HASH_ALGORITHM [GDOI-REG] should be
   assigned a new Algorithm Type value from the RESERVED space to
   represent the SHA-256 hash algorithm as defined.  The new algorithm
   name should be SIG_HASH_SHA256.

   A new GDOI KEK Attribute [GDOI-REG] is needed to represent the number
   of seconds before a sender should transmit on an TEK.  The attribute
   has the name TEK_TRANSMIT_WAIT_PERIOD, and is a Variable type.

   A new GDOI SA TEK type Protocol-ID type [GDOI-REG] should be assigned
   from the RESERVED space.  The new algorithm id should be called
   GDOI_PROTO_IPSEC_AH, and refers to the IPsec AH encapsulation.

   A new Next Payload Type [ISAKMP-REG] should be assigned.  The new
   type is called "SA SSA Payload (SSA)". Group Associated Policy (GAP)".

   A new namespace should be created in the GDOI Payloads registry
   [GDOI-REG] to describe SA SSA Payload Values.  The following rules
   apply to define the attributes in SA SSA Payload Values:

              Attribute Type         Value       Type
              ----                   -----       ----
              RESERVED                 0
              SENDER_ID
              ACTIVATION_TIME_DELAY    1          B
              DEACTIVATION_TIME_DELAY  2          B
              SENDER_ID                3          V
              Reserved to IANA        2-127
              Private Use           128-255

   A new IPSEC Security Association Attribute [ISAKMP-REG] defining the
   preservation of IP addresses is needed.  The attribute class is
   called "Address Preservation", and it is a Basic type.  The following
   rules apply to define the values of the attribute:

              Name                      Value
              ----                      -----
              Reserved                  0
              None                      1
              Source-Only               2
              Destination-Only          3
              Source-And-Destination    4
              Reserved to IANA          5-61439
              Private Use               61440-65535

   A new IPSEC Security Association Attribute [ISAKMP-REG] defining the
   SA direction is needed.  The attribute class is called "SA
   Direction", and it is a Basic type.  The following rules apply to
   define the values of the attribute:

              Name                      Value
              ----                      -----
              Reserved                  0
              Sender-Only               1
              Receiver-Only             2
              Symmetric                 3
              Reserved to IANA          4-61439
              Private Use               61440-65535

8.

7.  Security Considerations

   This memo describes additional clarification and protocol updates adds additional
   attributes to be passed within the GDOI protocol.  The security
   considerations in RFC 3547 remain accurate, with the following
   additions.

   o  Several minor cryptographic hash algorithm agility issues are
      resolved, and the stronger SHA-256 cryptographic hash algorithm is
      added.

   o  Protocol analysis has revealed a man-in-the-middle attack when the
      GCKS does not authorize group members based on their IKEv1 IKE
      authentication credentials.  This is true even when a CERT and POP
      payloads are used for authorization.  Although suggested as an
      option in RFC 3547, a GDOI device (group member or GCKS) SHOULD
      NOT accept an identity in a CERT payload that does not match the
      IKEv1
      IKE identity used to authenticate the group member.

   o  Any SA TEK specicifying specifying a counter-based mode of operation with
      multiple senders MUST construct the IVs in each SA TEK according
      to [I-D.ietf-msec-ipsec-group-counter-modes].  The SID MUST either
      be pre-configured on all group members or distributed using the
      SENDER_ID attribute in the SA SSA GAP payload.  However, use use of the
      SENDER_ID attribute is RECOMMENDED.

9.

8.  Acknowledgements

   The authors are grateful to Catherine Meadows for her careful review
   and suggestions for mitigating the man-in-the-middle attack she had
   previously identified.

10.

9.  References

10.1.

9.1.  Normative References

   [FIPS.180-2.2002]
              National Institute of Standards and Technology, "Secure
              Hash Standard", FIPS PUB 180-2, August 2002, <http://
              csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf>.

   [I-D.ietf-msec-ipsec-extensions]
              Weis, B., Gross, G., and D. Ignjatic, "Multicast
              Extensions to the Security Architecture for the Internet
              Protocol", draft-ietf-msec-ipsec-extensions-06 (work in
              progress), July 2007.

   [I-D.ietf-msec-ipsec-group-counter-modes]
              McGrew, D. and B. Weis, "Using Counter Modes with
              Encapsulating Security Payload (ESP) and  Authentication
              Header (AH) to Protect Group Traffic",
              draft-ietf-msec-ipsec-group-counter-modes-00
              draft-ietf-msec-ipsec-group-counter-modes-03 (work in
              progress), February 2007.

   [NIST.800-56A.2006]
              National Institute of Standards and Technology,
              "Recommendation for Pair-Wise Key Establishment Schemes
              Using Discrete Logarithm Cryptography", NIST 800-56A, March 2006, <http://csrc.nist.gov/publications/nistpubs/
              800-56A/sp800-56A_May-3-06.pdf>. 2009.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3547]  Baugher, M., Weis, B., Hardjono, T., and H. Harney, "The
              Group Domain of Interpretation", RFC 3547, July 2003.

   [RFC4302]  Kent, S., "IP Authentication Header", RFC 4302,
              December 2005.

   [RFC4303]  Kent, S., "IP Encapsulating

   [RFC5374]  Weis, B., Gross, G., and D. Ignjatic, "Multicast
              Extensions to the Security Payload (ESP)",
              RFC 4303, December 2005.

10.2. Architecture for the Internet
              Protocol", RFC 5374, November 2008.

9.2.  Informative References

   [FIPS.180-2.2002]
              National Institute of Standards and Technology, "Secure
              Hash Standard", FIPS PUB 180-2, August 2002, <http://
              csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf>.

   [GDOI-REG]
              Internet Assigned Numbers Authority, "Group Domain of
              Interpretation (GDOI) Payload Type Values", IANA Registry,
              December 2004,
              <http://www.iana.org/assignments/gdoi-payloads>.

   [IPSEC-REG]
              Internet Assigned Numbers Authority, "Internet Key
              Exchange (IKE) Attributes IKE Attributes", IANA Registry,
              December 2005,
              <http://www.iana.org/assignments/ipsec-registry>.

   [ISAKMP-REG]
              Internet Assigned Numbers Authority, "Internet Security
              Association and Key Management Protocol (ISAKMP)
              Identifiers ISAKMP Attributes", IANA Registry,
              January 2006,
              <http://www.iana.org/assignments/isakmp-registry>.

   [MP04]     Meadows, C. and D. Pavlovic, "Deriving, Attacking, and
              Defending the GDOI Protocol", ESORICS 2004 pp. 53-72,
              September 2004.

   [RFC2104]  Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
              Hashing for Message Authentication", RFC 2104,
              February 1997.

   [RFC2407]  Piper, D., "The Internet IP Security Domain of
              Interpretation for ISAKMP", RFC 2407, November 1998.

   [RFC2408]  Maughan, D., Schneider, M., and M. Schertler, "Internet
              Security Association and Key Management Protocol
              (ISAKMP)", RFC 2408, November 1998.

   [RFC2409]  Harkins, D. and D. Carrel, "The Internet Key Exchange
              (IKE)", RFC 2409, November 1998.

   [RFC3447]  Jonsson, J. and B. Kaliski, "Public-Key Cryptography
              Standards (PKCS) #1: RSA Cryptography Specifications
              Version 2.1", RFC 3447, February 2003.

   [RFC3686]  Housley, R., "Using Advanced Encryption Standard (AES)
              Counter Mode With IPsec Encapsulating Security Payload
              (ESP)", RFC 3686, January 2004.

   [RFC4046]  Baugher, M., Canetti, R., Dondeti, L., and F. Lindholm,
              "Multicast Security (MSEC) Group Key Management
              Architecture", RFC 4046, April 2005.

   [RFC4106]  Viega, J. and D. McGrew, "The Use of Galois/Counter Mode
              (GCM) in IPsec Encapsulating Security Payload (ESP)",
              RFC 4106, June 2005.

   [RFC4302]  Kent, S., "IP Authentication Header", RFC 4302,
              December 2005.

   [RFC4303]  Kent, S., "IP Encapsulating Security Payload (ESP)",
              RFC 4303, December 2005.

   [RFC4309]  Housley, R., "Using Advanced Encryption Standard (AES) CCM
              Mode with IPsec Encapsulating Security Payload (ESP)",
              RFC 4309, December 2005.

   [RFC4543]  McGrew, D. and J. Viega, "The Use of Galois Message
              Authentication Code (GMAC) in IPsec ESP and AH", RFC 4543,
              May 2006.

   [RFC4894]  Hoffman, P., "Use of Hash Algorithms in Internet Key
              Exchange (IKE) and IPsec", RFC 4894, May 2007.

Authors' Addresses

   Brian Weis
   Cisco Systems
   170 W. Tasman Drive
   San Jose, California  95134-1706
   USA

   Phone: +1-408-526-4796
   Email: bew@cisco.com

   Sheela Rowles
   Cisco Systems
   170 W. Tasman Drive
   San Jose, California  95134-1706
   USA

   Phone: +1-408-527-7677
   Email: srowles@cisco.com

Full Copyright Statement

   Copyright (C) The IETF Trust (2007).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Acknowledgment

   Funding for the RFC Editor function is provided by the IETF
   Administrative Support Activity (IASA). sheela@cisco.com