draft-ietf-msec-gdoi-update-04.txt   draft-ietf-msec-gdoi-update-05.txt 
MSEC Working Group B. Weis MSEC Working Group B. Weis
Internet-Draft S. Rowles Internet-Draft S. Rowles
Intended status: Standards Track Cisco Systems Intended status: Standards Track Cisco Systems
Expires: September 7, 2009 March 6, 2009 Expires: September 9, 2010 March 8, 2010
Updates to the Group Domain of Interpretation (GDOI) The Group Domain of Interpretation
draft-ietf-msec-gdoi-update-04 draft-ietf-msec-gdoi-update-05
Abstract
This document describes an updated version of the Group Domain of
Interpretation (GDOI) protocols. GDOI is an ISAMKP Domain of
Interpretation (DOI) for group key management to support secure group
communications. The GDOI manages group security associations, which
are used by IPSEC and potentially other data security protocols
running at the IP or application layers. These security associations
protect one or more key-encrypting keys, traffic-encrypting keys, or
data shared by group members.
Status of this Memo Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79. This document may contain material provisions of BCP 78 and BCP 79.
from IETF Documents or IETF Contributions published or made publicly
available before November 10, 2008. The person(s) controlling the
copyright in some of this material may not have granted the IETF
Trust the right to allow modifications of such material outside the
IETF Standards Process. Without obtaining an adequate license from
the person(s) controlling the copyright in such materials, this
document may not be modified outside the IETF Standards Process, and
derivative works of it may not be created outside the IETF Standards
Process, except to format it for publication as an RFC or to
translate it into languages other than English.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on September 7, 2009. This Internet-Draft will expire on September 9, 2010.
Copyright Notice Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of Provisions Relating to IETF Documents
publication of this document (http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info) in effect on the date of
Please review these documents carefully, as they describe your rights publication of this document. Please review these documents
and restrictions with respect to this document. carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
Abstract include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the BSD License.
This memo describes updates to the Group Domain of Interpretation This document may contain material from IETF Documents or IETF
(GDOI) . It provides clarification where the original text is Contributions published or made publicly available before November
unclear. It also includes adds several new algorithm attribute 10, 2008. The person(s) controlling the copyright in some of this
values, including complete support for algorithm agility. material may not have granted the IETF Trust the right to allow
modifications of such material outside the IETF Standards Process.
Without obtaining an adequate license from the person(s) controlling
the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other
than English.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.1. Requirements notation . . . . . . . . . . . . . . . . . . 5 1.1. Requirements notation . . . . . . . . . . . . . . . . . . 7
1.2. GDOI Applications . . . . . . . . . . . . . . . . . . . . 7
1.3. Extending GDOI . . . . . . . . . . . . . . . . . . . . . . 8
2. RFC 3547 Clarification . . . . . . . . . . . . . . . . . . . . 6 2. GDOI Phase 1 protocol . . . . . . . . . . . . . . . . . . . . 9
2.1. SA KEK Payload . . . . . . . . . . . . . . . . . . . . . . 6 2.1. ISAKMP Phase 1 protocol . . . . . . . . . . . . . . . . . 9
2.2. SA TEK Payload . . . . . . . . . . . . . . . . . . . . . . 6 2.1.1. DOI value . . . . . . . . . . . . . . . . . . . . . . 9
2.3. KD Payload . . . . . . . . . . . . . . . . . . . . . . . . 7 2.1.2. UDP port . . . . . . . . . . . . . . . . . . . . . . . 9
2.4. SEQ Payload . . . . . . . . . . . . . . . . . . . . . . . 7
2.5. POP Payload . . . . . . . . . . . . . . . . . . . . . . . 8
2.6. CERT Payload . . . . . . . . . . . . . . . . . . . . . . . 8
2.7. SIG Payload . . . . . . . . . . . . . . . . . . . . . . . 8
2.8. KE Payload . . . . . . . . . . . . . . . . . . . . . . . . 8
2.9. Attribute behavour . . . . . . . . . . . . . . . . . . . . 9
2.10. Deletion of SAs . . . . . . . . . . . . . . . . . . . . . 9
3. Authorization . . . . . . . . . . . . . . . . . . . . . . . . 10 3. GROUPKEY-PULL Exchange . . . . . . . . . . . . . . . . . . . . 10
3.1. Authorization . . . . . . . . . . . . . . . . . . . . . . 10
3.2. Messages . . . . . . . . . . . . . . . . . . . . . . . . . 10
3.2.1. ISAKMP Header Initialization . . . . . . . . . . . . . 12
3.3. Initiator Operations . . . . . . . . . . . . . . . . . . . 12
3.4. Receiver Operations . . . . . . . . . . . . . . . . . . . 13
4. Harmonization with RFC 5374 . . . . . . . . . . . . . . . . . 12 4. GROUPKEY-PUSH Message . . . . . . . . . . . . . . . . . . . . 15
4.1. Group Security Policy Database Attributes . . . . . . . . 12 4.1. Forward and Backward Access Control . . . . . . . . . . . 16
4.1.1. Address Preservation . . . . . . . . . . . . . . . . . 12 4.1.1. Forward Access Control Requirements . . . . . . . . . 16
4.1.2. SA Direction . . . . . . . . . . . . . . . . . . . . . 12 4.2. Delegation of Key Management . . . . . . . . . . . . . . . 17
4.1.3. Re-key rollover . . . . . . . . . . . . . . . . . . . 13 4.3. Use of signature keys . . . . . . . . . . . . . . . . . . 17
4.4. ISAKMP Header Initialization . . . . . . . . . . . . . . . 17
4.5. Deletion of SAs . . . . . . . . . . . . . . . . . . . . . 18
4.6. GCKS Operations . . . . . . . . . . . . . . . . . . . . . 18
4.7. Group Member Operations . . . . . . . . . . . . . . . . . 19
5. New GDOI Attributes . . . . . . . . . . . . . . . . . . . . . 14 5. Payloads and Defined Values . . . . . . . . . . . . . . . . . 20
5.1. Signature Hash Algorithm . . . . . . . . . . . . . . . . . 14 5.1. Identification Payload . . . . . . . . . . . . . . . . . . 20
5.2. Support of AH . . . . . . . . . . . . . . . . . . . . . . 14 5.2. Security Association Payload . . . . . . . . . . . . . . . 20
5.3. Group Associated Policy . . . . . . . . . . . . . . . . . 16 5.2.1. Payloads following the SA payload . . . . . . . . . . 21
5.3.1. ACTIVATION_TIME_DELAY . . . . . . . . . . . . . . . . 17 5.3. SA KEK payload . . . . . . . . . . . . . . . . . . . . . . 22
5.3.2. DEACTIVATION_TIME_DELAY . . . . . . . . . . . . . . . 17 5.3.1. KEK Attributes . . . . . . . . . . . . . . . . . . . . 24
5.3.3. SENDER_ID . . . . . . . . . . . . . . . . . . . . . . 17 5.3.2. KEK_MANAGEMENT_ALGORITHM . . . . . . . . . . . . . . . 24
5.3.3.1. GCKS Semantics . . . . . . . . . . . . . . . . . . 18 5.3.3. KEK_ALGORITHM . . . . . . . . . . . . . . . . . . . . 24
5.3.3.2. Group Member Semantics . . . . . . . . . . . . . . 18 5.3.3.1. KEK_ALG_DES . . . . . . . . . . . . . . . . . . . 25
5.3.3.2. KEK_ALG_3DES . . . . . . . . . . . . . . . . . . . 25
5.3.3.3. KEK_ALG_AES . . . . . . . . . . . . . . . . . . . 25
5.3.4. KEK_KEY_LENGTH . . . . . . . . . . . . . . . . . . . . 25
5.3.5. KEK_KEY_LIFETIME . . . . . . . . . . . . . . . . . . . 26
5.3.6. SIG_HASH_ALGORITHM . . . . . . . . . . . . . . . . . . 26
5.3.7. SIG_ALGORITHM . . . . . . . . . . . . . . . . . . . . 26
5.3.7.1. SIG_ALG_RSA . . . . . . . . . . . . . . . . . . . 27
5.3.7.2. SIG_ALG_DSS . . . . . . . . . . . . . . . . . . . 27
5.3.7.3. SIG_ALG_ECDSS . . . . . . . . . . . . . . . . . . 27
5.3.7.4. SIG_ALG_RSA_PSS . . . . . . . . . . . . . . . . . 27
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19 5.3.8. SIG_KEY_LENGTH . . . . . . . . . . . . . . . . . . . . 27
5.4. Group Associated Policy . . . . . . . . . . . . . . . . . 27
5.4.1. ACTIVATION_TIME_DELAY . . . . . . . . . . . . . . . . 28
5.4.2. DEACTIVATION_TIME_DELAY . . . . . . . . . . . . . . . 28
5.4.3. SENDER_ID . . . . . . . . . . . . . . . . . . . . . . 29
5.4.3.1. GCKS Semantics . . . . . . . . . . . . . . . . . . 29
5.4.3.2. Group Member Semantics . . . . . . . . . . . . . . 30
5.5. SA TEK Payload . . . . . . . . . . . . . . . . . . . . . . 30
5.5.1. GDOI_PROTO_IPSEC_ESP/GDOI_PROTO_IPSEC_AH . . . . . . . 31
5.5.1.1. Harmonization with RFC 5374 . . . . . . . . . . . 33
5.5.1.1.1. Group Security Policy Database Attributes . . 33
5.5.1.1.2. Address Preservation . . . . . . . . . . . . . 33
5.5.1.1.3. SA Direction . . . . . . . . . . . . . . . . . 33
5.5.1.1.4. Re-key rollover . . . . . . . . . . . . . . . 34
5.5.2. Other Security Protocols . . . . . . . . . . . . . . . 34
5.6. Key Download Payload . . . . . . . . . . . . . . . . . . . 35
5.6.1. TEK Download Type . . . . . . . . . . . . . . . . . . 36
5.6.1.1. TEK_ALGORITHM_KEY . . . . . . . . . . . . . . . . 37
5.6.1.2. TEK_INTEGRITY_KEY . . . . . . . . . . . . . . . . 37
5.6.1.3. TEK_SOURCE_AUTH_KEY . . . . . . . . . . . . . . . 37
5.6.2. KEK Download Type . . . . . . . . . . . . . . . . . . 38
5.6.2.1. KEK_ALGORITHM_KEY . . . . . . . . . . . . . . . . 38
5.6.2.2. SIG_ALGORITHM_KEY . . . . . . . . . . . . . . . . 38
5.6.3. LKH Download Type . . . . . . . . . . . . . . . . . . 38
5.6.3.1. LKH_DOWNLOAD_ARRAY . . . . . . . . . . . . . . . . 39
5.6.3.2. LKH_UPDATE_ARRAY . . . . . . . . . . . . . . . . . 41
5.6.3.3. SIG_ALGORITHM_KEY . . . . . . . . . . . . . . . . 42
5.7. Sequence Number Payload . . . . . . . . . . . . . . . . . 42
5.8. Nonce . . . . . . . . . . . . . . . . . . . . . . . . . . 43
7. Security Considerations . . . . . . . . . . . . . . . . . . . 21 6. Security Considerations . . . . . . . . . . . . . . . . . . . 44
6.1. ISAKMP Phase 1 . . . . . . . . . . . . . . . . . . . . . . 44
6.1.1. Authentication . . . . . . . . . . . . . . . . . . . . 44
6.1.2. Confidentiality . . . . . . . . . . . . . . . . . . . 45
6.1.3. Man-in-the-Middle Attack Protection . . . . . . . . . 45
6.1.4. Replay/Reflection Attack Protection . . . . . . . . . 45
6.1.5. Denial of Service Protection . . . . . . . . . . . . . 45
6.2. GROUPKEY-PULL Exchange . . . . . . . . . . . . . . . . . . 45
6.2.1. Authentication . . . . . . . . . . . . . . . . . . . . 46
6.2.2. Confidentiality . . . . . . . . . . . . . . . . . . . 46
6.2.3. Man-in-the-Middle Attack Protection . . . . . . . . . 46
6.2.4. Replay/Reflection Attack Protection . . . . . . . . . 46
6.2.5. Denial of Service Protection . . . . . . . . . . . . . 46
6.2.6. Authorization . . . . . . . . . . . . . . . . . . . . 47
6.3. GROUPKEY-PUSH Exchange . . . . . . . . . . . . . . . . . . 47
6.3.1. Authentication . . . . . . . . . . . . . . . . . . . . 47
6.3.2. Confidentiality . . . . . . . . . . . . . . . . . . . 47
6.3.3. Man-in-the-Middle Attack Protection . . . . . . . . . 47
6.3.4. Replay/Reflection Attack Protection . . . . . . . . . 47
6.3.5. Denial of Service Protection . . . . . . . . . . . . . 48
6.3.6. Forward Access Control . . . . . . . . . . . . . . . . 48
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 22 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 49
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 23 7.1. Additions to current registries . . . . . . . . . . . . . 49
9.1. Normative References . . . . . . . . . . . . . . . . . . . 23 7.2. New registries . . . . . . . . . . . . . . . . . . . . . . 49
9.2. Informative References . . . . . . . . . . . . . . . . . . 23
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 25 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 51
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 52
9.1. Normative References . . . . . . . . . . . . . . . . . . . 52
9.2. Informative References . . . . . . . . . . . . . . . . . . 52
Appendix A. Alternate GDOI Phase 1 protocols . . . . . . . . . . 56
A.1. IKEv2 Phase 1 protocol . . . . . . . . . . . . . . . . . . 56
A.2. KINK Protocol . . . . . . . . . . . . . . . . . . . . . . 56
Appendix B. Significant Changes from RFC 3547 . . . . . . . . . . 58
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 59
1. Introduction 1. Introduction
The Group Domain of Interpretation (GDOI) [RFC3547] is a group key This document presents an ISAMKP Domain of Interpretation (DOI) for
management protocol fitting into the Multicast Security Group Key group key management called the "Group Domain of Interpretation"
Management Architecture [RFC4046]. GDOI is used to disseminate (GDOI). In this group key management model, the GDOI protocol is run
policy and corresponding secrets to a group of participants. GDOI is between a group member and a "group controller/key server" (GCKS),
implemented on hosts and intermediate systems to protect group IP which establishes security associations among authorized group
communication (e.g., IP multicast packets) by encapsulating them with members. ISAKMP defines two "phases" of negotiation (p.16 of
the IP Encapsulating Security Payload (ESP) [RFC4303] packets. [RFC2408]). The GDOI MUST be protected by a Phase 1 security
Several factors have prompted new for updates to GDOI including: association. This document incorporates the Phase 1 security
association (SA) definition from the Internet DOI [RFC2407],
[RFC2409]. Other possible Phase 1 security association types are
noted in Appendix A. The Phase 2 exchange is defined in this
document, and proposes new payloads and exchanges according to the
ISAKMP standard (p. 14 of [RFC2408]).
o the discovery of inconsistencies in RFC 3547, which need There are five payloads specific to GDOI:
clarification (Section 2),
o the publishing of an attack on the protocol (Section 3) 1) GDOI SA
o the publishing of the Multicast Extensions to the Security 2) SA KEK (SAK) which follows the SA payload
Architecture for the Internet Protocol [RFC5374], which has
implications to the policy distributed by group key management
(Section 4),
o the need for new GDOI algorithm attributes, including the need to 3) SA TEK (SAT) which follows the SA payload
support SHA-256 [FIPS.180-2.2002] as an alternative to the SHA-1
and MD5 hash algorithms (Section 5).
The clarification and modifications in this memo update RFC 3547. 4) Key Download Array (KD)
5) Sequence number (SEQ)
There are two GDOI exchanges.
1) A Phase 2 exchange creates Re-key and Data-Security Protocol SAs.
The new Phase 2 exchange, called "GROUPKEY-PULL," downloads keys for
a group's "Re-key" SA and/or "Data-security" SA. The Re-key SA
includes a key encrypting key, or KEK, common to the group; a Data-
security SA includes a data encryption key, or TEK, used by a data-
security protocol to encrypt or decrypt data traffic Section 2.1 of
[RFC2407]. The SA for the KEK or TEK includes authentication keys,
encryption keys, cryptographic policy, and attributes. The GROUPKEY-
PULL exchange uses "pull" behavior since the member initiates the
retrieval of these SAs from a GCKS.
2) A datagram subsequently establishes additional Rekey and/or Data-
Security Protocol SAs.
The GROUPKEY-PUSH datagram is "pushed" from the GCKS to the members
to create or update a Re-key or Data-security SA. A Re-key SA
protects GROUPKEY-PUSH messages. Thus, a GROUPKEY-PULL is necessary
to establish at least one Re-key SA in order to protect subsequent
GROUPKEY-PUSH messages. The GCKS encrypts the GROUPKEY-PUSH message
using the KEK Re-key SA. GDOI accommodates the use of arrays of KEKs
for group key management algorithms using the Logical Key Hierarchy
(LKH) algorithm to efficiently add and remove group members
[RFC2627]. Implementation of the LKH algorithm is OPTIONAL.
Although the GROUPKEY-PUSH specified by this document can be used to
refresh a Re-key SA, the most common use of GROUPKEY-PUSH is to
establish a Data-security SA for a data security protocol. GDOI can
accommodate future extensions to support a variety of data security
protocols. This document only specifies data-security SAs for
security protocols, IPsec ESP and IPsec AH. A security protocol uses
the TEK and "owns" the data-security SA in the same way that IPsec
ESP uses the IKE Phase 2 keys and owns the Phase 2 SA; for GDOI,
IPsec ESP or IPsec AH use the TEK.
Thus, GDOI is a group security association management protocol: All
GDOI messages are used to create, maintain, or delete security
associations for a group. As described above, these security
associations protect one or more key-encrypting keys, traffic-
encrypting keys, or data shared by group members for multicast and
groups security applications.
1.1. Requirements notation 1.1. Requirements notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
2. RFC 3547 Clarification 1.2. GDOI Applications
Implementation experience of RFC 3547 has revealed a few areas of Secure multicast applications include video broadcast and multicast
text that are not sufficiently precise. This section provides file transfer. Many of these applications require network security
clarifying text for those areas. and may use IPsec ESP or AH to secure their data traffic.
Section 5.5.1 specifies how GDOI carries the needed SA parameters for
ESP or AH. In this way, GDOI supports multicast ESP or AH with group
authentication of ESP or AH packets using the shared, group key.
2.1. SA KEK Payload GDOI can also secure group applications that do not use multicast
transport such as video-on-demand. For example, the GROUPKEY-PUSH
message may establish a pair-wise IPsec ESP or AH SA for a member of
a subscription group without the need for key management exchanges
and costly asymmetric cryptography.
Section 5.3 of RFC 4357 defines the SA KEK payload. It includes the 1.3. Extending GDOI
"POP Key Length" field,The units of this field are not explicitly
specified in RFC 3547. The value MUST be a number representing the
length of key in bits. In the case of POP_ALG_RSA, the value
represents the size of the modulus.
Section 5.3 of RFC 4357 also defines the POP Algorithm of type of Not all secure multicast or multimedia applications can use IPsec ESP
POP_ALG_RSA, but does not specify which PKCS#1 [RFC3447] encoding or AH. Many Real Time Transport Protocol applications, for example,
method is employed. To match existing practice, this memo requires require security above the IP layer to preserve RTP header
that it be the EMSA-PKCS1-v1_5 encoding method. compression efficiencies and transport-independence [RFC3550]. A
future RTP security protocol may benefit from using GDOI to establish
group SAs.
The units of the SIG_KEY_LENGTH KEK attribute value was not In order to add a new data security protocol, a new RFC MUST specify
explicitly specified in section 5.3.8 of RFC 3547. The value MUST be the data-security SA parameters conveyed by GDOI for that security
a number representing the length of the KEK encryption key in bits. protocol; these parameters are listed in Section 5.5.2 of this
document.
The Group Controller/Key Server (GCKS) adds the KEK_KEY_LEN attribute Data security protocol SAs MUST protect group traffic. GDOI provides
to the SA payload when distributing KEK policy to group members. The no restriction on whether that group traffic is transmitted as
group member verifies whether or not it has the capability of using a unicast or multicast packets.
cipher key of that size. If the cipher definition includes a fixed
key length (e.g., KEK_ALG_3DES), the group member can make its
decision solely using KEK_ALGORITHM attribute and does not need the
KEK_KEY_LEN attribute. Sending the KEK_KEY_LEN attribute in the SA
payload is OPTIONAL if the KEK cipher has a fixed key length.
Minimum attributes that must be sent as part of an SA KEK: 2. GDOI Phase 1 protocol
KEK_ALGORITHM, KEK_KEY_LENGTH (if the cipher definition includes a
variable length key), KEK_KEY_LIFETIME, SIG_HASH_ALGORITHM (except
for DSA based algorithms), SIG_ALGORITHM, and SIG_KEY_LENGTH.
2.2. SA TEK Payload GDOI is a "phase 2" protocol which MUST be protected by a "phase 1"
protocol. The "phase 1" protocol can be any protocol which provides
for the following protections:
Section 5.4.1 of RFC 3547 states that all mandatory IPsec DOI o Peer Authentication
attributes are mandatory in GDOI_PROTO_IPSEC_ESP. However, RFC 2407
lists no such list of mandatory IPsec DOI attributes. This memo
requires that the following attributes MUST be supported by an RFC
3547 implementation supporting the GDOI_PROTO_IPSEC_ESP SA TEK: SA
Life Type, SA Life Duration, Encapsulation Mode, Authentication
Algorithm (if the ESP transform includes authentication).
The GDOI_PROTO_IPSEC_ESP attribute is sometimes referred to in RFC o Confidentiality
3547 by the truncated name of PROTO_IPSEC_ESP.
2.3. KD Payload o Message Integrity
Section 5.5.2.1 of RFC 3547 explicitly specifies that if a KEK cipher The following sections describe one such "phase 1" protocol. Other
requires an IV, then the IV must precede the key in the protocols which may be potential "phase 1" protocols are described in
KEK_ALGORITHM_KEY KD payload attribute. However, it should be noted Appendix A. However, the use of the protocols listed there are not
that this IV length is not included in the KEK_KEY_LEN SA payload considered part of this document.
attribute sent in the SA payload. The KEK_KEY_LEN includes only the
actual length of the cipher key.
Section 5.5.1.2 of RFC 3547 defines key lengths for the 2.1. ISAKMP Phase 1 protocol
TEK_INTEGRITY_KEY. When the algorithm passes in the SA TEK payload
is SHA256, keys will consist of 256 bits.
2.4. SEQ Payload This document defines how the ISAKMP phase 1 exchanges as defined in
[RFC2409] can be used a "phase 1" protocol for GDOI. The following
sections define characteristics of the ISAKMP phase 1 protocols that
are unique for these exchanges when used for GDOI.
Section 3.2 of RFC 3547 defines a GROUPKEY-PULL message as including Section 6.1 describes how the ISAKMP Phase 1 protocols meet the
a sequence number, which provides anti-replay state associated with a requirements of a GDOI "phase 1" protocol.
KEK. The SEQ payload has no other use, and is omitted from the
GROUPKEY-PULL exchange when a KEK attribute is not included in the SA 2.1.1. DOI value
The Phase 1 SA payload has a DOI value. That value MUST be the GDOI
DOI value as defined later in this document.
2.1.2. UDP port
IANA has assigned port 848 for the use of GDOI.
3. GROUPKEY-PULL Exchange
The goal of the GROUPKEY-PULL exchange is to establish a Re-key
and/or Data-security SAs at the member for a particular group. A
Phase 1 SA protects the GROUPKEY-PULL; there MAY be multiple
GROUPKEY-PULL exchanges for a given Phase 1 SA. The GROUPKEY-PULL
exchange downloads the data security keys (TEKs) and/or group key
encrypting key (KEK) or KEK array under the protection of the Phase 1
SA.
3.1. Authorization
The Phase 1 identity SHOULD be used by a GCKS to authorize the Phase
2 (GROUPKEY-PULL) request for a group key. Similarly, a group member
SHOULD ensure that the Phase 1 identity of the GCKS is an authorized
GCKS. When no authorization is performed, it is possible for a rogue
GDOI participant to perpetrate a man-in-the-middle attack between a
group member and a GCKS [MP04].
3.2. Messages
The GROUPKEY-PULL is a Phase 2 exchange. Phase 1 computes SKEYID_a
which is the "key" in the keyed hash used in the GROUPKEY-PULL HASH
payloads. When using the Phase 1 defined in this document, SKEYID_a
is derived according to [RFC2409]. As with the IKE HASH payload
generation (Section 5.5 of [RFC2409], each GROUPKEY-PULL message
hashes a uniquely defined set of values. Nonces permute the HASH and
provide some protection against replay attacks. Replay protection is
important to protect the GCKS from attacks that a key management
server will attract.
The GROUPKEY-PULL uses nonces to guarantee "liveness", or against
replay of a recent GROUPKEY-PULL message. The replay attack is only
useful in the context of the current Phase 1. If a GROUPKEY-PULL
message is replayed based on a previous Phase 1, the HASH calculation
will fail due to a wrong SKEYID_a. The message will fail processing
before the nonce is ever evaluated. In order for either peer to get
the benefit of the replay protection, it must postpone as much
processing as possible until it receives the message in the protocol
that proves the peer is live. For example, the Responder MUST NOT
adjust its internal state (e.g., keeping a record of the Initiator)
until it receives a message with Nr included properly in the HASH
payload. payload.
A KEK sequence number is associated with a single SPI (i.e., the Nonces require an additional message in the protocol exchange to
single set of cookie pair values sent in a GROUPKEY-PUSH ISAKMP ensure that the GCKS does not add a group member until it proves
[RFC2408] HDR). When a new KEK is distributed by a GCKS, it contains liveliness. The GROUPKEY-PULL member-initiator expects to find its
a new SPI and resets the sequence number. nonce, Ni, in the HASH of a returned message. And the GROUPKEY-PULL
GCKS responder expects to see its nonce, Nr, in the HASH of a
returned message before providing group-keying material as in the
following exchange.
Initiator (Member) Responder (GCKS)
------------------ ----------------
HDR*, HASH(1), Ni, ID -->
<-- HDR*, HASH(2), Nr, SA
HDR*, HASH(3) -->
<-- HDR*, HASH(4), [SEQ,] KD
Hashes are computed as follows:
HASH(1) = prf(SKEYID_a, M-ID | Ni | ID)
HASH(2) = prf(SKEYID_a, M-ID | Ni_b | Nr | SA)
HASH(3) = prf(SKEYID_a, M-ID | Ni_b | Nr_b
HASH(4) = prf(SKEYID_a, M-ID | Ni_b | Nr_b [ | SEQ | ] KD)
* Protected by the Phase 1 SA, encryption occurs after HDR
HDR is an ISAKMP header payload that uses the Phase 1 cookies and a
message identifier (M-ID) as in IKE [RFC2409]. Note that nonces are
included in the first two exchanges, with the GCKS returning only the
SA policy payload before liveliness is proven. The HASH payloads
[RFC2409] prove that the peer has the Phase 1 secret (SKEYID_a) and
the nonce for the exchange identified by message id, M-ID. Once
liveliness is established, the last message completes the real
processing of downloading the KD payload.
In addition to the Nonce and HASH payloads, the member-initiator
identifies the group it wishes to join through the ISAKMP ID payload.
The GCKS responder informs the member of the current value of the
sequence number in the SEQ payload; the sequence number provides
anti-replay state associated with a KEK. The SEQ payload has no
other use, and is omitted from the GROUPKEY_PULL exchange when a KEK
attribute is not included in the SA payload.
When a SEQ payload is included in the GROUPKEY-PULL exchange, it When a SEQ payload is included in the GROUPKEY-PULL exchange, it
includes the most recently used sequence number for the group. At includes the most recently used sequence number for the group. At
the conclusion of a GROUPKEY-PULL exchange, the initiating group the conclusion of a GROUPKEY-PULL exchange, the initiating group
member MUST NOT accept any rekey message with both the KEK attribute member MUST NOT accept any rekey message with both the KEK attribute
SPI value and a sequence number less than or equal to the one SPI value and a sequence number less than or equal to the one
received during the GROUPKEY-PULL. When the first group member received during the GROUPKEY-PULL. When the first group member
initiates a GROUPKEY-PULL exchange, the GCKS provides a Sequence initiates a GROUPKEY-PULL exchange, the GCKS provides a Sequence
Number of zero, since no GROUPKEY-PUSH messages have yet been sent. Number of zero, since no GROUPKEY-PUSH messages have yet been sent.
Note the sequence number increments only with GROUPKEY-PUSH messages. Note the sequence number increments only with GROUPKEY-PUSH messages.
skipping to change at page 7, line 41 skipping to change at page 12, line 4
When a SEQ payload is included in the GROUPKEY-PULL exchange, it When a SEQ payload is included in the GROUPKEY-PULL exchange, it
includes the most recently used sequence number for the group. At includes the most recently used sequence number for the group. At
the conclusion of a GROUPKEY-PULL exchange, the initiating group the conclusion of a GROUPKEY-PULL exchange, the initiating group
member MUST NOT accept any rekey message with both the KEK attribute member MUST NOT accept any rekey message with both the KEK attribute
SPI value and a sequence number less than or equal to the one SPI value and a sequence number less than or equal to the one
received during the GROUPKEY-PULL. When the first group member received during the GROUPKEY-PULL. When the first group member
initiates a GROUPKEY-PULL exchange, the GCKS provides a Sequence initiates a GROUPKEY-PULL exchange, the GCKS provides a Sequence
Number of zero, since no GROUPKEY-PUSH messages have yet been sent. Number of zero, since no GROUPKEY-PUSH messages have yet been sent.
Note the sequence number increments only with GROUPKEY-PUSH messages. Note the sequence number increments only with GROUPKEY-PUSH messages.
The GROUPKEY-PULL exchange distributes the current sequence number to The GROUPKEY-PULL exchange distributes the current sequence number to
the group member. the group member.
The sequence number resets to a value of one with a new KEK The sequence number resets to a value of one with the usage of a new
attribute. As described in section 5.6 of RFC 3547: "Thus the first KEK attribute. Thus the first packet sent for a given Rekey SA will
packet sent for a given Rekey SA will have a Sequence Number of 1". have a Sequence Number of 1. The sequence number increments with
The sequence number increments with each successive rekey. each successive rekey.
2.5. POP Payload The GCKS responder informs the member of the cryptographic policies
of the group in the SA payload, which describes the DOI, KEK and/or
TEK keying material, and authentication transforms. The SPIs are
also determined by the GCKS and downloaded in the SA payload chain
(see Section 5.2). The SA KEK attribute contains the ISAKMP cookie
pair for the Re-key SA, which is not negotiated but downloaded. The
SA TEK attribute contains a SPI as defined in Section 5.5 of this
document. The second message downloads this SA payload. If a Re-key
SA is defined in the SA payload, then KD will contain the KEK; if one
or more Data-security SAs are defined in the SA payload, KD will
contain the TEKs. This is useful if there is an initial set of TEKs
for the particular group and can obviate the need for future TEK
GROUPKEY-PUSH messages (described in section 4).
RFC 3547 defines the Proof of Possession (POP) payload, which 3.2.1. ISAKMP Header Initialization
contains a digital signature over a hash. Some RFC 3547 text
erroneously describes it as a "prf()".
RFC 3547 omitted including a method of specifying the hash function Cookies are used in the ISAKMP header as a weak form of denial of
type used in the POP payload. As a result, the GCKS or group member service protection. The GDOI GROUPKEY-PULL exchange uses cookies
do not have a means by which to agree which hash algorithm should be according to ISAKMP [RFC2408].
used. To remedy this omission without changing the protocol, this
memo specifies that the hash algorithm passed in the
SIG_HASH_ALGORITHM MUST be also used as the POP hash algorithm.
2.6. CERT Payload Next Payload identifies an ISAKMP or GDOI payload (see Section 5.0).
Receivers of the POP payload need the sender's public key in order to Major Version is 1 and Minor Version is 0 according to ISAKMP
validate the POP. However the source of that public key is not (Section 3.1 of [RFC2408]).
explicitly defined. For example, if the certificate encoding value
passed in the CERT payload (defined in Section 3.9 of RFC 2408) does
not contain a public key then no public key is available. To remedy
this omission, this memo specifies that the certificate passed in the
CERT payload MUST be a public key certificate.
2.7. SIG Payload The Exchange Type has value 32 for the GDOI GROUPKEY-PULL exchange.
The GROUPKEY-PUSH message defined in Section 4 of RFC 3547 includes a Flags, Message ID, and Length are according to ISAKMP (Section 3.1 of
SIG payload. The first paragraph on page 12 is amended as follows. [RFC2408]).
The SIG payload includes a signature of a hash of the entire 3.3. Initiator Operations
GROUPKEY-PUSH message (excepting the SIG payload bytes) before it
has been encrypted. The HASH is taken over the string 'rekey',
the GROUPKEY-PUSH HDR, SEQ, SA, KD, and optionally the CERT
payload. The prefixed string ensures that the signature of the
Rekey datagram cannot be used for any other purpose in the GDOI
protocol. After the SIG payload is created using the signature of
the above hash, the current KEK encryption key encrypts all the
payloads following the GROUPKEY-PUSH HDR. Note: The rationale for
this order of operations is given in Section 6.3.5 of RFC 3547.
Section 5.3.7.1 of RFC 4357 defines a SIG_ALGORITHM type of Before a group member (GDOI initiator) contacts the GCKS, it must
SIG_ALG_RSA, but it omits specifying which PKCS#1 [RFC3447] encoding determine the group identifier and acceptable Phase 1 policy via an
method is employed. To match existing practice, this memo requires out-of-band method. Phase 1 is initiated using the GDOI DOI in the
that it be the EMSA-PKCS1-v1_5 encoding method. SA payload. Once Phase 1 is complete, the initiator state machine
moves to the GDOI protocol.
2.8. KE Payload To construct the first GDOI message the initiator chooses Ni and
creates a nonce payload, builds an identity payload including the
group identifier, and generates HASH(1).
The purpose of the KE Payload in GDOI is to encrypt keying material Upon receipt of the second GDOI message, the initiator validates
before encrypting the entire GDOI registration message. However, the HASH(2), extracts the nonce Nr, and interprets the SA payload. If
specification for computing keying material for the additional the policy in the SA payload is acceptable (e.g., the security
encryption function in RFC 3547 is faulty. Furthermore, it has been protocol and cryptographic protocols can be supported by the
observed that because the GDOI registration message uses strong initiator), the initiator continues the protocol.
ciphers and provides authenticated encryption, additional encryption
of the keying material in a GDOI registration message provides
negligible value. Therefore, the use of KE payloads is deprecated in
this memo.
2.9. Attribute behavour The initiator constructs the third GDOI message by creating HASH(3).
An GDOI implementation MUST abort if it encounters and attribute or Upon receipt of the fourth GDOI message, the initiator validates
capability that it does not understand. HASH(4).
2.10. Deletion of SAs If SEQ payload is present, the sequence number in the SEQ payload
must be checked against any previously received sequence number for
this group. If it is less than the previously received number, it
should be considered stale and ignored. This could happen if two
GROUPKEY-PULL messages happened in parallel, and the sequence number
changed between the times the results of two GROUPKEY-PULL messages
were returned from the GCKS.
RFC 3547 provides for the condition that the GCKS may want to signal The initiator interprets the KD key packets, matching the SPIs in the
to receivers to delete their SAs, but there may be circumstances key packets to SPIs previously sent in the SA payloads identifying
where the GCKS may want to start over with a clean slate. If the particular policy. For TEKs, once the keys and policy are matched,
administrator is no longer confident in the integrity of the group, the initiator is ready to send or receive packets matching the TEK
the GCKS can signal deletion of all policy of a particular TEK policy. (If policy and keys had been previously received for this
protocol by sending a TEK with a SPI value equal to zero in the TEK policy, the initiator may decide instead to ignore this TEK
delete payload. For example, if the GCKS wishes to remove all the policy in case it is stale.) If this group has a KEK, the KEK policy
KEKs and all the TEKs in the group, the GCKS SHOULD send a delete and keys are marked as ready for use, and the group member knows to
payload with a spi of zero and a protocol_id of a TEK protocol_id expect the sequence number reset to 1 with the next Rekey SA, which
value as defined in section 5.4 of RFC 3547, followed by another will be encrypted with the new KEK attribute.
delete payload with a spi of zero and a protocol_id of zero,
indicating that the KEK SA should be deleted.
3. Authorization 3.4. Receiver Operations
Meadows and Pavlovic have published a paper [MP04] describing a means The GCKS (responder) passively listens for incoming requests from
by which a rogue GDOI device (i.e., GCKS or group member) can gain group members. The Phase 1 authenticates the group member and sets
access to a group for which it is not a group member. The rogue up the secure session with them.
device perpetrates a man-in-the-middle attack, which can occur if the
following conditions are true:
1. The rogue GDOI participant convinces an authorized member of the Upon receipt of the first GDOI message the GCKS validates HASH(1),
group (i.e., victim group member) that it is a GCKS for that extracts the Ni and group identifier in the ID payload. It verifies
group, and it also convinces the GCKS (i.e., victim GCKS) of that that its database contains the group information for the group
group it is an authorized group member. identifier.
2. The victim group member, victim GCKS, and rogue group member all The GCKS constructs the second GDOI message, including a nonce Nr,
share IKEv1 authentication credentials. and the policy for the group in an SA payload, followed by SA TEK
payloads for traffic SAs, and SA KEK policy (if the group controller
will be sending Re-key messages to the group).
3. The victim GCKS does not properly verify that the IKE Upon receipt of the third GDOI message the GCKS validates HASH(3).
authentication credentials used to protect a GROUPKEY-PULL
protocol are authorized to be join the group.
The value of proof-of-possession is to prove that the owner of the The GCKS constructs the fourth GDOI message, including the SEQ
identity associated with the Phase 1 key is the same as the owner of payload (if the GCKS sends rekey messages), and the KD payload
the key distributed in the CERT. This attack can be mitigated by containing keys corresponding to policy previously sent in the SA TEK
adding the Phase 1 identities into the hashed data. This memo and SA KEK payloads.
replaces the method computing POP_HASH in Section 5.7 of RFC 3547
with the following method:
POP_HASH = hash("pop" | IKE-Initiator-P1-ID | IKE-Responder-P1-ID | 4. GROUPKEY-PUSH Message
Ni | Nr)
where the fields are hashed as follows: GDOI sends control information securely using group communications.
Typically this will be using IP multicast distribution of a GROUPKEY-
PUSH message but it can also be "pushed" using unicast delivery if IP
multicast is not possible. The GROUPKEY-PUSH message replaces a Re-
key SA KEK or KEK array, and/or creates a new Data-security SA.
o The string "pop" without a NULL termination character. Member GCKS or Delegate
------ ----------------
<---- HDR*, SEQ, SA, KD, [CERT,] SIG
o The IKE Phase 1 identity of the GCKS as distributed in the * Protected by the Re-key SA KEK; encryption occurs after HDR
"identification Data" portion of the ID payload. Because the
length of the identity is variable, the length of the
Identification Data MUST be hashed as a four octet value with the
length located in the least significant bits (in network byte
order). The length value is hashed before the data value.
o The IKE Phase 1 identity of the group member as distributed in the HDR is defined below. The SEQ payload is defined in the Payloads
"identification Data" portion of the ID payload. Because the section. The SA defines the policy (e.g., protection suite) and
length of the identity is variable, the length of the attributes (e.g., SPI) for a Re-key and/or Data-security SAs. The
Identification Data MUST be hashed as a four octet value with the GCKS or delegate optionally provides a CERT payload for verification
length located in the least significant bits (in network byte of the SIG. KD is the key download payload as described in the
order). The length value is hashed before the data value. Payloads section.
o The initiator nonce Ni, as passed in the first GROUPKEY-PULL The SIG payload includes a signature of a hash of the entire
message. GROUPKEY-PUSH message (excepting the SIG payload bytes) before it has
been encrypted. The HASH is taken over the string 'rekey', the
GROUPKEY-PUSH HDR, SEQ, SA, KD, and optionally the CERT payload. The
prefixed string ensures that the signature of the Rekey datagram
cannot be used for any other purpose in the GDOI protocol. After the
SIG payload is created using the signature of the above hash, the
current KEK encryption key encrypts all the payloads following the
GROUPKEY-PUSH HDR. Note: The rationale for this order of operations
is given in Section 6.3.5.
o The responder nonce Nr, as passed in the second GROUPKEY-PULL If the SA defines an LKH KEK array or single KEK, KD contains a KEK
message. or KEK array for a new Re-key SA, which has a new cookie pair. When
the KD payload carries a new SA KEK attribute (section 5.3), a Re-key
SA is replaced with a new SA having the same group identifier (ID
specified in message 1 of section 3.2) and incrementing the same
sequence counter, which is initialized in message 4 of section 3.2.
Note the first packet for the given Rekey SA encrypted with the new
KEK attribute will have a Sequence number of 1. If the SA defines an
SA TEK payload, this informs the member that a new Data-security SA
has been created, with keying material carried in KD (Section 5.6).
This attack can also be mitigated by applying appropriate GCKS and If the SA defines a large LKH KEK array (e.g., during group
group member authorization. When the use of CERT and POP payloads initialization and batched rekeying), parts of the array MAY be sent
are not mandated in group policy, the GCKS SHOULD have a means of in different unique GROUPKEY-PUSH datagrams. However, each of the
recognizing authorized group members for each group, where the GROUPKEY-PUSH datagrams MUST be a fully formed GROUPKEY-PUSH
recognition is based on IKE authentication credentials. For example, datagram. This results in each datagram containing a sequence number
the GCKS may have a list of authorized IKE identifiers stored for and the policy in the SA payload, which corresponds to the KEK array
each Group. The authorization check SHOULD be made after receipt of portion sent in the KD payload.
the ID payload containing a group id the group member is requesting
to join.
4. Harmonization with RFC 5374 4.1. Forward and Backward Access Control
the Multicast Extensions to the Security Architecture for the Through GROUPKEY-PUSH, the GDOI supports algorithms such as LKH that
Internet Protocol (RFC 5374) introduces new requirements for a group have the property of denying access to a new group key by a member
key management system distributing IPsec policy. The following removed from the group (forward access control) and to an old group
sections describe new GDOI requirements that result from harmonizing key by a member added to the group (backward access control). An
with that document. unrelated notion to PFS, "forward access control" and "backward
access control" have been called "perfect forward security" and
"perfect backward security" in the literature [RFC2627].
4.1. Group Security Policy Database Attributes Group management algorithms providing forward and backward access
control other than LKH have been proposed in the literature,
including OFT [OFT] and Subset Difference [NNL]. These algorithms
could be used with GDOI, but are not specified as a part of this
document.
RFC 5374 describes new attributes as part of the Group Security Support for group management algorithms is supported via the
Policy Database (GSPD). These attributes describe policy that a KEY_MANAGEMENT_ALGORITHM attribute which is sent in the SA_KEK
group key management system must convey to a group member in order to payload. GDOI specifies one method by which LKH can be used for
support those extensions. The GDOI SA TEK payload distributes IPsec forward and backward access control. Other methods of using LKH, as
policy using IPsec security association attributes defined in well as other group management algorithms such as OFT or Subset
[ISAKMP-REG]. This section defines how GDOI can convey the new Difference may be added to GDOI as part of a later document. Any
attributes as IPsec Security Association Attributes. such addition MUST be due to a Standards Action as defined in
[RFC5226].
4.1.1. Address Preservation 4.1.1. Forward Access Control Requirements
Applications use the extensions in RFC 5374 create encapsulate IPsec When group membership is altered using a group management algorithm
multicast packets that are IP multicast packets. In order for the new SA_TEKs (and their associated keys) are usually also needed. New
GDOI group member to appropriately setup the GSPD, the GCKS must SAs and keys ensure that members who were denied access can no longer
provide that policy to the group member. participate in the group.
Depending on group policy, several address preservation methods are If forward access control is a desired property of the group, new
possible: no address preservation ("None"), preservation of the SA_TEKs and the associated key packets in the KD payload MUST NOT be
original source address ("Source-Only"), preservation of the original included in a GROUPKEY-PUSH message which changes group membership.
destination address ("Destination-Only"), or both addresses ("Source- This is required because the SA_TEK policy and the associated key
And-Destination"). This memo adds the "Address Preservation" packets in the KD payload are not protected with the new KEK. A
security association attribute. If this attribute is not included in second GROUPKEY-PUSH message can deliver the new SA_TEKS and their
a GDOI SA TEK payload provided by a GCKS, then Source-And-Destination associated keys because it will be protected with the new KEK, and
address preservation has been defined for the SA TEK. thus will not be visible to the members who were denied access.
4.1.2. SA Direction If forward access control policy for the group includes keeping group
policy changes from members that are denied access to the group, then
two sequential GROUPKEY-PUSH messages changing the group KEK MUST be
sent by the GCKS. The first GROUPKEY-PUSH message creates a new KEK
for the group. Group members, which are denied access, will not be
able to access the new KEK, but will see the group policy since the
GROUPKEY-PUSH message is protected under the current KEK. A
subsequent GROUPKEY-PUSH message containing the changed group policy
and again changing the KEK allows complete forward access control. A
GROUPKEY-PUSH message MUST NOT change the policy without creating a
new KEK.
Depending on group policy, an IPsec SA created from an SA TEK payload If other methods of using LKH or other group management algorithms
may be required in one or both directions. SA TEK policy used by are added to GDOI, those methods MAY remove the above restrictions
multiple senders is required to be installed in both the sending and requiring multiple GROUPKEY-PUSH messages, providing those methods
receiving direction ("Symmetric"), whereas SA TEK for a single sender specify how forward access control policy is maintained within a
should only be installed in the receiving direction by receivers single GROUPKEY-PUSH message.
("Receiver-Only") and in the sending direction by the sender
("Sender-Only"). This memo adds the "SA Direction" security
association attribute. If the attribute is not included in a GDOI SA
TEK payload, then the IPsec SA is treated as a Symmetric IPsec SA.
4.1.3. Re-key rollover 4.2. Delegation of Key Management
Section 4.2.1 of RFC 5374 specifies a key rollover method that GDOI supports delegation of GROUPKEY-PUSH datagrams through the
requires two values be given it from the group key management delegation capabilities of the PKI. However, GDOI does not
protocol. The Activation Time Delay (ATD) attribute allows the GCKS explicitly specify how the GCKS identifies delegates, but leaves this
to specify how long a after the start of a re-key event that a group to the PKI that is used by a particular GDOI implementation.
member is to activate new TEKs. The Deactivation Time Delay (DTD)
attribute allows the GCKS to specify how long a after the start of a
re-key event that a group member is to deactivate existing TEKs.
This memo adds new attributes by which a GCKS can relay these values 4.3. Use of signature keys
to group members as part of the Group Associated Policy described in
Section 5.
5. New GDOI Attributes The GCKS SHOULD NOT use the same key to sign the SIG payload in the
GROUPKEY-PUSH message as was used for authentication in the GROUPKEY-
PULL exchange.
This section contains new attributes to be are defined as part of 4.4. ISAKMP Header Initialization
GDOI.
5.1. Signature Hash Algorithm Unlike ISAKMP or IKE, the cookie pair is completely determined by the
GCKS. The cookie pair in the GDOI ISAKMP header identifies the Re-
key SA to differentiate the secure groups managed by a GCKS. Thus,
GDOI uses the cookie fields as an SPI.
RFC 3547 defines two signature hash algorithms (MD5 and SHA-1). Next Payload identifies an ISAKMP or GDOI payload (see Section 5.0).
However, steady advances in technology have rendered both hash
algorithms to be weak when used as a signature hash algorithm.
The SHA-256 algorithm [FIPS.180-2.2002] has been made available by Major Version is 1 and Minor Version is 0 according to ISAKMP
NIST as a replacement for SHA-1, and is its preferred replacement for (Section 3.1 of [RFC2408]).
both MD5 and SHA-1. A new value for the GDOI SIG_HASH_ALGORITHM
attribute is defined by this memo to represent the SHA-256 algorithm:
SIG_HASH_SHA256. Support for SIG_HASH_SHA256 is OPTIONAL.
5.2. Support of AH The Exchange Type has value 33 for the GDOI GROUPKEY-PUSH message.
RFC3547 only specifies data-security SAs for one security protocol, Flags MUST have the Encryption bit set according to [RFC2008, Section
IPsec ESP. Typically IPsec implementations use ESP and AH IPsec SAs. 3.1]. All other bits MUST be set to zero.
This document extends the capability of GDOI to support both ESP and
AH. The GROUPKEY-PULL mechanism will establish IPsec ESP SAs and
IPsec AH SAs. The GROUPKEY-PUSH will refresh the IPsec ESP SAs and
the IPsec AH SAs. Support for AH [RFC4302] is achieved with the
introduction of a new SA_TEK Protocol-ID with the name
GDOI_PROTO_IPSEC_AH. Support for the GDOI_PROTO_IPSEC_AH SA TEK is
OPTIONAL.
The TEK Protocol-Specific payload for AH is as follows: Message ID MUST be set to zero.
Length is according to ISAKMP (Section 3.1 of [RFC2408]).
4.5. Deletion of SAs
There are times the GCKS may want to signal to receivers to delete
SAs, for example at the end of a broadcast. Deletion of keys may be
accomplished by sending an ISAKMP Delete payload (Section 3.15 of
[RFC2408]) as part of a GDOI GROUPKEY-PUSH message.
One or more Delete payloads MAY be placed following the SEQ payload
in a GROUPKEY-PUSH message. If a GCKS has no further SAs to send to
group members, the SA and KD payloads MUST be omitted from the
message.
The following fields of the Delete Payload are further defined as
follows:
o The Domain of Interpretation field contains the GDOI DOI.
o The Protocol-Id field contains TEK protocol id values defined in
Section 5.5 of this document. To delete a KEK SA, the value of zero
MUST be used as the protocol id. Note that only one protocol id
value can be defined in a Delete payload. If a TEK SA and a KEK SA
must be deleted, they must be sent in different Delete payloads.
There may be circumstances where the GCKS may want to start over with
a clean slate. If the administrator is no longer confident in the
integrity of the group, the GCKS can signal deletion of all policy of
a particular TEK protocol by sending a TEK with a SPI value equal to
zero in the delete payload. For example, if the GCKS wishes to
remove all the KEKs and all the TEKs in the group, the GCKS SHOULD
send a delete payload with a spi of zero and a protocol_id of a TEK
protocol_id value, followed by another delete payload with a spi of
zero and protocol_id of zero, indicating that the KEK SA should be
deleted.
4.6. GCKS Operations
GCKS or its delegate may initiate a Rekey message for one of several
reasons, e.g., the group membership has changed or keys are due to
expire.
To begin the rekey datagram the GCKS builds an ISAKMP HDR with the
correct cookie pair, and a SEQ payload that includes a sequence
number which is one greater than the previous rekey datagram. If the
message is using the new KEK attribute for the first time, the SEQ is
reset to 1 in this message.
An SA payload is then added. This is identical in structure and
meaning to a SA payload sent in a GROUPKEY-PULL exchange. If there
are changes to the KEK (in the case of a static KEK) or in group
membership (in the case of LKH) an SA_KEK attribute is added to the
SA. If there are one or more new TEKs then SA_TEK attributes are
added to describe that policy.
A KD payload is then added. This is identical in structure and
meaning to a KD payload sent in a GROUPKEY-PULL exchange. If an
SA_KEK attribute was included in the SA payload then corresponding
KEK keys (or a KEK array) is included. TEK keys are sent for each
SA_TEK attribute included in the SA payload.
A CERT payload is added if the initiator needs to provide its
certificate.
In the penultimate step, the initiator hashes the string "rekey"
followed by the key management message already formed. The hash is
signed, placed in a SIG payload and added to the datagram.
Lastly, the payloads following the HDR are encrypted using the
current KEK encryption key. The datagram can now be sent.
4.7. Group Member Operations
A group member receiving the GROUPKEY-PUSH datagram matches the
cookie pair in the ISAKMP HDR to an existing SA. The message is
decrypted, and the form of the datagram is validated. This weeds out
obvious ill-formed messages (which may be sent as part of a Denial of
Service attack on the group).
The signature of the decrypted message is then validated, possibly
using the CERT payload if it is included.
The sequence number in the SEQ payload is validated to ensure that it
is greater than the previously received sequence number, and that it
fits within a window of acceptable values.
The SA and KD payloads are processed which results in a new GDOI
Rekey SA (if the SA payload included an SA_KEK attribute) and/or new
IPsec SAs being added to the system.
5. Payloads and Defined Values
This document specifies use of several ISAKMP payloads, which are
defined in accordance with RFC 2408. The following payloads are
extended or further specified.
Next Payload Type Value
----------------- -----
Security Association (SA) 1
Identification (ID) 5
Nonce (N) 10
Several payload formats specific to the group security exchanges are
required.
Next Payload Type Value
----------------- -----
SA KEK Payload (SAK) 15
SA TEK Payload (SAT) 16
Key Download (KD) 17
Sequence Number (SEQ) 18
SA Group Associated Policy (GAP) TBD-1
5.1. Identification Payload
The Identification Payload is defined in RFC 2408. For the GDOI, it
is used to identify a group identity that will later be associated
with Security Associations for the group. A group identity may map
to a specific IP multicast group, or may specify a more general
identifier, such as one that represents a set of related multicast
streams.
When used with the GDOI, the DOI Specific ID Data field MUST be set
to 0.
When used with the GDOI, the ID_KEY_ID ID Type MUST be supported by a
conforming implementation, and MUST specify a four (4)-octet group
identifier as its value. Implementations MAY also support other ID
Types.
5.2. Security Association Payload
The Security Association payload is defined in RFC 2408. For the
GDOI, it is used by the GCKS to assert security attributes for both
Re-key and Data-security SAs.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! Next Payload ! RESERVED ! Payload Length !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! DOI !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! Situation !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! SA Attribute Next Payload ! RESERVED2 !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
The Security Association Payload fields are defined as follows:
o Next Payload (1 octet) -- Identifies the next payload for the
GROUPKEY-PULL or the GROUPKEY-PUSH message as defined above. The
next payload MUST NOT be a SAK Payload or SAT Payload type, but the
next non-Security Association type payload.
o RESERVED (1 octet) -- Must be zero.
o Payload Length (2 octets) -- Is the octet length of the current
payload including the generic header and all TEK and KEK payloads.
o DOI (4 octets) -- Is the GDOI, which is value 2.
o Situation (4 octets) -- Must be zero.
o SA Attribute Next Payload (1 octet) -- Must be either a SAK Payload
or a SAT Payload. See section 5.2.1 for a description of which
circumstances are required for each payload type to be present.
o RESERVED (2 octets) -- Must be zero.
5.2.1. Payloads following the SA payload
Payloads that define specific security association attributes for the
KEK and/or TEKs used by the group MUST follow the SA payload. How
many of each payload is dependent upon the group policy. There may
be zero or one SAK Payloads, zero or more GAP Payloads, and zero or
more SAT Payloads, where either one SAK or SAT payload MUST be
present. When present, the order of the SA Attributes payloads must
be: KEK, GAP, and TEKs.
This latitude allows various group policies to be accommodated. For
example if the group policy does not require the use of a Re-key SA,
the GCKS would not need to send an SA KEK attribute to the group
member since all SA updates would be performed using the Registration
SA. Alternatively, group policy might use a Re-key SA but choose to
download a KEK to the group member only as part of the Registration
SA. Therefore, the KEK policy (in the SA KEK attribute) would not be
necessary as part of the Re-key SA message SA payload.
Specifying multiple SATs allows multiple sessions to be part of the
same group and multiple streams to be associated with a session
(e.g., video, audio, and text) but each with individual security
association policy.
5.3. SA KEK payload
The SA KEK (SAK) payload contains security attributes for the KEK
method for a group and parameters specific to the GROUPKEY-PULL
operation. The source and destination identities describe the
identities used for the GROUPKEY-PULL datagram.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! Next Payload ! RESERVED ! Payload Length !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! Protocol ! SRC ID Type ! SRC ID Port ! ! Protocol ! SRC ID Type ! SRC ID Port !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
!SRC ID Data Len! SRC Identification Data ~ !SRC ID Data Len! SRC Identification Data ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! DST ID Type ! DST ID Port !DST ID Data Len! ! DST ID Type ! DST ID Port !DST ID Data Len!
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! DST Identification Data ~ ! DST Identification Data ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! Transform ID ! SPI ! ! !
~ SPI ~
! !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! SPI ! RFC 2407 SA Attributes ~ ! RESERVED ! RESERVED !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
~ KEK Attributes ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
The SAT Payload fields are defined as follows: The SAK Payload fields are defined as follows:
o Protocol (1 octet) -- Value describing an IP protocol ID (e.g., o Next Payload (1 octet) -- Identifies the next payload for the
UDP/TCP). A value of zero means that the Protocol field should be GROUPKEY-PULL or the GROUPKEY-PUSH message. The only valid next
ignored. payload types for this message are a GAP Payload, SAT Payload or zero
to indicate that no SA Attribute payloads follow.
o SRC ID Type (1 octet) -- Value describing the identity information o RESERVED (1 octet) -- Must be zero.
found in the SRC Identification Data field. Defined values are
specified by the IPsec Identification Type section in the IANA
ISAKMP Registry [ISAKMP-REG].
o SRC ID Port (2 octets) -- Value specifying a port associated with o Payload Length (2 octets) -- Length of this payload, including the
the source Id. A value of zero means that the SRC ID Port field KEK attributes.
should be ignored.
o SRC ID Data Len (1 octet) -- Value specifying the length of the o Protocol (1 octet) -- Value describing an IP protocol ID (e.g.,
SRC Identification Data field. UDP/TCP) for the rekey datagram.
o SRC Identification Data (variable length) -- Value, as indicated o SRC ID Type (1 octet) -- Value describing the identity information
by the SRC ID Type. Set to three bytes of zero for multiple- found in the SRC Identification Data field. Defined values are
source multicast groups that use a common TEK for all senders. specified by the IPsec Identification Type section in the IANA
isakmpd-registry [ISAKMP-REG].
o DST ID Type (1 octet) -- Value describing the identity information o SRC ID Port (2 octets) -- Value specifying a port associated with
found in the DST Identification Data field. Defined values are the source Id. A value of zero means that the SRC ID Port field
specified by the IPsec Identification Type section in the IANA should be ignored.
ISAKMP Registry [ISAKMP-REG].
o DST ID Port (1 octet) -- Value describing an IP protocol ID (e.g., o SRC ID Data Len (1 octet) -- Value specifying the length of the SRC
UDP/TCP). A value of zero means that the DST Id Port field should Identification Data field.
be ignored.
o DST ID Port (2 octets) -- Value specifying a port associated with o SRC Identification Data (variable length) -- Value, as indicated by
the source Id. A value of zero means that the DST ID Port field the SRC ID Type.
should be ignored.
o DST ID Data Len (1 octet) -- Value specifying the length of the o DST ID Type (1 octet) -- Value describing the identity information
DST Identification Data field. found in the DST Identification Data field. Defined values are
specified by the IPsec Identification Type section in the IANA
isakmpd-registry [ISAKMP-REG].
o DST Identification Data (variable length) -- Value, as indicated o DST ID Prot (1 octet) -- Value describing an IP protocol ID (e.g.,
by the DST ID Type. UDP/TCP).
o Transform ID (1 octet) -- Value specifying which AH transform is o DST ID Port (2 octets) -- Value specifying a port associated with
to be used. The list of valid values is defined in the IPsec AH the source Id.
Transform Identifiers section of the IANA ISAKMP Registry
[ISAKMP-REG].
o SPI (4 octets) -- Security Parameter Index for AH. o DST ID Data Len (1 octet) -- Value specifying the length of the DST
Identification Data field.
o RFC 2407 Attributes -- AH Attributes from Section 4.5 of o DST Identification Data (variable length) -- Value, as indicated by
[RFC2407]. The GDOI supports all IPsec DOI SA Attributes for the DST ID Type.
GDOI_PROTO_IPSEC_AH excluding the Group Description, which MUST
NOT be sent by a GDOI implementation and is ignored by a GDOI
implementation if received. The Authentication Algorithm
attribute of the IPsec DOI is group authentication in GDOI. The
following RFC 2407 attributes MUST be sent as part of a
GDOI_PROTO_IPSEC_AH attribute: SA Life Type, SA Life Duration,
Encapsulation Mode.
5.3. Group Associated Policy o SPI (16 octets) -- Security Parameter Index for the KEK. The SPI
must be the ISAKMP Header cookie pair where the first 8 octets become
the "Initiator Cookie" field of the GROUPKEY-PUSH message ISAKMP HDR,
and the second 8 octets become the "Responder Cookie" in the same
HDR. As described above, these cookies are assigned by the GCKS.
o KEK Attributes -- Contains KEK policy attributes associated with
the group. The following sections describe the possible attributes.
Any or all attributes may be optional, depending on the group policy.
5.3.1. KEK Attributes
The following attributes may be present in a SAK Payload. The
attributes must follow the format defined in ISAKMP (Section 3.3 of
[RFC2408]). In the table, attributes that are defined as TV are
marked as Basic (B); attributes that are defined as TLV are marked as
Variable (V).
ID Class Value Type
-------- ----- ----
RESERVED 0
KEK_MANAGEMENT_ALGORITHM 1 B
KEK_ALGORITHM 2 B
KEK_KEY_LENGTH 3 B
KEK_KEY_LIFETIME 4 V
SIG_HASH_ALGORITHM 5 B
SIG_ALGORITHM 6 B
SIG_KEY_LENGTH 7 B
The KEK_MANAGEMENT_ALGORITHM attribute may only be included in a
GROUPKEY-PULL message.
5.3.2. KEK_MANAGEMENT_ALGORITHM
The KEK_MANAGEMENT_ALGORITHM class specifies the group KEK management
algorithm used to provide forward or backward access control (i.e.,
used to exclude group members). Defined values are specified in the
following table.
KEK Management Type Value
------------------- -----
RESERVED 0
LKH 1
RESERVED 2-127
Private Use 128-255
5.3.3. KEK_ALGORITHM
The KEK_ALGORITHM class specifies the encryption algorithm using with
the KEK. Defined values are specified in the following table. An
GDOI implementation MUST abort if it encounters and attribute or
capability that it does not understand.
Algorithm Type Value
-------------- -----
RESERVED 0
KEK_ALG_DES 1
KEK_ALG_3DES 2
KEK_ALG_AES 3
RESERVED 4-127
Private Use 128-255
A GDOI implementation MUST support the KEK_ALG_AES algorithm
attribute. A GDOI implementation SHOULD NOT use KEK_ALG_DES, as the
level of security is not considered strong enough for this purpose.
If a KEK_MANAGEMENT_ALGORITHM is defined which defines multiple keys
(e.g., LKH), and if the management algorithm does not specify the
algorithm for those keys, then the algorithm defined by the
KEK_ALGORITHM attribute MUST be used for all keys which are included
as part of the management.
5.3.3.1. KEK_ALG_DES
This algorithm specifies DES using the Cipher Block Chaining (CBC)
mode as described in [FIPS81].
5.3.3.2. KEK_ALG_3DES
This algorithm specifies 3DES using three independent keys as
described in "Keying Option 1" in [FIPS46-3].
5.3.3.3. KEK_ALG_AES
This algorithm specifies AES as described in [FIPS197]. The mode of
operation for AES is Cipher Block Chaining (CBC) as recommended in
[AES-MODES].
5.3.4. KEK_KEY_LENGTH
The KEK_KEY_LENGTH class specifies the KEK Algorithm key length (in
bits). The Group Controller/Key Server (GCKS) adds the KEK_KEY_LEN
attribute to the SA payload when distributing KEK policy to group
members. The group member verifies whether or not it has the
capability of using a cipher key of that size. If the cipher
definition includes a fixed key length (e.g., KEK_ALG_3DES), the
group member can make its decision solely using KEK_ALGORITHM
attribute and does not need the KEK_KEY_LEN attribute. Sending the
KEK_KEY_LEN attribute in the SA payload is OPTIONAL if the KEK cipher
has a fixed key length. Also, note that the KEK_KEY_LEN includes
only the actual length of the cipher key (the IV length is not
included in this attribute).
5.3.5. KEK_KEY_LIFETIME
The KEK_KEY_LIFETIME class specifies the maximum time for which the
KEK is valid. The GCKS may refresh the KEK at any time before the
end of the valid period. The value is a four (4) octet number
defining a valid time period in seconds.
5.3.6. SIG_HASH_ALGORITHM
SIG_HASH_ALGORITHM specifies the SIG payload hash algorithm. The
following table defines the algorithms for SIG_HASH_ALGORITHM.
Algorithm Type Value
-------------- -----
RESERVED 0
SIG_HASH_MD5 1
SIG_HASH_SHA1 2
SIG_HASH_SHA256 TBD-2
SIG_HASH_SHA384 TBD-3
SIG_HASH_SHA512 TBD-4
RESERVED 6-127
Private Use 128-255
The SHA hash algorithms are defined in the Secure Hash
Standard[FIPS.180-2.2002]. SIG_HASH_MD5 and SIG_HASH_SHA1 SHOULD NOT
be used, as the level of security is not considered strong enough for
this purpose.
SIG_HASH_ALGORITHM is not required if the SIG_ALGORITHM is
SIG_ALG_DSS or SIG_ALG_ECDSS, which imply SIG_HASH_SHA1.
5.3.7. SIG_ALGORITHM
The SIG_ALGORITHM class specifies the SIG payload signature
algorithm. Defined values are specified in the following table.
Algorithm Type Value
-------------- -----
RESERVED 0
SIG_ALG_RSA 1
SIG_ALG_DSS 2
SIG_ALG_ECDSS 3
SIG_ALG_RSA_PSS TBD-6
RESERVED 4-127
Private Use 128-255
A GDOI implementation MUST support the following algorithm attribute:
SIG_ALG_RSA.
5.3.7.1. SIG_ALG_RSA
This algorithm specifies the RSA digital signature algorithm using
the EMSA-PKCS1-v1_5 encoding method, as described in [RFC3447].
5.3.7.2. SIG_ALG_DSS
This algorithm specifies the DSS digital signature algorithm as
described in [FIPS186-2].
5.3.7.3. SIG_ALG_ECDSS
This algorithm specifies the Elliptic Curve digital signature
algorithm as described in [FIPS186-2].
5.3.7.4. SIG_ALG_RSA_PSS
This algorithm specifies the RSA digital signature algorithm using
the EMSA-PSS encoding method, as described in [RFC3447].
5.3.8. SIG_KEY_LENGTH
The SIG_KEY_LENGTH class specifies the length of the SIG payload key
in bits.
5.4. Group Associated Policy
RFC 3547 provides for the distribution of policy in the GROUPKEY-PULL RFC 3547 provides for the distribution of policy in the GROUPKEY-PULL
exchange in an SA payload. Policy can define GROUPKEY-PUSH policy exchange in an SA payload. Policy can define GROUPKEY-PUSH policy
(SA KEK) or traffic encryption policy (SA TEK) such as IPsec policy. (SA KEK) or traffic encryption policy (SA TEK) such as IPsec policy.
There is a need to distribute group policy that fits into neither There is a need to distribute group policy that fits into neither
category. Some of this policy is generic to the group, and some is category. Some of this policy is generic to the group, and some is
sender-specific policy for a particular group member. sender-specific policy for a particular group member.
GDOI distributes this associated group policy in a new payload called GDOI distributes this associated group policy in a new payload called
the SA Group Associated Policy (SA SAP). The SA GAP payload follows the SA Group Associated Policy (SA GAP). The SA GAP payload follows
any SA KEK payload, and is placed before any SA TEK payloads. In the any SA KEK payload, and is placed before any SA TEK payloads. In the
case that group policy does not include an SA KEK, the SA Attribute case that group policy does not include an SA KEK, the SA Attribute
Next Payload field in the SA payload MAY indicate the SA GAP payload. Next Payload field in the SA payload MAY indicate the SA GAP payload.
The SA GAP payload is defined as follows: The SA GAP payload is defined as follows:
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! Next Payload ! RESERVED ! Payload Length ! ! Next Payload ! RESERVED ! Payload Length !
skipping to change at page 17, line 6 skipping to change at page 28, line 36
o RESERVED (1 octet) -- Must be zero. o RESERVED (1 octet) -- Must be zero.
o Payload Length (2 octets) -- Length of this payload, including the o Payload Length (2 octets) -- Length of this payload, including the
SA GAP header and Attributes. SA GAP header and Attributes.
o Group Associated Policy Attributes (variable) -- Contains o Group Associated Policy Attributes (variable) -- Contains
attributes following the format defined in Section 3.3 of RFC attributes following the format defined in Section 3.3 of RFC
2408. 2408.
Several group associated policy attributes are defined in this memo. Several group associated policy attributes are defined in this memo.
An GDOI implementation MUST abort if it encounters and attribute or
capability that it does not understand.
5.3.1. ACTIVATION_TIME_DELAY 5.4.1. ACTIVATION_TIME_DELAY
This attribute allows a GCKS to set the Activation Time Delay for SAs This attribute allows a GCKS to set the Activation Time Delay for SAs
generated from TEKs. The value is in seconds. If a group member generated from TEKs. The value is in seconds. If a group member
receives a TEK with an ATD value, but discovers that it has no receives a TEK with an ATD value, but discovers that it has no
current SAs matching the policy in the TEK, then it SHOULD create and current SAs matching the policy in the TEK, then it SHOULD create and
install SAs from the TEK immediately. install SAs from the TEK immediately.
5.3.2. DEACTIVATION_TIME_DELAY 5.4.2. DEACTIVATION_TIME_DELAY
This attribute allows a GCKS to set the Deactivation Time Delay for This attribute allows a GCKS to set the Deactivation Time Delay for
SAs generated from TEKs. The value is in seconds. SAs generated from TEKs. The value is in seconds.
5.3.3. SENDER_ID 5.4.3. SENDER_ID
Several new AES counter-based modes of operation have been specified Several new AES counter-based modes of operation have been specified
for ESP [RFC3686],[RFC4106],[RFC4309],[RFC4543] and AH [RFC4543]. for ESP [RFC3686],[RFC4106],[RFC4309],[RFC4543] and AH [RFC4543].
These AES counter-based modes require that no two senders in the These AES counter-based modes require that no two senders in the
group ever send a packet with the same IV. This requirement can be group ever send a packet with the same IV. This requirement can be
met using the method described in met using the method described in
[I-D.ietf-msec-ipsec-group-counter-modes], which requires each sender [I-D.ietf-msec-ipsec-group-counter-modes], which requires each sender
to be allocated a unique Sender ID (SID). The SENDER_ID attribute is to be allocated a unique Sender ID (SID). The SENDER_ID attribute is
used to distribute a SID to a group member during the GROUPKEY-PULL used to distribute a SID to a group member during the GROUPKEY-PULL
message. Other algorithms with the same need may be defined in the message. Other algorithms with the same need may be defined in the
skipping to change at page 18, line 5 skipping to change at page 29, line 34
! SID Length ! SID Value ~ ! SID Length ! SID Value ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
o SID Length (1 octet) -- A natural number defining the number of o SID Length (1 octet) -- A natural number defining the number of
bits to be used in the SID field of the counter mode transform bits to be used in the SID field of the counter mode transform
nonce. nonce.
o SID Value (variable) -- The Sender ID value allocated to the group o SID Value (variable) -- The Sender ID value allocated to the group
member. member.
5.3.3.1. GCKS Semantics 5.4.3.1. GCKS Semantics
The GCKS maintains a SID counter (SIDC). It is incremented each time The GCKS maintains a SID counter (SIDC). It is incremented each time
a SENDER_ID attribute is distributed to a group member. The first a SENDER_ID attribute is distributed to a group member. The first
group member to register is given the SID of 1. group member to register is given the SID of 1.
Any group member registering will be given a new SID value, which Any group member registering will be given a new SID value, which
allows group members to act as a group sender when an older SID value allows group members to act as a group sender when an older SID value
becomes unusable (as described in the next section). becomes unusable (as described in the next section).
A GCKS MAY allocate multiple SID values in one SA SSA payload. A GCKS MAY allocate multiple SID values in one SA GAP payload.
Allocating several SID values at the same time to a group member Allocating several SID values at the same time to a group member
expected to send at a high rate would obviate the need for the group expected to send at a high rate would obviate the need for the group
member to re-register as frequently. member to re-register as frequently.
If a GCKS allocates all SID values, it can no longer respond to GDOI If a GCKS allocates all SID values, it can no longer respond to GDOI
registrations and must re-initialize the entire group. This is done registrations and must re-initialize the entire group. This is done
by issuing DELETE notifications for all ESP and AH SAs in a GDOI by issuing DELETE notifications for all ESP and AH SAs in a GDOI
rekey message, resetting the SIDC to zero, and creating new ESP and rekey message, resetting the SIDC to zero, and creating new ESP and
AH SAs that match the group policy. When group members re-register, AH SAs that match the group policy. When group members re-register,
the SIDs are allocated again beginning with the value 1 as described the SIDs are allocated again beginning with the value 1 as described
above. Each re-registering group member will be given a new SID and above. Each re-registering group member will be given a new SID and
the new group policy. the new group policy.
The SENDER_ID attribute MUST NOT be sent as part of a GROUPKEY-PUSH The SENDER_ID attribute MUST NOT be sent as part of a GROUPKEY-PUSH
message, because distributing the same sender-specific policy to more message, because distributing the same sender-specific policy to more
than one group member may reduce the security of the group. than one group member may reduce the security of the group.
5.3.3.2. Group Member Semantics 5.4.3.2. Group Member Semantics
The SENDER_ID attribute value distributed to the group member MUST be The SENDER_ID attribute value distributed to the group member MUST be
used by that group member as the Sender Identifier (SID) field used by that group member as the Sender Identifier (SID) field
portion of the IV. The SID is used for all counter mode SAs portion of the IV. The SID is used for all counter mode SAs
distributed by the GCKS to be used for communications sent as a part distributed by the GCKS to be used for communications sent as a part
of this group. of this group.
When the Sender-Specific IV (SSIV) field for any IPsec SA is When the Sender-Specific IV (SSIV) field for any IPsec SA is
exhausted, the group member MUST no longer act as a sender using its exhausted, the group member MUST no longer act as a sender using its
active SID. The group member SHOULD re-register, during which time active SID. The group member SHOULD re-register, during which time
the GCKS will issue a new SID to the group member. The new SID the GCKS will issue a new SID to the group member. The new SID
replaces the existing SID used by this group member, and also resets replaces the existing SID used by this group member, and also resets
the SSIV value to it's starting value. A group member MAY re- the SSIV value to it's starting value. A group member MAY re-
register prior to the actual exhaustion of the SSIV field to avoid register prior to the actual exhaustion of the SSIV field to avoid
dropping data packets due to the exhaustion of available SSIV values dropping data packets due to the exhaustion of available SSIV values
combined with a particular SID value. combined with a particular SID value.
A group member MUST NOT process SENDER_ID attribute present in a A group member MUST NOT process SENDER_ID attribute present in a
GROUPKEY-PUSH message. GROUPKEY-PUSH message.
6. IANA Considerations 5.5. SA TEK Payload
The SA TEK (SAT) payload contains security attributes for a single
TEK associated with a group.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! Next Payload ! RESERVED ! Payload Length !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! Protocol-ID ! TEK Protocol-Specific Payload ~
+-+-+-+-+-+-+-+-+ ~
~ ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
The SAT Payload fields are defined as follows:
o Next Payload (1 octet) -- Identifies the next payload for the
GROUPKEY-PULL or the GROUPKEY-PUSH message. The only valid next
payload types for this message are another SAT Payload or zero to
indicate there are no more security association attributes.
o RESERVED (1 octet) -- Must be zero.
o Payload Length (2 octets) -- Length of this payload, including the
TEK Protocol-Specific Payload.
o Protocol-ID (1 octet) -- Value specifying the Security Protocol.
The following table defines values for the Security Protocol
Protocol ID Value
----------- -----
RESERVED 0
GDOI_PROTO_IPSEC_ESP 1
GDOI_PROTO_IPSEC_AH TBD-5
RESERVED 3-127
Private Use 128-255
o TEK Protocol-Specific Payload (variable) -- Payload which describes
the attributes specific for the Protocol-ID.
5.5.1. GDOI_PROTO_IPSEC_ESP/GDOI_PROTO_IPSEC_AH
The TEK Protocol-Specific payload for ESP and AH is as follows:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! Protocol ! SRC ID Type ! SRC ID Port !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
!SRC ID Data Len! SRC Identification Data ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! DST ID Type ! DST ID Port !DST ID Data Len!
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! DST Identification Data ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! Transform ID ! SPI !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! SPI ! RFC 2407 SA Attributes ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
The SAT Payload fields are defined as follows:
o Protocol (1 octet) -- Value describing an IP protocol ID (e.g.,
UDP/TCP). A value of zero means that the Protocol field should be
ignored.
o SRC ID Type (1 octet) -- Value describing the identity information
found in the SRC Identification Data field. Defined values are
specified by the IPsec Identification Type section in the IANA
isakmpd-registry [ISAKMP-REG].
o SRC ID Port (2 octets) -- Value specifying a port associated with
the source Id. A value of zero means that the SRC ID Port field
should be ignored.
o SRC ID Data Len (1 octet) -- Value specifying the length of the SRC
Identification Data field.
o SRC Identification Data (variable length) -- Value, as indicated by
the SRC ID Type. Set to three bytes of zero for multiple-source
multicast groups that use a common TEK for all senders.
o DST ID Type (1 octet) -- Value describing the identity information
found in the DST Identification Data field. Defined values are
specified by the IPsec Identification Type section in the IANA
isakmpd-registry [ISAKMP-REG].
o DST ID Prot (1 octet) -- Value describing an IP protocol ID (e.g.,
UDP/TCP). A value of zero means that the DST Id Prot field should be
ignored.
o DST ID Port (2 octets) -- Value specifying a port associated with
the source Id. A value of zero means that the DST ID Port field
should be ignored.
o DST ID Data Len (1 octet) -- Value specifying the length of the DST
Identification Data field.
o DST Identification Data (variable length) -- Value, as indicated by
the DST ID Type.
o Transform ID (1 octet) -- Value specifying which ESP or AH
transform is to be used. The list of valid values is defined in the
IPsec ESP or IPsec AH Transform Identifiers section of the IANA
isakmpd-registry [ISAKMP-REG].
o SPI (4 octets) -- Security Parameter Index for ESP.
o RFC 2407 Attributes -- ESP and AH Attributes from RFC 2407 Section
4.5. The GDOI supports all IPsec DOI SA Attributes for
GDOI_PROTO_IPSEC_ESP and GDOI_PROTO_IPSEC_AH excluding the Group
Description (section 4.5 of [RFC2407], which MUST NOT be sent by a
GDOI implementation and is ignored by a GDOI implementation if
received. The following attributes MUST be supported by an
implementation supporting ESP and AH: SA Life Type, SA Life Duration,
Encapsulation Mode. An implementation supporting ESP must also
support the Authentication Algorithm attribute if the ESP transform
includes authentication/ The Authentication Algorithm attribute of
the IPsec DOI is group authentication in GDOI.
5.5.1.1. Harmonization with RFC 5374
The Multicast Extensions to the Security Architecture for the
Internet Protocol (RFC 5374) introduces new requirements for a group
key management system distributing IPsec policy. The following
sections describe new GDOI requirements that result from harmonizing
with that document.
5.5.1.1.1. Group Security Policy Database Attributes
RFC 5374 describes new attributes as part of the Group Security
Policy Database (GSPD). These attributes describe policy that a
group key management system must convey to a group member in order to
support those extensions. The GDOI SA TEK payload distributes IPsec
policy using IPsec security association attributes defined in
[ISAKMP-REG]. This section defines how GDOI can convey the new
attributes as IPsec Security Association Attributes.
5.5.1.1.2. Address Preservation
Applications use the extensions in RFC 5374 create encapsulate IPsec
multicast packets that are IP multicast packets. In order for the
GDOI group member to appropriately setup the GSPD, the GCKS must
provide that policy to the group member.
Depending on group policy, several address preservation methods are
possible: no address preservation ("None"), preservation of the
original source address ("Source-Only"), preservation of the original
destination address ("Destination-Only"), or both addresses ("Source-
And-Destination"). This memo adds the "Address Preservation"
security association attribute. If this attribute is not included in
a GDOI SA TEK payload provided by a GCKS, then Source-And-Destination
address preservation has been defined for the SA TEK.
5.5.1.1.3. SA Direction
Depending on group policy, an IPsec SA created from an SA TEK payload
may be required in one or both directions. SA TEK policy used by
multiple senders is required to be installed in both the sending and
receiving direction ("Symmetric"), whereas SA TEK for a single sender
should only be installed in the receiving direction by receivers
("Receiver-Only") and in the sending direction by the sender
("Sender-Only"). This memo adds the "SA Direction" security
association attribute. If the attribute is not included in a GDOI SA
TEK payload, then the IPsec SA is treated as a Symmetric IPsec SA.
5.5.1.1.4. Re-key rollover
Section 4.2.1 of RFC 5374 specifies a key rollover method that
requires two values be given it from the group key management
protocol. The Activation Time Delay (ATD) attribute allows the GCKS
to specify how long after the start of a re-key event that a group
member is to activate new TEKs. The Deactivation Time Delay (DTD)
attribute allows the GCKS to specify how long after the start of a
re-key event that a group member is to deactivate existing TEKs.
This memo adds new attributes by which a GCKS can relay these values
to group members as part of the Group Associated Policy described in
Section 5.
5.5.2. Other Security Protocols
Besides ESP and AH, GDOI should serve to establish SAs for secure
groups needed by other Security Protocols that operate at the
transport, application, and internetwork layers. These other
Security Protocols, however, are in the process of being developed or
do not yet exist.
The following information needs to be provided for a Security
Protocol to the GDOI.
o The Protocol-ID for the particular Security Protocol
o The SPI Size
o The method of SPI generation
o The transforms, attributes and keys needed by the Security
Protocol
All Security Protocols must provide the information in the bulleted
list above to guide the GDOI specification for that protocol.
Definitions for the support of those Security Protocols in GDOI will
be specified in separate documents.
A Security Protocol MAY protect traffic at any level of the network
stack. However, in all cases applications of the Security Protocol
MUST protect traffic which MAY be shared by more than two entities.
5.6. Key Download Payload
The Key Download Payload contains group keys for the group specified
in the SA Payload. These key download payloads can have several
security attributes applied to them based upon the security policy of
the group as defined by the associated SA Payload.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! Next Payload ! RESERVED ! Payload Length !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! Number of Key Packets ! RESERVED2 !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
~ Key Packets ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
The Key Download Payload fields are defined as follows:
o Next Payload (1 octet) -- Identifier for the payload type of the
next payload in the message. If the current payload is the last in
the message, then this field will be zero.
o RESERVED (1 octet) -- Unused, set to zero.
o Payload Length (2 octets) -- Length in octets of the current
payload, including the generic payload header.
o Number of Key Packets (2 octets) -- Contains the total number of
both TEK and Rekey arrays being passed in this data block.
o Key Packets Several types of key packets are defined. Each Key
Packet has the following format.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! KD Type ! RESERVED ! KD Length !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! SPI Size ! SPI (variable) ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
~ Key Packet Attributes ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
o Key Download (KD) Type (1 octet) -- Identifier for the Key Data
field of this Key Packet.
Key Download Type Value
----------------- -----
RESERVED 0
TEK 1
KEK 2
LKH 3
RESERVED 4-127
Private Use 128-255
"KEK" is a single key whereas LKH is an array of key-encrypting keys.
o RESERVED (1 octet) -- Unused, set to zero.
o Key Download Length (2 octets) -- Length in octets of the Key
Packet data, including the Key Packet header.
o SPI Size (1 octet) -- Value specifying the length in octets of the
SPI as defined by the Protocol-Id.
o SPI (variable length) -- Security Parameter Index which matches a
SPI previously sent in an SAK or SAT Payload.
o Key Packet Attributes (variable length) -- Contains Key
information. The format of this field is specific to the value of
the KD Type field. The following sections describe the format of
each KD Type.
5.6.1. TEK Download Type
The following attributes may be present in a TEK Download Type.
Exactly one attribute matching each type sent in the SAT payload MUST
be present. The attributes must follow the format defined in ISAKMP
(Section 3.3 of [RFC2408]). In the table, attributes defined as TV
are marked as Basic (B); attributes defined as TLV are marked as
Variable (V).
TEK Class Value Type
--------- ----- ----
RESERVED 0
TEK_ALGORITHM_KEY 1 V
TEK_INTEGRITY_KEY 2 V
TEK_SOURCE_AUTH_KEY 3 V
If no TEK key packets are included in a Registration KD payload, the
group member can expect to receive the TEK as part of a Re-key SA.
At least one TEK must be included in each Re-key KD payload.
Multiple TEKs may be included if multiple streams associated with the
SA are to be rekeyed.
5.6.1.1. TEK_ALGORITHM_KEY
The TEK_ALGORITHM_KEY class declares that the encryption key for this
SPI is contained as the Key Packet Attribute. The encryption
algorithm that will use this key was specified in the SAT payload.
In the case that the algorithm requires multiple keys (e.g., 3DES),
all keys will be included in one attribute.
DES keys will consist of 64 bits (the 56 key bits with parity bit).
Triple DES keys will be specified as a single 192 bit attribute
(including parity bits) in the order that the keys are to be used for
encryption (e.g., DES_KEY1, DES_KEY2, DES_KEY3).
5.6.1.2. TEK_INTEGRITY_KEY
The TEK_INTEGRITY_KEY class declares that the integrity key for this
SPI is contained as the Key Packet Attribute. The integrity
algorithm that will use this key was specified in the SAT payload.
Thus, GDOI assumes that both the symmetric encryption and integrity
keys are pushed to the member. HMAC-SHA1 keys will consist of 160
bits[RFC2404], HMAC-MD5 keys will consist of 128 bits[RFC2403].
HMAC-SHA2 and AES-GMAC keys will have a key length equal to the
output length of the hash functions [RFC4868][RFC4543].
5.6.1.3. TEK_SOURCE_AUTH_KEY
The TEK_SOURCE_AUTH_KEY class declares that the source authentication
key for this SPI is contained in the Key Packet Attribute. The
source authentication algorithm that will use this key was specified
in the SAT payload.
5.6.2. KEK Download Type
The following attributes may be present in a KEK Download Type.
Exactly one attribute matching each type sent in the SAK payload MUST
be present. The attributes must follow the format defined in ISAKMP
(Section 3.3 of [RFC2408]). In the table, attributes defined as TV
are marked as Basic (B); attributes defined as TLV are marked as
Variable (V).
KEK Class Value Type
--------- ----- ----
RESERVED 0
KEK_ALGORITHM_KEY 1 V
SIG_ALGORITHM_KEY 2 V
If the KEK key packet is included, there MUST be only one present in
the KD payload.
5.6.2.1. KEK_ALGORITHM_KEY
The KEK_ALGORITHM_KEY class declares the encryption key for this SPI
is contained in the Key Packet Attribute. The encryption algorithm
that will use this key was specified in the SAK payload.
If the mode of operation for the algorithm requires an Initialization
Vector (IV), an explicit IV MUST be included in the KEK_ALGORITHM_KEY
before the actual key.
5.6.2.2. SIG_ALGORITHM_KEY
The SIG_ALGORITHM_KEY class declares that the public key for this SPI
is contained in the Key Packet Attribute, which may be useful when no
public key infrastructure is available. The signature algorithm that
will use this key was specified in the SAK payload.
5.6.3. LKH Download Type
The LKH key packet is comprised of attributes representing different
leaves in the LKH key tree.
The following attributes are used to pass an LKH KEK array in the KD
payload. The attributes must follow the format defined in ISAKMP
(Section 3.3 of [RFC2408]). In the table, attributes defined as TV
are marked as Basic (B); attributes defined as TLV are marked as
Variable (V).
KEK Class Value Type
--------- ----- ----
RESERVED 0
LKH_DOWNLOAD_ARRAY 1 V
LKH_UPDATE_ARRAY 2 V
SIG_ALGORITHM_KEY 3 V
RESERVED 4-127
Private Use 128-255
If an LKH key packet is included in the KD payload, there must be
only one present.
5.6.3.1. LKH_DOWNLOAD_ARRAY
This attribute is used to download a set of keys to a group member.
It MUST NOT be included in a GROUPKEY-PUSH message KD payload if the
GROUPKEY-PUSH is sent to more than the group member. If an
LKH_DOWNLOAD_ARRAY attribute is included in a KD payload, there must
be only one present.
This attribute consists of a header block, followed by one or more
LKH keys.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! LKH Version ! # of LKH Keys ! RESERVED !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! LKH Keys !
~ ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The KEK_LKH attribute fields are defined as follows:
o LKH version (1 octet) -- Contains the version of the LKH protocol
which the data is formatted in. Must be one.
o Number of LKH Keys (2 octets) -- This value is the number of
distinct LKH keys in this sequence.
o RESERVED (1 octet) -- Unused, set to zero. Each LKH Key is defined
as follows:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! LKH ID ! Key Type ! RESERVED !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ Key Creation Date !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ Key expiration Date !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ Key Handle !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! !
~ Key Data ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
o LKH ID (2 octets) -- This is the position of this key in the binary
tree structure used by LKH.
o Key Type (1 octet) -- This is the encryption algorithm for which
this key data is to be used. This value is specified in Section
5.3.3.
o RESERVED (1 octet) -- Unused, set to zero.
o Key Creation Date (4 octets) -- This is the time value of when this
key data was originally generated. A time value of zero indicates
that there is no time before which this key is not valid.
o Key Expiration Date (4 octets) -- This is the time value of when
this key is no longer valid for use. A time value of zero indicates
that this key does not have an expiration time.
o Key Handle (4 octets) -- This is the randomly generated value to
uniquely identify a key within an LKH ID.
o Key Data (variable length) -- This is the actual encryption key
data, which is dependent on the Key Type algorithm for its format.
If the mode of operation for the algorithm requires an Initialization
Vector (IV), an explicit IV MUST be included in the Key Data field
before the actual key.
The Key Creation Date and Key expiration Dates MAY be zero. This is
necessary in the case where time synchronization within the group is
not possible.
The first LKH Key structure in an LKH_DOWNLOAD_ARRAY attribute
contains the Leaf identifier and key for the group member. The rest
of the LKH Key structures contain keys along the path of the key tree
in order from the leaf, culminating in the group KEK.
5.6.3.2. LKH_UPDATE_ARRAY
This attribute is used to update the keys for a group. It is most
likely to be included in a GROUPKEY-PUSH message KD payload to rekey
the entire group. This attribute consists of a header block,
followed by one or more LKH keys, as defined in the previous section.
There may be any number of UPDATE_ARRAY attributes included in a KD
payload.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! LKH Version ! # of LKH Keys ! RESERVED !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! LKH ID ! RESERVED2 !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Key Handle !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! LKH Keys !
~ ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
o LKH version (1 octet) -- Contains the version of the LKH protocol
which the data is formatted in. Must be one.
o Number of LKH Keys (2 octets) -- This value is the number of
distinct LKH keys in this sequence.
o RESERVED (1 octet) -- Unused, set to zero.
o LKH ID (2 octets) -- This is the node identifier associated with
the key used to encrypt the first LKH Key.
o RESERVED2 (2 octets) -- Unused, set to zero.
o Key Handle (4 octets) -- This is the value to uniquely identify the
key within the LKH ID which was used to encrypt the first LKH key.
The LKH Keys are as defined in the previous section. The LKH Key
structures contain keys along the path of the key tree in order from
the LKH ID found in the LKH_UPDATE_ARRAY header, culminating in the
group KEK. The Key Data field of each LKH Key is encrypted with the
LKH key preceding it in the LKH_UPDATE_ARRAY attribute. The first
LKH Key is encrypted under the key defined by the LKH ID and Key
Handle found in the LKH_UPDATE_ARRAY header.
5.6.3.3. SIG_ALGORITHM_KEY
The SIG_ALGORITHM_KEY class declares that the public key for this SPI
is contained in the Key Packet Attribute, which may be useful when no
public key infrastructure is available. The signature algorithm that
will use this key was specified in the SAK payload.
5.7. Sequence Number Payload
The Sequence Number Payload (SEQ) provides an anti-replay protection
for GROUPKEY-PUSH messages. Its use is similar to the Sequence
Number field defined in the IPsec ESP protocol [RFC4303].
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Next Payload ! RESERVED ! Payload Length !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Sequence Number !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The Sequence Number Payload fields are defined as follows:
o Next Payload (1 octet) -- Identifier for the payload type of the
next payload in the message. If the current payload is the last in
the message, then this field will be zero.
o RESERVED (1 octet) -- Unused, set to zero.
o Payload Length (2 octets) -- Length in octets of the current
payload, including the generic payload header.
o Sequence Number (4 octets) -- This field contains a monotonically
increasing counter value for the group. It is initialized to zero by
the GCKS, and incremented in each subsequently-transmitted message.
Thus the first packet sent for a given Rekey SA will have a Sequence
Number of 1. The GDOI implementation keeps a sequence counter as an
attribute for the Rekey SA and increments the counter upon receipt of
a GROUPKEY-PUSH message. The current value of the sequence number
must be transmitted to group members as a part of the Registration SA
payload. A group member must keep a sliding receive window. The
window must be treated as in the ESP protocol [RFC4303] Section
3.4.3.
5.8. Nonce
The data portion of the Nonce payload (i.e., Ni_b and Nr_b included
in the HASHs) MUST be a value between 8 and 128 bytes.
6. Security Considerations
GDOI is a security association (SA) management protocol for groups of
senders and receivers. Unlike a data security protocol, SA
management includes a key establishment protocol to securely
establish keys at communication endpoints. This protocol performs
entity authentication of the GDOI member or Group Controller/Key
Server (GCKS), it provides confidentiality of key management
messages, and it provides source authentication of those messages.
This protocol also uses best-known practices for defense against man-
in-middle, connection hijacking, replay, reflection, and denial-of-
service (DOS) attacks on unsecured networks [STS], [RFC2522],
[SKEME]. GDOI assumes the network is not secure and may be under the
complete control of an attacker.
GDOI assumes that the host computer is secure even though the network
is insecure. GDOI ultimately establishes keys among members of a
group, which MUST be trusted to use those keys in an authorized
manner according to group policy. The security of GDOI, therefore,
is as good as the degree to which group members can be trusted to
protect authenticators, encryption keys, decryption keys, and message
authentication keys.
There are three phases of GDOI as described in this document: an
ISAKMP Phase 1 protocol, a new exchange called GROUPKEY-PULL which is
protected by the ISAKMP Phase 1 protocol, and a new message called
GROUPKEY-PUSH. Each phase is considered separately below.
6.1. ISAKMP Phase 1
As described in this document, GDOI uses the Phase 1 exchanges
defined in [RFC2409] to protect the GROUPKEY-PULL exchange.
Therefore all security properties and considerations of those
exchanges (as noted in [RFC2409]) are relevant for GDOI.
GDOI may inherit the problems of its ancestor protocols [FS00], such
as identity exposure, absence of unidirectional authentication, or
stateful cookies [PK01]. GDOI could benefit, however, from
improvements to its ancestor protocols just as it benefits from years
of experience and work embodied in those protocols. To reap the
benefits of future IKE improvements, however, GDOI would need to be
revised in a future standards-track RFC, which is beyond the scope of
this specification.
6.1.1. Authentication
Authentication is provided via the mechanisms defined in [RFC2409],
namely Pre-Shared Keys or Public Key encryption.
6.1.2. Confidentiality
Confidentiality is achieved in Phase 1 through a Diffie-Hellman
exchange that provides keying material, and through negotiation of
encryption transforms.
The Phase 1 protocol will be protecting encryption and integrity keys
sent in the GROUPKEY-PULL protocol. The strength of the encryption
used for Phase 1 SHOULD exceed that of the keys send in the GROUPKEY-
PULL protocol.
6.1.3. Man-in-the-Middle Attack Protection
A successful man-in-the-middle or connection-hijacking attack foils
entity authentication of one or more of the communicating entities
during key establishment. GDOI relies on Phase 1 authentication to
defeat man-in-the-middle attacks.
6.1.4. Replay/Reflection Attack Protection
In a replay/reflection attack, an attacker captures messages between
GDOI entities and subsequently forwards them to a GDOI entity.
Replay and reflection attacks seek to gain information from a
subsequent GDOI message response or seek to disrupt the operation of
a GDOI member or GCKS entity. GDOI relies on the Phase 1 nonce
mechanism in combination with a hash-based message authentication
code to protect against the replay or reflection of previous key
management messages.
6.1.5. Denial of Service Protection
A denial of service attacker sends messages to a GDOI entity to cause
that entity to perform unneeded message authentication operations.
GDOI uses the Phase 1 cookie mechanism to identify spurious messages
prior to cryptographic hash processing. This is a "weak" form of
denial of service protection in that the GDOI entity must check for
good cookies, which can be successfully imitated by a sophisticated
attacker. The Phase 1 cookie mechanism is stateful, and commits
memory resources for cookies, but stateless cookies are a better
defense against denial of service attacks.
6.2. GROUPKEY-PULL Exchange
The GROUPKEY-PULL exchange allows a group member to request SAs and
keys from a GCKS. It runs as a "phase 2" protocol under protection
of the Phase 1 security association.
6.2.1. Authentication
Peer authentication is not required in the GROUPKEY-PULL protocol.
It is running in the context of the Phase 1 protocol, which has
previously authenticated the identity of the peer.
Message authentication is provided by HASH payloads in each message,
where the HASH is defined to be over SKEYID_a (derived in the Phase 1
exchange), the ISAKMP Message-ID, and all payloads in the message.
Because only the two endpoints of the exchange know the SKEYID_a
value, this provides confidence that the peer sent the message.
6.2.2. Confidentiality
Confidentiality is provided by the Phase 1 security association,
after the manner described in [RFC2409].
6.2.3. Man-in-the-Middle Attack Protection
Message authentication (described above) includes a secret known only
to the group member and GCKS when constructing a HASH payload. This
prevents man-in-the-middle and connection-hijacking attacks because
an attacker would not be able to change the message undetected.
6.2.4. Replay/Reflection Attack Protection
Nonces provide freshness of the GROUPKEY-PULL exchange. The group
member and GCKS exchange nonce values first two messages. These
nonces are included in subsequent HASH payload calculations. The
Group member and GCKS MUST NOT perform any computationally expensive
tasks before receiving a HASH with its own nonce included. The GCKS
MUST NOT update the group management state (e.g., LKH key tree) until
it receives the third message in the exchange with a valid HASH
payload including its own nonce.
Implementations SHOULD keep a record of recently received GROUPKEY-
PULL messages and reject messages that have already been processed.
This enables an early discard of the replayed messages.
6.2.5. Denial of Service Protection
A GROUPKEY-PULL message identifies its messages using a cookie pair
from the Phase 1 exchange that precedes it. The cookies provide a
weak form of denial of service protection as described above, in the
sense that a GROUPKEY-PULL message with invalid cookies will be
discarded.
The replay protection mechanisms described above provide the basis
for denial of service protection.
6.2.6. Authorization
A GCKS implementation should maintain an authorization list of
authorized group members. Group members should maintain a list of
authorized group members as part of its Group Peer Authorization
Database (GPAD) [RFC5374].
6.3. GROUPKEY-PUSH Exchange
The GROUPKEY-PUSH exchange is a single message that allows a GCKS to
send SAs and keys to group members. This is likely to be sent to all
members using an IP multicast group. This provides an efficient
rekey and group membership adjustment capability.
6.3.1. Authentication
The GROUPKEY-PULL exchange identifies a public key that is used for
message authentication. The GROUPKEY-PUSH message is digitally
signed using the corresponding private key held by the GCKS or its
delegate. This digital signature provides source authentication for
the message. Thus, GDOI protects the GCKS from impersonation in
group environments.
6.3.2. Confidentiality
The GCKS encrypts the GROUPKEY-PUSH message with an encryption key
that was established by the GROUPKEY-PULL exchange.
6.3.3. Man-in-the-Middle Attack Protection
This combination of confidentiality and message authentication
services protects the GROUPKEY-PUSH message from man-in-middle and
connection-hijacking attacks.
6.3.4. Replay/Reflection Attack Protection
The GROUPKEY-PUSH message includes a monotonically increasing
sequence number to protect against replay and reflection attacks. A
group member will recognize a replayed message by comparing the
sequence number to a sliding window, in the same manner as the ESP
protocol uses sequence numbers.
Implementations SHOULD keep a record of recently received GROUPKEY-
PUSH messages and reject duplicate messages. This enables an early
discard of the replayed messages.
6.3.5. Denial of Service Protection
A cookie pair identifies the security association for the GROUPKEY-
PUSH message. The cookies thus serve as a weak form of denial-of-
service protection for the GROUPKEY-PUSH message.
The digital signature used for message authentication has a much
greater computational cost than a message authentication code and
could amplify the effects of a denial of service attack on GDOI
members who process GROUPKEY-PUSH messages. The added cost of
digital signatures is justified by the need to prevent GCKS
impersonation: If a shared symmetric key were used for GROUPKEY-PUSH
message authentication, then GCKS source authentication would be
impossible and any member would be capable of GCKS impersonation.
The potential of the digital signature amplifying a denial of service
attack is mitigated by the order of operations a group member takes,
where the least expensive cryptographic operation is performed first.
The group member first decrypts the message using a symmetric cipher.
If it is a validly formed message then the sequence number is checked
against the replay window. Only if the sequence number is valid is
the digital signature verified. Thus in order for a denial of
service attack to be mounted, an attacker would need to know both the
symmetric encryption key used for confidentiality, and a valid
sequence number. Generally speaking this means only current group
members can effectively deploy a denial of service attack.
6.3.6. Forward Access Control
If a group management algorithm (such as LKH) is used, forward access
control may not be ensured in some cases. This can happen if some
group members are denied access to the group in the same GROUPKEY-
PUSH message as new policy and TEKs are delivered to the group. As
discussed in Section 4.1.1, forward access control can be maintained
by sending multiple GROUPKEY-PUSH messages, where the group
membership changes are sent from the GCKS separate from the new
policy and TEKs.
7. IANA Considerations
This memo requests IANA to make several additions to existing
registries, and to add sever new GDOI registries. When the new
registries are added, the following terms are to be applied as
descrined in the Guidelines for Writing an IANA Considerations
Section in RFCs [RFC5226]: Standards Action, and Private Use.
7.1. Additions to current registries
The GDOI KEK Attribute named SIG_HASH_ALGORITHM [GDOI-REG] should be The GDOI KEK Attribute named SIG_HASH_ALGORITHM [GDOI-REG] should be
assigned several new Algorithm Type values from the RESERVED space to
represent the SHA-256, SHA-384, and SHA-512 hash algorithms as
defined in [FIPS.180-2.2002]. The new algorithm names should be
SIG_HASH_SHA256, SIG_HASH_SHA384, and SIG_HASH_SHA512 respectively
and have the values of TBD-2, TBD-3, and TBD-4 respectively.
The GDOI KEK Attributed named SIG_ALGORITHM [GDOI-REG] should be
assigned a new Algorithm Type value from the RESERVED space to assigned a new Algorithm Type value from the RESERVED space to
represent the SHA-256 hash algorithm as defined. The new algorithm represent the RSA PSS encoding type. The new algorithm name should
name should be SIG_HASH_SHA256. be SIG_ALG_RSA_PSS, and has the value of TBD-6.
A new GDOI SA TEK type Protocol-ID type [GDOI-REG] should be assigned A new GDOI SA TEK type Protocol-ID type [GDOI-REG] should be assigned
from the RESERVED space. The new algorithm id should be called from the RESERVED space. The new algorithm id should be called
GDOI_PROTO_IPSEC_AH, and refers to the IPsec AH encapsulation. GDOI_PROTO_IPSEC_AH, refers to the IPsec AH encapsulation, and has a
value of TBD-5.
A new Next Payload Type [ISAKMP-REG] should be assigned. The new A new Next Payload Type [ISAKMP-REG] should be assigned. The new
type is called "SA Group Associated Policy (GAP)". type is called "SA Group Associated Policy (GAP)", and has a value of
TBD-1.
7.2. New registries
A new namespace should be created in the GDOI Payloads registry A new namespace should be created in the GDOI Payloads registry
[GDOI-REG] to describe SA SSA Payload Values. The following rules [GDOI-REG] to describe SA SSA Payload Values. The following rules
apply to define the attributes in SA SSA Payload Values: apply to define the attributes in SA SSA Payload Values:
Attribute Type Value Type Attribute Type Value Type
---- ----- ---- ---- ----- ----
RESERVED 0 RESERVED 0
ACTIVATION_TIME_DELAY 1 B ACTIVATION_TIME_DELAY 1 B
DEACTIVATION_TIME_DELAY 2 B DEACTIVATION_TIME_DELAY 2 B
SENDER_ID 3 V SENDER_ID 3 V
Reserved to IANA 2-127 Standards Action 4-127
Private Use 128-255 Private Use 128-255
A new IPSEC Security Association Attribute [ISAKMP-REG] defining the A new IPsec Security Association Attribute [ISAKMP-REG] defining the
preservation of IP addresses is needed. The attribute class is preservation of IP addresses is needed. The attribute class is
called "Address Preservation", and it is a Basic type. The following called "Address Preservation", and it is a Basic type. The following
rules apply to define the values of the attribute: rules apply to define the values of the attribute:
Name Value Name Value
---- ----- ---- -----
Reserved 0 Reserved 0
None 1 None 1
Source-Only 2 Source-Only 2
Destination-Only 3 Destination-Only 3
Source-And-Destination 4 Source-And-Destination 4
Reserved to IANA 5-61439 Standards Action 5-61439
Private Use 61440-65535 Private Use 61440-65535
A new IPSEC Security Association Attribute [ISAKMP-REG] defining the A new IPsec Security Association Attribute [ISAKMP-REG] defining the
SA direction is needed. The attribute class is called "SA SA direction is needed. The attribute class is called "SA
Direction", and it is a Basic type. The following rules apply to Direction", and it is a Basic type. The following rules apply to
define the values of the attribute: define the values of the attribute:
Name Value Name Value
---- ----- ---- -----
Reserved 0 Reserved 0
Sender-Only 1 Sender-Only 1
Receiver-Only 2 Receiver-Only 2
Symmetric 3 Symmetric 3
Reserved to IANA 4-61439 Standards Action 4-61439
Private Use 61440-65535 Private Use 61440-65535
7. Security Considerations
This memo describes additional clarification and adds additional
attributes to be passed within the GDOI protocol. The security
considerations in RFC 3547 remain accurate, with the following
additions.
o Several minor cryptographic hash algorithm agility issues are
resolved, and the stronger SHA-256 cryptographic hash algorithm is
added.
o Protocol analysis has revealed a man-in-the-middle attack when the
GCKS does not authorize group members based on their IKE
authentication credentials. This is true even when a CERT and POP
payloads are used for authorization. Although suggested as an
option in RFC 3547, a GDOI device (group member or GCKS) SHOULD
NOT accept an identity in a CERT payload that does not match the
IKE identity used to authenticate the group member.
o Any SA TEK specifying a counter-based mode of operation with
multiple senders MUST construct the IVs in each SA TEK according
to [I-D.ietf-msec-ipsec-group-counter-modes]. The SID MUST either
be pre-configured on all group members or distributed using the
SENDER_ID attribute in the SA GAP payload. However, use of the
SENDER_ID attribute is RECOMMENDED.
8. Acknowledgements 8. Acknowledgements
This text updates RFC 3547, and the authors with to thank the authors
of that specification for their extensive contributions: Mark
Baugher, Thomas Hardjono, and Hugh Harney.
The authors are grateful to Catherine Meadows for her careful review The authors are grateful to Catherine Meadows for her careful review
and suggestions for mitigating the man-in-the-middle attack she had and suggestions for mitigating the man-in-the-middle attack she had
previously identified. previously identified.
9. References 9. References
9.1. Normative References 9.1. Normative References
[I-D.ietf-msec-ipsec-group-counter-modes] [I-D.ietf-msec-ipsec-group-counter-modes]
McGrew, D. and B. Weis, "Using Counter Modes with McGrew, D. and B. Weis, "Using Counter Modes with
Encapsulating Security Payload (ESP) and Authentication Encapsulating Security Payload (ESP) and Authentication
Header (AH) to Protect Group Traffic", Header (AH) to Protect Group Traffic",
draft-ietf-msec-ipsec-group-counter-modes-03 (work in draft-ietf-msec-ipsec-group-counter-modes-05 (work in
progress), March 2009. progress), March 2010.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3547] Baugher, M., Weis, B., Hardjono, T., and H. Harney, "The [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)",
Group Domain of Interpretation", RFC 3547, July 2003. RFC 4303, December 2005.
[RFC4306] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol",
RFC 4306, December 2005.
[RFC5374] Weis, B., Gross, G., and D. Ignjatic, "Multicast [RFC5374] Weis, B., Gross, G., and D. Ignjatic, "Multicast
Extensions to the Security Architecture for the Internet Extensions to the Security Architecture for the Internet
Protocol", RFC 5374, November 2008. Protocol", RFC 5374, November 2008.
9.2. Informative References 9.2. Informative References
[AES-MODES]
Dworkin, M., "Recommendation for Block Cipher Modes of
Operation", United States of America, National Institute
of Science and Technology NIST Special Publication 800-38A
2001 Edition, December 2001.
[FIPS.180-2.2002] [FIPS.180-2.2002]
National Institute of Standards and Technology, "Secure National Institute of Standards and Technology, "Secure
Hash Standard", FIPS PUB 180-2, August 2002, <http:// Hash Standard", FIPS PUB 180-2, August 2002, <http://
csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf>. csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf>.
[FIPS186-2]
"Digital Signature Standard (DSS)", United States of
America, National Institute of Science and
Technology Federal Information Processing Standard (FIPS)
186-2, January 2001.
[FIPS197] "Advanced Encryption Standard (AES)", United States of
America, National Institute of Science and
Technology Federal Information Processing Standard (FIPS)
197, November 2001.
[FIPS46-3]
"Data Encryption Standard (DES)", United States of
America, National Institute of Science and
Technology Federal Information Processing Standard (FIPS)
46-3, October 1999.
[FIPS81] "DES Modes of Operation", United States of America,
National Institute of Science and Technology Federal
Information Processing Standard (FIPS) 81, December 1980.
[FS00] Ferguson, N. and B. Schneier, Counterpane, "A
Cryptographic Evaluation of IPsec",
<http://www.counterpane.com/ipsec.html>.
[GDOI-REG] [GDOI-REG]
Internet Assigned Numbers Authority, "Group Domain of Internet Assigned Numbers Authority, "Group Domain of
Interpretation (GDOI) Payload Type Values", IANA Registry, Interpretation (GDOI) Payload Type Values", IANA Registry,
December 2004, December 2004,
<http://www.iana.org/assignments/gdoi-payloads>. <http://www.iana.org/assignments/gdoi-payloads>.
[ISAKMP-REG] [ISAKMP-REG]
Internet Assigned Numbers Authority, "Internet Security "'Magic Numbers' for ISAKMP Protocol",
Association and Key Management Protocol (ISAKMP)
Identifiers ISAKMP Attributes", IANA Registry,
January 2006,
<http://www.iana.org/assignments/isakmp-registry>. <http://www.iana.org/assignments/isakmp-registry>.
[MP04] Meadows, C. and D. Pavlovic, "Deriving, Attacking, and [MP04] Meadows, C. and D. Pavlovic, "Deriving, Attacking, and
Defending the GDOI Protocol", ESORICS 2004 pp. 53-72, Defending the GDOI Protocol", ESORICS 2004 pp. 53-72,
September 2004. September 2004.
[NNL] Naor, D., Noal, M., and J. Lotspiech, "Revocation and
Tracing Schemes for Stateless Receivers", Advances in
Cryptology, Crypto '01, Springer-Verlag LNCS 2139, 2001,
pp. 41-62, 2001,
<http://www.wisdom.weizmann.ac.il/~naor/>.
[OFT] McGrew, D. and A. Sherman, "Key Establishment in Large
Dynamic Groups Using One-Way Function Trees", Manuscript,
submitted to IEEE Transactions on Software Engineering,
1998, <http://download.nai.com/products/media/nai/misc/
oft052098.ps>.
[PK01] Perlman, R. and C. Kaufman, "Analysis of the IPsec Key
Exchange Standard", WET-ICE conference , 2001,
<http://sec.femto.org/wetice-2001/papers/radia-paper.pdf>.
[RFC2403] Madson, C. and R. Glenn, "The Use of HMAC-MD5-96 within
ESP and AH", RFC 2403, November 1998.
[RFC2404] Madson, C. and R. Glenn, "The Use of HMAC-SHA-1-96 within
ESP and AH", RFC 2404, November 1998.
[RFC2407] Piper, D., "The Internet IP Security Domain of [RFC2407] Piper, D., "The Internet IP Security Domain of
Interpretation for ISAKMP", RFC 2407, November 1998. Interpretation for ISAKMP", RFC 2407, November 1998.
[RFC2408] Maughan, D., Schneider, M., and M. Schertler, "Internet [RFC2408] Maughan, D., Schneider, M., and M. Schertler, "Internet
Security Association and Key Management Protocol Security Association and Key Management Protocol
(ISAKMP)", RFC 2408, November 1998. (ISAKMP)", RFC 2408, November 1998.
[RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange
(IKE)", RFC 2409, November 1998.
[RFC2522] Karn, P. and W. Simpson, "Photuris: Session-Key Management
Protocol", RFC 2522, March 1999.
[RFC2627] Wallner, D., Harder, E., and R. Agee, "Key Management for
Multicast: Issues and Architectures", RFC 2627, June 1999.
[RFC3447] Jonsson, J. and B. Kaliski, "Public-Key Cryptography [RFC3447] Jonsson, J. and B. Kaliski, "Public-Key Cryptography
Standards (PKCS) #1: RSA Cryptography Specifications Standards (PKCS) #1: RSA Cryptography Specifications
Version 2.1", RFC 3447, February 2003. Version 2.1", RFC 3447, February 2003.
[RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V.
Jacobson, "RTP: A Transport Protocol for Real-Time
Applications", STD 64, RFC 3550, July 2003.
[RFC3686] Housley, R., "Using Advanced Encryption Standard (AES) [RFC3686] Housley, R., "Using Advanced Encryption Standard (AES)
Counter Mode With IPsec Encapsulating Security Payload Counter Mode With IPsec Encapsulating Security Payload
(ESP)", RFC 3686, January 2004. (ESP)", RFC 3686, January 2004.
[RFC4046] Baugher, M., Canetti, R., Dondeti, L., and F. Lindholm, [RFC4046] Baugher, M., Canetti, R., Dondeti, L., and F. Lindholm,
"Multicast Security (MSEC) Group Key Management "Multicast Security (MSEC) Group Key Management
Architecture", RFC 4046, April 2005. Architecture", RFC 4046, April 2005.
[RFC4106] Viega, J. and D. McGrew, "The Use of Galois/Counter Mode [RFC4106] Viega, J. and D. McGrew, "The Use of Galois/Counter Mode
(GCM) in IPsec Encapsulating Security Payload (ESP)", (GCM) in IPsec Encapsulating Security Payload (ESP)",
RFC 4106, June 2005. RFC 4106, June 2005.
[RFC4302] Kent, S., "IP Authentication Header", RFC 4302, [RFC4301] Kent, S. and K. Seo, "Security Architecture for the
December 2005. Internet Protocol", RFC 4301, December 2005.
[RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)",
RFC 4303, December 2005.
[RFC4309] Housley, R., "Using Advanced Encryption Standard (AES) CCM [RFC4309] Housley, R., "Using Advanced Encryption Standard (AES) CCM
Mode with IPsec Encapsulating Security Payload (ESP)", Mode with IPsec Encapsulating Security Payload (ESP)",
RFC 4309, December 2005. RFC 4309, December 2005.
[RFC4430] Sakane, S., Kamada, K., Thomas, M., and J. Vilhuber,
"Kerberized Internet Negotiation of Keys (KINK)",
RFC 4430, March 2006.
[RFC4543] McGrew, D. and J. Viega, "The Use of Galois Message [RFC4543] McGrew, D. and J. Viega, "The Use of Galois Message
Authentication Code (GMAC) in IPsec ESP and AH", RFC 4543, Authentication Code (GMAC) in IPsec ESP and AH", RFC 4543,
May 2006. May 2006.
[RFC4868] Kelly, S. and S. Frankel, "Using HMAC-SHA-256, HMAC-SHA-
384, and HMAC-SHA-512 with IPsec", RFC 4868, May 2007.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 5226,
May 2008.
[SKEME] Krawczyk, H., "SKEME: A Versatile Secure Key Exchange
Mechanism for Internet", ISOC Secure Networks and
Distributed Systems Symposium San Diego, 1996.
[STS] Diffie, W., Van Oorschot, P., and M. Wiener,
"Authentication and Authenticated Key Exchanges", Designs,
Codes and Cryptography, 2, 107-125 (1992), Kluwer Academic
Publishers, 1992.
Appendix A. Alternate GDOI Phase 1 protocols
This section describes a manner in which other protocols could be
used as GDOI Phase 1 protocols in place of the ISAKMP Phase 1
protocol. However, they are not specified as a part of this
document. A separate document MUST be written in order for another
protocol to be used as a GDOI Phase 1 protocol.
Other possible phase 1 protocols are also described in [RFC4046].
Any GDOI phase 1 protocol MUST satisfy the requirements specified in
Section 2 of this document.
A.1. IKEv2 Phase 1 protocol
Version 2 of the IKE protocol (IKEv2) [RFC4306] has been published.
That protocol seeks to simplify the IKE Phase 1 and Phase 2
protocols, and improve the security of the IKE protocol. An IKEv2
Phase 1 negotiates an IPsec SA during phase 1, which was not possible
in IKE. However, IKEv2 also defines a phase 2 protocol. The phase 2
protocol is protected by the Phase 1, similar in concept to how IKE
Quick Mode is protected by the IKE Phase 1 protocols in [RFC2409].
IKEv2 may not include a DOI value in the SA payload. However, since
GDOI uses a unique port, choice of a phase 2 protocol in the SA
payload using a GDOI value is not necessary. It is expected that an
IKEv2 Phase 1 protocol definition could be run on the GDOI port. The
SA payload in the protocol would be specific to GDOI, or omitted if
not needed at all.
The GROUPKEY-PULL protocol would follow the IKEv2 Phase 1 protocol in
the same manner as described in this document.
A.2. KINK Protocol
The Kerberized Internet Negotiation of Keys (KINK) [RFC4430] has
defined a method of encapsulating an IKE Quick Mode [RFC2409]
encapsulated in Kerberos KRB_AP_REQ and KRB_AP_REP payloads. KINK
provides a low-latency, computationally inexpensive, easily managed,
and cryptographically sound method of setting up IPsec security
associations.
The KINK message format includes a GDOI field in the KINK header.
The [RFC4430] document defines the DOI for the IPsec DOI.
A new DOI for KINK could be defined which would encapsulate a
GROUPKEY-PULL exchange in the Kerberos KRB_AP_REQ and KRB_AP_REP
payloads. As such, GDOI would benefit from the computational
efficiencies of KINK.
Appendix B. Significant Changes from RFC 3547
The following significant changes have been made from RFC 3547.
o The Proof of Possession (POP) payload was removed from the
GROUPKEY-PULL exchange. It provided an alternate form of
authorization, but its use was underspecified. Furthermore,
Meadows and Pavlovic [MP04] discussed a man-in-the-middle attack
on the POP authorization method, which would require changes to
its semantics. No known implementation of RFC 3547 supported the
POP payload, so it was removed. Removal of the POP payload
obviated the need for the CERT payload in that exchange and it was
removed as well.
o The Key Exchange Payloads (KE_I, KE_R) payloads were removed from
the GROUPKEY-PULL exchange. However, the specification for
computing keying material for the additional encryption function
in RFC 3547 is faulty. Furthermore, it has been observed that
because the GDOI registration message uses strong ciphers and
provides authenticated encryption, additional encryption of the
keying material in a GDOI registration message provides negligible
value. Therefore, the use of KE payloads is deprecated in this
memo.
o Supported cryptographic algorithms were changed to meet current
guidance. Implementations are required to support AES with 128-
bit keys to encrypt the rekey message, and SHA-256 for
cryptographic signatures. The use of DES is deprecated.
o New protocol support for AH.
o New protocol definitions were added to conform to the most recent
Security Architecture for the Internet Protocol [RFC4301] and the
Multicast Extensions to the Security Architecture for the Internet
Protocol[RFC5374].
o New protocol definitions were added to support Using Counter Modes
with ESP and AH to Protect Group
Traffic[I-D.ietf-msec-ipsec-group-counter-modes].
Authors' Addresses Authors' Addresses
Brian Weis Brian Weis
Cisco Systems Cisco Systems
170 W. Tasman Drive 170 W. Tasman Drive
San Jose, California 95134-1706 San Jose, California 95134-1706
USA USA
Phone: +1-408-526-4796 Phone: +1-408-526-4796
Email: bew@cisco.com Email: bew@cisco.com
 End of changes. 140 change blocks. 
431 lines changed or deleted 1992 lines changed or added

This html diff was produced by rfcdiff 1.38. The latest version is available from http://tools.ietf.org/tools/rfcdiff/