MSEC Working Group                                               B. Weis
Internet-Draft                                                 S. Rowles
Intended status: Standards Track                           Cisco Systems
Expires: September 7, 2009 9, 2010                                 March 6, 2009

          Updates to 8, 2010

                   The Group Domain of Interpretation
                     draft-ietf-msec-gdoi-update-05

Abstract

   This document describes an updated version of the Group Domain of
   Interpretation (GDOI)
                     draft-ietf-msec-gdoi-update-04 protocols.  GDOI is an ISAMKP Domain of
   Interpretation (DOI) for group key management to support secure group
   communications.  The GDOI manages group security associations, which
   are used by IPSEC and potentially other data security protocols
   running at the IP or application layers.  These security associations
   protect one or more key-encrypting keys, traffic-encrypting keys, or
   data shared by group members.

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.  This document may contain material
   from IETF Documents or IETF Contributions published or made publicly
   available before November 10, 2008.  The person(s) controlling the
   copyright in some of this material may not have granted the IETF
   Trust the right to allow modifications of such material outside the
   IETF Standards Process.  Without obtaining an adequate license from
   the person(s) controlling the copyright in such materials, this
   document may not be modified outside the IETF Standards Process, and
   derivative works of it may not be created outside the IETF Standards
   Process, except to format it for publication as an RFC or to
   translate it into languages other than English.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on September 7, 2009. 9, 2010.

Copyright Notice

   Copyright (c) 2009 2010 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document (http://trustee.ietf.org/license-info). document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.

Abstract  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the BSD License.

   This memo describes updates to document may contain material from IETF Documents or IETF
   Contributions published or made publicly available before November
   10, 2008.  The person(s) controlling the Group Domain copyright in some of Interpretation
   (GDOI) .  It provides clarification where this
   material may not have granted the original text is
   unclear.  It also includes adds several new algorithm attribute
   values, including complete support for algorithm agility.

Table IETF Trust the right to allow
   modifications of Contents such material outside the IETF Standards Process.
   Without obtaining an adequate license from the person(s) controlling
   the copyright in such materials, this document may not be modified
   outside the IETF Standards Process, and derivative works of it may
   not be created outside the IETF Standards Process, except to format
   it for publication as an RFC or to translate it into languages other
   than English.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  5  6
     1.1.  Requirements notation  . . . . . . . . . . . . . . . . . .  5

   2.  RFC 3547 Clarification  7
     1.2.  GDOI Applications  . . . . . . . . . . . . . . . . . . . .  6
     2.1.  SA KEK Payload  7
     1.3.  Extending GDOI . . . . . . . . . . . . . . . . . . . . . .  6
     2.2.  SA TEK Payload  8

   2.  GDOI Phase 1 protocol  . . . . . . . . . . . . . . . . . . . .  9
     2.1.  ISAKMP Phase 1 protocol  . .  6
     2.3.  KD Payload . . . . . . . . . . . . . . .  9
       2.1.1.  DOI value  . . . . . . . . .  7
     2.4.  SEQ Payload . . . . . . . . . . . . .  9
       2.1.2.  UDP port . . . . . . . . . .  7
     2.5.  POP Payload . . . . . . . . . . . . .  9

   3.  GROUPKEY-PULL Exchange . . . . . . . . . .  8
     2.6.  CERT Payload . . . . . . . . . . 10
     3.1.  Authorization  . . . . . . . . . . . . .  8
     2.7.  SIG Payload . . . . . . . . . 10
     3.2.  Messages . . . . . . . . . . . . . .  8
     2.8.  KE Payload . . . . . . . . . . . 10
       3.2.1.  ISAKMP Header Initialization . . . . . . . . . . . . .  8
     2.9.  Attribute behavour 12
     3.3.  Initiator Operations . . . . . . . . . . . . . . . . . . . 12
     3.4.  Receiver Operations  .  9
     2.10. Deletion of SAs . . . . . . . . . . . . . . . . . . 13

   4.  GROUPKEY-PUSH Message  . . .  9

   3.  Authorization . . . . . . . . . . . . . . . . . 15
     4.1.  Forward and Backward Access Control  . . . . . . . 10

   4.  Harmonization with RFC 5374 . . . . 16
       4.1.1.  Forward Access Control Requirements  . . . . . . . . . 16
     4.2.  Delegation of Key Management . . . . 12
     4.1.  Group Security Policy Database Attributes . . . . . . . . 12
       4.1.1.  Address Preservation . . . 17
     4.3.  Use of signature keys  . . . . . . . . . . . . . . 12
       4.1.2.  SA Direction . . . . 17
     4.4.  ISAKMP Header Initialization . . . . . . . . . . . . . . . 17
     4.5.  Deletion of SAs  . . 12
       4.1.3.  Re-key rollover . . . . . . . . . . . . . . . . . . . 13

   5.  New GDOI Attributes 18
     4.6.  GCKS Operations  . . . . . . . . . . . . . . . . . . . . . 14
     5.1.  Signature Hash Algorithm 18
     4.7.  Group Member Operations  . . . . . . . . . . . . . . . . . 14
     5.2.  Support of AH 19

   5.  Payloads and Defined Values  . . . . . . . . . . . . . . . . . 20
     5.1.  Identification Payload . . . . . 14
     5.3.  Group Associated Policy . . . . . . . . . . . . . 20
     5.2.  Security Association Payload . . . . 16
       5.3.1.  ACTIVATION_TIME_DELAY . . . . . . . . . . . 20
       5.2.1.  Payloads following the SA payload  . . . . . 17
       5.3.2.  DEACTIVATION_TIME_DELAY . . . . . 21
     5.3.  SA KEK payload . . . . . . . . . . 17
       5.3.3.  SENDER_ID . . . . . . . . . . . . 22
       5.3.1.  KEK Attributes . . . . . . . . . . 17
         5.3.3.1.  GCKS Semantics . . . . . . . . . . 24
       5.3.2.  KEK_MANAGEMENT_ALGORITHM . . . . . . . . 18 . . . . . . . 24
       5.3.3.  KEK_ALGORITHM  . . . . . . . . . . . . . . . . . . . . 24
         5.3.3.1.  KEK_ALG_DES  . . . . . . . . . . . . . . . . . . . 25
         5.3.3.2.  Group Member Semantics  KEK_ALG_3DES . . . . . . . . . . . . . . 18

   6.  IANA Considerations . . . . . 25
         5.3.3.3.  KEK_ALG_AES  . . . . . . . . . . . . . . . . . . 19

   7.  Security Considerations . 25
       5.3.4.  KEK_KEY_LENGTH . . . . . . . . . . . . . . . . . . 21

   8.  Acknowledgements . . 25
       5.3.5.  KEK_KEY_LIFETIME . . . . . . . . . . . . . . . . . . . 26
       5.3.6.  SIG_HASH_ALGORITHM . . 22
   9.  References . . . . . . . . . . . . . . . . 26
       5.3.7.  SIG_ALGORITHM  . . . . . . . . . . 23
     9.1.  Normative References . . . . . . . . . . 26
         5.3.7.1.  SIG_ALG_RSA  . . . . . . . . . 23
     9.2.  Informative References . . . . . . . . . . 27
         5.3.7.2.  SIG_ALG_DSS  . . . . . . . . 23

   Authors' Addresses . . . . . . . . . . . 27
         5.3.7.3.  SIG_ALG_ECDSS  . . . . . . . . . . . . . 25

1.  Introduction

   The . . . . . 27
         5.3.7.4.  SIG_ALG_RSA_PSS  . . . . . . . . . . . . . . . . . 27

       5.3.8.  SIG_KEY_LENGTH . . . . . . . . . . . . . . . . . . . . 27
     5.4.  Group Domain of Interpretation (GDOI) [RFC3547] is a group key
   management protocol fitting into the Multicast Security Associated Policy  . . . . . . . . . . . . . . . . . 27
       5.4.1.  ACTIVATION_TIME_DELAY  . . . . . . . . . . . . . . . . 28
       5.4.2.  DEACTIVATION_TIME_DELAY  . . . . . . . . . . . . . . . 28
       5.4.3.  SENDER_ID  . . . . . . . . . . . . . . . . . . . . . . 29
         5.4.3.1.  GCKS Semantics . . . . . . . . . . . . . . . . . . 29
         5.4.3.2.  Group Key
   Management Architecture [RFC4046].  GDOI is used to disseminate
   policy and corresponding secrets to a group of participants.  GDOI is
   implemented Member Semantics . . . . . . . . . . . . . . 30
     5.5.  SA TEK Payload . . . . . . . . . . . . . . . . . . . . . . 30
       5.5.1.  GDOI_PROTO_IPSEC_ESP/GDOI_PROTO_IPSEC_AH . . . . . . . 31
         5.5.1.1.  Harmonization with RFC 5374  . . . . . . . . . . . 33
           5.5.1.1.1.  Group Security Policy Database Attributes  . . 33
           5.5.1.1.2.  Address Preservation . . . . . . . . . . . . . 33
           5.5.1.1.3.  SA Direction . . . . . . . . . . . . . . . . . 33
           5.5.1.1.4.  Re-key rollover  . . . . . . . . . . . . . . . 34
       5.5.2.  Other Security Protocols . . . . . . . . . . . . . . . 34
     5.6.  Key Download Payload . . . . . . . . . . . . . . . . . . . 35
       5.6.1.  TEK Download Type  . . . . . . . . . . . . . . . . . . 36
         5.6.1.1.  TEK_ALGORITHM_KEY  . . . . . . . . . . . . . . . . 37
         5.6.1.2.  TEK_INTEGRITY_KEY  . . . . . . . . . . . . . . . . 37
         5.6.1.3.  TEK_SOURCE_AUTH_KEY  . . . . . . . . . . . . . . . 37
       5.6.2.  KEK Download Type  . . . . . . . . . . . . . . . . . . 38
         5.6.2.1.  KEK_ALGORITHM_KEY  . . . . . . . . . . . . . . . . 38
         5.6.2.2.  SIG_ALGORITHM_KEY  . . . . . . . . . . . . . . . . 38
       5.6.3.  LKH Download Type  . . . . . . . . . . . . . . . . . . 38
         5.6.3.1.  LKH_DOWNLOAD_ARRAY . . . . . . . . . . . . . . . . 39
         5.6.3.2.  LKH_UPDATE_ARRAY . . . . . . . . . . . . . . . . . 41
         5.6.3.3.  SIG_ALGORITHM_KEY  . . . . . . . . . . . . . . . . 42
     5.7.  Sequence Number Payload  . . . . . . . . . . . . . . . . . 42
     5.8.  Nonce  . . . . . . . . . . . . . . . . . . . . . . . . . . 43

   6.  Security Considerations  . . . . . . . . . . . . . . . . . . . 44
     6.1.  ISAKMP Phase 1 . . . . . . . . . . . . . . . . . . . . . . 44
       6.1.1.  Authentication . . . . . . . . . . . . . . . . . . . . 44
       6.1.2.  Confidentiality  . . . . . . . . . . . . . . . . . . . 45
       6.1.3.  Man-in-the-Middle Attack Protection  . . . . . . . . . 45
       6.1.4.  Replay/Reflection Attack Protection  . . . . . . . . . 45
       6.1.5.  Denial of Service Protection . . . . . . . . . . . . . 45
     6.2.  GROUPKEY-PULL Exchange . . . . . . . . . . . . . . . . . . 45
       6.2.1.  Authentication . . . . . . . . . . . . . . . . . . . . 46
       6.2.2.  Confidentiality  . . . . . . . . . . . . . . . . . . . 46
       6.2.3.  Man-in-the-Middle Attack Protection  . . . . . . . . . 46
       6.2.4.  Replay/Reflection Attack Protection  . . . . . . . . . 46
       6.2.5.  Denial of Service Protection . . . . . . . . . . . . . 46
       6.2.6.  Authorization  . . . . . . . . . . . . . . . . . . . . 47
     6.3.  GROUPKEY-PUSH Exchange . . . . . . . . . . . . . . . . . . 47
       6.3.1.  Authentication . . . . . . . . . . . . . . . . . . . . 47
       6.3.2.  Confidentiality  . . . . . . . . . . . . . . . . . . . 47
       6.3.3.  Man-in-the-Middle Attack Protection  . . . . . . . . . 47
       6.3.4.  Replay/Reflection Attack Protection  . . . . . . . . . 47
       6.3.5.  Denial of Service Protection . . . . . . . . . . . . . 48
       6.3.6.  Forward Access Control . . . . . . . . . . . . . . . . 48

   7.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 49
     7.1.  Additions to current registries  . . . . . . . . . . . . . 49
     7.2.  New registries . . . . . . . . . . . . . . . . . . . . . . 49

   8.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 51

   9.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 52
     9.1.  Normative References . . . . . . . . . . . . . . . . . . . 52
     9.2.  Informative References . . . . . . . . . . . . . . . . . . 52

   Appendix A.  Alternate GDOI Phase 1 protocols  . . . . . . . . . . 56
     A.1.  IKEv2 Phase 1 protocol . . . . . . . . . . . . . . . . . . 56
     A.2.  KINK Protocol  . . . . . . . . . . . . . . . . . . . . . . 56

   Appendix B.  Significant Changes from RFC 3547 . . . . . . . . . . 58

   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 59

1.  Introduction

   This document presents an ISAMKP Domain of Interpretation (DOI) for
   group key management called the "Group Domain of Interpretation"
   (GDOI).  In this group key management model, the GDOI protocol is run
   between a group member and a "group controller/key server" (GCKS),
   which establishes security associations among authorized group
   members.  ISAKMP defines two "phases" of negotiation (p.16 of
   [RFC2408]).  The GDOI MUST be protected by a Phase 1 security
   association.  This document incorporates the Phase 1 security
   association (SA) definition from the Internet DOI [RFC2407],
   [RFC2409].  Other possible Phase 1 security association types are
   noted in Appendix A.  The Phase 2 exchange is defined in this
   document, and proposes new payloads and exchanges according to the
   ISAKMP standard (p. 14 of [RFC2408]).

   There are five payloads specific to GDOI:

      1) GDOI SA

      2) SA KEK (SAK) which follows the SA payload

      3) SA TEK (SAT) which follows the SA payload

      4) Key Download Array (KD)

      5) Sequence number (SEQ)

   There are two GDOI exchanges.

   1) A Phase 2 exchange creates Re-key and Data-Security Protocol SAs.

   The new Phase 2 exchange, called "GROUPKEY-PULL," downloads keys for
   a group's "Re-key" SA and/or "Data-security" SA.  The Re-key SA
   includes a key encrypting key, or KEK, common to the group; a Data-
   security SA includes a data encryption key, or TEK, used by a data-
   security protocol to encrypt or decrypt data traffic Section 2.1 of
   [RFC2407].  The SA for the KEK or TEK includes authentication keys,
   encryption keys, cryptographic policy, and attributes.  The GROUPKEY-
   PULL exchange uses "pull" behavior since the member initiates the
   retrieval of these SAs from a GCKS.

   2) A datagram subsequently establishes additional Rekey and/or Data-
   Security Protocol SAs.

   The GROUPKEY-PUSH datagram is "pushed" from the GCKS to the members
   to create or update a Re-key or Data-security SA.  A Re-key SA
   protects GROUPKEY-PUSH messages.  Thus, a GROUPKEY-PULL is necessary
   to establish at least one Re-key SA in order to protect subsequent
   GROUPKEY-PUSH messages.  The GCKS encrypts the GROUPKEY-PUSH message
   using the KEK Re-key SA.  GDOI accommodates the use of arrays of KEKs
   for group key management algorithms using the Logical Key Hierarchy
   (LKH) algorithm to efficiently add and remove group members
   [RFC2627].  Implementation of the LKH algorithm is OPTIONAL.

   Although the GROUPKEY-PUSH specified by this document can be used to
   refresh a Re-key SA, the most common use of GROUPKEY-PUSH is to
   establish a Data-security SA for a data security protocol.  GDOI can
   accommodate future extensions to support a variety of data security
   protocols.  This document only specifies data-security SAs for
   security protocols, IPsec ESP and IPsec AH.  A security protocol uses
   the TEK and "owns" the data-security SA in the same way that IPsec
   ESP uses the IKE Phase 2 keys and owns the Phase 2 SA; for GDOI,
   IPsec ESP or IPsec AH use the TEK.

   Thus, GDOI is a group security association management protocol: All
   GDOI messages are used to create, maintain, or delete security
   associations for a group.  As described above, these security
   associations protect one or more key-encrypting keys, traffic-
   encrypting keys, or data shared by group members for multicast and
   groups security applications.

1.1.  Requirements notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

1.2.  GDOI Applications

   Secure multicast applications include video broadcast and multicast
   file transfer.  Many of these applications require network security
   and may use IPsec ESP or AH to secure their data traffic.
   Section 5.5.1 specifies how GDOI carries the needed SA parameters for
   ESP or AH.  In this way, GDOI supports multicast ESP or AH with group
   authentication of ESP or AH packets using the shared, group key.

   GDOI can also secure group applications that do not use multicast
   transport such as video-on-demand.  For example, the GROUPKEY-PUSH
   message may establish a pair-wise IPsec ESP or AH SA for a member of
   a subscription group without the need for key management exchanges
   and costly asymmetric cryptography.

1.3.  Extending GDOI

   Not all secure multicast or multimedia applications can use IPsec ESP
   or AH.  Many Real Time Transport Protocol applications, for example,
   require security above the IP layer to preserve RTP header
   compression efficiencies and transport-independence [RFC3550].  A
   future RTP security protocol may benefit from using GDOI to establish
   group SAs.

   In order to add a new data security protocol, a new RFC MUST specify
   the data-security SA parameters conveyed by GDOI for that security
   protocol; these parameters are listed in Section 5.5.2 of this
   document.

   Data security protocol SAs MUST protect group traffic.  GDOI provides
   no restriction on whether that group traffic is transmitted as
   unicast or multicast packets.

2.  GDOI Phase 1 protocol

   GDOI is a "phase 2" protocol which MUST be protected by a "phase 1"
   protocol.  The "phase 1" protocol can be any protocol which provides
   for the following protections:

   o  Peer Authentication

   o  Confidentiality

   o  Message Integrity

   The following sections describe one such "phase 1" protocol.  Other
   protocols which may be potential "phase 1" protocols are described in
   Appendix A.  However, the use of the protocols listed there are not
   considered part of this document.

2.1.  ISAKMP Phase 1 protocol

   This document defines how the ISAKMP phase 1 exchanges as defined in
   [RFC2409] can be used a "phase 1" protocol for GDOI.  The following
   sections define characteristics of the ISAKMP phase 1 protocols that
   are unique for these exchanges when used for GDOI.

   Section 6.1 describes how the ISAKMP Phase 1 protocols meet the
   requirements of a GDOI "phase 1" protocol.

2.1.1.  DOI value

   The Phase 1 SA payload has a DOI value.  That value MUST be the GDOI
   DOI value as defined later in this document.

2.1.2.  UDP port

   IANA has assigned port 848 for the use of GDOI.

3.  GROUPKEY-PULL Exchange

   The goal of the GROUPKEY-PULL exchange is to establish a Re-key
   and/or Data-security SAs at the member for a particular group.  A
   Phase 1 SA protects the GROUPKEY-PULL; there MAY be multiple
   GROUPKEY-PULL exchanges for a given Phase 1 SA.  The GROUPKEY-PULL
   exchange downloads the data security keys (TEKs) and/or group key
   encrypting key (KEK) or KEK array under the protection of the Phase 1
   SA.

3.1.  Authorization

   The Phase 1 identity SHOULD be used by a GCKS to authorize the Phase
   2 (GROUPKEY-PULL) request for a group key.  Similarly, a group member
   SHOULD ensure that the Phase 1 identity of the GCKS is an authorized
   GCKS.  When no authorization is performed, it is possible for a rogue
   GDOI participant to perpetrate a man-in-the-middle attack between a
   group member and a GCKS [MP04].

3.2.  Messages

   The GROUPKEY-PULL is a Phase 2 exchange.  Phase 1 computes SKEYID_a
   which is the "key" in the keyed hash used in the GROUPKEY-PULL HASH
   payloads.  When using the Phase 1 defined in this document, SKEYID_a
   is derived according to [RFC2409].  As with the IKE HASH payload
   generation (Section 5.5 of [RFC2409], each GROUPKEY-PULL message
   hashes a uniquely defined set of values.  Nonces permute the HASH and
   provide some protection against replay attacks.  Replay protection is
   important to protect the GCKS from attacks that a key management
   server will attract.

   The GROUPKEY-PULL uses nonces to guarantee "liveness", or against
   replay of a recent GROUPKEY-PULL message.  The replay attack is only
   useful in the context of the current Phase 1.  If a GROUPKEY-PULL
   message is replayed based on a previous Phase 1, the HASH calculation
   will fail due to a wrong SKEYID_a.  The message will fail processing
   before the nonce is ever evaluated.  In order for either peer to get
   the benefit of the replay protection, it must postpone as much
   processing as possible until it receives the message in the protocol
   that proves the peer is live.  For example, the Responder MUST NOT
   adjust its internal state (e.g., keeping a record of the Initiator)
   until it receives a message with Nr included properly in the HASH
   payload.

   Nonces require an additional message in the protocol exchange to
   ensure that the GCKS does not add a group member until it proves
   liveliness.  The GROUPKEY-PULL member-initiator expects to find its
   nonce, Ni, in the HASH of a returned message.  And the GROUPKEY-PULL
   GCKS responder expects to see its nonce, Nr, in the HASH of a
   returned message before providing group-keying material as in the
   following exchange.

              Initiator (Member)                   Responder (GCKS)
              ------------------                   ----------------
              HDR*, HASH(1), Ni, ID     -->
                                        <--     HDR*, HASH(2), Nr, SA
              HDR*, HASH(3)             -->
                                        <--     HDR*, HASH(4), [SEQ,] KD

   Hashes are computed as follows:

        HASH(1) = prf(SKEYID_a, M-ID | Ni | ID)
        HASH(2) = prf(SKEYID_a, M-ID | Ni_b | Nr | SA)
        HASH(3) = prf(SKEYID_a, M-ID | Ni_b | Nr_b
        HASH(4) = prf(SKEYID_a, M-ID | Ni_b | Nr_b [ | SEQ | ] KD)

      * Protected by the Phase 1 SA, encryption occurs after HDR

   HDR is an ISAKMP header payload that uses the Phase 1 cookies and a
   message identifier (M-ID) as in IKE [RFC2409].  Note that nonces are
   included in the first two exchanges, with the GCKS returning only the
   SA policy payload before liveliness is proven.  The HASH payloads
   [RFC2409] prove that the peer has the Phase 1 secret (SKEYID_a) and
   the nonce for the exchange identified by message id, M-ID.  Once
   liveliness is established, the last message completes the real
   processing of downloading the KD payload.

   In addition to the Nonce and HASH payloads, the member-initiator
   identifies the group it wishes to join through the ISAKMP ID payload.
   The GCKS responder informs the member of the current value of the
   sequence number in the SEQ payload; the sequence number provides
   anti-replay state associated with a KEK.  The SEQ payload has no
   other use, and is omitted from the GROUPKEY_PULL exchange when a KEK
   attribute is not included in the SA payload.

   When a SEQ payload is included in the GROUPKEY-PULL exchange, it
   includes the most recently used sequence number for the group.  At
   the conclusion of a GROUPKEY-PULL exchange, the initiating group
   member MUST NOT accept any rekey message with both the KEK attribute
   SPI value and a sequence number less than or equal to the one
   received during the GROUPKEY-PULL.  When the first group member
   initiates a GROUPKEY-PULL exchange, the GCKS provides a Sequence
   Number of zero, since no GROUPKEY-PUSH messages have yet been sent.
   Note the sequence number increments only with GROUPKEY-PUSH messages.

   The GROUPKEY-PULL exchange distributes the current sequence number to
   the group member.

   The sequence number resets to a value of one with the usage of a new
   KEK attribute.  Thus the first packet sent for a given Rekey SA will
   have a Sequence Number of 1.  The sequence number increments with
   each successive rekey.

   The GCKS responder informs the member of the cryptographic policies
   of the group in the SA payload, which describes the DOI, KEK and/or
   TEK keying material, and authentication transforms.  The SPIs are
   also determined by the GCKS and downloaded in the SA payload chain
   (see Section 5.2).  The SA KEK attribute contains the ISAKMP cookie
   pair for the Re-key SA, which is not negotiated but downloaded.  The
   SA TEK attribute contains a SPI as defined in Section 5.5 of this
   document.  The second message downloads this SA payload.  If a Re-key
   SA is defined in the SA payload, then KD will contain the KEK; if one
   or more Data-security SAs are defined in the SA payload, KD will
   contain the TEKs.  This is useful if there is an initial set of TEKs
   for the particular group and can obviate the need for future TEK
   GROUPKEY-PUSH messages (described in section 4).

3.2.1.  ISAKMP Header Initialization

   Cookies are used in the ISAKMP header as a weak form of denial of
   service protection.  The GDOI GROUPKEY-PULL exchange uses cookies
   according to ISAKMP [RFC2408].

   Next Payload identifies an ISAKMP or GDOI payload (see Section 5.0).

   Major Version is 1 and Minor Version is 0 according to ISAKMP
   (Section 3.1 of [RFC2408]).

   The Exchange Type has value 32 for the GDOI GROUPKEY-PULL exchange.

   Flags, Message ID, and Length are according to ISAKMP (Section 3.1 of
   [RFC2408]).

3.3.  Initiator Operations

   Before a group member (GDOI initiator) contacts the GCKS, it must
   determine the group identifier and acceptable Phase 1 policy via an
   out-of-band method.  Phase 1 is initiated using the GDOI DOI in the
   SA payload.  Once Phase 1 is complete, the initiator state machine
   moves to the GDOI protocol.

   To construct the first GDOI message the initiator chooses Ni and
   creates a nonce payload, builds an identity payload including the
   group identifier, and generates HASH(1).

   Upon receipt of the second GDOI message, the initiator validates
   HASH(2), extracts the nonce Nr, and interprets the SA payload.  If
   the policy in the SA payload is acceptable (e.g., the security
   protocol and cryptographic protocols can be supported by the
   initiator), the initiator continues the protocol.

   The initiator constructs the third GDOI message by creating HASH(3).

   Upon receipt of the fourth GDOI message, the initiator validates
   HASH(4).

   If SEQ payload is present, the sequence number in the SEQ payload
   must be checked against any previously received sequence number for
   this group.  If it is less than the previously received number, it
   should be considered stale and ignored.  This could happen if two
   GROUPKEY-PULL messages happened in parallel, and the sequence number
   changed between the times the results of two GROUPKEY-PULL messages
   were returned from the GCKS.

   The initiator interprets the KD key packets, matching the SPIs in the
   key packets to SPIs previously sent in the SA payloads identifying
   particular policy.  For TEKs, once the keys and policy are matched,
   the initiator is ready to send or receive packets matching the TEK
   policy.  (If policy and keys had been previously received for this
   TEK policy, the initiator may decide instead to ignore this TEK
   policy in case it is stale.)  If this group has a KEK, the KEK policy
   and keys are marked as ready for use, and the group member knows to
   expect the sequence number reset to 1 with the next Rekey SA, which
   will be encrypted with the new KEK attribute.

3.4.  Receiver Operations

   The GCKS (responder) passively listens for incoming requests from
   group members.  The Phase 1 authenticates the group member and sets
   up the secure session with them.

   Upon receipt of the first GDOI message the GCKS validates HASH(1),
   extracts the Ni and group identifier in the ID payload.  It verifies
   that its database contains the group information for the group
   identifier.

   The GCKS constructs the second GDOI message, including a nonce Nr,
   and the policy for the group in an SA payload, followed by SA TEK
   payloads for traffic SAs, and SA KEK policy (if the group controller
   will be sending Re-key messages to the group).

   Upon receipt of the third GDOI message the GCKS validates HASH(3).

   The GCKS constructs the fourth GDOI message, including the SEQ
   payload (if the GCKS sends rekey messages), and the KD payload
   containing keys corresponding to policy previously sent in the SA TEK
   and SA KEK payloads.

4.  GROUPKEY-PUSH Message

   GDOI sends control information securely using group communications.
   Typically this will be using IP multicast distribution of a GROUPKEY-
   PUSH message but it can also be "pushed" using unicast delivery if IP
   multicast is not possible.  The GROUPKEY-PUSH message replaces a Re-
   key SA KEK or KEK array, and/or creates a new Data-security SA.

              Member                               GCKS or Delegate
              ------                               ----------------
                              <---- HDR*, SEQ, SA, KD, [CERT,] SIG

      * Protected by the Re-key SA KEK; encryption occurs after HDR

   HDR is defined below.  The SEQ payload is defined in the Payloads
   section.  The SA defines the policy (e.g., protection suite) and
   attributes (e.g., SPI) for a Re-key and/or Data-security SAs.  The
   GCKS or delegate optionally provides a CERT payload for verification
   of the SIG.  KD is the key download payload as described in the
   Payloads section.

   The SIG payload includes a signature of a hash of the entire
   GROUPKEY-PUSH message (excepting the SIG payload bytes) before it has
   been encrypted.  The HASH is taken over the string 'rekey', the
   GROUPKEY-PUSH HDR, SEQ, SA, KD, and optionally the CERT payload.  The
   prefixed string ensures that the signature of the Rekey datagram
   cannot be used for any other purpose in the GDOI protocol.  After the
   SIG payload is created using the signature of the above hash, the
   current KEK encryption key encrypts all the payloads following the
   GROUPKEY-PUSH HDR.  Note: The rationale for this order of operations
   is given in Section 6.3.5.

   If the SA defines an LKH KEK array or single KEK, KD contains a KEK
   or KEK array for a new Re-key SA, which has a new cookie pair.  When
   the KD payload carries a new SA KEK attribute (section 5.3), a Re-key
   SA is replaced with a new SA having the same group identifier (ID
   specified in message 1 of section 3.2) and incrementing the same
   sequence counter, which is initialized in message 4 of section 3.2.
   Note the first packet for the given Rekey SA encrypted with the new
   KEK attribute will have a Sequence number of 1.  If the SA defines an
   SA TEK payload, this informs the member that a new Data-security SA
   has been created, with keying material carried in KD (Section 5.6).

   If the SA defines a large LKH KEK array (e.g., during group
   initialization and batched rekeying), parts of the array MAY be sent
   in different unique GROUPKEY-PUSH datagrams.  However, each of the
   GROUPKEY-PUSH datagrams MUST be a fully formed GROUPKEY-PUSH
   datagram.  This results in each datagram containing a sequence number
   and the policy in the SA payload, which corresponds to the KEK array
   portion sent in the KD payload.

4.1.  Forward and Backward Access Control

   Through GROUPKEY-PUSH, the GDOI supports algorithms such as LKH that
   have the property of denying access to a new group key by a member
   removed from the group (forward access control) and to an old group
   key by a member added to the group (backward access control).  An
   unrelated notion to PFS, "forward access control" and "backward
   access control" have been called "perfect forward security" and
   "perfect backward security" in the literature [RFC2627].

   Group management algorithms providing forward and backward access
   control other than LKH have been proposed in the literature,
   including OFT [OFT] and Subset Difference [NNL].  These algorithms
   could be used with GDOI, but are not specified as a part of this
   document.

   Support for group management algorithms is supported via the
   KEY_MANAGEMENT_ALGORITHM attribute which is sent in the SA_KEK
   payload.  GDOI specifies one method by which LKH can be used for
   forward and backward access control.  Other methods of using LKH, as
   well as other group management algorithms such as OFT or Subset
   Difference may be added to GDOI as part of a later document.  Any
   such addition MUST be due to a Standards Action as defined in
   [RFC5226].

4.1.1.  Forward Access Control Requirements

   When group membership is altered using a group management algorithm
   new SA_TEKs (and their associated keys) are usually also needed.  New
   SAs and keys ensure that members who were denied access can no longer
   participate in the group.

   If forward access control is a desired property of the group, new
   SA_TEKs and the associated key packets in the KD payload MUST NOT be
   included in a GROUPKEY-PUSH message which changes group membership.
   This is required because the SA_TEK policy and the associated key
   packets in the KD payload are not protected with the new KEK.  A
   second GROUPKEY-PUSH message can deliver the new SA_TEKS and their
   associated keys because it will be protected with the new KEK, and
   thus will not be visible to the members who were denied access.

   If forward access control policy for the group includes keeping group
   policy changes from members that are denied access to the group, then
   two sequential GROUPKEY-PUSH messages changing the group KEK MUST be
   sent by the GCKS.  The first GROUPKEY-PUSH message creates a new KEK
   for the group.  Group members, which are denied access, will not be
   able to access the new KEK, but will see the group policy since the
   GROUPKEY-PUSH message is protected under the current KEK.  A
   subsequent GROUPKEY-PUSH message containing the changed group policy
   and again changing the KEK allows complete forward access control.  A
   GROUPKEY-PUSH message MUST NOT change the policy without creating a
   new KEK.

   If other methods of using LKH or other group management algorithms
   are added to GDOI, those methods MAY remove the above restrictions
   requiring multiple GROUPKEY-PUSH messages, providing those methods
   specify how forward access control policy is maintained within a
   single GROUPKEY-PUSH message.

4.2.  Delegation of Key Management

   GDOI supports delegation of GROUPKEY-PUSH datagrams through the
   delegation capabilities of the PKI.  However, GDOI does not
   explicitly specify how the GCKS identifies delegates, but leaves this
   to the PKI that is used by a particular GDOI implementation.

4.3.  Use of signature keys

   The GCKS SHOULD NOT use the same key to sign the SIG payload in the
   GROUPKEY-PUSH message as was used for authentication in the GROUPKEY-
   PULL exchange.

4.4.  ISAKMP Header Initialization

   Unlike ISAKMP or IKE, the cookie pair is completely determined by the
   GCKS.  The cookie pair in the GDOI ISAKMP header identifies the Re-
   key SA to differentiate the secure groups managed by a GCKS.  Thus,
   GDOI uses the cookie fields as an SPI.

   Next Payload identifies an ISAKMP or GDOI payload (see Section 5.0).

   Major Version is 1 and Minor Version is 0 according to ISAKMP
   (Section 3.1 of [RFC2408]).

   The Exchange Type has value 33 for the GDOI GROUPKEY-PUSH message.

   Flags MUST have the Encryption bit set according to [RFC2008, Section
   3.1].  All other bits MUST be set to zero.

   Message ID MUST be set to zero.

   Length is according to ISAKMP (Section 3.1 of [RFC2408]).

4.5.  Deletion of SAs

   There are times the GCKS may want to signal to receivers to delete
   SAs, for example at the end of a broadcast.  Deletion of keys may be
   accomplished by sending an ISAKMP Delete payload (Section 3.15 of
   [RFC2408]) as part of a GDOI GROUPKEY-PUSH message.

   One or more Delete payloads MAY be placed following the SEQ payload
   in a GROUPKEY-PUSH message.  If a GCKS has no further SAs to send to
   group members, the SA and KD payloads MUST be omitted from the
   message.

   The following fields of the Delete Payload are further defined as
   follows:

   o The Domain of Interpretation field contains the GDOI DOI.

   o The Protocol-Id field contains TEK protocol id values defined in
   Section 5.5 of this document.  To delete a KEK SA, the value of zero
   MUST be used as the protocol id.  Note that only one protocol id
   value can be defined in a Delete payload.  If a TEK SA and a KEK SA
   must be deleted, they must be sent in different Delete payloads.

   There may be circumstances where the GCKS may want to start over with
   a clean slate.  If the administrator is no longer confident in the
   integrity of the group, the GCKS can signal deletion of all policy of
   a particular TEK protocol by sending a TEK with a SPI value equal to
   zero in the delete payload.  For example, if the GCKS wishes to
   remove all the KEKs and all the TEKs in the group, the GCKS SHOULD
   send a delete payload with a spi of zero and a protocol_id of a TEK
   protocol_id value, followed by another delete payload with a spi of
   zero and protocol_id of zero, indicating that the KEK SA should be
   deleted.

4.6.  GCKS Operations

   GCKS or its delegate may initiate a Rekey message for one of several
   reasons, e.g., the group membership has changed or keys are due to
   expire.

   To begin the rekey datagram the GCKS builds an ISAKMP HDR with the
   correct cookie pair, and a SEQ payload that includes a sequence
   number which is one greater than the previous rekey datagram.  If the
   message is using the new KEK attribute for the first time, the SEQ is
   reset to 1 in this message.

   An SA payload is then added.  This is identical in structure and
   meaning to a SA payload sent in a GROUPKEY-PULL exchange.  If there
   are changes to the KEK (in the case of a static KEK) or in group
   membership (in the case of LKH) an SA_KEK attribute is added to the
   SA.  If there are one or more new TEKs then SA_TEK attributes are
   added to describe that policy.

   A KD payload is then added.  This is identical in structure and
   meaning to a KD payload sent in a GROUPKEY-PULL exchange.  If an
   SA_KEK attribute was included in the SA payload then corresponding
   KEK keys (or a KEK array) is included.  TEK keys are sent for each
   SA_TEK attribute included in the SA payload.

   A CERT payload is added if the initiator needs to provide its
   certificate.

   In the penultimate step, the initiator hashes the string "rekey"
   followed by the key management message already formed.  The hash is
   signed, placed in a SIG payload and added to the datagram.

   Lastly, the payloads following the HDR are encrypted using the
   current KEK encryption key.  The datagram can now be sent.

4.7.  Group Member Operations

   A group member receiving the GROUPKEY-PUSH datagram matches the
   cookie pair in the ISAKMP HDR to an existing SA.  The message is
   decrypted, and the form of the datagram is validated.  This weeds out
   obvious ill-formed messages (which may be sent as part of a Denial of
   Service attack on the group).

   The signature of the decrypted message is then validated, possibly
   using the CERT payload if it is included.

   The sequence number in the SEQ payload is validated to ensure that it
   is greater than the previously received sequence number, and that it
   fits within a window of acceptable values.

   The SA and KD payloads are processed which results in a new GDOI
   Rekey SA (if the SA payload included an SA_KEK attribute) and/or new
   IPsec SAs being added to the system.

5.  Payloads and Defined Values

   This document specifies use of several ISAKMP payloads, which are
   defined in accordance with RFC 2408.  The following payloads are
   extended or further specified.

                  Next Payload Type            Value
                  -----------------            -----
                  Security Association (SA)      1
                  Identification (ID)            5
                  Nonce (N)                     10

   Several payload formats specific to the group security exchanges are
   required.

                  Next Payload Type                Value
                  -----------------                -----
                  SA KEK Payload (SAK)              15
                  SA TEK Payload (SAT)              16
                  Key Download (KD)                 17
                  Sequence Number (SEQ)             18
                  SA Group Associated Policy (GAP) TBD-1

5.1.  Identification Payload

   The Identification Payload is defined in RFC 2408.  For the GDOI, it
   is used to identify a group identity that will later be associated
   with Security Associations for the group.  A group identity may map
   to a specific IP multicast group, or may specify a more general
   identifier, such as one that represents a set of related multicast
   streams.

   When used with the GDOI, the DOI Specific ID Data field MUST be set
   to 0.

   When used with the GDOI, the ID_KEY_ID ID Type MUST be supported by a
   conforming implementation, and MUST specify a four (4)-octet group
   identifier as its value.  Implementations MAY also support other ID
   Types.

5.2.  Security Association Payload

   The Security Association payload is defined in RFC 2408.  For the
   GDOI, it is used by the GCKS to assert security attributes for both
   Re-key and Data-security SAs.

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       ! Next Payload  !   RESERVED    !         Payload Length        !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       !                              DOI                              !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       !                           Situation                           !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       ! SA Attribute Next Payload     !          RESERVED2            !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!

   The Security Association Payload fields are defined as follows:

   o Next Payload (1 octet) -- Identifies the next payload for the
   GROUPKEY-PULL or the GROUPKEY-PUSH message as defined above.  The
   next payload MUST NOT be a SAK Payload or SAT Payload type, but the
   next non-Security Association type payload.

   o RESERVED (1 octet) -- Must be zero.

   o Payload Length (2 octets) -- Is the octet length of the current
   payload including the generic header and all TEK and KEK payloads.

   o DOI (4 octets) -- Is the GDOI, which is value 2.

   o Situation (4 octets) -- Must be zero.

   o SA Attribute Next Payload (1 octet) -- Must be either a SAK Payload
   or a SAT Payload.  See section 5.2.1 for a description of which
   circumstances are required for each payload type to be present.

   o RESERVED (2 octets) -- Must be zero.

5.2.1.  Payloads following the SA payload

   Payloads that define specific security association attributes for the
   KEK and/or TEKs used by the group MUST follow the SA payload.  How
   many of each payload is dependent upon the group policy.  There may
   be zero or one SAK Payloads, zero or more GAP Payloads, and zero or
   more SAT Payloads, where either one SAK or SAT payload MUST be
   present.  When present, the order of the SA Attributes payloads must
   be: KEK, GAP, and TEKs.

   This latitude allows various group policies to be accommodated.  For
   example if the group policy does not require the use of a Re-key SA,
   the GCKS would not need to send an SA KEK attribute to the group
   member since all SA updates would be performed using the Registration
   SA.  Alternatively, group policy might use a Re-key SA but choose to
   download a KEK to the group member only as part of the Registration
   SA.  Therefore, the KEK policy (in the SA KEK attribute) would not be
   necessary as part of the Re-key SA message SA payload.

   Specifying multiple SATs allows multiple sessions to be part of the
   same group and multiple streams to be associated with a session
   (e.g., video, audio, and text) but each with individual security
   association policy.

5.3.  SA KEK payload

   The SA KEK (SAK) payload contains security attributes for the KEK
   method for a group and parameters specific to the GROUPKEY-PULL
   operation.  The source and destination identities describe the
   identities used for the GROUPKEY-PULL datagram.

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       ! Next Payload  !   RESERVED    !         Payload Length        !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       !    Protocol   !  SRC ID Type  !         SRC ID Port           !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       !SRC ID Data Len!          SRC Identification Data              ~
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       ! DST ID Type   !         DST ID Port           !DST ID Data Len!
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       !                    DST Identification Data                    ~
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       !                                                               !
       ~                              SPI                              ~
       !                                                               !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       !           RESERVED            !           RESERVED            !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       ~                        KEK Attributes                         ~
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!

   The SAK Payload fields are defined as follows:

   o Next Payload (1 octet) -- Identifies the next payload for the
   GROUPKEY-PULL or the GROUPKEY-PUSH message.  The only valid next
   payload types for this message are a GAP Payload, SAT Payload or zero
   to indicate that no SA Attribute payloads follow.

   o RESERVED (1 octet) -- Must be zero.

   o Payload Length (2 octets) -- Length of this payload, including the
   KEK attributes.

   o Protocol (1 octet) -- Value describing an IP protocol ID (e.g.,
   UDP/TCP) for the rekey datagram.

   o SRC ID Type (1 octet) -- Value describing the identity information
   found in the SRC Identification Data field.  Defined values are
   specified by the IPsec Identification Type section in the IANA
   isakmpd-registry [ISAKMP-REG].

   o SRC ID Port (2 octets) -- Value specifying a port associated with
   the source Id.  A value of zero means that the SRC ID Port field
   should be ignored.

   o SRC ID Data Len (1 octet) -- Value specifying the length of the SRC
   Identification Data field.

   o SRC Identification Data (variable length) -- Value, as indicated by
   the SRC ID Type.

   o DST ID Type (1 octet) -- Value describing the identity information
   found in the DST Identification Data field.  Defined values are
   specified by the IPsec Identification Type section in the IANA
   isakmpd-registry [ISAKMP-REG].

   o DST ID Prot (1 octet) -- Value describing an IP protocol ID (e.g.,
   UDP/TCP).

   o DST ID Port (2 octets) -- Value specifying a port associated with
   the source Id.

   o DST ID Data Len (1 octet) -- Value specifying the length of the DST
   Identification Data field.

   o DST Identification Data (variable length) -- Value, as indicated by
   the DST ID Type.

   o SPI (16 octets) -- Security Parameter Index for the KEK.  The SPI
   must be the ISAKMP Header cookie pair where the first 8 octets become
   the "Initiator Cookie" field of the GROUPKEY-PUSH message ISAKMP HDR,
   and the second 8 octets become the "Responder Cookie" in the same
   HDR.  As described above, these cookies are assigned by the GCKS.

   o KEK Attributes -- Contains KEK policy attributes associated with
   the group.  The following sections describe the possible attributes.
   Any or all attributes may be optional, depending on hosts the group policy.

5.3.1.  KEK Attributes

   The following attributes may be present in a SAK Payload.  The
   attributes must follow the format defined in ISAKMP (Section 3.3 of
   [RFC2408]).  In the table, attributes that are defined as TV are
   marked as Basic (B); attributes that are defined as TLV are marked as
   Variable (V).

                ID Class                   Value    Type
                --------                   -----    ----
                RESERVED                     0
                KEK_MANAGEMENT_ALGORITHM     1        B
                KEK_ALGORITHM                2        B
                KEK_KEY_LENGTH               3        B
                KEK_KEY_LIFETIME             4        V
                SIG_HASH_ALGORITHM           5        B
                SIG_ALGORITHM                6        B
                SIG_KEY_LENGTH               7        B

   The KEK_MANAGEMENT_ALGORITHM attribute may only be included in a
   GROUPKEY-PULL message.

5.3.2.  KEK_MANAGEMENT_ALGORITHM

   The KEK_MANAGEMENT_ALGORITHM class specifies the group KEK management
   algorithm used to provide forward or backward access control (i.e.,
   used to exclude group members).  Defined values are specified in the
   following table.

                  KEK Management Type               Value
                  -------------------               -----
                  RESERVED                            0
                  LKH                                 1
                  RESERVED                           2-127
                  Private Use                       128-255

5.3.3.  KEK_ALGORITHM

   The KEK_ALGORITHM class specifies the encryption algorithm using with
   the KEK.  Defined values are specified in the following table.  An
   GDOI implementation MUST abort if it encounters and attribute or
   capability that it does not understand.

                   Algorithm Type  Value
                   --------------  -----
                   RESERVED           0
                   KEK_ALG_DES        1
                   KEK_ALG_3DES       2
                   KEK_ALG_AES        3
                   RESERVED         4-127
                   Private Use    128-255

   A GDOI implementation MUST support the KEK_ALG_AES algorithm
   attribute.  A GDOI implementation SHOULD NOT use KEK_ALG_DES, as the
   level of security is not considered strong enough for this purpose.

   If a KEK_MANAGEMENT_ALGORITHM is defined which defines multiple keys
   (e.g., LKH), and if the management algorithm does not specify the
   algorithm for those keys, then the algorithm defined by the
   KEK_ALGORITHM attribute MUST be used for all keys which are included
   as part of the management.

5.3.3.1.  KEK_ALG_DES

   This algorithm specifies DES using the Cipher Block Chaining (CBC)
   mode as described in [FIPS81].

5.3.3.2.  KEK_ALG_3DES

   This algorithm specifies 3DES using three independent keys as
   described in "Keying Option 1" in [FIPS46-3].

5.3.3.3.  KEK_ALG_AES

   This algorithm specifies AES as described in [FIPS197].  The mode of
   operation for AES is Cipher Block Chaining (CBC) as recommended in
   [AES-MODES].

5.3.4.  KEK_KEY_LENGTH

   The KEK_KEY_LENGTH class specifies the KEK Algorithm key length (in
   bits).  The Group Controller/Key Server (GCKS) adds the KEK_KEY_LEN
   attribute to the SA payload when distributing KEK policy to group
   members.  The group member verifies whether or not it has the
   capability of using a cipher key of that size.  If the cipher
   definition includes a fixed key length (e.g., KEK_ALG_3DES), the
   group member can make its decision solely using KEK_ALGORITHM
   attribute and does not need the KEK_KEY_LEN attribute.  Sending the
   KEK_KEY_LEN attribute in the SA payload is OPTIONAL if the KEK cipher
   has a fixed key length.  Also, note that the KEK_KEY_LEN includes
   only the actual length of the cipher key (the IV length is not
   included in this attribute).

5.3.5.  KEK_KEY_LIFETIME

   The KEK_KEY_LIFETIME class specifies the maximum time for which the
   KEK is valid.  The GCKS may refresh the KEK at any time before the
   end of the valid period.  The value is a four (4) octet number
   defining a valid time period in seconds.

5.3.6.  SIG_HASH_ALGORITHM

   SIG_HASH_ALGORITHM specifies the SIG payload hash algorithm.  The
   following table defines the algorithms for SIG_HASH_ALGORITHM.

                   Algorithm Type  Value
                   --------------  -----
                   RESERVED           0
                   SIG_HASH_MD5       1
                   SIG_HASH_SHA1      2
                   SIG_HASH_SHA256   TBD-2
                   SIG_HASH_SHA384   TBD-3
                   SIG_HASH_SHA512   TBD-4
                   RESERVED         6-127
                   Private Use   128-255

   The SHA hash algorithms are defined in the Secure Hash
   Standard[FIPS.180-2.2002].  SIG_HASH_MD5 and SIG_HASH_SHA1 SHOULD NOT
   be used, as the level of security is not considered strong enough for
   this purpose.

   SIG_HASH_ALGORITHM is not required if the SIG_ALGORITHM is
   SIG_ALG_DSS or SIG_ALG_ECDSS, which imply SIG_HASH_SHA1.

5.3.7.  SIG_ALGORITHM

   The SIG_ALGORITHM class specifies the SIG payload signature
   algorithm.  Defined values are specified in the following table.

                   Algorithm Type  Value
                   --------------  -----
                   RESERVED           0
                   SIG_ALG_RSA        1
                   SIG_ALG_DSS        2
                   SIG_ALG_ECDSS      3
                   SIG_ALG_RSA_PSS  TBD-6
                   RESERVED         4-127
                   Private Use    128-255

   A GDOI implementation MUST support the following algorithm attribute:
   SIG_ALG_RSA.

5.3.7.1.  SIG_ALG_RSA

   This algorithm specifies the RSA digital signature algorithm using
   the EMSA-PKCS1-v1_5 encoding method, as described in [RFC3447].

5.3.7.2.  SIG_ALG_DSS

   This algorithm specifies the DSS digital signature algorithm as
   described in [FIPS186-2].

5.3.7.3.  SIG_ALG_ECDSS

   This algorithm specifies the Elliptic Curve digital signature
   algorithm as described in [FIPS186-2].

5.3.7.4.  SIG_ALG_RSA_PSS

   This algorithm specifies the RSA digital signature algorithm using
   the EMSA-PSS encoding method, as described in [RFC3447].

5.3.8.  SIG_KEY_LENGTH

   The SIG_KEY_LENGTH class specifies the length of the SIG payload key
   in bits.

5.4.  Group Associated Policy

   RFC 3547 provides for the distribution of policy in the GROUPKEY-PULL
   exchange in an SA payload.  Policy can define GROUPKEY-PUSH policy
   (SA KEK) or traffic encryption policy (SA TEK) such as IPsec policy.
   There is a need to distribute group policy that fits into neither
   category.  Some of this policy is generic to the group, and some is
   sender-specific policy for a particular group member.

   GDOI distributes this associated group policy in a new payload called
   the SA Group Associated Policy (SA GAP).  The SA GAP payload follows
   any SA KEK payload, and is placed before any SA TEK payloads.  In the
   case that group policy does not include an SA KEK, the SA Attribute
   Next Payload field in the SA payload MAY indicate the SA GAP payload.

   The SA GAP payload is defined as follows:

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       ! Next Payload  !   RESERVED    !        Payload Length         !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       !               Group Associated Policy Attributes              ~
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!

   The SA GAP payload fields are defined as follows:

   o  Next Payload (1 octet) -- Identifies the next payload present in
      the GROUPKEY-PULL or the GROUPKEY-PUSH message.  The only valid
      next payload type for this message is an SA TEK or zero to
      indicate there are no more security association attributes.

   o  RESERVED (1 octet) -- Must be zero.

   o  Payload Length (2 octets) -- Length of this payload, including the
      SA GAP header and Attributes.

   o  Group Associated Policy Attributes (variable) -- Contains
      attributes following the format defined in Section 3.3 of RFC
      2408.

   Several group associated policy attributes are defined in this memo.
   An GDOI implementation MUST abort if it encounters and attribute or
   capability that it does not understand.

5.4.1.  ACTIVATION_TIME_DELAY

   This attribute allows a GCKS to set the Activation Time Delay for SAs
   generated from TEKs.  The value is in seconds.  If a group member
   receives a TEK with an ATD value, but discovers that it has no
   current SAs matching the policy in the TEK, then it SHOULD create and
   install SAs from the TEK immediately.

5.4.2.  DEACTIVATION_TIME_DELAY

   This attribute allows a GCKS to set the Deactivation Time Delay for
   SAs generated from TEKs.  The value is in seconds.

5.4.3.  SENDER_ID

   Several new AES counter-based modes of operation have been specified
   for ESP [RFC3686],[RFC4106],[RFC4309],[RFC4543] and AH [RFC4543].
   These AES counter-based modes require that no two senders in the
   group ever send a packet with the same IV.  This requirement can be
   met using the method described in
   [I-D.ietf-msec-ipsec-group-counter-modes], which requires each sender
   to be allocated a unique Sender ID (SID).  The SENDER_ID attribute is
   used to distribute a SID to a group member during the GROUPKEY-PULL
   message.  Other algorithms with the same need may be defined in the
   future; the sender MUST use the IV construction method described
   above with those algorithms as well.

   The SENDER_ID attribute value contains the following fields.

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       !   SID Length  !                    SID Value                  ~
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!

   o  SID Length (1 octet) -- A natural number defining the number of
      bits to be used in the SID field of the counter mode transform
      nonce.

   o  SID Value (variable) -- The Sender ID value allocated to the group
      member.

5.4.3.1.  GCKS Semantics

   The GCKS maintains a SID counter (SIDC).  It is incremented each time
   a SENDER_ID attribute is distributed to a group member.  The first
   group member to register is given the SID of 1.

   Any group member registering will be given a new SID value, which
   allows group members to act as a group sender when an older SID value
   becomes unusable (as described in the next section).

   A GCKS MAY allocate multiple SID values in one SA GAP payload.
   Allocating several SID values at the same time to a group member
   expected to send at a high rate would obviate the need for the group
   member to re-register as frequently.

   If a GCKS allocates all SID values, it can no longer respond to GDOI
   registrations and must re-initialize the entire group.  This is done
   by issuing DELETE notifications for all ESP and AH SAs in a GDOI
   rekey message, resetting the SIDC to zero, and creating new ESP and
   AH SAs that match the group policy.  When group members re-register,
   the SIDs are allocated again beginning with the value 1 as described
   above.  Each re-registering group member will be given a new SID and intermediate systems
   the new group policy.

   The SENDER_ID attribute MUST NOT be sent as part of a GROUPKEY-PUSH
   message, because distributing the same sender-specific policy to protect more
   than one group IP
   communication (e.g., IP multicast packets) member may reduce the security of the group.

5.4.3.2.  Group Member Semantics

   The SENDER_ID attribute value distributed to the group member MUST be
   used by encapsulating them with that group member as the IP Encapsulating Security Sender Identifier (SID) field
   portion of the IV.  The SID is used for all counter mode SAs
   distributed by the GCKS to be used for communications sent as a part
   of this group.

   When the Sender-Specific IV (SSIV) field for any IPsec SA is
   exhausted, the group member MUST no longer act as a sender using its
   active SID.  The group member SHOULD re-register, during which time
   the GCKS will issue a new SID to the group member.  The new SID
   replaces the existing SID used by this group member, and also resets
   the SSIV value to it's starting value.  A group member MAY re-
   register prior to the actual exhaustion of the SSIV field to avoid
   dropping data packets due to the exhaustion of available SSIV values
   combined with a particular SID value.

   A group member MUST NOT process SENDER_ID attribute present in a
   GROUPKEY-PUSH message.

5.5.  SA TEK Payload

   The SA TEK (SAT) payload contains security attributes for a single
   TEK associated with a group.

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       ! Next Payload (ESP) [RFC4303] packets.
   Several factors have prompted new  !   RESERVED    !         Payload Length        !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       ! Protocol-ID   !       TEK Protocol-Specific Payload           ~
       +-+-+-+-+-+-+-+-+                                               ~
       ~                                                               ~
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!

   The SAT Payload fields are defined as follows:

   o Next Payload (1 octet) -- Identifies the next payload for updates the
   GROUPKEY-PULL or the GROUPKEY-PUSH message.  The only valid next
   payload types for this message are another SAT Payload or zero to GDOI including:
   indicate there are no more security association attributes.

   o  the discovery RESERVED (1 octet) -- Must be zero.

   o Payload Length (2 octets) -- Length of inconsistencies in RFC 3547, this payload, including the
   TEK Protocol-Specific Payload.

   o Protocol-ID (1 octet) -- Value specifying the Security Protocol.
   The following table defines values for the Security Protocol

             Protocol ID                       Value
             -----------                       -----
             RESERVED                            0
             GDOI_PROTO_IPSEC_ESP                1
             GDOI_PROTO_IPSEC_AH                TBD-5
             RESERVED                           3-127
             Private Use                      128-255

   o TEK Protocol-Specific Payload (variable) -- Payload which need
      clarification (Section 2), describes
   the attributes specific for the Protocol-ID.

5.5.1.  GDOI_PROTO_IPSEC_ESP/GDOI_PROTO_IPSEC_AH

   The TEK Protocol-Specific payload for ESP and AH is as follows:

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       !    Protocol   !  SRC ID Type  !         SRC ID Port           !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       !SRC ID Data Len!          SRC Identification Data              ~
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       ! DST ID Type   !         DST ID Port           !DST ID Data Len!
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       ! DST Identification Data                                       ~
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       ! Transform ID  !                        SPI                    !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       !      SPI      !       RFC 2407 SA Attributes                  ~
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!

   The SAT Payload fields are defined as follows:

   o  the publishing of Protocol (1 octet) -- Value describing an attack on the IP protocol (Section 3)

   o  the publishing ID (e.g.,
   UDP/TCP).  A value of zero means that the Multicast Extensions to the Security
      Architecture for the Internet Protocol [RFC5374], which has
      implications to the policy distributed by group key management
      (Section 4), field should be
   ignored.

   o SRC ID Type (1 octet) -- Value describing the need for new GDOI algorithm attributes, including the need to
      support SHA-256 [FIPS.180-2.2002] as an alternative to the SHA-1
      and MD5 hash algorithms (Section 5).

   The clarification and modifications in this memo update RFC 3547.

1.1.  Requirements notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described identity information
   found in [RFC2119].

2.  RFC 3547 Clarification

   Implementation experience of RFC 3547 has revealed a few areas of
   text that are not sufficiently precise.  This section provides
   clarifying text for those areas.

2.1.  SA KEK Payload

   Section 5.3 of RFC 4357 defines the SA KEK payload.  It includes the
   "POP Key Length" field,The units of this field SRC Identification Data field.  Defined values are not explicitly
   specified in RFC 3547.  The value MUST be a number representing by the
   length of key IPsec Identification Type section in bits.  In the case of POP_ALG_RSA, the value
   represents the size of the modulus.

   Section 5.3 of RFC 4357 also defines the POP Algorithm of type of
   POP_ALG_RSA, but does not specify which PKCS#1 [RFC3447] encoding
   method is employed.  To match existing practice, this memo requires
   that it be the EMSA-PKCS1-v1_5 encoding method.

   The units of IANA
   isakmpd-registry [ISAKMP-REG].

   o SRC ID Port (2 octets) -- Value specifying a port associated with
   the SIG_KEY_LENGTH KEK attribute source Id.  A value was not
   explicitly specified in section 5.3.8 of RFC 3547.  The value MUST zero means that the SRC ID Port field
   should be
   a number representing ignored.

   o SRC ID Data Len (1 octet) -- Value specifying the length of the KEK encryption key in bits.

   The Group Controller/Key Server (GCKS) adds the KEK_KEY_LEN attribute
   to SRC
   Identification Data field.

   o SRC Identification Data (variable length) -- Value, as indicated by
   the SA payload when distributing KEK policy SRC ID Type.  Set to group members.  The
   group member verifies whether or not it has the capability three bytes of using zero for multiple-source
   multicast groups that use a
   cipher key common TEK for all senders.

   o DST ID Type (1 octet) -- Value describing the identity information
   found in the DST Identification Data field.  Defined values are
   specified by the IPsec Identification Type section in the IANA
   isakmpd-registry [ISAKMP-REG].

   o DST ID Prot (1 octet) -- Value describing an IP protocol ID (e.g.,
   UDP/TCP).  A value of zero means that size.  If the cipher definition includes DST Id Prot field should be
   ignored.

   o DST ID Port (2 octets) -- Value specifying a fixed
   key length (e.g., KEK_ALG_3DES), port associated with
   the group member can make its
   decision solely using KEK_ALGORITHM attribute and does not need source Id.  A value of zero means that the
   KEK_KEY_LEN attribute.  Sending DST ID Port field
   should be ignored.

   o DST ID Data Len (1 octet) -- Value specifying the KEK_KEY_LEN attribute in length of the SA
   payload is OPTIONAL if DST
   Identification Data field.

   o DST Identification Data (variable length) -- Value, as indicated by
   the KEK cipher has a fixed key length.

   Minimum attributes that must DST ID Type.

   o Transform ID (1 octet) -- Value specifying which ESP or AH
   transform is to be sent as part used.  The list of an SA KEK:
   KEK_ALGORITHM, KEK_KEY_LENGTH (if valid values is defined in the cipher definition includes a
   variable length key), KEK_KEY_LIFETIME, SIG_HASH_ALGORITHM (except
   for DSA based algorithms), SIG_ALGORITHM, and SIG_KEY_LENGTH.

2.2.  SA TEK Payload

   Section 5.4.1
   IPsec ESP or IPsec AH Transform Identifiers section of the IANA
   isakmpd-registry [ISAKMP-REG].

   o SPI (4 octets) -- Security Parameter Index for ESP.

   o RFC 3547 states that all mandatory IPsec DOI
   attributes are mandatory in GDOI_PROTO_IPSEC_ESP.  However, 2407 Attributes -- ESP and AH Attributes from RFC 2407
   lists no such list of mandatory Section
   4.5.  The GDOI supports all IPsec DOI attributes.  This memo
   requires that SA Attributes for
   GDOI_PROTO_IPSEC_ESP and GDOI_PROTO_IPSEC_AH excluding the Group
   Description (section 4.5 of [RFC2407], which MUST NOT be sent by a
   GDOI implementation and is ignored by a GDOI implementation if
   received.  The following attributes MUST be supported by an RFC
   3547
   implementation supporting the GDOI_PROTO_IPSEC_ESP SA TEK: ESP and AH: SA Life Type, SA Life Duration,
   Encapsulation Mode, Mode.  An implementation supporting ESP must also
   support the Authentication Algorithm (if attribute if the ESP transform
   includes authentication). authentication/ The GDOI_PROTO_IPSEC_ESP Authentication Algorithm attribute of
   the IPsec DOI is sometimes referred to group authentication in GDOI.

5.5.1.1.  Harmonization with RFC
   3547 by the truncated name of PROTO_IPSEC_ESP.

2.3.  KD Payload

   Section 5.5.2.1 of RFC 3547 explicitly specifies that if a KEK cipher
   requires an IV, then 5374

   The Multicast Extensions to the IV must precede Security Architecture for the
   Internet Protocol (RFC 5374) introduces new requirements for a group
   key in management system distributing IPsec policy.  The following
   sections describe new GDOI requirements that result from harmonizing
   with that document.

5.5.1.1.1.  Group Security Policy Database Attributes

   RFC 5374 describes new attributes as part of the
   KEK_ALGORITHM_KEY KD payload attribute.  However, it should be noted Group Security
   Policy Database (GSPD).  These attributes describe policy that this IV length is not included a
   group key management system must convey to a group member in the KEK_KEY_LEN order to
   support those extensions.  The GDOI SA TEK payload
   attribute sent distributes IPsec
   policy using IPsec security association attributes defined in
   [ISAKMP-REG].  This section defines how GDOI can convey the SA payload.  The KEK_KEY_LEN includes only the
   actual length of new
   attributes as IPsec Security Association Attributes.

5.5.1.1.2.  Address Preservation

   Applications use the cipher key.

   Section 5.5.1.2 of extensions in RFC 3547 defines key lengths 5374 create encapsulate IPsec
   multicast packets that are IP multicast packets.  In order for the
   TEK_INTEGRITY_KEY.  When
   GDOI group member to appropriately setup the algorithm passes in GSPD, the SA TEK payload
   is SHA256, keys will consist GCKS must
   provide that policy to the group member.

   Depending on group policy, several address preservation methods are
   possible: no address preservation ("None"), preservation of 256 bits.

2.4.  SEQ Payload

   Section 3.2 the
   original source address ("Source-Only"), preservation of RFC 3547 defines a GROUPKEY-PULL message as including
   a sequence number, which provides anti-replay state associated with a
   KEK.  The SEQ payload has no other use, and is omitted from the
   GROUPKEY-PULL exchange when a KEK original
   destination address ("Destination-Only"), or both addresses ("Source-
   And-Destination").  This memo adds the "Address Preservation"
   security association attribute.  If this attribute is not included in the SA
   payload.

   A KEK sequence number is associated with a single SPI (i.e., the
   single set of cookie pair values sent in a GROUPKEY-PUSH ISAKMP
   [RFC2408] HDR).  When a new KEK is distributed by a GCKS, it contains
   a new SPI and resets the sequence number.

   When a SEQ payload is included in the GROUPKEY-PULL exchange, it
   includes the most recently used sequence number for the group.  At
   the conclusion of
   a GROUPKEY-PULL exchange, GDOI SA TEK payload provided by a GCKS, then Source-And-Destination
   address preservation has been defined for the initiating SA TEK.

5.5.1.1.3.  SA Direction

   Depending on group
   member MUST NOT accept any rekey message with both the KEK attribute
   SPI value and a sequence number less than policy, an IPsec SA created from an SA TEK payload
   may be required in one or equal both directions.  SA TEK policy used by
   multiple senders is required to be installed in both the one
   received during the GROUPKEY-PULL.  When the first group member
   initiates sending and
   receiving direction ("Symmetric"), whereas SA TEK for a GROUPKEY-PULL exchange, single sender
   should only be installed in the GCKS provides a Sequence
   Number of zero, since no GROUPKEY-PUSH messages have yet been sent.
   Note receiving direction by receivers
   ("Receiver-Only") and in the sequence number increments only with GROUPKEY-PUSH messages.
   The GROUPKEY-PULL exchange distributes sending direction by the current sequence number to sender
   ("Sender-Only").  This memo adds the group member.

   The sequence number resets to a value of one with a new KEK "SA Direction" security
   association attribute.  As described in section 5.6 of RFC 3547: "Thus  If the first
   packet sent for attribute is not included in a given Rekey GDOI SA will have a Sequence Number of 1".
   The sequence number increments with each successive rekey.

2.5.  POP Payload

   RFC 3547 defines the Proof of Possession (POP)
   TEK payload, which
   contains a digital signature over a hash.  Some RFC 3547 text
   erroneously describes it then the IPsec SA is treated as a "prf()". Symmetric IPsec SA.

5.5.1.1.4.  Re-key rollover

   Section 4.2.1 of RFC 3547 omitted including 5374 specifies a key rollover method of specifying that
   requires two values be given it from the hash function
   type used in group key management
   protocol.  The Activation Time Delay (ATD) attribute allows the POP payload.  As GCKS
   to specify how long after the start of a result, re-key event that a group
   member is to activate new TEKs.  The Deactivation Time Delay (DTD)
   attribute allows the GCKS or to specify how long after the start of a
   re-key event that a group member
   do not have a means is to deactivate existing TEKs.

   This memo adds new attributes by which a GCKS can relay these values
   to agree which hash algorithm should be
   used.  To remedy this omission without changing group members as part of the protocol, this
   memo specifies Group Associated Policy described in
   Section 5.

5.5.2.  Other Security Protocols

   Besides ESP and AH, GDOI should serve to establish SAs for secure
   groups needed by other Security Protocols that operate at the hash algorithm passed
   transport, application, and internetwork layers.  These other
   Security Protocols, however, are in the
   SIG_HASH_ALGORITHM MUST be also used as the POP hash algorithm.

2.6.  CERT Payload

   Receivers process of the POP payload need the sender's public key in order being developed or
   do not yet exist.

   The following information needs to be provided for a Security
   Protocol to
   validate the POP.  However GDOI.

   o  The Protocol-ID for the source particular Security Protocol

   o  The SPI Size

   o  The method of that public key is not
   explicitly defined.  For example, if SPI generation

   o  The transforms, attributes and keys needed by the certificate encoding value
   passed in Security
      Protocol

   All Security Protocols must provide the CERT payload (defined information in Section 3.9 of RFC 2408) does
   not contain a public key then no public key is available.  To remedy
   this omission, this memo specifies the bulleted
   list above to guide the GDOI specification for that protocol.
   Definitions for the certificate passed support of those Security Protocols in GDOI will
   be specified in separate documents.

   A Security Protocol MAY protect traffic at any level of the network
   stack.  However, in all cases applications of the
   CERT payload Security Protocol
   MUST protect traffic which MAY be a public key certificate.

2.7.  SIG shared by more than two entities.

5.6.  Key Download Payload

   The GROUPKEY-PUSH message defined Key Download Payload contains group keys for the group specified
   in Section the SA Payload.  These key download payloads can have several
   security attributes applied to them based upon the security policy of
   the group as defined by the associated SA Payload.

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       ! Next Payload  !   RESERVED    !         Payload Length        !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       ! Number of RFC 3547 includes a
   SIG payload. Key Packets         !            RESERVED2          !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       ~                    Key Packets                                ~
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!

   The first paragraph on page 12 is amended Key Download Payload fields are defined as follows.

      The SIG follows:

   o Next Payload (1 octet) -- Identifier for the payload includes a signature of a hash type of the entire
      GROUPKEY-PUSH message (excepting the SIG
   next payload bytes) before it
      has been encrypted.  The HASH is taken over the string 'rekey', in the GROUPKEY-PUSH HDR, SEQ, SA, KD, and optionally message.  If the CERT
      payload.  The prefixed string ensures that current payload is the signature of last in
   the
      Rekey datagram cannot message, then this field will be used for any other purpose zero.

   o RESERVED (1 octet) -- Unused, set to zero.

   o Payload Length (2 octets) -- Length in octets of the GDOI
      protocol.  After current
   payload, including the SIG generic payload is created using the signature header.

   o Number of Key Packets (2 octets) -- Contains the above hash, the current KEK encryption total number of
   both TEK and Rekey arrays being passed in this data block.

   o Key Packets Several types of key encrypts all packets are defined.  Each Key
   Packet has the
      payloads following the GROUPKEY-PUSH HDR.  Note: The rationale format.

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       !   KD Type     !   RESERVED    !            KD Length          !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       !    SPI Size   !                   SPI (variable)              ~
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       ~                    Key Packet Attributes                      ~
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!

   o Key Download (KD) Type (1 octet) -- Identifier for
      this order the Key Data
   field of operations this Key Packet.

                          Key Download Type        Value
                          -----------------        -----
                          RESERVED                   0
                          TEK                        1
                          KEK                        2
                          LKH                        3
                          RESERVED                  4-127
                          Private Use             128-255

   "KEK" is given in Section 6.3.5 of RFC 3547.

   Section 5.3.7.1 of RFC 4357 defines a SIG_ALGORITHM type of
   SIG_ALG_RSA, but it omits specifying which PKCS#1 [RFC3447] encoding
   method single key whereas LKH is employed.  To match existing practice, this memo requires
   that it be the EMSA-PKCS1-v1_5 encoding method.

2.8.  KE Payload

   The purpose an array of the KE Payload in GDOI is key-encrypting keys.

   o RESERVED (1 octet) -- Unused, set to encrypt keying material
   before encrypting the entire GDOI registration message.  However, the
   specification for computing keying material for the additional
   encryption function zero.

   o Key Download Length (2 octets) -- Length in RFC 3547 is faulty.  Furthermore, it has been
   observed that because the GDOI registration message uses strong
   ciphers and provides authenticated encryption, additional encryption octets of the keying material Key
   Packet data, including the Key Packet header.

   o SPI Size (1 octet) -- Value specifying the length in a GDOI registration message provides
   negligible value.  Therefore, the use octets of KE payloads is deprecated the
   SPI as defined by the Protocol-Id.

   o SPI (variable length) -- Security Parameter Index which matches a
   SPI previously sent in
   this memo.

2.9.  Attribute behavour

   An GDOI implementation MUST abort if it encounters and attribute an SAK or
   capability that it does not understand.

2.10.  Deletion SAT Payload.

   o Key Packet Attributes (variable length) -- Contains Key
   information.  The format of SAs

   RFC 3547 provides for this field is specific to the condition that value of
   the GCKS may want to signal
   to receivers to delete their SAs, but there may be circumstances
   where KD Type field.  The following sections describe the GCKS format of
   each KD Type.

5.6.1.  TEK Download Type

   The following attributes may want to start over with be present in a clean slate.  If the
   administrator is no longer confident TEK Download Type.
   Exactly one attribute matching each type sent in the integrity SAT payload MUST
   be present.  The attributes must follow the format defined in ISAKMP
   (Section 3.3 of [RFC2408]).  In the group, table, attributes defined as TV
   are marked as Basic (B); attributes defined as TLV are marked as
   Variable (V).

                TEK Class                 Value      Type
                ---------                 -----      ----
                RESERVED                     0
                TEK_ALGORITHM_KEY            1        V
                TEK_INTEGRITY_KEY            2        V
                TEK_SOURCE_AUTH_KEY          3        V

   If no TEK key packets are included in a Registration KD payload, the GCKS
   group member can signal deletion of all policy of a particular expect to receive the TEK
   protocol by sending as part of a Re-key SA.
   At least one TEK must be included in each Re-key KD payload.
   Multiple TEKs may be included if multiple streams associated with a SPI value equal the
   SA are to zero be rekeyed.

5.6.1.1.  TEK_ALGORITHM_KEY

   The TEK_ALGORITHM_KEY class declares that the encryption key for this
   SPI is contained as the Key Packet Attribute.  The encryption
   algorithm that will use this key was specified in the
   delete SAT payload.  For example, if

   In the GCKS wishes to remove all case that the
   KEKs and algorithm requires multiple keys (e.g., 3DES),
   all the TEKs in the group, the GCKS SHOULD send a delete
   payload with a spi of zero and a protocol_id of a TEK protocol_id
   value as defined keys will be included in section 5.4 one attribute.

   DES keys will consist of RFC 3547, followed by another
   delete payload 64 bits (the 56 key bits with parity bit).
   Triple DES keys will be specified as a spi of zero and a protocol_id of zero,
   indicating single 192 bit attribute
   (including parity bits) in the order that the KEK SA should be deleted.

3.  Authorization

   Meadows and Pavlovic have published a paper [MP04] describing a means
   by which a rogue GDOI device (i.e., GCKS or group member) can gain
   access keys are to a group be used for which it is not a group member.  The rogue
   device perpetrates a man-in-the-middle attack, which can occur if the
   following conditions are true:

   1.
   encryption (e.g., DES_KEY1, DES_KEY2, DES_KEY3).

5.6.1.2.  TEK_INTEGRITY_KEY

   The rogue GDOI participant convinces an authorized member of the
       group (i.e., victim group member) that it is a GCKS for TEK_INTEGRITY_KEY class declares that
       group, and it also convinces the GCKS (i.e., victim GCKS) of that
       group it integrity key for this
   SPI is an authorized group member.

   2.  The victim group member, victim GCKS, and rogue group member all
       share IKEv1 authentication credentials.

   3. contained as the Key Packet Attribute.  The victim GCKS does not properly verify integrity
   algorithm that will use this key was specified in the IKE
       authentication credentials used to protect a GROUPKEY-PULL
       protocol SAT payload.
   Thus, GDOI assumes that both the symmetric encryption and integrity
   keys are authorized pushed to be join the group.

   The value member.  HMAC-SHA1 keys will consist of proof-of-possession is 160
   bits[RFC2404], HMAC-MD5 keys will consist of 128 bits[RFC2403].
   HMAC-SHA2 and AES-GMAC keys will have a key length equal to prove that the owner
   output length of the
   identity associated with hash functions [RFC4868][RFC4543].

5.6.1.3.  TEK_SOURCE_AUTH_KEY

   The TEK_SOURCE_AUTH_KEY class declares that the Phase 1 source authentication
   key for this SPI is contained in the same as the owner of
   the Key Packet Attribute.  The
   source authentication algorithm that will use this key distributed was specified
   in the CERT.  This attack can SAT payload.

5.6.2.  KEK Download Type

   The following attributes may be mitigated by
   adding the Phase 1 identities into present in a KEK Download Type.
   Exactly one attribute matching each type sent in the hashed data.  This memo
   replaces SAK payload MUST
   be present.  The attributes must follow the method computing POP_HASH format defined in Section 5.7 ISAKMP
   (Section 3.3 of RFC 3547
   with the following method:

   POP_HASH = hash("pop" | IKE-Initiator-P1-ID | IKE-Responder-P1-ID |
   Ni | Nr)

   where [RFC2408]).  In the fields table, attributes defined as TV
   are hashed marked as follows:

   o  The string "pop" without a NULL termination character.

   o  The IKE Phase 1 identity of the GCKS Basic (B); attributes defined as distributed in the
      "identification Data" portion of the ID payload.  Because the
      length of TLV are marked as
   Variable (V).

                KEK Class                 Value      Type
                ---------                 -----      ----
                RESERVED                     0
                KEK_ALGORITHM_KEY            1        V
                SIG_ALGORITHM_KEY            2        V

   If the identity KEK key packet is variable, the length of the
      Identification Data included, there MUST be hashed as a four octet value with the
      length located only one present in
   the least significant bits (in network byte
      order). KD payload.

5.6.2.1.  KEK_ALGORITHM_KEY

   The length value KEK_ALGORITHM_KEY class declares the encryption key for this SPI
   is hashed before contained in the data value.

   o Key Packet Attribute.  The IKE Phase 1 identity of the group member as distributed encryption algorithm
   that will use this key was specified in the
      "identification Data" portion of the ID SAK payload.  Because the
      length of the identity is variable,

   If the length mode of operation for the
      Identification Data algorithm requires an Initialization
   Vector (IV), an explicit IV MUST be hashed as a four octet value with included in the
      length located KEK_ALGORITHM_KEY
   before the actual key.

5.6.2.2.  SIG_ALGORITHM_KEY

   The SIG_ALGORITHM_KEY class declares that the public key for this SPI
   is contained in the least significant bits (in network byte
      order).  The length value Key Packet Attribute, which may be useful when no
   public key infrastructure is hashed before available.  The signature algorithm that
   will use this key was specified in the data value.

   o SAK payload.

5.6.3.  LKH Download Type

   The initiator nonce Ni, as passed LKH key packet is comprised of attributes representing different
   leaves in the first GROUPKEY-PULL
      message.

   o LKH key tree.

   The responder nonce Nr, as passed following attributes are used to pass an LKH KEK array in the second GROUPKEY-PULL
      message.

   This attack can also be mitigated by applying appropriate GCKS and
   group member authorization.  When KD
   payload.  The attributes must follow the use format defined in ISAKMP
   (Section 3.3 of CERT and POP payloads [RFC2408]).  In the table, attributes defined as TV
   are not mandated marked as Basic (B); attributes defined as TLV are marked as
   Variable (V).

                KEK Class                 Value      Type
                ---------                 -----      ----
                RESERVED                     0
                LKH_DOWNLOAD_ARRAY           1        V
                LKH_UPDATE_ARRAY             2        V
                SIG_ALGORITHM_KEY            3        V
                RESERVED                    4-127
                Private Use               128-255

   If an LKH key packet is included in group policy, the GCKS SHOULD have KD payload, there must be
   only one present.

5.6.3.1.  LKH_DOWNLOAD_ARRAY

   This attribute is used to download a means set of
   recognizing authorized keys to a group members for each group, where member.
   It MUST NOT be included in a GROUPKEY-PUSH message KD payload if the
   recognition
   GROUPKEY-PUSH is based on IKE authentication credentials.  For example, sent to more than the GCKS may have group member.  If an
   LKH_DOWNLOAD_ARRAY attribute is included in a list KD payload, there must
   be only one present.

   This attribute consists of authorized IKE identifiers stored for
   each Group. a header block, followed by one or more
   LKH keys.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !  LKH Version  !          # of LKH Keys        !  RESERVED     !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !                             LKH Keys                          !
      ~                                                               ~
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   The authorization check SHOULD be made after receipt KEK_LKH attribute fields are defined as follows:

   o LKH version (1 octet) -- Contains the version of the ID payload containing a group id LKH protocol
   which the group member data is requesting
   to join.

4.  Harmonization with RFC 5374

   the Multicast Extensions to the Security Architecture for the
   Internet Protocol (RFC 5374) introduces new requirements for a group
   key management system distributing IPsec policy.  The following
   sections describe new GDOI requirements that result from harmonizing
   with that document.

4.1.  Group Security Policy Database Attributes

   RFC 5374 describes new attributes as part formatted in.  Must be one.

   o Number of LKH Keys (2 octets) -- This value is the Group Security
   Policy Database (GSPD).  These attributes describe policy that a
   group key management system must convey to a group member number of
   distinct LKH keys in order this sequence.

   o RESERVED (1 octet) -- Unused, set to
   support those extensions.  The GDOI SA TEK payload distributes IPsec
   policy using IPsec security association attributes zero.  Each LKH Key is defined in
   [ISAKMP-REG].  This section defines how GDOI can convey the new
   attributes
   as IPsec Security Association Attributes.

4.1.1.  Address Preservation

   Applications use the extensions in RFC 5374 create encapsulate IPsec
   multicast packets that are IP multicast packets.  In order for follows:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !             LKH ID            !    Key Type   !    RESERVED   !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      ~                        Key Creation Date                      !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      ~                       Key expiration Date                     !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      ~                           Key Handle                          !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !                                                               !
      ~                            Key Data                           ~
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   o LKH ID (2 octets) -- This is the
   GDOI group member to appropriately setup position of this key in the GSPD, binary
   tree structure used by LKH.

   o Key Type (1 octet) -- This is the GCKS must
   provide that policy encryption algorithm for which
   this key data is to be used.  This value is specified in Section
   5.3.3.

   o RESERVED (1 octet) -- Unused, set to zero.

   o Key Creation Date (4 octets) -- This is the group member.

   Depending on group policy, several address preservation methods are
   possible: no address preservation ("None"), preservation time value of the
   original source address ("Source-Only"), preservation when this
   key data was originally generated.  A time value of the original
   destination address ("Destination-Only"), or both addresses ("Source-
   And-Destination"). zero indicates
   that there is no time before which this key is not valid.

   o Key Expiration Date (4 octets) -- This memo adds is the "Address Preservation"
   security association attribute.  If time value of when
   this attribute key is not included in
   a GDOI SA TEK payload provided by a GCKS, then Source-And-Destination
   address preservation has been defined no longer valid for the SA TEK.

4.1.2.  SA Direction

   Depending on group policy, an IPsec SA created from use.  A time value of zero indicates
   that this key does not have an SA TEK payload
   may be required in one or both directions.  SA TEK policy used by
   multiple senders expiration time.

   o Key Handle (4 octets) -- This is required the randomly generated value to be installed in both
   uniquely identify a key within an LKH ID.

   o Key Data (variable length) -- This is the sending and
   receiving direction ("Symmetric"), whereas SA TEK actual encryption key
   data, which is dependent on the Key Type algorithm for a single sender
   should only be installed in its format.
   If the receiving direction by receivers
   ("Receiver-Only") and mode of operation for the algorithm requires an Initialization
   Vector (IV), an explicit IV MUST be included in the sending direction by Key Data field
   before the sender
   ("Sender-Only"). actual key.

   The Key Creation Date and Key expiration Dates MAY be zero.  This memo adds is
   necessary in the "SA Direction" security
   association attribute.  If case where time synchronization within the attribute group is
   not included possible.

   The first LKH Key structure in a GDOI SA
   TEK payload, then an LKH_DOWNLOAD_ARRAY attribute
   contains the IPsec SA is treated as a Symmetric IPsec SA.

4.1.3.  Re-key rollover

   Section 4.2.1 Leaf identifier and key for the group member.  The rest
   of RFC 5374 specifies a the LKH Key structures contain keys along the path of the key rollover method that
   requires two values be given it tree
   in order from the leaf, culminating in the group key management
   protocol.  The Activation Time Delay (ATD) KEK.

5.6.3.2.  LKH_UPDATE_ARRAY

   This attribute allows is used to update the GCKS keys for a group.  It is most
   likely to specify how long be included in a after GROUPKEY-PUSH message KD payload to rekey
   the start entire group.  This attribute consists of a re-key event that header block,
   followed by one or more LKH keys, as defined in the previous section.

   There may be any number of UPDATE_ARRAY attributes included in a group
   member KD
   payload.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !  LKH Version  !          # of LKH Keys        !  RESERVED     !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !            LKH ID             !           RESERVED2           !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !                           Key Handle                          !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !                            LKH Keys                           !
      ~                                                               ~
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   o LKH version (1 octet) -- Contains the version of the LKH protocol
   which the data is formatted in.  Must be one.

   o Number of LKH Keys (2 octets) -- This value is the number of
   distinct LKH keys in this sequence.

   o RESERVED (1 octet) -- Unused, set to activate new TEKs.  The Deactivation Time Delay (DTD)
   attribute allows zero.

   o LKH ID (2 octets) -- This is the GCKS node identifier associated with
   the key used to specify how long a after encrypt the start of a
   re-key event that a group member is first LKH Key.

   o RESERVED2 (2 octets) -- Unused, set to deactivate existing TEKs. zero.

   o Key Handle (4 octets) -- This memo adds new attributes by which a GCKS can relay these values is the value to group members as part of uniquely identify the Group Associated Policy described in
   Section 5.

5.  New GDOI Attributes

   This section contains new attributes
   key within the LKH ID which was used to be encrypt the first LKH key.

   The LKH Keys are defined as part of
   GDOI.

5.1.  Signature Hash Algorithm

   RFC 3547 defines two signature hash algorithms (MD5 and SHA-1).
   However, steady advances defined in technology have rendered both hash
   algorithms to be weak when used as a signature hash algorithm.

   The SHA-256 algorithm [FIPS.180-2.2002] has been made available by
   NIST as a replacement for SHA-1, and is its preferred replacement for
   both MD5 and SHA-1.  A new value for the GDOI SIG_HASH_ALGORITHM
   attribute is defined by this memo to represent previous section.  The LKH Key
   structures contain keys along the SHA-256 algorithm:
   SIG_HASH_SHA256.  Support for SIG_HASH_SHA256 is OPTIONAL.

5.2.  Support path of AH

   RFC3547 only specifies data-security SAs for one security protocol,
   IPsec ESP.  Typically IPsec implementations use ESP and AH IPsec SAs.
   This document extends the capability of GDOI to support both ESP and
   AH.  The GROUPKEY-PULL mechanism will establish IPsec ESP SAs and
   IPsec AH SAs. key tree in order from
   the LKH ID found in the LKH_UPDATE_ARRAY header, culminating in the
   group KEK.  The GROUPKEY-PUSH will refresh Key Data field of each LKH Key is encrypted with the IPsec ESP SAs and
   LKH key preceding it in the IPsec AH SAs.  Support for AH [RFC4302] LKH_UPDATE_ARRAY attribute.  The first
   LKH Key is achieved with encrypted under the
   introduction of a new SA_TEK Protocol-ID with key defined by the name
   GDOI_PROTO_IPSEC_AH.  Support LKH ID and Key
   Handle found in the LKH_UPDATE_ARRAY header.

5.6.3.3.  SIG_ALGORITHM_KEY

   The SIG_ALGORITHM_KEY class declares that the public key for this SPI
   is contained in the GDOI_PROTO_IPSEC_AH SA TEK Key Packet Attribute, which may be useful when no
   public key infrastructure is
   OPTIONAL. available.  The TEK Protocol-Specific payload signature algorithm that
   will use this key was specified in the SAK payload.

5.7.  Sequence Number Payload

   The Sequence Number Payload (SEQ) provides an anti-replay protection
   for AH GROUPKEY-PUSH messages.  Its use is as follows: similar to the Sequence
   Number field defined in the IPsec ESP protocol [RFC4303].

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       !    Protocol   !  SRC ID Type  !         SRC ID Port           !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       !SRC ID Data Len!          SRC Identification Data              ~
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       ! DST ID Type   !         DST ID Port           !DST ID Data Len!
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      ! DST Identification Data                                       ~
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! Next Payload  ! Transform ID   RESERVED    !                        SPI         Payload Length        !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !      SPI                      Sequence Number                          !       RFC 2407 SA Attributes                  ~
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   The SAT Sequence Number Payload fields are defined as follows:

   o  Protocol Next Payload (1 octet) -- Value describing an IP protocol ID (e.g.,
      UDP/TCP).  A value of zero means that Identifier for the Protocol field should be
      ignored.

   o  SRC ID Type (1 octet) -- Value describing payload type of the identity information
      found
   next payload in the SRC Identification Data field.  Defined values are
      specified by the IPsec Identification Type section in message.  If the IANA
      ISAKMP Registry [ISAKMP-REG].

   o  SRC ID Port (2 octets) -- Value specifying a port associated with current payload is the source Id.  A value of zero means that last in
   the SRC ID Port message, then this field
      should will be ignored. zero.

   o  SRC ID Data Len RESERVED (1 octet) -- Value specifying the length Unused, set to zero.

   o Payload Length (2 octets) -- Length in octets of the
      SRC Identification Data field. current
   payload, including the generic payload header.

   o  SRC Identification Data (variable length) Sequence Number (4 octets) -- Value, as indicated
      by This field contains a monotonically
   increasing counter value for the SRC ID Type.  Set group.  It is initialized to three bytes of zero by
   the GCKS, and incremented in each subsequently-transmitted message.
   Thus the first packet sent for multiple-
      source multicast groups that use a common TEK given Rekey SA will have a Sequence
   Number of 1.  The GDOI implementation keeps a sequence counter as an
   attribute for all senders.

   o  DST ID Type (1 octet) -- Value describing the identity information
      found in Rekey SA and increments the DST Identification Data field.  Defined values are
      specified by counter upon receipt of
   a GROUPKEY-PUSH message.  The current value of the IPsec Identification Type section sequence number
   must be transmitted to group members as a part of the Registration SA
   payload.  A group member must keep a sliding receive window.  The
   window must be treated as in the IANA
      ISAKMP Registry [ISAKMP-REG].

   o  DST ID Port (1 octet) -- Value describing an IP ESP protocol ID (e.g.,
      UDP/TCP).  A [RFC4303] Section
   3.4.3.

5.8.  Nonce

   The data portion of the Nonce payload (i.e., Ni_b and Nr_b included
   in the HASHs) MUST be a value between 8 and 128 bytes.

6.  Security Considerations

   GDOI is a security association (SA) management protocol for groups of
   senders and receivers.  Unlike a data security protocol, SA
   management includes a key establishment protocol to securely
   establish keys at communication endpoints.  This protocol performs
   entity authentication of the GDOI member or Group Controller/Key
   Server (GCKS), it provides confidentiality of key management
   messages, and it provides source authentication of zero means that those messages.
   This protocol also uses best-known practices for defense against man-
   in-middle, connection hijacking, replay, reflection, and denial-of-
   service (DOS) attacks on unsecured networks [STS], [RFC2522],
   [SKEME].  GDOI assumes the DST Id Port field should network is not secure and may be ignored.

   o  DST ID Port (2 octets) -- Value specifying a port associated with under the source Id.  A value
   complete control of zero means an attacker.

   GDOI assumes that the DST ID Port field
      should be ignored.

   o  DST ID Data Len (1 octet) -- Value specifying host computer is secure even though the length network
   is insecure.  GDOI ultimately establishes keys among members of a
   group, which MUST be trusted to use those keys in an authorized
   manner according to group policy.  The security of GDOI, therefore,
   is as good as the
      DST Identification Data field.

   o  DST Identification Data (variable length) -- Value, degree to which group members can be trusted to
   protect authenticators, encryption keys, decryption keys, and message
   authentication keys.

   There are three phases of GDOI as indicated described in this document: an
   ISAKMP Phase 1 protocol, a new exchange called GROUPKEY-PULL which is
   protected by the DST ID Type.

   o  Transform ID (1 octet) -- Value specifying which AH transform ISAKMP Phase 1 protocol, and a new message called
   GROUPKEY-PUSH.  Each phase is considered separately below.

6.1.  ISAKMP Phase 1

   As described in this document, GDOI uses the Phase 1 exchanges
   defined in [RFC2409] to protect the GROUPKEY-PULL exchange.
   Therefore all security properties and considerations of those
   exchanges (as noted in [RFC2409]) are relevant for GDOI.

   GDOI may inherit the problems of its ancestor protocols [FS00], such
   as identity exposure, absence of unidirectional authentication, or
   stateful cookies [PK01].  GDOI could benefit, however, from
   improvements to its ancestor protocols just as it benefits from years
   of experience and work embodied in those protocols.  To reap the
   benefits of future IKE improvements, however, GDOI would need to be used.  The list
   revised in a future standards-track RFC, which is beyond the scope of valid values
   this specification.

6.1.1.  Authentication

   Authentication is provided via the mechanisms defined in [RFC2409],
   namely Pre-Shared Keys or Public Key encryption.

6.1.2.  Confidentiality

   Confidentiality is achieved in Phase 1 through a Diffie-Hellman
   exchange that provides keying material, and through negotiation of
   encryption transforms.

   The Phase 1 protocol will be protecting encryption and integrity keys
   sent in the IPsec AH
      Transform Identifiers section GROUPKEY-PULL protocol.  The strength of the IANA ISAKMP Registry
      [ISAKMP-REG].

   o  SPI (4 octets) -- Security Parameter Index encryption
   used for AH.

   o  RFC 2407 Attributes -- AH Attributes from Section 4.5 Phase 1 SHOULD exceed that of
      [RFC2407].  The GDOI supports all IPsec DOI SA Attributes for
      GDOI_PROTO_IPSEC_AH excluding the Group Description, which MUST
      NOT be sent by keys send in the GROUPKEY-
   PULL protocol.

6.1.3.  Man-in-the-Middle Attack Protection

   A successful man-in-the-middle or connection-hijacking attack foils
   entity authentication of one or more of the communicating entities
   during key establishment.  GDOI relies on Phase 1 authentication to
   defeat man-in-the-middle attacks.

6.1.4.  Replay/Reflection Attack Protection

   In a replay/reflection attack, an attacker captures messages between
   GDOI implementation entities and is ignored by subsequently forwards them to a GDOI
      implementation if received.  The Authentication Algorithm
      attribute of entity.
   Replay and reflection attacks seek to gain information from a
   subsequent GDOI message response or seek to disrupt the IPsec DOI is group authentication in GDOI.  The
      following RFC 2407 attributes MUST be sent as part operation of
   a
      GDOI_PROTO_IPSEC_AH attribute: SA Life Type, SA Life Duration,
      Encapsulation Mode.

5.3.  Group Associated Policy

   RFC 3547 provides for GDOI member or GCKS entity.  GDOI relies on the distribution of policy Phase 1 nonce
   mechanism in combination with a hash-based message authentication
   code to protect against the GROUPKEY-PULL
   exchange in an SA payload.  Policy can define GROUPKEY-PUSH policy
   (SA KEK) replay or traffic encryption policy (SA TEK) such as IPsec policy.
   There is reflection of previous key
   management messages.

6.1.5.  Denial of Service Protection

   A denial of service attacker sends messages to a need GDOI entity to distribute group policy cause
   that fits into neither
   category.  Some of this policy is generic entity to perform unneeded message authentication operations.
   GDOI uses the group, and some Phase 1 cookie mechanism to identify spurious messages
   prior to cryptographic hash processing.  This is a "weak" form of
   denial of service protection in that the GDOI entity must check for
   good cookies, which can be successfully imitated by a sophisticated
   attacker.  The Phase 1 cookie mechanism is
   sender-specific policy stateful, and commits
   memory resources for cookies, but stateless cookies are a better
   defense against denial of service attacks.

6.2.  GROUPKEY-PULL Exchange

   The GROUPKEY-PULL exchange allows a particular group member.

   GDOI distributes this associated group policy in member to request SAs and
   keys from a new payload called GCKS.  It runs as a "phase 2" protocol under protection
   of the SA Group Associated Policy (SA SAP).  The SA GAP payload follows
   any SA KEK payload, and Phase 1 security association.

6.2.1.  Authentication

   Peer authentication is placed before any SA TEK payloads.  In the
   case that group policy does not include an SA KEK, required in the SA Attribute
   Next Payload field GROUPKEY-PULL protocol.
   It is running in the SA payload MAY indicate context of the SA GAP payload.

   The SA GAP payload is defined as follows:

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 Phase 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       ! Next Payload  !   RESERVED    !        Payload Length         !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       !               Group Associated Policy Attributes              ~
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!

   The SA GAP payload fields are defined as follows:

   o  Next Payload (1 octet) -- Identifies protocol, which has
   previously authenticated the next payload present in identity of the GROUPKEY-PULL or peer.

   Message authentication is provided by HASH payloads in each message,
   where the GROUPKEY-PUSH message.  The only valid
      next payload type for this message HASH is an SA TEK or zero defined to
      indicate there are no more security association attributes.

   o  RESERVED (1 octet) -- Must be zero.

   o  Payload Length (2 octets) -- Length of this payload, including the
      SA GAP header and Attributes.

   o  Group Associated Policy Attributes (variable) -- Contains
      attributes following over SKEYID_a (derived in the format defined Phase 1
   exchange), the ISAKMP Message-ID, and all payloads in Section 3.3 the message.
   Because only the two endpoints of RFC
      2408.

   Several group associated policy attributes are defined in the exchange know the SKEYID_a
   value, this memo.

5.3.1.  ACTIVATION_TIME_DELAY

   This attribute allows a GCKS to set provides confidence that the Activation Time Delay for SAs
   generated from TEKs.  The value peer sent the message.

6.2.2.  Confidentiality

   Confidentiality is provided by the Phase 1 security association,
   after the manner described in seconds.  If [RFC2409].

6.2.3.  Man-in-the-Middle Attack Protection

   Message authentication (described above) includes a secret known only
   to the group member
   receives and GCKS when constructing a TEK with HASH payload.  This
   prevents man-in-the-middle and connection-hijacking attacks because
   an ATD value, but discovers that it has no
   current SAs matching attacker would not be able to change the policy in message undetected.

6.2.4.  Replay/Reflection Attack Protection

   Nonces provide freshness of the TEK, then it SHOULD create GROUPKEY-PULL exchange.  The group
   member and
   install SAs from the TEK immediately.

5.3.2.  DEACTIVATION_TIME_DELAY

   This attribute allows GCKS exchange nonce values first two messages.  These
   nonces are included in subsequent HASH payload calculations.  The
   Group member and GCKS MUST NOT perform any computationally expensive
   tasks before receiving a HASH with its own nonce included.  The GCKS to set
   MUST NOT update the Deactivation Time Delay for
   SAs generated from TEKs.  The value is group management state (e.g., LKH key tree) until
   it receives the third message in seconds.

5.3.3.  SENDER_ID

   Several new AES counter-based modes the exchange with a valid HASH
   payload including its own nonce.

   Implementations SHOULD keep a record of operation have been specified
   for ESP [RFC3686],[RFC4106],[RFC4309],[RFC4543] recently received GROUPKEY-
   PULL messages and AH [RFC4543].
   These AES counter-based modes require reject messages that no two senders in the
   group ever send a packet with the same IV. have already been processed.
   This requirement can be
   met using enables an early discard of the method described in
   [I-D.ietf-msec-ipsec-group-counter-modes], which requires each sender
   to be allocated replayed messages.

6.2.5.  Denial of Service Protection

   A GROUPKEY-PULL message identifies its messages using a unique Sender ID (SID). cookie pair
   from the Phase 1 exchange that precedes it.  The SENDER_ID attribute is
   used to distribute a SID to cookies provide a group member during
   weak form of denial of service protection as described above, in the
   sense that a GROUPKEY-PULL
   message.  Other algorithms message with the same need may invalid cookies will be defined in the
   future; the sender MUST use the IV construction method
   discarded.

   The replay protection mechanisms described above with those algorithms as well.

   The SENDER_ID attribute value contains provide the following fields.

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       !   SID Length  !                    SID Value                  ~
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!

   o  SID Length (1 octet) -- basis
   for denial of service protection.

6.2.6.  Authorization

   A natural number defining the number GCKS implementation should maintain an authorization list of
      bits to be used in the SID field
   authorized group members.  Group members should maintain a list of the counter mode transform
      nonce.

   o  SID Value (variable) -- The Sender ID value allocated to the
   authorized group
      member.

5.3.3.1.  GCKS Semantics members as part of its Group Peer Authorization
   Database (GPAD) [RFC5374].

6.3.  GROUPKEY-PUSH Exchange

   The GCKS maintains a SID counter (SIDC).  It GROUPKEY-PUSH exchange is incremented each time a SENDER_ID attribute single message that allows a GCKS to
   send SAs and keys to group members.  This is distributed likely to be sent to all
   members using an IP multicast group.  This provides an efficient
   rekey and group membership adjustment capability.

6.3.1.  Authentication

   The GROUPKEY-PULL exchange identifies a public key that is used for
   message authentication.  The GROUPKEY-PUSH message is digitally
   signed using the corresponding private key held by the GCKS or its
   delegate.  This digital signature provides source authentication for
   the message.  Thus, GDOI protects the GCKS from impersonation in
   group member. environments.

6.3.2.  Confidentiality

   The first
   group member to register is given GCKS encrypts the SID GROUPKEY-PUSH message with an encryption key
   that was established by the GROUPKEY-PULL exchange.

6.3.3.  Man-in-the-Middle Attack Protection

   This combination of 1.

   Any confidentiality and message authentication
   services protects the GROUPKEY-PUSH message from man-in-middle and
   connection-hijacking attacks.

6.3.4.  Replay/Reflection Attack Protection

   The GROUPKEY-PUSH message includes a monotonically increasing
   sequence number to protect against replay and reflection attacks.  A
   group member registering will be given recognize a new SID value, which
   allows group members replayed message by comparing the
   sequence number to act as a group sender when an older SID value
   becomes unusable (as described in the next section).

   A GCKS MAY allocate multiple SID values sliding window, in one SA SSA payload.
   Allocating several SID values at the same time to a group member
   expected to send at manner as the ESP
   protocol uses sequence numbers.

   Implementations SHOULD keep a high rate would obviate record of recently received GROUPKEY-
   PUSH messages and reject duplicate messages.  This enables an early
   discard of the need replayed messages.

6.3.5.  Denial of Service Protection

   A cookie pair identifies the security association for the group
   member to re-register GROUPKEY-
   PUSH message.  The cookies thus serve as frequently.

   If a GCKS allocates all SID values, it can no longer respond to GDOI
   registrations and must re-initialize weak form of denial-of-
   service protection for the entire group.  This is done
   by issuing DELETE notifications GROUPKEY-PUSH message.

   The digital signature used for all ESP and AH SAs in message authentication has a GDOI
   rekey message, resetting the SIDC to zero, and creating new ESP much
   greater computational cost than a message authentication code and
   AH SAs that match
   could amplify the group policy.  When group effects of a denial of service attack on GDOI
   members re-register,
   the SIDs are allocated again beginning with who process GROUPKEY-PUSH messages.  The added cost of
   digital signatures is justified by the value 1 as described
   above.  Each re-registering group member will need to prevent GCKS
   impersonation: If a shared symmetric key were used for GROUPKEY-PUSH
   message authentication, then GCKS source authentication would be given a new SID
   impossible and
   the new group policy.

   The SENDER_ID attribute MUST NOT any member would be sent as part capable of GCKS impersonation.

   The potential of the digital signature amplifying a GROUPKEY-PUSH
   message, because distributing denial of service
   attack is mitigated by the same sender-specific policy to more
   than one order of operations a group member may reduce the security of takes,
   where the group.

5.3.3.2.  Group Member Semantics least expensive cryptographic operation is performed first.
   The SENDER_ID attribute value distributed to the group member MUST be
   used by that group member as first decrypts the Sender Identifier (SID) field
   portion of message using a symmetric cipher.
   If it is a validly formed message then the IV.  The SID sequence number is used for all counter mode SAs
   distributed by checked
   against the GCKS replay window.  Only if the sequence number is valid is
   the digital signature verified.  Thus in order for a denial of
   service attack to be mounted, an attacker would need to know both the
   symmetric encryption key used for communications sent as confidentiality, and a part
   of valid
   sequence number.  Generally speaking this group.

   When the Sender-Specific IV (SSIV) field for any IPsec SA is
   exhausted, the means only current group member MUST no longer act as
   members can effectively deploy a sender using its
   active SID.  The group member SHOULD re-register, during which time
   the GCKS will issue denial of service attack.

6.3.6.  Forward Access Control

   If a new SID group management algorithm (such as LKH) is used, forward access
   control may not be ensured in some cases.  This can happen if some
   group members are denied access to the group member.  The in the same GROUPKEY-
   PUSH message as new SID
   replaces policy and TEKs are delivered to the existing SID used group.  As
   discussed in Section 4.1.1, forward access control can be maintained
   by this group member, and also resets sending multiple GROUPKEY-PUSH messages, where the SSIV value to it's starting value.  A group member MAY re-
   register prior to
   membership changes are sent from the actual exhaustion of GCKS separate from the SSIV field new
   policy and TEKs.

7.  IANA Considerations

   This memo requests IANA to avoid
   dropping data packets due make several additions to existing
   registries, and to add sever new GDOI registries.  When the exhaustion of available SSIV values
   combined with a particular SID value.

   A group member MUST NOT process SENDER_ID attribute present new
   registries are added, the following terms are to be applied as
   descrined in a
   GROUPKEY-PUSH message.

6. the Guidelines for Writing an IANA Considerations
   Section in RFCs [RFC5226]: Standards Action, and Private Use.

7.1.  Additions to current registries

   The GDOI KEK Attribute named SIG_HASH_ALGORITHM [GDOI-REG] should be
   assigned a several new Algorithm Type value values from the RESERVED space to
   represent the SHA-256 SHA-256, SHA-384, and SHA-512 hash algorithm algorithms as defined.
   defined in [FIPS.180-2.2002].  The new algorithm names should be
   SIG_HASH_SHA256, SIG_HASH_SHA384, and SIG_HASH_SHA512 respectively
   and have the values of TBD-2, TBD-3, and TBD-4 respectively.

   The GDOI KEK Attributed named SIG_ALGORITHM [GDOI-REG] should be
   assigned a new Algorithm Type value from the RESERVED space to
   represent the RSA PSS encoding type.  The new algorithm name should
   be SIG_HASH_SHA256. SIG_ALG_RSA_PSS, and has the value of TBD-6.

   A new GDOI SA TEK type Protocol-ID type [GDOI-REG] should be assigned
   from the RESERVED space.  The new algorithm id should be called
   GDOI_PROTO_IPSEC_AH, and refers to the IPsec AH encapsulation. encapsulation, and has a
   value of TBD-5.

   A new Next Payload Type [ISAKMP-REG] should be assigned.  The new
   type is called "SA Group Associated Policy (GAP)". (GAP)", and has a value of
   TBD-1.

7.2.  New registries

   A new namespace should be created in the GDOI Payloads registry
   [GDOI-REG] to describe SA SSA Payload Values.  The following rules
   apply to define the attributes in SA SSA Payload Values:

              Attribute Type attributes in SA SSA Payload Values:

              Attribute Type         Value       Type
              ----                   -----       ----
              RESERVED                 0
              ACTIVATION_TIME_DELAY    1          B
              DEACTIVATION_TIME_DELAY  2          B
              SENDER_ID                3          V
              Standards Action        4-127
              Private Use           128-255

   A new IPsec Security Association Attribute [ISAKMP-REG] defining the
   preservation of IP addresses is needed.  The attribute class is
   called "Address Preservation", and it is a Basic type.  The following
   rules apply to define the values of the attribute:

              Name                      Value
              ----                      -----
              Reserved                  0
              None                      1
              Source-Only               2
              Destination-Only          3
              Source-And-Destination    4
              Standards Action         5-61439
              Private Use          61440-65535

   A new IPsec Security Association Attribute [ISAKMP-REG] defining the
   SA direction is needed.  The attribute class is called "SA
   Direction", and it is a Basic type.  The following rules apply to
   define the values of the attribute:

              Name                      Value       Type
              ----                      -----       ----
              RESERVED
              Reserved                  0
              ACTIVATION_TIME_DELAY
              Sender-Only               1          B
              DEACTIVATION_TIME_DELAY
              Receiver-Only             2          B
              SENDER_ID
              Symmetric                 3          V
              Reserved to IANA        2-127
              Standards Action         4-61439
              Private Use           128-255

   A new IPSEC          61440-65535

8.  Acknowledgements

   This text updates RFC 3547, and the authors with to thank the authors
   of that specification for their extensive contributions: Mark
   Baugher, Thomas Hardjono, and Hugh Harney.

   The authors are grateful to Catherine Meadows for her careful review
   and suggestions for mitigating the man-in-the-middle attack she had
   previously identified.

9.  References

9.1.  Normative References

   [I-D.ietf-msec-ipsec-group-counter-modes]
              McGrew, D. and B. Weis, "Using Counter Modes with
              Encapsulating Security Association Attribute Payload (ESP) and Authentication
              Header (AH) to Protect Group Traffic",
              draft-ietf-msec-ipsec-group-counter-modes-05 (work in
              progress), March 2010.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC4303]  Kent, S., "IP Encapsulating Security Payload (ESP)",
              RFC 4303, December 2005.

   [RFC4306]  Kaufman, C., "Internet Key Exchange (IKEv2) Protocol",
              RFC 4306, December 2005.

   [RFC5374]  Weis, B., Gross, G., and D. Ignjatic, "Multicast
              Extensions to the Security Architecture for the Internet
              Protocol", RFC 5374, November 2008.

9.2.  Informative References

   [AES-MODES]
              Dworkin, M., "Recommendation for Block Cipher Modes of
              Operation", United States of America, National Institute
              of Science and Technology NIST Special Publication 800-38A
              2001 Edition, December 2001.

   [FIPS.180-2.2002]
              National Institute of Standards and Technology, "Secure
              Hash Standard", FIPS PUB 180-2, August 2002, <http://
              csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf>.

   [FIPS186-2]
              "Digital Signature Standard (DSS)", United States of
              America, National Institute of Science and
              Technology Federal Information Processing Standard (FIPS)
              186-2, January 2001.

   [FIPS197]  "Advanced Encryption Standard (AES)", United States of
              America, National Institute of Science and
              Technology Federal Information Processing Standard (FIPS)
              197, November 2001.

   [FIPS46-3]
              "Data Encryption Standard (DES)", United States of
              America, National Institute of Science and
              Technology Federal Information Processing Standard (FIPS)
              46-3, October 1999.

   [FIPS81]   "DES Modes of Operation", United States of America,
              National Institute of Science and Technology Federal
              Information Processing Standard (FIPS) 81, December 1980.

   [FS00]     Ferguson, N. and B. Schneier, Counterpane, "A
              Cryptographic Evaluation of IPsec",
              <http://www.counterpane.com/ipsec.html>.

   [GDOI-REG]
              Internet Assigned Numbers Authority, "Group Domain of
              Interpretation (GDOI) Payload Type Values", IANA Registry,
              December 2004,
              <http://www.iana.org/assignments/gdoi-payloads>.

   [ISAKMP-REG] defining
              "'Magic Numbers' for ISAKMP Protocol",
              <http://www.iana.org/assignments/isakmp-registry>.

   [MP04]     Meadows, C. and D. Pavlovic, "Deriving, Attacking, and
              Defending the
   preservation of IP addresses is needed.  The attribute class is
   called "Address Preservation", GDOI Protocol", ESORICS 2004 pp. 53-72,
              September 2004.

   [NNL]      Naor, D., Noal, M., and it is a Basic type.  The following
   rules apply J. Lotspiech, "Revocation and
              Tracing Schemes for Stateless Receivers", Advances in
              Cryptology, Crypto '01,  Springer-Verlag LNCS 2139, 2001,
              pp. 41-62, 2001,
              <http://www.wisdom.weizmann.ac.il/~naor/>.

   [OFT]      McGrew, D. and A. Sherman, "Key Establishment in Large
              Dynamic Groups Using One-Way Function Trees", Manuscript,
               submitted to define the values IEEE Transactions on Software Engineering,
              1998, <http://download.nai.com/products/media/nai/misc/
              oft052098.ps>.

   [PK01]     Perlman, R. and C. Kaufman, "Analysis of the attribute:

              Name                      Value
              ----                      -----
              Reserved                  0
              None                      1
              Source-Only               2
              Destination-Only          3
              Source-And-Destination    4
              Reserved to IANA          5-61439
              Private IPsec Key
              Exchange Standard", WET-ICE conference , 2001,
              <http://sec.femto.org/wetice-2001/papers/radia-paper.pdf>.

   [RFC2403]  Madson, C. and R. Glenn, "The Use               61440-65535 of HMAC-MD5-96 within
              ESP and AH", RFC 2403, November 1998.

   [RFC2404]  Madson, C. and R. Glenn, "The Use of HMAC-SHA-1-96 within
              ESP and AH", RFC 2404, November 1998.

   [RFC2407]  Piper, D., "The Internet IP Security Domain of
              Interpretation for ISAKMP", RFC 2407, November 1998.

   [RFC2408]  Maughan, D., Schneider, M., and M. Schertler, "Internet
              Security Association and Key Management Protocol
              (ISAKMP)", RFC 2408, November 1998.

   [RFC2409]  Harkins, D. and D. Carrel, "The Internet Key Exchange
              (IKE)", RFC 2409, November 1998.

   [RFC2522]  Karn, P. and W. Simpson, "Photuris: Session-Key Management
              Protocol", RFC 2522, March 1999.

   [RFC2627]  Wallner, D., Harder, E., and R. Agee, "Key Management for
              Multicast: Issues and Architectures", RFC 2627, June 1999.

   [RFC3447]  Jonsson, J. and B. Kaliski, "Public-Key Cryptography
              Standards (PKCS) #1: RSA Cryptography Specifications
              Version 2.1", RFC 3447, February 2003.

   [RFC3550]  Schulzrinne, H., Casner, S., Frederick, R., and V.
              Jacobson, "RTP: A new IPSEC Transport Protocol for Real-Time
              Applications", STD 64, RFC 3550, July 2003.

   [RFC3686]  Housley, R., "Using Advanced Encryption Standard (AES)
              Counter Mode With IPsec Encapsulating Security Payload
              (ESP)", RFC 3686, January 2004.

   [RFC4046]  Baugher, M., Canetti, R., Dondeti, L., and F. Lindholm,
              "Multicast Security (MSEC) Group Key Management
              Architecture", RFC 4046, April 2005.

   [RFC4106]  Viega, J. and D. McGrew, "The Use of Galois/Counter Mode
              (GCM) in IPsec Encapsulating Security Association Attribute [ISAKMP-REG] defining the
   SA direction is needed.  The attribute class is called "SA
   Direction", Payload (ESP)",
              RFC 4106, June 2005.

   [RFC4301]  Kent, S. and it is a Basic type.  The following rules apply to
   define K. Seo, "Security Architecture for the values
              Internet Protocol", RFC 4301, December 2005.

   [RFC4309]  Housley, R., "Using Advanced Encryption Standard (AES) CCM
              Mode with IPsec Encapsulating Security Payload (ESP)",
              RFC 4309, December 2005.

   [RFC4430]  Sakane, S., Kamada, K., Thomas, M., and J. Vilhuber,
              "Kerberized Internet Negotiation of the attribute:

              Name                      Value
              ----                      -----
              Reserved                  0
              Sender-Only               1
              Receiver-Only             2
              Symmetric                 3
              Reserved to IANA          4-61439
              Private Keys (KINK)",
              RFC 4430, March 2006.

   [RFC4543]  McGrew, D. and J. Viega, "The Use               61440-65535

7.  Security of Galois Message
              Authentication Code (GMAC) in IPsec ESP and AH", RFC 4543,
              May 2006.

   [RFC4868]  Kelly, S. and S. Frankel, "Using HMAC-SHA-256, HMAC-SHA-
              384, and HMAC-SHA-512 with IPsec", RFC 4868, May 2007.

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", BCP 26, RFC 5226,
              May 2008.

   [SKEME]    Krawczyk, H., "SKEME: A Versatile Secure Key Exchange
              Mechanism for Internet", ISOC Secure Networks and
              Distributed Systems Symposium San Diego, 1996.

   [STS]      Diffie, W., Van Oorschot, P., and M. Wiener,
              "Authentication and Authenticated Key Exchanges", Designs,
              Codes and Cryptography, 2, 107-125 (1992), Kluwer Academic
              Publishers, 1992.

Appendix A.  Alternate GDOI Phase 1 protocols

   This memo section describes additional clarification and adds additional
   attributes to a manner in which other protocols could be passed within the
   used as GDOI protocol.  The security
   considerations Phase 1 protocols in RFC 3547 remain accurate, with place of the following
   additions.

   o  Several minor cryptographic hash algorithm agility issues ISAKMP Phase 1
   protocol.  However, they are
      resolved, and the stronger SHA-256 cryptographic hash algorithm is
      added.

   o  Protocol analysis has revealed a man-in-the-middle attack when the
      GCKS does not authorize group members based on their IKE
      authentication credentials.  This is true even when specified as a CERT and POP
      payloads are used part of this
   document.  A separate document MUST be written in order for authorization.  Although suggested another
   protocol to be used as an
      option in RFC 3547, a GDOI device (group member or GCKS) SHOULD
      NOT accept an identity Phase 1 protocol.

   Other possible phase 1 protocols are also described in a CERT payload that does not match [RFC4046].

   Any GDOI phase 1 protocol MUST satisfy the requirements specified in
   Section 2 of this document.

A.1.  IKEv2 Phase 1 protocol

   Version 2 of the IKE identity used protocol (IKEv2) [RFC4306] has been published.
   That protocol seeks to authenticate simplify the group member.

   o  Any IKE Phase 1 and Phase 2
   protocols, and improve the security of the IKE protocol.  An IKEv2
   Phase 1 negotiates an IPsec SA TEK specifying during phase 1, which was not possible
   in IKE.  However, IKEv2 also defines a counter-based mode of operation with
      multiple senders MUST construct phase 2 protocol.  The phase 2
   protocol is protected by the IVs Phase 1, similar in each SA TEK according concept to [I-D.ietf-msec-ipsec-group-counter-modes].  The SID MUST either
      be pre-configured on all group members or distributed using how IKE
   Quick Mode is protected by the
      SENDER_ID attribute IKE Phase 1 protocols in [RFC2409].

   IKEv2 may not include a DOI value in the SA GAP payload.  However, use since
   GDOI uses a unique port, choice of a phase 2 protocol in the
      SENDER_ID attribute SA
   payload using a GDOI value is RECOMMENDED.

8.  Acknowledgements

   The authors are grateful to Catherine Meadows for her careful review
   and suggestions for mitigating not necessary.  It is expected that an
   IKEv2 Phase 1 protocol definition could be run on the man-in-the-middle attack she had
   previously identified.

9.  References

9.1.  Normative References

   [I-D.ietf-msec-ipsec-group-counter-modes]
              McGrew, D. and B. Weis, "Using Counter Modes with
              Encapsulating Security Payload (ESP) and  Authentication
              Header (AH) to Protect Group Traffic",
              draft-ietf-msec-ipsec-group-counter-modes-03 (work in
              progress), March 2009.

   [RFC2119]  Bradner, S., "Key words for use GDOI port.  The
   SA payload in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3547]  Baugher, M., Weis, B., Hardjono, T., and H. Harney, "The
              Group Domain of Interpretation", RFC 3547, July 2003.

   [RFC5374]  Weis, B., Gross, G., and D. Ignjatic, "Multicast
              Extensions the protocol would be specific to GDOI, or omitted if
   not needed at all.

   The GROUPKEY-PULL protocol would follow the Security Architecture for IKEv2 Phase 1 protocol in
   the same manner as described in this document.

A.2.  KINK Protocol

   The Kerberized Internet
              Protocol", RFC 5374, November 2008.

9.2.  Informative References

   [FIPS.180-2.2002]
              National Institute Negotiation of Standards and Technology, "Secure
              Hash Standard", FIPS PUB 180-2, August 2002, <http://
              csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf>.

   [GDOI-REG]
              Internet Assigned Numbers Authority, "Group Domain Keys (KINK) [RFC4430] has
   defined a method of
              Interpretation (GDOI) Payload Type Values", IANA Registry,
              December 2004,
              <http://www.iana.org/assignments/gdoi-payloads>.

   [ISAKMP-REG]
              Internet Assigned Numbers Authority, "Internet Security
              Association and Key Management Protocol (ISAKMP)
              Identifiers ISAKMP Attributes", IANA Registry,
              January 2006,
              <http://www.iana.org/assignments/isakmp-registry>.

   [MP04]     Meadows, C. encapsulating an IKE Quick Mode [RFC2409]
   encapsulated in Kerberos KRB_AP_REQ and D. Pavlovic, "Deriving, Attacking, KRB_AP_REP payloads.  KINK
   provides a low-latency, computationally inexpensive, easily managed,
   and
              Defending cryptographically sound method of setting up IPsec security
   associations.

   The KINK message format includes a GDOI field in the KINK header.
   The [RFC4430] document defines the DOI for the IPsec DOI.

   A new DOI for KINK could be defined which would encapsulate a
   GROUPKEY-PULL exchange in the Kerberos KRB_AP_REQ and KRB_AP_REP
   payloads.  As such, GDOI Protocol", ESORICS 2004 pp. 53-72,
              September 2004.

   [RFC2407]  Piper, D., "The Internet IP Security Domain would benefit from the computational
   efficiencies of
              Interpretation for ISAKMP", KINK.

Appendix B.  Significant Changes from RFC 2407, November 1998.

   [RFC2408]  Maughan, D., Schneider, M., and M. Schertler, "Internet
              Security Association and Key Management Protocol
              (ISAKMP)", 3547

   The following significant changes have been made from RFC 2408, November 1998.

   [RFC3447]  Jonsson, J. 3547.

   o  The Proof of Possession (POP) payload was removed from the
      GROUPKEY-PULL exchange.  It provided an alternate form of
      authorization, but its use was underspecified.  Furthermore,
      Meadows and B. Kaliski, "Public-Key Cryptography
              Standards (PKCS) #1: RSA Cryptography Specifications
              Version 2.1", RFC 3447, February 2003.

   [RFC3686]  Housley, R., "Using Advanced Encryption Standard (AES)
              Counter Mode With IPsec Encapsulating Security Payload
              (ESP)", Pavlovic [MP04] discussed a man-in-the-middle attack
      on the POP authorization method, which would require changes to
      its semantics.  No known implementation of RFC 3686, January 2004.

   [RFC4046]  Baugher, M., Canetti, R., Dondeti, L., 3547 supported the
      POP payload, so it was removed.  Removal of the POP payload
      obviated the need for the CERT payload in that exchange and F. Lindholm,
              "Multicast Security (MSEC) Group it was
      removed as well.

   o  The Key Management
              Architecture", Exchange Payloads (KE_I, KE_R) payloads were removed from
      the GROUPKEY-PULL exchange.  However, the specification for
      computing keying material for the additional encryption function
      in RFC 4046, April 2005.

   [RFC4106]  Viega, J. 3547 is faulty.  Furthermore, it has been observed that
      because the GDOI registration message uses strong ciphers and D. McGrew, "The Use
      provides authenticated encryption, additional encryption of Galois/Counter Mode
              (GCM) the
      keying material in IPsec Encapsulating Security Payload (ESP)",
              RFC 4106, June 2005.

   [RFC4302]  Kent, S., "IP Authentication Header", RFC 4302,
              December 2005.

   [RFC4303]  Kent, S., "IP Encapsulating Security Payload (ESP)",
              RFC 4303, December 2005.

   [RFC4309]  Housley, R., "Using Advanced Encryption Standard (AES) CCM
              Mode a GDOI registration message provides negligible
      value.  Therefore, the use of KE payloads is deprecated in this
      memo.

   o  Supported cryptographic algorithms were changed to meet current
      guidance.  Implementations are required to support AES with IPsec Encapsulating Security Payload (ESP)",
              RFC 4309, December 2005.

   [RFC4543]  McGrew, D. 128-
      bit keys to encrypt the rekey message, and J. Viega, "The Use SHA-256 for
      cryptographic signatures.  The use of Galois Message
              Authentication Code (GMAC) in IPsec DES is deprecated.

   o  New protocol support for AH.

   o  New protocol definitions were added to conform to the most recent
      Security Architecture for the Internet Protocol [RFC4301] and the
      Multicast Extensions to the Security Architecture for the Internet
      Protocol[RFC5374].

   o  New protocol definitions were added to support Using Counter Modes
      with ESP and AH", RFC 4543,
              May 2006. AH to Protect Group
      Traffic[I-D.ietf-msec-ipsec-group-counter-modes].

Authors' Addresses

   Brian Weis
   Cisco Systems
   170 W. Tasman Drive
   San Jose, California  95134-1706
   USA

   Phone: +1-408-526-4796
   Email: bew@cisco.com

   Sheela Rowles
   Cisco Systems
   170 W. Tasman Drive
   San Jose, California  95134-1706
   USA

   Phone: +1-408-527-7677
   Email: sheela@cisco.com