MSEC Working Group                                               B. Weis
Internet-Draft                                                 S. Rowles
Intended status: Standards Track                           Cisco Systems
Expires: April 28, September 15, 2011                                  T. Hardjono
                                                                     MIT
                                                        October 25, 2010
                                                          March 14, 2011

                   The Group Domain of Interpretation
                     draft-ietf-msec-gdoi-update-07
                     draft-ietf-msec-gdoi-update-08

Abstract

   This document describes an updated version of the Group Domain of
   Interpretation (GDOI) protocol specified in RFC 3547.  The GDOI
   provides group key management to support secure group communications
   according to the architecture specified in RFC 4046.  The GDOI
   manages group security associations, which are used by IPsec and
   potentially other data security protocols.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 28, September 15, 2011.

Copyright Notice

   Copyright (c) 2010 2011 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

   This document may contain material from IETF Documents or IETF
   Contributions published or made publicly available before November
   10, 2008.  The person(s) controlling the copyright in some of this
   material may not have granted the IETF Trust the right to allow
   modifications of such material outside the IETF Standards Process.
   Without obtaining an adequate license from the person(s) controlling
   the copyright in such materials, this document may not be modified
   outside the IETF Standards Process, and derivative works of it may
   not be created outside the IETF Standards Process, except to format
   it for publication as an RFC or to translate it into languages other
   than English.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
     1.1.  Requirements notation  . . . . . . . . . . . . . . . . . .  5
     1.2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . .  6
     1.3.  GDOI Applications  . . . .  Acronyms and Abbreviations . . . . . . . . . . . . . . . .  6
     1.4.  Extending

   2.  GDOI Phase 1 protocol  . . . . . . . . . . . . . . . . . . . . . .  7
     1.5.  Forward and Backward Access Control  . . . . . . . . . . .  7

   2.  GDOI  8
     2.1.  ISAKMP Phase 1 protocol  . . . . . . . . . . . . . . . . .  8

   3.  GROUPKEY-PULL Exchange . . .  9
     2.1.  ISAKMP Phase 1 protocol . . . . . . . . . . . . . . . . .  9

   3.  GROUPKEY-PULL Exchange . . .
     3.1.  Authorization  . . . . . . . . . . . . . . . . . 10
     3.1.  Authorization . . . . .  9
     3.2.  Messages . . . . . . . . . . . . . . . . . 10
     3.2.  Messages . . . . . . . .  9
     3.3.  Group Member Operations  . . . . . . . . . . . . . . . . . 10
     3.3.  Initiator 11
     3.4.  GCKS Operations  . . . . . . . . . . . . . . . . . . . 12
     3.4.  Receiver Operations  . . . 13
     3.5.  Counter-modes of operation . . . . . . . . . . . . . . . . 13

   4.  GROUPKEY-PUSH Message  . . . . . . . . . . . . . . . . . . . . 15 16
     4.1.  Use of signature keys  . . . . . . . . . . . . . . . . . . 16 17
     4.2.  ISAKMP Header Initialization . . . . . . . . . . . . . . . 16 17
     4.3.  GCKS Operations  . . . . . . . . . . . . . . . . . . . . . 16 17
     4.4.  Group Member Operations  . . . . . . . . . . . . . . . . . 17 18

   5.  Payloads and Defined Values  . . . . . . . . . . . . . . . . . 18 20
     5.1.  Identification Payload . . . . . . . . . . . . . . . . . . 18 20
     5.2.  Security Association Payload . . . . . . . . . . . . . . . 18 20
     5.3.  SA KEK payload . . . . . . . . . . . . . . . . . . . . . . 20 22
     5.4.  Group Associated Policy  . . . . . . . . . . . . . . . . . 26 28
     5.5.  SA TEK Payload . . . . . . . . . . . . . . . . . . . . . . 29 30
     5.6.  Key Download Payload . . . . . . . . . . . . . . . . . . . 33 34
     5.7.  Sequence Number Payload  . . . . . . . . . . . . . . . . . 41 43
     5.8.  Nonce  . . . . . . . . . . . . . . . . . . . . . . . . . . 42 44
     5.9.  Delete . . . . . . . . . . . . . . . . . . . . . . . . . . 42 44

   6.  Algorithm Selection  . . . . . . . . . . . . . . . . . . . . . 43 46
     6.1.  KEK  . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 46
     6.2.  TEK  . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 47

   7.  Security Considerations  . . . . . . . . . . . . . . . . . . . 45 48
     7.1.  ISAKMP Phase 1 . . . . . . . . . . . . . . . . . . . . . . 45 48
     7.2.  GROUPKEY-PULL Exchange . . . . . . . . . . . . . . . . . . 46 49
     7.3.  GROUPKEY-PUSH Exchange . . . . . . . . . . . . . . . . . . 48 51
     7.4.  Forward and Backward Access Control  . . . . . . . . . . . 52
     7.5.  Derivation of keying material  . . . . . . . . . . . . . . 54

   8.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 50 55
     8.1.  Additions to current registries  . . . . . . . . . . . . . 50 55
     8.2.  New registries . . . . . . . . . . . . . . . . . . . . . . 50 55
     8.3.  Cleanup of existing registries . . . . . . . . . . . . . . 57

   9.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 52 59

   10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 53 60
     10.1. Normative References . . . . . . . . . . . . . . . . . . . 53 60
     10.2. Informative References . . . . . . . . . . . . . . . . . . 53 60

   Appendix A.  Alternate  Extending GDOI Phase 1 protocols  . . . . . . . . . . 58
     A.1.  IKEv2 Exchange . . . . . . . . . 65
     A.1.  Alternate GDOI Phase 1 protocols . . . . . . . . . . . . . 58 65
     A.2.  KINK Protocol  Supporting new SA TEK types  . . . . . . . . . . . . . . . 66

   Appendix B.  GDOI Applications . . . . . . . . . . . . . . . . . . 58 67

   Appendix B. C.  Significant Changes from RFC 3547 . . . . . . . . . . 59 68

   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 60 69

1.  Introduction

   Secure group and multicast applications require a method by which
   each group member shares common security policy and keying material.
   This document describes the Group Domain of Interpretation (GDOI),
   which is an ISAMKP [RFC2408] Domain of Interpretation (DOI), a group
   key management system.  The GDOI distributes security associations
   (SAs) for IPsec AH [RFC4302] and ESP [RFC4303] protocols and
   potentially other data security protocols used in group applications.
   The GDOI uses the group key management model defined in [RFC4046],
   and described more generally by the The Multicast Group Security
   Architecture [RFC3740].

   In this group key management model, the GDOI protocol participants
   are a "group controller/key server" (GCKS) and a group member (GM).
   A group member contacts ("registers with") a GCKS to join the group.
   During the registration mutual authentication and authorization are
   achieved, after which the GCKS distributes current group policy and
   keying material to the group member over an authenticated and
   encrypted session.  The GCKS may also initiate contact ("rekeys")
   with group members to provide updates to group policy.

   ISAKMP defines two "phases" of negotiation (p.16 of [RFC2408]).  A
   Phase 1 security association provides mutual authentication and
   authorization, and a security association that is used by the
   protocol participants to execute a phase 2 exchange.  This document
   incorporates (i.e., uses but does not re-define) the Phase 1 security
   association definition from the Internet DOI [RFC2407], [RFC2409].
   Phase 1 security association types other than ISAKMP are possible,
   and are noted in Appendix A.  Requirements of those phase 1 security
   associations are specified in Section 2.  The GDOI includes two new
   phase 2 ISAKMP exchanges (protocols), as well as necessary new
   payload definitions to the ISAKMP standard (p. 14 of [RFC2408]).
   These two new protocols are:

   1.  The GROUPKEY-PULL registration protocol exchange.  This exchange
       uses "pull" behavior since the member initiates the retrieval of
       these SAs from a GCKS.  It is protected by an ISAKMP phase 1
       protocol, as described above.  At the culmination of a GROUPKEY-
       PULL exchange, an authorized group member has received and
       installed a set of SAs that represent group policy, and it is
       ready to participate in secure group communications.

   2.  The GROUPKEY-PUSH rekey protocol exchange.  The rekey protocol is
       a datagram initiated ("pushed") by the GCKS, usually delivered to
       group members using a IP multicast address.  The rekey protool protocol
       is an ISAKMP protocol, where cryptographic policy and keying
       material ("Re-key SA") is included in the group policy
       distributed by the GCKS in the GROUPKEY-PULL exchange.  At the
       culmination of a GROUPKEY-PUSH exchange the key server has sent
       group policy to all authorized group members, allowing receiving
       group members to participate in secure group communications.  If
       a group management method is included in group policy (as
       described in Section 1.5.1), 7.4), at the conclusion of the GROUPKEY-
       PUSH GROUPKEY-PUSH
       exchange some members of the group may have been de-
       authorized de-authorized
       and no longer able to participate in the secure group
       communications.

      +--------------------------------------------------------------+
      |                                                              |
      |                    +--------------------+                    |
      |            +------>|     GDOI GCKS      |<------+            |
      |            |       +--------------------+       |            |
      |            |                 |                  |            |
      |       GROUPKEY-PULL          |             GROUPKEY-PULL     |
      |         PROTOCOL             |               PROTOCOL        |
      |            |                 |                  |            |
      |            v           GROUPKEY-PUSH            v            |
      |   +-----------------+     PROTOCOL     +-----------------+   |
      |   |                 |        |         |                 |   |
      |   |    GDOI GM(s)   |<-------+-------->|    GDOI GM(S)   |   |
      |   |                 |                  |                 |   |
      |   +-----------------+                  +-----------------+   |
      |            |                                    ^            |
      |            v                                    |            |
      |            +-Data Security Protocol (e.g., ESP)-+            |
      |                                                              |
      +--------------------------------------------------------------+

   Although the GROUPKEY-PUSH protocol specified by this document can be
   used to refresh the Re-key SA protecting the GROUPKEY-PUSH protocol,
   the most common use of GROUPKEY-PUSH is to establish keying material
   and policy for a data security protocol.

   In summary, GDOI is a group security association management protocol:
   All
   all GDOI messages are used to create, maintain, or delete security
   associations for a group.  As described above, these security
   associations protect one or more data security protocal protocol SAs, a Re-key
   SA, and/or other data shared by group members for multicast and
   groups security applications.

1.1.  Requirements notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

1.2.  Terminology

   The following key terms are used throughout this document.

   Data-Security SA.  The security policy distributed by a GDOI GCKS
         describing traffic that is expected to be protected by group
         members.  This document described the distribution of IPsec AH
         and ESP Data-Security SAs.

   GCKS.  A

   Group Controller/Key Server [RFC3740]  A device that defines group policy and
         distributes keys for that policy. policy.[RFC3740]

   Group Member.  An authorized member of a secure group, sending and/or
         receiving IP packets related to the group.

   GROUPKEY-PULL.  A protocol used by a GDOI Group Member to requst request
         group policy and keying material.

   GROUPKEY-PUSH.  A protocol used by a GDOI GCKS to distribute updates
         of group policy and keying material to authorized group
         members.

   Key Encrypting Key (KEK). Key.  The symmetric cipher key used to protect the
         GROUPKEY-PUSH message.

   Logical Key Hierarchy (LKH). Hierarchy).  A group management method defined in Section
         5.4 of [RFC2627].

   Re-key SA.  The security policy protecting a GROUPKEY-PUSH protocol.

   Traffic Encryption Key (TEK). Key.  The symmetric cipher key used to protect a
         data security protocol (e.g., IPsec ESP).

1.3.  GDOI Applications

   GDOI can be  Acronyms and Abbreviations

   The following acronyms and abbreviations are used to distribute keys for several secure multicast
   applications, where different appliacations have different key
   management requirements.  This section outlines two example ways that
   GDOI can be used.  Other examples can be found in Section 10 of
   [HD03].

   A simple application is secure delivery throughout this
   document.

   AH    IP Authentication Header

   ATD   Activation Time Delay

   DOI   Domain of periodic multicast content
   over an organization's Interpretation

   DTD   Deactivation Time Delay
   ESP   IP network, perhaps a multicast video
   broadcast.  Assuming the content delivery timeframe is bounded and
   the group membership is not expected to change over time, there is no
   need for group policy to include a GROUPKEY-PUSH exchange, and
   there's no need for the Encapsulating Security Payload

   GCKS to distribute a Re-key SA.  Thus, the  Group Controller/Key Server

   GDOI GCKS may only need to distribute a single set  Group Domain of Data-Security
   SAs to protect the time-bounded broadcast.

   In contrast, Interpretation

   GAP   Group Associated Policy Payload

   GM    Group Member

   IV    Initialization Vector

   KD    Key Download Payload

   KEK   Key Encryption Key

   LKH   Lock Key Hierarchy

   SA    Security Association

   SAK   SA KEK Payload

   SEQ   Sequence Number Payload

   SAT   SA TEK Payload

   SID   Sender-ID

   TEK   Traffic Encryption Key

2.  GDOI Phase 1 protocol

   The GDOI GROUPKEY-PULL exchange is a persistent IP multicast application (e.g., stock-
   ticker delivery service) may have many group members, where "phase 2" protocol which MUST be
   protected by a "phase 1" protocol.  The "phase 1" protocol can be any
   protocol which provides for the group
   membership changes over time.  A periodic change of Data-security SAs following protections:

   o  Peer Authentication

   o  Confidentiality

   o  Message Integrity

   The following sections describe one such "phase 1" protocol.  Other
   protocols which may be desirable, and the potential for change "phase 1" protocols are described in group membership
   requires
   Appendix A.  However, the use of a group management method enabling de-
   authorization of group members.  The GDOI GCKS will distribute the
   current set protocols listed there are not
   considered part of Data-Security SAs and a Re-key SA to registering group
   members.  It will then deliver regularly-scheduled GROUPKEY-PUSH this document.

2.1.  ISAKMP Phase 1 protocol delivering the new SAs for the group.  Additionally, the
   group membership on the GCKS may be frequently adjusted, which will
   result in GROUPKEY-PUSH exchange delivering a new Rekey SAs protected
   by a group management method.  Each GROUPKEY-PUSH may include Data-
   security SAs and/or a Rekey SA.

   In each example

   This document defines how the relevant policy is ISAKMP phase 1 exchanges as defined on the GCKS and
   relayed to group members using the GROUPKEY-PULL and/or GROUPKEY-PUSH
   protocols.  Specific policy choices configured by the GCKS
   administrator depends on each application.

1.4.  Extending GDOI

   Not all secure multicast or multimedia applications in
   [RFC2409] can use IPsec ESP
   or AH.  Many Real Time Transport Protocol applications, be used a "phase 1" protocol for example,
   require security above GDOI.  The following
   sections define characteristics of the IP layer to preserve RTP header
   compression efficiencies and transport-independence [RFC3550].
   Alternatively, GDOI can distribute message authentication code (MAC)
   policy and keys for legacy applications ISAKMP phase 1 protocols that have defined their own
   security associations [I-D.weis-gdoi-mac-tek].

   In order to add
   are unique for these exchanges when used for GDOI.

   Section 7.1 describes how the ISAKMP Phase 1 protocols meet the
   requirements of a new data security protocol, GDOI "phase 1" protocol.

2.1.1.  DOI value

   The Phase 1 SA payload has a new RFC DOI value.  That value MUST specify be the data-security SA parameters conveyed by GDOI for that security
   protocol; these parameters are listed
   DOI value as defined later in Section 5.5.2 of this document.

   Data security protocol SAs MUST protect group traffic.

2.1.2.  UDP port

   IANA has assigned port 848 for the use of GDOI, which allows for an
   implementation to use separate ISAKMP implementations to service GDOI provides
   no restriction
   and IKEv1 [RFC2409].  A GCKS SHOULD listen on whether that group traffic is transmitted as
   unicast or multicast packets.

1.5.  Forward this port for GROUPKEY-
   PULL exchanges, and Backward Access Control

   Through GROUPKEY-PUSH, the GDOI supports group management methods
   such as LKH (section 5.4 of [RFC2627]) that have GCKS MAY use this port to distribute
   GROUPKEY-PUSH messages.  An ISAKMP phase 1 exchange implementation
   supporting NAT Traversal [RFC3947] may move to port 4500 to process
   the property GROUPKEY-PULL exchange.

3.  GROUPKEY-PULL Exchange

   The goal of
   denying access the GROUPKEY-PULL exchange is to establish a new group key by a Re-key
   and/or Data-security SAs at the member removed from for a particular group.  A
   Phase 1 SA protects the group
   (forward access control) and to an old group key by GROUPKEY-PULL; there MAY be multiple
   GROUPKEY-PULL exchanges for a member added to given Phase 1 SA.  The GROUPKEY-PULL
   exchange downloads the data security keys (TEKs) and/or group (backward access control).  An unrelated notion to PFS,
   "forward access control" and "backward access control" have been
   called "perfect forward security" and "perfect backward security" in
   the literature [RFC2627].

   Group management algorithms providing forward and backward access
   control other than LKH have been proposed in key
   encrypting key (KEK) or KEK array under the literature,
   including OFT [OFT] and Subset Difference [NNL].  These algorithms
   could protection of the Phase 1
   SA.

3.1.  Authorization

   The Phase 1 identity SHOULD be used with GDOI, but are not specified as by a part of this
   document.

1.5.1.  Forward Access Control Requirements

   When group membership is altered using GCKS to authorize the Phase
   2 (GROUPKEY-PULL) request for a group management algorithm
   new Data-security SAs are usually also needed.  New SAs key.  A group member MUST
   ensure that
   members who were denied access can no longer participate in the
   group.

   If forward access control is a desired property Phase 1 identity of the group, new
   Data-security SAs MUST NOT be included in GCKS is an authorized GCKS.
   When no authorization is performed, it is possible for a rogue GDOI
   participant to perpetrate a man-in-the-middle attack between a GROUPKEY-PUSH message
   which changes group membership.  This
   member and a GCKS [MP04].

3.2.  Messages

   The GROUPKEY-PULL is a Phase 2 exchange.  Phase 1 computes SKEYID_a
   which is required because the new
   Data-security SAs are not protected with the new KEK.  Instead, two
   sequential GROUPKEY-PUSH messages must be sent by the GCKS; "key" in the first
   changing keyed hash used in the KEK, and GROUPKEY-PULL HASH
   payloads.  When using the second (protected Phase 1 defined in this document, SKEYID_a
   is derived according to [RFC2409].  As with the new KEK)
   distributing IKEv1 HASH payload
   generation (Section 5.5 of [RFC2409], each GROUPKEY-PULL message
   hashes a uniquely defined set of values (described below).  Nonces
   permute the new Data-security SAs.

   Note HASH and provide some protection against replay attacks.
   Replay protection is important to protect the GCKS from attacks that
   a key management server will attract.

   The GROUPKEY-PULL uses nonces to guarantee "liveness" as well as
   against replay of a recent GROUPKEY-PULL message.  The replay attack
   is only possible in the above sequence, although context of the new KEK can effectively
   deny access to current Phase 1.  If a
   GROUPKEY-PULL message is replayed based on a previous Phase 1, the group to some group members they
   HASH calculation will be able fail due to
   view a wrong SKEYID_a.  The message will
   fail processing before the new KEK policy.  If forward access control policy nonce is ever evaluated.

   In order for either peer to get the
   group includes keeping benefit of the KEK policy secret replay protection,
   it must postpone as well much processing as possible until it receives the KEK
   itself secret, then two GROUPKEY-PUSH messages changing the KEK must
   occur before the new Data-security SAs are transmitted.

   If other methods of using LKH or other group management algorithms
   are added to GDOI, those methods MAY remove
   message in the above restrictions
   requiring multiple GROUPKEY-PUSH messages, providing those methods
   specify how forward access control policy is maintained within a
   single GROUPKEY-PUSH message.

2.  GDOI Phase 1 protocol

   The GDOI GROUPKEY-PULL exchange that proves the peer is a "phase 2" protocol which live.  For example,
   the GCKS MUST be
   protected by NOT adjust its internal state (e.g., keeping a "phase 1" protocol.  The "phase 1" protocol can be any
   protocol which provides for record
   of the following protections:

   o  Peer Authentication

   o  Confidentiality

   o  Message Integrity

   The following sections describe one such "phase 1" protocol.  Other
   protocols which may be potential "phase 1" protocols are described GM) until it receives a message with Nr included properly in
   Appendix A.  However,
   the use HASH payload.  This requirement ensures that replays of the protocols listed there are GDOI
   messages will not
   considered part of this document.

2.1.  ISAKMP Phase 1 protocol

   This document defines how cause the ISAKMP phase 1 exchanges as defined in
   [RFC2409] can be used a "phase 1" protocol for GDOI.  The following
   sections define characteristics GCKS to change the state of the ISAKMP phase 1 protocols group
   until it has confirmation that
   are unique for these exchanges when used for GDOI.

   Section 7.1 describes how the ISAKMP initiating group member is live.

              Group Member                      GCKS
              ------------                      ----
              HDR*, HASH(1), Ni, ID     -->
                                        <--     HDR*, HASH(2), Nr, SA
              HDR*, HASH(3) [,GAP]      -->
                                        <--     HDR*, HASH(4), [SEQ,] KD

    * Protected by the Phase 1 protocols meet SA, encryption occurs after HDR

   HDR is an ISAKMP header payload that uses the
   requirements of a GDOI "phase 1" protocol.

2.1.1.  DOI value

   The Phase 1 SA payload has cookies and a DOI value.  That value MUST be the GDOI
   DOI value
   message identifier (M-ID) as defined later in this document.

2.1.2.  UDP port

   IANA has assigned port 848 for the use of GDOI, which allows for an
   implementation to use separate ISAKMP implementations to service GDOI
   and IKEv1 [RFC2409].  A GCKS SHOULD listen on this port for GROUPKEY-
   PULL exchanges, and the GCKS MAY use this port to distribute
   GROUPKEY-PUSH messages.  An ISAKMP phase 1 exchange implementation
   supporting NAT Traversal [RFC3947] may move to port 4500 to process
   the GROUPKEY-PULL exchange.

3.  GROUPKEY-PULL Exchange

   The goal of IKEv1.

   Hashes are computed in the GROUPKEY-PULL exchange manner described within RFC 2409.  Each
   HASH computation (shown below) is to establish a Re-key
   and/or Data-security SAs at prf over the member for a particular group.  A
   Phase 1 SA protects message id (M-ID)
   from the GROUPKEY-PULL; there MAY be multiple
   GROUPKEY-PULL exchanges ISAKMP header concatenated with the entire message that
   follows the hash including all payload headers, but excluding any
   padding added for a given Phase 1 SA. encryption.  The GROUPKEY-PULL
   exchange downloads the data security keys (TEKs) and/or group key
   encrypting key (KEK) or KEK array under GM expects to find its nonce, Ni,
   in the protection HASH of the Phase 1
   SA.

3.1.  Authorization

   The Phase 1 identity SHOULD be used by a returned message.  And the GCKS expects to authorize see its
   nonce, Nr, in the Phase
   2 (GROUPKEY-PULL) request for HASH of a group key.  A group member MUST
   ensure returned message.  HASH(2), HASH(3), and
   HASH(4) also include nonce values previously passed in the protocol
   (i.e., Ni or Nr minus the payload header).  The nonce passed in Ni is
   represented as Ni_b, and the nonce passed in Nr is represented as
   Nr_b.  The HASH payloads prove that the peer has the Phase 1 identity of secret
   (SKEYID_a) and the GCKS is an authorized GCKS.
   When no authorization is performed, it is possible nonce for a rogue GDOI
   participant the exchange identified by message id,
   M-ID.

        HASH(1) = prf(SKEYID_a, M-ID | Ni | ID)
        HASH(2) = prf(SKEYID_a, M-ID | Ni_b | Nr | SA)
        HASH(3) = prf(SKEYID_a, M-ID | Ni_b | Nr_b [ | GAP ])
        HASH(4) = prf(SKEYID_a, M-ID | Ni_b | Nr_b [ | SEQ ] | KD)

   In addition to perpetrate a man-in-the-middle attack between a the Nonce and HASH payloads, the GM identifies the
   group it wishes to join through the ISAKMP ID payload.

   The GCKS informs the member of the cryptographic policies of the
   group in the SA payload, which describes the DOI, KEK and/or TEK
   keying material, authentication transforms, and a GCKS [MP04].

3.2.  Messages other group policy.
   The GROUPKEY-PULL is a Phase 2 exchange.  Phase 1 computes SKEYID_a
   which is SPIs are also determined by the "key" GCKS and downloaded in the keyed hash used in SA
   payload chain (see Section 5.2).  The SA KEK attribute contains the GROUPKEY-PULL HASH
   payloads.  When using
   ISAKMP cookie pair for the Phase 1 Re-key SA, which is not negotiated but
   downloaded.  Each SA TEK attribute contains a SPI as defined in this document, SKEYID_a
   is derived according to [RFC2409].  As with the IKEv1 HASH payload
   generation (Section
   Section 5.5 of [RFC2409], each GROUPKEY-PULL this document.

   After receiving and parsing the SA payload, the GM responds with an
   acknowledgement message
   hashes proving its liveness.  It optionally includes
   a uniquely defined set GAP payload requesting resources.

   The GCKS informs the GM of values.  Nonces permute the HASH and
   provide some protection against replay attacks.  Replay protection is
   important to protect value of the GCKS from attacks that sequence number in the
   SEQ payload.  This sequence number provides anti-replay state
   associated with a key management
   server KEK, and its knowledge ensure that the GM will attract.

   The not
   accept GROUPKEY-PULL uses nonces messages sent prior to guarantee "liveness", or against
   replay of a recent GROUPKEY-PULL message. the GM joining the group.
   The replay attack SEQ payload has no other use, and is only
   useful omitted from the
   GROUPKEY_PULL exchange when a KEK attribute is not included in the SA
   payload.  When a SEQ payload is included in the context of GROUPKEY-PULL
   exchange, it includes the most recently used sequence number for the
   group.  At the current Phase 1.  If conclusion of a GROUPKEY-PULL
   message is replayed based on a previous Phase 1, exchange, the HASH calculation
   will fail due to a wrong SKEYID_a.  The initiating
   group member MUST NOT accept any rekey message will fail processing
   before with both the nonce is ever evaluated.  In order for either peer KEK
   attribute SPI value and a sequence number less than or equal to get the benefit of
   one received during the replay protection, it must postpone as much
   processing as possible until it receives GROUPKEY-PULL.  When the message in first group member
   initiates a GROUPKEY-PULL exchange, the protocol
   that proves GCKS provides a Sequence
   Number of zero, since no GROUPKEY-PUSH messages have yet been sent.
   Note the peer is live.  For example, sequence number increments only with GROUPKEY-PUSH messages.
   The GROUPKEY-PULL exchange distributes the Responder MUST NOT
   adjust its internal state (e.g., keeping current sequence number to
   the group member.  The sequence number resets to a record value of one with
   the Initiator)
   until it receives usage of a message new KEK attribute.  Thus the first packet sent for a
   given Rekey SA will have a Sequence Number of 1.  The sequence number
   increments with Nr included properly each successive rekey.

   The GCKS always returns a KD payload containing keying material to
   the GM.  If a Re-key SA is defined in the HASH
   payload.

   Nonces require an additional message SA payload, then KD will
   contain the KEK; if one or more Data-security SAs are defined in the protocol exchange to
   ensure that
   SA payload, KD will contain the GCKS does not add TEKs.

3.2.1.  ISAKMP Header Initialization

   Cookies are used in the ISAKMP header to identify a group member until it proves
   liveliness. particular GDOI
   session.  The GDOI GROUPKEY-PULL member-initiator expects exchange uses cookies according to find its
   nonce, Ni, in the HASH
   ISAKMP [RFC2408].

   Next Payload identifies an ISAKMP or GDOI payload (see Section 5.0).

   Major Version is 1 and Minor Version is 0 according to ISAKMP
   (Section 3.1 of a returned message.  And [RFC2408]).

   The Exchange Type has value 32 for the GDOI GROUPKEY-PULL
   GCKS responder expects exchange.

   Flags, Message ID, and Length are according to see its nonce, Nr, in the HASH ISAKMP (Section 3.1 of
   [RFC2408]).

3.3.  Group Member Operations

   Before a
   returned message before providing group-keying material as in GM contacts the
   following exchange.

              Initiator (Member)                   Responder (GCKS)
              ------------------                   ----------------
              HDR*, HASH(1), Ni, ID     -->
                                        <--     HDR*, HASH(2), Nr, SA
              HDR*, HASH(3)             -->
                                        <--     HDR*, HASH(4), [SEQ,] KD

   Hashes are computed as follows:

        HASH(1) = prf(SKEYID_a, M-ID | Ni | ID)
        HASH(2) = prf(SKEYID_a, M-ID | Ni_b | Nr | SA)
        HASH(3) = prf(SKEYID_a, M-ID | Ni_b | Nr_b
        HASH(4) = prf(SKEYID_a, M-ID | Ni_b | Nr_b [ | SEQ | ] KD)

      * Protected by GCKS, it must determine the group identifier
   and acceptable Phase 1 SA, encryption occurs after HDR

   HDR is policy via an ISAKMP header payload that uses the out-of-band method.  Phase 1 cookies and a
   message identifier (M-ID) as in IKEv1.  Note that nonces are included
   in the first two messages, with is
   initiated using the GCKS returning only GDOI DOI in the SA policy
   payload before liveliness payload.  Once Phase 1 is proven.  The HASH payloads [RFC2409]
   prove that
   complete, the peer has GM state machine moves to the Phase 1 secret (SKEYID_a) GDOI protocol.

   To construct the first GDOI message the GM chooses Ni and the creates a
   nonce
   for payload, builds an identity payload including the exchange identified by message id, M-ID.  Once liveliness is
   established, group
   identifier, and generates HASH(1).

   Upon receipt of the last message completes second GDOI message, the real processing of
   downloading GM validates HASH(2),
   extracts the KD nonce Nr, and interprets the SA payload.

   In addition to  The SA payload
   contains policy describing the Nonce security protocol and HASH payloads, cryptographic
   protocols used by the member-initiator
   identifies group.  This policy describes the Re-key SA (if
   present), Data-security SAs, and other group it wishes to join through policy.  If the ISAKMP ID payload.
   The GCKS responder informs policy
   in the member of SA payload is acceptable to the current value of GM, it continues the
   sequence number in protocol.
   Otherwise, the SEQ payload; GM SHOULD tear down the sequence number provides
   anti-replay state associated with a KEK.  The SEQ payload has no
   other use, and is omitted from Phase 1 session after first
   notifying the GROUPKEY_PULL exchange when a KEK
   attribute GCKS that it is not included in the doing so.  If a Data-security SA payload.

   When
   describes the use of a SEQ payload is included in counter mode cipher, the GROUPKEY-PULL exchange, GM determines whether
   it requires more than one Sender-ID (SID) (see Section 3.5).  If so,
   it includes a GAP payload indicating how many SID values it requires.

   When constructing the most recently used sequence number third GDOI message, it first reviews each Data-
   security SA given to it.  If any include a cipher counter mode, it
   needs to request for one or more Sender-IDs for its exclusive use
   within the group.  At counter mode nonce.  Do to this, the conclusion of GM will include a GROUPKEY-PULL exchange, the initiating group
   member MUST NOT accept any rekey message GAP
   payload with both its request, as described in the Section 5.4 section of
   this document.  The GM the KEK attribute
   SPI value and a sequence number less than or equal to completes construction of the one
   received during third GDOI
   message by creating HASH(3).

   Upon receipt of the GROUPKEY-PULL.  When fourth GDOI message, the first group member
   initiates a GROUPKEY-PULL exchange, GM validates HASH(4).

   If the GCKS provides a Sequence
   Number of zero, since no GROUPKEY-PUSH messages have yet been sent.
   Note SEQ payload is present, the sequence number increments only with GROUPKEY-PUSH messages.

   The GROUPKEY-PULL exchange distributes in the current SEQ payload
   must be checked against any previously received sequence number to for
   this group.  If it is less than the group member. previously received number, it
   should be considered stale and ignored.

   The sequence number resets to a value of one with the usage of a new
   KEK attribute.  Thus GM interprets the first KD key packets, where each key packet sent includes
   the keying material for a given Rekey SA will
   have a Sequence Number of 1.  The sequence number increments with
   each successive rekey.

   The GCKS responder informs SAs distributed in the member of SA payload.  Keying
   material is matched by comparing the cryptographic policies
   of SPIs in the group key packets to SPIs
   previously sent in the SA payload, which describes the DOI, KEK and/or payloads.  Once TEK keying material, keys and authentication transforms.  The SPIs policy are
   also determined by
   matched, the GCKS GM provides them to the data security subsystem, and downloaded in it
   is ready to send or receive packets matching the TEK policy.  If this
   group has a KEK, the SA payload chain
   (see Section 5.2).  The SA KEK attribute contains policy and keys are marked as ready for use,
   and the GM knows to expect the ISAKMP cookie
   pair for sequence number reset to 1 with the Re-key
   next Rekey SA, which is not negotiated but downloaded.  The
   SA TEK attribute contains a SPI as defined in Section 5.5 of this
   document. will be encrypted with the new KEK attribute.
   The second message downloads this SA payload.  If a Re-key
   SA GM is defined in now ready to receive GROUPKEY-PUSH messages.

   If the SA payload, then KD will contain payload included an LKH array of keys, the KEK; if one
   or more Data-security SAs are defined GM takes the
   last key in the SA payload, KD will
   contain array as the TEKs.  This is useful if there group KEK.  The array is an initial set of TEKs then stored
   without further processing.

3.4.  GCKS Operations

   The GCKS passively listens for incoming requests from group members.
   The Phase 1 authenticates the particular group member and can obviate sets up the need for future TEK
   GROUPKEY-PUSH messages (described in section 4).

3.2.1.  ISAKMP Header Initialization

   Cookies are used in secure
   session with them.

   Upon receipt of the ISAKMP header to identify a particular GDOI
   session.  The GDOI GROUPKEY-PULL exchange uses cookies according to
   ISAKMP [RFC2408].

   Next Payload identifies an ISAKMP or first GDOI payload (see Section 5.0).

   Major Version is 1 message the GCKS validates HASH(1),
   extracts the Ni and Minor Version is 0 according to ISAKMP
   (Section 3.1 of [RFC2408]).

   The Exchange Type has value 32 group identifier in the ID payload.  It verifies
   that its database contains the group information for the GDOI GROUPKEY-PULL exchange.

   Flags, Message ID, group
   identifier, and Length are according that the GM is authorized to ISAKMP (Section 3.1 of
   [RFC2408]).

3.3.  Initiator Operations

   Before a group member (GDOI initiator) contacts participate in the GCKS, it must
   determine
   group.

   The GCKS constructs the group identifier second GDOI message, including a nonce Nr,
   and acceptable Phase 1 the policy via an
   out-of-band method.  Phase 1 is initiated using for the GDOI DOI group in the an SA payload.  Once Phase 1 is complete, the initiator state machine
   moves payload, followed by SA KEK,
   GAP, and/or SA TEK payloads according to the GDOI protocol.

   To construct GCKS policy.  (See
   Section 5.2.1 for details on how the first GCKS chooses which payloads to
   send.)

   Upon receipt of the third GDOI message the initiator chooses Ni and
   creates GCKS validates HASH(3).
   If the message includes a nonce GAP payload, builds an identity payload including it caches the
   group identifier, and generates HASH(1).

   Upon receipt requests
   included in that payload for use of constructing the second fourth GDOI
   message.

   The GCKS constructs the fourth GDOI message, including the initiator validates
   HASH(2), extracts SEQ
   payload (if the nonce Nr, GCKS sends rekey messages), and interprets the SA payload.  The
   SA KD payload contains
   containing keys corresponding to policy describing previously sent in the security protocol SA TEK
   and
   cryptographic protocols used by SA KEK payloads.  If a group management algorithm is defined as
   part of group policy, the group.  This policy describes GCKS will first insert the
   Re-key SA (if present), Data-security SAs, group member
   into the group management structure (e.g., a leaf in the LKH tree),
   and other then create an LKH array of keys and include it in the KD
   payload.  The first key in the array is associated with the group policy.
   If
   member leaf node, followed by each LKH node above it in the policy tree,
   culminating with the root node (which is also the KEK).  If one or
   more Data-Security SAs distributed in the SA payload is acceptable to included a
   counter mode of operation, the initiator, it
   continues GCKS includes at least one SID value
   in the protocol.

   The initiator constructs KD payload, and possibly more depending on a request received
   in the third GDOI message by creating HASH(3).

   Upon receipt message.

3.5.  Counter-modes of operation

   Several new counter-based modes of operation have been specified for
   ESP (e.g., AES-CTR [RFC3686], AES-GCM [RFC4106], AES-CCM [RFC4309],
   AES-GMAC [RFC4543]) and AH (e.g., AES-GMAC [RFC4543]).  These
   counter-based modes require that no two senders in the fourth GDOI message, group ever
   send a packet with the initiator validates
   HASH(4).

   If SEQ payload is present, same Initialization Vector (IV) using the sequence number same
   cipher key and mode.  This requirement is met in GDOI when the SEQ payload
   must be checked against any previously received sequence number
   following requirements are met:

   o  The GCKS distributes a unique key for
   this group.  If it is less than each Data-Security SA.

   o  The GCKS uses the previously received number, it
   should be considered stale and ignored.  This could happen if two
   GROUPKEY-PULL messages happened method described in parallel, and [RFC6054], which assigns
      each sender a portion of the sequence number
   changed between IV space by provisioning each sender
      with one or more unique SID values.

   When at least one Data-Security SAs included in the times group policy
   includes a counter-mode, the results GCKS automatically allocates and
   distributes one SID to each group member acting in the role of two GROUPKEY-PULL messages
   were returned from sender
   on the GCKS. Data-Security SA.  The initiator interprets SID value is used exclusively by the KD key packets, where
   group member to which it was allocated.  The group member uses the
   same SID for each Data-Security SA specifying the use of a counter-
   based mode of operation.  A GCKS MUST distribute unique keys for each
   Data-Security SA including a counter-based mode of operation in order
   to maintain a unique key packet
   includes the keying material for SAs distributed and nonce usage.

   When a group member receives a Data-Security SA in the a SA payload.
   Keying material TEK payload
   for which it is matched by comparing a sender, it can choose to request one or more SID
   values.  Requesting a value of 1 is not necessary since the SPIs GCKS will
   automatically allocate exactly one to the sending group member.  A
   group member MUST request as many SIDs matching the number of
   encryption modules in which it will be installing the key packets
   to SPIs previously sent TEKs in the SA payloads.  Once TEK keys
   outbound direction.  Alternatively, a group member MAY request more
   than one SID and policy
   are matched, the initiator provides use them to the data security
   subsystem, and serially.  This could be useful when it is ready to send or receive packets matching
   anticipated that the
   TEK policy.  If this group has member will exhaust their range of Data-
   Security SA nonces using a KEK, single SID too quickly (e.g., before the KEK
   time-based policy and keys are
   marked as ready for use, and in the initiator knows to expect TEK expires).

   When group policy includes a counter-based mode of operation, a GCKS
   SHOULD use the
   sequence number reset following method to 1 with the next Rekey SA, allocate SID values, which ensures
   that each SID will be
   encrypted allocated to just one group member.

   1.  A GCKS maintains an SID-counter, which records which SIDs that
       have been allocated.  SIDs are allocated sequentially, with the new KEK attribute.  The initiator is now ready
       first SID allocated to
   receive GROUPKEY-PUSH messages.

   If the KD payload included be zero.

   2.  Each time an LKH array of keys, the initiator takes SID is allocated, the last key in current value of the array as counter
       is saved and allocated to the group KEK. member.  The array SID-counter is
       then stored
   without further processing.

3.4.  Receiver Operations

   The GCKS (responder) passively listens incremented in preparation for incoming requests from
   group members.  The Phase 1 authenticates the next allocation.

   3.  When the GCKS distributes an Data-Security SA specifying a
       counter-based mode of operation, and a group member and sets
   up the secure session with them.

   Upon receipt is a sender,
       a group member may request a count of the first GDOI message SIDs in a GAP payload.
       When the GCKS validates HASH(1),
   extracts receives this request, it increments the Ni SID-
       counter once for each requested SID, and group identifier in the ID payload.  It verifies
   that its database contains distributes each SID
       value to the group information member.

   4.  A GCKS allocates new SID values for each GROUPKEY-PULL exchange
       originated by a sender, regardless of whether a group member had
       previously contacted the GCKS.  In this way, the GCKS does not
       have a requirement of maintaining a record of which SID values it
       had previously allocated to each group
   identifier.

   The member.  More importantly,
       since the GCKS constructs cannot reliably detect whether the second GDOI message, including a nonce Nr,
   and group member
       had sent data on the policy for current group Data-Security SAs it does not
       know what Data-Security counter-mode nonce values that a group
       member has used.  By distributing new SID values, the key server
       ensures that each time a conforming group in an member installs a Data-
       Security SA payload, followed it will use a unique set of counter-based mode
       nonces.

   5.  When the SID-counter maintained by SA GAP, SA
   KEK, and/or SA TEK payloads according to the GCKS policy.  (See
   Section 5.2.1 reaches its final SID
       value, no more SID values can be distributed.  Before
       distributing any new SID values, the GCKS MUST delete the Data-
       Security SAs for details on how the GCKS chooses which payloads to
   send.)

   Upon receipt group, followed by creation of new Data-
       Security SAs, and resetting the third GDOI message the GCKS validates HASH(3). SID-counter to its initial value.

   6.  The GCKS constructs the fourth GDOI message, including the SEQ
   payload (if the GCKS sends rekey messages), SHOULD send a GROUPKEY-PUSH message deleting all Data-
       Security SAs and the KD payload
   containing keys corresponding to policy previously sent in the SA TEK
   and Rekey SA KEK payloads.  If a group management algorithm is defined as
   part of group policy, for the GCKS group.  This will first insert the group member
   into result in
       the group management structure (e.g., members initiating a leaf new GROUPKEY-PULL exchange, in the LKH tree),
   and then create an LKH array of keys
       which they will receive both new SID values and include it in the KD
   payload. new Data-Security
       SAs.  The first key in new SID values can safely be used because they are only
       used with the array new Data-Security SAs.  Note that deletion of the
       Rekey SA is associated necessary to ensure that group members receiving a
       GROUPKEY-PUSH exchange before the re-register do not
       inadvertently use their old SIDs with the new Data-Security SAs.

   Using the method above, at no time can two group
   member leaf node, followed by each LKH node above it in members use the tree,
   culminating same
   IV values with the root node (which is also the KEK). same Data-Security SA key.

4.  GROUPKEY-PUSH Message

   GDOI sends control information securely using group communications.
   Typically this will be using IP multicast distribution of a GROUPKEY-
   PUSH message but it can also be "pushed" using unicast delivery if IP
   multicast is not possible.  The GROUPKEY-PUSH message replaces a Re-
   key SA KEK or KEK array, and/or creates a new Data-security SA.

              Member

              GM                    GCKS or Delegate
              ------                               ----------------
              --                    ----
                              <---- HDR*, SEQ, [D,] SA, KD, SIG

      * Protected by the Re-key SA KEK; encryption occurs after HDR

   HDR is defined below.  The SEQ payload is defined in the Payloads
   section.  One or more D (Delete) payloads (further described in
   Section 5.9) optionally specify the deletion of existing group
   policy.  The SA defines the group policy (e.g., protection suite) and
   attributes (e.g., SPI) for a replacement Re-key SA
   and/or Data-
   security SAs.  KD is the key download payload Data-security SAs as described in the
   Payloads section. Payloads section, with
   the KD providing keying material for those SAs.

   The SIG payload includes a signature of a hash of the entire
   GROUPKEY-PUSH message (excepting the SIG payload bytes) before it has
   been encrypted.  The HASH is taken over the string 'rekey', the
   GROUPKEY-PUSH HDR, followed by all payloads preceding the SIG
   payload.  The prefixed string ensures that the signature of the Rekey
   datagram cannot be used for any other purpose in the GDOI protocol.
   After the
   The SIG payload is created using the signature of the above hash,
   with the receiver verifying the signature using a public key
   retrieved in policy received by a GROUPKEY-PULL exchange, or
   distributed in an earlier GROUPKEY-PUSH message. previous GDOI exchange.  The current KEK encryption
   key (previously (also previously distributed in a GROUPKEY-PULL exchange or
   GROUPKEY-PUSH message) encrypts all the payloads following the
   GROUPKEY-PUSH HDR.  Note: The rationale for this order of operations
   is given in Section 7.3.5.

   If the SA defines the use of a single KEK or an LKH KEK array, KD
   MUST contain a corresponding KEK or KEK array for a new Re-key SA,
   which has a new cookie pair.  When the KD payload carries a new SA
   KEK attribute (section 5.3), a Re-key SA is replaced with a new SA
   having the same group identifier (ID specified in message 1 of
   section 3.2) and incrementing the same sequence counter, which is
   initialized in message 4 of section 3.2.  Note the first packet for
   the given Rekey SA encrypted with the new KEK attribute will have a
   Sequence number of 1.  If the SA defines an SA TEK payload, this
   informs the member that a new Data-security SA has been created, with
   keying material carried in KD (Section 5.6).

   If the SA defines a large LKH KEK array (e.g., during group
   initialization and batched rekeying), parts of the array MAY be sent
   in different unique GROUPKEY-PUSH datagrams.  However, each of the
   GROUPKEY-PUSH datagrams MUST be a fully formed GROUPKEY-PUSH
   datagram.  This results in each datagram containing a sequence number
   and the policy in the SA payload, which corresponds to the KEK array
   portion sent in the KD payload.

4.1.  Use of signature keys

   A signing key should not be used in more than one context (e.g., used
   for host authentication and also for message authentication).  Thus,
   the GCKS SHOULD NOT use the same key to sign the SIG payload in the
   GROUPKEY-PUSH message as was used for authentication in the GROUPKEY-
   PULL exchange.

4.2.  ISAKMP Header Initialization

   Unlike ISAKMP or IKEv1, the cookie pair is completely determined by
   the GCKS.  The cookie pair in the GDOI ISAKMP header identifies the
   Re- key
   Re-key SA to differentiate the secure groups managed by a GCKS.
   Thus, GDOI uses the cookie fields as an SPI.

   Next Payload identifies an ISAKMP or GDOI payload (see Section 5.0).

   Major Version is 1 and Minor Version is 0 according to ISAKMP
   (Section 3.1 of [RFC2408]).

   The Exchange Type has value 33 for the GDOI GROUPKEY-PUSH message.

   Flags MUST have the Encryption bit set according to [RFC2008, Section
   3.1].  All other bits MUST be set to zero.

   Message ID MUST be set to zero.

   Length is according to ISAKMP (Section 3.1 of [RFC2408]).

4.3.  GCKS Operations

   GCKS or its delegate may initiate a Rekey message for one of several reasons, e.g.,
   the group membership has changed or keys are due to expire.

   To begin the rekey datagram the GCKS builds an ISAKMP HDR with the
   correct cookie pair, and a SEQ payload that includes a sequence
   number which is one greater than the previous rekey datagram.  If the
   message is using the new KEK attribute for the first time, the SEQ is
   reset to 1 in this message.

   An SA payload is then added.  This is identical in structure and
   meaning to a SA payload sent in a GROUPKEY-PULL exchange.  If there
   are changes to the KEK (including due to group members being
   excluded, in the case of LKH), an SA_KEK attribute is added to the
   SA.  If there are one or more new TEKs then SA_TEK attributes are
   added to describe that policy.

   A KD payload is then added.  This is identical in structure and
   meaning to a KD payload sent in a GROUPKEY-PULL exchange.  If an
   SA_KEK attribute was included in the SA payload then corresponding
   KEK keys (or a KEK update array) is included.  A KEK update array is
   created by first determining which group members have been excluded,
   and then generating new keys as necessary and distribute LKH update
   arrays sufficient to provide the new KEK to remaining group members
   (see Section 5.4.1 of [RFC2627] for details).  TEK keys are also sent
   for each SA_TEK attribute included in the SA payload.

   In the penultimate step, the initiator hashes the string "rekey"
   followed by GCKS creates the key management message already formed.  The hash is
   signed, placed in a SIG payload and added adds it
   to the datagram.

   Lastly, the payloads following the HDR are encrypted using the
   current KEK encryption key.  The datagram can now be sent.

4.4.  Group Member Operations

   A group member receiving the GROUPKEY-PUSH datagram matches the
   cookie pair in the ISAKMP HDR to an existing SA.  The message is
   decrypted, and the form of the datagram is validated.  This weeds out
   obvious ill-formed messages (which may be sent as part of a Denial of
   Service attack on the group).

   The sequence number in the SEQ payload is validated to ensure that it
   is greater than the previously received sequence number, and that it
   fits within a window of acceptable values.  The SIG payload is then
   validated.  If the signature fails, the message is discarded.

   The SA and KD payloads are processed which results in a new GDOI
   Rekey SA
   Rekey-SA (if the SA payload included an SA_KEK attribute) and/or new
   IPsec
   Data-security SAs being added to the system.  If the KD payload
   includes an LKH update array, the group member compares the LKH ID in
   each key update packet to the LKH IDs that it holds.  If it finds a
   match, it decrypts the key using the key prior to it in the key array
   and stores the new key in the LKH key array that it holds.  The final
   decryption yields the new group KEK.

   If the SA payload includes Data-Security SA including a counter-modes
   of operation and the receiving group member is a sender for that SA,
   the group member uses its current SID value with the Data-Security
   SAs to create counter-mode nonces.  If it is a sender and does not
   hold a current SID value, it MUST NOT install the Data-Security SAs.
   It MAY initiate a GROUPKEY-PULL exchange to the GCKS in order to
   obtain an SID value (along with current group policy).

5.  Payloads and Defined Values

   This document specifies use of several ISAKMP payloads, which are
   defined in accordance with RFC 2408.  The following payloads are
   extended or further specified.

                  Next Payload Type            Value
                  -----------------            -----
                  Security Association (SA)      1
                  Identification (ID)            5
                  Nonce (N)                     10

   Several payload formats specific to the group security exchanges are
   required.

                  Next Payload Type                Value
                  -----------------                -----
                  SA KEK Payload (SAK)              15
                  SA TEK Payload (SAT)              16
                  Key Download (KD)                 17
                  Sequence Number (SEQ)             18
                  SA
                  Group Associated Policy (GAP)   TBD-1

5.1.  Identification Payload

   The Identification Payload is defined in RFC 2408.  For the GDOI, it
   is used to identify a group identity that will later be associated
   with Security Associations for the group.  A group identity may map
   to a specific IP multicast group, or may specify a more general
   identifier, such as one that represents a set of related multicast
   streams.

   When used with the GDOI, the DOI Specific ID Data field MUST be set
   to 0.

   When used with the GDOI, the ID_KEY_ID ID Type MUST be supported by a
   conforming implementation, and MUST specify a four (4)-octet group
   identifier as its value.  Implementations MAY also support other ID
   Types.

5.2.  Security Association Payload

   The Security Association payload is defined in RFC 2408.  For the
   GDOI, it is used by the GCKS to assert security attributes for both
   Re-key and Data-security SAs.

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       ! Next Payload  !   RESERVED    !         Payload Length        !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       !                              DOI                              !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       !                           Situation                           !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       ! SA Attribute Next Payload     !          RESERVED2            !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!

   The Security Association Payload fields are defined as follows:

   o Next Payload (1 octet) -- Identifies the next payload for the
   GROUPKEY-PULL or the GROUPKEY-PUSH message as defined above.  The
   next payload MUST NOT be a SAK Payload or SAT Payload type, but the
   next non-Security Association type payload.

   o RESERVED (1 octet) -- Must be zero.

   o Payload Length (2 octets) -- Is the octet length of the current
   payload including the generic header and all TEK and KEK payloads.

   o DOI (4 octets) -- Is the GDOI, which is value 2.

   o Situation (4 octets) -- Must be zero.

   o SA Attribute Next Payload (1 octet) -- Must be either a SAK Payload
   or a SAT Payload.  See section 5.2.1 for a description of which
   circumstances are required for each payload type to be present.

   o RESERVED (2 octets) -- Must be zero.

5.2.1.  Payloads following the SA payload

   Payloads that define specific security association attributes for the
   KEK and/or TEKs used by the group MUST follow the SA payload.  How
   many of each payload is dependent upon the group policy.  There may
   be zero or one SAK Payloads, Payload, zero or more one GAP Payloads, Payload, and zero or more
   SAT Payloads, where either one SAK or SAT payload MUST be present.
   When present, the order of the SA Attributes payloads must be: KEK,
   GAP, and TEKs.

   This latitude regarding SA Attributes payloads allows various group
   policies to be accommodated.  For example if the group policy does
   not require the use of a Re-key SA, the GCKS would not need to send
   an SA KEK attribute to the group member since all SA updates would be
   performed using the Registration SA.  Alternatively, group policy
   might use a Re-key SA but choose to download a KEK to the group
   member only as part of the Registration SA.  Therefore, the KEK
   policy (in the SA KEK attribute) would not be necessary as part of
   the Re-key SA message SA payload.

   Specifying multiple SATs allows multiple sessions to be part of the
   same group and multiple streams to be associated with a session
   (e.g., video, audio, and text) but each with individual security
   association policy.

   A GAP payload allows for the distribution of group-wise policy, such
   as instructions as to when to activate and de-activate SAs.

5.3.  SA KEK payload

   The SA KEK (SAK) payload contains security attributes for the KEK
   method for a group and parameters specific to the GROUPKEY-PULL
   operation.  The source and destination identities describe the
   identities used for the GROUPKEY-PULL datagram.

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       ! Next Payload  !   RESERVED    !         Payload Length        !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       !        !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       !    Protocol   !  SRC ID Type  !         SRC ID Port           !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       !SRC ID Data Len!          SRC Identification Data              ~
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       ! DST ID Type   !         DST ID Port           !DST ID Data Len!
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       !                    DST Identification Data                    ~
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       !                                                               !
       ~                              SPI                              ~
       !                                                               !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       !                           RESERVED2                           !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       ~                        KEK Attributes                         ~
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!

   The SAK Payload fields are defined as follows:

   o Next Payload (1 octet) -- Identifies the next payload for the
   GROUPKEY-PULL or the GROUPKEY-PUSH message.  The only valid next
   payload types for this message are a GAP Payload, SAT Payload or zero
   to indicate that no SA Attribute payloads follow.

   o RESERVED (1 octet) -- Must be zero.

   o Payload Length (2 octets) -- Length of this payload, including the
   KEK attributes.

   o Protocol   ! (1 octet) -- Value describing an IP protocol ID (e.g.,
   UDP/TCP) for the rekey datagram.

   o SRC ID Type  ! (1 octet) -- Value describing the identity information
   found in the SRC Identification Data field.  Defined values are
   specified by the IPsec Identification Type section in the IANA
   isakmpd-registry [ISAKMP-REG].

   o SRC ID Port           !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       !SRC (2 octets) -- Value specifying a port associated with
   the source Id.  A value of zero means that the SRC ID Port field
   should be ignored.

   o SRC ID Data Len! Len (1 octet) -- Value specifying the length of the SRC
   Identification Data              ~
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       ! field.

   o SRC Identification Data (variable length) -- Value, as indicated by
   the SRC ID Type.

   o DST ID Type   ! (1 octet) -- Value describing the identity information
   found in the DST Identification Data field.  Defined values are
   specified by the IPsec Identification Type section in the IANA
   isakmpd-registry [ISAKMP-REG].

   o DST ID Prot (1 octet) -- Value describing an IP protocol ID (e.g.,
   UDP/TCP).

   o DST ID Port           !DST (2 octets) -- Value specifying a port associated with
   the source Id.

   o DST ID Data Len!
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       ! Len (1 octet) -- Value specifying the length of the DST
   Identification Data                    ~
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       !                                                               !
       ~                              SPI                              ~
       !                                                               !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       !                           RESERVED2                           !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       ~                        KEK Attributes                         ~
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!

   The SAK Payload fields are defined as follows: field.

   o Next Payload (1 octet) DST Identification Data (variable length) -- Identifies Value, as indicated by
   the next payload DST ID Type.

   o SPI (16 octets) -- Security Parameter Index for the
   GROUPKEY-PULL or KEK.  The SPI
   must be the ISAKMP Header cookie pair where the first 8 octets become
   the "Initiator Cookie" field of the GROUPKEY-PUSH message.  The only valid next
   payload types for this message ISAKMP HDR,
   and the second 8 octets become the "Responder Cookie" in the same
   HDR.  As described above, these cookies are a GAP Payload, SAT Payload or zero
   to indicate that no SA Attribute payloads follow. assigned by the GCKS.

   o RESERVED (1 octet) RESERVED2 (4 octets) -- Must be zero.  This bytes represent fields
   previously defined but no longer used by GDOI.

   o Payload Length (2 octets) KEK Attributes -- Length of this payload, including the Contains KEK policy attributes associated with
   the group.  The following sections describe the possible attributes.

   o Protocol (1 octet) -- Value describing an IP protocol ID (e.g.,
   UDP/TCP) for
   Any or all attributes may be optional, depending on the rekey datagram.

   o SRC group policy.

5.3.1.  KEK Attributes

   The following attributes may be present in a SAK Payload.  The
   attributes must follow the format defined in ISAKMP (Section 3.3 of
   [RFC2408]).  In the table, attributes that are defined as TV are
   marked as Basic (B); attributes that are defined as TLV are marked as
   Variable (V).

                ID Type (1 octet) -- Class                   Value describing the identity information
   found    Type
                --------                   -----    ----
                RESERVED                     0
                KEK_MANAGEMENT_ALGORITHM     1        B
                KEK_ALGORITHM                2        B
                KEK_KEY_LENGTH               3        B
                KEK_KEY_LIFETIME             4        V
                SIG_HASH_ALGORITHM           5        B
                SIG_ALGORITHM                6        B
                SIG_KEY_LENGTH               7        B
                KE_OAKLEY_GROUP              8        B
                Standards Action            9-127
                Private Use               128-255
                Unassigned                256-32767

   The KEK_MANAGEMENT_ALGORITHM attribute may only be included in a
   GROUPKEY-PULL message.

5.3.2.  KEK_MANAGEMENT_ALGORITHM

   The KEK_MANAGEMENT_ALGORITHM class specifies the SRC Identification Data field. group KEK management
   algorithm used to provide forward or backward access control (i.e.,
   used to exclude group members).  Defined values are specified by the IPsec Identification Type section in the IANA
   isakmpd-registry [ISAKMP-REG].

   o SRC ID Port (2 octets) --
   following table.

                  KEK Management Type               Value specifying a port associated with
                  -------------------               -----
                  RESERVED                            0
                  LKH                                 1
                  Standards Action                   2-127
                  Private Use                      128-255

5.3.2.1.  LKH

   This type indicates the source Id. group management method described in Section
   5.4 of [RFC2627].  A value general discussion of zero means that the SRC ID Port field
   should LKH operations can also be ignored.

   o SRC ID Data Len (1 octet) -- Value specifying the length
   found in Section 6.3 of Multicast and Group Security [HD03]

5.3.3.  KEK_ALGORITHM

   The KEK_ALGORITHM class specifies the SRC
   Identification Data field.

   o SRC Identification Data (variable length) -- Value, as indicated by
   the SRC ID Type.

   o DST ID Type (1 octet) -- Value describing the identity information
   found encryption algorithm in which
   the DST Identification Data field. KEK is used to provide confidentiality for the GROUPKEY-PUSH
   message.  Defined values are specified by the IPsec Identification Type section in the IANA
   isakmpd-registry [ISAKMP-REG].

   o DST ID Prot (1 octet) -- Value describing following table.  A
   GDOI implementation MUST abort if it encounters an IP protocol ID (e.g.,
   UDP/TCP).

   o DST ID Port (2 octets) -- Value specifying a port associated with
   the source Id.

   o DST ID Data Len (1 octet) -- attribute or
   capability that it does not understand.

                   Algorithm Type      Value specifying the length of
                   --------------      -----
                   RESERVED               0
                   KEK_ALG_DES            1
                   KEK_ALG_3DES           2
                   KEK_ALG_AES            3
                   Standards Action      4-127
                   Private Use         128-255
                   Unassigned          256-32767

   If a KEK_MANAGEMENT_ALGORITHM is defined which defines multiple keys
   (e.g., LKH), and if the DST
   Identification Data field.

   o DST Identification Data (variable length) -- Value, as indicated by management algorithm does not specify the DST ID Type.

   o SPI (16 octets) -- Security Parameter Index
   algorithm for those keys, then the KEK.  The SPI
   must be the ISAKMP Header cookie pair where the first 8 octets become algorithm defined by the "Initiator Cookie" field
   KEK_ALGORITHM attribute MUST be used for all keys which are included
   as part of the GROUPKEY-PUSH message ISAKMP HDR,
   and the second 8 octets become management.

5.3.3.1.  KEK_ALG_DES

   This type specifies DES using the "Responder Cookie" Cipher Block Chaining (CBC) mode as
   described in the same
   HDR.  As [FIPS81].

5.3.3.2.  KEK_ALG_3DES

   This type specifies 3DES using three independent keys as described above, these cookies are assigned by in
   "Keying Option 1" in [FIPS46-3].

5.3.3.3.  KEK_ALG_AES

   This type specifies AES as described in [FIPS197].  The mode of
   operation for AES is Cipher Block Chaining (CBC) as recommended in
   [SP.800-38A].

5.3.4.  KEK_KEY_LENGTH

   The KEK_KEY_LENGTH class specifies the GCKS.

   o RESERVED2 (4 octets) -- Must be zero.

   o KEK Attributes -- Contains KEK policy attributes associated with
   the group. Algorithm key length (in
   bits).  The following sections describe Group Controller/Key Server (GCKS) adds the possible attributes.
   Any or all attributes may be optional, depending on
   KEK_KEY_LENGTH attribute to the group policy.

5.3.1. SA payload when distributing KEK Attributes
   policy to group members.  The following attributes may be present in group member verifies whether or not it
   has the capability of using a cipher key of that size.  If the cipher
   definition includes a SAK Payload.  The
   attributes must follow fixed key length (e.g., KEK_ALG_3DES), the format defined in ISAKMP (Section 3.3 of
   [RFC2408]).  In
   group member can make its decision solely using the table, attributes that are defined as TV are
   marked as Basic (B); attributes that are defined as TLV are marked as
   Variable (V).

                ID Class                   Value    Type
                --------                   -----    ----
                RESERVED                     0
                KEK_MANAGEMENT_ALGORITHM     1        B KEK_ALGORITHM                2        B
   attribute and does not need the KEK_KEY_LENGTH attribute.  Sending
   the KEK_KEY_LENGTH               3        B
                KEK_KEY_LIFETIME             4        V
                SIG_HASH_ALGORITHM           5        B
                SIG_ALGORITHM                6        B
                SIG_KEY_LENGTH               7        B

   The KEK_MANAGEMENT_ALGORITHM attribute may in the SA payload is OPTIONAL if the KEK
   cipher has a fixed key length.  Also, note that the KEK_KEY_LEN
   includes only be the actual length of the cipher key (the IV length is
   not included in a
   GROUPKEY-PULL message.

5.3.2.  KEK_MANAGEMENT_ALGORITHM this attribute).

5.3.5.  KEK_KEY_LIFETIME

   The KEK_MANAGEMENT_ALGORITHM KEK_KEY_LIFETIME class specifies the group maximum time for which the
   KEK management
   algorithm used to provide forward or backward access control (i.e.,
   used to exclude group members).  Defined values are specified is valid.  The GCKS may refresh the KEK at any time before the
   end of the valid period.  The value is a four (4) octet number
   defining a valid time period in seconds.

5.3.6.  SIG_HASH_ALGORITHM

   SIG_HASH_ALGORITHM specifies the SIG payload hash algorithm.  The
   following table.

                  KEK Management table defines the algorithms for SIG_HASH_ALGORITHM.

                   Algorithm Type     Value
                  -------------------
                   --------------     -----
                   RESERVED             0
                  LKH
                   SIG_HASH_MD5         1
                  RESERVED                           2-127
                   SIG_HASH_SHA1        2
                   SIG_HASH_SHA256     TBD-2
                   SIG_HASH_SHA384     TBD-3
                   SIG_HASH_SHA512     TBD-4
                   Standards Action    3-127
                   Private Use       128-255

5.3.2.1.  LKH

   This type indicates
                   Unassigned        256-32767
   The SHA hash algorithms are defined in the Secure Hash
   Standard[FIPS.180-2.2002].

   If the SIG_ALGORITHM is SIG_ALG_ECDSA-256, SIG_ALG_ECDSA-384, or
   SIG_ALG_ECDSA-521 the group management method described hash algorithm is implicit in Section
   5.4 of [RFC2627].  A general discussion of LKH operations can also the definition,
   and SIG_HASH_ALGORITHM is not required to be
   found present in Section 6.3 of Multicast and Group Security [HD03]

5.3.3.  KEK_ALGORITHM a SAK
   Payload.

5.3.7.  SIG_ALGORITHM

   The KEK_ALGORITHM SIG_ALGORITHM class specifies the encryption algorithm using with
   the KEK. SIG payload signature
   algorithm.  Defined values are specified in the following table.  An
   GDOI implementation MUST abort if it encounters an attribute or
   capability that it does not understand.

                   Algorithm Type      Value
                   --------------      -----
                   RESERVED              0
                   KEK_ALG_DES
                   SIG_ALG_RSA           1
                   KEK_ALG_3DES
                   SIG_ALG_DSS           2
                   KEK_ALG_AES
                   SIG_ALG_ECDSS         3
                   RESERVED
                   SIG_ALG_RSA_PSS      TBD-6
                   SIG_ALG_ECDSA-256    TBD-7
                   SIG_ALG_ECDSA-384    TBD-8
                   SIG_ALG_ECDSA-521    TBD-9
                   Standards Action     4-127
                   Private Use        128-255

   If a KEK_MANAGEMENT_ALGORITHM is defined which defines multiple keys
   (e.g., LKH), and if
                   Unassigned         256-32767

5.3.7.1.  SIG_ALG_RSA

   This algorithm specifies the management RSA digital signature algorithm does not specify using
   the EMSA-PKCS1-v1_5 encoding method, as described in [RFC3447].

5.3.7.2.  SIG_ALG_DSS

   This algorithm for those keys, then specifies the DSS digital signature algorithm defined by as
   described in Section 4 of [FIPS186-3].

5.3.7.3.  SIG_ALG_ECDSS

   This algorithm specifies the
   KEK_ALGORITHM attribute MUST be used for all keys which are included Elliptic Curve digital signature
   algorithm as part described in Section 5 of [FIPS186-3].  This definition
   is deprecated in favor of the management.

5.3.3.1.  KEK_ALG_DES SIG_ALG_ECDSA family of algorithms.

5.3.7.4.  SIG_ALG_RSA_PSS

   This type algorithm specifies DES the RSA digital signature algorithm using
   the Cipher Block Chaining (CBC) mode EMSA-PSS encoding method, as described in [FIPS81].

5.3.3.2.  KEK_ALG_3DES [RFC3447].

5.3.7.5.  SIG_ALG_ECDSA-256

   This type algorithm specifies 3DES using three independent keys the 256-bit Random ECP Group, as described
   in [RFC5903].  The format of the signature in the SIG payload MUST be
   as specified in [RFC4754].

5.3.7.6.  SIG_ALG_ECDSA-384

   This algorithm specifies the 384-bit Random ECP Group, as described
   in
   "Keying Option 1" [RFC5903].  The format of the signature in the SIG payload MUST be
   as specified in [FIPS46-3].

5.3.3.3.  KEK_ALG_AES [RFC4754].

5.3.7.7.  SIG_ALG_ECDSA-521

   This type algorithm specifies AES the 521-bit Random ECP Group, as described
   in [FIPS197]. [RFC5903].  The mode format of
   operation for AES is Cipher Block Chaining (CBC) the signature in the SIG payload MUST be
   as recommended specified in
   [SP.800-38A].

5.3.4.  KEK_KEY_LENGTH [RFC4754].

5.3.8.  SIG_KEY_LENGTH

   The KEK_KEY_LENGTH SIG_KEY_LENGTH class specifies the KEK Algorithm key length (in
   bits).  The Group Controller/Key Server (GCKS) adds the KEK_KEY_LEN
   attribute to of the SA SIG payload when distributing KEK key
   in bits.

5.4.  Group Associated Policy

   A GCKS may have group-specific policy that is not distributed in an
   SA TEK or SA KEK.  Some of this policy is relevant to all group
   members.  The
   members, and some is sender-specific policy for a particular group member verifies whether
   member.  The former can be distributed in either a GROUPKEY-PULL or not it has
   GROUPKEY-PUSH exchange, whereas the
   capability of using latter MUST only be sent in a cipher key of that size.  If the cipher
   definition includes
   GROUPKEY-PULL exchange.  Additionally, a fixed key length (e.g., KEK_ALG_3DES), the group member can sometimes has
   the need to make its decision solely using policy requests for resources of the KEK_ALGORITHM
   attribute GCKS in a
   GROUPKEY-PULL exchange.  GDOI distributes this associated group
   policy and does not need policy requests in the KEK_KEY_LEN attribute.  Sending Group Associated Policy (GAP)
   payload.

   The GAP payload can be distributed by the
   KEK_KEY_LEN attribute in GCKS as part of the SA payload
   payload.  It follows any SA KEK payload, and is OPTIONAL if placed before any SA
   TEK payloads.  In the KEK cipher
   has a fixed key length.  Also, note case that group policy does not include an SA
   KEK, the SA Attribute Next Payload field in the KEK_KEY_LEN includes
   only SA payload MAY
   indicate the actual length SA GAP payload.

   The GAP payload can be optionally included by a group member in
   message 3 of the cipher key (the IV length is not
   included GROUPKEY-PULL exchange in this attribute).

5.3.5.  KEK_KEY_LIFETIME order to make policy
   requests.

   The KEK_KEY_LIFETIME class specifies the maximum time for which the
   KEK SA GAP payload is valid. defined as follows:

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       ! Next Payload  !   RESERVED    !        Payload Length         !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       !               Group Associated Policy Attributes              ~
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!

   The GCKS may refresh SA GAP payload fields are defined as follows:

   o  Next Payload (1 octet) -- Identifies the KEK at any time before next payload present in
      the
   end of GROUPKEY-PULL or the valid period. GROUPKEY-PUSH message.  The value is a four (4) octet number
   defining a only valid time period in seconds.

5.3.6.  SIG_HASH_ALGORITHM

   SIG_HASH_ALGORITHM specifies the SIG
      next payload hash algorithm.  The
   following table defines the algorithms type for SIG_HASH_ALGORITHM.

                   Algorithm Type  Value
                   --------------  -----
                   RESERVED           0
                   SIG_HASH_MD5       1
                   SIG_HASH_SHA1      2
                   SIG_HASH_SHA256   TBD-2
                   SIG_HASH_SHA384   TBD-3
                   SIG_HASH_SHA512   TBD-4 this message is an SA TEK or zero to
      indicate there are no more security association attributes.

   o  RESERVED         6-127
                   Private Use   128-255

   The SHA hash algorithms (1 octet) -- Must be zero.

   o  Payload Length (2 octets) -- Length of this payload, including the
      SA GAP header and Attributes.

   o  Group Associated Policy Attributes (variable) -- Contains
      attributes following the format defined in Section 3.3 of RFC
      2408.

   Several group associated policy attributes are defined in the Secure Hash
   Standard[FIPS.180-2.2002].

   If the SIG_ALGORITHM is SIG_ALG_ECDSA-256, SIG_ALG_ECDSA-384, this memo.
   An GDOI implementation MUST abort if it encounters an attribute or
   SIG_ALG_ECDSA-521 the hash algorithm is implicit in the definition,
   and SIG_HASH_ALGORITHM is
   capability that it does not required to be present in a SAK
   Payload.

5.3.7.  SIG_ALGORITHM understand.  The SIG_ALGORITHM class specifies the SIG payload signature
   algorithm.  Defined values for these
   attributes are specified in the following table.

                   Algorithm Type    Value
                   --------------    -----
                   RESERVED            0
                   SIG_ALG_RSA         1
                   SIG_ALG_DSS         2
                   SIG_ALG_ECDSS       3
                   SIG_ALG_RSA_PSS   TBD-6
                   SIG_ALG_ECDSA-256 TBD-7
                   SIG_ALG_ECDSA-384 TBD-8
                   SIG_ALG_ECDSA-521 TBD-9
                   RESERVED          8-127
                   Private Use     128-255

5.3.7.1.  SIG_ALG_RSA

   This algorithm specifies the RSA digital signature algorithm using
   the EMSA-PKCS1-v1_5 encoding method, as described included in [RFC3447].

5.3.7.2.  SIG_ALG_DSS

   This algorithm specifies the DSS digital signature algorithm as
   described in Section 4 IANA Considerations section of [FIPS186-3].

5.3.7.3.  SIG_ALG_ECDSS

   This algorithm specifies the Elliptic Curve digital signature
   algorithm as described in this
   memo.

5.4.1.  ACTIVATION_TIME_DELAY/DEACTIVATION_TIME_DELAY

   Section 5 of [FIPS186-3].  This definition
   is deprecated in favor of the SIG_ALG_ECDSA family 4.2.1 of algorithms.

5.3.7.4.  SIG_ALG_RSA_PSS

   This algorithm specifies the RSA digital signature algorithm using
   the EMSA-PSS encoding method, as described in [RFC3447].

5.3.7.5.  SIG_ALG_ECDSA-256

   This algorithm RFC 5374 specifies a key rollover method that
   requires two values be given it from the 256-bit Random ECP Group, as described
   in [RFC5903]. group key management
   protocol.  The format of the signature in ACTIVATION_TIME_DELAY attribute allows a GCKS to set
   the SIG payload MUST Activation Time Delay (ATD) for SAs generated from TEKs.  The ATD
   defines how long after receiving new SAs that they are to be
   as specified in [RFC4754].

5.3.7.6.  SIG_ALG_ECDSA-384

   This algorithm specifies
   activated by the 384-bit Random ECP Group, as described GM.  The ATD value is in [RFC5903]. seconds.

   The format of DEACTIVATION_TIME_DELAY allows the signature in GCKS to set the SIG payload MUST be
   as specified in [RFC4754].

5.3.7.7.  SIG_ALG_ECDSA-521

   This algorithm specifies Deactivation
   Time Delay (DTD) for previously distributed SAs.  The DTD defines how
   long after receiving new SAs that it should deactivate SAs that are
   destroyed by the 521-bit Random ECP Group, as described re-key event.  The value is in [RFC5903]. seconds.

   The format values of ATD and DTD are independent.  However, the signature in the SIG payload MUST DTD value
   should be
   as specified in [RFC4754].

5.3.8.  SIG_KEY_LENGTH larger, which allows new SAs to be activated before older
   SAs are deactivated.  Such a policy ensures that protected group
   traffic will always flow without interruption.

5.4.2.  SENDER_ID_REQUEST

   The SIG_KEY_LENGTH class specifies SENDER_ID_REQUEST attribute is used by a group member to request
   SIDs during the length GROUPKEY-PULL message, and includes a count of the SIG how
   many SID values it desires.

5.5.  SA TEK Payload

   The SA TEK (SAT) payload key
   in bits.

5.4.  Group Associated Policy

   RFC 3547 provides contains security attributes for a single
   TEK associated with a group.

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       ! Next Payload  !   RESERVED    !         Payload Length        !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       ! Protocol-ID   !       TEK Protocol-Specific Payload           ~
       +-+-+-+-+-+-+-+-+                                               ~
       ~                                                               ~
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!

   The SAT Payload fields are defined as follows:

   o Next Payload (1 octet) -- Identifies the distribution of policy in next payload for the
   GROUPKEY-PULL
   exchange in an SA payload.  Policy can define or the GROUPKEY-PUSH policy
   (SA KEK) message.  The only valid next
   payload types for this message are another SAT Payload or traffic encryption policy (SA TEK) such as IPsec policy.
   There is a need zero to distribute group policy that fits into neither
   category.  Some
   indicate there are no more security association attributes.

   o RESERVED (1 octet) -- Must be zero.

   o Payload Length (2 octets) -- Length of this policy is generic to the group, and some is
   sender-specific policy for a particular group member.

   GDOI distributes this associated group policy in a new payload called
   the SA Group Associated Policy (SA GAP).  The SA GAP payload follows
   any SA KEK payload, and is placed before any SA including the
   TEK payloads.  In Protocol-Specific Payload.

   o Protocol-ID (1 octet) -- Value specifying the
   case that group policy does not include an SA KEK, Security Protocol.
   The following table defines values for the SA Attribute
   Next Security Protocol
             Protocol ID                       Value
             -----------                       -----
             RESERVED                            0
             GDOI_PROTO_IPSEC_ESP                1
             GDOI_PROTO_IPSEC_AH                TBD-5
             Standards Action                   3-127
             Private Use                      128-255

   o TEK Protocol-Specific Payload field in (variable) -- Payload which describes
   the SA payload MAY indicate attributes specific for the SA GAP payload. Protocol-ID.

5.5.1.  GDOI_PROTO_IPSEC_ESP/GDOI_PROTO_IPSEC_AH

   The SA GAP TEK Protocol-Specific payload for ESP and AH is defined as follows:

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       ! Next Payload    Protocol   !   RESERVED  SRC ID Type  !        Payload Length         SRC ID Port           !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       !SRC ID Data Len!          SRC Identification Data              ~
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       ! DST ID Type   !         DST ID Port           !DST ID Data Len!
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       ! DST Identification Data                                       ~
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       ! Transform ID  !                        SPI                    !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       !               Group Associated Policy      SPI      !       RFC 2407 SA Attributes                  ~
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!

   The SA GAP payload SAT Payload fields are defined as follows:

   o  Next Payload Protocol (1 octet) -- Identifies the next payload present in
      the GROUPKEY-PULL or the GROUPKEY-PUSH message.  The only valid
      next payload type for this message is Value describing an SA TEK or IP protocol ID (e.g.,
   UDP/TCP).  A value of zero to
      indicate there are no more security association attributes. means that the Protocol field should be
   ignored.

   o  RESERVED SRC ID Type (1 octet) -- Must be zero.

   o  Payload Length (2 octets) -- Length of this payload, including the
      SA GAP header and Attributes.

   o  Group Associated Policy Attributes (variable) -- Contains
      attributes following the format defined in Section 3.3 of RFC
      2408.

   Several group associated policy attributes are defined in this memo.
   An GDOI implementation MUST abort if it encounters and attribute or
   capability that it does not understand.

5.4.1.  ACTIVATION_TIME_DELAY

   This attribute allows a GCKS to set the Activation Time Delay for SAs
   generated from TEKs.  The value is in seconds.

5.4.2.  DEACTIVATION_TIME_DELAY

   This attribute allows a GCKS to set Value describing the Deactivation Time Delay for
   SAs generated from TEKs.  The value is identity information
   found in seconds.  The values of
   Activation Time Delay and Deactivation Time Delay are independant.
   However, the Deactivation Time Delay vaue should be larger, which
   allows new SAs to be activated before older SAs are deactivated.
   Such a policy ensures that protected group traffic will always flow
   without interruption.

5.4.3.  SENDER_ID

   Several new AES counter-based modes of operation have been specified
   for ESP [RFC3686],[RFC4106],[RFC4309],[RFC4543] and AH [RFC4543].
   These AES counter-based modes require that no two senders the SRC Identification Data field.  Defined values are
   specified by the IPsec Identification Type section in the
   group ever send IANA
   isakmpd-registry [ISAKMP-REG].

   o SRC ID Port (2 octets) -- Value specifying a packet port associated with
   the same IV.  This requirement is met
   using source Id.  A value of zero means that the method described in
   [I-D.ietf-msec-ipsec-group-counter-modes], which requires each sender
   to SRC ID Port field
   should be allocated a unique Sender ignored.

   o SRC ID (SID).  The SENDER_ID attribute is
   used to distribute an SID Data Len (1 octet) -- Value specifying the length of the SRC
   Identification Data field.

   o SRC Identification Data (variable length) -- Value, as indicated by
   the SRC ID Type.  Set to three bytes of zero for multiple-source
   multicast groups that use a group member during the GROUPKEY-PULL
   message.  Other algorithms with common TEK for all senders.

   o DST ID Type (1 octet) -- Value describing the same need may be defined identity information
   found in the
   future; the sender MUST use DST Identification Data field.  Defined values are
   specified by the IV construction method described
   above with those algorithms as well.

   The SENDER_ID attribute value contains IPsec Identification Type section in the following fields.

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       !   SID Length  !                    SID Value                  ~
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! IANA
   isakmpd-registry [ISAKMP-REG].

   o  SID Length DST ID Prot (1 octet) -- A natural number defining Value describing an IP protocol ID (e.g.,
   UDP/TCP).  A value of zero means that the DST Id Prot field should be
   ignored.

   o DST ID Port (2 octets) -- Value specifying a port associated with
   the number source Id.  A value of
      bits to be used in zero means that the SID DST ID Port field of
   should be ignored.

   o DST ID Data Len (1 octet) -- Value specifying the counter mode transform
      nonce.  The length of the SID is chosen DST
   Identification Data field.

   o DST Identification Data (variable length) -- Value, as indicated by
   the GCKS administrator
      based on the counter-based mode specification and the number of
      expected group members.  In accordance with
      [I-D.ietf-msec-ipsec-group-counter-modes] an implementation MUST
      support values of 8, 12, and 16. DST ID Type.

   o  SID Value (variable) -- The Sender Transform ID value allocated to the group
      member.

5.4.3.1.  GCKS Semantics

   The GCKS maintains a SID counter (SIDC).  It is incremented each time
   a SENDER_ID attribute (1 octet) -- Value specifying which ESP or AH
   transform is distributed to a group member. be used.  The first
   group member to register is given the SID list of 1.

   Any group member registering will be given a new SID value, which
   allows group members to act as a group sender when an older SID value
   becomes unusable (as described in the next section).

   A GCKS MAY allocate multiple SID valid values is defined in one SA GAP payload.
   Allocating several SID values at the same time to a group member
   expected to send at a high rate would obviate
   IPsec ESP or IPsec AH Transform Identifiers section of the need IANA
   isakmpd-registry [ISAKMP-REG].

   o SPI (4 octets) -- Security Parameter Index for ESP.

   o RFC 2407 Attributes -- ESP and AH Attributes from RFC 2407 Section
   4.5.  The GDOI supports all IPsec DOI SA Attributes for
   GDOI_PROTO_IPSEC_ESP and GDOI_PROTO_IPSEC_AH excluding the group
   member to re-register as frequently.

   If Group
   Description (section 4.5 of [RFC2407], which MUST NOT be sent by a GCKS allocates all SID values, it can no longer respond to
   GDOI
   registrations implementation and must re-initialize the entire group.  This is done ignored by including Delete Payload for all ESP and AH SAs in a GDOI rekey
   message, resetting the SIDC to zero, and creating new implementation if
   received.  The following attributes MUST be supported by an
   implementation supporting ESP and AH SAs
   that match AH: SA Life Type, SA Life Duration,
   Encapsulation Mode.  An implementation supporting ESP must also
   support the group policy.  When group members re-register, Authentication Algorithm attribute if the
   SIDs are allocated again beginning with ESP transform
   includes authentication/ The Authentication Algorithm attribute of
   the value 1 as described
   above.  Each re-registering IPsec DOI is group member will be given a new SID and authentication in GDOI.

5.5.1.1.  New IPsec Security Association Attributes

   The Multicast Extensions to the Security Architecture for the
   Internet Protocol (RFC 5374) introduces new requirements for a group
   key management system distributing IPsec policy.

   The SENDER_ID attribute MUST NOT be sent  It also defines new
   attributes as part of a GROUPKEY-PUSH
   message, because distributing the same sender-specific Group Security Policy Database (GSPD).
   These attributes describe policy that a group key management system
   must convey to more
   than one a group member may reduce the security of the group.

5.4.3.2.  Group Member Semantics

   The SENDER_ID attribute value distributed in order to support those extensions.
   The GDOI SA TEK payload distributes IPsec policy using IPsec security
   association attributes defined in [ISAKMP-REG].  This section defines
   how GDOI can convey the group member MUST be
   used by that group member new attributes as IPsec Security Association
   Attributes.

5.5.1.1.1.  Address Preservation

   Applications use the Sender Identifier (SID) field
   portion of extensions in RFC 5374 to copy the IV.  The SID is used for all counter mode SAs
   distributed by IP addresses
   into the GCKS outer IP header when encapsulating an IP packet as an IPsec
   tunnel mode packet.  This allows an IP multicast packet to continue
   to be used for communications sent routed as a part
   of this group.

   When the Sender-Specific IV (SSIV) field IP multicast packet.  In order for any IPsec SA is
   exhausted, the GDOI group
   member MUST no longer act as a sender using its
   active SID.  The group member SHOULD re-register, during which time to appropriately set up the GSPD, the GCKS will issue a new SID must provide that
   policy to the group member.  The new SID
   replaces the existing SID used by this group member, and also resets
   the SSIV value to its starting value.  A

   Depending on group member MAY re-register
   prior to the actual exhaustion policy, several address preservation methods are
   possible: no address preservation ("None"), preservation of the SSIV field to avoid dropping
   data packets due to
   original source address ("Source-Only"), preservation of the exhaustion original
   destination address ("Destination-Only"), or both addresses ("Source-
   And-Destination").  The IANA Considerations section of available SSIV values combined
   with a particular SID value.

   A group member MUST NOT process a SENDER_ID this memo adds
   the "Address Preservation" security association attribute.  If this
   attribute present is not included in a
   GROUPKEY-PUSH message.

5.5. GDOI SA TEK payload provided by a
   GCKS, then Source-And-Destination address preservation has been
   defined for the SA TEK.

5.5.1.1.2.  SA Direction

   Depending on group policy, an IPsec SA created from an SA TEK payload
   may be required in one or both directions.  SA TEK Payload

   The policy used by
   multiple senders is required to be installed in both the sending and
   receiving direction ("Symmetric"), whereas SA TEK (SAT) payload contains security attributes for a single
   TEK associated with a group.

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       ! Next Payload  !   RESERVED    !         Payload Length        !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       ! Protocol-ID   !       TEK Protocol-Specific Payload           ~
       +-+-+-+-+-+-+-+-+                                               ~
       ~                                                               ~
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! sender
   should only be installed in the receiving direction by receivers
   ("Receiver-Only") and in the sending direction by the sender
   ("Sender-Only").  The SAT Payload fields are defined as follows:

   o Next Payload (1 octet) -- Identifies IANA Considerations section of this memo adds
   the next "SA Direction" security association attribute.

   An SA TEK payload for that does not include the
   GROUPKEY-PULL or SA Direction attribute is
   treated as a Symmetric IPsec SA.  Note that unless Symmetric may be
   the only value that can be meaningfully described for an SA TEK
   distributed in an GROUPKEY-PUSH message.  The only valid next
   payload types  Alternatively, Receiver-
   Only could be distributed, but group senders would need to be
   configured to not receive GROUPKEY-PUSH messages in order to retain
   their role.

5.5.2.  Other Security Protocols

   Besides ESP and AH, GDOI should serve to establish SAs for this message secure
   groups needed by other Security Protocols that operate at the
   transport, application, and internetwork layers.  These other
   Security Protocols, however, are another SAT Payload in the process of being developed or zero
   do not yet exist.

   The following information needs to
   indicate there are no more security association attributes.

   o RESERVED (1 octet) -- Must be zero.

   o Payload Length (2 octets) -- Length of this payload, including provided for a Security
   Protocol to the
   TEK Protocol-Specific Payload. GDOI.

   o  The Protocol-ID (1 octet) -- Value specifying for the particular Security Protocol. Protocol

   o  The following table defines values SPI Size

   o  The method of SPI generation

   o  The transforms, attributes and keys needed by the Security
      Protocol

   All Security Protocols must provide the information in the bulleted
   list above to guide the GDOI specification for that protocol.
   Definitions for the support of those Security Protocols in GDOI will
   be specified in separate documents.

   A Security Protocol MAY protect traffic at any level of the network
   stack.  However, in all cases applications of the Security Protocol ID                       Value
             -----------                       -----
             RESERVED                            0
             GDOI_PROTO_IPSEC_ESP                1
             GDOI_PROTO_IPSEC_AH                TBD-5
             RESERVED                           3-127
             Private Use                      128-255

   o TEK Protocol-Specific
   MUST protect traffic which MAY be shared by more than two entities.

5.6.  Key Download Payload (variable) --

   The Key Download Payload which describes contains group keys for the group specified
   in the SA Payload.  These key download payloads can have several
   security attributes specific for applied to them based upon the Protocol-ID.

5.5.1.  GDOI_PROTO_IPSEC_ESP/GDOI_PROTO_IPSEC_AH

   The TEK Protocol-Specific payload for ESP and AH is security policy of
   the group as follows: defined by the associated SA Payload.

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       !    Protocol   !  SRC ID Type  !         SRC ID Port           !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       !SRC ID Data Len!          SRC Identification Data              ~
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       ! DST ID Type   !         DST ID Port           !DST ID Data Len! 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       ! DST Identification Data                                       ~
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! Next Payload  ! Transform ID   RESERVED    !                        SPI         Payload Length        !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       !      SPI Number of Key Packets         !       RFC 2407 SA Attributes            RESERVED2          !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       ~                    Key Packets                                ~
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!

   The SAT Key Download Payload fields are defined as follows:

   o Protocol (1 octet) -- Value describing an IP protocol ID (e.g.,
   UDP/TCP).  A value of zero means that the Protocol field should be
   ignored.

   o SRC ID Type (1 octet) -- Value describing the identity information
   found in the SRC Identification Data field.  Defined values are
   specified by the IPsec Identification Type section in the IANA
   isakmpd-registry [ISAKMP-REG].

   o SRC ID Port (2 octets) -- Value specifying a port associated with
   the source Id.  A value of zero means that the SRC ID Port field
   should be ignored.

   o SRC ID Data Len Next Payload (1 octet) -- Value specifying the length of the SRC
   Identification Data field.

   o SRC Identification Data (variable length) -- Value, as indicated by
   the SRC ID Type.  Set to three bytes of zero for multiple-source
   multicast groups that use a common TEK Identifier for all senders.

   o DST ID Type (1 octet) -- Value describing the identity information
   found in the DST Identification Data field.  Defined values are
   specified by the IPsec Identification Type section in the IANA
   isakmpd-registry [ISAKMP-REG].

   o DST ID Prot (1 octet) -- Value describing an IP protocol ID (e.g.,
   UDP/TCP).  A value of zero means that the DST Id Prot field should be
   ignored.

   o DST ID Port (2 octets) -- Value specifying a port associated with the source Id.  A value payload type of zero means that the DST ID Port
   next payload in the message.  If the current payload is the last in
   the message, then this field
   should will be ignored. zero.

   o DST ID Data Len RESERVED (1 octet) -- Value specifying Unused, set to zero.

   o Payload Length (2 octets) -- Length in octets of the length current
   payload, including the generic payload header.

   o Number of Key Packets (2 octets) -- Contains the DST
   Identification Data field. total number of
   both TEK and Rekey arrays being passed in this data block.

   o DST Identification Data (variable length) Key Packets (variable) -- Value, as indicated by Several types of key packets are defined.
   Each Key Packet has the DST ID Type. following format.

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       !   KD Type     !   RESERVED    !            KD Length          !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       !    SPI Size   !                   SPI (variable)              ~
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       ~                    Key Packet Attributes                      ~
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!

   o Transform ID Key Download (KD) Type (1 octet) -- Identifier for the Key Data
   field of this Key Packet.

                          Key Download Type        Value specifying which ESP or AH
   transform
                          -----------------        -----
                          RESERVED                   0
                          TEK                        1
                          KEK                        2
                          LKH                        3
                          SID                       TBD-7
                          Standards Action          4-127
                          Private Use             128-255

   "KEK" is to be used.  The list of valid values a single key whereas LKH is defined an array of key-encrypting keys.

   o RESERVED (1 octet) -- Unused, set to zero.

   o Key Download Length (2 octets) -- Length in octets of the Key
   Packet data, including the
   IPsec ESP or IPsec AH Transform Identifiers section Key Packet header.

   o SPI Size (1 octet) -- Value specifying the length in octets of the IANA
   isakmpd-registry [ISAKMP-REG].
   SPI as defined by the Protocol-Id.

   o SPI (4 octets) (variable length) -- Security Parameter Index for ESP.

   o RFC 2407 Attributes -- ESP and AH Attributes from RFC 2407 Section
   4.5.  The GDOI supports all IPsec DOI SA Attributes for
   GDOI_PROTO_IPSEC_ESP and GDOI_PROTO_IPSEC_AH excluding the Group
   Description (section 4.5 of [RFC2407], which MUST NOT be sent by a
   GDOI implementation and is ignored by matches a GDOI implementation if
   received.  The following attributes MUST be supported by
   SPI previously sent in an
   implementation supporting ESP and AH: SA Life Type, SA Life Duration,
   Encapsulation Mode.  An implementation supporting ESP must also
   support the Authentication Algorithm attribute if the ESP transform
   includes authentication/ SAK or SAT Payload.

   o Key Packet Attributes (variable length) -- Contains Key
   information.  The Authentication Algorithm attribute format of
   the IPsec DOI this field is group authentication in GDOI.

5.5.1.1.  Harmonization with RFC 5374

   The Multicast Extensions specific to the Security Architecture for value of
   the
   Internet Protocol (RFC 5374) introduces new requirements for a group
   key management system distributing IPsec policy. KD Type field.  The following sections describe new GDOI requirements that result from harmonizing
   with that document.

5.5.1.1.1.  Group Security Policy Database Attributes

   RFC 5374 describes new attributes as part of the Group Security
   Policy Database (GSPD).  These attributes describe policy that a
   group key management system must convey to a group member in order to
   support those extensions. format of
   each KD Type.

5.6.1.  TEK Download Type

   The GDOI SA following attributes may be present in a TEK Download Type.
   Exactly one attribute matching each type sent in the SAT payload distributes IPsec
   policy using IPsec security association MUST
   be present.  The attributes must follow the format defined in
   [ISAKMP-REG].  This section defines how GDOI can convey ISAKMP
   (Section 3.3 of [RFC2408]).  In the new table, attributes defined as IPsec Security Association Attributes.

5.5.1.1.2.  Address Preservation

   Applications use the extensions in RFC 5374 to copy the IP addresses
   into the outer IP header when encapsulating an IP packet TV
   are marked as an IPsec
   tunnel mode packet.  This allows an IP multicast packet to continue
   to be routed Basic (B); attributes defined as TLV are marked as
   Variable (V).

                TEK Class                 Value      Type
                ---------                 -----      ----
                RESERVED                     0
                TEK_ALGORITHM_KEY            1        V
                TEK_INTEGRITY_KEY            2        V
                TEK_SOURCE_AUTH_KEY          3        V
                Standards Action            4-127
                Private Use               128-255
                Unassigned                256-32767

   If no TEK key packets are included in a IP multiast packet.  In order for Registration KD payload, the GDOI
   group member can expect to appropriately set up the GSPD, the GCKS must provide that
   policy to the group member.

   Depending on group policy, several address preservation methods are
   possible: no address preservation ("None"), preservation of the
   original source address ("Source-Only"), preservation of the original
   destination address ("Destination-Only"), or both addresses ("Source-
   And-Destination").  This memo adds receive the "Address Preservation"
   security association attribute.  If this attribute is not included in
   a GDOI SA TEK payload provided by as part of a GCKS, then Source-And-Destination
   address preservation has been defined for the SA TEK.

5.5.1.1.3.  SA Direction

   Depending on group policy, an IPsec SA created from an SA Re-key SA.
   At least one TEK payload must be included in each Re-key KD payload.
   Multiple TEKs may be required in one or both directions.  SA TEK policy used by included if multiple senders is required streams associated with the
   SA are to be installed rekeyed.

   When an algorithm specification specifies the format of the keying
   material, the value transported in both the sending and
   receiving direction ("Symmetric"), whereas SA TEK KD payload for that key is
   passed according to that specification.  The keying material may
   contain information besides a single sender
   should only be installed key.  For example, The Use of Galois/
   Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP)
   [RFC4106] defines a salt value as part of KEYMAT.

5.6.1.1.  TEK_ALGORITHM_KEY

   The TEK_ALGORITHM_KEY class declares that the receiving direction by receivers
   ("Receiver-Only") and in encryption key for this
   SPI is contained as the sending direction by Key Packet Attribute.  The encryption
   algorithm that will use this key was specified in the sender
   ("Sender-Only").  This memo adds SAT payload.

   In the "SA Direction" security
   association attribute.  If case that the attribute is not algorithm requires multiple keys (e.g., 3DES),
   all keys will be included in a GDOI SA
   TEK payload, then the IPsec SA is treated as a Symmetric IPsec SA.

5.5.1.1.4.  Re-key rollover

   Section 4.2.1 one attribute.

   DES keys will consist of RFC 5374 specifies a 64 bits (the 56 key rollover method bits with parity bit).
   Triple DES keys will be specified as a single 192 bit attribute
   (including parity bits) in the order that
   requires two values the keys are to be given it from used for
   encryption (e.g., DES_KEY1, DES_KEY2, DES_KEY3).

5.6.1.2.  TEK_INTEGRITY_KEY

   The TEK_INTEGRITY_KEY class declares that the integrity key for this
   SPI is contained as the group key management
   protocol. Key Packet Attribute.  The Activation Time Delay (ATD) attribute allows integrity
   algorithm that will use this key was specified in the GCKS SAT payload.
   Thus, GDOI assumes that both the symmetric encryption and integrity
   keys are pushed to specify how long after the start member.  HMAC-SHA1 keys will consist of 160
   bits[RFC2404], HMAC-MD5 keys will consist of 128 bits[RFC2403].
   HMAC-SHA2 and AES-GMAC keys will have a re-key event key length equal to the
   output length of the hash functions [RFC4868][RFC4543].

5.6.1.3.  TEK_SOURCE_AUTH_KEY

   The TEK_SOURCE_AUTH_KEY class declares that a group
   member the source authentication
   key for this SPI is to activate new TEKs. contained in the Key Packet Attribute.  The Deactivation Time Delay (DTD)
   source authentication algorithm that will use this key was specified
   in the SAT payload.

5.6.2.  KEK Download Type

   The following attributes may be present in a KEK Download Type.
   Exactly one attribute allows matching each type sent in the GCKS to specify how long after SAK payload MUST
   be present.  The attributes must follow the start format defined in ISAKMP
   (Section 3.3 of a
   re-key event that a group member is to deactivate existing TEKs.

   This memo adds new [RFC2408]).  In the table, attributes by which a GCKS can relay these values
   to group members defined as part of TV
   are marked as Basic (B); attributes defined as TLV are marked as
   Variable (V).

                KEK Class                 Value      Type
                ---------                 -----      ----
                RESERVED                     0
                KEK_ALGORITHM_KEY            1        V
                SIG_ALGORITHM_KEY            2        V
                Standards Action            3-127
                Private Use               128-255
                Unassigned                256-32767

   If the KEK key packet is included, there MUST be only one present in
   the KD payload.

5.6.2.1.  KEK_ALGORITHM_KEY

   The KEK_ALGORITHM_KEY class declares the Group Associated Policy described in
   Section 5.

5.5.2.  Other Security Protocols

   Besides ESP and AH, GDOI should serve to establish SAs encryption key for secure
   groups needed by other Security Protocols that operate at this SPI
   is contained in the
   transport, application, and internetwork layers.  These other
   Security Protocols, however, are Key Packet Attribute.  The encryption algorithm
   that will use this key was specified in the process SAK payload.

   If the mode of being developed or
   do not yet exist.

   The following information needs to be provided operation for a Security
   Protocol to the GDOI.

   o algorithm requires an IV, an
   explicit IV MUST be included in the KEK_ALGORITHM_KEY before the
   actual key.

5.6.2.2.  SIG_ALGORITHM_KEY

   The Protocol-ID SIG_ALGORITHM_KEY class declares that the public key for this SPI
   is contained in the particular Security Protocol

   o Key Packet Attribute, which may be useful when no
   public key infrastructure is available.  The SPI Size

   o signature algorithm that
   will use this key was specified in the SAK payload.

5.6.3.  LKH Download Type

   The method LKH key packet is comprised of SPI generation

   o attributes representing different
   nodes in the LKH key tree.

   The transforms, following attributes and keys needed by are used to pass an LKH KEK array in the Security
      Protocol

   All Security Protocols KD
   payload.  The attributes must provide follow the information format defined in ISAKMP
   (Section 3.3 of [RFC2408]).  In the table, attributes defined as TV
   are marked as Basic (B); attributes defined as TLV are marked as
   Variable (V).

                KEK Class                 Value      Type
                ---------                 -----      ----
                RESERVED                     0
                LKH_DOWNLOAD_ARRAY           1        V
                LKH_UPDATE_ARRAY             2        V
                SIG_ALGORITHM_KEY            3        V
                Standards Action            4-127
                Private Use               128-255
                Unassigned                256-32767

   If an LKH key packet is included in the bulleted
   list above KD payload, there must be
   only one present.

5.6.3.1.  LKH_DOWNLOAD_ARRAY

   This attribute is used to guide the GDOI specification for that protocol.
   Definitions for the support download a set of those Security Protocols in GDOI will keys to a group member.
   It MUST NOT be specified in separate documents.

   A Security Protocol MAY protect traffic at any level of the network
   stack.  However, included in all cases applications of a GROUPKEY-PUSH message KD payload if the Security Protocol
   MUST protect traffic which MAY be shared by
   GROUPKEY-PUSH is sent to more than two entities.

5.6.  Key Download Payload

   The Key Download Payload contains group keys for the group specified member.  If an
   LKH_DOWNLOAD_ARRAY attribute is included in the SA Payload.  These key download payloads can have several
   security attributes applied to them based upon the security policy a KD payload, there must
   be only one present.

   This attribute consists of
   the group as defined a header block, followed by the associated SA Payload. one or more
   LKH keys.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       ! Next Payload
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !   RESERVED  LKH Version  !         Payload Length          # of LKH Keys        !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!  RESERVED     ! Number of Key Packets
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !            RESERVED2                             LKH Keys                          !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
      ~                    Key Packets                                                               ~
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   The Key Download Payload KEK_LKH attribute fields are defined as follows:

   o Next Payload (1 octet) -- Identifier for the payload type of the
   next payload in the message.  If the current payload is the last in
   the message, then this field will be zero.

   o RESERVED LKH version (1 octet) -- Unused, set to zero.

   o Payload Length (2 octets) -- Length in octets octet) -- Version of the current
   payload, including the generic payload header. LKH data format.  Must be
   one.

   o Number of Key Packets LKH Keys (2 octets) -- Contains This value is the total number of
   both TEK and Rekey arrays being passed
   distinct LKH keys in this data block. sequence.

   o Key Packets Several types of key packets are defined. RESERVED (1 octet) -- Unused, set to zero.  Each LKH Key
   Packet has the following format. is defined
   as follows:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !   KD             LKH ID            !    Key Type   !    RESERVED   !            KD Length          !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      ~                        Key Creation Date                      !    SPI Size
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      ~                       Key expiration Date                     !                   SPI (variable)
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      ~
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!                           Key Handle                          !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !                                                               !
      ~                            Key Packet Attributes Data                           ~
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   o LKH ID (2 octets) -- Identity of the LKH node.  A GCKS is free to
   choose the ID in an implementation-specific manner (e.g., the
   position of this key in a binary tree structure used by LKH).

   o Key Download (KD) Type (1 octet) -- Identifier Encryption algorithm for the Key Data
   field of which this Key Packet.

                          Key Download Type        Value
                          -----------------        -----
                          RESERVED                   0
                          TEK                        1
                          KEK                        2
                          LKH                        3
                          RESERVED                  4-127
                          Private Use             128-255

   "KEK" is a single key whereas LKH data
   is an array of key-encrypting keys. to be used.  This value is specified in Section 5.3.3.

   o RESERVED (1 octet) -- Unused, set to zero.

   o Key Download Length (2 Creation Date (4 octets) -- Length in octets Time value of the Key
   Packet data, including the Key Packet header.

   o SPI Size (1 octet) -- Value specifying the length in octets when this key data
   was originally generated.  A time value of the
   SPI as defined by the Protocol-Id.

   o SPI (variable length) -- Security Parameter Index zero indicates that there
   is no time before which matches a
   SPI previously sent in an SAK or SAT Payload. this key is not valid.

   o Key Packet Attributes (variable length) Expiration Date (4 octets) -- Contains Key
   information.  The format Time value of when this field key is specific to the no
   longer valid for use.  A time value of
   the KD Type field.  The following sections describe the format of
   each KD Type.

5.6.1.  TEK Download Type

   The following attributes may be present in a TEK Download Type.
   Exactly one attribute matching each type sent in the SAT payload MUST
   be present.  The attributes must follow the format defined in ISAKMP
   (Section 3.3 of [RFC2408]).  In the table, attributes defined as TV
   are marked as Basic (B); attributes defined as TLV are marked as
   Variable (V).

                TEK Class                 Value      Type
                ---------                 -----      ----
                RESERVED                     0
                TEK_ALGORITHM_KEY            1        V
                TEK_INTEGRITY_KEY            2        V
                TEK_SOURCE_AUTH_KEY          3        V

   If no TEK zero indicates that this key packets are included in a Registration KD payload,
   does not have an expiration time.

   o Key Handle (4 octets) -- Value assigned by the
   group member can expect GCKS to receive the TEK as part of uniquely
   identify a Re-key SA.
   At least one TEK must be included in each Re-key KD payload.
   Multiple TEKs may be included if multiple streams associated with the
   SA are to be rekeyed.

   When key within an LKH ID.  Each new key distributed by the
   GCKS for this node will have a key handle identity distinct from
   previous or successive key handles specified for this node.

   o Key Data (variable length) -- Key data, which is dependent on the
   Key Type algorithm specification specifies for its format.  If the format mode of operation for the keying
   material, the value transported
   algorithm requires an IV, an explicit IV MUST be included in the KD payload for that key is
   passed according Key
   Data field prepended to that specification.  The keying material may
   contain information besides a the actual key.  For example,

   The Use of Galois/
   Counter Mode (GCM) Key Creation Date and Key expiration Dates MAY be zero.  This is
   necessary in IPsec Encapsulating Security Payload (ESP)
   [RFC4106] defines a salt value as part of KEYMAT.

5.6.1.1.  TEK_ALGORITHM_KEY the case where time synchronization within the group is
   not possible.

   The TEK_ALGORITHM_KEY class declares that first LKH Key structure in an LKH_DOWNLOAD_ARRAY attribute
   contains the encryption Leaf identifier and key for this
   SPI is contained as the Key Packet Attribute. group member.  The encryption
   algorithm that will use this rest
   of the LKH Key structures contain keys along the path of the key was specified tree
   in order from the SAT payload.

   In leaf, culminating in the case that group KEK.

5.6.3.2.  LKH_UPDATE_ARRAY

   This attribute is used to update the algorithm requires multiple keys (e.g., 3DES),
   all keys will for a group.  It is most
   likely to be included in one attribute.

   DES keys will consist of 64 bits (the 56 key bits with parity bit).
   Triple DES keys will be specified as a single 192 bit attribute
   (including parity bits) in the order that the keys are GROUPKEY-PUSH message KD payload to be used for
   encryption (e.g., DES_KEY1, DES_KEY2, DES_KEY3).

5.6.1.2.  TEK_INTEGRITY_KEY

   The TEK_INTEGRITY_KEY class declares that rekey
   the integrity key for this
   SPI is contained entire group.  This attribute consists of a header block,
   followed by one or more LKH keys, as the Key Packet Attribute.  The integrity
   algorithm that will use this key was specified defined in the SAT previous section.

   There may be any number of UPDATE_ARRAY attributes included in a KD
   payload.
   Thus, GDOI assumes that both the symmetric encryption and integrity
   keys are pushed to

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !  LKH Version  !          # of LKH Keys        !  RESERVED     !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !            LKH ID             !           RESERVED2           !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !                           Key Handle                          !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !                            LKH Keys                           !
      ~                                                               ~
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   o LKH version (1 octet) -- Version of the member.  HMAC-SHA1 keys will consist LKH data format.  Must be
   one.

   o Number of 160
   bits[RFC2404], HMAC-MD5 keys will consist LKH Keys (2 octets) -- Number of 128 bits[RFC2403].
   HMAC-SHA2 and AES-GMAC distinct LKH keys will have a in
   this sequence.

   o RESERVED (1 octet) -- Unused, set to zero.

   o LKH ID (2 octets) -- Node identifier associated with the key length equal used
   to encrypt the
   output length of first LKH Key.

   o RESERVED2 (2 octets) -- Unused, set to zero.

   o Key Handle (4 octets) -- Value assigned by the hash functions [RFC4868][RFC4543].

5.6.1.3.  TEK_SOURCE_AUTH_KEY

   The TEK_SOURCE_AUTH_KEY class declares that GCKS to uniquely
   identify the source authentication key for this SPI is contained in within the Key Packet Attribute.  The
   source authentication algorithm that will use this key was specified
   in LKH ID used to encrypt the SAT payload.

5.6.2.  KEK Download Type first LKH Key.

   The following attributes may be present in a KEK Download Type.
   Exactly one attribute matching each type sent LKH Keys are as defined in the SAK payload MUST
   be present. previous section.  The attributes must follow LKH Key
   structures contain keys along the format defined in ISAKMP
   (Section 3.3 path of [RFC2408]).  In the table, attributes defined as TV
   are marked as Basic (B); attributes defined as TLV are marked as
   Variable (V).

                KEK Class                 Value      Type
                ---------                 -----      ----
                RESERVED                     0
                KEK_ALGORITHM_KEY            1        V
                SIG_ALGORITHM_KEY            2        V

   If the KEK key packet is included, there MUST be only one present tree in order from
   the KD payload.

5.6.2.1.  KEK_ALGORITHM_KEY

   The KEK_ALGORITHM_KEY class declares LKH ID found in the encryption key for this SPI
   is contained LKH_UPDATE_ARRAY header, culminating in the Key Packet Attribute.
   group KEK.  The encryption algorithm
   that will use this Key Data field of each LKH Key is encrypted with the
   LKH key was specified preceding it in the SAK payload.

   If LKH_UPDATE_ARRAY attribute.  The first
   LKH Key is encrypted under the mode of operation for key defined by the algorithm requires an Initialization
   Vector (IV), an explicit IV MUST be included LKH ID and Key
   Handle found in the KEK_ALGORITHM_KEY
   before the actual key.

5.6.2.2. LKH_UPDATE_ARRAY header.

5.6.3.3.  SIG_ALGORITHM_KEY

   The SIG_ALGORITHM_KEY class declares that the public key for this SPI
   is contained in the Key Packet Attribute, which may be useful when no
   public key infrastructure is available.  The signature algorithm that
   will use this key was specified in the SAK payload.

5.6.3.  LKH

5.6.4.  SID Download Type

   The LKH key packet

   This attribute is comprised of attributes representing different
   nodes in the LKH key tree.

   The following attributes are used to pass an LKH KEK array in the KD
   payload.  The attributes must follow the format defined in ISAKMP
   (Section 3.3 of [RFC2408]).  In download one or more Sender-ID (SID) values
   for the table, attributes defined as TV
   are marked as Basic (B); attributes defined as TLV are marked as
   Variable (V).

                KEK exclusive use of a group member.

                SID Class                 Value      Type
                ---------                 -----      ----
                RESERVED                     0
                LKH_DOWNLOAD_ARRAY
                NUMBER_OF_SID_BITS           1        V
                LKH_UPDATE_ARRAY        B
                SID_VALUE                    2        V
                SIG_ALGORITHM_KEY            3        V
                RESERVED                    4-127
                Standards Action           3-128
                Private Use               128-255

   If an LKH key packet              129-255
                Unassigned               256-32767

   Because a SID value is included in intended for a single group member, the KD payload, there must SID
   Download type MUST NOT be
   only one present.

5.6.3.1.  LKH_DOWNLOAD_ARRAY distributed in a GROUPKEY_PUSH message
   distributed to multiple group members.

5.6.4.1.  NUMBER_OF_SID_BITS

   The NUMBER_OF_SID_BITS class declares how many bits of the cipher
   nonce in which to represent a SID value.  This value is applied to
   each SID value distributed in the SID Download.

5.6.4.2.  SID_VALUE

   The SID_VALUE class declares a single SID value for the exclusive use
   of the a group member.  Multiple SID_VALUE attributes MAY be included
   in a SID Download.

5.6.4.3.  Group Member Semantics

   The SID_VALUE attribute value distributed to the group member MUST be
   used by that group member as the SID field portion of the IV for all
   Data-Security SAs including a counter-based mode of operation
   distributed by the GCKS as a part of this group.

   When the Sender-Specific IV (SSIV) field for any Data-Security SA is
   exhausted, the group member MUST no longer act as a sender on that SA
   using its active SID.  The group member SHOULD re-register, at which
   time the GCKS will issue a new SID to the group member, along with
   either the same Data-Security SAs or replacement ones.  The new SID
   replaces the existing SID used by this group member, and also resets
   the SSIV value to its starting value.  A group member MAY re-register
   prior to download a set the actual exhaustion of keys the SSIV field to avoid dropping
   data packets due to the exhaustion of available SSIV values combined
   with a particular SID value.

   A group member.
   It member MUST NOT be included process an SID Download Type KD payload
   present in a GROUPKEY-PUSH message message.

5.6.4.4.  GCKS Semantics

   If any KD payload if the
   GROUPKEY-PUSH is sent to more than the group member.  If an
   LKH_DOWNLOAD_ARRAY attribute includes keying material that is included in associated with a
   counter-mode of operation, an SID Download Type KD payload, there must
   be only payload containing
   at least one present.

   This SID_VALUE attribute consists of a header block, followed by one or more
   LKH keys.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !  LKH Version  !          # of LKH Keys        !  RESERVED     !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !                             LKH Keys                          !
      ~                                                               ~
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ MUST be included.

   The KEK_LKH attribute fields are defined GCKS MUST NOT send the SID Download Type KD payload as follows:

   o LKH version (1 octet) -- Version part of a
   GROUPKEY-PUSH message, because distributing the LKH data format.  Must be
   one.

   o Number of LKH Keys (2 octets) -- This value is same sender-specific
   policy to more than one group member will reduce the number security of
   distinct LKH keys in this sequence.

   o RESERVED (1 octet) -- Unused, set to zero.  Each LKH Key the
   group.

5.7.  Sequence Number Payload

   The Sequence Number Payload (SEQ) provides an anti-replay protection
   for GROUPKEY-PUSH messages.  Its use is similar to the Sequence
   Number field defined
   as follows: in the IPsec ESP protocol [RFC4303].

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !             LKH ID            !    Key Type Next Payload  !   RESERVED    !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      ~                        Key Creation Date                      !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      ~                       Key expiration Date                     !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      ~                           Key Handle         Payload Length        !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !                      Sequence Number                          !
      ~                            Key Data                           ~
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   The Sequence Number Payload fields are defined as follows:

   o LKH ID (2 octets) Next Payload (1 octet) -- Identity Identifier for the payload type of the LKH node.  A GCKS
   next payload in the message.  If the current payload is free to
   choose the ID last in an implementation-specific manner (e.g.,
   the
   position of this key in a binary tree structure used by LKH).

   o Key Type (1 octet) -- Encryption algorithm for which message, then this key data
   is to field will be used.  This value is specified in Section 5.3.3. zero.

   o RESERVED (1 octet) -- Unused, set to zero.

   o Key Creation Date (4 Payload Length (2 octets) -- Time value Length in octets of when this key data
   was originally generated.  A time the current
   payload, including the generic payload header.  Must be a value of zero indicates that there
   is no time before which this key is not valid. 8.

   o Key Expiration Date Sequence Number (4 octets) -- Time This field contains a monotonically
   increasing counter value of when this key is no
   longer valid for use.  A time value of zero indicates that this key
   does not have an expiration time.

   o Key Handle (4 octets) -- Value assigned by the GCKS group.  It is initialized to uniquely
   identify a key within an LKH ID.  Each new key distributed zero by
   the
   GCKS for this node GCKS, and incremented in each subsequently-transmitted message.
   Thus the first packet sent for a given Rekey SA will have a key handle identity distinct from
   previous or successive key handles specified Sequence
   Number of 1.  The GDOI implementation keeps a sequence counter as an
   attribute for this node.

   o Key Data (variable length) -- Key data, which is dependent on the
   Key Type algorithm for its format.  If Rekey SA and increments the mode counter upon receipt of
   a GROUPKEY-PUSH message.  The current value of operation for the
   algorithm requires an Initialization Vector (IV), an explicit IV MUST sequence number
   must be included in the Key Data field prepended transmitted to group members as a part of the actual key. Registration SA
   payload.  A group member must keep a sliding receive window.  The Key Creation Date and Key expiration Dates MAY
   window must be zero.  This is
   necessary treated as in the case where time synchronization within the group is
   not possible. ESP protocol [RFC4303] Section
   3.4.3.

5.8.  Nonce

   The first LKH Key structure data portion of the Nonce payload (i.e., Ni_b and Nr_b included
   in an LKH_DOWNLOAD_ARRAY attribute
   contains the Leaf identifier HASHs) MUST be a value between 8 and key 128 bytes.

5.9.  Delete

   There are times the GCKS may want to signal to receivers to delete
   SAs, for example at the end of a broadcast.  Deletion of keys may be
   accomplished by sending an ISAKMP Delete payload (Section 3.15 of
   [RFC2408]) as part of a GDOI GROUPKEY-PUSH message.

   One or more Delete payloads MAY be placed following the SEQ payload
   in a GROUPKEY-PUSH message.  If a GCKS has no further SAs to send to
   group member. members, the SA and KD payloads MUST be omitted from the
   message.

   The rest following fields of the LKH Key structures contain keys along the path Delete Payload are further defined as
   follows:

   o The Domain of Interpretation field contains the key tree
   in order from the leaf, culminating GDOI DOI.

   o The Protocol-Id field contains TEK protocol id values defined in
   Section 5.5 of this document.  To delete a KEK SA, the group KEK.

5.6.3.2.  LKH_UPDATE_ARRAY

   This attribute is value of zero
   MUST be used to update as the keys for a group.  It is most
   likely to protocol id.  Note that only one protocol id
   value can be included defined in a GROUPKEY-PUSH message KD payload to rekey
   the entire group.  This attribute consists of Delete payload.  If a header block,
   followed by one or more LKH keys, as defined TEK SA and a KEK SA
   must be deleted, they must be sent in the previous section. different Delete payloads.

   There may be any number of UPDATE_ARRAY attributes included in circumstances where the GCKS may want to start over with
   a KD
   payload.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !  LKH Version  !          # of LKH Keys        !  RESERVED     !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !            LKH ID             !           RESERVED2           !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !                           Key Handle                          !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !                            LKH Keys                           !
      ~                                                               ~
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   o LKH version (1 octet) -- Version clean slate.  If the administrator is no longer confident in the
   integrity of the LKH data format.  Must be
   one.

   o Number group, the GCKS can signal deletion of LKH Keys (2 octets) -- Number all policy of distinct LKH keys in
   this sequence.

   o RESERVED (1 octet) -- Unused, set to zero.

   o LKH ID (2 octets) -- Node identifier associated
   a particular TEK protocol by sending a TEK with the key used a SPI value equal to encrypt
   zero in the first LKH Key.

   o RESERVED2 (2 octets) -- Unused, set to zero.

   o Key Handle (4 octets) -- Value assigned by delete payload.  For example, if the GCKS wishes to uniquely
   identify
   remove all the key within KEKs and all the LKH ID used TEKs in the group, the GCKS SHOULD
   send a delete payload with a spi of zero and a protocol_id of a TEK
   protocol_id value, followed by another delete payload with a spi of
   zero and protocol_id of zero, indicating that the KEK SA should be
   deleted.

6.  Algorithm Selection

   For GDOI implementations to encrypt interoperate, they must support one or
   more security algorithms in common.  This section specifies the first LKH Key.

   The LKH Keys
   security algorithm implementation requirements for standards-
   conformant GDOI implementations.  In all cases the choices are as defined
   intended to maintain at least 112 bits of security [SP.800-131].

   Algorithms not referenced in this section MAY be used.

6.1.  KEK

   These tables list the previous section.  The algorithm selections for values related to the
   KEK.
                Requirement   KEK Management Algorithm
                -----------   ---------------------
                SHOULD        LKH Key
   structures contain

                Requirement   KEK Algorithm (notes)
                -----------   ---------------------
                MUST          KEK_ALG_AES with 128-bit keys
                SHOULD NOT    KEK_ALG_DES  (1)

                Requirement   KEK Signature Hash Algorithm (notes)
                -----------   ------------------------------------
                MUST          SIG_HASH_SHA256
                SHOULD        SIG_HASH_SHA1 (2)
                SHOULD NOT    SIG_HASH_MD5 (3)

                Requirement   KEK Signature Algorithm (notes)
                -----------   -------------------------------
                MUST          SIG_ALG_RSA with 2048-bit keys along the path of the

   Notes:

   (1)  DES, with its small key tree in order from
   the LKH ID found in the LKH_UPDATE_ARRAY header, culminating in the
   group KEK. size and corresponding security strength
        is of questionable security for general use

   (2)  The Key Data field use of each LKH Key is encrypted SIG_HASH_SHA1 as a signature hash algorithm used with
        GROUPKEY-PUSH messages remains safe at the
   LKH key preceding it in the LKH_UPDATE_ARRAY attribute.  The first
   LKH Key is encrypted under the key defined by the LKH ID time of this writing,
        and Key
   Handle is a widely deployed signature hash algorithm.

   (3)  Although a real weakness with second preimage resistance with
        MD5 has not been found in the LKH_UPDATE_ARRAY header.

5.6.3.3.  SIG_ALGORITHM_KEY

   The SIG_ALGORITHM_KEY class declares that at the public key for time of this SPI
   is contained in writing, the Key Packet Attribute, which may security
        strength of MD5 has been shown to be useful when no
   public key infrastructure is available.  The signature algorithm that
   will rapidly declining over time
        and it's use this key was specified in the SAK payload.

5.7.  Sequence Number Payload should be understood and carefully weighed.

6.2.  TEK

   The Sequence Number Payload (SEQ) provides following table lists the requirements for Security Protocol
   support for an anti-replay protection implementation.

                Requirement   KEK Management Algorithm
                -----------   ---------------------
                MUST          GDOI_PROTO_IPSEC_ESP

7.  Security Considerations

   GDOI is a security association (SA) management protocol for GROUPKEY-PUSH groups of
   senders and receivers.  This protocol performs authentication of
   communicating protocol participants (Group Member, Group Controller/
   Key Server).  It provides confidentiality of key management messages,
   and it provides source authentication of those messages.  Its use  GDOI
   includes defenses against man-in-middle, connection hijacking,
   replay, reflection, and denial-of-service (DOS) attacks on unsecured
   networks.  GDOI assumes the network is similar to not secure and may be under
   the Sequence
   Number field defined in complete control of an attacker.

   GDOI assumes that the IPsec ESP protocol [RFC4303].

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      ! Next Payload  !   RESERVED    !         Payload Length        !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !                      Sequence Number                          !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   The Sequence Number Payload fields group members and GCKS are defined as follows:

   o Next Payload (1 octet) -- Identifier for secure even though
   the payload type network is insecure.  GDOI ultimately establishes keys among
   members of the
   next payload a group, which MUST be trusted to use those keys in an
   authorized manner according to group policy.  An GDOI entity
   compromised by an attacker may reveal the message.  If secrets necessary to
   eavesdrop on group traffic and/or take the current payload identity of a group
   sender, so host security is of the last in
   the message, then this field will utmost important once.  The latter
   threat could be zero.

   o RESERVED (1 octet) -- Unused, set to zero.

   o Payload Length (2 octets) -- Length mitigated by using source origin authentication in octets of the current
   payload, including
   the generic payload header.

   o Sequence Number (4 octets) -- This field contains a monotonically
   increasing counter value for Data-Security SAs (e.g., the group.  It use of RSA signatures [RFC4359] or
   TESLA [RFC4082]).  The choice of Data-Security SAs is initialized to zero by
   the GCKS, a matter of
   group policy and incremented in each subsequently-transmitted message.
   Thus is not within the first packet sent for a given Rekey SA will have a Sequence
   Number scope of this memo.

   There are three phases of 1.  The GDOI implementation keeps a sequence counter as described in this document: an
   attribute for
   ISAKMP Phase 1 protocol, the Rekey SA GROUPKEY-PULL exchange protected by the
   ISAKMP Phase 1 protocol, and increments the counter upon receipt of
   a GROUPKEY-PUSH message.  The current value of  Each phase
   is considered separately below.

7.1.  ISAKMP Phase 1

   GDOI uses the sequence number
   must be transmitted Phase 1 exchanges defined in [RFC2409] to group members protect the
   GROUPKEY-PULL exchange.  Therefore all security properties and
   considerations of those exchanges (as noted in [RFC2409]) are
   relevant for GDOI.

   GDOI may inherit the problems of its ancestor protocols [FS00], such
   as a part identity exposure, absence of unidirectional authentication, or
   stateful cookies [PK01].

7.1.1.  Authentication

   Authentication is provided via the Registration SA
   payload.  A group member must keep mechanisms defined in [RFC2409],
   namely Pre-Shared Keys or Public Key encryption.

7.1.2.  Confidentiality

   Confidentiality is achieved in Phase 1 through a sliding receive window. Diffie-Hellman
   exchange that provides keying material, and through negotiation of
   encryption transforms.

   The
   window must Phase 1 protocol will be treated as protecting encryption and integrity keys
   sent in the ESP protocol [RFC4303] Section
   3.4.3.

5.8.  Nonce GROUPKEY-PULL protocol.  The data portion strength of the Nonce payload (i.e., Ni_b and Nr_b included encryption
   used for Phase 1 SHOULD exceed that of the keys send in the HASHs) MUST be GROUPKEY-
   PULL protocol.

7.1.3.  Man-in-the-Middle Attack Protection

   A successful man-in-the-middle or connection-hijacking attack foils
   entity authentication of one or more of the communicating entities
   during key establishment.  GDOI relies on Phase 1 authentication to
   defeat man-in-the-middle attacks.

7.1.4.  Replay/Reflection Attack Protection

   In a value replay/reflection attack, an attacker captures messages between 8
   GDOI entities and 128 bytes.

5.9.  Delete

   There are times the GCKS may want subsequently forwards them to signal a GDOI entity.
   Replay and reflection attacks seek to receivers gain information from a
   subsequent GDOI message response or seek to delete
   SAs, for example at disrupt the end of a broadcast.  Deletion of keys may be
   accomplished by sending an ISAKMP Delete payload (Section 3.15 of
   [RFC2408]) as part operation of
   a GDOI GROUPKEY-PUSH message.

   One member or more Delete payloads MAY be placed following GCKS entity.  GDOI relies on the SEQ payload Phase 1 nonce
   mechanism in combination with a GROUPKEY-PUSH message.  If a GCKS has no further SAs to send hash-based message authentication
   code to
   group members, the SA and KD payloads MUST be omitted from the
   message.

   The following fields of protect against the Delete Payload are further defined as
   follows:

   o The Domain replay or reflection of Interpretation field contains the GDOI DOI.

   o The Protocol-Id field contains TEK protocol id values defined in
   Section 5.5 previous key
   management messages.

7.1.5.  Denial of this document.  To delete a KEK SA, the value Service Protection

   A denial of zero
   MUST be used as the protocol id.  Note that only one protocol id
   value can be defined in a Delete payload.  If a TEK SA and a KEK SA
   must be deleted, they must be sent in different Delete payloads.

   There may be circumstances where the GCKS may want service attacker sends messages to start over with a clean slate.  If GDOI entity to cause
   that entity to perform unneeded message authentication operations.
   GDOI uses the administrator Phase 1 cookie mechanism to identify spurious messages
   prior to cryptographic hash processing.  This is no longer confident in the
   integrity a "weak" form of
   denial of service protection in that the group, the GCKS GDOI entity must check for
   good cookies, which can signal deletion of all policy of
   a particular TEK protocol be successfully imitated by sending a TEK with sophisticated
   attacker.  The Phase 1 cookie mechanism is stateful, and commits
   memory resources for cookies.

7.2.  GROUPKEY-PULL Exchange

   The GROUPKEY-PULL exchange allows a SPI value equal to
   zero in the delete payload.  For example, if the GCKS wishes group member to
   remove all the KEKs request SAs and all
   keys from a GCKS.  It runs as a "phase 2" protocol under protection
   of the TEKs Phase 1 security association.

7.2.1.  Authentication

   Peer authentication is not required in the group, GROUPKEY-PULL protocol.
   It is running in the GCKS SHOULD
   send a delete payload with a spi context of zero and a protocol_id the Phase 1 protocol, which has
   previously authenticated the identity of a TEK
   protocol_id value, followed the peer.

   Message authentication is provided by another delete payload with a spi of
   zero and protocol_id of zero, indicating that HASH payloads in each message,
   where the KEK SA should be
   deleted.

6.  Algorithm Selection

   For GDOI implementations HASH is defined to interoperate, they must support one or
   more security algorithms be over SKEYID_a (derived in common.  This section specifies the
   security algorithm implementation requirements for standards-
   conformant GDOI implementations.  In Phase 1
   exchange), the ISAKMP Message-ID, and all cases payloads in the choices are
   intended to maintain at least 112 bits message.
   Because only the two endpoints of security [SP.800-131].

   Algorithms not referenced in the exchange know the SKEYID_a
   value, this section MAY be used.

6.1.  KEK

   These tables list provides confidence that the algorithm selections for values related to peer sent the
   KEK.
                Requirement   KEK Management Algorithm
                -----------   ---------------------
                SHOULD        LKH

                Requirement   KEK Algorithm (notes)
                -----------   ---------------------
                MUST          KEK_ALG_AES with 128-bit keys
                SHOULD NOT    KEK_ALG_DES  (1)

                Requirement   KEK Signature Hash Algorithm (notes)
                -----------   ------------------------------------
                MUST          SIG_HASH_SHA256
                SHOULD        SIG_HASH_SHA1 (2)
                SHOULD NOT    SIG_HASH_MD5 (3)

                Requirement   KEK Signature Algorithm (notes)
                -----------   -------------------------------
                MUST          SIG_ALG_RSA with 2048-bit keys

   Notes:

   (1)  DES, with its small key size and corresponding security strength message.

7.2.2.  Confidentiality

   Confidentiality is of questionable provided by the Phase 1 security for general use

   (2)  The use of SIG_HASH_SHA1 as association,
   after the manner described in [RFC2409].

7.2.3.  Man-in-the-Middle Attack Protection

   Message authentication (described above) includes a signature hash algorithm used with
        GROUPKEY-PUSH messages remains safe at secret known only
   to the time of this writing, group member and is a widely deployed signature hash algorithm.

   (3)  Although GCKS when constructing a real weakness with second preimage resistance with
        MD5 has HASH payload.  This
   prevents man-in-the-middle and connection-hijacking attacks because
   an attacker would not been found at be able to change the time of this writing, message undetected.

7.2.4.  Replay Protection

   A GROUPKEY-PULL message identifies its messages using a cookie pair
   from the security
        strength of MD5 has been shown to Phase 1 exchange that precedes it.  A GROUPKEY-PULL message
   with invalid cookies will be rapidly declining over time
        and it's use should discarded.  Therefore, GDOI messages
   that are not associated with a current GDOI session will be understood discarded
   without further processing.

   Replayed GDOI messages that are associated with a current GDOI
   session will be decrypted and carefully weighed.

6.2.  TEK authenticated.  The following table lists M-ID in the requirements for Security Protocol
   support for an implementation.

                Requirement   KEK Management Algorithm
                -----------   ---------------------
                MUST          GDOI_PROTO_IPSEC_ESP

7.  Security Considerations

   GDOI is HDR
   identifies a security association (SA) management protocol for groups session.  Replayed packets will be processed according
   to the state machine of
   senders and receivers.  Unlike that session.  Packets not matching that
   state machine will be discarded without processing.

7.2.5.  Denial of Service Protection

   GCKS implementations SHOULD keep a data security protocol, SA
   management includes record of recently received
   GROUPKEY-PULL messages (e.g., a key establishment protocol to securely
   establish keys at communication endpoints.  This protocol performs
   entity authentication hash of the GDOI member or Group Controller/Key
   Server (GCKS), it packet) and reject
   messages that have already been processed.  This provides confidentiality Denial of key management
   messages,
   Service and it provides source authentication Replay Protection of those previously sent messages.
   This protocol also uses best-known practices for defense against man-
   in-middle, connection hijacking, replay, reflection, and denial-of-
   service (DOS) attacks on unsecured networks [STS], [RFC2522],
   [SKEME].  GDOI assumes the network is not secure and may be under  An
   implementation MAY choose to rate-limit the
   complete control receipt of an attacker. GDOI assumes that messages
   in order to mitigate avoid overloading its computational resources.

   The GCKS SHOULD NOT perform any computationally expensive tasks
   before receiving a HASH with its own nonce included.  The GCKS MUST
   NOT update the host computer is secure even though group management state (e.g., LKH key tree, SID-
   counter) until it receives the third message in the network
   is insecure.  GDOI ultimately establishes keys among members of exchange with a
   group, which MUST be trusted to use those keys in
   valid HASH payload including its own nonce.

7.2.6.  Authorization

   A GCKS implementation SHOULD maintain an authorization list of
   authorized
   manner according to group policy. members.  Group members MUST specifically list each
   authorized GCKS in its Group Peer Authorization Database (GPAD)
   [RFC5374].

7.3.  GROUPKEY-PUSH Exchange

   The security of GDOI, therefore, GROUPKEY-PUSH exchange is as good as the degree a single message that allows a GCKS to
   send SAs and keys to which group members can members.  This is likely to be trusted sent to
   protect authenticators, encryption keys, decryption keys, and all
   members using an IP multicast group.  This message
   authentication keys.

   There are three phases of GDOI as described in this document: provides an
   ISAKMP Phase 1 protocol, a new exchange called GROUPKEY-PULL which is
   protected by the ISAKMP Phase 1 protocol,
   efficient rekey and group membership adjustment capability.

7.3.1.  Authentication

   The GROUPKEY-PULL exchange distributes a new public key that is used for
   message authentication.  The GROUPKEY-PUSH message called
   GROUPKEY-PUSH.  Each phase is considered separately below.

7.1.  ISAKMP Phase 1

   As described in this document, digitally
   signed using the corresponding private key held by the GCKS.  This
   digital signature provides source authentication for the message.
   Thus, GDOI uses protects the Phase 1 exchanges
   defined GCKS from impersonation in group
   environments.

7.3.2.  Confidentiality

   The GCKS encrypts the GROUPKEY-PUSH message with an encryption key
   that was distributed in [RFC2409] to protect the GROUPKEY-PULL exchange or a previous
   GROUPKEY-PUSH exchange.
   Therefore all security properties and considerations of those
   exchanges (as noted in [RFC2409]) are relevant for GDOI.

   GDOI  The encryption key may inherit be a simple KEK, or
   the problems result of its ancestor protocols [FS00], such
   as identity exposure, absence a group management method (e.g., LKH) calculation.

7.3.3.  Man-in-the-Middle Attack Protection

   This combination of unidirectional authentication, or
   stateful cookies [PK01].  GDOI could benefit, however, confidentiality and message authentication
   services protects the GROUPKEY-PUSH message from
   improvements man-in-middle and
   connection-hijacking attacks.

7.3.4.  Replay/Reflection Attack Protection

   The GROUPKEY-PUSH message includes a monotonically increasing
   sequence number to its ancestor protocols just as it benefits from years
   of experience protect against replay and work embodied in those protocols.  To reap reflection attacks.  A
   group member will discard sequence numbers associated with the
   current KEK SPI that have the same or lower value as the
   benefits most
   recently received replay number.

   Implementations SHOULD keep a record (e.g., a hash value) of future IKE improvements, however, GDOI would need recently
   received GROUPKEY-PUSH messages and reject duplicate messages prior
   to be
   revised in a future standards-track RFC, which is beyond performing cryptographic operations.  This enables an early
   discard of the scope replayed messages.

7.3.5.  Denial of
   this specification.

7.1.1.  Authentication

   Authentication is provided via Service Protection

   A cookie pair identifies the mechanisms defined in [RFC2409],
   namely Pre-Shared Keys or Public Key encryption.

7.1.2.  Confidentiality

   Confidentiality is achieved in Phase 1 through security association for the GROUPKEY-
   PUSH message.  The cookies thus serve as a Diffie-Hellman
   exchange that provides keying material, and through negotiation weak form of
   encryption transforms. denial-of-
   service protection for the GROUPKEY-PUSH message.

   The Phase 1 protocol will be protecting encryption digital signature used for message authentication has a much
   greater computational cost than a message authentication code and integrity keys
   sent in
   could amplify the GROUPKEY-PULL protocol. effects of a denial of service attack on GDOI
   members who process GROUPKEY-PUSH messages.  The strength added cost of
   digital signatures is justified by the encryption need to prevent GCKS
   impersonation: If a shared symmetric key were used for Phase 1 SHOULD exceed that of the keys send in the GROUPKEY-
   PULL protocol.

7.1.3.  Man-in-the-Middle Attack Protection

   A successful man-in-the-middle or connection-hijacking attack foils
   entity GROUPKEY-PUSH
   message authentication, then GCKS source authentication would be
   impossible and any member would be capable of one or more GCKS impersonation.

   The potential of the communicating entities
   during key establishment.  GDOI relies on Phase 1 authentication to
   defeat man-in-the-middle attacks.

7.1.4.  Replay/Reflection Attack Protection

   In a replay/reflection attack, an attacker captures messages between
   GDOI entities and subsequently forwards them to a GDOI entity.
   Replay and reflection attacks seek to gain information from digital signature amplifying a
   subsequent GDOI message response or seek to disrupt denial of service
   attack is mitigated by the operation order of operations a GDOI group member or GCKS entity.  GDOI relies on takes,
   where the Phase 1 nonce
   mechanism in combination with least expensive cryptographic operation is performed first.
   The group member first decrypts the message using a hash-based symmetric cipher.
   If it is a validly formed message authentication
   code to protect then the sequence number is checked
   against the replay or reflection of previous key
   management messages.

7.1.5.  Denial of Service Protection

   A window.  Only if the sequence number is valid is
   the digital signature verified.  Thus in order for a denial of
   service attack to be mounted, an attacker sends messages would need to know both the
   symmetric encryption key used for confidentiality, and a valid
   sequence number.  Generally speaking this means only current group
   members can effectively deploy a denial of service attack.

7.4.  Forward and Backward Access Control

   Through GROUPKEY-PUSH, the GDOI entity to cause supports group management methods
   such as LKH (section 5.4 of [RFC2627]) that entity to perform unneeded message authentication operations.
   GDOI uses have the Phase 1 cookie mechanism to identify spurious messages
   prior property of
   denying access to cryptographic hash processing.  This is a "weak" form of
   denial of service protection in that new group key by a member removed from the GDOI entity must check for
   good cookies, which can be successfully imitated group
   (forward access control) and to an old group key by a sophisticated
   attacker. member added to
   the group (backward access control).  The Phase 1 cookie mechanism is stateful, concepts "forward access
   control" and commits
   memory resources for cookies, "backward access control" have also been described as
   "perfect forward security" and "perfect backward security"
   respectively in the literature [RFC2627].

   Group management algorithms providing forward and backward access
   control other than LKH have been proposed in the literature,
   including OFT [OFT] and Subset Difference [NNL].  These algorithms
   could be used with GDOI, but stateless cookies are not specified as a better
   defense against denial part of service attacks.

7.2.  GROUPKEY-PULL Exchange

   The GROUPKEY-PULL exchange allows this
   document.

7.4.1.  Forward Access Control Requirements

   When group membership is altered using a group member to request management algorithm
   new Data-security SAs and
   keys from a GCKS.  It runs as are usually also needed.  New SAs ensure that
   members who were denied access can no longer participate in the
   group.

   If forward access control is a "phase 2" protocol under protection desired property of the Phase 1 security association.

7.2.1.  Authentication

   Peer authentication group, new
   Data-security SAs MUST NOT be included in a GROUPKEY-PUSH message
   which changes group membership.  This is not required in because the GROUPKEY-PULL protocol.
   It is running in new
   Data-security SAs are not protected with the context of new KEK.  Instead, two
   sequential GROUPKEY-PUSH messages must be sent by the Phase 1 protocol, which has
   previously authenticated GCKS; the identity of first
   changing the peer.

   Message authentication is provided by HASH payloads KEK, and the second (protected with the new KEK)
   distributing the new Data-security SAs.

   Note that in each message,
   where the HASH is defined above sequence, although the new KEK can effectively
   deny access to the group to some group members they will be over SKEYID_a (derived in able to
   view the Phase 1
   exchange), new KEK policy.  If forward access control policy for the ISAKMP Message-ID, and all payloads in
   group includes keeping the message.
   Because only KEK policy secret as well as the KEK
   itself secret, then two endpoints of the exchange know GROUPKEY-PUSH messages changing the SKEYID_a
   value, this provides confidence that KEK must
   occur before the peer sent new Data-security SAs are transmitted.

   If other methods of using LKH or other group management algorithms
   are added to GDOI, those methods MAY remove the above restrictions
   requiring multiple GROUPKEY-PUSH messages, providing those methods
   specify how forward access control policy is maintained within a
   single GROUPKEY-PUSH message.

7.2.2.  Confidentiality

   Confidentiality

7.4.2.  Backward Access Control Requirements

   If backward access control is provided by the Phase 1 security association,
   after a desired property of the manner described in [RFC2409].

7.2.3.  Man-in-the-Middle Attack Protection

   Message authentication (described above) includes group, a secret known only new
   member MUST NOT be given Data-security SAs that were used prior to it
   joining the group member and GCKS when constructing a HASH payload. group.  This
   prevents man-in-the-middle and connection-hijacking attacks because
   an attacker would not can be able to change accomplished if the message undetected.

7.2.4.  Replay/Reflection Attack Protection

   Nonces provide freshness of GCKS provides
   only the GROUPKEY-PULL exchange.  The group Rekey SA to the new member and GCKS exchange nonce values first two messages.  These
   nonces are included in subsequent HASH payload calculations.  The
   Group member and GCKS MUST NOT perform any computationally expensive
   tasks before receiving a HASH with its own nonce included. GROUPKEY-PULL exchange,
   followed by a GROUPKEY-PUSH message that both deletes current Data-
   security SAs, and provides new replacement Data-security SAs.  The GCKS
   MUST NOT update
   new group member will effectively join the group management state (e.g., LKH key tree) until
   it receives at such time as the third message in
   existing members begin sending on the exchange with a valid HASH
   payload including its own nonce.

   Implementations SHOULD keep Data-security SAs.

   If there is a record of recently received GROUPKEY-
   PULL messages and reject messages possibility that have already been processed.
   This enables an early discard of the replayed messages.

7.2.5.  Denial of Service Protection

   A GROUPKEY-PULL message identifies its new group member has stored
   GROUPKEY-PUSH messages using a cookie pair
   from delivered prior to joining the Phase 1 exchange that precedes it.  The cookies provide a
   weak form of denial of service protection as described above, in group, then the
   sense that a GROUPKEY-PULL message with invalid cookies will be
   discarded.

   The replay protection mechanisms described
   above provide the basis
   for denial of service protection.

7.2.6.  Authorization

   A procedure is not sufficient.  In this case, to achieve backward
   access control the GCKS implementation should maintain an authorization list of
   authorized needs to return a new Rekey SA to the group members.  Group members will specifically list each
   authorized GCKS
   member in its Group Peer Authorization Database (GPAD)
   [RFC5374].

7.3. a GROUPKEY-PULL exchange rather than the existing one.  The
   GCKS would subsequently deliver two GROUPKEY-PUSH Exchange messages.  The
   first, intended for existing group members, distributes the new
   Rekey-SA to existing members.  The GCKS would then deliver the second
   GROUPKEY-PUSH exchange is a single message using the new Rekey-SA that allows a GCKS both deletes
   current Data-security SAs, and provides new replacement Data-security
   SAs.  Both preexisting and new members would process the second
   GROUPKEY-PUSH message, and all would be able to
   send communicate using the
   new Data-security SAs.

7.5.  Derivation of keying material

   A GCKS distributes keying material associated with Data-Security SAs
   and keys to the Rekey SA.  Because these security associations are used by a
   set of group members.  This members, this keying material is likely to be sent not related to all
   members using an IP multicast group.  This provides an efficient
   rekey any pair
   wise connection, and group membership adjustment capability.

7.3.1.  Authentication

   The GROUPKEY-PULL exchange identifies a public key that there is used for
   message authentication. no requirement in The GROUPKEY-PUSH message Multicast Group
   Security Architecture [RFC3740] for group members to permute group
   keying material.  Because the GCKS is digitally
   signed using solely responsible for the corresponding private key held by
   generation of the keying material, the GCKS or its
   delegate.  This digital signature provides source authentication for MUST derive the message.  Thus, keying
   material using a strong random number generator.  Because there are
   no interoperability concerns with key generation, no method is
   prescribed in GDOI.

8.  IANA Considerations

   This memo requests IANA to make several additions to existing
   registries, and to add sever new GDOI protects registries.  When the GCKS from impersonation new
   registries are added, the following terms are to be applied as
   described in
   group environments.

7.3.2.  Confidentiality

   The GCKS encrypts the GROUPKEY-PUSH message with Guidelines for Writing an encryption key
   that was established by the GROUPKEY-PULL exchange.

7.3.3.  Man-in-the-Middle Attack Protection

   This combination of confidentiality IANA Considerations
   Section in RFCs [RFC5226]: Standards Action, and message authentication
   services protects the GROUPKEY-PUSH message Private Use.

8.1.  Additions to current registries

   The GDOI KEK Attribute named SIG_HASH_ALGORITHM [GDOI-REG] should be
   assigned several new Algorithm Type values from man-in-middle the RESERVED space to
   represent the SHA-256, SHA-384, and
   connection-hijacking attacks.

7.3.4.  Replay/Reflection Attack Protection SHA-512 hash algorithms as
   defined in [FIPS.180-2.2002].  The GROUPKEY-PUSH message includes a monotonically increasing
   sequence number to protect against replay new algorithm names should be
   SIG_HASH_SHA256, SIG_HASH_SHA384, and reflection attacks.  A
   group member will recognize a replayed message by comparing SIG_HASH_SHA512 respectively
   and have the
   sequence number to values of TBD-2, TBD-3, and TBD-4 respectively.

   The GDOI KEK Attributed named SIG_ALGORITHM [GDOI-REG] should be
   assigned a sliding window, in new Algorithm Type value from the same manner as RESERVED space to
   represent the ESP
   protocol uses sequence numbers.

   Implementations SHOULD keep a record of recently received GROUPKEY-
   PUSH messages RSA PSS encoding type.  The new algorithm name should
   be SIG_ALG_RSA_PSS, and reject duplicate messages.  This enables an early
   discard of has the replayed messages.

7.3.5.  Denial value of Service Protection TBD-6.

   A cookie pair identifies new GDOI SA TEK type Protocol-ID type [GDOI-REG] should be assigned
   from the security association for RESERVED space.  The new algorithm id should be called
   GDOI_PROTO_IPSEC_AH, refers to the GROUPKEY-
   PUSH message.  The cookies thus serve as IPsec AH encapsulation, and has a weak form
   value of denial-of-
   service protection for the GROUPKEY-PUSH message. TBD-5.

   A new Next Payload Type [ISAKMP-REG] should be assigned.  The digital signature used for message authentication new
   type is called "SA Group Associated Policy (GAP)", and has a much
   greater computational cost than a message authentication code and
   could amplify the effects value of
   TBD-1.

   A new Key Download Type Section 5.6 should be assigned.  The new type
   is called "SID", and has a denial value of service attack on TBD-7.

8.2.  New registries

   A new namespace should be created in the GDOI
   members who process GROUPKEY-PUSH messages. Payloads registry
   [GDOI-REG] to describe SA GAP Payload Values.  The added cost following rules
   apply to define the attributes in SA SSA Payload Values:

              Attribute Type         Value       Type
              ----                   -----       ----
              RESERVED                 0
              ACTIVATION_TIME_DELAY    1          B
              DEACTIVATION_TIME_DELAY  2          B
              SENDER_ID_REQUEST        3          B
              Standards Action        4-127
              Private Use           128-255
              Unassigned            256-32767

   A new IPsec Security Association Attribute [ISAKMP-REG] defining the
   preservation of
   digital signatures IP addresses is justified by the need to prevent GCKS
   impersonation: If a shared symmetric key were used for GROUPKEY-PUSH
   message authentication, then GCKS source authentication would be
   impossible needed.  The attribute class is
   called "Address Preservation", and any member would be capable of GCKS impersonation. it is a Basic type.  The potential of following
   rules apply to define the digital signature amplifying a denial values of service
   attack is mitigated by the order of operations a group member takes,
   where attribute:

              Name                      Value
              ----                      -----
              Reserved                  0
              None                      1
              Source-Only               2
              Destination-Only          3
              Source-And-Destination    4
              Standards Action         5-61439
              Private Use          61440-65535

   A new IPsec Security Association Attribute [ISAKMP-REG] defining the least expensive cryptographic operation
   SA direction is performed first. needed.  The group member first decrypts the message using a symmetric cipher.
   If attribute class is called "SA
   Direction", and it is a validly formed message then the sequence number is checked
   against Basic type.  The following rules apply to
   define the replay window.  Only if values of the sequence number is valid is attribute:

              Name                      Value
              ----                      -----
              Reserved                  0
              Sender-Only               1
              Receiver-Only             2
              Symmetric                 3
              Standards Action         4-61439
              Private Use          61440-65535

   When the digital signature verified.  Thus SID "Key Download Type" (described in order for a denial of
   service attack to be mounted, an attacker would need to know both the
   symmetric encryption key used for confidentiality, and a valid
   sequence number.  Generally speaking this means only current group
   members can effectively deploy previous section)
   has a denial set of service attack.

7.3.6.  Forward Access Control

   If a group management algorithm (such as LKH) is used, forward access
   control may not be ensured in some cases.  This can happen if some
   group members are denied access to attributes.  The attributes must follow the group format
   defined in ISAKMP (Section 3.3 of [RFC2408]).  In the same GROUPKEY-
   PUSH message table,
   attributes defined as new policy and TEKs TV are delivered to the group.  As
   discussed in Section 1.5.1, forward access control can be maintained
   by sending multiple GROUPKEY-PUSH messages, where the group
   membership changes marked as Basic (B); attributes defined
   as TLV are sent from the GCKS separate from the new
   policy and TEKs.

8.  IANA Considerations

   This memo requests IANA to make several additions to marked as Variable (V).

                SID Class                 Value      Type
                ---------                 -----      ----
                RESERVED                     0
                NUMBER_OF_SID_BITS           1        B
                SID_VALUE                    2        V
                Standards Action           3-128
                Private Use              129-255
                Unassigned               256-32767

8.3.  Cleanup of existing registries

   Several existing
   registries, and to add sever new GDOI registries.  When the new Payloads registries are added, do not use the following terms in RFC
   5226 and/or do not describe the entire range of possible values.  The
   following sections correct these registries.

8.3.1.  Pop Algorithm

   Values 4-127 are to be applied as
   described in the Guidelines for Writing an IANA Considerations
   Section in RFCs [RFC5226]: designated Standards Action, and Private Use.

8.1.  Additions Action.  Values 256-32767
   are to current registries

   The GDOI KEK Attribute named SIG_HASH_ALGORITHM [GDOI-REG] should be
   assigned several new Algorithm Type values from the RESERVED space added and designated Unassigned.

8.3.2.  KEK Attributes

   Values 9-127 are to
   represent the SHA-256, SHA-384, added and SHA-512 hash algorithms as
   defined in [FIPS.180-2.2002].  The new algorithm names should designated Standards Action.  Values
   128-255 are to be
   SIG_HASH_SHA256, SIG_HASH_SHA384, and SIG_HASH_SHA512 respectively added and have the values of TBD-2, TBD-3, designated Private Use. Values 256-32767
   are to be added and TBD-4 respectively.

   The GDOI KEK Attributed named SIG_ALGORITHM [GDOI-REG] should designated Unassigned.

8.3.3.  KEK_MANAGEMENT_ALGORITHM

   Values 2-127 are to be
   assigned a new Algorithm Type value from the RESERVED space designated Standards Action.  Values 256-65535
   are to
   represent the RSA PSS encoding type.  The new algorithm name should be SIG_ALG_RSA_PSS, added and has the value of TBD-6.

   A new GDOI SA TEK type Protocol-ID type [GDOI-REG] should be assigned
   from the RESERVED space.  The new algorithm id should designated Unassigned.

8.3.4.  KEK_ALGORITHM

   Values 4-127 are to be called
   GDOI_PROTO_IPSEC_AH, refers designated Standards Action.  Values 256-65535
   are to the IPsec AH encapsulation, and has a
   value of TBD-5.

   A new Next Payload Type [ISAKMP-REG] should be assigned.  The new
   type is called "SA Group Associated Policy (GAP)", added and designated Unassigned.

8.3.5.  SIG_HASH_ALGORITHM

   Values 3-127 are to be designated Standards Action.  Values 256-65535
   are to be added and has a value of
   TBD-1.

8.2.  New registries

   A new namespace should designated Unassigned.

8.3.6.  SIG_ALGORITHM

   Values 4-127 are to be created in the GDOI Payloads registry
   [GDOI-REG] designated Standards Action.  Values 256-65535
   are to describe be added and designated Unassigned.

8.3.7.  SA GAP TEK Payload Values.  The following rules
   apply Values

   Values 2-127 are to define the attributes in SA SSA Payload Values:

              Attribute Type         Value       Type
              ----                   -----       ----
              RESERVED                 0
              ACTIVATION_TIME_DELAY    1          B
              DEACTIVATION_TIME_DELAY  2          B
              SENDER_ID                3          V be designated Standards Action Action.

8.3.8.  Key Download Types

   Values 4-127
              Private Use are to be designated Standards Action.

8.3.9.  TEK Download Type

   Values 4-127 are to be added and designated Standards Action.  Values
   128-255

   A new IPsec Security Association Attribute [ISAKMP-REG] defining the
   preservation of IP addresses is needed.  The attribute class is
   called "Address Preservation", are to be added and it is a Basic type.  The following
   rules apply designated Private Use. Values 256-32767
   are to define the values of the attribute:

              Name                      Value
              ----                      -----
              Reserved                  0
              None                      1
              Source-Only               2
              Destination-Only          3
              Source-And-Destination    4 be added and designated Unassigned.

8.3.10.  KEK Download Type

   Values 3-127 are to be designated Standards Action         5-61439 Action.  Values 128-255
   are to be added and designated Private Use          61440-65535

   A new IPsec Security Association Attribute [ISAKMP-REG] defining the
   SA direction is needed.  The attribute class is called "SA
   Direction", Use. Values 256-32767 are to
   be added and it is a Basic type.  The following rules apply designated Unassigned.

8.3.11.  LKH Download Type

   Values 4-127 are to
   define the values of the attribute:

              Name                      Value
              ----                      -----
              Reserved                  0
              Sender-Only               1
              Receiver-Only             2
              Symmetric                 3 be designated Standards Action         4-61439
              Private Use          61440-65535 Action.  Values 256-32767
   are to be added and designated Unassigned.

9.  Acknowledgements

   This text updates RFC 3547, and the authors with wish to thank Mark
   Baugher and Hugh Harney for their extensive contributions. contributions that led to
   this updated version of GDOI.

   The authors are grateful to Catherine Meadows for her careful review
   and suggestions for mitigating the man-in-the-middle attack she had
   previously identified.  Yoav Nir and Vincent Roca provided many
   useful technical and editorial comments and suggestions for
   improvement.

10.  References

10.1.  Normative References

   [I-D.ietf-msec-ipsec-group-counter-modes]
              McGrew, D. and B. Weis, "Using Counter Modes with
              Encapsulating Security Payload (ESP) and Authentication
              Header (AH) to Protect Group Traffic",
              draft-ietf-msec-ipsec-group-counter-modes-06 (work in
              progress), September 2010.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC4302]  Kent, S., "IP Authentication Header", RFC 4302,
              December 2005.

   [RFC4303]  Kent, S., "IP Encapsulating Security Payload (ESP)",
              RFC 4303, December 2005.

   [RFC5374]  Weis, B., Gross, G., and D. Ignjatic, "Multicast
              Extensions to the Security Architecture for the Internet
              Protocol", RFC 5374, November 2008.

   [RFC6054]  McGrew, D. and B. Weis, "Using Counter Modes with
              Encapsulating Security Payload (ESP) and Authentication
              Header (AH) to Protect Group Traffic", RFC 6054,
              November 2010.

10.2.  Informative References

   [FIPS.180-2.2002]
              National Institute of Standards and Technology, "Secure
              Hash Standard", FIPS PUB 180-2, August 2002, <http://
              csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf>.

   [FIPS186-3]
              "Digital Signature Standard (DSS)", United States of
              America, National Institute of Science and
              Technology Federal Information Processing Standard (FIPS)
              186-2, June 2009.

   [FIPS197]  "Advanced Encryption Standard (AES)", United States of
              America, National Institute of Science and
              Technology Federal Information Processing Standard (FIPS)
              197, November 2001.

   [FIPS46-3]
              "Data Encryption Standard (DES)", United States of
              America, National Institute of Science and
              Technology Federal Information Processing Standard (FIPS)
              46-3, October 1999.

   [FIPS81]   "DES Modes of Operation", United States of America,
              National Institute of Science and Technology Federal
              Information Processing Standard (FIPS) 81, December 1980.

   [FS00]     Ferguson, N. and B. Schneier, Counterpane, "A
              Cryptographic Evaluation of IPsec",
              <http://www.counterpane.com/ipsec.html>.

   [GDOI-REG]
              Internet Assigned Numbers Authority, "Group Domain of
              Interpretation (GDOI) Payload Type Values", IANA Registry,
              December 2004,
              <http://www.iana.org/assignments/gdoi-payloads>.

   [HD03]     Hardjono, T. and L. Dondeti, "Multicast and Group
              Security", Artech House Computer Security Series, ISBN
              1-58053-342-6, 2003.

   [I-D.weis-gdoi-mac-tek]
              Weis, B. and S. Rowles, "GDOI Generic Message
              Authentication Code Policy", draft-weis-gdoi-mac-tek-01 draft-weis-gdoi-mac-tek-02
              (work in progress), June 2010. March 2011.

   [ISAKMP-REG]
              "'Magic Numbers' for ISAKMP Protocol",
              <http://www.iana.org/assignments/isakmp-registry>.

   [MP04]     Meadows, C. and D. Pavlovic, "Deriving, Attacking, and
              Defending the GDOI Protocol", ESORICS 2004 pp. 53-72,
              September 2004.

   [NNL]      Naor, D., Noal, M., and J. Lotspiech, "Revocation and
              Tracing Schemes for Stateless Receivers", Advances in
              Cryptology, Crypto '01,  Springer-Verlag LNCS 2139, 2001,
              pp. 41-62, 2001,
              <http://www.wisdom.weizmann.ac.il/~naor/>.

   [OFT]      McGrew, D. and A. Sherman, "Key Establishment in Large
              Dynamic Groups Using One-Way Function Trees", Manuscript,
               submitted to IEEE Transactions on Software Engineering,
              1998, <http://download.nai.com/products/media/nai/misc/
              oft052098.ps>.

   [PK01]     Perlman, R. and C. Kaufman, "Analysis of the IPsec Key
              Exchange Standard", WET-ICE conference , 2001,
              <http://sec.femto.org/wetice-2001/papers/radia-paper.pdf>.

   [RFC2403]  Madson, C. and R. Glenn, "The Use of HMAC-MD5-96 within
              ESP and AH", RFC 2403, November 1998.

   [RFC2404]  Madson, C. and R. Glenn, "The Use of HMAC-SHA-1-96 within
              ESP and AH", RFC 2404, November 1998.

   [RFC2407]  Piper, D., "The Internet IP Security Domain of
              Interpretation for ISAKMP", RFC 2407, November 1998.

   [RFC2408]  Maughan, D., Schneider, M., and M. Schertler, "Internet
              Security Association and Key Management Protocol
              (ISAKMP)", RFC 2408, November 1998.

   [RFC2409]  Harkins, D. and D. Carrel, "The Internet Key Exchange
              (IKE)", RFC 2409, November 1998.

   [RFC2522]  Karn, P. and W. Simpson, "Photuris: Session-Key Management
              Protocol", RFC 2522, March 1999.

   [RFC2627]  Wallner, D., Harder, E., and R. Agee, "Key Management for
              Multicast: Issues and Architectures", RFC 2627, June 1999.

   [RFC3447]  Jonsson, J. and B. Kaliski, "Public-Key Cryptography
              Standards (PKCS) #1: RSA Cryptography Specifications
              Version 2.1", RFC 3447, February 2003.

   [RFC3550]  Schulzrinne, H., Casner, S., Frederick, R., and V.
              Jacobson, "RTP: A Transport Protocol for Real-Time
              Applications", STD 64, RFC 3550, July 2003.

   [RFC3686]  Housley, R., "Using Advanced Encryption Standard (AES)
              Counter Mode With IPsec Encapsulating Security Payload
              (ESP)", RFC 3686, January 2004.

   [RFC3740]  Hardjono, T. and B. Weis, "The Multicast Group Security
              Architecture", RFC 3740, March 2004.

   [RFC3947]  Kivinen, T., Swander, B., Huttunen, A., and V. Volpe,
              "Negotiation of NAT-Traversal in the IKE", RFC 3947,
              January 2005.

   [RFC4046]  Baugher, M., Canetti, R., Dondeti, L., and F. Lindholm,
              "Multicast Security (MSEC) Group Key Management
              Architecture", RFC 4046, April 2005.

   [RFC4082]  Perrig, A., Song, D., Canetti, R., Tygar, J., and B.
              Briscoe, "Timed Efficient Stream Loss-Tolerant
              Authentication (TESLA): Multicast Source Authentication
              Transform Introduction", RFC 4082, June 2005.

   [RFC4106]  Viega, J. and D. McGrew, "The Use of Galois/Counter Mode
              (GCM) in IPsec Encapsulating Security Payload (ESP)",
              RFC 4106, June 2005.

   [RFC4301]  Kent, S. and K. Seo, "Security Architecture for the
              Internet Protocol", RFC 4301, December 2005.

   [RFC4309]  Housley, R., "Using Advanced Encryption Standard (AES) CCM
              Mode with IPsec Encapsulating Security Payload (ESP)",
              RFC 4309, December 2005.

   [RFC4359]  Weis, B., "The Use of RSA/SHA-1 Signatures within
              Encapsulating Security Payload (ESP) and Authentication
              Header (AH)", RFC 4359, January 2006.

   [RFC4430]  Sakane, S., Kamada, K., Thomas, M., and J. Vilhuber,
              "Kerberized Internet Negotiation of Keys (KINK)",
              RFC 4430, March 2006.

   [RFC4543]  McGrew, D. and J. Viega, "The Use of Galois Message
              Authentication Code (GMAC) in IPsec ESP and AH", RFC 4543,
              May 2006.

   [RFC4754]  Fu, D. and J. Solinas, "IKE and IKEv2 Authentication Using
              the Elliptic Curve Digital Signature Algorithm (ECDSA)",
              RFC 4754, January 2007.

   [RFC4868]  Kelly, S. and S. Frankel, "Using HMAC-SHA-256, HMAC-SHA-
              384, and HMAC-SHA-512 with IPsec", RFC 4868, May 2007.

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", BCP 26, RFC 5226,
              May 2008.

   [RFC5903]  Fu, D. and J. Solinas, "Elliptic Curve Groups modulo a
              Prime (ECP Groups) for IKE and IKEv2", RFC 5903,
              June 2010.

   [RFC5996]  Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen,
              "Internet Key Exchange Protocol Version 2 (IKEv2)",
              RFC 5996, September 2010.

   [SKEME]    Krawczyk, H., "SKEME: A Versatile Secure Key Exchange
              Mechanism for Internet", ISOC Secure Networks and
              Distributed Systems Symposium San Diego, 1996.

   [SP.800-131]
              Barker, E. and A. Roginsky, "Recommendation for the
              Transitioning of Cryptographic Algorithms and Key
              Lengths", United States of America, National Institute of
              Science and Technology DRAFT NIST Special Publication 800-
              131, June 2010.

   [SP.800-38A]
              Dworkin, M., "Recommendation for Block Cipher Modes of
              Operation", United States of America, National Institute
              of Science and Technology NIST Special Publication 800-38A
              2001 Edition, December 2001.

   [STS]      Diffie, W., Van Oorschot, P., and M. Wiener,
              "Authentication and Authenticated Key Exchanges", Designs,
              Codes and Cryptography, 2, 107-125 (1992), Kluwer Academic
              Publishers, 1992.

Appendix A.  Extending GDOI

A.1.  Alternate GDOI Phase 1 protocols

   This section describes a manner

   This section describes a manner in which other protocols could be
   used as GDOI Phase 1 protocols in place of the ISAKMP Phase 1
   protocol.  However, they are not specified as a part of this
   document.  A separate document MUST be written in order for another
   protocol to be used as a GDOI Phase 1 protocol.

   Other possible phase 1 protocols are also described in [RFC4046].

   Any GDOI phase 1 protocol MUST satisfy the requirements specified in
   Section 2 of this document.

A.1.1.  IKEv2 Exchange

   Version 2 of the IKE protocol (IKEv2) [RFC5996] has been published.
   That protocol simplifies IKE processing, and combines the two phases
   of IKE.  An IKEv2 Phase 1 negotiates an IPsec SA during phase 1,
   which was not possible in IKE.  However, IKEv2 also defines a phase 2
   protocol.  The phase 2 protocol is protected by the Phase 1, similar
   in concept to how IKE Quick Mode is protected by the IKE Phase 1
   protocols in which other protocols could [RFC2409].

   It would be
   used as possible to define GDOI Phase 1 protocols in place as a phase 2 protocol protected
   by an IKEv2 initial exchange.  Alternatively, it would be possible to
   define a new protocol re-using some of the ISAKMP Phase 1
   protocol.  However, they are not specified as IKEv2 initial exchange
   (e.g., IKE_SA_INIT).

A.1.2.  KINK Protocol

   The Kerberized Internet Negotiation of Keys (KINK) [RFC4430] has
   defined a part method of this
   document.  A separate document MUST be written encapsulating an IKEv1 Quick Mode [RFC2409]
   encapsulated in order Kerberos KRB_AP_REQ and KRB_AP_REP payloads.  KINK
   provides a low-latency, computationally inexpensive, easily managed,
   and cryptographically sound method of setting up IPsec security
   associations.

   The KINK message format includes a DOI field in the KINK header.  The
   [RFC4430] document defines the DOI for another
   protocol to the IPsec DOI.

   A new DOI for KINK could be used as defined which would encapsulate a GDOI Phase 1 protocol.

   Other possible phase 1 protocols are also described
   GROUPKEY-PULL exchange in [RFC4046].

   Any the Kerberos KRB_AP_REQ and KRB_AP_REP
   payloads.  As such, GDOI phase 1 protocol would benefit from the computational
   efficiencies of KINK.

A.2.  Supporting new SA TEK types

   Not all secure multicast or multimedia applications can use IPsec ESP
   or AH.  Many Real Time Transport Protocol applications, for example,
   require security above the IP layer to preserve RTP header
   compression efficiencies and transport-independence [RFC3550].
   Alternatively, GDOI can distribute message authentication code (MAC)
   policy and keys for legacy applications that have defined their own
   security associations [I-D.weis-gdoi-mac-tek].

   In order to add a new data security protocol, a new RFC MUST satisfy specify
   the requirements specified data-security SA parameters conveyed by GDOI for that security
   protocol; these parameters are listed in Section 2 5.5.2 of this
   document.

A.1.  IKEv2 Exchange

   Version 2 of the IKE protocol (IKEv2) [RFC5996] has been published.
   That

   Data security protocol simplifies IKE processing, and combines the SAs MUST protect group traffic.  GDOI provides
   no restriction on whether that group traffic is transmitted as
   unicast or multicast packets.

Appendix B.  GDOI Applications

   GDOI can be used to distribute keys for several secure multicast
   applications, where different applications have different key
   management requirements.  This section outlines two phases example ways that
   GDOI can be used.  Other examples can be found in Section 10 of IKE.  An IKEv2 Phase 1 negotiates
   [HD03].

   A simple application is secure delivery of periodic multicast content
   over an IPsec SA during phase 1,
   which was not possible in IKE.  However, IKEv2 also defines organization's IP network, perhaps a phase 2
   protocol.  The phase 2 protocol multicast video
   broadcast.  Assuming the content delivery time frame is protected by bounded and
   the Phase 1, similar
   in concept group membership is not expected to how IKE Quick Mode change over time, there is protected by the IKE Phase 1
   protocols in [RFC2409].

   It would be possible no
   need for group policy to define GDOI as include a phase 2 protocol protected
   by an IKEv2 initial exchange.  Alternatively, it would be possible GROUPKEY-PUSH exchange, and
   there's no need for the GCKS to
   define distribute a new protocol re-using some Re-key SA.  Thus, the
   GDOI GCKS may only need to distribute a single set of Data-Security
   SAs to protect the IKEv2 initial exchange
   (e.g., IKE_SA_INIT).

A.2.  KINK Protocol

   The Kerberized Internet Negotiation of Keys (KINK) [RFC4430] has
   defined time-bounded broadcast.

   In contrast, a method persistent IP multicast application (e.g., stock-
   ticker delivery service) may have many group members, where the group
   membership changes over time.  A periodic change of encapsulating an IKEv1 Quick Mode [RFC2409]
   encapsulated in Kerberos KRB_AP_REQ Data-security SAs
   may be desirable, and KRB_AP_REP payloads.  KINK
   provides the potential for change in group membership
   requires the use of a low-latency, computationally inexpensive, easily managed,
   and cryptographically sound group management method enabling de-
   authorization of setting up IPsec security
   associations. group members.  The KINK message format includes a GDOI field in the KINK header.
   The [RFC4430] document defines GCKS will distribute the DOI for
   current set of Data-Security SAs and a Re-key SA to registering group
   members.  It will then deliver regularly-scheduled GROUPKEY-PUSH
   protocol delivering the IPsec DOI.

   A new DOI SAs for KINK could the group.  Additionally, the
   group membership on the GCKS may be defined frequently adjusted, which would encapsulate a
   GROUPKEY-PULL exchange will
   result in GROUPKEY-PUSH exchange delivering a new Rekey SAs protected
   by a group management method.  Each GROUPKEY-PUSH may include Data-
   security SAs and/or a Rekey SA.

   In each example the Kerberos KRB_AP_REQ relevant policy is defined on the GCKS and KRB_AP_REP
   payloads.  As such, GDOI would benefit from
   relayed to group members using the computational
   efficiencies of KINK. GROUPKEY-PULL and/or GROUPKEY-PUSH
   protocols.  Specific policy choices configured by the GCKS
   administrator depends on each application.

Appendix B. C.  Significant Changes from RFC 3547

   The following significant changes have been made from RFC 3547.

   o  The Proof of Possession (POP) payload was removed from the
      GROUPKEY-PULL exchange.  It provided an alternate form of
      authorization, but its use was underspecified.  Furthermore,
      Meadows and Pavlovic [MP04] discussed a man-in-the-middle attack
      on the POP authorization method, which would require changes to
      its semantics.  No known implementation of RFC 3547 supported the
      POP payload, so it was removed.  Removal of the POP payload
      obviated the need for the CERT payload in that exchange and it was
      removed as well.

   o  The Key Exchange Payloads (KE_I, KE_R) payloads were removed from
      the GROUPKEY-PULL exchange.  However, the specification for
      computing keying material for the additional encryption function
      in RFC 3547 is faulty.  Furthermore, it has been observed that
      because the GDOI registration message uses strong ciphers and
      provides authenticated encryption, additional encryption of the
      keying material in a GDOI registration message provides negligible
      value.  Therefore, the use of KE payloads is deprecated in this
      memo.

   o  The Certificate Payload (CERT) was removed from the GROUPKEY-PUSH
      exchange.  The use of this payload was underspecified.  In all
      known use cases, the public key of used to verify the GROUPKEY-
      PUSH payload is distributed directly from the key server as part
      of the GROUPKEY-PULL exchange.

   o  Supported cryptographic algorithms were changed to meet current
      guidance.  Implementations are required to support AES with 128-
      bit keys to encrypt the rekey message, and SHA-256 for
      cryptographic signatures.  The use of DES is deprecated.

   o  New protocol support for AH.

   o  New protocol definitions were added to conform to the most recent
      Security Architecture for the Internet Protocol [RFC4301] and the
      Multicast Extensions to the Security Architecture for the Internet
      Protocol[RFC5374].  This includes addition of the GAP payload payload.

   o  New protocol definitions and semantics were added to support Using
      Counter Modes with ESP and AH to Protect Group
      Traffic[I-D.ietf-msec-ipsec-group-counter-modes]. Traffic[RFC6054].

   o  Specification to IANA to better clarify the use of the GDOI
      Payloads registry.

Authors' Addresses

   Brian Weis
   Cisco Systems
   170 W. Tasman Drive
   San Jose, California  95134-1706
   USA

   Phone: +1-408-526-4796
   Email: bew@cisco.com

   Sheela Rowles
   Cisco Systems
   170 W. Tasman Drive
   San Jose, California  95134-1706
   USA

   Phone: +1-408-527-7677
   Email: sheela@cisco.com

   Thomas Hardjono
   MIT
   77 Massachusetts Ave.
   Cambridge, Massachusets  02139
   USA

   Phone: +1-781-729-9559
   Email: hardjono@mit.edu