draft-ietf-msec-gdoi-update-09.txt   draft-ietf-msec-gdoi-update-10.txt 
Updates: 3547 (once approved) B. Weis Obsoletes: 3547 (once approved) B. Weis
Internet-Draft S. Rowles Internet-Draft S. Rowles
Intended status: Standards Track Cisco Systems Intended status: Standards Track Cisco Systems
Expires: January 2, 2012 T. Hardjono Expires: February 9, 2012 T. Hardjono
MIT MIT
July 1, 2011 August 8, 2011
The Group Domain of Interpretation The Group Domain of Interpretation
draft-ietf-msec-gdoi-update-09 draft-ietf-msec-gdoi-update-10
Abstract Abstract
This document describes an updated version of the Group Domain of This document describes the Group Domain of Interpretation (GDOI)
Interpretation (GDOI) protocol specified in RFC 3547. The GDOI protocol specified in RFC 3547. The GDOI provides group key
provides group key management to support secure group communications management to support secure group communications according to the
according to the architecture specified in RFC 4046. The GDOI architecture specified in RFC 4046. The GDOI manages group security
manages group security associations, which are used by IPsec and associations, which are used by IPsec and potentially other data
potentially other data security protocols. security protocols. This document replaces RFC 3547.
Status of this Memo Status of this Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 2, 2012. This Internet-Draft will expire on February 9, 2012.
Copyright Notice Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 23 skipping to change at page 2, line 23
Without obtaining an adequate license from the person(s) controlling Without obtaining an adequate license from the person(s) controlling
the copyright in such materials, this document may not be modified the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other it for publication as an RFC or to translate it into languages other
than English. than English.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. Requirements notation . . . . . . . . . . . . . . . . . . 5 1.1. Requirements notation . . . . . . . . . . . . . . . . . . 6
1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 6 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 6
1.3. Acronyms and Abbreviations . . . . . . . . . . . . . . . . 6 1.3. Acronyms and Abbreviations . . . . . . . . . . . . . . . . 7
2. GDOI Phase 1 protocol . . . . . . . . . . . . . . . . . . . . 8 2. GDOI Phase 1 protocol . . . . . . . . . . . . . . . . . . . . 9
2.1. DOI value . . . . . . . . . . . . . . . . . . . . . . . . 8 2.1. DOI value . . . . . . . . . . . . . . . . . . . . . . . . 9
2.2. UDP port . . . . . . . . . . . . . . . . . . . . . . . . . 8 2.2. UDP port . . . . . . . . . . . . . . . . . . . . . . . . . 9
3. GROUPKEY-PULL Exchange . . . . . . . . . . . . . . . . . . . . 9 3. GROUPKEY-PULL Exchange . . . . . . . . . . . . . . . . . . . . 10
3.1. Authorization . . . . . . . . . . . . . . . . . . . . . . 9 3.1. Authorization . . . . . . . . . . . . . . . . . . . . . . 10
3.2. Messages . . . . . . . . . . . . . . . . . . . . . . . . . 9 3.2. Messages . . . . . . . . . . . . . . . . . . . . . . . . . 10
3.3. Group Member Operations . . . . . . . . . . . . . . . . . 11 3.3. Group Member Operations . . . . . . . . . . . . . . . . . 13
3.4. GCKS Operations . . . . . . . . . . . . . . . . . . . . . 13 3.4. GCKS Operations . . . . . . . . . . . . . . . . . . . . . 14
3.5. Counter-modes of operation . . . . . . . . . . . . . . . . 13 3.5. Counter-modes of operation . . . . . . . . . . . . . . . . 15
4. GROUPKEY-PUSH Message . . . . . . . . . . . . . . . . . . . . 16 4. GROUPKEY-PUSH Message . . . . . . . . . . . . . . . . . . . . 17
4.1. Use of signature keys . . . . . . . . . . . . . . . . . . 17 4.1. Use of signature keys . . . . . . . . . . . . . . . . . . 18
4.2. ISAKMP Header Initialization . . . . . . . . . . . . . . . 17 4.2. ISAKMP Header Initialization . . . . . . . . . . . . . . . 18
4.3. GCKS Operations . . . . . . . . . . . . . . . . . . . . . 17 4.3. GCKS Operations . . . . . . . . . . . . . . . . . . . . . 18
4.4. Group Member Operations . . . . . . . . . . . . . . . . . 18 4.4. Group Member Operations . . . . . . . . . . . . . . . . . 19
5. Payloads and Defined Values . . . . . . . . . . . . . . . . . 20 5. Payloads and Defined Values . . . . . . . . . . . . . . . . . 21
5.1. Identification Payload . . . . . . . . . . . . . . . . . . 20 5.1. Identification Payload . . . . . . . . . . . . . . . . . . 21
5.2. Security Association Payload . . . . . . . . . . . . . . . 20 5.2. Security Association Payload . . . . . . . . . . . . . . . 22
5.3. SA KEK payload . . . . . . . . . . . . . . . . . . . . . . 22 5.3. SA KEK payload . . . . . . . . . . . . . . . . . . . . . . 23
5.4. Group Associated Policy . . . . . . . . . . . . . . . . . 28 5.4. Group Associated Policy . . . . . . . . . . . . . . . . . 30
5.5. SA TEK Payload . . . . . . . . . . . . . . . . . . . . . . 30 5.5. SA TEK Payload . . . . . . . . . . . . . . . . . . . . . . 32
5.6. Key Download Payload . . . . . . . . . . . . . . . . . . . 34 5.6. Key Download Payload . . . . . . . . . . . . . . . . . . . 37
5.7. Sequence Number Payload . . . . . . . . . . . . . . . . . 43 5.7. Sequence Number Payload . . . . . . . . . . . . . . . . . 46
5.8. Nonce . . . . . . . . . . . . . . . . . . . . . . . . . . 44 5.8. Nonce . . . . . . . . . . . . . . . . . . . . . . . . . . 47
5.9. Delete . . . . . . . . . . . . . . . . . . . . . . . . . . 44 5.9. Delete . . . . . . . . . . . . . . . . . . . . . . . . . . 47
6. Algorithm Selection . . . . . . . . . . . . . . . . . . . . . 45 6. Algorithm Selection . . . . . . . . . . . . . . . . . . . . . 49
6.1. KEK . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 6.1. KEK . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
6.2. TEK . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 6.2. TEK . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
7. Security Considerations . . . . . . . . . . . . . . . . . . . 47 7. Security Considerations . . . . . . . . . . . . . . . . . . . 51
7.1. ISAKMP Phase 1 . . . . . . . . . . . . . . . . . . . . . . 47 7.1. ISAKMP Phase 1 . . . . . . . . . . . . . . . . . . . . . . 51
7.2. GROUPKEY-PULL Exchange . . . . . . . . . . . . . . . . . . 48 7.2. GROUPKEY-PULL Exchange . . . . . . . . . . . . . . . . . . 52
7.3. GROUPKEY-PUSH Exchange . . . . . . . . . . . . . . . . . . 50 7.3. GROUPKEY-PUSH Exchange . . . . . . . . . . . . . . . . . . 54
7.4. Forward and Backward Access Control . . . . . . . . . . . 51 7.4. Forward and Backward Access Control . . . . . . . . . . . 55
7.5. Derivation of keying material . . . . . . . . . . . . . . 53 7.5. Derivation of keying material . . . . . . . . . . . . . . 57
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 54 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 58
8.1. Additions to current registries . . . . . . . . . . . . . 54 8.1. Additions to current registries . . . . . . . . . . . . . 58
8.2. New registries . . . . . . . . . . . . . . . . . . . . . . 54 8.2. New registries . . . . . . . . . . . . . . . . . . . . . . 58
8.3. Cleanup of existing registries . . . . . . . . . . . . . . 56 8.3. Cleanup of existing registries . . . . . . . . . . . . . . 60
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 58 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 62
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 59 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 63
10.1. Normative References . . . . . . . . . . . . . . . . . . . 59 10.1. Normative References . . . . . . . . . . . . . . . . . . . 63
10.2. Informative References . . . . . . . . . . . . . . . . . . 60 10.2. Informative References . . . . . . . . . . . . . . . . . . 64
Appendix A. GDOI Applications . . . . . . . . . . . . . . . . . . 63 Appendix A. GDOI Applications . . . . . . . . . . . . . . . . . . 67
Appendix B. Significant Changes from RFC 3547 . . . . . . . . . . 64 Appendix B. Significant Changes from RFC 3547 . . . . . . . . . . 68
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 65 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 69
1. Introduction 1. Introduction
Secure group and multicast applications require a method by which Secure group and multicast applications require a method by which
each group member shares common security policy and keying material. each group member shares common security policy and keying material.
This document describes the Group Domain of Interpretation (GDOI), This document describes the Group Domain of Interpretation (GDOI),
which is an ISAMKP [RFC2408] Domain of Interpretation (DOI), a group which is an ISAMKP [RFC2408] Domain of Interpretation (DOI), a group
key management system. The GDOI distributes security associations key management system. The GDOI distributes security associations
(SAs) for IPsec AH [RFC4302] and ESP [RFC4303] protocols and (SAs) for IPsec AH [RFC4302] and ESP [RFC4303] protocols and
potentially other data security protocols used in group applications. potentially other data security protocols used in group applications.
The GDOI uses the group key management model defined in [RFC4046], The GDOI uses the group key management model defined in [RFC4046],
and described more generally by the The Multicast Group Security and described more generally by "The Multicast Group Security
Architecture [RFC3740]. Architecture" [RFC3740].
In this group key management model, the GDOI protocol participants In this group key management model, the GDOI protocol participants
are a "group controller/key server" (GCKS) and a group member (GM). are a "group controller/key server" (GCKS) and a group member (GM).
A group member contacts ("registers with") a GCKS to join the group. A group member contacts ("registers with") a GCKS to join the group.
During the registration mutual authentication and authorization are During the registration mutual authentication and authorization are
achieved, after which the GCKS distributes current group policy and achieved, after which the GCKS distributes current group policy and
keying material to the group member over an authenticated and keying material to the group member over an authenticated and
encrypted session. The GCKS may also initiate contact ("rekeys") encrypted session. The GCKS may also initiate contact ("rekeys")
with group members to provide updates to group policy. with group members to provide updates to group policy.
skipping to change at page 5, line 32 skipping to change at page 5, line 32
| | | | | | | | | | | | | |
| | GDOI GM(s) |<-------+-------->| GDOI GM(S) | | | | GDOI GM(s) |<-------+-------->| GDOI GM(S) | |
| | | | | | | | | | | |
| +-----------------+ +-----------------+ | | +-----------------+ +-----------------+ |
| | ^ | | | ^ |
| v | | | v | |
| +-Data Security Protocol (e.g., ESP)-+ | | +-Data Security Protocol (e.g., ESP)-+ |
| | | |
+--------------------------------------------------------------+ +--------------------------------------------------------------+
Figure 1. Group Key Management Model
Although the GROUPKEY-PUSH protocol specified by this document can be Although the GROUPKEY-PUSH protocol specified by this document can be
used to refresh the Re-key SA protecting the GROUPKEY-PUSH protocol, used to refresh the Re-key SA protecting the GROUPKEY-PUSH protocol,
the most common use of GROUPKEY-PUSH is to establish keying material the most common use of GROUPKEY-PUSH is to establish keying material
and policy for a data security protocol. and policy for a data security protocol.
GDOI defines several payload types used to distribute policy and
keying material within the GROUPKEY-PULL and GROUPKEY-PUSH protocols:
Security Association (SA), SA KEK, SA TEK, Group Associated Policy
(GAP) , Sequence Number (SEQ), and Key Download (KD). Format and
usage of these payloads are defined in later sections of this memo.
In summary, GDOI is a group security association management protocol: In summary, GDOI is a group security association management protocol:
all GDOI messages are used to create, maintain, or delete security all GDOI messages are used to create, maintain, or delete security
associations for a group. As described above, these security associations for a group. As described above, these security
associations protect one or more data security protocol SAs, a Re-key associations protect one or more data security protocol SAs, a Re-key
SA, and/or other data shared by group members for multicast and SA, and/or other data shared by group members for multicast and
groups security applications. groups security applications.
1.1. Requirements notation 1.1. Requirements notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
skipping to change at page 6, line 30 skipping to change at page 6, line 36
GROUPKEY-PULL. A protocol used by a GDOI Group Member to request GROUPKEY-PULL. A protocol used by a GDOI Group Member to request
group policy and keying material. group policy and keying material.
GROUPKEY-PUSH. A protocol used by a GDOI GCKS to distribute updates GROUPKEY-PUSH. A protocol used by a GDOI GCKS to distribute updates
of group policy and keying material to authorized group of group policy and keying material to authorized group
members. members.
Key Encrypting Key. The symmetric cipher key used to protect the Key Encrypting Key. The symmetric cipher key used to protect the
GROUPKEY-PUSH message. GROUPKEY-PUSH message.
Logical Key Hierarchy). A group management method defined in Section Logical Key Hierarchy. A group management method defined in Section
5.4 of [RFC2627]. 5.4 of [RFC2627].
Re-key SA. The security policy protecting a GROUPKEY-PUSH protocol. Re-key SA. The security policy protecting a GROUPKEY-PUSH protocol.
SA Attribute Payload A payload that follows the Security Association
payload that describe group security attributes associated with
the security association. SA Attribute Payloads include the
SAK, SAT and GAP payloads.
Security Parameter Index An arbitrary value that is used by a
receiver to identify a Security Association such as IPsec ESP
Security Association or a Re-key SA.
Traffic Encryption Key. The symmetric cipher key used to protect a Traffic Encryption Key. The symmetric cipher key used to protect a
data security protocol (e.g., IPsec ESP). data security protocol (e.g., IPsec ESP).
1.3. Acronyms and Abbreviations 1.3. Acronyms and Abbreviations
The following acronyms and abbreviations are used throughout this The following acronyms and abbreviations are used throughout this
document. document.
AH IP Authentication Header AH IP Authentication Header
skipping to change at page 7, line 22 skipping to change at page 7, line 39
GM Group Member GM Group Member
GSPD Group Security Policy Database GSPD Group Security Policy Database
IV Initialization Vector IV Initialization Vector
KD Key Download Payload KD Key Download Payload
KEK Key Encryption Key KEK Key Encryption Key
LKH Lock Key Hierarchy LKH Logical Key Hierarchy
SA Security Association SA Security Association
SAK SA KEK Payload SAK SA KEK Payload
SEQ Sequence Number Payload SEQ Sequence Number Payload
SAT SA TEK Payload SAT SA TEK Payload
SID Sender-ID SID Sender-ID
SPI Security Parameter Index
SSIV Sender-Specific ID SSIV Sender-Specific ID
TEK Traffic Encryption Key TEK Traffic Encryption Key
TLV Type/Length/Value
TV Type/Value
2. GDOI Phase 1 protocol 2. GDOI Phase 1 protocol
The GDOI GROUPKEY-PULL exchange is a "phase 2" protocol which MUST be The GDOI GROUPKEY-PULL exchange is a "phase 2" protocol which MUST be
protected by a "phase 1" protocol. The "phase 1" protocol can be any protected by a "phase 1" protocol. The "phase 1" protocol can be any
protocol which provides for the following protections: protocol which provides for the following protections:
o Peer Authentication o Peer Authentication
o Confidentiality o Confidentiality
skipping to change at page 8, line 39 skipping to change at page 9, line 39
2.1. DOI value 2.1. DOI value
The Phase 1 SA payload has a DOI value. That value MUST be the GDOI The Phase 1 SA payload has a DOI value. That value MUST be the GDOI
DOI value as defined later in this document. DOI value as defined later in this document.
2.2. UDP port 2.2. UDP port
IANA has assigned port 848 for the use of GDOI, which allows for an IANA has assigned port 848 for the use of GDOI, which allows for an
implementation to use separate ISAKMP implementations to service GDOI implementation to use separate ISAKMP implementations to service GDOI
and IKEv1 [RFC2409]. A GCKS SHOULD listen on this port for GROUPKEY- and IKE [RFC5996]. A GCKS SHOULD listen on this port for GROUPKEY-
PULL exchanges, and the GCKS MAY use this port to distribute PULL exchanges, and the GCKS MAY use this port to distribute
GROUPKEY-PUSH messages. An ISAKMP phase 1 exchange implementation GROUPKEY-PUSH messages. An ISAKMP phase 1 exchange implementation
supporting NAT Traversal [RFC3947] may move to port 4500 to process supporting NAT Traversal [RFC3947] MAY move to port 4500 to process
the GROUPKEY-PULL exchange. the GROUPKEY-PULL exchange.
3. GROUPKEY-PULL Exchange 3. GROUPKEY-PULL Exchange
The goal of the GROUPKEY-PULL exchange is to establish a Re-key The goal of the GROUPKEY-PULL exchange is to establish a Re-key
and/or Data-security SAs at the member for a particular group. A and/or Data-security SAs at the member for a particular group. A
Phase 1 SA protects the GROUPKEY-PULL; there MAY be multiple Phase 1 SA protects the GROUPKEY-PULL; there MAY be multiple
GROUPKEY-PULL exchanges for a given Phase 1 SA. The GROUPKEY-PULL GROUPKEY-PULL exchanges for a given Phase 1 SA. The GROUPKEY-PULL
exchange downloads the data security keys (TEKs) and/or group key exchange downloads the data security keys (TEKs) and/or group key
encrypting key (KEK) or KEK array under the protection of the Phase 1 encrypting key (KEK) or KEK array under the protection of the Phase 1
SA. SA.
3.1. Authorization 3.1. Authorization
The Phase 1 identity SHOULD be used by a GCKS to authorize the Phase The Phase 1 identity MUST be used by a GCKS to authorize the Phase 2
2 (GROUPKEY-PULL) request for a group key. A group member MUST (GROUPKEY-PULL) request for a group key. A group member MUST ensure
ensure that the Phase 1 identity of the GCKS is an authorized GCKS. that the Phase 1 identity of the GCKS is an authorized GCKS. When no
When no authorization is performed, it is possible for a rogue GDOI authorization is performed, it is possible for a rogue GDOI
participant to perpetrate a man-in-the-middle attack between a group participant to perpetrate a man-in-the-middle attack between a group
member and a GCKS [MP04]. member and a GCKS [MP04].
3.2. Messages 3.2. Messages
The GROUPKEY-PULL is a Phase 2 exchange. Phase 1 computes SKEYID_a The GROUPKEY-PULL is a Phase 2 exchange. Phase 1 computes SKEYID_a
which is the "key" in the keyed hash used in the GROUPKEY-PULL HASH which is the "key" in the keyed hash used in the ISAKMP HASH payloads
payloads. When using the Phase 1 defined in this document, SKEYID_a [RFC2408] included in GROUPKEY-PULL messages. When using the Phase 1
is derived according to [RFC2409]. As with the IKEv1 HASH payload defined in this document, SKEYID_a is derived according to [RFC2409].
generation (Section 5.5 of [RFC2409], each GROUPKEY-PULL message Each GROUPKEY-PULL message hashes a uniquely defined set of values
hashes a uniquely defined set of values (described below). Nonces (described below) and includes the result in the HASH payload.
permute the HASH and provide some protection against replay attacks. Nonces permute the HASH and provide some protection against replay
Replay protection is important to protect the GCKS from attacks that attacks. Replay protection is important to protect the GCKS from
a key management server will attract. attacks that a key management server will attract.
The GROUPKEY-PULL uses nonces to guarantee "liveness" as well as The GROUPKEY-PULL uses nonces to guarantee "liveness" as well as
against replay of a recent GROUPKEY-PULL message. The replay attack against replay of a recent GROUPKEY-PULL message. The replay attack
is only possible in the context of the current Phase 1. If a is only possible in the context of the current Phase 1. If a
GROUPKEY-PULL message is replayed based on a previous Phase 1, the GROUPKEY-PULL message is replayed based on a previous Phase 1, the
HASH calculation will fail due to a wrong SKEYID_a. The message will HASH calculation will fail due to a wrong SKEYID_a. The message will
fail processing before the nonce is ever evaluated. fail processing before the nonce is ever evaluated.
In order for either peer to get the benefit of the replay protection, In order for either peer to get the benefit of the replay protection,
it must postpone as much processing as possible until it receives the it must postpone as much processing as possible until it receives the
message in the protocol that proves the peer is live. For example, message in the protocol that proves the peer is live. For example,
the GCKS MUST NOT adjust its internal state (e.g., keeping a record the GCKS MUST NOT adjust its internal state (e.g., keeping a record
of the GM) until it receives a message with Nr included properly in of the GM) until it receives a message with Nr included properly in
the HASH payload. This requirement ensures that replays of GDOI the HASH payload. This requirement ensures that replays of GDOI
messages will not cause the GCKS to change the state of the group messages will not cause the GCKS to change the state of the group
until it has confirmation that the initiating group member is live. until it has confirmation that the initiating group member is live.
Group Member GCKS Group Member GCKS
------------ ---- ------------ ----
HDR*, HASH(1), Ni, ID --> (1) HDR*, HASH(1), Ni, ID -->
<-- HDR*, HASH(2), Nr, SA (2) <-- HDR*, HASH(2), Nr, SA
HDR*, HASH(3) [,GAP] --> (3) HDR*, HASH(3) [,GAP] -->
<-- HDR*, HASH(4), [SEQ,] KD (4) <-- HDR*, HASH(4), [SEQ,] KD
* Protected by the Phase 1 SA, encryption occurs after HDR * Protected by the Phase 1 SA, encryption occurs after HDR
HDR is an ISAKMP header payload that uses the Phase 1 cookies and a Figure 2. GROUPKEY-PULL Exchange
message identifier (M-ID) as in IKEv1.
Hashes are computed in the manner described within [RFC2409]. Each Figure 2 demonstrates the four messages that are part of a GROUPKEY-
HASH computation (shown below) is a psuedo-random function ("prf") PULL exchange. HDR is an ISAKMP header payload that uses the Phase 1
cookies and a message identifier (M-ID) as in ISAKMP. Following each
HDR is a set of payloads conveying requests (messages one and three
originated by the group member, or group policy and/or keying
material (messages two and four originated by the GCKS).
Hashes are computed in the manner described within [RFC2409]. The
HASH computation for each message is unique, shown in Figure 2 and
below as HASH(n) where (n) represents the GROUPKEY-PULL message
number. Each HASH calculation is a pseudo-random function ("prf")
over the message id (M-ID) from the ISAKMP header concatenated with over the message id (M-ID) from the ISAKMP header concatenated with
the entire message that follows the hash including all payload the entire message that follows the hash including all payload
headers, but excluding any padding added for encryption. The GM headers, but excluding any padding added for encryption. The GM
expects to find its nonce, Ni, in the HASH of a returned message. expects to find its nonce, Ni, in the HASH of a returned message.
And the GCKS expects to see its nonce, Nr, in the HASH of a returned And the GCKS expects to see its nonce, Nr, in the HASH of a returned
message. HASH(2), HASH(3), and HASH(4) also include nonce values message. HASH(2), HASH(3), and HASH(4) also include nonce values
previously passed in the protocol (i.e., Ni or Nr minus the payload previously passed in the protocol (i.e., Ni or Nr minus the payload
header). The nonce passed in Ni is represented as Ni_b, and the header). The nonce passed in Ni is represented as Ni_b, and the
nonce passed in Nr is represented as Nr_b. The HASH payloads prove nonce passed in Nr is represented as Nr_b. The HASH payloads prove
that the peer has the Phase 1 secret (SKEYID_a) and the nonce for the that the peer has the Phase 1 secret (SKEYID_a) and the nonce for the
skipping to change at page 10, line 42 skipping to change at page 11, line 50
HASH(2) = prf(SKEYID_a, M-ID | Ni_b | Nr | SA) HASH(2) = prf(SKEYID_a, M-ID | Ni_b | Nr | SA)
HASH(3) = prf(SKEYID_a, M-ID | Ni_b | Nr_b [ | GAP ]) HASH(3) = prf(SKEYID_a, M-ID | Ni_b | Nr_b [ | GAP ])
HASH(4) = prf(SKEYID_a, M-ID | Ni_b | Nr_b [ | SEQ ] | KD) HASH(4) = prf(SKEYID_a, M-ID | Ni_b | Nr_b [ | SEQ ] | KD)
In addition to the Nonce and HASH payloads, the GM identifies the In addition to the Nonce and HASH payloads, the GM identifies the
group it wishes to join through the ISAKMP ID payload. group it wishes to join through the ISAKMP ID payload.
The GCKS informs the member of the cryptographic policies of the The GCKS informs the member of the cryptographic policies of the
group in the SA payload, which describes the DOI, KEK and/or TEK group in the SA payload, which describes the DOI, KEK and/or TEK
keying material, authentication transforms, and other group policy. keying material, authentication transforms, and other group policy.
The SPIs are also determined by the GCKS and downloaded in the SA Each SPI is also determined by the GCKS and downloaded in the SA
payload chain (see Section 5.2). The SA KEK attribute contains the payload chain (see Section 5.2). The SA KEK attribute contains the
ISAKMP cookie pair for the Re-key SA, which is not negotiated but ISAKMP cookie pair for the Re-key SA, which is not negotiated but
downloaded. Each SA TEK attribute contains a SPI as defined in downloaded. Each SA TEK attribute contains a SPI as defined in
Section 5.5 of this document. Section 5.5 of this document.
After receiving and parsing the SA payload, the GM responds with an After receiving and parsing the SA payload, the GM responds with an
acknowledgement message proving its liveness. It optionally includes acknowledgement message proving its liveness. It optionally includes
a GAP payload requesting resources. a GAP payload requesting resources.
The GCKS informs the GM of the value of the sequence number in the The GCKS informs the GM of the value of the sequence number in the
SEQ payload. This sequence number provides anti-replay state SEQ payload. This sequence number provides anti-replay state
associated with a KEK, and its knowledge ensure that the GM will not associated with a KEK, and its knowledge ensures that the GM will not
accept GROUPKEY-PULL messages sent prior to the GM joining the group. accept GROUPKEY-PUSH messages sent prior to the GM joining the group.
The SEQ payload has no other use, and is omitted from the GROUPKEY- The SEQ payload has no other use, and is omitted from the GROUPKEY-
PULL exchange when a KEK attribute is not included in the SA payload. PULL exchange when a KEK attribute is not included in the SA payload.
When a SEQ payload is included in the GROUPKEY-PULL exchange, it When a SEQ payload is included in the GROUPKEY-PULL exchange, it
includes the most recently used sequence number for the group. At includes the most recently used sequence number for the group. At
the conclusion of a GROUPKEY-PULL exchange, the initiating group the conclusion of a GROUPKEY-PULL exchange, the initiating group
member MUST NOT accept any rekey message with both the KEK attribute member MUST NOT accept any rekey message with both the KEK attribute
SPI value and a sequence number less than or equal to the one SPI value and a sequence number less than or equal to the one
received during the GROUPKEY-PULL. When the first group member received during the GROUPKEY-PULL exchange. When the first group
initiates a GROUPKEY-PULL exchange, the GCKS provides a Sequence member initiates a GROUPKEY-PULL exchange, the GCKS provides a
Number of zero, since no GROUPKEY-PUSH messages have yet been sent. Sequence Number of zero, since no GROUPKEY-PUSH messages have yet
Note the sequence number increments only with GROUPKEY-PUSH messages. been sent. Note the sequence number increments only with GROUPKEY-
The GROUPKEY-PULL exchange distributes the current sequence number to PUSH messages. The GROUPKEY-PULL exchange distributes the current
the group member. The sequence number resets to a value of one with sequence number to the group member. The sequence number resets to a
the usage of a new KEK attribute. Thus the first packet sent for a value of one with the usage of a new KEK attribute. Thus the first
given Rekey SA will have a Sequence Number of 1. The sequence number packet sent for a given Rekey SA will have a Sequence Number of 1.
increments with each successive rekey. The sequence number increments with each successive rekey.
The GCKS always returns a KD payload containing keying material to The GCKS always returns a KD payload containing keying material to
the GM. If a Re-key SA is defined in the SA payload, then KD will the GM. If a Re-key SA is defined in the SA payload, then KD will
contain the KEK; if one or more Data-security SAs are defined in the contain the KEK; if one or more Data-security SAs are defined in the
SA payload, KD will contain the TEKs. SA payload, KD will contain the TEKs.
3.2.1. ISAKMP Header Initialization 3.2.1. ISAKMP Header Initialization
Cookies are used in the ISAKMP header to identify a particular GDOI Cookies are used in the ISAKMP header to identify a particular GDOI
session. The GDOI GROUPKEY-PULL exchange uses cookies according to session. The GDOI GROUPKEY-PULL exchange uses cookies according to
ISAKMP [RFC2408]. ISAKMP [RFC2408].
Next Payload identifies an ISAKMP or GDOI payload (see Section 5.0). Next Payload identifies an ISAKMP or GDOI payload (see Section 5.0).
Major Version is 1 and Minor Version is 0 according to ISAKMP Major Version is 1 and Minor Version is 0 according to ISAKMP
(Section 3.1 of [RFC2408]). (Section 3.1 of [RFC2408]).
The Exchange Type has value 32 for the GDOI GROUPKEY-PULL exchange. The Exchange Type has value 32 for the GDOI GROUPKEY-PULL exchange.
Flags, Message ID, and Length are according to ISAKMP (Section 3.1 of Flags, Message ID, and Length are according to ISAKMP (Section 3.1 of
[RFC2408]).
[RFC2408]). The Commit flag is not useful because there is no
synchronization between the GROUPKEY-PULL exchange and the data
traffic protected by the policy distributed by the GROUPKEY-PULL
exchange.
3.3. Group Member Operations 3.3. Group Member Operations
Before a GM contacts the GCKS, it needs to determine the group Before a GM contacts the GCKS, it needs to determine the group
identifier and acceptable Phase 1 policy via an out-of-band method. identifier and acceptable Phase 1 policy via an out-of-band method.
Phase 1 is initiated using the GDOI DOI in the SA payload. Once Phase 1 is initiated using the GDOI DOI in the SA payload. Once
Phase 1 is complete, the GM state machine moves to the GDOI protocol. Phase 1 is complete, the GM state machine moves to the GDOI protocol.
To construct the first GDOI message the GM chooses Ni and creates a To construct the first GDOI message the GM chooses Ni and creates a
nonce payload, builds an identity payload including the group nonce payload, builds an identity payload including the group
identifier, and generates HASH(1). identifier, and generates HASH(1).
Upon receipt of the second GDOI message, the GM validates HASH(2), Upon receipt of the second GDOI message, the GM validates HASH(2),
extracts the nonce Nr, and interprets the SA payload. The SA payload extracts the nonce Nr, and interprets the SA payload (including its
contains policy describing the security protocol and cryptographic SA Attribute Payloads) . The SA payload contains policy describing
protocols used by the group. This policy describes the Re-key SA (if the security protocol and cryptographic protocols used by the group.
present), Data-security SAs, and other group policy. If the policy This policy describes the Re-key SA (if present), Data-security SAs,
in the SA payload is acceptable to the GM, it continues the protocol. and other group policy. If the policy in the SA payload is
Otherwise, the GM SHOULD tear down the Phase 1 session after first acceptable to the GM, it continues the protocol. Otherwise, the GM
notifying the GCKS that it is doing so. If a Data-security SA SHOULD tear down the Phase 1 session after notifying the GCKS with an
describes the use of a counter mode cipher, the GM determines whether ISAKMP Informational Exchange containing a Delete payload.
it requires more than one Sender-ID (SID) (see Section 3.5). If so,
it includes a GAP payload indicating how many SID values it requires.
When constructing the third GDOI message, it first reviews each Data- When constructing the third GDOI message, it first reviews each Data-
security SA given to it. If any include a cipher counter mode, it security SA given to it. If any describe the use of a counter mode
needs to request for one or more Sender-IDs for its exclusive use cipher, the GM determines whether it requires more than one Sender-ID
within the counter mode nonce. Do to this, the GM will include a GAP (SID) (see Section 3.5). If so, it requests the required number of
payload with its request, as described in the Section 5.4 section of Sender-IDs for its exclusive use within the counter mode nonce as
this document. The GM the completes construction of the third GDOI described in the Section 5.4 section of this document. The GM the
message by creating HASH(3). completes construction of the third GDOI message by creating HASH(3).
Upon receipt of the fourth GDOI message, the GM validates HASH(4). Upon receipt of the fourth GDOI message, the GM validates HASH(4).
If the SEQ payload is present, the sequence number included in the If the SEQ payload is present, the sequence number included in the
SEQ payload MUST be greater than any previously received sequence SEQ payload asserts the lowest acceptable sequence number present in
number. If it is less than the previously received number, it MUST a future GROUPKEY-PUSH message. But if the the KEK associated with
be considered stale and ignored. this sequence number had been previously installed, due to the
asynchronous processing of GROUPKEY-PULL and GROUPKEY-PUSH messages
this sequence number may be lower than the sequence number contained
in the most recently received GROUPKEY-PUSH message. In this case,
the sequence number value in the SEQ payload MUST be considered stale
and ignored.
The GM interprets the KD key packets, where each key packet includes The GM interprets the KD key packets, where each key packet includes
the keying material for SAs distributed in the SA payload. Keying the keying material for SAs distributed in the SA payload. Keying
material is matched by comparing the SPIs in the key packets to SPIs material is matched by comparing the SPI in each key packet to SPI
previously sent in the SA payloads. Once TEK keys and policy are values previously sent in the SA payloads. Once TEK keys and policy
matched, the GM provides them to the data security subsystem, and it are matched, the GM provides them to the data security subsystem, and
is ready to send or receive packets matching the TEK policy. If this it is ready to send or receive packets matching the TEK policy. If
group has a KEK, the KEK policy and keys are marked as ready for use, this group has a KEK, the KEK policy and keys are marked as ready for
and the GM knows to expect the sequence number reset to 1 with the use and the GM knows to expect a sequence number not less than the
next Rekey SA, which will be encrypted with the new KEK attribute. one distributed in the SEQ payload. The GM is now ready to receive
The GM is now ready to receive GROUPKEY-PUSH messages. GROUPKEY-PUSH messages.
If the KD payload included an LKH array of keys, the GM takes the If the KD payload included an LKH array of keys, the GM takes the
last key in the array as the group KEK. The array is then stored last key in the array as the group KEK. The array is then stored
without further processing. without further processing.
3.4. GCKS Operations 3.4. GCKS Operations
The GCKS passively listens for incoming requests from group members. The GCKS passively listens for incoming requests from group members.
The Phase 1 authenticates the group member and sets up the secure The Phase 1 authenticates the group member and sets up the secure
session with them. session with them.
Upon receipt of the first GDOI message the GCKS validates HASH(1), Upon receipt of the first GDOI message the GCKS validates HASH(1),
extracts the Ni and group identifier in the ID payload. It verifies extracts the Ni and group identifier in the ID payload. It verifies
that its database contains the group information for the group that its database contains the group information for the group
identifier, and that the GM is authorized to participate in the identifier, and that the GM is authorized to participate in the
group. group.
The GCKS constructs the second GDOI message, including a nonce Nr, The GCKS constructs the second GDOI message, including a nonce Nr,
and the policy for the group in an SA payload, followed by SA KEK, and the policy for the group in an SA payload, followed by SA
GAP, and/or SA TEK payloads according to the GCKS policy. (See Attribute Payloads (i.e, SA KEK, GAP, and/or SA TEK payloads)
Section 5.2.1 for details on how the GCKS chooses which payloads to according to the GCKS policy. (See Section 5.2.1 for details on how
send.) the GCKS chooses which payloads to send.)
Upon receipt of the third GDOI message the GCKS validates HASH(3). Upon receipt of the third GDOI message the GCKS validates HASH(3).
If the message includes a GAP payload, it caches the requests If the message includes a GAP payload, it caches the requests
included in that payload for use of constructing the fourth GDOI included in that payload for use of constructing the fourth GDOI
message. message.
The GCKS constructs the fourth GDOI message, including the SEQ The GCKS constructs the fourth GDOI message, including the SEQ
payload (if the GCKS sends rekey messages), and the KD payload payload (if the GCKS sends rekey messages), and the KD payload
containing keys corresponding to policy previously sent in the SA TEK containing keys corresponding to policy previously sent in the SA TEK
and SA KEK payloads. If a group management algorithm is defined as and SA KEK payloads. If a group management algorithm is defined as
skipping to change at page 14, line 11 skipping to change at page 15, line 23
send a packet with the same Initialization Vector (IV) using the same send a packet with the same Initialization Vector (IV) using the same
cipher key and mode. This requirement is met in GDOI when the cipher key and mode. This requirement is met in GDOI when the
following requirements are met: following requirements are met:
o The GCKS distributes a unique key for each Data-Security SA. o The GCKS distributes a unique key for each Data-Security SA.
o The GCKS uses the method described in [RFC6054], which assigns o The GCKS uses the method described in [RFC6054], which assigns
each sender a portion of the IV space by provisioning each sender each sender a portion of the IV space by provisioning each sender
with one or more unique SID values. with one or more unique SID values.
When at least one Data-Security SAs included in the group policy When at least one Data-Security SA included in the group policy
includes a counter-mode, the GCKS automatically allocates and includes a counter-mode, the GCKS automatically allocates and
distributes one SID to each group member acting in the role of sender distributes one SID to each group member acting in the role of sender
on the Data-Security SA. The SID value is used exclusively by the on the Data-Security SA. The SID value is used exclusively by the
group member to which it was allocated. The group member uses the group member to which it was allocated. The group member uses the
same SID for each Data-Security SA specifying the use of a counter- same SID for each Data-Security SA specifying the use of a counter-
based mode of operation. A GCKS MUST distribute unique keys for each based mode of operation. A GCKS MUST distribute unique keys for each
Data-Security SA including a counter-based mode of operation in order Data-Security SA including a counter-based mode of operation in order
to maintain a unique key and nonce usage. to maintain a unique key and nonce usage.
When a group member receives a Data-Security SA in a SA TEK payload When a group member receives a Data-Security SA in a SA TEK payload
skipping to change at page 14, line 37 skipping to change at page 15, line 49
outbound direction. Alternatively, a group member MAY request more outbound direction. Alternatively, a group member MAY request more
than one SID and use them serially. This could be useful when it is than one SID and use them serially. This could be useful when it is
anticipated that the group member will exhaust their range of Data- anticipated that the group member will exhaust their range of Data-
Security SA nonces using a single SID too quickly (e.g., before the Security SA nonces using a single SID too quickly (e.g., before the
time-based policy in the TEK expires). time-based policy in the TEK expires).
When group policy includes a counter-based mode of operation, a GCKS When group policy includes a counter-based mode of operation, a GCKS
SHOULD use the following method to allocate SID values, which ensures SHOULD use the following method to allocate SID values, which ensures
that each SID will be allocated to just one group member. that each SID will be allocated to just one group member.
1. A GCKS maintains an SID-counter, which records which SIDs that 1. A GCKS maintains an SID-counter, which records which SIDs have
have been allocated. SIDs are allocated sequentially, with the been allocated. SIDs are allocated sequentially, with the first
first SID allocated to be zero. SID allocated to be zero.
2. Each time an SID is allocated, the current value of the counter 2. Each time an SID is allocated, the current value of the counter
is saved and allocated to the group member. The SID-counter is is saved and allocated to the group member. The SID-counter is
then incremented in preparation for the next allocation. then incremented in preparation for the next allocation.
3. When the GCKS distributes an Data-Security SA specifying a 3. When the GCKS distributes a Data-Security SA specifying a
counter-based mode of operation, and a group member is a sender, counter-based mode of operation, and a group member is a sender,
a group member may request a count of SIDs in a GAP payload. a group member may request a count of SIDs in a GAP payload.
When the GCKS receives this request, it increments the SID- When the GCKS receives this request, it increments the SID-
counter once for each requested SID, and distributes each SID counter once for each requested SID, and distributes each SID
value to the group member. value to the group member.
4. A GCKS allocates new SID values for each GROUPKEY-PULL exchange 4. A GCKS allocates new SID values for each GROUPKEY-PULL exchange
originated by a sender, regardless of whether a group member had originated by a sender, regardless of whether a group member had
previously contacted the GCKS. In this way, the GCKS does not previously contacted the GCKS. In this way, the GCKS does not
have a requirement of maintaining a record of which SID values it have a requirement of maintaining a record of which SID values it
skipping to change at page 16, line 13 skipping to change at page 17, line 13
IV values with the same Data-Security SA key. IV values with the same Data-Security SA key.
4. GROUPKEY-PUSH Message 4. GROUPKEY-PUSH Message
GDOI sends control information securely using group communications. GDOI sends control information securely using group communications.
Typically this will be using IP multicast distribution of a GROUPKEY- Typically this will be using IP multicast distribution of a GROUPKEY-
PUSH message but it can also be "pushed" using unicast delivery if IP PUSH message but it can also be "pushed" using unicast delivery if IP
multicast is not possible. The GROUPKEY-PUSH message replaces a Re- multicast is not possible. The GROUPKEY-PUSH message replaces a Re-
key SA KEK or KEK array, and/or creates a new Data-security SA. key SA KEK or KEK array, and/or creates a new Data-security SA.
GM GCKS GM GCKS
-- ---- -- ----
<---- HDR*, SEQ, [D,] SA, KD, SIG <---- HDR*, SEQ, [D,] SA, KD, SIG
* Protected by the Re-key SA KEK; encryption occurs after HDR * Protected by the Re-key SA KEK; encryption occurs after HDR
Figure 3. GROUPKEY-PUSH Message
HDR is defined below. The SEQ payload is defined in the Payloads HDR is defined below. The SEQ payload is defined in the Payloads
section. One or more D (Delete) payloads (further described in section. One or more D (Delete) payloads (further described in
Section 5.9) optionally specify the deletion of existing group Section 5.9) optionally specify the deletion of existing group
policy. The SA defines the group policy for replacement Re-key SA policy. The SA defines the group policy for replacement Re-key SA
and/or Data-security SAs as described in the Payloads section, with and/or Data-security SAs as described in the Payloads section, with
the KD providing keying material for those SAs. the KD providing keying material for those SAs.
The SIG payload includes a signature of a hash of the entire The SIG payload includes a signature of a hash of the entire
GROUPKEY-PUSH message (excepting the SIG payload bytes) before it has GROUPKEY-PUSH message (excepting the SIG payload octets) before it
been encrypted. The HASH is taken over the string 'rekey', the has been encrypted. The HASH is taken over the string 'rekey', the
GROUPKEY-PUSH HDR, followed by all payloads preceding the SIG GROUPKEY-PUSH HDR, followed by all payloads preceding the SIG
payload. The prefixed string ensures that the signature of the Rekey payload. The prefixed string ensures that the signature of the Rekey
datagram cannot be used for any other purpose in the GDOI protocol. datagram cannot be used for any other purpose in the GDOI protocol.
The SIG payload is created using the signature of the above hash, The SIG payload is created using the signature of the above hash,
with the receiver verifying the signature using a public key with the receiver verifying the signature using a public key
retrieved in a previous GDOI exchange. The current KEK encryption retrieved in a previous GDOI exchange. The current KEK encryption
key (also previously distributed in a GROUPKEY-PULL exchange or key (also previously distributed in a GROUPKEY-PULL exchange or
GROUPKEY-PUSH message) encrypts all the payloads following the GROUPKEY-PUSH message) encrypts all the payloads following the
GROUPKEY-PUSH HDR. Note: The rationale for this order of operations GROUPKEY-PUSH HDR. Note: The rationale for this order of operations
is given in Section 7.3.5. is given in Section 7.3.5.
skipping to change at page 17, line 21 skipping to change at page 18, line 23
4.1. Use of signature keys 4.1. Use of signature keys
A signing key should not be used in more than one context (e.g., used A signing key should not be used in more than one context (e.g., used
for host authentication and also for message authentication). Thus, for host authentication and also for message authentication). Thus,
the GCKS SHOULD NOT use the same key to sign the SIG payload in the the GCKS SHOULD NOT use the same key to sign the SIG payload in the
GROUPKEY-PUSH message as was used for authentication in the GROUPKEY- GROUPKEY-PUSH message as was used for authentication in the GROUPKEY-
PULL exchange. PULL exchange.
4.2. ISAKMP Header Initialization 4.2. ISAKMP Header Initialization
Unlike ISAKMP or IKEv1, the cookie pair is completely determined by Unlike ISAKMP, the cookie pair is completely determined by the GCKS.
the GCKS. The cookie pair in the GDOI ISAKMP header identifies the The cookie pair in the GDOI ISAKMP header identifies the Re-key SA to
Re-key SA to differentiate the secure groups managed by a GCKS. differentiate the secure groups managed by a GCKS. Thus, GDOI uses
Thus, GDOI uses the cookie fields as an SPI. the cookie fields as an SPI.
Next Payload identifies an ISAKMP or GDOI payload (see Section 5.0). Next Payload identifies an ISAKMP or GDOI payload (see Section 5.0).
Major Version is 1 and Minor Version is 0 according to ISAKMP Major Version is 1 and Minor Version is 0 according to ISAKMP
(Section 3.1 of [RFC2408]). (Section 3.1 of [RFC2408]).
The Exchange Type has value 33 for the GDOI GROUPKEY-PUSH message. The Exchange Type has value 33 for the GDOI GROUPKEY-PUSH message.
Flags MUST have the Encryption bit set according to Section 3.1 of Flags MUST have the Encryption bit set according to Section 3.1 of
[RFC2408]. All other bits MUST be set to zero. [RFC2408]. All other bits MUST be set to zero.
skipping to change at page 18, line 15 skipping to change at page 19, line 17
are changes to the KEK (including due to group members being are changes to the KEK (including due to group members being
excluded, in the case of LKH), an SA_KEK attribute is added to the excluded, in the case of LKH), an SA_KEK attribute is added to the
SA. If there are one or more new TEKs then SA_TEK attributes are SA. If there are one or more new TEKs then SA_TEK attributes are
added to describe that policy. added to describe that policy.
A KD payload is then added. This is identical in structure and A KD payload is then added. This is identical in structure and
meaning to a KD payload sent in a GROUPKEY-PULL exchange. If an meaning to a KD payload sent in a GROUPKEY-PULL exchange. If an
SA_KEK attribute was included in the SA payload then corresponding SA_KEK attribute was included in the SA payload then corresponding
KEK keys (or a KEK update array) is included. A KEK update array is KEK keys (or a KEK update array) is included. A KEK update array is
created by first determining which group members have been excluded, created by first determining which group members have been excluded,
and then generating new keys as necessary and distribute LKH update generating new keys as necessary, and then distributing LKH update
arrays sufficient to provide the new KEK to remaining group members arrays sufficient to provide the new KEK to remaining group members
(see Section 5.4.1 of [RFC2627] for details). TEK keys are also sent (see Section 5.4.1 of [RFC2627] for details). TEK keys are also sent
for each SA_TEK attribute included in the SA payload. for each SA_TEK attribute included in the SA payload.
In the penultimate step, the GCKS creates the SIG payload and adds it In the penultimate step, the GCKS creates the SIG payload and adds it
to the datagram. to the datagram.
Lastly, the payloads following the HDR are encrypted using the Lastly, the payloads following the HDR are encrypted using the
current KEK encryption key. The datagram can now be sent. current KEK encryption key. The datagram can now be sent.
skipping to change at page 18, line 48 skipping to change at page 19, line 50
The SA and KD payloads are processed which results in a new GDOI The SA and KD payloads are processed which results in a new GDOI
Rekey-SA (if the SA payload included an SA_KEK attribute) and/or new Rekey-SA (if the SA payload included an SA_KEK attribute) and/or new
Data-security SAs being added to the system. If the KD payload Data-security SAs being added to the system. If the KD payload
includes an LKH update array, the group member compares the LKH ID in includes an LKH update array, the group member compares the LKH ID in
each key update packet to the LKH IDs that it holds. If it finds a each key update packet to the LKH IDs that it holds. If it finds a
match, it decrypts the key using the key prior to it in the key array match, it decrypts the key using the key prior to it in the key array
and stores the new key in the LKH key array that it holds. The final and stores the new key in the LKH key array that it holds. The final
decryption yields the new group KEK. decryption yields the new group KEK.
If the SA payload includes Data-Security SA including a counter-modes If the SA payload includes one or more Data-Security SA including a
of operation and the receiving group member is a sender for that SA, counter-modes of operation and the receiving group member is a sender
the group member uses its current SID value with the Data-Security for that SA, the group member uses its current SID value with the
SAs to create counter-mode nonces. If it is a sender and does not Data-Security SAs to create counter-mode nonces. If it is a sender
hold a current SID value, it MUST NOT install the Data-Security SAs. and does not hold a current SID value, it MUST NOT install the Data-
It MAY initiate a GROUPKEY-PULL exchange to the GCKS in order to Security SAs. It MAY initiate a GROUPKEY-PULL exchange to the GCKS
obtain an SID value (along with current group policy). in order to obtain an SID value (along with current group policy).
5. Payloads and Defined Values 5. Payloads and Defined Values
This document specifies use of several ISAKMP payloads, which are This document specifies use of several ISAKMP payloads, which are
defined in accordance with [RFC2408]. The following payloads are defined in accordance with [RFC2408]. The following payloads are
extended or further specified. used as defined in [RFC2408].
Next Payload Type Value
----------------- -----
Hash Payload (HASH) 8
Signature (SIG) 9
The following payloads are extended or further specified.
Next Payload Type Value Next Payload Type Value
----------------- ----- ----------------- -----
Security Association (SA) 1 Security Association (SA) 1
Identification (ID) 5 Identification (ID) 5
Nonce (N) 10 Nonce (N) 10
Delete (D) 12
Several payload formats specific to the group security exchanges are Several payload formats specific to the group security exchanges are
required. required.
Next Payload Type Value Next Payload Type Value
----------------- ----- ----------------- -----
SA KEK Payload (SAK) 15 SA KEK Payload (SAK) 15
SA TEK Payload (SAT) 16 SA TEK Payload (SAT) 16
Key Download (KD) 17 Key Download (KD) 17
Sequence Number (SEQ) 18 Sequence Number (SEQ) 18
Group Associated Policy (GAP) TBD-1 Group Associated Policy (GAP) TBD-1
All multi-octet fields in GDOI payloads representing integers are
laid out in big endian order (also known as "most significant byte
first", or "network byte order").
All payloads including an ISAKMP Generic Payload Header create a
Payload Length field that includes the length of the generic payload
header (Section 3.2 of [RFC2408]).
5.1. Identification Payload 5.1. Identification Payload
The Identification Payload is defined in [RFC2408]. For the GDOI, it The Identification Payload is defined in [RFC2408]. For the GDOI, it
is used to identify a group identity that will later be associated is used to identify a group identity that will later be associated
with Security Associations for the group. A group identity may map with Security Associations for the group. A group identity may map
to a specific IP multicast group, or may specify a more general to a specific IPv4 or IPv6 multicast address, or may specify a more
identifier, such as one that represents a set of related multicast general identifier, such as one that represents a set of related
streams. multicast streams.
When used with the GDOI, the DOI Specific ID Data field MUST be set When used with the GDOI, the DOI Specific ID Data field MUST be set
to 0. to 0.
When used with the GDOI, the ID_KEY_ID ID Type MUST be supported by a When used with the GDOI, the ID_KEY_ID ID Type MUST be supported by a
conforming implementation, and MUST specify a four (4)-octet group conforming implementation, and MUST specify a four (4)-octet group
identifier as its value. Implementations MAY also support other ID identifier as its value. Implementations MAY also support other ID
Types. Types.
5.2. Security Association Payload 5.2. Security Association Payload
skipping to change at page 21, line 17 skipping to change at page 22, line 31
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! Next Payload ! RESERVED ! Payload Length ! ! Next Payload ! RESERVED ! Payload Length !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! DOI ! ! DOI !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! Situation ! ! Situation !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! SA Attribute Next Payload ! RESERVED2 ! ! SA Attribute Next Payload ! RESERVED2 !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
Figure 4. Security Association Payload
The Security Association Payload fields are defined as follows: The Security Association Payload fields are defined as follows:
o Next Payload (1 octet) -- Identifies the next payload for the o Next Payload (1 octet) -- Identifies the next payload for the
GROUPKEY-PULL or the GROUPKEY-PUSH message as defined above. The GROUPKEY-PULL or the GROUPKEY-PUSH message as defined above. The
next payload MUST NOT be a SAK Payload or SAT Payload type; it MUST next payload MUST NOT be a SA Attribute Payload; it MUST be the next
be the next non-Security Association type payload. payload following the Security Association type payload.
o RESERVED (1 octet) -- MUST be zero. o RESERVED (1 octet) -- MUST be zero.
o Payload Length (2 octets) -- Is the octet length of the current o Payload Length (2 octets) -- Is the octet length of the current
payload including the generic header and all TEK and KEK payloads. payload including the generic header and all TEK and KEK payloads.
o DOI (4 octets) -- Is the GDOI, which is value 2. o DOI (4 octets) -- Is the GDOI, which is value 2.
o Situation (4 octets) -- MUST be zero. o Situation (4 octets) -- MUST be zero.
o SA Attribute Next Payload (1 octet) -- MUST be either a SAK Payload o SA Attribute Next Payload (2 octets) -- MUST be the code for an SA
or a SAT Payload. See section 5.2.1 for a description of which Attribute Payload type. See Section 5.2.1 for a description of which
circumstances are required for each payload type to be present. circumstances are required for each payload type to be present.
o RESERVED (2 octets) -- MUST be zero. o RESERVED (2 octets) -- MUST be zero.
5.2.1. Payloads following the SA payload 5.2.1. SA Attribute Payloads
Payloads that define specific security association attributes for the Payloads that define specific security association attributes for the
KEK and/or TEKs used by the group MUST follow the SA payload. How KEK and/or TEKs used by the group MUST follow the SA payload. How
many of each payload is dependent upon the group policy. There may many of each payload is dependent upon the group policy. There may
be zero or one SAK Payload, zero or one GAP Payload, and zero or more be zero or one SAK Payload, zero or one GAP Payload, and zero or more
SAT Payloads, where either one SAK or SAT payload MUST be present. SAT Payloads, where either one SAK or SAT payload MUST be present.
When present, the order of the SA Attributes payloads MUST be: KEK, When present, the order of the SA Attributes payloads MUST be: SAK,
GAP, and TEKs. GAP, and SATs.
This latitude regarding SA Attributes payloads allows various group This latitude regarding SA Attributes payloads allows various group
policies to be accommodated. For example if the group policy does policies to be accommodated. For example if the group policy does
not require the use of a Re-key SA, the GCKS would not need to send not require the use of a Re-key SA, the GCKS would not need to send
an SA KEK attribute to the group member since all SA updates would be an SA KEK attribute to the group member since all SA updates would be
performed using the Registration SA. Alternatively, group policy performed using the Registration SA. Alternatively, group policy
might use a Re-key SA but choose to download a KEK to the group might use a Re-key SA but choose to download a KEK to the group
member only as part of the Registration SA. Therefore, the KEK member only as part of the Registration SA. Therefore, the KEK
policy (in the SA KEK attribute) would not be necessary as part of policy (in the SA KEK attribute) would not be necessary as part of
the Re-key SA message SA payload. the Re-key SA message SA payload.
Specifying multiple SATs allows multiple sessions to be part of the Specifying multiple SATs allows multiple sessions to be part of the
same group and multiple streams to be associated with a session same group and multiple streams to be associated with a session
(e.g., video, audio, and text) but each with individual security (e.g., video, audio, and text) but each with individual security
association policy. association policy.
A GAP payload allows for the distribution of group-wise policy, such A GAP payload allows for the distribution of groupwide policy, such
as instructions as to when to activate and de-activate SAs. as instructions as to when to activate and de-activate SAs.
5.3. SA KEK payload 5.3. SA KEK payload
The SA KEK (SAK) payload contains security attributes for the KEK The SA KEK (SAK) payload contains security attributes for the KEK
method for a group and parameters specific to the GROUPKEY-PULL method for a group and parameters specific to the GROUPKEY-PULL
operation. The source and destination identities describe the operation. The source and destination identities describe the
identities used for the GROUPKEY-PULL datagram. identities used for the GROUPKEY-PULL datagram.
0 1 2 3 0 1 2 3
skipping to change at page 22, line 47 skipping to change at page 24, line 27
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! ! ! !
~ SPI ~ ~ SPI ~
! ! ! !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! RESERVED2 ! ! RESERVED2 !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
~ KEK Attributes ~ ~ KEK Attributes ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
Figure 5. SA KEK Payload
The SAK Payload fields are defined as follows: The SAK Payload fields are defined as follows:
o Next Payload (1 octet) -- Identifies the next payload for the o Next Payload (1 octet) -- Identifies the next payload for the
GROUPKEY-PULL or the GROUPKEY-PUSH message. The only valid next GROUPKEY-PULL or the GROUPKEY-PUSH message. The only valid next
payload types for this message are a GAP Payload, SAT Payload or zero payload types for this message are a GAP Payload, SAT Payload or zero
to indicate that no SA Attribute payloads follow. to indicate that no SA Attribute payloads follow.
o RESERVED (1 octet) -- MUST be zero. o RESERVED (1 octet) -- MUST be zero.
o Payload Length (2 octets) -- Length of this payload, including the o Payload Length (2 octets) -- Length of this payload, including the
KEK attributes. KEK attributes.
o Protocol (1 octet) -- Value describing an IP protocol ID (e.g., o Protocol (1 octet) -- Value describing an IP protocol ID (e.g.,
UDP/TCP) for the rekey datagram. UDP/TCP) [PROTOCOL-REG] for the GROUPKEY-PUSH datagram.
o SRC ID Type (1 octet) -- Value describing the identity information o SRC ID Type (1 octet) -- Value describing the identity information
found in the SRC Identification Data field. Defined values are found in the SRC Identification Data field. Defined values are
specified by the IPsec Identification Type section in the IANA specified by the IPsec Identification Type section in the IANA
isakmpd-registry [ISAKMP-REG]. isakmpd-registry [ISAKMP-REG].
o SRC ID Port (2 octets) -- Value specifying a port associated with o SRC ID Port (2 octets) -- Value specifying a port associated with
the source Id. A value of zero means that the SRC ID Port field MUST the source Id. A value of zero means that the SRC ID Port field MUST
be ignored. be ignored.
o SRC ID Data Len (1 octet) -- Value specifying the length of the SRC o SRC ID Data Len (1 octet) -- Value specifying the length (in
Identification Data field. octets) of the SRC Identification Data field.
o SRC Identification Data (variable length) -- Value, as indicated by o SRC Identification Data (variable length) -- Value, as indicated by
the SRC ID Type. the SRC ID Type.
o DST ID Type (1 octet) -- Value describing the identity information o DST ID Type (1 octet) -- Value describing the identity information
found in the DST Identification Data field. Defined values are found in the DST Identification Data field. Defined values are
specified by the IPsec Identification Type section in the IANA specified by the IPsec Identification Type section in the IANA
isakmpd-registry [ISAKMP-REG]. isakmpd-registry [ISAKMP-REG].
o DST ID Prot (1 octet) -- Value describing an IP protocol ID (e.g., o DST ID Prot (1 octet) -- Value describing an IP protocol ID (e.g.,
UDP/TCP). UDP/TCP) [PROTOCOL-REG].
o DST ID Port (2 octets) -- Value specifying a port associated with o DST ID Port (2 octets) -- Value specifying a port associated with
the source Id. the source Id.
o DST ID Data Len (1 octet) -- Value specifying the length of the DST o DST ID Data Len (1 octet) -- Value specifying the length (in
Identification Data field. octets) of the DST Identification Data field.
o DST Identification Data (variable length) -- Value, as indicated by o DST Identification Data (variable length) -- Value, as indicated by
the DST ID Type. the DST ID Type.
o SPI (16 octets) -- Security Parameter Index for the KEK. The SPI o SPI (16 octets) -- Security Parameter Index for the KEK. The SPI
is the ISAKMP Header cookie pair where the first 8 octets become the is the ISAKMP Header cookie pair where the first 8 octets become the
"Initiator Cookie" field of the GROUPKEY-PUSH message ISAKMP HDR, and "Initiator Cookie" field of the GROUPKEY-PUSH message ISAKMP HDR, and
the second 8 octets become the "Responder Cookie" in the same HDR. the second 8 octets become the "Responder Cookie" in the same HDR.
As described above, these cookies are assigned by the GCKS. As described above, these cookies are assigned by the GCKS.
o RESERVED2 (4 octets) -- MUST be zero. These bytes represent fields o RESERVED2 (4 octets) -- MUST be zero. These octets represent
previously defined but no longer used by GDOI. fields previously defined but no longer used by GDOI.
o KEK Attributes -- Contains KEK policy attributes associated with o KEK Attributes -- Contains KEK policy attributes associated with
the group. The following attributes may be present in a SAK Payload. the group. The following attributes may be present in a SAK Payload.
The attributes must follow the format defined in ISAKMP (Section 3.3 The attributes must follow the format defined in ISAKMP (Section 3.3
of [RFC2408]). In the table, attributes that are defined as TV are of [RFC2408]). In the table, attributes that are defined as TV are
marked as Basic (B); attributes that are defined as TLV are marked as marked as Basic (B); attributes that are defined as TLV are marked as
Variable (V). Variable (V).
ID Class Value Type ID Class Value Type
-------- ----- ---- -------- ----- ----
skipping to change at page 28, line 49 skipping to change at page 30, line 43
The GAP payload is defined as follows: The GAP payload is defined as follows:
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! Next Payload ! RESERVED ! Payload Length ! ! Next Payload ! RESERVED ! Payload Length !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! Group Associated Policy Attributes ~ ! Group Associated Policy Attributes ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
Figure 6. GAP Payload
The GAP payload fields are defined as follows: The GAP payload fields are defined as follows:
o Next Payload (1 octet) -- Identifies the next payload present in o Next Payload (1 octet) -- Identifies the next payload present in
the GROUPKEY-PULL or the GROUPKEY-PUSH message. The only valid the GROUPKEY-PULL or the GROUPKEY-PUSH message. The only valid
next payload type for this message is an SA TEK or zero to next payload type for this message is an SA TEK or zero to
indicate there are no more security association attributes. indicate there are no more security association attributes.
o RESERVED (1 octet) -- MUST be zero. o RESERVED (1 octet) -- MUST be zero.
o Payload Length (2 octets) -- Length of this payload, including the o Payload Length (2 octets) -- Length of this payload, including the
GAP header and Attributes. GAP header and Attributes.
o Group Associated Policy Attributes (variable) -- Contains o Group Associated Policy Attributes (variable) -- Contains
attributes following the format defined in Section 3.3 of attributes following the format defined in Section 3.3 of
[RFC2408]. [RFC2408]. In the table, attributes that are defined as TV are
marked as Basic (B); attributes that are defined as TLV are marked
as Variable (V).
Attribute Type Value Type
-------------- ----- ----
RESERVED 0
ACTIVATION_TIME_DELAY 1 B
DEACTIVATION_TIME_DELAY 2 B
SENDER_ID_REQUEST 3 B
Standards Action 4-127
Private Use 128-255
Unassigned 256-32767
Several group associated policy attributes are defined in this memo. Several group associated policy attributes are defined in this memo.
An GDOI implementation MUST abort if it encounters an attribute or An GDOI implementation MUST abort if it encounters an attribute or
capability that it does not understand. The values for these capability that it does not understand. The values for these
attributes are included in the IANA Considerations section of this attributes are included in the IANA Considerations section of this
memo. memo.
5.4.1. ACTIVATION_TIME_DELAY/DEACTIVATION_TIME_DELAY 5.4.1. ACTIVATION_TIME_DELAY/DEACTIVATION_TIME_DELAY
Section 4.2.1 of [RFC5374] specifies a key rollover method that Section 4.2.1 of [RFC5374] specifies a key rollover method that
skipping to change at page 30, line 20 skipping to change at page 32, line 26
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! Next Payload ! RESERVED ! Payload Length ! ! Next Payload ! RESERVED ! Payload Length !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! Protocol-ID ! TEK Protocol-Specific Payload ~ ! Protocol-ID ! TEK Protocol-Specific Payload ~
+-+-+-+-+-+-+-+-+ ~ +-+-+-+-+-+-+-+-+ ~
~ ~ ~ ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
Figure 7. SA TEK Payload
The SAT Payload fields are defined as follows: The SAT Payload fields are defined as follows:
o Next Payload (1 octet) -- Identifies the next payload for the o Next Payload (1 octet) -- Identifies the next payload for the
GROUPKEY-PULL or the GROUPKEY-PUSH message. The only valid next GROUPKEY-PULL or the GROUPKEY-PUSH message. The only valid next
payload types for this message are another SAT Payload or zero to payload types for this message are another SAT Payload or zero to
indicate there are no more security association attributes. indicate there are no more security association attributes.
o RESERVED (1 octet) -- MUST be zero. o RESERVED (1 octet) -- MUST be zero.
o Payload Length (2 octets) -- Length of this payload, including the o Payload Length (2 octets) -- Length of this payload, including the
skipping to change at page 31, line 21 skipping to change at page 33, line 35
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! DST ID Type ! DST ID Port !DST ID Data Len! ! DST ID Type ! DST ID Port !DST ID Data Len!
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! DST Identification Data ~ ! DST Identification Data ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! Transform ID ! SPI ! ! Transform ID ! SPI !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! SPI ! RFC 2407 SA Attributes ~ ! SPI ! RFC 2407 SA Attributes ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
Figure 8. ESP/AH TEK Payload
The SAT Payload fields are defined as follows: The SAT Payload fields are defined as follows:
o Protocol (1 octet) -- Value describing an IP protocol ID (e.g., o Protocol (1 octet) -- Value describing an IP protocol ID (e.g.,
UDP/TCP). A value of zero means that the Protocol field MUST be UDP/TCP) [PROTOCOL-REG]. A value of zero means that the Protocol
ignored. field MUST be ignored.
o SRC ID Type (1 octet) -- Value describing the identity information o SRC ID Type (1 octet) -- Value describing the identity information
found in the SRC Identification Data field. Defined values are found in the SRC Identification Data field. Defined values are
specified by the IPsec Identification Type section in the IANA specified by the IPsec Identification Type section in the IANA
isakmpd-registry [ISAKMP-REG]. isakmpd-registry [ISAKMP-REG].
o SRC ID Port (2 octets) -- Value specifying a port associated with o SRC ID Port (2 octets) -- Value specifying a port associated with
the source Id. A value of zero means that the SRC ID Port field MUST the source Id. A value of zero means that the SRC ID Port field MUST
be ignored. be ignored.
o SRC ID Data Len (1 octet) -- Value specifying the length of the SRC o SRC ID Data Len (1 octet) -- Value specifying the length (in
Identification Data field. octets) of the SRC Identification Data field.
o SRC Identification Data (variable length) -- Value, as indicated by o SRC Identification Data (variable length) -- Value, as indicated by
the SRC ID Type. Set to three bytes of zero for multiple-source the SRC ID Type. Set to three octets of zero for multiple-source
multicast groups that use a common TEK for all senders. multicast groups that use a common TEK for all senders.
o DST ID Type (1 octet) -- Value describing the identity information o DST ID Type (1 octet) -- Value describing the identity information
found in the DST Identification Data field. Defined values are found in the DST Identification Data field. Defined values are
specified by the IPsec Identification Type section in the IANA specified by the IPsec Identification Type section in the IANA
isakmpd-registry [ISAKMP-REG]. isakmpd-registry [ISAKMP-REG].
o DST ID Prot (1 octet) -- Value describing an IP protocol ID (e.g., o DST ID Prot (1 octet) -- Value describing an IP protocol ID (e.g.,
UDP/TCP). A value of zero means that the DST Id Prot field MUST be UDP/TCP) [PROTOCOL-REG]. A value of zero means that the DST Id Prot
ignored. field MUST be ignored.
o DST ID Port (2 octets) -- Value specifying a port associated with o DST ID Port (2 octets) -- Value specifying a port associated with
the source Id. A value of zero means that the DST ID Port field MUST the source Id. A value of zero means that the DST ID Port field MUST
be ignored. be ignored.
o DST ID Data Len (1 octet) -- Value specifying the length of the DST o DST ID Data Len (1 octet) -- Value specifying the length (in
Identification Data field. octets) of the DST Identification Data field.
o DST Identification Data (variable length) -- Value, as indicated by o DST Identification Data (variable length) -- Value, as indicated by
the DST ID Type. the DST ID Type.
o Transform ID (1 octet) -- Value specifying which ESP or AH o Transform ID (1 octet) -- Value specifying which ESP or AH
transform is to be used. The list of valid values is defined in the transform is to be used. The list of valid values is defined in the
IPsec ESP or IPsec AH Transform Identifiers section of the IANA IPsec ESP or IPsec AH Transform Identifiers section of the IANA
isakmpd-registry [ISAKMP-REG]. isakmpd-registry [ISAKMP-REG].
o SPI (4 octets) -- Security Parameter Index for ESP. o SPI (4 octets) -- Security Parameter Index for ESP.
skipping to change at page 33, line 4 skipping to change at page 35, line 25
how GDOI can convey the new attributes as IPsec Security Association how GDOI can convey the new attributes as IPsec Security Association
Attributes. Attributes.
5.5.1.1.1. Address Preservation 5.5.1.1.1. Address Preservation
Applications use the extensions in [RFC5374] to copy the IP addresses Applications use the extensions in [RFC5374] to copy the IP addresses
into the outer IP header when encapsulating an IP packet as an IPsec into the outer IP header when encapsulating an IP packet as an IPsec
tunnel mode packet. This allows an IP multicast packet to continue tunnel mode packet. This allows an IP multicast packet to continue
to be routed as a IP multicast packet. This attribute also provides to be routed as a IP multicast packet. This attribute also provides
the necessary policy so that the GDOI group member can appropriately the necessary policy so that the GDOI group member can appropriately
set up the GSPD. set up the GSPD. The following table defines values for the Address
Preservation attribute.
Address Preservation Type Value
------------------------- -----
Reserved 0
None 1
Source-Only 2
Destination-Only 3
Source-And-Destination 4
Standards Action 5-61439
Private Use 61440-65535
Depending on group policy, several address preservation methods are Depending on group policy, several address preservation methods are
possible: no address preservation ("None"), preservation of the possible: no address preservation ("None"), preservation of the
original source address ("Source-Only"), preservation of the original original source address ("Source-Only"), preservation of the original
destination address ("Destination-Only"), or both addresses ("Source- destination address ("Destination-Only"), or both addresses ("Source-
And-Destination"). The IANA Considerations section of this memo adds And-Destination"). If this attribute is not included in a GDOI SA
the "Address Preservation" security association attribute. If this TEK payload provided by a GCKS, then Source-And-Destination address
attribute is not included in a GDOI SA TEK payload provided by a preservation has been defined for the SA TEK.
GCKS, then Source-And-Destination address preservation has been
defined for the SA TEK.
5.5.1.1.2. SA Direction 5.5.1.1.2. SA Direction
Depending on group policy, an IPsec SA created from an SA TEK payload Depending on group policy, an IPsec SA created from an SA TEK payload
is defined to be in the sending and/or receiving direction. SA TEK is defined to be in the sending and/or receiving direction. The
policy used by multiple senders MUST be installed in both the sending following table defines values for the SA Direction attribute.
and receiving direction ("Symmetric"), whereas SA TEK for a single
sender SHOULD be installed in the receiving direction by receivers Name Value
("Receiver-Only") and in the sending direction by the sender ---- -----
("Sender-Only"). The IANA Considerations section of this memo adds Reserved 0
the "SA Direction" security association attribute. Sender-Only 1
Receiver-Only 2
Symmetric 3
Standards Action 4-61439
Private Use 61440-65535
SA TEK policy used by multiple senders MUST be installed in both the
sending and receiving direction ("Symmetric"), whereas SA TEK for a
single sender SHOULD be installed in the receiving direction by
receivers ("Receiver-Only") and in the sending direction by the
sender ("Sender-Only").
An SA TEK payload that does not include the SA Direction attribute is An SA TEK payload that does not include the SA Direction attribute is
treated as a Symmetric IPsec SA. Note that unless Symmetric may be treated as a Symmetric IPsec SA. Note that Symmetric is the only
the only value that can be meaningfully described for an SA TEK value that can be meaningfully described for an SA TEK distributed in
distributed in an GROUPKEY-PUSH message. Alternatively, Receiver- an GROUPKEY-PUSH message. Alternatively, Receiver-Only could be
Only could be distributed, but group senders would need to be distributed, but group senders would need to be configured to not
configured to not receive GROUPKEY-PUSH messages in order to retain receive GROUPKEY-PUSH messages in order to retain their role.
their role.
5.5.2. Other Security Protocols 5.5.2. Other Security Protocols
Besides ESP and AH, GDOI should serve to establish SAs for secure Besides ESP and AH, GDOI should serve to establish SAs for secure
groups needed by other Security Protocols that operate at the groups needed by other Security Protocols that operate at the
transport, application, and internetwork layers. These other transport, application, and internetwork layers. These other
Security Protocols, however, are in the process of being developed or Security Protocols, however, are in the process of being developed or
do not yet exist. do not yet exist.
The following information needs to be provided for a Security The following information needs to be provided for a Security
skipping to change at page 34, line 33 skipping to change at page 37, line 24
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! Next Payload ! RESERVED ! Payload Length ! ! Next Payload ! RESERVED ! Payload Length !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! Number of Key Packets ! RESERVED2 ! ! Number of Key Packets ! RESERVED2 !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
~ Key Packets ~ ~ Key Packets ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
Figure 9. Key Download Payload
The Key Download Payload fields are defined as follows: The Key Download Payload fields are defined as follows:
o Next Payload (1 octet) -- Identifier for the payload type of the o Next Payload (1 octet) -- Identifier for the payload type of the
next payload in the message. If the current payload is the last in next payload in the message. If the current payload is the last in
the message, then this field will be zero. the message, then this field will be zero.
o RESERVED (1 octet) -- Unused, set to zero. o RESERVED (1 octet) -- Unused, set to zero.
o Payload Length (2 octets) -- Length in octets of the current o Payload Length (2 octets) -- Length in octets of the current
payload, including the generic payload header. payload, including the generic payload header.
o Number of Key Packets (2 octets) -- Contains the total number of o Number of Key Packets (2 octets) -- Contains the total number of
both TEK and Rekey arrays being passed in this data block. key packets being passed in this data block.
o Key Packets (variable) -- Several types of key packets are defined. o Key Packets (variable) -- Several types of key packets are defined.
Each Key Packet has the following format. Each Key Packet has the following format.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! KD Type ! RESERVED ! KD Length ! ! KD Type ! RESERVED ! KD Length !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! SPI Size ! SPI (variable) ~ ! SPI Size ! SPI (variable) ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
~ Key Packet Attributes ~ ~ Key Packet Attributes ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
Figure 10. Key Packet
o Key Download (KD) Type (1 octet) -- Identifier for the Key Data o Key Download (KD) Type (1 octet) -- Identifier for the Key Data
field of this Key Packet. field of this Key Packet.
Key Download Type Value Key Download Type Value
----------------- ----- ----------------- -----
RESERVED 0 RESERVED 0
TEK 1 TEK 1
KEK 2 KEK 2
LKH 3 LKH 3
SID TBD-6 SID TBD-6
skipping to change at page 39, line 14 skipping to change at page 42, line 14
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! LKH Version ! # of LKH Keys ! RESERVED ! ! LKH Version ! # of LKH Keys ! RESERVED !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! LKH Keys ! ! LKH Keys !
~ ~ ~ ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 11. LKH Download Array
The KEK_LKH attribute fields are defined as follows: The KEK_LKH attribute fields are defined as follows:
o LKH version (1 octet) -- Version of the LKH data format. Must be o LKH version (1 octet) -- Version of the LKH data format. Must be
one. one.
o Number of LKH Keys (2 octets) -- This value is the number of o Number of LKH Keys (2 octets) -- This value is the number of
distinct LKH keys in this sequence. distinct LKH keys in this sequence.
o RESERVED (1 octet) -- Unused, set to zero. Each LKH Key is defined o RESERVED (1 octet) -- Unused, set to zero. Each LKH Key is defined
as follows: as follows:
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! LKH ID ! Key Type ! RESERVED ! ! LKH ID ! Key Type ! RESERVED !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ Key Creation Date ! ! Key Creation Date !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ Key expiration Date ! ! Key expiration Date !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ Key Handle ! ! Key Handle !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! ! ! !
~ Key Data ~ ~ Key Data ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 12. LKH Key
o LKH ID (2 octets) -- Identity of the LKH node. A GCKS is free to o LKH ID (2 octets) -- Identity of the LKH node. A GCKS is free to
choose the ID in an implementation-specific manner (e.g., the choose the ID in an implementation-specific manner (e.g., the
position of this key in a binary tree structure used by LKH). position of this key in a binary tree structure used by LKH).
o Key Type (1 octet) -- Encryption algorithm for which this key data o Key Type (1 octet) -- Encryption algorithm for which this key data
is to be used. This value is specified in Section 5.3.3. is to be used. This value is specified in Section 5.3.3.
o RESERVED (1 octet) -- Unused, set to zero. o RESERVED (1 octet) -- Unused, set to zero.
o Key Creation Date (4 octets) -- Time value of when this key data o Key Creation Date (4 octets) -- Unsigned time value defining a
was originally generated. A time value of zero indicates that there valid time period in seconds representing the number of seconds since
is no time before which this key is not valid. 0 hours, 0 minutes, 0 seconds, January 1, 1970, Coordinated Universal
Time (UTC), without including leap seconds. [RFC5905]. This is the
time when this key data was originally generated. A time value of
zero indicates that there is no time before which this key is not
valid.
o Key Expiration Date (4 octets) -- Time value of when this key is no o Key Expiration Date (4 octets) -- Unsigned time value defining a
longer valid for use. A time value of zero indicates that this key valid time period in seconds representing the number of seconds since
does not have an expiration time. 0 hours, 0 minutes, 0 seconds, January 1, 1970, Coordinated Universal
Time (UTC), without including leap seconds. [RFC5905]. This is the
time when this key is no longer valid for use. A time value of zero
indicates that this key does not have an expiration time.
o Key Handle (4 octets) -- Value assigned by the GCKS to uniquely o Key Handle (4 octets) -- Value assigned by the GCKS to uniquely
identify a key within an LKH ID. Each new key distributed by the identify a key within an LKH ID. Each new key distributed by the
GCKS for this node will have a key handle identity distinct from GCKS for this node will have a key handle identity distinct from
previous or successive key handles specified for this node. previous or successive key handles specified for this node.
o Key Data (variable length) -- Key data, which is dependent on the o Key Data (variable length) -- Key data, which is dependent on the
Key Type algorithm for its format. If the mode of operation for the Key Type algorithm for its format. If the mode of operation for the
algorithm requires an IV, an explicit IV MUST be included in the Key algorithm requires an IV, an explicit IV MUST be included in the Key
Data field prepended to the actual key. Data field prepended to the actual key.
skipping to change at page 41, line 18 skipping to change at page 44, line 18
! LKH Version ! # of LKH Keys ! RESERVED ! ! LKH Version ! # of LKH Keys ! RESERVED !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! LKH ID ! RESERVED2 ! ! LKH ID ! RESERVED2 !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Key Handle ! ! Key Handle !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! LKH Keys ! ! LKH Keys !
~ ~ ~ ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 13. LKH Update Array
o LKH version (1 octet) -- Version of the LKH data format. Must be o LKH version (1 octet) -- Version of the LKH data format. Must be
one. one.
o Number of LKH Keys (2 octets) -- Number of distinct LKH keys in o Number of LKH Keys (2 octets) -- Number of distinct LKH keys in
this sequence. this sequence.
o RESERVED (1 octet) -- Unused, set to zero. o RESERVED (1 octet) -- Unused, set to zero.
o LKH ID (2 octets) -- Node identifier associated with the key used o LKH ID (2 octets) -- Node identifier associated with the key used
to encrypt the first LKH Key. to encrypt the first LKH Key.
skipping to change at page 42, line 5 skipping to change at page 45, line 10
The SIG_ALGORITHM_KEY class declares that the public key for this SPI The SIG_ALGORITHM_KEY class declares that the public key for this SPI
is contained in the Key Packet Attribute, which may be useful when no is contained in the Key Packet Attribute, which may be useful when no
public key infrastructure is available. The signature algorithm that public key infrastructure is available. The signature algorithm that
will use this key was specified in the SAK payload. will use this key was specified in the SAK payload.
5.6.4. SID Download Type 5.6.4. SID Download Type
This attribute is used to download one or more Sender-ID (SID) values This attribute is used to download one or more Sender-ID (SID) values
for the exclusive use of a group member. for the exclusive use of a group member.
The SID Download Type does not require a SPI. When the KD Type is
SID, the SPI Size field MUST be zero, and the SPI field is omitted.
SID Class Value Type SID Class Value Type
--------- ----- ---- --------- ----- ----
RESERVED 0 RESERVED 0
NUMBER_OF_SID_BITS 1 B NUMBER_OF_SID_BITS 1 B
SID_VALUE 2 V SID_VALUE 2 V
Standards Action 3-128 Standards Action 3-128
Private Use 129-255 Private Use 129-255
Unassigned 256-32767 Unassigned 256-32767
Because a SID value is intended for a single group member, the SID Because a SID value is intended for a single group member, the SID
skipping to change at page 43, line 4 skipping to change at page 46, line 13
the SSIV value to its starting value. A group member MAY re-register the SSIV value to its starting value. A group member MAY re-register
prior to the actual exhaustion of the SSIV field to avoid dropping prior to the actual exhaustion of the SSIV field to avoid dropping
data packets due to the exhaustion of available SSIV values combined data packets due to the exhaustion of available SSIV values combined
with a particular SID value. with a particular SID value.
GROUPKEY-PUSH message may include Data-Security SAs that are GROUPKEY-PUSH message may include Data-Security SAs that are
distributed to the group member for the first time. An SID distributed to the group member for the first time. An SID
previously issued to the receiving group member is used with counter- previously issued to the receiving group member is used with counter-
based mode of operation Data-Security SAs on which the group member based mode of operation Data-Security SAs on which the group member
acts as a sender. Because this Data-Security SA has not previously acts as a sender. Because this Data-Security SA has not previously
been used for transmittion, the SSIV field should be set to its been used for transmission, the SSIV field should be set to its
starting value. starting value.
5.6.4.4. GCKS Semantics 5.6.4.4. GCKS Semantics
If any KD payload includes keying material that is associated with a If any KD payload includes keying material that is associated with a
counter-mode of operation, an SID Download Type KD payload containing counter-mode of operation, an SID Download Type KD payload containing
at least one SID_VALUE attribute MUST be included. at least one SID_VALUE attribute MUST be included.
The GCKS MUST NOT send the SID Download Type KD payload as part of a The GCKS MUST NOT send the SID Download Type KD payload as part of a
GROUPKEY-PUSH message, because distributing the same sender-specific GROUPKEY-PUSH message, because distributing the same sender-specific
skipping to change at page 43, line 32 skipping to change at page 46, line 41
Number field defined in the IPsec ESP protocol [RFC4303]. Number field defined in the IPsec ESP protocol [RFC4303].
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Next Payload ! RESERVED ! Payload Length ! ! Next Payload ! RESERVED ! Payload Length !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Sequence Number ! ! Sequence Number !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 14. Sequence Number Payload
The Sequence Number Payload fields are defined as follows: The Sequence Number Payload fields are defined as follows:
o Next Payload (1 octet) -- Identifier for the payload type of the o Next Payload (1 octet) -- Identifier for the payload type of the
next payload in the message. If the current payload is the last in next payload in the message. If the current payload is the last in
the message, then this field will be zero. the message, then this field will be zero.
o RESERVED (1 octet) -- Unused, set to zero. o RESERVED (1 octet) -- Unused, set to zero.
o Payload Length (2 octets) -- Length in octets of the current o Payload Length (2 octets) -- Length in octets of the current
payload, including the generic payload header. MUST be a value of 8. payload, including the generic payload header. MUST be a value of 8.
skipping to change at page 44, line 9 skipping to change at page 47, line 21
Thus the first packet sent for a given Rekey SA will have a Sequence Thus the first packet sent for a given Rekey SA will have a Sequence
Number of 1. The GDOI implementation keeps a sequence counter as an Number of 1. The GDOI implementation keeps a sequence counter as an
attribute for the Rekey SA and increments the counter upon receipt of attribute for the Rekey SA and increments the counter upon receipt of
a GROUPKEY-PUSH message. The current value of the sequence number a GROUPKEY-PUSH message. The current value of the sequence number
MUST be transmitted to group members as a part of the Registration SA MUST be transmitted to group members as a part of the Registration SA
payload. payload.
5.8. Nonce 5.8. Nonce
The data portion of the Nonce payload (i.e., Ni_b and Nr_b included The data portion of the Nonce payload (i.e., Ni_b and Nr_b included
in the HASHs) MUST be a value between 8 and 128 bytes. in the HASHs) MUST be a value between 8 and 128 octets.
5.9. Delete 5.9. Delete
There are times the GCKS may want to signal to receivers to delete There are times the GCKS may want to signal to receivers to delete
SAs, for example at the end of a broadcast. Deletion of keys may be SAs, for example at the end of a broadcast. Deletion of keys may be
accomplished by sending an ISAKMP Delete payload (Section 3.15 of accomplished by sending an ISAKMP Delete payload (Section 3.15 of
[RFC2408]) as part of a GDOI GROUPKEY-PUSH message. [RFC2408]) as part of a GDOI GROUPKEY-PUSH message.
One or more Delete payloads MAY be placed following the SEQ payload One or more Delete payloads MAY be placed following the SEQ payload
in a GROUPKEY-PUSH message. If a GCKS has no further SAs to send to in a GROUPKEY-PUSH message. If a GCKS has no further SAs to send to
skipping to change at page 44, line 42 skipping to change at page 48, line 5
KEK SA are to be deleted, their SPI values MUST be sent in different KEK SA are to be deleted, their SPI values MUST be sent in different
Delete payloads. Delete payloads.
There may be circumstances where the GCKS may want to start over with There may be circumstances where the GCKS may want to start over with
a clean slate. If the administrator is no longer confident in the a clean slate. If the administrator is no longer confident in the
integrity of the group, the GCKS can signal deletion of all policy of integrity of the group, the GCKS can signal deletion of all policy of
a particular TEK protocol by sending a TEK with a SPI value equal to a particular TEK protocol by sending a TEK with a SPI value equal to
zero in the delete payload. For example, if the GCKS wishes to zero in the delete payload. For example, if the GCKS wishes to
remove all the KEKs and all the TEKs in the group, the GCKS SHOULD remove all the KEKs and all the TEKs in the group, the GCKS SHOULD
send a delete payload with a spi of zero and a protocol_id of a TEK send a delete payload with a spi of zero and a protocol_id of a TEK
protocol_id value, followed by another delete payload with a spi of protocol_id value, followed by another delete payload with a SPI
zero and protocol_id of zero, indicating that the KEK SA should be value of zero and protocol_id of zero, indicating that the KEK SA
deleted. should be deleted.
6. Algorithm Selection 6. Algorithm Selection
For GDOI implementations to interoperate, they must support one or For GDOI implementations to interoperate, they must support one or
more security algorithms in common. This section specifies the more security algorithms in common. This section specifies the
security algorithm implementation requirements for standards- security algorithm implementation requirements for standards-
conformant GDOI implementations. In all cases the choices are conformant GDOI implementations. In all cases the choices are
intended to maintain at least 112 bits of security [SP.800-131]. intended to maintain at least 112 bits of security [SP.800-131].
Algorithms not referenced in this section MAY be used. Algorithms not referenced in this section MAY be used.
skipping to change at page 47, line 23 skipping to change at page 51, line 23
replay, reflection, and denial-of-service (DOS) attacks on unsecured replay, reflection, and denial-of-service (DOS) attacks on unsecured
networks. GDOI assumes the network is not secure and may be under networks. GDOI assumes the network is not secure and may be under
the complete control of an attacker. the complete control of an attacker.
GDOI assumes that the group members and GCKS are secure even though GDOI assumes that the group members and GCKS are secure even though
the network is insecure. GDOI ultimately establishes keys among the network is insecure. GDOI ultimately establishes keys among
members of a group, which MUST be trusted to use those keys in an members of a group, which MUST be trusted to use those keys in an
authorized manner according to group policy. An GDOI entity authorized manner according to group policy. An GDOI entity
compromised by an attacker may reveal the secrets necessary to compromised by an attacker may reveal the secrets necessary to
eavesdrop on group traffic and/or take the identity of a group eavesdrop on group traffic and/or take the identity of a group
sender, so host security is of the utmost important once. The latter sender, so host security measures mitigating unauthorized access is
threat could be mitigated by using source origin authentication in of the utmost importance. The latter threat could be mitigated by
the Data-Security SAs (e.g., the use of RSA signatures [RFC4359] or using source origin authentication in the Data-Security SAs (e.g.,
TESLA [RFC4082]). The choice of Data-Security SAs is a matter of the use of RSA signatures [RFC4359] or TESLA [RFC4082]). The choice
group policy and is not within the scope of this memo. of Data-Security SAs is a matter of group policy and is not within
the scope of this memo.
There are three phases of GDOI as described in this document: an There are three phases of GDOI as described in this document: an
ISAKMP Phase 1 protocol, the GROUPKEY-PULL exchange protected by the ISAKMP Phase 1 protocol, the GROUPKEY-PULL exchange protected by the
ISAKMP Phase 1 protocol, and the GROUPKEY-PUSH message. Each phase ISAKMP Phase 1 protocol, and the GROUPKEY-PUSH message. Each phase
is considered separately below. is considered separately below.
7.1. ISAKMP Phase 1 7.1. ISAKMP Phase 1
GDOI uses the Phase 1 exchanges defined in [RFC2409] to protect the GDOI uses the Phase 1 exchanges defined in [RFC2409] to protect the
GROUPKEY-PULL exchange. Therefore all security properties and GROUPKEY-PULL exchange. Therefore all security properties and
skipping to change at page 49, line 50 skipping to change at page 53, line 50
to the state machine of that session. Packets not matching that to the state machine of that session. Packets not matching that
state machine will be discarded without processing. state machine will be discarded without processing.
7.2.5. Denial of Service Protection 7.2.5. Denial of Service Protection
GCKS implementations SHOULD keep a record of recently received GCKS implementations SHOULD keep a record of recently received
GROUPKEY-PULL messages (e.g., a hash of the packet) and reject GROUPKEY-PULL messages (e.g., a hash of the packet) and reject
messages that have already been processed. This provides Denial of messages that have already been processed. This provides Denial of
Service and Replay Protection of previously sent messages. An Service and Replay Protection of previously sent messages. An
implementation MAY choose to rate-limit the receipt of GDOI messages implementation MAY choose to rate-limit the receipt of GDOI messages
in order to mitigate avoid overloading its computational resources. in order to mitigate overloading its computational resources.
The GCKS SHOULD NOT perform any computationally expensive tasks The GCKS SHOULD NOT perform any computationally expensive tasks
before receiving a HASH with its own nonce included. The GCKS MUST before receiving a HASH with its own nonce included. The GCKS MUST
NOT update the group management state (e.g., LKH key tree, SID- NOT update the group management state (e.g., LKH key tree, SID-
counter) until it receives the third message in the exchange with a counter) until it receives the third message in the exchange with a
valid HASH payload including its own nonce. valid HASH payload including its own nonce.
7.2.6. Authorization 7.2.6. Authorization
A GCKS implementation SHOULD maintain an authorization list of A GCKS implementation SHOULD maintain an authorization list of
skipping to change at page 51, line 30 skipping to change at page 55, line 30
digital signatures is justified by the need to prevent GCKS digital signatures is justified by the need to prevent GCKS
impersonation: If a shared symmetric key were used for GROUPKEY-PUSH impersonation: If a shared symmetric key were used for GROUPKEY-PUSH
message authentication, then GCKS source authentication would be message authentication, then GCKS source authentication would be
impossible and any member would be capable of GCKS impersonation. impossible and any member would be capable of GCKS impersonation.
The potential of the digital signature amplifying a denial of service The potential of the digital signature amplifying a denial of service
attack is mitigated by the order of operations a group member takes, attack is mitigated by the order of operations a group member takes,
where the least expensive cryptographic operation is performed first. where the least expensive cryptographic operation is performed first.
The group member first decrypts the message using a symmetric cipher. The group member first decrypts the message using a symmetric cipher.
If it is a validly formed message then the sequence number is checked If it is a validly formed message then the sequence number is checked
against the most recently recieved sequence number. Only when the against the most recently received sequence number. Only when the
sequence number is valid (i.e., it is a larger value than previously sequence number is valid (i.e., it is a larger value than previously
received) is the digital signature verified and the message further received) is the digital signature verified and the message further
processed. Thus in order for a denial of service attack to be processed. Thus in order for a denial of service attack to be
mounted, an attacker would need to know both the symmetric encryption mounted, an attacker would need to know both the symmetric encryption
key used for confidentiality, and a valid sequence number. Generally key used for confidentiality, and a valid sequence number. Generally
speaking this means only current group members can effectively deploy speaking this means only current group members can effectively deploy
a denial of service attack. a denial of service attack.
7.4. Forward and Backward Access Control 7.4. Forward and Backward Access Control
skipping to change at page 58, line 7 skipping to change at page 62, line 7
are to be added and designated Private Use. Values 256-32767 are to are to be added and designated Private Use. Values 256-32767 are to
be added and designated Unassigned. be added and designated Unassigned.
8.3.11. LKH Download Type 8.3.11. LKH Download Type
Values 4-127 are to be designated Standards Action. Values 256-32767 Values 4-127 are to be designated Standards Action. Values 256-32767
are to be added and designated Unassigned. are to be added and designated Unassigned.
9. Acknowledgements 9. Acknowledgements
This text updates RFC 3547, and the authors wish to thank Mark This memo replaces RFC 3547, and the authors wish to thank Mark
Baugher and Hugh Harney for their extensive contributions that led to Baugher and Hugh Harney for their extensive contributions that led to
this updated version of GDOI. this newer specification of GDOI.
The authors are grateful to Catherine Meadows for her careful review The authors are grateful to Catherine Meadows for her careful review
and suggestions for mitigating the man-in-the-middle attack she had and suggestions for mitigating the man-in-the-middle attack she had
previously identified. Yoav Nir, Vincent Roca, and Sean Turner previously identified. Yoav Nir, Vincent Roca, Sean Turner, and
provided many useful technical and editorial comments and suggestions Elwyn Davies provided many useful technical and editorial comments
for improvement. and suggestions for improvement.
10. References 10. References
10.1. Normative References 10.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2403] Madson, C. and R. Glenn, "The Use of HMAC-MD5-96 within [RFC2403] Madson, C. and R. Glenn, "The Use of HMAC-MD5-96 within
ESP and AH", RFC 2403, November 1998. ESP and AH", RFC 2403, November 1998.
skipping to change at page 61, line 31 skipping to change at page 65, line 31
[OFT] McGrew, D. and A. Sherman, "Key Establishment in Large [OFT] McGrew, D. and A. Sherman, "Key Establishment in Large
Dynamic Groups Using One-Way Function Trees", Manuscript, Dynamic Groups Using One-Way Function Trees", Manuscript,
submitted to IEEE Transactions on Software Engineering, submitted to IEEE Transactions on Software Engineering,
1998, <http://download.nai.com/products/media/nai/misc/ 1998, <http://download.nai.com/products/media/nai/misc/
oft052098.ps>. oft052098.ps>.
[PK01] Perlman, R. and C. Kaufman, "Analysis of the IPsec Key [PK01] Perlman, R. and C. Kaufman, "Analysis of the IPsec Key
Exchange Standard", WET-ICE conference , 2001, Exchange Standard", WET-ICE conference , 2001,
<http://sec.femto.org/wetice-2001/papers/radia-paper.pdf>. <http://sec.femto.org/wetice-2001/papers/radia-paper.pdf>.
[PROTOCOL-REG]
"Assigned Internet Protocol Numbers", <http://
www.iana.org/assignments/protocol-numbers/
protocol-numbers.txt>.
[RFC3686] Housley, R., "Using Advanced Encryption Standard (AES) [RFC3686] Housley, R., "Using Advanced Encryption Standard (AES)
Counter Mode With IPsec Encapsulating Security Payload Counter Mode With IPsec Encapsulating Security Payload
(ESP)", RFC 3686, January 2004. (ESP)", RFC 3686, January 2004.
[RFC3740] Hardjono, T. and B. Weis, "The Multicast Group Security [RFC3740] Hardjono, T. and B. Weis, "The Multicast Group Security
Architecture", RFC 3740, March 2004. Architecture", RFC 3740, March 2004.
[RFC3947] Kivinen, T., Swander, B., Huttunen, A., and V. Volpe, [RFC3947] Kivinen, T., Swander, B., Huttunen, A., and V. Volpe,
"Negotiation of NAT-Traversal in the IKE", RFC 3947, "Negotiation of NAT-Traversal in the IKE", RFC 3947,
January 2005. January 2005.
skipping to change at page 62, line 26 skipping to change at page 66, line 32
Header (AH)", RFC 4359, January 2006. Header (AH)", RFC 4359, January 2006.
[RFC4543] McGrew, D. and J. Viega, "The Use of Galois Message [RFC4543] McGrew, D. and J. Viega, "The Use of Galois Message
Authentication Code (GMAC) in IPsec ESP and AH", RFC 4543, Authentication Code (GMAC) in IPsec ESP and AH", RFC 4543,
May 2006. May 2006.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 5226, IANA Considerations Section in RFCs", BCP 26, RFC 5226,
May 2008. May 2008.
[RFC5905] Mills, D., Martin, J., Burbank, J., and W. Kasch, "Network
Time Protocol Version 4: Protocol and Algorithms
Specification", RFC 5905, June 2010.
[RFC5996] Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen,
"Internet Key Exchange Protocol Version 2 (IKEv2)",
RFC 5996, September 2010.
[SP.800-131] [SP.800-131]
Barker, E. and A. Roginsky, "Recommendation for the Barker, E. and A. Roginsky, "Recommendation for the
Transitioning of Cryptographic Algorithms and Key Transitioning of Cryptographic Algorithms and Key
Lengths", United States of America, National Institute of Lengths", United States of America, National Institute of
Science and Technology DRAFT NIST Special Publication 800- Science and Technology DRAFT NIST Special Publication 800-
131, June 2010. 131, June 2010.
[SP.800-38A] [SP.800-38A]
Dworkin, M., "Recommendation for Block Cipher Modes of Dworkin, M., "Recommendation for Block Cipher Modes of
Operation", United States of America, National Institute Operation", United States of America, National Institute
 End of changes. 107 change blocks. 
229 lines changed or deleted 360 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/