summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc3547.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc3547.txt')
-rw-r--r--doc/rfc/rfc3547.txt2691
1 files changed, 2691 insertions, 0 deletions
diff --git a/doc/rfc/rfc3547.txt b/doc/rfc/rfc3547.txt
new file mode 100644
index 0000000..2377aa3
--- /dev/null
+++ b/doc/rfc/rfc3547.txt
@@ -0,0 +1,2691 @@
+
+
+
+
+
+
+Network Working Group M. Baugher
+Request for Comments: 3547 B. Weis
+Category: Standards Track Cisco
+ T. Hardjono
+ Verisign
+ H. Harney
+ Sparta
+ July 2003
+
+
+ The Group Domain of Interpretation
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+Abstract
+
+ This document presents an ISAMKP Domain of Interpretation (DOI) for
+ group key management to support secure group communications. The
+ GDOI manages group security associations, which are used by IPSEC and
+ potentially other data security protocols running at the IP or
+ application layers. These security associations protect one or more
+ key-encrypting keys, traffic-encrypting keys, or data shared by group
+ members.
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 1.1. GDOI Applications. . . . . . . . . . . . . . . . . . . . 5
+ 1.2. Extending GDOI . . . . . . . . . . . . . . . . . . . . . 5
+ 2. GDOI Phase 1 protocol. . . . . . . . . . . . . . . . . . . . . 6
+ 2.1. ISAKMP Phase 1 protocol. . . . . . . . . . . . . . . . . 6
+ 2.1.1. DOI value. . . . . . . . . . . . . . . . . . . . 6
+ 2.1.2. UDP port . . . . . . . . . . . . . . . . . . . . 6
+ 3. GROUPKEY-PULL Exchange . . . . . . . . . . . . . . . . . . . . 6
+ 3.1. Authorization. . . . . . . . . . . . . . . . . . . . . . 7
+ 3.2. Messages . . . . . . . . . . . . . . . . . . . . . . . . 7
+ 3.2.1. Perfect Forward Secrecy. . . . . . . . . . . . . 9
+ 3.2.2. ISAKMP Header Initialization . . . . . . . . . . 9
+
+
+
+Baugher, et. al. Standards Track [Page 1]
+
+RFC 3547 GDOI Domain of Interpretation July 2003
+
+
+ 3.3. Initiator Operations . . . . . . . . . . . . . . . . . . 10
+ 3.4. Receiver Operations. . . . . . . . . . . . . . . . . . . 11
+ 4. GROUPKEY-PUSH Message. . . . . . . . . . . . . . . . . . . . . 11
+ 4.1. Perfect Forward Secrecy (PFS). . . . . . . . . . . . . . 12
+ 4.2. Forward and Backward Access Control. . . . . . . . . . . 12
+ 4.2.1. Forward Access Control Requirements. . . . . . . 13
+ 4.3. Delegation of Key Management . . . . . . . . . . . . . . 14
+ 4.4. Use of signature keys. . . . . . . . . . . . . . . . . . 14
+ 4.5. ISAKMP Header Initialization . . . . . . . . . . . . . . 14
+ 4.6. Deletion of SAs. . . . . . . . . . . . . . . . . . . . . 14
+ 4.7. GCKS Operations. . . . . . . . . . . . . . . . . . . . . 15
+ 4.8. Group Member Operations. . . . . . . . . . . . . . . . . 16
+ 5. Payloads and Defined Values. . . . . . . . . . . . . . . . . . 16
+ 5.1. Identification Payload . . . . . . . . . . . . . . . . . 17
+ 5.1.1. Identification Type Values . . . . . . . . . . . 18
+ 5.2. Security Association Payload . . . . . . . . . . . . . . 18
+ 5.2.1. Payloads following the SA payload. . . . . . . . 19
+ 5.3. SA KEK payload . . . . . . . . . . . . . . . . . . . . . 19
+ 5.3.1. KEK Attributes . . . . . . . . . . . . . . . . . 22
+ 5.3.2. KEK_MANAGEMENT_ALGORITHM . . . . . . . . . . . . 22
+ 5.3.3. KEK_ALGORITHM. . . . . . . . . . . . . . . . . . 23
+ 5.3.4. KEK_KEY_LENGTH . . . . . . . . . . . . . . . . . 23
+ 5.3.5. KEK_KEY_LIFETIME . . . . . . . . . . . . . . . . 24
+ 5.3.6. SIG_HASH_ALGORITHM . . . . . . . . . . . . . . . 24
+ 5.3.7. SIG_ALGORITHM. . . . . . . . . . . . . . . . . . 24
+ 5.3.8. SIG_KEY_LENGTH . . . . . . . . . . . . . . . . . 25
+ 5.3.9. KE_OAKLEY_GROUP. . . . . . . . . . . . . . . . . 25
+ 5.4. SA TEK Payload . . . . . . . . . . . . . . . . . . . . . 25
+ 5.4.1. PROTO_IPSEC_ESP. . . . . . . . . . . . . . . . . 26
+ 5.4.2. Other Security Protocols . . . . . . . . . . . . 28
+ 5.5. Key Download Payload . . . . . . . . . . . . . . . . . . 28
+ 5.5.1. TEK Download Type. . . . . . . . . . . . . . . . 30
+ 5.5.2. KEK Download Type. . . . . . . . . . . . . . . . 31
+ 5.5.3. LKH Download Type. . . . . . . . . . . . . . . . 32
+ 5.6. Sequence Number Payload. . . . . . . . . . . . . . . . . 35
+ 5.7. Proof of Possession. . . . . . . . . . . . . . . . . . . 36
+ 5.8. Nonce. . . . . . . . . . . . . . . . . . . . . . . . . . 36
+ 6. Security Considerations. . . . . . . . . . . . . . . . . . . . 36
+ 6.1. ISAKMP Phase 1 . . . . . . . . . . . . . . . . . . . . . 37
+ 6.1.1. Authentication . . . . . . . . . . . . . . . . . 37
+ 6.1.2. Confidentiality. . . . . . . . . . . . . . . . . 37
+ 6.1.3. Man-in-the-Middle Attack Protection. . . . . . . 38
+ 6.1.4. Replay/Reflection Attack Protection. . . . . . . 38
+ 6.1.5. Denial of Service Protection . . . . . . . . . . 38
+ 6.2. GROUPKEY-PULL Exchange . . . . . . . . . . . . . . . . . 38
+ 6.2.1. Authentication . . . . . . . . . . . . . . . . . 38
+ 6.2.2. Confidentiality. . . . . . . . . . . . . . . . . 39
+ 6.2.3. Man-in-the-Middle Attack Protection. . . . . . . 39
+
+
+
+Baugher, et. al. Standards Track [Page 2]
+
+RFC 3547 GDOI Domain of Interpretation July 2003
+
+
+ 6.2.4. Replay/Reflection Attack Protection. . . . . . . 39
+ 6.2.5. Denial of Service Protection . . . . . . . . . . 39
+ 6.2.6. Authorization. . . . . . . . . . . . . . . . . . 40
+ 6.3. GROUPKEY-PUSH Exchange . . . . . . . . . . . . . . . . . 40
+ 6.3.1. Authentication . . . . . . . . . . . . . . . . . 40
+ 6.3.2. Confidentiality. . . . . . . . . . . . . . . . . 40
+ 6.3.3. Man-in-the-Middle Attack Protection. . . . . . . 40
+ 6.3.4. Replay/Reflection Attack Protection. . . . . . . 40
+ 6.3.5. Denial of Service Protection . . . . . . . . . . 41
+ 6.3.6. Forward Access Control . . . . . . . . . . . . . 41
+ 7. IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 41
+ 7.1. ISAKMP DOI . . . . . . . . . . . . . . . . . . . . . . . 41
+ 7.2. Payload Types. . . . . . . . . . . . . . . . . . . . . . 42
+ 7.3. New Name spaces. . . . . . . . . . . . . . . . . . . . . 42
+ 7.4. UDP Port . . . . . . . . . . . . . . . . . . . . . . . . 42
+ 8. Intellectual Property Rights Statement . . . . . . . . . . . . 42
+ 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 43
+ 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 43
+ 10.1. Normative References . . . . . . . . . . . . . . . . . . 43
+ 10.2. Informative References . . . . . . . . . . . . . . . . . 44
+ Appendix A: Alternate GDOI Phase 1 protocols . . . . . . . . . . . 46
+ A.1. IKEv2 Phase 1 protocol . . . . . . . . . . . . . . . . . 46
+ A.2. KINK Protocol. . . . . . . . . . . . . . . . . . . . . . 46
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 47
+ Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 48
+
+1. Introduction
+
+ This document presents an ISAMKP Domain of Interpretation (DOI) for
+ group key management called the "Group Domain of Interpretation"
+ (GDOI). In this group key management model, the GDOI protocol is run
+ between a group member and a "group controller/key server" (GCKS),
+ which establishes security associations [Section 4.6.2 RFC2401] among
+ authorized group members. ISAKMP defines two "phases" of negotiation
+ [p.16 RFC2408]. The GDOI MUST be protected by a Phase 1 security
+ association. This document incorporates the Phase 1 security
+ association (SA) definition from the Internet DOI [RFC2407, RFC2409].
+ Other possible Phase 1 security association types are noted in
+ Appendix A. The Phase 2 exchange is defined in this document, and
+ proposes new payloads and exchanges according to the ISAKMP standard
+ [p. 14 RFC2408].
+
+ There are six new payloads:
+
+ 1) GDOI SA
+ 2) SA KEK (SAK) which follows the SA payload
+ 3) SA TEK (SAT) which follows the SA payload
+
+
+
+
+Baugher, et. al. Standards Track [Page 3]
+
+RFC 3547 GDOI Domain of Interpretation July 2003
+
+
+ 4) Key Download Array (KD)
+ 5) Sequence number (SEQ)
+ 6) Proof of Possession (POP)
+
+ There are two new exchanges.
+
+ 1) A Phase 2 exchange creates Re-key and Data-Security Protocol SAs.
+
+ The new Phase 2 exchange, called "GROUPKEY-PULL," downloads keys for
+ a group's "Re-key" SA and/or "Data-security" SA. The Re-key SA
+ includes a key encrypting key, or KEK, common to the group; a
+ Data-security SA includes a data encryption key, or TEK, used by a
+ data-security protocol to encrypt or decrypt data traffic [Section
+ 2.1 RFC2407]. The SA for the KEK or TEK includes authentication
+ keys, encryption keys, cryptographic policy, and attributes. The
+ GROUPKEY-PULL exchange uses "pull" behavior since the member
+ initiates the retrieval of these SAs from a GCKS.
+
+ 2) A datagram subsequently establishes additional Rekey and/or
+ Data-Security Protocol SAs.
+
+ The GROUPKEY-PUSH datagram is "pushed" from the GCKS to the members
+ to create or update a Re-key or Data-security SA. A Re-key SA
+ protects GROUPKEY-PUSH messages. Thus, a GROUPKEY-PULL is necessary
+ to establish at least one Re-key SA in order to protect subsequent
+ GROUPKEY-PUSH messages. The GCKS encrypts the GROUPKEY-PUSH message
+ using the KEK Re-key SA. GDOI accommodates the use of arrays of KEKs
+ for group key management algorithms using the Logical Key Hierarchy
+ (LKH) algorithm to efficiently add and remove group members
+ [RFC2627]. Implementation of the LKH algorithm is OPTIONAL.
+
+ Although the GROUPKEY-PUSH specified by this document can be used to
+ refresh a Re-key SA, the most common use of GROUPKEY-PUSH is to
+ establish a Data-security SA for a data security protocol. GDOI can
+ accommodate future extensions to support a variety of data security
+ protocols. This document only specifies data-security SAs for one
+ security protocol, IPsec ESP. A separate RFC will specify support
+ for other data security protocols such as a future secure Real-time
+ Transport Protocol. A security protocol uses the TEK and "owns" the
+ data-security SA in the same way that IPsec ESP uses the IKE Phase 2
+ keys and owns the Phase 2 SA; for GDOI, IPsec ESP uses the TEK.
+
+ Thus, GDOI is a group security association management protocol: All
+ GDOI messages are used to create, maintain, or delete security
+ associations for a group. As described above, these security
+ associations protect one or more key-encrypting keys,
+ traffic-encrypting keys, or data shared by group members for
+ multicast and groups security applications.
+
+
+
+Baugher, et. al. Standards Track [Page 4]
+
+RFC 3547 GDOI Domain of Interpretation July 2003
+
+
+ The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD,
+ SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this
+ document, are to be interpreted as described in BCP 14, RFC 2119
+ [RFC2119].
+
+1.1. GDOI Applications
+
+ Secure multicast applications include video broadcast and multicast
+ file transfer. In a business environment, many of these applications
+ require network security and may use IPsec ESP to secure their data
+ traffic. Section 5.4.1 specifies how GDOI carries the needed SA
+ parameters for ESP. In this way, GDOI supports multicast ESP with
+ group authentication of ESP packets using the shared, group key
+ (authentication of unique sources of ESP packets is not possible).
+
+ GDOI can also secure group applications that do not use multicast
+ transport such as video-on-demand. For example, the GROUPKEY-PUSH
+ message may establish a pair-wise IPsec ESP SA for a member of a
+ subscription group without the need for key management exchanges and
+ costly asymmetric cryptography.
+
+1.2. Extending GDOI
+
+ Not all secure multicast or multimedia applications can use IPsec
+ ESP. Many Real Time Transport Protocol applications, for example,
+ require security above the IP layer to preserve RTP header
+ compression efficiencies and transport-independence [RFC3550]. A
+ future RTP security protocol may benefit from using GDOI to establish
+ group SAs.
+
+ In order to add a new data security protocol, a new RFC MUST specify
+ the data-security SA parameters conveyed by GDOI for that security
+ protocol; these parameters are listed in section 5.4.2 of this
+ document.
+
+ Data security protocol SAs MUST protect group traffic. GDOI provides
+ no restriction on whether that group traffic is transmitted as
+ unicast or multicast packets. However, GDOI MUST NOT be used as a
+ key management mechanism by a data security protocol when the packets
+ protected by the data-security SA are intended to be private and
+ never become part of group communications.
+
+
+
+
+
+
+
+
+
+
+Baugher, et. al. Standards Track [Page 5]
+
+RFC 3547 GDOI Domain of Interpretation July 2003
+
+
+2. GDOI Phase 1 protocol
+
+ GDOI is a "phase 2" protocol which MUST be protected by a "phase 1"
+ protocol. The "phase 1" protocol can be any protocol which provides
+ for the following protections:
+
+ o Peer Authentication
+ o Confidentiality
+ o Message Integrity
+
+ The following sections describe one such "phase 1" protocol. Other
+ protocols which may be potential "phase 1" protocols are described in
+ Appendix A. However, the use of the protocols listed there are not
+ considered part of this document.
+
+2.1. ISAKMP Phase 1 protocol
+
+ This document defines how the ISAKMP phase 1 exchanges as defined in
+ [RFC2409] can be used a "phase 1" protocol for GDOI. The following
+ sections define characteristics of the ISAKMP phase 1 protocols that
+ are unique for these exchanges when used for GDOI.
+
+ Section 6.1 describes how the ISAKMP Phase 1 protocols meet the
+ requirements of a GDOI "phase 1" protocol.
+
+2.1.1. DOI value
+
+ The Phase 1 SA payload has a DOI value. That value MUST be the GDOI
+ DOI value as defined later in this document.
+
+2.1.2. UDP port
+
+ GDOI MUST NOT run on port 500 (the port commonly used for IKE). IANA
+ has assigned port 848 for the use of GDOI.
+
+3. GROUPKEY-PULL Exchange
+
+ The goal of the GROUPKEY-PULL exchange is to establish a Re-key
+ and/or Data-security SAs at the member for a particular group. A
+ Phase 1 SA protects the GROUPKEY-PULL; there MAY be multiple
+ GROUPKEY-PULL exchanges for a given Phase 1 SA. The GROUPKEY-PULL
+ exchange downloads the data security keys (TEKs) and/or group key
+ encrypting key (KEK) or KEK array under the protection of the Phase 1
+ SA.
+
+
+
+
+
+
+
+Baugher, et. al. Standards Track [Page 6]
+
+RFC 3547 GDOI Domain of Interpretation July 2003
+
+
+3.1. Authorization
+
+ There are two alternative means for authorizing the GROUPKEY-PULL
+ message. First, the Phase 1 identity can be used to authorize the
+ Phase 2 (GROUPKEY-PULL) request for a group key. Second, a new
+ identity can be passed in the GROUPKEY-PULL request. The new
+ identity could be specific to the group and use a certificate that is
+ signed by the group owner to identify the holder as an authorized
+ group member. The Proof-of-Possession payload validates that the
+ holder possesses the secret key associated with the Phase 2 identity.
+
+3.2. Messages
+
+ The GROUPKEY-PULL is a Phase 2 exchange. Phase 1 computes SKEYID_a
+ which is the "key" in the keyed hash used in the GROUPKEY-PULL HASH
+ payloads. When using the Phase 1 defined in this document, SKEYID_a
+ is derived according to [RFC2409]. As with the IKE HASH payload
+ generation [RFC 2409 section 5.5], each GROUPKEY-PULL message hashes
+ a uniquely defined set of values. Nonces permute the HASH and
+ provide some protection against replay attacks. Replay protection is
+ important to protect the GCKS from attacks that a key management
+ server will attract.
+
+ The GROUPKEY-PULL uses nonces to guarantee "liveliness", or against
+ replay of a recent GROUPKEY-PULL message. The replay attack is only
+ useful in the context of the current Phase 1. If a GROUPKEY-PULL
+ message is replayed based on a previous Phase 1, the HASH calculation
+ will fail due to a wrong SKEYID_a. The message will fail processing
+ before the nonce is ever evaluated. In order for either peer to get
+ the benefit of the replay protection, it must postpone as much
+ processing as possible until it receives the message in the protocol
+ that proves the peer is live. For example, the Responder MUST NOT
+ compute the shared Diffie-Hellman number (if KE payloads were
+ included) or install the new SAs until it receives a message with Nr
+ included properly in the HASH payload.
+
+ Nonces require an additional message in the protocol exchange to
+ ensure that the GCKS does not add a group member until it proves
+ liveliness. The GROUPKEY-PULL member-initiator expects to find its
+ nonce, Ni, in the HASH of a returned message. And the GROUPKEY-PULL
+ GKCS responder expects to see its nonce, Nr, in the HASH of a
+ returned message before providing group-keying material as in the
+ following exchange.
+
+
+
+
+
+
+
+
+Baugher, et. al. Standards Track [Page 7]
+
+RFC 3547 GDOI Domain of Interpretation July 2003
+
+
+ Initiator (Member) Responder (GCKS)
+ ------------------ ----------------
+ HDR*, HASH(1), Ni, ID -->
+ <-- HDR*, HASH(2), Nr, SA
+ HDR*, HASH(3) [,KE_I] -->
+ [,CERT] [,POP_I]
+ <-- HDR*, HASH(4),[KE_R,][SEQ,]
+ KD [,CERT] [,POP_R]
+
+ Hashes are computed as follows:
+
+ HASH(1) = prf(SKEYID_a, M-ID | Ni | ID)
+ HASH(2) = prf(SKEYID_a, M-ID | Ni_b | Nr | SA)
+ HASH(3) = prf(SKEYID_a, M-ID | Ni_b | Nr_b [ | KE_I ] [ | CERT ]
+ [ | POP_I ])
+ HASH(4) = prf(SKEYID_a, M-ID | Ni_b | Nr_b [ | KE_R ] [ | SEQ | ]
+ KD [ | CERT ] [ | POP_R])
+
+ POP payload is constructed as described in Section 5.7.
+ * Protected by the Phase 1 SA, encryption occurs after HDR
+
+ HDR is an ISAKMP header payload that uses the Phase 1 cookies and a
+ message identifier (M-ID) as in IKE [RFC2409]. Note that nonces are
+ included in the first two exchanges, with the GCKS returning only the
+ SA policy payload before liveliness is proven. The HASH payloads
+ [RFC2409] prove that the peer has the Phase 1 secret (SKEYID_a) and
+ the nonce for the exchange identified by message id, M-ID. Once
+ liveliness is established, the last message completes the real
+ processing of downloading the KD payload.
+
+ In addition to the Nonce and HASH payloads, the member-initiator
+ identifies the group it wishes to join through the ISAKMP ID payload.
+ The GCKS responder informs the member of the current value of the
+ sequence number in the SEQ payload; the sequence number orders the
+ GROUPKEY-PUSH datagrams (section 4); the member MUST check to see
+ that the sequence number is greater than in the previous SEQ payload
+ the member holds for the group (if it holds any) before installing
+ any new SAs. The SEQ payload MUST be present if the SA payload
+ contains an SA KEK attribute. The GCKS responder informs the member
+ of the cryptographic policies of the group in the SA payload, which
+ describes the DOI, KEK and/or TEK keying material, and authentication
+ transforms. The SPIs are also determined by the GCKS and downloaded
+ in the SA payload chain (see section 5.2). The SA KEK attribute
+ contains the ISAKMP cookie pair for the Re-key SA, which is not
+ negotiated but downloaded. The SA TEK attribute contains an SPI as
+ defined in section 5.4 of this document. The second message
+ downloads this SA payload. If a Re-key SA is defined in the SA
+ payload, then KD will contain the KEK; if one or more Data-security
+
+
+
+Baugher, et. al. Standards Track [Page 8]
+
+RFC 3547 GDOI Domain of Interpretation July 2003
+
+
+ SAs are defined in the SA payload, KD will contain the TEKs. This is
+ useful if there is an initial set of TEKs for the particular group
+ and can obviate the need for future TEK GROUPKEY-PUSH messages
+ (described in section 4).
+
+ As described above, the member may establish an identity in the
+ GROUPKEY-PULL exchange in an optional CERT payload that is separate
+ from the Phase 1 identity. When the member passes a new CERT, a
+ proof of possession (POP) payload accompanies it. The POP payload
+ demonstrates that the member or GCKS has used the very secret that
+ authenticates it. POP_I is an ISAKMP SIG payload containing a hash
+ including the nonces Ni and Nr signed by the member, when the member
+ passes a CERT, signed by the Group Owner to prove its authorization.
+ POP_R contains the hash including the concatenated nonces Ni and Nr
+ signed by the GCKS, when the GCKS passes a CERT, signed by the group
+ owner, to prove its authority to provide keys for a particular group.
+ The use of the nonce pair for the POP payload, transformed through a
+ pseudo-random function (prf) and encrypted, is designed to withstand
+ compromise of the Phase 1 key. Implementation of the CERT and POP
+ payloads is OPTIONAL.
+
+3.2.1. Perfect Forward Secrecy
+
+ If PFS is desired and the optional KE payload is used in the
+ exchange, then both sides compute a DH secret and use it to protect
+ the new keying material contained in KD. The GCKS responder will xor
+ the DH secret with the KD payload and send it to the member
+ Initiator, which recovers the KD by repeating this operation as in
+ the Oakley IEXTKEY procedure [RFC2412]. Implementation of the KE
+ payload is OPTIONAL.
+
+3.2.2. ISAKMP Header Initialization
+
+ Cookies are used in the ISAKMP header as a weak form of denial of
+ service protection. The GDOI GROUPKEY-PULL exchange uses cookies
+ according to ISAKMP [RFC2408].
+
+ Next Payload identifies an ISAKMP or GDOI payload (see Section 5.0).
+
+ Major Version is 1 and Minor Version is 0 according to ISAKMP
+ [RFC2408, Section 3.1].
+
+ The Exchange Type has value 32 for the GDOI GROUPKEY-PULL exchange.
+
+ Flags, Message ID, and Length are according to ISAKMP [RFC2408,
+ Section 3.1]
+
+
+
+
+
+Baugher, et. al. Standards Track [Page 9]
+
+RFC 3547 GDOI Domain of Interpretation July 2003
+
+
+3.3. Initiator Operations
+
+ Before a group member (GDOI initiator) contacts the GCKS, it must
+ determine the group identifier and acceptable Phase 1 policy via an
+ out-of-band method such as SDP. Phase 1 is initiated using the GDOI
+ DOI in the SA payload. Once Phase 1 is complete, the initiator state
+ machine moves to the GDOI protocol.
+
+ To construct the first GDOI message the initiator chooses Ni and
+ creates a nonce payload, builds an identity payload including the
+ group identifier, and generates HASH(1).
+
+ Upon receipt of the second GDOI message, the initiator validates
+ HASH(2), extracts the nonce Nr, and interprets the SA payload. If
+ the policy in the SA payload is acceptable (e.g., the security
+ protocol and cryptographic protocols can be supported by the
+ initiator), the initiator continues the protocol.
+
+ If the group policy uses certificates for authorization, the
+ initiator generates a hash including Ni and Nr and signs it. This
+ becomes the contents of the POP payload. If necessary, a CERT
+ payload is constructed which holds the public key corresponding to
+ the private key used to sign the POP payload.
+
+ The initiator constructs the third GDOI message by including the CERT
+ and POP payloads (if needed) and creating HASH(3).
+
+ Upon receipt of the fourth GDOI message, the initiator validates
+ HASH(4). If the responder sent CERT and POP_R payloads, the POP
+ signature is validated.
+
+ If SEQ payload is present, the sequence number in the SEQ payload
+ must be checked against any previously received sequence number for
+ this group. If it is less than the previously received number, it
+ should be considered stale and ignored. This could happen if two
+ GROUPKEY-PULL messages happened in parallel, and the sequence number
+ changed between the times the results of two GROUPKEY-PULL messages
+ were returned from the GCKS.
+
+ The initiator interprets the KD key packets, matching the SPIs in the
+ key packets to SPIs previously sent in the SA payloads identifying
+ particular policy. For TEKs, once the keys and policy are matched,
+ the initiator is ready to send or receive packets matching the TEK
+ policy. (If policy and keys had been previously received for this
+ TEK policy, the initiator may decide instead to ignore this TEK
+ policy in case it is stale.) If this group has a KEK, the KEK policy
+ and keys are marked as ready for use.
+
+
+
+
+Baugher, et. al. Standards Track [Page 10]
+
+RFC 3547 GDOI Domain of Interpretation July 2003
+
+
+3.4. Receiver Operations
+
+ The GCKS (responder) passively listens for incoming requests from
+ group members. The Phase 1 authenticates the group member and sets
+ up the secure session with them.
+
+ Upon receipt of the first GDOI message the GCKS validates HASH(1),
+ extracts the Ni and group identifier in the ID payload. It verifies
+ that its database contains the group information for the group
+ identifier.
+
+ The GCKS constructs the second GDOI message, including a nonce Nr,
+ and the policy for the group in an SA payload, followed by SA TEK
+ payloads for traffic SAs, and SA KEK policy (if the group controller
+ will be sending Re-key messages to the group).
+
+ Upon receipt of the third GDOI message the GCKS validates HASH(3).
+ If the initiator sent CERT and POP_I payloads, the POP signature is
+ validated.
+
+ The GCKS constructs the fourth GDOI message, including the SEQ
+ payload (if the GCKS sends rekey messages), the KD payload containing
+ keys corresponding to policy previously sent in the SA TEK and SA KEK
+ payloads, and the CERT and POP payloads (if needed).
+
+4. GROUPKEY-PUSH Message
+
+ GDOI sends control information securely using group communications.
+ Typically this will be using IP multicast distribution of a
+ GROUPKEY-PUSH message but it can also be "pushed" using unicast
+ delivery if IP multicast is not possible. The GROUPKEY-PUSH message
+ replaces a Re-key SA KEK or KEK array, and/or creates a new
+ Data-security SA.
+
+ Member GCKS or Delegate
+ ------ ----------------
+
+ <---- HDR*, SEQ, SA, KD, [CERT,] SIG
+
+ * Protected by the Re-key SA KEK; encryption occurs after HDR
+
+ HDR is defined below. The SEQ payload is defined in the Payloads
+ section. The SA defines the policy (e.g., protection suite) and
+ attributes (e.g., SPI) for a Re-key and/or Data-security SAs. The
+ GCKS or delegate optionally provides a CERT payload for verification
+ of the SIG. KD is the key download payload as described in the
+ Payloads section.
+
+
+
+
+Baugher, et. al. Standards Track [Page 11]
+
+RFC 3547 GDOI Domain of Interpretation July 2003
+
+
+ The SIG payload is a signature of a hash of the entire message before
+ encryption (including the header and excluding the SIG payload
+ itself), prefixed with the string "rekey". The prefixed string
+ ensures that the signature of the Rekey datagram cannot be used for
+ any other purpose in the GDOI protocol.
+
+ If the SA defines an LKH KEK array or single KEK, KD contains a KEK
+ or KEK array for a new Re-key SA, which has a new cookie pair. When
+ the KD payload carries a new SA KEK attribute (section 5.3), a Re-key
+ SA is replaced with a new SA having the same group identifier (ID
+ specified in message 1 of section 3.2) and incrementing the same
+ sequence counter, which is initialized in message 4 of section 3.2.
+ If the SA defines an SA TEK payload, this informs the member that a
+ new Data-security SA has been created, with keying material carried
+ in KD (Section 5.5).
+
+ If the SA defines a large LKH KEK array (e.g., during group
+ initialization and batched rekeying), parts of the array MAY be sent
+ in different unique GROUPKEY-PUSH datagrams. However, each of the
+ GROUPKEY-PUSH datagrams MUST be a fully formed GROUPKEY-PUSH
+ datagram. This results in each datagram containing a sequence number
+ and the policy in the SA payload, which corresponds to the KEK array
+ portion sent in the KD payload.
+
+4.1. Perfect Forward Secrecy (PFS)
+
+ The GROUPKEY-PUSH message is protected by the group KEK though in all
+ cases, the GROUPKEY-PUSH message carries new key downloads, among
+ other information. A freshly generated secret must protect the key
+ download for the GROUPKEY-PUSH message to have PFS. This issue is
+ for further study.
+
+4.2. Forward and Backward Access Control
+
+ Through GROUPKEY-PUSH, the GDOI supports algorithms such as LKH that
+ have the property of denying access to a new group key by a member
+ removed from the group (forward access control) and to an old group
+ key by a member added to the group (backward access control). An
+ unrelated notion to PFS, "forward access control" and "backward
+ access control" have been called "perfect forward security" and
+ "perfect backward security" in the literature [RFC2627].
+
+ Group management algorithms providing forward and backward access
+ control other than LKH have been proposed in the literature,
+ including OFT [OFT] and Subset Difference [NNL]. These algorithms
+ could be used with GDOI, but are not specified as a part of this
+ document.
+
+
+
+
+Baugher, et. al. Standards Track [Page 12]
+
+RFC 3547 GDOI Domain of Interpretation July 2003
+
+
+ Support for group management algorithms is supported via the
+ KEY_MANAGEMENT_ALGORITHM attribute which is sent in the SA_KEK
+ payload. GDOI specifies one method by which LKH can be used for
+ forward and backward access control. Other methods of using LKH, as
+ well as other group management algorithms such as OFT or Subset
+ Difference may be added to GDOI as part of a later document. Any
+ such addition MUST be due to a Standards Action as defined in
+ [RFC2434].
+
+4.2.1. Forward Access Control Requirements
+
+ When group membership is altered using a group management algorithm
+ new SA_TEKs (and their associated keys) are usually also needed. New
+ SAs and keys ensure that members who were denied access can no longer
+ participate in the group.
+
+ If forward access control is a desired property of the group, new
+ SA_TEKs and the associated key packets in the KD payload MUST NOT be
+ included in a GROUPKEY-PUSH message which changes group membership.
+ This is required because the SA_TEK policy and the associated key
+ packets in the KD payload are not protected with the new KEK. A
+ second GROUPKEY-PUSH message can deliver the new SA_TEKS and their
+ associated keys because it will be protected with the new KEK, and
+ thus will not be visible to the members who were denied access.
+
+ If forward access control policy for the group includes keeping group
+ policy changes from members that are denied access to the group, then
+ two sequential GROUPKEY-PUSH messages changing the group KEK MUST be
+ sent by the GCKS. The first GROUPKEY-PUSH message creates a new KEK
+ for the group. Group members, which are denied access, will not be
+ able to access the new KEK, but will see the group policy since the
+ GROUPKEY-PUSH message is protected under the current KEK. A
+ subsequent GROUPKEY-PUSH message containing the changed group policy
+ and again changing the KEK allows complete forward access control. A
+ GROUPKEY-PUSH message MUST NOT change the policy without creating a
+ new KEK.
+
+ If other methods of using LKH or other group management algorithms
+ are added to GDOI, those methods MAY remove the above restrictions
+ requiring multiple GROUPKEY-PUSH messages, providing those methods
+ specify how forward access control policy is maintained within a
+ single GROUPKEY-PUSH message.
+
+
+
+
+
+
+
+
+
+Baugher, et. al. Standards Track [Page 13]
+
+RFC 3547 GDOI Domain of Interpretation July 2003
+
+
+4.3. Delegation of Key Management
+
+ GDOI supports delegation of GROUPKEY-PUSH datagrams through the
+ delegation capabilities of the PKI. However, GDOI does not
+ explicitly specify how the GCKS identifies delegates, but leaves this
+ to the PKI that is used by a particular GDOI implementation.
+
+4.4. Use of signature keys
+
+ The GCKS SHOULD NOT use the same key to sign the SIG payload in the
+ GROUPKEY-PUSH message as was used for authorization in the
+ GROUPKEY-PULL POP payload. If the same key must be used, a different
+ hash function SHOULD be used as a base for the POP payload than is
+ used as a base for the SIG payload.
+
+4.5. ISAKMP Header Initialization
+
+ Unlike ISAKMP or IKE, the cookie pair is completely determined by the
+ GCKS. The cookie pair in the GDOI ISAKMP header identifies the Re-
+ key SA to differentiate the secure groups managed by a GCKS. Thus,
+ GDOI uses the cookie fields as an SPI.
+
+ Next Payload identifies an ISAKMP or GDOI payload (see Section 5.0).
+
+ Major Version is 1 and Minor Version is 0 according to ISAKMP
+ [RFC2408, Section 3.1].
+
+ The Exchange Type has value 33 for the GDOI GROUPKEY-PUSH message.
+
+ Flags MUST have the Encryption bit set according to [RFC2008, Section
+ 3.1]. All other bits MUST be set to zero.
+
+ Message ID MUST be set to zero.
+
+ Length is according to ISAKMP [RFC2408, Section 3.1]
+
+4.6. Deletion of SAs
+
+ There are times the GCKS may want to signal to receivers to delete
+ SAs, for example at the end of a broadcast. Deletion of keys may be
+ accomplished by sending an ISAKMP Delete payload [RFC2408, Section
+ 3.15] as part of a GDOI GROUPKEY-PUSH message.
+
+ One or more Delete payloads MAY be placed following the SEQ payload
+ in a GROUPKEY-PUSH message. If a GCKS has no further SAs to send to
+ group members, the SA and KD payloads MUST be omitted from the
+ message.
+
+
+
+
+Baugher, et. al. Standards Track [Page 14]
+
+RFC 3547 GDOI Domain of Interpretation July 2003
+
+
+ The following fields of the Delete Payload are further defined as
+ follows:
+
+ o The Domain of Interpretation field contains the GDOI DOI.
+
+ o The Protocol-Id field contains TEK protocol id values defined
+ in Section 5.4 of this document. To delete a KEK SA, the value
+ of zero MUST be used as the protocol id. Note that only one
+ protocol id value can be defined in a Delete payload. If a TEK
+ SA and a KEK SA must be deleted, they must be sent in different
+ Delete payloads.
+
+4.7. GCKS Operations
+
+ GCKS or its delegate may initiate a Rekey message for one of several
+ reasons, e.g., the group membership has changed or keys are due to
+ expire.
+
+ To begin the rekey datagram the GCKS builds an ISAKMP HDR with the
+ correct cookie pair, and a SEQ payload that includes a sequence
+ number which is one greater than the previous rekey datagram.
+
+ An SA payload is then added. This is identical in structure and
+ meaning to a SA payload sent in a GROUPKEY-PULL exchange. If there
+ are changes to the KEK (in the case of a static KEK) or in group
+ membership (in the case of LKH) an SA_KEK attribute is added to the
+ SA. If there are one or more new TEKs then SA_TEK attributes are
+ added to describe that policy.
+
+ A KD payload is then added. This is identical in structure and
+ meaning to a KD payload sent in a GROUPKEY-PULL exchange. If an
+ SA_KEK attribute was included in the SA payload then corresponding
+ KEK keys (or a KEK array) is included. TEK keys are sent for each
+ SA_TEK attribute included in the SA payload.
+
+ A CERT payload is added if the initiator needs to provide its
+ certificate.
+
+ In the penultimate step, the initiator hashes the string "rekey"
+ followed by the key management message already formed. The hash is
+ signed, placed in a SIG payload and added to the datagram.
+
+ Lastly, the payloads following the HDR are encrypted using the
+ current KEK encryption key. The datagram can now be sent.
+
+
+
+
+
+
+
+Baugher, et. al. Standards Track [Page 15]
+
+RFC 3547 GDOI Domain of Interpretation July 2003
+
+
+4.8. Group Member Operations
+
+ A group member receiving the GROUPKEY-PUSH datagram matches the
+ cookie pair in the ISAKMP HDR to an existing SA. The message is
+ decrypted, and the form of the datagram is validated. This weeds out
+ obvious ill-formed messages (which may be sent as part of a Denial of
+ Service attack on the group).
+
+ The signature of the decrypted message is then validated, possibly
+ using the CERT payload if it is included.
+
+ The sequence number in the SEQ payload is validated to ensure that it
+ is greater than the previously received sequence number, and that it
+ fits within a window of acceptable values.
+
+ The SA and KD payloads are processed which results in a new GDOI
+ Rekey SA (if the SA payload included an SA_KEK attribute) and/or new
+ IPsec SAs being added to the system.
+
+5. Payloads and Defined Values
+
+ This document specifies use of several ISAKMP payloads, which are
+ defined in accordance with RFC2408. The following payloads are
+ extended or further specified.
+
+ Next Payload Type Value
+ ----------------- -----
+ Security Association (SA) 1
+ Identification (ID) 5
+ Nonce (N) 10
+
+ Several new payload formats are required in the group security
+ exchanges.
+
+ Next Payload Type Value
+ ----------------- -----
+ SA KEK Payload (SAK) 15
+ SA TEK Payload (SAT) 16
+ Key Download (KD) 17
+ Sequence Number (SEQ) 18
+ Proof of Possession (POP) 19
+
+
+
+
+
+
+
+
+
+
+Baugher, et. al. Standards Track [Page 16]
+
+RFC 3547 GDOI Domain of Interpretation July 2003
+
+
+5.1. Identification Payload
+
+ The Identification Payload is used to identify a group identity that
+ will later be associated with Security Associations for the group. A
+ group identity may map to a specific IP multicast group, or may
+ specify a more general identifier, such as one that represents a set
+ of related multicast streams.
+
+ The Identification Payload is defined as follows:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Next Payload ! RESERVED ! Payload Length !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! ID Type ! RESERVE2 !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ~ Identification Data ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ The Identification Payload fields are defined as follows:
+
+ o Next Payload (1 octet) -- Identifier for the payload type of
+ the next payload in the message. If the current payload is the
+ last in the message, this field will be zero (0).
+
+ o RESERVED (1 octet) -- Unused, must be zero (0).
+
+ o Payload Length (2 octets) -- Length, in octets, of the
+ identification data, including the generic header.
+
+ o Identification Type (1 octet) -- Value describing the identity
+ information found in the Identification Data field.
+
+ o RESERVED2 (2 octets) -- Unused, must be zero (0).
+
+ o Identification Data (variable length) -- Value, as indicated by
+ the Identification Type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+Baugher, et. al. Standards Track [Page 17]
+
+RFC 3547 GDOI Domain of Interpretation July 2003
+
+
+5.1.1. Identification Type Values
+
+ The following table lists the assigned values for the Identification
+ Type field found in the Identification Payload.
+
+ ID Type Value
+ ------- -----
+ RESERVED 0 - 10
+ ID_KEY_ID 11
+ RESERVED 12 - 127
+ Private Use 128 - 255
+
+5.1.1.1. ID_KEY_ID
+
+ In the context of a GDOI ID payload, ID_KEY_ID specifies a four
+ (4)-octet group identifier.
+
+5.2. Security Association Payload
+
+ The Security Association payload is defined in RFC 2408. For the
+ GDOI, it is used by the GCKS to assert security attributes for both
+ Re-key and Data-security SAs.
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
+ ! Next Payload ! RESERVED ! Payload Length !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! DOI !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
+ ! Situation !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
+ ! SA Attribute Next Payload ! RESERVED2 !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
+
+ The Security Association Payload fields are defined as follows:
+
+ o Next Payload (1 octet) -- Identifies the next payload for the
+ GROUPKEY-PULL or the GROUPKEY-PUSH message as defined above.
+ The next payload MUST NOT be a SAK Payload or SAT Payload type,
+ but the next non-Security Association type payload.
+
+ o RESERVED (1 octet) -- Must be zero.
+
+ o Payload Length (2 octets) -- Is the octet length of the current
+ payload including the generic header and all TEK and KEK
+ payloads.
+
+
+
+
+Baugher, et. al. Standards Track [Page 18]
+
+RFC 3547 GDOI Domain of Interpretation July 2003
+
+
+ o DOI (4 octets) -- Is the GDOI, which is value 2.
+
+ o Situation (4 octets) -- Must be zero.
+
+ o SA Attribute Next Payload (1 octet) -- Must be either a SAK
+ Payload or a SAT Payload. See section 5.2.1 for a description
+ of which circumstances are required for each payload type to be
+ present.
+
+ o RESERVED (2 octets) -- Must be zero.
+
+5.2.1. Payloads following the SA payload
+
+ Payloads that define specific security association attributes for the
+ KEK and/or TEKs used by the group MUST follow the SA payload. How
+ many of each payload is dependent upon the group policy. There may
+ be zero or one SAK Payloads, and zero or more SAT Payloads, where
+ either one SAK or SAT payload MUST be present.
+
+ This latitude allows various group policies to be accommodated. For
+ example if the group policy does not require the use of a Re-key SA,
+ the GCKS would not need to send an SA KEK attribute to the group
+ member since all SA updates would be performed using the Registration
+ SA. Alternatively, group policy might use a Re-key SA but choose to
+ download a KEK to the group member only as part of the Registration
+ SA. Therefore, the KEK policy (in the SA KEK attribute) would not be
+ necessary as part of the Re-key SA message SA payload.
+
+ Specifying multiple SATs allows multiple sessions to be part of the
+ same group and multiple streams to be associated with a session
+ (e.g., video, audio, and text) but each with individual security
+ association policy.
+
+5.3. SA KEK payload
+
+ The SA KEK (SAK) payload contains security attributes for the KEK
+ method for a group and parameters specific to the GROUPKEY-PULL
+ operation. The source and destination identities describe the
+ identities used for the GROUPKEY-PULL datagram.
+
+
+
+
+
+
+
+
+
+
+
+
+Baugher, et. al. Standards Track [Page 19]
+
+RFC 3547 GDOI Domain of Interpretation July 2003
+
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
+ ! Next Payload ! RESERVED ! Payload Length !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
+ ! Protocol ! SRC ID Type ! SRC ID Port !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
+ !SRC ID Data Len! SRC Identification Data ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
+ ! DST ID Type ! DST ID Port !DST ID Data Len!
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
+ ! DST Identification Data ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
+ ! !
+ ~ SPI ~
+ ! !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
+ ! POP Algorithm ! POP Key Length !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
+ ~ KEK Attributes ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
+
+ The SAK Payload fields are defined as follows:
+
+ o Next Payload (1 octet) -- Identifies the next payload for the
+ GROUPKEY-PULL or the GROUPKEY-PUSH message. The only valid
+ next payload types for this message are a SAT Payload or zero
+ to indicate there is no SA TEK payload.
+
+ o RESERVED (1 octet) -- Must be zero.
+
+ o Payload Length (2 octets) -- Length of this payload, including
+ the KEK attributes.
+
+ o Protocol (1 octet) -- Value describing an IP protocol ID (e.g.,
+ UDP/TCP) for the rekey datagram.
+
+ o SRC ID Type (1 octet) -- Value describing the identity
+ information found in the SRC Identification Data field.
+ Defined values are specified by the IPSEC Identification Type
+ section in the IANA isakmpd-registry [ISAKMP-REG].
+
+ o SRC ID Port (2 octets) -- Value specifying a port associated
+ with the source Id. A value of zero means that the SRC ID Port
+ field should be ignored.
+
+ o SRC ID Data Len (1 octet) -- Value specifying the length of the
+ SRC Identification Data field.
+
+
+
+Baugher, et. al. Standards Track [Page 20]
+
+RFC 3547 GDOI Domain of Interpretation July 2003
+
+
+ o SRC Identification Data (variable length) -- Value, as
+ indicated by the SRC ID Type.
+
+ o DST ID Type (1 octet) -- Value describing the identity
+ information found in the DST Identification Data field.
+ Defined values are specified by the IPSEC Identification Type
+ section in the IANA isakmpd-registry [ISAKMP-REG].
+
+ o DST ID Prot (1 octet) -- Value describing an IP protocol ID
+ (e.g., UDP/TCP).
+
+ o DST ID Port (2 octets) -- Value specifying a port associated
+ with the source Id.
+
+ o DST ID Data Len (1 octet) -- Value specifying the length of the
+ DST Identification Data field.
+
+ o DST Identification Data (variable length) -- Value, as
+ indicated by the DST ID Type.
+
+ o SPI (16 octets) -- Security Parameter Index for the KEK. The
+ SPI must be the ISAKMP Header cookie pair where the first 8
+ octets become the "Initiator Cookie" field of the GROUPKEY-PUSH
+ message ISAKMP HDR, and the second 8 octets become the
+ "Responder Cookie" in the same HDR. As described above, these
+ cookies are assigned by the GCKS.
+
+ o POP Algorithm (2 octets) -- The POP payload algorithm. Defined
+ values are specified in the following table. If no POP
+ algorithm is defined by the KEK policy this field must be zero.
+
+ Algorithm Type Value
+ -------------- -----
+ RESERVED 0
+ POP_ALG_RSA 1
+ POP_ALG_DSS 2
+ POP_ALG_ECDSS 3
+ RESERVED 4-127
+ Private Use 128-255
+
+ o POP Key Length (2 octets) -- Length of the POP payload key. If
+ no POP algorithm is defined in the KEK policy, this field must
+ be zero.
+
+
+
+
+
+
+
+
+Baugher, et. al. Standards Track [Page 21]
+
+RFC 3547 GDOI Domain of Interpretation July 2003
+
+
+ o KEK Attributes -- Contains KEK policy attributes associated
+ with the group. The following sections describe the possible
+ attributes. Any or all attributes may be optional, depending on
+ the group policy.
+
+5.3.1. KEK Attributes
+
+ The following attributes may be present in a SAK Payload. The
+ attributes must follow the format defined in ISAKMP [RFC2408] section
+ 3.3. In the table, attributes that are defined as TV are marked as
+ Basic (B); attributes that are defined as TLV are marked as Variable
+ (V).
+
+ ID Class Value Type
+ -------- ----- ----
+ RESERVED 0
+ KEK_MANAGEMENT_ALGORITHM 1 B
+ KEK_ALGORITHM 2 B
+ KEK_KEY_LENGTH 3 B
+ KEK_KEY_LIFETIME 4 V
+ SIG_HASH_ALGORITHM 5 B
+ SIG_ALGORITHM 6 B
+ SIG_KEY_LENGTH 7 B
+ KE_OAKLEY_GROUP 8 B
+
+ The following attributes may only be included in a GROUPKEY-PULL
+ message: KEK_MANAGEMENT_ALGORITHM, KE_OAKLEY_GROUP.
+
+5.3.2. KEK_MANAGEMENT_ALGORITHM
+
+ The KEK_MANAGEMENT_ALGORITHM class specifies the group KEK management
+ algorithm used to provide forward or backward access control (i.e.,
+ used to exclude group members). Defined values are specified in the
+ following table.
+
+ KEK Management Type Value
+ ------------------- -----
+ RESERVED 0
+ LKH 1
+ RESERVED 2-127
+ Private Use 128-255
+
+
+
+
+
+
+
+
+
+
+Baugher, et. al. Standards Track [Page 22]
+
+RFC 3547 GDOI Domain of Interpretation July 2003
+
+
+5.3.3. KEK_ALGORITHM
+
+ The KEK_ALGORITHM class specifies the encryption algorithm using with
+ the KEK. Defined values are specified in the following table.
+
+ Algorithm Type Value
+ -------------- -----
+ RESERVED 0
+ KEK_ALG_DES 1
+ KEK_ALG_3DES 2
+ KEK_ALG_AES 3
+ RESERVED 4-127
+ Private Use 128-255
+
+ A GDOI implementation MUST support the KEK_ALG_3DES algorithm
+ attribute.
+
+ If a KEK_MANAGEMENT_ALGORITHM is defined which defines multiple keys
+ (e.g., LKH), and if the management algorithm does not specify the
+ algorithm for those keys, then the algorithm defined by the
+ KEK_ALGORITHM attribute MUST be used for all keys which are included
+ as part of the management.
+
+5.3.3.1. KEK_ALG_DES
+
+ This algorithm specifies DES using the Cipher Block Chaining (CBC)
+ mode as described in [FIPS81].
+
+5.3.3.2. KEK_ALG_3DES
+
+ This algorithm specifies 3DES using three independent keys as
+ described in "Keying Option 1" in [FIPS46-3].
+
+5.3.3.3. KEK_ALG_AES
+
+ This algorithm specifies AES as described in [FIPS197]. The mode of
+ operation for AES is Cipher Block Chaining (CBC) as recommended in
+ [AES-MODES].
+
+5.3.4. KEK_KEY_LENGTH
+
+ The KEK_KEY_LENGTH class specifies the KEK Algorithm key length (in
+ bits).
+
+
+
+
+
+
+
+
+Baugher, et. al. Standards Track [Page 23]
+
+RFC 3547 GDOI Domain of Interpretation July 2003
+
+
+5.3.5. KEK_KEY_LIFETIME
+
+ The KEK_KEY_LIFETIME class specifies the maximum time for which the
+ KEK is valid. The GCKS may refresh the KEK at any time before the
+ end of the valid period. The value is a four (4) octet number
+ defining a valid time period in seconds.
+
+5.3.6. SIG_HASH_ALGORITHM
+
+ SIG_HASH_ALGORITHM specifies the SIG payload hash algorithm. The
+ following tables define the algorithms for SIG_HASH_ALGORITHM.
+
+ Algorithm Type Value
+ -------------- -----
+ RESERVED 0
+ SIG_HASH_MD5 1
+ SIG_HASH_SHA1 2
+ RESERVED 3-127
+ Private Use 128-255
+
+ SIG_HASH_ALGORITHM is not required if the SIG_ALGORITHM is
+ SIG_ALG_DSS or SIG_ALG_ECDSS, which imply SIG_HASH_SHA1.
+
+5.3.7. SIG_ALGORITHM
+
+ The SIG_ALGORITHM class specifies the SIG payload signature
+ algorithm. Defined values are specified in the following table.
+
+ Algorithm Type Value
+ -------------- -----
+ RESERVED 0
+ SIG_ALG_RSA 1
+ SIG_ALG_DSS 2
+ SIG_ALG_ECDSS 3
+ RESERVED 4-127
+ Private Use 128-255
+
+ A GDOI implementation MUST support the following algorithm attribute:
+ SIG_ALG_RSA.
+
+5.3.7.1. SIG_ALG_RSA
+
+ This algorithm specifies the RSA digital signature algorithm as
+ described in [RSA].
+
+
+
+
+
+
+
+Baugher, et. al. Standards Track [Page 24]
+
+RFC 3547 GDOI Domain of Interpretation July 2003
+
+
+5.3.7.2. SIG_ALG_DSS
+
+ This algorithm specifies the DSS digital signature algorithm as
+ described in [FIPS186-2].
+
+5.3.7.3. SIG_ALG_ECDSS
+
+ This algorithm specifies the Elliptic Curve digital signature
+ algorithm as described in [FIPS186-2].
+
+5.3.8. SIG_KEY_LENGTH
+
+ The SIG_KEY_LENGTH class specifies the length of the SIG payload key.
+
+5.3.9. KE_OAKLEY_GROUP
+
+ The KE_OAKLEY_GROUP class defines the OAKLEY Group used to compute
+ the PFS secret in the optional KE payload of the GDOI GROUPKEY-PULL
+ exchange. This attribute uses the values assigned to Group
+ Definitions in the IANA IPsec-registry [IPSEC-REG].
+
+5.4. SA TEK Payload
+
+ The SA TEK (SAT) payload contains security attributes for a single
+ TEK associated with a group.
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
+ ! Next Payload ! RESERVED ! Payload Length !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
+ ! Protocol-ID ! TEK Protocol-Specific Payload ~
+ +-+-+-+-+-+-+-+-+ ~
+ ~ ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
+
+ The SAT Payload fields are defined as follows:
+
+ o Next Payload (1 octet) -- Identifies the next payload for the
+ GROUPKEY-PULL or the GROUPKEY-PUSH message. The only valid
+ next payload types for this message are another SAT Payload or
+ zero to indicate there are no more security association
+ attributes.
+
+ o RESERVED (1 octet) -- Must be zero.
+
+ o Payload Length (2 octets) -- Length of this payload, including
+ the TEK Protocol-Specific Payload.
+
+
+
+Baugher, et. al. Standards Track [Page 25]
+
+RFC 3547 GDOI Domain of Interpretation July 2003
+
+
+ o Protocol-ID (1 octet) -- Value specifying the Security
+ Protocol. The following table defines values for the Security
+ Protocol
+
+ Protocol ID Value
+ ----------- -----
+ RESERVED 0
+ GDOI_PROTO_IPSEC_ESP 1
+ RESERVED 2-127
+ Private Use 128-255
+
+ o TEK Protocol-Specific Payload (variable) -- Payload which
+ describes the attributes specific for the Protocol-ID.
+
+5.4.1. PROTO_IPSEC_ESP
+
+ The TEK Protocol-Specific payload for ESP is as follows:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
+ ! Protocol ! SRC ID Type ! SRC ID Port !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
+ !SRC ID Data Len! SRC Identification Data ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
+ ! DST ID Type ! DST ID Port !DST ID Data Len!
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
+ ! DST Identification Data ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
+ ! Transform ID ! SPI !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
+ ! SPI ! RFC 2407 SA Attributes ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
+
+ The SAT Payload fields are defined as follows:
+
+ o Protocol (1 octet) -- Value describing an IP protocol ID (e.g.,
+ UDP/TCP). A value of zero means that the Protocol field should
+ be ignored.
+
+ o SRC ID Type (1 octet) -- Value describing the identity
+ information found in the SRC Identification Data field.
+ Defined values are specified by the IPSEC Identification Type
+ section in the IANA isakmpd-registry [ISAKMP-REG].
+
+ o SRC ID Port (2 octets) -- Value specifying a port associated
+ with the source Id. A value of zero means that the SRC ID Port
+ field should be ignored.
+
+
+
+Baugher, et. al. Standards Track [Page 26]
+
+RFC 3547 GDOI Domain of Interpretation July 2003
+
+
+ o SRC ID Data Len (1 octet) -- Value specifying the length of the
+ SRC Identification Data field.
+
+ o SRC Identification Data (variable length) -- Value, as
+ indicated by the SRC ID Type. Set to three bytes of zero for
+ multiple-source multicast groups that use a common TEK for all
+ senders.
+
+ o DST ID Type (1 octet) -- Value describing the identity
+ information found in the DST Identification Data field.
+ Defined values are specified by the IPSEC Identification Type
+ section in the IANA isakmpd-registry [ISAKMP-REG].
+
+ o DST ID Prot (1 octet) -- Value describing an IP protocol ID
+ (e.g., UDP/TCP). A value of zero means that the DST Id Prot
+ field should be ignored.
+
+ o DST ID Port (2 octets) -- Value specifying a port associated
+ with the source Id. A value of zero means that the DST ID Port
+ field should be ignored.
+
+ o DST ID Data Len (1 octet) -- Value specifying the length of the
+ DST Identification Data field.
+
+ o DST Identification Data (variable length) -- Value, as
+ indicated by the DST ID Type.
+
+ o Transform ID (1 octet) -- Value specifying which ESP transform
+ is to be used. The list of valid values is defined in the
+ IPSEC ESP Transform Identifiers section of the IANA
+ isakmpd-registry [ISAKMP-REG].
+
+ o SPI (4 octets) -- Security Parameter Index for ESP.
+
+ o RFC 2407 Attributes -- ESP Attributes from RFC 2407 Section
+ 4.5. The GDOI supports all IPSEC DOI SA Attributes for
+ PROTO_IPSEC_ESP excluding the Group Description [RFC2407,
+ section 4.5], which MUST NOT be sent by a GDOI implementation
+ and is ignored by a GDOI implementation if received. All
+ mandatory IPSEC DOI attributes are mandatory in GDOI
+ PROTO_IPSEC_ESP. The Authentication Algorithm attribute of the
+ IPSEC DOI is group authentication in GDOI.
+
+
+
+
+
+
+
+
+
+Baugher, et. al. Standards Track [Page 27]
+
+RFC 3547 GDOI Domain of Interpretation July 2003
+
+
+5.4.2. Other Security Protocols
+
+ Besides ESP, GDOI should serve to establish SAs for secure groups
+ needed by other Security Protocols that operate at the transport,
+ application, and internetwork layers. These other Security
+ Protocols, however, are in the process of being developed or do not
+ yet exist.
+
+ The following information needs to be provided for a Security
+ Protocol to the GDOI.
+
+ o The Protocol-ID for the particular Security Protocol
+ o The SPI Size
+ o The method of SPI generation
+ o The transforms, attributes and keys needed by the Security
+ Protocol
+
+ All Security Protocols must provide the information in the bulleted
+ list above to guide the GDOI specification for that protocol.
+ Definitions for the support of those Security Protocols in GDOI will
+ be specified in separate documents.
+
+ A Security Protocol MAY protect traffic at any level of the network
+ stack. However, in all cases applications of the Security Protocol
+ MUST protect traffic which MAY be shared by more than two entities.
+
+5.5. Key Download Payload
+
+ The Key Download Payload contains group keys for the group specified
+ in the SA Payload. These key download payloads can have several
+ security attributes applied to them based upon the security policy of
+ the group as defined by the associated SA Payload.
+
+ When included as part of the Re-key SA with an optional KE payload,
+ The Key Download Payload will be xor'ed with the new Diffie-Hellman
+ shared secret. The xor operation will begin at the "Number of Key
+ Packets" field.
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
+ ! Next Payload ! RESERVED ! Payload Length !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
+ ! Number of Key Packets ! RESERVED2 !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
+ ~ Key Packets ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
+
+
+
+
+Baugher, et. al. Standards Track [Page 28]
+
+RFC 3547 GDOI Domain of Interpretation July 2003
+
+
+ The Key Download Payload fields are defined as follows:
+
+ o Next Payload (1 octet) -- Identifier for the payload type of
+ the next payload in the message. If the current payload is the
+ last in the message, then this field will be zero.
+
+ o RESERVED (1 octet) -- Unused, set to zero.
+
+ o Payload Length (2 octets) -- Length in octets of the current
+ payload, including the generic payload header.
+
+ o Number of Key Packets (2 octets) -- Contains the total number
+ of both TEK and Rekey arrays being passed in this data block.
+
+ o Key Packets
+ Several types of key packets are defined. Each Key Packet has
+ the following format.
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
+ ! KD Type ! RESERVED ! KD Length !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
+ ! SPI Size ! SPI (variable) ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
+ ~ Key Packet Attributes ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
+
+ o Key Download (KD) Type (1 octet) -- Identifier for the Key Data
+ field of this Key Packet.
+
+ Key Download Type Value
+ ----------------- -----
+ RESERVED 0
+ TEK 1
+ KEK 2
+ LKH 3
+ RESERVED 4-127
+ Private Use 128-255
+
+
+ "KEK" is a single key whereas LKH is an array of key-encrypting keys.
+
+ o RESERVED (1 octet) -- Unused, set to zero.
+
+ o Key Download Length (2 octets) -- Length in octets of the Key
+ Packet data, including the Key Packet header.
+
+
+
+
+Baugher, et. al. Standards Track [Page 29]
+
+RFC 3547 GDOI Domain of Interpretation July 2003
+
+
+ o SPI Size (1 octet) -- Value specifying the length in octets of
+ the SPI as defined by the Protocol-Id.
+
+ o SPI (variable length) -- Security Parameter Index which matches
+ a SPI previously sent in an SAK or SAT Payload.
+
+ o Key Packet Attributes (variable length) -- Contains Key
+ information. The format of this field is specific to the value
+ of the KD Type field. The following sections describe the
+ format of each KD Type.
+
+5.5.1. TEK Download Type
+
+ The following attributes may be present in a TEK Download Type.
+ Exactly one attribute matching each type sent in the SAT payload MUST
+ be present. The attributes must follow the format defined in ISAKMP
+ [RFC2408] section 3.3. In the table, attributes defined as TV are
+ marked as Basic (B); attributes defined as TLV are marked as Variable
+ (V).
+
+ TEK Class Value Type
+ --------- ----- ----
+ RESERVED 0
+ TEK_ALGORITHM_KEY 1 V
+ TEK_INTEGRITY_KEY 2 V
+ TEK_SOURCE_AUTH_KEY 3 V
+
+
+ If no TEK key packets are included in a Registration KD payload, the
+ group member can expect to receive the TEK as part of a Re-key SA.
+ At least one TEK must be included in each Re-key KD payload.
+ Multiple TEKs may be included if multiple streams associated with the
+ SA are to be rekeyed.
+
+5.5.1.1. TEK_ALGORITHM_KEY
+
+ The TEK_ALGORITHM_KEY class declares that the encryption key for this
+ SPI is contained as the Key Packet Attribute. The encryption
+ algorithm that will use this key was specified in the SAT payload.
+
+ In the case that the algorithm requires multiple keys (e.g., 3DES),
+ all keys will be included in one attribute.
+
+ DES keys will consist of 64 bits (the 56 key bits with parity bit).
+ Triple DES keys will be specified as a single 192 bit attribute
+ (including parity bits) in the order that the keys are to be used for
+ encryption (e.g., DES_KEY1, DES_KEY2, DES_KEY3).
+
+
+
+
+Baugher, et. al. Standards Track [Page 30]
+
+RFC 3547 GDOI Domain of Interpretation July 2003
+
+
+5.5.1.2. TEK_INTEGRITY_KEY
+
+ The TEK_INTEGRITY_KEY class declares that the integrity key for this
+ SPI is contained as the Key Packet Attribute. The integrity
+ algorithm that will use this key was specified in the SAT payload.
+ Thus, GDOI assumes that both the symmetric encryption and integrity
+ keys are pushed to the member. SHA keys will consist of 160 bits,
+ and MD5 keys will consist of 128 bits.
+
+5.5.1.3. TEK_SOURCE_AUTH_KEY
+
+ The TEK_SOURCE_AUTH_KEY class declares that the source authentication
+ key for this SPI is contained in the Key Packet Attribute. The
+ source authentication algorithm that will use this key was specified
+ in the SAT payload.
+
+5.5.2. KEK Download Type
+
+ The following attributes may be present in a KEK Download Type.
+ Exactly one attribute matching each type sent in the SAK payload MUST
+ be present. The attributes must follow the format defined in ISAKMP
+ [RFC2408] section 3.3. In the table, attributes defined as TV are
+ marked as Basic (B); attributes defined as TLV are marked as Variable
+ (V).
+
+ KEK Class Value Type
+ --------- ----- ----
+ RESERVED 0
+ KEK_ALGORITHM_KEY 1 V
+ SIG_ALGORITHM_KEY 2 V
+
+ If the KEK key packet is included, there MUST be only one present in
+ the KD payload.
+
+5.5.2.1. KEK_ALGORITHM_KEY
+
+ The KEK_ALGORITHM_KEY class declares the encryption key for this SPI
+ is contained in the Key Packet Attribute. The encryption algorithm
+ that will use this key was specified in the SAK payload.
+
+ If the mode of operation for the algorithm requires an Initialization
+ Vector (IV), an explicit IV MUST be included in the KEK_ALGORITHM_KEY
+ before the actual key.
+
+
+
+
+
+
+
+
+Baugher, et. al. Standards Track [Page 31]
+
+RFC 3547 GDOI Domain of Interpretation July 2003
+
+
+5.5.2.2. SIG_ALGORITHM_KEY
+
+ The SIG_ALGORITHM_KEY class declares that the public key for this SPI
+ is contained in the Key Packet Attribute, which may be useful when no
+ public key infrastructure is available. The signature algorithm that
+ will use this key was specified in the SAK payload.
+
+5.5.3. LKH Download Type
+
+ The LKH key packet is comprised of attributes representing different
+ leaves in the LKH key tree.
+
+ The following attributes are used to pass an LKH KEK array in the KD
+ payload. The attributes must follow the format defined in ISAKMP
+ [RFC2408] section 3.3. In the table, attributes defined as TV are
+ marked as Basic (B); attributes defined as TLV are marked as Variable
+ (V).
+
+ KEK Class Value Type
+ --------- ----- ----
+ RESERVED 0
+ LKH_DOWNLOAD_ARRAY 1 V
+ LKH_UPDATE_ARRAY 2 V
+ SIG_ALGORITHM_KEY 3 V
+ RESERVED 4-127
+ Private Use 128-255
+
+ If an LKH key packet is included in the KD payload, there must be
+ only one present.
+
+5.5.3.1. LKH_DOWNLOAD_ARRAY
+
+ This attribute is used to download a set of keys to a group member.
+ It MUST NOT be included in a GROUPKEY-PUSH message KD payload if the
+ GROUPKEY-PUSH is sent to more than the group member. If an
+ LKH_DOWNLOAD_ARRAY attribute is included in a KD payload, there must
+ be only one present.
+
+ This attribute consists of a header block, followed by one or more
+ LKH keys.
+
+
+
+
+
+
+
+
+
+
+
+Baugher, et. al. Standards Track [Page 32]
+
+RFC 3547 GDOI Domain of Interpretation July 2003
+
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! LKH Version ! # of LKH Keys ! RESERVED !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! LKH Keys !
+ ~ ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ The KEK_LKH attribute fields are defined as follows:
+
+ o LKH version (1 octet) -- Contains the version of the LKH
+ protocol which the data is formatted in. Must be one.
+
+ o Number of LKH Keys (2 octets) -- This value is the number of
+ distinct LKH keys in this sequence.
+
+ o RESERVED (1 octet) -- Unused, set to zero. Each LKH Key is
+ defined as follows:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! LKH ID ! Key Type ! RESERVED !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ~ Key Creation Date !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ~ Key expiration Date !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ~ Key Handle !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! !
+ ~ Key Data ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ o LKH ID (2 octets) -- This is the position of this key in the
+ binary tree structure used by LKH.
+
+ o Key Type (1 octet) -- This is the encryption algorithm for
+ which this key data is to be used. This value is specified in
+ Section 5.3.3.
+
+ o RESERVED (1 octet) -- Unused, set to zero.
+
+ o Key Creation Date (4 octets) -- This is the time value of when
+ this key data was originally generated. A time value of zero
+ indicates that there is no time before which this key is not
+ valid.
+
+
+
+Baugher, et. al. Standards Track [Page 33]
+
+RFC 3547 GDOI Domain of Interpretation July 2003
+
+
+ o Key Expiration Date (4 octets) -- This is the time value of
+ when this key is no longer valid for use. A time value of zero
+ indicates that this key does not have an expiration time.
+
+ o Key Handle (4 octets) -- This is the randomly generated value
+ to uniquely identify a key within an LKH ID.
+
+ o Key Data (variable length) -- This is the actual encryption key
+ data, which is dependent on the Key Type algorithm for its
+ format. If the mode of operation for the algorithm requires an
+ Initialization Vector (IV), an explicit IV MUST be included in
+ the Key Data field before the actual key.
+
+ The Key Creation Date and Key expiration Dates MAY be zero. This is
+ necessary in the case where time synchronization within the group is
+ not possible.
+
+ The first LKH Key structure in an LKH_DOWNLOAD_ARRAY attribute
+ contains the Leaf identifier and key for the group member. The rest
+ of the LKH Key structures contain keys along the path of the key tree
+ in order from the leaf, culminating in the group KEK.
+
+5.5.3.2. LKH_UPDATE_ARRAY
+
+ This attribute is used to update the keys for a group. It is most
+ likely to be included in a GROUPKEY-PUSH message KD payload to rekey
+ the entire group. This attribute consists of a header block,
+ followed by one or more LKH keys, as defined in Section 5.5.3.1
+
+ There may be any number of UPDATE_ARRAY attributes included in a KD
+ payload.
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! LKH Version ! # of LKH Keys ! RESERVED !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! LKH ID ! RESERVED2 !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Key Handle !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! LKH Keys !
+ ~ ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ o LKH version (1 octet) -- Contains the version of the LKH
+ protocol which the data is formatted in. Must be one.
+
+
+
+
+Baugher, et. al. Standards Track [Page 34]
+
+RFC 3547 GDOI Domain of Interpretation July 2003
+
+
+ o Number of LKH Keys (2 octets) -- This value is the number of
+ distinct LKH keys in this sequence.
+
+ o RESERVED (1 octet) -- Unused, set to zero.
+
+ o LKH ID (2 octets) -- This is the node identifier associated
+ with the key used to encrypt the first LKH Key.
+
+ o RESERVED2 (2 octets) -- Unused, set to zero.
+
+ o Key Handle (4 octets) -- This is the value to uniquely identify
+ the key within the LKH ID which was used to encrypt the first
+ LKH key.
+
+ The LKH Keys are as defined in Section 5.5.3.1. The LKH Key
+ structures contain keys along the path of the key tree in order from
+ the LKH ID found in the LKH_UPDATE_ARRAY header, culminating in the
+ group KEK. The Key Data field of each LKH Key is encrypted with the
+ LKH key preceding it in the LKH_UPDATE_ARRAY attribute. The first
+ LKH Key is encrypted under the key defined by the LKH ID and Key
+ Handle found in the LKH_UPDATE_ARRAY header.
+
+5.5.3.3. SIG_ALGORITHM_KEY
+
+ The SIG_ALGORITHM_KEY class declares that the public key for this SPI
+ is contained in the Key Packet Attribute, which may be useful when no
+ public key infrastructure is available. The signature algorithm that
+ will use this key was specified in the SAK payload.
+
+5.6. Sequence Number Payload
+
+ The Sequence Number Payload (SEQ) provides an anti-replay protection
+ for GROUPKEY-PUSH messages. Its use is similar to the Sequence
+ Number field defined in the IPsec ESP protocol [RFC2406].
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Next Payload ! RESERVED ! Payload Length !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Sequence Number !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ The Sequence Number Payload fields are defined as follows:
+
+ o Next Payload (1 octet) -- Identifier for the payload type of
+ the next payload in the message. If the current payload is the
+ last in the message, then this field will be zero.
+
+
+
+Baugher, et. al. Standards Track [Page 35]
+
+RFC 3547 GDOI Domain of Interpretation July 2003
+
+
+ o RESERVED (1 octet) -- Unused, set to zero.
+
+ o Payload Length (2 octets) -- Length in octets of the current
+ payload, including the generic payload header.
+
+ o Sequence Number (4 octets) -- This field contains a
+ monotonically increasing counter value for the group. It is
+ initialized to zero by the GCKS, and incremented in each
+ subsequently-transmitted message. Thus the first packet sent
+ for a given Rekey SA will have a Sequence Number of 1. The
+ GDOI implementation keeps a sequence counter as an attribute
+ for the Rekey SA and increments the counter upon receipt of a
+ GROUPKEY-PUSH message. The current value of the sequence
+ number must be transmitted to group members as a part of the
+ Registration SA SA payload. A group member must keep a sliding
+ receive window. The window must be treated as in the ESP
+ protocol [RFC2406] Section 3.4.3.
+
+5.7. Proof of Possession
+
+ The Proof of Possession Payload is used as part of group membership
+ authorization during a GDOI exchange. The Proof of Possession
+ Payload is identical to an ISAKMP SIG payload. However, the usage is
+ entirely different.
+
+ The GCKS, GCKS delegate or member signs a hash of the following
+ values:
+ POP_HASH = hash("pop" | Ni | Nr)
+ Where hash() is the hash function used with the signature.
+
+ The "pop" prefix ensures that the signature of the POP payload cannot
+ be used for any other purpose in the GDOI protocol.
+
+5.8. Nonce
+
+ The data portion of the Nonce payload (i.e., Ni_b and Nr_b included
+ in the HASHs) MUST be a value between 8 and 128 bytes.
+
+6. Security Considerations
+
+ GDOI is a security association (SA) management protocol for groups of
+ senders and receivers. Unlike a data security protocol, SA
+ management includes a key establishment protocol to securely
+ establish keys at communication endpoints. This protocol performs
+ entity authentication of the GDOI member or Group Controller/Key
+ Server (GCKS), it provides confidentiality of key management
+ messages, and it provides source authentication of those messages.
+ This protocol also uses best-known practices for defense against
+
+
+
+Baugher, et. al. Standards Track [Page 36]
+
+RFC 3547 GDOI Domain of Interpretation July 2003
+
+
+ man-in-middle, connection hijacking, replay, reflection, and
+ denial-of-service (DOS) attacks on unsecured networks [STS, RFC2522,
+ SKEME]. GDOI assumes the network is not secure and may be under the
+ complete control of an attacker.
+
+ GDOI assumes that the host computer is secure even though the network
+ is insecure. GDOI ultimately establishes keys among members of a
+ group, which MUST be trusted to use those keys in an authorized
+ manner according to group policy. The security of GDOI, therefore,
+ is as good as the degree to which group members can be trusted to
+ protect authenticators, encryption keys, decryption keys, and message
+ authentication keys.
+
+ There are three phases of GDOI as described in this document: an
+ ISAKMP Phase 1 protocol, a new exchange called GROUPKEY-PULL which is
+ protected by the ISAKMP Phase 1 protocol, and a new message called
+ GROUPKEY-PUSH. Each phase is considered separately below.
+
+6.1. ISAKMP Phase 1
+
+ As described in this document, GDOI uses the Phase 1 exchanges
+ defined in [RFC2409] to protect the GROUPKEY-PULL exchange.
+ Therefore all security properties and considerations of those
+ exchanges (as noted in [RFC2409]) are relevant for GDOI.
+
+ GDOI may inherit the problems of its ancestor protocols [FS00], such
+ as identity exposure, absence of unidirectional authentication, or
+ stateful cookies [PK01]. GDOI could benefit, however, from
+ improvements to its ancestor protocols just as it benefits from years
+ of experience and work embodied in those protocols. To reap the
+ benefits of future IKE improvements, however, GDOI would need to be
+ revised in a future standards-track RFC, which is beyond the scope of
+ this specification.
+
+6.1.1. Authentication
+
+ Authentication is provided via the mechanisms defined in [RFC2409],
+ namely Pre-Shared Keys or Public Key encryption.
+
+6.1.2. Confidentiality
+
+ Confidentiality is achieved in Phase 1 through a Diffie-Hellman
+ exchange that provides keying material, and through negotiation of
+ encryption transforms.
+
+
+
+
+
+
+
+Baugher, et. al. Standards Track [Page 37]
+
+RFC 3547 GDOI Domain of Interpretation July 2003
+
+
+ The Phase 1 protocol will be protecting encryption and integrity keys
+ sent in the GROUPKEY-PULL protocol. The strength of the encryption
+ used for Phase 1 SHOULD exceed that of the keys send in the
+ GROUPKEY-PULL protocol.
+
+6.1.3. Man-in-the-Middle Attack Protection
+
+ A successful man-in-the-middle or connection-hijacking attack foils
+ entity authentication of one or more of the communicating entities
+ during key establishment. GDOI relies on Phase 1 authentication to
+ defeat man-in-the-middle attacks.
+
+6.1.4. Replay/Reflection Attack Protection
+
+ In a replay/reflection attack, an attacker captures messages between
+ GDOI entities and subsequently forwards them to a GDOI entity.
+ Replay and reflection attacks seek to gain information from a
+ subsequent GDOI message response or seek to disrupt the operation of
+ a GDOI member or GCKS entity. GDOI relies on the Phase 1 nonce
+ mechanism in combination with a hash-based message authentication
+ code to protect against the replay or reflection of previous key
+ management messages.
+
+6.1.5. Denial of Service Protection
+
+ A denial of service attacker sends messages to a GDOI entity to cause
+ that entity to perform unneeded message authentication operations.
+ GDOI uses the Phase 1 cookie mechanism to identify spurious messages
+ prior to cryptographic hash processing. This is a "weak" form of
+ denial of service protection in that the GDOI entity must check for
+ good cookies, which can be successfully imitated by a sophisticated
+ attacker. The Phase 1 cookie mechanism is stateful, and commits
+ memory resources for cookies, but stateless cookies are a better
+ defense against denial of service attacks.
+
+6.2. GROUPKEY-PULL Exchange
+
+ The GROUPKEY-PULL exchange allows a group member to request SAs and
+ keys from a GCKS. It runs as a "phase 2" protocol under protection
+ of the Phase 1 security association.
+
+6.2.1. Authentication
+
+ Peer authentication is not required in the GROUPKEY-PULL protocol.
+ It is running in the context of the Phase 1 protocol, which has
+ previously authenticated the identity of the peer.
+
+
+
+
+
+Baugher, et. al. Standards Track [Page 38]
+
+RFC 3547 GDOI Domain of Interpretation July 2003
+
+
+ Message authentication is provided by HASH payloads in each message,
+ where the HASH is defined to be over SKEYID_a (derived in the Phase 1
+ exchange), the ISAKMP Message-ID, and all payloads in the message.
+ Because only the two endpoints of the exchange know the SKEYID_a
+ value, this provides confidence that the peer sent the message.
+
+6.2.2. Confidentiality
+
+ Confidentiality is provided by the Phase 1 security association,
+ after the manner described in [RFC2409].
+
+6.2.3. Man-in-the-Middle Attack Protection
+
+ Message authentication (described above) includes a secret known only
+ to the group member and GCKS when constructing a HASH payload. This
+ prevents man-in-the-middle and connection-hijacking attacks because
+ an attacker would not be able to change the message undetected.
+
+6.2.4. Replay/Reflection Attack Protection
+
+ Nonces provide freshness of the GROUPKEY-PULL exchange. The group
+ member and GCKS exchange nonce values first two messages. These
+ nonces are included in subsequent HASH payload calculations. The
+ Group member and GCKS MUST NOT perform any computationally expensive
+ tasks before receiving a HASH with its own nonce included. The GCKS
+ MUST NOT update the group management state (e.g., LKH key tree) until
+ it receives the third message in the exchange with a valid HASH
+ payload including its own nonce.
+
+ Implementations SHOULD keep a record of recently received
+ GROUPKEY-PULL messages and reject messages that have already been
+ processed. This enables an early discard of the replayed messages.
+
+6.2.5. Denial of Service Protection
+
+ A GROUPKEY-PULL message identifies its messages using a cookie pair
+ from the Phase 1 exchange that precedes it. The cookies provide a
+ weak form of denial of service protection as described above, in the
+ sense that a GROUPKEY-PULL message with invalid cookies will be
+ discarded.
+
+ The replay protection mechanisms described above provide the basis
+ for denial of service protection.
+
+
+
+
+
+
+
+
+Baugher, et. al. Standards Track [Page 39]
+
+RFC 3547 GDOI Domain of Interpretation July 2003
+
+
+6.2.6. Authorization
+
+ The CERT payload in a GROUPKEY-PULL exchange allows a group member or
+ GCKS to submit a certificate containing authorization attributes to
+ the peer as well as identifying a public/private key pair. The
+ GROUPKEY-PULL POP payload enables authorization to be accomplished
+ where the authorization infrastructure is different than the
+ GROUPKEY-PULL authentication infrastructure by proving that it is in
+ possession of the private key.
+
+6.3. GROUPKEY-PUSH Exchange
+
+ The GROUPKEY-PUSH exchange is a single message that allows a GCKS to
+ send SAs and keys to group members. This is likely to be sent to all
+ members using an IP multicast group. This provides an efficient
+ rekey and group membership adjustment capability.
+
+6.3.1. Authentication
+
+ The GROUPKEY-PULL exchange identifies a public key that is used for
+ message authentication. The GROUPKEY-PUSH message is digitally
+ signed using the corresponding private key held by the GCKS or its
+ delegate. This digital signature provides source authentication for
+ the message. Thus, GDOI protects the GCKS from impersonation in
+ group environments.
+
+6.3.2. Confidentiality
+
+ The GCKS encrypts the GROUPKEY-PUSH message with an encryption key
+ that was established by the GROUPKEY-PULL exchange.
+
+6.3.3. Man-in-the-Middle Attack Protection
+
+ This combination of confidentiality and message authentication
+ services protects the GROUPKEY-PUSH message from man-in-middle and
+ connection-hijacking attacks.
+
+6.3.4. Replay/Reflection Attack Protection
+
+ The GROUPKEY-PUSH message includes a monotonically increasing
+ sequence number to protect against replay and reflection attacks. A
+ group member will recognize a replayed message by comparing the
+ sequence number to a sliding window, in the same manner as the ESP
+ protocol uses sequence numbers.
+
+ Implementations SHOULD keep a record of recently received
+ GROUPKEY-PUSH messages and reject duplicate messages. This enables
+ an early discard of the replayed messages.
+
+
+
+Baugher, et. al. Standards Track [Page 40]
+
+RFC 3547 GDOI Domain of Interpretation July 2003
+
+
+6.3.5. Denial of Service Protection
+
+ A cookie pair identifies the security association for the
+ GROUPKEY-PUSH message. The cookies thus serve as a weak form of
+ denial-of-service protection for the GROUPKEY-PUSH message.
+
+ The digital signature used for message authentication has a much
+ greater computational cost than a message authentication code and
+ could amplify the effects of a denial of service attack on GDOI
+ members who process GROUPKEY-PUSH messages. The added cost of
+ digital signatures is justified by the need to prevent GCKS
+ impersonation: If a shared symmetric key were used for
+ GROUPKEY-PUSH message authentication, then GCKS source authentication
+ would be impossible and any member would be capable of GCKS
+ impersonation.
+
+ The potential of the digital signature amplifying a denial of service
+ attack is mitigated by the order of operations a group member takes,
+ where the least expensive cryptographic operation is performed first.
+ The group member first decrypts the message using a symmetric cipher.
+ If it is a validly formed message then the sequence number is checked
+ against the replay window. Only if the sequence number is valid is
+ the digital signature verified. Thus in order for a denial of
+ service attack to be mounted, an attacker would need to know both the
+ symmetric encryption key used for confidentiality, and a valid
+ sequence number. Generally speaking this means only current group
+ members can effectively deploy a denial of service attack.
+
+6.3.6. Forward Access Control
+
+ If a group management algorithm (such as LKH) is used, forward access
+ control may not be ensured in some cases. This can happen if some
+ group members are denied access to the group in the same
+ GROUPKEY-PUSH message as new policy and TEKs are delivered to the
+ group. As discussed in Section 4.2.1, forward access control can be
+ maintained by sending multiple GROUPKEY-PUSH messages, where the
+ group membership changes are sent from the GCKS separate from the new
+ policy and TEKs.
+
+7. IANA Considerations
+
+7.1. ISAKMP DOI
+
+ An ISAKMP DOI number is needed to identify an SA payload as a GDOI SA
+ payload. The IANA has assigned the value 2 to represent GDOI.
+
+
+
+
+
+
+Baugher, et. al. Standards Track [Page 41]
+
+RFC 3547 GDOI Domain of Interpretation July 2003
+
+
+7.2. Payload Types
+
+ The present document defines new ISAKMP Next Payload types. See
+ Section 5.0 for the payloads defined in this document, including the
+ Next Payload values defined by the IANA to identify these payloads.
+
+7.3. New Name spaces
+
+ The present document describes many new name spaces for use in the
+ GDOI payloads. Those may be found in subsections under Section 5.0.
+ A new GDOI registry has been created for these name spaces.
+
+ Portions of name spaces marked "RESERVED" are reserved for IANA
+ allocation. New values MUST be added due to a Standards Action as
+ defined in [RFC2434].
+
+ Portions of name spaces marked "Private Use" may be allocated by
+ implementations for their own purposes.
+
+7.4. UDP Port
+
+ The IANA has assigned port 848 for use by GDOI.
+
+8. Intellectual Property Rights Statement
+
+ The IETF takes no position regarding the validity or scope of any
+ intellectual property or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; neither does it represent that it
+ has made any effort to identify any such rights. Information on the
+ IETF's procedures with respect to rights in standards-track and
+ standards-related documentation can be found in BCP-11. Copies of
+ claims of rights made available for publication and any assurances of
+ licenses to be made available, or the result of an attempt made to
+ obtain a general license or permission for the use of such
+ proprietary rights by implementors or users of this specification can
+ be obtained from the IETF Secretariat.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights which may cover technology that may be required to practice
+ this standard. Please address the information to the IETF Executive
+ Director.
+
+
+
+
+
+
+
+Baugher, et. al. Standards Track [Page 42]
+
+RFC 3547 GDOI Domain of Interpretation July 2003
+
+
+9. Acknowledgements
+
+ The authors thank Ran Canetti, Cathy Meadows, Andrea Colegrove, and
+ Lakshminath Dondeti. Ran has advised the authors on secure group
+ cryptography, which has led to changes in the exchanges and payload
+ definitions. Cathy identified several problems in previous versions
+ of this document, including a replay attack against the proof of
+ possession exchange, as well as several man-in-the-middle attacks.
+ Andrea contributed to the group policy section of this document.
+ Lakshminath identified several protocol issues that needed further
+ specification and helped to resolve them.
+
+10. References
+
+10.1. Normative References
+
+ [AES-MODES] "Recommendation for Block Cipher Modes of Operation",
+ United States of American, National Institute of Science
+ and Technology, NIST Special Publication 800-38A 2001
+ Edition, December 2001.
+
+ [FIPS46-3] "Data Encryption Standard (DES)", United States of
+ American, National Institute of Science and Technology,
+ Federal Information Processing Standard (FIPS) 46-3,
+ October 1999.
+
+ [FIPS81] "DES Modes of Operation", United States of American,
+ National Institute of Science and Technology, Federal
+ Information Processing Standard (FIPS) 81, December
+ 1980.
+
+ [FIPS186-2] "Digital Signature Standard (DSS)", United States of
+ American, National Institute of Science and Technology,
+ Federal Information Processing Standard (FIPS) 186-2,
+ January 2000.
+
+ [FIPS197] "Advanced Encryption Standard (AES)", United States of
+ American, National Institute of Science and Technology,
+ Federal Information Processing Standard (FIPS) 197,
+ November 2001.
+
+ [IPSEC-REG] http://www.iana.org/assignments/ipsec-registry
+
+ [ISAKMP-REG] http://www.iana.org/assignments/isakmp-registry
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Level", BCP 14, RFC 2119, March 1997.
+
+
+
+
+Baugher, et. al. Standards Track [Page 43]
+
+RFC 3547 GDOI Domain of Interpretation July 2003
+
+
+ [RFC2401] Kent, S. and R. Atkinson, "Security Architecture for the
+ Internet Protocol", RFC 2401, November 1998
+
+ [RFC2406] Kent, S. and R. Atkinson, "IP Encapsulating Security
+ Payload (ESP)", RFC 2406, November 1998.
+
+ [RFC2407] Piper, D., "The Internet IP Domain of Interpretation for
+ ISAKMP", RFC 2407, November 1998.
+
+ [RFC2408] Maughan, D., Shertler, M., Schneider, M. and J. Turner,
+ "Internet Security Association and Key Management
+ Protocol", RFC 2408, November 1998.
+
+ [RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange
+ (IKE)", RFC 2409, November 1998.
+
+ [RFC2412] Orman, H., "The OAKLEY Key Determination Protocol", RFC
+ 2412, November 1998.
+
+ [RFC2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an
+ IANA Considerations Section in RFCs", BCP 26, RFC 2434,
+ October 1998.
+
+ [RFC2522] Karn, P. and W. Simpson, "Photuris: Session-Key
+ Management Protocol", RFC 2522, March 1999.
+
+ [RFC2627] Wallner, D., Harder, E. and R. Agee, "Key Management for
+ Multicast: Issues and Architectures", RFC 2627,
+ September 1998.
+
+ [RSA] RSA Laboratories, "PKCS #1 v2.0: RSA Encryption
+ Standard", October 1998.
+
+10.2. Informative References
+
+ [FS00] N. Ferguson and B. Schneier, "A Cryptographic Evaluation
+ of IPsec, CounterPane",
+ http://www.counterpane.com/ipsec.html.
+
+ [GKMARCH] M. Baugher, R. Canetti, L. Dondeti, F. Lindholm, "Group
+ Key Management Architecture", Work in Progress.
+
+ [IKEv2] D. Harkins, et. al., "Proposal for the IKEv2 protocol",
+ Work In Progress.
+
+ [KINK] M. Thomas, J. Vilhuber, "Kerberized Internet Negotiation
+ of Keys (KINK)", Work in Progress.
+
+
+
+
+Baugher, et. al. Standards Track [Page 44]
+
+RFC 3547 GDOI Domain of Interpretation July 2003
+
+
+ [NNL] D. Naor, M. Naor and J. Lotspiech, "Revocation and
+ Tracing Schemes for Stateless Receivers", Advances in
+ Cryptology, Crypto '01, Springer-Verlag LNCS 2139, 2001,
+ pp. 41-62. A full version of the paper appears in
+ http://www.wisdom.weizmann.ac.il/~naor/.
+
+ [OFT] D. Mcgrew and A. Sherman, "Key Establishment in Large
+ Dynamic Groups Using One-Way Function Trees", Manuscript
+ submitted to IEEE Transactions on Software Engineering.
+ A full version of the paper
+ appears in http://download.nai.com/products/media/nai/
+ misc/oft052098.ps, 1998
+
+ [PK01] R.Perlman, C.Kaufman, "Analysis of the IPsec Key
+ Exchange Standard", WET-ICE conference, 2001.
+ http://sec.femto.org/wetice-2001/papers/radia-paper.pdf
+
+ [RFC2093] Harney, H., and C. Muckenhirn, "Group Key Management
+ Protocol (GKMP) Specification," RFC 2093, July 1997.
+
+ [RFC2094] Harney, H. and C. Muckenhirn, "Group Key Management
+ Protocol (GKMP) Architecture," RFC 2094, July 1997.
+
+ [RFC2367] McDonald, D., Metz, C. and B. Phan, "PF_KEY Key
+ Management API, Version 2", RFC 2367, July 1998.
+
+ [RFC3550] Schulzrinne, H., Casner, S., Jacobson, V. and R.
+ Frederick, "RTP: A Transport Protocol for Real-Time
+ Applications", RFC 3550, June 2003.
+
+ [SKEME] H. Krawczyk, "SKEME: A Versatile Secure Key Exchange
+ Mechanism for Internet", ISOC Secure Networks and
+ Distributed Systems Symposium, San Diego, 1996.
+
+ [STS] Diffie, P. van Oorschot, M. J. Wiener, "Authentication
+ and Authenticated Key Exchanges, Designs, Codes and
+ Cryptography", 2, 107-125 (1992), Kluwer Academic
+ Publishers.
+
+
+
+
+
+
+
+
+
+
+
+
+
+Baugher, et. al. Standards Track [Page 45]
+
+RFC 3547 GDOI Domain of Interpretation July 2003
+
+
+Appendix A: Alternate GDOI Phase 1 protocols
+
+ This section describes a manner in which other protocols could be
+ used as GDOI Phase 1 protocols in place of the ISAKMP Phase 1
+ protocol. However, they are not specified as a part of this
+ document. A separate document MUST be written in order for another
+ protocol to be used as a GDOI Phase 1 protocol.
+
+ Other possible phase 1 protocols are also described in [GKMARCH].
+
+ Any GDOI phase 1 protocol MUST satisfy the requirements specified in
+ Section 2 of this document.
+
+A.1. IKEv2 Phase 1 protocol
+
+ Version 2 of the IKE protocol (IKEv2) is a work in progress [IKEv2].
+ That protocol seeks to simplify the IKE Phase 1 and Phase 2
+ protocols, and improve the security of the IKE protocol. An IKEv2
+ Phase 1 negotiates an IPSEC SA during phase 1, which was not possible
+ in IKE. However, IKEv2 also defines a phase 2 protocol. The phase 2
+ protocol is protected by the Phase 1, similar in concept to how IKE
+ Quick Mode is protected by the IKE Phase 1 protocols in [RFC2409].
+
+ IKEv2 may not include a DOI value in the SA payload. However, since
+ GDOI uses a unique port, choice of a phase 2 protocol in the SA
+ payload using a GDOI value is not necessary. It is expected that an
+ IKEv2 Phase 1 protocol definition could be run on the GDOI port. The
+ SA payload in the protocol would be specific to GDOI, or omitted if
+ not needed at all.
+
+ The GROUPKEY-PULL protocol would follow the IKEv2 Phase 1 protocol in
+ the same manner as described in this document.
+
+A.2. KINK Protocol
+
+ A work in progress [KINK] has defined a method of encapsulating an
+ IKE Quick Mode [RFC2409] encapsulated in Kerberos KRB_AP_REQ and
+ KRB_AP_REP payloads. KINK provides a low-latency, computationally
+ inexpensive, easily managed, and cryptographically sound method of
+ setting up IPSec security associations.
+
+ The KINK message format includes a GDOI field in the KINK header.
+ The [KINK] document defines the DOI for the IPSEC DOI.
+
+ A new DOI for KINK could be defined which would encapsulate a
+ GROUPKEY-PULL exchange in the Kerberos KRB_AP_REQ and KRB_AP_REP
+ payloads. As such, GDOI would benefit from the computational
+ efficiencies of KINK.
+
+
+
+Baugher, et. al. Standards Track [Page 46]
+
+RFC 3547 GDOI Domain of Interpretation July 2003
+
+
+Authors' Addresses
+
+ Mark Baugher
+ Cisco Systems
+ 5510 SW Orchid Street
+ Portland, OR 97219, USA
+
+ Phone: (503) 245-4543
+ EMail: mbaugher@cisco.com
+
+
+ Thomas Hardjono
+ VeriSign
+ 401 Edgewater Place, Suite 280
+ Wakefield, MA 01880
+
+ Phone: 781-245-6996
+ EMail: thardjono@verisign.com
+
+
+ Hugh Harney
+ Sparta
+ 9861 Broken Land Parkway
+ Columbia, MD 21046
+
+ Phone: (410) 381-9400 x203
+ EMail: hh@sparta.com
+
+
+ Brian Weis
+ Cisco Systems
+ 170 W. Tasman Drive,
+ San Jose, CA 95134-1706, USA
+
+ Phone: (408) 526-4796
+ EMail: bew@cisco.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Baugher, et. al. Standards Track [Page 47]
+
+RFC 3547 GDOI Domain of Interpretation July 2003
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Baugher, et. al. Standards Track [Page 48]
+