1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244
2245
2246
2247
2248
2249
2250
2251
2252
2253
2254
2255
2256
2257
2258
2259
2260
2261
2262
2263
2264
2265
2266
2267
2268
2269
2270
2271
2272
2273
2274
2275
2276
2277
2278
2279
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
2299
2300
2301
2302
2303
2304
2305
2306
2307
2308
2309
2310
2311
2312
2313
2314
2315
2316
2317
2318
2319
2320
2321
2322
2323
2324
2325
2326
2327
2328
2329
2330
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
2341
2342
2343
2344
2345
2346
2347
2348
2349
2350
2351
2352
2353
2354
2355
2356
2357
2358
2359
2360
2361
2362
2363
2364
2365
2366
2367
2368
2369
2370
2371
2372
2373
2374
2375
2376
2377
2378
2379
2380
2381
2382
2383
2384
2385
2386
2387
2388
2389
2390
2391
2392
2393
2394
2395
2396
2397
2398
2399
2400
2401
2402
2403
2404
2405
2406
2407
2408
2409
2410
2411
2412
2413
2414
2415
2416
2417
2418
2419
2420
2421
2422
2423
2424
2425
2426
2427
2428
2429
2430
2431
2432
2433
2434
2435
2436
2437
2438
2439
2440
2441
2442
2443
2444
2445
2446
2447
2448
2449
2450
2451
2452
2453
2454
2455
2456
2457
2458
2459
2460
2461
2462
2463
2464
2465
2466
2467
2468
2469
2470
2471
2472
2473
2474
2475
2476
2477
2478
2479
2480
2481
2482
2483
2484
2485
2486
2487
2488
2489
2490
2491
2492
2493
2494
2495
2496
2497
2498
2499
2500
2501
2502
2503
2504
2505
2506
2507
2508
2509
2510
2511
2512
2513
2514
2515
2516
2517
2518
2519
2520
2521
2522
2523
2524
2525
2526
2527
2528
2529
2530
2531
2532
2533
2534
2535
2536
2537
2538
2539
2540
2541
2542
2543
2544
2545
2546
2547
2548
2549
2550
2551
2552
2553
2554
2555
2556
2557
2558
2559
2560
2561
2562
2563
2564
2565
2566
2567
2568
2569
2570
2571
2572
2573
2574
2575
2576
2577
2578
2579
2580
2581
2582
2583
2584
2585
2586
2587
2588
2589
2590
2591
2592
2593
2594
2595
2596
2597
2598
2599
2600
2601
2602
2603
2604
2605
2606
2607
2608
2609
2610
2611
2612
2613
2614
2615
2616
2617
2618
2619
2620
2621
2622
2623
2624
2625
2626
2627
2628
2629
2630
2631
2632
2633
2634
2635
2636
2637
2638
2639
2640
2641
2642
2643
2644
2645
2646
2647
2648
2649
2650
2651
2652
2653
2654
2655
2656
2657
2658
2659
2660
2661
2662
2663
2664
2665
2666
2667
2668
2669
2670
2671
2672
2673
2674
2675
2676
2677
2678
2679
2680
2681
2682
2683
2684
2685
2686
2687
2688
2689
2690
2691
|
Network Working Group M. Baugher
Request for Comments: 3547 B. Weis
Category: Standards Track Cisco
T. Hardjono
Verisign
H. Harney
Sparta
July 2003
The Group Domain of Interpretation
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2003). All Rights Reserved.
Abstract
This document presents an ISAMKP Domain of Interpretation (DOI) for
group key management to support secure group communications. The
GDOI manages group security associations, which are used by IPSEC and
potentially other data security protocols running at the IP or
application layers. These security associations protect one or more
key-encrypting keys, traffic-encrypting keys, or data shared by group
members.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. GDOI Applications. . . . . . . . . . . . . . . . . . . . 5
1.2. Extending GDOI . . . . . . . . . . . . . . . . . . . . . 5
2. GDOI Phase 1 protocol. . . . . . . . . . . . . . . . . . . . . 6
2.1. ISAKMP Phase 1 protocol. . . . . . . . . . . . . . . . . 6
2.1.1. DOI value. . . . . . . . . . . . . . . . . . . . 6
2.1.2. UDP port . . . . . . . . . . . . . . . . . . . . 6
3. GROUPKEY-PULL Exchange . . . . . . . . . . . . . . . . . . . . 6
3.1. Authorization. . . . . . . . . . . . . . . . . . . . . . 7
3.2. Messages . . . . . . . . . . . . . . . . . . . . . . . . 7
3.2.1. Perfect Forward Secrecy. . . . . . . . . . . . . 9
3.2.2. ISAKMP Header Initialization . . . . . . . . . . 9
Baugher, et. al. Standards Track [Page 1]
^L
RFC 3547 GDOI Domain of Interpretation July 2003
3.3. Initiator Operations . . . . . . . . . . . . . . . . . . 10
3.4. Receiver Operations. . . . . . . . . . . . . . . . . . . 11
4. GROUPKEY-PUSH Message. . . . . . . . . . . . . . . . . . . . . 11
4.1. Perfect Forward Secrecy (PFS). . . . . . . . . . . . . . 12
4.2. Forward and Backward Access Control. . . . . . . . . . . 12
4.2.1. Forward Access Control Requirements. . . . . . . 13
4.3. Delegation of Key Management . . . . . . . . . . . . . . 14
4.4. Use of signature keys. . . . . . . . . . . . . . . . . . 14
4.5. ISAKMP Header Initialization . . . . . . . . . . . . . . 14
4.6. Deletion of SAs. . . . . . . . . . . . . . . . . . . . . 14
4.7. GCKS Operations. . . . . . . . . . . . . . . . . . . . . 15
4.8. Group Member Operations. . . . . . . . . . . . . . . . . 16
5. Payloads and Defined Values. . . . . . . . . . . . . . . . . . 16
5.1. Identification Payload . . . . . . . . . . . . . . . . . 17
5.1.1. Identification Type Values . . . . . . . . . . . 18
5.2. Security Association Payload . . . . . . . . . . . . . . 18
5.2.1. Payloads following the SA payload. . . . . . . . 19
5.3. SA KEK payload . . . . . . . . . . . . . . . . . . . . . 19
5.3.1. KEK Attributes . . . . . . . . . . . . . . . . . 22
5.3.2. KEK_MANAGEMENT_ALGORITHM . . . . . . . . . . . . 22
5.3.3. KEK_ALGORITHM. . . . . . . . . . . . . . . . . . 23
5.3.4. KEK_KEY_LENGTH . . . . . . . . . . . . . . . . . 23
5.3.5. KEK_KEY_LIFETIME . . . . . . . . . . . . . . . . 24
5.3.6. SIG_HASH_ALGORITHM . . . . . . . . . . . . . . . 24
5.3.7. SIG_ALGORITHM. . . . . . . . . . . . . . . . . . 24
5.3.8. SIG_KEY_LENGTH . . . . . . . . . . . . . . . . . 25
5.3.9. KE_OAKLEY_GROUP. . . . . . . . . . . . . . . . . 25
5.4. SA TEK Payload . . . . . . . . . . . . . . . . . . . . . 25
5.4.1. PROTO_IPSEC_ESP. . . . . . . . . . . . . . . . . 26
5.4.2. Other Security Protocols . . . . . . . . . . . . 28
5.5. Key Download Payload . . . . . . . . . . . . . . . . . . 28
5.5.1. TEK Download Type. . . . . . . . . . . . . . . . 30
5.5.2. KEK Download Type. . . . . . . . . . . . . . . . 31
5.5.3. LKH Download Type. . . . . . . . . . . . . . . . 32
5.6. Sequence Number Payload. . . . . . . . . . . . . . . . . 35
5.7. Proof of Possession. . . . . . . . . . . . . . . . . . . 36
5.8. Nonce. . . . . . . . . . . . . . . . . . . . . . . . . . 36
6. Security Considerations. . . . . . . . . . . . . . . . . . . . 36
6.1. ISAKMP Phase 1 . . . . . . . . . . . . . . . . . . . . . 37
6.1.1. Authentication . . . . . . . . . . . . . . . . . 37
6.1.2. Confidentiality. . . . . . . . . . . . . . . . . 37
6.1.3. Man-in-the-Middle Attack Protection. . . . . . . 38
6.1.4. Replay/Reflection Attack Protection. . . . . . . 38
6.1.5. Denial of Service Protection . . . . . . . . . . 38
6.2. GROUPKEY-PULL Exchange . . . . . . . . . . . . . . . . . 38
6.2.1. Authentication . . . . . . . . . . . . . . . . . 38
6.2.2. Confidentiality. . . . . . . . . . . . . . . . . 39
6.2.3. Man-in-the-Middle Attack Protection. . . . . . . 39
Baugher, et. al. Standards Track [Page 2]
^L
RFC 3547 GDOI Domain of Interpretation July 2003
6.2.4. Replay/Reflection Attack Protection. . . . . . . 39
6.2.5. Denial of Service Protection . . . . . . . . . . 39
6.2.6. Authorization. . . . . . . . . . . . . . . . . . 40
6.3. GROUPKEY-PUSH Exchange . . . . . . . . . . . . . . . . . 40
6.3.1. Authentication . . . . . . . . . . . . . . . . . 40
6.3.2. Confidentiality. . . . . . . . . . . . . . . . . 40
6.3.3. Man-in-the-Middle Attack Protection. . . . . . . 40
6.3.4. Replay/Reflection Attack Protection. . . . . . . 40
6.3.5. Denial of Service Protection . . . . . . . . . . 41
6.3.6. Forward Access Control . . . . . . . . . . . . . 41
7. IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 41
7.1. ISAKMP DOI . . . . . . . . . . . . . . . . . . . . . . . 41
7.2. Payload Types. . . . . . . . . . . . . . . . . . . . . . 42
7.3. New Name spaces. . . . . . . . . . . . . . . . . . . . . 42
7.4. UDP Port . . . . . . . . . . . . . . . . . . . . . . . . 42
8. Intellectual Property Rights Statement . . . . . . . . . . . . 42
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 43
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 43
10.1. Normative References . . . . . . . . . . . . . . . . . . 43
10.2. Informative References . . . . . . . . . . . . . . . . . 44
Appendix A: Alternate GDOI Phase 1 protocols . . . . . . . . . . . 46
A.1. IKEv2 Phase 1 protocol . . . . . . . . . . . . . . . . . 46
A.2. KINK Protocol. . . . . . . . . . . . . . . . . . . . . . 46
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 47
Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 48
1. Introduction
This document presents an ISAMKP Domain of Interpretation (DOI) for
group key management called the "Group Domain of Interpretation"
(GDOI). In this group key management model, the GDOI protocol is run
between a group member and a "group controller/key server" (GCKS),
which establishes security associations [Section 4.6.2 RFC2401] among
authorized group members. ISAKMP defines two "phases" of negotiation
[p.16 RFC2408]. The GDOI MUST be protected by a Phase 1 security
association. This document incorporates the Phase 1 security
association (SA) definition from the Internet DOI [RFC2407, RFC2409].
Other possible Phase 1 security association types are noted in
Appendix A. The Phase 2 exchange is defined in this document, and
proposes new payloads and exchanges according to the ISAKMP standard
[p. 14 RFC2408].
There are six new payloads:
1) GDOI SA
2) SA KEK (SAK) which follows the SA payload
3) SA TEK (SAT) which follows the SA payload
Baugher, et. al. Standards Track [Page 3]
^L
RFC 3547 GDOI Domain of Interpretation July 2003
4) Key Download Array (KD)
5) Sequence number (SEQ)
6) Proof of Possession (POP)
There are two new exchanges.
1) A Phase 2 exchange creates Re-key and Data-Security Protocol SAs.
The new Phase 2 exchange, called "GROUPKEY-PULL," downloads keys for
a group's "Re-key" SA and/or "Data-security" SA. The Re-key SA
includes a key encrypting key, or KEK, common to the group; a
Data-security SA includes a data encryption key, or TEK, used by a
data-security protocol to encrypt or decrypt data traffic [Section
2.1 RFC2407]. The SA for the KEK or TEK includes authentication
keys, encryption keys, cryptographic policy, and attributes. The
GROUPKEY-PULL exchange uses "pull" behavior since the member
initiates the retrieval of these SAs from a GCKS.
2) A datagram subsequently establishes additional Rekey and/or
Data-Security Protocol SAs.
The GROUPKEY-PUSH datagram is "pushed" from the GCKS to the members
to create or update a Re-key or Data-security SA. A Re-key SA
protects GROUPKEY-PUSH messages. Thus, a GROUPKEY-PULL is necessary
to establish at least one Re-key SA in order to protect subsequent
GROUPKEY-PUSH messages. The GCKS encrypts the GROUPKEY-PUSH message
using the KEK Re-key SA. GDOI accommodates the use of arrays of KEKs
for group key management algorithms using the Logical Key Hierarchy
(LKH) algorithm to efficiently add and remove group members
[RFC2627]. Implementation of the LKH algorithm is OPTIONAL.
Although the GROUPKEY-PUSH specified by this document can be used to
refresh a Re-key SA, the most common use of GROUPKEY-PUSH is to
establish a Data-security SA for a data security protocol. GDOI can
accommodate future extensions to support a variety of data security
protocols. This document only specifies data-security SAs for one
security protocol, IPsec ESP. A separate RFC will specify support
for other data security protocols such as a future secure Real-time
Transport Protocol. A security protocol uses the TEK and "owns" the
data-security SA in the same way that IPsec ESP uses the IKE Phase 2
keys and owns the Phase 2 SA; for GDOI, IPsec ESP uses the TEK.
Thus, GDOI is a group security association management protocol: All
GDOI messages are used to create, maintain, or delete security
associations for a group. As described above, these security
associations protect one or more key-encrypting keys,
traffic-encrypting keys, or data shared by group members for
multicast and groups security applications.
Baugher, et. al. Standards Track [Page 4]
^L
RFC 3547 GDOI Domain of Interpretation July 2003
The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD,
SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this
document, are to be interpreted as described in BCP 14, RFC 2119
[RFC2119].
1.1. GDOI Applications
Secure multicast applications include video broadcast and multicast
file transfer. In a business environment, many of these applications
require network security and may use IPsec ESP to secure their data
traffic. Section 5.4.1 specifies how GDOI carries the needed SA
parameters for ESP. In this way, GDOI supports multicast ESP with
group authentication of ESP packets using the shared, group key
(authentication of unique sources of ESP packets is not possible).
GDOI can also secure group applications that do not use multicast
transport such as video-on-demand. For example, the GROUPKEY-PUSH
message may establish a pair-wise IPsec ESP SA for a member of a
subscription group without the need for key management exchanges and
costly asymmetric cryptography.
1.2. Extending GDOI
Not all secure multicast or multimedia applications can use IPsec
ESP. Many Real Time Transport Protocol applications, for example,
require security above the IP layer to preserve RTP header
compression efficiencies and transport-independence [RFC3550]. A
future RTP security protocol may benefit from using GDOI to establish
group SAs.
In order to add a new data security protocol, a new RFC MUST specify
the data-security SA parameters conveyed by GDOI for that security
protocol; these parameters are listed in section 5.4.2 of this
document.
Data security protocol SAs MUST protect group traffic. GDOI provides
no restriction on whether that group traffic is transmitted as
unicast or multicast packets. However, GDOI MUST NOT be used as a
key management mechanism by a data security protocol when the packets
protected by the data-security SA are intended to be private and
never become part of group communications.
Baugher, et. al. Standards Track [Page 5]
^L
RFC 3547 GDOI Domain of Interpretation July 2003
2. GDOI Phase 1 protocol
GDOI is a "phase 2" protocol which MUST be protected by a "phase 1"
protocol. The "phase 1" protocol can be any protocol which provides
for the following protections:
o Peer Authentication
o Confidentiality
o Message Integrity
The following sections describe one such "phase 1" protocol. Other
protocols which may be potential "phase 1" protocols are described in
Appendix A. However, the use of the protocols listed there are not
considered part of this document.
2.1. ISAKMP Phase 1 protocol
This document defines how the ISAKMP phase 1 exchanges as defined in
[RFC2409] can be used a "phase 1" protocol for GDOI. The following
sections define characteristics of the ISAKMP phase 1 protocols that
are unique for these exchanges when used for GDOI.
Section 6.1 describes how the ISAKMP Phase 1 protocols meet the
requirements of a GDOI "phase 1" protocol.
2.1.1. DOI value
The Phase 1 SA payload has a DOI value. That value MUST be the GDOI
DOI value as defined later in this document.
2.1.2. UDP port
GDOI MUST NOT run on port 500 (the port commonly used for IKE). IANA
has assigned port 848 for the use of GDOI.
3. GROUPKEY-PULL Exchange
The goal of the GROUPKEY-PULL exchange is to establish a Re-key
and/or Data-security SAs at the member for a particular group. A
Phase 1 SA protects the GROUPKEY-PULL; there MAY be multiple
GROUPKEY-PULL exchanges for a given Phase 1 SA. The GROUPKEY-PULL
exchange downloads the data security keys (TEKs) and/or group key
encrypting key (KEK) or KEK array under the protection of the Phase 1
SA.
Baugher, et. al. Standards Track [Page 6]
^L
RFC 3547 GDOI Domain of Interpretation July 2003
3.1. Authorization
There are two alternative means for authorizing the GROUPKEY-PULL
message. First, the Phase 1 identity can be used to authorize the
Phase 2 (GROUPKEY-PULL) request for a group key. Second, a new
identity can be passed in the GROUPKEY-PULL request. The new
identity could be specific to the group and use a certificate that is
signed by the group owner to identify the holder as an authorized
group member. The Proof-of-Possession payload validates that the
holder possesses the secret key associated with the Phase 2 identity.
3.2. Messages
The GROUPKEY-PULL is a Phase 2 exchange. Phase 1 computes SKEYID_a
which is the "key" in the keyed hash used in the GROUPKEY-PULL HASH
payloads. When using the Phase 1 defined in this document, SKEYID_a
is derived according to [RFC2409]. As with the IKE HASH payload
generation [RFC 2409 section 5.5], each GROUPKEY-PULL message hashes
a uniquely defined set of values. Nonces permute the HASH and
provide some protection against replay attacks. Replay protection is
important to protect the GCKS from attacks that a key management
server will attract.
The GROUPKEY-PULL uses nonces to guarantee "liveliness", or against
replay of a recent GROUPKEY-PULL message. The replay attack is only
useful in the context of the current Phase 1. If a GROUPKEY-PULL
message is replayed based on a previous Phase 1, the HASH calculation
will fail due to a wrong SKEYID_a. The message will fail processing
before the nonce is ever evaluated. In order for either peer to get
the benefit of the replay protection, it must postpone as much
processing as possible until it receives the message in the protocol
that proves the peer is live. For example, the Responder MUST NOT
compute the shared Diffie-Hellman number (if KE payloads were
included) or install the new SAs until it receives a message with Nr
included properly in the HASH payload.
Nonces require an additional message in the protocol exchange to
ensure that the GCKS does not add a group member until it proves
liveliness. The GROUPKEY-PULL member-initiator expects to find its
nonce, Ni, in the HASH of a returned message. And the GROUPKEY-PULL
GKCS responder expects to see its nonce, Nr, in the HASH of a
returned message before providing group-keying material as in the
following exchange.
Baugher, et. al. Standards Track [Page 7]
^L
RFC 3547 GDOI Domain of Interpretation July 2003
Initiator (Member) Responder (GCKS)
------------------ ----------------
HDR*, HASH(1), Ni, ID -->
<-- HDR*, HASH(2), Nr, SA
HDR*, HASH(3) [,KE_I] -->
[,CERT] [,POP_I]
<-- HDR*, HASH(4),[KE_R,][SEQ,]
KD [,CERT] [,POP_R]
Hashes are computed as follows:
HASH(1) = prf(SKEYID_a, M-ID | Ni | ID)
HASH(2) = prf(SKEYID_a, M-ID | Ni_b | Nr | SA)
HASH(3) = prf(SKEYID_a, M-ID | Ni_b | Nr_b [ | KE_I ] [ | CERT ]
[ | POP_I ])
HASH(4) = prf(SKEYID_a, M-ID | Ni_b | Nr_b [ | KE_R ] [ | SEQ | ]
KD [ | CERT ] [ | POP_R])
POP payload is constructed as described in Section 5.7.
* Protected by the Phase 1 SA, encryption occurs after HDR
HDR is an ISAKMP header payload that uses the Phase 1 cookies and a
message identifier (M-ID) as in IKE [RFC2409]. Note that nonces are
included in the first two exchanges, with the GCKS returning only the
SA policy payload before liveliness is proven. The HASH payloads
[RFC2409] prove that the peer has the Phase 1 secret (SKEYID_a) and
the nonce for the exchange identified by message id, M-ID. Once
liveliness is established, the last message completes the real
processing of downloading the KD payload.
In addition to the Nonce and HASH payloads, the member-initiator
identifies the group it wishes to join through the ISAKMP ID payload.
The GCKS responder informs the member of the current value of the
sequence number in the SEQ payload; the sequence number orders the
GROUPKEY-PUSH datagrams (section 4); the member MUST check to see
that the sequence number is greater than in the previous SEQ payload
the member holds for the group (if it holds any) before installing
any new SAs. The SEQ payload MUST be present if the SA payload
contains an SA KEK attribute. The GCKS responder informs the member
of the cryptographic policies of the group in the SA payload, which
describes the DOI, KEK and/or TEK keying material, and authentication
transforms. The SPIs are also determined by the GCKS and downloaded
in the SA payload chain (see section 5.2). The SA KEK attribute
contains the ISAKMP cookie pair for the Re-key SA, which is not
negotiated but downloaded. The SA TEK attribute contains an SPI as
defined in section 5.4 of this document. The second message
downloads this SA payload. If a Re-key SA is defined in the SA
payload, then KD will contain the KEK; if one or more Data-security
Baugher, et. al. Standards Track [Page 8]
^L
RFC 3547 GDOI Domain of Interpretation July 2003
SAs are defined in the SA payload, KD will contain the TEKs. This is
useful if there is an initial set of TEKs for the particular group
and can obviate the need for future TEK GROUPKEY-PUSH messages
(described in section 4).
As described above, the member may establish an identity in the
GROUPKEY-PULL exchange in an optional CERT payload that is separate
from the Phase 1 identity. When the member passes a new CERT, a
proof of possession (POP) payload accompanies it. The POP payload
demonstrates that the member or GCKS has used the very secret that
authenticates it. POP_I is an ISAKMP SIG payload containing a hash
including the nonces Ni and Nr signed by the member, when the member
passes a CERT, signed by the Group Owner to prove its authorization.
POP_R contains the hash including the concatenated nonces Ni and Nr
signed by the GCKS, when the GCKS passes a CERT, signed by the group
owner, to prove its authority to provide keys for a particular group.
The use of the nonce pair for the POP payload, transformed through a
pseudo-random function (prf) and encrypted, is designed to withstand
compromise of the Phase 1 key. Implementation of the CERT and POP
payloads is OPTIONAL.
3.2.1. Perfect Forward Secrecy
If PFS is desired and the optional KE payload is used in the
exchange, then both sides compute a DH secret and use it to protect
the new keying material contained in KD. The GCKS responder will xor
the DH secret with the KD payload and send it to the member
Initiator, which recovers the KD by repeating this operation as in
the Oakley IEXTKEY procedure [RFC2412]. Implementation of the KE
payload is OPTIONAL.
3.2.2. ISAKMP Header Initialization
Cookies are used in the ISAKMP header as a weak form of denial of
service protection. The GDOI GROUPKEY-PULL exchange uses cookies
according to ISAKMP [RFC2408].
Next Payload identifies an ISAKMP or GDOI payload (see Section 5.0).
Major Version is 1 and Minor Version is 0 according to ISAKMP
[RFC2408, Section 3.1].
The Exchange Type has value 32 for the GDOI GROUPKEY-PULL exchange.
Flags, Message ID, and Length are according to ISAKMP [RFC2408,
Section 3.1]
Baugher, et. al. Standards Track [Page 9]
^L
RFC 3547 GDOI Domain of Interpretation July 2003
3.3. Initiator Operations
Before a group member (GDOI initiator) contacts the GCKS, it must
determine the group identifier and acceptable Phase 1 policy via an
out-of-band method such as SDP. Phase 1 is initiated using the GDOI
DOI in the SA payload. Once Phase 1 is complete, the initiator state
machine moves to the GDOI protocol.
To construct the first GDOI message the initiator chooses Ni and
creates a nonce payload, builds an identity payload including the
group identifier, and generates HASH(1).
Upon receipt of the second GDOI message, the initiator validates
HASH(2), extracts the nonce Nr, and interprets the SA payload. If
the policy in the SA payload is acceptable (e.g., the security
protocol and cryptographic protocols can be supported by the
initiator), the initiator continues the protocol.
If the group policy uses certificates for authorization, the
initiator generates a hash including Ni and Nr and signs it. This
becomes the contents of the POP payload. If necessary, a CERT
payload is constructed which holds the public key corresponding to
the private key used to sign the POP payload.
The initiator constructs the third GDOI message by including the CERT
and POP payloads (if needed) and creating HASH(3).
Upon receipt of the fourth GDOI message, the initiator validates
HASH(4). If the responder sent CERT and POP_R payloads, the POP
signature is validated.
If SEQ payload is present, the sequence number in the SEQ payload
must be checked against any previously received sequence number for
this group. If it is less than the previously received number, it
should be considered stale and ignored. This could happen if two
GROUPKEY-PULL messages happened in parallel, and the sequence number
changed between the times the results of two GROUPKEY-PULL messages
were returned from the GCKS.
The initiator interprets the KD key packets, matching the SPIs in the
key packets to SPIs previously sent in the SA payloads identifying
particular policy. For TEKs, once the keys and policy are matched,
the initiator is ready to send or receive packets matching the TEK
policy. (If policy and keys had been previously received for this
TEK policy, the initiator may decide instead to ignore this TEK
policy in case it is stale.) If this group has a KEK, the KEK policy
and keys are marked as ready for use.
Baugher, et. al. Standards Track [Page 10]
^L
RFC 3547 GDOI Domain of Interpretation July 2003
3.4. Receiver Operations
The GCKS (responder) passively listens for incoming requests from
group members. The Phase 1 authenticates the group member and sets
up the secure session with them.
Upon receipt of the first GDOI message the GCKS validates HASH(1),
extracts the Ni and group identifier in the ID payload. It verifies
that its database contains the group information for the group
identifier.
The GCKS constructs the second GDOI message, including a nonce Nr,
and the policy for the group in an SA payload, followed by SA TEK
payloads for traffic SAs, and SA KEK policy (if the group controller
will be sending Re-key messages to the group).
Upon receipt of the third GDOI message the GCKS validates HASH(3).
If the initiator sent CERT and POP_I payloads, the POP signature is
validated.
The GCKS constructs the fourth GDOI message, including the SEQ
payload (if the GCKS sends rekey messages), the KD payload containing
keys corresponding to policy previously sent in the SA TEK and SA KEK
payloads, and the CERT and POP payloads (if needed).
4. GROUPKEY-PUSH Message
GDOI sends control information securely using group communications.
Typically this will be using IP multicast distribution of a
GROUPKEY-PUSH message but it can also be "pushed" using unicast
delivery if IP multicast is not possible. The GROUPKEY-PUSH message
replaces a Re-key SA KEK or KEK array, and/or creates a new
Data-security SA.
Member GCKS or Delegate
------ ----------------
<---- HDR*, SEQ, SA, KD, [CERT,] SIG
* Protected by the Re-key SA KEK; encryption occurs after HDR
HDR is defined below. The SEQ payload is defined in the Payloads
section. The SA defines the policy (e.g., protection suite) and
attributes (e.g., SPI) for a Re-key and/or Data-security SAs. The
GCKS or delegate optionally provides a CERT payload for verification
of the SIG. KD is the key download payload as described in the
Payloads section.
Baugher, et. al. Standards Track [Page 11]
^L
RFC 3547 GDOI Domain of Interpretation July 2003
The SIG payload is a signature of a hash of the entire message before
encryption (including the header and excluding the SIG payload
itself), prefixed with the string "rekey". The prefixed string
ensures that the signature of the Rekey datagram cannot be used for
any other purpose in the GDOI protocol.
If the SA defines an LKH KEK array or single KEK, KD contains a KEK
or KEK array for a new Re-key SA, which has a new cookie pair. When
the KD payload carries a new SA KEK attribute (section 5.3), a Re-key
SA is replaced with a new SA having the same group identifier (ID
specified in message 1 of section 3.2) and incrementing the same
sequence counter, which is initialized in message 4 of section 3.2.
If the SA defines an SA TEK payload, this informs the member that a
new Data-security SA has been created, with keying material carried
in KD (Section 5.5).
If the SA defines a large LKH KEK array (e.g., during group
initialization and batched rekeying), parts of the array MAY be sent
in different unique GROUPKEY-PUSH datagrams. However, each of the
GROUPKEY-PUSH datagrams MUST be a fully formed GROUPKEY-PUSH
datagram. This results in each datagram containing a sequence number
and the policy in the SA payload, which corresponds to the KEK array
portion sent in the KD payload.
4.1. Perfect Forward Secrecy (PFS)
The GROUPKEY-PUSH message is protected by the group KEK though in all
cases, the GROUPKEY-PUSH message carries new key downloads, among
other information. A freshly generated secret must protect the key
download for the GROUPKEY-PUSH message to have PFS. This issue is
for further study.
4.2. Forward and Backward Access Control
Through GROUPKEY-PUSH, the GDOI supports algorithms such as LKH that
have the property of denying access to a new group key by a member
removed from the group (forward access control) and to an old group
key by a member added to the group (backward access control). An
unrelated notion to PFS, "forward access control" and "backward
access control" have been called "perfect forward security" and
"perfect backward security" in the literature [RFC2627].
Group management algorithms providing forward and backward access
control other than LKH have been proposed in the literature,
including OFT [OFT] and Subset Difference [NNL]. These algorithms
could be used with GDOI, but are not specified as a part of this
document.
Baugher, et. al. Standards Track [Page 12]
^L
RFC 3547 GDOI Domain of Interpretation July 2003
Support for group management algorithms is supported via the
KEY_MANAGEMENT_ALGORITHM attribute which is sent in the SA_KEK
payload. GDOI specifies one method by which LKH can be used for
forward and backward access control. Other methods of using LKH, as
well as other group management algorithms such as OFT or Subset
Difference may be added to GDOI as part of a later document. Any
such addition MUST be due to a Standards Action as defined in
[RFC2434].
4.2.1. Forward Access Control Requirements
When group membership is altered using a group management algorithm
new SA_TEKs (and their associated keys) are usually also needed. New
SAs and keys ensure that members who were denied access can no longer
participate in the group.
If forward access control is a desired property of the group, new
SA_TEKs and the associated key packets in the KD payload MUST NOT be
included in a GROUPKEY-PUSH message which changes group membership.
This is required because the SA_TEK policy and the associated key
packets in the KD payload are not protected with the new KEK. A
second GROUPKEY-PUSH message can deliver the new SA_TEKS and their
associated keys because it will be protected with the new KEK, and
thus will not be visible to the members who were denied access.
If forward access control policy for the group includes keeping group
policy changes from members that are denied access to the group, then
two sequential GROUPKEY-PUSH messages changing the group KEK MUST be
sent by the GCKS. The first GROUPKEY-PUSH message creates a new KEK
for the group. Group members, which are denied access, will not be
able to access the new KEK, but will see the group policy since the
GROUPKEY-PUSH message is protected under the current KEK. A
subsequent GROUPKEY-PUSH message containing the changed group policy
and again changing the KEK allows complete forward access control. A
GROUPKEY-PUSH message MUST NOT change the policy without creating a
new KEK.
If other methods of using LKH or other group management algorithms
are added to GDOI, those methods MAY remove the above restrictions
requiring multiple GROUPKEY-PUSH messages, providing those methods
specify how forward access control policy is maintained within a
single GROUPKEY-PUSH message.
Baugher, et. al. Standards Track [Page 13]
^L
RFC 3547 GDOI Domain of Interpretation July 2003
4.3. Delegation of Key Management
GDOI supports delegation of GROUPKEY-PUSH datagrams through the
delegation capabilities of the PKI. However, GDOI does not
explicitly specify how the GCKS identifies delegates, but leaves this
to the PKI that is used by a particular GDOI implementation.
4.4. Use of signature keys
The GCKS SHOULD NOT use the same key to sign the SIG payload in the
GROUPKEY-PUSH message as was used for authorization in the
GROUPKEY-PULL POP payload. If the same key must be used, a different
hash function SHOULD be used as a base for the POP payload than is
used as a base for the SIG payload.
4.5. ISAKMP Header Initialization
Unlike ISAKMP or IKE, the cookie pair is completely determined by the
GCKS. The cookie pair in the GDOI ISAKMP header identifies the Re-
key SA to differentiate the secure groups managed by a GCKS. Thus,
GDOI uses the cookie fields as an SPI.
Next Payload identifies an ISAKMP or GDOI payload (see Section 5.0).
Major Version is 1 and Minor Version is 0 according to ISAKMP
[RFC2408, Section 3.1].
The Exchange Type has value 33 for the GDOI GROUPKEY-PUSH message.
Flags MUST have the Encryption bit set according to [RFC2008, Section
3.1]. All other bits MUST be set to zero.
Message ID MUST be set to zero.
Length is according to ISAKMP [RFC2408, Section 3.1]
4.6. Deletion of SAs
There are times the GCKS may want to signal to receivers to delete
SAs, for example at the end of a broadcast. Deletion of keys may be
accomplished by sending an ISAKMP Delete payload [RFC2408, Section
3.15] as part of a GDOI GROUPKEY-PUSH message.
One or more Delete payloads MAY be placed following the SEQ payload
in a GROUPKEY-PUSH message. If a GCKS has no further SAs to send to
group members, the SA and KD payloads MUST be omitted from the
message.
Baugher, et. al. Standards Track [Page 14]
^L
RFC 3547 GDOI Domain of Interpretation July 2003
The following fields of the Delete Payload are further defined as
follows:
o The Domain of Interpretation field contains the GDOI DOI.
o The Protocol-Id field contains TEK protocol id values defined
in Section 5.4 of this document. To delete a KEK SA, the value
of zero MUST be used as the protocol id. Note that only one
protocol id value can be defined in a Delete payload. If a TEK
SA and a KEK SA must be deleted, they must be sent in different
Delete payloads.
4.7. GCKS Operations
GCKS or its delegate may initiate a Rekey message for one of several
reasons, e.g., the group membership has changed or keys are due to
expire.
To begin the rekey datagram the GCKS builds an ISAKMP HDR with the
correct cookie pair, and a SEQ payload that includes a sequence
number which is one greater than the previous rekey datagram.
An SA payload is then added. This is identical in structure and
meaning to a SA payload sent in a GROUPKEY-PULL exchange. If there
are changes to the KEK (in the case of a static KEK) or in group
membership (in the case of LKH) an SA_KEK attribute is added to the
SA. If there are one or more new TEKs then SA_TEK attributes are
added to describe that policy.
A KD payload is then added. This is identical in structure and
meaning to a KD payload sent in a GROUPKEY-PULL exchange. If an
SA_KEK attribute was included in the SA payload then corresponding
KEK keys (or a KEK array) is included. TEK keys are sent for each
SA_TEK attribute included in the SA payload.
A CERT payload is added if the initiator needs to provide its
certificate.
In the penultimate step, the initiator hashes the string "rekey"
followed by the key management message already formed. The hash is
signed, placed in a SIG payload and added to the datagram.
Lastly, the payloads following the HDR are encrypted using the
current KEK encryption key. The datagram can now be sent.
Baugher, et. al. Standards Track [Page 15]
^L
RFC 3547 GDOI Domain of Interpretation July 2003
4.8. Group Member Operations
A group member receiving the GROUPKEY-PUSH datagram matches the
cookie pair in the ISAKMP HDR to an existing SA. The message is
decrypted, and the form of the datagram is validated. This weeds out
obvious ill-formed messages (which may be sent as part of a Denial of
Service attack on the group).
The signature of the decrypted message is then validated, possibly
using the CERT payload if it is included.
The sequence number in the SEQ payload is validated to ensure that it
is greater than the previously received sequence number, and that it
fits within a window of acceptable values.
The SA and KD payloads are processed which results in a new GDOI
Rekey SA (if the SA payload included an SA_KEK attribute) and/or new
IPsec SAs being added to the system.
5. Payloads and Defined Values
This document specifies use of several ISAKMP payloads, which are
defined in accordance with RFC2408. The following payloads are
extended or further specified.
Next Payload Type Value
----------------- -----
Security Association (SA) 1
Identification (ID) 5
Nonce (N) 10
Several new payload formats are required in the group security
exchanges.
Next Payload Type Value
----------------- -----
SA KEK Payload (SAK) 15
SA TEK Payload (SAT) 16
Key Download (KD) 17
Sequence Number (SEQ) 18
Proof of Possession (POP) 19
Baugher, et. al. Standards Track [Page 16]
^L
RFC 3547 GDOI Domain of Interpretation July 2003
5.1. Identification Payload
The Identification Payload is used to identify a group identity that
will later be associated with Security Associations for the group. A
group identity may map to a specific IP multicast group, or may
specify a more general identifier, such as one that represents a set
of related multicast streams.
The Identification Payload is defined as follows:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Next Payload ! RESERVED ! Payload Length !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! ID Type ! RESERVE2 !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ Identification Data ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The Identification Payload fields are defined as follows:
o Next Payload (1 octet) -- Identifier for the payload type of
the next payload in the message. If the current payload is the
last in the message, this field will be zero (0).
o RESERVED (1 octet) -- Unused, must be zero (0).
o Payload Length (2 octets) -- Length, in octets, of the
identification data, including the generic header.
o Identification Type (1 octet) -- Value describing the identity
information found in the Identification Data field.
o RESERVED2 (2 octets) -- Unused, must be zero (0).
o Identification Data (variable length) -- Value, as indicated by
the Identification Type.
Baugher, et. al. Standards Track [Page 17]
^L
RFC 3547 GDOI Domain of Interpretation July 2003
5.1.1. Identification Type Values
The following table lists the assigned values for the Identification
Type field found in the Identification Payload.
ID Type Value
------- -----
RESERVED 0 - 10
ID_KEY_ID 11
RESERVED 12 - 127
Private Use 128 - 255
5.1.1.1. ID_KEY_ID
In the context of a GDOI ID payload, ID_KEY_ID specifies a four
(4)-octet group identifier.
5.2. Security Association Payload
The Security Association payload is defined in RFC 2408. For the
GDOI, it is used by the GCKS to assert security attributes for both
Re-key and Data-security SAs.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! Next Payload ! RESERVED ! Payload Length !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! DOI !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! Situation !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! SA Attribute Next Payload ! RESERVED2 !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
The Security Association Payload fields are defined as follows:
o Next Payload (1 octet) -- Identifies the next payload for the
GROUPKEY-PULL or the GROUPKEY-PUSH message as defined above.
The next payload MUST NOT be a SAK Payload or SAT Payload type,
but the next non-Security Association type payload.
o RESERVED (1 octet) -- Must be zero.
o Payload Length (2 octets) -- Is the octet length of the current
payload including the generic header and all TEK and KEK
payloads.
Baugher, et. al. Standards Track [Page 18]
^L
RFC 3547 GDOI Domain of Interpretation July 2003
o DOI (4 octets) -- Is the GDOI, which is value 2.
o Situation (4 octets) -- Must be zero.
o SA Attribute Next Payload (1 octet) -- Must be either a SAK
Payload or a SAT Payload. See section 5.2.1 for a description
of which circumstances are required for each payload type to be
present.
o RESERVED (2 octets) -- Must be zero.
5.2.1. Payloads following the SA payload
Payloads that define specific security association attributes for the
KEK and/or TEKs used by the group MUST follow the SA payload. How
many of each payload is dependent upon the group policy. There may
be zero or one SAK Payloads, and zero or more SAT Payloads, where
either one SAK or SAT payload MUST be present.
This latitude allows various group policies to be accommodated. For
example if the group policy does not require the use of a Re-key SA,
the GCKS would not need to send an SA KEK attribute to the group
member since all SA updates would be performed using the Registration
SA. Alternatively, group policy might use a Re-key SA but choose to
download a KEK to the group member only as part of the Registration
SA. Therefore, the KEK policy (in the SA KEK attribute) would not be
necessary as part of the Re-key SA message SA payload.
Specifying multiple SATs allows multiple sessions to be part of the
same group and multiple streams to be associated with a session
(e.g., video, audio, and text) but each with individual security
association policy.
5.3. SA KEK payload
The SA KEK (SAK) payload contains security attributes for the KEK
method for a group and parameters specific to the GROUPKEY-PULL
operation. The source and destination identities describe the
identities used for the GROUPKEY-PULL datagram.
Baugher, et. al. Standards Track [Page 19]
^L
RFC 3547 GDOI Domain of Interpretation July 2003
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! Next Payload ! RESERVED ! Payload Length !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! Protocol ! SRC ID Type ! SRC ID Port !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
!SRC ID Data Len! SRC Identification Data ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! DST ID Type ! DST ID Port !DST ID Data Len!
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! DST Identification Data ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! !
~ SPI ~
! !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! POP Algorithm ! POP Key Length !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
~ KEK Attributes ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
The SAK Payload fields are defined as follows:
o Next Payload (1 octet) -- Identifies the next payload for the
GROUPKEY-PULL or the GROUPKEY-PUSH message. The only valid
next payload types for this message are a SAT Payload or zero
to indicate there is no SA TEK payload.
o RESERVED (1 octet) -- Must be zero.
o Payload Length (2 octets) -- Length of this payload, including
the KEK attributes.
o Protocol (1 octet) -- Value describing an IP protocol ID (e.g.,
UDP/TCP) for the rekey datagram.
o SRC ID Type (1 octet) -- Value describing the identity
information found in the SRC Identification Data field.
Defined values are specified by the IPSEC Identification Type
section in the IANA isakmpd-registry [ISAKMP-REG].
o SRC ID Port (2 octets) -- Value specifying a port associated
with the source Id. A value of zero means that the SRC ID Port
field should be ignored.
o SRC ID Data Len (1 octet) -- Value specifying the length of the
SRC Identification Data field.
Baugher, et. al. Standards Track [Page 20]
^L
RFC 3547 GDOI Domain of Interpretation July 2003
o SRC Identification Data (variable length) -- Value, as
indicated by the SRC ID Type.
o DST ID Type (1 octet) -- Value describing the identity
information found in the DST Identification Data field.
Defined values are specified by the IPSEC Identification Type
section in the IANA isakmpd-registry [ISAKMP-REG].
o DST ID Prot (1 octet) -- Value describing an IP protocol ID
(e.g., UDP/TCP).
o DST ID Port (2 octets) -- Value specifying a port associated
with the source Id.
o DST ID Data Len (1 octet) -- Value specifying the length of the
DST Identification Data field.
o DST Identification Data (variable length) -- Value, as
indicated by the DST ID Type.
o SPI (16 octets) -- Security Parameter Index for the KEK. The
SPI must be the ISAKMP Header cookie pair where the first 8
octets become the "Initiator Cookie" field of the GROUPKEY-PUSH
message ISAKMP HDR, and the second 8 octets become the
"Responder Cookie" in the same HDR. As described above, these
cookies are assigned by the GCKS.
o POP Algorithm (2 octets) -- The POP payload algorithm. Defined
values are specified in the following table. If no POP
algorithm is defined by the KEK policy this field must be zero.
Algorithm Type Value
-------------- -----
RESERVED 0
POP_ALG_RSA 1
POP_ALG_DSS 2
POP_ALG_ECDSS 3
RESERVED 4-127
Private Use 128-255
o POP Key Length (2 octets) -- Length of the POP payload key. If
no POP algorithm is defined in the KEK policy, this field must
be zero.
Baugher, et. al. Standards Track [Page 21]
^L
RFC 3547 GDOI Domain of Interpretation July 2003
o KEK Attributes -- Contains KEK policy attributes associated
with the group. The following sections describe the possible
attributes. Any or all attributes may be optional, depending on
the group policy.
5.3.1. KEK Attributes
The following attributes may be present in a SAK Payload. The
attributes must follow the format defined in ISAKMP [RFC2408] section
3.3. In the table, attributes that are defined as TV are marked as
Basic (B); attributes that are defined as TLV are marked as Variable
(V).
ID Class Value Type
-------- ----- ----
RESERVED 0
KEK_MANAGEMENT_ALGORITHM 1 B
KEK_ALGORITHM 2 B
KEK_KEY_LENGTH 3 B
KEK_KEY_LIFETIME 4 V
SIG_HASH_ALGORITHM 5 B
SIG_ALGORITHM 6 B
SIG_KEY_LENGTH 7 B
KE_OAKLEY_GROUP 8 B
The following attributes may only be included in a GROUPKEY-PULL
message: KEK_MANAGEMENT_ALGORITHM, KE_OAKLEY_GROUP.
5.3.2. KEK_MANAGEMENT_ALGORITHM
The KEK_MANAGEMENT_ALGORITHM class specifies the group KEK management
algorithm used to provide forward or backward access control (i.e.,
used to exclude group members). Defined values are specified in the
following table.
KEK Management Type Value
------------------- -----
RESERVED 0
LKH 1
RESERVED 2-127
Private Use 128-255
Baugher, et. al. Standards Track [Page 22]
^L
RFC 3547 GDOI Domain of Interpretation July 2003
5.3.3. KEK_ALGORITHM
The KEK_ALGORITHM class specifies the encryption algorithm using with
the KEK. Defined values are specified in the following table.
Algorithm Type Value
-------------- -----
RESERVED 0
KEK_ALG_DES 1
KEK_ALG_3DES 2
KEK_ALG_AES 3
RESERVED 4-127
Private Use 128-255
A GDOI implementation MUST support the KEK_ALG_3DES algorithm
attribute.
If a KEK_MANAGEMENT_ALGORITHM is defined which defines multiple keys
(e.g., LKH), and if the management algorithm does not specify the
algorithm for those keys, then the algorithm defined by the
KEK_ALGORITHM attribute MUST be used for all keys which are included
as part of the management.
5.3.3.1. KEK_ALG_DES
This algorithm specifies DES using the Cipher Block Chaining (CBC)
mode as described in [FIPS81].
5.3.3.2. KEK_ALG_3DES
This algorithm specifies 3DES using three independent keys as
described in "Keying Option 1" in [FIPS46-3].
5.3.3.3. KEK_ALG_AES
This algorithm specifies AES as described in [FIPS197]. The mode of
operation for AES is Cipher Block Chaining (CBC) as recommended in
[AES-MODES].
5.3.4. KEK_KEY_LENGTH
The KEK_KEY_LENGTH class specifies the KEK Algorithm key length (in
bits).
Baugher, et. al. Standards Track [Page 23]
^L
RFC 3547 GDOI Domain of Interpretation July 2003
5.3.5. KEK_KEY_LIFETIME
The KEK_KEY_LIFETIME class specifies the maximum time for which the
KEK is valid. The GCKS may refresh the KEK at any time before the
end of the valid period. The value is a four (4) octet number
defining a valid time period in seconds.
5.3.6. SIG_HASH_ALGORITHM
SIG_HASH_ALGORITHM specifies the SIG payload hash algorithm. The
following tables define the algorithms for SIG_HASH_ALGORITHM.
Algorithm Type Value
-------------- -----
RESERVED 0
SIG_HASH_MD5 1
SIG_HASH_SHA1 2
RESERVED 3-127
Private Use 128-255
SIG_HASH_ALGORITHM is not required if the SIG_ALGORITHM is
SIG_ALG_DSS or SIG_ALG_ECDSS, which imply SIG_HASH_SHA1.
5.3.7. SIG_ALGORITHM
The SIG_ALGORITHM class specifies the SIG payload signature
algorithm. Defined values are specified in the following table.
Algorithm Type Value
-------------- -----
RESERVED 0
SIG_ALG_RSA 1
SIG_ALG_DSS 2
SIG_ALG_ECDSS 3
RESERVED 4-127
Private Use 128-255
A GDOI implementation MUST support the following algorithm attribute:
SIG_ALG_RSA.
5.3.7.1. SIG_ALG_RSA
This algorithm specifies the RSA digital signature algorithm as
described in [RSA].
Baugher, et. al. Standards Track [Page 24]
^L
RFC 3547 GDOI Domain of Interpretation July 2003
5.3.7.2. SIG_ALG_DSS
This algorithm specifies the DSS digital signature algorithm as
described in [FIPS186-2].
5.3.7.3. SIG_ALG_ECDSS
This algorithm specifies the Elliptic Curve digital signature
algorithm as described in [FIPS186-2].
5.3.8. SIG_KEY_LENGTH
The SIG_KEY_LENGTH class specifies the length of the SIG payload key.
5.3.9. KE_OAKLEY_GROUP
The KE_OAKLEY_GROUP class defines the OAKLEY Group used to compute
the PFS secret in the optional KE payload of the GDOI GROUPKEY-PULL
exchange. This attribute uses the values assigned to Group
Definitions in the IANA IPsec-registry [IPSEC-REG].
5.4. SA TEK Payload
The SA TEK (SAT) payload contains security attributes for a single
TEK associated with a group.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! Next Payload ! RESERVED ! Payload Length !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! Protocol-ID ! TEK Protocol-Specific Payload ~
+-+-+-+-+-+-+-+-+ ~
~ ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
The SAT Payload fields are defined as follows:
o Next Payload (1 octet) -- Identifies the next payload for the
GROUPKEY-PULL or the GROUPKEY-PUSH message. The only valid
next payload types for this message are another SAT Payload or
zero to indicate there are no more security association
attributes.
o RESERVED (1 octet) -- Must be zero.
o Payload Length (2 octets) -- Length of this payload, including
the TEK Protocol-Specific Payload.
Baugher, et. al. Standards Track [Page 25]
^L
RFC 3547 GDOI Domain of Interpretation July 2003
o Protocol-ID (1 octet) -- Value specifying the Security
Protocol. The following table defines values for the Security
Protocol
Protocol ID Value
----------- -----
RESERVED 0
GDOI_PROTO_IPSEC_ESP 1
RESERVED 2-127
Private Use 128-255
o TEK Protocol-Specific Payload (variable) -- Payload which
describes the attributes specific for the Protocol-ID.
5.4.1. PROTO_IPSEC_ESP
The TEK Protocol-Specific payload for ESP is as follows:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! Protocol ! SRC ID Type ! SRC ID Port !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
!SRC ID Data Len! SRC Identification Data ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! DST ID Type ! DST ID Port !DST ID Data Len!
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! DST Identification Data ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! Transform ID ! SPI !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! SPI ! RFC 2407 SA Attributes ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
The SAT Payload fields are defined as follows:
o Protocol (1 octet) -- Value describing an IP protocol ID (e.g.,
UDP/TCP). A value of zero means that the Protocol field should
be ignored.
o SRC ID Type (1 octet) -- Value describing the identity
information found in the SRC Identification Data field.
Defined values are specified by the IPSEC Identification Type
section in the IANA isakmpd-registry [ISAKMP-REG].
o SRC ID Port (2 octets) -- Value specifying a port associated
with the source Id. A value of zero means that the SRC ID Port
field should be ignored.
Baugher, et. al. Standards Track [Page 26]
^L
RFC 3547 GDOI Domain of Interpretation July 2003
o SRC ID Data Len (1 octet) -- Value specifying the length of the
SRC Identification Data field.
o SRC Identification Data (variable length) -- Value, as
indicated by the SRC ID Type. Set to three bytes of zero for
multiple-source multicast groups that use a common TEK for all
senders.
o DST ID Type (1 octet) -- Value describing the identity
information found in the DST Identification Data field.
Defined values are specified by the IPSEC Identification Type
section in the IANA isakmpd-registry [ISAKMP-REG].
o DST ID Prot (1 octet) -- Value describing an IP protocol ID
(e.g., UDP/TCP). A value of zero means that the DST Id Prot
field should be ignored.
o DST ID Port (2 octets) -- Value specifying a port associated
with the source Id. A value of zero means that the DST ID Port
field should be ignored.
o DST ID Data Len (1 octet) -- Value specifying the length of the
DST Identification Data field.
o DST Identification Data (variable length) -- Value, as
indicated by the DST ID Type.
o Transform ID (1 octet) -- Value specifying which ESP transform
is to be used. The list of valid values is defined in the
IPSEC ESP Transform Identifiers section of the IANA
isakmpd-registry [ISAKMP-REG].
o SPI (4 octets) -- Security Parameter Index for ESP.
o RFC 2407 Attributes -- ESP Attributes from RFC 2407 Section
4.5. The GDOI supports all IPSEC DOI SA Attributes for
PROTO_IPSEC_ESP excluding the Group Description [RFC2407,
section 4.5], which MUST NOT be sent by a GDOI implementation
and is ignored by a GDOI implementation if received. All
mandatory IPSEC DOI attributes are mandatory in GDOI
PROTO_IPSEC_ESP. The Authentication Algorithm attribute of the
IPSEC DOI is group authentication in GDOI.
Baugher, et. al. Standards Track [Page 27]
^L
RFC 3547 GDOI Domain of Interpretation July 2003
5.4.2. Other Security Protocols
Besides ESP, GDOI should serve to establish SAs for secure groups
needed by other Security Protocols that operate at the transport,
application, and internetwork layers. These other Security
Protocols, however, are in the process of being developed or do not
yet exist.
The following information needs to be provided for a Security
Protocol to the GDOI.
o The Protocol-ID for the particular Security Protocol
o The SPI Size
o The method of SPI generation
o The transforms, attributes and keys needed by the Security
Protocol
All Security Protocols must provide the information in the bulleted
list above to guide the GDOI specification for that protocol.
Definitions for the support of those Security Protocols in GDOI will
be specified in separate documents.
A Security Protocol MAY protect traffic at any level of the network
stack. However, in all cases applications of the Security Protocol
MUST protect traffic which MAY be shared by more than two entities.
5.5. Key Download Payload
The Key Download Payload contains group keys for the group specified
in the SA Payload. These key download payloads can have several
security attributes applied to them based upon the security policy of
the group as defined by the associated SA Payload.
When included as part of the Re-key SA with an optional KE payload,
The Key Download Payload will be xor'ed with the new Diffie-Hellman
shared secret. The xor operation will begin at the "Number of Key
Packets" field.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! Next Payload ! RESERVED ! Payload Length !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! Number of Key Packets ! RESERVED2 !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
~ Key Packets ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
Baugher, et. al. Standards Track [Page 28]
^L
RFC 3547 GDOI Domain of Interpretation July 2003
The Key Download Payload fields are defined as follows:
o Next Payload (1 octet) -- Identifier for the payload type of
the next payload in the message. If the current payload is the
last in the message, then this field will be zero.
o RESERVED (1 octet) -- Unused, set to zero.
o Payload Length (2 octets) -- Length in octets of the current
payload, including the generic payload header.
o Number of Key Packets (2 octets) -- Contains the total number
of both TEK and Rekey arrays being passed in this data block.
o Key Packets
Several types of key packets are defined. Each Key Packet has
the following format.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! KD Type ! RESERVED ! KD Length !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! SPI Size ! SPI (variable) ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
~ Key Packet Attributes ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
o Key Download (KD) Type (1 octet) -- Identifier for the Key Data
field of this Key Packet.
Key Download Type Value
----------------- -----
RESERVED 0
TEK 1
KEK 2
LKH 3
RESERVED 4-127
Private Use 128-255
"KEK" is a single key whereas LKH is an array of key-encrypting keys.
o RESERVED (1 octet) -- Unused, set to zero.
o Key Download Length (2 octets) -- Length in octets of the Key
Packet data, including the Key Packet header.
Baugher, et. al. Standards Track [Page 29]
^L
RFC 3547 GDOI Domain of Interpretation July 2003
o SPI Size (1 octet) -- Value specifying the length in octets of
the SPI as defined by the Protocol-Id.
o SPI (variable length) -- Security Parameter Index which matches
a SPI previously sent in an SAK or SAT Payload.
o Key Packet Attributes (variable length) -- Contains Key
information. The format of this field is specific to the value
of the KD Type field. The following sections describe the
format of each KD Type.
5.5.1. TEK Download Type
The following attributes may be present in a TEK Download Type.
Exactly one attribute matching each type sent in the SAT payload MUST
be present. The attributes must follow the format defined in ISAKMP
[RFC2408] section 3.3. In the table, attributes defined as TV are
marked as Basic (B); attributes defined as TLV are marked as Variable
(V).
TEK Class Value Type
--------- ----- ----
RESERVED 0
TEK_ALGORITHM_KEY 1 V
TEK_INTEGRITY_KEY 2 V
TEK_SOURCE_AUTH_KEY 3 V
If no TEK key packets are included in a Registration KD payload, the
group member can expect to receive the TEK as part of a Re-key SA.
At least one TEK must be included in each Re-key KD payload.
Multiple TEKs may be included if multiple streams associated with the
SA are to be rekeyed.
5.5.1.1. TEK_ALGORITHM_KEY
The TEK_ALGORITHM_KEY class declares that the encryption key for this
SPI is contained as the Key Packet Attribute. The encryption
algorithm that will use this key was specified in the SAT payload.
In the case that the algorithm requires multiple keys (e.g., 3DES),
all keys will be included in one attribute.
DES keys will consist of 64 bits (the 56 key bits with parity bit).
Triple DES keys will be specified as a single 192 bit attribute
(including parity bits) in the order that the keys are to be used for
encryption (e.g., DES_KEY1, DES_KEY2, DES_KEY3).
Baugher, et. al. Standards Track [Page 30]
^L
RFC 3547 GDOI Domain of Interpretation July 2003
5.5.1.2. TEK_INTEGRITY_KEY
The TEK_INTEGRITY_KEY class declares that the integrity key for this
SPI is contained as the Key Packet Attribute. The integrity
algorithm that will use this key was specified in the SAT payload.
Thus, GDOI assumes that both the symmetric encryption and integrity
keys are pushed to the member. SHA keys will consist of 160 bits,
and MD5 keys will consist of 128 bits.
5.5.1.3. TEK_SOURCE_AUTH_KEY
The TEK_SOURCE_AUTH_KEY class declares that the source authentication
key for this SPI is contained in the Key Packet Attribute. The
source authentication algorithm that will use this key was specified
in the SAT payload.
5.5.2. KEK Download Type
The following attributes may be present in a KEK Download Type.
Exactly one attribute matching each type sent in the SAK payload MUST
be present. The attributes must follow the format defined in ISAKMP
[RFC2408] section 3.3. In the table, attributes defined as TV are
marked as Basic (B); attributes defined as TLV are marked as Variable
(V).
KEK Class Value Type
--------- ----- ----
RESERVED 0
KEK_ALGORITHM_KEY 1 V
SIG_ALGORITHM_KEY 2 V
If the KEK key packet is included, there MUST be only one present in
the KD payload.
5.5.2.1. KEK_ALGORITHM_KEY
The KEK_ALGORITHM_KEY class declares the encryption key for this SPI
is contained in the Key Packet Attribute. The encryption algorithm
that will use this key was specified in the SAK payload.
If the mode of operation for the algorithm requires an Initialization
Vector (IV), an explicit IV MUST be included in the KEK_ALGORITHM_KEY
before the actual key.
Baugher, et. al. Standards Track [Page 31]
^L
RFC 3547 GDOI Domain of Interpretation July 2003
5.5.2.2. SIG_ALGORITHM_KEY
The SIG_ALGORITHM_KEY class declares that the public key for this SPI
is contained in the Key Packet Attribute, which may be useful when no
public key infrastructure is available. The signature algorithm that
will use this key was specified in the SAK payload.
5.5.3. LKH Download Type
The LKH key packet is comprised of attributes representing different
leaves in the LKH key tree.
The following attributes are used to pass an LKH KEK array in the KD
payload. The attributes must follow the format defined in ISAKMP
[RFC2408] section 3.3. In the table, attributes defined as TV are
marked as Basic (B); attributes defined as TLV are marked as Variable
(V).
KEK Class Value Type
--------- ----- ----
RESERVED 0
LKH_DOWNLOAD_ARRAY 1 V
LKH_UPDATE_ARRAY 2 V
SIG_ALGORITHM_KEY 3 V
RESERVED 4-127
Private Use 128-255
If an LKH key packet is included in the KD payload, there must be
only one present.
5.5.3.1. LKH_DOWNLOAD_ARRAY
This attribute is used to download a set of keys to a group member.
It MUST NOT be included in a GROUPKEY-PUSH message KD payload if the
GROUPKEY-PUSH is sent to more than the group member. If an
LKH_DOWNLOAD_ARRAY attribute is included in a KD payload, there must
be only one present.
This attribute consists of a header block, followed by one or more
LKH keys.
Baugher, et. al. Standards Track [Page 32]
^L
RFC 3547 GDOI Domain of Interpretation July 2003
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! LKH Version ! # of LKH Keys ! RESERVED !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! LKH Keys !
~ ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The KEK_LKH attribute fields are defined as follows:
o LKH version (1 octet) -- Contains the version of the LKH
protocol which the data is formatted in. Must be one.
o Number of LKH Keys (2 octets) -- This value is the number of
distinct LKH keys in this sequence.
o RESERVED (1 octet) -- Unused, set to zero. Each LKH Key is
defined as follows:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! LKH ID ! Key Type ! RESERVED !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ Key Creation Date !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ Key expiration Date !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ Key Handle !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! !
~ Key Data ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
o LKH ID (2 octets) -- This is the position of this key in the
binary tree structure used by LKH.
o Key Type (1 octet) -- This is the encryption algorithm for
which this key data is to be used. This value is specified in
Section 5.3.3.
o RESERVED (1 octet) -- Unused, set to zero.
o Key Creation Date (4 octets) -- This is the time value of when
this key data was originally generated. A time value of zero
indicates that there is no time before which this key is not
valid.
Baugher, et. al. Standards Track [Page 33]
^L
RFC 3547 GDOI Domain of Interpretation July 2003
o Key Expiration Date (4 octets) -- This is the time value of
when this key is no longer valid for use. A time value of zero
indicates that this key does not have an expiration time.
o Key Handle (4 octets) -- This is the randomly generated value
to uniquely identify a key within an LKH ID.
o Key Data (variable length) -- This is the actual encryption key
data, which is dependent on the Key Type algorithm for its
format. If the mode of operation for the algorithm requires an
Initialization Vector (IV), an explicit IV MUST be included in
the Key Data field before the actual key.
The Key Creation Date and Key expiration Dates MAY be zero. This is
necessary in the case where time synchronization within the group is
not possible.
The first LKH Key structure in an LKH_DOWNLOAD_ARRAY attribute
contains the Leaf identifier and key for the group member. The rest
of the LKH Key structures contain keys along the path of the key tree
in order from the leaf, culminating in the group KEK.
5.5.3.2. LKH_UPDATE_ARRAY
This attribute is used to update the keys for a group. It is most
likely to be included in a GROUPKEY-PUSH message KD payload to rekey
the entire group. This attribute consists of a header block,
followed by one or more LKH keys, as defined in Section 5.5.3.1
There may be any number of UPDATE_ARRAY attributes included in a KD
payload.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! LKH Version ! # of LKH Keys ! RESERVED !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! LKH ID ! RESERVED2 !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Key Handle !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! LKH Keys !
~ ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
o LKH version (1 octet) -- Contains the version of the LKH
protocol which the data is formatted in. Must be one.
Baugher, et. al. Standards Track [Page 34]
^L
RFC 3547 GDOI Domain of Interpretation July 2003
o Number of LKH Keys (2 octets) -- This value is the number of
distinct LKH keys in this sequence.
o RESERVED (1 octet) -- Unused, set to zero.
o LKH ID (2 octets) -- This is the node identifier associated
with the key used to encrypt the first LKH Key.
o RESERVED2 (2 octets) -- Unused, set to zero.
o Key Handle (4 octets) -- This is the value to uniquely identify
the key within the LKH ID which was used to encrypt the first
LKH key.
The LKH Keys are as defined in Section 5.5.3.1. The LKH Key
structures contain keys along the path of the key tree in order from
the LKH ID found in the LKH_UPDATE_ARRAY header, culminating in the
group KEK. The Key Data field of each LKH Key is encrypted with the
LKH key preceding it in the LKH_UPDATE_ARRAY attribute. The first
LKH Key is encrypted under the key defined by the LKH ID and Key
Handle found in the LKH_UPDATE_ARRAY header.
5.5.3.3. SIG_ALGORITHM_KEY
The SIG_ALGORITHM_KEY class declares that the public key for this SPI
is contained in the Key Packet Attribute, which may be useful when no
public key infrastructure is available. The signature algorithm that
will use this key was specified in the SAK payload.
5.6. Sequence Number Payload
The Sequence Number Payload (SEQ) provides an anti-replay protection
for GROUPKEY-PUSH messages. Its use is similar to the Sequence
Number field defined in the IPsec ESP protocol [RFC2406].
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Next Payload ! RESERVED ! Payload Length !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Sequence Number !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The Sequence Number Payload fields are defined as follows:
o Next Payload (1 octet) -- Identifier for the payload type of
the next payload in the message. If the current payload is the
last in the message, then this field will be zero.
Baugher, et. al. Standards Track [Page 35]
^L
RFC 3547 GDOI Domain of Interpretation July 2003
o RESERVED (1 octet) -- Unused, set to zero.
o Payload Length (2 octets) -- Length in octets of the current
payload, including the generic payload header.
o Sequence Number (4 octets) -- This field contains a
monotonically increasing counter value for the group. It is
initialized to zero by the GCKS, and incremented in each
subsequently-transmitted message. Thus the first packet sent
for a given Rekey SA will have a Sequence Number of 1. The
GDOI implementation keeps a sequence counter as an attribute
for the Rekey SA and increments the counter upon receipt of a
GROUPKEY-PUSH message. The current value of the sequence
number must be transmitted to group members as a part of the
Registration SA SA payload. A group member must keep a sliding
receive window. The window must be treated as in the ESP
protocol [RFC2406] Section 3.4.3.
5.7. Proof of Possession
The Proof of Possession Payload is used as part of group membership
authorization during a GDOI exchange. The Proof of Possession
Payload is identical to an ISAKMP SIG payload. However, the usage is
entirely different.
The GCKS, GCKS delegate or member signs a hash of the following
values:
POP_HASH = hash("pop" | Ni | Nr)
Where hash() is the hash function used with the signature.
The "pop" prefix ensures that the signature of the POP payload cannot
be used for any other purpose in the GDOI protocol.
5.8. Nonce
The data portion of the Nonce payload (i.e., Ni_b and Nr_b included
in the HASHs) MUST be a value between 8 and 128 bytes.
6. Security Considerations
GDOI is a security association (SA) management protocol for groups of
senders and receivers. Unlike a data security protocol, SA
management includes a key establishment protocol to securely
establish keys at communication endpoints. This protocol performs
entity authentication of the GDOI member or Group Controller/Key
Server (GCKS), it provides confidentiality of key management
messages, and it provides source authentication of those messages.
This protocol also uses best-known practices for defense against
Baugher, et. al. Standards Track [Page 36]
^L
RFC 3547 GDOI Domain of Interpretation July 2003
man-in-middle, connection hijacking, replay, reflection, and
denial-of-service (DOS) attacks on unsecured networks [STS, RFC2522,
SKEME]. GDOI assumes the network is not secure and may be under the
complete control of an attacker.
GDOI assumes that the host computer is secure even though the network
is insecure. GDOI ultimately establishes keys among members of a
group, which MUST be trusted to use those keys in an authorized
manner according to group policy. The security of GDOI, therefore,
is as good as the degree to which group members can be trusted to
protect authenticators, encryption keys, decryption keys, and message
authentication keys.
There are three phases of GDOI as described in this document: an
ISAKMP Phase 1 protocol, a new exchange called GROUPKEY-PULL which is
protected by the ISAKMP Phase 1 protocol, and a new message called
GROUPKEY-PUSH. Each phase is considered separately below.
6.1. ISAKMP Phase 1
As described in this document, GDOI uses the Phase 1 exchanges
defined in [RFC2409] to protect the GROUPKEY-PULL exchange.
Therefore all security properties and considerations of those
exchanges (as noted in [RFC2409]) are relevant for GDOI.
GDOI may inherit the problems of its ancestor protocols [FS00], such
as identity exposure, absence of unidirectional authentication, or
stateful cookies [PK01]. GDOI could benefit, however, from
improvements to its ancestor protocols just as it benefits from years
of experience and work embodied in those protocols. To reap the
benefits of future IKE improvements, however, GDOI would need to be
revised in a future standards-track RFC, which is beyond the scope of
this specification.
6.1.1. Authentication
Authentication is provided via the mechanisms defined in [RFC2409],
namely Pre-Shared Keys or Public Key encryption.
6.1.2. Confidentiality
Confidentiality is achieved in Phase 1 through a Diffie-Hellman
exchange that provides keying material, and through negotiation of
encryption transforms.
Baugher, et. al. Standards Track [Page 37]
^L
RFC 3547 GDOI Domain of Interpretation July 2003
The Phase 1 protocol will be protecting encryption and integrity keys
sent in the GROUPKEY-PULL protocol. The strength of the encryption
used for Phase 1 SHOULD exceed that of the keys send in the
GROUPKEY-PULL protocol.
6.1.3. Man-in-the-Middle Attack Protection
A successful man-in-the-middle or connection-hijacking attack foils
entity authentication of one or more of the communicating entities
during key establishment. GDOI relies on Phase 1 authentication to
defeat man-in-the-middle attacks.
6.1.4. Replay/Reflection Attack Protection
In a replay/reflection attack, an attacker captures messages between
GDOI entities and subsequently forwards them to a GDOI entity.
Replay and reflection attacks seek to gain information from a
subsequent GDOI message response or seek to disrupt the operation of
a GDOI member or GCKS entity. GDOI relies on the Phase 1 nonce
mechanism in combination with a hash-based message authentication
code to protect against the replay or reflection of previous key
management messages.
6.1.5. Denial of Service Protection
A denial of service attacker sends messages to a GDOI entity to cause
that entity to perform unneeded message authentication operations.
GDOI uses the Phase 1 cookie mechanism to identify spurious messages
prior to cryptographic hash processing. This is a "weak" form of
denial of service protection in that the GDOI entity must check for
good cookies, which can be successfully imitated by a sophisticated
attacker. The Phase 1 cookie mechanism is stateful, and commits
memory resources for cookies, but stateless cookies are a better
defense against denial of service attacks.
6.2. GROUPKEY-PULL Exchange
The GROUPKEY-PULL exchange allows a group member to request SAs and
keys from a GCKS. It runs as a "phase 2" protocol under protection
of the Phase 1 security association.
6.2.1. Authentication
Peer authentication is not required in the GROUPKEY-PULL protocol.
It is running in the context of the Phase 1 protocol, which has
previously authenticated the identity of the peer.
Baugher, et. al. Standards Track [Page 38]
^L
RFC 3547 GDOI Domain of Interpretation July 2003
Message authentication is provided by HASH payloads in each message,
where the HASH is defined to be over SKEYID_a (derived in the Phase 1
exchange), the ISAKMP Message-ID, and all payloads in the message.
Because only the two endpoints of the exchange know the SKEYID_a
value, this provides confidence that the peer sent the message.
6.2.2. Confidentiality
Confidentiality is provided by the Phase 1 security association,
after the manner described in [RFC2409].
6.2.3. Man-in-the-Middle Attack Protection
Message authentication (described above) includes a secret known only
to the group member and GCKS when constructing a HASH payload. This
prevents man-in-the-middle and connection-hijacking attacks because
an attacker would not be able to change the message undetected.
6.2.4. Replay/Reflection Attack Protection
Nonces provide freshness of the GROUPKEY-PULL exchange. The group
member and GCKS exchange nonce values first two messages. These
nonces are included in subsequent HASH payload calculations. The
Group member and GCKS MUST NOT perform any computationally expensive
tasks before receiving a HASH with its own nonce included. The GCKS
MUST NOT update the group management state (e.g., LKH key tree) until
it receives the third message in the exchange with a valid HASH
payload including its own nonce.
Implementations SHOULD keep a record of recently received
GROUPKEY-PULL messages and reject messages that have already been
processed. This enables an early discard of the replayed messages.
6.2.5. Denial of Service Protection
A GROUPKEY-PULL message identifies its messages using a cookie pair
from the Phase 1 exchange that precedes it. The cookies provide a
weak form of denial of service protection as described above, in the
sense that a GROUPKEY-PULL message with invalid cookies will be
discarded.
The replay protection mechanisms described above provide the basis
for denial of service protection.
Baugher, et. al. Standards Track [Page 39]
^L
RFC 3547 GDOI Domain of Interpretation July 2003
6.2.6. Authorization
The CERT payload in a GROUPKEY-PULL exchange allows a group member or
GCKS to submit a certificate containing authorization attributes to
the peer as well as identifying a public/private key pair. The
GROUPKEY-PULL POP payload enables authorization to be accomplished
where the authorization infrastructure is different than the
GROUPKEY-PULL authentication infrastructure by proving that it is in
possession of the private key.
6.3. GROUPKEY-PUSH Exchange
The GROUPKEY-PUSH exchange is a single message that allows a GCKS to
send SAs and keys to group members. This is likely to be sent to all
members using an IP multicast group. This provides an efficient
rekey and group membership adjustment capability.
6.3.1. Authentication
The GROUPKEY-PULL exchange identifies a public key that is used for
message authentication. The GROUPKEY-PUSH message is digitally
signed using the corresponding private key held by the GCKS or its
delegate. This digital signature provides source authentication for
the message. Thus, GDOI protects the GCKS from impersonation in
group environments.
6.3.2. Confidentiality
The GCKS encrypts the GROUPKEY-PUSH message with an encryption key
that was established by the GROUPKEY-PULL exchange.
6.3.3. Man-in-the-Middle Attack Protection
This combination of confidentiality and message authentication
services protects the GROUPKEY-PUSH message from man-in-middle and
connection-hijacking attacks.
6.3.4. Replay/Reflection Attack Protection
The GROUPKEY-PUSH message includes a monotonically increasing
sequence number to protect against replay and reflection attacks. A
group member will recognize a replayed message by comparing the
sequence number to a sliding window, in the same manner as the ESP
protocol uses sequence numbers.
Implementations SHOULD keep a record of recently received
GROUPKEY-PUSH messages and reject duplicate messages. This enables
an early discard of the replayed messages.
Baugher, et. al. Standards Track [Page 40]
^L
RFC 3547 GDOI Domain of Interpretation July 2003
6.3.5. Denial of Service Protection
A cookie pair identifies the security association for the
GROUPKEY-PUSH message. The cookies thus serve as a weak form of
denial-of-service protection for the GROUPKEY-PUSH message.
The digital signature used for message authentication has a much
greater computational cost than a message authentication code and
could amplify the effects of a denial of service attack on GDOI
members who process GROUPKEY-PUSH messages. The added cost of
digital signatures is justified by the need to prevent GCKS
impersonation: If a shared symmetric key were used for
GROUPKEY-PUSH message authentication, then GCKS source authentication
would be impossible and any member would be capable of GCKS
impersonation.
The potential of the digital signature amplifying a denial of service
attack is mitigated by the order of operations a group member takes,
where the least expensive cryptographic operation is performed first.
The group member first decrypts the message using a symmetric cipher.
If it is a validly formed message then the sequence number is checked
against the replay window. Only if the sequence number is valid is
the digital signature verified. Thus in order for a denial of
service attack to be mounted, an attacker would need to know both the
symmetric encryption key used for confidentiality, and a valid
sequence number. Generally speaking this means only current group
members can effectively deploy a denial of service attack.
6.3.6. Forward Access Control
If a group management algorithm (such as LKH) is used, forward access
control may not be ensured in some cases. This can happen if some
group members are denied access to the group in the same
GROUPKEY-PUSH message as new policy and TEKs are delivered to the
group. As discussed in Section 4.2.1, forward access control can be
maintained by sending multiple GROUPKEY-PUSH messages, where the
group membership changes are sent from the GCKS separate from the new
policy and TEKs.
7. IANA Considerations
7.1. ISAKMP DOI
An ISAKMP DOI number is needed to identify an SA payload as a GDOI SA
payload. The IANA has assigned the value 2 to represent GDOI.
Baugher, et. al. Standards Track [Page 41]
^L
RFC 3547 GDOI Domain of Interpretation July 2003
7.2. Payload Types
The present document defines new ISAKMP Next Payload types. See
Section 5.0 for the payloads defined in this document, including the
Next Payload values defined by the IANA to identify these payloads.
7.3. New Name spaces
The present document describes many new name spaces for use in the
GDOI payloads. Those may be found in subsections under Section 5.0.
A new GDOI registry has been created for these name spaces.
Portions of name spaces marked "RESERVED" are reserved for IANA
allocation. New values MUST be added due to a Standards Action as
defined in [RFC2434].
Portions of name spaces marked "Private Use" may be allocated by
implementations for their own purposes.
7.4. UDP Port
The IANA has assigned port 848 for use by GDOI.
8. Intellectual Property Rights Statement
The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it
has made any effort to identify any such rights. Information on the
IETF's procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11. Copies of
claims of rights made available for publication and any assurances of
licenses to be made available, or the result of an attempt made to
obtain a general license or permission for the use of such
proprietary rights by implementors or users of this specification can
be obtained from the IETF Secretariat.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights which may cover technology that may be required to practice
this standard. Please address the information to the IETF Executive
Director.
Baugher, et. al. Standards Track [Page 42]
^L
RFC 3547 GDOI Domain of Interpretation July 2003
9. Acknowledgements
The authors thank Ran Canetti, Cathy Meadows, Andrea Colegrove, and
Lakshminath Dondeti. Ran has advised the authors on secure group
cryptography, which has led to changes in the exchanges and payload
definitions. Cathy identified several problems in previous versions
of this document, including a replay attack against the proof of
possession exchange, as well as several man-in-the-middle attacks.
Andrea contributed to the group policy section of this document.
Lakshminath identified several protocol issues that needed further
specification and helped to resolve them.
10. References
10.1. Normative References
[AES-MODES] "Recommendation for Block Cipher Modes of Operation",
United States of American, National Institute of Science
and Technology, NIST Special Publication 800-38A 2001
Edition, December 2001.
[FIPS46-3] "Data Encryption Standard (DES)", United States of
American, National Institute of Science and Technology,
Federal Information Processing Standard (FIPS) 46-3,
October 1999.
[FIPS81] "DES Modes of Operation", United States of American,
National Institute of Science and Technology, Federal
Information Processing Standard (FIPS) 81, December
1980.
[FIPS186-2] "Digital Signature Standard (DSS)", United States of
American, National Institute of Science and Technology,
Federal Information Processing Standard (FIPS) 186-2,
January 2000.
[FIPS197] "Advanced Encryption Standard (AES)", United States of
American, National Institute of Science and Technology,
Federal Information Processing Standard (FIPS) 197,
November 2001.
[IPSEC-REG] http://www.iana.org/assignments/ipsec-registry
[ISAKMP-REG] http://www.iana.org/assignments/isakmp-registry
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Level", BCP 14, RFC 2119, March 1997.
Baugher, et. al. Standards Track [Page 43]
^L
RFC 3547 GDOI Domain of Interpretation July 2003
[RFC2401] Kent, S. and R. Atkinson, "Security Architecture for the
Internet Protocol", RFC 2401, November 1998
[RFC2406] Kent, S. and R. Atkinson, "IP Encapsulating Security
Payload (ESP)", RFC 2406, November 1998.
[RFC2407] Piper, D., "The Internet IP Domain of Interpretation for
ISAKMP", RFC 2407, November 1998.
[RFC2408] Maughan, D., Shertler, M., Schneider, M. and J. Turner,
"Internet Security Association and Key Management
Protocol", RFC 2408, November 1998.
[RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange
(IKE)", RFC 2409, November 1998.
[RFC2412] Orman, H., "The OAKLEY Key Determination Protocol", RFC
2412, November 1998.
[RFC2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 2434,
October 1998.
[RFC2522] Karn, P. and W. Simpson, "Photuris: Session-Key
Management Protocol", RFC 2522, March 1999.
[RFC2627] Wallner, D., Harder, E. and R. Agee, "Key Management for
Multicast: Issues and Architectures", RFC 2627,
September 1998.
[RSA] RSA Laboratories, "PKCS #1 v2.0: RSA Encryption
Standard", October 1998.
10.2. Informative References
[FS00] N. Ferguson and B. Schneier, "A Cryptographic Evaluation
of IPsec, CounterPane",
http://www.counterpane.com/ipsec.html.
[GKMARCH] M. Baugher, R. Canetti, L. Dondeti, F. Lindholm, "Group
Key Management Architecture", Work in Progress.
[IKEv2] D. Harkins, et. al., "Proposal for the IKEv2 protocol",
Work In Progress.
[KINK] M. Thomas, J. Vilhuber, "Kerberized Internet Negotiation
of Keys (KINK)", Work in Progress.
Baugher, et. al. Standards Track [Page 44]
^L
RFC 3547 GDOI Domain of Interpretation July 2003
[NNL] D. Naor, M. Naor and J. Lotspiech, "Revocation and
Tracing Schemes for Stateless Receivers", Advances in
Cryptology, Crypto '01, Springer-Verlag LNCS 2139, 2001,
pp. 41-62. A full version of the paper appears in
http://www.wisdom.weizmann.ac.il/~naor/.
[OFT] D. Mcgrew and A. Sherman, "Key Establishment in Large
Dynamic Groups Using One-Way Function Trees", Manuscript
submitted to IEEE Transactions on Software Engineering.
A full version of the paper
appears in http://download.nai.com/products/media/nai/
misc/oft052098.ps, 1998
[PK01] R.Perlman, C.Kaufman, "Analysis of the IPsec Key
Exchange Standard", WET-ICE conference, 2001.
http://sec.femto.org/wetice-2001/papers/radia-paper.pdf
[RFC2093] Harney, H., and C. Muckenhirn, "Group Key Management
Protocol (GKMP) Specification," RFC 2093, July 1997.
[RFC2094] Harney, H. and C. Muckenhirn, "Group Key Management
Protocol (GKMP) Architecture," RFC 2094, July 1997.
[RFC2367] McDonald, D., Metz, C. and B. Phan, "PF_KEY Key
Management API, Version 2", RFC 2367, July 1998.
[RFC3550] Schulzrinne, H., Casner, S., Jacobson, V. and R.
Frederick, "RTP: A Transport Protocol for Real-Time
Applications", RFC 3550, June 2003.
[SKEME] H. Krawczyk, "SKEME: A Versatile Secure Key Exchange
Mechanism for Internet", ISOC Secure Networks and
Distributed Systems Symposium, San Diego, 1996.
[STS] Diffie, P. van Oorschot, M. J. Wiener, "Authentication
and Authenticated Key Exchanges, Designs, Codes and
Cryptography", 2, 107-125 (1992), Kluwer Academic
Publishers.
Baugher, et. al. Standards Track [Page 45]
^L
RFC 3547 GDOI Domain of Interpretation July 2003
Appendix A: Alternate GDOI Phase 1 protocols
This section describes a manner in which other protocols could be
used as GDOI Phase 1 protocols in place of the ISAKMP Phase 1
protocol. However, they are not specified as a part of this
document. A separate document MUST be written in order for another
protocol to be used as a GDOI Phase 1 protocol.
Other possible phase 1 protocols are also described in [GKMARCH].
Any GDOI phase 1 protocol MUST satisfy the requirements specified in
Section 2 of this document.
A.1. IKEv2 Phase 1 protocol
Version 2 of the IKE protocol (IKEv2) is a work in progress [IKEv2].
That protocol seeks to simplify the IKE Phase 1 and Phase 2
protocols, and improve the security of the IKE protocol. An IKEv2
Phase 1 negotiates an IPSEC SA during phase 1, which was not possible
in IKE. However, IKEv2 also defines a phase 2 protocol. The phase 2
protocol is protected by the Phase 1, similar in concept to how IKE
Quick Mode is protected by the IKE Phase 1 protocols in [RFC2409].
IKEv2 may not include a DOI value in the SA payload. However, since
GDOI uses a unique port, choice of a phase 2 protocol in the SA
payload using a GDOI value is not necessary. It is expected that an
IKEv2 Phase 1 protocol definition could be run on the GDOI port. The
SA payload in the protocol would be specific to GDOI, or omitted if
not needed at all.
The GROUPKEY-PULL protocol would follow the IKEv2 Phase 1 protocol in
the same manner as described in this document.
A.2. KINK Protocol
A work in progress [KINK] has defined a method of encapsulating an
IKE Quick Mode [RFC2409] encapsulated in Kerberos KRB_AP_REQ and
KRB_AP_REP payloads. KINK provides a low-latency, computationally
inexpensive, easily managed, and cryptographically sound method of
setting up IPSec security associations.
The KINK message format includes a GDOI field in the KINK header.
The [KINK] document defines the DOI for the IPSEC DOI.
A new DOI for KINK could be defined which would encapsulate a
GROUPKEY-PULL exchange in the Kerberos KRB_AP_REQ and KRB_AP_REP
payloads. As such, GDOI would benefit from the computational
efficiencies of KINK.
Baugher, et. al. Standards Track [Page 46]
^L
RFC 3547 GDOI Domain of Interpretation July 2003
Authors' Addresses
Mark Baugher
Cisco Systems
5510 SW Orchid Street
Portland, OR 97219, USA
Phone: (503) 245-4543
EMail: mbaugher@cisco.com
Thomas Hardjono
VeriSign
401 Edgewater Place, Suite 280
Wakefield, MA 01880
Phone: 781-245-6996
EMail: thardjono@verisign.com
Hugh Harney
Sparta
9861 Broken Land Parkway
Columbia, MD 21046
Phone: (410) 381-9400 x203
EMail: hh@sparta.com
Brian Weis
Cisco Systems
170 W. Tasman Drive,
San Jose, CA 95134-1706, USA
Phone: (408) 526-4796
EMail: bew@cisco.com
Baugher, et. al. Standards Track [Page 47]
^L
RFC 3547 GDOI Domain of Interpretation July 2003
Full Copyright Statement
Copyright (C) The Internet Society (2003). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Baugher, et. al. Standards Track [Page 48]
^L
|
