MSEC Working Group B. Weis Internet-Draft S. Rowles Intended status: Standards Track Cisco Systems Expires: January 13, 2011 T. Hardjono MIT July 12, 2010 The Group Domain of Interpretation draft-ietf-msec-gdoi-update-06 Abstract This document describes an updated version of the Group Domain of Interpretation (GDOI) protocol specified in RFC 3547. The GDOI provides group key management to support secure group communications according to the architecture specified in RFC 4046. The GDOI manages group security associations, which are used by IPsec and potentially other data security protocols. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on January 13, 2011. Copyright Notice Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must Weis, et al. Expires January 13, 2011 [Page 1] Internet-Draft GDOI July 2010 include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.1. Requirements notation . . . . . . . . . . . . . . . . . . 5 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 6 1.3. GDOI Applications . . . . . . . . . . . . . . . . . . . . 6 1.4. Extending GDOI . . . . . . . . . . . . . . . . . . . . . . 6 1.5. Forward and Backward Access Control . . . . . . . . . . . 7 2. GDOI Phase 1 protocol . . . . . . . . . . . . . . . . . . . . 9 2.1. ISAKMP Phase 1 protocol . . . . . . . . . . . . . . . . . 9 3. GROUPKEY-PULL Exchange . . . . . . . . . . . . . . . . . . . . 10 3.1. Authorization . . . . . . . . . . . . . . . . . . . . . . 10 3.2. Messages . . . . . . . . . . . . . . . . . . . . . . . . . 10 3.3. Initiator Operations . . . . . . . . . . . . . . . . . . . 12 3.4. Receiver Operations . . . . . . . . . . . . . . . . . . . 13 4. GROUPKEY-PUSH Message . . . . . . . . . . . . . . . . . . . . 15 4.1. Use of signature keys . . . . . . . . . . . . . . . . . . 16 4.2. ISAKMP Header Initialization . . . . . . . . . . . . . . . 16 4.3. Deletion of SAs . . . . . . . . . . . . . . . . . . . . . 16 4.4. GCKS Operations . . . . . . . . . . . . . . . . . . . . . 17 4.5. Group Member Operations . . . . . . . . . . . . . . . . . 18 5. Payloads and Defined Values . . . . . . . . . . . . . . . . . 19 5.1. Identification Payload . . . . . . . . . . . . . . . . . . 19 5.2. Security Association Payload . . . . . . . . . . . . . . . 19 5.3. SA KEK payload . . . . . . . . . . . . . . . . . . . . . . 21 5.4. Group Associated Policy . . . . . . . . . . . . . . . . . 27 5.5. SA TEK Payload . . . . . . . . . . . . . . . . . . . . . . 30 Weis, et al. Expires January 13, 2011 [Page 2] Internet-Draft GDOI July 2010 5.6. Key Download Payload . . . . . . . . . . . . . . . . . . . 34 5.7. Sequence Number Payload . . . . . . . . . . . . . . . . . 42 5.8. Nonce . . . . . . . . . . . . . . . . . . . . . . . . . . 43 6. Algorithm Selection . . . . . . . . . . . . . . . . . . . . . 44 6.1. KEK . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 6.2. TEK . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 7. Security Considerations . . . . . . . . . . . . . . . . . . . 46 7.1. ISAKMP Phase 1 . . . . . . . . . . . . . . . . . . . . . . 46 7.2. GROUPKEY-PULL Exchange . . . . . . . . . . . . . . . . . . 47 7.3. GROUPKEY-PUSH Exchange . . . . . . . . . . . . . . . . . . 49 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 51 8.1. Additions to current registries . . . . . . . . . . . . . 51 8.2. New registries . . . . . . . . . . . . . . . . . . . . . . 51 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 53 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 54 10.1. Normative References . . . . . . . . . . . . . . . . . . . 54 10.2. Informative References . . . . . . . . . . . . . . . . . . 54 Appendix A. Alternate GDOI Phase 1 protocols . . . . . . . . . . 58 A.1. IKEv2 Exchange . . . . . . . . . . . . . . . . . . . . . . 58 A.2. KINK Protocol . . . . . . . . . . . . . . . . . . . . . . 58 Appendix B. Significant Changes from RFC 3547 . . . . . . . . . . 59 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 60 Weis, et al. Expires January 13, 2011 [Page 3] Internet-Draft GDOI July 2010 1. Introduction Secure group and multicast applications require a method by which each group member shares common security policy and keying material. This document describes the Group Domain of Interpretation (GDOI), which is an ISAMKP [RFC2408] Domain of Interpretation (DOI), a group key management system. The GDOI distributes security associations (SAs) for IPsec AH and ESP protocols and potentially other data security protocols used in group applications. The GDOI uses the group key management model defined in [RFC4046], and described more generally by the The Multicast Group Security Architecture [RFC3740]. In this group key management model, the GDOI protocol participants are a "group controller/key server" (GCKS) and a group member (GM). A group member contacts ("registers with") a GCKS to join the group. During the registration mutual authentication and authorization are achieved, after which the GCKS distributes current group policy and keying material to the group member over an authenticated and encrypted session. The GCKS may also initiate contact ("rekeys") group members to provide updates to group policy. ISAKMP defines two "phases" of negotiation (p.16 of [RFC2408]). A Phase 1 security association provides mutual authentication and authorization, and a security association that is used by the protocol participants to execute a phase 2 exchange. This document incorporates (i.e., uses but does not re-define) the Phase 1 security association definition from the Internet DOI [RFC2407], [RFC2409]. Phase 1 security association types other than ISAKMP are possible, and are noted in Appendix A. Requirements of those phase 1 security associations are specified in Section 2. The GDOI includes two new phase 2 ISAKMP exchanges (protocols), as well as necessary new payload definitions to the ISAKMP standard (p. 14 of [RFC2408]). These two new protocols are: 1. The GROUPKEY-PULL registration protocol exchange. This exchange uses "pull" behavior since the member initiates the retrieval of these SAs from a GCKS. It is protected by an ISAKMP phase 1 protocol, as described above. At the culmination of a GROUPKEY- PULL exchange, an authorized group member has received and installed a set of SAs that represent group policy, and it is ready to participate in secure group communications. 2. The GROUPKEY-PUSH rekey protocol exchange. The rekey protocol is a datagram initiated ("pushed") by the GCKS, usually delivered to group members using a IP multicast address. It is treated as a ISAKMP phase 2 protocol, where the "phase 1" cryptographic policy and keying material is included in the group policy distributed by the GCKS in the GROUPKEY-PULL exchange. At the culmination of Weis, et al. Expires January 13, 2011 [Page 4] Internet-Draft GDOI July 2010 a GROUPKEY-PUSH exchange, all authorized group members have received and installed updates to group policy, and can continue to participate in secure group communications. If a group management method is included in group policy (as described in Section 1.5.1), at the conclusion of the GROUPKEY-PUSH exchange some members of the group may have been de-authorized and no longer able to participate in the secure group communications. +--------------------------------------------------------------+ | | | +--------------------+ | | +------>| GDOI GCKS |<------+ | | | +--------------------+ | | | | | | | | GROUPKEY-PULL | GROUPKEY-PULL | | PROTOCOL | PROTOCOL | | | | | | | v GROUPKEY-PUSH v | | +-----------------+ PROTOCOL +-----------------+ | | | | | | | | | | GDOI GM(s) |<-------+-------->| GDOI GM(S) | | | | | | | | | +-----------------+ +-----------------+ | | | ^ | | v | | | +-Data Security Protocol (e.g., ESP)-+ | | | +--------------------------------------------------------------+ Although the GROUPKEY-PUSH specified by this document can be used to refresh a Re-key SA, the most common use of GROUPKEY-PUSH is to establish a Data-security SA for a data security protocol. In summary, GDOI is a group security association management protocol: All GDOI messages are used to create, maintain, or delete security associations for a group. As described above, these security associations protect one or more key-encrypting keys, traffic- encrypting keys, or data shared by group members for multicast and groups security applications. 1.1. Requirements notation The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. Weis, et al. Expires January 13, 2011 [Page 5] Internet-Draft GDOI July 2010 1.2. Terminology The following key terms are used throughout this document. Key Encrypting Key (KEK). The symmetric cipher key used to protect the GROUPKEY-PUSH message. Logical Key Hierarchy (LKH). A group management method defined in Section 5.4 of [RFC2627]. Traffic Encryption Key (TEK). The symmetric cipher key used to protect a data security protocol (e.g., IPsec ESP). 1.3. GDOI Applications Secure multicast applications include video broadcast and multicast file transfer. GDOI can also secure group applications that do not use multicast transport such as video-on-demand where the same encrypted content is delivered to each group member. A GDOI application may require Data-security SAs (such as IPsec ESP SAs), and/or a Rekey-SA (the SA used to protect GROUPKEY-PUSH messages). For example, a secure multicast video broadcast may only need to distribute a single set of Data-Security SAs to protect the time-bounded broadcast. In this case, no Rekey-SA may be necessary because the initial Data-security SAs will not be cryptographically overused, and there is no desire to de-authorize group members. In contrast, an always-on IP multicast application (e.g., stock- ticker delivery service) with many group members may require a policy of frequent change of Data-security SAs and regular de-authorization of group members. In this case, the GCKS policy will regularly replace Data-security SAs with new SAs defining the same traffic selectors but new keying material. This will result in a regularly- scheduled GROUPKEY-PUSH delivering the new SAs. Additionally, the group membership on the GCKS may be frequently adjusted, which will result in GROUPKEY-PUSH exchange delivering a new Rekey SAs protected by a group management method. Each GROUPKEY-PUSH may include Data- security SAs and/or a Rekey SA. In all cases, the relevant policy is defined on the GCKS and relayed to group members. Specific policy choices possible by the GCKS depends on each application and further discussion of policy is beyond the scope of this memo. 1.4. Extending GDOI Not all secure multicast or multimedia applications can use IPsec ESP or AH. Many Real Time Transport Protocol applications, for example, require security above the IP layer to preserve RTP header Weis, et al. Expires January 13, 2011 [Page 6] Internet-Draft GDOI July 2010 compression efficiencies and transport-independence [RFC3550]. A future RTP security protocol may benefit from using GDOI to establish group SAs. Alternatively, GDOI can distribute message authentication code (MAC) policy and keys for legacy applications that have defined their own security associations [I-D.weis-gdoi-mac-tek]. In order to add a new data security protocol, a new RFC MUST specify the data-security SA parameters conveyed by GDOI for that security protocol; these parameters are listed in Section 5.5.2 of this document. Data security protocol SAs MUST protect group traffic. GDOI provides no restriction on whether that group traffic is transmitted as unicast or multicast packets. 1.5. Forward and Backward Access Control Through GROUPKEY-PUSH, the GDOI supports group management methods such as LKH (section 5.4 of [RFC2627]) that have the property of denying access to a new group key by a member removed from the group (forward access control) and to an old group key by a member added to the group (backward access control). An unrelated notion to PFS, "forward access control" and "backward access control" have been called "perfect forward security" and "perfect backward security" in the literature [RFC2627]. Group management algorithms providing forward and backward access control other than LKH have been proposed in the literature, including OFT [OFT] and Subset Difference [NNL]. These algorithms could be used with GDOI, but are not specified as a part of this document. 1.5.1. Forward Access Control Requirements When group membership is altered using a group management algorithm new Data-security SAs are usually also needed. New SAs ensure that members who were denied access can no longer participate in the group. If forward access control is a desired property of the group, new Data-security SAs MUST NOT be included in a GROUPKEY-PUSH message which changes group membership. This is required because the new Data-security SAs are not protected with the new KEK. Instead, two sequential GROUPKEY-PUSH messages must be sent by the GCKS; the first changing the KEK, and the second (protected with the new KEK) distributing the new Data-security SAs. Note that in the above sequence, although the new KEK can effectively Weis, et al. Expires January 13, 2011 [Page 7] Internet-Draft GDOI July 2010 deny access to the group to some group members they will be able to view the new KEK policy. If forward access control policy for the group includes keeping the KEK policy secret as well as the KEK itself secret, then two GROUPKEY-PUSH messages changing the KEK must occur before the new Data-security SAs are transmitted. If other methods of using LKH or other group management algorithms are added to GDOI, those methods MAY remove the above restrictions requiring multiple GROUPKEY-PUSH messages, providing those methods specify how forward access control policy is maintained within a single GROUPKEY-PUSH message. Weis, et al. Expires January 13, 2011 [Page 8] Internet-Draft GDOI July 2010 2. GDOI Phase 1 protocol The GDOI GROUPKEY-PULL exchange is a "phase 2" protocol which MUST be protected by a "phase 1" protocol. The "phase 1" protocol can be any protocol which provides for the following protections: o Peer Authentication o Confidentiality o Message Integrity The following sections describe one such "phase 1" protocol. Other protocols which may be potential "phase 1" protocols are described in Appendix A. However, the use of the protocols listed there are not considered part of this document. 2.1. ISAKMP Phase 1 protocol This document defines how the ISAKMP phase 1 exchanges as defined in [RFC2409] can be used a "phase 1" protocol for GDOI. The following sections define characteristics of the ISAKMP phase 1 protocols that are unique for these exchanges when used for GDOI. Section 7.1 describes how the ISAKMP Phase 1 protocols meet the requirements of a GDOI "phase 1" protocol. 2.1.1. DOI value The Phase 1 SA payload has a DOI value. That value MUST be the GDOI DOI value as defined later in this document. 2.1.2. UDP port IANA has assigned port 848 for the use of GDOI, which allows for an implementation to use separate ISAKMP implementations to service GDOI and IKEv1 [RFC2409]. A GCKS SHOULD listen on this port for GROUPKEY- PULL exchanges, and the GCKS MAY use this port to distribute GROUPKEY-PUSH messages. An ISAKMP phase 1 exchange implementation supporting NAT Traversal [RFC3947] may move to port 4500 to process the GROUPKEY-PULL exchange. Weis, et al. Expires January 13, 2011 [Page 9] Internet-Draft GDOI July 2010 3. GROUPKEY-PULL Exchange The goal of the GROUPKEY-PULL exchange is to establish a Re-key and/or Data-security SAs at the member for a particular group. A Phase 1 SA protects the GROUPKEY-PULL; there MAY be multiple GROUPKEY-PULL exchanges for a given Phase 1 SA. The GROUPKEY-PULL exchange downloads the data security keys (TEKs) and/or group key encrypting key (KEK) or KEK array under the protection of the Phase 1 SA. 3.1. Authorization The Phase 1 identity SHOULD be used by a GCKS to authorize the Phase 2 (GROUPKEY-PULL) request for a group key. Similarly, a group member SHOULD ensure that the Phase 1 identity of the GCKS is an authorized GCKS. When no authorization is performed, it is possible for a rogue GDOI participant to perpetrate a man-in-the-middle attack between a group member and a GCKS [MP04]. 3.2. Messages The GROUPKEY-PULL is a Phase 2 exchange. Phase 1 computes SKEYID_a which is the "key" in the keyed hash used in the GROUPKEY-PULL HASH payloads. When using the Phase 1 defined in this document, SKEYID_a is derived according to [RFC2409]. As with the IKEv1 HASH payload generation (Section 5.5 of [RFC2409], each GROUPKEY-PULL message hashes a uniquely defined set of values. Nonces permute the HASH and provide some protection against replay attacks. Replay protection is important to protect the GCKS from attacks that a key management server will attract. The GROUPKEY-PULL uses nonces to guarantee "liveness", or against replay of a recent GROUPKEY-PULL message. The replay attack is only useful in the context of the current Phase 1. If a GROUPKEY-PULL message is replayed based on a previous Phase 1, the HASH calculation will fail due to a wrong SKEYID_a. The message will fail processing before the nonce is ever evaluated. In order for either peer to get the benefit of the replay protection, it must postpone as much processing as possible until it receives the message in the protocol that proves the peer is live. For example, the Responder MUST NOT adjust its internal state (e.g., keeping a record of the Initiator) until it receives a message with Nr included properly in the HASH payload. Nonces require an additional message in the protocol exchange to ensure that the GCKS does not add a group member until it proves liveliness. The GROUPKEY-PULL member-initiator expects to find its nonce, Ni, in the HASH of a returned message. And the GROUPKEY-PULL Weis, et al. Expires January 13, 2011 [Page 10] Internet-Draft GDOI July 2010 GCKS responder expects to see its nonce, Nr, in the HASH of a returned message before providing group-keying material as in the following exchange. Initiator (Member) Responder (GCKS) ------------------ ---------------- HDR*, HASH(1), Ni, ID --> <-- HDR*, HASH(2), Nr, SA HDR*, HASH(3) --> <-- HDR*, HASH(4), [SEQ,] KD Hashes are computed as follows: HASH(1) = prf(SKEYID_a, M-ID | Ni | ID) HASH(2) = prf(SKEYID_a, M-ID | Ni_b | Nr | SA) HASH(3) = prf(SKEYID_a, M-ID | Ni_b | Nr_b HASH(4) = prf(SKEYID_a, M-ID | Ni_b | Nr_b [ | SEQ | ] KD) * Protected by the Phase 1 SA, encryption occurs after HDR HDR is an ISAKMP header payload that uses the Phase 1 cookies and a message identifier (M-ID) as in IKEv1. Note that nonces are included in the first two messages, with the GCKS returning only the SA policy payload before liveliness is proven. The HASH payloads [RFC2409] prove that the peer has the Phase 1 secret (SKEYID_a) and the nonce for the exchange identified by message id, M-ID. Once liveliness is established, the last message completes the real processing of downloading the KD payload. In addition to the Nonce and HASH payloads, the member-initiator identifies the group it wishes to join through the ISAKMP ID payload. The GCKS responder informs the member of the current value of the sequence number in the SEQ payload; the sequence number provides anti-replay state associated with a KEK. The SEQ payload has no other use, and is omitted from the GROUPKEY_PULL exchange when a KEK attribute is not included in the SA payload. When a SEQ payload is included in the GROUPKEY-PULL exchange, it includes the most recently used sequence number for the group. At the conclusion of a GROUPKEY-PULL exchange, the initiating group member MUST NOT accept any rekey message with both the KEK attribute SPI value and a sequence number less than or equal to the one received during the GROUPKEY-PULL. When the first group member initiates a GROUPKEY-PULL exchange, the GCKS provides a Sequence Number of zero, since no GROUPKEY-PUSH messages have yet been sent. Note the sequence number increments only with GROUPKEY-PUSH messages. Weis, et al. Expires January 13, 2011 [Page 11] Internet-Draft GDOI July 2010 The GROUPKEY-PULL exchange distributes the current sequence number to the group member. The sequence number resets to a value of one with the usage of a new KEK attribute. Thus the first packet sent for a given Rekey SA will have a Sequence Number of 1. The sequence number increments with each successive rekey. The GCKS responder informs the member of the cryptographic policies of the group in the SA payload, which describes the DOI, KEK and/or TEK keying material, and authentication transforms. The SPIs are also determined by the GCKS and downloaded in the SA payload chain (see Section 5.2). The SA KEK attribute contains the ISAKMP cookie pair for the Re-key SA, which is not negotiated but downloaded. The SA TEK attribute contains a SPI as defined in Section 5.5 of this document. The second message downloads this SA payload. If a Re-key SA is defined in the SA payload, then KD will contain the KEK; if one or more Data-security SAs are defined in the SA payload, KD will contain the TEKs. This is useful if there is an initial set of TEKs for the particular group and can obviate the need for future TEK GROUPKEY-PUSH messages (described in section 4). 3.2.1. ISAKMP Header Initialization Cookies are used in the ISAKMP header to identify a particular GDOI session. The GDOI GROUPKEY-PULL exchange uses cookies according to ISAKMP [RFC2408]. Next Payload identifies an ISAKMP or GDOI payload (see Section 5.0). Major Version is 1 and Minor Version is 0 according to ISAKMP (Section 3.1 of [RFC2408]). The Exchange Type has value 32 for the GDOI GROUPKEY-PULL exchange. Flags, Message ID, and Length are according to ISAKMP (Section 3.1 of [RFC2408]). 3.3. Initiator Operations Before a group member (GDOI initiator) contacts the GCKS, it must determine the group identifier and acceptable Phase 1 policy via an out-of-band method. Phase 1 is initiated using the GDOI DOI in the SA payload. Once Phase 1 is complete, the initiator state machine moves to the GDOI protocol. To construct the first GDOI message the initiator chooses Ni and creates a nonce payload, builds an identity payload including the Weis, et al. Expires January 13, 2011 [Page 12] Internet-Draft GDOI July 2010 group identifier, and generates HASH(1). Upon receipt of the second GDOI message, the initiator validates HASH(2), extracts the nonce Nr, and interprets the SA payload. The SA payload contains policy describing the security protocol and cryptographic protocols used by the group. This policy describes the Re-key SA (if present), Data-security SAs, and other group policy. If the policy in the SA payload is acceptable to the initiator, it continues the protocol. The initiator constructs the third GDOI message by creating HASH(3). Upon receipt of the fourth GDOI message, the initiator validates HASH(4). If SEQ payload is present, the sequence number in the SEQ payload must be checked against any previously received sequence number for this group. If it is less than the previously received number, it should be considered stale and ignored. This could happen if two GROUPKEY-PULL messages happened in parallel, and the sequence number changed between the times the results of two GROUPKEY-PULL messages were returned from the GCKS. The initiator interprets the KD key packets, where each key packet includes the keying material for SAs distributed in the SA payload. Keying material is matched by comparing the SPIs in the key packets to SPIs previously sent in the SA payloads. Once TEK keys and policy are matched, the initiator provides them to the data security subsystem, and it is ready to send or receive packets matching the TEK policy. If this group has a KEK, the KEK policy and keys are marked as ready for use, and the initiator knows to expect the sequence number reset to 1 with the next Rekey SA, which will be encrypted with the new KEK attribute. The initiator is now ready to receive GROUPKEY-PUSH messages. If the KD payload included an LKH array of keys, the initiator takes the last key in the array as the group KEK. The array is then stored without further processing. 3.4. Receiver Operations The GCKS (responder) passively listens for incoming requests from group members. The Phase 1 authenticates the group member and sets up the secure session with them. Upon receipt of the first GDOI message the GCKS validates HASH(1), extracts the Ni and group identifier in the ID payload. It verifies that its database contains the group information for the group Weis, et al. Expires January 13, 2011 [Page 13] Internet-Draft GDOI July 2010 identifier. The GCKS constructs the second GDOI message, including a nonce Nr, and the policy for the group in an SA payload, followed by SA GAP, SA KEK, and/or SA TEK payloads according to the GCKS policy. (See Section 5.2.1 for details on how the GCKS chooses which payloads to send.) Upon receipt of the third GDOI message the GCKS validates HASH(3). The GCKS constructs the fourth GDOI message, including the SEQ payload (if the GCKS sends rekey messages), and the KD payload containing keys corresponding to policy previously sent in the SA TEK and SA KEK payloads. If a group management algorithm is defined as part of group policy, the GCKS will first insert the group member into the group management structure (e.g., a leaf in the LKH tree), and then create an LKH array of keys and include it in the KD payload. The first key in the array is associated with the group member leaf node, followed by each LKH node above it in the tree, culminating with the root node (which is also the KEK). Weis, et al. Expires January 13, 2011 [Page 14] Internet-Draft GDOI July 2010 4. GROUPKEY-PUSH Message GDOI sends control information securely using group communications. Typically this will be using IP multicast distribution of a GROUPKEY- PUSH message but it can also be "pushed" using unicast delivery if IP multicast is not possible. The GROUPKEY-PUSH message replaces a Re- key SA KEK or KEK array, and/or creates a new Data-security SA. Member GCKS or Delegate ------ ---------------- <---- HDR*, SEQ, [D,] SA, KD, SIG * Protected by the Re-key SA KEK; encryption occurs after HDR HDR is defined below. The SEQ payload is defined in the Payloads section. One or more D (Delete) payloads optionally specify the deletion of existing group policy. The SA defines the policy (e.g., protection suite) and attributes (e.g., SPI) for a replacement Re-key SA and/or Data-security SAs. KD is the key download payload as described in the Payloads section. The SIG payload includes a signature of a hash of the entire GROUPKEY-PUSH message (excepting the SIG payload bytes) before it has been encrypted. The HASH is taken over the string 'rekey', the GROUPKEY-PUSH HDR, followed by all payloads preceding the SIG payload. The prefixed string ensures that the signature of the Rekey datagram cannot be used for any other purpose in the GDOI protocol. After the SIG payload is created using the signature of the above hash, with the receiver verifying the signature using a public key retrieved in policy received by a GROUPKEY-PULL exchange, or distributed in an earlier GROUPKEY-PUSH message. The current KEK encryption key (previously distributed in a GROUPKEY-PULL exchange or GROUPKEY-PUSH message) encrypts all the payloads following the GROUPKEY-PUSH HDR. Note: The rationale for this order of operations is given in Section 7.3.5. If the SA defines an LKH KEK array or single KEK, KD contains a KEK or KEK array for a new Re-key SA, which has a new cookie pair. When the KD payload carries a new SA KEK attribute (section 5.3), a Re-key SA is replaced with a new SA having the same group identifier (ID specified in message 1 of section 3.2) and incrementing the same sequence counter, which is initialized in message 4 of section 3.2. Note the first packet for the given Rekey SA encrypted with the new KEK attribute will have a Sequence number of 1. If the SA defines an SA TEK payload, this informs the member that a new Data-security SA has been created, with keying material carried in KD (Section 5.6). If the SA defines a large LKH KEK array (e.g., during group Weis, et al. Expires January 13, 2011 [Page 15] Internet-Draft GDOI July 2010 initialization and batched rekeying), parts of the array MAY be sent in different unique GROUPKEY-PUSH datagrams. However, each of the GROUPKEY-PUSH datagrams MUST be a fully formed GROUPKEY-PUSH datagram. This results in each datagram containing a sequence number and the policy in the SA payload, which corresponds to the KEK array portion sent in the KD payload. 4.1. Use of signature keys In order to avoid overusing its authentication signature key, the GCKS SHOULD NOT use the same key to sign the SIG payload in the GROUPKEY-PUSH message as was used for authentication in the GROUPKEY- PULL exchange. 4.2. ISAKMP Header Initialization Unlike ISAKMP or IKEv1, the cookie pair is completely determined by the GCKS. The cookie pair in the GDOI ISAKMP header identifies the Re- key SA to differentiate the secure groups managed by a GCKS. Thus, GDOI uses the cookie fields as an SPI. Next Payload identifies an ISAKMP or GDOI payload (see Section 5.0). Major Version is 1 and Minor Version is 0 according to ISAKMP (Section 3.1 of [RFC2408]). The Exchange Type has value 33 for the GDOI GROUPKEY-PUSH message. Flags MUST have the Encryption bit set according to [RFC2008, Section 3.1]. All other bits MUST be set to zero. Message ID MUST be set to zero. Length is according to ISAKMP (Section 3.1 of [RFC2408]). 4.3. Deletion of SAs There are times the GCKS may want to signal to receivers to delete SAs, for example at the end of a broadcast. Deletion of keys may be accomplished by sending an ISAKMP Delete payload (Section 3.15 of [RFC2408]) as part of a GDOI GROUPKEY-PUSH message. One or more Delete payloads MAY be placed following the SEQ payload in a GROUPKEY-PUSH message. If a GCKS has no further SAs to send to group members, the SA and KD payloads MUST be omitted from the message. The following fields of the Delete Payload are further defined as Weis, et al. Expires January 13, 2011 [Page 16] Internet-Draft GDOI July 2010 follows: o The Domain of Interpretation field contains the GDOI DOI. o The Protocol-Id field contains TEK protocol id values defined in Section 5.5 of this document. To delete a KEK SA, the value of zero MUST be used as the protocol id. Note that only one protocol id value can be defined in a Delete payload. If a TEK SA and a KEK SA must be deleted, they must be sent in different Delete payloads. There may be circumstances where the GCKS may want to start over with a clean slate. If the administrator is no longer confident in the integrity of the group, the GCKS can signal deletion of all policy of a particular TEK protocol by sending a TEK with a SPI value equal to zero in the delete payload. For example, if the GCKS wishes to remove all the KEKs and all the TEKs in the group, the GCKS SHOULD send a delete payload with a spi of zero and a protocol_id of a TEK protocol_id value, followed by another delete payload with a spi of zero and protocol_id of zero, indicating that the KEK SA should be deleted. 4.4. GCKS Operations GCKS or its delegate may initiate a Rekey message for one of several reasons, e.g., the group membership has changed or keys are due to expire. To begin the rekey datagram the GCKS builds an ISAKMP HDR with the correct cookie pair, and a SEQ payload that includes a sequence number which is one greater than the previous rekey datagram. If the message is using the new KEK attribute for the first time, the SEQ is reset to 1 in this message. An SA payload is then added. This is identical in structure and meaning to a SA payload sent in a GROUPKEY-PULL exchange. If there are changes to the KEK (including due to group members being excluded, in the case of LKH), an SA_KEK attribute is added to the SA. If there are one or more new TEKs then SA_TEK attributes are added to describe that policy. A KD payload is then added. This is identical in structure and meaning to a KD payload sent in a GROUPKEY-PULL exchange. If an SA_KEK attribute was included in the SA payload then corresponding KEK keys (or a KEK update array) is included. A KEK update array is created by first determining which group members have been excluded, and then generating new keys as necessary and distribute LKH update arrays sufficient to provide the new KEK to remaining group members (see Section 5.4.1 of [RFC2627] for details). TEK keys are also sent Weis, et al. Expires January 13, 2011 [Page 17] Internet-Draft GDOI July 2010 for each SA_TEK attribute included in the SA payload. In the penultimate step, the initiator hashes the string "rekey" followed by the key management message already formed. The hash is signed, placed in a SIG payload and added to the datagram. Lastly, the payloads following the HDR are encrypted using the current KEK encryption key. The datagram can now be sent. 4.5. Group Member Operations A group member receiving the GROUPKEY-PUSH datagram matches the cookie pair in the ISAKMP HDR to an existing SA. The message is decrypted, and the form of the datagram is validated. This weeds out obvious ill-formed messages (which may be sent as part of a Denial of Service attack on the group). The sequence number in the SEQ payload is validated to ensure that it is greater than the previously received sequence number, and that it fits within a window of acceptable values. The SIG payload is then validated. If the signature fails, the message is discarded. The SA and KD payloads are processed which results in a new GDOI Rekey SA (if the SA payload included an SA_KEK attribute) and/or new IPsec SAs being added to the system. If the KD payload includes an LKH update array, the group member compares the LKH ID in each key update packet to the LKH IDs that it holds. If it finds a match, it decrypts the key using the key prior to it in the key array and stores the new key in the LKH key array that it holds. The final decryption yields the new group KEK. Weis, et al. Expires January 13, 2011 [Page 18] Internet-Draft GDOI July 2010 5. Payloads and Defined Values This document specifies use of several ISAKMP payloads, which are defined in accordance with RFC 2408. The following payloads are extended or further specified. Next Payload Type Value ----------------- ----- Security Association (SA) 1 Identification (ID) 5 Nonce (N) 10 Several payload formats specific to the group security exchanges are required. Next Payload Type Value ----------------- ----- SA KEK Payload (SAK) 15 SA TEK Payload (SAT) 16 Key Download (KD) 17 Sequence Number (SEQ) 18 SA Group Associated Policy (GAP) TBD-1 5.1. Identification Payload The Identification Payload is defined in RFC 2408. For the GDOI, it is used to identify a group identity that will later be associated with Security Associations for the group. A group identity may map to a specific IP multicast group, or may specify a more general identifier, such as one that represents a set of related multicast streams. When used with the GDOI, the DOI Specific ID Data field MUST be set to 0. When used with the GDOI, the ID_KEY_ID ID Type MUST be supported by a conforming implementation, and MUST specify a four (4)-octet group identifier as its value. Implementations MAY also support other ID Types. 5.2. Security Association Payload The Security Association payload is defined in RFC 2408. For the GDOI, it is used by the GCKS to assert security attributes for both Re-key and Data-security SAs. Weis, et al. Expires January 13, 2011 [Page 19] Internet-Draft GDOI July 2010 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! Next Payload ! RESERVED ! Payload Length ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! DOI ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! Situation ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! SA Attribute Next Payload ! RESERVED2 ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! The Security Association Payload fields are defined as follows: o Next Payload (1 octet) -- Identifies the next payload for the GROUPKEY-PULL or the GROUPKEY-PUSH message as defined above. The next payload MUST NOT be a SAK Payload or SAT Payload type, but the next non-Security Association type payload. o RESERVED (1 octet) -- Must be zero. o Payload Length (2 octets) -- Is the octet length of the current payload including the generic header and all TEK and KEK payloads. o DOI (4 octets) -- Is the GDOI, which is value 2. o Situation (4 octets) -- Must be zero. o SA Attribute Next Payload (1 octet) -- Must be either a SAK Payload or a SAT Payload. See section 5.2.1 for a description of which circumstances are required for each payload type to be present. o RESERVED (2 octets) -- Must be zero. 5.2.1. Payloads following the SA payload Payloads that define specific security association attributes for the KEK and/or TEKs used by the group MUST follow the SA payload. How many of each payload is dependent upon the group policy. There may be zero or one SAK Payloads, zero or more GAP Payloads, and zero or more SAT Payloads, where either one SAK or SAT payload MUST be present. When present, the order of the SA Attributes payloads must be: KEK, GAP, and TEKs. This latitude allows various group policies to be accommodated. For example if the group policy does not require the use of a Re-key SA, the GCKS would not need to send an SA KEK attribute to the group member since all SA updates would be performed using the Registration Weis, et al. Expires January 13, 2011 [Page 20] Internet-Draft GDOI July 2010 SA. Alternatively, group policy might use a Re-key SA but choose to download a KEK to the group member only as part of the Registration SA. Therefore, the KEK policy (in the SA KEK attribute) would not be necessary as part of the Re-key SA message SA payload. Specifying multiple SATs allows multiple sessions to be part of the same group and multiple streams to be associated with a session (e.g., video, audio, and text) but each with individual security association policy. A GAP payload allows for the distribution of group-wise policy, such as instructions as to when to activate and de-activate SAs. 5.3. SA KEK payload The SA KEK (SAK) payload contains security attributes for the KEK method for a group and parameters specific to the GROUPKEY-PULL operation. The source and destination identities describe the identities used for the GROUPKEY-PULL datagram. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! Next Payload ! RESERVED ! Payload Length ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! Protocol ! SRC ID Type ! SRC ID Port ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! !SRC ID Data Len! SRC Identification Data ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! DST ID Type ! DST ID Port !DST ID Data Len! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! DST Identification Data ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! ! ~ SPI ~ ! ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! RESERVED2 ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ~ KEK Attributes ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! The SAK Payload fields are defined as follows: o Next Payload (1 octet) -- Identifies the next payload for the GROUPKEY-PULL or the GROUPKEY-PUSH message. The only valid next payload types for this message are a GAP Payload, SAT Payload or zero Weis, et al. Expires January 13, 2011 [Page 21] Internet-Draft GDOI July 2010 to indicate that no SA Attribute payloads follow. o RESERVED (1 octet) -- Must be zero. o Payload Length (2 octets) -- Length of this payload, including the KEK attributes. o Protocol (1 octet) -- Value describing an IP protocol ID (e.g., UDP/TCP) for the rekey datagram. o SRC ID Type (1 octet) -- Value describing the identity information found in the SRC Identification Data field. Defined values are specified by the IPsec Identification Type section in the IANA isakmpd-registry [ISAKMP-REG]. o SRC ID Port (2 octets) -- Value specifying a port associated with the source Id. A value of zero means that the SRC ID Port field should be ignored. o SRC ID Data Len (1 octet) -- Value specifying the length of the SRC Identification Data field. o SRC Identification Data (variable length) -- Value, as indicated by the SRC ID Type. o DST ID Type (1 octet) -- Value describing the identity information found in the DST Identification Data field. Defined values are specified by the IPsec Identification Type section in the IANA isakmpd-registry [ISAKMP-REG]. o DST ID Prot (1 octet) -- Value describing an IP protocol ID (e.g., UDP/TCP). o DST ID Port (2 octets) -- Value specifying a port associated with the source Id. o DST ID Data Len (1 octet) -- Value specifying the length of the DST Identification Data field. o DST Identification Data (variable length) -- Value, as indicated by the DST ID Type. o SPI (16 octets) -- Security Parameter Index for the KEK. The SPI must be the ISAKMP Header cookie pair where the first 8 octets become the "Initiator Cookie" field of the GROUPKEY-PUSH message ISAKMP HDR, and the second 8 octets become the "Responder Cookie" in the same HDR. As described above, these cookies are assigned by the GCKS. Weis, et al. Expires January 13, 2011 [Page 22] Internet-Draft GDOI July 2010 o RESERVED2 (4 octets) -- Must be zero. o KEK Attributes -- Contains KEK policy attributes associated with the group. The following sections describe the possible attributes. Any or all attributes may be optional, depending on the group policy. 5.3.1. KEK Attributes The following attributes may be present in a SAK Payload. The attributes must follow the format defined in ISAKMP (Section 3.3 of [RFC2408]). In the table, attributes that are defined as TV are marked as Basic (B); attributes that are defined as TLV are marked as Variable (V). ID Class Value Type -------- ----- ---- RESERVED 0 KEK_MANAGEMENT_ALGORITHM 1 B KEK_ALGORITHM 2 B KEK_KEY_LENGTH 3 B KEK_KEY_LIFETIME 4 V SIG_HASH_ALGORITHM 5 B SIG_ALGORITHM 6 B SIG_KEY_LENGTH 7 B The KEK_MANAGEMENT_ALGORITHM attribute may only be included in a GROUPKEY-PULL message. 5.3.2. KEK_MANAGEMENT_ALGORITHM The KEK_MANAGEMENT_ALGORITHM class specifies the group KEK management algorithm used to provide forward or backward access control (i.e., used to exclude group members). Defined values are specified in the following table. KEK Management Type Value ------------------- ----- RESERVED 0 LKH 1 RESERVED 2-127 Private Use 128-255 Weis, et al. Expires January 13, 2011 [Page 23] Internet-Draft GDOI July 2010 5.3.2.1. LKH This type indicates the group management method described in Section 5.4 of [RFC2627]. 5.3.3. KEK_ALGORITHM The KEK_ALGORITHM class specifies the encryption algorithm using with the KEK. Defined values are specified in the following table. An GDOI implementation MUST abort if it encounters and attribute or capability that it does not understand. Algorithm Type Value -------------- ----- RESERVED 0 KEK_ALG_DES 1 KEK_ALG_3DES 2 KEK_ALG_AES 3 RESERVED 4-127 Private Use 128-255 If a KEK_MANAGEMENT_ALGORITHM is defined which defines multiple keys (e.g., LKH), and if the management algorithm does not specify the algorithm for those keys, then the algorithm defined by the KEK_ALGORITHM attribute MUST be used for all keys which are included as part of the management. 5.3.3.1. KEK_ALG_DES This type specifies DES using the Cipher Block Chaining (CBC) mode as described in [FIPS81]. 5.3.3.2. KEK_ALG_3DES This type specifies 3DES using three independent keys as described in "Keying Option 1" in [FIPS46-3]. 5.3.3.3. KEK_ALG_AES This type specifies AES as described in [FIPS197]. The mode of operation for AES is Cipher Block Chaining (CBC) as recommended in [SP.800-38A]. 5.3.4. KEK_KEY_LENGTH The KEK_KEY_LENGTH class specifies the KEK Algorithm key length (in bits). The Group Controller/Key Server (GCKS) adds the KEK_KEY_LEN Weis, et al. Expires January 13, 2011 [Page 24] Internet-Draft GDOI July 2010 attribute to the SA payload when distributing KEK policy to group members. The group member verifies whether or not it has the capability of using a cipher key of that size. If the cipher definition includes a fixed key length (e.g., KEK_ALG_3DES), the group member can make its decision solely using KEK_ALGORITHM attribute and does not need the KEK_KEY_LEN attribute. Sending the KEK_KEY_LEN attribute in the SA payload is OPTIONAL if the KEK cipher has a fixed key length. Also, note that the KEK_KEY_LEN includes only the actual length of the cipher key (the IV length is not included in this attribute). 5.3.5. KEK_KEY_LIFETIME The KEK_KEY_LIFETIME class specifies the maximum time for which the KEK is valid. The GCKS may refresh the KEK at any time before the end of the valid period. The value is a four (4) octet number defining a valid time period in seconds. 5.3.6. SIG_HASH_ALGORITHM SIG_HASH_ALGORITHM specifies the SIG payload hash algorithm. The following table defines the algorithms for SIG_HASH_ALGORITHM. Algorithm Type Value -------------- ----- RESERVED 0 SIG_HASH_MD5 1 SIG_HASH_SHA1 2 SIG_HASH_SHA256 TBD-2 SIG_HASH_SHA384 TBD-3 SIG_HASH_SHA512 TBD-4 RESERVED 6-127 Private Use 128-255 The SHA hash algorithms are defined in the Secure Hash Standard[FIPS.180-2.2002]. If the SIG_ALGORITHM is SIG_ALG_ECDSA-256, SIG_ALG_ECDSA-384, or SIG_ALG_ECDSA-521 the hash algorithm is implicit in the definition, and SIG_HASH_ALGORITHM is not required to be present in a SAK Payload. 5.3.7. SIG_ALGORITHM The SIG_ALGORITHM class specifies the SIG payload signature algorithm. Defined values are specified in the following table. Weis, et al. Expires January 13, 2011 [Page 25] Internet-Draft GDOI July 2010 Algorithm Type Value -------------- ----- RESERVED 0 SIG_ALG_RSA 1 SIG_ALG_DSS 2 SIG_ALG_ECDSS 3 SIG_ALG_RSA_PSS TBD-6 SIG_ALG_ECDSA-256 TBD-7 SIG_ALG_ECDSA-384 TBD-8 SIG_ALG_ECDSA-521 TBD-9 RESERVED 8-127 Private Use 128-255 5.3.7.1. SIG_ALG_RSA This algorithm specifies the RSA digital signature algorithm using the EMSA-PKCS1-v1_5 encoding method, as described in [RFC3447]. 5.3.7.2. SIG_ALG_DSS This algorithm specifies the DSS digital signature algorithm as described in Section 4 of [FIPS186-3]. 5.3.7.3. SIG_ALG_ECDSS This algorithm specifies the Elliptic Curve digital signature algorithm as described in Section 5 of [FIPS186-3]. This definition is deprecated in favor of the SIG_ALG_ECDSA family of algorithms. 5.3.7.4. SIG_ALG_RSA_PSS This algorithm specifies the RSA digital signature algorithm using the EMSA-PSS encoding method, as described in [RFC3447]. 5.3.7.5. SIG_ALG_ECDSA-256 This algorithm specifies the 256-bit Random ECP Group, as described in [RFC5903]. The format of the signature in the SIG payload MUST be as specified in [RFC4754]. 5.3.7.6. SIG_ALG_ECDSA-384 This algorithm specifies the 384-bit Random ECP Group, as described in [RFC5903]. The format of the signature in the SIG payload MUST be as specified in [RFC4754]. Weis, et al. Expires January 13, 2011 [Page 26] Internet-Draft GDOI July 2010 5.3.7.7. SIG_ALG_ECDSA-521 This algorithm specifies the 521-bit Random ECP Group, as described in [RFC5903]. The format of the signature in the SIG payload MUST be as specified in [RFC4754]. 5.3.8. SIG_KEY_LENGTH The SIG_KEY_LENGTH class specifies the length of the SIG payload key in bits. 5.4. Group Associated Policy RFC 3547 provides for the distribution of policy in the GROUPKEY-PULL exchange in an SA payload. Policy can define GROUPKEY-PUSH policy (SA KEK) or traffic encryption policy (SA TEK) such as IPsec policy. There is a need to distribute group policy that fits into neither category. Some of this policy is generic to the group, and some is sender-specific policy for a particular group member. GDOI distributes this associated group policy in a new payload called the SA Group Associated Policy (SA GAP). The SA GAP payload follows any SA KEK payload, and is placed before any SA TEK payloads. In the case that group policy does not include an SA KEK, the SA Attribute Next Payload field in the SA payload MAY indicate the SA GAP payload. The SA GAP payload is defined as follows: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! Next Payload ! RESERVED ! Payload Length ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! Group Associated Policy Attributes ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! The SA GAP payload fields are defined as follows: o Next Payload (1 octet) -- Identifies the next payload present in the GROUPKEY-PULL or the GROUPKEY-PUSH message. The only valid next payload type for this message is an SA TEK or zero to indicate there are no more security association attributes. o RESERVED (1 octet) -- Must be zero. o Payload Length (2 octets) -- Length of this payload, including the SA GAP header and Attributes. Weis, et al. Expires January 13, 2011 [Page 27] Internet-Draft GDOI July 2010 o Group Associated Policy Attributes (variable) -- Contains attributes following the format defined in Section 3.3 of RFC 2408. Several group associated policy attributes are defined in this memo. An GDOI implementation MUST abort if it encounters and attribute or capability that it does not understand. 5.4.1. ACTIVATION_TIME_DELAY This attribute allows a GCKS to set the Activation Time Delay for SAs generated from TEKs. The value is in seconds. If a group member receives a TEK with an ATD value, but discovers that it has no current SAs matching the policy in the TEK, then it SHOULD create and install SAs from the TEK immediately. 5.4.2. DEACTIVATION_TIME_DELAY This attribute allows a GCKS to set the Deactivation Time Delay for SAs generated from TEKs. The value is in seconds. 5.4.3. SENDER_ID Several new AES counter-based modes of operation have been specified for ESP [RFC3686],[RFC4106],[RFC4309],[RFC4543] and AH [RFC4543]. These AES counter-based modes require that no two senders in the group ever send a packet with the same IV. This requirement can be met using the method described in [I-D.ietf-msec-ipsec-group-counter-modes], which requires each sender to be allocated a unique Sender ID (SID). The SENDER_ID attribute is used to distribute a SID to a group member during the GROUPKEY-PULL message. Other algorithms with the same need may be defined in the future; the sender MUST use the IV construction method described above with those algorithms as well. The SENDER_ID attribute value contains the following fields. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! SID Length ! SID Value ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! o SID Length (1 octet) -- A natural number defining the number of bits to be used in the SID field of the counter mode transform nonce. Weis, et al. Expires January 13, 2011 [Page 28] Internet-Draft GDOI July 2010 o SID Value (variable) -- The Sender ID value allocated to the group member. 5.4.3.1. GCKS Semantics The GCKS maintains a SID counter (SIDC). It is incremented each time a SENDER_ID attribute is distributed to a group member. The first group member to register is given the SID of 1. Any group member registering will be given a new SID value, which allows group members to act as a group sender when an older SID value becomes unusable (as described in the next section). A GCKS MAY allocate multiple SID values in one SA GAP payload. Allocating several SID values at the same time to a group member expected to send at a high rate would obviate the need for the group member to re-register as frequently. If a GCKS allocates all SID values, it can no longer respond to GDOI registrations and must re-initialize the entire group. This is done by issuing DELETE notifications for all ESP and AH SAs in a GDOI rekey message, resetting the SIDC to zero, and creating new ESP and AH SAs that match the group policy. When group members re-register, the SIDs are allocated again beginning with the value 1 as described above. Each re-registering group member will be given a new SID and the new group policy. The SENDER_ID attribute MUST NOT be sent as part of a GROUPKEY-PUSH message, because distributing the same sender-specific policy to more than one group member may reduce the security of the group. 5.4.3.2. Group Member Semantics The SENDER_ID attribute value distributed to the group member MUST be used by that group member as the Sender Identifier (SID) field portion of the IV. The SID is used for all counter mode SAs distributed by the GCKS to be used for communications sent as a part of this group. When the Sender-Specific IV (SSIV) field for any IPsec SA is exhausted, the group member MUST no longer act as a sender using its active SID. The group member SHOULD re-register, during which time the GCKS will issue a new SID to the group member. The new SID replaces the existing SID used by this group member, and also resets the SSIV value to it's starting value. A group member MAY re- register prior to the actual exhaustion of the SSIV field to avoid dropping data packets due to the exhaustion of available SSIV values combined with a particular SID value. Weis, et al. Expires January 13, 2011 [Page 29] Internet-Draft GDOI July 2010 A group member MUST NOT process SENDER_ID attribute present in a GROUPKEY-PUSH message. 5.5. SA TEK Payload The SA TEK (SAT) payload contains security attributes for a single TEK associated with a group. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! Next Payload ! RESERVED ! Payload Length ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! Protocol-ID ! TEK Protocol-Specific Payload ~ +-+-+-+-+-+-+-+-+ ~ ~ ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! The SAT Payload fields are defined as follows: o Next Payload (1 octet) -- Identifies the next payload for the GROUPKEY-PULL or the GROUPKEY-PUSH message. The only valid next payload types for this message are another SAT Payload or zero to indicate there are no more security association attributes. o RESERVED (1 octet) -- Must be zero. o Payload Length (2 octets) -- Length of this payload, including the TEK Protocol-Specific Payload. o Protocol-ID (1 octet) -- Value specifying the Security Protocol. The following table defines values for the Security Protocol Protocol ID Value ----------- ----- RESERVED 0 GDOI_PROTO_IPSEC_ESP 1 GDOI_PROTO_IPSEC_AH TBD-5 RESERVED 3-127 Private Use 128-255 o TEK Protocol-Specific Payload (variable) -- Payload which describes the attributes specific for the Protocol-ID. Weis, et al. Expires January 13, 2011 [Page 30] Internet-Draft GDOI July 2010 5.5.1. GDOI_PROTO_IPSEC_ESP/GDOI_PROTO_IPSEC_AH The TEK Protocol-Specific payload for ESP and AH is as follows: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! Protocol ! SRC ID Type ! SRC ID Port ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! !SRC ID Data Len! SRC Identification Data ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! DST ID Type ! DST ID Port !DST ID Data Len! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! DST Identification Data ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! Transform ID ! SPI ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! SPI ! RFC 2407 SA Attributes ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! The SAT Payload fields are defined as follows: o Protocol (1 octet) -- Value describing an IP protocol ID (e.g., UDP/TCP). A value of zero means that the Protocol field should be ignored. o SRC ID Type (1 octet) -- Value describing the identity information found in the SRC Identification Data field. Defined values are specified by the IPsec Identification Type section in the IANA isakmpd-registry [ISAKMP-REG]. o SRC ID Port (2 octets) -- Value specifying a port associated with the source Id. A value of zero means that the SRC ID Port field should be ignored. o SRC ID Data Len (1 octet) -- Value specifying the length of the SRC Identification Data field. o SRC Identification Data (variable length) -- Value, as indicated by the SRC ID Type. Set to three bytes of zero for multiple-source multicast groups that use a common TEK for all senders. o DST ID Type (1 octet) -- Value describing the identity information found in the DST Identification Data field. Defined values are specified by the IPsec Identification Type section in the IANA isakmpd-registry [ISAKMP-REG]. Weis, et al. Expires January 13, 2011 [Page 31] Internet-Draft GDOI July 2010 o DST ID Prot (1 octet) -- Value describing an IP protocol ID (e.g., UDP/TCP). A value of zero means that the DST Id Prot field should be ignored. o DST ID Port (2 octets) -- Value specifying a port associated with the source Id. A value of zero means that the DST ID Port field should be ignored. o DST ID Data Len (1 octet) -- Value specifying the length of the DST Identification Data field. o DST Identification Data (variable length) -- Value, as indicated by the DST ID Type. o Transform ID (1 octet) -- Value specifying which ESP or AH transform is to be used. The list of valid values is defined in the IPsec ESP or IPsec AH Transform Identifiers section of the IANA isakmpd-registry [ISAKMP-REG]. o SPI (4 octets) -- Security Parameter Index for ESP. o RFC 2407 Attributes -- ESP and AH Attributes from RFC 2407 Section 4.5. The GDOI supports all IPsec DOI SA Attributes for GDOI_PROTO_IPSEC_ESP and GDOI_PROTO_IPSEC_AH excluding the Group Description (section 4.5 of [RFC2407], which MUST NOT be sent by a GDOI implementation and is ignored by a GDOI implementation if received. The following attributes MUST be supported by an implementation supporting ESP and AH: SA Life Type, SA Life Duration, Encapsulation Mode. An implementation supporting ESP must also support the Authentication Algorithm attribute if the ESP transform includes authentication/ The Authentication Algorithm attribute of the IPsec DOI is group authentication in GDOI. 5.5.1.1. Harmonization with RFC 5374 The Multicast Extensions to the Security Architecture for the Internet Protocol (RFC 5374) introduces new requirements for a group key management system distributing IPsec policy. The following sections describe new GDOI requirements that result from harmonizing with that document. 5.5.1.1.1. Group Security Policy Database Attributes RFC 5374 describes new attributes as part of the Group Security Policy Database (GSPD). These attributes describe policy that a group key management system must convey to a group member in order to support those extensions. The GDOI SA TEK payload distributes IPsec policy using IPsec security association attributes defined in Weis, et al. Expires January 13, 2011 [Page 32] Internet-Draft GDOI July 2010 [ISAKMP-REG]. This section defines how GDOI can convey the new attributes as IPsec Security Association Attributes. 5.5.1.1.2. Address Preservation Applications use the extensions in RFC 5374 create encapsulate IPsec multicast packets that are IP multicast packets. In order for the GDOI group member to appropriately setup the GSPD, the GCKS must provide that policy to the group member. Depending on group policy, several address preservation methods are possible: no address preservation ("None"), preservation of the original source address ("Source-Only"), preservation of the original destination address ("Destination-Only"), or both addresses ("Source- And-Destination"). This memo adds the "Address Preservation" security association attribute. If this attribute is not included in a GDOI SA TEK payload provided by a GCKS, then Source-And-Destination address preservation has been defined for the SA TEK. 5.5.1.1.3. SA Direction Depending on group policy, an IPsec SA created from an SA TEK payload may be required in one or both directions. SA TEK policy used by multiple senders is required to be installed in both the sending and receiving direction ("Symmetric"), whereas SA TEK for a single sender should only be installed in the receiving direction by receivers ("Receiver-Only") and in the sending direction by the sender ("Sender-Only"). This memo adds the "SA Direction" security association attribute. If the attribute is not included in a GDOI SA TEK payload, then the IPsec SA is treated as a Symmetric IPsec SA. 5.5.1.1.4. Re-key rollover Section 4.2.1 of RFC 5374 specifies a key rollover method that requires two values be given it from the group key management protocol. The Activation Time Delay (ATD) attribute allows the GCKS to specify how long after the start of a re-key event that a group member is to activate new TEKs. The Deactivation Time Delay (DTD) attribute allows the GCKS to specify how long after the start of a re-key event that a group member is to deactivate existing TEKs. This memo adds new attributes by which a GCKS can relay these values to group members as part of the Group Associated Policy described in Section 5. Weis, et al. Expires January 13, 2011 [Page 33] Internet-Draft GDOI July 2010 5.5.2. Other Security Protocols Besides ESP and AH, GDOI should serve to establish SAs for secure groups needed by other Security Protocols that operate at the transport, application, and internetwork layers. These other Security Protocols, however, are in the process of being developed or do not yet exist. The following information needs to be provided for a Security Protocol to the GDOI. o The Protocol-ID for the particular Security Protocol o The SPI Size o The method of SPI generation o The transforms, attributes and keys needed by the Security Protocol All Security Protocols must provide the information in the bulleted list above to guide the GDOI specification for that protocol. Definitions for the support of those Security Protocols in GDOI will be specified in separate documents. A Security Protocol MAY protect traffic at any level of the network stack. However, in all cases applications of the Security Protocol MUST protect traffic which MAY be shared by more than two entities. 5.6. Key Download Payload The Key Download Payload contains group keys for the group specified in the SA Payload. These key download payloads can have several security attributes applied to them based upon the security policy of the group as defined by the associated SA Payload. Weis, et al. Expires January 13, 2011 [Page 34] Internet-Draft GDOI July 2010 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! Next Payload ! RESERVED ! Payload Length ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! Number of Key Packets ! RESERVED2 ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ~ Key Packets ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! The Key Download Payload fields are defined as follows: o Next Payload (1 octet) -- Identifier for the payload type of the next payload in the message. If the current payload is the last in the message, then this field will be zero. o RESERVED (1 octet) -- Unused, set to zero. o Payload Length (2 octets) -- Length in octets of the current payload, including the generic payload header. o Number of Key Packets (2 octets) -- Contains the total number of both TEK and Rekey arrays being passed in this data block. o Key Packets Several types of key packets are defined. Each Key Packet has the following format. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! KD Type ! RESERVED ! KD Length ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! SPI Size ! SPI (variable) ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ~ Key Packet Attributes ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! o Key Download (KD) Type (1 octet) -- Identifier for the Key Data field of this Key Packet. Weis, et al. Expires January 13, 2011 [Page 35] Internet-Draft GDOI July 2010 Key Download Type Value ----------------- ----- RESERVED 0 TEK 1 KEK 2 LKH 3 RESERVED 4-127 Private Use 128-255 "KEK" is a single key whereas LKH is an array of key-encrypting keys. o RESERVED (1 octet) -- Unused, set to zero. o Key Download Length (2 octets) -- Length in octets of the Key Packet data, including the Key Packet header. o SPI Size (1 octet) -- Value specifying the length in octets of the SPI as defined by the Protocol-Id. o SPI (variable length) -- Security Parameter Index which matches a SPI previously sent in an SAK or SAT Payload. o Key Packet Attributes (variable length) -- Contains Key information. The format of this field is specific to the value of the KD Type field. The following sections describe the format of each KD Type. 5.6.1. TEK Download Type The following attributes may be present in a TEK Download Type. Exactly one attribute matching each type sent in the SAT payload MUST be present. The attributes must follow the format defined in ISAKMP (Section 3.3 of [RFC2408]). In the table, attributes defined as TV are marked as Basic (B); attributes defined as TLV are marked as Variable (V). TEK Class Value Type --------- ----- ---- RESERVED 0 TEK_ALGORITHM_KEY 1 V TEK_INTEGRITY_KEY 2 V TEK_SOURCE_AUTH_KEY 3 V If no TEK key packets are included in a Registration KD payload, the group member can expect to receive the TEK as part of a Re-key SA. At least one TEK must be included in each Re-key KD payload. Multiple TEKs may be included if multiple streams associated with the Weis, et al. Expires January 13, 2011 [Page 36] Internet-Draft GDOI July 2010 SA are to be rekeyed. 5.6.1.1. TEK_ALGORITHM_KEY The TEK_ALGORITHM_KEY class declares that the encryption key for this SPI is contained as the Key Packet Attribute. The encryption algorithm that will use this key was specified in the SAT payload. In the case that the algorithm requires multiple keys (e.g., 3DES), all keys will be included in one attribute. DES keys will consist of 64 bits (the 56 key bits with parity bit). Triple DES keys will be specified as a single 192 bit attribute (including parity bits) in the order that the keys are to be used for encryption (e.g., DES_KEY1, DES_KEY2, DES_KEY3). 5.6.1.2. TEK_INTEGRITY_KEY The TEK_INTEGRITY_KEY class declares that the integrity key for this SPI is contained as the Key Packet Attribute. The integrity algorithm that will use this key was specified in the SAT payload. Thus, GDOI assumes that both the symmetric encryption and integrity keys are pushed to the member. HMAC-SHA1 keys will consist of 160 bits[RFC2404], HMAC-MD5 keys will consist of 128 bits[RFC2403]. HMAC-SHA2 and AES-GMAC keys will have a key length equal to the output length of the hash functions [RFC4868][RFC4543]. 5.6.1.3. TEK_SOURCE_AUTH_KEY The TEK_SOURCE_AUTH_KEY class declares that the source authentication key for this SPI is contained in the Key Packet Attribute. The source authentication algorithm that will use this key was specified in the SAT payload. 5.6.2. KEK Download Type The following attributes may be present in a KEK Download Type. Exactly one attribute matching each type sent in the SAK payload MUST be present. The attributes must follow the format defined in ISAKMP (Section 3.3 of [RFC2408]). In the table, attributes defined as TV are marked as Basic (B); attributes defined as TLV are marked as Variable (V). Weis, et al. Expires January 13, 2011 [Page 37] Internet-Draft GDOI July 2010 KEK Class Value Type --------- ----- ---- RESERVED 0 KEK_ALGORITHM_KEY 1 V SIG_ALGORITHM_KEY 2 V If the KEK key packet is included, there MUST be only one present in the KD payload. 5.6.2.1. KEK_ALGORITHM_KEY The KEK_ALGORITHM_KEY class declares the encryption key for this SPI is contained in the Key Packet Attribute. The encryption algorithm that will use this key was specified in the SAK payload. If the mode of operation for the algorithm requires an Initialization Vector (IV), an explicit IV MUST be included in the KEK_ALGORITHM_KEY before the actual key. 5.6.2.2. SIG_ALGORITHM_KEY The SIG_ALGORITHM_KEY class declares that the public key for this SPI is contained in the Key Packet Attribute, which may be useful when no public key infrastructure is available. The signature algorithm that will use this key was specified in the SAK payload. 5.6.3. LKH Download Type The LKH key packet is comprised of attributes representing different nodes in the LKH key tree. The following attributes are used to pass an LKH KEK array in the KD payload. The attributes must follow the format defined in ISAKMP (Section 3.3 of [RFC2408]). In the table, attributes defined as TV are marked as Basic (B); attributes defined as TLV are marked as Variable (V). Weis, et al. Expires January 13, 2011 [Page 38] Internet-Draft GDOI July 2010 KEK Class Value Type --------- ----- ---- RESERVED 0 LKH_DOWNLOAD_ARRAY 1 V LKH_UPDATE_ARRAY 2 V SIG_ALGORITHM_KEY 3 V RESERVED 4-127 Private Use 128-255 If an LKH key packet is included in the KD payload, there must be only one present. 5.6.3.1. LKH_DOWNLOAD_ARRAY This attribute is used to download a set of keys to a group member. It MUST NOT be included in a GROUPKEY-PUSH message KD payload if the GROUPKEY-PUSH is sent to more than the group member. If an LKH_DOWNLOAD_ARRAY attribute is included in a KD payload, there must be only one present. This attribute consists of a header block, followed by one or more LKH keys. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! LKH Version ! # of LKH Keys ! RESERVED ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! LKH Keys ! ~ ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ The KEK_LKH attribute fields are defined as follows: o LKH version (1 octet) -- Version of the LKH data format. Must be one. o Number of LKH Keys (2 octets) -- This value is the number of distinct LKH keys in this sequence. o RESERVED (1 octet) -- Unused, set to zero. Each LKH Key is defined as follows: Weis, et al. Expires January 13, 2011 [Page 39] Internet-Draft GDOI July 2010 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! LKH ID ! Key Type ! RESERVED ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~ Key Creation Date ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~ Key expiration Date ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~ Key Handle ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! ! ~ Key Data ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ o LKH ID (2 octets) -- Identity of the LKH node. A GCKS is free to choose the ID in an implementation-specific manner (e.g., the position of this key in a binary tree structure used by LKH). o Key Type (1 octet) -- Encryption algorithm for which this key data is to be used. This value is specified in Section 5.3.3. o RESERVED (1 octet) -- Unused, set to zero. o Key Creation Date (4 octets) -- Time value of when this key data was originally generated. A time value of zero indicates that there is no time before which this key is not valid. o Key Expiration Date (4 octets) -- Time value of when this key is no longer valid for use. A time value of zero indicates that this key does not have an expiration time. o Key Handle (4 octets) -- Value assigned by the GCKS to uniquely identify a key within an LKH ID. Each new key distributed by the GCKS for this node will have a key handle identity distinct from previous or successive key handles specified for this node. o Key Data (variable length) -- Key data, which is dependent on the Key Type algorithm for its format. If the mode of operation for the algorithm requires an Initialization Vector (IV), an explicit IV MUST be included in the Key Data field prepended to the actual key. The Key Creation Date and Key expiration Dates MAY be zero. This is necessary in the case where time synchronization within the group is not possible. The first LKH Key structure in an LKH_DOWNLOAD_ARRAY attribute contains the Leaf identifier and key for the group member. The rest Weis, et al. Expires January 13, 2011 [Page 40] Internet-Draft GDOI July 2010 of the LKH Key structures contain keys along the path of the key tree in order from the leaf, culminating in the group KEK. 5.6.3.2. LKH_UPDATE_ARRAY This attribute is used to update the keys for a group. It is most likely to be included in a GROUPKEY-PUSH message KD payload to rekey the entire group. This attribute consists of a header block, followed by one or more LKH keys, as defined in the previous section. There may be any number of UPDATE_ARRAY attributes included in a KD payload. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! LKH Version ! # of LKH Keys ! RESERVED ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! LKH ID ! RESERVED2 ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! Key Handle ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! LKH Keys ! ~ ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ o LKH version (1 octet) -- Version of the LKH data format. Must be one. o Number of LKH Keys (2 octets) -- Number of distinct LKH keys in this sequence. o RESERVED (1 octet) -- Unused, set to zero. o LKH ID (2 octets) -- Node identifier associated with the key used to encrypt the first LKH Key. o RESERVED2 (2 octets) -- Unused, set to zero. o Key Handle (4 octets) -- Value assigned by the GCKS to uniquely identify the key within the LKH ID used to encrypt the first LKH Key. The LKH Keys are as defined in the previous section. The LKH Key structures contain keys along the path of the key tree in order from the LKH ID found in the LKH_UPDATE_ARRAY header, culminating in the group KEK. The Key Data field of each LKH Key is encrypted with the LKH key preceding it in the LKH_UPDATE_ARRAY attribute. The first Weis, et al. Expires January 13, 2011 [Page 41] Internet-Draft GDOI July 2010 LKH Key is encrypted under the key defined by the LKH ID and Key Handle found in the LKH_UPDATE_ARRAY header. 5.6.3.3. SIG_ALGORITHM_KEY The SIG_ALGORITHM_KEY class declares that the public key for this SPI is contained in the Key Packet Attribute, which may be useful when no public key infrastructure is available. The signature algorithm that will use this key was specified in the SAK payload. 5.7. Sequence Number Payload The Sequence Number Payload (SEQ) provides an anti-replay protection for GROUPKEY-PUSH messages. Its use is similar to the Sequence Number field defined in the IPsec ESP protocol [RFC4303]. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! Next Payload ! RESERVED ! Payload Length ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! Sequence Number ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ The Sequence Number Payload fields are defined as follows: o Next Payload (1 octet) -- Identifier for the payload type of the next payload in the message. If the current payload is the last in the message, then this field will be zero. o RESERVED (1 octet) -- Unused, set to zero. o Payload Length (2 octets) -- Length in octets of the current payload, including the generic payload header. o Sequence Number (4 octets) -- This field contains a monotonically increasing counter value for the group. It is initialized to zero by the GCKS, and incremented in each subsequently-transmitted message. Thus the first packet sent for a given Rekey SA will have a Sequence Number of 1. The GDOI implementation keeps a sequence counter as an attribute for the Rekey SA and increments the counter upon receipt of a GROUPKEY-PUSH message. The current value of the sequence number must be transmitted to group members as a part of the Registration SA payload. A group member must keep a sliding receive window. The window must be treated as in the ESP protocol [RFC4303] Section 3.4.3. Weis, et al. Expires January 13, 2011 [Page 42] Internet-Draft GDOI July 2010 5.8. Nonce The data portion of the Nonce payload (i.e., Ni_b and Nr_b included in the HASHs) MUST be a value between 8 and 128 bytes. Weis, et al. Expires January 13, 2011 [Page 43] Internet-Draft GDOI July 2010 6. Algorithm Selection For GDOI implementations to interoperate, they must support one or more security algorithms in common. This section specifies the security algorithm implementation requirements for standards- conformant GDOI implementations. In call cases the choices are intended to maintain at least 112 bits of security [SP.800-131]. Algorithms not referenced in this section can also be used. 6.1. KEK These tables list the algorithm selections for values related to the KEK. Requirement KEK Management Algorithm ----------- --------------------- SHOULD LKH Requirement KEK Algorithm (notes) ----------- --------------------- MUST KEK_ALG_AES with 128-bit keys SHOULD NOT KEK_ALG_DES (1) Requirement KEK Signature Hash Algorithm (notes) ----------- ------------------------------------ MUST SIG_HASH_SHA256 SHOULD SIG_HASH_SHA1 (2) SHOULD NOT SIG_HASH_MD5 (3) Requirement KEK Signature Algorithm (notes) ----------- ------------------------------- MUST SIG_ALG_RSA with 2048-bit keys Notes: (1) DES, with its small key size and corresponding security strength is of questionable security for general use (2) The use of SIG_HASH_SHA1 as a signature hash algorithm used with GROUPKEY-PUSH messages remains safe at the time of this writing, and is a widely deployed signature hash algorithm. (3) Although a real weakness with second preimage resistance with MD5 has not been found at the time of this writing, the security strength of MD5 has been shown to be rapidly declining over time and it's use should be understood and carefully weighed. Weis, et al. Expires January 13, 2011 [Page 44] Internet-Draft GDOI July 2010 6.2. TEK The following table lists the requirements for Security Protocol support for an implementation. Requirement KEK Management Algorithm ----------- --------------------- MUST GDOI_PROTO_IPSEC_ESP Weis, et al. Expires January 13, 2011 [Page 45] Internet-Draft GDOI July 2010 7. Security Considerations GDOI is a security association (SA) management protocol for groups of senders and receivers. Unlike a data security protocol, SA management includes a key establishment protocol to securely establish keys at communication endpoints. This protocol performs entity authentication of the GDOI member or Group Controller/Key Server (GCKS), it provides confidentiality of key management messages, and it provides source authentication of those messages. This protocol also uses best-known practices for defense against man- in-middle, connection hijacking, replay, reflection, and denial-of- service (DOS) attacks on unsecured networks [STS], [RFC2522], [SKEME]. GDOI assumes the network is not secure and may be under the complete control of an attacker. GDOI assumes that the host computer is secure even though the network is insecure. GDOI ultimately establishes keys among members of a group, which MUST be trusted to use those keys in an authorized manner according to group policy. The security of GDOI, therefore, is as good as the degree to which group members can be trusted to protect authenticators, encryption keys, decryption keys, and message authentication keys. There are three phases of GDOI as described in this document: an ISAKMP Phase 1 protocol, a new exchange called GROUPKEY-PULL which is protected by the ISAKMP Phase 1 protocol, and a new message called GROUPKEY-PUSH. Each phase is considered separately below. 7.1. ISAKMP Phase 1 As described in this document, GDOI uses the Phase 1 exchanges defined in [RFC2409] to protect the GROUPKEY-PULL exchange. Therefore all security properties and considerations of those exchanges (as noted in [RFC2409]) are relevant for GDOI. GDOI may inherit the problems of its ancestor protocols [FS00], such as identity exposure, absence of unidirectional authentication, or stateful cookies [PK01]. GDOI could benefit, however, from improvements to its ancestor protocols just as it benefits from years of experience and work embodied in those protocols. To reap the benefits of future IKE improvements, however, GDOI would need to be revised in a future standards-track RFC, which is beyond the scope of this specification. 7.1.1. Authentication Authentication is provided via the mechanisms defined in [RFC2409], namely Pre-Shared Keys or Public Key encryption. Weis, et al. Expires January 13, 2011 [Page 46] Internet-Draft GDOI July 2010 7.1.2. Confidentiality Confidentiality is achieved in Phase 1 through a Diffie-Hellman exchange that provides keying material, and through negotiation of encryption transforms. The Phase 1 protocol will be protecting encryption and integrity keys sent in the GROUPKEY-PULL protocol. The strength of the encryption used for Phase 1 SHOULD exceed that of the keys send in the GROUPKEY- PULL protocol. 7.1.3. Man-in-the-Middle Attack Protection A successful man-in-the-middle or connection-hijacking attack foils entity authentication of one or more of the communicating entities during key establishment. GDOI relies on Phase 1 authentication to defeat man-in-the-middle attacks. 7.1.4. Replay/Reflection Attack Protection In a replay/reflection attack, an attacker captures messages between GDOI entities and subsequently forwards them to a GDOI entity. Replay and reflection attacks seek to gain information from a subsequent GDOI message response or seek to disrupt the operation of a GDOI member or GCKS entity. GDOI relies on the Phase 1 nonce mechanism in combination with a hash-based message authentication code to protect against the replay or reflection of previous key management messages. 7.1.5. Denial of Service Protection A denial of service attacker sends messages to a GDOI entity to cause that entity to perform unneeded message authentication operations. GDOI uses the Phase 1 cookie mechanism to identify spurious messages prior to cryptographic hash processing. This is a "weak" form of denial of service protection in that the GDOI entity must check for good cookies, which can be successfully imitated by a sophisticated attacker. The Phase 1 cookie mechanism is stateful, and commits memory resources for cookies, but stateless cookies are a better defense against denial of service attacks. 7.2. GROUPKEY-PULL Exchange The GROUPKEY-PULL exchange allows a group member to request SAs and keys from a GCKS. It runs as a "phase 2" protocol under protection of the Phase 1 security association. Weis, et al. Expires January 13, 2011 [Page 47] Internet-Draft GDOI July 2010 7.2.1. Authentication Peer authentication is not required in the GROUPKEY-PULL protocol. It is running in the context of the Phase 1 protocol, which has previously authenticated the identity of the peer. Message authentication is provided by HASH payloads in each message, where the HASH is defined to be over SKEYID_a (derived in the Phase 1 exchange), the ISAKMP Message-ID, and all payloads in the message. Because only the two endpoints of the exchange know the SKEYID_a value, this provides confidence that the peer sent the message. 7.2.2. Confidentiality Confidentiality is provided by the Phase 1 security association, after the manner described in [RFC2409]. 7.2.3. Man-in-the-Middle Attack Protection Message authentication (described above) includes a secret known only to the group member and GCKS when constructing a HASH payload. This prevents man-in-the-middle and connection-hijacking attacks because an attacker would not be able to change the message undetected. 7.2.4. Replay/Reflection Attack Protection Nonces provide freshness of the GROUPKEY-PULL exchange. The group member and GCKS exchange nonce values first two messages. These nonces are included in subsequent HASH payload calculations. The Group member and GCKS MUST NOT perform any computationally expensive tasks before receiving a HASH with its own nonce included. The GCKS MUST NOT update the group management state (e.g., LKH key tree) until it receives the third message in the exchange with a valid HASH payload including its own nonce. Implementations SHOULD keep a record of recently received GROUPKEY- PULL messages and reject messages that have already been processed. This enables an early discard of the replayed messages. 7.2.5. Denial of Service Protection A GROUPKEY-PULL message identifies its messages using a cookie pair from the Phase 1 exchange that precedes it. The cookies provide a weak form of denial of service protection as described above, in the sense that a GROUPKEY-PULL message with invalid cookies will be discarded. The replay protection mechanisms described above provide the basis Weis, et al. Expires January 13, 2011 [Page 48] Internet-Draft GDOI July 2010 for denial of service protection. 7.2.6. Authorization A GCKS implementation should maintain an authorization list of authorized group members. Group members will specifically list each authorized GCKS in its Group Peer Authorization Database (GPAD) [RFC5374]. 7.3. GROUPKEY-PUSH Exchange The GROUPKEY-PUSH exchange is a single message that allows a GCKS to send SAs and keys to group members. This is likely to be sent to all members using an IP multicast group. This provides an efficient rekey and group membership adjustment capability. 7.3.1. Authentication The GROUPKEY-PULL exchange identifies a public key that is used for message authentication. The GROUPKEY-PUSH message is digitally signed using the corresponding private key held by the GCKS or its delegate. This digital signature provides source authentication for the message. Thus, GDOI protects the GCKS from impersonation in group environments. 7.3.2. Confidentiality The GCKS encrypts the GROUPKEY-PUSH message with an encryption key that was established by the GROUPKEY-PULL exchange. 7.3.3. Man-in-the-Middle Attack Protection This combination of confidentiality and message authentication services protects the GROUPKEY-PUSH message from man-in-middle and connection-hijacking attacks. 7.3.4. Replay/Reflection Attack Protection The GROUPKEY-PUSH message includes a monotonically increasing sequence number to protect against replay and reflection attacks. A group member will recognize a replayed message by comparing the sequence number to a sliding window, in the same manner as the ESP protocol uses sequence numbers. Implementations SHOULD keep a record of recently received GROUPKEY- PUSH messages and reject duplicate messages. This enables an early discard of the replayed messages. Weis, et al. Expires January 13, 2011 [Page 49] Internet-Draft GDOI July 2010 7.3.5. Denial of Service Protection A cookie pair identifies the security association for the GROUPKEY- PUSH message. The cookies thus serve as a weak form of denial-of- service protection for the GROUPKEY-PUSH message. The digital signature used for message authentication has a much greater computational cost than a message authentication code and could amplify the effects of a denial of service attack on GDOI members who process GROUPKEY-PUSH messages. The added cost of digital signatures is justified by the need to prevent GCKS impersonation: If a shared symmetric key were used for GROUPKEY-PUSH message authentication, then GCKS source authentication would be impossible and any member would be capable of GCKS impersonation. The potential of the digital signature amplifying a denial of service attack is mitigated by the order of operations a group member takes, where the least expensive cryptographic operation is performed first. The group member first decrypts the message using a symmetric cipher. If it is a validly formed message then the sequence number is checked against the replay window. Only if the sequence number is valid is the digital signature verified. Thus in order for a denial of service attack to be mounted, an attacker would need to know both the symmetric encryption key used for confidentiality, and a valid sequence number. Generally speaking this means only current group members can effectively deploy a denial of service attack. 7.3.6. Forward Access Control If a group management algorithm (such as LKH) is used, forward access control may not be ensured in some cases. This can happen if some group members are denied access to the group in the same GROUPKEY- PUSH message as new policy and TEKs are delivered to the group. As discussed in Section 1.5.1, forward access control can be maintained by sending multiple GROUPKEY-PUSH messages, where the group membership changes are sent from the GCKS separate from the new policy and TEKs. Weis, et al. Expires January 13, 2011 [Page 50] Internet-Draft GDOI July 2010 8. IANA Considerations This memo requests IANA to make several additions to existing registries, and to add sever new GDOI registries. When the new registries are added, the following terms are to be applied as described in the Guidelines for Writing an IANA Considerations Section in RFCs [RFC5226]: Standards Action, and Private Use. 8.1. Additions to current registries The GDOI KEK Attribute named SIG_HASH_ALGORITHM [GDOI-REG] should be assigned several new Algorithm Type values from the RESERVED space to represent the SHA-256, SHA-384, and SHA-512 hash algorithms as defined in [FIPS.180-2.2002]. The new algorithm names should be SIG_HASH_SHA256, SIG_HASH_SHA384, and SIG_HASH_SHA512 respectively and have the values of TBD-2, TBD-3, and TBD-4 respectively. The GDOI KEK Attributed named SIG_ALGORITHM [GDOI-REG] should be assigned a new Algorithm Type value from the RESERVED space to represent the RSA PSS encoding type. The new algorithm name should be SIG_ALG_RSA_PSS, and has the value of TBD-6. A new GDOI SA TEK type Protocol-ID type [GDOI-REG] should be assigned from the RESERVED space. The new algorithm id should be called GDOI_PROTO_IPSEC_AH, refers to the IPsec AH encapsulation, and has a value of TBD-5. A new Next Payload Type [ISAKMP-REG] should be assigned. The new type is called "SA Group Associated Policy (GAP)", and has a value of TBD-1. 8.2. New registries A new namespace should be created in the GDOI Payloads registry [GDOI-REG] to describe SA GAP Payload Values. The following rules apply to define the attributes in SA SSA Payload Values: Attribute Type Value Type ---- ----- ---- RESERVED 0 ACTIVATION_TIME_DELAY 1 B DEACTIVATION_TIME_DELAY 2 B SENDER_ID 3 V Standards Action 4-127 Private Use 128-255 A new IPsec Security Association Attribute [ISAKMP-REG] defining the preservation of IP addresses is needed. The attribute class is Weis, et al. Expires January 13, 2011 [Page 51] Internet-Draft GDOI July 2010 called "Address Preservation", and it is a Basic type. The following rules apply to define the values of the attribute: Name Value ---- ----- Reserved 0 None 1 Source-Only 2 Destination-Only 3 Source-And-Destination 4 Standards Action 5-61439 Private Use 61440-65535 A new IPsec Security Association Attribute [ISAKMP-REG] defining the SA direction is needed. The attribute class is called "SA Direction", and it is a Basic type. The following rules apply to define the values of the attribute: Name Value ---- ----- Reserved 0 Sender-Only 1 Receiver-Only 2 Symmetric 3 Standards Action 4-61439 Private Use 61440-65535 Weis, et al. Expires January 13, 2011 [Page 52] Internet-Draft GDOI July 2010 9. Acknowledgements This text updates RFC 3547, and the authors with to thank Mark Baugher and Hugh Harney for their extensive contributions. The authors are grateful to Catherine Meadows for her careful review and suggestions for mitigating the man-in-the-middle attack she had previously identified. Yoav Nir provided many useful technical and editorial comments and suggestions for improvement. Weis, et al. Expires January 13, 2011 [Page 53] Internet-Draft GDOI July 2010 10. References 10.1. Normative References [I-D.ietf-msec-ipsec-group-counter-modes] McGrew, D. and B. Weis, "Using Counter Modes with Encapsulating Security Payload (ESP) and Authentication Header (AH) to Protect Group Traffic", draft-ietf-msec-ipsec-group-counter-modes-05 (work in progress), March 2010. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 4303, December 2005. [RFC4306] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol", RFC 4306, December 2005. [RFC5374] Weis, B., Gross, G., and D. Ignjatic, "Multicast Extensions to the Security Architecture for the Internet Protocol", RFC 5374, November 2008. 10.2. Informative References [FIPS.180-2.2002] National Institute of Standards and Technology, "Secure Hash Standard", FIPS PUB 180-2, August 2002, . [FIPS186-3] "Digital Signature Standard (DSS)", United States of America, National Institute of Science and Technology Federal Information Processing Standard (FIPS) 186-2, June 2009. [FIPS197] "Advanced Encryption Standard (AES)", United States of America, National Institute of Science and Technology Federal Information Processing Standard (FIPS) 197, November 2001. [FIPS46-3] "Data Encryption Standard (DES)", United States of America, National Institute of Science and Technology Federal Information Processing Standard (FIPS) 46-3, October 1999. Weis, et al. Expires January 13, 2011 [Page 54] Internet-Draft GDOI July 2010 [FIPS81] "DES Modes of Operation", United States of America, National Institute of Science and Technology Federal Information Processing Standard (FIPS) 81, December 1980. [FS00] Ferguson, N. and B. Schneier, Counterpane, "A Cryptographic Evaluation of IPsec", . [GDOI-REG] Internet Assigned Numbers Authority, "Group Domain of Interpretation (GDOI) Payload Type Values", IANA Registry, December 2004, . [I-D.weis-gdoi-mac-tek] Weis, B. and S. Rowles, "GDOI Generic Message Authentication Code Policy", draft-weis-gdoi-mac-tek-01 (work in progress), June 2010. [ISAKMP-REG] "'Magic Numbers' for ISAKMP Protocol", . [MP04] Meadows, C. and D. Pavlovic, "Deriving, Attacking, and Defending the GDOI Protocol", ESORICS 2004 pp. 53-72, September 2004. [NNL] Naor, D., Noal, M., and J. Lotspiech, "Revocation and Tracing Schemes for Stateless Receivers", Advances in Cryptology, Crypto '01, Springer-Verlag LNCS 2139, 2001, pp. 41-62, 2001, . [OFT] McGrew, D. and A. Sherman, "Key Establishment in Large Dynamic Groups Using One-Way Function Trees", Manuscript, submitted to IEEE Transactions on Software Engineering, 1998, . [PK01] Perlman, R. and C. Kaufman, "Analysis of the IPsec Key Exchange Standard", WET-ICE conference , 2001, . [RFC2403] Madson, C. and R. Glenn, "The Use of HMAC-MD5-96 within ESP and AH", RFC 2403, November 1998. [RFC2404] Madson, C. and R. Glenn, "The Use of HMAC-SHA-1-96 within ESP and AH", RFC 2404, November 1998. Weis, et al. Expires January 13, 2011 [Page 55] Internet-Draft GDOI July 2010 [RFC2407] Piper, D., "The Internet IP Security Domain of Interpretation for ISAKMP", RFC 2407, November 1998. [RFC2408] Maughan, D., Schneider, M., and M. Schertler, "Internet Security Association and Key Management Protocol (ISAKMP)", RFC 2408, November 1998. [RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange (IKE)", RFC 2409, November 1998. [RFC2522] Karn, P. and W. Simpson, "Photuris: Session-Key Management Protocol", RFC 2522, March 1999. [RFC2627] Wallner, D., Harder, E., and R. Agee, "Key Management for Multicast: Issues and Architectures", RFC 2627, June 1999. [RFC3447] Jonsson, J. and B. Kaliski, "Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1", RFC 3447, February 2003. [RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V. Jacobson, "RTP: A Transport Protocol for Real-Time Applications", STD 64, RFC 3550, July 2003. [RFC3686] Housley, R., "Using Advanced Encryption Standard (AES) Counter Mode With IPsec Encapsulating Security Payload (ESP)", RFC 3686, January 2004. [RFC3740] Hardjono, T. and B. Weis, "The Multicast Group Security Architecture", RFC 3740, March 2004. [RFC3947] Kivinen, T., Swander, B., Huttunen, A., and V. Volpe, "Negotiation of NAT-Traversal in the IKE", RFC 3947, January 2005. [RFC4046] Baugher, M., Canetti, R., Dondeti, L., and F. Lindholm, "Multicast Security (MSEC) Group Key Management Architecture", RFC 4046, April 2005. [RFC4106] Viega, J. and D. McGrew, "The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP)", RFC 4106, June 2005. [RFC4301] Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, December 2005. [RFC4309] Housley, R., "Using Advanced Encryption Standard (AES) CCM Mode with IPsec Encapsulating Security Payload (ESP)", Weis, et al. Expires January 13, 2011 [Page 56] Internet-Draft GDOI July 2010 RFC 4309, December 2005. [RFC4430] Sakane, S., Kamada, K., Thomas, M., and J. Vilhuber, "Kerberized Internet Negotiation of Keys (KINK)", RFC 4430, March 2006. [RFC4543] McGrew, D. and J. Viega, "The Use of Galois Message Authentication Code (GMAC) in IPsec ESP and AH", RFC 4543, May 2006. [RFC4754] Fu, D. and J. Solinas, "IKE and IKEv2 Authentication Using the Elliptic Curve Digital Signature Algorithm (ECDSA)", RFC 4754, January 2007. [RFC4868] Kelly, S. and S. Frankel, "Using HMAC-SHA-256, HMAC-SHA- 384, and HMAC-SHA-512 with IPsec", RFC 4868, May 2007. [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 5226, May 2008. [RFC5903] Fu, D. and J. Solinas, "Elliptic Curve Groups modulo a Prime (ECP Groups) for IKE and IKEv2", RFC 5903, June 2010. [SKEME] Krawczyk, H., "SKEME: A Versatile Secure Key Exchange Mechanism for Internet", ISOC Secure Networks and Distributed Systems Symposium San Diego, 1996. [SP.800-131] Barker, E. and A. Roginsky, "Recommendation for the Transitioning of Cryptographic Algorithms and Key Lengths", United States of America, National Institute of Science and Technology DRAFT NIST Special Publication 800- 131, June 2010. [SP.800-38A] Dworkin, M., "Recommendation for Block Cipher Modes of Operation", United States of America, National Institute of Science and Technology NIST Special Publication 800-38A 2001 Edition, December 2001. [STS] Diffie, W., Van Oorschot, P., and M. Wiener, "Authentication and Authenticated Key Exchanges", Designs, Codes and Cryptography, 2, 107-125 (1992), Kluwer Academic Publishers, 1992. Weis, et al. Expires January 13, 2011 [Page 57] Internet-Draft GDOI July 2010 Appendix A. Alternate GDOI Phase 1 protocols This section describes a manner in which other protocols could be used as GDOI Phase 1 protocols in place of the ISAKMP Phase 1 protocol. However, they are not specified as a part of this document. A separate document MUST be written in order for another protocol to be used as a GDOI Phase 1 protocol. Other possible phase 1 protocols are also described in [RFC4046]. Any GDOI phase 1 protocol MUST satisfy the requirements specified in Section 2 of this document. A.1. IKEv2 Exchange Version 2 of the IKE protocol (IKEv2) [RFC4306] has been published.That protocol simplifies IKE processing, and combines the two phases of IKE. An IKEv2 Phase 1 negotiates an IPsec SA during phase 1, which was not possible in IKE. However, IKEv2 also defines a phase 2 protocol. The phase 2 protocol is protected by the Phase 1, similar in concept to how IKE Quick Mode is protected by the IKE Phase 1 protocols in [RFC2409]. It would be possible to define GDOI as a phase 2 protocol protected by an IKEv2 initial exchange. Alternatively, it would be possible to define a new protocol re-using some of the IKEv2 initial exchange (e.g., IKE_SA_INIT). A.2. KINK Protocol The Kerberized Internet Negotiation of Keys (KINK) [RFC4430] has defined a method of encapsulating an IKEv1 Quick Mode [RFC2409] encapsulated in Kerberos KRB_AP_REQ and KRB_AP_REP payloads. KINK provides a low-latency, computationally inexpensive, easily managed, and cryptographically sound method of setting up IPsec security associations. The KINK message format includes a GDOI field in the KINK header. The [RFC4430] document defines the DOI for the IPsec DOI. A new DOI for KINK could be defined which would encapsulate a GROUPKEY-PULL exchange in the Kerberos KRB_AP_REQ and KRB_AP_REP payloads. As such, GDOI would benefit from the computational efficiencies of KINK. Weis, et al. Expires January 13, 2011 [Page 58] Internet-Draft GDOI July 2010 Appendix B. Significant Changes from RFC 3547 The following significant changes have been made from RFC 3547. o The Proof of Possession (POP) payload was removed from the GROUPKEY-PULL exchange. It provided an alternate form of authorization, but its use was underspecified. Furthermore, Meadows and Pavlovic [MP04] discussed a man-in-the-middle attack on the POP authorization method, which would require changes to its semantics. No known implementation of RFC 3547 supported the POP payload, so it was removed. Removal of the POP payload obviated the need for the CERT payload in that exchange and it was removed as well. o The Key Exchange Payloads (KE_I, KE_R) payloads were removed from the GROUPKEY-PULL exchange. However, the specification for computing keying material for the additional encryption function in RFC 3547 is faulty. Furthermore, it has been observed that because the GDOI registration message uses strong ciphers and provides authenticated encryption, additional encryption of the keying material in a GDOI registration message provides negligible value. Therefore, the use of KE payloads is deprecated in this memo. o The Certificate Payload (CERT) was removed from the GROUPKEY-PUSH exchange. The use of this payload was underspecified. In all known use cases, the public key of used to verify the GROUPKEY- PUSH payload is distributed directly from the key server as part of the GROUPKEY-PULL exchange. o Supported cryptographic algorithms were changed to meet current guidance. Implementations are required to support AES with 128- bit keys to encrypt the rekey message, and SHA-256 for cryptographic signatures. The use of DES is deprecated. o New protocol support for AH. o New protocol definitions were added to conform to the most recent Security Architecture for the Internet Protocol [RFC4301] and the Multicast Extensions to the Security Architecture for the Internet Protocol[RFC5374]. o New protocol definitions were added to support Using Counter Modes with ESP and AH to Protect Group Traffic[I-D.ietf-msec-ipsec-group-counter-modes]. Weis, et al. Expires January 13, 2011 [Page 59] Internet-Draft GDOI July 2010 Authors' Addresses Brian Weis Cisco Systems 170 W. Tasman Drive San Jose, California 95134-1706 USA Phone: +1-408-526-4796 Email: bew@cisco.com Sheela Rowles Cisco Systems 170 W. Tasman Drive San Jose, California 95134-1706 USA Phone: +1-408-527-7677 Email: sheela@cisco.com Thomas Hardjono MIT 77 Massachusetts Ave. Cambridge, Massachusets 02139 USA Phone: +1-781-729-9559 Email: hardjono@mit.edu Weis, et al. Expires January 13, 2011 [Page 60]