< draft-ietf-ipsecme-g-ikev2-05.txt   draft-ietf-ipsecme-g-ikev2-06.txt >
Network Working Group V. Smyslov Network Working Group V. Smyslov
Internet-Draft ELVIS-PLUS Internet-Draft ELVIS-PLUS
Obsoletes: 6407 (if approved) B. Weis Obsoletes: 6407 (if approved) B. Weis
Intended status: Standards Track Independent Updates: 7296 (if approved) Independent
Expires: September 19, 2022 March 18, 2022 Intended status: Standards Track April 6, 2022
Expires: October 8, 2022
Group Key Management using IKEv2 Group Key Management using IKEv2
draft-ietf-ipsecme-g-ikev2-05 draft-ietf-ipsecme-g-ikev2-06
Abstract Abstract
This document presents an extension to the Internet Key Exchange This document presents an extension to the Internet Key Exchange
version 2 (IKEv2) protocol for the purpose of a group key management. version 2 (IKEv2) protocol for the purpose of a group key management.
The protocol is in conformance with the Multicast Security (MSEC) key The protocol is in conformance with the Multicast Security (MSEC) key
management architecture, which contains two components: member management architecture, which contains two components: member
registration and group rekeying. Both components require a Group registration and group rekeying. Both components require a Group
Controller/Key Server to download IPsec group security associations Controller/Key Server to download IPsec group security associations
to authorized members of a group. The group members then exchange IP to authorized members of a group. The group members then exchange IP
multicast or other group traffic as IPsec packets. This document multicast or other group traffic as IPsec packets. This document
obsoletes RFC 6407. obsoletes RFC 6407. This documents also updates RFC 7296 by renaming
one of transform types defined there.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 19, 2022. This Internet-Draft will expire on October 8, 2022.
Copyright Notice Copyright Notice
Copyright (c) 2022 IETF Trust and the persons identified as the Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 23 skipping to change at page 2, line 25
1.1. Requirements Notation . . . . . . . . . . . . . . . . . . 5 1.1. Requirements Notation . . . . . . . . . . . . . . . . . . 5
1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5
2. G-IKEv2 Protocol . . . . . . . . . . . . . . . . . . . . . . 7 2. G-IKEv2 Protocol . . . . . . . . . . . . . . . . . . . . . . 7
2.1. G-IKEv2 Integration into IKEv2 Protocol . . . . . . . . . 7 2.1. G-IKEv2 Integration into IKEv2 Protocol . . . . . . . . . 7
2.1.1. G-IKEv2 Transport and Port . . . . . . . . . . . . . 7 2.1.1. G-IKEv2 Transport and Port . . . . . . . . . . . . . 7
2.2. G-IKEv2 Payloads . . . . . . . . . . . . . . . . . . . . 8 2.2. G-IKEv2 Payloads . . . . . . . . . . . . . . . . . . . . 8
2.3. G-IKEv2 Member Registration and Secure Channel 2.3. G-IKEv2 Member Registration and Secure Channel
Establishment . . . . . . . . . . . . . . . . . . . . . . 9 Establishment . . . . . . . . . . . . . . . . . . . . . . 9
2.3.1. GSA_AUTH exchange . . . . . . . . . . . . . . . . . . 9 2.3.1. GSA_AUTH exchange . . . . . . . . . . . . . . . . . . 9
2.3.2. GSA_REGISTRATION Exchange . . . . . . . . . . . . . . 11 2.3.2. GSA_REGISTRATION Exchange . . . . . . . . . . . . . . 11
2.3.3. GM Registration Operations . . . . . . . . . . . . . 11 2.3.3. GM Registration Operations . . . . . . . . . . . . . 12
2.3.4. GCKS Registration Operations . . . . . . . . . . . . 14 2.3.4. GCKS Registration Operations . . . . . . . . . . . . 14
2.4. Group Maintenance Channel . . . . . . . . . . . . . . . . 15 2.4. Group Maintenance Channel . . . . . . . . . . . . . . . . 15
2.4.1. GSA_REKEY . . . . . . . . . . . . . . . . . . . . . . 16 2.4.1. GSA_REKEY . . . . . . . . . . . . . . . . . . . . . . 16
2.4.2. GSA_INBAND_REKEY Exchange . . . . . . . . . . . . . . 22 2.4.2. GSA_INBAND_REKEY Exchange . . . . . . . . . . . . . . 22
2.4.3. Deletion of SAs . . . . . . . . . . . . . . . . . . . 22 2.4.3. Deletion of SAs . . . . . . . . . . . . . . . . . . . 22
2.5. Counter-based modes of operation . . . . . . . . . . . . 23 2.5. Counter-based modes of operation . . . . . . . . . . . . 23
2.5.1. Allocation of SIDs . . . . . . . . . . . . . . . . . 24 2.5.1. Allocation of SIDs . . . . . . . . . . . . . . . . . 24
2.5.2. GM Usage of SIDs . . . . . . . . . . . . . . . . . . 25 2.5.2. GM Usage of SIDs . . . . . . . . . . . . . . . . . . 25
3. Group Key Management and Access Control . . . . . . . . . . . 25 2.6. Replay Protection for Multicast Data-Security SAs . . . . 25
3. Group Key Management and Access Control . . . . . . . . . . . 26
3.1. Key Wrap Keys . . . . . . . . . . . . . . . . . . . . . . 26 3.1. Key Wrap Keys . . . . . . . . . . . . . . . . . . . . . . 26
3.1.1. Default Key Wrap Key . . . . . . . . . . . . . . . . 26 3.1.1. Default Key Wrap Key . . . . . . . . . . . . . . . . 27
3.2. GCKS Key Management Semantics . . . . . . . . . . . . . . 27 3.2. GCKS Key Management Semantics . . . . . . . . . . . . . . 27
3.2.1. Forward Access Control Requirements . . . . . . . . . 27 3.2.1. Forward Access Control Requirements . . . . . . . . . 28
3.3. GM Key Management Semantics . . . . . . . . . . . . . . . 28 3.3. GM Key Management Semantics . . . . . . . . . . . . . . . 28
3.4. SA Keys . . . . . . . . . . . . . . . . . . . . . . . . . 30 3.4. SA Keys . . . . . . . . . . . . . . . . . . . . . . . . . 30
4. Header and Payload Formats . . . . . . . . . . . . . . . . . 30 4. Header and Payload Formats . . . . . . . . . . . . . . . . . 31
4.1. G-IKEv2 Header . . . . . . . . . . . . . . . . . . . . . 30 4.1. G-IKEv2 Header . . . . . . . . . . . . . . . . . . . . . 31
4.2. Group Identification Payload . . . . . . . . . . . . . . 30 4.2. Group Identification Payload . . . . . . . . . . . . . . 31
4.3. Security Association - GM Supported Transforms Payload . 31 4.3. Security Association - GM Supported Transforms Payload . 31
4.4. Group Security Association Payload . . . . . . . . . . . 31 4.4. Group Security Association Payload . . . . . . . . . . . 32
4.4.1. Group Policies . . . . . . . . . . . . . . . . . . . 31 4.4.1. Group Policies . . . . . . . . . . . . . . . . . . . 32
4.4.2. Group Security Association Policy Substructure . . . 32 4.4.2. Group Security Association Policy Substructure . . . 33
4.4.3. Group Associated Policy Substructure . . . . . . . . 39 4.4.3. Group Associated Policy Substructure . . . . . . . . 40
4.5. Key Download Payload . . . . . . . . . . . . . . . . . . 41 4.5. Key Download Payload . . . . . . . . . . . . . . . . . . 42
4.5.1. Wrapped Key Format . . . . . . . . . . . . . . . . . 41 4.5.1. Wrapped Key Format . . . . . . . . . . . . . . . . . 42
4.5.2. Group Key Packet Substructure . . . . . . . . . . . . 43 4.5.2. Group Key Packet Substructure . . . . . . . . . . . . 44
4.5.3. Member Key Packet Substructure . . . . . . . . . . . 45 4.5.3. Member Key Packet Substructure . . . . . . . . . . . 46
4.6. Delete Payload . . . . . . . . . . . . . . . . . . . . . 47 4.6. Delete Payload . . . . . . . . . . . . . . . . . . . . . 48
4.7. Notify Payload . . . . . . . . . . . . . . . . . . . . . 47 4.7. Notify Payload . . . . . . . . . . . . . . . . . . . . . 48
4.7.1. USE_TRANSPORT_MODE Notification . . . . . . . . . . . 48 4.7.1. USE_TRANSPORT_MODE Notification . . . . . . . . . . . 49
4.8. Authentication Payload . . . . . . . . . . . . . . . . . 49 4.8. Authentication Payload . . . . . . . . . . . . . . . . . 50
5. Usigng G-IKEv2 Attributes . . . . . . . . . . . . . . . . . . 49 5. Usigng G-IKEv2 Attributes . . . . . . . . . . . . . . . . . . 50
6. Interaction with other IKEv2 Protocol Extensions . . . . . . 51 6. Interaction with other IKEv2 Protocol Extensions . . . . . . 52
6.1. Mixing Preshared Keys in IKEv2 for Post-quantum Security 52 6.1. Mixing Preshared Keys in IKEv2 for Post-quantum Security 53
7. Security Considerations . . . . . . . . . . . . . . . . . . . 54 7. Security Considerations . . . . . . . . . . . . . . . . . . . 55
7.1. GSA Registration and Secure Channel . . . . . . . . . . . 54 7.1. GSA Registration and Secure Channel . . . . . . . . . . . 55
7.2. GSA Maintenance Channel . . . . . . . . . . . . . . . . . 54 7.2. GSA Maintenance Channel . . . . . . . . . . . . . . . . . 55
7.2.1. Authentication/Authorization . . . . . . . . . . . . 54 7.2.1. Authentication/Authorization . . . . . . . . . . . . 55
7.2.2. Confidentiality . . . . . . . . . . . . . . . . . . . 54 7.2.2. Confidentiality . . . . . . . . . . . . . . . . . . . 55
7.2.3. Man-in-the-Middle Attack Protection . . . . . . . . . 55 7.2.3. Man-in-the-Middle Attack Protection . . . . . . . . . 55
7.2.4. Replay/Reflection Attack Protection . . . . . . . . . 55 7.2.4. Replay/Reflection Attack Protection . . . . . . . . . 55
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 55 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 56
8.1. New Registries . . . . . . . . . . . . . . . . . . . . . 55 8.1. New Registries . . . . . . . . . . . . . . . . . . . . . 56
8.2. Changes in the Existing IKEv2 Registries . . . . . . . . 57 8.2. Changes in the Existing IKEv2 Registries . . . . . . . . 57
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 58 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 59
10. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 58 10. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 60
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 59 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 60
11.1. Normative References . . . . . . . . . . . . . . . . . . 59 11.1. Normative References . . . . . . . . . . . . . . . . . . 60
11.2. Informative References . . . . . . . . . . . . . . . . . 60 11.2. Informative References . . . . . . . . . . . . . . . . . 61
Appendix A. Use of LKH in G-IKEv2 . . . . . . . . . . . . . . . 63 Appendix A. Use of LKH in G-IKEv2 . . . . . . . . . . . . . . . 65
A.1. Notation . . . . . . . . . . . . . . . . . . . . . . . . 63 A.1. Notation . . . . . . . . . . . . . . . . . . . . . . . . 65
A.2. Group Creation . . . . . . . . . . . . . . . . . . . . . 64 A.2. Group Creation . . . . . . . . . . . . . . . . . . . . . 65
A.3. Simple Group SA Rekey . . . . . . . . . . . . . . . . . . 65 A.3. Simple Group SA Rekey . . . . . . . . . . . . . . . . . . 66
A.4. Group Member Exclusion . . . . . . . . . . . . . . . . . 65 A.4. Group Member Exclusion . . . . . . . . . . . . . . . . . 66
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 66 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 68
1. Introduction and Overview 1. Introduction and Overview
A group key management protocol provides IPsec keys and policy to a A group key management protocol provides IPsec keys and policy to a
set of IPsec devices which are authorized to communicate using a set of IPsec devices which are authorized to communicate using a
Group Security Association (GSA) defined in [RFC3740]. The data Group Security Association (GSA) defined in [RFC3740]. The data
communications within the group (e.g., IP multicast packets) are communications within the group (e.g., IP multicast packets) are
protected by a key pushed to the group members (GMs) by the Group protected by a key pushed to the group members (GMs) by the Group
Controller/Key Server (GCKS). This document presents an extension to Controller/Key Server (GCKS). This document presents an extension to
IKEv2 [RFC7296] called G-IKEv2, that allows to perform a group key IKEv2 [RFC7296] called G-IKEv2, that allows to perform a group key
skipping to change at page 8, line 5 skipping to change at page 8, line 7
G-IKEv2 SHOULD use UDP port 848, the same as GDOI [RFC6407], because G-IKEv2 SHOULD use UDP port 848, the same as GDOI [RFC6407], because
they serve a similar function. They can use the same ports, just as they serve a similar function. They can use the same ports, just as
IKEv1 and IKEv2 can share port 500. The version number in the IKE IKEv1 and IKEv2 can share port 500. The version number in the IKE
header distinguishes the G-IKEv2 protocol from GDOI protocol header distinguishes the G-IKEv2 protocol from GDOI protocol
[RFC6407]. G-IKEv2 MAY also use the IKEv2 ports (500, 4500), which [RFC6407]. G-IKEv2 MAY also use the IKEv2 ports (500, 4500), which
would provide a better integration with IKEv2. G-IKEv2 MAY also use would provide a better integration with IKEv2. G-IKEv2 MAY also use
TCP transport for registration (unicast) IKE SA, as defined in TCP transport for registration (unicast) IKE SA, as defined in
[RFC8229]. [RFC8229].
Section 2.23 of [RFC7296] describes how IKEv2 deals with NATs.
Despite the fact, that with G-IKEv2 the registration SA doesn't
create any unicast IPsec SAs and thus there is no unicast ESP traffic
between the GM and the GCKS to encapsulate in UDP if NAT is present,
the actions described in this section concerned with the IKE SA MUST
be honored. If the GM and the GCKS used UDP port 848 for the
IKE_SA_INIT exchange, they MUST behave as if they used UDP port 500.
2.2. G-IKEv2 Payloads 2.2. G-IKEv2 Payloads
In the following descriptions, the payloads contained in the G-IKEv2 In the following descriptions, the payloads contained in the G-IKEv2
messages are indicated by names as listed below. messages are indicated by names as listed below.
Notation Payload Notation Payload
------------------------------------------------------------ ------------------------------------------------------------
AUTH Authentication AUTH Authentication
CERT Certificate CERT Certificate
CERTREQ Certificate Request CERTREQ Certificate Request
skipping to change at page 8, line 34 skipping to change at page 8, line 44
N Notify N Notify
SA Security Association SA Security Association
SAg Security Association - GM Supported Transforms SAg Security Association - GM Supported Transforms
Payloads defined as part of other IKEv2 extensions MAY also be Payloads defined as part of other IKEv2 extensions MAY also be
included in these messages. Payloads that may optionally appear in included in these messages. Payloads that may optionally appear in
G-IKEv2 messages will be shown in brackets, such as [CERTREQ]. G-IKEv2 messages will be shown in brackets, such as [CERTREQ].
G-IKEv2 defines several new payloads not used in IKEv2: G-IKEv2 defines several new payloads not used in IKEv2:
o IDg (Group ID) - The GM requests the GCKS for membership into the o IDg (Group ID) -- The GM requests the GCKS for membership into the
group by sending its IDg payload. group by sending its IDg payload.
o GSA (Group Security Association) - The GCKS sends the group policy o GSA (Group Security Association) -- The GCKS sends the group
to the GM using this payload. policy to the GM using this payload.
o KD (Key Download) - The GCKS sends the keys and the security o KD (Key Download) -- The GCKS sends the keys and the security
parameters to the GMs using the KD payload. parameters to the GMs using the KD payload.
o SAg (Security Association - GM Supported Transforms) - the GM o SAg (Security Association -- GM Supported Transforms) -- the GM
sends supported transforms, so that GCKS may select a policy sends supported transforms, so that GCKS may select a policy
appropriate for all members of the group. appropriate for all members of the group.
The details of the contents of each payload are described in The details of the contents of each payload are described in
Section 4. Section 4.
2.3. G-IKEv2 Member Registration and Secure Channel Establishment 2.3. G-IKEv2 Member Registration and Secure Channel Establishment
The registration protocol consists of a minimum of two exchanges, The registration protocol consists of a minimum of two exchanges,
IKE_SA_INIT and GSA_AUTH; member registration may have a few more IKE_SA_INIT and GSA_AUTH; member registration may have a few more
skipping to change at page 16, line 6 skipping to change at page 16, line 9
The GCKS is responsible for rekeying the secure group per the group The GCKS is responsible for rekeying the secure group per the group
policy. Rekeying is an operation whereby the GCKS provides policy. Rekeying is an operation whereby the GCKS provides
replacement TEKs and KEK, deleting TEKs, and/or excluding group replacement TEKs and KEK, deleting TEKs, and/or excluding group
members. The GCKS may initiate a rekey message if group membership members. The GCKS may initiate a rekey message if group membership
and/or policy has changed, or if the keys are about to expire. Two and/or policy has changed, or if the keys are about to expire. Two
forms of group maintenance channels are provided in G-IKEv2 to push forms of group maintenance channels are provided in G-IKEv2 to push
new policy to group members. new policy to group members.
GSA_REKEY The GSA_REKEY is a pseudo-exchange initiated by the GCKS, GSA_REKEY The GSA_REKEY is a pseudo-exchange initiated by the GCKS,
where the rekey policy is usually delivered to group members using where the rekey policy is usually delivered to group members
IP multicast as a transport. This is not a real IKEv2 exchange, using IP multicast as a transport. This is not a real IKEv2
since no response messages are sent. This method is valuable for exchange, since no response messages are sent. This method is
large and dynamic groups, and where policy may change frequently valuable for large and dynamic groups, and where policy may
and a scalable rekeying method is required. When the GSA_REKEY is change frequently and a scalable rekeying method is required.
used, the IKE SA protecting the member registration exchanges is When the GSA_REKEY is used, the IKE SA protecting the member
usually terminated, and group members await policy changes from registration exchanges is usually terminated, and group members
the GCKS via the GSA_REKEY messages. await policy changes from the GCKS via the GSA_REKEY messages.
GSA_INBAND_REKEY The GSA_INBAND_REKEY is a normal IKEv2 exchange GSA_INBAND_REKEY The GSA_INBAND_REKEY is a normal IKEv2 exchange
using the IKE SA that was setup to protecting the member using the IKE SA that was setup to protecting the member
registration exchange. This exchange allows the GCKS to rekey registration exchange. This exchange allows the GCKS to rekey
without using an independent GSA_REKEY pseudo-exchange. The without using an independent GSA_REKEY pseudo-exchange. The
GSA_INBAND_REKEY exchange provides a reliable policy delivery and GSA_INBAND_REKEY exchange provides a reliable policy delivery
is useful when G-IKEv2 is used with a small group of cooperating and is useful when G-IKEv2 is used with a small group of
devices. cooperating devices.
Depending on its policy the GCKS MAY combine these two methods. For Depending on its policy the GCKS MAY combine these two methods. For
example, it may use the GSA_INBAND_REKEY to deliver key to the GMs in example, it may use the GSA_INBAND_REKEY to deliver key to the GMs in
the group acting as senders (as this would provide reliable keys the group acting as senders (as this would provide reliable keys
delivery), and the GSA_REKEY for the rest GMs. delivery), and the GSA_REKEY for the rest GMs.
2.4.1. GSA_REKEY 2.4.1. GSA_REKEY
The GCKS initiates the G-IKEv2 Rekey securely, usually using IP The GCKS initiates the G-IKEv2 Rekey securely, usually using IP
multicast. Since this rekey does not require a response and it sends multicast. Since this rekey does not require a response and it sends
skipping to change at page 17, line 20 skipping to change at page 17, line 23
If the Data-Security SA is being refreshed in this rekey message, the If the Data-Security SA is being refreshed in this rekey message, the
IPsec keys are updated in the KD, and/or if the rekey SA is being IPsec keys are updated in the KD, and/or if the rekey SA is being
refreshed in this rekey message, the rekey Key or the LKH KEK array refreshed in this rekey message, the rekey Key or the LKH KEK array
is updated in the KD payload. is updated in the KD payload.
A Delete payload MAY be included to instruct the GM to delete A Delete payload MAY be included to instruct the GM to delete
existing SAs. See Section 4.6 for more detail. existing SAs. See Section 4.6 for more detail.
The AUTH payload MUST be included to authenticate the GSA_REKEY The AUTH payload MUST be included to authenticate the GSA_REKEY
message if the authentication method is based on public key message if the authentication method is based on public key
signatures or a dedicated shared secret and MUST NOT be included if signatures and MUST NOT be included if authentication is implicit.
authentication is implicit. In a latter case, the fact that a GM can In the latter case, the fact that a GM can decrypt the GSA_REKEY
decrypt the GSA_REKEY message and verify its ICV proves that the message and verify its ICV proves that the sender of this message
sender of this message knows the current KEK, thus authenticating knows the current KEK, thus authenticating the sender as a member of
that the sender is a member of the group. Shared secret and implicit the group. Note, that implicit authentication doesn't provide source
authentication don't provide source origin authentication. For this origin authentication. For this reason using implicit authentication
reason using implicit authentication for GSA_REKEY is NOT RECOMMENDED for GSA_REKEY is NOT RECOMMENDED unless source origin authentication
unless source origin authentication is not required (for example, in is not required (for example, in a small group of highly trusted
a small group of highly trusted GMs). If AUTH payload is included GMs). The value of the Auth Method field in the AUTH payload in the
then the Auth Method field MUST NOT be NULL Authentication. GSA_REKEY message MUST NOT be NULL Authentication.
During group member registration, the GCKS sends the authentication During group member registration, the GCKS sends the authentication
key in the KD payload, AUTH_KEY attribute, which the group member key in the KD payload, AUTH_KEY attribute, which the group member
uses to authenticate the key server. Before the current uses to authenticate the key server. Before the current
Authentication Key expires, the GCKS will send a new AUTH_KEY to the Authentication Key expires, the GCKS will send a new AUTH_KEY to the
group members in a GSA_REKEY message. The AUTH key that is sent in group members in a GSA_REKEY message. The AUTH key that is sent in
the rekey message may be not the same as the authentication key sent the rekey message may be not the same as the authentication key sent
during the GM registration. If implicit authentication is used, then during the GM registration. If implicit authentication is used, then
AUTH_KEY MUST NOT be sent to GMs. AUTH_KEY MUST NOT be sent to GMs.
skipping to change at page 25, line 35 skipping to change at page 25, line 35
A GM applies the SID to Data-Security SA as follows. A GM applies the SID to Data-Security SA as follows.
o The most significant bits NUMBER_OF_SID_BITS of the IV are taken o The most significant bits NUMBER_OF_SID_BITS of the IV are taken
to be the SID field of the IV. to be the SID field of the IV.
o The SID is placed in the least significant bits of the SID field, o The SID is placed in the least significant bits of the SID field,
where any unused most significant bits are set to zero. If the where any unused most significant bits are set to zero. If the
SID value doesn't fit into the NUMBER_OF_SID_BITS bits, then the SID value doesn't fit into the NUMBER_OF_SID_BITS bits, then the
GM MUST treat this as a fatal error and re-register to the group. GM MUST treat this as a fatal error and re-register to the group.
2.6. Replay Protection for Multicast Data-Security SAs
IPsec provides replay protection as part of its security services.
With multicast extension for IPsec replay protection is not always
possible to acieve (see Section 6.1 of [RFC3740]). In particular, if
there are many group senders for a Data-Security SA, then each of
them will independently incement the Sequence Number field in the ESP
header (see Section 2 of [RFC4303]) thus making impossible for the
group receivers to filter out replayed packets. However, if there is
only one group sender for a a Data-Security SA, then it is possible
to acieve replay protection with some restrictions (see
Section 4.4.2.1.3). The GCKS may create several Data-Security SAs
with the same traffic selectors allowing only a single group sender
in each SA if it is desirable to get replay protection with multiple
(but still limited number) of group senders.
In IPsec architecture assumes that it is a local matter for an IPsec
receiver whether replay protection is active or not. In other words,
an IPsec sender always increments the Sequence Number field in the
ESP header and a receiver decides whether to check for replayed
packets or not. With multicast extension for IPsec this approach
generally isn't applicable, since group members don't know how many
group senders exist for a particular Data-Security SA. For this
reason the status or replay protection must be part of the policy
downloaded to GMs by GCKS.
For this purpose this specification re-uses the Extended Sequence
Numbers transform, defined in Section 3.3.2 [RFC7296]. This
specification renames this transform to "Replay Protection" and adds
a new value for possible Transform IDs: "Not Used" (<TBA by IANA>).
The GCKS MUST include this transform in the GSA payload for every
Data-Security SA. Note, that this specification prohibits using
Extended Sequence Numbers (see Section 4.4.2.1.3).
3. Group Key Management and Access Control 3. Group Key Management and Access Control
Through the G-IKEv2 rekey, G-IKEv2 supports algorithms such as Through the G-IKEv2 rekey, G-IKEv2 supports algorithms such as
Logical Key Hierarchy (LKH) that have the property of denying access Logical Key Hierarchy (LKH) that have the property of denying access
to a new group key by a member removed from the group (forward access to a new group key by a member removed from the group (forward access
control) and to an old group key by a member added to the group control) and to an old group key by a member added to the group
(backward access control). An unrelated notion to PFS, "forward (backward access control). An unrelated notion to PFS, "forward
access control" and "backward access control" have been called access control" and "backward access control" have been called
"perfect forward security" and "perfect backward security" in the "perfect forward security" and "perfect backward security" in the
literature [RFC2627]. literature [RFC2627].
Group management algorithms providing forward and backward access Group management algorithms providing forward and backward access
control other than LKH have been proposed in the literature, control other than LKH have been proposed in the literature,
including OFT [OFT] and Subset Difference [NNL]. These algorithms including OFT [OFT] and Subset Difference [NNL]. These algorithms
could be used with G-IKEv2, but are not specified as a part of this could be used with G-IKEv2, but are not specified as a part of this
document. document.
The Group Key Management Method transform from the GSA policy The Group Key Management Method transform from the GSA policy
specifies how members of the group obtain group keys. This document specifies how members of the group obtain group keys. This document
specifies a single method for the group key management - Wrapped Key specifies a single method for the group key management -- Wrapped Key
Download. This method assumes that all group keys are sent to the Download. This method assumes that all group keys are sent to the
GMs by the GCKS encrypted with some other keys, called Key Wrap Keys GMs by the GCKS encrypted with some other keys, called Key Wrap Keys
(KWK). (KWK).
3.1. Key Wrap Keys 3.1. Key Wrap Keys
Every GM always knows at least one KWK - the KWK that is associated Every GM always knows at least one KWK -- the KWK that is associated
with the IKE SA or multicast Rekey SA the wrapped keys are sent over. with the IKE SA or multicast Rekey SA the wrapped keys are sent over.
In this document it is called default KWK and is denoted as GSK_w. In this document it is called default KWK and is denoted as GSK_w.
The GCKS may also send other keys to GMs that will be used as Key The GCKS may also send other keys to GMs that will be used as Key
Wrap Keys for the purpose of building key hierarchy. Each KWK is Wrap Keys for the purpose of building key hierarchy. Each KWK is
associated with an encryption algorithm from the Encryption Algorithm associated with an encryption algorithm from the Encryption Algorithm
transform used for the SA the key is sent over. The size of a KWK transform used for the SA the key is sent over. The size of a KWK
MUST be of the size of the key for this Encryption Algorithm MUST be of the size of the key for this Encryption Algorithm
transform (taking into consideration the Key Length attribute for transform (taking into consideration the Key Length attribute for
this transform if present). This association persists even if the this transform if present). This association persists even if the
skipping to change at page 27, line 13 skipping to change at page 27, line 47
without null termination. without null termination.
For the multicast Rekey SA the GSK_w is provided along with other SA For the multicast Rekey SA the GSK_w is provided along with other SA
keys as defined in Section 3.4. keys as defined in Section 3.4.
3.2. GCKS Key Management Semantics 3.2. GCKS Key Management Semantics
Wrapped Key Download method allows the GCKS to employ various key Wrapped Key Download method allows the GCKS to employ various key
management methods management methods
o A simple key management methods - when the GCKS always sends group o A simple key management methods -- when the GCKS always sends
SA keys encrypted with the GSK_w. group SA keys encrypted with the GSK_w.
o An LKH key management method - when the GCKS provides each GM with o An LKH key management method -- when the GCKS provides each GM
an individual key at the time of the GM registration (encrypted with an individual key at the time of the GM registration
with GSK_w). Then the GCKS forms an hierarchy of keys so that the (encrypted with GSK_w). Then the GCKS forms an hierarchy of keys
group SA keys are encrypted with other keys which are encrypted so that the group SA keys are encrypted with other keys which are
with other keys and so on, tracing back to the individual GMs' encrypted with other keys and so on, tracing back to the
keys. individual GMs' keys.
Other key policies may also be employed by the GCKS. Other key policies may also be employed by the GCKS.
3.2.1. Forward Access Control Requirements 3.2.1. Forward Access Control Requirements
When group membership is altered using a group management algorithm When group membership is altered using a group management algorithm
new Data-Security SAs and their associated keys are usually also new Data-Security SAs and their associated keys are usually also
needed. New Data-Security SAs and keys ensure that members who were needed. New Data-Security SAs and keys ensure that members who were
denied access can no longer participate in the group. denied access can no longer participate in the group.
skipping to change at page 28, line 22 skipping to change at page 29, line 8
This specification defines a GM Key Management semantics in such a This specification defines a GM Key Management semantics in such a
way, that it doesn't depend on the key management method employed by way, that it doesn't depend on the key management method employed by
the GCKS. This allows having all the complexity of key management in the GCKS. This allows having all the complexity of key management in
the GCKS, which is free to implement various key management methods, the GCKS, which is free to implement various key management methods,
such as direct transmitting of group SA keys or using some kind of such as direct transmitting of group SA keys or using some kind of
key hierarchy (e.g. LKH). For all these policies the GM behavior is key hierarchy (e.g. LKH). For all these policies the GM behavior is
the same. the same.
Each key that a GM receives in G-IKEv2 is identified by a 32-bit Each key that a GM receives in G-IKEv2 is identified by a 32-bit
number called Key ID. Zero Key ID has a special meaning - it always number called Key ID. Zero Key ID has a special meaning -- it always
contains keying material from which the keys for protecting Data- contains keying material from which the keys for protecting Data-
Security SAs and Rekey SA are taken. Security SAs and Rekey SA are taken.
All keys in G-IKEv2 are transmitted in encrypted form, as specified All keys in G-IKEv2 are transmitted in encrypted form, as specified
in Section 4.5.1. This format includes a Key ID (ID of a key that is in Section 4.5.1. This format includes a Key ID (ID of a key that is
encrypted) and a KWK ID (ID of a key that was used to encrypt this encrypted) and a KWK ID (ID of a key that was used to encrypt this
key). Keys may be encrypted either with default KWK (GSK_w) or with key). Keys may be encrypted either with default KWK (GSK_w) or with
other keys, which the GM has received in the WRAP_KEY attributes. If other keys, which the GM has received in the WRAP_KEY attributes. If
a key was encrypted with GSK_w, then the KWK ID field is set to zero, a key was encrypted with GSK_w, then the KWK ID field is set to zero,
otherwise the KWK ID field identifies the key used for encryption. otherwise the KWK ID field identifies the key used for encryption.
skipping to change at page 31, line 4 skipping to change at page 31, line 35
G-IKEv2 uses the same IKE header format as specified in [RFC7296] G-IKEv2 uses the same IKE header format as specified in [RFC7296]
section 3.1. Major Version is 2 and Minor Version is 0 as in IKEv2. section 3.1. Major Version is 2 and Minor Version is 0 as in IKEv2.
IKE SA Initiator's SPI, IKE SA Responder's SPI, Flags, Message ID, IKE SA Initiator's SPI, IKE SA Responder's SPI, Flags, Message ID,
and Length are as specified in [RFC7296]. and Length are as specified in [RFC7296].
4.2. Group Identification Payload 4.2. Group Identification Payload
The Group Identification (IDg) payload allows the group member to The Group Identification (IDg) payload allows the group member to
indicate which group it wants to join. The payload is constructed by indicate which group it wants to join. The payload is constructed by
using the IKEv2 Identification Payload (section 3.5 of [RFC7296]). using the IKEv2 Identification Payload (section 3.5 of [RFC7296]).
ID type ID_KEY_ID MUST be supported. ID types ID_IPV4_ADDR, ID_FQDN, ID type ID_KEY_ID MUST be supported. ID types ID_IPV4_ADDR, ID_FQDN,
ID_RFC822_ADDR, ID_IPV6_ADDR SHOULD be supported. ID types ID_RFC822_ADDR, ID_IPV6_ADDR SHOULD be supported. ID types
ID_DER_ASN1_DN and ID_DER_ASN1_GN are not expected to be used. The ID_DER_ASN1_DN and ID_DER_ASN1_GN are not expected to be used. The
Payload Type for the Group Identification payload is fifty (50). Payload Type for the Group Identification payload is fifty (50).
4.3. Security Association - GM Supported Transforms Payload 4.3. Security Association - GM Supported Transforms Payload
The Security Association - GM Supported Transforms Payload (SAg) The Security Association - GM Supported Transforms Payload (SAg)
payload declares which Transforms a GM is willing to accept. The payload declares which Transforms a GM is willing to accept. The
payload is constructed using the format of the IKEv2 Security payload is constructed using the format of the IKEv2 Security
Association payload (section 3.3 of [RFC7296]). The Payload Type for Association payload (section 3.3 of [RFC7296]). The Payload Type for
SAg is identical to the SA Payload Type - thirty-three (33). SAg is identical to the SA Payload Type -- thirty-three (33).
4.4. Group Security Association Payload 4.4. Group Security Association Payload
The Group Security Association (GSA) payload is used by the GCKS to The Group Security Association (GSA) payload is used by the GCKS to
assert security attributes for both Rekey SA and Data-security SAs. assert security attributes for both Rekey SA and Data-security SAs.
The Payload Type for the Group Security Association payload is fifty- The Payload Type for the Group Security Association payload is fifty-
one (51). one (51).
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
skipping to change at page 31, line 43 skipping to change at page 32, line 30
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 14: GSA Payload Format Figure 14: GSA Payload Format
The Security Association Payload fields are defined as follows: The Security Association Payload fields are defined as follows:
o Next Payload, C, RESERVED, Payload Length fields comprise the o Next Payload, C, RESERVED, Payload Length fields comprise the
IKEv2 Generic Payload Header and are defined in Section 3.2. of IKEv2 Generic Payload Header and are defined in Section 3.2. of
[RFC7296]. [RFC7296].
o Group Policies (variable) - A set of group policies for the group. o Group Policies (variable) -- A set of group policies for the
group.
4.4.1. Group Policies 4.4.1. Group Policies
Croup policies are comprised of two types of policy - Group SA (GSA) Croup policies are comprised of two types of policy -- Group SA (GSA)
policy and Group Associated (GA) policy. GSA policy defines policy and Group Associated (GA) policy. GSA policy defines
parameters for the Security Association for the group. Depending on parameters for the Security Association for the group. Depending on
the employed security protocol GSA policies may further be classified the employed security protocol GSA policies may further be classified
as Rekey SA policy (GSA KEK) and Data-Security SA policy (GSA TEK). as Rekey SA policy (GSA KEK) and Data-Security SA policy (GSA TEK).
GSA payload may contain zero or one GSA KEK policy, zero or more GSA GSA payload may contain zero or one GSA KEK policy, zero or more GSA
TEK policies, and zero or one GA policy, where either one GSA KEK or TEK policies, and zero or one GA policy, where either one GSA KEK or
GSA TEK policy MUST be present. GSA TEK policy MUST be present.
This latitude allows various group policies to be accommodated. For This latitude allows various group policies to be accommodated. For
example if the group policy does not require the use of a Rekey SA, example if the group policy does not require the use of a Rekey SA,
the GCKS would not need to send a GSA KEK policy to the group member the GCKS would not need to send a GSA KEK policy to the group member
since all SA updates would be performed using the GSA_INBAND_REKEY since all SA updates would be performed using the GSA_INBAND_REKEY
exchange via the unicast IKE SA. Alternatively, group policy might exchange via the unicast IKE SA. Alternatively, group policy might
use a Rekey SA but choose to download a KEK to the group member only use a Rekey SA but choose to download a KEK to the group member only
skipping to change at page 32, line 28 skipping to change at page 33, line 15
Specifying multiple GSA TEKs allows multiple related data streams Specifying multiple GSA TEKs allows multiple related data streams
(e.g., video, audio, and text) to be associated with a session, but (e.g., video, audio, and text) to be associated with a session, but
each protected with an individual security association policy. each protected with an individual security association policy.
A GAP allows for the distribution of group-wise policy, such as A GAP allows for the distribution of group-wise policy, such as
instructions for when to activate and de-activate SAs. instructions for when to activate and de-activate SAs.
Policies are distributed in substructures to the GSA payload. The Policies are distributed in substructures to the GSA payload. The
format of the substructures is defined below in Section 4.4.2 (for format of the substructures is defined below in Section 4.4.2 (for
GSA policy) and in Section 4.4.3 (for GA policy). The first octet of GSA policy) and in Section 4.4.3 (for GA policy). The first octet of
the substructure unambiguously determines its type - it is zero for the substructure unambiguously determines its type -- it is zero for
GAP and non-zero (actually, it is a security protocol ID) for GSA GAP and non-zero (actually, it is a security protocol ID) for GSA
policies. policies.
4.4.2. Group Security Association Policy Substructure 4.4.2. Group Security Association Policy Substructure
The GSA policy substructure contains parameters for the SA used with The GSA policy substructure contains parameters for the SA used with
this group. Depending on the security protocol the SA is either a this group. Depending on the security protocol the SA is either a
Rekey SA or a Data-Security SA (ESP and AH). It is NOT RECOMMENDED Rekey SA or a Data-Security SA (ESP and AH). It is NOT RECOMMENDED
that the GCKS distribute both ESP and AH policies for the same set of that the GCKS distribute both ESP and AH policies for the same set of
Traffic Selectors. Traffic Selectors.
skipping to change at page 33, line 35 skipping to change at page 34, line 35
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
~ <GSA Attributes> ~ ~ <GSA Attributes> ~
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 15: GSA Policy Substructure Format Figure 15: GSA Policy Substructure Format
The GSA policy fields are defined as follows: The GSA policy fields are defined as follows:
o Protocol (1 octet) - Identifies the security protocol for this o Protocol (1 octet) -- Identifies the security protocol for this
group SA. The values are defined in the IKEv2 Security Protocol group SA. The values are defined in the IKEv2 Security Protocol
Identifiers in [IKEV2-IANA]. The valid values for this field are: Identifiers in [IKEV2-IANA]. The valid values for this field are:
<TBA> (GIKE_REKEY) for Rekey SA and 2 (AH) or 3 (ESP) for Data- <TBA> (GIKE_REKEY) for Rekey SA and 2 (AH) or 3 (ESP) for Data-
Security SAs. Security SAs.
o SPI Size (1 octet) - Size of Security Parameter Index (SPI) for o SPI Size (1 octet) -- Size of Security Parameter Index (SPI) for
the SA. SPI size depends on the SA protocol. For GIKE_REKEY it the SA. SPI size depends on the SA protocol. For GIKE_REKEY it
is 16 octets, while for AH and ESP it is 4 octets. is 16 octets, while for AH and ESP it is 4 octets.
o Length (2 octets, unsigned integer) - Length of this substructure o Length (2 octets, unsigned integer) -- Length of this substructure
including the header. including the header.
o SPI (variable) - Security Parameter Index for the group SA. The o SPI (variable) -- Security Parameter Index for the group SA. The
size of this field is determined by the SPI Size field. As size of this field is determined by the SPI Size field. As
described above, these SPIs are assigned by the GCKS. In case of described above, these SPIs are assigned by the GCKS. In case of
GIKE_REKEY the SPI must be the IKEv2 Header SPI pair where the GIKE_REKEY the SPI must be the IKEv2 Header SPI pair where the
first 8 octets become the "Initiator's SPI" field in the G-IKEv2 first 8 octets become the "Initiator's SPI" field in the G-IKEv2
rekey message IKEv2 HDR, and the second 8 octets become the rekey message IKEv2 HDR, and the second 8 octets become the
"Responder's SPI" in the same HDR. When selecting SPI the GCKS "Responder's SPI" in the same HDR. When selecting SPI the GCKS
MUST make sure that the sole first 8 octets (corresponding to MUST make sure that the sole first 8 octets (corresponding to
"Initiator's SPI" field in the IKEv2 header) uniquely identify the "Initiator's SPI" field in the IKEv2 header) uniquely identify the
Rekey SA. Rekey SA.
o Source & Destination Traffic Selectors - (variable) - o Source & Destination Traffic Selectors - (variable) --
Substructures describing the source and destination of the network Substructures describing the source and destination of the network
identities. The format for these substructures is defined in identities. The format for these substructures is defined in
IKEv2 [RFC7296], section 3.13.1. For the Rekey SA (with protocol IKEv2 [RFC7296], section 3.13.1. For the Rekey SA (with the
GIKE_REKEY) the destination traffic selectors MUST define a single GIKE_REKEY protocol) the destination traffic selectors MUST define
multicast IP address, IP protocol and port the GSA_REKEY messages a single multicast IP address, an IP protocol (assumed to be UDP)
will be destined to. The source traffic selector in this case and a single port the GSA_REKEY messages will be destined to. The
MUST either define a single IP address, IP protocol and port the source traffic selector in this case MUST either define a single
GSA_REKEY messages will be originated from or be a wildcard IP address, an IP protocol (assumed to be UDP) and a single port
the GSA_REKEY messages will be originated from or be a wildcard
selector. For the Data-Security (AH and ESP) SAs the destination selector. For the Data-Security (AH and ESP) SAs the destination
traffic selectors SHOULD define a single multicast IP address. traffic selectors SHOULD define a single multicast IP address.
The source traffic selector in this case SHOULD define a single IP The source traffic selector in this case SHOULD define a single IP
address or be a wildcard selector. IP protocol and ports define address or be a wildcard selector. IP protocol and ports define
the characteristics of traffic protected by this Data-Security SA. the characteristics of traffic protected by this Data-Security SA.
If the Data-Security SAs are created in tunnel mode, then it MUST
BE tunnel mode with address preservation (see [RFC5374]. UDP
encapsulation [RFC3948] is not used for the multicast Data-
Security SAs.
o GSA Transforms (variable) - A list of Transform Substructures o GSA Transforms (variable) -- A list of Transform Substructures
specifies the policy information for the SA. The format is specifies the policy information for the SA. The format is
defined in IKEv2 [RFC7296], section 3.3.2. The Last Substruc defined in IKEv2 [RFC7296], section 3.3.2. The Last Substruc
value in each Transform Substructure will be set to 3 except for value in each Transform Substructure will be set to 3 except for
the last one in the list, which is set to 0. Section 4.4.2.1 the last one in the list, which is set to 0. Section 4.4.2.1
describes using IKEv2 transforms in GSA policy substructure. describes using IKEv2 transforms in GSA policy substructure.
o GSA Attributes (variable) - Contains policy attributes associated o GSA Attributes (variable) -- Contains policy attributes associated
with the group SA. The following sections describe the possible with the group SA. The following sections describe the possible
attributes. Any or all attributes may be optional, depending on attributes. Any or all attributes may be optional, depending on
the protocol and the group policy. Section 4.4.2.2 defines the protocol and the group policy. Section 4.4.2.2 defines
attributes used in GSA policy substructure. attributes used in GSA policy substructure.
4.4.2.1. GSA Transforms 4.4.2.1. GSA Transforms
GSA policy is defined by means of transforms in the GSA policy GSA policy is defined by means of transforms in the GSA policy
substructure. For this purpose the transforms defined in [RFC7296] substructure. For this purpose the transforms defined in [RFC7296]
are used. In addition, new transform types are defined for using in are used. In addition, new transform types are defined for using in
G-IKEv2: Authentication Method (AUTH) and Group Key Management Method G-IKEv2: Authentication Method (AUTH) and Group Key Management Method
(GKM), see Section 8. (GKM), see Section 8.
Valid Transform Types depend on the SA protocol and are summarized in Valid Transform Types depend on the SA protocol and are summarized in
the table below. the table below.
Protocol Mandatory Types Optional Types Protocol Mandatory Types Optional Types
------------------------------------------------------------ ------------------------------------------------------------
GIKE_REKEY ENCR, INTEG*, PRF, AUTH**, GKM** GIKE_REKEY ENCR, INTEG*, PRF, AUTH**, GKM**
ESP ENCR INTEG, ESN ESP ENCR INTEG, RP
AH INTEG ESN AH INTEG RP
Figure 16: Valid Transform Types Figure 16: Valid Transform Types
(*) If AEAD encryption algorithm is used, then INTEG transform MUST (*) If AEAD encryption algorithm is used, then INTEG transform MUST
NOT be specified, otherwise it MUST be specified. NOT be specified, otherwise it MUST be specified.
(**) May only appear at the time of a GM registration, (in the (**) May only appear at the time of a GM registration, (in the
GSA_aUTH and GSA_REGISTRATION exchanges). GSA_aUTH and GSA_REGISTRATION exchanges).
4.4.2.1.1. Authentication Method Transform 4.4.2.1.1. Authentication Method Transform
skipping to change at page 35, line 32 skipping to change at page 36, line 35
policy to convey information of how GCKS will authenticate the policy to convey information of how GCKS will authenticate the
GSA_REKEY messages. This values are from the IKEv2 Authentication GSA_REKEY messages. This values are from the IKEv2 Authentication
Method registry [IKEV2-IANA]. Note, that this registry defines only Method registry [IKEV2-IANA]. Note, that this registry defines only
values in a range 0-255, so even that Transform ID field in the values in a range 0-255, so even that Transform ID field in the
Transform substructure allows for 65536 possible values, in case of Transform substructure allows for 65536 possible values, in case of
the Authentication Method transform the values 256-65535 MUST NOT the Authentication Method transform the values 256-65535 MUST NOT
appear. appear.
Among the currently defined authentication methods in the IKEv2 Among the currently defined authentication methods in the IKEv2
Authentication Method registry, only the following are allowed to be Authentication Method registry, only the following are allowed to be
used in the Authentication Method transform: Shared Key Message used in the Authentication Method transform: NULL Authentication and
Integrity Code, NULL Authentication and Digital Signature. Other Digital Signature. Other currently defined authentication methods
currently defined authentication methods MUST NOT be used. The MUST NOT be used. The following semantics is associated with each of
following semantics is associated with each of the allowed methods. the allowed methods.
Shared Key Message Integrity Code - GCKS will authenticates the NULL Authentication -- No additional authentication of the GSA_REKEY
GSA_REKEY messages by means of shared secret. In this case the messages will be provided by the GCKS besides the ability for
GCKS MUST include the AUTH_KEY attribute containing the shared key the GMs to correctly decrypt them and verify their ICV. In
into the KD payload at the time the GM is registered to the group. this case the GCKS MUST NOT include the AUTH_KEY attribute into
the KD payload. Additionally, the AUTH payload MUST NOT be
included in the GIKE_REKEY messages.
NULL Authentication - No additional authentication of the Digital Signature -- Digital signatures will be used by the GCKS to
GSA_REKEY messages will be provided by the GCKS besides the authenticate the GSA_REKEY messages. In this case the GCKS
ability for the GMs to correctly decrypt them and verify their MUST include the AUTH_KEY attribute containing the public key
ICV. In this case the GCKS MUST NOT include the AUTH_KEY into the KD payload at the time the GM is registered to the
attribute into the KD payload. Additionally, the AUTH payload group. To specify the details of the signature algorithm a new
MUST NOT be included in the GIKE_REKEY messages. attribute Algorithm Identifier (<TBA by IANA>) is defined.
Digital Signature - Digital signatures will be used by the GCKS to This attribute contains DER-encoded ASN.1 object
authenticate the GSA_REKEY messages. In this case the GCKS MUST AlgorithmIdentifier, which would specify the signature
include the AUTH_KEY attribute containing the public key into the algorithm and the hash function that the GCKS will use for
KD payload at the time the GM is registered to the group. To authentication. The AlgorithmIdentifier object is defined in
specify the details of the signature algorithm a new attribute section 4.1.1.2 of [RFC5280], see also [RFC7427] for the list
Algorithm Identifier (<TBA by IANA>) is defined. This attribute of common AlgorithmIdentifier values used in IKEv2. In case of
contains DER-encoded ASN.1 object AlgorithmIdentifier, which would using digital signature the GCKS MUST include the Algorithm
specify the signature algorithm and the hash function that the Identifier attribute in the Authentication Method transform.
GCKS will use for authentication. The AlgorithmIdentifier object
is defined in section 4.1.1.2 of [RFC5280], see also [RFC7427] for
the list of common AlgorithmIdentifier values used in IKEv2. In
case of using digital signature the GCKS MUST include the
Algorithm Identifier attribute in the Authentication Method
transform.
The authentication method MUST NOT change as a result of rekey The authentication method MUST NOT change as a result of rekey
operations. This means that the Authentication Method transform may operations. This means that the Authentication Method transform may
not appear in the rekey messages, it may only appear in the not appear in the rekey messages, it may only appear in the
registration exchange (either GSA_AUTH or GSA_REGISTRATION). registration exchange (either GSA_AUTH or GSA_REGISTRATION).
The type of the Authentication Method Transform is <TBA by IANA>. The type of the Authentication Method Transform is <TBA by IANA>.
4.4.2.1.2. Group Key Management Method Transform 4.4.2.1.2. Group Key Management Method Transform
The Group Key Management Method (GKM) transform is used in the The Group Key Management Method (GKM) transform is used in the
GIKE_REKEY policy to convey information of how GCKS will manage the GIKE_REKEY policy to convey information of how GCKS will manage the
group keys to provide forward and backward access control (i.e., used group keys to provide forward and backward access control (i.e., used
to exclude group members). Possible key management methods are to exclude group members). Possible key management methods are
defined in a new IKEv2 registry "Transform Type <TBA> - Group Key defined in a new IKEv2 registry "Transform Type <TBA> -- Group Key
Management Methods" (see Section 8). This document defines one Management Methods" (see Section 8). This document defines one
values for this registry: values for this registry:
Wrapped Key Download (<TBA by IANA>) - Keys are downloaded by GCKS Wrapped Key Download (<TBA by IANA>) -- Keys are downloaded by GCKS
to the GMs in encrypted form. This algorithm may provide forward to the GMs in encrypted form. This algorithm may provide
and backward access control if some form of key hierarchy is used forward and backward access control if some form of key
and each GM is provided with a personal key at the time of hierarchy is used and each GM is provided with a personal key
registration. Otherwise no access control is provided. at the time of registration. Otherwise no access control is
provided.
The group key management method MUST NOT change as a result of rekey The group key management method MUST NOT change as a result of rekey
operations. This means that the Group Key Management Method operations. This means that the Group Key Management Method
transform may not appear in the rekey messages, it may only appear in transform may not appear in the rekey messages, it may only appear in
the registration exchange (either GSA_AUTH or GSA_REGISTRATION). the registration exchange (either GSA_AUTH or GSA_REGISTRATION).
The type of the Group Key Management Method transform is <TBA by The type of the Group Key Management Method transform is <TBA by
IANA>. IANA>.
4.4.2.1.3. Extended Sequence Number Transform 4.4.2.1.3. Replay Protection Transform
Extended Sequence Number (ESN) Transform is defined in [RFC7296] to The "Extended Sequence Number (ESN)" Transform is defined in
allow using 64-bit sequence numbers in ESP and AH. Since both AH [RFC7296]. This specification renames this transform to "Replay
[RFC4302] and ESP [RFC4303] are defined so, that high-order 32 bits Protection (RP)". This transform allows to specify whether the
of extended sequence numbers are never transmitted, it makes using 64-bit Extended Sequence Numbers (ESN) are to be used in ESP and AH.
ESN in multicast Data-Security SAs problematic, because GMs that join
group long after it is created will have to somehow learn the current Since both AH [RFC4302] and ESP [RFC4303] are defined in such a way,
high order 32 bits of ESN for each sender in the group. The that high-order 32 bits of extended sequence numbers are never
algorithm for doing this described in [RFC4302] and [RFC4303] is transmitted, it makes using ESN in multicast Data-Security SAs
resource-consuming. For this reason extended sequence numbers SHOULD problematic, because GMs that join group long after it is created
NOT be used for multicast Data-Security SAs and thus the ESN will have to somehow learn the current high order 32 bits of ESN for
Transform SHOULD NOT be included in the GSA Payload. each sender in the group. The algorithm for doing this described in
[RFC4302] and [RFC4303] is resource-consuming and is only suitable
when a receiver is able to guess the high-order 32 bits close enough
to its real value, which is not the case for multicast SAs. For this
reason extended sequence numbers MUST NOT be used for multicast Data-
Security SAs and thus the value "Extended Sequence Numbers" (1) for
the Replay Protection transform type MUST NOT be used in the GSA
Payload. The GCKS MUST estimate the data rate and rekey Data-
Security SAs freuently enough so that Sequence Numbers (SN) don't
wrap.
4.4.2.2. GSA Attributes 4.4.2.2. GSA Attributes
GSA attributes are generally used to provide GMs with additional GSA attributes are generally used to provide GMs with additional
parameters for the GSA policy. Unlike security parameters parameters for the GSA policy. Unlike security parameters
distributed via transforms, which are expected not to change over distributed via transforms, which are expected not to change over
time (unless policy changes), the parameters distributed via GSA time (unless policy changes), the parameters distributed via GSA
attributes may depend on the time the provision takes place, on the attributes may depend on the time the provision takes place, on the
existence of others group SAs or on other conditions. existence of others group SAs or on other conditions.
skipping to change at page 39, line 27 skipping to change at page 40, line 30
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
~ <GAP Attributes> ~ ~ <GAP Attributes> ~
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 17: GAP Substructure Format Figure 17: GAP Substructure Format
The GAP substructure fields are defined as follows: The GAP substructure fields are defined as follows:
o Protocol (1 octet) - MUST be zero. This value is reserved in o Protocol (1 octet) -- MUST be zero. This value is reserved in
Section 8 and is never used for any security protocol, so it is Section 8 and is never used for any security protocol, so it is
used here to indicate that this substructure contains policy not used here to indicate that this substructure contains policy not
related to any specific protocol. related to any specific protocol.
o RESERVED ( octet) - MUST be zero on transmission, MUST be ignored o RESERVED ( octet) -- MUST be zero on transmission, MUST be ignored
on receipt. on receipt.
o Length (2 octets, unsigned integer) - Length of this substructure o Length (2 octets, unsigned integer) -- Length of this substructure
including the header. including the header.
o GAP Attributes (variable) - Contains policy attributes associated o GAP Attributes (variable) -- Contains policy attributes associated
with no specific SA. The following sections describe possible with no specific SA. The following sections describe possible
attributes. Any or all attributes may be optional, depending on attributes. Any or all attributes may be optional, depending on
the group policy. the group policy.
This document creates a new IKEv2 IANA registry for the types of the This document creates a new IKEv2 IANA registry for the types of the
GAP attributes which is initially filled as described in Section 8. GAP attributes which is initially filled as described in Section 8.
In particular, the following attributes are initially added. In particular, the following attributes are initially added.
GAP Attributes Value Type Multiple GAP Attributes Value Type Multiple
---------------------------------------------------- ----------------------------------------------------
skipping to change at page 40, line 13 skipping to change at page 41, line 20
GAP_SID_BITS 3 B N GAP_SID_BITS 3 B N
The attributes must follow the format defined in the IKEv2 [RFC7296] The attributes must follow the format defined in the IKEv2 [RFC7296]
section 3.3.5. In the table, attributes that are defined as TV are section 3.3.5. In the table, attributes that are defined as TV are
marked as Basic (B); attributes that are defined as TLV are marked as marked as Basic (B); attributes that are defined as TLV are marked as
Variable (V). Variable (V).
4.4.3.1. GAP_ATD And GAP_DTD Attributes 4.4.3.1. GAP_ATD And GAP_DTD Attributes
Section 4.2.1 of [RFC5374] specifies a key rollover method that Section 4.2.1 of [RFC5374] specifies a key rollover method that
requires two values be provided to group members - Activation Time requires two values be provided to group members -- Activation Time
Delay (ATD) and Deactivation Time Delay (DTD). Delay (ATD) and Deactivation Time Delay (DTD).
The GAP_ATD attribute (1) allows a GCKS to set the Activation Time The GAP_ATD attribute (1) allows a GCKS to set the Activation Time
Delay for Data-Security SAs of the group. The ATD defines how long Delay for Data-Security SAs of the group. The ATD defines how long
active members of the group (those who sends traffic) should wait active members of the group (those who sends traffic) should wait
after receiving new SAs before staring sending traffic over them. after receiving new SAs before staring sending traffic over them.
Note, that to achieve smooth rollover passive members of the group Note, that to achieve smooth rollover passive members of the group
should activate the SAs immediately once they receive them. should activate the SAs immediately once they receive them.
The GAP_DTD attribute (2) allows the GCKS to set the Deactivation The GAP_DTD attribute (2) allows the GCKS to set the Deactivation
Time Delay for previously distributed SAs. The DTD defines how long Time Delay for previously distributed SAs. The DTD defines how long
after receiving a request to delete Data-Security SAs passive group after receiving a request to delete Data-Security SAs passive group
members should wait before actually deleting them. Note that active members should wait before actually deleting them. Note that active
members of the group should stop sending traffic over these old SAs members of the group should stop sending traffic over these old SAs
once new replacement SAs are activated (after time specified in the once new replacement SAs are activated (after time specified in the
GAP_ATD attribute). GAP_ATD attribute).
The GAP_ATD and GAP_DTD attributes contain 16 bit unsigned integer in The GAP_ATD and GAP_DTD attributes contain 16 bit unsigned integer in
a network byte order, specifying the delay in seconds. These a network byte order, specifying the delay in seconds. These
attributes are OPTIONAL. If one of them or both are not sent by the attributes are OPTIONAL. If one of them or both are not sent by the
GCKS, the GMs should use default values for activation and GCKS, then no corresponding delay should be employed.
deactivation time delays.
4.4.3.2. GAP_SID_BITS Attribute 4.4.3.2. GAP_SID_BITS Attribute
The GAP_SID_BITS attribute (3) declares how many bits of the cipher The GAP_SID_BITS attribute (3) declares how many bits of the cipher
nonce are taken to represent an SID value. The bits are applied as nonce are taken to represent an SID value. The bits are applied as
the most significant bits of the IV, as shown in Figure 1 of the most significant bits of the IV, as shown in Figure 1 of
[RFC6054] and specified in Section 2.5.2. Guidance for a GCKS [RFC6054] and specified in Section 2.5.2. Guidance for a GCKS
choosing the NUMBER_OF_SID_BITS is provided in Section 3 of choosing the NUMBER_OF_SID_BITS is provided in Section 3 of
[RFC6054]. This value is applied to each SID value distributed in [RFC6054]. This value is applied to each SID value distributed in
the KD payload. the KD payload.
skipping to change at page 41, line 29 skipping to change at page 42, line 34
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 18: Key Download Payload Format Figure 18: Key Download Payload Format
The Key Download payload fields are defined as follows: The Key Download payload fields are defined as follows:
o Next Payload, C, RESERVED, Payload Length fields comprise the o Next Payload, C, RESERVED, Payload Length fields comprise the
IKEv2 Generic Payload Header and are defined in Section 3.2. of IKEv2 Generic Payload Header and are defined in Section 3.2. of
[RFC7296]. [RFC7296].
o Key Packets (variable) - Contains Group Key Packet and Member Key o Key Packets (variable) -- Contains Group Key Packet and Member Key
Packet substructures. Each Key Packet contains keys for a single Packet substructures. Each Key Packet contains keys for a single
group rekey or Data-Security SA or a keys and security parameters group rekey or Data-Security SA or a keys and security parameters
for a GM. for a GM.
Two types of Key Packets are used - Group Key Packet and Member Key Two types of Key Packets are used -- Group Key Packet and Member Key
Packet. Packet.
4.5.1. Wrapped Key Format 4.5.1. Wrapped Key Format
The symmetric keys in G-IKEv2 are never sent in clear. They are The symmetric keys in G-IKEv2 are never sent in clear. They are
always encrypted with other keys using the format called Wrapped Key always encrypted with other keys using the format called Wrapped Key
that is shown below (Figure 19). that is shown below (Figure 19).
The keys are encrypted using algorithm that is used to encrypt the The keys are encrypted using algorithm that is used to encrypt the
message the keys are sent in. It means, that in case of unicast IKE message the keys are sent in. It means, that in case of unicast IKE
skipping to change at page 42, line 36 skipping to change at page 43, line 41
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
~ Encrypted Key ~ ~ Encrypted Key ~
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 19: Wrapped Key Format Figure 19: Wrapped Key Format
The Wrapped Key fields are defined as follows: The Wrapped Key fields are defined as follows:
o Key ID (4 octets) - ID of the encrypted key. The value zero means o Key ID (4 octets) -- ID of the encrypted key. The value zero
that the encrypted key contains SA keys (in the form of keying means that the encrypted key contains SA keys (in the form of
material, see Section 3.4)), otherwise it contains some keying material, see Section 3.4)), otherwise it contains some
intermediate key. intermediate key.
o KWK ID (4 octets) - ID of the key that was used to encrypt key o KWK ID (4 octets) -- ID of the key that was used to encrypt key
with specified Key ID. The value zero means that the default KWK with specified Key ID. The value zero means that the default KWK
was used to encrypt the key, otherwise some intermediate key was was used to encrypt the key, otherwise some intermediate key was
used. used.
o IV (variable) - Initialization Vector used for encryption. The o IV (variable) -- Initialization Vector used for encryption. The
size and the content of IV is defined by the employed encryption size and the content of IV is defined by the employed encryption
transform. transform.
o Encrypted Key (variable) - The encrypted key bits. These bits may o Encrypted Key (variable) -- The encrypted key bits. These bits
comprise either a single encrypted key or a result of encryption may comprise either a single encrypted key or a result of
of a concatenation of keys (key material) for several algorithms. encryption of a concatenation of keys (key material) for several
algorithms.
4.5.2. Group Key Packet Substructure 4.5.2. Group Key Packet Substructure
Group Key Packet substructure contains SA key information. This key Group Key Packet substructure contains SA key information. This key
information is associated with some group SAs: either with Data- information is associated with some group SAs: either with Data-
Security SAs or with group Rekey SA. Security SAs or with group Rekey SA.
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
skipping to change at page 43, line 31 skipping to change at page 44, line 36
~ SPI ~ ~ SPI ~
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
~ <Group Key Packet Attributes> ~ ~ <Group Key Packet Attributes> ~
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 20: Group Key Packet Substructure Format Figure 20: Group Key Packet Substructure Format
o Protocol (1 octet) - Identifies the security protocol for this key o Protocol (1 octet) -- Identifies the security protocol for this
packet. The values are defined in the IKEv2 Security Protocol key packet. The values are defined in the IKEv2 Security Protocol
Identifiers in [IKEV2-IANA]. The valid values for this field are: Identifiers in [IKEV2-IANA]. The valid values for this field are:
<TBA> (GIKE_REKEY) for KEK Key packet and 2 (AH) or 3 (ESP) for <TBA> (GIKE_REKEY) for KEK Key packet and 2 (AH) or 3 (ESP) for
TEK key packet. TEK key packet.
o SPI Size (1 octet) - Size of Security Parameter Index (SPI) for o SPI Size (1 octet) -- Size of Security Parameter Index (SPI) for
the corresponding SA. SPI size depends on the security protocol. the corresponding SA. SPI size depends on the security protocol.
For GIKE_REKEY it is 16 octets, while for AH and ESP it is 4 For GIKE_REKEY it is 16 octets, while for AH and ESP it is 4
octets. octets.
o Length (2 octets, unsigned integer) - Length of this substructure o Length (2 octets, unsigned integer) -- Length of this substructure
including the header. including the header.
o SPI (variable) - Security Parameter Index for the corresponding o SPI (variable) -- Security Parameter Index for the corresponding
SA. The size of this field is determined by the SPI Size field. SA. The size of this field is determined by the SPI Size field.
In case of GIKE_REKEY the SPI must be the IKEv2 Header SPI pair In case of GIKE_REKEY the SPI must be the IKEv2 Header SPI pair
where the first 8 octets become the "Initiator's SPI" field in the where the first 8 octets become the "Initiator's SPI" field in the
G-IKEv2 rekey message IKEv2 HDR, and the second 8 octets become G-IKEv2 rekey message IKEv2 HDR, and the second 8 octets become
the "Responder's SPI" in the same HDR. When selecting SPI the the "Responder's SPI" in the same HDR. When selecting SPI the
GCKS MUST make sure that the sole first 8 octets (corresponding to GCKS MUST make sure that the sole first 8 octets (corresponding to
"Initiator's SPI" field in the IKEv2 header) uniquely identify the "Initiator's SPI" field in the IKEv2 header) uniquely identify the
Rekey SA. Rekey SA.
o Group Key Packet Attributes (variable length) - Contains Key o Group Key Packet Attributes (variable length) -- Contains Key
information for the corresponding SA. information for the corresponding SA.
This document creates a new IKEv2 IANA registry for the types of the This document creates a new IKEv2 IANA registry for the types of the
Group Key Packet attributes which is initially filled as described in Group Key Packet attributes which is initially filled as described in
Section 8. In particular, the following attributes are initially Section 8. In particular, the following attributes are initially
added. added.
Group Key Packet Group Key Packet
Attributes Value Type Multiple Protocol Attributes Value Type Multiple Protocol
---------------------------------------------------------- ----------------------------------------------------------
skipping to change at page 45, line 25 skipping to change at page 46, line 28
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
~ <Member Key Packet Attributes> ~ ~ <Member Key Packet Attributes> ~
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 21: Member Key Packet Substructure Format Figure 21: Member Key Packet Substructure Format
The Member Key Packet substructure fields are defined as follows: The Member Key Packet substructure fields are defined as follows:
o Protocol (1 octet) - MUST be zero. This value is reserved in o Protocol (1 octet) -- MUST be zero. This value is reserved in
Section 8 and is never used for any security protocol, so it is Section 8 and is never used for any security protocol, so it is
used here to indicate that this Key Packet is not associated with used here to indicate that this Key Packet is not associated with
any particular SA. any particular SA.
o RESERVED ( octet) - MUST be zero on transmission, MUST be ignored o RESERVED ( octet) -- MUST be zero on transmission, MUST be ignored
on receipt. on receipt.
o Length (2 octets, unsigned integer) - Length of this substructure o Length (2 octets, unsigned integer) -- Length of this substructure
including the header. including the header.
o Member Key Packet Attributes (variable length) - Contains Key o Member Key Packet Attributes (variable length) -- Contains Key
information and other parameters exclusively for a particular information and other parameters exclusively for a particular
member of the group. member of the group.
Member Key Packet substructure contains sensitive information for a Member Key Packet substructure contains sensitive information for a
single GM, for this reason it MUST NOT be sent in GSA_REKEY messages single GM, for this reason it MUST NOT be sent in GSA_REKEY messages
and MUST only be sent via unicast SA at the time the GM registers to and MUST only be sent via unicast SA at the time the GM registers to
the group (in either GSA_AUTH or GSA_REGISTRATION exchanges). the group (in either GSA_AUTH or GSA_REGISTRATION exchanges).
This document creates a new IKEv2 IANA registry for the types of the This document creates a new IKEv2 IANA registry for the types of the
Member Key Packet attributes which is initially filled as described Member Key Packet attributes which is initially filled as described
skipping to change at page 46, line 42 skipping to change at page 47, line 42
Multiple instances of the WRAP_KEY attributes MAY be present in the Multiple instances of the WRAP_KEY attributes MAY be present in the
key packet. key packet.
4.5.3.2. AUTH_KEY Attribute 4.5.3.2. AUTH_KEY Attribute
The AUTH_KEY attribute (2) contains the key that is used to The AUTH_KEY attribute (2) contains the key that is used to
authenticate the GSA_REKEY messages. The content of the attribute authenticate the GSA_REKEY messages. The content of the attribute
depends on the authentication method the GCKS specified in the depends on the authentication method the GCKS specified in the
Authentication Method transform in the GSA payload. Authentication Method transform in the GSA payload.
o If a shared secret is used for the GSA_REKEY messages
authentication then the content of the AUTH_KEY attribute is the
shared secret that MUST be represented in the form of Wrapped Key
(see Section 4.5.1) with zero KWK ID. The Key ID in this case is
arbitrary and MUST be ignored by the GM.
o If digital signatures are used for the GSA_REKEY messages o If digital signatures are used for the GSA_REKEY messages
authentication then the content of the AUTH_KEY attribute is a authentication then the content of the AUTH_KEY attribute is a
public key used for digital signature authentication. The public public key used for digital signature authentication. The public
key MUST be represented as DER-encoded ASN.1 object key MUST be represented as DER-encoded ASN.1 object
SubjectPublicKeyInfo, defined in section 4.1.2.7 of [RFC5280]. SubjectPublicKeyInfo, defined in section 4.1.2.7 of [RFC5280].
The signature algorithm that will use this key was specified in The signature algorithm that will use this key was specified in
the Algorithm Identifier attribute of the Authentication Method the Algorithm Identifier attribute of the Authentication Method
transform. The key MUST be compatible with this algorithm. An transform. The key MUST be compatible with this algorithm. An
RSA public key format is defined in [RFC8017], Section A.1. DSS RSA public key format is defined in [RFC8017], Section A.1. DSS
public key format is defined in [RFC3279] Section 2.3.2. For public key format is defined in [RFC3279] Section 2.3.2. For
ECDSA Public keys, use format described in [RFC5480] Section 2. ECDSA Public keys, use format described in [RFC5480] Section 2.
Other algorithms added to the IKEv2 Authentication Method registry Other algorithms added to the IKEv2 Authentication Method registry
are also expected to include a format of the SubjectPublicKeyInfo are also expected to include a format of the SubjectPublicKeyInfo
object included in the algorithm specification. object included in the algorithm specification.
Multiple instances of the AUTH_KEY attributes MUST NOT be sent. This Multiple instances of the AUTH_KEY attributes MUST NOT be sent. This
attribute MUST NOT appear in the rekey operations (in the GSA_REKEY attribute MUST NOT appear in the rekey operations (in the GSA_REKEY
or GSA_INBAND_REKEY exchanges). or GSA_INBAND_REKEY exchanges).
4.5.3.3. GM_SID Attribute 4.5.3.3. GM_SID Attribute
skipping to change at page 48, line 5 skipping to change at page 48, line 47
See Section 2.4.3 for detail. See Section 2.4.3 for detail.
4.7. Notify Payload 4.7. Notify Payload
G-IKEv2 uses the same Notify payload as specified in [RFC7296], G-IKEv2 uses the same Notify payload as specified in [RFC7296],
section 3.10. section 3.10.
There are additional Notify Message types introduced by G-IKEv2 to There are additional Notify Message types introduced by G-IKEv2 to
communicate error conditions and status (see Section 8). communicate error conditions and status (see Section 8).
o INVALID_GROUP_ID (45) - error type notification that indicates o INVALID_GROUP_ID (45) -- error type notification that indicates
that the group ID sent during the registration process is invalid. that the group ID sent during the registration process is invalid.
The Protocol ID and SPI Size fields in the Notify payload MUST be The Protocol ID and SPI Size fields in the Notify payload MUST be
zero. There is no data associated with this notification and the zero. There is no data associated with this notification and the
content of the Notification Data field MUST be ignored on receipt. content of the Notification Data field MUST be ignored on receipt.
o AUTHORIZATION_FAILED (46) - error type notification that is sent o AUTHORIZATION_FAILED (46) -- error type notification that is sent
in the response to a GSA_AUTH or GSA_REGISTRATION message when in the response to a GSA_AUTH or GSA_REGISTRATION message when
authorization failed. The Protocol ID and SPI Size fields in the authorization failed. The Protocol ID and SPI Size fields in the
Notify payload MUST be zero. There is no data associated with Notify payload MUST be zero. There is no data associated with
this notification and the content of the Notification Data field this notification and the content of the Notification Data field
MUST be ignored on receipt. MUST be ignored on receipt.
o REGISTRATION_FAILED (<TBA>) - error type notification that is sent o REGISTRATION_FAILED (<TBA>) -- error type notification that is
by the GCKS when the GM registration request cannot be satisfied sent by the GCKS when the GM registration request cannot be
for the reasons not related to this particular GM, for example if satisfied for the reasons not related to this particular GM, for
the capacity of the group is exceeded. The Protocol ID and SPI example if the capacity of the group is exceeded. The Protocol ID
Size fields in the Notify payload MUST be zero. There is no data and SPI Size fields in the Notify payload MUST be zero. There is
associated with this notification and the content of the no data associated with this notification and the content of the
Notification Data field MUST be ignored on receipt. Notification Data field MUST be ignored on receipt.
o SENDER (16429) - status type notification that is sent in the o SENDER (16429) -- status type notification that is sent in the
GSA_AUTH or the GSA_REGISTRATION exchanges to indicate that the GM GSA_AUTH or the GSA_REGISTRATION exchanges to indicate that the GM
intends to be sender of data traffic. The data includes a count intends to be sender of data traffic. The data includes a count
of how many SID values the GM desires. The count MUST be 4 octets of how many SID values the GM desires. The count MUST be 4 octets
long and contain the big endian representation of the number of long and contain the big endian representation of the number of
requested SIDs. The Protocol ID and SPI Size fields in the Notify requested SIDs. The Protocol ID and SPI Size fields in the Notify
payload MUST be zero. payload MUST be zero.
o REKEY_IS_NEEDED (<TBA>) - status type notification that is sent in o REKEY_IS_NEEDED (<TBA>) -- status type notification that is sent
the GSA_AUTH response message to indicate that the GM must perform in the GSA_AUTH response message to indicate that the GM must
an immediate rekey of IKE SA to make it secure against quantum perform an immediate rekey of IKE SA to make it secure against
computers and then start a registration request over. The quantum computers and then start a registration request over. The
Protocol ID and SPI Size fields in the Notify payload MUST be Protocol ID and SPI Size fields in the Notify payload MUST be
zero. There is no data associated with this notification and the zero. There is no data associated with this notification and the
content of the Notification Data field MUST be ignored on receipt. content of the Notification Data field MUST be ignored on receipt.
4.7.1. USE_TRANSPORT_MODE Notification 4.7.1. USE_TRANSPORT_MODE Notification
This specification uses USE_TRANSPORT_MODE notification defined in This specification uses the USE_TRANSPORT_MODE notification defined
section 3.10.1 of [RFC7296] to specify which mode Data-Security SAs in section 3.10.1 of [RFC7296] to specify the mode Data-Security SAs
should be created in. The GCKS MUST include one USE_TRANSPORT_MODE should be created in. The GCKS MUST include the USE_TRANSPORT_MODE
notification in a message containing the GSA payload for every Data- notification in a message containing the GSA payload if Data-Security
Security SAs specified in this payload that is to be created in SAs are to be created in transport mode and MUST NOT include if they
transport mode. In other words, there must be as many these are to be created in tunnel mode.
notifications included in the message as many SAs are created in
transport mode. The Protocol ID, SPI Size and SPI fields of the Note, that it is not possible with this specification to create a
Notify Payload MUST correctly specify each such SA. group where some Data-Security SAs use transport mode and the others
use tunnel mode. If such a configuration is needed two different
groups must be defined.
4.8. Authentication Payload 4.8. Authentication Payload
G-IKEv2 uses the same Authentication payload as specified in G-IKEv2 uses the same Authentication payload as specified in
[RFC7296], section 3.8, to authenticate the rekey message. However, [RFC7296], section 3.8, to authenticate the rekey message. However,
if it is used in the GSA_REKEY messages the content of the payload is if it is used in the GSA_REKEY messages the content of the payload is
computed differently, as described in Section 2.4.1.1. computed differently, as described in Section 2.4.1.1.
5. Usigng G-IKEv2 Attributes 5. Usigng G-IKEv2 Attributes
skipping to change at page 50, line 25 skipping to change at page 51, line 25
| GAP_ATD | [S] | [S] | | GAP_ATD | [S] | [S] |
| | | | | | | |
| GAP_DTD | [S] | [S] | | GAP_DTD | [S] | [S] |
| | | | | | | |
| GAP_SID_BITS | S* | - | | GAP_SID_BITS | S* | - |
| | | | | | | |
| SA_KEY | S | S/[M]** | | SA_KEY | S | S/[M]** |
| | | | | | | |
| WRAP_KEY | [M]** | [M]** | | WRAP_KEY | [M]** | [M]** |
| | | | | | | |
| AUTH_KEY | [S]*** | - | | AUTH_KEY | S*** | [S]**** |
| | | | | | | |
| GM_SID | S*/[M]* | - | | GM_SID | S*/[M]* | - |
+-------------------------+--------------------+--------------------+ +-------------------------+--------------------+--------------------+
Table 1: Using attributes in G-IKEv2 exchanges when multicast rekey Table 1: Using attributes in G-IKEv2 exchanges when multicast rekey
is used is used
* The GAP_SID_BITS attribute must be present if the GCKS policy * The GAP_SID_BITS attribute must be present if the GCKS policy
includes at least one cipher in counter mode of operation and includes at least one cipher in counter mode of operation and
the GM included the SENDER notify into the registration the GM included the SENDER notify into the registration
skipping to change at page 51, line 5 skipping to change at page 51, line 47
GM_SID attribute must be present in the former case (and more GM_SID attribute must be present in the former case (and more
may be present if the GM requested more SIDs) and no GM_SID may be present if the GM requested more SIDs) and no GM_SID
attributes must be present in the latter case. attributes must be present in the latter case.
** The WRAP_KEY attributes may be present if the GCKS employs key ** The WRAP_KEY attributes may be present if the GCKS employs key
management method that relies on key tree (like LKH). management method that relies on key tree (like LKH).
*** The AUTH_KEY attribute must be present if the GCKS employs *** The AUTH_KEY attribute must be present if the GCKS employs
authentication method other than NULL Authentication. authentication method other than NULL Authentication.
*** The AUTH_KEY attribute may be present if the GCKS employs
authentication method based on digital signatures and wants to
change the public key for the following multicast rekey
operations.
+-------------------------+--------------------+--------------------+ +-------------------------+--------------------+--------------------+
| Attributes | GSA_AUTH | GSA_INBAND_REKEY | | Attributes | GSA_AUTH | GSA_INBAND_REKEY |
| | GSA_REGISTRATION | | | | GSA_REGISTRATION | |
+-------------------------+--------------------+--------------------+ +-------------------------+--------------------+--------------------+
| GSA_KEY_LIFETIME | [S] | [S] | | GSA_KEY_LIFETIME | [S] | [S] |
| | | | | | | |
| GSA_INITIAL_MESSAGE_ID | - | - | | GSA_INITIAL_MESSAGE_ID | - | - |
| | | | | | | |
| GSA_NEXT_SPI | - | - | | GSA_NEXT_SPI | - | - |
| | | | | | | |
skipping to change at page 52, line 14 skipping to change at page 53, line 14
The above list of compatible IKEv2 extensions is not exhaustive, The above list of compatible IKEv2 extensions is not exhaustive,
however some IKEv2 extensions require special handling if used in however some IKEv2 extensions require special handling if used in
G-IKEv2. G-IKEv2.
6.1. Mixing Preshared Keys in IKEv2 for Post-quantum Security 6.1. Mixing Preshared Keys in IKEv2 for Post-quantum Security
G-IKEv2 can take advantage of the protection provided by Postquantum G-IKEv2 can take advantage of the protection provided by Postquantum
Preshared Keys (PPK) for IKEv2 [RFC8784]. However, the use of PPK Preshared Keys (PPK) for IKEv2 [RFC8784]. However, the use of PPK
leaves the initial IKE SA susceptible to quantum computer (QC) leaves the initial IKE SA susceptible to quantum computer (QC)
attacks. Since group SA keys are protected with the default KWK attacks. While group SA keys are protected with the default KWK
(GSK_w), which is derived from SK_d and thus cannot be broken even by (GSK_w), which is derived from SK_d and thus cannot be broken even by
attacker tquipped with a QC, authentication of these keys relies on attacker equipped with a QC, authentication of these keys relies on
authentication of IKE SA messages, which is not secure against QC authentication of IKE SA messages, which is not secure against QC
until the initial IKE SA is rekeyed. In additional, the other until the initial IKE SA is rekeyed. In additional, the other
content of IKE SA messages may also be visible to an attacker with a content of IKE SA messages may also be visible to an attacker with a
QC. See Section 6 of [RFC8784] for details. For this reason an QC. See Section 6 of [RFC8784] for details.
alternative approach for using PPK in IKEv2 defined in
[I-D.smyslov-ipsecme-ikev2-qr-alt] SHOULD be used.
If the alternative approach is not supported by the peers, then the For these reasons the GCKS MUST NOT send GSA and KD payloads in the
GCKS MUST NOT send GSA and KD payloads in the GSA_AUTH response GSA_AUTH response message and MUST return a new notification
message. Instead, the GCKS MUST return a new notification REKEY_IS_NEEDED instead. Upon receiving this notification in the
REKEY_IS_NEEDED. Upon receiving this notification in the GSA_AUTH GSA_AUTH response the GM MUST perform an IKE SA rekey and then
response the GM MUST perform an IKE SA rekey and then initiate a new initiate a new GSA_REGISTRATION request for the same group. Below
GSA_REGISTRATION request for the same group. Below are possible are possible scenarios involving using PPK.
scenarios involving using PPK.
The GM starts the IKE_SA_INIT exchange requesting using PPK, and the The GM starts the IKE_SA_INIT exchange requesting using PPK, and the
GCKS responds with agreement to do it, or aborts according to its GCKS responds with agreement to do it, or aborts according to its
"mandatory_or_not" flag: "mandatory_or_not" flag:
Initiator (Member) Responder (GCKS) Initiator (Member) Responder (GCKS)
-------------------- ------------------ -------------------- ------------------
HDR, SAi1, KEi, Ni, N(USE_PPK) --> HDR, SAi1, KEi, Ni, N(USE_PPK) -->
<-- DR, SAr1, KEr, Nr, [CERTREQ], <-- DR, SAr1, KEr, Nr, [CERTREQ],
N(USE_PPK) N(USE_PPK)
skipping to change at page 54, line 14 skipping to change at page 54, line 48
Initiator (Member) Responder (GCKS) Initiator (Member) Responder (GCKS)
-------------------- ------------------ -------------------- ------------------
HDR, SK{SA, Ni, KEi} --> HDR, SK{SA, Ni, KEi} -->
<-- HDR, SK{SA, Nr, KEr} <-- HDR, SK{SA, Nr, KEr}
HDR, SK{IDg} ---> HDR, SK{IDg} --->
<-- HDR, SK{GSA, KD} <-- HDR, SK{GSA, KD}
Figure 27: Rekeying IKE SA followed by GSA_REGISTRATION Exchange Figure 27: Rekeying IKE SA followed by GSA_REGISTRATION Exchange
Note, that [I-D.smyslov-ipsecme-ikev2-qr-alt] MAY be used to make the
initial IKE SA secure against QC.
7. Security Considerations 7. Security Considerations
7.1. GSA Registration and Secure Channel 7.1. GSA Registration and Secure Channel
G-IKEv2 registration exchange uses IKEv2 IKE_SA_INIT protocols, G-IKEv2 registration exchange uses IKEv2 IKE_SA_INIT protocols,
inheriting all the security considerations documented in [RFC7296] inheriting all the security considerations documented in [RFC7296]
section 5 Security Considerations, including authentication, section 5 Security Considerations, including authentication,
confidentiality, protection against man-in-the-middle, protection confidentiality, protection against man-in-the-middle, protection
against replay/reflection attacks, and denial of service protection. against replay/reflection attacks, and denial of service protection.
The GSA_AUTH and GSA_REGISTRATION exchanges also take advantage of The GSA_AUTH and GSA_REGISTRATION exchanges also take advantage of
skipping to change at page 54, line 41 skipping to change at page 55, line 32
protected using the cryptographic algorithm and key negotiated in the protected using the cryptographic algorithm and key negotiated in the
GSA member registration exchanged. GSA member registration exchanged.
7.2.1. Authentication/Authorization 7.2.1. Authentication/Authorization
The authentication key is distributed during the GM registration, and The authentication key is distributed during the GM registration, and
the receiver of the rekey message uses that key to verify the message the receiver of the rekey message uses that key to verify the message
came from the authorized GCKS. An implicit authentication can also came from the authorized GCKS. An implicit authentication can also
be used, in which case the ability of the GM to decrypt and to verify be used, in which case the ability of the GM to decrypt and to verify
ICV of the received message proved taht a sender of the message is a ICV of the received message proved taht a sender of the message is a
member of the group. However, implicit authentication as well as member of the group. However, implicit authentication doesn't
authentication with preshared key don't provide source origin provide source origin authentication, so the GM cannot be sure that
authentication, so the GM cannot be sure that the message came from the message came from the GCKS. For this reason using implicit
the GCKS. For this reason using implicit authentication and authentication is NOT RECOMMENDED unless in a small group of trusted
authentication with preshared key is NOT RECOMMENDED unless in a parties.
small group of trusted parties.
7.2.2. Confidentiality 7.2.2. Confidentiality
Confidentiality is provided by distributing a confidentiality key as Confidentiality is provided by distributing a confidentiality key as
part of the GSA member registration exchange. part of the GSA member registration exchange.
7.2.3. Man-in-the-Middle Attack Protection 7.2.3. Man-in-the-Middle Attack Protection
GSA maintenance channel is integrity protected by using a digital GSA maintenance channel is integrity protected by using a digital
signature. signature.
skipping to change at page 57, line 26 skipping to change at page 58, line 21
This document defines new Payload Types in the "IKEv2 Payload Types" This document defines new Payload Types in the "IKEv2 Payload Types"
registry: registry:
Value Next Payload Type Notation Value Next Payload Type Notation
---------------------------------------------------- ----------------------------------------------------
50 Group Identification IDg 50 Group Identification IDg
51 Group Security Association GSA 51 Group Security Association GSA
52 Key Download KD 52 Key Download KD
This document defines a new Security Protocol Identifier in the This document makes the following changes to the "Transform Type
"IKEv2 Security Protocol Identifiers" registry: Values" registry:
<TBA> GIKE_REKEY o Defines two new transform types -- "Authentication Method (AUTH)"
and "Group Key Management Method (GKM)";
This document defines new Transform Types in the "Transform Type o Renames existing transform type "Extended Sequence Numbers (ESN)"
Values" registry and changes the "Used In" column for the existing to "Replay Protection (RP)";
allocations:
o Changes the "Used In" column for the existing allocations as
follows;
Type Description Used In Type Description Used In
--------------------------------------------------------------------- ---------------------------------------------------------------------
1 Encryption Algorithm (ENCR) IKE, GIKE_REKEY and ESP 1 Encryption Algorithm (ENCR) IKE, GIKE_REKEY and ESP
2 Pseudo-random Function (PRF) IKE, GIKE_REKEY 2 Pseudo-random Function (PRF) IKE, GIKE_REKEY
3 Integrity Algorithm (INTEG) IKE, GIKE_REKEY, AH, 3 Integrity Algorithm (INTEG) IKE, GIKE_REKEY, AH,
optional in ESP optional in ESP
4 Diffie-Hellman Group (D-H) IKE, optional in AH, ESP 4 Diffie-Hellman Group (D-H) IKE, optional in AH, ESP
5 Extended Sequence Numbers (ESN) AH and ESP 5 Replay Protection (RP) AH and ESP
<TBA> Authentication Method (AUTH) GIKE_REKEY <TBA> Authentication Method (AUTH) GIKE_REKEY
<TBA> Group Key Management Method (GKM) GIKE_REKEY <TBA> Group Key Management Method (GKM) GIKE_REKEY
This document defines a new Attribute Type in the "IKEv2 Transform This document defines a new Attribute Type in the "IKEv2 Transform
Attribute Types" registry: Attribute Types" registry:
Value Attribute Type Format Value Attribute Type Format
---------------------------------------------- ----------------------------------------------
<TBA> Algorithm Identifier TLV <TBA> Algorithm Identifier TLV
This document renames the "Transform Type 5 - Extended Sequence
Numbers Transform IDs" registry to "Transform Type 5 - Replay
Protection Transform IDs" and also adds a new value into this
registry:
Number Name
---------------------
<TBA> Not Used
This document defines new Notify Message Types in the "Notify Message
Types - Error Types" registry:
Value Notify Messages - Error Types
-----------------------------------------
45 INVALID_GROUP_ID
46 AUTHORIZATION_FAILED
<TBA> REGISTRATION_FAILED
This document defines new Notify Message Types in the "Notify Message This document defines new Notify Message Types in the "Notify Message
Types - Status Types" registry: Types - Status Types" registry:
Value Notify Messages - Status Types Value Notify Messages - Status Types
------------------------------------------ ------------------------------------------
16429 SENDER 16429 SENDER
The Notify type with the value 16429 was allocated earlier in the The Notify type with the value 16429 was allocated earlier in the
development of G-IKEv2 document with the name SENDER_REQUEST_ID. development of G-IKEv2 document with the name SENDER_REQUEST_ID.
This specification changes its name to SENDER. This specification changes its name to SENDER.
This document defines new Notify Message Types in the "Notify Message This document defines a new Security Protocol Identifier in the
Types - Error Types" registry: "IKEv2 Security Protocol Identifiers" registry:
Value Notify Messages - Error Types Protocol ID Protocol
----------------------------------------- --------------------------
45 INVALID_GROUP_ID <TBA> GIKE_REKEY
46 AUTHORIZATION_FAILED
<TBA> REGISTRATION_FAILED
9. Acknowledgements 9. Acknowledgements
The authors thank Lakshminath Dondeti and Jing Xiang for first The authors thank Lakshminath Dondeti and Jing Xiang for first
exploring the use of IKEv2 for group key management and providing the exploring the use of IKEv2 for group key management and providing the
basis behind the protocol. Mike Sullenberger and Amjad Inamdar were basis behind the protocol. Mike Sullenberger and Amjad Inamdar were
instrumental in helping resolve many issues in several versions of instrumental in helping resolve many issues in several versions of
the document. the document.
The authors are grateful to Tero Kivinen for his careful review and The authors are grateful to Tero Kivinen for his careful review and
skipping to change at page 60, line 47 skipping to change at page 62, line 14
[I-D.ietf-ipsecme-ikev2-intermediate] [I-D.ietf-ipsecme-ikev2-intermediate]
Smyslov, V., "Intermediate Exchange in the IKEv2 Smyslov, V., "Intermediate Exchange in the IKEv2
Protocol", draft-ietf-ipsecme-ikev2-intermediate-10 (work Protocol", draft-ietf-ipsecme-ikev2-intermediate-10 (work
in progress), March 2022. in progress), March 2022.
[I-D.ietf-ipsecme-ikev2-multiple-ke] [I-D.ietf-ipsecme-ikev2-multiple-ke]
Tjhai, C., Tomlinson, M., Bartlett, G., Fluhrer, S., Tjhai, C., Tomlinson, M., Bartlett, G., Fluhrer, S.,
Geest, D. V., Garcia-Morchon, O., and V. Smyslov, Geest, D. V., Garcia-Morchon, O., and V. Smyslov,
"Multiple Key Exchanges in IKEv2", draft-ietf-ipsecme- "Multiple Key Exchanges in IKEv2", draft-ietf-ipsecme-
ikev2-multiple-ke-04 (work in progress), September 2021. ikev2-multiple-ke-05 (work in progress), March 2022.
[I-D.smyslov-ipsecme-ikev2-qr-alt] [I-D.smyslov-ipsecme-ikev2-qr-alt]
Smyslov, V., "Alternative Approach for Mixing Preshared Smyslov, V., "Alternative Approach for Mixing Preshared
Keys in IKEv2 for Post-quantum Security", draft-smyslov- Keys in IKEv2 for Post-quantum Security", draft-smyslov-
ipsecme-ikev2-qr-alt-04 (work in progress), August 2021. ipsecme-ikev2-qr-alt-04 (work in progress), August 2021.
[IKEV2-IANA] [IKEV2-IANA]
IANA, "Internet Key Exchange Version 2 (IKEv2) IANA, "Internet Key Exchange Version 2 (IKEv2)
Parameters", <http://www.iana.org/assignments/ikev2- Parameters", <http://www.iana.org/assignments/ikev2-
parameters/ikev2-parameters.xhtml#ikev2-parameters-7>. parameters/ikev2-parameters.xhtml#ikev2-parameters-7>.
skipping to change at page 61, line 46 skipping to change at page 63, line 14
[RFC3686] Housley, R., "Using Advanced Encryption Standard (AES) [RFC3686] Housley, R., "Using Advanced Encryption Standard (AES)
Counter Mode With IPsec Encapsulating Security Payload Counter Mode With IPsec Encapsulating Security Payload
(ESP)", RFC 3686, DOI 10.17487/RFC3686, January 2004, (ESP)", RFC 3686, DOI 10.17487/RFC3686, January 2004,
<https://www.rfc-editor.org/info/rfc3686>. <https://www.rfc-editor.org/info/rfc3686>.
[RFC3740] Hardjono, T. and B. Weis, "The Multicast Group Security [RFC3740] Hardjono, T. and B. Weis, "The Multicast Group Security
Architecture", RFC 3740, DOI 10.17487/RFC3740, March 2004, Architecture", RFC 3740, DOI 10.17487/RFC3740, March 2004,
<https://www.rfc-editor.org/info/rfc3740>. <https://www.rfc-editor.org/info/rfc3740>.
[RFC3948] Huttunen, A., Swander, B., Volpe, V., DiBurro, L., and M.
Stenberg, "UDP Encapsulation of IPsec ESP Packets",
RFC 3948, DOI 10.17487/RFC3948, January 2005,
<https://www.rfc-editor.org/info/rfc3948>.
[RFC4046] Baugher, M., Canetti, R., Dondeti, L., and F. Lindholm, [RFC4046] Baugher, M., Canetti, R., Dondeti, L., and F. Lindholm,
"Multicast Security (MSEC) Group Key Management "Multicast Security (MSEC) Group Key Management
Architecture", RFC 4046, DOI 10.17487/RFC4046, April 2005, Architecture", RFC 4046, DOI 10.17487/RFC4046, April 2005,
<https://www.rfc-editor.org/info/rfc4046>. <https://www.rfc-editor.org/info/rfc4046>.
[RFC4106] Viega, J. and D. McGrew, "The Use of Galois/Counter Mode [RFC4106] Viega, J. and D. McGrew, "The Use of Galois/Counter Mode
(GCM) in IPsec Encapsulating Security Payload (ESP)", (GCM) in IPsec Encapsulating Security Payload (ESP)",
RFC 4106, DOI 10.17487/RFC4106, June 2005, RFC 4106, DOI 10.17487/RFC4106, June 2005,
<https://www.rfc-editor.org/info/rfc4106>. <https://www.rfc-editor.org/info/rfc4106>.
 End of changes. 97 change blocks. 
242 lines changed or deleted 322 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/