< draft-ietf-msec-mikey-rsa-r-01.txt   draft-ietf-msec-mikey-rsa-r-02.txt >
MSEC WG D. Ignjatic MSEC WG D. Ignjatic
Internet-Draft Polycom Internet-Draft Polycom
Expires: April 22, 2006 L. Dondeti Expires: August 4, 2006 L. Dondeti
QUALCOMM QUALCOMM
F. Audet F. Audet
P. Lin P. Lin
Nortel Nortel
October 19, 2005 JAN 31, 2006
An additional mode of key distribution in MIKEY: MIKEY-RSA-R An additional mode of key distribution in MIKEY: MIKEY-RSA-R
draft-ietf-msec-mikey-rsa-r-01 draft-ietf-msec-mikey-rsa-r-02
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 38 skipping to change at page 1, line 38
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on April 22, 2006. This Internet-Draft will expire on August 4, 2006.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2005). Copyright (C) The Internet Society (2006).
Abstract Abstract
The MIKEY specification describes several modes of key distribution The Multimedia Internet Keying (MIKEY) specification describes
to setup secure RTP sessions -- using pre-shared keys, public-keys, several modes of key distribution to setup Secure Real-time Rransport
and optionally a Diffie-Hellman key exchange. In the public-key Protocol (SRTP) sessions -- using pre-shared keys, public keys, and
mode, the Initiator encrypts a random key with the Responder's public optionally a Diffie-Hellman key exchange. In the public-key mode,
key and sends it to the Responder. In many communication scenarios, the Initiator encrypts a random key with the Responder's public key
the Initiator may not know the Responder's public key or in some and sends it to the Responder. In many communication scenarios, the
cases the Responder's ID (e.g., call forwarding) in advance. We Initiator may not know the Responder's public key, or in some cases
propose a new MIKEY mode that works well in such scenarios. This the Responder's ID (e.g., call forwarding) in advance. We propose a
mode also enhances the group key management support in MIKEY. new MIKEY mode that works well in such scenarios. This mode also
enhances the group key management support in MIKEY; it supports
member-initiated group key download (in contrast to group manager
pushing the group keys to all members).
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Terminology used in this document . . . . . . . . . . . . 3 1.1. Terminology used in this document . . . . . . . . . . . . 3
2. Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.1. Description of the MIKEY modes . . . . . . . . . . . . . . 3 2.1. Description of the MIKEY modes . . . . . . . . . . . . . . 3
2.2. Use case motivating the proposed mode . . . . . . . . . . 4 2.2. Use case motivating the proposed mode . . . . . . . . . . 4
2.3. Case for multiple key download . . . . . . . . . . . . . . 5
3. A new MIKEY-RSA mode: MIKEY-RSA-R . . . . . . . . . . . . . . 5 3. A new MIKEY-RSA mode: MIKEY-RSA-R . . . . . . . . . . . . . . 5
3.1. Outline . . . . . . . . . . . . . . . . . . . . . . . . . 5 3.1. Outline . . . . . . . . . . . . . . . . . . . . . . . . . 5
3.2. Components of the I_MESSAGE . . . . . . . . . . . . . . . 6 3.2. Components of the I_MESSAGE . . . . . . . . . . . . . . . 5
3.3. Components of the R_MESSAGE . . . . . . . . . . . . . . . 7 3.3. Components of the R_MESSAGE . . . . . . . . . . . . . . . 6
3.4. Additions to RFC 3830 message types and other values . . . 8 3.4. Additions to RFC 3830 message types and other values . . . 8
3.4.1. Modified Table 6.1a from RFC 3830 . . . . . . . . . . 9 3.4.1. Modified Table 6.1a from RFC 3830 . . . . . . . . . . 9
3.4.2. Modified Table 6.12 from RFC 3830 . . . . . . . . . . 9 3.4.2. Modified Table 6.12 from RFC 3830 . . . . . . . . . . 9
3.4.3. Modified Table 6.15 from RFC 3830 . . . . . . . . . . 10 3.4.3. Modified Table 6.15 from RFC 3830 . . . . . . . . . . 10
4. Sending multiple TGKs in MIKEY messages . . . . . . . . . . . 10 4. Applicability of the RSA-R and RSA modes . . . . . . . . . . . 10
5. Applicability of the RSA-R and RSA modes . . . . . . . . . . . 10 4.1. Limitations . . . . . . . . . . . . . . . . . . . . . . . 11
5.1. Limitations . . . . . . . . . . . . . . . . . . . . . . . 11 5. Security Considerations . . . . . . . . . . . . . . . . . . . 11
5.2. Impact of the Responder choosing the TGK . . . . . . . . . 11 5.1. Impact of the Responder choosing the TGK . . . . . . . . . 12
6. Security Considerations . . . . . . . . . . . . . . . . . . . 12 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 13
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 13 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13 8.1. Normative References . . . . . . . . . . . . . . . . . . . 13
9.1. Normative References . . . . . . . . . . . . . . . . . . . 13 8.2. Informative References . . . . . . . . . . . . . . . . . . 13
9.2. Informative References . . . . . . . . . . . . . . . . . . 13
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 14 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 14
Intellectual Property and Copyright Statements . . . . . . . . . . 15 Intellectual Property and Copyright Statements . . . . . . . . . . 15
1. Introduction 1. Introduction
The MIKEY protocol [RFC3830] has three different methods for key The MIKEY protocol [RFC3830] has three different methods for key
transport or exchange: a pre-shared key mode (PSK), a public-key transport or exchange: a pre-shared key mode (PSK), a public-key
(RSA) mode, and an optional Diffie-Hellman exchange (DHE) mode. In (RSA) mode, and an optional Diffie-Hellman exchange (DHE) mode. In
addition, there is also an optional DH-HMAC mode [I-D.ietf-msec- addition, there is also an optional DH-HMAC mode [I-D.ietf-msec-
mikey-dhhmac], bringing the total number of modes to four. The mikey-dhhmac], bringing the total number of modes to four. The
primary motivation in the protocol design is efficiency and thus all primary motivation for the MIKEY protocol design is low-latency
the exchanges finish in one-half to 1 round-trip; this offers no room requirements of real-time communication, and thus all the exchanges
for security parameter negotiation of the key management protocol finish in one-half to 1 round-trip; note that this offers no room for
itself. In this document, we note that the MIKEY modes are security parameter negotiation of the key management protocol itself.
insufficient to address some deployment scenarious and common use In this document, we note that the MIKEY modes defined in RFC3830
cases, and propose a new mode called MIKEY-RSA in Reverse mode, or [RFC3830] and [I-D.ietf-msec-mikey-dhhmac] are insufficient to
simply as MIKEY-RSA-R. address some deployment scenarious and common use cases, and propose
a new mode called MIKEY-RSA in Reverse mode, or simply as
Next, MIKEY currently supports the delivery of a single TGK. In MIKEY-RSA-R.
group communication scenarios, the center or sender may need to
establish more than a single TGK. The multiple keys might be to
establish a unicast key and a group key simultaneously or to
establish more than a single group key. Running multiple instances
of MIKEY to receive multiple keys is the only alternative and that is
clearly inefficient.
1.1. Terminology used in this document 1.1. Terminology used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14, RFC 2119 document are to be interpreted as described in BCP 14, RFC 2119
[RFC2119]. [RFC2119].
2. Motivation 2. Motivation
As noted in the introduction, the MIKEY specification and other As noted in the introduction, the MIKEY specification and other
proposals define four different modes of efficient key management for proposals define four different modes of efficient key management for
real-time applications. The modes differ from each other in either real-time applications. Those modes differ from each other in either
the authentication method of choice (public-key, or symmetric shared the authentication method of choice (public-key, or symmetric shared
key-based), or the key establishment method of choice (key download, key-based), or the key establishment method of choice (key download,
or key agreement using a Diffie-Hellman exchange). We summarize the or key agreement using a Diffie-Hellman exchange). We summarize the
modes, their advantages, and shortcomings in the following and also modes, their advantages, and shortcomings in the following and also
describe use cases where these modes might be insufficient or describe use cases where these modes are unusable or inefficient.
inefficient.
2.1. Description of the MIKEY modes 2.1. Description of the MIKEY modes
In the PSK mode, the Initiator selects a TEK Generation Key (TGK), The PSK mode requires that the Initiator and the Responder have a
encrypts and authenticates it with the PSK, and sends it to the common secret key established offline. In this mode, the Initiator
Responder as part of the first message, viz., I_MESSAGE. The PSK selects a TEK Generation Key (TGK), encrypts it with a key derived
mode requires that the Initiator and the Responder have a common from the PSK, and sends it to the Responder as part of the first
secret key established offline. The PSK mode does not scale to use message, namely, I_MESSAGE. The I_MESSAGE is replay protected with
cases where any user may want to communicate to any other user in an timestamps, and integrity protected with another key derived from the
Enterprise or the Internet at large. The RSA mode might be more PSK. An optional Verification message from the Responder to the
suitable for such applications. Initiator provides mutual authentication. This mode does not scale
well as it requires pre-establishment of a shared key between
communicating parties; for example, consider the use cases where any
user may want to communicate to any other user in an Enterprise or
the Internet at large. The RSA mode might be more suitable for such
applications.
In the RSA mode, the Initiator selects a TGK, encrypts and In the RSA mode, the Initiator selects a TGK, encrypts and
authenticates it with an envelope key, and sends it to the Responder authenticates it with an envelope key, and sends it to the Responder
as part of the first message, viz., I_MESSAGE. The Initiator as part of the I_MESSAGE. The Initiator includes the envelope key,
includes the envelope key, encrypted with the Responder's public key, encrypted with the Responder's public key, in I_MESSAGE. The
in I_MESSAGE. The I_MESSAGE is replay protected with timestamps, and I_MESSAGE is replay protected with timestamps, and signed with the
signed with the Initiator's public key. The Initiator's ID, CERT and Initiator's public key. The Initiator's ID, Certificate (CERT) and
the Responder's ID that the Initiator intends to talk may be included the Responder's ID that the Initiator intends to talk may be included
in I_MESSAGE. If the Initiator knows several public-keys of the in I_MESSAGE. If the Initiator knows several public-keys of the
Responder, it can indicate the key used in a CHASH payload. The RSA Responder, it can indicate the key used in the optional CHASH
mode works as long as the Initiator knows the Responder's ID and CERT payload. An optional Verification message from the Responder to the
(or can obtain the CERT independent of the MIKEY protocol). RFC 3830 Initiator provides mutual authentication. The RSA mode works well if
the Initiator knows the Responder's ID and the corresponding CERT (or
can obtain the CERT independent of the MIKEY protocol). RFC 3830
suggests that an Initiator, in the event that it does not have the suggests that an Initiator, in the event that it does not have the
Responder's CERT, may obtain the CERT from a directory agent using Responder's CERT, may obtain the CERT from a directory agent using
one or more round trips. However, in some cases, the Initiator may one or more round trips. However, in some cases, the Initiator may
not even know the Responder's ID in advance, and because of that or not even know the Responder's ID in advance, and because of that or
for other reasons cannot obtain the Responder's CERT. for other reasons cannot obtain the Responder's CERT.
In addition to the case where the Responder may have several IDs, In addition to the case where the Responder may have several IDs,
some applications may allow for the Responder's ID to change some applications may allow for the Responder's ID to change
unilaterally, as is typical in telephony (e.g., forwarding). In unilaterally, as is typical in telephony (e.g., forwarding). In
those cases and in others, the Initiator might be willing to let the those cases and in others, the Initiator might be willing to let the
other party establish identity and prove it via an Initiator-trusted other party establish identity and prove it via an Initiator-trusted
third party (e.g., a Certification Authority or CA). third party (e.g., a Certification Authority or CA).
The DH mode or the DH-HMAC mode of MIKEY might be useful in cases The DH mode or the DH-HMAC mode of MIKEY might be useful in cases
where the Initiator does not have access to the Responder's exact where the Initiator does not have access to the Responder's exact
identity and/or CERT. In these modes, the two parties engage in an identity and/or CERT. In these modes, the two parties engage in an
authenticated DH exchange to derive the TGK. However, the DH modes authenticated DH exchange to derive the TGK. On the downside, the DH
have higher computational and communication overhead compared to the modes have higher computational and communication overhead compared
RSA and the PSK modes. More importantly, these modes are unsuitable to the RSA and the PSK modes. More importantly, these modes are
for group key distribution. unsuitable for group key distribution.
In summary, in some communication scenarios -- where the Initiator In summary, in some communication scenarios -- where the Initiator
might not have the correct ID and/or the CERT of the Responder -- might not have the correct ID and/or the CERT of the Responder --
none of the MIKEY modes described in [RFC3830] and [I-D.ietf-msec- none of the MIKEY modes described in [RFC3830] and [I-D.ietf-msec-
mikey-dhhmac] are suitable/efficient for SRTP [RFC3711] key mikey-dhhmac] are suitable/efficient for SRTP [RFC3711] key
establishment. establishment.
2.2. Use case motivating the proposed mode 2.2. Use case motivating the proposed mode
In addition to the issues listed above, there are some types of In addition to the issues listed above, there are some types of
applications that motivate the new MIKEY mode design proposed in this applications that motivate the new MIKEY mode design proposed in this
document. document.
Note that in the MIKEY-RSA mode (as in case of the PSK mode), the Note that in the MIKEY-RSA mode (as in case of the PSK mode), the
Initiator proposes the RTP security policy, and chooses the TGK. Initiator proposes the SRTP security policy, and chooses the TGK.
However, it is also possible that the Initiator wants to allow the However, it is also possible that the Initiator wants to allow the
Responder to specify the security policy and send the TGK. This Responder to specify the security policy and send the TGK. Consider
would be the case in some multicast and group conferencing scenarios. for example the case of a conferencing scenario where the convener
Consider for example the case of a conferencing scenario where the sends an invitation to a group of people to attend a meeting. The
convener sends an invitation to a group of people to attend a procedure then might be for the invitees to request the convener for
meeting. The procedure then might be for the invitees to request the group key material by sending a MIKEY I_MESSAGE. Thus, in the MIKEY
convener for group key material by sending a MIKEY I_MESSAGE. Thus, definition of initiators and responders, the Initiator is asking the
in the MIKEY definition of initiators and responders, the Initiator Responder for keying material. Note that this mode of operation is
is asking the Responder for keying material. Note that this mode of inline with the MSEC group key management architecture [RFC4046].
operation is inline with the MSEC group key management architecture
[RFC4046].
2.3. Case for multiple key download
The MIKEY modes as specified today support the delivery of a single
TGK. In many applications it is necessary to deliver separate keys
for encryption of different streams or programs or in the simplest
case to establish a point-to-point key in addition to a group key.
Currently, to do that one has to run multiple MIKEY sessions, or
(more specifically) send multiple a=keymgmt MIKEY lines for different
streams. That is clearly inefficient. The recipients of MIKEY
messages would spend cycles evaluating the same credentials multiple
times. For that reason, it is necessary that MIKEY supports delivery
of multiple TGKs within a single MIKEY message. This document
includes a specification of how to include multiple TGKs in MIKEY-
RSA-R (it is definitely plausible to use this technique with MIKEY-
PSK and MIKEY-RSA, but that is for discussion).
3. A new MIKEY-RSA mode: MIKEY-RSA-R 3. A new MIKEY-RSA mode: MIKEY-RSA-R
3.1. Outline 3.1. Outline
The proposed solution requires 1 full round trip. The Initiator The proposed MIKEY mode requires 1 full round trip. The Initiator
sends a signed I_MESSAGE to the intended Responder requesting the sends a signed I_MESSAGE to the intended Responder requesting the
Responder to send the SRTP keying material. The I_MESSAGE MAY Responder to send the SRTP keying material. The I_MESSAGE MAY
contain the Initiator's CERT or a link to the CERT, and similarly the contain the Initiator's CERT or a link (URL) to the CERT, and
Responder's reply, R_MESSAGE MAY contain the Responder's CERT or a similarly the Responder's reply, R_MESSAGE MAY contain the
link to it. The Responder can use the Initiator's public key from Responder's CERT or a link to it. The Responder can use the
the CERT in the I_MESSAGE to send the encrypted TGK in the R_MESSAGE. Initiator's public key from the CERT in the I_MESSAGE to send the
Upon receiving the R_MESSAGE, the Initiator can use the CERT in the encrypted TGK in the R_MESSAGE. Upon receiving the R_MESSAGE, the
R_MESSAGE to verify whether the Responder is in fact the party that Initiator can use the CERT in the R_MESSAGE to verify whether the
it wants to communicate to, and accept the TGK. We refer to this Responder is in fact the party that it wants to communicate to, and
protocol as MIKEY-RSA in the reverse mode, or simply as MIKEY-RSA-R. accept the TGK. We refer to this protocol as MIKEY-RSA in the
reverse mode, or simply as MIKEY-RSA-R.
The MIKEY-RSA-R mode exchange is defined as follows: The MIKEY-RSA-R mode exchange is defined as follows:
Initiator Responder Initiator Responder
--------- --------- --------- ---------
I_MESSAGE = HDR, T, [IDi|CERTi], [IDr], {SP}, SIGNi I_MESSAGE = HDR, T, [RAND], [IDi|CERTi], [IDr], {SP}, SIGNi
R_MESSAGE = HDR, [GenExt(CSB-ID)], T, RAND, [IDr|CERTr], [SP], KEMAC, R_MESSAGE = HDR, [GenExt(CSB-ID)], T, [RAND], [IDr|CERTr], [SP],
PKE, SIGNr KEMAC, PKE, SIGNr
Figure 1: MIKEY-RSA-R mode Figure 1: MIKEY-RSA-R mode
3.2. Components of the I_MESSAGE 3.2. Components of the I_MESSAGE
This method requires a full round trip to download the TGKs. The MIKEY-RSA-R requires a full round trip to download the TGKs. The
I_MESSAGE MUST have the MIKEY HDR and the timestamp payload for I_MESSAGE MUST have the MIKEY HDR and the timestamp payload for
replay protection. The HDR field contains a CSB_ID randomly selected replay protection. The HDR field contains a CSB_ID (Crypto Session
by the Initiator. The V bit MUST be set to '1' and ignored by the Bundle ID) randomly selected by the Initiator. The V bit MUST be set
Responder, as a response is MANDATORY in this mode. The Initiator to '1' and ignored by the Responder, as a response is MANDATORY in
MAY indicate the number of CSs supported and fill in the CS map type this mode. The Initiator MAY indicate the number of CSs supported,
and information. The I_MESSAGE MUST be signed by the Initiator and SHOULD/MUST fill in the CS ID map type and CS ID info fields for
following the procedure to sign MIKEY messages specified in RFC 3830. the RTP/RTCP streams it originates (This is because the sender of the
The SIGNi payload contains this signature. Thus the I_MESSAGE is streams chooses the SSRC which is carried in the CS ID info field;
integrity and replay protected. see Section 6.1.1 of RFC 3830). The I_MESSAGE MUST be signed by the
Initiator following the procedure to sign MIKEY messages specified in
RFC 3830. The SIGNi payload contains this signature. Thus the
I_MESSAGE is integrity and replay protected.
IDi and CERTi SHOULD be included, but they MAY be left out when it The RAND payload SHOULD be included in the I_MESSAGE when MIKEY-RSA-R
can be expected that the peer already knows the other party's ID (or mode is used for unicast communication. It MUST be omitted when this
mode is used to establish group keys. The reason for the inclusion
of the RAND payload in unicast scenarios is to allow for the
Initiator to contribute entropy to the key derivation process (in
addition to the CSB_ID).
IDi and CERTi SHOULD be included, but they MAY be left out when it is
expected that the peer already knows the Initiating party's ID (or
can obtain the certificate in some other manner). For example, this can obtain the certificate in some other manner). For example, this
could be the case if the ID is extracted from SIP. For certificate could be the case if the ID is extracted from SIP. For certificate
handling, authorization, and policies, see Section 4.3. of RFC 3830. handling, authorization, and policies, see Section 4.3. of RFC 3830.
If CERTi is included, it MUST correspond to the private key used to If CERTi is included, it MUST correspond to the private key used to
sign the I_MESSAGE. sign the I_MESSAGE.
If the Responder has multiple Identities, the Initiator MAY also If the Responder has multiple Identities, the Initiator MAY also
include the specific ID, IDr, of the Responder that it wants to include the specific ID, IDr, of the Responder that it wants to
communicate with. communicate with.
The Initiator MAY also send SP payload(s) containing all the security The Initiator MAY also send security policy (SP) payload(s)
policies that it supports. If the Responder's does not support any containing all the security policies that it supports. If the
of the policies included, it should reply with an Error message of Responder does not support any of the policies included, it should
type "Invalid SPpar" (Error no. 10). reply with an Error message of type "Invalid SPpar" (Error no. 10).
The SIGNi is a signature covering the Initiator's MIKEY message, SIGNi is a signature covering the Initiator's MIKEY message,
I_MESSAGE, using the Initiator's signature key (see Section 5.2 of I_MESSAGE, using the Initiator's signature key (see Section 5.2 of
RFC 3830 for the exact definition). I_MESSAGE is signed to protect RFC 3830 for the exact definition). The I_MESSAGE is signed to
against DoS attacks. protect against DoS attacks.
A RAND payload MUST NOT be present in a MIKEY-RSA-R I_MESSAGE.
3.3. Components of the R_MESSAGE 3.3. Components of the R_MESSAGE
Upon receiving an I_MESSAGE of the RSA-R format, the Responder MUST Upon receiving an I_MESSAGE of the RSA-R format, the Responder MUST
respond with one of the following messages: respond with one of the following messages:
o The Responder MUST send an Error message "Message type not o The Responder SHOULD send an Error message "Message type not
supported" (Error no. 13), if it cannot correctly parse the supported" (Error no. 13), if it cannot correctly parse the
received MIKEY message. received MIKEY message. Error no. 13 is not defined in RFC 3830,
and so RFC 3830 compliant implementations MAY return "an
unspecified error occurred" (Error no. 12).
o The Responder MUST send an Error message "Invalid SPpar" (Error o The Responder MUST send an Error message "Invalid SPpar" (Error
no. 10), if it does not support any of the security policies no. 10), if it does not support any of the security policies
included in the SP payload. included in the SP payload.
o The Responder MUST send an R_MESSAGE if SIGNi can be correctly o The Responder MUST send an R_MESSAGE, if SIGNi can be correctly
verified, the timestamp is current, and if an SP payload is verified and the timestamp is current; if an SP payload is present
present, one of the security policies proposed matches the in the I_MESSAGE the Responder MUST return one of the proposed
Responder's local policy. security policies that matches the Responder's local policy.
The HDR payload in the R_MESSAGE is formed following the procedure The HDR payload in the R_MESSAGE is formed following the procedure
described in RFC 3830. Specifically, the CSB ID in the HDR payload described in RFC 3830. Specifically, the CSB ID in the HDR payload
MUST be the same as the one in the HDR of the I_MESSAGE. The MUST be the same as the one in the HDR of the I_MESSAGE. The
Responder MUST fill in the number of CSs and the CS map type and Responder MUST fill in the number of CSs and the CS ID map type and
information fields of the HDR payload. CS ID info fields of the HDR payload.
For group communication, all the members MUST use the same CSB ID in For group communication, all the members MUST use the same CSB ID and
computing the SRTP keying material. Therefore, for group key CS ID in computing the SRTP keying material. Therefore, for group
establishment, the Responder MUST include a General Extension Payload key establishment, the Responder MUST include a General Extension
containing a new CSB ID in the R_MESSAGE. If a new CSB ID is present Payload containing a new CSB ID in the R_MESSAGE. If a new CSB ID is
in the R_MESSAGE, the Initiator and the Responder MUST use that value present in the R_MESSAGE, the Initiator and the Responder MUST use
in key material computation. This payload MUST not be present in that value in key material computation. Furthermore, the complete CS
case of one-to-one communication. map SHOULD be populated by the Responder. The General Extension
Payload carrying a CSB ID MUST NOT be present in case of one-to-one
communication.
When used in group scenarios with bi-directional media the Responder When used in group scenarios with bi-directional media, the Responder
SHOULD include two TGK's or TEK's in the KEMAC payload. The first SHOULD include two TGKs or TEKs in the KEMAC payload. The first TGK
TGK or TEK SHOULD be used for receiving media on the Initiator's side or TEK SHOULD be used for receiving media on the Initiator's side and
and the second one to encrypt/authenticate media originating on the the second one to encrypt/authenticate media originating on the
Initiator's side. This allows all the multicast traffic to be Initiator's side. This allows all the multicast traffic to be
encrypted/authenticated by the same group key while keys used for encrypted/authenticated by the same group key while keys used for
unicast streams from all the group members can still be independent. unicast streams from all the group members can still be independent.
The T payload is exactly the same as that received in the I_MESSAGE. The T payload is exactly the same as that received in the I_MESSAGE.
A RAND payload containing a (pseudo-)random string of 128 or more If the I_MESSAGE did not include the RAND payload, it MUST be present
bits MUST be present in the R_MESSAGE. in the R_MESSAGE. In case it has been included in the I_MESSAGE, it
MUST NOT be present in the R_MESSAGE. In group communication, the
RAND payload is always sent by the Responder and in unicast
communication, either the Initiator or the Responder (but not both)
generate and send the RAND payload.
IDr and CERTr SHOULD be included, but they MAY be left out when it IDr and CERTr SHOULD be included, but they MAY be left out when it
can be expected that the peer already knows the other party's ID (or can be expected that the peer already knows the other party's ID (or
can obtain the certificate in some other manner). For example, this can obtain the certificate in some other manner). For example, this
could be the case if the ID is extracted from SIP. For certificate could be the case if the ID is extracted from SIP. For certificate
handling, authorization, and policies, see Section 4.3. of RFC 3830. handling, authorization, and policies, see Section 4.3. of RFC 3830.
If CERTr is included, it MUST correspond to the private key used to If CERTr is included, it MUST correspond to the private key used to
sign the R_MESSAGE. sign the R_MESSAGE.
An SP payload MAY be included in the R_MESSAGE. If an SP payload was An SP payload MAY be included in the R_MESSAGE. If an SP payload was
in the I_MESSAGE, then R_MESSAGE MUST contain an SP payload in the I_MESSAGE, then R_MESSAGE MUST contain an SP payload
specifying the security policies of the secure RTP session being specifying the security policies of the secure RTP session being
negotiated. negotiated. More specifically, the Initiator may have provided
multiple options, but the Responder must choose one option per
Security Policy Parameter.
The KEMAC payload contains a set of encrypted sub-payloads and a MAC: The KEMAC payload contains a set of encrypted sub-payloads and a MAC:
KEMAC = E(encr_key, IDr || {TGK}) || MAC The first payload (IDr) in KEMAC = E(encr_key, IDr || {TGK}) || MAC. The first payload (IDr) in
KEMAC is the identity of the Responder (not a certificate, but KEMAC is the identity of the Responder (not a certificate, but
generally the same ID as the one specified in the certificate). Each generally the same ID as the one specified in the certificate). Each
of the following payloads (TGK) includes a TGK randomly and of the following payloads (TGK) includes a TGK randomly and
independently chosen by the Responder (and possible other related independently chosen by the Responder (and possible other related
parameters, e.g., the key lifetime). The encrypted part is then parameters, e.g., the key lifetime). The encrypted part is then
followed by a MAC, which is calculated over the KEMAC payload. The followed by a MAC, which is calculated over the KEMAC payload. The
encr_key and the auth_key are derived from the envelope key, env_key, encr_key and the auth_key are derived from the envelope key, env_key,
as specified in Section 4.1.4. of RFC 3830. The payload definitions as specified in Section 4.1.4. of RFC 3830. The payload definitions
are specified in Section 6.2 of RFC 3830. are specified in Section 6.2 of RFC 3830.
skipping to change at page 9, line 17 skipping to change at page 9, line 17
Data type | Value | Comment Data type | Value | Comment
------------------------------------------------------------------ ------------------------------------------------------------------
Pre-shared | 0 | Initiator's pre-shared key message Pre-shared | 0 | Initiator's pre-shared key message
PSK ver msg | 1 | Verification message of a Pre-shared key msg PSK ver msg | 1 | Verification message of a Pre-shared key msg
Public key | 2 | Initiator's public-key transport message Public key | 2 | Initiator's public-key transport message
PK ver msg | 3 | Verification message of a public-key message PK ver msg | 3 | Verification message of a public-key message
D-H init | 4 | Initiator's DH exchange message D-H init | 4 | Initiator's DH exchange message
D-H resp | 5 | Responder's DH exchange message D-H resp | 5 | Responder's DH exchange message
Error | 6 | Error message Error | 6 | Error message
RSA-R I_MSG | 7 | Initiator's public-key message in RSA-R mode DHHMAC init | 7 | DH HMAC message 1
RSA-R R_MSG | 8 | Responder's public-key message in RSA-R mode DHHMAC resp | 8 | DH HMAC message 2
RSA-R I_MSG | 9 | Initiator's public-key message in RSA-R mode
RSA-R R_MSG | 10 | Responder's public-key message in RSA-R mode
Figure 2: Table 6.1a from RFC 3830 (Revised) Figure 2: Table 6.1a from RFC 3830 (Revised)
3.4.2. Modified Table 6.12 from RFC 3830 3.4.2. Modified Table 6.12 from RFC 3830
Modified Table 6.12 from RFC 3830: Modified Table 6.12 from RFC 3830:
Error no | Value | Comment Error no | Value | Comment
------------------------------------------------------- -------------------------------------------------------
Auth failure | 0 | Authentication failure Auth failure | 0 | Authentication failure
skipping to change at page 10, line 13 skipping to change at page 10, line 13
Figure 3: Table 6.12 from RFC 3830 (Revised) Figure 3: Table 6.12 from RFC 3830 (Revised)
3.4.3. Modified Table 6.15 from RFC 3830 3.4.3. Modified Table 6.15 from RFC 3830
Modified Table 6.15 from RFC 3830: Modified Table 6.15 from RFC 3830:
Type | Value | Comment Type | Value | Comment
------------------------------------------------------- -------------------------------------------------------
Vendor ID | 0 | Vendor specific byte string Vendor ID | 0 | Vendor specific byte string
SDP IDs | 1 | List of SDP key mgmt IDs SDP IDs | 1 | List of SDP key mgmt IDs
| | (allocated for use in [KMASP]) | | (allocated for use in [KMASDP])
CSB-ID | 2 | Responder's modified CSB-ID (group mode) CSB-ID | 2 | Responder's modified CSB-ID (group mode)
Figure 4: Table 6.15 from RFC 3830 (Revised) Figure 4: Table 6.15 from RFC 3830 (Revised)
4. Sending multiple TGKs in MIKEY messages 4. Applicability of the RSA-R and RSA modes
There are several possible ways to send multiple TGKs within a single
MIKEY message. First, as specified in the preceding section, a
sender can simply include multiple TGKs in the message in certain
cases. Referring to the preceding section again, we note that in
case of bi-directional media, the sender SHOULD send multiple TGKs.
That might open a chance for interoperability issues.
Another alternative is to use the General Extension payload specified
in RFC3830 and send an additional TGK, perhaps with additional
identification information as in case of the newtype-keyid proposal.
The correct way perhaps is to identify TGKs properly in all MIKEY
messages. This requires a chance in the TGK payload. We would need
to add a key identifier to bind the TGK with media lines or some
metadata thereof. The proposal is to use key naming techniques along
the lines of EAP specifications.
5. Applicability of the RSA-R and RSA modes
MIKEY-RSA-R mode and RSA mode are both very useful: deciding on which MIKEY-RSA-R mode and RSA mode are both very useful: deciding on which
mode to use depends on the application. mode to use depends on the application.
The RSA-R mode is useful when you have reasons to believe that the The RSA-R mode is useful when you have reasons to believe that the
Responder may be different from who you are sending the MIKEY message Responder may be different from who you are sending the MIKEY message
to. This is quite common in telephony and multimedia applications to. This is quite common in telephony and multimedia applications
where the session/call can be retargetted/forwarded. When the where the session/call can be retargeted/forwarded. When the
security policy allows it, it may be appropriate for the Initiator to security policy allows it, it may be appropriate for the Initiator to
have some flexibility in who the Responder may turn out to be. In have some flexibility in who the Responder may turn out to be. In
such cases, the main objective of the Initiator's RSA-R message is to such cases, the main objective of the Initiator's RSA-R message is to
present its public key/certificate to the Responder. present its public key/certificate to the Responder.
The second scenario is when the Initiator already has Responder's The second scenario is when the Initiator already has the Responder's
certificate but wants to allow the Responder to come up with all the certificate but wants to allow the Responder to come up with all the
keying material. This is applicable in conferences where the keying material. This is applicable in conferences where the
Responder is the key distributor and the Initiators contact the Responder is the key distributor and the Initiators contact the
Responder to initiate key dowloand. Notice that this is quite Responder to initiate key download. Notice that this is quite
similar to the group key download model as specified in GDOI similar to the group key download model as specified in GDOI
[RFC3547], GSAKMP, and GKDP protocols (also see [RFC4046]). The [RFC3547], GSAKMP [I-D.ietf-msec-gsakmp-sec], and GKDP [I-D.ietf-
catch however is that the participating entities must know that they msec-gkdp] protocols (also see [RFC4046]). The catch however is that
need to contact a well-known address as far as that conferencing the participating entities must know that they need to contact a
group is concerned. Note that they only need the Responder's well-known address as far as that conferencing group is concerned.
address, not necessarily its CERT. If the group members have the Note that they only need the Responder's address, not necessarily its
Responder's CERT, there is no harm; they simply do not need the CERT CERT. If the group members have the Responder's CERT, there is no
to compose I_MESSAGE. harm; they simply do not need the CERT to compose I_MESSAGE.
The RSA mode is useful when the Initiator knows the Responder's The RSA mode is useful when the Initiator knows the Responder's
identity and CERT. This mode is also useful when the key exchange is identity and CERT. This mode is also useful when the key exchange is
happening in an established session with a Responder (for example, happening in an established session with a Responder (for example,
when switching from a non-secure mode to a secure mode), and when the when switching from a non-secure mode to a secure mode), and when the
policy is such that it is only appropriate to establish a MIKEY policy is such that it is only appropriate to establish a MIKEY
session with the Responder that is targeted by the Initiator. session with the Responder that is targeted by the Initiator.
5.1. Limitations 4.1. Limitations
The RSA-R mode may not easily support 3-way calling, under the The RSA-R mode may not easily support 3-way calling, under the
assumptions that motivated the design. An extra message may be assumptions that motivated the design. An extra message may be
required compared to the MIKEY-RSA mode specified in RFC 3830. required compared to the MIKEY-RSA mode specified in RFC 3830.
Consider that A wants to talk to B and C, but does not have B's or Consider that A wants to talk to B and C, but does not have B's or
C's CERT. A might contact B and request that B supply a key for a C's CERT. A might contact B and request that B supply a key for a
3-way call. Now if B knows C's CERT, then B can simply use the 3-way call. Now if B knows C's CERT, then B can simply use the
MIKEY-RSA mode (as defined in RFC 3830) to send the TGK to C. If not, MIKEY-RSA mode (as defined in RFC 3830) to send the TGK to C. If not,
then the solution is not straightforward. For instance, A might ask then the solution is not straightforward. For instance, A might ask
C to contact B or itself to get the TGK, in effect initiating a 3-way C to contact B or itself to get the TGK, in effect initiating a 3-way
exchange. It should be noted that 3-way calling is typically exchange. It should be noted that 3-way calling is typically
implemented using a bridge, in which case there are no issues (it implemented using a bridge, in which case there are no issues (it
looks like 3 point-to-point sessions, where one end of each session looks like 3 point-to-point sessions, where one end of each session
is a bridge mixing the traffic into a single stream). is a bridge mixing the traffic into a single stream).
5.2. Impact of the Responder choosing the TGK 5. Security Considerations
In the MIKEY-RSA or PSK modes, the Initiator chooses the TGK and the
Responder has the option to accept the key or not. The Responder
then has a chance to verify whether the key is a known weak key (Q:
Is this an issue with AES-CM or AES-f8 TBD). Other than that who
chooses the key has no impact on SRTP (verify this).
Thus, in case of one-to-one communication, there is no impact on the
functionality provided by the MIKEY-RSA mode and our modified mode
being outlined earlier. Whereas MIKEY-RSA mode allows R_MESSAGE to
be optional, in the new mode, it is required. However, as noted
earlier, the new mode allows simpler provisioning at the VoIP entity.
6. Security Considerations
We offer a brief overview of the security properties of the exchange. We offer a brief overview of the security properties of the exchange.
There are two messages, viz., I_MESSAGE and R_MESSAGE. I_MESSAGE is There are two messages, viz., I_MESSAGE and R_MESSAGE. I_MESSAGE is
a signed request by an Initiator requesting the Responder to select a a signed request by an Initiator requesting the Responder to select a
TGK to be used to protect SRTP and SRTCP sessions. TGK to be used to protect SRTP and SRTCP sessions.
The message is signed, which assures the Responder that the claimed The message is signed, which assures the Responder that the claimed
Initiator has indeed generated the message. This automatically Initiator has indeed generated the message. This automatically
provides message integrity as well. provides message integrity as well.
There is a timestamp in I_MESSAGE, which when generated and There is a timestamp in the I_MESSAGE, which when generated and
interpreted in the context of the MIKEY specification assures the interpreted in the context of the MIKEY specification, assures the
Responder that the request is live and not a replay. Indirectly, Responder that the request is live and not a replay. Indirectly,
this also provides protection against a DoS attack. The Responder this also provides protection against a DoS attack in that the
however would have to verify the Initiator's signature and the I_MESSAGE must itself be signed. The Responder however would have to
timestamp, and thus would spend significant computing resources. It verify the Initiator's signature and the timestamp, and thus would
is possible to mitigate this by caching recently received and spend significant computing resources. It is possible to mitigate
verified requests. this by caching recently received and verified requests.
Note that the I_MESSAGE in this method basically equals DoS Note that the I_MESSAGE in this method basically equals DoS
protection properties of the DH method and not the public key method protection properties of the DH method and not the public key method
as there are no payloads encrypted by the Responder's public key in as there are no payloads encrypted by the Responder's public key in
I_MESSAGE. If IDr is not included in the I_MESSAGE, the Responder I_MESSAGE. If IDr is not included in the I_MESSAGE, the Responder
will accept the message and a response (and state) would be created will accept the message and a response (and state) would be created
for the malicious request. for the malicious request.
R_MESSAGE is quite similar to the I_MESSAGE in the MIKEY-RSA mode and The R_MESSAGE is quite similar to the I_MESSAGE in the MIKEY-RSA mode
has all the same security properties. and has all the same security properties.
When using the RSA-R mode, the Responder may turn out to be different When using the RSA-R mode, the Responder may turn out to be different
from who the Initiator sent the MIKEY message to. It is the from who the Initiator sent the MIKEY message to. It is the
responsibility of the Initiator to verify that the identity of the responsibility of the Initiator to verify that the identity of the
Responder is acceptable if it changes from the intended Responder, Responder is acceptable (based on its local policy) if it changes
based on its policy, and to take appropriate action based on the from the intended Responder, and to take appropriate action based on
outcome. In some cases, it could be appropriate to accept the outcome. In some cases, it could be appropriate to accept
Responder's identity if it can be strongly authenticated; in other Responder's identity if it can be strongly authenticated; in other
cases, a blacklist or a whitelist may be appropriate. cases, a blacklist or a whitelist may be appropriate.
7. IANA Considerations When both unicast and multicast streams are negotiated it is
suggested to use multiple instances of MIKEY rather than a single
instance in group mode. Unicast and multicast keys have different
security properties and should not be derived from the same pool.
The authors believe that multiple TGK payloads can be used for this
purpose but the exact method is not specified in MIKEY.
TBD 5.1. Impact of the Responder choosing the TGK
8. Acknowledgments In the MIKEY-RSA or PSK modes, the Initiator chooses the TGK and the
Responder has the option to accept the key or not. In the RSA-R mode
for unicast communication, the Initiator and the Responder contribute
random information in generating the TEK (RAND from the Initiator and
the TGK from the Responder). For group communication, the sender
will choose the TGK and the RAND; note that it is in the interest of
the sender to provide sufficient entropy to TEK generation since the
TEK protects data sent by the Responder.
9. References Thus, in case of one-to-one communication, the RSA-R mode is slightly
better than the RSA mode in that it allows the Initiator as well as
the Responder to contribute entropy to the TEK generation process.
This comes at the expense of the additional message. However, as
noted earlier, the new mode needs the additional message to allow
simpler provisioning.
9.1. Normative References RFC 3830 has additional notes on the security properties of the MIKEY
protocol, key derivation functions and other components.
[RFC3830] Arkko, J., Carrara, E., Lindholm, F., Naslund, M., and K. 6. IANA Considerations
Norrman, "MIKEY: Multimedia Internet KEYing", RFC 3830,
August 2004. This specification requires the following IANA assignments to the
MIKEY registry :
Add to "Error Payload namespace:"
Unsupported message type ------- 13
Add to "Common Header payload name spaces:"
RSA-R I_MSG ------------ 9
RSA-R R_MSG ------------- 10
General Extensions payload name spaces:
CSB-ID ----------------- 2 (Note: another draft may use '2';
please assign next available number)
7. Acknowledgments
8. References
8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
9.2. Informative References [RFC3830] Arkko, J., Carrara, E., Lindholm, F., Naslund, M., and K.
Norrman, "MIKEY: Multimedia Internet KEYing", RFC 3830,
August 2004.
8.2. Informative References
[RFC4046] Baugher, M., Canetti, R., Dondeti, L., and F. Lindholm, [RFC4046] Baugher, M., Canetti, R., Dondeti, L., and F. Lindholm,
"Multicast Security (MSEC) Group Key Management "Multicast Security (MSEC) Group Key Management
Architecture", RFC 4046, April 2005. Architecture", RFC 4046, April 2005.
[RFC3547] Baugher, M., Weis, B., Hardjono, T., and H. Harney, "The [RFC3547] Baugher, M., Weis, B., Hardjono, T., and H. Harney, "The
Group Domain of Interpretation", RFC 3547, July 2003. Group Domain of Interpretation", RFC 3547, July 2003.
[RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K.
Norrman, "The Secure Real-time Transport Protocol (SRTP)", Norrman, "The Secure Real-time Transport Protocol (SRTP)",
RFC 3711, March 2004. RFC 3711, March 2004.
[I-D.ietf-msec-mikey-dhhmac] [I-D.ietf-msec-mikey-dhhmac]
Euchner, M., "HMAC-authenticated Diffie-Hellman for Euchner, M., "HMAC-authenticated Diffie-Hellman for
MIKEY", draft-ietf-msec-mikey-dhhmac-11 (work in MIKEY", draft-ietf-msec-mikey-dhhmac-11 (work in
progress), April 2005. progress), April 2005.
[I-D.ietf-msec-gsakmp-sec]
Harney, H., "GSAKMP: Group Secure Association Group
Management Protocol", draft-ietf-msec-gsakmp-sec-10 (work
in progress), May 2005.
[I-D.ietf-msec-gkdp]
Dondeti, L. and J. Xiang, "GKDP: Group Key Distribution
Protocol", draft-ietf-msec-gkdp-00 (work in progress),
September 2005.
Authors' Addresses Authors' Addresses
Dragan Ignjatic Dragan Ignjatic
Polycom Polycom
1000 W. 14th Street 1000 W. 14th Street
North Vancouver, BC V7P 3P3 North Vancouver, BC V7P 3P3
Canada Canada
Phone: +1 604 982 3424 Phone: +1 604 982 3424
Email: dignjatic@polycom.com Email: dignjatic@polycom.com
skipping to change at page 14, line 40 skipping to change at page 14, line 40
Phone: +1 408 495 3756 Phone: +1 408 495 3756
Email: audet@nortel.com Email: audet@nortel.com
Ping Lin Ping Lin
Nortel Nortel
250 Sidney St. 250 Sidney St.
Belleville, Ontario K8P3Z3 Belleville, Ontario K8P3Z3
Canada Canada
Phone: Phone: +1 613 967 5343
Email: linping@nortel.com Email: linping@nortel.com
Intellectual Property Statement Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information made any independent effort to identify any such rights. Information
skipping to change at page 15, line 41 skipping to change at page 15, line 41
This document and the information contained herein are provided on an This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement Copyright Statement
Copyright (C) The Internet Society (2005). This document is subject Copyright (C) The Internet Society (2006). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights. except as set forth therein, the authors retain all their rights.
Acknowledgment Acknowledgment
Funding for the RFC Editor function is currently provided by the Funding for the RFC Editor function is currently provided by the
Internet Society. Internet Society.
 End of changes. 61 change blocks. 
218 lines changed or deleted 238 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/