idnits 2.17.1 draft-ietf-ipsecme-g-ikev2-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (January 9, 2020) is 1540 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'AUTH' is mentioned on line 594, but not defined == Missing Reference: 'CERTREQ' is mentioned on line 1002, but not defined ** Downref: Normative reference to an Informational RFC: RFC 2627 ** Downref: Normative reference to an Informational RFC: RFC 3740 ** Downref: Normative reference to an Informational RFC: RFC 4046 == Outdated reference: A later version (-11) exists of draft-ietf-ipsecme-qr-ikev2-10 == Outdated reference: A later version (-09) exists of draft-smyslov-ipsecme-ikev2-qr-alt-00 -- Obsolete informational reference (is this intentional?): RFC 2409 (Obsoleted by RFC 4306) -- Obsolete informational reference (is this intentional?): RFC 3447 (Obsoleted by RFC 8017) -- Obsolete informational reference (is this intentional?): RFC 8229 (Obsoleted by RFC 9329) Summary: 3 errors (**), 0 flaws (~~), 5 warnings (==), 4 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group B. Weis 3 Internet-Draft Independent 4 Obsoletes: 6407 (if approved) V. Smyslov 5 Intended status: Standards Track ELVIS-PLUS 6 Expires: July 12, 2020 January 9, 2020 8 Group Key Management using IKEv2 9 draft-ietf-ipsecme-g-ikev2-00 11 Abstract 13 This document presents a set of IKEv2 exchanges that comprise a group 14 key management protocol. The protocol is in conformance with the 15 Multicast Security (MSEC) key management architecture, which contains 16 two components: member registration and group rekeying. Both 17 components require a Group Controller/Key Server to download IPsec 18 group security associations to authorized members of a group. The 19 group members then exchange IP multicast or other group traffic as 20 IPsec packets. This document obsoletes RFC 6407. 22 Status of This Memo 24 This Internet-Draft is submitted in full conformance with the 25 provisions of BCP 78 and BCP 79. 27 Internet-Drafts are working documents of the Internet Engineering 28 Task Force (IETF). Note that other groups may also distribute 29 working documents as Internet-Drafts. The list of current Internet- 30 Drafts is at https://datatracker.ietf.org/drafts/current/. 32 Internet-Drafts are draft documents valid for a maximum of six months 33 and may be updated, replaced, or obsoleted by other documents at any 34 time. It is inappropriate to use Internet-Drafts as reference 35 material or to cite them other than as "work in progress." 37 This Internet-Draft will expire on July 12, 2020. 39 Copyright Notice 41 Copyright (c) 2020 IETF Trust and the persons identified as the 42 document authors. All rights reserved. 44 This document is subject to BCP 78 and the IETF Trust's Legal 45 Provisions Relating to IETF Documents 46 (https://trustee.ietf.org/license-info) in effect on the date of 47 publication of this document. Please review these documents 48 carefully, as they describe your rights and restrictions with respect 49 to this document. Code Components extracted from this document must 50 include Simplified BSD License text as described in Section 4.e of 51 the Trust Legal Provisions and are provided without warranty as 52 described in the Simplified BSD License. 54 Table of Contents 56 1. Introduction and Overview . . . . . . . . . . . . . . . . . . 3 57 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 5 58 1.2. G-IKEv2 Integration into IKEv2 Protocol . . . . . . . . . 5 59 1.2.1. G-IKEv2 Transport and Port . . . . . . . . . . . . . 5 60 1.2.2. IKEv2 Header Initialization . . . . . . . . . . . . . 6 61 1.3. G-IKEv2 Protocol . . . . . . . . . . . . . . . . . . . . 6 62 1.3.1. G-IKEv2 Payloads . . . . . . . . . . . . . . . . . . 6 63 1.4. G-IKEv2 Member Registration and Secure Channel 64 Establishment . . . . . . . . . . . . . . . . . . . . . . 7 65 1.4.1. GSA_AUTH exchange . . . . . . . . . . . . . . . . . . 7 66 1.4.2. GSA_REGISTRATION Exchange . . . . . . . . . . . . . . 9 67 1.4.3. GM Registration Operations . . . . . . . . . . . . . 10 68 1.4.4. GCKS Registration Operations . . . . . . . . . . . . 11 69 1.4.5. Group Maintenance Channel . . . . . . . . . . . . . . 12 70 1.4.6. Counter-based modes of operation . . . . . . . . . . 19 71 1.5. Interaction with IKEv2 Protocol Extensions . . . . . . . 21 72 1.5.1. Postquantum Preshared Keys for IKEv2 . . . . . . . . 21 73 2. Header and Payload Formats . . . . . . . . . . . . . . . . . 23 74 2.1. The G-IKEv2 Header . . . . . . . . . . . . . . . . . . . 23 75 2.2. Group Identification (IDg) Payload . . . . . . . . . . . 24 76 2.3. Security Association - GM Supported Transforms (SAg) . . 24 77 2.4. Group Security Association Payload . . . . . . . . . . . 24 78 2.4.1. GSA Policy . . . . . . . . . . . . . . . . . . . . . 25 79 2.4.2. KEK Policy . . . . . . . . . . . . . . . . . . . . . 26 80 2.4.3. GSA TEK Policy . . . . . . . . . . . . . . . . . . . 30 81 2.4.4. GSA Group Associated Policy . . . . . . . . . . . . . 33 82 2.5. Key Download Payload . . . . . . . . . . . . . . . . . . 34 83 2.5.1. TEK Download Type . . . . . . . . . . . . . . . . . . 36 84 2.5.2. KEK Download Type . . . . . . . . . . . . . . . . . . 37 85 2.5.3. LKH Download Type . . . . . . . . . . . . . . . . . . 38 86 2.5.4. SID Download Type . . . . . . . . . . . . . . . . . . 40 87 2.6. Delete Payload . . . . . . . . . . . . . . . . . . . . . 42 88 2.7. Notify Payload . . . . . . . . . . . . . . . . . . . . . 42 89 2.8. Authentication Payload . . . . . . . . . . . . . . . . . 43 90 3. Security Considerations . . . . . . . . . . . . . . . . . . . 43 91 3.1. GSA Registration and Secure Channel . . . . . . . . . . . 43 92 3.2. GSA Maintenance Channel . . . . . . . . . . . . . . . . . 44 93 3.2.1. Authentication/Authorization . . . . . . . . . . . . 44 94 3.2.2. Confidentiality . . . . . . . . . . . . . . . . . . . 44 95 3.2.3. Man-in-the-Middle Attack Protection . . . . . . . . . 44 96 3.2.4. Replay/Reflection Attack Protection . . . . . . . . . 44 98 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 44 99 4.1. New Registries . . . . . . . . . . . . . . . . . . . . . 44 100 4.2. New Payload and Exchange Types Added to the Existing 101 IKEv2 Registry . . . . . . . . . . . . . . . . . . . . . 45 102 4.3. Changes to Previous Allocations . . . . . . . . . . . . . 45 103 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 45 104 6. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 46 105 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 46 106 7.1. Normative References . . . . . . . . . . . . . . . . . . 47 107 7.2. Informative References . . . . . . . . . . . . . . . . . 48 108 Appendix A. Use of LKH in G-IKEv2 . . . . . . . . . . . . . . . 50 109 A.1. Group Creation . . . . . . . . . . . . . . . . . . . . . 50 110 A.2. Group Member Exclusion . . . . . . . . . . . . . . . . . 51 111 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 52 113 1. Introduction and Overview 115 A group key management protocol provides IPsec keys and policy to a 116 set of IPsec devices which are authorized to communicate using a 117 Group Security Association (GSA) defined in [RFC3740]. The data 118 communications within the group (e.g., IP multicast packets) are 119 protected by a key pushed to the group members (GMs) by the Group 120 Controller/Key Server (GCKS). This document presents a set of IKEv2 121 [RFC7296] exchanges that comprise a group key management protocol. 123 A GM begins a "registration" exchange when it first joins the group. 124 With G-IKEv2, the GCKS authenticates and authorizes GMs, then pushes 125 policy and keys used by the group to the GM. G-IKEv2 includes two 126 "registration" exchanges. The first is the GSA_AUTH exchange ( 127 Section 1.4.1), which follows an IKE_SA_INIT exchange. The second is 128 the GSA_REGISTRATION exchange ( Section 1.4.2), which a GM can use 129 within an established IKE SA. Group rekeys are accomplished using 130 either the GSA_REKEY exchange (a single message distributed to all 131 GMs, usually as a multicast message), or as a GSA_INBAND_REKEY 132 exchange delivered individually to group members using existing IKE 133 SAs). 135 Large and small groups may use different sets of these protocols. 136 When a large group of devices are communicating, the GCKS is likely 137 to use the GSA_REKEY message for efficiency. This is shown in 138 Figure 1. (Note: For clarity, IKE_SA_INIT is omitted from the 139 figure.) 140 +--------+ 141 +------------->| GCKS |<-------------+ 142 | +--------+ | 143 | | ^ | 144 | | | | 145 | | GSA_AUTH | 146 | | or | 147 | | GSA_REGISTRATION | 148 | | | | 149 GSA_AUTH | | GSA_AUTH 150 or GSA_REKEY | or 151 GSA_REGISTRATION | | GSA_REGISTRATION 152 | | | | 153 | +------------+-----------------+ | 154 | | | | | | 155 v v v v v v 156 +-------+ +--------+ +-------+ 157 | GM | ... | GM | ... | GM | 158 +-------+ +--------+ +-------+ 159 ^ ^ ^ 160 | | | 161 +-------ESP-------+-------ESP------+ 163 Figure 1: G-IKEv2 used in large groups 165 Alternatively, a small group may simply use the GSA_AUTH as a 166 registration protocol, where the GCKS issues rekeys using the 167 GSA_INBAND_REKEY within the same IKEv2 SA. The GCKS is also likely 168 to be a GM in a small group (as shown in Figure 2.) 170 GSA_AUTH, GSA_INBAND_REKEY 171 +-----------------------------------------------+ 172 | | 173 | GSA_AUTH, GSA_INBAND_REKEY | 174 | +-----------------------------+ | 175 | | | | 176 | | GSA_AUTH, GSA_INBAND_REKEY | | 177 | | +--------+ | | 178 v v v v v v 179 +---------+ +----+ +----+ +----+ 180 | GCKS/GM | | GM | | GM | | GM | 181 +---------+ +----+ +----+ +----+ 182 ^ ^ ^ ^ 183 | | | | 184 +----ESP-----+------ESP-------+-----ESP-----+ 186 Figure 2: G-IKEv2 used in small groups 188 IKEv2 message semantics are preserved in that all communications 189 consists of message request-response pairs. The exception to this 190 rule is the GSA_REKEY exchange, which is a single message delivering 191 group updates to the GMs. 193 G-IKEv2 conforms with the Multicast Group Security Architecture 194 [RFC3740], and the Multicast Security (MSEC) Group Key Management 195 Architecture [RFC4046]. G-IKEv2 replaces GDOI [RFC6407], which 196 defines a similar group key management protocol using IKEv1 [RFC2409] 197 (since deprecated by IKEv2). When G-IKEv2 is used, group key 198 management use cases can benefit from the simplicity, increased 199 robustness and cryptographic improvements of IKEv2 (see Appendix A of 200 [RFC7296]. 202 1.1. Requirements Language 204 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 205 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 206 "OPTIONAL" in this document are to be interpreted as described in BCP 207 14 [RFC2119] [RFC8174] when, and only when, they appear in all 208 capitals, as shown here. 210 1.2. G-IKEv2 Integration into IKEv2 Protocol 212 G-IKEv2 uses the security mechanisms of IKEv2 (peer authentication, 213 confidentiality, message integrity) to ensure that only authenticated 214 devices have access to the group policy and keys. The G-IKEv2 215 exchange further provides group authorization, and secure policy and 216 key download from the GCKS to GMs. Some IKEv2 extensions require 217 special handling if used with G-IKEv2. See Section 1.5 for more 218 details. 220 It is assumed that readers are familiar with the IKEv2 protocol, so 221 this document skips many details that are described in [RFC7296]. 223 1.2.1. G-IKEv2 Transport and Port 225 G-IKEv2 SHOULD use UDP port 848, the same as GDOI [RFC6407], because 226 they serve a similar function. They can use the same ports, just as 227 IKEv1 and IKEv2 can share port 500. The version number in the IKE 228 header distinguishes the G-IKEv2 protocol from GDOI protocol 229 [RFC6407]. G-IKEv2 MAY also use the IKEv2 ports (500, 4500), which 230 would provide a better integration with IKEv2. G-IKEv2 MAY also use 231 TCP transport for registration (unicast) IKE SA, as defined in 232 [RFC8229]. 234 1.2.2. IKEv2 Header Initialization 236 The Major Version is (2) and Minor Version is (0) according to IKEv2 237 [RFC7296], and maintained in this document. The G-IKEv2 IKE_SA_INIT, 238 GSA_AUTH, GSA_REGISTRATION and GSA_INBAND_REKEY use the IKE SPI 239 according to IKEv2 [RFC7296], section 2.6. 241 1.3. G-IKEv2 Protocol 243 1.3.1. G-IKEv2 Payloads 245 In the following descriptions, the payloads contained in the G-IKEv2 246 messages are indicated by names as listed below. 248 Notation Payload 249 ------------------------------------------------------------ 250 AUTH Authentication 251 CERT Certificate 252 CERTREQ Certificate Request 253 GSA Group Security Association 254 HDR IKEv2 Header 255 IDg Identification - Group 256 IDi Identification - Initiator 257 IDr Identification - Responder 258 KD Key Download 259 KE Key Exchange 260 Ni, Nr Nonce 261 SA Security Association 262 SAg Security Association - GM Supported Transforms 264 Payloads defined as part of other IKEv2 extensions MAY also be 265 included in these messages. Payloads that may optionally appear will 266 be shown in brackets, such as [ CERTREQ ], to indicate that a 267 certificate request payload can optionally be included. 269 G-IKEv2 defines several new payloads not used in IKEv2: 271 o IDg (Group ID) - The GM requests the GCKS for membership into the 272 group by sending its IDg payload. 274 o GSA (Group Security Association) - The GCKS sends the group policy 275 to the GM using this payload. 277 o KD (Key Download) - The GCKS sends the control and data keys to 278 the GM using the KD payload. 280 o SAg (Security Association - GM Supported Transforms) - the GM 281 sends supported transforms, so that GCKS may select a policy 282 appropriate for all members of the group. 284 The details of the contents of each payload are described in 285 Section 2. 287 1.4. G-IKEv2 Member Registration and Secure Channel Establishment 289 The registration protocol consists of a minimum of two messages 290 exchanges, IKE_SA_INIT and GSA_AUTH; member registration may have a 291 few more messages exchanged if the EAP method, cookie challenge (for 292 DoS protection) or negotiation of Diffie-Hellman group is included. 293 Each exchange consists of request/response pairs. The first exchange 294 IKE_SA_INIT is defined in IKEv2 [RFC7296]. This exchange negotiates 295 cryptographic algorithms, exchanges nonces and does a Diffie-Hellman 296 exchange between the group member (GM) and the Group Controller/Key 297 Server (GCKS). 299 The second exchange GSA_AUTH authenticates the previous messages, 300 exchanges identities and certificates. These messages are encrypted 301 and integrity protected with keys established through the IKE_SA_INIT 302 exchange, so the identities are hidden from eavesdroppers and all 303 fields in all the messages are authenticated. The GCKS SHOULD 304 authorize group members to be allowed into the group as part of the 305 GSA_AUTH exchange. Once the GCKS accepts a group member to join a 306 group it will download the data security keys (TEKs) and/or group key 307 encrypting key (KEK) or KEK array as part of the GSA_AUTH response 308 message. 310 1.4.1. GSA_AUTH exchange 312 After the group member and GCKS use the IKE_SA_INIT exchange to 313 negotiate cryptographic algorithms, exchange nonces, and perform a 314 Diffie-Hellman exchange as defined in IKEv2 [RFC7296], the GSA_AUTH 315 exchange MUST complete before any other exchanges can be done. The 316 security properties of the GSA_AUTH exchange are the same as the 317 properties of the IKE_AUTH exchange. It is used to authenticate the 318 IKE_SA_INIT messages, exchange identities and certificates. G-IKEv2 319 also uses this exchange for group member registration and 320 authorization. Even though the IKE_AUTH does contain the SA2, TSi, 321 and TSr payload the GSA_AUTH does not. They are not needed because 322 policy is not negotiated between the group member and the GCKS, but 323 instead downloaded from the GCKS to the group member. 325 Initiator (Member) Responder (GCKS) 326 -------------------- ------------------ 327 HDR, SK { IDi, [CERT,] [CERTREQ, ] [IDr, ] 328 AUTH, IDg, [SAg, ] [N ] } --> 330 Figure 3: GSA_AUTH Request 332 After the IKE_SA_INIT exchange completes, the group member initiates 333 a GSA_AUTH request to join a group indicated by the IDg payload. The 334 GM MAY include an SAg payload declaring which Transforms that it is 335 willing to accept. A GM that intends to emit data packets SHOULD 336 include a Notify payload status type of SENDER, which enables the 337 GCKS to provide any additional policy necessary by group senders. 339 Initiator (Member) Responder (GCKS) 340 -------------------- ------------------ 341 <-- HDR, SK { IDr, [CERT, ] 342 AUTH, [ GSA, KD, ] [D, ] } 344 Figure 4: GSA_AUTH Normal Response 346 The GCKS responds with IDr, optional CERT, and AUTH material as if it 347 were an IKE_AUTH. It also informs the group member of the 348 cryptographic policies of the group in the GSA payload and the key 349 material in the KD payload. The GCKS can also include a Delete (D) 350 payload instructing the group member to delete existing SAs it might 351 have as the result of a previous group member registration. Note, 352 that since the GCKS generally doesn't know which SAs the GM has, the 353 SPI field in the Delete payload(s) SHOULD be set to zero in this 354 case. (See more discussion on the Delete payload in Section 2.6.) 356 In addition to the IKEv2 error handling, the GCKS can reject the 357 registration request when the IDg is invalid or authorization fails, 358 etc. In these cases, see Section 2.7, the GSA_AUTH response will not 359 include the GSA and KD, but will include a Notify payload indicating 360 errors. If the group member included an SAg payload, and the GCKS 361 chooses to evaluate it, and it detects that that group member cannot 362 support the security policy defined for the group, then the GCKS 363 SHOULD return a NO_PROPOSAL_CHOSEN. Other types of notifications can 364 be AUTHORIZATION_FAILED or REGISTRATION_FAILED. 366 Initiator (Member) Responder (GCKS) 367 -------------------- ------------------ 368 <-- HDR, SK { IDr, [CERT, ] AUTH, N } 370 Figure 5: GSA_AUTH Error Response 372 If the group member finds the policy sent by the GCKS is 373 unacceptable, the member SHOULD initiate GSA_REGISTRATION exchange 374 sending IDg and the Notify NO_PROPOSAL_CHOSEN (see Section 1.4.2)). 376 1.4.2. GSA_REGISTRATION Exchange 378 When a secure channel is already established between a GM and the 379 GCKS, the GM registration for a group can reuse the established 380 secure channel. In this scenario the GM will use the 381 GSA_REGISTRATION exchange. Payloads in the exchange are generated 382 and processed as defined in Section 1.4.1. 384 Initiator (Member) Responder (GCKS) 385 -------------------- ------------------ 386 HDR, SK {IDg, [SAg, ][N ] } --> 387 <-- HDR, SK { GSA, KD, [D ] } 389 Figure 6: GSA_REGISTRATION Normal Exchange 391 As with GSA_AUTH exchange, the GCKS can reject the registration 392 request when the IDg is invalid or authorization fails, or GM cannot 393 support the security policy defined for the group (which can be 394 concluded by GCKS by evaluation of SAg payload). In this case the 395 GCKS returns an appropriate error notification as described in 396 Section 1.4.1. 398 Initiator (Member) Responder (GCKS) 399 -------------------- ------------------ 400 HDR, SK {IDg, [SAg, ][N ] } --> 401 <-- HDR, SK { N } 403 Figure 7: GSA_REGISTRATION Error Exchange 405 This exchange can also be used if the group member finds the policy 406 sent by the GCKS is unacceptable or for some reason wants to 407 unregister itself from the group. The group member SHOULD notify the 408 GCKS by sending IDg and the Notify type NO_PROPOSAL_CHOSEN or 409 REGISTRATION_FAILED, as shown below. The GCKS MUST unregister the 410 group member. 412 Initiator (Member) Responder (GCKS) 413 -------------------- ------------------ 414 HDR, SK {IDg, N } --> 415 <-- HDR, SK {} 417 Figure 8: GM Reporting Errors in GSA_REGISTRATION Exchange 419 1.4.3. GM Registration Operations 421 A G-IKEv2 Initiator (GM) requesting registration contacts the GCKS 422 using the IKE_SA_INIT exchange and receives the response from the 423 GCKS. This exchange is unchanged from the IKE_SA_INIT in IKEv2 424 protocol. 426 Upon completion of parsing and verifying the IKE_SA_INIT response, 427 the GM sends the GSA_AUTH message with the IKEv2 payloads from 428 IKE_AUTH (without the SAi2, TSi and TSr payloads) along with the 429 Group ID informing the GCKS of the group the initiator wishes to 430 join. An initiator intending to emit data traffic SHOULD send a 431 SENDER Notify payload status. The SENDER not only signifies that it 432 is a sender, but provides the initiator the ability to request 433 Sender-ID values, in case the Data Security SA supports a counter 434 mode cipher. Section 1.4.6) includes guidance on requesting Sender- 435 ID values. 437 An initiator may be limited in the types of Transforms that it is 438 able or willing to use, and may find it useful to inform the GCKS 439 which Transforms that it is willing to accept. It can OPTIONALLY 440 include an SAg payload, which can include ESP and/or AH Proposals. 441 Each Proposal contains a list of Transforms that it is willing to 442 support for that protocol. A Proposal of type ESP can include ENCR, 443 INTEG, and ESN Transforms. A Proposal of type AH can include INTEG, 444 and ESN Transforms. The SPI length of each Proposal in an SAg is set 445 to zero, and thus the SPI field is null. The GCKS MUST ignore SPI 446 field in the SAg payload. Generally, a single Proposal of each type 447 will suffice, because the group member is not negotiating Transform 448 sets, simply alerting the GCKS to restrictions it may have, however 449 if the GM has restrictions on combination of algorithms, this can be 450 expressed by sending several proposals. 452 Upon receiving the GSA_AUTH response, the initiator parses the 453 response from the GCKS authenticating the exchange using the IKEv2 454 method, then processes the GSA and KD. 456 The GSA payload contains the security policy and cryptographic 457 protocols used by the group. This policy describes the Rekey SA 458 (KEK), if present, Data-security SAs (TEK), and other group policy 459 (GAP). If the policy in the GSA payload is not acceptable to the GM, 460 it SHOULD notify the GCKS by initiating a GSA_REGISTRATION exchange 461 with a NO_PROPOSAL_CHOSEN Notify payload (see Section 1.4.2). Note, 462 that this should normally not happen if the GM includes SAg payload 463 in the GSA_AUTH request and the GCKS takes it into account. Finally 464 the KD is parsed providing the keying material for the TEK and/or 465 KEK. The GM interprets the KD key packets, where each key packet 466 includes the keying material for SAs distributed in the GSA payload. 468 Keying material is matched by comparing the SPIs in the key packets 469 to SPIs previously included in the GSA payloads. Once TEK keys and 470 policy are matched, the GM provides them to the data security 471 subsystem, and it is ready to send or receive packets matching the 472 TEK policy. 474 The GSA KEK policy MUST include KEK attribute KEK_MESSAGE_ID with a 475 Message ID. The Message ID in the KEK_MESSAGE_ID attribute MUST be 476 checked against any previously received Message ID for this group. 477 If it is less than the previously received number, it should be 478 considered stale and ignored. This could happen if two GSA_AUTH 479 exchanges happened in parallel, and the Message ID changed. This 480 KEK_MESSAGE_ID is used by the GM to prevent GSA_REKEY message replay 481 attacks. The first GSA_REKEY message that the GM receives from the 482 GCKS must have a Message ID greater or equal to the Message ID 483 received in the KEK_MESSAGE_ID attribute. 485 Once a GM has received GSA_REKEY policy during a registration the IKE 486 SA may be closed. However, the GM SHOULD NOT close IKE SA, it is the 487 GCKS who makes the decision whether to close or keep it, because 488 depending on the policy the IKE SA may be used for inband rekeying 489 for small groups. 491 1.4.4. GCKS Registration Operations 493 A G-IKEv2 GCKS passively listens for incoming requests from group 494 members. When the GCKS receives an IKE_SA_INIT request, it selects 495 an IKE proposal and generates a nonce and DH to include them in the 496 IKE_SA_INIT response. 498 Upon receiving the GSA_AUTH request, the GCKS authenticates the group 499 member using the same procedures as in the IKEv2 IKE_AUTH. The GCKS 500 then authorizes the group member according to group policy before 501 preparing to send the GSA_AUTH response. If the GCKS fails to 502 authorize the GM, it will respond with an AUTHORIZATION_FAILED notify 503 message. 505 The GSA_AUTH response will include the group policy in the GSA 506 payload and keys in the KD payload. If the GCKS policy includes a 507 group rekey option, this policy is constructed in the GSA KEK and the 508 key is constructed in the KD KEK. The GSA KEK MUST include the 509 KEK_MESSAGE_ID attribute, specifying the starting Message ID the GCKS 510 will use when sending the GSA_REKEY message to the group member. 511 This Message ID is used to prevent GSA_REKEY message replay attacks 512 and will be increased each time a GSA_REKEY message is sent to the 513 group. The GCKS data traffic policy is included in the GSA TEK and 514 keys are included in the KD TEK. The GSA GAP MAY also be included to 515 provide the ATD and/or DTD (Section 2.4.4.1) specifying activation 516 and deactivation delays for SAs generated from the TEKs. If the 517 group member has indicated that it is a sender of data traffic and 518 one or more Data Security SAs distributed in the GSA payload included 519 a counter mode of operation, the GCKS responds with one or more SIDs 520 (see Section 1.4.6). 522 If the GCKS receives a GSA_REGISTRATION exchange with a request to 523 register a GM to a group, the GCKS will need to authorize the GM with 524 the new group (IDg) and respond with the corresponding group policy 525 and keys. If the GCKS fails to authorize the GM, it will respond 526 with the AUTHORIZATION_FAILED notification. 528 If a group member includes an SAg in its GSA_AUTH or GSA_REGISTRATION 529 request, the GCKS MAY evaluate it according to an implementation 530 specific policy. 532 o The GCKS could evaluate the list of Transforms and compare it to 533 its current policy for the group. If the group member did not 534 include all of the ESP or AH Transforms in its current policy, 535 then it could return a NO_PROPOSAL_CHOSEN Notification. 537 o The GCKS could store the list of Transforms, with the goal of 538 migrating the group policy to a different Transform when all of 539 the group members indicate that they can support that Transform. 541 o The GCKS could store the list of Transforms and adjust the current 542 group policy based on the capabilities of the devices as long as 543 they fall within the acceptable security policy of the GCKS. 545 Depending on its policy, the GCKS may have no need for the IKE SA 546 (e.g., it does not plan to initiate an GSA_INBAND_REKEY exchange). 547 If the GM does not initiate another registration exchange or Notify 548 (e.g., NO_PROPOSAL_CHOSEN), and also does not close the IKE SA and 549 the GCKS is not intended to use the SA, then after a short period of 550 time the GCKS SHOULD close the IKEv2 SA. The delay before closing 551 provides for receipt of a GM's error notification in the event of 552 packet loss. 554 1.4.5. Group Maintenance Channel 556 The GCKS is responsible for rekeying the secure group per the group 557 policy. Rekeying is an operation whereby the GCKS provides 558 replacement TEKs and KEK, deleting TEKs, and/or excluding group 559 members. The GCKS may initiate a rekey message if group membership 560 and/or policy has changed, or if the keys are about to expire. Two 561 forms of group maintenance channels are provided in G-IKEv2 to push 562 new policy to group members. 564 GSA_REKEY The GSA_REKEY exchange is an exchange initiated by the 565 GCKS, where the rekey policy is usually delivered to group members 566 using IP multicast as a transport. This is valuable for large and 567 dynamic groups, and where policy may change frequently and an 568 scalable rekeying method is required. When the GSA_REKEY exchange 569 is used, the IKEv2 SA protecting the member registration exchanges 570 is terminated, and group members await policy changes from the 571 GCKS via the GSA_REKEY exchange. 573 GSA_INBAND_REKEY The GSA_INBAND_REKEY exchange is a rekey method 574 using the IKEv2 SA that was setup to protecting the member 575 registration exchange. This exchange allows the GCKS to rekey 576 without using an independent GSA_REKEY exchange. The 577 GSA_INBAND_REKEY exchange is useful when G-IKEv2 is used with a 578 small group of cooperating devices. 580 1.4.5.1. GSA_REKEY Exchange 582 The GCKS initiates the G-IKEv2 Rekey securely, usually using IP 583 multicast. Since this rekey does not require a response and it sends 584 to multiple GMs, G-IKEv2 rekeying MUST NOT support IKE SA windowing. 585 The GCKS rekey message replaces the rekey GSA KEK or KEK array, and/ 586 or creates a new Data-Security GSA TEK. The SID Download attribute 587 in the Key Download payload (defined in Section 2.5.4) MUST NOT be 588 part of the Rekey Exchange as this is sender specific information and 589 the Rekey Exchange is group specific. The GCKS initiates the 590 GSA_REKEY exchange as following: 592 Members (Responder) GCKS (Initiator) 593 -------------------- ------------------ 594 <-- HDR, SK { GSA, KD, [D,] [AUTH] } 596 Figure 9: GSA_REKEY Exchange 598 HDR is defined in Section 2.1. The Message ID in this message will 599 start with the same value the GCKS sent to the group members in the 600 KEK attribute KEK_MESSAGE_ID during registration; this Message ID 601 will be increased each time a new GSA_REKEY message is sent to the 602 group members. 604 The GSA payload contains the current rekey and data security SAs. 605 The GSA may contain a new rekey SA and/or a new data security SA, 606 which, optionally contains an LKH rekey SA, Section 2.4. 608 The KD payload contains the keys for the policy included in the GSA. 609 If the data security SA is being refreshed in this rekey message, the 610 IPsec keys are updated in the KD, and/or if the rekey SA is being 611 refreshed in this rekey message, the rekey Key or the LKH KEK array 612 is updated in the KD payload. 614 A Delete payload MAY be included to instruct the GM to delete 615 existing SAs. 617 The AUTH payload MUST be included to authenticate the GSA_REKEY 618 message if the authentication method is based on public key 619 signatures and MUST NOT be included if it is based on shared secret. 620 In a latter case, the fact that a GM can decrypt the GSA_REKEY 621 message and verify its ICV proves that the sender of this message 622 knows the current KEK, thus authenticating that the sender is a 623 member of the group. Shared secret authentication doesen't provide 624 source origin authentication. For this reason using it as 625 authentication method for multicast Rekey is NOT RECOMMENDED unless 626 source origin authentication is not required (for example, in a small 627 group of highly trusted GMs). If AUTH payload is included then the 628 Auth Method field MUST be one specifying using digital signatures. 630 During group member registration, the GCKS sends the authentication 631 key in the GSA KEK payload, KEK_AUTH_KEY attribute, which the group 632 member uses to authenticate the key server. Before the current 633 Authentication Key expires, the GCKS will send a new KEK_AUTH_KEY to 634 the group members in a GSA_REKEY message. The AUTH key that is used 635 in the rekey message may be not the same as the authentication key 636 used in GSA_AUTH. 638 1.4.5.1.1. GSA_REKEY GCKS Operations 640 The GCKS builds the rekey message with a Message ID value that is one 641 greater than the value included in the previous rekey. If the 642 message is using a new KEK attribute, the Message ID is reset to 1 in 643 this message. The GSA, KD, and D payloads follow with the same 644 characteristics as in the GSA Registration exchange. 646 If present the AUTH payload is created as follows. First the message 647 is prepared, all payloads are formed and included in the message, but 648 the content of the Encrypted payload is not yet encrypted. However, 649 the Encrypted payload must be fully formed, including correct values 650 in IV, Padding and Pad Length and fields. The AUTH payload is 651 included in the message with the correct values in the Payload Header 652 (including Next Payload, Payload Length and Auth Method fields). The 653 Authentication Data field is zeroed for the purposes of signature 654 calculation, but if Digiatal Signature authentication method is in 655 use, then the ASN.1 Length and the AlgorithmIdentifier fields must be 656 properly filled in, see [RFC7427]. The signature is computed using 657 the signature algorithm from the KEK_AUTH_METHOD attribute (along 658 with the KEK_AUTH_HASH if KEK_AUTH_METHOD is not Digital Signature) 659 and the private key corresponding to the public key from the 660 KEK_AUTH_KEY attribute. It is computed over the block of data 661 starting from the first octet of IKE Header (but non including non- 662 ESP marker if it is present) to the last octet of the (not yet 663 encrypted) Encrypted Payload (i.e. up to and including Pad Length 664 field). Then the signature is placed into the Signature Value of the 665 AUTH payload, the content of the Encrypted payload is encrypted and 666 the ICV is computed using current KEK keys. 668 Because GSA_REKEY messages are not acknowledged and could be 669 discarded by the network, one or more GMs may not receive the 670 message. To mitigate such lost messages, during a rekey event the 671 GCKS may transmit several GSA_REKEY messages with the new policy. 672 The retransmitted messages MUST be bitwise identical and SHOULD be 673 sent within a short time interval (a few seconds) to ensure that 674 time-to-live would not not substantially skewed for the GMs that 675 would receive different copies of the messages. 677 GCKS may also include one or several KEK_NEXT_SPI/TEK_NEXT_SPI 678 attributes specifying SPIs for the prospected rekeys, so that 679 listening GMs are able to detect lost rekey messages and recover from 680 this situation. See Sections Section 2.4.2.1.6 and Section 2.4.3.1.4 681 for more detail. 683 1.4.5.1.2. GSA_REKEY GM Operations 685 When a group member receives the Rekey Message from the GCKS it 686 decrypts the message using the current KEK, validates the signature 687 using the public key retrieved in a previous G-IKEv2 exchange if AUTH 688 payload is present, verifies the Message ID, and processes the GSA 689 and KD payloads. The group member then downloads the new data 690 security SA and/or new Rekey SA. The parsing of the payloads is 691 identical to the parsing done in the registration exchange. 693 Replay protection is achieved by a group member rejecting a GSA_REKEY 694 message which has a Message ID smaller than the current Message ID 695 that the GM is expecting. The GM expects the Message ID in the first 696 GSA_REKEY message it receives to be equal or greater than the message 697 id it receives in the KEK_MESSAGE_ID attribute. The GM expects the 698 message ID in subsequent GSA_REKEY messages to be greater than the 699 last valid GSA_REKEY message ID it received. 701 If the GSA payload includes a Data-Security SA including a counter- 702 modes of operation and the receiving group member is a sender for 703 that SA, the group member uses its current SID value with the Data- 704 Security SAs to create counter-mode nonces. If it is a sender and 705 does not hold a current SID value, it MUST NOT install the Data- 706 Security SAs. It MAY initiate a GSA_REGISTRATION exchange to the 707 GCKS in order to obtain an SID value (along with current group 708 policy). 710 Once a new Rekey SA is installed as a result of GSA_REKEY message, 711 the current Rekey SA (over which the message was received) MUST be 712 silently deleted after waiting DEACTIVATION_TIME_DELAY interval 713 regardless of its expiration time. If the GSA TEK payload includes 714 TEK_REKEY_SPI attribute then after installing a new Data-Security SA 715 the old one, identified by the SPI in this attribute, MUST be 716 silently deleted after waiting DEACTIVATION_TIME_DELAY interval 717 regardless of its expiration time. 719 If a Data-Security SA is not rekeyed yet and is about to expire (a 720 "soft lifetime" expiration is described in Section 4.4.2.1 of 721 [RFC4301]), the GM SHOULD initiate a registration to the GCKS. This 722 registration serves as a request for current SAs, and will result in 723 the download of replacement SAs, assuming the GCKS policy has created 724 them. A GM SHOULD also initiate a registration request if a Rekey SA 725 is about to expire and not yet replaced with a new one. 727 1.4.5.1.3. Forward and Backward Access Control 729 Through the G-IKEv2 rekey, G-IKEv2 supports algorithms such as LKH 730 that have the property of denying access to a new group key by a 731 member removed from the group (forward access control) and to an old 732 group key by a member added to the group (backward access control). 733 An unrelated notion to PFS, "forward access control" and "backward 734 access control" have been called "perfect forward security" and 735 "perfect backward security" in the literature [RFC2627]. 737 Group management algorithms providing forward and backward access 738 control other than LKH have been proposed in the literature, 739 including OFT [OFT] and Subset Difference [NNL]. These algorithms 740 could be used with G-IKEv2, but are not specified as a part of this 741 document. 743 Support for group management algorithms are supported via the 744 KEY_MANAGEMENT_ALGORITHM attribute which is sent in the GSA KEK 745 policy. G-IKEv2 specifies one method by which LKH can be used for 746 forward and backward access control. Other methods of using LKH, as 747 well as other group management algorithms such as OFT or Subset 748 Difference may be added to G-IKEv2 as part of a later document. 750 1.4.5.1.3.1. Forward Access Control Requirements 752 When group membership is altered using a group management algorithm 753 new GSA TEKs (and their associated keys) are usually also needed. 755 New GSAs and keys ensure that members who were denied access can no 756 longer participate in the group. 758 If forward access control is a desired property of the group, new GSA 759 TEKs and the associated key packets in the KD payload MUST NOT be 760 included in a G-IKEv2 rekey message which changes group membership. 761 This is required because the GSA TEK policy and the associated key 762 packets in the KD payload are not protected with the new KEK. A 763 second G-IKEv2 rekey message can deliver the new GSA TEKS and their 764 associated key packets because it will be protected with the new KEK, 765 and thus will not be visible to the members who were denied access. 767 If forward access control policy for the group includes keeping group 768 policy changes from members that are denied access to the group, then 769 two sequential G-IKEv2 rekey messages changing the group KEK MUST be 770 sent by the GCKS. The first G-IKEv2 rekey message creates a new KEK 771 for the group. Group members, which are denied access, will not be 772 able to access the new KEK, but will see the group policy since the 773 G-IKEv2 rekey message is protected under the current KEK. A 774 subsequent G-IKEv2 rekey message containing the changed group policy 775 and again changing the KEK allows complete forward access control. A 776 G-IKEv2 rekey message MUST NOT change the policy without creating a 777 new KEK. 779 If other methods of using LKH or other group management algorithms 780 are added to G-IKEv2, those methods MAY remove the above restrictions 781 requiring multiple G-IKEv2 rekey messages, providing those methods 782 specify how the forward access control policy is maintained within a 783 single G-IKEv2 rekey message. 785 1.4.5.1.4. Fragmentation 787 IKE fragmentation [RFC7383] can be used to perform fragmentation of 788 large GSA_REKEY messages, however when the GSA_REKEY message is 789 emitted as an IP multicast packet there is a lack of response from 790 the GMs. This has the following implications. 792 o Policy regarding the use of IKE fragmentation is implicit. If a 793 GCKS detects that all GMs have negotiated support of IKE 794 fragmentation in IKE_SA_INIT, then it MAY use IKE fragmentation on 795 large GSA_REKEY exchange messages. 797 o The GCKS must always use IKE fragmentation based on a known 798 fragmentation threshold (unspecified in this memo), as there is no 799 way to check if fragmentation is needed by first sending 800 unfragmented messages and waiting for response. 802 o PMTU probing cannot be performed due to lack of GSA_REKEY response 803 message. 805 1.4.5.2. GSA_INBAND_REKEY Exchange 807 When the IKEv2 SA protecting the member registration exchange is 808 maintained while group member participates in the group, the GCKS can 809 use the GSA_INBAND_REKEY exchange to individually provide policy 810 updates to the group member. 812 Member (Responder) GCKS (Initiator) 813 -------------------- ------------------ 814 <-- HDR, SK { GSA, KD, [D,] } 815 HDR, SK {} --> 817 Figure 10: GSA_INBAND_REKEY Exchange 819 Because this is an IKEv2 exchange, the HDR is treated as defined in 820 [RFC7296]. 822 1.4.5.2.1. GSA_INBAND_REKEY GCKS Operations 824 The GSA, KD, and D payloads are built in the same manner as in a 825 registration exchange. 827 1.4.5.2.2. GSA_INBAND_REKEY GM Operations 829 The GM processes the GSA, KD, and D payloads in the same manner as if 830 they were received in a registration exchange. 832 1.4.5.3. Deletion of SAs 834 There are occasions when the GCKS may want to signal to group members 835 to delete policy at the end of a broadcast, or if group policy has 836 changed. Deletion of keys MAY be accomplished by sending the G-IKEv2 837 Delete Payload [RFC7296], section 3.11 as part of the GSA_REKEY 838 Exchange as shown below. 840 Members (Responder) GCKS (Initiator) 841 -------------------- ------------------ 842 <-- HDR, SK { [GSA ], [KD ], [D, ] [AUTH ] } 844 Figure 11: SA Deletion in GSA_REKEY 846 The GSA MAY specify the remaining active time of the remaining policy 847 by using the DTD attribute in the GSA GAP. If a GCKS has no further 848 SAs to send to group members, the GSA and KD payloads MUST be omitted 849 from the message. There may be circumstances where the GCKS may want 850 to start over with a clean slate. If the administrator is no longer 851 confident in the integrity of the group, the GCKS can signal deletion 852 of all the policies of a particular TEK protocol by sending a TEK 853 with a SPI value equal to zero in the delete payload. For example, 854 if the GCKS wishes to remove all the KEKs and all the TEKs in the 855 group, the GCKS SHOULD send a Delete payload with a SPI of zero and a 856 protocol_id of a TEK protocol_id value defined in Section 2.4.3, 857 followed by another Delete payload with a SPI of zero and protocol_id 858 of zero, indicating that the KEK SA should be deleted. 860 1.4.6. Counter-based modes of operation 862 Several new counter-based modes of operation have been specified for 863 ESP (e.g., AES-CTR [RFC3686], AES-GCM [RFC4106], AES-CCM [RFC4309], 864 AES-GMAC [RFC4543]) and AH (e.g., AES-GMAC [RFC4543]). These 865 counter-based modes require that no two senders in the group ever 866 send a packet with the same Initialization Vector (IV) using the same 867 cipher key and mode. This requirement is met in G-IKEv2 when the 868 following requirements are met: 870 o The GCKS distributes a unique key for each Data-Security SA. 872 o The GCKS uses the method described in [RFC6054], which assigns each 873 sender a portion of the IV space by provisioning each sender with one 874 or more unique SID values. 876 1.4.6.1. Allocation of SIDs 878 When at least one Data-Security SA included in the group policy 879 includes a counter-based mode of operation, the GCKS automatically 880 allocates and distributes one SID to each group member acting in the 881 role of sender on the Data-Security SA. The SID value is used 882 exclusively by the group member to which it was allocated. The group 883 member uses the same SID for each Data-Security SA specifying the use 884 of a counter-based mode of operation. A GCKS MUST distribute unique 885 keys for each Data-Security SA including a counter-based mode of 886 operation in order to maintain unique key and nonce usage. 888 During registration, the group member can choose to request one or 889 more SID values. Requesting a value of 1 is not necessary since the 890 GCKS will automatically allocate exactly one to the group member. A 891 group member MUST request as many SIDs matching the number of 892 encryption modules in which it will be installing the TEKs in the 893 outbound direction. Alternatively, a group member MAY request more 894 than one SID and use them serially. This could be useful when it is 895 anticipated that the group member will exhaust their range of Data- 896 Security SA nonces using a single SID too quickly (e.g., before the 897 time-based policy in the TEK expires). 899 When the group policy includes a counter-based mode of operation, a 900 GCKS SHOULD use the following method to allocate SID values, which 901 ensures that each SID will be allocated to just one group member. 903 1. A GCKS maintains an SID-counter, which records the SIDs that have 904 been allocated. SIDs are allocated sequentially, with zero as the 905 first allocated SID. 907 2. Each time an SID is allocated, the current value of the counter 908 is saved and allocated to the group member. The SID-counter is then 909 incremented in preparation for the next allocation. 911 3. When the GCKS specifies a counter-based mode of operation in the 912 Data Security SA a group member may request a count of SIDs during 913 registration in a Notify payload information of type SENDER. When 914 the GCKS receives this request, it increments the SID-counter once 915 for each requested SID, and distributes each SID value to the group 916 member. The GCKS SHOULD have a policy-defined upper bound for the 917 number of SIDs that it will return irrespective of the number 918 requested by the GM. 920 4. A GCKS allocates new SID values for each GSA_REGISTRATION 921 exchange originated by a sender, regardless of whether a group member 922 had previously contacted the GCKS. In this way, the GCKS is not 923 required to maintaining a record of which SID values it had 924 previously allocated to each group member. More importantly, since 925 the GCKS cannot reliably detect whether the group member had sent 926 data on the current group Data-Security SAs it does not know what 927 Data-Security counter-mode nonce values that a group member has used. 928 By distributing new SID values, the key server ensures that each time 929 a conforming group member installs a Data-Security SA it will use a 930 unique set of counter-based mode nonces. 932 5. When the SID-counter maintained by the GCKS reaches its final SID 933 value, no more SID values can be distributed. Before distributing 934 any new SID values, the GCKS MUST delete the Data-Security SAs for 935 the group, followed by creation of new Data-Security SAs, and 936 resetting the SID-counter to its initial value. 938 6. The GCKS SHOULD send a GSA_REKEY message deleting all Data- 939 Security SAs and the Rekey SA for the group. This will result in the 940 group members initiating a new GSA_REGISTRATION exchange, in which 941 they will receive both new SID values and new Data-Security SAs. The 942 new SID values can safely be used because they are only used with the 943 new Data-Security SAs. Note that deletion of the Rekey SA is 944 necessary to ensure that group members receiving a GSA_REKEY exchange 945 before the re-register do not inadvertently use their old SIDs with 946 the new Data-Security SAs. Using the method above, at no time can 947 two group members use the same IV values with the same Data-Security 948 SA key. 950 1.4.6.2. GM Usage of SIDs 952 A GM applies the SID to Data Security SA as follows. 954 1. The most significant bits NUMBER_OF_SID_BITS of the IV are taken 955 to be the SID field of the IV. 957 2. The SID is placed in the least significant bits of the SID field, 958 where any unused most significant bits are set to zero. If the SID 959 value doesn't fit into the NUMBER_OF_SID_BITS bits, then the GM MUST 960 treat this as a fatal error and re-register to the group. 962 1.5. Interaction with IKEv2 Protocol Extensions 964 IKEv2 defines a number of extensions that can be used to extend 965 protocol functionality. G-IKEv2 is compatible with most of such 966 extensions. In particular, EAP authentication defined in [RFC7296] 967 can be used to establish registration IKE SA, as well as Secure 968 Password authentication ([RFC6467]). G-IKEv2 is compatible with and 969 can use IKEv2 Session Resumption [RFC5723] except that a GM would 970 include the initial ticket request in a GSA_AUTH exchange instead of 971 an IKE_AUTH exchange. G-IKEv2 is also compatible with Quantum Safe 972 Key Exchange framework, defined in 973 [I-D.tjhai-ipsecme-hybrid-qske-ikev2]. 975 Some IKEv2 extensions however require special handling if used in 976 G-IKEv2. 978 1.5.1. Postquantum Preshared Keys for IKEv2 980 G-IKEv2 can take advantage of the protection provided by Postquantum 981 Preshared Keys (PPK) for IKEv2 [I-D.ietf-ipsecme-qr-ikev2]. However, 982 the use of PPK leaves the initial IKE SA susceptible to quantum 983 computer (QC) attacks. For this reason an alternative approach for 984 using PPK in IKEv2 defined in [I-D.smyslov-ipsecme-ikev2-qr-alt] 985 SHOULD be used. 987 If the alternative approach is not supported by the peers, then the 988 GCKS MUST NOT send GSA and KD payloads in the GSA_AUTH response 989 message. Instead, the GCKS MUST return a new notification 990 REKEY_IS_NEEDED. Upon receiving this notification in the GSA_AUTH 991 response the GM MUST perform an IKE SA rekey and then initiate a new 992 GSA_REGISTRATION request for the same group. Below are possible 993 scenarios involving using PPK. 995 GM begins IKE_SA_INIT requesting PPK, and GCKS responds with 996 willingness to do it, or aborts according to its "mandatory_or_not" 997 flag: 999 Initiator (Member) Responder (GCKS) 1000 -------------------- ------------------ 1001 HDR, SAi1, KEi, Ni, N(USE_PPK) ---> 1002 <--- HDR, SAr1, KEr, Nr, [CERTREQ], 1003 N(USE_PPK) 1005 Figure 12: IKE_SA_INIT Exchange requesting using PPK 1007 GM begins GSA_AUTH with PPK_ID; if using PPK is not mandatory for the 1008 GM, N(NO_PPK_AUTH) is included too: 1010 Initiator (Member) Responder (GCKS) 1011 -------------------- ------------------ 1012 HDR, SK {IDi, AUTH, IDg, 1013 N(PPK_IDENTITY), N(NO_PPK_AUTH) } ---> 1015 Figure 13: GSA_AUTH Request using PPK 1017 If GCKS has no such PPK and using PPK is not mandatory for it and 1018 N(NO_PPK_AUTH) is included, then the GCKS continues w/o PPK; in this 1019 case no rekey is needed: 1021 Initiator (Member) Responder (GCKS) 1022 -------------------- ------------------ 1023 <--- HDR, SK { IDr, AUTH, GSA, KD } 1025 Figure 14: GSA_AUTH Response using no PPK 1027 If GCKS has no such PPK and either N(NO_PPK_AUTH) is missing or using 1028 PPK is mandatory for GCKS, the GCKS aborts the exchange: 1030 Initiator (Member) Responder (GCKS) 1031 -------------------- ------------------ 1032 <--- HDR, SK { N(AUTHENTICATION_FAILED) } 1034 Figure 15: GSA_AUTH Error Response 1036 Assuming GCKS has a proper PPK the GCKS continues with request to GM 1037 to immediately perform a rekey: 1039 Initiator (Member) Responder (GCKS) 1040 -------------------- ------------------ 1041 <--- HDR, SK{IDr, AUTH, N(PPK_IDENTITY), 1042 N(REKEY_IS_NEEDED) } 1044 Figure 16: GSA_AUTH Response using PPK 1046 GM initiates CREATE_CHILD_SA to rekey IKE SA and then makes a new 1047 registration request for the same group over the new IKE SA: 1049 Initiator (Member) Responder (GCKS) 1050 -------------------- ------------------ 1051 HDR, SK {SA, Ni, KEi } ---> 1052 <--- HDR, SK {SA, Nr, KEr } 1053 HDR, SK {IDg } ---> 1054 <--- HDR, SK { GSA, KD } 1056 Figure 17: Rekeying IKE SA followed by GSA_REGISTRATION Exchange 1058 2. Header and Payload Formats 1060 Refer to IKEv2 [RFC7296] for existing payloads. Some payloads used 1061 in G-IKEv2 exchanges are not aligned to 4-octet boundaries, which is 1062 also the case for some IKEv2 payloads (see Section 3.2 of [RFC7296]). 1064 2.1. The G-IKEv2 Header 1066 G-IKEv2 uses the same IKE header format as specified in [RFC7296] 1067 section 3.1. 1069 Several new payload formats are required in the group security 1070 exchanges. 1072 Next Payload Type Value 1073 ----------------- ----- 1074 Group Identification (IDg) 50 1075 Group Security Association (GSA) 51 1076 Key Download (KD) 52 1078 New exchange types GSA_AUTH, GSA_REGISTRATION and GSA_REKEY are added 1079 to the IKEv2 [RFC7296] protocol. 1081 Exchange Type Value 1082 -------------- ----- 1083 GSA_AUTH 39 1084 GSA_REGISTRATION 40 1085 GSA_REKEY 41 1086 GSA_INBAND_REKEY TBD 1088 Major Version is 2 and Minor Version is 0 as in IKEv2 [RFC7296]. IKE 1089 SA Initiator's SPI, IKE SA Responder's SPI, Flags, Message ID, and 1090 Length are as specified in [RFC7296]. 1092 2.2. Group Identification (IDg) Payload 1094 The IDg Payload allows the group member to indicate which group it 1095 wants to join. The payload is constructed by using the IKEv2 1096 Identification Payload (section 3.5 of [RFC7296]). ID type ID_KEY_ID 1097 MUST be supported. ID types ID_IPV4_ADDR, ID_FQDN, ID_RFC822_ADDR, 1098 ID_IPV6_ADDR SHOULD be supported. ID types ID_DER_ASN1_DN and 1099 ID_DER_ASN1_GN are not expected to be used. 1101 2.3. Security Association - GM Supported Transforms (SAg) 1103 The SAg payload declares which Transforms a GM is willing to accept. 1104 The payload is constructed using the format of the IKEv2 Security 1105 Association payload (section 3.3 of [RFC7296]). The Payload Type for 1106 SAg is identical to the SA Payload Type (33). 1108 2.4. Group Security Association Payload 1110 The Group Security Association payload is used by the GCKS to assert 1111 security attributes for both Rekey and Data-security SAs. 1113 1 2 3 1114 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1115 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1116 | Next Payload |C| RESERVED | Payload Length | 1117 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1119 Figure 18: GSA Payload Format 1121 The Security Association Payload fields are defined as follows: 1123 o Next Payload (1 octet) -- Identifies the next payload type for the 1124 G-IKEv2 registration or the G-IKEv2 rekey message. 1126 o Critical (1 bit) -- Set according to [RFC7296]. 1128 o RESERVED (7 bits) -- Must be zero. 1130 o Payload Length (2 octets) -- Is the octet length of the current 1131 payload including the generic header and all TEK and KEK policies. 1133 2.4.1. GSA Policy 1135 Following the GSA generic payload header are GSA policies for group 1136 rekeying (KEK), data traffic SAs (TEK) and/or Group Associated Policy 1137 (GAP). There may be zero or one GSA KEK policy, zero or one GAP 1138 policies, and zero or more GSA TEK policies, where either one GSA KEK 1139 or GSA TEK payload MUST be present. 1141 This latitude allows various group policies to be accommodated. For 1142 example if the group policy does not require the use of a Rekey SA, 1143 the GCKS would not need to send a GSA KEK attribute to the group 1144 member since all SA updates would be performed using the Registration 1145 SA. Alternatively, group policy might use a Rekey SA but choose to 1146 download a KEK to the group member only as part of the Registration 1147 SA. Therefore, the GSA KEK policy would not be necessary as part of 1148 the GSA_REKEY message. 1150 Specifying multiple GSA TEKs allows multiple related data streams 1151 (e.g., video, audio, and text) to be associated with a session, but 1152 each protected with an individual security association policy. 1154 A GAP payload allows for the distribution of group-wise policy, such 1155 as instructions for when to activate and de-activate SAs. 1157 Policies are distributed in substructures to the GSA payload, and 1158 include the following header. 1160 1 2 3 1161 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1162 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1163 | Type | RESERVED | Length | 1164 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1166 Figure 19: GSA Policy Generic Header Format 1168 The payload fields are defined as follows: 1170 o Type (1 octet) -- Identifies the substructure type. In the 1171 following table the terms Reserved, Unassigned, and Private Use 1172 are to be applied as defined in [RFC8126]. The registration 1173 procedure is Expert Review. 1175 Type Value 1176 -------- ----- 1177 Reserved 0 1178 KEK 1 1179 GAP 2 1180 TEK 3 1181 Unassigned 4-127 1182 Private Use 128-255 1184 o RESERVED (1 octet) -- Unused, set to zero. 1186 o Length (2 octets) -- Length in octets of the substructure, 1187 including its header. 1189 2.4.2. KEK Policy 1191 The GSA KEK policy contains security attributes for the KEK method 1192 for a group and parameters specific to the G-IKEv2 registration 1193 operation. The source and destination traffic selectors describe the 1194 network identities used for the rekey messages. 1196 1 2 3 1197 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1198 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1199 | Type = 1 | RESERVED | Length | 1200 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1201 | | 1202 ~ SPI ~ 1203 | | 1204 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1205 | | 1206 ~ ~ 1207 | | 1208 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1209 | | 1210 ~ ~ 1211 | | 1212 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1213 | | 1214 ~ ~ 1215 | | 1216 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1217 ~ KEK Attributes ~ 1218 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1220 Figure 20: KEK Policy Format 1222 The GSA KEK Payload fields are defined as follows: 1224 o Type = 1 (1 octet) -- Identifies the GSA payload type as KEK in 1225 the G-IKEv2 registration or the G-IKEv2 rekey message. 1227 o RESERVED (1 octet) -- Must be zero. 1229 o Length (2 octets) -- Length of this structure including KEK 1230 attributes. 1232 o SPI (16 octets) -- Security Parameter Index for the rekey message. 1233 The SPI must be the IKEv2 Header SPI pair where the first 8 octets 1234 become the "Initiator's SPI" field in the G-IKEv2 rekey message 1235 IKEv2 HDR, and the second 8 octets become the "Responder's SPI" in 1236 the same HDR. As described above, these SPIs are assigned by the 1237 GCKS. When selecting SPI the GCKS MUST make sure that the sole 1238 first 8 octets (corresponding to "Initiator's SPI" field in the 1239 IKEv2 header) uniquely identify the Rekey SA. 1241 o Source & Destination Traffic Selectors - Substructures describing 1242 the source and destination of the network identities. These 1243 identities refer to the source and destination of the next KEK 1244 rekey SA. Defined format and values are specified by IKEv2 1245 [RFC7296], section 3.13.1. 1247 o Transform Substructure List -- A list of Transform Substructures 1248 specifies the transform information. The format is defined in 1249 IKEv2 [RFC7296], section 3.3.2, and values are described in the 1250 IKEv2 registries [IKEV2-IANA]. Valid Transform Types are ENCR, 1251 INTEG. The Last Substruc value in each Transform Substructure 1252 will be set to 3 except for the last one in the list, which is set 1253 to 0. 1255 o KEK Attributes -- Contains KEK policy attributes associated with 1256 the group. The following sections describe the possible 1257 attributes. Any or all attributes may be optional, depending on 1258 the group policy. 1260 2.4.2.1. KEK Attributes 1262 The following attributes may be present in a GSA KEK policy. The 1263 attributes must follow the format defined in the IKEv2 [RFC7296] 1264 section 3.3.5. In the table, attributes that are defined as TV are 1265 marked as Basic (B); attributes that are defined as TLV are marked as 1266 Variable (V). The terms Reserved, Unassigned, and Private Use are to 1267 be applied as defined in [RFC8126]. The registration procedure is 1268 Expert Review. 1270 KEK Attributes Value Type Mandatory 1271 -------------- ----- ---- --------- 1272 Reserved 0 1273 KEK_MANAGEMENT_ALGORITHM 1 B N 1274 Reserved 2 1275 Reserved 3 1276 KEK_KEY_LIFETIME 4 V Y 1277 Reserved 5 1278 KEK_AUTH_METHOD 6 B Y 1279 KEK_AUTH_HASH 7 B N 1280 KEK_MESSAGE_ID 8 V Y (*) 1281 KEK_NEXT_SPI 9 V N 1282 Unassigned 10-16383 1283 Private Use 16384-32767 1285 (*) the KEK_MESSAGE_ID MUST be included in a G-IKEv2 registration 1286 message and MUST NOT be included in rekey messages. 1288 The following attributes may only be included in a G-IKEv2 1289 registration message: KEK_MANAGEMENT_ALGORITHM, KEK_MESSAGE_ID. 1291 2.4.2.1.1. KEK_MANAGEMENT_ALGORITHM 1293 The KEK_MANAGEMENT_ALGORITHM attribute specifies the group KEK 1294 management algorithm used to provide forward or backward access 1295 control (i.e., used to exclude group members). Defined values are 1296 specified in the following table. The terms Reserved, Unassigned, 1297 and Private Use are to be applied as defined in [RFC8126]. The 1298 registration procedure is Expert Review. 1300 KEK Management Type Value 1301 ------------------- ----- 1302 Reserved 0 1303 LKH 1 1304 Unassigned 2-16383 1305 Private Use 16384-32767 1307 2.4.2.1.2. KEK_KEY_LIFETIME 1309 The KEK_KEY_LIFETIME attribute specifies the maximum time for which 1310 the KEK is valid. The GCKS may refresh the KEK at any time before 1311 the end of the valid period. The value is a four (4) octet number 1312 defining a valid time period in seconds. 1314 2.4.2.1.3. KEK_AUTH_METHOD 1316 The KEK_AUTH_METHOD attribute specifies the method of authentication 1317 used. This value is from the IKEv2 Authentication Method registry 1318 [IKEV2-IANA]. The method must either specify using some public key 1319 signatures or Shared Key Message Integrity Code. Other 1320 authentication methods MUST NOT be used. 1322 2.4.2.1.4. KEK_AUTH_HASH 1324 The KEK_AUTH_HASH attribute specifies the hash algorithm used to 1325 generate the AUTH key to authenticate GSA_REKEY messages. Hash 1326 algorithms are defined in IANA registry IKEv2 Hash Algorithms 1327 [IKEV2-IANA]. 1329 This attribute SHOULD NOT be sent if the KEK_AUTH_METHOD implies a 1330 particular hash algorithm (e.g., for DSA-based algorithms). 1331 Furthermore, it is not necessary for the GCKS to send it if the GM is 1332 known to support the algorithm because it declared it in a 1333 SIGNATURE_HASH_ALGORITHMS notification during registration (see 1334 [RFC7427]). 1336 2.4.2.1.5. KEK_MESSAGE_ID 1338 The KEK_MESSAGE_ID attribute defines the initial Message ID to be 1339 used by the GCKS in the GSA_REKEY messages. The Message ID is a 4 1340 octet unsigned integer in network byte order. 1342 2.4.2.1.6. KEK_NEXT_SPI 1344 The KEK_NEXT_SPI attribute may optionally be included by GCKS in 1345 GSA_REKEY message, indicating what IKE SPIs are intended be used for 1346 the next rekey SA. The attribute data MUST be 16 octets in length 1347 specifying the pair of IKE SPIs as they appear in the IKE header. 1348 Multiple attributes of this type MAY be included, meaning that any of 1349 the supplied SPIs can be used for the next rekey. 1351 The GM may save these values and if later the GM starts receiving IKE 1352 messages with one of these SPIs without seeing a rekey message over 1353 the current rekey SA, this may be used as an indication, that the 1354 rekey message was lost on its way to this GM. In this case the GM 1355 SHOULD re-register to the group. 1357 Note, that this method of detecting missed rekeys can only be used by 1358 passive GMs, i.e. those, that only listen and don't send data. It's 1359 also no point to include this attribute in the GSA_INBAND_REKEY 1360 messages, since they use reliable transport. Note also, that the 1361 GCKS is free to forget its promises and not to use the SPIs it sent 1362 in the KEK_NEXT_SPI attributes before (e.g. in case of GCKS reboot), 1363 so the GM must only treat these information as a "best effort" made 1364 by GCKS to prepare for future rekeys. 1366 2.4.3. GSA TEK Policy 1368 The GSA TEK policy contains security attributes for a single TEK 1369 associated with a group. 1371 1 2 3 1372 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1373 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1374 | Type = 3 | RESERVED | Length | 1375 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1376 | Protocol-ID | TEK Protocol-Specific Payload | 1377 +-+-+-+-+-+-+-+-+ ~ 1378 ~ | 1379 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1381 Figure 21: TEK Policy Generic Header Format 1383 The GSA TEK Payload fields are defined as follows: 1385 o Type = 3 (1 octet) -- Identifies the GSA payload type as TEK in 1386 the G-IKEv2 registration or the G-IKEv2 rekey message. 1388 o RESERVED (1 octet) -- Must be zero. 1390 o Length (2 octets) -- Length of this structure, including the TEK 1391 Protocol-Specific Payload. 1393 o Protocol-ID (1 octet) -- Value specifying the Security Protocol. 1394 The following table defines values for the Security Protocol. 1395 Support for the GSA_PROTO_IPSEC_AH GSA TEK is OPTIONAL. The terms 1396 Reserved, Unassigned, and Private Use are to be applied as defined 1397 in [RFC8126]. The registration procedure is Expert Review. 1399 Protocol ID Value 1400 ----------- ----- 1401 Reserved 0 1402 GSA_PROTO_IPSEC_ESP 1 1403 GSA_PROTO_IPSEC_AH 2 1404 Unassigned 3-127 1405 Private Use 128-255 1407 o TEK Protocol-Specific Payload (variable) -- Payload which 1408 describes the attributes specific for the Protocol-ID. 1410 2.4.3.1. TEK ESP and AH Protocol-Specific Policy 1412 The TEK Protocol-Specific policy contains two traffic selectors one 1413 for the source and one for the destination of the protected traffic, 1414 SPI, Transforms, and Attributes. 1416 The TEK Protocol-Specific policy for ESP and AH is as follows: 1418 1 2 3 1419 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1420 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1421 | SPI | 1422 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1423 | | 1424 ~ ~ 1425 | | 1426 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1427 | | 1428 ~ ~ 1429 | | 1430 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1431 | | 1432 ~ ~ 1433 | | 1434 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1435 ~ TEK Attributes ~ 1436 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1438 Figure 22: AH and ESP TEK Policy Format 1440 The GSA TEK Policy fields are defined as follows: 1442 o SPI (4 octets) -- Security Parameter Index. 1444 o Source & Destination Traffic Selectors - The traffic selectors 1445 describe the source and the destination of the protected traffic. 1446 The format and values are defined in IKEv2 [RFC7296], section 1447 3.13.1. 1449 o Transform Substructure List -- A list of Transform Substructures 1450 specifies the transform information. The format is defined in 1451 IKEv2 [RFC7296], section 3.3.2, and values are described in the 1452 IKEv2 registries [IKEV2-IANA]. Valid Transform Types for ESP are 1453 ENCR, INTEG, and ESN. Valid Transform Types for AH are INTEG and 1454 ESN. The Last Substruc value in each Transform Substructure will 1455 be set to 3 except for the last one in the list, which is set to 1456 0. A Transform Substructure with attributes (e.g., the ENCR Key 1457 Length), they are included within the Transform Substructure as 1458 usual. 1460 o TEK Attributes -- Contains the TEK policy attributes associated 1461 with the group, in the format defined in Section 3.3.5 of 1462 [RFC7296]. All attributes are optional, depending on the group 1463 policy. 1465 Attribute Types are as follows. The terms Reserved, Unassigned, and 1466 Private Use are to be applied as defined in [RFC8126]. The 1467 registration procedure is Expert Review. 1469 TEK Attributes Value Type Mandatory 1470 -------------- ----- ---- --------- 1471 Reserved 0 1472 TEK_KEY_LIFETIME 1 V N 1473 TEK_MODE 2 B Y 1474 TEK_REKEY_SPI 3 V N 1475 TEK_NEXT_SPI 4 V N 1476 Unassigned 5-16383 1477 Private Use 16384-32767 1479 It is NOT RECOMMENDED that the GCKS distribute both ESP and AH 1480 Protocol-Specific Policies for the same set of Traffic Selectors. 1482 2.4.3.1.1. TEK_KEY_LIFETIME 1484 The TEK_KEY_LIFETIME attribute specifies the maximum time for which 1485 the TEK is valid. When the TEK expires, the AH or ESP security 1486 association and all keys downloaded under the security association 1487 are discarded. The GCKS may refresh the TEK at any time before the 1488 end of the valid period. 1490 The value is a four (4) octet number defining a valid time period in 1491 seconds. If unspecified the default value of 28800 seconds (8 hours) 1492 shall be assumed. 1494 2.4.3.1.2. TEK_MODE 1496 The value of 0 is used for tunnel mode and 1 for transport mode. In 1497 the absence of this attribute tunnel mode will be used. 1499 2.4.3.1.3. TEK_REKEY_SPI 1501 This attribute contains an SPI for the SA that is being rekeyed. The 1502 size of SPI depends on the protocol, for ESP and AH it is 4 octets, 1503 so the size of the data MUST be 4 octets for AH and ESP. 1505 If this attribute is included in the rekey message, the GM SHOULD 1506 delete the SA corresponding to this SPI once the new SA is installed 1507 and regardless of the expiration time of the SA to be deleted (but 1508 after waiting DEACTIVATION_TIME_DELAY time period). 1510 2.4.3.1.4. TEK_NEXT_SPI 1512 This attribute contains an SPI that the GCKS reserved for the next 1513 rekey. The size of SPI depends on the protocol, for ESP and AH it is 1514 4 octets, so the size of the data MUST be 4 octets for AH and ESP. 1515 Multiple attributes of this type MAY be included, which means that 1516 any of the provided SPIs can be used in the next rekey. 1518 The GM may save these values and if later the GM starts receiving 1519 IPsec messages with one of these SPIs without seeing a rekey message 1520 for it, this may be used as an indication, that the rekey message was 1521 lost on its way to this GM. In this case the GM SHOULD re-register 1522 to the group. 1524 Note, that this method of detecting missed rekey messages can only be 1525 used by passive GMs, i.e. those, that only listen and don't send 1526 data. It's also no point to include this attribute in the 1527 GSA_INBAND_REKEY messages, since they use reliable transport. Note 1528 also, that the GCKS is free to forget its promises and not to use the 1529 SPIs it sent in the TEK_NEXT_SPI attributes before (e.g. in case of 1530 GCKS reboot), so the GM must only treat these information as a "best 1531 effort" made by GCKS to prepare for future rekeys. 1533 2.4.4. GSA Group Associated Policy 1535 Group specific policy that does not belong to rekey policy (GSA KEK) 1536 or traffic encryption policy (GSA TEK) can be distributed to all 1537 group member using GSA GAP (Group Associated Policy). 1539 The GSA GAP payload is defined as follows: 1541 1 2 3 1542 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1543 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1544 | Type = 2 | RESERVED | Length | 1545 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1546 ~ Group Associated Policy Attributes ~ 1547 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1549 Figure 23: GAP Policy Format 1551 The GSA GAP payload fields are defined as follows: 1553 o Type = 2 (1 octet) -- Identifies the GSA payload type as GAP in 1554 the G-IKEv2 registration or the G-IKEv2 rekey message. 1556 o RESERVED (1 octet) -- Must be zero. 1558 o Length (2 octets) -- Length of this structure, including the GSA 1559 GAP header and Attributes. 1561 o Group Associated Policy Attributes (variable) -- Contains 1562 attributes following the format defined in Section 3.3.5 of 1563 [RFC7296]. 1565 Attribute Types are as follows. The terms Reserved, Unassigned, and 1566 Private Use are to be applied as defined in [RFC8126]. The 1567 registration procedure is Expert Review. 1569 Attribute Type Value Type 1570 -------------- ----- ---- 1571 Reserved 0 1572 ACTIVATION_TIME_DELAY 1 B 1573 DEACTIVATION_TIME_DELAY 2 B 1574 Unassigned 3-16383 1575 Private Use 16384-32767 1577 2.4.4.1. ACTIVATION_TIME_DELAY/DEACTIVATION_TIME_DELAY 1579 Section 4.2.1 of [RFC5374] specifies a key rollover method that 1580 requires two values be provided to group members. The 1581 ACTIVATION_TIME_DELAY attribute allows a GCKS to set the Activation 1582 Time Delay (ATD) for SAs generated from TEKs. The ATD defines how 1583 long after receiving new SAs that they are to be activated by the GM. 1584 The ATD value is in seconds. 1586 The DEACTIVATION_TIME_DELAY allows the GCKS to set the Deactivation 1587 Time Delay (DTD) for previously distributed SAs. The DTD defines how 1588 long after receiving new SAs it should deactivate SAs that are 1589 destroyed by the rekey event. The value is in seconds. 1591 The values of ATD and DTD are independent. However, the DTD value 1592 should be larger, which allows new SAs to be activated before older 1593 SAs are deactivated. Such a policy ensures that protected group 1594 traffic will always flow without interruption. 1596 2.5. Key Download Payload 1598 The Key Download Payload contains the group keys for the group 1599 specified in the GSA Payload. These key download payloads can have 1600 several security attributes applied to them based upon the security 1601 policy of the group as defined by the associated GSA Payload. 1603 1 2 3 1604 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1605 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1606 | Next Payload |C| RESERVED | Length | 1607 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1608 ~ Key Packets ~ 1609 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1611 Figure 24: Key Download Payload Format 1613 The Key Download Payload fields are defined as follows: 1615 o Next Payload (1 octet) -- Identifier for the payload type of the 1616 next payload in the message. If the current payload is the last 1617 in the message, then this field will be zero. 1619 o Critical (1 bit) -- Set according to [RFC7296]. 1621 o RESERVED (7 bits) -- Unused, set to zero. 1623 o Payload Length (2 octets) -- Length in octets of the current 1624 payload, including the generic payload header. 1626 o Key Packets (variable) -- Contains Key Packets. Several types of 1627 key packets are defined. Each Key Packet has the following 1628 format. 1630 1 2 3 1631 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1632 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1633 | KD Type | RESERVED | KD Length | 1634 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1635 | SPI Size | SPI (variable) ~ 1636 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1637 ~ Key Packet Attributes ~ 1638 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1640 Figure 25: Key Packet Format 1642 o Key Download (KD) Type (1 octet) -- Identifier for the Key Data 1643 field of this Key Packet. In the following table the terms 1644 Reserved, Unassigned, and Private Use are to be applied as defined 1645 in [RFC8126]. The registration procedure is Expert Review. 1647 Key Download Type Value 1648 ----------------- ----- 1649 Reserved 0 1650 TEK 1 1651 KEK 2 1652 LKH 3 1653 SID 4 1654 Unassigned 5-127 1655 Private Use 128-255 1657 o RESERVED (1 octet) -- Unused, set to zero. 1659 o Key Download Length (2 octets) -- Length in octets of the Key 1660 Packet data, including the Key Packet header. 1662 o SPI Size (1 octet) -- Value specifying the length in octets of the 1663 SPI as defined by the Protocol-Id. 1665 o SPI (variable length) -- Security Parameter Index which matches a 1666 SPI previously sent in an GSA KEK or GSA TEK Payload. 1668 o Key Packet Attributes (variable length) -- Contains Key 1669 information. The format of this field is specific to the value of 1670 the KD Type field. The following sections describe the format of 1671 each KD Type. 1673 2.5.1. TEK Download Type 1675 The following attributes may be present in a TEK Download Type. 1676 Exactly one attribute matching each type sent in the GSA TEK payload 1677 MUST be present. The attributes must follow the format defined in 1678 IKEv2 (Section 3.3.5 of [RFC7296]). In the table, attributes defined 1679 as TV are marked as Basic (B); attributes defined as TLV are marked 1680 as Variable (V). The terms Reserved, Unassigned, and Private Use are 1681 to be applied as defined in [RFC8126]. The registration procedure is 1682 Expert Review. 1684 TEK KD Attributes Value Type Mandatory 1685 ----------------- ----- ---- --------- 1686 Reserved 0-2 1687 TEK_KEYMAT 3 V Y 1688 Unassigned 4-16383 1689 Private Use 16384-32767 1691 It is possible that the GCKS will send no TEK key packets in a 1692 Registration KD payload (as well as no corresponding GSA TEK payloads 1693 in the GSA payload), after which the TEK payloads will be sent in a 1694 rekey message. 1696 2.5.1.1. TEK_KEYMAT 1698 The TEK_KEYMAT attribute contains keying material for the 1699 corresponding SPI. This keying material will be used with the 1700 transform specified in the GSA TEK payload. The keying material is 1701 treated equivalent to IKEv2 KEYMAT derived for that IPsec transform. 1703 2.5.2. KEK Download Type 1705 The following attributes may be present in a KEK Download Type. 1706 Exactly one attribute matching each type sent in the GSA KEK payload 1707 MUST be present. The attributes must follow the format defined in 1708 IKEv2 (Section 3.3.5 of [RFC7296]). In the table, attributes defined 1709 as TV are marked as Basic (B); attributes defined as TLV are marked 1710 as Variable (V). The terms Reserved, Unassigned, and Private Use are 1711 to be applied as defined in [RFC8126]. The registration procedure is 1712 Expert Review. 1714 KEK KD Attributes Value Type Mandatory 1715 ----------------- ----- ---- --------- 1716 Reserved 0 1717 KEK_ENCR_KEY 1 V Y 1718 KEK_INTEGRITY_KEY 2 V N 1719 KEK_AUTH_KEY 3 V N 1720 Unassigned 4-16383 1721 Private Use 16384-32767 1723 If the KEK Key Packet is included, there MUST be only one present in 1724 the KD payload. 1726 2.5.2.1. KEK_ENCR_KEY 1728 The KEK_ENCR_KEY attribute type declares that the encryption key for 1729 the corresponding SPI is contained in the Key Packet Attribute. The 1730 encryption algorithm that will use this key was specified in the GSA 1731 KEK payload. 1733 2.5.2.2. KEK_INTEGRITY_KEY 1735 The KEK_INTEGRITY_KEY attribute type declares the integrity key for 1736 this SPI is contained in the Key Packet Attribute. The integrity 1737 algorithm that will use this key was specified in the GSA KEK 1738 payload. 1740 2.5.2.3. KEK_AUTH_KEY 1742 The KEK_AUTH_KEY attribute type declares that the authentication key 1743 for this SPI is contained in the Key Packet Attribute. The signature 1744 algorithm that will use this key was specified in the GSA KEK 1745 payload. An RSA public key format is defined in [RFC3447], 1746 Section A.1.1. DSS public key format is defined in [RFC3279] 1747 Section 2.3.2. For ECDSA Public keys, use format described in 1748 [RFC5480] Section 2.2. Other algorithms added to the IKEv2 1749 Authentication Method registry are also expected to include a format 1750 of the public key included in the algorithm specification. 1752 2.5.3. LKH Download Type 1754 The LKH key packet is comprised of attributes representing different 1755 leaves in the LKH key tree. 1757 The following attributes are used to pass an LKH KEK array in the KD 1758 payload. The attributes must follow the format defined in IKEv2 1759 (Section 3.3.5 of [RFC7296]). In the table, attributes defined as TV 1760 are marked as Basic (B); attributes defined as TLV are marked as 1761 Variable (V). The terms Reserved, Unassigned, and Private Use are to 1762 be applied as defined in [RFC8126]. The registration procedure is 1763 Expert Review. 1765 LKH KD Attributes Value Type 1766 ----------------- ----- ---- 1767 Reserved 0 1768 LKH_DOWNLOAD_ARRAY 1 V 1769 LKH_UPDATE_ARRAY 2 V 1770 Unassigned 3-16383 1771 Private Use 16384-32767 1773 If an LKH key packet is included in the KD payload, there MUST be 1774 only one present. 1776 2.5.3.1. LKH_DOWNLOAD_ARRAY 1778 The LKH_DOWNLOAD_ARRAY attribute type is used to download a set of 1779 LKH keys to a group member. It MUST NOT be included in a IKEv2 rekey 1780 message KD payload if the IKEv2 rekey is sent to more than one group 1781 member. If an LKH_DOWNLOAD_ARRAY attribute is included in a KD 1782 payload, there MUST be only one present. 1784 This attribute consists of a header block, followed by one or more 1785 LKH keys. 1787 1 2 3 1788 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1789 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1790 | # of LKH Keys | RESERVED | 1791 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1792 ~ LKH Keys ~ 1793 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1795 Figure 26: LKH_DOWNLOAD_ARRAY Format 1797 The KEK_LKH attribute fields are defined as follows: 1799 o Number of LKH Keys (2 octets) -- This value is the number of 1800 distinct LKH keys in this sequence. 1802 o RESERVED (2 octets) -- Unused, set to zero. 1804 Each LKH Key is defined as follows: 1806 1 2 3 1807 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1808 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1809 | LKH ID | Encr Alg | 1810 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1811 | Key Handle | 1812 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1813 ~ Key Data ~ 1814 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1816 Figure 27: LKH Key Format 1818 o LKH ID (2 octets) -- This is the position of this key in the 1819 binary tree structure used by LKH. 1821 o Encr Alg (2 octets) -- This is the encryption algorithm for which 1822 this key data is to be used. This value is specified in the ENCR 1823 transform in the GSA payload. 1825 o Key Handle (4 octets) -- This is a randomly generated value to 1826 uniquely identify a key within an LKH ID. 1828 o Key Data (variable length) -- This is the actual encryption key 1829 data, which is dependent on the Encr Alg algorithm for its format. 1831 The first LKH Key structure in an LKH_DOWNLOAD_ARRAY attribute 1832 contains the Leaf identifier and key for the group member. The rest 1833 of the LKH Key structures contain keys along the path of the key tree 1834 in the order starting from the leaf, culminating in the group KEK. 1836 2.5.3.2. LKH_UPDATE_ARRAY 1838 The LKH_UPDATE_ARRAY attribute type is used to update the LKH keys 1839 for a group. It is most likely to be included in a G-IKEv2 rekey 1840 message KD payload to rekey the entire group. This attribute 1841 consists of a header block, followed by one or more LKH keys, as 1842 defined in Section 2.5.3.1. 1844 There may be any number of LKH_UPDATE_ARRAY attributes included in a 1845 KD payload. 1847 1 2 3 1848 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1849 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1850 | # of LKH Keys | LKH ID | 1851 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1852 | Key Handle | 1853 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1854 ~ LKH Keys ~ 1855 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1857 Figure 28: LKH_UPDATE_ARRAY Format 1859 o Number of LKH Keys (2 octets) -- This value is the number of 1860 distinct LKH keys in this sequence. 1862 o LKH ID (2 octets) -- This is the node identifier associated with 1863 the key used to encrypt the first LKH Key. 1865 o Key Handle (4 octets) -- This is the value that uniquely 1866 identifies the key within the LKH ID which was used to encrypt the 1867 first LKH key. 1869 The LKH Keys are as defined in Section 2.5.3.1. The LKH Key 1870 structures contain keys along the path of the key tree in the order 1871 from the LKH ID found in the LKH_UPDATE_ARRAY header, culminating in 1872 the group KEK. The Key Data field of each LKH Key is encrypted with 1873 the LKH key preceding it in the LKH_UPDATE_ARRAY attribute. The 1874 first LKH Key is encrypted under the key defined by the LKH ID and 1875 Key Handle found in the LKH_UPDATE_ARRAY header. 1877 2.5.4. SID Download Type 1879 The SID attribute is used to download one or more Sender-ID (SID) 1880 values for the exclusive use of a group member. The terms Reserved, 1881 Unassigned, and Private Use are to be applied as defined in 1882 [RFC8126]. The registration procedure is Expert Review. 1884 SID KD Attributes Value Type 1885 ----------------- ----- ---- 1886 Reserved 0 1887 NUMBER_OF_SID_BITS 1 B 1888 SID_VALUE 2 V 1889 Unassigned 3-16383 1890 Private Use 16384-32767 1892 Because a SID value is intended for a single group member, the SID 1893 Download type MUST NOT be distributed in a GSA_REKEY message 1894 distributed to multiple group members. 1896 2.5.4.1. NUMBER_OF_SID_BITS 1898 The NUMBER_OF_SID_BITS attribute type declares how many bits of the 1899 cipher nonce in which to represent an SID value. The bits are 1900 applied as the most significant bits of the IV, as shown in Figure 1 1901 of [RFC6054] and specified in Section 1.4.6.2. Guidance for a GCKS 1902 choosing the NUMBER_OF_SID_BITS is provided in Section 3 of 1903 [RFC6054]. 1905 This value is applied to each SID value distributed in the SID 1906 Download. 1908 2.5.4.2. SID_VALUE 1910 The SID_VALUE attribute type declares a single SID value for the 1911 exclusive use of this group member. Multiple SID_VALUE attributes 1912 MAY be included in a SID Download. 1914 2.5.4.3. GM Semantics 1916 The SID_VALUE attribute value distributed to the group member MUST be 1917 used by that group member as the SID field portion of the IV for all 1918 Data-Security SAs including a counter-based mode of operation 1919 distributed by the GCKS as a part of this group. When the Sender- 1920 Specific IV (SSIV) field for any Data-Security SA is exhausted, the 1921 group member MUST NOT act as a sender on that SA using its active 1922 SID. The group member SHOULD re-register, at which time the GCKS 1923 will issue a new SID to the group member, along with either the same 1924 Data-Security SAs or replacement ones. The new SID replaces the 1925 existing SID used by this group member, and also resets the SSIV 1926 value to its starting value. A group member MAY re-register prior to 1927 the actual exhaustion of the SSIV field to avoid dropping data 1928 packets due to the exhaustion of available SSIV values combined with 1929 a particular SID value. 1931 A group member MUST ignore an SID Download Type KD payload present in 1932 a GSA-REKEY message, otherwise more than one GM may end up using the 1933 same SID. 1935 2.5.4.4. GCKS Semantics 1937 If any KD payload includes keying material that is associated with a 1938 counter-mode of operation, an SID Download Type KD payload containing 1939 at least one SID_VALUE attribute MUST be included. The GCKS MUST NOT 1940 send the SID Download Type KD payload as part of a GSA_REKEY message, 1941 because distributing the same sender-specific policy to more than one 1942 group member will reduce the security of the group. 1944 2.6. Delete Payload 1946 There are occasions when the GCKS may want to signal to group members 1947 to delete policy at the end of a broadcast, if group policy has 1948 changed, or the GCKS needs to reset the policy and keying material 1949 for the group due to an emergency. Deletion of keys MAY be 1950 accomplished by sending an IKEv2 Delete Payload, section 3.11 of 1951 [RFC7296] as part of a registration or rekey Exchange. Whenever an 1952 SA is to be deleted, the GKCS SHOULD send the Delete Payload in both 1953 registration and rekey exchanges, because GMs with previous group 1954 policy may contact the GCKS using either exchange. 1956 The Protocol ID MUST be 41 for GSA_REKEY Exchange, 2 for AH or 3 for 1957 ESP. Note that only one protocol id value can be defined in a Delete 1958 payload. If a TEK and a KEK SA for GSA_REKEY Exchange must be 1959 deleted, they must be sent in different Delete payloads. Similarly, 1960 if a TEK specifying ESP and a TEK specifying AH need to be deleted, 1961 they must be sent in different Delete payloads. 1963 There may be circumstances where the GCKS may want to reset the 1964 policy and keying material for the group. The GCKS can signal 1965 deletion of all policy of a particular TEK by sending a TEK with a 1966 SPI value equal to zero in the delete payload. In the event that the 1967 administrator is no longer confident in the integrity of the group 1968 they may wish to remove all KEK and all the TEKs in the group. This 1969 is done by having the GCKS send a delete payload with a SPI of zero 1970 and a Protocol-ID of AH or ESP to delete all TEKs, followed by 1971 another delete payload with a SPI value of zero and Protocol-ID of 1972 KEK SA to delete the KEK SA. 1974 2.7. Notify Payload 1976 G-IKEv2 uses the same Notify payload as specified in [RFC7296], 1977 section 3.10. 1979 There are additional Notify Message types introduced by G-IKEv2 to 1980 communicate error conditions and status. 1982 NOTIFY messages - error types Value 1983 ------------------------------------------------------------------- 1984 INVALID_GROUP_ID - 45 1985 AUTHORIZATION_FAILED - 46 1986 REGISTRATION_FAILED - TBD 1988 INVALID_GROUP_ID indicates the group id sent during the registration 1989 process is invalid. 1991 AUTHORIZATION_FAILED is sent in the response to a GSA_AUTH message 1992 when authorization failed. 1994 REGISTRATION_FAILED is sent by the GCKS when the GM registration 1995 request cannot be satisfied. 1997 NOTIFY messages - status types Value 1998 ------------------------------------------------------------------- 1999 SENDER - 16429 2000 REKEY_IS_NEEDED - TBD 2002 SENDER notification is sent in GSA_AUTH or GSA_REGISTRATION to 2003 indicate that the GM intends to be sender of data traffic. The data 2004 includes a count of how many SID values the GM desires. The count 2005 MUST be 4 octets long and contain the big endian representation of 2006 the number of requested SIDs. 2008 REKEY_IS_NEEDED is sent in GSA_AUTH response message to indicate that 2009 the GM must perform an immediate rekey of IKE SA to make it secure 2010 against quantum computers and then start a registration request over. 2012 2.8. Authentication Payload 2014 G-IKEv2 uses the same Authentication payload as specified in 2015 [RFC7296], section 3.8, to sign the rekey message. 2017 3. Security Considerations 2019 3.1. GSA Registration and Secure Channel 2021 G-IKEv2 registration exchange uses IKEv2 IKE_SA_INIT protocols, 2022 inheriting all the security considerations documented in [RFC7296] 2023 section 5 Security Considerations, including authentication, 2024 confidentiality, protection against man-in-the-middle, protection 2025 against replay/reflection attacks, and denial of service protection. 2026 The GSA_AUTH and GSA_REGISTRATION exchanges also take advantage of 2027 those protections. In addition, G-IKEv2 brings in the capability to 2028 authorize a particular group member regardless of whether they have 2029 the IKEv2 credentials. 2031 3.2. GSA Maintenance Channel 2033 The GSA maintenance channel is cryptographically and integrity 2034 protected using the cryptographic algorithm and key negotiated in the 2035 GSA member registration exchanged. 2037 3.2.1. Authentication/Authorization 2039 Authentication is implicit, the public key of the identity is 2040 distributed during the registration, and the receiver of the rekey 2041 message uses that public key and identity to verify the message came 2042 from the authorized GCKS. 2044 3.2.2. Confidentiality 2046 Confidentiality is provided by distributing a confidentiality key as 2047 part of the GSA member registration exchange. 2049 3.2.3. Man-in-the-Middle Attack Protection 2051 GSA maintenance channel is integrity protected by using a digital 2052 signature. 2054 3.2.4. Replay/Reflection Attack Protection 2056 The GSA_REKEY message includes a monotonically increasing sequence 2057 number to protect against replay and reflection attacks. A group 2058 member will recognize a replayed message by comparing the Message ID 2059 number to that of the last received rekey message, any rekey message 2060 containing a Message ID number less than or equal to the last 2061 received value MUST be discarded. Implementations should keep a 2062 record of recently received GSA rekey messages for this comparison. 2064 4. IANA Considerations 2066 4.1. New Registries 2068 A new set of registries should be created for G-IKEv2, on a new page 2069 titled Group Key Management using IKEv2 (G-IKEv2) Parameters. The 2070 following registries should be placed on that page. The terms 2071 Reserved, Expert Review and Private Use are to be applied as defined 2072 in [RFC8126]. 2074 GSA Policy Type Registry, see Section 2.4.1 2075 KEK Attributes Registry, see Section 2.4.2.1 2077 KEK Management Algorithm Registry, see Section 2.4.2.1.1 2079 GSA TEK Payload Protocol ID Type Registry, see Section 2.4.3 2081 TEK Attributes Registry, see Section 2.4.3 2083 Key Download Type Registry, see Section 2.5 2085 TEK Download Type Attributes Registry, see Section 2.5.1 2087 KEK Download Type Attributes Registry, see Section 2.5.2 2089 LKH Download Type Attributes Registry, see Section 2.5.3 2091 SID Download Type Attributes Registry, see Section 2.5.4 2093 4.2. New Payload and Exchange Types Added to the Existing IKEv2 2094 Registry 2096 The following new payloads and exchange types specified in this memo 2097 have already been allocated by IANA and require no further action, 2098 other than replacing the draft name with an RFC number. 2100 The present document describes new IKEv2 Next Payload types, see 2101 Section 2.1 2103 The present document describes new IKEv2 Exchanges types, see 2104 Section 2.1 2106 The present document describes new IKEv2 notification types, see 2107 Section 2.7 2109 4.3. Changes to Previous Allocations 2111 Section 4.7 indicates an allocation in the IKEv2 Notify Message Types 2112 - Status Types registry has been made. This NOTIFY type was 2113 allocated earlier in the development of G-IKEv2. The number is 2114 16429, and was allocated with the name SENDER_REQUEST_ID. The name 2115 should be changed to SENDER. 2117 5. Acknowledgements 2119 The authors thank Lakshminath Dondeti and Jing Xiang for first 2120 exploring the use of IKEv2 for group key management and providing the 2121 basis behind the protocol. Mike Sullenberger and Amjad Inamdar were 2122 instrumental in helping resolve many issues in several versions of 2123 the document. 2125 6. Contributors 2127 The following individuals made substantial contributions to early 2128 versions of this memo. 2130 Sheela Rowles 2131 Cisco Systems 2132 170 W. Tasman Drive 2133 San Jose, California 95134-1706 2134 USA 2136 Phone: +1-408-527-7677 2137 Email: sheela@cisco.com 2139 Aldous Yeung 2140 Cisco Systems 2141 170 W. Tasman Drive 2142 San Jose, California 95134-1706 2143 USA 2145 Phone: +1-408-853-2032 2146 Email: cyyeung@cisco.com 2148 Paulina Tran 2149 Cisco Systems 2150 170 W. Tasman Drive 2151 San Jose, California 95134-1706 2152 USA 2154 Phone: +1-408-526-8902 2155 Email: ptran@cisco.com 2157 Yoav Nir 2158 Dell EMC 2159 9 Andrei Sakharov St 2160 Haifa 3190500 2161 Israel 2163 Email: ynir.ietf@gmail.com 2165 7. References 2166 7.1. Normative References 2168 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 2169 Requirement Levels", BCP 14, RFC 2119, 2170 DOI 10.17487/RFC2119, March 1997, 2171 . 2173 [RFC2627] Wallner, D., Harder, E., and R. Agee, "Key Management for 2174 Multicast: Issues and Architectures", RFC 2627, 2175 DOI 10.17487/RFC2627, June 1999, 2176 . 2178 [RFC3740] Hardjono, T. and B. Weis, "The Multicast Group Security 2179 Architecture", RFC 3740, DOI 10.17487/RFC3740, March 2004, 2180 . 2182 [RFC4046] Baugher, M., Canetti, R., Dondeti, L., and F. Lindholm, 2183 "Multicast Security (MSEC) Group Key Management 2184 Architecture", RFC 4046, DOI 10.17487/RFC4046, April 2005, 2185 . 2187 [RFC4301] Kent, S. and K. Seo, "Security Architecture for the 2188 Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, 2189 December 2005, . 2191 [RFC6054] McGrew, D. and B. Weis, "Using Counter Modes with 2192 Encapsulating Security Payload (ESP) and Authentication 2193 Header (AH) to Protect Group Traffic", RFC 6054, 2194 DOI 10.17487/RFC6054, November 2010, 2195 . 2197 [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. 2198 Kivinen, "Internet Key Exchange Protocol Version 2 2199 (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October 2200 2014, . 2202 [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for 2203 Writing an IANA Considerations Section in RFCs", BCP 26, 2204 RFC 8126, DOI 10.17487/RFC8126, June 2017, 2205 . 2207 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2208 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2209 May 2017, . 2211 7.2. Informative References 2213 [I-D.ietf-ipsecme-qr-ikev2] 2214 Fluhrer, S., McGrew, D., Kampanakis, P., and V. Smyslov, 2215 "Mixing Preshared Keys in IKEv2 for Post-quantum 2216 Resistance", draft-ietf-ipsecme-qr-ikev2-10 (work in 2217 progress), December 2019. 2219 [I-D.smyslov-ipsecme-ikev2-qr-alt] 2220 Smyslov, V., "An Alternative Approach for Postquantum 2221 Preshared Keys in IKEv2", draft-smyslov-ipsecme-ikev2-qr- 2222 alt-00 (work in progress), October 2019. 2224 [I-D.tjhai-ipsecme-hybrid-qske-ikev2] 2225 Tjhai, C., Tomlinson, M., grbartle@cisco.com, g., Fluhrer, 2226 S., Geest, D., Garcia-Morchon, O., and V. Smyslov, 2227 "Framework to Integrate Post-quantum Key Exchanges into 2228 Internet Key Exchange Protocol Version 2 (IKEv2)", draft- 2229 tjhai-ipsecme-hybrid-qske-ikev2-04 (work in progress), 2230 July 2019. 2232 [IKEV2-IANA] 2233 IANA, "Internet Key Exchange Version 2 (IKEv2) 2234 Parameters", . 2237 [NNL] Naor, D., Noal, M., and J. Lotspiech, "Revocation and 2238 Tracing Schemes for Stateless Receivers", Advances in 2239 Cryptology, Crypto '01, Springer-Verlag LNCS 2139, 2001, 2240 pp. 41-62, 2001, 2241 . 2243 [OFT] McGrew, D. and A. Sherman, "Key Establishment in Large 2244 Dynamic Groups Using One-Way Function Trees", Manuscript, 2245 submitted to IEEE Transactions on Software Engineering, 2246 1998, . 2249 [RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange 2250 (IKE)", RFC 2409, DOI 10.17487/RFC2409, November 1998, 2251 . 2253 [RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and 2254 Identifiers for the Internet X.509 Public Key 2255 Infrastructure Certificate and Certificate Revocation List 2256 (CRL) Profile", RFC 3279, DOI 10.17487/RFC3279, April 2257 2002, . 2259 [RFC3447] Jonsson, J. and B. Kaliski, "Public-Key Cryptography 2260 Standards (PKCS) #1: RSA Cryptography Specifications 2261 Version 2.1", RFC 3447, DOI 10.17487/RFC3447, February 2262 2003, . 2264 [RFC3686] Housley, R., "Using Advanced Encryption Standard (AES) 2265 Counter Mode With IPsec Encapsulating Security Payload 2266 (ESP)", RFC 3686, DOI 10.17487/RFC3686, January 2004, 2267 . 2269 [RFC4106] Viega, J. and D. McGrew, "The Use of Galois/Counter Mode 2270 (GCM) in IPsec Encapsulating Security Payload (ESP)", 2271 RFC 4106, DOI 10.17487/RFC4106, June 2005, 2272 . 2274 [RFC4309] Housley, R., "Using Advanced Encryption Standard (AES) CCM 2275 Mode with IPsec Encapsulating Security Payload (ESP)", 2276 RFC 4309, DOI 10.17487/RFC4309, December 2005, 2277 . 2279 [RFC4543] McGrew, D. and J. Viega, "The Use of Galois Message 2280 Authentication Code (GMAC) in IPsec ESP and AH", RFC 4543, 2281 DOI 10.17487/RFC4543, May 2006, 2282 . 2284 [RFC5374] Weis, B., Gross, G., and D. Ignjatic, "Multicast 2285 Extensions to the Security Architecture for the Internet 2286 Protocol", RFC 5374, DOI 10.17487/RFC5374, November 2008, 2287 . 2289 [RFC5480] Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk, 2290 "Elliptic Curve Cryptography Subject Public Key 2291 Information", RFC 5480, DOI 10.17487/RFC5480, March 2009, 2292 . 2294 [RFC5723] Sheffer, Y. and H. Tschofenig, "Internet Key Exchange 2295 Protocol Version 2 (IKEv2) Session Resumption", RFC 5723, 2296 DOI 10.17487/RFC5723, January 2010, 2297 . 2299 [RFC6407] Weis, B., Rowles, S., and T. Hardjono, "The Group Domain 2300 of Interpretation", RFC 6407, DOI 10.17487/RFC6407, 2301 October 2011, . 2303 [RFC6467] Kivinen, T., "Secure Password Framework for Internet Key 2304 Exchange Version 2 (IKEv2)", RFC 6467, 2305 DOI 10.17487/RFC6467, December 2011, 2306 . 2308 [RFC7383] Smyslov, V., "Internet Key Exchange Protocol Version 2 2309 (IKEv2) Message Fragmentation", RFC 7383, 2310 DOI 10.17487/RFC7383, November 2014, 2311 . 2313 [RFC7427] Kivinen, T. and J. Snyder, "Signature Authentication in 2314 the Internet Key Exchange Version 2 (IKEv2)", RFC 7427, 2315 DOI 10.17487/RFC7427, January 2015, 2316 . 2318 [RFC8229] Pauly, T., Touati, S., and R. Mantha, "TCP Encapsulation 2319 of IKE and IPsec Packets", RFC 8229, DOI 10.17487/RFC8229, 2320 August 2017, . 2322 Appendix A. Use of LKH in G-IKEv2 2324 Section 5.4 of [RFC2627] describes the LKH architecture, and how a 2325 GCKS uses LKH to exclude group members. This section clarifies how 2326 the LKH architecture is used with G-IKEv2. 2328 A.1. Group Creation 2330 When a GCKS forms a group, it creates a key tree as shown in the 2331 figure below. The key tree contains logical keys (represented as 2332 numbers in the figure) and a private key shared with only a single GM 2333 (represented as letters in the figure). Note that the use of numbers 2334 and letters is used for explanatory purposes; in fact, each key would 2335 have an LKH ID, which is two-octet identifier chosen by the GCKS. 2336 The GCKS may create a complete tree as shown, or a partial tree which 2337 is created on demand as members join the group. The top of the key 2338 tree (i.e., "1" in Figure 29) is used as the KEK for the group. 2340 1 2341 +------------------------------+ 2342 2 3 2343 +---------------+ +---------------+ 2344 4 5 6 7 2345 +-------+ +-------+ +--------+ +--------+ 2346 A B C D E F G H 2348 Figure 29: Initial LKH tree 2350 When GM "A" joins the group, the GCKS provides an LKH_DOWNLOAD_ARRAY 2351 in the KD payload of the GSA_AUTH or GSA_REGISTRATION exchange. 2352 Given the tree shown in figure above, the LKH_DOWNLOAD_ARRAY will 2353 contain four LKH Key payloads, each containing an LKH ID and Key 2354 Data. If the LKH ID values were chosen as shown in the figure, four 2355 LKH Keys would be provided to GM "A", in the following order: A, 4, 2356 2, 1. When GM "B" joins the group, it would also be given four LKH 2357 Keys in the following order: B, 4, 2, 1. And so on, until GM "H" 2358 joins the group and is given H, 7, 3, 1. 2360 A.2. Group Member Exclusion 2362 If the GKCS has reason to believe that a GM should be excluded, then 2363 it can do so by sending a GSA_REKEY exchange that includes a set of 2364 LKH_UPDATE_ARRAY attributes in the KD payload. Each LKH_UPDATE_ARRAY 2365 contains a set of LKH Key payloads, in which every GM other than the 2366 excluded GM will be able to determine a set of new logical keys, 2367 which culminate in a new key "1". The excluded GM will observe the 2368 set of LKH_UPDATE_ARRAY attributes, but cannot determine the new 2369 logical keys because each of the "Key Data" fields is encrypted with 2370 a key held by other GMs. The GM will hold no keys to properly 2371 decrypt any of the "Key Data" fields, including key "1" (i.e., the 2372 new KEK). When a subsequent GSA_REKEY exchange is delivered by the 2373 GCKS and protected by the new KEK, the excluded GM will no longer be 2374 able to see the contents of the GSA_REKEY, including new TEKs that 2375 will be delivered to replace existing TEKs. At this point, the GM 2376 will no longer be able to participate in the group. 2378 In the example below, new keys are represented as the number followed 2379 by a "prime" symbol (e.g., "1" becomes "1'"). Each key is encrypted 2380 by another key. This is represented as "{key1}key2", where key2 2381 encrypts key1. For example, "{1'}2' states that a new key "1'" is 2382 encrypted with a new key "2'". 2384 If GM "B" is to be excluded, the GCKS will need to include three 2385 LKH_UPDATE_ARRAY attributes in the GSA_REKEY message. The order of 2386 the attributes does not matter; only the order of the keys within 2387 each attribute. 2389 o One will provide GM "A" with new logical keys that are shared with 2390 B: {4'}A, {2'}4', {1'}2' 2392 o One will provide all GMs holding key "5" with new logical keys: 2393 {2'}5, {1'}2' 2395 o One will provide all GMs holding key "3" with a new KEK: {1'}3 2397 Each GM will look at each LKH_UPDATE_ARRAY attribute and observe an 2398 LKH ID which is present in an LKH Key delivered to them in the 2399 LKH_DOWNLOAD_ARRAY they were given. If they find a matching LKH ID, 2400 then they will decrypt the new key with the logical key immediately 2401 preceding that LKH Key, and so on until they have received the new 1' 2402 key. 2404 The resulting key tree from this rekey event would would be shown in 2405 Figure 30. 2407 1' 2408 +------------------------------+ 2409 2' 3 2410 +---------------+ +---------------+ 2411 4' 5 6 7 2412 +---+ +-------+ +--------+ +--------+ 2413 A B C D E F G H 2415 Figure 30: LKH tree after B has been excluded 2417 Authors' Addresses 2419 Brian Weis 2420 Independent 2421 USA 2423 Email: bew.stds@gmail.com 2425 Valery Smyslov 2426 ELVIS-PLUS 2427 PO Box 81 2428 Moscow (Zelenograd) 124460 2429 Russian Federation 2431 Phone: +7 495 276 0211 2432 Email: svan@elvis.ru