idnits 2.17.1 draft-ietf-ipsecme-g-ikev2-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (January 10, 2022) is 834 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'CERTREQ' is mentioned on line 2129, but not defined == Missing Reference: 'N' is mentioned on line 912, but not defined == Missing Reference: 'AUTH' is mentioned on line 912, but not defined == Outdated reference: A later version (-12) exists of draft-ietf-ipsecme-ikev2-multiple-ke-04 == Outdated reference: A later version (-09) exists of draft-smyslov-ipsecme-ikev2-qr-alt-04 -- Obsolete informational reference (is this intentional?): RFC 2409 (Obsoleted by RFC 4306) -- Obsolete informational reference (is this intentional?): RFC 8229 (Obsoleted by RFC 9329) Summary: 0 errors (**), 0 flaws (~~), 6 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group V. Smyslov 3 Internet-Draft ELVIS-PLUS 4 Obsoletes: 6407 (if approved) B. Weis 5 Intended status: Standards Track Independent 6 Expires: July 14, 2022 January 10, 2022 8 Group Key Management using IKEv2 9 draft-ietf-ipsecme-g-ikev2-04 11 Abstract 13 This document presents an extension to the Internet Key Exchange 14 version 2 (IKEv2) protocol for the purpose of a group key management. 15 The protocol is in conformance with the Multicast Security (MSEC) key 16 management architecture, which contains two components: member 17 registration and group rekeying. Both components require a Group 18 Controller/Key Server to download IPsec group security associations 19 to authorized members of a group. The group members then exchange IP 20 multicast or other group traffic as IPsec packets. This document 21 obsoletes RFC 6407. 23 Status of This Memo 25 This Internet-Draft is submitted in full conformance with the 26 provisions of BCP 78 and BCP 79. 28 Internet-Drafts are working documents of the Internet Engineering 29 Task Force (IETF). Note that other groups may also distribute 30 working documents as Internet-Drafts. The list of current Internet- 31 Drafts is at https://datatracker.ietf.org/drafts/current/. 33 Internet-Drafts are draft documents valid for a maximum of six months 34 and may be updated, replaced, or obsoleted by other documents at any 35 time. It is inappropriate to use Internet-Drafts as reference 36 material or to cite them other than as "work in progress." 38 This Internet-Draft will expire on July 14, 2022. 40 Copyright Notice 42 Copyright (c) 2022 IETF Trust and the persons identified as the 43 document authors. All rights reserved. 45 This document is subject to BCP 78 and the IETF Trust's Legal 46 Provisions Relating to IETF Documents 47 (https://trustee.ietf.org/license-info) in effect on the date of 48 publication of this document. Please review these documents 49 carefully, as they describe your rights and restrictions with respect 50 to this document. Code Components extracted from this document must 51 include Simplified BSD License text as described in Section 4.e of 52 the Trust Legal Provisions and are provided without warranty as 53 described in the Simplified BSD License. 55 Table of Contents 57 1. Introduction and Overview . . . . . . . . . . . . . . . . . . 3 58 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 5 59 1.2. G-IKEv2 Integration into IKEv2 Protocol . . . . . . . . . 5 60 1.2.1. G-IKEv2 Transport and Port . . . . . . . . . . . . . 6 61 1.2.2. IKEv2 Header Initialization . . . . . . . . . . . . . 6 62 1.3. G-IKEv2 Protocol . . . . . . . . . . . . . . . . . . . . 6 63 1.3.1. G-IKEv2 Payloads . . . . . . . . . . . . . . . . . . 6 64 1.4. G-IKEv2 Member Registration and Secure Channel 65 Establishment . . . . . . . . . . . . . . . . . . . . . . 7 66 1.4.1. GSA_AUTH exchange . . . . . . . . . . . . . . . . . . 7 67 1.4.2. GSA_REGISTRATION Exchange . . . . . . . . . . . . . . 9 68 1.4.3. GM Registration Operations . . . . . . . . . . . . . 10 69 1.4.4. GCKS Registration Operations . . . . . . . . . . . . 12 70 1.4.5. Group Maintenance Channel . . . . . . . . . . . . . . 13 71 1.4.6. Counter-based modes of operation . . . . . . . . . . 21 72 2. Group Key Management and Access Control . . . . . . . . . . . 23 73 2.1. Key Wrap Keys . . . . . . . . . . . . . . . . . . . . . . 23 74 2.1.1. Default Key Wrap Key . . . . . . . . . . . . . . . . 24 75 2.2. GCKS Key Management Semantics . . . . . . . . . . . . . . 24 76 2.2.1. Forward Access Control Requirements . . . . . . . . . 25 77 2.3. GM Key Management Semantics . . . . . . . . . . . . . . . 25 78 2.4. Group SA Keys . . . . . . . . . . . . . . . . . . . . . . 27 79 3. Header and Payload Formats . . . . . . . . . . . . . . . . . 28 80 3.1. G-IKEv2 Header . . . . . . . . . . . . . . . . . . . . . 28 81 3.2. Group Identification Payload . . . . . . . . . . . . . . 28 82 3.3. Security Association - GM Supported Transforms Payload . 28 83 3.4. Group Security Association Payload . . . . . . . . . . . 28 84 3.4.1. Group Policies . . . . . . . . . . . . . . . . . . . 29 85 3.4.2. Group Security Association Policy Substructure . . . 30 86 3.4.3. Group Associated Policy Substructure . . . . . . . . 35 87 3.5. Key Download Payload . . . . . . . . . . . . . . . . . . 37 88 3.5.1. Wrapped Key Format . . . . . . . . . . . . . . . . . 38 89 3.5.2. Group Key Packet Substructure . . . . . . . . . . . . 39 90 3.5.3. Member Key Packet Substructure . . . . . . . . . . . 41 91 3.6. Delete Payload . . . . . . . . . . . . . . . . . . . . . 44 92 3.7. Notify Payload . . . . . . . . . . . . . . . . . . . . . 44 93 3.7.1. USE_TRANSPORT_MODE Notification . . . . . . . . . . . 45 94 3.8. Authentication Payload . . . . . . . . . . . . . . . . . 45 95 4. Interaction with other IKEv2 Protocol Extensions . . . . . . 46 96 4.1. Mixing Preshared Keys in IKEv2 for Post-quantum Security 46 98 5. Security Considerations . . . . . . . . . . . . . . . . . . . 48 99 5.1. GSA Registration and Secure Channel . . . . . . . . . . . 48 100 5.2. GSA Maintenance Channel . . . . . . . . . . . . . . . . . 48 101 5.2.1. Authentication/Authorization . . . . . . . . . . . . 48 102 5.2.2. Confidentiality . . . . . . . . . . . . . . . . . . . 48 103 5.2.3. Man-in-the-Middle Attack Protection . . . . . . . . . 48 104 5.2.4. Replay/Reflection Attack Protection . . . . . . . . . 49 105 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 49 106 6.1. New Registries . . . . . . . . . . . . . . . . . . . . . 49 107 6.2. Changes in the Existing IKEv2 Registries . . . . . . . . 51 108 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 52 109 8. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 52 110 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 53 111 9.1. Normative References . . . . . . . . . . . . . . . . . . 53 112 9.2. Informative References . . . . . . . . . . . . . . . . . 54 113 Appendix A. Use of LKH in G-IKEv2 . . . . . . . . . . . . . . . 57 114 A.1. Notation . . . . . . . . . . . . . . . . . . . . . . . . 57 115 A.2. Group Creation . . . . . . . . . . . . . . . . . . . . . 57 116 A.3. Simple Group SA Rekey . . . . . . . . . . . . . . . . . . 58 117 A.4. Group Member Exclusion . . . . . . . . . . . . . . . . . 59 118 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 60 120 1. Introduction and Overview 122 A group key management protocol provides IPsec keys and policy to a 123 set of IPsec devices which are authorized to communicate using a 124 Group Security Association (GSA) defined in [RFC3740]. The data 125 communications within the group (e.g., IP multicast packets) are 126 protected by a key pushed to the group members (GMs) by the Group 127 Controller/Key Server (GCKS). This document presents an extension to 128 IKEv2 [RFC7296] called G-IKEv2, that allows to perform a group key 129 management. 131 G-IKEv2 conforms to the Multicast Group Security Architecture 132 [RFC3740], Multicast Extensions to the Security Architecture for the 133 Internet Protocol [RFC5374] and the Multicast Security (MSEC) Group 134 Key Management Architecture [RFC4046]. G-IKEv2 replaces GDOI 135 [RFC6407], which defines a similar group key management protocol 136 using IKEv1 [RFC2409] (since deprecated by IKEv2). When G-IKEv2 is 137 used, group key management use cases can benefit from the simplicity, 138 increased robustness and cryptographic improvements of IKEv2 (see 139 Appendix A of [RFC7296]. 141 A GM begins a "registration" exchange when it first joins the group. 142 With G-IKEv2, the GCKS authenticates and authorizes GMs, then pushes 143 policy and keys used by the group to the GM. G-IKEv2 includes two 144 "registration" exchanges. The first is the GSA_AUTH exchange ( 145 Section 1.4.1), which follows an IKE_SA_INIT exchange. The second is 146 the GSA_REGISTRATION exchange (Section 1.4.2), which a GM can use 147 within an established IKE SA. Group rekeys are accomplished using 148 either the GSA_REKEY pseudo-exchange (a single message distributed to 149 all GMs, usually as a multicast message), or as a GSA_INBAND_REKEY 150 exchange delivered individually to group members using existing IKE 151 SAs). 153 Large and small groups may use different sets of these protocols. 154 When a large group of devices are communicating, the GCKS is likely 155 to use the GSA_REKEY message for efficiency. This is shown in 156 Figure 1. (Note: For clarity, IKE_SA_INIT is omitted from the 157 figure.) 159 +--------+ 160 +------------->| GCKS |<-------------+ 161 | +--------+ | 162 | | ^ | 163 | | | | 164 | | GSA_AUTH | 165 | | or | 166 | | GSA_REGISTRATION | 167 | | | | 168 GSA_AUTH | | GSA_AUTH 169 or GSA_REKEY | or 170 GSA_REGISTRATION | | GSA_REGISTRATION 171 | | | | 172 | +------------+-----------------+ | 173 | | | | | | 174 v v v v v v 175 +-------+ +--------+ +-------+ 176 | GM | ... | GM | ... | GM | 177 +-------+ +--------+ +-------+ 178 ^ ^ ^ 179 | | | 180 +-------ESP-------+-------ESP------+ 182 Figure 1: G-IKEv2 used in large groups 184 Alternatively, a small group may simply use the GSA_AUTH as a 185 registration protocol, where the GCKS issues rekeys using the 186 GSA_INBAND_REKEY within the same IKEv2 SA. The GCKS is also likely 187 to be a GM in a small group (as shown in Figure 2.) 188 GSA_AUTH, GSA_INBAND_REKEY 189 +-----------------------------------------------+ 190 | | 191 | GSA_AUTH, GSA_INBAND_REKEY | 192 | +-----------------------------+ | 193 | | | | 194 | | GSA_AUTH, GSA_INBAND_REKEY | | 195 | | +--------+ | | 196 v v v v v v 197 +---------+ +----+ +----+ +----+ 198 | GCKS/GM | | GM | | GM | | GM | 199 +---------+ +----+ +----+ +----+ 200 ^ ^ ^ ^ 201 | | | | 202 +----ESP-----+------ESP-------+-----ESP-----+ 204 Figure 2: G-IKEv2 used in small groups 206 IKEv2 message semantics are preserved in that all communications 207 consists of message request-response pairs. The exception to this 208 rule is the GSA_REKEY pseudo-exchange, which is a single message 209 delivering group updates to the GMs. 211 1.1. Requirements Language 213 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 214 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 215 "OPTIONAL" in this document are to be interpreted as described in BCP 216 14 [RFC2119] [RFC8174] when, and only when, they appear in all 217 capitals, as shown here. 219 1.2. G-IKEv2 Integration into IKEv2 Protocol 221 G-IKEv2 uses the security mechanisms of IKEv2 (peer authentication, 222 confidentiality, message integrity) to ensure that only authenticated 223 devices have access to the group policy and keys. The G-IKEv2 224 exchange further provides group authorization, and secure policy and 225 key download from the GCKS to GMs. Some IKEv2 extensions require 226 special handling if used with G-IKEv2. See Section 4 for more 227 details. 229 It is assumed that readers are familiar with the IKEv2 protocol, so 230 this document skips many details that are described in [RFC7296]. 232 1.2.1. G-IKEv2 Transport and Port 234 G-IKEv2 SHOULD use UDP port 848, the same as GDOI [RFC6407], because 235 they serve a similar function. They can use the same ports, just as 236 IKEv1 and IKEv2 can share port 500. The version number in the IKE 237 header distinguishes the G-IKEv2 protocol from GDOI protocol 238 [RFC6407]. G-IKEv2 MAY also use the IKEv2 ports (500, 4500), which 239 would provide a better integration with IKEv2. G-IKEv2 MAY also use 240 TCP transport for registration (unicast) IKE SA, as defined in 241 [RFC8229]. 243 1.2.2. IKEv2 Header Initialization 245 The Major Version is (2) and Minor Version is (0) according to IKEv2 246 [RFC7296], and maintained in this document. The G-IKEv2 IKE_SA_INIT, 247 GSA_AUTH, GSA_REGISTRATION and GSA_INBAND_REKEY use the IKE SPI 248 according to IKEv2 [RFC7296], section 2.6. 250 1.3. G-IKEv2 Protocol 252 1.3.1. G-IKEv2 Payloads 254 In the following descriptions, the payloads contained in the G-IKEv2 255 messages are indicated by names as listed below. 257 Notation Payload 258 ------------------------------------------------------------ 259 AUTH Authentication 260 CERT Certificate 261 CERTREQ Certificate Request 262 D Delete 263 GSA Group Security Association 264 HDR IKEv2 Header 265 IDg Identification - Group 266 IDi Identification - Initiator 267 IDr Identification - Responder 268 KD Key Download 269 KE Key Exchange 270 Ni, Nr Nonce 271 N Notify 272 SA Security Association 273 SAg Security Association - GM Supported Transforms 275 Payloads defined as part of other IKEv2 extensions MAY also be 276 included in these messages. Payloads that may optionally appear in 277 G-IKEv2 messages will be shown in brackets, such as [CERTREQ]. 279 G-IKEv2 defines several new payloads not used in IKEv2: 281 o IDg (Group ID) - The GM requests the GCKS for membership into the 282 group by sending its IDg payload. 284 o GSA (Group Security Association) - The GCKS sends the group policy 285 to the GM using this payload. 287 o KD (Key Download) - The GCKS sends the keys and the security 288 parameters to the GMs using the KD payload. 290 o SAg (Security Association - GM Supported Transforms) - the GM 291 sends supported transforms, so that GCKS may select a policy 292 appropriate for all members of the group. 294 The details of the contents of each payload are described in 295 Section 3. 297 1.4. G-IKEv2 Member Registration and Secure Channel Establishment 299 The registration protocol consists of a minimum of two messages 300 exchanges, IKE_SA_INIT and GSA_AUTH; member registration may have a 301 few more messages exchanged if the EAP method, cookie challenge (for 302 DoS protection) or negotiation of Diffie-Hellman group is included. 303 Each exchange consists of request/response pairs. The first exchange 304 IKE_SA_INIT is defined in IKEv2 [RFC7296]. This exchange negotiates 305 cryptographic algorithms, exchanges nonces and does a Diffie-Hellman 306 exchange between the group member (GM) and the Group Controller/Key 307 Server (GCKS). 309 The second exchange GSA_AUTH authenticates the previous messages, 310 exchanges identities and certificates. These messages are encrypted 311 and integrity protected with keys established through the IKE_SA_INIT 312 exchange, so the identities are hidden from eavesdroppers and all 313 fields in all the messages are authenticated. The GCKS SHOULD 314 authorize group members to be allowed into the group as part of the 315 GSA_AUTH exchange. Once the GCKS accepts a group member to join a 316 group it will download the data security keys (TEKs) and/or group key 317 encrypting key (KEK) or KEK array as part of the GSA_AUTH response 318 message. 320 1.4.1. GSA_AUTH exchange 322 After the group member and GCKS use the IKE_SA_INIT exchange to 323 negotiate cryptographic algorithms, exchange nonces, and perform a 324 Diffie-Hellman exchange as defined in IKEv2 [RFC7296], the GSA_AUTH 325 exchange MUST complete before any other exchanges can be done. The 326 security properties of the GSA_AUTH exchange are the same as the 327 properties of the IKE_AUTH exchange. It is used to authenticate the 328 IKE_SA_INIT messages, exchange identities and certificates. G-IKEv2 329 also uses this exchange for group member registration and 330 authorization. Even though the IKE_AUTH does contain the SA2, TSi, 331 and TSr payload the GSA_AUTH does not. They are not needed because 332 policy is not negotiated between the group member and the GCKS, but 333 instead downloaded from the GCKS to the group member. 335 Initiator (Member) Responder (GCKS) 336 -------------------- ------------------ 337 HDR, SK{IDi, [CERT,] [CERTREQ,] [IDr,] 338 AUTH, IDg, [SAg,] [N]} --> 340 Figure 3: GSA_AUTH Request 342 After the IKE_SA_INIT exchange completes, the group member initiates 343 a GSA_AUTH request to join a group indicated by the IDg payload. The 344 GM MAY include an SAg payload declaring which Transforms it is 345 willing to accept. A GM that intends to emit data packets SHOULD 346 include a Notify payload status type of SENDER, which enables the 347 GCKS to provide any additional policy necessary by group senders. 349 Initiator (Member) Responder (GCKS) 350 -------------------- ------------------ 351 <-- HDR, SK{IDr, [CERT,] 352 AUTH, [GSA, KD,] [N,] [D]} 354 Figure 4: GSA_AUTH Normal Response 356 The GCKS responds with IDr, optional CERT, and AUTH material as if it 357 were an IKE_AUTH. It also informs the group member of the 358 cryptographic policies of the group in the GSA payload and the key 359 material in the KD payload. The GCKS can also include a Delete (D) 360 payload instructing the group member to delete existing SAs it might 361 have as the result of a previous group member registration. Note, 362 that since the GCKS generally doesn't know which SAs the GM has, the 363 SPI field in the Delete payload(s) SHOULD be set to zero in this 364 case. (See more discussion on the Delete payload in Section 3.6.) 366 In addition to the IKEv2 error handling, the GCKS can reject the 367 registration request when the IDg is invalid or authorization fails, 368 etc. In these cases, see Section 3.7, the GSA_AUTH response will not 369 include the GSA and KD, but will include a Notify payload indicating 370 errors. If the group member included an SAg payload, and the GCKS 371 chooses to evaluate it, and it detects that that group member cannot 372 support the security policy defined for the group, then the GCKS 373 SHOULD return a NO_PROPOSAL_CHOSEN. Other types of notifications can 374 be AUTHORIZATION_FAILED or REGISTRATION_FAILED. 376 Initiator (Member) Responder (GCKS) 377 -------------------- ------------------ 378 <-- HDR, SK{IDr, [CERT,] AUTH, N} 380 Figure 5: GSA_AUTH Error Response 382 If the group member finds the policy sent by the GCKS is 383 unacceptable, the member SHOULD initiate GSA_REGISTRATION exchange 384 sending IDg and the Notify NO_PROPOSAL_CHOSEN (see Section 1.4.2)). 386 1.4.2. GSA_REGISTRATION Exchange 388 When a secure channel is already established between a GM and the 389 GCKS, the GM registration for a group can reuse the established 390 secure channel. In this scenario the GM will use the 391 GSA_REGISTRATION exchange. Payloads in the exchange are generated 392 and processed as defined in Section 1.4.1. 394 Initiator (Member) Responder (GCKS) 395 -------------------- ------------------ 396 HDR, SK{IDg, [SAg,][N ]} --> 397 <-- HDR, SK{GSA,] [N,] [D]} 399 Figure 6: GSA_REGISTRATION Normal Exchange 401 As with GSA_AUTH exchange, the GCKS can reject the registration 402 request when the IDg is invalid or authorization fails, or GM cannot 403 support the security policy defined for the group (which can be 404 concluded by GCKS by evaluation of SAg payload). In this case the 405 GCKS returns an appropriate error notification as described in 406 Section 1.4.1. 408 Initiator (Member) Responder (GCKS) 409 -------------------- ------------------ 410 HDR, SK{IDg, [SAg,] [N]} --> 411 <-- HDR, SK{N} 413 Figure 7: GSA_REGISTRATION Error Exchange 415 This exchange can also be used if the group member finds the policy 416 sent by the GCKS is unacceptable or for some reason wants to leave 417 the group. The group member SHOULD notify the GCKS by sending IDg 418 and the Notify type NO_PROPOSAL_CHOSEN or REGISTRATION_FAILED, as 419 shown below. The GCKS in this case MUST remove the GM from the group 420 IDg. 422 Initiator (Member) Responder (GCKS) 423 -------------------- ------------------ 424 HDR, SK{IDg, N} --> 425 <-- HDR, SK{} 427 Figure 8: GM Reporting Errors in GSA_REGISTRATION Exchange 429 1.4.3. GM Registration Operations 431 A G-IKEv2 Initiator (GM) requesting registration contacts the GCKS 432 using the IKE_SA_INIT exchange and receives the response from the 433 GCKS. This exchange is unchanged from the IKE_SA_INIT in IKEv2 434 protocol. 436 Upon completion of parsing and verifying the IKE_SA_INIT response, 437 the GM sends the GSA_AUTH message with the IKEv2 payloads from 438 IKE_AUTH (without the SAi2, TSi and TSr payloads) along with the 439 Group ID informing the GCKS of the group the initiator wishes to 440 join. An initiator intending to emit data traffic SHOULD send a 441 SENDER Notify payload status. The SENDER notification not only 442 signifies that it is a sender, but provides the initiator the ability 443 to request Sender-ID values, in case the data security SA supports a 444 counter mode cipher. Section 1.4.6) includes guidance on requesting 445 Sender-ID values. 447 A GM may be limited in the types of Transforms that it is able or 448 willing to use, and may find it useful to inform the GCKS which 449 Transforms it is willing to accept for different security protocols. 450 Proposals for Rekey SA (with protocol GIKE_REKEY) and for data 451 security (AH [RFC4302] and/or ESP [RFC4303]) SAs may be included into 452 SAg. Each Proposal contains a list of Transforms that the GM is able 453 to support for that protocol. Valid transform types depend on the 454 protocol and are defined in Figure 15. Other transform types SHOULD 455 NOT be included. The SPI length of each Proposal in an SAg is set to 456 zero, and thus the SPI field is empty. The GCKS MUST ignore SPI 457 field in the SAg payload. 459 Generally, a single Proposal of each type will suffice, because the 460 group member is not negotiating Transform sets, simply alerting the 461 GCKS to restrictions it may have. In particular, the restriction 462 from Section 3.3 of [RFC7296] that AEAD and non-AEAD transforms must 463 not be combined in a single proposal doesn't hold when the SAg 464 payload is being formed. However if the GM has restrictions on 465 combination of algorithms, this can be expressed by sending several 466 proposals. 468 Proposal Num field in Proposal substructure is treated specially in 469 SAg payload: it allows a GM to indicate that algorithms used in Rekey 470 SA and in data security (AH and/or ESP) SAs are dependent. In 471 particular, Proposals of different types having the same value in 472 Proposal Num field are treated as a set, so that if GCKS uses 473 transforms from one of such Proposal for one protocol, then it MUST 474 only use transforms from one of the Proposals with the same value in 475 Proposal Num field for other protocols. For example, a GM may 476 support algorithms X and Y for both Rekey and data security SAs, but 477 with a restriction that if X is used in Rekey SA, then only X can be 478 used in data security SAs, and the same for Y. To indicate this the 479 GM sends several Proposals marking those of them that must be used in 480 conjunction by putting the same value in their Proposal Num field. 481 In the simplest case when no dependency between transforms exists, 482 all Proposals in SAg payload will have the same value in Proposal Num 483 field. 485 Although the SAg payload is optional, it is RECOMMENDED for the GM to 486 include this payload into the GSA_AUTH request to allow the GCKS to 487 select an appropriate policy. 489 A GM may also indicate the support for IPcomp by inclusion one or 490 more the IPCOMP_SUPPORTED notifications along with the SAg payload. 491 The CPI in these notifications is set to zero and MUST be ignored by 492 the GCKS. 494 Upon receiving the GSA_AUTH response, the initiator parses the 495 response from the GCKS authenticating the exchange using the IKEv2 496 method, then processes the GSA and KD. 498 The GSA payload contains the security policy and cryptographic 499 protocols used by the group. This policy describes the Rekey SA 500 (KEK), Data-security SAs (TEK), and other group policy (GAP). If the 501 policy in the GSA payload is not acceptable to the GM, it SHOULD 502 notify the GCKS by initiating a GSA_REGISTRATION exchange with a 503 NO_PROPOSAL_CHOSEN Notify payload (see Section 1.4.2). Note, that 504 this should normally not happen if the GM includes SAg payload in the 505 GSA_AUTH request and the GCKS takes it into account. Finally the KD 506 are parsed providing the keying material for the TEK and/or KEK. The 507 GM interprets the KD key packets, where each key packet includes the 508 keying material for SAs distributed in the GSA payload. Keying 509 material is matched by comparing the SPIs in the key packets to SPIs 510 previously included in the GSA payloads. Once TEK keys and policy 511 are matched, the GM provides them to the data security subsystem, and 512 it is ready to send or receive packets matching the TEK policy. 514 The GSA KEK policy MUST include the attribute GSA_INITIAL_MESSAGE_ID 515 with a first Message ID the GM should expect to receive if it is non- 516 zero. The value of the attribute MUST be checked by a GM against any 517 previously received Message ID for this group. If it is less than 518 the previously received number, it should be considered stale and 519 ignored. This could happen if two GSA_AUTH exchanges happened in 520 parallel, and the Message ID changed. This attribute is used by the 521 GM to prevent GSA_REKEY message replay attacks. The first GSA_REKEY 522 message that the GM receives from the GCKS must have a Message ID 523 greater or equal to the Message ID received in the 524 GSA_INITIAL_MESSAGE_ID attribute. 526 Once a GM has received GSA_REKEY policy during a registration the IKE 527 SA may be closed. However, the GM SHOULD NOT close IKE SA, it is the 528 GCKS who makes the decision whether to close or keep it, because 529 depending on the policy the IKE SA may be used for inband rekeying 530 for small groups. 532 1.4.4. GCKS Registration Operations 534 A G-IKEv2 GCKS passively listens for incoming requests from group 535 members. When the GCKS receives an IKE_SA_INIT request, it selects 536 an IKE proposal and generates a nonce and DH to include them in the 537 IKE_SA_INIT response. 539 Upon receiving the GSA_AUTH request, the GCKS authenticates the group 540 member using the same procedures as in the IKEv2 IKE_AUTH. The GCKS 541 then authorizes the group member according to group policy before 542 preparing to send the GSA_AUTH response. If the GCKS fails to 543 authorize the GM, it will respond with an AUTHORIZATION_FAILED notify 544 message. 546 The GSA_AUTH response will include the group policy in the GSA 547 payload and keys in the KD payload. If the GCKS policy includes a 548 group rekey option, this policy is constructed in the GSA KEK and the 549 key is constructed in the KD KEK. The GSA KEK MUST include the 550 GSA_INITIAL_MESSAGE_ID attribute, specifying the starting Message ID 551 the GCKS will use when sending the GSA_REKEY message to the group 552 member if this Message ID is non-zero. This Message ID is used to 553 prevent GSA_REKEY message replay attacks and will be increased each 554 time a GSA_REKEY message is sent to the group. The GCKS data traffic 555 policy is included in the GSA TEK and keys are included in the KD 556 TEK. The GAP MAY also be included to provide the ATD and/or DTD 557 (Section 3.4.3.1) specifying activation and deactivation delays for 558 SAs generated from the TEKs. If the group member has indicated that 559 it is a sender of data traffic and one or more Data Security SAs 560 distributed in the GSA payload included a counter mode of operation, 561 the GCKS responds with one or more SIDs (see Section 1.4.6). 563 If the GCKS receives a GSA_REGISTRATION exchange with a request to 564 register a GM to a group, the GCKS will need to authorize the GM with 565 the new group (IDg) and respond with the corresponding group policy 566 and keys. If the GCKS fails to authorize the GM, it will respond 567 with the AUTHORIZATION_FAILED notification. 569 If a group member includes an SAg in its GSA_AUTH or GSA_REGISTRATION 570 request, the GCKS MAY evaluate it according to an implementation 571 specific policy. 573 o The GCKS could evaluate the list of Transforms and compare it to 574 its current policy for the group. If the group member did not 575 include all of the ESP or AH Transforms in its current policy, 576 then it could return a NO_PROPOSAL_CHOSEN Notification. 578 o The GCKS could store the list of Transforms, with the goal of 579 migrating the group policy to a different Transform when all of 580 the group members indicate that they can support that Transform. 582 o The GCKS could store the list of Transforms and adjust the current 583 group policy based on the capabilities of the devices as long as 584 they fall within the acceptable security policy of the GCKS. 586 Depending on its policy, the GCKS may have no need for the IKE SA 587 (e.g., it does not plan to initiate an GSA_INBAND_REKEY exchange). 588 If the GM does not initiate another registration exchange or Notify 589 (e.g., NO_PROPOSAL_CHOSEN), and also does not close the IKE SA and 590 the GCKS is not intended to use the SA, then after a short period of 591 time the GCKS SHOULD close the IKEv2 SA. The delay before closing 592 provides for receipt of a GM's error notification in the event of 593 packet loss. 595 1.4.5. Group Maintenance Channel 597 The GCKS is responsible for rekeying the secure group per the group 598 policy. Rekeying is an operation whereby the GCKS provides 599 replacement TEKs and KEK, deleting TEKs, and/or excluding group 600 members. The GCKS may initiate a rekey message if group membership 601 and/or policy has changed, or if the keys are about to expire. Two 602 forms of group maintenance channels are provided in G-IKEv2 to push 603 new policy to group members. 605 GSA_REKEY The GSA_REKEY is a pseudo-exchange initiated by the GCKS, 606 where the rekey policy is usually delivered to group members using 607 IP multicast as a transport. This is not a real IKEv2 exchange, 608 since no response messages are sent. This method is valuable for 609 large and dynamic groups, and where policy may change frequently 610 and a scalable rekeying method is required. When the GSA_REKEY is 611 used, the IKEv2 SA protecting the member registration exchanges is 612 usually terminated, and group members await policy changes from 613 the GCKS via the GSA_REKEY messages. 615 GSA_INBAND_REKEY The GSA_INBAND_REKEY is a normal IKEv2 exchange 616 using the IKEv2 SA that was setup to protecting the member 617 registration exchange. This exchange allows the GCKS to rekey 618 without using an independent GSA_REKEY pseudo-exchange. The 619 GSA_INBAND_REKEY exchange provides a reliable policy delivery and 620 is useful when G-IKEv2 is used with a small group of cooperating 621 devices. 623 Depending on the policy the GCKS MAY combine these two methods. For 624 example, it may use the GSA_INBAND_REKEY to deliver key to the GMs in 625 the group acting as senders (as this would provide reliable keys 626 delivery), and the GSA_REKEY for the rest GMs. 628 1.4.5.1. GSA_REKEY 630 The GCKS initiates the G-IKEv2 Rekey securely, usually using IP 631 multicast. Since this rekey does not require a response and it sends 632 to multiple GMs, G-IKEv2 rekeying MUST NOT support IKE SA windowing. 633 The GCKS rekey message replaces the rekey GSA KEK or KEK array, and/ 634 or creates a new Data-Security GSA TEK. The SID Download attribute 635 in the Key Download payload (defined in Section 3.5.3.2) MUST NOT be 636 part of the Rekey Exchange as this is sender specific information and 637 the Rekey Exchange is group specific. The GCKS initiates the 638 GSA_REKEY pseudo-exchange as following: 640 Members (Responder) GCKS (Initiator) 641 -------------------- ------------------ 642 <-- HDR, SK{GSA, KD, [N,] [D,] [AUTH]} 644 Figure 9: GSA_REKEY Pseudo-Exchange 646 HDR is defined in Section 3.1. The Message ID in this message will 647 start with the value the GCKS sent to the group members in the KEK 648 attribute GSA_INITIAL_MESSAGE_ID or from zero if this attribute 649 wasn't sent. The Message ID will be incremented each time a new 650 GSA_REKEY message is sent to the group members. 652 The GSA payload contains the current rekey and data security SAs. 653 The GSA may contain a new rekey SA and/or a new data security SA 654 Section 3.4. 656 The KD payload contains the keys for the policy included in the GSA. 657 If the data security SA is being refreshed in this rekey message, the 658 IPsec keys are updated in the KD, and/or if the rekey SA is being 659 refreshed in this rekey message, the rekey Key or the LKH KEK array 660 is updated in the KD payload. 662 A Delete payload MAY be included to instruct the GM to delete 663 existing SAs. 665 The AUTH payload MUST be included to authenticate the GSA_REKEY 666 message if the authentication method is based on public key 667 signatures or a dedicated shared secret and MUST NOT be included if 668 authentication is implicit. In a latter case, the fact that a GM can 669 decrypt the GSA_REKEY message and verify its ICV proves that the 670 sender of this message knows the current KEK, thus authenticating 671 that the sender is a member of the group. Shared secret and implicit 672 authentication don't provide source origin authentication. For this 673 reason using them as authentication methods for GSA_REKEY is NOT 674 RECOMMENDED unless source origin authentication is not required (for 675 example, in a small group of highly trusted GMs). If AUTH payload is 676 included then the Auth Method field MUST NOT be NULL Authentication. 678 During group member registration, the GCKS sends the authentication 679 key in the GSA KEK payload, AUTH_KEY attribute, which the group 680 member uses to authenticate the key server. Before the current 681 Authentication Key expires, the GCKS will send a new AUTH_KEY to the 682 group members in a GSA_REKEY message. The AUTH key that is used in 683 the rekey message may be not the same as the authentication key used 684 in GSA_AUTH. If implicit authentication is used, then AUTH_KEY MUST 685 NOT be sent to GMs. 687 1.4.5.1.1. GSA_REKEY Messages Authentication 689 The content of the AUTH payload depends on the authentication method 690 and is either a digital signature or a result of prf applied to the 691 content of the not yet encrypted GSA_REKEY message. 693 The authentication algorithm (prf or digital signing) is applied to 694 the concatenation of two chunks: A and P. The chunk A lasts from the 695 first octet of the G-IKEv2 Header (not including prepended four 696 octets of zeros, if port 4500 is used) to the last octet of the 697 Encrypted Payload header. The chunk P consists of the not yet 698 encrypted content of the Encrypted payload, excluding the 699 Initialization Vector, the Padding, the Pad Length and the Integrity 700 Checksum Data fields (see 3.14 of [RFC7296] for description of the 701 Encrypted payload). In other words, the P chunk is the inner 702 payloads of the Encrypted payload in plaintext form. These inner 703 payloads must be fully formed and ready for encryption except for the 704 AUTH payload. Figure 10 illustrates the layout of the P and A chunks 705 in the GSA_REKEY message. 707 The AUTH payload must have correct values in the Payload Header, the 708 Auth Method and the RESERVED fields. The Authentication Data field 709 is zeroed, but if Digital Signature authentication method is in use, 710 then the ASN.1 Length and the AlgorithmIdentifier fields must be 711 properly filled in, see [RFC7427]. 713 For the purpose of the AUTH payload calculation the Length field in 714 the IKE header and the Payload Length field in the Encrypted Payload 715 header are adjusted so that they don't count the lengths of 716 Initialization Vector, Integrity Checksum Data and Padding (along 717 with Pad Length field). In other words, the Length field in the IKE 718 header (denoted as AdjustedLen in Figure 10 ) is set to the sum of 719 the lengths of A and P, and the Payload Length field in the Encrypted 720 Payload header (denoted as AdjustedPldLen in Figure 10) is set to the 721 length of P plus the size of the Payload header (four octets). 723 DataToAuthenticate = A | P 724 GsaRekeyMessage = GenIKEHDR | EncPayload 725 GenIKEHDR = [ four octets 0 if using port 4500 ] | AdjustedIKEHDR 726 AdjustedIKEHDR = SPIi | SPIr | . . . | AdjustedLen 727 EncPayload = AdjustedEncPldHdr | IV | InnerPlds | Pad | PadLen | ICV 728 AdjustedEncPldHdr = NextPld | C | RESERVED | AdjustedPldLen 729 A = AdjustedIKEHDR | AdjustedEncPldHdr 730 P = InnerPlds 731 1 2 3 732 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 733 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ^ ^ 734 | G-IKEv2 SA Initiator's SPI | | | 735 | | | | 736 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ I | 737 | G-IKEv2 SA Responder's SPI | K | 738 | | E | 739 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 740 | Next Payload | MjVer | MnVer | Exchange Type | Flags | H A 741 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ d | 742 | Message ID | r | 743 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | 744 | AdjustedLen | | | 745 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ x | 746 | Next Payload |C| RESERVED | AdjustedPldLen | | | 747 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | v 748 | | | 749 ~ Initialization Vector ~ E 750 | | n 751 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ c ^ 752 | | r | 753 ~ Inner payloads (not yet encrypted) ~ P 754 | | P | 755 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ l v 756 ~ Padding (0-255 octets) | Pad Length | d 757 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 758 | | | 759 ~ Integrity Checksum Data ~ | 760 | | | 761 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ v 763 Figure 10: Data to Authenticate in the GSA_REKEY Messages 765 The authentication data is calculated using the authentication 766 algorithm from the Authentication Method transform and the key 767 provided before in the AUTH_KEY attribute. Depending on the 768 authentication method the authentication data is either a digital 769 signature or a result of applying prf from the Pseudorandom Function 770 transform. The calculated authentication data is placed into the 771 AUTH payload, the Length fields in the IKE Header and the Encryption 772 Payload header are restored, the content of the Encrypted payload is 773 encrypted and the ICV is computed using the current SKe/SKa keys. 775 The calculation of authentication data MUST be applied to whole 776 messages only, before possible IKE Fragmentation. If the message was 777 received in fragmented form, it should be reconstructed before 778 verifying its authenticity as if it were received unfragmented. The 779 RESERVED field in the reconstructed Encrypted Payload header MUST be 780 set to the value of the RESERVED field in the Encrypted Fragment 781 payload header from the first fragment (that with Fragment Number 782 equal to 1). 784 1.4.5.1.2. GSA_REKEY GCKS Operations 786 The GCKS builds the rekey message with a Message ID value that is one 787 greater than the value included in the previous rekey. If the 788 message is using a new KEK attribute, the Message ID is reset to 0 in 789 this message. The GSA, KD, N and D payloads follow with the same 790 characteristics as in the GSA Registration exchange. 792 The AUTH payload (if present) is created as defined in 793 Section 1.4.5.1.1. 795 Because GSA_REKEY messages are not acknowledged and could be 796 discarded by the network, one or more GMs may not receive the 797 message. To mitigate such lost messages, during a rekey event the 798 GCKS may transmit several GSA_REKEY messages with the new policy. 799 The retransmitted messages MUST be bitwise identical and SHOULD be 800 sent within a short time interval (a few seconds) to ensure that 801 time-to-live would not be substantially skewed for the GMs that would 802 receive different copies of the messages. 804 GCKS may also include one or several GSA_NEXT_SPI attributes 805 specifying SPIs for the prospected rekeys, so that listening GMs are 806 able to detect lost rekey messages and recover from this situation. 807 See Sections Section 3.4.2.2.3 for more detail. 809 1.4.5.1.3. GSA_REKEY GM Operations 811 When a group member receives the Rekey Message from the GCKS it 812 decrypts the message using the current KEK, validates its 813 authenticity using the key retrieved in a previous G-IKEv2 exchange 814 if AUTH payload is present, verifies the Message ID, and processes 815 the GSA and KD payloads. The group member then downloads the new 816 data security SA and/or new rekey SA. The parsing of the payloads is 817 identical to the parsing done in the registration exchange. 819 Replay protection is achieved by a group member rejecting a GSA_REKEY 820 message which has a Message ID smaller than the current Message ID 821 that the GM is expecting. The GM expects the Message ID in the first 822 GSA_REKEY message it receives to be equal or greater than the Message 823 ID it receives in the GSA_INITIAL_MESSAGE_ID attribute. Note, that 824 if no this attribute was received for the Rekey SA, the GM MUST 825 assume zero as the first expected Message ID. The GM expects the 826 Message ID in subsequent GSA_REKEY messages to be greater than the 827 last valid GSA_REKEY message ID it received. 829 If the GSA payload includes a Data-Security SA including a counter- 830 modes of operation and the receiving group member is a sender for 831 that SA, the group member uses its current SID value with the Data- 832 Security SAs to create counter-mode nonces. If it is a sender and 833 does not hold a current SID value, it MUST NOT install the Data- 834 Security SAs. It MAY initiate a GSA_REGISTRATION exchange to the 835 GCKS in order to obtain an SID value (along with current group 836 policy). 838 Once a new Rekey SA is installed as a result of GSA_REKEY message, 839 the current Rekey SA (over which the message was received) MUST be 840 silently deleted after waiting DEACTIVATION_TIME_DELAY interval 841 regardless of its expiration time. If the GSA TEK payload includes 842 GSA_REKEY_SPI attribute then after installing a new Data-Security SA 843 the old one, identified by the SPI in this attribute, MUST be 844 silently deleted after waiting DEACTIVATION_TIME_DELAY interval 845 regardless of its expiration time. 847 If a Data-Security SA is not rekeyed yet and is about to expire (a 848 "soft lifetime" expiration is described in Section 4.4.2.1 of 849 [RFC4301]), the GM SHOULD initiate a registration to the GCKS. This 850 registration serves as a request for current SAs, and will result in 851 the download of replacement SAs, assuming the GCKS policy has created 852 them. A GM SHOULD also initiate a registration request if a Rekey SA 853 is about to expire and not yet replaced with a new one. 855 1.4.5.1.4. IKE Fragmentation 857 IKE fragmentation [RFC7383] can be used to perform fragmentation of 858 large GSA_REKEY messages, however when the GSA_REKEY message is 859 emitted as an IP multicast packet there is a lack of response from 860 the GMs. This has the following implications. 862 o Policy regarding the use of IKE fragmentation is implicit. If a 863 GCKS detects that all GMs have negotiated support of IKE 864 fragmentation in IKE_SA_INIT, then it MAY use IKE fragmentation on 865 large GSA_REKEY messages. 867 o The GCKS must always use IKE fragmentation based on a known 868 fragmentation threshold (unspecified in this memo), as there is no 869 way to check if fragmentation is needed by first sending 870 unfragmented messages and waiting for response. 872 o PMTU probing cannot be performed due to lack of GSA_REKEY response 873 message. 875 1.4.5.2. GSA_INBAND_REKEY Exchange 877 When the IKEv2 SA protecting the member registration exchange is 878 maintained while group member participates in the group, the GCKS can 879 use the GSA_INBAND_REKEY exchange to individually provide policy 880 updates to the group member. 882 Member (Responder) GCKS (Initiator) 883 -------------------- ------------------ 884 <-- HDR, SK{GSA, KD, [N,] [D]} 885 HDR, SK{} --> 887 Figure 11: GSA_INBAND_REKEY Exchange 889 Because this is a normal IKEv2 exchange, the HDR is treated as 890 defined in [RFC7296]. 892 1.4.5.2.1. GSA_INBAND_REKEY GCKS Operations 894 The GSA, KD, N and D payloads are built in the same manner as in a 895 registration exchange. 897 1.4.5.2.2. GSA_INBAND_REKEY GM Operations 899 The GM processes the GSA, KD, N and D payloads in the same manner as 900 if they were received in a registration exchange. 902 1.4.5.3. Deletion of SAs 904 There are occasions when the GCKS may want to signal to group members 905 to delete policy at the end of a broadcast, or if group policy has 906 changed. Deletion of keys MAY be accomplished by sending the G-IKEv2 907 Delete Payload [RFC7296], section 3.11 as part of the GSA_REKEY 908 pseudo-exchange as shown below. 910 Members (Responder) GCKS (Initiator) 911 -------------------- ------------------ 912 <-- HDR, SK{[GSA,] [KD,], [N] [D,] [AUTH]} 914 Figure 12: SA Deletion in GSA_REKEY 916 The GSA MAY specify the remaining active time of the remaining policy 917 by using the DTD attribute in the GSA GAP. If a GCKS has no further 918 SAs to send to group members, the GSA and KD payloads MUST be omitted 919 from the message. There may be circumstances where the GCKS may want 920 to start over with a clean state. If the administrator is no longer 921 confident in the integrity of the group, the GCKS can signal deletion 922 of all the policies of a particular TEK protocol by sending a TEK 923 with a SPI value equal to zero in the delete payload. For example, 924 if the GCKS wishes to remove all the KEKs and all the TEKs in the 925 group, the GCKS SHOULD send a Delete payload with a SPI of zero and 926 Protocol ID of AH or ESP, followed by another Delete payload with a 927 SPI of zero and Protocol ID of GIKE_REKEY, indicating that the KEK SA 928 should be deleted. 930 1.4.6. Counter-based modes of operation 932 Several new counter-based modes of operation have been specified for 933 ESP (e.g., AES-CTR [RFC3686], AES-GCM [RFC4106], AES-CCM [RFC4309], 934 ChaCha20-Poly1305 [RFC7634], AES-GMAC [RFC4543]) and AH (e.g., AES- 935 GMAC [RFC4543]). These counter-based modes require that no two 936 senders in the group ever send a packet with the same Initialization 937 Vector (IV) using the same cipher key and mode. This requirement is 938 met in G-IKEv2 when the following requirements are met: 940 o The GCKS distributes a unique key for each Data-Security SA. 942 o The GCKS uses the method described in [RFC6054], which assigns 943 each sender a portion of the IV space by provisioning each sender 944 with one or more unique SID values. 946 1.4.6.1. Allocation of SIDs 948 When at least one Data-Security SA included in the group policy 949 includes a counter-based mode of operation, the GCKS automatically 950 allocates and distributes one SID to each group member acting in the 951 role of sender on the Data-Security SA. The SID value is used 952 exclusively by the group member to which it was allocated. The group 953 member uses the same SID for each Data-Security SA specifying the use 954 of a counter-based mode of operation. A GCKS MUST distribute unique 955 keys for each Data-Security SA including a counter-based mode of 956 operation in order to maintain unique key and nonce usage. 958 During registration, the group member can choose to request one or 959 more SID values. Requesting a value of 1 is not necessary since the 960 GCKS will automatically allocate exactly one to the group member. A 961 group member MUST request as many SIDs matching the number of 962 encryption modules in which it will be installing the TEKs in the 963 outbound direction. Alternatively, a group member MAY request more 964 than one SID and use them serially. This could be useful when it is 965 anticipated that the group member will exhaust their range of Data- 966 Security SA nonces using a single SID too quickly (e.g., before the 967 time-based policy in the TEK expires). 969 When the group policy includes a counter-based mode of operation, a 970 GCKS SHOULD use the following method to allocate SID values, which 971 ensures that each SID will be allocated to just one group member. 973 1. A GCKS maintains an SID-counter, which records the SIDs that have 974 been allocated. SIDs are allocated sequentially, with zero as 975 the first allocated SID. 977 2. Each time an SID is allocated, the current value of the counter 978 is saved and allocated to the group member. The SID-counter is 979 then incremented in preparation for the next allocation. 981 3. When the GCKS specifies a counter-based mode of operation in the 982 data security SA a group member may request a count of SIDs 983 during registration in a Notify payload information of type 984 SENDER. When the GCKS receives this request, it increments the 985 SID-counter once for each requested SID, and distributes each SID 986 value to the group member. The GCKS SHOULD have a policy-defined 987 upper bound for the number of SIDs that it will return 988 irrespective of the number requested by the GM. 990 4. A GCKS allocates new SID values for each GSA_REGISTRATION 991 exchange originated by a sender, regardless of whether a group 992 member had previously contacted the GCKS. In this way, the GCKS 993 is not required to maintaining a record of which SID values it 994 had previously allocated to each group member. More importantly, 995 since the GCKS cannot reliably detect whether the group member 996 had sent data on the current group Data-Security SAs it does not 997 know what Data-Security counter-mode nonce values that a group 998 member has used. By distributing new SID values, the key server 999 ensures that each time a conforming group member installs a Data- 1000 Security SA it will use a unique set of counter-based mode 1001 nonces. 1003 5. When the SID-counter maintained by the GCKS reaches its final SID 1004 value, no more SID values can be distributed. Before 1005 distributing any new SID values, the GCKS MUST delete the Data- 1006 Security SAs for the group, followed by creation of new Data- 1007 Security SAs, and resetting the SID-counter to its initial value. 1009 6. The GCKS SHOULD send a GSA_REKEY message deleting all Data- 1010 Security SAs and the Rekey SA for the group. This will result in 1011 the group members initiating a new GSA_REGISTRATION exchange, in 1012 which they will receive both new SID values and new Data-Security 1013 SAs. The new SID values can safely be used because they are only 1014 used with the new Data-Security SAs. Note that deletion of the 1015 Rekey SA is necessary to ensure that group members receiving a 1016 GSA_REKEY message before the re-register do not inadvertently use 1017 their old SIDs with the new Data-Security SAs. Using the method 1018 above, at no time can two group members use the same IV values 1019 with the same Data-Security SA key. 1021 1.4.6.2. GM Usage of SIDs 1023 A GM applies the SID to data security SA as follows. 1025 o The most significant bits NUMBER_OF_SID_BITS of the IV are taken 1026 to be the SID field of the IV. 1028 o The SID is placed in the least significant bits of the SID field, 1029 where any unused most significant bits are set to zero. If the 1030 SID value doesn't fit into the NUMBER_OF_SID_BITS bits, then the 1031 GM MUST treat this as a fatal error and re-register to the group. 1033 2. Group Key Management and Access Control 1035 Through the G-IKEv2 rekey, G-IKEv2 supports algorithms such as 1036 Logical Key Hierarchy (LKH) that have the property of denying access 1037 to a new group key by a member removed from the group (forward access 1038 control) and to an old group key by a member added to the group 1039 (backward access control). An unrelated notion to PFS, "forward 1040 access control" and "backward access control" have been called 1041 "perfect forward security" and "perfect backward security" in the 1042 literature [RFC2627]. 1044 Group management algorithms providing forward and backward access 1045 control other than LKH have been proposed in the literature, 1046 including OFT [OFT] and Subset Difference [NNL]. These algorithms 1047 could be used with G-IKEv2, but are not specified as a part of this 1048 document. 1050 The Group Key Management Method transform from the GSA policy 1051 specifies how members of the group obtain group keys. This document 1052 specifies a single method for the group key management - Wrapped Key 1053 Download. This method assumes that all group keys are sent to the 1054 GMs by the GCKS encrypted with other keys, called Key Wrap Keys 1055 (KWK). 1057 2.1. Key Wrap Keys 1059 Every GM always knows at least one KWK - the KWK that is associated 1060 with the IKE SA or multicast rekey SA the wrapped keys are sent over. 1061 In this document it is called default KWK and is denoted as SK_w. 1063 The GCKS may also send other keys to GMs that will be used as Key 1064 Wrap Keys for the purpose of building key hierarchy. Each such key 1065 is associated with an encryption algorithm from the Encryption 1066 Algorithm transform used for the SA the key is sent in. The size of 1067 such key MUST be of the size of the key size of this Encryption 1068 Algorithm transform (taking into consideration the Key Length 1069 attribute for this transform if present). This association persists 1070 even if the key is used later in the context of another SA with 1071 possibly different Encryption Algorithm transform. 1073 To have an ability to provide forward access control the GCKS 1074 provides each GM with a personal key at the time of registration. 1075 Besides several intermediate keys that form a key hierarchy and are 1076 shared among several GMs are provided by the GCKS. 1078 2.1.1. Default Key Wrap Key 1080 The default KWK (SK_w) is only used in the context of a single IKE 1081 SA. Every IKE SA (unicast or group rekey) will have its own SK_w. 1082 The SK_w is used with the algorithm from the Encryption Algorithm 1083 transform used for the SA the SK_w is used in. The size of SK_w MUST 1084 be of the key size of this Encryption Algorithm transform (taking 1085 into consideration the Key Length attribute for this transform if 1086 present). 1088 For the unicast IKE SA (used for the GM registration and optionally 1089 for GSA_INBAND_REKEY exchanges) the SK_w is computed as follows: 1091 SK_w = prf+(SK_d, "Key Wrap for G-IKEv2") 1093 where the string "Key Wrap for G-IKEv2" is 20 ASCII characters 1094 without null termination. 1096 For the multicast rekey SA the SK_w is provided along with other SA 1097 keys as defined in Section 2.4. 1099 2.2. GCKS Key Management Semantics 1101 Wrapped Key Download method allows the GCKS to employ various key 1102 management policies. 1104 o A simple key management policy - when the GCKS always sends group 1105 SA keys encrypted with the SK_w. 1107 o An LKH key management policy - when the GCKS provides each GM with 1108 an individual key at the time of GM registration (encrypted with 1109 SK_w). Then the GCKS forms an hierarchy of keys so that the group 1110 SA keys are encrypted with other keys which are encrypted with 1111 other keys and so on, tracing back to the individual GMs' keys. 1113 Other key policies may also be employed by the GCKS. 1115 2.2.1. Forward Access Control Requirements 1117 When group membership is altered using a group management algorithm 1118 new GSA TEKs (and their associated keys) are usually also needed. 1119 New GSAs and keys ensure that members who were denied access can no 1120 longer participate in the group. 1122 If forward access control is a desired property of the group, new GSA 1123 TEKs and the associated key packets in the KD payload MUST NOT be 1124 included in a G-IKEv2 rekey message which changes group membership. 1125 This is required because the GSA TEK policy and the associated key 1126 packets in the KD payload are not protected with the new KEK. A 1127 second G-IKEv2 rekey message can deliver the new GSA TEKS and their 1128 associated key packets because it will be protected with the new KEK, 1129 and thus will not be visible to the members who were denied access. 1131 If forward access control policy for the group includes keeping group 1132 policy changes from members that are denied access to the group, then 1133 two sequential G-IKEv2 rekey messages changing the group KEK MUST be 1134 sent by the GCKS. The first G-IKEv2 rekey message creates a new KEK 1135 for the group. Group members, which are denied access, will not be 1136 able to access the new KEK, but will see the group policy since the 1137 G-IKEv2 rekey message is protected under the current KEK. A 1138 subsequent G-IKEv2 rekey message containing the changed group policy 1139 and again changing the KEK allows complete forward access control. A 1140 G-IKEv2 rekey message MUST NOT change the policy without creating a 1141 new KEK. 1143 If other methods of using LKH or other group management algorithms 1144 are added to G-IKEv2, those methods MAY remove the above restrictions 1145 requiring multiple G-IKEv2 rekey messages, providing those methods 1146 specify how the forward access control policy is maintained within a 1147 single G-IKEv2 rekey message. 1149 2.3. GM Key Management Semantics 1151 This specification defines a GM Key Management semantics in such a 1152 way, that it doesn't depend on the key management policy employed by 1153 the GCKS. This allows having all the complexity of key management in 1154 the GCKS, which is free to implement various key management policies, 1155 such as direct transmitting of group SA keys or using some kind of 1156 key hierarchy (e.g. LKH). For all these policies the GMs' behavior 1157 is the same. 1159 Each key is identified by a 32-bit number called Key ID. Zero Key ID 1160 has a special meaning - it always contains keying material from which 1161 the group SA keys are taken. 1163 All keys in G-IKEv2 are transmitted in encrypted form, which format 1164 is defined in Section 3.5.1. This format specifies a Key ID (ID of a 1165 key that is encrypted in this attribute) and a KWK ID (ID of a key 1166 that was used to encrypt this attribute). Keys may be encrypted 1167 either with default KWK (SK_w) or with other keys, which the GM has 1168 received in the KEY_WRAP_KEY attributes. If a key was encrypted with 1169 SK_w, then the KWK ID field is set to zero, otherwise the KWK ID 1170 field identifies the key used for encryption. 1172 When a GM receives a message from the GCKS installing new data 1173 security or rekey SA, it will contain a KD payload with a SA_KEY 1174 attribute containing keying material for this SA. For a data 1175 security SA exactly one SA_KEY attribute will be present with both 1176 Key ID and KWK ID fields set to zero. This means that the default 1177 KWK (SK_w) should be used to extract this keying material. 1179 For a multicast rekey SA multiple SA_KEY attributes may be present 1180 depending on the key management policy employed by the GCKS. If 1181 multiple SA_KEY attributes are present then all of them MUST contain 1182 the same keying material encrypted using different keys. The GM in 1183 general is unaware of the GCKS's key management policy and can always 1184 use the same procedure to get the keys. In particular, the GM's task 1185 is to find a way to decrypt at least one of the SA_KEY attributes 1186 using either the SK_w or the keys from the KEY_WRAP_KEY attributes 1187 that are present in the same message or were receives in previous 1188 messages. 1190 We will use the term "Key Path" to describe an ordered sequence of 1191 keys where each subsequent key was used to encrypt the previous one. 1192 The GM keeps its own Key Path (called working Key Path) in the memory 1193 associated with each group it is registered to and update it when 1194 needed. When the GSA_REKEY message is received the GM processes the 1195 received SA_KEY attributes one by one trying to construct a new key 1196 path that starts from this attributes and ends with any key in the 1197 working Key Path or with the default KWK (SK_w). 1199 In the simplest case the SA_KEY attribute is encrypted with SK_w so 1200 that the new Key Path is empty. If more complex key management 1201 policies are used then the Key Path will contain intermediate keys, 1202 which will be from the KEY_WRAP_KEY attributes received in the same 1203 messages. If the GM is able to construct a new Key Path, then it is 1204 able to decrypt the SA_KEY attribute and use its content to form the 1205 SA keys. If it is unable to build a new Key Path, then in means that 1206 the GM is excluded from the group. 1208 Depending on the new Key Path the GM should do the following actions 1209 to be prepared for future key updates: 1211 o If the new Key Path is empty then no actions are needed. This may 1212 happen if no KEY_WRAP_KEY attributes from the received message 1213 were used. 1215 o If the new Key Path is non-empty and it ends up with the default 1216 KWK (SK_w), then the whole new Key Path is stored by the GM as the 1217 GM's working Key Path. This situation may only happen at the time 1218 the GM is registering to the group, when the GCKS is providing it 1219 with its personal key and the other keys from the key tree that 1220 are needed for this GM. These keys form an initial working Key 1221 Path. 1223 o In all other cases the new Key Path will end up where some key 1224 from the GM's working Key Path was used. In this case the new Key 1225 Path replaces the part of the GM's working Key Path from the 1226 beginning and up to (but not including) the key that the GM has 1227 used to decrypt the last key in the new Key Path. 1229 Appendix A contains an example of how this algorithm works in case of 1230 LKH key management policy. 1232 2.4. Group SA Keys 1234 Group SA keys are downloaded to GMs in the form of keying material. 1235 The keys are taken from this keying material as if they were 1236 concatenated to form it. 1238 For a data security SA the keys are taken in accordance to the third 1239 bullet from Section 2.17 of [RFC7296]. In particular, for the ESP 1240 and AH SAs the encryption key (if any) MUST be taken from the first 1241 bits of the keying material and the integrity key (if any) MUST be 1242 taken from the remaining bits. 1244 For a group rekey SA the following keys are taken from the keying 1245 material: 1247 SK_e | SK_a | SK_w = KEYMAT 1249 where SK_e and SK_a are the keys used for the Encryption Algorithm 1250 and the Integrity Algorithm transforms for the corresponding SA and 1251 SK_w is a default KWK for this SA. Note, that SK_w is also used with 1252 the Encryption Algorithm transform as well as SK_e. Note also, that 1253 if AEAD algorithm is used for encryption, then SK_a key will not be 1254 used (GM can use the formula above assuming the length of SK_a is 1255 zero). 1257 3. Header and Payload Formats 1259 The G-IKEv2 is an IKEv2 extension and thus inherits its wire format 1260 for data structures. However, the processing of some payloads are 1261 different and several new payloads are defined: Group Identification 1262 (IDg), Group Security Association (GSA) Key Download (KD). New 1263 exchange types GSA_AUTH, GSA_REGISTRATION, GSA_REKEY and 1264 GSA_INBAND_REKEY are also added. 1266 This section describes new payloads and the differences in processing 1267 of existing IKEv2 payloads. 1269 3.1. G-IKEv2 Header 1271 G-IKEv2 uses the same IKE header format as specified in [RFC7296] 1272 section 3.1. Major Version is 2 and Minor Version is 0 as in IKEv2. 1273 IKE SA Initiator's SPI, IKE SA Responder's SPI, Flags, Message ID, 1274 and Length are as specified in [RFC7296]. 1276 3.2. Group Identification Payload 1278 The Group Identification (IDg) payload allows the group member to 1279 indicate which group it wants to join. The payload is constructed by 1280 using the IKEv2 Identification Payload (section 3.5 of [RFC7296]). 1281 ID type ID_KEY_ID MUST be supported. ID types ID_IPV4_ADDR, ID_FQDN, 1282 ID_RFC822_ADDR, ID_IPV6_ADDR SHOULD be supported. ID types 1283 ID_DER_ASN1_DN and ID_DER_ASN1_GN are not expected to be used. The 1284 Payload Type for the Group Identification payload is fifty (50). 1286 3.3. Security Association - GM Supported Transforms Payload 1288 The Security Association - GM Supported Transforms Payload (SAg) 1289 payload declares which Transforms a GM is willing to accept. The 1290 payload is constructed using the format of the IKEv2 Security 1291 Association payload (section 3.3 of [RFC7296]). The Payload Type for 1292 SAg is identical to the SA Payload Type - thirty-three (33). 1294 3.4. Group Security Association Payload 1296 The Group Security Association (GSA) payload is used by the GCKS to 1297 assert security attributes for both Rekey and Data-security SAs. The 1298 Payload Type for the Group Security Association payload is fifty-one 1299 (51). 1301 1 2 3 1302 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1303 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1304 | Next Payload |C| RESERVED | Payload Length | 1305 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1306 | | 1307 ~ ~ 1308 | | 1309 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1311 Figure 13: GSA Payload Format 1313 The Security Association Payload fields are defined as follows: 1315 o Next Payload, C, RESERVED, Payload Length fields comprise the 1316 IKEv2 Generic Payload Header and are defined in Section 3.2. of 1317 [RFC7296]. 1319 o Group Policies (variable) - A set of group policies for the group. 1321 3.4.1. Group Policies 1323 Croup policies are comprised of two types of policy - Group SA (GSA) 1324 policy and Group Associated (GA) policy. GSA policy defines 1325 parameters for the Security Association for the group. Depending on 1326 the employed security protocol GSA policies may further be classified 1327 as rekeying SA policy (GSA KEK) and data traffic SA policy (GSA TEK). 1328 GSA payload may contain zero or one GSA KEK policy, zero or more GSA 1329 TEK policies, and zero or one GA policy, where either one GSA KEK or 1330 GSA TEK policy MUST be present. 1332 This latitude allows various group policies to be accommodated. For 1333 example if the group policy does not require the use of a Rekey SA, 1334 the GCKS would not need to send a GSA KEK policy to the group member 1335 since all SA updates would be performed using the Registration SA. 1336 Alternatively, group policy might use a Rekey SA but choose to 1337 download a KEK to the group member only as part of the Registration 1338 SA. Therefore, the GSA KEK policy would not be necessary as part of 1339 the GSA_REKEY message. 1341 Specifying multiple GSA TEKs allows multiple related data streams 1342 (e.g., video, audio, and text) to be associated with a session, but 1343 each protected with an individual security association policy. 1345 A GAP allows for the distribution of group-wise policy, such as 1346 instructions for when to activate and de-activate SAs. 1348 Policies are distributed in substructures to the GSA payload. The 1349 format of the substructures is defined below in Section 3.4.2 (for 1350 GSA policy) and in Section 3.4.3 (for GA policy). The first octet of 1351 the substructure unambiguously determines its type - it is zero for 1352 GAP and non-zero (actually, it is the security protocol ID) for GSA 1353 policies. 1355 3.4.2. Group Security Association Policy Substructure 1357 The GSA policy substructure contains parameters for the SA used with 1358 this group. Depending on the security protocol the SA is either a 1359 rekey SA or a data security SA (ESP and AH). It is NOT RECOMMENDED 1360 that the GCKS distribute both ESP and AH policies for the same set of 1361 Traffic Selectors. 1363 1 2 3 1364 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1365 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1366 | Protocol | SPI Size | Length | 1367 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1368 | | 1369 ~ SPI ~ 1370 | | 1371 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1372 | | 1373 ~ Source Traffic Selector ~ 1374 | | 1375 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1376 | | 1377 ~ Destination Traffic Selector ~ 1378 | | 1379 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1380 | | 1381 ~ ~ 1382 | | 1383 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1384 | | 1385 ~ ~ 1386 | | 1387 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1389 Figure 14: GSA Policy Substructure Format 1391 The GSA policy fields are defined as follows: 1393 o Protocol (1 octet) - Identifies the security protocol for this 1394 group SA. The values are defined in the IKEv2 Security Protocol 1395 Identifiers in [IKEV2-IANA]. The valid values for this field are: 1397 (GIKE_REKEY) for GSA KEK policy and 2 (AH) or 3 (ESP) for 1398 GSA TEK policy. 1400 o SPI Size (1 octet) - Size of Security Parameter Index (SPI) for 1401 the group SA. SPI size depends on the SA protocol. For 1402 GIKE_REKEY it is 16 octets, while for AH and ESP it is 4 octets. 1404 o Length (2 octets, unsigned integer) - Length of this substructure 1405 including the header. 1407 o SPI (variable) - Security Parameter Index for the group SA. The 1408 size of this field is determined by the SPI Size field. As 1409 described above, these SPIs are assigned by the GCKS. In case of 1410 GIKE_REKEY the SPI must be the IKEv2 Header SPI pair where the 1411 first 8 octets become the "Initiator's SPI" field in the G-IKEv2 1412 rekey message IKEv2 HDR, and the second 8 octets become the 1413 "Responder's SPI" in the same HDR. When selecting SPI the GCKS 1414 MUST make sure that the sole first 8 octets (corresponding to 1415 "Initiator's SPI" field in the IKEv2 header) uniquely identify the 1416 Rekey SA. 1418 o Source & Destination Traffic Selectors - (variable) - 1419 Substructures describing the source and destination of the network 1420 identities. The format for these substructures is defined in 1421 IKEv2 [RFC7296], section 3.13.1. For the group rekey SA (protocol 1422 GIKE_REKEY) the destination traffic selectors MUST define a single 1423 IP address, IP protocol and port the GSA_REKEY messages will be 1424 destined to. The source traffic selector in this case MUST either 1425 define a single IP address, IP protocol and port the GSA_REKEY 1426 messages will be originated from or be a wildcard selector. For 1427 the data security (AH and ESP) SAs the traffic selectors instead 1428 specify characteristics of the traffic to be protected by the 1429 corresponding SA. 1431 o GSA Transforms (variable) - A list of Transform Substructures 1432 specifies the policy information for the group SA. The format is 1433 defined in IKEv2 [RFC7296], section 3.3.2. The Last Substruc 1434 value in each Transform Substructure will be set to 3 except for 1435 the last one in the list, which is set to 0. Section 3.4.2.1 1436 describes using IKEv2 transforms in GSA policy substructure. 1438 o GSA Attributes (variable) - Contains policy attributes associated 1439 with the group SA. The following sections describe the possible 1440 attributes. Any or all attributes may be optional, depending on 1441 the group SA protocol and the group policy. Section 3.4.2.2 1442 defines attributes used in GSA policy. 1444 3.4.2.1. GSA Transforms 1446 GSA policy is defined by means of transforms in GSA policy 1447 substructure. For this purpose the transforms defined in [RFC7296] 1448 are used. In addition, new transform types are defined for using in 1449 G-IKEv2: Authentication Method (AUTH) and Group Key Management Method 1450 (GKM), see Section 6. 1452 Valid Transform Types depend on group SA protocol and are summarized 1453 in the table below. 1455 Protocol Mandatory Types Optional Types 1456 ---------------------------------------------------------- 1457 GIKE_REKEY ENCR, INTEG*, PRF, AUTH, GKM 1458 ESP ENCR INTEG, ESN 1459 AH INTEG ESN 1461 Figure 15: Valid Transform Types 1463 (*) If AEAD encryption algorithm is used, then INTEG transform MUST 1464 NOT be specified, otherwise it MUST be specified. 1466 3.4.2.1.1. Authentication Method Transform 1468 The Authentication Method (AUTH) transform is used in the GIKE_REKEY 1469 policy to convey information of how GCKS will authenticate the 1470 GSA_REKEY messages. This values are from the IKEv2 Authentication 1471 Method registry [IKEV2-IANA]. Note, that this registry defines only 1472 256 possible values, so even that Transform ID field in the Transform 1473 substructure allows for 65536 possible values, in case of the 1474 Authentication Method transform the values 257-65535 MUST NOT be 1475 used. 1477 Among the currently defined authentication methods in the IKEv2 1478 Authentication Method registry, only the following are allowed to be 1479 used in the Authentication Method transform: Shared Key Message 1480 Integrity Code, NULL Authentication and Digital Signature. Other 1481 currently defined authentication methods MUST NOT be used. The 1482 following semantics is associated with each of the allowed methods. 1484 Shared Key Message Integrity Code - GCKS will authenticates the 1485 GSA_REKEY messages by means of shared secret. In this case the 1486 GCKS MUST include the AUTH_KEY attribute containing the shared key 1487 into the KD payload at the time the GM is registered to the group. 1489 NULL Authentication - No additional authentication of the 1490 GSA_REKEY messages will be provided by the GCKS (besides the 1491 ability for the GMs to correctly decrypt them and verify their 1492 ICV). In this case the GCKS MUST NOT include the AUTH_KEY 1493 attribute into the KD payload. 1495 Digital Signature - Digital signatures will be used by the GCKS to 1496 authenticate the GSA_REKEY messages. In this case the GCKS MUST 1497 include the AUTH_KEY attribute containing the public key into the 1498 KD payload at the time the GM is registered to the group. To 1499 specify the details of the signature algorithm a new attribute 1500 Algorithm Identifier () is defined. This attribute 1501 contains DER-encoded ASN.1 object AlgorithmIdentifier, which would 1502 specify the signature algorithm and the hash function that the 1503 GCKS will use for authentication. The AlgorithmIdentifier object 1504 is defined in section 4.1.1.2 of [RFC5280], see also [RFC7427] for 1505 the list of common AlgorithmIdentifier values used in IKEv2. In 1506 case of using digital signature the GCKS MUST include the 1507 Algorithm Identifier attribute in the Authentication Method 1508 transform. 1510 The type of the Authentication Method Transform is . 1512 3.4.2.1.2. Group Key Management Method Transform 1514 The Group Key Management Method (GKM) transform is used in the 1515 GIKE_REKEY policy to convey information of how GCKS will manage the 1516 group keys to provide forward and backward access control (i.e., used 1517 to exclude group members). Possible key management methods are 1518 defined in a new IKEv2 registry "Transform Type - Group Key 1519 Management Methods" (see Section 6). This document defines one 1520 values for this registry: 1522 Wrapped Key Download () - Keys are downloaded by GCKS 1523 to the GMs in encrypted form. This algorithm may provide forward 1524 and backward access control if some form of key hierarchy is used 1525 and each GM is provided with a personal key at the time of 1526 registration. Otherwise no access control is provided. 1528 The type of the Group Key Management Method transform is . 1531 3.4.2.1.3. Extended Sequence Number Transform 1533 Extended Sequence Number (ESN) Transform is defined in [RFC7296] to 1534 allow using 64-bit sequence numbers in ESP and AH. Since both AH 1535 [RFC4302] and ESP [RFC4303] are defined so, that high-order 32 bits 1536 of extended sequence numbers are never transferred on the wire, it 1537 makes using ESN in multicast data security SAs problematic, because 1538 GMs that join group long after it is created will have to somehow 1539 learn the current high order 32 bits of ESN for each sender in the 1540 group. The algorithm for doing this described in [RFC4302] and 1541 [RFC4303] is resource-consuming. For this reason extended sequence 1542 numbers SHOULD NOT be used for multicast data security SAs and thus 1543 the ESN Transform SHOULD NOT be included in the GSA Payload. 1545 3.4.2.2. GSA Attributes 1547 GSA attributes are generally used to provide GMs with additional 1548 parameters for the GSA policy. Unlike security parameters 1549 distributed via transforms, which are expected not to change over 1550 time (unless policy changes), the parameters distributed via GSA 1551 attributes may depend on the time the provision takes place, on the 1552 existence of others group SAs or on other conditions. 1554 This document creates a new IKEv2 IANA registry for the types of the 1555 GSA attributes which is initially filled as described in Section 6. 1556 In particular, the following attributes are initially added. 1558 GSA Attributes Value Type Multiple Used In 1559 --------------------------------------------------------------------- 1560 Reserved 0 1561 GSA_KEY_LIFETIME 1 V N (GIKE_REKEY, AH, ESP) 1562 GSA_INITIAL_MESSAGE_ID 2 V N (GIKE_REKEY) 1563 GSA_NEXT_SPI 3 V Y (GIKE_REKEY, AH, ESP) 1565 The attributes must follow the format defined in the IKEv2 [RFC7296] 1566 section 3.3.5. In the table, attributes that are defined as TV are 1567 marked as Basic (B); attributes that are defined as TLV are marked as 1568 Variable (V). 1570 3.4.2.2.1. GSA_KEY_LIFETIME Attribute 1572 The GSA_KEY_LIFETIME attribute specifies the maximum time for which 1573 the group SA is valid. The value is a 4 octet number defining a 1574 valid time period in seconds. A single attribute of this type MUST 1575 be included into any GSA policy substructure. 1577 When the lifetime expires, the group security association and all 1578 associated keys MUST be deleted. The GCKS may delete the SA at any 1579 time before the end of the valid period. 1581 3.4.2.2.2. GSA_INITIAL_MESSAGE_ID Attribute 1583 The GSA_INITIAL_MESSAGE_ID attribute defines the initial Message ID 1584 to be used by the GCKS in the GSA_REKEY messages. The Message ID is 1585 a 4 octet unsigned integer in network byte order. 1587 A single attribute of this type MUST be included into the GSA KEK 1588 policy substructure if the initial Message ID is non-zero. Note, 1589 that it is always the case if GMs join the group after some multicast 1590 rekey operations have already taken place, so in these cases this 1591 attribute will be included into the GSA policy at the time of GMs' 1592 registration. 1594 3.4.2.2.3. GSA_NEXT_SPI Attribute 1596 The optional GSA_NEXT_SPI attribute contains SPI that the GCKS 1597 reserved for the next group SA replacing this group SA. The length 1598 of the attribute data is determined by the SPI Size field in the GSA 1599 Policy substructure the attribute resides in (see Section 3.4.2), and 1600 the attribute data contains SPI as it would appear on the network. 1601 Multiple attributes of this type MAY be included, meaning that any of 1602 the supplied SPIs can be used in the replacement group SA. 1604 The GM may store these values and if later the GM starts receiving 1605 group SA messages with one of these SPIs without seeing a rekey 1606 message over the current rekey SA, this may be used as an indication, 1607 that the rekey message got lost on its way to this GM. In this case 1608 the GM SHOULD re-register to the group. 1610 Note, that this method of detecting lost rekey messages can only be 1611 used by passive GMs, i.e. those, that only listen and don't send 1612 data. There is also no point to include this attribute in the 1613 GSA_INBAND_REKEY messages, since they use reliable transport. Note 1614 also, that the GCKS is free to forget its promises and not to use the 1615 SPIs it sent in the GSA_NEXT_SPI attributes before (e.g. in case of 1616 the GCKS reboot), so the GM must only treat these information as a 1617 "best effort" made by GCKS to prepare for future rekeys. 1619 3.4.3. Group Associated Policy Substructure 1621 Group specific policy that does not belong to any SA policy can be 1622 distributed to all group member using Group Associated Policy (GAP) 1623 substructure. 1625 The GAP substructure is defined as follows: 1627 1 2 3 1628 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1629 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1630 | ZERO | Length | 1631 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1632 | | 1633 ~ ~ 1634 | | 1635 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1637 Figure 16: GAP Substructure Format 1639 The GAP substructure fields are defined as follows: 1641 o ZERO (2 octets) - MUST be zero. 1643 o Length (2 octets, unsigned integer) - Length of this substructure 1644 including the header. 1646 o GAP Attributes (variable) - Contains policy attributes associated 1647 with no specific SA. The following sections describe the possible 1648 attributes. Any or all attributes may be optional, depending on 1649 the group policy. 1651 This document creates a new IKEv2 IANA registry for the types of the 1652 GAP attributes which is initially filled as described in Section 6. 1653 In particular, the following attributes are initially added. 1655 GAP Attributes Value Type Multiple 1656 ---------------------------------------------------- 1657 Reserved 0 1658 GAP_ATD 1 B N 1659 GAP_DTD 2 B N 1660 GAP_SID_BITS 3 B N 1662 The attributes must follow the format defined in the IKEv2 [RFC7296] 1663 section 3.3.5. In the table, attributes that are defined as TV are 1664 marked as Basic (B); attributes that are defined as TLV are marked as 1665 Variable (V). 1667 3.4.3.1. GAP_ATD And GAP_DTD Attributes 1669 Section 4.2.1 of [RFC5374] specifies a key rollover method that 1670 requires two values be provided to group members - Activation Time 1671 Delay (ATD) and Deactivation Time Delay (DTD). 1673 The GAP_ATD attribute allows a GCKS to set the Activation Time Delay 1674 for data security SAs of the group. The ATD defines how long active 1675 members of the group (those who sends traffic) should wait after 1676 receiving new SAs before staring sending traffic over them. Note, 1677 that to achieve smooth rollover passive members of the group should 1678 activate the SAs immediately once they receive them. 1680 The GAP_DTD attribute allows the GCKS to set the Deactivation Time 1681 Delay for previously distributed SAs. The DTD defines how long after 1682 receiving a request to delete data security SAs passive group members 1683 should wait before actually deleting them. Note that active members 1684 of the group should stop sending traffic over these old SAs once new 1685 replacement SAs are activated (after time specified in the GAP_ATD 1686 attribute). 1688 The GAP_ATD and GAP_DTD attributes contain 16 bit unsigned integer in 1689 a network byte order, specifying the delay in seconds. These 1690 attributes are OPTIONAL. If one of them or both are not sent by the 1691 GCKS, the GMs should use default values for activation and 1692 deactivation time delays. 1694 3.4.3.2. GAP_SID_BITS Attribute 1696 The GAP_SID_BITS attribute declares how many bits of the cipher nonce 1697 are taken to represent an SID value. The bits are applied as the 1698 most significant bits of the IV, as shown in Figure 1 of [RFC6054] 1699 and specified in Section 1.4.6.2. Guidance for a GCKS choosing the 1700 NUMBER_OF_SID_BITS is provided in Section 3 of [RFC6054]. This value 1701 is applied to each SID value distributed in the KD payload. 1703 The GCKS MUST include this attribute if there are more than one 1704 sender in the group and any of the data security SAs use counter- 1705 based cipher mode. The number of SID bits is represented as 16 bit 1706 unsigned integer in network byte order. 1708 3.5. Key Download Payload 1710 The Key Download (KD) payload contains the group keys for the group 1711 specified in the GSA Payload. The Payload Type for the Key Download 1712 payload is fifty-two (52). 1714 1 2 3 1715 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1716 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1717 | Next Payload |C| RESERVED | Length | 1718 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1719 | | 1720 ~ ~ 1721 | | 1722 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1724 Figure 17: Key Download Payload Format 1726 The Key Download payload fields are defined as follows: 1728 o Next Payload, C, RESERVED, Payload Length fields comprise the 1729 IKEv2 Generic Payload Header and are defined in Section 3.2. of 1730 [RFC7296]. 1732 o Key Packets (variable) - Contains Group Key Packet and Member Key 1733 Packet substructures. Each Key Packet contains keys for a single 1734 group rekey or data security SA or a keys and security parameters 1735 for a GM. 1737 Two types of Key Packets are used - Group Key Packet and Member Key 1738 Packet. 1740 3.5.1. Wrapped Key Format 1742 The symmetric keys in G-IKEv2 are never sent in clear. They are 1743 always encrypted with other keys using the format called Wrapped Key 1744 that is shown below (Figure 18). 1746 The keys are encrypted using algorithm that is used to encrypt the 1747 message the keys are sent in. It means, that in case of unicast IKE 1748 SA (used for GMs registration and rekeying using GSA_INBAND_REKEY) 1749 the encryption algorithm will be the one negotiated during the SA 1750 establishment, while for the GSA_REKEY messages the algorithm will be 1751 provided by the GCKS in the Encryption Algorithm transform in the GSA 1752 payload when this multicast SA was being established (not in the same 1753 GSA_REKEY message). 1755 If AEAD mode is used for encryption, then for the purpose of key 1756 encryption the authentication tag MUST NOT be used (both not 1757 calculated and not verified), since the G-IKEv2 provides 1758 authentication of all its messages. In addition there is no AAD in 1759 this case. If encryption algorithm requires padding, then the 1760 encrypted key MUST be padded before encryption to have the required 1761 size. If the encryption algorithm doesn't define the padding 1762 content, then the following scheme SHOULD be used: the Padding bytes 1763 are initialized with a series of (unsigned, 1-byte) integer values. 1764 The first padding byte appended to the plaintext is numbered 1, with 1765 subsequent padding bytes making up a monotonically increasing 1766 sequence: 1, 2, 3, .... The length of the padding is not transmitted 1767 and is implicitly determined, since the length of the key is known. 1769 1 2 3 1770 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1771 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1772 | Key ID | 1773 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1774 | KWK ID | 1775 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1776 | | 1777 ~ IV ~ 1778 | | 1779 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1780 | | 1781 ~ Encrypted Key ~ 1782 | | 1783 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1785 Figure 18: Wrapped Key Format 1787 The Wrapped Key fields are defined as follows: 1789 o Key ID (4 octets) - ID of the encrypted key. The value zero means 1790 that the encrypted key contains keying material for the group SA, 1791 otherwise it contains some intermediate key. 1793 o Key Wrap Key (KWK) ID (4 octets) - ID of the key that was used to 1794 encrypt this key. The value zero means that the default KWK was 1795 used to encrypt the key, otherwise some other key was used. 1797 o IV (variable) - Initialization Vector used for encryption. The 1798 size and the content of IV is defined by the encryption algorithm 1799 employed. 1801 o Encrypted Key (variable) - The encrypted key bits. These bits may 1802 comprise either a single encrypted key or a result of encryption 1803 of a concatenation of keys (key material) for several algorithms. 1805 3.5.2. Group Key Packet Substructure 1807 Group Key Packet substructure contains SA key information. This key 1808 information is associated with some group SAs: either with data 1809 security SAs or with group rekey SA. 1811 1 2 3 1812 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1813 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1814 | Protocol | SPI Size | Length | 1815 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1816 | | 1817 ~ SPI ~ 1818 | | 1819 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1820 | | 1821 ~ ~ 1822 | | 1823 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1825 Figure 19: Group Key Packet Substructure Format 1827 o Protocol (1 octet) - Identifies the security protocol for this key 1828 packet. The values are defined in the IKEv2 Security Protocol 1829 Identifiers in [IKEV2-IANA]. The valid values for this field are: 1830 (GIKE_REKEY) for KEK Key packet and 2 (AH) or 3 (ESP) for 1831 TEK key packet. 1833 o SPI Size (1 octet) - Size of Security Parameter Index (SPI) for 1834 the corresponding SA. SPI size depends on the security protocol. 1835 For GIKE_REKEY it is 16 octets, while for AH and ESP it is 4 1836 octets. 1838 o Length (2 octets, unsigned integer) - Length of this substructure 1839 including the header. 1841 o SPI (variable) - Security Parameter Index for the corresponding 1842 SA. The size of this field is determined by the SPI Size field. 1843 In case of GIKE_REKEY the SPI must be the IKEv2 Header SPI pair 1844 where the first 8 octets become the "Initiator's SPI" field in the 1845 G-IKEv2 rekey message IKEv2 HDR, and the second 8 octets become 1846 the "Responder's SPI" in the same HDR. When selecting SPI the 1847 GCKS MUST make sure that the sole first 8 octets (corresponding to 1848 "Initiator's SPI" field in the IKEv2 header) uniquely identify the 1849 Rekey SA. 1851 o Group Key Download Attributes (variable length) - Contains Key 1852 information for the corresponding SA. 1854 This document creates a new IKEv2 IANA registry for the types of the 1855 Group Key Download attributes which is initially filled as described 1856 in Section 6. In particular, the following attributes are initially 1857 added. 1859 GKD Attributes Value Type Multiple Used In 1860 ------------------------------------------------------------ 1861 Reserved 0 1862 SA_KEY 1 V Y (GIKE_REKEY) 1863 N (AH, ESP) 1865 The attributes must follow the format defined in the IKEv2 [RFC7296] 1866 section 3.3.5. In the table, attributes that are defined as TV are 1867 marked as Basic (B); attributes that are defined as TLV are marked as 1868 Variable (V). 1870 3.5.2.1. SA_KEY Attribute 1872 The SA_KEY attribute contains a keying material for the corresponding 1873 SA. The content of the attribute is formatted according to 1874 Section 3.5.1 with a precondition that the Key ID field MUST be zero. 1875 The size of the keying material MUST be equal to the total size of 1876 the keys needed to be taken from this keying material (see 1877 Section 2.4) for the corresponding SA. 1879 If the Key Packet is for a data security SA (AH or ESP protocols), 1880 then exactly one SA_KEY attribute MUST be present with both Key ID 1881 and KWK ID fields set to zero. 1883 If the Key Packet is for a rekey SA (GIKE_REKEY protocol), then at 1884 least one SA_KEY attribute with zero Key ID MUST be present. 1885 Depending on GCKS key management policy more SA_KEY attributes MAY be 1886 present. 1888 3.5.3. Member Key Packet Substructure 1890 The Member Key Packet substructure contains keys and other parameters 1891 that are specific for the member of the group and are not associated 1892 with any particular group SA. 1894 1 2 3 1895 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1896 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1897 | ZERO | Length | 1898 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1899 | | 1900 ~ ~ 1901 | | 1902 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1904 Figure 20: Member Key Packet Substructure Format 1906 The Member Key Packet substructure fields are defined as follows: 1908 o ZERO (2 octets) - MUST be zero. 1910 o Length (2 octets, unsigned integer) - Length of this substructure 1911 including the header. 1913 o Member Key Download Attributes (variable length) - Contains Key 1914 information and other parameters exclusively for a particular 1915 member of the group. 1917 Member Key Packet substructure contains sensitive information for a 1918 single GM, for this reason it MUST NOT be sent in GSA_REKEY messages 1919 and MUST only be sent via unicast SA at the time the GM registers to 1920 the group (in either GSA_AUTH or GSA_REGISTRATION exchanges). 1922 This document creates a new IKEv2 IANA registry for the types of the 1923 Member Key Download attributes which is initially filled as described 1924 in Section 6. In particular, the following attributes are initially 1925 added. 1927 MKD Attributes Value Type Multiple 1928 ------------------------------------------------ 1929 Reserved 0 1930 KEY_WRAP_KEY 1 V Y 1931 GM_SID 2 V Y 1932 AUTH_KEY 3 V N 1934 The attributes must follow the format defined in the IKEv2 [RFC7296] 1935 section 3.3.5. In the table, attributes that are defined as TV are 1936 marked as Basic (B); attributes that are defined as TLV are marked as 1937 Variable (V). 1939 3.5.3.1. KEY_WRAP_KEY Attribute 1941 The KEY_WRAP_KEY attribute contains a key that is used to encrypt 1942 other keys. One or more the these attributes are sent to GMs if the 1943 GCKS key management policy relies on some key hierarchy (e.g. LKH). 1945 The content of the attribute has a format defined in Section 3.5.1 1946 with a precondition that the Key ID field MUST NOT be zero. The 1947 algorithm associated with the key is from the Encryption Transform 1948 for the SA the KEY_WRAP_KEY attributes was sent in. The size of the 1949 key MUST be equal to the key size for this algorithm. 1951 Multiple instances of the KEY_WRAP_KEY attributes MAY be present in 1952 the key packet. 1954 3.5.3.2. GM_SID Attribute 1956 The GM_SID attribute is used to download one or more Sender-ID (SID) 1957 values for the exclusive use of a group member. One or more of this 1958 attributes MUST be sent by the GCKS if the GM informed the GCKS that 1959 it would be a sender (by inclusion the SENDER notification to the 1960 request) and at least one of the data security SAs included in the 1961 GSA payload uses counter-based mode of encryption. 1963 If the GMs has requested multiple SID values in the SENDER 1964 notification, then the GCKS SHOULD provide it with the requested 1965 number of SIDs by sending multiple instances of the GM_SID attribute. 1966 The GCKS MAY send fewer SIDs than requested by the GM (e.g. if it is 1967 running out of SIDs), but it MUST NOT send more than requested. 1969 3.5.3.3. AUTH_KEY Attribute 1971 The AUTH_KEY attribute contains the key that is used to authenticate 1972 the GSA_REKEY messages. The content of the attribute depends on the 1973 authentication method the GCKS specified in the Authentication Method 1974 transform in the GSA payload. 1976 o If a shared secret is used for the GSA_REKEY messages 1977 authentication then the content of the AUTH_KEY attribute is the 1978 shared secret that MUST be represented in the form of Wrapped Key 1979 (see Section 3.5.1) with zero KWK ID. The Key ID in this case is 1980 arbitrary and MUST be ignored by the GM. 1982 o If digital signatures are used for the GSA_REKEY messages 1983 authentication then the content of the AUTH_KEY attribute is a 1984 public key used for digital signature authentication. The public 1985 key MUST be represented as DER-encoded ASN.1 object 1986 SubjectPublicKeyInfo, defined in section 4.1.2.7 of [RFC5280]. 1987 The signature algorithm that will use this key was specified in 1988 the Algorithm Identifier attribute of the Authentication Method 1989 transform. The key MUST be compatible with this algorithm. An 1990 RSA public key format is defined in [RFC8017], Section A.1. DSS 1991 public key format is defined in [RFC3279] Section 2.3.2. For 1992 ECDSA Public keys, use format described in [RFC5480] Section 2. 1993 Other algorithms added to the IKEv2 Authentication Method registry 1994 are also expected to include a format of the SubjectPublicKeyInfo 1995 object included in the algorithm specification. 1997 Multiple instances of the AUTH_KEY attributes MUST NOT be sent. 1999 3.6. Delete Payload 2001 There are occasions when the GCKS may want to signal to group members 2002 to delete policy at the end of a broadcast, if group policy has 2003 changed, or the GCKS needs to reset the policy and keying material 2004 for the group due to an emergency. Deletion of keys MAY be 2005 accomplished by sending an IKEv2 Delete Payload, section 3.11 of 2006 [RFC7296] as part of a registration or rekey Exchange. Whenever an 2007 SA is to be deleted, the GKCS SHOULD send the Delete Payload in both 2008 registration and rekey exchanges, because GMs with previous group 2009 policy may contact the GCKS using either exchange. 2011 The Protocol ID MUST be GIKE_REKEY () for GSA_REKEY pseudo- 2012 exchange, 2 for AH or 3 for ESP. Note that only one protocol id 2013 value can be defined in a Delete payload. If a TEK and a KEK SA for 2014 GSA_REKEY pseudo-exchange must be deleted, they must be sent in 2015 different Delete payloads. Similarly, if a TEK specifying ESP and a 2016 TEK specifying AH need to be deleted, they must be sent in different 2017 Delete payloads. 2019 There may be circumstances where the GCKS may want to reset the 2020 policy and keying material for the group. The GCKS can signal 2021 deletion of all policy of a particular TEK by sending a TEK with a 2022 SPI value equal to zero in the delete payload. In the event that the 2023 administrator is no longer confident in the integrity of the group 2024 they may wish to remove all KEK and all the TEKs in the group. This 2025 is done by having the GCKS send a delete payload with a SPI of zero 2026 and a Protocol-ID of AH or ESP to delete all TEKs, followed by 2027 another delete payload with a SPI value of zero and Protocol-ID of 2028 KEK SA to delete the KEK SA. 2030 3.7. Notify Payload 2032 G-IKEv2 uses the same Notify payload as specified in [RFC7296], 2033 section 3.10. 2035 There are additional Notify Message types introduced by G-IKEv2 to 2036 communicate error conditions and status (see Section 6). 2038 o INVALID_GROUP_ID (45) - error type notification that indicates 2039 that the group id sent during the registration process is invalid. 2040 The Protocol ID and SPI Size fields in the Notify payload MUST be 2041 zero. There is no data associated with this notification and the 2042 content of the Notification Data field MUST be ignored on receipt. 2044 o AUTHORIZATION_FAILED (46) - error type notification that is sent 2045 in the response to a GSA_AUTH message when authorization failed. 2046 The Protocol ID and SPI Size fields in the Notify payload MUST be 2047 zero. There is no data associated with this notification and the 2048 content of the Notification Data field MUST be ignored on receipt. 2050 o REGISTRATION_FAILED () - error type notification that is sent 2051 by the GCKS when the GM registration request cannot be satisfied. 2052 The Protocol ID and SPI Size fields in the Notify payload MUST be 2053 zero. There is no data associated with this notification and the 2054 content of the Notification Data field MUST be ignored on receipt. 2056 o SENDER (16429) - status type notification that is sent in the 2057 GSA_AUTH or the GSA_REGISTRATION exchanges to indicate that the GM 2058 intends to be sender of data traffic. The data includes a count 2059 of how many SID values the GM desires. The count MUST be 4 octets 2060 long and contain the big endian representation of the number of 2061 requested SIDs. The Protocol ID and SPI Size fields in the Notify 2062 payload MUST be zero. 2064 o REKEY_IS_NEEDED () - status type notification that is sent in 2065 the GSA_AUTH response message to indicate that the GM must perform 2066 an immediate rekey of IKE SA to make it secure against quantum 2067 computers and then start a registration request over. The 2068 Protocol ID and SPI Size fields in the Notify payload MUST be 2069 zero. There is no data associated with this notification and the 2070 content of the Notification Data field MUST be ignored on receipt. 2072 3.7.1. USE_TRANSPORT_MODE Notification 2074 This specification uses USE_TRANSPORT_MODE notification defined in 2075 section 3.10.1 of [RFC7296] to specify which mode data security SAs 2076 should be created in. The GCKS MUST include one USE_TRANSPORT_MODE 2077 notification in a message containing the GSA payload for every data 2078 security SAs specified in this payload that is to be created in 2079 transport mode. In other words, there must be as many these 2080 notifications included in the message as many SAs are created in 2081 transport mode. The Protocol ID, SPI Size and SPI fields of the 2082 Notify Payload MUST correctly specify each such SA. 2084 3.8. Authentication Payload 2086 G-IKEv2 uses the same Authentication payload as specified in 2087 [RFC7296], section 3.8, to authenticate the rekey message. However, 2088 if it is used in the GSA_REKEY messages the content of the payload is 2089 computed differently, as described in Section 1.4.5.1.1. 2091 4. Interaction with other IKEv2 Protocol Extensions 2093 A number of IKEv2 extensions is defined that can be used to extend 2094 protocol functionality. G-IKEv2 is compatible with most of them. In 2095 particular, EAP authentication defined in [RFC7296] can be used to 2096 establish registration IKE SA, as well as Secure Password 2097 authentication ([RFC6467]). G-IKEv2 is compatible with and can use 2098 IKEv2 Session Resumption [RFC5723] except that a GM would include the 2099 initial ticket request in a GSA_AUTH exchange instead of an IKE_AUTH 2100 exchange. G-IKEv2 is also compatible with Multiple Key Exchanges in 2101 IKEv2 framework, defined in [I-D.ietf-ipsecme-ikev2-multiple-ke]. 2103 Some IKEv2 extensions however require special handling if used in 2104 G-IKEv2. 2106 4.1. Mixing Preshared Keys in IKEv2 for Post-quantum Security 2108 G-IKEv2 can take advantage of the protection provided by Postquantum 2109 Preshared Keys (PPK) for IKEv2 [RFC8784]. However, the use of PPK 2110 leaves the initial IKE SA susceptible to quantum computer (QC) 2111 attacks. For this reason an alternative approach for using PPK in 2112 IKEv2 defined in [I-D.smyslov-ipsecme-ikev2-qr-alt] SHOULD be used. 2114 If the alternative approach is not supported by the peers, then the 2115 GCKS MUST NOT send GSA and KD payloads in the GSA_AUTH response 2116 message. Instead, the GCKS MUST return a new notification 2117 REKEY_IS_NEEDED. Upon receiving this notification in the GSA_AUTH 2118 response the GM MUST perform an IKE SA rekey and then initiate a new 2119 GSA_REGISTRATION request for the same group. Below are possible 2120 scenarios involving using PPK. 2122 The GM starts the IKE_SA_INIT exchange requesting using PPK, and the 2123 GCKS responds with agreement to do it, or aborts according to its 2124 "mandatory_or_not" flag: 2126 Initiator (Member) Responder (GCKS) 2127 -------------------- ------------------ 2128 HDR, SAi1, KEi, Ni, N(USE_PPK) --> 2129 <-- DR, SAr1, KEr, Nr, [CERTREQ], 2130 N(USE_PPK) 2132 Figure 21: IKE_SA_INIT Exchange requesting using PPK 2134 The GM then starts the GSA_AUTH exchange with the PPK_ID; if using 2135 PPK is not mandatory for the GM, the NO_PPK_AUTH notification is 2136 included in the request: 2138 Initiator (Member) Responder (GCKS) 2139 -------------------- ------------------ 2140 HDR, SK{IDi, AUTH, IDg, 2141 N(PPK_IDENTITY), N(NO_PPK_AUTH)} --> 2143 Figure 22: GSA_AUTH Request using PPK 2145 If the GCKS has no such PPK and using PPK is not mandatory for it and 2146 the NO_PPK_AUTH is included, then the GCKS continues without PPK; in 2147 this case no rekey is needed: 2149 Initiator (Member) Responder (GCKS) 2150 -------------------- ------------------ 2151 <-- HDR, SK{IDr, AUTH, GSA, KD} 2153 Figure 23: GSA_AUTH Response using no PPK 2155 If the GCKS has no such PPK and either the NO_PPK_AUTH is missing or 2156 using PPK is mandatory for the GCKS, the GCKS aborts the exchange: 2158 Initiator (Member) Responder (GCKS) 2159 -------------------- ------------------ 2160 <-- HDR, SK{N(AUTHENTICATION_FAILED)} 2162 Figure 24: GSA_AUTH Error Response 2164 Assuming the GCKS has the proper PPK it continues with a request to 2165 the GM to immediately perform a rekey by sending the REKEY_IS_NEEDED 2166 notification: 2168 Initiator (Member) Responder (GCKS) 2169 -------------------- ------------------ 2170 <-- HDR, SK{IDr, AUTH, N(PPK_IDENTITY), 2171 N(REKEY_IS_NEEDED) } 2173 Figure 25: GSA_AUTH Response using PPK 2175 The GM initiates the CREATE_CHILD_SA exchange to rekey the initial 2176 IKE SA and then makes a new registration request for the same group 2177 over the new IKE SA: 2179 Initiator (Member) Responder (GCKS) 2180 -------------------- ------------------ 2181 HDR, SK{SA, Ni, KEi} --> 2182 <-- HDR, SK{SA, Nr, KEr} 2183 HDR, SK{IDg} ---> 2184 <-- HDR, SK{GSA, KD} 2186 Figure 26: Rekeying IKE SA followed by GSA_REGISTRATION Exchange 2188 5. Security Considerations 2190 5.1. GSA Registration and Secure Channel 2192 G-IKEv2 registration exchange uses IKEv2 IKE_SA_INIT protocols, 2193 inheriting all the security considerations documented in [RFC7296] 2194 section 5 Security Considerations, including authentication, 2195 confidentiality, protection against man-in-the-middle, protection 2196 against replay/reflection attacks, and denial of service protection. 2197 The GSA_AUTH and GSA_REGISTRATION exchanges also take advantage of 2198 those protections. In addition, G-IKEv2 brings in the capability to 2199 authorize a particular group member regardless of whether they have 2200 the IKEv2 credentials. 2202 5.2. GSA Maintenance Channel 2204 The GSA maintenance channel is cryptographically and integrity 2205 protected using the cryptographic algorithm and key negotiated in the 2206 GSA member registration exchanged. 2208 5.2.1. Authentication/Authorization 2210 Authentication is implicit, the public key of the identity is 2211 distributed during the registration, and the receiver of the rekey 2212 message uses that public key and identity to verify the message came 2213 from the authorized GCKS. 2215 5.2.2. Confidentiality 2217 Confidentiality is provided by distributing a confidentiality key as 2218 part of the GSA member registration exchange. 2220 5.2.3. Man-in-the-Middle Attack Protection 2222 GSA maintenance channel is integrity protected by using a digital 2223 signature. 2225 5.2.4. Replay/Reflection Attack Protection 2227 The GSA_REKEY message includes a monotonically increasing sequence 2228 number to protect against replay and reflection attacks. A group 2229 member will recognize a replayed message by comparing the Message ID 2230 number to that of the last received rekey message, any rekey message 2231 containing a Message ID number less than or equal to the last 2232 received value MUST be discarded. Implementations should keep a 2233 record of recently received GSA rekey messages for this comparison. 2235 6. IANA Considerations 2237 6.1. New Registries 2239 A new set of registries is created for G-IKEv2 on IKEv2 parameters 2240 page [IKEV2-IANA]. The terms Reserved, Expert Review and Private Use 2241 are to be applied as defined in [RFC8126]. 2243 This document creates a new IANA registry "Transform Type - 2244 Group Key Management Methods". The initial values of the new 2245 registry are: 2247 Value Group Key Management Method 2248 ------------------------------------------------------- 2249 Reserved 0 2250 Wrapped Key Download 1 2251 Unassigned 2-1023 2252 Private Use 1024-65535 2254 Changes and additions to the unassigned range of this registry are by 2255 the Expert Review Policy [RFC8126]. 2257 This document creates a new IANA registry "GSA Attributes". The 2258 initial values of the new registry are: 2260 GSA Attributes Value Type Multiple Used In 2261 --------------------------------------------------------------------- 2262 Reserved 0 2263 GSA_KEY_LIFETIME 1 V N (GIKE_REKEY, AH, ESP) 2264 GSA_INITIAL_MESSAGE_ID 2 V N (GIKE_REKEY) 2265 GSA_NEXT_SPI 3 V Y (GIKE_REKEY, AH, ESP) 2266 Unassigned 5-16383 2267 Private Use 16384-32767 2269 Changes and additions to the unassigned range of this registry are by 2270 the Expert Review Policy [RFC8126]. 2272 This document creates a new IANA registry "GAP Attributes". The 2273 initial values of the new registry are: 2275 GAP Attributes Value Type Multiple 2276 ---------------------------------------------------- 2277 Reserved 0 2278 GAP_ATD 1 B N 2279 GAP_DTD 2 B N 2280 GAP_SID_BITS 3 B N 2281 Unassigned 4-16383 2282 Private Use 16384-32767 2284 Changes and additions to the unassigned range of this registry are by 2285 the Expert Review Policy [RFC8126]. 2287 This document creates a new IANA registry "Group Key Download 2288 Attributes". The initial values of the new registry are: 2290 GKD Attributes Value Type Multiple Used In 2291 ------------------------------------------------------------ 2292 Reserved 0 2293 SA_KEY 1 V Y (GIKE_REKEY) 2294 N (AH, ESP) 2295 Unassigned 2-16383 2296 Private Use 16384-32767 2298 Changes and additions to the unassigned range of this registry are by 2299 the Expert Review Policy [RFC8126]. 2301 This document creates a new IANA registry "Member Key Download 2302 Attributes". The initial values of the new registry are: 2304 MKD Attributes Value Type Multiple 2305 ------------------------------------------------ 2306 Reserved 0 2307 KEY_WRAP_KEY 1 V Y 2308 GM_SID 2 V Y 2309 AUTH_KEY 3 V N 2310 Unassigned 4-16383 2311 Private Use 16384-32767 2313 Changes and additions to the unassigned range of this registry are by 2314 the Expert Review Policy [RFC8126]. 2316 6.2. Changes in the Existing IKEv2 Registries 2318 This document defines new Exchange Types in the "IKEv2 Exchange 2319 Types" registry: 2321 Value Exchange Type 2322 ---------------------------- 2323 39 GSA_AUTH 2324 40 GSA_REGISTRATION 2325 41 GSA_REKEY 2326 GSA_INBAND_REKEY 2328 This document defines new Payload Types in the "IKEv2 Payload Types" 2329 registry: 2331 Value Next Payload Type Notation 2332 ---------------------------------------------------- 2333 50 Group Identification IDg 2334 51 Group Security Association GSA 2335 52 Key Download KD 2337 This document defines a new Security Protocol Identifier in the 2338 "IKEv2 Security Protocol Identifiers" registry: 2340 GIKE_REKEY 2342 This document defines new Transform Types in the "Transform Type 2343 Values" registry and changes the "Used In" column for the existing 2344 allocations: 2346 Type Description Used In 2347 --------------------------------------------------------------------- 2348 1 Encryption Algorithm (ENCR) (IKE, GIKE_REKEY and ESP) 2349 2 Pseudo-random Function (PRF) (IKE, GIKE_REKEY) 2350 3 Integrity Algorithm (INTEG) (IKE, GIKE_REKEY, AH, 2351 optional in ESP) 2352 4 Diffie-Hellman Group (D-H) (IKE, optional in AH, ESP) 2353 5 Extended Sequence Numbers (ESN) (AH and ESP) 2354 Authentication Method (AUTH) (GIKE_REKEY) 2355 Group Key Management Method (GKM) (GIKE_REKEY) 2357 This document defines a new Attribute Type in the "IKEv2 Transform 2358 Attribute Types" registry: 2360 Value Attribute Type Format 2361 ---------------------------------------------- 2362 Algorithm Identifier TLV 2363 This document defines new Notify Message Types in the "Notify Message 2364 Types - Status Types" registry: 2366 Value Notify Messages - Status Types 2367 ------------------------------------------ 2368 16429 SENDER 2370 The Notify type with the value 16429 was allocated earlier in the 2371 development of G-IKEv2 document with the name SENDER_REQUEST_ID. 2372 This specification changes its name to SENDER. 2374 This document defines new Notify Message Types in the "Notify Message 2375 Types - Error Types" registry: 2377 Value Notify Messages - Error Types 2378 ----------------------------------------- 2379 45 INVALID_GROUP_ID 2380 46 AUTHORIZATION_FAILED 2381 REGISTRATION_FAILED 2383 7. Acknowledgements 2385 The authors thank Lakshminath Dondeti and Jing Xiang for first 2386 exploring the use of IKEv2 for group key management and providing the 2387 basis behind the protocol. Mike Sullenberger and Amjad Inamdar were 2388 instrumental in helping resolve many issues in several versions of 2389 the document. 2391 8. Contributors 2393 The following individuals made substantial contributions to early 2394 versions of this memo. 2396 Sheela Rowles 2397 Cisco Systems 2398 170 W. Tasman Drive 2399 San Jose, California 95134-1706 2400 USA 2402 Phone: +1-408-527-7677 2403 Email: sheela@cisco.com 2404 Aldous Yeung 2405 Cisco Systems 2406 170 W. Tasman Drive 2407 San Jose, California 95134-1706 2408 USA 2410 Phone: +1-408-853-2032 2411 Email: cyyeung@cisco.com 2413 Paulina Tran 2414 Cisco Systems 2415 170 W. Tasman Drive 2416 San Jose, California 95134-1706 2417 USA 2419 Phone: +1-408-526-8902 2420 Email: ptran@cisco.com 2422 Yoav Nir 2423 Dell EMC 2424 9 Andrei Sakharov St 2425 Haifa 3190500 2426 Israel 2428 Email: ynir.ietf@gmail.com 2430 9. References 2432 9.1. Normative References 2434 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 2435 Requirement Levels", BCP 14, RFC 2119, 2436 DOI 10.17487/RFC2119, March 1997, 2437 . 2439 [RFC4301] Kent, S. and K. Seo, "Security Architecture for the 2440 Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, 2441 December 2005, . 2443 [RFC4302] Kent, S., "IP Authentication Header", RFC 4302, 2444 DOI 10.17487/RFC4302, December 2005, 2445 . 2447 [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", 2448 RFC 4303, DOI 10.17487/RFC4303, December 2005, 2449 . 2451 [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., 2452 Housley, R., and W. Polk, "Internet X.509 Public Key 2453 Infrastructure Certificate and Certificate Revocation List 2454 (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, 2455 . 2457 [RFC6054] McGrew, D. and B. Weis, "Using Counter Modes with 2458 Encapsulating Security Payload (ESP) and Authentication 2459 Header (AH) to Protect Group Traffic", RFC 6054, 2460 DOI 10.17487/RFC6054, November 2010, 2461 . 2463 [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. 2464 Kivinen, "Internet Key Exchange Protocol Version 2 2465 (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October 2466 2014, . 2468 [RFC7427] Kivinen, T. and J. Snyder, "Signature Authentication in 2469 the Internet Key Exchange Version 2 (IKEv2)", RFC 7427, 2470 DOI 10.17487/RFC7427, January 2015, 2471 . 2473 [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for 2474 Writing an IANA Considerations Section in RFCs", BCP 26, 2475 RFC 8126, DOI 10.17487/RFC8126, June 2017, 2476 . 2478 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2479 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2480 May 2017, . 2482 9.2. Informative References 2484 [I-D.ietf-ipsecme-ikev2-multiple-ke] 2485 Tjhai, C., Tomlinson, M., Bartlett, G., Fluhrer, S., 2486 Geest, D. V., Garcia-Morchon, O., and V. Smyslov, 2487 "Multiple Key Exchanges in IKEv2", draft-ietf-ipsecme- 2488 ikev2-multiple-ke-04 (work in progress), September 2021. 2490 [I-D.smyslov-ipsecme-ikev2-qr-alt] 2491 Smyslov, V., "Alternative Approach for Mixing Preshared 2492 Keys in IKEv2 for Post-quantum Security", draft-smyslov- 2493 ipsecme-ikev2-qr-alt-04 (work in progress), August 2021. 2495 [IKEV2-IANA] 2496 IANA, "Internet Key Exchange Version 2 (IKEv2) 2497 Parameters", . 2500 [NNL] Naor, D., Noal, M., and J. Lotspiech, "Revocation and 2501 Tracing Schemes for Stateless Receivers", Advances in 2502 Cryptology, Crypto '01, Springer-Verlag LNCS 2139, 2001, 2503 pp. 41-62, 2001, 2504 . 2506 [OFT] McGrew, D. and A. Sherman, "Key Establishment in Large 2507 Dynamic Groups Using One-Way Function Trees", Manuscript, 2508 submitted to IEEE Transactions on Software Engineering, 2509 1998, . 2512 [RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange 2513 (IKE)", RFC 2409, DOI 10.17487/RFC2409, November 1998, 2514 . 2516 [RFC2627] Wallner, D., Harder, E., and R. Agee, "Key Management for 2517 Multicast: Issues and Architectures", RFC 2627, 2518 DOI 10.17487/RFC2627, June 1999, 2519 . 2521 [RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and 2522 Identifiers for the Internet X.509 Public Key 2523 Infrastructure Certificate and Certificate Revocation List 2524 (CRL) Profile", RFC 3279, DOI 10.17487/RFC3279, April 2525 2002, . 2527 [RFC3686] Housley, R., "Using Advanced Encryption Standard (AES) 2528 Counter Mode With IPsec Encapsulating Security Payload 2529 (ESP)", RFC 3686, DOI 10.17487/RFC3686, January 2004, 2530 . 2532 [RFC3740] Hardjono, T. and B. Weis, "The Multicast Group Security 2533 Architecture", RFC 3740, DOI 10.17487/RFC3740, March 2004, 2534 . 2536 [RFC4046] Baugher, M., Canetti, R., Dondeti, L., and F. Lindholm, 2537 "Multicast Security (MSEC) Group Key Management 2538 Architecture", RFC 4046, DOI 10.17487/RFC4046, April 2005, 2539 . 2541 [RFC4106] Viega, J. and D. McGrew, "The Use of Galois/Counter Mode 2542 (GCM) in IPsec Encapsulating Security Payload (ESP)", 2543 RFC 4106, DOI 10.17487/RFC4106, June 2005, 2544 . 2546 [RFC4309] Housley, R., "Using Advanced Encryption Standard (AES) CCM 2547 Mode with IPsec Encapsulating Security Payload (ESP)", 2548 RFC 4309, DOI 10.17487/RFC4309, December 2005, 2549 . 2551 [RFC4543] McGrew, D. and J. Viega, "The Use of Galois Message 2552 Authentication Code (GMAC) in IPsec ESP and AH", RFC 4543, 2553 DOI 10.17487/RFC4543, May 2006, 2554 . 2556 [RFC5374] Weis, B., Gross, G., and D. Ignjatic, "Multicast 2557 Extensions to the Security Architecture for the Internet 2558 Protocol", RFC 5374, DOI 10.17487/RFC5374, November 2008, 2559 . 2561 [RFC5480] Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk, 2562 "Elliptic Curve Cryptography Subject Public Key 2563 Information", RFC 5480, DOI 10.17487/RFC5480, March 2009, 2564 . 2566 [RFC5723] Sheffer, Y. and H. Tschofenig, "Internet Key Exchange 2567 Protocol Version 2 (IKEv2) Session Resumption", RFC 5723, 2568 DOI 10.17487/RFC5723, January 2010, 2569 . 2571 [RFC6407] Weis, B., Rowles, S., and T. Hardjono, "The Group Domain 2572 of Interpretation", RFC 6407, DOI 10.17487/RFC6407, 2573 October 2011, . 2575 [RFC6467] Kivinen, T., "Secure Password Framework for Internet Key 2576 Exchange Version 2 (IKEv2)", RFC 6467, 2577 DOI 10.17487/RFC6467, December 2011, 2578 . 2580 [RFC7383] Smyslov, V., "Internet Key Exchange Protocol Version 2 2581 (IKEv2) Message Fragmentation", RFC 7383, 2582 DOI 10.17487/RFC7383, November 2014, 2583 . 2585 [RFC7634] Nir, Y., "ChaCha20, Poly1305, and Their Use in the 2586 Internet Key Exchange Protocol (IKE) and IPsec", RFC 7634, 2587 DOI 10.17487/RFC7634, August 2015, 2588 . 2590 [RFC8017] Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch, 2591 "PKCS #1: RSA Cryptography Specifications Version 2.2", 2592 RFC 8017, DOI 10.17487/RFC8017, November 2016, 2593 . 2595 [RFC8229] Pauly, T., Touati, S., and R. Mantha, "TCP Encapsulation 2596 of IKE and IPsec Packets", RFC 8229, DOI 10.17487/RFC8229, 2597 August 2017, . 2599 [RFC8784] Fluhrer, S., Kampanakis, P., McGrew, D., and V. Smyslov, 2600 "Mixing Preshared Keys in the Internet Key Exchange 2601 Protocol Version 2 (IKEv2) for Post-quantum Security", 2602 RFC 8784, DOI 10.17487/RFC8784, June 2020, 2603 . 2605 Appendix A. Use of LKH in G-IKEv2 2607 Section 5.4 of [RFC2627] describes the LKH architecture, and how a 2608 GCKS uses LKH to exclude group members. This section clarifies how 2609 the LKH architecture is used with G-IKEv2. 2611 A.1. Notation 2613 In this section we will use the notation X{Y} where a key with ID Y 2614 is encrypted with the key with ID X. The notation 0{Y} means that 2615 the default wrap key (SK_w) is used to encrypt key Y, and the 2616 notation X{0} means key X is used to encrypt the group SA key. Note, 2617 that 0{0} means that the group SA key is encrypted with default wrap 2618 key. 2620 The content of the KD payload will be shown as a sequence of Key 2621 Packets. The Group Key Packet substructure will be denoted as SAn(), 2622 when n is an SPI for the SA, and The Member Key Packet substructure 2623 will be denoted as GM(). The content of the Key Packets is shown as 2624 SA_KEY and KEY_WRAP_KEY attributes with the notation described above. 2625 Here is the example of KD payload. 2627 KD(SA1(X{0}),GM(Y{X},Z{Y},0{Z}) 2629 For simplicity any other attributes in the KD payload are omitted. 2631 We will also use the notation X->Y->Z to describe the Key Path, i.e. 2632 the relation between the keys. In this case the keys had the 2633 following relation: Z{Y}, Y{X}. 2635 A.2. Group Creation 2637 When a GCKS forms a group, it creates a key tree as shown in the 2638 figure below. The key tree contains logical keys (which are 2639 represented as the values of their Key IDs in the figure) and a 2640 private key shared with only a single GM (the GMs are represented as 2641 letters followed by the corresponding key ID in parentheses in the 2642 figure). The root of the tree contains the multicast rekey SA key 2643 (which is represented as SAn(0), showing that its Key ID is always 2644 zero). The figure below assumes that the Key IDs are assigned 2645 sequentially; this is not a requirement and only used for 2646 illustrative purposes. The GCKS may create a complete tree as shown, 2647 or a partial tree which is created on demand as members join the 2648 group. 2650 SA1(0) 2651 +------------------------------+ 2652 1 2 2653 +---------------+ +---------------+ 2654 3 4 5 6 2655 +-------+ +-------+ +--------+ +--------+ 2656 A(7) B(8) C(9) D(10) E(11) F(12) G(13) H(14) 2658 Figure 27: Initial LKH tree 2660 When GM A joins the group, the GCKS provides it with the keys in the 2661 KEY_WRAP_KEY attributes in the KD payload of the GSA_AUTH or 2662 GSA_REGISTRATION exchange. Given the tree shown in figure above, the 2663 KD payload will be: 2665 KD(SA1(1{0}),GM(3{1},7{3},0{7}) 2667 KD Payload for the Group Member A 2669 From these attributes the GM A will construct the Key Path 2670 0->1->3->7->0 and since it ends up with SK_w, it will use all the 2671 KEY_WRAP_KEY attributes present in the path as its working Key Path: 2672 1->3->7. 2674 Similarly, when other GMs will be joining the group they will be 2675 provided with the corresponding keys, so after all the GMs will have 2676 the following working Key Paths: 2678 A: 1->3->7 B: 1->3->8 C: 1->4->9, D: 1->4->10 2679 E: 2->5->11 F: 2->5->12 G: 2->6->13 H: 2->6->14 2681 A.3. Simple Group SA Rekey 2683 If the GCKS performs a simple SA rekey without changing group 2684 membership, it will only send Group Key Packet in the KD payload with 2685 a new SA key encrypted with the default KWK. 2687 KD(SA2(0{0})) 2689 KD Payload for the Group Member F 2691 All the GMs will be able to decrypt it and no changes in their 2692 working Key Paths will take place. 2694 A.4. Group Member Exclusion 2696 If the GKCS has reason to believe that a GM should be excluded, then 2697 it can do so by sending a GSA_REKEY message that includes a set of 2698 GM_KEY attributes which would allow all GMs except for the excluded 2699 one to get a new SA key. 2701 In the example below the GCKS excludes GM F. For this purpose it 2702 changes the key tree as follows, replacing the key 2 with the key 15 2703 and the key 5 with the key 16. It also a new SA key for a new SA3. 2705 SA3(0) 2706 +------------------------------+ 2707 1 15 2708 +---------------+ +---------------+ 2709 3 4 16 6 2710 +-------+ +-------+ +---- +--------+ 2711 A(7) B(8) C(9) D(10) E(11) F(12) G(13) H(14) 2713 Figure 28: LKH tree after F has been excluded 2715 Then it sends the following KD payload for the new rekey SA3: 2717 KD(SA3(1{0},SA3(15{0})),GM(6{15},16{15},11{16}) 2719 KD Payload for the Group Member F 2721 While processing this KD payload: 2723 o GMs A, B, C and D will be able to decrypt the SA_KEY attribute 2724 1{0} by using the "1" key from their key path. Since no new 2725 GM_KEY attributes are in the new Key Path, they won't update their 2726 working Key Paths. 2728 o GMs G and H will construct new Key Path 15->0 and will be able to 2729 decrypt the new GM_KEY 15 using the key 6 from their working Key 2730 Paths. So, they will update their working Key Paths replacing 2731 their beginnings up to the key 6 with the new Key Path (thus 2732 replacing the key 2 with the key 15). 2734 o GM E will construct new Key Path 16->15->0 and will be able to 2735 decrypt the new GM_KEY 16 using the key 11 from its working Key 2736 Path. So, it will update its working Key Path replacing its 2737 beginnings up to the key 11 with the new Key Path (thus replacing 2738 the key 2 with the key 15 and the key 5 with the key 16). 2740 o GM F won't be able to construct any Key Path leading to any key he 2741 possesses, so it will be unable to decrypt the new SA key for the 2742 SA3 and thus it will be excluded from the group once the GCKS 2743 starts sending TEK keys using SA3. 2745 Finally, the GMs will have the following working Key Paths: 2747 A: 1->3->7 B: 1->3->8 C: 1->4->9, D: 1->4->10 2748 E: 15->16->11 F: excluded G: 15->6->13 H: 15->6->14 2750 Authors' Addresses 2752 Valery Smyslov 2753 ELVIS-PLUS 2754 PO Box 81 2755 Moscow (Zelenograd) 124460 2756 Russian Federation 2758 Phone: +7 495 276 0211 2759 Email: svan@elvis.ru 2761 Brian Weis 2762 Independent 2763 USA 2765 Email: bew.stds@gmail.com