idnits 2.17.1 draft-yeung-g-ikev2-10.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (March 21, 2016) is 2929 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Obsolete informational reference (is this intentional?): RFC 2407 (Obsoleted by RFC 4306) -- Obsolete informational reference (is this intentional?): RFC 2408 (Obsoleted by RFC 4306) -- Obsolete informational reference (is this intentional?): RFC 2409 (Obsoleted by RFC 4306) -- Obsolete informational reference (is this intentional?): RFC 5226 (Obsoleted by RFC 8126) Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 5 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group B. Weis 3 Internet-Draft Cisco Systems 4 Intended status: Standards Track Y. Nir 5 Expires: September 22, 2016 Check Point Software Technologies Ltd. 6 V. Smyslov 7 ELVIS-PLUS 8 March 21, 2016 10 Group Key Management using IKEv2 11 draft-yeung-g-ikev2-10 13 Abstract 15 This document presents a new group key distribution protocol. The 16 protocol is in conformance with MSEC key management architecture it 17 contains two components: member registration and group rekeying, both 18 downloading group security associations from the Group Controller Key 19 Server to a member of the group. The new protocol is similar to 20 IKEv2 in message and payload formats as well as message semantics. 22 Status of This Memo 24 This Internet-Draft is submitted in full conformance with the 25 provisions of BCP 78 and BCP 79. 27 Internet-Drafts are working documents of the Internet Engineering 28 Task Force (IETF). Note that other groups may also distribute 29 working documents as Internet-Drafts. The list of current Internet- 30 Drafts is at http://datatracker.ietf.org/drafts/current/. 32 Internet-Drafts are draft documents valid for a maximum of six months 33 and may be updated, replaced, or obsoleted by other documents at any 34 time. It is inappropriate to use Internet-Drafts as reference 35 material or to cite them other than as "work in progress." 37 This Internet-Draft will expire on September 22, 2016. 39 Copyright Notice 41 Copyright (c) 2016 IETF Trust and the persons identified as the 42 document authors. All rights reserved. 44 This document is subject to BCP 78 and the IETF Trust's Legal 45 Provisions Relating to IETF Documents 46 (http://trustee.ietf.org/license-info) in effect on the date of 47 publication of this document. Please review these documents 48 carefully, as they describe your rights and restrictions with respect 49 to this document. Code Components extracted from this document must 50 include Simplified BSD License text as described in Section 4.e of 51 the Trust Legal Provisions and are provided without warranty as 52 described in the Simplified BSD License. 54 Table of Contents 56 1. Introduction and Overview . . . . . . . . . . . . . . . . . . 3 57 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 4 58 1.2. Why do we need another GSA protocol? . . . . . . . . . . 4 59 1.3. G-IKEv2 Payloads . . . . . . . . . . . . . . . . . . . . 4 60 2. G-IKEv2 integration into IKEv2 protocol . . . . . . . . . . . 5 61 2.1. UDP port . . . . . . . . . . . . . . . . . . . . . . . . 5 62 3. G-IKEv2 Protocol . . . . . . . . . . . . . . . . . . . . . . 5 63 3.1. G-IKEv2 member registration and secure channel 64 establishment . . . . . . . . . . . . . . . . . . . . . . 5 65 3.1.1. GSA_AUTH exchange . . . . . . . . . . . . . . . . . . 6 66 3.1.2. GSA_REGISTRATION Exchange . . . . . . . . . . . . . . 7 67 3.1.3. IKEv2 Header Initialization . . . . . . . . . . . . . 8 68 3.1.4. GM Registration Operations . . . . . . . . . . . . . 8 69 3.1.5. GCKS Registration Operations . . . . . . . . . . . . 9 70 3.2. Counter-based modes of operation . . . . . . . . . . . . 9 71 3.3. G-IKEv2 group maintenance channel . . . . . . . . . . . . 11 72 3.3.1. G-IKEv2 GSA_REKEY exchange . . . . . . . . . . . . . 11 73 3.3.2. Forward and Backward Access Control . . . . . . . . . 13 74 3.3.3. Forward Access Control Requirements . . . . . . . . . 13 75 3.3.4. Deletion of SAs . . . . . . . . . . . . . . . . . . . 14 76 3.3.5. GSA_REKEY GCKS Operations . . . . . . . . . . . . . . 14 77 3.3.6. GSA_REKEY GM Operations . . . . . . . . . . . . . . . 15 78 4. Header and Payload Formats . . . . . . . . . . . . . . . . . 16 79 4.1. The G-IKEv2 Header . . . . . . . . . . . . . . . . . . . 16 80 4.2. Group Identification (IDg) Payload . . . . . . . . . . . 16 81 4.3. Group Security Association Payload . . . . . . . . . . . 16 82 4.3.1. GSA policy . . . . . . . . . . . . . . . . . . . . . 17 83 4.4. KEK Policy . . . . . . . . . . . . . . . . . . . . . . . 18 84 4.4.1. KEK Attributes . . . . . . . . . . . . . . . . . . . 19 85 4.4.2. KEK_MANAGEMENT_ALGORITHM . . . . . . . . . . . . . . 20 86 4.4.3. KEK_ENCR_ALGORITHM . . . . . . . . . . . . . . . . . 20 87 4.4.4. KEK_KEY_LENGTH . . . . . . . . . . . . . . . . . . . 20 88 4.4.5. KEK_KEY_LIFETIME . . . . . . . . . . . . . . . . . . 20 89 4.4.6. KEK_INTEGRITY_ALGORITHM . . . . . . . . . . . . . . . 21 90 4.4.7. KEK_AUTH_METHOD . . . . . . . . . . . . . . . . . . . 21 91 4.4.8. KEK_AUTH_HASH . . . . . . . . . . . . . . . . . . . . 21 92 4.4.9. KEK_MESSAGE_ID . . . . . . . . . . . . . . . . . . . 21 93 4.5. GSA TEK Policy . . . . . . . . . . . . . . . . . . . . . 21 94 4.5.1. TEK ESP and AH Protocol-Specific Policy . . . . . . . 22 95 4.6. GSA Group Associated Policy . . . . . . . . . . . . . . . 23 96 4.6.1. ACTIVATION_TIME_DELAY/DEACTIVATION_TIME_DELAY . . . . 24 98 4.7. Key Download Payload . . . . . . . . . . . . . . . . . . 25 99 4.7.1. TEK Download Type . . . . . . . . . . . . . . . . . . 26 100 4.7.2. KEK Download Type . . . . . . . . . . . . . . . . . . 27 101 4.7.3. LKH Download Type . . . . . . . . . . . . . . . . . . 28 102 4.7.4. SID Download Type . . . . . . . . . . . . . . . . . . 32 103 4.8. Delete Payload . . . . . . . . . . . . . . . . . . . . . 33 104 4.9. Notify Payload . . . . . . . . . . . . . . . . . . . . . 33 105 4.10. Authentication Payload . . . . . . . . . . . . . . . . . 34 106 5. Security Considerations . . . . . . . . . . . . . . . . . . . 34 107 5.1. GSA registration and secure channel . . . . . . . . . . . 34 108 5.2. GSA maintenance channel . . . . . . . . . . . . . . . . . 34 109 5.2.1. Authentication/Authorization . . . . . . . . . . . . 34 110 5.2.2. Confidentiality . . . . . . . . . . . . . . . . . . . 35 111 5.2.3. Man-in-the-Middle Attack Protection . . . . . . . . . 35 112 5.2.4. Replay/Reflection Attack Protection . . . . . . . . . 35 113 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 35 114 6.1. New registries . . . . . . . . . . . . . . . . . . . . . 35 115 6.2. New payload and exchange types to existing IKEv2 registry 36 116 6.3. New Name spaces . . . . . . . . . . . . . . . . . . . . . 36 117 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 36 118 8. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 36 119 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 37 120 9.1. Normative References . . . . . . . . . . . . . . . . . . 37 121 9.2. Informative References . . . . . . . . . . . . . . . . . 37 122 Appendix A. Differences between G-IKEv2 and RFC 6407 . . . . . . 39 123 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 40 125 1. Introduction and Overview 127 This document presents a group key management protocol protected by 128 IKEv2. The data communications within the group are protected by a 129 key pushed to the group members (GMs) by the Group Controller/Key 130 Server (GCKS) using IKEv2 [RFC7296]. The GCKS pushes policy and keys 131 for the group to the GM after authenticating it using new payloads 132 included in a new exchange called GSA_AUTH (similar to the IKE_AUTH 133 exchange). This document references IKEv2 [RFC7296] but it intended 134 to be a separate document. GDOI update document [RFC6407] presented 135 GDOI using IKEv1 syntax. This document uses IKEv2 syntax. The 136 message semantics of IKEv2 are preserved, in that all communications 137 consists of message request-response pairs. The exception to this 138 rule are the rekeying messages, which are sent in multicast without a 139 response. A number of payloads were deemed unnecessary since 140 [RFC6407] are described in Appendix A 142 1.1. Requirements Language 144 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 145 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 146 document are to be interpreted as described in RFC 2119 [RFC2119]. 148 1.2. Why do we need another GSA protocol? 150 GDOI protocol specified in [RFC6407] is protected by IKEv1 phase1 151 security association defined in [RFC2407], [RFC2408] and [RFC2409]; 152 these documents are obsoleted and replaced by a new version of the 153 IKE protocol defined in RFC 7296. G-IKEv2 provides group key 154 management between the group member and group controller key server 155 using the new IKEv2 protocol and inherits the following key 156 advantages over GDOI: 158 1. Provide a simple mechanism for the responder to keep minimal 159 state and avoid DOS attack from forged IP address using cookie 160 challenge exchange. 162 2. Improve performance and network latency by the reduced number of 163 initial messages to complete the G-IKEv2 protocol from (10 164 messages in main mode and quick mode, 7 messages in aggressive 165 mode and quick) to 4 messages. 167 3. Fix cryptographic weakness with authentication HASH (ikev1 168 authentication HASH specified in RFC-2409 does not include all 169 ISAKMP payloads and does not include ISAKMP header). This issue 170 is documented at [IKE-HASH]. 172 4. Improve protocol reliability where all unicast messages are 173 acknowledged and sequenced. 175 5. Well defined behavior for error conditions to improve 176 interoperability. 178 1.3. G-IKEv2 Payloads 180 1. IDg (group ID) - The GM requests the GCKS for membership into the 181 group by sending its IDg payload. 183 2. GSA (Group Security Association) - The GCKS sends the group 184 policy to the GM using this payload. 186 3. KD (Key Download) - The GCKS sends the control and data keys to 187 the GM using the KD payload. 189 2. G-IKEv2 integration into IKEv2 protocol 191 The G-IKEv2 protocol provides the security mechanisms of IKEv2 (peer 192 authentication, confidentiality, message integrity) to protect the 193 group negotiations required for G-IKEv2. The G-IKEv2 exchange 194 further provides group authorization, and secure policy and key 195 download from the GCKS to its group members. 197 2.1. UDP port 199 G-IKEv2 SHOULD use port 848, the same as GDOI [RFC6407] , because 200 they serve a similar function, and can use the same ports, just as 201 IKEv1 and IKEv2 can share port 500. The version number in the IKEv2 202 header distinguishes the G-IKEv2 protocol from GDOI protocol 203 [RFC6407]. 205 3. G-IKEv2 Protocol 207 3.1. G-IKEv2 member registration and secure channel establishment 209 The registration protocol consists of minimum two exchanges 210 IKE_SA_INIT and GSA_AUTH; member registration may have a few more 211 messages exchanged if the EAP method, cookie challenge (for DoS) or 212 invalid KE are used. Each exchange consists of request/response 213 pairs. The first exchange IKE_SA_INIT is defined in IKEv2 [RFC7296]. 214 This exchange negotiates cryptographic algorithms, exchanges nonces 215 and does a Diffie-Hellman exchange between the member and the Group 216 Controller Key Server (GCKS). 218 The second exchange GSA_AUTH authenticates the previous messages, 219 exchange identities and certificates. These messages are encrypted 220 and integrity protected with keys established through the IKE_SA_INIT 221 exchange, so the identities are hidden from eavesdroppers and all 222 fields in all the messages are authenticated. The GCKS MAY authorize 223 group members to be allowed into the group as part of the GSA_AUTH 224 exchange. Once the GCKS accepted a group member to join a group it 225 may downloads the data security keys (TEKs) and/or group key 226 encrypting key (KEK) or KEK array as part of GSA_AUTH response 227 message. In the following descriptions, the payloads contained in 228 the message are indicated by names as listed below. 230 Notation Payload 231 ------------------------------------------------------------ 232 AUTH Authentication 233 CERT Certificate 234 CERTREQ Certificate Request 235 GSA Group Security Association 236 HDR IKEv2 Header 237 IDg Identification - Group 238 IDi Identification - Initiator 239 IDr Identification - Responder 240 KD Key Download 241 KE Key Exchange 242 Ni, Nr Nonce SA Security Association 244 The details of the contents of each payload are described in 245 Section 4. Payloads that may optionally appear will be shown in 246 brackets, such as [ CERTREQ ], indicate that optionally a certificate 247 request payload can be included. 249 3.1.1. GSA_AUTH exchange 251 After the group member and GCKS uses IKE_SA_INIT exchange to 252 negotiate cryptographic algorithms, exchange nonces, and perform a 253 Diffie-Hellman exchange as defined in IKEv2 [RFC7296], the GSA_AUTH 254 MUST complete before any other exchanges can be done. The security 255 properties of the GSA_AUTH exchange are the same as the properties of 256 the IKE_AUTH exchange. It is used to authenticate the IKE_SA_INIT 257 messages, exchange identities and certificates. G-IKEv2 also uses 258 this exchange for group member registration and optionally 259 authorization. GSA_AUTH does not include SA2, TSi, and TSr since 260 policy is not negotiated between group member and GCKS but downloaded 261 from the GCKS to the group member. 263 Initiator (Member) Responder (GCKS) 264 -------------------- ------------------ 265 HDR, SK { IDi, [CERT,] [CERTREQ, ] [IDr, ] AUTH, 266 IDg, [N ] } --> 268 After an unauthenticated secure channel is established by IKE_SA_INIT 269 exchange, the member initiates a registration request to join a group 270 indicated by the IDg payload. The GM MAY include the Notify payload 271 status type SENDER_ID_REQUEST to request SIDs for Counter-based 272 cipher from the GCKS. 274 <-- HDR, SK { IDr, [CERT, ] AUTH, [ GSA, KD, ] [D, ] } 276 Besides response with IDr, optional CERT, and AUTH material, the GCKS 277 MAY also informs the member the cryptographic policies of the group 278 in the GSA payload and key material in the KD payload. GCKS can also 279 include Delete payload instructing the group member to delete 280 existing SAs it might have as the result of a previous group member 281 registration. 283 In addition to the IKEv2 error handling, GCKS can reject the 284 registration request when IDg is invalid or authorization fail, etc. 285 In these cases, see Section 4.9, the GSA_AUTH response will include 286 notify indicate errors. The member MUST delete the registration IKE 287 SA. 289 Initiator (Member) Responder (GCKS) 290 -------------------- ------------------ 291 <-- HDR, SK { N } 293 When the group member found the policy sent by the GCKS is 294 unacceptable, the member SHOULD send an IKEv2 delete using the 295 INFORMATION message exchange to bring down the authenticated IKE SA. 297 3.1.2. GSA_REGISTRATION Exchange 299 When a secure channel is already established between GM and KS, the 300 GM registration for a group can reuse the established secure channel. 301 In this scenario the GM will use the GSA_REGISTRATION exchange by 302 including the desired group ID (IDg) to request data security keys 303 (TEKs) and/or group key encrypting keys (KEKs) from the GCKS. The GM 304 MAY also include the Notify payload status type SENDER_ID_REQUEST to 305 request SIDs for Counter-based cipher from the GCKS. 307 Initiator (Member) Responder (GCKS) 308 -------------------- ------------------ 309 HDR, SK {IDg, [N ] } --> 311 <-- HDR, SK { GSA, KD, [D ] } 313 This exchange can also be used when the group member found the policy 314 sent by the GCKS is unacceptable. The group member can notify the 315 GCKS by sending IDg and the NOTIFY type NO_PROPOSAL_CHOSEN as shown 316 below. The GCKS MUST unregister the group member. 318 Initiator (Member) Responder (GCKS) 319 -------------------- ------------------ 320 HDR, SK {IDg [N,]} --> 322 <-- HDR, SK {} 324 3.1.3. IKEv2 Header Initialization 326 The Major Version is (2) and Minor Version number is (0) according to 327 IKEv2 [RFC7296], and maintained in this document. The G-IKEv2 328 IKE_SA_INIT, GSA_AUTH and GSA_REGISTRATION use the IKE SPI according 329 to IKEv2 [RFC7296], section 2.6. 331 3.1.4. GM Registration Operations 333 A G-IKEv2 Initiator (GM) requesting registration contacts the GCKS 334 using the IKE_SA_INIT exchange and receives the response from the 335 GCKS. This exchange is unchanged from the IKE_SA_INIT in IKEv2 336 protocol. 338 Upon completion of parsing and verifying the IKE_SA_INIT response, 339 the GM sends the GSA_AUTH message with the IKEv2 payloads from 340 IKE_AUTH (without the SAi2, TSi and TSr) along with the Group ID 341 informing the GCKS of the group the initiator wishes to join. The 342 initiator MAY specify how many Sender-ID values it would like to 343 receive in the Notify payload status type SENDER_ID_REQUEST in case 344 the Data Security SA supports a counter mode cipher [section 3.2]. 346 Upon receiving the GSA_AUTH, the initiator then parses the response 347 from the GCKS authenticating the exchange using the IKEv2 method, 348 then processing the GSA, and KD. 350 The GSA payload contains the security protocol and cryptographic 351 protocols used by the group. This policy describes the Rekey SA 352 (KEK), if present, Data-security SAs (TEK), and other group policy 353 (GAP). If the policy in the GSA payload is not acceptable to the GM, 354 it SHOULD tear down the session after notifying the GCKS. Finally 355 the KD is parsed providing the keying material for the TEK and/or 356 KEK. The GM interprets the KD key packets, where each key packet 357 includes the keying material for SAs distributed in the GSA payload. 358 Keying material is matched by comparing the SPIs in the key packets 359 to SPIs previously included in the GSA payloads. Once TEK keys and 360 policy are matched, the GM provides them to the data security 361 subsystem, and it is ready to send or receive packets matching the 362 TEK policy. 364 The GSA KEK policy MUST include KEK attribute KEK_MESSAGE_ID with a 365 message id. The message id in the KEK_MESSAGE_ID attribute MUST be 366 checked against any previously received message id for this group. 367 If it is less than the previously received number, it should be 368 considered stale and ignored. This could happen if two GSA_AUTH 369 exchanges happened in parallel, and the message id changed. This 370 KEK_MESSAGE_ID is used by the GM to prevent GSA_REKEY message replay 371 attacks. The first GSA_REKEY message that the GM receives from the 372 GCKS has to have message id greater or equal to the message id 373 received in the KEK_MESSAGE_ID attribute. 375 3.1.5. GCKS Registration Operations 377 A G-IKEv2 GCKS passively listens for incoming requests from group 378 members. The GCKS receives the IKE_SA_INIT request, select the IKE 379 proposal, generates nonce and DH to include them in the IKE_SA_INIT 380 response. 382 Upon receiving the GSA_AUTH request, and after authentication the 383 group member using the same properties as IKEv2, the GCKS locates the 384 group the GM wishes to join, extracts the policy for that group. If 385 the GCKS policy desires authorization, the GCKS authorizes the group 386 member against the specified credentials before preparing to send 387 GSA_AUTH response. The GSA_AUTH response MAY include group policy in 388 GSA payload and keys in the KD payload. If the GCKS policy includes 389 a group rekey option, this policy is constructed in the GSA KEK and 390 the key is constructed in the KD KEK. The GSA KEK MUST include 391 attribute KEK_MESSAGE_ID specifying the starting message id the GCKS 392 will be using when sending the GSA_REKEY message to the group member. 393 This message id is used to prevent replay attacks of the GSA_REKEY 394 message and will be increasing each time a GSA_REKEY message is sent 395 to the group. The GCKS data traffic policy is included in the GSA 396 TEK and keys are included in KD TEK. GSA GAP MAY also be included to 397 provide the ATD and/or DTD [section 4.6.1] specifying activation and 398 deactivation delays for SAs generated from the TEKs. If one or more 399 Data Security SAs distributed in the GSA payload included a counter 400 mode of operation, the GCKS includes at least one SID value in the KD 401 payload, and possibly more depending on the request received in the 402 NOTIFY payload status type SENDER_ID_REQUEST requesting the number of 403 SIDs from the group member. 405 If the GCKS receives a GSA_REGISTRATION exchange with a request to 406 register a GM to a group, the GCKS will need to authorize the GM with 407 the new group (IDg) and respond with corresponding group policy and 408 keys. If the GCKS fails to authorize the GM, it will respond with 409 the AUTHORIZATION_FAILED notify message. 411 3.2. Counter-based modes of operation 413 Several new counter-based modes of operation have been specified for 414 ESP (e.g., AES-CTR [RFC3686], AES-GCM [RFC4106], AES-CCM [RFC4309], 415 AES-GMAC [RFC4543]) and AH (e.g., AES-GMAC [RFC4543]). These 416 counter-based modes require that no two senders in the group ever 417 send a packet with the same Initialization Vector (IV) using the same 418 cipher key and mode. This requirement is met in G-IKEv2 when the 419 following requirements are met: 421 o The GCKS distributes a unique key for each Data-Security SA. 423 o The GCKS uses the method described in [RFC6054], which assigns each 424 sender a portion of the IV space by provisioning each sender with one 425 or more unique SID values. 427 When at least one Data-Security SA included in the group policy 428 includes a counter-mode, the GCKS automatically allocates and 429 distributes one SID to each group member acting in the role of sender 430 on the Data-Security SA. The SID value is used exclusively by the 431 group member to which it was allocated. The group member uses the 432 same SID for each Data-Security SA specifying the use of a counter- 433 based mode of operation. A GCKS MUST distribute unique keys for each 434 Data-Security SA including a counter-based mode of operation in order 435 to maintain a unique key and nonce usage. 437 During registration, the group member can choose to request one or 438 more SID values. Requesting a value of 1 is not necessary since the 439 GCKS will automatically allocate exactly one to the sending group 440 member. A group member MUST request as many SIDs matching the number 441 of encryption modules in which it will be installing the TEKs in the 442 outbound direction. Alternatively, a group member MAY request more 443 than one SID and use them serially. This could be useful when it is 444 anticipated that the group member will exhaust their range of Data- 445 Security SA nonces using a single SID too quickly (e.g., before the 446 time-based policy in the TEK expires). 448 When group policy includes a counter-based mode of operation, a GCKS 449 SHOULD use the following method to allocate SID values, which ensures 450 that each SID will be allocated to just one group member. 452 1. A GCKS maintains an SID-counter, which records the SIDs that have 453 been allocated. SIDs are allocated sequentially, with the first SID 454 allocated to be zero. 456 2. Each time an SID is allocated, the current value of the counter 457 is saved and allocated to the group member. The SID-counter is then 458 incremented in preparation for the next allocation. 460 3. When the GCKS specifies a counter-based mode of operation in the 461 Data Security SA, and a group member is a sender, a group member may 462 request a count of SIDs during registration in a NOTIFY payload 463 information type SEND_ID_REQUEST. When the GCKS receives this 464 request, it increments the SID- counter once for each requested SID, 465 and distributes each SID value to the group member. 467 4. A GCKS allocates new SID values for each GSA_REGISTRATION 468 exchange originated by a sender, regardless of whether a group member 469 had previously contacted the GCKS. In this way, the GCKS does not 470 have a requirement of maintaining a record of which SID values it had 471 previously allocated to each group member. More importantly, since 472 the GCKS cannot reliably detect whether the group member had sent 473 data on the current group Data-Security SAs it does not know what 474 Data-Security counter-mode nonce values that a group member has used. 475 By distributing new SID values, the key server ensures that each time 476 a conforming group member installs a Data- Security SA it will use a 477 unique set of counter-based mode nonces. 479 5. When the SID-counter maintained by the GCKS reaches its final SID 480 value, no more SID values can be distributed. Before distributing 481 any new SID values, the GCKS MUST delete the Data- Security SAs for 482 the group, followed by creation of new Data- Security SAs, and 483 resetting the SID-counter to its initial value. 485 6. The GCKS SHOULD send a GSA_REKEY message deleting all Data- 486 Security SAs and the Rekey SA for the group. This will result in the 487 group members initiating a new GSA_REGISTRATION exchange, in which 488 they will receive both new SID values and new Data-Security SAs. The 489 new SID values can safely be used because they are only used with the 490 new Data-Security SAs. Note that deletion of the Rekey SA is 491 necessary to ensure that group members receiving a GSA_REKEY exchange 492 before the re-register do not inadvertently use their old SIDs with 493 the new Data-Security SAs. Using the method above, at no time can 494 two group members use the same IV values with the same Data-Security 495 SA key. 497 3.3. G-IKEv2 group maintenance channel 499 The GCKS indicates that it will be delivering group rekey messages 500 when the KEK policy and keys are present in the G-IKEv2 GSA and KD 501 payloads. Though the G-IKEv2 Rekey is optional, it plays a crucial 502 role for large and dynamic groups. The GCKS is responsible for 503 rekeying of the secure group per the group policy. The GCKS uses 504 multicast to transport the rekey message. The G-IKEv2 protocol uses 505 GSA_REKEY exchange type in G-IKEv2 header identifying it as a rekey 506 message. This rekey message is protected by the registration 507 exchanges. 509 3.3.1. G-IKEv2 GSA_REKEY exchange 511 The GCKS initiates the G-IKEv2 Rekey securely using IP multicast. 512 Since multicast rekey does not require a response and it sends to 513 multiple GMs, G-IKEv2 rekeying MUST NOT support windowing. The GCKS 514 rekey message replaces the rekey GSA KEK or KEK array, and/or creates 515 a new Data-Security GSA TEK. The SID Download attribute in the Key 516 Download payload (defined in Section 4.7.4) MUST NOT be part of the 517 Rekey Exchange as this is sender specific information and the Rekey 518 Exchange is group specific. The GCKS initiates the GSA_REKEY 519 exchange as following: 521 Members (Responder) GCKS (Initiator) 522 -------------------- ------------------ 523 <-- HDR, SK { GSA, KD, [D,] AUTH } 525 HDR is defined in Section 4.1. The message id in this message will 526 start with the same value the GCKS sent to group member in the KEK 527 attribute KEK_MESSAGE_ID during registration; this message id will be 528 increasing each time a new GSA_REKEY message is sent to the group 529 members. 531 The GSA payload contains the current rekey and data security SAs. 532 The GSA may contain a new data security SA and/or a new rekey SA, 533 which, optionally contains an LKH rekey SA, Section 4.3. 535 The KD represents the keys for the policy included in the GSA. If 536 the data security SA is being refreshed in this rekey message, the 537 IPsec keys are updated in the KD, and/or if the rekey SA is being 538 refreshed in this rekey message, the rekey Key or the LKH KEK array 539 is updated in the KD payload. 541 The Delete payload is included to instruct the GM to delete existing 542 SAs. 544 The AUTH payload is included to authenticate GSA_REKEY message using 545 a method defined in the IKEv2 Authentication Method IANA registry 546 [IKEV2-IANA]. The method SHOULD be a digital signature 547 authentication scheme to ensure that the message was originated from 548 an authorized GCKS. Shared Key Integrity Code SHOULD NOT be used as 549 it doesn't provide source origin authentication (although a small 550 group may not require source origin authentication). During group 551 member registration, the GCKS sends the authentication key in the 552 GSAK payload KEK_AUTH_KEY attribute, which the group member uses to 553 authenticate the key server. Before the current Authentication Key 554 expires, GCKS will send a new KEK_AUTH_KEY to its group member in 555 GSA_REKEY message. The AUTH key that is used in the rekey message 556 may not be the same as the authentication key used in GSA_AUTH. 557 Typically rekey message is sent as multicast and receive by all group 558 members, the same AUTH key is distributed to all group members. 560 After adding the AUTH payload to the rekey message, the current KEK 561 encryption key encrypts all payloads following the HDR. 563 3.3.2. Forward and Backward Access Control 565 Through G-IKEv2 rekey, the G-IKEv2 supports algorithms such as LKH 566 that have the property of denying access to a new group key by a 567 member removed from the group (forward access control) and to an old 568 group key by a member added to the group (backward access control). 569 An unrelated notion to PFS, "forward access control" and "backward 570 access control" have been called "perfect forward security" and 571 "perfect backward security" in the literature [RFC2627]. 573 Group management algorithms providing forward and backward access 574 control other than LKH have been proposed in the literature, 575 including OFT [OFT] and Subset Difference [NNL]. These algorithms 576 could be used with G-IKEv2, but are not specified as a part of this 577 document. 579 Support for group management algorithms is supported via the 580 KEY_MANAGEMENT_ALGORITHM attribute which is sent in the GSA KEK 581 policy. G-IKEv2 specifies one method by which LKH can be used for 582 forward and backward access control. Other methods of using LKH, as 583 well as other group management algorithms such as OFT or Subset 584 Difference may be added to G-IKEv2 as part of a later document. Any 585 such addition MUST be due to a Standards Action as defined in 586 [RFC5226]. 588 3.3.3. Forward Access Control Requirements 590 When group membership is altered using a group management algorithm 591 new GSA TEKs (and their associated keys) are usually also needed. 592 New GSAs and keys ensure that members who were denied access can no 593 longer participate in the group. 595 If forward access control is a desired property of the group, new GSA 596 TEKs and the associated key packets in the KD payload MUST NOT be 597 included in a G-IKEv2 rekey message which changes group membership. 598 This is required because the GSA TEK policy and the associated key 599 packets in the KD payload are not protected with the new KEK. A 600 second G-IKEv2 rekey message can deliver the new GSA TEKS and their 601 associated keys because it will be protected with the new KEK, and 602 thus will not be visible to the members who were denied access. 604 If forward access control policy for the group includes keeping group 605 policy changes from members that are denied access to the group, then 606 two sequential G-IKEv2 rekey messages changing the group KEK MUST be 607 sent by the GCKS. The first G-IKEv2 rekey message creates a new KEK 608 for the group. Group members, which are denied access, will not be 609 able to access the new KEK, but will see the group policy since the 610 G-IKEv2 rekey message is protected under the current KEK. A 611 subsequent G-IKEv2 rekey message containing the changed group policy 612 and again changing the KEK allows complete forward access control. A 613 G-IKEv2 rekey message MUST NOT change the policy without creating a 614 new KEK. 616 If other methods of using LKH or other group management algorithms 617 are added to G-IKEv2, those methods MAY remove the above restrictions 618 requiring multiple G-IKEv2 rekey messages, providing those methods 619 specify how forward access control policy is maintained within a 620 single G-IKEv2 rekey message. 622 3.3.4. Deletion of SAs 624 There are occasions the GCKS may want to signal to receivers to 625 delete policy at the end of a broadcast, or if group policy has 626 changed. Deletion of keys MAY be accomplished by sending the G-IKEv2 627 Delete Payload [RFC7296], section 3.11 as part of the G-IKEv2 628 GSA_AUTH or GSA_REKEY Exchange. 630 When a policy delete is required the GCKS sends a rekey of the 631 following format: 633 Members (Responder) GCKS (Initiator) 634 -------------------- ------------------ 635 <-- HDR, SK { 636 [GSA ], [KD ], [D, ] AUTH } 638 The GSA MAY specify the remaining active time of the remaining policy 639 by using the DTD attribute in the GSA GAP. If a GCKS has no further 640 SAs to send to group members, the GSA and KD payloads MUST be omitted 641 from the message. There may be circumstances where the GCKS may want 642 to start over with a clean slate. If the administrator is no longer 643 confident in the integrity of the group, the GCKS can signal deletion 644 of all policy of a particular TEK protocol by sending a TEK with a 645 SPI value equal to zero in the delete payload. For example, if the 646 GCKS wishes to remove all the KEKs and all the TEKs in the group, the 647 GCKS SHOULD send a delete payload with a SPI of zero and a 648 protocol_id of a TEK protocol_id value defined in Section 4.5, 649 followed by another delete payload with a SPI of zero and protocol_id 650 of zero, indicating that the KEK SA should be deleted. 652 3.3.5. GSA_REKEY GCKS Operations 654 The GCKS may initiate a rekey message if group membership and/or 655 policy has changed, or if the keys are about to expire. The GCKS 656 builds the rekey message with value of the message id that is one 657 greater than the previous rekey. If the message is using a new KEK 658 attribute, the message id is reset to 1 in this message. The GSA and 659 KD follow with the same characteristics as in the GSA Registration 660 exchange. The AUTH payload is created by hashing the string 661 "G-IKEv2" and the message created so far, and then digitally signed. 662 Finally, the payloads following the HDR are encrypted using the 663 current KEK encryption key. 665 Because GSA_REKEY messages are not acknowledged and could be 666 discarded by the network, one or more GMs may not receive the 667 message. To mitigate such lost messages, during a rekey even the 668 GCKS SHOULD transmit several GSA_REKEY messages with the new policy. 669 A GCKS MUST NOT re-transmit the same GSA_REKEY message, because time- 670 to-live lifetimes in the message will be incorrect, resulting in GMs 671 with unsynchronized TEK and KEK lifetimes. 673 3.3.6. GSA_REKEY GM Operations 675 The group member receives the Rekey Message from the GCKS, decrypts 676 the message using the current KEK, validates the signature using the 677 public key retrieved in a previous G-IKEv2 exchange, verifies the 678 message id, and processes the GSA and KD payloads. The group member 679 then downloads the new data security SA and/or new Rekey GSA. The 680 parsing of the payloads is identical to the registration exchange. 682 Anti-replay protection is achieved when the group member rejects 683 GSA_REKEY message which has message id smaller than the current 684 message id that the GM is expecting. The GM expects the message id 685 in the first GSA_REKEY message it receives to be equal or greater 686 than the message id it receives in the KEK_MESSAGE_ID attribute. The 687 GM expects the message id in the subsequence GSA_REKEY message to be 688 greater than the last valid GSA_REKEY message it received. 690 If the SA payload includes Data-Security SA including a counter-modes 691 of operation and the receiving group member is a sender for that SA, 692 the group member uses its current SID value with the Data-Security 693 SAs to create counter-mode nonces. If it is a sender and does not 694 hold a current SID value, it MUST NOT install the Data-Security SAs. 695 It MAY initiate a GSA_REGISTRATION exchange to the GCKS in order to 696 obtain an SID value (along with current group policy). 698 If the GM receives a notification that a Data-Security SA is about to 699 expire (such as a "soft lifetime" expiration described in 700 Section 4.4.2.1 of [RFC4301]), it SHOULD initiate a registration to 701 the GCKS. This registration serves as a request for current SAs, and 702 will result in the download of replacement SAs, assuming the GCKS 703 policy has created them. 705 4. Header and Payload Formats 707 Refer to IKEv2 [RFC7296] for existing payloads. 709 4.1. The G-IKEv2 Header 711 G-IKEv2 uses the same IKE header format as specified in RFC 7296 712 section 3.1. 714 Several new payload formats are required in the group security 715 exchanges. 717 Next Payload Type Value 718 ----------------- ----- 719 Group Identification (IDg) 50 720 Group Security Association (GSA) 51 721 Key Download (KD) 52 723 New exchange types GSA_AUTH, GSA_REGISTRATION and GSA_REKEY are added 724 to the IKEv2 [RFC7296] protocol. 726 Exchange Type Value 727 -------------- ----- 728 GSA_AUTH 39 729 GSA_REGISTRATION 40 730 GSA_REKEY 41 732 Major Version is 2 and Minor Version is 0 as in IKEv2 [RFC7296]. IKE 733 SA initiator SPI, IKE SA responder SPI, Flags, Message Id are as 734 specified in [RFC7296]. 736 4.2. Group Identification (IDg) Payload 738 The IDg Payload allows the group member to indicate which group it 739 wants to join. The payload is constructed by using the IKEv2 740 [RFC7296] Identification Payload. ID type ID_KEY_ID MUST be 741 supported. ID types ID_IPV4_ADDR, ID_FQDN, ID_RFC822_ADDR, 742 ID_IPV6_ADDR SHOULD be supported. ID types ID_DER_ASN1_DN and 743 ID_DER_ASN1_GN are not expected to be used. 745 4.3. Group Security Association Payload 747 The Group Security Association payload is used by the GCKS to assert 748 security attributes for both Rekey and Data-security SAs. 750 0 1 2 3 751 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 752 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 753 | Next Payload |C| RESERVED | Payload Length | 754 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 756 The Security Association Payload fields are defined as follows: 758 o Next Payload (1 octet) -- Identifies the next payload type for the 759 G-IKEv2 registration or the G-IKEv2 rekey message. 761 o Critical (1 bit) -- Set according to [RFC7296]. 763 o RESERVED (7 bits) -- Must be zero. 765 o Payload Length (2 octets) -- Is the octet length of the current 766 payload including the generic header and all TEK and KEK policies. 768 4.3.1. GSA policy 770 Following GSA generic payload header are GSA policies for group 771 rekeying (KEK) and/or data traffic SAs (TEK). There may be zero or 772 one GSA KEK policy, zero or more GAP policy, and zero or more GSA TEK 773 policies, where either one GSA KEK or GSA TEK payload MUST be 774 present. 776 This latitude allows various group policies to be accommodated. For 777 example if the group policy does not require the use of a Rekey SA, 778 the GCKS would not need to send an GSA KEK attribute to the group 779 member since all SA updates would be performed using the Registration 780 SA. Alternatively, group policy might use a Rekey SA but choose to 781 download a KEK to the group member only as part of the Registration 782 SA. Therefore, the GSA KEK policy would not be necessary as part of 783 the GSA_REKEY message. 785 Specifying multiple GSA TEKs allows multiple sessions to be part of 786 the same group and multiple streams to be associated with a session 787 (e.g., video, audio, and text) but each with individual security 788 association policy. 790 A GAP payload allows for the distribution of group-wise policy, such 791 as instructions as to when to activate and de-activate SAs. 793 Policies following the GSA payload has common header 794 0 1 2 3 795 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 797 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 798 ! Type ! RESERVED ! Length ! 799 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! 801 Type is defined as follow: 803 0 - RESERVED 804 1 - KEK 805 2 - GAP 806 3 - TEK 807 4-240 - RESERVED 808 241-255 - private and experimental 810 4.4. KEK Policy 812 The GSA KEK (GSAK) policy contains security attributes for the KEK 813 method for a group and parameters specific to the G-IKEv2 814 registration operation. The source and destination traffic selectors 815 describe the identities used for the G-IKEv2 registration datagram. 817 0 1 2 3 818 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 819 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! 820 ! Type ! RESERVED ! Length ! 821 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! 822 ! ! 823 ~ SPI ~ 824 ! ! 825 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! 826 ! ! 827 ~ ~ 828 ! ! 829 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! 830 ! ! 831 ~ ~ 832 ! ! 833 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! 834 ~ KEK Attributes ~ 835 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! 837 The GSAK Payload fields are defined as follows: 839 o Type (1 octet) -- Identifies the GSA payload type KEK present in 840 the G-IKEv2 registration or the G-IKEv2 rekey message. 842 o RESERVED (1 octet) -- Must be zero. 844 o Length (2 octets) -- Length of this structure including KEK 845 attributes. 847 o SPI (16 octets) -- Security Parameter Index for the KEK. The SPI 848 must be the IKEv2 Header SPI pair where the first 8 octets become 849 the "Initiator's SPI" field of the G-IKEv2 rekey message IKEv2 850 HDR, and the second 8 octets become the "Responder's SPI" in the 851 same HDR. As described above, these SPIs are assigned by the 852 GCKS. 854 o Source & Destination Traffic Selectors - Substructures describing 855 the source and destination of the identities. These identities 856 refer to the source and destination of the next KEK rekey SA. 857 Defined format and values are specified by IKEv2 [RFC7296], 858 section 3.13.1. 860 o KEK Attributes -- Contains KEK policy attributes associated with 861 the group. The following sections describe the possible 862 attributes. Any or all attributes may be optional, depending on 863 the group policy. 865 4.4.1. KEK Attributes 867 The following attributes may be present in a GSA KEK policy. The 868 attributes must follow the format defined in IKEv2 [RFC7296] section 869 3.3.5. In the table, attributes that are defined as TV are marked as 870 Basic (B); attributes that are defined as TLV are marked as Variable 871 (V). 873 ID Class Value Type 874 -------- ----- ---- 875 RESERVED 0 876 KEK_MANAGEMENT_ALGORITHM 1 B 877 KEK_ENCR_ALGORITHM 2 B 878 KEK_KEY_LENGTH 3 B 879 KEK_KEY_LIFETIME 4 V 880 KEK_INTEGRITY_ALGORITHM 5 B 881 KEK_AUTH_METHOD 6 B 882 KEK_AUTH_HASH 7 B 883 KEK_MESSAGE_ID 8 V 885 The following attributes may only be included in a G-IKEv2 886 registration message: KEK_MANAGEMENT_ALGORITHM. 888 Minimum attributes that must be sent as part of an GSA KEK: 889 KEK_ENCR_ALGORITHM, KEK_KEY_LENGTH (if the cipher definition includes 890 a variable length key), KEK_MESSAGE_ID, KEK_KEY_LIFETIME, 891 KEK_INTEGRITY_ALGORITHM, KEK_AUTH_METHOD and KEK_AUTH_HASH (except 892 for DSA based algorithms). 894 4.4.2. KEK_MANAGEMENT_ALGORITHM 896 The KEK_MANAGEMENT_ALGORITHM class specifies the group KEK management 897 algorithm used to provide forward or backward access control (i.e., 898 used to exclude group members). Defined values are specified in the 899 following table. 901 KEK Management Type Value 902 ------------------- ----- 903 RESERVED 0 904 LKH 1 905 Expert Review 2-127 906 Private Use 128-255 908 4.4.3. KEK_ENCR_ALGORITHM 910 The KEK_ENCR_ALGORITHM class specifies the encryption algorithm using 911 with the KEK. This is the same as IKEv2 encryption algorithm defined 912 in [RFC7296] section 3.3.2. If a KEK_MANAGEMENT_ALGORITHM is defined 913 which defines multiple keys (e.g., LKH), and if the management 914 algorithm does not specify the algorithm for those keys, then the 915 algorithm defined by the KEK_ENCR_ALGORITHM attribute MUST be used 916 for all keys which are included as part of the management. 918 4.4.4. KEK_KEY_LENGTH 920 The KEK_KEY_LENGTH class specifies the KEK Algorithm key length (in 921 bits). 923 The Group Controller/Key Server (GCKS) adds the KEK_KEY_LENGTH 924 attribute to the GSA payload when distributing KEK policy to group 925 members. The group member verifies whether or not it has the 926 capability of using a cipher key of that size. If the cipher 927 definition includes a fixed key length, the group member can make its 928 decision solely using KEK_ENCR_ALGORITHM attribute and does not need 929 the KEK_KEY_LENGTH attribute. Sending the KEK_KEY_LENGTH attribute 930 in the GSA payload is OPTIONAL if the KEK cipher has a fixed key 931 length. 933 4.4.5. KEK_KEY_LIFETIME 935 The KEK_KEY_LIFETIME class specifies the maximum time for which the 936 KEK is valid. The GCKS may refresh the KEK at any time before the 937 end of the valid period. The value is a four (4) octet number 938 defining a valid time period in seconds. 940 4.4.6. KEK_INTEGRITY_ALGORITHM 942 KEK_INTEGRITY specifies the integrity algorithm. This integrity 943 algorithm is specified in IKEv2 RFC 7296 section 3.3.2. 945 4.4.7. KEK_AUTH_METHOD 947 KEK_AUTH_METHOD specifies the method of authentication used. This is 948 the same as IKEv2 Auth Method specified in IKEv2 RFC 7296 section 3.8 950 4.4.8. KEK_AUTH_HASH 952 KEK_AUTH_HASH specifies the hash algorithm uses to generate AUTH key 953 to authenticate GSA_REKEY message. Hash algorithms are defined in 954 IANA registry IKEv2 Hash Algorithms [IKEV2-IANA]. This attribute can 955 be used by group member to determine in advance if it support the 956 algorithm used in the rekey message. 958 4.4.9. KEK_MESSAGE_ID 960 KEK_MESSAGE_ID define the start message id to be used by the GCKS in 961 the GSA_REKEY message. Message ID is 4 octets unsigned integer in 962 network byte order. 964 4.5. GSA TEK Policy 966 The GSA TEK (GSAT) policy contains security attributes for a single 967 TEK associated with a group. 969 0 1 2 3 970 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 971 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! 972 ! Type ! RESERVED ! Length ! 973 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! 974 ! Protocol-ID ! TEK Protocol-Specific Payload ! 975 +-+-+-+-+-+-+-+-+ ~ 976 ~ ! 977 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! 979 The GSAT Payload fields are defined as follows: 981 o Type (1 octet) -- Identifies the GSA payload type TEK present in 982 the G-IKEv2 registration or the G-IKEv2 rekey message. 984 o RESERVED (1 octet) -- Must be zero. 986 o Length (2 octets) -- Length of this structure, including the TEK 987 Protocol-Specific Payload. 989 o Protocol-ID (1 octet) -- Value specifying the Security Protocol. 990 The following table defines values for the Security Protocol 992 Protocol ID Value 993 ----------- ----- 994 RESERVED 0 995 GSA_PROTO_IPSEC_ESP 1 996 GSA_PROTO_IPSEC_AH 2 997 Expert Review 3-127 998 Private Use 128-255 1000 Support for the GSA_PROTO_IPSEC_AH GSA TEK is OPTIONAL. 1002 o TEK Protocol-Specific Payload (variable) -- Payload which 1003 describes the attributes specific for the Protocol-ID. 1005 4.5.1. TEK ESP and AH Protocol-Specific Policy 1007 The TEK Protocol-Specific policy contains of two traffic selectors 1008 for source and destination of the protecting traffic, SPI, Transform, 1009 and Attributes. 1011 The TEK Protocol-Specific policy for ESP is as follows: 1013 0 1 2 3 1014 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1015 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1016 ! SPI ! 1017 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! 1018 | | 1019 ~ ~ 1020 | | 1021 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1022 | | 1023 ~ | 1024 | | 1025 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! 1026 | | 1027 ~ ~ 1028 | | 1029 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! 1030 ! TEK Attributes ~ 1031 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! 1033 The GSAT Policy fields are defined as follows: 1035 o SPI (4 octets) -- Security Parameter Index. 1037 o Source & Destination Traffic Selectors - The traffic selectors 1038 describe the source and the destination of the protecting traffic. 1039 The format and values are defined in IKEv2 [RFC7296], section 1040 3.13.1. 1042 o Transform List -- A list of Transform Substructures specifies the 1043 transform information. The format and values are defined in IKEv2 1044 [RFC7296], section 3.3.2. Valid Transform Types for ESP are ENCR, 1045 INTEG, and ESN. Valid Transform Types for AH are INTEG and ESN. 1047 o TEK Attributes -- Contains TEK policy attributes associated with 1048 the group, in the format defined in Section 3.3.5 of [RFC7296]. 1049 All attributes are optional, depending on the group policy. 1051 Attribute Types 1053 class value type 1054 -------------------------------------- 1055 Life Duration 1 V 1057 Specifies the time-to-live for the overall security 1058 association. When the TEK expires, the AH or ESP 1059 security association and all keys downloaded under the 1060 security association are discarded. 1062 The life duration attribute defines the actual length 1063 of the component lifetime in seconds that can be 1064 protected. 1066 If unspecified, the default value shall be assumed to be 1067 28800 seconds (8 hours). 1069 Mode 2 B 1070 In the absence of this attribute tunnel mode will be 1071 used. Value of 1 is used for transport mode. 1073 4.6. GSA Group Associated Policy 1075 Group specific policy that does not belong to rekey policy (GSA KEK) 1076 or traffic encryption policy (GSA TEK) can be distributed to all 1077 group member using GSA GAP (Group Associated Policy). 1079 The GSA GAP payload is defined as follows: 1081 0 1 2 3 1082 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1083 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! 1084 ! Type ! RESERVED ! Length ! 1085 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! 1086 ! Group Associated Policy Attributes ~ 1087 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! 1089 The GSA GAP payload fields are defined as follows: 1091 o Type (1 octet) -- Identifies the GSA payload type GAP present in 1092 the G-IKEv2 registration or the G-IKEv2 rekey message. 1094 o RESERVED (1 octet) -- Must be zero. 1096 o Length (2 octets) -- Length of this structure, including the GSA 1097 GAP header and Attributes. 1099 o Group Associated Policy Attributes (variable) -- Contains 1100 attributes following the format defined in Section 3.3.5 of 1101 [RFC7296]. 1103 Attribute Types: 1105 Attribute Type Value Type 1106 -------------- ----- ---- 1107 RESERVED 0 1108 ACTIVATION_TIME_DELAY 1 B 1109 DEACTIVATION_TIME_DELAY 2 B 1110 Unassigned 3-127 1111 Private Use 128-255 1112 Unassigned 256-32767 1114 Several group associated policy attributes are defined below. A 1115 G-IKEv2 implementation MUST abort if it encounters an attribute or 1116 capability that it does not understand. 1118 4.6.1. ACTIVATION_TIME_DELAY/DEACTIVATION_TIME_DELAY 1120 Section 4.2.1 of RFC 5374 specifies a key rollover method that 1121 requires two values be given it from the group key management 1122 protocol. The ACTIVATION_TIME_DELAY attribute allows a GCKS to set 1123 the Activation Time Delay (ATD) for SAs generated from TEKs. The ATD 1124 defines how long after receiving new SAs that they are to be 1125 activated by the GM. The ATD value is in seconds. 1127 The DEACTIVATION_TIME_DELAY allows the GCKS to set the Deactivation 1128 Time Delay (DTD) for previously distributed SAs. The DTD defines how 1129 long after receiving new SAs that it should deactivate SAs that are 1130 destroyed by the rekey event. The value is in seconds. 1132 The values of ATD and DTD are independent. However, the DTD value 1133 should be larger, which allows new SAs to be activated before older 1134 SAs are deactivated. Such a policy ensures that protected group 1135 traffic will always flow without interruption. 1137 4.7. Key Download Payload 1139 The Key Download Payload contains group keys for the group specified 1140 in the GSA Payload. These key download payloads can have several 1141 security attributes applied to them based upon the security policy of 1142 the group as defined by the associated GSA Payload. 1144 0 1 2 3 1145 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1146 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1147 | Next Payload |C| RESERVED | Length | 1148 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1149 | Number of Key Packets | RESERVED2 | 1150 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! 1151 ~ Key Packets ~ 1152 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1154 The Key Download Payload fields are defined as follows: 1156 o Next Payload (1 octet) -- Identifier for the payload type of the 1157 next payload in the message. If the current payload is the last 1158 in the message, then this field will be zero. 1160 o Critical (1 bit) -- Set according to [RFC7296]. 1162 o RESERVED (7 bits) -- Unused, set to zero. 1164 o Payload Length (2 octets) -- Length in octets of the current 1165 payload, including the generic payload header. 1167 o Number of Key Packets (2 octets) -- Contains the total number of 1168 both TEK and Rekey arrays being passed in this data block. 1170 o Key Packets Several types of key packets are defined. Each Key 1171 Packet has the following format. 1173 0 1 2 3 1174 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1175 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1176 | KD Type | RESERVED | KD Length | 1177 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1178 | SPI Size | SPI (variable) ~ 1179 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1180 ~ Key Packet Attributes ~ 1181 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1183 o Key Download (KD) Type (1 octet) -- Identifier for the Key Data 1184 field of this Key Packet. 1186 Key Download Type Value 1187 ----------------- ----- 1188 RESERVED 0 1189 TEK 1 1190 KEK 2 1191 LKH 3 1192 SID 4 1193 Expert Review 5-127 1194 Private Use 128-255 1196 "KEK" is a single key whereas LKH is an array of key-encrypting keys. 1198 o RESERVED (1 octet) -- Unused, set to zero. 1200 o Key Download Length (2 octets) -- Length in octets of the Key 1201 Packet data, including the Key Packet header. 1203 o SPI Size (1 octet) -- Value specifying the length in octets of the 1204 SPI as defined by the Protocol-Id. 1206 o SPI (variable length) -- Security Parameter Index which matches a 1207 SPI previously sent in an GSAK or GSAT Payload. 1209 o Key Packet Attributes (variable length) -- Contains Key 1210 information. The format of this field is specific to the value of 1211 the KD Type field. The following sections describe the format of 1212 each KD Type. 1214 4.7.1. TEK Download Type 1216 The following attributes may be present in a TEK Download Type. 1217 Exactly one attribute matching each type sent in the GSAT payload 1218 MUST be present. The attributes must follow the format defined in 1219 IKEv2 (Section 3.3.5 of [RFC7296]). In the table, attributes defined 1220 as TV are marked as Basic (B); attributes defined as TLV are marked 1221 as Variable (V). 1223 TEK Class Value Type 1224 --------- ----- ---- 1225 RESERVED 0 1226 TEK_ALGORITHM_KEY 1 V 1227 TEK_INTEGRITY_KEY 2 V 1229 It is possible that the GCKS will send no TEK key packets in a 1230 Registration KD payload (as well as no corresponding GSAT payloads in 1231 the GSA payload), after which the TEK payloads will be sent in a 1232 rekey message. At least one TEK MUST be included in each Rekey KD 1233 payload. Multiple TEKs MAY be included if multiple streams 1234 associated with the SA are to be rekeyed. 1236 4.7.1.1. TEK_ALGORITHM_KEY 1238 The TEK_ALGORITHM_KEY class contains encryption keying material for 1239 this SPI. This keying material will be used with the encryption 1240 algorithm specified in the GSAT payload, and according to the IPsec 1241 transform describing that encryption algorithm. The keying material 1242 is treated equivalent to IKEv2 KEYMAT derived for that IPsec 1243 transform. If the encryption algorithm requires a nonce (e.g., AES- 1244 GCM), the nonce is chosen as shown in Section 3.2. 1246 4.7.1.2. TEK_INTEGRITY_KEY 1248 The TEK_INTEGRITY_KEY class declares that the integrity key for this 1249 SPI is contained as the Key Packet Attribute. The integrity 1250 algorithm that will use this key was specified in the GSAT payload. 1251 TEK integrity key type AUTH_HMAC_SHA1_96 keys will consist of 160 1252 bits [RFC2404], and AUTH_HMAC_MD5_96 keys will consist of 128 bits 1253 [RFC2403]. AUTH_HMAC-SHA2_256_128 and AUTH_AES_128_GMAC keys will 1254 have a key length equal to the output length of the hash functions 1255 [RFC4868] [RFC4543]. Readers should refer to [IKEV2-IANA] for the 1256 latest values. 1258 4.7.2. KEK Download Type 1260 The following attributes may be present in a KEK Download Type. 1261 Exactly one attribute matching each type sent in the GSAK payload 1262 MUST be present. The attributes must follow the format defined in 1263 IKEv2 (Section 3.3.5 of [RFC7296]). In the table, attributes defined 1264 as TV are marked as Basic (B); attributes defined as TLV are marked 1265 as Variable (V). 1267 KEK Class Value Type 1268 --------- ----- ---- 1269 RESERVED 0 1270 KEK_ENCR_KEY 1 V 1271 KEK_INTEGRITY_KEY 2 V 1272 KEK_AUTH_KEY 3 V 1274 If the KEK key packet is included, there MUST be only one present in 1275 the KD payload. 1277 4.7.2.1. KEK_ENCR_KEY 1279 The KEK_ENCR_KEY class declares the encryption key for this SPI is 1280 contained in the Key Packet Attribute. The encryption algorithm that 1281 will use this key was specified in the GSAK payload. 1283 If the mode of operation for the algorithm requires an Initialization 1284 Vector (IV), an explicit IV MUST be included in the KEK_ALGORITHM_KEY 1285 before the actual key. 1287 4.7.2.2. KEK_INTEGRITY_KEY 1289 The KEK_INTEGRITY_KEY class declares the integrity key for this SPI 1290 is contained in the Key Packet Attribute. The integrity algorithm 1291 that will use this key was specified in the GSAK payload. 1293 4.7.2.3. KEK_AUTH_KEY 1295 The KEK_AUTH_KEY class declares that the authentication key for this 1296 SPI is contained in the Key Packet Attribute. The signature 1297 algorithm that will use this key was specified in the GSAK payload. 1298 RSA public key format is defined in RFC 3447, Section A.1.1. DSS 1299 public key format is defined in RFC 3270 Section 2.3.2. For ECDSA 1300 Public keys, use format described in RFC 5480 Section 2.2. 1302 4.7.3. LKH Download Type 1304 The LKH key packet is comprised of attributes representing different 1305 leaves in the LKH key tree. 1307 The following attributes are used to pass an LKH KEK array in the KD 1308 payload. The attributes must follow the format defined in IKEv2 1309 (Section 3.3.5 of [RFC7296]). In the table, attributes defined as TV 1310 are marked as Basic (B); attributes defined as TLV are marked as 1311 Variable (V). 1313 KEK Class Value Type 1314 --------- ----- ---- 1315 RESERVED 0 1316 LKH_DOWNLOAD_ARRAY 1 V 1317 LKH_UPDATE_ARRAY 2 V 1318 AUTH_ALGORITHM_KEY 3 V 1319 Expert Review 4-127 1320 Private Use 128-255 1322 If an LKH key packet is included in the KD payload, there MUST be 1323 only one present. 1325 4.7.3.1. LKH_DOWNLOAD_ARRAY 1327 This attribute is used to download a set of keys to a group member. 1328 It MUST NOT be included in a IKEv2 rekey message KD payload if the 1329 IKEv2 rekey is sent to more than one group member. If an 1330 LKH_DOWNLOAD_ARRAY attribute is included in a KD payload, there MUST 1331 be only one present. 1333 This attribute consists of a header block, followed by one or more 1334 LKH keys. 1336 0 1 2 3 1337 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1338 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1339 ! LKH Version ! # of LKH Keys ! RESERVED ! 1340 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1341 ! LKH Keys ! 1342 ~ ~ 1343 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1345 The KEK_LKH attribute fields are defined as follows: 1347 o LKH version (1 octet) -- Contains the version of the LKH protocol 1348 which the data is formatted in. Must be one. 1350 o Number of LKH Keys (2 octets) -- This value is the number of 1351 distinct LKH keys in this sequence. 1353 o RESERVED (1 octet) -- Unused, set to zero. 1355 Each LKH Key is defined as follows: 1357 0 1 2 3 1358 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1359 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1360 ! LKH ID ! Key Type ! RESERVED ! 1361 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1362 ~ Key Creation Date ! 1363 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1364 ~ Key expiration Date ! 1365 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1366 ~ Key Handle ! 1367 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1368 ! ! 1369 ~ Key Data ~ 1370 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1372 o LKH ID (2 octets) -- This is the position of this key in the 1373 binary tree structure used by LKH. 1375 o Key Type (1 octet) -- This is the encryption algorithm for which 1376 this key data is to be used. This value is specified in 1377 Section 4.4.3. 1379 o RESERVED (1 octet) -- Unused, set to zero. 1381 o Key Creation Date (4 octets) -- This is the time value of when 1382 this key data was originally generated. A time value of zero 1383 indicates that there is no time before which this key is not 1384 valid. 1386 o Key Expiration Date (4 octets) -- This is the time value of when 1387 this key is no longer valid for use. A time value of zero 1388 indicates that this key does not have an expiration time. 1390 o Key Handle (4 octets) -- This is the randomly generated value to 1391 uniquely identify a key within an LKH ID. 1393 o Key Data (variable length) -- This is the actual encryption key 1394 data, which is dependent on the Key Type algorithm for its format. 1395 If the mode of operation for the algorithm requires an 1396 Initialization Vector (IV), an explicit IV MUST be included in the 1397 Key Data field before the actual key. 1399 The Key Creation Date and Key expiration Dates MAY be zero. This is 1400 necessary in the case where time synchronization within the group is 1401 not possible. 1403 The first LKH Key structure in an LKH_DOWNLOAD_ARRAY attribute 1404 contains the Leaf identifier and key for the group member. The rest 1405 of the LKH Key structures contain keys along the path of the key tree 1406 in the order starting from the leaf, culminating in the group KEK. 1408 4.7.3.2. LKH_UPDATE_ARRAY 1410 This attribute is used to update the keys for a group. It is most 1411 likely to be included in a G-IKEv2 rekey message KD payload to rekey 1412 the entire group. This attribute consists of a header block, 1413 followed by one or more LKH keys, as defined in Section 4.7.3.1. 1415 There may be any number of UPDATE_ARRAY attributes included in a KD 1416 payload. 1418 0 1 2 3 1419 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1420 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1421 ! LKH Version ! # of LKH Keys ! RESERVED ! 1422 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1423 ! LKH ID ! RESERVED2 ! 1424 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1425 ! Key Handle ! 1426 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1427 ! LKH Keys ! 1428 ~ ~ 1429 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1431 o LKH version (1 octet) -- Contains the version of the LKH protocol 1432 which the data is formatted in. Must be one. 1434 o Number of LKH Keys (2 octets) -- This value is the number of 1435 distinct LKH keys in this sequence. 1437 o RESERVED (1 octet) -- Unused, set to zero. 1439 o LKH ID (2 octets) -- This is the node identifier associated with 1440 the key used to encrypt the first LKH Key. 1442 o RESERVED2 (2 octets) -- Unused, set to zero. 1444 o Key Handle (4 octets) -- This is the value to uniquely identify 1445 the key within the LKH ID which was used to encrypt the first LKH 1446 key. 1448 The LKH Keys are as defined in Section 4.7.3.1. The LKH Key 1449 structures contain keys along the path of the key tree in order from 1450 the LKH ID found in the LKH_UPDATE_ARRAY header, culminating in the 1451 group KEK. The Key Data field of each LKH Key is encrypted with the 1452 LKH key preceding it in the LKH_UPDATE_ARRAY attribute. The first 1453 LKH Key is encrypted under the key defined by the LKH ID and Key 1454 Handle found in the LKH_UPDATE_ARRAY header. 1456 4.7.4. SID Download Type 1458 This attribute is used to download one or use more Sender-ID (SID) 1459 values for the exclusive use of a group member. 1461 KEK Class Value Type 1462 --------- ----- ---- 1463 RESERVED 0 1464 NUMBER_OF_SID_BITS 1 B 1465 SID_VALUE 2 V 1466 Expert Review 3-128 1467 Private Use 129-255 1468 Unassigned 256-32767 1470 Because a SID value is intended for a single group member, the SID 1471 Download type MUST NOT be distributed in a GSA_REKEY message 1472 distributed to multiple group members. 1474 4.7.4.1. NUMBER_OF_SID_BITS 1476 The NUMBER_OF_SID_BITS class declares how many bits of the cipher 1477 nonce in which to represent an SID value. This value applied to each 1478 SID value is distributed in the SID Download. 1480 4.7.4.2. SID_VALUE 1482 The SID_VALUE class declares a single SID value for the exclusive use 1483 of the a group member. Multiple SID_VALUE attributes MAY be included 1484 in a SID Download. 1486 4.7.4.3. GM Semantics 1488 The SID_VALUE attribute value distributed to the group member MUST be 1489 used by that group member as the SID field portion of the IV for all 1490 Data-Security SAs including a counter-based mode of operation 1491 distributed by the GCKS as a part of this group. When the Sender- 1492 Specific IV (SSIV) field for any Data-Security SA is exhausted, the 1493 group member MUST no longer act as a sender on that SA using its 1494 active SID. The group member SHOULD re-register, at which time the 1495 GCKS will issue a new SID to the group member, along with either the 1496 same Data-Security SAs or replacement ones. The new SID replaces the 1497 existing SID used by this group member, and also resets the SSIV 1498 value to its starting value. A group member MAY re-register prior to 1499 the actual exhaustion of the SSIV field to avoid dropping data 1500 packets due to the exhaustion of available SSIV values combined with 1501 a particular SID value. 1503 A group member MUST NOT process an SID Download Type KD payload 1504 present in a GSA-REKEY message. 1506 4.7.4.4. GCKS Semantics 1508 If any KD payload includes keying material that is associated with a 1509 counter-mode of operation, a SID Download Type KD payload containing 1510 at least one SID_VALUE attribute MUST be included. The GCKS MUST NOT 1511 send the SID Download Type KD payload as part of a GSA_REKEY message, 1512 because distributing the same sender-specific policy to more than one 1513 group member will reduce the security of the group. 1515 4.8. Delete Payload 1517 There are occasions when the GCKS may want to signal to receivers to 1518 delete policy at the end of a broadcast, or if policy has changed. 1519 Deletion of keys MAY be accomplished by sending an IKEv2 Delete 1520 Payload, section 3.11 of [RFC7296] as part of the GSA_AUTH or 1521 GSA_REKEY Exchange. One or more Delete payloads MAY be placed 1522 following the HDR payload in the GSA_AUTH or GSA_REKEY Exchange. 1524 The Protocol ID MUST be 41 for GSA_REKEY Exchange, 2 for AH or 3 for 1525 ESP. Note that only one protocol id value can be defined in a Delete 1526 payload. If a TEK and a KEK SA for GSA_REKEY Exchange must be 1527 deleted, they must be sent in different Delete payloads. Similarly, 1528 if a TEK specifying ESP and a TEK specifying AH need to be deleted, 1529 they must be sent in different Delete payloads. 1531 There may be circumstances where the GCKS may want to start over with 1532 a clean slate. If the administrator is no longer confident in the 1533 integrity of the group, the GCKS can signal deletion of all policy of 1534 a particular TEK protocol by sending a TEK with an SPI value equal to 1535 zero in the delete payload. For example, if the GCKS wishes to 1536 remove all the KEKs and all the TEKs in the group, the GCKS SHOULD 1537 send a delete payload with an SPI of zero and a Protocol-ID of AH or 1538 ESP Protocol-ID value, followed by another delete payload with an SPI 1539 value of zero and Protocol-ID of KEK SA, indicating that the KEK SA 1540 should be deleted. 1542 4.9. Notify Payload 1544 G-IKEv2 uses the same notify payload as specified in [RFC7296], 1545 section 3.10. 1547 There are additional notify message types introduced by G-IKEv2 to 1548 communicate error conditions and status. 1550 NOTIFY MESSAGES - ERROR TYPES Value 1551 ------------------------------------------------------------------- 1552 INVALID_GROUP_ID - 45 1553 Indicates the group id sent during registration process is invalid. 1555 AUTHORIZATION_FAILED - 46 1556 Sent in the response to GSA_AUTH message when authorization failed. 1558 NOTIFY MESSAGES - STATUS TYPES Value 1559 ------------------------------------------------------------------- 1560 SENDER_REQUEST_ID - 16429 1561 Sent in GSA_AUTH or GSA_REGISTRATION to request SIDs from GCKS. 1562 The data includes a count of how many SID values it desires. 1564 4.10. Authentication Payload 1566 G-IKEv2 uses the same Authentication payload as specified in 1567 [RFC7296], section 3.8, to sign the rekey message. 1569 5. Security Considerations 1571 5.1. GSA registration and secure channel 1573 G-IKEv2 registration exchange uses IKEv2 IKE_SA_INIT, GSA_AUTH and 1574 GSA_REGISTRATION inheriting all the security considerations 1575 documented in [RFC7296] section 5 Security Considerations, including 1576 authentication, confidentiality, protection against man-in-the- 1577 middle, protection against replay/reflection attacks, and denial of 1578 service protection. In addition, G-IKEv2 brings in the capability to 1579 authorize a particular group member regardless of whether they have 1580 the IKEv2 credentials. 1582 5.2. GSA maintenance channel 1584 The GSA maintenance channel is cryptographically and integrity 1585 protected using the cryptographic algorithm and key negotiated in the 1586 GSA member registration exchanged. 1588 5.2.1. Authentication/Authorization 1590 Authentication is implicit, the public key of the identity is 1591 distributed during the registration, and the receiver of the rekey 1592 message uses that public key and identity to verify the message is 1593 come from the authorized GCKS. 1595 5.2.2. Confidentiality 1597 Confidentiality is provided by distributing a confidentiality key as 1598 part of the GSA member registration exchange. 1600 5.2.3. Man-in-the-Middle Attack Protection 1602 GSA maintenance channel is integrity protected by using digital 1603 signature. 1605 5.2.4. Replay/Reflection Attack Protection 1607 The GSA rekey message includes a monotonically increasing sequence 1608 number to protect against replay and reflection attacks. A group 1609 member will recognize a replayed message by comparing the message id 1610 number to that of the last received rekey message, any rekey message 1611 contains message id number less than or equal to the last received 1612 value SHOULD be discarded. Implementations SHOULD keep a record of 1613 recently received GSA rekey messages for this comparison. 1615 6. IANA Considerations 1617 6.1. New registries 1619 A new set of registries are created for this draft. 1621 GSA type Registry, see Section 4.3.1 1623 KEK Attributes Registry, see Section 4.4.1 1625 KEK Management Algorithm Registry, see Section 4.4.2 1627 GSA TEK Payload Protocol ID Type Registry, see Section 4.5 1629 TEK Attributes Registry, see Section 4.5 1631 Key Download Type Registry, see Section 4.7 1633 TEK Download Type Registry, see Section 4.7.1 1635 KEK Download Type Registry, see Section 4.7.2 1637 LKH Download Type Registry, see Section 4.7.3 1639 SID Download Type Registry, see Section 4.7.4 1641 6.2. New payload and exchange types to existing IKEv2 registry 1643 The following new payloads and exchange types already allocated by 1644 IANA 1646 The present document describes new IKEv2 Next Payload types, see 1647 Section 4.1 1649 The present document describes new IKEv2 Exchanges types, see 1650 Section 4.1 1652 The present document describes new IKEv2 Notify Payload types, see 1653 Section 4.9 1655 New payload type request to be allocated by IANA 1657 The present document describes a new IKEv2 Security Protocol 1658 Identifiers protocol ID, see Section 4.8. TBD1 represents new IKEv2 1659 Security Protocol Identifiers for GIKEv2_REKEY. 1661 6.3. New Name spaces 1663 The present document describes many new name spaces for use in the 1664 G-IKEv2 payloads. Those may be found in subsections under Section 4. 1665 A new G-IKEv2 registry has been created for these name spaces. 1667 Portions of name spaces marked "RESERVED" are reserved for IANA 1668 allocation. New values MUST be added due to a Standards Action as 1669 defined in [RFC5226]. 1671 Portions of name spaces marked "Private Use" may be allocated by 1672 implementations for their own purposes. 1674 7. Acknowledgements 1676 The authors thank Lakshminath Dondeti and Jing Xiang for first 1677 exploring the use of IKEv2 for group key management and providing the 1678 basis behind the protocol. 1680 8. Contributors 1682 The following individuals made substantial contributions to early 1683 versions of this memo. 1685 Sheela Rowles 1686 Cisco Systems 1687 170 W. Tasman Drive 1688 San Jose, California 95134-1706 1689 USA 1691 Phone: +1-408-527-7677 1692 Email: sheela@cisco.com 1694 Aldous Yeung 1695 Cisco Systems 1696 170 W. Tasman Drive 1697 San Jose, California 95134-1706 1698 USA 1700 Phone: +1-408-853-2032 1701 Email: cyyeung@cisco.com 1703 Paulina Tran 1704 Cisco Systems 1705 170 W. Tasman Drive 1706 San Jose, California 95134-1706 1707 USA 1709 Phone: +1-408-526-8902 1710 Email: ptran@cisco.com 1712 9. References 1714 9.1. Normative References 1716 [RFC6054] McGrew, D. and B. Weis, "Using Counter Modes with 1717 Encapsulating Security Payload (ESP) and Authentication 1718 Header (AH) to Protect Group Traffic", RFC 6054, 1719 DOI 10.17487/RFC6054, November 2010, 1720 . 1722 [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. 1723 Kivinen, "Internet Key Exchange Protocol Version 2 1724 (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October 1725 2014, . 1727 9.2. Informative References 1729 [IKE-HASH] 1730 Kivinen, T., "Fixing IKE Phase 1 & 2 Authentication 1731 HASHs", November 2001, . 1734 [IKEV2-IANA] 1735 IANA, "Internet Key Exchange Version 2 (IKEv2) Parameters 1736 - Transform Type 3 - Integrity Algorithm Transfrom IDs", 1737 December 2013, . 1740 [NNL] Naor, D., Noal, M., and J. Lotspiech, "Revocation and 1741 Tracing Schemes for Stateless Receivers", Advances in 1742 Cryptology, Crypto '01, Springer-Verlag LNCS 2139, 2001, 1743 pp. 41-62, 2001, 1744 . 1746 [OFT] McGrew, D. and A. Sherman, "Key Establishment in Large 1747 Dynamic Groups Using One-Way Function Trees", Manuscript, 1748 submitted to IEEE Transactions on Software Engineering, 1749 1998, . 1752 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1753 Requirement Levels", BCP 14, RFC 2119, 1754 DOI 10.17487/RFC2119, March 1997, 1755 . 1757 [RFC2403] Madson, C. and R. Glenn, "The Use of HMAC-MD5-96 within 1758 ESP and AH", RFC 2403, DOI 10.17487/RFC2403, November 1759 1998, . 1761 [RFC2404] Madson, C. and R. Glenn, "The Use of HMAC-SHA-1-96 within 1762 ESP and AH", RFC 2404, DOI 10.17487/RFC2404, November 1763 1998, . 1765 [RFC2407] Piper, D., "The Internet IP Security Domain of 1766 Interpretation for ISAKMP", RFC 2407, 1767 DOI 10.17487/RFC2407, November 1998, 1768 . 1770 [RFC2408] Maughan, D., Schertler, M., Schneider, M., and J. Turner, 1771 "Internet Security Association and Key Management Protocol 1772 (ISAKMP)", RFC 2408, DOI 10.17487/RFC2408, November 1998, 1773 . 1775 [RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange 1776 (IKE)", RFC 2409, DOI 10.17487/RFC2409, November 1998, 1777 . 1779 [RFC2627] Wallner, D., Harder, E., and R. Agee, "Key Management for 1780 Multicast: Issues and Architectures", RFC 2627, 1781 DOI 10.17487/RFC2627, June 1999, 1782 . 1784 [RFC3686] Housley, R., "Using Advanced Encryption Standard (AES) 1785 Counter Mode With IPsec Encapsulating Security Payload 1786 (ESP)", RFC 3686, DOI 10.17487/RFC3686, January 2004, 1787 . 1789 [RFC4106] Viega, J. and D. McGrew, "The Use of Galois/Counter Mode 1790 (GCM) in IPsec Encapsulating Security Payload (ESP)", 1791 RFC 4106, DOI 10.17487/RFC4106, June 2005, 1792 . 1794 [RFC4301] Kent, S. and K. Seo, "Security Architecture for the 1795 Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, 1796 December 2005, . 1798 [RFC4309] Housley, R., "Using Advanced Encryption Standard (AES) CCM 1799 Mode with IPsec Encapsulating Security Payload (ESP)", 1800 RFC 4309, DOI 10.17487/RFC4309, December 2005, 1801 . 1803 [RFC4543] McGrew, D. and J. Viega, "The Use of Galois Message 1804 Authentication Code (GMAC) in IPsec ESP and AH", RFC 4543, 1805 DOI 10.17487/RFC4543, May 2006, 1806 . 1808 [RFC4868] Kelly, S. and S. Frankel, "Using HMAC-SHA-256, HMAC-SHA- 1809 384, and HMAC-SHA-512 with IPsec", RFC 4868, 1810 DOI 10.17487/RFC4868, May 2007, 1811 . 1813 [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an 1814 IANA Considerations Section in RFCs", BCP 26, RFC 5226, 1815 DOI 10.17487/RFC5226, May 2008, 1816 . 1818 [RFC6407] Weis, B., Rowles, S., and T. Hardjono, "The Group Domain 1819 of Interpretation", RFC 6407, DOI 10.17487/RFC6407, 1820 October 2011, . 1822 Appendix A. Differences between G-IKEv2 and RFC 6407 1824 KE Payload - The KE payload is no longer needed with the availability 1825 of newer algorithms such as AES and GCM which provide adequate 1826 protection therefore not needing the PFS capability the KE payload 1827 offers. 1829 SIG Payload - The AUTH payload is used for the same purpose instead. 1831 DOI/Situation - The DOI and Situation fields in the SA payload are no 1832 longer needed in the G-IKEv2 protocol as port 848 will distinguish 1833 the IKEv2 messages from the G-IKEv2 messages. 1835 SEQ Payload - The SEQ payload is no longer needed since IKEv2 header 1836 has message id which is used to prevent message replay attacks. 1838 Authors' Addresses 1840 Brian Weis 1841 Cisco Systems 1842 170 W. Tasman Drive 1843 San Jose, California 95134-1706 1844 USA 1846 Phone: +1-408-526-4796 1847 Email: bew@cisco.com 1849 Yoav Nir 1850 Check Point Software Technologies Ltd. 1851 5 Hasolelim St. 1852 Tel Aviv 67897 1853 Israel 1855 Email: ynir@checkpoint.com 1857 Valery Smyslov 1858 ELVIS-PLUS 1859 PO Box 81 1860 Moscow (Zelenograd) 124460 1861 Russian Federation 1863 Phone: +7 495 276 0211 1864 Email: svan@elvis.ru