idnits 2.17.1 draft-yeung-g-ikev2-13.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The draft header indicates that this document obsoletes RFC6407, but the abstract doesn't seem to mention this, which it should. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (March 5, 2018) is 2241 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Downref: Normative reference to an Informational RFC: RFC 2627 ** Downref: Normative reference to an Informational RFC: RFC 3740 ** Downref: Normative reference to an Informational RFC: RFC 4046 == Outdated reference: A later version (-11) exists of draft-ietf-ipsecme-qr-ikev2-01 -- Obsolete informational reference (is this intentional?): RFC 2407 (Obsoleted by RFC 4306) -- Obsolete informational reference (is this intentional?): RFC 2408 (Obsoleted by RFC 4306) -- Obsolete informational reference (is this intentional?): RFC 2409 (Obsoleted by RFC 4306) Summary: 3 errors (**), 0 flaws (~~), 2 warnings (==), 5 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group B. Weis 3 Internet-Draft Cisco Systems 4 Obsoletes: 6407 (if approved) Y. Nir 5 Intended status: Standards Track Dell EMC 6 Expires: September 6, 2018 V. Smyslov 7 ELVIS-PLUS 8 March 5, 2018 10 Group Key Management using IKEv2 11 draft-yeung-g-ikev2-13 13 Abstract 15 This document presents a group key management protocol defined as a 16 set of IKEv2 exchanges. The protocol is in conformance with the 17 Multicast Security (MSEC) key management architecture, which contains 18 two components: member registration and group rekeying. Both 19 components include a Group Controller/Key Server downloading group 20 security associations to an authorized member of a group. 22 Status of This Memo 24 This Internet-Draft is submitted in full conformance with the 25 provisions of BCP 78 and BCP 79. 27 Internet-Drafts are working documents of the Internet Engineering 28 Task Force (IETF). Note that other groups may also distribute 29 working documents as Internet-Drafts. The list of current Internet- 30 Drafts is at https://datatracker.ietf.org/drafts/current/. 32 Internet-Drafts are draft documents valid for a maximum of six months 33 and may be updated, replaced, or obsoleted by other documents at any 34 time. It is inappropriate to use Internet-Drafts as reference 35 material or to cite them other than as "work in progress." 37 This Internet-Draft will expire on September 6, 2018. 39 Copyright Notice 41 Copyright (c) 2018 IETF Trust and the persons identified as the 42 document authors. All rights reserved. 44 This document is subject to BCP 78 and the IETF Trust's Legal 45 Provisions Relating to IETF Documents 46 (https://trustee.ietf.org/license-info) in effect on the date of 47 publication of this document. Please review these documents 48 carefully, as they describe your rights and restrictions with respect 49 to this document. Code Components extracted from this document must 50 include Simplified BSD License text as described in Section 4.e of 51 the Trust Legal Provisions and are provided without warranty as 52 described in the Simplified BSD License. 54 Table of Contents 56 1. Introduction and Overview . . . . . . . . . . . . . . . . . . 3 57 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 58 1.2. Relationship to GDOI . . . . . . . . . . . . . . . . . . 4 59 1.3. G-IKEv2 Payloads . . . . . . . . . . . . . . . . . . . . 4 60 2. G-IKEv2 integration into IKEv2 protocol . . . . . . . . . . . 4 61 2.1. UDP port . . . . . . . . . . . . . . . . . . . . . . . . 5 62 3. G-IKEv2 Protocol . . . . . . . . . . . . . . . . . . . . . . 5 63 3.1. G-IKEv2 member registration and secure channel 64 establishment . . . . . . . . . . . . . . . . . . . . . . 5 65 3.1.1. GSA_AUTH exchange . . . . . . . . . . . . . . . . . . 6 66 3.1.2. GSA_REGISTRATION Exchange . . . . . . . . . . . . . . 7 67 3.1.3. IKEv2 Header Initialization . . . . . . . . . . . . . 8 68 3.1.4. GM Registration Operations . . . . . . . . . . . . . 8 69 3.1.5. GCKS Registration Operations . . . . . . . . . . . . 9 70 3.1.6. Interaction with IKEv2 protocols . . . . . . . . . . 10 71 3.2. Group Maintenance Channel . . . . . . . . . . . . . . . . 11 72 3.2.1. GSA_REKEY exchange . . . . . . . . . . . . . . . . . 11 73 3.2.2. GSA_INBAND_REKEY exchange . . . . . . . . . . . . . . 15 74 3.2.3. Deletion of SAs . . . . . . . . . . . . . . . . . . . 16 75 3.3. Counter-based modes of operation . . . . . . . . . . . . 16 76 4. Header and Payload Formats . . . . . . . . . . . . . . . . . 18 77 4.1. The G-IKEv2 Header . . . . . . . . . . . . . . . . . . . 18 78 4.2. Group Identification (IDg) Payload . . . . . . . . . . . 19 79 4.3. Security Association - GM Supported Transforms (SAg) . . 19 80 4.4. Group Security Association Payload . . . . . . . . . . . 19 81 4.4.1. GSA Policy . . . . . . . . . . . . . . . . . . . . . 20 82 4.5. KEK Policy . . . . . . . . . . . . . . . . . . . . . . . 21 83 4.5.1. KEK Attributes . . . . . . . . . . . . . . . . . . . 22 84 4.6. GSA TEK Policy . . . . . . . . . . . . . . . . . . . . . 24 85 4.6.1. TEK ESP and AH Protocol-Specific Policy . . . . . . . 25 86 4.7. GSA Group Associated Policy . . . . . . . . . . . . . . . 27 87 4.7.1. ACTIVATION_TIME_DELAY/DEACTIVATION_TIME_DELAY . . . . 28 88 4.8. Key Download Payload . . . . . . . . . . . . . . . . . . 28 89 4.8.1. TEK Download Type . . . . . . . . . . . . . . . . . . 30 90 4.8.2. KEK Download Type . . . . . . . . . . . . . . . . . . 31 91 4.8.3. LKH Download Type . . . . . . . . . . . . . . . . . . 32 92 4.8.4. SID Download Type . . . . . . . . . . . . . . . . . . 35 93 4.9. Delete Payload . . . . . . . . . . . . . . . . . . . . . 36 94 4.10. Notify Payload . . . . . . . . . . . . . . . . . . . . . 37 95 4.11. Authentication Payload . . . . . . . . . . . . . . . . . 37 96 5. Security Considerations . . . . . . . . . . . . . . . . . . . 37 97 5.1. GSA registration and secure channel . . . . . . . . . . . 37 98 5.2. GSA maintenance channel . . . . . . . . . . . . . . . . . 37 99 5.2.1. Authentication/Authorization . . . . . . . . . . . . 38 100 5.2.2. Confidentiality . . . . . . . . . . . . . . . . . . . 38 101 5.2.3. Man-in-the-Middle Attack Protection . . . . . . . . . 38 102 5.2.4. Replay/Reflection Attack Protection . . . . . . . . . 38 103 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 38 104 6.1. New registries . . . . . . . . . . . . . . . . . . . . . 38 105 6.2. New payload and exchange types added to the existing 106 IKEv2 registry . . . . . . . . . . . . . . . . . . . . . 39 107 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 39 108 8. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 39 109 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 40 110 9.1. Normative References . . . . . . . . . . . . . . . . . . 40 111 9.2. Informative References . . . . . . . . . . . . . . . . . 41 112 Appendix A. Use of LKH in G-IKEv2 . . . . . . . . . . . . . . . 43 113 A.1. Group Creation . . . . . . . . . . . . . . . . . . . . . 43 114 A.2. Group Member Exclusion . . . . . . . . . . . . . . . . . 43 115 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 45 117 1. Introduction and Overview 119 This document presents a group key management protocol protected by 120 IKEv2. The data communications within the group are protected by a 121 key pushed to the group members (GMs) by the Group Controller/Key 122 Server (GCKS) using a set of new IKEv2[RFC7296] exchanges. In 123 G-IKEv2, the GCKS pushes policy and keys for the group to the GM 124 after authenticating it using new payloads included in a new exchange 125 called GSA_AUTH (similar to the IKE_AUTH exchange) or the 126 GSA_REGISTRATION exchange. In G-IKEv2, message semantics of IKEv2 127 are preserved in that all communications consists of message request- 128 response pairs. The exception to this rule is the GSA_REKEY 129 exchange, which is a single message usually delivered as an IP 130 multicast packet. 132 G-IKEv2 is similar to GDOI [RFC6407], which defined a similar group 133 key management protocol using IKEv1 [RFC2409]. 135 G-IKEv2 conforms with the The Multicast Group (MEC) Security 136 Architecture [RFC3740], and the Multicast Security (MSEC) Group Key 137 Management Architecture [RFC4046]. 139 1.1. Requirements Language 141 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 142 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 143 "OPTIONAL" in this document are to be interpreted as described in BCP 144 14 [RFC2119] [RFC8174] when, and only when, they appear in all 145 capitals, as shown here. 147 1.2. Relationship to GDOI 149 GDOI protocol specified in [RFC6407] is protected by IKEv1 phase1 150 security association defined in [RFC2407], [RFC2408] and [RFC2409]; 151 these documents are obsoleted and replaced by a new version of the 152 IKE protocol defined in RFC 7296. G-IKEv2 provides group key 153 management between the Group Member and GCKS using the new IKEv2 154 protocol and inherits the following key advantages over GDOI: 156 1. Provide a simple mechanism for the responder to keep minimal 157 state and avoid DoS attack from forged IP address using cookie 158 challenge exchange. 160 2. Improve performance and network latency by the reduced number of 161 initial messages to complete the G-IKEv2 protocol from (10 162 messages in Main mode and Quick mode, 7 messages in Aggressive 163 mode and Quick) to 4 messages. 165 3. Fix cryptographic weakness with authentication HASH (IKEv1 166 authentication HASH specified in RFC 2409 does not include all 167 ISAKMP payloads and does not include ISAKMP header). This issue 168 is documented at [IKE-HASH]. 170 4. Improve protocol reliability where all unicast messages are 171 acknowledged and sequenced. 173 5. Well defined behavior for error conditions to improve 174 interoperability. 176 1.3. G-IKEv2 Payloads 178 1. IDg (group ID) - The GM requests the GCKS for membership into the 179 group by sending its IDg payload. 181 2. GSA (Group Security Association) - The GCKS sends the group 182 policy to the GM using this payload. 184 3. KD (Key Download) - The GCKS sends the control and data keys to 185 the GM using the KD payload. 187 2. G-IKEv2 integration into IKEv2 protocol 189 The G-IKEv2 protocol uses the security mechanisms of IKEv2 (peer 190 authentication, confidentiality, message integrity) to protect the 191 group negotiations required for G-IKEv2. The G-IKEv2 exchange 192 further provides group authorization, and secure policy and key 193 download from the GCKS to its group members. 195 It is assumed that readers are familiar with the IKEv2 protocol, so 196 this document skips many details that are described in [RFC7296]. 198 2.1. UDP port 200 G-IKEv2 SHOULD use port 848, the same as GDOI [RFC6407], because they 201 serve a similar function. They can use the same ports, just as IKEv1 202 and IKEv2 can share port 500. The version number in the IKEv2 header 203 distinguishes the G-IKEv2 protocol from GDOI protocol [RFC6407]. 205 3. G-IKEv2 Protocol 207 3.1. G-IKEv2 member registration and secure channel establishment 209 The registration protocol consists of a minimum of two message 210 exchanges, IKE_SA_INIT and GSA_AUTH; member registration may have a 211 few more messages exchanged if the EAP method, cookie challenge (for 212 DoS protection) or negotiation of Diffie-Hellman group is included. 213 Each exchange consists of request/response pairs. The first exchange 214 IKE_SA_INIT is defined in IKEv2 [RFC7296]. This exchange negotiates 215 cryptographic algorithms, exchanges nonces and does a Diffie-Hellman 216 exchange between the group member (GM) and the Group Controller/Key 217 Server (GCKS). 219 The second exchange GSA_AUTH authenticates the previous messages, 220 exchanges identities and certificates. These messages are encrypted 221 and integrity protected with keys established through the IKE_SA_INIT 222 exchange, so the identities are hidden from eavesdroppers and all 223 fields in all the messages are authenticated. The GCKS SHOULD 224 authorize group members to be allowed into the group as part of the 225 GSA_AUTH exchange. Once the GCKS accepts a group member to join a 226 group it will download the data security keys (TEKs) and/or group key 227 encrypting key (KEK) or KEK array as part of the GSA_AUTH response 228 message. In the following descriptions, the payloads contained in 229 the message are indicated by names as listed below. Payloads defined 230 as part of other IKEv2 extensions MAY also be included in these 231 exchanges. 233 Notation Payload 234 ------------------------------------------------------------ 235 AUTH Authentication 236 CERT Certificate 237 CERTREQ Certificate Request 238 GSA Group Security Association 239 HDR IKEv2 Header 240 IDg Identification - Group 241 IDi Identification - Initiator 242 IDr Identification - Responder 243 KD Key Download 244 KE Key Exchange 245 Ni, Nr Nonce 246 SA Security Association 247 SAg Security Association - GM Supported Transforms 249 The details of the contents of each payload are described in 250 Section 4. Payloads that may optionally appear will be shown in 251 brackets, such as [ CERTREQ ], to indicate that a certificate request 252 payload can optionally be included. 254 3.1.1. GSA_AUTH exchange 256 After the group member and GCKS use the IKE_SA_INIT exchange to 257 negotiate cryptographic algorithms, exchange nonces, and perform a 258 Diffie-Hellman exchange as defined in IKEv2 [RFC7296], the GSA_AUTH 259 exchange MUST complete before any other exchanges can be done. The 260 security properties of the GSA_AUTH exchange are the same as the 261 properties of the IKE_AUTH exchange. It is used to authenticate the 262 IKE_SA_INIT messages, exchange identities and certificates. G-IKEv2 263 also uses this exchange for group member registration and 264 authorization. Even though the IKE_AUTH does contain the SA2, TSi, 265 and TSr payload the GSA_AUTH does not. They are not needed because 266 policy is not negotiated between the group member and the GCKS, but 267 instead downloaded from the GCKS to the group member. 269 Initiator (Member) Responder (GCKS) 270 -------------------- ------------------ 271 HDR, SK { IDi, [CERT,] [CERTREQ, ] [IDr, ] 272 AUTH, IDg, [SAg, ] [N ] } --> 274 After the IKE_SA_INIT exchange completes, the group member initiates 275 a GSA_AUTH request to join a group indicated by the IDg payload. The 276 GM MAY include an SAg payload declaring which Transforms that it is 277 willing to accept, and also MAY include the Notify payload status 278 type SENDER_ID_REQUEST to request SIDs for a Counter-based cipher 279 from the GCKS. 281 <-- HDR, SK { IDr, [CERT, ] AUTH, [ GSA, KD, ] [D, ] } 283 The GCKS responds with IDr, optional CERT, and AUTH material as if it 284 were an IKE_AUTH. It also informs the group member of the 285 cryptographic policies of the group in the GSA payload and the key 286 material in the KD payload. The GCKS can also include a Delete (D) 287 payload instructing the group member to delete existing SAs it might 288 have as the result of a previous group member registration. 290 In addition to the IKEv2 error handling, the GCKS can reject the 291 registration request when the IDg is invalid or authorization fails, 292 etc. In these cases, see Section 4.10, the GSA_AUTH response will 293 not include the GSA and KD, but will include a Notify payload 294 indicating errors. If the group member included an SAg payload, and 295 the GCKS chooses to evaluate it, and it detects that that group 296 member cannot support the security policy defined for the group, then 297 the GCKS SHOULD return a NO_PROPOSAL_CHOSEN. When the GCKS indicates 298 errors, and the group member cannot resolve the errors, the group 299 member MUST delete the registration IKE SA. 301 Initiator (Member) Responder (GCKS) 302 -------------------- ------------------ 303 <-- HDR, SK { N } 305 If the group member finds the policy sent by the GCKS is 306 unacceptable, the member SHOULD notify the GCKS by sending IDg and 307 the Notify type NO_PROPOSAL_CHOSEN as shown below. 309 Initiator (Member) Responder (GCKS) 310 -------------------- ------------------ 311 HDR, SK {IDg [N,]} --> 313 <-- HDR, SK {} 315 3.1.2. GSA_REGISTRATION Exchange 317 When a secure channel is already established between a GM and the 318 GCKS, the GM registration for a group can reuse the established 319 secure channel. In this scenario the GM will use the 320 GSA_REGISTRATION exchange by including the desired group ID (IDg) to 321 request data security keys (TEKs) and/or group key encrypting keys 322 (KEKs) from the GCKS. If the group member includes an SAg payload, 323 and the GCKS chooses to evaluate it, and it detects that group member 324 cannot support the security policy defined for the group, then the 325 GCKS SHOULD return a NO_PROPOSAL_CHOSEN. The GM MAY also include the 326 Notify payload status type SENDER_ID_REQUEST to request SIDs for a 327 Counter-based cipher from the GCKS. The GCKS response payloads are 328 created and processed as in the GSA_AUTH reply. 330 Initiator (Member) Responder (GCKS) 331 -------------------- ------------------ 332 HDR, SK {IDg, [SAg, ][N ] } --> 334 <-- HDR, SK { GSA, KD, [D ] } 336 This exchange can also be used if the group member finds the policy 337 sent by the GCKS is unacceptable. The group member SHOULD notify the 338 GCKS by sending IDg and the Notify type NO_PROPOSAL_CHOSEN, as shown 339 below. The GCKS MUST unregister the group member. 341 Initiator (Member) Responder (GCKS) 342 -------------------- ------------------ 343 HDR, SK {IDg [N,]} --> 345 <-- HDR, SK {} 347 3.1.3. IKEv2 Header Initialization 349 The Major Version is (2) and Minor Version is (0) according to IKEv2 350 [RFC7296], and maintained in this document. The G-IKEv2 IKE_SA_INIT, 351 GSA_AUTH and GSA_REGISTRATION use the IKE SPI according to IKEv2 352 [RFC7296], section 2.6. 354 3.1.4. GM Registration Operations 356 A G-IKEv2 Initiator (GM) requesting registration contacts the GCKS 357 using the IKE_SA_INIT exchange and receives the response from the 358 GCKS. This exchange is unchanged from the IKE_SA_INIT in IKEv2 359 protocol. 361 Upon completion of parsing and verifying the IKE_SA_INIT response, 362 the GM sends the GSA_AUTH message with the IKEv2 payloads from 363 IKE_AUTH (without the SAi2, TSi and TSr payloads) along with the 364 Group ID informing the GCKS of the group the initiator wishes to 365 join. The initiator MAY specify how many Sender-ID values it would 366 like to receive in the Notify payload status type, SENDER_ID_REQUEST, 367 in case the Data Security SA supports a counter mode cipher (see 368 Section 3.3). 370 An initiator may be limited in the types of Transforms that it is 371 able or willing to use, and may find it useful to inform the GCKS 372 which Transforms that it is willing to accept. It can OPTIONALLY 373 include an SAg payload, which can include ESP and/or AH Proposals. 374 Each Proposal contains a list of Transforms that it is willing to 375 support for that protocol. A Proposal of type ESP can include ENCR, 376 INTEG, and ESN Transforms. A Proposal of type AH can include INTEG, 377 and ESN Transforms. The SPI length of each Proposal in an SAg MUST 378 be zero, and the SPI field is null. Generally, a single Proposal of 379 each type will suffice, because the group member is not negotiating 380 Transform sets, simply alerting the GCKS to restrictions it may have. 382 Upon receiving the GSA_AUTH response, the initiator parses the 383 response from the GCKS authenticating the exchange using the IKEv2 384 method, then processes the GSA and KD. 386 The GSA payload contains the security policy and cryptographic 387 protocols used by the group. This policy describes the Rekey SA 388 (KEK), if present, Data-security SAs (TEK), and other group policy 389 (GAP). If the policy in the GSA payload is not acceptable to the GM, 390 it SHOULD notify the GCKS with a NO_PROPOSAL_CHOSEN Notify payload 391 (see Section 3.1.1 and Section 3.1.2). Finally the KD is parsed 392 providing the keying material for the TEK and/or KEK. The GM 393 interprets the KD key packets, where each key packet includes the 394 keying material for SAs distributed in the GSA payload. Keying 395 material is matched by comparing the SPIs in the key packets to SPIs 396 previously included in the GSA payloads. Once TEK keys and policy 397 are matched, the GM provides them to the data security subsystem, and 398 it is ready to send or receive packets matching the TEK policy. 400 The GSA KEK policy MUST include KEK attribute KEK_MESSAGE_ID with a 401 Message ID. The Message ID in the KEK_MESSAGE_ID attribute MUST be 402 checked against any previously received Message ID for this group. 403 If it is less than the previously received number, it should be 404 considered stale and ignored. This could happen if two GSA_AUTH 405 exchanges happened in parallel, and the Message ID changed. This 406 KEK_MESSAGE_ID is used by the GM to prevent GSA_REKEY message replay 407 attacks. The first GSA_REKEY message that the GM receives from the 408 GCKS must have a Message ID greater or equal to the Message ID 409 received in the KEK_MESSAGE_ID attribute. 411 3.1.5. GCKS Registration Operations 413 A G-IKEv2 GCKS passively listens for incoming requests from group 414 members. When the GCKS receives an IKE_SA_INIT request, it selects 415 an IKE proposal and generates a nonce and DH to include them in the 416 IKE_SA_INIT response. 418 Upon receiving the GSA_AUTH request, the GCKS authenticates the group 419 member using the same procedures as in the IKEv2 IKE_AUTH. The GCKS 420 then authorizes the group member according to group policy before 421 preparing to send the GSA_AUTH response. If the GCKS fails to 422 authorize the GM, it will respond with an AUTHORIZATION_FAILED notify 423 message. 425 The GSA_AUTH response will include the group policy in the GSA 426 payload and keys in the KD payload. If the GCKS policy includes a 427 group rekey option, this policy is constructed in the GSA KEK and the 428 key is constructed in the KD KEK. The GSA KEK MUST include the 429 KEK_MESSAGE_ID attribute, specifying the starting Message ID the GCKS 430 will use when sending the GSA_REKEY message to the group member. 431 This Message ID is used to prevent GSA_REKEY message replay attacks 432 and will be increased each time a GSA_REKEY message is sent to the 433 group. The GCKS data traffic policy is included in the GSA TEK and 434 keys are included in the KD TEK. The GSA GAP MAY also be included to 435 provide the ATD and/or DTD (Section 4.7.1) specifying activation and 436 deactivation delays for SAs generated from the TEKs. If one or more 437 Data Security SAs distributed in the GSA payload included a counter 438 mode of operation, the GCKS includes at least one SID value in the KD 439 payload, and possibly more depending on the request received in the 440 Notify payload status type SENDER_ID_REQUEST requesting the number of 441 SIDs from the group member. 443 If the GCKS receives a GSA_REGISTRATION exchange with a request to 444 register a GM to a group, the GCKS will need to authorize the GM with 445 the new group (IDg) and respond with the corresponding group policy 446 and keys. If the GCKS fails to authorize the GM, it will respond 447 with the AUTHORIZATION_FAILED notification. 449 If a group member includes an SAg in its GSA_AUTH or GSA_REGISTRATION 450 request, the GCKS MAY evaluate it according to an implementation 451 specific policy. 453 o The GCKS could evaluate the list of Transforms and compare it to 454 its current policy for the group. If the group member did not 455 include all of the ESP or AH Transforms in its current policy, 456 then it could return a NO_PROPOSAL_CHOSEN Notification. 458 o The GCKS could store the list of Transforms, with the goal of 459 migrating the group policy to a different Transform when all of 460 the group members indicate that they can support that Transform. 462 o The GCKS could store the list of Transforms and adjust the current 463 group policy based on the capabilities of the devices as long as 464 they fall within the acceptable security policy of the GCKS. 466 3.1.6. Interaction with IKEv2 protocols 468 3.1.6.1. Session Resumption 470 G-IKEv2 is compatible with and can use IKEv2 Session Resumption 471 [RFC5723] except that a GM would include the initial ticket request 472 in a GSA_AUTH exchange instead of an IKE_AUTH exchange. 474 3.1.6.2. Postquantum Preshared Keys for IKEv2 476 G-IKEv2 can take advantage of the protection provided by Postquantum 477 Preshared Keys (PPK) for IKEv2 [I-D.ietf-ipsecme-qr-ikev2]. However, 478 the current PPK draft leaves the initial IKE SA susceptible to 479 quantum computer (QC) attacks. It suggests that for applications 480 using IKEv2 to be QC-secure, an immediate IKE SA rekey should take 481 place followed by a GSA_REGISTRATION exchange. 483 3.2. Group Maintenance Channel 485 The GCKS is responsible for rekeying the secure group per the group 486 policy. Rekeying is an operation whereby the GCKS provides 487 replacement TEKs and KEK, deleting TEKs, and/or excluding group 488 members. The GCKS may initiate a rekey message if group membership 489 and/or policy has changed, or if the keys are about to expire. Two 490 forms of group maintenance channels are provided in G-IKEv2 to push 491 new policy to group members. 493 GSA_REKEY The GSA_REKEY exchange is an exchange initiated by the 494 GCKS, where the rekey policy is usually delivered to group members 495 using IP multicast as a transport. This is valuable for large and 496 dynamic groups, and where policy may change frequently and an 497 scalable rekeying method is required. When the GSA_REKEY exchange 498 is used, the IKEv2 SA protecting the member registration exchanges 499 is terminated, and group members await policy changes from the 500 GCKS via the GSA_REKEY exchange. 502 GSA_INBAND_REKEY The GSA_INBAND_REKEY exchange is a rekey method 503 using the IKEv2 SA that was setup to protecting the member 504 registration exchange. This exchange allows the GCKS to rekey 505 without using an independant GSA_REKEY exchange. The 506 GSA_INBAND_REKEY exchange is useful when G-IKEv2 is used with a 507 small group of cooperating devices. 509 3.2.1. GSA_REKEY exchange 511 The GCKS initiates the G-IKEv2 Rekey securely, usually using IP 512 multicast. Since this rekey does not require a response and it sends 513 to multiple GMs, G-IKEv2 rekeying MUST NOT support IKE SA windowing. 514 The GCKS rekey message replaces the rekey GSA KEK or KEK array, and/ 515 or creates a new Data-Security GSA TEK. The SID Download attribute 516 in the Key Download payload (defined in Section 4.8.4) MUST NOT be 517 part of the Rekey Exchange as this is sender specific information and 518 the Rekey Exchange is group specific. The GCKS initiates the 519 GSA_REKEY exchange as following: 521 Members (Responder) GCKS (Initiator) 522 -------------------- ------------------ 523 <-- HDR, SK { GSA, KD, [D,] AUTH } 525 HDR is defined in Section 4.1. The Message ID in this message will 526 start with the same value the GCKS sent to the group members in the 527 KEK attribute KEK_MESSAGE_ID during registration; this Message ID 528 will be increased each time a new GSA_REKEY message is sent to the 529 group members. 531 The GSA payload contains the current rekey and data security SAs. 532 The GSA may contain a new rekey SA and/or a new data security SA, 533 which, optionally contains an LKH rekey SA, Section 4.4. 535 The KD payload contains the keys for the policy included in the GSA. 536 If the data security SA is being refreshed in this rekey message, the 537 IPsec keys are updated in the KD, and/or if the rekey SA is being 538 refreshed in this rekey message, the rekey Key or the LKH KEK array 539 is updated in the KD payload. 541 A Delete payload MAY be included to instruct the GM to delete 542 existing SAs. 544 The AUTH payload is included to authenticate the GSA_REKEY message 545 using a method defined in the IKEv2 Authentication Method IANA 546 registry [IKEV2-IANA]. The method SHOULD be a digital signature 547 authentication scheme to ensure that the message was originated from 548 an authorized GCKS. A Shared Key Integrity Code SHOULD NOT be used 549 as it doesn't provide source origin authentication (although a small 550 group may not require source origin authentication). During group 551 member registration, the GCKS sends the authentication key in the GSA 552 KEK payload, KEK_AUTH_KEY attribute, which the group member uses to 553 authenticate the key server. Before the current Authentication Key 554 expires, the GCKS will send a new KEK_AUTH_KEY to the group members 555 in a GSA_REKEY message. The AUTH key that is used in the rekey 556 message may not be the same as the authentication key used in 557 GSA_AUTH. Typically a rekey message is sent as multicast and 558 received by all group members, therefore the same AUTH key is 559 distributed to all group members. 561 After adding the AUTH payload to the rekey message, the current KEK 562 encryption key is used to encrypt all of the payloads following the 563 HDR. 565 3.2.1.1. GSA_REKEY GCKS Operations 567 The GCKS builds the rekey message with a Message ID value that is one 568 greater than the value included in the previous rekey. If the 569 message is using a new KEK attribute, the Message ID is reset to 1 in 570 this message. The GSA, KD, and D payloads follow with the same 571 characteristics as in the GSA Registration exchange. The AUTH 572 payload is the final payload added to the message. It is created by 573 hashing the string "G-IKEv2" and the message created so far, and then 574 is digitally signed. Finally, the content of the Encrypted payload 575 is encrypted and authenticated using the current KEK keys. 577 Because GSA_REKEY messages are not acknowledged and could be 578 discarded by the network, one or more GMs may not receive the 579 message. To mitigate such lost messages, during a rekey event the 580 GCKS SHOULD transmit several GSA_REKEY messages with the new policy. 581 When re-transmitting a GSA_REKEY a GCKS needs to ensure that TEK and 582 KEK time-to-live lifetimes are still the correct values. If the 583 lifetimes in a re-tranmitted message are stale, they will represent 584 an artificially lengthened lifetime, possibly resulting in GMs with 585 unsynchronized TEK and KEK lifetimes. 587 3.2.1.2. GSA_REKEY GM Operations 589 When a group member receives the Rekey Message from the GCKS it 590 decrypts the message using the current KEK, validates the signature 591 using the public key retrieved in a previous G-IKEv2 exchange, 592 verifies the Message ID, and processes the GSA and KD payloads. The 593 group member then downloads the new data security SA and/or new Rekey 594 GSA. The parsing of the payloads is identical to the parsing done in 595 the registration exchange. 597 Replay protection is achieved by a group member rejecting a GSA_REKEY 598 message which has a Message ID smaller than the current Message ID 599 that the GM is expecting. The GM expects the Message ID in the first 600 GSA_REKEY message it receives to be equal or greater than the message 601 id it receives in the KEK_MESSAGE_ID attribute. The GM expects the 602 message ID in subsequent GSA_REKEY messages to be greater than the 603 last valid GSA_REKEY message ID it received. 605 If the GSA payload includes a Data-Security SA including a counter- 606 modes of operation and the receiving group member is a sender for 607 that SA, the group member uses its current SID value with the Data- 608 Security SAs to create counter-mode nonces. If it is a sender and 609 does not hold a current SID value, it MUST NOT install the Data- 610 Security SAs. It MAY initiate a GSA_REGISTRATION exchange to the 611 GCKS in order to obtain an SID value (along with current group 612 policy). 614 If the GM receives a notification that a Data-Security SA is about to 615 expire (such as a "soft lifetime" expiration as described in 616 Section 4.4.2.1 of [RFC4301]), it SHOULD initiate a registration to 617 the GCKS. This registration serves as a request for current SAs, and 618 will result in the download of replacement SAs, assuming the GCKS 619 policy has created them. 621 3.2.1.3. Forward and Backward Access Control 623 Through the G-IKEv2 rekey, G-IKEv2 supports algorithms such as LKH 624 that have the property of denying access to a new group key by a 625 member removed from the group (forward access control) and to an old 626 group key by a member added to the group (backward access control). 627 An unrelated notion to PFS, "forward access control" and "backward 628 access control" have been called "perfect forward security" and 629 "perfect backward security" in the literature [RFC2627]. 631 Group management algorithms providing forward and backward access 632 control other than LKH have been proposed in the literature, 633 including OFT [OFT] and Subset Difference [NNL]. These algorithms 634 could be used with G-IKEv2, but are not specified as a part of this 635 document. 637 Support for group management algorithms are supported via the 638 KEY_MANAGEMENT_ALGORITHM attribute which is sent in the GSA KEK 639 policy. G-IKEv2 specifies one method by which LKH can be used for 640 forward and backward access control. Other methods of using LKH, as 641 well as other group management algorithms such as OFT or Subset 642 Difference may be added to G-IKEv2 as part of a later document. 644 3.2.1.3.1. Forward Access Control Requirements 646 When group membership is altered using a group management algorithm 647 new GSA TEKs (and their associated keys) are usually also needed. 648 New GSAs and keys ensure that members who were denied access can no 649 longer participate in the group. 651 If forward access control is a desired property of the group, new GSA 652 TEKs and the associated key packets in the KD payload MUST NOT be 653 included in a G-IKEv2 rekey message which changes group membership. 654 This is required because the GSA TEK policy and the associated key 655 packets in the KD payload are not protected with the new KEK. A 656 second G-IKEv2 rekey message can deliver the new GSA TEKS and their 657 associated key packets because it will be protected with the new KEK, 658 and thus will not be visible to the members who were denied access. 660 If forward access control policy for the group includes keeping group 661 policy changes from members that are denied access to the group, then 662 two sequential G-IKEv2 rekey messages changing the group KEK MUST be 663 sent by the GCKS. The first G-IKEv2 rekey message creates a new KEK 664 for the group. Group members, which are denied access, will not be 665 able to access the new KEK, but will see the group policy since the 666 G-IKEv2 rekey message is protected under the current KEK. A 667 subsequent G-IKEv2 rekey message containing the changed group policy 668 and again changing the KEK allows complete forward access control. A 669 G-IKEv2 rekey message MUST NOT change the policy without creating a 670 new KEK. 672 If other methods of using LKH or other group management algorithms 673 are added to G-IKEv2, those methods MAY remove the above restrictions 674 requiring multiple G-IKEv2 rekey messages, providing those methods 675 specify how the forward access control policy is maintained within a 676 single G-IKEv2 rekey message. 678 3.2.1.4. Fragmentation 680 IKE fragmentation [RFC7383] can be used to perform fragmentation of 681 large GSA_REKEY messages, however when the GSA_REKEY message is 682 emitted as an IP multicast packet there is a lack of response from 683 the GMs. This has the following implications. 685 o Policy regarding the use of IKE fragmentation is implicit. If a 686 GCKS detects that all GMs have negotiated support of IKE 687 fragmentation in IKE_SA_INIT, then it MAY use IKE fragmentation on 688 large GSA_REKEY exchange messages. 690 o The GCKS must always use IKE fragmentation based on a known 691 fragmentation threshold (unspecified in this memo), as there is no 692 way to check if fragmentation is needed by first sending 693 unfragmented messages and waiting for response. 695 o PMTU probing cannot be performed due to lack of GSA_REKEY response 696 message. 698 3.2.2. GSA_INBAND_REKEY exchange 700 When the IKEv2 SA protecting the member registration exchange is 701 maintained while group member participates in the group, the GCKS can 702 use the GSA_INBAND_REKEY exchange to individually provide policy 703 updates to the group member. 705 Member (Responder) GCKS (Initiator) 706 -------------------- ------------------ 707 <-- HDR, SK { GSA, KD, [D,] } 709 HDR, SK {} --> 711 Because this is an IKEv2 exchange, the HDR is treated as defined in 712 [RFC7296]. 714 3.2.2.1. GSA_INBAND_REKEY GCKS Operations 716 The GSA, KD, and D payloads are built in the same manner as in a 717 registration exchange. 719 3.2.2.2. GSA_INBAND_REKEY GM Operations 721 The GM processes the GSA, KD, and D payloads in the same manner as if 722 they were received in a registration exchange. 724 3.2.3. Deletion of SAs 726 There are occasions when the GCKS may want to signal to group members 727 to delete policy at the end of a broadcast, or if group policy has 728 changed. Deletion of keys MAY be accomplished by sending the G-IKEv2 729 Delete Payload [RFC7296], section 3.11 as part of the GSA_REKEY 730 Exchange as shown below. 732 Members (Responder) GCKS (Initiator) 733 -------------------- ------------------ 734 <-- HDR, SK { 735 [GSA ], [KD ], [D, ] AUTH } 737 The GSA MAY specify the remaining active time of the remaining policy 738 by using the DTD attribute in the GSA GAP. If a GCKS has no further 739 SAs to send to group members, the GSA and KD payloads MUST be omitted 740 from the message. There may be circumstances where the GCKS may want 741 to start over with a clean slate. If the administrator is no longer 742 confident in the integrity of the group, the GCKS can signal deletion 743 of all the policies of a particular TEK protocol by sending a TEK 744 with a SPI value equal to zero in the delete payload. For example, 745 if the GCKS wishes to remove all the KEKs and all the TEKs in the 746 group, the GCKS SHOULD send a Delete payload with a SPI of zero and a 747 protocol_id of a TEK protocol_id value defined in Section 4.6, 748 followed by another Delete payload with a SPI of zero and protocol_id 749 of zero, indicating that the KEK SA should be deleted. 751 3.3. Counter-based modes of operation 753 Several new counter-based modes of operation have been specified for 754 ESP (e.g., AES-CTR [RFC3686], AES-GCM [RFC4106], AES-CCM [RFC4309], 755 AES-GMAC [RFC4543]) and AH (e.g., AES-GMAC [RFC4543]). These 756 counter-based modes require that no two senders in the group ever 757 send a packet with the same Initialization Vector (IV) using the same 758 cipher key and mode. This requirement is met in G-IKEv2 when the 759 following requirements are met: 761 o The GCKS distributes a unique key for each Data-Security SA. 763 o The GCKS uses the method described in [RFC6054], which assigns each 764 sender a portion of the IV space by provisioning each sender with one 765 or more unique SID values. 767 When at least one Data-Security SA included in the group policy 768 includes a counter-based mode of operation, the GCKS automatically 769 allocates and distributes one SID to each group member acting in the 770 role of sender on the Data-Security SA. The SID value is used 771 exclusively by the group member to which it was allocated. The group 772 member uses the same SID for each Data-Security SA specifying the use 773 of a counter-based mode of operation. A GCKS MUST distribute unique 774 keys for each Data-Security SA including a counter-based mode of 775 operation in order to maintain unique key and nonce usage. 777 During registration, the group member can choose to request one or 778 more SID values. Requesting a value of 1 is not necessary since the 779 GCKS will automatically allocate exactly one to the group member. A 780 group member MUST request as many SIDs matching the number of 781 encryption modules in which it will be installing the TEKs in the 782 outbound direction. Alternatively, a group member MAY request more 783 than one SID and use them serially. This could be useful when it is 784 anticipated that the group member will exhaust their range of Data- 785 Security SA nonces using a single SID too quickly (e.g., before the 786 time-based policy in the TEK expires). 788 When the group policy includes a counter-based mode of operation, a 789 GCKS SHOULD use the following method to allocate SID values, which 790 ensures that each SID will be allocated to just one group member. 792 1. A GCKS maintains an SID-counter, which records the SIDs that have 793 been allocated. SIDs are allocated sequentially, with zero as the 794 first allocated SID. 796 2. Each time an SID is allocated, the current value of the counter 797 is saved and allocated to the group member. The SID-counter is then 798 incremented in preparation for the next allocation. 800 3. When the GCKS specifies a counter-based mode of operation in the 801 Data Security SA a group member may request a count of SIDs during 802 registration in a Notify payload information of type SEND_ID_REQUEST. 803 When the GCKS receives this request, it increments the SID-counter 804 once for each requested SID, and distributes each SID value to the 805 group member. 807 4. A GCKS allocates new SID values for each GSA_REGISTRATION 808 exchange originated by a sender, regardless of whether a group member 809 had previously contacted the GCKS. In this way, the GCKS is not 810 required to maintaining a record of which SID values it had 811 previously allocated to each group member. More importantly, since 812 the GCKS cannot reliably detect whether the group member had sent 813 data on the current group Data-Security SAs it does not know what 814 Data-Security counter-mode nonce values that a group member has used. 815 By distributing new SID values, the key server ensures that each time 816 a conforming group member installs a Data-Security SA it will use a 817 unique set of counter-based mode nonces. 819 5. When the SID-counter maintained by the GCKS reaches its final SID 820 value, no more SID values can be distributed. Before distributing 821 any new SID values, the GCKS MUST delete the Data-Security SAs for 822 the group, followed by creation of new Data-Security SAs, and 823 resetting the SID-counter to its initial value. 825 6. The GCKS SHOULD send a GSA_REKEY message deleting all Data- 826 Security SAs and the Rekey SA for the group. This will result in the 827 group members initiating a new GSA_REGISTRATION exchange, in which 828 they will receive both new SID values and new Data-Security SAs. The 829 new SID values can safely be used because they are only used with the 830 new Data-Security SAs. Note that deletion of the Rekey SA is 831 necessary to ensure that group members receiving a GSA_REKEY exchange 832 before the re-register do not inadvertently use their old SIDs with 833 the new Data-Security SAs. Using the method above, at no time can 834 two group members use the same IV values with the same Data-Security 835 SA key. 837 4. Header and Payload Formats 839 Refer to IKEv2 [RFC7296] for existing payloads. Some payloads used 840 in G-IKEv2 exchanges are not aligned to 4-octet boundaries, which is 841 also the case for some IKEv2 payloads (see Section 3.2 of [RFC7296]). 843 4.1. The G-IKEv2 Header 845 G-IKEv2 uses the same IKE header format as specified in RFC 7296 846 section 3.1. 848 Several new payload formats are required in the group security 849 exchanges. 851 Next Payload Type Value 852 ----------------- ----- 853 Group Identification (IDg) 50 854 Group Security Association (GSA) 51 855 Key Download (KD) 52 857 New exchange types GSA_AUTH, GSA_REGISTRATION and GSA_REKEY are added 858 to the IKEv2 [RFC7296] protocol. 860 Exchange Type Value 861 -------------- ----- 862 GSA_AUTH 39 863 GSA_REGISTRATION 40 864 GSA_REKEY 41 865 GSA_INBAND_REKEY TBD 867 Major Version is 2 and Minor Version is 0 as in IKEv2 [RFC7296]. IKE 868 SA Initiator's SPI, IKE SA Responder's SPI, Flags, Message ID, and 869 Length are as specified in [RFC7296]. 871 4.2. Group Identification (IDg) Payload 873 The IDg Payload allows the group member to indicate which group it 874 wants to join. The payload is constructed by using the IKEv2 875 Identification Payload (section 3.5 of [RFC7296]). ID type ID_KEY_ID 876 MUST be supported. ID types ID_IPV4_ADDR, ID_FQDN, ID_RFC822_ADDR, 877 ID_IPV6_ADDR SHOULD be supported. ID types ID_DER_ASN1_DN and 878 ID_DER_ASN1_GN are not expected to be used. 880 4.3. Security Association - GM Supported Transforms (SAg) 882 The SAg payload declares which Transforms a GM is willing to accept. 883 The payload is constructed using the format of the IKEv2 Security 884 Association payload (section 3.3 of [RFC7296]). The Payload Type for 885 SAg is identical to the SA Payload Type. 887 4.4. Group Security Association Payload 889 The Group Security Association payload is used by the GCKS to assert 890 security attributes for both Rekey and Data-security SAs. 892 0 1 2 3 893 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 894 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 895 | Next Payload |C| RESERVED | Payload Length | 896 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 898 The Security Association Payload fields are defined as follows: 900 o Next Payload (1 octet) -- Identifies the next payload type for the 901 G-IKEv2 registration or the G-IKEv2 rekey message. 903 o Critical (1 bit) -- Set according to [RFC7296]. 905 o RESERVED (7 bits) -- Must be zero. 907 o Payload Length (2 octets) -- Is the octet length of the current 908 payload including the generic header and all TEK and KEK policies. 910 4.4.1. GSA Policy 912 Following the GSA generic payload header are GSA policies for group 913 rekeying (KEK), data traffic SAs (TEK) and/or Group Associated Policy 914 (GAP). There may be zero or one GSA KEK policy, zero or one GAP 915 policies, and zero or more GSA TEK policies, where either one GSA KEK 916 or GSA TEK payload MUST be present. 918 This latitude allows various group policies to be accommodated. For 919 example if the group policy does not require the use of a Rekey SA, 920 the GCKS would not need to send a GSA KEK attribute to the group 921 member since all SA updates would be performed using the Registration 922 SA. Alternatively, group policy might use a Rekey SA but choose to 923 download a KEK to the group member only as part of the Registration 924 SA. Therefore, the GSA KEK policy would not be necessary as part of 925 the GSA_REKEY message. 927 Specifying multiple GSA TEKs allows multiple related data streams 928 (e.g., video, audio, and text) to be associated with a session, but 929 each protected with an individual security association policy. 931 A GAP payload allows for the distribution of group-wise policy, such 932 as instructions for when to activate and de-activate SAs. 934 Policies following the GSA payload use the following common header. 936 0 1 2 3 937 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 939 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 940 | Type | RESERVED | Length | 941 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 943 Type is defined as follows: 945 ID Class Value 946 -------- ----- 947 RESERVED 0 948 KEK 1 949 GAP 2 950 TEK 3 951 Expert Review 4-127 952 Private Use 128-255 954 4.5. KEK Policy 956 The GSA KEK policy contains security attributes for the KEK method 957 for a group and parameters specific to the G-IKEv2 registration 958 operation. The source and destination traffic selectors describe the 959 network identities used for the rekey messages. 961 0 1 2 3 962 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 963 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 964 | Type = 1 ! RESERVED ! Length | 965 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 966 | | 967 ~ SPI ~ 968 | | 969 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 970 | | 971 ~ ~ 972 | | 973 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 974 | | 975 ~ ~ 976 | | 977 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 978 ~ KEK Attributes ~ 979 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 981 The GSA KEK Payload fields are defined as follows: 983 o Type = 1 (1 octet) -- Identifies the GSA payload type as KEK in 984 the G-IKEv2 registration or the G-IKEv2 rekey message. 986 o RESERVED (1 octet) -- Must be zero. 988 o Length (2 octets) -- Length of this structure including KEK 989 attributes. 991 o SPI (16 octets) -- Security Parameter Index for the rekey message. 992 The SPI must be the IKEv2 Header SPI pair where the first 8 octets 993 become the "Initiator's SPI" field in the G-IKEv2 rekey message 994 IKEv2 HDR, and the second 8 octets become the "Responder's SPI" in 995 the same HDR. As described above, these SPIs are assigned by the 996 GCKS. 998 o Source & Destination Traffic Selectors - Substructures describing 999 the source and destination of the network identities. These 1000 identities refer to the source and destination of the next KEK 1001 rekey SA. Defined format and values are specified by IKEv2 1002 [RFC7296], section 3.13.1. 1004 o KEK Attributes -- Contains KEK policy attributes associated with 1005 the group. The following sections describe the possible 1006 attributes. Any or all attributes may be optional, depending on 1007 the group policy. 1009 4.5.1. KEK Attributes 1011 The following attributes may be present in a GSA KEK policy. The 1012 attributes must follow the format defined in the IKEv2 [RFC7296] 1013 section 3.3.5. In the table, attributes that are defined as TV are 1014 marked as Basic (B); attributes that are defined as TLV are marked as 1015 Variable (V). The terms Reserved, Unassigned, and Private Use are to 1016 be applied as defined in [RFC8126]. The registration procedure is 1017 Expert Review. 1019 ID Class Value Type 1020 -------- ----- ---- 1021 Reserved 0 1022 KEK_MANAGEMENT_ALGORITHM 1 B 1023 KEK_ENCR_ALGORITHM 2 B 1024 KEK_KEY_LENGTH 3 B 1025 KEK_KEY_LIFETIME 4 V 1026 KEK_INTEGRITY_ALGORITHM 5 B 1027 KEK_AUTH_METHOD 6 B 1028 KEK_AUTH_HASH 7 B 1029 KEK_MESSAGE_ID 8 V 1030 Unassigned 9-16383 1031 Private Use 16384-32767 1033 The following attributes may only be included in a G-IKEv2 1034 registration message: KEK_MANAGEMENT_ALGORITHM. 1036 Minimum attributes that must be sent as part of an GSA KEK: 1037 KEK_ENCR_ALGORITHM, KEK_KEY_LENGTH (if the cipher definition includes 1038 a variable length key), KEK_MESSAGE_ID, KEK_KEY_LIFETIME, 1039 KEK_INTEGRITY_ALGORITHM, KEK_AUTH_METHOD, and KEK_AUTH_HASH (except 1040 for DSA based algorithms). 1042 4.5.1.1. KEK_MANAGEMENT_ALGORITHM 1044 The KEK_MANAGEMENT_ALGORITHM attribute specifies the group KEK 1045 management algorithm used to provide forward or backward access 1046 control (i.e., used to exclude group members). Defined values are 1047 specified in the following table. The terms Reserved, Unassigned, 1048 and Private Use are to be applied as defined in [RFC8126]. The 1049 registration procedure is Expert Review. 1051 KEK Management Type Value 1052 ------------------- ----- 1053 Reserved 0 1054 LKH 1 1055 Unassigned 2-16383 1056 Private Use 16384-32767 1058 4.5.1.2. KEK_ENCR_ALGORITHM 1060 The KEK_ENCR_ALGORITHM attribute specifies the encryption algorithm 1061 used with the KEK. This value is a value from the IKEv2 Transform 1062 Type 1 - Encryption Algorithm Transform IDs registry[IKEV2-IANA]. If 1063 a KEK_MANAGEMENT_ALGORITHM is defined which defines multiple keys 1064 (e.g., LKH), and if the management algorithm does not specify the 1065 algorithm for those keys, then the algorithm defined by the 1066 KEK_ENCR_ALGORITHM attribute MUST be used for all keys which are 1067 included as part of this KEK management. 1069 4.5.1.3. KEK_KEY_LENGTH 1071 The KEK_KEY_LENGTH attribute specifies the KEK Algorithm key length 1072 (in bits). 1074 The Group Controller/Key Server (GCKS) adds the KEK_KEY_LENGTH 1075 attribute to the GSA payload when distributing KEK policy to group 1076 members. The group member verifies whether or not it has the 1077 capability of using a cipher key of that size. If the cipher 1078 definition includes a fixed key length, the group member can make its 1079 decision solely using the KEK_ENCR_ALGORITHM attribute and does not 1080 need the KEK_KEY_LENGTH attribute. Sending the KEK_KEY_LENGTH 1081 attribute in the GSA payload is OPTIONAL if the KEK cipher has a 1082 fixed key length. 1084 4.5.1.4. KEK_KEY_LIFETIME 1086 The KEK_KEY_LIFETIME attribute specifies the maximum time for which 1087 the KEK is valid. The GCKS may refresh the KEK at any time before 1088 the end of the valid period. The value is a four (4) octet number 1089 defining a valid time period in seconds. 1091 4.5.1.5. KEK_INTEGRITY_ALGORITHM 1093 The KEK_INTEGRITY attribute specifies the integrity algorithm used to 1094 protect the rekey message. This integrity algorithm is a value from 1095 the IKEv2 Transform Type 3 - Integrity Algorithm Transform IDs 1096 registry [IKEV2-IANA]. 1098 4.5.1.6. KEK_AUTH_METHOD 1100 The KEK_AUTH_METHOD attribute specifies the method of authentication 1101 used. This value is from the IKEv2 Authentication Method registry 1102 [IKEV2-IANA]. 1104 4.5.1.7. KEK_AUTH_HASH 1106 The KEK_AUTH_HASH attribute specifies the hash algorithm used to 1107 generate the AUTH key to authenticate GSA_REKEY messages. Hash 1108 algorithms are defined in IANA registry IKEv2 Hash Algorithms 1109 [IKEV2-IANA]. This attribute can be used by a group member to 1110 determine in advance if it supports the algorithm used in the rekey 1111 message. 1113 4.5.1.8. KEK_MESSAGE_ID 1115 The KEK_MESSAGE_ID attribute defines the initial Message ID to be 1116 used by the GCKS in the GSA_REKEY messages. The Message ID is a 4 1117 octet unsigned integer in network byte order. 1119 4.6. GSA TEK Policy 1121 The GSA TEK policy contains security attributes for a single TEK 1122 associated with a group. 1124 0 1 2 3 1125 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1126 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1127 | Type = 3 | RESERVED | Length | 1128 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1129 | Protocol-ID | TEK Protocol-Specific Payload | 1130 +-+-+-+-+-+-+-+-+ ~ 1131 ~ | 1132 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1134 The GSA TEK Payload fields are defined as follows: 1136 o Type = 3 (1 octet) -- Identifies the GSA payload type as TEK in 1137 the G-IKEv2 registration or the G-IKEv2 rekey message. 1139 o RESERVED (1 octet) -- Must be zero. 1141 o Length (2 octets) -- Length of this structure, including the TEK 1142 Protocol-Specific Payload. 1144 o Protocol-ID (1 octet) -- Value specifying the Security Protocol. 1145 The following table defines values for the Security Protocol. 1146 Support for the GSA_PROTO_IPSEC_AH GSA TEK is OPTIONAL. The terms 1147 Reserved, Unassigned, and Private Use are to be applied as defined 1148 in [RFC8126]. The registration procedure is Expert Review. 1150 Protocol ID Value 1151 ----------- ----- 1152 Reserved 0 1153 GSA_PROTO_IPSEC_ESP 1 1154 GSA_PROTO_IPSEC_AH 2 1155 Unassigned 3-127 1156 Private Use 128-255 1158 o TEK Protocol-Specific Payload (variable) -- Payload which 1159 describes the attributes specific for the Protocol-ID. 1161 4.6.1. TEK ESP and AH Protocol-Specific Policy 1163 The TEK Protocol-Specific policy contains two traffic selectors one 1164 for the source and one for the destination of the protected traffic, 1165 SPI, Transforms, and Attributes. 1167 The TEK Protocol-Specific policy for ESP and AH is as follows: 1169 0 1 2 3 1170 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1171 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1172 | SPI | 1173 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1174 | | 1175 ~ ~ 1176 | | 1177 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1178 | | 1179 ~ ~ 1180 | | 1181 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1182 | | 1183 ~ ~ 1184 | | 1185 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1186 ~ TEK Attributes ~ 1187 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1189 The GSA TEK Policy fields are defined as follows: 1191 o SPI (4 octets) -- Security Parameter Index. 1193 o Source & Destination Traffic Selectors - The traffic selectors 1194 describe the source and the destination of the protected traffic. 1195 The format and values are defined in IKEv2 [RFC7296], section 1196 3.13.1. 1198 o Transform Substructure List -- A list of Transform Substructures 1199 specifies the transform information. The format and values are 1200 defined in IKEv2 [RFC7296], section 3.3.2. Valid Transform Types 1201 for ESP are ENCR, INTEG, and ESN. Valid Transform Types for AH 1202 are INTEG and ESN. As described in the IKEv2 registries 1203 [IKEV2-IANA]. The Last Substruc value in each Transform 1204 Substructure will be set to 3 except for the last one in the list, 1205 which is set to 0. 1207 o TEK Attributes -- Contains the TEK policy attributes associated 1208 with the group, in the format defined in Section 3.3.5 of 1209 [RFC7296]. All attributes are optional, depending on the group 1210 policy. 1212 Attribute Types are as follows. The terms Reserved, Unassigned, and 1213 Private Use are to be applied as defined in [RFC8126]. The 1214 registration procedure is Expert Review. 1216 ID Class Value Type 1217 -------- ----- ---- 1218 Reserved 0 1219 TEK_KEY_LIFETIME 1 V 1220 TEK_MODE 2 B 1221 Unassigned 3-16383 1222 Private Use 16384-32767 1224 It is NOT RECOMMENDED that the GCKS distribute both ESP and AH 1225 Protocol-Specific Policies for the same set of Traffic Selectors. 1227 4.6.1.1. TEK_KEY_LIFETIME 1229 The TEK_KEY_LIFETIME attribute specifies the maximum time for which 1230 the TEK is valid. When the TEK expires, the AH or ESP security 1231 association and all keys downloaded under the security association 1232 are discarded. The GCKS may refresh the TEK at any time before the 1233 end of the valid period. 1235 The value is a four (4) octet number defining a valid time period in 1236 seconds. If unspecified the default value of 28800 seconds (8 hours) 1237 shall be assumed. 1239 4.6.1.2. TEK_MODE 1241 The value of 0 is used for tunnel mode and 1 for transport mode. In 1242 the absence of this attribute tunnel mode will be used. 1244 4.7. GSA Group Associated Policy 1246 Group specific policy that does not belong to rekey policy (GSA KEK) 1247 or traffic encryption policy (GSA TEK) can be distributed to all 1248 group member using GSA GAP (Group Associated Policy). 1250 The GSA GAP payload is defined as follows: 1252 0 1 2 3 1253 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1254 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1255 | Type = 2 ! RESERVED ! Length | 1256 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1257 ~ Group Associated Policy Attributes ~ 1258 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1260 The GSA GAP payload fields are defined as follows: 1262 o Type = 2 (1 octet) -- Identifies the GSA payload type as GAP in 1263 the G-IKEv2 registration or the G-IKEv2 rekey message. 1265 o RESERVED (1 octet) -- Must be zero. 1267 o Length (2 octets) -- Length of this structure, including the GSA 1268 GAP header and Attributes. 1270 o Group Associated Policy Attributes (variable) -- Contains 1271 attributes following the format defined in Section 3.3.5 of 1272 [RFC7296]. 1274 Attribute Types are as follows. The terms Reserved, Unassigned, and 1275 Private Use are to be applied as defined in [RFC8126]. The 1276 registration procedure is Expert Review. 1278 Attribute Type Value Type 1279 -------------- ----- ---- 1280 Reserved 0 1281 ACTIVATION_TIME_DELAY 1 B 1282 DEACTIVATION_TIME_DELAY 2 B 1283 Unassigned 3-16383 1284 Private Use 16384-32767 1286 4.7.1. ACTIVATION_TIME_DELAY/DEACTIVATION_TIME_DELAY 1288 Section 4.2.1 of RFC 5374 specifies a key rollover method that 1289 requires two values be provided to group members. The 1290 ACTIVATION_TIME_DELAY attribute allows a GCKS to set the Activation 1291 Time Delay (ATD) for SAs generated from TEKs. The ATD defines how 1292 long after receiving new SAs that they are to be activated by the GM. 1293 The ATD value is in seconds. 1295 The DEACTIVATION_TIME_DELAY allows the GCKS to set the Deactivation 1296 Time Delay (DTD) for previously distributed SAs. The DTD defines how 1297 long after receiving new SAs it should deactivate SAs that are 1298 destroyed by the rekey event. The value is in seconds. 1300 The values of ATD and DTD are independent. However, the DTD value 1301 should be larger, which allows new SAs to be activated before older 1302 SAs are deactivated. Such a policy ensures that protected group 1303 traffic will always flow without interruption. 1305 4.8. Key Download Payload 1307 The Key Download Payload contains the group keys for the group 1308 specified in the GSA Payload. These key download payloads can have 1309 several security attributes applied to them based upon the security 1310 policy of the group as defined by the associated GSA Payload. 1312 0 1 2 3 1313 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1314 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1315 | Next Payload |C| RESERVED | Length | 1316 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1317 | Number of Key Packets | RESERVED2 | 1318 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! 1319 ~ Key Packets ~ 1320 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1322 The Key Download Payload fields are defined as follows: 1324 o Next Payload (1 octet) -- Identifier for the payload type of the 1325 next payload in the message. If the current payload is the last 1326 in the message, then this field will be zero. 1328 o Critical (1 bit) -- Set according to [RFC7296]. 1330 o RESERVED (7 bits) -- Unused, set to zero. 1332 o Payload Length (2 octets) -- Length in octets of the current 1333 payload, including the generic payload header. 1335 o Number of Key Packets (2 octets) -- Contains the total number of 1336 Key Packets passed in this data block. 1338 o Key Packets (variable) -- Contains Key Packets. Several types of 1339 key packets are defined. Each Key Packet has the following 1340 format. 1342 0 1 2 3 1343 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1344 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1345 | KD Type | RESERVED | KD Length | 1346 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1347 | SPI Size | SPI (variable) ~ 1348 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1349 ~ Key Packet Attributes ~ 1350 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1352 o Key Download (KD) Type (1 octet) -- Identifier for the Key Data 1353 field of this Key Packet. In the following table the terms 1354 Reserved, Unassigned, and Private Use are to be applied as defined 1355 in [RFC8126]. The registration procedure is Expert Review. 1357 Key Download Type Value 1358 ----------------- ----- 1359 Reserved 0 1360 TEK 1 1361 KEK 2 1362 LKH 3 1363 SID 4 1364 Unassigned 5-127 1365 Private Use 128-255 1367 o RESERVED (1 octet) -- Unused, set to zero. 1369 o Key Download Length (2 octets) -- Length in octets of the Key 1370 Packet data, including the Key Packet header. 1372 o SPI Size (1 octet) -- Value specifying the length in octets of the 1373 SPI as defined by the Protocol-Id. 1375 o SPI (variable length) -- Security Parameter Index which matches a 1376 SPI previously sent in an GSA KEK or GSA TEK Payload. 1378 o Key Packet Attributes (variable length) -- Contains Key 1379 information. The format of this field is specific to the value of 1380 the KD Type field. The following sections describe the format of 1381 each KD Type. 1383 4.8.1. TEK Download Type 1385 The following attributes may be present in a TEK Download Type. 1386 Exactly one attribute matching each type sent in the GSA TEK payload 1387 MUST be present. The attributes must follow the format defined in 1388 IKEv2 (Section 3.3.5 of [RFC7296]). In the table, attributes defined 1389 as TV are marked as Basic (B); attributes defined as TLV are marked 1390 as Variable (V). The terms Reserved, Unassigned, and Private Use are 1391 to be applied as defined in [RFC8126]. The registration procedure is 1392 Expert Review. 1394 TEK Class Value Type 1395 --------- ----- ---- 1396 Reserved 0 1397 TEK_ALGORITHM_KEY 1 V 1398 TEK_INTEGRITY_KEY 2 V 1399 Unassigned 3-16383 1400 Private Use 16384-32767 1402 It is possible that the GCKS will send no TEK key packets in a 1403 Registration KD payload (as well as no corresponding GSA TEK payloads 1404 in the GSA payload), after which the TEK payloads will be sent in a 1405 rekey message. At least one TEK MUST be included in each Rekey KD 1406 payload. 1408 4.8.1.1. TEK_ALGORITHM_KEY 1410 The TEK_ALGORITHM_KEY class contains encryption keying material for 1411 the corresponding SPI. This keying material will be used with the 1412 encryption algorithm specified in the GSA TEK payload, and according 1413 to the IPsec transform describing that encryption algorithm. The 1414 keying material is treated equivalent to IKEv2 KEYMAT derived for 1415 that IPsec transform. If the encryption algorithm requires a nonce 1416 (e.g., AES-GCM), the nonce is chosen as shown in Section 3.2. 1418 4.8.1.2. TEK_INTEGRITY_KEY 1420 The TEK_INTEGRITY_KEY class declares that the integrity key for the 1421 corresponding SPI is contained in the Key Packet Attribute. Readers 1422 should refer to [IKEV2-IANA] for the latest values. 1424 4.8.2. KEK Download Type 1426 The following attributes may be present in a KEK Download Type. 1427 Exactly one attribute matching each type sent in the GSA KEK payload 1428 MUST be present. The attributes must follow the format defined in 1429 IKEv2 (Section 3.3.5 of [RFC7296]). In the table, attributes defined 1430 as TV are marked as Basic (B); attributes defined as TLV are marked 1431 as Variable (V). The terms Reserved, Unassigned, and Private Use are 1432 to be applied as defined in [RFC8126]. The registration procedure is 1433 Expert Review. 1435 KEK Class Value Type 1436 --------- ----- ---- 1437 Reserved 0 1438 KEK_ENCR_KEY 1 V 1439 KEK_INTEGRITY_KEY 2 V 1440 KEK_AUTH_KEY 3 V 1441 Unassigned 4-16383 1442 Private Use 16384-32767 1444 If the KEK Key Packet is included, there MUST be only one present in 1445 the KD payload. 1447 4.8.2.1. KEK_ENCR_KEY 1449 The KEK_ENCR_KEY class declares that the encryption key for the 1450 corresponding SPI is contained in the Key Packet Attribute. The 1451 encryption algorithm that will use this key was specified in the GSA 1452 KEK payload. 1454 If the mode of operation for the algorithm requires an Initialization 1455 Vector (IV), an explicit IV MUST be included in the KEK_ENCR_KEY 1456 before the actual key. 1458 4.8.2.2. KEK_INTEGRITY_KEY 1460 The KEK_INTEGRITY_KEY class declares the integrity key for this SPI 1461 is contained in the Key Packet Attribute. The integrity algorithm 1462 that will use this key was specified in the GSA KEK payload. 1464 4.8.2.3. KEK_AUTH_KEY 1466 The KEK_AUTH_KEY class declares that the authentication key for this 1467 SPI is contained in the Key Packet Attribute. The signature 1468 algorithm that will use this key was specified in the GSA KEK 1469 payload. An RSA public key format is defined in RFC 3447, 1470 Section A.1.1. DSS public key format is defined in RFC 3279 1471 Section 2.3.2. For ECDSA Public keys, use format described in RFC 1472 5480 Section 2.2. 1474 4.8.3. LKH Download Type 1476 The LKH key packet is comprised of attributes representing different 1477 leaves in the LKH key tree. 1479 The following attributes are used to pass an LKH KEK array in the KD 1480 payload. The attributes must follow the format defined in IKEv2 1481 (Section 3.3.5 of [RFC7296]). In the table, attributes defined as TV 1482 are marked as Basic (B); attributes defined as TLV are marked as 1483 Variable (V). The terms Reserved, Unassigned, and Private Use are to 1484 be applied as defined in [RFC8126]. The registration procedure is 1485 Expert Review. 1487 LKH Download Class Value Type 1488 ------------------ ----- ---- 1489 Reserved 0 1490 LKH_DOWNLOAD_ARRAY 1 V 1491 LKH_UPDATE_ARRAY 2 V 1492 Unassigned 3-16383 1493 Private Use 16384-32767 1495 If an LKH key packet is included in the KD payload, there MUST be 1496 only one present. 1498 4.8.3.1. LKH_DOWNLOAD_ARRAY 1500 The LKH_DOWNLOAD_ARRAY class is used to download a set of LKH keys to 1501 a group member. It MUST NOT be included in a IKEv2 rekey message KD 1502 payload if the IKEv2 rekey is sent to more than one group member. If 1503 an LKH_DOWNLOAD_ARRAY attribute is included in a KD payload, there 1504 MUST be only one present. 1506 This attribute consists of a header block, followed by one or more 1507 LKH keys. 1509 0 1 2 3 1510 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1511 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1512 | # of LKH Keys | RESERVED | 1513 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1514 ~ LKH Keys ~ 1515 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1517 The KEK_LKH attribute fields are defined as follows: 1519 o Number of LKH Keys (2 octets) -- This value is the number of 1520 distinct LKH keys in this sequence. 1522 o RESERVED (1 octet) -- Unused, set to zero. 1524 Each LKH Key is defined as follows: 1526 0 1 2 3 1527 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1528 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1529 ! LKH ID | Encr Alg | 1530 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1531 | Key Handle | 1532 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1533 ~ Key Data ~ 1534 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1536 o LKH ID (2 octets) -- This is the position of this key in the 1537 binary tree structure used by LKH. 1539 o Encr Alg (2 octets) -- This is the encryption algorithm for which 1540 this key data is to be used. This value is specified in 1541 Section 4.5.1.2. 1543 o RESERVED (1 octet) -- Unused, set to zero. 1545 o Key Handle (4 octets) -- This is a randomly generated value to 1546 uniquely identify a key within an LKH ID. 1548 o Key Data (variable length) -- This is the actual encryption key 1549 data, which is dependent on the Encr Alg algorithm for its format. 1550 If the mode of operation for the algorithm requires an 1551 Initialization Vector (IV), an explicit IV MUST be included in the 1552 Key Data field before the actual key. 1554 The first LKH Key structure in an LKH_DOWNLOAD_ARRAY attribute 1555 contains the Leaf identifier and key for the group member. The rest 1556 of the LKH Key structures contain keys along the path of the key tree 1557 in the order starting from the leaf, culminating in the group KEK. 1559 4.8.3.2. LKH_UPDATE_ARRAY 1561 The LKH_UPDATE_ARRAY class is used to update the LKH keys for a 1562 group. It is most likely to be included in a G-IKEv2 rekey message 1563 KD payload to rekey the entire group. This attribute consists of a 1564 header block, followed by one or more LKH keys, as defined in 1565 Section 4.8.3.1. 1567 There may be any number of LKH_UPDATE_ARRAY attributes included in a 1568 KD payload. 1570 0 1 2 3 1571 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1572 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1573 | # of LKH Keys | LKH ID | 1574 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1575 | Key Handle | 1576 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1577 ~ LKH Keys ~ 1578 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1580 o Number of LKH Keys (2 octets) -- This value is the number of 1581 distinct LKH keys in this sequence. 1583 o LKH ID (2 octets) -- This is the node identifier associated with 1584 the key used to encrypt the first LKH Key. 1586 o Key Handle (4 octets) -- This is the value that uniquely 1587 identifies the key within the LKH ID which was used to encrypt the 1588 first LKH key. 1590 The LKH Keys are as defined in Section 4.8.3.1. The LKH Key 1591 structures contain keys along the path of the key tree in the order 1592 from the LKH ID found in the LKH_UPDATE_ARRAY header, culminating in 1593 the group KEK. The Key Data field of each LKH Key is encrypted with 1594 the LKH key preceding it in the LKH_UPDATE_ARRAY attribute. The 1595 first LKH Key is encrypted under the key defined by the LKH ID and 1596 Key Handle found in the LKH_UPDATE_ARRAY header. 1598 4.8.4. SID Download Type 1600 The SID attribute is used to download one or more Sender-ID (SID) 1601 values for the exclusive use of a group member. The terms Reserved, 1602 Unassigned, and Private Use are to be applied as defined in 1603 [RFC8126]. The registration procedure is Expert Review. 1605 SID Download Class Value Type 1606 ------------------ ----- ---- 1607 Reserved 0 1608 NUMBER_OF_SID_BITS 1 B 1609 SID_VALUE 2 V 1610 Unassigned 3-16383 1611 Private Use 16384-32767 1613 Because a SID value is intended for a single group member, the SID 1614 Download type MUST NOT be distributed in a GSA_REKEY message 1615 distributed to multiple group members. 1617 4.8.4.1. NUMBER_OF_SID_BITS 1619 The NUMBER_OF_SID_BITS class declares how many bits of the cipher 1620 nonce in which to represent an SID value. This value is applied to 1621 each SID value distributed in the SID Download. 1623 4.8.4.2. SID_VALUE 1625 The SID_VALUE class declares a single SID value for the exclusive use 1626 of this group member. Multiple SID_VALUE attributes MAY be included 1627 in a SID Download. 1629 4.8.4.3. GM Semantics 1631 The SID_VALUE attribute value distributed to the group member MUST be 1632 used by that group member as the SID field portion of the IV for all 1633 Data-Security SAs including a counter-based mode of operation 1634 distributed by the GCKS as a part of this group. When the Sender- 1635 Specific IV (SSIV) field for any Data-Security SA is exhausted, the 1636 group member MUST NOT act as a sender on that SA using its active 1637 SID. The group member SHOULD re-register, at which time the GCKS 1638 will issue a new SID to the group member, along with either the same 1639 Data-Security SAs or replacement ones. The new SID replaces the 1640 existing SID used by this group member, and also resets the SSIV 1641 value to its starting value. A group member MAY re-register prior to 1642 the actual exhaustion of the SSIV field to avoid dropping data 1643 packets due to the exhaustion of available SSIV values combined with 1644 a particular SID value. 1646 A group member MUST ignore an SID Download Type KD payload present in 1647 a GSA-REKEY message, otherwise more than one GM may end up using the 1648 same SID. 1650 4.8.4.4. GCKS Semantics 1652 If any KD payload includes keying material that is associated with a 1653 counter-mode of operation, an SID Download Type KD payload containing 1654 at least one SID_VALUE attribute MUST be included. The GCKS MUST NOT 1655 send the SID Download Type KD payload as part of a GSA_REKEY message, 1656 because distributing the same sender-specific policy to more than one 1657 group member will reduce the security of the group. 1659 4.9. Delete Payload 1661 There are occasions when the GCKS may want to signal to group members 1662 to delete policy at the end of a broadcast, or if policy has changed. 1663 Deletion of keys MAY be accomplished by sending an IKEv2 Delete 1664 Payload, section 3.11 of [RFC7296] as part of the GSA_AUTH or 1665 GSA_REKEY Exchange. One or more Delete payloads MAY be placed 1666 following the HDR payload in the GSA_AUTH or GSA_REKEY Exchange. 1668 The Protocol ID MUST be 41 for GSA_REKEY Exchange, 2 for AH or 3 for 1669 ESP. Note that only one protocol id value can be defined in a Delete 1670 payload. If a TEK and a KEK SA for GSA_REKEY Exchange must be 1671 deleted, they must be sent in different Delete payloads. Similarly, 1672 if a TEK specifying ESP and a TEK specifying AH need to be deleted, 1673 they must be sent in different Delete payloads. 1675 There may be circumstances where the GCKS may want to reset the 1676 policy and keying material for the group. The GCKS can signal 1677 deletion of all policy of a particular TEK by sending a TEK with a 1678 SPI value equal to zero in the delete payload. In the event that the 1679 administrator is no longer confident in the integrity of the group 1680 they may wish to remove all KEK and all the TEKs in the group. This 1681 is done by having the GCKS send a delete payload with a SPI of zero 1682 and a Protocol-ID of AH or ESP to delete all TEKs, followed by 1683 another delete payload with a SPI value of zero and Protocol-ID of 1684 KEK SA to delete the KEK SA. 1686 4.10. Notify Payload 1688 G-IKEv2 uses the same Notify payload as specified in [RFC7296], 1689 section 3.10. 1691 There are additional Notify Message types introduced by G-IKEv2 to 1692 communicate error conditions and status. 1694 NOTIFY messages - error types Value 1695 ------------------------------------------------------------------- 1696 INVALID_GROUP_ID - 45 1697 Indicates the group id sent during the registration process is 1698 invalid. 1700 AUTHORIZATION_FAILED - 46 1701 Sent in the response to a GSA_AUTH message when authorization failed. 1703 NOTIFY messages - status types Value 1704 ------------------------------------------------------------------- 1705 SENDER_ID_REQUEST - 16429 1706 Sent in GSA_AUTH or GSA_REGISTRATION to request SIDs from the GCKS. 1707 The data includes a count of how many SID values it desires. 1709 4.11. Authentication Payload 1711 G-IKEv2 uses the same Authentication payload as specified in 1712 [RFC7296], section 3.8, to sign the rekey message. 1714 5. Security Considerations 1716 5.1. GSA registration and secure channel 1718 G-IKEv2 registration exchange uses IKEv2 IKE_SA_INIT protocols, 1719 inheriting all the security considerations documented in [RFC7296] 1720 section 5 Security Considerations, including authentication, 1721 confidentiality, protection against man-in-the-middle, protection 1722 against replay/reflection attacks, and denial of service protection. 1723 The GSA_AUTH and GSA_REGISTRATION exchanges also take advantage of 1724 those protections. In addition, G-IKEv2 brings in the capability to 1725 authorize a particular group member regardless of whether they have 1726 the IKEv2 credentials. 1728 5.2. GSA maintenance channel 1730 The GSA maintenance channel is cryptographically and integrity 1731 protected using the cryptographic algorithm and key negotiated in the 1732 GSA member registration exchanged. 1734 5.2.1. Authentication/Authorization 1736 Authentication is implicit, the public key of the identity is 1737 distributed during the registration, and the receiver of the rekey 1738 message uses that public key and identity to verify the message came 1739 from the authorized GCKS. 1741 5.2.2. Confidentiality 1743 Confidentiality is provided by distributing a confidentiality key as 1744 part of the GSA member registration exchange. 1746 5.2.3. Man-in-the-Middle Attack Protection 1748 GSA maintenance channel is integrity protected by using a digital 1749 signature. 1751 5.2.4. Replay/Reflection Attack Protection 1753 The GSA_REKEY message includes a monotonically increasing sequence 1754 number to protect against replay and reflection attacks. A group 1755 member will recognize a replayed message by comparing the Message ID 1756 number to that of the last received rekey message, any rekey message 1757 containing a Message ID number less than or equal to the last 1758 received value MUST be discarded. Implementations should keep a 1759 record of recently received GSA rekey messages for this comparison. 1761 6. IANA Considerations 1763 6.1. New registries 1765 A new set of registries should be created for G-IKEv2, on a new page 1766 titled Group Key Management using IKEv2 (G-IKEv2) Parameters. The 1767 following registries should be placed on that page. The terms 1768 Reserved, Expert Review and Private Use are to be applied as defined 1769 in [RFC8126]. 1771 GSA Policy Type Registry, see Section 4.4.1 1773 KEK Attributes Registry, see Section 4.5.1 1775 KEK Management Algorithm Registry, see Section 4.5.1.1 1777 GSA TEK Payload Protocol ID Type Registry, see Section 4.6 1779 TEK Attributes Registry, see Section 4.6 1781 Key Download Type Registry, see Section 4.8 1782 TEK Download Type Attributes Registry, see Section 4.8.1 1784 KEK Download Type Attributes Registry, see Section 4.8.2 1786 LKH Download Type Attributes Registry, see Section 4.8.3 1788 SID Download Type Attributes Registry, see Section 4.8.4 1790 6.2. New payload and exchange types added to the existing IKEv2 1791 registry 1793 The following new payloads and exchange types specified in this memo 1794 have already been allocated by IANA and require no further action, 1795 other than replacing the draft name with an RFC number. 1797 The present document describes new IKEv2 Next Payload types, see 1798 Section 4.1 1800 The present document describes new IKEv2 Exchanges types, see 1801 Section 4.1 1803 The present document describes new IKEv2 notification types, see 1804 Section 4.10 1806 7. Acknowledgements 1808 The authors thank Lakshminath Dondeti and Jing Xiang for first 1809 exploring the use of IKEv2 for group key management and providing the 1810 basis behind the protocol. Mike Sullenberger and Amjad Inamdar were 1811 instrumental in helping resolve many issues in several versions of 1812 the document. 1814 8. Contributors 1816 The following individuals made substantial contributions to early 1817 versions of this memo. 1819 Sheela Rowles 1820 Cisco Systems 1821 170 W. Tasman Drive 1822 San Jose, California 95134-1706 1823 USA 1825 Phone: +1-408-527-7677 1826 Email: sheela@cisco.com 1827 Aldous Yeung 1828 Cisco Systems 1829 170 W. Tasman Drive 1830 San Jose, California 95134-1706 1831 USA 1833 Phone: +1-408-853-2032 1834 Email: cyyeung@cisco.com 1836 Paulina Tran 1837 Cisco Systems 1838 170 W. Tasman Drive 1839 San Jose, California 95134-1706 1840 USA 1842 Phone: +1-408-526-8902 1843 Email: ptran@cisco.com 1845 9. References 1847 9.1. Normative References 1849 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1850 Requirement Levels", BCP 14, RFC 2119, 1851 DOI 10.17487/RFC2119, March 1997, 1852 . 1854 [RFC2627] Wallner, D., Harder, E., and R. Agee, "Key Management for 1855 Multicast: Issues and Architectures", RFC 2627, 1856 DOI 10.17487/RFC2627, June 1999, 1857 . 1859 [RFC3740] Hardjono, T. and B. Weis, "The Multicast Group Security 1860 Architecture", RFC 3740, DOI 10.17487/RFC3740, March 2004, 1861 . 1863 [RFC4046] Baugher, M., Canetti, R., Dondeti, L., and F. Lindholm, 1864 "Multicast Security (MSEC) Group Key Management 1865 Architecture", RFC 4046, DOI 10.17487/RFC4046, April 2005, 1866 . 1868 [RFC4301] Kent, S. and K. Seo, "Security Architecture for the 1869 Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, 1870 December 2005, . 1872 [RFC6054] McGrew, D. and B. Weis, "Using Counter Modes with 1873 Encapsulating Security Payload (ESP) and Authentication 1874 Header (AH) to Protect Group Traffic", RFC 6054, 1875 DOI 10.17487/RFC6054, November 2010, 1876 . 1878 [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. 1879 Kivinen, "Internet Key Exchange Protocol Version 2 1880 (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October 1881 2014, . 1883 [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for 1884 Writing an IANA Considerations Section in RFCs", BCP 26, 1885 RFC 8126, DOI 10.17487/RFC8126, June 2017, 1886 . 1888 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 1889 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 1890 May 2017, . 1892 9.2. Informative References 1894 [I-D.ietf-ipsecme-qr-ikev2] 1895 Fluhrer, S., McGrew, D., Kampanakis, P., and V. Smyslov, 1896 "Postquantum Preshared Keys for IKEv2", draft-ietf- 1897 ipsecme-qr-ikev2-01 (work in progress), December 2017. 1899 [IKE-HASH] 1900 Kivinen, T., "Fixing IKE Phase 1 & 2 Authentication 1901 HASHs", November 2001, . 1904 [IKEV2-IANA] 1905 IANA, "Internet Key Exchange Version 2 (IKEv2) 1906 Parameters", February 2016, 1907 . 1910 [NNL] Naor, D., Noal, M., and J. Lotspiech, "Revocation and 1911 Tracing Schemes for Stateless Receivers", Advances in 1912 Cryptology, Crypto '01, Springer-Verlag LNCS 2139, 2001, 1913 pp. 41-62, 2001, 1914 . 1916 [OFT] McGrew, D. and A. Sherman, "Key Establishment in Large 1917 Dynamic Groups Using One-Way Function Trees", Manuscript, 1918 submitted to IEEE Transactions on Software Engineering, 1919 1998, . 1922 [RFC2407] Piper, D., "The Internet IP Security Domain of 1923 Interpretation for ISAKMP", RFC 2407, 1924 DOI 10.17487/RFC2407, November 1998, 1925 . 1927 [RFC2408] Maughan, D., Schertler, M., Schneider, M., and J. Turner, 1928 "Internet Security Association and Key Management Protocol 1929 (ISAKMP)", RFC 2408, DOI 10.17487/RFC2408, November 1998, 1930 . 1932 [RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange 1933 (IKE)", RFC 2409, DOI 10.17487/RFC2409, November 1998, 1934 . 1936 [RFC3686] Housley, R., "Using Advanced Encryption Standard (AES) 1937 Counter Mode With IPsec Encapsulating Security Payload 1938 (ESP)", RFC 3686, DOI 10.17487/RFC3686, January 2004, 1939 . 1941 [RFC4106] Viega, J. and D. McGrew, "The Use of Galois/Counter Mode 1942 (GCM) in IPsec Encapsulating Security Payload (ESP)", 1943 RFC 4106, DOI 10.17487/RFC4106, June 2005, 1944 . 1946 [RFC4309] Housley, R., "Using Advanced Encryption Standard (AES) CCM 1947 Mode with IPsec Encapsulating Security Payload (ESP)", 1948 RFC 4309, DOI 10.17487/RFC4309, December 2005, 1949 . 1951 [RFC4543] McGrew, D. and J. Viega, "The Use of Galois Message 1952 Authentication Code (GMAC) in IPsec ESP and AH", RFC 4543, 1953 DOI 10.17487/RFC4543, May 2006, 1954 . 1956 [RFC5723] Sheffer, Y. and H. Tschofenig, "Internet Key Exchange 1957 Protocol Version 2 (IKEv2) Session Resumption", RFC 5723, 1958 DOI 10.17487/RFC5723, January 2010, 1959 . 1961 [RFC6407] Weis, B., Rowles, S., and T. Hardjono, "The Group Domain 1962 of Interpretation", RFC 6407, DOI 10.17487/RFC6407, 1963 October 2011, . 1965 [RFC7383] Smyslov, V., "Internet Key Exchange Protocol Version 2 1966 (IKEv2) Message Fragmentation", RFC 7383, 1967 DOI 10.17487/RFC7383, November 2014, 1968 . 1970 Appendix A. Use of LKH in G-IKEv2 1972 Section 5.4 of [RFC2627] describes the LKH architecture, and how a 1973 GCKS uses LKH to exclude group members. This section clarifies how 1974 the LKH architecture is used with G-IKEv2. 1976 A.1. Group Creation 1978 When a GCKS forms a group, it creates a key tree as shown in the 1979 figure below. The key tree contains logical keys (represented as 1980 numbers in the figure) and a private key shared with only a single GM 1981 (represented as letters in the figure). Note that the use of numbers 1982 and letters is used for explanatory purposes; in fact, each key would 1983 have an LKH ID, which is two-octet identifier chosen by the GCKS. 1984 The GCKS may create a complete tree as shown, or a partial tree which 1985 is created on demand as members join the group. The top of the key 1986 tree (i.e., "1" in figure) is used as the KEK for the group. 1988 1 1989 +------------------------------+ 1990 2 3 1991 +---------------+ +---------------+ 1992 4 5 6 7 1993 +-------+ +-------+ +--------+ +--------+ 1994 A B C D E F G H 1996 When GM "A" joins the group, the GCKS provides an LKH_DOWNLOAD_ARRAY 1997 in the KD payload of the GSA_AUTH or GSA_REGISTRATION exchange. 1998 Given the tree shown in figure above, the LKH_DOWNLOAD_ARRAY will 1999 contain four LKH Key payloads, each containing an LKH ID and Key 2000 Data. If the LKH ID values were chosen as shown in the figure, four 2001 LKH Keys would be provided to GM "A", in the following order: A, 4, 2002 2, 1. When GM "B" joins the group, it would also be given four LKH 2003 Keys in the following order: B, 4, 2, 1. And so on, until GM "H" 2004 joins the group and is given H, 7, 3, 1. 2006 A.2. Group Member Exclusion 2008 If the GKCS has reason to believe that a GM should be excluded, then 2009 it can do so by sending a GSA_REKEY exchange that includes a set of 2010 LKH_UPDATE_ARRAY attributes in the KD payload. Each LKH_UPDATE_ARRAY 2011 contains a set of LKH Key payloads, in which every GM other than the 2012 excluded GM will be able to determine a set of new logical keys, 2013 which culminate in a new key "1". The excluded GM will observe the 2014 set of LKH_UPDATE_ARRAY attributes, but cannot determine the new 2015 logical keys because each of the "Key Data" fields is encrypted with 2016 a key held by other GMs. The GM will hold no keys to properly 2017 decrypt any of the "Key Data" fields, including key "1" (i.e., the 2018 new KEK). When a subsequent GSA_REKEY exchange is delivered by the 2019 GCKS and protected by the new KEK, the excluded GM will no longer be 2020 able to see the contents of the GSA_REKEY, including new TEKs that 2021 will be delivered to replace existing TEKs. At this point, the GM 2022 will no longer be able to participate in the group. 2024 In the example below, new keys are represented as the number followd 2025 by a "prime" symbol (e.g., "1" becomes "1'"). Each key is encrypted 2026 by another key. This is represented as "{key1}key2", where key2 2027 encrypts key1. For example, "{1'}2' states that a new key "1'" is 2028 encrypted with a new key "2'". 2030 If GM "B" is to be excluded, the GCKS will need to include three 2031 LKH_UPDATE_ARRAY attributes in the GSA_REKEY message. The order of 2032 the atributes does not matter; only the order of the keys within each 2033 attribute. 2035 o One will provide GM "A" with new logical keys that are shared with 2036 B: {4'}A, {2'}4', {1'}2' 2038 o One will provide all GMs holding key "5" with new logical keys: 2039 {2'}5, {1'}2' 2041 o One will provide all GMs holding key "3" with a new KEK: {1'}3 2043 Each GM will look at each LKH_UPDATE_ARRAY attribute and observe an 2044 LKH ID which is present in an LKH Key delivered to them in the 2045 LKH_DOWNLOAD_ARRAY they were given. If they find a matching LKH ID, 2046 then they will decrypt the new key with the logical key immediately 2047 preceding that LKH Key, and so on until they have received the new 1' 2048 key. 2050 The resulting key tree from this rekey event would would be as in the 2051 figure below. 2053 1' 2054 +------------------------------+ 2055 2' 3 2056 +---------------+ +---------------+ 2057 4' 5 6 7 2058 +---+ +-------+ +--------+ +--------+ 2059 A B C D E F G H 2061 Authors' Addresses 2063 Brian Weis 2064 Cisco Systems 2065 170 W. Tasman Drive 2066 San Jose, California 95134-1706 2067 USA 2069 Phone: +1-408-526-4796 2070 Email: bew@cisco.com 2072 Yoav Nir 2073 Dell EMC 2074 9 Andrei Sakharov St 2075 Haifa 3190500 2076 Israel 2078 Email: ynir.ietf@gmail.com 2080 Valery Smyslov 2081 ELVIS-PLUS 2082 PO Box 81 2083 Moscow (Zelenograd) 124460 2084 Russian Federation 2086 Phone: +7 495 276 0211 2087 Email: svan@elvis.ru