idnits 2.17.1 draft-yeung-g-ikev2-15.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (March 11, 2019) is 1870 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Downref: Normative reference to an Informational RFC: RFC 2627 ** Downref: Normative reference to an Informational RFC: RFC 3740 ** Downref: Normative reference to an Informational RFC: RFC 4046 == Outdated reference: A later version (-11) exists of draft-ietf-ipsecme-qr-ikev2-07 -- Obsolete informational reference (is this intentional?): RFC 2409 (Obsoleted by RFC 4306) Summary: 3 errors (**), 0 flaws (~~), 2 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group B. Weis 3 Internet-Draft Independent 4 Obsoletes: 6407 (if approved) V. Smyslov 5 Intended status: Standards Track ELVIS-PLUS 6 Expires: September 12, 2019 March 11, 2019 8 Group Key Management using IKEv2 9 draft-yeung-g-ikev2-15 11 Abstract 13 This document presents a set of IKEv2 exchanges that comprise a group 14 key management protocol. The protocol is in conformance with the 15 Multicast Security (MSEC) key management architecture, which contains 16 two components: member registration and group rekeying. Both 17 components require a Group Controller/Key Server to download IPsec 18 group security associations to authorized members of a group. The 19 group members then exchange IP multicast or other group traffic as 20 IPsec packets. This document obsoletes RFC 6407. 22 Status of This Memo 24 This Internet-Draft is submitted in full conformance with the 25 provisions of BCP 78 and BCP 79. 27 Internet-Drafts are working documents of the Internet Engineering 28 Task Force (IETF). Note that other groups may also distribute 29 working documents as Internet-Drafts. The list of current Internet- 30 Drafts is at https://datatracker.ietf.org/drafts/current/. 32 Internet-Drafts are draft documents valid for a maximum of six months 33 and may be updated, replaced, or obsoleted by other documents at any 34 time. It is inappropriate to use Internet-Drafts as reference 35 material or to cite them other than as "work in progress." 37 This Internet-Draft will expire on September 12, 2019. 39 Copyright Notice 41 Copyright (c) 2019 IETF Trust and the persons identified as the 42 document authors. All rights reserved. 44 This document is subject to BCP 78 and the IETF Trust's Legal 45 Provisions Relating to IETF Documents 46 (https://trustee.ietf.org/license-info) in effect on the date of 47 publication of this document. Please review these documents 48 carefully, as they describe your rights and restrictions with respect 49 to this document. Code Components extracted from this document must 50 include Simplified BSD License text as described in Section 4.e of 51 the Trust Legal Provisions and are provided without warranty as 52 described in the Simplified BSD License. 54 Table of Contents 56 1. Introduction and Overview . . . . . . . . . . . . . . . . . . 3 57 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 5 58 1.2. G-IKEv2 Payloads . . . . . . . . . . . . . . . . . . . . 5 59 2. G-IKEv2 integration into IKEv2 protocol . . . . . . . . . . . 6 60 2.1. UDP port . . . . . . . . . . . . . . . . . . . . . . . . 6 61 3. G-IKEv2 Protocol . . . . . . . . . . . . . . . . . . . . . . 6 62 3.1. G-IKEv2 member registration and secure channel 63 establishment . . . . . . . . . . . . . . . . . . . . . . 6 64 3.1.1. GSA_AUTH exchange . . . . . . . . . . . . . . . . . . 7 65 3.1.2. GSA_REGISTRATION Exchange . . . . . . . . . . . . . . 8 66 3.1.3. IKEv2 Header Initialization . . . . . . . . . . . . . 9 67 3.1.4. GM Registration Operations . . . . . . . . . . . . . 9 68 3.1.5. GCKS Registration Operations . . . . . . . . . . . . 10 69 3.1.6. Interaction with IKEv2 protocols . . . . . . . . . . 12 70 3.2. Group Maintenance Channel . . . . . . . . . . . . . . . . 12 71 3.2.1. GSA_REKEY exchange . . . . . . . . . . . . . . . . . 13 72 3.2.2. GSA_INBAND_REKEY exchange . . . . . . . . . . . . . . 17 73 3.2.3. Deletion of SAs . . . . . . . . . . . . . . . . . . . 17 74 3.3. Counter-based modes of operation . . . . . . . . . . . . 18 75 3.3.1. Allocation of SIDs . . . . . . . . . . . . . . . . . 18 76 3.3.2. GM Usage of SIDs . . . . . . . . . . . . . . . . . . 20 77 4. Header and Payload Formats . . . . . . . . . . . . . . . . . 20 78 4.1. The G-IKEv2 Header . . . . . . . . . . . . . . . . . . . 20 79 4.2. Group Identification (IDg) Payload . . . . . . . . . . . 21 80 4.3. Security Association - GM Supported Transforms (SAg) . . 21 81 4.4. Group Security Association Payload . . . . . . . . . . . 21 82 4.4.1. GSA Policy . . . . . . . . . . . . . . . . . . . . . 21 83 4.4.2. KEK Policy . . . . . . . . . . . . . . . . . . . . . 23 84 4.4.3. GSA TEK Policy . . . . . . . . . . . . . . . . . . . 26 85 4.4.4. GSA Group Associated Policy . . . . . . . . . . . . . 29 86 4.5. Key Download Payload . . . . . . . . . . . . . . . . . . 30 87 4.5.1. TEK Download Type . . . . . . . . . . . . . . . . . . 32 88 4.5.2. KEK Download Type . . . . . . . . . . . . . . . . . . 33 89 4.5.3. LKH Download Type . . . . . . . . . . . . . . . . . . 34 90 4.5.4. SID Download Type . . . . . . . . . . . . . . . . . . 37 91 4.6. Delete Payload . . . . . . . . . . . . . . . . . . . . . 38 92 4.7. Notify Payload . . . . . . . . . . . . . . . . . . . . . 39 93 4.8. Authentication Payload . . . . . . . . . . . . . . . . . 39 94 5. Security Considerations . . . . . . . . . . . . . . . . . . . 39 95 5.1. GSA registration and secure channel . . . . . . . . . . . 40 96 5.2. GSA maintenance channel . . . . . . . . . . . . . . . . . 40 97 5.2.1. Authentication/Authorization . . . . . . . . . . . . 40 98 5.2.2. Confidentiality . . . . . . . . . . . . . . . . . . . 40 99 5.2.3. Man-in-the-Middle Attack Protection . . . . . . . . . 40 100 5.2.4. Replay/Reflection Attack Protection . . . . . . . . . 40 101 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 41 102 6.1. New registries . . . . . . . . . . . . . . . . . . . . . 41 103 6.2. New payload and exchange types added to the existing 104 IKEv2 registry . . . . . . . . . . . . . . . . . . . . . 41 105 6.3. Changes to previous allocations . . . . . . . . . . . . . 42 106 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 42 107 8. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 42 108 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 43 109 9.1. Normative References . . . . . . . . . . . . . . . . . . 43 110 9.2. Informative References . . . . . . . . . . . . . . . . . 44 111 Appendix A. Use of LKH in G-IKEv2 . . . . . . . . . . . . . . . 45 112 A.1. Group Creation . . . . . . . . . . . . . . . . . . . . . 45 113 A.2. Group Member Exclusion . . . . . . . . . . . . . . . . . 46 114 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 47 116 1. Introduction and Overview 118 A group key management protocol provides IPsec keys and policy to a 119 set of IPsec devices which are authorized to communicate using a 120 Group Security Association (GSA) defined in [RFC3740]. The data 121 communications within the group (e.g., IP multicast packets) are 122 protected by a key pushed to the group members (GMs) by the Group 123 Controller/Key Server (GCKS). This document presents a set of IKEv2 124 [RFC7296] exchanges that comprise a group key management protocol. 126 A GM begins a "registration" exchange when it first joins the group. 127 With G-IKEv2, the GCKS authenticates and authorizes GMs, then pushes 128 policy and keys used by the group to the GM. G-IKEv2 includes two 129 "registration" exchanges. The first is the GSA_AUTH exchange ( 130 Section 3.1.1), which follows an IKE_SA_INIT exchange. The second is 131 the GSA_REGISTRATION exchange ( Section 3.1.2), which a GM can use 132 within an established IKE SA. Group rekeys are accomplished using 133 either the GSA_REKEY exchange (a single message distributed to all 134 GMs, usually as a multicast message), or as a GSA_INBAND_REKEY 135 exchange delivered individually to group members using existing IKE 136 SAs). 138 Large and small groups may used different sets of these protocols. 139 When a large group of devices are communicating, the GCKS is likely 140 to use the GSA_REKEY message for efficiency. This is shown in 141 Figure 1. (Note: For clarity, IKE_SA_INIT is omitted from the 142 figure.) 143 +--------+ 144 +------------->| GCKS |<-------------+ 145 | +--------+ | 146 | | ^ | 147 | | | | 148 | | GSA_AUTH | 149 | | or | 150 | | GSA_REGISTRATION | 151 | | | | 152 GSA_AUTH | | GSA_AUTH 153 or GSA_REKEY | or 154 GSA_REGISTRATION | | GSA_REGISTRATION 155 | | | | 156 | +------------+-----------------+ | 157 | | | | | | 158 v v v v v v 159 +-------+ +--------+ +-------+ 160 | GM | ... | GM | ... | GM | 161 +-------+ +--------+ +-------+ 162 ^ ^ ^ 163 | | | 164 +-------ESP-------+-------ESP------+ 166 Figure 1: G-IKEv2 used in large groups 168 Alternatively, a small group may simply use the GSA_AUTH as a 169 registration protocol, where he GCKS issues rekeys using the 170 GSA_INBAND_REKEY within the same IKEv2 SA. The GCKS is also likely 171 to be a GM in a small group (as shown in Figure 2.) 172 GSA_AUTH, GSA_INBAND_REKEY 173 +-----------------------------------------------+ 174 | | 175 | GSA_AUTH, GSA_INBAND_REKEY | 176 | +-----------------------------+ | 177 | | | | 178 | | GSA_AUTH, GSA_INBAND_REKEY | | 179 | | +--------+ | | 180 v v v v v v 181 +---------+ +----+ +----+ +----+ 182 | GCKS/GM | | GM | | GM | | GM | 183 +---------+ +----+ +----+ +----+ 184 ^ ^ ^ ^ 185 | | | | 186 +----ESP-----+------ESP-------+-----ESP-----+ 188 Figure 2: G-IKEv2 used in small groups 190 IKEv2 message semantics are preserved in that all communications 191 consists of message request-response pairs. The exception to this 192 rule is the GSA_REKEY exchange, which is a single message delivering 193 group updates to the GMs. 195 G-IKEv2 conforms with the The Multicast Group (MEC) Security 196 Architecture [RFC3740], and the Multicast Security (MSEC) Group Key 197 Management Architecture [RFC4046]. G-IKEv2 replaces GDOI [RFC6407], 198 which defines a similar group key management protocol using IKEv1 199 [RFC2409] (since deprecated by IKEv2). When G-IKEv2 is used, group 200 key management use cases can benefit from the simplicity, increased 201 robustness and cryptographic improvements of IKEv2 (see Appendix A of 202 [RFC7296]. 204 1.1. Requirements Language 206 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 207 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 208 "OPTIONAL" in this document are to be interpreted as described in BCP 209 14 [RFC2119] [RFC8174] when, and only when, they appear in all 210 capitals, as shown here. 212 1.2. G-IKEv2 Payloads 214 1. IDg (group ID) - The GM requests the GCKS for membership into the 215 group by sending its IDg payload. 217 2. GSA (Group Security Association) - The GCKS sends the group 218 policy to the GM using this payload. 220 3. KD (Key Download) - The GCKS sends the control and data keys to 221 the GM using the KD payload. 223 2. G-IKEv2 integration into IKEv2 protocol 225 G-IKEv2 uses the security mechanisms of IKEv2 (peer authentication, 226 confidentiality, message integrity) to ensure that only authenticated 227 devices have access to the group policy and keys. The G-IKEv2 228 exchange further provides group authorization, and secure policy and 229 key download from the GCKS to GMs. 231 It is assumed that readers are familiar with the IKEv2 protocol, so 232 this document skips many details that are described in [RFC7296]. 234 2.1. UDP port 236 G-IKEv2 SHOULD use port 848, the same as GDOI [RFC6407], because they 237 serve a similar function. They can use the same ports, just as IKEv1 238 and IKEv2 can share port 500. The version number in the IKEv2 header 239 distinguishes the G-IKEv2 protocol from GDOI protocol [RFC6407]. 240 G-IKEv2 MAY also use port the IKEv2 ports (500, 4500), which would 241 provide a better integration with IKEv2. 243 3. G-IKEv2 Protocol 245 3.1. G-IKEv2 member registration and secure channel establishment 247 The registration protocol consists of a minimum of two message 248 exchanges, IKE_SA_INIT and GSA_AUTH; member registration may have a 249 few more messages exchanged if the EAP method, cookie challenge (for 250 DoS protection) or negotiation of Diffie-Hellman group is included. 251 Each exchange consists of request/response pairs. The first exchange 252 IKE_SA_INIT is defined in IKEv2 [RFC7296]. This exchange negotiates 253 cryptographic algorithms, exchanges nonces and does a Diffie-Hellman 254 exchange between the group member (GM) and the Group Controller/Key 255 Server (GCKS). 257 The second exchange GSA_AUTH authenticates the previous messages, 258 exchanges identities and certificates. These messages are encrypted 259 and integrity protected with keys established through the IKE_SA_INIT 260 exchange, so the identities are hidden from eavesdroppers and all 261 fields in all the messages are authenticated. The GCKS SHOULD 262 authorize group members to be allowed into the group as part of the 263 GSA_AUTH exchange. Once the GCKS accepts a group member to join a 264 group it will download the data security keys (TEKs) and/or group key 265 encrypting key (KEK) or KEK array as part of the GSA_AUTH response 266 message. In the following descriptions, the payloads contained in 267 the message are indicated by names as listed below. Payloads defined 268 as part of other IKEv2 extensions MAY also be included in these 269 exchanges. 271 Notation Payload 272 ------------------------------------------------------------ 273 AUTH Authentication 274 CERT Certificate 275 CERTREQ Certificate Request 276 GSA Group Security Association 277 HDR IKEv2 Header 278 IDg Identification - Group 279 IDi Identification - Initiator 280 IDr Identification - Responder 281 KD Key Download 282 KE Key Exchange 283 Ni, Nr Nonce 284 SA Security Association 285 SAg Security Association - GM Supported Transforms 287 The details of the contents of each payload are described in 288 Section 4. Payloads that may optionally appear will be shown in 289 brackets, such as [ CERTREQ ], to indicate that a certificate request 290 payload can optionally be included. 292 3.1.1. GSA_AUTH exchange 294 After the group member and GCKS use the IKE_SA_INIT exchange to 295 negotiate cryptographic algorithms, exchange nonces, and perform a 296 Diffie-Hellman exchange as defined in IKEv2 [RFC7296], the GSA_AUTH 297 exchange MUST complete before any other exchanges can be done. The 298 security properties of the GSA_AUTH exchange are the same as the 299 properties of the IKE_AUTH exchange. It is used to authenticate the 300 IKE_SA_INIT messages, exchange identities and certificates. G-IKEv2 301 also uses this exchange for group member registration and 302 authorization. Even though the IKE_AUTH does contain the SA2, TSi, 303 and TSr payload the GSA_AUTH does not. They are not needed because 304 policy is not negotiated between the group member and the GCKS, but 305 instead downloaded from the GCKS to the group member. 307 Initiator (Member) Responder (GCKS) 308 -------------------- ------------------ 309 HDR, SK { IDi, [CERT,] [CERTREQ, ] [IDr, ] 310 AUTH, IDg, [SAg, ] [N ] } --> 312 After the IKE_SA_INIT exchange completes, the group member initiates 313 a GSA_AUTH request to join a group indicated by the IDg payload. The 314 GM MAY include an SAg payload declaring which Transforms that it is 315 willing to accept. A GM that intends to emit data packets SHOULD 316 include a Notify payload status type of SENDER, which enables the 317 GCKS to provide any additional policy necessary by group senders. 319 <-- HDR, SK { IDr, [CERT, ] AUTH, [ GSA, KD, ] [D, ] } 321 The GCKS responds with IDr, optional CERT, and AUTH material as if it 322 were an IKE_AUTH. It also informs the group member of the 323 cryptographic policies of the group in the GSA payload and the key 324 material in the KD payload. The GCKS can also include a Delete (D) 325 payload instructing the group member to delete existing SAs it might 326 have as the result of a previous group member registration. (See 327 more discussion on the Delete payload in Section 4.6.) 329 In addition to the IKEv2 error handling, the GCKS can reject the 330 registration request when the IDg is invalid or authorization fails, 331 etc. In these cases, see Section 4.7, the GSA_AUTH response will not 332 include the GSA and KD, but will include a Notify payload indicating 333 errors. If the group member included an SAg payload, and the GCKS 334 chooses to evaluate it, and it detects that that group member cannot 335 support the security policy defined for the group, then the GCKS 336 SHOULD return a NO_PROPOSAL_CHOSEN. When the GCKS indicates errors, 337 and the group member cannot resolve the errors, the group member MUST 338 delete the registration IKE SA. 340 Initiator (Member) Responder (GCKS) 341 -------------------- ------------------ 342 <-- HDR, SK { N } 344 If the group member finds the policy sent by the GCKS is 345 unacceptable, the member SHOULD notify the GCKS by sending IDg and 346 the Notify type NO_PROPOSAL_CHOSEN as shown below. 348 Initiator (Member) Responder (GCKS) 349 -------------------- ------------------ 350 HDR, SK {IDg [N,]} --> 352 <-- HDR, SK {} 354 3.1.2. GSA_REGISTRATION Exchange 356 When a secure channel is already established between a GM and the 357 GCKS, the GM registration for a group can reuse the established 358 secure channel. In this scenario the GM will use the 359 GSA_REGISTRATION exchange. Payloads in the exchange are generated 360 and processed as defined in Section 3.1.1. 362 Initiator (Member) Responder (GCKS) 363 -------------------- ------------------ 364 HDR, SK {IDg, [SAg, ][N ] } --> 366 <-- HDR, SK { GSA, KD, [D ] } 368 This exchange can also be used if the group member finds the policy 369 sent by the GCKS is unacceptable. The group member SHOULD notify the 370 GCKS by sending IDg and the Notify type NO_PROPOSAL_CHOSEN, as shown 371 below. The GCKS MUST unregister the group member. 373 Initiator (Member) Responder (GCKS) 374 -------------------- ------------------ 375 HDR, SK {IDg [N,]} --> 377 <-- HDR, SK {} 379 3.1.3. IKEv2 Header Initialization 381 The Major Version is (2) and Minor Version is (0) according to IKEv2 382 [RFC7296], and maintained in this document. The G-IKEv2 IKE_SA_INIT, 383 GSA_AUTH and GSA_REGISTRATION use the IKE SPI according to IKEv2 384 [RFC7296], section 2.6. 386 3.1.4. GM Registration Operations 388 A G-IKEv2 Initiator (GM) requesting registration contacts the GCKS 389 using the IKE_SA_INIT exchange and receives the response from the 390 GCKS. This exchange is unchanged from the IKE_SA_INIT in IKEv2 391 protocol. 393 Upon completion of parsing and verifying the IKE_SA_INIT response, 394 the GM sends the GSA_AUTH message with the IKEv2 payloads from 395 IKE_AUTH (without the SAi2, TSi and TSr payloads) along with the 396 Group ID informing the GCKS of the group the initiator wishes to 397 join. An initiator intending to emit data traffic SHOULD send a 398 SENDER Notify payload status. The SENDER not only signifies that it 399 is a sender, but provides the initiator the ability to request 400 Sender-ID values, in case the Data Security SA supports a counter 401 mode cipher. Section 3.3) includes guidance on requesting Sender-ID 402 values. 404 An initiator may be limited in the types of Transforms that it is 405 able or willing to use, and may find it useful to inform the GCKS 406 which Transforms that it is willing to accept. It can OPTIONALLY 407 include an SAg payload, which can include ESP and/or AH Proposals. 408 Each Proposal contains a list of Transforms that it is willing to 409 support for that protocol. A Proposal of type ESP can include ENCR, 410 INTEG, and ESN Transforms. A Proposal of type AH can include INTEG, 411 and ESN Transforms. The SPI length of each Proposal in an SAg MUST 412 be zero, and the SPI field is null. Generally, a single Proposal of 413 each type will suffice, because the group member is not negotiating 414 Transform sets, simply alerting the GCKS to restrictions it may have. 416 Upon receiving the GSA_AUTH response, the initiator parses the 417 response from the GCKS authenticating the exchange using the IKEv2 418 method, then processes the GSA and KD. 420 The GSA payload contains the security policy and cryptographic 421 protocols used by the group. This policy describes the Rekey SA 422 (KEK), if present, Data-security SAs (TEK), and other group policy 423 (GAP). If the policy in the GSA payload is not acceptable to the GM, 424 it SHOULD notify the GCKS with a NO_PROPOSAL_CHOSEN Notify payload 425 (see Section 3.1.1 and Section 3.1.2). Finally the KD is parsed 426 providing the keying material for the TEK and/or KEK. The GM 427 interprets the KD key packets, where each key packet includes the 428 keying material for SAs distributed in the GSA payload. Keying 429 material is matched by comparing the SPIs in the key packets to SPIs 430 previously included in the GSA payloads. Once TEK keys and policy 431 are matched, the GM provides them to the data security subsystem, and 432 it is ready to send or receive packets matching the TEK policy. 434 The GSA KEK policy MUST include KEK attribute KEK_MESSAGE_ID with a 435 Message ID. The Message ID in the KEK_MESSAGE_ID attribute MUST be 436 checked against any previously received Message ID for this group. 437 If it is less than the previously received number, it should be 438 considered stale and ignored. This could happen if two GSA_AUTH 439 exchanges happened in parallel, and the Message ID changed. This 440 KEK_MESSAGE_ID is used by the GM to prevent GSA_REKEY message replay 441 attacks. The first GSA_REKEY message that the GM receives from the 442 GCKS must have a Message ID greater or equal to the Message ID 443 received in the KEK_MESSAGE_ID attribute. 445 If a GM has received GSA_REKEY policy during a registration, and it 446 does not need to initiate any additional exchanges to the GCKS, then 447 the GM SHOULD close the IKE SA. 449 3.1.5. GCKS Registration Operations 451 A G-IKEv2 GCKS passively listens for incoming requests from group 452 members. When the GCKS receives an IKE_SA_INIT request, it selects 453 an IKE proposal and generates a nonce and DH to include them in the 454 IKE_SA_INIT response. 456 Upon receiving the GSA_AUTH request, the GCKS authenticates the group 457 member using the same procedures as in the IKEv2 IKE_AUTH. The GCKS 458 then authorizes the group member according to group policy before 459 preparing to send the GSA_AUTH response. If the GCKS fails to 460 authorize the GM, it will respond with an AUTHORIZATION_FAILED notify 461 message. 463 The GSA_AUTH response will include the group policy in the GSA 464 payload and keys in the KD payload. If the GCKS policy includes a 465 group rekey option, this policy is constructed in the GSA KEK and the 466 key is constructed in the KD KEK. The GSA KEK MUST include the 467 KEK_MESSAGE_ID attribute, specifying the starting Message ID the GCKS 468 will use when sending the GSA_REKEY message to the group member. 469 This Message ID is used to prevent GSA_REKEY message replay attacks 470 and will be increased each time a GSA_REKEY message is sent to the 471 group. The GCKS data traffic policy is included in the GSA TEK and 472 keys are included in the KD TEK. The GSA GAP MAY also be included to 473 provide the ATD and/or DTD (Section 4.4.4.1) specifying activation 474 and deactivation delays for SAs generated from the TEKs. If the 475 group member has indicated that it is a sender of data traffic and 476 one or more Data Security SAs distributed in the GSA payload included 477 a counter mode of operation, the GCKS responds with one or more SIDs 478 (see Section 3.3). 480 If the GCKS receives a GSA_REGISTRATION exchange with a request to 481 register a GM to a group, the GCKS will need to authorize the GM with 482 the new group (IDg) and respond with the corresponding group policy 483 and keys. If the GCKS fails to authorize the GM, it will respond 484 with the AUTHORIZATION_FAILED notification. 486 If a group member includes an SAg in its GSA_AUTH or GSA_REGISTRATION 487 request, the GCKS MAY evaluate it according to an implementation 488 specific policy. 490 o The GCKS could evaluate the list of Transforms and compare it to 491 its current policy for the group. If the group member did not 492 include all of the ESP or AH Transforms in its current policy, 493 then it could return a NO_PROPOSAL_CHOSEN Notification. 495 o The GCKS could store the list of Transforms, with the goal of 496 migrating the group policy to a different Transform when all of 497 the group members indicate that they can support that Transform. 499 o The GCKS could store the list of Transforms and adjust the current 500 group policy based on the capabilities of the devices as long as 501 they fall within the acceptable security policy of the GCKS. 503 Depending on its policy, the GCKS may have no need for the IKE SA 504 (e.g., it does not plan to initiate an GSA_INBAND_REKEY exchange). 505 If the GM does not initiate another registration exchange or Notify 506 (e.g., NO_PROPOSAL_CHOSEN), and also does not close the IKE SA and 507 the GCKS is not intended to use the SA, then after a short period of 508 time the GCKS SHOULD close the IKEv2 SA. The delay before closing 509 provides for receipt of a GM's error notification in the event of 510 packet loss. 512 3.1.6. Interaction with IKEv2 protocols 514 3.1.6.1. Session Resumption 516 G-IKEv2 is compatible with and can use IKEv2 Session Resumption 517 [RFC5723] except that a GM would include the initial ticket request 518 in a GSA_AUTH exchange instead of an IKE_AUTH exchange. 520 3.1.6.2. Postquantum Preshared Keys for IKEv2 522 G-IKEv2 can take advantage of the protection provided by Postquantum 523 Preshared Keys (PPK) for IKEv2 [I-D.ietf-ipsecme-qr-ikev2]. However, 524 the current PPK draft leaves the initial IKE SA susceptible to 525 quantum computer (QC) attacks. It suggests that for applications 526 using IKEv2 to be QC-secure, an immediate IKE SA rekey should take 527 place followed by a GSA_REGISTRATION exchange. 529 3.2. Group Maintenance Channel 531 The GCKS is responsible for rekeying the secure group per the group 532 policy. Rekeying is an operation whereby the GCKS provides 533 replacement TEKs and KEK, deleting TEKs, and/or excluding group 534 members. The GCKS may initiate a rekey message if group membership 535 and/or policy has changed, or if the keys are about to expire. Two 536 forms of group maintenance channels are provided in G-IKEv2 to push 537 new policy to group members. 539 GSA_REKEY The GSA_REKEY exchange is an exchange initiated by the 540 GCKS, where the rekey policy is usually delivered to group members 541 using IP multicast as a transport. This is valuable for large and 542 dynamic groups, and where policy may change frequently and an 543 scalable rekeying method is required. When the GSA_REKEY exchange 544 is used, the IKEv2 SA protecting the member registration exchanges 545 is terminated, and group members await policy changes from the 546 GCKS via the GSA_REKEY exchange. 548 GSA_INBAND_REKEY The GSA_INBAND_REKEY exchange is a rekey method 549 using the IKEv2 SA that was setup to protecting the member 550 registration exchange. This exchange allows the GCKS to rekey 551 without using an independent GSA_REKEY exchange. The 552 GSA_INBAND_REKEY exchange is useful when G-IKEv2 is used with a 553 small group of cooperating devices. 555 3.2.1. GSA_REKEY exchange 557 The GCKS initiates the G-IKEv2 Rekey securely, usually using IP 558 multicast. Since this rekey does not require a response and it sends 559 to multiple GMs, G-IKEv2 rekeying MUST NOT support IKE SA windowing. 560 The GCKS rekey message replaces the rekey GSA KEK or KEK array, and/ 561 or creates a new Data-Security GSA TEK. The SID Download attribute 562 in the Key Download payload (defined in Section 4.5.4) MUST NOT be 563 part of the Rekey Exchange as this is sender specific information and 564 the Rekey Exchange is group specific. The GCKS initiates the 565 GSA_REKEY exchange as following: 567 Members (Responder) GCKS (Initiator) 568 -------------------- ------------------ 569 <-- HDR, SK { GSA, KD, [D,] AUTH } 571 HDR is defined in Section 4.1. The Message ID in this message will 572 start with the same value the GCKS sent to the group members in the 573 KEK attribute KEK_MESSAGE_ID during registration; this Message ID 574 will be increased each time a new GSA_REKEY message is sent to the 575 group members. 577 The GSA payload contains the current rekey and data security SAs. 578 The GSA may contain a new rekey SA and/or a new data security SA, 579 which, optionally contains an LKH rekey SA, Section 4.4. 581 The KD payload contains the keys for the policy included in the GSA. 582 If the data security SA is being refreshed in this rekey message, the 583 IPsec keys are updated in the KD, and/or if the rekey SA is being 584 refreshed in this rekey message, the rekey Key or the LKH KEK array 585 is updated in the KD payload. 587 A Delete payload MAY be included to instruct the GM to delete 588 existing SAs. 590 The AUTH payload is included to authenticate the GSA_REKEY message 591 using a method defined in the IKEv2 Authentication Method IANA 592 registry [IKEV2-IANA]. The method SHOULD be a digital signature 593 authentication scheme to ensure that the message was originated from 594 an authorized GCKS. A Shared Key Integrity Code SHOULD NOT be used 595 unless source origin authentication is not required (for example, in 596 a small group of highly trusted GMs). During group member 597 registration, the GCKS sends the authentication key in the GSA KEK 598 payload, KEK_AUTH_KEY attribute, which the group member uses to 599 authenticate the key server. Before the current Authentication Key 600 expires, the GCKS will send a new KEK_AUTH_KEY to the group members 601 in a GSA_REKEY message. The AUTH key that is used in the rekey 602 message may not be the same as the authentication key used in 603 GSA_AUTH. Typically a rekey message is sent as multicast and 604 received by all group members, therefore the same AUTH key is 605 distributed to all group members. 607 After adding the AUTH payload to the rekey message, the current KEK 608 encryption key is used to encrypt all of the payloads following the 609 HDR. 611 3.2.1.1. GSA_REKEY GCKS Operations 613 The GCKS builds the rekey message with a Message ID value that is one 614 greater than the value included in the previous rekey. If the 615 message is using a new KEK attribute, the Message ID is reset to 1 in 616 this message. The GSA, KD, and D payloads follow with the same 617 characteristics as in the GSA Registration exchange. The AUTH 618 payload is the final payload added to the message. It is created by 619 hashing the string "G-IKEv2" and the message created so far, and then 620 is digitally signed. Finally, the content of the Encrypted payload 621 is encrypted and authenticated using the current KEK keys. 623 Because GSA_REKEY messages are not acknowledged and could be 624 discarded by the network, one or more GMs may not receive the 625 message. To mitigate such lost messages, during a rekey event the 626 GCKS SHOULD transmit several GSA_REKEY messages with the new policy. 627 When re-transmitting a GSA_REKEY a GCKS needs to ensure that TEK and 628 KEK time-to-live lifetimes are still the correct values. If the 629 lifetimes in a re-transmitted message are stale, they will represent 630 an artificially lengthened lifetime, possibly resulting in GMs with 631 unsynchronized TEK and KEK lifetimes. 633 3.2.1.2. GSA_REKEY GM Operations 635 When a group member receives the Rekey Message from the GCKS it 636 decrypts the message using the current KEK, validates the signature 637 using the public key retrieved in a previous G-IKEv2 exchange, 638 verifies the Message ID, and processes the GSA and KD payloads. The 639 group member then downloads the new data security SA and/or new Rekey 640 GSA. The parsing of the payloads is identical to the parsing done in 641 the registration exchange. 643 Replay protection is achieved by a group member rejecting a GSA_REKEY 644 message which has a Message ID smaller than the current Message ID 645 that the GM is expecting. The GM expects the Message ID in the first 646 GSA_REKEY message it receives to be equal or greater than the message 647 id it receives in the KEK_MESSAGE_ID attribute. The GM expects the 648 message ID in subsequent GSA_REKEY messages to be greater than the 649 last valid GSA_REKEY message ID it received. 651 If the GSA payload includes a Data-Security SA including a counter- 652 modes of operation and the receiving group member is a sender for 653 that SA, the group member uses its current SID value with the Data- 654 Security SAs to create counter-mode nonces. If it is a sender and 655 does not hold a current SID value, it MUST NOT install the Data- 656 Security SAs. It MAY initiate a GSA_REGISTRATION exchange to the 657 GCKS in order to obtain an SID value (along with current group 658 policy). 660 If the GM receives a notification that a Data-Security SA is about to 661 expire (such as a "soft lifetime" expiration as described in 662 Section 4.4.2.1 of [RFC4301]), it SHOULD initiate a registration to 663 the GCKS. This registration serves as a request for current SAs, and 664 will result in the download of replacement SAs, assuming the GCKS 665 policy has created them. 667 3.2.1.3. Forward and Backward Access Control 669 Through the G-IKEv2 rekey, G-IKEv2 supports algorithms such as LKH 670 that have the property of denying access to a new group key by a 671 member removed from the group (forward access control) and to an old 672 group key by a member added to the group (backward access control). 673 An unrelated notion to PFS, "forward access control" and "backward 674 access control" have been called "perfect forward security" and 675 "perfect backward security" in the literature [RFC2627]. 677 Group management algorithms providing forward and backward access 678 control other than LKH have been proposed in the literature, 679 including OFT [OFT] and Subset Difference [NNL]. These algorithms 680 could be used with G-IKEv2, but are not specified as a part of this 681 document. 683 Support for group management algorithms are supported via the 684 KEY_MANAGEMENT_ALGORITHM attribute which is sent in the GSA KEK 685 policy. G-IKEv2 specifies one method by which LKH can be used for 686 forward and backward access control. Other methods of using LKH, as 687 well as other group management algorithms such as OFT or Subset 688 Difference may be added to G-IKEv2 as part of a later document. 690 3.2.1.3.1. Forward Access Control Requirements 692 When group membership is altered using a group management algorithm 693 new GSA TEKs (and their associated keys) are usually also needed. 694 New GSAs and keys ensure that members who were denied access can no 695 longer participate in the group. 697 If forward access control is a desired property of the group, new GSA 698 TEKs and the associated key packets in the KD payload MUST NOT be 699 included in a G-IKEv2 rekey message which changes group membership. 700 This is required because the GSA TEK policy and the associated key 701 packets in the KD payload are not protected with the new KEK. A 702 second G-IKEv2 rekey message can deliver the new GSA TEKS and their 703 associated key packets because it will be protected with the new KEK, 704 and thus will not be visible to the members who were denied access. 706 If forward access control policy for the group includes keeping group 707 policy changes from members that are denied access to the group, then 708 two sequential G-IKEv2 rekey messages changing the group KEK MUST be 709 sent by the GCKS. The first G-IKEv2 rekey message creates a new KEK 710 for the group. Group members, which are denied access, will not be 711 able to access the new KEK, but will see the group policy since the 712 G-IKEv2 rekey message is protected under the current KEK. A 713 subsequent G-IKEv2 rekey message containing the changed group policy 714 and again changing the KEK allows complete forward access control. A 715 G-IKEv2 rekey message MUST NOT change the policy without creating a 716 new KEK. 718 If other methods of using LKH or other group management algorithms 719 are added to G-IKEv2, those methods MAY remove the above restrictions 720 requiring multiple G-IKEv2 rekey messages, providing those methods 721 specify how the forward access control policy is maintained within a 722 single G-IKEv2 rekey message. 724 3.2.1.4. Fragmentation 726 IKE fragmentation [RFC7383] can be used to perform fragmentation of 727 large GSA_REKEY messages, however when the GSA_REKEY message is 728 emitted as an IP multicast packet there is a lack of response from 729 the GMs. This has the following implications. 731 o Policy regarding the use of IKE fragmentation is implicit. If a 732 GCKS detects that all GMs have negotiated support of IKE 733 fragmentation in IKE_SA_INIT, then it MAY use IKE fragmentation on 734 large GSA_REKEY exchange messages. 736 o The GCKS must always use IKE fragmentation based on a known 737 fragmentation threshold (unspecified in this memo), as there is no 738 way to check if fragmentation is needed by first sending 739 unfragmented messages and waiting for response. 741 o PMTU probing cannot be performed due to lack of GSA_REKEY response 742 message. 744 3.2.2. GSA_INBAND_REKEY exchange 746 When the IKEv2 SA protecting the member registration exchange is 747 maintained while group member participates in the group, the GCKS can 748 use the GSA_INBAND_REKEY exchange to individually provide policy 749 updates to the group member. 751 Member (Responder) GCKS (Initiator) 752 -------------------- ------------------ 753 <-- HDR, SK { GSA, KD, [D,] } 755 HDR, SK {} --> 757 Because this is an IKEv2 exchange, the HDR is treated as defined in 758 [RFC7296]. 760 3.2.2.1. GSA_INBAND_REKEY GCKS Operations 762 The GSA, KD, and D payloads are built in the same manner as in a 763 registration exchange. 765 3.2.2.2. GSA_INBAND_REKEY GM Operations 767 The GM processes the GSA, KD, and D payloads in the same manner as if 768 they were received in a registration exchange. 770 3.2.3. Deletion of SAs 772 There are occasions when the GCKS may want to signal to group members 773 to delete policy at the end of a broadcast, or if group policy has 774 changed. Deletion of keys MAY be accomplished by sending the G-IKEv2 775 Delete Payload [RFC7296], section 3.11 as part of the GSA_REKEY 776 Exchange as shown below. 778 Members (Responder) GCKS (Initiator) 779 -------------------- ------------------ 780 <-- HDR, SK { 781 [GSA ], [KD ], [D, ] AUTH } 783 The GSA MAY specify the remaining active time of the remaining policy 784 by using the DTD attribute in the GSA GAP. If a GCKS has no further 785 SAs to send to group members, the GSA and KD payloads MUST be omitted 786 from the message. There may be circumstances where the GCKS may want 787 to start over with a clean slate. If the administrator is no longer 788 confident in the integrity of the group, the GCKS can signal deletion 789 of all the policies of a particular TEK protocol by sending a TEK 790 with a SPI value equal to zero in the delete payload. For example, 791 if the GCKS wishes to remove all the KEKs and all the TEKs in the 792 group, the GCKS SHOULD send a Delete payload with a SPI of zero and a 793 protocol_id of a TEK protocol_id value defined in Section 4.4.3, 794 followed by another Delete payload with a SPI of zero and protocol_id 795 of zero, indicating that the KEK SA should be deleted. 797 3.3. Counter-based modes of operation 799 Several new counter-based modes of operation have been specified for 800 ESP (e.g., AES-CTR [RFC3686], AES-GCM [RFC4106], AES-CCM [RFC4309], 801 AES-GMAC [RFC4543]) and AH (e.g., AES-GMAC [RFC4543]). These 802 counter-based modes require that no two senders in the group ever 803 send a packet with the same Initialization Vector (IV) using the same 804 cipher key and mode. This requirement is met in G-IKEv2 when the 805 following requirements are met: 807 o The GCKS distributes a unique key for each Data-Security SA. 809 o The GCKS uses the method described in [RFC6054], which assigns each 810 sender a portion of the IV space by provisioning each sender with one 811 or more unique SID values. 813 3.3.1. Allocation of SIDs 815 When at least one Data-Security SA included in the group policy 816 includes a counter-based mode of operation, the GCKS automatically 817 allocates and distributes one SID to each group member acting in the 818 role of sender on the Data-Security SA. The SID value is used 819 exclusively by the group member to which it was allocated. The group 820 member uses the same SID for each Data-Security SA specifying the use 821 of a counter-based mode of operation. A GCKS MUST distribute unique 822 keys for each Data-Security SA including a counter-based mode of 823 operation in order to maintain unique key and nonce usage. 825 During registration, the group member can choose to request one or 826 more SID values. Requesting a value of 1 is not necessary since the 827 GCKS will automatically allocate exactly one to the group member. A 828 group member MUST request as many SIDs matching the number of 829 encryption modules in which it will be installing the TEKs in the 830 outbound direction. Alternatively, a group member MAY request more 831 than one SID and use them serially. This could be useful when it is 832 anticipated that the group member will exhaust their range of Data- 833 Security SA nonces using a single SID too quickly (e.g., before the 834 time-based policy in the TEK expires). 836 When the group policy includes a counter-based mode of operation, a 837 GCKS SHOULD use the following method to allocate SID values, which 838 ensures that each SID will be allocated to just one group member. 840 1. A GCKS maintains an SID-counter, which records the SIDs that have 841 been allocated. SIDs are allocated sequentially, with zero as the 842 first allocated SID. 844 2. Each time an SID is allocated, the current value of the counter 845 is saved and allocated to the group member. The SID-counter is then 846 incremented in preparation for the next allocation. 848 3. When the GCKS specifies a counter-based mode of operation in the 849 Data Security SA a group member may request a count of SIDs during 850 registration in a Notify payload information of type SENDER. When 851 the GCKS receives this request, it increments the SID-counter once 852 for each requested SID, and distributes each SID value to the group 853 member. The GCKS SHOULD have a policy-defined upper bound for the 854 number of SIDs that it will return irrespective of the number 855 requested by the GM. 857 4. A GCKS allocates new SID values for each GSA_REGISTRATION 858 exchange originated by a sender, regardless of whether a group member 859 had previously contacted the GCKS. In this way, the GCKS is not 860 required to maintaining a record of which SID values it had 861 previously allocated to each group member. More importantly, since 862 the GCKS cannot reliably detect whether the group member had sent 863 data on the current group Data-Security SAs it does not know what 864 Data-Security counter-mode nonce values that a group member has used. 865 By distributing new SID values, the key server ensures that each time 866 a conforming group member installs a Data-Security SA it will use a 867 unique set of counter-based mode nonces. 869 5. When the SID-counter maintained by the GCKS reaches its final SID 870 value, no more SID values can be distributed. Before distributing 871 any new SID values, the GCKS MUST delete the Data-Security SAs for 872 the group, followed by creation of new Data-Security SAs, and 873 resetting the SID-counter to its initial value. 875 6. The GCKS SHOULD send a GSA_REKEY message deleting all Data- 876 Security SAs and the Rekey SA for the group. This will result in the 877 group members initiating a new GSA_REGISTRATION exchange, in which 878 they will receive both new SID values and new Data-Security SAs. The 879 new SID values can safely be used because they are only used with the 880 new Data-Security SAs. Note that deletion of the Rekey SA is 881 necessary to ensure that group members receiving a GSA_REKEY exchange 882 before the re-register do not inadvertently use their old SIDs with 883 the new Data-Security SAs. Using the method above, at no time can 884 two group members use the same IV values with the same Data-Security 885 SA key. 887 3.3.2. GM Usage of SIDs 889 A GM applies the SID to Data Security SA as follows. 891 1. The most significant bits NUMBER_OF_SID_BITS of the IV are taken 892 to be the SID field of the IV. 894 2. The SID is placed in the least significant bits of the SID field, 895 where any unused most significant bits are set to zero. 897 4. Header and Payload Formats 899 Refer to IKEv2 [RFC7296] for existing payloads. Some payloads used 900 in G-IKEv2 exchanges are not aligned to 4-octet boundaries, which is 901 also the case for some IKEv2 payloads (see Section 3.2 of [RFC7296]). 903 4.1. The G-IKEv2 Header 905 G-IKEv2 uses the same IKE header format as specified in RFC 7296 906 section 3.1. 908 Several new payload formats are required in the group security 909 exchanges. 911 Next Payload Type Value 912 ----------------- ----- 913 Group Identification (IDg) 50 914 Group Security Association (GSA) 51 915 Key Download (KD) 52 917 New exchange types GSA_AUTH, GSA_REGISTRATION and GSA_REKEY are added 918 to the IKEv2 [RFC7296] protocol. 920 Exchange Type Value 921 -------------- ----- 922 GSA_AUTH 39 923 GSA_REGISTRATION 40 924 GSA_REKEY 41 925 GSA_INBAND_REKEY TBD 927 Major Version is 2 and Minor Version is 0 as in IKEv2 [RFC7296]. IKE 928 SA Initiator's SPI, IKE SA Responder's SPI, Flags, Message ID, and 929 Length are as specified in [RFC7296]. 931 4.2. Group Identification (IDg) Payload 933 The IDg Payload allows the group member to indicate which group it 934 wants to join. The payload is constructed by using the IKEv2 935 Identification Payload (section 3.5 of [RFC7296]). ID type ID_KEY_ID 936 MUST be supported. ID types ID_IPV4_ADDR, ID_FQDN, ID_RFC822_ADDR, 937 ID_IPV6_ADDR SHOULD be supported. ID types ID_DER_ASN1_DN and 938 ID_DER_ASN1_GN are not expected to be used. 940 4.3. Security Association - GM Supported Transforms (SAg) 942 The SAg payload declares which Transforms a GM is willing to accept. 943 The payload is constructed using the format of the IKEv2 Security 944 Association payload (section 3.3 of [RFC7296]). The Payload Type for 945 SAg is identical to the SA Payload Type. 947 4.4. Group Security Association Payload 949 The Group Security Association payload is used by the GCKS to assert 950 security attributes for both Rekey and Data-security SAs. 952 0 1 2 3 953 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 954 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 955 | Next Payload |C| RESERVED | Payload Length | 956 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 958 The Security Association Payload fields are defined as follows: 960 o Next Payload (1 octet) -- Identifies the next payload type for the 961 G-IKEv2 registration or the G-IKEv2 rekey message. 963 o Critical (1 bit) -- Set according to [RFC7296]. 965 o RESERVED (7 bits) -- Must be zero. 967 o Payload Length (2 octets) -- Is the octet length of the current 968 payload including the generic header and all TEK and KEK policies. 970 4.4.1. GSA Policy 972 Following the GSA generic payload header are GSA policies for group 973 rekeying (KEK), data traffic SAs (TEK) and/or Group Associated Policy 974 (GAP). There may be zero or one GSA KEK policy, zero or one GAP 975 policies, and zero or more GSA TEK policies, where either one GSA KEK 976 or GSA TEK payload MUST be present. 978 This latitude allows various group policies to be accommodated. For 979 example if the group policy does not require the use of a Rekey SA, 980 the GCKS would not need to send a GSA KEK attribute to the group 981 member since all SA updates would be performed using the Registration 982 SA. Alternatively, group policy might use a Rekey SA but choose to 983 download a KEK to the group member only as part of the Registration 984 SA. Therefore, the GSA KEK policy would not be necessary as part of 985 the GSA_REKEY message. 987 Specifying multiple GSA TEKs allows multiple related data streams 988 (e.g., video, audio, and text) to be associated with a session, but 989 each protected with an individual security association policy. 991 A GAP payload allows for the distribution of group-wise policy, such 992 as instructions for when to activate and de-activate SAs. 994 Policies are distributed in substructures to the GSA payload, and 995 include the following header. 997 0 1 2 3 998 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1000 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1001 | Type | RESERVED | Length | 1002 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1004 The payload fields are defined as follows: 1006 o Type (1 octet) -- Identifies the substructure type. In the 1007 following table the terms Reserved, Unassigned, and Private Use 1008 are to be applied as defined in [RFC8126]. The registration 1009 procedure is Expert Review. 1011 Type Value 1012 -------- ----- 1013 Reserved 0 1014 KEK 1 1015 GAP 2 1016 TEK 3 1017 Unassigned 4-127 1018 Private Use 128-255 1020 o RESERVED (1 octet) -- Unused, set to zero. 1022 o Length (2 octets) -- Length in octets of the substructure, 1023 including its header. 1025 4.4.2. KEK Policy 1027 The GSA KEK policy contains security attributes for the KEK method 1028 for a group and parameters specific to the G-IKEv2 registration 1029 operation. The source and destination traffic selectors describe the 1030 network identities used for the rekey messages. 1032 0 1 2 3 1033 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1034 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1035 | Type = 1 ! RESERVED ! Length | 1036 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1037 | | 1038 ~ SPI ~ 1039 | | 1040 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1041 | | 1042 ~ ~ 1043 | | 1044 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1045 | | 1046 ~ ~ 1047 | | 1048 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1049 | | 1050 ~ ~ 1051 | | 1052 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1053 ~ KEK Attributes ~ 1054 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1056 The GSA KEK Payload fields are defined as follows: 1058 o Type = 1 (1 octet) -- Identifies the GSA payload type as KEK in 1059 the G-IKEv2 registration or the G-IKEv2 rekey message. 1061 o RESERVED (1 octet) -- Must be zero. 1063 o Length (2 octets) -- Length of this structure including KEK 1064 attributes. 1066 o SPI (16 octets) -- Security Parameter Index for the rekey message. 1067 The SPI must be the IKEv2 Header SPI pair where the first 8 octets 1068 become the "Initiator's SPI" field in the G-IKEv2 rekey message 1069 IKEv2 HDR, and the second 8 octets become the "Responder's SPI" in 1070 the same HDR. As described above, these SPIs are assigned by the 1071 GCKS. 1073 o Source & Destination Traffic Selectors - Substructures describing 1074 the source and destination of the network identities. These 1075 identities refer to the source and destination of the next KEK 1076 rekey SA. Defined format and values are specified by IKEv2 1077 [RFC7296], section 3.13.1. 1079 o Transform Substructure List -- A list of Transform Substructures 1080 specifies the transform information. The format is defined in 1081 IKEv2 [RFC7296], section 3.3.2, and values are described in the 1082 IKEv2 registries [IKEV2-IANA]. Valid Transform Types are ENCR, 1083 INTEG. The Last Substruc value in each Transform Substructure 1084 will be set to 3 except for the last one in the list, which is set 1085 to 0. 1087 o KEK Attributes -- Contains KEK policy attributes associated with 1088 the group. The following sections describe the possible 1089 attributes. Any or all attributes may be optional, depending on 1090 the group policy. 1092 4.4.2.1. KEK Attributes 1094 The following attributes may be present in a GSA KEK policy. The 1095 attributes must follow the format defined in the IKEv2 [RFC7296] 1096 section 3.3.5. In the table, attributes that are defined as TV are 1097 marked as Basic (B); attributes that are defined as TLV are marked as 1098 Variable (V). The terms Reserved, Unassigned, and Private Use are to 1099 be applied as defined in [RFC8126]. The registration procedure is 1100 Expert Review. 1102 KEK Attributes Value Type 1103 -------------- ----- ---- 1104 Reserved 0 1105 KEK_MANAGEMENT_ALGORITHM 1 B 1106 Reserved 2 1107 Reserved 3 1108 KEK_KEY_LIFETIME 4 V 1109 Reserved 5 1110 KEK_AUTH_METHOD 6 B 1111 KEK_AUTH_HASH 7 B 1112 KEK_MESSAGE_ID 8 V 1113 Unassigned 9-16383 1114 Private Use 16384-32767 1116 The following attributes may only be included in a G-IKEv2 1117 registration message: KEK_MANAGEMENT_ALGORITHM. 1119 Minimum attributes that must be sent as part of an GSA KEK: 1120 KEK_ENCR_ALGORITHM, KEK_KEY_LENGTH (if the cipher definition includes 1121 a variable length key), KEK_MESSAGE_ID, KEK_KEY_LIFETIME, 1122 KEK_INTEGRITY_ALGORITHM, KEK_AUTH_METHOD. 1124 4.4.2.1.1. KEK_MANAGEMENT_ALGORITHM 1126 The KEK_MANAGEMENT_ALGORITHM attribute specifies the group KEK 1127 management algorithm used to provide forward or backward access 1128 control (i.e., used to exclude group members). Defined values are 1129 specified in the following table. The terms Reserved, Unassigned, 1130 and Private Use are to be applied as defined in [RFC8126]. The 1131 registration procedure is Expert Review. 1133 KEK Management Type Value 1134 ------------------- ----- 1135 Reserved 0 1136 LKH 1 1137 Unassigned 2-16383 1138 Private Use 16384-32767 1140 4.4.2.1.2. KEK_ENCR_ALGORITHM 1142 The KEK_ENCR_ALGORITHM attribute specifies the encryption algorithm 1143 used with the KEK. This value is a value from the IKEv2 Transform 1144 Type 1 - Encryption Algorithm Transform IDs registry[IKEV2-IANA]. If 1145 a KEK_MANAGEMENT_ALGORITHM is defined which defines multiple keys 1146 (e.g., LKH), and if the management algorithm does not specify the 1147 algorithm for those keys, then the algorithm defined by the 1148 KEK_ENCR_ALGORITHM attribute MUST be used for all keys which are 1149 included as part of this KEK management. 1151 4.4.2.1.3. KEK_KEY_LENGTH 1153 The KEK_KEY_LENGTH attribute specifies the KEK Algorithm key length 1154 (in bits). 1156 The Group Controller/Key Server (GCKS) adds the KEK_KEY_LENGTH 1157 attribute to the GSA payload when distributing KEK policy to group 1158 members. The group member verifies whether or not it has the 1159 capability of using a cipher key of that size. If the cipher 1160 definition includes a fixed key length, the group member can make its 1161 decision solely using the KEK_ENCR_ALGORITHM attribute and does not 1162 need the KEK_KEY_LENGTH attribute. Sending the KEK_KEY_LENGTH 1163 attribute in the GSA payload is OPTIONAL if the KEK cipher has a 1164 fixed key length. 1166 4.4.2.1.4. KEK_KEY_LIFETIME 1168 The KEK_KEY_LIFETIME attribute specifies the maximum time for which 1169 the KEK is valid. The GCKS may refresh the KEK at any time before 1170 the end of the valid period. The value is a four (4) octet number 1171 defining a valid time period in seconds. 1173 4.4.2.1.5. KEK_INTEGRITY_ALGORITHM 1175 The KEK_INTEGRITY_ALGORITHM attribute specifies the integrity 1176 algorithm used to protect the rekey message. This integrity 1177 algorithm is a value from the IKEv2 Transform Type 3 - Integrity 1178 Algorithm Transform IDs registry [IKEV2-IANA]. 1180 4.4.2.1.6. KEK_AUTH_METHOD 1182 The KEK_AUTH_METHOD attribute specifies the method of authentication 1183 used. This value is from the IKEv2 Authentication Method registry 1184 [IKEV2-IANA]. 1186 4.4.2.1.7. KEK_AUTH_HASH 1188 The KEK_AUTH_HASH attribute specifies the hash algorithm used to 1189 generate the AUTH key to authenticate GSA_REKEY messages. Hash 1190 algorithms are defined in IANA registry IKEv2 Hash Algorithms 1191 [IKEV2-IANA]. 1193 This attribute SHOULD NOT be sent if the KEK_AUTH_METHOD implies a 1194 particular hash algorithm (e.g., for DSA-based algorithms). 1195 Furthermore, it is not necessary for the GCKS to send it if the GM is 1196 known to support the algorithm because it declared it in a 1197 SIGNATURE_HASH_ALGORITHMS notification during registration. 1199 4.4.2.1.8. KEK_MESSAGE_ID 1201 The KEK_MESSAGE_ID attribute defines the initial Message ID to be 1202 used by the GCKS in the GSA_REKEY messages. The Message ID is a 4 1203 octet unsigned integer in network byte order. 1205 4.4.3. GSA TEK Policy 1207 The GSA TEK policy contains security attributes for a single TEK 1208 associated with a group. 1210 0 1 2 3 1211 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1212 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1213 | Type = 3 | RESERVED | Length | 1214 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1215 | Protocol-ID | TEK Protocol-Specific Payload | 1216 +-+-+-+-+-+-+-+-+ ~ 1217 ~ | 1218 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1220 The GSA TEK Payload fields are defined as follows: 1222 o Type = 3 (1 octet) -- Identifies the GSA payload type as TEK in 1223 the G-IKEv2 registration or the G-IKEv2 rekey message. 1225 o RESERVED (1 octet) -- Must be zero. 1227 o Length (2 octets) -- Length of this structure, including the TEK 1228 Protocol-Specific Payload. 1230 o Protocol-ID (1 octet) -- Value specifying the Security Protocol. 1231 The following table defines values for the Security Protocol. 1232 Support for the GSA_PROTO_IPSEC_AH GSA TEK is OPTIONAL. The terms 1233 Reserved, Unassigned, and Private Use are to be applied as defined 1234 in [RFC8126]. The registration procedure is Expert Review. 1236 Protocol ID Value 1237 ----------- ----- 1238 Reserved 0 1239 GSA_PROTO_IPSEC_ESP 1 1240 GSA_PROTO_IPSEC_AH 2 1241 Unassigned 3-127 1242 Private Use 128-255 1244 o TEK Protocol-Specific Payload (variable) -- Payload which 1245 describes the attributes specific for the Protocol-ID. 1247 4.4.3.1. TEK ESP and AH Protocol-Specific Policy 1249 The TEK Protocol-Specific policy contains two traffic selectors one 1250 for the source and one for the destination of the protected traffic, 1251 SPI, Transforms, and Attributes. 1253 The TEK Protocol-Specific policy for ESP and AH is as follows: 1255 0 1 2 3 1256 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1257 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1258 | SPI | 1259 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1260 | | 1261 ~ ~ 1262 | | 1263 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1264 | | 1265 ~ ~ 1266 | | 1267 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1268 | | 1269 ~ ~ 1270 | | 1271 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1272 ~ TEK Attributes ~ 1273 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1275 The GSA TEK Policy fields are defined as follows: 1277 o SPI (4 octets) -- Security Parameter Index. 1279 o Source & Destination Traffic Selectors - The traffic selectors 1280 describe the source and the destination of the protected traffic. 1281 The format and values are defined in IKEv2 [RFC7296], section 1282 3.13.1. 1284 o Transform Substructure List -- A list of Transform Substructures 1285 specifies the transform information. The format is defined in 1286 IKEv2 [RFC7296], section 3.3.2, and values are described in the 1287 IKEv2 registries [IKEV2-IANA]. Valid Transform Types for ESP are 1288 ENCR, INTEG, and ESN. Valid Transform Types for AH are INTEG and 1289 ESN. The Last Substruc value in each Transform Substructure will 1290 be set to 3 except for the last one in the list, which is set to 1291 0. A Transform Substructure with attributes (e.g, the ENCR Key 1292 Length), they are included within the Transform Substructure as 1293 usual. 1295 o TEK Attributes -- Contains the TEK policy attributes associated 1296 with the group, in the format defined in Section 3.3.5 of 1297 [RFC7296]. All attributes are optional, depending on the group 1298 policy. 1300 Attribute Types are as follows. The terms Reserved, Unassigned, and 1301 Private Use are to be applied as defined in [RFC8126]. The 1302 registration procedure is Expert Review. 1304 TEK Attributes Value Type 1305 -------------- ----- ---- 1306 Reserved 0 1307 TEK_KEY_LIFETIME 1 V 1308 TEK_MODE 2 B 1309 Unassigned 3-16383 1310 Private Use 16384-32767 1312 It is NOT RECOMMENDED that the GCKS distribute both ESP and AH 1313 Protocol-Specific Policies for the same set of Traffic Selectors. 1315 4.4.3.1.1. TEK_KEY_LIFETIME 1317 The TEK_KEY_LIFETIME attribute specifies the maximum time for which 1318 the TEK is valid. When the TEK expires, the AH or ESP security 1319 association and all keys downloaded under the security association 1320 are discarded. The GCKS may refresh the TEK at any time before the 1321 end of the valid period. 1323 The value is a four (4) octet number defining a valid time period in 1324 seconds. If unspecified the default value of 28800 seconds (8 hours) 1325 shall be assumed. 1327 4.4.3.1.2. TEK_MODE 1329 The value of 0 is used for tunnel mode and 1 for transport mode. In 1330 the absence of this attribute tunnel mode will be used. 1332 4.4.4. GSA Group Associated Policy 1334 Group specific policy that does not belong to rekey policy (GSA KEK) 1335 or traffic encryption policy (GSA TEK) can be distributed to all 1336 group member using GSA GAP (Group Associated Policy). 1338 The GSA GAP payload is defined as follows: 1340 0 1 2 3 1341 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1342 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1343 | Type = 2 ! RESERVED ! Length | 1344 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1345 ~ Group Associated Policy Attributes ~ 1346 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1348 The GSA GAP payload fields are defined as follows: 1350 o Type = 2 (1 octet) -- Identifies the GSA payload type as GAP in 1351 the G-IKEv2 registration or the G-IKEv2 rekey message. 1353 o RESERVED (1 octet) -- Must be zero. 1355 o Length (2 octets) -- Length of this structure, including the GSA 1356 GAP header and Attributes. 1358 o Group Associated Policy Attributes (variable) -- Contains 1359 attributes following the format defined in Section 3.3.5 of 1360 [RFC7296]. 1362 Attribute Types are as follows. The terms Reserved, Unassigned, and 1363 Private Use are to be applied as defined in [RFC8126]. The 1364 registration procedure is Expert Review. 1366 Attribute Type Value Type 1367 -------------- ----- ---- 1368 Reserved 0 1369 ACTIVATION_TIME_DELAY 1 B 1370 DEACTIVATION_TIME_DELAY 2 B 1371 Unassigned 3-16383 1372 Private Use 16384-32767 1374 4.4.4.1. ACTIVATION_TIME_DELAY/DEACTIVATION_TIME_DELAY 1376 Section 4.2.1 of RFC 5374 specifies a key rollover method that 1377 requires two values be provided to group members. The 1378 ACTIVATION_TIME_DELAY attribute allows a GCKS to set the Activation 1379 Time Delay (ATD) for SAs generated from TEKs. The ATD defines how 1380 long after receiving new SAs that they are to be activated by the GM. 1381 The ATD value is in seconds. 1383 The DEACTIVATION_TIME_DELAY allows the GCKS to set the Deactivation 1384 Time Delay (DTD) for previously distributed SAs. The DTD defines how 1385 long after receiving new SAs it should deactivate SAs that are 1386 destroyed by the rekey event. The value is in seconds. 1388 The values of ATD and DTD are independent. However, the DTD value 1389 should be larger, which allows new SAs to be activated before older 1390 SAs are deactivated. Such a policy ensures that protected group 1391 traffic will always flow without interruption. 1393 4.5. Key Download Payload 1395 The Key Download Payload contains the group keys for the group 1396 specified in the GSA Payload. These key download payloads can have 1397 several security attributes applied to them based upon the security 1398 policy of the group as defined by the associated GSA Payload. 1400 0 1 2 3 1401 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1402 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1403 | Next Payload |C| RESERVED | Length | 1404 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1405 | Number of Key Packets | RESERVED2 | 1406 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! 1407 ~ Key Packets ~ 1408 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1410 The Key Download Payload fields are defined as follows: 1412 o Next Payload (1 octet) -- Identifier for the payload type of the 1413 next payload in the message. If the current payload is the last 1414 in the message, then this field will be zero. 1416 o Critical (1 bit) -- Set according to [RFC7296]. 1418 o RESERVED (7 bits) -- Unused, set to zero. 1420 o Payload Length (2 octets) -- Length in octets of the current 1421 payload, including the generic payload header. 1423 o Number of Key Packets (2 octets) -- Contains the total number of 1424 Key Packets passed in this data block. 1426 o Key Packets (variable) -- Contains Key Packets. Several types of 1427 key packets are defined. Each Key Packet has the following 1428 format. 1430 0 1 2 3 1431 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1432 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1433 | KD Type | RESERVED | KD Length | 1434 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1435 | SPI Size | SPI (variable) ~ 1436 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1437 ~ Key Packet Attributes ~ 1438 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1440 o Key Download (KD) Type (1 octet) -- Identifier for the Key Data 1441 field of this Key Packet. In the following table the terms 1442 Reserved, Unassigned, and Private Use are to be applied as defined 1443 in [RFC8126]. The registration procedure is Expert Review. 1445 Key Download Type Value 1446 ----------------- ----- 1447 Reserved 0 1448 TEK 1 1449 KEK 2 1450 LKH 3 1451 SID 4 1452 Unassigned 5-127 1453 Private Use 128-255 1455 o RESERVED (1 octet) -- Unused, set to zero. 1457 o Key Download Length (2 octets) -- Length in octets of the Key 1458 Packet data, including the Key Packet header. 1460 o SPI Size (1 octet) -- Value specifying the length in octets of the 1461 SPI as defined by the Protocol-Id. 1463 o SPI (variable length) -- Security Parameter Index which matches a 1464 SPI previously sent in an GSA KEK or GSA TEK Payload. 1466 o Key Packet Attributes (variable length) -- Contains Key 1467 information. The format of this field is specific to the value of 1468 the KD Type field. The following sections describe the format of 1469 each KD Type. 1471 4.5.1. TEK Download Type 1473 The following attributes may be present in a TEK Download Type. 1474 Exactly one attribute matching each type sent in the GSA TEK payload 1475 MUST be present. The attributes must follow the format defined in 1476 IKEv2 (Section 3.3.5 of [RFC7296]). In the table, attributes defined 1477 as TV are marked as Basic (B); attributes defined as TLV are marked 1478 as Variable (V). The terms Reserved, Unassigned, and Private Use are 1479 to be applied as defined in [RFC8126]. The registration procedure is 1480 Expert Review. 1482 TEK Class Value Type 1483 --------- ----- ---- 1484 Reserved 0 1485 TEK_ALGORITHM_KEY 1 V 1486 TEK_INTEGRITY_KEY 2 V 1487 Unassigned 3-16383 1488 Private Use 16384-32767 1490 It is possible that the GCKS will send no TEK key packets in a 1491 Registration KD payload (as well as no corresponding GSA TEK payloads 1492 in the GSA payload), after which the TEK payloads will be sent in a 1493 rekey message. At least one TEK MUST be included in each Rekey KD 1494 payload. 1496 4.5.1.1. TEK_ALGORITHM_KEY 1498 The TEK_ALGORITHM_KEY class contains encryption keying material for 1499 the corresponding SPI. This keying material will be used with the 1500 encryption algorithm specified in the GSA TEK payload, and according 1501 to the IPsec transform describing that encryption algorithm. The 1502 keying material is treated equivalent to IKEv2 KEYMAT derived for 1503 that IPsec transform. If the encryption algorithm requires a nonce 1504 (e.g., AES-GCM), the nonce is chosen as shown in Section 3.2. 1506 4.5.1.2. TEK_INTEGRITY_KEY 1508 The TEK_INTEGRITY_KEY class declares that the integrity key for the 1509 corresponding SPI is contained in the Key Packet Attribute. Readers 1510 should refer to [IKEV2-IANA] for the latest values. 1512 4.5.2. KEK Download Type 1514 The following attributes may be present in a KEK Download Type. 1515 Exactly one attribute matching each type sent in the GSA KEK payload 1516 MUST be present. The attributes must follow the format defined in 1517 IKEv2 (Section 3.3.5 of [RFC7296]). In the table, attributes defined 1518 as TV are marked as Basic (B); attributes defined as TLV are marked 1519 as Variable (V). The terms Reserved, Unassigned, and Private Use are 1520 to be applied as defined in [RFC8126]. The registration procedure is 1521 Expert Review. 1523 KEK Class Value Type 1524 --------- ----- ---- 1525 Reserved 0 1526 KEK_ENCR_KEY 1 V 1527 KEK_INTEGRITY_KEY 2 V 1528 KEK_AUTH_KEY 3 V 1529 Unassigned 4-16383 1530 Private Use 16384-32767 1532 If the KEK Key Packet is included, there MUST be only one present in 1533 the KD payload. 1535 4.5.2.1. KEK_ENCR_KEY 1537 The KEK_ENCR_KEY class declares that the encryption key for the 1538 corresponding SPI is contained in the Key Packet Attribute. The 1539 encryption algorithm that will use this key was specified in the GSA 1540 KEK payload. 1542 If the mode of operation for the algorithm requires an Initialization 1543 Vector (IV), an explicit IV MUST be included in the KEK_ENCR_KEY 1544 before the actual key. 1546 4.5.2.2. KEK_INTEGRITY_KEY 1548 The KEK_INTEGRITY_KEY class declares the integrity key for this SPI 1549 is contained in the Key Packet Attribute. The integrity algorithm 1550 that will use this key was specified in the GSA KEK payload. 1552 4.5.2.3. KEK_AUTH_KEY 1554 The KEK_AUTH_KEY class declares that the authentication key for this 1555 SPI is contained in the Key Packet Attribute. The signature 1556 algorithm that will use this key was specified in the GSA KEK 1557 payload. An RSA public key format is defined in RFC 3447, 1558 Section A.1.1. DSS public key format is defined in RFC 3279 1559 Section 2.3.2. For ECDSA Public keys, use format described in RFC 1560 5480 Section 2.2. Other algorithms added to the IKEv2 Authentication 1561 Method registry are also expected to include a format of the public 1562 key included in the algorithm specification. 1564 4.5.3. LKH Download Type 1566 The LKH key packet is comprised of attributes representing different 1567 leaves in the LKH key tree. 1569 The following attributes are used to pass an LKH KEK array in the KD 1570 payload. The attributes must follow the format defined in IKEv2 1571 (Section 3.3.5 of [RFC7296]). In the table, attributes defined as TV 1572 are marked as Basic (B); attributes defined as TLV are marked as 1573 Variable (V). The terms Reserved, Unassigned, and Private Use are to 1574 be applied as defined in [RFC8126]. The registration procedure is 1575 Expert Review. 1577 LKH Download Class Value Type 1578 ------------------ ----- ---- 1579 Reserved 0 1580 LKH_DOWNLOAD_ARRAY 1 V 1581 LKH_UPDATE_ARRAY 2 V 1582 Unassigned 3-16383 1583 Private Use 16384-32767 1585 If an LKH key packet is included in the KD payload, there MUST be 1586 only one present. 1588 4.5.3.1. LKH_DOWNLOAD_ARRAY 1590 The LKH_DOWNLOAD_ARRAY class is used to download a set of LKH keys to 1591 a group member. It MUST NOT be included in a IKEv2 rekey message KD 1592 payload if the IKEv2 rekey is sent to more than one group member. If 1593 an LKH_DOWNLOAD_ARRAY attribute is included in a KD payload, there 1594 MUST be only one present. 1596 This attribute consists of a header block, followed by one or more 1597 LKH keys. 1599 0 1 2 3 1600 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1601 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1602 | # of LKH Keys | RESERVED | 1603 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1604 ~ LKH Keys ~ 1605 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1607 The KEK_LKH attribute fields are defined as follows: 1609 o Number of LKH Keys (2 octets) -- This value is the number of 1610 distinct LKH keys in this sequence. 1612 o RESERVED (1 octet) -- Unused, set to zero. 1614 Each LKH Key is defined as follows: 1616 0 1 2 3 1617 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1618 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1619 ! LKH ID | Encr Alg | 1620 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1621 | Key Handle | 1622 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1623 ~ Key Data ~ 1624 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1626 o LKH ID (2 octets) -- This is the position of this key in the 1627 binary tree structure used by LKH. 1629 o Encr Alg (2 octets) -- This is the encryption algorithm for which 1630 this key data is to be used. This value is specified in 1631 Section 4.4.2.1.2. 1633 o RESERVED (1 octet) -- Unused, set to zero. 1635 o Key Handle (4 octets) -- This is a randomly generated value to 1636 uniquely identify a key within an LKH ID. 1638 o Key Data (variable length) -- This is the actual encryption key 1639 data, which is dependent on the Encr Alg algorithm for its format. 1640 If the mode of operation for the algorithm requires an 1641 Initialization Vector (IV), an explicit IV MUST be included in the 1642 Key Data field before the actual key. 1644 The first LKH Key structure in an LKH_DOWNLOAD_ARRAY attribute 1645 contains the Leaf identifier and key for the group member. The rest 1646 of the LKH Key structures contain keys along the path of the key tree 1647 in the order starting from the leaf, culminating in the group KEK. 1649 4.5.3.2. LKH_UPDATE_ARRAY 1651 The LKH_UPDATE_ARRAY class is used to update the LKH keys for a 1652 group. It is most likely to be included in a G-IKEv2 rekey message 1653 KD payload to rekey the entire group. This attribute consists of a 1654 header block, followed by one or more LKH keys, as defined in 1655 Section 4.5.3.1. 1657 There may be any number of LKH_UPDATE_ARRAY attributes included in a 1658 KD payload. 1660 0 1 2 3 1661 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1662 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1663 | # of LKH Keys | LKH ID | 1664 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1665 | Key Handle | 1666 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1667 ~ LKH Keys ~ 1668 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1670 o Number of LKH Keys (2 octets) -- This value is the number of 1671 distinct LKH keys in this sequence. 1673 o LKH ID (2 octets) -- This is the node identifier associated with 1674 the key used to encrypt the first LKH Key. 1676 o Key Handle (4 octets) -- This is the value that uniquely 1677 identifies the key within the LKH ID which was used to encrypt the 1678 first LKH key. 1680 The LKH Keys are as defined in Section 4.5.3.1. The LKH Key 1681 structures contain keys along the path of the key tree in the order 1682 from the LKH ID found in the LKH_UPDATE_ARRAY header, culminating in 1683 the group KEK. The Key Data field of each LKH Key is encrypted with 1684 the LKH key preceding it in the LKH_UPDATE_ARRAY attribute. The 1685 first LKH Key is encrypted under the key defined by the LKH ID and 1686 Key Handle found in the LKH_UPDATE_ARRAY header. 1688 4.5.4. SID Download Type 1690 The SID attribute is used to download one or more Sender-ID (SID) 1691 values for the exclusive use of a group member. The terms Reserved, 1692 Unassigned, and Private Use are to be applied as defined in 1693 [RFC8126]. The registration procedure is Expert Review. 1695 SID Download Class Value Type 1696 ------------------ ----- ---- 1697 Reserved 0 1698 NUMBER_OF_SID_BITS 1 B 1699 SID_VALUE 2 V 1700 Unassigned 3-16383 1701 Private Use 16384-32767 1703 Because a SID value is intended for a single group member, the SID 1704 Download type MUST NOT be distributed in a GSA_REKEY message 1705 distributed to multiple group members. 1707 4.5.4.1. NUMBER_OF_SID_BITS 1709 The NUMBER_OF_SID_BITS class declares how many bits of the cipher 1710 nonce in which to represent an SID value. The bits are applied as 1711 the most significant bits of the IV, as shown in Figure 1 of 1712 [RFC6054] and specified in Section 3.3.2. Guidance for a GCKS 1713 choosing the NUMBER_OF_SID_BITS is provided in Section 3 of 1714 [RFC6054]. 1716 This value is applied to each SID value distributed in the SID 1717 Download. 1719 4.5.4.2. SID_VALUE 1721 The SID_VALUE class declares a single SID value for the exclusive use 1722 of this group member. Multiple SID_VALUE attributes MAY be included 1723 in a SID Download. 1725 4.5.4.3. GM Semantics 1727 The SID_VALUE attribute value distributed to the group member MUST be 1728 used by that group member as the SID field portion of the IV for all 1729 Data-Security SAs including a counter-based mode of operation 1730 distributed by the GCKS as a part of this group. When the Sender- 1731 Specific IV (SSIV) field for any Data-Security SA is exhausted, the 1732 group member MUST NOT act as a sender on that SA using its active 1733 SID. The group member SHOULD re-register, at which time the GCKS 1734 will issue a new SID to the group member, along with either the same 1735 Data-Security SAs or replacement ones. The new SID replaces the 1736 existing SID used by this group member, and also resets the SSIV 1737 value to its starting value. A group member MAY re-register prior to 1738 the actual exhaustion of the SSIV field to avoid dropping data 1739 packets due to the exhaustion of available SSIV values combined with 1740 a particular SID value. 1742 A group member MUST ignore an SID Download Type KD payload present in 1743 a GSA-REKEY message, otherwise more than one GM may end up using the 1744 same SID. 1746 4.5.4.4. GCKS Semantics 1748 If any KD payload includes keying material that is associated with a 1749 counter-mode of operation, an SID Download Type KD payload containing 1750 at least one SID_VALUE attribute MUST be included. The GCKS MUST NOT 1751 send the SID Download Type KD payload as part of a GSA_REKEY message, 1752 because distributing the same sender-specific policy to more than one 1753 group member will reduce the security of the group. 1755 4.6. Delete Payload 1757 There are occasions when the GCKS may want to signal to group members 1758 to delete policy at the end of a broadcast, if group policy has 1759 changed, or the GCKS needs to reset the policy and keying material 1760 for the group due to an emergency. Deletion of keys MAY be 1761 accomplished by sending an IKEv2 Delete Payload, section 3.11 of 1762 [RFC7296] as part of a registration or rekey Exchange. Whenever an 1763 SA is to be deleted, the GKCS SHOULD send the Delete Payload in both 1764 registration and rekey exchanges, because GMs with previous group 1765 policy may contact the GCKS using either exchange. 1767 The Protocol ID MUST be 41 for GSA_REKEY Exchange, 2 for AH or 3 for 1768 ESP. Note that only one protocol id value can be defined in a Delete 1769 payload. If a TEK and a KEK SA for GSA_REKEY Exchange must be 1770 deleted, they must be sent in different Delete payloads. Similarly, 1771 if a TEK specifying ESP and a TEK specifying AH need to be deleted, 1772 they must be sent in different Delete payloads. 1774 There may be circumstances where the GCKS may want to reset the 1775 policy and keying material for the group. The GCKS can signal 1776 deletion of all policy of a particular TEK by sending a TEK with a 1777 SPI value equal to zero in the delete payload. In the event that the 1778 administrator is no longer confident in the integrity of the group 1779 they may wish to remove all KEK and all the TEKs in the group. This 1780 is done by having the GCKS send a delete payload with a SPI of zero 1781 and a Protocol-ID of AH or ESP to delete all TEKs, followed by 1782 another delete payload with a SPI value of zero and Protocol-ID of 1783 KEK SA to delete the KEK SA. 1785 4.7. Notify Payload 1787 G-IKEv2 uses the same Notify payload as specified in [RFC7296], 1788 section 3.10. 1790 There are additional Notify Message types introduced by G-IKEv2 to 1791 communicate error conditions and status. 1793 NOTIFY messages - error types Value 1794 ------------------------------------------------------------------- 1795 INVALID_GROUP_ID - 45 1796 Indicates the group id sent during the registration process is 1797 invalid. 1799 AUTHORIZATION_FAILED - 46 1800 Sent in the response to a GSA_AUTH message when authorization 1801 failed. 1803 REGISTRATION_FAILED - TBD-1 1804 Sent by the GCKS when the GM registration request cannot be 1805 satisfied. 1807 NOTIFY messages - status types Value 1808 ------------------------------------------------------------------- 1809 SENDER - 16429 1810 Sent in GSA_AUTH or GSA_REGISTRATION to indicate that the GM 1811 intends to be sender of data traffic. The data includes a count of 1812 how many SID values the GM desires. The count MUST be 4 octets long 1813 and contain the big endian representation of the number of 1814 requested SIDs. 1816 4.8. Authentication Payload 1818 G-IKEv2 uses the same Authentication payload as specified in 1819 [RFC7296], section 3.8, to sign the rekey message. 1821 5. Security Considerations 1822 5.1. GSA registration and secure channel 1824 G-IKEv2 registration exchange uses IKEv2 IKE_SA_INIT protocols, 1825 inheriting all the security considerations documented in [RFC7296] 1826 section 5 Security Considerations, including authentication, 1827 confidentiality, protection against man-in-the-middle, protection 1828 against replay/reflection attacks, and denial of service protection. 1829 The GSA_AUTH and GSA_REGISTRATION exchanges also take advantage of 1830 those protections. In addition, G-IKEv2 brings in the capability to 1831 authorize a particular group member regardless of whether they have 1832 the IKEv2 credentials. 1834 5.2. GSA maintenance channel 1836 The GSA maintenance channel is cryptographically and integrity 1837 protected using the cryptographic algorithm and key negotiated in the 1838 GSA member registration exchanged. 1840 5.2.1. Authentication/Authorization 1842 Authentication is implicit, the public key of the identity is 1843 distributed during the registration, and the receiver of the rekey 1844 message uses that public key and identity to verify the message came 1845 from the authorized GCKS. 1847 5.2.2. Confidentiality 1849 Confidentiality is provided by distributing a confidentiality key as 1850 part of the GSA member registration exchange. 1852 5.2.3. Man-in-the-Middle Attack Protection 1854 GSA maintenance channel is integrity protected by using a digital 1855 signature. 1857 5.2.4. Replay/Reflection Attack Protection 1859 The GSA_REKEY message includes a monotonically increasing sequence 1860 number to protect against replay and reflection attacks. A group 1861 member will recognize a replayed message by comparing the Message ID 1862 number to that of the last received rekey message, any rekey message 1863 containing a Message ID number less than or equal to the last 1864 received value MUST be discarded. Implementations should keep a 1865 record of recently received GSA rekey messages for this comparison. 1867 6. IANA Considerations 1869 6.1. New registries 1871 A new set of registries should be created for G-IKEv2, on a new page 1872 titled Group Key Management using IKEv2 (G-IKEv2) Parameters. The 1873 following registries should be placed on that page. The terms 1874 Reserved, Expert Review and Private Use are to be applied as defined 1875 in [RFC8126]. 1877 GSA Policy Type Registry, see Section 4.4.1 1879 KEK Attributes Registry, see Section 4.4.2.1 1881 KEK Management Algorithm Registry, see Section 4.4.2.1.1 1883 GSA TEK Payload Protocol ID Type Registry, see Section 4.4.3 1885 TEK Attributes Registry, see Section 4.4.3 1887 Key Download Type Registry, see Section 4.5 1889 TEK Download Type Attributes Registry, see Section 4.5.1 1891 KEK Download Type Attributes Registry, see Section 4.5.2 1893 LKH Download Type Attributes Registry, see Section 4.5.3 1895 SID Download Type Attributes Registry, see Section 4.5.4 1897 6.2. New payload and exchange types added to the existing IKEv2 1898 registry 1900 The following new payloads and exchange types specified in this memo 1901 have already been allocated by IANA and require no further action, 1902 other than replacing the draft name with an RFC number. 1904 The present document describes new IKEv2 Next Payload types, see 1905 Section 4.1 1907 The present document describes new IKEv2 Exchanges types, see 1908 Section 4.1 1910 The present document describes new IKEv2 notification types, see 1911 Section 4.7 1913 6.3. Changes to previous allocations 1915 Section 4.7 indicates an allocation in the IKEv2 Notify Message Types 1916 - Status Types registry has been made. This NOTIFY type was 1917 allocated earlier in the development of G-IKEv2. The number is 1918 16429, and was allocated with the name SENDER_REQUEST_ID. The name 1919 should be changed to SENDER. 1921 7. Acknowledgements 1923 The authors thank Lakshminath Dondeti and Jing Xiang for first 1924 exploring the use of IKEv2 for group key management and providing the 1925 basis behind the protocol. Mike Sullenberger and Amjad Inamdar were 1926 instrumental in helping resolve many issues in several versions of 1927 the document. 1929 8. Contributors 1931 The following individuals made substantial contributions to early 1932 versions of this memo. 1934 Sheela Rowles 1935 Cisco Systems 1936 170 W. Tasman Drive 1937 San Jose, California 95134-1706 1938 USA 1940 Phone: +1-408-527-7677 1941 Email: sheela@cisco.com 1943 Aldous Yeung 1944 Cisco Systems 1945 170 W. Tasman Drive 1946 San Jose, California 95134-1706 1947 USA 1949 Phone: +1-408-853-2032 1950 Email: cyyeung@cisco.com 1952 Paulina Tran 1953 Cisco Systems 1954 170 W. Tasman Drive 1955 San Jose, California 95134-1706 1956 USA 1958 Phone: +1-408-526-8902 1959 Email: ptran@cisco.com 1960 Yoav Nir 1961 Dell EMC 1962 9 Andrei Sakharov St 1963 Haifa 3190500 1964 Israel 1966 Email: ynir.ietf@gmail.com 1968 9. References 1970 9.1. Normative References 1972 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1973 Requirement Levels", BCP 14, RFC 2119, 1974 DOI 10.17487/RFC2119, March 1997, 1975 . 1977 [RFC2627] Wallner, D., Harder, E., and R. Agee, "Key Management for 1978 Multicast: Issues and Architectures", RFC 2627, 1979 DOI 10.17487/RFC2627, June 1999, 1980 . 1982 [RFC3740] Hardjono, T. and B. Weis, "The Multicast Group Security 1983 Architecture", RFC 3740, DOI 10.17487/RFC3740, March 2004, 1984 . 1986 [RFC4046] Baugher, M., Canetti, R., Dondeti, L., and F. Lindholm, 1987 "Multicast Security (MSEC) Group Key Management 1988 Architecture", RFC 4046, DOI 10.17487/RFC4046, April 2005, 1989 . 1991 [RFC4301] Kent, S. and K. Seo, "Security Architecture for the 1992 Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, 1993 December 2005, . 1995 [RFC6054] McGrew, D. and B. Weis, "Using Counter Modes with 1996 Encapsulating Security Payload (ESP) and Authentication 1997 Header (AH) to Protect Group Traffic", RFC 6054, 1998 DOI 10.17487/RFC6054, November 2010, 1999 . 2001 [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. 2002 Kivinen, "Internet Key Exchange Protocol Version 2 2003 (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October 2004 2014, . 2006 [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for 2007 Writing an IANA Considerations Section in RFCs", BCP 26, 2008 RFC 8126, DOI 10.17487/RFC8126, June 2017, 2009 . 2011 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2012 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2013 May 2017, . 2015 9.2. Informative References 2017 [I-D.ietf-ipsecme-qr-ikev2] 2018 Fluhrer, S., McGrew, D., Kampanakis, P., and V. Smyslov, 2019 "Postquantum Preshared Keys for IKEv2", draft-ietf- 2020 ipsecme-qr-ikev2-07 (work in progress), January 2019. 2022 [IKEV2-IANA] 2023 IANA, "Internet Key Exchange Version 2 (IKEv2) 2024 Parameters", February 2016, 2025 . 2028 [NNL] Naor, D., Noal, M., and J. Lotspiech, "Revocation and 2029 Tracing Schemes for Stateless Receivers", Advances in 2030 Cryptology, Crypto '01, Springer-Verlag LNCS 2139, 2001, 2031 pp. 41-62, 2001, 2032 . 2034 [OFT] McGrew, D. and A. Sherman, "Key Establishment in Large 2035 Dynamic Groups Using One-Way Function Trees", Manuscript, 2036 submitted to IEEE Transactions on Software Engineering, 2037 1998, . 2040 [RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange 2041 (IKE)", RFC 2409, DOI 10.17487/RFC2409, November 1998, 2042 . 2044 [RFC3686] Housley, R., "Using Advanced Encryption Standard (AES) 2045 Counter Mode With IPsec Encapsulating Security Payload 2046 (ESP)", RFC 3686, DOI 10.17487/RFC3686, January 2004, 2047 . 2049 [RFC4106] Viega, J. and D. McGrew, "The Use of Galois/Counter Mode 2050 (GCM) in IPsec Encapsulating Security Payload (ESP)", 2051 RFC 4106, DOI 10.17487/RFC4106, June 2005, 2052 . 2054 [RFC4309] Housley, R., "Using Advanced Encryption Standard (AES) CCM 2055 Mode with IPsec Encapsulating Security Payload (ESP)", 2056 RFC 4309, DOI 10.17487/RFC4309, December 2005, 2057 . 2059 [RFC4543] McGrew, D. and J. Viega, "The Use of Galois Message 2060 Authentication Code (GMAC) in IPsec ESP and AH", RFC 4543, 2061 DOI 10.17487/RFC4543, May 2006, 2062 . 2064 [RFC5723] Sheffer, Y. and H. Tschofenig, "Internet Key Exchange 2065 Protocol Version 2 (IKEv2) Session Resumption", RFC 5723, 2066 DOI 10.17487/RFC5723, January 2010, 2067 . 2069 [RFC6407] Weis, B., Rowles, S., and T. Hardjono, "The Group Domain 2070 of Interpretation", RFC 6407, DOI 10.17487/RFC6407, 2071 October 2011, . 2073 [RFC7383] Smyslov, V., "Internet Key Exchange Protocol Version 2 2074 (IKEv2) Message Fragmentation", RFC 7383, 2075 DOI 10.17487/RFC7383, November 2014, 2076 . 2078 Appendix A. Use of LKH in G-IKEv2 2080 Section 5.4 of [RFC2627] describes the LKH architecture, and how a 2081 GCKS uses LKH to exclude group members. This section clarifies how 2082 the LKH architecture is used with G-IKEv2. 2084 A.1. Group Creation 2086 When a GCKS forms a group, it creates a key tree as shown in the 2087 figure below. The key tree contains logical keys (represented as 2088 numbers in the figure) and a private key shared with only a single GM 2089 (represented as letters in the figure). Note that the use of numbers 2090 and letters is used for explanatory purposes; in fact, each key would 2091 have an LKH ID, which is two-octet identifier chosen by the GCKS. 2092 The GCKS may create a complete tree as shown, or a partial tree which 2093 is created on demand as members join the group. The top of the key 2094 tree (i.e., "1" in Figure 3) is used as the KEK for the group. 2096 1 2097 +------------------------------+ 2098 2 3 2099 +---------------+ +---------------+ 2100 4 5 6 7 2101 +-------+ +-------+ +--------+ +--------+ 2102 A B C D E F G H 2104 Figure 3: Initial LKH tree 2106 When GM "A" joins the group, the GCKS provides an LKH_DOWNLOAD_ARRAY 2107 in the KD payload of the GSA_AUTH or GSA_REGISTRATION exchange. 2108 Given the tree shown in figure above, the LKH_DOWNLOAD_ARRAY will 2109 contain four LKH Key payloads, each containing an LKH ID and Key 2110 Data. If the LKH ID values were chosen as shown in the figure, four 2111 LKH Keys would be provided to GM "A", in the following order: A, 4, 2112 2, 1. When GM "B" joins the group, it would also be given four LKH 2113 Keys in the following order: B, 4, 2, 1. And so on, until GM "H" 2114 joins the group and is given H, 7, 3, 1. 2116 A.2. Group Member Exclusion 2118 If the GKCS has reason to believe that a GM should be excluded, then 2119 it can do so by sending a GSA_REKEY exchange that includes a set of 2120 LKH_UPDATE_ARRAY attributes in the KD payload. Each LKH_UPDATE_ARRAY 2121 contains a set of LKH Key payloads, in which every GM other than the 2122 excluded GM will be able to determine a set of new logical keys, 2123 which culminate in a new key "1". The excluded GM will observe the 2124 set of LKH_UPDATE_ARRAY attributes, but cannot determine the new 2125 logical keys because each of the "Key Data" fields is encrypted with 2126 a key held by other GMs. The GM will hold no keys to properly 2127 decrypt any of the "Key Data" fields, including key "1" (i.e., the 2128 new KEK). When a subsequent GSA_REKEY exchange is delivered by the 2129 GCKS and protected by the new KEK, the excluded GM will no longer be 2130 able to see the contents of the GSA_REKEY, including new TEKs that 2131 will be delivered to replace existing TEKs. At this point, the GM 2132 will no longer be able to participate in the group. 2134 In the example below, new keys are represented as the number followed 2135 by a "prime" symbol (e.g., "1" becomes "1'"). Each key is encrypted 2136 by another key. This is represented as "{key1}key2", where key2 2137 encrypts key1. For example, "{1'}2' states that a new key "1'" is 2138 encrypted with a new key "2'". 2140 If GM "B" is to be excluded, the GCKS will need to include three 2141 LKH_UPDATE_ARRAY attributes in the GSA_REKEY message. The order of 2142 the attributes does not matter; only the order of the keys within 2143 each attribute. 2145 o One will provide GM "A" with new logical keys that are shared with 2146 B: {4'}A, {2'}4', {1'}2' 2148 o One will provide all GMs holding key "5" with new logical keys: 2149 {2'}5, {1'}2' 2151 o One will provide all GMs holding key "3" with a new KEK: {1'}3 2153 Each GM will look at each LKH_UPDATE_ARRAY attribute and observe an 2154 LKH ID which is present in an LKH Key delivered to them in the 2155 LKH_DOWNLOAD_ARRAY they were given. If they find a matching LKH ID, 2156 then they will decrypt the new key with the logical key immediately 2157 preceding that LKH Key, and so on until they have received the new 1' 2158 key. 2160 The resulting key tree from this rekey event would would be shown in 2161 Figure 4. 2163 1' 2164 +------------------------------+ 2165 2' 3 2166 +---------------+ +---------------+ 2167 4' 5 6 7 2168 +---+ +-------+ +--------+ +--------+ 2169 A B C D E F G H 2171 Figure 4: LKH tree after B has been excluded 2173 Authors' Addresses 2175 Brian Weis 2176 Independent 2177 USA 2179 Email: bew.stds@gmail.com 2181 Valery Smyslov 2182 ELVIS-PLUS 2183 PO Box 81 2184 Moscow (Zelenograd) 124460 2185 Russian Federation 2187 Phone: +7 495 276 0211 2188 Email: svan@elvis.ru