Multicast IP Security Composite Cryptographic Groups

Document Type Expired Internet-Draft (msec WG)
Last updated 2007-02-07
Replaces draft-gross-msec-ipsec-composite-group
Stream IETF
Intended RFC status (None)
Expired & archived
plain text pdf html
Stream WG state WG Document
Document shepherd No shepherd assigned
IESG IESG state Expired
Telechat date
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


The Multicast IP Security extension architecture [Weis] implicitly assumes a basic group endpoint population that shares homogeneous cryptographic capabilities and security policies. In practice, large- scale cryptographic groups may contain a heterogeneous endpoint population that can not be accommodated by that basic multicast IPsec architecture. For example, some endpoints may not have been upgraded to handle the successor algorithm for one that is being retired (e.g. SHA1 transition to SHA-ng). Group deployments that span multiple legal jurisdictions may have a different security policy in each jurisdiction (e.g. key strength). This document defines the "composite cryptographic group" IP security architecture capability. A composite cryptographic group allows multicast IPsec applications to transparently interact with the single logical group that is formed by the union of one or more basic cryptographic groups.


George Gross (
Haitham Cruickshank (

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)