Group Domain of Interpretation (GDOI) Protocol Support for IEC 62351 Security Services
draft-weis-gdoi-iec62351-9-10
Revision differences
Document history
Date | Rev. | By | Action |
---|---|---|---|
2017-06-05
|
10 | (System) | RFC Editor state changed to AUTH48-DONE from AUTH48 |
2017-01-12
|
10 | (System) | RFC Editor state changed to AUTH48 from RFC-EDITOR |
2016-11-23
|
10 | (System) | RFC Editor state changed to RFC-EDITOR from EDIT |
2016-11-18
|
10 | (System) | IANA Action state changed to RFC-Ed-Ack from Waiting on RFC Editor |
2016-11-17
|
10 | (System) | IANA Action state changed to Waiting on RFC Editor from Waiting on Authors |
2016-11-16
|
10 | (System) | IANA Action state changed to Waiting on Authors from In Progress |
2016-11-08
|
10 | (System) | RFC Editor state changed to EDIT |
2016-11-08
|
10 | (System) | IESG state changed to RFC Ed Queue from Approved-announcement sent |
2016-11-08
|
10 | (System) | Announcement was received by RFC Editor |
2016-11-08
|
10 | (System) | IANA Action state changed to In Progress |
2016-11-08
|
10 | Amy Vezza | IESG state changed to Approved-announcement sent from IESG Evaluation::AD Followup |
2016-11-08
|
10 | Amy Vezza | IESG has approved the document |
2016-11-08
|
10 | Amy Vezza | Closed "Approve" ballot |
2016-11-08
|
10 | Amy Vezza | Ballot approval text was generated |
2016-11-07
|
10 | Stephen Farrell | [Ballot comment] Thanks for adding the suggested cautionary text. OLD COMMENTS BELOW, I didn't check 'em. - I'm left wondering why the IETF is doing … [Ballot comment] Thanks for adding the suggested cautionary text. OLD COMMENTS BELOW, I didn't check 'em. - I'm left wondering why the IETF is doing this rather than changing the registration rules for existing registries (e.g. along the lines being followed for TLS1.3) so that IEC could do the work themselves? - The various algorithm codepoints listed at [GDOI-REG] seem fairly outdated. Is it really a good idea to extend those as is being done here by adding new registries for modern ciphers? (It may be the case that we are doing this because there is implementer energy for this, but not for a general revamp of GDOI.) |
2016-11-07
|
10 | Stephen Farrell | [Ballot Position Update] Position for Stephen Farrell has been changed to No Objection from Discuss |
2016-10-28
|
10 | (System) | Sub state has been changed to AD Followup from Revised ID Needed |
2016-10-28
|
10 | (System) | IANA Review state changed to Version Changed - Review Needed from IANA OK - Actions Needed |
2016-10-28
|
10 | Brian Weis | New version available: draft-weis-gdoi-iec62351-9-10.txt |
2016-10-28
|
10 | (System) | New version approved |
2016-10-28
|
10 | (System) | Request for posting confirmation emailed to previous authors: "Brian Weis" , "Herb Falk" , "Maik Seewald" |
2016-10-28
|
10 | Brian Weis | Uploaded new revision |
2016-10-28
|
09 | Amanda Baber | IANA Review state changed to IANA OK - Actions Needed from IANA - Not OK |
2016-10-27
|
09 | Vijay Gurbani | Request for Last Call review by GENART Completed: Ready. Reviewer: Vijay Gurbani. |
2016-10-27
|
09 | Cindy Morgan | IESG state changed to IESG Evaluation::Revised I-D Needed from Waiting for AD Go-Ahead |
2016-10-27
|
09 | Jari Arkko | [Ballot Position Update] New position, No Objection, has been recorded for Jari Arkko |
2016-10-26
|
09 | Joel Jaeggli | [Ballot comment] Carlos Pignataro (cpignata) provided the opsdir review |
2016-10-26
|
09 | Joel Jaeggli | [Ballot Position Update] New position, No Objection, has been recorded for Joel Jaeggli |
2016-10-26
|
09 | Alia Atlas | [Ballot Position Update] New position, No Objection, has been recorded for Alia Atlas |
2016-10-25
|
09 | Spencer Dawkins | [Ballot comment] I would support adding a note as Stephen proposed in his Discuss, about the IETF's ability to evaluate this specification in the absence … [Ballot comment] I would support adding a note as Stephen proposed in his Discuss, about the IETF's ability to evaluate this specification in the absence of access to referenced documents. |
2016-10-25
|
09 | Spencer Dawkins | [Ballot Position Update] New position, No Objection, has been recorded for Spencer Dawkins |
2016-10-25
|
09 | Deborah Brungard | [Ballot Position Update] New position, No Objection, has been recorded for Deborah Brungard |
2016-10-25
|
09 | Ben Campbell | [Ballot Position Update] New position, No Objection, has been recorded for Ben Campbell |
2016-10-25
|
09 | Suresh Krishnan | [Ballot Position Update] New position, No Objection, has been recorded for Suresh Krishnan |
2016-10-25
|
09 | Alvaro Retana | [Ballot Position Update] New position, No Objection, has been recorded for Alvaro Retana |
2016-10-25
|
09 | Alissa Cooper | [Ballot Position Update] New position, No Objection, has been recorded for Alissa Cooper |
2016-10-25
|
09 | Benoît Claise | [Ballot Position Update] New position, No Objection, has been recorded for Benoit Claise |
2016-10-24
|
09 | Stephen Farrell | [Ballot discuss] I'm not clear how to evaluate the security properties of this protocol given that the IEC specs on which it builds aren't visible … [Ballot discuss] I'm not clear how to evaluate the security properties of this protocol given that the IEC specs on which it builds aren't visible to me. (Or at least I didn't find a version I could access.) That's made worse by my relative ignorance of GDOI as well. So I wonder should the authors or IESG add a note to that effect? Say along the lines of: "This memo extends RFC6407 in order to define extensions needed by IEC62351-9. With the current IANA registry rules setup by RFC6407, this requires a standards action by the IETF - essentially that means the production of this document. As the relevant IEC specifications are not available to the IETF community, it is not possible for this RFC to fully describe the security considerations applying. Implementers therefore need to depend on the security analysis within the IEC specifications. As two different SDOs are involved here, and since group key management is inherently complex, it is possible some security issues have not been identified, so additional analysis of the security of the combined set of specifications may be advisable." I'd be fine with any wording that calls out that the IETF can't really be sure of the overall outcome here. Note that that's not in any way to doubt the authors' own analysis - but given that we know it is quite possible for fewer eyeballs to lead to gaps, and that this really is a complicated beast solving a complicated problem, I'm a bit concerned that we may miss something. |
2016-10-24
|
09 | Stephen Farrell | [Ballot comment] - I'm left wondering why the IETF is doing this rather than changing the registration rules for existing registries (e.g. along the lines … [Ballot comment] - I'm left wondering why the IETF is doing this rather than changing the registration rules for existing registries (e.g. along the lines being followed for TLS1.3) so that IEC could do the work themselves? - The various algorithm codepoints listed at [GDOI-REG] seem fairly outdated. Is it really a good idea to extend those as is being done here by adding new registries for modern ciphers? (It may be the case that we are doing this because there is implementer energy for this, but not for a general revamp of GDOI.) |
2016-10-24
|
09 | Stephen Farrell | [Ballot Position Update] New position, Discuss, has been recorded for Stephen Farrell |
2016-10-24
|
09 | Mirja Kühlewind | [Ballot comment] Maybe s/MUST NOT be specified/MUST NOT be used/ (2x in the security section) because this doc is the spec and not specifying it... |
2016-10-24
|
09 | Mirja Kühlewind | [Ballot Position Update] New position, No Objection, has been recorded for Mirja Kühlewind |
2016-10-24
|
09 | (System) | IESG state changed to Waiting for AD Go-Ahead from In Last Call |
2016-10-23
|
09 | Alexey Melnikov | [Ballot comment] I assume that multioctet fields are in network byte order, but this is not mentioned anywhere. |
2016-10-23
|
09 | Alexey Melnikov | [Ballot Position Update] New position, No Objection, has been recorded for Alexey Melnikov |
2016-10-22
|
09 | Kathleen Moriarty | Ballot has been issued |
2016-10-22
|
09 | Kathleen Moriarty | [Ballot Position Update] New position, Yes, has been recorded for Kathleen Moriarty |
2016-10-22
|
09 | Kathleen Moriarty | Created "Approve" ballot |
2016-10-22
|
09 | Kathleen Moriarty | Ballot writeup was changed |
2016-10-22
|
09 | Kathleen Moriarty | Ballot writeup was changed |
2016-10-22
|
09 | Kathleen Moriarty | Ballot writeup was changed |
2016-10-21
|
09 | (System) | IANA Review state changed to IANA - Not OK from IANA - Review Needed |
2016-10-21
|
09 | Sabrina Tanamal | (Via drafts-lastcall-comment@iana.org): IESG/Authors/WG Chairs: The IANA Services Operator has completed its review of draft-weis-gdoi-iec62351-9-08.txt. If any part of this review is inaccurate, please let … (Via drafts-lastcall-comment@iana.org): IESG/Authors/WG Chairs: The IANA Services Operator has completed its review of draft-weis-gdoi-iec62351-9-08.txt. If any part of this review is inaccurate, please let us know. Upon approval of this document, we understand that there are five registry actions to complete. First, in the GDOI ID Payload Type Values subregistry of the Group Domain of Interpretation (GDOI) Payloads registry located at: https://www.iana.org/assignments/gdoi-payloads/ a new value is to be registered as follows: Value: [ TBD-at-registration ] ID Type: GDOI_PROTO_IEC_61850 Reference: [ RFC-to-be ] Question --> We understand the next four requests in section 4 of the document to be requests for the creation of four new registries. For each registry: Where should this new registry be located? Is it a new registry on the List of all IANA maintained protocol parameter registries or is it a subregistry of an existing registry? If it is a subregistry of an existing registry, in which registry will it be contained? Second, a new registry is to be created called the IEC62351-9 Authentication Values registry. The registry will be created in a location to be determined in consultation with the authors (see Question, above). The new registry will be managed through Expert Review and Private Use as defined by RFC 5226. There are initial values in the new registry as follows: Name Value Reference --------------------------+---------+------------------- Reserved 0 [ RFC-to-be ] NONE 1 [ RFC-to-be ] HMAC-SHA256-128 2 [ RFC-to-be ] HMAC-SHA256 3 [ RFC-to-be ] AES-GMAC-128 4 [ RFC-to-be ] AES-GMAC-256 5 [ RFC-to-be ] Expert Review 6-61439 [ RFC-to-be ] Private Use 61440-65535[ RFC-to-be ] Third, a new registry is to be created called the IEC62351-9 Confidentiality Values registry. The registry will be created in a location to be determined in consultation with the authors (see Question, above). The new registry will be managed through Expert Review and Private Use as defined by RFC 5226. There are initial values in the new registry as follows: Name Value Authenticated Encryption Reference ---------------------+-------------+------------------------+------------------------ Reserved 0 [ RFC-to-be ] NONE 1 [ RFC-to-be ] AES-CBC-128 2 N [ RFC-to-be ] AES-CBC-256 3 N [ RFC-to-be ] AES-GCM-128 4 Y [ RFC-to-be ] AES-GCM-256 5 Y [ RFC-to-be ] Expert Review 6-61439 [ RFC-to-be ] Private Use 61440-65535 [ RFC-to-be ] Fourth, a new registry is to be created called the GDOI SA TEK Attributes registry. The registry will be created in a location to be determined in consultation with the authors (see Question, above). The new registry will be managed through Expert Review and Private Use as defined by RFC 5226. There are initial values in the new registry as follows: Attribute Value Type Reference -----------------+---------------+---------+----------------- Reserved 0 [ RFC-to-be ] SA_ATD 1 V [ RFC-to-be ] SA_KDA 2 B [ RFC-to-be ] Expert Review 3-28671 [ RFC-to-be ] Private Use 28672-32767 [ RFC-to-be ] Fifth, a new registry is to be created called the GDOI Identification Payload registry. The registry will be created in a location to be determined in consultation with the authors (see Question, above). The new registry will be managed through Expert Review and Private Use as defined by RFC 5226. There are initial values in the new registry as follows: Name Value Reference -----------------------+-----------+----------------------+ Reserved 0 [ RFC-to-be ] ID_IPV4_ADDR 1 [ RFC-to-be ] ID_FQDN 2 [ RFC-to-be ] ID_USER_FQDN 3 [ RFC-to-be ] ID_IPV4_ADDR_SUBNET 4 [ RFC-to-be ] ID_IPV6_ADDR 5 [ RFC-to-be ] ID_IPV6_ADDR_SUBNET 6 [ RFC-to-be ] ID_IPV4_ADDR_RANGE 7 [ RFC-to-be ] ID_IPV6_ADDR_RANGE 8 [ RFC-to-be ] ID_DER_ASN1_DN 9 [ RFC-to-be ] ID_DER_ASN1_GN 10 [ RFC-to-be ] ID_KEY_ID 11 [ RFC-to-be ] ID_LIST 12 [ RFC-to-be ] ID_OID 13 [ RFC-to-be ] Expert Review 14-61439 [ RFC-to-be ] Private Use 61440-65535 [ RFC-to-be ] We understand that these are the only actions required to be completed upon approval of this document. Note: The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is only to confirm what actions will be performed. Thank you, Sabrina Tanamal IANA Services Specialist PTI |
2016-10-20
|
09 | Jean Mahoney | Request for Last Call review by GENART is assigned to Vijay Gurbani |
2016-10-20
|
09 | Jean Mahoney | Request for Last Call review by GENART is assigned to Vijay Gurbani |
2016-10-14
|
09 | Brian Weis | New version available: draft-weis-gdoi-iec62351-9-09.txt |
2016-10-14
|
09 | (System) | New version approved |
2016-10-14
|
09 | (System) | Request for posting confirmation emailed to previous authors: "Brian Weis" , "Herb Falk" , "Maik Seewald" |
2016-10-14
|
09 | Brian Weis | Uploaded new revision |
2016-10-12
|
08 | Gunter Van de Velde | Request for Last Call review by OPSDIR Completed: Ready. Reviewer: Carlos Pignataro. |
2016-10-06
|
08 | Tero Kivinen | Request for Last Call review by SECDIR Completed: Has Issues. Reviewer: Yoav Nir. |
2016-09-29
|
08 | Jean Mahoney | Request for Last Call review by GENART is assigned to Vijay Gurbani |
2016-09-29
|
08 | Jean Mahoney | Request for Last Call review by GENART is assigned to Vijay Gurbani |
2016-09-29
|
08 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to Yoav Nir |
2016-09-29
|
08 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to Yoav Nir |
2016-09-28
|
08 | Gunter Van de Velde | Request for Last Call review by OPSDIR is assigned to Carlos Pignataro |
2016-09-28
|
08 | Gunter Van de Velde | Request for Last Call review by OPSDIR is assigned to Carlos Pignataro |
2016-09-26
|
08 | Amy Vezza | IANA Review state changed to IANA - Review Needed |
2016-09-26
|
08 | Amy Vezza | The following Last Call announcement was sent out: From: The IESG To: "IETF-Announce" CC: Kathleen.Moriarty.ietf@gmail.com, draft-weis-gdoi-iec62351-9@ietf.org, joe@salowey.net Reply-To: ietf@ietf.org Sender: Subject: Last Call: … The following Last Call announcement was sent out: From: The IESG To: "IETF-Announce" CC: Kathleen.Moriarty.ietf@gmail.com, draft-weis-gdoi-iec62351-9@ietf.org, joe@salowey.net Reply-To: ietf@ietf.org Sender: Subject: Last Call: (GDOI Protocol Support for IEC 62351 Security Services) to Proposed Standard The IESG has received a request from an individual submitter to consider the following document: - 'GDOI Protocol Support for IEC 62351 Security Services' as Proposed Standard The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the ietf@ietf.org mailing lists by 2016-10-24. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting. Abstract The IEC 61850 power utility automation family of standards describe methods using Ethernet and IP for distributing control and data frames within and between substations. The IEC 61850-90-5 and IEC 62351-9 standards specify the use of the Group Domain of Interpretation (GDOI) protocol (RFC 6407) to distribute security transforms for some IEC 61850 security protocols. This memo defines GDOI payloads to support those security protocols. The file can be obtained via https://datatracker.ietf.org/doc/draft-weis-gdoi-iec62351-9/ IESG discussion can be tracked via https://datatracker.ietf.org/doc/draft-weis-gdoi-iec62351-9/ballot/ No IPR declarations have been submitted directly on this I-D. There is a possible downref to IEC-62351-9. |
2016-09-26
|
08 | Amy Vezza | IESG state changed to In Last Call from Last Call Requested |
2016-09-26
|
08 | Amy Vezza | Last call announcement was changed |
2016-09-26
|
08 | Kathleen Moriarty | Last call was requested |
2016-09-26
|
08 | Kathleen Moriarty | Ballot approval text was generated |
2016-09-26
|
08 | Kathleen Moriarty | Ballot writeup was generated |
2016-09-26
|
08 | Kathleen Moriarty | IESG state changed to Last Call Requested from Publication Requested |
2016-09-26
|
08 | Kathleen Moriarty | Last call announcement was generated |
2016-09-26
|
08 | Brian Weis | New version approved |
2016-09-26
|
08 | Brian Weis | New version available: draft-weis-gdoi-iec62351-9-08.txt |
2016-09-26
|
08 | Brian Weis | Request for posting confirmation emailed to previous authors: "Brian Weis" , "Herb Falk" , "Maik Seewald" |
2016-09-26
|
08 | (System) | Uploaded new revision |
2016-09-26
|
07 | Kathleen Moriarty | Placed on agenda for telechat - 2016-10-27 |
2016-09-21
|
07 | Joseph Salowey | 1. Summary The document shepherd is Joe Salowey. The responsible Area Director is Kathleen Moriarty. This document extends an IETF protocol (GDOI, published as RFC … 1. Summary The document shepherd is Joe Salowey. The responsible Area Director is Kathleen Moriarty. This document extends an IETF protocol (GDOI, published as RFC 7407), which distributes IPsec security association policy and keying material used to protect IP multicast packets . The IEC 61850 power utility automation family of standards defines it’s own transport security methods for multicast packets, and these standards specify the use of GDOI to provide the necessary policy and keying material. This draft specifies how the IEC 61850 policy and keying material is distributed within the GDOI protocol. 2. Review and Consensus The document is an individual submission. The logical working group to have progressed this would have been the Multicast Security (MSEC) WG, which has been closed from some time. The document has been reviewed by several individuals in the IETF Security Area, as well as the IEC 61850 working group. An early SecDir review was published on -02 of this document, and the authors believe that each of the comments were addressed.: . 3. Intellectual Property Each author has confirmed conformance with BCP 78/79. There are no IPR disclosures on the document. 4. Other Points No other points have been identified. |
2016-09-19
|
07 | Kathleen Moriarty | IESG process started in state Publication Requested |
2016-09-19
|
07 | Kathleen Moriarty | Shepherding AD changed to Kathleen Moriarty |
2016-09-19
|
07 | Kathleen Moriarty | Notification list changed to "Joseph A. Salowey" <joe@salowey.net> |
2016-09-19
|
07 | Kathleen Moriarty | Document shepherd changed to Joseph A. Salowey |
2016-09-19
|
07 | Kathleen Moriarty | Changed consensus to Yes from Unknown |
2016-09-19
|
07 | Kathleen Moriarty | Intended Status changed to Proposed Standard from None |
2016-09-19
|
07 | Kathleen Moriarty | Stream changed to IETF from None |
2016-03-21
|
07 | Brian Weis | New version available: draft-weis-gdoi-iec62351-9-07.txt |
2015-06-01
|
06 | Brian Weis | New version available: draft-weis-gdoi-iec62351-9-06.txt |
2014-10-26
|
05 | Brian Weis | New version available: draft-weis-gdoi-iec62351-9-05.txt |
2014-05-16
|
04 | Brian Weis | New version available: draft-weis-gdoi-iec62351-9-04.txt |
2014-02-13
|
03 | Brian Weis | New version available: draft-weis-gdoi-iec62351-9-03.txt |
2013-11-07
|
02 | Tero Kivinen | Request for Early review by SECDIR Completed: Has Issues. Reviewer: Yoav Nir. |
2013-11-07
|
02 | Tero Kivinen | Request for Early review by SECDIR is assigned to Yoav Nir |
2013-11-07
|
02 | Tero Kivinen | Request for Early review by SECDIR is assigned to Yoav Nir |
2013-08-02
|
02 | Brian Weis | New version available: draft-weis-gdoi-iec62351-9-02.txt |
2013-07-03
|
01 | Brian Weis | New version available: draft-weis-gdoi-iec62351-9-01.txt |
2013-06-12
|
00 | Brian Weis | New version available: draft-weis-gdoi-iec62351-9-00.txt |