MSEC Working Group B. Weis
Internet-Draft S. Rowles
Intended status: Standards Track Cisco Systems
Expires: September 15, 2011 T. Hardjono
MIT
March 14, 2011
The Group Domain of Interpretation
draft-ietf-msec-gdoi-update-08
Abstract
This document describes an updated version of the Group Domain of
Interpretation (GDOI) protocol specified in RFC 3547. The GDOI
provides group key management to support secure group communications
according to the architecture specified in RFC 4046. The GDOI
manages group security associations, which are used by IPsec and
potentially other data security protocols.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 15, 2011.
Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
Weis, et al. Expires September 15, 2011 [Page 1]
Internet-Draft GDOI March 2011
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
This document may contain material from IETF Documents or IETF
Contributions published or made publicly available before November
10, 2008. The person(s) controlling the copyright in some of this
material may not have granted the IETF Trust the right to allow
modifications of such material outside the IETF Standards Process.
Without obtaining an adequate license from the person(s) controlling
the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other
than English.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. Requirements notation . . . . . . . . . . . . . . . . . . 5
1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 6
1.3. Acronyms and Abbreviations . . . . . . . . . . . . . . . . 6
2. GDOI Phase 1 protocol . . . . . . . . . . . . . . . . . . . . 8
2.1. ISAKMP Phase 1 protocol . . . . . . . . . . . . . . . . . 8
3. GROUPKEY-PULL Exchange . . . . . . . . . . . . . . . . . . . . 9
3.1. Authorization . . . . . . . . . . . . . . . . . . . . . . 9
3.2. Messages . . . . . . . . . . . . . . . . . . . . . . . . . 9
3.3. Group Member Operations . . . . . . . . . . . . . . . . . 11
3.4. GCKS Operations . . . . . . . . . . . . . . . . . . . . . 13
3.5. Counter-modes of operation . . . . . . . . . . . . . . . . 13
4. GROUPKEY-PUSH Message . . . . . . . . . . . . . . . . . . . . 16
4.1. Use of signature keys . . . . . . . . . . . . . . . . . . 17
4.2. ISAKMP Header Initialization . . . . . . . . . . . . . . . 17
4.3. GCKS Operations . . . . . . . . . . . . . . . . . . . . . 17
4.4. Group Member Operations . . . . . . . . . . . . . . . . . 18
5. Payloads and Defined Values . . . . . . . . . . . . . . . . . 20
5.1. Identification Payload . . . . . . . . . . . . . . . . . . 20
5.2. Security Association Payload . . . . . . . . . . . . . . . 20
5.3. SA KEK payload . . . . . . . . . . . . . . . . . . . . . . 22
5.4. Group Associated Policy . . . . . . . . . . . . . . . . . 28
5.5. SA TEK Payload . . . . . . . . . . . . . . . . . . . . . . 30
5.6. Key Download Payload . . . . . . . . . . . . . . . . . . . 34
5.7. Sequence Number Payload . . . . . . . . . . . . . . . . . 43
Weis, et al. Expires September 15, 2011 [Page 2]
Internet-Draft GDOI March 2011
5.8. Nonce . . . . . . . . . . . . . . . . . . . . . . . . . . 44
5.9. Delete . . . . . . . . . . . . . . . . . . . . . . . . . . 44
6. Algorithm Selection . . . . . . . . . . . . . . . . . . . . . 46
6.1. KEK . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
6.2. TEK . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
7. Security Considerations . . . . . . . . . . . . . . . . . . . 48
7.1. ISAKMP Phase 1 . . . . . . . . . . . . . . . . . . . . . . 48
7.2. GROUPKEY-PULL Exchange . . . . . . . . . . . . . . . . . . 49
7.3. GROUPKEY-PUSH Exchange . . . . . . . . . . . . . . . . . . 51
7.4. Forward and Backward Access Control . . . . . . . . . . . 52
7.5. Derivation of keying material . . . . . . . . . . . . . . 54
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 55
8.1. Additions to current registries . . . . . . . . . . . . . 55
8.2. New registries . . . . . . . . . . . . . . . . . . . . . . 55
8.3. Cleanup of existing registries . . . . . . . . . . . . . . 57
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 59
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 60
10.1. Normative References . . . . . . . . . . . . . . . . . . . 60
10.2. Informative References . . . . . . . . . . . . . . . . . . 60
Appendix A. Extending GDOI . . . . . . . . . . . . . . . . . . . 65
A.1. Alternate GDOI Phase 1 protocols . . . . . . . . . . . . . 65
A.2. Supporting new SA TEK types . . . . . . . . . . . . . . . 66
Appendix B. GDOI Applications . . . . . . . . . . . . . . . . . . 67
Appendix C. Significant Changes from RFC 3547 . . . . . . . . . . 68
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 69
Weis, et al. Expires September 15, 2011 [Page 3]
Internet-Draft GDOI March 2011
1. Introduction
Secure group and multicast applications require a method by which
each group member shares common security policy and keying material.
This document describes the Group Domain of Interpretation (GDOI),
which is an ISAMKP [RFC2408] Domain of Interpretation (DOI), a group
key management system. The GDOI distributes security associations
(SAs) for IPsec AH [RFC4302] and ESP [RFC4303] protocols and
potentially other data security protocols used in group applications.
The GDOI uses the group key management model defined in [RFC4046],
and described more generally by the The Multicast Group Security
Architecture [RFC3740].
In this group key management model, the GDOI protocol participants
are a "group controller/key server" (GCKS) and a group member (GM).
A group member contacts ("registers with") a GCKS to join the group.
During the registration mutual authentication and authorization are
achieved, after which the GCKS distributes current group policy and
keying material to the group member over an authenticated and
encrypted session. The GCKS may also initiate contact ("rekeys")
with group members to provide updates to group policy.
ISAKMP defines two "phases" of negotiation (p.16 of [RFC2408]). A
Phase 1 security association provides mutual authentication and
authorization, and a security association that is used by the
protocol participants to execute a phase 2 exchange. This document
incorporates (i.e., uses but does not re-define) the Phase 1 security
association definition from the Internet DOI [RFC2407], [RFC2409].
Phase 1 security association types other than ISAKMP are possible,
and are noted in Appendix A. Requirements of those phase 1 security
associations are specified in Section 2. The GDOI includes two new
phase 2 ISAKMP exchanges (protocols), as well as necessary new
payload definitions to the ISAKMP standard (p. 14 of [RFC2408]).
These two new protocols are:
1. The GROUPKEY-PULL registration protocol exchange. This exchange
uses "pull" behavior since the member initiates the retrieval of
these SAs from a GCKS. It is protected by an ISAKMP phase 1
protocol, as described above. At the culmination of a GROUPKEY-
PULL exchange, an authorized group member has received and
installed a set of SAs that represent group policy, and it is
ready to participate in secure group communications.
2. The GROUPKEY-PUSH rekey protocol exchange. The rekey protocol is
a datagram initiated ("pushed") by the GCKS, usually delivered to
group members using a IP multicast address. The rekey protocol
is an ISAKMP protocol, where cryptographic policy and keying
material ("Re-key SA") is included in the group policy
Weis, et al. Expires September 15, 2011 [Page 4]
Internet-Draft GDOI March 2011
distributed by the GCKS in the GROUPKEY-PULL exchange. At the
culmination of a GROUPKEY-PUSH exchange the key server has sent
group policy to all authorized group members, allowing receiving
group members to participate in secure group communications. If
a group management method is included in group policy (as
described in Section 7.4), at the conclusion of the GROUPKEY-PUSH
exchange some members of the group may have been de-authorized
and no longer able to participate in the secure group
communications.
+--------------------------------------------------------------+
| |
| +--------------------+ |
| +------>| GDOI GCKS |<------+ |
| | +--------------------+ | |
| | | | |
| GROUPKEY-PULL | GROUPKEY-PULL |
| PROTOCOL | PROTOCOL |
| | | | |
| v GROUPKEY-PUSH v |
| +-----------------+ PROTOCOL +-----------------+ |
| | | | | | |
| | GDOI GM(s) |<-------+-------->| GDOI GM(S) | |
| | | | | |
| +-----------------+ +-----------------+ |
| | ^ |
| v | |
| +-Data Security Protocol (e.g., ESP)-+ |
| |
+--------------------------------------------------------------+
Although the GROUPKEY-PUSH protocol specified by this document can be
used to refresh the Re-key SA protecting the GROUPKEY-PUSH protocol,
the most common use of GROUPKEY-PUSH is to establish keying material
and policy for a data security protocol.
In summary, GDOI is a group security association management protocol:
all GDOI messages are used to create, maintain, or delete security
associations for a group. As described above, these security
associations protect one or more data security protocol SAs, a Re-key
SA, and/or other data shared by group members for multicast and
groups security applications.
1.1. Requirements notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
Weis, et al. Expires September 15, 2011 [Page 5]
Internet-Draft GDOI March 2011
1.2. Terminology
The following key terms are used throughout this document.
Data-Security SA. The security policy distributed by a GDOI GCKS
describing traffic that is expected to be protected by group
members. This document described the distribution of IPsec AH
and ESP Data-Security SAs.
Group Controller/Key Server A device that defines group policy and
distributes keys for that policy.[RFC3740]
Group Member. An authorized member of a secure group, sending and/or
receiving IP packets related to the group.
GROUPKEY-PULL. A protocol used by a GDOI Group Member to request
group policy and keying material.
GROUPKEY-PUSH. A protocol used by a GDOI GCKS to distribute updates
of group policy and keying material to authorized group
members.
Key Encrypting Key. The symmetric cipher key used to protect the
GROUPKEY-PUSH message.
Logical Key Hierarchy). A group management method defined in Section
5.4 of [RFC2627].
Re-key SA. The security policy protecting a GROUPKEY-PUSH protocol.
Traffic Encryption Key. The symmetric cipher key used to protect a
data security protocol (e.g., IPsec ESP).
1.3. Acronyms and Abbreviations
The following acronyms and abbreviations are used throughout this
document.
AH IP Authentication Header
ATD Activation Time Delay
DOI Domain of Interpretation
DTD Deactivation Time Delay
Weis, et al. Expires September 15, 2011 [Page 6]
Internet-Draft GDOI March 2011
ESP IP Encapsulating Security Payload
GCKS Group Controller/Key Server
GDOI Group Domain of Interpretation
GAP Group Associated Policy Payload
GM Group Member
IV Initialization Vector
KD Key Download Payload
KEK Key Encryption Key
LKH Lock Key Hierarchy
SA Security Association
SAK SA KEK Payload
SEQ Sequence Number Payload
SAT SA TEK Payload
SID Sender-ID
TEK Traffic Encryption Key
Weis, et al. Expires September 15, 2011 [Page 7]
Internet-Draft GDOI March 2011
2. GDOI Phase 1 protocol
The GDOI GROUPKEY-PULL exchange is a "phase 2" protocol which MUST be
protected by a "phase 1" protocol. The "phase 1" protocol can be any
protocol which provides for the following protections:
o Peer Authentication
o Confidentiality
o Message Integrity
The following sections describe one such "phase 1" protocol. Other
protocols which may be potential "phase 1" protocols are described in
Appendix A. However, the use of the protocols listed there are not
considered part of this document.
2.1. ISAKMP Phase 1 protocol
This document defines how the ISAKMP phase 1 exchanges as defined in
[RFC2409] can be used a "phase 1" protocol for GDOI. The following
sections define characteristics of the ISAKMP phase 1 protocols that
are unique for these exchanges when used for GDOI.
Section 7.1 describes how the ISAKMP Phase 1 protocols meet the
requirements of a GDOI "phase 1" protocol.
2.1.1. DOI value
The Phase 1 SA payload has a DOI value. That value MUST be the GDOI
DOI value as defined later in this document.
2.1.2. UDP port
IANA has assigned port 848 for the use of GDOI, which allows for an
implementation to use separate ISAKMP implementations to service GDOI
and IKEv1 [RFC2409]. A GCKS SHOULD listen on this port for GROUPKEY-
PULL exchanges, and the GCKS MAY use this port to distribute
GROUPKEY-PUSH messages. An ISAKMP phase 1 exchange implementation
supporting NAT Traversal [RFC3947] may move to port 4500 to process
the GROUPKEY-PULL exchange.
Weis, et al. Expires September 15, 2011 [Page 8]
Internet-Draft GDOI March 2011
3. GROUPKEY-PULL Exchange
The goal of the GROUPKEY-PULL exchange is to establish a Re-key
and/or Data-security SAs at the member for a particular group. A
Phase 1 SA protects the GROUPKEY-PULL; there MAY be multiple
GROUPKEY-PULL exchanges for a given Phase 1 SA. The GROUPKEY-PULL
exchange downloads the data security keys (TEKs) and/or group key
encrypting key (KEK) or KEK array under the protection of the Phase 1
SA.
3.1. Authorization
The Phase 1 identity SHOULD be used by a GCKS to authorize the Phase
2 (GROUPKEY-PULL) request for a group key. A group member MUST
ensure that the Phase 1 identity of the GCKS is an authorized GCKS.
When no authorization is performed, it is possible for a rogue GDOI
participant to perpetrate a man-in-the-middle attack between a group
member and a GCKS [MP04].
3.2. Messages
The GROUPKEY-PULL is a Phase 2 exchange. Phase 1 computes SKEYID_a
which is the "key" in the keyed hash used in the GROUPKEY-PULL HASH
payloads. When using the Phase 1 defined in this document, SKEYID_a
is derived according to [RFC2409]. As with the IKEv1 HASH payload
generation (Section 5.5 of [RFC2409], each GROUPKEY-PULL message
hashes a uniquely defined set of values (described below). Nonces
permute the HASH and provide some protection against replay attacks.
Replay protection is important to protect the GCKS from attacks that
a key management server will attract.
The GROUPKEY-PULL uses nonces to guarantee "liveness" as well as
against replay of a recent GROUPKEY-PULL message. The replay attack
is only possible in the context of the current Phase 1. If a
GROUPKEY-PULL message is replayed based on a previous Phase 1, the
HASH calculation will fail due to a wrong SKEYID_a. The message will
fail processing before the nonce is ever evaluated.
In order for either peer to get the benefit of the replay protection,
it must postpone as much processing as possible until it receives the
message in the protocol that proves the peer is live. For example,
the GCKS MUST NOT adjust its internal state (e.g., keeping a record
of the GM) until it receives a message with Nr included properly in
the HASH payload. This requirement ensures that replays of GDOI
messages will not cause the GCKS to change the state of the group
until it has confirmation that the initiating group member is live.
Weis, et al. Expires September 15, 2011 [Page 9]
Internet-Draft GDOI March 2011
Group Member GCKS
------------ ----
HDR*, HASH(1), Ni, ID -->
<-- HDR*, HASH(2), Nr, SA
HDR*, HASH(3) [,GAP] -->
<-- HDR*, HASH(4), [SEQ,] KD
* Protected by the Phase 1 SA, encryption occurs after HDR
HDR is an ISAKMP header payload that uses the Phase 1 cookies and a
message identifier (M-ID) as in IKEv1.
Hashes are computed in the manner described within RFC 2409. Each
HASH computation (shown below) is a prf over the message id (M-ID)
from the ISAKMP header concatenated with the entire message that
follows the hash including all payload headers, but excluding any
padding added for encryption. The GM expects to find its nonce, Ni,
in the HASH of a returned message. And the GCKS expects to see its
nonce, Nr, in the HASH of a returned message. HASH(2), HASH(3), and
HASH(4) also include nonce values previously passed in the protocol
(i.e., Ni or Nr minus the payload header). The nonce passed in Ni is
represented as Ni_b, and the nonce passed in Nr is represented as
Nr_b. The HASH payloads prove that the peer has the Phase 1 secret
(SKEYID_a) and the nonce for the exchange identified by message id,
M-ID.
HASH(1) = prf(SKEYID_a, M-ID | Ni | ID)
HASH(2) = prf(SKEYID_a, M-ID | Ni_b | Nr | SA)
HASH(3) = prf(SKEYID_a, M-ID | Ni_b | Nr_b [ | GAP ])
HASH(4) = prf(SKEYID_a, M-ID | Ni_b | Nr_b [ | SEQ ] | KD)
In addition to the Nonce and HASH payloads, the GM identifies the
group it wishes to join through the ISAKMP ID payload.
The GCKS informs the member of the cryptographic policies of the
group in the SA payload, which describes the DOI, KEK and/or TEK
keying material, authentication transforms, and other group policy.
The SPIs are also determined by the GCKS and downloaded in the SA
payload chain (see Section 5.2). The SA KEK attribute contains the
ISAKMP cookie pair for the Re-key SA, which is not negotiated but
downloaded. Each SA TEK attribute contains a SPI as defined in
Section 5.5 of this document.
After receiving and parsing the SA payload, the GM responds with an
acknowledgement message proving its liveness. It optionally includes
a GAP payload requesting resources.
Weis, et al. Expires September 15, 2011 [Page 10]
Internet-Draft GDOI March 2011
The GCKS informs the GM of the value of the sequence number in the
SEQ payload. This sequence number provides anti-replay state
associated with a KEK, and its knowledge ensure that the GM will not
accept GROUPKEY-PULL messages sent prior to the GM joining the group.
The SEQ payload has no other use, and is omitted from the
GROUPKEY_PULL exchange when a KEK attribute is not included in the SA
payload. When a SEQ payload is included in the GROUPKEY-PULL
exchange, it includes the most recently used sequence number for the
group. At the conclusion of a GROUPKEY-PULL exchange, the initiating
group member MUST NOT accept any rekey message with both the KEK
attribute SPI value and a sequence number less than or equal to the
one received during the GROUPKEY-PULL. When the first group member
initiates a GROUPKEY-PULL exchange, the GCKS provides a Sequence
Number of zero, since no GROUPKEY-PUSH messages have yet been sent.
Note the sequence number increments only with GROUPKEY-PUSH messages.
The GROUPKEY-PULL exchange distributes the current sequence number to
the group member. The sequence number resets to a value of one with
the usage of a new KEK attribute. Thus the first packet sent for a
given Rekey SA will have a Sequence Number of 1. The sequence number
increments with each successive rekey.
The GCKS always returns a KD payload containing keying material to
the GM. If a Re-key SA is defined in the SA payload, then KD will
contain the KEK; if one or more Data-security SAs are defined in the
SA payload, KD will contain the TEKs.
3.2.1. ISAKMP Header Initialization
Cookies are used in the ISAKMP header to identify a particular GDOI
session. The GDOI GROUPKEY-PULL exchange uses cookies according to
ISAKMP [RFC2408].
Next Payload identifies an ISAKMP or GDOI payload (see Section 5.0).
Major Version is 1 and Minor Version is 0 according to ISAKMP
(Section 3.1 of [RFC2408]).
The Exchange Type has value 32 for the GDOI GROUPKEY-PULL exchange.
Flags, Message ID, and Length are according to ISAKMP (Section 3.1 of
[RFC2408]).
3.3. Group Member Operations
Before a GM contacts the GCKS, it must determine the group identifier
and acceptable Phase 1 policy via an out-of-band method. Phase 1 is
initiated using the GDOI DOI in the SA payload. Once Phase 1 is
complete, the GM state machine moves to the GDOI protocol.
Weis, et al. Expires September 15, 2011 [Page 11]
Internet-Draft GDOI March 2011
To construct the first GDOI message the GM chooses Ni and creates a
nonce payload, builds an identity payload including the group
identifier, and generates HASH(1).
Upon receipt of the second GDOI message, the GM validates HASH(2),
extracts the nonce Nr, and interprets the SA payload. The SA payload
contains policy describing the security protocol and cryptographic
protocols used by the group. This policy describes the Re-key SA (if
present), Data-security SAs, and other group policy. If the policy
in the SA payload is acceptable to the GM, it continues the protocol.
Otherwise, the GM SHOULD tear down the Phase 1 session after first
notifying the GCKS that it is doing so. If a Data-security SA
describes the use of a counter mode cipher, the GM determines whether
it requires more than one Sender-ID (SID) (see Section 3.5). If so,
it includes a GAP payload indicating how many SID values it requires.
When constructing the third GDOI message, it first reviews each Data-
security SA given to it. If any include a cipher counter mode, it
needs to request for one or more Sender-IDs for its exclusive use
within the counter mode nonce. Do to this, the GM will include a GAP
payload with its request, as described in the Section 5.4 section of
this document. The GM the completes construction of the third GDOI
message by creating HASH(3).
Upon receipt of the fourth GDOI message, the GM validates HASH(4).
If the SEQ payload is present, the sequence number in the SEQ payload
must be checked against any previously received sequence number for
this group. If it is less than the previously received number, it
should be considered stale and ignored.
The GM interprets the KD key packets, where each key packet includes
the keying material for SAs distributed in the SA payload. Keying
material is matched by comparing the SPIs in the key packets to SPIs
previously sent in the SA payloads. Once TEK keys and policy are
matched, the GM provides them to the data security subsystem, and it
is ready to send or receive packets matching the TEK policy. If this
group has a KEK, the KEK policy and keys are marked as ready for use,
and the GM knows to expect the sequence number reset to 1 with the
next Rekey SA, which will be encrypted with the new KEK attribute.
The GM is now ready to receive GROUPKEY-PUSH messages.
If the KD payload included an LKH array of keys, the GM takes the
last key in the array as the group KEK. The array is then stored
without further processing.
Weis, et al. Expires September 15, 2011 [Page 12]
Internet-Draft GDOI March 2011
3.4. GCKS Operations
The GCKS passively listens for incoming requests from group members.
The Phase 1 authenticates the group member and sets up the secure
session with them.
Upon receipt of the first GDOI message the GCKS validates HASH(1),
extracts the Ni and group identifier in the ID payload. It verifies
that its database contains the group information for the group
identifier, and that the GM is authorized to participate in the
group.
The GCKS constructs the second GDOI message, including a nonce Nr,
and the policy for the group in an SA payload, followed by SA KEK,
GAP, and/or SA TEK payloads according to the GCKS policy. (See
Section 5.2.1 for details on how the GCKS chooses which payloads to
send.)
Upon receipt of the third GDOI message the GCKS validates HASH(3).
If the message includes a GAP payload, it caches the requests
included in that payload for use of constructing the fourth GDOI
message.
The GCKS constructs the fourth GDOI message, including the SEQ
payload (if the GCKS sends rekey messages), and the KD payload
containing keys corresponding to policy previously sent in the SA TEK
and SA KEK payloads. If a group management algorithm is defined as
part of group policy, the GCKS will first insert the group member
into the group management structure (e.g., a leaf in the LKH tree),
and then create an LKH array of keys and include it in the KD
payload. The first key in the array is associated with the group
member leaf node, followed by each LKH node above it in the tree,
culminating with the root node (which is also the KEK). If one or
more Data-Security SAs distributed in the SA payload included a
counter mode of operation, the GCKS includes at least one SID value
in the KD payload, and possibly more depending on a request received
in the third GDOI message.
3.5. Counter-modes of operation
Several new counter-based modes of operation have been specified for
ESP (e.g., AES-CTR [RFC3686], AES-GCM [RFC4106], AES-CCM [RFC4309],
AES-GMAC [RFC4543]) and AH (e.g., AES-GMAC [RFC4543]). These
counter-based modes require that no two senders in the group ever
send a packet with the same Initialization Vector (IV) using the same
cipher key and mode. This requirement is met in GDOI when the
following requirements are met:
Weis, et al. Expires September 15, 2011 [Page 13]
Internet-Draft GDOI March 2011
o The GCKS distributes a unique key for each Data-Security SA.
o The GCKS uses the method described in [RFC6054], which assigns
each sender a portion of the IV space by provisioning each sender
with one or more unique SID values.
When at least one Data-Security SAs included in the group policy
includes a counter-mode, the GCKS automatically allocates and
distributes one SID to each group member acting in the role of sender
on the Data-Security SA. The SID value is used exclusively by the
group member to which it was allocated. The group member uses the
same SID for each Data-Security SA specifying the use of a counter-
based mode of operation. A GCKS MUST distribute unique keys for each
Data-Security SA including a counter-based mode of operation in order
to maintain a unique key and nonce usage.
When a group member receives a Data-Security SA in a SA TEK payload
for which it is a sender, it can choose to request one or more SID
values. Requesting a value of 1 is not necessary since the GCKS will
automatically allocate exactly one to the sending group member. A
group member MUST request as many SIDs matching the number of
encryption modules in which it will be installing the TEKs in the
outbound direction. Alternatively, a group member MAY request more
than one SID and use them serially. This could be useful when it is
anticipated that the group member will exhaust their range of Data-
Security SA nonces using a single SID too quickly (e.g., before the
time-based policy in the TEK expires).
When group policy includes a counter-based mode of operation, a GCKS
SHOULD use the following method to allocate SID values, which ensures
that each SID will be allocated to just one group member.
1. A GCKS maintains an SID-counter, which records which SIDs that
have been allocated. SIDs are allocated sequentially, with the
first SID allocated to be zero.
2. Each time an SID is allocated, the current value of the counter
is saved and allocated to the group member. The SID-counter is
then incremented in preparation for the next allocation.
3. When the GCKS distributes an Data-Security SA specifying a
counter-based mode of operation, and a group member is a sender,
a group member may request a count of SIDs in a GAP payload.
When the GCKS receives this request, it increments the SID-
counter once for each requested SID, and distributes each SID
value to the group member.
Weis, et al. Expires September 15, 2011 [Page 14]
Internet-Draft GDOI March 2011
4. A GCKS allocates new SID values for each GROUPKEY-PULL exchange
originated by a sender, regardless of whether a group member had
previously contacted the GCKS. In this way, the GCKS does not
have a requirement of maintaining a record of which SID values it
had previously allocated to each group member. More importantly,
since the GCKS cannot reliably detect whether the group member
had sent data on the current group Data-Security SAs it does not
know what Data-Security counter-mode nonce values that a group
member has used. By distributing new SID values, the key server
ensures that each time a conforming group member installs a Data-
Security SA it will use a unique set of counter-based mode
nonces.
5. When the SID-counter maintained by the GCKS reaches its final SID
value, no more SID values can be distributed. Before
distributing any new SID values, the GCKS MUST delete the Data-
Security SAs for the group, followed by creation of new Data-
Security SAs, and resetting the SID-counter to its initial value.
6. The GCKS SHOULD send a GROUPKEY-PUSH message deleting all Data-
Security SAs and the Rekey SA for the group. This will result in
the group members initiating a new GROUPKEY-PULL exchange, in
which they will receive both new SID values and new Data-Security
SAs. The new SID values can safely be used because they are only
used with the new Data-Security SAs. Note that deletion of the
Rekey SA is necessary to ensure that group members receiving a
GROUPKEY-PUSH exchange before the re-register do not
inadvertently use their old SIDs with the new Data-Security SAs.
Using the method above, at no time can two group members use the same
IV values with the same Data-Security SA key.
Weis, et al. Expires September 15, 2011 [Page 15]
Internet-Draft GDOI March 2011
4. GROUPKEY-PUSH Message
GDOI sends control information securely using group communications.
Typically this will be using IP multicast distribution of a GROUPKEY-
PUSH message but it can also be "pushed" using unicast delivery if IP
multicast is not possible. The GROUPKEY-PUSH message replaces a Re-
key SA KEK or KEK array, and/or creates a new Data-security SA.
GM GCKS
-- ----
<---- HDR*, SEQ, [D,] SA, KD, SIG
* Protected by the Re-key SA KEK; encryption occurs after HDR
HDR is defined below. The SEQ payload is defined in the Payloads
section. One or more D (Delete) payloads (further described in
Section 5.9) optionally specify the deletion of existing group
policy. The SA defines the group policy for replacement Re-key SA
and/or Data-security SAs as described in the Payloads section, with
the KD providing keying material for those SAs.
The SIG payload includes a signature of a hash of the entire
GROUPKEY-PUSH message (excepting the SIG payload bytes) before it has
been encrypted. The HASH is taken over the string 'rekey', the
GROUPKEY-PUSH HDR, followed by all payloads preceding the SIG
payload. The prefixed string ensures that the signature of the Rekey
datagram cannot be used for any other purpose in the GDOI protocol.
The SIG payload is created using the signature of the above hash,
with the receiver verifying the signature using a public key
retrieved in a previous GDOI exchange. The current KEK encryption
key (also previously distributed in a GROUPKEY-PULL exchange or
GROUPKEY-PUSH message) encrypts all the payloads following the
GROUPKEY-PUSH HDR. Note: The rationale for this order of operations
is given in Section 7.3.5.
If the SA defines the use of a single KEK or an LKH KEK array, KD
MUST contain a corresponding KEK or KEK array for a new Re-key SA,
which has a new cookie pair. When the KD payload carries a new SA
KEK attribute (section 5.3), a Re-key SA is replaced with a new SA
having the same group identifier (ID specified in message 1 of
section 3.2) and incrementing the same sequence counter, which is
initialized in message 4 of section 3.2. Note the first packet for
the given Rekey SA encrypted with the new KEK attribute will have a
Sequence number of 1. If the SA defines an SA TEK payload, this
informs the member that a new Data-security SA has been created, with
keying material carried in KD (Section 5.6).
If the SA defines a large LKH KEK array (e.g., during group
Weis, et al. Expires September 15, 2011 [Page 16]
Internet-Draft GDOI March 2011
initialization and batched rekeying), parts of the array MAY be sent
in different unique GROUPKEY-PUSH datagrams. However, each of the
GROUPKEY-PUSH datagrams MUST be a fully formed GROUPKEY-PUSH
datagram. This results in each datagram containing a sequence number
and the policy in the SA payload, which corresponds to the KEK array
portion sent in the KD payload.
4.1. Use of signature keys
A signing key should not be used in more than one context (e.g., used
for host authentication and also for message authentication). Thus,
the GCKS SHOULD NOT use the same key to sign the SIG payload in the
GROUPKEY-PUSH message as was used for authentication in the GROUPKEY-
PULL exchange.
4.2. ISAKMP Header Initialization
Unlike ISAKMP or IKEv1, the cookie pair is completely determined by
the GCKS. The cookie pair in the GDOI ISAKMP header identifies the
Re-key SA to differentiate the secure groups managed by a GCKS.
Thus, GDOI uses the cookie fields as an SPI.
Next Payload identifies an ISAKMP or GDOI payload (see Section 5.0).
Major Version is 1 and Minor Version is 0 according to ISAKMP
(Section 3.1 of [RFC2408]).
The Exchange Type has value 33 for the GDOI GROUPKEY-PUSH message.
Flags MUST have the Encryption bit set according to [RFC2008, Section
3.1]. All other bits MUST be set to zero.
Message ID MUST be set to zero.
Length is according to ISAKMP (Section 3.1 of [RFC2408]).
4.3. GCKS Operations
GCKS may initiate a Rekey message for one of several reasons, e.g.,
the group membership has changed or keys are due to expire.
To begin the rekey datagram the GCKS builds an ISAKMP HDR with the
correct cookie pair, and a SEQ payload that includes a sequence
number which is one greater than the previous rekey datagram. If the
message is using the new KEK attribute for the first time, the SEQ is
reset to 1 in this message.
An SA payload is then added. This is identical in structure and
Weis, et al. Expires September 15, 2011 [Page 17]
Internet-Draft GDOI March 2011
meaning to a SA payload sent in a GROUPKEY-PULL exchange. If there
are changes to the KEK (including due to group members being
excluded, in the case of LKH), an SA_KEK attribute is added to the
SA. If there are one or more new TEKs then SA_TEK attributes are
added to describe that policy.
A KD payload is then added. This is identical in structure and
meaning to a KD payload sent in a GROUPKEY-PULL exchange. If an
SA_KEK attribute was included in the SA payload then corresponding
KEK keys (or a KEK update array) is included. A KEK update array is
created by first determining which group members have been excluded,
and then generating new keys as necessary and distribute LKH update
arrays sufficient to provide the new KEK to remaining group members
(see Section 5.4.1 of [RFC2627] for details). TEK keys are also sent
for each SA_TEK attribute included in the SA payload.
In the penultimate step, the GCKS creates the SIG payload and adds it
to the datagram.
Lastly, the payloads following the HDR are encrypted using the
current KEK encryption key. The datagram can now be sent.
4.4. Group Member Operations
A group member receiving the GROUPKEY-PUSH datagram matches the
cookie pair in the ISAKMP HDR to an existing SA. The message is
decrypted, and the form of the datagram is validated. This weeds out
obvious ill-formed messages (which may be sent as part of a Denial of
Service attack on the group).
The sequence number in the SEQ payload is validated to ensure that it
is greater than the previously received sequence number, and that it
fits within a window of acceptable values. The SIG payload is then
validated. If the signature fails, the message is discarded.
The SA and KD payloads are processed which results in a new GDOI
Rekey-SA (if the SA payload included an SA_KEK attribute) and/or new
Data-security SAs being added to the system. If the KD payload
includes an LKH update array, the group member compares the LKH ID in
each key update packet to the LKH IDs that it holds. If it finds a
match, it decrypts the key using the key prior to it in the key array
and stores the new key in the LKH key array that it holds. The final
decryption yields the new group KEK.
If the SA payload includes Data-Security SA including a counter-modes
of operation and the receiving group member is a sender for that SA,
the group member uses its current SID value with the Data-Security
SAs to create counter-mode nonces. If it is a sender and does not
Weis, et al. Expires September 15, 2011 [Page 18]
Internet-Draft GDOI March 2011
hold a current SID value, it MUST NOT install the Data-Security SAs.
It MAY initiate a GROUPKEY-PULL exchange to the GCKS in order to
obtain an SID value (along with current group policy).
Weis, et al. Expires September 15, 2011 [Page 19]
Internet-Draft GDOI March 2011
5. Payloads and Defined Values
This document specifies use of several ISAKMP payloads, which are
defined in accordance with RFC 2408. The following payloads are
extended or further specified.
Next Payload Type Value
----------------- -----
Security Association (SA) 1
Identification (ID) 5
Nonce (N) 10
Several payload formats specific to the group security exchanges are
required.
Next Payload Type Value
----------------- -----
SA KEK Payload (SAK) 15
SA TEK Payload (SAT) 16
Key Download (KD) 17
Sequence Number (SEQ) 18
Group Associated Policy (GAP) TBD-1
5.1. Identification Payload
The Identification Payload is defined in RFC 2408. For the GDOI, it
is used to identify a group identity that will later be associated
with Security Associations for the group. A group identity may map
to a specific IP multicast group, or may specify a more general
identifier, such as one that represents a set of related multicast
streams.
When used with the GDOI, the DOI Specific ID Data field MUST be set
to 0.
When used with the GDOI, the ID_KEY_ID ID Type MUST be supported by a
conforming implementation, and MUST specify a four (4)-octet group
identifier as its value. Implementations MAY also support other ID
Types.
5.2. Security Association Payload
The Security Association payload is defined in RFC 2408. For the
GDOI, it is used by the GCKS to assert security attributes for both
Re-key and Data-security SAs.
Weis, et al. Expires September 15, 2011 [Page 20]
Internet-Draft GDOI March 2011
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! Next Payload ! RESERVED ! Payload Length !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! DOI !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! Situation !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! SA Attribute Next Payload ! RESERVED2 !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
The Security Association Payload fields are defined as follows:
o Next Payload (1 octet) -- Identifies the next payload for the
GROUPKEY-PULL or the GROUPKEY-PUSH message as defined above. The
next payload MUST NOT be a SAK Payload or SAT Payload type, but the
next non-Security Association type payload.
o RESERVED (1 octet) -- Must be zero.
o Payload Length (2 octets) -- Is the octet length of the current
payload including the generic header and all TEK and KEK payloads.
o DOI (4 octets) -- Is the GDOI, which is value 2.
o Situation (4 octets) -- Must be zero.
o SA Attribute Next Payload (1 octet) -- Must be either a SAK Payload
or a SAT Payload. See section 5.2.1 for a description of which
circumstances are required for each payload type to be present.
o RESERVED (2 octets) -- Must be zero.
5.2.1. Payloads following the SA payload
Payloads that define specific security association attributes for the
KEK and/or TEKs used by the group MUST follow the SA payload. How
many of each payload is dependent upon the group policy. There may
be zero or one SAK Payload, zero or one GAP Payload, and zero or more
SAT Payloads, where either one SAK or SAT payload MUST be present.
When present, the order of the SA Attributes payloads must be: KEK,
GAP, and TEKs.
This latitude regarding SA Attributes payloads allows various group
policies to be accommodated. For example if the group policy does
not require the use of a Re-key SA, the GCKS would not need to send
an SA KEK attribute to the group member since all SA updates would be
Weis, et al. Expires September 15, 2011 [Page 21]
Internet-Draft GDOI March 2011
performed using the Registration SA. Alternatively, group policy
might use a Re-key SA but choose to download a KEK to the group
member only as part of the Registration SA. Therefore, the KEK
policy (in the SA KEK attribute) would not be necessary as part of
the Re-key SA message SA payload.
Specifying multiple SATs allows multiple sessions to be part of the
same group and multiple streams to be associated with a session
(e.g., video, audio, and text) but each with individual security
association policy.
A GAP payload allows for the distribution of group-wise policy, such
as instructions as to when to activate and de-activate SAs.
5.3. SA KEK payload
The SA KEK (SAK) payload contains security attributes for the KEK
method for a group and parameters specific to the GROUPKEY-PULL
operation. The source and destination identities describe the
identities used for the GROUPKEY-PULL datagram.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! Next Payload ! RESERVED ! Payload Length !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! Protocol ! SRC ID Type ! SRC ID Port !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
!SRC ID Data Len! SRC Identification Data ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! DST ID Type ! DST ID Port !DST ID Data Len!
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! DST Identification Data ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! !
~ SPI ~
! !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! RESERVED2 !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
~ KEK Attributes ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
The SAK Payload fields are defined as follows:
o Next Payload (1 octet) -- Identifies the next payload for the
GROUPKEY-PULL or the GROUPKEY-PUSH message. The only valid next
Weis, et al. Expires September 15, 2011 [Page 22]
Internet-Draft GDOI March 2011
payload types for this message are a GAP Payload, SAT Payload or zero
to indicate that no SA Attribute payloads follow.
o RESERVED (1 octet) -- Must be zero.
o Payload Length (2 octets) -- Length of this payload, including the
KEK attributes.
o Protocol (1 octet) -- Value describing an IP protocol ID (e.g.,
UDP/TCP) for the rekey datagram.
o SRC ID Type (1 octet) -- Value describing the identity information
found in the SRC Identification Data field. Defined values are
specified by the IPsec Identification Type section in the IANA
isakmpd-registry [ISAKMP-REG].
o SRC ID Port (2 octets) -- Value specifying a port associated with
the source Id. A value of zero means that the SRC ID Port field
should be ignored.
o SRC ID Data Len (1 octet) -- Value specifying the length of the SRC
Identification Data field.
o SRC Identification Data (variable length) -- Value, as indicated by
the SRC ID Type.
o DST ID Type (1 octet) -- Value describing the identity information
found in the DST Identification Data field. Defined values are
specified by the IPsec Identification Type section in the IANA
isakmpd-registry [ISAKMP-REG].
o DST ID Prot (1 octet) -- Value describing an IP protocol ID (e.g.,
UDP/TCP).
o DST ID Port (2 octets) -- Value specifying a port associated with
the source Id.
o DST ID Data Len (1 octet) -- Value specifying the length of the DST
Identification Data field.
o DST Identification Data (variable length) -- Value, as indicated by
the DST ID Type.
o SPI (16 octets) -- Security Parameter Index for the KEK. The SPI
must be the ISAKMP Header cookie pair where the first 8 octets become
the "Initiator Cookie" field of the GROUPKEY-PUSH message ISAKMP HDR,
and the second 8 octets become the "Responder Cookie" in the same
HDR. As described above, these cookies are assigned by the GCKS.
Weis, et al. Expires September 15, 2011 [Page 23]
Internet-Draft GDOI March 2011
o RESERVED2 (4 octets) -- Must be zero. This bytes represent fields
previously defined but no longer used by GDOI.
o KEK Attributes -- Contains KEK policy attributes associated with
the group. The following sections describe the possible attributes.
Any or all attributes may be optional, depending on the group policy.
5.3.1. KEK Attributes
The following attributes may be present in a SAK Payload. The
attributes must follow the format defined in ISAKMP (Section 3.3 of
[RFC2408]). In the table, attributes that are defined as TV are
marked as Basic (B); attributes that are defined as TLV are marked as
Variable (V).
ID Class Value Type
-------- ----- ----
RESERVED 0
KEK_MANAGEMENT_ALGORITHM 1 B
KEK_ALGORITHM 2 B
KEK_KEY_LENGTH 3 B
KEK_KEY_LIFETIME 4 V
SIG_HASH_ALGORITHM 5 B
SIG_ALGORITHM 6 B
SIG_KEY_LENGTH 7 B
KE_OAKLEY_GROUP 8 B
Standards Action 9-127
Private Use 128-255
Unassigned 256-32767
The KEK_MANAGEMENT_ALGORITHM attribute may only be included in a
GROUPKEY-PULL message.
5.3.2. KEK_MANAGEMENT_ALGORITHM
The KEK_MANAGEMENT_ALGORITHM class specifies the group KEK management
algorithm used to provide forward or backward access control (i.e.,
used to exclude group members). Defined values are specified in the
following table.
Weis, et al. Expires September 15, 2011 [Page 24]
Internet-Draft GDOI March 2011
KEK Management Type Value
------------------- -----
RESERVED 0
LKH 1
Standards Action 2-127
Private Use 128-255
5.3.2.1. LKH
This type indicates the group management method described in Section
5.4 of [RFC2627]. A general discussion of LKH operations can also be
found in Section 6.3 of Multicast and Group Security [HD03]
5.3.3. KEK_ALGORITHM
The KEK_ALGORITHM class specifies the encryption algorithm in which
the KEK is used to provide confidentiality for the GROUPKEY-PUSH
message. Defined values are specified in the following table. A
GDOI implementation MUST abort if it encounters an attribute or
capability that it does not understand.
Algorithm Type Value
-------------- -----
RESERVED 0
KEK_ALG_DES 1
KEK_ALG_3DES 2
KEK_ALG_AES 3
Standards Action 4-127
Private Use 128-255
Unassigned 256-32767
If a KEK_MANAGEMENT_ALGORITHM is defined which defines multiple keys
(e.g., LKH), and if the management algorithm does not specify the
algorithm for those keys, then the algorithm defined by the
KEK_ALGORITHM attribute MUST be used for all keys which are included
as part of the management.
5.3.3.1. KEK_ALG_DES
This type specifies DES using the Cipher Block Chaining (CBC) mode as
described in [FIPS81].
5.3.3.2. KEK_ALG_3DES
This type specifies 3DES using three independent keys as described in
"Keying Option 1" in [FIPS46-3].
Weis, et al. Expires September 15, 2011 [Page 25]
Internet-Draft GDOI March 2011
5.3.3.3. KEK_ALG_AES
This type specifies AES as described in [FIPS197]. The mode of
operation for AES is Cipher Block Chaining (CBC) as recommended in
[SP.800-38A].
5.3.4. KEK_KEY_LENGTH
The KEK_KEY_LENGTH class specifies the KEK Algorithm key length (in
bits). The Group Controller/Key Server (GCKS) adds the
KEK_KEY_LENGTH attribute to the SA payload when distributing KEK
policy to group members. The group member verifies whether or not it
has the capability of using a cipher key of that size. If the cipher
definition includes a fixed key length (e.g., KEK_ALG_3DES), the
group member can make its decision solely using the KEK_ALGORITHM
attribute and does not need the KEK_KEY_LENGTH attribute. Sending
the KEK_KEY_LENGTH attribute in the SA payload is OPTIONAL if the KEK
cipher has a fixed key length. Also, note that the KEK_KEY_LEN
includes only the actual length of the cipher key (the IV length is
not included in this attribute).
5.3.5. KEK_KEY_LIFETIME
The KEK_KEY_LIFETIME class specifies the maximum time for which the
KEK is valid. The GCKS may refresh the KEK at any time before the
end of the valid period. The value is a four (4) octet number
defining a valid time period in seconds.
5.3.6. SIG_HASH_ALGORITHM
SIG_HASH_ALGORITHM specifies the SIG payload hash algorithm. The
following table defines the algorithms for SIG_HASH_ALGORITHM.
Weis, et al. Expires September 15, 2011 [Page 26]
Internet-Draft GDOI March 2011
Algorithm Type Value
-------------- -----
RESERVED 0
SIG_HASH_MD5 1
SIG_HASH_SHA1 2
SIG_HASH_SHA256 TBD-2
SIG_HASH_SHA384 TBD-3
SIG_HASH_SHA512 TBD-4
Standards Action 3-127
Private Use 128-255
Unassigned 256-32767
The SHA hash algorithms are defined in the Secure Hash
Standard[FIPS.180-2.2002].
If the SIG_ALGORITHM is SIG_ALG_ECDSA-256, SIG_ALG_ECDSA-384, or
SIG_ALG_ECDSA-521 the hash algorithm is implicit in the definition,
and SIG_HASH_ALGORITHM is not required to be present in a SAK
Payload.
5.3.7. SIG_ALGORITHM
The SIG_ALGORITHM class specifies the SIG payload signature
algorithm. Defined values are specified in the following table.
Algorithm Type Value
-------------- -----
RESERVED 0
SIG_ALG_RSA 1
SIG_ALG_DSS 2
SIG_ALG_ECDSS 3
SIG_ALG_RSA_PSS TBD-6
SIG_ALG_ECDSA-256 TBD-7
SIG_ALG_ECDSA-384 TBD-8
SIG_ALG_ECDSA-521 TBD-9
Standards Action 4-127
Private Use 128-255
Unassigned 256-32767
5.3.7.1. SIG_ALG_RSA
This algorithm specifies the RSA digital signature algorithm using
the EMSA-PKCS1-v1_5 encoding method, as described in [RFC3447].
5.3.7.2. SIG_ALG_DSS
This algorithm specifies the DSS digital signature algorithm as
described in Section 4 of [FIPS186-3].
Weis, et al. Expires September 15, 2011 [Page 27]
Internet-Draft GDOI March 2011
5.3.7.3. SIG_ALG_ECDSS
This algorithm specifies the Elliptic Curve digital signature
algorithm as described in Section 5 of [FIPS186-3]. This definition
is deprecated in favor of the SIG_ALG_ECDSA family of algorithms.
5.3.7.4. SIG_ALG_RSA_PSS
This algorithm specifies the RSA digital signature algorithm using
the EMSA-PSS encoding method, as described in [RFC3447].
5.3.7.5. SIG_ALG_ECDSA-256
This algorithm specifies the 256-bit Random ECP Group, as described
in [RFC5903]. The format of the signature in the SIG payload MUST be
as specified in [RFC4754].
5.3.7.6. SIG_ALG_ECDSA-384
This algorithm specifies the 384-bit Random ECP Group, as described
in [RFC5903]. The format of the signature in the SIG payload MUST be
as specified in [RFC4754].
5.3.7.7. SIG_ALG_ECDSA-521
This algorithm specifies the 521-bit Random ECP Group, as described
in [RFC5903]. The format of the signature in the SIG payload MUST be
as specified in [RFC4754].
5.3.8. SIG_KEY_LENGTH
The SIG_KEY_LENGTH class specifies the length of the SIG payload key
in bits.
5.4. Group Associated Policy
A GCKS may have group-specific policy that is not distributed in an
SA TEK or SA KEK. Some of this policy is relevant to all group
members, and some is sender-specific policy for a particular group
member. The former can be distributed in either a GROUPKEY-PULL or
GROUPKEY-PUSH exchange, whereas the latter MUST only be sent in a
GROUPKEY-PULL exchange. Additionally, a group member sometimes has
the need to make policy requests for resources of the GCKS in a
GROUPKEY-PULL exchange. GDOI distributes this associated group
policy and policy requests in the Group Associated Policy (GAP)
payload.
The GAP payload can be distributed by the GCKS as part of the SA
Weis, et al. Expires September 15, 2011 [Page 28]
Internet-Draft GDOI March 2011
payload. It follows any SA KEK payload, and is placed before any SA
TEK payloads. In the case that group policy does not include an SA
KEK, the SA Attribute Next Payload field in the SA payload MAY
indicate the SA GAP payload.
The GAP payload can be optionally included by a group member in
message 3 of the GROUPKEY-PULL exchange in order to make policy
requests.
The SA GAP payload is defined as follows:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! Next Payload ! RESERVED ! Payload Length !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! Group Associated Policy Attributes ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
The SA GAP payload fields are defined as follows:
o Next Payload (1 octet) -- Identifies the next payload present in
the GROUPKEY-PULL or the GROUPKEY-PUSH message. The only valid
next payload type for this message is an SA TEK or zero to
indicate there are no more security association attributes.
o RESERVED (1 octet) -- Must be zero.
o Payload Length (2 octets) -- Length of this payload, including the
SA GAP header and Attributes.
o Group Associated Policy Attributes (variable) -- Contains
attributes following the format defined in Section 3.3 of RFC
2408.
Several group associated policy attributes are defined in this memo.
An GDOI implementation MUST abort if it encounters an attribute or
capability that it does not understand. The values for these
attributes are included in the IANA Considerations section of this
memo.
5.4.1. ACTIVATION_TIME_DELAY/DEACTIVATION_TIME_DELAY
Section 4.2.1 of RFC 5374 specifies a key rollover method that
requires two values be given it from the group key management
protocol. The ACTIVATION_TIME_DELAY attribute allows a GCKS to set
the Activation Time Delay (ATD) for SAs generated from TEKs. The ATD
defines how long after receiving new SAs that they are to be
Weis, et al. Expires September 15, 2011 [Page 29]
Internet-Draft GDOI March 2011
activated by the GM. The ATD value is in seconds.
The DEACTIVATION_TIME_DELAY allows the GCKS to set the Deactivation
Time Delay (DTD) for previously distributed SAs. The DTD defines how
long after receiving new SAs that it should deactivate SAs that are
destroyed by the re-key event. The value is in seconds.
The values of ATD and DTD are independent. However, the DTD value
should be larger, which allows new SAs to be activated before older
SAs are deactivated. Such a policy ensures that protected group
traffic will always flow without interruption.
5.4.2. SENDER_ID_REQUEST
The SENDER_ID_REQUEST attribute is used by a group member to request
SIDs during the GROUPKEY-PULL message, and includes a count of how
many SID values it desires.
5.5. SA TEK Payload
The SA TEK (SAT) payload contains security attributes for a single
TEK associated with a group.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! Next Payload ! RESERVED ! Payload Length !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! Protocol-ID ! TEK Protocol-Specific Payload ~
+-+-+-+-+-+-+-+-+ ~
~ ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
The SAT Payload fields are defined as follows:
o Next Payload (1 octet) -- Identifies the next payload for the
GROUPKEY-PULL or the GROUPKEY-PUSH message. The only valid next
payload types for this message are another SAT Payload or zero to
indicate there are no more security association attributes.
o RESERVED (1 octet) -- Must be zero.
o Payload Length (2 octets) -- Length of this payload, including the
TEK Protocol-Specific Payload.
o Protocol-ID (1 octet) -- Value specifying the Security Protocol.
The following table defines values for the Security Protocol
Weis, et al. Expires September 15, 2011 [Page 30]
Internet-Draft GDOI March 2011
Protocol ID Value
----------- -----
RESERVED 0
GDOI_PROTO_IPSEC_ESP 1
GDOI_PROTO_IPSEC_AH TBD-5
Standards Action 3-127
Private Use 128-255
o TEK Protocol-Specific Payload (variable) -- Payload which describes
the attributes specific for the Protocol-ID.
5.5.1. GDOI_PROTO_IPSEC_ESP/GDOI_PROTO_IPSEC_AH
The TEK Protocol-Specific payload for ESP and AH is as follows:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! Protocol ! SRC ID Type ! SRC ID Port !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
!SRC ID Data Len! SRC Identification Data ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! DST ID Type ! DST ID Port !DST ID Data Len!
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! DST Identification Data ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! Transform ID ! SPI !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! SPI ! RFC 2407 SA Attributes ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
The SAT Payload fields are defined as follows:
o Protocol (1 octet) -- Value describing an IP protocol ID (e.g.,
UDP/TCP). A value of zero means that the Protocol field should be
ignored.
o SRC ID Type (1 octet) -- Value describing the identity information
found in the SRC Identification Data field. Defined values are
specified by the IPsec Identification Type section in the IANA
isakmpd-registry [ISAKMP-REG].
o SRC ID Port (2 octets) -- Value specifying a port associated with
the source Id. A value of zero means that the SRC ID Port field
should be ignored.
o SRC ID Data Len (1 octet) -- Value specifying the length of the SRC
Weis, et al. Expires September 15, 2011 [Page 31]
Internet-Draft GDOI March 2011
Identification Data field.
o SRC Identification Data (variable length) -- Value, as indicated by
the SRC ID Type. Set to three bytes of zero for multiple-source
multicast groups that use a common TEK for all senders.
o DST ID Type (1 octet) -- Value describing the identity information
found in the DST Identification Data field. Defined values are
specified by the IPsec Identification Type section in the IANA
isakmpd-registry [ISAKMP-REG].
o DST ID Prot (1 octet) -- Value describing an IP protocol ID (e.g.,
UDP/TCP). A value of zero means that the DST Id Prot field should be
ignored.
o DST ID Port (2 octets) -- Value specifying a port associated with
the source Id. A value of zero means that the DST ID Port field
should be ignored.
o DST ID Data Len (1 octet) -- Value specifying the length of the DST
Identification Data field.
o DST Identification Data (variable length) -- Value, as indicated by
the DST ID Type.
o Transform ID (1 octet) -- Value specifying which ESP or AH
transform is to be used. The list of valid values is defined in the
IPsec ESP or IPsec AH Transform Identifiers section of the IANA
isakmpd-registry [ISAKMP-REG].
o SPI (4 octets) -- Security Parameter Index for ESP.
o RFC 2407 Attributes -- ESP and AH Attributes from RFC 2407 Section
4.5. The GDOI supports all IPsec DOI SA Attributes for
GDOI_PROTO_IPSEC_ESP and GDOI_PROTO_IPSEC_AH excluding the Group
Description (section 4.5 of [RFC2407], which MUST NOT be sent by a
GDOI implementation and is ignored by a GDOI implementation if
received. The following attributes MUST be supported by an
implementation supporting ESP and AH: SA Life Type, SA Life Duration,
Encapsulation Mode. An implementation supporting ESP must also
support the Authentication Algorithm attribute if the ESP transform
includes authentication/ The Authentication Algorithm attribute of
the IPsec DOI is group authentication in GDOI.
5.5.1.1. New IPsec Security Association Attributes
The Multicast Extensions to the Security Architecture for the
Internet Protocol (RFC 5374) introduces new requirements for a group
Weis, et al. Expires September 15, 2011 [Page 32]
Internet-Draft GDOI March 2011
key management system distributing IPsec policy. It also defines new
attributes as part of the Group Security Policy Database (GSPD).
These attributes describe policy that a group key management system
must convey to a group member in order to support those extensions.
The GDOI SA TEK payload distributes IPsec policy using IPsec security
association attributes defined in [ISAKMP-REG]. This section defines
how GDOI can convey the new attributes as IPsec Security Association
Attributes.
5.5.1.1.1. Address Preservation
Applications use the extensions in RFC 5374 to copy the IP addresses
into the outer IP header when encapsulating an IP packet as an IPsec
tunnel mode packet. This allows an IP multicast packet to continue
to be routed as a IP multicast packet. In order for the GDOI group
member to appropriately set up the GSPD, the GCKS must provide that
policy to the group member.
Depending on group policy, several address preservation methods are
possible: no address preservation ("None"), preservation of the
original source address ("Source-Only"), preservation of the original
destination address ("Destination-Only"), or both addresses ("Source-
And-Destination"). The IANA Considerations section of this memo adds
the "Address Preservation" security association attribute. If this
attribute is not included in a GDOI SA TEK payload provided by a
GCKS, then Source-And-Destination address preservation has been
defined for the SA TEK.
5.5.1.1.2. SA Direction
Depending on group policy, an IPsec SA created from an SA TEK payload
may be required in one or both directions. SA TEK policy used by
multiple senders is required to be installed in both the sending and
receiving direction ("Symmetric"), whereas SA TEK for a single sender
should only be installed in the receiving direction by receivers
("Receiver-Only") and in the sending direction by the sender
("Sender-Only"). The IANA Considerations section of this memo adds
the "SA Direction" security association attribute.
An SA TEK payload that does not include the SA Direction attribute is
treated as a Symmetric IPsec SA. Note that unless Symmetric may be
the only value that can be meaningfully described for an SA TEK
distributed in an GROUPKEY-PUSH message. Alternatively, Receiver-
Only could be distributed, but group senders would need to be
configured to not receive GROUPKEY-PUSH messages in order to retain
their role.
Weis, et al. Expires September 15, 2011 [Page 33]
Internet-Draft GDOI March 2011
5.5.2. Other Security Protocols
Besides ESP and AH, GDOI should serve to establish SAs for secure
groups needed by other Security Protocols that operate at the
transport, application, and internetwork layers. These other
Security Protocols, however, are in the process of being developed or
do not yet exist.
The following information needs to be provided for a Security
Protocol to the GDOI.
o The Protocol-ID for the particular Security Protocol
o The SPI Size
o The method of SPI generation
o The transforms, attributes and keys needed by the Security
Protocol
All Security Protocols must provide the information in the bulleted
list above to guide the GDOI specification for that protocol.
Definitions for the support of those Security Protocols in GDOI will
be specified in separate documents.
A Security Protocol MAY protect traffic at any level of the network
stack. However, in all cases applications of the Security Protocol
MUST protect traffic which MAY be shared by more than two entities.
5.6. Key Download Payload
The Key Download Payload contains group keys for the group specified
in the SA Payload. These key download payloads can have several
security attributes applied to them based upon the security policy of
the group as defined by the associated SA Payload.
Weis, et al. Expires September 15, 2011 [Page 34]
Internet-Draft GDOI March 2011
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! Next Payload ! RESERVED ! Payload Length !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! Number of Key Packets ! RESERVED2 !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
~ Key Packets ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
The Key Download Payload fields are defined as follows:
o Next Payload (1 octet) -- Identifier for the payload type of the
next payload in the message. If the current payload is the last in
the message, then this field will be zero.
o RESERVED (1 octet) -- Unused, set to zero.
o Payload Length (2 octets) -- Length in octets of the current
payload, including the generic payload header.
o Number of Key Packets (2 octets) -- Contains the total number of
both TEK and Rekey arrays being passed in this data block.
o Key Packets (variable) -- Several types of key packets are defined.
Each Key Packet has the following format.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! KD Type ! RESERVED ! KD Length !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
! SPI Size ! SPI (variable) ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
~ Key Packet Attributes ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
o Key Download (KD) Type (1 octet) -- Identifier for the Key Data
field of this Key Packet.
Weis, et al. Expires September 15, 2011 [Page 35]
Internet-Draft GDOI March 2011
Key Download Type Value
----------------- -----
RESERVED 0
TEK 1
KEK 2
LKH 3
SID TBD-7
Standards Action 4-127
Private Use 128-255
"KEK" is a single key whereas LKH is an array of key-encrypting keys.
o RESERVED (1 octet) -- Unused, set to zero.
o Key Download Length (2 octets) -- Length in octets of the Key
Packet data, including the Key Packet header.
o SPI Size (1 octet) -- Value specifying the length in octets of the
SPI as defined by the Protocol-Id.
o SPI (variable length) -- Security Parameter Index which matches a
SPI previously sent in an SAK or SAT Payload.
o Key Packet Attributes (variable length) -- Contains Key
information. The format of this field is specific to the value of
the KD Type field. The following sections describe the format of
each KD Type.
5.6.1. TEK Download Type
The following attributes may be present in a TEK Download Type.
Exactly one attribute matching each type sent in the SAT payload MUST
be present. The attributes must follow the format defined in ISAKMP
(Section 3.3 of [RFC2408]). In the table, attributes defined as TV
are marked as Basic (B); attributes defined as TLV are marked as
Variable (V).
Weis, et al. Expires September 15, 2011 [Page 36]
Internet-Draft GDOI March 2011
TEK Class Value Type
--------- ----- ----
RESERVED 0
TEK_ALGORITHM_KEY 1 V
TEK_INTEGRITY_KEY 2 V
TEK_SOURCE_AUTH_KEY 3 V
Standards Action 4-127
Private Use 128-255
Unassigned 256-32767
If no TEK key packets are included in a Registration KD payload, the
group member can expect to receive the TEK as part of a Re-key SA.
At least one TEK must be included in each Re-key KD payload.
Multiple TEKs may be included if multiple streams associated with the
SA are to be rekeyed.
When an algorithm specification specifies the format of the keying
material, the value transported in the KD payload for that key is
passed according to that specification. The keying material may
contain information besides a key. For example, The Use of Galois/
Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP)
[RFC4106] defines a salt value as part of KEYMAT.
5.6.1.1. TEK_ALGORITHM_KEY
The TEK_ALGORITHM_KEY class declares that the encryption key for this
SPI is contained as the Key Packet Attribute. The encryption
algorithm that will use this key was specified in the SAT payload.
In the case that the algorithm requires multiple keys (e.g., 3DES),
all keys will be included in one attribute.
DES keys will consist of 64 bits (the 56 key bits with parity bit).
Triple DES keys will be specified as a single 192 bit attribute
(including parity bits) in the order that the keys are to be used for
encryption (e.g., DES_KEY1, DES_KEY2, DES_KEY3).
5.6.1.2. TEK_INTEGRITY_KEY
The TEK_INTEGRITY_KEY class declares that the integrity key for this
SPI is contained as the Key Packet Attribute. The integrity
algorithm that will use this key was specified in the SAT payload.
Thus, GDOI assumes that both the symmetric encryption and integrity
keys are pushed to the member. HMAC-SHA1 keys will consist of 160
bits[RFC2404], HMAC-MD5 keys will consist of 128 bits[RFC2403].
HMAC-SHA2 and AES-GMAC keys will have a key length equal to the
output length of the hash functions [RFC4868][RFC4543].
Weis, et al. Expires September 15, 2011 [Page 37]
Internet-Draft GDOI March 2011
5.6.1.3. TEK_SOURCE_AUTH_KEY
The TEK_SOURCE_AUTH_KEY class declares that the source authentication
key for this SPI is contained in the Key Packet Attribute. The
source authentication algorithm that will use this key was specified
in the SAT payload.
5.6.2. KEK Download Type
The following attributes may be present in a KEK Download Type.
Exactly one attribute matching each type sent in the SAK payload MUST
be present. The attributes must follow the format defined in ISAKMP
(Section 3.3 of [RFC2408]). In the table, attributes defined as TV
are marked as Basic (B); attributes defined as TLV are marked as
Variable (V).
KEK Class Value Type
--------- ----- ----
RESERVED 0
KEK_ALGORITHM_KEY 1 V
SIG_ALGORITHM_KEY 2 V
Standards Action 3-127
Private Use 128-255
Unassigned 256-32767
If the KEK key packet is included, there MUST be only one present in
the KD payload.
5.6.2.1. KEK_ALGORITHM_KEY
The KEK_ALGORITHM_KEY class declares the encryption key for this SPI
is contained in the Key Packet Attribute. The encryption algorithm
that will use this key was specified in the SAK payload.
If the mode of operation for the algorithm requires an IV, an
explicit IV MUST be included in the KEK_ALGORITHM_KEY before the
actual key.
5.6.2.2. SIG_ALGORITHM_KEY
The SIG_ALGORITHM_KEY class declares that the public key for this SPI
is contained in the Key Packet Attribute, which may be useful when no
public key infrastructure is available. The signature algorithm that
will use this key was specified in the SAK payload.
Weis, et al. Expires September 15, 2011 [Page 38]
Internet-Draft GDOI March 2011
5.6.3. LKH Download Type
The LKH key packet is comprised of attributes representing different
nodes in the LKH key tree.
The following attributes are used to pass an LKH KEK array in the KD
payload. The attributes must follow the format defined in ISAKMP
(Section 3.3 of [RFC2408]). In the table, attributes defined as TV
are marked as Basic (B); attributes defined as TLV are marked as
Variable (V).
KEK Class Value Type
--------- ----- ----
RESERVED 0
LKH_DOWNLOAD_ARRAY 1 V
LKH_UPDATE_ARRAY 2 V
SIG_ALGORITHM_KEY 3 V
Standards Action 4-127
Private Use 128-255
Unassigned 256-32767
If an LKH key packet is included in the KD payload, there must be
only one present.
5.6.3.1. LKH_DOWNLOAD_ARRAY
This attribute is used to download a set of keys to a group member.
It MUST NOT be included in a GROUPKEY-PUSH message KD payload if the
GROUPKEY-PUSH is sent to more than the group member. If an
LKH_DOWNLOAD_ARRAY attribute is included in a KD payload, there must
be only one present.
This attribute consists of a header block, followed by one or more
LKH keys.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! LKH Version ! # of LKH Keys ! RESERVED !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! LKH Keys !
~ ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The KEK_LKH attribute fields are defined as follows:
Weis, et al. Expires September 15, 2011 [Page 39]
Internet-Draft GDOI March 2011
o LKH version (1 octet) -- Version of the LKH data format. Must be
one.
o Number of LKH Keys (2 octets) -- This value is the number of
distinct LKH keys in this sequence.
o RESERVED (1 octet) -- Unused, set to zero. Each LKH Key is defined
as follows:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! LKH ID ! Key Type ! RESERVED !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ Key Creation Date !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ Key expiration Date !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ Key Handle !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! !
~ Key Data ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
o LKH ID (2 octets) -- Identity of the LKH node. A GCKS is free to
choose the ID in an implementation-specific manner (e.g., the
position of this key in a binary tree structure used by LKH).
o Key Type (1 octet) -- Encryption algorithm for which this key data
is to be used. This value is specified in Section 5.3.3.
o RESERVED (1 octet) -- Unused, set to zero.
o Key Creation Date (4 octets) -- Time value of when this key data
was originally generated. A time value of zero indicates that there
is no time before which this key is not valid.
o Key Expiration Date (4 octets) -- Time value of when this key is no
longer valid for use. A time value of zero indicates that this key
does not have an expiration time.
o Key Handle (4 octets) -- Value assigned by the GCKS to uniquely
identify a key within an LKH ID. Each new key distributed by the
GCKS for this node will have a key handle identity distinct from
previous or successive key handles specified for this node.
o Key Data (variable length) -- Key data, which is dependent on the
Weis, et al. Expires September 15, 2011 [Page 40]
Internet-Draft GDOI March 2011
Key Type algorithm for its format. If the mode of operation for the
algorithm requires an IV, an explicit IV MUST be included in the Key
Data field prepended to the actual key.
The Key Creation Date and Key expiration Dates MAY be zero. This is
necessary in the case where time synchronization within the group is
not possible.
The first LKH Key structure in an LKH_DOWNLOAD_ARRAY attribute
contains the Leaf identifier and key for the group member. The rest
of the LKH Key structures contain keys along the path of the key tree
in order from the leaf, culminating in the group KEK.
5.6.3.2. LKH_UPDATE_ARRAY
This attribute is used to update the keys for a group. It is most
likely to be included in a GROUPKEY-PUSH message KD payload to rekey
the entire group. This attribute consists of a header block,
followed by one or more LKH keys, as defined in the previous section.
There may be any number of UPDATE_ARRAY attributes included in a KD
payload.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! LKH Version ! # of LKH Keys ! RESERVED !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! LKH ID ! RESERVED2 !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Key Handle !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! LKH Keys !
~ ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
o LKH version (1 octet) -- Version of the LKH data format. Must be
one.
o Number of LKH Keys (2 octets) -- Number of distinct LKH keys in
this sequence.
o RESERVED (1 octet) -- Unused, set to zero.
o LKH ID (2 octets) -- Node identifier associated with the key used
to encrypt the first LKH Key.
Weis, et al. Expires September 15, 2011 [Page 41]
Internet-Draft GDOI March 2011
o RESERVED2 (2 octets) -- Unused, set to zero.
o Key Handle (4 octets) -- Value assigned by the GCKS to uniquely
identify the key within the LKH ID used to encrypt the first LKH Key.
The LKH Keys are as defined in the previous section. The LKH Key
structures contain keys along the path of the key tree in order from
the LKH ID found in the LKH_UPDATE_ARRAY header, culminating in the
group KEK. The Key Data field of each LKH Key is encrypted with the
LKH key preceding it in the LKH_UPDATE_ARRAY attribute. The first
LKH Key is encrypted under the key defined by the LKH ID and Key
Handle found in the LKH_UPDATE_ARRAY header.
5.6.3.3. SIG_ALGORITHM_KEY
The SIG_ALGORITHM_KEY class declares that the public key for this SPI
is contained in the Key Packet Attribute, which may be useful when no
public key infrastructure is available. The signature algorithm that
will use this key was specified in the SAK payload.
5.6.4. SID Download Type
This attribute is used to download one or more Sender-ID (SID) values
for the exclusive use of a group member.
SID Class Value Type
--------- ----- ----
RESERVED 0
NUMBER_OF_SID_BITS 1 B
SID_VALUE 2 V
Standards Action 3-128
Private Use 129-255
Unassigned 256-32767
Because a SID value is intended for a single group member, the SID
Download type MUST NOT be distributed in a GROUPKEY_PUSH message
distributed to multiple group members.
5.6.4.1. NUMBER_OF_SID_BITS
The NUMBER_OF_SID_BITS class declares how many bits of the cipher
nonce in which to represent a SID value. This value is applied to
each SID value distributed in the SID Download.
Weis, et al. Expires September 15, 2011 [Page 42]
Internet-Draft GDOI March 2011
5.6.4.2. SID_VALUE
The SID_VALUE class declares a single SID value for the exclusive use
of the a group member. Multiple SID_VALUE attributes MAY be included
in a SID Download.
5.6.4.3. Group Member Semantics
The SID_VALUE attribute value distributed to the group member MUST be
used by that group member as the SID field portion of the IV for all
Data-Security SAs including a counter-based mode of operation
distributed by the GCKS as a part of this group.
When the Sender-Specific IV (SSIV) field for any Data-Security SA is
exhausted, the group member MUST no longer act as a sender on that SA
using its active SID. The group member SHOULD re-register, at which
time the GCKS will issue a new SID to the group member, along with
either the same Data-Security SAs or replacement ones. The new SID
replaces the existing SID used by this group member, and also resets
the SSIV value to its starting value. A group member MAY re-register
prior to the actual exhaustion of the SSIV field to avoid dropping
data packets due to the exhaustion of available SSIV values combined
with a particular SID value.
A group member MUST NOT process an SID Download Type KD payload
present in a GROUPKEY-PUSH message.
5.6.4.4. GCKS Semantics
If any KD payload includes keying material that is associated with a
counter-mode of operation, an SID Download Type KD payload containing
at least one SID_VALUE attribute MUST be included.
The GCKS MUST NOT send the SID Download Type KD payload as part of a
GROUPKEY-PUSH message, because distributing the same sender-specific
policy to more than one group member will reduce the security of the
group.
5.7. Sequence Number Payload
The Sequence Number Payload (SEQ) provides an anti-replay protection
for GROUPKEY-PUSH messages. Its use is similar to the Sequence
Number field defined in the IPsec ESP protocol [RFC4303].
Weis, et al. Expires September 15, 2011 [Page 43]
Internet-Draft GDOI March 2011
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Next Payload ! RESERVED ! Payload Length !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Sequence Number !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The Sequence Number Payload fields are defined as follows:
o Next Payload (1 octet) -- Identifier for the payload type of the
next payload in the message. If the current payload is the last in
the message, then this field will be zero.
o RESERVED (1 octet) -- Unused, set to zero.
o Payload Length (2 octets) -- Length in octets of the current
payload, including the generic payload header. Must be a value of 8.
o Sequence Number (4 octets) -- This field contains a monotonically
increasing counter value for the group. It is initialized to zero by
the GCKS, and incremented in each subsequently-transmitted message.
Thus the first packet sent for a given Rekey SA will have a Sequence
Number of 1. The GDOI implementation keeps a sequence counter as an
attribute for the Rekey SA and increments the counter upon receipt of
a GROUPKEY-PUSH message. The current value of the sequence number
must be transmitted to group members as a part of the Registration SA
payload. A group member must keep a sliding receive window. The
window must be treated as in the ESP protocol [RFC4303] Section
3.4.3.
5.8. Nonce
The data portion of the Nonce payload (i.e., Ni_b and Nr_b included
in the HASHs) MUST be a value between 8 and 128 bytes.
5.9. Delete
There are times the GCKS may want to signal to receivers to delete
SAs, for example at the end of a broadcast. Deletion of keys may be
accomplished by sending an ISAKMP Delete payload (Section 3.15 of
[RFC2408]) as part of a GDOI GROUPKEY-PUSH message.
One or more Delete payloads MAY be placed following the SEQ payload
in a GROUPKEY-PUSH message. If a GCKS has no further SAs to send to
group members, the SA and KD payloads MUST be omitted from the
message.
Weis, et al. Expires September 15, 2011 [Page 44]
Internet-Draft GDOI March 2011
The following fields of the Delete Payload are further defined as
follows:
o The Domain of Interpretation field contains the GDOI DOI.
o The Protocol-Id field contains TEK protocol id values defined in
Section 5.5 of this document. To delete a KEK SA, the value of zero
MUST be used as the protocol id. Note that only one protocol id
value can be defined in a Delete payload. If a TEK SA and a KEK SA
must be deleted, they must be sent in different Delete payloads.
There may be circumstances where the GCKS may want to start over with
a clean slate. If the administrator is no longer confident in the
integrity of the group, the GCKS can signal deletion of all policy of
a particular TEK protocol by sending a TEK with a SPI value equal to
zero in the delete payload. For example, if the GCKS wishes to
remove all the KEKs and all the TEKs in the group, the GCKS SHOULD
send a delete payload with a spi of zero and a protocol_id of a TEK
protocol_id value, followed by another delete payload with a spi of
zero and protocol_id of zero, indicating that the KEK SA should be
deleted.
Weis, et al. Expires September 15, 2011 [Page 45]
Internet-Draft GDOI March 2011
6. Algorithm Selection
For GDOI implementations to interoperate, they must support one or
more security algorithms in common. This section specifies the
security algorithm implementation requirements for standards-
conformant GDOI implementations. In all cases the choices are
intended to maintain at least 112 bits of security [SP.800-131].
Algorithms not referenced in this section MAY be used.
6.1. KEK
These tables list the algorithm selections for values related to the
KEK.
Requirement KEK Management Algorithm
----------- ---------------------
SHOULD LKH
Requirement KEK Algorithm (notes)
----------- ---------------------
MUST KEK_ALG_AES with 128-bit keys
SHOULD NOT KEK_ALG_DES (1)
Requirement KEK Signature Hash Algorithm (notes)
----------- ------------------------------------
MUST SIG_HASH_SHA256
SHOULD SIG_HASH_SHA1 (2)
SHOULD NOT SIG_HASH_MD5 (3)
Requirement KEK Signature Algorithm (notes)
----------- -------------------------------
MUST SIG_ALG_RSA with 2048-bit keys
Notes:
(1) DES, with its small key size and corresponding security strength
is of questionable security for general use
(2) The use of SIG_HASH_SHA1 as a signature hash algorithm used with
GROUPKEY-PUSH messages remains safe at the time of this writing,
and is a widely deployed signature hash algorithm.
(3) Although a real weakness with second preimage resistance with
MD5 has not been found at the time of this writing, the security
strength of MD5 has been shown to be rapidly declining over time
and it's use should be understood and carefully weighed.
Weis, et al. Expires September 15, 2011 [Page 46]
Internet-Draft GDOI March 2011
6.2. TEK
The following table lists the requirements for Security Protocol
support for an implementation.
Requirement KEK Management Algorithm
----------- ---------------------
MUST GDOI_PROTO_IPSEC_ESP
Weis, et al. Expires September 15, 2011 [Page 47]
Internet-Draft GDOI March 2011
7. Security Considerations
GDOI is a security association (SA) management protocol for groups of
senders and receivers. This protocol performs authentication of
communicating protocol participants (Group Member, Group Controller/
Key Server). It provides confidentiality of key management messages,
and it provides source authentication of those messages. GDOI
includes defenses against man-in-middle, connection hijacking,
replay, reflection, and denial-of-service (DOS) attacks on unsecured
networks. GDOI assumes the network is not secure and may be under
the complete control of an attacker.
GDOI assumes that the group members and GCKS are secure even though
the network is insecure. GDOI ultimately establishes keys among
members of a group, which MUST be trusted to use those keys in an
authorized manner according to group policy. An GDOI entity
compromised by an attacker may reveal the secrets necessary to
eavesdrop on group traffic and/or take the identity of a group
sender, so host security is of the utmost important once. The latter
threat could be mitigated by using source origin authentication in
the Data-Security SAs (e.g., the use of RSA signatures [RFC4359] or
TESLA [RFC4082]). The choice of Data-Security SAs is a matter of
group policy and is not within the scope of this memo.
There are three phases of GDOI as described in this document: an
ISAKMP Phase 1 protocol, the GROUPKEY-PULL exchange protected by the
ISAKMP Phase 1 protocol, and the GROUPKEY-PUSH message. Each phase
is considered separately below.
7.1. ISAKMP Phase 1
GDOI uses the Phase 1 exchanges defined in [RFC2409] to protect the
GROUPKEY-PULL exchange. Therefore all security properties and
considerations of those exchanges (as noted in [RFC2409]) are
relevant for GDOI.
GDOI may inherit the problems of its ancestor protocols [FS00], such
as identity exposure, absence of unidirectional authentication, or
stateful cookies [PK01].
7.1.1. Authentication
Authentication is provided via the mechanisms defined in [RFC2409],
namely Pre-Shared Keys or Public Key encryption.
Weis, et al. Expires September 15, 2011 [Page 48]
Internet-Draft GDOI March 2011
7.1.2. Confidentiality
Confidentiality is achieved in Phase 1 through a Diffie-Hellman
exchange that provides keying material, and through negotiation of
encryption transforms.
The Phase 1 protocol will be protecting encryption and integrity keys
sent in the GROUPKEY-PULL protocol. The strength of the encryption
used for Phase 1 SHOULD exceed that of the keys send in the GROUPKEY-
PULL protocol.
7.1.3. Man-in-the-Middle Attack Protection
A successful man-in-the-middle or connection-hijacking attack foils
entity authentication of one or more of the communicating entities
during key establishment. GDOI relies on Phase 1 authentication to
defeat man-in-the-middle attacks.
7.1.4. Replay/Reflection Attack Protection
In a replay/reflection attack, an attacker captures messages between
GDOI entities and subsequently forwards them to a GDOI entity.
Replay and reflection attacks seek to gain information from a
subsequent GDOI message response or seek to disrupt the operation of
a GDOI member or GCKS entity. GDOI relies on the Phase 1 nonce
mechanism in combination with a hash-based message authentication
code to protect against the replay or reflection of previous key
management messages.
7.1.5. Denial of Service Protection
A denial of service attacker sends messages to a GDOI entity to cause
that entity to perform unneeded message authentication operations.
GDOI uses the Phase 1 cookie mechanism to identify spurious messages
prior to cryptographic hash processing. This is a "weak" form of
denial of service protection in that the GDOI entity must check for
good cookies, which can be successfully imitated by a sophisticated
attacker. The Phase 1 cookie mechanism is stateful, and commits
memory resources for cookies.
7.2. GROUPKEY-PULL Exchange
The GROUPKEY-PULL exchange allows a group member to request SAs and
keys from a GCKS. It runs as a "phase 2" protocol under protection
of the Phase 1 security association.
Weis, et al. Expires September 15, 2011 [Page 49]
Internet-Draft GDOI March 2011
7.2.1. Authentication
Peer authentication is not required in the GROUPKEY-PULL protocol.
It is running in the context of the Phase 1 protocol, which has
previously authenticated the identity of the peer.
Message authentication is provided by HASH payloads in each message,
where the HASH is defined to be over SKEYID_a (derived in the Phase 1
exchange), the ISAKMP Message-ID, and all payloads in the message.
Because only the two endpoints of the exchange know the SKEYID_a
value, this provides confidence that the peer sent the message.
7.2.2. Confidentiality
Confidentiality is provided by the Phase 1 security association,
after the manner described in [RFC2409].
7.2.3. Man-in-the-Middle Attack Protection
Message authentication (described above) includes a secret known only
to the group member and GCKS when constructing a HASH payload. This
prevents man-in-the-middle and connection-hijacking attacks because
an attacker would not be able to change the message undetected.
7.2.4. Replay Protection
A GROUPKEY-PULL message identifies its messages using a cookie pair
from the Phase 1 exchange that precedes it. A GROUPKEY-PULL message
with invalid cookies will be discarded. Therefore, GDOI messages
that are not associated with a current GDOI session will be discarded
without further processing.
Replayed GDOI messages that are associated with a current GDOI
session will be decrypted and authenticated. The M-ID in the HDR
identifies a session. Replayed packets will be processed according
to the state machine of that session. Packets not matching that
state machine will be discarded without processing.
7.2.5. Denial of Service Protection
GCKS implementations SHOULD keep a record of recently received
GROUPKEY-PULL messages (e.g., a hash of the packet) and reject
messages that have already been processed. This provides Denial of
Service and Replay Protection of previously sent messages. An
implementation MAY choose to rate-limit the receipt of GDOI messages
in order to mitigate avoid overloading its computational resources.
The GCKS SHOULD NOT perform any computationally expensive tasks
Weis, et al. Expires September 15, 2011 [Page 50]
Internet-Draft GDOI March 2011
before receiving a HASH with its own nonce included. The GCKS MUST
NOT update the group management state (e.g., LKH key tree, SID-
counter) until it receives the third message in the exchange with a
valid HASH payload including its own nonce.
7.2.6. Authorization
A GCKS implementation SHOULD maintain an authorization list of
authorized group members. Group members MUST specifically list each
authorized GCKS in its Group Peer Authorization Database (GPAD)
[RFC5374].
7.3. GROUPKEY-PUSH Exchange
The GROUPKEY-PUSH exchange is a single message that allows a GCKS to
send SAs and keys to group members. This is likely to be sent to all
members using an IP multicast group. This message provides an
efficient rekey and group membership adjustment capability.
7.3.1. Authentication
The GROUPKEY-PULL exchange distributes a public key that is used for
message authentication. The GROUPKEY-PUSH message is digitally
signed using the corresponding private key held by the GCKS. This
digital signature provides source authentication for the message.
Thus, GDOI protects the GCKS from impersonation in group
environments.
7.3.2. Confidentiality
The GCKS encrypts the GROUPKEY-PUSH message with an encryption key
that was distributed in the GROUPKEY-PULL exchange or a previous
GROUPKEY-PUSH exchange. The encryption key may be a simple KEK, or
the result of a group management method (e.g., LKH) calculation.
7.3.3. Man-in-the-Middle Attack Protection
This combination of confidentiality and message authentication
services protects the GROUPKEY-PUSH message from man-in-middle and
connection-hijacking attacks.
7.3.4. Replay/Reflection Attack Protection
The GROUPKEY-PUSH message includes a monotonically increasing
sequence number to protect against replay and reflection attacks. A
group member will discard sequence numbers associated with the
current KEK SPI that have the same or lower value as the most
recently received replay number.
Weis, et al. Expires September 15, 2011 [Page 51]
Internet-Draft GDOI March 2011
Implementations SHOULD keep a record (e.g., a hash value) of recently
received GROUPKEY-PUSH messages and reject duplicate messages prior
to performing cryptographic operations. This enables an early
discard of the replayed messages.
7.3.5. Denial of Service Protection
A cookie pair identifies the security association for the GROUPKEY-
PUSH message. The cookies thus serve as a weak form of denial-of-
service protection for the GROUPKEY-PUSH message.
The digital signature used for message authentication has a much
greater computational cost than a message authentication code and
could amplify the effects of a denial of service attack on GDOI
members who process GROUPKEY-PUSH messages. The added cost of
digital signatures is justified by the need to prevent GCKS
impersonation: If a shared symmetric key were used for GROUPKEY-PUSH
message authentication, then GCKS source authentication would be
impossible and any member would be capable of GCKS impersonation.
The potential of the digital signature amplifying a denial of service
attack is mitigated by the order of operations a group member takes,
where the least expensive cryptographic operation is performed first.
The group member first decrypts the message using a symmetric cipher.
If it is a validly formed message then the sequence number is checked
against the replay window. Only if the sequence number is valid is
the digital signature verified. Thus in order for a denial of
service attack to be mounted, an attacker would need to know both the
symmetric encryption key used for confidentiality, and a valid
sequence number. Generally speaking this means only current group
members can effectively deploy a denial of service attack.
7.4. Forward and Backward Access Control
Through GROUPKEY-PUSH, the GDOI supports group management methods
such as LKH (section 5.4 of [RFC2627]) that have the property of
denying access to a new group key by a member removed from the group
(forward access control) and to an old group key by a member added to
the group (backward access control). The concepts "forward access
control" and "backward access control" have also been described as
"perfect forward security" and "perfect backward security"
respectively in the literature [RFC2627].
Group management algorithms providing forward and backward access
control other than LKH have been proposed in the literature,
including OFT [OFT] and Subset Difference [NNL]. These algorithms
could be used with GDOI, but are not specified as a part of this
document.
Weis, et al. Expires September 15, 2011 [Page 52]
Internet-Draft GDOI March 2011
7.4.1. Forward Access Control Requirements
When group membership is altered using a group management algorithm
new Data-security SAs are usually also needed. New SAs ensure that
members who were denied access can no longer participate in the
group.
If forward access control is a desired property of the group, new
Data-security SAs MUST NOT be included in a GROUPKEY-PUSH message
which changes group membership. This is required because the new
Data-security SAs are not protected with the new KEK. Instead, two
sequential GROUPKEY-PUSH messages must be sent by the GCKS; the first
changing the KEK, and the second (protected with the new KEK)
distributing the new Data-security SAs.
Note that in the above sequence, although the new KEK can effectively
deny access to the group to some group members they will be able to
view the new KEK policy. If forward access control policy for the
group includes keeping the KEK policy secret as well as the KEK
itself secret, then two GROUPKEY-PUSH messages changing the KEK must
occur before the new Data-security SAs are transmitted.
If other methods of using LKH or other group management algorithms
are added to GDOI, those methods MAY remove the above restrictions
requiring multiple GROUPKEY-PUSH messages, providing those methods
specify how forward access control policy is maintained within a
single GROUPKEY-PUSH message.
7.4.2. Backward Access Control Requirements
If backward access control is a desired property of the group, a new
member MUST NOT be given Data-security SAs that were used prior to it
joining the group. This can be accomplished if the GCKS provides
only the Rekey SA to the new member in a GROUPKEY-PULL exchange,
followed by a GROUPKEY-PUSH message that both deletes current Data-
security SAs, and provides new replacement Data-security SAs. The
new group member will effectively join the group at such time as the
existing members begin sending on the Data-security SAs.
If there is a possibility that the new group member has stored
GROUPKEY-PUSH messages delivered prior to joining the group, then the
above procedure is not sufficient. In this case, to achieve backward
access control the GCKS needs to return a new Rekey SA to the group
member in a GROUPKEY-PULL exchange rather than the existing one. The
GCKS would subsequently deliver two GROUPKEY-PUSH messages. The
first, intended for existing group members, distributes the new
Rekey-SA to existing members. The GCKS would then deliver the second
GROUPKEY-PUSH message using the new Rekey-SA that both deletes
Weis, et al. Expires September 15, 2011 [Page 53]
Internet-Draft GDOI March 2011
current Data-security SAs, and provides new replacement Data-security
SAs. Both preexisting and new members would process the second
GROUPKEY-PUSH message, and all would be able to communicate using the
new Data-security SAs.
7.5. Derivation of keying material
A GCKS distributes keying material associated with Data-Security SAs
and the Rekey SA. Because these security associations are used by a
set of group members, this keying material is not related to any pair
wise connection, and there is no requirement in The Multicast Group
Security Architecture [RFC3740] for group members to permute group
keying material. Because the GCKS is solely responsible for the
generation of the keying material, the GCKS MUST derive the keying
material using a strong random number generator. Because there are
no interoperability concerns with key generation, no method is
prescribed in GDOI.
Weis, et al. Expires September 15, 2011 [Page 54]
Internet-Draft GDOI March 2011
8. IANA Considerations
This memo requests IANA to make several additions to existing
registries, and to add sever new GDOI registries. When the new
registries are added, the following terms are to be applied as
described in the Guidelines for Writing an IANA Considerations
Section in RFCs [RFC5226]: Standards Action, and Private Use.
8.1. Additions to current registries
The GDOI KEK Attribute named SIG_HASH_ALGORITHM [GDOI-REG] should be
assigned several new Algorithm Type values from the RESERVED space to
represent the SHA-256, SHA-384, and SHA-512 hash algorithms as
defined in [FIPS.180-2.2002]. The new algorithm names should be
SIG_HASH_SHA256, SIG_HASH_SHA384, and SIG_HASH_SHA512 respectively
and have the values of TBD-2, TBD-3, and TBD-4 respectively.
The GDOI KEK Attributed named SIG_ALGORITHM [GDOI-REG] should be
assigned a new Algorithm Type value from the RESERVED space to
represent the RSA PSS encoding type. The new algorithm name should
be SIG_ALG_RSA_PSS, and has the value of TBD-6.
A new GDOI SA TEK type Protocol-ID type [GDOI-REG] should be assigned
from the RESERVED space. The new algorithm id should be called
GDOI_PROTO_IPSEC_AH, refers to the IPsec AH encapsulation, and has a
value of TBD-5.
A new Next Payload Type [ISAKMP-REG] should be assigned. The new
type is called "SA Group Associated Policy (GAP)", and has a value of
TBD-1.
A new Key Download Type Section 5.6 should be assigned. The new type
is called "SID", and has a value of TBD-7.
8.2. New registries
A new namespace should be created in the GDOI Payloads registry
[GDOI-REG] to describe SA GAP Payload Values. The following rules
apply to define the attributes in SA SSA Payload Values:
Weis, et al. Expires September 15, 2011 [Page 55]
Internet-Draft GDOI March 2011
Attribute Type Value Type
---- ----- ----
RESERVED 0
ACTIVATION_TIME_DELAY 1 B
DEACTIVATION_TIME_DELAY 2 B
SENDER_ID_REQUEST 3 B
Standards Action 4-127
Private Use 128-255
Unassigned 256-32767
A new IPsec Security Association Attribute [ISAKMP-REG] defining the
preservation of IP addresses is needed. The attribute class is
called "Address Preservation", and it is a Basic type. The following
rules apply to define the values of the attribute:
Name Value
---- -----
Reserved 0
None 1
Source-Only 2
Destination-Only 3
Source-And-Destination 4
Standards Action 5-61439
Private Use 61440-65535
A new IPsec Security Association Attribute [ISAKMP-REG] defining the
SA direction is needed. The attribute class is called "SA
Direction", and it is a Basic type. The following rules apply to
define the values of the attribute:
Name Value
---- -----
Reserved 0
Sender-Only 1
Receiver-Only 2
Symmetric 3
Standards Action 4-61439
Private Use 61440-65535
When the SID "Key Download Type" (described in the previous section)
has a set of attributes. The attributes must follow the format
defined in ISAKMP (Section 3.3 of [RFC2408]). In the table,
attributes defined as TV are marked as Basic (B); attributes defined
as TLV are marked as Variable (V).
Weis, et al. Expires September 15, 2011 [Page 56]
Internet-Draft GDOI March 2011
SID Class Value Type
--------- ----- ----
RESERVED 0
NUMBER_OF_SID_BITS 1 B
SID_VALUE 2 V
Standards Action 3-128
Private Use 129-255
Unassigned 256-32767
8.3. Cleanup of existing registries
Several existing GDOI Payloads registries do not use the terms in RFC
5226 and/or do not describe the entire range of possible values. The
following sections correct these registries.
8.3.1. Pop Algorithm
Values 4-127 are to be designated Standards Action. Values 256-32767
are to be added and designated Unassigned.
8.3.2. KEK Attributes
Values 9-127 are to added and designated Standards Action. Values
128-255 are to be added and designated Private Use. Values 256-32767
are to be added and designated Unassigned.
8.3.3. KEK_MANAGEMENT_ALGORITHM
Values 2-127 are to be designated Standards Action. Values 256-65535
are to be added and designated Unassigned.
8.3.4. KEK_ALGORITHM
Values 4-127 are to be designated Standards Action. Values 256-65535
are to be added and designated Unassigned.
8.3.5. SIG_HASH_ALGORITHM
Values 3-127 are to be designated Standards Action. Values 256-65535
are to be added and designated Unassigned.
8.3.6. SIG_ALGORITHM
Values 4-127 are to be designated Standards Action. Values 256-65535
are to be added and designated Unassigned.
Weis, et al. Expires September 15, 2011 [Page 57]
Internet-Draft GDOI March 2011
8.3.7. SA TEK Payload Values
Values 2-127 are to be designated Standards Action.
8.3.8. Key Download Types
Values 4-127 are to be designated Standards Action.
8.3.9. TEK Download Type
Values 4-127 are to be added and designated Standards Action. Values
128-255 are to be added and designated Private Use. Values 256-32767
are to be added and designated Unassigned.
8.3.10. KEK Download Type
Values 3-127 are to be designated Standards Action. Values 128-255
are to be added and designated Private Use. Values 256-32767 are to
be added and designated Unassigned.
8.3.11. LKH Download Type
Values 4-127 are to be designated Standards Action. Values 256-32767
are to be added and designated Unassigned.
Weis, et al. Expires September 15, 2011 [Page 58]
Internet-Draft GDOI March 2011
9. Acknowledgements
This text updates RFC 3547, and the authors wish to thank Mark
Baugher and Hugh Harney for their extensive contributions that led to
this updated version of GDOI.
The authors are grateful to Catherine Meadows for her careful review
and suggestions for mitigating the man-in-the-middle attack she had
previously identified. Yoav Nir and Vincent Roca provided many
useful technical and editorial comments and suggestions for
improvement.
Weis, et al. Expires September 15, 2011 [Page 59]
Internet-Draft GDOI March 2011
10. References
10.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC4302] Kent, S., "IP Authentication Header", RFC 4302,
December 2005.
[RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)",
RFC 4303, December 2005.
[RFC5374] Weis, B., Gross, G., and D. Ignjatic, "Multicast
Extensions to the Security Architecture for the Internet
Protocol", RFC 5374, November 2008.
[RFC6054] McGrew, D. and B. Weis, "Using Counter Modes with
Encapsulating Security Payload (ESP) and Authentication
Header (AH) to Protect Group Traffic", RFC 6054,
November 2010.
10.2. Informative References
[FIPS.180-2.2002]
National Institute of Standards and Technology, "Secure
Hash Standard", FIPS PUB 180-2, August 2002, <http://
csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf>.
[FIPS186-3]
"Digital Signature Standard (DSS)", United States of
America, National Institute of Science and
Technology Federal Information Processing Standard (FIPS)
186-2, June 2009.
[FIPS197] "Advanced Encryption Standard (AES)", United States of
America, National Institute of Science and
Technology Federal Information Processing Standard (FIPS)
197, November 2001.
[FIPS46-3]
"Data Encryption Standard (DES)", United States of
America, National Institute of Science and
Technology Federal Information Processing Standard (FIPS)
46-3, October 1999.
[FIPS81] "DES Modes of Operation", United States of America,
National Institute of Science and Technology Federal
Weis, et al. Expires September 15, 2011 [Page 60]
Internet-Draft GDOI March 2011
Information Processing Standard (FIPS) 81, December 1980.
[FS00] Ferguson, N. and B. Schneier, Counterpane, "A
Cryptographic Evaluation of IPsec",
<http://www.counterpane.com/ipsec.html>.
[GDOI-REG]
Internet Assigned Numbers Authority, "Group Domain of
Interpretation (GDOI) Payload Type Values", IANA Registry,
December 2004,
<http://www.iana.org/assignments/gdoi-payloads>.
[HD03] Hardjono, T. and L. Dondeti, "Multicast and Group
Security", Artech House Computer Security Series, ISBN
1-58053-342-6, 2003.
[I-D.weis-gdoi-mac-tek]
Weis, B. and S. Rowles, "GDOI Generic Message
Authentication Code Policy", draft-weis-gdoi-mac-tek-02
(work in progress), March 2011.
[ISAKMP-REG]
"'Magic Numbers' for ISAKMP Protocol",
<http://www.iana.org/assignments/isakmp-registry>.
[MP04] Meadows, C. and D. Pavlovic, "Deriving, Attacking, and
Defending the GDOI Protocol", ESORICS 2004 pp. 53-72,
September 2004.
[NNL] Naor, D., Noal, M., and J. Lotspiech, "Revocation and
Tracing Schemes for Stateless Receivers", Advances in
Cryptology, Crypto '01, Springer-Verlag LNCS 2139, 2001,
pp. 41-62, 2001,
<http://www.wisdom.weizmann.ac.il/~naor/>.
[OFT] McGrew, D. and A. Sherman, "Key Establishment in Large
Dynamic Groups Using One-Way Function Trees", Manuscript,
submitted to IEEE Transactions on Software Engineering,
1998, <http://download.nai.com/products/media/nai/misc/
oft052098.ps>.
[PK01] Perlman, R. and C. Kaufman, "Analysis of the IPsec Key
Exchange Standard", WET-ICE conference , 2001,
<http://sec.femto.org/wetice-2001/papers/radia-paper.pdf>.
[RFC2403] Madson, C. and R. Glenn, "The Use of HMAC-MD5-96 within
ESP and AH", RFC 2403, November 1998.
Weis, et al. Expires September 15, 2011 [Page 61]
Internet-Draft GDOI March 2011
[RFC2404] Madson, C. and R. Glenn, "The Use of HMAC-SHA-1-96 within
ESP and AH", RFC 2404, November 1998.
[RFC2407] Piper, D., "The Internet IP Security Domain of
Interpretation for ISAKMP", RFC 2407, November 1998.
[RFC2408] Maughan, D., Schneider, M., and M. Schertler, "Internet
Security Association and Key Management Protocol
(ISAKMP)", RFC 2408, November 1998.
[RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange
(IKE)", RFC 2409, November 1998.
[RFC2627] Wallner, D., Harder, E., and R. Agee, "Key Management for
Multicast: Issues and Architectures", RFC 2627, June 1999.
[RFC3447] Jonsson, J. and B. Kaliski, "Public-Key Cryptography
Standards (PKCS) #1: RSA Cryptography Specifications
Version 2.1", RFC 3447, February 2003.
[RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V.
Jacobson, "RTP: A Transport Protocol for Real-Time
Applications", STD 64, RFC 3550, July 2003.
[RFC3686] Housley, R., "Using Advanced Encryption Standard (AES)
Counter Mode With IPsec Encapsulating Security Payload
(ESP)", RFC 3686, January 2004.
[RFC3740] Hardjono, T. and B. Weis, "The Multicast Group Security
Architecture", RFC 3740, March 2004.
[RFC3947] Kivinen, T., Swander, B., Huttunen, A., and V. Volpe,
"Negotiation of NAT-Traversal in the IKE", RFC 3947,
January 2005.
[RFC4046] Baugher, M., Canetti, R., Dondeti, L., and F. Lindholm,
"Multicast Security (MSEC) Group Key Management
Architecture", RFC 4046, April 2005.
[RFC4082] Perrig, A., Song, D., Canetti, R., Tygar, J., and B.
Briscoe, "Timed Efficient Stream Loss-Tolerant
Authentication (TESLA): Multicast Source Authentication
Transform Introduction", RFC 4082, June 2005.
[RFC4106] Viega, J. and D. McGrew, "The Use of Galois/Counter Mode
(GCM) in IPsec Encapsulating Security Payload (ESP)",
RFC 4106, June 2005.
Weis, et al. Expires September 15, 2011 [Page 62]
Internet-Draft GDOI March 2011
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", RFC 4301, December 2005.
[RFC4309] Housley, R., "Using Advanced Encryption Standard (AES) CCM
Mode with IPsec Encapsulating Security Payload (ESP)",
RFC 4309, December 2005.
[RFC4359] Weis, B., "The Use of RSA/SHA-1 Signatures within
Encapsulating Security Payload (ESP) and Authentication
Header (AH)", RFC 4359, January 2006.
[RFC4430] Sakane, S., Kamada, K., Thomas, M., and J. Vilhuber,
"Kerberized Internet Negotiation of Keys (KINK)",
RFC 4430, March 2006.
[RFC4543] McGrew, D. and J. Viega, "The Use of Galois Message
Authentication Code (GMAC) in IPsec ESP and AH", RFC 4543,
May 2006.
[RFC4754] Fu, D. and J. Solinas, "IKE and IKEv2 Authentication Using
the Elliptic Curve Digital Signature Algorithm (ECDSA)",
RFC 4754, January 2007.
[RFC4868] Kelly, S. and S. Frankel, "Using HMAC-SHA-256, HMAC-SHA-
384, and HMAC-SHA-512 with IPsec", RFC 4868, May 2007.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 5226,
May 2008.
[RFC5903] Fu, D. and J. Solinas, "Elliptic Curve Groups modulo a
Prime (ECP Groups) for IKE and IKEv2", RFC 5903,
June 2010.
[RFC5996] Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen,
"Internet Key Exchange Protocol Version 2 (IKEv2)",
RFC 5996, September 2010.
[SP.800-131]
Barker, E. and A. Roginsky, "Recommendation for the
Transitioning of Cryptographic Algorithms and Key
Lengths", United States of America, National Institute of
Science and Technology DRAFT NIST Special Publication 800-
131, June 2010.
[SP.800-38A]
Dworkin, M., "Recommendation for Block Cipher Modes of
Operation", United States of America, National Institute
Weis, et al. Expires September 15, 2011 [Page 63]
Internet-Draft GDOI March 2011
of Science and Technology NIST Special Publication 800-38A
2001 Edition, December 2001.
Weis, et al. Expires September 15, 2011 [Page 64]
Internet-Draft GDOI March 2011
Appendix A. Extending GDOI
A.1. Alternate GDOI Phase 1 protocols
This section describes a manner in which other protocols could be
used as GDOI Phase 1 protocols in place of the ISAKMP Phase 1
protocol. However, they are not specified as a part of this
document. A separate document MUST be written in order for another
protocol to be used as a GDOI Phase 1 protocol.
Other possible phase 1 protocols are also described in [RFC4046].
Any GDOI phase 1 protocol MUST satisfy the requirements specified in
Section 2 of this document.
A.1.1. IKEv2 Exchange
Version 2 of the IKE protocol (IKEv2) [RFC5996] has been published.
That protocol simplifies IKE processing, and combines the two phases
of IKE. An IKEv2 Phase 1 negotiates an IPsec SA during phase 1,
which was not possible in IKE. However, IKEv2 also defines a phase 2
protocol. The phase 2 protocol is protected by the Phase 1, similar
in concept to how IKE Quick Mode is protected by the IKE Phase 1
protocols in [RFC2409].
It would be possible to define GDOI as a phase 2 protocol protected
by an IKEv2 initial exchange. Alternatively, it would be possible to
define a new protocol re-using some of the IKEv2 initial exchange
(e.g., IKE_SA_INIT).
A.1.2. KINK Protocol
The Kerberized Internet Negotiation of Keys (KINK) [RFC4430] has
defined a method of encapsulating an IKEv1 Quick Mode [RFC2409]
encapsulated in Kerberos KRB_AP_REQ and KRB_AP_REP payloads. KINK
provides a low-latency, computationally inexpensive, easily managed,
and cryptographically sound method of setting up IPsec security
associations.
The KINK message format includes a DOI field in the KINK header. The
[RFC4430] document defines the DOI for the IPsec DOI.
A new DOI for KINK could be defined which would encapsulate a
GROUPKEY-PULL exchange in the Kerberos KRB_AP_REQ and KRB_AP_REP
payloads. As such, GDOI would benefit from the computational
efficiencies of KINK.
Weis, et al. Expires September 15, 2011 [Page 65]
Internet-Draft GDOI March 2011
A.2. Supporting new SA TEK types
Not all secure multicast or multimedia applications can use IPsec ESP
or AH. Many Real Time Transport Protocol applications, for example,
require security above the IP layer to preserve RTP header
compression efficiencies and transport-independence [RFC3550].
Alternatively, GDOI can distribute message authentication code (MAC)
policy and keys for legacy applications that have defined their own
security associations [I-D.weis-gdoi-mac-tek].
In order to add a new data security protocol, a new RFC MUST specify
the data-security SA parameters conveyed by GDOI for that security
protocol; these parameters are listed in Section 5.5.2 of this
document.
Data security protocol SAs MUST protect group traffic. GDOI provides
no restriction on whether that group traffic is transmitted as
unicast or multicast packets.
Weis, et al. Expires September 15, 2011 [Page 66]
Internet-Draft GDOI March 2011
Appendix B. GDOI Applications
GDOI can be used to distribute keys for several secure multicast
applications, where different applications have different key
management requirements. This section outlines two example ways that
GDOI can be used. Other examples can be found in Section 10 of
[HD03].
A simple application is secure delivery of periodic multicast content
over an organization's IP network, perhaps a multicast video
broadcast. Assuming the content delivery time frame is bounded and
the group membership is not expected to change over time, there is no
need for group policy to include a GROUPKEY-PUSH exchange, and
there's no need for the GCKS to distribute a Re-key SA. Thus, the
GDOI GCKS may only need to distribute a single set of Data-Security
SAs to protect the time-bounded broadcast.
In contrast, a persistent IP multicast application (e.g., stock-
ticker delivery service) may have many group members, where the group
membership changes over time. A periodic change of Data-security SAs
may be desirable, and the potential for change in group membership
requires the use of a group management method enabling de-
authorization of group members. The GDOI GCKS will distribute the
current set of Data-Security SAs and a Re-key SA to registering group
members. It will then deliver regularly-scheduled GROUPKEY-PUSH
protocol delivering the new SAs for the group. Additionally, the
group membership on the GCKS may be frequently adjusted, which will
result in GROUPKEY-PUSH exchange delivering a new Rekey SAs protected
by a group management method. Each GROUPKEY-PUSH may include Data-
security SAs and/or a Rekey SA.
In each example the relevant policy is defined on the GCKS and
relayed to group members using the GROUPKEY-PULL and/or GROUPKEY-PUSH
protocols. Specific policy choices configured by the GCKS
administrator depends on each application.
Weis, et al. Expires September 15, 2011 [Page 67]
Internet-Draft GDOI March 2011
Appendix C. Significant Changes from RFC 3547
The following significant changes have been made from RFC 3547.
o The Proof of Possession (POP) payload was removed from the
GROUPKEY-PULL exchange. It provided an alternate form of
authorization, but its use was underspecified. Furthermore,
Meadows and Pavlovic [MP04] discussed a man-in-the-middle attack
on the POP authorization method, which would require changes to
its semantics. No known implementation of RFC 3547 supported the
POP payload, so it was removed. Removal of the POP payload
obviated the need for the CERT payload in that exchange and it was
removed as well.
o The Key Exchange Payloads (KE_I, KE_R) payloads were removed from
the GROUPKEY-PULL exchange. However, the specification for
computing keying material for the additional encryption function
in RFC 3547 is faulty. Furthermore, it has been observed that
because the GDOI registration message uses strong ciphers and
provides authenticated encryption, additional encryption of the
keying material in a GDOI registration message provides negligible
value. Therefore, the use of KE payloads is deprecated in this
memo.
o The Certificate Payload (CERT) was removed from the GROUPKEY-PUSH
exchange. The use of this payload was underspecified. In all
known use cases, the public key of used to verify the GROUPKEY-
PUSH payload is distributed directly from the key server as part
of the GROUPKEY-PULL exchange.
o Supported cryptographic algorithms were changed to meet current
guidance. Implementations are required to support AES with 128-
bit keys to encrypt the rekey message, and SHA-256 for
cryptographic signatures. The use of DES is deprecated.
o New protocol support for AH.
o New protocol definitions were added to conform to the most recent
Security Architecture for the Internet Protocol [RFC4301] and the
Multicast Extensions to the Security Architecture for the Internet
Protocol[RFC5374]. This includes addition of the GAP payload.
o New protocol definitions and semantics were added to support Using
Counter Modes with ESP and AH to Protect Group Traffic[RFC6054].
o Specification to IANA to better clarify the use of the GDOI
Payloads registry.
Weis, et al. Expires September 15, 2011 [Page 68]
Internet-Draft GDOI March 2011
Authors' Addresses
Brian Weis
Cisco Systems
170 W. Tasman Drive
San Jose, California 95134-1706
USA
Phone: +1-408-526-4796
Email: bew@cisco.com
Sheela Rowles
Cisco Systems
170 W. Tasman Drive
San Jose, California 95134-1706
USA
Phone: +1-408-527-7677
Email: sheela@cisco.com
Thomas Hardjono
MIT
77 Massachusetts Ave.
Cambridge, Massachusets 02139
USA
Phone: +1-781-729-9559
Email: hardjono@mit.edu
Weis, et al. Expires September 15, 2011 [Page 69]