MSEC WG                                                       L. Dondeti
Internet-Draft                                                  QUALCOMM
Expires: September 2, 2006                                      J. Xiang
                                                         Nortel Networks
                                                               S. Rowles
                                                                   Cisco
                                                                Mar 2006


                 GKDP: Group Key Distribution Protocol
                        draft-ietf-msec-gkdp-01

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on September 2, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This document specifies a group key distribution protocol (GKDP)
   based on IKEv2, the IPsec key management protocol; the new protocol
   is similar to IKEv2 in message and payload formats, and message
   semantics to a large extent.  The protocol in conformance with MSEC
   key management architecture contains two components: member



Dondeti, et al.         Expires September 2, 2006               [Page 1]


Internet-Draft                    GKDP                          Mar 2006


   registration and group rekeying, and downloads a group security
   association from the GCKS to a member.  This protocol is independent
   of IKEv2 except in its likeness.

Conventions Used In This Document

   This document recommends, as policy, what specifications for Internet
   protocols -- and, in particular, IETF standards track protocol
   documents -- should include as normative language within them.  The
   capitalized keywords "SHOULD", "MUST", "REQUIRED", etc. are used in
   the sense of how they would be used within other documents with the
   meanings as specified in BCP 14, RFC 2119 [RFC2119].


Table of Contents

   1.  Revision History . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Introduction and Overview  . . . . . . . . . . . . . . . . . .  3
     2.1.  Why do we need another GSA management protocol?  . . . . .  3
     2.2.  GKDP usage scenarios . . . . . . . . . . . . . . . . . . .  4
   3.  GKDP protocol  . . . . . . . . . . . . . . . . . . . . . . . .  4
     3.1.  Member registration and secure channel establishment . . .  4
       3.1.1.  Initial exchange:GSA_INIT_EXCH . . . . . . . . . . . .  4
       3.1.2.  Authenticated exchange:GSA_AUTH_EXCH . . . . . . . . .  6
     3.2.  GSA maintenance channel  . . . . . . . . . . . . . . . . .  9
       3.2.1.  GSA rekey protocol . . . . . . . . . . . . . . . . . .  9
   4.  Informational exchange . . . . . . . . . . . . . . . . . . . . 11
     4.1.  Notify exchange  . . . . . . . . . . . . . . . . . . . . . 11
     4.2.  Error message  . . . . . . . . . . . . . . . . . . . . . . 11
   5.  Traffic selectors  . . . . . . . . . . . . . . . . . . . . . . 11
   6.  GKDP protocol design details . . . . . . . . . . . . . . . . . 11
   7.  Header and payload formats . . . . . . . . . . . . . . . . . . 12
     7.1.  GKDP header  . . . . . . . . . . . . . . . . . . . . . . . 12
   8.  Security considerations  . . . . . . . . . . . . . . . . . . . 13
   9.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 13
   10. Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 14
   11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 14
     11.1. Normative References . . . . . . . . . . . . . . . . . . . 14
     11.2. Informative References . . . . . . . . . . . . . . . . . . 14
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 15
   Intellectual Property and Copyright Statements . . . . . . . . . . 16










Dondeti, et al.         Expires September 2, 2006               [Page 2]


Internet-Draft                    GKDP                          Mar 2006


1.  Revision History

   GKDP-xx: Draft tag and title changed to gkdp-xx
   Version 01: The protocol has been renamed GKDP for Group Key
      Distribution Protocol as per discussions at the MSEC meeting at
      IETF-60 and mailing list discussions.  The name GDOIv2 will be
      used for a revision of GDOI which may retain the DOI concept and
      build upon RFC 3547.
   Version 02: This is a major revision with the following additions to
      the specification:

      *


2.  Introduction and Overview

   Security encapsulation protocols such as IPsec and SRTP provide
   confidentiality, message integrity, replay protection, and in some
   instances access control, and data origin authentication.  These
   security services require state establishment, maintenance, and
   teardown for correct operation.  While these security associations
   can be managed manually, automatic key management protocols are
   essential for efficient and scalable operation.  In case of point-to-
   point security associations, IKE and its successor IKEv2 are widely
   used for IPsec SAs, and MIKEY for SRTP associations.  For multi-point
   SAs or group SAs (GSA), GDOI, GSAKMP, and MIKEY have been specified
   by the MSEC WG.  GKDP is designed to be a counterpart - for GSA
   distribution and maintenance - to IKEv2 so we can reuse the work put
   in to its design and analysis, and of course implementation.

2.1.  Why do we need another GSA management protocol?

   Given the collection of key management protocols mentioned above,
   there is a question on the need for yet another group key management
   protocol.  First a look back at history: So far, we have two
   experimental RFCs, viz., RFC 1949 [RFC1949] and RFC 2093 [RFC2093],
   and a standards track RFC, RFC 3547 [RFC3547] specifying or
   describing group key management protocols.  Furthermore there is
   GSAKMP, currently a standards track MSEC I-D, which borrows quite a
   few concepts from IKEv2, but not quite similar to IKEv2.  The
   protocol we propose is mainly to reuse as much as the IKEv2 codebase,
   similar to GDOI reusing payload and message formats of IKE [RFC2409]
   and ISAKMP [RFC2408] .  Consequently, GKDP requires fewer messages
   compared to GDOI, specifically 4 in most cases, compared to 10 in
   main mode and 7 in aggressive mode of GDOI.  We discuss the
   advantages of GKDP, the shortcomings and remedies to address those
   shortcomings.




Dondeti, et al.         Expires September 2, 2006               [Page 3]


Internet-Draft                    GKDP                          Mar 2006


2.2.  GKDP usage scenarios

   GKDP is a key download protocol.  Key download as opposed to key
   negotiation has several interesting use cases.

   o  The first application is multicast security.  As with GDOI, the
      current version of the GKDP spec limits the scope to single sender
      multicast applications.
   o  The second intended application is point to point data security
      associations facilitated by a centralized group key server.
   o  Others to be listed!


3.  GKDP protocol

3.1.  Member registration and secure channel establishment

   The first of two components in GSA establishment and maintenance is
   member registration.

3.1.1.  Initial exchange:GSA_INIT_EXCH

   The first step in the registration protocol is to establish a secure
   channel with the group controller and key server (GCKS).  This
   exchange is similar to IKE_SA_INIT exchange of IKEv2.  The
   registering member proposes various combinations of algorithms in
   SAi1 to constitute the secure channel, along with a nonce, Ni, and a
   DH exponent, KEi.  The GCKS has several options:

   o  In the first, it honors the member's request for registration and
      sends the necessary information to complete the DH exchange: it
      selects and specifies the parameters of the secure channel, and
      includes a nonce Nr, and a public DH value of its own, KEr.
   o  The second option is for the GCKS to consider if the request for
      secure channel establishment is spurious.  The GCCKS has no way to
      tell except to throttle such requests by making the initiator do
      some work before it invests any computing resources.  We refer to
      this mode as the denial-of-service or DoS protection mode
      specified in detail in Section 3.1.1.1 .
   o  Finally, if none of the proposals are acceptable to the GCKS, it
      may reject the initial exchange itself.










Dondeti, et al.         Expires September 2, 2006               [Page 4]


Internet-Draft                    GKDP                          Mar 2006


   GSA_INIT_EXCH message is as follows:


   Member->GCKS: M1:    HDR, SAi1, KEi, Ni
   GCKS->Member: M2:    HDR, SAr1, KEr, Nr, [CERTREQ]


   Figure 1: Secure channel establishment

3.1.1.1.  DoS protection mode

   In typical deployments of multicast or group security services, the
   GCKS address is well-known, which allows adversaries to launch a DoS
   attack by sending bogus GSA_INIT_EXCH messages.  In the normal mode
   of operation, the GCKS responds and needs to maintain state
   (including storing Messages 1 and 2) corresponding to each exchange
   in progress.  Notice that this process might result in the GCKS
   storing unnecessary state about bogus exchanges.  To avoid this
   attack, the GCKS may first choose to verify whether the Intiator is
   live and responding to and processing GKDP messages.

   The GCKS verifies whether a prospective member (or the initiatior of
   the key exchange protocol) is live using the following procedure.
   The GCKS responds to the Initiator's message, by sending a challenge
   - a notify message (see Section 4), containing a a random value or
   generally referred to as a COOKIE; the GCKS MUST choose the COOKIE
   size between 1 and 64 octets.  The Intiator is expected to include
   the received COOKIE as part of modified Message 1, which we refer to
   as "Response Message." (see Figure 2).

   The GCKS may choose to store the COOKIE and other relevant additional
   information such as Initiator's identity (thus reducing the amount of
   state to be stored, but not entirely eliminating it), to verify that
   the Initiator indeed used the COOKIE that was sent by the GCKS.
   Alternatively, it may generate the COOKIE following a local procedure
   (that the Initiator cannot repeat to generate another valid cookie)
   to encode the Initiator's identity, Message 1 etc.  For instance the
   IKEv2 specification suggests the following derivation to generate
   cookies:

   COOKIE = VersionIDofGCKS-Secret | Hash(Ni | IPi | SPIi | GCKS-secret)

   The GCKS may use (TBD) method to expand or truncate the above value
   to generate the COOKIE of size (MUST be between 1-64 octets) based on
   local policy.






Dondeti, et al.         Expires September 2, 2006               [Page 5]


Internet-Draft                    GKDP                          Mar 2006


   DoS protection exchange is as follows:


   Member->GCKS: M1:  HDR(A,0), SAi1, KEi, Ni
   GCKS->Member: CM:   HDR(A,0), N(COOKIE)

   Member->GCKS: RM:   HDR(A,0), N(COOKIE), SAi1, KEi, Ni
   GCKS->Member: M2:  HDR(A,B), SAr1, KEr, Nr, [CERTREQ]

   CM: Challenge Message from the GCKS
   RM: Challenge-Response Message from the Member


   Figure 2: DoS protection mode of GSA_INIT_EXCH

3.1.2.  Authenticated exchange:GSA_AUTH_EXCH

   The GSA_INIT_EXCH (2 message or 4 message version) establishes an
   unauthenticated secure channel between a prospective member and the
   GCKS.  The next step is for the member to request the GCKS to join a
   group; the GCKS evaluates the request and based on the evaluation a)
   accept the request and send the corresponding GSA

   GSA_AUTH_EXCH message is as follows:


   Member->GCKS: M3: HDR, SK{ G-ID, IDi, [ID_CERT,] [ID_CERTREQ,] AUTH,
                  [IDr,] [GM_CERT,] [GM_CERTREQ,] [POP_I] }
   GCKS->Member: M4: HDR, SK{ IDr, [ID_CERT,] AUTH, GSA, [,KD] [,SEQ]
                  [GCKS_CERT,] [,POP_R]}


   Figure 3: Authenticated Exchange

   The various payloads in the GSA_AUTH_EXCH messages have the following
   purposes:

   o  G-ID: The group identity payload constructed using the IKEv2
      Identification Payload specifies the secure group that M3 wants to
      join.
   o  ID_CERT: The optional ID_CERT payload contains a certificate(s)
      asserting the GCKS's or a member's claimed identity as in IDi or
      IDr payloads.
   o  GM_CERT: The optional GM_CERT payload contains a certificate
      asserting the group member's authorization to join the group G-ID
      as member.





Dondeti, et al.         Expires September 2, 2006               [Page 6]


Internet-Draft                    GKDP                          Mar 2006


   o  GCKS_CERT: The optional GCKS_CERT payload contains a certificate
      asserting the GCKS's authorization to serve the role of a group
      controller and key server for the group G-ID.
   o  AUTH: The AUTH payload constitues the "authenticated" portion of
      the 4 or 6 message AKE.  In other words, the member in M3 and the
      GCKS in M4 prove that they are indeed the entities that sent M1
      and M2 respectively.  A pre-established shared secret or a
      certificate (optionally specified in the CERT payload) may be used
      for entity authentication.
   o  POP: Similar to the AUTH payload's use in providing host/entity
      authentication, the POP payload is for member/GCKS authorization
      to assume their claimed roles.  The GM_CERT or GCKS_CERT is used
      to sign a block of data, specified below, to constitute the POP
      payload.
   o  GSA: The GSA payload contains the rekey and data security SA
      payloads.  Note that this SA is not negotiated; the GCKS simply
      sends this SA.
   o  KD: The KD payload contains the secret keys corresponding the
      rekey and the data security SAs included in the GSA payload.
   o  SEQ: The optional SEQ payload MUST be included if the GSA payload
      contains a rekey SA.  The SEQ payload contains a SEQ number for
      replay protection of the rekey messages.

3.1.2.1.  Key material computation

   The key material computation and the AUTH payload are identical to
   that described in the IKEv2 specification.

   Key material and registration SA keys are computed as follows:



   SKEYSEED = prf(Ni | Nr, g^ir)

     {SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr }
                 = prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr ), where

   prf+ is defined as follows:

      prf+ (K,S) = T1 | T2 | T3 | T4 | ...

      where:
      T1 = prf (K, S | 0x01)
      T2 = prf (K, T1 | S | 0x02)
      T3 = prf (K, T2 | S | 0x03)
      T4 = prf (K, T3 | S | 0x04)





Dondeti, et al.         Expires September 2, 2006               [Page 7]


Internet-Draft                    GKDP                          Mar 2006


   Figure 4: Registration SA key material computation

3.1.2.2.  Member and GCKS authentication and authorization

   GKDP requires mutual authentication between each member and a GCKS,
   as well as mutual authorization.  First the member and the GCKS
   authenticate to each other using pre-shared keys or certificates
   prior to establishing a secure channel.  M3 and M4 contain AUTH
   payloads that essentially protect against man-in-the-middle attacks
   against the DH exchange in M1 and M2.  The member and the GCKS
   construct AUTH payloads by computing an HMAC over or signing a block
   of data containing the message M1 or M2 they sent earlier, the other
   party's nonce payload, and a prf over own identity.  More formally,
   the block of data for HMAC or signature is as follows:

   Auth payload computation:


   Auth payload in M3 is computed over:

   auth-block-M3: M1 || Nr-Payload || prf(SK_pi, IDi-Payload)

   Auth payload in M4 is computed over:

   auth-block-M4: M2 || Ni-Payload || prf(SK_pr, IDr-Payload)

   For shared secret based host authentication AUTH payload is
   computed as follows:

   AUTH = prf(prf(Shared Secret,"KeyPad:GKDP-AUTH-MX"),
                  <auth-block-MX>)


   Figure 5: Auth payload computation

3.1.2.2.1.  Use of asymmetric authentication methods

   GKDP also allows the member and the GCKS to use different
   authentication methods, similar to TLS and IKEv2.  More specifically,
   the GCKS uses a cert to authenticate itself and establish a secure
   channel, and the member uses EAP to send its authentication
   information via the secure channel.

   Members may also use EAP to prove their authorization to join a
   secure group.  For instance, consider a use case where a member may
   use a SIM card for authentication, or a pre-paid SIM card to pay for
   content distributed to a secure group.  In these cases, the
   authentication or authorization information can be sent via EAP.



Dondeti, et al.         Expires September 2, 2006               [Page 8]


Internet-Draft                    GKDP                          Mar 2006


3.1.2.2.2.  Proof of possession

   Proof of possession payload (POP) provides a mechanism so that
   members and/or GCKS can prove to the other party that they are indeed
   authorized to be a member or the GCKS, respectively.  For POP payload
   derivation in GKDP, the member or the GCKS first constructs a message
   block, POP-HASH, containing the two nonces exchanged in GSA_INIT_EXCH
   and the prf over the ID payload as defined in the AUTH payload
   construction.  Next, the member or the GCKS signs the POP-HASH value.

   POP-HASH construction is as follows:

   POP payload :


   POP payload in M3 is constructed over the following message block:

   POP-HASH-M3: "KeyPad:GKDP-POP-M3" ||
                 Ni-Payload || Nr-Payload || prf(SK_pi, IDi-Payload)

   POP payload in M4 is computed over:

   POP-HASH-M4: "KeyPad:GKDP-POP-M4" ||
                Ni-Payload || Nr-Payload || prf(SK_pr, IDr-Payload)


   Figure 6: POP payload computation block

3.2.  GSA maintenance channel

3.2.1.  GSA rekey protocol

   GSA rekey protocol is optional to implement, but it plays a crucial
   role for large and dynamic groups.

   The GCKS is responsible for rekeying of the secure group as per the
   group policy.  The GCKS uses multicast or multi-unicast to transport
   the rekey message.  When multi-unicast is used, it may be appropriate
   in some scenarios to have a reply message from the member(s) to the
   GCKS.  The reply message is optional.











Dondeti, et al.         Expires September 2, 2006               [Page 9]


Internet-Draft                    GKDP                          Mar 2006


   Rekey message is as follows:


   Multicast:
   GCKS->Member:    HDR, SK {[N], SEQ, GSA, KD, [GCKS_CERT,] SIG}

   Unicast:
   GCKS->Member:    HDR, SK {N, SEQ, GSA, KD, [GCKS_CERT,] SIG}
   [Member->GCKS]:    [HDR, SK {N, SEQ, AUTH}]


   Figure 7: Rekey message

3.2.1.1.  Multicast Rekey

   The multicast rekey is multicasted to all the group members that have
   completed the member registration in section 3.1.

   The HDR is the GKDP Header defined in section 5.1

   The Notify Payload MAY be used by the GKCS to inform the group member
   of the type of rekey that is being conveyed or if there is an error
   state to convey to the group member.  The Notify Message may be one
   of the following:

   STATUS          NOTIFY                           TYPE
   KEKUPDATE       40960   Notify the member that rekey SA has expired
   TEKUPDATE       40961   Notify the member that Data SA has expired
   KEKTEKUPDATE    40962   Both the types of SA have expired and will be
                                          refreshed

   ERROR NOTIFY TYPE
                                               TBD

   The SEQ payload contains a sequence number that orders the rekey
   messages.  The group member MUST check to see that the sequence
   number is greater than in the previous rekey message, before acting
   any further on the message.  The sequence number for a new rekey SA
   will start from one.

   The GSA payload contains the current rekey and data security SA
   payloads.  The GSA may contain a new data security SA or a new rekey
   SA or both.  The GSA MAY also contain an LKH rekey SA, TBD.

   The KD represents the keys for the policy sent in the GSA.  If the
   data security SA is being refreshed in this rekey message, the IPSec
   keys are updated in the KD, and/or if the rekey SA is being refreshed
   in this rekey message, the rekey Key is updated in the KD payload.



Dondeti, et al.         Expires September 2, 2006              [Page 10]


Internet-Draft                    GKDP                          Mar 2006


   GKCS-CERT: This optional payload SHOULD not be any different than in
   the registration.

   The SIG payload is a signature of the hash of the message, not
   including the GKDP header, prefixed with the string "GKDP-rekey".
   Hash {"GKDP-rekey", [N], SEQ, GSA, KD, [GKCS-CERT] }

   After adding the Signature of the above Hash to the rekey message, it
   is then encrypted with the rekey SA and multicasted to the group
   members which are registered with the GKCS.

3.2.1.2.  Group Member Reply

3.2.1.3.  Delete via Rekey SA

   The GKCS may want to delete the data security and/or rekey SAs for
   various reasons.  One or more Delete Payloads [RFC 4306, Section
   3.11] MAY follow the SEQ payload in a REKEY message in order to
   delete keys.  If the GKCS has no further SAs to send to the group
   members, the GSA and KD payloads must be omitted from the rekey
   message.
   HDR, SK {[N], SEQ, D, [D], SIG}


4.  Informational exchange

4.1.  Notify exchange

4.2.  Error message


5.  Traffic selectors

   Traffic Selector(TS) allows the GCKS to communicate what kind of
   packets will be forwarded over the newly downloaded GSA.  It can be
   used to implement a Secure Policy Database (SPD).  It can also be
   used to solve other problems such as the replay window with QoS
   issue.  Unlike negotiated key protocol, in whichTraffic Selector can
   be negotiated down e.g. the responder can choose a subset of the
   traffic proposed by the initiator; GKDP is a key downloading protocol
   in which the Traffic Selector sent by the GCKS together with the GSA
   specifies the selection criteria for packets forwarded over the new
   GSA.  For rekeys, TS needs not be specified.


6.  GKDP protocol design details





Dondeti, et al.         Expires September 2, 2006              [Page 11]


Internet-Draft                    GKDP                          Mar 2006


7.  Header and payload formats

   GKDP payload design is based on IKEv2 payloads, to allow reuse of the
   IKEv2 payload processing code.  Furthermore, we draw on the GDOI
   design specified in RFC3547, where possible and appropriate to avoid
   reinvention.

7.1.  GKDP header

   GKDP messages use UDP ports GKDP-PORT and GKDP-NAT-PORT (TBA-IANA),
   with one GKDP message per datagram.  The source and destination IP
   addresses from the IP header are used with role reversal to send the
   response messages.  GKDP messages sent/received on UDP port GKDP-PORT
   follow the format of a UDP header followed by a GDKP header.  GKDP
   messages sent/received on UDP port GKDP-NAT-PORT have four octets of
   zero immediately following the UDP header; the GKDP header follows
   the zeros.  The zeros are not part of part of the GKDP message and
   therefore not part of the payload length fields.  All GKDP messages
   begin with the GKDP header.

   Following the GKDP header -denoted by HDR in GKDP messages - are one
   or more GKDP payloads each identified by a "Next Payload" field in
   the preceding payload.  Payloads are processed in the order in which
   they appear in an GKDP message by invoking the appropriate processing
   routine according to the "Next Payload" field in the IKE header and
   subsequently according to the "Next Payload" field in the IKE payload
   itself until a "Next Payload" field of zero indicates that no
   payloads follow.  If a payload of type "Encrypted" is found, that
   payload is decrypted and its contents parsed as additional payloads.
   An Encrypted payload MUST be the last payload in a packet and an
   encrypted payload MUST NOT contain another encrypted payload.

   IPsecbis multicast group address or the destination address in the IP
   header and the Recipient SPI in the GKDP header identifies an
   instance of an GKDP security association.

   The format of the GKDP header is shown in Figure Figure 11:














Dondeti, et al.         Expires September 2, 2006              [Page 12]


Internet-Draft                    GKDP                          Mar 2006


                          1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !                        GKDP Initiator's SPI                   !
      !                                                               !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !                        GKDP Responder's SPI                   !
      !                                                               !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !  Next Payload ! MjVer ! MnVer ! Exchange Type !     Flags     !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !                          Message ID                           !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !                            Length                             !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Figure 11: GKDP Header Format


8.  Security considerations

   TBD

   Since GKDP piggybacks on the IKEv2 protocol and completes
   registration in the last two messages, of the ikev2 protocol, there
   is no opportunity for the group member to reply back to the GKCS that
   it cannot handle the policy sent in the GSA.  In this case, the group
   member can send an informational message to the GKCS, which will then
   have to tear down any state regarding this group member.


9.  IANA Considerations

   This document defines a number of new exchanges, fields and values
   where future assignments are needed from IANA.  This section lists
   what future IANA assignments are needed.

      UDP port number for GKDP exchanges.
      GSA_INIT_EXCH exchange type
      GSA_AUTH_EXCH exchange type
      GSA_INFO_EXCH exchange type
      GSA_REKEY exchange type
      new Payload Types
      G-ID
      SEQ
      GSA





Dondeti, et al.         Expires September 2, 2006              [Page 13]


Internet-Draft                    GKDP                          Mar 2006


      POP
      KD


10.  Acknowledgments

   GKDP is based on IKEv2 and GDOI.  Several sections of this document
   are quite identical to IKEv2 and GDOI specifications; in some cases
   the text may be identical to the text in those specifications.  We
   included the text for completeness of this specification.  We
   appreciate the efforts of the contributors and editors of those
   protocols.


11.  References

11.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3547]  Baugher, M., Weis, B., Hardjono, T., and H. Harney, "The
              Group Domain of Interpretation", RFC 3547, July 2003.

   [I-D.ietf-ipsec-ikev2]
              Kaufman, C., "Internet Key Exchange (IKEv2) Protocol",
              draft-ietf-ipsec-ikev2-17 (work in progress),
              October 2004.

11.2.  Informative References

   [RFC1949]  Ballardie, T., "Scalable Multicast Key Distribution",
              RFC 1949, May 1996.

   [RFC2093]  Harney, H. and C. Muckenhirn, "Group Key Management
              Protocol (GKMP) Specification", RFC 2093, July 1997.

   [RFC2408]  Maughan, D., Schneider, M., and M. Schertler, "Internet
              Security Association and Key Management Protocol
              (ISAKMP)", RFC 2408, November 1998.

   [RFC2409]  Harkins, D. and D. Carrel, "The Internet Key Exchange
              (IKE)", RFC 2409, November 1998.

   [I-D.ipsec-rfc2401bis]
              "Security Architecture for the Internet Protocol",
              draft-ipsec-rfc2401bis-00 (work in progress),
              October 2003.



Dondeti, et al.         Expires September 2, 2006              [Page 14]


Internet-Draft                    GKDP                          Mar 2006


Authors' Addresses

   Lakshminath Dondeti
   QUALCOMM
   5775 Morehouse Drive
   San Diego, CA  92121
   US

   Phone: +1 858 845 1267
   Email: ldondeti@qualcomm.com


   Jing Xiang
   Nortel Networks
   600 Technology Park drive
   Billerica, MA  01821
   US

   Phone: +1 978 288 8985
   Email: jxiang@nortel.com


   Sheela Rowles
   Cisco
   US

   Phone:
   Email:























Dondeti, et al.         Expires September 2, 2006              [Page 15]


Internet-Draft                    GKDP                          Mar 2006


Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.


Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Copyright Statement

   Copyright (C) The Internet Society (2006).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.


Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.




Dondeti, et al.         Expires September 2, 2006              [Page 16]