The Multicast Group Security Architecture
RFC 3740

Document Type RFC - Informational (March 2004; No errata)
Last updated 2013-03-02
Stream IETF
IESG IESG state RFC 3740 (Informational)
Responsible AD Russ Housley
Network Working Group                                        T. Hardjono
Request for Comments: 3740                                      Verisign
Category: Informational                                          B. Weis
                                                                   Cisco
                                                              March 2004

               The Multicast Group Security Architecture

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2004).  All Rights Reserved.

Abstract

   This document provides an overview and rationale of the multicast
   security architecture used to secure data packets of large multicast
   groups.  The document begins by introducing a Multicast Security
   Reference Framework, and proceeds to identify the security services
   that may be part of a secure multicast solution.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  2
       1.1.  Scope. . . . . . . . . . . . . . . . . . . . . . . . . .  2
       1.2.  Summary of Contents of Document. . . . . . . . . . . . .  3
       1.3.  Audience . . . . . . . . . . . . . . . . . . . . . . . .  4
       1.4.  Terminology. . . . . . . . . . . . . . . . . . . . . . .  4
   2.  Architectural Design: The Multicast Security Reference
       Framework. . . . . . . . . . . . . . . . . . . . . . . . . . .  4
       2.1.  The Reference Framework. . . . . . . . . . . . . . . . .  4
       2.2.  Elements of the Centralized Reference Framework. . . . .  5
             2.2.1.  Group Controller and Key Server. . . . . . . . .  6
             2.2.2.  Sender and Receiver. . . . . . . . . . . . . . .  7
             2.2.3.  Policy Server. . . . . . . . . . . . . . . . . .  7
       2.3.  Elements of the Distributed Reference Framework. . . . .  8
   3.  Functional Areas . . . . . . . . . . . . . . . . . . . . . . .  9
       3.1.  Multicast Data Handling. . . . . . . . . . . . . . . . .  9
       3.2.  Group Key Management . . . . . . . . . . . . . . . . . . 10
       3.3.  Multicast Security Policies. . . . . . . . . . . . . . . 11
   4.  Group Security Associations (GSA). . . . . . . . . . . . . . . 12
       4.1.  The Security Association . . . . . . . . . . . . . . . . 12

Hardjono & Weis              Informational                      [Page 1]
RFC 3740         Multicast Group Security Architecture        March 2004

       4.2.  Structure of a GSA: Introduction . . . . . . . . . . . . 13
       4.3.  Structure of a GSA: Reasoning. . . . . . . . . . . . . . 14
       4.4.  Definition of GSA. . . . . . . . . . . . . . . . . . . . 15
       4.5.  Typical Compositions of a GSA. . . . . . . . . . . . . . 17
   5.  Security Services. . . . . . . . . . . . . . . . . . . . . . . 17
       5.1.  Multicast Data Confidentiality . . . . . . . . . . . . . 18
       5.2.  Multicast Source Authentication and Data Integrity . . . 18
       5.3.  Multicast Group Authentication . . . . . . . . . . . . . 19
       5.4.  Multicast Group Membership Management. . . . . . . . . . 19
       5.5.  Multicast Key Management . . . . . . . . . . . . . . . . 20
       5.6.  Multicast Policy Management. . . . . . . . . . . . . . . 21
   6.  Security Considerations. . . . . . . . . . . . . . . . . . . . 22
       6.1.  Multicast Data Handling. . . . . . . . . . . . . . . . . 22
       6.2.  Group Key Management . . . . . . . . . . . . . . . . . . 22
       6.3.  Multicast Security Policies. . . . . . . . . . . . . . . 22
   7.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 23
   8.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 23
       8.1.  Normative References . . . . . . . . . . . . . . . . . . 23
       8.2.  Informative References . . . . . . . . . . . . . . . . . 23
   9.  Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 25
   10. Full Copyright Statement . . . . . . . . . . . . . . . . . . . 26

1.  Introduction

   Securing IP multicast group communication is a complex task that
   involves many aspects.  Consequently, a secure IP multicast protocol
   suite must have a number of functional areas that address different
   aspects of the solution.  This document describes those functional
   areas and how they are related.

1.1.  Scope

   This architecture is concerned with the securing of large multicast
   groups.  Whereas it can also be used for smaller groups, it is not
   necessarily the most efficient means.  Other architectures (e.g., the
   Cliques architecture [STW]) can be more efficient for small ad-hoc
   group communication.

   This architecture is "end to end", and does not require multicast