Multicast Security (MSEC) Group Key Management Architecture
RFC 4046

Document type: RFC - Informational (May 2005; No errata)
Last updated: 2013-03-02
Stream: IETF
WG state: (None)
Consensus: Unknown
Document shepherd: No shepherd assigned
IESG state: RFC 4046 (Informational)
Telechat date:
Responsible AD: Russ Housley
Send notices to: <canetti@watson.ibm.com>, <thardjono@verisign.com>

Network Working Group                                         M. Baugher
Request for Comments: 4046                                         Cisco
Category: Informational                                       R. Canetti
                                                                     IBM
                                                              L. Dondeti
                                                                Qualcomm
                                                             F. Lindholm
                                                                Ericsson
                                                              April 2005

      Multicast Security (MSEC) Group Key Management Architecture

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This document defines the common architecture for Multicast Security
   (MSEC) key management protocols to support a variety of application,
   transport, and network layer security protocols.  It also defines the
   group security association (GSA), and describes the key management
   protocols that help establish a GSA.  The framework and guidelines
   described in this document permit a modular and flexible design of
   group key management protocols for a variety of different settings
   that are specialized to application needs.  MSEC key management
   protocols may be used to facilitate secure one-to-many, many-to-many,
   or one-to-one communication.

Table of Contents

   1. Introduction: Purpose of this Document ..........................2
   2. Requirements of a Group Key Management Protocol .................4
   3. Overall Design of Group Key Management Architecture .............6
      3.1. Overview ...................................................6
      3.2. Detailed Description of the GKM Architecture ...............8
      3.3. Properties of the Design ..................................11
      3.4. Group Key Management Block Diagram ........................11
   4. Registration Protocol ..........................................13
      4.1. Registration Protocol via Piggybacking or Protocol Reuse ..13
      4.2. Properties of Alternative Registration Exchange Types .....14

      4.3. Infrastructure for Alternative Registration
           Exchange Types ............................................15
      4.4. De-registration Exchange ..................................16
   5. Rekey Protocol .................................................16
      5.1. Goals of the Rekey Protocol ...............................17
      5.2. Rekey Message Transport and Protection ....................17
      5.3. Reliable Transport of Rekey Messages ......................18
      5.4. State-of-the-art on Reliable Multicast Infrastructure .....20
      5.5. Implosion .................................................21
      5.6. Incorporating Group Key Management Algorithms .............22
      5.7. Stateless, Stateful, and Self-healing Rekeying
           Algorithms ................................................22
      5.8. Interoperability of a GKMA ................................23
   6. Group Security Association .....................................24
      6.1. Group Policy ..............................................24
      6.2. Contents of the Rekey SA ..................................25
           6.2.1. Rekey SA Policy ....................................26
           6.2.2. Group Identity .....................................27
           6.2.3. KEKs ...............................................27
           6.2.4. Authentication Key .................................27
           6.2.5. Replay Protection ..................................27
           6.2.6. Security Parameter Index (SPI) .....................27
      6.3. Contents of the Data SA ...................................27
           6.3.1. Group Identity .....................................28
           6.3.2. Source Identity ....................................28
           6.3.3. Traffic Protection Keys ............................28
           6.3.4. Data Authentication Keys ...........................28
           6.3.5. Sequence Numbers ...................................28
           6.3.6. Security Parameter Index (SPI) .....................28
           6.3.7. Data SA Policy .....................................28
   7. Scalability Considerations .....................................29
   8. Security Considerations ........................................31