Multicast Extensions to the Security Architecture for the Internet Protocol
RFC 5374

Document Type: RFC - Proposed Standard (November 2008; No errata)
Last updated: 2013-03-02
Stream: IETF
Stream WG state: (None)
Consensus: Unknown
Document shepherd: No shepherd assigned
IESG state: RFC 5374 (Proposed Standard)
Responsible AD: Tim Polk
Send notices to: msec-chairs@ietf.org, draft-ietf-msec-ipsec-extensions@ietf.org

Network Working Group                                            B. Weis
Request for Comments: 5374                                 Cisco Systems
Category: Standards Track                                       G. Gross
                                           Secure Multicast Networks LLC
                                                             D. Ignjatic
                                                                 Polycom
                                                           November 2008

                      Multicast Extensions to the
            Security Architecture for the Internet Protocol

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (c) 2008 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (http://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.

Abstract

   The Security Architecture for the Internet Protocol describes
   security services for traffic at the IP layer.  That architecture
   primarily defines services for Internet Protocol (IP) unicast
   packets.  This document describes how the IPsec security services are
   applied to IP multicast packets.  These extensions are relevant only
   for an IPsec implementation that supports multicast.

Weis, et al.                Standards Track                     [Page 1]
RFC 5374            Multicast Extensions to RFC 4301       November 2008

Table of Contents

   1. Introduction ....................................................3
      1.1. Scope ......................................................3
      1.2. Terminology ................................................4
   2. Overview of IP Multicast Operation ..............................6
   3. Security Association Modes ......................................7
      3.1. Tunnel Mode with Address Preservation ......................7
   4. Security Association ............................................8
      4.1. Major IPsec Databases ......................................8
           4.1.1. Group Security Policy Database (GSPD) ...............8
           4.1.2. Security Association Database (SAD) ................12
           4.1.3. Group Peer Authorization Database (GPAD) ...........12
      4.2. Group Security Association (GSA) ..........................14
           4.2.1. Concurrent IPsec SA Life Spans and Re-key Rollover .15
      4.3. Data Origin Authentication ................................17
      4.4. Group SA and Key Management ...............................18
           4.4.1. Co-Existence of Multiple Key Management Protocols ..18
   5. IP Traffic Processing ..........................................18
      5.1. Outbound IP Traffic Processing ............................18
      5.2. Inbound IP Traffic Processing .............................19
   6. Security Considerations ........................................22
      6.1. Security Issues Solved by IPsec Multicast Extensions ......22
      6.2. Security Issues Not Solved by IPsec Multicast Extensions ..23
           6.2.1. Outsider Attacks ...................................23
           6.2.2. Insider Attacks ....................................23
      6.3. Implementation or Deployment Issues that Impact Security ..24
           6.3.1. Homogeneous Group Cryptographic Algorithm
                  Capabilities .......................................24
           6.3.2. Groups that Span Two or More Security
                  Policy Domains .....................................24
           6.3.3. Source-Specific Multicast Group Sender
                  Transient Locators .................................25
   7. Acknowledgements ...............................................25
   8. References .....................................................25
      8.1. Normative References ......................................25
      8.2. Informative References ....................................26
   Appendix A - Multicast Application Service Models .................28
      A.1 Unidirectional Multicast Applications ......................28
      A.2 Bi-directional Reliable Multicast Applications .............28
      A.3 Any-To-Any Multicast Applications ..........................30