rfc9838.original   rfc9838.txt 
Network Working Group V. Smyslov Internet Engineering Task Force (IETF) V. Smyslov
Internet-Draft ELVIS-PLUS Request for Comments: 9838 ELVIS-PLUS
Obsoletes: 6407 (if approved) B. Weis Obsoletes: 6407 B. Weis
Intended status: Standards Track Independent Category: Standards Track Independent
Expires: 1 February 2026 31 July 2025 ISSN: 2070-1721 September 2025
Group Key Management using IKEv2 Group Key Management Using the Internet Key Exchange Protocol Version 2
draft-ietf-ipsecme-g-ikev2-23 (IKEv2)
Abstract Abstract
This document presents an extension to the Internet Key Exchange This document presents an extension to the Internet Key Exchange
version 2 (IKEv2) protocol for the purpose of a group key management. Protocol Version 2 (IKEv2) for the purpose of group key management.
The protocol is in conformance with the Multicast Security (MSEC) key The protocol is in conformance with the Multicast Security (MSEC) key
management architecture, which contains two components: member management architecture, which contains two components: member
registration and group rekeying. Both components are required for a registration and group rekeying. Both components are required for a
GCKS (Group Controller/Key Server) to provide authorized Group Group Controller/Key Server (GCKS) to provide authorized Group
Members (GMs) with IPsec group security associations. The group Members (GMs) with IPsec Group Security Associations (GSAs). The
members then exchange IP multicast or other group traffic as IPsec group members then exchange IP multicast or other group traffic as
packets. IPsec packets.
This document obsoletes RFC 6407. This document obsoletes RFC 6407.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This is an Internet Standards Track document.
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
This Internet-Draft will expire on 1 February 2026. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc9838.
Copyright Notice Copyright Notice
Copyright (c) 2025 IETF Trust and the persons identified as the Copyright (c) 2025 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents
license-info) in effect on the date of publication of this document. (https://trustee.ietf.org/license-info) in effect on the date of
Please review these documents carefully, as they describe your rights publication of this document. Please review these documents
and restrictions with respect to this document. Code Components carefully, as they describe your rights and restrictions with respect
extracted from this document must include Revised BSD License text as to this document. Code Components extracted from this document must
described in Section 4.e of the Trust Legal Provisions and are include Revised BSD License text as described in Section 4.e of the
provided without warranty as described in the Revised BSD License. Trust Legal Provisions and are provided without warranty as described
in the Revised BSD License.
Table of Contents Table of Contents
1. Introduction and Overview . . . . . . . . . . . . . . . . . . 4 1. Introduction and Overview
1.1. Requirements Notation . . . . . . . . . . . . . . . . . . 6 1.1. Requirements Notation
1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 6 1.2. Terminology
2. G-IKEv2 Protocol . . . . . . . . . . . . . . . . . . . . . . 8 2. G-IKEv2 Protocol
2.1. G-IKEv2 Integration into IKEv2 Protocol . . . . . . . . . 9 2.1. G-IKEv2 Integration into the IKEv2 Protocol
2.1.1. G-IKEv2 Transport and Port . . . . . . . . . . . . . 9 2.1.1. G-IKEv2 Transport and Port
2.2. G-IKEv2 Payloads . . . . . . . . . . . . . . . . . . . . 9 2.2. G-IKEv2 Payloads
2.3. G-IKEv2 Member Registration and Secure Channel 2.3. G-IKEv2 Member Registration and Secure Channel
Establishment . . . . . . . . . . . . . . . . . . . . . . 11 Establishment
2.3.1. GSA_AUTH Exchange . . . . . . . . . . . . . . . . . . 12 2.3.1. GSA_AUTH Exchange
2.3.2. GSA_REGISTRATION Exchange . . . . . . . . . . . . . . 13 2.3.2. GSA_REGISTRATION Exchange
2.3.3. GM Registration Operations . . . . . . . . . . . . . 14 2.3.3. GM Registration Operations
2.3.4. GCKS Registration Operations . . . . . . . . . . . . 17 2.3.4. GCKS Registration Operations
2.4. Group Maintenance Channel . . . . . . . . . . . . . . . . 19 2.4. Group Maintenance Channel
2.4.1. GSA_REKEY . . . . . . . . . . . . . . . . . . . . . . 20 2.4.1. GSA_REKEY
2.4.2. GSA_INBAND_REKEY Exchange . . . . . . . . . . . . . . 26 2.4.2. GSA_INBAND_REKEY Exchange
2.4.3. Deletion of SAs . . . . . . . . . . . . . . . . . . . 27 2.4.3. Deletion of SAs
2.5. Counter-based modes of operation . . . . . . . . . . . . 28 2.5. Counter-Based Modes of Operation
2.5.1. Allocation of Sender-ID . . . . . . . . . . . . . . . 28 2.5.1. Allocation of Sender-ID
2.5.2. GM Usage of Sender-ID . . . . . . . . . . . . . . . . 30 2.5.2. GM Usage of Sender-ID
2.6. Replay Protection for Multicast Data-Security SAs . . . . 30 2.6. Replay Protection for Multicast Data-Security SAs
2.7. Encryption Transforms with Implicit IV . . . . . . . . . 31 2.7. Encryption Transforms with Implicit IV
3. Group Key Management and Access Control . . . . . . . . . . . 31 3. Group Key Management and Access Control
3.1. Key Wrap Keys . . . . . . . . . . . . . . . . . . . . . . 31 3.1. Key Wrap Keys
3.1.1. Default Key Wrap Key . . . . . . . . . . . . . . . . 32 3.1.1. Default Key Wrap Key
3.2. GCKS Key Management Semantics . . . . . . . . . . . . . . 32 3.2. GCKS Key Management Semantics
3.2.1. Forward Access Control Requirements . . . . . . . . . 33 3.2.1. Forward Access Control Requirements
3.3. GM Key Management Semantics . . . . . . . . . . . . . . . 33 3.3. GM Key Management Semantics
3.4. SA Keys . . . . . . . . . . . . . . . . . . . . . . . . . 35 3.4. SA Keys
4. Header and Payload Formats . . . . . . . . . . . . . . . . . 36 4. Header and Payload Formats
4.1. G-IKEv2 Header . . . . . . . . . . . . . . . . . . . . . 36 4.1. G-IKEv2 Header
4.2. Group Identification Payload . . . . . . . . . . . . . . 36 4.2. Group Identification Payload
4.3. Security Association - GM Supported Transforms Payload . 36 4.3. Security Association - GM Supported Transforms Payload
4.4. Group Security Association Payload . . . . . . . . . . . 36 4.4. Group Security Association Payload
4.4.1. Group Policies . . . . . . . . . . . . . . . . . . . 37 4.4.1. Group Policies
4.4.2. Group Security Association Policy Substructure . . . 38 4.4.2. Group Security Association Policy Substructure
4.4.3. Group-wide Policy Substructure . . . . . . . . . . . 45 4.4.3. Group-Wide Policy Substructure
4.5. Key Download Payload
4.5. Key Download Payload . . . . . . . . . . . . . . . . . . 48 4.5.1. Key Bags
4.5.1. Key Bags . . . . . . . . . . . . . . . . . . . . . . 48 4.5.2. Group Key Bag Substructure
4.5.2. Group Key Bag Substructure . . . . . . . . . . . . . 49 4.5.3. Member Key Bag Substructure
4.5.3. Member Key Bag Substructure . . . . . . . . . . . . . 51 4.5.4. Key Wrapping
4.5.4. Key Wrapping . . . . . . . . . . . . . . . . . . . . 53 4.6. Delete Payload
4.6. Delete Payload . . . . . . . . . . . . . . . . . . . . . 55 4.7. Notify Payload
4.7. Notify Payload . . . . . . . . . . . . . . . . . . . . . 55 4.7.1. INVALID_GROUP_ID Notification
4.7.1. INVALID_GROUP_ID Notification . . . . . . . . . . . . 55 4.7.2. AUTHORIZATION_FAILED Notification
4.7.2. AUTHORIZATION_FAILED Notification . . . . . . . . . . 55 4.7.3. REGISTRATION_FAILED Notification
4.7.3. REGISTRATION_FAILED Notification . . . . . . . . . . 55 4.7.4. GROUP_SENDER Notification
4.7.4. GROUP_SENDER Notification . . . . . . . . . . . . . . 56 4.8. Authentication Payload
4.8. Authentication Payload . . . . . . . . . . . . . . . . . 56 5. Using G-IKEv2 Attributes
5. Using G-IKEv2 Attributes . . . . . . . . . . . . . . . . . . 56 6. Interaction with IKEv2 and ESP Extensions
6. Interaction with IKEv2 and ESP Extensions . . . . . . . . . . 60 6.1. Implicit IV for Counter-Based Ciphers in ESP
6.1. Implicit IV for Counter-Based Ciphers in ESP . . . . . . 60 6.2. Mixing Preshared Keys in IKEv2 for Post-Quantum Security
6.2. Mixing Preshared Keys in IKEv2 for Post-quantum 6.3. Aggregation and Fragmentation Mode for ESP
Security . . . . . . . . . . . . . . . . . . . . . . . . 60 7. GDOI Protocol Extensions
6.3. Aggregation and Fragmentation Mode for ESP . . . . . . . 61 8. Security Considerations
7. GDOI Protocol Extensions . . . . . . . . . . . . . . . . . . 61 8.1. GSA Registration and Secure Channel
8. Security Considerations . . . . . . . . . . . . . . . . . . . 61 8.2. GSA Maintenance Channel
8.1. GSA Registration and Secure Channel . . . . . . . . . . . 61 8.2.1. Authentication/Authorization
8.2. GSA Maintenance Channel . . . . . . . . . . . . . . . . . 62 8.2.2. Confidentiality
8.2.1. Authentication/Authorization . . . . . . . . . . . . 62 8.2.3. Man-in-the-Middle Attack Protection
8.2.2. Confidentiality . . . . . . . . . . . . . . . . . . . 62 8.2.4. Replay/Reflection Attack Protection
8.2.3. Man-in-the-Middle Attack Protection . . . . . . . . . 62 9. IANA Considerations
8.2.4. Replay/Reflection Attack Protection . . . . . . . . . 62 9.1. New Registries
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 62 9.1.1. Guidance for Designated Experts
9.1. Note for Reviewers . . . . . . . . . . . . . . . . . . . 63 9.2. Changes in the Existing IKEv2 Registries
9.2. New Registries . . . . . . . . . . . . . . . . . . . . . 63 10. References
9.2.1. Guidance for Designated Experts . . . . . . . . . . . 65 10.1. Normative References
9.3. Changes in the Existing IKEv2 Registries . . . . . . . . 65 10.2. Informative References
10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 67 Appendix A. Use of LKH in G-IKEv2
11. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 68 A.1. Notation
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 68 A.2. Group Creation
12.1. Normative References . . . . . . . . . . . . . . . . . . 68 A.3. Simple Group SA Rekey
12.2. Informative References . . . . . . . . . . . . . . . . . 69 A.4. Group Member Exclusion
Appendix A. Use of LKH in G-IKEv2 . . . . . . . . . . . . . . . 73 Acknowledgements
A.1. Notation . . . . . . . . . . . . . . . . . . . . . . . . 73 Contributors
A.2. Group Creation . . . . . . . . . . . . . . . . . . . . . 74 Authors' Addresses
A.3. Simple Group SA Rekey . . . . . . . . . . . . . . . . . . 75
A.4. Group Member Exclusion . . . . . . . . . . . . . . . . . 75
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 76
1. Introduction and Overview 1. Introduction and Overview
This document presents an extension to IKEv2 [RFC7296] called This document presents an extension to IKEv2 [RFC7296] called
G-IKEv2, which allows performing a group key management. A group key G-IKEv2, which allows performing group key management. A group key
management protocol provides IPsec keys and policy to a set of IPsec management protocol provides IPsec keys and policy to a set of IPsec
devices which are authorized to communicate using a Group Security devices that are authorized to communicate using a Group Security
Association (GSA) defined in Multicast Group Security Architecture Association (GSA) defined in Multicast Group Security Architecture
[RFC3740]. The data communications within the group (e.g., IP [RFC3740]. The data communications within the group (e.g., IP
multicast packets) are protected by a key pushed to the group members multicast packets) are protected by a key pushed to the Group Members
(GMs) by the Group Controller/Key Server (GCKS). (GMs) by the Group Controller/Key Server (GCKS).
G-IKEv2 conforms to the Multicast Group Security Architecture G-IKEv2 conforms to "The Multicast Group Security Architecture"
[RFC3740], Multicast Extensions to the Security Architecture for the [RFC3740], "Multicast Extensions to the Security Architecture for the
Internet Protocol [RFC5374] and the Multicast Security (MSEC) Group Internet Protocol" [RFC5374], and "Multicast Security (MSEC) Group
Key Management Architecture [RFC4046]. G-IKEv2 replaces GDOI Key Management Architecture" [RFC4046]. G-IKEv2 replaces "The Group
[RFC6407], which defines a similar group key management protocol Domain of Interpretation" [RFC6407], which defines a similar group
using IKEv1 [RFC2409] (since deprecated by IKEv2). When G-IKEv2 is key management protocol using IKEv1 [RFC2409] (since deprecated by
used, group key management use cases can benefit from the simplicity, IKEv2). When G-IKEv2 is used, group key management use cases can
increased robustness and cryptographic improvements of IKEv2 (see benefit from the simplicity, increased robustness, and cryptographic
Appendix A of [RFC7296]). improvements of IKEv2 (see Appendix A of [RFC7296]).
G-IKEv2 is composed of two phases: registration and rekeying. In the G-IKEv2 is composed of two phases: registration and rekeying. In the
registration phase a GM contacts a GCKS to register to a group and to registration phase, a GM contacts a GCKS to register to a group and
receive the necessary policy and the keying material to be able to receive the necessary policy and the keying material to be able
communicate with the other GMs in the group as well as with the GCKS. communicate with the other GMs in the group as well as with the GCKS.
The rekeying phase allows the GCKS to periodically renew the keying The rekeying phase allows the GCKS to periodically renew the keying
material for both GM-to-GM communications as well as for material for both GM-to-GM communications as well as for
communication between the GM and the GCKS. communication between the GM and the GCKS.
G-IKEv2 defines two ways to perform registration. When a GM first G-IKEv2 defines two ways to perform registration. When a GM first
contacts a GCKS it uses the GSA_AUTH exchange (Section 2.3.1) to contacts a GCKS, it uses the GSA_AUTH exchange (Section 2.3.1) to
register to a group. This exchange happens after the IKE_SA_INIT register to a group. This exchange happens after the IKE_SA_INIT
exchange (similarly to the IKE_AUTH exchange in IKEv2) and results in exchange (similarly to the IKE_AUTH exchange in IKEv2) and results in
establishing an IKE SA between the GM and the GCKS. During this establishing an IKE Security Association (SA) between the GM and the
exchange the GCKS authenticates and authorizes the GM, then pushes GCKS. During this exchange, the GCKS authenticates and authorizes
policy and keys used by the group to the GM. The second new exchange the GM and then pushes policy and keys used by the group to the GM.
type is the GSA_REGISTRATION exchange (Section 2.3.2), which a GM can The second new exchange type is the GSA_REGISTRATION exchange
use within the already established IKE SA with the GCKS (e.g. for (Section 2.3.2), which can be used by the GM within the already-
registering to another group). established IKE SA with the GCKS (e.g., for registering to another
group).
Refreshing the group keys can be performed either in an unicast mode Refreshing the group keys can be performed either in a unicast mode
via the GSA_INBAND_REKEY exchange (Section 2.4.2) performed over a via the GSA_INBAND_REKEY exchange (Section 2.4.2) performed over a
specific IKE SA between a GM and a GCKS or in a multicast mode with specific IKE SA between a GM and a GCKS or in a multicast mode with
the GSA_REKEY pseudo exchange (Section 2.4.1), when new keys are the GSA_REKEY pseudo exchange (Section 2.4.1) when new keys are being
being distributed to all GMs. distributed to all GMs.
Large and small groups may use different sets of these mechanisms. Large and small groups may use different sets of these mechanisms.
When a large group of devices are communicating, the GCKS is likely When a large group of devices are communicating, the GCKS is likely
to use the GSA_REKEY message for efficiency. This is shown in to use the GSA_REKEY message for efficiency. This is shown in
Figure 1, where multicast communications indicated with a double Figure 1, where multicast communications are indicated with a double
line. (Note: For clarity, IKE_SA_INIT is omitted from Figure 1 and line. (Note: For clarity, IKE_SA_INIT is omitted from Figures 1 and
Figure 2). 2.)
+--------+ +--------+
+----IKEv2---->| GCKS |<----IKEv2----+ +----IKEv2---->| GCKS |<----IKEv2----+
| +--------+ | | +--------+ |
| || ^ | | || ^ |
| || | | | || | |
| || GSA_AUTH | | || GSA_AUTH |
| || or | | || or |
| || GSA_REGISTRATION | | || GSA_REGISTRATION |
| || | | | || | |
GSA_AUTH || IKEv2 GSA_AUTH GSA_AUTH || IKEv2 GSA_AUTH
or || | or or || | or
GSA_REGISTRATION GSA_REKEY | GSA_REGISTRATION GSA_REGISTRATION GSA_REKEY | GSA_REGISTRATION
| || | | | || | |
| *==========**================* | | *==========**================* |
| || || | || | | || || | || |
v \/ \/ v \/ v v \/ \/ v \/ v
+-------+ +--------+ +-------+ +-------+ +--------+ +-------+
| GM | ... | GM | ... | GM | | GM | ... | GM | ... | GM |
+-------+ +--------+ +-------+ +-------+ +--------+ +-------+
|| || || || || ||
*=====ESP/AH=====**=====ESP/AH====* *=====ESP/AH=====**=====ESP/AH====*
Figure 1: G-IKEv2 used in large groups Figure 1: G-IKEv2 Used in Large Groups
Alternatively, a small group may simply use the GSA_AUTH or Alternatively, a small group may simply use the GSA_AUTH or
GSA_REGISTRATION as registration protocols, where the GCKS issues GSA_REGISTRATION as registration protocols, where the GCKS issues
rekeys using the GSA_INBAND_REKEY within the same IKE SA. rekeys using the GSA_INBAND_REKEY within the same IKE SA.
GSA_AUTH or GSA_REGISTRATION, GSA_INBAND_REKEY GSA_AUTH or GSA_REGISTRATION, GSA_INBAND_REKEY
+--------------------IKEv2----------------------+ +--------------------IKEv2----------------------+
| | | |
| GSA_AUTH or GSA_REGISTRATION, | | GSA_AUTH or GSA_REGISTRATION, |
| GSA_INBAND_REKEY | | GSA_INBAND_REKEY |
| +-----------IKEv2-------------+ | | +-----------IKEv2-------------+ |
| | | | | | | |
| |GSA_AUTH or GSA_REGISTRATION,| | | |GSA_AUTH or GSA_REGISTRATION,| |
| | GSA_INBAND_REKEY | | | | GSA_INBAND_REKEY | |
| | +--IKEv2-+ | | | | +--IKEv2-+ | |
v v v v v v v v v v v v
+---------+ +----+ +----+ +----+ +---------+ +----+ +----+ +----+
| GCKS/GM | | GM | | GM | | GM | | GCKS/GM | | GM | | GM | | GM |
+---------+ +----+ +----+ +----+ +---------+ +----+ +----+ +----+
|| || || || || || || ||
*==ESP/AH==**=====ESP/AH====**===ESP/AH===* *==ESP/AH==**=====ESP/AH====**===ESP/AH===*
Figure 2: G-IKEv2 used in small groups Figure 2: G-IKEv2 Used in Small Groups
A combination of these approaches is also possible. For example, the A combination of these approaches is also possible. For example, the
GCKS may use more robust GSA_INBAND_REKEY to provide keys for some GCKS may use more robust GSA_INBAND_REKEY to provide keys for some
GMs (for example, those acting as senders in the group) and GSA_REKEY GMs (for example, those acting as senders in the group) and GSA_REKEY
for the rest. Note also, that GCKS may also be a GM (as shown in for the rest. Also note that GCKS may be a GM (as shown in
Figure 2). Figure 2).
IKEv2 message semantics are preserved in that all communications IKEv2 message semantics are preserved in that all communications
consists of message request-response pairs. The exception to this consist of message request-response pairs. The exception to this
rule is the GSA_REKEY pseudo-exchange, which is a single message rule is the GSA_REKEY pseudo-exchange, which is a single message
delivering group updates to the GMs. delivering group updates to the GMs.
1.1. Requirements Notation 1.1. Requirements Notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in
14 [RFC2119] [RFC8174] when, and only when, they appear in all BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
1.2. Terminology 1.2. Terminology
It is assumed that readers are familiar with the IPsec architecture It is assumed that readers are familiar with the IPsec architecture
[RFC4301], and its extension for multicast [RFC5374]. This document [RFC4301] and its extension for multicast [RFC5374]. This document
defines an extension to the IKEv2 protocol [RFC7296] and skips many defines an extension to the IKEv2 protocol [RFC7296] and skips many
its details. The notation and conventions from [RFC7296] are used of its details. The notation and conventions from [RFC7296] are used
for describing G-IKEv2 payloads and exchanges. for describing G-IKEv2 payloads and exchanges.
The following key terms are used throughout this document (mostly The following key terms are used throughout this document (mostly
borrowed from Multicast Group Security Architecture [RFC3740], borrowed from [RFC3740], [RFC5374], and [RFC6407]).
Multicast Extensions to the Security Architecture [RFC5374] and GDOI
[RFC6407]).
Group Group:
A set of IPsec devices that communicate to each other using A set of IPsec devices that communicate to each other using
multicast. multicast.
Group Member (GM) Group Member (GM):
An IPsec device that belongs to a group. A Group Member is An IPsec device that belongs to a group. A Group Member is
authorized to be a Group Sender and/or a Group Receiver. authorized to be a Group Sender and/or a Group Receiver.
Group Receiver Group Receiver:
A Group Member that is authorized to receive packets sent to a A Group Member that is authorized to receive packets sent to a
group by a Group Sender. group by a Group Sender.
Group Sender Group Sender:
A Group Member that is authorized to send packets to a group. A Group Member that is authorized to send packets to a group.
Group Key Management (GKM) Protocol Group Key Management (GKM) Protocol:
A key management protocol used by a GCKS to distribute IPsec A key management protocol used by a GCKS to distribute IPsec
Security Association policy and keying material. A GKM protocol Security Association policy and keying material. A GKM protocol
is needed because a group of IPsec devices require the same SAs. is needed because a group of IPsec devices require the same SAs.
For example, when an IPsec SA describes an IP multicast For example, when an IPsec SA describes an IP multicast
destination, the sender and all receivers need to have the group destination, the sender and all receivers need to have the group
SA. SA.
Group Controller/Key Server (GCKS) Group Controller/Key Server (GCKS):
A Group Key Management (GKM) protocol server that manages IPsec A Group Key Management (GKM) protocol server that manages IPsec
state for a group. A GCKS authenticates and provides the IPsec SA state for a group. A GCKS authenticates and provides the IPsec SA
policy and keying material to GMs. policy and keying material to GMs.
Data-Security SA Data-Security SA:
A multicast SA between each multicast sender and the group's A multicast SA between each multicast sender and the group's
receivers. The Data-Security SA protects data between member receivers. The Data-Security SA protects data between member
senders and member receivers. One or more SAs are required for senders and member receivers. One or more SAs are required for
the multicast transmission of data-messages from the Group Sender the multicast transmission of data messages from the Group Sender
to other group members. This specification relies on ESP and AH to other group members. This specification relies on
as protocols for Data-Security SAs. Encapsulating Security Payload (ESP) and Authentication Header
(AH) as protocols for Data-Security SAs.
Rekey SA Rekey SA:
A single multicast SA between the GCKS and all of the group A single multicast SA between the GCKS and all of the group
members. This SA is used for multicast transmission of key members. This SA is used for multicast transmission of key
management messages from the GCKS to all GMs. management messages from the GCKS to all GMs.
Group Security Association (GSA) Group Security Association (GSA):
A collection of Data-Security SAs and Rekey SA necessary for a A collection of Data-Security SAs and Rekey SAs necessary for a
Group Member to receive key updates. A GSA describes the working Group Member to receive key updates. A GSA describes the working
policy for a group. Refer to MSEC Group Key Management policy for a group. Refer to the MSEC Group Key Management
Architecture [RFC4046] for additional information. Architecture [RFC4046] for additional information.
Traffic Encryption Key (TEK) Traffic Encryption Key (TEK):
The symmetric cipher key used in a Data-Security SA (e.g., IPsec The symmetric cipher key used in a Data-Security SA (e.g., IPsec
ESP) to protect traffic. ESP) to protect traffic.
Key Encryption Key (KEK) Key Encryption Key (KEK):
The symmetric key (or a set of keys) used in a Rekey SA to protect The symmetric key (or a set of keys) used in a Rekey SA to protect
its messages. The set of keys may include keys for encryption and its messages. The set of keys may include keys for encryption and
authentication, as well as keys for key wrapping. authentication, as well as keys for key wrapping.
Key Wrap Key (KWK) Key Wrap Key (KWK):
The symmetric cipher key used to protect another key. The symmetric cipher key used to protect another key.
Group-wide (GW) policy Group-wide (GW) policy:
Group policy not related to a particular SA. Group policy not related to a particular SA.
Activation Time Delay (ATD) Activation Time Delay (ATD):
Defines how long Group Senders should wait after receiving new SAs Defines how long Group Senders should wait after receiving new SAs
before starting sending traffic over them. before sending traffic over them.
Deactivation Time Delay (DTD) Deactivation Time Delay (DTD):
Defines how long Group Members should wait after receiving a Defines how long Group Members should wait after receiving a
request to delete Data-Security SAs before actually deleting them. request to delete Data-Security SAs before actually deleting them.
Sender-ID Sender-ID:
A unique identifier of a Group Sender in the context of an active A unique identifier of a Group Sender in the context of an active
GSA, used to form Initialization Vector (IV) in counter-based GSA used to form the Initialization Vector (IV) in counter-based
cipher modes. cipher modes.
Logical Key Hierarchy (LKH) Logical Key Hierarchy (LKH):
A group management method defined in Section 5.4 of Key Management A group management method defined in Section 5.4 of [RFC2627].
for Multicast [RFC2627].
2. G-IKEv2 Protocol 2. G-IKEv2 Protocol
G-IKEv2 is an extension to the IKEv2 protocol [RFC7296] that provides G-IKEv2 is an extension to the IKEv2 protocol [RFC7296] that provides
group authorization, secure policy and keys download from the GCKS to group authorization, secure policy, and keys download from the GCKS
GMs. to GMs.
2.1. G-IKEv2 Integration into IKEv2 Protocol 2.1. G-IKEv2 Integration into the IKEv2 Protocol
G-IKEv2 is compatible with most IKEv2 extensions defined so far (see G-IKEv2 is compatible with most IKEv2 extensions defined so far (see
Section 6 for details). In particular, it is assumed that, if Section 6 for details). In particular, it is assumed that, if
necessary, the IKE_INTERMEDIATE exchanges [RFC9242] may be utilized necessary, the IKE_INTERMEDIATE exchanges [RFC9242] may be utilized
while establishing the registration SA. It is also believed that while establishing the registration SA. It is also believed that
future IKEv2 extensions will be possible to use with G-IKEv2, future IKEv2 extensions will be possible to use with G-IKEv2.
however, some IKEv2 extensions may require special handling when used However, some IKEv2 extensions may require special handling when used
with G-IKEv2. with G-IKEv2.
2.1.1. G-IKEv2 Transport and Port 2.1.1. G-IKEv2 Transport and Port
As IKEv2 extension, G-IKEv2 SHOULD use the IKEv2 ports (500, 4500). As an IKEv2 extension, G-IKEv2 SHOULD use the IKEv2 ports (500,
G-IKEv2 MAY also use TCP transport for registration (unicast) IKE SA, 4500). G-IKEv2 MAY also use TCP transport for registration (unicast)
as defined in TCP Encapsulation of IKEv2 and IPsec [RFC9329]. IKE SA, as defined in TCP Encapsulation of IKEv2 and IPsec [RFC9329].
G-IKEv2 MAY also use UDP port 848, the same as GDOI [RFC6407], G-IKEv2 MAY also use UDP port 848, the same as Group Domain of
because they serve a similar function. The version number in the IKE Interpretation (GDOI) [RFC6407], because they serve a similar
header distinguishes the G-IKEv2 protocol from GDOI protocol function. The version number in the IKE header distinguishes the
[RFC6407]. G-IKEv2 protocol from the GDOI protocol [RFC6407].
Section 2.23 of IKEv2 [RFC7296] describes how IKEv2 supports paths Section 2.23 of [RFC7296] describes how IKEv2 supports paths with
with NATs. G-IKEv2 registration SA doesn't create any unicast IPsec NATs. The G-IKEv2 registration SA doesn't create any unicast IPsec
SAs, thus if a NAT is present between the GM and the GCKS, there is SAs; thus, if a NAT is present between the GM and the GCKS, there is
no unicast ESP traffic to encapsulate in UDP. However, the actions no unicast ESP traffic to encapsulate in UDP. However, the actions
described in this section regarding the IKE SA MUST be honored. The described in this section regarding the IKE SA MUST be honored. The
behavior of GMs and GCKS MUST NOT depend on the port used to create behavior of GMs and GCKS MUST NOT depend on the port used to create
the initial IKE SA. For example, if the GM and the GCKS used UDP the initial IKE SA. For example, if the GM and the GCKS used UDP
port 848 for the IKE_SA_INIT exchange, they will operate the same as port 848 for the IKE_SA_INIT exchange, they will operate the same as
if they had used UDP port 500. if they had used UDP port 500.
2.2. G-IKEv2 Payloads 2.2. G-IKEv2 Payloads
In the following descriptions, the payloads contained in the G-IKEv2 In the following descriptions, the payloads contained in the G-IKEv2
skipping to change at page 10, line 42 skipping to change at line 422
| N | Notify | [RFC7296] | | N | Notify | [RFC7296] |
+----------+----------------------------+-------------+ +----------+----------------------------+-------------+
| SA | Security Association | [RFC7296] | | SA | Security Association | [RFC7296] |
+----------+----------------------------+-------------+ +----------+----------------------------+-------------+
| SAg | Security Association - GM | Section 4.3 | | SAg | Security Association - GM | Section 4.3 |
| | Supported Transforms | | | | Supported Transforms | |
+----------+----------------------------+-------------+ +----------+----------------------------+-------------+
| SK | Encrypted | [RFC7296] | | SK | Encrypted | [RFC7296] |
+----------+----------------------------+-------------+ +----------+----------------------------+-------------+
Table 1: Payloads used in G-IKEv2 Table 1: Payloads Used in G-IKEv2
Payloads defined as part of other IKEv2 extensions MAY also be Payloads defined as part of other IKEv2 extensions MAY also be
included in these messages. Payloads that may optionally appear in included in these messages. Payloads that may optionally appear in
G-IKEv2 messages will be shown in brackets, such as [CERTREQ]. G-IKEv2 messages will be shown in brackets, such as [CERTREQ].
G-IKEv2 defines several new payloads not used in IKEv2: G-IKEv2 defines several new payloads not used in IKEv2:
* IDg (Group ID) -- The GM requests the GCKS for membership into the Group ID (IDg):
group by sending its IDg payload. The GM requests the GCKS for membership into the group by sending
its IDg payload.
* SAg (Security Association -- GM Supported Transforms) -- the GM Security Association - GM Supported Transforms (SAg):
optionally sends supported transforms, so that GCKS may select a The GM optionally sends supported transforms so that GCKS may
policy appropriate for all members of the group (which is not select a policy appropriate for all members of the group (which is
negotiated, unlike SA parameters in IKEv2). not negotiated, unlike SA parameters in IKEv2).
* GSA (Group Security Association) -- The GCKS sends the group Group Security Association (GSA):
policy to the GM using this payload. The GCKS sends the group policy to the GM using this payload.
* KD (Key Download) -- The GCKS sends the keys and the security Key Download (KD):
parameters to the GMs using this payload. The GCKS sends the keys and the security parameters to the GMs
using this payload.
The details of the contents of each payload are described in The details of the contents of each payload are described in
Section 4. Section 4.
2.3. G-IKEv2 Member Registration and Secure Channel Establishment 2.3. G-IKEv2 Member Registration and Secure Channel Establishment
Initial registration is combined with establishing a secure Initial registration is combined with establishing a secure
connection between the entity seeking registration and the GCKS. connection between the entity seeking registration and the GCKS.
This process consists of a minimum of two exchanges, IKE_SA_INIT and This process consists of a minimum of two exchanges, IKE_SA_INIT and
GSA_AUTH; member registration may have a few more messages exchanged GSA_AUTH; member registration may have a few more messages exchanged
if the EAP method, cookie challenge (for DoS protection), negotiation if the Extensible Authentication Protocol (EAP) method, cookie
of key exchange method or IKEv2 extensions based on the IKEv2 challenge (for DoS protection), negotiation of key exchange method,
Intermediate exchange [RFC9242] are used. Each exchange consists of or IKEv2 extensions based on the IKEv2 Intermediate Exchange
request/response pairs. The first exchange IKE_SA_INIT is defined in [RFC9242] are used. Each exchange consists of request/response
IKEv2 [RFC7296]. This exchange negotiates cryptographic algorithms, pairs. The first exchange, called IKE_SA_INIT, is defined in IKEv2
exchanges nonces and computes a shared key between the GM and the [RFC7296]. This exchange negotiates cryptographic algorithms,
exchanges nonces, and computes a shared key between the GM and the
GCKS. In addition to the cryptographic algorithms negotiated for use GCKS. In addition to the cryptographic algorithms negotiated for use
in IKEv2 SA, a key wrap algorithm is also negotiated in this exchange in IKEv2 SA, a key wrap algorithm is also negotiated in this exchange
by means of a new "Key Wrap Algorithm" transform. See Section 4.5.4 by means of a new "Key Wrap Algorithm" transform. See Section 4.5.4
for details. for details.
The second exchange called GSA_AUTH is similar to the IKEv2 IKE_AUTH The second exchange, called GSA_AUTH, is similar to the IKEv2
exchange [RFC7296]. It authenticates the previously exchanged IKE_AUTH exchange [RFC7296]. It authenticates the previously
messages, exchanges identities and certificates. The GSA_AUTH exchanged messages and exchanges identities and certificates. The
messages are encrypted and integrity protected with keys established GSA_AUTH messages are encrypted and integrity protected with keys
through the previous exchanges, so the identities are hidden from established through the previous exchanges, so the identities are
eavesdroppers and all fields in all the messages are authenticated. hidden from eavesdroppers and all fields in all the messages are
The GCKS authorizes group members to be allowed into the group as authenticated. The GCKS authorizes group members to be allowed into
part of the GSA_AUTH exchange. Once the GCKS accepts a GM to join a the group as part of the GSA_AUTH exchange. Once the GCKS accepts a
group it will provide the GM with the data-security keys (TEKs) and/ GM to join a group, it will provide the GM with the data-security
or group key encrypting key (KEK) as part of the GSA_AUTH response keys (TEKs) and/or a group key encrypting key (KEK) as part of the
message. GSA_AUTH response message.
The established secure channel between the GM and the GCKS is in fact The established secure channel between the GM and the GCKS is in fact
IKE SA (as defined in [RFC7296]) and is referred to as such IKE SA (as defined in [RFC7296]) and is referred to as such
throughout this document. However, it is NOT RECOMMENDED to use this throughout this document. However, it is NOT RECOMMENDED to use this
IKE SA for the purpose of creating unicast Child SAs between the GM IKE SA for the purpose of creating unicast Child SAs between the GM
and the GCKS, since authentication requirements for group admission and the GCKS since authentication requirements for group admission
and for unicast communication may differ. In addition, the lifecycle and for unicast communication may differ. In addition, the life
of this IKE SA is determined by the GCKS and this SA can be deleted cycle of this IKE SA is determined by the GCKS and this SA can be
at any time. deleted at any time.
2.3.1. GSA_AUTH Exchange 2.3.1. GSA_AUTH Exchange
The GSA_AUTH exchange is used to authenticate the previous exchanges, The GSA_AUTH exchange is used to authenticate the previous exchanges
exchange identities and certificates. G-IKEv2 also uses this and exchange identities and certificates. G-IKEv2 also uses this
exchange for group member registration and authorization. exchange for group member registration and authorization.
The GSA_AUTH exchange is similar to the IKE_AUTH exchange with the The GSA_AUTH exchange is similar to the IKE_AUTH exchange with the
difference that its goal is to establish multicast Data-Security difference that its goal is to establish a multicast Data-Security
SA(s) and optionally provide GM with the keys for Rekey SA. The set SA(s) and optionally provide GM with the keys for a Rekey SA. The
of payloads in the GSA_AUTH exchange is slightly different, because set of payloads in the GSA_AUTH exchange is slightly different
policy is not negotiated between the group member and the GCKS, but because policy is not negotiated between the group member and the
instead provided by the GCKS for the GM. Note also, that GSA_AUTH GCKS; instead, it is provided by the GCKS for the GM. Also note that
has its own exchange type, which is different from the IKE_AUTH GSA_AUTH has its own exchange type, which is different from the
exchange type. IKE_AUTH exchange type.
Note, that due to the similarities between IKE_AUTH and GSA_AUTH, Note that due to the similarities between IKE_AUTH and GSA_AUTH, most
most IKEv2 extensions to the IKE_AUTH exchange (like Secure Password IKEv2 extensions to the IKE_AUTH exchange (like secure password
authentication [RFC6467]) can also be used with the GSA_AUTH authentication [RFC6467]) can also be used with the GSA_AUTH
exchange. exchange.
Initiator (GM) Responder (GCKS) Initiator (GM) Responder (GCKS)
-------------------- ------------------ -------------------- ------------------
HDR, SK{IDi, [CERT,] [CERTREQ,] [IDr,] HDR, SK{IDi, [CERT,] [CERTREQ,] [IDr,]
AUTH, IDg, [SAg,] [N(GROUP_SENDER),] [N]} --> AUTH, IDg, [SAg,] [N(GROUP_SENDER),] [N]} -->
Figure 3: GSA_AUTH Request Figure 3: GSA_AUTH Request
skipping to change at page 13, line 10 skipping to change at line 534
<-- HDR, SK{IDr, [CERT,] <-- HDR, SK{IDr, [CERT,]
AUTH, GSA, KD, [N]} AUTH, GSA, KD, [N]}
Figure 4: GSA_AUTH Normal Response Figure 4: GSA_AUTH Normal Response
The GCKS responds with IDr, optional CERT, and AUTH payloads with the The GCKS responds with IDr, optional CERT, and AUTH payloads with the
same meaning as in IKE_AUTH. It also informs the group member of the same meaning as in IKE_AUTH. It also informs the group member of the
cryptographic policies of the group in the GSA payload and the key cryptographic policies of the group in the GSA payload and the key
material in the KD payload. material in the KD payload.
Possible erors should be handled in accordance with Section 2.21.2 of Possible errors should be handled in accordance with Section 2.21.2
[RFC7296]. In addition to the IKEv2 error handling, the GCKS can of [RFC7296]. In addition to the IKEv2 error handling, the GCKS can
reject the registration request when the IDg is invalid or reject the registration request when the IDg is invalid or
authorization fails, etc. In these cases, see Section 4.7, the authorization fails, etc. In these cases (see Section 4.7), the
GSA_AUTH response will not include the GSA and KD, but will include a GSA_AUTH response will not include the GSA and KD but will include a
Notify payload indicating errors. If a GM included an SAg payload, Notify payload indicating errors. If a GM included an SAg payload
and the GCKS chooses to evaluate it, and the GCKS detects that the and the GCKS chooses to evaluate it and detects that the group member
group member cannot support the security policy defined for the cannot support the security policy defined for the group, then the
group, then the GCKS returns the NO_PROPOSAL_CHOSEN notification. GCKS returns the NO_PROPOSAL_CHOSEN notification. Other types of
Other types of error notifications can be INVALID_GROUP_ID, error notifications can be INVALID_GROUP_ID, AUTHORIZATION_FAILED, or
AUTHORIZATION_FAILED or REGISTRATION_FAILED. REGISTRATION_FAILED.
Initiator (GM) Responder (GCKS) Initiator (GM) Responder (GCKS)
-------------------- ------------------ -------------------- ------------------
<-- HDR, SK{IDr, [CERT,] AUTH, N} <-- HDR, SK{IDr, [CERT,] AUTH, N}
Figure 5: GSA_AUTH Error Response for Group-Related Errors Figure 5: GSA_AUTH Error Response for Group-Related Errors
If the GSA_AUTH exchange is completed successfully, but the group If the GSA_AUTH exchange is completed successfully but the group
member finds the policy sent by the GCKS is unacceptable, the member member finds that the policy sent by the GCKS is unacceptable, the
SHOULD inform the GCKS about this by initiating the GSA_REGISTRATION member SHOULD inform the GCKS about this by initiating the
exchange with the IDg payload and the NO_PROPOSAL_CHOSEN notification GSA_REGISTRATION exchange with the IDg payload and the
(see Figure 8). NO_PROPOSAL_CHOSEN notification (see Figure 8).
2.3.2. GSA_REGISTRATION Exchange 2.3.2. GSA_REGISTRATION Exchange
Once the IKE SA between the GM and the GCKS is established, the GM Once the IKE SA between the GM and the GCKS is established, the GM
can use it for other registration requests, if this is needed. In can use it for other registration requests if needed. In this
this scenario the GM will use the GSA_REGISTRATION exchange. scenario, the GM will use the GSA_REGISTRATION exchange. Payloads in
Payloads in the exchange are generated and processed as defined in the exchange are generated and processed as defined in Section 2.3.1.
Section 2.3.1.
Initiator (GM) Responder (GCKS) Initiator (GM) Responder (GCKS)
-------------------- ------------------ -------------------- ------------------
HDR, SK{IDg, [SAg,] HDR, SK{IDg, [SAg,]
[N(GROUP_SENDER),] [N]} --> [N(GROUP_SENDER),] [N]} -->
<-- HDR, SK{GSA, KD, [N]} <-- HDR, SK{GSA, KD, [N]}
Figure 6: GSA_REGISTRATION Normal Exchange Figure 6: GSA_REGISTRATION Normal Exchange
As with GSA_AUTH exchange, the GCKS can reject the registration As with GSA_AUTH exchange, the GCKS can reject the registration
request when the IDg is invalid or authorization fails, or GM cannot request when the IDg is invalid or authorization fails, or GM cannot
support the security policy defined for the group (which can be support the security policy defined for the group (which can be
concluded by GCKS by evaluation of SAg payload). In this case the concluded by the GCKS by evaluation of the SAg payload). In this
GCKS returns an appropriate error notification as described in case, the GCKS returns an appropriate error notification as described
Section 2.3.1. in Section 2.3.1.
Initiator (GM) Responder (GCKS) Initiator (GM) Responder (GCKS)
-------------------- ------------------ -------------------- ------------------
HDR, SK{IDg, [SAg,] HDR, SK{IDg, [SAg,]
[N(GROUP_SENDER),] [N]} --> [N(GROUP_SENDER),] [N]} -->
<-- HDR, SK{N} <-- HDR, SK{N}
Figure 7: GSA_REGISTRATION Error Exchange Figure 7: GSA_REGISTRATION Error Exchange
This exchange can also be used if the group member finds the policy This exchange can also be used if the group member finds that the
sent by the GCKS is unacceptable or for some reason wants to leave policy sent by the GCKS is unacceptable or wants to leave the group
the group. The group member SHOULD notify the GCKS by sending IDg for some reason. The group member SHOULD notify the GCKS by sending
and the Notify type NO_PROPOSAL_CHOSEN or REGISTRATION_FAILED, as IDg and the Notify type NO_PROPOSAL_CHOSEN or REGISTRATION_FAILED as
shown below. The GCKS in this case MUST remove the GM from the group shown below. In this case, the GCKS MUST remove the GM from the
IDg. group IDg.
Initiator (GM) Responder (GCKS) Initiator (GM) Responder (GCKS)
-------------------- ------------------ -------------------- ------------------
HDR, SK{IDg, N} --> HDR, SK{IDg, N} -->
<-- HDR, SK{} <-- HDR, SK{}
Figure 8: GM Reporting Errors in GSA_REGISTRATION Exchange Figure 8: GM Reporting Errors in GSA_REGISTRATION Exchange
2.3.3. GM Registration Operations 2.3.3. GM Registration Operations
A GM requesting registration contacts the GCKS using the IKE_SA_INIT A GM requesting registration contacts the GCKS using the IKE_SA_INIT
exchange. This exchange is unchanged from IKE_SA_INIT in the IKEv2 exchange. This exchange is unchanged from IKE_SA_INIT in the IKEv2
protocol. The IKE_SA_INIT exchange may optionally be followed by one protocol. The IKE_SA_INIT exchange may optionally be followed by one
or more the IKE_INTERMEDIATE exchanges if the GM and the GCKS or more of the IKE_INTERMEDIATE exchanges if the GM and the GCKS
negotiated use of IKEv2 extensions based on this exchange. negotiated use of IKEv2 extensions based on this exchange.
Next the GM sends the GSA_AUTH request message with the IKEv2 Next, the GM sends the GSA_AUTH request message with the IKEv2
payloads from IKE_AUTH (without the SAi2, TSi and TSr payloads) along payloads from IKE_AUTH (without the SAi2, TSi, and TSr payloads)
with the Group ID informing the GCKS of the group the GM wishes to along with the Group ID informing the GCKS of the group the GM wishes
join. An GM intending to emit data traffic MUST send a GROUP_SENDER to join. A GM intending to emit data traffic MUST send a
Notify message type. The GROUP_SENDER notification not only GROUP_SENDER Notify message type. The GROUP_SENDER notification not
signifies that it is a sender, but provides the GM the ability to only signifies that it is a sender but provides the GM the ability to
request Sender-ID values, in case the Data-Security SA supports a request Sender-ID values in case the Data-Security SA supports a
counter mode cipher. Section 2.5.1 includes guidance on requesting counter-mode cipher. Section 2.5.1 includes guidance on requesting
Sender-ID values. Sender-ID values.
A GM may be limited in the Transforms IDs that it is able or willing A GM may be limited in the Transforms IDs that it is able or willing
to use, and may find it useful to inform the GCKS which Transform IDs to use and may find it useful to inform the GCKS which Transform IDs
it is willing to accept for different security protocols by including it is willing to accept for different security protocols by including
the SAg payload into the request message. Proposals for Rekey SA and the SAg payload into the request message. Proposals for Rekey SA and
for Data-Security (AH [RFC4302] and/or ESP [RFC4303]) SAs may be for Data-Security (AH [RFC4302] and/or ESP [RFC4303]) SAs may be
included into SAg. Proposals for Rekey SA are identified by a new included into SAg. Proposals for Rekey SA are identified by new
Protocol ID GIKE_UPDATE with the value <TBA by IANA>. Each Proposal Protocol ID GIKE_UPDATE with the value 6. Each Proposal contains a
contains a list of Transforms that the GM is able and willing to list of Transforms that the GM is able and willing to support for
support for that protocol. Valid transform types depend on the that protocol. Valid transform types depend on the protocol (AH,
protocol (AH, ESP, GIKE_UPDATE) and are defined in Figure 16. Other ESP, GIKE_UPDATE) and are defined in Table 2. Other transform types
transform types SHOULD NOT be included as they will be ignored by the SHOULD NOT be included as they will be ignored by the GCKS. The
GCKS. The SPI length of each Proposal in an SAg is set to zero, and Security Parameter Index (SPI) length of each Proposal in an SAg is
thus the SPI field is empty. The GCKS MUST NOT use SPI length and set to zero, and thus the SPI field is empty. The GCKS MUST NOT use
SPI fields in the SAg payload. SPI length and SPI fields in the SAg payload.
Generally, a single Proposal for each protocol (GIKE_UPDATE, AH/ESP) Generally, a single Proposal for each protocol (GIKE_UPDATE, AH/ESP)
will suffice, because the transforms are not negotiated, the GM will suffice. Because the transforms are not negotiated, the GM
simply alerts the GCKS to restrictions it may have. In particular, simply alerts the GCKS to restrictions it may have. In particular,
the restriction from Section 3.3 of IKEv2 [RFC7296] that AEAD and the restriction from Section 3.3 of [RFC7296] that Authenticated
non-AEAD transforms not be combined in a single proposal doesn't hold Encryption with Associated Data (AEAD) and non-AEAD transforms not be
when the SAg payload is being formed. However if the GM has combined in a single proposal doesn't hold when the SAg payload is
restrictions on combination of algorithms, this can be expressed by being formed. However, if the GM has restrictions on the combination
sending several proposals. of algorithms, this can be expressed by sending several proposals.
Proposal Num field in Proposal substructure is treated specially in The Proposal Num field in the Proposal substructure is treated
SAg payload: it allows a GM to indicate that algorithms used in Rekey specially in the SAg payload: it allows a GM to indicate that
SA and in Data-Security (AH and/or ESP) SAs are dependent. In algorithms used in Rekey SA and in Data-Security (AH and/or ESP) SAs
particular, Proposals for different protocols having the same value are dependent. In particular, Proposals for different protocols
in Proposal Num field are treated as a set, so that if GCKS uses having the same value in the Proposal Num field are treated as a set
transforms from one of such Proposal for one protocol, then it MUST so that if GCKS uses transforms from one of such Proposal for one
only use transforms from one of the Proposals with the same value in protocol, then it MUST only use transforms from one of the Proposals
Proposal Num field for other protocols. For example, a GM may with the same value in the Proposal Num field for other protocols.
support algorithms X and Y for both Rekey and Data-Security SAs, but For example, a GM may support algorithms X and Y for both Rekey and
with a restriction that if X is used in Rekey SA, then only X can be Data-Security SAs, but with a restriction that if X is used in Rekey
used in Data-Security SAs, and the same for Y. Use of the same value SAs, then only X can be used in Data-Security SAs, and the same for
in the Proposal Num field of different proposals indicates that the Y. Use of the same value in the Proposal Num field of different
GM expects these proposals to be used in conjunction with each other. proposals indicates that the GM expects these proposals to be used in
In the simplest case when no dependency between transforms exists, conjunction with each other. In the simplest case when no dependency
all Proposals in SAg payload will have the same value in Proposal Num between transforms exists, all Proposals in the SAg payload will have
field. the same value in the Proposal Num field.
Although the SAg payload is optional, it is RECOMMENDED for the GM to Although the SAg payload is optional, it is RECOMMENDED that the GM
include this payload into the GSA_AUTH request to allow the GCKS to include this payload into the GSA_AUTH request to allow the GCKS to
select an appropriate policy. select an appropriate policy.
A GM MAY also indicate the support for IPcomp by including one or A GM MAY also indicate the support for IPcomp by including one or
more the IPCOMP_SUPPORTED notifications along with the SAg payload in more the IPCOMP_SUPPORTED notifications along with the SAg payload in
the request. The Compression Parameter Index (CPI) in these the request. The Compression Parameter Index (CPI) in these
notifications is set to zero and MUST be ignored by the GCKS. notifications is set to zero and MUST be ignored by the GCKS.
Upon receiving the GSA_AUTH response, the GM parses the response from Upon receiving the GSA_AUTH response, the GM parses the response from
the GCKS authenticating the exchange using the IKEv2 method, then the GCKS authenticating the exchange using the IKEv2 method, then
processes the GSA and KD payloads. processes the GSA and KD payloads.
The GSA payload contains the security policy and cryptographic The GSA payload contains the security policy and cryptographic
protocols used by the group. This policy describes the optional protocols used by the group. This policy describes the optional
Rekey SA (KEK), Data-Security SAs (TEK), and optional Group-wide (GW) Rekey SA (KEK), Data-Security SAs (TEK), and optional Group-wide (GW)
policy. If the policy in the GSA payload is not acceptable to the policy. If the policy in the GSA payload is not acceptable to the
GM, it SHOULD notify the GCKS by initiating a GSA_REGISTRATION GM, it SHOULD notify the GCKS by initiating a GSA_REGISTRATION
exchange with a NO_PROPOSAL_CHOSEN Notify payload (see exchange with a NO_PROPOSAL_CHOSEN Notify payload (see
Section 2.3.2). Note, that this should normally not happen if the GM Section 2.3.2). Note that this should normally not happen if the GM
includes SAg payload in the GSA_AUTH request and the GCKS takes it includes the SAg payload in the GSA_AUTH request and the GCKS takes
into account. Finally the KD payload is parsed providing the keying it into account. Finally, the KD payload is parsed, providing the
material for the TEK and/or KEK. The KD payload contains a list of keying material for the TEK and/or KEK. The KD payload contains a
key bags, where each key bag includes the keying material for SAs list of key bags, where each key bag includes the keying material for
distributed in the GSA payload. Keying material is matched by SAs distributed in the GSA payload. Keying material is matched by
comparing the SPIs in the key bags to SPIs previously included in the comparing the SPIs in the key bags to SPIs previously included in the
GSA payloads. Once TEK keys and policy are matched, the GM provides GSA payloads. Once TEK keys and policy are matched, the GM provides
them to the data-security subsystem, and it is ready to send or them to the data-security subsystem, and it is ready to send or
receive packets matching the TEK policy. receive packets matching the TEK policy.
If the group member is not a sender for a received Data-Security SA, If the group member is not a sender for a received Data-Security SA,
then it MUST install this SA only in the inbound direction. If the then it MUST install this SA only in the inbound direction. If the
group member is a sender for a received Data-Security SA, and it is group member is a sender for a received Data-Security SA, and it is
not going to receive back the data it sends, then it MUST install not going to receive back the data it sends, then it MUST install
this SA only in the outgoing direction. this SA only in the outgoing direction.
If the first Message ID the GM should expect to receive is non-zero, If the first Message ID the GM should expect to receive is non-zero,
the GSA KEK policy includes the attribute GSA_INITIAL_MESSAGE_ID with the GSA KEK policy includes the attribute GSA_INITIAL_MESSAGE_ID with
the expected non-zero value. The value of the attribute MUST be the expected non-zero value. The value of the attribute MUST be
checked by a GM against any previously received Message ID for this checked by a GM against any previously received Message ID for this
group. If it is less than the previously received number, it should group. If it is less than the previously received number, it should
be considered stale and MUST be ignored. This could happen if two be considered stale and MUST be ignored. This could happen if two
GSA_AUTH exchanges happened in parallel, and the Message ID changed. GSA_AUTH exchanges happened in parallel and the Message ID changed.
This attribute is used by the GM to prevent GSA_REKEY message replay This attribute is used by the GM to prevent GSA_REKEY message replay
attacks. The first GSA_REKEY message that the GM receives from the attacks. The first GSA_REKEY message that the GM receives from the
GCKS will have a Message ID greater or equal to the Message ID GCKS will have a Message ID greater than or equal to the Message ID
received in the GSA_INITIAL_MESSAGE_ID attribute. received in the GSA_INITIAL_MESSAGE_ID attribute.
Group members MUST install the Rekey SA only in the inbound Group members MUST install the Rekey SA only in the inbound
direction. direction.
Once a GM successfully registers to the group it MUST replace any Once a GM successfully registers to the group, it MUST replace any
information related to this group (policy, keys) that it might have information related to this group (policy, keys) that it might have
as a result of a previous registration with a new one. as a result of a previous registration with a new one.
Once a GM has received GIKE_UPDATE policy during a registration, the Once a GM has received GIKE_UPDATE policy during a registration, the
IKE SA MAY be closed. By convention, the GCKS closes the IKE SA, the IKE SA MAY be closed. By convention, the GCKS closes the IKE SA; the
GM SHOULD NOT close it. The GKCS MAY choose to keep the IKE SA open GM SHOULD NOT close it. The GCKS MAY choose to keep the IKE SA open
for inband rekey, especially for small groups. If inband rekey is for inband rekey, especially for small groups. If inband rekey is
used, then the initial IKE SA can be rekeyed by any side with the used, then the initial IKE SA can be rekeyed by any side with the
standard IKEv2 mechanism described in Section 1.3.2 of IKEv2 standard IKEv2 mechanism described in Section 1.3.2 of [RFC7296]. If
[RFC7296]. If for some reason the IKE SA is closed and no for some reason the IKE SA is closed and no GIKE_UPDATE policy is
GIKE_UPDATE policy is received during the registration process, the received during the registration process, the GM MUST consider itself
GM MUST consider itself excluded from the group. To continue excluded from the group. To continue participating in the group, the
participating in the group, the GM needs to re-register. GM needs to re-register.
2.3.4. GCKS Registration Operations 2.3.4. GCKS Registration Operations
A G-IKEv2 GCKS listens for incoming requests from group members. A G-IKEv2 GCKS listens for incoming requests from group members.
When the GCKS receives an IKE_SA_INIT request, it selects an IKE When the GCKS receives an IKE_SA_INIT request, it selects an IKE
proposal and generates a nonce and DH to include them in the proposal and generates a nonce and Diffie-Hellman (DH) to include in
IKE_SA_INIT response. the IKE_SA_INIT response.
Upon receiving the GSA_AUTH request, the GCKS authenticates the group Upon receiving the GSA_AUTH request, the GCKS authenticates the group
member via the GSA_AUTH exchange. The GCKS then authorizes the group member via the GSA_AUTH exchange. The GCKS then authorizes the group
member according to group policy before preparing to send the member according to group policy before preparing to send the
GSA_AUTH response. If the GCKS fails to authorize the GM, it GSA_AUTH response. If the GCKS fails to authorize the GM, it
responds with an AUTHORIZATION_FAILED notify message type. The GCKS responds with an AUTHORIZATION_FAILED notify message type. The GCKS
may also respond with an INVALID_GROUP_ID notify message if the may also respond with an INVALID_GROUP_ID notify message if the
requested group is unknown to the GCKS or with an REGISTRATION_FAILED requested group is unknown to the GCKS or with an REGISTRATION_FAILED
notify message if there is a problem with the requested group (for notify message if there is a problem with the requested group (e.g.,
example the capacity of the group is exceeded). if the capacity of the group is exceeded).
The GSA_AUTH response will include the group policy in the GSA The GSA_AUTH response will include the group policy in the GSA
payload and keys in the KD payload. If the GCKS policy includes a payload and keys in the KD payload. If the GCKS policy includes a
group rekey option and the initial Message ID value the GCKS will use group rekey option and the initial Message ID value the GCKS will use
when sending the GSA_REKEY messages to the group members is non-zero, when sending the GSA_REKEY messages to the group members is non-zero,
then this value is specified in the GSA_INITIAL_MESSAGE_ID attribute. then this value is specified in the GSA_INITIAL_MESSAGE_ID attribute.
This Message ID is used to prevent GSA_REKEY message replay attacks This Message ID is used to prevent GSA_REKEY message replay attacks
and will be increased each time a GSA_REKEY message is sent to the and will be increased each time a GSA_REKEY message is sent to the
group. The GCKS data traffic policy is included in the GSA TEK and group. The GCKS data traffic policy is included in the GSA TEK and
keys are included in the KD TEK. The GW policy MAY also be included keys are included in the KD TEK. The GW policy MAY also be included
to provide the ATD and/or DTD (Section 4.4.3.1.1) specifying to provide the Activation Time Delay (ATD) and/or Deactivation Time
activation and deactivation delays for SAs generated from the TEKs. Delay (DTD) (Section 4.4.3.1.1) to specify activation and
If the group member has indicated that it is a sender of data traffic deactivation delays for SAs generated from the TEKs. If the group
and one or more Data Security SAs distributed in the GSA payload member has indicated that it is a sender of data traffic and one or
included a counter mode of operation, the GCKS responds with one or more Data-Security SAs distributed in the GSA payload included a
more Sender-ID values (see Section 2.5). counter mode of operation, the GCKS responds with one or more Sender-
ID values (see Section 2.5).
Multicast Extensions to the Security Architecture [RFC5374] defines Multicast Extensions to the Security Architecture [RFC5374] defines
two modes of operation for multicast Data-Security SAs: transport two modes of operation for multicast Data-Security SAs: transport
mode and tunnel mode with address preservation. In the latter case mode and tunnel mode with address preservation. In the latter case,
outer source and destination addresses are taken from the inner IP outer source and destination addresses are taken from the inner IP
packet. The mode of operation for the Data-Security SAs is packet. The mode of operation for the Data-Security SAs is
determined by the presence of the USE_TRANSPORT_MODE notification in determined by the presence of the USE_TRANSPORT_MODE notification in
the GCKS's response message of the registration exchange: if it is the GCKS's response message of the registration exchange. If it is
present, then SAs are created in transport mode; otherwise, SAs are present, then SAs are created in transport mode; otherwise, SAs are
created in tunnel mode. If multiple Data-Security SAs are being created in tunnel mode. If multiple Data-Security SAs are being
created in a single registration exchange, then all of them will have created in a single registration exchange, then all of them will have
the same mode of operation. the same mode of operation.
If the GCKS receives a GSA_REGISTRATION exchange with a request to If the GCKS receives a GSA_REGISTRATION exchange with a request to
register a GM to a group, the GCKS will need to authorize the GM with register a GM to a group, the GCKS will need to authorize the GM with
the new group (IDg) and respond with the corresponding group policy the new group (IDg) and respond with the corresponding group policy
and keys. If the GCKS fails to authorize the GM, it will respond and keys. If the GCKS fails to authorize the GM, it will respond
with the AUTHORIZATION_FAILED notification. The GCKS may also with the AUTHORIZATION_FAILED notification. The GCKS may also
respond with an INVALID_GROUP_ID or REGISTRATION_FAILED notify respond with an INVALID_GROUP_ID or REGISTRATION_FAILED notify
messages for the reasons described above. messages for the reasons described above.
If a group member includes an SAg in its GSA_AUTH or GSA_REGISTRATION If a group member includes an SAg in its GSA_AUTH or GSA_REGISTRATION
request, the GCKS may evaluate it according to an implementation request, the GCKS may evaluate it according to an implementation-
specific policy. specific policy.
* The GCKS could evaluate the list of Transforms and compare it to * The GCKS could evaluate the list of Transforms and compare it to
its current policy for the group. If the group member did not its current policy for the group. If the group member did not
include all of the ESP, AH or GIKE_UPDATE Transforms that match include all of the ESP, AH, or GIKE_UPDATE Transforms that match
the current group policy or the capabilities of all other the current group policy or the capabilities of all other
currently active GMs, then the GCKS SHOULD return a currently active GMs, then the GCKS SHOULD return a
NO_PROPOSAL_CHOSEN Notification. Alternatively, the GCKS can NO_PROPOSAL_CHOSEN notification. Alternatively, the GCKS can
change the group policy as defined below. change the group policy as defined below.
* The GCKS could store the list of Transforms, with the goal of * The GCKS could store the list of Transforms with the goal of
migrating the group policy to a different Transforms when all of migrating the group policy to a different Transforms when all of
the group members indicate that they can support that Transforms. the group members indicate that they can support that Transforms.
* The GCKS could store the list of Transforms and adjust the current * The GCKS could store the list of Transforms and adjust the current
group policy based on the capabilities of the devices as long as group policy based on the capabilities of the devices as long as
they fall within the acceptable security policy of the GCKS. they fall within the acceptable security policy of the GCKS.
Depending on its policy, the GCKS may have no further need for the Depending on its policy, the GCKS may have no further need for the
IKE SA (e.g., it does not plan to initiate an GSA_INBAND_REKEY IKE SA (e.g., it does not plan to initiate a GSA_INBAND_REKEY
exchange). If the GM does not initiate another registration exchange exchange). If the GM does not initiate another registration exchange
or Notify (e.g., NO_PROPOSAL_CHOSEN), and the GCKS is not intended to or Notify (e.g., NO_PROPOSAL_CHOSEN) and the GCKS is not intended to
use the SA, then after a short period of time the GCKS SHOULD close use the SA, then the GCKS SHOULD close the IKE SA to save resources
the IKE SA to save resources. after a short period of time.
2.4. Group Maintenance Channel 2.4. Group Maintenance Channel
The GCKS is responsible for rekeying the secure group per the group The GCKS is responsible for rekeying the secure group per the group
policy. Rekeying is an operation whereby the GCKS provides policy. Rekeying is an operation whereby the GCKS provides
replacement TEKs and KEK, deleting TEKs, and/or excluding group replacement TEKs and KEKs, deleting TEKs, and/or excluding group
members. The GCKS may initiate a rekey message if group membership members. The GCKS may initiate a rekey message if group membership
and/or policy has changed, or if the keys are about to expire. Two and/or policy has changed or if the keys are about to expire. Two
forms of group maintenance channels are provided in G-IKEv2 to push forms of group maintenance channels are provided in G-IKEv2 to push
new policy to group members. new policy to group members.
GSA_REKEY GSA_REKEY:
The GSA_REKEY is a pseudo-exchange, consisting of a one-way IKEv2 The GSA_REKEY is a pseudo-exchange, consisting of a one-way IKEv2
message sent by the GCKS, where the rekey policy is delivered to message sent by the GCKS where the rekey policy is delivered to
group members using IP multicast as a transport. This method is group members using IP multicast as a transport. This method is
valuable for large and dynamic groups, and where policy may change valuable for large and dynamic groups and where policy may change
frequently and a scalable rekey method is required. When the frequently and a scalable rekey method is required. When the
GSA_REKEY is used, the IKE SA protecting the member registration GSA_REKEY is used, the IKE SA protecting the member registration
exchanges is usually terminated, and group members await policy exchanges is usually terminated and group members await policy
changes from the GCKS via the GSA_REKEY messages. changes from the GCKS via the GSA_REKEY messages.
GSA_INBAND_REKEY GSA_INBAND_REKEY:
The GSA_INBAND_REKEY is a normal IKEv2 exchange using the IKE SA The GSA_INBAND_REKEY is a normal IKEv2 exchange using the IKE SA
that was setup to protecting the member registration exchange. that was set up to protect the member registration exchange. This
This exchange allows the GCKS to rekey without using an exchange allows the GCKS to rekey without using an independent
independent GSA_REKEY pseudo-exchange. The GSA_INBAND_REKEY GSA_REKEY pseudo-exchange. The GSA_INBAND_REKEY exchange provides
exchange provides a reliable policy delivery and is useful when a reliable policy delivery and is useful when G-IKEv2 is used with
G-IKEv2 is used with a small group of cooperating devices. a small group of cooperating devices.
Depending on its policy the GCKS MAY combine these two methods. For Depending on its policy, the GCKS MAY combine these two methods. For
example, it may use the GSA_INBAND_REKEY to deliver key to the GMs in example, the GCKS may use the GSA_INBAND_REKEY to deliver a key to
the group acting as senders (as this would provide reliable keys the GMs in the group acting as senders (as this would provide
delivery), and the GSA_REKEY for the rest GMs. reliable keys delivery) and the GSA_REKEY for the rest of the GMs.
2.4.1. GSA_REKEY 2.4.1. GSA_REKEY
The GCKS initiates the G-IKEv2 Rekey by sending a protected message The GCKS initiates the G-IKEv2 rekey by sending a protected message
to the GMs, usually using IP multicast. Since the Rekey messages do to the GMs, usually using IP multicast. Since the Rekey messages do
not require responses and they are sent to multiple GMs, the not require responses and are sent to multiple GMs, the windowing
windowing mechanism described in Section 2.3 of IKEv2 [RFC7296] MUST mechanism described in Section 2.3 of [RFC7296] MUST NOT be used for
NOT be used for the Rekey messages. The GCKS rekey message replaces the Rekey messages. The GCKS rekey message replaces the current
the current rekey GSA KEK or KEK array (e.g. in case of LKH), and/or rekey GSA KEK or KEK array (e.g., in the case of LKH) and/or creates
creates new Data-Security GSA TEKs. The GM_SENDER_ID attribute in new Data-Security GSA TEKs. The GM_SENDER_ID attribute in the Key
the Key Download payload (defined in Section 4.5.3.3) MUST NOT be Download payload (defined in Section 4.5.3.3) MUST NOT be part of the
part of the Rekey Exchange as this is sender specific information and Rekey Exchange, as this is sender-specific information and the Rekey
the Rekey Exchange is group specific. The GCKS initiates the Exchange is group specific. The GCKS initiates the GSA_REKEY pseudo-
GSA_REKEY pseudo-exchange as following: exchange as following:
GMs (Receivers) GCKS (Sender) GMs (Receivers) GCKS (Sender)
----------------- --------------- ----------------- ---------------
<-- HDR, SK{GSA, KD, [N,] [AUTH]} <-- HDR, SK{GSA, KD, [N,] [AUTH]}
Figure 9: GSA_REKEY Pseudo-Exchange Figure 9: GSA_REKEY Pseudo-Exchange
HDR is defined in Section 4.1. While GSA_REKEY re-uses IKEv2 header, HDR is defined in Section 4.1. While GSA_REKEY reuses the IKEv2
the "IKE SA Initiator's SPI" and the "IKE SA Responder's SPI" fields header, the "IKE SA Initiator's SPI" and the "IKE SA Responder's SPI"
are treated as a single field with a length of 16 octets containing fields are treated as a single field with a length of 16 octets
the SPI of Rekey SA. The value for this field is provided by the containing the SPI of a Rekey SA. The value for this field is
GCKS in the GSA payload (see Section 4.4.2). The Message ID in this provided by the GCKS in the GSA payload (see Section 4.4.2). The
message will start with the value the GCKS sent to the group members Message ID in this message will start with the value the GCKS sent to
in the attribute GSA_INITIAL_MESSAGE_ID or from zero if this the group members in the attribute GSA_INITIAL_MESSAGE_ID or from
attribute wasn't sent. The Message ID will be incremented each time zero if this attribute wasn't sent. The Message ID will be
a new GSA_REKEY message is sent to the group members. incremented each time a new GSA_REKEY message is sent to the group
members.
The GSA payload contains the current policy for rekey and Data- The GSA payload contains the current policy for rekey and Data-
Security SAs. The GSA may contain a new Rekey SA and/or a new Data- Security SAs. The GSA may contain a new Rekey SA and/or a new Data-
Security SAs Section 4.4. Security SAs (Section 4.4).
The KD payload contains the keys for the policy included in the GSA. The KD payload contains the keys for the policy included in the GSA.
If one or more Data-Security SAs are being refreshed in this rekey If one or more Data-Security SAs are being refreshed in this rekey
message, the IPsec keys are updated in the KD, and/or if the rekey SA message, the IPsec keys are updated in the KD, and/or if the Rekey SA
is being refreshed in this rekey message, the rekey Key or the LKH is being refreshed in this rekey message, the rekey Key or the LKH
KEK array (e.g. in case of LKH) is updated in the KD payload. KEK array (e.g., in case of LKH) is updated in the KD payload.
A Delete payload MAY be included to instruct the GM to delete A Delete payload MAY be included to instruct the GM to delete
existing SAs. See Section 4.6 for more detail. existing SAs. See Section 4.6 for more detail.
The AUTH payload MUST be included to authenticate the GSA_REKEY The AUTH payload MUST be included to authenticate the GSA_REKEY
message if the authentication method is based on public key message if the authentication method is based on public key
signatures and MUST NOT be included if authentication is implicit. signatures and MUST NOT be included if authentication is implicit.
In the latter case, the fact that a GM can decrypt the GSA_REKEY In the latter case, the fact that a GM can decrypt the GSA_REKEY
message and verify its ICV proves that the sender of this message message and verify its Integrity Check Value (ICV) proves that the
knows the current KEK, thus authenticating the sender as a member of sender of this message knows the current KEK, thus authenticating the
the group. Note, that implicit authentication doesn't provide source sender as a member of the group. Note that implicit authentication
origin authentication. For this reason using implicit authentication doesn't provide source origin authentication. For this reason, using
for GSA_REKEY is NOT RECOMMENDED unless source origin authentication implicit authentication for GSA_REKEY is NOT RECOMMENDED unless
is not required (for example, in a small group of highly trusted source origin authentication is not required (for example, in a small
GMs). See more about authentication methods in Section 4.4.2.1.1. group of highly trusted GMs). See more about authentication methods
in Section 4.4.2.1.1.
During group member registration, the GCKS sends the authentication During group member registration, the GCKS sends the authentication
key in the KD payload, AUTH_KEY attribute, which the group member key in the KD payload, the AUTH_KEY attribute, which the group member
uses to authenticate the key server. Before the current uses to authenticate the key server. Before the current
authentication key expires, the GCKS will send a new AUTH_KEY to the authentication key expires, the GCKS will send a new AUTH_KEY to the
group members in a GSA_REKEY message. The authentication key that is group members in a GSA_REKEY message. The authentication key that is
sent in the rekey message may be not the same as the authentication sent in the rekey message may not be the same as the authentication
key sent during the GM registration. If implicit authentication is key sent during the GM registration. If implicit authentication is
used, then AUTH_KEY MUST NOT be sent to GMs. used, then AUTH_KEY MUST NOT be sent to GMs.
2.4.1.1. GSA_REKEY Message Authentication 2.4.1.1. GSA_REKEY Message Authentication
The content of the AUTH payload generally depends on the The content of the AUTH payload generally depends on the
authentication method from the Group Controller Authentication Method authentication method from the Group Controller Authentication Method
transform (Section 4.4.2.1.1). This specification defines the use of (GCAUTH) transform (Section 4.4.2.1.1). This specification defines
only one authentication method - Digital Signature, and the AUTH the use of only one authentication method, Digital Signature, and the
payload contains digital signature calculated over the content of the AUTH payload contains a digital signature calculated over the content
not yet encrypted GSA_REKEY message. of the not-yet-encrypted GSA_REKEY message.
The digital signing is applied to the concatenation of two chunks: A The digital signing is applied to the concatenation of two chunks: A
and P. The chunk A starts with the first octet of the G-IKEv2 header and P. Chunk A starts with the first octet of the G-IKEv2 header
(not including prepended four octets of zeros, if port 4500 is used) (not including prepended four octets of zeros, if port 4500 is used)
and continues to the last octet of the Encrypted Payload header. The and continues to the last octet of the Encrypted Payload header.
chunk P consists of the not yet encrypted content of the Encrypted Chunk P consists of the not-yet-encrypted content of the Encrypted
payload, excluding the Initialization Vector, the Padding, the Pad payload, excluding the Initialization Vector, the Padding, the Pad
Length and the Integrity Checksum Data fields (see 3.14 of IKEv2 Length, and the Integrity Checksum Data fields (see Section 3.14 of
[RFC7296] for description of the Encrypted payload). In other words, [RFC7296] for the description of the Encrypted payload). In other
the P chunk is the inner payloads of the Encrypted payload in words, chunk P is the inner payloads of the Encrypted payload in
plaintext form. Figure 10 illustrates the layout of the P and A plaintext form. Figure 11 illustrates the layout of chunks P and A
chunks in the GSA_REKEY message. in the GSA_REKEY message.
Before the calculation of the AUTH payload the inner payloads of Before the calculation of the AUTH payload, the inner payloads of the
Encrypted payload must be fully formed and ready for encryption, Encrypted payload must be fully formed and ready for encryption
except for the content of the AUTH payload. The AUTH payload must except for the content of the AUTH payload. The AUTH payload must
have correct values in the Payload Header, the Auth Method and the have correct values in the Payload Header, the Auth Method, and the
RESERVED fields. The Authentication Data field is zeroed, but the RESERVED fields. The Authentication Data field is zeroed, but the
ASN.1 Length and the AlgorithmIdentifier fields must be properly ASN.1 Length and the AlgorithmIdentifier fields must be properly
filled in, see Signature Authentication in IKEv2 [RFC7427]. filled in; see Signature Authentication in [RFC7427].
For the purpose of the AUTH payload calculation the Length field in For the purpose of the AUTH payload calculation, the Length field in
the IKE header and the Payload Length field in the Encrypted Payload the IKE header and the Payload Length field in the Encrypted Payload
header are adjusted so that they don't count the lengths of header are adjusted so that they don't count the lengths of
Initialization Vector, Integrity Checksum Data and Padding (along Initialization Vector, Integrity Checksum Data, and Padding (along
with Pad Length field). In other words, the Length field in the IKE with Pad Length field). In other words, the Length field in the IKE
header (denoted as AdjustedLen in Figure 10) is set to the sum of the header (denoted as AdjustedLen in Figure 11) is set to the sum of the
lengths of A and P, and the Payload Length field in the Encrypted lengths of A and P, and the Payload Length field in the Encrypted
Payload header (denoted as AdjustedPldLen in Figure 10) is set to the Payload header (denoted as AdjustedPldLen in Figure 11) is set to the
length of P plus the size of the Payload header (four octets). length of P plus the size of the Payload header (four octets).
The input to the digital signature algorithm that computes the The input to the digital signature algorithm that computes the
content of the AUTH payload can be described as: content of the AUTH payload can be described as:
DataToAuthenticate = A | P DataToAuthenticate = A | P
GsaRekeyMessage = GenIKEHDR | EncPayload GsaRekeyMessage = GenIKEHDR | EncPayload
GenIKEHDR = [ four octets 0 if using port 4500 ] | AdjustedIKEHDR GenIKEHDR = [ four octets 0 if using port 4500 ] | AdjustedIKEHDR
AdjustedIKEHDR = SPIi | SPIr | . . . | AdjustedLen AdjustedIKEHDR = SPIi | SPIr | . . . | AdjustedLen
EncPayload = AdjustedEncPldHdr | IV | InnerPlds | Pad | PadLen | ICV EncPayload = AdjustedEncPldHdr | IV | InnerPlds | Pad | PadLen | ICV
AdjustedEncPldHdr = NextPld | C | RESERVED | AdjustedPldLen AdjustedEncPldHdr = NextPld | C | RESERVED | AdjustedPldLen
A = AdjustedIKEHDR | AdjustedEncPldHdr A = AdjustedIKEHDR | AdjustedEncPldHdr
P = InnerPlds P = InnerPlds
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 Figure 10
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ^ ^ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ^ ^
| IKE SA Initiator's SPI | | | | IKE SA Initiator's SPI | | |
| | | | | | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ I | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ I |
| IKE SA Responder's SPI | K | | IKE SA Responder's SPI | K |
| | E | | | E |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| Next Payload | MjVer | MnVer | Exchange Type | Flags | H A | Next Payload | MjVer | MnVer | Exchange Type | Flags | H A
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ d | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ d |
| Message ID | r | | Message ID | r |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
| AdjustedLen | | | | AdjustedLen | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ x | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ x |
| Next Payload |C| RESERVED | AdjustedPldLen | | | | Next Payload |C| RESERVED | AdjustedPldLen | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | v +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | v
| | | | | |
~ Initialization Vector ~ E ~ Initialization Vector ~ E
| | n | | n
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ c ^ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ c ^
| | r | | | r |
~ Inner payloads (not yet encrypted) ~ P ~ Inner Payloads (not yet encrypted) ~ P
| | P | | | P |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ l v +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ l v
~ Padding (0-255 octets) | Pad Length | d ~ Padding (0-255 octets) | Pad Length | d
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| | | | | |
~ Integrity Checksum Data ~ | ~ Integrity Checksum Data ~ |
| | | | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ v +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ v
Figure 10: Data to Authenticate in the GSA_REKEY Messages Figure 11: Data to Authenticate in the GSA_REKEY Messages
The authentication data is calculated using the authentication The authentication data is calculated using the authentication
algorithm from the Group Controller Authentication Method transform algorithm from the Group Controller Authentication Method transform
(Section 4.4.2.1.1) and the current authentication key provided in (Section 4.4.2.1.1) and the current authentication key provided in
the AUTH_KEY attribute (Section 4.5.3.2). The calculated the AUTH_KEY attribute (Section 4.5.3.2). The calculated
authentication data is placed into the AUTH payload, the Length authentication data is placed into the AUTH payload, the Length
fields in the IKE Header and the Encryption Payload header are fields in the IKE Header and the Encryption Payload header are
restored, the content of the Encrypted payload is encrypted and the restored, the content of the Encrypted payload is encrypted and the
ICV is computed using the current KEK. ICV is computed using the current KEK.
2.4.1.2. IKE Fragmentation 2.4.1.2. IKE Fragmentation
IKEv2 fragmentation [RFC7383] can be used to perform fragmentation of IKEv2 fragmentation [RFC7383] can be used to perform fragmentation of
large GSA_REKEY messages; however, when the GSA_REKEY message is large GSA_REKEY messages; however, when the GSA_REKEY message is
emitted as an IP multicast packet there is a lack of response from emitted as an IP multicast packet, there is a lack of response from
the GMs. This has the following implications. the GMs. This has the following implications.
* Policy regarding the use of IKE fragmentation is implicit. If a * Policy regarding the use of IKE fragmentation is implicit. If a
GCKS detects that all GMs have negotiated support of IKE GCKS detects that all GMs have negotiated support of IKE
fragmentation in IKE_SA_INIT, then it MAY use IKE fragmentation on fragmentation in IKE_SA_INIT, then it MAY use IKE fragmentation on
large GSA_REKEY messages. large GSA_REKEY messages.
* The GCKS must always use IKE fragmentation based on a pre- * The GCKS must always use IKE fragmentation based on a
configured fragmentation threshold, as there is no way to check if preconfigured fragmentation threshold, as there is no way to check
fragmentation is needed by first sending unfragmented messages and if fragmentation is needed by first sending unfragmented messages
waiting for response. Section 2.5.1 of IKEv2 Fragmentation and waiting for response. Section 2.5.1 of [RFC7383] contains
[RFC7383] contains recommendation on selecting the fragmentation recommendations on selecting the fragmentation threshold.
threshold.
* PMTU mechanism, defined in Section 2.5.2 of IKEv2 Fragmentation * The Path MTU (PMTU) mechanism, defined in Section 2.5.2 of
[RFC7383], cannot be used due to lack of GSA_REKEY response [RFC7383], cannot be used due to lack of GSA_REKEY response
messages. messages.
The calculation of authentication data MUST be applied to whole The calculation of authentication data MUST be applied to whole
messages only, before possible IKE Fragmentation. If the message was messages only before possible IKE Fragmentation. If the message was
received in fragmented form, it should be reconstructed before received in fragmented form, it should be reconstructed before
verifying its authenticity as if it were received unfragmented. The verifying its authenticity as if it were received unfragmented. The
RESERVED field in the reconstructed Encrypted Payload header MUST be RESERVED field in the reconstructed Encrypted Payload header MUST be
set to the value of the RESERVED field in the Encrypted Fragment set to the value of the RESERVED field in the Encrypted Fragment
payload header from the first fragment (that with Fragment Number payload header from the first fragment (with the Fragment Number
equal to 1). equal to 1).
2.4.1.3. GSA_REKEY GCKS Operations 2.4.1.3. GSA_REKEY GCKS Operations
The GCKS builds the rekey message with a Message ID value that is one The GCKS builds the rekey message with a Message ID value that is one
greater than the value included in the previous rekey message. The greater than the value included in the previous rekey message. The
first message sent over a new Rekey SA MUST use Message ID of 0. The first message sent over a new Rekey SA MUST use a Message ID of 0.
GSA, KD and N payloads follow with the same characteristics as in the The GSA, KD, and N payloads follow with the same characteristics as
GSA Registration exchange. The AUTH payload (if present) is created in the GSA Registration exchange. The AUTH payload (if present) is
as defined in Section 2.4.1.1. created as defined in Section 2.4.1.1.
Because GSA_REKEY messages are not acknowledged and could be Because GSA_REKEY messages are not acknowledged and could be
discarded by the network, one or more GMs may not receive the new discarded by the network, one or more GMs may not receive the new
policy. To mitigate such lost messages, during a rekey event the policy. To mitigate such lost messages, during a rekey event, the
GCKS may transmit several copies of an encrypted GSA_REKEY message GCKS may transmit several copies of an encrypted GSA_REKEY message
with the new policy. The (encrypted) retransmitted messages MUST be with the new policy. The (encrypted) retransmitted messages MUST be
bitwise identical and should be sent within a short time interval (a bitwise identical and should be sent within a short time interval (a
few seconds) to ensure that the SA lifetime calculations would not be few seconds) to ensure that the SA lifetime calculations would not be
substantially skewed for the GMs that would receive different copies substantially skewed for the GMs that would receive different copies
of the messages. of the messages.
GCKS may also include one or several GSA_NEXT_SPI attributes GCKS may also include one or several GSA_NEXT_SPI attributes
specifying SPIs for the prospected rekeys, so that listening GMs are specifying SPIs for the prospected rekeys so that listening GMs are
able to detect lost rekey messages and recover from this situation. able to detect lost rekey messages and recover from this situation.
See Sections Section 4.4.2.2.3 for more detail. See Section 4.4.2.2.3 for more detail.
2.4.1.4. GSA_REKEY GM Operations 2.4.1.4. GSA_REKEY GM Operations
When a group member receives the Rekey message from the GCKS it When a group member receives the rekey message from the GCKS, it
decrypts the message and verifies its integrity using the current decrypts the message and verifies its integrity using the current
KEK. If the AUTH payload is present in the decrypted message, then KEK. If the AUTH payload is present in the decrypted message, then
the GM validates authenticity of the message using the key retrieved the GM validates authenticity of the message using the key retrieved
in a previous G-IKEv2 exchange. Then the GM verifies the Message ID, in a previous G-IKEv2 exchange. Then the GM verifies the Message ID
and processes the GSA and KD payloads. The group member then and processes the GSA and KD payloads. The group member then
installs the new Data-Security SA(s) and/or new Rekey SA. The installs the new Data-Security SA(s) and/or a new Rekey SA. The
parsing of the payloads is identical to the parsing done in the parsing of the payloads is identical to the parsing done in the
registration exchange. registration exchange.
Replay protection is achieved by a group member rejecting a GSA_REKEY Replay protection is achieved by a group member rejecting a GSA_REKEY
message which has a Message ID smaller than the current Message ID message that has a Message ID smaller than the current Message ID
that the GM is expecting. The GM expects the Message ID in the first that the GM is expecting. The GM expects the Message ID in the first
GSA_REKEY message it receives to be equal or greater than the Message GSA_REKEY message it receives to be equal to or greater than the
ID it receives in the GSA_INITIAL_MESSAGE_ID attribute. Note, that Message ID it receives in the GSA_INITIAL_MESSAGE_ID attribute. Note
if the GSA_INITIAL_MESSAGE_ID attribute is not received for the Rekey that if the GSA_INITIAL_MESSAGE_ID attribute is not received for the
SA, the GM MUST assume zero as the first expected Message ID. The GM Rekey SA, the GM MUST assume zero as the first expected Message ID.
expects the Message ID in subsequent GSA_REKEY messages to be greater The GM expects the Message ID in subsequent GSA_REKEY messages to be
than the last valid GSA_REKEY message ID it received. greater than the last valid GSA_REKEY message ID it received.
This specification assumes that the GSA_REKEY messages are sent with This specification assumes that the GSA_REKEY messages are sent with
intervals, that are significantly greater than typical network packet intervals that are significantly greater than typical network packet
reordering intervals. reordering intervals.
If the GSA payload includes a Data-Security SA using cipher in a If the GSA payload includes a Data-Security SA using cipher in a
counter-mode of operation and the receiving group member is a sender counter-mode of operation and the receiving group member is a sender
for that SA, the group member uses its current Sender-ID value with for that SA, the group member uses its current Sender-ID value with
the Data-Security SAs to create counter-mode nonces. If it is a the Data-Security SAs to create counter-mode nonces. If it is a
sender and does not hold a current Sender-ID value (for example, when sender and does not hold a current Sender-ID value (for example, when
no counter-mode is employed for other Data-Security SAs), it MUST NOT no counter-mode is employed for other Data-Security SAs), it MUST NOT
install the Data-Security SAs. It MUST initiate a re-registration to install the Data-Security SAs. It MUST initiate a re-registration to
the GCKS in order to obtain an Sender-ID value (along with the the GCKS in order to obtain a Sender-ID value (along with the current
current group policy). group policy).
Once a new Rekey SA is installed as a result of GSA_REKEY message, Once a new Rekey SA is installed as a result of a GSA_REKEY message,
the current Rekey SA (over which the message was received) MUST be the current Rekey SA (over which the message was received) MUST be
silently deleted after waiting DEACTIVATION_TIME_DELAY interval silently deleted after waiting the DEACTIVATION_TIME_DELAY interval
regardless of its expiration time. If the message includes Delete regardless of its expiration time. If the message includes a Delete
payload for existing Data-Security SA, then after installing a new payload for an existing Data-Security SA, then after installing a new
Data-Security SA the old one, identified by the Protocol and SPI Data-Security SA, the old one (identified by the Protocol and SPI
fields in the Delete payload, MUST be silently deleted after waiting fields in the Delete payload) MUST be silently deleted after waiting
DEACTIVATION_TIME_DELAY interval regardless of its expiration time. the DEACTIVATION_TIME_DELAY interval regardless of its expiration
time.
If a Data-Security SA is not rekeyed yet and is about to expire (a If a Data-Security SA is not rekeyed yet and is about to expire (a
"soft lifetime" expiration is described in Section 4.4.2.1 of "soft lifetime" expiration is described in Section 4.4.2.1 of
[RFC4301]), the GM SHOULD initiate a registration to the GCKS. This [RFC4301]), the GM SHOULD initiate a registration to the GCKS. This
registration serves as a request for current SAs, and will result in registration serves as a request for current SAs and will result in
the download of replacement SAs, assuming the GCKS policy has created the download of replacement SAs, assuming the GCKS policy has created
them. A GM SHOULD also initiate a registration request if a Rekey SA them. A GM SHOULD also initiate a registration request if a Rekey SA
is about to expire and not yet replaced with a new one. is about to expire and not yet replaced with a new one.
2.4.2. GSA_INBAND_REKEY Exchange 2.4.2. GSA_INBAND_REKEY Exchange
When the IKE SA protecting the member registration exchange is When the IKE SA protecting the member registration exchange is
maintained while group member participates in the group, the GCKS can maintained while a group member participates in the group, the GCKS
use the GSA_INBAND_REKEY exchange to individually provide policy can use the GSA_INBAND_REKEY exchange to individually provide policy
updates to the group member. updates to the group member.
GM (Responder) GCKS (Initiator) GM (Responder) GCKS (Initiator)
---------------- ------------------ ---------------- ------------------
<-- HDR, SK{GSA, KD, [N]} <-- HDR, SK{GSA, KD, [N]}
HDR, SK{} --> HDR, SK{} -->
Figure 11: GSA_INBAND_REKEY Exchange Figure 12: GSA_INBAND_REKEY Exchange
Because this is a normal IKEv2 exchange, the HDR is treated as Because this is a normal IKEv2 exchange, the HDR is treated as
defined in IKEv2 [RFC7296]. defined in IKEv2 [RFC7296].
2.4.2.1. GSA_INBAND_REKEY GCKS Operations 2.4.2.1. GSA_INBAND_REKEY GCKS Operations
The GSA, KD and N payloads are built in the same manner as in a The GSA, KD, and N payloads are built in the same manner as in a
registration exchange. registration exchange.
2.4.2.2. GSA_INBAND_REKEY GM Operations 2.4.2.2. GSA_INBAND_REKEY GM Operations
The GM processes the GSA, KD and N payloads in the same manner as if The GM processes the GSA, KD, and N payloads in the same manner as if
they were received in a registration exchange. they were received in a registration exchange.
2.4.3. Deletion of SAs 2.4.3. Deletion of SAs
There are occasions when the GCKS may want to signal to group members There are occasions when the GCKS may want to signal to group members
to delete policy when the application sending data traffic has ended, to delete policy when the application sending data traffic has ended
or if group policy has changed. Deletion of SAs is accomplished by or if group policy has changed. Deletion of SAs is accomplished by
sending the Delete Payload described in Section 3.11 of IKEv2 sending the Delete Payload described in Section 3.11 of [RFC7296] as
[RFC7296] as part of the GSA_REKEY pseudo-exchange as shown below. part of the GSA_REKEY pseudo-exchange as shown below.
GMs (Receivers) GCKS (Sender) GMs (Receivers) GCKS (Sender)
---------------- --------------- ---------------- ---------------
<-- HDR, SK{D, [N,] [AUTH]} <-- HDR, SK{D, [N,] [AUTH]}
Figure 12: SA Deletion in GSA_REKEY Figure 13: SA Deletion in GSA_REKEY
If GCKS has a unicast SA with group member then it can use the If GCKS has a unicast SA with a group member, then it can use the
GSA_INBAND_REKEY exchange to delete SAs. GSA_INBAND_REKEY exchange to delete SAs.
GM (Responder) GCKS (Initiator) GM (Responder) GCKS (Initiator)
--------------- ------------------ --------------- ------------------
<-- HDR, SK{D, [N]} <-- HDR, SK{D, [N]}
HDR, SK{} --> HDR, SK{} -->
Figure 13: SA Deletion in GSA_INBAND_REKEY Figure 14: SA Deletion in GSA_INBAND_REKEY
There may be circumstances where the GCKS may want to start over with There may be circumstances where the GCKS may want to start over with
a clean state, for example in case it runs out of available Sender- a clean state, e.g., in case it runs out of available Sender-IDs.
IDs. The GCKS can signal deletion of all the Data-Security SAs by The GCKS can signal deletion of all the Data-Security SAs by sending
sending a Delete payload with an SPI value equal to zero. For a Delete payload with an SPI value equal to zero. For example, if
example, if the GCKS wishes to remove the Rekey SA and all the Data- the GCKS wishes to remove the Rekey SA and all the Data-Security SAs,
Security SAs, the GCKS sends a Delete payload with an SPI of zero and the GCKS sends a Delete payload with an SPI of zero and a Protocol ID
Protocol ID of AH or ESP, followed by another Delete payload with a of AH or ESP, followed by another Delete payload with an SPI of zero
SPI of zero and Protocol ID of GIKE_UPDATE. and a Protocol ID of GIKE_UPDATE.
If a group member receives a Delete payload with zero SPI and If a group member receives a Delete payload with zero SPI and a
protocol ID of GIKE_UPDATE, it means that the group member is Protocol ID of GIKE_UPDATE, it means that the group member is
excluded from the group. Such Delete payload may be received either excluded from the group. Such Delete payload may be received either
in the GSA_REKEY pseudo-exchange or in the GSA_INBAND_REKEY exchange. in the GSA_REKEY pseudo-exchange or in the GSA_INBAND_REKEY exchange.
In this situation the group member MUST re-register if it wants to In this situation, the group member MUST re-register if it wants to
continue participating in this group. The registration is performed continue participating in this group. The registration is performed
as described in Section 2.3. It is RECOMMENDED that a GM waits some as described in Section 2.3. It is RECOMMENDED that a GM waits some
randomly chosen time before initiating a registration request in this randomly chosen time before initiating a registration request in this
situation to avoid overloading the GCKS. This document doesn't situation to avoid overloading the GCKS. This document doesn't
specify the maximum delay, which is implementation-dependent, but it specify the maximum delay, which is implementation-dependent, but it
is believed, that the order of seconds suits most situations. Note, is believed that the order of seconds suits most situations. Note
that if the unicast SA between the group member and the GCKS exists, that if the unicast SA between the group member and the GCKS exists,
then the group member may use the GSA_REGISTRATION exchange to re- then the group member may use the GSA_REGISTRATION exchange to re-
register. However, after excluding an GM from the group the GCKS MAY register. However, after excluding a GM from the group, the GCKS MAY
immediately delete the unicast SA with this GM (if any) if the immediately delete the unicast SA with this GM (if any) if the
credentials of this GM are revoked. credentials of this GM are revoked.
2.5. Counter-based modes of operation 2.5. Counter-Based Modes of Operation
Several counter-based modes of operation have been specified for ESP Several counter-based modes of operation have been specified for ESP
(e.g., AES-CTR [RFC3686], AES-GCM [RFC4106], AES-CCM [RFC4309], (e.g., AES-CTR [RFC3686], AES-GCM [RFC4106], AES CCM [RFC4309],
ChaCha20-Poly1305 [RFC7634], AES-GMAC [RFC4543]) and AH (e.g., AES- ChaCha20-Poly1305 [RFC7634], and AES-GMAC [RFC4543]) and AH (e.g.,
GMAC [RFC4543]). These counter-based modes require that no two AES-GMAC [RFC4543]). These counter-based modes require that no two
senders in the group ever send a packet with the same Initialization senders in the group ever send a packet with the same IV using the
Vector (IV) using the same cipher key and mode. This requirement is same cipher key and mode. This requirement is met in G-IKEv2 when
met in G-IKEv2 when the following measures are taken: the following measures are taken:
* The GCKS distributes a unique key for each Data-Security SA. * The GCKS distributes a unique key for each Data-Security SA.
* The GCKS uses the method described in Using Counter Modes with ESP * The GCKS uses the method described in [RFC6054], which assigns
and AH to Protect Group Traffic [RFC6054], which assigns each each sender a portion of the IV space by provisioning each sender
sender a portion of the IV space by provisioning each sender with with one or more unique Sender-ID values.
one or more unique Sender-ID values.
2.5.1. Allocation of Sender-ID 2.5.1. Allocation of Sender-ID
When at least one Data-Security SA included in the group policy When at least one Data-Security SA included in the group policy
includes a counter-based mode of operation, the GCKS automatically includes a counter-based mode of operation, the GCKS automatically
allocates and distributes one Sender-ID to each group member acting allocates and distributes one Sender-ID to each group member acting
in the role of sender on the Data-Security SA. The Sender-ID value in the role of sender on the Data-Security SA. The Sender-ID value
is used exclusively by the group sender to which it was allocated. is used exclusively by the group sender to which it was allocated.
The group sender uses the same Sender-ID for each Data-Security SA The group sender uses the same Sender-ID for each Data-Security SA
specifying the use of a counter-based mode of operation. A GCKS MUST specifying the use of a counter-based mode of operation. A GCKS MUST
distribute unique keys for each Data-Security SA including a counter- distribute unique keys for each Data-Security SA, including a
based mode of operation in order to maintain unique key and nonce counter-based mode of operation in order to maintain unique key and
usage. nonce usage.
During registration, the group sender can choose to request one or During registration, the group sender can choose to request one or
more Sender-ID values. Requesting a value of 1 is not necessary more Sender-ID values. Requesting a value of 1 is not necessary
since the GCKS will automatically allocate exactly one to the group since the GCKS will automatically allocate exactly one to the group
sender. A group sender MUST request as many Sender-ID values sender. A group sender MUST request as many Sender-ID values
matching the number of encryption modules in which it will be matching the number of encryption modules in which it will be
installing the TEKs in the outbound direction. Alternatively, a installing the TEKs in the outbound direction. Alternatively, a
group sender MAY request more than one Sender-ID and use them group sender MAY request more than one Sender-ID and use them
serially. This could be useful when it is anticipated that the group serially. This could be useful when it is anticipated that the group
sender will exhaust their range of Data- Security SA nonces using a sender will exhaust their range of Data-Security SA nonces using a
single Sender-ID too quickly (e.g., before the time-based policy in single Sender-ID too quickly (e.g., before the time-based policy in
the TEK expires). the TEK expires).
When the group policy includes a counter-based mode of operation, a When the group policy includes a counter-based mode of operation, a
GCKS should use the following method to allocate Sender-ID values, GCKS should use the following method to allocate Sender-ID values,
which ensures that each Sender-ID will be allocated to just one group which ensures that each Sender-ID will be allocated to just one group
sender. sender.
1. A GCKS maintains an Sender-ID counter, which records the Sender- 1. A GCKS maintains a Sender-ID counter, which records the Sender-
IDs that have been allocated. Sender-IDs are allocated IDs that have been allocated. Sender-IDs are allocated
sequentially, with zero as the first allocated value. sequentially with zero as the first allocated value.
2. Each time an Sender-ID is allocated, the current value of the 2. Each time a Sender-ID is allocated, the current value of the
counter is saved and allocated to the group sender. The Sender- counter is saved and allocated to the group sender. The Sender-
ID counter is then incremented in preparation for the next ID counter is then incremented in preparation for the next
allocation. allocation.
3. When the GCKS specifies a counter-based mode of operation in the 3. When the GCKS specifies a counter-based mode of operation in the
Data-Security SA a group sender may request a count of Sender-IDs Data-Security SA, a group sender may request a count of Sender-
during registration in a Notify payload information of type IDs during registration in a Notify payload information of type
SENDER. When the GCKS receives this request, it increments the SENDER. When the GCKS receives this request, it increments the
Sender-ID counter once for each requested Sender-ID, and Sender-ID counter once for each requested Sender-ID and
distributes each Sender-ID value to the group sender. The GCKS distributes each Sender-ID value to the group sender. The GCKS
should have a policy-defined upper bound for the number of should have a policy-defined upper bound for the number of
Sender-ID values that it will return irrespective of the number Sender-ID values that it will return irrespective of the number
requested by the GM. requested by the GM.
4. A GCKS allocates new Sender-ID values for each registration 4. A GCKS allocates new Sender-ID values for each registration
operation by a group sender, regardless of whether the group operation by a group sender, regardless of whether the group
sender had previously contacted the GCKS. In this way, the GCKS sender had previously contacted the GCKS. In this way, the GCKS
is not required to maintaining a record of which Sender-ID values is not required to maintain a record of which Sender-ID values it
it had previously allocated to each group sender. More had previously allocated to each group sender. More importantly,
importantly, since the GCKS cannot reliably detect whether the since the GCKS cannot reliably detect whether the group sender
group sender had sent data on the current group Data-Security SAs had sent data on the current group Data-Security SAs, it does not
it does not know what Data-Security counter-mode nonce values know what Data-Security counter-mode nonce values that a group
that a group sender has used. By distributing new Sender-ID sender has used. By distributing new Sender-ID values, the key
values, the key server ensures that each time a conforming group server ensures that each time a conforming group sender installs
sender installs a Data-Security SA it will use a unique set of a Data-Security SA, it will use a unique set of counter-based
counter-based mode nonces. mode nonces.
5. When the Sender-ID counter maintained by the GCKS reaches its 5. When the Sender-ID counter maintained by the GCKS reaches its
final Sender-ID value, no more Sender-ID values can be final Sender-ID value, no more Sender-ID values can be
distributed. Before distributing any new Sender-ID values, the distributed. Before distributing any new Sender-ID values, the
GCKS MUST exclude all group members from the group as described GCKS MUST exclude all group members from the group as described
in Section 2.4.3. This will result in the group members in Section 2.4.3. This will result in the group members
performing re-registration, during which they will receive new performing re-registration, during which they will receive new
Data-Security SAs and group senders will additionally receive new Data-Security SAs and group senders will additionally receive new
Sender-ID values. The new Sender-ID values can safely be used Sender-ID values. The new Sender-ID values can safely be used
because they are only used with the new Data-Security SAs. because they are only used with the new Data-Security SAs.
2.5.2. GM Usage of Sender-ID 2.5.2. GM Usage of Sender-ID
A GM applies the Sender-ID to Data-Security SAs as follows. A GM applies the Sender-ID to Data-Security SAs as follows:
* The most significant bits of the IV indicated in the * The most significant bits of the IV indicated in the
GWP_SENDER_ID_BITS attribute (Section 4.4.3.1.2) are taken to be GWP_SENDER_ID_BITS attribute (Section 4.4.3.1.2) are taken to be
the Sender-ID field of the IV. the Sender-ID field of the IV.
* The Sender-ID is placed in the least significant bits of the * The Sender-ID is placed in the least significant bits of the
Sender-ID field, where any unused most significant bits are set to Sender-ID field, where any unused most significant bits are set to
zero. If the Sender-ID value doesn't fit into the number of bits zero. If the Sender-ID value doesn't fit into the number of bits
from the GWP_SENDER_ID_BITS attributes, then the GM MUST treat from the GWP_SENDER_ID_BITS attributes, then the GM MUST treat
this as a fatal error and re-register to the group. this as a fatal error and re-register to the group.
2.6. Replay Protection for Multicast Data-Security SAs 2.6. Replay Protection for Multicast Data-Security SAs
IPsec provides anti-replay service as part of its security services. IPsec provides anti-replay service as part of its security services.
With multicast extension for IPsec replay protection is not always With multicast extensions for IPsec, replay protection is not always
possible to achieve (see Section 6.1 of Multicast Group Security possible to achieve (see Section 6.1 of [RFC3740]). In particular,
Architecture [RFC3740]). In particular, if there are many group if there are many group senders for a Data-Security SA, then each of
senders for a Data-Security SA, then each of them will independently them will independently increment the Sequence Number field in the
increment the Sequence Number field in the ESP header (see ESP header (see Section 2.2 of [RFC4303] and Section 2.5 of
Section 2.2 of ESP [RFC4303] and Section 2.5 of AH [RFC4302]) thus [RFC4302]), thus making it impossible for the group receivers to
making it impossible for the group receivers to filter out replayed filter out replayed packets. However, if there is only one group
packets. However, if there is only one group sender for a Data- sender for a Data-Security SA, then it is possible to achieve replay
Security SA, then it is possible to achieve replay protection with protection with some restrictions (see Section 4.4.2.1.3). The GCKS
some restrictions (see Section 4.4.2.1.3). The GCKS MAY create MAY create several Data-Security SAs with the same traffic selectors
several Data-Security SAs with the same traffic selectors allowing allowing only a single group sender in each SA if it is desirable to
only a single group sender in each SA if it is desirable to get get replay protection with multiple (but still a limited number) of
replay protection with multiple (but still limited number) of group group senders.
senders.
IPsec architecture assumes that it is a local matter for an IPsec IPsec architecture assumes that whether anti-replay service is
receiver whether anti-replay service is enabled or not. In other enabled or not is a local matter for an IPsec receiver. In other
words, an IPsec sender always increments the Sequence Number field in words, an IPsec sender always increments the Sequence Number field in
the ESP/AH header and a receiver decides whether to check for the ESP/AH header and a receiver decides whether to check for
replayed packets or not. Since in some cases it is known that the replayed packets or not. Since it is known in some cases that the
replay protection is not possible (like in an SA with many group replay protection is not possible (like in an SA with many group
senders), a new transform ID "32-bit Unspecified Numbers" is defined senders), a new transform ID "32-bit Unspecified Numbers" is defined
for the Sequence Numbers (SN) transform type. Using this transform for the Sequence Numbers (SNs) transform type. Using this transform
ID the the GCKS can inform group members that the uniqueness of ID, the GCKS can inform group members that the uniqueness of sequence
sequence numbers for a given SA is not guaranteed. The decision numbers for a given SA is not guaranteed. The decision of whether to
whether to enable anti-replay service is still a local matter of a GM enable anti-replay service is still a local matter of a GM (in
(in accordance with IPsec architecture). accordance with IPsec architecture).
The GCKS MUST include the Sequence Numbers transform in the GSA The GCKS MUST include the Sequence Numbers transform in the GSA
payload for every Data-Security SA. See Section 4.4.2.1.3 for more payload for every Data-Security SA. See Section 4.4.2.1.3 for more
details. details.
When a Data-Security SA has a single sender, the GCKS MUST be When a Data-Security SA has a single sender, the GCKS MUST be
configured to rekey the SA frequently enough so that the 32-bit configured to rekey the SA frequently enough so that the 32-bit
sequence numbers do not wrap. sequence numbers do not wrap.
2.7. Encryption Transforms with Implicit IV 2.7. Encryption Transforms with Implicit IV
IKEv2 IANA registry for Encryption Algorithm Transform IDs The "Transform Type 1 - Encryption Algorithm Transform IDs" IANA
[IKEV2-IANA] defines several transforms with implicit IV. These registry [IKEV2-IANA] defines several transforms with implicit IV.
transforms rely on ESP Sequence Number for constructing IV (see These transforms rely on ESP Sequence Numbers for constructing IV
Implicit IV for Counter-Based Ciphers in ESP [RFC8750] for details). (see [RFC8750] for details). It requires anti-replay service to be
It requires anti-replay service to be enabled for an ESP SA using enabled for an ESP SA using these encryption transforms. Unless the
these encryption transforms. Unless the properties of sequence properties of sequence numbers for a multicast ESP SA include their
numbers for a multicast ESP SA include their uniqueness (see uniqueness (see Section 2.6), encryption transforms that rely on
Section 2.6), encryption transforms that rely on Sequence Number for Sequence Numbers for IV construction MUST NOT be used. In any case,
IV construction MUST NOT be used. In any case, such transforms MUST such transforms MUST NOT be used for any G-IKEv2 SA (both unicast and
NOT be used for any G-IKEv2 SA (both unicast and multicast). multicast).
3. Group Key Management and Access Control 3. Group Key Management and Access Control
Through the G-IKEv2 rekey, G-IKEv2 supports algorithms such as Through the G-IKEv2 rekey, G-IKEv2 supports algorithms such as
Logical Key Hierarchy (LKH) that have the property of denying access Logical Key Hierarchy (LKH) that have the property of denying access
to a new group key by a member removed from the group (forward access to a new group key by a member removed from the group (forward access
control) and to an old group key by a member added to the group control) and to an old group key by a member added to the group
(backward access control). This is unrelated to PFS (Perfect Forward (backward access control). This is unrelated to the Perfect Forward
Secrecy) property as defined in Section 2.12 of IKEv2 [RFC7296]. Secrecy (PFS) property as defined in Section 2.12 of [RFC7296].
Group management algorithms providing forward and backward access Group management algorithms providing forward and backward access
control other than LKH have been proposed in the literature, control other than LKH have been proposed in the literature,
including OFT [OFT] and Subset Difference [NNL]. These algorithms including OFT [OFT] and Subset Difference [NNL]. These algorithms
could be used with G-IKEv2, but are not specified as a part of this could be used with G-IKEv2 but are not specified as a part of this
document. document.
This specification assumes that all group keys, that are sent to the This specification assumes that all group keys, that are sent to the
GMs by the GCKS, are encrypted with some other keys, called Key Wrap GMs by the GCKS, are encrypted with some other keys, called Key Wrap
Keys (KWK). The Key Wrap Algorithm transform defines the algorithm Keys (KWKs). The Key Wrap Algorithm transform defines the algorithm
used for key wrapping in the context of an SA. used for key wrapping in the context of an SA.
3.1. Key Wrap Keys 3.1. Key Wrap Keys
Every GM always knows at least one KWK -- the KWK that is associated Every GM always knows at least one KWK -- the KWK that is associated
with the IKE SA or multicast Rekey SA over which wrapped keys are with the IKE SA or multicast Rekey SA over which wrapped keys are
sent. In this document it is called default KWK and is denoted as sent. In this document, it is called default KWK and is denoted as
GSK_w. "GSK_w".
For the purpose of forward access control the GCKS may provide each For the purpose of forward access control, the GCKS may provide each
GM with its personal KWK at the time of registration. Additionally, GM with its personal KWK at the time of registration. Additionally,
several intermediate KWKs that form a key hierarchy and are shared several intermediate KWKs that form a key hierarchy and are shared
among several GMs may be provided by the GCKS. among several GMs may be provided by the GCKS.
Each KWK is associated with a key wrap algorithm, specified in the Each KWK is associated with a key wrap algorithm specified in the Key
Key Wrap Algorithm transform. The size of these KWKs is determined Wrap Algorithm transform. The size of these KWKs is determined by
by the used key wrap algorithm, but it SHOULD NOT be less than the the key wrap algorithm used, but it SHOULD NOT be less than the size
size of the key for the Encryption Algorithm transform for the Rekey of the key for the Encryption Algorithm transform for the Rekey SA
SA and for all Data-Security SAs in the group (taking into and for all Data-Security SAs in the group (taking the Key Length
consideration the Key Length attribute if present). attribute into consideration if it is present).
3.1.1. Default Key Wrap Key 3.1.1. Default Key Wrap Key
The default KWK (GSK_w) is only used in the context of a single IKE The default KWK (GSK_w) is only used in the context of a single IKE
SA. Every IKE SA (unicast IKE SA or multicast Rekey SA) will have SA. Every IKE SA (unicast IKE SA or multicast Rekey SA) will have
its own GSK_w. its own GSK_w.
For the unicast IKE SA (used for the GM registration and for the For the unicast IKE SA (used for the GM registration and for the
GSA_INBAND_REKEY exchanges, if they are take place) the GSK_w is GSA_INBAND_REKEY exchanges, if they are take place), the GSK_w is
computed as follows: computed as follows:
GSK_w = prf+(SK_d, "Key Wrap for G-IKEv2") GSK_w = prf+(SK_d, "Key Wrap for G-IKEv2")
where the string "Key Wrap for G-IKEv2" is 20 ASCII characters where the string "Key Wrap for G-IKEv2" is 20 ASCII characters
without null termination. without null termination.
For the multicast Rekey SA the GSK_w is provided along with other SA For the multicast Rekey SA, the GSK_w is provided along with other SA
keys as defined in Section 3.4. keys as defined in Section 3.4.
3.2. GCKS Key Management Semantics 3.2. GCKS Key Management Semantics
Wrapped Key Download method allows the GCKS to employ various key The Wrapped Key Download method allows the GCKS to employ various key
management methods management methods.
* A simple key management methods -- when the GCKS always sends A simple key management method: The GCKS always sends group SA keys
group SA keys encrypted with the GSK_w. encrypted with the GSK_w.
* An LKH key management method -- when the GCKS provides each GM An LKH key management method: The GCKS provides each GM with an
with an individual key at the time of the GM registration individual key at the time of the GM registration (encrypted with
(encrypted with GSK_w). Then the GCKS forms an hierarchy of keys GSK_w). Then, the GCKS forms a hierarchy of keys so that the
so that the group SA keys are encrypted with other keys which are group SA keys are encrypted with other keys that are encrypted
encrypted with other keys and so on, tracing back to the keys for with other keys and so on, tracing back to the keys for each GM.
each GM.
Other key policies may also be employed by the GCKS. Other key policies may also be employed by the GCKS.
3.2.1. Forward Access Control Requirements 3.2.1. Forward Access Control Requirements
When group membership is altered using a group management algorithm When a group membership is altered using a group management
new Data-Security SAs and their associated keys are usually also algorithm, new Data-Security SAs and their associated keys are
needed. New Data-Security SAs and keys ensure that members who were usually also needed. New Data-Security SAs and keys ensure that
denied access can no longer participate in the group. members who were denied access can no longer participate in the
group.
If forward access control is a desired property of the group, new TEK If forward access control is a desired property of the group, a new
policy and the associated keys MUST NOT be included in a G-IKEv2 TEK policy and the associated keys MUST NOT be included in a G-IKEv2
rekey message which changes group membership. This is required rekey message, which changes group membership. This is required
because the GSA TEK policy and the associated keys are not protected because the GSA TEK policy and the associated keys are not protected
with the new KEK. A second G-IKEv2 rekey message can deliver the new with the new KEK. A second G-IKEv2 rekey message can deliver the new
GSA TEK policies and their associated keys because it will be GSA TEK policies and their associated keys because it will be
protected with the new KEK, and thus will not be visible to the protected with the new KEK and thus will not be visible to the
members who were denied access. members who were denied access.
If forward access control policy for the group includes keeping group If forward access control policy for the group includes keeping group
policy changes from members that are denied access to the group, then policy changes from members that are denied access to the group, then
two sequential G-IKEv2 rekey messages changing the group KEK MUST be two sequential G-IKEv2 rekey messages changing the group KEK MUST be
sent by the GCKS. The first G-IKEv2 rekey message creates a new KEK sent by the GCKS. The first G-IKEv2 rekey message creates a new KEK
for the group. Group members, which are denied access, will not be for the group. Group members, which are denied access, will not be
able to access the new KEK, but will see the group policy since the able to access the new KEK, but they will see the group policy since
G-IKEv2 rekey message is protected under the current KEK. A the G-IKEv2 rekey message is protected under the current KEK. A
subsequent G-IKEv2 rekey message containing the changed group policy subsequent G-IKEv2 rekey message containing the changed group policy
and again changing the KEK allows complete forward access control. A and again changing the KEK allows complete forward access control. A
G-IKEv2 rekey message MUST NOT change the policy without creating a G-IKEv2 rekey message MUST NOT change the policy without creating a
new KEK. new KEK.
If other methods of using LKH or other group management algorithms If other methods of using LKH or other group management algorithms
are added to G-IKEv2, those methods MAY remove the above restrictions are added to G-IKEv2, those methods MAY remove the above restrictions
requiring multiple G-IKEv2 rekey messages, providing those methods requiring multiple G-IKEv2 rekey messages, providing those methods
specify how the forward access control policy is maintained within a specify how the forward access control policy is maintained within a
single G-IKEv2 rekey message. single G-IKEv2 rekey message.
3.3. GM Key Management Semantics 3.3. GM Key Management Semantics
This specification defines a GM Key Management semantics in such a This specification defines GM Key Management semantics in such a way
way, that it doesn't depend on the key management method employed by that it doesn't depend on the key management method employed by the
the GCKS. This allows having all the complexity of key management in GCKS. This allows having all the complexity of key management in the
the GCKS, which is free to implement various key management methods, GCKS, which is free to implement various key management methods such
such as direct transmitting of group SA keys or using some kind of as direct transmitting of group SA keys or using some kind of key
key hierarchy (e.g. LKH). For all these policies the GM behavior is hierarchy (e.g., LKH). The GM behavior is the same for all of these
the same. policies.
All keys in G-IKEv2 are transmitted in encrypted form, as specified All keys in G-IKEv2 are transmitted in encrypted form as specified in
in Section 4.5.4. This format includes a 32-bit Key ID (ID of a key Section 4.5.4. This format includes a 32-bit Key ID (ID of a key
that is encrypted) and a 32-bit KWK ID (ID of a key that was used to that is encrypted) and a 32-bit KWK ID (ID of a key that was used to
encrypt this key). Keys may be encrypted either with default KWK encrypt this key). Keys may be encrypted either with a default KWK
(GSK_w) or with other keys, which the GM has received in the WRAP_KEY (GSK_w) or with other keys, which the GM has received in the WRAP_KEY
attributes. If a key was encrypted with GSK_w, then the KWK ID field attributes. If a key was encrypted with GSK_w, then the KWK ID field
is set to zero, otherwise the KWK ID field identifies the key used is set to zero. Otherwise, the KWK ID field identifies the key used
for encryption. Zero Key ID always identifies the key from which the for encryption. A zero Key ID always identifies the key from which
keys for protecting Data-Security SAs and Rekey SA are taken. the keys for protecting Data-Security SAs and Rekey SA are taken.
When a GM receives a message from the GCKS installing new Data- When a GM receives a message from the GCKS installing the new Data-
Security or Rekey SA, it will contain a KD payload with an SA_KEY Security or Rekey SA, it will contain a KD payload with an SA_KEY
attribute containing keying material for this SA. For a Data- attribute containing keying material for this SA. For a Data-
Security SA exactly one SA_KEY attribute will be present with both Security SA, exactly one SA_KEY attribute will be present with both
Key ID and KWK ID fields set to zero. This means that the default Key ID and KWK ID fields set to zero. This means that the default
KWK (GSK_w) should be used to extract this keying material. KWK (GSK_w) should be used to extract this keying material.
For a multicast Rekey SA multiple SA_KEY attributes may be present For a multicast Rekey SA, multiple SA_KEY attributes may be present
depending on the key management method employed by the GCKS. If depending on the key management method employed by the GCKS. If
multiple SA_KEY attributes are present then all of them MUST contain multiple SA_KEY attributes are present, then all of them MUST contain
the same keying material encrypted using different KWKs. The GM in the same keying material encrypted using different KWKs. The GM in
general is unaware of the key management method used by the GCKS and general is unaware of the key management method used by the GCKS and
can always use the same procedure to get the keys. The GM tries to can always use the same procedure to get the keys. The GM tries to
decrypt at least one of the SA_KEY attributes using either the GSK_w decrypt at least one of the SA_KEY attributes using either the GSK_w
or the keys from the WRAP_KEY attributes that are present in the same or the keys from the WRAP_KEY attributes that are present in the same
message or were receives in previous messages. message or were received in previous messages.
We will use the term "Key Path" to describe an ordered sequence of We will use the term "Key Path" to describe an ordered sequence of
keys where each subsequent key was used to encrypt the previous one. keys where each subsequent key was used to encrypt the previous one.
The GM keeps its own Key Path (called Working Key Path) in the memory The GM keeps its own Key Path (called Working Key Path) in the memory
associated with each group it is registered to and updates it when associated with each group it is registered to and updates it when
needed. When the GSA_REKEY message is received the GM processes the needed. When the GSA_REKEY message is received, the GM processes the
received SA_KEY attributes one by one trying to construct a new key received SA_KEY attributes one by one and tries to construct a new
path that starts from one of these attributes and ends with any key key path that starts from one of these attributes and ends with any
in the Working Key Path or with the default KWK (GSK_w). key in the Working Key Path or with the default KWK (GSK_w).
In the simplest case the SA_KEY attribute is encrypted with GSK_w so In the simplest case, the SA_KEY attribute is encrypted with GSK_w so
that the new Key Path is empty. If more complex key management that the new Key Path is empty. If more complex key management
methods are used then a Key Path will contain intermediate keys from methods are used, then a Key Path will contain intermediate keys from
the WRAP_KEY attributes received by a GM so far starting from its the WRAP_KEY attributes received by a GM so far, starting from its
registration to the group. If the GM is able to construct a new Key registration to the group. If the GM is able to construct a new Key
Path using intermediate keys it has, then it is able to decrypt the Path using intermediate keys it has, then it is able to decrypt the
SA_KEY attribute and use its content to form new SA keys. If it is SA_KEY attribute and use its content to form new SA keys. If it is
unable to build a new Key Path, then in means that the GM is excluded unable to build a new Key Path, then it means that the GM is excluded
from the group. from the group.
Depending on the new Key Path the GM should do the following actions Depending on the new Key Path, the GM should do the following actions
to be prepared for future key updates: to be prepared for future key updates:
* If the new Key Path is empty then no actions are needed. This may * If the new Key Path is empty, then no actions are needed. This
happen if no WRAP_KEY attributes from the received message were may happen if no WRAP_KEY attributes from the received message
used. were used.
* If the new Key Path is non-empty and it ends with the default KWK * If the new Key Path is non-empty and it ends with the default KWK
(GSK_w), then the whole new Key Path is stored by the GM as the (GSK_w), then the whole new Key Path is stored by the GM as the
GM's Working Key Path. This situation may only happen at the time GM's Working Key Path. This situation may only happen at the time
the GM is registering to the group, when the GCKS is providing it the GM is registering to the group, when the GCKS is providing the
with its personal key and the other keys from the key tree that GM with its personal key and the other keys from the key tree that
are needed for this GM. These keys form an initial Working Key are needed. These keys form an initial Working Key Path for this
Path for this GM. GM.
* In all other cases the new Key Path will end at some intermediate * In all other cases, the new Key Path will end at some intermediate
key from the GM's current Working Key Path. In this case the new key from the GM's current Working Key Path. In this case, the new
Key Path is constructed by replacing a part of the GM's current Key Path is constructed by replacing a part of the GM's current
Working Key Path from the beginning and up to (but not including) Working Key Path from the beginning and up to (but not including)
the key that the GM has used to decrypt the last key in the new the key that the GM has used to decrypt the last key in the new
Key Path. Key Path.
Appendix A contains an example of how this algorithm works in case of Appendix A contains an example of how this algorithm works in case of
LKH key management method. LKH key management method.
3.4. SA Keys 3.4. SA Keys
The keys that are used for Data-Security SAs or Rekey SA (called here The keys that are used for Data-Security SAs or a Rekey SA (called SA
SA keys) are downloaded to GMs in the form of keying material from keys here) are downloaded to GMs in the form of keying material from
which, according to policy, a set of keys are deterministically which, according to policy, a set of keys are deterministically
extracted. extracted.
For a Data-Security SA the keys are taken in accordance to the third For a Data-Security SA, the keys are taken in accordance to the third
bullet from Section 2.17 of [RFC7296]. In particular, for the ESP bullet from Section 2.17 of [RFC7296]. In particular, for the ESP
and AH SAs the encryption key (if any) MUST be taken from the and AH SAs, the encryption key (if any) MUST be taken from the
leftmost bits of the keying material and the integrity key (if any) leftmost bits of the keying material and the integrity key (if any)
MUST be taken from the remaining bits. MUST be taken from the remaining bits.
For a Rekey SA the following keys are taken from the keying material: For a Rekey SA, the following keys are taken from the keying
material:
GSK_e | GSK_a | GSK_w = KEYMAT GSK_e | GSK_a | GSK_w = KEYMAT
Figure 15
where GSK_e and GSK_a are the keys used for the Encryption Algorithm where GSK_e and GSK_a are the keys used for the Encryption Algorithm
and the Integrity Algorithm transforms for the corresponding SA and and the Integrity Algorithm transforms for the corresponding SA and
GSK_w is a default KWK for this SA. Note, that GSK_w is used with GSK_w is a default KWK for this SA. Note that GSK_w is used with the
the key wrap algorithm specified in the Key Wrap Algorithm transform. key wrap algorithm specified in the Key Wrap Algorithm transform. If
If an AEAD algorithm is used for encryption, then GSK_a key will not an AEAD algorithm is used for encryption, then the GSK_a key will not
be used (GM can use the formula above assuming the length of GSK_a is be used (GM can use the formula above assuming the length of GSK_a is
zero). zero).
4. Header and Payload Formats 4. Header and Payload Formats
The G-IKEv2 is an IKEv2 extension and thus inherits its wire format The G-IKEv2 is an IKEv2 extension and thus inherits its wire format
for data structures. However, the processing of some payloads are for data structures. However, the processing of some payloads are
different. Several new payloads are defined: Group Identification different. Several new payloads are defined: Group Identification
(IDg, Section 4.2), Security Association - GM Supported Transforms (IDg) (Section 4.2), Security Association - GM Supported Transforms
(SAg, Section 4.3), Group Security Association (GSA, Section 4.4), (SAg) (Section 4.3), Group Security Association (GSA) (Section 4.4),
and Key Download (KD, Section 4.5). G-IKEv2 header (Section 4.1), and Key Download (KD) (Section 4.5). The G-IKEv2 header
IDg payload and SAg payload reuse IKEv2 format for the IKEv2 header, (Section 4.1), IDg payload, and SAg payload reuse the IKEv2 format
IDi/IDr payloads and SA payload respectively. New exchange types for the IKEv2 header, IDi/IDr payloads, and SA payload, respectively.
GSA_AUTH, GSA_REGISTRATION, GSA_REKEY and GSA_INBAND_REKEY are also New exchange types GSA_AUTH, GSA_REGISTRATION, GSA_REKEY, and
added. GSA_INBAND_REKEY are also added.
This section describes new payloads and the differences in processing This section describes new payloads and the differences in the
of existing IKEv2 payloads. processing of existing IKEv2 payloads.
4.1. G-IKEv2 Header 4.1. G-IKEv2 Header
G-IKEv2 uses the same IKE header format as specified in [RFC7296] G-IKEv2 uses the same IKE header format as specified in Section 3.1
section 3.1. Major Version is 2 and Minor Version is 0 as in IKEv2. of [RFC7296]. The Major Version is 2 and the Minor Version is 0, as
IKE SA Initiator's SPI, IKE SA Responder's SPI, Flags, Message ID, in IKEv2. IKE SA Initiator's SPI, IKE SA Responder's SPI, Flags,
and Length are as specified in [RFC7296]. Message ID, and Length are as specified in [RFC7296].
4.2. Group Identification Payload 4.2. Group Identification Payload
The Group Identification (IDg) payload allows the group member to The Group Identification (IDg) payload allows the group member to
indicate which group it wants to join. The payload is constructed by indicate which group it wants to join. The payload is constructed by
using the IKEv2 Identification Payload (section 3.5 of [RFC7296]). using the IKEv2 Identification Payload (Section 3.5 of [RFC7296]).
ID type ID_KEY_ID MUST be supported. ID types ID_IPV4_ADDR, ID_FQDN, ID type ID_KEY_ID MUST be supported. ID types ID_IPV4_ADDR, ID_FQDN,
ID_RFC822_ADDR, ID_IPV6_ADDR SHOULD be supported. ID types ID_RFC822_ADDR, and ID_IPV6_ADDR SHOULD be supported. ID types
ID_DER_ASN1_DN and ID_DER_ASN1_GN are not expected to be used. The ID_DER_ASN1_DN and ID_DER_ASN1_GN are not expected to be used. The
Payload Type for the Group Identification payload is fifty (50). Payload Type for the IDg payload is fifty (50).
4.3. Security Association - GM Supported Transforms Payload 4.3. Security Association - GM Supported Transforms Payload
The Security Association - GM Supported Transforms Payload (SAg) The Security Association - GM Supported Transforms (SAg) payload
payload declares which Transforms a GM is willing to accept. The declares which Transforms a GM is willing to accept. The payload is
payload is constructed using the format of the IKEv2 Security constructed using the format of the IKEv2 Security Association
Association payload (section 3.3 of [RFC7296]). The Payload Type for payload (Section 3.3 of [RFC7296]). The Payload Type for SAg
SAg payloads is thirty-three (33), which is identical to the SA payloads is thirty-three (33), which is identical to the SA Payload
Payload Type. Type.
4.4. Group Security Association Payload 4.4. Group Security Association Payload
The Group Security Association (GSA) payload is used by the GCKS to The GSA payload is used by the GCKS to assert security attributes for
assert security attributes for both Rekey SA and Data-Security SAs. both Rekey and Data-Security SAs. The Payload Type for the GSA
The Payload Type for the Group Security Association payload is fifty- payload is fifty-one (51).
one (51).
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Payload |C| RESERVED | Payload Length | | Next Payload |C| RESERVED | Payload Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
~ <Group Policies> ~ ~ <Group Policies> ~
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 14: GSA Payload Format Figure 16: GSA Payload Format
The Security Association Payload fields are defined as follows: The Security Association payload fields are defined as follows:
* Next Payload, C, RESERVED, Payload Length fields comprise the Next Payload, C, RESERVED, and Payload Length fields:
IKEv2 Generic Payload Header and are defined in Section 3.2. of Comprise the IKEv2 Generic Payload Header and are defined in
[RFC7296]. Section 3.2 of [RFC7296].
* Group Policies (variable) -- A set of group policies for the Group Policies (variable):
group. A set of group policies for the group.
4.4.1. Group Policies 4.4.1. Group Policies
Group policies are comprised of two types of policy -- Group SA (GSA) Group policies are comprised of two types: Group SA (GSA) policy and
policy and Group-wide (GW) policy. GSA policy defines parameters for Group-wide (GW) policy. GSA policy defines parameters for the
the Security Association for the group. Depending on the employed Security Association of the group. Depending on the employed
security protocol GSA policies may further be classified as Rekey SA security protocol, GSA policies may further be classified as Rekey SA
policy (GSA KEK) and Data-Security SA policy (GSA TEK). GSA payload policy (GSA KEK) and Data-Security SA policy (GSA TEK). GSA payload
may contain zero or one GSA KEK policy, zero or more GSA TEK may contain zero or one GSA KEK policy, zero or more GSA TEK
policies, and zero or one GW policy, where either one GSA KEK or GSA policies, and zero or one GW policy, where either one GSA KEK or one
TEK policy MUST be present. GSA TEK policy MUST be present.
This latitude allows various group policies to be accommodated. For This latitude allows various group policies to be accommodated. For
example if the group policy does not require the use of a Rekey SA, example, if the group policy does not require the use of a Rekey SA,
the GCKS would not need to send a GSA KEK policy to the group member the GCKS would not need to send a GSA KEK policy to the group member
since all SA updates would be performed using the GSA_INBAND_REKEY since all SA updates would be performed using the GSA_INBAND_REKEY
exchange via the unicast IKE SA. Alternatively, group policy might exchange via the unicast IKE SA. Alternatively, group policy might
use a Rekey SA but choose to download a KEK to the group member only use a Rekey SA but choose to download a KEK to the group member only
as part of the unicast IKE SA. Therefore, the GSA KEK policy would as part of the unicast IKE SA. Therefore, the GSA KEK policy would
not be necessary as part of the GSA_REKEY message. not be necessary as part of the GSA_REKEY message.
Specifying multiple GSA TEKs allows multiple related data streams Specifying multiple GSA TEKs allows multiple related data streams
(e.g., video, audio, and text) to be associated with a session, but (e.g., video, audio, and text) to be associated with a session, but
each protected with an individual security association policy. each are protected with an individual security association policy.
A GW policy allows for the distribution of group-wide policy, such as A GW policy allows for the distribution of group-wide policy, such as
instructions for when to activate and de-activate SAs. instructions for when to activate and deactivate SAs.
Policies are distributed in substructures to the GSA payload. The Policies are distributed in substructures to the GSA payload. The
format of the substructures is defined below in Section 4.4.2 (for format of the substructures is defined in Section 4.4.2 (for GSA
GSA policy) and in Section 4.4.3 (for GW policy). The first octet of policy) and in Section 4.4.3 (for GW policy). The first octet of the
the substructure unambiguously determines its type -- it is zero for substructure unambiguously determines its type; it is zero for GW
GW policy and non-zero (actually, it is a security protocol ID) for policy and non-zero (actually, it is a security Protocol ID) for GSA
GSA policies. policies.
4.4.2. Group Security Association Policy Substructure 4.4.2. Group Security Association Policy Substructure
The GSA policy substructure contains parameters for the SA used with The GSA policy substructure contains parameters for the SA that are
this group. Depending on the security protocol the SA is either a used with this group. Depending on the security protocol, the SA is
Rekey SA or a Data-Security SA (ESP and AH). The GCKS MUST NOT either a Rekey SA or a Data-Security SA (ESP and AH). The GCKS MUST
distribute both ESP and AH policies for the same set of Traffic NOT distribute both ESP and AH policies for the same set of Traffic
Selectors. Selectors.
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Protocol | SPI Size | Length | | Protocol | SPI Size | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
~ SPI ~ ~ SPI ~
| | | |
skipping to change at page 39, line 4 skipping to change at line 1695
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
~ <GSA Transforms> ~ ~ <GSA Transforms> ~
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
~ <GSA Attributes> ~ ~ <GSA Attributes> ~
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 15: GSA Policy Substructure Format
Figure 17: GSA Policy Substructure Format
The GSA policy fields are defined as follows: The GSA policy fields are defined as follows:
* Protocol (1 octet) -- Identifies the security protocol for this Protocol (1 octet):
group SA. The values are defined in the IKEv2 Security Protocol Identifies the security protocol for this group SA. The values
Identifiers in [IKEV2-IANA]. The valid values for this field are: are defined in the "IKEv2 Security Protocol Identifiers" registry
<TBA> (GIKE_UPDATE) for Rekey SA and 2 (AH) or 3 (ESP) for Data- in [IKEV2-IANA]. The valid values for this field are 6
Security SAs. (GIKE_UPDATE) for Rekey SA and 2 (AH) or 3 (ESP) for Data-Security
SAs.
* SPI Size (1 octet) -- Size of Security Parameter Index (SPI) for SPI Size (1 octet):
the SA. SPI size depends on the SA protocol. For GIKE_UPDATE it Size of the SPI for the SA. SPI size depends on the SA protocol.
is 16 octets, while for AH and ESP it is 4 octets. It is 16 octets for GIKE_UPDATE and 4 octets for AH and ESP.
* Length (2 octets, unsigned integer) -- Length of this substructure Length (2 octets, unsigned integer):
including the header. Length of this substructure including the header.
* SPI (variable) -- Security Parameter Index for the group SA. The SPI (variable):
size of this field is determined by the SPI Size field. As Security Parameter Index for the group SA. The size of this field
described above, these SPIs are assigned by the GCKS. In case of is determined by the SPI Size field. As described above, these
GIKE_UPDATE the SPI is the IKEv2 Header SPI pair where the first 8 SPIs are assigned by the GCKS. In the case of GIKE_UPDATE, the
octets become the "IKE SA Initiator's SPI" field in the G-IKEv2 SPI is the IKEv2 Header SPI pair where the first 8 octets become
rekey message IKEv2 HDR, and the second 8 octets become the "IKE the "IKE SA Initiator's SPI" field in the G-IKEv2 rekey message
SA Responder's SPI" in the same HDR. IKEv2 HDR, and the second 8 octets become the "IKE SA Responder's
SPI" in the same HDR.
* Source & Destination Traffic Selectors (variable) -- Substructures Source & Destination Traffic Selectors (variable):
describing the source and destination of the network identities. Substructures describing the source and destination of the network
The format for these substructures is defined in IKEv2 [RFC7296], identities. The format for these substructures is defined in
Section 3.13.1. IKEv2 (Section 3.13.1 of [RFC7296]).
For the Rekey SA (with the GIKE_UPDATE protocol) the destination For the Rekey SA (with the GIKE_UPDATE protocol), the destination
traffic selectors MUST define a single multicast IP address, an IP traffic selectors MUST define a single multicast IP address, an IP
protocol (assumed to be UDP) and a single port the GSA_REKEY protocol (assumed to be UDP), and a single port the GSA_REKEY
messages will be destined to. The source traffic selector in this messages will be destined to. In this case, the source traffic
case SHOULD define a single IP address, an IP protocol (assumed to selector SHOULD define a single IP address, an IP protocol
be UDP) and a single port the GSA_REKEY messages will be (assumed to be UDP), and a single port the GSA_REKEY messages will
originated from. The source traffic selector MAY define wildcard be originated from. The source traffic selector MAY define a
IP address and/or wildcard port. For the Data-Security (AH and wildcard IP address and/or wildcard port. For the Data-Security
ESP) SAs the destination traffic selectors will usually define a (AH and ESP) SAs, the destination traffic selectors will usually
single multicast IP address. The source traffic selector in this define a single multicast IP address. The source traffic selector
case will usually define a single IP address or be a wildcard in this case will usually define a single IP address or be a
selector. IP protocol and ports define the characteristics of wildcard selector. An IP protocol and ports define the
traffic protected by this Data-Security SA. characteristics of traffic protected by this Data-Security SA.
If the Data-Security SAs are created in tunnel mode, then it MUST If the Data-Security SAs are created in tunnel mode, then it MUST
be tunnel mode with address preservation (see Multicast Extensions be tunnel mode with address preservation (see Multicast Extensions
to the Security Architecture [RFC5374]. UDP encapsulation of ESP to the Security Architecture [RFC5374]. UDP encapsulation of ESP
packets [RFC3948] cannot be specified in G-IKEv2 and thus it is packets [RFC3948] cannot be specified in G-IKEv2 and thus is not
not used for the multicast Data-Security SAs. used for the multicast Data-Security SAs.
* GSA Transforms (variable) -- A list of Transform Substructures GSA Transforms (variable):
specifies the policy information for the SA. The format is A list of Transform Substructures specifies the policy information
defined in IKEv2 [RFC7296], section 3.3.2. The "Last Substruc" for the SA. The format is defined in IKEv2 (Section 3.3.2 of
field in each Transform Substructure is set to 3 except for the [RFC7296]). The "Last Substruc" field in each Transform
last Transform Substructure, where it is set to 0. Substructure is set to 3 except for the last Transform
Section 4.4.2.1 describes using IKEv2 transforms in GSA policy Substructure, where it is set to 0. Section 4.4.2.1 describes
substructure. using IKEv2 transforms in GSA policy substructure.
* GSA Attributes (variable) -- Contains policy attributes associated GSA Attributes (variable):
with the group SA. The following sections describe the possible Contains policy attributes associated with the group SA. The
attributes. Any or all attributes may be optional, depending on following sections describe the possible attributes. Any or all
the protocol and the group policy. Section 4.4.2.2 defines attributes may be optional, depending on the protocol and the
attributes used in GSA policy substructure. group policy. Section 4.4.2.2 defines attributes used in GSA
policy substructure.
4.4.2.1. GSA Transforms 4.4.2.1. GSA Transforms
GSA policy is defined by means of transforms in the GSA policy GSA policy is defined by the means of transforms in the GSA policy
substructure. For this purpose the transforms defined in [RFC7296] substructure. For this purpose, the transforms defined in [RFC7296]
are used. In addition, new transform types are defined for using in are used. In addition, new transform types are defined for use in
G-IKEv2: Group Controller Authentication Method (GCAUTH) and Key Wrap G-IKEv2: Group Controller Authentication Method (GCAUTH) and Key Wrap
Algorithm (KWA), see Section 9. Algorithm (KWA); see Section 9.
Valid transform types depend on the SA protocol and are summarized in Valid transform types depend on the SA protocol and are summarized in
the table below. Exactly one instance of each mandatory transform the table below. Exactly one instance of each mandatory transform
type and at most one instance of each optional transform type MUST be type and at most one instance of each optional transform type MUST be
present in the GSA policy substructure. present in the GSA policy substructure.
Protocol Mandatory Types Optional Types +=============+=============================+================+
---------------------------------------------------------------- | Protocol | Mandatory Types | Optional Types |
GIKE_UPDATE ENCR, INTEG*, GCAUTH**, KWA +=============+=============================+================+
ESP ENCR, SN INTEG | GIKE_UPDATE | ENCR, INTEG*, GCAUTH**, KWA | |
AH INTEG, SN +-------------+-----------------------------+----------------+
| ESP | ENCR, SN | INTEG |
+-------------+-----------------------------+----------------+
| AH | INTEG, SN | |
+-------------+-----------------------------+----------------+
Figure 16: Valid Transform Types Table 2: Valid Transform Types
(*) If AEAD encryption algorithm is used, then INTEG transform either Notes:
MUST NOT be specified or MUST contain value NONE; otherwise it MUST
be specified and MUST contain value other than NONE.
(**) May only appear at the time of a GM registration, (in the (*): If the AEAD encryption algorithm is used, then INTEG transform
GSA_AUTH and GSA_REGISTRATION exchanges). either MUST NOT be specified or MUST contain value NONE;
otherwise, it MUST be specified and MUST contain a value other
than NONE.
(**): May only appear at the time of a GM registration (in the
GSA_AUTH and GSA_REGISTRATION exchanges).
4.4.2.1.1. Group Controller Authentication Method Transform 4.4.2.1.1. Group Controller Authentication Method Transform
The Group Controller Authentication Method (GCAUTH) transform is used The Group Controller Authentication Method (GCAUTH) transform is used
to convey information of how the GCKS will authenticate the GSA_REKEY to convey information on how the GCKS will authenticate the GSA_REKEY
messages. messages.
This document creates a new IKEv2 IANA registry for transform IDs for This document creates a new IKEv2 IANA registry for transform IDs of
this transform type, which is initially filled as described in this transform type, which has been initially populated as described
Section 9. In particular, the following entries are initially added. in Section 9. In particular, the following entries have been added:
Group Controller Authentication Method Value +========================================+=======+
------------------------------------------------- | Group Controller Authentication Method | Value |
Reserved 0 +========================================+=======+
Implicit 1 | Reserved | 0 |
Digital Signature 2 +----------------------------------------+-------+
| Implicit | 1 |
+----------------------------------------+-------+
| Digital Signature | 2 |
+----------------------------------------+-------+
These transform IDs are defined as follows. Table 3
* Implicit -- means that no authentication of the GSA_REKEY messages These transform IDs are defined as follows:
will be provided by the GCKS besides the ability for the GMs to
correctly decrypt them and verify their ICV. In this case the
GCKS MUST NOT include the AUTH_KEY attribute into the KD payload.
Additionally, the AUTH payload MUST NOT be included in the
GIKE_UPDATE messages.
* Digital Signature -- means that digital signatures will be used by Implicit:
the GCKS to authenticate the GSA_REKEY messages. In this case the No authentication of the GSA_REKEY messages will be provided by
GCKS MUST include the AUTH_KEY attribute containing the public key the GCKS besides the ability for the GMs to correctly decrypt them
into the KD payload at the time the GM is registered to the group. and verify their ICV. In this case, the GCKS MUST NOT include the
To specify the details of the signature algorithm a new attribute AUTH_KEY attribute into the KD payload. Additionally, the AUTH
Signature Algorithm Identifier (<TBA by IANA>) is defined. This payload MUST NOT be included in the GIKE_UPDATE messages.
attribute contains DER-encoded ASN.1 object AlgorithmIdentifier,
which specifies the signature algorithm and the hash function that
the GCKS will use for authentication. The AlgorithmIdentifier
object is defined in Section 4.1.1.2 of Internet X.509 Public Key
Infrastructure Certificate and CRL Profile [RFC5280], see also
Signature Authentication in IKEv2 [RFC7427] for the list of common
AlgorithmIdentifier values used in IKEv2.
In case of the Digital Signature transform ID, the GCKS MUST Digital Signature
Digital signatures will be used by the GCKS to authenticate the
GSA_REKEY messages. In this case, the GCKS MUST include the
AUTH_KEY attribute containing the public key into the KD payload
at the time the GM is registered to the group. To specify the
details of the signature algorithm, a new attribute Signature
Algorithm Identifier (value 18) is defined. This attribute
contains DER-encoded ASN.1 object AlgorithmIdentifier, which
specifies the signature algorithm and the hash function that the
GCKS will use for authentication. The AlgorithmIdentifier object
is defined in Section 4.1.1.2 of [RFC5280]. Also, see [RFC7427]
for the list of common AlgorithmIdentifier values used in IKEv2.
In the case of the Digital Signature transform ID, the GCKS MUST
include the Signature Algorithm Identifier attribute in the Group include the Signature Algorithm Identifier attribute in the Group
Controller Authentication Method transform. In this case the AUTH Controller Authentication Method transform. In this case, the
payload in the GIKE_UPDATE messages MUST contain the Digital AUTH payload in the GIKE_UPDATE messages MUST contain the Digital
Signature authentication method (value 14) and is formatted as Signature authentication method (value 14) and be formatted as
defined in Section 3 of [RFC7427]. The AlgorithmIdentifier ASN.1 defined in Section 3 of [RFC7427]. The AlgorithmIdentifier ASN.1
object in the AUTH payload MUST match the content of the Signature object in the AUTH payload MUST match the content of the Signature
Algorithm Identifier attribute in the Group Controller Algorithm Identifier attribute in the Group Controller
Authentication Method transform. The Signature Algorithm Authentication Method transform. The Signature Algorithm
Identifier attribute is only meaningful for the Digital Signature Identifier attribute is only meaningful for the Digital Signature
transform ID and MUST NOT be used with other transform IDs. transform ID and MUST NOT be used with other transform IDs.
More authentication methods may be defined in future. More authentication methods may be defined in the future.
The authentication method MUST NOT change as a result of rekey The authentication method MUST NOT change as a result of rekey
operations. This means that the Group Controller Authentication operations. This means that the Group Controller Authentication
Method transform MUST NOT appear in the rekey messages, it may only Method transform MUST NOT appear in the rekey messages; it may only
appear in the registration exchange (either GSA_AUTH or appear in the registration exchange (either GSA_AUTH or
GSA_REGISTRATION). GSA_REGISTRATION).
The type of the Group Controller Authentication Method Transform is The type of the Group Controller Authentication Method transform is
<TBA by IANA>. 14.
4.4.2.1.2. Key Wrap Algorithm Transform 4.4.2.1.2. Key Wrap Algorithm Transform
The Key Wrap Algorithm (KWA) transform is used to convey information The Key Wrap Algorithm (KWA) transform is used to convey information
about an algorithm, that is used for key wrapping in G-IKEv2. See about an algorithm that is used for key wrapping in G-IKEv2. See
Section 4.5.4 for details. Section 4.5.4 for details.
This document creates a new IKEv2 IANA registry for the key wrap This document creates a new IKEv2 IANA registry for the key wrap
algorithms which is initially filled as described in Section 9. In algorithms, which has been initially populated as described in
particular, the following entries are initially added. Section 9. In particular, the following entries have been added:
Key Wrap Algorithm Value +====================+=======+
------------------------------------- | Key Wrap Algorithm | Value |
Reserved 0 +====================+=======+
KW_5649_128 1 | Reserved | 0 |
KW_5649_192 2 +--------------------+-------+
KW_5649_256 3 | KW_5649_128 | 1 |
KW_ARX 4 +--------------------+-------+
| KW_5649_192 | 2 |
+--------------------+-------+
| KW_5649_256 | 3 |
+--------------------+-------+
| KW_ARX | 4 |
+--------------------+-------+
These algorithms are defined as follows. Table 4
* KW_5649_128, KW_5649_192, KW_5649_256 -- Key wrap algorithm These algorithms are defined as follows:
defined in [RFC5649] with 128-bit, 192-bit and 256-bit key
respectively. This key wrap algorithm is designed for use with
AES block cipher.
* KW_ARX -- The ARX-KW-8-2-4-GX key wrap algorithm defined in KW_5649_128, KW_5649_192, KW_5649_256:
[ARX-KW]. This key wrap algorithm is designed for use with The key wrap algorithm defined in [RFC5649] with a 128-bit,
Chacha20 stream cipher. 192-bit, and 256-bit key, respectively. This key wrap algorithm
is designed for use with AES block cipher.
More key wrap algorithms may be defined in future. The requirement KW_ARX:
is that these algorithms MUST be able to wrap key material of size up The ARX-KW-8-2-4-GX key wrap algorithm defined in [ARX-KW]. This
to 256 bytes. key wrap algorithm is designed for use with Chacha20 stream
cipher.
The type of the Key Wrap Algorithm transform is <TBA by IANA>. More key wrap algorithms may be defined in the future. The
requirement is that these algorithms MUST be able to wrap key
material of size up to 256 bytes.
The type of the Key Wrap Algorithm transform is 13.
4.4.2.1.3. Sequence Numbers Transform 4.4.2.1.3. Sequence Numbers Transform
The "Sequence Numbers (SN)" transform type is defined in The Sequence Numbers (SNs) transform type is defined in [RFC9827].
[I-D.ietf-ipsecme-ikev2-rename-esn]. This transform describes the This transform describes the properties of sequence numbers of IPsec
properties of sequence numbers of IPsec packets. There are currently packets. There are currently two transform IDs defined for this
two transform IDs defined for this transform type: "32-bit Sequential transform type: "32-bit Sequential Numbers" and "Partially
Numbers" and "Partially Transmitted 64-bit Sequential Numbers" that Transmitted 64-bit Sequential Numbers" that correspond to non-ESN and
correspond to non-ESN and ESN cases from AH [RFC4302] and ESP ESN cases from AH [RFC4302] and ESP [RFC4303] specifications.
[RFC4303] specifications.
Transform ID "32-bit Sequential Numbers" SHOULD be used by the GCKS Transform ID "32-bit Sequential Numbers" SHOULD be used by the GCKS
for single-sender multicast Data-Security SAs utilizing protocols ESP for single-sender multicast Data-Security SAs utilizing protocols ESP
or AH. or AH.
Since both AH [RFC4302] and ESP [RFC4303] are defined in such a way, Since both AH [RFC4302] and ESP [RFC4303] are defined in such a way
that high-order 32 bits of extended sequence numbers are never that high-order 32 bits of extended sequence numbers are never
transmitted, it makes using ESN in multicast Data-Security SAs transmitted, it makes using ESN in multicast Data-Security SAs
problematic, because GMs that join group long after it is created problematic because GMs that join the group long after it is created
will have to somehow learn the current high order 32 bits of ESN for will have to somehow learn the current high-order 32 bits of ESN for
each sender in the group. The algorithm for doing this described in each sender in the group. The algorithm for doing this described in
AH [RFC4302] and ESP [RFC4303] is resource-consuming and is only AH [RFC4302] and ESP [RFC4303] is resource-consuming and is only
suitable when a receiver is able to guess the high-order 32 bits suitable when a receiver is able to guess the high-order 32 bits
close enough to its real value, which is not the case for multicast close enough to its real value, which is not the case for multicast
SAs. For this reason the "Partially Transmitted 64-bit Sequential SAs. For this reason, the "Partially Transmitted 64-bit Sequential
Numbers" transform ID MUST NOT be used for multicast Data-Security Numbers" transform ID MUST NOT be used for multicast Data-Security
SAs utilizing protocols ESP or AH. SAs utilizing protocols ESP or AH.
This document defines a new transform ID "32-bit Unspecified Numbers" This document defines a new transform ID for this transform type:
(<TBA by IANA>) for this transform type. This transform ID defines 32-bit Unspecified Numbers (2). This transform ID defines the
the following properties. Sequence numbers are 32-bit in size and following properties. Sequence numbers are 32 bits in size and are
are transmitted in the Sequence Number field of AH and ESP packets. transmitted in the Sequence Number field of AH and ESP packets. The
The value of sequence numbers is not guaranteed to be unique for the value of sequence numbers is not guaranteed to be unique for the
duration of an SA, thus they are not suitable for replay protection. duration of an SA, thus they are not suitable for replay protection.
This transform ID MUST be used by the GCKS in case of multi-sender This transform ID MUST be used by the GCKS in case of multi-sender
multicast Data-Security SAs utilizing protocols ESP or AH to inform multicast Data-Security SAs utilizing protocols ESP or AH to inform
the GMs that the replay protection is not expected to be possible. the GMs that the replay protection is not expected to be possible.
The GCKS MAY also use this transform ID for single-sender multicast The GCKS MAY also use this transform ID for single-sender multicast
Data-Security SAs if replay protection is not needed (e.g. it is done Data-Security SAs if replay protection is not needed (e.g., it is
on application level). done on the application level).
4.4.2.2. GSA Attributes 4.4.2.2. GSA Attributes
GSA attributes are generally used to provide GMs with additional GSA attributes are generally used to provide GMs with additional
parameters for the GSA policy. Unlike security parameters parameters for the GSA policy. Unlike security parameters
distributed via transforms, which are expected not to change over distributed via transforms, which are expected not to change over
time (unless policy changes), the parameters distributed via GSA time (unless the policy changes), the parameters distributed via GSA
attributes may depend on the time the provision takes place, on the attributes may depend on the time the provision takes place, on the
existence of others group SAs or on other conditions. existence of others group SAs, or on other conditions.
This document creates a new IKEv2 IANA registry for the types of the This document creates a new IKEv2 IANA registry for the types of GSA
GSA attributes which is initially filled as described in Section 9. attributes, which has been initially populated as described in
In particular, the following attributes are initially added. Section 9. In particular, the following attributes have been added:
GSA Attributes Value Format Multi-Valued Used in Protocol +========================+=====+======+============+==============+
--------------------------------------------------------------------- | GSA Attributes |Value|Format|Multi-Valued| Used in |
Reserved 0 | | | | | Protocol |
GSA_KEY_LIFETIME 1 TLV NO GIKE_UPDATE, AH, ESP +========================+=====+======+============+==============+
GSA_INITIAL_MESSAGE_ID 2 TLV NO GIKE_UPDATE | Reserved |0 |
GSA_NEXT_SPI 3 TLV YES GIKE_UPDATE, AH, ESP +------------------------+-----+------+------------+--------------+
| GSA_KEY_LIFETIME |1 |TLV |NO | GIKE_UPDATE, |
| | | | | AH, ESP |
+------------------------+-----+------+------------+--------------+
| GSA_INITIAL_MESSAGE_ID |2 |TLV |NO | GIKE_UPDATE |
+------------------------+-----+------+------------+--------------+
| GSA_NEXT_SPI |3 |TLV |YES | GIKE_UPDATE, |
| | | | | AH, ESP |
+------------------------+-----+------+------------+--------------+
The attributes follow the format defined in the IKEv2 [RFC7296] Table 5
section 3.3.5. The "Format" column defines what attribute format is
The attributes follow the format defined in IKEv2 (Section 3.3.5 of
[RFC7296]). The "Format" column defines what attribute format is
allowed: Type/Length/Value (TLV) or Type/Value (TV). The "Multi- allowed: Type/Length/Value (TLV) or Type/Value (TV). The "Multi-
Valued" column defines whether multiple instances of the attribute Valued" column defines whether multiple instances of the attribute
can appear. The "Used in Protocol" column lists the security can appear. The "Used in Protocol" column lists the security
protocols, for which the attribute can be used. protocols, for which the attribute can be used.
4.4.2.2.1. GSA_KEY_LIFETIME Attribute 4.4.2.2.1. GSA_KEY_LIFETIME Attribute
The GSA_KEY_LIFETIME attribute (1) specifies the maximum time for The GSA_KEY_LIFETIME attribute (1) specifies the maximum time for
which the SA is valid. The value is a 4 octet unsigned integer in a which the SA is valid. The value is a 4-octet unsigned integer in
network byte order, specifying a valid time period in seconds. When network byte order, specifying a valid time period in seconds. When
the lifetime expires, the group security association and all the lifetime expires, the GSA and all associated keys MUST be
associated keys MUST be deleted. The GCKS may delete the SA at any deleted. The GCKS may delete the SA at any time before the end of
time before the end of the validity period. the validity period.
A single attribute of this type MUST be included into any GSA policy A single attribute of this type MUST be included into any GSA policy
substructure if multicast rekey is employed by the GCKS. This substructure if multicast rekey is employed by the GCKS. This
attribute SHOULD NOT be used if inband rekey (via the attribute SHOULD NOT be used if inband rekey (via the
GSA_INBAND_REKEY exchange) is employed by the GCKS for the GM. GSA_INBAND_REKEY exchange) is employed by the GCKS for the GM.
4.4.2.2.2. GSA_INITIAL_MESSAGE_ID Attribute 4.4.2.2.2. GSA_INITIAL_MESSAGE_ID Attribute
The GSA_INITIAL_MESSAGE_ID attribute (2) defines the initial Message The GSA_INITIAL_MESSAGE_ID attribute (2) defines the initial Message
ID to be used by the GCKS in the GSA_REKEY messages. The Message ID ID to be used by the GCKS in the GSA_REKEY messages. The Message ID
is a 4 octet unsigned integer in network byte order. is a 4-octet unsigned integer in network byte order.
A single attribute of this type is included into the GSA KEK policy A single attribute of this type is included into the GSA KEK policy
substructure if the initial Message ID of the Rekey SA is non-zero. substructure if the initial Message ID of the Rekey SA is non-zero.
Note, that it is always the case if GMs join the group after some Note that it is always the case if GMs join the group after some
multicast rekey operations have already taken place, so in these multicast rekey operations have already taken place, so in these
cases this attribute will be included into the GSA policy when the GM cases, this attribute will be included into the GSA policy when the
is registered. GM is registered.
This attribute MUST NOT be used if inband rekey (via the This attribute MUST NOT be used if inband rekey (via the
GSA_INBAND_REKEY exchange) is employed by the GCKS for the GM. GSA_INBAND_REKEY exchange) is employed by the GCKS for the GM.
4.4.2.2.3. GSA_NEXT_SPI Attribute 4.4.2.2.3. GSA_NEXT_SPI Attribute
The optional GSA_NEXT_SPI attribute (3) contains SPI that the GCKS The optional GSA_NEXT_SPI attribute (3) contains the SPI that the
reserved for the next Rekey SA or Data-Security SAs replacing the GCKS reserved for the next Rekey SA or Data-Security SAs replacing
current ones. The length of the attribute data is determined by the the current ones. The length of the attribute data is determined by
SPI Size field in the GSA Policy substructure the attribute resides the SPI Size field in the GSA policy substructure the attribute
in (see Section 4.4.2), and the attribute data contains SPI as it resides in (see Section 4.4.2), and the attribute data contains the
would appear on the network. Multiple attributes of this type MAY be SPI as it would appear on the network. Multiple attributes of this
included, meaning that any of the supplied SPIs can be used in the type MAY be included, meaning that any of the supplied SPIs can be
replacement group SA. used in the replacement group SA.
The GM MAY store these values and if later the GM starts receiving The GM MAY store these values. Later on, if the GM starts receiving
messages with one of these SPIs without seeing a rekey message over messages with one of these SPIs without seeing a rekey message over
the current Rekey SA, this may be used as an indication, that the the current Rekey SA, then it may be used as an indication that the
rekey message got lost on its way to this GM. In this case the GM rekey message got lost on its way to this GM. In this case, the GM
SHOULD re-register to the group. SHOULD re-register to the group.
Note, that this method of detecting lost rekey messages can only be Note that this method of detecting lost rekey messages can only be
used by group receivers. Additionally there is no point to include used by group receivers. Additionally, there is no point to include
this attribute in the GSA_INBAND_REKEY messages, since they use this attribute in the GSA_INBAND_REKEY messages since they use
reliable transport. Note also, that the GCKS is free to forget its reliable transport. Also note that the GCKS is free to forget its
promises and not to use the SPIs it sent in the GSA_NEXT_SPI promises and not to use the SPIs it sent in the GSA_NEXT_SPI
attributes before (e.g. in case of the GCKS is rebooted), so the GM attributes before (e.g., in cases where the GCKS is rebooted), so the
must only treat these information as a "best effort" made by the GCKS GM must only treat this information as a "best effort" made by the
to prepare for future rekeys. GCKS to prepare for future rekeys.
This attribute MUST NOT be used if inband rekey (via the This attribute MUST NOT be used if inband rekey (via the
GSA_INBAND_REKEY exchange) is employed by the GCKS for the GM. GSA_INBAND_REKEY exchange) is employed by the GCKS for the GM.
4.4.3. Group-wide Policy Substructure 4.4.3. Group-Wide Policy Substructure
Group specific policy that does not belong to any SA policy can be Group-specific policy that does not belong to any SA policy can be
distributed to all group member using Group-wide (GW) policy distributed to all group members using the Group-wide (GW) policy
substructure. substructure.
The GW policy substructure is defined as follows: The GW policy substructure is defined as follows:
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Protocol | RESERVED | Length | | Protocol | RESERVED | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
~ <GW Policy Attributes> ~ ~ <GW Policy Attributes> ~
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 17: GW Policy Substructure Format Figure 18: GW Policy Substructure Format
The GW policy substructure fields are defined as follows: The GW policy substructure fields are defined as follows:
* Protocol (1 octet) -- MUST be zero. This value is reserved in Protocol (1 octet): MUST be zero. This value is reserved (see
Section 9 and is never used for any security protocol, so it is Section 9) and is never used for any security protocol, so it is
used here to indicate that this substructure contains policy not used here to indicate that this substructure contains policy not
related to any specific protocol. related to any specific protocol.
* RESERVED ( octet) -- MUST be zero on transmission, MUST be ignored RESERVED ( octet): MUST be zero on transmission and MUST be ignored
on receipt. on receipt.
* Length (2 octets, unsigned integer) -- Length of this substructure Length (2 octets, unsigned integer): Length of this substructure
including the header. including the header.
* GW Policy Attributes (variable) -- Contains policy attributes GW Policy Attributes (variable): Contains policy attributes
associated with no specific SA. The following sections describe associated with no specific SA. The following sections describe
possible attributes. Any or all attributes may be optional, possible attributes. Any or all attributes may be optional
depending on the group policy. depending on the group policy.
4.4.3.1. GW Policy Attributes 4.4.3.1. GW Policy Attributes
This document creates a new IKEv2 IANA registry for the types of the This document creates a new IKEv2 IANA registry for the types of
group-wide policy attributes which is initially filled as described group-wide policy attributes, which has been initially populated as
in Section 9. In particular, the following attributes are initially described in Section 9. In particular, the following attributes have
added. been added:
GW Policy Attributes Value Format Multi-Valued +======================+=======+========+==============+
-------------------------------------------------------- | GW Policy Attributes | Value | Format | Multi-Valued |
Reserved 0 +======================+=======+========+==============+
GWP_ATD 1 TV NO | Reserved | 0 |
GWP_DTD 2 TV NO +----------------------+-------+--------+--------------+
GWP_SENDER_ID_BITS 3 TV NO | GWP_ATD | 1 | TV | NO |
+----------------------+-------+--------+--------------+
| GWP_DTD | 2 | TV | NO |
+----------------------+-------+--------+--------------+
| GWP_SENDER_ID_BITS | 3 | TV | NO |
+----------------------+-------+--------+--------------+
The attributes follow the format defined in the IKEv2 [RFC7296] Table 6
section 3.3.5. The "Format" column defines what attribute format is
The attributes follow the format defined in the IKEv2 (Section 3.3.5
of [RFC7296]). The "Format" column defines what attribute format is
allowed: Type/Length/Value (TLV) or Type/Value (TV). The "Multi- allowed: Type/Length/Value (TLV) or Type/Value (TV). The "Multi-
Valued" column defines whether multiple instances of the attribute Valued" column defines whether multiple instances of the attribute
can appear. can appear.
4.4.3.1.1. GWP_ATD And GWP_DTD Attributes 4.4.3.1.1. GWP_ATD and GWP_DTD Attributes
Section 4.2.1 of Multicast Extensions to the Security Architecture Section 4.2.1 of [RFC5374] specifies a key rollover method that
[RFC5374] specifies a key rollover method that requires two values be requires two values be provided to group members: Activation Time
provided to group members -- Activation Time Delay (ATD) and Delay (ATD) and Deactivation Time Delay (DTD).
Deactivation Time Delay (DTD).
The GWP_ATD attribute (1) allows a GCKS to set the Activation Time The GWP_ATD attribute (1) allows a GCKS to set the Activation Time
Delay for Data-Security SAs of the group. The ATD defines how long Delay for Data-Security SAs of the group. The ATD defines how long
active members of the group (those who sends traffic) should wait active members of the group (those who sends traffic) should wait
after receiving new SAs before staring sending traffic over them. after receiving new SAs before sending traffic over them. Note that
Note, that to achieve smooth rollover passive members of the group to achieve smooth rollover, passive members of the group should
should activate the SAs immediately once they receive them. activate the SAs immediately once they receive them.
The GWP_DTD attribute (2) allows the GCKS to set the Deactivation The GWP_DTD attribute (2) allows the GCKS to set the DTD for
Time Delay for previously distributed SAs. The DTD defines how long previously distributed SAs. The DTD defines how long after receiving
after receiving a request to delete Data-Security SAs passive group a request to delete Data-Security SAs passive group members should
members should wait before actually deleting them. Note that active wait before actually deleting them. Note that active members of the
members of the group should stop sending traffic over these old SAs group should stop sending traffic over these old SAs once new
once new replacement SAs are activated (after time specified in the replacement SAs are activated (after time specified in the GWP_ATD
GWP_ATD attribute). attribute).
The GWP_ATD and GWP_DTD attributes contain 16 bit unsigned integer in The GWP_ATD and GWP_DTD attributes contain a 16-bit unsigned integer
a network byte order, specifying the delay in seconds. These in network byte order, specifying the delay in seconds. These
attributes are OPTIONAL. If one of them or both are not sent by the attributes are OPTIONAL. If one of them or both are not sent by the
GCKS, then no corresponding delay should be employed. GCKS, then no corresponding delay should be employed.
4.4.3.1.2. GWP_SENDER_ID_BITS Attribute 4.4.3.1.2. GWP_SENDER_ID_BITS Attribute
The GWP_SENDER_ID_BITS attribute (3) declares how many bits of the The GWP_SENDER_ID_BITS attribute (3) declares how many bits of the
cipher nonce are taken to represent a Sender-ID value. The bits are cipher nonce are taken to represent a Sender-ID value. The bits are
applied as the most significant bits of the IV, as shown in Figure 1 applied as the most significant bits of the IV, as shown in Figure 1
of Using Counter Modes with ESP and AH to Protect Group Traffic of Using Counter Modes with ESP and AH to Protect Group Traffic
[RFC6054] and specified in Section 2.5.2. Guidance for a GCKS [RFC6054] and as specified in Section 2.5.2. Guidance for a GCKS
choosing the value is provided in Section 3 of Using Counter Modes choosing the value is provided in Section 3 of [RFC6054]. This value
with ESP and AH to Protect Group Traffic [RFC6054]. This value is is applied to each Sender-ID value distributed in the KD payload.
applied to each Sender-ID value distributed in the KD payload.
The GCKS MUST include this attribute if there are more than one The GCKS MUST include this attribute if there are more than one
sender in the group and any of the Data-Security SAs use counter- senders in the group and any of the Data-Security SAs use counter-
based cipher mode. The number of Sender-ID bits is represented as 16 based cipher mode. The number of Sender-ID bits is represented as a
bit unsigned integer in network byte order. 16-bit unsigned integer in network byte order.
4.5. Key Download Payload 4.5. Key Download Payload
The Key Download (KD) payload contains the group keys for the SAs The Key Download (KD) payload contains the group keys for the SAs
specified in the GSA Payload. The Payload Type for the Key Download specified in the GSA payload. The Payload Type for the Key Download
payload is fifty-two (52). payload is fifty-two (52).
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Payload |C| RESERVED | Length | | Next Payload |C| RESERVED | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
~ <Key Bags> ~ ~ <Key Bags> ~
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 18: Key Download Payload Format Figure 19: Key Download Payload Format
The Key Download payload fields are defined as follows: The Key Download payload fields are defined as follows:
* Next Payload, C, RESERVED, Payload Length fields comprise the Next Payload, C, RESERVED, and Length fields:
IKEv2 Generic Payload Header and are defined in Section 3.2. of Comprise the IKEv2 Generic Payload Header and are defined in
[RFC7296]. Section 3.2 of [RFC7296].
* Key Bags (variable) -- A set of Key Bag substructures. Key Bags (variable):
A set of Key Bag substructures.
4.5.1. Key Bags 4.5.1. Key Bags
Keys are distributed in a substructures called key bags. Each key Keys are distributed in substructures called key bags. Each key bag
bag contains one or more keys that are logically related -- either contains one or more keys that are logically related -- these are
these are keys for a single SA (Data-Security SA or Rekey SA) or keys for either a single SA (Data-Security SA or Rekey SA) or a
these are keys for a single group member (in the latter case besides single group member (in the latter case, besides keys, the key bag
keys the key bag may also contain security parameters for this group may also contain security parameters for this group member).
member).
For this reason two types of key bags are defined -- Group Key Bag For this reason, two types of key bags are defined: Group Key Bag and
and Member Key Bag. The type is unambiguously determined by the first Member Key Bag. The type is unambiguously determined by the first
byte of the key bag substructure -- for member key bag it is zero and byte of the key bag substructure. For a Member Key Bag, it is zero,
for group key bag it represents the protocol number, which along with and for Group Key Bag, it represents the protocol number, which along
the following SPI, identify the SA associated with the keys in the with the following SPI, identify the SA associated with the keys in
bag. the bag.
4.5.2. Group Key Bag Substructure 4.5.2. Group Key Bag Substructure
The Group Key Bag substructure contains SA key information. This key The Group Key Bag substructure contains SA key information. This key
information is associated with some group SAs: either with Data- information is associated with some group SAs: either with Data-
Security SAs or with group Rekey SA. Security SAs or with a group Rekey SA.
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Protocol | SPI Size | Length | | Protocol | SPI Size | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
~ SPI ~ ~ SPI ~
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
~ <Group Key Bag Attributes> ~ ~ <Group Key Bag Attributes> ~
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 19: Group Key Bag Substructure Format Figure 20: Group Key Bag Substructure Format
* Protocol (1 octet) -- Identifies the security protocol for this Protocol (1 octet):
key bag. The values are defined in the IKEv2 Security Protocol Identifies the security protocol for this key bag. The values are
Identifiers in [IKEV2-IANA]. The valid values for this field are: defined in the "IKEv2 Security Protocol Identifiers" registry in
<TBA> (GIKE_UPDATE) for KEK Key packet and 2 (AH) or 3 (ESP) for [IKEV2-IANA]. The valid values for this field are: 6
TEK key bag. (GIKE_UPDATE) for KEK Key packet and 2 (AH) or 3 (ESP) for TEK key
bag.
* SPI Size (1 octet) -- Size of Security Parameter Index (SPI) for SPI Size (1 octet):
the corresponding SA. SPI size depends on the security protocol. Size of the SPI for the corresponding SA. SPI size depends on the
For GIKE_UPDATE it is 16 octets, while for AH and ESP it is 4 security protocol. It is 16 octets for GIKE_UPDATE and 4 octets
octets. for AH and ESP.
* Length (2 octets, unsigned integer) -- Length of this substructure Length (2 octets, unsigned integer):
including the header. Length of this substructure including the header.
* SPI (variable) -- Security Parameter Index for the corresponding SPI (variable):
SA. The size of this field is determined by the SPI Size field. Security Parameter Index for the corresponding SA. The size of
In case of GIKE_UPDATE the SPI is the IKEv2 Header SPI pair where this field is determined by the SPI Size field. In the case of
the first 8 octets become the "IKE SA Initiator's SPI" field in GIKE_UPDATE, the SPI is the IKEv2 Header SPI pair where the first
the G-IKEv2 rekey message IKEv2 HDR, and the second 8 octets 8 octets become the "IKE SA Initiator's SPI" field in the G-IKEv2
become the "IKE SA Responder's SPI" in the same HDR. rekey message IKEv2 HDR, and the second 8 octets become the "IKE
SA Responder's SPI" in the same HDR.
* Group Key Bag Attributes (variable) -- Contains Key information Group Key Bag Attributes (variable):
for the corresponding SA. Contains Key information for the corresponding SA.
This document creates a new IKEv2 IANA registry for the types of the This document creates a new IKEv2 IANA registry for the types of
Group Key Bag attributes which is initially filled as described in Group Key Bag attributes, which has been initially populated as
Section 9. In particular, the following attributes are initially described in Section 9. In particular, the following attributes have
added. been added:
Group Key Bag +===============+=======+========+==============+=============+
Attributes Value Format Multi-Valued Used in Protocol | Group Key Bag | Value | Format | Multi-Valued | Used in |
-------------------------------------------------------------------- | Attributes | | | | Protocol |
Reserved 0 +===============+=======+========+==============+=============+
SA_KEY 1 TLV YES* GIKE_UPDATE | Reserved | 0 |
NO AH, ESP +---------------+-------+--------+--------------+-------------+
| SA_KEY | 1 | TLV | YES* | GIKE_UPDATE |
| | | | NO | AH, ESP |
+---------------+-------+--------+--------------+-------------+
(*) Multiple SA_KEY attributes may only appear for the GIKE_UPDATE Table 7
protocol in the GSA_REKEY exchange if the GCKS uses the group key
management method that allows excluding GMs from the group (like
LKH).
The attributes follow the format defined in the IKEv2 [RFC7296] Notes:
section 3.3.5. The "Format" column defines what attribute format is
(*): Multiple SA_KEY attributes may only appear for the GIKE_UPDATE
protocol in the GSA_REKEY exchange if the GCKS uses the group key
management method that allows excluding GMs from the group (like
LKH).
The attributes follow the format defined in IKEv2 (Section 3.3.5 of
[RFC7296]). The "Format" column defines what attribute format is
allowed: Type/Length/Value (TLV) or Type/Value (TV). The "Multi- allowed: Type/Length/Value (TLV) or Type/Value (TV). The "Multi-
Valued" column defines whether multiple instances of the attribute Valued" column defines whether multiple instances of the attribute
can appear. The "Used in Protocol" column lists the security can appear. The "Used in Protocol" column lists the security
protocols, for which the attribute can be used. protocols, for which the attribute can be used.
4.5.2.1. SA_KEY Attribute 4.5.2.1. SA_KEY Attribute
The SA_KEY attribute (1) contains a keying material for the The SA_KEY attribute (1) contains a keying material for the
corresponding SA. The content of the attribute is formatted corresponding SA. The content of the attribute is formatted
according to Section 4.5.4 with a precondition that the Key ID field according to Section 4.5.4 with a precondition that the Key ID field
MUST always be zero. The size of the keying material MUST be equal MUST always be zero. The size of the keying material MUST be equal
to the total size of the keys needed to be taken from this keying to the total size of the keys needed to be taken from this keying
material (see Section 3.4) for the corresponding SA. material (see Section 3.4) for the corresponding SA.
If the key bag is for a Data-Security SA (AH or ESP protocols), then If the key bag is for a Data-Security SA (AH or ESP protocols), then
exactly one SA_KEY attribute MUST be present with both Key ID and KWK exactly one SA_KEY attribute MUST be present with both Key ID and KWK
ID fields set to zero. ID fields set to zero.
If the key bag is for a Rekey SA (GIKE_UPDATE protocol), then in the If the key bag is for a Rekey SA (GIKE_UPDATE protocol), then exactly
GSA_AUTH, GSA_REGISTRATION and GSA_INBAND_REKEY exchanges exactly one one SA_KEY attribute MUST be present in the GSA_AUTH,
SA_KEY attribute MUST be present. In the GSA_REKEY exchange at least GSA_REGISTRATION, and GSA_INBAND_REKEY exchanges. In the GSA_REKEY
one SA_KEY attribute MUST be present, and more attributes MAY be exchange, at least one SA_KEY attribute MUST be present, and more
present (depending on the key management method employed by the attributes MAY be present (depending on the key management method
GCKS). employed by the GCKS).
4.5.3. Member Key Bag Substructure 4.5.3. Member Key Bag Substructure
The Member Key Bag substructure contains keys and other parameters The Member Key Bag substructure contains keys and other parameters
that are specific for a member of the group and are not associated that are specific for a member of the group and are not associated
with any particular group SA. with any particular group SA.
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Protocol | RESERVED | Length | | Protocol | RESERVED | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
~ <Member Key Bag Attributes> ~ ~ <Member Key Bag Attributes> ~
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 20: Member Key Bag Substructure Format Figure 21: Member Key Bag Substructure Format
The Member Key Bag substructure fields are defined as follows: The Member Key Bag substructure fields are defined as follows:
* Protocol (1 octet) -- MUST be zero. This value is reserved in Protocol (1 octet):
Section 9 and is never used for any security protocol, so it is MUST be zero. This value is reserved (see Section 9) and is never
used here to indicate that this key bag is not associated with any used for any security protocol, so it is used here to indicate
particular SA. that this key bag is not associated with any particular SA.
* RESERVED ( octet) -- MUST be zero on transmission, MUST be ignored RESERVED ( octet):
on receipt. MUST be zero on transmission and MUST be ignored on receipt.
* Length (2 octets, unsigned integer) -- Length of this substructure Length (2 octets, unsigned integer):
including the header. Length of this substructure including the header.
* Member Key Bag Attributes (variable) -- Contains Key information Member Key Bag Attributes (variable):
and other parameters exclusively for a particular member of the Contains Key information and other parameters exclusively for a
group. particular member of the group.
The member Key Bag substructure contains sensitive information for a The Member Key Bag substructure contains sensitive information for a
single GM, for this reason it MUST NOT be sent in GSA_REKEY messages single GM. For this reason, it MUST NOT be sent in GSA_REKEY
and MUST only be sent via unicast SA at the time the GM registers to messages and MUST only be sent via unicast SA at the time the GM
the group (in either GSA_AUTH or GSA_REGISTRATION exchanges). registers to the group (in either GSA_AUTH or GSA_REGISTRATION
exchanges).
This document creates a new IKEv2 IANA registry for the types of the This document creates a new IKEv2 IANA registry for the types of
Member Key Bag attributes which is initially filled as described in Member Key Bag attributes, which has been initially populated as
Section 9. In particular, the following attributes are initially described in Section 9. In particular, the following attributes have
added. been added:
Member Key Bag +===========================+=======+========+==============+
Attributes Value Format Multi-Valued | Member Key Bag Attributes | Value | Format | Multi-Valued |
---------------------------------------------------- +===========================+=======+========+==============+
Reserved 0 | Reserved | 0 |
WRAP_KEY 1 TLV YES +---------------------------+-------+--------+--------------+
AUTH_KEY 2 TLV NO | WRAP_KEY | 1 | TLV | YES |
GM_SENDER_ID 3 TLV YES +---------------------------+-------+--------+--------------+
| AUTH_KEY | 2 | TLV | NO |
+---------------------------+-------+--------+--------------+
| GM_SENDER_ID | 3 | TLV | YES |
+---------------------------+-------+--------+--------------+
The attributes follow the format defined in the IKEv2 [RFC7296] Table 8
section 3.3.5. The "Format" column defines what attribute format is
The attributes follow the format defined in the IKEv2 (Section 3.3.5
of [RFC7296]). The "Format" column defines what attribute format is
allowed: Type/Length/Value (TLV) or Type/Value (TV). The "Multi- allowed: Type/Length/Value (TLV) or Type/Value (TV). The "Multi-
Valued" column defines whether multiple instances of the attribute Valued" column defines whether multiple instances of the attribute
can appear. can appear.
4.5.3.1. WRAP_KEY Attribute 4.5.3.1. WRAP_KEY Attribute
The WRAP_KEY attribute (1) contains a key that is used to encrypt The WRAP_KEY attribute (1) contains a key that is used to encrypt
other keys. One or more these attributes are sent to GMs if the GCKS other keys. One or more of these attributes are sent to GMs if the
key management method relies on some key hierarchy (e.g. LKH). This GCKS key management method relies on some key hierarchy (e.g., LKH).
attribute MUST NOT be used if inband rekey (via the GSA_INBAND_REKEY This attribute MUST NOT be used if inband rekey (via the
exchange) is employed by the GCKS for the GM. GSA_INBAND_REKEY exchange) is employed by the GCKS for the GM.
The content of the attribute has a format defined in Section 4.5.4 The content of the attribute has a format defined in Section 4.5.4
with a precondition that the Key ID field MUST NOT be zero. The with a precondition that the Key ID field MUST NOT be zero. The
algorithm associated with the key is defined by the Key Wrap algorithm associated with the key is defined by the Key Wrap
Algorithm transform for the SA the WRAP_KEY attributes was sent in. Algorithm transform for the SA the WRAP_KEY attributes was sent in.
The size of the attribute data MUST be equal to the key size for this The size of the attribute data MUST be equal to the key size for this
key wrap algorithm. key wrap algorithm.
Multiple instances of the WRAP_KEY attributes MAY be present in the Multiple instances of the WRAP_KEY attributes MAY be present in the
key bag. key bag.
4.5.3.2. AUTH_KEY Attribute 4.5.3.2. AUTH_KEY Attribute
The AUTH_KEY attribute (2) contains the key that is used to The AUTH_KEY attribute (2) contains the key that is used to
authenticate the GSA_REKEY messages. The content of the attribute authenticate the GSA_REKEY messages. The content of the attribute
depends on the authentication method the GCKS specified in the Group depends on the authentication method the GCKS specified in the Group
Controller Authentication Method transform in the GSA payload. Controller Authentication Method transform in the GSA payload.
* If digital signatures are used for the GSA_REKEY message * If digital signatures are used for the GSA_REKEY message
authentication then the content of the AUTH_KEY attribute is a authentication, then the content of the AUTH_KEY attribute is a
public key used for digital signature authentication. The public public key used for digital signature authentication. The public
key MUST be represented as DER-encoded ASN.1 object key MUST be represented as DER-encoded ASN.1 object
SubjectPublicKeyInfo, defined in Section 4.1.2.7 of Internet X.509 SubjectPublicKeyInfo, defined in Section 4.1.2.7 of [RFC5280].
Public Key Infrastructure Certificate and CRL Profile [RFC5280].
The algorithm field inside the SubjectPublicKeyInfo object MUST The algorithm field inside the SubjectPublicKeyInfo object MUST
match the content of the Signature Algorithm Identifier attribute match the content of the Signature Algorithm Identifier attribute
in the Group Controller Authentication Method transform. When the in the Group Controller Authentication Method transform. When the
id-RSASSA-PSS object identifier appears in the algorithm field of id-RSASSA-PSS object identifier appears in the algorithm field of
the SubjectPublicKeyInfo object, then the parameters field MUST the SubjectPublicKeyInfo object, then the parameters field MUST
include the RSASSA-PSS-params structure. include the RSASSA-PSS-params structure.
Multiple instances of the AUTH_KEY attributes MUST NOT be sent. Multiple instances of the AUTH_KEY attributes MUST NOT be sent.
4.5.3.3. GM_SENDER_ID Attribute 4.5.3.3. GM_SENDER_ID Attribute
The GM_SENDER_ID attribute (3) is used to download one or more The GM_SENDER_ID attribute (3) is used to download one or more
Sender-ID values for the exclusive use of a group member. One or Sender-ID values for the exclusive use of a group member. One or
more of this attributes MUST be sent by the GCKS if the GM informed more of these attributes MUST be sent by the GCKS if the GM informed
the GCKS that it would be a sender (by including the GROUP_SENDER the GCKS that it would be a sender (by including the GROUP_SENDER
notification to the request) and at least one of the Data-Security notification to the request) and if at least one of the Data-Security
SAs included in the GSA payload uses counter-based mode of SAs included in the GSA payload uses a counter-based mode of
encryption. encryption.
If the GMs has requested multiple Sender-ID values in the If the GMs have requested multiple Sender-ID values in the
GROUP_SENDER notification, then the GCKS SHOULD provide it with the GROUP_SENDER notification, then the GCKS SHOULD provide it with the
requested number of Sender-IDs by sending multiple instances of the requested number of Sender-IDs by sending multiple instances of the
GM_SENDER_ID attribute. The GCKS MAY send fewer values than GM_SENDER_ID attribute. The GCKS MAY send fewer values than
requested by the GM (e.g. if it is running out of Sender-IDs), but it requested by the GM (e.g., if it is running out of Sender-IDs), but
MUST NOT send more than requested. it MUST NOT send more than requested.
This attribute MUST NOT appear in the rekey operations (in the This attribute MUST NOT appear in the rekey operations (in the
GSA_REKEY or GSA_INBAND_REKEY exchanges). GSA_REKEY or GSA_INBAND_REKEY exchanges).
4.5.4. Key Wrapping 4.5.4. Key Wrapping
Symmetric keys in G-IKEv2 are never sent in clear inside G-IKEv2 Symmetric keys in G-IKEv2 are never sent in clear inside G-IKEv2
messages. They are always protected with other symmetric keys. This messages. They are always protected with other symmetric keys. This
protection is called key wrapping. Algorithms used for key wrapping protection is called key wrapping. Algorithms used for key wrapping
are usually based on generic encryption algorithms, but their mode of are usually based on generic encryption algorithms, but their mode of
operation is optimized for protecting short high-entropy data with operation is optimized for protecting short high-entropy data with
minimal additional overhead. While in general key wrap algorithms minimal additional overhead. While key wrap algorithms can be
can be generic, in practice they are often tied to the underlying generic in general, they are often tied to the underlying encryption
encryption algorithms. For example, AES Key Wrap with Padding algorithms in practice. For example, AES Key Wrap with Padding
Algorithm [RFC5649] defines key wrapping using AES, and Key Wrapping Algorithm [RFC5649] defines key wrapping using AES, and Key Wrapping
Constructions using SipHash and ChaCha [ARX-KW] defines key wrapping Constructions using SipHash and ChaCha [ARX-KW] define key wrapping
using Chacha20. using Chacha20.
In G-IKEv2 the key wrap algorithm MUST be negotiated in the In G-IKEv2, the key wrap algorithm MUST be negotiated in the
IKE_SA_INIT exchange, so that the GCKS be able to send encrypted keys IKE_SA_INIT exchange so that the GCKS is able to send encrypted keys
to the GM in the GSA_AUTH exchange. In addition, if the GCKS plans to the GM in the GSA_AUTH exchange. In addition, if the GCKS plans
to use the multicast Rekey SA for group rekey, then it MUST specify to use the multicast Rekey SA for group rekey, then it MUST specify
the key wrap algorithm in the GSA payload. Note that key wrap the key wrap algorithm in the GSA payload. Note that key wrap
algorithms for these cases MAY be different - for the unicast SA the algorithms for these cases MAY be different. For the unicast SA, the
key wrap algorithms is negotiated between the GM and the GCKS, while key wrap algorithm is negotiated between the GM and the GCKS, while
for the multicast Rekey SA the key wrap algorithm is provided by the for the multicast Rekey SA, the key wrap algorithm is provided by the
GCKS to the group members as part of the group policy. If SAg GCKS to the group members as part of the group policy. If an SAg
payload is included in the GSA_AUTH request, then it MUST indicate payload is included in the GSA_AUTH request, then it MUST indicate
which key wrap algorithms are supported by the GM. In all these which key wrap algorithms are supported by the GM. In all these
cases the key wrap algorithm is specified in a Key Wrap Algorithm cases, the key wrap algorithm is specified in a Key Wrap Algorithm
transform Section 4.4.2.1.2. transform (see Section 4.4.2.1.2).
The format of the wrapped key is shown in Figure 21. The format of the wrapped key is shown in Figure 22.
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Key ID | | Key ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| KWK ID | | KWK ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
~ Encrypted Key ~ ~ Encrypted Key ~
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 21: Wrapped Key Format Figure 22: Wrapped Key Format
The Wrapped Key fields are defined as follows: The Wrapped Key fields are defined as follows:
* Key ID (4 octets) -- ID of the encrypted key. The value zero Key ID (4 octets):
means that the encrypted key contains SA keys (in the form of ID of the encrypted key. The value zero means that the encrypted
keying material, see Section 3.4)), otherwise it contains some key contains SA keys (in the form of keying material; see
intermediate key. Section 3.4). Otherwise, it contains some intermediate key.
* KWK ID (4 octets) -- ID of the key that was used to encrypt key KWK ID (4 octets):
with specified Key ID. The value zero means that the default KWK ID of the key that was used to encrypt the key with a specified
was used to encrypt the key, otherwise some intermediate key was Key ID. The value zero means that the default KWK was used to
used. encrypt the key. Otherwise, some intermediate key was used.
* Encrypted Key (variable) -- The encrypted key bits. These bits Encrypted Key (variable):
comprise either a single encrypted key or a result of encryption The encrypted key bits. These bits comprise either a single
of a concatenation of keys (key material) for several algorithms. encrypted key or a result of encryption of a concatenation of keys
The format of this fields is determined by the key wrap algorithm (key material) for several algorithms. The format of this field
for the SA the wrapped key is sent over. is determined by the key wrap algorithm for the SA the wrapped key
is sent over.
4.6. Delete Payload 4.6. Delete Payload
Delete payload is used in G-IKEv2 when the GCKS wants to delete Data- Delete payload is used in G-IKEv2 when the GCKS wants to delete Data-
Security and Rekey SAs. The interpretation of the Protocol field in Security and Rekey SAs. The interpretation of the Protocol field in
the Delete payload is extended, so that zero protocol indicates the Delete payload is extended so that zero protocol indicates
deletion of whole Group SA (i.e. all Data-Security SAs and Rekey SA). deletion of whole Group SA (i.e., all Data-Security SAs and the Rekey
See Section 2.4.3 for detail. SA). See Section 2.4.3 for detail.
4.7. Notify Payload 4.7. Notify Payload
G-IKEv2 uses the same Notify payload as specified in [RFC7296], G-IKEv2 uses the same Notify payload as specified in Section 3.10 of
section 3.10. [RFC7296].
There are additional Notify Message types introduced by G-IKEv2 to There are additional Notify Message types introduced by G-IKEv2 to
communicate error conditions and status (see Section 9). communicate error conditions and status (see Section 9).
4.7.1. INVALID_GROUP_ID Notification 4.7.1. INVALID_GROUP_ID Notification
INVALID_GROUP_ID (45) is a new error type notification that indicates INVALID_GROUP_ID (45) is a new error type notification that indicates
that the group ID sent during the registration process is invalid. that the group ID sent during the registration process is invalid.
The Protocol ID and SPI Size fields in the Notify payload MUST be The Protocol ID and SPI Size fields in the Notify payload MUST be
zero. There is no data associated with this notification and the zero. There is no data associated with this notification and the
skipping to change at page 55, line 40 skipping to change at line 2514
AUTHORIZATION_FAILED (46) is a new error type notification that is AUTHORIZATION_FAILED (46) is a new error type notification that is
sent in the response to a GSA_AUTH or GSA_REGISTRATION message when sent in the response to a GSA_AUTH or GSA_REGISTRATION message when
authorization failed. The Protocol ID and SPI Size fields in the authorization failed. The Protocol ID and SPI Size fields in the
Notify payload MUST be zero. There is no data associated with this Notify payload MUST be zero. There is no data associated with this
notification and the content of the Notification Data field MUST be notification and the content of the Notification Data field MUST be
ignored on receipt. ignored on receipt.
4.7.3. REGISTRATION_FAILED Notification 4.7.3. REGISTRATION_FAILED Notification
REGISTRATION_FAILED (<TBA>) is a new error type notification that is REGISTRATION_FAILED (49) is a new error type notification that is
sent by the GCKS when the GM registration request cannot be satisfied sent by the GCKS when the GM registration request cannot be satisfied
for the reasons not related to this particular GM, for example if the for reasons not related to this particular GM, e.g., if the capacity
capacity of the group is exceeded. The Protocol ID and SPI Size of the group is exceeded. The Protocol ID and SPI Size fields in the
fields in the Notify payload MUST be zero. There is no data Notify payload MUST be zero. There is no data associated with this
associated with this notification and the content of the Notification notification and the content of the Notification Data field MUST be
Data field MUST be ignored on receipt. ignored on receipt.
4.7.4. GROUP_SENDER Notification 4.7.4. GROUP_SENDER Notification
GROUP_SENDER (16429) is a new status type notification that is sent GROUP_SENDER (16429) is a new status type notification that is sent
in the GSA_AUTH or the GSA_REGISTRATION exchanges to indicate that in the GSA_AUTH or the GSA_REGISTRATION exchanges to indicate that
the GM intends to be sender of data traffic. The data includes a the GM intends to be sender of data traffic. The data includes a
count of how many Sender-ID values the GM desires. The count MUST be count of how many Sender-ID values the GM desires. The count MUST be
4 octets long and contain the big endian representation of the number 4 octets long and contain the big-endian representation of the number
of requested Sender-IDs. The Protocol ID and SPI Size fields in the of requested Sender-IDs. The Protocol ID and SPI Size fields in the
Notify payload MUST be zero. Notify payload MUST be zero.
4.8. Authentication Payload 4.8. Authentication Payload
G-IKEv2 uses the same Authentication payload as specified in G-IKEv2 uses the same Authentication payload as specified in
[RFC7296], section 3.8, to authenticate the rekey message. However, Section 3.8 of [RFC7296] to authenticate the rekey message. However,
if it is used in the GSA_REKEY messages the content of the payload is if it is used in the GSA_REKEY messages, the content of the payload
computed differently, as described in Section 2.4.1.1. is computed differently as described in Section 2.4.1.1.
5. Using G-IKEv2 Attributes 5. Using G-IKEv2 Attributes
G-IKEv2 defines a number of attributes, that are used to convey G-IKEv2 defines a number of attributes that are used to convey
information from GCKS to GMs. There are some restrictions on where information from the GCKS to GMs. There are some restrictions on
and when these attributes can appear in G-IKEv2 messages, which are where and when these attributes can appear in G-IKEv2 messages, which
defined when the attributes are introduced. For convenience these are defined when the attributes are introduced. For convenience,
restrictions are summarized in Table 2 (for multicast rekey these restrictions are summarized in Table 9 (for multicast rekey
operations) and Table 3 (for inband rekey operations) below. operations) and Table 10 (for inband rekey operations) below.
The following notation is used: The following notations are used:
S A single attribute of this type MUST be present S A single attribute of this type MUST be present.
M Multiple attributes of this type MAY be present M Multiple attributes of this type MAY be present.
[] Attribute is OPTIONAL [] Attribute is OPTIONAL.
- Attribute MUST NOT be present - Attribute MUST NOT be present.
Note, that the restrictions are defined per a substructure Note that the restrictions are defined per a substructure
corresponding attributes are defined for and not per whole G-IKEv2 corresponding attributes are defined for and not per whole G-IKEv2
message. message.
+========================+==================+===========+=======+ +========================+==================+===========+=======+
| Attributes | GSA_AUTH | GSA_REKEY | Notes | | Attributes | GSA_AUTH | GSA_REKEY | Notes |
| | GSA_REGISTRATION | | | | | GSA_REGISTRATION | | |
+========================+==================+===========+=======+ +========================+==================+===========+=======+
| GSA Attributes (Section 4.4.2.2) | | GSA Attributes (Section 4.4.2.2) |
+========================+==================+===========+=======+ +========================+==================+===========+=======+
| GSA_KEY_LIFETIME | S | S | | | GSA_KEY_LIFETIME | S | S | |
+------------------------+------------------+-----------+-------+ +------------------------+------------------+-----------+-------+
| GSA_INITIAL_MESSAGE_ID | [S] | [S] | | | GSA_INITIAL_MESSAGE_ID | [S] | [S] | |
+------------------------+------------------+-----------+-------+ +------------------------+------------------+-----------+-------+
| GSA_NEXT_SPI | [M] | [M] | | | GSA_NEXT_SPI | [M] | [M] | |
+========================+==================+===========+=======+ +========================+==================+===========+=======+
| GW Policy Attributes (Section 4.4.3.1) | | GW Policy Attributes (Section 4.4.3.1) |
+========================+==================+===========+=======+ +========================+==================+===========+=======+
| GWP_ATD | [S] | [S] | | | GWP_ATD | [S] | [S] | |
+------------------------+------------------+-----------+-------+ +------------------------+------------------+-----------+-------+
| GWP_DTD | [S] | [S] | | | GWP_DTD | [S] | [S] | |
+------------------------+------------------+-----------+-------+ +------------------------+------------------+-----------+-------+
| GWP_SENDER_ID_BITS | S | - | 1 | | GWP_SENDER_ID_BITS | S | - | 1 |
+========================+==================+===========+=======+ +========================+==================+===========+=======+
| Key Bag Attributes (Section 4.5.1) | | Key Bag Attributes (Section 4.5.1) |
+========================+==================+===========+=======+ +========================+==================+===========+=======+
| SA_KEY | S | S[M] | 2 | | SA_KEY | S | S[M] | 2 |
+------------------------+------------------+-----------+-------+ +------------------------+------------------+-----------+-------+
| WRAP_KEY | [M] | [M] | 3 | | WRAP_KEY | [M] | [M] | 3 |
+------------------------+------------------+-----------+-------+ +------------------------+------------------+-----------+-------+
| AUTH_KEY | S | [S] | 4 | | AUTH_KEY | S | [S] | 4 |
+------------------------+------------------+-----------+-------+ +------------------------+------------------+-----------+-------+
| GM_SENDER_ID | S[M] | - | 1 | | GM_SENDER_ID | S[M] | - | 1 |
+------------------------+------------------+-----------+-------+ +------------------------+------------------+-----------+-------+
| Notes: |
| |
| (1) The GWP_SENDER_ID_BITS attribute MUST be present if the |
| GCKS policy includes at least one cipher in counter |
| mode of operation and the GM included the GROUP_SENDER |
| notify into the registration request. Otherwise it |
| MUST NOT be present. At least one GM_SENDER_ID |
| attribute MUST be present in the former case (and more |
| MAY be present if the GM requested more Sender-IDs) and |
| it MUST NOT be present in the latter case. |
| |
| (2) For a Data-Security SA exactly one SA_KEY attribute |
| MUST be present. For a Rekey SA one SA_KEY attribute |
| MUST be present in all cases and more these attributes |
| MAY be present in GSA_REKEY exchange. |
| |
| (3) The WRAP_KEY attributes MUST be present if the GCKS |
| employs key management method that relies on key tree |
| (like LKH). |
| |
| (4) The AUTH_KEY attribute MUST be present in the GSA_AUTH |
| / GSA_REGISTRATION exchanges if the GCKS employs |
| authentication method of rekey operations based on |
| digital signatures and MUST NOT be present if implicit |
| authentication is employed. The AUTH_KEY attribute |
| MUST be present in the GSA_REKEY exchange if the GCKS |
| employs authentication method based on digital |
| signatures and wants to change the public key for the |
| following multicast rekey operations. |
+---------------------------------------------------------------+
Table 2: Attributes in G-IKEv2 exchanges with multicast rekey Table 9: Attributes in G-IKEv2 Exchanges with Multicast Rekey
operations Operations
Notes:
(1): The GWP_SENDER_ID_BITS attribute MUST be present if the GCKS
policy includes at least one cipher in counter mode of
operation and if the GM included the GROUP_SENDER notify into
the registration request. Otherwise, it MUST NOT be present.
At least one GM_SENDER_ID attribute MUST be present in the
former case (and more MAY be present if the GM requested more
Sender-IDs), and it MUST NOT be present in the latter case.
(2): For a Data-Security SA, exactly one SA_KEY attribute MUST be
present. For a Rekey SA, one SA_KEY attribute MUST be present
in all cases and more these attributes MAY be present in a
GSA_REKEY exchange.
(3): The WRAP_KEY attribute MUST be present if the GCKS employs a
key management method that relies on a key tree (like LKH).
(4): The AUTH_KEY attribute MUST be present in the GSA_AUTH and
GSA_REGISTRATION exchanges if the GCKS employs an
authentication method of rekey operations based on digital
signatures and MUST NOT be present if implicit authentication
is employed. The AUTH_KEY attribute MUST be present in the
GSA_REKEY exchange if the GCKS employs an authentication method
based on digital signatures and wants to change the public key
for the following multicast rekey operations.
+========================+================+==================+=====+ +========================+================+==================+=====+
| Attributes | GSA_AUTH | GSA_INBAND_REKEY |Notes| | Attributes |GSA_AUTH | GSA_INBAND_REKEY |Notes|
| |GSA_REGISTRATION| | | | |GSA_REGISTRATION| | |
+========================+================+==================+=====+ +========================+================+==================+=====+
| GSA Attributes (Section 4.4.2.2) | | GSA Attributes (Section 4.4.2.2) |
+========================+================+==================+=====+ +========================+================+==================+=====+
| GSA_KEY_LIFETIME | [S] | [S] | | | GSA_KEY_LIFETIME |[S] | [S] | |
+------------------------+----------------+------------------+-----+ +------------------------+----------------+------------------+-----+
| GSA_INITIAL_MESSAGE_ID | - | - | | | GSA_INITIAL_MESSAGE_ID |- | - | |
+------------------------+----------------+------------------+-----+ +------------------------+----------------+------------------+-----+
| GSA_NEXT_SPI | - | - | | | GSA_NEXT_SPI |- | - | |
+========================+================+==================+=====+ +========================+================+==================+=====+
| GW Policy Attributes (Section 4.4.3.1) | | GW Policy Attributes (Section 4.4.3.1) |
+========================+================+==================+=====+ +========================+================+==================+=====+
| GWP_ATD | [S] | [S] | | | GWP_ATD |[S] | [S] | |
+------------------------+----------------+------------------+-----+ +------------------------+----------------+------------------+-----+
| GWP_DTD | [S] | [S] | | | GWP_DTD |[S] | [S] | |
+------------------------+----------------+------------------+-----+ +------------------------+----------------+------------------+-----+
| GWP_SENDER_ID_BITS | S | - | 1 | | GWP_SENDER_ID_BITS |S | - |1 |
+========================+================+==================+=====+ +========================+================+==================+=====+
| Key Bag Attributes (Section 4.5.1) | | Key Bag Attributes (Section 4.5.1) |
+========================+================+==================+=====+ +========================+================+==================+=====+
| SA_KEY | S | S | | | SA_KEY |S | S | |
+------------------------+----------------+------------------+-----+ +------------------------+----------------+------------------+-----+
| WRAP_KEY | - | - | | | WRAP_KEY |- | - | |
+------------------------+----------------+------------------+-----+ +------------------------+----------------+------------------+-----+
| AUTH_KEY | - | - | | | AUTH_KEY |- | - | |
+------------------------+----------------+------------------+-----+ +------------------------+----------------+------------------+-----+
| GM_SENDER_ID | S[M] | - | 1 | | GM_SENDER_ID |S[M] | - |1 |
+------------------------+----------------+------------------+-----+ +------------------------+----------------+------------------+-----+
| Notes: |
| |
| (1) The GWP_SENDER_ID_BITS attribute MUST be present if the |
| GCKS policy includes at least one cipher in counter mode |
| of operation and the GM included the GROUP_SENDER notify |
| into the registration request. Otherwise it MUST NOT be |
| present. At least one GM_SENDER_ID attribute MUST be |
| present in the former case (and more MAY be present if the |
| GM requested more Sender-IDs) and it MUST NOT be present |
| in the latter case. |
+------------------------------------------------------------------+
Table 3: Attributes in G-IKEv2 exchanges with inband rekey Table 10: Attributes in G-IKEv2 Exchanges with Inband Rekey
operations Operations
Notes:
(1): The GWP_SENDER_ID_BITS attribute MUST be present if the GCKS
policy includes at least one cipher in counter mode of
operation and the GM included the GROUP_SENDER notify into the
registration request. Otherwise, it MUST NOT be present. At
least one GM_SENDER_ID attribute MUST be present in the former
case (and more MAY be present if the GM requested more Sender-
IDs), and it MUST NOT be present in the latter case.
6. Interaction with IKEv2 and ESP Extensions 6. Interaction with IKEv2 and ESP Extensions
A number of IKEv2 and ESP extensions is defined that can be used to A number of IKEv2 and ESP extensions are defined that can be used to
extend protocol functionality. G-IKEv2 is compatible with most of extend protocol functionality. G-IKEv2 is compatible with most of
them. In particular, EAP authentication defined in [RFC7296] can be them. In particular, EAP authentication defined in [RFC7296] can be
used to establish registration IKE SA, as well as EAP-only used to establish registration IKE SA, as well as EAP-only
authentication [RFC5998] and Secure Password authentication authentication [RFC5998] and secure password authentication
[RFC6467]. G-IKEv2 is compatible with and can use IKEv2 Redirect [RFC6467]. G-IKEv2 is compatible with and can use IKEv2 Redirect
Mechanism [RFC5685] and IKEv2 Session Resumption [RFC5723]. G-IKEv2 Mechanism [RFC5685] and IKEv2 Session Resumption [RFC5723]. G-IKEv2
is also compatible with Multiple Key Exchanges in IKEv2 framework, is also compatible with Multiple Key Exchanges in the IKEv2
defined in [RFC9370]. framework, as defined in [RFC9370].
The above list of compatible IKEv2 extensions is not exhaustive, The above list of compatible IKEv2 extensions is not exhaustive.
however some IKEv2 extensions require special handling if used in However, some IKEv2 extensions require special handling if used in
G-IKEv2. G-IKEv2.
6.1. Implicit IV for Counter-Based Ciphers in ESP 6.1. Implicit IV for Counter-Based Ciphers in ESP
Using implicit IV for counter-based encryption modes in ESP is Using implicit IV for counter-based encryption modes in ESP is
defined in [RFC8750]. This extension relies on the uniqueness of ESP defined in [RFC8750]. This extension relies on the uniqueness of ESP
sequence numbers. Thus, it cannot be used for multi-sender multicast sequence numbers. Thus, it cannot be used for multi-sender multicast
SAs. However, it is possible to use implicit IV extension for a SAs. However, it is possible to use implicit IV extension for a
single-sender multicast ESP SA. Note, that while implicit IVs can be single-sender multicast ESP SA. Note that while implicit IVs can be
used with ESN, using ESN is prohibited in multicast SAs (see used with ESN, using ESN is prohibited in multicast SAs (see
Section 4.4.2.1.3). Section 4.4.2.1.3).
6.2. Mixing Preshared Keys in IKEv2 for Post-quantum Security 6.2. Mixing Preshared Keys in IKEv2 for Post-Quantum Security
G-IKEv2 can take advantage of the protection provided by Postquantum G-IKEv2 can take advantage of the protection provided by Post-quantum
Preshared Keys (PPK) for IKEv2 [RFC8784]. However, the use of PPK Preshared Keys (PPKs) for IKEv2 [RFC8784]. However, the use of PPKs
leaves the initial IKE SA susceptible to quantum computer (QC) leaves the initial IKE SA susceptible to quantum computer (QC)
attacks. Group SA keys are protected with the default KWK (GSK_w), attacks. Group SA keys are protected with the default KWK (GSK_w),
which is derived from SK_d and thus cannot be broken even by attacker which is derived from SK_d and thus cannot be broken even by an
equipped with a QC. However, other data sent over the initial IKE SA attacker equipped with a QC. However, other data sent over the
may be susceptible to an attacker equipped with a QC of a sufficient initial IKE SA may be susceptible to an attacker equipped with a QC
size. Such an attacker can store all the traffic until it obtains of a sufficient size. Such an attacker can store all the traffic
such a QC and then decrypt it (Store Now Decrypt Later attack). See until it obtains such a QC and then decrypt it (i.e., Store Now
Section 6 of [RFC8784] for details. Decrypt Later attack). See Section 6 of [RFC8784] for details.
While the group keys are protected with PPK and thus are immune to While the group keys are protected with PPK and thus are immune to
QC, GCKS implementations that care about other data sent over initial QC, GCKS implementations that care about other data sent over initial
IKE SA MUST rely on IKEv2 extensions that protect even initial IKE SA IKE SA MUST rely on IKEv2 extensions that protect even initial IKE SA
against QC (like [I-D.ietf-ipsecme-ikev2-qr-alt]). against QC (like [IPSEC-IKEV2-QR-ALT]).
6.3. Aggregation and Fragmentation Mode for ESP 6.3. Aggregation and Fragmentation Mode for ESP
Aggregation and fragmentation mode for ESP is defined in [RFC9347]. Aggregation and fragmentation mode for ESP is defined in [RFC9347].
This mode allows IP packets to be split over several ESP packets, or This mode allows IP packets to be split over several ESP packets or
several IP packets to be aggregated in a single ESP packet. This several IP packets to be aggregated in a single ESP packet. This
mode can only be used with ESP tunnel mode and relies on mode can only be used with ESP tunnel mode and relies on
monotonically increasing sequence numbers in the incoming packets. monotonically increasing sequence numbers in the incoming packets.
Thus, it is impossible to use this mode for multi-sender multicast Thus, it is impossible to use this mode for multi-sender multicast
SAs. Since multicast Data-Security SAs are unidirectional, the SAs. Since multicast Data-Security SAs are unidirectional, the
congestion control feature of aggregation and fragmentation mode congestion control feature of aggregation and fragmentation mode
cannot be used. cannot be used.
It is possible to use the aggregation and fragmentation mode without It is possible to use the aggregation and fragmentation mode without
congestion control for a single-sender multicast ESP SA created in congestion control for a single-sender multicast ESP SA created in
tunnel mode. GMs supporting this mode can send the USE_AGGFRAG tunnel mode. GMs supporting this mode can send the USE_AGGFRAG
notification in the registration request along with the SAg payload. notification in the registration request along with the SAg payload.
If the Data-Security SA(s) to be installed on GMs use the aggregation If the Data-Security SA(s) to be installed on GMs uses the
and fragmentation mode, the GCKS would indicate it by including the aggregation and fragmentation mode, the GCKS would indicate it by
USE_AGGFRAG notification along with the GSA payload in its response. including the USE_AGGFRAG notification along with the GSA payload in
its response.
7. GDOI Protocol Extensions 7. GDOI Protocol Extensions
Few extensions were defined for GDOI protocol [RFC6407], like GDOI Few extensions were defined for the GDOI protocol [RFC6407], like
Support for IEC 62351 Security Services [RFC8052] or GDOI GROUPKEY- GDOI Support for IEC 62351 Security Services [RFC8052] or the GDOI
PUSH Acknowledgement Message [RFC8263]. It is expected that these GROUPKEY-PUSH Acknowledgement Message [RFC8263]. It is expected that
extensions will be redefined for G-IKEv2 in separate documents, if these extensions will be redefined for G-IKEv2 in separate documents,
needed. if needed.
8. Security Considerations 8. Security Considerations
When an entity joins the group and becomes a group member, it has to When an entity joins the group and becomes a group member, it has to
trust the GCKS that only authorized entities are admitted to the trust that the GCKS only authorized entities that are admitted to the
group and has to trust other group members that they will not leak group and has to trust that other group members will not leak the
the information shared within the group. information shared within the group.
8.1. GSA Registration and Secure Channel 8.1. GSA Registration and Secure Channel
G-IKEv2 registration exchange uses IKEv2 IKE_SA_INIT protocols, G-IKEv2 registration exchange uses IKEv2 IKE_SA_INIT protocols,
inheriting all the security considerations documented in the inheriting all the security considerations documented in Section 5 of
Section 5 of [RFC7296], including authentication, confidentiality, [RFC7296], including authentication, confidentiality, protection
protection against man-in-the-middle, protection against replay/ against man-in-the-middle attacks, protection against replay/
reflection attacks, and denial of service protection. The GSA_AUTH reflection attacks, and denial-of-service protection. The GSA_AUTH
and GSA_REGISTRATION exchanges also take advantage of those and GSA_REGISTRATION exchanges also take advantage of those
protections. In addition, G-IKEv2 brings in the capability to protections. In addition, G-IKEv2 brings in the capability to
authorize a particular group member regardless of whether they have authorize a particular group member regardless of whether they have
the IKEv2 credentials. the IKEv2 credentials.
8.2. GSA Maintenance Channel 8.2. GSA Maintenance Channel
The GSA maintenance channel is cryptographically and integrity The GSA maintenance channel is cryptographically and integrity
protected using the cryptographic algorithm and key negotiated in the protected using the cryptographic algorithm and key negotiated in the
GSA member registration exchange. GSA member registration exchange.
8.2.1. Authentication/Authorization 8.2.1. Authentication/Authorization
The authentication key is distributed during the GM registration, and The authentication key is distributed during the GM registration and
the receiver of the rekey message uses that key to verify the message the receiver of the rekey message uses that key to verify the message
came from the authorized GCKS. An implicit authentication can also came from the authorized GCKS. An implicit authentication can also
be used, in which case the ability of the GM to decrypt and to verify be used, in which case, the ability of the GM to decrypt and to
ICV of the received message proved that a sender of the message is a verify ICV of the received message proved that a sender of the
member of the group. However, implicit authentication doesn't message is a member of the group. However, implicit authentication
provide source origin authentication, so the GM cannot be sure that doesn't provide source origin authentication, so the GM cannot be
the message came from the GCKS. For this reason using implicit sure that the message came from the GCKS. For this reason, using
authentication is NOT RECOMMENDED unless used with a small group of implicit authentication is NOT RECOMMENDED unless used with a small
trusted parties. group of trusted parties.
8.2.2. Confidentiality 8.2.2. Confidentiality
Confidentiality is provided by distributing a confidentiality key as Confidentiality is provided by distributing a confidentiality key as
part of the GSA member registration exchange. part of the GSA member registration exchange.
8.2.3. Man-in-the-Middle Attack Protection 8.2.3. Man-in-the-Middle Attack Protection
GSA maintenance channel is integrity protected by using a digital The GSA maintenance channel is integrity protected by using a digital
signature. signature.
8.2.4. Replay/Reflection Attack Protection 8.2.4. Replay/Reflection Attack Protection
The GSA_REKEY message includes a monotonically increasing sequence The GSA_REKEY message includes a monotonically increasing sequence
number to protect against replay and reflection attacks. A group number to protect against replay and reflection attacks. A group
member will recognize a replayed message by comparing the Message ID member will recognize a replayed message by comparing the Message ID
number to that of the last received rekey message, any rekey message number to that of the last received rekey message. Any rekey message
containing a Message ID number less than or equal to the last containing a Message ID number less than or equal to the last
received value MUST be discarded. Implementations should keep a received value MUST be discarded. Implementations should keep a
record of recently received GSA rekey messages for this comparison. record of recently received GSA rekey messages for this comparison.
The strict role separation between the GCKS and the GMs and, as a The strict role separation between the GCKS and the GMs and, as a
consequence, the limitation for Rekey SA to be outbound/inbound only, consequence, the limitation for a Rekey SA to be outbound/inbound
helps to prevent reflection attack. only, helps to prevent reflection attack.
9. IANA Considerations 9. IANA Considerations
9.1. Note for Reviewers
**** RFC Editor, please DELETE this Section prior to publication! 9.1. New Registries
****
While reviewing the document please note, that some of the
codepoints, that this draft claims to have allocated, in fact have
been allocated by its predecessor, draft-yeung-g-ikev2-07 in 2013, as
part of the early codepoint assignment. This documents makes use of
these already allocated codepoints, renames one of them and allocates
additional codepoints. Note also, that the semantics of the
codepoints allocated by draft-yeung-g-ikev2-07 is preserved,
including for the renamed one.
9.2. New Registries Per this document, new registries have been created for G-IKEv2 under
the "Internet Key Exchange Version 2 (IKEv2) Parameters" registry
group [IKEV2-IANA]. The terms Reserved, Expert Review, and Private
Use are as defined in [RFC8126].
A new set of registries is created for G-IKEv2 on IKEv2 parameters 1. IANA has created the "Transform Type 13 - Key Wrap Algorithm
page [IKEV2-IANA]. The terms Reserved, Expert Review and Private Use Transform IDs" registry. Changes and additions to the unassigned
are to be applied as defined in [RFC8126]. range of this registry are to be made through Expert Review
[RFC8126]. The initial values of the registry are as follows:
1. This document creates a new IANA registry "Transform Type <TBA> +==========================+============+
-- Key Wrap Algorithm Transform IDs". The initial values of the | Key Wrap Algorithm | Value |
new registry are: +==========================+============+
| Reserved | 0 |
+--------------------------+------------+
| KW_5649_128 | 1 |
+--------------------------+------------+
| KW_5649_192 | 2 |
+--------------------------+------------+
| KW_5649_256 | 3 |
+--------------------------+------------+
| KW_ARX | 4 |
+--------------------------+------------+
| Unassigned | 5-1023 |
+--------------------------+------------+
| Reserved for Private Use | 1024-65535 |
+--------------------------+------------+
Key Wrap Algorithm Value Table 11
-----------------------------
Reserved 0
KW_5649_128 1
KW_5649_192 2
KW_5649_256 3
KW_ARX 4
Unassigned 5-1023
Private Use 1024-65535
Changes and additions to the unassigned range of this registry 2. IANA has created the "Transform Type 14 - Group Controller
are by the Expert Review Policy [RFC8126]. Authentication Method Transform IDs" registry. Changes and
additions to the unassigned range of this registry are to be made
through Expert Review [RFC8126]. The initial values of the
registry are as follows:
2. This document creates a new IANA registry "Transform Type <TBA> +========================================+============+
-- Group Controller Authentication Method Transform IDs". The | Group Controller Authentication Method | Value |
initial values of the new registry are: +========================================+============+
| Reserved | 0 |
+----------------------------------------+------------+
| Implicit | 1 |
+----------------------------------------+------------+
| Digital Signature | 2 |
+----------------------------------------+------------+
| Unassigned | 3-1023 |
+----------------------------------------+------------+
| Reserved for Private Use | 1024-65535 |
+----------------------------------------+------------+
Group Controller Authentication Method Value Table 12
-------------------------------------------------
Reserved 0
Implicit 1
Digital Signature 2
Unassigned 3-1023
Private Use 1024-65535
Changes and additions to the unassigned range of this registry 3. IANA has created the "GSA Attributes" registry. Changes and
are by the Expert Review Policy [RFC8126]. additions to the unassigned range of this registry are to be made
through Expert Review [RFC8126]. The initial values of the
registry are as follows:
3. This document creates a new IANA registry "GSA Attributes". The +======================+===========+======+======+============+
initial values of the new registry are: |GSA Attributes |Value |Format|Multi-|Used in |
| | | |Valued|Protocol |
+======================+===========+======+======+============+
|Reserved |0 | |
+----------------------+-----------+------+------+------------+
|GSA_KEY_LIFETIME |1 |TLV |NO |GIKE_UPDATE,|
| | | | |AH, ESP |
+----------------------+-----------+------+------+------------+
|GSA_INITIAL_MESSAGE_ID|2 |TLV |NO |GIKE_UPDATE |
+----------------------+-----------+------+------+------------+
|GSA_NEXT_SPI |3 |TLV |YES |GIKE_UPDATE,|
| | | | |AH, ESP |
+----------------------+-----------+------+------+------------+
|Unassigned |5-16383 | |
+----------------------+-----------+--------------------------+
|Reserved for Private |16384-32767| |
|Use | | |
+----------------------+-----------+--------------------------+
GSA Attributes Value Format Multi-Valued Used in Protocol Table 13
---------------------------------------------------------------------
Reserved 0
GSA_KEY_LIFETIME 1 TLV NO GIKE_UPDATE, AH, ESP
GSA_INITIAL_MESSAGE_ID 2 TLV NO GIKE_UPDATE
GSA_NEXT_SPI 3 TLV YES GIKE_UPDATE, AH, ESP
Unassigned 5-16383
Private Use 16384-32767
4. IANA has created the "Group-wide Policy Attributes" registry.
Changes and additions to the unassigned range of this registry Changes and additions to the unassigned range of this registry
are by the Expert Review Policy [RFC8126]. are to be made through Expert Review [RFC8126]. The initial
values of the registry are as follows:
4. This document creates a new IANA registry "Group-wide Policy +======================+=============+========+==============+
Attributes". The initial values of the new registry are: | GW Policy Attributes | Value | Format | Multi-Valued |
+======================+=============+========+==============+
| Reserved | 0 | |
+----------------------+-------------+--------+--------------+
| GWP_ATD | 1 | TV | NO |
+----------------------+-------------+--------+--------------+
| GWP_DTD | 2 | TV | NO |
+----------------------+-------------+--------+--------------+
| GWP_SENDER_ID_BITS | 3 | TV | NO |
+----------------------+-------------+--------+--------------+
| Unassigned | 4-16383 | |
+----------------------+-------------+-----------------------+
| Reserved for Private | 16384-32767 | |
| Use | | |
+----------------------+-------------+-----------------------+
GW Policy Attributes Value Format Multi-Valued Table 14
--------------------------------------------------------
Reserved 0
GWP_ATD 1 TV NO
GWP_DTD 2 TV NO
GWP_SENDER_ID_BITS 3 TV NO
Unassigned 4-16383
Private Use 16384-32767
5. IANA has created the "Group Key Bag Attributes" registry.
Changes and additions to the unassigned range of this registry Changes and additions to the unassigned range of this registry
are by the Expert Review Policy [RFC8126]. are to be made through Expert Review [RFC8126]. The initial
values of the registry are as follows:
5. This document creates a new IANA registry "Group Key Bag +=============+=============+======+==============+=============+
Attributes". The initial values of the new registry are: | Group Key | Value |Format| Multi-Valued | Used in |
| Bag | | | | Protocol |
| Attributes | | | | |
+=============+=============+======+==============+=============+
| Reserved | 0 | |
+-------------+-------------+------+--------------+-------------+
| SA_KEY | 1 |TLV | YES | GIKE_UPDATE |
| | | | NO | AH, ESP |
+-------------+-------------+------+--------------+-------------+
| Unassigned | 2-16383 | |
+-------------+-------------+-----------------------------------+
| Reserved | 16384-32767 | |
| for | | |
| Private | | |
| Use | | |
+-------------+-------------+-----------------------------------+
Group Key Bag Table 15
Attributes Value Format Multi-Valued Used in Protocol
--------------------------------------------------------------------
Reserved 0
SA_KEY 1 TLV YES GIKE_UPDATE
NO AH, ESP
Unassigned 2-16383
Private Use 16384-32767
6. IANA has created the "Member Key Bag Attributes" registry.
Changes and additions to the unassigned range of this registry Changes and additions to the unassigned range of this registry
are by the Expert Review Policy [RFC8126]. are to be made through Expert Review [RFC8126]. The initial
values of the registry are as follows:
6. This document creates a new IANA registry "Member Key Bag
Attributes". The initial values of the new registry are:
Member Key Bag +================+=============+========+==============+
Attributes Value Format Multi-Valued | Member Key Bag | Value | Format | Multi-Valued |
---------------------------------------------------- | Attributes | | | |
Reserved 0 +================+=============+========+==============+
WRAP_KEY 1 TLV YES | Reserved | 0 | |
AUTH_KEY 2 TLV NO +----------------+-------------+--------+--------------+
GM_SENDER_ID 3 TLV YES | WRAP_KEY | 1 | TLV | YES |
Unassigned 4-16383 +----------------+-------------+--------+--------------+
Private Use 16384-32767 | AUTH_KEY | 2 | TLV | NO |
+----------------+-------------+--------+--------------+
| GM_SENDER_ID | 3 | TLV | YES |
+----------------+-------------+--------+--------------+
| Unassigned | 4-16383 | |
+----------------+-------------+-----------------------+
| Reserved for | 16384-32767 | |
| Private Use | | |
+----------------+-------------+-----------------------+
Changes and additions to the unassigned range of this registry Table 16
are by the Expert Review Policy [RFC8126].
9.2.1. Guidance for Designated Experts 9.1.1. Guidance for Designated Experts
In all cases of Expert Review Policy described here, the Designated In all cases of Expert Review described in this section, the
Expert (DE) is expected to ascertain the existence of suitable designated expert (DE) is expected to ascertain the existence of
documentation (a specification) as described in [RFC8126] and to suitable documentation (a specification) as described in [RFC8126]
verify that the document is permanently and publicly available. The and verify that the document is permanently and publicly available.
DE is also expected to check the clarity of purpose and use of the The DE is also expected to check the clarity of purpose and use of
requested code points. Last, the DE must verify that any the requested code points. Lastly, the DE must verify that any
specification produced outside the IETF does not conflict with work specification produced outside the IETF does not conflict with work
that is active or already published within the IETF. that is active or already published within the IETF.
9.3. Changes in the Existing IKEv2 Registries 9.2. Changes in the Existing IKEv2 Registries
1. This document defines new Exchange Types in the "IKEv2 Exchange 1. In the "IKEv2 Exchange Types" registry, IANA has updated the
Types" registry: references for the following entries to point to this document
and has registered "GSA_INBAND_REKEY":
Value Exchange Type +=======+==================+
---------------------------- | Value | Exchange Type |
39 GSA_AUTH +=======+==================+
40 GSA_REGISTRATION | 39 | GSA_AUTH |
41 GSA_REKEY +-------+------------------+
<TBA> GSA_INBAND_REKEY | 40 | GSA_REGISTRATION |
+-------+------------------+
| 41 | GSA_REKEY |
+-------+------------------+
| 42 | GSA_INBAND_REKEY |
+-------+------------------+
2. This document defines new Payload Types in the "IKEv2 Payload Table 17
Types" registry:
Value Next Payload Type Notation 2. In the "IKEv2 Payload Types" registry, IANA has listed this
---------------------------------------------------- document as a reference for the following entries:
50 Group Identification IDg
51 Group Security Association GSA
52 Key Download KD
3. This document also updates definition of Payload Type 33 in the +=======+============================+==========+
"IKEv2 Payload Types" registry by adding an alternative name and | Value | Next Payload Type | Notation |
notation for it referencing this document: +=======+============================+==========+
| 50 | Group Identification | IDg |
+-------+----------------------------+----------+
| 51 | Group Security Association | GSA |
+-------+----------------------------+----------+
| 52 | Key Download | KD |
+-------+----------------------------+----------+
Value Next Payload Type Notation Table 18
--------------------------------------------------------------------
33 Security Association SA
Security Association - GM Supported Transforms SAg
4. This document makes the following changes in the "Transform Type 3. In the "IKEv2 Payload Types" registry, IANA has updated the
Values" registry: definition of Payload Type 33 and added a reference to this
document as follows:
* Defines two new transform types -- "Key Wrap Algorithm (KWA)" +=======+=========================+==========+===========+
and "Group Controller Authentication Method (GCAUTH)"; | Value | Next Payload Type | Notation | Reference |
+=======+=========================+==========+===========+
| 33 | Security Association | SA | [RFC7296] |
| +-------------------------+----------+-----------+
| | Security Association - | SAg | RFC 9838 |
| | GM Supported Transforms | | |
+-------+-------------------------+----------+-----------+
* Changes the "Used In" column for the values 1 and 3 as Table 19
follows;
* Appends reference to this document to the values 1 and 3; 4. In the "Transform Type Values" registry, IANA has made the
following changes:
Type Description Used In * Registered "Key Wrap Algorithm (KWA)" and "Group Controller
-------------------------------------------------------------------- Authentication Method (GCAUTH)".
1 Encryption Algorithm (ENCR) (IKE, GIKE_UPDATE and ESP)
3 Integrity Algorithm (INTEG) (IKE, GIKE_UPDATE, AH,
optional in ESP)
<TBA> Key Wrap Algorithm (KWA) (IKE, GIKE_UPDATE)
<TBA> Group Controller
Authentication Method (GCAUTH) (GIKE_UPDATE)
5. This document defines a new Attribute Type in the "IKEv2 * Updated the "Used In" column for values 1 and 3 and listed
Transform Attribute Types" registry: this document as an additional reference.
Value Attribute Type Format +======+================================+======================+
------------------------------------------------------ | Type | Description | Used In |
<TBA> Signature Algorithm Identifier TLV +======+================================+======================+
| 1 | Encryption Algorithm (ENCR) | (IKE, GIKE_UPDATE, |
| | | ESP) |
+------+--------------------------------+----------------------+
| 3 | Integrity Algorithm (INTEG) | (IKE, GIKE_UPDATE, |
| | | AH, optional in ESP) |
+------+--------------------------------+----------------------+
| 13 | Key Wrap Algorithm (KWA) | (IKE, GIKE_UPDATE) |
+------+--------------------------------+----------------------+
| 14 | Group Controller | (GIKE_UPDATE) |
| | Authentication Method (GCAUTH) | |
+------+--------------------------------+----------------------+
6. This document defines a new value in the "Transform Type 5 - Table 20
Sequence Numbers Transform IDs" registry:
Number Name 5. In the "IKEv2 Transform Attribute Types" registry, IANA has added
--------------------- the following entry:
<TBA> 32-bit Unspecified Numbers
7. This document defines new Notify Message types in the "IKEv2 +=======+================================+========+
Notify Message Error Types" registry: | Value | Attribute Type | Format |
+=======+================================+========+
| 18 | Signature Algorithm Identifier | TLV |
+-------+--------------------------------+--------+
Value Notify Message Error Type Table 21
-----------------------------------------
45 INVALID_GROUP_ID
46 AUTHORIZATION_FAILED
<TBA> REGISTRATION_FAILED
8. The Notify type with the value 16429 was allocated earlier in the 6. In the "Transform Type 5 - Sequence Numbers Transform IDs"
development of G-IKEv2 document in the "IKEv2 Notify Message registry, IANA has added the following entry:
Status Types" registry with the name SENDER_REQUEST_ID. This
document renames it as follows:
Value Notify Message Status Type +========+============================+
------------------------------------------ | Number | Name |
16429 GROUP_SENDER +========+============================+
| 2 | 32-bit Unspecified Numbers |
+--------+----------------------------+
9. This document defines a new Security Protocol Identifier in the Table 22
"IKEv2 Security Protocol Identifiers" registry:
Protocol ID Protocol 7. In the "IKEv2 Notify Message Error Types" registry, IANA has made
-------------------------- the following changes:
<TBA> GIKE_UPDATE
10. Acknowledgements * Registered "REGISTRATION_FAILED".
The authors thank Lakshminath Dondeti and Jing Xiang for first * Updated the references for "INVALID_GROUP_ID" and
exploring the use of IKEv2 for group key management and providing the "AUTHORIZATION_FAILED" to point to this document.
basis behind the protocol. Mike Sullenberger and Amjad Inamdar were
instrumental in helping resolve many issues in several versions of
the document.
The authors are grateful to Tero Kivinen, Daniel Migault, Gorry +=======+===========================+
Fairhurst, Robert Sparks, Russ Housley and Paul Wouters for their | Value | Notify Message Error Type |
careful reviews and valuable proposals for improving the document +=======+===========================+
quality. | 45 | INVALID_GROUP_ID |
+-------+---------------------------+
| 46 | AUTHORIZATION_FAILED |
+-------+---------------------------+
| 49 | REGISTRATION_FAILED |
+-------+---------------------------+
11. Contributors Table 23
The following individuals made substantial contributions to early 8. The Notify type with the value 16429 was allocated earlier in the
versions of this memo. development of G-IKEv2 document in the "IKEv2 Notify Message
Status Types" registry with the name SENDER_REQUEST_ID. This
document renames it as follows:
Sheela Rowles +=======+============================+
Cisco Systems | Value | Notify Message Status Type |
+=======+============================+
| 16429 | GROUP_SENDER |
+-------+----------------------------+
Aldous Yeung Table 24
Cisco Systems
Email: cyyeung@cisco.com
Paulina Tran 9. In the "IKEv2 Security Protocol Identifiers" registry, IANA has
Cisco Systems added the following entry:
Yoav Nir +=============+=============+
Dell EMC | Protocol ID | Protocol |
Email: ynir.ietf@gmail.com +=============+=============+
| 6 | GIKE_UPDATE |
+-------------+-------------+
12. References Table 25
12.1. Normative References 10. References
[I-D.ietf-ipsecme-ikev2-rename-esn] 10.1. Normative References
Smyslov, V., "Renaming Extended Sequence Number (ESN)
Transform Type in the Internet Key Exchange Protocol
Version 2 (IKEv2)", Work in Progress, Internet-Draft,
draft-ietf-ipsecme-ikev2-rename-esn-05, 16 March 2025,
<https://datatracker.ietf.org/doc/html/draft-ietf-ipsecme-
ikev2-rename-esn-05>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the [RFC4301] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, Internet Protocol", RFC 4301, DOI 10.17487/RFC4301,
December 2005, <https://www.rfc-editor.org/info/rfc4301>. December 2005, <https://www.rfc-editor.org/info/rfc4301>.
skipping to change at page 69, line 36 skipping to change at line 3164
[RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for
Writing an IANA Considerations Section in RFCs", BCP 26, Writing an IANA Considerations Section in RFCs", BCP 26,
RFC 8126, DOI 10.17487/RFC8126, June 2017, RFC 8126, DOI 10.17487/RFC8126, June 2017,
<https://www.rfc-editor.org/info/rfc8126>. <https://www.rfc-editor.org/info/rfc8126>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
12.2. Informative References [RFC9827] Smyslov, V., "Renaming the Extended Sequence Numbers (ESN)
Transform Type in the Internet Key Exchange Protocol
Version 2 (IKEv2)", RFC 9827, DOI 10.17487/RFC9827,
September 2025, <https://www.rfc-editor.org/info/rfc9827>.
10.2. Informative References
[ARX-KW] Shinichi, S., "ARX-KW, a family of key wrapping [ARX-KW] Shinichi, S., "ARX-KW, a family of key wrapping
constructions using SipHash and ChaCha", January 2020, constructions using SipHash and ChaCha", Cryptology ePrint
Archive, Paper 2020/059, January 2020,
<https://eprint.iacr.org/2020/059.pdf>. <https://eprint.iacr.org/2020/059.pdf>.
[I-D.ietf-ipsecme-ikev2-qr-alt] [IKEV2-IANA]
IANA, "Internet Key Exchange Version 2 (IKEv2)
Parameters",
<http://www.iana.org/assignments/ikev2-parameters>.
[IPSEC-IKEV2-QR-ALT]
Smyslov, V., "Mixing Preshared Keys in the Smyslov, V., "Mixing Preshared Keys in the
IKE_INTERMEDIATE and in the CREATE_CHILD_SA Exchanges of IKE_INTERMEDIATE and in the CREATE_CHILD_SA Exchanges of
IKEv2 for Post-quantum Security", Work in Progress, IKEv2 for Post-quantum Security", Work in Progress,
Internet-Draft, draft-ietf-ipsecme-ikev2-qr-alt-10, 23 May Internet-Draft, draft-ietf-ipsecme-ikev2-qr-alt-10, 23 May
2025, <https://datatracker.ietf.org/doc/html/draft-ietf- 2025, <https://datatracker.ietf.org/doc/html/draft-ietf-
ipsecme-ikev2-qr-alt-10>. ipsecme-ikev2-qr-alt-10>.
[IKEV2-IANA] [NNL] Naor, D., Naor, M., and J. Lotspiech, "Revocation and
IANA, "Internet Key Exchange Version 2 (IKEv2)
Parameters", <http://www.iana.org/assignments/ikev2-
parameters/ikev2-parameters.xhtml>.
[NNL] Naor, D., Noal, M., and J. Lotspiech, "Revocation and
Tracing Schemes for Stateless Receivers", Advances in Tracing Schemes for Stateless Receivers", Advances in
Cryptology, Crypto '01, Springer-Verlag LNCS 2139, 2001, Cryptology - CRYPTO 2001, Lecture Notes in Computer
pp. 41-62, 2001, Science, vol. 2139, pp. 41-62,
DOI 10.1007/3-540-44647-8_3, 2001,
<http://www.wisdom.weizmann.ac.il/~naor/PAPERS/2nl.pdf>. <http://www.wisdom.weizmann.ac.il/~naor/PAPERS/2nl.pdf>.
[OFT] McGrew, D. and A. Sherman, "Key Establishment in Large [OFT] McGrew, D. and A. Sherman, "Key Establishment in Large
Dynamic Groups Using One-Way Function Trees", Dynamic Groups Using One-Way Function Trees", IEEE
Manuscript, submitted to IEEE Transactions on Software Transactions on Software Engineering, vol. 29, no. 5, pp.
Engineering, 1998, <https://pdfs.semanticscholar.org/ 444-458, DOI 10.1109/TSE.2003.1199073, May 1998,
<https://pdfs.semanticscholar.org/
d24c/7b41f7bcc2b6690e1b4d80eaf8c3e1cc5ee5.pdf>. d24c/7b41f7bcc2b6690e1b4d80eaf8c3e1cc5ee5.pdf>.
[RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange [RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange
(IKE)", RFC 2409, DOI 10.17487/RFC2409, November 1998, (IKE)", RFC 2409, DOI 10.17487/RFC2409, November 1998,
<https://www.rfc-editor.org/info/rfc2409>. <https://www.rfc-editor.org/info/rfc2409>.
[RFC2627] Wallner, D., Harder, E., and R. Agee, "Key Management for [RFC2627] Wallner, D., Harder, E., and R. Agee, "Key Management for
Multicast: Issues and Architectures", RFC 2627, Multicast: Issues and Architectures", RFC 2627,
DOI 10.17487/RFC2627, June 1999, DOI 10.17487/RFC2627, June 1999,
<https://www.rfc-editor.org/info/rfc2627>. <https://www.rfc-editor.org/info/rfc2627>.
skipping to change at page 73, line 13 skipping to change at line 3336
<https://www.rfc-editor.org/info/rfc9347>. <https://www.rfc-editor.org/info/rfc9347>.
[RFC9370] Tjhai, CJ., Tomlinson, M., Bartlett, G., Fluhrer, S., Van [RFC9370] Tjhai, CJ., Tomlinson, M., Bartlett, G., Fluhrer, S., Van
Geest, D., Garcia-Morchon, O., and V. Smyslov, "Multiple Geest, D., Garcia-Morchon, O., and V. Smyslov, "Multiple
Key Exchanges in the Internet Key Exchange Protocol Key Exchanges in the Internet Key Exchange Protocol
Version 2 (IKEv2)", RFC 9370, DOI 10.17487/RFC9370, May Version 2 (IKEv2)", RFC 9370, DOI 10.17487/RFC9370, May
2023, <https://www.rfc-editor.org/info/rfc9370>. 2023, <https://www.rfc-editor.org/info/rfc9370>.
Appendix A. Use of LKH in G-IKEv2 Appendix A. Use of LKH in G-IKEv2
Section 5.4 of [RFC2627] describes the LKH architecture, and how a Section 5.4 of [RFC2627] describes the LKH architecture and how a
GCKS uses LKH to exclude group members. This section clarifies how GCKS uses LKH to exclude group members. This section clarifies how
the LKH architecture is used with G-IKEv2. the LKH architecture is used with G-IKEv2.
A.1. Notation A.1. Notation
In this section we will use the notation X{Y} where a key with ID Y In this section, we will use the notation X{Y}, where a key with ID Y
is encrypted with the key with ID X. The notation GSK_w{Y} means is encrypted with the key with ID X. The notation GSK_w{Y} means
that the default wrap key GSK_w (with zero KWK ID)is used to encrypt that the default wrap key GSK_w (with zero KWK ID)is used to encrypt
key Y, and the notation X{K_sa} means key X is used to encrypt the SA key Y, and the notation X{K_sa} means key X is used to encrypt the SA
key K_sa (wich always has zero Key ID). Note, that GSK_w{K_sa} means key K_sa (which always has a Key ID of zero). Note that GSK_w{K_sa}
that the SA key is encrypted with the default wrap key, in which case means that the SA key is encrypted with the default wrap key, in
both KWK ID and Key ID are zero. which case, both KWK ID and Key ID are zero.
The content of the KD payload will be shown as a sequence of key The content of the KD payload will be shown as a sequence of key
bags. The Group Key Bag substructure will be denoted as GP(SAn)(), bags. The Group Key Bag substructure will be denoted as GP(SAn)()
when n is an SPI for the SA, and the Member Key Bag substructure will when n is an SPI for the SA and the Member Key Bag substructure will
be denoted as MP(). The content of the key bags is shown as SA_KEY be denoted as MP(). The content of the key bags is shown as SA_KEY
and WRAP_KEY attributes with the notation described above. For and WRAP_KEY attributes with the notation described above. For
simplicity the type of the attribute will not be shown, because it is simplicity, the type of the attribute will not be shown because it is
implicitly defined by the type of key bag. implicitly defined by the type of key bag.
Here is the example of KD payload. Below is the example of a KD payload:
KD(GP(SA1)(X{K_sa}),MP(Y{X},Z{Y},GSK_w{Z}) KD(GP(SA1)(X{K_sa}),MP(Y{X},Z{Y},GSK_w{Z})
For simplicity any other attributes in the KD payload are omitted. Figure 23
For simplicity, any other attributes in the KD payload are omitted.
We will also use the notation X->Y->Z to describe the Key Path. In We will also use the notation X->Y->Z to describe the Key Path. In
this case key Y is needed to decrypt key X and key Z is needed to this case, key Y is needed to decrypt key X and key Z is needed to
decrypt key Y. In the example above the keys had the following decrypt key Y. In the example above, the keys had the following
relation: K_sa->X->Y->Z->GSK_w. relation: K_sa->X->Y->Z->GSK_w.
A.2. Group Creation A.2. Group Creation
When a GCKS forms a group, it creates a key tree as shown in the When a GCKS forms a group, it creates a key tree as shown in
figure below. The key tree contains logical keys (which are Figure 24. The key tree contains logical keys (which are represented
represented as the values of their Key IDs in the figure) and a as the values of their Key IDs in the figure) and a private key
private key shared with only a single GM (the GMs are represented as shared with only a single GM (the GMs are represented as letters
letters followed by the corresponding key ID in parentheses in the followed by the corresponding key ID in parentheses in the figure).
figure). The root of the tree contains the multicast Rekey SA key The root of the tree contains the multicast Rekey SA key (which is
(which is represented as SAn(K_san). The figure below assumes that represented as SAn(K_san). The figure below assumes that the Key IDs
the Key IDs are assigned sequentially; this is not a requirement and are assigned sequentially; this is not a requirement and only used
only used for illustrative purposes. The GCKS may create a complete for illustrative purposes. The GCKS may create a complete tree as
tree as shown, or a partial tree which is created on demand as shown or a partial tree, which is created on demand as members join
members join the group. the group.
SA1(K_sa1) SA1(K_sa1)
+------------------------------+ +------------------------------+
1 2 1 2
+---------------+ +---------------+ +---------------+ +---------------+
3 4 5 6 3 4 5 6
+-------+ +-------+ +--------+ +--------+ +-------+ +-------+ +--------+ +--------+
A(7) B(8) C(9) D(10) E(11) F(12) G(13) H(14) A(7) B(8) C(9) D(10) E(11) F(12) G(13) H(14)
Figure 22: Initial LKH tree Figure 24: Initial LKH Tree
When GM A joins the group, the GCKS provides it with the keys in the When GM A joins the group, the GCKS provides it with the keys in the
KD payload of the GSA_AUTH or GSA_REGISTRATION exchange. Given the KD payload of the GSA_AUTH or GSA_REGISTRATION exchange. Given the
tree shown in figure above, the KD payload will be: tree shown in figure above, the KD payload will be:
KD(GP(SA1)(1{K_sa1}),MP(3{1},7{3},GSK_w{7}) KD(GP(SA1)(1{K_sa1}),MP(3{1},7{3},GSK_w{7})
Figure 23: KD Payload for the Group Member A Figure 25: KD Payload for the Group Member A
From these attributes the GM A will construct the Key Path From these attributes, the GM A will construct the Key Path
K_sa1->1->3->7->GSK_w and since it ends up with GSK_w, it will use K_sa1->1->3->7->GSK_w. Since it ends up with GSK_w, it will use all
all the WRAP_KEY attributes present in the path as its Working Key the WRAP_KEY attributes present in the path as its Working Key Path:
Path: 1->3->7. 1->3->7.
Similarly, when other GMs will be joining the group they will be Similarly, when other GMs will be joining the group, they will be
provided with the corresponding keys, so after all the GMs will have provided with the corresponding keys, so after all, the GMs will have
the following Working Key Paths: the following Working Key Paths:
A: 1->3->7 B: 1->3->8 C: 1->4->9, D: 1->4->10 A: 1->3->7 B: 1->3->8 C: 1->4->9, D: 1->4->10
E: 2->5->11 F: 2->5->12 G: 2->6->13 H: 2->6->14 E: 2->5->11 F: 2->5->12 G: 2->6->13 H: 2->6->14
Figure 26
A.3. Simple Group SA Rekey A.3. Simple Group SA Rekey
If the GCKS performs a simple SA rekey without changing group If the GCKS performs a simple SA rekey without changing group
membership, it will only send group key bag in the KD payload with a membership, it will only send a Group Key Gag in the KD payload with
new SA key encrypted with the default KWK. a new SA key encrypted with the default KWK.
KD(GP(SA2)(GSK_w{K_sa2})) KD(GP(SA2)(GSK_w{K_sa2}))
Figure 24: KD Payload for the Simple Group SA Rekey Figure 27: KD Payload for the Simple Group SA Rekey
All the GMs will be able to decrypt it and no changes in their All the GMs will be able to decrypt it and no changes in their
Working Key Paths will happen. Working Key Paths will happen.
A.4. Group Member Exclusion A.4. Group Member Exclusion
If the GKCS has reason to believe that a GM should be excluded, then If the GCKS has reason to believe that a GM should be excluded, then
it can do so by sending a GSA_REKEY message that includes a set of it can do so by sending a GSA_REKEY message that includes a set of
GM_KEY attributes which would allow all GMs except for the excluded GM_KEY attributes, which would allow all GMs, except for the excluded
one to get a new SA key. one, to get a new SA key.
In the example below the GCKS excludes GM F. For this purpose it In the example below, the GCKS excludes GM F. For this purpose, it
changes the key tree as follows, replacing the key 2 with the key 15 changes the key tree as follows, replacing key 2 with key 15 and key
and the key 5 with the key 16. It also generates a new SA key for a 5 with key 16. It also generates a new SA key for a new SA3.
new SA3.
SA3(K_sa3) SA3(K_sa3)
+------------------------------+ +------------------------------+
1 15 1 15
+---------------+ +---------------+ +---------------+ +---------------+
3 4 16 6 3 4 16 6
+-------+ +-------+ +---- +--------+ +-------+ +-------+ +---- +--------+
A(7) B(8) C(9) D(10) E(11) F(12) G(13) H(14) A(7) B(8) C(9) D(10) E(11) F(12) G(13) H(14)
Figure 25: LKH tree after F has been excluded Figure 28: LKH Tree after F Has Been Excluded
Then it sends the following KD payload for the new Rekey SA3: Then it sends the following KD payload for the new Rekey SA3:
KD(GP(SA3)(1{K_sa3},15{K_sa3}),MP(6{15},16{15},11{16}) KD(GP(SA3)(1{K_sa3},15{K_sa3}),MP(6{15},16{15},11{16})
Figure 26: KD Payload for the Group Member F Figure 29: KD Payload for the Group Member F
While processing this KD payload: While processing this KD payload:
* GMs A, B, C and D will be able to decrypt the SA_KEY attribute * GMs A, B, C, and D will be able to decrypt the SA_KEY attribute
1{K_sa3} by using the "1" key from their key path. Since no new 1{K_sa3} by using the "1" key from their key path. Since no new
GM_KEY attributes are in the new Key Path, they won't update their GM_KEY attributes are in the new Key Path, they won't update their
Working Key Paths. Working Key Paths.
* GMs G and H will construct new Key Path 15->6 and will be able to * GMs G and H will construct new Key Path 15->6 and will be able to
decrypt the intermediate key 15 using the key 6 from their Working decrypt the intermediate key 15 using key 6 from their Working Key
Key Paths. So, they will update their Working Key Paths replacing Paths. So, they will update their Working Key Paths replacing
their beginnings up to the key 6 with the new Key Path (thus their beginnings up to key 6 with the new Key Path (thus replacing
replacing the key 2 with the key 15). the key 2 with the key 15).
* GM E will construct new Key Path 16->15->11 and will be able to * GM E will construct a new Key Path 16->15->11 and will be able to
decrypt the intermediate key 16 using the key 11 from its Working decrypt the intermediate key 16 using key 11 from its Working Key
Key Path. So, it will update its Working Key Path replacing its Path. So, it will update its Working Key Path replacing its
beginnings up to the key 11 with the new Key Path (thus replacing beginnings up to key 11 with the new Key Path (thus replacing key
the key 2 with the key 15 and the key 5 with the key 16). 2 with key 15 and key 5 with key 16).
* GM F won't be able to construct any Key Path leading to any key he * GM F won't be able to construct any Key Path leading to any key it
possesses, so it will be unable to decrypt the new SA key for the possesses, so it will be unable to decrypt the new SA key for the
SA3 and thus it will be excluded from the group once the SA3 is SA3. Thus, it will be excluded from the group once the SA3 is
used. used.
Finally, the GMs will have the following Working Key Paths: Finally, the GMs will have the following Working Key Paths:
A: 1->3->7 B: 1->3->8 C: 1->4->9, D: 1->4->10 A: 1->3->7 B: 1->3->8 C: 1->4->9, D: 1->4->10
E: 15->16->11 F: excluded G: 15->6->13 H: 15->6->14 E: 15->16->11 F: excluded G: 15->6->13 H: 15->6->14
Figure 30
Acknowledgements
The authors thank Lakshminath Dondeti and Jing Xiang for first
exploring the use of IKEv2 for group key management and providing the
basis behind the protocol. Mike Sullenberger and Amjad Inamdar were
instrumental in helping resolve many issues in several draft versions
of the document.
The authors are grateful to Tero Kivinen, Daniel Migault, Gorry
Fairhurst, Robert Sparks, Russ Housley, and Paul Wouters for their
careful reviews and valuable proposals for improving the document
quality.
Contributors
The following individuals made substantial contributions to earlier
draft versions of this document.
Sheela Rowles
Cisco Systems
Aldous Yeung
Cisco Systems
Email: cyyeung@cisco.com
Paulina Tran
Cisco Systems
Yoav Nir
Dell EMC
Email: ynir.ietf@gmail.com
Authors' Addresses Authors' Addresses
Valery Smyslov Valery Smyslov
ELVIS-PLUS ELVIS-PLUS
Russian Federation Russian Federation
Email: svan@elvis.ru Email: svan@elvis.ru
Brian Weis Brian Weis
Independent Independent
United States of America United States of America
 End of changes. 521 change blocks. 
1506 lines changed or deleted 1661 lines changed or added

This html diff was produced by rfcdiff 1.48.