<?xmlversion="1.0" encoding="US-ASCII"?> <?rfc toc="yes"?> <?rfc tocompact="no"?> <?rfc tocdepth="3"?> <?rfc symrefs="yes"?> <?rfc sortrefs="yes"?>version='1.0' encoding='UTF-8'?> <!DOCTYPE rfc [ <!ENTITY nbsp " "> <!ENTITY zwsp "​"> <!ENTITY nbhy "‑"> <!ENTITY wj "⁠"> ]> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" category="std" submissionType="IETF" docName="draft-ietf-ipsecme-g-ikev2-23" number="9838" ipr="trust200902"obsoletes="6407">consensus="true" updates="" obsoletes="6407" tocInclude="true" tocDepth="3" symRefs="true" sortRefs="true" version="3" xml:lang="en"> <!-- [rfced] Because this document obsoletes RFC 6407, please review the errata reported for RFC 6407 (https://www.rfc-editor.org/errata_search.php?rfc=6407) and let us know if you confirm our opinion that none of them are relevant to the content of this document. --> <!-- [rfced] Please note that the title of the document has been updated to expand abbreviations per Section 3.6 of RFC 7322 ("RFC Style Guide"). Original: Group Key Management using IKEv2 Current: Group Key Management Using the Internet Key Exchange Protocol Version 2 (IKEv2) --> <front> <title abbrev="G-IKEv2">Group Key Managementusing IKEv2</title>Using the Internet Key Exchange Protocol Version 2 (IKEv2)</title> <seriesInfo name="RFC" value="9838"/> <author fullname="Valery Smyslov" initials="V." surname="Smyslov"> <organization>ELVIS-PLUS</organization> <address> <postal><street></street> <city></city> <code></code> <region></region><country>Russian Federation</country> </postal><phone></phone><email>svan@elvis.ru</email> </address> </author> <author fullname="Brian Weis" initials="B." surname="Weis"> <organization>Independent</organization> <address> <postal><street></street> <city></city> <code></code> <region></region> <country>USA</country><country>United States of America</country> </postal><phone></phone><email>bew.stds@gmail.com</email> </address> </author> <date/> <area>Security Area</area>month="September" year="2025"/> <area>SEC</area> <workgroup>ipsecme</workgroup> <!-- [rfced] Please insert any keywords (beyond those that appear in the title) for use on https://www.rfc-editor.org/search. --> <keyword>example</keyword> <abstract> <t> This document presents an extension to the Internet Key ExchangeversionProtocol Version 2 (IKEv2)protocolfor the purpose ofagroup key management. The protocol is in conformance with the Multicast Security (MSEC) key management architecture, which contains two components: member registration and group rekeying. Both components are required for aGCKS (GroupGroup Controller/KeyServer)Server (GCKS) to provide authorized Group Members (GMs) with IPsecgroup security associations.Group Security Associations (GSAs). The group members then exchange IP multicast or other group traffic as IPsec packets. </t><t> This<t>This document obsoletes RFC 6407. </t> </abstract> </front> <middle><section title="Introduction<section> <name>Introduction andOverview"> <t> ThisOverview</name> <t>This document presents an extension to IKEv2 <xreftarget="RFC7296"></xref>target="RFC7296"/> called G-IKEv2, which allows performingagroup key management. A group key management protocol provides IPsec keys and policy to a set of IPsec deviceswhichthat are authorized to communicate using a Group Security Association (GSA) defined in Multicast Group Security Architecture <xreftarget="RFC3740"></xref>.target="RFC3740"/>. The data communications within the group (e.g., IP multicast packets) are protected by a key pushed to thegroup membersGroup Members (GMs) by the Group Controller/Key Server (GCKS). </t> <t>G-IKEv2 conforms tothe"The Multicast Group SecurityArchitectureArchitecture" <xreftarget="RFC3740"></xref>, Multicasttarget="RFC3740"/>, "Multicast Extensions to the Security Architecture for the InternetProtocolProtocol" <xreftarget="RFC5374"></xref>target="RFC5374"/>, andthe Multicast"Multicast Security (MSEC) Group Key ManagementArchitectureArchitecture" <xreftarget="RFC4046"></xref>.target="RFC4046"/>. G-IKEv2 replacesGDOI"The Group Domain of Interpretation" <xreftarget="RFC6407"></xref>,target="RFC6407"/>, which defines a similar group key management protocol using IKEv1 <xreftarget="RFC2409"></xref>target="RFC2409"/> (since deprecated by IKEv2). When G-IKEv2 is used, group key management use cases can benefit from the simplicity, increasedrobustnessrobustness, and cryptographic improvements of IKEv2 (seeAppendix A of<xreftarget="RFC7296"></xref>).</t>section="A" target="RFC7296"/>).</t> <t>G-IKEv2 is composed of two phases: registration and rekeying. In the registrationphasephase, a GM contacts a GCKS to register to a group and to receive the necessary policy and the keying material to be able communicate with the other GMs in the group as well as with the GCKS. The rekeying phase allows the GCKS to periodically renew the keying material for both GM-to-GM communications as well as for communication between the GM and the GCKS. </t> <t>G-IKEv2 defines two ways to perform registration. When a GM first contacts aGCKSGCKS, it uses the GSA_AUTH exchange (<xreftarget="gsa_auth" />)target="gsa_auth"/>) to register to a group. This exchange happens after the IKE_SA_INIT exchange (similarly to the IKE_AUTH exchange in IKEv2) and results in establishing an IKESASecurity Association (SA) between the GM and the GCKS. During thisexchangeexchange, the GCKS authenticates and authorizes theGM,GM and then pushes policy and keys used by the group to the GM. The second new exchange type is the GSA_REGISTRATION exchange (<xreftarget="gsa_registration" />),target="gsa_registration"/>), whicha GMcanusebe used by the GM within thealready establishedalready-established IKE SA with the GCKS(e.g.(e.g., for registering to another group). </t><t> Refreshing<t>Refreshing the group keys can be performed either inana unicast mode via the GSA_INBAND_REKEY exchange (<xreftarget="gsa_inband_rekey" />)target="gsa_inband_rekey"/>) performed over a specific IKE SA between a GM and a GCKS or in a multicast mode with the GSA_REKEY pseudo exchange (<xreftarget="gsa_rekey" />),target="gsa_rekey"/>) when new keys are being distributed to all GMs. </t> <t>Large and small groups may use different sets of these mechanisms. When a large group of devices are communicating, the GCKS is likely to use the GSA_REKEY message for efficiency. This is shown in <xreftarget="large-groups"></xref>,target="large-groups"/>, where multicast communications are indicated with a double line. <!-- [rfced] Please review whether any of the notes in this document should be in the <aside> element. It is defined as "a container for content that is semantically less important or tangential to the content that surrounds it" (https://authors.ietf.org/en/rfcxml-vocabulary#aside). --> (Note: For clarity, IKE_SA_INIT is omitted from Figures <xref target="large-groups"/>format="counter"/> and <xref target="small-groups"/>).</t>format="counter"/>.)</t> <figureanchor="large-groups" title="G-IKEv2 usedanchor="large-groups"> <name>G-IKEv2 Used inlarge groups">Large Groups</name> <artworkalign="center"name=""><![CDATA[ +--------+ +----IKEv2---->| GCKS |<----IKEv2----+ | +--------+ | | || ^ | | || | | | || GSA_AUTH | | || or | | || GSA_REGISTRATION | | || | | GSA_AUTH || IKEv2 GSA_AUTH or || | or GSA_REGISTRATION GSA_REKEY | GSA_REGISTRATION | || | | | *==========**================* | | || || | || | v \/ \/ v \/ v +-------+ +--------+ +-------+ | GM | ... | GM | ... | GM | +-------+ +--------+ +-------+ || || || *=====ESP/AH=====**=====ESP/AH====* ]]></artwork> </figure> <t>Alternatively, a small group may simply use the GSA_AUTH or GSA_REGISTRATION as registration protocols, where the GCKS issues rekeys using the GSA_INBAND_REKEY within the same IKE SA. </t> <figureanchor="small-groups" title="G-IKEv2 usedanchor="small-groups"> <name>G-IKEv2 Used insmall groups">Small Groups</name> <artworkalign="center"name=""><![CDATA[ GSA_AUTH or GSA_REGISTRATION, GSA_INBAND_REKEY +--------------------IKEv2----------------------+ | | | GSA_AUTH or GSA_REGISTRATION, | | GSA_INBAND_REKEY | | +-----------IKEv2-------------+ | | | | | | |GSA_AUTH or GSA_REGISTRATION,| | | | GSA_INBAND_REKEY | | | | +--IKEv2-+ | | v v v v v v +---------+ +----+ +----+ +----+ | GCKS/GM | | GM | | GM | | GM | +---------+ +----+ +----+ +----+ || || || || *==ESP/AH==**=====ESP/AH====**===ESP/AH===* ]]></artwork> </figure> <t> A combination of these approaches is also possible. For example, the GCKS may use more robust GSA_INBAND_REKEY to provide keys for some GMs (for example, those acting as senders in the group) and GSA_REKEY for the rest.Note also,Also note that GCKS mayalsobe a GM (as shown in <xreftarget="small-groups"></xref>).target="small-groups"/>). </t> <t>IKEv2 message semantics are preserved in that all communicationsconsistsconsist of message request-response pairs. The exception to this rule is the GSA_REKEY pseudo-exchange, which is a single message delivering group updates to the GMs.</t><section title="Requirements Notation"> <t>The<section> <name>Requirements Notation</name> <t> The key words"MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY","<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and"OPTIONAL""<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described inBCP 14BCP 14 <xreftarget="RFC2119"></xref>target="RFC2119"/> <xreftarget="RFC8174"></xref>target="RFC8174"/> when, and only when, they appear in all capitals, as shownhere.</t>here. </t> </section> <sectiontitle="Terminology"anchor="terms"> <name>Terminology</name> <t> It is assumed that readers are familiar with the IPsec architecture <xreftarget="RFC4301" />,target="RFC4301"/> and its extension for multicast <xreftarget="RFC5374" />.target="RFC5374"/>. This document defines an extension to the IKEv2 protocol <xreftarget="RFC7296" />target="RFC7296"/> and skips many of its details. The notation and conventions from <xreftarget="RFC7296" />target="RFC7296"/> are used for describing G-IKEv2 payloads and exchanges. </t><t>The<!--[rfced] As the full titles of RFCs 3740, 5374, and 6407 are included in Section 1, we removed the titles from the following text in Section 1.2. Please let us know of any objections. Original: The following key terms are used throughout this document (mostly borrowed from the Multicast Group Security Architecture<xref target="RFC3740" />,[RFC3740], Multicast Extensions to the Security Architecture [RFC5374], and the Group Domain of Interpretation (GDOI) [RFC6407]). Current: The following key terms are used throughout this document (mostly borrowed from [RFC3740], [RFC5374], and [RFC6407]). --> <t>The following key terms are used throughout this document (mostly borrowed from <xreftarget="RFC5374" />target="RFC3740"/>, <xref target="RFC5374"/>, andGDOI<xreftarget="RFC6407" />).</t>target="RFC6407"/>).</t> <dl anchor="definitions"newline="true"> <dt>Group</dt>newline="true" spacing="normal"> <dt>Group:</dt> <dd>A set of IPsec devices that communicate to each other using multicast.</dd> <dt>Group Member(GM)</dt>(GM):</dt> <dd>An IPsec device that belongs to a group. A Group Member is authorized to be a Group Sender and/or a Group Receiver. </dd> <dt>GroupReceiver</dt>Receiver:</dt> <dd>A Group Member that is authorized to receive packets sent to a group by a Group Sender. </dd> <dt>GroupSender</dt>Sender:</dt> <dd>A Group Member that is authorized to send packets to a group. </dd> <dt>Group Key Management (GKM)Protocol</dt>Protocol:</dt> <dd>A key management protocol used by a GCKS to distribute IPsec Security Association policy and keying material. A GKM protocol is needed because a group of IPsec devices require the same SAs. For example, when an IPsec SA describes an IP multicast destination, the sender and all receivers need to have the group SA. </dd> <dt>Group Controller/Key Server(GCKS)</dt>(GCKS):</dt> <dd>A Group Key Management (GKM) protocol server that manages IPsec state for a group. A GCKS authenticates and provides the IPsec SA policy and keying material to GMs. </dd> <dt>Data-SecuritySA</dt>SA:</dt> <dd>A multicast SA between each multicast sender and the group's receivers. The Data-Security SA protects data between member senders and member receivers. One or more SAs are required for the multicast transmission ofdata-messagesdata messages from the Group Sender to other group members. This specification relies onESPEncapsulating Security Payload (ESP) andAHAuthentication Header (AH) as protocols for Data-Security SAs. </dd> <dt>RekeySA</dt>SA:</dt> <dd>A single multicast SA between the GCKS and all of the group members. This SA is used for multicast transmission of key management messages from the GCKS to all GMs. </dd> <dt>Group Security Association(GSA)</dt>(GSA):</dt> <dd>A collection of Data-Security SAs and RekeySASAs necessary for a Group Member to receive key updates. A GSA describes the working policy for a group. Refer to the MSEC Group Key Management Architecture <xreftarget="RFC4046" />target="RFC4046"/> for additional information. </dd> <dt>Traffic Encryption Key(TEK)</dt>(TEK):</dt> <dd>The symmetric cipher key used in a Data-Security SA (e.g., IPsec ESP) to protect traffic. </dd> <dt>Key Encryption Key(KEK)</dt>(KEK):</dt> <dd>The symmetric key (or a set of keys) used in a Rekey SA to protect its messages. The set of keys may include keys for encryption and authentication, as well as keys for key wrapping. </dd> <dt>Key Wrap Key(KWK)</dt>(KWK):</dt> <dd>The symmetric cipher key used to protect another key. </dd> <dt>Group-wide (GW)policy</dt>policy:</dt> <dd>Group policy not related to a particular SA. </dd> <dt>Activation Time Delay(ATD)</dt>(ATD):</dt> <dd>Defines how long Group Senders should wait after receiving new SAs beforestartingsending traffic over them. </dd> <dt>Deactivation Time Delay(DTD)</dt>(DTD):</dt> <dd>Defines how long Group Members should wait after receiving a request to delete Data-Security SAs before actually deleting them. </dd><dt>Sender-ID</dt><dt>Sender-ID:</dt> <dd>A unique identifier of a Group Sender in the context of an activeGSA,GSA used to form the Initialization Vector (IV) in counter-based cipher modes. </dd> <dt>Logical Key Hierarchy(LKH)</dt>(LKH):</dt> <dd>A group management method defined inSection 5.4 of Key Management for Multicast<xref target="RFC2627"/>.sectionFormat="of" section="5.4"/>. </dd> </dl> </section> </section><section title="G-IKEv2 Protocol"><section> <name>G-IKEv2 Protocol</name> <t>G-IKEv2 is an extension to the IKEv2 protocol <xreftarget="RFC7296" />target="RFC7296"/> that provides group authorization, securepolicypolicy, and keys download from the GCKS to GMs. </t><section title="G-IKEv2<section> <name>G-IKEv2 Integration into the IKEv2Protocol">Protocol</name> <t>G-IKEv2 is compatible with most IKEv2 extensions defined so far (see <xreftarget="ike_ext" />target="ike_ext"/> for details). In particular, it is assumed that, if necessary, the IKE_INTERMEDIATE exchanges <xreftarget="RFC9242" />target="RFC9242"/> may be utilized while establishing the registration SA. It is also believed that future IKEv2 extensions will be possible to use withG-IKEv2, however,G-IKEv2. However, some IKEv2 extensions may require special handling when used with G-IKEv2.</t><section title="G-IKEv2<section> <name>G-IKEv2 Transport andPort">Port</name> <t> As an IKEv2 extension, G-IKEv2 <bcp14>SHOULD</bcp14> use the IKEv2 ports (500, 4500). <!-- [rfced] Should the following sentence be rephrased as shown below to clarify "IKE SA"? Current: G-IKEv2 MAY also use TCP transport for registration (unicast) IKE SA, as defined in TCP Encapsulation of IKEv2 and IPsec [RFC9329]. Perhaps: G-IKEv2 MAY also use TCP transport for the registration (unicast) of IKE SA, as defined in TCP Encapsulation of IKEv2 and IPsec [RFC9329]. --> G-IKEv2 <bcp14>MAY</bcp14> also use TCP transport for registration (unicast) IKE SA, as defined in TCP Encapsulation of IKEv2 and IPsec <xreftarget="RFC9329" />.target="RFC9329"/>. G-IKEv2 <bcp14>MAY</bcp14> also use UDP port 848, the same asGDOIGroup Domain of Interpretation (GDOI) <xreftarget="RFC6407"></xref>,target="RFC6407"/>, because they serve a similar function. The version number in the IKE header distinguishes the G-IKEv2 protocol from the GDOI protocol <xreftarget="RFC6407"></xref>.target="RFC6407"/>. </t><t>Section 2.23 of IKEv2 <xref<t><xref target="RFC7296"/>sectionFormat="of" section="2.23"/> describes how IKEv2 supports paths with NATs. The G-IKEv2 registration SA doesn't create any unicast IPsecSAs, thusSAs; thus, if a NAT is present between the GM and the GCKS, there is no unicast ESP traffic to encapsulate in UDP. However, the actions described in this section regarding the IKE SA <bcp14>MUST</bcp14> be honored. The behavior of GMs and GCKS <bcp14>MUST NOT</bcp14> depend on the port used to create the initial IKE SA. For example, if the GM and the GCKS used UDP port 848 for the IKE_SA_INIT exchange, they will operate the same as if they had used UDP port 500. </t> </section> </section><section title="G-IKEv2 Payloads"><section> <name>G-IKEv2 Payloads</name> <t>In the following descriptions, the payloads contained in the G-IKEv2 messages are indicated by names as listed below.</t><table title="Payloads<!-- [rfced] Please review Table 1 in Section 2.2. We note that there is some variation between the payload names used in this table and those used inG-IKEv2">RFC 7296. For example, in RFC 7296, "HDR" is "IKE header (not a payload)" and "SK" is "Encrypted and Authenticated". Please let us know if we should update this table to match what appears in RFC 7296. In addition, we note the following variations in Table 1 and the running text. Should the payload for "IDg" be updated as "Group Identification" to match Table 18 (i.e., the "IKEv2 Payload Types" IANA registry)? Please let us know how we may make these consistent. IDg: Identification - Group (Table 1) vs. Group Identification (IDg) vs. Group ID (IDg) vs. group IDg vs. group ID --> <table> <name>Payloads Used in G-IKEv2</name> <thead> <tr><th>Notation</th><th>Payload</th><th>Defined<th>Notation</th> <th>Payload</th> <th>Defined in</th> </tr> </thead> <tbody> <tr><td>AUTH</td><td>Authentication</td><td><xref<td>AUTH</td> <td>Authentication</td> <td> <xref target="RFC7296"/></td> </tr> <tr><td>CERT</td><td>Certificate</td><td><xref<td>CERT</td> <td>Certificate</td> <td> <xref target="RFC7296"/></td> </tr> <tr><td>CERTREQ</td><td>Certificate Request</td><td><xref<td>CERTREQ</td> <td>Certificate Request</td> <td> <xref target="RFC7296"/></td> </tr> <tr><td>D</td><td>Delete</td><td><xref<td>D</td> <td>Delete</td> <td> <xref target="RFC7296"/></td> </tr> <tr><td>GSA</td><td>Group<td>GSA</td> <td>Group SecurityAssociation</td><td><xrefAssociation</td> <td> <xref target="gsa_payload"/></td> </tr> <tr><td>HDR</td><td>IKEv2 Header</td><td><xref<td>HDR</td> <td>IKEv2 Header</td> <td> <xref target="RFC7296"/></td> </tr> <tr><td>IDg</td><td>Identification<td>IDg</td> <td>Identification -Group</td><td><xrefGroup</td> <td> <xref target="idg_payload"/></td> </tr> <tr><td>IDi</td><td>Identification<td>IDi</td> <td>Identification -Initiator</td><td><xrefInitiator</td> <td> <xref target="RFC7296"/></td> </tr> <tr><td>IDr</td><td>Identification<td>IDr</td> <td>Identification -Responder</td><td><xrefResponder</td> <td> <xref target="RFC7296"/></td> </tr> <tr><td>KD</td><td>Key Download</td><td><xref<td>KD</td> <td>Key Download</td> <td> <xref target="kd_payload"/></td> </tr> <tr><td>KE</td><td>Key Exchange</td><td><xref<td>KE</td> <td>Key Exchange</td> <td> <xref target="RFC7296"/></td> </tr> <tr> <td>Ni,Nr</td><td>Nonce</td><td><xrefNr</td> <td>Nonce</td> <td> <xref target="RFC7296"/></td> </tr> <tr><td>N</td><td>Notify</td><td><xref<td>N</td> <td>Notify</td> <td> <xref target="RFC7296"/></td> </tr> <tr><td>SA</td><td>Security Association</td><td><xref<td>SA</td> <td>Security Association</td> <td> <xref target="RFC7296"/></td> </tr> <tr><td>SAg</td><td>Security<td>SAg</td> <td>Security Association - GM SupportedTransforms</td><td><xrefTransforms</td> <td> <xref target="sag_payload"/></td> </tr> <tr><td>SK</td><td>Encrypted</td><td><xref<td>SK</td> <td>Encrypted</td> <td> <xref target="RFC7296"/></td> </tr> </tbody> </table> <t> Payloads defined as part of other IKEv2 extensions <bcp14>MAY</bcp14> also be included in these messages. Payloads that may optionally appear in G-IKEv2 messages will be shown in brackets, such as [CERTREQ]. </t> <t>G-IKEv2 defines several new payloads not used in IKEv2:</t><t><list style="symbols"> <t>IDg (Group ID) -- The<dl newline="true" spacing="normal"> <dt>Group ID (IDg):</dt><dd>The GM requests the GCKS for membership into the group by sending its IDgpayload.</t> <t>SAg (Securitypayload.</dd> <dt>Security Association--- GM SupportedTransforms) -- theTransforms (SAg):</dt><dd>The GM optionally sends supportedtransforms,transforms so that GCKS may select a policy appropriate for all members of the group (which is not negotiated, unlike SA parameters inIKEv2).</t> <t>GSA (GroupIKEv2).</dd> <dt>Group SecurityAssociation) -- TheAssociation (GSA):</dt><dd>The GCKS sends the group policy to the GM using thispayload.</t> <t>KD (Key Download) -- Thepayload.</dd> <dt>Key Download (KD):</dt><dd>The GCKS sends the keys and the security parameters to the GMs using thispayload.</t> </list></t>payload.</dd> </dl> <t> The details of the contents of each payload are described in <xreftarget="header_payload"></xref>.target="header_payload"/>. </t> </section> <sectiontitle="G-IKEv2anchor="registration"> <name>G-IKEv2 Member Registration and Secure ChannelEstablishment" anchor="registration">Establishment</name> <t>Initial registration is combined with establishing a secure connection between the entity seeking registration and the GCKS. This process consists of a minimum of two exchanges, IKE_SA_INIT and GSA_AUTH; member registration may have a few more messages exchanged if theEAPExtensible Authentication Protocol (EAP) method, cookie challenge (for DoS protection), negotiation of key exchangemethodmethod, or IKEv2 extensions based on the IKEv2 IntermediateexchangeExchange <xreftarget="RFC9242" />target="RFC9242"/> are used. Each exchange consists of request/response pairs. The firstexchange IKE_SA_INITexchange, called IKE_SA_INIT, is defined in IKEv2 <xreftarget="RFC7296"></xref>.target="RFC7296"/>. This exchange negotiates cryptographic algorithms, exchangesnoncesnonces, and computes a shared key between the GM and the GCKS. In addition to the cryptographic algorithms negotiated for use in IKEv2 SA, a key wrap algorithm is also negotiated in this exchange by means of a new "Key Wrap Algorithm" transform. See <xreftarget="wrapped_key" />target="wrapped_key"/> for details. </t> <t>The secondexchangeexchange, calledGSA_AUTHGSA_AUTH, is similar to the IKEv2 IKE_AUTH exchange <xreftarget="RFC7296"></xref>.target="RFC7296"/>. It authenticates the previously exchangedmessages,messages and exchanges identities and certificates. The GSA_AUTH messages are encrypted and integrity protected with keys established through the previous exchanges, so the identities are hidden from eavesdroppers and all fields in all the messages are authenticated. The GCKS authorizes group members to be allowed into the group as part of the GSA_AUTH exchange. Once the GCKS accepts a GM to join agroupgroup, it will provide the GM with the data-security keys (TEKs) and/or a group key encrypting key (KEK) as part of the GSA_AUTH response message. </t> <t>The established secure channel between the GM and the GCKS is in fact IKE SA (as defined in <xreftarget="RFC7296"></xref>)target="RFC7296"/>) and is referred to as such throughout this document. However, it is <bcp14>NOT RECOMMENDED</bcp14> to use this IKE SA for the purpose of creating unicast Child SAs between the GM and theGCKS,GCKS since authentication requirements for group admission and for unicast communication may differ. In addition, thelifecyclelife cycle of this IKE SA is determined by the GCKS and this SA can be deleted at any time. </t> <sectionanchor="gsa_auth" title="GSA_AUTH Exchange">anchor="gsa_auth"> <name>GSA_AUTH Exchange</name> <t>The GSA_AUTH exchange is used to authenticate the previousexchanges,exchanges and exchange identities and certificates. G-IKEv2 also uses this exchange for group member registration and authorization. </t> <t> The GSA_AUTH exchange is similar to the IKE_AUTH exchange with the difference that its goal is to establish a multicast Data-Security SA(s) and optionally provide GM with the keys for a Rekey SA. The set of payloads in the GSA_AUTH exchange is slightlydifferent,different because policy is not negotiated between the group member and theGCKS, but insteadGCKS; instead, it is provided by the GCKS for the GM.Note also,Also note that GSA_AUTH has its own exchange type, which is different from the IKE_AUTH exchange type. </t><t>Note,<t>Note that due to the similarities between IKE_AUTH and GSA_AUTH, most IKEv2 extensions to the IKE_AUTH exchange (likeSecure Passwordsecure password authentication <xreftarget="RFC6467" />)target="RFC6467"/>) can also be used with the GSA_AUTH exchange. </t> <figuretitle="GSA_AUTH Request"anchor="gsa_auth_request"><preamble></preamble><name>GSA_AUTH Request</name> <artwork><![CDATA[ Initiator (GM) Responder (GCKS) -------------------- ------------------ HDR, SK{IDi, [CERT,] [CERTREQ,] [IDr,] AUTH, IDg, [SAg,] [N(GROUP_SENDER),] [N]} --> ]]></artwork><postamble></postamble></figure> <t>A group member initiates a GSA_AUTH request to join a group indicated by the IDg payload. The GM may include an SAg payload declaring which Transforms it is willing to accept. A GM that intends to act as Group Sender <bcp14>MUST</bcp14> include a Notify payload status type of GROUP_SENDER, which enables the GCKS to provide any additional policy necessary by group senders.</t> <figuretitle="GSA_AUTH Normal Response"anchor="gsa_auth_norm_response"><preamble></preamble><name>GSA_AUTH Normal Response</name> <artwork><![CDATA[ Initiator (GM) Responder (GCKS) -------------------- ------------------ <-- HDR, SK{IDr, [CERT,] AUTH, GSA, KD, [N]} ]]></artwork><postamble></postamble></figure> <t> The GCKS responds with IDr, optional CERT, and AUTH payloads with the same meaning as in IKE_AUTH. It also informs the group member of the cryptographic policies of the group in the GSA payload and the key material in the KD payload. </t> <t> Possibleerorserrors should be handled in accordance withSection 2.21.2 of<xreftarget="RFC7296"/>.target="RFC7296" sectionFormat="of" section="2.21.2"/>. In addition to the IKEv2 error handling, the GCKS can reject the registration request when the IDg is invalid or authorization fails, etc. In thesecases, seecases (see <xreftarget="notify"></xref>,target="notify"/>), the GSA_AUTH response will not include the GSA andKD,KD but will include a Notify payload indicating errors. If a GM included an SAgpayload,payload and the GCKS chooses to evaluateit,it andthe GCKSdetects that the group member cannot support the security policy defined for the group, then the GCKS returns the NO_PROPOSAL_CHOSEN notification. Other types of error notifications can be INVALID_GROUP_ID,AUTHORIZATION_FAILEDAUTHORIZATION_FAILED, or REGISTRATION_FAILED.</t> <figuretitle="GSA_AUTHanchor="gsa_auth_err_response"> <name>GSA_AUTH Error Response for Group-RelatedErrors" anchor="gsa_auth_err_response"> <preamble></preamble>Errors</name> <artwork><![CDATA[ Initiator (GM) Responder (GCKS) -------------------- ------------------ <-- HDR, SK{IDr, [CERT,] AUTH, N} ]]></artwork><postamble></postamble></figure> <t>If the GSA_AUTH exchange is completedsuccessfully,successfully but the group member finds that the policy sent by the GCKS is unacceptable, the member <bcp14>SHOULD</bcp14> inform the GCKS about this by initiating the GSA_REGISTRATION exchange with the IDg payload and the NO_PROPOSAL_CHOSEN notification (see <xreftarget="gsa_registration_gm_error" />).target="gsa_registration_gm_error"/>). </t> </section> <sectionanchor="gsa_registration" title="GSA_REGISTRATION Exchange">anchor="gsa_registration"> <name>GSA_REGISTRATION Exchange</name> <t>Once the IKE SA between the GM and the GCKS is established, the GM can use it for other registrationrequests,requests ifthis isneeded. In thisscenarioscenario, the GM will use the GSA_REGISTRATION exchange. Payloads in the exchange are generated and processed as defined in <xreftarget="gsa_auth"></xref>.</t>target="gsa_auth"/>.</t> <figuretitle="GSA_REGISTRATION Normal Exchange"anchor="gsa_registration_exchange"><preamble></preamble><name>GSA_REGISTRATION Normal Exchange</name> <artwork><![CDATA[ Initiator (GM) Responder (GCKS) -------------------- ------------------ HDR, SK{IDg, [SAg,] [N(GROUP_SENDER),] [N]} --> <-- HDR, SK{GSA, KD, [N]} ]]></artwork><postamble></postamble></figure> <t>As with GSA_AUTH exchange, the GCKS can reject the registration request when the IDg is invalid or authorization fails, or GM cannot support the security policy defined for the group (which can be concluded by the GCKS by evaluation of the SAg payload). In thiscasecase, the GCKS returns an appropriate error notification as described in <xreftarget="gsa_auth" />.target="gsa_auth"/>. </t> <figuretitle="GSA_REGISTRATION Error Exchange"anchor="gsa_registration_err_exchange"><preamble></preamble><name>GSA_REGISTRATION Error Exchange</name> <artwork><![CDATA[ Initiator (GM) Responder (GCKS) -------------------- ------------------ HDR, SK{IDg, [SAg,] [N(GROUP_SENDER),] [N]} --> <-- HDR, SK{N} ]]></artwork><postamble></postamble></figure> <t>This exchange can also be used if the group member finds that the policy sent by the GCKS is unacceptable orfor some reasonwants to leave thegroup.group for some reason. The group member <bcp14>SHOULD</bcp14> notify the GCKS by sending IDg and the Notify type NO_PROPOSAL_CHOSEN orREGISTRATION_FAILED,REGISTRATION_FAILED as shown below.The GCKS inIn thiscasecase, the GCKS <bcp14>MUST</bcp14> remove the GM from the group IDg. </t> <figuretitle="GManchor="gsa_registration_gm_error"> <name>GM Reporting Errors in GSA_REGISTRATIONExchange" anchor="gsa_registration_gm_error"> <preamble></preamble>Exchange</name> <artwork><![CDATA[ Initiator (GM) Responder (GCKS) -------------------- ------------------ HDR, SK{IDg, N} --> <-- HDR, SK{} ]]></artwork> </figure> </section><section title="GM<section> <name>GM RegistrationOperations">Operations</name> <t>A GM requesting registration contacts the GCKS using the IKE_SA_INIT exchange. This exchange is unchanged from IKE_SA_INIT in the IKEv2 protocol. The IKE_SA_INIT exchange may optionally be followed by one or more of the IKE_INTERMEDIATE exchanges if the GM and the GCKS negotiated use of IKEv2 extensions based on this exchange. </t><t>Next<t>Next, the GM sends the GSA_AUTH request message with the IKEv2 payloads from IKE_AUTH (without the SAi2,TSiTSi, and TSr payloads) along with the Group ID informing the GCKS of the group the GM wishes to join.AnA GM intending to emit data traffic <bcp14>MUST</bcp14> send a GROUP_SENDER Notify message type. The GROUP_SENDER notification not only signifies that it is asender,sender but provides the GM the ability to request Sender-IDvalues,values in case the Data-Security SA supports acounter modecounter-mode cipher. <xreftarget="sid_alloc"></xref>target="sid_alloc"/> includes guidance on requesting Sender-ID values.</t> <t>A GM may be limited in the Transforms IDs that it is able or willing touse,use and may find it useful to inform the GCKS which Transform IDs it is willing to accept for different security protocols by including the SAg payload into the request message. Proposals for Rekey SA and for Data-Security (AH <xreftarget="RFC4302" />target="RFC4302"/> and/or ESP <xreftarget="RFC4303" />)target="RFC4303"/>) SAs may be included into SAg. Proposals for Rekey SA are identified byanew Protocol ID GIKE_UPDATE with the value<TBA by IANA>.6. Each Proposal contains a list of Transforms that the GM is able and willing to support for that protocol. Valid transform types depend on the protocol (AH, ESP, GIKE_UPDATE) and are defined in <xreftarget="allowed_transforms" />.target="allowed_transforms"/>. Other transform types <bcp14>SHOULD NOT</bcp14> be included as they will be ignored by the GCKS. TheSPISecurity Parameter Index (SPI) length of each Proposal in an SAg is set to zero, and thus the SPI field is empty. The GCKS <bcp14>MUST NOT</bcp14> use SPI length and SPI fields in the SAg payload. </t> <t>Generally, a single Proposal for each protocol (GIKE_UPDATE, AH/ESP) willsuffice, becausesuffice. Because the transforms are not negotiated, the GM simply alerts the GCKS to restrictions it may have. In particular, the restriction fromSection 3.3 of IKEv2<xref target="RFC7296"/>sectionFormat="of" section="3.3"/> thatAEADAuthenticated Encryption with Associated Data (AEAD) and non-AEAD transforms not be combined in a single proposal doesn't hold when the SAg payload is being formed.HoweverHowever, if the GM has restrictions on the combination of algorithms, this can be expressed by sending several proposals.</t><t>Proposal<t>The Proposal Num field in the Proposal substructure is treated specially in the SAg payload: it allows a GM to indicate that algorithms used in Rekey SA and in Data-Security (AH and/or ESP) SAs are dependent. In particular, Proposals for different protocols having the same value in the Proposal Num field are treated as aset,set so that if GCKS uses transforms from one of such Proposal for one protocol, then it <bcp14>MUST</bcp14> only use transforms from one of the Proposals with the same value in the Proposal Num field for other protocols. For example, a GM may support algorithms X and Y for both Rekey and Data-Security SAs, but with a restriction that if X is used in RekeySA,SAs, then only X can be used in Data-Security SAs, and the same for Y. Use of the same value in the Proposal Num field of different proposals indicates that the GM expects these proposals to be used in conjunction with each other. In the simplest case when no dependency between transforms exists, all Proposals in the SAg payload will have the same value in the Proposal Num field. </t> <t>Although the SAg payload is optional, it is <bcp14>RECOMMENDED</bcp14>forthat the GMtoinclude this payload into the GSA_AUTH request to allow the GCKS to select an appropriate policy. </t> <t>A GM <bcp14>MAY</bcp14> also indicate the support for IPcomp by including one or more the IPCOMP_SUPPORTED notifications along with the SAg payload in the request. The Compression Parameter Index (CPI) in these notifications is set to zero and <bcp14>MUST</bcp14> be ignored by the GCKS. </t> <t>Upon receiving the GSA_AUTH response, the GM parses the response from the GCKS authenticating the exchange using the IKEv2 method, then processes the GSA and KD payloads.</t> <t>The GSA payload contains the security policy and cryptographic protocols used by the group. <!--[rfced] In the following, should "Data-Security SAs" be singular since "TEK" is singular? Also, are all of these items optional (option A), or are only the Rekey SA and Group-wide policy optional (option B)? Original: This policy describes the optional Rekey SA (KEK), Data-Security SAs (TEK), and optional Group-wide (GW) policy. Perhaps A: This policy describes the Rekey SA (KEK), Data-Security SA (TEK), and Group-wide (GW) policy, which are all optional. or Perhaps B: This policy describes the Data-Security SA (TEK), optional Rekey SA (KEK), and optional Group-wide (GW) policy. --> This policy describes the optional Rekey SA (KEK), Data-Security SAs (TEK), and optional Group-wide (GW) policy. If the policy in the GSA payload is not acceptable to the GM, it <bcp14>SHOULD</bcp14> notify the GCKS by initiating a GSA_REGISTRATION exchange with a NO_PROPOSAL_CHOSEN Notify payload (see <xreftarget="gsa_registration"></xref>). Note,target="gsa_registration"/>). Note that this should normally not happen if the GM includes the SAg payload in the GSA_AUTH request and the GCKS takes it into account.FinallyFinally, the KD payload isparsedparsed, providing the keying material for the TEK and/or KEK. The KD payload contains a list of key bags, where each key bag includes the keying material for SAs distributed in the GSA payload. Keying material is matched by comparing the SPIs in the key bags to SPIs previously included in the GSA payloads. Once TEK keys and policy are matched, the GM provides them to the data-security subsystem, and it is ready to send or receive packets matching the TEK policy.</t> <t> If the group member is not a sender for a received Data-Security SA, then it <bcp14>MUST</bcp14> install this SA only in the inbound direction. If the group member is a sender for a received Data-Security SA, and it is not going to receive back the data it sends, then it <bcp14>MUST</bcp14> install this SA only in the outgoing direction. </t> <t>If the first Message ID the GM should expect to receive is non-zero, the GSA KEK policy includes the attribute GSA_INITIAL_MESSAGE_ID with the expected non-zero value. The value of the attribute <bcp14>MUST</bcp14> be checked by a GM against any previously received Message ID for this group. If it is less than the previously received number, it should be considered stale and <bcp14>MUST</bcp14> be ignored. This could happen if two GSA_AUTH exchanges happened inparallel,parallel and the Message ID changed. This attribute is used by the GM to prevent GSA_REKEY message replay attacks. The first GSA_REKEY message that the GM receives from the GCKS will have a Message ID greater than or equal to the Message ID received in the GSA_INITIAL_MESSAGE_ID attribute.</t> <t>Group members <bcp14>MUST</bcp14> install the Rekey SA only in the inbound direction. </t> <t>Once a GM successfully registers to thegroupgroup, it <bcp14>MUST</bcp14> replace any information related to this group (policy, keys) that it might have as a result of a previous registration with a new one. </t> <t>Once a GM has received GIKE_UPDATE policy during a registration, the IKE SA <bcp14>MAY</bcp14> be closed. By convention, the GCKS closes the IKESA,SA; the GM <bcp14>SHOULD NOT</bcp14> close it. TheGKCSGCKS <bcp14>MAY</bcp14> choose to keep the IKE SA open for inband rekey, especially for small groups. If inband rekey is used, then the initial IKE SA can be rekeyed by any side with the standard IKEv2 mechanism described inSection 1.3.2 of IKEv2<xref target="RFC7296"/>.sectionFormat="of" section="1.3.2"/>. If for some reason the IKE SA is closed and no GIKE_UPDATE policy is received during the registration process, the GM <bcp14>MUST</bcp14> consider itself excluded from the group. To continue participating in the group, the GM needs to re-register. </t> </section><section title="GCKS<section> <name>GCKS RegistrationOperations">Operations</name> <t>A G-IKEv2 GCKS listens for incoming requests from group members. When the GCKS receives an IKE_SA_INIT request, it selects an IKE proposal and generates a nonce andDHDiffie-Hellman (DH) to includethemin the IKE_SA_INIT response.</t> <t>Upon receiving the GSA_AUTH request, the GCKS authenticates the group member via the GSA_AUTH exchange. The GCKS then authorizes the group member according to group policy before preparing to send the GSA_AUTH response. If the GCKS fails to authorize the GM, it responds with an AUTHORIZATION_FAILED notify message type. The GCKS may also respond with an INVALID_GROUP_ID notify message if the requested group is unknown to the GCKS or with an REGISTRATION_FAILED notify message if there is a problem with the requested group(for example(e.g., if the capacity of the group is exceeded).</t> <t>The GSA_AUTH response will include the group policy in the GSA payload and keys in the KD payload. If the GCKS policy includes a group rekey option and the initial Message ID value the GCKS will use when sending the GSA_REKEY messages to the group members is non-zero, then this value is specified in the GSA_INITIAL_MESSAGE_ID attribute. This Message ID is used to prevent GSA_REKEY message replay attacks and will be increased each time a GSA_REKEY message is sent to the group. The GCKS data traffic policy is included in the GSA TEK and keys are included in the KD TEK. The GW policy <bcp14>MAY</bcp14> also be included to provide theATDActivation Time Delay (ATD) and/orDTDDeactivation Time Delay (DTD) (<xreftarget="gwp_attr_atd_dtd"></xref>) specifyingtarget="gwp_attr_atd_dtd"/>) to specify activation and deactivation delays for SAs generated from the TEKs. If the group member has indicated that it is a sender of data traffic and one or moreData SecurityData-Security SAs distributed in the GSA payload included a counter mode of operation, the GCKS responds with one or more Sender-ID values (see <xreftarget="counter-modes"></xref>).</t>target="counter-modes"/>).</t> <t> Multicast Extensions to the Security Architecture <xreftarget="RFC5374" />target="RFC5374"/> defines two modes of operation for multicast Data-Security SAs: transport mode and tunnel mode with address preservation. In the lattercasecase, outer source and destination addresses are taken from the inner IP packet. The mode of operation for the Data-Security SAs is determined by the presence of the USE_TRANSPORT_MODE notification in the GCKS's response message of the registrationexchange: ifexchange. If it is present, then SAs are created in transport mode; otherwise, SAs are created in tunnel mode. If multiple Data-Security SAs are being created in a single registration exchange, then all of them will have the same mode of operation. </t> <t>If the GCKS receives a GSA_REGISTRATION exchange with a request to register a GM to a group, the GCKS will need to authorize the GM with the new group (IDg) and respond with the corresponding group policy and keys. If the GCKS fails to authorize the GM, it will respond with the AUTHORIZATION_FAILED notification. The GCKS may also respond with an INVALID_GROUP_ID or REGISTRATION_FAILED notify messages for the reasons described above.</t> <t>If a group member includes an SAg in its GSA_AUTH or GSA_REGISTRATION request, the GCKS may evaluate it according to animplementation specificimplementation-specific policy.<list style="symbols"></t> <ul spacing="normal"> <li> <t>The GCKS could evaluate the list of Transforms and compare it to its current policy for the group. If the group member did not include all of the ESP,AHAH, or GIKE_UPDATE Transforms that match the current group policy or the capabilities of all other currently active GMs, then the GCKS <bcp14>SHOULD</bcp14> return a NO_PROPOSAL_CHOSENNotification.notification. Alternatively, the GCKS can change the group policy as defined below.</t><t>The</li> <li> <!-- [rfced] How may we update the sentence below to clarify the second and third instances of "Transforms"? Original: * The GCKS could store the list of Transforms, with the goal of migrating the group policy to a different Transforms when all of the group members indicate that they can support that Transforms. Perhaps A: * The GCKS could store the list of Transforms with the goal of migrating the group policy to a different Transform when all of the group members indicate that they can support that Transform. or Perhaps B: * The GCKS could store the list of Transforms with the goal of migrating the group policy to a different Transforms list when all of the group members indicate that they can support that Transforms list. --> <t>The GCKS could store the list of Transforms with the goal of migrating the group policy to a different Transforms when all of the group members indicate that they can support that Transforms.</t> </li> <li> <t>The GCKS could store the list of Transforms and adjust the current group policy based on the capabilities of the devices as long as they fall within the acceptable security policy of the GCKS.</t></list></li> </ul> <t> Depending on its policy, the GCKS may have no further need for the IKE SA (e.g., it does not plan to initiateana GSA_INBAND_REKEY exchange). If the GM does not initiate another registration exchange or Notify (e.g.,NO_PROPOSAL_CHOSEN),NO_PROPOSAL_CHOSEN) and the GCKS is not intended to use the SA, thenafter a short period of timethe GCKS <bcp14>SHOULD</bcp14> close the IKE SA to saveresources.</t>resources after a short period of time.</t> </section> </section><section title="Group<section> <name>Group MaintenanceChannel">Channel</name> <t>The GCKS is responsible for rekeying the secure group per the group policy. <!--[rfced] How may we clarify this sentence. Should "KEK" be plural like "TEKs"? Does the GCKS delete the TEKs and/or exclude the group members as shown below? Original: Rekeying is an operation whereby the GCKS provides replacement TEKs and KEK, deleting TEKs, and/or excluding group members. Perhaps: Rekeying is an operation whereby the GCKS provides replacement TEKs and KEKs, deletes TEKs, and/or excludes group members. --> Rekeying is an operation whereby the GCKS provides replacement TEKs and KEKs, deleting TEKs, and/or excluding group members. The GCKS may initiate a rekey message if group membership and/or policy haschanged,changed or if the keys are about to expire. Two forms of group maintenance channels are provided in G-IKEv2 to push new policy to group members.</t> <dlnewline="true"> <dt>GSA_REKEY</dt>newline="true" spacing="normal"> <dt>GSA_REKEY:</dt> <dd>The GSA_REKEY is a pseudo-exchange, consisting of a one-way IKEv2 message sent by theGCKS,GCKS where the rekey policy is delivered to group members using IP multicast as a transport. This method is valuable for large and dynamicgroups,groups and where policy may change frequently and a scalable rekey method is required. When the GSA_REKEY is used, the IKE SA protecting the member registration exchanges is usuallyterminated,terminated and group members await policy changes from the GCKS via the GSA_REKEY messages.</dd><dt>GSA_INBAND_REKEY</dt><dt>GSA_INBAND_REKEY:</dt> <dd>The GSA_INBAND_REKEY is a normal IKEv2 exchange using the IKE SA that wassetupset up toprotectingprotect the member registration exchange. This exchange allows the GCKS to rekey without using an independent GSA_REKEY pseudo-exchange. The GSA_INBAND_REKEY exchange provides a reliable policy delivery and is useful when G-IKEv2 is used with a small group of cooperating devices.</dd> </dl> <t>Depending on itspolicypolicy, the GCKS <bcp14>MAY</bcp14> combine these two methods. For example,itthe GCKS may use the GSA_INBAND_REKEY to deliver a key to the GMs in the group acting as senders (as this would provide reliable keysdelivery),delivery) and the GSA_REKEY for the rest of the GMs. </t> <sectionanchor="gsa_rekey" title="GSA_REKEY">anchor="gsa_rekey"> <name>GSA_REKEY</name> <t>The GCKS initiates the G-IKEv2Rekeyrekey by sending a protected message to the GMs, usually using IP multicast. Since the Rekey messages do not require responses andtheyare sent to multiple GMs, the windowing mechanism described inSection 2.3 of IKEv2<xref target="RFC7296"/>sectionFormat="of" section="2.3"/> <bcp14>MUST NOT</bcp14> be used for the Rekey messages. The GCKS rekey message replaces the current rekey GSA KEK or KEK array(e.g.(e.g., in the case ofLKH),LKH) and/or creates new Data-Security GSA TEKs. The GM_SENDER_ID attribute in the Key Download payload (defined in <xreftarget="mkd_attr_gm_sid"></xref>)target="mkd_attr_gm_sid"/>) <bcp14>MUST NOT</bcp14> be part of the RekeyExchangeExchange, as this issender specificsender-specific information and the Rekey Exchange is group specific. The GCKS initiates the GSA_REKEY pseudo-exchange as following:</t><t><figure title="GSA_REKEY Pseudo-Exchange"<figure anchor="gsa_rekey_exchange"><preamble></preamble><name>GSA_REKEY Pseudo-Exchange</name> <artwork><![CDATA[ GMs (Receivers) GCKS (Sender) ----------------- --------------- <-- HDR, SK{GSA, KD, [N,] [AUTH]} ]]></artwork><postamble></postamble> </figure></t></figure> <t>HDR is defined in <xreftarget="header"></xref>.target="header"/>. While GSA_REKEYre-usesreuses the IKEv2 header, the "IKE SA Initiator's SPI" and the "IKE SA Responder's SPI" fields are treated as a single field with a length of 16 octets containing the SPI of a Rekey SA. The value for this field is provided by the GCKS in the GSA payload (see <xreftarget="gsa_policy" />).target="gsa_policy"/>). The Message ID in this message will start with the value the GCKS sent to the group members in the attribute GSA_INITIAL_MESSAGE_ID or from zero if this attribute wasn't sent. The Message ID will be incremented each time a new GSA_REKEY message is sent to the group members.</t> <t>The GSA payload contains the current policy for rekey and Data-Security SAs. <!--[rfced] Should "a Data-Security SAs" be singular or plural in this sentence (e.g., "a new Data-Security SA" or "new Data-Security SAs")? Original: The GSA may contain a new Rekey SA and/or a new Data- Security SAs Section 4.4. Perhaps: The GSA may contain a new Rekey SA and/or a new Data- Security SA (Section 4.4). --> The GSA may contain a new Rekey SA and/or a new Data-Security SAs<xref target="gsa_payload"></xref>.</t>(<xref target="gsa_payload"/>).</t> <t>The KD payload contains the keys for the policy included in the GSA. If one or more Data-Security SAs are being refreshed in this rekey message, the IPsec keys are updated in the KD, and/or if therekeyRekey SA is being refreshed in this rekey message, the rekey Key or the LKH KEK array(e.g.(e.g., in case of LKH) is updated in the KD payload.</t> <t>A Delete payload <bcp14>MAY</bcp14> be included to instruct the GM to delete existing SAs. See <xreftarget="delete" />target="delete"/> for more detail.</t> <t>The AUTH payload <bcp14>MUST</bcp14> be included to authenticate the GSA_REKEY message if the authentication method is based on public key signatures and <bcp14>MUST NOT</bcp14> be included if authentication is implicit. In the latter case, the fact that a GM can decrypt the GSA_REKEY message and verify itsICVIntegrity Check Value (ICV) proves that the sender of this message knows the current KEK, thus authenticating the sender as a member of the group.Note,Note that implicit authentication doesn't provide source origin authentication. For thisreasonreason, using implicit authentication for GSA_REKEY is <bcp14>NOT RECOMMENDED</bcp14> unless source origin authentication is not required (for example, in a small group of highly trusted GMs). See more about authentication methods in <xreftarget="auth_method" />.target="auth_method"/>. </t> <t> During group member registration, the GCKS sends the authentication key in the KD payload, the AUTH_KEY attribute, which the group member uses to authenticate the key server. Before the current authentication key expires, the GCKS will send a new AUTH_KEY to the group members in a GSA_REKEY message. The authentication key that is sent in the rekey message maybenot be the same as the authentication key sent during the GM registration. If implicit authentication is used, then AUTH_KEY <bcp14>MUST NOT</bcp14> be sent to GMs.</t> <sectionanchor="gsa_rekey_auth" title="GSA_REKEYanchor="gsa_rekey_auth"> <name>GSA_REKEY MessageAuthentication">Authentication</name> <t>The content of the AUTH payload generally depends on the authentication method from the Group Controller Authentication Method (GCAUTH) transform (<xreftarget="auth_method" />).target="auth_method"/>). This specification defines the use of only one authenticationmethod -method, Digital Signature, and the AUTH payload contains a digital signature calculated over the content of thenot yet encryptednot-yet-encrypted GSA_REKEY message. </t> <t>The digital signing is applied to the concatenation of two chunks: A and P.The chunkChunk A starts with the first octet of the G-IKEv2 header (not including prepended four octets of zeros, if port 4500 is used) and continues to the last octet of the Encrypted Payload header.The chunkChunk P consists of thenot yet encryptednot-yet-encrypted content of the Encrypted payload, excluding the Initialization Vector, the Padding, the PadLengthLength, and the Integrity Checksum Data fields (see3.14 of IKEv2<xreftarget="RFC7296" />section="3.14" target="RFC7296"/> for the description of the Encrypted payload). In other words,the Pchunk P is the inner payloads of the Encrypted payload in plaintext form. <xreftarget="auth_data" />target="auth_data"/> illustrates the layout ofthechunks P and Achunksin the GSA_REKEY message. </t> <t>Before the calculation of the AUTHpayloadpayload, the inner payloads of the Encrypted payload must be fully formed and ready forencryption,encryption except for the content of the AUTH payload. The AUTH payload must have correct values in the Payload Header, the AuthMethodMethod, and the RESERVED fields. The Authentication Data field is zeroed, but the ASN.1 Length and the AlgorithmIdentifier fields must be properly filledin,in; see Signature Authentication inIKEv2<xreftarget="RFC7427" />.target="RFC7427"/>. </t> <t>For the purpose of the AUTH payloadcalculationcalculation, the Length field in the IKE header and the Payload Length field in the Encrypted Payload header are adjusted so that they don't count the lengths of Initialization Vector, Integrity ChecksumDataData, and Padding (along with Pad Length field). In other words, the Length field in the IKE header (denoted as AdjustedLen in <xreftarget="auth_data" />)target="auth_data"/>) is set to the sum of the lengths of A and P, and the Payload Length field in the Encrypted Payload header (denoted as AdjustedPldLen in <xreftarget="auth_data" />)target="auth_data"/>) is set to the length of P plus the size of the Payload header (four octets). </t> <t>The input to the digital signature algorithm that computes the content of the AUTH payload can be described as: </t><figure align="center"><figure> <artwork align="left"><![CDATA[ DataToAuthenticate = A | P GsaRekeyMessage = GenIKEHDR | EncPayload GenIKEHDR = [ four octets 0 if using port 4500 ] | AdjustedIKEHDR AdjustedIKEHDR = SPIi | SPIr | . . . | AdjustedLen EncPayload = AdjustedEncPldHdr | IV | InnerPlds | Pad | PadLen | ICV AdjustedEncPldHdr = NextPld | C | RESERVED | AdjustedPldLen A = AdjustedIKEHDR | AdjustedEncPldHdr P = InnerPlds ]]></artwork> </figure> <figurealign="center" anchor="auth_data" title="Dataanchor="auth_data"> <name>Data to Authenticate in the GSA_REKEYMessages">Messages</name> <artwork align="left"><![CDATA[ 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ^ ^ | IKE SA Initiator's SPI | | | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ I | | IKE SA Responder's SPI | K | | | E | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Next Payload | MjVer | MnVer | Exchange Type | Flags | H A +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ d | | Message ID | r | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | AdjustedLen | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ x | | Next Payload |C| RESERVED | AdjustedPldLen | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | v | | | ~ Initialization Vector ~ E | | n +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ c ^ | | r | ~ InnerpayloadsPayloads (not yet encrypted) ~ P | | P | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ l v ~ Padding (0-255 octets) | Pad Length | d +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | | ~ Integrity Checksum Data ~ | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ v ]]></artwork> </figure> <t>The authentication data is calculated using the authentication algorithm from the Group Controller Authentication Method transform (<xreftarget="auth_method" />)target="auth_method"/>) and the current authentication key provided in the AUTH_KEY attribute (<xreftarget="mkd_attr_auth_key" />).target="mkd_attr_auth_key"/>). The calculated authentication data is placed into the AUTH payload, the Length fields in the IKE Header and the Encryption Payload header are restored, the content of the Encrypted payload is encrypted and the ICV is computed using the current KEK. </t> </section><section title="IKE Fragmentation"><section> <name>IKE Fragmentation</name> <t>IKEv2 fragmentation <xreftarget="RFC7383"></xref>target="RFC7383"/> can be used to perform fragmentation of large GSA_REKEY messages; however, when the GSA_REKEY message is emitted as an IP multicastpacketpacket, there is a lack of response from the GMs. This has the following implications.<list style="symbols"></t> <ul spacing="normal"> <li> <t>Policy regarding the use of IKE fragmentation is implicit. If a GCKS detects that all GMs have negotiated support of IKE fragmentation in IKE_SA_INIT, then it <bcp14>MAY</bcp14> use IKE fragmentation on large GSA_REKEY messages.</t> </li> <li> <t>The GCKS must always use IKE fragmentation based on apre-configuredpreconfigured fragmentation threshold, as there is no way to check if fragmentation is needed by first sending unfragmented messages and waiting for response.Section 2.5.1 of IKEv2 Fragmentation<xref target="RFC7383"/>sectionFormat="of" section="2.5.1"/> containsrecommendationrecommendations on selecting the fragmentation threshold.</t><t>PMTU</li> <li> <t>The Path MTU (PMTU) mechanism, defined inSection 2.5.2 of IKEv2 Fragmentation<xref target="RFC7383"/>,sectionFormat="of" section="2.5.2"/>, cannot be used due to lack of GSA_REKEY response messages.</t></list></t></li> </ul> <t> The calculation of authentication data <bcp14>MUST</bcp14> be applied to whole messagesonly,only before possible IKE Fragmentation. If the message was received in fragmented form, it should be reconstructed before verifying its authenticity as if it were received unfragmented. <!-- [rfced] FYI: We updated "that with" to "with the" as follows. Original: The RESERVED field in the reconstructed Encrypted Payload header<bcp14>MUST</bcp14>MUST be set to the value of the RESERVED field in the Encrypted Fragment payload header from the first fragment (that with Fragment Number equal to 1). Current: The RESERVED field in the reconstructed Encrypted Payload header MUST be set to the value of the RESERVED field in the Encrypted Fragment payload header from the first fragment (with the Fragment Number equal to 1). --> The RESERVED field in the reconstructed Encrypted Payload header <bcp14>MUST</bcp14> be set to the value of the RESERVED field in the Encrypted Fragment payload header from the first fragment (with the Fragment Number equal to 1). </t> </section><section title="GSA_REKEY<section> <name>GSA_REKEY GCKSOperations">Operations</name> <t>The GCKS builds the rekey message with a Message ID value that is one greater than the value included in the previous rekey message. The first message sent over a new Rekey SA <bcp14>MUST</bcp14> use a Message ID of 0. The GSA,KDKD, and N payloads follow with the same characteristics as in the GSA Registration exchange. The AUTH payload (if present) is created as defined in <xreftarget="gsa_rekey_auth" />.target="gsa_rekey_auth"/>. </t> <t>Because GSA_REKEY messages are not acknowledged and could be discarded by the network, one or more GMs may not receive the new policy. To mitigate such lost messages, during a rekeyeventevent, the GCKS may transmit several copies of an encrypted GSA_REKEY message with the new policy. The (encrypted) retransmitted messages <bcp14>MUST</bcp14> be bitwise identical and should be sent within a short time interval (a few seconds) to ensure that the SA lifetime calculations would not be substantially skewed for the GMs that would receive different copies of the messages. </t> <t> GCKS may also include one or several GSA_NEXT_SPI attributes specifying SPIs for the prospectedrekeys,rekeys so that listening GMs are able to detect lost rekey messages and recover from this situation. SeeSections<xreftarget="gsa_attr_next_spi" />target="gsa_attr_next_spi"/> for more detail. </t> </section><section title="GSA_REKEY<section> <name>GSA_REKEY GMOperations">Operations</name> <t> When a group member receives theRekeyrekey message from theGCKSGCKS, it decrypts the message and verifies its integrity using the current KEK. If the AUTH payload is present in the decrypted message, then the GM validates authenticity of the message using the key retrieved in a previous G-IKEv2 exchange. Then the GM verifies the MessageID,ID and processes the GSA and KD payloads. The group member then installs the new Data-Security SA(s) and/or a new Rekey SA. The parsing of the payloads is identical to the parsing done in the registration exchange.</t> <t>Replay protection is achieved by a group member rejecting a GSA_REKEY messagewhichthat has a Message ID smaller than the current Message ID that the GM is expecting. The GM expects the Message ID in the first GSA_REKEY message it receives to be equal to or greater than the Message ID it receives in the GSA_INITIAL_MESSAGE_ID attribute.Note,Note that if the GSA_INITIAL_MESSAGE_ID attribute is not received for the Rekey SA, the GM <bcp14>MUST</bcp14> assume zero as the first expected Message ID. The GM expects the Message ID in subsequent GSA_REKEY messages to be greater than the last valid GSA_REKEY message ID it received.</t> <t> This specification assumes that the GSA_REKEY messages are sent withintervals,intervals that are significantly greater than typical network packet reordering intervals. </t> <t>If the GSA payload includes a Data-Security SA using cipher in a counter-mode of operation and the receiving group member is a sender for that SA, the group member uses its current Sender-ID value with the Data-Security SAs to create counter-mode nonces. If it is a sender and does not hold a current Sender-ID value (for example, when no counter-mode is employed for other Data-Security SAs), it <bcp14>MUST NOT</bcp14> install the Data-Security SAs. It <bcp14>MUST</bcp14> initiate a re-registration to the GCKS in order to obtainana Sender-ID value (along with the current group policy). </t> <!-- [rfced] We added parentheses to this sentence for ease of reading. Please let us know of any objections. Original: If the message includes Delete payload for existing Data-Security SA, then after installing a new Data-Security SA the old one, identified by the Protocol and SPI fields in the Delete payload, MUST be silently deleted after waiting DEACTIVATION_TIME_DELAY interval regardless of its expiration time. Current: If the message includes a Delete payload for an existing Data-Security SA, then after installing a new Data-Security SA, the old one (identified by the Protocol and SPI fields in the Delete payload) MUST be silently deleted after waiting the DEACTIVATION_TIME_DELAY interval regardless of its expiration time. --> <t>Once a new Rekey SA is installed as a result of a GSA_REKEY message, the current Rekey SA (over which the message was received) <bcp14>MUST</bcp14> be silently deleted after waiting the DEACTIVATION_TIME_DELAY interval regardless of its expiration time. If the message includes a Delete payload for an existing Data-Security SA, then after installing a new Data-SecuritySASA, the oldone, identifiedone (identified by the Protocol and SPI fields in the Deletepayload,payload) <bcp14>MUST</bcp14> be silently deleted after waiting the DEACTIVATION_TIME_DELAY interval regardless of its expiration time. </t> <t>If a Data-Security SA is not rekeyed yet and is about to expire (a "soft lifetime" expiration is described inSection 4.4.2.1 of<xreftarget="RFC4301"></xref>),target="RFC4301" sectionFormat="of" section="4.4.2.1"/>), the GM <bcp14>SHOULD</bcp14> initiate a registration to the GCKS. This registration serves as a request for currentSAs,SAs and will result in the download of replacement SAs, assuming the GCKS policy has created them. A GM <bcp14>SHOULD</bcp14> also initiate a registration request if a Rekey SA is about to expire and not yet replaced with a new one.</t> </section> </section> <sectionanchor="gsa_inband_rekey" title="GSA_INBAND_REKEY Exchange">anchor="gsa_inband_rekey"> <name>GSA_INBAND_REKEY Exchange</name> <t>When the IKE SA protecting the member registration exchange is maintained while a group member participates in the group, the GCKS can use the GSA_INBAND_REKEY exchange to individually provide policy updates to the group member.</t> <figuretitle="GSA_INBAND_REKEY Exchange"anchor="gsa_inband_rekey_exchange"> <name>GSA_INBAND_REKEY Exchange</name> <artwork><![CDATA[ GM (Responder) GCKS (Initiator) ---------------- ------------------ <-- HDR, SK{GSA, KD, [N]} HDR, SK{} --> ]]></artwork> </figure> <t>Because this is a normal IKEv2 exchange, the HDR is treated as defined in IKEv2 <xreftarget="RFC7296"></xref>.</t> <section title="GSA_INBAND_REKEYtarget="RFC7296"/>.</t> <section> <name>GSA_INBAND_REKEY GCKSOperations">Operations</name> <t>The GSA,KDKD, and N payloads are built in the same manner as in a registration exchange.</t> </section><section title="GSA_INBAND_REKEY<section> <name>GSA_INBAND_REKEY GMOperations">Operations</name> <t>The GM processes the GSA,KDKD, and N payloads in the same manner as if they were received in a registration exchange.</t> </section> </section> <sectiontitle="Deletionanchor="deletion"> <name>Deletion ofSAs" anchor="deletion" >SAs</name> <t>There are occasions when the GCKS may want to signal to group members to delete policy when the application sending data traffic hasended,ended or if group policy has changed. Deletion of SAs is accomplished by sending the Delete Payload described inSection 3.11 of IKEv2<xreftarget="RFC7296"></xref>target="RFC7296" sectionFormat="of" section="3.11"/> as part of the GSA_REKEY pseudo-exchange as shown below.</t><t><figure title="SA<figure anchor="gsa_rekey_sa_deletion"> <name>SA Deletion inGSA_REKEY" anchor="gsa_rekey_sa_deletion"> <preamble></preamble>GSA_REKEY</name> <artwork><![CDATA[ GMs (Receivers) GCKS (Sender) ---------------- --------------- <-- HDR, SK{D, [N,] [AUTH]} ]]></artwork><postamble></postamble> </figure></t></figure> <t>If GCKS has a unicast SA with a groupmembermember, then it can use the GSA_INBAND_REKEY exchange to delete SAs. </t><t><figure title="SA<figure anchor="gsa_inband_rekey_sa_deletion"> <name>SA Deletion inGSA_INBAND_REKEY" anchor="gsa_inband_rekey_sa_deletion"> <preamble></preamble>GSA_INBAND_REKEY</name> <artwork><![CDATA[ GM (Responder) GCKS (Initiator) --------------- ------------------ <-- HDR, SK{D, [N]} HDR, SK{} --> ]]></artwork><postamble></postamble> </figure></t></figure> <t>There may be circumstances where the GCKS may want to start over with a clean state,for examplee.g., in case it runs out of available Sender-IDs. The GCKS can signal deletion of all the Data-Security SAs by sending a Delete payload with an SPI value equal to zero. For example, if the GCKS wishes to remove the Rekey SA and all the Data-Security SAs, the GCKS sends a Delete payload with an SPI of zero and a Protocol ID of AH or ESP, followed by another Delete payload withaan SPI of zero and a Protocol ID of GIKE_UPDATE. </t> <t> If a group member receives a Delete payload with zero SPI andprotocola Protocol ID of GIKE_UPDATE, it means that the group member is excluded from the group. Such Delete payload may be received either in the GSA_REKEY pseudo-exchange or in the GSA_INBAND_REKEY exchange. In thissituationsituation, the group member <bcp14>MUST</bcp14> re-register if it wants to continue participating in this group. The registration is performed as described in <xreftarget="registration" />.target="registration"/>. It is <bcp14>RECOMMENDED</bcp14> that a GM waits some randomly chosen time before initiating a registration request in this situation to avoid overloading the GCKS. This document doesn't specify the maximum delay, which is implementation-dependent, but it isbelieved,believed that the order of seconds suits most situations.Note,Note that if the unicast SA between the group member and the GCKS exists, then the group member may use the GSA_REGISTRATION exchange to re-register. However, after excludingana GM from thegroupgroup, the GCKS <bcp14>MAY</bcp14> immediately delete the unicast SA with this GM (if any) if the credentials of this GM are revoked. </t> </section> </section> <sectionanchor="counter-modes" title="Counter-basedanchor="counter-modes"> <name>Counter-Based Modes of Operation</name> <!-- [rfced] We have updated this sentence to use "AES CCM" (per RFC 4309) rather than "AES-CCM". Please let us know any objections. Original: Several counter-based modes of operation have been specified for ESP (e.g., AES-CTR [RFC3686], AES-GCM [RFC4106], AES-CCM [RFC4309], ChaCha20-Poly1305 [RFC7634], AES-GMAC [RFC4543]) and AH (e.g., AES- GMAC [RFC4543]). Current: Several counter-based modes ofoperation">operation have been specified for ESP (e.g., AES-CTR [RFC3686], AES-GCM [RFC4106], AES CCM [RFC4309], ChaCha20-Poly1305 [RFC7634], and AES-GMAC [RFC4543]) and AH (e.g., AES- GMAC [RFC4543]). --> <t>Several counter-based modes of operation have been specified for ESP (e.g., AES-CTR <xreftarget="RFC3686"></xref>,target="RFC3686"/>, AES-GCM <xreftarget="RFC4106"></xref>, AES-CCMtarget="RFC4106"/>, AES CCM <xreftarget="RFC4309"></xref>,target="RFC4309"/>, ChaCha20-Poly1305 <xreftarget="RFC7634"></xref>,target="RFC7634"/>, and AES-GMAC <xreftarget="RFC4543"></xref>)target="RFC4543"/>) and AH (e.g., AES-GMAC <xreftarget="RFC4543"></xref>).target="RFC4543"/>). These counter-based modes require that no two senders in the group ever send a packet with the sameInitialization Vector (IV)IV using the same cipher key and mode. This requirement is met in G-IKEv2 when the following measures are taken:<list style="symbols"></t> <ul spacing="normal"> <li> <t>The GCKS distributes a unique key for each Data-Security SA.</t> </li> <li> <t>The GCKS uses the method described inUsing Counter Modes with ESP and AH to Protect Group Traffic<xreftarget="RFC6054"></xref>,target="RFC6054"/>, which assigns each sender a portion of the IV space by provisioning each sender with one or more unique Sender-ID values.</t></list></t></li> </ul> <sectionanchor="sid_alloc" title="Allocationanchor="sid_alloc"> <name>Allocation ofSender-ID">Sender-ID</name> <t>When at least one Data-Security SA included in the group policy includes a counter-based mode of operation, the GCKS automatically allocates and distributes one Sender-ID to each group member acting in the role of sender on the Data-Security SA. The Sender-ID value is used exclusively by the group sender to which it was allocated. The group sender uses the same Sender-ID for each Data-Security SA specifying the use of a counter-based mode of operation. A GCKS <bcp14>MUST</bcp14> distribute unique keys for each Data-SecuritySASA, including a counter-based mode of operation in order to maintain unique key and nonce usage.</t> <t>During registration, the group sender can choose to request one or more Sender-ID values. Requesting a value of 1 is not necessary since the GCKS will automatically allocate exactly one to the group sender. A group sender <bcp14>MUST</bcp14> request as many Sender-ID values matching the number of encryption modules in which it will be installing the TEKs in the outbound direction. Alternatively, a group sender <bcp14>MAY</bcp14> request more than one Sender-ID and use them serially. This could be useful when it is anticipated that the group sender will exhaust their range ofData- SecurityData-Security SA nonces using a single Sender-ID too quickly (e.g., before the time-based policy in the TEK expires).</t> <t>When the group policy includes a counter-based mode of operation, a GCKS should use the following method to allocate Sender-ID values, which ensures that each Sender-ID will be allocated to just one groupsender.<list style="numbers">sender.</t> <ol spacing="normal" type="1"><li> <t>A GCKS maintainsana Sender-ID counter, which records the Sender-IDs that have been allocated. Sender-IDs are allocatedsequentially,sequentially with zero as the first allocated value.</t> </li> <li> <t>Each timeana Sender-ID is allocated, the current value of the counter is saved and allocated to the group sender. The Sender-ID counter is then incremented in preparation for the next allocation.</t> </li> <li> <t>When the GCKS specifies a counter-based mode of operation in the Data-SecuritySASA, a group sender may request a count of Sender-IDs during registration in a Notify payload information of type SENDER. When the GCKS receives this request, it increments the Sender-ID counter once for each requestedSender-ID,Sender-ID and distributes each Sender-ID value to the group sender. The GCKS should have a policy-defined upper bound for the number of Sender-ID values that it will return irrespective of the number requested by the GM.</t> </li> <li> <t>A GCKS allocates new Sender-ID values for each registration operation by a group sender, regardless of whether the group sender had previously contacted the GCKS. In this way, the GCKS is not required tomaintainingmaintain a record of which Sender-ID values it had previously allocated to each group sender. More importantly, since the GCKS cannot reliably detect whether the group sender had sent data on the current group Data-SecuritySAsSAs, it does not know what Data-Security counter-mode nonce values that a group sender has used. By distributing new Sender-ID values, the key server ensures that each time a conforming group sender installs a Data-SecuritySASA, it will use a unique set of counter-based mode nonces.</t> </li> <li> <t>When the Sender-ID counter maintained by the GCKS reaches its final Sender-ID value, no more Sender-ID values can be distributed. Before distributing any new Sender-ID values, the GCKS <bcp14>MUST</bcp14> exclude all group members from the group as described in <xreftarget="deletion" />.target="deletion"/>. This will result in the group members performing re-registration, during which they will receive new Data-Security SAs and group senders will additionally receive new Sender-ID values. The new Sender-ID values can safely be used because they are only used with the new Data-Security SAs.</t></list></t></li> </ol> </section> <sectionanchor="sid-usage" title="GManchor="sid-usage"> <name>GM Usage ofSender-ID">Sender-ID</name> <t>A GM applies the Sender-ID to Data-Security SAs asfollows. <list style="symbols">follows: </t> <ul spacing="normal"> <li> <t>The most significant bits of the IV indicated in the GWP_SENDER_ID_BITS attribute (<xreftarget="gwp_attr_sid_bits" />)target="gwp_attr_sid_bits"/>) are taken to be the Sender-ID field of the IV.</t> </li> <li> <t>The Sender-ID is placed in the least significant bits of the Sender-ID field, where any unused most significant bits are set to zero. If the Sender-ID value doesn't fit into the number of bits from the GWP_SENDER_ID_BITS attributes, then the GM <bcp14>MUST</bcp14> treat this as a fatal error and re-register to the group. </t></list></t></li> </ul> </section> </section> <sectionanchor="seqnum" title="Replayanchor="seqnum"> <name>Replay Protection for Multicast Data-SecuritySAs">SAs</name> <t>IPsec provides anti-replay service as part of its security services. With multicastextensionextensions forIPsecIPsec, replay protection is not always possible to achieve (seeSection 6.1 of Multicast Group Security Architecture<xref target="RFC3740"/>).sectionFormat="of" section="6.1"/>). In particular, if there are many group senders for a Data-Security SA, then each of them will independently increment the Sequence Number field in the ESP header (seeSection 2.2 of ESP<xref target="RFC4303"/>sectionFormat="of" section="2.2"/> andSection 2.5 of AH<xref target="RFC4302"/>)sectionFormat="of" section="2.5"/>), thus making it impossible for the group receivers to filter out replayed packets. However, if there is only one group sender for a Data-Security SA, then it is possible to achieve replay protection with some restrictions (see <xreftarget="antireplay" />).target="antireplay"/>). The GCKS <bcp14>MAY</bcp14> create several Data-Security SAs with the same traffic selectors allowing only a single group sender in each SA if it is desirable to get replay protection with multiple (but still a limited number) of group senders. </t> <t>IPsec architecture assumes thatitwhether anti-replay service is enabled or not is a local matter for an IPsecreceiver whether anti-replay service is enabled or not.receiver. In other words, an IPsec sender always increments the Sequence Number field in the ESP/AH header and a receiver decides whether to check for replayed packets or not. Sincein some casesit is known in some cases that the replay protection is not possible (like in an SA with many group senders), a new transform ID "32-bit Unspecified Numbers" is defined for the Sequence Numbers(SN)(SNs) transform type. Using this transformID theID, the GCKS can inform group members that the uniqueness of sequence numbers for a given SA is not guaranteed. The decision of whether to enable anti-replay service is still a local matter of a GM (in accordance with IPsec architecture). </t><t> The<t>The GCKS <bcp14>MUST</bcp14> include the Sequence Numbers transform in the GSA payload for every Data-Security SA. See <xreftarget="antireplay" />target="antireplay"/> for more details. </t><t> When<t>When a Data-Security SA has a single sender, the GCKS <bcp14>MUST</bcp14> be configured to rekey the SA frequently enough so that the 32-bit sequence numbers do not wrap. </t> </section> <sectionanchor="implicit-iv" title="Encryptionanchor="implicit-iv"> <name>Encryption Transforms with ImplicitIV"> <t>IKEv2 IANA registry forIV</name> <t>The "Transform Type 1 - Encryption Algorithm TransformIDsIDs" IANA registry <xreftarget="IKEV2-IANA" />target="IKEV2-IANA"/> defines several transforms with implicit IV. These transforms rely on ESP SequenceNumberNumbers for constructing IV (seeImplicit IV for Counter-Based Ciphers in ESP<xreftarget="RFC8750" />target="RFC8750"/> for details). It requires anti-replay service to be enabled for an ESP SA using these encryption transforms. Unless the properties of sequence numbers for a multicast ESP SA include their uniqueness (see <xreftarget="seqnum" />),target="seqnum"/>), encryption transforms that rely on SequenceNumberNumbers for IV construction <bcp14>MUST NOT</bcp14> be used. In any case, such transforms <bcp14>MUST NOT</bcp14> be used for any G-IKEv2 SA (both unicast and multicast). </t> </section> </section> <sectionanchor="key_management" title="Groupanchor="key_management"> <name>Group Key Management and AccessControl">Control</name> <t>Through the G-IKEv2 rekey, G-IKEv2 supports algorithms such as Logical Key Hierarchy (LKH) that have the property of denying access to a new group key by a member removed from the group (forward access control) and to an old group key by a member added to the group (backward access control). This is unrelated toPFS (Perfectthe Perfect ForwardSecrecy)Secrecy (PFS) property as defined inSection 2.12 of IKEv2<xref target="RFC7296"/>.sectionFormat="of" section="2.12"/>. </t> <!--[rfced] Please clarify what "literature" refers to here. Original: Group management algorithms providing forward and backward access control other than LKH have been proposed in the literature, including OFT [OFT] and Subset Difference [NNL]. Perhaps: Group management algorithms providing forward and backward access control other than LKH have been proposed in other specifications, for example, OFT [OFT] and Subset Difference [NNL]. --> <t>Group management algorithms providing forward and backward access control other than LKH have been proposed in the literature, including OFT <xreftarget="OFT"></xref>target="OFT"/> and Subset Difference <xreftarget="NNL"></xref>.target="NNL"/>. These algorithms could be used withG-IKEv2,G-IKEv2 but are not specified as a part of this document.</t> <t>This specification assumes that all group keys, that are sent to the GMs by the GCKS, are encrypted with some other keys, called Key Wrap Keys(KWK).(KWKs). The Key Wrap Algorithm transform defines the algorithm used for key wrapping in the context of an SA. </t> <sectionanchor="kwk" title="Keyanchor="kwk"> <name>Key WrapKeys">Keys</name> <t>Every GM always knows at least one KWK -- the KWK that is associated with the IKE SA or multicast Rekey SA over which wrapped keys are sent. In thisdocumentdocument, it is called default KWK and is denoted asGSK_w."GSK_w". </t> <t>For the purpose of forward accesscontrolcontrol, the GCKS may provide each GM with its personal KWK at the time of registration. Additionally, several intermediate KWKs that form a key hierarchy and are shared among several GMs may be provided by the GCKS. </t> <t>Each KWK is associated with a key wrapalgorithm,algorithm specified in the Key Wrap Algorithm transform. The size of these KWKs is determined by theusedkey wrapalgorithm,algorithm used, but it <bcp14>SHOULD NOT</bcp14> be less than the size of the key for the Encryption Algorithm transform for the Rekey SA and for all Data-Security SAs in the group (takinginto considerationthe Key Length attribute into consideration if it is present). </t> <sectionanchor="sk_w" title="Defaultanchor="sk_w"> <name>Default Key WrapKey">Key</name> <t>The default KWK (GSK_w) is only used in the context of a single IKE SA. Every IKE SA (unicast IKE SA or multicast Rekey SA) will have its own GSK_w. </t><t>For<!-- [rfced] May we update "if they are take place" for clarity in the sentence below? Original: For the unicast IKE SA (used for the GM registration and for the GSA_INBAND_REKEY exchanges, if they are take place) the GSK_w is computed as follows:<figure >Perhaps: For the unicast IKE SA (used for the GM registration and for GSA_INBAND_REKEY exchanges if they appear), the GSK_w is computed as follows: --> <t>For the unicast IKE SA (used for the GM registration and for the GSA_INBAND_REKEY exchanges, if they are take place), the GSK_w is computed as follows: </t> <artwork><![CDATA[ GSK_w = prf+(SK_d, "Key Wrap for G-IKEv2") ]]></artwork></figure><!--[rfced] Is "null termination" correct, or should it be "NUL termination"? Current: where the string "Key Wrap for G-IKEv2" is 20 ASCII characters without null termination. --> <t> where the string "Key Wrap for G-IKEv2" is 20 ASCII characters without null termination. </t> <t>For the multicast RekeySASA, the GSK_w is provided along with other SA keys as defined in <xreftarget="group_sa_keys" />.target="group_sa_keys"/>. </t> </section> </section> <sectionanchor="key_gcks_semantics" title="GCKSanchor="key_gcks_semantics"> <name>GCKS Key ManagementSemantics"> <t>WrappedSemantics</name> <t>The Wrapped Key Download method allows the GCKS to employ various key managementmethods <list style="symbols"> <t>Amethods.</t> <dl newline="false" spacing="normal"> <dt>A simple key managementmethods -- when themethod:</dt><dd>The GCKS always sends group SA keys encrypted with theGSK_w. </t> <t>AnGSK_w.</dd> <dt>An LKH key managementmethod -- when themethod:</dt><dd>The GCKS provides each GM with an individual key at the time of the GM registration (encrypted with GSK_w).ThenThen, the GCKS formsana hierarchy of keys so that the group SA keys are encrypted with other keyswhichthat are encrypted with other keys and so on, tracing back to the keys for eachGM. </t> </list>GM.</dd> </dl> <t> Other key policies may also be employed by the GCKS. </t><section title="Forward<section> <name>Forward Access ControlRequirements">Requirements</name> <t>When a group membership is altered using a group managementalgorithmalgorithm, new Data-Security SAs and their associated keys are usually also needed. New Data-Security SAs and keys ensure that members who were denied access can no longer participate in the group.</t> <t>If forward access control is a desired property of the group, a new TEK policy and the associated keys <bcp14>MUST NOT</bcp14> be included in a G-IKEv2 rekeymessagemessage, which changes group membership. This is required because the GSA TEK policy and the associated keys are not protected with the new KEK. A second G-IKEv2 rekey message can deliver the new GSA TEK policies and their associated keys because it will be protected with the newKEK,KEK and thus will not be visible to the members who were denied access.</t> <t>If forward access control policy for the group includes keeping group policy changes from members that are denied access to the group, then two sequential G-IKEv2 rekey messages changing the group KEK <bcp14>MUST</bcp14> be sent by the GCKS. The first G-IKEv2 rekey message creates a new KEK for the group. Group members, which are denied access, will not be able to access the new KEK, but they will see the group policy since the G-IKEv2 rekey message is protected under the current KEK. A subsequent G-IKEv2 rekey message containing the changed group policy and again changing the KEK allows complete forward access control. A G-IKEv2 rekey message <bcp14>MUST NOT</bcp14> change the policy without creating a new KEK.</t> <t>If other methods of using LKH or other group management algorithms are added to G-IKEv2, those methods <bcp14>MAY</bcp14> remove the above restrictions requiring multiple G-IKEv2 rekey messages, providing those methods specify how the forward access control policy is maintained within a single G-IKEv2 rekey message.</t> </section> </section> <sectionanchor="keys_gm_semantics" title="GManchor="keys_gm_semantics"> <name>GM Key ManagementSemantics">Semantics</name> <t>This specification definesaGM Key Management semantics in such away,way that it doesn't depend on the key management method employed by the GCKS. This allows having all the complexity of key management in the GCKS, which is free to implement various key managementmethods,methods such as direct transmitting of group SA keys or using some kind of key hierarchy(e.g.(e.g., LKH).For all these policies theThe GM behavior is thesame.same for all of these policies. </t> <t>All keys in G-IKEv2 are transmitted in encryptedform,form as specified in <xreftarget="wrapped_key" />.target="wrapped_key"/>. This format includes a 32-bit Key ID (ID of a key that is encrypted) and a 32-bit KWK ID (ID of a key that was used to encrypt this key). Keys may be encrypted either with a default KWK (GSK_w) or with other keys, which the GM has received in the WRAP_KEY attributes. If a key was encrypted with GSK_w, then the KWK ID field is set tozero, otherwisezero. Otherwise, the KWK ID field identifies the key used for encryption.ZeroA zero Key ID always identifies the key from which the keys for protecting Data-Security SAs and Rekey SA are taken. </t> <t>When a GM receives a message from the GCKS installing the new Data-Security or Rekey SA, it will contain a KD payload with an SA_KEY attribute containing keying material for this SA. For a Data-SecuritySASA, exactly one SA_KEY attribute will be present with both Key ID and KWK ID fields set to zero. This means that the default KWK (GSK_w) should be used to extract this keying material. </t> <t>For a multicast RekeySASA, multiple SA_KEY attributes may be present depending on the key management method employed by the GCKS. If multiple SA_KEY attributes arepresentpresent, then all of them <bcp14>MUST</bcp14> contain the same keying material encrypted using different KWKs. The GM in general is unaware of the key management method used by the GCKS and can always use the same procedure to get the keys. The GM tries to decrypt at least one of the SA_KEY attributes using either the GSK_w or the keys from the WRAP_KEY attributes that are present in the same message or werereceivesreceived in previous messages. </t> <t>We will use the term "Key Path" to describe an ordered sequence of keys where each subsequent key was used to encrypt the previous one. The GM keeps its own Key Path (called Working Key Path) in the memory associated with each group it is registered to and updates it when needed. When the GSA_REKEY message isreceivedreceived, the GM processes the received SA_KEY attributes one by onetryingand tries to construct a new key path that starts from one of these attributes and ends with any key in the Working Key Path or with the default KWK (GSK_w). </t> <t>In the simplestcasecase, the SA_KEY attribute is encrypted with GSK_w so that the new Key Path is empty. If more complex key management methods areusedused, then a Key Path will contain intermediate keys from the WRAP_KEY attributes received by a GM sofarfar, starting from its registration to the group. If the GM is able to construct a new Key Path using intermediate keys it has, then it is able to decrypt the SA_KEY attribute and use its content to form new SA keys. If it is unable to build a new Key Path, theninit means that the GM is excluded from the group. </t> <t>Depending on the new KeyPathPath, the GM should do the following actions to be prepared for future key updates:<list style="symbols"></t> <ul spacing="normal"> <li> <t>If the new Key Path isemptyempty, then no actions are needed. This may happen if no WRAP_KEY attributes from the received message were used. </t> </li> <li> <t>If the new Key Path is non-empty and it ends with the default KWK (GSK_w), then the whole new Key Path is stored by the GM as the GM's Working Key Path. <!-- [rfced] We have replaced "it" with "GM" for clarity and removed "this GM" to avoid redundancy. Please let us know if this is not correct. Original: This situation may only happen at the time the GM is registering to the group, when the GCKS is providing it with its personal key and the other keys from the key tree that are needed for this GM. Current: This situation may only happen at the time the GM is registering to the group, when the GCKS is providing the GM with its personal key and the other keys from the key tree that are needed. --> This situation may only happen at the time the GM is registering to the group, when the GCKS is providing the GM with its personal key and the other keys from the key tree that are needed. These keys form an initial Working Key Path for this GM. </t> </li> <li> <t>In all othercasescases, the new Key Path will end at some intermediate key from the GM's current Working Key Path. In thiscasecase, the new Key Path is constructed by replacing a part of the GM's current Working Key Path from the beginning and up to (but not including) the key that the GM has used to decrypt the last key in the new Key Path. </t></list></li> </ul> <t> <xreftarget="lkh_key_management" />target="lkh_key_management"/> contains an example of how this algorithm works in case of LKH key management method. </t> </section> <sectionanchor="group_sa_keys" title="SA Keys">anchor="group_sa_keys"> <name>SA Keys</name> <t>The keys that are used for Data-Security SAs or a Rekey SA (calledhereSAkeys)keys here) are downloaded to GMs in the form of keying material from which, according to policy, a set of keys are deterministically extracted. </t> <t>For a Data-SecuritySASA, the keys are taken in accordance to the third bullet fromSection 2.17 of<xref target="RFC7296"/>.sectionFormat="of" section="2.17"/>. In particular, for the ESP and AHSAsSAs, the encryption key (if any) <bcp14>MUST</bcp14> be taken from the leftmost bits of the keying material and the integrity key (if any) <bcp14>MUST</bcp14> be taken from the remaining bits. </t> <t>For a RekeySASA, the following keys are taken from the keying material:<figure ></t> <figure> <artwork><![CDATA[ GSK_e | GSK_a | GSK_w = KEYMAT ]]></artwork> </figure> <t> <!-- [rfced] In this sentence, is GSK_e used for the Encryption Algorithm and GSK_a for the Integrity Algorithm (option A), or are GSK_e and GSK_a used for both the Encryption Algorithm and the Integrity Algorithm (option B)? Original: where GSK_e and GSK_a are the keys used for the Encryption Algorithm and the Integrity Algorithm transforms for the corresponding SA and GSK_w is a default KWK for this SA.Note,Perhaps A: where GSK_e and GSK_a are the keys used for the Encryption Algorithm and the Integrity Algorithm transforms, respectively, for the corresponding SA and GSK_w is a default KWK for this SA. or Perhaps B: where GSK_e and GSK_a are the keys used for both the Encryption Algorithm and the Integrity Algorithm transforms for the corresponding SA and GSK_w is a default KWK for this SA. --> where GSK_e and GSK_a are the keys used for the Encryption Algorithm and the Integrity Algorithm transforms for the corresponding SA and GSK_w is a default KWK for this SA. Note that GSK_w is used with the key wrap algorithm specified in the Key Wrap Algorithm transform. If an AEAD algorithm is used for encryption, then the GSK_a key will not be used (GM can use the formula above assuming the length of GSK_a is zero). </t> </section> </section> <sectionanchor="header_payload" title="Headeranchor="header_payload"> <name>Header and PayloadFormats">Formats</name> <t>The G-IKEv2 is an IKEv2 extension and thus inherits its wire format for data structures. However, the processing of some payloads are different. Several new payloads are defined: Group Identification(IDg, <xref target="idg_payload" />),(IDg) (<xref target="idg_payload"/>), Security Association - GM Supported Transforms(SAg, <xref target="sag_payload" />),(SAg) (<xref target="sag_payload"/>), Group Security Association(GSA, <xref target="gsa_payload" />),(GSA) (<xref target="gsa_payload"/>), and Key Download(KD, <xref target="kd_payload" />).(KD) (<xref target="kd_payload"/>). The G-IKEv2 header (<xreftarget="header" />),target="header"/>), IDgpayloadpayload, and SAg payload reuse the IKEv2 format for the IKEv2 header, IDi/IDrpayloadspayloads, and SApayloadpayload, respectively. New exchange types GSA_AUTH, GSA_REGISTRATION,GSA_REKEYGSA_REKEY, and GSA_INBAND_REKEY are also added. </t> <t>This section describes new payloads and the differences in the processing of existing IKEv2 payloads. </t> <sectionanchor="header" title="G-IKEv2 Header">anchor="header"> <name>G-IKEv2 Header</name> <t>G-IKEv2 uses the same IKE header format as specified in <xref target="RFC7296"/> section 3.1.sectionFormat="of" section="3.1"/>. The Major Version is 2 and the Minor Version is00, as in IKEv2. IKE SA Initiator's SPI, IKE SA Responder's SPI, Flags, Message ID, and Length are as specified in <xreftarget="RFC7296"></xref>.target="RFC7296"/>. </t> </section> <sectiontitle="Group Identification Payload"anchor="idg_payload"> <name>Group Identification Payload</name> <t>The Group Identification (IDg) payload allows the group member to indicate which group it wants to join. The payload is constructed by using the IKEv2 Identification Payload(section 3.5 of <xref target="RFC7296"></xref>).(<xref target="RFC7296" sectionFormat="of" section="3.5"/>). ID type ID_KEY_ID <bcp14>MUST</bcp14> be supported. ID types ID_IPV4_ADDR, ID_FQDN, ID_RFC822_ADDR, and ID_IPV6_ADDR <bcp14>SHOULD</bcp14> be supported. ID types ID_DER_ASN1_DN and ID_DER_ASN1_GN are not expected to be used. The Payload Type for theGroup IdentificationIDg payload is fifty (50). </t> </section> <sectiontitle="Securityanchor="sag_payload"> <name>Security Association - GM Supported TransformsPayload" anchor="sag_payload"> <t>ThePayload</name> <!-- [rfced] FYI - We have updated the following sentence to reduce the repetition of "payload" and to match use in Table 1. Please let us know any objections. Original: The Security Association - GM Supported Transforms Payload (SAg) payload declares which Transforms a GM is willing to accept. Current: The Security Association - GM Supported Transforms (SAg) payload declares which Transforms a GM is willing to accept. --> <t>The Security Association - GM Supported Transforms (SAg) payload declares which Transforms a GM is willing to accept. The payload is constructed using the format of the IKEv2 Security Association payload(section 3.3 of <xref target="RFC7296"></xref>).(<xref target="RFC7296" sectionFormat="of" section="3.3"/>). The Payload Type for SAg payloads is thirty-three (33), which is identical to the SA Payload Type. </t> </section> <sectiontitle="Group Security Association Payload"anchor="gsa_payload"><t>The Group<name>Group Security Association(GSA)Payload</name> <t>The GSA payload is used by the GCKS to assert security attributes for both RekeySAand Data-Security SAs. The Payload Type for theGroup Security AssociationGSA payload is fifty-one (51). </t> <figuretitle="GSA Payload Format"anchor="gsa_payload_format"><preamble></preamble><name>GSA Payload Format</name> <artwork><![CDATA[ 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Next Payload |C| RESERVED | Payload Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ <Group Policies> ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ]]></artwork><postamble></postamble></figure> <t>The Security AssociationPayloadpayload fields are defined as follows:<list style="symbols"> <t>Next</t> <dl spacing="normal" newline="true"> <dt>Next Payload, C, RESERVED, and Payload Lengthfields comprisefields:</dt><dd>Comprise the IKEv2 Generic Payload Header and are defined inSection 3.2. of<xreftarget="RFC7296"></xref>.</t> <t>Grouptarget="RFC7296" sectionFormat="of" section="3.2"/>.</dd> <dt>Group Policies(variable) -- A(variable):</dt><dd>A set of group policies for thegroup.</t> </list> </t>group.</dd> </dl> <sectionanchor="group_policy" title="Group Policies">anchor="group_policy"> <name>Group Policies</name> <t>Group policies are comprised of twotypes of policy --types: Group SA (GSA) policy and Group-wide (GW) policy. GSA policy defines parameters for the Security Associationforof the group. Depending on the employed securityprotocolprotocol, GSA policies may further be classified as Rekey SA policy (GSA KEK) and Data-Security SA policy (GSA TEK). GSA payload may contain zero or one GSA KEK policy, zero or more GSA TEK policies, and zero or one GW policy, where either one GSA KEK or one GSA TEK policy <bcp14>MUST</bcp14> be present.</t> <t>This latitude allows various group policies to be accommodated. Forexampleexample, if the group policy does not require the use of a Rekey SA, the GCKS would not need to send a GSA KEK policy to the group member since all SA updates would be performed using the GSA_INBAND_REKEY exchange via the unicast IKE SA. Alternatively, group policy might use a Rekey SA but choose to download a KEK to the group member only as part of the unicast IKE SA. Therefore, the GSA KEK policy would not be necessary as part of the GSA_REKEY message.</t> <t>Specifying multiple GSA TEKs allows multiple related data streams (e.g., video, audio, and text) to be associated with a session, but each are protected with an individual security association policy.</t> <t>A GW policy allows for the distribution of group-wide policy, such as instructions for when to activate andde-activatedeactivate SAs.</t> <t>Policies are distributed in substructures to the GSA payload. The format of the substructures is definedbelowin <xreftarget="gsa_policy" />target="gsa_policy"/> (for GSA policy) and in <xreftarget="gw_policy" />target="gw_policy"/> (for GW policy). The first octet of the substructure unambiguously determines itstype --type; it is zero for GW policy and non-zero (actually, it is a securityprotocolProtocol ID) for GSA policies. </t> </section> <sectiontitle="Groupanchor="gsa_policy"> <name>Group Security Association PolicySubstructure" anchor="gsa_policy">Substructure</name> <t>The GSA policy substructure contains parameters for the SA that are used with this group. Depending on the securityprotocolprotocol, the SA is either a Rekey SA or a Data-Security SA (ESP and AH). The GCKS <bcp14>MUST NOT</bcp14> distribute both ESP and AH policies for the same set of Traffic Selectors. </t><t><figure title="GSA<figure anchor="gsa_format"> <name>GSA Policy SubstructureFormat" anchor="gsa_format"> <preamble></preamble>Format</name> <artwork><![CDATA[ 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Protocol | SPI Size | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ SPI ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ Source Traffic Selector ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ Destination Traffic Selector ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ <GSA Transforms> ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ <GSA Attributes> ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ]]></artwork><postamble></postamble> </figure></t></figure> <t>The GSA policy fields are defined asfollows: <ul> <li><t>Protocolfollows:</t> <dl spacing="normal" newline="true"> <dt>Protocol (1octet) -- Identifiesoctet):</dt><dd>Identifies the security protocol for this group SA. The values are defined in theIKEv2"IKEv2 Security ProtocolIdentifiersIdentifiers" registry in <xreftarget="IKEV2-IANA" />.target="IKEV2-IANA"/>. The valid values for this fieldare: <TBA>are 6 (GIKE_UPDATE) for Rekey SA and 2 (AH) or 3 (ESP) for Data-SecuritySAs. </t></li> <li><t>SPISAs.</dd> <dt>SPI Size (1octet) -- Sizeoctet):</dt><dd>Size ofSecurity Parameter Index (SPI)the SPI for the SA. SPI size depends on the SA protocol.For GIKE_UPDATE itIt is 16octets, whileoctets forAHGIKE_UPDATE andESP it is4octets. </t></li> <li><t>Lengthoctets for AH and ESP.</dd> <dt>Length (2 octets, unsignedinteger) -- Lengthinteger):</dt><dd>Length of this substructure including theheader. </t></li> <li><t>SPI (variable) -- Securityheader.</dd> <dt>SPI (variable):</dt><dd>Security Parameter Index for the group SA. The size of this field is determined by the SPI Size field. As described above, these SPIs are assigned by the GCKS. In the case ofGIKE_UPDATEGIKE_UPDATE, the SPI is the IKEv2 Header SPI pair where the first 8 octets become the "IKE SA Initiator's SPI" field in the G-IKEv2 rekey message IKEv2 HDR, and the second 8 octets become the "IKE SA Responder's SPI" in the sameHDR. </t></li> <li><t>SourceHDR.</dd> <dt>Source & Destination Traffic Selectors(variable) -- Substructures(variable):</dt><dd> <t>Substructures describing the source and destination of the network identities. The format for these substructures is defined in IKEv2<xref target="RFC7296"></xref>, Section 3.13.1. </t>(<xref target="RFC7296" sectionFormat="of" section="3.13.1"/>).</t> <t>For the Rekey SA (with the GIKE_UPDATEprotocol)protocol), the destination traffic selectors <bcp14>MUST</bcp14> define a single multicast IP address, an IP protocol (assumed to beUDP)UDP), and a single port the GSA_REKEY messages will be destined to.TheIn this case, the source traffic selectorin this case<bcp14>SHOULD</bcp14> define a single IP address, an IP protocol (assumed to beUDP)UDP), and a single port the GSA_REKEY messages will be originated from. The source traffic selector <bcp14>MAY</bcp14> define a wildcard IP address and/or wildcard port. For the Data-Security (AH and ESP)SAsSAs, the destination traffic selectors will usually define a single multicast IP address. The source traffic selector in this case will usually define a single IP address or be a wildcard selector. An IP protocol and ports define the characteristics of traffic protected by this Data-SecuritySA. </t>SA.</t> <t>If the Data-Security SAs are created in tunnel mode, then it <bcp14>MUST</bcp14> be tunnel mode with address preservation (see Multicast Extensions to the Security Architecture <xreftarget="RFC5374" />.target="RFC5374"/>. UDP encapsulation of ESP packets <xreftarget="RFC3948" />target="RFC3948"/> cannot be specified in G-IKEv2 and thusitis not used for the multicast Data-SecuritySAs. </t></li> <li><t>GSASAs.</t></dd> <dt>GSA Transforms(variable) -- A(variable):</dt><dd>A list of Transform Substructures specifies the policy information for the SA. The format is defined in IKEv2<xref target="RFC7296"></xref>, section 3.3.2.(<xref target="RFC7296" sectionFormat="of" section="3.3.2"/>). <!-- [rfced] Should "Last Substruc" be "Last Substruct" or "Last Substructure" in the sentence below? Or is "Last Substruc" correct here? Original: The "Last Substruc" field in each Transform Substructure is set to 3 except for the last Transform Substructure, where it is set to 0. Perhaps: The "Last Substructure" field in each Transform Substructure is set to 3 except for the last Transform Substructure, where it is set to 0. --> The "Last Substruc" field in each Transform Substructure is set to 3 except for the last Transform Substructure, where it is set to 0. <xreftarget="gsa_transforms" />target="gsa_transforms"/> describes using IKEv2 transforms in GSA policysubstructure. </t></li> <li><t>GSAsubstructure.</dd> <dt>GSA Attributes(variable) -- Contains(variable):</dt><dd>Contains policy attributes associated with the group SA. The following sections describe the possible attributes. Any or all attributes may be optional, depending on the protocol and the group policy. <xreftarget="gsa_attr" />target="gsa_attr"/> defines attributes used in GSA policysubstructure.</t></li> </ul></t>substructure.</dd> </dl> <sectionanchor="gsa_transforms" title="GSA Transforms">anchor="gsa_transforms"> <name>GSA Transforms</name> <t>GSA policy is defined by the means of transforms in the GSA policy substructure. For thispurposepurpose, the transforms defined in <xreftarget="RFC7296" />target="RFC7296"/> are used. In addition, new transform types are defined forusinguse in G-IKEv2: Group Controller Authentication Method (GCAUTH) and Key Wrap Algorithm(KWA),(KWA); see <xreftarget="IANA" />.target="IANA"/>. </t> <t> Valid transform types depend on the SA protocol and are summarized in the table below. Exactly one instance of each mandatory transform type and at most one instance of each optional transform type <bcp14>MUST</bcp14> be present in the GSA policy substructure.<figure align="center" anchor="allowed_transforms" title="Valid</t> <table anchor="allowed_transforms"> <name>Valid TransformTypes"> <artwork align="left"><![CDATA[ Protocol Mandatory Types Optional Types ---------------------------------------------------------------- GIKE_UPDATE ENCR,Types</name> <thead> <tr> <th>Protocol</th> <th>Mandatory Types</th> <th>Optional Types</th> </tr> </thead> <tbody> <tr> <td>GIKE_UPDATE</td> <td>ENCR, INTEG*, GCAUTH**,KWA ESP ENCR, SN INTEG AH INTEG, SN ]]></artwork> </figure> </t> <t>(*) IfKWA</td> <td></td> </tr> <tr> <td>ESP</td> <td>ENCR, SN</td> <td>INTEG</td> </tr> <tr> <td>AH</td> <td>INTEG, SN</td> <td></td> </tr> </tbody> </table> <t>Notes:</t> <dl spacing="normal" newline="false"> <dt>(*):</dt><dd>If the AEAD encryption algorithm is used, then INTEG transform either <bcp14>MUST NOT</bcp14> be specified or <bcp14>MUST</bcp14> contain value NONE;otherwiseotherwise, it <bcp14>MUST</bcp14> be specified and <bcp14>MUST</bcp14> contain a value other thanNONE. </t> <t>(**) MayNONE.</dd> <dt>(**):</dt><dd>May only appear at the time of a GMregistration,registration (in the GSA_AUTH and GSA_REGISTRATIONexchanges). </t>exchanges).</dd> </dl> <sectionanchor="auth_method" title="Groupanchor="auth_method"> <name>Group Controller Authentication MethodTransform">Transform</name> <t>The Group Controller Authentication Method (GCAUTH) transform is used to convey informationofon how the GCKS will authenticate the GSA_REKEY messages. </t> <t> This document creates a new IKEv2 IANA registry for transform IDsforof this transform type, whichishas been initiallyfilledpopulated as described in <xreftarget="IANA" />.target="IANA"/>. In particular, the following entriesare initially added.have been added: </t><figure> <preamble></preamble> <artwork align="center"><![CDATA[ Group<table> <name></name> <thead> <tr> <th>Group Controller AuthenticationMethod Value ------------------------------------------------- Reserved 0 Implicit 1 Digital Signature 2 ]]></artwork> </figure>Method</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>Reserved</td><td>0</td> </tr> <tr> <td>Implicit</td><td>1</td> </tr> <tr> <td>Digital Signature</td><td>2</td> </tr> </tbody> </table> <t>These transform IDs are defined asfollows. <ul> <li><t> Implicit -- means that nofollows:</t> <dl spacing="normal" newline="true"> <dt>Implicit:</dt><dd>No authentication of the GSA_REKEY messages will be provided by the GCKS besides the ability for the GMs to correctly decrypt them and verify their ICV. In thiscasecase, the GCKS <bcp14>MUST NOT</bcp14> include the AUTH_KEY attribute into the KD payload. Additionally, the AUTH payload <bcp14>MUST NOT</bcp14> be included in the GIKE_UPDATEmessages.</t></li> <li><t> Digital Signature -- means that digitalmessages.</dd> <dt>Digital Signature</dt><dd><t>Digital signatures will be used by the GCKS to authenticate the GSA_REKEY messages. In thiscasecase, the GCKS <bcp14>MUST</bcp14> include the AUTH_KEY attribute containing the public key into the KD payload at the time the GM is registered to the group. To specify the details of the signaturealgorithmalgorithm, a new attribute Signature Algorithm Identifier(<TBA by IANA>)(value 18) is defined. This attribute contains DER-encoded ASN.1 object AlgorithmIdentifier, which specifies the signature algorithm and the hash function that the GCKS will use for authentication. The AlgorithmIdentifier object is defined inSection 4.1.1.2 of Internet X.509 Public Key Infrastructure Certificate and CRL Profile<xref target="RFC5280"/>,sectionFormat="of" section="4.1.1.2"/>. Also, seealso Signature Authentication in IKEv2<xreftarget="RFC7427" />target="RFC7427"/> for the list of common AlgorithmIdentifier values used in IKEv2.</t> <t>In the case of the Digital Signature transform ID, the GCKS <bcp14>MUST</bcp14> include the Signature Algorithm Identifier attribute in the Group Controller Authentication Method transform. In thiscasecase, the AUTH payload in the GIKE_UPDATE messages <bcp14>MUST</bcp14> contain the Digital Signature authentication method (value 14) andisbe formatted as defined inSection 3 of<xref target="RFC7427"/>.sectionFormat="of" section="3"/>. The AlgorithmIdentifier ASN.1 object in the AUTH payload <bcp14>MUST</bcp14> match the content of the Signature Algorithm Identifier attribute in the Group Controller Authentication Method transform. The Signature Algorithm Identifier attribute is only meaningful for the Digital Signature transform ID and <bcp14>MUST NOT</bcp14> be used with other transformIDs. </t></li> </ul>IDs.</t></dd> </dl> <t> More authentication methods may be defined in the future. </t><t> The<t>The authentication method <bcp14>MUST NOT</bcp14> change as a result of rekey operations. This means that the Group Controller Authentication Method transform <bcp14>MUST NOT</bcp14> appear in the rekeymessages,messages; it may only appear in the registration exchange (either GSA_AUTH or GSA_REGISTRATION). </t> <t>The type of the Group Controller Authentication MethodTransformtransform is<TBA by IANA>.14. </t> </section> <sectionanchor="wrapping_alg" title="Keyanchor="wrapping_alg"> <name>Key Wrap AlgorithmTransform">Transform</name> <t>The Key Wrap Algorithm (KWA) transform is used to convey information about analgorithm,algorithm that is used for key wrapping in G-IKEv2. See <xreftarget="wrapped_key" />target="wrapped_key"/> for details. </t> <t> This document creates a new IKEv2 IANA registry for the key wrapalgorithmsalgorithms, whichishas been initiallyfilledpopulated as described in <xreftarget="IANA" />.target="IANA"/>. In particular, the following entriesare initially added.have been added: </t><figure> <preamble></preamble> <artwork align="center"><![CDATA[ Key<table> <name></name> <thead> <tr> <th>Key WrapAlgorithm Value ------------------------------------- Reserved 0 KW_5649_128 1 KW_5649_192 2 KW_5649_256 3 KW_ARX 4 ]]></artwork> </figure>Algorithm</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>Reserved</td> <td>0</td> </tr> <tr> <td>KW_5649_128</td> <td>1</td> </tr> <tr> <td>KW_5649_192</td> <td>2</td> </tr> <tr> <td>KW_5649_256</td> <td>3</td> </tr> <tr> <td>KW_ARX</td> <td>4</td> </tr> </tbody> </table> <t>These algorithms are defined asfollows. <list style="symbols"> <t> KW_5649_128,follows:</t> <dl spacing="normal" newline="true"> <dt>KW_5649_128, KW_5649_192,KW_5649_256 -- KeyKW_5649_256:</dt><dd>The key wrap algorithm defined in <xreftarget="RFC5649" />target="RFC5649"/> with a 128-bit,192-bit192-bit, and 256-bitkeykey, respectively. This key wrap algorithm is designed for use with AES blockcipher.</t> <t> KW_ARX -- Thecipher.</dd> <dt>KW_ARX:</dt><dd>The ARX-KW-8-2-4-GX key wrap algorithm defined in <xreftarget="ARX-KW" />.target="ARX-KW"/>. This key wrap algorithm is designed for use with Chacha20 streamcipher.</t> </list> Morecipher.</dd> </dl> <t>More key wrap algorithms may be defined in the future. The requirement is that these algorithms <bcp14>MUST</bcp14> be able to wrap key material of size up to 256 bytes. </t> <t>The type of the Key Wrap Algorithm transform is<TBA by IANA>.13. </t> </section> <sectionanchor="antireplay" title="Sequenceanchor="antireplay"> <name>Sequence NumbersTransform">Transform</name> <t>The"SequenceSequence Numbers(SN)"(SNs) transform type is defined in <xreftarget="I-D.ietf-ipsecme-ikev2-rename-esn" />.target="RFC9827"/>. This transform describes the properties of sequence numbers of IPsec packets. There are currently two transform IDs defined for this transform type: "32-bit Sequential Numbers" and "Partially Transmitted 64-bit Sequential Numbers" that correspond to non-ESN and ESN cases from AH <xreftarget="RFC4302" />target="RFC4302"/> and ESP <xreftarget="RFC4303" />target="RFC4303"/> specifications. </t><t> Transform<t>Transform ID "32-bit Sequential Numbers" <bcp14>SHOULD</bcp14> be used by the GCKS for single-sender multicast Data-Security SAs utilizing protocols ESP or AH. </t> <t>Since both AH <xreftarget="RFC4302" />target="RFC4302"/> and ESP <xreftarget="RFC4303" />target="RFC4303"/> are defined in such away,way that high-order 32 bits of extended sequence numbers are never transmitted, it makes using ESN in multicast Data-Security SAsproblematic,problematic because GMs that join the group long after it is created will have to somehow learn the currenthigh orderhigh-order 32 bits of ESN for each sender in the group. The algorithm for doing this described in AH <xreftarget="RFC4302" />target="RFC4302"/> and ESP <xreftarget="RFC4303" />target="RFC4303"/> is resource-consuming and is only suitable when a receiver is able to guess the high-order 32 bits close enough to its real value, which is not the case for multicast SAs. For thisreasonreason, the "Partially Transmitted 64-bit Sequential Numbers" transform ID <bcp14>MUST NOT</bcp14> be used for multicast Data-Security SAs utilizing protocols ESP or AH. </t> <t> This document defines a new transform ID"32-bitfor this transform type: 32-bit UnspecifiedNumbers" (<TBANumbers (2). <!-- [rfced] May we restructure the text below as follows for readability? Current: This transform ID defines the following properties. Sequence numbers are 32-bit in size and are transmitted in the Sequence Number field of AH and ESP packets. The value of sequence numbers is not guaranteed to be unique for the duration of an SA, thus they are not suitable for replay protection. This transform ID MUST be used byIANA>)the GCKS in case of multi-sender multicast Data-Security SAs utilizing protocols ESP or AH to inform the GMs that the replay protection is not expected to be possible. The GCKS MAY also use this transform ID for single-sender multicast Data-Security SAs if replay protection is not needed (e.g. it is done on application level). Perhaps: This transform ID defines the following properties: * Sequence numbers are 32 bits in size and are transmitted in the Sequence Number field of AH and ESP packets. * The value of sequence numbers is not guaranteed to be unique for the duration of an SA, thus they are not suitable for replay protection. * This transform ID MUST be used by the GCKS in the case of multi-sender multicast Data-Security SAs utilizing protocols ESP or AH to inform the GMs that the replay protection is not expected to be possible. * The GCKS MAY also use this transformtype.ID for single-sender multicast Data-Security SAs if replay protection is not needed (e.g., it is done on the application level). --> This transform ID defines the following properties. Sequence numbers are32-bit32 bits in size and are transmitted in the Sequence Number field of AH and ESP packets. The value of sequence numbers is not guaranteed to be unique for the duration of an SA, thus they are not suitable for replay protection. This transform ID <bcp14>MUST</bcp14> be used by the GCKS in case of multi-sender multicast Data-Security SAs utilizing protocols ESP or AH to inform the GMs that the replay protection is not expected to be possible. The GCKS <bcp14>MAY</bcp14> also use this transform ID for single-sender multicast Data-Security SAs if replay protection is not needed(e.g.(e.g., it is done on the application level). </t> </section> </section> <sectionanchor="gsa_attr" title="GSA Attributes">anchor="gsa_attr"> <name>GSA Attributes</name> <t>GSA attributes are generally used to provide GMs with additional parameters for the GSA policy. Unlike security parameters distributed via transforms, which are expected not to change over time (unless the policy changes), the parameters distributed via GSA attributes may depend on the time the provision takes place, on the existence of others groupSAsSAs, or on other conditions. </t> <t>This document creates a new IKEv2 IANA registry for the types oftheGSAattributesattributes, whichishas been initiallyfilledpopulated as described in <xreftarget="IANA" />.target="IANA"/>. In particular, the following attributesare initially added. <figure> <artwork align="center"><![CDATA[ GSA Attributes Value Format Multi-Valued Usedhave been added: </t> <table> <name></name> <thead> <tr> <th>GSA Attributes</th> <th>Value</th> <th>Format</th> <th>Multi-Valued</th> <th>Used inProtocol --------------------------------------------------------------------- Reserved 0 GSA_KEY_LIFETIME 1 TLV NO GIKE_UPDATE,Protocol</th> </tr> </thead> <tbody> <tr> <td>Reserved</td> <td colspan="4">0</td> </tr> <tr> <td>GSA_KEY_LIFETIME</td> <td>1</td> <td>TLV</td> <td>NO</td> <td>GIKE_UPDATE, AH,ESP GSA_INITIAL_MESSAGE_ID 2 TLV NO GIKE_UPDATE GSA_NEXT_SPI 3 TLV YES GIKE_UPDATE,ESP</td> </tr> <tr> <td>GSA_INITIAL_MESSAGE_ID</td> <td>2</td> <td>TLV</td> <td>NO</td> <td>GIKE_UPDATE</td> </tr> <tr> <td>GSA_NEXT_SPI</td> <td>3</td> <td>TLV</td> <td>YES</td> <td>GIKE_UPDATE, AH,ESP ]]></artwork> </figure>ESP</td> </tr> </tbody> </table> <t> The attributes follow the format defined intheIKEv2<xref target="RFC7296"></xref> section 3.3.5.(<xref target="RFC7296" sectionFormat="of" section="3.3.5"/>). The "Format" column defines what attribute format is allowed: Type/Length/Value (TLV) or Type/Value (TV). The "Multi-Valued" column defines whether multiple instances of the attribute can appear. The "Used in Protocol" column lists the security protocols, for which the attribute can be used. </t> <sectionanchor="gsa_attr_key_lifetime" title="GSA_KEY_LIFETIME Attribute">anchor="gsa_attr_key_lifetime"> <name>GSA_KEY_LIFETIME Attribute</name> <t>The GSA_KEY_LIFETIME attribute (1) specifies the maximum time for which the SA is valid. The value is a4 octet4-octet unsigned integer inanetwork byte order, specifying a valid time period in seconds. When the lifetime expires, thegroup security associationGSA and all associated keys <bcp14>MUST</bcp14> be deleted. The GCKS may delete the SA at any time before the end of the validity period. </t> <t>A single attribute of this type <bcp14>MUST</bcp14> be included into any GSA policy substructure if multicast rekey is employed by the GCKS. This attribute <bcp14>SHOULD NOT</bcp14> be used if inband rekey (via the GSA_INBAND_REKEY exchange) is employed by the GCKS for the GM. </t> </section> <sectionanchor="gsa_attr_initial_message_id" title="GSA_INITIAL_MESSAGE_ID Attribute">anchor="gsa_attr_initial_message_id"> <name>GSA_INITIAL_MESSAGE_ID Attribute</name> <t>The GSA_INITIAL_MESSAGE_ID attribute (2) defines the initial Message ID to be used by the GCKS in the GSA_REKEY messages. The Message ID is a4 octet4-octet unsigned integer in network byte order. </t> <t>A single attribute of this type is included into the GSA KEK policy substructure if the initial Message ID of the Rekey SA is non-zero. <!--[rfced] May we rephrase this sentence as shown below for clarity (i.e., remove "in these cases" to reduce redundancy)? Note that we included the lead-in sentence for context. Lead-in sentence: A single attribute of this type is included into the GSA KEK policy substructure if the initial Message ID of the Rekey SA is non-zero. Original: Note, that it is always the case if GMs join the group after some multicast rekey operations have already taken place, so in these cases this attribute will be included into the GSA policy when the GM is registered. Perhaps: Note that this is always the case if GMs join the group after some multicast rekey operations have already taken place, so this attribute will be included into the GSA policy when the GM is registered. --> Note that it is always the case if GMs join the group after some multicast rekey operations have already taken place, so in these cases, this attribute will be included into the GSA policy when the GM is registered. </t> <t>This attribute <bcp14>MUST NOT</bcp14> be used if inband rekey (via the GSA_INBAND_REKEY exchange) is employed by the GCKS for the GM. </t> </section> <sectionanchor="gsa_attr_next_spi" title="GSA_NEXT_SPI Attribute">anchor="gsa_attr_next_spi"> <name>GSA_NEXT_SPI Attribute</name> <t>The optional GSA_NEXT_SPI attribute (3) contains the SPI that the GCKS reserved for the next Rekey SA or Data-Security SAs replacing the current ones. The length of the attribute data is determined by the SPI Size field in the GSAPolicypolicy substructure the attribute resides in (see <xreftarget="gsa_policy" />),target="gsa_policy"/>), and the attribute data contains the SPI as it would appear on the network. Multiple attributes of this type <bcp14>MAY</bcp14> be included, meaning that any of the supplied SPIs can be used in the replacement group SA. </t><t>The<!-- [rfced] We have rephrased the sentence below as follows for clarity. Please let us know any objections. Original: The GM<bcp14>MAY</bcp14>MAY store these values and if later the GM starts receiving messages with one of these SPIs without seeing a rekey message over the current Rekey SA, this may be used as an indication, that the rekey message got lost on its way to this GM. Current: The GM MAY store these values. Later on, if the GM starts receiving messages with one of these SPIs without seeing a rekey message over the current Rekey SA, then it may be used as an indication that the rekey message got lost on its way to this GM. --> <t>The GM <bcp14>MAY</bcp14> store these values. Later on, if the GM starts receiving messages with one of these SPIs without seeing a rekey message over the current Rekey SA, then it may be used as an indication that the rekey message got lost on its way to this GM. In thiscasecase, the GM <bcp14>SHOULD</bcp14> re-register to the group. </t><t>Note,<t>Note that this method of detecting lost rekey messages can only be used by group receivers.AdditionallyAdditionally, there is no point to include this attribute in the GSA_INBAND_REKEYmessages,messages since they use reliable transport.Note also,Also note that the GCKS is free to forget its promises and not to use the SPIs it sent in the GSA_NEXT_SPI attributes before(e.g.(e.g., incase ofcases where the GCKS is rebooted), so the GM must only treatthesethis information as a "best effort" made by the GCKS to prepare for future rekeys. </t> <t>This attribute <bcp14>MUST NOT</bcp14> be used if inband rekey (via the GSA_INBAND_REKEY exchange) is employed by the GCKS for the GM. </t> </section> </section> </section> <sectiontitle="Group-wide Policy Substructure"anchor="gw_policy"><t>Group specific<name>Group-Wide Policy Substructure</name> <t>Group-specific policy that does not belong to any SA policy can be distributed to all groupmembermembers using the Group-wide (GW) policy substructure.</t> <t>The GW policy substructure is defined as follows:</t> <figuretitle="GWanchor="gwp_format"> <name>GW Policy SubstructureFormat" anchor="gwp_format"> <preamble></preamble>Format</name> <artwork><![CDATA[ 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Protocol | RESERVED | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ <GW Policy Attributes> ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ]]></artwork><postamble></postamble></figure> <t>The GW policy substructure fields are defined as follows:</t><t><list style="symbols"> <t>Protocol<dl spacing="normal" newline="false"> <dt>Protocol (1octet) -- <bcp14>MUST</bcp14>octet):</dt><dd><bcp14>MUST</bcp14> be zero. This value is reservedin(see <xreftarget="IANA" />target="IANA"/>) and is never used for any security protocol, so it is used here to indicate that this substructure contains policy not related to any specificprotocol. </t> <t>RESERVEDprotocol.</dd> <!-- [rfced] Is the space in the parentheses intentional in the text below, or should "( octet)" be updated as "(0 octet)" per the description? Note that there are two instances (Sections 4.4.3 and 4.5.3). Original: * RESERVED ( octet)-- <bcp14>MUST</bcp14>- MUST be zero on transmission,<bcp14>MUST</bcp14>MUST be ignored on receipt.</t> <t>Length--> <dt>RESERVED ( octet):</dt><dd><bcp14>MUST</bcp14> be zero on transmission and <bcp14>MUST</bcp14> be ignored on receipt.</dd> <dt>Length (2 octets, unsignedinteger) -- Lengthinteger):</dt><dd>Length of this substructure including theheader. </t> <t>GWheader.</dd> <dt>GW Policy Attributes(variable) -- Contains(variable):</dt><dd>Contains policy attributes associated with no specific SA. The following sections describe possible attributes. Any or all attributes may beoptional,optional depending on the grouppolicy.</t> </list></t>policy.</dd> </dl> <sectionanchor="gwp_attr" title="GWanchor="gwp_attr"> <name>GW PolicyAttributes">Attributes</name> <t>This document creates a new IKEv2 IANA registry for the types ofthegroup-wide policyattributesattributes, whichishas been initiallyfilledpopulated as described in <xreftarget="IANA" />.target="IANA"/>. In particular, the following attributesare initially added. <figure> <artwork align="center"><![CDATA[ GW Policy Attributes Value Format Multi-Valued -------------------------------------------------------- Reserved 0 GWP_ATD 1 TV NO GWP_DTD 2 TV NO GWP_SENDER_ID_BITS 3 TV NO ]]></artwork> </figure>have been added: </t> <table> <name></name> <thead> <tr> <th>GW Policy Attributes</th> <th>Value</th> <th>Format</th> <th>Multi-Valued</th> </tr> </thead> <tbody> <tr> <td>Reserved</td> <td colspan="3">0</td> </tr> <tr> <td>GWP_ATD</td> <td>1</td> <td>TV</td> <td>NO</td> </tr> <tr> <td>GWP_DTD</td> <td>2</td> <td>TV</td> <td>NO</td> </tr> <tr> <td>GWP_SENDER_ID_BITS</td> <td>3</td> <td>TV</td> <td>NO</td> </tr> </tbody> </table> <t>The attributes follow the format defined in the IKEv2<xref target="RFC7296"></xref> section 3.3.5.(<xref target="RFC7296" sectionFormat="of" section="3.3.5"/>). The "Format" column defines what attribute format is allowed: Type/Length/Value (TLV) or Type/Value (TV). The "Multi-Valued" column defines whether multiple instances of the attribute can appear. </t> <sectionanchor="gwp_attr_atd_dtd" title="GWP_ATD Andanchor="gwp_attr_atd_dtd"> <name>GWP_ATD and GWP_DTDAttributes"> <t>Section 4.2.1 of Multicast Extensions to the Security Architecture <xrefAttributes</name> <t><xref target="RFC5374"/>sectionFormat="of" section="4.2.1"/> specifies a key rollover method that requires two values be provided to groupmembers --members: Activation Time Delay (ATD) and Deactivation Time Delay (DTD). </t> <t>The GWP_ATD attribute (1) allows a GCKS to set the Activation Time Delay for Data-Security SAs of the group. The ATD defines how long active members of the group (those who sends traffic) should wait after receiving new SAs beforestaringsending traffic over them.Note,Note that to achieve smoothrolloverrollover, passive members of the group should activate the SAs immediately once they receive them. </t> <t>The GWP_DTD attribute (2) allows the GCKS to set theDeactivation Time DelayDTD for previously distributed SAs. The DTD defines how long after receiving a request to delete Data-Security SAs passive group members should wait before actually deleting them. Note that active members of the group should stop sending traffic over these old SAs once new replacement SAs are activated (after time specified in the GWP_ATD attribute). </t> <t>The GWP_ATD and GWP_DTD attributes contain16 bita 16-bit unsigned integer inanetwork byte order, specifying the delay in seconds. These attributes areOPTIONAL.<bcp14>OPTIONAL</bcp14>. If one of them or both are not sent by the GCKS, then no corresponding delay should be employed. </t> </section> <sectionanchor="gwp_attr_sid_bits" title="GWP_SENDER_ID_BITS Attribute">anchor="gwp_attr_sid_bits"> <name>GWP_SENDER_ID_BITS Attribute</name> <t>The GWP_SENDER_ID_BITS attribute (3) declares how many bits of the cipher nonce are taken to represent a Sender-ID value. The bits are applied as the most significant bits of the IV, as shown in Figure 1 of Using Counter Modes with ESP and AH to Protect Group Traffic <xreftarget="RFC6054"></xref>target="RFC6054"/> and as specified in <xreftarget="sid-usage"></xref>.target="sid-usage"/>. Guidance for a GCKS choosing the value is provided inSection 3 of Using Counter Modes with ESP and AH to Protect Group Traffic<xreftarget="RFC6054"></xref>.target="RFC6054" sectionFormat="of" section="3"/>. This value is applied to each Sender-ID value distributed in the KD payload.</t> <t>The GCKS <bcp14>MUST</bcp14> include this attribute if there are more than onesendersenders in the group and any of the Data-Security SAs use counter-based cipher mode. The number of Sender-ID bits is represented as16 bita 16-bit unsigned integer in network byte order. </t> </section> </section> </section> </section> <sectiontitle="Key Download Payload"anchor="kd_payload"> <name>Key Download Payload</name> <t>The Key Download (KD) payload contains the group keys for the SAs specified in the GSAPayload.payload. The Payload Type for the Key Download payload is fifty-two (52). </t> <figuretitle="Keyanchor="kd_payload_format"> <name>Key Download PayloadFormat" anchor="kd_payload_format"> <preamble></preamble>Format</name> <artwork><![CDATA[ 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Next Payload |C| RESERVED | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ <Key Bags> ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ]]></artwork><postamble></postamble></figure> <t>The Key Download payload fields are defined as follows:</t><t><list style="symbols"> <t>Next<dl spacing="normal" newline="true"> <!--[rfced] "Length" vs. "Payload Length" a) We note that Figure 16 uses "Payload Length" whereas Figures 17, 18, 19, 20, and 21 use "Length". Is this variance okay, or is an update needed to Figure 16 for consistency? b) In Section 4.5, we note "Length" in Figure 19 but "Payload Length" in the description. We updated the description to reflect "Length" as shown below. If that is not correct, please let us know. Original: Next Payload, C, RESERVED, and Payload Lengthfields comprisefields: Comprise the IKEv2 Generic Payload Header and are defined in Section3.2.3.2 of [RFC7296]. Current: Next Payload, C, RESERVED, and Length fields: Comprise the IKEv2 Generic Payload Header and are defined in Section 3.2 of [RFC7296]. --> <dt>Next Payload, C, RESERVED, and Length fields:</dt><dd> Comprise the IKEv2 Generic Payload Header and are defined in <xreftarget="RFC7296"></xref>.</t> <t>Keytarget="RFC7296" sectionFormat="of" section="3.2"/>.</dd> <dt>Key Bags(variable) -- A(variable):</dt><dd>A set of Key Bagsubstructures. </t> </list> </t>substructures.</dd> </dl> <sectionanchor="key_bag" title="Key Bags">anchor="key_bag"> <name>Key Bags</name> <t> Keys are distributed inasubstructures called key bags. Each key bag contains one or more keys that are logically related --eitherthese are keys for either a single SA (Data-Security SA or Rekey SA) orthese are keys fora single group member (in the lattercasecase, besideskeyskeys, the key bag may also contain security parameters for this group member). </t><t><!-- [rfced] May we rephrase the following text to simplify the sentence structure? Also, does "the following SPI" refer to the SPI in Figure 20? Original: For this reason two types of key bags are defined--- Group Key Bag and Member Key Bag. The type is unambiguously determined by the first byte of the key bag substructure--- for member key bag it is zero and for group key bag it represents the protocol number, which along with the following SPI, identify the SA associated with the keys in the bag. Perhaps: For this reason, two types of key bags are defined: Group Key Bag and Member Key Bag. The type is unambiguously determined by the first byte of the key bag substructure; for a Member Key Bag, it is zero. The Group Key Gag is represented by the protocol number, and the protocol number along with the SPI (see Figure 20) identify the SA that is associated with the keys in the bag. --> <t> For this reason, two types of key bags are defined: Group Key Bag and Member Key Bag. The type is unambiguously determined by the first byte of the key bag substructure. For a Member Key Bag, it is zero, and for Group Key Bag, it represents the protocol number, which along with the following SPI, identify the SA associated with the keys in the bag. </t> </section> <sectionanchor="group_key_bag" title="Groupanchor="group_key_bag"> <name>Group Key BagSubstructure">Substructure</name> <t>The Group Key Bag substructure contains SA key information. This key information is associated with some group SAs: either with Data-Security SAs or with a group Rekey SA. </t> <figuretitle="Groupanchor="group_key_bag_format"> <name>Group Key Bag SubstructureFormat" anchor="group_key_bag_format"> <preamble></preamble>Format</name> <artworkalign="center"><![CDATA[><![CDATA[ 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Protocol | SPI Size | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ SPI ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ <Group Key Bag Attributes> ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ]]></artwork><postamble></postamble></figure><t><list style="symbols"> <t>Protocol<dl spacing="normal" newline="true"> <dt>Protocol (1octet) -- Identifiesoctet):</dt><dd>Identifies the security protocol for this key bag. The values are defined in theIKEv2"IKEv2 Security ProtocolIdentifiersIdentifiers" registry in <xreftarget="IKEV2-IANA" />.target="IKEV2-IANA"/>. The valid values for this field are:<TBA>6 (GIKE_UPDATE) for KEK Key packet and 2 (AH) or 3 (ESP) for TEK keybag. </t> <t>SPIbag.</dd> <dt>SPI Size (1octet) -- Sizeoctet):</dt><dd>Size ofSecurity Parameter Index (SPI)the SPI for the corresponding SA. SPI size depends on the security protocol.For GIKE_UPDATE itIt is 16octets, whileoctets forAHGIKE_UPDATE andESP it is4octets. </t> <t>Lengthoctets for AH and ESP.</dd> <dt>Length (2 octets, unsignedinteger) -- Lengthinteger):</dt><dd>Length of this substructure including theheader. </t> <t>SPI (variable) -- Securityheader.</dd> <dt>SPI (variable):</dt><dd>Security Parameter Index for the corresponding SA. The size of this field is determined by the SPI Size field. In the case ofGIKE_UPDATEGIKE_UPDATE, the SPI is the IKEv2 Header SPI pair where the first 8 octets become the "IKE SA Initiator's SPI" field in the G-IKEv2 rekey message IKEv2 HDR, and the second 8 octets become the "IKE SA Responder's SPI" in the same HDR.</t> <t>Group</dd> <dt>Group Key Bag Attributes(variable) -- Contains(variable):</dt><dd>Contains Key information for the correspondingSA. </t> </list> </t>SA.</dd> </dl> <t>This document creates a new IKEv2 IANA registry for the types oftheGroup Key Bagattributesattributes, whichishas been initiallyfilledpopulated as described in <xreftarget="IANA" />.target="IANA"/>. In particular, the following attributes have been added: </t> <!-- [rfced] Please review Table 7 and let us know if the format appears as intended. Specifically, areinitially added. <figure> <artwork align="center"><![CDATA[ Groupthe "Multi-Valued" and "Used in Protocol" columns correctly formatted? --> <table> <name></name> <thead> <tr> <th>Group Key BagAttributes Value Format Multi-Valued UsedAttributes</th> <th>Value</th> <th>Format</th> <th>Multi-Valued</th> <th>Used inProtocol -------------------------------------------------------------------- Reserved 0 SA_KEY 1 TLV YES* GIKE_UPDATE NO AH, ESP ]]></artwork> </figure> (*) MultipleProtocol</th> </tr> </thead> <tbody> <tr> <td>Reserved</td> <td colspan="4">0</td> </tr> <tr> <td>SA_KEY</td> <td>1</td> <td>TLV</td> <td>YES*<br/>NO</td> <td>GIKE_UPDATE<br/>AH, ESP</td> </tr> </tbody> </table> <t>Notes:</t> <dl spacing="normal" newline="false"> <dt>(*):</dt><dd>Multiple SA_KEY attributes may only appear for the GIKE_UPDATE protocol in the GSA_REKEY exchange if the GCKS uses the group key management method that allows excluding GMs from the group (likeLKH). </t>LKH).</dd> </dl> <t>The attributes follow the format defined intheIKEv2<xref target="RFC7296"></xref> section 3.3.5.(<xref target="RFC7296" sectionFormat="of" section="3.3.5"/>). The "Format" column defines what attribute format is allowed: Type/Length/Value (TLV) or Type/Value (TV). The "Multi-Valued" column defines whether multiple instances of the attribute can appear. The "Used in Protocol" column lists the security protocols, for which the attribute can be used. </t> <sectionanchor="gkd_attr_group_key" title="SA_KEY Attribute">anchor="gkd_attr_group_key"> <name>SA_KEY Attribute</name> <t>The SA_KEY attribute (1) contains a keying material for the corresponding SA. The content of the attribute is formatted according to <xreftarget="wrapped_key" />target="wrapped_key"/> with a precondition that the Key ID field <bcp14>MUST</bcp14> always be zero. The size of the keying material <bcp14>MUST</bcp14> be equal to the total size of the keys needed to be taken from this keying material (see <xreftarget="group_sa_keys" />)target="group_sa_keys"/>) for the corresponding SA. </t> <t>If the key bag is for a Data-Security SA (AH or ESP protocols), then exactly one SA_KEY attribute <bcp14>MUST</bcp14> be present with both Key ID and KWK ID fields set to zero. </t><t>If<!-- [rfced] FYI - We rephrased the text below for better sentence flow. Please let us know of any objections. Original: If the key bag is for a Rekey SA (GIKE_UPDATE protocol), then in the GSA_AUTH, GSA_REGISTRATION and GSA_INBAND_REKEY exchanges exactly one SA_KEY attribute<bcp14>MUST</bcp14>MUST be present. Current: If the key bag is for a Rekey SA (GIKE_UPDATE protocol), then exactly one SA_KEY attribute MUST be present in the GSA_AUTH, GSA_REGISTRATION, and GSA_INBAND_REKEY exchanges. --> <t>If the key bag is for a Rekey SA (GIKE_UPDATE protocol), then exactly one SA_KEY attribute <bcp14>MUST</bcp14> be present in the GSA_AUTH, GSA_REGISTRATION, and GSA_INBAND_REKEY exchanges. In the GSA_REKEYexchangeexchange, at least one SA_KEY attribute <bcp14>MUST</bcp14> be present, and more attributes <bcp14>MAY</bcp14> be present (depending on the key management method employed by the GCKS). </t> </section> </section> <sectionanchor="member_key_bag" title="Memberanchor="member_key_bag"> <name>Member Key BagSubstructure" >Substructure</name> <t>The Member Key Bag substructure contains keys and other parameters that are specific for a member of the group and are not associated with any particular group SA. </t> <figuretitle="Memberanchor="mkd_key_bag"> <name>Member Key Bag SubstructureFormat" anchor="mkd_key_bag"> <preamble></preamble>Format</name> <artwork><![CDATA[ 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Protocol | RESERVED | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ <Member Key Bag Attributes> ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ]]></artwork><postamble></postamble></figure> <t>The Member Key Bag substructure fields are defined as follows:</t><t><list style="symbols"> <t>Protocol<dl spacing="normal" newline="true"> <dt>Protocol (1octet) -- <bcp14>MUST</bcp14>octet):</dt><dd><bcp14>MUST</bcp14> be zero. This value is reservedin(see <xreftarget="IANA" />target="IANA"/>) and is never used for any security protocol, so it is used here to indicate that this key bag is not associated with any particularSA. </t> <t>RESERVEDSA.</dd> <dt>RESERVED (octet) -- <bcp14>MUST</bcp14>octet):</dt><dd><bcp14>MUST</bcp14> be zero ontransmission,transmission and <bcp14>MUST</bcp14> be ignored onreceipt. </t> <t>Lengthreceipt.</dd> <dt>Length (2 octets, unsignedinteger) -- Lengthinteger):</dt><dd>Length of this substructure including theheader. </t> <t>Memberheader.</dd> <dt>Member Key Bag Attributes(variable) -- Contains(variable):</dt><dd>Contains Key information and other parameters exclusively for a particular member of thegroup. </t> </list>group.</dd> </dl> <t> ThememberMember Key Bag substructure contains sensitive information for a singleGM, forGM. For thisreasonreason, it <bcp14>MUST NOT</bcp14> be sent in GSA_REKEY messages and <bcp14>MUST</bcp14> only be sent via unicast SA at the time the GM registers to the group (in either GSA_AUTH or GSA_REGISTRATION exchanges). </t> <t>This document creates a new IKEv2 IANA registry for the types oftheMember Key Bagattributesattributes, whichishas been initiallyfilledpopulated as described in <xreftarget="IANA" />.target="IANA"/>. In particular, the following attributesare initially added. <figure> <artwork align="center"><![CDATA[ Memberhave been added: </t> <table> <name></name> <thead> <tr> <th>Member Key BagAttributes Value Format Multi-Valued ---------------------------------------------------- Reserved 0 WRAP_KEY 1 TLV YES AUTH_KEY 2 TLV NO GM_SENDER_ID 3 TLV YES ]]></artwork> </figure> </t>Attributes</th> <th>Value</th> <th>Format</th> <th>Multi-Valued</th> </tr> </thead> <tbody> <tr> <td>Reserved</td> <td colspan="3">0</td> </tr> <tr> <td>WRAP_KEY</td> <td>1</td> <td>TLV</td> <td>YES</td> </tr> <tr> <td>AUTH_KEY</td> <td>2</td> <td>TLV</td> <td>NO</td> </tr> <tr> <td>GM_SENDER_ID</td> <td>3</td> <td>TLV</td> <td>YES</td> </tr> </tbody> </table> <t>The attributes follow the format defined in the IKEv2<xref target="RFC7296"></xref> section 3.3.5.(<xref target="RFC7296" sectionFormat="of" section="3.3.5"/>). The "Format" column defines what attribute format is allowed: Type/Length/Value (TLV) or Type/Value (TV). The "Multi-Valued" column defines whether multiple instances of the attribute can appear. </t> <sectionanchor="mkd_attr_kwk" title="WRAP_KEY Attribute">anchor="mkd_attr_kwk"> <name>WRAP_KEY Attribute</name> <t>The WRAP_KEY attribute (1) contains a key that is used to encrypt other keys. One or more of these attributes are sent to GMs if the GCKS key management method relies on some key hierarchy(e.g.(e.g., LKH). This attribute <bcp14>MUST NOT</bcp14> be used if inband rekey (via the GSA_INBAND_REKEY exchange) is employed by the GCKS for the GM. </t> <t>The content of the attribute has a format defined in <xreftarget="wrapped_key" />target="wrapped_key"/> with a precondition that the Key ID field <bcp14>MUST NOT</bcp14> be zero. The algorithm associated with the key is defined by the Key Wrap Algorithm transform for the SA the WRAP_KEY attributes was sent in. The size of the attribute data <bcp14>MUST</bcp14> be equal to the key size for this key wrap algorithm. </t> <t>Multiple instances of the WRAP_KEY attributes <bcp14>MAY</bcp14> be present in the key bag. </t> </section> <sectionanchor="mkd_attr_auth_key" title="AUTH_KEY Attribute">anchor="mkd_attr_auth_key"> <name>AUTH_KEY Attribute</name> <t>The AUTH_KEY attribute (2) contains the key that is used to authenticate the GSA_REKEY messages. The content of the attribute depends on the authentication method the GCKS specified in the Group Controller Authentication Method transform in the GSA payload.<list style="symbols"> <t>If</t> <!-- [rfced] In Section 4.5.3.2, since there is only one list item in this unordered list, would it be appropriate to remove the bullet and make it into a paragraph? Original: * If digital signatures are used for the GSA_REKEY message authentication then the content of the AUTH_KEY attribute is a public key used for digital signature authentication. The public key<bcp14>MUST</bcp14>MUST be represented as DER-encoded ASN.1 object SubjectPublicKeyInfo, defined in Section 4.1.2.7 ofInternet"Internet X.509 Public Key Infrastructure Certificate andCRL ProfileCertificate Revocation List (CRL) Profile" [RFC5280]. The algorithm field inside the SubjectPublicKeyInfo object MUST match the content of the Signature Algorithm Identifier attribute in the Group Controller Authentication Method transform. When the id-RSASSA- PSS object identifier appears in the algorithm field of the SubjectPublicKeyInfo object, then the parameters field MUST include the RSASSA-PSS-params structure. Perhaps: If digital signatures are used for the GSA_REKEY message authentication, then the content of the AUTH_KEY attribute is a public key used for digital signature authentication. The public key MUST be represented as DER-encoded ASN.1 object SubjectPublicKeyInfo, defined in Section 4.1.2.7 of [RFC5280]. The algorithm field inside the SubjectPublicKeyInfo object MUST match the content of the Signature Algorithm Identifier attribute in the Group Controller Authentication Method transform. When the id-RSASSA-PSS object identifier appears in the algorithm field of the SubjectPublicKeyInfo object, then the parameters field MUST include the RSASSA-PSS-params structure. --> <ul spacing="normal"> <li> <t>If digital signatures are used for the GSA_REKEY message authentication, then the content of the AUTH_KEY attribute is a public key used for digital signature authentication. The public key <bcp14>MUST</bcp14> be represented as DER-encoded ASN.1 object SubjectPublicKeyInfo, defined in <xref target="RFC5280"/>.sectionFormat="of" section="4.1.2.7"/>. The algorithm field inside the SubjectPublicKeyInfo object <bcp14>MUST</bcp14> match the content of the Signature Algorithm Identifier attribute in the Group Controller Authentication Method transform. When the id-RSASSA-PSS object identifier appears in the algorithm field of the SubjectPublicKeyInfo object, then the parameters field <bcp14>MUST</bcp14> include the RSASSA-PSS-params structure. </t></list></li> </ul> <t> Multiple instances of the AUTH_KEY attributes <bcp14>MUST NOT</bcp14> be sent. </t> </section> <sectionanchor="mkd_attr_gm_sid" title="GM_SENDER_ID Attribute">anchor="mkd_attr_gm_sid"> <name>GM_SENDER_ID Attribute</name> <t>The GM_SENDER_ID attribute (3) is used to download one or more Sender-ID values for the exclusive use of a group member. One or more ofthisthese attributes <bcp14>MUST</bcp14> be sent by the GCKS if the GM informed the GCKS that it would be a sender (by including the GROUP_SENDER notification to the request) and if at least one of the Data-Security SAs included in the GSA payload uses a counter-based mode of encryption. </t> <t>If the GMshashave requested multiple Sender-ID values in the GROUP_SENDER notification, then the GCKS <bcp14>SHOULD</bcp14> provide it with the requested number of Sender-IDs by sending multiple instances of the GM_SENDER_ID attribute. The GCKS <bcp14>MAY</bcp14> send fewer values than requested by the GM(e.g.(e.g., if it is running out of Sender-IDs), but it <bcp14>MUST NOT</bcp14> send more than requested. </t> <t>This attribute <bcp14>MUST NOT</bcp14> appear in the rekey operations (in the GSA_REKEY or GSA_INBAND_REKEY exchanges). </t> </section> </section> <sectionanchor="wrapped_key" title="Key Wrapping">anchor="wrapped_key"> <name>Key Wrapping</name> <t>Symmetric keys in G-IKEv2 are never sent in clear inside G-IKEv2 messages. They are always protected with other symmetric keys. This protection is called key wrapping. Algorithms used for key wrapping are usually based on generic encryption algorithms, but their mode of operation is optimized for protecting short high-entropy data with minimal additional overhead. Whilein generalkey wrap algorithms can begeneric,generic inpracticegeneral, they are often tied to the underlying encryptionalgorithms.algorithms in practice. For example, AES Key Wrap with Padding Algorithm <xreftarget="RFC5649" />target="RFC5649"/> defines key wrapping using AES, and Key Wrapping Constructions using SipHash and ChaCha <xreftarget="ARX-KW" /> definestarget="ARX-KW"/> define key wrapping using Chacha20. </t><t> In G-IKEv2<t>In G-IKEv2, the key wrap algorithm <bcp14>MUST</bcp14> be negotiated in the IKE_SA_INITexchange,exchange so that the GCKSbeis able to send encrypted keys to the GM in the GSA_AUTH exchange. In addition, if the GCKS plans to use the multicast Rekey SA for group rekey, then it <bcp14>MUST</bcp14> specify the key wrap algorithm in the GSA payload. Note that key wrap algorithms for these cases <bcp14>MAY</bcp14> bedifferent - fordifferent. For the unicastSASA, the key wrapalgorithmsalgorithm is negotiated between the GM and the GCKS, while for the multicast RekeySASA, the key wrap algorithm is provided by the GCKS to the group members as part of the group policy. If an SAg payload is included in the GSA_AUTH request, then it <bcp14>MUST</bcp14> indicate which key wrap algorithms are supported by the GM. In all thesecasescases, the key wrap algorithm is specified in a Key Wrap Algorithm transform (see <xreftarget="wrapping_alg"/>.target="wrapping_alg"/>). </t> <t> The format of the wrapped key is shown in <xreftarget="key_format" />.target="key_format"/>. </t> <figuretitle="Wrapped Key Format"anchor="key_format"><preamble></preamble><name>Wrapped Key Format</name> <artworkalign="center"><![CDATA[><![CDATA[ 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Key ID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | KWK ID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ Encrypted Key ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ]]></artwork><postamble></postamble></figure> <t>The Wrapped Key fields are defined as follows:</t><t><list style="symbols"> <t>Key<dl spacing="normal" newline="true"> <dt>Key ID (4octets) -- IDoctets):</dt><dd>ID of the encrypted key. The value zero means that the encrypted key contains SA keys (in the form of keyingmaterial,material; see <xreftarget="group_sa_keys" />)), otherwisetarget="group_sa_keys"/>). Otherwise, it contains some intermediatekey.</t> <t>KWKkey.</dd> <dt>KWK ID (4octets) -- IDoctets):</dt><dd>ID of the key that was used to encrypt the key with a specified Key ID. The value zero means that the default KWK was used to encrypt thekey, otherwisekey. Otherwise, some intermediate key wasused.</t> <t>Encryptedused.</dd> <dt>Encrypted Key(variable) -- The(variable):</dt><dd>The encrypted key bits. These bits comprise either a single encrypted key or a result of encryption of a concatenation of keys (key material) for several algorithms. The format of thisfieldsfield is determined by the key wrap algorithm for the SA the wrapped key is sentover. </t> </list> </t>over.</dd> </dl> </section> </section> <sectionanchor="delete" title="Delete Payload"> <t> Deleteanchor="delete"> <name>Delete Payload</name> <t>Delete payload is used in G-IKEv2 when the GCKS wants to delete Data-Security and Rekey SAs. The interpretation of the Protocol field in the Delete payload isextended,extended so that zero protocol indicates deletion of whole Group SA(i.e.(i.e., all Data-Security SAs and the Rekey SA). See <xreftarget="deletion" />target="deletion"/> for detail. </t> </section> <sectionanchor="notify" title="Notify Payload">anchor="notify"> <name>Notify Payload</name> <t>G-IKEv2 uses the same Notify payload as specified in <xreftarget="RFC7296"></xref>, section 3.10.target="RFC7296" sectionFormat="of" section="3.10"/>. </t> <t>There are additional Notify Message types introduced by G-IKEv2 to communicate error conditions and status (see <xreftarget="IANA" />).target="IANA"/>). </t> <sectionanchor="inv_gr_id" title="INVALID_GROUP_ID Notification">anchor="inv_gr_id"> <name>INVALID_GROUP_ID Notification</name> <t>INVALID_GROUP_ID (45) is a new error type notification that indicates that the group ID sent during the registration process is invalid. The Protocol ID and SPI Size fields in the Notify payload <bcp14>MUST</bcp14> be zero. There is no data associated with this notification and the content of the Notification Data field <bcp14>MUST</bcp14> be ignored on receipt. </t> </section> <sectionanchor="autz_failed" title="AUTHORIZATION_FAILED Notification">anchor="autz_failed"> <name>AUTHORIZATION_FAILED Notification</name> <t>AUTHORIZATION_FAILED (46) is a new error type notification that is sent in the response to a GSA_AUTH or GSA_REGISTRATION message when authorization failed. The Protocol ID and SPI Size fields in the Notify payload <bcp14>MUST</bcp14> be zero. There is no data associated with this notification and the content of the Notification Data field <bcp14>MUST</bcp14> be ignored on receipt. </t> </section> <sectionanchor="reg_failed" title="REGISTRATION_FAILED Notification">anchor="reg_failed"> <name>REGISTRATION_FAILED Notification</name> <t>REGISTRATION_FAILED(<TBA>)(49) is a new error type notification that is sent by the GCKS when the GM registration request cannot be satisfied forthereasons not related to this particular GM,for examplee.g., if the capacity of the group is exceeded. The Protocol ID and SPI Size fields in the Notify payload <bcp14>MUST</bcp14> be zero. There is no data associated with this notification and the content of the Notification Data field <bcp14>MUST</bcp14> be ignored on receipt. </t> </section> <sectionanchor="sender" title="GROUP_SENDER Notification">anchor="sender"> <name>GROUP_SENDER Notification</name> <t>GROUP_SENDER (16429) is a new status type notification that is sent in the GSA_AUTH or the GSA_REGISTRATION exchanges to indicate that the GM intends to be sender of data traffic. The data includes a count of how many Sender-ID values the GM desires. The count <bcp14>MUST</bcp14> be 4 octets long and contain thebig endianbig-endian representation of the number of requested Sender-IDs. The Protocol ID and SPI Size fields in the Notify payload <bcp14>MUST</bcp14> be zero. </t> </section> </section><section title="Authentication Payload"><section> <name>Authentication Payload</name> <t>G-IKEv2 uses the same Authentication payload as specified in <xreftarget="RFC7296"></xref>, section 3.8,target="RFC7296" sectionFormat="of" section="3.8"/> to authenticate the rekey message. However, if it is used in the GSA_REKEYmessagesmessages, the content of the payload is computeddifferently,differently as described in <xreftarget="gsa_rekey_auth" />.target="gsa_rekey_auth"/>. </t> </section> </section> <sectionanchor="restrictions" title="Usinganchor="restrictions"> <name>Using G-IKEv2Attributes">Attributes</name> <t>G-IKEv2 defines a number ofattributes,attributes that are used to convey information from the GCKS to GMs. There are some restrictions on where and when these attributes can appear in G-IKEv2 messages, which are defined when the attributes are introduced. Forconvenienceconvenience, these restrictions are summarized in <xreftarget="mcast_attr" />target="mcast_attr"/> (for multicast rekey operations) and <xreftarget="inband_attr" />target="inband_attr"/> (for inband rekey operations) below. </t> <t>The followingnotation isnotations are used:<list style="hanging" hangIndent="6" > <t hangText = "S" ></t> <dl newline="false" spacing="normal" indent="5"> <dt>S</dt> <dd> A single attribute of this type <bcp14>MUST</bcp14> bepresent </t> <t hangText = "M" >present. </dd> <dt>M</dt> <dd> Multiple attributes of this type <bcp14>MAY</bcp14> bepresent </t> <t hangText = "[]" >present. </dd> <dt>[]</dt> <dd> Attribute is<bcp14>OPTIONAL</bcp14> </t> <t hangText = "-" ><bcp14>OPTIONAL</bcp14>. </dd> <dt>-</dt> <dd> Attribute <bcp14>MUST NOT</bcp14> bepresent </t> </list>present. </dd> </dl> <t> <!-- [rfced] The following sentence is hard to parse. Would either of the following proposals improve readability and retain the sentence's original meaning? Original: Note, that the restrictions are defined per a substructure corresponding attributes are defined for and not per whole G-IKEv2 message. Perhaps A: Note that the restrictions are defined per a substructure corresponding to the attributes that are defined and not per a whole G-IKEv2 message. or Perhaps B: Note that the restrictions are defined per a substructure for which corresponding attributes are defined and not per a whole G-IKEv2 message. --> Note that the restrictions are defined per a substructure corresponding attributes are defined for and not per whole G-IKEv2 message. </t> <table anchor="mcast_attr"> <name>Attributes in G-IKEv2exchangesExchanges withmulticast rekey operations</name>Multicast Rekey Operations</name> <thead> <tr> <th>Attributes</th> <thalign="center">GSA_AUTH>GSA_AUTH GSA_REGISTRATION</th> <thalign="center">GSA_REKEY</th>>GSA_REKEY</th> <th>Notes</th> </tr> </thead> <tbody> <tr> <th colspan="4"align="center">GSA>GSA Attributes (<xreftarget="gsa_attr" />)</th>target="gsa_attr"/>)</th> </tr> <tr> <td>GSA_KEY_LIFETIME</td> <tdalign="center">S</td>>S</td> <tdalign="center">S</td>>S</td> <tdalign="center"></td>/> </tr> <tr> <td>GSA_INITIAL_MESSAGE_ID</td> <tdalign="center">[S]</td>>[S]</td> <tdalign="center">[S]</td>>[S]</td> <tdalign="center"></td>/> </tr> <tr> <td>GSA_NEXT_SPI</td> <tdalign="center">[M]</td>>[M]</td> <tdalign="center">[M]</td>>[M]</td> <tdalign="center"></td>/> </tr> <tr> <th colspan="4"align="center">GW>GW Policy Attributes (<xreftarget="gwp_attr" />)</th>target="gwp_attr"/>)</th> </tr> <tr> <td>GWP_ATD</td> <tdalign="center">[S]</td>>[S]</td> <tdalign="center">[S]</td>>[S]</td> <tdalign="center"></td>/> </tr> <tr> <td>GWP_DTD</td> <tdalign="center">[S]</td>>[S]</td> <tdalign="center">[S]</td>>[S]</td> <tdalign="center"></td>/> </tr> <tr> <td>GWP_SENDER_ID_BITS</td> <tdalign="center">S</td>>S</td> <tdalign="center">-</td>>-</td> <tdalign="center">1</td>>1</td> </tr> <tr> <th colspan="4"align="center">Key>Key Bag Attributes (<xreftarget="key_bag" />)</th>target="key_bag"/>)</th> </tr> <tr> <td>SA_KEY</td> <tdalign="center">S</td>>S</td> <tdalign="center">S[M]</td>>S[M]</td> <tdalign="center">2</td>>2</td> </tr> <tr> <td>WRAP_KEY</td> <tdalign="center">[M]</td>>[M]</td> <tdalign="center">[M]</td>>[M]</td> <tdalign="center">3</td>>3</td> </tr> <tr> <td>AUTH_KEY</td> <tdalign="center">S</td>>S</td> <tdalign="center">[S]</td>>[S]</td> <tdalign="center">4</td>>4</td> </tr> <tr> <td>GM_SENDER_ID</td> <tdalign="center">S[M]</td>>S[M]</td> <tdalign="center">-</td>>-</td> <tdalign="center">1</td>>1</td> </tr> </tbody><tfoot> <tr> <td colspan="4"> <t> Notes: <list style="hanging" hangIndent="6" > <t hangText = "(1)" > The</table> <t>Notes:</t> <dl newline="false" spacing="normal" indent="6"> <dt>(1):</dt> <dd>The GWP_SENDER_ID_BITS attribute <bcp14>MUST</bcp14> be present if the GCKS policy includes at least one cipher in counter mode of operation and if the GM included the GROUP_SENDER notify into the registration request.OtherwiseOtherwise, it <bcp14>MUST NOT</bcp14> be present. At least one GM_SENDER_ID attribute <bcp14>MUST</bcp14> be present in the former case (and more <bcp14>MAY</bcp14> be present if the GM requested moreSender-IDs)Sender-IDs), and it <bcp14>MUST NOT</bcp14> be present in the lattercase. </t> <t hangText="(2)" >case.</dd> <dt>(2):</dt> <!--[rfced] How may we update this sentence to clarify "and more these attributes MAY be present"? Perhaps "one or more SA_KEY attributes MAY be present in a GSA_REKEY exchange"? Current: For a Data-SecuritySASA, exactly one SA_KEY attribute MUST be present. For a Rekey SA, one SA_KEY attribute MUST be present in all cases and more these attributes MAY be present in a GSA_REKEY exchange. Perhaps: For a Data-Security SA, exactly one SA_KEY attribute MUST be present. For a Rekey SA, one SA_KEY attribute MUST be present in all cases and one or more SA_KEY attributes MAY be present in a GSA_REKEY exchange. --> <dd>For a Data-Security SA, exactly one SA_KEY attribute <bcp14>MUST</bcp14> be present. For a RekeySASA, one SA_KEY attribute <bcp14>MUST</bcp14> be present in all cases and more these attributes <bcp14>MAY</bcp14> be present in a GSA_REKEYexchange. </t> <t hangText = "(3)" > Theexchange.</dd> <dt>(3):</dt> <dd>The WRAP_KEYattributesattribute <bcp14>MUST</bcp14> be present if the GCKS employs a key management method that relies on a key tree (likeLKH). </t> <t hangText = "(4)" > TheLKH).</dd> <dt>(4):</dt> <dd>The AUTH_KEY attribute <bcp14>MUST</bcp14> be present in the GSA_AUTH/and GSA_REGISTRATION exchanges if the GCKS employs an authentication method of rekey operations based on digital signatures and <bcp14>MUST NOT</bcp14> be present if implicit authentication is employed. The AUTH_KEY attribute <bcp14>MUST</bcp14> be present in the GSA_REKEY exchange if the GCKS employs an authentication method based on digital signatures and wants to change the public key for the following multicast rekeyoperations. </t> </list> </t> </td> </tr> </tfoot> </table>operations.</dd> </dl> <table anchor="inband_attr"> <name>Attributes in G-IKEv2exchangesExchanges withinband rekey operations</name>Inband Rekey Operations</name> <thead> <tr> <th>Attributes</th> <thalign="center">GSA_AUTH>GSA_AUTH GSA_REGISTRATION</th> <thalign="center">GSA_INBAND_REKEY</th>>GSA_INBAND_REKEY</th> <th>Notes</th> </tr> </thead> <tbody> <tr> <th colspan="4"align="center">GSA>GSA Attributes (<xreftarget="gsa_attr" />)</th>target="gsa_attr"/>)</th> </tr> <tr> <td>GSA_KEY_LIFETIME</td> <tdalign="center">[S]</td>>[S]</td> <tdalign="center">[S]</td>>[S]</td> <tdalign="center"></td>/> </tr> <tr> <td>GSA_INITIAL_MESSAGE_ID</td> <tdalign="center">-</td>>-</td> <tdalign="center">-</td>>-</td> <tdalign="center"></td>/> </tr> <tr> <td>GSA_NEXT_SPI</td> <tdalign="center">-</td>>-</td> <tdalign="center">-</td>>-</td> <tdalign="center"></td>/> </tr> <tr> <th colspan="4"align="center">GW>GW Policy Attributes (<xreftarget="gwp_attr" />)</th>target="gwp_attr"/>)</th> </tr> <tr> <td>GWP_ATD</td> <tdalign="center">[S]</td>>[S]</td> <tdalign="center">[S]</td>>[S]</td> <tdalign="center"></td>/> </tr> <tr> <td>GWP_DTD</td> <tdalign="center">[S]</td>>[S]</td> <tdalign="center">[S]</td>>[S]</td> <tdalign="center"></td>/> </tr> <tr> <td>GWP_SENDER_ID_BITS</td> <tdalign="center">S</td>>S</td> <tdalign="center">-</td>>-</td> <tdalign="center">1</td>>1</td> </tr> <tr> <th colspan="4"align="center">Key>Key Bag Attributes (<xreftarget="key_bag" />)</th>target="key_bag"/>)</th> </tr> <tr> <td>SA_KEY</td> <tdalign="center">S</td>>S</td> <tdalign="center">S</td>>S</td> <tdalign="center"></td>/> </tr> <tr> <td>WRAP_KEY</td> <tdalign="center">-</td>>-</td> <tdalign="center">-</td>>-</td> <tdalign="center"></td>/> </tr> <tr> <td>AUTH_KEY</td> <tdalign="center">-</td>>-</td> <tdalign="center">-</td>>-</td> <tdalign="center"></td>/> </tr> <tr> <td>GM_SENDER_ID</td> <tdalign="center">S[M]</td>>S[M]</td> <tdalign="center">-</td>>-</td> <tdalign="center">1</td>>1</td> </tr> </tbody><tfoot> <tr> <td colspan="4"> <t> Notes: <list style="hanging" hangIndent="6" > <t hangText = "(1)" > The</table> <t>Notes:</t> <dl newline="false" spacing="normal" indent="6"> <dt>(1):</dt> <dd>The GWP_SENDER_ID_BITS attribute <bcp14>MUST</bcp14> be present if the GCKS policy includes at least one cipher in counter mode of operation and the GM included the GROUP_SENDER notify into the registration request.OtherwiseOtherwise, it <bcp14>MUST NOT</bcp14> be present. At least one GM_SENDER_ID attribute <bcp14>MUST</bcp14> be present in the former case (and more <bcp14>MAY</bcp14> be present if the GM requested moreSender-IDs)Sender-IDs), and it <bcp14>MUST NOT</bcp14> be present in the lattercase. </t> </list> </t> </td> </tr> </tfoot> </table>case.</dd> </dl> </section> <sectiontitle="Interactionanchor="ike_ext"> <name>Interaction with IKEv2 and ESPExtensions" anchor="ike_ext" >Extensions</name> <t>A number of IKEv2 and ESP extensionsisare defined that can be used to extend protocol functionality. G-IKEv2 is compatible with most of them. In particular, EAP authentication defined in <xreftarget="RFC7296" />target="RFC7296"/> can be used to establish registration IKE SA, as well as EAP-only authentication <xreftarget="RFC5998" />target="RFC5998"/> andSecure Passwordsecure password authentication <xreftarget="RFC6467" />.target="RFC6467"/>. G-IKEv2 is compatible with and can use IKEv2 Redirect Mechanism <xreftarget="RFC5685" />target="RFC5685"/> and IKEv2 Session Resumption <xreftarget="RFC5723"></xref>.target="RFC5723"/>. G-IKEv2 is also compatible with Multiple Key Exchanges in the IKEv2 framework, as defined in <xreftarget="RFC9370" />.target="RFC9370"/>. </t> <t>The above list of compatible IKEv2 extensions is notexhaustive, howeverexhaustive. However, some IKEv2 extensions require special handling if used in G-IKEv2. </t><section title="Implicit<section> <name>Implicit IV for Counter-Based Ciphers inESP">ESP</name> <t> Using implicit IV for counter-based encryption modes in ESP is defined in <xreftarget="RFC8750" />.target="RFC8750"/>. This extension relies on the uniqueness of ESP sequence numbers. Thus, it cannot be used for multi-sender multicast SAs. However, it is possible to use implicit IV extension for a single-sender multicast ESP SA.Note,Note that while implicit IVs can be used with ESN, using ESN is prohibited in multicast SAs (see <xreftarget="antireplay" />).target="antireplay"/>). </t> </section><section title="Mixing<section> <name>Mixing Preshared Keys in IKEv2 forPost-quantum Security"> <t> G-IKEv2Post-Quantum Security</name> <t>G-IKEv2 can take advantage of the protection provided byPostquantumPost-quantum Preshared Keys(PPK)(PPKs) for IKEv2 <xreftarget="RFC8784"></xref>.target="RFC8784"/>. However, the use ofPPKPPKs leaves the initial IKE SA susceptible to quantum computer (QC) attacks. Group SA keys are protected with the default KWK (GSK_w), which is derived from SK_d and thus cannot be broken even by an attacker equipped with a QC. However, other data sent over the initial IKE SA may be susceptible to an attacker equipped with a QC of a sufficient size. Such an attacker can store all the traffic until it obtains such a QC and then decrypt it(Store(i.e., Store Now Decrypt Later attack). SeeSection 6 of<xref target="RFC8784"/>sectionFormat="of" section="6"/> for details. </t> <t>While the group keys are protected with PPK and thus are immune to QC, GCKS implementations that care about other data sent over initial IKE SA <bcp14>MUST</bcp14> rely on IKEv2 extensions that protect even initial IKE SA against QC (like <xreftarget="I-D.ietf-ipsecme-ikev2-qr-alt" />).target="I-D.ietf-ipsecme-ikev2-qr-alt"/>). </t> </section><section title="Aggregation<section> <name>Aggregation and Fragmentation Mode forESP"> <t> AggregationESP</name> <t>Aggregation and fragmentation mode for ESP is defined in <xreftarget="RFC9347" />.target="RFC9347"/>. This mode allows IP packets to be split over several ESPpackets,packets or several IP packets to be aggregated in a single ESP packet. This mode can only be used with ESP tunnel mode and relies on monotonically increasing sequence numbers in the incoming packets. Thus, it is impossible to use this mode for multi-sender multicast SAs. Since multicast Data-Security SAs are unidirectional, the congestion control feature of aggregation and fragmentation mode cannot be used. </t> <t> It is possible to use the aggregation and fragmentation mode without congestion control for a single-sender multicast ESP SA created in tunnel mode. GMs supporting this mode can send the USE_AGGFRAG notification in the registration request along with the SAg payload. If the Data-Security SA(s) to be installed on GMsuseuses the aggregation and fragmentation mode, the GCKS would indicate it by including the USE_AGGFRAG notification along with the GSA payload in its response. </t> </section> </section> <sectiontitle="GDOI Protocol Extensions"anchor="gdoi_ext"> <name>GDOI Protocol Extensions</name> <t> Few extensions were defined for the GDOI protocol <xreftarget="RFC6407" />,target="RFC6407"/>, like GDOI Support for IEC 62351 Security Services <xreftarget="RFC8052" />target="RFC8052"/> or the GDOI GROUPKEY-PUSH Acknowledgement Message <xreftarget="RFC8263" />.target="RFC8263"/>. It is expected that these extensions will be redefined for G-IKEv2 in separate documents, if needed. </t> </section><section title="Security Considerations"><section> <name>Security Considerations</name> <t> When an entity joins the group and becomes a group member, it has to trust that the GCKSthatonly authorized entities that are admitted to the group and has to trust that other group membersthat theywill not leak the information shared within the group. </t><section title="GSA<section> <name>GSA Registration and SecureChannel">Channel</name> <t>G-IKEv2 registration exchange uses IKEv2 IKE_SA_INIT protocols, inheriting all the security considerations documented inthe Section 5 of<xreftarget="RFC7296"/>,target="RFC7296" sectionFormat="of" section="5"/>, including authentication, confidentiality, protection againstman-in-the-middle,man-in-the-middle attacks, protection against replay/reflection attacks, anddenial of servicedenial-of-service protection. The GSA_AUTH and GSA_REGISTRATION exchanges also take advantage of those protections. In addition, G-IKEv2 brings in the capability to authorize a particular group member regardless of whether they have the IKEv2 credentials.</t> </section><section title="GSA<section> <name>GSA MaintenanceChannel">Channel</name> <t>The GSA maintenance channel is cryptographically and integrity protected using the cryptographic algorithm and key negotiated in the GSA member registration exchange.</t><section title="Authentication/Authorization"><section> <name>Authentication/Authorization</name> <t>The authentication key is distributed during the GMregistration,registration and the receiver of the rekey message uses that key to verify the message came from the authorized GCKS. <!--[rfced] How may we clarify this sentence? Is the sender proven to be a member of the group when the GM "decrypts and verifies the ICV"? Original: An implicit authentication can also be used, in which case, the ability of the GM to decrypt and to verify ICV of the received message proved that a sender of the message is a member of the group. Perhaps: An implicit authentication can also be used, in which case the GM decrypts and verifies the ICV of the received message to prove that a sender of the message is a member of the group. --> An implicit authentication can also be used, in which case, the ability of the GM to decrypt and to verify ICV of the received message proved that a sender of the message is a member of the group. However, implicit authentication doesn't provide source origin authentication, so the GM cannot be sure that the message came from the GCKS. For thisreasonreason, using implicit authentication is <bcp14>NOT RECOMMENDED</bcp14> unless used with a small group of trusted parties. </t> </section><section title="Confidentiality"><section> <name>Confidentiality</name> <t>Confidentiality is provided by distributing a confidentiality key as part of the GSA member registration exchange.</t> </section><section title="Man-in-the-Middle<section> <name>Man-in-the-Middle AttackProtection"> <t>GSAProtection</name> <t>The GSA maintenance channel is integrity protected by using a digital signature.</t> </section><section title="Replay/Reflection<section> <name>Replay/Reflection AttackProtection">Protection</name> <t>The GSA_REKEY message includes a monotonically increasing sequence number to protect against replay and reflection attacks. A group member will recognize a replayed message by comparing the Message ID number to that of the last received rekeymessage, anymessage. Any rekey message containing a Message ID number less than or equal to the last received value <bcp14>MUST</bcp14> be discarded. Implementations should keep a record of recently received GSA rekey messages for this comparison.</t> <t>The strict role separation between the GCKS and the GMs and, as a consequence, the limitation for a Rekey SA to be outbound/inbound only, helps to prevent reflection attack. </t> </section> </section> </section> <sectionanchor="IANA" title="IANA Considerations"> <section title="Noteanchor="IANA"> <name>IANA Considerations</name> <section> <name>New Registries</name> <t>Per this document, new registries have been created forReviewers"> <t> **** RFC Editor,G-IKEv2 under the "Internet Key Exchange Version 2 (IKEv2) Parameters" registry group <xref target="IKEV2-IANA"/>. The terms Reserved, Expert Review, and Private Use are as defined in <xref target="RFC8126"/>.</t> <!-- [rfced] We have included some specific questions about the IANA text below. In addition to responding to those questions, pleaseDELETE this Section priorreview all of the IANA-related updates carefully, including the IANA values in the running text, and let us know if any further updates are needed. Please refer topublication! **** </t> <t> While reviewingthedocument please note,following URL to view the IANA registries: <https://www.iana.org/assignments/ikev2-parameters/> a) For Tables 3-7 and 11-16, may we order the "Value" columns first to match the corresponding IANA registries? b) FYI: For Tables 11-16, we updated "Private Use" to "Reserved for Private Use" to match the corresponding IANA registries. c) Please clarify the text below. Was "new registrations" perhaps intended rather than "changes and additions to the unassigned range"? Note thatsomethere are multiple instances. Original: Changes and additions to the unassigned range of this registry are by thecodepoints, thatExpert Review Policy [RFC8126]. Perhaps: In thisdraft claimsregistry, new registrations are tohave allocated, in fact have been allocatedbe made byits predecessor, draft-yeung-g-ikev2-07 in 2013, as part ofExpert Review [RFC8126]. d) May we update theearly codepoint assignment. This documents makes usetitle ofthese already allocated codepoints, renames one of them and allocates additional codepoints. Note also, thatthesemantics of"Group-wide Policy Attributes" registry to "Group-Wide Policy Attributes" (i.e., make "wide" uppercase as it's an adjective within a hyphenated compound)? e) FYI: For clarity, we added thecodepoints allocated"Reference" column to Table 19 to show that the "Security Association" Payload Type was registered bydraft-yeung-g-ikev2-07RFC 7296. If this ispreserved, includingnot desired, please let us know. f) Is it helpful for therenamed one. </t> </section> <section title="New Registries"> <t>A new setreader if the history ofregistriesthe SENDER_REQUEST_ID registration iscreated for G-IKEv2 on IKEv2 parameters page <xref target="IKEV2-IANA" />. The terms Reserved, Expert Review and Private Use areincluded? If so, should an informative reference to "draft-yeung-g-ikev2-07" (e.g., "[G-IKEV2]") beapplied as definedadded (option A)? Or if the history isn't necessary, is option B preferred? Original: The Notify type with the value 16429 was allocated earlier in<xref target="RFC8126"></xref>.</t> <ol> <li> <t>Thisthe development of G-IKEv2 documentcreates a newin the "IKEv2 Notify Message Status Types" registry with the name SENDER_REQUEST_ID. This document renames it as follows: Perhaps A: An earlier draft of this document [G-IKEV2] registered the Notify type 16429 with the name SENDER_REQUEST_ID. Per this document, IANA has updated the "IKEv2 Notify Message Status Types" registry as follows: or Perhaps B: IANA has registered the following in the "IKEv2 Notify Message Status Types" registry: --> <ol type="1" spacing="normal"> <li> <t>IANA has created the "Transform Type<TBA> --13 - Key Wrap Algorithm TransformIDs". The initial values of the new registry are: <figure> <preamble></preamble> <artwork align="left"><![CDATA[ Key Wrap Algorithm Value ----------------------------- Reserved 0 KW_5649_128 1 KW_5649_192 2 KW_5649_256 3 KW_ARX 4 Unassigned 5-1023 Private Use 1024-65535 ]]></artwork> </figure>IDs" registry. Changes and additions to the unassigned range of this registry areby theto be made through Expert ReviewPolicy<xreftarget="RFC8126" />.</t> </li> <li> <t>This document creates a new IANA registry "Transform Type <TBA> -- Group Controller Authentication Method Transform IDs".target="RFC8126"/>. The initial values of thenewregistryare: <figure> <preamble></preamble> <artwork align="left"><![CDATA[are as follows:</t> <table> <name></name> <thead> <tr> <th>Key Wrap Algorithm</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>Reserved</td> <td>0</td> </tr> <tr> <td>KW_5649_128</td> <td>1</td> </tr> <tr> <td>KW_5649_192</td> <td>2</td> </tr> <tr> <td>KW_5649_256</td> <td>3</td> </tr> <tr> <td>KW_ARX</td> <td>4</td> </tr> <tr> <td>Unassigned</td> <td>5-1023</td> </tr> <tr> <td>Reserved for Private Use</td> <td>1024-65535</td> </tr> </tbody> </table> </li> <li> <t>IANA has created the "Transform Type 14 - Group Controller Authentication MethodValue ------------------------------------------------- Reserved 0 Implicit 1 Digital Signature 2 Unassigned 3-1023 Private Use 1024-65535 ]]></artwork> </figure>Transform IDs" registry. Changes and additions to the unassigned range of this registry areby theto be made through Expert ReviewPolicy<xreftarget="RFC8126" />.</t> </li> <li> <t>This document creates a new IANA registry "GSA Attributes".target="RFC8126"/>. The initial values of thenewregistryare: <figure> <preamble></preamble> <artwork align="left"><![CDATA[ GSA Attributes Value Format Multi-Valued Used in Protocol --------------------------------------------------------------------- Reserved 0 GSA_KEY_LIFETIME 1 TLV NO GIKE_UPDATE, AH, ESP GSA_INITIAL_MESSAGE_ID 2 TLV NO GIKE_UPDATE GSA_NEXT_SPI 3 TLV YES GIKE_UPDATE, AH, ESP Unassigned 5-16383are as follows:</t> <table> <name></name> <thead> <tr> <th>Group Controller Authentication Method</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>Reserved</td> <td>0</td> </tr> <tr> <td>Implicit</td> <td>1</td> </tr> <tr> <td>Digital Signature</td> <td>2</td> </tr> <tr> <td>Unassigned</td> <td>3-1023</td> </tr> <tr> <td>Reserved for PrivateUse 16384-32767 ]]></artwork> </figure>Use</td> <td>1024-65535</td> </tr> </tbody> </table> </li> <li> <t>IANA has created the "GSA Attributes" registry. Changes and additions to the unassigned range of this registry areby theto be made through Expert ReviewPolicy<xreftarget="RFC8126" />.</t> </li> <li> <t>This document creates a new IANA registry "Group-wide Policy Attributes".target="RFC8126"/>. The initial values of thenewregistryare: <figure> <preamble></preamble> <artwork align="left"><![CDATA[ GW Policy Attributes Value Format Multi-Valued -------------------------------------------------------- Reserved 0 GWP_ATD 1 TV NO GWP_DTD 2 TV NO GWP_SENDER_ID_BITS 3 TV NO Unassigned 4-16383are as follows: </t> <table> <name></name> <thead> <tr> <th>GSA Attributes</th> <th>Value</th> <th>Format</th> <th>Multi-Valued</th> <th>Used in Protocol</th> </tr> </thead> <tbody> <tr> <td>Reserved</td> <td>0</td> <td colspan="3"></td> </tr> <tr> <td>GSA_KEY_LIFETIME</td> <td>1</td> <td>TLV</td> <td>NO</td> <td>GIKE_UPDATE, AH, ESP</td> </tr> <tr> <td>GSA_INITIAL_MESSAGE_ID</td> <td>2</td> <td>TLV</td> <td>NO</td> <td>GIKE_UPDATE</td> </tr> <tr> <td>GSA_NEXT_SPI</td> <td>3</td> <td>TLV</td> <td>YES</td> <td>GIKE_UPDATE, AH, ESP</td> </tr> <tr> <td>Unassigned</td> <td>5-16383</td> <td colspan="3"></td> </tr> <tr> <td>Reserved for PrivateUse 16384-32767 ]]></artwork> </figure>Use</td> <td>16384-32767</td> <td colspan="3"></td> </tr> </tbody> </table> </li> <li> <t>IANA has created the "Group-wide Policy Attributes" registry. Changes and additions to the unassigned range of this registry areby theto be made through Expert ReviewPolicy<xreftarget="RFC8126" />.</t> </li> <li> <t>This document creates a new IANA registry "Group Key Bag Attributes".target="RFC8126"/>. The initial values of thenewregistryare: <figure> <preamble></preamble> <artwork align="left"><![CDATA[ Groupare as follows: </t> <table> <name></name> <thead> <tr> <th>GW Policy Attributes</th> <th>Value</th> <th>Format</th> <th>Multi-Valued</th> </tr> </thead> <tbody> <tr> <td>Reserved</td> <td>0</td> <td colspan="2"></td> </tr> <tr> <td>GWP_ATD</td> <td>1</td> <td>TV</td> <td>NO</td> </tr> <tr> <td>GWP_DTD</td> <td>2</td> <td>TV</td> <td>NO</td> </tr> <tr> <td>GWP_SENDER_ID_BITS</td> <td>3</td> <td>TV</td> <td>NO</td> </tr> <tr> <td>Unassigned</td> <td>4-16383</td> <td colspan="2"></td> </tr> <tr> <td>Reserved for Private Use</td> <td>16384-32767</td> <td colspan="2"></td> </tr> </tbody> </table> </li> <li> <t>IANA has created the "Group Key BagAttributes Value Format Multi-Valued Used in Protocol -------------------------------------------------------------------- Reserved 0 SA_KEY 1 TLV YES GIKE_UPDATE NO AH, ESP Unassigned 2-16383 Private Use 16384-32767 ]]></artwork> </figure>Attributes" registry. Changes and additions to the unassigned range of this registry areby theto be made through Expert ReviewPolicy<xreftarget="RFC8126" />.</t> </li> <li> <t>This document creates a new IANA registry "Member Key Bag Attributes".target="RFC8126"/>. The initial values of thenewregistryare: <figure> <preamble></preamble> <artwork align="left"><![CDATA[ Memberare as follows: </t> <table> <name></name> <thead> <tr> <th>Group Key BagAttributes Value Format Multi-Valued ---------------------------------------------------- Reserved 0 WRAP_KEY 1 TLV YES AUTH_KEY 2 TLV NO GM_SENDER_ID 3 TLV YES Unassigned 4-16383Attributes</th> <th>Value</th> <th>Format</th> <th>Multi-Valued</th> <th>Used in Protocol</th> </tr> </thead> <tbody> <tr> <td>Reserved</td> <td>0</td> <td colspan="3"></td> </tr> <tr> <td>SA_KEY</td> <td>1</td> <td>TLV</td> <td>YES<br/>NO</td> <td>GIKE_UPDATE<br/>AH, ESP</td> </tr> <tr> <td>Unassigned</td> <td>2-16383</td> <td colspan="3"></td> </tr> <tr> <td>Reserved for PrivateUse 16384-32767 ]]></artwork> </figure>Use</td> <td>16384-32767</td> <td colspan="3"></td> </tr> </tbody> </table> </li> <li> <t>IANA has created the "Member Key Bag Attributes" registry. Changes and additions to the unassigned range of this registry areby theto be made through Expert ReviewPolicy<xreftarget="RFC8126" />.</t>target="RFC8126"/>. The initial values of the registry are as follows: </t> <table> <name></name> <thead> <tr> <th>Member Key Bag Attributes</th> <th>Value</th> <th>Format</th> <th>Multi-Valued</th> </tr> </thead> <tbody> <tr> <td>Reserved</td> <td>0</td> <td colspan="2"></td> </tr> <tr> <td>WRAP_KEY</td> <td>1</td> <td>TLV</td> <td>YES</td> </tr> <tr> <td>AUTH_KEY</td> <td>2</td> <td>TLV</td> <td>NO</td> </tr> <tr> <td>GM_SENDER_ID</td> <td>3</td> <td>TLV</td> <td>YES</td> </tr> <tr> <td>Unassigned</td> <td>4-16383</td> <td colspan="2"></td> </tr> <tr> <td>Reserved for Private Use</td> <td>16384-32767</td> <td colspan="2"></td> </tr> </tbody> </table> </li> </ol><section title="Guidance<section> <name>Guidance for DesignatedExperts">Experts</name> <t> In all cases of Expert ReviewPolicydescribedhere,in this section, theDesignated Expertdesignated expert (DE) is expected to ascertain the existence of suitable documentation (a specification) as described in <xreftarget="RFC8126" />target="RFC8126"/> andtoverify that the document is permanently and publicly available. The DE is also expected to check the clarity of purpose and use of the requested code points.Last,Lastly, the DE must verify that any specification produced outside the IETF does not conflict with work that is active or already published within the IETF. </t> </section> </section><section title="Changes<section> <name>Changes in the Existing IKEv2Registries">Registries</name> <ol> <li><t>This document defines new Exchange Types in<t>In the "IKEv2 Exchange Types"registry: <figure align="center"> <artwork align="left"><![CDATA[ Value Exchange Type ---------------------------- 39 GSA_AUTH 40 GSA_REGISTRATION 41 GSA_REKEY <TBA> GSA_INBAND_REKEY ]]></artwork> </figure>registry, IANA has updated the references for the following entries to point to this document and has registered "GSA_INBAND_REKEY": </t> <table> <thead> <tr><th>Value</th><th>Exchange Type</th></tr> </thead> <tbody> <tr><td>39</td><td>GSA_AUTH</td></tr> <tr><td>40</td><td>GSA_REGISTRATION</td></tr> <tr><td>41</td><td>GSA_REKEY</td></tr> <tr><td>42</td><td>GSA_INBAND_REKEY</td></tr> </tbody> </table> </li> <li><t>This document defines new Payload Types in<t>In the "IKEv2 Payload Types"registry: <figure align="center"> <artwork align="left"><![CDATA[ Value Nextregistry, IANA has listed this document as a reference for the following entries: </t> <table> <thead> <tr> <th>Value</th> <th>Next PayloadType Notation ---------------------------------------------------- 50 Group Identification IDg 51 GroupType</th> <th>Notation</th> </tr> </thead> <tbody> <tr> <td>50</td> <td>Group Identification</td> <td>IDg</td> </tr> <tr> <td>51</td> <td>Group SecurityAssociation GSA 52 Key Download KD ]]></artwork> </figure> </t>Association</td> <td>GSA</td> </tr> <tr> <td>52</td> <td>Key Download</td> <td>KD</td> </tr> </tbody> </table> </li> <li><t>This document also updates<t>In the "IKEv2 Payload Types" registry, IANA has updated the definition of Payload Type 33in the "IKEv2 Payload Types" registry by adding an alternative nameandnotation for it referencingadded a reference to thisdocument: <figure align="center"> <artwork align="left"><![CDATA[ Value Nextdocument as follows:</t> <table> <thead> <tr> <th>Value</th> <th>Next PayloadType Notation -------------------------------------------------------------------- 33 Security Association SA SecurityType</th> <th>Notation</th> <th>Reference</th> </tr> </thead> <tbody> <tr> <td rowspan="2">33</td> <td>Security Association</td> <td>SA</td> <td><xref target="RFC7296"/></td> </tr> <tr> <td>Security Association - GM SupportedTransforms SAg ]]></artwork> </figure> </t>Transforms</td> <td>SAg</td> <td>RFC 9838</td> </tr> </tbody> </table> </li> <li><t>This document makes the following changes in<t>In the "Transform Type Values"registry: <list style="symbols" > <t>Defines two new transform types --registry, IANA has made the following changes: </t> <ul spacing="normal"> <li>Registered "Key Wrap Algorithm (KWA)" and "Group Controller Authentication Method(GCAUTH)";</t> <t>Changes(GCAUTH)".</li> <li> <t>Updated the "Used In" column forthevalues 1 and 3as follows;</t> <t>Appends reference toand listed this documentto the values 1 and 3;</t> </list> <figure align="center"> <artwork align="left"><![CDATA[ Type Description Used In -------------------------------------------------------------------- 1 Encryptionas an additional reference.</t> </li> </ul> <table> <thead> <tr> <th>Type</th> <th>Description</th> <th>Used In</th> </tr> </thead> <tbody> <tr> <td>1</td> <td>Encryption Algorithm(ENCR) (IKE, GIKE_UPDATE and ESP) 3 Integrity(ENCR)</td> <td>(IKE, GIKE_UPDATE, ESP)</td> </tr> <tr> <td>3</td> <td>Integrity Algorithm(INTEG) (IKE,(INTEG)</td> <td>(IKE, GIKE_UPDATE, AH, optional inESP) <TBA> KeyESP)</td> </tr> <tr> <td>13</td> <td>Key Wrap Algorithm(KWA) (IKE, GIKE_UPDATE) <TBA> Group(KWA)</td> <td>(IKE, GIKE_UPDATE)</td> </tr> <tr> <td>14</td> <td>Group Controller Authentication Method(GCAUTH) (GIKE_UPDATE) ]]></artwork> </figure> </t>(GCAUTH)</td> <td>(GIKE_UPDATE)</td> </tr> </tbody> </table> </li> <li><t>This document defines a new Attribute Type in<t>In the "IKEv2 Transform Attribute Types"registry: <figure align="center"> <artwork align="left"><![CDATA[ Value Attribute Type Format ------------------------------------------------------ <TBA> Signature Algorithm Identifier TLV ]]></artwork> </figure>registry, IANA has added the following entry: </t> <table> <thead> <tr> <th>Value</th> <th>Attribute Type</th> <th>Format</th> </tr> </thead> <tbody> <tr> <td>18</td> <td>Signature Algorithm Identifier</td> <td>TLV</td> </tr> </tbody> </table> </li> <li><t>This document defines a new value in<t>In the "Transform Type 5 - Sequence Numbers Transform IDs"registry: <figure align="center"> <artwork align="left"><![CDATA[ Number Name --------------------- <TBA> 32-bit Unspecified Numbers ]]></artwork> </figure>registry, IANA has added the following entry: </t> <table> <thead> <tr> <th>Number</th> <th>Name</th> </tr> </thead> <tbody> <tr> <td>2</td> <td>32-bit Unspecified Numbers</td> </tr> </tbody> </table> </li> <li><t>This document defines new Notify Message types in<t>In the "IKEv2 Notify Message Error Types"registry: <figure align="center"> <artwork align="left"><![CDATA[ Value Notifyregistry, IANA has made the following changes: </t> <ul> <li>Registered "REGISTRATION_FAILED".</li> <li>Updated the references for "INVALID_GROUP_ID" and "AUTHORIZATION_FAILED" to point to this document.</li> </ul> <table> <thead> <tr> <th>Value</th> <th>Notify Message ErrorType ----------------------------------------- 45 INVALID_GROUP_ID 46 AUTHORIZATION_FAILED <TBA> REGISTRATION_FAILED ]]></artwork> </figure> </t>Type</th> </tr> </thead> <tbody> <tr> <td>45</td> <td>INVALID_GROUP_ID</td> </tr> <tr> <td>46</td> <td>AUTHORIZATION_FAILED</td> </tr> <tr> <td>49</td> <td>REGISTRATION_FAILED</td> </tr> </tbody> </table> </li> <li> <t>The Notify type with the value 16429 was allocated earlier in the development of G-IKEv2 document in the "IKEv2 Notify Message Status Types" registry with the name SENDER_REQUEST_ID. This document renames it as follows:<figure align="center"> <artwork align="left"><![CDATA[ Value Notify</t> <table> <thead> <tr> <th>Value</th> <th>Notify Message StatusType ------------------------------------------ 16429 GROUP_SENDER ]]></artwork> </figure> </t>Type</th> </tr> </thead> <tbody> <tr> <td>16429</td> <td>GROUP_SENDER</td> </tr> </tbody> </table> </li> <li><t>This document defines a new Security Protocol Identifier in<t>In the "IKEv2 Security Protocol Identifiers"registry: <figure align="center"> <artwork align="left"><![CDATA[ Protocol ID Protocol -------------------------- <TBA> GIKE_UPDATE ]]></artwork> </figure>registry, IANA has added the following entry: </t> <table> <thead> <tr> <th>Protocol ID</th> <th>Protocol</th> </tr> </thead> <tbody> <tr> <td>6</td> <td>GIKE_UPDATE</td> </tr> </tbody> </table> </li> </ol> </section> </section><section anchor="Acknowledgements" title="Acknowledgements"> <t>The authors thank Lakshminath Dondeti and Jing Xiang for first exploring the use of IKEv2 for group key management and providing the basis behind the protocol. Mike Sullenberger and Amjad Inamdar were instrumental in helping resolve many issues</middle> <back> <displayreference target="I-D.ietf-ipsecme-ikev2-qr-alt" to="IPSEC-IKEV2-QR-ALT"/> <references> <name>References</name> <references> <name>Normative References</name> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6054.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7296.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4301.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4302.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4303.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8126.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5280.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7427.xml"/> <!-- [RFC9827] draft-ietf-ipsecme-ikev2-rename-esn-05; companion doc RFC 9827 is inseveral versionsAUTH48-DONE as ofthe document.</t> <t>The authors are grateful to Tero Kivinen, Daniel Migault, Gorry Fairhurst, Robert Sparks, Russ Housley09/11/25 andPaul Woutersis waiting fortheir careful reviews and valuable proposalsthis doc forimprovingPUB. --> <reference anchor="RFC9827" target="https://www.rfc-editor.org/info/rfc9827"> <front> <title>Renaming thedocument quality. </t> </section> <section anchor="Contributers" title="Contributors"> <t>The following individuals made substantial contributions to early versions of this memo.</t> <t><figure> <preamble></preamble> <artwork><![CDATA[ Sheela Rowles Cisco Systems ]]></artwork> </figure> <figure> <artwork><![CDATA[ Aldous Yeung Cisco Systems Email: cyyeung@cisco.com ]]></artwork> </figure> <figure> <artwork><![CDATA[ Paulina Tran Cisco Systems ]]></artwork> </figure> <figure> <artwork><![CDATA[ Yoav Nir Dell EMC Email: ynir.ietf@gmail.com ]]></artwork> </figure></t> </section> </middle> <back> <references title="Normative References"> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6054.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7296.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4301.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4302.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4303.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8126.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5280.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7427.xml"?> <?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-ipsecme-ikev2-rename-esn.xml"?>Extended Sequence Numbers (ESN) Transform Type in the Internet Key Exchange Protocol Version 2 (IKEv2)</title> <author initials="V." surname="Smyslov" fullname="Valery Smyslov"> <organization>ELVIS-PLUS</organization> </author> <date month='September' year='2025'/> </front> <seriesInfo name="RFC" value="9827"/> <seriesInfo name="DOI" value="10.17487/RFC9827"/> </reference> </references><references title="Informative References"> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2409.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2627.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3740.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4046.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6407.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3686.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4106.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4309.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4543.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5374.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5685.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5998.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5723.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6467.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7383.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7634.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8784.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3948.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.9242.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.9329.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8750.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.9347.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.9370.xml"?> <?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-ipsecme-ikev2-qr-alt.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8052.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8263.xml"?> <?rfc include="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5649.xml"?><references> <name>Informative References</name> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2409.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2627.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3740.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4046.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6407.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3686.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4106.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4309.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4543.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5374.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5685.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5998.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5723.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6467.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7383.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7634.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8784.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3948.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9242.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9329.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8750.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9347.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9370.xml"/> <!-- [I-D.ietf-ipsecme-ikev2-qr-alt] draft-ietf-ipsecme-ikev2-qr-alt-06; IESG State: in RFC-EDITOR as of 09/11/25 --> <xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-ipsecme-ikev2-qr-alt.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8052.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8263.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5649.xml"/> <reference anchor="ARX-KW" target="https://eprint.iacr.org/2020/059.pdf"> <front> <title>ARX-KW, a family of key wrapping constructions using SipHash and ChaCha</title> <author fullname="" initials="S."surname="Shinichi"></author>surname="Shinichi"/> <date month="January"year="2020" />year="2020"/> </front> <refcontent>Cryptology ePrint Archive, Paper 2020/059</refcontent> </reference> <reference anchor="OFT" target="https://pdfs.semanticscholar.org/d24c/7b41f7bcc2b6690e1b4d80eaf8c3e1cc5ee5.pdf"> <front> <title>Key Establishment in Large Dynamic Groups Using One-Way Function Trees</title> <author fullname="" initials="D." surname="McGrew"><organization></organization><organization/> </author> <author fullname="" initials="A." surname="Sherman"><organization></organization><organization/> </author> <datemonth="" year="1998" />month="May" year="1998"/> </front> <seriesInfoname="Manuscript, " value="submitted to IEEEname="DOI" value="10.1109/TSE.2003.1199073"/> <refcontent>IEEE Transactions on SoftwareEngineering" />Engineering, vol. 29, no. 5, pp. 444-458</refcontent> </reference> <reference anchor="NNL" target="http://www.wisdom.weizmann.ac.il/~naor/PAPERS/2nl.pdf"> <front> <title>Revocation and Tracing Schemes for Stateless Receivers</title> <author fullname="" initials="D." surname="Naor"><organization></organization><organization/> </author> <author fullname="" initials="M."surname="Noal"> <organization></organization>surname="Naor"> <organization/> </author> <author fullname="" initials="J." surname="Lotspiech"><organization></organization><organization/> </author> <date month=""year="2001" />year="2001"/> </front> <seriesInfoname="Advancesname="DOI" value="10.1007/3-540-44647-8_3"/> <refcontent>Advances inCryptology, Crypto '01, " value="Springer-Verlag LNCS 2139,Cryptology - CRYPTO 2001, Lecture Notes in Computer Science, vol. 2139, pp.41-62" />41-62</refcontent> </reference> <reference anchor="IKEV2-IANA"target="http://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml">target="http://www.iana.org/assignments/ikev2-parameters"> <front> <title>Internet Key Exchange Version 2 (IKEv2) Parameters</title> <author> <organization>IANA</organization> </author><date /><date/> </front> </reference> </references> </references> <sectionanchor="lkh_key_management" title="Useanchor="lkh_key_management"> <name>Use of LKH inG-IKEv2"> <t>Section 5.4 of <xref target="RFC2627"></xref>G-IKEv2</name> <t><xref target="RFC2627" sectionFormat="of" section="5.4"/> describes the LKHarchitecture,architecture and how a GCKS uses LKH to exclude group members. This section clarifies how the LKH architecture is used with G-IKEv2.</t> <sectionanchor="lkh_notation" title="Notation">anchor="lkh_notation"> <name>Notation</name> <t>In thissectionsection, we will use the notationX{Y}X{Y}, where a key with ID Y is encrypted with the key with ID X. The notation GSK_w{Y} means that the default wrap key GSK_w (with zero KWK ID)is used to encrypt key Y, and the notation X{K_sa} means key X is used to encrypt the SA key K_sa(wich(which always haszeroa KeyID). Note,ID of zero). Note that GSK_w{K_sa} means that the SA key is encrypted with the default wrap key, in whichcasecase, both KWK ID and Key ID are zero. </t> <t>The content of the KD payload will be shown as a sequence of key bags. The Group Key Bag substructure will be denoted asGP(SAn)(),GP(SAn)() when n is an SPI for theSA,SA and the Member Key Bag substructure will be denoted as MP(). The content of the key bags is shown as SA_KEY and WRAP_KEY attributes with the notation described above. Forsimplicitysimplicity, the type of the attribute will not beshown,shown because it is implicitly defined by the type of key bag. </t><t> Here<t>Below is the example of a KDpayload. <figure align="center">payload:</t> <figure> <artworkalign="center"><![CDATA[><![CDATA[ KD(GP(SA1)(X{K_sa}),MP(Y{X},Z{Y},GSK_w{Z}) ]]></artwork> </figure> <t> Forsimplicitysimplicity, any other attributes in the KD payload are omitted. </t> <t>We will also use the notation X->Y->Z to describe the Key Path. In thiscasecase, key Y is needed to decrypt key X and key Z is needed to decrypt key Y. In the exampleaboveabove, the keys had the following relation: K_sa->X->Y->Z->GSK_w. </t> </section><section title="Group Creation"><section> <name>Group Creation</name> <t>When a GCKS forms a group, it creates a key tree as shown inthe figure below.<xref target="initial-tree"/>. The key tree contains logical keys (which are represented as the values of their Key IDs in the figure) and a private key shared with only a single GM (the GMs are represented as letters followed by the corresponding key ID in parentheses in the figure). The root of the tree contains the multicast Rekey SA key (which is represented as SAn(K_san). The figure below assumes that the Key IDs are assigned sequentially; this is not a requirement and only used for illustrative purposes. The GCKS may create a complete tree asshown,shown or a partialtreetree, which is created on demand as members join the group. </t> <figurealign="center" anchor="initial-tree" title="Initialanchor="initial-tree"> <name>Initial LKHtree">Tree</name> <artworkalign="center"><![CDATA[><![CDATA[ SA1(K_sa1) +------------------------------+ 1 2 +---------------+ +---------------+ 3 4 5 6 +-------+ +-------+ +--------+ +--------+ A(7) B(8) C(9) D(10) E(11) F(12) G(13) H(14) ]]></artwork> </figure> <t>When GM A joins the group, the GCKS provides it with the keys in the KD payload of the GSA_AUTH or GSA_REGISTRATION exchange. Given the tree shown in figure above, the KD payload will be:<figure align="center" title="KD</t> <figure> <name>KD Payload for the Group MemberA">A</name> <artworkalign="center"><![CDATA[><![CDATA[ KD(GP(SA1)(1{K_sa1}),MP(3{1},7{3},GSK_w{7}) ]]></artwork> </figure> <t> From theseattributesattributes, the GM A will construct the Key PathK_sa1->1->3->7->GSK_w and sinceK_sa1->1->3->7->GSK_w. Since it ends up with GSK_w, it will use all the WRAP_KEY attributes present in the path as its Working Key Path: 1->3->7. </t> <!-- [rfced] May we replace "so after all" with "and thus" in the sentence below for improved clarity? Current: Similarly, when other GMs will be joining the group, they will be provided with the corresponding keys, so after all, the GMs will have the following Working Key Paths: Perhaps: Similarly, when other GMs join the group, they will be provided with the corresponding keys and thus the GMs will have the following Working Key Paths: --> <t>Similarly, when other GMs will be joining thegroupgroup, they will be provided with the corresponding keys, so afterallall, the GMs will have the following Working Key Paths:<figure align="center"></t> <figure> <artwork align="left"><![CDATA[ A: 1->3->7 B: 1->3->8 C: 1->4->9, D: 1->4->10 E: 2->5->11 F: 2->5->12 G: 2->6->13 H: 2->6->14 ]]></artwork> </figure></t></section><section title="Simple<section> <name>Simple Group SARekey">Rekey</name> <t>If the GCKS performs a simple SA rekey without changing group membership, it will only sendgroup key baga Group Key Gag in the KD payload with a new SA key encrypted with the default KWK.<figure align="center" title="KD</t> <figure> <name>KD Payload for the Simple Group SARekey">Rekey</name> <artworkalign="center"><![CDATA[><![CDATA[ KD(GP(SA2)(GSK_w{K_sa2})) ]]></artwork> </figure> <t> All the GMs will be able to decrypt it and no changes in their Working Key Paths will happen. </t> </section><section title="Group<section> <name>Group MemberExclusion">Exclusion</name> <t>If theGKCSGCKS has reason to believe that a GM should be excluded, then it can do so by sending a GSA_REKEY message that includes a set of GM_KEYattributesattributes, which would allow allGMsGMs, except for the excludedoneone, to get a new SA key. </t> <t>In the examplebelowbelow, the GCKS excludes GM F. For thispurposepurpose, it changes the key tree as follows, replacingthekey 2 withthekey 15 andthekey 5 withthekey 16. It also generates a new SA key for a new SA3. </t> <figurealign="center" anchor="updated-tree" title="LKH treeanchor="updated-tree"> <name>LKH Tree after Fhas been excluded">Has Been Excluded</name> <artworkalign="center"><![CDATA[><![CDATA[ SA3(K_sa3) +------------------------------+ 1 15 +---------------+ +---------------+ 3 4 16 6 +-------+ +-------+ +---- +--------+ A(7) B(8) C(9) D(10) E(11) F(12) G(13) H(14) ]]></artwork> </figure> <t>Then it sends the following KD payload for the new Rekey SA3:<figure align="center" title="KD</t> <figure> <name>KD Payload for the Group MemberF">F</name> <artworkalign="center"><![CDATA[><![CDATA[ KD(GP(SA3)(1{K_sa3},15{K_sa3}),MP(6{15},16{15},11{16}) ]]></artwork> </figure> <t> While processing this KDpayload: <list style="symbols">payload:</t> <ul spacing="normal"> <li> <t>GMs A, B,CC, and D will be able to decrypt the SA_KEY attribute 1{K_sa3} by using the "1" key from their key path. Since no new GM_KEY attributes are in the new Key Path, they won't update their Working Key Paths. </t> </li> <li> <t>GMs G and H will construct new Key Path 15->6 and will be able to decrypt the intermediate key 15 usingthekey 6 from their Working Key Paths. So, they will update their Working Key Paths replacing their beginnings up tothekey 6 with the new Key Path (thus replacing the key 2 with the key 15). </t> </li> <li> <t>GM E will construct a new Key Path 16->15->11 and will be able to decrypt the intermediate key 16 usingthekey 11 from its Working Key Path. So, it will update its Working Key Path replacing its beginnings up tothekey 11 with the new Key Path (thus replacingthekey 2 withthekey 15 andthekey 5 withthekey 16). </t> </li> <li> <t>GM F won't be able to construct any Key Path leading to any keyheit possesses, so it will be unable to decrypt the new SA key for theSA3 and thusSA3. Thus, it will be excluded from the group once the SA3 is used. </t></list> </t></li> </ul> <t>Finally, the GMs will have the following Working Key Paths:<figure align="center"></t> <figure> <artwork align="left"><![CDATA[ A: 1->3->7 B: 1->3->8 C: 1->4->9, D: 1->4->10 E: 15->16->11 F: excluded G: 15->6->13 H: 15->6->14 ]]></artwork> </figure> </section> </section> <section anchor="Acknowledgements" numbered="false"> <name>Acknowledgements</name> <t>The authors thank <contact fullname="Lakshminath Dondeti"/> and <contact fullname="Jing Xiang"/> for first exploring the use of IKEv2 for group key management and providing the basis behind the protocol. <contact fullname="Mike Sullenberger"/> and <contact fullname="Amjad Inamdar"/> were instrumental in helping resolve many issues in several draft versions of the document.</t> <t>The authors are grateful to <contact fullname="Tero Kivinen"/>, <contact fullname="Daniel Migault"/>, <contact fullname="Gorry Fairhurst"/>, <contact fullname="Robert Sparks"/>, <contact fullname="Russ Housley"/>, and <contact fullname="Paul Wouters"/> for their careful reviews and valuable proposals for improving the document quality. </t> </section> <section anchor="Contributors" numbered="false"> <name>Contributors</name> <t>The following individuals made substantial contributions to earlier draft versions of this document.</t> <contact fullname="Sheela Rowles"> <organization>Cisco Systems</organization> </contact> <contact fullname="Aldous Yeung"> <organization>Cisco Systems</organization> <address> <email>cyyeung@cisco.com</email> </address> </contact> <contact fullname="Paulina Tran"> <organization>Cisco Systems</organization> </contact> <contact fullname="Yoav Nir"> <organization>Dell EMC</organization> <address> <email>ynir.ietf@gmail.com</email> </address> </contact> </section> <!-- [rfced] Abbreviations a) FYI - We have added expansions for abbreviations upon first use per Section 3.6 of RFC 7322 ("RFC Style Guide"). Please review each expansion in the document carefully to ensure correctness. b) We note that some abbreviations are expanded multiple times throughout the document. If there are no objections, we will update terms to use their abbreviations after their first expansions for consistency. One example (see the document for more examples): Group Member -> GM --> <!-- [rfced] Terminology a) Please review the following terms for capitalization and let us know which form you prefer (uppercase or lowercase) for consistency. Data-Security vs. data-security [Note: Only two instances of "data-security" are lowercase; should they be uppercase?] Group Member vs. group member Group Receiver vs. group receiver Group Sender vs. group sender Group-wide policy vs. group-wide policy GSA registration exchange vs. GSA_REGISTRATION exchange Header vs. header (when referring to specific headers, e.g., Payload Header vs. IKE header) Key Bag vs. key bag Key information vs. key information Key Wrap Algorithm vs. key wrap algorithm Notify Message vs. Notify message vs. notify message Security Association vs. security association [Note: should the security association policy be uppercase (e.g., "Security Association policy")? Transform(s) vs. transform(s) Transform ID vs. transform ID b) We note that the following terms are used inconsistently. Please review and let us know which form you prefer to use throughout the document. Data-Security GSA TEK vs. GSA TEK vs. Data-Security SA policy (GSA TEK) [Note: Are any of these terms the same?] group key management vs. group key management protocol Multicast Security (MSEC) Group Key Management Architecture vs. Multicast Security (MSEC) key management architecture c) FYI: We updated the text to reflect the forms on the right for consistency. Please let us know of any objections. G-IKEv2 Rekey -> G-IKEv2 rekey GKCS -> GCKS group key bag -> Group Key Bag group security association -> Group Security Association GSA Policy -> GSA policy= IKEv2 Intermediate exchange -> IKEv2 Intermediate Exchange (per RFC 9242) member Key Bag and member key bag -> Member Key Bag NO_PROPOSAL_CHOSEN Notification -> NO_PROPOSAL_CHOSEN notification protocol ID -> Protocol ID Rekey message -> rekey message rekey SA -> Rekey SA Security Association Payload -> Security Association payload (per RFC 7296) Secure Password authentication -> secure password authentication (per RFC 6467) --> <!-- [rfced] Some figures and tables were updated during the formatting process and do not have titles. Would you like to add titles to the figures and tables below for consistency throughout the document? If so, please let us know the desired text. Current: Figure 10 Figure 15 Figure 16 Figure 24 Figure 27 Figure 31 Tables 3-8 Tables 11-25 --> <!-- [rfced] Please review the "Inclusive Language" portion of the online Style Guide <https://www.rfc-editor.org/styleguide/part2/#inclusive_language> and let us know if any changes are needed. Updates of this nature typically result in more precise language, which is helpful for readers. For example, please consider whether the term "man-in-the-middle" should be updated. --> </back> </rfc>