MSEC Working Group S. Rowles Internet-Draft A. Yeung, Ed. Intended status: Standards Track P. Tran Expires: September 9, 2010 Cisco Systems March 8, 2010 Group Key Management using IKEv2 draft-yeung-g-ikev2-01 Abstract This document presents a new group key distribution protocol, using group key distribution RFC 3547 with IKEv2 RFC 4306. The new protocol is similar to IKEv2 in message and payload formats as well as message semantics. The protocol is in conformance with MSEC key management architecture that it contains two components: member registration and group rekeying, both downloading group security associations from the Group Controller Key Server to a member of the group. Status of this Memo This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on September 9, 2010. Copyright Notice Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved. Rowles, et al. Expires September 9, 2010 [Page 1] Internet-Draft G-IKEv2 March 2010 This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the BSD License. Table of Contents 1. Introduction and Overview . . . . . . . . . . . . . . . . . . 5 1.1. Why do we need another GSA protocol? . . . . . . . . . . . 5 1.2. G-IKEv2 Payloads . . . . . . . . . . . . . . . . . . . . . 6 2. G-IKEv2 integration into IKEv2 protocol . . . . . . . . . . . 7 2.1. UDP port . . . . . . . . . . . . . . . . . . . . . . . . . 7 3. G-IKEv2 Protocol . . . . . . . . . . . . . . . . . . . . . . . 8 3.1. G-IKEv2 member registration and secure channel establishment . . . . . . . . . . . . . . . . . . . . . . 8 3.1.1. IKE_SA_INIT exchange . . . . . . . . . . . . . . . . . 8 3.1.2. GSA_AUTH exchange . . . . . . . . . . . . . . . . . . 9 3.1.3. IKEv2 Header Initialization . . . . . . . . . . . . . 10 3.1.4. GM Registration Operations . . . . . . . . . . . . . . 10 3.1.5. GCKS Registration Operations . . . . . . . . . . . . . 10 3.2. G-IKEv2 group maintenance channel . . . . . . . . . . . . 11 3.2.1. G-IKEv2 REKEY exchange request . . . . . . . . . . . . 11 3.2.2. Forward and Backward Access Control . . . . . . . . . 12 3.2.3. Forward Access Control Requirements . . . . . . . . . 12 3.2.4. Deletion of SAs . . . . . . . . . . . . . . . . . . . 13 3.2.5. GCKS Operations . . . . . . . . . . . . . . . . . . . 14 3.2.6. GM Operations . . . . . . . . . . . . . . . . . . . . 14 4. Header and Payload Formats . . . . . . . . . . . . . . . . . . 15 4.1. The G-IKEv2 Header . . . . . . . . . . . . . . . . . . . . 15 4.2. IDgroup Payload . . . . . . . . . . . . . . . . . . . . . 15 4.3. Group Security Association Payload . . . . . . . . . . . . 15 4.3.1. Payloads following the GSA Payload . . . . . . . . . . 16 4.4. KEK Payload . . . . . . . . . . . . . . . . . . . . . . . 17 4.4.1. KEK Attributes . . . . . . . . . . . . . . . . . . . . 18 4.4.2. KEK_MANAGEMENT_ALGORITHM . . . . . . . . . . . . . . . 18 4.4.3. KEK_ALGORITHM . . . . . . . . . . . . . . . . . . . . 19 4.4.3.1. KEK_ALG_AES_CBC . . . . . . . . . . . . . . . . . 19 4.4.3.2. KEK_ALG_AES_GCM . . . . . . . . . . . . . . . . . 19 4.4.4. KEK_KEY_LENGTH . . . . . . . . . . . . . . . . . . . . 19 Rowles, et al. Expires September 9, 2010 [Page 2] Internet-Draft G-IKEv2 March 2010 4.4.5. KEK_KEY_LIFETIME . . . . . . . . . . . . . . . . . . . 20 4.4.6. SIG_HASH_ALGORITHM . . . . . . . . . . . . . . . . . . 20 4.4.7. SIG_ALGORITHM . . . . . . . . . . . . . . . . . . . . 20 4.4.7.1. SIG_ALG_RSA . . . . . . . . . . . . . . . . . . . 20 4.4.7.2. SIG_ALG_DSS . . . . . . . . . . . . . . . . . . . 21 4.4.7.3. SIG_ALG_ECDSS . . . . . . . . . . . . . . . . . . 21 4.4.7.4. SIG_ALG_RSA_PSS . . . . . . . . . . . . . . . . . 21 4.4.8. SIG_KEY_LENGTH . . . . . . . . . . . . . . . . . . . . 21 4.5. GSA TEK Payload . . . . . . . . . . . . . . . . . . . . . 21 4.5.1. TEK Protocol-Specific Payload . . . . . . . . . . . . 22 4.6. GSA Group Associated Policy Payload . . . . . . . . . . . 24 4.6.1. Activation Time Delay . . . . . . . . . . . . . . . . 25 4.6.2. Deactivation_Time_Delay . . . . . . . . . . . . . . . 25 4.6.3. Sender ID . . . . . . . . . . . . . . . . . . . . . . 25 4.6.3.1. GCKS semantics . . . . . . . . . . . . . . . . . . 26 4.6.3.2. GM semantics . . . . . . . . . . . . . . . . . . . 27 4.7. Key Download Payload . . . . . . . . . . . . . . . . . . . 27 4.7.1. TEK Download Type . . . . . . . . . . . . . . . . . . 29 4.7.1.1. TEK_ALGORITHM_KEY . . . . . . . . . . . . . . . . 29 4.7.1.2. TEK_INTEGRITY_KEY . . . . . . . . . . . . . . . . 29 4.7.1.3. TEK_SOURCE_AUTH_KEY . . . . . . . . . . . . . . . 30 4.7.2. KEK Download Type . . . . . . . . . . . . . . . . . . 30 4.7.2.1. KEK_ALGORITHM_KEY . . . . . . . . . . . . . . . . 30 4.7.2.2. SIG_ALGORITHM_KEY . . . . . . . . . . . . . . . . 30 4.7.3. LKH Download Type . . . . . . . . . . . . . . . . . . 30 4.7.3.1. LKH_DOWNLOAD_ARRAY . . . . . . . . . . . . . . . . 31 4.7.3.2. LKH_UPDATE_ARRAY . . . . . . . . . . . . . . . . . 33 4.7.3.3. SIG_ALGORITHM_KEY . . . . . . . . . . . . . . . . 34 4.8. Sequence Number Payload . . . . . . . . . . . . . . . . . 34 4.9. Delete Payload . . . . . . . . . . . . . . . . . . . . . . 34 4.10. Notify Payload . . . . . . . . . . . . . . . . . . . . . . 35 4.11. Signature Payload . . . . . . . . . . . . . . . . . . . . 35 5. Security Considerations . . . . . . . . . . . . . . . . . . . 37 5.1. GSA registration and secure channel . . . . . . . . . . . 37 5.2. GSA maintenance channel . . . . . . . . . . . . . . . . . 37 5.2.1. Authentication/Authorization . . . . . . . . . . . . . 37 5.2.2. Confidentiality . . . . . . . . . . . . . . . . . . . 37 5.2.3. Man-in-the-Middle Attack Protection . . . . . . . . . 37 5.2.4. Replay/Reflection Attack Protection . . . . . . . . . 37 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 38 6.1. New registries . . . . . . . . . . . . . . . . . . . . . . 38 6.2. New payload and exchange types to existing IKEv2 registry . . . . . . . . . . . . . . . . . . . . . . . . . 38 6.3. Payload Types . . . . . . . . . . . . . . . . . . . . . . 38 6.4. New Name spaces . . . . . . . . . . . . . . . . . . . . . 39 Rowles, et al. Expires September 9, 2010 [Page 3] Internet-Draft G-IKEv2 March 2010 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 40 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 41 8.1. Normative References . . . . . . . . . . . . . . . . . . . 41 8.2. Informative References . . . . . . . . . . . . . . . . . . 41 Appendix A. Differences between G-IKEv2 and RFC 3547 . . . . . . 43 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 44 Rowles, et al. Expires September 9, 2010 [Page 4] Internet-Draft G-IKEv2 March 2010 1. Introduction and Overview This document presents a group key management protocol protected by IKEv2. The group is protected by the security association derived in the mutual authentication between the group member and the group controller/key server (GCKS) using IKEv2 [RFC4306]. The GCKS downloads policy and keys after the GCKS authenticates the client. The initial exchange uses IKE_SA_INIT exchange in IKEv2. The new payloads for G-IKEv2 are added in the GSA_AUTH exchange. The result of the GSA_AUTH is that the GCKS downloads policy and keys for the group to the Group Members (GM). This document will reference the IKEv2 RFCs [4306 and 4718] but otherwise is intended to be a standalone document. [RFC3547] presented GDOI using the ISAKMP domain of interpretation. This document is updating the group security protocol to use IKEv2 without any need for a domain of interpretation, but will instead distinguish G-IKEv2 from IKEv2 by the port being used. The message semantics of IKEv2 will be maintained in that all communications consist of pairs of messages. The exception is in the case that when rekeys are issued in a multicast domain, the previous model [RFC3547] will be maintained: a multicast rekey sent by the GCKS will not expect a response from the GM. A number of payloads were deemed unnecessary since [RFC3547]. These are described in Appendix A. 1.1. Why do we need another GSA protocol? GDOI protocol specified in [RFC3547] is protected by IKEv1 phase1 security association defined in [RFC2407], [RFC2408] and [RFC2409]; these documents are obsoleted and replaced by a new version of the IKE protocol defined in RFC 4306. G-IKEv2 provides group key management between the group member and group controller key server using the new IKEv2 protocol and inherits the following key advantages over GDOI: 1. Provide a simple mechanism for the responder to keep minimal state and avoid DOS attack from forged IP address using cookie challenge exchange. 2. Improve performance and network latency by the reduced number of initial messages to complete the G-IKEv2 protocol from (9 messages in main mode and quick mode, 6 messages in aggressive mode and quick) to 4 messages. 3. Fix cryptographic weakness with authentication HASH (ikev1 authentication HASH specified in RFC-2409 does not include all ISAKMP payloads and does not include ISAKMP header). This issue is documented at [IKE-HASH] Rowles, et al. Expires September 9, 2010 [Page 5] Internet-Draft G-IKEv2 March 2010 4. Improve protocol reliability where all unicast messages are ack'ed and sequenced. 5. Well defined behavior for error conditions to improve interoperability. 1.2. G-IKEv2 Payloads 1. IDg (group ID) - The GM requests the GCKS for membership into the group by sending its IDg payload. 2. GSA (Group Security Association) - The GCKS sends the group policy to the GM using this payload. 3. GSA KEK (Group Security Association Key Encryption Key) - The KEK Payload MAY be sent as part of the group policy to ensure that the GCKS will send rekeys using the security credentials of the KEK. 4. GSA GAP (Group Associated Policy) - The GAP payload is providing the capability to send unique sender specific information to the group members as well as unique group policy specific to the group. [Section 4.6]. 5. GSA TEK (Group Security Association Traffic Encryption Key) - The GSA TEK Payload MAY be sent as part of the group policy to ensure that the GCKS will send the keying material for the group members to communicate securely amongst each other. 6. KD (Key Download) - The GCKS sends the control and data keys to the GM using the KD payload. 7. SEQ (Sequence Number Payload) - The SEQ payload provides anti- replay protection for the rekey message. 8. SIG (Signature Payload) The SIG payload provides a signed hash of the GCKS rekey message, which is verified by the GM. Rowles, et al. Expires September 9, 2010 [Page 6] Internet-Draft G-IKEv2 March 2010 2. G-IKEv2 integration into IKEv2 protocol The G-IKEv2 protocol provides the security mechanisms of IKEv2 (peer authentication, confidentiality, message_integrity) to protect the group negotiations required for G-IKEv2. The G-IKEv2 exchange further provides group authorization, and secure policy and key download from the GCKS to its group members. 2.1. UDP port G-IKEv2 SHOULD use port 848 since GDOI [RFC3547] and G-IKEv2 are related protocols where both provide group key management between group member and the group controller key server. The version number in the IKEv2 header distinguishes the G-IKEv2 protocol from GDOI protocol [RFC3547]. Rowles, et al. Expires September 9, 2010 [Page 7] Internet-Draft G-IKEv2 March 2010 3. G-IKEv2 Protocol 3.1. G-IKEv2 member registration and secure channel establishment The registration protocol consists of two exchanges, IKE_SA_INIT and GSA_AUTH. Each exchange consists of request/response pairs. The first exchange IKE_SA_INIT is defined in IKEv2 [RFC4306]. This exchange negotiates cryptographic algorithms, exchanges nonces and does a Diffie-Hellman exchange between the member and the Group Controller Key Server (GCKS). The second exchange GSA_AUTH authenticates the previous messages, exchange identities and certificates, and downloads the data security keys (TEKs) and/or group key encrypting key (KEK) or KEK array. Parts of these messages are encrypted and integrity protected with keys established through the IKE_SA_INIT exchange, so the identities are hidden from eavesdroppers and all fields in all the messages are authenticated. The GCKS MAY authorize group members to be allowed into the group as part of the GSA_AUTH exchange. In the following descriptions, the payloads contained in the message are indicated by names as listed below. Notation Payload ------------------------------------------------------------ AUTH Authentication CERT Certificate CERTREQ Certificate Request GSA Group Security Association HDR IKEv2 Header IDg Identification - Group IDi Identification - Initiator IDr Identification - Responder KD Key Download KE Key Exchange Ni, Nr Nonce SA Security Association SEQ Sequence Number of rekey message The details of the contents of each payload are described in Section 4. Payloads that may optionally appear will be shown in brackets, such as [CERTREQ], indicate that optionally a certificate request payload can be included. 3.1.1. IKE_SA_INIT exchange Rowles, et al. Expires September 9, 2010 [Page 8] Internet-Draft G-IKEv2 March 2010 Member (Initiator) GCKS (Responder) -------------------- ------------------ HDR, SAi1, KEi, Ni --> <-- HDR, SAr1, KEr, Nr, [CERTREQ,] The group member initiates the IKE_SA_INIT exchange to the GCKS to negotiate cryptographic algorithms, exchange nonces, and perform a Diffie-Hellman exchange. 3.1.2. GSA_AUTH exchange The security properties of the GSA_AUTH exchange are the same as the properties of the IKE_SA_AUTH exchange. It is used to authenticate the GSA_INIT messages, exchange identities and certificates. G-IKEv2 also uses this exchange for group member registration and optionally authorization. Initiator (Member) Responder (GCKS) -------------------- ------------------ HDR, SK { IDi, [CERT,] [CERTREQ,] [IDr,] AUTH, IDg } --> After an unauthenticated secure channel is established by IKE_SA_INIT exchange, the member initiates a registration request to join a group indicated by IDg payload. <-- HDR, SK { IDr, [CERT,] AUTH, [SEQ,] GSA, KD } The GCKS MAY inform the group member the current value of the rekey sequence number using the SEQ payload. The first GSA_REKEY request's sequence number the member receives MUST be greater than SEQ value. The SEQ payload MUST be present if the GSA payload contains an GSA KEK attribute, indicating that the GCKS will be sending rekeys. The GCKS also informs the member of the cryptographic policies of the group in the GSA payload, which contains the KEK and/or TEK policy, and/or the policy in the GAP and the authentication transforms. The KD payload contains the KEK and/or TEK keying material. The SPIs for the data traffic are also determined by the GCKS and downloaded in the GSA payload. The GSA KEK attribute contains the G-IKEv2 SPI for the Re-key SA, which is not negotiated but downloaded. The GSA TEK attribute contains a SPI as defined in Section 4.5.1 of this document. If a Re-key SA is defined in the SA payload, indicated by the presence of the GSA KEK attribute, then the KD will contain the SA KEK; if one or more Data-security SAs are defined in the GSA payload, the KD will contain the TEKs. The GAP payload MAY specify the sender specific information if any of the AES counter-based modes Rowles, et al. Expires September 9, 2010 [Page 9] Internet-Draft G-IKEv2 March 2010 are being used to provide unique sender information to the GMs. The GAP payload may also provide the ATD or DTD providing specifying activation and deactivation delays for SAs generated from the TEKs. G-IKEv2 member registration MAY have a few more messages exchange if the EAP method, cookie challenge (for DoS) and invalid KE are used. In addition to the IKEv2 error handling, GCKS can reject the registration request when IDg is invalid or authorization fail, etc. In these cases, see Section 4.10, the GSA_AUTH response will include notify indicate errors. The member SHOULD send an IKEv2 delete using the INFORMATIONAL message exchange to bring down the authenticated IKE SA. 3.1.3. IKEv2 Header Initialization The Major Version is (2) and Minor Version number (0) according to IKEv2 [RFC4306], and maintained in this document. The G-IKEv2 GSA- INIT uses the SPI according to IKEv2 [RFC4306],section 2.6. 3.1.4. GM Registration Operations A G-IKEv2 Initiator (GM) requesting registration contacts the GCKS using the IKE_SA_INIT exchange and receives the response from the GCKS. This exchange is unchanged from the IKEv2 protocol. Upon completion of parsing and verifying the IKE_SA_INIT response, it sends the GSA_AUTH message with the IKEv2 payloads from IKE_SA_AUTH along with the Group ID informing the GCKS of the group the initiator wishes to join. The initiator then parses the response from the GCKS authenticating the exchange using the IKEv2 payloads, then accessing the SEQ, GSA, and KD. The SEQ is optionally accessed if rekey is desired in the system, where SEQ provides the current sequence number of the most recent rekey message. The GSA is parsed providing the TEK and/or KEK and/or the GAP policy. Finally the KD is parsed providing the keying material for the TEK and/or KEK. 3.1.5. GCKS Registration Operations A G-IKEv2 GCKS receives the IKE_SA_INIT message and responds with the IKE_SA_INIT response unchanged from IKEv2. Upon receiving the GSA_AUTH message, and after authenticating the peer, the GCKS locates the group the initiator wishes to join, extracts the policy for that group, and generates the policy in the GSA payload, along with the keying material in the KD payload. Optionally, the GAP payload may provide SSID information if the AES counter modes are being used as the transforms to provide unique sender information to the GMs, as well as ATD or DTD if it is desired to address the activation and deactivation time delays of the TEK SA. If the GCKS desires Rowles, et al. Expires September 9, 2010 [Page 10] Internet-Draft G-IKEv2 March 2010 authorization, the GCKS authorizes the peer against the specified credentials before sending the GSA_AUTH response. The support for the G-IKEv2 group maintenance channel is optional, the SEQ SHOULD be sent if it is supported. 3.2. G-IKEv2 group maintenance channel The GCKS MAY send the GSA Rekey if the KEK attribute is present in the G-IKEv2 registration. Though the G-IKEv2 Rekey is optional, it plays a crucial role for large and dynamic groups. The GCKS is responsible for rekeying of the secure group per the group policy. The GCKS uses multicast to transport the rekey message. The G-IKEv2 protocol uses GSA_REKEY exchange type in G-IKEv2 header identifying it as a rekey message. This rekey message is protected by the registration exchanges. 3.2.1. G-IKEv2 REKEY exchange request The GCKS initiates the G-IKEv2 Rekey securely using IP multicast. Since multicast rekey does not require a response and it sends to multiple GMs, G-IKEv2 Rekeying SHOULD not support windowing. The anti-replay protection is supported by the SEQ payload. The GCKS Rekey message replaces the Rekey GSA KEK or KEK array, and/or creates a new Data-Security SA TEK. The SSID attribute in the SA GAP payload SHOULD NOT be part of the Rekey Exchange as this is sender specific information and the Rekey Exchange is group specific. The GCKS initiates the GSA_REKEY exchange as following: Members (Responder) GCKS (Initiator) -------------------- ------------------ <-- HDR, SK { SEQ, GSA, KD, SIG } HDR is defined in Section 4.1. The SEQ payload is defined in Section 4.8. The GSA payload contains the current rekey and data security SA payloads. The GSA may contain a new data security SA and/or a new rekey SA, which, optionally contains an LKH rekey SA, Section 4.3. The KD represents the keys for the policy sent in the GSA. If the data security SA is being refreshed in this rekey message, the IPSec keys are updated in the KD, and/or if the rekey SA is being refreshed in this rekey message, the rekey Key or the LKH KEK array is updated in the KD payload. The SIG payload is a signature of the hash of the message, not including the G-IKEv2 header, to ensure the integrity of the rekey message. Rowles, et al. Expires September 9, 2010 [Page 11] Internet-Draft G-IKEv2 March 2010 After adding the Signature of the above Hash to the rekey message, the current KEK encryption key encrypts all the payloads following the HDR. 3.2.2. Forward and Backward Access Control Through G-IKEv2 rekey, the G-IKEv2 supports algorithms such as LKH that have the property of denying access to a new group key by a member removed from the group (forward access control) and to an old group key by a member added to the group (backward access control). An unrelated notion to PFS, "forward access control" and "backward access control" have been called "perfect forward security" and "perfect backward security" in the literature [RFC2627]. Group management algorithms providing forward and backward access control other than LKH have been proposed in the literature, including OFT [OFT] and Subset Difference [NNL]. These algorithms could be used with G-IKEv2, but are not specified as a part of this document. Support for group management algorithms is supported via the KEY_MANAGEMENT_ALGORITHM attribute which is sent in the SA_KEK payload. G-IKEv2 specifies one method by which LKH can be used for forward and backward access control. Other methods of using LKH, as well as other group management algorithms such as OFT or Subset Difference may be added to G-IKEv2 as part of a later document. Any such addition MUST be due to a Standards Action as defined in [RFC2434]. 3.2.3. Forward Access Control Requirements When group membership is altered using a group management algorithm new SA_TEKs (and their associated keys) are usually also needed. New SAs and keys ensure that members who were denied access can no longer participate in the group. If forward access control is a desired property of the group, new SA_TEKs and the associated key packets in the KD payload MUST NOT be included in a G-IKEv2 rekey message which changes group membership. This is required because the SA_TEK policy and the associated key packets in the KD payload are not protected with the new KEK. A second G-IKEv2 rekey message can deliver the new SA_TEKS and their associated keys because it will be protected with the new KEK, and thus will not be visible to the members who were denied access. If forward access control policy for the group includes keeping group policy changes from members that are denied access to the group, then two sequential G-IKEv2 rekey messages changing the group KEK MUST be Rowles, et al. Expires September 9, 2010 [Page 12] Internet-Draft G-IKEv2 March 2010 sent by the GCKS. The first G-IKEv2 rekey message creates a new KEK for the group. Group members, which are denied access, will not be able to access the new KEK, but will see the group policy since the G-IKEv2 rekey message is protected under the current KEK. A subsequent G-IKEv2 rekey message containing the changed group policy and again changing the KEK allows complete forward access control. A G-IKEv2 rekey message MUST NOT change the policy without creating a new KEK. If other methods of using LKH or other group management algorithms are added to G-IKEv2, those methods MAY remove the above restrictions requiring multiple G-IKEv2 rekey messages, providing those methods specify how forward access control policy is maintained within a single G-IKEv2 rekey message. 3.2.4. Deletion of SAs There are occasions the GCKS may want to signal to receivers to delete policy at the end of a broadcast, or if group policy has changed. Deletion of keys MAY be accomplished by sending the G-IKEv2 Delete Payload [RFC4306], section 3.11 as part of the G-IKEv2 Rekey Exchange. One or more Delete payloads MAY be placed following the HDR payload in the G-IKEv2 Rekey Exchange. The Protocol-ID field contains TEK protocol id values, defined in section 4.6 of this document. In order to delete a KEK SA, the value of zero MUST be used as the protocol id. Note that only one protocol id value can be defined in a Delete payload. If a TEK and a KEK SA must be deleted, they must be sent in different Delete payloads. Similarly, if a TEK specifying ESP and a TEK specifying AH need to be deleted, they must be sent in different Delete payloads. When a policy delete is required the GCKS sends a rekey of the following format: Members (Responder) GCKS (Initiator) -------------------- ------------------ <-- HDR, SK { DEL, [GSA], [KD], SIG } The GSA MAY specify the remaining active time of the remaining policy by using the DTD attribute in the GAP Payload. If a GCKS has no further SAs to send to group members, the SA and KD payloads MUST be omitted from the message. There may be circumstances where the GCKS may want to start over with a clean slate. If the administrator is no longer confident in the integrity of the group, the GCKS can signal deletion of all policy of a particular TEK protocol by sending a TEK with a SPI value equal to zero in the delete payload. For Rowles, et al. Expires September 9, 2010 [Page 13] Internet-Draft G-IKEv2 March 2010 example, if the GCKS wihses to remove all the KEKs and all the TEKs in the group, the GCKS SHOULD send a delete payload with a spi of zero and a protocol_id of a TEK protocol_id value define in Section 4.5, followed by another delete paylad with a spi of zero and and protocol_id of zero, indicating that the KEK SA should be deleted. 3.2.5. GCKS Operations The GCKS may initiate a rekey message if group membership and/or policy has changed, or if the keys are about to expire. The GCKS builds the rekey message with value of the SEQ payload that is one greater than the previous rekey. The GSA and KD follow with the same characteristics as in the GSA_Registration exchange. The SIG payload is created by hashing the string "G-IKEv2" and the message created so far, and then digitally signed. Finally, the payloads following the HDR are encrypted using the current KEK encryption key. 3.2.6. GM Operations The group member receives the Rekey Message from the GCKS, decrypts the message using the current KEK, validates the signature, verifies the value in SEQ payload is one or more greater than that of the last rekey SA received, and processes the GSA and KD payloads. The group member then downloads the new data security SA and/or new Rekey SA. The parsing of the payloads is similar to the registration exchange. Rowles, et al. Expires September 9, 2010 [Page 14] Internet-Draft G-IKEv2 March 2010 4. Header and Payload Formats Refer to IKEv2 [RFC4306] for existing payloads. 4.1. The G-IKEv2 Header G-IKEv2 uses the same IKE header format as specified in RFC 4306 section 3.1. Several new payload formats are required in the group security exchanges. Next Payload Type Value ----------------- ----- Group Identification (IDg) TBD Group Security Association (GSA) TBD GSA KEK Payload (GSAK) TBD GSA GAP Payload (GGAP) TBD GSA TEK Payload (GSAT) TBD Key Download (KD) TBD Sequence Number Payload (SEQ) TBD Signature Payload (SIG) TBD New exchange types GSA_AUTH and GSA_REKEY are added to the IKEv2 [RFC4306] protocol. Exchange Type Value -------------- ----- GSA_AUTH TBD GSA_REKEY TBD Major Version is 2 and Minor Version is 0 as in IKEv2 [RFC4306]. IKE SA initiator SPI, IKE SA responder SPI, Flags, Message Id are as specified in [RFC4306]. 4.2. IDgroup Payload The IDg Payload allows the group member to indicate which group it wants to join. The payload is constructed by using the IKEv2 [RFC4306] Identification Payload. 4.3. Group Security Association Payload The Group Security Association payload is used by the GCKS to assert security attributes for both Re-key and Data-security SAs. Rowles, et al. Expires September 9, 2010 [Page 15] Internet-Draft G-IKEv2 March 2010 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! Next Payload ! RESERVED ! Payload Length ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! GSA Attribute Next Payload ! RESERVED2 ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! The Security Association Payload fields are defined as follows: o Next Payload (1 octet) -- Identifies the next payload for the G-IKEv2 registrationG-IKEv2 registration or the G-IKEv2 rekey message as defined above. The next payload MUST NOT be a GSAK Payload or GSAT Payload type, but the next non-Security Association type payload. o RESERVED (1 octet) -- Must be zero. o Payload Length (2 octets) -- Is the octet length of the current payload including the generic header and all TEK and KEK payloads. o GSA Attribute Next Payload (1 octet) -- Must be either a GSAK Payload or a GSAT Payload or GAP payload. See Section 4.3.1 for a description of which circumstances are required for each payload type to be present. o RESERVED2 (2 octets) -- Must be zero. 4.3.1. Payloads following the GSA Payload Payloads that define specific security association attributes for the KEK and/or TEKs used by the group MUST follow the GSA payload. How many of each payload is dependent upon the group policy. There may be zero or one GSA KEK Payload, zero or more GAP Payloads, and zero or more GSA TEK Payloads, where either one GSA KEK or GSA TEK payload MUST be present. When present, the order of the SA attribute payloads MUST be: KEK, GAP(s), TEK(s). This latitude allows various group policies to be accommodated. For example if the group policy does not require the use of a Re-key SA, the GCKS would not need to send an GSA KEK attribute to the group member since all SA updates would be performed using the Registration SA. Alternatively, group policy might use a Re-key SA but choose to download a KEK to the group member only as part of the Registration SA. Therefore, the KEK policy (in the GSA KEK attribute) would not be necessary as part of the Re-key SA message GSA payload. Specifying multiple GSA TEKs allows multiple sessions to be part of Rowles, et al. Expires September 9, 2010 [Page 16] Internet-Draft G-IKEv2 March 2010 the same group and multiple streams to be associated with a session (e.g., video, audio, and text) but each with individual security association policy. 4.4. KEK Payload The GSA KEK (GSAK) payload contains security attributes for the KEK method for a group and parameters specific to the G-IKEv2 registration operation. The source and destination identities describe the identities used for the G-IKEv2 registration datagram. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! Next Payload ! RESERVED ! Payload Length ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! ! ~ SPI ~ ! ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! ! ~ ~ ! ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! ! ~ ~ ! ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ~ KEK Attributes ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! The GSAK Payload fields are defined as follows: o Next Payload (1 octet) -- Identifies the next payload for the G-IKEv2 registration or the G-IKEv2 rekey message. The only valid next payload types for this message are a GSA TEK Payload or zero to indicate there is no GSA TEK payload. o RESERVED (1 octet) -- Must be zero. o Payload Length (2 octets) -- Length of this payload, including the KEK attributes. o SPI (16 octets) -- Security Parameter Index for the KEK. The SPI must be the IKEv2 Header SPI pair where the first 8 octets become the "Initiator's SPI" field of the G-IKEv2 rekey message IKEv2 HDR, and the second 8 octets become the "Responder's SPI" in the same HDR. As described above, these SPIs are assigned by the Rowles, et al. Expires September 9, 2010 [Page 17] Internet-Draft G-IKEv2 March 2010 GCKS. o Source & Destination Traffic Selectors - Substructures describing the source and destination of the identities. These identities refer to the source and destination of the next KEK rekey SA. Defined format and values are specified by IKEv2 [RFC4306], section 3.13.1. o KEK Attributes -- Contains KEK policy attributes associated with the group. The following sections describe the possible attributes. Any or all attributes may be optional, depending on the group policy. 4.4.1. KEK Attributes The following attributes may be present in a GSA KEK Payload. The attributes must follow the format defined in IKEv2 [RFC4306] section 3.3.5. In the table, attributes that are defined as TV are marked as Basic (B); attributes that are defined as TLV are marked as Variable (V). ID Class Value Type -------- ----- ---- RESERVED 0 KEK_MANAGEMENT_ALGORITHM 1 B KEK_ALGORITHM 2 B KEK_KEY_LENGTH 3 B KEK_KEY_LIFETIME 4 V SIG_HASH_ALGORITHM 5 B SIG_ALGORITHM 6 B SIG_KEY_LENGTH 7 B The following attributes may only be included in a G-IKEv2 registration message: KEK_MANAGEMENT_ALGORITHM. Minimum attributes that must be sent as part of an GSA KEK: KEK_ALGORITHM, KEK_KEY_LENGTH (if the cipher definition includes a variable length key), KEK_KEY_LIFETIME, SIG_HASH_ALGORITHM (except for DSA based algorithms), SIG_ALGORITHM, and SIG_KEY_LENGTH. 4.4.2. KEK_MANAGEMENT_ALGORITHM The KEK_MANAGEMENT_ALGORITHM class specifies the group KEK management algorithm used to provide forward or backward access control (i.e., used to exclude group members). Defined values are specified in the following table. Rowles, et al. Expires September 9, 2010 [Page 18] Internet-Draft G-IKEv2 March 2010 KEK Management Type Value ------------------- ----- RESERVED 0 LKH 1 Standards Action 2-127 Private Use 128-255 4.4.3. KEK_ALGORITHM The KEK_ALGORITHM class specifies the encryption algorithm using with the KEK. Defined values are specified in the following table. Algorithm Type Value -------------- ----- RESERVED 0 KEK_ALG_AES_CBC 1 KEK_ALG_AES_GCM 2 Standards Action 3-127 Private Use 128-255 If a KEK_MANAGEMENT_ALGORITHM is defined which defines multiple keys (e.g., LKH), and if the management algorithm does not specify the algorithm for those keys, then the algorithm defined by the KEK_ALGORITHM attribute MUST be used for all keys which are included as part of the management. 4.4.3.1. KEK_ALG_AES_CBC This algorithm specifies AES as described in [FIPS197]. The mode of operation for AES is Cipher Block Chaining (CBC) as recommended in [SP800-38A]. 4.4.3.2. KEK_ALG_AES_GCM This algorithm specifies AES as described in [FIPS197]. The mode of operation for AES is Galois/Counter Mode (GCM) as recommended in [SP800-38D]. 4.4.4. KEK_KEY_LENGTH The KEK_KEY_LENGTH class specifies the KEK Algorithm key length (in bits). The Group Controller/Key Server (GCKS) adds the KEK_KEY_LEN attribute to the GSA payload when distributing KEK policy to group members. The group member verifies whether or not it has the capability of using a cipher key of that size. If the cipher definition includes a fixed key length, the group member can make its decision solely using Rowles, et al. Expires September 9, 2010 [Page 19] Internet-Draft G-IKEv2 March 2010 KEK_ALGORITHM attribute and does not need the KEK_KEY_LEN attribute. Sending the KEK_KEY_LEN attribute in the GSA payload is OPTIONAL if the KEK cipher has a fixed key length. 4.4.5. KEK_KEY_LIFETIME The KEK_KEY_LIFETIME class specifies the maximum time for which the KEK is valid. The GCKS may refresh the KEK at any time before the end of the valid period. The value is a four (4) octet number defining a valid time period in seconds. 4.4.6. SIG_HASH_ALGORITHM SIG_HASH_ALGORITHM specifies the SIG payload hash algorithm. The following tables define the algorithms for SIG_HASH_ALGORITHM. Algorithm Type Value -------------- ----- RESERVED 0 SIG_HASH_SHA256 1 SIG_HASH_SHA384 2 SIG_HASH_SHA512 3 Standards Action 4-127 Private Use 128-255 4.4.7. SIG_ALGORITHM The SIG_ALGORITHM class specifies the SIG payload signature algorithm. Defined values are specified in the following table. Algorithm Type Value -------------- ----- RESERVED 0 SIG_ALG_RSA 1 SIG_ALG_DSS 2 SIG_ALG_ECDSS 3 SIG_ALG_RSA_PSS 4 Standards Action 5-127 Private Use 128-255 A G-IKEv2 implementation MUST support the following algorithm attribute: SIG_ALG_RSA. 4.4.7.1. SIG_ALG_RSA This algorithm specifies the RSA digital signature algorithm as described in [RSA]. Rowles, et al. Expires September 9, 2010 [Page 20] Internet-Draft G-IKEv2 March 2010 4.4.7.2. SIG_ALG_DSS This algorithm specifies the DSS digital signature algorithm as described in [FIPS186-2]. 4.4.7.3. SIG_ALG_ECDSS This algorithm specifies the Elliptic Curve digital signature algorithm as described in [FIPS186-2]. 4.4.7.4. SIG_ALG_RSA_PSS This algorithm specifies the RSA digital signature algorithm using the EMSA-PSS encoding method, as described in [RFC3447]. 4.4.8. SIG_KEY_LENGTH The SIG_KEY_LENGTH value MUST be a number representing the length of the KEK encryption key in bits. 4.5. GSA TEK Payload The GSA TEK (GSAT) payload contains security attributes for a single TEK associated with a group. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! Next Payload ! RESERVED ! Payload Length ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! Protocol-ID ! TEK Protocol-Specific Payload ~ +-+-+-+-+-+-+-+-+ ~ ~ ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! The GSAT Payload fields are defined as follows: o Next Payload (1 octet) -- Identifies the next payload for the G-IKEv2 registration or the G-IKEv2 rekey message. The only valid next payload types for this message are another GSAT Payload or zero to indicate there are no more security association attributes. o RESERVED (1 octet) -- Must be zero. o Payload Length (2 octets) -- Length of this payload, including the TEK Protocol-Specific Payload. Rowles, et al. Expires September 9, 2010 [Page 21] Internet-Draft G-IKEv2 March 2010 o Protocol-ID (1 octet) -- Value specifying the Security Protocol. The following table defines values for the Security Protocol Protocol ID Value ----------- ----- RESERVED 0 GSA_PROTO_IPSEC_ESP 1 GSA_PROTO_IPSEC_AH 2 Standards Action 3-127 Private Use 128-255 Support for the GSA_PROTO_IPSEC_AH GSA TEK is OPTIONAL. o TEK Protocol-Specific Payload (variable) -- Payload which describes the attributes specific for the Protocol-ID. 4.5.1. TEK Protocol-Specific Payload The TEK Protocol-Specific payload contains of two traffic selectors for source and destination of the protecting traffic, SPI, Transform, and GSA Life Attributes. The TEK Protocol-Specific payload for ESP is as follows: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! SPI ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! | | ~ ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! | | ~ ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! GSA Life Attributes ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! The GSAT Payload fields are defined as follows: Rowles, et al. Expires September 9, 2010 [Page 22] Internet-Draft G-IKEv2 March 2010 o SPI (4 octets) -- Security Parameter Index. o Source & Destination Traffic Selectors - The traffic selectors describe the source and the destination of the protecting traffic. The format and values are defined in IKEv2 [RFC4306], section 3.13.1. o Transform -- A substructure specifies the transform information. The format and values are defined in IKEv2 [RFC4306], section 3.3.2. o GSA Life Attributes -- The GSA Life Attributes are defined as below. The attributes must follow the format defined in IKEv2 [RFC4306], section 3.3.5. Attribute Types Rowles, et al. Expires September 9, 2010 [Page 23] Internet-Draft G-IKEv2 March 2010 class value type ------------------------------------------------- GSA Life Type 1 B GSA Life Duration 2 V Class Values GSA Life Type GSA Duration Specifies the time-to-live for the overall security association. When the GSA expires, all keys downloaded under the association (AH or ESP) must be re-rekeyed. The life type values are: RESERVED 0 seconds 1 kilobytes 2 Values 3-61439 are reserved to IANA and will be allocated using the Standards Action method. Values 61440-65535 are for private use. For a given Life Type, the value of the Life Duration attribute defines the actual length of the component lifetime -- either a number of seconds, or a number of Kbytes that can be protected. If unspecified, the default value shall be assumed to be 28800 seconds (8 hours). An GSA Life Duration attribute MUST always follow an GSA Life Type which describes the units of duration. 4.6. GSA Group Associated Policy Payload [RFC3547] provides for the distribution of policy in the G-IKEv2 registration exchange in an SA payload. Policy can define G-IKEv2 rekey policy (GSA KEK) or traffic encryption policy (GSA TEK) such as IPsec policy. There is a need to distribute group policy that fits into neither category. Some of this policy is generic to the group, and some is sender-specific policy for a particular group member. G-IKEv2 distributes this associated group policy in a new payload called the GSA Group Associated Policy (GSA SAP). The GSA GAP payload follows any GSA KEK payload, and is placed before any GSA TEK payloads. In the case that group policy does not include an GSA KEK, the GSA Attribute Next Payload field in the GSA payload MAY indicate the GSA GAP payload. Rowles, et al. Expires September 9, 2010 [Page 24] Internet-Draft G-IKEv2 March 2010 The GSA GAP payload is defined as follows: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! Next Payload ! RESERVED ! Payload Length ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! Group Associated Policy Attributes ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! The GSA GAP payload fields are defined as follows: o Next Payload (1 octet) -- Identifies the next payload present in the G-IKEv2 registration or the G-IKEv2 rekey message. The only valid next payload type for this message is an GSA TEK or zero to indicate there are no more security association attributes. o RESERVED (1 octet) -- Must be zero. o Payload Length (2 octets) -- Length of this payload, including the GSA GAP header and Attributes. o Group Associated Policy Attributes (variable) -- Contains attributes following the format defined in Section 3.3.5 of [RFC4306]. Several group associated policy attributes are defined below. 4.6.1. Activation Time Delay The Activation Time Delay (ATD) attribute allows the GCKS to specify how long a after the start of a re-key event that a group member is to activate new TEKs. If a group member receives a TEK with an ATD value, but discovers that it has no current SAs matching the policy in the TEK, then it SHOULD create and install SAs from the TEK immediately. 4.6.2. Deactivation_Time_Delay The Deactivation Time Delay (DTD) attribute allows the GCKS to specify how long a after the start of a re-key event that a group member is to deactivate existing TEKs. The value is in seconds. 4.6.3. Sender ID Several new AES counter-based modes of operation have been specified for ESP [RFC3686], [RFC4106], [RFC4309], [RFC4543] and AH [RFC4543]. These AES counter-based modes require that no two senders in the Rowles, et al. Expires September 9, 2010 [Page 25] Internet-Draft G-IKEv2 March 2010 group ever send a packet with the same IV. This requirement can be met using the method described in [I-D.ietf-msec-ipsec-group-counter- modes], which requires each sender to be allocated a unique Sender ID (SID). The SENDER_ID attribute is used to distribute a SID to a group member during the GSA_AUTH exchange messages. Other algorithms with the same need may be defined in the future; the sender MUST use the IV construction method described above with those algorithms as well. The SENDER_ID attribute value contains the following fields. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! SID Length ! SID Value ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! o SID Length (1 octet) -- A natural number defining the number of bits to be used in the SID field of the counter mode transform nonce. o SID Value (variable) -- The Sender ID value allocated to the group member. 4.6.3.1. GCKS semantics The GCKS maintains a SID counter (SIDC). It is incremented each time a SENDER_ID attribute is distributed to a group member. The first group member to register is given the SID of 1. Any group member registering will be given a new SID value, which allows group members to act as a group sender when an older SID value becomes unusable (as described in the next section). A GCKS MAY allocate multiple SID values in one SA SSA payload. Allocating several SID values at the same time to a group member expected to send at a high rate would obviate the need for the group member to re-register as frequently. If a GCKS allocates all SID values, it can no longer respond to G-IKEv2 registrations and must re-initialize the entire group. This is done by issuing DELETE notifications for all ESP and AH SAs in a G-IKEv2 rekey message, resetting the SIDC to zero, and creating new ESP and AH SAs that match the group policy. When group members re-register, the SIDs are allocated again beginning with the value 1 as described above. Each re-registering Rowles, et al. Expires September 9, 2010 [Page 26] Internet-Draft G-IKEv2 March 2010 group member will be given a new SID and the new group policy. The SENDER_ID attribute MUST NOT be sent as part of a GSA_REKEY exchange message, because distributing the same sender-specific policy to more than one group member may reduce the security of the group. 4.6.3.2. GM semantics The SENDER_ID attribute value distributed to the group member MUST be used by that group member as the Sender Identifier (SID) field portion of the IV. The SID is used for all counter mode SAs distributed by the GCKS to be used for communications sent as a part of this group. When the Sender-Specific IV (SSIV) field for any IPsec SA is exhausted, the group member MUST no longer act as a sender using its active SID. The group member SHOULD re-register, during which time the GCKS will issue a new SID to the group member. The new SID replaces the existing SID used by this group member, and also resets the SSIV value to it's starting value. A group member MAY re-register prior to the actual exhaustion of the SSIV field to avoid dropping data packets due to the exhaustion of available SSIV values combined with a particular SID value. A group member MUST NOT process SENDER_ID attribute present in a GSA_REKEY exchange message. 4.7. Key Download Payload The Key Download Payload contains group keys for the group specified in the SA Payload. These key download payloads can have several security attributes applied to them based upon the security policy of the group as defined by the associated SA Payload. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! Next Payload ! RESERVED ! Payload Length ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! Number of Key Packets ! RESERVED2 ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ~ Key Packets ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! The Key Download Payload fields are defined as follows: Rowles, et al. Expires September 9, 2010 [Page 27] Internet-Draft G-IKEv2 March 2010 o Next Payload (1 octet) -- Identifier for the payload type of the next payload in the message. If the current payload is the last in the message, then this field will be zero. o RESERVED (1 octet) -- Unused, set to zero. o Payload Length (2 octets) -- Length in octets of the current payload, including the generic payload header. o Number of Key Packets (2 octets) -- Contains the total number of both TEK and Rekey arrays being passed in this data block. o Key Packets Several types of key packets are defined. Each Key Packet has the following format. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! KD Type ! RESERVED ! KD Length ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! SPI Size ! SPI (variable) ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ~ Key Packet Attributes ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! o Key Download (KD) Type (1 octet) -- Identifier for the Key Data field of this Key Packet. Key Download Type Value ----------------- ----- RESERVED 0 TEK 1 KEK 2 LKH 3 Standards Action 4-127 Private Use 128-255 "KEK" is a single key whereas LKH is an array of key-encrypting keys. o RESERVED (1 octet) -- Unused, set to zero. o Key Download Length (2 octets) -- Length in octets of the Key Packet data, including the Key Packet header. o SPI Size (1 octet) -- Value specifying the length in octets of the SPI as defined by the Protocol-Id. Rowles, et al. Expires September 9, 2010 [Page 28] Internet-Draft G-IKEv2 March 2010 o SPI (variable length) -- Security Parameter Index which matches a SPI previously sent in an GSAK or GSAT Payload. o Key Packet Attributes (variable length) -- Contains Key information. The format of this field is specific to the value of the KD Type field. The following sections describe the format of each KD Type. 4.7.1. TEK Download Type The following attributes may be present in a TEK Download Type. Exactly one attribute matching each type sent in the GSAT payload MUST be present. The attributes must follow the format defined in IKEv2 (Section 3.3.5 of [RFC4306]). In the table, attributes defined as TV are marked as Basic (B); attributes defined as TLV are marked as Variable (V). TEK Class Value Type --------- ----- ---- RESERVED 0 TEK_ALGORITHM_KEY 1 V TEK_INTEGRITY_KEY 2 V TEK_SOURCE_AUTH_KEY 3 V If no TEK key packets are included in a Registration KD payload, the group member can expect to receive the TEK as part of a Re-key SA. At least one TEK must be included in each Re-key KD payload. Multiple TEKs may be included if multiple streams associated with the SA are to be rekeyed. 4.7.1.1. TEK_ALGORITHM_KEY The TEK_ALGORITHM_KEY class declares that the encryption key for this SPI is contained as the Key Packet Attribute. The encryption algorithm that will use this key was specified in the GSAT payload. In the case that the algorithm requires multiple keys, all keys will be included in one attribute. 4.7.1.2. TEK_INTEGRITY_KEY The TEK_INTEGRITY_KEY class declares that the integrity key for this SPI is contained as the Key Packet Attribute. The integrity algorithm that will use this key was specified in the GSAT payload. Thus, G-IKEv2 assumes that both the symmetric encryption and integrity keys are pushed to the mebmber. SHA256 keys will consist of 256 bits. Rowles, et al. Expires September 9, 2010 [Page 29] Internet-Draft G-IKEv2 March 2010 4.7.1.3. TEK_SOURCE_AUTH_KEY The TEK_SOURCE_AUTH_KEY class declares that the source authentication key for this SPI is contained in the Key Packet Attribute. The source authentication algorithm that will use this key was specified in the GSAT payload. 4.7.2. KEK Download Type The following attributes may be present in a KEK Download Type. Exactly one attribute matching each type sent in the GSAK payload MUST be present. The attributes must follow the format defined in IKEv2 (Section 3.3.5 of [RFC4306]). In the table, attributes defined as TV are marked as Basic (B); attributes defined as TLV are marked as Variable (V). KEK Class Value Type --------- ----- ---- RESERVED 0 KEK_ALGORITHM_KEY 1 V SIG_ALGORITHM_KEY 2 V If the KEK key packet is included, there MUST be only one present in the KD payload. 4.7.2.1. KEK_ALGORITHM_KEY The KEK_ALGORITHM_KEY class declares the encryption key for this SPI is contained in the Key Packet Attribute. The encryption algorithm that will use this key was specified in the GSAK payload. If the mode of operation for the algorithm requires an Initialization Vector (IV), an explicit IV MUST be included in the KEK_ALGORITHM_KEY before the actual key. 4.7.2.2. SIG_ALGORITHM_KEY The SIG_ALGORITHM_KEY class declares that the public key for this SPI is contained in the Key Packet Attribute, which may be useful when no public key infrastructure is available. The signature algorithm that will use this key was specified in the GSAK payload. 4.7.3. LKH Download Type The LKH key packet is comprised of attributes representing different leaves in the LKH key tree. The following attributes are used to pass an LKH KEK array in the KD Rowles, et al. Expires September 9, 2010 [Page 30] Internet-Draft G-IKEv2 March 2010 payload. The attributes must follow the format defined in IKEv2 (Section 3.3.5 of [RFC4306]). In the table, attributes defined as TV are marked as Basic (B); attributes defined as TLV are marked as Variable (V). KEK Class Value Type --------- ----- ---- RESERVED 0 LKH_DOWNLOAD_ARRAY 1 V LKH_UPDATE_ARRAY 2 V SIG_ALGORITHM_KEY 3 V Standards Action 4-127 Private Use 128-255 If an LKH key packet is included in the KD payload, there must be only one present. 4.7.3.1. LKH_DOWNLOAD_ARRAY This attribute is used to download a set of keys to a group member. It MUST NOT be included in a IKEv2 rekey message KD payload if the IKEv2 rekey is sent to more than the group member. If an LKH_DOWNLOAD_ARRAY attribute is included in a KD payload, there must be only one present. This attribute consists of a header block, followed by one or more LKH keys. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! LKH Version ! # of LKH Keys ! RESERVED ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! LKH Keys ! ~ ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ The KEK_LKH attribute fields are defined as follows: o LKH version (1 octet) -- Contains the version of the LKH protocol which the data is formatted in. Must be one. o Number of LKH Keys (2 octets) -- This value is the number of distinct LKH keys in this sequence. o RESERVED (1 octet) -- Unused, set to zero. Each LKH Key is defined as follows: Rowles, et al. Expires September 9, 2010 [Page 31] Internet-Draft G-IKEv2 March 2010 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! LKH ID ! Key Type ! RESERVED ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~ Key Creation Date ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~ Key expiration Date ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~ Key Handle ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! ! ~ Key Data ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ o LKH ID (2 octets) -- This is the position of this key in the binary tree structure used by LKH. o Key Type (1 octet) -- This is the encryption algorithm for which this key data is to be used. This value is specified in Section 4.4.3. o RESERVED (1 octet) -- Unused, set to zero. o Key Creation Date (4 octets) -- This is the time value of when this key data was originally generated. A time value of zero indicates that there is no time before which this key is not valid. o Key Expiration Date (4 octets) -- This is the time value of when this key is no longer valid for use. A time value of zero indicates that this key does not have an expiration time. o Key Handle (4 octets) -- This is the randomly generated value to uniquely identify a key within an LKH ID. o Key Data (variable length) -- This is the actual encryption key data, which is dependent on the Key Type algorithm for its format. If the mode of operation for the algorithm requires an Initialization Vector (IV), an explicit IV MUST be included in the Key Data field before the actual key. The Key Creation Date and Key expiration Dates MAY be zero. This is necessary in the case where time synchronization within the group is not possible. The first LKH Key structure in an LKH_DOWNLOAD_ARRAY attribute contains the Leaf identifier and key for the group member. The rest Rowles, et al. Expires September 9, 2010 [Page 32] Internet-Draft G-IKEv2 March 2010 of the LKH Key structures contain keys along the path of the key tree in order from the leaf, culminating in the group KEK. 4.7.3.2. LKH_UPDATE_ARRAY This attribute is used to update the keys for a group. It is most likely to be included in a G-IKEv2 rekey message KD payload to rekey the entire group. This attribute consists of a header block, followed by one or more LKH keys, as defined in Section 4.7.3.1. There may be any number of UPDATE_ARRAY attributes included in a KD payload. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! LKH Version ! # of LKH Keys ! RESERVED ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! LKH ID ! RESERVED2 ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! Key Handle ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! LKH Keys ! ~ ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ o LKH version (1 octet) -- Contains the version of the LKH protocol which the data is formatted in. Must be one. o Number of LKH Keys (2 octets) -- This value is the number of distinct LKH keys in this sequence. o RESERVED (1 octet) -- Unused, set to zero. o LKH ID (2 octets) -- This is the node identifier associated with the key used to encrypt the first LKH Key. o RESERVED2 (2 octets) -- Unused, set to zero. o Key Handle (4 octets) -- This is the value to uniquely identify the key within the LKH ID which was used to encrypt the first LKH key. The LKH Keys are as defined in Section 4.7.3.1. The LKH Key structures contain keys along the path of the key tree in order from the LKH ID found in the LKH_UPDATE_ARRAY header, culminating in the group KEK. The Key Data field of each LKH Key is encrypted with the LKH key preceding it in the LKH_UPDATE_ARRAY attribute. The first Rowles, et al. Expires September 9, 2010 [Page 33] Internet-Draft G-IKEv2 March 2010 LKH Key is encrypted under the key defined by the LKH ID and Key Handle found in the LKH_UPDATE_ARRAY header. 4.7.3.3. SIG_ALGORITHM_KEY The SIG_ALGORITHM_KEY class declares that the public key for this SPI is contained in the Key Packet Attribute, which may be useful when no public key infrastructure is available. The signature algorithm that will use this key was specified in the GSAK payload. 4.8. Sequence Number Payload The Sequence Number Payload (SEQ) provides an anti-replay protection for GSA rekey messages. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! Next Payload ! RESERVED ! Payload Length ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! Sequence Number ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ o Next Payload (1 octet) -- Identifier for the payload type of the next payload in the message. If the current payload is the last in the message, then this field will be zero. o RESERVED (1 octet) -- Unused, set to zero. o Payload Length (2 octets) -- Length in octets of the current payload, including the generic payload header. o Sequence Number (4 octets) -- The sequence number of the rekey message. 4.9. Delete Payload There are occasions the GCKS may want to signal to receivers to delete policy at the end of a broadcast, or if policy has changed. Deletion of keys MAY be accomplished by sending an IKEv2 Delete Payload, section 3.11 of [RFC4306] as part of the G-IKEv2 Rekey Exchange. One or more Delete payloads MAY be placed following the HDR payload in the G-IKEv2 Rekey Exchange. The Protocol-ID field contains TEK protocol id values. In order to delete a KEK SA, the value of zero MUST be used as the protocol id. Rowles, et al. Expires September 9, 2010 [Page 34] Internet-Draft G-IKEv2 March 2010 Note that only one protocol id value can be defined in a Delete payload. If a TEK and a KEK SA must be deleted, they must be sent in different Delete payloads. 4.10. Notify Payload G-IKEv2 uses the same notify payload as specified in [RFC4306], section 3.10. There are additional notify message types introduced by G-IKEv2 to commununicate error conditions and status. NOTIFY MESSAGES - ERROR TYPES Value ------------------------------------------------------------------- INVALID_GROUP_ID - TBD Indicates the group id sent during registration process is invalid. AUTHORIZATION_FAILED - TBD Sent in the response to GSA_AUTH message when authorization failed. 4.11. Signature Payload The Signature Payload contains data generated by the digital signature function (selected during the SA establishment exchange), over some part of the rekey message. This payload is used to verify the integrity of the data in the GCKS rekey message, and may be of use for non-repudiation services. Below shows the format of the Signature Payload. 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! Next Payload ! RESERVED ! Payload Length ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! ! ~ Signature Data ~ ! ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ The Signature Payload fields are defined as follows: o Next Payload (1 octet) - Identifier for the payload type of the next payload in the message. If the current payload is the last in the message, then this field will be 0. o RESERVED (1 octet) - Unused, set to 0. Rowles, et al. Expires September 9, 2010 [Page 35] Internet-Draft G-IKEv2 March 2010 o Payload Length (2 octets) - Length in octets of the current payload, including the generic payload header. o Signature Data (variable length) - Data that results from applying the digital signature function to the GCKS rekey message. Rowles, et al. Expires September 9, 2010 [Page 36] Internet-Draft G-IKEv2 March 2010 5. Security Considerations 5.1. GSA registration and secure channel G-IKEv2 registration exchange uses IKEv2 IKE_SA_INIT and IKE_AUTH inheriting all the security considerations documented in [RFC4306] section 5 Security Considerations, including authentication, confidentiality, protection against man-in-the middle, protection against replay/reflection attacks, and denial of service protection. In addition, G-IKEv2 brings in the capability to authorize a particular group member regardless of whether they have the IKEv2 credentials. 5.2. GSA maintenance channel The GSA maintenance channel is cryptographically and integrity protected using the cryptographic algorithm and key negotiagated in the GSA member registration exchanged. 5.2.1. Authentication/Authorization Authentication is implicit, the public key of the identity is distributed during the registration, and the receiver of the rekey message uses that public key and identity to verify the message is come from the authorized GCKS. 5.2.2. Confidentiality Confidentiality is provided by distributing a confidentiality key as part of the GSA member registration exchange. 5.2.3. Man-in-the-Middle Attack Protection GSA maintenance channel is integrity protected by using digital signature. 5.2.4. Replay/Reflection Attack Protection The GSA rekey message includes a monotonically increasing sequence number to protect against replay and reflection attacks. A group member will recognize a replayed message by comparing the sequence number to that of the last received rekey message, any rekey message contains sequence number less than or equal to the last received value SHOULD be discarded. Implementations SHOULD keep a record of recently received GSA rekey messages for this comparsion. Rowles, et al. Expires September 9, 2010 [Page 37] Internet-Draft G-IKEv2 March 2010 6. IANA Considerations 6.1. New registries A new set of registries are created for this draft. KEK Attributes Registry, see Section 4.4.1 KEK Management Algorithm Registry, see Section 4.4.2 KEK Algorithm Registry, see Section 4.4.3 SIG Hash Algorithm Registry, see Section 4.4.6 SIG Algorithm Registry, see Section 4.4.7 GSA TEK Payload Protocol ID Type Registry, see Section 4.5 GSA Life Attributes Registry, see Section 4.5 Key Download Type Registry, see Section 4.7 TEK Download Type Registry, see Section 4.7.1 KEK Download Type Registry, see Section 4.7.2 LKH Download Type Registry, see Section 4.7.3 6.2. New payload and exchange types to existing IKEv2 registry The present document describes new IKEv2 Next Payload types, see Section 4.1 The present document describes new IKEv2 Exchanges types, see Section 4.1 The present document describes new IKEv2 Notify Payload types, see Section 4.10 6.3. Payload Types The present document defines new ISAKMP Next Payload types. See Section 5.0 for the payloads defined in this document, including the Next Payload values defined by the IANA to identify these payloads. Rowles, et al. Expires September 9, 2010 [Page 38] Internet-Draft G-IKEv2 March 2010 6.4. New Name spaces The present document describes many new name spaces for use in the GDOI payloads. Those may be found in subsections under Section 5.0. A new GDOI registry has been created for these name spaces. Portions of name spaces marked "RESERVED" are reserved for IANA allocation. New values MUST be added due to a Standards Action as defined in [RFC2434]. Portions of name spaces marked "Private Use" may be allocated by implementations for their own purposes. Rowles, et al. Expires September 9, 2010 [Page 39] Internet-Draft G-IKEv2 March 2010 7. Acknowledgements The authors thank Lakshminath Dondeti and Jing Xiang for originating the GKDP document and providing the basis behind the protocol. The authors also thank reviewers: Brian Weis, Kavitha Kamarthy, Lewis Chen, Cheryl Madson, and Raghunandan P. Rowles, et al. Expires September 9, 2010 [Page 40] Internet-Draft G-IKEv2 March 2010 8. References 8.1. Normative References [FIPS186-2] "Digital Signature Standard (DSS)", United States of America, National Institute of Science and Technology Federal Information Processing Standard (FIPS) 186-2, January 2001. [FIPS197] "Advanced Encryption Standard (AES)", United States of America, National Institute of Science and Technology Federal Information Processing Standard (FIPS) 197, November 2001. [RSA] TRSA Laboratories, "PKCS #1 v2.0: RSA Encryption Standard", 1998. [SP800-38A] Dworkin, M., "Recommendation for Block Cipher Modes of Operation", United States of America, National Institute of Science and Technology NIST Special Publication 800-38A 2001 Edition, December 2001. [SP800-38D] Dworkin, M., "Recommendation for Block Cipher Modes of Operation", United States of America, National Institute of Science and Technology NIST Special Publication 800-38D 2007 Edition, December 2001. 8.2. Informative References [IKE-HASH] Kivienen, T., "Fixing IKE Phase 1 & 2 Authentication HASHs", November 2001, . [RFC2407] Piper, D., "The Internet IP Security Domain of Interpretation for ISAKMP", RFC 2407, November 1998. [RFC2408] Maughan, D., Schneider, M., and M. Schertler, "Internet Security Association and Key Management Protocol (ISAKMP)", RFC 2408, November 1998. [RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange (IKE)", RFC 2409, November 1998. [RFC2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an Rowles, et al. Expires September 9, 2010 [Page 41] Internet-Draft G-IKEv2 March 2010 IANA Considerations Section in RFCs", BCP 26, RFC 2434, October 1998. [RFC2627] Wallner, D., Harder, E., and R. Agee, "Key Management for Multicast: Issues and Architectures", RFC 2627, June 1999. [RFC3547] Baugher, M., Weis, B., Hardjono, T., and H. Harney, "The Group Domain of Interpretation", RFC 3547, July 2003. [RFC3686] Housley, R., "Using Advanced Encryption Standard (AES) Counter Mode With IPsec Encapsulating Security Payload (ESP)", RFC 3686, January 2004. [RFC4046] Baugher, M., Canetti, R., Dondeti, L., and F. Lindholm, "Multicast Security (MSEC) Group Key Management Architecture", RFC 4046, April 2005. [RFC4106] Viega, J. and D. McGrew, "The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP)", RFC 4106, June 2005. [RFC4306] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol", RFC 4306, December 2005. [RFC4309] Housley, R., "Using Advanced Encryption Standard (AES) CCM Mode with IPsec Encapsulating Security Payload (ESP)", RFC 4309, December 2005. [RFC4430] Sakane, S., Kamada, K., Thomas, M., and J. Vilhuber, "Kerberized Internet Negotiation of Keys (KINK)", RFC 4430, March 2006. [RFC4543] McGrew, D. and J. Viega, "The Use of Galois Message Authentication Code (GMAC) in IPsec ESP and AH", RFC 4543, May 2006. Rowles, et al. Expires September 9, 2010 [Page 42] Internet-Draft G-IKEv2 March 2010 Appendix A. Differences between G-IKEv2 and RFC 3547 POP/CERT - The Proof of Possession and associated Certificate payloads are no longer needed since the GCKS authorization capability adequately provides the authorization. KE Payload - The KE payload is no longer needed with the availability of newer algorithms such as AES and GCM which provide adequate protection therefore not needing the PFS capability the KE payload offers. DOI/Situation - The DOI and Situation fields in the SA payload are no longer needed in the G-IKEv2 protocol as port 848 will distinguish the IKEv2 messages from the G-IKEv2 messages. Rowles, et al. Expires September 9, 2010 [Page 43] Internet-Draft G-IKEv2 March 2010 Authors' Addresses Sheela Rowles Cisco Systems 170 W. Tasman Drive San Jose, California 95134-1706 USA Phone: +1-408-527-7677 Email: sheela@cisco.com Aldous Yeung (editor) Cisco Systems 170 W. Tasman Drive San Jose, California 95134-1706 USA Phone: +1-408-853-2032 Email: cyyeung@cisco.com Paulina Tran Cisco Systems 170 W. Tasman Drive San Jose, California 95134-1706 USA Phone: +1-408-526-8902 Email: ptran@cisco.com Rowles, et al. Expires September 9, 2010 [Page 44]