rfc9838v1.txt   rfc9838.txt 
Internet Engineering Task Force (IETF) V. Smyslov Internet Engineering Task Force (IETF) V. Smyslov
Request for Comments: 9838 ELVIS-PLUS Request for Comments: 9838 ELVIS-PLUS
Obsoletes: 6407 B. Weis Obsoletes: 6407 B. Weis
Category: Standards Track Independent Category: Standards Track Independent
ISSN: 2070-1721 September 2025 ISSN: 2070-1721 October 2025
Group Key Management Using the Internet Key Exchange Protocol Version 2 Group Key Management Using the Internet Key Exchange Protocol Version 2
(IKEv2) (IKEv2)
Abstract Abstract
This document presents an extension to the Internet Key Exchange This document presents an extension to the Internet Key Exchange
Protocol Version 2 (IKEv2) for the purpose of group key management. Protocol Version 2 (IKEv2) for the purpose of group key management.
The protocol is in conformance with the Multicast Security (MSEC) key The protocol is in conformance with the Multicast Security (MSEC)
management architecture, which contains two components: member Group Key Management architecture, which contains two components:
registration and group rekeying. Both components are required for a member registration and group rekeying. Both components are required
Group Controller/Key Server (GCKS) to provide authorized Group for a Group Controller/Key Server (GCKS) to provide authorized Group
Members (GMs) with IPsec Group Security Associations (GSAs). The Members (GMs) with IPsec Group Security Associations (GSAs). The GMs
group members then exchange IP multicast or other group traffic as then exchange IP multicast or other group traffic as IPsec packets.
IPsec packets.
This document obsoletes RFC 6407. This document obsoletes RFC 6407.
Status of This Memo Status of This Memo
This is an Internet Standards Track document. This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has (IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the received public review and has been approved for publication by the
skipping to change at line 116 skipping to change at line 115
6. Interaction with IKEv2 and ESP Extensions 6. Interaction with IKEv2 and ESP Extensions
6.1. Implicit IV for Counter-Based Ciphers in ESP 6.1. Implicit IV for Counter-Based Ciphers in ESP
6.2. Mixing Preshared Keys in IKEv2 for Post-Quantum Security 6.2. Mixing Preshared Keys in IKEv2 for Post-Quantum Security
6.3. Aggregation and Fragmentation Mode for ESP 6.3. Aggregation and Fragmentation Mode for ESP
7. GDOI Protocol Extensions 7. GDOI Protocol Extensions
8. Security Considerations 8. Security Considerations
8.1. GSA Registration and Secure Channel 8.1. GSA Registration and Secure Channel
8.2. GSA Maintenance Channel 8.2. GSA Maintenance Channel
8.2.1. Authentication/Authorization 8.2.1. Authentication/Authorization
8.2.2. Confidentiality 8.2.2. Confidentiality
8.2.3. Man-in-the-Middle Attack Protection 8.2.3. On-Path Attack Protection
8.2.4. Replay/Reflection Attack Protection 8.2.4. Replay/Reflection Attack Protection
9. IANA Considerations 9. IANA Considerations
9.1. New Registries 9.1. New Registries
9.1.1. Guidance for Designated Experts 9.1.1. Guidance for Designated Experts
9.2. Changes in the Existing IKEv2 Registries 9.2. Changes in the Existing IKEv2 Registries
10. References 10. References
10.1. Normative References 10.1. Normative References
10.2. Informative References 10.2. Informative References
Appendix A. Use of LKH in G-IKEv2 Appendix A. Use of LKH in G-IKEv2
A.1. Notation A.1. Notation
A.2. Group Creation A.2. Group Creation
A.3. Simple Group SA Rekey A.3. Simple Group SA Rekey
A.4. Group Member Exclusion A.4. Group Member Exclusion
Acknowledgements Acknowledgements
Contributors Contributors
Authors' Addresses Authors' Addresses
1. Introduction and Overview 1. Introduction and Overview
This document presents an extension to IKEv2 [RFC7296] called This document presents an extension to IKEv2 [RFC7296] called
G-IKEv2, which allows performing group key management. A group key G-IKEv2, which accommodates group key management. A group key
management protocol provides IPsec keys and policy to a set of IPsec management protocol provides IPsec keys and policy to a set of IPsec
devices that are authorized to communicate using a Group Security devices that are authorized to communicate using a Group Security
Association (GSA) defined in Multicast Group Security Architecture Association (GSA) defined in Multicast Group Security Architecture
[RFC3740]. The data communications within the group (e.g., IP [RFC3740]. The data communications within the group (e.g., IP
multicast packets) are protected by a key pushed to the Group Members multicast packets) are protected by a key pushed to the Group Members
(GMs) by the Group Controller/Key Server (GCKS). (GMs) by the Group Controller/Key Server (GCKS).
G-IKEv2 conforms to "The Multicast Group Security Architecture" G-IKEv2 conforms to "The Multicast Group Security Architecture"
[RFC3740], "Multicast Extensions to the Security Architecture for the [RFC3740], "Multicast Extensions to the Security Architecture for the
Internet Protocol" [RFC5374], and "Multicast Security (MSEC) Group Internet Protocol" [RFC5374], and "Multicast Security (MSEC) Group
skipping to change at line 178 skipping to change at line 177
GCKS. During this exchange, the GCKS authenticates and authorizes GCKS. During this exchange, the GCKS authenticates and authorizes
the GM and then pushes policy and keys used by the group to the GM. the GM and then pushes policy and keys used by the group to the GM.
The second new exchange type is the GSA_REGISTRATION exchange The second new exchange type is the GSA_REGISTRATION exchange
(Section 2.3.2), which can be used by the GM within the already- (Section 2.3.2), which can be used by the GM within the already-
established IKE SA with the GCKS (e.g., for registering to another established IKE SA with the GCKS (e.g., for registering to another
group). group).
Refreshing the group keys can be performed either in a unicast mode Refreshing the group keys can be performed either in a unicast mode
via the GSA_INBAND_REKEY exchange (Section 2.4.2) performed over a via the GSA_INBAND_REKEY exchange (Section 2.4.2) performed over a
specific IKE SA between a GM and a GCKS or in a multicast mode with specific IKE SA between a GM and a GCKS or in a multicast mode with
the GSA_REKEY pseudo exchange (Section 2.4.1) when new keys are being the GSA_REKEY pseudo-exchange (Section 2.4.1) when new keys are being
distributed to all GMs. distributed to all GMs.
Large and small groups may use different sets of these mechanisms. Large and small groups may use different sets of these mechanisms.
When a large group of devices are communicating, the GCKS is likely When a large group of devices are communicating, the GCKS is likely
to use the GSA_REKEY message for efficiency. This is shown in to use the GSA_REKEY message for efficiency. This is shown in
Figure 1, where multicast communications are indicated with a double Figure 1, where multicast communications are indicated with a double
line. (Note: For clarity, IKE_SA_INIT is omitted from Figures 1 and line.
2.)
| Note: For clarity, IKE_SA_INIT is omitted from Figures 1 and 2.
+--------+ +--------+
+----IKEv2---->| GCKS |<----IKEv2----+ +----IKEv2---->| GCKS |<----IKEv2----+
| +--------+ | | +--------+ |
| || ^ | | || ^ |
| || | | | || | |
| || GSA_AUTH | | || GSA_AUTH |
| || or | | || or |
| || GSA_REGISTRATION | | || GSA_REGISTRATION |
| || | | | || | |
skipping to change at line 238 skipping to change at line 238
| GCKS/GM | | GM | | GM | | GM | | GCKS/GM | | GM | | GM | | GM |
+---------+ +----+ +----+ +----+ +---------+ +----+ +----+ +----+
|| || || || || || || ||
*==ESP/AH==**=====ESP/AH====**===ESP/AH===* *==ESP/AH==**=====ESP/AH====**===ESP/AH===*
Figure 2: G-IKEv2 Used in Small Groups Figure 2: G-IKEv2 Used in Small Groups
A combination of these approaches is also possible. For example, the A combination of these approaches is also possible. For example, the
GCKS may use more robust GSA_INBAND_REKEY to provide keys for some GCKS may use more robust GSA_INBAND_REKEY to provide keys for some
GMs (for example, those acting as senders in the group) and GSA_REKEY GMs (for example, those acting as senders in the group) and GSA_REKEY
for the rest. Also note that GCKS may be a GM (as shown in for the rest.
Figure 2).
| Note: GCKS may also be a GM (as shown in Figure 2).
IKEv2 message semantics are preserved in that all communications IKEv2 message semantics are preserved in that all communications
consist of message request-response pairs. The exception to this consist of message request-response pairs. The exception to this
rule is the GSA_REKEY pseudo-exchange, which is a single message rule is the GSA_REKEY pseudo-exchange, which is a single message
delivering group updates to the GMs. delivering group updates to the GMs.
1.1. Requirements Notation 1.1. Requirements Notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
skipping to change at line 270 skipping to change at line 271
for describing G-IKEv2 payloads and exchanges. for describing G-IKEv2 payloads and exchanges.
The following key terms are used throughout this document (mostly The following key terms are used throughout this document (mostly
borrowed from [RFC3740], [RFC5374], and [RFC6407]). borrowed from [RFC3740], [RFC5374], and [RFC6407]).
Group: Group:
A set of IPsec devices that communicate to each other using A set of IPsec devices that communicate to each other using
multicast. multicast.
Group Member (GM): Group Member (GM):
An IPsec device that belongs to a group. A Group Member is An IPsec device that belongs to a group. A GM is authorized to be
authorized to be a Group Sender and/or a Group Receiver. a group sender and/or a group receiver.
Group Receiver: Group Receiver:
A Group Member that is authorized to receive packets sent to a A GM that is authorized to receive packets sent to a group by a
group by a Group Sender. group sender.
Group Sender: Group Sender:
A Group Member that is authorized to send packets to a group. A GM that is authorized to send packets to a group.
Group Key Management (GKM) Protocol: Group Key Management (GKM) Protocol:
A key management protocol used by a GCKS to distribute IPsec A key management protocol used by a GCKS to distribute IPsec
Security Association policy and keying material. A GKM protocol Security Association policy and keying material. A GKM protocol
is needed because a group of IPsec devices require the same SAs. is needed because a group of IPsec devices require the same SAs.
For example, when an IPsec SA describes an IP multicast For example, when an IPsec SA describes an IP multicast
destination, the sender and all receivers need to have the group destination, the sender and all receivers need to have the group
SA. SA.
Group Controller/Key Server (GCKS): Group Controller/Key Server (GCKS):
A Group Key Management (GKM) protocol server that manages IPsec A Group Key Management (GKM) protocol server that manages IPsec
state for a group. A GCKS authenticates and provides the IPsec SA state for a group. A GCKS authenticates and provides the IPsec SA
policy and keying material to GMs. policy and keying material to GMs.
Data-Security SA: Data-Security SA:
A multicast SA between each multicast sender and the group's A multicast SA between each multicast sender and the group's
receivers. The Data-Security SA protects data between member receivers. The Data-Security SA protects data between member
senders and member receivers. One or more SAs are required for senders and member receivers. One or more SAs are required for
the multicast transmission of data messages from the Group Sender the multicast transmission of data messages from the group sender
to other group members. This specification relies on to other GMs. This specification relies on Encapsulating Security
Encapsulating Security Payload (ESP) and Authentication Header Payload (ESP) and Authentication Header (AH) as protocols for
(AH) as protocols for Data-Security SAs. Data-Security SAs.
Rekey SA: Rekey SA:
A single multicast SA between the GCKS and all of the group A single multicast SA between the GCKS and all of the GMs. This
members. This SA is used for multicast transmission of key SA is used for multicast transmission of key management messages
management messages from the GCKS to all GMs. from the GCKS to all GMs.
Group SA:
A Data-Security SA or Rekey SA that is shared as part of group
policy.
Group Security Association (GSA): Group Security Association (GSA):
A collection of Data-Security SAs and Rekey SAs necessary for a A collection of Data-Security SAs and Rekey SAs necessary for a GM
Group Member to receive key updates. A GSA describes the working to receive key updates. A GSA describes the working policy for a
policy for a group. Refer to the MSEC Group Key Management group. Refer to the MSEC Group Key Management Architecture
Architecture [RFC4046] for additional information. [RFC4046] for additional information.
Traffic Encryption Key (TEK): Traffic Encryption Key (TEK):
The symmetric cipher key used in a Data-Security SA (e.g., IPsec The symmetric cipher key used in a Data-Security SA (e.g., IPsec
ESP) to protect traffic. ESP) to protect traffic.
Key Encryption Key (KEK): Key Encryption Key (KEK):
The symmetric key (or a set of keys) used in a Rekey SA to protect The symmetric key (or a set of keys) used in a Rekey SA to protect
its messages. The set of keys may include keys for encryption and its messages. The set of keys may include keys for encryption and
authentication, as well as keys for key wrapping. authentication, as well as keys for key wrapping.
Key Wrap Key (KWK): Key Wrap Key (KWK):
The symmetric cipher key used to protect another key. The symmetric cipher key used to protect another key.
Group-wide (GW) policy: Group-Wide (GW) policy:
Group policy not related to a particular SA. Group policy not related to a particular SA.
Activation Time Delay (ATD): Activation Time Delay (ATD):
Defines how long Group Senders should wait after receiving new SAs Defines how long group senders should wait after receiving new SAs
before sending traffic over them. before sending traffic over them.
Deactivation Time Delay (DTD): Deactivation Time Delay (DTD):
Defines how long Group Members should wait after receiving a Defines how long GMs should wait after receiving a request to
request to delete Data-Security SAs before actually deleting them. delete Data-Security SAs before actually deleting them.
Sender-ID: Sender-ID:
A unique identifier of a Group Sender in the context of an active A unique identifier of a group sender in the context of an active
GSA used to form the Initialization Vector (IV) in counter-based GSA used to form the Initialization Vector (IV) in counter-based
cipher modes. cipher modes.
Logical Key Hierarchy (LKH): Logical Key Hierarchy (LKH):
A group management method defined in Section 5.4 of [RFC2627]. A group management method defined in Section 5.4 of [RFC2627].
2. G-IKEv2 Protocol 2. G-IKEv2 Protocol
G-IKEv2 is an extension to the IKEv2 protocol [RFC7296] that provides G-IKEv2 is an extension to the IKEv2 protocol [RFC7296] that provides
group authorization, secure policy, and keys download from the GCKS group authorization, secure policy, and keys download from the GCKS
skipping to change at line 363 skipping to change at line 368
Section 6 for details). In particular, it is assumed that, if Section 6 for details). In particular, it is assumed that, if
necessary, the IKE_INTERMEDIATE exchanges [RFC9242] may be utilized necessary, the IKE_INTERMEDIATE exchanges [RFC9242] may be utilized
while establishing the registration SA. It is also believed that while establishing the registration SA. It is also believed that
future IKEv2 extensions will be possible to use with G-IKEv2. future IKEv2 extensions will be possible to use with G-IKEv2.
However, some IKEv2 extensions may require special handling when used However, some IKEv2 extensions may require special handling when used
with G-IKEv2. with G-IKEv2.
2.1.1. G-IKEv2 Transport and Port 2.1.1. G-IKEv2 Transport and Port
As an IKEv2 extension, G-IKEv2 SHOULD use the IKEv2 ports (500, As an IKEv2 extension, G-IKEv2 SHOULD use the IKEv2 ports (500,
4500). G-IKEv2 MAY also use TCP transport for registration (unicast) 4500). G-IKEv2 MAY use TCP transport for the IKE SA used for
IKE SA, as defined in TCP Encapsulation of IKEv2 and IPsec [RFC9329]. registration (which is unicast), as defined in TCP Encapsulation of
G-IKEv2 MAY also use UDP port 848, the same as Group Domain of IKEv2 and IPsec [RFC9329]. G-IKEv2 MAY also use UDP port 848, the
Interpretation (GDOI) [RFC6407], because they serve a similar same as Group Domain of Interpretation (GDOI) [RFC6407], because they
function. The version number in the IKE header distinguishes the serve a similar function. The version number in the IKE header
G-IKEv2 protocol from the GDOI protocol [RFC6407]. distinguishes the G-IKEv2 protocol from the GDOI protocol [RFC6407].
Section 2.23 of [RFC7296] describes how IKEv2 supports paths with Section 2.23 of [RFC7296] describes how IKEv2 supports paths with
NATs. The G-IKEv2 registration SA doesn't create any unicast IPsec NATs. The G-IKEv2 registration SA doesn't create any unicast IPsec
SAs; thus, if a NAT is present between the GM and the GCKS, there is SAs; thus, if a NAT is present between the GM and the GCKS, there is
no unicast ESP traffic to encapsulate in UDP. However, the actions no unicast ESP traffic to encapsulate in UDP. However, the actions
described in this section regarding the IKE SA MUST be honored. The described in this section regarding the IKE SA MUST be honored. The
behavior of GMs and GCKS MUST NOT depend on the port used to create behavior of GMs and GCKS MUST NOT depend on the port used to create
the initial IKE SA. For example, if the GM and the GCKS used UDP the initial IKE SA. For example, if the GM and the GCKS used UDP
port 848 for the IKE_SA_INIT exchange, they will operate the same as port 848 for the IKE_SA_INIT exchange, they will operate the same as
if they had used UDP port 500. if they had used UDP port 500.
2.2. G-IKEv2 Payloads 2.2. G-IKEv2 Payloads
In the following descriptions, the payloads contained in the G-IKEv2 In the following descriptions, the payloads contained in the G-IKEv2
messages are indicated by names as listed below. messages are indicated by names as listed below.
+==========+============================+=============+ +==========+=============================+=============+
| Notation | Payload | Defined in | | Notation | Payload | Defined in |
+==========+============================+=============+ +==========+=============================+=============+
| AUTH | Authentication | [RFC7296] | | AUTH | Authentication | [RFC7296] |
+----------+----------------------------+-------------+ +----------+-----------------------------+-------------+
| CERT | Certificate | [RFC7296] | | CERT | Certificate | [RFC7296] |
+----------+----------------------------+-------------+ +----------+-----------------------------+-------------+
| CERTREQ | Certificate Request | [RFC7296] | | CERTREQ | Certificate Request | [RFC7296] |
+----------+----------------------------+-------------+ +----------+-----------------------------+-------------+
| D | Delete | [RFC7296] | | D | Delete | [RFC7296] |
+----------+----------------------------+-------------+ +----------+-----------------------------+-------------+
| GSA | Group Security Association | Section 4.4 | | GSA | Group Security Association | Section 4.4 |
+----------+----------------------------+-------------+ +----------+-----------------------------+-------------+
| HDR | IKEv2 Header | [RFC7296] | | HDR | IKE header (not a payload) | [RFC7296] |
+----------+----------------------------+-------------+ +----------+-----------------------------+-------------+
| IDg | Identification - Group | Section 4.2 | | IDg | Group Identification | Section 4.2 |
+----------+----------------------------+-------------+ +----------+-----------------------------+-------------+
| IDi | Identification - Initiator | [RFC7296] | | IDi | Identification - Initiator | [RFC7296] |
+----------+----------------------------+-------------+ +----------+-----------------------------+-------------+
| IDr | Identification - Responder | [RFC7296] | | IDr | Identification - Responder | [RFC7296] |
+----------+----------------------------+-------------+ +----------+-----------------------------+-------------+
| KD | Key Download | Section 4.5 | | KD | Key Download | Section 4.5 |
+----------+----------------------------+-------------+ +----------+-----------------------------+-------------+
| KE | Key Exchange | [RFC7296] | | KE | Key Exchange | [RFC7296] |
+----------+----------------------------+-------------+ +----------+-----------------------------+-------------+
| Ni, Nr | Nonce | [RFC7296] | | Ni, Nr | Nonce | [RFC7296] |
+----------+----------------------------+-------------+ +----------+-----------------------------+-------------+
| N | Notify | [RFC7296] | | N | Notify | [RFC7296] |
+----------+----------------------------+-------------+ +----------+-----------------------------+-------------+
| SA | Security Association | [RFC7296] | | SA | Security Association | [RFC7296] |
+----------+----------------------------+-------------+ +----------+-----------------------------+-------------+
| SAg | Security Association - GM | Section 4.3 | | SAg | Security Association - GM | Section 4.3 |
| | Supported Transforms | | | | Supported Transforms | |
+----------+----------------------------+-------------+ +----------+-----------------------------+-------------+
| SK | Encrypted | [RFC7296] | | SK | Encrypted and Authenticated | [RFC7296] |
+----------+----------------------------+-------------+ | | (also known as Encrypted) | |
+----------+-----------------------------+-------------+
Table 1: Payloads Used in G-IKEv2 Table 1: Payloads Used in G-IKEv2
Payloads defined as part of other IKEv2 extensions MAY also be Payloads defined as part of other IKEv2 extensions MAY also be
included in these messages. Payloads that may optionally appear in included in these messages. Payloads that may optionally appear in
G-IKEv2 messages will be shown in brackets, such as [CERTREQ]. G-IKEv2 messages will be shown in brackets, such as [CERTREQ].
G-IKEv2 defines several new payloads not used in IKEv2: G-IKEv2 defines several new payloads not used in IKEv2:
Group ID (IDg): Group Identification (IDg):
The GM requests the GCKS for membership into the group by sending The GM requests the GCKS for membership into the group by sending
its IDg payload. its IDg payload.
Security Association - GM Supported Transforms (SAg): Security Association - GM Supported Transforms (SAg):
The GM optionally sends supported transforms so that GCKS may The GM optionally sends supported transforms so that GCKS may
select a policy appropriate for all members of the group (which is select a policy appropriate for all members of the group (which is
not negotiated, unlike SA parameters in IKEv2). not negotiated, unlike SA parameters in IKEv2).
Group Security Association (GSA): Group Security Association (GSA):
The GCKS sends the group policy to the GM using this payload. The GCKS sends the group policy to the GM using this payload.
skipping to change at line 473 skipping to change at line 479
in IKEv2 SA, a key wrap algorithm is also negotiated in this exchange in IKEv2 SA, a key wrap algorithm is also negotiated in this exchange
by means of a new "Key Wrap Algorithm" transform. See Section 4.5.4 by means of a new "Key Wrap Algorithm" transform. See Section 4.5.4
for details. for details.
The second exchange, called GSA_AUTH, is similar to the IKEv2 The second exchange, called GSA_AUTH, is similar to the IKEv2
IKE_AUTH exchange [RFC7296]. It authenticates the previously IKE_AUTH exchange [RFC7296]. It authenticates the previously
exchanged messages and exchanges identities and certificates. The exchanged messages and exchanges identities and certificates. The
GSA_AUTH messages are encrypted and integrity protected with keys GSA_AUTH messages are encrypted and integrity protected with keys
established through the previous exchanges, so the identities are established through the previous exchanges, so the identities are
hidden from eavesdroppers and all fields in all the messages are hidden from eavesdroppers and all fields in all the messages are
authenticated. The GCKS authorizes group members to be allowed into authenticated. The GCKS authorizes GMs to be allowed into the group
the group as part of the GSA_AUTH exchange. Once the GCKS accepts a as part of the GSA_AUTH exchange. Once the GCKS accepts a GM to join
GM to join a group, it will provide the GM with the data-security a group, it will provide the GM with the data-security keys (TEKs)
keys (TEKs) and/or a group key encrypting key (KEK) as part of the and/or a group key encrypting key (KEK) as part of the GSA_AUTH
GSA_AUTH response message. response message.
The established secure channel between the GM and the GCKS is in fact The established secure channel between the GM and the GCKS is in fact
IKE SA (as defined in [RFC7296]) and is referred to as such IKE SA (as defined in [RFC7296]) and is referred to as such
throughout this document. However, it is NOT RECOMMENDED to use this throughout this document. However, it is NOT RECOMMENDED to use this
IKE SA for the purpose of creating unicast Child SAs between the GM IKE SA for the purpose of creating unicast Child SAs between the GM
and the GCKS since authentication requirements for group admission and the GCKS since authentication requirements for group admission
and for unicast communication may differ. In addition, the life and for unicast communication may differ. In addition, the life
cycle of this IKE SA is determined by the GCKS and this SA can be cycle of this IKE SA is determined by the GCKS and this SA can be
deleted at any time. deleted at any time.
2.3.1. GSA_AUTH Exchange 2.3.1. GSA_AUTH Exchange
The GSA_AUTH exchange is used to authenticate the previous exchanges The GSA_AUTH exchange is used to authenticate the previous exchanges
and exchange identities and certificates. G-IKEv2 also uses this and exchange identities and certificates. G-IKEv2 also uses this
exchange for group member registration and authorization. exchange for GM registration and authorization.
The GSA_AUTH exchange is similar to the IKE_AUTH exchange with the The GSA_AUTH exchange is similar to the IKE_AUTH exchange with the
difference that its goal is to establish a multicast Data-Security difference that its goal is to establish a multicast Data-Security
SA(s) and optionally provide GM with the keys for a Rekey SA. The SA(s) and optionally provide GM with the keys for a Rekey SA. The
set of payloads in the GSA_AUTH exchange is slightly different set of payloads in the GSA_AUTH exchange is slightly different
because policy is not negotiated between the group member and the because policy is not negotiated between the GM and the GCKS;
GCKS; instead, it is provided by the GCKS for the GM. Also note that instead, it is provided by the GCKS for the GM. Also note that
GSA_AUTH has its own exchange type, which is different from the GSA_AUTH has its own exchange type, which is different from the
IKE_AUTH exchange type. IKE_AUTH exchange type.
Note that due to the similarities between IKE_AUTH and GSA_AUTH, most | Note: Due to the similarities between IKE_AUTH and GSA_AUTH,
IKEv2 extensions to the IKE_AUTH exchange (like secure password | most IKEv2 extensions to the IKE_AUTH exchange (like secure
authentication [RFC6467]) can also be used with the GSA_AUTH | password authentication [RFC6467]) can also be used with the
exchange. | GSA_AUTH exchange.
Initiator (GM) Responder (GCKS) Initiator (GM) Responder (GCKS)
-------------------- ------------------ -------------------- ------------------
HDR, SK{IDi, [CERT,] [CERTREQ,] [IDr,] HDR, SK{IDi, [CERT,] [CERTREQ,] [IDr,]
AUTH, IDg, [SAg,] [N(GROUP_SENDER),] [N]} --> AUTH, IDg, [SAg,] [N(GROUP_SENDER),] [N]} -->
Figure 3: GSA_AUTH Request Figure 3: GSA_AUTH Request
A group member initiates a GSA_AUTH request to join a group indicated A GM initiates a GSA_AUTH request to join a group indicated by the
by the IDg payload. The GM may include an SAg payload declaring IDg payload. The GM may include an SAg payload declaring which
which Transforms it is willing to accept. A GM that intends to act Transforms it is willing to accept. A GM that intends to act as
as Group Sender MUST include a Notify payload status type of group sender MUST include a Notify payload status type of
GROUP_SENDER, which enables the GCKS to provide any additional policy GROUP_SENDER, which enables the GCKS to provide any additional policy
necessary by group senders. necessary by group senders.
Initiator (GM) Responder (GCKS) Initiator (GM) Responder (GCKS)
-------------------- ------------------ -------------------- ------------------
<-- HDR, SK{IDr, [CERT,] <-- HDR, SK{IDr, [CERT,]
AUTH, GSA, KD, [N]} AUTH, GSA, KD, [N]}
Figure 4: GSA_AUTH Normal Response Figure 4: GSA_AUTH Normal Response
The GCKS responds with IDr, optional CERT, and AUTH payloads with the The GCKS responds with IDr, optional CERT, and AUTH payloads with the
same meaning as in IKE_AUTH. It also informs the group member of the same meaning as in IKE_AUTH. It also informs the GM of the
cryptographic policies of the group in the GSA payload and the key cryptographic policies of the group in the GSA payload and the key
material in the KD payload. material in the KD payload.
Possible errors should be handled in accordance with Section 2.21.2 Possible errors should be handled in accordance with Section 2.21.2
of [RFC7296]. In addition to the IKEv2 error handling, the GCKS can of [RFC7296]. In addition to the IKEv2 error handling, the GCKS can
reject the registration request when the IDg is invalid or reject the registration request when the IDg is invalid or
authorization fails, etc. In these cases (see Section 4.7), the authorization fails, etc. In these cases (see Section 4.7), the
GSA_AUTH response will not include the GSA and KD but will include a GSA_AUTH response will not include the GSA and KD but will include a
Notify payload indicating errors. If a GM included an SAg payload Notify payload indicating errors. If a GM included an SAg payload
and the GCKS chooses to evaluate it and detects that the group member and the GCKS chooses to evaluate it and detects that the GM cannot
cannot support the security policy defined for the group, then the support the security policy defined for the group, then the GCKS
GCKS returns the NO_PROPOSAL_CHOSEN notification. Other types of returns the NO_PROPOSAL_CHOSEN notification. Other types of error
error notifications can be INVALID_GROUP_ID, AUTHORIZATION_FAILED, or notifications can be INVALID_GROUP_ID, AUTHORIZATION_FAILED, or
REGISTRATION_FAILED. REGISTRATION_FAILED.
Initiator (GM) Responder (GCKS) Initiator (GM) Responder (GCKS)
-------------------- ------------------ -------------------- ------------------
<-- HDR, SK{IDr, [CERT,] AUTH, N} <-- HDR, SK{IDr, [CERT,] AUTH, N}
Figure 5: GSA_AUTH Error Response for Group-Related Errors Figure 5: GSA_AUTH Error Response for Group-Related Errors
If the GSA_AUTH exchange is completed successfully but the group If the GSA_AUTH exchange is completed successfully but the GM finds
member finds that the policy sent by the GCKS is unacceptable, the that the policy sent by the GCKS is unacceptable, the member SHOULD
member SHOULD inform the GCKS about this by initiating the inform the GCKS about this by initiating the GSA_REGISTRATION
GSA_REGISTRATION exchange with the IDg payload and the exchange with the IDg payload and the NO_PROPOSAL_CHOSEN notification
NO_PROPOSAL_CHOSEN notification (see Figure 8). (see Figure 8).
2.3.2. GSA_REGISTRATION Exchange 2.3.2. GSA_REGISTRATION Exchange
Once the IKE SA between the GM and the GCKS is established, the GM Once the IKE SA between the GM and the GCKS is established, the GM
can use it for other registration requests if needed. In this can use it for other registration requests if needed. In this
scenario, the GM will use the GSA_REGISTRATION exchange. Payloads in scenario, the GM will use the GSA_REGISTRATION exchange. Payloads in
the exchange are generated and processed as defined in Section 2.3.1. the exchange are generated and processed as defined in Section 2.3.1.
Initiator (GM) Responder (GCKS) Initiator (GM) Responder (GCKS)
-------------------- ------------------ -------------------- ------------------
skipping to change at line 588 skipping to change at line 594
in Section 2.3.1. in Section 2.3.1.
Initiator (GM) Responder (GCKS) Initiator (GM) Responder (GCKS)
-------------------- ------------------ -------------------- ------------------
HDR, SK{IDg, [SAg,] HDR, SK{IDg, [SAg,]
[N(GROUP_SENDER),] [N]} --> [N(GROUP_SENDER),] [N]} -->
<-- HDR, SK{N} <-- HDR, SK{N}
Figure 7: GSA_REGISTRATION Error Exchange Figure 7: GSA_REGISTRATION Error Exchange
This exchange can also be used if the group member finds that the This exchange can also be used if the GM finds that the policy sent
policy sent by the GCKS is unacceptable or wants to leave the group by the GCKS is unacceptable or wants to leave the group for some
for some reason. The group member SHOULD notify the GCKS by sending reason. The GM SHOULD notify the GCKS by sending IDg and the Notify
IDg and the Notify type NO_PROPOSAL_CHOSEN or REGISTRATION_FAILED as type NO_PROPOSAL_CHOSEN or REGISTRATION_FAILED as shown below. In
shown below. In this case, the GCKS MUST remove the GM from the this case, the GCKS MUST remove the GM from the group denoted in IDg.
group IDg.
Initiator (GM) Responder (GCKS) Initiator (GM) Responder (GCKS)
-------------------- ------------------ -------------------- ------------------
HDR, SK{IDg, N} --> HDR, SK{IDg, N} -->
<-- HDR, SK{} <-- HDR, SK{}
Figure 8: GM Reporting Errors in GSA_REGISTRATION Exchange Figure 8: GM Reporting Errors in GSA_REGISTRATION Exchange
2.3.3. GM Registration Operations 2.3.3. GM Registration Operations
A GM requesting registration contacts the GCKS using the IKE_SA_INIT A GM requesting registration contacts the GCKS using the IKE_SA_INIT
exchange. This exchange is unchanged from IKE_SA_INIT in the IKEv2 exchange. This exchange is unchanged from IKE_SA_INIT in the IKEv2
protocol. The IKE_SA_INIT exchange may optionally be followed by one protocol. The IKE_SA_INIT exchange may optionally be followed by one
or more of the IKE_INTERMEDIATE exchanges if the GM and the GCKS or more of the IKE_INTERMEDIATE exchanges if the GM and the GCKS
negotiated use of IKEv2 extensions based on this exchange. negotiated use of IKEv2 extensions based on this exchange.
Next, the GM sends the GSA_AUTH request message with the IKEv2 Next, the GM sends the GSA_AUTH request message with the IKEv2
payloads from IKE_AUTH (without the SAi2, TSi, and TSr payloads) payloads from IKE_AUTH (without the SAi2, TSi, and TSr payloads)
along with the Group ID informing the GCKS of the group the GM wishes along with the Group ID informing the GCKS of the group the GM wishes
to join. A GM intending to emit data traffic MUST send a to join. A GM intending to emit data traffic MUST send a
GROUP_SENDER Notify message type. The GROUP_SENDER notification not GROUP_SENDER notification. The GROUP_SENDER notification not only
only signifies that it is a sender but provides the GM the ability to signifies that it is a sender but provides the GM the ability to
request Sender-ID values in case the Data-Security SA supports a request Sender-ID values in case the Data-Security SA supports a
counter-mode cipher. Section 2.5.1 includes guidance on requesting counter-mode cipher. Section 2.5.1 includes guidance on requesting
Sender-ID values. Sender-ID values.
A GM may be limited in the Transforms IDs that it is able or willing A GM may be limited in the Transforms IDs that it is able or willing
to use and may find it useful to inform the GCKS which Transform IDs to use and may find it useful to inform the GCKS which Transform IDs
it is willing to accept for different security protocols by including it is willing to accept for different security protocols by including
the SAg payload into the request message. Proposals for Rekey SA and the SAg payload into the request message. Proposals for Rekey SA and
for Data-Security (AH [RFC4302] and/or ESP [RFC4303]) SAs may be for Data-Security (AH [RFC4302] and/or ESP [RFC4303]) SAs may be
included into SAg. Proposals for Rekey SA are identified by new included into SAg. Proposals for Rekey SA are identified by a new
Protocol ID GIKE_UPDATE with the value 6. Each Proposal contains a Security Protocol Identifier GIKE_UPDATE with the value 6. Each
list of Transforms that the GM is able and willing to support for Proposal contains a list of Transforms that the GM is able and
that protocol. Valid transform types depend on the protocol (AH, willing to support for that protocol. Valid Transform Types depend
ESP, GIKE_UPDATE) and are defined in Table 2. Other transform types on the protocol (AH, ESP, GIKE_UPDATE) and are defined in Table 2.
SHOULD NOT be included as they will be ignored by the GCKS. The Other Transform Types SHOULD NOT be included as they will be ignored
Security Parameter Index (SPI) length of each Proposal in an SAg is by the GCKS. The Security Parameter Index (SPI) length of each
set to zero, and thus the SPI field is empty. The GCKS MUST NOT use Proposal in an SAg is set to zero, and thus the SPI field is empty.
SPI length and SPI fields in the SAg payload. The GCKS MUST NOT use SPI length and SPI fields in the SAg payload.
Generally, a single Proposal for each protocol (GIKE_UPDATE, AH/ESP) Generally, a single Proposal for each protocol (GIKE_UPDATE, AH/ESP)
will suffice. Because the transforms are not negotiated, the GM will suffice. Because the transforms are not negotiated, the GM
simply alerts the GCKS to restrictions it may have. In particular, simply alerts the GCKS to restrictions it may have. In particular,
the restriction from Section 3.3 of [RFC7296] that Authenticated the restriction from Section 3.3 of [RFC7296] that Authenticated
Encryption with Associated Data (AEAD) and non-AEAD transforms not be Encryption with Associated Data (AEAD) and non-AEAD transforms not be
combined in a single proposal doesn't hold when the SAg payload is combined in a single proposal doesn't hold when the SAg payload is
being formed. However, if the GM has restrictions on the combination being formed. However, if the GM has restrictions on the combination
of algorithms, this can be expressed by sending several proposals. of algorithms, this can be expressed by sending several proposals.
skipping to change at line 675 skipping to change at line 680
A GM MAY also indicate the support for IPcomp by including one or A GM MAY also indicate the support for IPcomp by including one or
more the IPCOMP_SUPPORTED notifications along with the SAg payload in more the IPCOMP_SUPPORTED notifications along with the SAg payload in
the request. The Compression Parameter Index (CPI) in these the request. The Compression Parameter Index (CPI) in these
notifications is set to zero and MUST be ignored by the GCKS. notifications is set to zero and MUST be ignored by the GCKS.
Upon receiving the GSA_AUTH response, the GM parses the response from Upon receiving the GSA_AUTH response, the GM parses the response from
the GCKS authenticating the exchange using the IKEv2 method, then the GCKS authenticating the exchange using the IKEv2 method, then
processes the GSA and KD payloads. processes the GSA and KD payloads.
The GSA payload contains the security policy and cryptographic The GSA payload contains the security policy and cryptographic
protocols used by the group. This policy describes the optional protocols used by the group. This policy describes zero or more
Rekey SA (KEK), Data-Security SAs (TEK), and optional Group-wide (GW) Data-Security SAs (TEK), zero or one Rekey SA (KEK), and zero or one
policy. If the policy in the GSA payload is not acceptable to the GW policy (although at least one TEK or KEK policy MUST be Present).
GM, it SHOULD notify the GCKS by initiating a GSA_REGISTRATION If the policy in the GSA payload is not acceptable to the GM, it
exchange with a NO_PROPOSAL_CHOSEN Notify payload (see SHOULD notify the GCKS by initiating a GSA_REGISTRATION exchange with
Section 2.3.2). Note that this should normally not happen if the GM a NO_PROPOSAL_CHOSEN Notify payload (see Section 2.3.2). Note that
includes the SAg payload in the GSA_AUTH request and the GCKS takes this should normally not happen if the GM includes the SAg payload in
it into account. Finally, the KD payload is parsed, providing the the GSA_AUTH request and the GCKS takes it into account. Finally,
keying material for the TEK and/or KEK. The KD payload contains a the KD payload is parsed, providing the keying material for the TEK
list of key bags, where each key bag includes the keying material for and/or KEK. The KD payload contains a list of key bags, where each
SAs distributed in the GSA payload. Keying material is matched by key bag includes the keying material for SAs distributed in the GSA
comparing the SPIs in the key bags to SPIs previously included in the payload. Keying material is matched by comparing the SPIs in the key
GSA payloads. Once TEK keys and policy are matched, the GM provides bags to SPIs previously included in the GSA payloads. Once TEK keys
them to the data-security subsystem, and it is ready to send or and policy are matched, the GM provides them to the data-security
receive packets matching the TEK policy. subsystem, and it is ready to send or receive packets matching the
TEK policy.
If the group member is not a sender for a received Data-Security SA, If the GM is not a sender for a received Data-Security SA, then it
then it MUST install this SA only in the inbound direction. If the MUST install this SA only in the inbound direction. If the GM is a
group member is a sender for a received Data-Security SA, and it is sender for a received Data-Security SA, and it is not going to
not going to receive back the data it sends, then it MUST install receive back the data it sends, then it MUST install this SA only in
this SA only in the outgoing direction. the outgoing direction.
If the first Message ID the GM should expect to receive is non-zero, If the first Message ID the GM should expect to receive is non-zero,
the GSA KEK policy includes the attribute GSA_INITIAL_MESSAGE_ID with the GSA KEK policy includes the attribute GSA_INITIAL_MESSAGE_ID with
the expected non-zero value. The value of the attribute MUST be the expected non-zero value. The value of the attribute MUST be
checked by a GM against any previously received Message ID for this checked by a GM against any previously received Message ID for this
group. If it is less than the previously received number, it should group. If it is less than the previously received number, it should
be considered stale and MUST be ignored. This could happen if two be considered stale and MUST be ignored. This could happen if two
GSA_AUTH exchanges happened in parallel and the Message ID changed. GSA_AUTH exchanges happened in parallel and the Message ID changed.
This attribute is used by the GM to prevent GSA_REKEY message replay This attribute is used by the GM to prevent GSA_REKEY message replay
attacks. The first GSA_REKEY message that the GM receives from the attacks. The first GSA_REKEY message that the GM receives from the
GCKS will have a Message ID greater than or equal to the Message ID GCKS will have a Message ID greater than or equal to the Message ID
received in the GSA_INITIAL_MESSAGE_ID attribute. received in the GSA_INITIAL_MESSAGE_ID attribute.
Group members MUST install the Rekey SA only in the inbound GMs MUST install the Rekey SA only in the inbound direction.
direction.
Once a GM successfully registers to the group, it MUST replace any Once a GM successfully registers to the group, it MUST replace any
information related to this group (policy, keys) that it might have information related to this group (policy, keys) that it might have
as a result of a previous registration with a new one. as a result of a previous registration with a new one.
Once a GM has received GIKE_UPDATE policy during a registration, the Once a GM has received the GIKE_UPDATE policy during a registration,
IKE SA MAY be closed. By convention, the GCKS closes the IKE SA; the the IKE SA MAY be closed. By convention, the GCKS closes the IKE SA;
GM SHOULD NOT close it. The GCKS MAY choose to keep the IKE SA open the GM SHOULD NOT close it. The GCKS MAY choose to keep the IKE SA
for inband rekey, especially for small groups. If inband rekey is open for inband rekey, especially for small groups. If inband rekey
used, then the initial IKE SA can be rekeyed by any side with the is used, then the initial IKE SA can be rekeyed by any side with the
standard IKEv2 mechanism described in Section 1.3.2 of [RFC7296]. If standard IKEv2 mechanism described in Section 1.3.2 of [RFC7296]. If
for some reason the IKE SA is closed and no GIKE_UPDATE policy is for some reason the IKE SA is closed and no GIKE_UPDATE policy is
received during the registration process, the GM MUST consider itself received during the registration process, the GM MUST consider itself
excluded from the group. To continue participating in the group, the excluded from the group. To continue participating in the group, the
GM needs to re-register. GM needs to re-register.
2.3.4. GCKS Registration Operations 2.3.4. GCKS Registration Operations
A G-IKEv2 GCKS listens for incoming requests from group members. A G-IKEv2 GCKS listens for incoming requests from GMs. When the GCKS
When the GCKS receives an IKE_SA_INIT request, it selects an IKE receives an IKE_SA_INIT request, it selects an IKE proposal and
proposal and generates a nonce and Diffie-Hellman (DH) to include in generates a nonce and Diffie-Hellman (DH) to include in the
the IKE_SA_INIT response. IKE_SA_INIT response.
Upon receiving the GSA_AUTH request, the GCKS authenticates the group Upon receiving the GSA_AUTH request, the GCKS authenticates the GM
member via the GSA_AUTH exchange. The GCKS then authorizes the group via the GSA_AUTH exchange. The GCKS then authorizes the GM according
member according to group policy before preparing to send the to group policy before preparing to send the GSA_AUTH response. If
GSA_AUTH response. If the GCKS fails to authorize the GM, it the GCKS fails to authorize the GM, it responds with an
responds with an AUTHORIZATION_FAILED notify message type. The GCKS AUTHORIZATION_FAILED notification. The GCKS may also respond with an
may also respond with an INVALID_GROUP_ID notify message if the INVALID_GROUP_ID notification if the requested group is unknown to
requested group is unknown to the GCKS or with an REGISTRATION_FAILED the GCKS or with an REGISTRATION_FAILED notification if there is a
notify message if there is a problem with the requested group (e.g., problem with the requested group (e.g., if the capacity of the group
if the capacity of the group is exceeded). is exceeded).
The GSA_AUTH response will include the group policy in the GSA The GSA_AUTH response will include the group policy in the GSA
payload and keys in the KD payload. If the GCKS policy includes a payload and keys in the KD payload. If the GCKS policy includes a
group rekey option and the initial Message ID value the GCKS will use group rekey option and the initial Message ID value the GCKS will use
when sending the GSA_REKEY messages to the group members is non-zero, when sending the GSA_REKEY messages to the GMs is non-zero, then this
then this value is specified in the GSA_INITIAL_MESSAGE_ID attribute. value is specified in the GSA_INITIAL_MESSAGE_ID attribute. This
This Message ID is used to prevent GSA_REKEY message replay attacks Message ID is used to prevent GSA_REKEY message replay attacks and
and will be increased each time a GSA_REKEY message is sent to the will be increased each time a GSA_REKEY message is sent to the group.
group. The GCKS data traffic policy is included in the GSA TEK and The GCKS data traffic policy is included in the GSA TEK and keys are
keys are included in the KD TEK. The GW policy MAY also be included included in the KD TEK. The GW policy MAY also be included to
to provide the Activation Time Delay (ATD) and/or Deactivation Time provide the Activation Time Delay (ATD) and/or Deactivation Time
Delay (DTD) (Section 4.4.3.1.1) to specify activation and Delay (DTD) (Section 4.4.3.1.1) to specify activation and
deactivation delays for SAs generated from the TEKs. If the group deactivation delays for SAs generated from the TEKs. If the GM has
member has indicated that it is a sender of data traffic and one or indicated that it is a sender of data traffic and one or more Data-
more Data-Security SAs distributed in the GSA payload included a Security SAs distributed in the GSA payload included a counter mode
counter mode of operation, the GCKS responds with one or more Sender- of operation, the GCKS responds with one or more Sender-ID values
ID values (see Section 2.5). (see Section 2.5).
Multicast Extensions to the Security Architecture [RFC5374] defines Multicast Extensions to the Security Architecture [RFC5374] defines
two modes of operation for multicast Data-Security SAs: transport two modes of operation for multicast Data-Security SAs: transport
mode and tunnel mode with address preservation. In the latter case, mode and tunnel mode with address preservation. In the latter case,
outer source and destination addresses are taken from the inner IP outer source and destination addresses are taken from the inner IP
packet. The mode of operation for the Data-Security SAs is packet. The mode of operation for the Data-Security SAs is
determined by the presence of the USE_TRANSPORT_MODE notification in determined by the presence of the USE_TRANSPORT_MODE notification in
the GCKS's response message of the registration exchange. If it is the GCKS's response message of the registration exchange. If it is
present, then SAs are created in transport mode; otherwise, SAs are present, then SAs are created in transport mode; otherwise, SAs are
created in tunnel mode. If multiple Data-Security SAs are being created in tunnel mode. If multiple Data-Security SAs are being
skipping to change at line 781 skipping to change at line 786
the same mode of operation. the same mode of operation.
If the GCKS receives a GSA_REGISTRATION exchange with a request to If the GCKS receives a GSA_REGISTRATION exchange with a request to
register a GM to a group, the GCKS will need to authorize the GM with register a GM to a group, the GCKS will need to authorize the GM with
the new group (IDg) and respond with the corresponding group policy the new group (IDg) and respond with the corresponding group policy
and keys. If the GCKS fails to authorize the GM, it will respond and keys. If the GCKS fails to authorize the GM, it will respond
with the AUTHORIZATION_FAILED notification. The GCKS may also with the AUTHORIZATION_FAILED notification. The GCKS may also
respond with an INVALID_GROUP_ID or REGISTRATION_FAILED notify respond with an INVALID_GROUP_ID or REGISTRATION_FAILED notify
messages for the reasons described above. messages for the reasons described above.
If a group member includes an SAg in its GSA_AUTH or GSA_REGISTRATION If a GM includes an SAg in its GSA_AUTH or GSA_REGISTRATION request,
request, the GCKS may evaluate it according to an implementation- the GCKS may evaluate it according to an implementation-specific
specific policy. policy.
* The GCKS could evaluate the list of Transforms and compare it to * The GCKS could evaluate the list of Transforms and compare it to
its current policy for the group. If the group member did not its current policy for the group. If the GM did not include all
include all of the ESP, AH, or GIKE_UPDATE Transforms that match of the ESP, AH, or GIKE_UPDATE Transforms that match the current
the current group policy or the capabilities of all other group policy or the capabilities of all other currently active
currently active GMs, then the GCKS SHOULD return a GMs, then the GCKS SHOULD return a NO_PROPOSAL_CHOSEN
NO_PROPOSAL_CHOSEN notification. Alternatively, the GCKS can notification. Alternatively, the GCKS can change the group policy
change the group policy as defined below. as defined below.
* The GCKS could store the list of Transforms with the goal of * The GCKS could store the list of Transforms with the goal of
migrating the group policy to a different Transforms when all of migrating the group policy from the current set of transforms to a
the group members indicate that they can support that Transforms. different one once all of the GMs indicate that they can support
transforms from the new set.
* The GCKS could store the list of Transforms and adjust the current * The GCKS could store the list of Transforms and adjust the current
group policy based on the capabilities of the devices as long as group policy based on the capabilities of the devices as long as
they fall within the acceptable security policy of the GCKS. they fall within the acceptable security policy of the GCKS.
Depending on its policy, the GCKS may have no further need for the Depending on its policy, the GCKS may have no further need for the
IKE SA (e.g., it does not plan to initiate a GSA_INBAND_REKEY IKE SA (e.g., it does not plan to initiate a GSA_INBAND_REKEY
exchange). If the GM does not initiate another registration exchange exchange). If the GM does not initiate another registration exchange
or Notify (e.g., NO_PROPOSAL_CHOSEN) and the GCKS is not intended to or Notify (e.g., NO_PROPOSAL_CHOSEN) and the GCKS is not intended to
use the SA, then the GCKS SHOULD close the IKE SA to save resources use the SA, then the GCKS SHOULD close the IKE SA to save resources
after a short period of time. after a short period of time.
2.4. Group Maintenance Channel 2.4. Group Maintenance Channel
The GCKS is responsible for rekeying the secure group per the group The GCKS is responsible for rekeying the secure group per the group
policy. Rekeying is an operation whereby the GCKS provides policy. Rekeying is an operation whereby the GCKS provides
replacement TEKs and KEKs, deleting TEKs, and/or excluding group replacement TEK(s) and/or KEK, deleting TEK(s), and/or excluding GMs.
members. The GCKS may initiate a rekey message if group membership The GCKS may initiate a rekey message if group membership and/or
and/or policy has changed or if the keys are about to expire. Two policy has changed or if the keys are about to expire. Two forms of
forms of group maintenance channels are provided in G-IKEv2 to push group maintenance channels are provided in G-IKEv2 to push new policy
new policy to group members. to GMs.
GSA_REKEY: GSA_REKEY:
The GSA_REKEY is a pseudo-exchange, consisting of a one-way IKEv2 The GSA_REKEY is a pseudo-exchange, consisting of a one-way IKEv2
message sent by the GCKS where the rekey policy is delivered to message sent by the GCKS where the rekey policy is delivered to
group members using IP multicast as a transport. This method is GMs using IP multicast as a transport. This method is valuable
valuable for large and dynamic groups and where policy may change for large and dynamic groups and where policy may change
frequently and a scalable rekey method is required. When the frequently and a scalable rekey method is required. When the
GSA_REKEY is used, the IKE SA protecting the member registration GSA_REKEY is used, the IKE SA protecting the member registration
exchanges is usually terminated and group members await policy exchanges is usually terminated and GMs await policy changes from
changes from the GCKS via the GSA_REKEY messages. the GCKS via the GSA_REKEY messages.
GSA_INBAND_REKEY: GSA_INBAND_REKEY:
The GSA_INBAND_REKEY is a normal IKEv2 exchange using the IKE SA The GSA_INBAND_REKEY is a normal IKEv2 exchange using the IKE SA
that was set up to protect the member registration exchange. This that was set up to protect the member registration exchange. This
exchange allows the GCKS to rekey without using an independent exchange allows the GCKS to rekey without using an independent
GSA_REKEY pseudo-exchange. The GSA_INBAND_REKEY exchange provides GSA_REKEY pseudo-exchange. The GSA_INBAND_REKEY exchange provides
a reliable policy delivery and is useful when G-IKEv2 is used with a reliable policy delivery and is useful when G-IKEv2 is used with
a small group of cooperating devices. a small group of cooperating devices.
Depending on its policy, the GCKS MAY combine these two methods. For Depending on its policy, the GCKS MAY combine these two methods. For
skipping to change at line 849 skipping to change at line 855
reliable keys delivery) and the GSA_REKEY for the rest of the GMs. reliable keys delivery) and the GSA_REKEY for the rest of the GMs.
2.4.1. GSA_REKEY 2.4.1. GSA_REKEY
The GCKS initiates the G-IKEv2 rekey by sending a protected message The GCKS initiates the G-IKEv2 rekey by sending a protected message
to the GMs, usually using IP multicast. Since the Rekey messages do to the GMs, usually using IP multicast. Since the Rekey messages do
not require responses and are sent to multiple GMs, the windowing not require responses and are sent to multiple GMs, the windowing
mechanism described in Section 2.3 of [RFC7296] MUST NOT be used for mechanism described in Section 2.3 of [RFC7296] MUST NOT be used for
the Rekey messages. The GCKS rekey message replaces the current the Rekey messages. The GCKS rekey message replaces the current
rekey GSA KEK or KEK array (e.g., in the case of LKH) and/or creates rekey GSA KEK or KEK array (e.g., in the case of LKH) and/or creates
new Data-Security GSA TEKs. The GM_SENDER_ID attribute in the Key new Data-Security SAs. The GM_SENDER_ID attribute in the Key
Download payload (defined in Section 4.5.3.3) MUST NOT be part of the Download payload (defined in Section 4.5.3.3) MUST NOT be part of the
Rekey Exchange, as this is sender-specific information and the Rekey Rekey Exchange, as this is sender-specific information and the Rekey
Exchange is group specific. The GCKS initiates the GSA_REKEY pseudo- Exchange is group specific. The GCKS initiates the GSA_REKEY pseudo-
exchange as following: exchange as following:
GMs (Receivers) GCKS (Sender) GMs (Receivers) GCKS (Sender)
----------------- --------------- ----------------- ---------------
<-- HDR, SK{GSA, KD, [N,] [AUTH]} <-- HDR, SK{GSA, KD, [N,] [AUTH]}
Figure 9: GSA_REKEY Pseudo-Exchange Figure 9: GSA_REKEY Pseudo-Exchange
HDR is defined in Section 4.1. While GSA_REKEY reuses the IKEv2 HDR is defined in Section 4.1. While GSA_REKEY reuses the IKEv2
header, the "IKE SA Initiator's SPI" and the "IKE SA Responder's SPI" header, the "IKE SA Initiator's SPI" and the "IKE SA Responder's SPI"
fields are treated as a single field with a length of 16 octets fields are treated as a single field with a length of 16 octets
containing the SPI of a Rekey SA. The value for this field is containing the SPI of a Rekey SA. The value for this field is
provided by the GCKS in the GSA payload (see Section 4.4.2). The provided by the GCKS in the GSA payload (see Section 4.4.2). The
Message ID in this message will start with the value the GCKS sent to Message ID in this message will start with the value the GCKS sent to
the group members in the attribute GSA_INITIAL_MESSAGE_ID or from the GMs in the attribute GSA_INITIAL_MESSAGE_ID or from zero if this
zero if this attribute wasn't sent. The Message ID will be attribute wasn't sent. The Message ID will be incremented each time
incremented each time a new GSA_REKEY message is sent to the group a new GSA_REKEY message is sent to the GMs.
members.
The GSA payload contains the current policy for rekey and Data- The GSA payload contains the current policy for rekey and Data-
Security SAs. The GSA may contain a new Rekey SA and/or a new Data- Security SAs. The GSA may contain a new Rekey SA and/or a new Data-
Security SAs (Section 4.4). Security SA(s) (Section 4.4).
The KD payload contains the keys for the policy included in the GSA. The KD payload contains the keys for the policy included in the GSA.
If one or more Data-Security SAs are being refreshed in this rekey If one or more Data-Security SAs are being refreshed in this rekey
message, the IPsec keys are updated in the KD, and/or if the Rekey SA message, the IPsec keys are updated in the KD, and/or if the Rekey SA
is being refreshed in this rekey message, the rekey Key or the LKH is being refreshed in this rekey message, the rekey Key or the LKH
KEK array (e.g., in case of LKH) is updated in the KD payload. KEK array (e.g., in case of LKH) is updated in the KD payload.
A Delete payload MAY be included to instruct the GM to delete A Delete payload MAY be included to instruct the GM to delete
existing SAs. See Section 4.6 for more detail. existing SAs. See Section 4.6 for more detail.
skipping to change at line 898 skipping to change at line 903
In the latter case, the fact that a GM can decrypt the GSA_REKEY In the latter case, the fact that a GM can decrypt the GSA_REKEY
message and verify its Integrity Check Value (ICV) proves that the message and verify its Integrity Check Value (ICV) proves that the
sender of this message knows the current KEK, thus authenticating the sender of this message knows the current KEK, thus authenticating the
sender as a member of the group. Note that implicit authentication sender as a member of the group. Note that implicit authentication
doesn't provide source origin authentication. For this reason, using doesn't provide source origin authentication. For this reason, using
implicit authentication for GSA_REKEY is NOT RECOMMENDED unless implicit authentication for GSA_REKEY is NOT RECOMMENDED unless
source origin authentication is not required (for example, in a small source origin authentication is not required (for example, in a small
group of highly trusted GMs). See more about authentication methods group of highly trusted GMs). See more about authentication methods
in Section 4.4.2.1.1. in Section 4.4.2.1.1.
During group member registration, the GCKS sends the authentication During GM registration, the GCKS sends the authentication key in the
key in the KD payload, the AUTH_KEY attribute, which the group member KD payload, the AUTH_KEY attribute, which the GM uses to authenticate
uses to authenticate the key server. Before the current the key server. Before the current authentication key expires, the
authentication key expires, the GCKS will send a new AUTH_KEY to the GCKS will send a new AUTH_KEY to the GMs in a GSA_REKEY message. The
group members in a GSA_REKEY message. The authentication key that is authentication key that is sent in the rekey message may not be the
sent in the rekey message may not be the same as the authentication same as the authentication key sent during the GM registration. If
key sent during the GM registration. If implicit authentication is implicit authentication is used, then AUTH_KEY MUST NOT be sent to
used, then AUTH_KEY MUST NOT be sent to GMs. GMs.
2.4.1.1. GSA_REKEY Message Authentication 2.4.1.1. GSA_REKEY Message Authentication
The content of the AUTH payload generally depends on the The content of the AUTH payload generally depends on the
authentication method from the Group Controller Authentication Method authentication method from the Group Controller Authentication Method
(GCAUTH) transform (Section 4.4.2.1.1). This specification defines (GCAUTH) transform (Section 4.4.2.1.1). This specification defines
the use of only one authentication method, Digital Signature, and the the use of only one authentication method, Digital Signature, and the
AUTH payload contains a digital signature calculated over the content AUTH payload contains a digital signature calculated over the content
of the not-yet-encrypted GSA_REKEY message. of the not-yet-encrypted GSA_REKEY message.
The digital signing is applied to the concatenation of two chunks: A The digital signing is applied to the concatenation of two chunks: A
and P. Chunk A starts with the first octet of the G-IKEv2 header and P. Chunk A starts with the first octet of the G-IKEv2 header
(not including prepended four octets of zeros, if port 4500 is used) (not including prepended four octets of zeros, if port 4500 is used)
and continues to the last octet of the Encrypted Payload header. and continues to the last octet of the Encrypted Payload header.
Chunk P consists of the not-yet-encrypted content of the Encrypted Chunk P consists of the not-yet-encrypted content of the Encrypted
payload, excluding the Initialization Vector, the Padding, the Pad payload, excluding the Initialization Vector, the Padding, the Pad
Length, and the Integrity Checksum Data fields (see Section 3.14 of Length, and the Integrity Checksum Data fields (see Section 3.14 of
[RFC7296] for the description of the Encrypted payload). In other [RFC7296] for the description of the Encrypted payload). In other
words, chunk P is the inner payloads of the Encrypted payload in words, chunk P is the inner payloads of the Encrypted payload in
plaintext form. Figure 11 illustrates the layout of chunks P and A plaintext form. Figure 10 illustrates the layout of chunks P and A
in the GSA_REKEY message. in the GSA_REKEY message.
Before the calculation of the AUTH payload, the inner payloads of the Before the calculation of the AUTH payload, the inner payloads of the
Encrypted payload must be fully formed and ready for encryption Encrypted payload must be fully formed and ready for encryption
except for the content of the AUTH payload. The AUTH payload must except for the content of the AUTH payload. The AUTH payload must
have correct values in the Payload Header, the Auth Method, and the have correct values in the Payload header, the Auth Method, and the
RESERVED fields. The Authentication Data field is zeroed, but the RESERVED fields. The Authentication Data field is zeroed, but the
ASN.1 Length and the AlgorithmIdentifier fields must be properly ASN.1 Length and the AlgorithmIdentifier fields must be properly
filled in; see Signature Authentication in [RFC7427]. filled in; see Signature Authentication in [RFC7427].
For the purpose of the AUTH payload calculation, the Length field in For the purpose of the AUTH payload calculation, the Length field in
the IKE header and the Payload Length field in the Encrypted Payload the IKE header and the Payload Length field in the Encrypted Payload
header are adjusted so that they don't count the lengths of header are adjusted so that they don't count the lengths of
Initialization Vector, Integrity Checksum Data, and Padding (along Initialization Vector, Integrity Checksum Data, and Padding (along
with Pad Length field). In other words, the Length field in the IKE with Pad Length field). In other words, the Length field in the IKE
header (denoted as AdjustedLen in Figure 11) is set to the sum of the header (denoted as AdjustedLen in Figure 10) is set to the sum of the
lengths of A and P, and the Payload Length field in the Encrypted lengths of A and P, and the Payload Length field in the Encrypted
Payload header (denoted as AdjustedPldLen in Figure 11) is set to the Payload header (denoted as AdjustedPldLen in Figure 10) is set to the
length of P plus the size of the Payload header (four octets). length of P plus the size of the Payload header (four octets).
The input to the digital signature algorithm that computes the The input to the digital signature algorithm that computes the
content of the AUTH payload can be described as: content of the AUTH payload can be described as:
DataToAuthenticate = A | P DataToAuthenticate = A | P
GsaRekeyMessage = GenIKEHDR | EncPayload GsaRekeyMessage = GenIKEHDR | EncPayload
GenIKEHDR = [ four octets 0 if using port 4500 ] | AdjustedIKEHDR GenIKEHDR = [ four octets 0 if using port 4500 ] | AdjustedIKEHDR
AdjustedIKEHDR = SPIi | SPIr | . . . | AdjustedLen AdjustedIKEHDR = SPIi | SPIr | . . . | AdjustedLen
EncPayload = AdjustedEncPldHdr | IV | InnerPlds | Pad | PadLen | ICV EncPayload = AdjustedEncPldHdr | IV | InnerPlds | Pad | PadLen | ICV
AdjustedEncPldHdr = NextPld | C | RESERVED | AdjustedPldLen AdjustedEncPldHdr = NextPld | C | RESERVED | AdjustedPldLen
A = AdjustedIKEHDR | AdjustedEncPldHdr A = AdjustedIKEHDR | AdjustedEncPldHdr
P = InnerPlds P = InnerPlds
Figure 10
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ^ ^ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ^ ^
| IKE SA Initiator's SPI | | | | IKE SA Initiator's SPI | | |
| | | | | | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ I | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ I |
| IKE SA Responder's SPI | K | | IKE SA Responder's SPI | K |
| | E | | | E |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| Next Payload | MjVer | MnVer | Exchange Type | Flags | H A | Next Payload | MjVer | MnVer | Exchange Type | Flags | h A
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ d | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ d |
| Message ID | r | | Message ID | r |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
| AdjustedLen | | | | AdjustedLen | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ x | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ x |
| Next Payload |C| RESERVED | AdjustedPldLen | | | | Next Payload |C| RESERVED | AdjustedPldLen | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | v +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | v
| | | | | |
~ Initialization Vector ~ E ~ Initialization Vector ~ E
| | n | | n
skipping to change at line 992 skipping to change at line 995
~ Inner Payloads (not yet encrypted) ~ P ~ Inner Payloads (not yet encrypted) ~ P
| | P | | | P |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ l v +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ l v
~ Padding (0-255 octets) | Pad Length | d ~ Padding (0-255 octets) | Pad Length | d
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| | | | | |
~ Integrity Checksum Data ~ | ~ Integrity Checksum Data ~ |
| | | | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ v +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ v
Figure 11: Data to Authenticate in the GSA_REKEY Messages Figure 10: Data to Authenticate in the GSA_REKEY Messages
The authentication data is calculated using the authentication The authentication data is calculated using the authentication
algorithm from the Group Controller Authentication Method transform algorithm from the Group Controller Authentication Method transform
(Section 4.4.2.1.1) and the current authentication key provided in (Section 4.4.2.1.1) and the current authentication key provided in
the AUTH_KEY attribute (Section 4.5.3.2). The calculated the AUTH_KEY attribute (Section 4.5.3.2). The calculated
authentication data is placed into the AUTH payload, the Length authentication data is placed into the AUTH payload, the Length
fields in the IKE Header and the Encryption Payload header are fields in the IKE header and the Encryption Payload header are
restored, the content of the Encrypted payload is encrypted and the restored, the content of the Encrypted payload is encrypted and the
ICV is computed using the current KEK. ICV is computed using the current KEK.
2.4.1.2. IKE Fragmentation 2.4.1.2. IKE Fragmentation
IKEv2 fragmentation [RFC7383] can be used to perform fragmentation of IKEv2 fragmentation [RFC7383] can be used to perform fragmentation of
large GSA_REKEY messages; however, when the GSA_REKEY message is large GSA_REKEY messages; however, when the GSA_REKEY message is
emitted as an IP multicast packet, there is a lack of response from emitted as an IP multicast packet, there is a lack of response from
the GMs. This has the following implications. the GMs. This has the following implications.
skipping to change at line 1060 skipping to change at line 1063
substantially skewed for the GMs that would receive different copies substantially skewed for the GMs that would receive different copies
of the messages. of the messages.
GCKS may also include one or several GSA_NEXT_SPI attributes GCKS may also include one or several GSA_NEXT_SPI attributes
specifying SPIs for the prospected rekeys so that listening GMs are specifying SPIs for the prospected rekeys so that listening GMs are
able to detect lost rekey messages and recover from this situation. able to detect lost rekey messages and recover from this situation.
See Section 4.4.2.2.3 for more detail. See Section 4.4.2.2.3 for more detail.
2.4.1.4. GSA_REKEY GM Operations 2.4.1.4. GSA_REKEY GM Operations
When a group member receives the rekey message from the GCKS, it When a GM receives the rekey message from the GCKS, it decrypts the
decrypts the message and verifies its integrity using the current message and verifies its integrity using the current KEK. If the
KEK. If the AUTH payload is present in the decrypted message, then AUTH payload is present in the decrypted message, then the GM
the GM validates authenticity of the message using the key retrieved validates authenticity of the message using the key retrieved in a
in a previous G-IKEv2 exchange. Then the GM verifies the Message ID previous G-IKEv2 exchange. Then the GM verifies the Message ID and
and processes the GSA and KD payloads. The group member then processes the GSA and KD payloads. The GM then installs the new
installs the new Data-Security SA(s) and/or a new Rekey SA. The Data-Security SA(s) and/or a new Rekey SA. The parsing of the
parsing of the payloads is identical to the parsing done in the payloads is identical to the parsing done in the registration
registration exchange. exchange.
Replay protection is achieved by a group member rejecting a GSA_REKEY Replay protection is achieved by a GM rejecting a GSA_REKEY message
message that has a Message ID smaller than the current Message ID that has a Message ID smaller than the current Message ID that the GM
that the GM is expecting. The GM expects the Message ID in the first is expecting. The GM expects the Message ID in the first GSA_REKEY
GSA_REKEY message it receives to be equal to or greater than the message it receives to be equal to or greater than the Message ID it
Message ID it receives in the GSA_INITIAL_MESSAGE_ID attribute. Note receives in the GSA_INITIAL_MESSAGE_ID attribute. Note that if the
that if the GSA_INITIAL_MESSAGE_ID attribute is not received for the GSA_INITIAL_MESSAGE_ID attribute is not received for the Rekey SA,
Rekey SA, the GM MUST assume zero as the first expected Message ID. the GM MUST assume zero as the first expected Message ID. The GM
The GM expects the Message ID in subsequent GSA_REKEY messages to be expects the Message ID in subsequent GSA_REKEY messages to be greater
greater than the last valid GSA_REKEY message ID it received. than the last valid GSA_REKEY message ID it received.
This specification assumes that the GSA_REKEY messages are sent with This specification assumes that the GSA_REKEY messages are sent with
intervals that are significantly greater than typical network packet intervals that are significantly greater than typical network packet
reordering intervals. reordering intervals.
If the GSA payload includes a Data-Security SA using cipher in a If the GSA payload includes a Data-Security SA using cipher in a
counter-mode of operation and the receiving group member is a sender counter-mode of operation and the receiving GM is a sender for that
for that SA, the group member uses its current Sender-ID value with SA, the GM uses its current Sender-ID value with the Data-Security
the Data-Security SAs to create counter-mode nonces. If it is a SAs to create counter-mode nonces. If it is a sender and does not
sender and does not hold a current Sender-ID value (for example, when hold a current Sender-ID value (for example, when no counter-mode is
no counter-mode is employed for other Data-Security SAs), it MUST NOT employed for other Data-Security SAs), it MUST NOT install the Data-
install the Data-Security SAs. It MUST initiate a re-registration to Security SAs. It MUST initiate a re-registration to the GCKS in
the GCKS in order to obtain a Sender-ID value (along with the current order to obtain a Sender-ID value (along with the current group
group policy). policy).
Once a new Rekey SA is installed as a result of a GSA_REKEY message, Once a new Rekey SA is installed as a result of a GSA_REKEY message,
the current Rekey SA (over which the message was received) MUST be the current Rekey SA (over which the message was received) MUST be
silently deleted after waiting the DEACTIVATION_TIME_DELAY interval silently deleted after waiting the DEACTIVATION_TIME_DELAY interval
regardless of its expiration time. If the message includes a Delete regardless of its expiration time. If the message includes a Delete
payload for an existing Data-Security SA, then after installing a new payload for an existing Data-Security SA, then after installing a new
Data-Security SA, the old one (identified by the Protocol and SPI Data-Security SA, the old one (identified by the Protocol and SPI
fields in the Delete payload) MUST be silently deleted after waiting fields in the Delete payload) MUST be silently deleted after waiting
the DEACTIVATION_TIME_DELAY interval regardless of its expiration the DEACTIVATION_TIME_DELAY interval regardless of its expiration
time. time.
skipping to change at line 1115 skipping to change at line 1118
"soft lifetime" expiration is described in Section 4.4.2.1 of "soft lifetime" expiration is described in Section 4.4.2.1 of
[RFC4301]), the GM SHOULD initiate a registration to the GCKS. This [RFC4301]), the GM SHOULD initiate a registration to the GCKS. This
registration serves as a request for current SAs and will result in registration serves as a request for current SAs and will result in
the download of replacement SAs, assuming the GCKS policy has created the download of replacement SAs, assuming the GCKS policy has created
them. A GM SHOULD also initiate a registration request if a Rekey SA them. A GM SHOULD also initiate a registration request if a Rekey SA
is about to expire and not yet replaced with a new one. is about to expire and not yet replaced with a new one.
2.4.2. GSA_INBAND_REKEY Exchange 2.4.2. GSA_INBAND_REKEY Exchange
When the IKE SA protecting the member registration exchange is When the IKE SA protecting the member registration exchange is
maintained while a group member participates in the group, the GCKS maintained while a GM participates in the group, the GCKS can use the
can use the GSA_INBAND_REKEY exchange to individually provide policy GSA_INBAND_REKEY exchange to individually provide policy updates to
updates to the group member. the GM.
GM (Responder) GCKS (Initiator) GM (Responder) GCKS (Initiator)
---------------- ------------------ ---------------- ------------------
<-- HDR, SK{GSA, KD, [N]} <-- HDR, SK{GSA, KD, [N]}
HDR, SK{} --> HDR, SK{} -->
Figure 12: GSA_INBAND_REKEY Exchange Figure 11: GSA_INBAND_REKEY Exchange
Because this is a normal IKEv2 exchange, the HDR is treated as Because this is a normal IKEv2 exchange, the HDR is treated as
defined in IKEv2 [RFC7296]. defined in IKEv2 [RFC7296].
2.4.2.1. GSA_INBAND_REKEY GCKS Operations 2.4.2.1. GSA_INBAND_REKEY GCKS Operations
The GSA, KD, and N payloads are built in the same manner as in a The GSA, KD, and N payloads are built in the same manner as in a
registration exchange. registration exchange.
2.4.2.2. GSA_INBAND_REKEY GM Operations 2.4.2.2. GSA_INBAND_REKEY GM Operations
The GM processes the GSA, KD, and N payloads in the same manner as if The GM processes the GSA, KD, and N payloads in the same manner as if
they were received in a registration exchange. they were received in a registration exchange.
2.4.3. Deletion of SAs 2.4.3. Deletion of SAs
There are occasions when the GCKS may want to signal to group members There are occasions when the GCKS may want to signal to GMs to delete
to delete policy when the application sending data traffic has ended policy when the application sending data traffic has ended or if
or if group policy has changed. Deletion of SAs is accomplished by group policy has changed. Deletion of SAs is accomplished by sending
sending the Delete Payload described in Section 3.11 of [RFC7296] as the Delete Payload described in Section 3.11 of [RFC7296] as part of
part of the GSA_REKEY pseudo-exchange as shown below. the GSA_REKEY pseudo-exchange as shown below.
GMs (Receivers) GCKS (Sender) GMs (Receivers) GCKS (Sender)
---------------- --------------- ---------------- ---------------
<-- HDR, SK{D, [N,] [AUTH]} <-- HDR, SK{D, [N,] [AUTH]}
Figure 13: SA Deletion in GSA_REKEY Figure 12: SA Deletion in GSA_REKEY
If GCKS has a unicast SA with a group member, then it can use the If GCKS has a unicast SA with a GM, then it can use the
GSA_INBAND_REKEY exchange to delete SAs. GSA_INBAND_REKEY exchange to delete SAs.
GM (Responder) GCKS (Initiator) GM (Responder) GCKS (Initiator)
--------------- ------------------ --------------- ------------------
<-- HDR, SK{D, [N]} <-- HDR, SK{D, [N]}
HDR, SK{} --> HDR, SK{} -->
Figure 14: SA Deletion in GSA_INBAND_REKEY Figure 13: SA Deletion in GSA_INBAND_REKEY
There may be circumstances where the GCKS may want to start over with There may be circumstances where the GCKS may want to start over with
a clean state, e.g., in case it runs out of available Sender-IDs. a clean state, e.g., in case it runs out of available Sender-IDs.
The GCKS can signal deletion of all the Data-Security SAs by sending The GCKS can signal deletion of all the Data-Security SAs by sending
a Delete payload with an SPI value equal to zero. For example, if a Delete payload with an SPI value equal to zero. For example, if
the GCKS wishes to remove the Rekey SA and all the Data-Security SAs, the GCKS wishes to remove the Rekey SA and all the Data-Security SAs,
the GCKS sends a Delete payload with an SPI of zero and a Protocol ID the GCKS sends a Delete payload with an SPI of zero and a Protocol ID
of AH or ESP, followed by another Delete payload with an SPI of zero of AH or ESP, followed by another Delete payload with an SPI of zero
and a Protocol ID of GIKE_UPDATE. and a Protocol ID of GIKE_UPDATE.
If a group member receives a Delete payload with zero SPI and a If a GM receives a Delete payload with zero SPI and a Protocol ID of
Protocol ID of GIKE_UPDATE, it means that the group member is GIKE_UPDATE, it means that the GM is excluded from the group. Such
excluded from the group. Such Delete payload may be received either Delete payload may be received either in the GSA_REKEY pseudo-
in the GSA_REKEY pseudo-exchange or in the GSA_INBAND_REKEY exchange. exchange or in the GSA_INBAND_REKEY exchange. In this situation, the
In this situation, the group member MUST re-register if it wants to GM MUST re-register if it wants to continue participating in this
continue participating in this group. The registration is performed group. The registration is performed as described in Section 2.3.
as described in Section 2.3. It is RECOMMENDED that a GM waits some It is RECOMMENDED that a GM waits some randomly chosen time before
randomly chosen time before initiating a registration request in this initiating a registration request in this situation to avoid
situation to avoid overloading the GCKS. This document doesn't overloading the GCKS. This document doesn't specify the maximum
specify the maximum delay, which is implementation-dependent, but it delay, which is implementation-dependent, but it is believed that the
is believed that the order of seconds suits most situations. Note order of seconds suits most situations. Note that if the unicast SA
that if the unicast SA between the group member and the GCKS exists, between the GM and the GCKS exists, then the GM may use the
then the group member may use the GSA_REGISTRATION exchange to re- GSA_REGISTRATION exchange to re-register. However, after excluding a
register. However, after excluding a GM from the group, the GCKS MAY GM from the group, the GCKS MAY immediately delete the unicast SA
immediately delete the unicast SA with this GM (if any) if the with this GM (if any) if the credentials of this GM are revoked.
credentials of this GM are revoked.
2.5. Counter-Based Modes of Operation 2.5. Counter-Based Modes of Operation
Several counter-based modes of operation have been specified for ESP Several counter-based modes of operation have been specified for ESP
(e.g., AES-CTR [RFC3686], AES-GCM [RFC4106], AES CCM [RFC4309], (e.g., AES-CTR [RFC3686], AES-GCM [RFC4106], AES-CCM [RFC4309],
ChaCha20-Poly1305 [RFC7634], and AES-GMAC [RFC4543]) and AH (e.g., ChaCha20-Poly1305 [RFC7634], and AES-GMAC [RFC4543]) and AH (e.g.,
AES-GMAC [RFC4543]). These counter-based modes require that no two AES-GMAC [RFC4543]). These counter-based modes require that no two
senders in the group ever send a packet with the same IV using the senders in the group ever send a packet with the same IV using the
same cipher key and mode. This requirement is met in G-IKEv2 when same cipher key and mode. This requirement is met in G-IKEv2 when
the following measures are taken: the following measures are taken:
* The GCKS distributes a unique key for each Data-Security SA. * The GCKS distributes a unique key for each Data-Security SA.
* The GCKS uses the method described in [RFC6054], which assigns * The GCKS uses the method described in [RFC6054], which assigns
each sender a portion of the IV space by provisioning each sender each sender a portion of the IV space by provisioning each sender
with one or more unique Sender-ID values. with one or more unique Sender-ID values.
2.5.1. Allocation of Sender-ID 2.5.1. Allocation of Sender-ID
When at least one Data-Security SA included in the group policy When at least one Data-Security SA included in the group policy
includes a counter-based mode of operation, the GCKS automatically includes a counter-based mode of operation, the GCKS automatically
allocates and distributes one Sender-ID to each group member acting allocates and distributes one Sender-ID to each GM acting in the role
in the role of sender on the Data-Security SA. The Sender-ID value of sender on the Data-Security SA. The Sender-ID value is used
is used exclusively by the group sender to which it was allocated. exclusively by the group sender to which it was allocated. The group
The group sender uses the same Sender-ID for each Data-Security SA sender uses the same Sender-ID for each Data-Security SA specifying
specifying the use of a counter-based mode of operation. A GCKS MUST the use of a counter-based mode of operation. A GCKS MUST distribute
distribute unique keys for each Data-Security SA, including a unique keys for each Data-Security SA, including a counter-based mode
counter-based mode of operation in order to maintain unique key and of operation in order to maintain unique key and nonce usage.
nonce usage.
During registration, the group sender can choose to request one or During registration, the group sender can choose to request one or
more Sender-ID values. Requesting a value of 1 is not necessary more Sender-ID values. Requesting a value of 1 is not necessary
since the GCKS will automatically allocate exactly one to the group since the GCKS will automatically allocate exactly one to the group
sender. A group sender MUST request as many Sender-ID values sender. A group sender MUST request as many Sender-ID values
matching the number of encryption modules in which it will be matching the number of encryption modules in which it will be
installing the TEKs in the outbound direction. Alternatively, a installing the TEKs in the outbound direction. Alternatively, a
group sender MAY request more than one Sender-ID and use them group sender MAY request more than one Sender-ID and use them
serially. This could be useful when it is anticipated that the group serially. This could be useful when it is anticipated that the group
sender will exhaust their range of Data-Security SA nonces using a sender will exhaust their range of Data-Security SA nonces using a
skipping to change at line 1270 skipping to change at line 1271
had sent data on the current group Data-Security SAs, it does not had sent data on the current group Data-Security SAs, it does not
know what Data-Security counter-mode nonce values that a group know what Data-Security counter-mode nonce values that a group
sender has used. By distributing new Sender-ID values, the key sender has used. By distributing new Sender-ID values, the key
server ensures that each time a conforming group sender installs server ensures that each time a conforming group sender installs
a Data-Security SA, it will use a unique set of counter-based a Data-Security SA, it will use a unique set of counter-based
mode nonces. mode nonces.
5. When the Sender-ID counter maintained by the GCKS reaches its 5. When the Sender-ID counter maintained by the GCKS reaches its
final Sender-ID value, no more Sender-ID values can be final Sender-ID value, no more Sender-ID values can be
distributed. Before distributing any new Sender-ID values, the distributed. Before distributing any new Sender-ID values, the
GCKS MUST exclude all group members from the group as described GCKS MUST exclude all GMs from the group as described in
in Section 2.4.3. This will result in the group members Section 2.4.3. This will result in the GMs performing re-
performing re-registration, during which they will receive new registration, during which they will receive new Data-Security
Data-Security SAs and group senders will additionally receive new SAs and group senders will additionally receive new Sender-ID
Sender-ID values. The new Sender-ID values can safely be used values. The new Sender-ID values can safely be used because they
because they are only used with the new Data-Security SAs. are only used with the new Data-Security SAs.
2.5.2. GM Usage of Sender-ID 2.5.2. GM Usage of Sender-ID
A GM applies the Sender-ID to Data-Security SAs as follows: A GM applies the Sender-ID to Data-Security SAs as follows:
* The most significant bits of the IV indicated in the * The most significant bits of the IV indicated in the
GWP_SENDER_ID_BITS attribute (Section 4.4.3.1.2) are taken to be GWP_SENDER_ID_BITS attribute (Section 4.4.3.1.2) are taken to be
the Sender-ID field of the IV. the Sender-ID field of the IV.
* The Sender-ID is placed in the least significant bits of the * The Sender-ID is placed in the least significant bits of the
skipping to change at line 1314 skipping to change at line 1315
allowing only a single group sender in each SA if it is desirable to allowing only a single group sender in each SA if it is desirable to
get replay protection with multiple (but still a limited number) of get replay protection with multiple (but still a limited number) of
group senders. group senders.
IPsec architecture assumes that whether anti-replay service is IPsec architecture assumes that whether anti-replay service is
enabled or not is a local matter for an IPsec receiver. In other enabled or not is a local matter for an IPsec receiver. In other
words, an IPsec sender always increments the Sequence Number field in words, an IPsec sender always increments the Sequence Number field in
the ESP/AH header and a receiver decides whether to check for the ESP/AH header and a receiver decides whether to check for
replayed packets or not. Since it is known in some cases that the replayed packets or not. Since it is known in some cases that the
replay protection is not possible (like in an SA with many group replay protection is not possible (like in an SA with many group
senders), a new transform ID "32-bit Unspecified Numbers" is defined senders), a new Transform ID "32-bit Unspecified Numbers" is defined
for the Sequence Numbers (SNs) transform type. Using this transform for the Sequence Numbers (SNs) Transform Type. Using this Transform
ID, the GCKS can inform group members that the uniqueness of sequence ID, the GCKS can inform GMs that the uniqueness of sequence numbers
numbers for a given SA is not guaranteed. The decision of whether to for a given SA is not guaranteed. The decision of whether to enable
enable anti-replay service is still a local matter of a GM (in anti-replay service is still a local matter of a GM (in accordance
accordance with IPsec architecture). with IPsec architecture).
The GCKS MUST include the Sequence Numbers transform in the GSA The GCKS MUST include the Sequence Numbers transform in the GSA
payload for every Data-Security SA. See Section 4.4.2.1.3 for more payload for every Data-Security SA. See Section 4.4.2.1.3 for more
details. details.
When a Data-Security SA has a single sender, the GCKS MUST be When a Data-Security SA has a single sender, the GCKS MUST be
configured to rekey the SA frequently enough so that the 32-bit configured to rekey the SA frequently enough so that the 32-bit
sequence numbers do not wrap. sequence numbers do not wrap.
2.7. Encryption Transforms with Implicit IV 2.7. Encryption Transforms with Implicit IV
skipping to change at line 1352 skipping to change at line 1353
3. Group Key Management and Access Control 3. Group Key Management and Access Control
Through the G-IKEv2 rekey, G-IKEv2 supports algorithms such as Through the G-IKEv2 rekey, G-IKEv2 supports algorithms such as
Logical Key Hierarchy (LKH) that have the property of denying access Logical Key Hierarchy (LKH) that have the property of denying access
to a new group key by a member removed from the group (forward access to a new group key by a member removed from the group (forward access
control) and to an old group key by a member added to the group control) and to an old group key by a member added to the group
(backward access control). This is unrelated to the Perfect Forward (backward access control). This is unrelated to the Perfect Forward
Secrecy (PFS) property as defined in Section 2.12 of [RFC7296]. Secrecy (PFS) property as defined in Section 2.12 of [RFC7296].
Group management algorithms providing forward and backward access Group management algorithms providing forward and backward access
control other than LKH have been proposed in the literature, control other than LKH have also been proposed, for example, OFT
including OFT [OFT] and Subset Difference [NNL]. These algorithms [OFT] and Subset Difference [NNL]. These algorithms could be used
could be used with G-IKEv2 but are not specified as a part of this with G-IKEv2 but are not specified as a part of this document.
document.
This specification assumes that all group keys, that are sent to the This specification assumes that all group keys, that are sent to the
GMs by the GCKS, are encrypted with some other keys, called Key Wrap GMs by the GCKS, are encrypted with some other keys, called Key Wrap
Keys (KWKs). The Key Wrap Algorithm transform defines the algorithm Keys (KWKs). The Key Wrap Algorithm transform defines the algorithm
used for key wrapping in the context of an SA. used for key wrapping in the context of an SA.
3.1. Key Wrap Keys 3.1. Key Wrap Keys
Every GM always knows at least one KWK -- the KWK that is associated Every GM always knows at least one KWK -- the KWK that is associated
with the IKE SA or multicast Rekey SA over which wrapped keys are with the IKE SA or multicast Rekey SA over which wrapped keys are
skipping to change at line 1387 skipping to change at line 1387
of the key for the Encryption Algorithm transform for the Rekey SA of the key for the Encryption Algorithm transform for the Rekey SA
and for all Data-Security SAs in the group (taking the Key Length and for all Data-Security SAs in the group (taking the Key Length
attribute into consideration if it is present). attribute into consideration if it is present).
3.1.1. Default Key Wrap Key 3.1.1. Default Key Wrap Key
The default KWK (GSK_w) is only used in the context of a single IKE The default KWK (GSK_w) is only used in the context of a single IKE
SA. Every IKE SA (unicast IKE SA or multicast Rekey SA) will have SA. Every IKE SA (unicast IKE SA or multicast Rekey SA) will have
its own GSK_w. its own GSK_w.
For the unicast IKE SA (used for the GM registration and for the For the unicast IKE SA (used for the GM registration and for
GSA_INBAND_REKEY exchanges, if they are take place), the GSK_w is GSA_INBAND_REKEY exchanges if they appear), the GSK_w is computed as
computed as follows: follows:
GSK_w = prf+(SK_d, "Key Wrap for G-IKEv2") GSK_w = prf+(SK_d, "Key Wrap for G-IKEv2")
where the string "Key Wrap for G-IKEv2" is 20 ASCII characters where the string "Key Wrap for G-IKEv2" is 20 ASCII characters
without null termination. without null termination.
For the multicast Rekey SA, the GSK_w is provided along with other SA For the multicast Rekey SA, the GSK_w is provided along with other SA
keys as defined in Section 3.4. keys as defined in Section 3.4.
3.2. GCKS Key Management Semantics 3.2. GCKS Key Management Semantics
skipping to change at line 1436 skipping to change at line 1436
because the GSA TEK policy and the associated keys are not protected because the GSA TEK policy and the associated keys are not protected
with the new KEK. A second G-IKEv2 rekey message can deliver the new with the new KEK. A second G-IKEv2 rekey message can deliver the new
GSA TEK policies and their associated keys because it will be GSA TEK policies and their associated keys because it will be
protected with the new KEK and thus will not be visible to the protected with the new KEK and thus will not be visible to the
members who were denied access. members who were denied access.
If forward access control policy for the group includes keeping group If forward access control policy for the group includes keeping group
policy changes from members that are denied access to the group, then policy changes from members that are denied access to the group, then
two sequential G-IKEv2 rekey messages changing the group KEK MUST be two sequential G-IKEv2 rekey messages changing the group KEK MUST be
sent by the GCKS. The first G-IKEv2 rekey message creates a new KEK sent by the GCKS. The first G-IKEv2 rekey message creates a new KEK
for the group. Group members, which are denied access, will not be for the group. GMs, which are denied access, will not be able to
able to access the new KEK, but they will see the group policy since access the new KEK, but they will see the group policy since the
the G-IKEv2 rekey message is protected under the current KEK. A G-IKEv2 rekey message is protected under the current KEK. A
subsequent G-IKEv2 rekey message containing the changed group policy subsequent G-IKEv2 rekey message containing the changed group policy
and again changing the KEK allows complete forward access control. A and again changing the KEK allows complete forward access control. A
G-IKEv2 rekey message MUST NOT change the policy without creating a G-IKEv2 rekey message MUST NOT change the policy without creating a
new KEK. new KEK.
If other methods of using LKH or other group management algorithms If other methods of using LKH or other group management algorithms
are added to G-IKEv2, those methods MAY remove the above restrictions are added to G-IKEv2, those methods MAY remove the above restrictions
requiring multiple G-IKEv2 rekey messages, providing those methods requiring multiple G-IKEv2 rekey messages, providing those methods
specify how the forward access control policy is maintained within a specify how the forward access control policy is maintained within a
single G-IKEv2 rekey message. single G-IKEv2 rekey message.
skipping to change at line 1549 skipping to change at line 1549
bullet from Section 2.17 of [RFC7296]. In particular, for the ESP bullet from Section 2.17 of [RFC7296]. In particular, for the ESP
and AH SAs, the encryption key (if any) MUST be taken from the and AH SAs, the encryption key (if any) MUST be taken from the
leftmost bits of the keying material and the integrity key (if any) leftmost bits of the keying material and the integrity key (if any)
MUST be taken from the remaining bits. MUST be taken from the remaining bits.
For a Rekey SA, the following keys are taken from the keying For a Rekey SA, the following keys are taken from the keying
material: material:
GSK_e | GSK_a | GSK_w = KEYMAT GSK_e | GSK_a | GSK_w = KEYMAT
Figure 15
where GSK_e and GSK_a are the keys used for the Encryption Algorithm where GSK_e and GSK_a are the keys used for the Encryption Algorithm
and the Integrity Algorithm transforms for the corresponding SA and and the Integrity Algorithm transforms, respectively, for the
GSK_w is a default KWK for this SA. Note that GSK_w is used with the corresponding SA and GSK_w is a default KWK for this SA. Note that
key wrap algorithm specified in the Key Wrap Algorithm transform. If GSK_w is used with the key wrap algorithm specified in the Key Wrap
an AEAD algorithm is used for encryption, then the GSK_a key will not Algorithm transform. If an AEAD algorithm is used for encryption,
be used (GM can use the formula above assuming the length of GSK_a is then the GSK_a key will not be used (GM can use the formula above
zero). assuming the length of GSK_a is zero).
4. Header and Payload Formats 4. Header and Payload Formats
The G-IKEv2 is an IKEv2 extension and thus inherits its wire format The G-IKEv2 is an IKEv2 extension and thus inherits its wire format
for data structures. However, the processing of some payloads are for data structures. However, the processing of some payloads are
different. Several new payloads are defined: Group Identification different. Several new payloads are defined: Group Identification
(IDg) (Section 4.2), Security Association - GM Supported Transforms (IDg) (Section 4.2), Security Association - GM Supported Transforms
(SAg) (Section 4.3), Group Security Association (GSA) (Section 4.4), (SAg) (Section 4.3), Group Security Association (GSA) (Section 4.4),
and Key Download (KD) (Section 4.5). The G-IKEv2 header and Key Download (KD) (Section 4.5). The G-IKEv2 header
(Section 4.1), IDg payload, and SAg payload reuse the IKEv2 format (Section 4.1), IDg payload, and SAg payload reuse the IKEv2 format
skipping to change at line 1584 skipping to change at line 1582
4.1. G-IKEv2 Header 4.1. G-IKEv2 Header
G-IKEv2 uses the same IKE header format as specified in Section 3.1 G-IKEv2 uses the same IKE header format as specified in Section 3.1
of [RFC7296]. The Major Version is 2 and the Minor Version is 0, as of [RFC7296]. The Major Version is 2 and the Minor Version is 0, as
in IKEv2. IKE SA Initiator's SPI, IKE SA Responder's SPI, Flags, in IKEv2. IKE SA Initiator's SPI, IKE SA Responder's SPI, Flags,
Message ID, and Length are as specified in [RFC7296]. Message ID, and Length are as specified in [RFC7296].
4.2. Group Identification Payload 4.2. Group Identification Payload
The Group Identification (IDg) payload allows the group member to The Group Identification (IDg) payload allows the GM to indicate
indicate which group it wants to join. The payload is constructed by which group it wants to join. The payload is constructed by using
using the IKEv2 Identification Payload (Section 3.5 of [RFC7296]). the IKEv2 Identification Payload (Section 3.5 of [RFC7296]). ID type
ID type ID_KEY_ID MUST be supported. ID types ID_IPV4_ADDR, ID_FQDN, ID_KEY_ID MUST be supported. ID types ID_IPV4_ADDR, ID_FQDN,
ID_RFC822_ADDR, and ID_IPV6_ADDR SHOULD be supported. ID types ID_RFC822_ADDR, and ID_IPV6_ADDR SHOULD be supported. ID types
ID_DER_ASN1_DN and ID_DER_ASN1_GN are not expected to be used. The ID_DER_ASN1_DN and ID_DER_ASN1_GN are not expected to be used. The
Payload Type for the IDg payload is fifty (50). Payload Type for the IDg payload is fifty (50).
4.3. Security Association - GM Supported Transforms Payload 4.3. Security Association - GM Supported Transforms Payload
The Security Association - GM Supported Transforms (SAg) payload The Security Association - GM Supported Transforms (SAg) payload
declares which Transforms a GM is willing to accept. The payload is declares which Transforms a GM is willing to accept. The payload is
constructed using the format of the IKEv2 Security Association constructed using the format of the IKEv2 Security Association
payload (Section 3.3 of [RFC7296]). The Payload Type for SAg payload (Section 3.3 of [RFC7296]). The Payload Type for SAg
skipping to change at line 1617 skipping to change at line 1615
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Payload |C| RESERVED | Payload Length | | Next Payload |C| RESERVED | Payload Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
~ <Group Policies> ~ ~ <Group Policies> ~
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 16: GSA Payload Format Figure 14: GSA Payload Format
The Security Association payload fields are defined as follows: The GSA payload fields are defined as follows:
Next Payload, C, RESERVED, and Payload Length fields: Next Payload, C, RESERVED, and Payload Length fields:
Comprise the IKEv2 Generic Payload Header and are defined in Comprise the IKEv2 generic payload header and are defined in
Section 3.2 of [RFC7296]. Section 3.2 of [RFC7296].
Group Policies (variable): Group Policies (variable):
A set of group policies for the group. A set of group policies for the group.
4.4.1. Group Policies 4.4.1. Group Policies
Group policies are comprised of two types: Group SA (GSA) policy and Group policies are comprised of two types: group SA policy and group-
Group-wide (GW) policy. GSA policy defines parameters for the wide (GW) policy. Group SA policy defines parameters for the
Security Association of the group. Depending on the employed Security Association of the group. Depending on the employed
security protocol, GSA policies may further be classified as Rekey SA security protocol, group SA policies may further be classified as
policy (GSA KEK) and Data-Security SA policy (GSA TEK). GSA payload Rekey SA (GSA KEK) policy and Data-Security (GSA TEK) SA policy. GSA
may contain zero or one GSA KEK policy, zero or more GSA TEK payload may contain zero or one GSA KEK policy, zero or more GSA TEK
policies, and zero or one GW policy, where either one GSA KEK or one policies, and zero or one GW policy, where either one GSA KEK or one
GSA TEK policy MUST be present. GSA TEK policy MUST be present.
This latitude allows various group policies to be accommodated. For This latitude allows various group policies to be accommodated. For
example, if the group policy does not require the use of a Rekey SA, example, if the group policy does not require the use of a Rekey SA,
the GCKS would not need to send a GSA KEK policy to the group member the GCKS would not need to send a GSA KEK policy to the group member
since all SA updates would be performed using the GSA_INBAND_REKEY since all SA updates would be performed using the GSA_INBAND_REKEY
exchange via the unicast IKE SA. Alternatively, group policy might exchange via the unicast IKE SA. Alternatively, group policy might
use a Rekey SA but choose to download a KEK to the group member only use a Rekey SA but choose to download a KEK to the GM only as part of
as part of the unicast IKE SA. Therefore, the GSA KEK policy would the unicast IKE SA. Therefore, the GSA KEK policy would not be
not be necessary as part of the GSA_REKEY message. necessary as part of the GSA_REKEY message.
Specifying multiple GSA TEKs allows multiple related data streams Specifying multiple GSA TEKs allows multiple related data streams
(e.g., video, audio, and text) to be associated with a session, but (e.g., video, audio, and text) to be associated with a session, but
each are protected with an individual security association policy. each are protected with an individual Security Association.
A GW policy allows for the distribution of group-wide policy, such as A GW policy allows for the distribution of group-wide policy, such as
instructions for when to activate and deactivate SAs. instructions for when to activate and deactivate SAs.
Policies are distributed in substructures to the GSA payload. The Policies are distributed in substructures to the GSA payload. The
format of the substructures is defined in Section 4.4.2 (for GSA format of the substructures is defined in Section 4.4.2 (for group SA
policy) and in Section 4.4.3 (for GW policy). The first octet of the policy) and in Section 4.4.3 (for GW policy). The first octet of the
substructure unambiguously determines its type; it is zero for GW substructure unambiguously determines its type; it is zero for GW
policy and non-zero (actually, it is a security Protocol ID) for GSA policy and non-zero (actually, it contains a Security Protocol
policies. Identifier) for group SA policies.
4.4.2. Group Security Association Policy Substructure 4.4.2. Group Security Association Policy Substructure
The GSA policy substructure contains parameters for the SA that are The group SA policy substructure contains parameters for a single SA
used with this group. Depending on the security protocol, the SA is that is used with this group. Depending on the security protocol,
either a Rekey SA or a Data-Security SA (ESP and AH). The GCKS MUST the SA is either a Rekey SA or a Data-Security SA (ESP and AH). The
NOT distribute both ESP and AH policies for the same set of Traffic GCKS MUST NOT distribute both ESP and AH policies for the same set of
Selectors. Traffic Selectors.
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Protocol | SPI Size | Length | | Protocol | SPI Size | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
~ SPI ~ ~ SPI ~
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
~ Source Traffic Selector ~ ~ Source Traffic Selector ~
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
~ Destination Traffic Selector ~ ~ Destination Traffic Selector ~
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
~ <GSA Transforms> ~ ~ <Group SA Transforms> ~
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
~ <GSA Attributes> ~ ~ <Group SA Attributes> ~
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 17: GSA Policy Substructure Format Figure 15: Group SA Policy Substructure Format
The GSA policy fields are defined as follows: The group SA policy fields are defined as follows:
Protocol (1 octet): Protocol (1 octet):
Identifies the security protocol for this group SA. The values Identifies the security protocol for this group SA. The values
are defined in the "IKEv2 Security Protocol Identifiers" registry are defined in the "IKEv2 Security Protocol Identifiers" registry
in [IKEV2-IANA]. The valid values for this field are 6 in [IKEV2-IANA]. The valid values for this field are 6
(GIKE_UPDATE) for Rekey SA and 2 (AH) or 3 (ESP) for Data-Security (GIKE_UPDATE) for Rekey SA and 2 (AH) or 3 (ESP) for Data-Security
SAs. SAs.
SPI Size (1 octet): SPI Size (1 octet):
Size of the SPI for the SA. SPI size depends on the SA protocol. Size of the SPI for the SA. SPI size depends on the SA protocol.
It is 16 octets for GIKE_UPDATE and 4 octets for AH and ESP. It is 16 octets for GIKE_UPDATE and 4 octets for AH and ESP.
Length (2 octets, unsigned integer): Length (2 octets, unsigned integer):
Length of this substructure including the header. Length of this substructure including the header.
SPI (variable): SPI (variable):
Security Parameter Index for the group SA. The size of this field Security Parameter Index for the group SA. The size of this field
is determined by the SPI Size field. As described above, these is determined by the SPI Size field. As described above, these
SPIs are assigned by the GCKS. In the case of GIKE_UPDATE, the SPIs are assigned by the GCKS. In the case of GIKE_UPDATE, the
SPI is the IKEv2 Header SPI pair where the first 8 octets become SPI is the IKEv2 header SPI pair where the first 8 octets become
the "IKE SA Initiator's SPI" field in the G-IKEv2 rekey message the "IKE SA Initiator's SPI" field in the G-IKEv2 rekey message
IKEv2 HDR, and the second 8 octets become the "IKE SA Responder's IKEv2 HDR, and the second 8 octets become the "IKE SA Responder's
SPI" in the same HDR. SPI" in the same HDR.
Source & Destination Traffic Selectors (variable): Source & Destination Traffic Selectors (variable):
Substructures describing the source and destination of the network Substructures describing the source and destination of the network
identities. The format for these substructures is defined in identities. The format for these substructures is defined in
IKEv2 (Section 3.13.1 of [RFC7296]). IKEv2 (Section 3.13.1 of [RFC7296]).
For the Rekey SA (with the GIKE_UPDATE protocol), the destination For the Rekey SA (with the GIKE_UPDATE protocol), the destination
skipping to change at line 1748 skipping to change at line 1746
in this case will usually define a single IP address or be a in this case will usually define a single IP address or be a
wildcard selector. An IP protocol and ports define the wildcard selector. An IP protocol and ports define the
characteristics of traffic protected by this Data-Security SA. characteristics of traffic protected by this Data-Security SA.
If the Data-Security SAs are created in tunnel mode, then it MUST If the Data-Security SAs are created in tunnel mode, then it MUST
be tunnel mode with address preservation (see Multicast Extensions be tunnel mode with address preservation (see Multicast Extensions
to the Security Architecture [RFC5374]. UDP encapsulation of ESP to the Security Architecture [RFC5374]. UDP encapsulation of ESP
packets [RFC3948] cannot be specified in G-IKEv2 and thus is not packets [RFC3948] cannot be specified in G-IKEv2 and thus is not
used for the multicast Data-Security SAs. used for the multicast Data-Security SAs.
GSA Transforms (variable): Group SA Transforms (variable):
A list of Transform Substructures specifies the policy information A list of Transform Substructures specifies the policy information
for the SA. The format is defined in IKEv2 (Section 3.3.2 of for the SA. The format is defined in IKEv2 (Section 3.3.2 of
[RFC7296]). The "Last Substruc" field in each Transform [RFC7296]). The "Last Substruc" field in each Transform
Substructure is set to 3 except for the last Transform Substructure is set to 3 except for the last Transform
Substructure, where it is set to 0. Section 4.4.2.1 describes Substructure, where it is set to 0. Section 4.4.2.1 describes
using IKEv2 transforms in GSA policy substructure. using IKEv2 transforms in the group SA policy substructure.
GSA Attributes (variable): Group SA Attributes (variable):
Contains policy attributes associated with the group SA. The Contains policy attributes associated with the group SA. The
following sections describe the possible attributes. Any or all following sections describe the possible attributes. Any or all
attributes may be optional, depending on the protocol and the attributes may be optional, depending on the protocol and the
group policy. Section 4.4.2.2 defines attributes used in GSA group policy. Section 4.4.2.2 defines attributes used in the
policy substructure. group SA policy substructure.
4.4.2.1. GSA Transforms 4.4.2.1. Group SA Transforms
GSA policy is defined by the means of transforms in the GSA policy Group SA policy is defined by the means of transforms in the group SA
substructure. For this purpose, the transforms defined in [RFC7296] policy substructure. For this purpose, the transforms defined in
are used. In addition, new transform types are defined for use in [RFC7296] are used. In addition, new Transform Types are defined for
G-IKEv2: Group Controller Authentication Method (GCAUTH) and Key Wrap use in G-IKEv2: Group Controller Authentication Method (GCAUTH) and
Algorithm (KWA); see Section 9. Key Wrap Algorithm (KWA); see Section 9.
Valid transform types depend on the SA protocol and are summarized in Valid Transform Types depend on the SA protocol and are summarized in
the table below. Exactly one instance of each mandatory transform the table below. Exactly one instance of each mandatory Transform
type and at most one instance of each optional transform type MUST be Type and at most one instance of each optional Transform Type MUST be
present in the GSA policy substructure. present in the group SA policy substructure.
+=============+=============================+================+ +=============+=============================+================+
| Protocol | Mandatory Types | Optional Types | | Protocol | Mandatory Types | Optional Types |
+=============+=============================+================+ +=============+=============================+================+
| GIKE_UPDATE | ENCR, INTEG*, GCAUTH**, KWA | | | GIKE_UPDATE | ENCR, INTEG*, GCAUTH**, KWA | |
+-------------+-----------------------------+----------------+ +-------------+-----------------------------+----------------+
| ESP | ENCR, SN | INTEG | | ESP | ENCR, SN | INTEG |
+-------------+-----------------------------+----------------+ +-------------+-----------------------------+----------------+
| AH | INTEG, SN | | | AH | INTEG, SN | |
+-------------+-----------------------------+----------------+ +-------------+-----------------------------+----------------+
skipping to change at line 1804 skipping to change at line 1802
(**): May only appear at the time of a GM registration (in the (**): May only appear at the time of a GM registration (in the
GSA_AUTH and GSA_REGISTRATION exchanges). GSA_AUTH and GSA_REGISTRATION exchanges).
4.4.2.1.1. Group Controller Authentication Method Transform 4.4.2.1.1. Group Controller Authentication Method Transform
The Group Controller Authentication Method (GCAUTH) transform is used The Group Controller Authentication Method (GCAUTH) transform is used
to convey information on how the GCKS will authenticate the GSA_REKEY to convey information on how the GCKS will authenticate the GSA_REKEY
messages. messages.
This document creates a new IKEv2 IANA registry for transform IDs of This document creates a new IKEv2 IANA registry for Transform IDs of
this transform type, which has been initially populated as described this Transform Type, which has been initially populated as described
in Section 9. In particular, the following entries have been added: in Section 9. In particular, the following entries have been added:
+========================================+=======+ +=======+========================================+
| Group Controller Authentication Method | Value | | Value | Group Controller Authentication Method |
+========================================+=======+ +=======+========================================+
| Reserved | 0 | | 0 | Reserved |
+----------------------------------------+-------+ +-------+----------------------------------------+
| Implicit | 1 | | 1 | Implicit |
+----------------------------------------+-------+ +-------+----------------------------------------+
| Digital Signature | 2 | | 2 | Digital Signature |
+----------------------------------------+-------+ +-------+----------------------------------------+
Table 3 Table 3: Group Controller Authentication
Method Transform IDs
These transform IDs are defined as follows: These Transform IDs are defined as follows:
Implicit: Implicit:
No authentication of the GSA_REKEY messages will be provided by No authentication of the GSA_REKEY messages will be provided by
the GCKS besides the ability for the GMs to correctly decrypt them the GCKS besides the ability for the GMs to correctly decrypt them
and verify their ICV. In this case, the GCKS MUST NOT include the and verify their ICV. In this case, the GCKS MUST NOT include the
AUTH_KEY attribute into the KD payload. Additionally, the AUTH AUTH_KEY attribute into the KD payload. Additionally, the AUTH
payload MUST NOT be included in the GIKE_UPDATE messages. payload MUST NOT be included in the GIKE_UPDATE messages.
Digital Signature Digital Signature
Digital signatures will be used by the GCKS to authenticate the Digital signatures will be used by the GCKS to authenticate the
skipping to change at line 1842 skipping to change at line 1841
AUTH_KEY attribute containing the public key into the KD payload AUTH_KEY attribute containing the public key into the KD payload
at the time the GM is registered to the group. To specify the at the time the GM is registered to the group. To specify the
details of the signature algorithm, a new attribute Signature details of the signature algorithm, a new attribute Signature
Algorithm Identifier (value 18) is defined. This attribute Algorithm Identifier (value 18) is defined. This attribute
contains DER-encoded ASN.1 object AlgorithmIdentifier, which contains DER-encoded ASN.1 object AlgorithmIdentifier, which
specifies the signature algorithm and the hash function that the specifies the signature algorithm and the hash function that the
GCKS will use for authentication. The AlgorithmIdentifier object GCKS will use for authentication. The AlgorithmIdentifier object
is defined in Section 4.1.1.2 of [RFC5280]. Also, see [RFC7427] is defined in Section 4.1.1.2 of [RFC5280]. Also, see [RFC7427]
for the list of common AlgorithmIdentifier values used in IKEv2. for the list of common AlgorithmIdentifier values used in IKEv2.
In the case of the Digital Signature transform ID, the GCKS MUST In the case of the Digital Signature Transform ID, the GCKS MUST
include the Signature Algorithm Identifier attribute in the Group include the Signature Algorithm Identifier attribute in the Group
Controller Authentication Method transform. In this case, the Controller Authentication Method transform. In this case, the
AUTH payload in the GIKE_UPDATE messages MUST contain the Digital AUTH payload in the GIKE_UPDATE messages MUST contain the Digital
Signature authentication method (value 14) and be formatted as Signature authentication method (value 14) and be formatted as
defined in Section 3 of [RFC7427]. The AlgorithmIdentifier ASN.1 defined in Section 3 of [RFC7427]. The AlgorithmIdentifier ASN.1
object in the AUTH payload MUST match the content of the Signature object in the AUTH payload MUST match the content of the Signature
Algorithm Identifier attribute in the Group Controller Algorithm Identifier attribute in the Group Controller
Authentication Method transform. The Signature Algorithm Authentication Method transform. The Signature Algorithm
Identifier attribute is only meaningful for the Digital Signature Identifier attribute is only meaningful for the Digital Signature
transform ID and MUST NOT be used with other transform IDs. Transform ID and MUST NOT be used with other Transform IDs.
More authentication methods may be defined in the future. More authentication methods may be defined in the future.
The authentication method MUST NOT change as a result of rekey The authentication method MUST NOT change as a result of rekey
operations. This means that the Group Controller Authentication operations. This means that the Group Controller Authentication
Method transform MUST NOT appear in the rekey messages; it may only Method transform MUST NOT appear in the rekey messages; it may only
appear in the registration exchange (either GSA_AUTH or appear in the registration exchange (either GSA_AUTH or
GSA_REGISTRATION). GSA_REGISTRATION).
The type of the Group Controller Authentication Method transform is The type of the Group Controller Authentication Method transform is
skipping to change at line 1875 skipping to change at line 1874
4.4.2.1.2. Key Wrap Algorithm Transform 4.4.2.1.2. Key Wrap Algorithm Transform
The Key Wrap Algorithm (KWA) transform is used to convey information The Key Wrap Algorithm (KWA) transform is used to convey information
about an algorithm that is used for key wrapping in G-IKEv2. See about an algorithm that is used for key wrapping in G-IKEv2. See
Section 4.5.4 for details. Section 4.5.4 for details.
This document creates a new IKEv2 IANA registry for the key wrap This document creates a new IKEv2 IANA registry for the key wrap
algorithms, which has been initially populated as described in algorithms, which has been initially populated as described in
Section 9. In particular, the following entries have been added: Section 9. In particular, the following entries have been added:
+====================+=======+ +=======+====================+
| Key Wrap Algorithm | Value | | Value | Key Wrap Algorithm |
+====================+=======+ +=======+====================+
| Reserved | 0 | | 0 | Reserved |
+--------------------+-------+ +-------+--------------------+
| KW_5649_128 | 1 | | 1 | KW_5649_128 |
+--------------------+-------+ +-------+--------------------+
| KW_5649_192 | 2 | | 2 | KW_5649_192 |
+--------------------+-------+ +-------+--------------------+
| KW_5649_256 | 3 | | 3 | KW_5649_256 |
+--------------------+-------+ +-------+--------------------+
| KW_ARX | 4 | | 4 | KW_ARX |
+--------------------+-------+ +-------+--------------------+
Table 4 Table 4: Key Wrap
Algorithm Transform IDs
These algorithms are defined as follows: These algorithms are defined as follows:
KW_5649_128, KW_5649_192, KW_5649_256: KW_5649_128, KW_5649_192, KW_5649_256:
The key wrap algorithm defined in [RFC5649] with a 128-bit, The key wrap algorithm defined in [RFC5649] with a 128-bit,
192-bit, and 256-bit key, respectively. This key wrap algorithm 192-bit, and 256-bit key, respectively. This key wrap algorithm
is designed for use with AES block cipher. is designed for use with AES block cipher.
KW_ARX: KW_ARX:
The ARX-KW-8-2-4-GX key wrap algorithm defined in [ARX-KW]. This The ARX-KW-8-2-4-GX key wrap algorithm defined in [ARX-KW]. This
key wrap algorithm is designed for use with Chacha20 stream key wrap algorithm is designed for use with Chacha20 stream
cipher. cipher.
More key wrap algorithms may be defined in the future. The More key wrap algorithms may be defined in the future. The
requirement is that these algorithms MUST be able to wrap key requirement is that these algorithms must be able to wrap key
material of size up to 256 bytes. material of size up to 256 bytes.
The type of the Key Wrap Algorithm transform is 13. The type of the Key Wrap Algorithm transform is 13.
4.4.2.1.3. Sequence Numbers Transform 4.4.2.1.3. Sequence Numbers Transform
The Sequence Numbers (SNs) transform type is defined in [RFC9827]. The Sequence Numbers (SNs) Transform Type is defined in [RFC9827].
This transform describes the properties of sequence numbers of IPsec This transform describes the properties of sequence numbers of IPsec
packets. There are currently two transform IDs defined for this packets. There are currently two Transform IDs defined for this
transform type: "32-bit Sequential Numbers" and "Partially Transform Type: "32-bit Sequential Numbers" and "Partially
Transmitted 64-bit Sequential Numbers" that correspond to non-ESN and Transmitted 64-bit Sequential Numbers" that correspond to non-ESN and
ESN cases from AH [RFC4302] and ESP [RFC4303] specifications. ESN cases from AH [RFC4302] and ESP [RFC4303] specifications.
Transform ID "32-bit Sequential Numbers" SHOULD be used by the GCKS Transform ID "32-bit Sequential Numbers" SHOULD be used by the GCKS
for single-sender multicast Data-Security SAs utilizing protocols ESP for single-sender multicast Data-Security SAs utilizing protocols ESP
or AH. or AH.
Since both AH [RFC4302] and ESP [RFC4303] are defined in such a way Since both AH [RFC4302] and ESP [RFC4303] are defined in such a way
that high-order 32 bits of extended sequence numbers are never that high-order 32 bits of extended sequence numbers are never
transmitted, it makes using ESN in multicast Data-Security SAs transmitted, it makes using ESN in multicast Data-Security SAs
problematic because GMs that join the group long after it is created problematic because GMs that join the group long after it is created
will have to somehow learn the current high-order 32 bits of ESN for will have to somehow learn the current high-order 32 bits of ESN for
each sender in the group. The algorithm for doing this described in each sender in the group. The algorithm for doing this described in
AH [RFC4302] and ESP [RFC4303] is resource-consuming and is only AH [RFC4302] and ESP [RFC4303] is resource-consuming and is only
suitable when a receiver is able to guess the high-order 32 bits suitable when a receiver is able to guess the high-order 32 bits
close enough to its real value, which is not the case for multicast close enough to its real value, which is not the case for multicast
SAs. For this reason, the "Partially Transmitted 64-bit Sequential SAs. For this reason, the "Partially Transmitted 64-bit Sequential
Numbers" transform ID MUST NOT be used for multicast Data-Security Numbers" Transform ID MUST NOT be used for multicast Data-Security
SAs utilizing protocols ESP or AH. SAs utilizing protocols ESP or AH.
This document defines a new transform ID for this transform type: This document defines a new Transform ID for this Transform Type:
32-bit Unspecified Numbers (2). This transform ID defines the "32-bit Unspecified Numbers" (2). This Transform ID defines the
following properties. Sequence numbers are 32 bits in size and are following properties:
transmitted in the Sequence Number field of AH and ESP packets. The
value of sequence numbers is not guaranteed to be unique for the * Sequence numbers are 32 bits in size and are transmitted in the
duration of an SA, thus they are not suitable for replay protection. Sequence Number field of AH and ESP packets.
This transform ID MUST be used by the GCKS in case of multi-sender
* The value of sequence numbers is not guaranteed to be unique for
the duration of an SA, thus they are not suitable for replay
protection.
This Transform ID MUST be used by the GCKS in case of multi-sender
multicast Data-Security SAs utilizing protocols ESP or AH to inform multicast Data-Security SAs utilizing protocols ESP or AH to inform
the GMs that the replay protection is not expected to be possible. the GMs that the replay protection is not expected to be possible.
The GCKS MAY also use this transform ID for single-sender multicast The GCKS MAY also use this Transform ID for single-sender multicast
Data-Security SAs if replay protection is not needed (e.g., it is Data-Security SAs if replay protection is not needed (e.g., it is
done on the application level). done on the application level).
4.4.2.2. GSA Attributes 4.4.2.2. Group SA Attributes
GSA attributes are generally used to provide GMs with additional Group SA attributes are generally used to provide GMs with additional
parameters for the GSA policy. Unlike security parameters parameters for the group SA policy. Unlike security parameters
distributed via transforms, which are expected not to change over distributed via transforms, which are expected not to change over
time (unless the policy changes), the parameters distributed via GSA time (unless the policy changes), the parameters distributed via
attributes may depend on the time the provision takes place, on the group SA attributes may depend on the time the provision takes place,
existence of others group SAs, or on other conditions. on the existence of other group SAs, or on other conditions.
This document creates a new IKEv2 IANA registry for the types of GSA This document creates a new IKEv2 IANA registry for the types of
attributes, which has been initially populated as described in group SA attributes, which has been initially populated as described
Section 9. In particular, the following attributes have been added: in Section 9. In particular, the following attributes have been
added:
+========================+=====+======+============+==============+ +=====+========================+======+============+==============+
| GSA Attributes |Value|Format|Multi-Valued| Used in | |Value| Group SA Attributes |Format|Multi-Valued| Used in |
| | | | | Protocol | | | | | | Protocol |
+========================+=====+======+============+==============+ +=====+========================+======+============+==============+
| Reserved |0 | |0 | Reserved | |
+------------------------+-----+------+------------+--------------+ +-----+------------------------+------+------------+--------------+
| GSA_KEY_LIFETIME |1 |TLV |NO | GIKE_UPDATE, | |1 | GSA_KEY_LIFETIME |TLV |NO | GIKE_UPDATE, |
| | | | | AH, ESP | | | | | | AH, ESP |
+------------------------+-----+------+------------+--------------+ +-----+------------------------+------+------------+--------------+
| GSA_INITIAL_MESSAGE_ID |2 |TLV |NO | GIKE_UPDATE | |2 | GSA_INITIAL_MESSAGE_ID |TLV |NO | GIKE_UPDATE |
+------------------------+-----+------+------------+--------------+ +-----+------------------------+------+------------+--------------+
| GSA_NEXT_SPI |3 |TLV |YES | GIKE_UPDATE, | |3 | GSA_NEXT_SPI |TLV |YES | GIKE_UPDATE, |
| | | | | AH, ESP | | | | | | AH, ESP |
+------------------------+-----+------+------------+--------------+ +-----+------------------------+------+------------+--------------+
Table 5 Table 5: Group SA Attributes
The attributes follow the format defined in IKEv2 (Section 3.3.5 of The attributes follow the format defined in IKEv2 (Section 3.3.5 of
[RFC7296]). The "Format" column defines what attribute format is [RFC7296]). The "Format" column defines what attribute format is
allowed: Type/Length/Value (TLV) or Type/Value (TV). The "Multi- allowed: Type/Length/Value (TLV) or Type/Value (TV). The "Multi-
Valued" column defines whether multiple instances of the attribute Valued" column defines whether multiple instances of the attribute
can appear. The "Used in Protocol" column lists the security can appear. The "Used in Protocol" column lists the security
protocols, for which the attribute can be used. protocols, for which the attribute can be used.
4.4.2.2.1. GSA_KEY_LIFETIME Attribute 4.4.2.2.1. GSA_KEY_LIFETIME Attribute
The GSA_KEY_LIFETIME attribute (1) specifies the maximum time for The GSA_KEY_LIFETIME attribute (1) specifies the maximum time for
which the SA is valid. The value is a 4-octet unsigned integer in which the SA is valid. The value is a 4-octet unsigned integer in
network byte order, specifying a valid time period in seconds. When network byte order, specifying a valid time period in seconds. When
the lifetime expires, the GSA and all associated keys MUST be the lifetime expires, the GSA and all associated keys MUST be
deleted. The GCKS may delete the SA at any time before the end of deleted. The GCKS may delete the SA at any time before the end of
the validity period. the validity period.
A single attribute of this type MUST be included into any GSA policy A single attribute of this type MUST be included into any group SA
substructure if multicast rekey is employed by the GCKS. This policy substructure if multicast rekey is employed by the GCKS. This
attribute SHOULD NOT be used if inband rekey (via the attribute SHOULD NOT be used if inband rekey (via the
GSA_INBAND_REKEY exchange) is employed by the GCKS for the GM. GSA_INBAND_REKEY exchange) is employed by the GCKS for the GM.
4.4.2.2.2. GSA_INITIAL_MESSAGE_ID Attribute 4.4.2.2.2. GSA_INITIAL_MESSAGE_ID Attribute
The GSA_INITIAL_MESSAGE_ID attribute (2) defines the initial Message The GSA_INITIAL_MESSAGE_ID attribute (2) defines the initial Message
ID to be used by the GCKS in the GSA_REKEY messages. The Message ID ID to be used by the GCKS in the GSA_REKEY messages. The Message ID
is a 4-octet unsigned integer in network byte order. is a 4-octet unsigned integer in network byte order.
A single attribute of this type is included into the GSA KEK policy A single attribute of this type is included into the GSA KEK policy
substructure if the initial Message ID of the Rekey SA is non-zero. substructure if the initial Message ID of the Rekey SA is non-zero.
Note that it is always the case if GMs join the group after some Note that it is always true if a GM joins the group after some
multicast rekey operations have already taken place, so in these multicast rekey operations have already taken place in this group.
cases, this attribute will be included into the GSA policy when the In this case, this attribute will be included into the group SA
GM is registered. policy when the GM is registered.
This attribute MUST NOT be used if inband rekey (via the This attribute MUST NOT be used if inband rekey (via the
GSA_INBAND_REKEY exchange) is employed by the GCKS for the GM. GSA_INBAND_REKEY exchange) is employed by the GCKS for the GM.
4.4.2.2.3. GSA_NEXT_SPI Attribute 4.4.2.2.3. GSA_NEXT_SPI Attribute
The optional GSA_NEXT_SPI attribute (3) contains the SPI that the The optional GSA_NEXT_SPI attribute (3) contains the SPI that the
GCKS reserved for the next Rekey SA or Data-Security SAs replacing GCKS reserved for the next Rekey SA or Data-Security SAs replacing
the current ones. The length of the attribute data is determined by the current ones. The length of the attribute data is determined by
the SPI Size field in the GSA policy substructure the attribute the SPI Size field in the group SA policy substructure the attribute
resides in (see Section 4.4.2), and the attribute data contains the resides in (see Section 4.4.2), and the attribute data contains the
SPI as it would appear on the network. Multiple attributes of this SPI as it would appear on the network. Multiple attributes of this
type MAY be included, meaning that any of the supplied SPIs can be type MAY be included, meaning that any of the supplied SPIs can be
used in the replacement group SA. used in the replacement group SA.
The GM MAY store these values. Later on, if the GM starts receiving The GM MAY store these values. Later on, if the GM starts receiving
messages with one of these SPIs without seeing a rekey message over messages with one of these SPIs without seeing a rekey message over
the current Rekey SA, then it may be used as an indication that the the current Rekey SA, then it may be used as an indication that the
rekey message got lost on its way to this GM. In this case, the GM rekey message got lost on its way to this GM. In this case, the GM
SHOULD re-register to the group. SHOULD re-register to the group.
skipping to change at line 2047 skipping to change at line 2053
attributes before (e.g., in cases where the GCKS is rebooted), so the attributes before (e.g., in cases where the GCKS is rebooted), so the
GM must only treat this information as a "best effort" made by the GM must only treat this information as a "best effort" made by the
GCKS to prepare for future rekeys. GCKS to prepare for future rekeys.
This attribute MUST NOT be used if inband rekey (via the This attribute MUST NOT be used if inband rekey (via the
GSA_INBAND_REKEY exchange) is employed by the GCKS for the GM. GSA_INBAND_REKEY exchange) is employed by the GCKS for the GM.
4.4.3. Group-Wide Policy Substructure 4.4.3. Group-Wide Policy Substructure
Group-specific policy that does not belong to any SA policy can be Group-specific policy that does not belong to any SA policy can be
distributed to all group members using the Group-wide (GW) policy distributed to all GMs using the GW policy substructure.
substructure.
The GW policy substructure is defined as follows: The GW policy substructure is defined as follows:
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Protocol | RESERVED | Length | | Protocol | RESERVED | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
~ <GW Policy Attributes> ~ ~ <GW Policy Attributes> ~
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 18: GW Policy Substructure Format Figure 16: GW Policy Substructure Format
The GW policy substructure fields are defined as follows: The GW policy substructure fields are defined as follows:
Protocol (1 octet): MUST be zero. This value is reserved (see Protocol (1 octet):
Section 9) and is never used for any security protocol, so it is MUST be zero. This value is reserved (see Section 9) and is never
used here to indicate that this substructure contains policy not used for any security protocol, so it is used here to indicate
related to any specific protocol. that this substructure contains policy not related to any specific
protocol.
RESERVED ( octet): MUST be zero on transmission and MUST be ignored RESERVED (1 octet):
on receipt. MUST be zero on transmission and MUST be ignored on receipt.
Length (2 octets, unsigned integer): Length of this substructure Length (2 octets, unsigned integer):
including the header. Length of this substructure including the header.
GW Policy Attributes (variable): Contains policy attributes GW Policy Attributes (variable):
associated with no specific SA. The following sections describe Contains policy attributes associated with no specific SA. The
possible attributes. Any or all attributes may be optional following sections describe possible attributes. Any or all
depending on the group policy. attributes may be optional depending on the group policy.
4.4.3.1. GW Policy Attributes 4.4.3.1. GW Policy Attributes
This document creates a new IKEv2 IANA registry for the types of This document creates a new IKEv2 IANA registry for the types of
group-wide policy attributes, which has been initially populated as group-wide policy attributes, which has been initially populated as
described in Section 9. In particular, the following attributes have described in Section 9. In particular, the following attributes have
been added: been added:
+======================+=======+========+==============+ +=======+======================+========+==============+
| GW Policy Attributes | Value | Format | Multi-Valued | | Value | GW Policy Attributes | Format | Multi-Valued |
+======================+=======+========+==============+ +=======+======================+========+==============+
| Reserved | 0 | | 0 | Reserved | |
+----------------------+-------+--------+--------------+ +-------+----------------------+--------+--------------+
| GWP_ATD | 1 | TV | NO | | 1 | GWP_ATD | TV | NO |
+----------------------+-------+--------+--------------+ +-------+----------------------+--------+--------------+
| GWP_DTD | 2 | TV | NO | | 2 | GWP_DTD | TV | NO |
+----------------------+-------+--------+--------------+ +-------+----------------------+--------+--------------+
| GWP_SENDER_ID_BITS | 3 | TV | NO | | 3 | GWP_SENDER_ID_BITS | TV | NO |
+----------------------+-------+--------+--------------+ +-------+----------------------+--------+--------------+
Table 6 Table 6: GW Policy Attributes
The attributes follow the format defined in the IKEv2 (Section 3.3.5 The attributes follow the format defined in the IKEv2 (Section 3.3.5
of [RFC7296]). The "Format" column defines what attribute format is of [RFC7296]). The "Format" column defines what attribute format is
allowed: Type/Length/Value (TLV) or Type/Value (TV). The "Multi- allowed: Type/Length/Value (TLV) or Type/Value (TV). The "Multi-
Valued" column defines whether multiple instances of the attribute Valued" column defines whether multiple instances of the attribute
can appear. can appear.
4.4.3.1.1. GWP_ATD and GWP_DTD Attributes 4.4.3.1.1. GWP_ATD and GWP_DTD Attributes
Section 4.2.1 of [RFC5374] specifies a key rollover method that Section 4.2.1 of [RFC5374] specifies a key rollover method that
requires two values be provided to group members: Activation Time requires two values be provided to GMs: Activation Time Delay (ATD)
Delay (ATD) and Deactivation Time Delay (DTD). and Deactivation Time Delay (DTD).
The GWP_ATD attribute (1) allows a GCKS to set the Activation Time The GWP_ATD attribute (1) allows a GCKS to set the Activation Time
Delay for Data-Security SAs of the group. The ATD defines how long Delay for Data-Security SAs of the group. The ATD defines how long
active members of the group (those who sends traffic) should wait active members of the group (those who sends traffic) should wait
after receiving new SAs before sending traffic over them. Note that after receiving new SAs before sending traffic over them. Note that
to achieve smooth rollover, passive members of the group should to achieve smooth rollover, passive members of the group should
activate the SAs immediately once they receive them. activate the SAs immediately once they receive them.
The GWP_DTD attribute (2) allows the GCKS to set the DTD for The GWP_DTD attribute (2) allows the GCKS to set the DTD for
previously distributed SAs. The DTD defines how long after receiving previously distributed SAs. The DTD defines how long after receiving
a request to delete Data-Security SAs passive group members should a request to delete Data-Security SAs passive GMs should wait before
wait before actually deleting them. Note that active members of the actually deleting them. Note that active members of the group should
group should stop sending traffic over these old SAs once new stop sending traffic over these old SAs once new replacement SAs are
replacement SAs are activated (after time specified in the GWP_ATD activated (after time specified in the GWP_ATD attribute).
attribute).
The GWP_ATD and GWP_DTD attributes contain a 16-bit unsigned integer The GWP_ATD and GWP_DTD attributes contain a 16-bit unsigned integer
in network byte order, specifying the delay in seconds. These in network byte order, specifying the delay in seconds. These
attributes are OPTIONAL. If one of them or both are not sent by the attributes are OPTIONAL. If one of them or both are not sent by the
GCKS, then no corresponding delay should be employed. GCKS, then no corresponding delay should be employed.
4.4.3.1.2. GWP_SENDER_ID_BITS Attribute 4.4.3.1.2. GWP_SENDER_ID_BITS Attribute
The GWP_SENDER_ID_BITS attribute (3) declares how many bits of the The GWP_SENDER_ID_BITS attribute (3) declares how many bits of the
cipher nonce are taken to represent a Sender-ID value. The bits are cipher nonce are taken to represent a Sender-ID value. The bits are
skipping to change at line 2159 skipping to change at line 2164
4.5. Key Download Payload 4.5. Key Download Payload
The Key Download (KD) payload contains the group keys for the SAs The Key Download (KD) payload contains the group keys for the SAs
specified in the GSA payload. The Payload Type for the Key Download specified in the GSA payload. The Payload Type for the Key Download
payload is fifty-two (52). payload is fifty-two (52).
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Payload |C| RESERVED | Length | | Next Payload |C| RESERVED | Payload Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
~ <Key Bags> ~ ~ <Key Bags> ~
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 19: Key Download Payload Format Figure 17: Key Download Payload Format
The Key Download payload fields are defined as follows: The Key Download payload fields are defined as follows:
Next Payload, C, RESERVED, and Length fields: Next Payload, C, RESERVED, and Payload Length fields:
Comprise the IKEv2 Generic Payload Header and are defined in Comprise the IKEv2 generic payload header and are defined in
Section 3.2 of [RFC7296]. Section 3.2 of [RFC7296].
Key Bags (variable): Key Bags (variable):
A set of Key Bag substructures. A set of key bag substructures.
4.5.1. Key Bags 4.5.1. Key Bags
Keys are distributed in substructures called key bags. Each key bag Keys are distributed in substructures called key bags. Each key bag
contains one or more keys that are logically related -- these are contains one or more keys that are logically related -- these are
keys for either a single SA (Data-Security SA or Rekey SA) or a keys for either a single SA (Data-Security SA or Rekey SA) or a
single group member (in the latter case, besides keys, the key bag single GM (in the latter case, besides keys, the key bag may also
may also contain security parameters for this group member). contain security parameters for this GM).
For this reason, two types of key bags are defined: Group Key Bag and For this reason, two types of key bags are defined: Group Key Bag and
Member Key Bag. The type is unambiguously determined by the first Member Key Bag. The type is unambiguously determined by the first
byte of the key bag substructure. For a Member Key Bag, it is zero, byte of the key bag substructure; for a Member Key Bag, it is zero
and for Group Key Bag, it represents the protocol number, which along and for a Group Key Bag, it contains a Security Protocol Identifier,
with the following SPI, identify the SA associated with the keys in which is always non-zero. For a Group Key Bag, the Protocol along
the bag. with the SPI (see Figure 18) identify the SA that is associated with
the keys in this bag.
4.5.2. Group Key Bag Substructure 4.5.2. Group Key Bag Substructure
The Group Key Bag substructure contains SA key information. This key The Group Key Bag substructure contains SA key information. This key
information is associated with some group SAs: either with Data- information is associated with some group SAs: either with Data-
Security SAs or with a group Rekey SA. Security SAs or with a group Rekey SA.
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
skipping to change at line 2212 skipping to change at line 2218
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
~ SPI ~ ~ SPI ~
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
~ <Group Key Bag Attributes> ~ ~ <Group Key Bag Attributes> ~
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 20: Group Key Bag Substructure Format Figure 18: Group Key Bag Substructure Format
Protocol (1 octet): Protocol (1 octet):
Identifies the security protocol for this key bag. The values are Identifies the security protocol for this key bag. The values are
defined in the "IKEv2 Security Protocol Identifiers" registry in defined in the "IKEv2 Security Protocol Identifiers" registry in
[IKEV2-IANA]. The valid values for this field are: 6 [IKEV2-IANA]. The valid values for this field are: 6
(GIKE_UPDATE) for KEK Key packet and 2 (AH) or 3 (ESP) for TEK key (GIKE_UPDATE) for KEK Key packet and 2 (AH) or 3 (ESP) for TEK key
bag. bag.
SPI Size (1 octet): SPI Size (1 octet):
Size of the SPI for the corresponding SA. SPI size depends on the Size of the SPI for the corresponding SA. SPI size depends on the
security protocol. It is 16 octets for GIKE_UPDATE and 4 octets security protocol. It is 16 octets for GIKE_UPDATE and 4 octets
for AH and ESP. for AH and ESP.
Length (2 octets, unsigned integer): Length (2 octets, unsigned integer):
Length of this substructure including the header. Length of this substructure including the header.
SPI (variable): SPI (variable):
Security Parameter Index for the corresponding SA. The size of Security Parameter Index for the corresponding SA. The size of
this field is determined by the SPI Size field. In the case of this field is determined by the SPI Size field. In the case of
GIKE_UPDATE, the SPI is the IKEv2 Header SPI pair where the first GIKE_UPDATE, the SPI is the IKEv2 header SPI pair where the first
8 octets become the "IKE SA Initiator's SPI" field in the G-IKEv2 8 octets become the "IKE SA Initiator's SPI" field in the G-IKEv2
rekey message IKEv2 HDR, and the second 8 octets become the "IKE rekey message IKEv2 HDR, and the second 8 octets become the "IKE
SA Responder's SPI" in the same HDR. SA Responder's SPI" in the same HDR.
Group Key Bag Attributes (variable): Group Key Bag Attributes (variable):
Contains Key information for the corresponding SA. Contains key information for the corresponding SA.
This document creates a new IKEv2 IANA registry for the types of This document creates a new IKEv2 IANA registry for the types of
Group Key Bag attributes, which has been initially populated as Group Key Bag attributes, which has been initially populated as
described in Section 9. In particular, the following attributes have described in Section 9. In particular, the following attributes have
been added: been added:
+===============+=======+========+==============+=============+ +=======+===============+========+==============+=============+
| Group Key Bag | Value | Format | Multi-Valued | Used in | | Value | Group Key Bag | Format | Multi-Valued | Used in |
| Attributes | | | | Protocol | | | Attributes | | | Protocol |
+===============+=======+========+==============+=============+ +=======+===============+========+==============+=============+
| Reserved | 0 | | 0 | Reserved | |
+---------------+-------+--------+--------------+-------------+ +-------+---------------+--------+--------------+-------------+
| SA_KEY | 1 | TLV | YES* | GIKE_UPDATE | | 1 | SA_KEY | TLV | YES* | GIKE_UPDATE |
| | | | NO | AH, ESP | | | | | NO | AH, ESP |
+---------------+-------+--------+--------------+-------------+ +-------+---------------+--------+--------------+-------------+
Table 7 Table 7: Group Key Bag Attributes
Notes: Notes:
(*): Multiple SA_KEY attributes may only appear for the GIKE_UPDATE (*): Multiple SA_KEY attributes may only appear for the GIKE_UPDATE
protocol in the GSA_REKEY exchange if the GCKS uses the group key protocol in the GSA_REKEY pseudo-exchange if the GCKS uses the
management method that allows excluding GMs from the group (like group key management method that allows excluding GMs from the
LKH). group (like LKH).
The attributes follow the format defined in IKEv2 (Section 3.3.5 of The attributes follow the format defined in IKEv2 (Section 3.3.5 of
[RFC7296]). The "Format" column defines what attribute format is [RFC7296]). The "Format" column defines what attribute format is
allowed: Type/Length/Value (TLV) or Type/Value (TV). The "Multi- allowed: Type/Length/Value (TLV) or Type/Value (TV). The "Multi-
Valued" column defines whether multiple instances of the attribute Valued" column defines whether multiple instances of the attribute
can appear. The "Used in Protocol" column lists the security can appear. The "Used in Protocol" column lists the security
protocols, for which the attribute can be used. protocols, for which the attribute can be used.
4.5.2.1. SA_KEY Attribute 4.5.2.1. SA_KEY Attribute
skipping to change at line 2287 skipping to change at line 2293
to the total size of the keys needed to be taken from this keying to the total size of the keys needed to be taken from this keying
material (see Section 3.4) for the corresponding SA. material (see Section 3.4) for the corresponding SA.
If the key bag is for a Data-Security SA (AH or ESP protocols), then If the key bag is for a Data-Security SA (AH or ESP protocols), then
exactly one SA_KEY attribute MUST be present with both Key ID and KWK exactly one SA_KEY attribute MUST be present with both Key ID and KWK
ID fields set to zero. ID fields set to zero.
If the key bag is for a Rekey SA (GIKE_UPDATE protocol), then exactly If the key bag is for a Rekey SA (GIKE_UPDATE protocol), then exactly
one SA_KEY attribute MUST be present in the GSA_AUTH, one SA_KEY attribute MUST be present in the GSA_AUTH,
GSA_REGISTRATION, and GSA_INBAND_REKEY exchanges. In the GSA_REKEY GSA_REGISTRATION, and GSA_INBAND_REKEY exchanges. In the GSA_REKEY
exchange, at least one SA_KEY attribute MUST be present, and more pseudo-exchange, at least one SA_KEY attribute MUST be present, and
attributes MAY be present (depending on the key management method more attributes MAY be present (depending on the key management
employed by the GCKS). method employed by the GCKS).
4.5.3. Member Key Bag Substructure 4.5.3. Member Key Bag Substructure
The Member Key Bag substructure contains keys and other parameters The Member Key Bag substructure contains keys and other parameters
that are specific for a member of the group and are not associated that are specific for a member of the group and are not associated
with any particular group SA. with any particular group SA.
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Protocol | RESERVED | Length | | Protocol | RESERVED | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
~ <Member Key Bag Attributes> ~ ~ <Member Key Bag Attributes> ~
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 21: Member Key Bag Substructure Format Figure 19: Member Key Bag Substructure Format
The Member Key Bag substructure fields are defined as follows: The Member Key Bag substructure fields are defined as follows:
Protocol (1 octet): Protocol (1 octet):
MUST be zero. This value is reserved (see Section 9) and is never MUST be zero. This value is reserved (see Section 9) and is never
used for any security protocol, so it is used here to indicate used for any security protocol, so it is used here to indicate
that this key bag is not associated with any particular SA. that this key bag is not associated with any particular SA.
RESERVED ( octet): RESERVED ( octet):
MUST be zero on transmission and MUST be ignored on receipt. MUST be zero on transmission and MUST be ignored on receipt.
Length (2 octets, unsigned integer): Length (2 octets, unsigned integer):
Length of this substructure including the header. Length of this substructure including the header.
Member Key Bag Attributes (variable): Member Key Bag Attributes (variable):
Contains Key information and other parameters exclusively for a Contains key information and other parameters exclusively for a
particular member of the group. particular member of the group.
The Member Key Bag substructure contains sensitive information for a The Member Key Bag substructure contains sensitive information for a
single GM. For this reason, it MUST NOT be sent in GSA_REKEY single GM. For this reason, it MUST NOT be sent in GSA_REKEY
messages and MUST only be sent via unicast SA at the time the GM messages and MUST only be sent via unicast SA at the time the GM
registers to the group (in either GSA_AUTH or GSA_REGISTRATION registers to the group (in either GSA_AUTH or GSA_REGISTRATION
exchanges). exchanges).
This document creates a new IKEv2 IANA registry for the types of This document creates a new IKEv2 IANA registry for the types of
Member Key Bag attributes, which has been initially populated as Member Key Bag attributes, which has been initially populated as
described in Section 9. In particular, the following attributes have described in Section 9. In particular, the following attributes have
been added: been added:
+===========================+=======+========+==============+ +=======+===========================+========+==============+
| Member Key Bag Attributes | Value | Format | Multi-Valued | | Value | Member Key Bag Attributes | Format | Multi-Valued |
+===========================+=======+========+==============+ +=======+===========================+========+==============+
| Reserved | 0 | | 0 | Reserved |
+---------------------------+-------+--------+--------------+ +-------+---------------------------+--------+--------------+
| WRAP_KEY | 1 | TLV | YES | | 1 | WRAP_KEY | TLV | YES |
+---------------------------+-------+--------+--------------+ +-------+---------------------------+--------+--------------+
| AUTH_KEY | 2 | TLV | NO | | 2 | AUTH_KEY | TLV | NO |
+---------------------------+-------+--------+--------------+ +-------+---------------------------+--------+--------------+
| GM_SENDER_ID | 3 | TLV | YES | | 3 | GM_SENDER_ID | TLV | YES |
+---------------------------+-------+--------+--------------+ +-------+---------------------------+--------+--------------+
Table 8 Table 8: Member Key Bag Attributes
The attributes follow the format defined in the IKEv2 (Section 3.3.5 The attributes follow the format defined in the IKEv2 (Section 3.3.5
of [RFC7296]). The "Format" column defines what attribute format is of [RFC7296]). The "Format" column defines what attribute format is
allowed: Type/Length/Value (TLV) or Type/Value (TV). The "Multi- allowed: Type/Length/Value (TLV) or Type/Value (TV). The "Multi-
Valued" column defines whether multiple instances of the attribute Valued" column defines whether multiple instances of the attribute
can appear. can appear.
4.5.3.1. WRAP_KEY Attribute 4.5.3.1. WRAP_KEY Attribute
The WRAP_KEY attribute (1) contains a key that is used to encrypt The WRAP_KEY attribute (1) contains a key that is used to encrypt
skipping to change at line 2394 skipping to change at line 2400
public key used for digital signature authentication. The public public key used for digital signature authentication. The public
key MUST be represented as DER-encoded ASN.1 object key MUST be represented as DER-encoded ASN.1 object
SubjectPublicKeyInfo, defined in Section 4.1.2.7 of [RFC5280]. SubjectPublicKeyInfo, defined in Section 4.1.2.7 of [RFC5280].
The algorithm field inside the SubjectPublicKeyInfo object MUST The algorithm field inside the SubjectPublicKeyInfo object MUST
match the content of the Signature Algorithm Identifier attribute match the content of the Signature Algorithm Identifier attribute
in the Group Controller Authentication Method transform. When the in the Group Controller Authentication Method transform. When the
id-RSASSA-PSS object identifier appears in the algorithm field of id-RSASSA-PSS object identifier appears in the algorithm field of
the SubjectPublicKeyInfo object, then the parameters field MUST the SubjectPublicKeyInfo object, then the parameters field MUST
include the RSASSA-PSS-params structure. include the RSASSA-PSS-params structure.
* In case of implicit authentication, the AUTH_KEY Attribute is not
used and MUST be absent (see Section 2.4.1).
Multiple instances of the AUTH_KEY attributes MUST NOT be sent. Multiple instances of the AUTH_KEY attributes MUST NOT be sent.
4.5.3.3. GM_SENDER_ID Attribute 4.5.3.3. GM_SENDER_ID Attribute
The GM_SENDER_ID attribute (3) is used to download one or more The GM_SENDER_ID attribute (3) is used to download one or more
Sender-ID values for the exclusive use of a group member. One or Sender-ID values for the exclusive use of a GM. One or more of these
more of these attributes MUST be sent by the GCKS if the GM informed attributes MUST be sent by the GCKS if the GM informed the GCKS that
the GCKS that it would be a sender (by including the GROUP_SENDER it would be a sender (by including the GROUP_SENDER notification to
notification to the request) and if at least one of the Data-Security the request) and if at least one of the Data-Security SAs included in
SAs included in the GSA payload uses a counter-based mode of the GSA payload uses a counter-based mode of encryption.
encryption.
If the GMs have requested multiple Sender-ID values in the If the GMs have requested multiple Sender-ID values in the
GROUP_SENDER notification, then the GCKS SHOULD provide it with the GROUP_SENDER notification, then the GCKS SHOULD provide it with the
requested number of Sender-IDs by sending multiple instances of the requested number of Sender-IDs by sending multiple instances of the
GM_SENDER_ID attribute. The GCKS MAY send fewer values than GM_SENDER_ID attribute. The GCKS MAY send fewer values than
requested by the GM (e.g., if it is running out of Sender-IDs), but requested by the GM (e.g., if it is running out of Sender-IDs), but
it MUST NOT send more than requested. it MUST NOT send more than requested.
This attribute MUST NOT appear in the rekey operations (in the This attribute MUST NOT appear in the rekey operations (in the
GSA_REKEY or GSA_INBAND_REKEY exchanges). GSA_REKEY pseudo-exchange or in the GSA_INBAND_REKEY exchange).
4.5.4. Key Wrapping 4.5.4. Key Wrapping
Symmetric keys in G-IKEv2 are never sent in clear inside G-IKEv2 Symmetric keys in G-IKEv2 are never sent in clear inside G-IKEv2
messages. They are always protected with other symmetric keys. This messages. They are always protected with other symmetric keys. This
protection is called key wrapping. Algorithms used for key wrapping protection is called key wrapping. Algorithms used for key wrapping
are usually based on generic encryption algorithms, but their mode of are usually based on generic encryption algorithms, but their mode of
operation is optimized for protecting short high-entropy data with operation is optimized for protecting short high-entropy data with
minimal additional overhead. While key wrap algorithms can be minimal additional overhead. While key wrap algorithms can be
generic in general, they are often tied to the underlying encryption generic in general, they are often tied to the underlying encryption
algorithms in practice. For example, AES Key Wrap with Padding algorithms in practice. For example, AES Key Wrap with Padding
Algorithm [RFC5649] defines key wrapping using AES, and Key Wrapping Algorithm [RFC5649] defines key wrapping using AES, and Key Wrapping
Constructions using SipHash and ChaCha [ARX-KW] define key wrapping Constructions using SipHash and ChaCha [ARX-KW] define key wrapping
using Chacha20. using Chacha20.
In G-IKEv2, the key wrap algorithm MUST be negotiated in the In G-IKEv2, the key wrap algorithm MUST be negotiated in the
IKE_SA_INIT exchange so that the GCKS is able to send encrypted keys IKE_SA_INIT exchange so that the GCKS is able to send encrypted keys
to the GM in the GSA_AUTH exchange. In addition, if the GCKS plans to the GM in the GSA_AUTH exchange. In addition, if the GCKS plans
to use the multicast Rekey SA for group rekey, then it MUST specify to use the multicast Rekey SA for group rekey, then it MUST specify
the key wrap algorithm in the GSA payload. Note that key wrap the key wrap algorithm in the group SA policy for the Rekey SA inside
algorithms for these cases MAY be different. For the unicast SA, the the GSA payload. Note that key wrap algorithms for these cases MAY
key wrap algorithm is negotiated between the GM and the GCKS, while be different. For the unicast SA, the key wrap algorithm is
for the multicast Rekey SA, the key wrap algorithm is provided by the negotiated between the GM and the GCKS, while for the multicast Rekey
GCKS to the group members as part of the group policy. If an SAg SA, the key wrap algorithm is provided by the GCKS to the GMs as part
payload is included in the GSA_AUTH request, then it MUST indicate of the group policy. If an SAg payload is included in the GSA_AUTH
which key wrap algorithms are supported by the GM. In all these request, then it MUST indicate which key wrap algorithms are
cases, the key wrap algorithm is specified in a Key Wrap Algorithm supported by the GM. In all these cases, the key wrap algorithm is
transform (see Section 4.4.2.1.2). specified in a Key Wrap Algorithm transform (see Section 4.4.2.1.2).
The format of the wrapped key is shown in Figure 22. The format of the wrapped key is shown in Figure 20.
1 2 3 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Key ID | | Key ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| KWK ID | | KWK ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
~ Encrypted Key ~ ~ Encrypted Key ~
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 22: Wrapped Key Format Figure 20: Wrapped Key Format
The Wrapped Key fields are defined as follows: The Wrapped Key fields are defined as follows:
Key ID (4 octets): Key ID (4 octets):
ID of the encrypted key. The value zero means that the encrypted ID of the encrypted key. The value zero means that the encrypted
key contains SA keys (in the form of keying material; see key contains SA keys (in the form of keying material; see
Section 3.4). Otherwise, it contains some intermediate key. Section 3.4). Otherwise, it contains some intermediate key.
KWK ID (4 octets): KWK ID (4 octets):
ID of the key that was used to encrypt the key with a specified ID of the key that was used to encrypt the key with a specified
skipping to change at line 2492 skipping to change at line 2500
Security and Rekey SAs. The interpretation of the Protocol field in Security and Rekey SAs. The interpretation of the Protocol field in
the Delete payload is extended so that zero protocol indicates the Delete payload is extended so that zero protocol indicates
deletion of whole Group SA (i.e., all Data-Security SAs and the Rekey deletion of whole Group SA (i.e., all Data-Security SAs and the Rekey
SA). See Section 2.4.3 for detail. SA). See Section 2.4.3 for detail.
4.7. Notify Payload 4.7. Notify Payload
G-IKEv2 uses the same Notify payload as specified in Section 3.10 of G-IKEv2 uses the same Notify payload as specified in Section 3.10 of
[RFC7296]. [RFC7296].
There are additional Notify Message types introduced by G-IKEv2 to There are additional Notify message types introduced by G-IKEv2 to
communicate error conditions and status (see Section 9). communicate error conditions and status (see Section 9).
4.7.1. INVALID_GROUP_ID Notification 4.7.1. INVALID_GROUP_ID Notification
INVALID_GROUP_ID (45) is a new error type notification that indicates INVALID_GROUP_ID (45) is a new error type notification that indicates
that the group ID sent during the registration process is invalid. that the IDg payload sent during the registration process denotes an
The Protocol ID and SPI Size fields in the Notify payload MUST be invalid group. The Protocol ID and SPI Size fields in the Notify
zero. There is no data associated with this notification and the payload MUST be zero. There is no data associated with this
content of the Notification Data field MUST be ignored on receipt. notification and the content of the Notification Data field MUST be
ignored on receipt.
4.7.2. AUTHORIZATION_FAILED Notification 4.7.2. AUTHORIZATION_FAILED Notification
AUTHORIZATION_FAILED (46) is a new error type notification that is AUTHORIZATION_FAILED (46) is a new error type notification that is
sent in the response to a GSA_AUTH or GSA_REGISTRATION message when sent in the response to a GSA_AUTH or GSA_REGISTRATION message when
authorization failed. The Protocol ID and SPI Size fields in the authorization failed. The Protocol ID and SPI Size fields in the
Notify payload MUST be zero. There is no data associated with this Notify payload MUST be zero. There is no data associated with this
notification and the content of the Notification Data field MUST be notification and the content of the Notification Data field MUST be
ignored on receipt. ignored on receipt.
skipping to change at line 2558 skipping to change at line 2567
The following notations are used: The following notations are used:
S A single attribute of this type MUST be present. S A single attribute of this type MUST be present.
M Multiple attributes of this type MAY be present. M Multiple attributes of this type MAY be present.
[] Attribute is OPTIONAL. [] Attribute is OPTIONAL.
- Attribute MUST NOT be present. - Attribute MUST NOT be present.
Note that the restrictions are defined per a substructure Note that the restrictions are defined per a substructure for which
corresponding attributes are defined for and not per whole G-IKEv2 corresponding attributes are defined and not per a whole G-IKEv2
message. message.
+========================+==================+===========+=======+ +========================+==================+===========+=======+
| Attributes | GSA_AUTH | GSA_REKEY | Notes | | Attributes | GSA_AUTH | GSA_REKEY | Notes |
| | GSA_REGISTRATION | | | | | GSA_REGISTRATION | | |
+========================+==================+===========+=======+ +========================+==================+===========+=======+
| GSA Attributes (Section 4.4.2.2) | | Group SA Attributes (Section 4.4.2.2) |
+========================+==================+===========+=======+ +========================+==================+===========+=======+
| GSA_KEY_LIFETIME | S | S | | | GSA_KEY_LIFETIME | S | S | |
+------------------------+------------------+-----------+-------+ +------------------------+------------------+-----------+-------+
| GSA_INITIAL_MESSAGE_ID | [S] | [S] | | | GSA_INITIAL_MESSAGE_ID | [S] | [S] | |
+------------------------+------------------+-----------+-------+ +------------------------+------------------+-----------+-------+
| GSA_NEXT_SPI | [M] | [M] | | | GSA_NEXT_SPI | [M] | [M] | |
+========================+==================+===========+=======+ +========================+==================+===========+=======+
| GW Policy Attributes (Section 4.4.3.1) | | GW Policy Attributes (Section 4.4.3.1) |
+========================+==================+===========+=======+ +========================+==================+===========+=======+
| GWP_ATD | [S] | [S] | | | GWP_ATD | [S] | [S] | |
skipping to change at line 2607 skipping to change at line 2616
(1): The GWP_SENDER_ID_BITS attribute MUST be present if the GCKS (1): The GWP_SENDER_ID_BITS attribute MUST be present if the GCKS
policy includes at least one cipher in counter mode of policy includes at least one cipher in counter mode of
operation and if the GM included the GROUP_SENDER notify into operation and if the GM included the GROUP_SENDER notify into
the registration request. Otherwise, it MUST NOT be present. the registration request. Otherwise, it MUST NOT be present.
At least one GM_SENDER_ID attribute MUST be present in the At least one GM_SENDER_ID attribute MUST be present in the
former case (and more MAY be present if the GM requested more former case (and more MAY be present if the GM requested more
Sender-IDs), and it MUST NOT be present in the latter case. Sender-IDs), and it MUST NOT be present in the latter case.
(2): For a Data-Security SA, exactly one SA_KEY attribute MUST be (2): For a Data-Security SA, exactly one SA_KEY attribute MUST be
present. For a Rekey SA, one SA_KEY attribute MUST be present present. For a Rekey SA, exactly one SA_KEY attribute MUST be
in all cases and more these attributes MAY be present in a present in the GSA_AUTH and the GSA_REGISTRATION exchange. In
GSA_REKEY exchange. the GSA_REKEY pseudo-exchange, at least one SA_KEY attribute
MUST be present and more of these attributes MAY be present.
(3): The WRAP_KEY attribute MUST be present if the GCKS employs a (3): The WRAP_KEY attribute MUST be present if the GCKS employs a
key management method that relies on a key tree (like LKH). key management method that relies on a key tree (like LKH).
(4): The AUTH_KEY attribute MUST be present in the GSA_AUTH and (4): The AUTH_KEY attribute MUST be present in the GSA_AUTH and
GSA_REGISTRATION exchanges if the GCKS employs an GSA_REGISTRATION exchanges if the GCKS employs an
authentication method of rekey operations based on digital authentication method of rekey operations based on digital
signatures and MUST NOT be present if implicit authentication signatures and MUST NOT be present if implicit authentication
is employed. The AUTH_KEY attribute MUST be present in the is employed. The AUTH_KEY attribute MUST be present in the
GSA_REKEY exchange if the GCKS employs an authentication method GSA_REKEY pseudo-exchange if the GCKS employs an authentication
based on digital signatures and wants to change the public key method based on digital signatures and wants to change the
for the following multicast rekey operations. public key for the following multicast rekey operations.
+========================+================+==================+=====+ +========================+================+==================+=====+
| Attributes |GSA_AUTH | GSA_INBAND_REKEY |Notes| | Attributes |GSA_AUTH | GSA_INBAND_REKEY |Notes|
| |GSA_REGISTRATION| | | | |GSA_REGISTRATION| | |
+========================+================+==================+=====+ +========================+================+==================+=====+
| GSA Attributes (Section 4.4.2.2) | | Group SA Attributes (Section 4.4.2.2) |
+========================+================+==================+=====+ +========================+================+==================+=====+
| GSA_KEY_LIFETIME |[S] | [S] | | | GSA_KEY_LIFETIME |[S] | [S] | |
+------------------------+----------------+------------------+-----+ +------------------------+----------------+------------------+-----+
| GSA_INITIAL_MESSAGE_ID |- | - | | | GSA_INITIAL_MESSAGE_ID |- | - | |
+------------------------+----------------+------------------+-----+ +------------------------+----------------+------------------+-----+
| GSA_NEXT_SPI |- | - | | | GSA_NEXT_SPI |- | - | |
+========================+================+==================+=====+ +========================+================+==================+=====+
| GW Policy Attributes (Section 4.4.3.1) | | GW Policy Attributes (Section 4.4.3.1) |
+========================+================+==================+=====+ +========================+================+==================+=====+
| GWP_ATD |[S] | [S] | | | GWP_ATD |[S] | [S] | |
skipping to change at line 2709 skipping to change at line 2719
which is derived from SK_d and thus cannot be broken even by an which is derived from SK_d and thus cannot be broken even by an
attacker equipped with a QC. However, other data sent over the attacker equipped with a QC. However, other data sent over the
initial IKE SA may be susceptible to an attacker equipped with a QC initial IKE SA may be susceptible to an attacker equipped with a QC
of a sufficient size. Such an attacker can store all the traffic of a sufficient size. Such an attacker can store all the traffic
until it obtains such a QC and then decrypt it (i.e., Store Now until it obtains such a QC and then decrypt it (i.e., Store Now
Decrypt Later attack). See Section 6 of [RFC8784] for details. Decrypt Later attack). See Section 6 of [RFC8784] for details.
While the group keys are protected with PPK and thus are immune to While the group keys are protected with PPK and thus are immune to
QC, GCKS implementations that care about other data sent over initial QC, GCKS implementations that care about other data sent over initial
IKE SA MUST rely on IKEv2 extensions that protect even initial IKE SA IKE SA MUST rely on IKEv2 extensions that protect even initial IKE SA
against QC (like [IPSEC-IKEV2-QR-ALT]). against QC (like [RFC9867]).
6.3. Aggregation and Fragmentation Mode for ESP 6.3. Aggregation and Fragmentation Mode for ESP
Aggregation and fragmentation mode for ESP is defined in [RFC9347]. Aggregation and fragmentation mode for ESP is defined in [RFC9347].
This mode allows IP packets to be split over several ESP packets or This mode allows IP packets to be split over several ESP packets or
several IP packets to be aggregated in a single ESP packet. This several IP packets to be aggregated in a single ESP packet. This
mode can only be used with ESP tunnel mode and relies on mode can only be used with ESP tunnel mode and relies on
monotonically increasing sequence numbers in the incoming packets. monotonically increasing sequence numbers in the incoming packets.
Thus, it is impossible to use this mode for multi-sender multicast Thus, it is impossible to use this mode for multi-sender multicast
SAs. Since multicast Data-Security SAs are unidirectional, the SAs. Since multicast Data-Security SAs are unidirectional, the
skipping to change at line 2742 skipping to change at line 2752
7. GDOI Protocol Extensions 7. GDOI Protocol Extensions
Few extensions were defined for the GDOI protocol [RFC6407], like Few extensions were defined for the GDOI protocol [RFC6407], like
GDOI Support for IEC 62351 Security Services [RFC8052] or the GDOI GDOI Support for IEC 62351 Security Services [RFC8052] or the GDOI
GROUPKEY-PUSH Acknowledgement Message [RFC8263]. It is expected that GROUPKEY-PUSH Acknowledgement Message [RFC8263]. It is expected that
these extensions will be redefined for G-IKEv2 in separate documents, these extensions will be redefined for G-IKEv2 in separate documents,
if needed. if needed.
8. Security Considerations 8. Security Considerations
When an entity joins the group and becomes a group member, it has to When an entity joins the group and becomes a GM, it has to trust that
trust that the GCKS only authorized entities that are admitted to the the GCKS only authorized entities that are admitted to the group and
group and has to trust that other group members will not leak the has to trust that other GMs will not leak the information shared
information shared within the group. within the group.
8.1. GSA Registration and Secure Channel 8.1. GSA Registration and Secure Channel
G-IKEv2 registration exchange uses IKEv2 IKE_SA_INIT protocols, G-IKEv2 registration procedure uses IKEv2 initial exchanges,
inheriting all the security considerations documented in Section 5 of inheriting all the security considerations documented in Section 5 of
[RFC7296], including authentication, confidentiality, protection [RFC7296], including authentication, confidentiality, on-path attack
against man-in-the-middle attacks, protection against replay/ protection, protection against replay/reflection attacks, and denial-
reflection attacks, and denial-of-service protection. The GSA_AUTH of-service protection. The GSA_REGISTRATION exchange also takes
and GSA_REGISTRATION exchanges also take advantage of those advantage of those protections. In addition, G-IKEv2 brings in the
protections. In addition, G-IKEv2 brings in the capability to capability to authorize a particular GM regardless of whether they
authorize a particular group member regardless of whether they have have the IKEv2 credentials.
the IKEv2 credentials.
8.2. GSA Maintenance Channel 8.2. GSA Maintenance Channel
The GSA maintenance channel is cryptographically and integrity The GSA maintenance channel is cryptographically and integrity
protected using the cryptographic algorithm and key negotiated in the protected using the cryptographic algorithm and key negotiated in the
GSA member registration exchange. GSA member registration exchange.
8.2.1. Authentication/Authorization 8.2.1. Authentication/Authorization
The authentication key is distributed during the GM registration and The authentication key is distributed during the GM registration and
the receiver of the rekey message uses that key to verify the message the receiver of the rekey message uses that key to verify the message
came from the authorized GCKS. An implicit authentication can also came from the authorized GCKS. An implicit authentication can also
be used, in which case, the ability of the GM to decrypt and to be used, in which case, the ability of the GM to decrypt and to
verify ICV of the received message proved that a sender of the verify ICV of incoming messages is used as a proof that the sender
message is a member of the group. However, implicit authentication knows group keys and therefore is a member of the group. However,
doesn't provide source origin authentication, so the GM cannot be implicit authentication doesn't provide source origin authentication,
sure that the message came from the GCKS. For this reason, using so the GM cannot be sure that the message came from the GCKS. For
implicit authentication is NOT RECOMMENDED unless used with a small this reason, using implicit authentication is NOT RECOMMENDED unless
group of trusted parties. used with a small group of trusted parties.
8.2.2. Confidentiality 8.2.2. Confidentiality
Confidentiality is provided by distributing a confidentiality key as Confidentiality is provided by distributing a confidentiality key as
part of the GSA member registration exchange. part of the GSA member registration exchange.
8.2.3. Man-in-the-Middle Attack Protection 8.2.3. On-Path Attack Protection
The GSA maintenance channel is integrity protected by using a digital The GSA maintenance channel is integrity protected by using a digital
signature. signature.
8.2.4. Replay/Reflection Attack Protection 8.2.4. Replay/Reflection Attack Protection
The GSA_REKEY message includes a monotonically increasing sequence The GSA_REKEY message includes a monotonically increasing sequence
number to protect against replay and reflection attacks. A group number to protect against replay and reflection attacks. A GM will
member will recognize a replayed message by comparing the Message ID recognize a replayed message by comparing the Message ID number to
number to that of the last received rekey message. Any rekey message that of the last received rekey message. Any rekey message
containing a Message ID number less than or equal to the last containing a Message ID number less than or equal to the last
received value MUST be discarded. Implementations should keep a received value MUST be discarded. Implementations should keep a
record of recently received GSA rekey messages for this comparison. record of recently received GSA rekey messages for this comparison.
The strict role separation between the GCKS and the GMs and, as a The strict role separation between the GCKS and the GMs and, as a
consequence, the limitation for a Rekey SA to be outbound/inbound consequence, the limitation for a Rekey SA to be outbound/inbound
only, helps to prevent reflection attack. only, helps to prevent reflection attack.
9. IANA Considerations 9. IANA Considerations
9.1. New Registries 9.1. New Registries
Per this document, new registries have been created for G-IKEv2 under Per this document, new registries have been created for G-IKEv2 under
the "Internet Key Exchange Version 2 (IKEv2) Parameters" registry the "Internet Key Exchange Version 2 (IKEv2) Parameters" registry
group [IKEV2-IANA]. The terms Reserved, Expert Review, and Private group [IKEV2-IANA]. The terms Reserved, Expert Review, and Private
Use are as defined in [RFC8126]. Use are as defined in [RFC8126].
1. IANA has created the "Transform Type 13 - Key Wrap Algorithm 1. IANA has created the "Transform Type 13 - Key Wrap Algorithm
Transform IDs" registry. Changes and additions to the unassigned Transform IDs" registry. The registration policy for this
range of this registry are to be made through Expert Review registry is Expert Review [RFC8126]. The initial values of the
[RFC8126]. The initial values of the registry are as follows: registry are as follows:
+==========================+============+ +============+==========================+
| Key Wrap Algorithm | Value | | Value | Key Wrap Algorithm |
+==========================+============+ +============+==========================+
| Reserved | 0 | | 0 | Reserved |
+--------------------------+------------+ +------------+--------------------------+
| KW_5649_128 | 1 | | 1 | KW_5649_128 |
+--------------------------+------------+ +------------+--------------------------+
| KW_5649_192 | 2 | | 2 | KW_5649_192 |
+--------------------------+------------+ +------------+--------------------------+
| KW_5649_256 | 3 | | 3 | KW_5649_256 |
+--------------------------+------------+ +------------+--------------------------+
| KW_ARX | 4 | | 4 | KW_ARX |
+--------------------------+------------+ +------------+--------------------------+
| Unassigned | 5-1023 | | 5-1023 | Unassigned |
+--------------------------+------------+ +------------+--------------------------+
| Reserved for Private Use | 1024-65535 | | 1024-65535 | Reserved for Private Use |
+--------------------------+------------+ +------------+--------------------------+
Table 11 Table 11
2. IANA has created the "Transform Type 14 - Group Controller 2. IANA has created the "Transform Type 14 - Group Controller
Authentication Method Transform IDs" registry. Changes and Authentication Method Transform IDs" registry. The registration
additions to the unassigned range of this registry are to be made policy for this registry is Expert Review [RFC8126]. The initial
through Expert Review [RFC8126]. The initial values of the values of the registry are as follows:
registry are as follows:
+========================================+============+ +============+========================================+
| Group Controller Authentication Method | Value | | Value | Group Controller Authentication Method |
+========================================+============+ +============+========================================+
| Reserved | 0 | | 0 | Reserved |
+----------------------------------------+------------+ +------------+----------------------------------------+
| Implicit | 1 | | 1 | Implicit |
+----------------------------------------+------------+ +------------+----------------------------------------+
| Digital Signature | 2 | | 2 | Digital Signature |
+----------------------------------------+------------+ +------------+----------------------------------------+
| Unassigned | 3-1023 | | 3-1023 | Unassigned |
+----------------------------------------+------------+ +------------+----------------------------------------+
| Reserved for Private Use | 1024-65535 | | 1024-65535 | Reserved for Private Use |
+----------------------------------------+------------+ +------------+----------------------------------------+
Table 12 Table 12
3. IANA has created the "GSA Attributes" registry. Changes and 3. IANA has created the "Group SA Attributes" registry. The
additions to the unassigned range of this registry are to be made registration policy for this registry is Expert Review [RFC8126].
through Expert Review [RFC8126]. The initial values of the The initial values of the registry are as follows:
registry are as follows:
+======================+===========+======+======+============+ +===========+======================+======+======+============+
|GSA Attributes |Value |Format|Multi-|Used in | |Value |Group SA Attributes |Format|Multi-|Used in |
| | | |Valued|Protocol | | | | |Valued|Protocol |
+======================+===========+======+======+============+ +===========+======================+======+======+============+
|Reserved |0 | | |0 |Reserved | |
+----------------------+-----------+------+------+------------+ +-----------+----------------------+------+------+------------+
|GSA_KEY_LIFETIME |1 |TLV |NO |GIKE_UPDATE,| |1 |GSA_KEY_LIFETIME |TLV |NO |GIKE_UPDATE,|
| | | | |AH, ESP | | | | | |AH, ESP |
+----------------------+-----------+------+------+------------+ +-----------+----------------------+------+------+------------+
|GSA_INITIAL_MESSAGE_ID|2 |TLV |NO |GIKE_UPDATE | |2 |GSA_INITIAL_MESSAGE_ID|TLV |NO |GIKE_UPDATE |
+----------------------+-----------+------+------+------------+ +-----------+----------------------+------+------+------------+
|GSA_NEXT_SPI |3 |TLV |YES |GIKE_UPDATE,| |3 |GSA_NEXT_SPI |TLV |YES |GIKE_UPDATE,|
| | | | |AH, ESP | | | | | |AH, ESP |
+----------------------+-----------+------+------+------------+ +-----------+----------------------+------+------+------------+
|Unassigned |5-16383 | | |4-16383 |Unassigned | |
+----------------------+-----------+--------------------------+ +-----------+----------------------+--------------------------+
|Reserved for Private |16384-32767| | |16384-32767|Reserved for Private | |
|Use | | | | |Use | |
+----------------------+-----------+--------------------------+ +-----------+----------------------+--------------------------+
Table 13 Table 13
4. IANA has created the "Group-wide Policy Attributes" registry. 4. IANA has created the "Group-Wide Policy Attributes" registry.
Changes and additions to the unassigned range of this registry The registration policy for this registry is Expert Review
are to be made through Expert Review [RFC8126]. The initial [RFC8126]. The initial values of the registry are as follows:
values of the registry are as follows:
+======================+=============+========+==============+ +=============+======================+========+==============+
| GW Policy Attributes | Value | Format | Multi-Valued | | Value | GW Policy Attributes | Format | Multi-Valued |
+======================+=============+========+==============+ +=============+======================+========+==============+
| Reserved | 0 | | | 0 | Reserved | |
+----------------------+-------------+--------+--------------+ +-------------+----------------------+--------+--------------+
| GWP_ATD | 1 | TV | NO | | 1 | GWP_ATD | TV | NO |
+----------------------+-------------+--------+--------------+ +-------------+----------------------+--------+--------------+
| GWP_DTD | 2 | TV | NO | | 2 | GWP_DTD | TV | NO |
+----------------------+-------------+--------+--------------+ +-------------+----------------------+--------+--------------+
| GWP_SENDER_ID_BITS | 3 | TV | NO | | 3 | GWP_SENDER_ID_BITS | TV | NO |
+----------------------+-------------+--------+--------------+ +-------------+----------------------+--------+--------------+
| Unassigned | 4-16383 | | | 4-16383 | Unassigned | |
+----------------------+-------------+-----------------------+ +-------------+----------------------+-----------------------+
| Reserved for Private | 16384-32767 | | | 16384-32767 | Reserved for Private | |
| Use | | | | | Use | |
+----------------------+-------------+-----------------------+ +-------------+----------------------+-----------------------+
Table 14 Table 14
5. IANA has created the "Group Key Bag Attributes" registry. 5. IANA has created the "Group Key Bag Attributes" registry. The
Changes and additions to the unassigned range of this registry registration policy for this registry is Expert Review [RFC8126].
are to be made through Expert Review [RFC8126]. The initial The initial values of the registry are as follows:
values of the registry are as follows:
+=============+=============+======+==============+=============+ +=============+=============+======+==============+=============+
| Group Key | Value |Format| Multi-Valued | Used in | | Value | Group Key |Format| Multi-Valued | Used in |
| Bag | | | | Protocol | | | Bag | | | Protocol |
| Attributes | | | | | | | Attributes | | | |
+=============+=============+======+==============+=============+ +=============+=============+======+==============+=============+
| Reserved | 0 | | | 0 | Reserved | |
+-------------+-------------+------+--------------+-------------+ +-------------+-------------+------+--------------+-------------+
| SA_KEY | 1 |TLV | YES | GIKE_UPDATE | | 1 | SA_KEY |TLV | YES | GIKE_UPDATE |
| | | | NO | AH, ESP | | | | | NO | AH, ESP |
+-------------+-------------+------+--------------+-------------+ +-------------+-------------+------+--------------+-------------+
| Unassigned | 2-16383 | | | 2-16383 | Unassigned | |
+-------------+-------------+-----------------------------------+ +-------------+-------------+-----------------------------------+
| Reserved | 16384-32767 | | | 16384-32767 | Reserved | |
| for | | | | | for | |
| Private | | | | | Private | |
| Use | | | | | Use | |
+-------------+-------------+-----------------------------------+ +-------------+-------------+-----------------------------------+
Table 15 Table 15
6. IANA has created the "Member Key Bag Attributes" registry. 6. IANA has created the "Member Key Bag Attributes" registry. The
Changes and additions to the unassigned range of this registry registration policy for this registry is Expert Review [RFC8126].
are to be made through Expert Review [RFC8126]. The initial The initial values of the registry are as follows:
values of the registry are as follows:
+================+=============+========+==============+ +=============+================+========+==============+
| Member Key Bag | Value | Format | Multi-Valued | | Value | Member Key Bag | Format | Multi-Valued |
| Attributes | | | | | | Attributes | | |
+================+=============+========+==============+ +=============+================+========+==============+
| Reserved | 0 | | | 0 | Reserved | |
+----------------+-------------+--------+--------------+ +-------------+----------------+--------+--------------+
| WRAP_KEY | 1 | TLV | YES | | 1 | WRAP_KEY | TLV | YES |
+----------------+-------------+--------+--------------+ +-------------+----------------+--------+--------------+
| AUTH_KEY | 2 | TLV | NO | | 2 | AUTH_KEY | TLV | NO |
+----------------+-------------+--------+--------------+ +-------------+----------------+--------+--------------+
| GM_SENDER_ID | 3 | TLV | YES | | 3 | GM_SENDER_ID | TLV | YES |
+----------------+-------------+--------+--------------+ +-------------+----------------+--------+--------------+
| Unassigned | 4-16383 | | | 4-16383 | Unassigned | |
+----------------+-------------+-----------------------+ +-------------+----------------+-----------------------+
| Reserved for | 16384-32767 | | | 16384-32767 | Reserved for | |
| Private Use | | | | | Private Use | |
+----------------+-------------+-----------------------+ +-------------+----------------+-----------------------+
Table 16 Table 16
9.1.1. Guidance for Designated Experts 9.1.1. Guidance for Designated Experts
In all cases of Expert Review described in this section, the In all cases of Expert Review described in this section, the
designated expert (DE) is expected to ascertain the existence of designated expert (DE) is expected to ascertain the existence of
suitable documentation (a specification) as described in [RFC8126] suitable documentation (a specification) as described in [RFC8126]
and verify that the document is permanently and publicly available. and verify that the document is permanently and publicly available.
The DE is also expected to check the clarity of purpose and use of The DE is also expected to check the clarity of purpose and use of
skipping to change at line 3088 skipping to change at line 3092
+=======+===========================+ +=======+===========================+
| 45 | INVALID_GROUP_ID | | 45 | INVALID_GROUP_ID |
+-------+---------------------------+ +-------+---------------------------+
| 46 | AUTHORIZATION_FAILED | | 46 | AUTHORIZATION_FAILED |
+-------+---------------------------+ +-------+---------------------------+
| 49 | REGISTRATION_FAILED | | 49 | REGISTRATION_FAILED |
+-------+---------------------------+ +-------+---------------------------+
Table 23 Table 23
8. The Notify type with the value 16429 was allocated earlier in the 8. An earlier draft of this document [G-IKEV2] registered the Notify
development of G-IKEv2 document in the "IKEv2 Notify Message type 16429 in the "IKEv2 Notify Message Status Types" registry
Status Types" registry with the name SENDER_REQUEST_ID. This with the name SENDER_REQUEST_ID. Per this document, IANA has
document renames it as follows: renamed it as follows:
+=======+============================+ +=======+============================+
| Value | Notify Message Status Type | | Value | Notify Message Status Type |
+=======+============================+ +=======+============================+
| 16429 | GROUP_SENDER | | 16429 | GROUP_SENDER |
+-------+----------------------------+ +-------+----------------------------+
Table 24 Table 24
9. In the "IKEv2 Security Protocol Identifiers" registry, IANA has 9. In the "IKEv2 Security Protocol Identifiers" registry, IANA has
skipping to change at line 3176 skipping to change at line 3180
Version 2 (IKEv2)", RFC 9827, DOI 10.17487/RFC9827, Version 2 (IKEv2)", RFC 9827, DOI 10.17487/RFC9827,
September 2025, <https://www.rfc-editor.org/info/rfc9827>. September 2025, <https://www.rfc-editor.org/info/rfc9827>.
10.2. Informative References 10.2. Informative References
[ARX-KW] Shinichi, S., "ARX-KW, a family of key wrapping [ARX-KW] Shinichi, S., "ARX-KW, a family of key wrapping
constructions using SipHash and ChaCha", Cryptology ePrint constructions using SipHash and ChaCha", Cryptology ePrint
Archive, Paper 2020/059, January 2020, Archive, Paper 2020/059, January 2020,
<https://eprint.iacr.org/2020/059.pdf>. <https://eprint.iacr.org/2020/059.pdf>.
[G-IKEV2] Rowles, S., Yeung, A., Tran, P., and Y. Nir, "Group Key
Management using IKEv2", Work in Progress, Internet-Draft,
draft-yeung-g-ikev2-07, 5 November 2013,
<https://datatracker.ietf.org/doc/html/draft-yeung-
g-ikev2-07>.
[IKEV2-IANA] [IKEV2-IANA]
IANA, "Internet Key Exchange Version 2 (IKEv2) IANA, "Internet Key Exchange Version 2 (IKEv2)
Parameters", Parameters",
<http://www.iana.org/assignments/ikev2-parameters>. <http://www.iana.org/assignments/ikev2-parameters>.
[IPSEC-IKEV2-QR-ALT]
Smyslov, V., "Mixing Preshared Keys in the
IKE_INTERMEDIATE and in the CREATE_CHILD_SA Exchanges of
IKEv2 for Post-quantum Security", Work in Progress,
Internet-Draft, draft-ietf-ipsecme-ikev2-qr-alt-10, 23 May
2025, <https://datatracker.ietf.org/doc/html/draft-ietf-
ipsecme-ikev2-qr-alt-10>.
[NNL] Naor, D., Naor, M., and J. Lotspiech, "Revocation and [NNL] Naor, D., Naor, M., and J. Lotspiech, "Revocation and
Tracing Schemes for Stateless Receivers", Advances in Tracing Schemes for Stateless Receivers", Advances in
Cryptology - CRYPTO 2001, Lecture Notes in Computer Cryptology - CRYPTO 2001, Lecture Notes in Computer
Science, vol. 2139, pp. 41-62, Science, vol. 2139, pp. 41-62,
DOI 10.1007/3-540-44647-8_3, 2001, DOI 10.1007/3-540-44647-8_3, 2001,
<http://www.wisdom.weizmann.ac.il/~naor/PAPERS/2nl.pdf>. <http://www.wisdom.weizmann.ac.il/~naor/PAPERS/2nl.pdf>.
[OFT] McGrew, D. and A. Sherman, "Key Establishment in Large [OFT] McGrew, D. and A. Sherman, "Key Establishment in Large
Dynamic Groups Using One-Way Function Trees", IEEE Dynamic Groups Using One-Way Function Trees", IEEE
Transactions on Software Engineering, vol. 29, no. 5, pp. Transactions on Software Engineering, vol. 29, no. 5, pp.
skipping to change at line 3334 skipping to change at line 3336
Traffic Flow Security (IP-TFS)", RFC 9347, Traffic Flow Security (IP-TFS)", RFC 9347,
DOI 10.17487/RFC9347, January 2023, DOI 10.17487/RFC9347, January 2023,
<https://www.rfc-editor.org/info/rfc9347>. <https://www.rfc-editor.org/info/rfc9347>.
[RFC9370] Tjhai, CJ., Tomlinson, M., Bartlett, G., Fluhrer, S., Van [RFC9370] Tjhai, CJ., Tomlinson, M., Bartlett, G., Fluhrer, S., Van
Geest, D., Garcia-Morchon, O., and V. Smyslov, "Multiple Geest, D., Garcia-Morchon, O., and V. Smyslov, "Multiple
Key Exchanges in the Internet Key Exchange Protocol Key Exchanges in the Internet Key Exchange Protocol
Version 2 (IKEv2)", RFC 9370, DOI 10.17487/RFC9370, May Version 2 (IKEv2)", RFC 9370, DOI 10.17487/RFC9370, May
2023, <https://www.rfc-editor.org/info/rfc9370>. 2023, <https://www.rfc-editor.org/info/rfc9370>.
[RFC9867] Smyslov, V., "Mixing Preshared Keys in the
IKE_INTERMEDIATE and CREATE_CHILD_SA Exchanges of the
Internet Key Exchange Protocol Version 2 (IKEv2) for Post-
Quantum Security", RFC 9867, DOI 10.17487/RFC9867, October
2025, <https://www.rfc-editor.org/info/rfc9867>.
Appendix A. Use of LKH in G-IKEv2 Appendix A. Use of LKH in G-IKEv2
Section 5.4 of [RFC2627] describes the LKH architecture and how a Section 5.4 of [RFC2627] describes the LKH architecture and how a
GCKS uses LKH to exclude group members. This section clarifies how GCKS uses LKH to exclude GMs. This section clarifies how the LKH
the LKH architecture is used with G-IKEv2. architecture is used with G-IKEv2.
A.1. Notation A.1. Notation
In this section, we will use the notation X{Y}, where a key with ID Y In this section, we will use the notation X{Y}, where a key with ID Y
is encrypted with the key with ID X. The notation GSK_w{Y} means is encrypted with the key with ID X. The notation GSK_w{Y} means
that the default wrap key GSK_w (with zero KWK ID)is used to encrypt that the default wrap key GSK_w (with zero KWK ID)is used to encrypt
key Y, and the notation X{K_sa} means key X is used to encrypt the SA key Y, and the notation X{K_sa} means key X is used to encrypt the SA
key K_sa (which always has a Key ID of zero). Note that GSK_w{K_sa} key K_sa (which always has a Key ID of zero). Note that GSK_w{K_sa}
means that the SA key is encrypted with the default wrap key, in means that the SA key is encrypted with the default wrap key, in
which case, both KWK ID and Key ID are zero. which case, both KWK ID and Key ID are zero.
skipping to change at line 3362 skipping to change at line 3370
when n is an SPI for the SA and the Member Key Bag substructure will when n is an SPI for the SA and the Member Key Bag substructure will
be denoted as MP(). The content of the key bags is shown as SA_KEY be denoted as MP(). The content of the key bags is shown as SA_KEY
and WRAP_KEY attributes with the notation described above. For and WRAP_KEY attributes with the notation described above. For
simplicity, the type of the attribute will not be shown because it is simplicity, the type of the attribute will not be shown because it is
implicitly defined by the type of key bag. implicitly defined by the type of key bag.
Below is the example of a KD payload: Below is the example of a KD payload:
KD(GP(SA1)(X{K_sa}),MP(Y{X},Z{Y},GSK_w{Z}) KD(GP(SA1)(X{K_sa}),MP(Y{X},Z{Y},GSK_w{Z})
Figure 23 Figure 21: Example of a KD Payload
For simplicity, any other attributes in the KD payload are omitted. For simplicity, any other attributes in the KD payload are omitted.
We will also use the notation X->Y->Z to describe the Key Path. In We will also use the notation X->Y->Z to describe the Key Path. In
this case, key Y is needed to decrypt key X and key Z is needed to this case, key Y is needed to decrypt key X and key Z is needed to
decrypt key Y. In the example above, the keys had the following decrypt key Y. In the example above, the keys had the following
relation: K_sa->X->Y->Z->GSK_w. relation: K_sa->X->Y->Z->GSK_w.
A.2. Group Creation A.2. Group Creation
When a GCKS forms a group, it creates a key tree as shown in When a GCKS forms a group, it creates a key tree as shown in
Figure 24. The key tree contains logical keys (which are represented Figure 22. The key tree contains logical keys (which are represented
as the values of their Key IDs in the figure) and a private key as the values of their Key IDs in the figure) and a private key
shared with only a single GM (the GMs are represented as letters shared with only a single GM (the GMs are represented as letters
followed by the corresponding key ID in parentheses in the figure). followed by the corresponding key ID in parentheses in the figure).
The root of the tree contains the multicast Rekey SA key (which is The root of the tree contains the multicast Rekey SA key (which is
represented as SAn(K_san). The figure below assumes that the Key IDs represented as SAn(K_san). The figure below assumes that the Key IDs
are assigned sequentially; this is not a requirement and only used are assigned sequentially; this is not a requirement and only used
for illustrative purposes. The GCKS may create a complete tree as for illustrative purposes. The GCKS may create a complete tree as
shown or a partial tree, which is created on demand as members join shown or a partial tree, which is created on demand as members join
the group. the group.
SA1(K_sa1) SA1(K_sa1)
+------------------------------+ +------------------------------+
1 2 1 2
+---------------+ +---------------+ +---------------+ +---------------+
3 4 5 6 3 4 5 6
+-------+ +-------+ +--------+ +--------+ +-------+ +-------+ +--------+ +--------+
A(7) B(8) C(9) D(10) E(11) F(12) G(13) H(14) A(7) B(8) C(9) D(10) E(11) F(12) G(13) H(14)
Figure 24: Initial LKH Tree Figure 22: Initial LKH Tree
When GM A joins the group, the GCKS provides it with the keys in the When GM A joins the group, the GCKS provides it with the keys in the
KD payload of the GSA_AUTH or GSA_REGISTRATION exchange. Given the KD payload of the GSA_AUTH or GSA_REGISTRATION exchange. Given the
tree shown in figure above, the KD payload will be: tree shown in figure above, the KD payload will be:
KD(GP(SA1)(1{K_sa1}),MP(3{1},7{3},GSK_w{7}) KD(GP(SA1)(1{K_sa1}),MP(3{1},7{3},GSK_w{7})
Figure 25: KD Payload for the Group Member A Figure 23: KD Payload for the Group Member A
From these attributes, the GM A will construct the Key Path From these attributes, the GM A will construct the Key Path
K_sa1->1->3->7->GSK_w. Since it ends up with GSK_w, it will use all K_sa1->1->3->7->GSK_w. Since it ends up with GSK_w, it will use all
the WRAP_KEY attributes present in the path as its Working Key Path: the WRAP_KEY attributes present in the path as its Working Key Path:
1->3->7. 1->3->7.
Similarly, when other GMs will be joining the group, they will be Similarly, when other GMs join the group, they will be provided with
provided with the corresponding keys, so after all, the GMs will have the corresponding keys and thus the GMs will have the following
the following Working Key Paths: Working Key Paths:
A: 1->3->7 B: 1->3->8 C: 1->4->9, D: 1->4->10 A: 1->3->7 B: 1->3->8 C: 1->4->9, D: 1->4->10
E: 2->5->11 F: 2->5->12 G: 2->6->13 H: 2->6->14 E: 2->5->11 F: 2->5->12 G: 2->6->13 H: 2->6->14
Figure 26 Figure 24: Key Paths for all GMs
A.3. Simple Group SA Rekey A.3. Simple Group SA Rekey
If the GCKS performs a simple SA rekey without changing group If the GCKS performs a simple SA rekey without changing group
membership, it will only send a Group Key Gag in the KD payload with membership, it will only send a Group Key Bag in the KD payload with
a new SA key encrypted with the default KWK. a new SA key encrypted with the default KWK.
KD(GP(SA2)(GSK_w{K_sa2})) KD(GP(SA2)(GSK_w{K_sa2}))
Figure 27: KD Payload for the Simple Group SA Rekey Figure 25: KD Payload for the Simple Group SA Rekey
All the GMs will be able to decrypt it and no changes in their All the GMs will be able to decrypt it and no changes in their
Working Key Paths will happen. Working Key Paths will happen.
A.4. Group Member Exclusion A.4. Group Member Exclusion
If the GCKS has reason to believe that a GM should be excluded, then If the GCKS has reason to believe that a GM should be excluded, then
it can do so by sending a GSA_REKEY message that includes a set of it can do so by sending a GSA_REKEY message that includes a set of
GM_KEY attributes, which would allow all GMs, except for the excluded GM_KEY attributes, which would allow all GMs, except for the excluded
one, to get a new SA key. one, to get a new SA key.
skipping to change at line 3449 skipping to change at line 3457
5 with key 16. It also generates a new SA key for a new SA3. 5 with key 16. It also generates a new SA key for a new SA3.
SA3(K_sa3) SA3(K_sa3)
+------------------------------+ +------------------------------+
1 15 1 15
+---------------+ +---------------+ +---------------+ +---------------+
3 4 16 6 3 4 16 6
+-------+ +-------+ +---- +--------+ +-------+ +-------+ +---- +--------+
A(7) B(8) C(9) D(10) E(11) F(12) G(13) H(14) A(7) B(8) C(9) D(10) E(11) F(12) G(13) H(14)
Figure 28: LKH Tree after F Has Been Excluded Figure 26: LKH Tree after F Has Been Excluded
Then it sends the following KD payload for the new Rekey SA3: Then it sends the following KD payload for the new Rekey SA3:
KD(GP(SA3)(1{K_sa3},15{K_sa3}),MP(6{15},16{15},11{16}) KD(GP(SA3)(1{K_sa3},15{K_sa3}),MP(6{15},16{15},11{16})
Figure 29: KD Payload for the Group Member F Figure 27: KD Payload for the Group Member F
While processing this KD payload: While processing this KD payload:
* GMs A, B, C, and D will be able to decrypt the SA_KEY attribute * GMs A, B, C, and D will be able to decrypt the SA_KEY attribute
1{K_sa3} by using the "1" key from their key path. Since no new 1{K_sa3} by using the "1" key from their key path. Since no new
GM_KEY attributes are in the new Key Path, they won't update their GM_KEY attributes are in the new Key Path, they won't update their
Working Key Paths. Working Key Paths.
* GMs G and H will construct new Key Path 15->6 and will be able to * GMs G and H will construct new Key Path 15->6 and will be able to
decrypt the intermediate key 15 using key 6 from their Working Key decrypt the intermediate key 15 using key 6 from their Working Key
skipping to change at line 3486 skipping to change at line 3494
* GM F won't be able to construct any Key Path leading to any key it * GM F won't be able to construct any Key Path leading to any key it
possesses, so it will be unable to decrypt the new SA key for the possesses, so it will be unable to decrypt the new SA key for the
SA3. Thus, it will be excluded from the group once the SA3 is SA3. Thus, it will be excluded from the group once the SA3 is
used. used.
Finally, the GMs will have the following Working Key Paths: Finally, the GMs will have the following Working Key Paths:
A: 1->3->7 B: 1->3->8 C: 1->4->9, D: 1->4->10 A: 1->3->7 B: 1->3->8 C: 1->4->9, D: 1->4->10
E: 15->16->11 F: excluded G: 15->6->13 H: 15->6->14 E: 15->16->11 F: excluded G: 15->6->13 H: 15->6->14
Figure 30 Figure 28: Key Paths for all GMs after Exclusion of a GM
Acknowledgements Acknowledgements
The authors thank Lakshminath Dondeti and Jing Xiang for first The authors thank Lakshminath Dondeti and Jing Xiang for first
exploring the use of IKEv2 for group key management and providing the exploring the use of IKEv2 for group key management and providing the
basis behind the protocol. Mike Sullenberger and Amjad Inamdar were basis behind the protocol. Mike Sullenberger and Amjad Inamdar were
instrumental in helping resolve many issues in several draft versions instrumental in helping resolve many issues in several draft versions
of the document. of the document.
The authors are grateful to Tero Kivinen, Daniel Migault, Gorry The authors are grateful to Tero Kivinen, Daniel Migault, Gorry
 End of changes. 202 change blocks. 
704 lines changed or deleted 712 lines changed or added

This html diff was produced by rfcdiff 1.48.