tech-invite   World Map     

IETF     RFCs     Groups     SIP     ABNFs    |    3GPP     Specs     Gloss.     Arch.     IMS     UICC    |    Misc.    |    search     info

RFC 6407

 
 
 

The Group Domain of Interpretation

Part 2 of 3, p. 19 to 45
Prev RFC Part       Next RFC Part

 


prevText      Top      Up      ToC       Page 19 
5.  Payloads and Defined Values

   This document specifies use of several ISAKMP payloads, which are
   defined in accordance with [RFC2408].  The following payloads are
   used as defined in [RFC2408].

                  Next Payload Type            Value
                  -----------------            -----
                  Hash Payload (HASH)            8
                  Signature (SIG)                9

   The following payloads are extended or further specified.

                  Next Payload Type            Value
                  -----------------            -----
                  Security Association (SA)      1
                  Identification (ID)            5
                  Nonce (N)                     10
                  Delete (D)                    12

   Several payload formats specific to the group security exchanges are
   required.

                  Next Payload Type                Value
                  -----------------                -----
                  SA KEK (SAK)                      15
                  SA TEK (SAT)                      16
                  Key Download (KD)                 17
                  Sequence Number (SEQ)             18
                  Group Associated Policy (GAP)     22

   All multi-octet fields in GDOI payloads representing integers are
   laid out in big endian order (also known as "most significant byte
   first" or "network byte order").

Top      Up      ToC       Page 20 
   All payloads including an ISAKMP Generic Payload Header create a
   Payload Length field that includes the length of the generic payload
   header (Section 3.2 of [RFC2408]).

5.1.  Identification Payload

   The Identification payload is defined in [RFC2408].  For the GDOI, it
   is used to identify a group identity that will later be associated
   with security associations for the group.  A group identity may map
   to a specific IPv4 or IPv6 multicast address, or may specify a more
   general identifier, such as one that represents a set of related
   multicast streams.

   When used with the GDOI, the DOI-Specific ID Data field MUST be set
   to 0.

   When used with the GDOI, the ID_KEY_ID ID Type MUST be supported by a
   conforming implementation and MUST specify a 4-octet group identifier
   as its value.  Implementations MAY also support other ID Types.

5.2.  Security Association Payload

   The Security Association payload is defined in [RFC2408].  For the
   GDOI, it is used by the GCKS to assert security attributes for both
   Rekey and Data-Security SAs.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
      ! Next Payload  !   RESERVED    !         Payload Length        !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !                              DOI                              !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
      !                           Situation                           !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
      ! SA Attribute Next Payload     !          RESERVED2            !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!

                  Figure 4. Security Association Payload

   The Security Association payload fields are defined as follows:

   o  Next Payload (1 octet) -- Identifies the next payload for the
      GROUPKEY-PULL or the GROUPKEY-PUSH message as defined above.  The
      next payload MUST NOT be an SA Attribute payload; it MUST be the
      next payload following the Security Association type payload.

   o  RESERVED (1 octet) -- MUST be zero.

Top      Up      ToC       Page 21 
   o  Payload Length (2 octets) -- Is the octet length of the current
      payload including the generic header and all TEK and KEK payloads.

   o  DOI (4 octets) -- Is the GDOI, which is value 2.

   o  Situation (4 octets) -- MUST be zero.

   o  SA Attribute Next Payload (2 octets) -- MUST be the code for an SA
      Attribute payload type.  See Section 5.2.1 for a description of
      which circumstances are required for each payload type to be
      present.

   o  RESERVED (2 octets) -- MUST be zero.

5.2.1.  SA Attribute Payloads

   Payloads that define specific security association attributes for the
   KEK and/or TEKs used by the group MUST follow the SA payload.  How
   many of each payload is dependent upon the group policy.  There may
   be zero or one SAK payload, zero or one GAP payload, and zero or more
   SAT payloads, where either one SAK or SAT payload MUST be present.
   When present, the order of the SA Attribute payloads MUST be: SAK,
   GAP, and SATs.

   This latitude regarding SA Attribute payloads allows various group
   policies to be accommodated.  For example, if the group policy does
   not require the use of a Rekey SA, the GCKS would not need to send an
   SA KEK attribute to the group member since all SA updates would be
   performed using the Registration SA.  Alternatively, group policy
   might use a Rekey SA but choose to download a KEK to the group member
   only as part of the Registration SA.  Therefore, the KEK policy (in
   the SA KEK attribute) would not be necessary as part of the Rekey SA
   message SA payload.

   Specifying multiple SATs allows multiple sessions to be part of the
   same group and multiple streams to be associated with a session
   (e.g., video, audio, and text) but each with individual security
   association policy.

   A GAP payload allows for the distribution of group-wide policy, such
   as instructions as to when to activate and deactivate SAs.

5.3.  SA KEK Payload

   The SA KEK (SAK) payload contains security attributes for the KEK
   method for a group and parameters specific to the GROUPKEY-PULL
   operation.  The source and destination identities describe the
   identities used for the GROUPKEY-PULL datagram.

Top      Up      ToC       Page 22 
       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
      ! Next Payload  !   RESERVED    !         Payload Length        !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
      !    Protocol   !  SRC ID Type  !         SRC ID Port           !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
      !SRC ID Data Len!          SRC Identification Data              ~
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
      ! DST ID Type   !         DST ID Port           !DST ID Data Len!
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
      !                    DST Identification Data                    ~
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
      !                                                               !
      ~                              SPI                              ~
      !                                                               !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
      !                           RESERVED2                           !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
      ~                        KEK Attributes                         ~
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!

                         Figure 5. SA KEK Payload

   The SAK payload fields are defined as follows:

   o  Next Payload (1 octet) -- Identifies the next payload for the
      GROUPKEY-PULL or the GROUPKEY-PUSH message.  The only valid next
      payload types for this message are a GAP payload, SAT payload, or
      zero to indicate that no SA Attribute payloads follow.

   o  RESERVED (1 octet) -- MUST be zero.

   o  Payload Length (2 octets) -- Length of this payload, including the
      KEK attributes.

   o  Protocol (1 octet) -- Value describing an IP protocol ID (e.g.,
      UDP/TCP) [PROT-REG] for the GROUPKEY-PUSH datagram.

   o  SRC ID Type (1 octet) -- Value describing the identity information
      found in the SRC Identification Data field.  Defined values are
      specified by the IPsec Identification Type section in the IANA
      ISAKMP registry [ISAKMP-REG].

   o  SRC ID Port (2 octets) -- Value specifying a port associated with
      the source ID.  A value of zero means that the SRC ID Port field
      MUST be ignored.

Top      Up      ToC       Page 23 
   o  SRC ID Data Len (1 octet) -- Value specifying the length (in
      octets) of the SRC Identification Data field.

   o  SRC Identification Data (variable length) -- Value, as indicated
      by the SRC ID Type.

   o  DST ID Type (1 octet) -- Value describing the identity information
      found in the DST Identification Data field.  Defined values are
      specified by the IPsec Identification Type section in the IANA
      ISAKMP registry [ISAKMP-REG].

   o  DST ID Prot (1 octet) -- Value describing an IP protocol ID (e.g.,
      UDP/TCP) [PROT-REG].

   o  DST ID Port (2 octets) -- Value specifying a port associated with
      the source ID.

   o  DST ID Data Len (1 octet) -- Value specifying the length (in
      octets) of the DST Identification Data field.

   o  DST Identification Data (variable length) -- Value, as indicated
      by the DST ID Type.

   o  SPI (16 octets) -- Security Parameter Index for the KEK.  The SPI
      is the ISAKMP Header cookie pair where the first 8 octets become
      the "Initiator Cookie" field of the GROUPKEY-PUSH message ISAKMP
      HDR, and the second 8 octets become the "Responder Cookie" in the
      same HDR.  As described above, these cookies are assigned by the
      GCKS.

   o  RESERVED2 (4 octets) -- MUST be zero.  These octets represent
      fields previously defined but no longer used by GDOI.

   o  KEK Attributes -- Contains KEK policy attributes associated with
      the group.  The following attributes may be present in a SAK
      payload.  The attributes must follow the format defined in ISAKMP
      (Section 3.3 of [RFC2408]).  In the table, attributes that are
      defined as TV are marked as Basic (B); attributes that are defined
      as TLV are marked as Variable (V).

Top      Up      ToC       Page 24 
                ID Class                   Value    Type
                --------                   -----    ----
                RESERVED                     0
                KEK_MANAGEMENT_ALGORITHM     1        B
                KEK_ALGORITHM                2        B
                KEK_KEY_LENGTH               3        B
                KEK_KEY_LIFETIME             4        V
                SIG_HASH_ALGORITHM           5        B
                SIG_ALGORITHM                6        B
                SIG_KEY_LENGTH               7        B
                RESERVED                     8        B
                Unassigned                  9-127
                Private Use               128-255
                Unassigned                256-32767

   The KEK_ALGORITHM and SIG_ALGORITHM attributes MUST be included;
   others are OPTIONAL and are included depending on group policy.  The
   KEK_MANAGEMENT_ALGORITHM attribute MUST NOT be included in a
   GROUPKEY-PULL message, and MUST be ignored if present.

5.3.1.  KEK_MANAGEMENT_ALGORITHM

   The KEK_MANAGEMENT_ALGORITHM class specifies the group KEK management
   algorithm used to provide forward or backward access control (i.e.,
   used to exclude group members).  Defined values are specified in the
   following table.

                  KEK Management Type               Value
                  -------------------               -----
                  Reserved                            0
                  LKH                                 1
                  Unassigned                         2-127
                  Private Use                      128-255
                  Unassigned                       256-65535

5.3.1.1.  LKH

   This type indicates the group management method described in Section
   5.4 of [RFC2627].  A general discussion of LKH operations can also be
   found in Section 6.3 of "Multicast and Group Security" [HD03]

5.3.2.  KEK_ALGORITHM

   The KEK_ALGORITHM class specifies the encryption algorithm in which
   the KEK is used to provide confidentiality for the GROUPKEY-PUSH
   message.  Defined values are specified in the following table.  A
   GDOI implementation MUST abort if it encounters an attribute or
   capability that it does not understand.

Top      Up      ToC       Page 25 
                   Algorithm Type      Value
                   --------------      -----
                   RESERVED               0
                   KEK_ALG_DES            1
                   KEK_ALG_3DES           2
                   KEK_ALG_AES            3
                   Unassigned            4-127
                   Private Use         128-255
                   Unassigned          256-32767

   If a KEK_MANAGEMENT_ALGORITHM is defined that specifies multiple keys
   (e.g., LKH), and if the management algorithm does not specify the
   algorithm for those keys, then the algorithm defined by the
   KEK_ALGORITHM attribute MUST be used for all keys that are included
   as part of the management.

5.3.2.1.  KEK_ALG_DES

   This type specifies DES using the Cipher Block Chaining (CBC) mode as
   described in [FIPS81].

5.3.2.2.  KEK_ALG_3DES

   This type specifies 3DES using three independent keys as described in
   "Keying Option 1" in [FIPS46-3].

5.3.2.3.  KEK_ALG_AES

   This type specifies AES as described in [FIPS197].  The mode of
   operation for AES is CBC as defined in [SP.800-38A].

5.3.3.  KEK_KEY_LENGTH

   The KEK_KEY_LENGTH class specifies the KEK Algorithm key length (in
   bits).  The Group Controller/Key Server (GCKS) adds the
   KEK_KEY_LENGTH attribute to the SA payload when distributing KEK
   policy to group members.  The group member verifies whether or not it
   has the capability of using a cipher key of that size.  If the cipher
   definition includes a fixed key length (e.g., KEK_ALG_3DES), the
   group member can make its decision solely using the KEK_ALGORITHM
   attribute and does not need the KEK_KEY_LENGTH attribute.  Sending
   the KEK_KEY_LENGTH attribute in the SA payload is OPTIONAL if the KEK
   cipher has a fixed key length.  Also, note that the KEK_KEY_LEN
   includes only the actual length of the cipher key (the IV length is
   not included in this attribute).

Top      Up      ToC       Page 26 
5.3.4.  KEK_KEY_LIFETIME

   The KEK_KEY_LIFETIME class specifies the maximum time for which the
   KEK is valid.  The GCKS may refresh the KEK at any time before the
   end of the valid period.  The value is a 4-octet number defining a
   valid time period in seconds.

5.3.5.  SIG_HASH_ALGORITHM

   SIG_HASH_ALGORITHM specifies the SIG payload hash algorithm.  The
   following table defines the algorithms for SIG_HASH_ALGORITHM.

                   Algorithm Type     Value
                   --------------     -----
                   Reserved             0
                   SIG_HASH_MD5         1
                   SIG_HASH_SHA1        2
                   SIG_HASH_SHA256      3
                   SIG_HASH_SHA384      4
                   SIG_HASH_SHA512      5
                   Unassigned          6-127
                   Private Use       128-255
                   Unassigned        256-65535

   The SHA hash algorithms are defined in the Secure Hash Standard
   [FIPS180-3.2008].

   If the SIG_ALGORITHM is SIG_ALG_ECDSA-256, SIG_ALG_ECDSA-384, or
   SIG_ALG_ECDSA-521, the hash algorithm is implicit in the definition,
   and SIG_HASH_ALGORITHM is OPTIONAL in a SAK payload.

5.3.6.  SIG_ALGORITHM

   The SIG_ALGORITHM class specifies the SIG payload signature
   algorithm.  Defined values are specified in the following table.

                   Algorithm Type      Value
                   --------------      -----
                   Reserved              0
                   SIG_ALG_RSA           1
                   SIG_ALG_DSS           2
                   SIG_ALG_ECDSS         3
                   SIG_ALG_ECDSA-256     4
                   SIG_ALG_ECDSA-384     5
                   SIG_ALG_ECDSA-521     6
                   Unassigned           7-127
                   Private Use        128-255
                   Unassigned         256-65535

Top      Up      ToC       Page 27 
5.3.6.1.  SIG_ALG_RSA

   This algorithm specifies the RSA digital signature algorithm using
   the EMSA-PKCS1-v1_5 encoding method, as described in [RFC3447].

5.3.6.2.  SIG_ALG_DSS

   This algorithm specifies the DSS digital signature algorithm as
   described in Section 4 of [FIPS186-3].

5.3.6.3.  SIG_ALG_ECDSS

   This algorithm specifies the Elliptic Curve Digital Signature
   Algorithm as described in Section 5 of [FIPS186-3].  This definition
   is deprecated in favor of the SIG_ALG_ECDSA family of algorithms.

5.3.6.4.  SIG_ALG_ECDSA-256

   This algorithm specifies the 256-bit Random ECP Group, as described
   in [RFC5903].  The format of the signature in the SIG payload MUST be
   as specified in [RFC4754].

5.3.6.5.  SIG_ALG_ECDSA-384

   This algorithm specifies the 384-bit Random ECP Group, as described
   in [RFC5903].  The format of the signature in the SIG payload MUST be
   as specified in [RFC4754].

5.3.6.6.  SIG_ALG_ECDSA-521

   This algorithm specifies the 521-bit Random ECP Group, as described
   in [RFC5903].  The format of the signature in the SIG payload MUST be
   as specified in [RFC4754].

5.3.7.  SIG_KEY_LENGTH

   The SIG_KEY_LENGTH class specifies the length of the SIG payload key
   in bits.

5.4.  Group Associated Policy

   A GCKS may have group-specific policy that is not distributed in an
   SA TEK or SA KEK.  Some of this policy is relevant to all group
   members, and some is sender-specific policy for a particular group
   member.  The former can be distributed in either a GROUPKEY-PULL or
   GROUPKEY-PUSH exchange, whereas the latter MUST only be sent in a
   GROUPKEY-PULL exchange.  Additionally, a group member sometimes has
   the need to make policy requests for resources of the GCKS in a

Top      Up      ToC       Page 28 
   GROUPKEY-PULL exchange.  GDOI distributes this associated group
   policy and the policy requests in the Group Associated Policy (GAP)
   payload.

   The GAP payload can be distributed by the GCKS as part of the SA
   payload.  It follows any SA KEK payload and is placed before any SA
   TEK payloads.  In the case that group policy does not include an SA
   KEK, the SA Attribute Next Payload field in the SA payload MAY
   indicate the GAP payload.

   The GAP payload can be optionally included by a group member in
   message 3 of the GROUPKEY-PULL exchange in order to make policy
   requests.

   The GAP payload is defined as follows:

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       ! Next Payload  !   RESERVED    !        Payload Length         !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       !               Group Associated Policy Attributes              ~
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!

                           Figure 6. GAP Payload

   The GAP payload fields are defined as follows:

   o  Next Payload (1 octet) -- Identifies the next payload present in
      the GROUPKEY-PULL or the GROUPKEY-PUSH message.  The only valid
      next payload type for this message is an SA TEK or zero to
      indicate there are no more security association attributes.

   o  RESERVED (1 octet) -- MUST be zero.

   o  Payload Length (2 octets) -- Length of this payload, including the
      GAP header and Attributes.

   o  Group Associated Policy Attributes (variable) -- Contains
      attributes following the format defined in Section 3.3 of
      [RFC2408].  In the table, attributes that are defined as TV are
      marked as Basic (B); attributes that are defined as TLV are marked
      as Variable (V).

Top      Up      ToC       Page 29 
              Attribute Type         Value       Type
              --------------         -----       ----
              RESERVED                 0
              ACTIVATION_TIME_DELAY    1          B
              DEACTIVATION_TIME_DELAY  2          B
              SENDER_ID_REQUEST        3          B
              Unassigned              4-127
              Private Use           128-255
              Unassigned            256-32767

   Several group associated policy attributes are defined in this memo.
   A GDOI implementation MUST abort if it encounters an attribute or
   capability that it does not understand.  The values for these
   attributes are included in the IANA Considerations section of this
   memo.

5.4.1.  ACTIVATION_TIME_DELAY/DEACTIVATION_TIME_DELAY

   Section 4.2.1 of [RFC5374] specifies a key rollover method that
   requires two values be given it from the group key management
   protocol.  The ACTIVATION_TIME_DELAY attribute allows a GCKS to set
   the Activation Time Delay (ATD) for SAs generated from TEKs.  The ATD
   defines how long after receiving new SAs that they are to be
   activated by the GM.  The ATD value is in seconds.

   The DEACTIVATION_TIME_DELAY allows the GCKS to set the Deactivation
   Time Delay (DTD) for previously distributed SAs.  The DTD defines how
   long after receiving new SAs that it SHOULD deactivate SAs that are
   destroyed by the rekey event.  The value is in seconds.

   The values of ATD and DTD are independent.  However, the most
   effective policy will have the DTD value be the larger value, as this
   allows new SAs to be activated before older SAs are deactivated.
   Such a policy ensures that protected group traffic will always flow
   without interruption.

5.4.2.  SENDER_ID_REQUEST

   The SENDER_ID_REQUEST attribute is used by a group member to request
   SIDs during the GROUPKEY-PULL message, and includes a count of how
   many SID values it desires.

Top      Up      ToC       Page 30 
5.5.  SA TEK Payload

   The SA TEK (SAT) payload contains security attributes for a single
   TEK associated with a group.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
      ! Next Payload  !   RESERVED    !         Payload Length        !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
      ! Protocol-ID   !       TEK Protocol-Specific Payload           ~
      +-+-+-+-+-+-+-+-+                                               ~
      ~                                                               ~
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!

                         Figure 7. SA TEK Payload

   The SAT payload fields are defined as follows:

   o  Next Payload (1 octet) -- Identifies the next payload for the
      GROUPKEY-PULL or the GROUPKEY-PUSH message.  The only valid next
      payload types for this message are another SAT payload or zero to
      indicate there are no more security association attributes.

   o  RESERVED (1 octet) -- MUST be zero.

   o  Payload Length (2 octets) -- Length of this payload, including the
      TEK Protocol-Specific Payload.

   o  Protocol-ID (1 octet) -- Value specifying the Security Protocol.
      The following table defines values for the Security Protocol.

             Protocol ID                       Value
             -----------                       -----
             RESERVED                            0
             GDOI_PROTO_IPSEC_ESP                1
             GDOI_PROTO_IPSEC_AH                 2
             Unassigned                         3-127
             Private Use                      128-255

   o  TEK Protocol-Specific Payload (variable) -- Payload which
      describes the attributes specific for the Protocol-ID.

Top      Up      ToC       Page 31 
5.5.1.  GDOI_PROTO_IPSEC_ESP/GDOI_PROTO_IPSEC_AH

   The TEK Protocol-Specific payload for ESP and AH is as follows:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
      !    Protocol   !  SRC ID Type  !         SRC ID Port           !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
      !SRC ID Data Len!          SRC Identification Data              ~
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
      ! DST ID Type   !         DST ID Port           !DST ID Data Len!
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
      ! DST Identification Data                                       ~
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
      ! Transform ID  !                        SPI                    !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
      !      SPI      !       RFC 2407 SA Attributes                  ~
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!

                       Figure 8. ESP/AH TEK Payload

   The SAT payload fields are defined as follows:

   o  Protocol (1 octet) -- Value describing an IP protocol ID (e.g.,
      UDP/TCP) [PROT-REG].  A value of zero means that the Protocol
      field MUST be ignored.

   o  SRC ID Type (1 octet) -- Value describing the identity information
      found in the SRC Identification Data field.  Defined values are
      specified by the IPsec Identification Type section in the IANA
      ISAKMP registry [ISAKMP-REG].

   o  SRC ID Port (2 octets) -- Value specifying a port associated with
      the source ID.  A value of zero means that the SRC ID Port field
      MUST be ignored.

   o  SRC ID Data Len (1 octet) -- Value specifying the length (in
      octets) of the SRC Identification Data field.

   o  SRC Identification Data (variable length) -- Value, as indicated
      by the SRC ID Type.  Set to 3 octets or zero for multiple-source
      multicast groups that use a common TEK for all senders.

   o  DST ID Type (1 octet) -- Value describing the identity information
      found in the DST Identification Data field.  Defined values are
      specified by the IPsec Identification Type section in the IANA
      ISAKMP registry [ISAKMP-REG].

Top      Up      ToC       Page 32 
   o  DST ID Prot (1 octet) -- Value describing an IP protocol ID (e.g.,
      UDP/TCP) [PROT-REG].  A value of zero means that the DST ID Prot
      field MUST be ignored.

   o  DST ID Port (2 octets) -- Value specifying a port associated with
      the source ID.  A value of zero means that the DST ID Port field
      MUST be ignored.

   o  DST ID Data Len (1 octet) -- Value specifying the length (in
      octets) of the DST Identification Data field.

   o  DST Identification Data (variable length) -- Value, as indicated
      by the DST ID Type.

   o  Transform ID (1 octet) -- Value specifying which ESP or AH
      transform is to be used.  The list of valid values is defined in
      the IPsec ESP or IPsec AH Transform Identifiers section of the
      IANA ISAKMP registry [ISAKMP-REG].

   o  SPI (4 octets) -- Security Parameter Index for ESP.

   o  RFC 2407 Attributes -- ESP and AH Attributes from Section 4.5 of
      [RFC2407].  The GDOI supports all IPsec DOI SA Attributes for
      GDOI_PROTO_IPSEC_ESP and GDOI_PROTO_IPSEC_AH, excluding the Group
      Description (Section 4.5 of [RFC2407]), which MUST NOT be sent by
      a GDOI implementation and is ignored by a GDOI implementation if
      received.  The following attributes MUST be supported by an
      implementation supporting ESP and AH: SA Life Type, SA Life
      Duration, and Encapsulation Mode.  An implementation supporting
      ESP MUST also support the Authentication Algorithm attribute if
      the ESP transform includes authentication.  The Authentication
      Algorithm attribute of the IPsec DOI is group authentication in
      GDOI.

5.5.1.1.  New IPsec Security Association Attributes

   "Multicast Extensions to the Security Architecture for the Internet
   Protocol" (RFC 5374) introduces new requirements for a group key
   management system distributing IPsec policy.  It also defines new
   attributes as part of the Group Security Policy Database (GSPD).
   These attributes describe policy that a group key management system
   must convey to a group member in order to support those extensions.
   The GDOI SA TEK payload distributes IPsec policy using IPsec security
   association attributes defined in [ISAKMP-REG].  This section defines
   how GDOI can convey the new attributes as IPsec Security Association
   Attributes.

Top      Up      ToC       Page 33 
5.5.1.1.1.  Address Preservation

   Applications use the extensions in [RFC5374] to copy the IP addresses
   into the outer IP header when encapsulating an IP packet as an IPsec
   tunnel mode packet.  This allows an IP multicast packet to continue
   to be routed as a IP multicast packet.  This attribute also provides
   the necessary policy so that the GDOI group member can appropriately
   set up the GSPD.  The following table defines values for the Address
   Preservation attribute.

              Address Preservation Type               Value
              -------------------------               -----
              Reserved                                  0
              None                                      1
              Source-Only                               2
              Destination-Only                          3
              Source-and-Destination                    4
              Unassigned                               5-61439
              Private Use                          61440-65535

   Depending on group policy, several address preservation methods are
   possible: no address preservation ("None"), preservation of the
   original source address ("Source-Only"), preservation of the original
   destination address ("Destination-Only"), or both addresses ("Source-
   and-Destination").  If this attribute is not included in a GDOI SA
   TEK payload provided by a GCKS, then Source-and-Destination address
   preservation has been defined for the SA TEK.

5.5.1.1.2.  SA Direction

   Depending on group policy, an IPsec SA created from an SA TEK payload
   is defined to be in the sending and/or receiving direction.  The
   following table defines values for the SA Direction attribute.

              Name                      Value
              ----                      -----
              Reserved                    0
              Sender-Only                 1
              Receiver-Only               2
              Symmetric                   3
              Unassigned                 4-61439
              Private Use            61440-65535

   SA TEK policy used by multiple senders MUST be installed in both the
   sending and receiving direction ("Symmetric"), whereas SA TEK for a
   single sender SHOULD be installed in the receiving direction by
   receivers ("Receiver-Only") and in the sending direction by the
   sender ("Sender-Only").

Top      Up      ToC       Page 34 
   An SA TEK payload that does not include the SA Direction attribute is
   treated as a Symmetric IPsec SA.  Note that Symmetric is the only
   value that can be meaningfully described for an SA TEK distributed in
   a GROUPKEY-PUSH message.  Alternatively, Receiver-Only could be
   distributed, but group senders would need to be configured to not
   receive GROUPKEY-PUSH messages in order to retain their role.

5.5.2.  Other Security Protocols

   Besides ESP and AH, GDOI should serve to establish SAs for secure
   groups needed by other Security Protocols that operate at the
   transport, application, and internetwork layers.  These other
   Security Protocols, however, are in the process of being developed or
   do not yet exist.

   The following information needs to be provided for a Security
   Protocol to the GDOI.

   o  The Protocol-ID for the particular Security Protocol

   o  The SPI Size

   o  The method of SPI generation

   o  The transforms, attributes, and keys needed by the Security
      Protocol

   All Security Protocols MUST provide the information in the bulleted
   list above to guide the GDOI specification for that protocol.
   Definitions for the support of those Security Protocols in GDOI will
   be specified in separate documents.

   A Security Protocol MAY protect traffic at any level of the network
   stack.  However, in all cases, applications of the Security Protocol
   MUST protect traffic that MAY be shared by more than two entities.

5.6.  Key Download Payload

   The Key Download payload contains group keys for the group specified
   in the SA payload.  These Key Download payloads can have several
   security attributes applied to them based upon the security policy of
   the group as defined by the associated SA payload.

Top      Up      ToC       Page 35 
       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
      ! Next Payload  !   RESERVED    !         Payload Length        !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
      ! Number of Key Packets         !            RESERVED2          !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
      ~                    Key Packets                                ~
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!

                      Figure 9. Key Download Payload

   The Key Download payload fields are defined as follows:

   o  Next Payload (1 octet) -- Identifier for the payload type of the
      next payload in the message.  If the current payload is the last
      in the message, then this field will be zero.

   o  RESERVED (1 octet) -- Unused; set to zero.

   o  Payload Length (2 octets) -- Length in octets of the current
      payload, including the generic payload header.

   o  Number of Key Packets (2 octets) -- Contains the total number of
      key packets being passed in this data block.

   o  Key Packets (variable) -- Several types of key packets are
      defined.  Each key packet has the following format.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
      !   KD Type     !   RESERVED    !            KD Length          !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
      !    SPI Size   !                   SPI (variable)              ~
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
      ~                    Key Packet Attributes                      ~
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!

                            Figure 10. Key Packet

   o  Key Download (KD) Type (1 octet) -- Identifier for the Key Data
      field of this key packet.

Top      Up      ToC       Page 36 
                          Key Download Type        Value
                          -----------------        -----
                          Reserved                   0
                          TEK                        1
                          KEK                        2
                          LKH                        3
                          SID                        4
                          Unassigned                4-127
                          Private Use             128-255

   "KEK" is a single key, whereas LKH is an array of key-encrypting
   keys.

   o  Reserved (1 octet) -- Unused; set to zero.

   o  Key Download Length (2 octets) -- Length in octets of the Key
      Packet data, including the Key Packet header.

   o  SPI Size (1 octet) -- Value specifying the length in octets of the
      SPI as defined by the Protocol-ID.

   o  SPI (variable length) -- Security Parameter Index, which matches a
      SPI previously sent in a SAK or SAT payload.

   o  Key Packet Attributes (variable length) -- Contains key
      information.  The format of this field is specific to the value of
      the KD Type field.  The following sections describe the format of
      each KD Type.

5.6.1.  TEK Download Type

   The following attributes may be present in a TEK Download Type.
   Exactly one attribute matching each type sent in the SAT payload MUST
   be present.  The attributes must follow the format defined in ISAKMP
   (Section 3.3 of [RFC2408]).  In the table, attributes defined as TV
   are marked as Basic (B); attributes defined as TLV are marked as
   Variable (V).

                TEK Class                 Value      Type
                ---------                 -----      ----
                RESERVED                     0
                TEK_ALGORITHM_KEY            1        V
                TEK_INTEGRITY_KEY            2        V
                TEK_SOURCE_AUTH_KEY          3        V
                Unassigned                  4-127
                Private Use               128-255
                Unassigned                256-32767

Top      Up      ToC       Page 37 
   If no TEK key packets are included in a Registration KD payload, the
   group member can expect to receive the TEK as part of a Rekey SA.  At
   least one TEK must be included in each Rekey KD payload.  Multiple
   TEKs may be included if multiple streams associated with the SA are
   to be rekeyed.

   When an algorithm specification specifies the format of the keying
   material, the value transported in the KD payload for that key is
   passed according to that specification.  The keying material may
   contain information besides a key.  For example, "The Use of Galois/
   Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP)"
   [RFC4106] defines a salt value as part of KEYMAT.

5.6.1.1.  TEK_ALGORITHM_KEY

   The TEK_ALGORITHM_KEY class declares that the encryption key for this
   SPI is contained as the Key Packet Attribute.  The encryption
   algorithm that will use this key was specified in the SAT payload.

   In the case that the algorithm requires multiple keys (e.g., 3DES),
   all keys will be included in one attribute.

   DES keys will consist of 64 bits (the 56 key bits with parity bits).
   Triple DES keys will be specified as a single 192-bit attribute
   (including parity bits) in the order that the keys are to be used for
   encryption (e.g., DES_KEY1, DES_KEY2, DES_KEY3).

5.6.1.2.  TEK_INTEGRITY_KEY

   The TEK_INTEGRITY_KEY class declares that the integrity key for this
   SPI is contained as the Key Packet Attribute.  The integrity
   algorithm that will use this key was specified in the SAT payload.
   Thus, GDOI assumes that both the symmetric encryption and integrity
   keys are pushed to the GM.  HMAC-SHA1 keys will consist of 160 bits
   [RFC2404], and HMAC-MD5 keys will consist of 128 bits [RFC2403].
   HMAC-SHA2 and AES-GMAC keys will have a key length equal to the
   output length of the hash functions [RFC4868] [RFC4543].

5.6.1.3.  TEK_SOURCE_AUTH_KEY

   The TEK_SOURCE_AUTH_KEY class declares that the source authentication
   key for this SPI is contained in the Key Packet Attribute.  The
   source authentication algorithm that will use this key was specified
   in the SAT payload.

Top      Up      ToC       Page 38 
5.6.2.  KEK Download Type

   The following attributes may be present in a KEK Download Type.
   Exactly one attribute matching each type sent in the SAK payload MUST
   be present.  The attributes MUST follow the format defined in ISAKMP
   (Section 3.3 of [RFC2408]).  In the table, attributes defined as TV
   are marked as Basic (B); attributes defined as TLV are marked as
   Variable (V).

                KEK Class                 Value      Type
                ---------                 -----      ----
                RESERVED                     0
                KEK_ALGORITHM_KEY            1        V
                SIG_ALGORITHM_KEY            2        V
                Unassigned                  3-127
                Private Use               128-255
                Unassigned                256-32767

   If the KEK key packet is included, there MUST be only one present in
   the KD payload.

5.6.2.1.  KEK_ALGORITHM_KEY

   The KEK_ALGORITHM_KEY class declares the encryption key for this SPI
   is contained in the Key Packet Attribute.  The encryption algorithm
   that will use this key was specified in the SAK payload.

   If the mode of operation for the algorithm requires an IV, an
   explicit IV MUST be included in the KEK_ALGORITHM_KEY before the
   actual key.

5.6.2.2.  SIG_ALGORITHM_KEY

   The SIG_ALGORITHM_KEY class declares that the public key for this SPI
   is contained in the Key Packet Attribute, which may be useful when no
   public key infrastructure is available.  The signature algorithm that
   will use this key was specified in the SAK payload.

5.6.3.  LKH Download Type

   The LKH key packet is comprised of attributes representing different
   nodes in the LKH key tree.

   The following attributes are used to pass an LKH KEK array in the KD
   payload.  The attributes MUST follow the format defined in ISAKMP
   (Section 3.3 of [RFC2408]).  In the table, attributes defined as TV
   are marked as Basic (B); attributes defined as TLV are marked as
   Variable (V).

Top      Up      ToC       Page 39 
                KEK Class                 Value      Type
                ---------                 -----      ----
                RESERVED                     0
                LKH_DOWNLOAD_ARRAY           1        V
                LKH_UPDATE_ARRAY             2        V
                SIG_ALGORITHM_KEY            3        V
                Unassigned                  4-127
                Private Use               128-255
                Unassigned                256-32767

   If an LKH key packet is included in the KD payload, there MUST be
   only one present.

5.6.3.1.  LKH_DOWNLOAD_ARRAY

   This attribute is used to download a set of keys to a group member.
   It MUST NOT be included in a GROUPKEY-PUSH message KD payload if the
   GROUPKEY-PUSH is sent to more than the group member.  If an
   LKH_DOWNLOAD_ARRAY attribute is included in a KD payload, there MUST
   be only one present.

   This attribute consists of a header block, followed by one or more
   LKH keys.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !  LKH Version  !          # of LKH Keys        !  RESERVED     !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !                             LKH Keys                          !
      ~                                                               ~
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                       Figure 11. LKH Download Array

   The KEK_LKH attribute fields are defined as follows:

   o  LKH version (1 octet) -- Version of the LKH data format.  Must be
      one.

   o  Number of LKH Keys (2 octets) -- This value is the number of
      distinct LKH keys in this sequence.

   o  RESERVED (1 octet) -- Unused; set to zero.  Each LKH Key is
      defined as follows:

Top      Up      ToC       Page 40 
       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !             LKH ID            !    Key Type   !    RESERVED   !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !                        Key Creation Date                      !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !                       Key Expiration Date                     !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !                           Key Handle                          !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !                                                               !
      ~                            Key Data                           ~
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                              Figure 12. LKH Key

   o  LKH ID (2 octets) -- Identity of the LKH node.  A GCKS is free to
      choose the ID in an implementation-specific manner (e.g., the
      position of this key in a binary tree structure used by LKH).

   o  Key Type (1 octet) -- Encryption algorithm for which this key data
      is to be used.  This value is specified in Section 5.3.3.

   o  RESERVED (1 octet) -- Unused; set to zero.

   o  Key Creation Date (4 octets) -- Unsigned time value defining a
      valid time period in seconds representing the number of seconds
      since 0 hours, 0 minutes, 0 seconds, January 1, 1970, Coordinated
      Universal Time (UTC), without including leap seconds.  [RFC5905].
      This is the time when this key data was originally generated.  A
      time value of zero indicates that there is no time before which
      this key is not valid.

   o  Key Expiration Date (4 octets) -- Unsigned time value defining a
      valid time period in seconds representing the number of seconds
      since 0 hours, 0 minutes, 0 seconds, January 1, 1970, Coordinated
      Universal Time (UTC), without including leap seconds.  [RFC5905].
      This is the time when this key is no longer valid for use.  A time
      value of zero indicates that this key does not have an expiration
      time.

   o  Key Handle (4 octets) -- Value assigned by the GCKS to uniquely
      identify a key within an LKH ID.  Each new key distributed by the
      GCKS for this node will have a key handle identity distinct from
      previous or successive key handles specified for this node.

Top      Up      ToC       Page 41 
   o  Key Data (variable length) -- Key data, which is dependent on the
      Key Type algorithm for its format.  If the mode of operation for
      the algorithm requires an IV, an explicit IV MUST be included in
      the Key Data field prepended to the actual key.

   The Key Creation Date and Key Expiration Dates MAY be zero.  This is
   necessary in the case where time synchronization within the group is
   not possible.

   The first LKH Key structure in an LKH_DOWNLOAD_ARRAY attribute
   contains the Leaf identifier and key for the group member.  The rest
   of the LKH Key structures contain keys along the path of the key tree
   in order from the leaf, culminating in the group KEK.

5.6.3.2.  LKH_UPDATE_ARRAY

   This attribute is used to update the keys for a group.  It is most
   likely to be included in a GROUPKEY-PUSH message KD payload to rekey
   the entire group.  This attribute consists of a header block,
   followed by one or more LKH keys, as defined in the previous section.

   There may be any number of UPDATE_ARRAY attributes included in a KD
   payload.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !  LKH Version  !          # of LKH Keys        !  RESERVED     !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !            LKH ID             !           RESERVED2           !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !                           Key Handle                          !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !                            LKH Keys                           !
      ~                                                               ~
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                        Figure 13. LKH Update Array

   o  LKH version (1 octet) -- Version of the LKH data format.  Must be
      one.

   o  Number of LKH Keys (2 octets) -- Number of distinct LKH keys in
      this sequence.

   o  RESERVED (1 octet) -- Unused; set to zero.

Top      Up      ToC       Page 42 
   o  LKH ID (2 octets) -- Node identifier associated with the key used
      to encrypt the first LKH Key.

   o  RESERVED2 (2 octets) -- Unused; set to zero.

   o  Key Handle (4 octets) -- Value assigned by the GCKS to uniquely
      identify the key within the LKH ID used to encrypt the first LKH
      Key.

   The LKH Keys are as defined in the previous section.  The LKH Key
   structures contain keys along the path of the key tree in order from
   the LKH ID found in the LKH_UPDATE_ARRAY header, culminating in the
   group KEK.  The Key Data field of each LKH Key is encrypted with the
   LKH key preceding it in the LKH_UPDATE_ARRAY attribute.  The first
   LKH Key is encrypted under the key defined by the LKH ID and Key
   Handle found in the LKH_UPDATE_ARRAY header.

5.6.3.3.  SIG_ALGORITHM_KEY

   The SIG_ALGORITHM_KEY class declares that the public key for this SPI
   is contained in the Key Packet Attribute, which may be useful when no
   public key infrastructure is available.  The signature algorithm that
   will use this key was specified in the SAK payload.

5.6.4.  SID Download Type

   This attribute is used to download one or more Sender-ID (SID) values
   for the exclusive use of a group member.

   The SID Download Type does not require an SPI.  When the KD Type is
   SID, the SPI Size field MUST be zero, and the SPI field is omitted.

                SID Class                 Value      Type
                ---------                 -----      ----
                RESERVED                     0
                NUMBER_OF_SID_BITS           1        B
                SID_VALUE                    2        V
                Unassigned                 3-128
                Private Use              129-255
                Unassigned               256-32767

   Because a SID value is intended for a single group member, the SID
   Download type MUST NOT be distributed in a GROUPKEY-PUSH message
   distributed to multiple group members.

Top      Up      ToC       Page 43 
5.6.4.1.  NUMBER_OF_SID_BITS

   The NUMBER_OF_SID_BITS class declares how many bits of the cipher
   nonce in which to represent a SID value.  This value is applied to
   each SID value distributed in the SID Download.

5.6.4.2.  SID_VALUE

   The SID_VALUE class declares a single SID value for the exclusive use
   of the group member.  Multiple SID_VALUE attributes MAY be included
   in a SID Download.

5.6.4.3.  Group Member Semantics

   The SID_VALUE attribute value distributed to the group member MUST be
   used by that group member as the SID field portion of the IV for all
   Data-Security SAs including a counter-based mode of operation
   distributed by the GCKS as a part of this group.

   When the Sender-Specific IV (SSIV) field for any Data-Security SA is
   exhausted, the group member MUST no longer act as a sender on that SA
   using its active SID.  The group member SHOULD re-register, at which
   time the GCKS will issue a new SID to the group member, along with
   either the same Data-Security SAs or replacement ones.  The new SID
   replaces the existing SID used by this group member and also resets
   the SSIV value to its starting value.  A group member MAY re-register
   prior to the actual exhaustion of the SSIV field to avoid dropping
   data packets due to the exhaustion of available SSIV values combined
   with a particular SID value.

   GROUPKEY-PUSH message may include Data-Security SAs that are
   distributed to the group member for the first time.  A SID previously
   issued to the receiving group member is used with counter-based mode
   of operation Data-Security SAs on which the group member acts as a
   sender.  Because this Data-Security SA has not previously been used
   for transmission, the SSIV field should be set to its starting value.

5.6.4.4.  GCKS Semantics

   If any KD payload includes keying material that is associated with a
   counter-mode of operation, a SID Download Type KD payload containing
   at least one SID_VALUE attribute MUST be included.

   The GCKS MUST NOT send the SID Download Type KD payload as part of a
   GROUPKEY-PUSH message because distributing the same sender-specific
   policy to more than one group member will reduce the security of the
   group.

Top      Up      ToC       Page 44 
5.7.  Sequence Number Payload

   The Sequence Number (SEQ) Payload provides an anti-replay protection
   for GROUPKEY-PUSH messages.  Its use is similar to the Sequence
   Number field defined in the IPsec ESP protocol [RFC4303].

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      ! Next Payload  !   RESERVED    !         Payload Length        !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !                      Sequence Number                          !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                    Figure 14. Sequence Number Payload

   The Sequence Number Payload fields are defined as follows:

   o  Next Payload (1 octet) -- Identifier for the payload type of the
      next payload in the message.  If the current payload is the last
      in the message, then this field will be zero.

   o  RESERVED (1 octet) -- Unused; set to zero.

   o  Payload Length (2 octets) -- Length in octets of the current
      payload, including the generic payload header.  MUST be a value of
      8.

   o  Sequence Number (4 octets) -- This field contains a monotonically
      increasing counter value for the group.  It is initialized to zero
      by the GCKS and incremented in each subsequently transmitted
      message.  Thus, the first packet sent for a given Rekey SA will
      have a Sequence Number of 1.  The GDOI implementation keeps a
      sequence counter as an attribute for the Rekey SA and increments
      the counter upon receipt of a GROUPKEY-PUSH message.  The current
      value of the sequence number MUST be transmitted to group members
      as a part of the Registration SA payload.

5.8.  Nonce

   The data portion of the Nonce payload (i.e., Ni_b and Nr_b included
   in the HASHs) MUST be a value between 8 and 128 octets.

Top      Up      ToC       Page 45 
5.9.  Delete

   There are times the GCKS may want to signal to receivers to delete
   SAs, for example, at the end of a broadcast.  Deletion of keys may be
   accomplished by sending an ISAKMP Delete payload (Section 3.15 of
   [RFC2408]) as part of a GDOI GROUPKEY-PUSH message.

   One or more Delete payloads MAY be placed following the SEQ payload
   in a GROUPKEY-PUSH message.  If a GCKS has no further SAs to send to
   group members, the SA and KD payloads MUST be omitted from the
   message.

   The following fields of the Delete payload are further defined as
   follows:

   o  The Domain of Interpretation field contains the GDOI DOI.

   o  The Protocol-ID field contains TEK protocol ID values defined in
      Section 5.5 of this document.  To delete a KEK SA, the value of
      zero MUST be used as the protocol ID.  Note that only one protocol
      ID value can be defined in a Delete payload.  Thus, if a TEK SA
      and a KEK SA are to be deleted, their SPI values MUST be sent in
      different Delete payloads.

   There may be circumstances where the GCKS may want to start over with
   a clean slate.  If the administrator is no longer confident in the
   integrity of the group, the GCKS can signal deletion of all policy of
   a particular TEK protocol by sending a TEK with an SPI value equal to
   zero in the delete payload.  For example, if the GCKS wishes to
   remove all the KEKs and all the TEKs in the group, the GCKS SHOULD
   send a delete payload with an SPI of zero and a Protocol-ID of a TEK
   Protocol-ID value, followed by another delete payload with an SPI
   value of zero and Protocol-ID of zero, indicating that the KEK SA
   should be deleted.



(page 45 continued on part 3)

Next RFC Part