Tech-invite3GPPspaceIETF RFCsSIP
93929190898887868584838281807978777675747372717069686766656463626160595857565554535251504948474645444342414039383736353433323130292827262524232221201918171615141312111009080706050403020100
in Index   Prev   Next

RFC 6407

The Group Domain of Interpretation

Pages: 64
Proposed Standard
Errata
Obsoletes:  3547
Part 2 of 3 – Pages 19 to 45
First   Prev   Next

Top   ToC   RFC6407 - Page 19   prevText

5. Payloads and Defined Values

This document specifies use of several ISAKMP payloads, which are defined in accordance with [RFC2408]. The following payloads are used as defined in [RFC2408]. Next Payload Type Value ----------------- ----- Hash Payload (HASH) 8 Signature (SIG) 9 The following payloads are extended or further specified. Next Payload Type Value ----------------- ----- Security Association (SA) 1 Identification (ID) 5 Nonce (N) 10 Delete (D) 12 Several payload formats specific to the group security exchanges are required. Next Payload Type Value ----------------- ----- SA KEK (SAK) 15 SA TEK (SAT) 16 Key Download (KD) 17 Sequence Number (SEQ) 18 Group Associated Policy (GAP) 22 All multi-octet fields in GDOI payloads representing integers are laid out in big endian order (also known as "most significant byte first" or "network byte order").
Top   ToC   RFC6407 - Page 20
   All payloads including an ISAKMP Generic Payload Header create a
   Payload Length field that includes the length of the generic payload
   header (Section 3.2 of [RFC2408]).

5.1. Identification Payload

The Identification payload is defined in [RFC2408]. For the GDOI, it is used to identify a group identity that will later be associated with security associations for the group. A group identity may map to a specific IPv4 or IPv6 multicast address, or may specify a more general identifier, such as one that represents a set of related multicast streams. When used with the GDOI, the DOI-Specific ID Data field MUST be set to 0. When used with the GDOI, the ID_KEY_ID ID Type MUST be supported by a conforming implementation and MUST specify a 4-octet group identifier as its value. Implementations MAY also support other ID Types.

5.2. Security Association Payload

The Security Association payload is defined in [RFC2408]. For the GDOI, it is used by the GCKS to assert security attributes for both Rekey and Data-Security SAs. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! Next Payload ! RESERVED ! Payload Length ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! DOI ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! Situation ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! SA Attribute Next Payload ! RESERVED2 ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! Figure 4. Security Association Payload The Security Association payload fields are defined as follows: o Next Payload (1 octet) -- Identifies the next payload for the GROUPKEY-PULL or the GROUPKEY-PUSH message as defined above. The next payload MUST NOT be an SA Attribute payload; it MUST be the next payload following the Security Association type payload. o RESERVED (1 octet) -- MUST be zero.
Top   ToC   RFC6407 - Page 21
   o  Payload Length (2 octets) -- Is the octet length of the current
      payload including the generic header and all TEK and KEK payloads.

   o  DOI (4 octets) -- Is the GDOI, which is value 2.

   o  Situation (4 octets) -- MUST be zero.

   o  SA Attribute Next Payload (2 octets) -- MUST be the code for an SA
      Attribute payload type.  See Section 5.2.1 for a description of
      which circumstances are required for each payload type to be
      present.

   o  RESERVED (2 octets) -- MUST be zero.

5.2.1. SA Attribute Payloads

Payloads that define specific security association attributes for the KEK and/or TEKs used by the group MUST follow the SA payload. How many of each payload is dependent upon the group policy. There may be zero or one SAK payload, zero or one GAP payload, and zero or more SAT payloads, where either one SAK or SAT payload MUST be present. When present, the order of the SA Attribute payloads MUST be: SAK, GAP, and SATs. This latitude regarding SA Attribute payloads allows various group policies to be accommodated. For example, if the group policy does not require the use of a Rekey SA, the GCKS would not need to send an SA KEK attribute to the group member since all SA updates would be performed using the Registration SA. Alternatively, group policy might use a Rekey SA but choose to download a KEK to the group member only as part of the Registration SA. Therefore, the KEK policy (in the SA KEK attribute) would not be necessary as part of the Rekey SA message SA payload. Specifying multiple SATs allows multiple sessions to be part of the same group and multiple streams to be associated with a session (e.g., video, audio, and text) but each with individual security association policy. A GAP payload allows for the distribution of group-wide policy, such as instructions as to when to activate and deactivate SAs.

5.3. SA KEK Payload

The SA KEK (SAK) payload contains security attributes for the KEK method for a group and parameters specific to the GROUPKEY-PULL operation. The source and destination identities describe the identities used for the GROUPKEY-PULL datagram.
Top   ToC   RFC6407 - Page 22
       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
      ! Next Payload  !   RESERVED    !         Payload Length        !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
      !    Protocol   !  SRC ID Type  !         SRC ID Port           !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
      !SRC ID Data Len!          SRC Identification Data              ~
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
      ! DST ID Type   !         DST ID Port           !DST ID Data Len!
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
      !                    DST Identification Data                    ~
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
      !                                                               !
      ~                              SPI                              ~
      !                                                               !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
      !                           RESERVED2                           !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
      ~                        KEK Attributes                         ~
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!

                         Figure 5. SA KEK Payload

   The SAK payload fields are defined as follows:

   o  Next Payload (1 octet) -- Identifies the next payload for the
      GROUPKEY-PULL or the GROUPKEY-PUSH message.  The only valid next
      payload types for this message are a GAP payload, SAT payload, or
      zero to indicate that no SA Attribute payloads follow.

   o  RESERVED (1 octet) -- MUST be zero.

   o  Payload Length (2 octets) -- Length of this payload, including the
      KEK attributes.

   o  Protocol (1 octet) -- Value describing an IP protocol ID (e.g.,
      UDP/TCP) [PROT-REG] for the GROUPKEY-PUSH datagram.

   o  SRC ID Type (1 octet) -- Value describing the identity information
      found in the SRC Identification Data field.  Defined values are
      specified by the IPsec Identification Type section in the IANA
      ISAKMP registry [ISAKMP-REG].

   o  SRC ID Port (2 octets) -- Value specifying a port associated with
      the source ID.  A value of zero means that the SRC ID Port field
      MUST be ignored.
Top   ToC   RFC6407 - Page 23
   o  SRC ID Data Len (1 octet) -- Value specifying the length (in
      octets) of the SRC Identification Data field.

   o  SRC Identification Data (variable length) -- Value, as indicated
      by the SRC ID Type.

   o  DST ID Type (1 octet) -- Value describing the identity information
      found in the DST Identification Data field.  Defined values are
      specified by the IPsec Identification Type section in the IANA
      ISAKMP registry [ISAKMP-REG].

   o  DST ID Prot (1 octet) -- Value describing an IP protocol ID (e.g.,
      UDP/TCP) [PROT-REG].

   o  DST ID Port (2 octets) -- Value specifying a port associated with
      the source ID.

   o  DST ID Data Len (1 octet) -- Value specifying the length (in
      octets) of the DST Identification Data field.

   o  DST Identification Data (variable length) -- Value, as indicated
      by the DST ID Type.

   o  SPI (16 octets) -- Security Parameter Index for the KEK.  The SPI
      is the ISAKMP Header cookie pair where the first 8 octets become
      the "Initiator Cookie" field of the GROUPKEY-PUSH message ISAKMP
      HDR, and the second 8 octets become the "Responder Cookie" in the
      same HDR.  As described above, these cookies are assigned by the
      GCKS.

   o  RESERVED2 (4 octets) -- MUST be zero.  These octets represent
      fields previously defined but no longer used by GDOI.

   o  KEK Attributes -- Contains KEK policy attributes associated with
      the group.  The following attributes may be present in a SAK
      payload.  The attributes must follow the format defined in ISAKMP
      (Section 3.3 of [RFC2408]).  In the table, attributes that are
      defined as TV are marked as Basic (B); attributes that are defined
      as TLV are marked as Variable (V).
Top   ToC   RFC6407 - Page 24
                ID Class                   Value    Type
                --------                   -----    ----
                RESERVED                     0
                KEK_MANAGEMENT_ALGORITHM     1        B
                KEK_ALGORITHM                2        B
                KEK_KEY_LENGTH               3        B
                KEK_KEY_LIFETIME             4        V
                SIG_HASH_ALGORITHM           5        B
                SIG_ALGORITHM                6        B
                SIG_KEY_LENGTH               7        B
                RESERVED                     8        B
                Unassigned                  9-127
                Private Use               128-255
                Unassigned                256-32767

   The KEK_ALGORITHM and SIG_ALGORITHM attributes MUST be included;
   others are OPTIONAL and are included depending on group policy.  The
   KEK_MANAGEMENT_ALGORITHM attribute MUST NOT be included in a
   GROUPKEY-PULL message, and MUST be ignored if present.

5.3.1. KEK_MANAGEMENT_ALGORITHM

The KEK_MANAGEMENT_ALGORITHM class specifies the group KEK management algorithm used to provide forward or backward access control (i.e., used to exclude group members). Defined values are specified in the following table. KEK Management Type Value ------------------- ----- Reserved 0 LKH 1 Unassigned 2-127 Private Use 128-255 Unassigned 256-65535
5.3.1.1. LKH
This type indicates the group management method described in Section 5.4 of [RFC2627]. A general discussion of LKH operations can also be found in Section 6.3 of "Multicast and Group Security" [HD03]

5.3.2. KEK_ALGORITHM

The KEK_ALGORITHM class specifies the encryption algorithm in which the KEK is used to provide confidentiality for the GROUPKEY-PUSH message. Defined values are specified in the following table. A GDOI implementation MUST abort if it encounters an attribute or capability that it does not understand.
Top   ToC   RFC6407 - Page 25
                   Algorithm Type      Value
                   --------------      -----
                   RESERVED               0
                   KEK_ALG_DES            1
                   KEK_ALG_3DES           2
                   KEK_ALG_AES            3
                   Unassigned            4-127
                   Private Use         128-255
                   Unassigned          256-32767

   If a KEK_MANAGEMENT_ALGORITHM is defined that specifies multiple keys
   (e.g., LKH), and if the management algorithm does not specify the
   algorithm for those keys, then the algorithm defined by the
   KEK_ALGORITHM attribute MUST be used for all keys that are included
   as part of the management.

5.3.2.1. KEK_ALG_DES
This type specifies DES using the Cipher Block Chaining (CBC) mode as described in [FIPS81].
5.3.2.2. KEK_ALG_3DES
This type specifies 3DES using three independent keys as described in "Keying Option 1" in [FIPS46-3].
5.3.2.3. KEK_ALG_AES
This type specifies AES as described in [FIPS197]. The mode of operation for AES is CBC as defined in [SP.800-38A].

5.3.3. KEK_KEY_LENGTH

The KEK_KEY_LENGTH class specifies the KEK Algorithm key length (in bits). The Group Controller/Key Server (GCKS) adds the KEK_KEY_LENGTH attribute to the SA payload when distributing KEK policy to group members. The group member verifies whether or not it has the capability of using a cipher key of that size. If the cipher definition includes a fixed key length (e.g., KEK_ALG_3DES), the group member can make its decision solely using the KEK_ALGORITHM attribute and does not need the KEK_KEY_LENGTH attribute. Sending the KEK_KEY_LENGTH attribute in the SA payload is OPTIONAL if the KEK cipher has a fixed key length. Also, note that the KEK_KEY_LEN includes only the actual length of the cipher key (the IV length is not included in this attribute).
Top   ToC   RFC6407 - Page 26

5.3.4. KEK_KEY_LIFETIME

The KEK_KEY_LIFETIME class specifies the maximum time for which the KEK is valid. The GCKS may refresh the KEK at any time before the end of the valid period. The value is a 4-octet number defining a valid time period in seconds.

5.3.5. SIG_HASH_ALGORITHM

SIG_HASH_ALGORITHM specifies the SIG payload hash algorithm. The following table defines the algorithms for SIG_HASH_ALGORITHM. Algorithm Type Value -------------- ----- Reserved 0 SIG_HASH_MD5 1 SIG_HASH_SHA1 2 SIG_HASH_SHA256 3 SIG_HASH_SHA384 4 SIG_HASH_SHA512 5 Unassigned 6-127 Private Use 128-255 Unassigned 256-65535 The SHA hash algorithms are defined in the Secure Hash Standard [FIPS180-3.2008]. If the SIG_ALGORITHM is SIG_ALG_ECDSA-256, SIG_ALG_ECDSA-384, or SIG_ALG_ECDSA-521, the hash algorithm is implicit in the definition, and SIG_HASH_ALGORITHM is OPTIONAL in a SAK payload.

5.3.6. SIG_ALGORITHM

The SIG_ALGORITHM class specifies the SIG payload signature algorithm. Defined values are specified in the following table. Algorithm Type Value -------------- ----- Reserved 0 SIG_ALG_RSA 1 SIG_ALG_DSS 2 SIG_ALG_ECDSS 3 SIG_ALG_ECDSA-256 4 SIG_ALG_ECDSA-384 5 SIG_ALG_ECDSA-521 6 Unassigned 7-127 Private Use 128-255 Unassigned 256-65535
Top   ToC   RFC6407 - Page 27
5.3.6.1. SIG_ALG_RSA
This algorithm specifies the RSA digital signature algorithm using the EMSA-PKCS1-v1_5 encoding method, as described in [RFC3447].
5.3.6.2. SIG_ALG_DSS
This algorithm specifies the DSS digital signature algorithm as described in Section 4 of [FIPS186-3].
5.3.6.3. SIG_ALG_ECDSS
This algorithm specifies the Elliptic Curve Digital Signature Algorithm as described in Section 5 of [FIPS186-3]. This definition is deprecated in favor of the SIG_ALG_ECDSA family of algorithms.
5.3.6.4. SIG_ALG_ECDSA-256
This algorithm specifies the 256-bit Random ECP Group, as described in [RFC5903]. The format of the signature in the SIG payload MUST be as specified in [RFC4754].
5.3.6.5. SIG_ALG_ECDSA-384
This algorithm specifies the 384-bit Random ECP Group, as described in [RFC5903]. The format of the signature in the SIG payload MUST be as specified in [RFC4754].
5.3.6.6. SIG_ALG_ECDSA-521
This algorithm specifies the 521-bit Random ECP Group, as described in [RFC5903]. The format of the signature in the SIG payload MUST be as specified in [RFC4754].

5.3.7. SIG_KEY_LENGTH

The SIG_KEY_LENGTH class specifies the length of the SIG payload key in bits.

5.4. Group Associated Policy

A GCKS may have group-specific policy that is not distributed in an SA TEK or SA KEK. Some of this policy is relevant to all group members, and some is sender-specific policy for a particular group member. The former can be distributed in either a GROUPKEY-PULL or GROUPKEY-PUSH exchange, whereas the latter MUST only be sent in a GROUPKEY-PULL exchange. Additionally, a group member sometimes has the need to make policy requests for resources of the GCKS in a
Top   ToC   RFC6407 - Page 28
   GROUPKEY-PULL exchange.  GDOI distributes this associated group
   policy and the policy requests in the Group Associated Policy (GAP)
   payload.

   The GAP payload can be distributed by the GCKS as part of the SA
   payload.  It follows any SA KEK payload and is placed before any SA
   TEK payloads.  In the case that group policy does not include an SA
   KEK, the SA Attribute Next Payload field in the SA payload MAY
   indicate the GAP payload.

   The GAP payload can be optionally included by a group member in
   message 3 of the GROUPKEY-PULL exchange in order to make policy
   requests.

   The GAP payload is defined as follows:

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       ! Next Payload  !   RESERVED    !        Payload Length         !
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
       !               Group Associated Policy Attributes              ~
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!

                           Figure 6. GAP Payload

   The GAP payload fields are defined as follows:

   o  Next Payload (1 octet) -- Identifies the next payload present in
      the GROUPKEY-PULL or the GROUPKEY-PUSH message.  The only valid
      next payload type for this message is an SA TEK or zero to
      indicate there are no more security association attributes.

   o  RESERVED (1 octet) -- MUST be zero.

   o  Payload Length (2 octets) -- Length of this payload, including the
      GAP header and Attributes.

   o  Group Associated Policy Attributes (variable) -- Contains
      attributes following the format defined in Section 3.3 of
      [RFC2408].  In the table, attributes that are defined as TV are
      marked as Basic (B); attributes that are defined as TLV are marked
      as Variable (V).
Top   ToC   RFC6407 - Page 29
              Attribute Type         Value       Type
              --------------         -----       ----
              RESERVED                 0
              ACTIVATION_TIME_DELAY    1          B
              DEACTIVATION_TIME_DELAY  2          B
              SENDER_ID_REQUEST        3          B
              Unassigned              4-127
              Private Use           128-255
              Unassigned            256-32767

   Several group associated policy attributes are defined in this memo.
   A GDOI implementation MUST abort if it encounters an attribute or
   capability that it does not understand.  The values for these
   attributes are included in the IANA Considerations section of this
   memo.

5.4.1. ACTIVATION_TIME_DELAY/DEACTIVATION_TIME_DELAY

Section 4.2.1 of [RFC5374] specifies a key rollover method that requires two values be given it from the group key management protocol. The ACTIVATION_TIME_DELAY attribute allows a GCKS to set the Activation Time Delay (ATD) for SAs generated from TEKs. The ATD defines how long after receiving new SAs that they are to be activated by the GM. The ATD value is in seconds. The DEACTIVATION_TIME_DELAY allows the GCKS to set the Deactivation Time Delay (DTD) for previously distributed SAs. The DTD defines how long after receiving new SAs that it SHOULD deactivate SAs that are destroyed by the rekey event. The value is in seconds. The values of ATD and DTD are independent. However, the most effective policy will have the DTD value be the larger value, as this allows new SAs to be activated before older SAs are deactivated. Such a policy ensures that protected group traffic will always flow without interruption.

5.4.2. SENDER_ID_REQUEST

The SENDER_ID_REQUEST attribute is used by a group member to request SIDs during the GROUPKEY-PULL message, and includes a count of how many SID values it desires.
Top   ToC   RFC6407 - Page 30

5.5. SA TEK Payload

The SA TEK (SAT) payload contains security attributes for a single TEK associated with a group. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! Next Payload ! RESERVED ! Payload Length ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! Protocol-ID ! TEK Protocol-Specific Payload ~ +-+-+-+-+-+-+-+-+ ~ ~ ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! Figure 7. SA TEK Payload The SAT payload fields are defined as follows: o Next Payload (1 octet) -- Identifies the next payload for the GROUPKEY-PULL or the GROUPKEY-PUSH message. The only valid next payload types for this message are another SAT payload or zero to indicate there are no more security association attributes. o RESERVED (1 octet) -- MUST be zero. o Payload Length (2 octets) -- Length of this payload, including the TEK Protocol-Specific Payload. o Protocol-ID (1 octet) -- Value specifying the Security Protocol. The following table defines values for the Security Protocol. Protocol ID Value ----------- ----- RESERVED 0 GDOI_PROTO_IPSEC_ESP 1 GDOI_PROTO_IPSEC_AH 2 Unassigned 3-127 Private Use 128-255 o TEK Protocol-Specific Payload (variable) -- Payload which describes the attributes specific for the Protocol-ID.
Top   ToC   RFC6407 - Page 31

5.5.1. GDOI_PROTO_IPSEC_ESP/GDOI_PROTO_IPSEC_AH

The TEK Protocol-Specific payload for ESP and AH is as follows: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! Protocol ! SRC ID Type ! SRC ID Port ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! !SRC ID Data Len! SRC Identification Data ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! DST ID Type ! DST ID Port !DST ID Data Len! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! DST Identification Data ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! Transform ID ! SPI ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! SPI ! RFC 2407 SA Attributes ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! Figure 8. ESP/AH TEK Payload The SAT payload fields are defined as follows: o Protocol (1 octet) -- Value describing an IP protocol ID (e.g., UDP/TCP) [PROT-REG]. A value of zero means that the Protocol field MUST be ignored. o SRC ID Type (1 octet) -- Value describing the identity information found in the SRC Identification Data field. Defined values are specified by the IPsec Identification Type section in the IANA ISAKMP registry [ISAKMP-REG]. o SRC ID Port (2 octets) -- Value specifying a port associated with the source ID. A value of zero means that the SRC ID Port field MUST be ignored. o SRC ID Data Len (1 octet) -- Value specifying the length (in octets) of the SRC Identification Data field. o SRC Identification Data (variable length) -- Value, as indicated by the SRC ID Type. Set to 3 octets or zero for multiple-source multicast groups that use a common TEK for all senders. o DST ID Type (1 octet) -- Value describing the identity information found in the DST Identification Data field. Defined values are specified by the IPsec Identification Type section in the IANA ISAKMP registry [ISAKMP-REG].
Top   ToC   RFC6407 - Page 32
   o  DST ID Prot (1 octet) -- Value describing an IP protocol ID (e.g.,
      UDP/TCP) [PROT-REG].  A value of zero means that the DST ID Prot
      field MUST be ignored.

   o  DST ID Port (2 octets) -- Value specifying a port associated with
      the source ID.  A value of zero means that the DST ID Port field
      MUST be ignored.

   o  DST ID Data Len (1 octet) -- Value specifying the length (in
      octets) of the DST Identification Data field.

   o  DST Identification Data (variable length) -- Value, as indicated
      by the DST ID Type.

   o  Transform ID (1 octet) -- Value specifying which ESP or AH
      transform is to be used.  The list of valid values is defined in
      the IPsec ESP or IPsec AH Transform Identifiers section of the
      IANA ISAKMP registry [ISAKMP-REG].

   o  SPI (4 octets) -- Security Parameter Index for ESP.

   o  RFC 2407 Attributes -- ESP and AH Attributes from Section 4.5 of
      [RFC2407].  The GDOI supports all IPsec DOI SA Attributes for
      GDOI_PROTO_IPSEC_ESP and GDOI_PROTO_IPSEC_AH, excluding the Group
      Description (Section 4.5 of [RFC2407]), which MUST NOT be sent by
      a GDOI implementation and is ignored by a GDOI implementation if
      received.  The following attributes MUST be supported by an
      implementation supporting ESP and AH: SA Life Type, SA Life
      Duration, and Encapsulation Mode.  An implementation supporting
      ESP MUST also support the Authentication Algorithm attribute if
      the ESP transform includes authentication.  The Authentication
      Algorithm attribute of the IPsec DOI is group authentication in
      GDOI.

5.5.1.1. New IPsec Security Association Attributes
"Multicast Extensions to the Security Architecture for the Internet Protocol" (RFC 5374) introduces new requirements for a group key management system distributing IPsec policy. It also defines new attributes as part of the Group Security Policy Database (GSPD). These attributes describe policy that a group key management system must convey to a group member in order to support those extensions. The GDOI SA TEK payload distributes IPsec policy using IPsec security association attributes defined in [ISAKMP-REG]. This section defines how GDOI can convey the new attributes as IPsec Security Association Attributes.
Top   ToC   RFC6407 - Page 33
5.5.1.1.1. Address Preservation
Applications use the extensions in [RFC5374] to copy the IP addresses into the outer IP header when encapsulating an IP packet as an IPsec tunnel mode packet. This allows an IP multicast packet to continue to be routed as a IP multicast packet. This attribute also provides the necessary policy so that the GDOI group member can appropriately set up the GSPD. The following table defines values for the Address Preservation attribute. Address Preservation Type Value ------------------------- ----- Reserved 0 None 1 Source-Only 2 Destination-Only 3 Source-and-Destination 4 Unassigned 5-61439 Private Use 61440-65535 Depending on group policy, several address preservation methods are possible: no address preservation ("None"), preservation of the original source address ("Source-Only"), preservation of the original destination address ("Destination-Only"), or both addresses ("Source- and-Destination"). If this attribute is not included in a GDOI SA TEK payload provided by a GCKS, then Source-and-Destination address preservation has been defined for the SA TEK.
5.5.1.1.2. SA Direction
Depending on group policy, an IPsec SA created from an SA TEK payload is defined to be in the sending and/or receiving direction. The following table defines values for the SA Direction attribute. Name Value ---- ----- Reserved 0 Sender-Only 1 Receiver-Only 2 Symmetric 3 Unassigned 4-61439 Private Use 61440-65535 SA TEK policy used by multiple senders MUST be installed in both the sending and receiving direction ("Symmetric"), whereas SA TEK for a single sender SHOULD be installed in the receiving direction by receivers ("Receiver-Only") and in the sending direction by the sender ("Sender-Only").
Top   ToC   RFC6407 - Page 34
   An SA TEK payload that does not include the SA Direction attribute is
   treated as a Symmetric IPsec SA.  Note that Symmetric is the only
   value that can be meaningfully described for an SA TEK distributed in
   a GROUPKEY-PUSH message.  Alternatively, Receiver-Only could be
   distributed, but group senders would need to be configured to not
   receive GROUPKEY-PUSH messages in order to retain their role.

5.5.2. Other Security Protocols

Besides ESP and AH, GDOI should serve to establish SAs for secure groups needed by other Security Protocols that operate at the transport, application, and internetwork layers. These other Security Protocols, however, are in the process of being developed or do not yet exist. The following information needs to be provided for a Security Protocol to the GDOI. o The Protocol-ID for the particular Security Protocol o The SPI Size o The method of SPI generation o The transforms, attributes, and keys needed by the Security Protocol All Security Protocols MUST provide the information in the bulleted list above to guide the GDOI specification for that protocol. Definitions for the support of those Security Protocols in GDOI will be specified in separate documents. A Security Protocol MAY protect traffic at any level of the network stack. However, in all cases, applications of the Security Protocol MUST protect traffic that MAY be shared by more than two entities.

5.6. Key Download Payload

The Key Download payload contains group keys for the group specified in the SA payload. These Key Download payloads can have several security attributes applied to them based upon the security policy of the group as defined by the associated SA payload.
Top   ToC   RFC6407 - Page 35
       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
      ! Next Payload  !   RESERVED    !         Payload Length        !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
      ! Number of Key Packets         !            RESERVED2          !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
      ~                    Key Packets                                ~
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!

                      Figure 9. Key Download Payload

   The Key Download payload fields are defined as follows:

   o  Next Payload (1 octet) -- Identifier for the payload type of the
      next payload in the message.  If the current payload is the last
      in the message, then this field will be zero.

   o  RESERVED (1 octet) -- Unused; set to zero.

   o  Payload Length (2 octets) -- Length in octets of the current
      payload, including the generic payload header.

   o  Number of Key Packets (2 octets) -- Contains the total number of
      key packets being passed in this data block.

   o  Key Packets (variable) -- Several types of key packets are
      defined.  Each key packet has the following format.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
      !   KD Type     !   RESERVED    !            KD Length          !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
      !    SPI Size   !                   SPI (variable)              ~
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!
      ~                    Key Packet Attributes                      ~
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-!

                            Figure 10. Key Packet

   o  Key Download (KD) Type (1 octet) -- Identifier for the Key Data
      field of this key packet.
Top   ToC   RFC6407 - Page 36
                          Key Download Type        Value
                          -----------------        -----
                          Reserved                   0
                          TEK                        1
                          KEK                        2
                          LKH                        3
                          SID                        4
                          Unassigned                4-127
                          Private Use             128-255

   "KEK" is a single key, whereas LKH is an array of key-encrypting
   keys.

   o  Reserved (1 octet) -- Unused; set to zero.

   o  Key Download Length (2 octets) -- Length in octets of the Key
      Packet data, including the Key Packet header.

   o  SPI Size (1 octet) -- Value specifying the length in octets of the
      SPI as defined by the Protocol-ID.

   o  SPI (variable length) -- Security Parameter Index, which matches a
      SPI previously sent in a SAK or SAT payload.

   o  Key Packet Attributes (variable length) -- Contains key
      information.  The format of this field is specific to the value of
      the KD Type field.  The following sections describe the format of
      each KD Type.

5.6.1. TEK Download Type

The following attributes may be present in a TEK Download Type. Exactly one attribute matching each type sent in the SAT payload MUST be present. The attributes must follow the format defined in ISAKMP (Section 3.3 of [RFC2408]). In the table, attributes defined as TV are marked as Basic (B); attributes defined as TLV are marked as Variable (V). TEK Class Value Type --------- ----- ---- RESERVED 0 TEK_ALGORITHM_KEY 1 V TEK_INTEGRITY_KEY 2 V TEK_SOURCE_AUTH_KEY 3 V Unassigned 4-127 Private Use 128-255 Unassigned 256-32767
Top   ToC   RFC6407 - Page 37
   If no TEK key packets are included in a Registration KD payload, the
   group member can expect to receive the TEK as part of a Rekey SA.  At
   least one TEK must be included in each Rekey KD payload.  Multiple
   TEKs may be included if multiple streams associated with the SA are
   to be rekeyed.

   When an algorithm specification specifies the format of the keying
   material, the value transported in the KD payload for that key is
   passed according to that specification.  The keying material may
   contain information besides a key.  For example, "The Use of Galois/
   Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP)"
   [RFC4106] defines a salt value as part of KEYMAT.

5.6.1.1. TEK_ALGORITHM_KEY
The TEK_ALGORITHM_KEY class declares that the encryption key for this SPI is contained as the Key Packet Attribute. The encryption algorithm that will use this key was specified in the SAT payload. In the case that the algorithm requires multiple keys (e.g., 3DES), all keys will be included in one attribute. DES keys will consist of 64 bits (the 56 key bits with parity bits). Triple DES keys will be specified as a single 192-bit attribute (including parity bits) in the order that the keys are to be used for encryption (e.g., DES_KEY1, DES_KEY2, DES_KEY3).
5.6.1.2. TEK_INTEGRITY_KEY
The TEK_INTEGRITY_KEY class declares that the integrity key for this SPI is contained as the Key Packet Attribute. The integrity algorithm that will use this key was specified in the SAT payload. Thus, GDOI assumes that both the symmetric encryption and integrity keys are pushed to the GM. HMAC-SHA1 keys will consist of 160 bits [RFC2404], and HMAC-MD5 keys will consist of 128 bits [RFC2403]. HMAC-SHA2 and AES-GMAC keys will have a key length equal to the output length of the hash functions [RFC4868] [RFC4543].
5.6.1.3. TEK_SOURCE_AUTH_KEY
The TEK_SOURCE_AUTH_KEY class declares that the source authentication key for this SPI is contained in the Key Packet Attribute. The source authentication algorithm that will use this key was specified in the SAT payload.
Top   ToC   RFC6407 - Page 38

5.6.2. KEK Download Type

The following attributes may be present in a KEK Download Type. Exactly one attribute matching each type sent in the SAK payload MUST be present. The attributes MUST follow the format defined in ISAKMP (Section 3.3 of [RFC2408]). In the table, attributes defined as TV are marked as Basic (B); attributes defined as TLV are marked as Variable (V). KEK Class Value Type --------- ----- ---- RESERVED 0 KEK_ALGORITHM_KEY 1 V SIG_ALGORITHM_KEY 2 V Unassigned 3-127 Private Use 128-255 Unassigned 256-32767 If the KEK key packet is included, there MUST be only one present in the KD payload.
5.6.2.1. KEK_ALGORITHM_KEY
The KEK_ALGORITHM_KEY class declares the encryption key for this SPI is contained in the Key Packet Attribute. The encryption algorithm that will use this key was specified in the SAK payload. If the mode of operation for the algorithm requires an IV, an explicit IV MUST be included in the KEK_ALGORITHM_KEY before the actual key.
5.6.2.2. SIG_ALGORITHM_KEY
The SIG_ALGORITHM_KEY class declares that the public key for this SPI is contained in the Key Packet Attribute, which may be useful when no public key infrastructure is available. The signature algorithm that will use this key was specified in the SAK payload.

5.6.3. LKH Download Type

The LKH key packet is comprised of attributes representing different nodes in the LKH key tree. The following attributes are used to pass an LKH KEK array in the KD payload. The attributes MUST follow the format defined in ISAKMP (Section 3.3 of [RFC2408]). In the table, attributes defined as TV are marked as Basic (B); attributes defined as TLV are marked as Variable (V).
Top   ToC   RFC6407 - Page 39
                KEK Class                 Value      Type
                ---------                 -----      ----
                RESERVED                     0
                LKH_DOWNLOAD_ARRAY           1        V
                LKH_UPDATE_ARRAY             2        V
                SIG_ALGORITHM_KEY            3        V
                Unassigned                  4-127
                Private Use               128-255
                Unassigned                256-32767

   If an LKH key packet is included in the KD payload, there MUST be
   only one present.

5.6.3.1. LKH_DOWNLOAD_ARRAY
This attribute is used to download a set of keys to a group member. It MUST NOT be included in a GROUPKEY-PUSH message KD payload if the GROUPKEY-PUSH is sent to more than the group member. If an LKH_DOWNLOAD_ARRAY attribute is included in a KD payload, there MUST be only one present. This attribute consists of a header block, followed by one or more LKH keys. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! LKH Version ! # of LKH Keys ! RESERVED ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! LKH Keys ! ~ ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 11. LKH Download Array The KEK_LKH attribute fields are defined as follows: o LKH version (1 octet) -- Version of the LKH data format. Must be one. o Number of LKH Keys (2 octets) -- This value is the number of distinct LKH keys in this sequence. o RESERVED (1 octet) -- Unused; set to zero. Each LKH Key is defined as follows:
Top   ToC   RFC6407 - Page 40
       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !             LKH ID            !    Key Type   !    RESERVED   !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !                        Key Creation Date                      !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !                       Key Expiration Date                     !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !                           Key Handle                          !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !                                                               !
      ~                            Key Data                           ~
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                              Figure 12. LKH Key

   o  LKH ID (2 octets) -- Identity of the LKH node.  A GCKS is free to
      choose the ID in an implementation-specific manner (e.g., the
      position of this key in a binary tree structure used by LKH).

   o  Key Type (1 octet) -- Encryption algorithm for which this key data
      is to be used.  This value is specified in Section 5.3.3.

   o  RESERVED (1 octet) -- Unused; set to zero.

   o  Key Creation Date (4 octets) -- Unsigned time value defining a
      valid time period in seconds representing the number of seconds
      since 0 hours, 0 minutes, 0 seconds, January 1, 1970, Coordinated
      Universal Time (UTC), without including leap seconds.  [RFC5905].
      This is the time when this key data was originally generated.  A
      time value of zero indicates that there is no time before which
      this key is not valid.

   o  Key Expiration Date (4 octets) -- Unsigned time value defining a
      valid time period in seconds representing the number of seconds
      since 0 hours, 0 minutes, 0 seconds, January 1, 1970, Coordinated
      Universal Time (UTC), without including leap seconds.  [RFC5905].
      This is the time when this key is no longer valid for use.  A time
      value of zero indicates that this key does not have an expiration
      time.

   o  Key Handle (4 octets) -- Value assigned by the GCKS to uniquely
      identify a key within an LKH ID.  Each new key distributed by the
      GCKS for this node will have a key handle identity distinct from
      previous or successive key handles specified for this node.
Top   ToC   RFC6407 - Page 41
   o  Key Data (variable length) -- Key data, which is dependent on the
      Key Type algorithm for its format.  If the mode of operation for
      the algorithm requires an IV, an explicit IV MUST be included in
      the Key Data field prepended to the actual key.

   The Key Creation Date and Key Expiration Dates MAY be zero.  This is
   necessary in the case where time synchronization within the group is
   not possible.

   The first LKH Key structure in an LKH_DOWNLOAD_ARRAY attribute
   contains the Leaf identifier and key for the group member.  The rest
   of the LKH Key structures contain keys along the path of the key tree
   in order from the leaf, culminating in the group KEK.

5.6.3.2. LKH_UPDATE_ARRAY
This attribute is used to update the keys for a group. It is most likely to be included in a GROUPKEY-PUSH message KD payload to rekey the entire group. This attribute consists of a header block, followed by one or more LKH keys, as defined in the previous section. There may be any number of UPDATE_ARRAY attributes included in a KD payload. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! LKH Version ! # of LKH Keys ! RESERVED ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! LKH ID ! RESERVED2 ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! Key Handle ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! LKH Keys ! ~ ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 13. LKH Update Array o LKH version (1 octet) -- Version of the LKH data format. Must be one. o Number of LKH Keys (2 octets) -- Number of distinct LKH keys in this sequence. o RESERVED (1 octet) -- Unused; set to zero.
Top   ToC   RFC6407 - Page 42
   o  LKH ID (2 octets) -- Node identifier associated with the key used
      to encrypt the first LKH Key.

   o  RESERVED2 (2 octets) -- Unused; set to zero.

   o  Key Handle (4 octets) -- Value assigned by the GCKS to uniquely
      identify the key within the LKH ID used to encrypt the first LKH
      Key.

   The LKH Keys are as defined in the previous section.  The LKH Key
   structures contain keys along the path of the key tree in order from
   the LKH ID found in the LKH_UPDATE_ARRAY header, culminating in the
   group KEK.  The Key Data field of each LKH Key is encrypted with the
   LKH key preceding it in the LKH_UPDATE_ARRAY attribute.  The first
   LKH Key is encrypted under the key defined by the LKH ID and Key
   Handle found in the LKH_UPDATE_ARRAY header.

5.6.3.3. SIG_ALGORITHM_KEY
The SIG_ALGORITHM_KEY class declares that the public key for this SPI is contained in the Key Packet Attribute, which may be useful when no public key infrastructure is available. The signature algorithm that will use this key was specified in the SAK payload.

5.6.4. SID Download Type

This attribute is used to download one or more Sender-ID (SID) values for the exclusive use of a group member. The SID Download Type does not require an SPI. When the KD Type is SID, the SPI Size field MUST be zero, and the SPI field is omitted. SID Class Value Type --------- ----- ---- RESERVED 0 NUMBER_OF_SID_BITS 1 B SID_VALUE 2 V Unassigned 3-128 Private Use 129-255 Unassigned 256-32767 Because a SID value is intended for a single group member, the SID Download type MUST NOT be distributed in a GROUPKEY-PUSH message distributed to multiple group members.
Top   ToC   RFC6407 - Page 43
5.6.4.1. NUMBER_OF_SID_BITS
The NUMBER_OF_SID_BITS class declares how many bits of the cipher nonce in which to represent a SID value. This value is applied to each SID value distributed in the SID Download.
5.6.4.2. SID_VALUE
The SID_VALUE class declares a single SID value for the exclusive use of the group member. Multiple SID_VALUE attributes MAY be included in a SID Download.
5.6.4.3. Group Member Semantics
The SID_VALUE attribute value distributed to the group member MUST be used by that group member as the SID field portion of the IV for all Data-Security SAs including a counter-based mode of operation distributed by the GCKS as a part of this group. When the Sender-Specific IV (SSIV) field for any Data-Security SA is exhausted, the group member MUST no longer act as a sender on that SA using its active SID. The group member SHOULD re-register, at which time the GCKS will issue a new SID to the group member, along with either the same Data-Security SAs or replacement ones. The new SID replaces the existing SID used by this group member and also resets the SSIV value to its starting value. A group member MAY re-register prior to the actual exhaustion of the SSIV field to avoid dropping data packets due to the exhaustion of available SSIV values combined with a particular SID value. GROUPKEY-PUSH message may include Data-Security SAs that are distributed to the group member for the first time. A SID previously issued to the receiving group member is used with counter-based mode of operation Data-Security SAs on which the group member acts as a sender. Because this Data-Security SA has not previously been used for transmission, the SSIV field should be set to its starting value.
5.6.4.4. GCKS Semantics
If any KD payload includes keying material that is associated with a counter-mode of operation, a SID Download Type KD payload containing at least one SID_VALUE attribute MUST be included. The GCKS MUST NOT send the SID Download Type KD payload as part of a GROUPKEY-PUSH message because distributing the same sender-specific policy to more than one group member will reduce the security of the group.
Top   ToC   RFC6407 - Page 44

5.7. Sequence Number Payload

The Sequence Number (SEQ) Payload provides an anti-replay protection for GROUPKEY-PUSH messages. Its use is similar to the Sequence Number field defined in the IPsec ESP protocol [RFC4303]. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! Next Payload ! RESERVED ! Payload Length ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! Sequence Number ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 14. Sequence Number Payload The Sequence Number Payload fields are defined as follows: o Next Payload (1 octet) -- Identifier for the payload type of the next payload in the message. If the current payload is the last in the message, then this field will be zero. o RESERVED (1 octet) -- Unused; set to zero. o Payload Length (2 octets) -- Length in octets of the current payload, including the generic payload header. MUST be a value of 8. o Sequence Number (4 octets) -- This field contains a monotonically increasing counter value for the group. It is initialized to zero by the GCKS and incremented in each subsequently transmitted message. Thus, the first packet sent for a given Rekey SA will have a Sequence Number of 1. The GDOI implementation keeps a sequence counter as an attribute for the Rekey SA and increments the counter upon receipt of a GROUPKEY-PUSH message. The current value of the sequence number MUST be transmitted to group members as a part of the Registration SA payload.

5.8. Nonce

The data portion of the Nonce payload (i.e., Ni_b and Nr_b included in the HASHs) MUST be a value between 8 and 128 octets.
Top   ToC   RFC6407 - Page 45

5.9. Delete

There are times the GCKS may want to signal to receivers to delete SAs, for example, at the end of a broadcast. Deletion of keys may be accomplished by sending an ISAKMP Delete payload (Section 3.15 of [RFC2408]) as part of a GDOI GROUPKEY-PUSH message. One or more Delete payloads MAY be placed following the SEQ payload in a GROUPKEY-PUSH message. If a GCKS has no further SAs to send to group members, the SA and KD payloads MUST be omitted from the message. The following fields of the Delete payload are further defined as follows: o The Domain of Interpretation field contains the GDOI DOI. o The Protocol-ID field contains TEK protocol ID values defined in Section 5.5 of this document. To delete a KEK SA, the value of zero MUST be used as the protocol ID. Note that only one protocol ID value can be defined in a Delete payload. Thus, if a TEK SA and a KEK SA are to be deleted, their SPI values MUST be sent in different Delete payloads. There may be circumstances where the GCKS may want to start over with a clean slate. If the administrator is no longer confident in the integrity of the group, the GCKS can signal deletion of all policy of a particular TEK protocol by sending a TEK with an SPI value equal to zero in the delete payload. For example, if the GCKS wishes to remove all the KEKs and all the TEKs in the group, the GCKS SHOULD send a delete payload with an SPI of zero and a Protocol-ID of a TEK Protocol-ID value, followed by another delete payload with an SPI value of zero and Protocol-ID of zero, indicating that the KEK SA should be deleted.


(page 45 continued on part 3)

Next Section