Network Working Group V. Smyslov Internet-Draft ELVIS-PLUS Obsoletes: 6407 (if approved) B. Weis Updates: 7296 (if approved) Independent Intended status: Standards Track April 6, 2022 Expires: October 8, 2022 Group Key Management using IKEv2 draft-ietf-ipsecme-g-ikev2-06 Abstract This document presents an extension to the Internet Key Exchange version 2 (IKEv2) protocol for the purpose of a group key management. The protocol is in conformance with the Multicast Security (MSEC) key management architecture, which contains two components: member registration and group rekeying. Both components require a Group Controller/Key Server to download IPsec group security associations to authorized members of a group. The group members then exchange IP multicast or other group traffic as IPsec packets. This document obsoletes RFC 6407. This documents also updates RFC 7296 by renaming one of transform types defined there. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on October 8, 2022. Copyright Notice Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents Smyslov & Weis Expires October 8, 2022 [Page 1] Internet-Draft G-IKEv2 April 2022 (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction and Overview . . . . . . . . . . . . . . . . . . 3 1.1. Requirements Notation . . . . . . . . . . . . . . . . . . 5 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5 2. G-IKEv2 Protocol . . . . . . . . . . . . . . . . . . . . . . 7 2.1. G-IKEv2 Integration into IKEv2 Protocol . . . . . . . . . 7 2.1.1. G-IKEv2 Transport and Port . . . . . . . . . . . . . 7 2.2. G-IKEv2 Payloads . . . . . . . . . . . . . . . . . . . . 8 2.3. G-IKEv2 Member Registration and Secure Channel Establishment . . . . . . . . . . . . . . . . . . . . . . 9 2.3.1. GSA_AUTH exchange . . . . . . . . . . . . . . . . . . 9 2.3.2. GSA_REGISTRATION Exchange . . . . . . . . . . . . . . 11 2.3.3. GM Registration Operations . . . . . . . . . . . . . 12 2.3.4. GCKS Registration Operations . . . . . . . . . . . . 14 2.4. Group Maintenance Channel . . . . . . . . . . . . . . . . 15 2.4.1. GSA_REKEY . . . . . . . . . . . . . . . . . . . . . . 16 2.4.2. GSA_INBAND_REKEY Exchange . . . . . . . . . . . . . . 22 2.4.3. Deletion of SAs . . . . . . . . . . . . . . . . . . . 22 2.5. Counter-based modes of operation . . . . . . . . . . . . 23 2.5.1. Allocation of SIDs . . . . . . . . . . . . . . . . . 24 2.5.2. GM Usage of SIDs . . . . . . . . . . . . . . . . . . 25 2.6. Replay Protection for Multicast Data-Security SAs . . . . 25 3. Group Key Management and Access Control . . . . . . . . . . . 26 3.1. Key Wrap Keys . . . . . . . . . . . . . . . . . . . . . . 26 3.1.1. Default Key Wrap Key . . . . . . . . . . . . . . . . 27 3.2. GCKS Key Management Semantics . . . . . . . . . . . . . . 27 3.2.1. Forward Access Control Requirements . . . . . . . . . 28 3.3. GM Key Management Semantics . . . . . . . . . . . . . . . 28 3.4. SA Keys . . . . . . . . . . . . . . . . . . . . . . . . . 30 4. Header and Payload Formats . . . . . . . . . . . . . . . . . 31 4.1. G-IKEv2 Header . . . . . . . . . . . . . . . . . . . . . 31 4.2. Group Identification Payload . . . . . . . . . . . . . . 31 4.3. Security Association - GM Supported Transforms Payload . 31 4.4. Group Security Association Payload . . . . . . . . . . . 32 4.4.1. Group Policies . . . . . . . . . . . . . . . . . . . 32 4.4.2. Group Security Association Policy Substructure . . . 33 4.4.3. Group Associated Policy Substructure . . . . . . . . 40 4.5. Key Download Payload . . . . . . . . . . . . . . . . . . 42 4.5.1. Wrapped Key Format . . . . . . . . . . . . . . . . . 42 Smyslov & Weis Expires October 8, 2022 [Page 2] Internet-Draft G-IKEv2 April 2022 4.5.2. Group Key Packet Substructure . . . . . . . . . . . . 44 4.5.3. Member Key Packet Substructure . . . . . . . . . . . 46 4.6. Delete Payload . . . . . . . . . . . . . . . . . . . . . 48 4.7. Notify Payload . . . . . . . . . . . . . . . . . . . . . 48 4.7.1. USE_TRANSPORT_MODE Notification . . . . . . . . . . . 49 4.8. Authentication Payload . . . . . . . . . . . . . . . . . 50 5. Usigng G-IKEv2 Attributes . . . . . . . . . . . . . . . . . . 50 6. Interaction with other IKEv2 Protocol Extensions . . . . . . 52 6.1. Mixing Preshared Keys in IKEv2 for Post-quantum Security 53 7. Security Considerations . . . . . . . . . . . . . . . . . . . 55 7.1. GSA Registration and Secure Channel . . . . . . . . . . . 55 7.2. GSA Maintenance Channel . . . . . . . . . . . . . . . . . 55 7.2.1. Authentication/Authorization . . . . . . . . . . . . 55 7.2.2. Confidentiality . . . . . . . . . . . . . . . . . . . 55 7.2.3. Man-in-the-Middle Attack Protection . . . . . . . . . 55 7.2.4. Replay/Reflection Attack Protection . . . . . . . . . 55 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 56 8.1. New Registries . . . . . . . . . . . . . . . . . . . . . 56 8.2. Changes in the Existing IKEv2 Registries . . . . . . . . 57 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 59 10. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 60 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 60 11.1. Normative References . . . . . . . . . . . . . . . . . . 60 11.2. Informative References . . . . . . . . . . . . . . . . . 61 Appendix A. Use of LKH in G-IKEv2 . . . . . . . . . . . . . . . 65 A.1. Notation . . . . . . . . . . . . . . . . . . . . . . . . 65 A.2. Group Creation . . . . . . . . . . . . . . . . . . . . . 65 A.3. Simple Group SA Rekey . . . . . . . . . . . . . . . . . . 66 A.4. Group Member Exclusion . . . . . . . . . . . . . . . . . 66 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 68 1. Introduction and Overview A group key management protocol provides IPsec keys and policy to a set of IPsec devices which are authorized to communicate using a Group Security Association (GSA) defined in [RFC3740]. The data communications within the group (e.g., IP multicast packets) are protected by a key pushed to the group members (GMs) by the Group Controller/Key Server (GCKS). This document presents an extension to IKEv2 [RFC7296] called G-IKEv2, that allows to perform a group key management. G-IKEv2 conforms to the Multicast Group Security Architecture [RFC3740], Multicast Extensions to the Security Architecture for the Internet Protocol [RFC5374] and the Multicast Security (MSEC) Group Key Management Architecture [RFC4046]. G-IKEv2 replaces GDOI [RFC6407], which defines a similar group key management protocol using IKEv1 [RFC2409] (since deprecated by IKEv2). When G-IKEv2 is Smyslov & Weis Expires October 8, 2022 [Page 3] Internet-Draft G-IKEv2 April 2022 used, group key management use cases can benefit from the simplicity, increased robustness and cryptographic improvements of IKEv2 (see Appendix A of [RFC7296]. A GM begins a "registration" exchange when it first joins the group. With G-IKEv2, the GCKS authenticates and authorizes GMs, then pushes policy and keys used by the group to the GM. G-IKEv2 includes two "registration" exchanges. The first is the GSA_AUTH exchange ( Section 2.3.1), which is used when a GM first conatcts a GCKS. The second is the GSA_REGISTRATION exchange (Section 2.3.2), which a GM can use within an established IKE SA. Group rekeys are accomplished using either the GSA_REKEY pseudo-exchange (a single message distributed to all GMs, usually as a multicast message), or as a GSA_INBAND_REKEY exchange delivered individually to group members using existing IKE SAs). Large and small groups may use different sets of these protocols. When a large group of devices are communicating, the GCKS is likely to use the GSA_REKEY message for efficiency. This is shown in Figure 1. (Note: For clarity, IKE_SA_INIT is omitted from the figure.) +--------+ +------------->| GCKS |<-------------+ | +--------+ | | | ^ | | | | | | | GSA_AUTH | | | or | | | GSA_REGISTRATION | | | | | GSA_AUTH | | GSA_AUTH or GSA_REKEY | or GSA_REGISTRATION | | GSA_REGISTRATION | | | | | +------------+-----------------+ | | | | | | | v v v v v v +-------+ +--------+ +-------+ | GM | ... | GM | ... | GM | +-------+ +--------+ +-------+ ^ ^ ^ | | | +-------ESP-------+-------ESP------+ Figure 1: G-IKEv2 used in large groups Smyslov & Weis Expires October 8, 2022 [Page 4] Internet-Draft G-IKEv2 April 2022 Alternatively, a small group may simply use the GSA_AUTH as a registration protocol, where the GCKS issues rekeys using the GSA_INBAND_REKEY within the same IKE SA. The GCKS is also likely to be a GM in a small group (as shown in Figure 2.) GSA_AUTH, GSA_INBAND_REKEY +-----------------------------------------------+ | | | GSA_AUTH, GSA_INBAND_REKEY | | +-----------------------------+ | | | | | | | GSA_AUTH, GSA_INBAND_REKEY | | | | +--------+ | | v v v v v v +---------+ +----+ +----+ +----+ | GCKS/GM | | GM | | GM | | GM | +---------+ +----+ +----+ +----+ ^ ^ ^ ^ | | | | +----ESP-----+------ESP-------+-----ESP-----+ Figure 2: G-IKEv2 used in small groups A combination of these approaches is also possible. For example, the GCKS may use more robust GSA_INBAND_REKEY to provide keys for some GMs (for example, those acting as senders in the group) and GSA_REKEY for the rest. IKEv2 message semantics are preserved in that all communications consists of message request-response pairs. The exception to this rule is the GSA_REKEY pseudo-exchange, which is a single message delivering group updates to the GMs. 1.1. Requirements Notation The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. 1.2. Terminology It is assumed that readers are familiar with the IPsec architecture [RFC4301], its extension for multicast [RFC5374]. This document defines an extension to the IKEv2 protocol [RFC7296], so it is assumed that readers have good understanding of this protocol. Smyslov & Weis Expires October 8, 2022 [Page 5] Internet-Draft G-IKEv2 April 2022 The following key terms are used throughout this document (mostly borrowed from [RFC5374] and [RFC6407]). Group A set of devices that work together to protect group communications. Group Member (GM) An IPsec device that belongs to a group. A Group Member is authorized to be a Group Sender and/or a Group Receiver. Group Receiver A Group Member that is authorized to receive packets sent to a group by a Group Sender. Group Sender A Group Member that is authorized to send packets to a group. Group Key Management (GKM) Protocol A key management protocol used by a GCKS to distribute IPsec Security Association policy and keying material. A GKM protocol is used when a group of IPsec devices require the same SAs. For example, when an IPsec SA describes an IP multicast destination, the sender and all receivers need to have the group SA. Group Controller Key Server (GCKS) A Group Key Management (GKM) protocol server that manages IPsec state for a group. A GCKS authenticates and provides the IPsec SA policy and keying material to GKM Group Members. Data-Security SA The security policy distributed by a GDOI GCKS describing traffic that is expected to be protected by group members. This document described the distribution of IPsec AH and ESP Data-Security SAs. Rekey SA The security policy protecting Group Key Management Protocol. Group Security Association (GSA) A collection of Data-Security Associations (SAs) and Rekey SAs necessary for a Group Member to receive key updates. A GSA describes the working policy for a group. Refer to [RFC4046] for additional information. Traffic Encryption Key (TEK) Smyslov & Weis Expires October 8, 2022 [Page 6] Internet-Draft G-IKEv2 April 2022 The symmetric cipher key used in a Data-Security SA (e.g., IPsec ESP) to protect trafic. Key Encryption Key (KEK) The symmetric cipher key used in a Rekey SA to protect distribution of new keys. Key Wrap Key (KWK) The symmetric cipher key used to protect another key. Group Associated Policy (GAP) Group-wide policy not related to a particular SA. Sender-ID (SID) A unigue identifier of a Group Sender in the context of an active GSA, used to form Initialization Vector (IV) in counter- based cipher modes. Logical Key Hierarchy (LKH) A group management method defined in Section 5.4 of [RFC2627]. 2. G-IKEv2 Protocol 2.1. G-IKEv2 Integration into IKEv2 Protocol G-IKEv2 is an extension to IKEv2 and uses its security mechanisms (peer authentication, confidentiality, message integrity) to ensure that only authenticated devices have access to the group policy and keys. G-IKEv2 further provides group authorization, and secure policy and key download from the GCKS to GMs. G-IKEv2 is compatible with most IKEv2 extensions defined so far and it is believed that future IKEv2 extensions will also be possible to use with G-IKEv2. However some IKEv2 extensions require special handling if used with G-IKEv2. See Section 6 for more details. It is assumed that readers are familiar with the IKEv2 protocol, so this document skips many details that are described in [RFC7296]. 2.1.1. G-IKEv2 Transport and Port G-IKEv2 SHOULD use UDP port 848, the same as GDOI [RFC6407], because they serve a similar function. They can use the same ports, just as IKEv1 and IKEv2 can share port 500. The version number in the IKE header distinguishes the G-IKEv2 protocol from GDOI protocol [RFC6407]. G-IKEv2 MAY also use the IKEv2 ports (500, 4500), which would provide a better integration with IKEv2. G-IKEv2 MAY also use Smyslov & Weis Expires October 8, 2022 [Page 7] Internet-Draft G-IKEv2 April 2022 TCP transport for registration (unicast) IKE SA, as defined in [RFC8229]. Section 2.23 of [RFC7296] describes how IKEv2 deals with NATs. Despite the fact, that with G-IKEv2 the registration SA doesn't create any unicast IPsec SAs and thus there is no unicast ESP traffic between the GM and the GCKS to encapsulate in UDP if NAT is present, the actions described in this section concerned with the IKE SA MUST be honored. If the GM and the GCKS used UDP port 848 for the IKE_SA_INIT exchange, they MUST behave as if they used UDP port 500. 2.2. G-IKEv2 Payloads In the following descriptions, the payloads contained in the G-IKEv2 messages are indicated by names as listed below. Notation Payload ------------------------------------------------------------ AUTH Authentication CERT Certificate CERTREQ Certificate Request D Delete GSA Group Security Association HDR IKEv2 Header IDg Identification - Group IDi Identification - Initiator IDr Identification - Responder KD Key Download KE Key Exchange Ni, Nr Nonce N Notify SA Security Association SAg Security Association - GM Supported Transforms Payloads defined as part of other IKEv2 extensions MAY also be included in these messages. Payloads that may optionally appear in G-IKEv2 messages will be shown in brackets, such as [CERTREQ]. G-IKEv2 defines several new payloads not used in IKEv2: o IDg (Group ID) -- The GM requests the GCKS for membership into the group by sending its IDg payload. o GSA (Group Security Association) -- The GCKS sends the group policy to the GM using this payload. o KD (Key Download) -- The GCKS sends the keys and the security parameters to the GMs using the KD payload. Smyslov & Weis Expires October 8, 2022 [Page 8] Internet-Draft G-IKEv2 April 2022 o SAg (Security Association -- GM Supported Transforms) -- the GM sends supported transforms, so that GCKS may select a policy appropriate for all members of the group. The details of the contents of each payload are described in Section 4. 2.3. G-IKEv2 Member Registration and Secure Channel Establishment The registration protocol consists of a minimum of two exchanges, IKE_SA_INIT and GSA_AUTH; member registration may have a few more messages exchanged if the EAP method, cookie challenge (for DoS protection), negotiation of Diffie-Hellman group or IKEv2 extensions based on [I-D.ietf-ipsecme-ikev2-intermediate] are used. Each exchange consists of request/response pairs. The first exchange IKE_SA_INIT is defined in IKEv2 [RFC7296]. This exchange negotiates cryptographic algorithms, exchanges nonces and computes a shared key between the GM and the GCKS. The second exchange GSA_AUTH authenticates the previously exchanged messages, exchanges identities and certificates. The GSA_AUTH messages are encrypted and integrity protected with keys established through the previous exchanges, so the identities are hidden from eavesdroppers and all fields in all the messages are authenticated. The GCKS SHOULD authorize group members to be allowed into the group as part of the GSA_AUTH exchange. Once the GCKS accepts a group member to join a group it will download the data security keys (TEKs) and/or group key encrypting key (KEK) as part of the GSA_AUTH response message. 2.3.1. GSA_AUTH exchange After the group member and GCKS negotiate cryptographic algorithms, exchange nonces, and compute shared keys as defined in IKEv2 [RFC7296], the GSA_AUTH exchange MUST complete before any other exchanges defined in this document can be done. GSA_AUTH is used to authenticate the previous exchanges, exchange identities and certificates. G-IKEv2 also uses this exchange for group member registration and authorization. The GSA_AUTH exchange is identical to the IKE_AUTH exchange with the difference that its goal is to establish multicast Data-Security SAs and optionally provide GM with the keys for Rekey SA. The set of payloads in the GSA_AUTH exchange is slightly different, because policy is not negotiated between the group member and the GCKS, but instead downloaded from the GCKS to the group member. Note also, that GSA_AUTH has its own exchange type, which is different from the IKE_AUTH exchange type. Smyslov & Weis Expires October 8, 2022 [Page 9] Internet-Draft G-IKEv2 April 2022 Nevertheless, the security properties of the GSA_AUTH exchange are the same as the properties of the IKE_AUTH exchange and most IKEv2 extensions to the IKE_AUTH exchange (like [RFC6467]) can also be used with the GSA_AUTH exchange. Initiator (Member) Responder (GCKS) -------------------- ------------------ HDR, SK{IDi, [CERT,] [CERTREQ,] [IDr,] AUTH, IDg, [SAg,] [N]} --> Figure 3: GSA_AUTH Request A group member initiates a GSA_AUTH request to join a group indicated by the IDg payload. The GM MAY include an SAg payload declaring which Transforms it is willing to accept. A GM that intends to act as Group Sender SHOULD include a Notify payload status type of SENDER, which enables the GCKS to provide any additional policy necessary by group senders. Initiator (Member) Responder (GCKS) -------------------- ------------------ <-- HDR, SK{IDr, [CERT,] AUTH, [GSA, KD,] [N,]} Figure 4: GSA_AUTH Normal Response The GCKS responds with IDr, optional CERT, and AUTH payloads as if it were an IKE_AUTH. It also informs the group member of the cryptographic policies of the group in the GSA payload and the key material in the KD payload. In addition to the IKEv2 error handling, the GCKS can reject the registration request when the IDg is invalid or authorization fails, etc. In these cases, see Section 4.7, the GSA_AUTH response will not include the GSA and KD, but will include a Notify payload indicating errors. If a GM included an SAg payload, and the GCKS chooses to evaluate it, and the GCKS detects that the group member cannot support the security policy defined for the group, then the GCKS SHOULD return a NO_PROPOSAL_CHOSEN. Other types of error notifications can be INVALID_GROUP_ID, AUTHORIZATION_FAILED or REGISTRATION_FAILED. Initiator (Member) Responder (GCKS) -------------------- ------------------ <-- HDR, SK{IDr, [CERT,] AUTH, N} Figure 5: GSA_AUTH Error Response Smyslov & Weis Expires October 8, 2022 [Page 10] Internet-Draft G-IKEv2 April 2022 If the group member finds the policy sent by the GCKS is unacceptable, the member SHOULD initiate GSA_REGISTRATION exchange sending IDg and the Notify NO_PROPOSAL_CHOSEN (see Section 2.3.2)). 2.3.2. GSA_REGISTRATION Exchange When a secure channel is already established between a GM and the GCKS, the GM registration for a group can reuse the established secure channel. In this scenario the GM will use the GSA_REGISTRATION exchange. Payloads in the exchange are generated and processed as defined in Section 2.3.1. Initiator (Member) Responder (GCKS) -------------------- ------------------ HDR, SK{IDg, [SAg,][N ]} --> <-- HDR, SK{GSA,] [N,]} Figure 6: GSA_REGISTRATION Normal Exchange As with GSA_AUTH exchange, the GCKS can reject the registration request when the IDg is invalid or authorization fails, or GM cannot support the security policy defined for the group (which can be concluded by GCKS by evaluation of SAg payload). In this case the GCKS returns an appropriate error notification as described in Section 2.3.1. Initiator (Member) Responder (GCKS) -------------------- ------------------ HDR, SK{IDg, [SAg,] [N]} --> <-- HDR, SK{N} Figure 7: GSA_REGISTRATION Error Exchange This exchange can also be used if the group member finds the policy sent by the GCKS is unacceptable. The group member SHOULD notify the GCKS by sending IDg and the Notify type NO_PROPOSAL_CHOSEN, as shown below. The GCKS in this case MUST remove the GM from the group IDg. Initiator (Member) Responder (GCKS) -------------------- ------------------ HDR, SK{IDg, N} --> <-- HDR, SK{} Figure 8: GM Reporting Errors in GSA_REGISTRATION Exchange Smyslov & Weis Expires October 8, 2022 [Page 11] Internet-Draft G-IKEv2 April 2022 2.3.3. GM Registration Operations A G-IKEv2 Initiator (GM) requesting registration contacts the GCKS using the IKE_SA_INIT exchange and receives the response from the GCKS. This exchange is unchanged from the IKE_SA_INIT in IKEv2 protocol. The IKE_SA_INIT exchange may optionally be followed by one or more the IKE_INTERMEDIATE exchanges if the GM and the GCKS negotiated using IKEv2 extensions based on this exchange. Next the GM sends the GSA_AUTH request message with the IKEv2 payloads from IKE_AUTH (without the SAi2, TSi and TSr payloads) along with the Group ID informing the GCKS of the group the initiator wishes to join. An initiator intending to emit data traffic SHOULD send a SENDER Notify payload status. The SENDER notification not only signifies that it is a sender, but provides the initiator the ability to request Sender-ID (SID) values, in case the Data-Security SA supports a counter mode cipher. Section 2.5) includes guidance on requesting Sender-ID values. A GM may be limited in the types of Transforms that it is able or willing to use, and may find it useful to inform the GCKS which Transforms it is willing to accept for different security protocols by including the SAg payload into the request message. Proposals for Rekey SA (with protocol GIKE_REKEY) and for Data-Security (AH [RFC4302] and/or ESP [RFC4303]) SAs may be included into SAg. Each Proposal contains a list of Transforms that the GM is able and willing to support for that protocol. Valid transform types depend on the protocol and are defined in Figure 16. Other transform types SHOULD NOT be included. The SPI length of each Proposal in an SAg is set to zero, and thus the SPI field is empty. The GCKS MUST ignore SPI length and SPI fields in the SAg payload. Generally, a single Proposal of each type will suffice, because the group member is not negotiating Transform sets, simply alerting the GCKS to restrictions it may have. In particular, the restriction from Section 3.3 of [RFC7296] that AEAD and non-AEAD transforms must not be combined in a single proposal doesn't hold when the SAg payload is being formed. However if the GM has restrictions on combination of algorithms, this can be expressed by sending several proposals. Proposal Num field in Proposal substructure is treated specially in SAg payload: it allows a GM to indicate that algorithms used in Rekey SA and in Data-Security (AH and/or ESP) SAs are dependent. In particular, Proposals of different types having the same value in Proposal Num field are treated as a set, so that if GCKS uses transforms from one of such Proposal for one protocol, then it MUST only use transforms from one of the Proposals with the same value in Smyslov & Weis Expires October 8, 2022 [Page 12] Internet-Draft G-IKEv2 April 2022 Proposal Num field for other protocols. For example, a GM may support algorithms X and Y for both Rekey and Data-Security SAs, but with a restriction that if X is used in Rekey SA, then only X can be used in Data-Security SAs, and the same for Y. To indicate this the GM sends several Proposals marking those of them that must be used in conjunction by putting the same value in their Proposal Num field. In the simplest case when no dependency between transforms exists, all Proposals in SAg payload will have the same value in Proposal Num field. Although the SAg payload is optional, it is RECOMMENDED for the GM to include this payload into the GSA_AUTH request to allow the GCKS to select an appropriate policy. A GM may also indicate the support for IPcomp by inclusion one or more the IPCOMP_SUPPORTED notifications along with the SAg payload. The CPI in these notifications is set to zero and MUST be ignored by the GCKS. Upon receiving the GSA_AUTH response, the initiator parses the response from the GCKS authenticating the exchange using the IKEv2 method, then processes the GSA and KD payloads. The GSA payload contains the security policy and cryptographic protocols used by the group. This policy describes the optional Rekey SA (KEK), Data-security SAs (TEK), and optional Group Associated policy (GAP). If the policy in the GSA payload is not acceptable to the GM, it SHOULD notify the GCKS by initiating a GSA_REGISTRATION exchange with a NO_PROPOSAL_CHOSEN Notify payload (see Section 2.3.2). Note, that this should normally not happen if the GM includes SAg payload in the GSA_AUTH request and the GCKS takes it into account. Finally the KD payload is parsed providing the keying material for the TEK and/or KEK. The GM interprets the KD key packets, where each key packet includes the keying material for SAs distributed in the GSA payload. Keying material is matched by comparing the SPIs in the key packets to SPIs previously included in the GSA payloads. Once TEK keys and policy are matched, the GM provides them to the data security subsystem, and it is ready to send or receive packets matching the TEK policy. The GSA KEK policy MUST include the attribute GSA_INITIAL_MESSAGE_ID with a first Message ID the GM should expect to receive if it is non- zero. The value of the attribute MUST be checked by a GM against any previously received Message ID for this group. If it is less than the previously received number, it should be considered stale and ignored. This could happen if two GSA_AUTH exchanges happened in parallel, and the Message ID changed. This attribute is used by the GM to prevent GSA_REKEY message replay attacks. The first GSA_REKEY Smyslov & Weis Expires October 8, 2022 [Page 13] Internet-Draft G-IKEv2 April 2022 message that the GM receives from the GCKS must have a Message ID greater or equal to the Message ID received in the GSA_INITIAL_MESSAGE_ID attribute. Once a GM successfully registers to the group it MUST replace any information related to this group (policy, keys) that it might have as a result of a previous registration with a new one. Once a GM has received GIKE_REKEY policy during a registration the IKE SA may be closed. However, the GM SHOULD NOT close IKE SA, it is the GCKS who makes the decision whether to close or keep it, because depending on the policy the IKE SA may be used for inband rekeying for small groups. If inband rekeying is used, then the initial IKE SA is rekeyed (when necessary) via standard IKEv2 mechanism described in Section 1.3.2 of [RFC7296]. If for some reason this SA is teared down and no GIKE_REKEY policy was received during the registration process, the GM MUST consider itself excluded from the group. To continue participating in the group the GM should re-register. 2.3.4. GCKS Registration Operations A G-IKEv2 GCKS passively listens for incoming requests from group members. When the GCKS receives an IKE_SA_INIT request, it selects an IKE proposal and generates a nonce and DH to include them in the IKE_SA_INIT response. Upon receiving the GSA_AUTH request, the GCKS authenticates the group member using the same procedures as in the IKEv2 IKE_AUTH. The GCKS then authorizes the group member according to group policy before preparing to send the GSA_AUTH response. If the GCKS fails to authorize the GM, it will respond with an AUTHORIZATION_FAILED notify message. The GCKS may also respond with an INVALID_GROUP_ID notify message if the requested group is unknown to the GCKS or with an REGISTRATION_FAILED notify message if there is a problem with the requested group (for example the capacity of the group is exceeded). The GSA_AUTH response will include the group policy in the GSA payload and keys in the KD payload. If the GCKS policy includes a group rekey option, it MUST include the GSA_INITIAL_MESSAGE_ID attribute, specifying the starting Message ID the GCKS will use when sending the GSA_REKEY message to the group members if this Message ID is non-zero. This Message ID is used to prevent GSA_REKEY message replay attacks and will be increased each time a GSA_REKEY message is sent to the group. The GCKS data traffic policy is included in the GSA TEK and keys are included in the KD TEK. The GAP MAY also be included to provide the ATD and/or DTD (Section 4.4.3.1) specifying activation and deactivation delays for SAs generated from the TEKs. If the group member has indicated that it is a sender of data traffic Smyslov & Weis Expires October 8, 2022 [Page 14] Internet-Draft G-IKEv2 April 2022 and one or more Data Security SAs distributed in the GSA payload included a counter mode of operation, the GCKS responds with one or more SIDs (see Section 2.5). [RFC5374] defines two modes of operation for multicast Data-Securirt SAs: transport mode and tunnel mode with address preservation. In the latter case outer source and destination addresses are taken from the inner IP packet. If the GCKS receives a GSA_REGISTRATION exchange with a request to register a GM to a group, the GCKS will need to authorize the GM with the new group (IDg) and respond with the corresponding group policy and keys. If the GCKS fails to authorize the GM, it will respond with the AUTHORIZATION_FAILED notification. The GCKS may also respond with an INVALID_GROUP_ID or REGISTRATION_FAILED notify messages for the reasons described above. If a group member includes an SAg in its GSA_AUTH or GSA_REGISTRATION request, the GCKS may evaluate it according to an implementation specific policy. o The GCKS could evaluate the list of Transforms and compare it to its current policy for the group. If the group member did not include all of the ESP or AH Transforms that match the current group policy, then the GCKS SHOULD return a NO_PROPOSAL_CHOSEN Notification. o The GCKS could store the list of Transforms, with the goal of migrating the group policy to a different Transforms when all of the group members indicate that they can support that Transforms. o The GCKS could store the list of Transforms and adjust the current group policy based on the capabilities of the devices as long as they fall within the acceptable security policy of the GCKS. Depending on its policy, the GCKS may have no need for the IKE SA (e.g., it does not plan to initiate an GSA_INBAND_REKEY exchange). If the GM does not initiate another registration exchange or Notify (e.g., NO_PROPOSAL_CHOSEN), and also does not close the IKE SA and the GCKS is not intended to use the SA, then after a short period of time the GCKS SHOULD close the IKE SA. 2.4. Group Maintenance Channel The GCKS is responsible for rekeying the secure group per the group policy. Rekeying is an operation whereby the GCKS provides replacement TEKs and KEK, deleting TEKs, and/or excluding group members. The GCKS may initiate a rekey message if group membership Smyslov & Weis Expires October 8, 2022 [Page 15] Internet-Draft G-IKEv2 April 2022 and/or policy has changed, or if the keys are about to expire. Two forms of group maintenance channels are provided in G-IKEv2 to push new policy to group members. GSA_REKEY The GSA_REKEY is a pseudo-exchange initiated by the GCKS, where the rekey policy is usually delivered to group members using IP multicast as a transport. This is not a real IKEv2 exchange, since no response messages are sent. This method is valuable for large and dynamic groups, and where policy may change frequently and a scalable rekeying method is required. When the GSA_REKEY is used, the IKE SA protecting the member registration exchanges is usually terminated, and group members await policy changes from the GCKS via the GSA_REKEY messages. GSA_INBAND_REKEY The GSA_INBAND_REKEY is a normal IKEv2 exchange using the IKE SA that was setup to protecting the member registration exchange. This exchange allows the GCKS to rekey without using an independent GSA_REKEY pseudo-exchange. The GSA_INBAND_REKEY exchange provides a reliable policy delivery and is useful when G-IKEv2 is used with a small group of cooperating devices. Depending on its policy the GCKS MAY combine these two methods. For example, it may use the GSA_INBAND_REKEY to deliver key to the GMs in the group acting as senders (as this would provide reliable keys delivery), and the GSA_REKEY for the rest GMs. 2.4.1. GSA_REKEY The GCKS initiates the G-IKEv2 Rekey securely, usually using IP multicast. Since this rekey does not require a response and it sends to multiple GMs, G-IKEv2 rekeying MUST NOT use IKE SA windowing mechanism, described in Section 2.3 of [RFC7296]. The GCKS rekey message replaces the rekey GSA KEK or KEK array, and/or creates a new Data-Security GSA TEK. The GM_SID attribute in the Key Download payload (defined in Section 4.5.3.3) MUST NOT be part of the Rekey Exchange as this is sender specific information and the Rekey Exchange is group specific. The GCKS initiates the GSA_REKEY pseudo- exchange as following: Members (Responder) GCKS (Initiator) -------------------- ------------------ <-- HDR, SK{GSA, KD, [N,] [D,] [AUTH]} Figure 9: GSA_REKEY Pseudo-Exchange HDR is defined in Section 4.1. The Message ID in this message will start with the value the GCKS sent to the group members in the Smyslov & Weis Expires October 8, 2022 [Page 16] Internet-Draft G-IKEv2 April 2022 attribute GSA_INITIAL_MESSAGE_ID or from zero if this attribute wasn't sent. The Message ID will be incremented each time a new GSA_REKEY message is sent to the group members. The GSA payload contains the current policy for rekey and Data- Security SAs. The GSA may contain a new Rekey SA and/or a new Data- Security SAs Section 4.4. The KD payload contains the keys for the policy included in the GSA. If the Data-Security SA is being refreshed in this rekey message, the IPsec keys are updated in the KD, and/or if the rekey SA is being refreshed in this rekey message, the rekey Key or the LKH KEK array is updated in the KD payload. A Delete payload MAY be included to instruct the GM to delete existing SAs. See Section 4.6 for more detail. The AUTH payload MUST be included to authenticate the GSA_REKEY message if the authentication method is based on public key signatures and MUST NOT be included if authentication is implicit. In the latter case, the fact that a GM can decrypt the GSA_REKEY message and verify its ICV proves that the sender of this message knows the current KEK, thus authenticating the sender as a member of the group. Note, that implicit authentication doesn't provide source origin authentication. For this reason using implicit authentication for GSA_REKEY is NOT RECOMMENDED unless source origin authentication is not required (for example, in a small group of highly trusted GMs). The value of the Auth Method field in the AUTH payload in the GSA_REKEY message MUST NOT be NULL Authentication. During group member registration, the GCKS sends the authentication key in the KD payload, AUTH_KEY attribute, which the group member uses to authenticate the key server. Before the current Authentication Key expires, the GCKS will send a new AUTH_KEY to the group members in a GSA_REKEY message. The AUTH key that is sent in the rekey message may be not the same as the authentication key sent during the GM registration. If implicit authentication is used, then AUTH_KEY MUST NOT be sent to GMs. 2.4.1.1. GSA_REKEY Messages Authentication The content of the AUTH payload depends on the authentication method and is either a digital signature or a result of prf applied to the content of the not yet encrypted GSA_REKEY message. The authentication algorithm (prf or digital signing) is applied to the concatenation of two chunks: A and P. The chunk A lasts from the first octet of the G-IKEv2 header (not including prepended four Smyslov & Weis Expires October 8, 2022 [Page 17] Internet-Draft G-IKEv2 April 2022 octets of zeros, if port 4500 is used) to the last octet of the Encrypted Payload header. The chunk P consists of the not yet encrypted content of the Encrypted payload, excluding the Initialization Vector, the Padding, the Pad Length and the Integrity Checksum Data fields (see 3.14 of [RFC7296] for description of the Encrypted payload). In other words, the P chunk is the inner payloads of the Encrypted payload in plaintext form. Figure 10 illustrates the layout of the P and A chunks in the GSA_REKEY message. Before the AUTH payload calculation the inner payloads of Encrypted payload must be fully formed and ready for encryption except for the AUTH payload. The AUTH payload must have correct values in the Payload Header, the Auth Method and the RESERVED fields. The Authentication Data field is zeroed, but if Digital Signature authentication method is in use, then the ASN.1 Length and the AlgorithmIdentifier fields must be properly filled in, see [RFC7427]. For the purpose of the AUTH payload calculation the Length field in the IKE header and the Payload Length field in the Encrypted Payload header are adjusted so that they don't count the lengths of Initialization Vector, Integrity Checksum Data and Padding (along with Pad Length field). In other words, the Length field in the IKE header (denoted as AdjustedLen in Figure 10 ) is set to the sum of the lengths of A and P, and the Payload Length field in the Encrypted Payload header (denoted as AdjustedPldLen in Figure 10) is set to the length of P plus the size of the Payload header (four octets). DataToAuthenticate = A | P GsaRekeyMessage = GenIKEHDR | EncPayload GenIKEHDR = [ four octets 0 if using port 4500 ] | AdjustedIKEHDR AdjustedIKEHDR = SPIi | SPIr | . . . | AdjustedLen EncPayload = AdjustedEncPldHdr | IV | InnerPlds | Pad | PadLen | ICV AdjustedEncPldHdr = NextPld | C | RESERVED | AdjustedPldLen A = AdjustedIKEHDR | AdjustedEncPldHdr P = InnerPlds Smyslov & Weis Expires October 8, 2022 [Page 18] Internet-Draft G-IKEv2 April 2022 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ^ ^ | G-IKEv2 SA Initiator's SPI | | | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ I | | G-IKEv2 SA Responder's SPI | K | | | E | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Next Payload | MjVer | MnVer | Exchange Type | Flags | H A +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ d | | Message ID | r | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | AdjustedLen | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ x | | Next Payload |C| RESERVED | AdjustedPldLen | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | v | | | ~ Initialization Vector ~ E | | n +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ c ^ | | r | ~ Inner payloads (not yet encrypted) ~ P | | P | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ l v ~ Padding (0-255 octets) | Pad Length | d +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | | ~ Integrity Checksum Data ~ | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ v Figure 10: Data to Authenticate in the GSA_REKEY Messages The authentication data is calculated using the authentication algorithm from the Authentication Method transform and the current authentication key provided in the AUTH_KEY attribute. Depending on the authentication method the authentication data is a digital signature or a result of applying prf from the Pseudorandom Function transform. The calculated authentication data is placed into the AUTH payload, the Length fields in the IKE Header and the Encryption Payload header are restored, the content of the Encrypted payload is encrypted and the ICV is computed using the current KEK keys. Smyslov & Weis Expires October 8, 2022 [Page 19] Internet-Draft G-IKEv2 April 2022 2.4.1.2. IKE Fragmentation IKE fragmentation [RFC7383] can be used to perform fragmentation of large GSA_REKEY messages, however when the GSA_REKEY message is emitted as an IP multicast packet there is a lack of response from the GMs. This has the following implications. o Policy regarding the use of IKE fragmentation is implicit. If a GCKS detects that all GMs have negotiated support of IKE fragmentation in IKE_SA_INIT, then it MAY use IKE fragmentation on large GSA_REKEY messages. o The GCKS must always use IKE fragmentation based on a known fragmentation threshold (unspecified in this memo), as there is no way to check if fragmentation is needed by first sending unfragmented messages and waiting for response. o PMTU probing cannot be performed due to lack of GSA_REKEY response message. The calculation of authentication data MUST be applied to whole messages only, before possible IKE Fragmentation. If the message was received in fragmented form, it should be reconstructed before verifying its authenticity as if it were received unfragmented. The RESERVED field in the reconstructed Encrypted Payload header MUST be set to the value of the RESERVED field in the Encrypted Fragment payload header from the first fragment (that with Fragment Number equal to 1). 2.4.1.3. GSA_REKEY GCKS Operations The GCKS builds the rekey message with a Message ID value that is one greater than the value included in the previous rekey message. The first message sent over a new Rekey SA must have the Message ID 0. The GSA, KD, N and D payloads follow with the same characteristics as in the GSA Registration exchange. The AUTH payload (if present) is created as defined in Section 2.4.1.1. Because GSA_REKEY messages are not acknowledged and could be discarded by the network, one or more GMs may not receive the new policy. To mitigate such lost messages, during a rekey event the GCKS may transmit several GSA_REKEY messages with the new policy. The retransmitted messages MUST be bitwise identical and SHOULD be sent within a short time interval (a few seconds) to ensure that time-to-live would not be substantially skewed for the GMs that would receive different copies of the messages. Smyslov & Weis Expires October 8, 2022 [Page 20] Internet-Draft G-IKEv2 April 2022 GCKS may also include one or several GSA_NEXT_SPI attributes specifying SPIs for the prospected rekeys, so that listening GMs are able to detect lost rekey messages and recover from this situation. See Sections Section 4.4.2.2.3 for more detail. 2.4.1.4. GSA_REKEY GM Operations When a group member receives the Rekey Message from the GCKS it decrypts the message using the current KEK, validates its authenticity using the key retrieved in a previous G-IKEv2 exchange if AUTH payload is present, verifies the Message ID, and processes the GSA and KD payloads. The group member then downloads the new Data-Security SA and/or new Rekey SA. The parsing of the payloads is identical to the parsing done in the registration exchange. Replay protection is achieved by a group member rejecting a GSA_REKEY message which has a Message ID smaller than the current Message ID that the GM is expecting. The GM expects the Message ID in the first GSA_REKEY message it receives to be equal or greater than the Message ID it receives in the GSA_INITIAL_MESSAGE_ID attribute. Note, that if no this attribute was received for the Rekey SA, the GM MUST assume zero as the first expected Message ID. The GM expects the Message ID in subsequent GSA_REKEY messages to be greater than the last valid GSA_REKEY message ID it received. If the GSA payload includes a Data-Security SA using cipher in a counter-modes of operation and the receiving group member is a sender for that SA, the group member uses its current SID value with the Data-Security SAs to create counter-mode nonces. If it is a sender and does not hold a current SID value, it MUST NOT install the Data- Security SAs. It MAY initiate a GSA_REGISTRATION exchange to the GCKS in order to obtain an SID value (along with the current group policy). Once a new Rekey SA is installed as a result of GSA_REKEY message, the current Rekey SA (over which the message was received) MUST be silently deleted after waiting DEACTIVATION_TIME_DELAY interval regardless of its expiration time. If the message includes Delete payload for existing Data-security SA, then after installing a new Data-Security SA the old one, identified by the Protocol and SPI fields in the Delete payload, MUST be silently deleted after waiting DEACTIVATION_TIME_DELAY interval regardless of its expiration time. If a Data-Security SA is not rekeyed yet and is about to expire (a "soft lifetime" expiration is described in Section 4.4.2.1 of [RFC4301]), the GM SHOULD initiate a registration to the GCKS. This registration serves as a request for current SAs, and will result in the download of replacement SAs, assuming the GCKS policy has created Smyslov & Weis Expires October 8, 2022 [Page 21] Internet-Draft G-IKEv2 April 2022 them. A GM SHOULD also initiate a registration request if a Rekey SA is about to expire and not yet replaced with a new one. 2.4.2. GSA_INBAND_REKEY Exchange When the IKE SA protecting the member registration exchange is maintained while group member participates in the group, the GCKS can use the GSA_INBAND_REKEY exchange to individually provide policy updates to the group member. Member (Responder) GCKS (Initiator) -------------------- ------------------ <-- HDR, SK{GSA, KD, [N,] [D]} HDR, SK{} --> Figure 11: GSA_INBAND_REKEY Exchange Because this is a normal IKEv2 exchange, the HDR is treated as defined in [RFC7296]. 2.4.2.1. GSA_INBAND_REKEY GCKS Operations The GSA, KD, N and D payloads are built in the same manner as in a registration exchange. 2.4.2.2. GSA_INBAND_REKEY GM Operations The GM processes the GSA, KD, N and D payloads in the same manner as if they were received in a registration exchange. 2.4.3. Deletion of SAs There are occasions when the GCKS may want to signal to group members to delete policy at the end of a broadcast, or if group policy has changed. Deletion of SAs is accomplished by sending the G-IKEv2 Delete Payload [RFC7296], section 3.11 as part of the GSA_REKEY pseudo-exchange as shown below. Members (Responder) GCKS (Initiator) -------------------- ------------------ <-- HDR, SK{[GSA,] [KD,] [N,] [D,] [AUTH]} Figure 12: SA Deletion in GSA_REKEY If GCKS has a unicast SA with group member then it can use the GSA_INBAND_REKEY exchange to delete SAs. Smyslov & Weis Expires October 8, 2022 [Page 22] Internet-Draft G-IKEv2 April 2022 Member (Responder) GCKS (Initiator) -------------------- ------------------ <-- HDR, SK{[GSA,] [KD,] [N,] [D,]} HDR, SK{} --> Figure 13: SA Deletion in GSA_INBAND_REKEY The GCKS MAY specify the remaining active time of the policy by using the GAP_DTD attribute in the GSA GAP substructure. If a GCKS has no further SAs to send to group members, the GSA and KD payloads MUST be omitted from the message. There may be circumstances where the GCKS may want to start over with a clean state, for example in case it runs out of available SIDs. The GCKS can signal deletion of all the Data-security SAs by sending a Delete payload with an SPI value equal to zero. For example, if the GCKS wishes to remove the Rekey SA and all the Data-security SAs, the GCKS sends a Delete payload with an SPI of zero and Protocol ID of AH or ESP, followed by another Delete payload with a SPI of zero and Protocol ID of GIKE_REKEY. If a group member receives a Delete payload with zero SPI and protocol ID of GIKE_REKEY either via multicast Rekey SA or via unicast SA using the GSA_INBAND_REKEY exchange, it means that the group member is excluded from the group. The group member MUST re- register if it wants to continue participating in this group. The registration is performed as described in Section 2.3. Note, that if the GSA_INBAND_REKEY exchange is used to exclude a group member from the group, and thus the unicast SA between the group member and the GCKS exists, then this SA persists after this exchange and the group member may use the GSA_REGISTRATION exchange to re-register. 2.5. Counter-based modes of operation Several counter-based modes of operation have been specified for ESP (e.g., AES-CTR [RFC3686], AES-GCM [RFC4106], AES-CCM [RFC4309], ChaCha20-Poly1305 [RFC7634], AES-GMAC [RFC4543]) and AH (e.g., AES- GMAC [RFC4543]). These counter-based modes require that no two senders in the group ever send a packet with the same Initialization Vector (IV) using the same cipher key and mode. This requirement is met in G-IKEv2 when the following requirements are met: o The GCKS distributes a unique key for each Data-Security SA. o The GCKS uses the method described in [RFC6054], which assigns each sender a portion of the IV space by provisioning each sender with one or more unique SID values. Smyslov & Weis Expires October 8, 2022 [Page 23] Internet-Draft G-IKEv2 April 2022 2.5.1. Allocation of SIDs When at least one Data-Security SA included in the group policy includes a counter-based mode of operation, the GCKS automatically allocates and distributes one SID to each group member acting in the role of sender on the Data-Security SA. The SID value is used exclusively by the group sender to which it was allocated. The group sender uses the same SID for each Data-Security SA specifying the use of a counter-based mode of operation. A GCKS MUST distribute unique keys for each Data-Security SA including a counter-based mode of operation in order to maintain unique key and nonce usage. During registration, the group sender can choose to request one or more SID values. Requesting a value of 1 is not necessary since the GCKS will automatically allocate exactly one to the group sender. A group sender MUST request as many SIDs matching the number of encryption modules in which it will be installing the TEKs in the outbound direction. Alternatively, a group sender MAY request more than one SID and use them serially. This could be useful when it is anticipated that the group sender will exhaust their range of Data- Security SA nonces using a single SID too quickly (e.g., before the time-based policy in the TEK expires). When the group policy includes a counter-based mode of operation, a GCKS SHOULD use the following method to allocate SID values, which ensures that each SID will be allocated to just one group sender. 1. A GCKS maintains an SID-counter, which records the SIDs that have been allocated. SIDs are allocated sequentially, with zero as the first allocated SID. 2. Each time an SID is allocated, the current value of the counter is saved and allocated to the group sender. The SID-counter is then incremented in preparation for the next allocation. 3. When the GCKS specifies a counter-based mode of operation in the Data-Security SA a group sender may request a count of SIDs during registration in a Notify payload information of type SENDER. When the GCKS receives this request, it increments the SID-counter once for each requested SID, and distributes each SID value to the group sender. The GCKS SHOULD have a policy-defined upper bound for the number of SIDs that it will return irrespective of the number requested by the GM. 4. A GCKS allocates new SID values for each registration operation by a group sender, regardless of whether the group sender had previously contacted the GCKS. In this way, the GCKS is not required to maintaining a record of which SID values it had Smyslov & Weis Expires October 8, 2022 [Page 24] Internet-Draft G-IKEv2 April 2022 previously allocated to each group sender. More importantly, since the GCKS cannot reliably detect whether the group sender had sent data on the current group Data-Security SAs it does not know what Data-Security counter-mode nonce values that a group sender has used. By distributing new SID values, the key server ensures that each time a conforming group sender installs a Data- Security SA it will use a unique set of counter-based mode nonces. 5. When the SID-counter maintained by the GCKS reaches its final SID value, no more SID values can be distributed. Before distributing any new SID values, the GCKS MUST exclude all group members from the group as described in Section 2.4.3. This will result in the group members performing re-registration, during which they will receive new Data-Security SAs and group senders will additionally receive new SID values. The new SID values can safely be used because they are only used with the new Data- Security SAs. 2.5.2. GM Usage of SIDs A GM applies the SID to Data-Security SA as follows. o The most significant bits NUMBER_OF_SID_BITS of the IV are taken to be the SID field of the IV. o The SID is placed in the least significant bits of the SID field, where any unused most significant bits are set to zero. If the SID value doesn't fit into the NUMBER_OF_SID_BITS bits, then the GM MUST treat this as a fatal error and re-register to the group. 2.6. Replay Protection for Multicast Data-Security SAs IPsec provides replay protection as part of its security services. With multicast extension for IPsec replay protection is not always possible to acieve (see Section 6.1 of [RFC3740]). In particular, if there are many group senders for a Data-Security SA, then each of them will independently incement the Sequence Number field in the ESP header (see Section 2 of [RFC4303]) thus making impossible for the group receivers to filter out replayed packets. However, if there is only one group sender for a a Data-Security SA, then it is possible to acieve replay protection with some restrictions (see Section 4.4.2.1.3). The GCKS may create several Data-Security SAs with the same traffic selectors allowing only a single group sender in each SA if it is desirable to get replay protection with multiple (but still limited number) of group senders. Smyslov & Weis Expires October 8, 2022 [Page 25] Internet-Draft G-IKEv2 April 2022 In IPsec architecture assumes that it is a local matter for an IPsec receiver whether replay protection is active or not. In other words, an IPsec sender always increments the Sequence Number field in the ESP header and a receiver decides whether to check for replayed packets or not. With multicast extension for IPsec this approach generally isn't applicable, since group members don't know how many group senders exist for a particular Data-Security SA. For this reason the status or replay protection must be part of the policy downloaded to GMs by GCKS. For this purpose this specification re-uses the Extended Sequence Numbers transform, defined in Section 3.3.2 [RFC7296]. This specification renames this transform to "Replay Protection" and adds a new value for possible Transform IDs: "Not Used" (). The GCKS MUST include this transform in the GSA payload for every Data-Security SA. Note, that this specification prohibits using Extended Sequence Numbers (see Section 4.4.2.1.3). 3. Group Key Management and Access Control Through the G-IKEv2 rekey, G-IKEv2 supports algorithms such as Logical Key Hierarchy (LKH) that have the property of denying access to a new group key by a member removed from the group (forward access control) and to an old group key by a member added to the group (backward access control). An unrelated notion to PFS, "forward access control" and "backward access control" have been called "perfect forward security" and "perfect backward security" in the literature [RFC2627]. Group management algorithms providing forward and backward access control other than LKH have been proposed in the literature, including OFT [OFT] and Subset Difference [NNL]. These algorithms could be used with G-IKEv2, but are not specified as a part of this document. The Group Key Management Method transform from the GSA policy specifies how members of the group obtain group keys. This document specifies a single method for the group key management -- Wrapped Key Download. This method assumes that all group keys are sent to the GMs by the GCKS encrypted with some other keys, called Key Wrap Keys (KWK). 3.1. Key Wrap Keys Every GM always knows at least one KWK -- the KWK that is associated with the IKE SA or multicast Rekey SA the wrapped keys are sent over. In this document it is called default KWK and is denoted as GSK_w. Smyslov & Weis Expires October 8, 2022 [Page 26] Internet-Draft G-IKEv2 April 2022 The GCKS may also send other keys to GMs that will be used as Key Wrap Keys for the purpose of building key hierarchy. Each KWK is associated with an encryption algorithm from the Encryption Algorithm transform used for the SA the key is sent over. The size of a KWK MUST be of the size of the key for this Encryption Algorithm transform (taking into consideration the Key Length attribute for this transform if present). This association persists even if the key is used later in the context of another SA with possibly different Encryption Algorithm transform. To have an ability to provide forward access control the GCKS provides each GM with a personal key at the time of registration. Besides, several intermediate keys that form a key hierarchy and are shared among several GMs may be provided by the GCKS. 3.1.1. Default Key Wrap Key The default KWK (GSK_w) is only used in the context of a single IKE SA. Every IKE SA (unicast IKE SA or multicast Rekey SA) will have its own GSK_w. The GSK_w is used with the algorithm from the Encryption Algorithm transform for the SA the GSK_w is used in the context of. The size of GSK_w MUST be of the key size of this Encryption Algorithm transform (taking into consideration the Key Length attribute for this transform if present). For the unicast IKE SA (used for the GM registration and for the GSA_INBAND_REKEY exchanges, if they are take place) the GSK_w is computed as follows: GSK_w = prf+(SK_d, "Key Wrap for G-IKEv2") where the string "Key Wrap for G-IKEv2" is 20 ASCII characters without null termination. For the multicast Rekey SA the GSK_w is provided along with other SA keys as defined in Section 3.4. 3.2. GCKS Key Management Semantics Wrapped Key Download method allows the GCKS to employ various key management methods o A simple key management methods -- when the GCKS always sends group SA keys encrypted with the GSK_w. o An LKH key management method -- when the GCKS provides each GM with an individual key at the time of the GM registration (encrypted with GSK_w). Then the GCKS forms an hierarchy of keys Smyslov & Weis Expires October 8, 2022 [Page 27] Internet-Draft G-IKEv2 April 2022 so that the group SA keys are encrypted with other keys which are encrypted with other keys and so on, tracing back to the individual GMs' keys. Other key policies may also be employed by the GCKS. 3.2.1. Forward Access Control Requirements When group membership is altered using a group management algorithm new Data-Security SAs and their associated keys are usually also needed. New Data-Security SAs and keys ensure that members who were denied access can no longer participate in the group. If forward access control is a desired property of the group, new TEK policy and the associated keys MUST NOT be included in a G-IKEv2 rekey message which changes group membership. This is required because the GSA TEK policy and the associated keys are not protected with the new KEK. A second G-IKEv2 rekey message can deliver the new GSA TEKS and their associated keys because it will be protected with the new KEK, and thus will not be visible to the members who were denied access. If forward access control policy for the group includes keeping group policy changes from members that are denied access to the group, then two sequential G-IKEv2 rekey messages changing the group KEK MUST be sent by the GCKS. The first G-IKEv2 rekey message creates a new KEK for the group. Group members, which are denied access, will not be able to access the new KEK, but will see the group policy since the G-IKEv2 rekey message is protected under the current KEK. A subsequent G-IKEv2 rekey message containing the changed group policy and again changing the KEK allows complete forward access control. A G-IKEv2 rekey message MUST NOT change the policy without creating a new KEK. If other methods of using LKH or other group management algorithms are added to G-IKEv2, those methods MAY remove the above restrictions requiring multiple G-IKEv2 rekey messages, providing those methods specify how the forward access control policy is maintained within a single G-IKEv2 rekey message. 3.3. GM Key Management Semantics This specification defines a GM Key Management semantics in such a way, that it doesn't depend on the key management method employed by the GCKS. This allows having all the complexity of key management in the GCKS, which is free to implement various key management methods, such as direct transmitting of group SA keys or using some kind of Smyslov & Weis Expires October 8, 2022 [Page 28] Internet-Draft G-IKEv2 April 2022 key hierarchy (e.g. LKH). For all these policies the GM behavior is the same. Each key that a GM receives in G-IKEv2 is identified by a 32-bit number called Key ID. Zero Key ID has a special meaning -- it always contains keying material from which the keys for protecting Data- Security SAs and Rekey SA are taken. All keys in G-IKEv2 are transmitted in encrypted form, as specified in Section 4.5.1. This format includes a Key ID (ID of a key that is encrypted) and a KWK ID (ID of a key that was used to encrypt this key). Keys may be encrypted either with default KWK (GSK_w) or with other keys, which the GM has received in the WRAP_KEY attributes. If a key was encrypted with GSK_w, then the KWK ID field is set to zero, otherwise the KWK ID field identifies the key used for encryption. When a GM receives a message from the GCKS installing new Data- Security or Rekey SA, it will contain a KD payload with an SA_KEY attribute containing keying material for this SA. For a Data- Security SA exactly one SA_KEY attribute will be present with both Key ID and KWK ID fields set to zero. This means that the default KWK (GSK_w) should be used to extract this keying material. For a multicast Rekey SA multiple SA_KEY attributes may be present depending on the key management method employed by the GCKS. If multiple SA_KEY attributes are present then all of them MUST contain the same keying material encrypted using different KWKs. The GM in general is unaware of the GCKS's key management method and can always use the same procedure to get the keys. In particular, the GM's task is to find a way to decrypt at least one of the SA_KEY attributes using either the GSK_w or the keys from the WRAP_KEY attributes that are present in the same message or were receives in previous messages. We will use the term "Key Path" to describe an ordered sequence of keys where each subsequent key was used to encrypt the previous one. The GM keeps its own Key Path (called Working Key Path) in the memory associated with each group it is registered to and updates it when needed. When the GSA_REKEY message is received the GM processes the received SA_KEY attributes one by one trying to construct a new key path that starts from this attributes and ends with any key in the Working Key Path or with the default KWK (GSK_w). In the simplest case the SA_KEY attribute is encrypted with GSK_w so that the new Key Path is empty. If more complex key management methods are used then a Key Path will contain intermediate keys from the WRAP_KEY attributes received by a GM so far starting from its registration to the group. If the GM is able to construct a new Key Smyslov & Weis Expires October 8, 2022 [Page 29] Internet-Draft G-IKEv2 April 2022 Path using intermediate keys it has, then it is able to decrypt the SA_KEY attribute and use its content to form new SA keys. If it is unable to build a new Key Path, then in means that the GM is excluded from the group. Depending on the new Key Path the GM should do the following actions to be prepared for future key updates: o If the new Key Path is empty then no actions are needed. This may happen if no WRAP_KEY attributes from the received message were used. o If the new Key Path is non-empty and it ends with the default KWK (GSK_w), then the whole new Key Path is stored by the GM as the GM's Working Key Path. This situation may only happen at the time the GM is registering to the group, when the GCKS is providing it with its personal key and the other keys from the key tree that are needed for this GM. These keys form an initial Working Key Path for this GM. o In all other cases the new Key Path will end at some intermediate key from the GM's current Working Key Path. In this case the new Key Path is constructed by replacing a part of the GM's current Working Key Path from the beginning and up to (but not including) the key that the GM has used to decrypt the last key in the new Key Path. Appendix A contains an example of how this algorithm works in case of LKH key management method. 3.4. SA Keys Keys used for Data-Security SAs or Rekey SA (called here SA keys) are downloaded to GMs in the form of keying material. The keys for each algorithm employed in an SA are taken from this keying material as if they were concatenated to form it. For a Data-Security SA the keys are taken in accordance to the third bullet from Section 2.17 of [RFC7296]. In particular, for the ESP and AH SAs the encryption key (if any) MUST be taken from the first bits of the keying material and the integrity key (if any) MUST be taken from the remaining bits. For a Rekey SA the following keys are taken from the keying material: GSK_e | GSK_a | GSK_w = KEYMAT Smyslov & Weis Expires October 8, 2022 [Page 30] Internet-Draft G-IKEv2 April 2022 where GSK_e and GSK_a are the keys used for the Encryption Algorithm and the Integrity Algorithm transforms for the corresponding SA and GSK_w is a default KWK for this SA. Note, that GSK_w is also used with the Encryption Algorithm transform as well as GSK_e. If an AEAD algorithm is used for encryption, then SK_a key will not be used (GM can use the formula above assuming the length of SK_a is zero). 4. Header and Payload Formats The G-IKEv2 is an IKEv2 extension and thus inherits its wire format for data structures. However, the processing of some payloads are different and several new payloads are defined: Group Identification (IDg), Group Security Association (GSA) Key Download (KD). New exchange types GSA_AUTH, GSA_REGISTRATION, GSA_REKEY and GSA_INBAND_REKEY are also added. This section describes new payloads and the differences in processing of existing IKEv2 payloads. 4.1. G-IKEv2 Header G-IKEv2 uses the same IKE header format as specified in [RFC7296] section 3.1. Major Version is 2 and Minor Version is 0 as in IKEv2. IKE SA Initiator's SPI, IKE SA Responder's SPI, Flags, Message ID, and Length are as specified in [RFC7296]. 4.2. Group Identification Payload The Group Identification (IDg) payload allows the group member to indicate which group it wants to join. The payload is constructed by using the IKEv2 Identification Payload (section 3.5 of [RFC7296]). ID type ID_KEY_ID MUST be supported. ID types ID_IPV4_ADDR, ID_FQDN, ID_RFC822_ADDR, ID_IPV6_ADDR SHOULD be supported. ID types ID_DER_ASN1_DN and ID_DER_ASN1_GN are not expected to be used. The Payload Type for the Group Identification payload is fifty (50). 4.3. Security Association - GM Supported Transforms Payload The Security Association - GM Supported Transforms Payload (SAg) payload declares which Transforms a GM is willing to accept. The payload is constructed using the format of the IKEv2 Security Association payload (section 3.3 of [RFC7296]). The Payload Type for SAg is identical to the SA Payload Type -- thirty-three (33). Smyslov & Weis Expires October 8, 2022 [Page 31] Internet-Draft G-IKEv2 April 2022 4.4. Group Security Association Payload The Group Security Association (GSA) payload is used by the GCKS to assert security attributes for both Rekey SA and Data-security SAs. The Payload Type for the Group Security Association payload is fifty- one (51). 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Next Payload |C| RESERVED | Payload Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 14: GSA Payload Format The Security Association Payload fields are defined as follows: o Next Payload, C, RESERVED, Payload Length fields comprise the IKEv2 Generic Payload Header and are defined in Section 3.2. of [RFC7296]. o Group Policies (variable) -- A set of group policies for the group. 4.4.1. Group Policies Croup policies are comprised of two types of policy -- Group SA (GSA) policy and Group Associated (GA) policy. GSA policy defines parameters for the Security Association for the group. Depending on the employed security protocol GSA policies may further be classified as Rekey SA policy (GSA KEK) and Data-Security SA policy (GSA TEK). GSA payload may contain zero or one GSA KEK policy, zero or more GSA TEK policies, and zero or one GA policy, where either one GSA KEK or GSA TEK policy MUST be present. This latitude allows various group policies to be accommodated. For example if the group policy does not require the use of a Rekey SA, the GCKS would not need to send a GSA KEK policy to the group member since all SA updates would be performed using the GSA_INBAND_REKEY exchange via the unicast IKE SA. Alternatively, group policy might use a Rekey SA but choose to download a KEK to the group member only as part of the unicast IKE SA. Therefore, the GSA KEK policy would not be necessary as part of the GSA_REKEY message. Smyslov & Weis Expires October 8, 2022 [Page 32] Internet-Draft G-IKEv2 April 2022 Specifying multiple GSA TEKs allows multiple related data streams (e.g., video, audio, and text) to be associated with a session, but each protected with an individual security association policy. A GAP allows for the distribution of group-wise policy, such as instructions for when to activate and de-activate SAs. Policies are distributed in substructures to the GSA payload. The format of the substructures is defined below in Section 4.4.2 (for GSA policy) and in Section 4.4.3 (for GA policy). The first octet of the substructure unambiguously determines its type -- it is zero for GAP and non-zero (actually, it is a security protocol ID) for GSA policies. 4.4.2. Group Security Association Policy Substructure The GSA policy substructure contains parameters for the SA used with this group. Depending on the security protocol the SA is either a Rekey SA or a Data-Security SA (ESP and AH). It is NOT RECOMMENDED that the GCKS distribute both ESP and AH policies for the same set of Traffic Selectors. Smyslov & Weis Expires October 8, 2022 [Page 33] Internet-Draft G-IKEv2 April 2022 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Protocol | SPI Size | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ SPI ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ Source Traffic Selector ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ Destination Traffic Selector ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 15: GSA Policy Substructure Format The GSA policy fields are defined as follows: o Protocol (1 octet) -- Identifies the security protocol for this group SA. The values are defined in the IKEv2 Security Protocol Identifiers in [IKEV2-IANA]. The valid values for this field are: (GIKE_REKEY) for Rekey SA and 2 (AH) or 3 (ESP) for Data- Security SAs. o SPI Size (1 octet) -- Size of Security Parameter Index (SPI) for the SA. SPI size depends on the SA protocol. For GIKE_REKEY it is 16 octets, while for AH and ESP it is 4 octets. o Length (2 octets, unsigned integer) -- Length of this substructure including the header. o SPI (variable) -- Security Parameter Index for the group SA. The size of this field is determined by the SPI Size field. As described above, these SPIs are assigned by the GCKS. In case of GIKE_REKEY the SPI must be the IKEv2 Header SPI pair where the first 8 octets become the "Initiator's SPI" field in the G-IKEv2 Smyslov & Weis Expires October 8, 2022 [Page 34] Internet-Draft G-IKEv2 April 2022 rekey message IKEv2 HDR, and the second 8 octets become the "Responder's SPI" in the same HDR. When selecting SPI the GCKS MUST make sure that the sole first 8 octets (corresponding to "Initiator's SPI" field in the IKEv2 header) uniquely identify the Rekey SA. o Source & Destination Traffic Selectors - (variable) -- Substructures describing the source and destination of the network identities. The format for these substructures is defined in IKEv2 [RFC7296], section 3.13.1. For the Rekey SA (with the GIKE_REKEY protocol) the destination traffic selectors MUST define a single multicast IP address, an IP protocol (assumed to be UDP) and a single port the GSA_REKEY messages will be destined to. The source traffic selector in this case MUST either define a single IP address, an IP protocol (assumed to be UDP) and a single port the GSA_REKEY messages will be originated from or be a wildcard selector. For the Data-Security (AH and ESP) SAs the destination traffic selectors SHOULD define a single multicast IP address. The source traffic selector in this case SHOULD define a single IP address or be a wildcard selector. IP protocol and ports define the characteristics of traffic protected by this Data-Security SA. If the Data-Security SAs are created in tunnel mode, then it MUST BE tunnel mode with address preservation (see [RFC5374]. UDP encapsulation [RFC3948] is not used for the multicast Data- Security SAs. o GSA Transforms (variable) -- A list of Transform Substructures specifies the policy information for the SA. The format is defined in IKEv2 [RFC7296], section 3.3.2. The Last Substruc value in each Transform Substructure will be set to 3 except for the last one in the list, which is set to 0. Section 4.4.2.1 describes using IKEv2 transforms in GSA policy substructure. o GSA Attributes (variable) -- Contains policy attributes associated with the group SA. The following sections describe the possible attributes. Any or all attributes may be optional, depending on the protocol and the group policy. Section 4.4.2.2 defines attributes used in GSA policy substructure. 4.4.2.1. GSA Transforms GSA policy is defined by means of transforms in the GSA policy substructure. For this purpose the transforms defined in [RFC7296] are used. In addition, new transform types are defined for using in G-IKEv2: Authentication Method (AUTH) and Group Key Management Method (GKM), see Section 8. Smyslov & Weis Expires October 8, 2022 [Page 35] Internet-Draft G-IKEv2 April 2022 Valid Transform Types depend on the SA protocol and are summarized in the table below. Protocol Mandatory Types Optional Types ------------------------------------------------------------ GIKE_REKEY ENCR, INTEG*, PRF, AUTH**, GKM** ESP ENCR INTEG, RP AH INTEG RP Figure 16: Valid Transform Types (*) If AEAD encryption algorithm is used, then INTEG transform MUST NOT be specified, otherwise it MUST be specified. (**) May only appear at the time of a GM registration, (in the GSA_aUTH and GSA_REGISTRATION exchanges). 4.4.2.1.1. Authentication Method Transform The Authentication Method (AUTH) transform is used in the GIKE_REKEY policy to convey information of how GCKS will authenticate the GSA_REKEY messages. This values are from the IKEv2 Authentication Method registry [IKEV2-IANA]. Note, that this registry defines only values in a range 0-255, so even that Transform ID field in the Transform substructure allows for 65536 possible values, in case of the Authentication Method transform the values 256-65535 MUST NOT appear. Among the currently defined authentication methods in the IKEv2 Authentication Method registry, only the following are allowed to be used in the Authentication Method transform: NULL Authentication and Digital Signature. Other currently defined authentication methods MUST NOT be used. The following semantics is associated with each of the allowed methods. NULL Authentication -- No additional authentication of the GSA_REKEY messages will be provided by the GCKS besides the ability for the GMs to correctly decrypt them and verify their ICV. In this case the GCKS MUST NOT include the AUTH_KEY attribute into the KD payload. Additionally, the AUTH payload MUST NOT be included in the GIKE_REKEY messages. Digital Signature -- Digital signatures will be used by the GCKS to authenticate the GSA_REKEY messages. In this case the GCKS MUST include the AUTH_KEY attribute containing the public key into the KD payload at the time the GM is registered to the group. To specify the details of the signature algorithm a new attribute Algorithm Identifier () is defined. Smyslov & Weis Expires October 8, 2022 [Page 36] Internet-Draft G-IKEv2 April 2022 This attribute contains DER-encoded ASN.1 object AlgorithmIdentifier, which would specify the signature algorithm and the hash function that the GCKS will use for authentication. The AlgorithmIdentifier object is defined in section 4.1.1.2 of [RFC5280], see also [RFC7427] for the list of common AlgorithmIdentifier values used in IKEv2. In case of using digital signature the GCKS MUST include the Algorithm Identifier attribute in the Authentication Method transform. The authentication method MUST NOT change as a result of rekey operations. This means that the Authentication Method transform may not appear in the rekey messages, it may only appear in the registration exchange (either GSA_AUTH or GSA_REGISTRATION). The type of the Authentication Method Transform is . 4.4.2.1.2. Group Key Management Method Transform The Group Key Management Method (GKM) transform is used in the GIKE_REKEY policy to convey information of how GCKS will manage the group keys to provide forward and backward access control (i.e., used to exclude group members). Possible key management methods are defined in a new IKEv2 registry "Transform Type -- Group Key Management Methods" (see Section 8). This document defines one values for this registry: Wrapped Key Download () -- Keys are downloaded by GCKS to the GMs in encrypted form. This algorithm may provide forward and backward access control if some form of key hierarchy is used and each GM is provided with a personal key at the time of registration. Otherwise no access control is provided. The group key management method MUST NOT change as a result of rekey operations. This means that the Group Key Management Method transform may not appear in the rekey messages, it may only appear in the registration exchange (either GSA_AUTH or GSA_REGISTRATION). The type of the Group Key Management Method transform is . 4.4.2.1.3. Replay Protection Transform The "Extended Sequence Number (ESN)" Transform is defined in [RFC7296]. This specification renames this transform to "Replay Protection (RP)". This transform allows to specify whether the 64-bit Extended Sequence Numbers (ESN) are to be used in ESP and AH. Smyslov & Weis Expires October 8, 2022 [Page 37] Internet-Draft G-IKEv2 April 2022 Since both AH [RFC4302] and ESP [RFC4303] are defined in such a way, that high-order 32 bits of extended sequence numbers are never transmitted, it makes using ESN in multicast Data-Security SAs problematic, because GMs that join group long after it is created will have to somehow learn the current high order 32 bits of ESN for each sender in the group. The algorithm for doing this described in [RFC4302] and [RFC4303] is resource-consuming and is only suitable when a receiver is able to guess the high-order 32 bits close enough to its real value, which is not the case for multicast SAs. For this reason extended sequence numbers MUST NOT be used for multicast Data- Security SAs and thus the value "Extended Sequence Numbers" (1) for the Replay Protection transform type MUST NOT be used in the GSA Payload. The GCKS MUST estimate the data rate and rekey Data- Security SAs freuently enough so that Sequence Numbers (SN) don't wrap. 4.4.2.2. GSA Attributes GSA attributes are generally used to provide GMs with additional parameters for the GSA policy. Unlike security parameters distributed via transforms, which are expected not to change over time (unless policy changes), the parameters distributed via GSA attributes may depend on the time the provision takes place, on the existence of others group SAs or on other conditions. This document creates a new IKEv2 IANA registry for the types of the GSA attributes which is initially filled as described in Section 8. In particular, the following attributes are initially added. GSA Attributes Value Type Multiple Protocol --------------------------------------------------------------------- Reserved 0 GSA_KEY_LIFETIME 1 V N GIKE_REKEY, AH, ESP GSA_INITIAL_MESSAGE_ID 2 V N GIKE_REKEY GSA_NEXT_SPI 3 V Y GIKE_REKEY, AH, ESP The attributes must follow the format defined in the IKEv2 [RFC7296] section 3.3.5. In the table, attributes that are defined as TV are marked as Basic (B); attributes that are defined as TLV are marked as Variable (V). 4.4.2.2.1. GSA_KEY_LIFETIME Attribute The GSA_KEY_LIFETIME attribute (1) specifies the maximum time for which the SA is valid. The value is a 4 octet unsigned integer in a network byte order, specifying a valid time period in seconds. A single attribute of this type MUST be included into any GSA policy substructure. Smyslov & Weis Expires October 8, 2022 [Page 38] Internet-Draft G-IKEv2 April 2022 When the lifetime expires, the group security association and all associated keys MUST be deleted. The GCKS may delete the SA at any time before the end of the validity period. This attribute SHOULD NOT be used if inband rekeying (via the GSA_INBAND_REKEY exchange) is employed by the GCKS for the GM. 4.4.2.2.2. GSA_INITIAL_MESSAGE_ID Attribute The GSA_INITIAL_MESSAGE_ID attribute (2) defines the initial Message ID to be used by the GCKS in the GSA_REKEY messages. The Message ID is a 4 octet unsigned integer in network byte order. A single attribute of this type MUST be included into the GSA KEK policy substructure if the initial Message ID of the Rekey SA is non- zero. Note, that it is always the case if GMs join the group after some multicast rekey operations have already taken place, so in these cases this attribute will be included into the GSA policy at the time of GMs' registration. This attribute MUST NOT be used if inband rekeying (via the GSA_INBAND_REKEY exchange) is employed by the GCKS for the GM. 4.4.2.2.3. GSA_NEXT_SPI Attribute The optional GSA_NEXT_SPI attribute (3) contains SPI that the GCKS reserved for the next Rekey SA or Data-Security SAs replacing the current ones. The length of the attribute data is determined by the SPI Size field in the GSA Policy substructure the attribute resides in (see Section 4.4.2), and the attribute data contains SPI as it would appear on the network. Multiple attributes of this type MAY be included, meaning that any of the supplied SPIs can be used in the replacement group SA. The GM MAY store these values and if later the GM starts receiving messages with one of these SPIs without seeing a rekey message over the current Rekey SA, this may be used as an indication, that the rekey message got lost on its way to this GM. In this case the GM SHOULD re-register to the group. Note, that this method of detecting lost rekey messages can only be used by group receivers. Additionally there is no point to include this attribute in the GSA_INBAND_REKEY messages, since they use reliable transport. Note also, that the GCKS is free to forget its promises and not to use the SPIs it sent in the GSA_NEXT_SPI attributes before (e.g. in case of the GCKS is rebooted), so the GM must only treat these information as a "best effort" made by the GCKS to prepare for future rekeys. Smyslov & Weis Expires October 8, 2022 [Page 39] Internet-Draft G-IKEv2 April 2022 This attribute MUST NOT be used if inband rekeying (via the GSA_INBAND_REKEY exchange) is employed by the GCKS for the GM. 4.4.3. Group Associated Policy Substructure Group specific policy that does not belong to any SA policy can be distributed to all group member using Group Associated Policy (GAP) substructure. The GAP substructure is defined as follows: 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Protocol | RESERVED | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 17: GAP Substructure Format The GAP substructure fields are defined as follows: o Protocol (1 octet) -- MUST be zero. This value is reserved in Section 8 and is never used for any security protocol, so it is used here to indicate that this substructure contains policy not related to any specific protocol. o RESERVED ( octet) -- MUST be zero on transmission, MUST be ignored on receipt. o Length (2 octets, unsigned integer) -- Length of this substructure including the header. o GAP Attributes (variable) -- Contains policy attributes associated with no specific SA. The following sections describe possible attributes. Any or all attributes may be optional, depending on the group policy. This document creates a new IKEv2 IANA registry for the types of the GAP attributes which is initially filled as described in Section 8. In particular, the following attributes are initially added. Smyslov & Weis Expires October 8, 2022 [Page 40] Internet-Draft G-IKEv2 April 2022 GAP Attributes Value Type Multiple ---------------------------------------------------- Reserved 0 GAP_ATD 1 B N GAP_DTD 2 B N GAP_SID_BITS 3 B N The attributes must follow the format defined in the IKEv2 [RFC7296] section 3.3.5. In the table, attributes that are defined as TV are marked as Basic (B); attributes that are defined as TLV are marked as Variable (V). 4.4.3.1. GAP_ATD And GAP_DTD Attributes Section 4.2.1 of [RFC5374] specifies a key rollover method that requires two values be provided to group members -- Activation Time Delay (ATD) and Deactivation Time Delay (DTD). The GAP_ATD attribute (1) allows a GCKS to set the Activation Time Delay for Data-Security SAs of the group. The ATD defines how long active members of the group (those who sends traffic) should wait after receiving new SAs before staring sending traffic over them. Note, that to achieve smooth rollover passive members of the group should activate the SAs immediately once they receive them. The GAP_DTD attribute (2) allows the GCKS to set the Deactivation Time Delay for previously distributed SAs. The DTD defines how long after receiving a request to delete Data-Security SAs passive group members should wait before actually deleting them. Note that active members of the group should stop sending traffic over these old SAs once new replacement SAs are activated (after time specified in the GAP_ATD attribute). The GAP_ATD and GAP_DTD attributes contain 16 bit unsigned integer in a network byte order, specifying the delay in seconds. These attributes are OPTIONAL. If one of them or both are not sent by the GCKS, then no corresponding delay should be employed. 4.4.3.2. GAP_SID_BITS Attribute The GAP_SID_BITS attribute (3) declares how many bits of the cipher nonce are taken to represent an SID value. The bits are applied as the most significant bits of the IV, as shown in Figure 1 of [RFC6054] and specified in Section 2.5.2. Guidance for a GCKS choosing the NUMBER_OF_SID_BITS is provided in Section 3 of [RFC6054]. This value is applied to each SID value distributed in the KD payload. Smyslov & Weis Expires October 8, 2022 [Page 41] Internet-Draft G-IKEv2 April 2022 The GCKS MUST include this attribute if there are more than one sender in the group and any of the Data-Security SAs use counter- based cipher mode. The number of SID bits is represented as 16 bit unsigned integer in network byte order. 4.5. Key Download Payload The Key Download (KD) payload contains the group keys for the SAs specified in the GSA Payload. The Payload Type for the Key Download payload is fifty-two (52). 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Next Payload |C| RESERVED | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 18: Key Download Payload Format The Key Download payload fields are defined as follows: o Next Payload, C, RESERVED, Payload Length fields comprise the IKEv2 Generic Payload Header and are defined in Section 3.2. of [RFC7296]. o Key Packets (variable) -- Contains Group Key Packet and Member Key Packet substructures. Each Key Packet contains keys for a single group rekey or Data-Security SA or a keys and security parameters for a GM. Two types of Key Packets are used -- Group Key Packet and Member Key Packet. 4.5.1. Wrapped Key Format The symmetric keys in G-IKEv2 are never sent in clear. They are always encrypted with other keys using the format called Wrapped Key that is shown below (Figure 19). The keys are encrypted using algorithm that is used to encrypt the message the keys are sent in. It means, that in case of unicast IKE SA (used for GMs registration and rekeying using GSA_INBAND_REKEY) the encryption algorithm will be the one negotiated during the IKE SA establishment, while for a GSA_REKEY message the algorithm will be Smyslov & Weis Expires October 8, 2022 [Page 42] Internet-Draft G-IKEv2 April 2022 provided by the GCKS in the Encryption Algorithm transform in the GSA payload when this multicast SA was being established. If AEAD mode is used for encryption, then for the purpose of key encryption the authentication tag MUST NOT be used (both not calculated and not verified), since the G-IKEv2 provides authentication of all its messages. In addition there is no AAD in this case. If encryption algorithm requires padding, then the encrypted key MUST be padded before encryption to have the required size. If the encryption algorithm doesn't define the padding content, then the following scheme SHOULD be used: the Padding bytes are initialized with a series of (unsigned, 1-byte) integer values. The first padding byte appended to the plaintext is numbered 1, with subsequent padding bytes making up a monotonically increasing sequence: 1, 2, 3, .... The length of the padding is not transmitted and is implicitly determined, since the length of the key is known. 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Key ID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | KWK ID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ IV ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ Encrypted Key ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 19: Wrapped Key Format The Wrapped Key fields are defined as follows: o Key ID (4 octets) -- ID of the encrypted key. The value zero means that the encrypted key contains SA keys (in the form of keying material, see Section 3.4)), otherwise it contains some intermediate key. o KWK ID (4 octets) -- ID of the key that was used to encrypt key with specified Key ID. The value zero means that the default KWK was used to encrypt the key, otherwise some intermediate key was used. Smyslov & Weis Expires October 8, 2022 [Page 43] Internet-Draft G-IKEv2 April 2022 o IV (variable) -- Initialization Vector used for encryption. The size and the content of IV is defined by the employed encryption transform. o Encrypted Key (variable) -- The encrypted key bits. These bits may comprise either a single encrypted key or a result of encryption of a concatenation of keys (key material) for several algorithms. 4.5.2. Group Key Packet Substructure Group Key Packet substructure contains SA key information. This key information is associated with some group SAs: either with Data- Security SAs or with group Rekey SA. 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Protocol | SPI Size | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ SPI ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 20: Group Key Packet Substructure Format o Protocol (1 octet) -- Identifies the security protocol for this key packet. The values are defined in the IKEv2 Security Protocol Identifiers in [IKEV2-IANA]. The valid values for this field are: (GIKE_REKEY) for KEK Key packet and 2 (AH) or 3 (ESP) for TEK key packet. o SPI Size (1 octet) -- Size of Security Parameter Index (SPI) for the corresponding SA. SPI size depends on the security protocol. For GIKE_REKEY it is 16 octets, while for AH and ESP it is 4 octets. o Length (2 octets, unsigned integer) -- Length of this substructure including the header. o SPI (variable) -- Security Parameter Index for the corresponding SA. The size of this field is determined by the SPI Size field. In case of GIKE_REKEY the SPI must be the IKEv2 Header SPI pair Smyslov & Weis Expires October 8, 2022 [Page 44] Internet-Draft G-IKEv2 April 2022 where the first 8 octets become the "Initiator's SPI" field in the G-IKEv2 rekey message IKEv2 HDR, and the second 8 octets become the "Responder's SPI" in the same HDR. When selecting SPI the GCKS MUST make sure that the sole first 8 octets (corresponding to "Initiator's SPI" field in the IKEv2 header) uniquely identify the Rekey SA. o Group Key Packet Attributes (variable length) -- Contains Key information for the corresponding SA. This document creates a new IKEv2 IANA registry for the types of the Group Key Packet attributes which is initially filled as described in Section 8. In particular, the following attributes are initially added. Group Key Packet Attributes Value Type Multiple Protocol ---------------------------------------------------------- Reserved 0 SA_KEY 1 V N/Y* GIKE_REKEY, N AH, ESP (*) Multiple SA_KEY attributes may only appear for the GIKE_REKEY protocol in the GSA_REKEY exchange if the GCKS uses the Group Key Management method that allows excluding GMs from the group (like LKH). The attributes must follow the format defined in the IKEv2 [RFC7296] section 3.3.5. In the table, attributes that are defined as TV are marked as Basic (B); attributes that are defined as TLV are marked as Variable (V). 4.5.2.1. SA_KEY Attribute The SA_KEY attribute (1) contains a keying material for the corresponding SA. The content of the attribute is formatted according to Section 4.5.1 with a precondition that the Key ID field MUST always be zero. The size of the keying material MUST be equal to the total size of the keys needed to be taken from this keying material (see Section 3.4) for the corresponding SA. If the Key Packet is for a Data-Security SA (AH or ESP protocols), then exactly one SA_KEY attribute MUST be present with both Key ID and KWK ID fields set to zero. If the Key Packet is for a Rekey SA (GIKE_REKEY protocol), then in the GSA_AUTH, GSA_REGISTRATION and GSA_INBAND_REKEY exchanges exactly one SA_KEY attribute MUST be present. In the GSA_REKEY exchange at Smyslov & Weis Expires October 8, 2022 [Page 45] Internet-Draft G-IKEv2 April 2022 least one SA_KEY attribute MUST be present, and more attributes MAY be present (depending on the key management method employed by the GCKS). 4.5.3. Member Key Packet Substructure The Member Key Packet substructure contains keys and other parameters that are specific for a member of the group and are not associated with any particular group SA. 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Protocol | RESERVED | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 21: Member Key Packet Substructure Format The Member Key Packet substructure fields are defined as follows: o Protocol (1 octet) -- MUST be zero. This value is reserved in Section 8 and is never used for any security protocol, so it is used here to indicate that this Key Packet is not associated with any particular SA. o RESERVED ( octet) -- MUST be zero on transmission, MUST be ignored on receipt. o Length (2 octets, unsigned integer) -- Length of this substructure including the header. o Member Key Packet Attributes (variable length) -- Contains Key information and other parameters exclusively for a particular member of the group. Member Key Packet substructure contains sensitive information for a single GM, for this reason it MUST NOT be sent in GSA_REKEY messages and MUST only be sent via unicast SA at the time the GM registers to the group (in either GSA_AUTH or GSA_REGISTRATION exchanges). This document creates a new IKEv2 IANA registry for the types of the Member Key Packet attributes which is initially filled as described in Section 8. In particular, the following attributes are initially added. Smyslov & Weis Expires October 8, 2022 [Page 46] Internet-Draft G-IKEv2 April 2022 Member Key Packet Attributes Value Type Multiple ------------------------------------------------ Reserved 0 WRAP_KEY 1 V Y AUTH_KEY 2 V N GM_SID 3 V Y The attributes must follow the format defined in the IKEv2 [RFC7296] section 3.3.5. In the table, attributes that are defined as TV are marked as Basic (B); attributes that are defined as TLV are marked as Variable (V). 4.5.3.1. WRAP_KEY Attribute The WRAP_KEY attribute (1) contains a key that is used to encrypt other keys. One or more these attributes are sent to GMs if the GCKS key management method relies on some key hierarchy (e.g. LKH). This attribute MUST NOT be used if inband rekeying (via the GSA_INBAND_REKEY exchange) is employed by the GCKS for the GM. The content of the attribute has a format defined in Section 4.5.1 with a precondition that the Key ID field MUST NOT be zero. The algorithm associated with the key is from the Encryption Transform for the SA the WRAP_KEY attributes was sent in. The size of the key MUST be equal to the key size for this algorithm. Multiple instances of the WRAP_KEY attributes MAY be present in the key packet. 4.5.3.2. AUTH_KEY Attribute The AUTH_KEY attribute (2) contains the key that is used to authenticate the GSA_REKEY messages. The content of the attribute depends on the authentication method the GCKS specified in the Authentication Method transform in the GSA payload. o If digital signatures are used for the GSA_REKEY messages authentication then the content of the AUTH_KEY attribute is a public key used for digital signature authentication. The public key MUST be represented as DER-encoded ASN.1 object SubjectPublicKeyInfo, defined in section 4.1.2.7 of [RFC5280]. The signature algorithm that will use this key was specified in the Algorithm Identifier attribute of the Authentication Method transform. The key MUST be compatible with this algorithm. An RSA public key format is defined in [RFC8017], Section A.1. DSS public key format is defined in [RFC3279] Section 2.3.2. For ECDSA Public keys, use format described in [RFC5480] Section 2. Smyslov & Weis Expires October 8, 2022 [Page 47] Internet-Draft G-IKEv2 April 2022 Other algorithms added to the IKEv2 Authentication Method registry are also expected to include a format of the SubjectPublicKeyInfo object included in the algorithm specification. Multiple instances of the AUTH_KEY attributes MUST NOT be sent. This attribute MUST NOT appear in the rekey operations (in the GSA_REKEY or GSA_INBAND_REKEY exchanges). 4.5.3.3. GM_SID Attribute The GM_SID attribute (3) is used to download one or more Sender-ID values for the exclusive use of a group member. One or more of this attributes MUST be sent by the GCKS if the GM informed the GCKS that it would be a sender (by inclusion the SENDER notification to the request) and at least one of the Data-Security SAs included in the GSA payload uses counter-based mode of encryption. If the GMs has requested multiple SID values in the SENDER notification, then the GCKS SHOULD provide it with the requested number of SIDs by sending multiple instances of the GM_SID attribute. The GCKS MAY send fewer SIDs than requested by the GM (e.g. if it is running out of SIDs), but it MUST NOT send more than requested. This attribute MUST NOT appear in the rekey operations (in the GSA_REKEY or GSA_INBAND_REKEY exchanges). 4.6. Delete Payload Delete payload is used in G-IKEv2 when the GCKS wants to delete Data- Security and Rekey SAs. The interpretation of the Protocol field in the Delete payload is extended, so that zero protocol indicates deletion of whole Group SA (i.e. all Data-Security SAs and Rekey SA). See Section 2.4.3 for detail. 4.7. Notify Payload G-IKEv2 uses the same Notify payload as specified in [RFC7296], section 3.10. There are additional Notify Message types introduced by G-IKEv2 to communicate error conditions and status (see Section 8). o INVALID_GROUP_ID (45) -- error type notification that indicates that the group ID sent during the registration process is invalid. The Protocol ID and SPI Size fields in the Notify payload MUST be zero. There is no data associated with this notification and the content of the Notification Data field MUST be ignored on receipt. Smyslov & Weis Expires October 8, 2022 [Page 48] Internet-Draft G-IKEv2 April 2022 o AUTHORIZATION_FAILED (46) -- error type notification that is sent in the response to a GSA_AUTH or GSA_REGISTRATION message when authorization failed. The Protocol ID and SPI Size fields in the Notify payload MUST be zero. There is no data associated with this notification and the content of the Notification Data field MUST be ignored on receipt. o REGISTRATION_FAILED () -- error type notification that is sent by the GCKS when the GM registration request cannot be satisfied for the reasons not related to this particular GM, for example if the capacity of the group is exceeded. The Protocol ID and SPI Size fields in the Notify payload MUST be zero. There is no data associated with this notification and the content of the Notification Data field MUST be ignored on receipt. o SENDER (16429) -- status type notification that is sent in the GSA_AUTH or the GSA_REGISTRATION exchanges to indicate that the GM intends to be sender of data traffic. The data includes a count of how many SID values the GM desires. The count MUST be 4 octets long and contain the big endian representation of the number of requested SIDs. The Protocol ID and SPI Size fields in the Notify payload MUST be zero. o REKEY_IS_NEEDED () -- status type notification that is sent in the GSA_AUTH response message to indicate that the GM must perform an immediate rekey of IKE SA to make it secure against quantum computers and then start a registration request over. The Protocol ID and SPI Size fields in the Notify payload MUST be zero. There is no data associated with this notification and the content of the Notification Data field MUST be ignored on receipt. 4.7.1. USE_TRANSPORT_MODE Notification This specification uses the USE_TRANSPORT_MODE notification defined in section 3.10.1 of [RFC7296] to specify the mode Data-Security SAs should be created in. The GCKS MUST include the USE_TRANSPORT_MODE notification in a message containing the GSA payload if Data-Security SAs are to be created in transport mode and MUST NOT include if they are to be created in tunnel mode. Note, that it is not possible with this specification to create a group where some Data-Security SAs use transport mode and the others use tunnel mode. If such a configuration is needed two different groups must be defined. Smyslov & Weis Expires October 8, 2022 [Page 49] Internet-Draft G-IKEv2 April 2022 4.8. Authentication Payload G-IKEv2 uses the same Authentication payload as specified in [RFC7296], section 3.8, to authenticate the rekey message. However, if it is used in the GSA_REKEY messages the content of the payload is computed differently, as described in Section 2.4.1.1. 5. Usigng G-IKEv2 Attributes G-IKEv2 defines a number of attributes, that are used to convey information from GCKS to GMs. There are some restrictions on where and when these attributes can appear in G-IKEv2 messages, which are defined when the attributes are introduced. For convenience these restrictions are summarized in Table 1 (for multicast rekey operations) and Table 2 (for inband rekey operations) below. The following notation is used: S A single attribute of this type must be present M Multiple attributes of this type may be present [] Attribute is optional - Attribute must not be present Note, that the restrictions are defined per a substructure corresponding attributes are defined for and not per whole G-IKEv2 message. Smyslov & Weis Expires October 8, 2022 [Page 50] Internet-Draft G-IKEv2 April 2022 +-------------------------+--------------------+--------------------+ | Attributes | GSA_AUTH | GSA_REKEY | | | GSA_REGISTRATION | | +-------------------------+--------------------+--------------------+ | GSA_KEY_LIFETIME | S | S | | | | | | GSA_INITIAL_MESSAGE_ID | [S] | [S] | | | | | | GSA_NEXT_SPI | [M] | [M] | | | | | | GAP_ATD | [S] | [S] | | | | | | GAP_DTD | [S] | [S] | | | | | | GAP_SID_BITS | S* | - | | | | | | SA_KEY | S | S/[M]** | | | | | | WRAP_KEY | [M]** | [M]** | | | | | | AUTH_KEY | S*** | [S]**** | | | | | | GM_SID | S*/[M]* | - | +-------------------------+--------------------+--------------------+ Table 1: Using attributes in G-IKEv2 exchanges when multicast rekey is used * The GAP_SID_BITS attribute must be present if the GCKS policy includes at least one cipher in counter mode of operation and the GM included the SENDER notify into the registration request. Otherwise it must not be present. At least one GM_SID attribute must be present in the former case (and more may be present if the GM requested more SIDs) and no GM_SID attributes must be present in the latter case. ** The WRAP_KEY attributes may be present if the GCKS employs key management method that relies on key tree (like LKH). *** The AUTH_KEY attribute must be present if the GCKS employs authentication method other than NULL Authentication. *** The AUTH_KEY attribute may be present if the GCKS employs authentication method based on digital signatures and wants to change the public key for the following multicast rekey operations. Smyslov & Weis Expires October 8, 2022 [Page 51] Internet-Draft G-IKEv2 April 2022 +-------------------------+--------------------+--------------------+ | Attributes | GSA_AUTH | GSA_INBAND_REKEY | | | GSA_REGISTRATION | | +-------------------------+--------------------+--------------------+ | GSA_KEY_LIFETIME | [S] | [S] | | | | | | GSA_INITIAL_MESSAGE_ID | - | - | | | | | | GSA_NEXT_SPI | - | - | | | | | | GAP_ATD | [S] | [S] | | | | | | GAP_DTD | [S] | [S] | | | | | | GAP_SID_BITS | S* | - | | | | | | SA_KEY | S | S | | | | | | WRAP_KEY | - | - | | | | | | AUTH_KEY | - | - | | | | | | GM_SID | S*/[M]* | - | +-------------------------+--------------------+--------------------+ Table 2: Using attributes in G-IKEv2 exchanges when inband rekey is used * The GAP_SID_BITS attribute must be present if the GCKS policy includes at least one cipher in counter mode of operation and the GM included the SENDER notify into the registration request. Otherwise it must not be present. At least one GM_SID attribute must be present in the former case (and more may be present if the GM requested more SIDs) and no GM_SID attributes must be present in the latter case. 6. Interaction with other IKEv2 Protocol Extensions A number of IKEv2 extensions is defined that can be used to extend protocol functionality. G-IKEv2 is compatible with most of them. In particular, EAP authentication defined in [RFC7296] can be used to establish registration IKE SA, as well as EAP-only authentication [RFC5998] and Secure Password authentication [RFC6467]. G-IKEv2 is compatible with and can use IKEv2 Redirect Mechanism [RFC5685] and IKEv2 Session Resumption [RFC5723]. G-IKEv2 is also compatible with Multiple Key Exchanges in IKEv2 framework, defined in [I-D.ietf-ipsecme-ikev2-multiple-ke]. Smyslov & Weis Expires October 8, 2022 [Page 52] Internet-Draft G-IKEv2 April 2022 The above list of compatible IKEv2 extensions is not exhaustive, however some IKEv2 extensions require special handling if used in G-IKEv2. 6.1. Mixing Preshared Keys in IKEv2 for Post-quantum Security G-IKEv2 can take advantage of the protection provided by Postquantum Preshared Keys (PPK) for IKEv2 [RFC8784]. However, the use of PPK leaves the initial IKE SA susceptible to quantum computer (QC) attacks. While group SA keys are protected with the default KWK (GSK_w), which is derived from SK_d and thus cannot be broken even by attacker equipped with a QC, authentication of these keys relies on authentication of IKE SA messages, which is not secure against QC until the initial IKE SA is rekeyed. In additional, the other content of IKE SA messages may also be visible to an attacker with a QC. See Section 6 of [RFC8784] for details. For these reasons the GCKS MUST NOT send GSA and KD payloads in the GSA_AUTH response message and MUST return a new notification REKEY_IS_NEEDED instead. Upon receiving this notification in the GSA_AUTH response the GM MUST perform an IKE SA rekey and then initiate a new GSA_REGISTRATION request for the same group. Below are possible scenarios involving using PPK. The GM starts the IKE_SA_INIT exchange requesting using PPK, and the GCKS responds with agreement to do it, or aborts according to its "mandatory_or_not" flag: Initiator (Member) Responder (GCKS) -------------------- ------------------ HDR, SAi1, KEi, Ni, N(USE_PPK) --> <-- DR, SAr1, KEr, Nr, [CERTREQ], N(USE_PPK) Figure 22: IKE_SA_INIT Exchange requesting using PPK The GM then starts the GSA_AUTH exchange with the PPK_ID; if using PPK is not mandatory for the GM, the NO_PPK_AUTH notification is included in the request: Initiator (Member) Responder (GCKS) -------------------- ------------------ HDR, SK{IDi, AUTH, IDg, N(PPK_IDENTITY), N(NO_PPK_AUTH)} --> Figure 23: GSA_AUTH Request using PPK Smyslov & Weis Expires October 8, 2022 [Page 53] Internet-Draft G-IKEv2 April 2022 If the GCKS has no such PPK and using PPK is not mandatory for it and the NO_PPK_AUTH is included, then the GCKS continues without PPK; in this case no rekey is needed: Initiator (Member) Responder (GCKS) -------------------- ------------------ <-- HDR, SK{IDr, AUTH, GSA, KD} Figure 24: GSA_AUTH Response using no PPK If the GCKS has no such PPK and either the NO_PPK_AUTH is missing or using PPK is mandatory for the GCKS, the GCKS aborts the exchange: Initiator (Member) Responder (GCKS) -------------------- ------------------ <-- HDR, SK{N(AUTHENTICATION_FAILED)} Figure 25: GSA_AUTH Error Response Assuming the GCKS has the proper PPK it continues with a request to the GM to immediately perform a rekey by sending the REKEY_IS_NEEDED notification: Initiator (Member) Responder (GCKS) -------------------- ------------------ <-- HDR, SK{IDr, AUTH, N(PPK_IDENTITY), N(REKEY_IS_NEEDED) } Figure 26: GSA_AUTH Response using PPK The GM initiates the CREATE_CHILD_SA exchange to rekey the initial IKE SA and then makes a new registration request for the same group over the new IKE SA: Initiator (Member) Responder (GCKS) -------------------- ------------------ HDR, SK{SA, Ni, KEi} --> <-- HDR, SK{SA, Nr, KEr} HDR, SK{IDg} ---> <-- HDR, SK{GSA, KD} Figure 27: Rekeying IKE SA followed by GSA_REGISTRATION Exchange Note, that [I-D.smyslov-ipsecme-ikev2-qr-alt] MAY be used to make the initial IKE SA secure against QC. Smyslov & Weis Expires October 8, 2022 [Page 54] Internet-Draft G-IKEv2 April 2022 7. Security Considerations 7.1. GSA Registration and Secure Channel G-IKEv2 registration exchange uses IKEv2 IKE_SA_INIT protocols, inheriting all the security considerations documented in [RFC7296] section 5 Security Considerations, including authentication, confidentiality, protection against man-in-the-middle, protection against replay/reflection attacks, and denial of service protection. The GSA_AUTH and GSA_REGISTRATION exchanges also take advantage of those protections. In addition, G-IKEv2 brings in the capability to authorize a particular group member regardless of whether they have the IKEv2 credentials. 7.2. GSA Maintenance Channel The GSA maintenance channel is cryptographically and integrity protected using the cryptographic algorithm and key negotiated in the GSA member registration exchanged. 7.2.1. Authentication/Authorization The authentication key is distributed during the GM registration, and the receiver of the rekey message uses that key to verify the message came from the authorized GCKS. An implicit authentication can also be used, in which case the ability of the GM to decrypt and to verify ICV of the received message proved taht a sender of the message is a member of the group. However, implicit authentication doesn't provide source origin authentication, so the GM cannot be sure that the message came from the GCKS. For this reason using implicit authentication is NOT RECOMMENDED unless in a small group of trusted parties. 7.2.2. Confidentiality Confidentiality is provided by distributing a confidentiality key as part of the GSA member registration exchange. 7.2.3. Man-in-the-Middle Attack Protection GSA maintenance channel is integrity protected by using a digital signature. 7.2.4. Replay/Reflection Attack Protection The GSA_REKEY message includes a monotonically increasing sequence number to protect against replay and reflection attacks. A group member will recognize a replayed message by comparing the Message ID Smyslov & Weis Expires October 8, 2022 [Page 55] Internet-Draft G-IKEv2 April 2022 number to that of the last received rekey message, any rekey message containing a Message ID number less than or equal to the last received value MUST be discarded. Implementations should keep a record of recently received GSA rekey messages for this comparison. 8. IANA Considerations 8.1. New Registries A new set of registries is created for G-IKEv2 on IKEv2 parameters page [IKEV2-IANA]. The terms Reserved, Expert Review and Private Use are to be applied as defined in [RFC8126]. This document creates a new IANA registry "Transform Type - Group Key Management Methods". The initial values of the new registry are: Value Group Key Management Method ------------------------------------------------------- Reserved 0 Wrapped Key Download 1 Unassigned 2-1023 Private Use 1024-65535 Changes and additions to the unassigned range of this registry are by the Expert Review Policy [RFC8126]. This document creates a new IANA registry "GSA Attributes". The initial values of the new registry are: GSA Attributes Value Type Multiple Protocol --------------------------------------------------------------------- Reserved 0 GSA_KEY_LIFETIME 1 V N GIKE_REKEY, AH, ESP GSA_INITIAL_MESSAGE_ID 2 V N GIKE_REKEY GSA_NEXT_SPI 3 V Y GIKE_REKEY, AH, ESP Unassigned 5-16383 Private Use 16384-32767 Changes and additions to the unassigned range of this registry are by the Expert Review Policy [RFC8126]. This document creates a new IANA registry "GAP Attributes". The initial values of the new registry are: Smyslov & Weis Expires October 8, 2022 [Page 56] Internet-Draft G-IKEv2 April 2022 GAP Attributes Value Type Multiple ---------------------------------------------------- Reserved 0 GAP_ATD 1 B N GAP_DTD 2 B N GAP_SID_BITS 3 B N Unassigned 4-16383 Private Use 16384-32767 Changes and additions to the unassigned range of this registry are by the Expert Review Policy [RFC8126]. This document creates a new IANA registry "Group Key Packet Attributes". The initial values of the new registry are: Group Key Packet Attributes Value Type Multiple Protocol ------------------------------------------------------------ Reserved 0 SA_KEY 1 V Y GIKE_REKEY, N AH, ESP Unassigned 2-16383 Private Use 16384-32767 Changes and additions to the unassigned range of this registry are by the Expert Review Policy [RFC8126]. This document creates a new IANA registry "Member Key Packet Attributes". The initial values of the new registry are: Member Key Packet Attributes Value Type Multiple ------------------------------------------------ Reserved 0 WRAP_KEY 1 V Y AUTH_KEY 2 V N GM_SID 3 V Y Unassigned 4-16383 Private Use 16384-32767 Changes and additions to the unassigned range of this registry are by the Expert Review Policy [RFC8126]. 8.2. Changes in the Existing IKEv2 Registries This document defines new Exchange Types in the "IKEv2 Exchange Types" registry: Smyslov & Weis Expires October 8, 2022 [Page 57] Internet-Draft G-IKEv2 April 2022 Value Exchange Type ---------------------------- 39 GSA_AUTH 40 GSA_REGISTRATION 41 GSA_REKEY GSA_INBAND_REKEY This document defines new Payload Types in the "IKEv2 Payload Types" registry: Value Next Payload Type Notation ---------------------------------------------------- 50 Group Identification IDg 51 Group Security Association GSA 52 Key Download KD This document makes the following changes to the "Transform Type Values" registry: o Defines two new transform types -- "Authentication Method (AUTH)" and "Group Key Management Method (GKM)"; o Renames existing transform type "Extended Sequence Numbers (ESN)" to "Replay Protection (RP)"; o Changes the "Used In" column for the existing allocations as follows; Type Description Used In --------------------------------------------------------------------- 1 Encryption Algorithm (ENCR) IKE, GIKE_REKEY and ESP 2 Pseudo-random Function (PRF) IKE, GIKE_REKEY 3 Integrity Algorithm (INTEG) IKE, GIKE_REKEY, AH, optional in ESP 4 Diffie-Hellman Group (D-H) IKE, optional in AH, ESP 5 Replay Protection (RP) AH and ESP Authentication Method (AUTH) GIKE_REKEY Group Key Management Method (GKM) GIKE_REKEY This document defines a new Attribute Type in the "IKEv2 Transform Attribute Types" registry: Value Attribute Type Format ---------------------------------------------- Algorithm Identifier TLV This document renames the "Transform Type 5 - Extended Sequence Numbers Transform IDs" registry to "Transform Type 5 - Replay Smyslov & Weis Expires October 8, 2022 [Page 58] Internet-Draft G-IKEv2 April 2022 Protection Transform IDs" and also adds a new value into this registry: Number Name --------------------- Not Used This document defines new Notify Message Types in the "Notify Message Types - Error Types" registry: Value Notify Messages - Error Types ----------------------------------------- 45 INVALID_GROUP_ID 46 AUTHORIZATION_FAILED REGISTRATION_FAILED This document defines new Notify Message Types in the "Notify Message Types - Status Types" registry: Value Notify Messages - Status Types ------------------------------------------ 16429 SENDER The Notify type with the value 16429 was allocated earlier in the development of G-IKEv2 document with the name SENDER_REQUEST_ID. This specification changes its name to SENDER. This document defines a new Security Protocol Identifier in the "IKEv2 Security Protocol Identifiers" registry: Protocol ID Protocol -------------------------- GIKE_REKEY 9. Acknowledgements The authors thank Lakshminath Dondeti and Jing Xiang for first exploring the use of IKEv2 for group key management and providing the basis behind the protocol. Mike Sullenberger and Amjad Inamdar were instrumental in helping resolve many issues in several versions of the document. The authors are grateful to Tero Kivinen for his careful review and valuable proposals how to improve the document. Smyslov & Weis Expires October 8, 2022 [Page 59] Internet-Draft G-IKEv2 April 2022 10. Contributors The following individuals made substantial contributions to early versions of this memo. Sheela Rowles Cisco Systems 170 W. Tasman Drive San Jose, California 95134-1706 USA Phone: +1-408-527-7677 Email: sheela@cisco.com Aldous Yeung Cisco Systems 170 W. Tasman Drive San Jose, California 95134-1706 USA Phone: +1-408-853-2032 Email: cyyeung@cisco.com Paulina Tran Cisco Systems 170 W. Tasman Drive San Jose, California 95134-1706 USA Phone: +1-408-526-8902 Email: ptran@cisco.com Yoav Nir Dell EMC 9 Andrei Sakharov St Haifa 3190500 Israel Email: ynir.ietf@gmail.com 11. References 11.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . Smyslov & Weis Expires October 8, 2022 [Page 60] Internet-Draft G-IKEv2 April 2022 [RFC4301] Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, December 2005, . [RFC4302] Kent, S., "IP Authentication Header", RFC 4302, DOI 10.17487/RFC4302, December 2005, . [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 4303, DOI 10.17487/RFC4303, December 2005, . [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, . [RFC6054] McGrew, D. and B. Weis, "Using Counter Modes with Encapsulating Security Payload (ESP) and Authentication Header (AH) to Protect Group Traffic", RFC 6054, DOI 10.17487/RFC6054, November 2010, . [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. Kivinen, "Internet Key Exchange Protocol Version 2 (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October 2014, . [RFC7427] Kivinen, T. and J. Snyder, "Signature Authentication in the Internet Key Exchange Version 2 (IKEv2)", RFC 7427, DOI 10.17487/RFC7427, January 2015, . [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 8126, DOI 10.17487/RFC8126, June 2017, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . 11.2. Informative References Smyslov & Weis Expires October 8, 2022 [Page 61] Internet-Draft G-IKEv2 April 2022 [I-D.ietf-ipsecme-ikev2-intermediate] Smyslov, V., "Intermediate Exchange in the IKEv2 Protocol", draft-ietf-ipsecme-ikev2-intermediate-10 (work in progress), March 2022. [I-D.ietf-ipsecme-ikev2-multiple-ke] Tjhai, C., Tomlinson, M., Bartlett, G., Fluhrer, S., Geest, D. V., Garcia-Morchon, O., and V. Smyslov, "Multiple Key Exchanges in IKEv2", draft-ietf-ipsecme- ikev2-multiple-ke-05 (work in progress), March 2022. [I-D.smyslov-ipsecme-ikev2-qr-alt] Smyslov, V., "Alternative Approach for Mixing Preshared Keys in IKEv2 for Post-quantum Security", draft-smyslov- ipsecme-ikev2-qr-alt-04 (work in progress), August 2021. [IKEV2-IANA] IANA, "Internet Key Exchange Version 2 (IKEv2) Parameters", . [NNL] Naor, D., Noal, M., and J. Lotspiech, "Revocation and Tracing Schemes for Stateless Receivers", Advances in Cryptology, Crypto '01, Springer-Verlag LNCS 2139, 2001, pp. 41-62, 2001, . [OFT] McGrew, D. and A. Sherman, "Key Establishment in Large Dynamic Groups Using One-Way Function Trees", Manuscript, submitted to IEEE Transactions on Software Engineering, 1998, . [RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange (IKE)", RFC 2409, DOI 10.17487/RFC2409, November 1998, . [RFC2627] Wallner, D., Harder, E., and R. Agee, "Key Management for Multicast: Issues and Architectures", RFC 2627, DOI 10.17487/RFC2627, June 1999, . [RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 3279, DOI 10.17487/RFC3279, April 2002, . Smyslov & Weis Expires October 8, 2022 [Page 62] Internet-Draft G-IKEv2 April 2022 [RFC3686] Housley, R., "Using Advanced Encryption Standard (AES) Counter Mode With IPsec Encapsulating Security Payload (ESP)", RFC 3686, DOI 10.17487/RFC3686, January 2004, . [RFC3740] Hardjono, T. and B. Weis, "The Multicast Group Security Architecture", RFC 3740, DOI 10.17487/RFC3740, March 2004, . [RFC3948] Huttunen, A., Swander, B., Volpe, V., DiBurro, L., and M. Stenberg, "UDP Encapsulation of IPsec ESP Packets", RFC 3948, DOI 10.17487/RFC3948, January 2005, . [RFC4046] Baugher, M., Canetti, R., Dondeti, L., and F. Lindholm, "Multicast Security (MSEC) Group Key Management Architecture", RFC 4046, DOI 10.17487/RFC4046, April 2005, . [RFC4106] Viega, J. and D. McGrew, "The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP)", RFC 4106, DOI 10.17487/RFC4106, June 2005, . [RFC4309] Housley, R., "Using Advanced Encryption Standard (AES) CCM Mode with IPsec Encapsulating Security Payload (ESP)", RFC 4309, DOI 10.17487/RFC4309, December 2005, . [RFC4543] McGrew, D. and J. Viega, "The Use of Galois Message Authentication Code (GMAC) in IPsec ESP and AH", RFC 4543, DOI 10.17487/RFC4543, May 2006, . [RFC5374] Weis, B., Gross, G., and D. Ignjatic, "Multicast Extensions to the Security Architecture for the Internet Protocol", RFC 5374, DOI 10.17487/RFC5374, November 2008, . [RFC5480] Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk, "Elliptic Curve Cryptography Subject Public Key Information", RFC 5480, DOI 10.17487/RFC5480, March 2009, . [RFC5685] Devarapalli, V. and K. Weniger, "Redirect Mechanism for the Internet Key Exchange Protocol Version 2 (IKEv2)", RFC 5685, DOI 10.17487/RFC5685, November 2009, . Smyslov & Weis Expires October 8, 2022 [Page 63] Internet-Draft G-IKEv2 April 2022 [RFC5723] Sheffer, Y. and H. Tschofenig, "Internet Key Exchange Protocol Version 2 (IKEv2) Session Resumption", RFC 5723, DOI 10.17487/RFC5723, January 2010, . [RFC5998] Eronen, P., Tschofenig, H., and Y. Sheffer, "An Extension for EAP-Only Authentication in IKEv2", RFC 5998, DOI 10.17487/RFC5998, September 2010, . [RFC6407] Weis, B., Rowles, S., and T. Hardjono, "The Group Domain of Interpretation", RFC 6407, DOI 10.17487/RFC6407, October 2011, . [RFC6467] Kivinen, T., "Secure Password Framework for Internet Key Exchange Version 2 (IKEv2)", RFC 6467, DOI 10.17487/RFC6467, December 2011, . [RFC7383] Smyslov, V., "Internet Key Exchange Protocol Version 2 (IKEv2) Message Fragmentation", RFC 7383, DOI 10.17487/RFC7383, November 2014, . [RFC7634] Nir, Y., "ChaCha20, Poly1305, and Their Use in the Internet Key Exchange Protocol (IKE) and IPsec", RFC 7634, DOI 10.17487/RFC7634, August 2015, . [RFC8017] Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch, "PKCS #1: RSA Cryptography Specifications Version 2.2", RFC 8017, DOI 10.17487/RFC8017, November 2016, . [RFC8229] Pauly, T., Touati, S., and R. Mantha, "TCP Encapsulation of IKE and IPsec Packets", RFC 8229, DOI 10.17487/RFC8229, August 2017, . [RFC8784] Fluhrer, S., Kampanakis, P., McGrew, D., and V. Smyslov, "Mixing Preshared Keys in the Internet Key Exchange Protocol Version 2 (IKEv2) for Post-quantum Security", RFC 8784, DOI 10.17487/RFC8784, June 2020, . Smyslov & Weis Expires October 8, 2022 [Page 64] Internet-Draft G-IKEv2 April 2022 Appendix A. Use of LKH in G-IKEv2 Section 5.4 of [RFC2627] describes the LKH architecture, and how a GCKS uses LKH to exclude group members. This section clarifies how the LKH architecture is used with G-IKEv2. A.1. Notation In this section we will use the notation X{Y} where a key with ID Y is encrypted with the key with ID X. The notation GSK_w{Y} means that the default wrap key GSK_w (with zero KWK ID)is used to encrypt key Y, and the notation X{K_sa} means key X is used to encrypt the SA key K_sa (wich always has zero Key ID). Note, that GSK_w{K_sa} means that the SA key is encrypted with the default wrap key, in which case both KWK ID and Key ID are zero. For simplicity we will assume that The content of the KD payload will be shown as a sequence of Key Packets. The Group Key Packet substructure will be denoted as GP(SAn)(), when n is an SPI for the SA, and the Member Key Packet substructure will be denoted as MP(). The content of the Key Packets is shown as SA_KEY and WRAP_KEY attributes with the notation described above. For simplicity the type of the attribute will not be shown, because it is implicitly defined by the type of Key Packet. Here is the example of KD payload. KD(GP1(X{K_sa}),MP(Y{X},Z{Y},GSK_w{Z}) For simplicity any other attributes in the KD payload are omitted. We will also use the notation X->Y->Z to describe the Key Path. In this case key Y is needed to dectypt key X and key Z is needed to decrypt key Y. In the example above the keys had the following relation: K_sa->X->Y->Z->GSK_w. A.2. Group Creation When a GCKS forms a group, it creates a key tree as shown in the figure below. The key tree contains logical keys (which are represented as the values of their Key IDs in the figure) and a private key shared with only a single GM (the GMs are represented as letters followed by the corresponding key ID in parentheses in the figure). The root of the tree contains the multicast Rekey SA key (which is represented as SAn(K_san). The figure below assumes that the Key IDs are assigned sequentially; this is not a requirement and only used for illustrative purposes. The GCKS may create a complete tree as shown, or a partial tree which is created on demand as members join the group. Smyslov & Weis Expires October 8, 2022 [Page 65] Internet-Draft G-IKEv2 April 2022 SA1(K_sa1) +------------------------------+ 1 2 +---------------+ +---------------+ 3 4 5 6 +-------+ +-------+ +--------+ +--------+ A(7) B(8) C(9) D(10) E(11) F(12) G(13) H(14) Figure 28: Initial LKH tree When GM A joins the group, the GCKS provides it with the keys in the KD payload of the GSA_AUTH or GSA_REGISTRATION exchange. Given the tree shown in figure above, the KD payload will be: KD(GP(SA1)(1{K_sa1}),MP(3{1},7{3},GSK_w{7}) KD Payload for the Group Member A From these attributes the GM A will construct the Key Path K_sa1->1->3->7->GSK_w and since it ends up with GSK_w, it will use all the WRAP_KEY attributes present in the path as its Working Key Path: 1->3->7. Similarly, when other GMs will be joining the group they will be provided with the corresponding keys, so after all the GMs will have the following Working Key Paths: A: 1->3->7 B: 1->3->8 C: 1->4->9, D: 1->4->10 E: 2->5->11 F: 2->5->12 G: 2->6->13 H: 2->6->14 A.3. Simple Group SA Rekey If the GCKS performs a simple SA rekey without changing group membership, it will only send Group Key Packet in the KD payload with a new SA key encrypted with the default KWK. KD(GP(SA2)(GSK_w{K_sa2})) KD Payload for the Simple Group SA Rekey All the GMs will be able to decrypt it and no changes in their Working Key Paths will happen. A.4. Group Member Exclusion If the GKCS has reason to believe that a GM should be excluded, then it can do so by sending a GSA_REKEY message that includes a set of Smyslov & Weis Expires October 8, 2022 [Page 66] Internet-Draft G-IKEv2 April 2022 GM_KEY attributes which would allow all GMs except for the excluded one to get a new SA key. In the example below the GCKS excludes GM F. For this purpose it changes the key tree as follows, replacing the key 2 with the key 15 and the key 5 with the key 16. It also generates a new SA key for a new SA3. SA3(K_sa3) +------------------------------+ 1 15 +---------------+ +---------------+ 3 4 16 6 +-------+ +-------+ +---- +--------+ A(7) B(8) C(9) D(10) E(11) F(12) G(13) H(14) Figure 29: LKH tree after F has been excluded Then it sends the following KD payload for the new Rekey SA3: KD(GP(SA3)(1{K_sa3},15{K_sa3}),MP(6{15},16{15},11{16}) KD Payload for the Group Member F While processing this KD payload: o GMs A, B, C and D will be able to decrypt the SA_KEY attribute 1{K_sa3} by using the "1" key from their key path. Since no new GM_KEY attributes are in the new Key Path, they won't update their Working Key Paths. o GMs G and H will construct new Key Path 15->6 and will be able to decrypt the intermediate key 15 using the key 6 from their Working Key Paths. So, they will update their Working Key Paths replacing their beginnings up to the key 6 with the new Key Path (thus replacing the key 2 with the key 15). o GM E will construct new Key Path 16->15->11 and will be able to decrypt the intermediate key 16 using the key 11 from its Working Key Path. So, it will update its Working Key Path replacing its beginnings up to the key 11 with the new Key Path (thus replacing the key 2 with the key 15 and the key 5 with the key 16). o GM F won't be able to construct any Key Path leading to any key he possesses, so it will be unable to decrypt the new SA key for the SA3 and thus it will be excluded from the group once the SA3 is used. Smyslov & Weis Expires October 8, 2022 [Page 67] Internet-Draft G-IKEv2 April 2022 Finally, the GMs will have the following Working Key Paths: A: 1->3->7 B: 1->3->8 C: 1->4->9, D: 1->4->10 E: 15->16->11 F: excluded G: 15->6->13 H: 15->6->14 Authors' Addresses Valery Smyslov ELVIS-PLUS PO Box 81 Moscow (Zelenograd) 124460 Russian Federation Phone: +7 495 276 0211 Email: svan@elvis.ru Brian Weis Independent USA Email: bew.stds@gmail.com Smyslov & Weis Expires October 8, 2022 [Page 68]