Re: [IPsec] I-D Action: draft-ietf-ipsecme-g-ikev2-08.txt
Daniel Migault <mglt.ietf@gmail.com> Tue, 28 March 2023 19:47 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A2628C151B3B for <ipsec@ietfa.amsl.com>; Tue, 28 Mar 2023 12:47:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K_aVw-Z35-Xo for <ipsec@ietfa.amsl.com>; Tue, 28 Mar 2023 12:47:39 -0700 (PDT)
Received: from mail-yb1-xb2e.google.com (mail-yb1-xb2e.google.com [IPv6:2607:f8b0:4864:20::b2e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC731C1516E9 for <ipsec@ietf.org>; Tue, 28 Mar 2023 12:47:38 -0700 (PDT)
Received: by mail-yb1-xb2e.google.com with SMTP id e65so16580482ybh.10 for <ipsec@ietf.org>; Tue, 28 Mar 2023 12:47:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1680032857; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=fFCbLoXpDxzrDVpgWhR/cjaduVgBeHzAaoT2DxKN0a4=; b=RKgiIO4Rte68vZvdV4CdFW6KGTCbHxCFXi1G2nSb4VZRgcRZmTGLyBGlA2bLwrGzks fQD49dksLZNlAzKOFO8Rf2iKAnnhKQ5NDdS2pZIqK7Eyd8HDpSw51DybuC9zaJHG8JhJ O5Y5MroYz37Tj+wQuRyP2MiFURSwj4YVYPZ1Wzy8tz0n1qZ2pEFIBqijUlA/JGLEUPQ7 Lf8S5BUf52PhXGYI50IEeYPLSxEsG2JhcS9fcIVzQZxDsE8CY2acx85zK0L7K1cHSxry qXppcfuXkRFBw9NyUdf1w9LNPmvUqMUg5AZzO2E7JuuyjfBd8OXkav9Nd3EfnGos31Tb qJNA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1680032857; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=fFCbLoXpDxzrDVpgWhR/cjaduVgBeHzAaoT2DxKN0a4=; b=ENUZhFHcdMP3uw2GIaPBS9bFG6xWG5oeu529fTuIqmRSJ7e9oLKcyABsPNQuKrbL5K Xd4JJ0PO2WqhUU/hJp7gFtb4KE0jJ/7F4OkPOUlcTgmYFItlYkl8ZVxm8JUucGkCJVI8 nOBREagpOGQP/4GKW2qAtG5QovDmoT9r0n7+5SVFWAGo+fq4Os10VPG/SFnwSNqsbnjV Rzd4NNiGP1h6D08sav29uJa4htesXF2NL8DQu2NcG4A6PTQSk3H/+kXuOi1eaThaiosl uBaWbgmRaRGqMS/Gi07mFCDcdvYenrCVlfNyrbzV8a1tqUz+uvasjV1OR8rfH+Yiwtcz 425Q==
X-Gm-Message-State: AAQBX9evnUfTW+j44QPRs4Y11kFkBImfNSU3CEvMT3Z+N/f92BjhPOg/ LSyxHLqOhMl8fXUeaatSXr+BLSKUZfXqfP97QMQ=
X-Google-Smtp-Source: AKy350abvDVuH5hb/B2g8mznLJ36vDdi6LvcTK9Erd/rdTeIG4oL3lCVgmkf3xxWtxJ2kICNNFfTZ7cnF9xUvinhHzg=
X-Received: by 2002:a25:c750:0:b0:b45:e545:7c50 with SMTP id w77-20020a25c750000000b00b45e5457c50mr10886140ybe.0.1680032855628; Tue, 28 Mar 2023 12:47:35 -0700 (PDT)
MIME-Version: 1.0
References: <167836900620.59072.16500629937016724049@ietfa.amsl.com> <194e01d9528d$48fe44f0$dafaced0$@gmail.com>
In-Reply-To: <194e01d9528d$48fe44f0$dafaced0$@gmail.com>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Tue, 28 Mar 2023 15:47:24 -0400
Message-ID: <CADZyTkkXsSG5k7QSzswK3QkZbJ03n7GHj7ysWxm0uRhvrBapJA@mail.gmail.com>
To: Valery Smyslov <smyslov.ietf@gmail.com>
Cc: ipsec@ietf.org
Content-Type: multipart/alternative; boundary="000000000000921d8205f7fb21b3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/l4rEQzSzsn0vH6hJdkIrsnRp_8U>
Subject: Re: [IPsec] I-D Action: draft-ietf-ipsecme-g-ikev2-08.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Mar 2023 19:47:42 -0000
Hi,
I have reviewed the document until section 3.2 (50% of the doc). The
document is on a good path. Most of my comments are editorial - and I am
not expecting any response, and feel free to ignore them. I do have other
comments labeled as DISCUSSION or CLARIFICATION that I think may need more
attention - at least I am interested by the response ;-).
There are no major issues and my expectation is that the remaining sections
will have no specific issues at all but I need to go through them and I
think the document can be moved forward without these comments.
Yours,
Daniel
Network Working Group V. Smyslov
Internet-Draft ELVIS-PLUS
Obsoletes: 6407 (if approved) B. Weis
Updates: 7296 (if approved) Independent
Intended status: Standards Track 9 March 2023
Expires: 10 September 2023
Group Key Management using IKEv2
draft-ietf-ipsecme-g-ikev2-08
Abstract
This document presents an extension to the Internet Key Exchange
version 2 (IKEv2) protocol for the purpose of a group key management.
The protocol is in conformance with the Multicast Security (MSEC) key
management architecture, which contains two components: member
registration and group rekeying. Both components require a Group
Controller/Key Server to download IPsec group security associations
to authorized members of a group. The group members then exchange IP
multicast or other group traffic as IPsec packets. This document
obsoletes RFC 6407. This documents also updates RFC 7296 by renaming
one of transform types defined there.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 10 September 2023.
Copyright Notice
Copyright (c) 2023 IETF Trust and the persons identified as the
document authors. All rights reserved.
Smyslov & Weis Expires 10 September 2023 [Page 1]
Internet-Draft G-IKEv2 March 2023
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Introduction and Overview . . . . . . . . . . . . . . . . . . 3
1.1. Requirements Notation . . . . . . . . . . . . . . . . . . 5
1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5
2. G-IKEv2 Protocol . . . . . . . . . . . . . . . . . . . . . . 7
2.1. G-IKEv2 Integration into IKEv2 Protocol . . . . . . . . . 7
2.1.1. G-IKEv2 Transport and Port . . . . . . . . . . . . . 7
2.2. G-IKEv2 Payloads . . . . . . . . . . . . . . . . . . . . 8
2.3. G-IKEv2 Member Registration and Secure Channel
Establishment . . . . . . . . . . . . . . . . . . . . . . 9
2.3.1. GSA_AUTH exchange . . . . . . . . . . . . . . . . . . 10
2.3.2. GSA_REGISTRATION Exchange . . . . . . . . . . . . . . 11
2.3.3. GM Registration Operations . . . . . . . . . . . . . 12
2.3.4. GCKS Registration Operations . . . . . . . . . . . . 15
2.4. Group Maintenance Channel . . . . . . . . . . . . . . . . 16
2.4.1. GSA_REKEY . . . . . . . . . . . . . . . . . . . . . . 17
2.4.2. GSA_INBAND_REKEY Exchange . . . . . . . . . . . . . . 23
2.4.3. Deletion of SAs . . . . . . . . . . . . . . . . . . . 23
2.5. Counter-based modes of operation . . . . . . . . . . . . 24
2.5.1. Allocation of Sender-ID . . . . . . . . . . . . . . . 25
2.5.2. GM Usage of Sender-ID . . . . . . . . . . . . . . . . 26
2.6. Replay Protection for Multicast Data-Security SAs . . . . 27
3. Group Key Management and Access Control . . . . . . . . . . . 27
3.1. Key Wrap Keys . . . . . . . . . . . . . . . . . . . . . . 28
3.1.1. Default Key Wrap Key . . . . . . . . . . . . . . . . 28
3.2. GCKS Key Management Semantics . . . . . . . . . . . . . . 29
3.2.1. Forward Access Control Requirements . . . . . . . . . 29
3.3. GM Key Management Semantics . . . . . . . . . . . . . . . 30
3.4. SA Keys . . . . . . . . . . . . . . . . . . . . . . . . . 32
4. Header and Payload Formats . . . . . . . . . . . . . . . . . 32
4.1. G-IKEv2 Header . . . . . . . . . . . . . . . . . . . . . 32
4.2. Group Identification Payload . . . . . . . . . . . . . . 33
4.3. Security Association - GM Supported Transforms Payload . 33
4.4. Group Security Association Payload . . . . . . . . . . . 33
4.4.1. Group Policies . . . . . . . . . . . . . . . . . . . 34
4.4.2. Group Security Association Policy Substructure . . . 34
4.4.3. Group Associated Policy Substructure . . . . . . . . 41
4.5. Key Download Payload . . . . . . . . . . . . . . . . . . 43
Smyslov & Weis Expires 10 September 2023 [Page 2]
Internet-Draft G-IKEv2 March 2023
4.5.1. Wrapped Key Format . . . . . . . . . . . . . . . . . 43
4.5.2. Group Key Packet Substructure . . . . . . . . . . . . 45
4.5.3. Member Key Packet Substructure . . . . . . . . . . . 47
4.6. Delete Payload . . . . . . . . . . . . . . . . . . . . . 49
4.7. Notify Payload . . . . . . . . . . . . . . . . . . . . . 50
4.7.1. USE_TRANSPORT_MODE Notification . . . . . . . . . . . 51
4.8. Authentication Payload . . . . . . . . . . . . . . . . . 51
5. Usigng G-IKEv2 Attributes . . . . . . . . . . . . . . . . . . 51
6. Interaction with other IKEv2 Protocol Extensions . . . . . . 53
6.1. Mixing Preshared Keys in IKEv2 for Post-quantum
Security . . . . . . . . . . . . . . . . . . . . . . . . 54
7. Security Considerations . . . . . . . . . . . . . . . . . . . 56
7.1. GSA Registration and Secure Channel . . . . . . . . . . . 56
7.2. GSA Maintenance Channel . . . . . . . . . . . . . . . . . 56
7.2.1. Authentication/Authorization . . . . . . . . . . . . 56
7.2.2. Confidentiality . . . . . . . . . . . . . . . . . . . 57
7.2.3. Man-in-the-Middle Attack Protection . . . . . . . . . 57
7.2.4. Replay/Reflection Attack Protection . . . . . . . . . 57
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 57
8.1. New Registries . . . . . . . . . . . . . . . . . . . . . 57
8.2. Changes in the Existing IKEv2 Registries . . . . . . . . 59
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 61
10. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 61
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 62
11.1. Normative References . . . . . . . . . . . . . . . . . . 62
11.2. Informative References . . . . . . . . . . . . . . . . . 63
Appendix A. Use of LKH in G-IKEv2 . . . . . . . . . . . . . . . 66
A.1. Notation . . . . . . . . . . . . . . . . . . . . . . . . 66
A.2. Group Creation . . . . . . . . . . . . . . . . . . . . . 67
A.3. Simple Group SA Rekey . . . . . . . . . . . . . . . . . . 68
A.4. Group Member Exclusion . . . . . . . . . . . . . . . . . 68
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 69
1. Introduction and Overview
A group key management protocol provides IPsec keys and policy to a
set of IPsec devices which are authorized to communicate using a
Group Security Association (GSA) defined in [RFC3740].
<mglt>
This is a nit but I believe that saying striaght forward
"""
This document presents an extension to
IKEv2 [RFC7296] called G-IKEv2, that allows to perform a group key
management.
"""
may be clearer.
</mglt>
The data
communications within the group (e.g., IP multicast packets) are
protected by a key pushed to the group members (GMs) by the Group
Controller/Key Server (GCKS). This document presents an extension to
IKEv2 [RFC7296] called G-IKEv2, that allows to perform a group key
management.
G-IKEv2 conforms to the Multicast Group Security Architecture
[RFC3740], Multicast Extensions to the Security Architecture for the
Internet Protocol [RFC5374] and the Multicast Security (MSEC) Group
Key Management Architecture [RFC4046]. G-IKEv2 replaces GDOI
Smyslov & Weis Expires 10 September 2023 [Page 3]
Internet-Draft G-IKEv2 March 2023
[RFC6407], which defines a similar group key management protocol
using IKEv1 [RFC2409] (since deprecated by IKEv2). When G-IKEv2 is
used, group key management use cases can benefit from the simplicity,
increased robustness and cryptographic improvements of IKEv2 (see
Appendix A of [RFC7296].
<mglt>
missing ")"
</mglt>
A GM begins a "registration" exchange when it first joins the group.
<mglt>
I think I have a similar comment to my first comment. When I am reading th
esentence I never know if this is a generla sentence or if that is specific
to G-IKEv2.
This is a nit, but I think we should make it clear that we only focuses on
G-IKEv2. Maybe I am biaised as I am not familiar with other generic group
frameworks.
</mglt>
With G-IKEv2, the GCKS authenticates and authorizes GMs, then pushes
policy and keys used by the group to the GM. G-IKEv2 includes two
"registration" exchanges. The first is the GSA_AUTH exchange (
<mglt>
do we have an extra space after the "(" ?
</mglt>
Section 2.3.1), which is used when a GM first conatcts a GCKS.
<mglt>
s/conatcts/contacts/
</mglt>
The
second is the GSA_REGISTRATION exchange (Section 2.3.2), which a GM
can use within an established IKE SA.
<mglt>
I think that if we specify that GSA_REGISTRATION is withinan established
IKE_SA we also need to specify GSA_AUTH where the GS_AUTH occurs.
I also think it might be helpful to specify the IKE channel is between the
GM and the GCKS as opposed to anything shared by all GMs.
</mglt>
Group rekeys are accomplished
using either the GSA_REKEY pseudo-exchange (a single message
distributed to all GMs, usually as a multicast message), or as a
GSA_INBAND_REKEY exchange delivered individually to group members
using existing IKE SAs).
<mglt>
Maybe s/group memebers/all group members/
I also beleiev that it would be clearer to have s/existing SAs/their
individual IKE SA/ just to make it clear that each GM has a single
(individual) IKE SA shared with the GCKS.
</mglt>
Large and small groups may use different sets of these protocols.
When a large group of devices are communicating, the GCKS is likely
to use the GSA_REKEY message for efficiency. This is shown in
Figure 1. (Note: For clarity, IKE_SA_INIT is omitted from the
figure.)
+--------+
+------------->| GCKS |<-------------+
| +--------+ |
| | ^ |
| | | |
| | GSA_AUTH |
| | or |
| | GSA_REGISTRATION |
| | | |
GSA_AUTH | | GSA_AUTH
or GSA_REKEY | or
GSA_REGISTRATION | | GSA_REGISTRATION
| | | |
| +------------+-----------------+ |
| | | | | |
v v v v v v
+-------+ +--------+ +-------+
| GM | ... | GM | ... | GM |
+-------+ +--------+ +-------+
^ ^ ^
| | |
+-------ESP-------+-------ESP------+
Figure 1: G-IKEv2 used in large groups
<mglt>
It might be helpful to indicate (inidvidual) IKE channel while the ESP SA
is shared between all GMs.
While ESP is reasonable, we may also indicate if AH is excluded or if the
IPsec communication can include ESP/AH.
</mglt>
Smyslov & Weis Expires 10 September 2023 [Page 4]
Internet-Draft G-IKEv2 March 2023
Alternatively, a small group may simply use the GSA_AUTH as a
registration protocol, where the GCKS issues rekeys using the
GSA_INBAND_REKEY within the same IKE SA. The GCKS is also likely to
be a GM in a small group (as shown in Figure 2.)
<mglt>
""" The GCKS is also likely to
be a GM in a small group (as shown in Figure 2.)"""
is a bit confusing.
I do not see why such p[roperty is restricted to small group nor what kind
of advanatge thjis provides as my understanding is that Groups
communication is only related to the ESP communication nor the IKE
communication.
On the other hand, Figure 1 and Figure 2 mostly highlight multicast IKE
message versus individual IKE message.
We probably need to specify if the GCKS is a GM is orthogonal to
multicast/indiviudal IKE message or not and if that only applies to the
small group why.
</mglt>
GSA_AUTH, GSA_INBAND_REKEY
+-----------------------------------------------+
| |
| GSA_AUTH, GSA_INBAND_REKEY |
| +-----------------------------+ |
| | | |
| | GSA_AUTH, GSA_INBAND_REKEY | |
| | +--------+ | |
v v v v v v
+---------+ +----+ +----+ +----+
| GCKS/GM | | GM | | GM | | GM |
+---------+ +----+ +----+ +----+
^ ^ ^ ^
| | | |
+----ESP-----+------ESP-------+-----ESP-----+
Figure 2: G-IKEv2 used in small groups
A combination of these approaches is also possible. For example, the
GCKS may use more robust GSA_INBAND_REKEY to provide keys for some
GMs (for example, those acting as senders in the group) and GSA_REKEY
for the rest.
IKEv2 message semantics are preserved in that all communications
consists of message request-response pairs. The exception to this
rule is the GSA_REKEY pseudo-exchange, which is a single message
delivering group updates to the GMs.
1.1. Requirements Notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
1.2. Terminology
It is assumed that readers are familiar with the IPsec architecture
[RFC4301], its extension for multicast [RFC5374]. This document
defines an extension to the IKEv2 protocol [RFC7296], so it is
assumed that readers have good understanding of this protocol.
Smyslov & Weis Expires 10 September 2023 [Page 5]
Internet-Draft G-IKEv2 March 2023
The following key terms are used throughout this document (mostly
borrowed from [RFC5374] and [RFC6407]).
Group A set of devices that work together to protect group
communications.
Group Member (GM) An IPsec device that belongs to a group. A Group
Member is authorized to be a Group Sender and/or a Group Receiver.
Group Receiver A Group Member that is authorized to receive packets
sent to a group by a Group Sender.
Group Sender A Group Member that is authorized to send packets to a
group.
Group Key Management (GKM) Protocol A key management protocol used
by a GCKS to distribute IPsec Security Association policy and
keying material. A GKM protocol is used when a group of IPsec
devices require the same SAs. For example, when an IPsec SA
describes an IP multicast destination, the sender and all
receivers need to have the group SA.
Group Controller Key Server (GCKS) A Group Key Management (GKM)
protocol server that manages IPsec state for a group. A GCKS
authenticates and provides the IPsec SA policy and keying material
to GKM Group Members.
Data-Security SA The security policy distributed by a GDOI GCKS
describing traffic that is expected to be protected by group
members. This document described the distribution of IPsec AH and
ESP Data-Security SAs.
<mglt>
isn't Data-Security SA a kind of GSPD ?
</mglt>
Rekey SA The security policy protecting Group Key Management
Protocol.
Group Security Association (GSA) A collection of Data-Security
Associations (SAs) and Rekey SAs necessary for a Group Member to
receive key updates. A GSA describes the working policy for a
group. Refer to [RFC4046] for additional information.
Traffic Encryption Key (TEK) The symmetric cipher key used in a
Data-Security SA (e.g., IPsec ESP) to protect trafic.
<mglt>
isn't it simply the GSA key ?
</mglt>
Key Encryption Key (KEK) The symmetric cipher key used in a Rekey SA
to protect distribution of new keys.
<mglt>
isn't it simply the GIKE_SA or Rekey_SA key ?
I am not suggesting to change the terminology - especially at that point -
but I have the impression that some very generic terms could gain in
clarity by having a more narrow IPsec/IKEv2 context. I also know it is very
hard to find the right terminology and everyon ehas its own view - so just
take it as a comment.
</mglt>
Key Wrap Key (KWK) The symmetric cipher key used to protect another
key.
Smyslov & Weis Expires 10 September 2023 [Page 6]
Internet-Draft G-IKEv2 March 2023
Group Associated Policy (GAP) Group-wide policy not related to a
particular SA.
Sender-ID A unigue identifier of a Group Sender in the context of an
active GSA, used to form Initialization Vector (IV) in counter-
based cipher modes.
Logical Key Hierarchy (LKH) A group management method defined in
Section 5.4 of [RFC2627].
2. G-IKEv2 Protocol
2.1. G-IKEv2 Integration into IKEv2 Protocol
G-IKEv2 is an extension to IKEv2 and uses its security mechanisms
(peer authentication, confidentiality, message integrity) to ensure
that only authenticated devices have access to the group policy and
keys. G-IKEv2 further provides group authorization, and secure
policy and key download from the GCKS to GMs.
<mglt>
Reading the last sentence, I am interpretingh it as a consequence of
provindin a GSA. If that is the case, I see this a a much simpler way to
describve what it does. group authorization might be perceived as something
like OAUTH, policies as something more complex. Typically ACE has defined
some quite complex messaging for managing group communications, so stiking
to IPsec might limit such confusion.
</mglt>
G-IKEv2 is compatible with most IKEv2 extensions defined so far and
it is believed that future IKEv2 extensions will also be possible to
use with G-IKEv2. However some IKEv2 extensions require special
handling if used with G-IKEv2. See Section 6 for more details.
It is assumed that readers are familiar with the IKEv2 protocol, so
this document skips many details that are described in [RFC7296].
2.1.1. G-IKEv2 Transport and Port
As IKEv2 extension G-IKEv2 SHOULD use the IKEv2 ports (500, 4500).
G-IKEv2 MAY also use TCP transport for registration (unicast) IKE SA,
as defined in [RFC9329]. G-IKEv2 MAY also use UDP port 848, the same
as GDOI [RFC6407], because they serve a similar function. The
version number in the IKE header distinguishes the G-IKEv2 protocol
from GDOI protocol [RFC6407].
Section 2.23 of [RFC7296] describes how IKEv2 deals with NATs.
Despite the fact, that with G-IKEv2 the registration SA doesn't
create any unicast IPsec SAs and thus there is no unicast ESP traffic
between the GM and the GCKS to encapsulate in UDP if NAT is present,
the actions described in this section concerned with the IKE SA MUST
be honored.
<mglt>
Actually the only question I am wondering if whether ther is a child SA or
not.
</mglt>
If the GM and the GCKS used UDP port 848 for the
IKE_SA_INIT exchange, they MUST behave as if they used UDP port 500.
Smyslov & Weis Expires 10 September 2023 [Page 7]
Internet-Draft G-IKEv2 March 2023
2.2. G-IKEv2 Payloads
In the following descriptions, the payloads contained in the G-IKEv2
messages are indicated by names as listed below.
+==========+============================+=============+
| Notation | Payload | Defined in |
+==========+============================+=============+
| AUTH | Authentication | [RFC7296] |
+----------+----------------------------+-------------+
| CERT | Certificate | [RFC7296] |
+----------+----------------------------+-------------+
| CERTREQ | Certificate Request | [RFC7296] |
+----------+----------------------------+-------------+
| D | Delete | [RFC7296] |
+----------+----------------------------+-------------+
| GSA | Group Security Association | Section 4.4 |
+----------+----------------------------+-------------+
| HDR | IKEv2 Header | [RFC7296] |
+----------+----------------------------+-------------+
| IDg | Identification - Group | Section 4.2 |
+----------+----------------------------+-------------+
| IDi | Identification - Initiator | [RFC7296] |
+----------+----------------------------+-------------+
| IDr | Identification - Responder | [RFC7296] |
+----------+----------------------------+-------------+
| KD | Key Download | Section 4.5 |
+----------+----------------------------+-------------+
| KE | Key Exchange | [RFC7296] |
+----------+----------------------------+-------------+
| Ni, Nr | Nonce | [RFC7296] |
+----------+----------------------------+-------------+
| N | Notify | [RFC7296] |
+----------+----------------------------+-------------+
| SA | Security Association | [RFC7296] |
+----------+----------------------------+-------------+
| SAg | Security Association - GM | Section 4.3 |
| | Supported Transforms | |
+----------+----------------------------+-------------+
| SK | Encrypted | [RFC7296] |
+----------+----------------------------+-------------+
Table 1: Payloads used in the protocol
Payloads defined as part of other IKEv2 extensions MAY also be
included in these messages. Payloads that may optionally appear in
G-IKEv2 messages will be shown in brackets, such as [CERTREQ].
Smyslov & Weis Expires 10 September 2023 [Page 8]
Internet-Draft G-IKEv2 March 2023
G-IKEv2 defines several new payloads not used in IKEv2:
* IDg (Group ID) -- The GM requests the GCKS for membership into the
group by sending its IDg payload.
* GSA (Group Security Association) -- The GCKS sends the group
policy to the GM using this payload.
* KD (Key Download) -- The GCKS sends the keys and the security
parameters to the GMs using the KD payload.
* SAg (Security Association -- GM Supported Transforms) -- the GM
sends supported transforms, so that GCKS may select a policy
appropriate for all members of the group.
The details of the contents of each payload are described in
Section 4.
2.3. G-IKEv2 Member Registration and Secure Channel Establishment
The registration protocol consists of a minimum of two exchanges,
IKE_SA_INIT and GSA_AUTH; member registration may have a few more
messages exchanged if the EAP method, cookie challenge (for DoS
protection), negotiation of Diffie-Hellman group or IKEv2 extensions
based on [RFC9242] are used. Each exchange consists of request/
response pairs.
<mglt>
consist of "a" ? -- knowing that english is not my native language... so
just mentioning it in case this makes sense.
</mglt>
The first exchange IKE_SA_INIT is defined in IKEv2
[RFC7296]. This exchange negotiates cryptographic algorithms,
exchanges nonces and computes a shared key between the GM and the
GCKS.
The second exchange GSA_AUTH authenticates the previously exchanged
messages, exchanges identities and certificates. The GSA_AUTH
messages are encrypted and integrity protected with keys established
through the previous exchanges,
<mglt>
Should we say like the regular IKE_AUTH ?
</mglt>
so the identities are hidden from
eavesdroppers and all fields in all the messages are authenticated.
The GCKS SHOULD authorize group members to be allowed into the group
as part of the GSA_AUTH exchange.
<mglt>
The "SHOULD" sounds strange to me as I have the impression that completing
the exchange implicilt provides the authorization.
</mglt>
Once the GCKS accepts a group
member
<mglt>
s/group member/GM
</mglt>
to join a group it will download the data security keys (TEKs)
and/or group key encrypting key (KEK) as part of the GSA_AUTH
response message.
<mglt>
I am finding "download" confusing here as I see teh GS_AUTH response
providing the TEK and KEK.
</mglt>
Smyslov & Weis Expires 10 September 2023 [Page 9]
Internet-Draft G-IKEv2 March 2023
2.3.1. GSA_AUTH exchange
After the group member and GCKS negotiate cryptographic algorithms,
exchange nonces, and compute shared keys as defined in IKEv2
[RFC7296], the GSA_AUTH exchange MUST complete before any other
exchanges defined in this document can be done. GSA_AUTH is used to
authenticate the previous exchanges, exchange identities and
certificates. G-IKEv2 also uses this exchange for group member
registration and authorization.
The GSA_AUTH exchange is identical to the IKE_AUTH exchange with the
difference that its goal is to establish multicast Data-Security SAs
and optionally provide GM with the keys for Rekey SA. The set of
payloads in the GSA_AUTH exchange is slightly different, because
policy is not negotiated between the group member and the GCKS, but
instead downloaded from the GCKS to the group member.
<mglt>
I think we shoudl avoid identicial as there are some difference. Perhaps
something around:
he GSA_AUTH exchange is a specific exchange with a given exchange type
whose purpose is very similar to IKE_AUTH.
There are in my opinion 2 goals, including authenticating the GM which
seems to be missing in the text.
I am reading downloaded as defined or dictated by the GCKS. I think that is
good to mention the GIKE_SA is not "agreed".
</mglt>
Note also,
that GSA_AUTH has its own exchange type, which is different from the
IKE_AUTH exchange type.
<mglt>
The text above seems to have been introduces since we mentions GSA_AUTH and
IKE_AUTH are "identiical" but not. It opposes what is before and what
follows, so I we should probably remove that paragraph.
</mglt>
Nevertheless, the security properties of the GSA_AUTH exchange are
the same as the properties of the IKE_AUTH exchange and most IKEv2
extensions to the IKE_AUTH exchange (like [RFC6467]) can also be used
with the GSA_AUTH exchange.
<mglt>
The text above is in my opinion a "simple note". It think it is valuable
but the begining shoudl in my opinion being smoothed or even omitted.
Note that due to the similarities between IKE_AUTH and GSA_AUTH, most IKEv2
extensions to the IKE_AUTH exchange (like [RFC6467]) can also be used
with the GSA_AUTH exchange.
</mglt>
Initiator (GM) Responder (GCKS)
-------------------- ------------------
HDR, SK{IDi, [CERT,] [CERTREQ,] [IDr,]
AUTH, IDg, [SAg,] [N]} -->
Figure 3: GSA_AUTH Request
A group member initiates a GSA_AUTH request to join a group indicated
<mglt>
Note that all nits and synthax comments I am providing are very much
subject to be ignored, and I just provide them as a personnal suggestion
which could be very wrong - especially as I am not so fluent in english.
I am wondering if "designated" is not more appropriated than "indicated"
</mglt>
by the IDg payload. The GM MAY include an SAg payload declaring
which Transforms it is willing to accept.
<mglt>
I tend to think that MAY means that SAg is useless ;-) Thinking of it, I do
not see any negotiation possible here, so I am wondering if we shoudl not
simply omit SAg.
</mglt>
A GM that intends to act
as Group Sender SHOULD include a Notify payload status type of
SENDER, which enables the GCKS to provide any additional policy
necessary by group senders.
<mglt>
SENDER shoudl be added to Fig3.
</mglt>
Initiator (GM) Responder (GCKS)
-------------------- ------------------
<-- HDR, SK{IDr, [CERT,]
AUTH, [GSA, KD,] [N,]}
Figure 4: GSA_AUTH Normal Response
<mglt>
optional payload. I have the impression I would have written "[CERT],"
instead of "[CERT,]". The latest looks strange to me but I might be
completly wrong.
</mglt>
Smyslov & Weis Expires 10 September 2023 [Page 10]
Internet-Draft G-IKEv2 March 2023
The GCKS responds with IDr, optional CERT, and AUTH payloads as if it
were an IKE_AUTH.
<mglt>
I think that "as if it were an IKE_AUTH" means "with the same meaning as in
IKE_AUTH".
</mglt>
It also informs the group member of the
cryptographic policies of the group in the GSA payload and the key
material in the KD payload.
<mglt>
My understanding so far is that responses are different when the SENDER
notification is provided, but I do not see these differences. I think that
figure 4 should be split into a response to a request with an (accepted)
SENDER and one without or an ignored SENDER.
</mglt>
In addition to the IKEv2 error handling, the GCKS can reject the
registration request when the IDg is invalid or authorization fails,
etc. In these cases, see Section 4.7, the GSA_AUTH response will not
include the GSA and KD, but will include a Notify payload indicating
errors. If a GM included an SAg payload, and the GCKS chooses to
evaluate it, and the GCKS detects that the group member cannot
support the security policy defined for the group, then the GCKS
SHOULD return a NO_PROPOSAL_CHOSEN. Other types of error
notifications can be INVALID_GROUP_ID, AUTHORIZATION_FAILED or
REGISTRATION_FAILED.
<mglt>
SENDER introduces some roles a GM can play, and I beleive we need to
explicitly mention if there is an error associated to that role or not.
</mgt>
Initiator (GM) Responder (GCKS)
-------------------- ------------------
<-- HDR, SK{IDr, [CERT,] AUTH, N}
Figure 5: GSA_AUTH Error Response
If the group member finds the policy sent by the GCKS is
unacceptable, the member SHOULD initiate GSA_REGISTRATION exchange
sending IDg and the Notify NO_PROPOSAL_CHOSEN (see Section 2.3.2)).
2.3.2. GSA_REGISTRATION Exchange
When a secure channel is already established between a GM and the
GCKS, the GM registration for a group can reuse the established
secure channel. In this scenario the GM will use the
GSA_REGISTRATION exchange. Payloads in the exchange are generated
and processed as defined in Section 2.3.1.
<mglt>
My impression is that GSA_REGISTRATION is not needed as it does not
provides additional functionalities than GSA_AUTH. I am wondering if that
exchange MUST be supported by implementations or if it could be optional -
especially for minimal implementations.
</mglt>
Initiator (GM) Responder (GCKS)
-------------------- ------------------
HDR, SK{IDg, [SAg,][N ]} -->
<-- HDR, SK{GSA,] [N,]}
Smyslov & Weis Expires 10 September 2023 [Page 11]
Internet-Draft G-IKEv2 March 2023
Figure 6: GSA_REGISTRATION Normal Exchange
As with GSA_AUTH exchange, the GCKS can reject the registration
request when the IDg is invalid or authorization fails, or GM cannot
support the security policy defined for the group (which can be
concluded by GCKS by evaluation of SAg payload). In this case the
GCKS returns an appropriate error notification as described in
Section 2.3.1.
Initiator (GM) Responder (GCKS)
-------------------- ------------------
HDR, SK{IDg, [SAg,] [N]} -->
<-- HDR, SK{N}
Figure 7: GSA_REGISTRATION Error Exchange
This exchange can also be used if the group member finds the policy
sent by the GCKS is unacceptable. The group member SHOULD notify the
GCKS by sending IDg and the Notify type NO_PROPOSAL_CHOSEN, as shown
below. The GCKS in this case MUST remove the GM from the group IDg.
Initiator (GM) Responder (GCKS)
-------------------- ------------------
HDR, SK{IDg, N} -->
<-- HDR, SK{}
Figure 8: GM Reporting Errors in GSA_REGISTRATION Exchange
2.3.3. GM Registration Operations
A GM requesting registration contacts the GCKS using the IKE_SA_INIT
exchange and receives the response from the GCKS. This exchange is
unchanged from the IKE_SA_INIT in IKEv2 protocol.
The IKE_SA_INIT
exchange may optionally be followed by one or more the
IKE_INTERMEDIATE exchanges if the GM and the GCKS negotiated using
IKEv2 extensions based on this exchange.
Smyslov & Weis Expires 10 September 2023 [Page 12]
Internet-Draft G-IKEv2 March 2023
Next the GM sends the GSA_AUTH request message with the IKEv2
payloads from IKE_AUTH (without the SAi2, TSi and TSr payloads) along
with the Group ID informing the GCKS of the group the initiator
wishes to join.
<mglt>
I think the latest sentence can be removed - in my opinion.
</mglt>
An initiator intending to emit data traffic SHOULD
send a SENDER Notify payload status. The SENDER notification not
only signifies that it is a sender, but provides the initiator the
ability to request Sender-ID values,
<mglt>
I think this is the first time the Sender-ID notion is introduced. I expect
this to be described in more details in section 2.5) but since the
explanation is quite deep involving counter mode... maybe that would be
clarifying to have an short sentence explaining these Sender-IDs.
</mglt>
in case the Data-Security SA
supports a counter mode cipher. Section 2.5) includes guidance on
requesting Sender-ID values.
A GM may be limited in the types of Transforms that it is able or
willing to use, and may find it useful to inform the GCKS which
Transforms it is willing to accept for different security protocols
by including the SAg payload into the request message. Proposals for
Rekey SA (with protocol GIKE_REKEY) and for Data-Security (AH
[RFC4302] and/or ESP [RFC4303]) SAs may be included into SAg. Each
Proposal contains a list of Transforms that the GM is able and
willing to support for that protocol. Valid transform types depend
on the protocol and are defined in Figure 16. Other transform types
SHOULD NOT be included. The SPI length of each Proposal in an SAg is
set to zero, and thus the SPI field is empty. The GCKS MUST ignore
SPI length and SPI fields in the SAg payload.
<mglt>
I think protocol coudl be expanded (AH, ESP, GIKE,) for clarity - but that
is very personnal.
SHOULD NOT seems to me related to transforms that are unrelated to the
protocol. If that is the case, I tend to think MUST is nmore appropriated,
followed by GCKS MUST ignore them.
</mglt>
Generally, a single Proposal of each type will suffice, because the
group member is not negotiating Transform sets, simply alerting the
GCKS to restrictions it may have. In particular, the restriction
from Section 3.3 of [RFC7296] that AEAD and non-AEAD transforms must
not be combined in a single proposal doesn't hold when the SAg
payload is being formed. However if the GM has restrictions on
combination of algorithms, this can be expressed by sending several
proposals.
Proposal Num field in Proposal substructure is treated specially in
SAg payload: it allows a GM to indicate that algorithms used in Rekey
SA and in Data-Security (AH and/or ESP) SAs are dependent. In
particular, Proposals of different types having the same value in
Proposal Num field are treated as a set, so that if GCKS uses
transforms from one of such Proposal for one protocol, then it MUST
only use transforms from one of the Proposals with the same value in
Proposal Num field for other protocols. For example, a GM may
support algorithms X and Y for both Rekey and Data-Security SAs, but
with a restriction that if X is used in Rekey SA, then only X can be
used in Data-Security SAs, and the same for Y. To indicate this the
GM sends several Proposals marking those of them that must be used in
conjunction by putting the same value in their Proposal Num field.
In the simplest case when no dependency between transforms exists,
all Proposals in SAg payload will have the same value in Proposal Num
field.
Smyslov & Weis Expires 10 September 2023 [Page 13]
Internet-Draft G-IKEv2 March 2023
Although the SAg payload is optional, it is RECOMMENDED for the GM to
include this payload into the GSA_AUTH request to allow the GCKS to
select an appropriate policy.
<mglt>
I remain to be convinced SAg provides any benefit. The only usage I see is
that it enables a GCKS to check that all nodes support a new algorithm when
that one will be introduced... but will that information prevent a roll
over ?...
Note that I am fine with the current text as it would enable me not to
implement such exchange. Maybe what I woudl like to understand is whether I
am missing something regarding th eneed of such exchange.
</mglt>
A GM may also indicate the support for IPcomp by inclusion one or
more the IPCOMP_SUPPORTED notifications along with the SAg payload.
The CPI in these notifications is set to zero and MUST be ignored by
the GCKS.
<mglt>
s/may/MAY/ ?
</mglt>
Upon receiving the GSA_AUTH response, the initiator parses the
response from the GCKS authenticating the exchange using the IKEv2
method, then processes the GSA and KD payloads.
The GSA payload contains the security policy and cryptographic
protocols used by the group. This policy describes the optional
Rekey SA (KEK), Data-security SAs (TEK), and optional Group
Associated policy (GAP). If the policy in the GSA payload is not
acceptable to the GM, it SHOULD notify the GCKS by initiating a
GSA_REGISTRATION exchange with a NO_PROPOSAL_CHOSEN Notify payload
(see Section 2.3.2). Note, that this should normally not happen if
the GM includes SAg payload in the GSA_AUTH request and the GCKS
takes it into account. Finally the KD payload is parsed providing
the keying material for the TEK and/or KEK. The GM interprets the KD
key packets, where each key packet includes the keying material for
SAs distributed in the GSA payload.
<mglt>
At that stage of reading the document, the text is bit hard to parse for me.
I do have an idea of what GSA is but KD remains quite obsure at that point.
Note that maybe I missed where in the document it was explained.
The trext mentions 1 KD payload for TEk KEK - so I interpret the KD as a
list of keys. Next sentence, it mentions "KD key packets" which suggests
that there are multiple KD payloads or that the text refers to keys being
provided outside the GS_AUTH exchange.
</mglt>
Keying material is matched by
<mglt>
I suspect that the key material here refers to the key material associated
toan esp packet. If I am completly lost, maybe I missed a track, if that is
the case, it might be said clearly as the discussion is for the IKE
exchange in this section.
</mglt>
comparing the SPIs in the key packets to SPIs previously included in
the GSA payloads. Once TEK keys and policy are matched, the GM
provides them to the data security subsystem, and it is ready to send
or receive packets matching the TEK policy.
The GSA KEK policy MUST include the attribute GSA_INITIAL_MESSAGE_ID
with a first Message ID the GM should expect to receive if it is non-
zero. The value of the attribute MUST be checked by a GM against any
previously received Message ID for this group. If it is less than
the previously received number, it should be considered stale and
ignored.
<mglt>
I have the impression "should" shoudl be replaced by "MUST be ignored"
</mglt>
This could happen if two GSA_AUTH exchanges happened in
parallel, and the Message ID changed. This attribute is used by the
GM to prevent GSA_REKEY message replay attacks. The first GSA_REKEY
message that the GM receives from the GCKS must have a Message ID
greater or equal to the Message ID received in the
GSA_INITIAL_MESSAGE_ID attribute.
Once a GM successfully registers to the group it MUST replace any
information related to this group (policy, keys) that it might have
as a result of a previous registration with a new one.
Smyslov & Weis Expires 10 September 2023 [Page 14]
Internet-Draft G-IKEv2 March 2023
Once a GM has received GIKE_REKEY policy during a registration the
IKE SA may be closed. However, the GM SHOULD NOT close IKE SA,
<mglt>
IKE_SA.
I have the impression the only reason to have the IKE_SA open is for rekey
purpose (GSA_REKEY) or not and I do not see this function being negotiated
or advertised.
I think we should assume GSA_REKEY is supported by all modes and if the
GSKS is willing to us ethe IKE channel it MUST mention it somewhere. I also
tend to think the GM should advertise GSA_INBAND_REKEY is supported by the
GM.
In other words, I thinkl it is important the GCKS is aware of what rekey
method is supported by the GM and it is important the GM does not have to
maintain alive its IKE_SA.
</mglt>
it is
the GCKS who makes the decision whether to close or keep it, because
depending on the policy the IKE SA may be used for inband rekeying
for small groups. If inband rekeying is used, then the initial IKE
SA is rekeyed (when necessary) via standard IKEv2 mechanism described
in Section 1.3.2 of [RFC7296]. If for some reason this SA is teared
down and no GIKE_REKEY policy was received during the registration
process, the GM MUST consider itself excluded from the group. To
continue participating in the group the GM should re-register.
<mglt>
In my mind, the GCKS could use concurent methods depending on the
capabilities of the GM - not the reverse.
</mglt>
2.3.4. GCKS Registration Operations
A G-IKEv2 GCKS passively listens for incoming requests from group
members. When the GCKS receives an IKE_SA_INIT request, it selects
an IKE proposal and generates a nonce and DH to include them in the
IKE_SA_INIT response.
Upon receiving the GSA_AUTH request, the GCKS authenticates the group
member using the same procedures as in the IKEv2 IKE_AUTH.
<mglt>
s/ using the same procedures as in the IKEv2 IKE_AUTH. /via the GSA_AUTH
exchange.
I think we shoudl stop refering to IKE_AUTH ;-)
</mglt>
The GCKS
then authorizes the group member according to group policy before
preparing to send the GSA_AUTH response. If the GCKS fails to
authorize the GM, it will respond with an AUTHORIZATION_FAILED notify
message. The GCKS may also respond with an INVALID_GROUP_ID notify
message if the requested group is unknown to the GCKS or with an
REGISTRATION_FAILED notify message if there is a problem with the
requested group (for example the capacity of the group is exceeded).
The GSA_AUTH response will include the group policy in the GSA
payload and keys in the KD payload. If the GCKS policy includes a
group rekey option, it MUST include the GSA_INITIAL_MESSAGE_ID
attribute, specifying the starting Message ID the GCKS will use when
sending the GSA_REKEY message to the group members if this Message ID
is non-zero. This Message ID is used to prevent GSA_REKEY message
replay attacks and will be increased each time a GSA_REKEY message is
sent to the group. The GCKS data traffic policy is included in the
GSA TEK and keys are included in the KD TEK. The GAP MAY also be
included to provide the ATD and/or DTD (Section 4.4.3.1) specifying
activation and deactivation delays for SAs generated from the TEKs.
If the group member has indicated that it is a sender of data traffic
and one or more Data Security SAs distributed in the GSA payload
included a counter mode of operation, the GCKS responds with one or
more Sender-ID values (see Section 2.5).
[RFC5374] defines two modes of operation for multicast Data-Securirt
<mglt>
Security
</mglt>
SAs: transport mode and tunnel mode with address preservation. In
the latter case outer source and destination addresses are taken from
the inner IP packet.
Smyslov & Weis Expires 10 September 2023 [Page 15]
Internet-Draft G-IKEv2 March 2023
If the GCKS receives a GSA_REGISTRATION exchange with a request to
register a GM to a group, the GCKS will need to authorize the GM with
the new group (IDg) and respond with the corresponding group policy
and keys. If the GCKS fails to authorize the GM, it will respond
with the AUTHORIZATION_FAILED notification. The GCKS may also
respond with an INVALID_GROUP_ID or REGISTRATION_FAILED notify
messages for the reasons described above.
If a group member includes an SAg in its GSA_AUTH or GSA_REGISTRATION
request, the GCKS may evaluate it according to an implementation
specific policy.
* The GCKS could evaluate the list of Transforms and compare it to
its current policy for the group. If the group member did not
include all of the ESP or AH Transforms that match the current
group policy, then the GCKS SHOULD return a NO_PROPOSAL_CHOSEN
Notification.
* The GCKS could store the list of Transforms, with the goal of
migrating the group policy to a different Transforms when all of
the group members indicate that they can support that Transforms.
* The GCKS could store the list of Transforms and adjust the current
group policy based on the capabilities of the devices as long as
they fall within the acceptable security policy of the GCKS.
Depending on its policy, the GCKS may have no need for the IKE SA
(e.g., it does not plan to initiate an GSA_INBAND_REKEY exchange).
If the GM does not initiate another registration exchange or Notify
(e.g., NO_PROPOSAL_CHOSEN), and also does not close the IKE SA and
the GCKS is not intended to use the SA, then after a short period of
time the GCKS SHOULD close the IKE SA.
<mglt>DISCUSSION
I remain not convinced SAg is useful - but will not fight for it ;-). This
is more for a disucssion.
I do have in mind that having the GM undergoing the GCKS is not
appropriated, and that it shoudl be the GCKS instead that adapts to the GMs.
</mglt>
2.4. Group Maintenance Channel
The GCKS is responsible for rekeying the secure group per the group
policy. Rekeying is an operation whereby the GCKS provides
replacement TEKs and KEK, deleting TEKs, and/or excluding group
members. The GCKS may initiate a rekey message if group membership
and/or policy has changed, or if the keys are about to expire. Two
forms of group maintenance channels are provided in G-IKEv2 to push
new policy to group members.
GSA_REKEY The GSA_REKEY is a pseudo-exchange, consisting of a one-
way IKEv2 message sent by the GCKS, where the rekey policy is
delivered to group members using IP multicast as a transport.
This method is valuable for large and dynamic groups, and where
policy may change frequently and a scalable rekeying method is
Smyslov & Weis Expires 10 September 2023 [Page 16]
Internet-Draft G-IKEv2 March 2023
required. When the GSA_REKEY is used, the IKE SA protecting
the member registration exchanges is usually terminated, and
group members await policy changes from the GCKS via the
GSA_REKEY messages.
GSA_INBAND_REKEY The GSA_INBAND_REKEY is a normal IKEv2 exchange
using the IKE SA that was setup to protecting the member
registration exchange. This exchange allows the GCKS to rekey
without using an independent GSA_REKEY pseudo-exchange. The
GSA_INBAND_REKEY exchange provides a reliable policy delivery
and is useful when G-IKEv2 is used with a small group of
cooperating devices.
Depending on its policy the GCKS MAY combine these two methods. For
example, it may use the GSA_INBAND_REKEY to deliver key to the GMs in
the group acting as senders (as this would provide reliable keys
delivery), and the GSA_REKEY for the rest GMs.
2.4.1. GSA_REKEY
The GCKS initiates the G-IKEv2 Rekey securely, usually using IP
multicast. Since this rekey does not require a response and it sends
to multiple GMs, G-IKEv2 rekeying MUST NOT use IKE SA windowing
mechanism, described in Section 2.3 of [RFC7296]. The GCKS rekey
message replaces the rekey GSA KEK or KEK array, and/or creates a new
Data-Security GSA TEK. The GM_SID attribute in the Key Download
payload (defined in Section 4.5.3.3) MUST NOT be part of the Rekey
Exchange as this is sender specific information and the Rekey
Exchange is group specific. The GCKS initiates the GSA_REKEY pseudo-
exchange as following:
GMs (Receivers) GCKS (Sender)
----------------- ---------------
<-- HDR, SK{GSA, KD, [N,] [D,] [AUTH]}
Figure 9: GSA_REKEY Pseudo-Exchange
HDR is defined in Section 4.1.
<mglt>
probably "discussed" is more appropriated than "defined".
</mglt>
The Message ID in this message will
start with the value the GCKS sent to the group members in the
attribute GSA_INITIAL_MESSAGE_ID or from zero if this attribute
wasn't sent. The Message ID will be incremented each time a new
GSA_REKEY message is sent to the group members.
The GSA payload contains the current policy for rekey and Data-
Security SAs. The GSA may contain a new Rekey SA and/or a new Data-
Security SAs Section 4.4.
Smyslov & Weis Expires 10 September 2023 [Page 17]
Internet-Draft G-IKEv2 March 2023
The KD payload contains the keys for the policy included in the GSA.
If the Data-Security SA is being refreshed in this rekey message, the
IPsec keys are updated in the KD, and/or if the rekey SA is being
refreshed in this rekey message, the rekey Key or the LKH KEK array
is updated in the KD payload.
A Delete payload MAY be included to instruct the GM to delete
existing SAs. See Section 4.6 for more detail.
The AUTH payload MUST be included to authenticate the GSA_REKEY
message if the authentication method is based on public key
signatures and MUST NOT be included if authentication is implicit.
<mglt>
It is unclear to me what "authentication is implicit" means. I suppose it
means "we assumes the origin is the KSCS" but we cannot real check that.
</mglt>
In the latter case, the fact that a GM can decrypt the GSA_REKEY
message and verify its ICV proves that the sender of this message
knows the current KEK, thus authenticating the sender as a member of
the group. Note, that implicit authentication doesn't provide source
origin authentication. For this reason using implicit authentication
for GSA_REKEY is NOT RECOMMENDED unless source origin authentication
is not required (for example, in a small group of highly trusted
GMs). The value of the Auth Method field in the AUTH payload in the
GSA_REKEY message MUST NOT be NULL Authentication.
<mglt> DISCUSSION
I am wondering if I am correct in saying that any GM can perform a
GSA_REKEYunless AUTH is provided. If so, I am wondering if one should even
consider that implicit authentication is permitted.
</mglt>
During group member registration, the GCKS sends the authentication
key in the KD payload, AUTH_KEY attribute, which the group member
uses to authenticate the key server. Before the current
Authentication Key expires, the GCKS will send a new AUTH_KEY to the
group members in a GSA_REKEY message. The AUTH key that is sent in
the rekey message may be not the same as the authentication key sent
during the GM registration. If implicit authentication is used, then
AUTH_KEY MUST NOT be sent to GMs.
2.4.1.1. GSA_REKEY Messages Authentication
The content of the AUTH payload depends on the authentication method
and is either a digital signature or a result of prf applied to the
content of the not yet encrypted GSA_REKEY message.
Smyslov & Weis Expires 10 September 2023 [Page 18]
Internet-Draft G-IKEv2 March 2023
The authentication algorithm (prf or digital signing) is applied to
the concatenation of two chunks: A and P. The chunk A lasts from the
first octet of the G-IKEv2 header (not including prepended four
octets of zeros, if port 4500 is used) to the last octet of the
Encrypted Payload header. The chunk P consists of the not yet
encrypted content of the Encrypted payload, excluding the
Initialization Vector, the Padding, the Pad Length and the Integrity
Checksum Data fields (see 3.14 of [RFC7296] for description of the
Encrypted payload). In other words, the P chunk is the inner
payloads of the Encrypted payload in plaintext form. Figure 10
illustrates the layout of the P and A chunks in the GSA_REKEY
message.
Before the AUTH payload calculation the inner payloads of Encrypted
payload must be fully formed and ready for encryption except for the
AUTH payload. The AUTH payload must have correct values in the
Payload Header, the Auth Method and the RESERVED fields. The
Authentication Data field is zeroed, but if Digital Signature
authentication method is in use, then the ASN.1 Length and the
AlgorithmIdentifier fields must be properly filled in, see [RFC7427].
For the purpose of the AUTH payload calculation the Length field in
the IKE header and the Payload Length field in the Encrypted Payload
header are adjusted so that they don't count the lengths of
Initialization Vector, Integrity Checksum Data and Padding (along
with Pad Length field). In other words, the Length field in the IKE
header (denoted as AdjustedLen in Figure 10 ) is set to the sum of
the lengths of A and P, and the Payload Length field in the Encrypted
Payload header (denoted as AdjustedPldLen in Figure 10) is set to the
length of P plus the size of the Payload header (four octets).
DataToAuthenticate = A | P
GsaRekeyMessage = GenIKEHDR | EncPayload
GenIKEHDR = [ four octets 0 if using port 4500 ] | AdjustedIKEHDR
AdjustedIKEHDR = SPIi | SPIr | . . . | AdjustedLen
EncPayload = AdjustedEncPldHdr | IV | InnerPlds | Pad | PadLen | ICV
AdjustedEncPldHdr = NextPld | C | RESERVED | AdjustedPldLen
A = AdjustedIKEHDR | AdjustedEncPldHdr
P = InnerPlds
Smyslov & Weis Expires 10 September 2023 [Page 19]
Internet-Draft G-IKEv2 March 2023
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ^ ^
| G-IKEv2 SA Initiator's SPI | | |
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ I |
| G-IKEv2 SA Responder's SPI | K |
| | E |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| Next Payload | MjVer | MnVer | Exchange Type | Flags | H A
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ d |
| Message ID | r |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
| AdjustedLen | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ x |
| Next Payload |C| RESERVED | AdjustedPldLen | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | v
| | |
~ Initialization Vector ~ E
| | n
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ c ^
| | r |
~ Inner payloads (not yet encrypted) ~ P
| | P |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ l v
~ Padding (0-255 octets) | Pad Length | d
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| | |
~ Integrity Checksum Data ~ |
| | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ v
Figure 10: Data to Authenticate in the GSA_REKEY Messages
The authentication data is calculated using the authentication
algorithm from the Authentication Method transform and the current
authentication key provided in the AUTH_KEY attribute. Depending on
the authentication method the authentication data is a digital
signature or a result of applying prf from the Pseudorandom Function
transform. The calculated authentication data is placed into the
AUTH payload, the Length fields in the IKE Header and the Encryption
Payload header are restored, the content of the Encrypted payload is
encrypted and the ICV is computed using the current KEK keys.
Smyslov & Weis Expires 10 September 2023 [Page 20]
Internet-Draft G-IKEv2 March 2023
2.4.1.2. IKE Fragmentation
IKE fragmentation [RFC7383] can be used to perform fragmentation of
large GSA_REKEY messages, however when the GSA_REKEY message is
emitted as an IP multicast packet there is a lack of response from
the GMs. This has the following implications.
* Policy regarding the use of IKE fragmentation is implicit. If a
GCKS detects that all GMs have negotiated support of IKE
fragmentation in IKE_SA_INIT, then it MAY use IKE fragmentation on
large GSA_REKEY messages.
* The GCKS must always use IKE fragmentation based on a known
fragmentation threshold (unspecified in this memo), as there is no
way to check if fragmentation is needed by first sending
unfragmented messages and waiting for response.
* PMTU probing cannot be performed due to lack of GSA_REKEY response
message.
The calculation of authentication data MUST be applied to whole
messages only, before possible IKE Fragmentation. If the message was
received in fragmented form, it should be reconstructed before
verifying its authenticity as if it were received unfragmented. The
RESERVED field in the reconstructed Encrypted Payload header MUST be
set to the value of the RESERVED field in the Encrypted Fragment
payload header from the first fragment (that with Fragment Number
equal to 1).
2.4.1.3. GSA_REKEY GCKS Operations
The GCKS builds the rekey message with a Message ID value that is one
greater than the value included in the previous rekey message. The
first message sent over a new Rekey SA must have the Message ID 0.
The GSA, KD, N and D payloads follow with the same characteristics as
in the GSA Registration exchange. The AUTH payload (if present) is
created as defined in Section 2.4.1.1.
Because GSA_REKEY messages are not acknowledged and could be
discarded by the network, one or more GMs may not receive the new
policy. To mitigate such lost messages, during a rekey event the
GCKS may transmit several GSA_REKEY messages with the new policy.
The retransmitted messages MUST be bitwise identical and SHOULD be
sent within a short time interval (a few seconds) to ensure that
time-to-live would not be substantially skewed for the GMs that would
receive different copies of the messages.
<mglt> CLARIFICATION
I suspect that bitwise identical concerns the clear text messag ethat is
once decrypted. I am wondering if a version number for the rekey would not
be easier to prevent unecessary replay operations.
I am also wondering if replaying a rekey message would not open the path to
IV/counters being replayed.
<mglt>
Smyslov & Weis Expires 10 September 2023 [Page 21]
Internet-Draft G-IKEv2 March 2023
GCKS may also include one or several GSA_NEXT_SPI attributes
specifying SPIs for the prospected rekeys, so that listening GMs are
able to detect lost rekey messages and recover from this situation.
See Sections Section 4.4.2.2.3 for more detail.
2.4.1.4. GSA_REKEY GM Operations
When a group member receives the Rekey Message from the GCKS it
decrypts the message using the current KEK, validates its
authenticity using the key retrieved in a previous G-IKEv2 exchange
if AUTH payload is present, verifies the Message ID, and processes
the GSA and KD payloads. The group member then downloads the new
Data-Security SA and/or new Rekey SA. The parsing of the payloads is
identical to the parsing done in the registration exchange.
Replay protection is achieved by a group member rejecting a GSA_REKEY
message which has a Message ID smaller than the current Message ID
that the GM is expecting. The GM expects the Message ID in the first
GSA_REKEY message it receives to be equal or greater than the Message
ID it receives in the GSA_INITIAL_MESSAGE_ID attribute. Note, that
if no this attribute was received for the Rekey SA, the GM MUST
<mglt>
I suspect a nit "if no this" shoudl probably means "if this"
</mglt>
assume zero as the first expected Message ID. The GM expects the
Message ID in subsequent GSA_REKEY messages to be greater than the
last valid GSA_REKEY message ID it received.
If the GSA payload includes a Data-Security SA using cipher in a
counter-modes of operation and the receiving group member is a sender
for that SA, the group member uses its current Sender-ID value with
the Data-Security SAs to create counter-mode nonces. If it is a
sender and does not hold a current Sender-ID value, it MUST NOT
install the Data-Security SAs. It MAY initiate a GSA_REGISTRATION
exchange to the GCKS in order to obtain an Sender-ID value (along
with the current group policy).
Once a new Rekey SA is installed as a result of GSA_REKEY message,
the current Rekey SA (over which the message was received) MUST be
silently deleted after waiting DEACTIVATION_TIME_DELAY interval
regardless of its expiration time.
<mglt>
I suspect DEACTIVATION_TIME_DELAY is a local policy. If that is correct, it
shoudl probably be indicated explicitly.
</mglt>
If the message includes Delete
payload for existing Data-security SA, then after installing a new
Data-Security SA the old one, identified by the Protocol and SPI
fields in the Delete payload, MUST be silently deleted after waiting
DEACTIVATION_TIME_DELAY interval regardless of its expiration time.
Smyslov & Weis Expires 10 September 2023 [Page 22]
Internet-Draft G-IKEv2 March 2023
If a Data-Security SA is not rekeyed yet and is about to expire (a
"soft lifetime" expiration is described in Section 4.4.2.1 of
[RFC4301]), the GM SHOULD initiate a registration to the GCKS. This
registration serves as a request for current SAs, and will result in
the download of replacement SAs, assuming the GCKS policy has created
them. A GM SHOULD also initiate a registration request if a Rekey SA
is about to expire and not yet replaced with a new one.
2.4.2. GSA_INBAND_REKEY Exchange
When the IKE SA protecting the member registration exchange is
maintained while group member participates in the group, the GCKS can
use the GSA_INBAND_REKEY exchange to individually provide policy
updates to the group member.
GM (Responder) GCKS (Initiator)
---------------- ------------------
<-- HDR, SK{GSA, KD, [N,] [D]}
HDR, SK{} -->
Figure 11: GSA_INBAND_REKEY Exchange
Because this is a normal IKEv2 exchange, the HDR is treated as
defined in [RFC7296].
2.4.2.1. GSA_INBAND_REKEY GCKS Operations
The GSA, KD, N and D payloads are built in the same manner as in a
registration exchange.
2.4.2.2. GSA_INBAND_REKEY GM Operations
The GM processes the GSA, KD, N and D payloads in the same manner as
if they were received in a registration exchange.
2.4.3. Deletion of SAs
There are occasions when the GCKS may want to signal to group members
to delete policy at the end of a broadcast, or if group policy has
changed. Deletion of SAs is accomplished by sending the G-IKEv2
Delete Payload [RFC7296], section 3.11 as part of the GSA_REKEY
pseudo-exchange as shown below.
GMs (Receivers) GCKS (Sender)
---------------- ---------------
<-- HDR, SK{[GSA,] [KD,] [N,] [D,] [AUTH]}
Smyslov & Weis Expires 10 September 2023 [Page 23]
Internet-Draft G-IKEv2 March 2023
Figure 12: SA Deletion in GSA_REKEY
If GCKS has a unicast SA with group member then it can use the
GSA_INBAND_REKEY exchange to delete SAs.
GM (Responder) GCKS (Initiator)
--------------- ------------------
<-- HDR, SK{[GSA,] [KD,] [N,] [D,]}
HDR, SK{} -->
Figure 13: SA Deletion in GSA_INBAND_REKEY
The GCKS MAY specify the remaining active time of the policy by using
the GAP_DTD attribute in the GSA GAP substructure.
If a GCKS has no
further SAs to send to group members, the GSA and KD payloads MUST be
omitted from the message.
There may be circumstances where the GCKS may want to start over with
a clean state, for example in case it runs out of available Sender-
IDs. The GCKS can signal deletion of all the Data-security SAs by
sending a Delete payload with an SPI value equal to zero. For
example, if the GCKS wishes to remove the Rekey SA and all the Data-
security SAs, the GCKS sends a Delete payload with an SPI of zero and
Protocol ID of AH or ESP, followed by another Delete payload with a
SPI of zero and Protocol ID of GIKE_REKEY.
If a group member receives a Delete payload with zero SPI and
protocol ID of GIKE_REKEY either via multicast Rekey SA or via
unicast SA using the GSA_INBAND_REKEY exchange, it means that the
group member is excluded from the group. The group member MUST re-
register if it wants to continue participating in this group. The
registration is performed as described in Section 2.3. Note, that if
the GSA_INBAND_REKEY exchange is used to exclude a group member from
the group, and thus the unicast SA between the group member and the
GCKS exists, then this SA persists after this exchange and the group
member may use the GSA_REGISTRATION exchange to re-register.
2.5. Counter-based modes of operation
Several counter-based modes of operation have been specified for ESP
(e.g., AES-CTR [RFC3686], AES-GCM [RFC4106], AES-CCM [RFC4309],
ChaCha20-Poly1305 [RFC7634], AES-GMAC [RFC4543]) and AH (e.g., AES-
GMAC [RFC4543]). These counter-based modes require that no two
senders in the group ever send a packet with the same Initialization
Vector (IV) using the same cipher key and mode. This requirement is
Smyslov & Weis Expires 10 September 2023 [Page 24]
Internet-Draft G-IKEv2 March 2023
met in G-IKEv2 when the following requirements are met:
* The GCKS distributes a unique key for each Data-Security SA.
* The GCKS uses the method described in [RFC6054], which assigns
each sender a portion of the IV space by provisioning each sender
with one or more unique Sender-ID values.
<mglt>CLARIFICATION
Please add rfc8750. I do not see any issue for now, but Sender-ID seems
problematic.
</mglt>
2.5.1. Allocation of Sender-ID
When at least one Data-Security SA included in the group policy
includes a counter-based mode of operation, the GCKS automatically
allocates and distributes one Sender-ID to each group member acting
in the role of sender on the Data-Security SA. The Sender-ID value
is used exclusively by the group sender to which it was allocated.
The group sender uses the same Sender-ID for each Data-Security SA
specifying the use of a counter-based mode of operation. A GCKS MUST
distribute unique keys for each Data-Security SA including a counter-
based mode of operation in order to maintain unique key and nonce
usage.
During registration, the group sender can choose to request one or
more Sender-ID values. Requesting a value of 1 is not necessary
since the GCKS will automatically allocate exactly one to the group
sender. A group sender MUST request as many Sender-ID values
matching the number of encryption modules in which it will be
installing the TEKs in the outbound direction. Alternatively, a
group sender MAY request more than one Sender-ID and use them
serially. This could be useful when it is anticipated that the group
sender will exhaust their range of Data- Security SA nonces using a
single Sender-ID too quickly (e.g., before the time-based policy in
the TEK expires).
<mglt>DISCUSSION
Not sur ethis applies, but if time based policiy is enforced, I think we
shoudl recommend byte-sent based policies as well.
</mglt>
When the group policy includes a counter-based mode of operation, a
GCKS SHOULD use the following method to allocate Sender-ID values,
which ensures that each Sender-ID will be allocated to just one group
sender.
1. A GCKS maintains an Sender-ID counter, which records the Sender-
IDs that have been allocated. Sender-IDs are allocated
sequentially, with zero as the first allocated value.
2. Each time an Sender-ID is allocated, the current value of the
counter is saved and allocated to the group sender. The Sender-
ID counter is then incremented in preparation for the next
allocation.
Smyslov & Weis Expires 10 September 2023 [Page 25]
Internet-Draft G-IKEv2 March 2023
3. When the GCKS specifies a counter-based mode of operation in the
Data-Security SA a group sender may request a count of Sender-IDs
during registration in a Notify payload information of type
SENDER. When the GCKS receives this request, it increments the
Sender-ID counter once for each requested Sender-ID, and
distributes each Sender-ID value to the group sender. The GCKS
SHOULD have a policy-defined upper bound for the number of
Sender-ID values that it will return irrespective of the number
requested by the GM.
4. A GCKS allocates new Sender-ID values for each registration
operation by a group sender, regardless of whether the group
sender had previously contacted the GCKS. In this way, the GCKS
is not required to maintaining a record of which Sender-ID values
it had previously allocated to each group sender. More
importantly, since the GCKS cannot reliably detect whether the
group sender had sent data on the current group Data-Security SAs
it does not know what Data-Security counter-mode nonce values
that a group sender has used. By distributing new Sender-ID
values, the key server ensures that each time a conforming group
sender installs a Data-Security SA it will use a unique set of
counter-based mode nonces.
5. When the Sender-ID counter maintained by the GCKS reaches its
final Sender-ID value, no more Sender-ID values can be
distributed. Before distributing any new Sender-ID values, the
GCKS MUST exclude all group members from the group as described
in Section 2.4.3. This will result in the group members
performing re-registration, during which they will receive new
Data-Security SAs and group senders will additionally receive new
Sender-ID values. The new Sender-ID values can safely be used
because they are only used with the new Data-Security SAs.
2.5.2. GM Usage of Sender-ID
A GM applies the Sender-ID to Data-Security SA as follows.
* The most significant bits NUMBER_OF_SID_BITS of the IV are taken
to be the Sender-ID field of the IV.
* The Sender-ID is placed in the least significant bits of the
Sender-ID field, where any unused most significant bits are set to
zero. If the Sender-ID value doesn't fit into the
NUMBER_OF_SID_BITS bits, then the GM MUST treat this as a fatal
error and re-register to the group.
<mglt>DISCUSSION
If I got it correctly, the IV is carrying the Sender-ID. Because of the
implicit IV, I am wondering if SPI or SN may be not used instead.
</mglt>
Smyslov & Weis Expires 10 September 2023 [Page 26]
Internet-Draft G-IKEv2 March 2023
2.6. Replay Protection for Multicast Data-Security SAs
IPsec provides replay protection as part of its security services.
With multicast extension for IPsec replay protection is not always
possible to achieve (see Section 6.1 of [RFC3740]). In particular,
if there are many group senders for a Data-Security SA, then each of
them will independently increment the Sequence Number field in the
ESP header (see Section 2 of [RFC4303]) thus making it impossible for
the group receivers to filter out replayed packets. However, if
there is only one group sender for a a Data-Security SA, then it is
<mglt>
"a a Data-Security" repeating the word "a".
</mglt>
possible to achieve replay protection with some restrictions (see
Section 4.4.2.1.3). The GCKS may create several Data-Security SAs
with the same traffic selectors allowing only a single group sender
in each SA if it is desirable to get replay protection with multiple
(but still limited number) of group senders.
IPsec architecture assumes that it is a local matter for an IPsec
receiver whether replay protection is active or not. In other words,
an IPsec sender always increments the Sequence Number field in the
ESP header and a receiver decides whether to check for replayed
packets or not. With multicast extension for IPsec this approach
generally isn't applicable, since group members don't know how many
group senders exist for a particular Data-Security SA. For this
reason the status or replay protection must be part of the policy
downloaded to GMs by GCKS.
For this purpose this specification re-uses the Extended Sequence
Numbers transform, defined in Section 3.3.2 [RFC7296]. This
specification renames this transform to "Replay Protection" and adds
a new value for possible Transform IDs: "Not Used" (<TBA by IANA>).
The GCKS MUST include this transform in the GSA payload for every
Data-Security SA. Note, that this specification prohibits using
Extended Sequence Numbers (see Section 4.4.2.1.3).
3. Group Key Management and Access Control
Through the G-IKEv2 rekey, G-IKEv2 supports algorithms such as
Logical Key Hierarchy (LKH) that have the property of denying access
to a new group key by a member removed from the group (forward access
control) and to an old group key by a member added to the group
(backward access control). An unrelated notion to PFS, "forward
access control" and "backward access control" have been called
"perfect forward security" and "perfect backward security" in the
literature [RFC2627].
Smyslov & Weis Expires 10 September 2023 [Page 27]
Internet-Draft G-IKEv2 March 2023
Group management algorithms providing forward and backward access
control other than LKH have been proposed in the literature,
including OFT [OFT] and Subset Difference [NNL]. These algorithms
could be used with G-IKEv2, but are not specified as a part of this
document.
The Group Key Management Method transform from the GSA policy
specifies how members of the group obtain group keys. This document
specifies a single method for the group key management -- Wrapped Key
Download. This method assumes that all group keys are sent to the
GMs by the GCKS encrypted with some other keys, called Key Wrap Keys
(KWK).
3.1. Key Wrap Keys
Every GM always knows at least one KWK -- the KWK that is associated
with the IKE SA or multicast Rekey SA the wrapped keys are sent over.
In this document it is called default KWK and is denoted as GSK_w.
The GCKS may also send other keys to GMs that will be used as Key
Wrap Keys for the purpose of building key hierarchy. Each KWK is
associated with an encryption algorithm from the Encryption Algorithm
transform used for the SA the key is sent over. The size of a KWK
MUST be of the size of the key for this Encryption Algorithm
transform (taking into consideration the Key Length attribute for
this transform if present). This association persists even if the
key is used later in the context of another SA with possibly
different Encryption Algorithm transform.
To have an ability to provide forward access control the GCKS
provides each GM with a personal key at the time of registration.
Besides, several intermediate keys that form a key hierarchy and are
shared among several GMs may be provided by the GCKS.
3.1.1. Default Key Wrap Key
The default KWK (GSK_w) is only used in the context of a single IKE
SA. Every IKE SA (unicast IKE SA or multicast Rekey SA) will have
its own GSK_w. The GSK_w is used with the algorithm from the
Encryption Algorithm transform for the SA the GSK_w is used in the
context of. The size of GSK_w MUST be of the key size of this
Encryption Algorithm transform (taking into consideration the Key
Length attribute for this transform if present).
For the unicast IKE SA (used for the GM registration and for the
GSA_INBAND_REKEY exchanges, if they are take place) the GSK_w is
computed as follows:
Smyslov & Weis Expires 10 September 2023 [Page 28]
Internet-Draft G-IKEv2 March 2023
GSK_w = prf+(SK_d, "Key Wrap for G-IKEv2")
where the string "Key Wrap for G-IKEv2" is 20 ASCII characters
without null termination.
For the multicast Rekey SA the GSK_w is provided along with other SA
keys as defined in Section 3.4.
<mglt>CLARIFCATION
I am wondering why do we have KWK for INBAND_REKEY ? The way I see it, is
that KWK is used to wrap TEK KEK to protect them. In INBAND_REKEY, these
keyu woudl already be protected by the IKE channel.
</mglt>
On Thu, Mar 9, 2023 at 8:44 AM Valery Smyslov <smyslov.ietf@gmail.com>
wrote:
> Hi,
>
> the new version of G-IKEv2 draft is published. It mostly addresses
> comments made by Michael.
> Still waiting for more reviews...
>
> Regards,
> Valery (for the authors).
>
> > -----Original Message-----
> > From: IPsec [mailto:ipsec-bounces@ietf.org] On Behalf Of
> internet-drafts@ietf.org
> > Sent: Thursday, March 09, 2023 4:37 PM
> > To: i-d-announce@ietf.org
> > Cc: ipsec@ietf.org
> > Subject: [IPsec] I-D Action: draft-ietf-ipsecme-g-ikev2-08.txt
> >
> >
> > A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> > This Internet-Draft is a work item of the IP Security Maintenance and
> Extensions WG of the IETF.
> >
> > Title : Group Key Management using IKEv2
> > Authors : Valery Smyslov
> > Brian Weis
> > Filename : draft-ietf-ipsecme-g-ikev2-08.txt
> > Pages : 70
> > Date : 2023-03-09
> >
> > Abstract:
> > This document presents an extension to the Internet Key Exchange
> > version 2 (IKEv2) protocol for the purpose of a group key management.
> > The protocol is in conformance with the Multicast Security (MSEC) key
> > management architecture, which contains two components: member
> > registration and group rekeying. Both components require a Group
> > Controller/Key Server to download IPsec group security associations
> > to authorized members of a group. The group members then exchange IP
> > multicast or other group traffic as IPsec packets. This document
> > obsoletes RFC 6407. This documents also updates RFC 7296 by renaming
> > one of transform types defined there.
> >
> >
> > The IETF datatracker status page for this Internet-Draft is:
> > https://datatracker.ietf.org/doc/draft-ietf-ipsecme-g-ikev2/
> >
> > There is also an htmlized version available at:
> > https://datatracker.ietf.org/doc/html/draft-ietf-ipsecme-g-ikev2-08
> >
> > A diff from the previous version is available at:
> > https://author-tools.ietf.org/iddiff?url2=draft-ietf-ipsecme-g-ikev2-08
> >
> >
> > Internet-Drafts are also available by rsync at rsync.ietf.org:
> :internet-drafts
> >
> >
> > _______________________________________________
> > IPsec mailing list
> > IPsec@ietf.org
> > https://www.ietf.org/mailman/listinfo/ipsec
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
>
--
Daniel Migault
Ericsson
- [IPsec] I-D Action: draft-ietf-ipsecme-g-ikev2-08… internet-drafts
- Re: [IPsec] I-D Action: draft-ietf-ipsecme-g-ikev… Valery Smyslov
- Re: [IPsec] I-D Action: draft-ietf-ipsecme-g-ikev… Daniel Migault
- Re: [IPsec] I-D Action: draft-ietf-ipsecme-g-ikev… Valery Smyslov
- Re: [IPsec] I-D Action: draft-ietf-ipsecme-g-ikev… Daniel Migault
- Re: [IPsec] I-D Action: draft-ietf-ipsecme-g-ikev… Valery Smyslov
- Re: [IPsec] I-D Action: draft-ietf-ipsecme-g-ikev… Daniel Migault