Re: [IPsec] I-D Action: draft-ietf-ipsecme-g-ikev2-08.txt
Daniel Migault <mglt.ietf@gmail.com> Fri, 14 April 2023 20:39 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B80FC14CE25 for <ipsec@ietfa.amsl.com>; Fri, 14 Apr 2023 13:39:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fTQqsmOgYhQK for <ipsec@ietfa.amsl.com>; Fri, 14 Apr 2023 13:39:33 -0700 (PDT)
Received: from mail-pg1-x530.google.com (mail-pg1-x530.google.com [IPv6:2607:f8b0:4864:20::530]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74170C15155B for <ipsec@ietf.org>; Fri, 14 Apr 2023 13:39:33 -0700 (PDT)
Received: by mail-pg1-x530.google.com with SMTP id 191so5603772pga.12 for <ipsec@ietf.org>; Fri, 14 Apr 2023 13:39:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1681504772; x=1684096772; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=l3cgGEYkUV1AvVD1kWboBH9dhKOVVz/ldKnWMEe1Kvo=; b=s1IP9mSsOz20ZSHWHiMChSoHU8HwMx0OsPaiJYCcgx5Sss3O/EQsDMRnMjmQkm9Cqu XKnlGVZvy6PniA9HcUrHKxTdZ2CKRK3SMqIv8tU1RFKTgRwHoCgR3tpwyYWLAWAyB7K+ 2Ynh4XuuTM3FSFgVyQYzBDLe7+KHkwvEKKC8aQzI+66OXruwm3TYXv5lt2fP04KdcLUV Vjeq8ZrRaJiTrx/kRZCIh8GPVdatRKXO/g5aRWSUNk6fhIuiuhhO08WnLqR5+RdUa452 HnFbBt8IS4pKJLS8hwD1WVyH2GBvlBV3HfALWdZqFg6EnTd1X7en9ACsXcHHmCSTEU2/ Rwdg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1681504772; x=1684096772; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=l3cgGEYkUV1AvVD1kWboBH9dhKOVVz/ldKnWMEe1Kvo=; b=Yjaxu3L7jh1Pz3IDaygEm/1FvuwfG8g6o2TRBH1XsHWhGQja4Si6NT5bTWsz8ZlCVe nuP+tjTtu6+hiHooEl9yI2SCRn4Sl7qXYiY8vJovgiRDdO1RKTxZSVGL2bzo37pDKeeJ FW11zVnd30wt8HuBhOkzBD3bqhNBH6FcrzW+ynXfW0Hu0svMhj5erUkxit9YaIuaGx+a Xbv3B/I9xAHXxhDRR7a8L9QTr6hHwqWNetj2gJZ8Dwb3YHH3kpfuQ7mjgvzqEn2NsmUD BlCGC5Xoyt1F/wBioOD3ols4X+8qWn+zxxbY6U/Vbx28WU58ueTnoVt3/K0WYO0F1WQF hDTg==
X-Gm-Message-State: AAQBX9d9RWw3C0t3+24u8uNjPkY46JP/YLBLwxXT9NG1nRYnuoeOvYeP JIn2jgVcA0dY+oWgshG2qIEjIEJnlZF2UNvS0eXDi5/ShPQ=
X-Google-Smtp-Source: AKy350ZOJWqvfi4ReL9jef+DkC9slz4yaNLFN3EYtqEPfyEDmL0AFcCiRQ8AQY1uBrNTKYHuTNZ29PZ2/8uoQyFyU2Y=
X-Received: by 2002:a63:155c:0:b0:51b:49ef:4721 with SMTP id 28-20020a63155c000000b0051b49ef4721mr1117807pgv.3.1681504772290; Fri, 14 Apr 2023 13:39:32 -0700 (PDT)
MIME-Version: 1.0
References: <167836900620.59072.16500629937016724049@ietfa.amsl.com> <194e01d9528d$48fe44f0$dafaced0$@gmail.com> <CADZyTkkXsSG5k7QSzswK3QkZbJ03n7GHj7ysWxm0uRhvrBapJA@mail.gmail.com> <02a001d96d58$a4e45f80$eead1e80$@gmail.com>
In-Reply-To: <02a001d96d58$a4e45f80$eead1e80$@gmail.com>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Fri, 14 Apr 2023 16:39:20 -0400
Message-ID: <CADZyTk=mB392UdmFn74ZbdxNvsFjeTDHFgMNbnzkTztqhDUWHg@mail.gmail.com>
To: Valery Smyslov <smyslov.ietf@gmail.com>
Cc: ipsec@ietf.org
Content-Type: multipart/alternative; boundary="000000000000a403bf05f951d6fd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/nBZqepyja_c707WZ3h0fYiYyBiI>
Subject: Re: [IPsec] I-D Action: draft-ietf-ipsecme-g-ikev2-08.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Apr 2023 20:39:37 -0000
Hi Valery, Thanks for the follow-up please find inline my response to your comment. Thank you for the clarifications and all my comments have been responded to. Yours, Daniel On Wed, Apr 12, 2023 at 12:05 PM Valery Smyslov <smyslov.ietf@gmail.com> wrote: > Hi Daniel, > > > > thank you for your review. Please see inline (some text is snipped for > readability). > > > > Hi, > > > > I have reviewed the document until section 3.2 (50% of the doc). The > document is on a good path. Most of my comments are editorial - and I am > not expecting any response, and feel free to ignore them. I do have other > comments labeled as DISCUSSION or CLARIFICATION that I think may need more > attention - at least I am interested by the response ;-). > > There are no major issues and my expectation is that the remaining > sections will have no specific issues at all but I need to go through them > and I think the document can be moved forward without these comments. > > > > Yours, > > Daniel > > > > > [snipped] > > > 1. Introduction and Overview > > A group key management protocol provides IPsec keys and policy to a > set of IPsec devices which are authorized to communicate using a > Group Security Association (GSA) defined in [RFC3740]. > <mglt> > This is a nit but I believe that saying striaght forward > """ > This document presents an extension to > IKEv2 [RFC7296] called G-IKEv2, that allows to perform a group key > management. > > """ > > may be clearer. > > </mglt> > > > > This is exactly what is written a few lines below in the same > para :-) > Absolutely, as far as I remember, what I meant is that mentioning this sentence in the beginning tells upfront what the draft is about. Starting with the notion of groups management is I think not the reason we have the draft. Again that was just a nit. The data > communications within the group (e.g., IP multicast packets) are > protected by a key pushed to the group members (GMs) by the Group > Controller/Key Server (GCKS). This document presents an extension to > IKEv2 [RFC7296] called G-IKEv2, that allows to perform a group key > management. > > G-IKEv2 conforms to the Multicast Group Security Architecture > [RFC3740], Multicast Extensions to the Security Architecture for the > Internet Protocol [RFC5374] and the Multicast Security (MSEC) Group > Key Management Architecture [RFC4046]. G-IKEv2 replaces GDOI > > > > Smyslov & Weis Expires 10 September 2023 [Page 3] > > Internet-Draft G-IKEv2 March 2023 > > > [RFC6407], which defines a similar group key management protocol > using IKEv1 [RFC2409] (since deprecated by IKEv2). When G-IKEv2 is > used, group key management use cases can benefit from the simplicity, > increased robustness and cryptographic improvements of IKEv2 (see > Appendix A of [RFC7296]. > > <mglt> > missing ")" > </mglt> > > > > Fixed, thank you. > > > A GM begins a "registration" exchange when it first joins the group. > <mglt> > I think I have a similar comment to my first comment. When I am reading th > esentence I never know if this is a generla sentence or if that is specific > to G-IKEv2. > This is a nit, but I think we should make it clear that we only focuses on > G-IKEv2. Maybe I am biaised as I am not familiar with other generic group > frameworks. > </mglt> > > > > Changed to: > > > > With G-IKEv2 a GM begins a "registration" exchange when it first > joins the group. > > The GCKS authenticates and authorizes GMs, then pushes > > policy and keys used by the group to the GM. > > > ok > With G-IKEv2, the GCKS authenticates and authorizes GMs, then pushes > policy and keys used by the group to the GM. G-IKEv2 includes two > "registration" exchanges. The first is the GSA_AUTH exchange ( > <mglt> > do we have an extra space after the "(" ? > </mglt> > > > > Yes, fixed. > > > Section 2.3.1), which is used when a GM first conatcts a GCKS. > <mglt> > s/conatcts/contacts/ > </mglt> > > > > Fixed. > > > The > second is the GSA_REGISTRATION exchange (Section 2.3.2), which a GM > can use within an established IKE SA. > <mglt> > I think that if we specify that GSA_REGISTRATION is withinan established > IKE_SA we also need to specify GSA_AUTH where the GS_AUTH occurs. > I also think it might be helpful to specify the IKE channel is between the > GM and the GCKS as opposed to anything shared by all GMs. > </mglt> > > > > Changed to: > > > > The first is the GSA_AUTH exchange > > (Section 2.3.1), which is used when a GM first contacts a GCKS and is > > creating an IKE SA between itself and the GCKS. The second is the > > GSA_REGISTRATION exchange (Section 2.3.2), which a GM can use within > > the already established IKE SA. > > > ok > Group rekeys are accomplished > using either the GSA_REKEY pseudo-exchange (a single message > distributed to all GMs, usually as a multicast message), or as a > GSA_INBAND_REKEY exchange delivered individually to group members > using existing IKE SAs). > <mglt> > Maybe s/group memebers/all group members/ > I also beleiev that it would be clearer to have s/existing SAs/their > individual IKE SA/ just to make it clear that each GM has a single > (individual) IKE SA shared with the GCKS. > </mglt> > > I disagree with the first proposal, since it is quite possible > to use both GSA_REKEY and GSA_INBAND_REKEY > > (e.g. to reliably deliver new keys to some GMs, e.g. senders, > and using multicast transport for the rest). > I see. ok. > > > I don’t mind second proposed change. > > > Large and small groups may use different sets of these protocols. > When a large group of devices are communicating, the GCKS is likely > to use the GSA_REKEY message for efficiency. This is shown in > Figure 1. (Note: For clarity, IKE_SA_INIT is omitted from the > figure.) > > +--------+ > +------------->| GCKS |<-------------+ > | +--------+ | > | | ^ | > | | | | > | | GSA_AUTH | > | | or | > | | GSA_REGISTRATION | > | | | | > GSA_AUTH | | GSA_AUTH > or GSA_REKEY | or > GSA_REGISTRATION | | GSA_REGISTRATION > | | | | > | +------------+-----------------+ | > | | | | | | > v v v v v v > +-------+ +--------+ +-------+ > | GM | ... | GM | ... | GM | > +-------+ +--------+ +-------+ > ^ ^ ^ > | | | > +-------ESP-------+-------ESP------+ > > Figure 1: G-IKEv2 used in large groups > > <mglt> > It might be helpful to indicate (inidvidual) IKE channel while the ESP SA > is shared between all GMs. > > > > I think that individual IKE SAs are already shown (GSA_AUTH or > GSA_REGISTRATION). Am I missing your point? > > Or do you want to change them to “IKE SA”? > > > I do not remember what I had exactly in mind, but I think it might be to indicate just IKE versus ESP to make it clear GSA messages are IKE messages. > While ESP is reasonable, we may also indicate if AH is excluded or if the > IPsec communication can include ESP/AH. > </mglt> > > > > Changed to ESP/AH. > > > > > Smyslov & Weis Expires 10 September 2023 [Page 4] > > Internet-Draft G-IKEv2 March 2023 > > > Alternatively, a small group may simply use the GSA_AUTH as a > registration protocol, where the GCKS issues rekeys using the > GSA_INBAND_REKEY within the same IKE SA. The GCKS is also likely to > be a GM in a small group (as shown in Figure 2.) > > <mglt> > """ The GCKS is also likely to > be a GM in a small group (as shown in Figure 2.)""" > is a bit confusing. > I do not see why such p[roperty is restricted to small group nor what kind > of advanatge thjis provides as my understanding is that Groups > communication is only related to the ESP communication nor the IKE > communication. > On the other hand, Figure 1 and Figure 2 mostly highlight multicast IKE > message versus individual IKE message. > We probably need to specify if the GCKS is a GM is orthogonal to > multicast/indiviudal IKE message or not and if that only applies to the > small group why. > </mglt> > > > > This is a good point. I see no reason why GCKS cannot also be a > GM in a large group (with multicast rekey operations). > > So I moved this note to a para right after the figure. > > > [snip] > > > 1.2. Terminology > > It is assumed that readers are familiar with the IPsec architecture > [RFC4301], its extension for multicast [RFC5374]. This document > defines an extension to the IKEv2 protocol [RFC7296], so it is > assumed that readers have good understanding of this protocol. > > > > Smyslov & Weis Expires 10 September 2023 [Page 5] > > Internet-Draft G-IKEv2 March 2023 > > > The following key terms are used throughout this document (mostly > borrowed from [RFC5374] and [RFC6407]). > > Group A set of devices that work together to protect group > communications. > > Group Member (GM) An IPsec device that belongs to a group. A Group > Member is authorized to be a Group Sender and/or a Group Receiver. > > Group Receiver A Group Member that is authorized to receive packets > sent to a group by a Group Sender. > > Group Sender A Group Member that is authorized to send packets to a > group. > > Group Key Management (GKM) Protocol A key management protocol used > by a GCKS to distribute IPsec Security Association policy and > keying material. A GKM protocol is used when a group of IPsec > devices require the same SAs. For example, when an IPsec SA > describes an IP multicast destination, the sender and all > receivers need to have the group SA. > > Group Controller Key Server (GCKS) A Group Key Management (GKM) > protocol server that manages IPsec state for a group. A GCKS > authenticates and provides the IPsec SA policy and keying material > to GKM Group Members. > > Data-Security SA The security policy distributed by a GDOI GCKS > describing traffic that is expected to be protected by group > members. This document described the distribution of IPsec AH and > ESP Data-Security SAs. > > <mglt> > isn't Data-Security SA a kind of GSPD ? > </mglt> > > It is more like ESP/AH SA for multicast. > > The definition is borrowed from RFC 6407. > > I personally find it a bit weird, but that’s what we have :-) > > To add more confusion, RFC 3740 contains a different definition > of this term: > I see ;-) > > > - Data Security SA (DATA): A multicast SA between each multicast > > source speaker and the group's receivers. There may be as many > > data SAs as there are multicast sources allowed by the group's > > policy. > > > > which I like more. Should we use this instead? > > Then the definition of Rekey SA must also be changed. > > > I find it may be confusing to have policies in the definition of an SA, so the second seems clearer to me, but I am not pushing too much. Pick whatever you believe is better. > Rekey SA The security policy protecting Group Key Management > Protocol. > > Group Security Association (GSA) A collection of Data-Security > Associations (SAs) and Rekey SAs necessary for a Group Member to > receive key updates. A GSA describes the working policy for a > group. Refer to [RFC4046] for additional information. > > Traffic Encryption Key (TEK) The symmetric cipher key used in a > Data-Security SA (e.g., IPsec ESP) to protect trafic. > <mglt> > isn't it simply the GSA key ? > </mglt> > > > > No, GSA is a collection of Data-Security SAs and Rekey SA, so > there is no a single key. > > TEK is a key for a single Data-Security SA. > > > I see. I think I did not realize the GSA contains multiple SAs, so having this explicitly even in the TEK definition makes sense - at least to me. > > Key Encryption Key (KEK) The symmetric cipher key used in a Rekey SA > to protect distribution of new keys. > > <mglt> > isn't it simply the GIKE_SA or Rekey_SA key ? > I am not suggesting to change the terminology - especially at that point - > but I have the impression that some very generic terms could gain in > clarity by having a more narrow IPsec/IKEv2 context. I also know it is very > hard to find the right terminology and everyon ehas its own view - so just > take it as a comment. > </mglt> > > > > Yes, KEK is a Rekey SA key. > > > > The terminology for GDOI is a real mess with different existing > RFCs defining the same terms differently. > > I tried to borrow less controversial definitions, but in some > cases I seemed to fail. > > > you did pretty well ;-) > > Key Wrap Key (KWK) The symmetric cipher key used to protect another > key. > > > > Smyslov & Weis Expires 10 September 2023 [Page 6] > > Internet-Draft G-IKEv2 March 2023 > > > Group Associated Policy (GAP) Group-wide policy not related to a > particular SA. > > Sender-ID A unigue identifier of a Group Sender in the context of an > active GSA, used to form Initialization Vector (IV) in counter- > based cipher modes. > > Logical Key Hierarchy (LKH) A group management method defined in > Section 5.4 of [RFC2627]. > > 2. G-IKEv2 Protocol > > 2.1. G-IKEv2 Integration into IKEv2 Protocol > > G-IKEv2 is an extension to IKEv2 and uses its security mechanisms > (peer authentication, confidentiality, message integrity) to ensure > that only authenticated devices have access to the group policy and > keys. G-IKEv2 further provides group authorization, and secure > policy and key download from the GCKS to GMs. > > <mglt> > Reading the last sentence, I am interpretingh it as a consequence of > provindin a GSA. If that is the case, I see this a a much simpler way to > describve what it does. group authorization might be perceived as something > like OAUTH, policies as something more complex. Typically ACE has defined > some quite complex messaging for managing group communications, so stiking > to IPsec might limit such confusion. > </mglt> > > > > Authorization here is an access control for GM entering the > group. How about: > > > > G-IKEv2 is an extension to IKEv2 and uses its security mechanisms > (peer authentication, > > confidentiality, message integrity) to ensure that only > authenticated and authorized > > devices have access to the group policy and keys. > > G-IKEv2 provides secure policy and keys download from the GCKS to > GMs. > > > > Or can you provide a better text? > I think that what I would propose could be: G-IKEv2 is an extension to IKEv2 that provides group authorization, secure policy and key download from the GCKS to GMs. > > > G-IKEv2 is compatible with most IKEv2 extensions defined so far and > it is believed that future IKEv2 extensions will also be possible to > use with G-IKEv2. However some IKEv2 extensions require special > handling if used with G-IKEv2. See Section 6 for more details. > > It is assumed that readers are familiar with the IKEv2 protocol, so > this document skips many details that are described in [RFC7296]. > > 2.1.1. G-IKEv2 Transport and Port > > As IKEv2 extension G-IKEv2 SHOULD use the IKEv2 ports (500, 4500). > G-IKEv2 MAY also use TCP transport for registration (unicast) IKE SA, > as defined in [RFC9329]. G-IKEv2 MAY also use UDP port 848, the same > as GDOI [RFC6407], because they serve a similar function. The > version number in the IKE header distinguishes the G-IKEv2 protocol > from GDOI protocol [RFC6407]. > > Section 2.23 of [RFC7296] describes how IKEv2 deals with NATs. > Despite the fact, that with G-IKEv2 the registration SA doesn't > create any unicast IPsec SAs and thus there is no unicast ESP traffic > between the GM and the GCKS to encapsulate in UDP if NAT is present, > the actions described in this section concerned with the IKE SA MUST > be honored. > <mglt> > Actually the only question I am wondering if whether ther is a child SA or > not. > </mglt> > > > > Data-Security SAs are Child SAs. > > > that was not clear to me when I made the comment. As mentioned earlier, I believe that I missed that GSA contains multiple SA"s". > > [snip] > > > 2.3. G-IKEv2 Member Registration and Secure Channel Establishment > > The registration protocol consists of a minimum of two exchanges, > IKE_SA_INIT and GSA_AUTH; member registration may have a few more > messages exchanged if the EAP method, cookie challenge (for DoS > protection), negotiation of Diffie-Hellman group or IKEv2 extensions > based on [RFC9242] are used. Each exchange consists of request/ > response pairs. > <mglt> > consist of "a" ? -- knowing that english is not my native language... so > just mentioning it in case this makes sense. > </mglt> > > > > It neither is mine, so I leave this to more knowledgeable people > (I suspect this text was written by Brian or some of previous authors). > > > > The first exchange IKE_SA_INIT is defined in IKEv2 > [RFC7296]. This exchange negotiates cryptographic algorithms, > exchanges nonces and computes a shared key between the GM and the > GCKS. > > The second exchange GSA_AUTH authenticates the previously exchanged > messages, exchanges identities and certificates. The GSA_AUTH > messages are encrypted and integrity protected with keys established > through the previous exchanges, > <mglt> > Should we say like the regular IKE_AUTH ? > </mglt> > > > > OK, will clarify. > > > > > so the identities are hidden from > eavesdroppers and all fields in all the messages are authenticated. > The GCKS SHOULD authorize group members to be allowed into the group > as part of the GSA_AUTH exchange. > <mglt> > The "SHOULD" sounds strange to me as I have the impression that completing > the exchange implicilt provides the authorization. > </mglt> > > > > Hm, as far as I understand, the intended meaning is that the > GCKS must authorize the GM unless > > the group is completely public (no restriction on membership). > Can you propose a better text if this is not clear? > > > I would have proposed: The GCKS authorizes group members to be allowed into the group as part of the GSA_AUTH exchange. > > Once the GCKS accepts a group > member > <mglt> > s/group member/GM > </mglt> > > > > OK. > > > to join a group it will download the data security keys (TEKs) > and/or group key encrypting key (KEK) as part of the GSA_AUTH > response message. > <mglt> > I am finding "download" confusing here as I see teh GS_AUTH response > providing the TEK and KEK. > </mglt> > > That is correct. s/download/provide ? > I prefer - but please just change it if you find it useful otherwise, just leave it as it is. > > > Smyslov & Weis Expires 10 September 2023 [Page 9] > > Internet-Draft G-IKEv2 March 2023 > > > 2.3.1. GSA_AUTH exchange > > After the group member and GCKS negotiate cryptographic algorithms, > exchange nonces, and compute shared keys as defined in IKEv2 > [RFC7296], the GSA_AUTH exchange MUST complete before any other > exchanges defined in this document can be done. GSA_AUTH is used to > authenticate the previous exchanges, exchange identities and > certificates. G-IKEv2 also uses this exchange for group member > registration and authorization. > > The GSA_AUTH exchange is identical to the IKE_AUTH exchange with the > difference that its goal is to establish multicast Data-Security SAs > and optionally provide GM with the keys for Rekey SA. The set of > payloads in the GSA_AUTH exchange is slightly different, because > policy is not negotiated between the group member and the GCKS, but > instead downloaded from the GCKS to the group member. > <mglt> > I think we shoudl avoid identicial as there are some difference. Perhaps > something around: > he GSA_AUTH exchange is a specific exchange with a given exchange type > whose purpose is very similar to IKE_AUTH. > > > > May I propose simply: > > > > The GSA_AUTH exchange is similar to the IKE_AUTH exchange with the > > difference that its goal is to establish multicast Data-Security > SAs > > and optionally provide GM with the keys for Rekey SA. > > > There are in my opinion 2 goals, including authenticating the GM which > seems to be missing in the text. > > > > In my reading this goal is hidden inside “similar to the > IKE_AUTH”. > > > sounds good to me. > > I am reading downloaded as defined or dictated by the GCKS. I think that > is good to mention the GIKE_SA is not "agreed". > > > > What is your proposal here? > > > I see more "download" as "provided". > </mglt> > > > > > > > Note also, > that GSA_AUTH has its own exchange type, which is different from the > IKE_AUTH exchange type. > <mglt> > The text above seems to have been introduces since we mentions GSA_AUTH > and IKE_AUTH are "identiical" but not. It opposes what is before and what > follows, so I we should probably remove that paragraph. > </mglt> > > > > If you believe this is obvious, I’ll remove this text. > > > I think we should keep it now that we stated the exchanges are not identical. Let's wait if someone complains. > > Nevertheless, the security properties of the GSA_AUTH exchange are > the same as the properties of the IKE_AUTH exchange and most IKEv2 > extensions to the IKE_AUTH exchange (like [RFC6467]) can also be used > with the GSA_AUTH exchange. > <mglt> > The text above is in my opinion a "simple note". It think it is valuable > but the begining shoudl in my opinion being smoothed or even omitted. > > Note that due to the similarities between IKE_AUTH and GSA_AUTH, most IKEv2 > extensions to the IKE_AUTH exchange (like [RFC6467]) can also be used > with the GSA_AUTH exchange. > </mglt> > > > > OK. > > > > Initiator (GM) Responder (GCKS) > -------------------- ------------------ > HDR, SK{IDi, [CERT,] [CERTREQ,] [IDr,] > AUTH, IDg, [SAg,] [N]} --> > > Figure 3: GSA_AUTH Request > > > A group member initiates a GSA_AUTH request to join a group indicated > <mglt> > Note that all nits and synthax comments I am providing are very much > subject to be ignored, and I just provide them as a personnal suggestion > which could be very wrong - especially as I am not so fluent in english. > > I am wondering if "designated" is not more appropriated than "indicated" > </mglt> > > > > Will leave this to native speakers. > > > by the IDg payload. The GM MAY include an SAg payload declaring > which Transforms it is willing to accept. > <mglt> > I tend to think that MAY means that SAg is useless ;-) Thinking of it, I > do not see any negotiation possible here, so I am wondering if we shoudl > not simply omit SAg. > </mglt> > > > > No, it is not useless. It’s true that there is no negotiation, > but SAg allows a GM to inform GCKS about its capabilities. > > See Section 2.3.3. Actually, this should be “may” instead of > “MAY” here, since later (2.3.3) including an SAg payload is “RECOMMENDED”. > > > Much better works to me. > > A GM that intends to act > as Group Sender SHOULD include a Notify payload status type of > SENDER, which enables the GCKS to provide any additional policy > necessary by group senders. > > <mglt> > SENDER shoudl be added to Fig3. > </mglt> > > Done. > > > > Initiator (GM) Responder (GCKS) > -------------------- ------------------ > <-- HDR, SK{IDr, [CERT,] > AUTH, [GSA, KD,] [N,]} > > Figure 4: GSA_AUTH Normal Response > > <mglt> > optional payload. I have the impression I would have written "[CERT]," > instead of "[CERT,]". The latest looks strange to me but I might be > completly wrong. > </mglt> > > > > There are different styles :-) RFC 7296 uses the latter (See > Appendix C), so we use the same for G-IKEv2. > > > ok I never paid attention to that; -) > > > Smyslov & Weis Expires 10 September 2023 [Page 10] > > Internet-Draft G-IKEv2 March 2023 > > > The GCKS responds with IDr, optional CERT, and AUTH payloads as if it > were an IKE_AUTH. > <mglt> > I think that "as if it were an IKE_AUTH" means "with the same meaning as > in IKE_AUTH". > </mglt> > > > > OK, use this wording. > > > > It also informs the group member of the > cryptographic policies of the group in the GSA payload and the key > material in the KD payload. > <mglt> > My understanding so far is that responses are different when the SENDER > notification is provided, but I do not see these differences. I think that > figure 4 should be split into a response to a request with an (accepted) > SENDER and one without or an ignored SENDER. > </mglt> > > > > No, they are not different (at least at this level of > presentation). > > GCKS provides senders with additional information, such as > Sender-ID > > and may treat them differently while re-keying (e.g use > GSA_INBAND_REKEY > > for reliability). Otherwise there is no difference. > > > ok > > In addition to the IKEv2 error handling, the GCKS can reject the > registration request when the IDg is invalid or authorization fails, > etc. In these cases, see Section 4.7, the GSA_AUTH response will not > include the GSA and KD, but will include a Notify payload indicating > errors. If a GM included an SAg payload, and the GCKS chooses to > evaluate it, and the GCKS detects that the group member cannot > support the security policy defined for the group, then the GCKS > SHOULD return a NO_PROPOSAL_CHOSEN. Other types of error > notifications can be INVALID_GROUP_ID, AUTHORIZATION_FAILED or > REGISTRATION_FAILED. > > <mglt> > SENDER introduces some roles a GM can play, and I beleive we need to > explicitly mention if there is an error associated to that role or not. > </mgt> > > > > I don’t think there is any specific errors for senders. Am I > missing your point? > I think I was thinking a GM may only be allowed to listen and not to send, in which case, the GCSK may notify this to the GM. > > > Initiator (GM) Responder (GCKS) > -------------------- ------------------ > <-- HDR, SK{IDr, [CERT,] AUTH, N} > > Figure 5: GSA_AUTH Error Response > > > If the group member finds the policy sent by the GCKS is > unacceptable, the member SHOULD initiate GSA_REGISTRATION exchange > sending IDg and the Notify NO_PROPOSAL_CHOSEN (see Section 2.3.2)). > > 2.3.2. GSA_REGISTRATION Exchange > > When a secure channel is already established between a GM and the > GCKS, the GM registration for a group can reuse the established > secure channel. In this scenario the GM will use the > GSA_REGISTRATION exchange. Payloads in the exchange are generated > and processed as defined in Section 2.3.1. > > <mglt> > My impression is that GSA_REGISTRATION is not needed as it does not > provides additional functionalities than GSA_AUTH. I am wondering if that > exchange MUST be supported by implementations or if it could be optional - > especially for minimal implementations. > </mglt> > > > > GSA_REGISTRATION may be used if the GM wishes to join several > groups hosted by a single GCKS. > > It is also used to re-register GM to the group in case of > missing GSA_REKEY message (provided IKE SA is up) and to perform some > housekeeping > > (e.g to allow GM to explicitly unregister itself from the > group). I don’t think it is optional to support. > > > [snip] > Actually I was thinking that one method could be mandatory, while the other remains optional to ease implementation. The current specification mandates the two methods. I was basically suggesting that IoT devices may only implement the one that does not require to maintain an IKE_SA over time. > > > Next the GM sends the GSA_AUTH request message with the IKEv2 > payloads from IKE_AUTH (without the SAi2, TSi and TSr payloads) along > with the Group ID informing the GCKS of the group the initiator > wishes to join. > <mglt> > I think the latest sentence can be removed - in my opinion. > </mglt> > > > > Hmm. Unless there is any harm from it, I’d rather to keep it. > > > sure. > An initiator intending to emit data traffic SHOULD > send a SENDER Notify payload status. The SENDER notification not > only signifies that it is a sender, but provides the initiator the > ability to request Sender-ID values, > <mglt> > I think this is the first time the Sender-ID notion is introduced. I > expect this to be described in more details in section 2.5) but since the > explanation is quite deep involving counter mode... maybe that would be > clarifying to have an short sentence explaining these Sender-IDs. > </mglt> > > > > The Sender-ID is introduced in Section 1.2. > > > I probably forgot then ;-) > in case the Data-Security SA > supports a counter mode cipher. Section 2.5) includes guidance on > requesting Sender-ID values. > > A GM may be limited in the types of Transforms that it is able or > willing to use, and may find it useful to inform the GCKS which > Transforms it is willing to accept for different security protocols > by including the SAg payload into the request message. Proposals for > Rekey SA (with protocol GIKE_REKEY) and for Data-Security (AH > [RFC4302] and/or ESP [RFC4303]) SAs may be included into SAg. Each > Proposal contains a list of Transforms that the GM is able and > willing to support for that protocol. Valid transform types depend > on the protocol and are defined in Figure 16. Other transform types > SHOULD NOT be included. The SPI length of each Proposal in an SAg is > set to zero, and thus the SPI field is empty. The GCKS MUST ignore > SPI length and SPI fields in the SAg payload. > > <mglt> > I think protocol coudl be expanded (AH, ESP, GIKE,) for clarity - but that > is very personnal. > > > > Expanded. > > > SHOULD NOT seems to me related to transforms that are unrelated to the > protocol. If that is the case, I tend to think MUST is nmore > appropriated, followed by GCKS MUST ignore them. > </mglt> > > > > The GCKS may ignore any information from the SAg payload. SHOULD > NOT here just saves some space, > > but allows implementations to simplify their code base (e.g. use > the same code as for forming SA payload). > > So I think SHOULD NOT is the right keyword here. > > > [snip] > ok > > Although the SAg payload is optional, it is RECOMMENDED for the GM to > include this payload into the GSA_AUTH request to allow the GCKS to > select an appropriate policy. > <mglt> > I remain to be convinced SAg provides any benefit. The only usage I see is > that it enables a GCKS to check that all nodes support a new algorithm when > that one will be introduced... but will that information prevent a roll > over ?... > > Note that I am fine with the current text as it would enable me not to > implement such exchange. Maybe what I woudl like to understand is whether I > am missing something regarding th eneed of such exchange. > </mglt> > > > > Consider the following use case. Suppose that most of group > members support algorithms A and B, but some support only B. > > When the group is formed the GCKS selects A as the algorithm for > this group (for any reason). If GCKS > > keeps a list of current group members, then it will check if any > new encounter supports A (via the SAg payload). > > In case those few that supports only B try to join the group, > the GCKS may let them in and initiate an immediate > > rekey of the group SA switching algorithm from A to B. This is > very important scenario for algorithm rollover, > > which is impossible without SAg payload. > > > The scenario I had in mind is GM not being updated so the GCKS remain forced to use the oldest transform as opposed to have a policy only connect if you are up-to date. So the reason I raise that comment is that by allowing the nodes to express what they support we force the GCKS to takes the weakest algo as opposed to being updated by itself -- following recommendations. Now, that is also not correct since if one knows there might be some nodes not upgraded - it will only allow the weakest algo independently if other nodes support a new algo. In a word, I am convinced ;-) > > A GM may also indicate the support for IPcomp by inclusion one or > more the IPCOMP_SUPPORTED notifications along with the SAg payload. > The CPI in these notifications is set to zero and MUST be ignored by > the GCKS. > > <mglt> > s/may/MAY/ ? > </mglt> > > > > Perhaps (“MAY” is an uneasy keyword). Changed to MAY. > > > Upon receiving the GSA_AUTH response, the initiator parses the > response from the GCKS authenticating the exchange using the IKEv2 > method, then processes the GSA and KD payloads. > > The GSA payload contains the security policy and cryptographic > protocols used by the group. This policy describes the optional > Rekey SA (KEK), Data-security SAs (TEK), and optional Group > Associated policy (GAP). If the policy in the GSA payload is not > acceptable to the GM, it SHOULD notify the GCKS by initiating a > GSA_REGISTRATION exchange with a NO_PROPOSAL_CHOSEN Notify payload > (see Section 2.3.2). Note, that this should normally not happen if > the GM includes SAg payload in the GSA_AUTH request and the GCKS > takes it into account. Finally the KD payload is parsed providing > the keying material for the TEK and/or KEK. The GM interprets the KD > key packets, where each key packet includes the keying material for > SAs distributed in the GSA payload. > <mglt> > At that stage of reading the document, the text is bit hard to parse for > me. > > > This is an unfortunate result of many edit iterations :-) > > > I do have an idea of what GSA is but KD remains quite obsure at that > point. Note that maybe I missed where in the document it was explained. > > The trext mentions 1 KD payload for TEk KEK - so I interpret the KD as a > list of keys. Next sentence, it mentions "KD key packets" which suggests > that there are multiple KD payloads or that the text refers to keys being > provided outside the GS_AUTH exchange. > > No, there is a single KD payload which contains list of key > packets. > > So, “key packet” is not an IKEv2 payload, it is a substructure > inside the KD payload. > > See section 4.5. > > > > Changed this sentence to: > > > > The KD payload contains a list of key packets, where each key > packet includes the > > keying material for SAs distributed in the GSA payload. > > > much clearer to me. > </mglt> > > > > > Keying material is matched by > <mglt> > I suspect that the key material here refers to the key material associated > toan esp packet. If I am completly lost, maybe I missed a track, if that > is the case, it might be said clearly as the discussion is for the IKE > exchange in this section. > </mglt> > > > > Key material is for each multicast SA specified in the GSA > payload, which can be ESP, AH or GIKE_REKEY. > ok > > comparing the SPIs in the key packets to SPIs previously included in > the GSA payloads. Once TEK keys and policy are matched, the GM > provides them to the data security subsystem, and it is ready to send > or receive packets matching the TEK policy. > > The GSA KEK policy MUST include the attribute GSA_INITIAL_MESSAGE_ID > with a first Message ID the GM should expect to receive if it is non- > zero. The value of the attribute MUST be checked by a GM against any > previously received Message ID for this group. If it is less than > the previously received number, it should be considered stale and > ignored. > <mglt> > I have the impression "should" shoudl be replaced by "MUST be ignored" > </mglt> > > > > I agree. > > > This could happen if two GSA_AUTH exchanges happened in > parallel, and the Message ID changed. This attribute is used by the > GM to prevent GSA_REKEY message replay attacks. The first GSA_REKEY > message that the GM receives from the GCKS must have a Message ID > greater or equal to the Message ID received in the > GSA_INITIAL_MESSAGE_ID attribute. > > Once a GM successfully registers to the group it MUST replace any > information related to this group (policy, keys) that it might have > as a result of a previous registration with a new one. > > > > > > > Smyslov & Weis Expires 10 September 2023 [Page 14] > > Internet-Draft G-IKEv2 March 2023 > > > Once a GM has received GIKE_REKEY policy during a registration the > IKE SA may be closed. However, the GM SHOULD NOT close IKE SA, > <mglt> > IKE_SA. > > I have the impression the only reason to have the IKE_SA open is for rekey > purpose (GSA_REKEY) or not and I do not see this function being negotiated > or advertised. > I think we should assume GSA_REKEY is supported by all modes and if the > GSKS is willing to us ethe IKE channel it MUST mention it somewhere. I also > tend to think the GM should advertise GSA_INBAND_REKEY is supported by the > GM. > > In other words, I thinkl it is important the GCKS is aware of what rekey > method is supported by the GM and it is important the GM does not have to > maintain alive its IKE_SA. > </mglt> > > > > I see your point. It’s true that currently no negotiation is > performed. > > It is assumed that any GM supports both GSA_REKEY and > GSA_INBAND_REKEY. > > It is the GCKS which decides which method to use. For this > reason the GM should keep IKE SA. > > Either the GCKS will close it and use GSA_REKEY or will use it > for GSA_INBAND_REKEY. > > The GCKS may use GSA_INBAND_REKEY only for some GMs (e.g. > senders, if there are few of them) > > and GSA_REKEY for the rest of the group. > > > I can live with it. > it is > the GCKS who makes the decision whether to close or keep it, because > depending on the policy the IKE SA may be used for inband rekeying > for small groups. If inband rekeying is used, then the initial IKE > SA is rekeyed (when necessary) via standard IKEv2 mechanism described > in Section 1.3.2 of [RFC7296]. If for some reason this SA is teared > down and no GIKE_REKEY policy was received during the registration > process, the GM MUST consider itself excluded from the group. To > continue participating in the group the GM should re-register. > <mglt> > In my mind, the GCKS could use concurent methods depending on the > capabilities of the GM - not the reverse. > </mglt> > > > > It may use concurrent methods, but it is assumed that both > GSA_REKEY and GSA_INBAND_REKEY are supported by GMs. > > > > 2.3.4. GCKS Registration Operations > > A G-IKEv2 GCKS passively listens for incoming requests from group > members. When the GCKS receives an IKE_SA_INIT request, it selects > an IKE proposal and generates a nonce and DH to include them in the > IKE_SA_INIT response. > > Upon receiving the GSA_AUTH request, the GCKS authenticates the group > member using the same procedures as in the IKEv2 IKE_AUTH. > <mglt> > s/ using the same procedures as in the IKEv2 IKE_AUTH. /via the GSA_AUTH > exchange. > I think we shoudl stop refering to IKE_AUTH ;-) > </mglt> > > > > OK. > > > > The GCKS > then authorizes the group member according to group policy before > preparing to send the GSA_AUTH response. If the GCKS fails to > authorize the GM, it will respond with an AUTHORIZATION_FAILED notify > message. The GCKS may also respond with an INVALID_GROUP_ID notify > message if the requested group is unknown to the GCKS or with an > REGISTRATION_FAILED notify message if there is a problem with the > requested group (for example the capacity of the group is exceeded). > > The GSA_AUTH response will include the group policy in the GSA > payload and keys in the KD payload. If the GCKS policy includes a > group rekey option, it MUST include the GSA_INITIAL_MESSAGE_ID > attribute, specifying the starting Message ID the GCKS will use when > sending the GSA_REKEY message to the group members if this Message ID > is non-zero. This Message ID is used to prevent GSA_REKEY message > replay attacks and will be increased each time a GSA_REKEY message is > sent to the group. The GCKS data traffic policy is included in the > GSA TEK and keys are included in the KD TEK. The GAP MAY also be > included to provide the ATD and/or DTD (Section 4.4.3.1) specifying > activation and deactivation delays for SAs generated from the TEKs. > If the group member has indicated that it is a sender of data traffic > and one or more Data Security SAs distributed in the GSA payload > included a counter mode of operation, the GCKS responds with one or > more Sender-ID values (see Section 2.5). > > [RFC5374] defines two modes of operation for multicast Data-Securirt > <mglt> > Security > </mglt> > > > > Fixed. > > > SAs: transport mode and tunnel mode with address preservation. In > the latter case outer source and destination addresses are taken from > the inner IP packet. > > > > Smyslov & Weis Expires 10 September 2023 [Page 15] > > Internet-Draft G-IKEv2 March 2023 > > > If the GCKS receives a GSA_REGISTRATION exchange with a request to > register a GM to a group, the GCKS will need to authorize the GM with > the new group (IDg) and respond with the corresponding group policy > and keys. If the GCKS fails to authorize the GM, it will respond > with the AUTHORIZATION_FAILED notification. The GCKS may also > respond with an INVALID_GROUP_ID or REGISTRATION_FAILED notify > messages for the reasons described above. > > If a group member includes an SAg in its GSA_AUTH or GSA_REGISTRATION > request, the GCKS may evaluate it according to an implementation > specific policy. > > * The GCKS could evaluate the list of Transforms and compare it to > its current policy for the group. If the group member did not > include all of the ESP or AH Transforms that match the current > group policy, then the GCKS SHOULD return a NO_PROPOSAL_CHOSEN > Notification. > > * The GCKS could store the list of Transforms, with the goal of > migrating the group policy to a different Transforms when all of > the group members indicate that they can support that Transforms. > > * The GCKS could store the list of Transforms and adjust the current > group policy based on the capabilities of the devices as long as > they fall within the acceptable security policy of the GCKS. > > Depending on its policy, the GCKS may have no need for the IKE SA > (e.g., it does not plan to initiate an GSA_INBAND_REKEY exchange). > If the GM does not initiate another registration exchange or Notify > (e.g., NO_PROPOSAL_CHOSEN), and also does not close the IKE SA and > the GCKS is not intended to use the SA, then after a short period of > time the GCKS SHOULD close the IKE SA. > <mglt>DISCUSSION > I remain not convinced SAg is useful - but will not fight for it ;-). This > is more for a disucssion. > I do have in mind that having the GM undergoing the GCKS is not > appropriated, and that it shoudl be the GCKS instead that adapts to the GMs. > </mglt> > > > > With regard to SAg – see my example above. > > > > Actually this is the GCKS that adapts to the capabilities of GMs > – see second and third clauses. > > > > I changed the first clause to: > > > > * The GCKS could evaluate the list of Transforms and compare it to > > its current policy for the group. If the group member did not > > include all of the ESP, AH or GIKE_REKEY Transforms that match the > > current group policy or the capabilities of all other currently > > active GMs, then the GCKS SHOULD return a NO_PROPOSAL_CHOSEN > > Notification. > > > understood > > 2.4. Group Maintenance Channel > > The GCKS is responsible for rekeying the secure group per the group > policy. Rekeying is an operation whereby the GCKS provides > replacement TEKs and KEK, deleting TEKs, and/or excluding group > members. The GCKS may initiate a rekey message if group membership > and/or policy has changed, or if the keys are about to expire. Two > forms of group maintenance channels are provided in G-IKEv2 to push > new policy to group members. > > GSA_REKEY The GSA_REKEY is a pseudo-exchange, consisting of a one- > way IKEv2 message sent by the GCKS, where the rekey policy is > delivered to group members using IP multicast as a transport. > This method is valuable for large and dynamic groups, and where > policy may change frequently and a scalable rekeying method is > > > > Smyslov & Weis Expires 10 September 2023 [Page 16] > > Internet-Draft G-IKEv2 March 2023 > > > required. When the GSA_REKEY is used, the IKE SA protecting > the member registration exchanges is usually terminated, and > group members await policy changes from the GCKS via the > GSA_REKEY messages. > > GSA_INBAND_REKEY The GSA_INBAND_REKEY is a normal IKEv2 exchange > using the IKE SA that was setup to protecting the member > registration exchange. This exchange allows the GCKS to rekey > without using an independent GSA_REKEY pseudo-exchange. The > GSA_INBAND_REKEY exchange provides a reliable policy delivery > and is useful when G-IKEv2 is used with a small group of > cooperating devices. > > Depending on its policy the GCKS MAY combine these two methods. For > example, it may use the GSA_INBAND_REKEY to deliver key to the GMs in > the group acting as senders (as this would provide reliable keys > delivery), and the GSA_REKEY for the rest GMs. > > 2.4.1. GSA_REKEY > > The GCKS initiates the G-IKEv2 Rekey securely, usually using IP > multicast. Since this rekey does not require a response and it sends > to multiple GMs, G-IKEv2 rekeying MUST NOT use IKE SA windowing > mechanism, described in Section 2.3 of [RFC7296]. The GCKS rekey > message replaces the rekey GSA KEK or KEK array, and/or creates a new > Data-Security GSA TEK. The GM_SID attribute in the Key Download > payload (defined in Section 4.5.3.3) MUST NOT be part of the Rekey > Exchange as this is sender specific information and the Rekey > Exchange is group specific. The GCKS initiates the GSA_REKEY pseudo- > exchange as following: > > > GMs (Receivers) GCKS (Sender) > ----------------- --------------- > <-- HDR, SK{GSA, KD, [N,] [D,] [AUTH]} > > Figure 9: GSA_REKEY Pseudo-Exchange > > > HDR is defined in Section 4.1. > <mglt> > probably "discussed" is more appropriated than "defined". > </mglt> > > > > Why? Isn’t it defined there? > I think I meant "described" at that time and the spell checker transformed it to "discussed" which does not make sense. That said, I cannot remember why I made the comment. > > The Message ID in this message will > start with the value the GCKS sent to the group members in the > attribute GSA_INITIAL_MESSAGE_ID or from zero if this attribute > wasn't sent. The Message ID will be incremented each time a new > GSA_REKEY message is sent to the group members. > > The GSA payload contains the current policy for rekey and Data- > Security SAs. The GSA may contain a new Rekey SA and/or a new Data- > Security SAs Section 4.4. > > > > Smyslov & Weis Expires 10 September 2023 [Page 17] > > Internet-Draft G-IKEv2 March 2023 > > > The KD payload contains the keys for the policy included in the GSA. > If the Data-Security SA is being refreshed in this rekey message, the > IPsec keys are updated in the KD, and/or if the rekey SA is being > refreshed in this rekey message, the rekey Key or the LKH KEK array > is updated in the KD payload. > > A Delete payload MAY be included to instruct the GM to delete > existing SAs. See Section 4.6 for more detail. > > The AUTH payload MUST be included to authenticate the GSA_REKEY > message if the authentication method is based on public key > signatures and MUST NOT be included if authentication is implicit. > <mglt> > It is unclear to me what "authentication is implicit" means. I suppose it > means "we assumes the origin is the KSCS" but we cannot real check that. > </mglt> > > > > Sort of. If no AUTH payload is included, then the receiver only > knows that > > the message was sent by someone who knows the current group key, > i.e. some group member. > > There is no real authentication of the GCKS, the receiver just > trusts that the sender of the > > message is GCKS. Can only be used in small groups of mutually > trusted members. > > > In the latter case, the fact that a GM can decrypt the GSA_REKEY > message and verify its ICV proves that the sender of this message > knows the current KEK, thus authenticating the sender as a member of > the group. Note, that implicit authentication doesn't provide source > origin authentication. For this reason using implicit authentication > for GSA_REKEY is NOT RECOMMENDED unless source origin authentication > is not required (for example, in a small group of highly trusted > GMs). The value of the Auth Method field in the AUTH payload in the > GSA_REKEY message MUST NOT be NULL Authentication. > <mglt> DISCUSSION > I am wondering if I am correct in saying that any GM can perform a > GSA_REKEYunless AUTH is provided. If so, I am wondering if one should even > consider that implicit authentication is permitted. > </mglt> > > > > Yes. See above. > > > > What about whether it is permitted – the GCKS includes > Authentication Method attribute into the GSA payload. > > So, it is the GCKS who decides whether this is permitted or not. > Of course, once it indicated that > > authentication is implicit, any GM may impersonate it. > > > > [snip] > > > It seems strange to me ;-) > > Because GSA_REKEY messages are not acknowledged and could be > discarded by the network, one or more GMs may not receive the new > policy. To mitigate such lost messages, during a rekey event the > GCKS may transmit several GSA_REKEY messages with the new policy. > The retransmitted messages MUST be bitwise identical and SHOULD be > sent within a short time interval (a few seconds) to ensure that > time-to-live would not be substantially skewed for the GMs that would > receive different copies of the messages. > > <mglt> CLARIFICATION > I suspect that bitwise identical concerns the clear text messag ethat is > once decrypted. I am wondering if a version number for the rekey would not > be easier to prevent unecessary replay operations. > > > > This is the same rekey message, that is just sent several times > with a short interval to increase > > the probability of successful delivery. It must be bitwise > identical on the network (after encryption etc.) > ok > > I am also wondering if replaying a rekey message would not open the path > to IV/counters being replayed. > > > > No, since it contains the same encrypted data. No new encryption > operation is performed. > > > That is the reason I was thinking of the clear text. I am not saying that is not clear, but I think mentioning bitwise of the encrypted message may even be clearer. > <mglt> > > > > > Smyslov & Weis Expires 10 September 2023 [Page 21] > > Internet-Draft G-IKEv2 March 2023 > > > GCKS may also include one or several GSA_NEXT_SPI attributes > specifying SPIs for the prospected rekeys, so that listening GMs are > able to detect lost rekey messages and recover from this situation. > See Sections Section 4.4.2.2.3 for more detail. > > 2.4.1.4. GSA_REKEY GM Operations > > When a group member receives the Rekey Message from the GCKS it > decrypts the message using the current KEK, validates its > authenticity using the key retrieved in a previous G-IKEv2 exchange > if AUTH payload is present, verifies the Message ID, and processes > the GSA and KD payloads. The group member then downloads the new > Data-Security SA and/or new Rekey SA. The parsing of the payloads is > identical to the parsing done in the registration exchange. > > Replay protection is achieved by a group member rejecting a GSA_REKEY > message which has a Message ID smaller than the current Message ID > that the GM is expecting. The GM expects the Message ID in the first > GSA_REKEY message it receives to be equal or greater than the Message > ID it receives in the GSA_INITIAL_MESSAGE_ID attribute. Note, that > if no this attribute was received for the Rekey SA, the GM MUST > <mglt> > I suspect a nit "if no this" shoudl probably means "if this" > </mglt> > > > > Why? The intended meaning is that if no GSA_INITIAL_MESSAGE_ID > is sent, then 0 is assumed as initial Message-ID. > > > > Probably “If no such attribute” is more clear... > maybe: if the GSA_INITIAL_MESSAGE_ID attribute is not received > > assume zero as the first expected Message ID. The GM expects the > Message ID in subsequent GSA_REKEY messages to be greater than the > last valid GSA_REKEY message ID it received. > > If the GSA payload includes a Data-Security SA using cipher in a > counter-modes of operation and the receiving group member is a sender > for that SA, the group member uses its current Sender-ID value with > the Data-Security SAs to create counter-mode nonces. If it is a > sender and does not hold a current Sender-ID value, it MUST NOT > install the Data-Security SAs. It MAY initiate a GSA_REGISTRATION > exchange to the GCKS in order to obtain an Sender-ID value (along > with the current group policy). > > Once a new Rekey SA is installed as a result of GSA_REKEY message, > the current Rekey SA (over which the message was received) MUST be > silently deleted after waiting DEACTIVATION_TIME_DELAY interval > regardless of its expiration time. > <mglt> > I suspect DEACTIVATION_TIME_DELAY is a local policy. If that is correct, > it shoudl probably be indicated explicitly. > </mglt> > > > > Currently it is indicated by the GCKS. > > > > [snip] > > > > * The GCKS uses the method described in [RFC6054], which assigns > each sender a portion of the IV space by provisioning each sender > with one or more unique Sender-ID values. > > <mglt>CLARIFICATION > Please add rfc8750. I do not see any issue for now, but Sender-ID seems > problematic. > </mglt> > > > > I do not think RFC 8750 is relevant here. Implicit IVs generally > cannot be used for > > multicast SAs because there may be several senders for a single > such SA. > > Since replay protection in this case cannot be achieved, > sequence numbers > > used by those senders are not coordinated and may overlap. > > For this reason explicit IV is used and the IV includes > Sender-ID value > > that is unique for each sender, making sure no overlap ever > happens. > > > ;-( > > 2.5.1. Allocation of Sender-ID > > When at least one Data-Security SA included in the group policy > includes a counter-based mode of operation, the GCKS automatically > allocates and distributes one Sender-ID to each group member acting > in the role of sender on the Data-Security SA. The Sender-ID value > is used exclusively by the group sender to which it was allocated. > The group sender uses the same Sender-ID for each Data-Security SA > specifying the use of a counter-based mode of operation. A GCKS MUST > distribute unique keys for each Data-Security SA including a counter- > based mode of operation in order to maintain unique key and nonce > usage. > > During registration, the group sender can choose to request one or > more Sender-ID values. Requesting a value of 1 is not necessary > since the GCKS will automatically allocate exactly one to the group > sender. A group sender MUST request as many Sender-ID values > matching the number of encryption modules in which it will be > installing the TEKs in the outbound direction. Alternatively, a > group sender MAY request more than one Sender-ID and use them > serially. This could be useful when it is anticipated that the group > sender will exhaust their range of Data- Security SA nonces using a > single Sender-ID too quickly (e.g., before the time-based policy in > the TEK expires). > <mglt>DISCUSSION > Not sur ethis applies, but if time based policiy is enforced, I think we > shoudl recommend byte-sent based policies as well. > </mglt> > > > > For bye-sent based policies the GCKS must be also a GM and must > > count the number of bytes received. In this case it can initiate > rekey whenever it wants. > > > > Should we mention this explicitly? > > > > [snip] > > > > I think so unless you believe that is not necessary. > > 2.5.2. GM Usage of Sender-ID > > A GM applies the Sender-ID to Data-Security SA as follows. > > * The most significant bits NUMBER_OF_SID_BITS of the IV are taken > to be the Sender-ID field of the IV. > > * The Sender-ID is placed in the least significant bits of the > Sender-ID field, where any unused most significant bits are set to > zero. If the Sender-ID value doesn't fit into the > NUMBER_OF_SID_BITS bits, then the GM MUST treat this as a fatal > error and re-register to the group. > > > <mglt>DISCUSSION > If I got it correctly, the IV is carrying the Sender-ID. Because of the > implicit IV, I am wondering if SPI or SN may be not used instead. > </mglt> > > > > No. SPI indicates the SA, so it is the same for all senders in > this SA. > > SN is not used in most cases (no replay protection if there are > multiple senders in the SA) > > and may overlap, since senders increment it by their own. > > > > ok. ;-( > > > Smyslov & Weis Expires 10 September 2023 [Page 26] > > Internet-Draft G-IKEv2 March 2023 > > > 2.6. Replay Protection for Multicast Data-Security SAs > > IPsec provides replay protection as part of its security services. > With multicast extension for IPsec replay protection is not always > possible to achieve (see Section 6.1 of [RFC3740]). In particular, > if there are many group senders for a Data-Security SA, then each of > them will independently increment the Sequence Number field in the > ESP header (see Section 2 of [RFC4303]) thus making it impossible for > the group receivers to filter out replayed packets. However, if > there is only one group sender for a a Data-Security SA, then it is > <mglt> > "a a Data-Security" repeating the word "a". > </mglt> > > > > Fixed. > > > > [snip] > > > > 3.1.1. Default Key Wrap Key > > The default KWK (GSK_w) is only used in the context of a single IKE > SA. Every IKE SA (unicast IKE SA or multicast Rekey SA) will have > its own GSK_w. The GSK_w is used with the algorithm from the > Encryption Algorithm transform for the SA the GSK_w is used in the > context of. The size of GSK_w MUST be of the key size of this > Encryption Algorithm transform (taking into consideration the Key > Length attribute for this transform if present). > > For the unicast IKE SA (used for the GM registration and for the > GSA_INBAND_REKEY exchanges, if they are take place) the GSK_w is > computed as follows: > > > > > Smyslov & Weis Expires 10 September 2023 [Page 28] > > Internet-Draft G-IKEv2 March 2023 > > > GSK_w = prf+(SK_d, "Key Wrap for G-IKEv2") > > where the string "Key Wrap for G-IKEv2" is 20 ASCII characters > without null termination. > > For the multicast Rekey SA the GSK_w is provided along with other SA > keys as defined in Section 3.4. > > <mglt>CLARIFCATION > I am wondering why do we have KWK for INBAND_REKEY ? The way I see it, is > that KWK is used to wrap TEK KEK to protect them. In INBAND_REKEY, these > keyu woudl already be protected by the IKE channel. > </mglt> > > > > They are protected in case of GSA_REKEY as well. > > > > The reason is to isolate sensitive information (keying material) > from the IKE code. > > KWK allows to hide the keys from all the IKE code that parses > payloads, forms messages, > > deals with transforms, attributes and so on. So IKE level sees > only encrypted keys, > > that it can pass to crypto module (which is presumably be more > protected), which will > > decrypt the keys using KWK and install them for the > corresponding SAs. > > > > Thank you for the very thorough review, > > looking forward for the second part. > > > > The changes made so far are available at > https://github.com/smyslov/G-IKEv2 > > They also incorporate some other changes (inspired by Gorry’s > review, Michael’s review and my own findings). > > > > Regards, > > Valery. > > > > On Thu, Mar 9, 2023 at 8:44 AM Valery Smyslov <smyslov.ietf@gmail.com> > wrote: > > Hi, > > the new version of G-IKEv2 draft is published. It mostly addresses > comments made by Michael. > Still waiting for more reviews... > > Regards, > Valery (for the authors). > > > -----Original Message----- > > From: IPsec [mailto:ipsec-bounces@ietf.org] On Behalf Of > internet-drafts@ietf.org > > Sent: Thursday, March 09, 2023 4:37 PM > > To: i-d-announce@ietf.org > > Cc: ipsec@ietf.org > > Subject: [IPsec] I-D Action: draft-ietf-ipsecme-g-ikev2-08.txt > > > > > > A New Internet-Draft is available from the on-line Internet-Drafts > directories. > > This Internet-Draft is a work item of the IP Security Maintenance and > Extensions WG of the IETF. > > > > Title : Group Key Management using IKEv2 > > Authors : Valery Smyslov > > Brian Weis > > Filename : draft-ietf-ipsecme-g-ikev2-08.txt > > Pages : 70 > > Date : 2023-03-09 > > > > Abstract: > > This document presents an extension to the Internet Key Exchange > > version 2 (IKEv2) protocol for the purpose of a group key management. > > The protocol is in conformance with the Multicast Security (MSEC) key > > management architecture, which contains two components: member > > registration and group rekeying. Both components require a Group > > Controller/Key Server to download IPsec group security associations > > to authorized members of a group. The group members then exchange IP > > multicast or other group traffic as IPsec packets. This document > > obsoletes RFC 6407. This documents also updates RFC 7296 by renaming > > one of transform types defined there. > > > > > > The IETF datatracker status page for this Internet-Draft is: > > https://datatracker.ietf.org/doc/draft-ietf-ipsecme-g-ikev2/ > > > > There is also an htmlized version available at: > > https://datatracker.ietf.org/doc/html/draft-ietf-ipsecme-g-ikev2-08 > > > > A diff from the previous version is available at: > > https://author-tools.ietf.org/iddiff?url2=draft-ietf-ipsecme-g-ikev2-08 > > > > > > Internet-Drafts are also available by rsync at rsync.ietf.org: > :internet-drafts > > > > > > _______________________________________________ > > IPsec mailing list > > IPsec@ietf.org > > https://www.ietf.org/mailman/listinfo/ipsec > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec > > > > > -- > > Daniel Migault > > Ericsson > -- Daniel Migault Ericsson
- [IPsec] I-D Action: draft-ietf-ipsecme-g-ikev2-08… internet-drafts
- Re: [IPsec] I-D Action: draft-ietf-ipsecme-g-ikev… Valery Smyslov
- Re: [IPsec] I-D Action: draft-ietf-ipsecme-g-ikev… Daniel Migault
- Re: [IPsec] I-D Action: draft-ietf-ipsecme-g-ikev… Valery Smyslov
- Re: [IPsec] I-D Action: draft-ietf-ipsecme-g-ikev… Daniel Migault
- Re: [IPsec] I-D Action: draft-ietf-ipsecme-g-ikev… Valery Smyslov
- Re: [IPsec] I-D Action: draft-ietf-ipsecme-g-ikev… Daniel Migault