Re: [MSEC] GDOI support for IEC 62351

Brian Weis <> Fri, 02 August 2013 19:28 UTC



Sean had some good feedback, and there is a new version now: <>. GDOI implementers should note that both RFC 3547 and RFC 6407 relied upon the ID Types defined in the IPsec DOI, which wasn't quite the right thing to do. So please note that Section 4 (IANA Considerations) now adds a registry of ID types for the GDOI DOI. This came about because this I-D adds a new value.

The GDOI DOI list of ID Types is copied and pasted from the IPsec DOI, plus the new ID type added. So all of the old values are still valid; they are just administratively defined in the GDOI IANA registry now rather than the IPsec registry. This should not have a negative effect on implementations, but it's worth pointing out.

Comments on the Internet-Draft are still requested.


On Jul 23, 2013, at 1:56 AM, Brian Weis <> wrote:

> Greetings,
> The IEC 62351 power utility automation standards group has chosen to use GDOI (RFC 6407) as their key management method to distribute group keys. The keys protect multicast traffic streams sent by devices monitoring the power grid, and other multicast streams as well. To do this they require some new GDOI payloads. This message is an invitation to review and comment on the new definitions, which are defined in <>. Since the MSEC WG is not currently active, we hope to progress the draft as an individual submission soon and would appreciate any feedback. If you have comments, please post them to the MSEC list ( or send them to the authors ( 
> Thanks,
> Brian 
> -- 
> Brian Weis
> Security, Enterprise Networking Group, Cisco Systems
> Telephone: +1 408 526 4796
> Email:

Brian Weis
Security, Enterprise Networking Group, Cisco Systems
Telephone: +1 408 526 4796
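As an added illustration of the implementation note above (this is example code written for this archive page, not code from the Internet-Draft, from Cisco, or from the author), the following parser decodes a GDOI Identification payload and resolves its ID Type against a GDOI-specific table rather than an IPsec one. The numeric values listed are the IPsec DOI ID Types from RFC 2407 that RFC 6407 reused and that the draft carries over unchanged; the value the draft adds is not given in the message, so it appears only as a labelled placeholder (`NEW_ID_TYPE_PLACEHOLDER`, assumed value 255, assumed name). The helper `build_id_payload`, the constructed sample identities, and the `IDPayloadError` class are likewise assumptions for the example.

```python
"""Parse a GDOI Identification payload and validate its ID Type.

Added example, not code from the draft or the mailing-list message.
ID Type numbers are the IPsec DOI values (RFC 2407, Section 4.6.2.1), which
RFC 6407 reused and which the draft moves, unchanged, into a GDOI registry.
The draft's new ID Type is represented only by a placeholder (assumed value and
name); the real assignment lives in the draft's IANA Considerations section.
"""
import ipaddress
import struct

# GDOI ID Type registry: the old IPsec DOI values, now administered for GDOI.
GDOI_ID_TYPES = {
    1: "ID_IPV4_ADDR",
    2: "ID_FQDN",
    3: "ID_USER_FQDN",
    4: "ID_IPV4_ADDR_SUBNET",
    5: "ID_IPV6_ADDR",
    6: "ID_IPV6_ADDR_SUBNET",
    7: "ID_IPV4_ADDR_RANGE",
    8: "ID_IPV6_ADDR_RANGE",
    9: "ID_DER_ASN1_DN",
    10: "ID_DER_ASN1_GN",
    11: "ID_KEY_ID",
}
# Placeholder for the value the I-D adds (assumed number and name, not from the page).
NEW_ID_TYPE_PLACEHOLDER = 255
GDOI_ID_TYPES[NEW_ID_TYPE_PLACEHOLDER] = "ID_NEW_TYPE_PLACEHOLDER"

# ISAKMP ID payload: Next Payload (1), RESERVED (1), Payload Length (2),
# ID Type (1), DOI-specific ID data (3), then Identification Data.
HEADER = struct.Struct("!BBHB3s")


class IDPayloadError(ValueError):
    """Raised for malformed payloads or ID Types outside the GDOI registry."""


def build_id_payload(id_type: int, data: bytes, next_payload: int = 0) -> bytes:
    """Encode an ID payload (used here only to construct sample input)."""
    return HEADER.pack(next_payload, 0, HEADER.size + len(data), id_type, b"\x00" * 3) + data


def parse_id_payload(buf: bytes) -> dict:
    """Decode one ID payload; reject malformed input and unregistered ID Types."""
    if len(buf) < HEADER.size:
        raise IDPayloadError("payload shorter than fixed header")
    next_payload, reserved, length, id_type, _doi_data = HEADER.unpack_from(buf)
    if reserved != 0:
        raise IDPayloadError("RESERVED octet must be zero")
    if length < HEADER.size or length > len(buf):
        raise IDPayloadError(f"Payload Length {length} inconsistent with {len(buf)} octets")
    name = GDOI_ID_TYPES.get(id_type)
    if name is None:
        # Unknown value: refuse rather than guess a meaning for it.
        raise IDPayloadError(f"ID Type {id_type} is not in the GDOI ID Type registry")
    data = buf[HEADER.size:length]
    # Per-type checks on the Identification Data for the address and name types.
    if name == "ID_IPV4_ADDR":
        if len(data) != 4:
            raise IDPayloadError("ID_IPV4_ADDR needs exactly 4 octets")
        value = str(ipaddress.IPv4Address(data))
    elif name == "ID_IPV6_ADDR":
        if len(data) != 16:
            raise IDPayloadError("ID_IPV6_ADDR needs exactly 16 octets")
        value = str(ipaddress.IPv6Address(data))
    elif name in ("ID_FQDN", "ID_USER_FQDN"):
        try:
            value = data.decode("ascii")
        except UnicodeDecodeError as exc:
            raise IDPayloadError("FQDN identities must be ASCII") from exc
    else:
        value = data.hex()  # opaque for the remaining types
    return {"next_payload": next_payload, "id_type": id_type, "type": name, "value": value}


def is_valid_id_payload(buf: bytes) -> bool:
    """Convenience predicate: True if the payload parses cleanly."""
    try:
        parse_id_payload(buf)
        return True
    except IDPayloadError:
        return False


if __name__ == "__main__":
    # Constructed sample identities for a grid-monitoring device.
    for sample in (
        build_id_payload(1, bytes([192, 0, 2, 10])),
        build_id_payload(2, b"ied1.example"),
        build_id_payload(11, b"grid-key-01"),
        build_id_payload(NEW_ID_TYPE_PLACEHOLDER, b"\x01"),
        build_id_payload(200, b"\x01"),
    ):
        try:
            print(parse_id_payload(sample))
        except IDPayloadError as err:
            print("rejected:", err)
```

The point the message makes is visible in the table: a receiver that already accepted the IPsec DOI values keeps accepting them with the same meaning, and only the registry it consults (and the one extra entry) changes. Values outside the registry are rejected rather than mapped to a guess.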