MSEC Working Group B. Weis Internet-Draft S. Rowles Intended status: Standards Track Cisco Systems Expires: September 7, 2009 March 6, 2009 Updates to the Group Domain of Interpretation (GDOI) draft-ietf-msec-gdoi-update-04 Status of this Memo This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on September 7, 2009. Copyright Notice Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Weis & Rowles Expires September 7, 2009 [Page 1] Internet-Draft GDOI Update March 2009 Provisions Relating to IETF Documents in effect on the date of publication of this document (http://trustee.ietf.org/license-info). Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Weis & Rowles Expires September 7, 2009 [Page 2] Internet-Draft GDOI Update March 2009 Abstract This memo describes updates to the Group Domain of Interpretation (GDOI) . It provides clarification where the original text is unclear. It also includes adds several new algorithm attribute values, including complete support for algorithm agility. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5 1.1. Requirements notation . . . . . . . . . . . . . . . . . . 5 2. RFC 3547 Clarification . . . . . . . . . . . . . . . . . . . . 6 2.1. SA KEK Payload . . . . . . . . . . . . . . . . . . . . . . 6 2.2. SA TEK Payload . . . . . . . . . . . . . . . . . . . . . . 6 2.3. KD Payload . . . . . . . . . . . . . . . . . . . . . . . . 7 2.4. SEQ Payload . . . . . . . . . . . . . . . . . . . . . . . 7 2.5. POP Payload . . . . . . . . . . . . . . . . . . . . . . . 8 2.6. CERT Payload . . . . . . . . . . . . . . . . . . . . . . . 8 2.7. SIG Payload . . . . . . . . . . . . . . . . . . . . . . . 8 2.8. KE Payload . . . . . . . . . . . . . . . . . . . . . . . . 8 2.9. Attribute behavour . . . . . . . . . . . . . . . . . . . . 9 2.10. Deletion of SAs . . . . . . . . . . . . . . . . . . . . . 9 3. Authorization . . . . . . . . . . . . . . . . . . . . . . . . 10 4. Harmonization with RFC 5374 . . . . . . . . . . . . . . . . . 12 4.1. Group Security Policy Database Attributes . . . . . . . . 12 4.1.1. Address Preservation . . . . . . . . . . . . . . . . . 12 4.1.2. SA Direction . . . . . . . . . . . . . . . . . . . . . 12 4.1.3. Re-key rollover . . . . . . . . . . . . . . . . . . . 13 5. New GDOI Attributes . . . . . . . . . . . . . . . . . . . . . 14 5.1. Signature Hash Algorithm . . . . . . . . . . . . . . . . . 14 5.2. Support of AH . . . . . . . . . . . . . . . . . . . . . . 14 5.3. Group Associated Policy . . . . . . . . . . . . . . . . . 16 5.3.1. ACTIVATION_TIME_DELAY . . . . . . . . . . . . . . . . 17 5.3.2. DEACTIVATION_TIME_DELAY . . . . . . . . . . . . . . . 17 5.3.3. SENDER_ID . . . . . . . . . . . . . . . . . . . . . . 17 5.3.3.1. GCKS Semantics . . . . . . . . . . . . . . . . . . 18 5.3.3.2. Group Member Semantics . . . . . . . . . . . . . . 18 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19 7. Security Considerations . . . . . . . . . . . . . . . . . . . 21 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 22 Weis & Rowles Expires September 7, 2009 [Page 3] Internet-Draft GDOI Update March 2009 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 23 9.1. Normative References . . . . . . . . . . . . . . . . . . . 23 9.2. Informative References . . . . . . . . . . . . . . . . . . 23 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 25 Weis & Rowles Expires September 7, 2009 [Page 4] Internet-Draft GDOI Update March 2009 1. Introduction The Group Domain of Interpretation (GDOI) [RFC3547] is a group key management protocol fitting into the Multicast Security Group Key Management Architecture [RFC4046]. GDOI is used to disseminate policy and corresponding secrets to a group of participants. GDOI is implemented on hosts and intermediate systems to protect group IP communication (e.g., IP multicast packets) by encapsulating them with the IP Encapsulating Security Payload (ESP) [RFC4303] packets. Several factors have prompted new for updates to GDOI including: o the discovery of inconsistencies in RFC 3547, which need clarification (Section 2), o the publishing of an attack on the protocol (Section 3) o the publishing of the Multicast Extensions to the Security Architecture for the Internet Protocol [RFC5374], which has implications to the policy distributed by group key management (Section 4), o the need for new GDOI algorithm attributes, including the need to support SHA-256 [FIPS.180-2.2002] as an alternative to the SHA-1 and MD5 hash algorithms (Section 5). The clarification and modifications in this memo update RFC 3547. 1.1. Requirements notation The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. Weis & Rowles Expires September 7, 2009 [Page 5] Internet-Draft GDOI Update March 2009 2. RFC 3547 Clarification Implementation experience of RFC 3547 has revealed a few areas of text that are not sufficiently precise. This section provides clarifying text for those areas. 2.1. SA KEK Payload Section 5.3 of RFC 4357 defines the SA KEK payload. It includes the "POP Key Length" field,The units of this field are not explicitly specified in RFC 3547. The value MUST be a number representing the length of key in bits. In the case of POP_ALG_RSA, the value represents the size of the modulus. Section 5.3 of RFC 4357 also defines the POP Algorithm of type of POP_ALG_RSA, but does not specify which PKCS#1 [RFC3447] encoding method is employed. To match existing practice, this memo requires that it be the EMSA-PKCS1-v1_5 encoding method. The units of the SIG_KEY_LENGTH KEK attribute value was not explicitly specified in section 5.3.8 of RFC 3547. The value MUST be a number representing the length of the KEK encryption key in bits. The Group Controller/Key Server (GCKS) adds the KEK_KEY_LEN attribute to the SA payload when distributing KEK policy to group members. The group member verifies whether or not it has the capability of using a cipher key of that size. If the cipher definition includes a fixed key length (e.g., KEK_ALG_3DES), the group member can make its decision solely using KEK_ALGORITHM attribute and does not need the KEK_KEY_LEN attribute. Sending the KEK_KEY_LEN attribute in the SA payload is OPTIONAL if the KEK cipher has a fixed key length. Minimum attributes that must be sent as part of an SA KEK: KEK_ALGORITHM, KEK_KEY_LENGTH (if the cipher definition includes a variable length key), KEK_KEY_LIFETIME, SIG_HASH_ALGORITHM (except for DSA based algorithms), SIG_ALGORITHM, and SIG_KEY_LENGTH. 2.2. SA TEK Payload Section 5.4.1 of RFC 3547 states that all mandatory IPsec DOI attributes are mandatory in GDOI_PROTO_IPSEC_ESP. However, RFC 2407 lists no such list of mandatory IPsec DOI attributes. This memo requires that the following attributes MUST be supported by an RFC 3547 implementation supporting the GDOI_PROTO_IPSEC_ESP SA TEK: SA Life Type, SA Life Duration, Encapsulation Mode, Authentication Algorithm (if the ESP transform includes authentication). The GDOI_PROTO_IPSEC_ESP attribute is sometimes referred to in RFC Weis & Rowles Expires September 7, 2009 [Page 6] Internet-Draft GDOI Update March 2009 3547 by the truncated name of PROTO_IPSEC_ESP. 2.3. KD Payload Section 5.5.2.1 of RFC 3547 explicitly specifies that if a KEK cipher requires an IV, then the IV must precede the key in the KEK_ALGORITHM_KEY KD payload attribute. However, it should be noted that this IV length is not included in the KEK_KEY_LEN SA payload attribute sent in the SA payload. The KEK_KEY_LEN includes only the actual length of the cipher key. Section 5.5.1.2 of RFC 3547 defines key lengths for the TEK_INTEGRITY_KEY. When the algorithm passes in the SA TEK payload is SHA256, keys will consist of 256 bits. 2.4. SEQ Payload Section 3.2 of RFC 3547 defines a GROUPKEY-PULL message as including a sequence number, which provides anti-replay state associated with a KEK. The SEQ payload has no other use, and is omitted from the GROUPKEY-PULL exchange when a KEK attribute is not included in the SA payload. A KEK sequence number is associated with a single SPI (i.e., the single set of cookie pair values sent in a GROUPKEY-PUSH ISAKMP [RFC2408] HDR). When a new KEK is distributed by a GCKS, it contains a new SPI and resets the sequence number. When a SEQ payload is included in the GROUPKEY-PULL exchange, it includes the most recently used sequence number for the group. At the conclusion of a GROUPKEY-PULL exchange, the initiating group member MUST NOT accept any rekey message with both the KEK attribute SPI value and a sequence number less than or equal to the one received during the GROUPKEY-PULL. When the first group member initiates a GROUPKEY-PULL exchange, the GCKS provides a Sequence Number of zero, since no GROUPKEY-PUSH messages have yet been sent. Note the sequence number increments only with GROUPKEY-PUSH messages. The GROUPKEY-PULL exchange distributes the current sequence number to the group member. The sequence number resets to a value of one with a new KEK attribute. As described in section 5.6 of RFC 3547: "Thus the first packet sent for a given Rekey SA will have a Sequence Number of 1". The sequence number increments with each successive rekey. Weis & Rowles Expires September 7, 2009 [Page 7] Internet-Draft GDOI Update March 2009 2.5. POP Payload RFC 3547 defines the Proof of Possession (POP) payload, which contains a digital signature over a hash. Some RFC 3547 text erroneously describes it as a "prf()". RFC 3547 omitted including a method of specifying the hash function type used in the POP payload. As a result, the GCKS or group member do not have a means by which to agree which hash algorithm should be used. To remedy this omission without changing the protocol, this memo specifies that the hash algorithm passed in the SIG_HASH_ALGORITHM MUST be also used as the POP hash algorithm. 2.6. CERT Payload Receivers of the POP payload need the sender's public key in order to validate the POP. However the source of that public key is not explicitly defined. For example, if the certificate encoding value passed in the CERT payload (defined in Section 3.9 of RFC 2408) does not contain a public key then no public key is available. To remedy this omission, this memo specifies that the certificate passed in the CERT payload MUST be a public key certificate. 2.7. SIG Payload The GROUPKEY-PUSH message defined in Section 4 of RFC 3547 includes a SIG payload. The first paragraph on page 12 is amended as follows. The SIG payload includes a signature of a hash of the entire GROUPKEY-PUSH message (excepting the SIG payload bytes) before it has been encrypted. The HASH is taken over the string 'rekey', the GROUPKEY-PUSH HDR, SEQ, SA, KD, and optionally the CERT payload. The prefixed string ensures that the signature of the Rekey datagram cannot be used for any other purpose in the GDOI protocol. After the SIG payload is created using the signature of the above hash, the current KEK encryption key encrypts all the payloads following the GROUPKEY-PUSH HDR. Note: The rationale for this order of operations is given in Section 6.3.5 of RFC 3547. Section 5.3.7.1 of RFC 4357 defines a SIG_ALGORITHM type of SIG_ALG_RSA, but it omits specifying which PKCS#1 [RFC3447] encoding method is employed. To match existing practice, this memo requires that it be the EMSA-PKCS1-v1_5 encoding method. 2.8. KE Payload The purpose of the KE Payload in GDOI is to encrypt keying material before encrypting the entire GDOI registration message. However, the Weis & Rowles Expires September 7, 2009 [Page 8] Internet-Draft GDOI Update March 2009 specification for computing keying material for the additional encryption function in RFC 3547 is faulty. Furthermore, it has been observed that because the GDOI registration message uses strong ciphers and provides authenticated encryption, additional encryption of the keying material in a GDOI registration message provides negligible value. Therefore, the use of KE payloads is deprecated in this memo. 2.9. Attribute behavour An GDOI implementation MUST abort if it encounters and attribute or capability that it does not understand. 2.10. Deletion of SAs RFC 3547 provides for the condition that the GCKS may want to signal to receivers to delete their SAs, but there may be circumstances where the GCKS may want to start over with a clean slate. If the administrator is no longer confident in the integrity of the group, the GCKS can signal deletion of all policy of a particular TEK protocol by sending a TEK with a SPI value equal to zero in the delete payload. For example, if the GCKS wishes to remove all the KEKs and all the TEKs in the group, the GCKS SHOULD send a delete payload with a spi of zero and a protocol_id of a TEK protocol_id value as defined in section 5.4 of RFC 3547, followed by another delete payload with a spi of zero and a protocol_id of zero, indicating that the KEK SA should be deleted. Weis & Rowles Expires September 7, 2009 [Page 9] Internet-Draft GDOI Update March 2009 3. Authorization Meadows and Pavlovic have published a paper [MP04] describing a means by which a rogue GDOI device (i.e., GCKS or group member) can gain access to a group for which it is not a group member. The rogue device perpetrates a man-in-the-middle attack, which can occur if the following conditions are true: 1. The rogue GDOI participant convinces an authorized member of the group (i.e., victim group member) that it is a GCKS for that group, and it also convinces the GCKS (i.e., victim GCKS) of that group it is an authorized group member. 2. The victim group member, victim GCKS, and rogue group member all share IKEv1 authentication credentials. 3. The victim GCKS does not properly verify that the IKE authentication credentials used to protect a GROUPKEY-PULL protocol are authorized to be join the group. The value of proof-of-possession is to prove that the owner of the identity associated with the Phase 1 key is the same as the owner of the key distributed in the CERT. This attack can be mitigated by adding the Phase 1 identities into the hashed data. This memo replaces the method computing POP_HASH in Section 5.7 of RFC 3547 with the following method: POP_HASH = hash("pop" | IKE-Initiator-P1-ID | IKE-Responder-P1-ID | Ni | Nr) where the fields are hashed as follows: o The string "pop" without a NULL termination character. o The IKE Phase 1 identity of the GCKS as distributed in the "identification Data" portion of the ID payload. Because the length of the identity is variable, the length of the Identification Data MUST be hashed as a four octet value with the length located in the least significant bits (in network byte order). The length value is hashed before the data value. o The IKE Phase 1 identity of the group member as distributed in the "identification Data" portion of the ID payload. Because the length of the identity is variable, the length of the Identification Data MUST be hashed as a four octet value with the length located in the least significant bits (in network byte order). The length value is hashed before the data value. Weis & Rowles Expires September 7, 2009 [Page 10] Internet-Draft GDOI Update March 2009 o The initiator nonce Ni, as passed in the first GROUPKEY-PULL message. o The responder nonce Nr, as passed in the second GROUPKEY-PULL message. This attack can also be mitigated by applying appropriate GCKS and group member authorization. When the use of CERT and POP payloads are not mandated in group policy, the GCKS SHOULD have a means of recognizing authorized group members for each group, where the recognition is based on IKE authentication credentials. For example, the GCKS may have a list of authorized IKE identifiers stored for each Group. The authorization check SHOULD be made after receipt of the ID payload containing a group id the group member is requesting to join. Weis & Rowles Expires September 7, 2009 [Page 11] Internet-Draft GDOI Update March 2009 4. Harmonization with RFC 5374 the Multicast Extensions to the Security Architecture for the Internet Protocol (RFC 5374) introduces new requirements for a group key management system distributing IPsec policy. The following sections describe new GDOI requirements that result from harmonizing with that document. 4.1. Group Security Policy Database Attributes RFC 5374 describes new attributes as part of the Group Security Policy Database (GSPD). These attributes describe policy that a group key management system must convey to a group member in order to support those extensions. The GDOI SA TEK payload distributes IPsec policy using IPsec security association attributes defined in [ISAKMP-REG]. This section defines how GDOI can convey the new attributes as IPsec Security Association Attributes. 4.1.1. Address Preservation Applications use the extensions in RFC 5374 create encapsulate IPsec multicast packets that are IP multicast packets. In order for the GDOI group member to appropriately setup the GSPD, the GCKS must provide that policy to the group member. Depending on group policy, several address preservation methods are possible: no address preservation ("None"), preservation of the original source address ("Source-Only"), preservation of the original destination address ("Destination-Only"), or both addresses ("Source- And-Destination"). This memo adds the "Address Preservation" security association attribute. If this attribute is not included in a GDOI SA TEK payload provided by a GCKS, then Source-And-Destination address preservation has been defined for the SA TEK. 4.1.2. SA Direction Depending on group policy, an IPsec SA created from an SA TEK payload may be required in one or both directions. SA TEK policy used by multiple senders is required to be installed in both the sending and receiving direction ("Symmetric"), whereas SA TEK for a single sender should only be installed in the receiving direction by receivers ("Receiver-Only") and in the sending direction by the sender ("Sender-Only"). This memo adds the "SA Direction" security association attribute. If the attribute is not included in a GDOI SA TEK payload, then the IPsec SA is treated as a Symmetric IPsec SA. Weis & Rowles Expires September 7, 2009 [Page 12] Internet-Draft GDOI Update March 2009 4.1.3. Re-key rollover Section 4.2.1 of RFC 5374 specifies a key rollover method that requires two values be given it from the group key management protocol. The Activation Time Delay (ATD) attribute allows the GCKS to specify how long a after the start of a re-key event that a group member is to activate new TEKs. The Deactivation Time Delay (DTD) attribute allows the GCKS to specify how long a after the start of a re-key event that a group member is to deactivate existing TEKs. This memo adds new attributes by which a GCKS can relay these values to group members as part of the Group Associated Policy described in Section 5. Weis & Rowles Expires September 7, 2009 [Page 13] Internet-Draft GDOI Update March 2009 5. New GDOI Attributes This section contains new attributes to be are defined as part of GDOI. 5.1. Signature Hash Algorithm RFC 3547 defines two signature hash algorithms (MD5 and SHA-1). However, steady advances in technology have rendered both hash algorithms to be weak when used as a signature hash algorithm. The SHA-256 algorithm [FIPS.180-2.2002] has been made available by NIST as a replacement for SHA-1, and is its preferred replacement for both MD5 and SHA-1. A new value for the GDOI SIG_HASH_ALGORITHM attribute is defined by this memo to represent the SHA-256 algorithm: SIG_HASH_SHA256. Support for SIG_HASH_SHA256 is OPTIONAL. 5.2. Support of AH RFC3547 only specifies data-security SAs for one security protocol, IPsec ESP. Typically IPsec implementations use ESP and AH IPsec SAs. This document extends the capability of GDOI to support both ESP and AH. The GROUPKEY-PULL mechanism will establish IPsec ESP SAs and IPsec AH SAs. The GROUPKEY-PUSH will refresh the IPsec ESP SAs and the IPsec AH SAs. Support for AH [RFC4302] is achieved with the introduction of a new SA_TEK Protocol-ID with the name GDOI_PROTO_IPSEC_AH. Support for the GDOI_PROTO_IPSEC_AH SA TEK is OPTIONAL. The TEK Protocol-Specific payload for AH is as follows: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! Protocol ! SRC ID Type ! SRC ID Port ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! !SRC ID Data Len! SRC Identification Data ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! DST ID Type ! DST ID Port !DST ID Data Len! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! DST Identification Data ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! Transform ID ! SPI ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! SPI ! RFC 2407 SA Attributes ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! The SAT Payload fields are defined as follows: Weis & Rowles Expires September 7, 2009 [Page 14] Internet-Draft GDOI Update March 2009 o Protocol (1 octet) -- Value describing an IP protocol ID (e.g., UDP/TCP). A value of zero means that the Protocol field should be ignored. o SRC ID Type (1 octet) -- Value describing the identity information found in the SRC Identification Data field. Defined values are specified by the IPsec Identification Type section in the IANA ISAKMP Registry [ISAKMP-REG]. o SRC ID Port (2 octets) -- Value specifying a port associated with the source Id. A value of zero means that the SRC ID Port field should be ignored. o SRC ID Data Len (1 octet) -- Value specifying the length of the SRC Identification Data field. o SRC Identification Data (variable length) -- Value, as indicated by the SRC ID Type. Set to three bytes of zero for multiple- source multicast groups that use a common TEK for all senders. o DST ID Type (1 octet) -- Value describing the identity information found in the DST Identification Data field. Defined values are specified by the IPsec Identification Type section in the IANA ISAKMP Registry [ISAKMP-REG]. o DST ID Port (1 octet) -- Value describing an IP protocol ID (e.g., UDP/TCP). A value of zero means that the DST Id Port field should be ignored. o DST ID Port (2 octets) -- Value specifying a port associated with the source Id. A value of zero means that the DST ID Port field should be ignored. o DST ID Data Len (1 octet) -- Value specifying the length of the DST Identification Data field. o DST Identification Data (variable length) -- Value, as indicated by the DST ID Type. o Transform ID (1 octet) -- Value specifying which AH transform is to be used. The list of valid values is defined in the IPsec AH Transform Identifiers section of the IANA ISAKMP Registry [ISAKMP-REG]. o SPI (4 octets) -- Security Parameter Index for AH. o RFC 2407 Attributes -- AH Attributes from Section 4.5 of [RFC2407]. The GDOI supports all IPsec DOI SA Attributes for Weis & Rowles Expires September 7, 2009 [Page 15] Internet-Draft GDOI Update March 2009 GDOI_PROTO_IPSEC_AH excluding the Group Description, which MUST NOT be sent by a GDOI implementation and is ignored by a GDOI implementation if received. The Authentication Algorithm attribute of the IPsec DOI is group authentication in GDOI. The following RFC 2407 attributes MUST be sent as part of a GDOI_PROTO_IPSEC_AH attribute: SA Life Type, SA Life Duration, Encapsulation Mode. 5.3. Group Associated Policy RFC 3547 provides for the distribution of policy in the GROUPKEY-PULL exchange in an SA payload. Policy can define GROUPKEY-PUSH policy (SA KEK) or traffic encryption policy (SA TEK) such as IPsec policy. There is a need to distribute group policy that fits into neither category. Some of this policy is generic to the group, and some is sender-specific policy for a particular group member. GDOI distributes this associated group policy in a new payload called the SA Group Associated Policy (SA SAP). The SA GAP payload follows any SA KEK payload, and is placed before any SA TEK payloads. In the case that group policy does not include an SA KEK, the SA Attribute Next Payload field in the SA payload MAY indicate the SA GAP payload. The SA GAP payload is defined as follows: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! Next Payload ! RESERVED ! Payload Length ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! Group Associated Policy Attributes ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! The SA GAP payload fields are defined as follows: o Next Payload (1 octet) -- Identifies the next payload present in the GROUPKEY-PULL or the GROUPKEY-PUSH message. The only valid next payload type for this message is an SA TEK or zero to indicate there are no more security association attributes. o RESERVED (1 octet) -- Must be zero. o Payload Length (2 octets) -- Length of this payload, including the SA GAP header and Attributes. o Group Associated Policy Attributes (variable) -- Contains attributes following the format defined in Section 3.3 of RFC 2408. Weis & Rowles Expires September 7, 2009 [Page 16] Internet-Draft GDOI Update March 2009 Several group associated policy attributes are defined in this memo. 5.3.1. ACTIVATION_TIME_DELAY This attribute allows a GCKS to set the Activation Time Delay for SAs generated from TEKs. The value is in seconds. If a group member receives a TEK with an ATD value, but discovers that it has no current SAs matching the policy in the TEK, then it SHOULD create and install SAs from the TEK immediately. 5.3.2. DEACTIVATION_TIME_DELAY This attribute allows a GCKS to set the Deactivation Time Delay for SAs generated from TEKs. The value is in seconds. 5.3.3. SENDER_ID Several new AES counter-based modes of operation have been specified for ESP [RFC3686],[RFC4106],[RFC4309],[RFC4543] and AH [RFC4543]. These AES counter-based modes require that no two senders in the group ever send a packet with the same IV. This requirement can be met using the method described in [I-D.ietf-msec-ipsec-group-counter-modes], which requires each sender to be allocated a unique Sender ID (SID). The SENDER_ID attribute is used to distribute a SID to a group member during the GROUPKEY-PULL message. Other algorithms with the same need may be defined in the future; the sender MUST use the IV construction method described above with those algorithms as well. The SENDER_ID attribute value contains the following fields. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! ! SID Length ! SID Value ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-! o SID Length (1 octet) -- A natural number defining the number of bits to be used in the SID field of the counter mode transform nonce. o SID Value (variable) -- The Sender ID value allocated to the group member. Weis & Rowles Expires September 7, 2009 [Page 17] Internet-Draft GDOI Update March 2009 5.3.3.1. GCKS Semantics The GCKS maintains a SID counter (SIDC). It is incremented each time a SENDER_ID attribute is distributed to a group member. The first group member to register is given the SID of 1. Any group member registering will be given a new SID value, which allows group members to act as a group sender when an older SID value becomes unusable (as described in the next section). A GCKS MAY allocate multiple SID values in one SA SSA payload. Allocating several SID values at the same time to a group member expected to send at a high rate would obviate the need for the group member to re-register as frequently. If a GCKS allocates all SID values, it can no longer respond to GDOI registrations and must re-initialize the entire group. This is done by issuing DELETE notifications for all ESP and AH SAs in a GDOI rekey message, resetting the SIDC to zero, and creating new ESP and AH SAs that match the group policy. When group members re-register, the SIDs are allocated again beginning with the value 1 as described above. Each re-registering group member will be given a new SID and the new group policy. The SENDER_ID attribute MUST NOT be sent as part of a GROUPKEY-PUSH message, because distributing the same sender-specific policy to more than one group member may reduce the security of the group. 5.3.3.2. Group Member Semantics The SENDER_ID attribute value distributed to the group member MUST be used by that group member as the Sender Identifier (SID) field portion of the IV. The SID is used for all counter mode SAs distributed by the GCKS to be used for communications sent as a part of this group. When the Sender-Specific IV (SSIV) field for any IPsec SA is exhausted, the group member MUST no longer act as a sender using its active SID. The group member SHOULD re-register, during which time the GCKS will issue a new SID to the group member. The new SID replaces the existing SID used by this group member, and also resets the SSIV value to it's starting value. A group member MAY re- register prior to the actual exhaustion of the SSIV field to avoid dropping data packets due to the exhaustion of available SSIV values combined with a particular SID value. A group member MUST NOT process SENDER_ID attribute present in a GROUPKEY-PUSH message. Weis & Rowles Expires September 7, 2009 [Page 18] Internet-Draft GDOI Update March 2009 6. IANA Considerations The GDOI KEK Attribute named SIG_HASH_ALGORITHM [GDOI-REG] should be assigned a new Algorithm Type value from the RESERVED space to represent the SHA-256 hash algorithm as defined. The new algorithm name should be SIG_HASH_SHA256. A new GDOI SA TEK type Protocol-ID type [GDOI-REG] should be assigned from the RESERVED space. The new algorithm id should be called GDOI_PROTO_IPSEC_AH, and refers to the IPsec AH encapsulation. A new Next Payload Type [ISAKMP-REG] should be assigned. The new type is called "SA Group Associated Policy (GAP)". A new namespace should be created in the GDOI Payloads registry [GDOI-REG] to describe SA SSA Payload Values. The following rules apply to define the attributes in SA SSA Payload Values: Attribute Type Value Type ---- ----- ---- RESERVED 0 ACTIVATION_TIME_DELAY 1 B DEACTIVATION_TIME_DELAY 2 B SENDER_ID 3 V Reserved to IANA 2-127 Private Use 128-255 A new IPSEC Security Association Attribute [ISAKMP-REG] defining the preservation of IP addresses is needed. The attribute class is called "Address Preservation", and it is a Basic type. The following rules apply to define the values of the attribute: Name Value ---- ----- Reserved 0 None 1 Source-Only 2 Destination-Only 3 Source-And-Destination 4 Reserved to IANA 5-61439 Private Use 61440-65535 A new IPSEC Security Association Attribute [ISAKMP-REG] defining the SA direction is needed. The attribute class is called "SA Direction", and it is a Basic type. The following rules apply to define the values of the attribute: Weis & Rowles Expires September 7, 2009 [Page 19] Internet-Draft GDOI Update March 2009 Name Value ---- ----- Reserved 0 Sender-Only 1 Receiver-Only 2 Symmetric 3 Reserved to IANA 4-61439 Private Use 61440-65535 Weis & Rowles Expires September 7, 2009 [Page 20] Internet-Draft GDOI Update March 2009 7. Security Considerations This memo describes additional clarification and adds additional attributes to be passed within the GDOI protocol. The security considerations in RFC 3547 remain accurate, with the following additions. o Several minor cryptographic hash algorithm agility issues are resolved, and the stronger SHA-256 cryptographic hash algorithm is added. o Protocol analysis has revealed a man-in-the-middle attack when the GCKS does not authorize group members based on their IKE authentication credentials. This is true even when a CERT and POP payloads are used for authorization. Although suggested as an option in RFC 3547, a GDOI device (group member or GCKS) SHOULD NOT accept an identity in a CERT payload that does not match the IKE identity used to authenticate the group member. o Any SA TEK specifying a counter-based mode of operation with multiple senders MUST construct the IVs in each SA TEK according to [I-D.ietf-msec-ipsec-group-counter-modes]. The SID MUST either be pre-configured on all group members or distributed using the SENDER_ID attribute in the SA GAP payload. However, use of the SENDER_ID attribute is RECOMMENDED. Weis & Rowles Expires September 7, 2009 [Page 21] Internet-Draft GDOI Update March 2009 8. Acknowledgements The authors are grateful to Catherine Meadows for her careful review and suggestions for mitigating the man-in-the-middle attack she had previously identified. Weis & Rowles Expires September 7, 2009 [Page 22] Internet-Draft GDOI Update March 2009 9. References 9.1. Normative References [I-D.ietf-msec-ipsec-group-counter-modes] McGrew, D. and B. Weis, "Using Counter Modes with Encapsulating Security Payload (ESP) and Authentication Header (AH) to Protect Group Traffic", draft-ietf-msec-ipsec-group-counter-modes-03 (work in progress), March 2009. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC3547] Baugher, M., Weis, B., Hardjono, T., and H. Harney, "The Group Domain of Interpretation", RFC 3547, July 2003. [RFC5374] Weis, B., Gross, G., and D. Ignjatic, "Multicast Extensions to the Security Architecture for the Internet Protocol", RFC 5374, November 2008. 9.2. Informative References [FIPS.180-2.2002] National Institute of Standards and Technology, "Secure Hash Standard", FIPS PUB 180-2, August 2002, . [GDOI-REG] Internet Assigned Numbers Authority, "Group Domain of Interpretation (GDOI) Payload Type Values", IANA Registry, December 2004, . [ISAKMP-REG] Internet Assigned Numbers Authority, "Internet Security Association and Key Management Protocol (ISAKMP) Identifiers ISAKMP Attributes", IANA Registry, January 2006, . [MP04] Meadows, C. and D. Pavlovic, "Deriving, Attacking, and Defending the GDOI Protocol", ESORICS 2004 pp. 53-72, September 2004. [RFC2407] Piper, D., "The Internet IP Security Domain of Interpretation for ISAKMP", RFC 2407, November 1998. Weis & Rowles Expires September 7, 2009 [Page 23] Internet-Draft GDOI Update March 2009 [RFC2408] Maughan, D., Schneider, M., and M. Schertler, "Internet Security Association and Key Management Protocol (ISAKMP)", RFC 2408, November 1998. [RFC3447] Jonsson, J. and B. Kaliski, "Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1", RFC 3447, February 2003. [RFC3686] Housley, R., "Using Advanced Encryption Standard (AES) Counter Mode With IPsec Encapsulating Security Payload (ESP)", RFC 3686, January 2004. [RFC4046] Baugher, M., Canetti, R., Dondeti, L., and F. Lindholm, "Multicast Security (MSEC) Group Key Management Architecture", RFC 4046, April 2005. [RFC4106] Viega, J. and D. McGrew, "The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP)", RFC 4106, June 2005. [RFC4302] Kent, S., "IP Authentication Header", RFC 4302, December 2005. [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 4303, December 2005. [RFC4309] Housley, R., "Using Advanced Encryption Standard (AES) CCM Mode with IPsec Encapsulating Security Payload (ESP)", RFC 4309, December 2005. [RFC4543] McGrew, D. and J. Viega, "The Use of Galois Message Authentication Code (GMAC) in IPsec ESP and AH", RFC 4543, May 2006. Weis & Rowles Expires September 7, 2009 [Page 24] Internet-Draft GDOI Update March 2009 Authors' Addresses Brian Weis Cisco Systems 170 W. Tasman Drive San Jose, California 95134-1706 USA Phone: +1-408-526-4796 Email: bew@cisco.com Sheela Rowles Cisco Systems 170 W. Tasman Drive San Jose, California 95134-1706 USA Phone: +1-408-527-7677 Email: sheela@cisco.com Weis & Rowles Expires September 7, 2009 [Page 25]