1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
|
<pre>Network Working Group B. Weis
Request for Comments: 5374 Cisco Systems
Category: Standards Track G. Gross
Secure Multicast Networks LLC
D. Ignjatic
Polycom
November 2008
<span class="h1">Multicast Extensions to the</span>
<span class="h1">Security Architecture for the Internet Protocol</span>
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (c) 2008 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and the IETF Trust's Legal
Provisions Relating to IETF Documents (<a href="http://trustee.ietf.org/license-info">http://trustee.ietf.org/</a>
<a href="http://trustee.ietf.org/license-info">license-info</a>) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document.
Abstract
The Security Architecture for the Internet Protocol describes
security services for traffic at the IP layer. That architecture
primarily defines services for Internet Protocol (IP) unicast
packets. This document describes how the IPsec security services are
applied to IP multicast packets. These extensions are relevant only
for an IPsec implementation that supports multicast.
<span class="grey">Weis, et al. Standards Track [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc5374">RFC 5374</a> Multicast Extensions to <a href="./rfc4301">RFC 4301</a> November 2008</span>
Table of Contents
<a href="#section-1">1</a>. Introduction ....................................................<a href="#page-3">3</a>
<a href="#section-1.1">1.1</a>. Scope ......................................................<a href="#page-3">3</a>
<a href="#section-1.2">1.2</a>. Terminology ................................................<a href="#page-4">4</a>
<a href="#section-2">2</a>. Overview of IP Multicast Operation ..............................<a href="#page-6">6</a>
<a href="#section-3">3</a>. Security Association Modes ......................................<a href="#page-7">7</a>
<a href="#section-3.1">3.1</a>. Tunnel Mode with Address Preservation ......................<a href="#page-7">7</a>
<a href="#section-4">4</a>. Security Association ............................................<a href="#page-8">8</a>
<a href="#section-4.1">4.1</a>. Major IPsec Databases ......................................<a href="#page-8">8</a>
<a href="#section-4.1.1">4.1.1</a>. Group Security Policy Database (GSPD) ...............<a href="#page-8">8</a>
<a href="#section-4.1.2">4.1.2</a>. Security Association Database (SAD) ................<a href="#page-12">12</a>
<a href="#section-4.1.3">4.1.3</a>. Group Peer Authorization Database (GPAD) ...........<a href="#page-12">12</a>
<a href="#section-4.2">4.2</a>. Group Security Association (GSA) ..........................<a href="#page-14">14</a>
4.2.1. Concurrent IPsec SA Life Spans and Re-key Rollover .15
<a href="#section-4.3">4.3</a>. Data Origin Authentication ................................<a href="#page-17">17</a>
<a href="#section-4.4">4.4</a>. Group SA and Key Management ...............................<a href="#page-18">18</a>
<a href="#section-4.4.1">4.4.1</a>. Co-Existence of Multiple Key Management Protocols ..18
<a href="#section-5">5</a>. IP Traffic Processing ..........................................<a href="#page-18">18</a>
<a href="#section-5.1">5.1</a>. Outbound IP Traffic Processing ............................<a href="#page-18">18</a>
<a href="#section-5.2">5.2</a>. Inbound IP Traffic Processing .............................<a href="#page-19">19</a>
<a href="#section-6">6</a>. Security Considerations ........................................<a href="#page-22">22</a>
<a href="#section-6.1">6.1</a>. Security Issues Solved by IPsec Multicast Extensions ......<a href="#page-22">22</a>
<a href="#section-6.2">6.2</a>. Security Issues Not Solved by IPsec Multicast Extensions ..23
<a href="#section-6.2.1">6.2.1</a>. Outsider Attacks ...................................<a href="#page-23">23</a>
<a href="#section-6.2.2">6.2.2</a>. Insider Attacks ....................................<a href="#page-23">23</a>
<a href="#section-6.3">6.3</a>. Implementation or Deployment Issues that Impact Security ..24
6.3.1. Homogeneous Group Cryptographic Algorithm
Capabilities .......................................<a href="#page-24">24</a>
6.3.2. Groups that Span Two or More Security
Policy Domains .....................................<a href="#page-24">24</a>
6.3.3. Source-Specific Multicast Group Sender
Transient Locators .................................<a href="#page-25">25</a>
<a href="#section-7">7</a>. Acknowledgements ...............................................<a href="#page-25">25</a>
<a href="#section-8">8</a>. References .....................................................<a href="#page-25">25</a>
<a href="#section-8.1">8.1</a>. Normative References ......................................<a href="#page-25">25</a>
<a href="#section-8.2">8.2</a>. Informative References ....................................<a href="#page-26">26</a>
<a href="#appendix-A">Appendix A</a> - Multicast Application Service Models .................<a href="#page-28">28</a>
<a href="#appendix-A.1">A.1</a> Unidirectional Multicast Applications ......................<a href="#page-28">28</a>
<a href="#appendix-A.2">A.2</a> Bi-directional Reliable Multicast Applications .............<a href="#page-28">28</a>
<a href="#appendix-A.3">A.3</a> Any-To-Any Multicast Applications ..........................<a href="#page-30">30</a>
<a href="#appendix-B">Appendix B</a> - ASN.1 for a GSPD Entry ...............................<a href="#page-30">30</a>
<a href="#appendix-B.1">B.1</a> Fields Specific to a GSPD Entry ............................<a href="#page-30">30</a>
<a href="#appendix-B.2">B.2</a> SPDModule ..................................................<a href="#page-31">31</a>
<span class="grey">Weis, et al. Standards Track [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc5374">RFC 5374</a> Multicast Extensions to <a href="./rfc4301">RFC 4301</a> November 2008</span>
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>
The Security Architecture for the Internet Protocol [<a href="./rfc4301" title=""Security Architecture for the Internet Protocol"">RFC4301</a>]
provides security services for traffic at the IP layer. It describes
an architecture for IPsec-compliant systems and a set of security
services for the IP layer. These security services primarily
describe services and semantics for IPsec Security Associations (SAs)
shared between two IPsec devices. Typically, this includes SAs with
traffic selectors that include a unicast address in the IP
destination field, and results in an IPsec packet with a unicast
address in the IP destination field. The security services defined
in <a href="./rfc4301">RFC 4301</a> can also be used to tunnel IP multicast packets, where
the tunnel is a pairwise association between two IPsec devices. <a href="./rfc4301">RFC</a>
<a href="./rfc4301">4301</a> defined manually keyed transport mode IPsec SA support for IP
packets with a multicast address in the IP destination address field.
However, <a href="./rfc4301">RFC 4301</a> did not define the interaction of an IPsec
subsystem with a Group Key Management protocol or the semantics of a
tunnel mode IPsec SA with an IP multicast address in the outer IP
header.
This document describes OPTIONAL extensions to <a href="./rfc4301">RFC 4301</a> that further
define the IPsec security architecture in order for groups of IPsec
devices to share SAs. In particular, it supports SAs with traffic
selectors that include a multicast address in the IP destination
field and that result in an IPsec packet with an IP multicast address
in the IP destination field. It also describes additional semantics
for IPsec Group Key Management (GKM) subsystems. Note that this
document uses the term "GKM protocol" generically and therefore does
not assume a particular GKM protocol.
An IPsec implementation that does not support multicast is not
required to support these extensions.
Throughout this document, <a href="./rfc4301">RFC 4301</a> semantics remain unchanged by the
presence of these multicast extensions unless specifically noted to
the contrary.
<span class="h3"><a class="selflink" id="section-1.1" href="#section-1.1">1.1</a>. Scope</span>
The IPsec extensions described in this document support IPsec
Security Associations that result in IPsec packets with IPv4 or IPv6
multicast group addresses as the destination address. Both
Any-Source Multicast (ASM) and Source-Specific Multicast (SSM)
[<a href="./rfc3569" title=""An Overview of Source-Specific Multicast (SSM)"">RFC3569</a>] group addresses are supported. These extensions are used
when management policy requires that IP multicast packets protected
by IPsec remain IP multicast packets. When management policy
<span class="grey">Weis, et al. Standards Track [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc5374">RFC 5374</a> Multicast Extensions to <a href="./rfc4301">RFC 4301</a> November 2008</span>
requires that the IP multicast packets be encapsulated as IP unicast
packets (e.g., because the network connected to the unprotected
interface does not support IP multicast), the extensions in this
document are not used.
These extensions also support Security Associations with IPv4
Broadcast addresses that result in an IPv4 link-level Broadcast
packet, and IPv6 Anycast addresses [<a href="./rfc2526" title=""Reserved IPv6 Subnet Anycast Addresses"">RFC2526</a>] that result in an IPv6
Anycast packet. These destination address types share many of the
same characteristics of multicast addresses because there may be
multiple candidate receivers of a packet protected by IPsec.
The IPsec architecture does not make requirements upon entities not
participating in IPsec (e.g., network devices between IPsec
endpoints). As such, these multicast extensions do not require
intermediate systems in a multicast-enabled network to participate in
IPsec. In particular, no requirements are placed on the use of
multicast routing protocols (e.g., Protocol Independent Multicast -
Sparse Mode (PIM-SM) [<a href="./rfc4601" title=""Protocol Independent Multicast - Sparse Mode (PIM-SM): Protocol Specification (Revised)"">RFC4601</a>]) or multicast admission protocols
(e.g., Internet Group Management Protocol (IGMP) [<a href="./rfc3376" title=""Internet Group Management Protocol, Version 3"">RFC3376</a>]).
All implementation models of IPsec (e.g., "bump-in-the-stack",
"bump-in-the-wire") are supported.
This version of the multicast IPsec extension specification requires
that all IPsec devices participating in a Security Association be
homogeneous. They MUST share a common set of cryptographic transform
and protocol-handling capabilities. The semantics of an "IPsec
composite group" [<a href="#ref-COMPGRP" title=""Multicast IP Security Composite Cryptographic Groups"">COMPGRP</a>], a heterogeneous IPsec cryptographic group
formed from the union of two or more sub-groups, is an area for
future standardization.
<span class="h3"><a class="selflink" id="section-1.2" href="#section-1.2">1.2</a>. Terminology</span>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <a href="./rfc2119">RFC 2119</a> [<a href="./rfc2119" title=""Key words for use in RFCs to Indicate Requirement Levels"">RFC2119</a>].
The following key terms are used throughout this document.
Any-Source Multicast (ASM)
The Internet Protocol (IP) multicast service model as defined in
<a href="./rfc1112">RFC 1112</a> [<a href="./rfc1112" title=""Host extensions for IP multicasting"">RFC1112</a>]. In this model, one or more senders source
packets to a single IP multicast address. When receivers join the
group, they receive all packets sent to that IP multicast address.
This is known as a (*,G) group.
<span class="grey">Weis, et al. Standards Track [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc5374">RFC 5374</a> Multicast Extensions to <a href="./rfc4301">RFC 4301</a> November 2008</span>
Group
A set of devices that work together to protect group
communications.
Group Controller Key Server (GCKS)
A Group Key Management (GKM) protocol server that manages IPsec
state for a group. A GCKS authenticates and provides the IPsec SA
policy and keying material to GKM Group Members.
Group Key Management (GKM) Protocol
A key management protocol used by a GCKS to distribute IPsec
Security Association policy and keying material. A GKM protocol
is used when a group of IPsec devices require the same SAs. For
example, when an IPsec SA describes an IP multicast destination,
the sender and all receivers need to have the group SA.
Group Key Management Subsystem
A subsystem in an IPsec device implementing a Group Key Management
protocol. The GKM subsystem provides IPsec SAs to the IPsec
subsystem on the IPsec device. Refer to <a href="./rfc3547">RFC 3547</a> [<a href="./rfc3547" title=""The Group Domain of Interpretation"">RFC3547</a>] and
<a href="./rfc4535">RFC 4535</a> [<a href="./rfc4535" title=""GSAKMP: Group Secure Association Key Management Protocol"">RFC4535</a>] for additional information.
Group Member
An IPsec device that belongs to a group. A Group Member is
authorized to be a Group Sender and/or a Group Receiver.
Group Owner
An administrative entity that chooses the policy for a group.
Group Security Association (GSA)
A collection of IPsec Security Associations (SAs) and GKM
subsystem SAs necessary for a Group Member to receive key updates.
A GSA describes the working policy for a group. Refer to <a href="./rfc4046">RFC 4046</a>
[<a href="./rfc4046" title=""Multicast Security (MSEC) Group Key Management Architecture"">RFC4046</a>] for additional information.
Group Security Policy Database (GSPD)
The GSPD is a multicast-capable security policy database, as
mentioned in <a href="./rfc3740">RFC 3740</a> and <a href="./rfc4301#section-4.4.1.1">Section 4.4.1.1. of RFC 4301</a>. Its
semantics are a superset of the unicast Security Policy Database
(SPD) defined by <a href="./rfc4301#section-4.4.1">Section 4.4.1 of RFC 4301</a>. Unlike a unicast
SPD-S, in which point-to-point traffic selectors are inherently
bi-directional, multicast security traffic selectors in the GSPD-S
include a "sender only", "receiver only", or "symmetric"
directional attribute. Refer to <a href="#section-4.1.1">Section 4.1.1</a> for more details.
GSPD-S, GSPD-I, GSPD-O
Group Security Policy Database (secure traffic), (inbound), and
(outbound), respectively. See <a href="./rfc4301#section-4.4.1">Section 4.4.1 of RFC 4301</a>.
<span class="grey">Weis, et al. Standards Track [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc5374">RFC 5374</a> Multicast Extensions to <a href="./rfc4301">RFC 4301</a> November 2008</span>
Group Receiver
A Group Member that is authorized to receive packets sent to a
group by a Group Sender.
Group Sender
A Group Member that is authorized to send packets to a group.
Source-Specific Multicast (SSM)
The Internet Protocol (IP) multicast service model as defined in
<a href="./rfc3569">RFC 3569</a> [<a href="./rfc3569" title=""An Overview of Source-Specific Multicast (SSM)"">RFC3569</a>]. In this model, each combination of a sender
and an IP multicast address is considered a group. This is known
as an (S,G) group.
Tunnel Mode with Address Preservation
A type of IPsec tunnel mode used by security gateway
implementations when encapsulating IP multicast packets such that
they remain IP multicast packets. This mode is necessary for IP
multicast routing to correctly route IP multicast packets
protected by IPsec.
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Overview of IP Multicast Operation</span>
IP multicasting is a means of sending a single packet to a "host
group", a set of zero or more hosts identified by a single IP
destination address. IP multicast packets are delivered to all
members of the group either with "best-efforts" reliability [<a href="./rfc1112" title=""Host extensions for IP multicasting"">RFC1112</a>]
or as part of a reliable stream (e.g., NACK-Oriented Reliable
Multicast (NORM) [<a href="./rfc3940" title=""Negative-acknowledgment (NACK)-Oriented Reliable Multicast (NORM) Protocol"">RFC3940</a>]).
A sender to an IP multicast group sets the destination of the packet
to an IP address that has been allocated for IP multicast. Allocated
IP multicast addresses are defined in [<a href="./rfc3171" title=""IANA Guidelines for IPv4 Multicast Address Assignments"">RFC3171</a>], [<a href="./rfc3306" title=""Unicast-Prefix-based IPv6 Multicast Addresses"">RFC3306</a>], and
[<a href="./rfc3307" title=""Allocation Guidelines for IPv6 Multicast Addresses"">RFC3307</a>]. Potential receivers of the packet "join" the IP multicast
group by registering with a network routing device ([<a href="./rfc3376" title=""Internet Group Management Protocol, Version 3"">RFC3376</a>],
[<a href="./rfc3810" title=""Multicast Listener Discovery Version 2 (MLDv2) for IPv6"">RFC3810</a>]), signaling its intent to receive packets sent to a
particular IP multicast group.
Network routing devices configured to pass IP multicast packets
participate in multicast routing protocols (e.g., PIM-SM) [<a href="./rfc4601" title=""Protocol Independent Multicast - Sparse Mode (PIM-SM): Protocol Specification (Revised)"">RFC4601</a>].
Multicast routing protocols maintain state regarding which devices
have registered to receive packets for a particular IP multicast
group. When a router receives an IP multicast packet, it forwards a
copy of the packet out of each interface for which there are known
receivers.
<span class="grey">Weis, et al. Standards Track [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc5374">RFC 5374</a> Multicast Extensions to <a href="./rfc4301">RFC 4301</a> November 2008</span>
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. Security Association Modes</span>
IPsec supports two modes of use: transport mode and tunnel mode. In
transport mode, IP Authentication Header (AH) [<a href="./rfc4302" title=""IP Authentication Header"">RFC4302</a>] and IP
Encapsulating Security Payload (ESP) [<a href="./rfc4303" title=""IP Encapsulating Security Payload (ESP)"">RFC4303</a>] provide protection
primarily for next layer protocols; in tunnel mode, AH and ESP are
applied to tunneled IP packets.
A host implementation of IPsec using the multicast extensions MAY use
either transport mode or tunnel mode to encapsulate an IP multicast
packet. These processing rules are identical to the rules described
in <a href="./rfc4301#section-4.1">Section 4.1 of [RFC4301]</a>. However, the destination address for
the IPsec packet is an IP multicast address, rather than a unicast
host address.
A security gateway implementation of IPsec MUST use a tunnel mode SA,
for the reasons described in <a href="./rfc4301#section-4.1">Section 4.1 of [RFC4301]</a>. In
particular, the security gateway needs to use tunnel mode to
encapsulate incoming fragments, since IPsec cannot directly operate
on fragments.
<span class="h3"><a class="selflink" id="section-3.1" href="#section-3.1">3.1</a>. Tunnel Mode with Address Preservation</span>
New (tunnel) header construction semantics are required when tunnel
mode is used to encapsulate IP multicast packets that are to remain
IP multicast packets. These semantics are due to the following
unique requirements of IP multicast routing protocols (e.g., PIM-SM
[<a href="./rfc4601" title=""Protocol Independent Multicast - Sparse Mode (PIM-SM): Protocol Specification (Revised)"">RFC4601</a>]). This document describes these new header construction
semantics as "tunnel mode with address preservation", which is
described as follows.
- When an IP multicast packet is received by a host or router, the
destination address of the packet is compared to the local IP
multicast state. If the (outer) destination IP address of an IP
multicast packet is set to another IP address, the host or router
receiving the IP multicast packet will not process it properly.
Therefore, an IPsec security gateway needs to populate the
multicast IP destination address in the outer header using the
destination address from the inner header after IPsec tunnel
encapsulation.
- IP multicast routing protocols typically create multicast
distribution trees based on the source address as well as the group
address. If an IPsec security gateway populates the (outer) source
address of an IP multicast packet (with its own IP address, as
called for in <a href="./rfc4301">RFC 4301</a>), the resulting IPsec-protected packet may
fail Reverse Path Forwarding (RPF) checks performed by other
routers. A failed RPF check may result in the packet being
<span class="grey">Weis, et al. Standards Track [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc5374">RFC 5374</a> Multicast Extensions to <a href="./rfc4301">RFC 4301</a> November 2008</span>
dropped. To accommodate routing protocol RPF checks, the security
gateway implementing the IPsec multicast extensions SHOULD populate
the outer IP address from the original packet IP source address.
However, it should be noted that a security gateway performing
source address preservation will not receive ICMP Path MTU (PMTU)
or other messages intended for the security gateway (triggered by
packets that have had the outer IP source address set to that of
the inner header). Security gateway applications not requiring
source address preservation will be able to receive ICMP PMTU
messages and process them as described in <a href="./rfc4301#section-6.1">Section 6.1 of RFC 4301</a>.
Because some applications of address preservation may require that
only the destination address be preserved, specification of
destination address preservation and source address preservation are
separated in the above description. Destination address preservation
and source address preservation attributes are described in the Group
Security Policy Database (GSPD) (defined later in this document), and
are copied into corresponding Security Association Database (SAD)
entries.
Address preservation is applicable only for tunnel mode IPsec SAs
that specify the IP version of the encapsulating header to be the
same version as that of the inner header. When the IP versions are
different, IP multicast packets can be encapsulated using a tunnel
interface, for example as described in [<a href="./rfc4891" title=""Using IPsec to Secure IPv6-in-IPv4 Tunnels"">RFC4891</a>], where the tunnel is
also treated as an interface by IP multicast routing protocols.
In summary, propagating both the IP source and destination addresses
of the inner IP header into the outer (tunnel) header allows IP
multicast routing protocols to route a packet properly when the
packet is protected by IPsec. This result is necessary in order for
the multicast extensions to allow a host or security gateway to
provide IPsec services for IP multicast packets. This method of <a href="./rfc4301">RFC</a>
<a href="./rfc4301">4301</a> tunnel mode is known as "tunnel mode with address preservation".
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. Security Association</span>
<span class="h3"><a class="selflink" id="section-4.1" href="#section-4.1">4.1</a>. Major IPsec Databases</span>
The following sections describe the GKM subsystem and IPsec extension
interactions with the IPsec databases. The major IPsec databases
need expanded semantics to fully support multicast.
<span class="h4"><a class="selflink" id="section-4.1.1" href="#section-4.1.1">4.1.1</a>. Group Security Policy Database (GSPD)</span>
The Group Security Policy Database is a security policy database
capable of supporting both unicast Security Associations as defined
by <a href="./rfc4301">RFC 4301</a> and the multicast extensions defined by this
<span class="grey">Weis, et al. Standards Track [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc5374">RFC 5374</a> Multicast Extensions to <a href="./rfc4301">RFC 4301</a> November 2008</span>
specification. The GSPD is considered to be the SPD, with the
addition of the semantics relating to the multicast extensions
described in this section. <a href="#appendix-B">Appendix B</a> provides an example of an
ASN.1 definition of a GSPD entry.
This document describes a new "address preservation" (AP) flag
indicating that tunnel mode with address preservation is to be
applied to a GSPD entry. The AP flag has two attributes: AP-L, used
in the processing of the local tunnel address, and AP-R, used in the
processing of the remote tunnel process. This flag is added to the
GSPD "Processing info" field of the GSPD. The following text
reproduced from <a href="./rfc4301#section-4.4.1.2">Section 4.4.1.2 of RFC 4301</a> is amended to include
this additional processing. (Note: for brevity, only the "Processing
info" text related to tunnel processing has been reproduced.)
o Processing info -- which action is required -- PROTECT,
BYPASS, or DISCARD. There is just one action that goes with
all the selector sets, not a separate action for each set.
If the required processing is PROTECT, the entry contains the
following information.
- IPsec mode -- tunnel or transport
- (if tunnel mode) local tunnel address -- For a non-mobile
host, if there is just one interface, this is
straightforward; if there are multiple interfaces, this
must be statically configured. For a mobile host, the
specification of the local address is handled externally to
IPsec. If tunnel mode with address preservation is
specified for the local tunnel address, the AP-L attribute
is set to TRUE for the local tunnel address and the local
tunnel address is unspecified. The presence of the AP-L
attribute indicates that the inner IP header source address
will be copied to the outer IP header source address during
IP header construction for tunnel mode.
- (if tunnel mode) remote tunnel address -- There is no
standard way to determine this. See Section 4.5.3 of <a href="./rfc4301">RFC</a>
<a href="./rfc4301">4301</a>, "Locating a Security Gateway". If tunnel mode with
address preservation is specified for the remote tunnel
address, the AP-R attribute is set to TRUE for the remote
tunnel address and the remote tunnel address is
unspecified. The presence of the AP-R attribute indicates
that the inner IP header destination address will be copied
to the outer IP header destination address during IP header
construction for tunnel mode.
This document describes unique directionality processing for GSPD
entries with a remote IP multicast address. Since an IP multicast
address must not be sent as the source address of an IP packet
<span class="grey">Weis, et al. Standards Track [Page 9]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-10" ></span>
<span class="grey"><a href="./rfc5374">RFC 5374</a> Multicast Extensions to <a href="./rfc4301">RFC 4301</a> November 2008</span>
[<a href="./rfc1112" title=""Host extensions for IP multicasting"">RFC1112</a>], directionality of Local and Remote addresses and ports is
maintained during incoming SPD-S and SPD-I checks rather than being
swapped. <a href="./rfc4301#section-4.4.1">Section 4.4.1 of RFC 4301</a> is amended as follows:
Representing Directionality in an SPD Entry
For traffic protected by IPsec, the Local and Remote address
and ports in an SPD entry are swapped to represent
directionality, consistent with IKE conventions. In general,
the protocols that IPsec deals with have the property of
requiring symmetric SAs with flipped Local/Remote IP
addresses. However, SPD entries with a remote IP multicast
address do not have their Local and Remote addresses and
ports in an SPD entry swapped during incoming SPD-S and SPD-I
checks.
A new Group Security Policy Database (GSPD) attribute is introduced:
GSPD entry directionality. The following text is added to the bullet
list of SPD fields described in <a href="./rfc4301#section-4.4.1.2">Section 4.4.1.2 of RFC 4301</a>.
o Directionality -- can be one of three types: "symmetric",
"sender only", or "receiver only". "Symmetric" indicates
that a pair of SAs are to be created (one in each direction,
as specified by <a href="./rfc4301">RFC 4301</a>). GSPD entries marked as "sender
only" indicate that one SA is to be created in the outbound
direction. GSPD entries marked as "receiver only" indicate
that one SA is to be created in the inbound direction. GSPD
entries marked as "sender only" or "receiver only" SHOULD
support multicast IP addresses in their destination address
selectors. If the processing requested is BYPASS or DISCARD
and a "sender only" type is configured, the entry MUST be put
in GSPD-O only. Reciprocally, if the type is "receiver
only", the entry MUST go to GSPD-I only.
GSPD entries created by a GCKS may be assigned identical Security
Parameter Indexes (SPIs) to SAD entries created by IKEv2 [<a href="./rfc4306" title=""Internet Key Exchange (IKEv2) Protocol"">RFC4306</a>].
This is not a problem for the inbound traffic as the appropriate SAs
can be matched using the algorithm described in Section 4.1 of <a href="./rfc4301">RFC</a>
<a href="./rfc4301">4301</a>. However, the outbound traffic needs to be matched against the
GSPD selectors so that the appropriate SA can be created.
To facilitate dynamic group keying, the outbound GSPD MUST implement
a policy action capability that triggers a GKM protocol registration
exchange (as per <a href="./rfc4301#section-5.1">Section 5.1 of [RFC4301]</a>). For example, the Group
Sender GSPD policy might trigger on a match with a specified
multicast application packet that is entering the implementation via
the protected interface or that is emitted by the implementation on
the protected side of the boundary and directed toward the
<span class="grey">Weis, et al. Standards Track [Page 10]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-11" ></span>
<span class="grey"><a href="./rfc5374">RFC 5374</a> Multicast Extensions to <a href="./rfc4301">RFC 4301</a> November 2008</span>
unprotected interface. The ensuing Group Sender registration
exchange would set up the Group Sender's outbound SAD entry that
encrypts the multicast application's data stream. In the inverse
direction, group policy may also set up an inbound IPsec SA.
At the Group Receiver endpoint(s), the IPsec subsystem MAY use GSPD
policy mechanisms that initiate a GKM protocol registration exchange.
One such policy mechanism might be on the detection of a device in
the protected network joining a multicast group matching GSPD policy
(e.g., by receiving a IGMP/MLD (Multicast Listener Discovery) join
group message on a protected interface). The ensuing Group Receiver
registration exchange would set up the Group Receiver's inbound SAD
entry that decrypts the multicast application's data stream. In the
inverse direction, the group policy may also set up an outbound IPsec
SA (e.g., when supporting an ASM service model).
Note: A security gateway triggering on the receipt of unauthenticated
messages arriving on a protected interface may result in early Group
Receiver registration if the message is not the result of a device on
the protected network actually wishing to join a multicast group.
The unauthenticated messages will only cause the Group Receiver to
register once; subsequent messages will have no effect on the Group
Receiver.
The IPsec subsystem MAY provide GSPD policy mechanisms that
automatically initiate a GKM protocol de-registration exchange.
De-registration allows a GCKS to minimize exposure of the group's
secret key by re-keying a group on a group membership change event.
It also minimizes cost on a GCKS for those groups that maintain
member state. One such policy mechanism could be the detection of
IGMP/MLD leave group exchange. However, a security gateway Group
Member would not initiate a GKM protocol de-registration exchange
until it detects that there are no more receivers behind a protected
interface.
Additionally, the GKM subsystem MAY set up the GSPD/SAD state
information independent of the multicast application's state. In
this scenario, the Group Owner issues management directives that tell
the GKM subsystem when it should start GKM registration and
de-registration protocol exchanges. Typically, the registration
policy strives to make sure that the group's IPsec subsystem state is
"always ready" in anticipation of the multicast application starting
its execution.
<span class="grey">Weis, et al. Standards Track [Page 11]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-12" ></span>
<span class="grey"><a href="./rfc5374">RFC 5374</a> Multicast Extensions to <a href="./rfc4301">RFC 4301</a> November 2008</span>
<span class="h4"><a class="selflink" id="section-4.1.2" href="#section-4.1.2">4.1.2</a>. Security Association Database (SAD)</span>
The SAD contains an item describing whether tunnel or transport mode
is applied to traffic on this SA. The text in <a href="./rfc4301#section-4.4.2.1">RFC 4301 Section </a>
<a href="#section-4.4.2.1">4.4.2.1</a> is amended to describe address preservation.
o IPsec protocol mode: tunnel or transport. Indicates which
mode of AH or ESP is applied to traffic on this SA. When
tunnel mode is specified, the data item also indicates
whether or not address preservation is applied to the outer
IP header. Address preservation MUST NOT be specified when
the IP version of the encapsulating header and IP version of
the inner header do not match. The local address, remote
address, or both addresses MAY be marked as being preserved
during tunnel encapsulation.
<span class="h4"><a class="selflink" id="section-4.1.3" href="#section-4.1.3">4.1.3</a>. Group Peer Authorization Database (GPAD)</span>
The multicast IPsec extensions introduce a new data structure called
the Group Peer Authorization Database (GPAD). The GPAD is analogous
to the PAD defined in <a href="./rfc4301">RFC 4301</a>. It provides a link between the GSPD
and a Group Key Management (GKM) Subsystem. The GPAD embodies the
following critical functions:
o identifies a GCKS (or group of GCKS devices) that is
authorized to communicate with this IPsec entity
o specifies the protocol and method used to authenticate each
GCKS
o provides the authentication data for each GKCS
o constrains the traffic selectors that can be asserted by a
GCKS with regard to SA creation
o constrains the types and values of Group Identifiers for
which a GCKS is authorized to provide group policy
The GPAD provides these functions for a Group Key Management
subsystem. The GPAD is not consulted by IKE or other authentication
protocols that do not act as GKM protocols.
To provide these functions, the GPAD contains an entry for each GCKS
that the IPsec entity is configured to contact. An entry contains
one or more GCKS Identifiers, the authentication protocol (e.g.,
Group Domain of Interpretation (GDOI) or Group Secure Association Key
Management Protocol (GSAKMP)), the authentication method used (e.g.,
certificates or pre-shared secrets), and the authentication data
<span class="grey">Weis, et al. Standards Track [Page 12]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-13" ></span>
<span class="grey"><a href="./rfc5374">RFC 5374</a> Multicast Extensions to <a href="./rfc4301">RFC 4301</a> November 2008</span>
(e.g., the pre-shared secret or trust anchor relative to which the
peer's certificate will be validated). For certificate-based
authentication, the entry also may provide information to assist in
verifying the revocation status of the peer, e.g., a pointer to a
Certificate Revocation List (CRL) repository or the name of an Online
Certificate Status Protocol (OCSP) server associated with either the
peer or the trust anchor associated with the peer. The entry also
contains constraints a Group Member applies to the policy received
from the GKCS.
<span class="h5"><a class="selflink" id="section-4.1.3.1" href="#section-4.1.3.1">4.1.3.1</a>. GCKS Identifiers</span>
GCKS Identifiers are used to identify one or more devices that are
authorized to act as a GCKS for this group. GCKS Identifiers are
specified as PAD entry IDs in <a href="./rfc4301#section-4.4.3.1">Section 4.4.3.1 of RFC 4301</a> and follow
the matching rules described therein.
<span class="h5"><a class="selflink" id="section-4.1.3.2" href="#section-4.1.3.2">4.1.3.2</a>. GCKS Peer Authentication Data</span>
Once a GPAD entry is located, it is necessary to verify the asserted
identity, i.e., to authenticate the asserted GCKS Identifier. PAD
authentication data types and semantics specified in <a href="./rfc4301#section-4.4.3.2">Section 4.4.3.2
of RFC 4301</a> are used to authenticate a GCKS.
See GDOI [<a href="./rfc3547" title=""The Group Domain of Interpretation"">RFC3547</a>] and GSAKMP [<a href="./rfc4535" title=""GSAKMP: Group Secure Association Key Management Protocol"">RFC4535</a>] for details of how a GKM
protocol performs peer authentication using certificates and
pre-shared secrets.
<span class="h5"><a class="selflink" id="section-4.1.3.3" href="#section-4.1.3.3">4.1.3.3</a>. Group Identifier Authorization Data</span>
A Group Identifier is used by a GKM protocol to identify a particular
group to a GCKS. A GPAD entry includes a Group Identifier to
indicate that the GKCS Identifiers in the GPAD entry are authorized
to act as a GCKS for the group.
The Group Identifier is an opaque byte string of IKE ID type Key ID
that identifies a secure multicast group. The Group Identifier byte
string MUST be at least four bytes long and less than 256 bytes long.
IKE ID types other than Key ID MAY be supported.
<span class="h5"><a class="selflink" id="section-4.1.3.4" href="#section-4.1.3.4">4.1.3.4</a>. IPsec SA Traffic Selector Authorization Data</span>
Once a GCKS is authenticated, the GCKS delivers IPsec SA policy to
the Group Member. Before the Group Member accepts the IPsec SA
Policy, the source and destination traffic selectors of the SA are
compared to a set of authorized data flows. Each data flow includes
a set of authorized source traffic selectors and a set of authorized
<span class="grey">Weis, et al. Standards Track [Page 13]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-14" ></span>
<span class="grey"><a href="./rfc5374">RFC 5374</a> Multicast Extensions to <a href="./rfc4301">RFC 4301</a> November 2008</span>
destination traffic selectors. Traffic selectors are represented as
a set of IPv4 and/or IPv6 address ranges. (A peer may be authorized
for both address types, so there MUST be provision for both v4 and v6
address ranges.)
<span class="h5"><a class="selflink" id="section-4.1.3.5" href="#section-4.1.3.5">4.1.3.5</a>. How the GPAD Is Used</span>
When a GKM protocol registration exchange is triggered, the Group
Member and GCKS each assert their identity as a part of the exchange.
Each GKM protocol registration exchange MUST use the asserted ID to
locate an identity in the GPAD. The GPAD entry specifies the
authentication method to be employed for the identified GCKS. The
entry also specifies the authentication data that will be used to
verify the asserted identity. This data is employed in conjunction
with the specified method to authenticate the GCKS before accepting
any group policy from the GCKS.
During the GKM protocol registration, a Group Member includes a Group
Identifier. Before presenting that Group Identifier to the GCKS, a
Group Member verifies that the GPAD entry for authenticated GCKS GPAD
entry includes the Group Identifier. This ensures that the GCKS is
authorized to provide policy for the Group.
When IPsec SA policy is received, each data flow is compared to the
data flows in the GPAD entry. The Group Member accepts policy
matching a data flow. Policy not matching a data flow is discarded,
and the reason SHOULD be recorded in the audit log.
A GKM protocol may distribute IPsec SA policy to IPsec devices that
have previously registered with it. The method of distribution is
part of the GKM protocol and is outside the scope of this memo. When
the IPsec device receives this new policy, it compares the policy to
the data flows in the GPAD entry as described above.
<span class="h3"><a class="selflink" id="section-4.2" href="#section-4.2">4.2</a>. Group Security Association (GSA)</span>
An IPsec implementation supporting these extensions will support a
number of Security Associations: one or more IPsec SAs plus one or
more GKM SAs used to download the parameters that are used to create
IPsec SAs. These SAs are collectively referred to as a Group
Security Association (GSA) [<a href="./rfc3740" title=""The Multicast Group Security Architecture"">RFC3740</a>].
<span class="h4"><a class="selflink" id="section-4.2.1" href="#section-4.2.1">4.2.1</a>. Concurrent IPsec SA Life Spans and Re-key Rollover</span>
During a secure multicast group's lifetime, multiple IPsec Group
Security Associations can exist concurrently. This occurs
principally due to two reasons:
<span class="grey">Weis, et al. Standards Track [Page 14]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-15" ></span>
<span class="grey"><a href="./rfc5374">RFC 5374</a> Multicast Extensions to <a href="./rfc4301">RFC 4301</a> November 2008</span>
- There are multiple Group Senders authorized in the group, each with
its own IPsec SA, which maintains anti-replay state. A group that
does not rely on IP security anti-replay services can share one
IPsec SA for all of its Group Senders.
- The life spans of a Group Sender's two (or more) IPsec SAs are
allowed to overlap in time so that there is continuity in the
multicast data stream across group re-key events. This capability
is referred to as "re-key rollover continuity".
The re-key continuity rollover algorithm depends on an IPsec SA
management interface between the GKM subsystem and the IPsec
subsystem. The IPsec subsystem MUST provide management interface
mechanisms for the GKM subsystem to add IPsec SAs and to delete IPsec
SAs. For illustrative purposes, this text defines the re-key
rollover continuity algorithm in terms of two timer parameters that
govern IPsec SA life spans relative to the start of a group re-key
event. However, it should be emphasized that the GKM subsystem
interprets the group's security policy to direct the correct timing
of IPsec SA activation and deactivation. A given group policy may
choose timer values that differ from those recommended by this text.
The two re-key rollover continuity timer parameters are:
1. Activation Time Delay (ATD) - The ATD defines how long after the
start of a re-key event to activate new IPsec SAs. The ATD
parameter is expressed in units of seconds. Typically, the ATD
parameter is set to the maximum time it takes to deliver a
multicast message from the GCKS to all of the group's members.
For a GCKS that relies on a Reliable Multicast Transport Protocol
(RMTP), the ATD parameter could be set equal to the RTMP's maximum
error recovery time. When an RMTP is not present, the ATD
parameter might be set equal to the network's maximum multicast
message delivery latency across all of the group's endpoints. The
ATD is a GKM group policy parameter. This value SHOULD be
configurable at the Group Owner management interface on a per
group basis.
2. Deactivation Time Delay (DTD) - The DTD defines how long after the
start of a re-key event to deactivate those IPsec SAs that are
destroyed by the re-key event. The purpose of the DTD parameter
is to minimize the residual exposure of a group's keying material
after a re-key event has retired that keying material. The DTD is
independent of, and should not to be confused with, the IPsec SA
soft lifetime attribute. The DTD parameter is expressed in units
of seconds. Typically, the DTD parameter would be set to the ADT
plus the maximum time it takes to deliver a multicast message from
the Group Sender to all of the group's members. For a Group
Sender that relies on an RMTP, the DTD parameter could be set
<span class="grey">Weis, et al. Standards Track [Page 15]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-16" ></span>
<span class="grey"><a href="./rfc5374">RFC 5374</a> Multicast Extensions to <a href="./rfc4301">RFC 4301</a> November 2008</span>
equal to ADT plus the RMTP's maximum error recovery time. When an
RMTP is not present, the DTD parameter might be set equal to ADT
plus the network's maximum multicast message delivery latency
across all of the group's endpoints. A GKM subsystem MAY
implement the DTD as a group security policy parameter. If a GKM
subsystem does not implement the DTD parameter, then other group
security policy mechanisms MUST determine when to deactivate an
IPsec SA.
Each group re-key multicast message sent by a GCKS signals the start
of a new Group Sender IPsec SA time epoch, with each such epoch
having an associated set of two IPsec SAs. Note that this document
refers to re-key mechanisms as being multicast because of the
inherent scalability of IP multicast distribution. However, there is
no particular reason that re-keying mechanisms must be multicast.
For example, [<a href="#ref-ZLLY03" title=""Protocol Design for Scalable and Reliable Group Rekeying"">ZLLY03</a>] describes a method of re-key employing both
unicast and multicast messages.
The group membership interacts with these IPsec SAs as follows:
- As a precursor to the Group Sender beginning its re-key rollover
continuity processing, the GCKS periodically multicasts a Re-Key
Event (RKE) message to the group. The RKE multicast MAY contain
group policy directives, new IPsec SA policy, and group keying
material. In the absence of an RMTP, the GCKS may re-transmit the
RKE a policy-defined number of times to improve the availability of
re-key information. The GKM subsystem starts the ATD and DTD
timers after it receives the last RKE re-transmission.
- The GKM subsystem interprets the RKE multicast to configure the
group's GSPD/SAD with the new IPsec SAs. Each IPsec SA that
replaces an existing SA is called a "leading edge" IPsec SA. The
leading edge IPsec SA has a new Security Parameter Index (SPI) and
its associated keying material, which keys it. For a time period
of ATD seconds after the GCKS multicasts the RKE, a Group Sender
does not yet transmit data using the leading edge IPsec SA.
Meanwhile, other Group Members prepare to use this IPsec SA by
installing the leading edge IPsec SAs to their respective GSPD/SAD.
- After waiting for the ATD period, such that all of the Group
Members have received and processed the RKE message, the GKM
subsystem directs the Group Sender to begin to transmit using the
leading edge IPsec SA with its data encrypted by the new keying
material. Only authorized Group Members can decrypt these IPsec SA
multicast transmissions.
<span class="grey">Weis, et al. Standards Track [Page 16]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-17" ></span>
<span class="grey"><a href="./rfc5374">RFC 5374</a> Multicast Extensions to <a href="./rfc4301">RFC 4301</a> November 2008</span>
- The Group Sender's "trailing edge" SA is the oldest Security
Association in use by the group for that sender. All authorized
Group Members can receive and decrypt data for this SA, but the
Group Sender does not transmit new data using the trailing edge
IPsec SA after it has transitioned to the leading edge IPsec SA.
The trailing edge IPsec SA is deleted by the group's GKM subsystems
after the DTD time period has elapsed since the RKE transmission.
This re-key rollover strategy allows the group to drain its
in-transit datagrams from the network while transitioning to the
leading edge IPsec SA. Staggering the roles of each respective IPsec
SA as described above improves the group's synchronization even when
there are high network propagation delays. Note that due to group
membership joins and leaves, each Group Sender IPsec SA time epoch
may have a different group membership set.
It is a group policy decision whether the re-key event transition
between epochs provides forward and backward secrecy. The group's
re-key protocol keying material and algorithm (e.g., Logical Key
Hierarchy; refer to [<a href="./rfc2627" title=""Key Management for Multicast: Issues and Architectures"">RFC2627</a>] and <a href="./rfc4535#appendix-A">Appendix A of [RFC4535]</a>) enforces
this policy. Implementations MAY offer a Group Owner management
interface option to enable/disable re-key rollover continuity for a
particular group. This specification requires that a GKM/IPsec
implementation MUST support at least two concurrent IPsec SAs per
Group Sender as well as this re-key rollover continuity algorithm.
<span class="h3"><a class="selflink" id="section-4.3" href="#section-4.3">4.3</a>. Data Origin Authentication</span>
As defined in [<a href="./rfc4301" title=""Security Architecture for the Internet Protocol"">RFC4301</a>], data origin authentication is a security
service that verifies the identity of the claimed source of data. A
Message Authentication Code (MAC) is often used to achieve data
origin authentication for connections shared between two parties.
However, typical MAC authentication methods using a single shared
secret are not sufficient to provide data origin authentication for
groups with more than two parties. With a MAC algorithm, every Group
Member can use the MAC key to create a valid MAC tag, whether or not
they are the authentic originator of the group application's data.
When the property of data origin authentication is required for an
IPsec SA shared by more than two parties, an authentication transform
where the receiver is assured that the sender generated that message
should be used. Two possible algorithms are Timed Efficient Stream
Loss-Tolerant Authentication (TESLA) [<a href="./rfc4082" title=""Timed Efficient Stream Loss-Tolerant Authentication (TESLA): Multicast Source Authentication Transform Introduction"">RFC4082</a>] or RSA digital
signature [<a href="./rfc4359" title=""The Use of RSA/SHA-1 Signatures within Encapsulating Security Payload (ESP) and Authentication Header (AH)"">RFC4359</a>].
In some cases (e.g., digital signature authentication transforms),
the processing cost of the algorithm is significantly greater than a
Hashed Message Authentication Code (HMAC) authentication method. To
<span class="grey">Weis, et al. Standards Track [Page 17]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-18" ></span>
<span class="grey"><a href="./rfc5374">RFC 5374</a> Multicast Extensions to <a href="./rfc4301">RFC 4301</a> November 2008</span>
protect against denial-of-service attacks from a device that is not
authorized to join the group, the IPsec SA using this algorithm may
be encapsulated with an IPsec SA using a MAC authentication
algorithm. However, doing so requires the packet to be sent across
the IPsec boundary a second time for additional outbound processing
on the Group Sender (see <a href="./rfc4301#section-5.1">Section 5.1 of [RFC4301]</a>) and a second time
for inbound processing on Group Receivers (see <a href="./rfc4301#section-5.2">Section 5.2 of
[RFC4301]</a>). This use of AH or ESP encapsulated within AH or ESP
accommodates the constraint that AH and ESP define an Integrity Check
Value (ICV) for only a single authenticator transform.
<span class="h3"><a class="selflink" id="section-4.4" href="#section-4.4">4.4</a>. Group SA and Key Management</span>
<span class="h4"><a class="selflink" id="section-4.4.1" href="#section-4.4.1">4.4.1</a>. Co-Existence of Multiple Key Management Protocols</span>
Often, the GKM subsystem will be introduced to an existent IPsec
subsystem as a companion key management protocol to IKEv2 [<a href="./rfc4306" title=""Internet Key Exchange (IKEv2) Protocol"">RFC4306</a>].
A fundamental GKM protocol IP security subsystem requirement is that
both the GKM protocol and IKEv2 can simultaneously share access to a
common Group Security Policy Database and Security Association
Database. The mechanisms that provide mutually exclusive access to
the common GSPD/SAD data structures are a local matter. This
includes the GSPD-O cache and the GSPD-I cache. However,
implementers should note that IKEv2 SPI allocation is entirely
independent from GKM SPI allocation because Group Security
Associations are qualified by a destination multicast IP address and
may optionally have a source IP address qualifier. See <a href="./rfc4303#section-2.1">Section 2.1
of [RFC4303]</a> for further explanation.
The Peer Authorization Database does require explicit coordination
between the GKM protocol and IKEv2. <a href="#section-4.1.3">Section 4.1.3</a> describes these
interactions.
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. IP Traffic Processing</span>
Processing of traffic follows <a href="./rfc4301#section-5">Section 5 of [RFC4301]</a>, with the
additions described below when these IP multicast extensions are
supported.
<span class="h3"><a class="selflink" id="section-5.1" href="#section-5.1">5.1</a>. Outbound IP Traffic Processing</span>
If an IPsec SA is marked as supporting tunnel mode with address
preservation (as described in <a href="#section-3.1">Section 3.1</a>), either or both of the
outer header source or destination addresses are marked as being
preserved.
Header construction for tunnel mode is described in <a href="./rfc4301#section-5.1.2">Section 5.1.2 of
RFC 4301</a>. The first bullet of that section is amended as follows:
<span class="grey">Weis, et al. Standards Track [Page 18]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-19" ></span>
<span class="grey"><a href="./rfc5374">RFC 5374</a> Multicast Extensions to <a href="./rfc4301">RFC 4301</a> November 2008</span>
o If address preservation is not marked in the SAD entry for
either the outer IP header Source Address or Destination
Address, the outer IP header Source Address and Destination
Address identify the "endpoints" of the tunnel (the
encapsulator and decapsulator). If address preservation is
marked for the IP header Source Address, it is copied from
the inner IP header Source Address. If address preservation
is marked for the IP header Destination Address, it is copied
from the inner IP header Destination Address. The inner IP
header Source Address and Destination Addresses identify the
original sender and recipient of the datagram (from the
perspective of this tunnel), respectively. Address
preservation MUST NOT be marked when the IP version of the
encapsulating header and IP version of the inner header do
not match.
Note (3), regarding construction of tunnel addresses in <a href="./rfc4301#section-5.1.2.1">Section</a>
<a href="./rfc4301#section-5.1.2.1">5.1.2.1 of RFC 4301</a>, is amended as follows. (Note: for brevity, Note
(3) of <a href="./rfc4301">RFC 4301</a> is not reproduced in its entirety.)
(3) Unless marked for address preservation, Local and Remote
addresses depend on the SA, which is used to determine the
Remote address, which in turn determines which Local
address (net interface) is used to forward the packet. If
address preservation is marked for the Local address, it is
copied from the inner IP header. If address preservation
is marked for the Remote address, that address is copied
from the inner IP header.
<span class="h3"><a class="selflink" id="section-5.2" href="#section-5.2">5.2</a>. Inbound IP Traffic Processing</span>
IPsec-protected packets generated by an IPsec device supporting these
multicast extensions may (depending on its GSPD policy) populate an
outer tunnel header with a destination address such that it is not
addressed to an IPsec device. This requires an IPsec device
supporting these multicast extensions to accept and process IP
traffic that is not addressed to the IPsec device itself. The
following additions to IPsec inbound IP traffic processing are
necessary.
For compatibility with <a href="./rfc4301">RFC 4301</a>, the phrase "addressed to this
device" is taken to mean packets with a unicast destination address
belonging to the system itself, and also multicast packets that are
received by the system itself. However, multicast packets not
received by the IPsec device are not considered addressed to this
device.
<span class="grey">Weis, et al. Standards Track [Page 19]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-20" ></span>
<span class="grey"><a href="./rfc5374">RFC 5374</a> Multicast Extensions to <a href="./rfc4301">RFC 4301</a> November 2008</span>
The discussion of processing inbound IP Traffic described in <a href="./rfc4301#section-5.2">Section</a>
<a href="./rfc4301#section-5.2">5.2 of RFC 4301</a> is amended as follows.
The first dash in item 2 is amended as follows:
- If the packet appears to be IPsec protected and it is
addressed to this device, or appears to be IPsec protected
and is addressed to a multicast group, an attempt is made to
map it to an active SA via the SAD. Note that the device may
have multiple IP addresses that may be used in the SAD
lookup, e.g., in the case of protocols such as SCTP.
A new item is added to the list between items 3a and 3b to describe
processing of IPsec packets with destination address preservation
applied:
3aa. If the packet is addressed to a multicast group and AH or
ESP is specified as the protocol, the packet is looked up
in the SAD. Use the SPI plus the destination or SPI plus
destination and source addresses, as specified in <a href="#section-4.1">Section</a>
<a href="#section-4.1">4.1</a>. If there is no match, the packet is directed to
SPD-I lookup. Note that if the IPsec device is a security
gateway, and the SPD-I policy is to BYPASS the packet, a
subsequent security gateway along the routed path of the
multicast packet may decrypt the packet.
Figure 3 in <a href="./rfc4301">RFC 4301</a> is updated to show the new processing path
defined in item 3aa.
<span class="grey">Weis, et al. Standards Track [Page 20]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-21" ></span>
<span class="grey"><a href="./rfc5374">RFC 5374</a> Multicast Extensions to <a href="./rfc4301">RFC 4301</a> November 2008</span>
Unprotected Interface
|
V
+-----+ IPsec protected
------------------->|Demux|--------------------+
| +-----+ |
| | |
| Not IPsec | |
| | IPsec protected, not |
| V addressed to device, |
| +-------+ +---------+ and not in SAD |
| |DISCARD|<---|SPD-I (*)|<------------+ |
| +-------+ +---------+ | |
| | | |
| |-----+ | |
| | | | |
| | V | |
| | +------+ | |
| | | ICMP | | |
| | +------+ | |
| | | V
+---------+ | +-----------+
....|SPD-O (*)|............|...................|PROCESS(**)|...IPsec
+---------+ | | (AH/ESP) | Boundary
^ | +-----------+
| | +---+ |
| BYPASS | +-->|IKE| |
| | | +---+ |
| V | V
| +----------+ +---------+ +----+
|--------<------|Forwarding|<---------|SAD Check|-->|ICMP|
nested SAs +----------+ | (***) | +----+
| +---------+
V
Protected Interface
Figure 1. Processing Model for Inbound Traffic
(amending Figure 3 of <a href="./rfc4301">RFC 4301</a>)
<span class="grey">Weis, et al. Standards Track [Page 21]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-22" ></span>
<span class="grey"><a href="./rfc5374">RFC 5374</a> Multicast Extensions to <a href="./rfc4301">RFC 4301</a> November 2008</span>
The discussion of processing inbound IP traffic in Section 5.2 of <a href="./rfc4301">RFC</a>
<a href="./rfc4301">4301</a> is amended to insert a new item 6 as follows.
6. If an IPsec SA is marked as supporting tunnel mode with
address preservation (as described in <a href="#section-3.1">Section 3.1</a>), the
marked address(es) (i.e., source and/or destination
address(es)) in the outer IP header MUST be verified to be
the same value(s) as in the inner IP header. If the
addresses are not consistent, the IPsec system MUST discard
the packet and treat the inconsistency as an auditable
event.
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. Security Considerations</span>
The IP security multicast extensions defined by this specification
build on the unicast-oriented IP security architecture [<a href="./rfc4301" title=""Security Architecture for the Internet Protocol"">RFC4301</a>].
Consequently, this specification inherits many of <a href="./rfc4301">RFC 4301</a>'s security
considerations, and the reader is advised to review it as companion
guidance.
<span class="h3"><a class="selflink" id="section-6.1" href="#section-6.1">6.1</a>. Security Issues Solved by IPsec Multicast Extensions</span>
The IP security multicast extension service provides the following
network layer mechanisms for secure group communications:
- Confidentiality using a group shared encryption key.
- Group source authentication and integrity protection using a group
shared authentication key.
- Group Sender data origin authentication using a digital signature,
TESLA, or other mechanism.
- Anti-replay protection for a limited number of Group Senders using
the ESP (or AH) sequence number facility.
- Filtering of multicast transmissions identified with a source
address of systems that are not authorized by group policy to be
Group Senders. This feature leverages the IPsec stateless firewall
service (i.e., SPD-I and/or SDP-O entries with a packet disposition
specified as DISCARD).
In support of the above services, this specification enhances the
definition of the SPD, PAD, and SAD databases to facilitate the
automated group key management of large-scale cryptographic groups.
<span class="grey">Weis, et al. Standards Track [Page 22]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-23" ></span>
<span class="grey"><a href="./rfc5374">RFC 5374</a> Multicast Extensions to <a href="./rfc4301">RFC 4301</a> November 2008</span>
<span class="h3"><a class="selflink" id="section-6.2" href="#section-6.2">6.2</a>. Security Issues Not Solved by IPsec Multicast Extensions</span>
As noted in <a href="./rfc4301#section-2.2">Section 2.2. of RFC 4301</a>, it is out of the scope of this
architecture to defend the group's keys or its application data
against attacks targeting vulnerabilities of the operating
environment in which the IPsec implementation executes. However, it
should be noted that the risk of attacks originating by an adversary
in the network is magnified to the extent that the group keys are
shared across a large number of systems.
The security issues that are left unsolved by the IPsec multicast
extension service divide into two broad categories: outsider attacks
and insider attacks.
<span class="h4"><a class="selflink" id="section-6.2.1" href="#section-6.2.1">6.2.1</a>. Outsider Attacks</span>
The IPsec multicast extension service does not defend against an
adversary outside of the group who has:
- the capability to launch a multicast, flooding denial-of-service
attack against the group, originating from a system whose IPsec
subsystem does not filter the unauthorized multicast transmissions.
- compromised a multicast router, allowing the adversary to corrupt
or delete all multicast packets destined for the group endpoints
downstream from that router.
- captured a copy of an earlier multicast packet transmission and
then replayed it to a group that does not have the anti-replay
service enabled. Note that for a large-scale, any-source multicast
group, it is impractical for the Group Receivers to maintain an
anti-replay state for every potential Group Sender. Group policies
that require anti-replay protection for a large-scale, any-source
multicast group should consider an application layer multicast
protocol that can detect and reject replays.
<span class="h4"><a class="selflink" id="section-6.2.2" href="#section-6.2.2">6.2.2</a>. Insider Attacks</span>
For large-scale groups, the IP security multicast extensions are
dependent on an automated Group Key Management protocol to correctly
authenticate and authorize trustworthy members in compliance to the
group's policies. Inherent in the concept of a cryptographic group
is a set of one or more shared secrets entrusted to all of the Group
Members. Consequently, the service's security guarantees are no
stronger than the weakest member admitted to the group by the GKM
system. The GKM system is responsible for responding to compromised
Group Member detection by executing a re-key procedure. The GKM
re-keying protocol will expel the compromised Group Members and
<span class="grey">Weis, et al. Standards Track [Page 23]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-24" ></span>
<span class="grey"><a href="./rfc5374">RFC 5374</a> Multicast Extensions to <a href="./rfc4301">RFC 4301</a> November 2008</span>
distribute new group keying material to the trusted members.
Alternatively, the group policy may require the GKM system to
terminate the group.
In the event that an adversary has been admitted into the group by
the GKM system, the following attacks are possible and can not be
solved by the IPsec multicast extension service:
- The adversary can disclose the secret group key or group data to an
unauthorized party outside of the group. After a group key or data
compromise, cryptographic methods such as traitor tracing or
watermarking can assist in the forensics process. However, these
methods are outside the scope of this specification.
- The insider adversary can forge packet transmissions that appear to
be from a peer Group Member. To defend against this attack, for
those Group Sender transmissions that merit the overhead, the group
policy can require the Group Sender to multicast packets using the
data origin authentication service.
- If the group's data origin authentication service uses digital
signatures, then the insider adversary can launch a computational
resource denial-of-service attack by multicasting bogus signed
packets.
<span class="h3"><a class="selflink" id="section-6.3" href="#section-6.3">6.3</a>. Implementation or Deployment Issues that Impact Security</span>
<span class="h4"><a class="selflink" id="section-6.3.1" href="#section-6.3.1">6.3.1</a>. Homogeneous Group Cryptographic Algorithm Capabilities</span>
The IP security multicast extensions service can not defend against a
poorly considered group security policy that allows a weaker
cryptographic algorithm simply because all of the group's endpoints
are known to support it. Unfortunately, large-scale groups can be
difficult to upgrade to the current best-in-class cryptographic
algorithms. One possible approach to solving many of these problems
is the deployment of composite groups that can straddle heterogeneous
groups [<a href="#ref-COMPGRP" title=""Multicast IP Security Composite Cryptographic Groups"">COMPGRP</a>]. A standard solution for heterogeneous groups is an
activity for future standardization. In the interim, synchronization
of a group's cryptographic capabilities could be achieved using a
secure and scalable software distribution management tool.
<span class="h4"><a class="selflink" id="section-6.3.2" href="#section-6.3.2">6.3.2</a>. Groups that Span Two or More Security Policy Domains</span>
Large-scale groups may span multiple legal jurisdictions (e.g.,
countries) that enforce limits on cryptographic algorithms or key
strengths. As currently defined, the IPsec multicast extension
service requires a single group policy per group. As noted above,
this problem remains an area for future standardization.
<span class="grey">Weis, et al. Standards Track [Page 24]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-25" ></span>
<span class="grey"><a href="./rfc5374">RFC 5374</a> Multicast Extensions to <a href="./rfc4301">RFC 4301</a> November 2008</span>
<span class="h4"><a class="selflink" id="section-6.3.3" href="#section-6.3.3">6.3.3</a>. Source-Specific Multicast Group Sender Transient Locators</span>
A Source Specific Multicast (SSM) Group Sender's source IP address
can dynamically change during a secure multicast group's lifetime.
Examples of the events that can cause the Group Sender's source
address to change include but are not limited to NAT, a mobility-
induced change in the care-of-address, and a multi-homed host using a
new IP interface. The change in the Group Sender's source IP address
will cause GSPD entries related to that multicast group to become out
of date with respect to the group's multicast routing state. In the
worst case, there is a risk that the Group Sender's data originating
from a new source address will be BYPASS processed by a security
gateway. If this scenario was not anticipated, then it could leak
the group's data. Consequently, it is recommended that SSM secure
multicast groups have a default DISCARD policy for all unauthorized
Group Sender source IP addresses for the SSM group's destination IP
address.
<span class="h2"><a class="selflink" id="section-7" href="#section-7">7</a>. Acknowledgements</span>
The authors wish to thank Steven Kent, Russ Housley, Pasi Eronen, and
Tero Kivinen for their helpful comments.
The "Guidelines for Writing RFC Text on Security Considerations"
[<a href="./rfc3552" title=""Guidelines for Writing RFC Text on Security Considerations"">RFC3552</a>] was consulted to develop the Security Considerations
section of this memo.
<span class="h2"><a class="selflink" id="section-8" href="#section-8">8</a>. References</span>
<span class="h3"><a class="selflink" id="section-8.1" href="#section-8.1">8.1</a>. Normative References</span>
[<a id="ref-RFC1112">RFC1112</a>] Deering, S., "Host extensions for IP multicasting", STD 5,
<a href="./rfc1112">RFC 1112</a>, August 1989.
[<a id="ref-RFC2119">RFC2119</a>] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", <a href="https://www.rfc-editor.org/bcp/bcp14">BCP 14</a>, <a href="./rfc2119">RFC 2119</a>, March 1997.
[<a id="ref-RFC4301">RFC4301</a>] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", <a href="./rfc4301">RFC 4301</a>, December 2005.
[<a id="ref-RFC4302">RFC4302</a>] Kent, S., "IP Authentication Header", <a href="./rfc4302">RFC 4302</a>, December
2005.
[<a id="ref-RFC4303">RFC4303</a>] Kent, S., "IP Encapsulating Security Payload (ESP)", <a href="./rfc4303">RFC</a>
<a href="./rfc4303">4303</a>, December 2005.
<span class="grey">Weis, et al. Standards Track [Page 25]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-26" ></span>
<span class="grey"><a href="./rfc5374">RFC 5374</a> Multicast Extensions to <a href="./rfc4301">RFC 4301</a> November 2008</span>
<span class="h3"><a class="selflink" id="section-8.2" href="#section-8.2">8.2</a>. Informative References</span>
[<a id="ref-COMPGRP">COMPGRP</a>] Gross G. and H. Cruickshank, "Multicast IP Security
Composite Cryptographic Groups", Work in Progress, February
2007.
[<a id="ref-RFC2526">RFC2526</a>] Johnson, D. and S. Deering, "Reserved IPv6 Subnet Anycast
Addresses", <a href="./rfc2526">RFC 2526</a>, March 1999.
[<a id="ref-RFC2627">RFC2627</a>] Wallner, D., Harder, E., and R. Agee, "Key Management for
Multicast: Issues and Architectures", <a href="./rfc2627">RFC 2627</a>, June 1999.
[<a id="ref-RFC2914">RFC2914</a>] Floyd, S., "Congestion Control Principles", <a href="https://www.rfc-editor.org/bcp/bcp41">BCP 41</a>, <a href="./rfc2914">RFC</a>
<a href="./rfc2914">2914</a>, September 2000.
[<a id="ref-RFC3171">RFC3171</a>] Albanna, Z., Almeroth, K., Meyer, D., and M. Schipper,
"IANA Guidelines for IPv4 Multicast Address Assignments",
<a href="https://www.rfc-editor.org/bcp/bcp51">BCP 51</a>, <a href="./rfc3171">RFC 3171</a>, August 2001.
[<a id="ref-RFC3306">RFC3306</a>] Haberman, B. and D. Thaler, "Unicast-Prefix-based IPv6
Multicast Addresses", <a href="./rfc3306">RFC 3306</a>, August 2002.
[<a id="ref-RFC3307">RFC3307</a>] Haberman, B., "Allocation Guidelines for IPv6 Multicast
Addresses", <a href="./rfc3307">RFC 3307</a>, August 2002.
[<a id="ref-RFC3376">RFC3376</a>] Cain, B., Deering, S., Kouvelas, I., Fenner, B., and A.
Thyagarajan, "Internet Group Management Protocol, Version
3", <a href="./rfc3376">RFC 3376</a>, October 2002.
[<a id="ref-RFC3547">RFC3547</a>] Baugher, M., Weis, B., Hardjono, T., and H. Harney, "The
Group Domain of Interpretation", <a href="./rfc3547">RFC 3547</a>, July 2003.
[<a id="ref-RFC3552">RFC3552</a>] Rescorla, E. and B. Korver, "Guidelines for Writing RFC
Text on Security Considerations", <a href="https://www.rfc-editor.org/bcp/bcp72">BCP 72</a>, <a href="./rfc3552">RFC 3552</a>, July
2003.
[<a id="ref-RFC3569">RFC3569</a>] Bhattacharyya, S., Ed., "An Overview of Source-Specific
Multicast (SSM)", <a href="./rfc3569">RFC 3569</a>, July 2003.
[<a id="ref-RFC3740">RFC3740</a>] Hardjono, T. and B. Weis, "The Multicast Group Security
Architecture", <a href="./rfc3740">RFC 3740</a>, March 2004.
[<a id="ref-RFC3810">RFC3810</a>] Vida, R., Ed., and L. Costa, Ed., "Multicast Listener
Discovery Version 2 (MLDv2) for IPv6", <a href="./rfc3810">RFC 3810</a>, June 2004.
[<a id="ref-RFC3940">RFC3940</a>] Adamson, B., Bormann, C., Handley, M., and J. Macker,
"Negative-acknowledgment (NACK)-Oriented Reliable Multicast
(NORM) Protocol", <a href="./rfc3940">RFC 3940</a>, November 2004.
<span class="grey">Weis, et al. Standards Track [Page 26]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-27" ></span>
<span class="grey"><a href="./rfc5374">RFC 5374</a> Multicast Extensions to <a href="./rfc4301">RFC 4301</a> November 2008</span>
[<a id="ref-RFC4046">RFC4046</a>] Baugher, M., Canetti, R., Dondeti, L., and F. Lindholm,
"Multicast Security (MSEC) Group Key Management
Architecture", <a href="./rfc4046">RFC 4046</a>, April 2005.
[<a id="ref-RFC4082">RFC4082</a>] Perrig, A., Song, D., Canetti, R., Tygar, J., and B.
Briscoe, "Timed Efficient Stream Loss-Tolerant
Authentication (TESLA): Multicast Source Authentication
Transform Introduction", <a href="./rfc4082">RFC 4082</a>, June 2005.
[<a id="ref-RFC4306">RFC4306</a>] Kaufman, C., Ed., "Internet Key Exchange (IKEv2) Protocol",
<a href="./rfc4306">RFC 4306</a>, December 2005.
[<a id="ref-RFC4359">RFC4359</a>] Weis, B., "The Use of RSA/SHA-1 Signatures within
Encapsulating Security Payload (ESP) and Authentication
Header (AH)", <a href="./rfc4359">RFC 4359</a>, January 2006.
[<a id="ref-RFC4535">RFC4535</a>] Harney, H., Meth, U., Colegrove, A., and G. Gross, "GSAKMP:
Group Secure Association Key Management Protocol", <a href="./rfc4535">RFC</a>
<a href="./rfc4535">4535</a>, June 2006.
[<a id="ref-RFC4601">RFC4601</a>] Fenner, B., Handley, M., Holbrook, H., and I. Kouvelas,
"Protocol Independent Multicast - Sparse Mode (PIM-SM):
Protocol Specification (Revised)", <a href="./rfc4601">RFC 4601</a>, August 2006.
[<a id="ref-RFC4891">RFC4891</a>] Graveman, R., Parthasarathy, M., Savola, P., and H.
Tschofenig, "Using IPsec to Secure IPv6-in-IPv4 Tunnels",
<a href="./rfc4891">RFC 4891</a>, May 2007.
[<a id="ref-ZLLY03">ZLLY03</a>] Zhang, X., et al., "Protocol Design for Scalable and
Reliable Group Rekeying", IEEE/ACM Transactions on
Networking (TON), Volume 11, Issue 6, December 2003.
<span class="grey">Weis, et al. Standards Track [Page 27]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-28" ></span>
<span class="grey"><a href="./rfc5374">RFC 5374</a> Multicast Extensions to <a href="./rfc4301">RFC 4301</a> November 2008</span>
<span class="h2"><a class="selflink" id="appendix-A" href="#appendix-A">Appendix A</a>. Multicast Application Service Models</span>
The vast majority of secure multicast applications can be catalogued
by their service model and accompanying intra-group communication
patterns. Both the Group Key Management (GKM) subsystem and the
IPsec subsystem MUST be able to configure the GSPD/SAD security
policies to match these dominant usage scenarios. The GSPD/SAD
policies MUST include the ability to configure both Any-Source
Multicast groups and Source-Specific Multicast groups for each of
these service models. The GKM subsystem management interface MAY
include mechanisms to configure the security policies for service
models not identified by this standard.
<span class="h3"><a class="selflink" id="appendix-A.1" href="#appendix-A.1">A.1</a>. Unidirectional Multicast Applications</span>
Multimedia content-delivery multicast applications that do not have
congestion notification or re-transmission error-recovery mechanisms
are inherently unidirectional. <a href="./rfc4301">RFC 4301</a> only defines bi-directional
unicast traffic selectors (as per <a href="./rfc4301">RFC 4301</a>, Sections <a href="#section-4.4.1">4.4.1</a> and <a href="#section-5.1">5.1</a>
with respect to traffic selector directionality). The GKM subsystem
requires that the IPsec subsystem MUST support unidirectional SPD
entries, which cause a Group Security Association (GSA) to be
installed in only one direction. Multicast applications that have
only one Group Member authorized to transmit can use this type of
Group Security Association to enforce that group policy. In the
inverse direction, the GSA does not have an SAD entry, and the GSPD
configuration is optionally set up to discard unauthorized attempts
to transmit unicast or multicast packets to the group.
The GKM subsystem's management interface MUST have the ability to set
up a GKM subsystem group having a unidirectional GSA security policy.
<span class="h3"><a class="selflink" id="appendix-A.2" href="#appendix-A.2">A.2</a>. Bi-Directional Reliable Multicast Applications</span>
Some secure multicast applications are characterized as one Group
Sender to many receivers but have inverse data flows required by a
reliable multicast transport protocol (e.g., NORM). In such
applications, the data flow from the sender is multicast and the
inverse flow from the Group's Receivers is unicast to the sender.
Typically, the inverse data flows carry error repair requests and
congestion control status.
For such applications, it is advantageous to use the same IPsec SA
for protection of both unicast and multicast data flows. This does
introduce one risk: the IKEv2 application may choose the same SPI for
receiving unicast traffic as the GCKS chooses for a group IPsec SA
covering unicast traffic. If both SAs are installed in the SAD, the
SA lookup may return the wrong SPI as the result of an SA lookup. To
<span class="grey">Weis, et al. Standards Track [Page 28]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-29" ></span>
<span class="grey"><a href="./rfc5374">RFC 5374</a> Multicast Extensions to <a href="./rfc4301">RFC 4301</a> November 2008</span>
avoid this problem, IPsec SAs installed by the GKM SHOULD use the 2-
tuple {destination IP address, SPI} to identify each IPsec SA. In
addition, the GKM SHOULD use a unicast destination IP address that
does not match any destination IP address in use by an IKEv2 unicast
IPsec SA. For example, suppose a Group Member is using both IKEv2
and a GKM protocol, and the group security policy requires protecting
the NORM inverse data flows as described above. In this case, group
policy SHOULD allocate and use a unique unicast destination IP
address representing the NORM Group Sender. This address would be
configured in parallel to the Group Sender's existing IP addresses.
The GKM subsystems at both the NORM Group Sender and Group Receiver
endpoints would install the IPsec SA, protecting the NORM unicast
messages such that the SA lookup uses the unicast destination address
as well as the SPI.
The GSA SHOULD use IPsec anti-replay protection service for the
sender's multicast data flow to the group's Receivers. Because of
the scalability problem described in the next section, it is not
practical to use the IPsec anti-replay service for the unicast
inverse flows. Consequently, in the inverse direction, the IPsec
anti-replay protection MUST be disabled. However, the unicast
inverse flows can use the group's IPsec group authentication
mechanism. The Group Receiver's GSPD entry for this GSA SHOULD be
configured to only allow a unicast transmission to the sender node
rather than a multicast transmission to the whole group.
If an ESP digital signature authentication is available (e.g., <a href="./rfc4359">RFC</a>
<a href="./rfc4359">4359</a>), source authentication MAY be used to authenticate a receiver
node's transmission to the sender. The GKM protocol MUST define a
key management mechanism for the Group Sender to validate the
asserted signature public key of any receiver node without requiring
that the sender maintain state about every Group Receiver.
This multicast application service model is RECOMMENDED because it
includes congestion control feedback capabilities. Refer to
[<a href="./rfc2914" title=""Congestion Control Principles"">RFC2914</a>] for additional background information.
The GKM subsystem's Group Owner management interface MUST have the
ability to set up a symmetric GSPD entry and one Group Sender. The
management interface SHOULD be able to configure a group to have at
least 16 concurrent authorized senders, each with their own GSA
anti-replay state.
<span class="grey">Weis, et al. Standards Track [Page 29]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-30" ></span>
<span class="grey"><a href="./rfc5374">RFC 5374</a> Multicast Extensions to <a href="./rfc4301">RFC 4301</a> November 2008</span>
<span class="h3"><a class="selflink" id="appendix-A.3" href="#appendix-A.3">A.3</a>. Any-To-Many Multicast Applications</span>
Another family of secure multicast applications exhibits an "any-to-
many" communications pattern. A representative example of such an
application is a videoconference combined with an electronic
whiteboard.
For such applications, all (or a large subset) of the Group Members
are authorized multicast senders. In such service models, creating a
distinct IPsec SA with anti-replay state for every potential sender
does not scale to large groups. The group SHOULD share one IPsec SA
for all of its senders. The IPsec SA SHOULD NOT use the IPsec anti-
replay protection service for the sender's multicast data flow to the
Group Receivers.
The GKM subsystem's management interface MUST have the ability to set
up a group having an Any-To-Many Multicast GSA security policy.
<span class="h2"><a class="selflink" id="appendix-B" href="#appendix-B">Appendix B</a>. ASN.1 for a GSPD Entry</span>
This appendix describes an additional way to describe GSPD entries,
as defined in <a href="#section-4.1.1">Section 4.1.1</a>. It uses ASN.1 syntax that has been
successfully compiled. This syntax is merely illustrative and need
not be employed in an implementation to achieve compliance. The GSPD
description in <a href="#section-4.1.1">Section 4.1.1</a> is normative. As shown in <a href="#section-4.1.1">Section</a>
<a href="#section-4.1.1">4.1.1</a>, the GSPD updates the SPD and thus this appendix updates the
SPD object identifier.
<span class="h3"><a class="selflink" id="appendix-B.1" href="#appendix-B.1">B.1</a>. Fields Specific to a GSPD Entry</span>
The following fields summarize the fields of the GSPD that are not
present in the SPD.
- direction (in IPsecEntry)
- DirectionFlags
- noswap (in SelectorList)
- ap-l, ap-r (in TunnelOptions)
<span class="grey">Weis, et al. Standards Track [Page 30]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-31" ></span>
<span class="grey"><a href="./rfc5374">RFC 5374</a> Multicast Extensions to <a href="./rfc4301">RFC 4301</a> November 2008</span>
<span class="h3"><a class="selflink" id="appendix-B.2" href="#appendix-B.2">B.2</a>. SPDModule</span>
SPDModule
{iso(1) org (3) dod (6) internet (1) security (5) mechanisms (5)
ipsec (8) asn1-modules (3) spd-module (1) }
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
IMPORTS
RDNSequence FROM PKIX1Explicit88
{ iso(1) identified-organization(3)
dod(6) internet(1) security(5) mechanisms(5) pkix(7)
id-mod(0) id-pkix1-explicit(18) } ;
-- An SPD is a list of policies in decreasing order of preference
SPD ::= SEQUENCE OF SPDEntry
SPDEntry ::= CHOICE {
iPsecEntry IPsecEntry, -- PROTECT traffic
bypassOrDiscard [0] BypassOrDiscardEntry } -- DISCARD/BYPASS
IPsecEntry ::= SEQUENCE { -- Each entry consists of
name NameSets OPTIONAL,
pFPs PacketFlags, -- Populate from packet flags
-- Applies to ALL of the corresponding
-- traffic selectors in the SelectorLists
direction DirectionFlags, -- SA directionality
condition SelectorLists, -- Policy "condition"
processing Processing -- Policy "action"
}
BypassOrDiscardEntry ::= SEQUENCE {
bypass BOOLEAN, -- TRUE BYPASS, FALSE DISCARD
condition InOutBound }
InOutBound ::= CHOICE {
outbound [0] SelectorLists,
inbound [1] SelectorLists,
bothways [2] BothWays }
<span class="grey">Weis, et al. Standards Track [Page 31]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-32" ></span>
<span class="grey"><a href="./rfc5374">RFC 5374</a> Multicast Extensions to <a href="./rfc4301">RFC 4301</a> November 2008</span>
BothWays ::= SEQUENCE {
inbound SelectorLists,
outbound SelectorLists }
NameSets ::= SEQUENCE {
passed SET OF Names-R, -- Matched to IKE ID by
-- responder
local SET OF Names-I } -- Used internally by IKE
-- initiator
Names-R ::= CHOICE { -- IKEv2 IDs
dName RDNSequence, -- ID_DER_ASN1_DN
fqdn FQDN, -- ID_FQDN
<a href="./rfc822">rfc822</a> [0] RFC822Name, -- ID_RFC822_ADDR
keyID OCTET STRING } -- KEY_ID
Names-I ::= OCTET STRING -- Used internally by IKE
-- initiator
FQDN ::= IA5String
RFC822Name ::= IA5String
PacketFlags ::= BIT STRING {
-- if set, take selector value from packet
-- establishing SA
-- else use value in SPD entry
localAddr (0),
remoteAddr (1),
protocol (2),
localPort (3),
remotePort (4) }
DirectionFlags ::= BIT STRING {
-- if set, install SA in the specified
-- direction. symmetric policy is
-- represented by setting both bits
inbound (0),
outbound (1) }
SelectorLists ::= SET OF SelectorList
SelectorList ::= SEQUENCE {
localAddr AddrList,
remoteAddr AddrList,
protocol ProtocolChoice,
noswap BOOLEAN } -- Do not swap local and remote
-- addresses and ports on incoming
<span class="grey">Weis, et al. Standards Track [Page 32]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-33" ></span>
<span class="grey"><a href="./rfc5374">RFC 5374</a> Multicast Extensions to <a href="./rfc4301">RFC 4301</a> November 2008</span>
-- SPD-S and SPD-I checks
Processing ::= SEQUENCE {
extSeqNum BOOLEAN, -- TRUE 64 bit counter, FALSE 32 bit
seqOverflow BOOLEAN, -- TRUE rekey, FALSE terminate & audit
fragCheck BOOLEAN, -- TRUE stateful fragment checking,
-- FALSE no stateful fragment checking
lifetime SALifetime,
spi ManualSPI,
algorithms ProcessingAlgs,
tunnel TunnelOptions OPTIONAL } -- if absent, use
-- transport mode
SALifetime ::= SEQUENCE {
seconds [0] INTEGER OPTIONAL,
bytes [1] INTEGER OPTIONAL }
ManualSPI ::= SEQUENCE {
spi INTEGER,
keys KeyIDs }
KeyIDs ::= SEQUENCE OF OCTET STRING
ProcessingAlgs ::= CHOICE {
ah [0] IntegrityAlgs, -- AH
esp [1] ESPAlgs} -- ESP
ESPAlgs ::= CHOICE {
integrity [0] IntegrityAlgs, -- integrity only
confidentiality [1] ConfidentialityAlgs, -- confidentiality
-- only
both [2] IntegrityConfidentialityAlgs,
combined [3] CombinedModeAlgs }
IntegrityConfidentialityAlgs ::= SEQUENCE {
integrity IntegrityAlgs,
confidentiality ConfidentialityAlgs }
-- Integrity Algorithms, ordered by decreasing preference
IntegrityAlgs ::= SEQUENCE OF IntegrityAlg
-- Confidentiality Algorithms, ordered by decreasing preference
ConfidentialityAlgs ::= SEQUENCE OF ConfidentialityAlg
<span class="grey">Weis, et al. Standards Track [Page 33]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-34" ></span>
<span class="grey"><a href="./rfc5374">RFC 5374</a> Multicast Extensions to <a href="./rfc4301">RFC 4301</a> November 2008</span>
-- Integrity Algorithms
IntegrityAlg ::= SEQUENCE {
algorithm IntegrityAlgType,
parameters ANY -- DEFINED BY algorithm -- OPTIONAL }
IntegrityAlgType ::= INTEGER {
none (0),
auth-HMAC-MD5-96 (1),
auth-HMAC-SHA1-96 (2),
auth-DES-MAC (3),
auth-KPDK-MD5 (4),
auth-AES-XCBC-96 (5)
-- tbd (6..65535)
}
-- Confidentiality Algorithms
ConfidentialityAlg ::= SEQUENCE {
algorithm ConfidentialityAlgType,
parameters ANY -- DEFINED BY algorithm -- OPTIONAL }
ConfidentialityAlgType ::= INTEGER {
encr-DES-IV64 (1),
encr-DES (2),
encr-3DES (3),
encr-RC5 (4),
encr-IDEA (5),
encr-CAST (6),
encr-BLOWFISH (7),
encr-3IDEA (8),
encr-DES-IV32 (9),
encr-RC4 (10),
encr-NULL (11),
encr-AES-CBC (12),
encr-AES-CTR (13)
-- tbd (14..65535)
}
CombinedModeAlgs ::= SEQUENCE OF CombinedModeAlg
CombinedModeAlg ::= SEQUENCE {
algorithm CombinedModeType,
parameters ANY -- DEFINED BY algorithm -- }
-- defined outside
-- of this document for AES modes.
<span class="grey">Weis, et al. Standards Track [Page 34]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-35" ></span>
<span class="grey"><a href="./rfc5374">RFC 5374</a> Multicast Extensions to <a href="./rfc4301">RFC 4301</a> November 2008</span>
CombinedModeType ::= INTEGER {
comb-AES-CCM (1),
comb-AES-GCM (2)
-- tbd (3..65535)
}
TunnelOptions ::= SEQUENCE {
dscp DSCP,
ecn BOOLEAN, -- TRUE Copy CE to inner header
ap-l BOOLEAN, -- TRUE Copy inner IP header
-- source address to outer
-- IP header source address
ap-r BOOLEAN, -- TRUE Copy inner IP header
-- destination address to outer
-- IP header destination address
df DF,
addresses TunnelAddresses }
TunnelAddresses ::= CHOICE {
ipv4 IPv4Pair,
ipv6 [0] IPv6Pair }
IPv4Pair ::= SEQUENCE {
local OCTET STRING (SIZE(4)),
remote OCTET STRING (SIZE(4)) }
IPv6Pair ::= SEQUENCE {
local OCTET STRING (SIZE(16)),
remote OCTET STRING (SIZE(16)) }
DSCP ::= SEQUENCE {
copy BOOLEAN, -- TRUE copy from inner header
-- FALSE do not copy
mapping OCTET STRING OPTIONAL} -- points to table
-- if no copy
DF ::= INTEGER {
clear (0),
set (1),
copy (2) }
ProtocolChoice::= CHOICE {
anyProt AnyProtocol, -- for ANY protocol
noNext [0] NoNextLayerProtocol, -- has no next layer
-- items
oneNext [1] OneNextLayerProtocol, -- has one next layer
-- item
<span class="grey">Weis, et al. Standards Track [Page 35]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-36" ></span>
<span class="grey"><a href="./rfc5374">RFC 5374</a> Multicast Extensions to <a href="./rfc4301">RFC 4301</a> November 2008</span>
twoNext [2] TwoNextLayerProtocol, -- has two next layer
-- items
fragment FragmentNoNext } -- has no next layer
-- info
AnyProtocol ::= SEQUENCE {
id INTEGER (0), -- ANY protocol
nextLayer AnyNextLayers }
AnyNextLayers ::= SEQUENCE { -- with either
first AnyNextLayer, -- ANY next layer selector
second AnyNextLayer } -- ANY next layer selector
NoNextLayerProtocol ::= INTEGER (2..254)
FragmentNoNext ::= INTEGER (44) -- Fragment identifier
OneNextLayerProtocol ::= SEQUENCE {
id INTEGER (1..254), -- ICMP, MH, ICMPv6
nextLayer NextLayerChoice } -- ICMP Type*256+Code
-- MH Type*256
TwoNextLayerProtocol ::= SEQUENCE {
id INTEGER (2..254), -- Protocol
local NextLayerChoice, -- Local and
remote NextLayerChoice } -- Remote ports
NextLayerChoice ::= CHOICE {
any AnyNextLayer,
opaque [0] OpaqueNextLayer,
range [1] NextLayerRange }
-- Representation of ANY in next layer field
AnyNextLayer ::= SEQUENCE {
start INTEGER (0),
end INTEGER (65535) }
-- Representation of OPAQUE in next layer field.
-- Matches IKE convention
OpaqueNextLayer ::= SEQUENCE {
start INTEGER (65535),
end INTEGER (0) }
-- Range for a next layer field
NextLayerRange ::= SEQUENCE {
start INTEGER (0..65535),
end INTEGER (0..65535) }
<span class="grey">Weis, et al. Standards Track [Page 36]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-37" ></span>
<span class="grey"><a href="./rfc5374">RFC 5374</a> Multicast Extensions to <a href="./rfc4301">RFC 4301</a> November 2008</span>
-- List of IP addresses
AddrList ::= SEQUENCE {
v4List IPv4List OPTIONAL,
v6List [0] IPv6List OPTIONAL }
-- IPv4 address representations
IPv4List ::= SEQUENCE OF IPv4Range
IPv4Range ::= SEQUENCE { -- close, but not quite right ...
ipv4Start OCTET STRING (SIZE (4)),
ipv4End OCTET STRING (SIZE (4)) }
-- IPv6 address representations
IPv6List ::= SEQUENCE OF IPv6Range
IPv6Range ::= SEQUENCE { -- close, but not quite right ...
ipv6Start OCTET STRING (SIZE (16)),
ipv6End OCTET STRING (SIZE (16)) }
END
<span class="grey">Weis, et al. Standards Track [Page 37]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-38" ></span>
<span class="grey"><a href="./rfc5374">RFC 5374</a> Multicast Extensions to <a href="./rfc4301">RFC 4301</a> November 2008</span>
Authors' Addresses
Brian Weis
Cisco Systems
170 W. Tasman Drive,
San Jose, CA 95134-1706
USA
Phone: +1-408-526-4796
EMail: bew@cisco.com
George Gross
Secure Multicast Networks LLC
977 Bates Road
Shoreham, VT 05770
USA
Phone: +1-802-897-5339
EMail: gmgross@securemulticast.net
Dragan Ignjatic
Polycom
Suite 200
3605 Gilmore Way
Burnaby, BC V5G 4X5
Canada
Phone: +1-604-453-9424
EMail: dignjatic@polycom.com
Weis, et al. Standards Track [Page 38]
</pre>
|
