Internet Engineering Task Force George Gross (IdentAware)
INTERNET-DRAFT (experimental track) H. Cruickshank
(CCSR, U. of Surrey)
draft-ietf-msec-ipsec-composite-group-01
Expires: August, 2007 February, 2007
Multicast IP Security Composite Cryptographic Groups
Status of this Memo
By submitting this Internet-Draft, each author represents that
any applicable patent or other IPR claims of which he or she is
aware have been or will be disclosed, and any of which he or she
becomes aware will be disclosed, in accordance with Section 6 of
BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Copyright Notice
Copyright (C) The IETF Trust (2007).
Abstract
The Multicast IP Security extension architecture [Weis] implicitly
assumes a basic group endpoint population that shares homogeneous
cryptographic capabilities and security policies. In practice, large-
scale cryptographic groups may contain a heterogeneous endpoint
population that can not be accommodated by that basic multicast IPsec
architecture. For example, some endpoints may not have been upgraded
to handle the successor algorithm for one that is being retired (e.g.
SHA1 transition to SHA-ng). Group deployments that span multiple
legal jurisdictions may have a different security policy in each
jurisdiction (e.g. key strength). This document defines the
"composite cryptographic group" IP security architecture capability.
A composite cryptographic group allows multicast IPsec applications
to transparently interact with the single logical group that is
formed by the union of one or more basic cryptographic groups.
Gross, Cruickshank Expires August, 2007 [Page 1]
�
Multicast IPsec Composite Cryptographic Groups
Table of Contents
1. Introduction.......................................................3
1.1 Scope...........................................................3
1.2 Terminology.....................................................4
2. Composite IPsec Group Architecture.................................5
2.1 Transport Mode Composite Group Distributor......................6
2.2 Tunnel Mode Composite Group Distributor.........................6
2.3 Rationale for Multicast Destination IP Address and SPI Assignment7
3. Group Key Management Protocol Composite IPsec Group Requirements...7
3.1 IPsec Security Association Identifier Assignment................8
3.2 Group Receiver Composite IPsec Group Membership.................8
3.3 Group Speaker Composite IPsec Group Membership..................8
5. IANA Considerations................................................9
6. Security Considerations............................................9
6.1 Security Issues Solved by Composite IPsec Groups................9
6.2 Security Issues Not Solved by Composite IPsec Groups............9
6.2.1 Outsider Attacks...........................................10
6.2.2 Insider Attacks............................................10
6.3 Implementation or Deployment Issues that Impact Security.......11
7. Acknowledgements..................................................11
8. References........................................................11
8.1 Normative References...........................................11
8.2 Informative References.........................................12
APPENDIX A: Examples of Composite Cryptographic Group Use Cases......15
Author's Address.....................................................18
Intellectual Property Statement......................................19
Copyright Statement..................................................19
Gross, Cruickshank. Expires August, 2007 [Page 2]
Multicast IPsec Composite Cryptographic Groups
1. Introduction
In a basic IPsec cryptographic group there is a 1:1 relationship
between an IPsec group's data security association, a multicast
application, and a multicast IP address. All of the group members
share identical cryptographic capabilities and they abide by a common
security policy. IPsec subsystems [RFC4301] [RFC4302] [RFC4303] that
are compliant to the [Weis] standard by definition support basic
IPsec cryptographic groups.
For a small-scale cryptographic group, it is operationally feasible
to maintain a homogenous endpoint population. In contrast, large-
scale cryptographic groups may be heterogeneous in both their
cryptographic capabilities and/or their security policies.
o The differences in cryptographic capabilities can arise when
subsets of the group's membership are in transition, migrating from
one version of a cryptographic algorithm to its successor (e.g.
SHA-1 hash function to SHA-ng). It is unreasonable to expect that a
large-scale group membership should upgrade to new capabilities in
a flash cut operation.
o Heterogeneous security policies can occur when a cryptographic
group's membership straddles legal or security domain boundaries.
An example is a multi-national cryptographic group, for which some
endpoints reside in a country that enforces legislation that
specifies weaker cipher key strengths.
The above two requirements motivate the implementation and operation
of a "composite IPsec cryptographic group". A composite IPsec
cryptographic group is the union of two or more non-overlapping basic
IPsec cryptographic sub-groups. For sake of brevity, the terms
"Composite IPsec Group" and "Basic IPsec Subgroup" will be used in
subsequent text. The goal of a Composite IPsec Group is to
accommodate a large-scale group membership population that contains
heterogeneous capabilities, policies, or other attributes. Appendix A
enumerates additional use cases that can be satisfied by Composite
IPsec Groups.
A strong benefit of IPsec is that it applies its security processing
at the IP layer. Consequently, upper layer application programs can
execute securely without reprogramming or any awareness that IPsec
services are present. The additional benefit of a Composite IPsec
Group is that it shields the multicast application from the IP layer
complexity of the two or more Basic IPsec Subgroups. The application
multicasts its messages to what appear to be a single homogeneous
multicast group.
1.1 Scope
Gross, Cruickshank. Expires August, 2007 [Page 3]
Multicast IPsec Composite Cryptographic Groups
The IPsec extensions described in this document support IPsec
Security Associations that result in IPsec packets with IPv4 or IPv6
multicast group addresses as the destination address. Both Any-Source
Multicast (ASM) and Source-Specific Multicast (SSM) [RFC3569,
RFC3376] group addresses are supported.
These extensions also support Security Associations with IPv4
Broadcast addresses that result in an IPv4 Broadcast packet, and IPv6
Anycast addresses [RFC2526] that result in an IPv6 Anycast packet.
These destination address types share many of the same
characteristics of multicast addresses because there may be multiple
receivers of a packet protected by IPsec.
The IPsec Architecture does not make requirements upon entities not
participating in IPsec (e.g., network devices between IPsec
endpoints). As such, these multicast extensions do not require
intermediate systems in a multicast enabled network to participate in
IPsec. In particular, no requirements are placed on the use of
multicast routing protocols (e.g., PIM-SM [RFC2362]) or multicast
admission protocols (e.g., IGMP [RFC3376].
All implementation models of IPsec (e.g., "bump-in-the-stack", "bump-
in-the-wire") are supported.
1.2 Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119.
The following key terms are used throughout this document.
Any-Source Multicast (ASM)
The Internet Protocol (IP) multicast service model as defined in
RFC 1112 [RFC1112]. In this model one or more senders source
packets to a single IP multicast address. When receivers join the
group, they receive all packets sent to that IP multicast address.
This is known as a (*,G) group.
Group Controller Key Server (GCKS)
A Group Key Management Protocol (GKMP) server that manages IPsec
state for a group. A GCKS authenticates and provides the IPsec SA
policy and keying material to GKMP group members.
Group Key Management Protocol (GKMP)
A key management protocol used by a GCKS to distribute IPsec
Security Association policy and keying material. A GKMP is used
when a group of IPsec devices require the same SAs. For example,
Gross, Cruickshank. Expires August, 2007 [Page 4]
Multicast IPsec Composite Cryptographic Groups
when an IPsec SA describes an IP multicast destination, the sender
and all receivers must have the group SA.
GKMP Subsystem
A subsystem in an IPsec device implementing a Group Key Management
Protocol. The GKMP Subsystem provides IPsec SAs to the IPsec
subsystem on the IPsec device.
Group Member
An IPsec device that belongs to a group. A Group Member is
authorized to be a Group Speaker and/or a Group Receiver.
Group Owner
An administrative entity that chooses the policy for a group.
Group Security Association (GSA)
A collection of IPsec Security Associations (SAs) and GKMP
Subsystem SAs necessary for a Group Member to receive key updates.
A GSA describes the working policy for a group.
Group Receiver
A Group Member that is authorized to receive packets sent to a
group by a Group Speaker.
Group Speaker
A Group Member that is authorized to send packets to a group.
Source-Specific Multicast (SSM)
The Internet Protocol (IP) multicast service model as defined in
RFC 3569 [RFC3569]. In this model, each combination of a sender
and an IP multicast address is considered a group. This is known
as an (S,G) group.
Tunnel Mode with Address Preservation
A type of IPsec tunnel mode used by security gateway
implementations when encapsulating IP multicast packets such that
they remain IP multicast packets. This mode is necessary in order
for IP multicast routing to correctly route IP multicast packets
that are protected by IPsec.
2. Composite IPsec Group Architecture
The GCKS and the Group Members must support a Group Key Management
Protocol (GKMP) that can negotiate a Composite IPsec Group's
membership join or leave operation. The group key management
Gross, Cruickshank. Expires August, 2007 [Page 5]
Multicast IPsec Composite Cryptographic Groups
subsystem configures one or more IPsec subsystems to reflect the
Composite IPsec Group's revised state. In addition, the GCKS
configures a supporting Composite Group Distributor component
whenever a new Group Speaker endpoint joins the Composite IPsec
Group. The Composite Group Distributor handles the data flowing from
a multicast application's Group Speaker endpoint to the IPsec
subsystem. When the multicast application requests a message
transmission to the Composite IPsec Group's endpoints, the Composite
Group Distributor component transparently intercepts and replicates
that message for multicast delivery to each Basic IPsec Subgroup.
Sections 2.1 and 2.2 define the Composite Group Distributor's
architectural role for transport mode and tunnel mode IPsec security
associations. Section 3 provides the GKMP requirements for Composite
IPsec Group capability.
2.1 Transport Mode Composite Group Distributor
For a Composite IPsec Group transport mode security association, it
is the responsibility of the Composite Group Distributor to rewrite
each message copy's destination IP address before it is multicast to
the respective Basic IPsec Subgroup. The IPsec subsystem's SPD
traffic selectors then evaluate that message, and apply the Basic
IPsec Subgroup's security association transform. Since a single IPsec
subsystem supports the Group Speaker, that IPsec subsystem MUST
support all of the outbound security transforms required by all of
the Basic IPsec Subgroups that form the Composite IPsec Group.
Regardless of the Composite Group Distributor's underlying
implementation, it is a requirement that the two or more security
transforms applied by the IPsec subsystem to the multicast
application's replicated data streams MUST remain transparent to that
application's Group Speaker endpoint. Each Basic IPsec Subgroup MUST
be allocated a unique multicast destination IP address. Appendix B
provides non-normative guidance for the implementation of a Composite
Group Distributor supporting IPsec transport mode security
associations.
2.2 Tunnel Mode Composite Group Distributor
For a Composite IPsec Group tunnel mode security association, the
Composite Group Distributor component is simply the multicast routing
infrastructure residing on the network path between the Group Speaker
endpoint and two or more IPsec subsystems. Typically, the IPsec
subsystems are IPsec security gateways. In a tunnel mode
configuration, there is a parallel IPsec subsystem instance per Basic
IPsec Subgroup. Unlike transport mode, in tunnel mode the Composite
Group Distributor does not rewrite the destination IP multicast
address for each Basic IPsec Subgroup. Instead, each IPsec subsystem
SPD independently recognizes the message addressed to the Composite
IPsec Group destination IP address, and applies the IPsec tunnel mode
security transform for its respective Basic IPsec Subgroup. Each
IPsec subsystem MUST use a unique Security Parameter Index for their
security association instance. The GKMP is responsible for allocating
Gross, Cruickshank. Expires August, 2007 [Page 6]
Multicast IPsec Composite Cryptographic Groups
the SPI for each tunnel mode security association, so that they are
uniquely identified when the replicated messages are distributed to
the Composite IPsec Group.
Note that in tunnel mode, there is one multicast distribution tree
representing the Composite IPsec Group rather than a multicast
distribution tree per Basic IPsec Subgroup. All of the message copies
are multicast to the Composite IPsec Group's multicast IP address.
Consequently, the Group Receiver IPsec subsystems use the SPI to de-
multiplex which one of the message replicas is addressed to its Basic
IPsec Subgroup.
2.3 Rationale for Multicast Destination IP Address and SPI Assignment
For Composite Groups in transport mode, each Basic IPsec Subgroup is
assigned a distinct multicast destination IP address. This assignment
policy assures that the Group Speaker IPsec subsystem's SPD packet
matching can direct a packet to the correct sub-group's transport
mode IPsec SA instance. In particular, the CGD must not only
replicate the transmitted packet for each Basic IPsec Subgroup, it
must also alter each copied packet's destination IP address so that
the packet will be matched by the SPD and then encrypted by the
respective IPsec SAD entry.
In a Composite Group with tunnel mode address preservation, the
address assignment policy is to keep the packet's original multicast
address, and use only the SPI to distinguish between the Basic IPsec
Subgroups. Each Basic IPsec Subgroup has a parallel Security Gateway
instance doing an IPsec tunnel mode SA encapsulation. There is no CGD
component in these Security Gateways, since the multicast capable
trusted network has already replicated the packet. Each such Security
Gateway SPD is configured by the GKM protocol to insert the same
outer IP header as its peer Security Gateways. However, the SPI
assigned to the IPsec SA at each of the Security Gateways must be
unique. This allows the Group Receivers to discriminate between the
sub-group specific packet arrivals sharing a common destination
multicast IP address.
In a Composite Group without tunnel mode address preservation, it is
feasible to use any assignment policy that maintains a unique 2-tuple
of {destination multicast IP address, SPI} across all of the Basic
IPsec subgroups.
3. Group Key Management Protocol Composite IPsec Group Requirements
A Group Key Management Protocol subsystem supporting Composite IPsec
Groups is responsible for configuring the Group Speaker's Composite
Group Distributor and one or more IPsec SPD/SAD to create and manage
a Composite IPsec Group membership. Those GKMP subsystems that choose
to implement the optional Composite IPsec Group capability MUST
support both Group Receivers and Group Speakers, as defined below in
section 3.2 and section 3.3 respectively.
Gross, Cruickshank. Expires August, 2007 [Page 7]
Multicast IPsec Composite Cryptographic Groups
3.1 IPsec Security Association Identifier Assignment
Each Basic IPsec Subgroup MUST have a group data IPsec security
association identifier allocation from the GKMP subsystem that is
unique relative to all other security associations in the Composite
IPsec Group. For an any-source multicast group, the security
association identifier is the 2-tuple {destination multicast IP
address, Security Parameter Index}. If the Composite IPsec Group is
using Source-Specific Multicast, then the IPsec security association
identifier MUST be composite group-wide unique for the 3-tuple:
{source IP address, destination multicast IP address, Security
Parameter Index}.
3.2 Group Receiver Composite IPsec Group Membership
A Group Receiver endpoint acquires membership in only one Basic IPsec
Subgroup within a Composite IPsec Group. When a Group Receiver
endpoint requests to join the Composite IPsec Group, the registration
protocol exchange MUST select the Group Receiver's membership in one
of the Basic IPsec Subgroups. The Basic IPsec Subgroup selection can
be implicit (i.e. pre-configured at the GCKS) or explicitly
negotiated by registration protocol exchanges between the candidate
Group Receiver and the GCKS. The GKMP specification defines the
registration protocol exchange negotiation. When evaluating a
candidate Group Receiver's registration request, the GCKS MUST
enforce the authentication and membership authorization policies of
the Basic IPsec Subgroup that the candidate Group Receiver has
requested membership.
3.3 Group Speaker Composite IPsec Group Membership
When a Group Speaker endpoint registers with a GCKS to join a
Composite IPsec Group, the Group Speaker implicitly joins all of the
Basic IPsec Subgroups as a speaker in each subgroup. The GCKS sets up
the Composite IPsec Group such that when the multicast application
Group Speaker endpoint sends a single message to the Composite IPsec
Group, it is received once at each Group Receiver endpoint within the
two or more Basic IPsec Groups. The GCKS and GKMP is responsible for
the following actions:
o The GCKS MUST authenticate and authorize the candidate Group
Speaker endpoint before allowing it to become a Composite IPsec
Group Speaker. The speaker authorization is contingent on the
approval of both the Composite IPsec Group policy and the logical-
AND authorization of all of the Basic IPsec Group policies.
o For each Basic IPsec Group, the GCKS allocates a new group IPsec
security association instance representing the new Group Speaker.
The GCKS uses the GKMP to distribute and then activate that IPsec
security association's configuration in the IPsec subsystem SPD/SAD
of every Group Receiver endpoint within the subgroup. In addition,
the GCKS chooses one IPsec subsystem to be the Group Speaker's
Gross, Cruickshank. Expires August, 2007 [Page 8]
Multicast IPsec Composite Cryptographic Groups
representative in that Basic IPsec Group, and configures its
SPD/SAD for that role.
o For an IPsec transport mode security association, the GCKS
explicitly directs the Group Speaker's Composite Group Distributor
to intercept and replicate the Group Speaker's data traffic before
multicasting it to each Basic IPsec Group. The trusted control
interface between the GCKS and Composite Group Distributor is
implementation specific and it is outside the scope of this
specification.
5. IANA Considerations
This document does not require any IANA action.
6. Security Considerations
This document describes a large-scale Composite IPsec Group
architecture. Consequently, it inherits all of the security
considerations previously discussed in [Weis] for Basic IPsec Groups.
The reader is encouraged to review those security considerations in
addition to those discussed herein for Composite IPsec Groups.
6.1 Security Issues Solved by Composite IPsec Groups
Composite IPsec Groups accommodate the natural heterogeneity often
found in large-scale cryptographic groups. Two common motivations for
Composite IPsec Groups are easing the migration to new cryptographic
algorithms and handling country-specific cryptographic policies.
Appendix A enumerates a variety of other potential use cases.
Regardless of the motive, the primary benefit of composite groups is
that a group multicast application can interact without change with a
single virtual homogeneous cryptographic group. The Composite Group
Distributor and its supporting IPsec subsystems transparently apply
the correct IPsec transforms at the IP layer for each sub-group. An
operational benefit of Composite IPsec Groups is that it centralizes
the security policy management for multiple group multicast
applications into a single Security Officer role.
In contrast, in the scenario without the Composite Group capability,
a group multicast application must be re-programmed and re-configured
to correctly interact with the two or more Basic IPsec Groups.
Alternatively, the group multicast application must be re-programmed
to support an application layer security service equivalent to that
offered by the IPsec subsystem at the network layer. In either case,
the group multicast application incurs complexity and cost that could
have been avoided.
6.2 Security Issues Not Solved by Composite IPsec Groups
Gross, Cruickshank. Expires August, 2007 [Page 9]
Multicast IPsec Composite Cryptographic Groups
Similar as is the case for Basic IPsec Groups, the security issues
not solved by a Composite IPsec Group divide into two categories:
outsider attacks, and insider attacks. The discussion will focus on
the security issues that arise only in Composite IPsec Groups.
6.2.1 Outsider Attacks
A Composite IPsec Group using a weak cryptographic algorithm or key
strength in one of its Basic IPsec groups is vulnerable to an
Adversary that knows (or guesses) which sub-group uses that
algorithm. The Adversary can narrow its eavesdropping effort to only
the traffic sent to that sub-group and apply cryptoanalysis on that
sub-group's cipher-text.
The Composite Group Distributor can inadvertently leak the composite
group security policy to an Adversary that records the transmission
time of an IP packet, as each copy is encrypted and multicast for a
Basic IPsec Group. The Adversary could use that encryption processing
delay information to infer the cryptographic algorithm being applied
to a given Basic IPsec Group (e.g. AES encrypts at a faster rate than
triple-DES). The Composite Group Distributor can avoid this attack by
delaying each packet's transmission by a random dither.
If two Basic IPsec groups use the same encryption key but different
encryption algorithms for the same plain-text transmissions, then the
cipher-text may become vulnerable to differential analysis attacks.
This vulnerability exists only to the extent that comparing the
output of the encryption algorithms could disclose hints about the
plain text or the encryption key. Requiring the GKM protocol to
distribute a distinct encryption key for each Basic IPsec Group can
help mitigate this attack. Changing the keys more frequently is
another strategy.
6.2.2 Insider Attacks
Composite IPsec Groups are vulnerable to a registration time bid down
attack unless the GKM protocol has an accurate database describing
each group member's cryptographic capabilities. In the absence of GKM
enforcement at registration time, an insider Adversary could pretend
to support only a weak cryptographic algorithm. An accomplice to the
Adversary could eavesdrop and apply cryptoanalysis on the weakened
transmissions without the insider Adversary risking detection by
explicitly disclosing the key or plain text. To avoid this attack, a
Composite IPsec Group depends on the Group Owner designing a
membership authorization policy that forces each candidate Group
Receiver member to only join the Basic IPsec Group that implements
the strongest algorithms that their IPsec subsystem is known to
support. Special care must be taken when authorizing a Group Speaker,
as a group member in that role becomes a member of every Basic IPsec
Group.
Gross, Cruickshank. Expires August, 2007 [Page 10]
Multicast IPsec Composite Cryptographic Groups
A Composite Group Distributor under the control of an insider
Adversary could create a covert channel by altering the order in
which it multicast an IP packet to each Basic IP Group. An accomplice
to the Adversary who observed a long sequence of IP packet multicasts
could assemble the covert message from a codebook. Each symbol would
be represented by a different sequence of Basic IPsec Group
transmissions.
6.3 Implementation or Deployment Issues that Impact Security
The most prominent barrier to a successful Composite IPsec Group
deployment is the complexity of designing a composite group security
policy. Factors that should be considered when designing such
policies include:
o For each Basic IPsec Group, the policy should delegate the
subordinate GCKS role to the group member with the highest
trustworthiness amongst all members of that sub-group.
o A Group Receiver identity should be an authorised member of only
one Basic IPsec Group and that sub-group should represent the
strongest cryptographic algorithm that the member is capable of
supporting.
o The Group Speaker role is endowed with a membership in every sub-
group, and therefore this role should be authorised for only the
group's most trustworthy members.
o The weakest Basic IPsec Group should be the focal point for
retirement efforts, with the goal of moving its membership to
better cryptographic algorithms.
o A host system implementing the Composite Group Distributor
component will necessarily incur substantially more encryption
processing overhead, in proportion to the number of Basic IPsec
Groups that form the Composite IPsec Group. Consequently, care
should be exercised to minimise the number of Basic IPsec Groups.
o The use of ESP padding, frequent key changes, and a separate key
for each IPsec SA can help mitigate traffic analysis attacks that
compare the cipher-texts sent to multiple Basic IPsec Groups.
7. Acknowledgements
[TBD]
8. References
8.1 Normative References
Gross, Cruickshank. Expires August, 2007 [Page 11]
Multicast IPsec Composite Cryptographic Groups
[RFC1112] Deering, S., "Host Extensions for IP Multicasting," RFC
1112, August 1989.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Level", BCP 14, RFC 2119, March 1997.
[RFC3552] Rescorla, E., et. al., "Guidelines for Writing RFC Text on
Security Considerations", RFC 3552, July 2003.
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", RFC 4301, December 2005.
[RFC4302] Kent, S., "IP Authentication Header", RFC 4302, December
2005.
[RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC
4303, December 2004.
[Weis] Weis B., Gross G., Ignjatic D., "Multicast Extensions to the
Security Architecture for the Internet", draft-ietf-msec-extensions-
03.txt, October 2006, work in progress.
8.2 Informative References
[RFC2362] Estrin, D., et. al., "Protocol Independent Multicast-Sparse
Mode (PIM-SM): Protocol Specification", RFC 2362, June 1998.
[RFC2526] Johnson, D., and S. Deering., "Reserved IPv6 Subnet Anycast
Addresses", RFC 2526, March 1999.
[RFC3376] Cain, B., et. al., "Internet Group Management Protocol,
Version 3", RFC 3376, October 2002.
[RFC3547] Baugher, M., Weis, B., Hardjono, T., and H. Harney, "The
Group Domain of Interpretation", RFC 3547, December 2002.
[RFC3569] Bhattacharyya, S., "An Overview of Source-Specific
Multicast (SSM)", RFC 3569, July 2003.
[RFC3940] Adamson, B., et. al., "Negative-acknowledgment (NACK)-
Oriented Reliable Multicast (NORM) Protocol", RFC 3940, November
2004.
[RFC4082] Perrig, A., et. al., "Timed Efficient Stream Loss-Tolerant
Authentication (TESLA): Multicast Source Authentication Transform
Introduction", RFC 4082, June 2005.
[RFC4306] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol", RFC
4306, December 2005.
Gross, Cruickshank. Expires August, 2007 [Page 12]
Multicast IPsec Composite Cryptographic Groups
[RFC4359] Weis., B., "The Use of RSA/SHA-1 Signatures within
Encapsulating Security Payload (ESP) and Authentication Header (AH)",
RFC 4359, January 2006.
[RFC3451] Luby, M., et al, "Layered Coding Transport (LCT) Building
Block", RFC3451, December 2002.
Gross, Cruickshank. Expires August, 2007 [Page 13]
Multicast IPsec Composite Cryptographic Groups
Gross, Cruickshank. Expires August, 2007 [Page 14]
Multicast IPsec Composite Cryptographic Groups
APPENDIX A: Examples of Composite Cryptographic Group Use Cases
The following is a non-exhaustive list that identifies other
representative use cases where a Composite Group could be applied:
- A group policy that allows the use of both IETF standard and
vendor-specific cryptographic algorithms.
- A group straddling both IP-v4 and IP-v6 endpoints. For a group
spanning IP-v4 and IP-v6, the Group Speaker endpoint's Node must be
dual stack capable.
- A single group using a Reliable Multicast Transport protocol (RTMP)
that has a heterogeneous deployment of error recovery algorithms
(e.g. Forward Error Correction codes) at its endpoint population.
Each RMTP version is configured as a sub-group at a distinct
multicast destination IP address. In this case, the application's
payload is replicated within the Group Speaker before being
distributed to each RMTP version-specific subsystem. The Group
Speaker endpoint's system must implement all of the RMTP sub-group
versions.
- There are multiple multicast routing domains supporting the IPsec
group, each routing domain imposing its own policy defined multicast
IP address. The Composite Group Distributor must alter the multicast
destination IP address for each copy of the multicast packet before
it is sent to its respective routing domain.
- A multicast application wherein the Composite Group is the union of
multiple source-specific IP multicast groups. For example, a multi-
homed Group Speaker might require this configuration.
In principal, each of the above examples could be decomposed into
multiple independent basic IPsec cryptographic groups. However, that
incurs a commensurate increase in the multicast application's
overhead to discover, join, and manage each of those groups. A
preferable solution is for the multicast application to join one
Composite Group
Figures A-1, A-2, and A-3 illustrate several representative composite
group use cases.
Gross, Cruickshank. Expires August, 2007 [Page 15]
Multicast IPsec Composite Cryptographic Groups
+--------+------------+
| | .
| Subgrp1 |
| ^ +-------+|
| | | Group ||
| | |Speaker||
| | +--+----+|
| | | |
| +------+-----V--+ |
+---------------+ | | Group Speaker | | +---------------+
| Subgrp2, <------+Composite Group+------> Subgrp4, |
| No Speaker | | | Distributor | | | No Speaker |
+---------------+ | +------+------ + | +---------------+
| | |
+---------|-----------+
|
+------V--------+
| Subgrp3, |
| No Speaker |
+---------------+
Figure A-1: A simple Composite Group with a single Group Speaker
multicasting to 4 Basic IPsec Subgroups, each subgroup having a
different group security policy. The Group Speaker multicasts to all
four subgroups but it will receive its multicast traffic from only
from "Subgrp1". The Group Speaker's Composite Group Distributor (CGD)
replicates each of the Group Speaker's IP packets, transforms each
copied packet according to its respective Basic IPsec Subgroup's
security policy, and sends that copied packet to its subgroup. The
Composite Group's security policy specifies each Basic IPsec
Subgroup's membership authorization.
Gross, Cruickshank. Expires August, 2007 [Page 16]
Multicast IPsec Composite Cryptographic Groups
+------+--------+
| Subgrp1, CGD1 | .
| Speaker1 |
+------+--------+
|
|
+---------------+ +------+--------+ +---------------+
| Subgrp2, CGD2 +-----+ Satellite + ------+ Subgrp4, CGD4 |
| Speaker2 | | DVB network | | No Speaker |
+---------------+ +------+------ + +---------------+
|
|
+------+--------+
| Subgrp3, CGD3 |
| No Speaker |
+---------------+
Figure A-2: A Composite Group containing 4 Basic IPsec Subgroups,
with each subgroup having its own S-GCKS. There are 5 LKH trees, one
for each subgroup managed by a S-GCKS and one LKH tree managed by the
primary GCKS for the set of S-GCKS.
Gross, Cruickshank. Expires August, 2007 [Page 17]
Multicast IPsec Composite Cryptographic Groups
Figure A-3 illustrates a reliable multicast scenario using Layered
Coding Transport (LCT) as specified in RFC 3451 [RFC3451]. Each
subgroup corresponds to a LCT layer. Reliable content delivery and
streaming applications could leverage this type of configuration.
+------+--------+
| Sub-group1, | .
| LCT layer1 |
+------A--------+
|
|
+---------------+ +------+--------+ +---------------+
| Sub-group2 <-----+ Multi-layered + ------> Sub-group 4 |
| LCT layer2 | | Reliable | | LCT layer4 |
+---------------+ | Multicast CGD | +---------------+
+------+--------+
|
|
+------V--------+
| Sub-group3 |
| LCT layer3 |
+---------------+
Figure A-3: 4 The LCT groups are organized as Basic IPsec Subgroups
managed by a centralized GCKS.
Author's Address
George Gross
IdentAware Security
82 Old Mountain Road
Lebanon, NJ 08833, USA
908-268-1629
gmgross@identaware.com
Haitham Cruickshank
Centre for Communications System Research (CCSR)
University of Surrey
Guildford, Surrey, GU2 7XH
UK
Email: h.cruickshank@surrey.ac.uk
Gross, Cruickshank. Expires August, 2007 [Page 18]
Multicast IPsec Composite Cryptographic Groups
Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed
to pertain to the implementation or use of the technology
described in this document or the extent to which any license
under such rights might or might not be available; nor does it
represent that it has made any independent effort to identify any
such rights. Information on the procedures with respect to rights
in RFC documents can be found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use
of such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository
at http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at ietf-
ipr@ietf.org.
Disclaimer of Validity
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST
AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY
THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS
OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
PARTICULAR PURPOSE.
Copyright Statement
Copyright (C) The IETF Trust (2007). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Gross, Cruickshank. Expires August, 2007 [Page 19]