The Multicast Group Security Architecture
RFC 3740
Document Type RFC - Informational (March 2004; No errata)
Authors Thomas Hardjono  , Brian Weis 
Last updated 2013-03-02
Stream IETF
Formats plain text html pdf htmlized bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 3740 (Informational)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Russ Housley
Send notices to (None)
Email authors Email WG IPR References Referenced by Nits 
Network Working Group                                        T. Hardjono
Request for Comments: 3740                                      Verisign
Category: Informational                                          B. Weis
                                                                   Cisco
                                                              March 2004

               The Multicast Group Security Architecture

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2004).  All Rights Reserved.

Abstract

   This document provides an overview and rationale of the multicast
   security architecture used to secure data packets of large multicast
   groups.  The document begins by introducing a Multicast Security
   Reference Framework, and proceeds to identify the security services
   that may be part of a secure multicast solution.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  2
       1.1.  Scope. . . . . . . . . . . . . . . . . . . . . . . . . .  2
       1.2.  Summary of Contents of Document. . . . . . . . . . . . .  3
       1.3.  Audience . . . . . . . . . . . . . . . . . . . . . . . .  4
       1.4.  Terminology. . . . . . . . . . . . . . . . . . . . . . .  4
   2.  Architectural Design: The Multicast Security Reference
       Framework. . . . . . . . . . . . . . . . . . . . . . . . . . .  4
       2.1.  The Reference Framework. . . . . . . . . . . . . . . . .  4
       2.2.  Elements of the Centralized Reference Framework. . . . .  5
             2.2.1.  Group Controller and Key Server. . . . . . . . .  6
             2.2.2.  Sender and Receiver. . . . . . . . . . . . . . .  7
             2.2.3.  Policy Server. . . . . . . . . . . . . . . . . .  7
       2.3.  Elements of the Distributed Reference Framework. . . . .  8
   3.  Functional Areas . . . . . . . . . . . . . . . . . . . . . . .  9
       3.1.  Multicast Data Handling. . . . . . . . . . . . . . . . .  9
       3.2.  Group Key Management . . . . . . . . . . . . . . . . . . 10
       3.3.  Multicast Security Policies. . . . . . . . . . . . . . . 11
   4.  Group Security Associations (GSA). . . . . . . . . . . . . . . 12
       4.1.  The Security Association . . . . . . . . . . . . . . . . 12

Hardjono & Weis              Informational                      [Page 1]
RFC 3740         Multicast Group Security Architecture        March 2004

       4.2.  Structure of a GSA: Introduction . . . . . . . . . . . . 13
       4.3.  Structure of a GSA: Reasoning. . . . . . . . . . . . . . 14
       4.4.  Definition of GSA. . . . . . . . . . . . . . . . . . . . 15
       4.5.  Typical Compositions of a GSA. . . . . . . . . . . . . . 17
   5.  Security Services. . . . . . . . . . . . . . . . . . . . . . . 17
       5.1.  Multicast Data Confidentiality . . . . . . . . . . . . . 18
       5.2.  Multicast Source Authentication and Data Integrity . . . 18
       5.3.  Multicast Group Authentication . . . . . . . . . . . . . 19
       5.4.  Multicast Group Membership Management. . . . . . . . . . 19
       5.5.  Multicast Key Management . . . . . . . . . . . . . . . . 20
       5.6.  Multicast Policy Management. . . . . . . . . . . . . . . 21
   6.  Security Considerations. . . . . . . . . . . . . . . . . . . . 22
       6.1.  Multicast Data Handling. . . . . . . . . . . . . . . . . 22
       6.2.  Group Key Management . . . . . . . . . . . . . . . . . . 22
       6.3.  Multicast Security Policies. . . . . . . . . . . . . . . 22
   7.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 23
   8.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 23
       8.1.  Normative References . . . . . . . . . . . . . . . . . . 23
       8.2.  Informative References . . . . . . . . . . . . . . . . . 23
   9.  Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 25
   10. Full Copyright Statement . . . . . . . . . . . . . . . . . . . 26

1.  Introduction

   Securing IP multicast group communication is a complex task that
   involves many aspects.  Consequently, a secure IP multicast protocol
   suite must have a number of functional areas that address different
   aspects of the solution.  This document describes those functional
   areas and how they are related.

1.1.  Scope

   This architecture is concerned with the securing of large multicast
   groups.  Whereas it can also be used for smaller groups, it is not
   necessarily the most efficient means.  Other architectures (e.g., the
   Cliques architecture [STW]) can be more efficient for small ad-hoc
   group communication.

   This architecture is "end to end", and does not require multicast
   routing protocols (e.g., PIM [RFC2362]) to participate in this
   architecture.  Inappropriate routing may cause denial of service to
   application layer groups conforming to this architecture.  However
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools