GSAKMP: Group Secure Association Key Management Protocol
RFC 4535
| Section | Field | Value |
|---|---|---|
| Document | Type | RFC - Proposed Standard (June 2006; No errata) |
| | Authors | Hugh Harney, Andrea Colegrove, Uri Meth, George Gross |
| | Last updated | 2013-03-02 |
| | Stream | IETF |
| | Formats | plain text, html, pdf, htmlized, bibtex |
| Stream | WG state | (None) |
| | Document shepherd | No shepherd assigned |
| IESG | IESG state | RFC 4535 (Proposed Standard) |
| | Action Holders | (None) |
| | Consensus Boilerplate | Unknown |
| | Telechat date | |
| | Responsible AD | Russ Housley |
| | Send notices to | canetti@watson.ibm.com, ldondeti@nortel.com |
Network Working Group: H. Harney, U. Meth, A. Colegrove (SPARTA, Inc.), G. Gross (IdentAware)
Request for Comments: 4535
Category: Standards Track
June 2006

GSAKMP: Group Secure Association Key Management Protocol

Status of This Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2006).

Abstract

This document specifies the Group Secure Association Key Management Protocol (GSAKMP). The GSAKMP provides a security framework for creating and managing cryptographic groups on a network. It provides mechanisms to disseminate group policy and authenticate users, rules to perform access control decisions during group establishment and recovery, capabilities to recover from the compromise of group members, delegation of group security functions, and capabilities to destroy the group. It also generates group keys.

Harney, et al. Standards Track [Page 1]

RFC 4535 GSAKMP June 2006

Table of Contents

| Section | Page |
|---|---|
| 1. Introduction | 7 |
| 1.1. GSAKMP Overview | 7 |
| 1.2. Document Organization | 9 |
| 2. Terminology | 9 |
| 3. Security Considerations | 12 |
| 3.1. Security Assumptions | 12 |
| 3.2. Related Protocols | 13 |
| 3.2.1. ISAKMP | 13 |
| 3.2.2. FIPS Pub 196 | 13 |
| 3.2.3. LKH | 13 |
| 3.2.4. Diffie-Hellman | 14 |
| 3.3. Denial of Service (DoS) Attack | 14 |
| 3.4. Rekey Availability | 14 |
| 3.5. Proof of Trust Hierarchy | 15 |
| 4. Architecture | 15 |
| 4.1. Trust Model | 15 |
| 4.1.1. Components | 15 |
| 4.1.2. GO | 16 |
| 4.1.3. GC/KS | 16 |
| 4.1.4. Subordinate GC/KS | 17 |
| 4.1.5. GM | 17 |
| 4.1.6. Assumptions | 18 |
| 4.2. Rule-Based Security Policy | 18 |
| 4.2.1. Access Control | 19 |
| 4.2.2. Authorizations for Security-Relevant Actions | 20 |
| 4.3. Distributed Operation | 20 |
| 4.4. Concept of Operation | 22 |
| 4.4.1. Assumptions | 22 |
| 4.4.2. Creation of a Policy Token | 22 |
| 4.4.3. Creation of a Group | 23 |
| 4.4.4. Discovery of GC/KS | 24 |
| 4.4.5. GC/KS Registration Policy Enforcement | 24 |
| 4.4.6. GM Registration Policy Enforcement | 24 |
| 4.4.7. Autonomous Distributed GSAKMP Operations | 24 |
| 5. Group Life Cycle | 27 |
| 5.1. Group Definition | 27 |
| 5.2. Group Establishment | 27 |
| 5.2.1. Standard Group Establishment | 28 |
| 5.2.1.1. Request to Join | 30 |
| 5.2.1.2. Key Download | 31 |
| 5.2.1.3. Request to Join Error | 33 |
| 5.2.1.4. Key Download - Ack/Failure | 34 |
| 5.2.1.5. Lack of Ack | 35 |
| 5.2.2. Cookies: Group Establishment with Denial of Service Protection | 36 |