GSAKMP: Group Secure Association Key Management Protocol
RFC 4535
Document Type RFC - Proposed Standard (June 2006; No errata)
Last updated 2013-03-02
Stream IETF
Formats plain text pdf html bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 4535 (Proposed Standard)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Russ Housley
Send notices to canetti@watson.ibm.com, ldondeti@nortel.com
Email authors Email WG IPR References Referenced by Nits 
Network Working Group                                          H. Harney
Request for Comments: 4535                                       U. Meth
Category: Standards Track                                   A. Colegrove
                                                            SPARTA, Inc.
                                                                G. Gross
                                                              IdentAware
                                                               June 2006

        GSAKMP: Group Secure Association Key Management Protocol

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This document specifies the Group Secure Association Key Management
   Protocol (GSAKMP).  The GSAKMP provides a security framework for
   creating and managing cryptographic groups on a network.  It provides
   mechanisms to disseminate group policy and authenticate users, rules
   to perform access control decisions during group establishment and
   recovery, capabilities to recover from the compromise of group
   members, delegation of group security functions, and capabilities to
   destroy the group.  It also generates group keys.

Harney, et al.              Standards Track                     [Page 1]
RFC 4535                         GSAKMP                        June 2006

Table of Contents

   1. Introduction ....................................................7
      1.1. GSAKMP Overview ............................................7
      1.2. Document Organization ......................................9
   2. Terminology .....................................................9
   3. Security Considerations ........................................12
      3.1. Security Assumptions ......................................12
      3.2. Related Protocols .........................................13
           3.2.1. ISAKMP .............................................13
           3.2.2. FIPS Pub 196 .......................................13
           3.2.3. LKH ................................................13
           3.2.4. Diffie-Hellman .....................................14
      3.3. Denial of Service (DoS) Attack ............................14
      3.4. Rekey Availability ........................................14
      3.5. Proof of Trust Hierarchy ..................................15
   4. Architecture ...................................................15
      4.1. Trust Model ...............................................15
           4.1.1. Components .........................................15
           4.1.2. GO .................................................16
           4.1.3. GC/KS ..............................................16
           4.1.4. Subordinate GC/KS ..................................17
           4.1.5. GM .................................................17
           4.1.6. Assumptions ........................................18
      4.2. Rule-Based Security Policy ................................18
           4.2.1. Access Control .....................................19
           4.2.2. Authorizations for Security-Relevant Actions .......20
      4.3. Distributed Operation .....................................20
      4.4. Concept of Operation ......................................22
           4.4.1. Assumptions ........................................22
           4.4.2. Creation of a Policy Token .........................22
           4.4.3. Creation of a Group ................................23
           4.4.4. Discovery of GC/KS .................................24
           4.4.5. GC/KS Registration Policy Enforcement ..............24
           4.4.6. GM Registration Policy Enforcement .................24
           4.4.7. Autonomous Distributed GSAKMP Operations ...........24
   5. Group Life Cycle ...............................................27
      5.1. Group Definition ..........................................27
      5.2. Group Establishment .......................................27
           5.2.1. Standard Group Establishment .......................28
                  5.2.1.1. Request to Join ...........................30
                  5.2.1.2. Key Download ..............................31
                  5.2.1.3. Request to Join Error .....................33
                  5.2.1.4. Key Download - Ack/Failure ................34
                  5.2.1.5. Lack of Ack ...............................35
           5.2.2. Cookies: Group Establishment with Denial of
                  Service Protection .................................36
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools