Multicast Extensions to the Security Architecture for the Internet Protocol
RFC 5374
Section | Field | Value
---|---|---
Document | Type | RFC - Proposed Standard (November 2008; No errata)
Document | Authors | George Gross, Brian Weis, Dragan Ignjatic
Document | Last updated | 2015-10-14
Document | Stream | Internet Engineering Task Force (IETF)
Document | Formats | plain text, html, pdf, htmlized (tools), htmlized, bibtex
Document | Reviews | (None)
Stream | WG state | (None)
Stream | Document shepherd | No shepherd assigned
IESG | IESG state | RFC 5374 (Proposed Standard)
IESG | Action Holders | (None)
IESG | Consensus Boilerplate | Unknown
IESG | Telechat date | (None)
IESG | Responsible AD | Tim Polk
IESG | Send notices to | (None)
Network Working Group                                            B. Weis
Request for Comments: 5374                                 Cisco Systems
Category: Standards Track                                       G. Gross
                                           Secure Multicast Networks LLC
                                                             D. Ignjatic
                                                                 Polycom
                                                           November 2008

Multicast Extensions to the Security Architecture for the Internet Protocol

Status of This Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (c) 2008 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.

Abstract

The Security Architecture for the Internet Protocol describes security services for traffic at the IP layer. That architecture primarily defines services for Internet Protocol (IP) unicast packets. This document describes how the IPsec security services are applied to IP multicast packets. These extensions are relevant only for an IPsec implementation that supports multicast.

Weis, et al.                Standards Track                     [Page 1]

RFC 5374              Multicast Extensions to RFC 4301         November 2008

Table of Contents

   1. Introduction ....................................................3
      1.1. Scope ......................................................3
      1.2. Terminology ................................................4
   2. Overview of IP Multicast Operation ..............................6
   3. Security Association Modes ......................................7
      3.1. Tunnel Mode with Address Preservation ......................7
   4. Security Association ............................................8
      4.1. Major IPsec Databases ......................................8
           4.1.1. Group Security Policy Database (GSPD) ...............8
           4.1.2. Security Association Database (SAD) ................12
           4.1.3. Group Peer Authorization Database (GPAD) ...........12
      4.2. Group Security Association (GSA) ..........................14
           4.2.1. Concurrent IPsec SA Life Spans and Re-key Rollover .15
      4.3. Data Origin Authentication ................................17
      4.4. Group SA and Key Management ...............................18
           4.4.1. Co-Existence of Multiple Key Management Protocols ..18
   5. IP Traffic Processing ..........................................18
      5.1. Outbound IP Traffic Processing ............................18
      5.2. Inbound IP Traffic Processing .............................19
   6. Security Considerations ........................................22
      6.1. Security Issues Solved by IPsec Multicast Extensions ......22
      6.2. Security Issues Not Solved by IPsec Multicast Extensions ..23
           6.2.1. Outsider Attacks ...................................23
           6.2.2. Insider Attacks ....................................23
      6.3. Implementation or Deployment Issues that Impact Security ..24
           6.3.1. Homogeneous Group Cryptographic Algorithm
                  Capabilities .......................................24
           6.3.2. Groups that Span Two or More Security
                  Policy Domains .....................................24
           6.3.3. Source-Specific Multicast Group Sender
                  Transient Locators .................................25
   7. Acknowledgements ...............................................25
   8. References .....................................................25
      8.1. Normative References ......................................25
      8.2. Informative References ....................................26
   Appendix A - Multicast Application Service Models .................28
      A.1 Unidirectional Multicast Applications ......................28
      A.2 Bi-directional Reliable Multicast Applications .............28
      A.3 Any-To-Any Multicast Applications ..........................30
   Appendix B - ASN.1 for a GSPD Entry ...............................30
      B.1 Fields Specific to a GSPD Entry ............................30