Internet DRAFT - draft-ietf-trill-group-keying
draft-ietf-trill-group-keying
TRILL Workgroup D. Eastlake
Internet-Draft Futurewei Technologies
Intended status: Standards Track D. Zhang
Expires: May 19, 2023 Huawei Technologies
November 20, 2022
Simple Group Keying Protocol (SGKP)
<draft-ietf-trill-group-keying-11.txt>
Abstract
This document specifies a simple general group keying protocol that
provides for the distribution of shared secret keys to group members
and the management of such keys. It assumes that secure pairwise keys
can be created between any two group members.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Revised BSD License text as described in Section 4.e of the
Trust Legal Provisions and are provided without warranty as described
in the Revised BSD License.
Distribution of this document is unlimited. Comments should be sent
to the authors or the TRILL mailing list: trill@ietf.org.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
https://www.ietf.org/1id-abstracts.html. The list of Internet-Draft
Shadow Directories can be accessed at
https://www.ietf.org/shadow.html.
D. Eastlake & D. Zhang Expires May 2023 [Page 1]
�
INTERNET-DRAFT Simple Group Keying November 2022
Copyright Notice
Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Revised BSD License text as described in Section 4.e of the
Trust Legal Provisions and are provided without warranty as described
in the Revised BSD License.
D. Eastlake & D. Zhang Expires May 2023 [Page 2]
�
INTERNET-DRAFT Simple Group Keying November 2022
Table of Contents
1. Introduction............................................4
1.1 Terminology and Acronyms..............................4
2. Simple Group Keying Protocol............................5
2.1 Assumptions............................................5
2.2 Group Keying Procedure Overview........................5
2.3 Transmission and Receipt of Group Data Messages........6
2.4 Changes in Group Membership or GKd.....................7
3. Group Keying Messages...................................8
3.1 Set Key Message.......................................10
3.2 Use, Delete, Disuse, or Deleted Key Messages..........12
3.3 Response Message......................................13
3.3.1 Response Codes......................................15
3.4 No-Op Message.........................................16
4. Security Considerations................................18
5. IANA Considerations....................................19
Normative References......................................21
Informative References....................................21
Acknowledgements..........................................22
D. Eastlake & D. Zhang Expires May 2023 [Page 3]
�
INTERNET-DRAFT Simple Group Keying November 2022
1. Introduction
This document specifies a simple general group keying protocol that
provides for the distribution of shared secret keys to group members
and for the management of such keys. It assumes that secure pairwise
keys can be created between any two group members.
A companion document specifies two profiles for the use of this group
keying protocol in a case using DTLS and a case using IPsec payload
formats. It is anticipated that there will be other uses for this
group keying protocol.
1.1 Terminology and Acronyms
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119] [RFC8174]
when, and only when, they appear in all capitals, as shown here.
This document uses the following terms and acronyms:
AES - Advanced Encryption Standard.
DTLS - Datagram Transport Level Security [RFC9147].
GKd - A distinguished station in a group that is in charge of
which group key (Section 2) is in use.
GKs - Stations in a group other than GKd (Section 2).
IS-IS - Intermediate System to Intermediate System [RFC7176].
keying material - The set of a Key ID, a secret key, and a cypher
suite.
QoS - Quality of Service.
RBridge - An alternative term for a TRILL switch.
TRILL - Transparent Interconnection of Lots of Links or Tunneled
Routing in the Link Layer [RFC6325] [RFC7780].
TRILL switch - A device that implements the TRILL protocol
[RFC6325] [RFC7780], sometimes referred to as an RBridge.
D. Eastlake & D. Zhang Expires May 2023 [Page 4]
�
INTERNET-DRAFT Simple Group Keying November 2022
2. Simple Group Keying Protocol
This section gives an overview of the assumptions and capabilities of
the Simple Group Keying Protocol (SGKP) that provides shared secret
group keys. Further details of the messages used for this protocol
are give in Section 3.
Any particular use of this protocol will require profiling giving
further details and specifics for that use. For example, the envelope
used for addressing and transmitting the messages of this protocol
must be specified for any particular use. This protocol is not
suitable for discovery messages but is intended for use between
members of a group that have already established or can establish
pair-wise security.
2.1 Assumptions
The following are assumed:
- All pairs of stations in the group can engage in pairwise
communication with unicast messages and each can groupcast a
message to the other group members.
- At any particular time, there is a distinguished station GKd in
the group that is in charge of keying for the groupcast data
messages to be sent to the group. The group wide shared secret
keys established by GKd are referred to herein as "dynamic"
keys.
- Pairwise keying has been negotiated between GKd and each other
station GKs1, GKs2, ... GKsN in the group. These keys are
referred to in this protocol as "pairwise" keys.
- There are one or more keys, other than the dynamic or pairwise
keys, which are already in place at all group member stations
and may be present at other stations. These are referred to as
"stable" keys.
When keying material is stored by a station, it is accompanied by a
"use flag" indicating whether or not that keying material is usable
for groupcast transmissions.
2.2 Group Keying Procedure Overview
GKd sends unicast keying messages to the other stations in the group
and they respond as specified below and in further detail in the
particular use profiles of SGKP. All such keying messages MUST be
encrypted and authenticated using the pairwise keys as further
specified in the use profile.
D. Eastlake & D. Zhang Expires May 2023 [Page 5]
�
INTERNET-DRAFT Simple Group Keying November 2022
Typically, GKd sends a keying message to each GKs with keying
material. After successful acknowledgement of receipt from each GKs,
GKd sends a keying message to each GKs instructing it to use the
dynamic key GKd has set. It would be common for GKd to set a new
dynamic key at each GKs while an older dynamic key is in use so that
GKd can more promptly roll over to the new dynamic key when
appropriate.
To avoid an indefinite build up of keying material at a GKs, keys
have a lifetime specified by GKd and GKd can send a message deleting
a key. (GKd can also send a message indicating that a key is no
longer to be used but leaving it set.) Should the space available at
a GKs for keying material be exhausted, on receipt of a Set Key
keying message from GKd for a new key ID, GKs discards a dynamic key
it has and originates a Delete Key message to the source of that
dynamic key.
2.3 Transmission and Receipt of Group Data Messages
If a group has only one member, transmission of data between group
members is a moot question and any messages that would be so
transmitted if the group had more members are discarded.
If a group has only two members, then pairwise security is used
between them.
When a group has more than two members and a station in the group
transmits a data message to the group, if the transmitter has one or
more keys set by GKd that it has been instructed to use, it uses one
of those keys and its associated cypher suite to secure the data
message and then groupcasts it to all other membes of the group. If
it has no such key, then it uses serial unicast to send the data
message to each other member of the group, negotiating pairwise keys
with them if it does not already have such pairwise keys. Thus, it is
a responsibility of GKd not to authorize the use of a groupcast key
until it knows that all the GKs have that key.
When a station in the group receives data that has been groupcast to
the group, if the receiver has the key referenced by the data message
the receiver decrypts and verifies it. If verification fails or if
the receiver does not have the required key, the receiver discards
the data message. Thus whether GKs has been directed to "use" a key
by GKd is relevant only to transmission, not reception.
D. Eastlake & D. Zhang Expires May 2023 [Page 6]
�
INTERNET-DRAFT Simple Group Keying November 2022
2.4 Changes in Group Membership or GKd
When a new station joins the group, GKd SHOULD send that station the
currently in-use group key and instruct it to use that key and MAY
send it other keys known to the group members and intended for future
use.
If GKd detects that one or more stations that were members of the
group are no longer members of the group, it SHOULD generate and
distribute a new group key to the remaining group members, instruct
them to use this new key, and delete from them any old keys known to
the departed group member station(s) or at least instructing them to
dis-use such old keys that are marked for use; however, in the case
of groups with large and/or highly dynamic membership, where a
station might frequently leave and then rejoin, it may, as a
practical matter, be necessary to rekey less frequently.
A new group member can become GKd due to the previous GKd leaving the
group or a configuration change or the like. A GKs MUST NOT use
keying material for transmission that was set by a station that it
determines is not GKd. To avoid a gap in service, a station that is
not GKd MAY set keying material at other stations in the group;
however, such a non-GKd station cannot set the use flag for any such
keying material. It is RECOMENDED that the second highest priority
station to be GKd set such keying material at all other stations in
the group. Should a station run out of room for keying material, it
SHOULD discard keying material set by a station with lower priority
to be GKd before discarding keying material set by a higher priority
station and among keys set by GKd is SHOULD discard the lest recently
used first.
D. Eastlake & D. Zhang Expires May 2023 [Page 7]
�
INTERNET-DRAFT Simple Group Keying November 2022
3. Group Keying Messages
Keying messages start with a Version number. This document specifies
Version zero.
Keying messages are structured, as shown in Figure 3.1 below, as
o a Version number,
o a Response flag,
o a Key ID length,
o the Key ID of a stable key,
o a group keying use profile identifier,
o possible padding,
o a key wrap algorithm specifier, and finally
o a key wrapped vector of additional fields wrapped using a key
derived from the stable key identified.
Keying messages are always sent unicast and encrypted and
authenticated with the appropriate pairwise key, all as further
specified for the particular use profile. It will typically be
possible for GKd to calculate the keying message once, including the
wrapping under a key derived from the stable key, then send that
message to various GKs using the different pairwise keys for each
GKs.
+-+-+-+-+-+-+-+-+
|Ver|R|KeyID1Lng| 1 byte
+-+-+-+-+-+-+-+-+...
| KeyID1 ... KeyID1Lngth bytes
+-+-+-+-+-+-+-+-+...
| Use Type | 1 byte
+-+-+-+-+-+-+-+-+
| Pad1 Length | 1 byte
+-+-+-+-+-+-+-+-+...
| Padding Pad1 Length bytes
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+...
| KW Al | KW Length | 2 bytes
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+...
|
| Key Wrapped Material Variable size
|
+-+-+-+-+-+-+-+-...
Figure 3.1. Keying Message Structure
The fields in Figure 3.1 are as follows:
Ver - Group Keying protocol version. This document specifies
version zero.
D. Eastlake & D. Zhang Expires May 2023 [Page 8]
�
INTERNET-DRAFT Simple Group Keying November 2022
R - Response flag. If set to one, indicates a response message.
If set to zero, indicated a request or no-op message.
KeyID1Lngth, KeyID1 - KeyID1 identifies the stable key wrapping
key (also known as the Key Encrypting Key (KEK)) as further
specified in the use profile. KeyID1Lngth is a 5-bit field
that gives the length of KeyID1 in bytes minus 1 as an
unsigned integer.
Use Type - Specifies the particular group security use profile
such as one of the two profiles in [SGKPuses]. See Section
5, Item 3.
Pad1 Length, Pad1 - Padding to obscure the non-padded message
size. Pad1 Length may be from 0 to 255 and gives the length
of the padding as an unsigned integer. Each byte of padding
MUST be equal to Pad1 Length. For example, 3 bytes of
padding with length is 0x03030303.
KW Algorithm - An unsigned integer 4-bit field specifying the
Key Wrap Algorithm. See Section 5, Item 4.
KW Length - An unsigned integer 12-bit field that gives the
length of the Key Wrapped Material in octets as an unsigned
integer.
Key Wrapped Material - The output of the designated Key
Wrapping Algorithm on the message vector of fields using
the designated stable key.
The vector of fields contained within the key wrapping is specified
for the various keying messages in subsections below. The contents
of this wrapped vector are protected by the key wrapping as well as
being authenticated and super-encrypted by the pairwise keyed
security used for sending the overall keying message. The probability
that the stable key used for key wrapping is the same as the outer
message pairwise key MUST be insignificant (less that 1 in 2**64).
Each group keying message contains, in the key wrapped vector of
fields, a message type and a message ID set by the sender of a
request. These fields are returned in the corresponding response to
assist in the matching of response to requests, except that there is
no response required to the No-Op message.
If no response is received to a request (other than a No-Op request)
for an amount of time configurable in milliseconds from 1 to ( 2**15
- 1 ), the request is re-transmitted with the same message ID. These
retries can occur up to a configurable number of times from 1 to 8.
Unless otherwise provided in the particular use profile, the default
response delay threshold is 200 milliseconds and the default maximum
D. Eastlake & D. Zhang Expires May 2023 [Page 9]
�
INTERNET-DRAFT Simple Group Keying November 2022
number of retries is 3.
Keying messages are sent with a priority/QoS configurable on a per
device per use type basis. The default priority/QoS is specified in
the use profile.
Since the minimum length of the Key Wrapped Material is 16 bytes, the
minimum valid length of a keying message before pairwise security is
22 bytes, even if KeyID1 Length and Pad1 Length are zero. All multi-
byte fields are in network order, that is, with the most significant
byte first. The maximum valid length before pairwise security is 6
(fixed bytes) + 32 (max KeyID1) + 255 (max padding) + 4095 (max KW
material) = 4388 bytes. However, the Key Wrapped Material is usually
quite compact. To reduce possible problems with MTU, fragmentation,
etc., keying messages SHOULD NOT exceed 1000 bytes in length.
3.1 Set Key Message
The structure of the wrapped vector of fields for the Set Key keying
message is as show in Figure 3.2. A recipient automatically
determines the overall length provided for this vector of fields
inside the key wrapping as a byproduct of the process of key
unwrapping.
D. Eastlake & D. Zhang Expires May 2023 [Page 10]
�
INTERNET-DRAFT Simple Group Keying November 2022
+-+-+-+-+-+-+-+-+
| Msg Type = 1 | 1 bytes
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Msg ID 3 bytes |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Pad2 Length | 1 bytes
+-+-+-+-+-+-+-+-+...
| Padding Pad2 Length bytes
+-+-+-+-+-+-+-+-+...
| Other Variable size
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Lifetime | 2 bytes
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| KeyID2 Length | 1 byte
+-+-+-+-+-+-+-+-+
| KeyID2 ... KeyID2 Length bytes
+-+-+-+-+-+-+-+-+
| CypherSuiteLng| 1 byte
+-+-+-+-+-+-+-+-+
| CypherSuite ... CypherSuiteLng bytes
+-+-+-+-+-+-+-+-...
| Key ... Variable size
+-+-+-+-+-+-+-+-...
Figure 3.2. Set Key Message Inner Structure
The fields are as follows:
Msg Type = 1 for Set Key message
Msg ID - A 3 byte quantity to be included in the corresponding
response message to assist in matching requests and
responses. Msg ID zero has a special meaning in responses
and MUST NOT be used in a Set Key message or any other
group keying request message.
Pad2 Length, Pad2 - Padding to obscure the size of the unpadded
wrapped data. Pad2 Length may be from 0 to 255 and gives
the length of the padding as an unsigned integer. Each byte
of padding MUST be equal to Pad1 Length. For example, 2
bytes of padding with length byte is 0x020202.
Other - Additional information if specified in the use profile.
If Other information in this message is not mentioned in
the use profile, there is none and this portion of the
wrapped information is null. If a use profile specifies
Other information it must be possible to determine its
length so that following fields can be properly parsed and
so that the size of the Key field can be deduced; for
example, Other could begin with a length byte.
D. Eastlake & D. Zhang Expires May 2023 [Page 11]
�
INTERNET-DRAFT Simple Group Keying November 2022
Lifetime - A 2-byte unsigned integer. After that number of
seconds plus one second, the key and associated information
being set MUST be discarded. Unless otherwise specified for
a particular use profile of this group keying protocol, the
default Lifetime is 10,000 seconds or about 2 hours and 46
minutes.
KeyID2 Length, KeyID2 - KeyID2 identifies the group key and
associated information being set as further specified in
the use profile. KeyID2 Length is an unsigned byte that
gives the length of KeyID2 in bytes.
CypherSuiteLng, CypherSuite - CypherSuite identifies the cypher
suite associated with the key being set as further
specified in the use profile. CypherSuite Length is an
unsigned byte the gives the length of CypherSuite in bytes.
Key - This is the actually group shared secret keying material
being set. Its length is deduced from the overall length of
the vector of fields (found by the key unwrap operation)
and the length of the preceding fields.
Keying material and associated cypher suite are indexed under the Key
ID and the identity of the station that sent the information. This
identity is normally the address of that station as specified in the
use profile.
If GKs already has a dynamic key set under KeyID2, the key's value
and associated cypher suite are compared with those in the Set Key
messages. If they are the same, the only receiver action is to update
the Lifetime information associated with KeyID2 and send a Response
message. If they are different, the lifetime, cypher suite, and key
(and possibly Other material) are replaced, the use flag is cleared,
and a Response message sent.
3.2 Use, Delete, Disuse, or Deleted Key Messages
The structure of the wrapped material for the Use Key, Delete Key,
Disuse Key, and Deleted Key keying messages are the same as each
other except for the message type and are shown in Figure 3.3
D. Eastlake & D. Zhang Expires May 2023 [Page 12]
�
INTERNET-DRAFT Simple Group Keying November 2022
+-+-+-+-+-+-+-+-+
| Msg Type = t | 1 byte
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Msg ID 3 bytes |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Pad2 Length | 1 bytes
+-+-+-+-+-+-+-+-+...
| Padding Pad2 Length bytes
+-+-+-+-+-+-+-+-+...
| Other Variable size
+-+-+-+-+-+-+-+-+...
| KeyID2 Length | 1 byte
+-+-+-+-+-+-+-+-+...
| KeyID2 ... KeyID2 bytes
+-+-+-+-+-+-+-+-+...
Figure 3.3. Use, Delete, Disuse, or Deleted Key Message
The Msg Type field specifies the particular message as follows:
Msg Type Message
-------- ----------
2 Use Key
3 Delete Key
4 Disuse Key
5 Deleted Key
The remaining fields are as specified in Section 3.1. KeyID2
indicates the key to be used, deleted, for which use should cease, or
which has been deleted, depending on the message type.
It is RECOMMENDED that these messages be padded so as to be the same
length as a typical Set Key message.
The Delete Key is sent by a station believing itself to be GKd
instructing some GKs to delete a key. When a GKs spontaneously
deletes a key, it sends a Deleted Key message to the station from
which it received the key. The message types for Delete Key and
Deleted Key are different to minimize confusion in corner cases such
as the GKd changing while messages are in flight. The Msg ID used in
a Deleted Key message is created by the sending GKs from a space of
Msg IDs associated with that GKs, which space is independent of the
Msg IDs used in requests originated by GKd.
3.3 Response Message
The structure of the wrapped material for the Response group keying
message is as show below in Figure 3.4. A response message is
D. Eastlake & D. Zhang Expires May 2023 [Page 13]
�
INTERNET-DRAFT Simple Group Keying November 2022
indicated by the R bit in the first byte of the message outside the
key wrapping.
A response MUST NOT be sent due to the receipt of a response. The R
bit is outside of the key wrapping so that this rule can be enforced
even in case unwrapping is not possible.
+-+-+-+-+-+-+-+-+
| Msg Type = n | 1 byte
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Msg ID 3 bytes |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Pad2 Length | 1 bytes
+-+-+-+-+-+-+-+-+...
| Padding Pad2 Length bytes
+-+-+-+-+-+-+-+-+...
| Other Variable size
+-+-+-+-+-+-+-+-+...
| Response Code | 1 byte
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ReqPartLength | 2 bytes
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+...
| Request Part ReqPartLength bytes
+-+-+-+-+-+-+-+-...
Figure 3.4. Response Message Inner Structure
Except as specified below, the fields are as specified for the Key
Set message in Section 3.1.
Msg Type, Msg ID - The content of these field is copied from
the message in reply to which this Response message is sent
unless there is an error that stops the replying station
from determining them; in that case the special value zero
is used for the Msg Type and Msg ID. Errors where the Msg
Type and ID could not be determined are indicated by a
Response Code with its high order bit set to one, that is,
the 0b1xxxxxxx bit set.
Response Code - An unsigned byte giving the response as
enumerated in in Section 3.3.1. Any Response Code other
than a success indicates that the receiver took no action
on the request other than sending an error Response
message.
ReqPartLength, Request Part: It is usually usefully to include
some or all of the request message in error responses.
- If the Response Code high order two bits are zero, the
request succeeded and ReqPartLength MUST be set to zero
so Request Part will be null.
D. Eastlake & D. Zhang Expires May 2023 [Page 14]
�
INTERNET-DRAFT Simple Group Keying November 2022
- If the Response Code high order two bits are zero one
(0b01xxxxxx), then there was an error in the part of the
request inside the key wrapping but the unwrap process
was successful. ReqPartLength is the length of the
request message material included in the Request Part
field. The included request material is from the
unwrapped vector of fields started with the Msg Type
byte.
- If the Response Code high order bit is one (the
0b1xxxxxxx is set), then there was an error parsing the
material outside the key wrap or an error in the
unwrapping process. ReqPartLength is the length of the
request message part included in the Request Part field.
The included part of the request starts with the first
byte of the message (the byte containing the version,
response flag, and KeyID1 Length). The key wrapped
material in the response message will still be wrapped.
3.3.1 Response Codes
The high order two bits of the Response Code have meaning as shown in
Table 3.1.
Top 2 Bits Category
---------- ----------
0b00 Success
0b01 key wrap contents
0b10/11 Outside of key wrap contents
Figure 3.1 Categories of Response Codes
Response Response
Decimal Hex Meaning
-------- -------- ----------
0 0x00 Success
1 0x01 Success and the key at an existing key ID was
changed
2-47 0x02-0x2F Unassigned
48-63 0x30-0x3F Reserved for special success codes defined in
use profiles
64 0x40 Malformed inner fields (see Note 2 below)
65 0x41 Unknown or zero Msg Type in a request
66 0x42 Zero Msg ID in a request
68 0x43 Invalid length KeyID2
69 0x44 Unknown KeyID2
70 0x45 Invalid length CypherSuite
71 0x46 Unknown CyperSuite
D. Eastlake & D. Zhang Expires May 2023 [Page 15]
�
INTERNET-DRAFT Simple Group Keying November 2022
72 0x47 Bad Key (see Note 3 below)
73-111 0x49-0x6F Unassigned
112-127 0x70-0x7F Reserved for error codes defined in use
profiles and related to the key wrapped
contents
128 0x80 Malformed message (see Note 1 below)
129 0x81 Invalid length KeyID1
130 0x82 Unknown KeyID1
131 0x83 Unknown Use Type
131 0x84 Key unwrap fails test for constant (e.g., AES
test 1, see Section 3 [RFC5649]).
132 0x85 Key unwrap fails message length versus
wrapped size test (e.g., AES test 2,
see Section 3 [RFC5649]).
133 0x86 Key unwrap fails test for value of padding
(e.g., AES test3, see Section 3
[RFC5649]).
134-175 0x86-0x7F Unassigned
176-191 0xB0-0xBF Reserved for error codes defined in use
profiles and related to parts of
message outside the key wrap contents
192 0xC0 No keys set
193 0xC1 Referenced key unknown
194 0xC2 Referenced key known but use flag not set
195-255 0xC3-0xFF Reserved
Response Code Notes:
Note 1 Message is too short or too long, key wrapped material is too
short, Padding bytes are not the required value, or similar
fundamental message format problems.
Note 2 The key wrapped inner vector of fields is too short or too
long, Padding bytes are not the required value, or similar
fundamental vector of fields format problems.
Note 3 Key is not a valid length for CypherSuite or other internal
checks on key (for example, parity bits in a 64 bit DES key
(not that you should be using DES)) fail when they should be
correct.
Figure 3.2 Response Codes
3.4 No-Op Message
The No-Op message is a dummy message intended for use in disguising
metadata deducible from keying message transmissions. It requires no
D. Eastlake & D. Zhang Expires May 2023 [Page 16]
�
INTERNET-DRAFT Simple Group Keying November 2022
response although a recipient can always decide to send a No-Op
message to a station from which it has received such a message. The
vector of fields inside the key wrap is as follows:
+-+-+-+-+-+-+-+-+
| Msg Type = 6 | 1 byte
+-+-+-+-+-+-+-+-+
| Pad2 Length | 1 bytes
+-+-+-+-+-+-+-+-+...
| Padding Pad2 Length bytes
+-+-+-+-+-+-+-+-...
Figure 3.5. No-Op Message Inner Structure
The Msg Type is set to 6 to indicate a No-Op message.
Pad2 Length and Padding are as specified in Section 3.1. It is
RECOMMENDED that Pad2 Length in a No-Op message be such as to make
its length the same as the length of a typical Set Key message.
D. Eastlake & D. Zhang Expires May 2023 [Page 17]
�
INTERNET-DRAFT Simple Group Keying November 2022
4. Security Considerations
This section gives some general security considerations of this group
keying protocol as distinguished from security considerations of a
particular use profile.
The method by which the stations in the group discover each other is
specified in the group keying use profile. GKd controls group access
and generally learns whatever it needs to know about GKs during the
pairwise authentication and pairwise keying process.
The group keying provided by this protocol is shared secret keying.
This means that data messages can only be authenticated as coming
from some group member but not as coming from a specific group
member. If this level of authentication is insufficient, GKd can
simply not set keys or not set them as usable. This will force all
stations in the group that are configured to use security for multi-
destination transmissions to the group to serially unicast data to
the other group members using pairwise keying.
The content value of padding fields in the Group Keying protocol is
fixed so that it cannot be used as a covert channel. It might still
be possible to use the length of padding as a covert channel.
D. Eastlake & D. Zhang Expires May 2023 [Page 18]
�
INTERNET-DRAFT Simple Group Keying November 2022
5. IANA Considerations
IANA is requested to perform the following actions:
1. Establish a protocol parameters web page for "Group Keying
Protocol Parameters" with the initial registries on that page
as specified below in this section.
2. Establish a "Message Type" registry on the Group Keying
Protocol Parameters page as follows:
Name: Message Types
Registration Procedure: IETF Review
Reference: [this document]
Type Description Reference
------- ----------- ---------------
0 Reserved [This document]
1 Set Key [This document]
2 Use Key [This document]
3 Delete Key [This document]
4 Disuse Key [This document]
5 Deleted Key [This document]
6 No-Op [This document]
7-250 Unassigned
251-254 Private Use [This document]
255 Reserved [This document]
3. Establish a "Group Keying Use Profile" registry on the Group
Keying Protocol Parameters page as follows:
Name: Group Keying Use Profiles
Registration Procedure: IETF Review
Reference: [This document]
Profile Description Reference(s)
--------- ----------- ------------
0 Reserved [This document]
1 Extended RBridge Channel [SGKPuses]
2 TRILL over IP [SGKPuses]
3-250 Unassigned
251-254 Private Use [This document]
255 Reserved [This document]
4. Establish a "Key Wrap Algorithm" registry on the Group Keying
Protocol Parameters page as follows:
D. Eastlake & D. Zhang Expires May 2023 [Page 19]
�
INTERNET-DRAFT Simple Group Keying November 2022
Name: Key Wrap Algorithms
Registration Procedure: IETF Review
Reference: [This document]
Code Algorithm References
----- ----------- ------------
0 - Reserved
1 AES [This document][RFC5649]
2 ChaCha [This document][ChaChaKW]
3-16 - Reserved
5. Establish a "Response Code" registry on the Group Keying
Protocol Parameters page as show below taking entries from the
Response Code table in Section 3.3.1 above. In the table of
values, the Reference column should be "[This document]" except
where the Meaning is "Unassigned" or "Reserved".
Name: Response Codes
Registration Procedure: IETF Review
Reference: [This document]
Note: The top two bits of the Response Code indicate a category
as specified in Section 3.3.1 of [this document].
Response Response
Decimal Hex Meaning Reference
-------- --------- ----------- ---------
0 0x00 Success [this document]
... ... ...
255 0xFF Reserved
D. Eastlake & D. Zhang Expires May 2023 [Page 20]
�
INTERNET-DRAFT Simple Group Keying November 2022
Normative References
[RFC2119] - Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119,
March 1997, <https://www.rfc-editor.org/info/rfc2119>.
[RFC5649] - Housley, R. and M. Dworkin, "Advanced Encryption Standard
(AES) Key Wrap with Padding Algorithm", RFC 5649, DOI
10.17487/RFC5649, September 2009,
<https://www.rfc-editor.org/info/rfc5649>.
[RFC6325] - Perlman, R., Eastlake 3rd, D., Dutt, D., Gai, S., and A.
Ghanwani, "Routing Bridges (RBridges): Base Protocol
Specification", RFC 6325, DOI 10.17487/RFC6325, July 2011,
<https://www.rfc-editor.org/info/rfc6325>.
[RFC7176] - Eastlake 3rd, D., Senevirathne, T., Ghanwani, A., Dutt,
D., and A. Banerjee, "Transparent Interconnection of Lots of
Links (TRILL) Use of IS-IS", RFC 7176, May 2014,
<https://www.rfc-editor.org/info/rfc7176>.
[RFC7780] - Eastlake 3rd, D., Zhang, M., Perlman, R., Banerjee, A.,
Ghanwani, A., and S. Gupta, "Transparent Interconnection of
Lots of Links (TRILL): Clarifications, Corrections, and
Updates", RFC 7780, DOI 10.17487/RFC7780, February 2016,
<https://www.rfc-editor.org/info/rfc7780>.
[RFC8174] - Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May
2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC9147] - Rescorla, E., Tschofenig, H., and N. Modadugu, "The
Datagram Transport Layer Security (DTLS) Protocol Version 1.3",
RFC 9147, DOI 10.17487/RFC9147, April 2022, <https://www.rfc-
editor.org/info/rfc9147>.
[SGKPuses] - D. Eastlake, D. Zhang, "Simple Group Keying Protocol
TRILL Use Profiles", draft-ietf-trill-link-gk-profiles, work in
progress.
[ChaChaKW] - D. Eastlake, "CHA CHA 20 Key Wrap with Padding
Algorithm", draft-eastlake-chacha20-key-wrap, work in progress.
Informative References
None.
D. Eastlake & D. Zhang Expires May 2023 [Page 21]
�
INTERNET-DRAFT Simple Group Keying November 2022
Acknowledgements
The contributions of the following are hereby gratefully
acknowledged:
TBD
D. Eastlake & D. Zhang Expires May 2023 [Page 22]
�
INTERNET-DRAFT Simple Group Keying November 2022
Authors' Addresses
Donald E. Eastlake, 3rd
Futurewei Technologies
2386 Panoramic Circle
Apopka, FL 32703 USA
Phone: +1-508-333-2270
EMail: d3e3e3@gmail.com
Dacheng Zhang
Huawei Technologies
Email: dacheng.zhang@huawei.com
D. Eastlake & D. Zhang Expires May 2023 [Page 23]
�
