Hi,

this version addresses discussion we had at IETF 113. In particular:

1. Explicit PSK authentication is removed.
2. USE_TRANSPORT_MODE notification is used as in IKEv2 (which implies a restriction that all IPsec SAs in a GSA must use the same mode).
3. Using ESN is now MUST NOT, but it is a MUST for the GCKS to rekey frequently enough to prevent SN overlap.
4. Using replay protection is clarified. This is probably the most important change, since the semantics of the "Extended Sequence Numbers" transform is enhanced, which leads to its renaming to the "Replay Protection" transform, and thus we formally update RFC 7296 (although only by renaming an IANA registry). See new section 2.6.
5. UDP encapsulation of ESP is prohibited for multicast Data-Security SAs.
6. Default Activation Time Delay and Deactivation Time Delay are set to 0 (no delay; this wasn't specified before).
7. Using tunnel and transport mode is clarified.
8. Clarified that using port 848 in the IKE_SA_INIT exchange doesn't change behavior compared to port 500 (in particular, in both cases switch to 4500 in case of NAT).
9. Multiple text improvements.

Please review.

Regards,
Valery.

> A New Internet-Draft is available from the on-line Internet-Drafts 
> directories.
> This draft is a work item of the IP Security Maintenance and Extensions WG of 
> the IETF.
> 
>         Title           : Group Key Management using IKEv2
>         Authors         : Valery Smyslov
>                           Brian Weis
>         Filename        : draft-ietf-ipsecme-g-ikev2-06.txt
>         Pages           : 68
>         Date            : 2022-04-06
> 
> Abstract:
>    This document presents an extension to the Internet Key Exchange
>    version 2 (IKEv2) protocol for the purpose of a group key management.
>    The protocol is in conformance with the Multicast Security (MSEC) key
>    management architecture, which contains two components: member
>    registration and group rekeying.  Both components require a Group
>    Controller/Key Server to download IPsec group security associations
>    to authorized members of a group.  The group members then exchange IP
>    multicast or other group traffic as IPsec packets.  This document
>    obsoletes RFC 6407.  This document also updates RFC 7296 by renaming
>    one of the transform types defined there.
> 
> 
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-ipsecme-g-ikev2/
> 
> There is also an htmlized version available at:
> https://datatracker.ietf.org/doc/html/draft-ietf-ipsecme-g-ikev2-06
> 
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-ipsecme-g-ikev2-06
> 
> 
> Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts
> 
> 
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec