RFC 3547 - The Group Domain of Interpretation
Publication Date: July 2003
Status: Standards Track
Authors: M. Baugher, B. Weis (Cisco Systems), T. Hardjono (Verisign), H. Harney (Sparta)
Abstract
This document presents an ISAKMP Domain of Interpretation (DOI) for group key management to support secure group communications. The GDOI manages group security associations, which are used by IPsec and potentially other data security protocols running at the IP or application layers. These security associations protect one or more key-encrypting keys, traffic-encrypting keys, or data shared by group members.
Table of Contents
- 1. Introduction
- 1.1. GDOI Applications
- 1.2. Extending GDOI
- 2. GDOI Phase 1 Protocol
- 2.1. ISAKMP Phase 1 Protocol
- 2.1.1. DOI Value
- 2.1.2. UDP Port
- 3. GROUPKEY-PULL Exchange
- 3.1. Authorization
- 3.2. Messages
- 3.2.1. Perfect Forward Secrecy (PFS)
- 3.2.2. ISAKMP Header Initialization
- 3.3. Initiator Operations
- 3.4. Receiver Operations
- 4. GROUPKEY-PUSH Message
- 4.1. Perfect Forward Secrecy (PFS)
- 4.2. Forward and Backward Access Control
- 4.2.1. Forward Access Control Requirements
- 4.3. Delegation of Key Management
- 4.4. Use of Signature Keys
- 4.5. ISAKMP Header Initialization
- 4.6. Deletion of SAs
- 4.7. GCKS Operations
- 4.8. Group Member Operations
- 5. Payloads and Defined Values
- 6. Security Considerations
- 6.1. ISAKMP Phase 1
- 6.2. GROUPKEY-PULL Exchange
- 6.3. GROUPKEY-PUSH Exchange
- 7. IANA Considerations
- 8. Intellectual Property Rights Statement
- 9. Acknowledgements
- 10. References
- 10.1. Normative References
- 10.2. Informative References
Appendices
- Appendix A: Alternate GDOI Phase 1 Protocols
- A.1. IKEv2 Phase 1 Protocol
- A.2. KINK Protocol
Related Resources
- Official Text: RFC 3547 (TXT)
- Official Page: RFC 3547 DataTracker
- Errata: RFC Editor Errata