
5.2. Security Association Payload

The Security Association payload is defined in RFC 2408. For GDOI, it is used by the GCKS (Group Controller/Key Server) to assert security attributes for both the Re-key SA and the Data-security SAs.

Key Fields

  • DOI (4 octets): The GDOI value is 2
  • Situation (4 octets): Must be zero
  • SA Attribute Next Payload (1 octet): Must be either a SAK Payload or a SAT Payload

5.2.1. Payloads Following the SA Payload

Payloads that define specific security association attributes for the KEK and/or TEKs used by the group MUST follow the SA payload. The number of each payload depends on group policy:

  • Zero or one SAK Payloads: For KEK (Key Encrypting Key) policy
  • Zero or more SAT Payloads: For TEK (Traffic Encrypting Key) policy
  • At least one SAK or SAT payload MUST be present

This flexibility allows various group policies:

  • Groups without a Re-key SA can omit the SA KEK attributes (no SAK payload)
  • Multiple SATs enable multiple sessions within the same group
  • Different streams (e.g., video, audio, text) can have individual security policies
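The following is an added example, not code from the original page or from any GDOI implementation. It shows how a group member would check the rules from 5.2 and 5.2.1 when it receives an SA payload from the GCKS: DOI must be 2, Situation must be zero, the SA Attribute Next Payload must name a SAK or SAT, at most one SAK and any number of SATs may follow, and at least one of them must be present. The page gives only the three key fields; the byte layout (a 4-octet ISAKMP generic header, then DOI, Situation, the 1-octet SA Attribute Next Payload and a 2-octet reserved field, with the SAK/SAT chain immediately following), the payload-type numbers 15 (SAK) and 16 (SAT), and the `build_gdoi_sa` helper used to construct test vectors are assumptions made for this example.

```python
"""Parse and validate a GDOI Security Association payload and the SAK/SAT
payloads that follow it, enforcing the rules of Sections 5.2 and 5.2.1."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional

GDOI_DOI = 2          # from the page: the GDOI DOI value is 2
GDOI_SITUATION = 0    # from the page: Situation must be zero

# ASSUMPTION: payload-type numbers for the attribute chain, taken from the
# GDOI payload-type table as the author recalls it; they are not on the page.
PAYLOAD_NONE = 0
PAYLOAD_SAK = 15      # SA KEK payload (Re-key SA policy)
PAYLOAD_SAT = 16      # SA TEK payload (Data-security SA policy)

ISAKMP_HDR = struct.Struct("!BBH")   # Next Payload, RESERVED, Payload Length (RFC 2408)
# ASSUMPTION: GDOI-specific part is DOI(4) Situation(4) SA Attr Next(1) RESERVED2(2)
GDOI_SA_BODY = struct.Struct("!IIBH")
SA_HEADER_LEN = ISAKMP_HDR.size + GDOI_SA_BODY.size   # 15 octets


class GdoiSaError(ValueError):
    """Framing or policy violation in the SA payload or its attribute chain."""


@dataclass
class GdoiSa:
    next_payload: int                 # Next Payload field of the SA payload itself
    sak: Optional[bytes] = None       # body of the single SAK payload, if present
    sats: List[bytes] = field(default_factory=list)   # SAT bodies, in wire order
    following: int = PAYLOAD_NONE     # payload type after the SAK/SAT chain (0 = none)
    consumed: int = 0                 # octets of the buffer covered by SA + chain


def _read_generic_header(buf: bytes, off: int):
    """Read one ISAKMP generic header, rejecting bad reserved bits and lengths."""
    if len(buf) - off < ISAKMP_HDR.size:
        raise GdoiSaError(f"truncated payload header at offset {off}")
    nxt, reserved, length = ISAKMP_HDR.unpack_from(buf, off)
    if reserved != 0:
        raise GdoiSaError(f"RESERVED octet must be zero at offset {off}")
    if length < ISAKMP_HDR.size or off + length > len(buf):
        raise GdoiSaError(f"bad payload length {length} at offset {off}")
    return nxt, length


def parse_gdoi_sa(buf: bytes) -> GdoiSa:
    """Validate the SA payload (5.2) and the SAK/SAT payloads after it (5.2.1)."""
    next_payload, sa_len = _read_generic_header(buf, 0)
    if sa_len != SA_HEADER_LEN:
        raise GdoiSaError(f"SA payload length {sa_len}, expected {SA_HEADER_LEN}")
    doi, situation, attr_next, reserved2 = GDOI_SA_BODY.unpack_from(buf, ISAKMP_HDR.size)
    if doi != GDOI_DOI:
        raise GdoiSaError(f"DOI {doi} is not GDOI ({GDOI_DOI})")
    if situation != GDOI_SITUATION:
        raise GdoiSaError(f"Situation must be zero, got {situation}")
    if reserved2 != 0:
        raise GdoiSaError("RESERVED2 must be zero")
    # The first attribute payload must be a SAK or SAT; this is also what
    # guarantees that at least one of them is present (5.2.1).
    if attr_next not in (PAYLOAD_SAK, PAYLOAD_SAT):
        raise GdoiSaError(f"SA Attribute Next Payload {attr_next} is neither SAK nor SAT")

    result = GdoiSa(next_payload=next_payload)
    off, ptype = sa_len, attr_next
    while ptype in (PAYLOAD_SAK, PAYLOAD_SAT):
        nxt, length = _read_generic_header(buf, off)
        body = bytes(buf[off + ISAKMP_HDR.size:off + length])
        if ptype == PAYLOAD_SAK:
            if result.sak is not None:
                raise GdoiSaError("more than one SAK payload (zero or one allowed)")
            result.sak = body
        else:
            result.sats.append(body)      # zero or more SATs, one per TEK policy
        off, ptype = off + length, nxt
    if result.sak is None and not result.sats:
        raise GdoiSaError("at least one SAK or SAT payload must follow the SA payload")
    result.following, result.consumed = ptype, off
    return result


def build_gdoi_sa(sak: Optional[bytes], sats: List[bytes],
                  next_payload: int = PAYLOAD_NONE) -> bytes:
    """Encode the inverse of parse_gdoi_sa; used here only to construct test data."""
    chain = ([(PAYLOAD_SAK, sak)] if sak is not None else []) + \
            [(PAYLOAD_SAT, s) for s in sats]
    if not chain:
        raise GdoiSaError("group policy needs at least one SAK or SAT")
    out = bytearray(ISAKMP_HDR.pack(next_payload, 0, SA_HEADER_LEN))
    out += GDOI_SA_BODY.pack(GDOI_DOI, GDOI_SITUATION, chain[0][0], 0)
    for i, (_ptype, body) in enumerate(chain):
        nxt = chain[i + 1][0] if i + 1 < len(chain) else PAYLOAD_NONE
        out += ISAKMP_HDR.pack(nxt, 0, ISAKMP_HDR.size + len(body))
        out += body
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample: one KEK policy plus two TEK policies (e.g. audio and video)
    msg = build_gdoi_sa(sak=b"KEKPOL", sats=[b"TEK-audio", b"TEK-video"])
    sa = parse_gdoi_sa(msg)
    print(sa.sak, sa.sats, sa.consumed)
```

The bodies of the SAK and SAT payloads are treated as opaque here; the point is the framing and the cardinality rules, which are what a receiver should reject on before it interprets any key policy.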