Skip to main content

RFC 3547 - 群组解释域 (The Group Domain of Interpretation)

发布日期: 2003年7月
状态: 标准跟踪协议 (Standards Track)
作者: M. Baugher, B. Weis (Cisco Systems), T. Hardjono (Verisign), H. Harney (Sparta)

摘要 (Abstract)

本文档介绍了一种用于群组密钥管理的ISAKMP解释域 (ISAKMP Domain of Interpretation, DOI),以支持安全群组通信。GDOI管理群组安全关联 (Security Associations),这些安全关联由运行在IP层或应用层的IPsec及其他潜在的数据安全协议使用。这些安全关联保护一个或多个密钥加密密钥 (Key-Encrypting Keys)、流量加密密钥 (Traffic-Encrypting Keys) 或群组成员共享的数据。

目录 (Contents)

  • 1. Introduction (简介)
    • 1.1. GDOI Applications (GDOI应用)
    • 1.2. Extending GDOI (扩展GDOI)
  • 2. GDOI Phase 1 Protocol (GDOI第1阶段协议)
    • 2.1. ISAKMP Phase 1 Protocol (ISAKMP第1阶段协议)
      • 2.1.1. DOI Value (DOI值)
      • 2.1.2. UDP Port (UDP端口)
  • 3. GROUPKEY-PULL Exchange (GROUPKEY-PULL交换)
    • 3.1. Authorization (授权)
    • 3.2. Messages (消息)
      • 3.2.1. Perfect Forward Secrecy (完美前向保密性)
      • 3.2.2. ISAKMP Header Initialization (ISAKMP头初始化)
    • 3.3. Initiator Operations (发起方操作)
    • 3.4. Receiver Operations (接收方操作)
  • 4. GROUPKEY-PUSH Message (GROUPKEY-PUSH消息)
    • 4.1. Perfect Forward Secrecy (PFS) (完美前向保密性)
    • 4.2. Forward and Backward Access Control (前向和后向访问控制)
      • 4.2.1. Forward Access Control Requirements (前向访问控制要求)
    • 4.3. Delegation of Key Management (密钥管理的委托)
    • 4.4. Use of Signature Keys (签名密钥的使用)
    • 4.5. ISAKMP Header Initialization (ISAKMP头初始化)
    • 4.6. Deletion of SAs (SA的删除)
    • 4.7. GCKS Operations (GCKS操作)
    • 4.8. Group Member Operations (群组成员操作)
  • 5. Payloads and Defined Values (有效载荷和定义值)
    • 5.1. Identification Payload (身份识别载荷)
      • 5.1.1. Identification Type Values (身份识别类型值)
    • 5.2. Security Association Payload (安全关联载荷)
      • 5.2.1. Payloads Following the SA Payload (SA载荷之后的载荷)
    • 5.3. SA KEK Payload (SA KEK载荷)
      • 5.3.1. KEK Attributes (KEK属性)
      • 5.3.2. KEK_MANAGEMENT_ALGORITHM
      • 5.3.3. KEK_ALGORITHM
      • 5.3.4. KEK_KEY_LENGTH
      • 5.3.5. KEK_KEY_LIFETIME
      • 5.3.6. SIG_HASH_ALGORITHM
      • 5.3.7. SIG_ALGORITHM
      • 5.3.8. SIG_KEY_LENGTH
      • 5.3.9. KE_OAKLEY_GROUP
    • 5.4. SA TEK Payload (SA TEK载荷)
      • 5.4.1. PROTO_IPSEC_ESP
      • 5.4.2. Other Security Protocols (其他安全协议)
    • 5.5. Key Download Payload (密钥下载载荷)
      • 5.5.1. TEK Download Type (TEK下载类型)
      • 5.5.2. KEK Download Type (KEK下载类型)
      • 5.5.3. LKH Download Type (LKH下载类型)
    • 5.6. Sequence Number Payload (序列号载荷)
    • 5.7. Proof of Possession (拥有证明)
    • 5.8. Nonce (随机数)
  • 6. Security Considerations (安全考虑)
    • 6.1. ISAKMP Phase 1 (ISAKMP第1阶段)
      • 6.1.1. Authentication (认证)
      • 6.1.2. Confidentiality (保密性)
      • 6.1.3. Man-in-the-Middle Attack Protection (中间人攻击保护)
      • 6.1.4. Replay/Reflection Attack Protection (重放/反射攻击保护)
      • 6.1.5. Denial of Service Protection (拒绝服务保护)
    • 6.2. GROUPKEY-PULL Exchange (GROUPKEY-PULL交换)
      • 6.2.1. Authentication (认证)
      • 6.2.2. Confidentiality (保密性)
      • 6.2.3. Man-in-the-Middle Attack Protection (中间人攻击保护)
      • 6.2.4. Replay/Reflection Attack Protection (重放/反射攻击保护)
      • 6.2.5. Denial of Service Protection (拒绝服务保护)
      • 6.2.6. Authorization (授权)
    • 6.3. GROUPKEY-PUSH Exchange (GROUPKEY-PUSH交换)
      • 6.3.1. Authentication (认证)
      • 6.3.2. Confidentiality (保密性)
      • 6.3.3. Man-in-the-Middle Attack Protection (中间人攻击保护)
      • 6.3.4. Replay/Reflection Attack Protection (重放/反射攻击保护)
      • 6.3.5. Denial of Service Protection (拒绝服务保护)
      • 6.3.6. Forward Access Control (前向访问控制)
  • 7. IANA Considerations (IANA注意事项)
    • 7.1. ISAKMP DOI
    • 7.2. Payload Types (载荷类型)
    • 7.3. New Name Spaces (新命名空间)
    • 7.4. UDP Port (UDP端口)
  • 8. Intellectual Property Rights Statement (知识产权声明)
  • 9. Acknowledgements (致谢)
  • 10. References (参考文献)
    • 10.1. Normative References (规范性参考文献)
    • 10.2. Informative References (信息性参考文献)

附录 (Appendices)

Last updated on