5.2. Security Association Payload

The Security Association payload is defined in RFC 2408. For GDOI, it is used by the GCKS to assert security attributes for both the Re-key SA and Data-security SAs.

Key Fields

  • DOI (4 octets): The GDOI value is 2
  • Situation (4 octets): Must be zero
  • SA Attribute Next Payload (1 octet): Must be either a SAK Payload or a SAT Payload

5.2.1. Payloads Following the SA Payload

Payloads that define specific security association attributes for the KEK and/or TEKs used by the group MUST follow the SA payload. The number of each payload depends on group policy:

  • Zero or one SAK Payloads: For KEK (Key Encrypting Key) policy
  • Zero or more SAT Payloads: For TEK (Traffic Encrypting Key) policy
  • At least one SAK or SAT payload MUST be present

This flexibility allows various group policies:

  • Groups without a Re-key SA can omit the SA KEK attributes
  • Multiple SATs enable multiple sessions within the same group
  • Different streams (e.g., video, audio, text) can have individual security policies
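The rules above, as an added Python validator that is not part of the original text or of any GDOI implementation: it parses the SA payload header, checks the DOI, Situation and SA Attribute Next Payload fields, then walks the SAK/SAT chain and enforces the counts from 5.2.1, rejecting lengths that would read out of bounds. It assumes the RFC 2408 generic payload header (next payload, reserved, length), three reserved octets after SA Attribute Next Payload, and the GDOI payload-type numbers SAK = 15 and SAT = 16 from RFC 3547, none of which this page states.

```python
import struct
GDOI_DOI = 2
# GDOI payload-type numbers (RFC 3547 registry, not stated on this page): NONE ends a chain.
PT_NONE, PT_SAK, PT_SAT = 0, 15, 16
# SA payload: RFC 2408 generic header (next, reserved, length), DOI, Situation,
# SA Attribute Next Payload, then an assumed 3 reserved octets.
SA_HDR = struct.Struct("!BBHIIB3x")
GEN_HDR = struct.Struct("!BBH")  # generic header of each following SAK/SAT payload

def validate_gdoi_sa(buf: bytes) -> list[str]:
    """Return rule violations for an SA payload plus its SAK/SAT chain ([] means valid)."""
    if len(buf) < SA_HDR.size:
        return ["SA payload truncated"]
    errors = []
    _next, _rsvd, _length, doi, situation, attr_next = SA_HDR.unpack_from(buf, 0)
    if doi != GDOI_DOI:
        errors.append(f"DOI must be 2, got {doi}")
    if situation != 0:
        errors.append(f"Situation must be zero, got {situation}")
    if attr_next not in (PT_SAK, PT_SAT):
        errors.append(f"SA Attribute Next Payload must be SAK or SAT, got {attr_next}")
    # Walk the chain: each payload's generic header names the type of the one after it.
    off, ptype, saks, sats = SA_HDR.size, attr_next, 0, 0
    while ptype != PT_NONE:
        if off + GEN_HDR.size > len(buf):
            errors.append(f"payload header at offset {off} runs past end of buffer")
            break
        nxt, _rsvd, plen = GEN_HDR.unpack_from(buf, off)
        if plen < GEN_HDR.size or off + plen > len(buf):  # never let a length read out of bounds
            errors.append(f"bad payload length {plen} at offset {off}")
            break
        if ptype not in (PT_SAK, PT_SAT):
            errors.append(f"unexpected payload type {ptype} in SA attribute chain")
        saks += ptype == PT_SAK
        sats += ptype == PT_SAT
        off, ptype = off + plen, nxt
    if saks > 1:
        errors.append(f"zero or one SAK payload allowed, got {saks}")
    if saks + sats == 0:
        errors.append("at least one SAK or SAT payload MUST be present")
    return errors

def sa_header(attr_next, doi=GDOI_DOI, situation=0):
    return SA_HDR.pack(PT_NONE, 0, SA_HDR.size, doi, situation, attr_next)
def attr_payload(next_type, body=b"\x00" * 8):  # opaque constructed SAK/SAT body
    return GEN_HDR.pack(next_type, 0, GEN_HDR.size + len(body)) + body
# Constructed samples, not captured traffic: one KEK plus one TEK, two KEKs, no attributes, cut short.
SAMPLE_OK = sa_header(PT_SAK) + attr_payload(PT_SAT) + attr_payload(PT_NONE)
SAMPLE_TWO_SAKS = sa_header(PT_SAK) + attr_payload(PT_SAK) + attr_payload(PT_NONE)
SAMPLE_NO_ATTRS = sa_header(PT_NONE)
SAMPLE_TRUNCATED = sa_header(PT_SAT) + attr_payload(PT_NONE)[:6]
```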