Re: [IPsec] I-D Action: draft-ietf-ipsecme-g-ikev2-01.txt

2020-07-13 Thread Valery Smyslov
Hi,

The -01 version of the G-IKEv2 protocol has a lot of changes compared to -00.
After some discussion among the authors, the draft has received
some conceptual changes.

1. The protocol is now considered more like an IKEv2 extension
   (although a complex one) than like a new protocol based on the IKEv2 wire
   format. So it is made closer to IKEv2 by re-using as many IKEv2 structures
   as possible. This approach required the introduction of new IKEv2
   transforms to be able to follow the IKEv2 approach of defining SA parameters.
   The protocol now re-uses the IKEv2 IANA registry instead of defining its own.
2. Based on this approach, the wire format is simplified and unified.
   It is no longer compatible with previous versions of the draft;
   however, the changes are made in such a way that it is always possible to
   distinguish between old and new formats.
3. The way SA keys are distributed is changed so that all keys are
   always transferred in encrypted form (even inside the SA).
   The key distribution is performed in such a way that for the GM
   the algorithm of obtaining the keys doesn't change when
   the GCKS implements more complex group key management
   schemes, like LKH.

A lot of clarifications were added to eliminate possible ambiguities.

We solicit reviews of the new version and discussions of these changes.

Regards,
Valery (for the authors).


> A New Internet-Draft is available from the on-line Internet-Drafts 
> directories.
> This draft is a work item of the IP Security Maintenance and Extensions WG of 
> the IETF.
> 
> Title    : Group Key Management using IKEv2
> Authors  : Valery Smyslov
>            Brian Weis
> Filename : draft-ietf-ipsecme-g-ikev2-01.txt
> Pages    : 59
> Date     : 2020-07-12
> 
> Abstract:
>    This document presents an extension to the Internet Key Exchange
>    version 2 (IKEv2) protocol for the purpose of group key management.
>    The protocol is in conformance with the Multicast Security (MSEC) key
>    management architecture, which contains two components: member
>    registration and group rekeying.  Both components require a Group
>    Controller/Key Server to download IPsec group security associations
>    to authorized members of a group.  The group members then exchange IP
>    multicast or other group traffic as IPsec packets.  This document
>    obsoletes RFC 6407.
> 
> 
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-ipsecme-g-ikev2/
> 
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-ipsecme-g-ikev2-01
> https://datatracker.ietf.org/doc/html/draft-ietf-ipsecme-g-ikev2-01
> 
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-ipsecme-g-ikev2-01
> 
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
> 
> 
> ___
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec

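The third change in the post above (keys always delivered wrapped, with the GM's procedure unchanged whether the GCKS hands out a flat KEK or runs an LKH tree) can be shown with a small model. The following is an added example, not code from the draft or from its authors: the toy wrap cipher, the (node, generation) key identifiers and the Gcks/Gm class names are assumptions of this example, and G-IKEv2 itself uses the negotiated IKEv2 encryption transform and its own key identifiers. The point it demonstrates is that the member side is a single "unwrap what you can, repeat until nothing new" loop in both cases.

```python
"""Toy model of flat-KEK vs. LKH group key delivery with one common GM procedure.
Added example; not the draft's wire format or algorithms (see lead-in)."""
import hashlib
import hmac
import os
from typing import NamedTuple


def toy_wrap(kek: bytes, key_id, plaintext: bytes) -> bytes:
    """Constructed toy key wrap: XOR with an HMAC keystream bound to the key id.
    NOT what G-IKEv2 uses; it only keeps this example dependency-free."""
    stream = hmac.new(kek, repr(key_id).encode(), hashlib.sha256).digest()
    return bytes(p ^ s for p, s in zip(plaintext, stream))


toy_unwrap = toy_wrap  # XOR keystream: wrap and unwrap are the same operation


class RekeyEntry(NamedTuple):
    key_id: tuple      # key being delivered, e.g. ("0", 1) or ("TEK", 3)
    wrapped_by: tuple  # id of the key the receiver must already hold
    blob: bytes        # toy_wrap(holder_key, key_id, new_key)


class Gcks:
    """Group Controller/Key Server with an LKH binary tree of the given depth.
    Node ids are bit strings: "" is the root, "0"/"1" its children; leaves are GMs."""

    def __init__(self, depth: int):
        self.depth = depth
        self.gen = {}   # node -> current generation number
        self.keys = {}  # (node, generation) -> key bytes
        for level in range(depth + 1):
            for i in range(2 ** level):
                node = format(i, f"0{level}b") if level else ""
                self.gen[node] = 0
                self.keys[(node, 0)] = os.urandom(16)
        self.tek_gen, self.tek = 0, os.urandom(16)

    def current(self, node: str) -> tuple:
        return (node, self.gen[node])

    def leaf_ids(self):
        return [format(i, f"0{self.depth}b") for i in range(2 ** self.depth)]

    @staticmethod
    def path(leaf: str):
        """Node ids from the leaf up to the root, inclusive."""
        return [leaf[:i] for i in range(len(leaf), -1, -1)]

    def register(self, leaf: str):
        """Registration: the GM receives every key on its path plus the current TEK."""
        keys = {self.current(n): self.keys[self.current(n)] for n in self.path(leaf)}
        return keys, ("TEK", self.tek_gen), self.tek

    def rekey_after_leave(self, leaving: str):
        """Evict a member: replace each key on its path above the leaf, then the TEK.
        Every new key is wrapped only under keys of the children that remain."""
        entries = []
        for node in self.path(leaving)[1:]:
            self.gen[node] += 1
            new_id = self.current(node)
            self.keys[new_id] = os.urandom(16)
            for child in (node + "0", node + "1"):
                if child == leaving:
                    continue
                cid = self.current(child)
                entries.append(RekeyEntry(new_id, cid, toy_wrap(self.keys[cid], new_id, self.keys[new_id])))
        self.tek_gen, self.tek = self.tek_gen + 1, os.urandom(16)
        root, tek_id = self.current(""), ("TEK", self.tek_gen + 0)
        entries.append(RekeyEntry(tek_id, root, toy_wrap(self.keys[root], tek_id, self.tek)))
        return entries


class Gm:
    """Group member; process_rekey() is the same whether the GCKS is flat or a tree."""

    def __init__(self, keys, tek_id, tek):
        self.keys, self.tek_id, self.tek = dict(keys), tek_id, tek

    def process_rekey(self, entries):
        """Unwrap every entry whose wrapping key we hold; repeat until no progress.
        Returns the TEK id in use afterwards (unchanged if the new TEK was unreachable)."""
        pending, progress = list(entries), True
        while pending and progress:
            progress = False
            for e in list(pending):
                if e.wrapped_by not in self.keys:
                    continue
                value = toy_unwrap(self.keys[e.wrapped_by], e.key_id, e.blob)
                if e.key_id[0] == "TEK":
                    self.tek_id, self.tek = e.key_id, value
                else:
                    self.keys[e.key_id] = value
                pending.remove(e)
                progress = True
        return self.tek_id


def demo():
    """Four-member LKH tree, evict member "01"; then the same Gm code with a flat KEK."""
    gcks = Gcks(depth=2)
    members = {leaf: Gm(*gcks.register(leaf)) for leaf in gcks.leaf_ids()}
    entries = gcks.rekey_after_leave("01")
    tree = {leaf: (gm.process_rekey(entries), gm.tek == gcks.tek) for leaf, gm in members.items()}
    kek_id, kek, new_tek = ("KEK", 0), os.urandom(16), os.urandom(16)
    flat_gm = Gm({kek_id: kek}, ("TEK", 0), b"old-tek")
    flat_gm.process_rekey([RekeyEntry(("TEK", 1), kek_id, toy_wrap(kek, ("TEK", 1), new_tek))])
    return tree, flat_gm.tek == new_tek, len(entries)


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the three remaining members reaching the new TEK from four wrapped entries while the evicted member, holding only stale generations, can unwrap none of them; the flat-KEK case goes through the identical process_rekey() with a single entry. Key ids carry a generation so a member never unwraps a new key under a stale one, which is the reason the fixed-point loop can process entries in any order.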


[IPsec] I-D Action: draft-ietf-ipsecme-labeled-ipsec-03.txt

2020-07-13 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the IP Security Maintenance and Extensions WG of 
the IETF.

Title    : Labeled IPsec Traffic Selector support for IKEv2
Authors  : Paul Wouters
           Sahana Prasad
Filename : draft-ietf-ipsecme-labeled-ipsec-03.txt
Pages    : 8
Date     : 2020-07-13

Abstract:
   This document defines a new Traffic Selector (TS) Type for Internet
   Key Exchange version 2 to add support for negotiating Mandatory
   Access Control (MAC) security labels as a traffic selector of the
   Security Policy Database (SPD).  Security Labels for IPsec are also
   known as "Labeled IPsec".  The new TS type is TS_SECLABEL, which
   consists of a variable length opaque field specifying the security
   label.  This document updates the IKEv2 TS negotiation specified in
   RFC 7296 Section 2.9.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-ipsecme-labeled-ipsec/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-ipsecme-labeled-ipsec-03
https://datatracker.ietf.org/doc/html/draft-ietf-ipsecme-labeled-ipsec-03

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-ipsecme-labeled-ipsec-03


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


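The abstract above defines TS_SECLABEL as a Traffic Selector whose body is a variable-length opaque field. The following added example (not code from the draft or the announcement) encodes and strictly parses an IKEv2 Traffic Selector payload body per RFC 7296 Section 3.13, carrying the standard address-range selectors next to such an opaque-label selector. Assumptions of this example: the TS_SECLABEL type code value (10) and the single RESERVED octet following the type byte are not taken from this page, the sample label string is constructed, and only the TS substructures are handled, not the generic IKEv2 payload header around them. The parser checks every selector length against the bytes actually present, which is the check a practitioner wants in front of any variable-length field.

```python
"""Encode/parse an IKEv2 TS payload body with address ranges and an opaque label TS.
Added example; TS_SECLABEL code and layout are assumptions (see lead-in)."""
import ipaddress
import struct
from typing import List, NamedTuple, Union

TS_IPV4_ADDR_RANGE = 7   # RFC 7296
TS_IPV6_ADDR_RANGE = 8   # RFC 7296
TS_SECLABEL = 10         # assumed value for this example, not taken from this page


class AddrRange(NamedTuple):
    ts_type: int
    proto: int       # IP Protocol ID, 0 = any
    start_port: int
    end_port: int
    start: bytes     # packed starting address
    end: bytes       # packed ending address


class SecLabel(NamedTuple):
    label: bytes     # opaque security label, e.g. an SELinux context string


Selector = Union[AddrRange, SecLabel]


def addr_range(start: str, end: str, proto: int = 0, ports=(0, 65535)) -> AddrRange:
    s, e = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if s.version != e.version or int(s) > int(e):
        raise ValueError("bad address range")
    ts_type = TS_IPV4_ADDR_RANGE if s.version == 4 else TS_IPV6_ADDR_RANGE
    return AddrRange(ts_type, proto, ports[0], ports[1], s.packed, e.packed)


def encode_ts(ts: Selector) -> bytes:
    """TS substructure: Type (1) | IP Protocol ID, or RESERVED for labels (1) | Length (2) | body."""
    if isinstance(ts, SecLabel):
        return struct.pack("!BBH", TS_SECLABEL, 0, 4 + len(ts.label)) + ts.label
    body = struct.pack("!HH", ts.start_port, ts.end_port) + ts.start + ts.end
    return struct.pack("!BBH", ts.ts_type, ts.proto, 4 + len(body)) + body


def encode_ts_payload(selectors: List[Selector]) -> bytes:
    """Payload body: Number of TSs (1) | RESERVED (3) | substructures."""
    return struct.pack("!B3x", len(selectors)) + b"".join(encode_ts(s) for s in selectors)


def parse_ts_payload(data: bytes) -> List[Selector]:
    """Strict parser: a selector length pointing past the payload, an address range of
    the wrong size, an empty label, or trailing bytes all raise ValueError."""
    if len(data) < 4:
        raise ValueError("truncated TS payload")
    count, off, out = data[0], 4, []
    for _ in range(count):
        if len(data) - off < 4:
            raise ValueError("truncated TS substructure header")
        ts_type, second, length = struct.unpack_from("!BBH", data, off)
        if length < 4 or off + length > len(data):
            raise ValueError(f"bad selector length {length} at offset {off}")
        body = data[off + 4:off + length]
        if ts_type in (TS_IPV4_ADDR_RANGE, TS_IPV6_ADDR_RANGE):
            alen = 4 if ts_type == TS_IPV4_ADDR_RANGE else 16
            if len(body) != 4 + 2 * alen:
                raise ValueError("address-range selector has wrong length")
            sp, ep = struct.unpack_from("!HH", body)
            out.append(AddrRange(ts_type, second, sp, ep, body[4:4 + alen], body[4 + alen:]))
        elif ts_type == TS_SECLABEL:
            if not body:
                raise ValueError("empty security label")
            out.append(SecLabel(body))
        else:
            raise ValueError(f"unsupported TS type {ts_type}")
        off += length
    if off != len(data):
        raise ValueError("trailing bytes after the last selector")
    return out


def rejects(data: bytes) -> bool:
    """True if the parser refuses the input (exercises the malformed cases)."""
    try:
        parse_ts_payload(data)
        return False
    except ValueError:
        return True


SAMPLE_LABEL = b"system_u:object_r:ipsec_spd_t:s0"   # constructed sample label


def demo():
    selectors = [addr_range("10.0.0.0", "10.0.0.255", proto=6, ports=(443, 443)),
                 SecLabel(SAMPLE_LABEL)]
    wire = encode_ts_payload(selectors)
    return wire, parse_ts_payload(wire)


if __name__ == "__main__":
    wire, parsed = demo()
    print(wire.hex())
    print(parsed)
```

demo() round-trips one IPv4 range selector and one label selector through the wire form (4-octet payload header, 16 octets for the IPv4 range, 4 + label length for the label). Feeding the parser the same bytes with the last octet cut off, with an extra trailing octet, with a zero-length label, or with a selector length larger than the payload makes it raise instead of reading past the buffer.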