Group Domain of Interpretation (GDOI) Payloads - per [RFC3547]

(last updated 9 December 2004)

Related Registries:
  GDOI ID Payload Type Values
  SA KEK Payload Values
    - POP Algorithm
    - KEK Attributes
  SA TEK Payload Values
    - Protocol-ID
  Key Download Type Values
    - TEK Download Type
    - KEK Download Type
    - LKH Download Type

In all cases, new assigned numbers and values must be added via a
Standards Action as defined in [RFC2434].


GDOI ID Payload Type Values
---------------------------

When an ISAKMP identification payload is used with GDOI, the assigned
values for the Identification Type field are interpreted according to
this registry. The GDOI ID Payload Type is an 8-bit value that is used
as a discriminator for interpretation of the variable-length
Identification Payload. The following table describes ID Payload Types.

ID Type         Value       Reference
-------         -----       ---------
RESERVED        0 - 10      [RFC3547]
ID_KEY_ID       11          [RFC3547]
RESERVED        12 - 127    [RFC3547]
Private Use     128 - 255   [RFC3547]


SA KEK Payload Values
---------------------

POP Algorithm

The POP algorithm is a 16-bit value that identifies the signature
algorithm used to produce the POP (proof-of-possession) payload.

Algorithm Type   Value     Reference
--------------   -----     ---------
RESERVED         0         [RFC3547]
POP_ALG_RSA      1         [RFC3547]
POP_ALG_DSS      2         [RFC3547]
POP_ALG_ECDSS    3         [RFC3547]
RESERVED         4-127     [RFC3547]
Private Use      128-255   [RFC3547]

KEK Attributes

The KEK Attribute consists of a 16-bit type and its associated value.
KEK attributes are used to pass policy from a GCKS to a group member.
The following attributes may be present in an SA KEK (SAK) Payload.
The attributes must follow the format defined in ISAKMP [RFC2408]
section 3.3. In the table, attributes that are defined as TV are
marked as Basic (B); attributes that are defined as TLV are marked as
Variable (V).

ID Class                   Value   Type   Reference
--------                   -----   ----   ---------
RESERVED                   0
KEK_MANAGEMENT_ALGORITHM   1       B      [RFC3547]
KEK_ALGORITHM              2       B      [RFC3547]
KEK_KEY_LENGTH             3       B      [RFC3547]
KEK_KEY_LIFETIME           4       V      [RFC3547]
SIG_HASH_ALGORITHM         5       B      [RFC3547]
SIG_ALGORITHM              6       B      [RFC3547]
SIG_KEY_LENGTH             7       B      [RFC3547]
KE_OAKLEY_GROUP            8       B      [RFC3547]

KEK_MANAGEMENT_ALGORITHM

The KEK_MANAGEMENT_ALGORITHM class specifies the group KEK management
algorithm used to provide forward or backward access control (i.e.,
used to exclude group members). Defined values are specified in the
following table.

KEK Management Type   Value     Reference
-------------------   -----     ---------
RESERVED              0         [RFC3547]
LKH                   1         [RFC3547]
RESERVED              2-127     [RFC3547]
Private Use           128-255   [RFC3547]

KEK_ALGORITHM

The KEK_ALGORITHM class specifies the encryption algorithm used with
the KEK. Defined values are specified in the following table.

Algorithm Type   Value     Reference
--------------   -----     ---------
RESERVED         0         [RFC3547]
KEK_ALG_DES      1         [RFC3547]
KEK_ALG_3DES     2         [RFC3547]
KEK_ALG_AES      3         [RFC3547]
RESERVED         4-127     [RFC3547]
Private Use      128-255   [RFC3547]

KEK_KEY_LENGTH

The KEK_KEY_LENGTH class specifies the KEK Algorithm key length (in
bits).

KEK_KEY_LIFETIME

The KEK_KEY_LIFETIME class specifies the maximum time for which the
KEK is valid. The GCKS may refresh the KEK at any time before the end
of the valid period. The value is a four (4) octet number defining a
valid time period in seconds.

SIG_HASH_ALGORITHM

SIG_HASH_ALGORITHM specifies the SIG payload hash algorithm. The
following table defines the algorithms for SIG_HASH_ALGORITHM.

Algorithm Type   Value     Reference
--------------   -----     ---------
RESERVED         0         [RFC3547]
SIG_HASH_MD5     1         [RFC3547]
SIG_HASH_SHA1    2         [RFC3547]
RESERVED         3-127     [RFC3547]
Private Use      128-255   [RFC3547]

SIG_ALGORITHM

The SIG_ALGORITHM class specifies the SIG payload signature algorithm.
Defined values are specified in the following table.

Algorithm Type   Value     Reference
--------------   -----     ---------
RESERVED         0         [RFC3547]
SIG_ALG_RSA      1         [RFC3547]
SIG_ALG_DSS      2         [RFC3547]
SIG_ALG_ECDSS    3         [RFC3547]
RESERVED         4-127     [RFC3547]
Private Use      128-255   [RFC3547]

SIG_KEY_LENGTH

The SIG_KEY_LENGTH class specifies the length of the SIG payload key.

KE_OAKLEY_GROUP

The KE_OAKLEY_GROUP class defines the OAKLEY Group used to compute the
PFS secret in the optional KE payload of the GDOI GROUPKEY-PULL
exchange. This attribute uses the values assigned to Group Definitions
in the IANA IPsec registry [IPSEC-REG].


SA TEK Payload Values
---------------------

Protocol-ID

The SA_TEK Protocol-ID is an 8-bit value that is used to describe the
type of TEK that is included in the SA_TEK payload. The following
table defines values for the Security Protocol ID.

Protocol ID             Value     Reference
-----------             -----     ---------
RESERVED                0         [RFC3547]
GDOI_PROTO_IPSEC_ESP    1         [RFC3547]
RESERVED                2-127     [RFC3547]
Private Use             128-255   [RFC3547]


Key Download Type Values
------------------------

The Key Download Type is an 8-bit value that is used as a discriminator
for interpretation of the variable-length Key Packet.

Key Download Type   Value     Reference
-----------------   -----     ---------
RESERVED            0         [RFC3547]
TEK                 1         [RFC3547]
KEK                 2         [RFC3547]
LKH                 3         [RFC3547]
RESERVED            4-127     [RFC3547]
Private Use         128-255   [RFC3547]

TEK Download Type

The following attributes may be present in a TEK Download Type. The
attributes must follow the format defined in ISAKMP [RFC2408] section
3.3. In the table, attributes that are defined as TV are marked as
Basic (B); attributes that are defined as TLV are marked as Variable
(V).

TEK Class             Value   Type   Reference
---------             -----   ----   ---------
RESERVED              0              [RFC3547]
TEK_ALGORITHM_KEY     1       V      [RFC3547]
TEK_INTEGRITY_KEY     2       V      [RFC3547]
TEK_SOURCE_AUTH_KEY   3       V      [RFC3547]

KEK Download Type

The following attributes may be present in a KEK Download Type. In the
table, attributes that are defined as TV are marked as Basic (B);
attributes that are defined as TLV are marked as Variable (V).

KEK Class           Value   Type   Reference
---------           -----   ----   ---------
RESERVED            0              [RFC3547]
KEK_ALGORITHM_KEY   1       V      [RFC3547]
SIG_ALGORITHM_KEY   2       V      [RFC3547]

LKH Download Type

The LKH key packet consists of attributes representing different
leaves in the LKH key tree. The following attributes are used to pass
an LKH KEK array in the KD payload. The attributes must follow the
format defined in ISAKMP [RFC2408] section 3.3. In the table,
attributes that are defined as TV are marked as Basic (B); attributes
that are defined as TLV are marked as Variable (V).

KEK Class            Value     Type   Reference
---------            -----     ----   ---------
RESERVED             0                [RFC3547]
LKH_DOWNLOAD_ARRAY   1         V      [RFC3547]
LKH_UPDATE_ARRAY     2         V      [RFC3547]
SIG_ALGORITHM_KEY    3         V      [RFC3547]
RESERVED             4-127            [RFC3547]
Private Use          128-255          [RFC3547]


References
----------

[RFC3547]  M. Baugher, T. Hardjono, H. Harney, and B. Weis, "The Group
           Domain of Interpretation", RFC 3547, July 2003.

(registry created 28 March 2003)