GDOI Changes to Update Draft (draft-ietf-msec-gdoi-update-01)
Sheela Rowles, Brian Weis

Slide 2: Changes since Montreal IETF

  - Address the GDOI attack

Slide 3: GCKS Authorization

Mitigation of the attack described by Meadows & Pavlovic, which applies when the GCKS performs authorization based on IKEv1 credentials. A rogue device can perpetrate a man-in-the-middle attack if all of the following conditions are true:

  1. The rogue GDOI participant convinces an authorized member of the group (i.e., the victim group member) that it is a key server for that group.
  2. The victim group member, the victim GCKS, and the rogue group member all share IKEv1 authentication credentials.
  3. The victim GCKS does not properly verify that the IKEv1 authentication credentials used to protect a GROUPKEY-PULL protocol are authorized to join the group.

Slide 4: GCKS Authorization (cont.)

Attack mitigations:

  - A GDOI group member SHOULD be configured with policy describing which IKEv1 identities are authorized to act as GCKS for a group.
  - A GDOI key server SHOULD perform one of the following authorization checks:
    1. No CERT/POP: the GCKS SHOULD maintain a list of authorized group members for each group, where the group member identity is its IKEv1 authentication credentials.
    2. CERT/POP present: the GCKS SHOULD verify that the identity in the CERT payload refers to the same identity as the IKEv1 authentication credentials.

Slide 5: POP Definition

The point of POP (proof of possession) is to prove that the Phase 1 key identity is the same as the owner of the key distributed in the CERT.

Slide 6: POP Change

  Original RFC:                 POP_HASH = hash("pop" | Ni | Nr)
  Intended since Montreal IETF: POP_HASH = hash("pop" | SKEYID_A | Ni | Nr)
  Finally:                      POP_HASH = hash("pop" | IKE-INIT-PH1-ID | IKE-RESP-PH1-ID | Ni | Nr)
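As an added example that is not part of the slides or of the draft, the following Python models the two GCKS-side authorization checks and the member-side GCKS policy from slide 4, and the three POP_HASH variants from slide 6. It assumes SHA-256 for hash() and plain byte concatenation for "|" (real GDOI uses the hash negotiated in IKE Phase 1), and all identities, nonces and policy entries are constructed sample values. The phase1_binding_demo function shows the point of the final change: with the same nonces, only the final variant changes when the Phase 1 peer identity changes, so only it ties the POP to the party that actually authenticated in Phase 1.

```python
"""Added illustration (not the draft's code) of the GDOI update-draft
authorization checks (slide 4) and the POP_HASH variants (slide 6).
Assumptions: hash() is SHA-256 and "|" is byte concatenation; real GDOI
uses the hash negotiated in IKE Phase 1. All identities, nonces and
policy entries are constructed sample values."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


def _h(*parts: bytes) -> bytes:
    """Assumed hash function standing in for the slides' hash(a | b | ...)."""
    return hashlib.sha256(b"".join(parts)).digest()


# ---- GCKS-side authorization (slide 4) ----------------------------------

@dataclass
class GroupPolicy:
    group_id: str
    # IKEv1 identities authorized to join this group (check 1, no CERT/POP)
    authorized_members: Set[str] = field(default_factory=set)


def gcks_authorize(policy: GroupPolicy, ikev1_identity: str,
                   cert_identity: Optional[str] = None) -> Tuple[bool, str]:
    """Decide whether a GROUPKEY-PULL from this peer may proceed.

    ikev1_identity is the identity authenticated in IKE Phase 1;
    cert_identity is the identity from the CERT payload, if one was sent.
    """
    if cert_identity is None:
        # Check 1: the Phase 1 credential itself is the member identity,
        # so it must appear on the group's authorized-member list.
        if ikev1_identity in policy.authorized_members:
            return True, "IKEv1 identity is on the authorized-member list"
        return False, "IKEv1 identity not authorized for group " + policy.group_id
    # Check 2: a CERT was presented; it must name the same identity that
    # authenticated in Phase 1, otherwise the CERT says nothing about this peer.
    if cert_identity != ikev1_identity:
        return False, "CERT identity does not match IKEv1 identity"
    return True, "CERT identity matches IKEv1 identity"


# ---- member-side policy (slide 4): who may act as GCKS for a group ------

def member_accepts_gcks(authorized_gcks: Set[str], gcks_ikev1_identity: str) -> bool:
    """A member only runs GROUPKEY-PULL with Phase 1 peers on its GCKS list."""
    return gcks_ikev1_identity in authorized_gcks


# ---- POP_HASH variants (slide 6) ----------------------------------------

def pop_hash_original(ni: bytes, nr: bytes) -> bytes:
    return _h(b"pop", ni, nr)


def pop_hash_montreal(skeyid_a: bytes, ni: bytes, nr: bytes) -> bytes:
    return _h(b"pop", skeyid_a, ni, nr)


def pop_hash_final(init_id: bytes, resp_id: bytes, ni: bytes, nr: bytes) -> bytes:
    return _h(b"pop", init_id, resp_id, ni, nr)


def phase1_binding_demo() -> Dict[str, bool]:
    """Same nonces, two different Phase 1 responder identities: report which
    POP_HASH variants differ, i.e. which ones bind the POP to the Phase 1 peer.
    The original formula has no identity input at all, so it cannot differ."""
    ni, nr = b"constructed-Ni", b"constructed-Nr"
    init_id = b"member-a@example.test"
    return {
        "original": pop_hash_original(ni, nr) != pop_hash_original(ni, nr),
        "final": pop_hash_final(init_id, b"gcks@example.test", ni, nr)
                 != pop_hash_final(init_id, b"other-id@example.test", ni, nr),
    }


# Constructed sample policy used by the stand-alone run below.
EXAMPLE_POLICY = GroupPolicy("group-1", {"member-a@example.test", "member-b@example.test"})
EXAMPLE_GCKS_LIST = {"gcks@example.test"}

if __name__ == "__main__":
    print(gcks_authorize(EXAMPLE_POLICY, "member-a@example.test"))
    print(gcks_authorize(EXAMPLE_POLICY, "member-a@example.test", "member-b@example.test"))
    print(member_accepts_gcks(EXAMPLE_GCKS_LIST, "other-id@example.test"))
    print(phase1_binding_demo())
```

Both checks in gcks_authorize key on the Phase 1 identity rather than on whatever the peer claims in the GROUPKEY-PULL itself; that is the whole mitigation, since condition 3 on slide 3 is precisely a GCKS that skips this step.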
