Cisco IOS Software Release 12.4(6)T

Secure Multicast
  Information About Secure Multicast
Cisco IOS Security Configuration Guide
Secure Multicast and Internet Standards
Secure Multicast relies on the following two Internet standards: GDOI and IPsec.
GDOI
GDOI is defined as the Internet Security Association Key Management Protocol (ISAKMP) Domain of 
Interpretation (DOI) for group key management. In a group management model, the GDOI protocol 
operates between a group member and a group controller or key server (GCKS), which establishes 
security associations among authorized group members. The ISAKMP defines two phases of 
negotiation. GDOI is protected by a Phase 1 ISAKMP security association. The Phase 2 exchange is 
defined in IETF RFC 3547. The topology shown in Figure 1 and the corresponding explanation show 
how this protocol works.
Figure 1 Protocol Flows That Are Necessary for Group Members to Participate in a Group
The topology in Figure 1 shows the protocol flows that are necessary for group members to participate in a group:
1. Group members register with the key server. The key server authenticates and authorizes the group members and downloads the IPsec policy and keys that are necessary for them to encrypt and decrypt IP multicast packets.
2. Group members exchange IP multicast packets that are encrypted using IPsec.
3. As needed, the key server pushes a rekey message to the group members. The rekey message contains new IPsec policy and keys to use when old IPsec SAs expire. Rekey messages are sent in advance of the SA expiration time to ensure that valid group keys are always available.
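As an added example, not code from the Cisco guide or from RFC 3547, the following Python sketch models the three flows above: registration with authorization, group traffic protected under the shared key, and a rekey pushed before the SA expires so that old and new keys overlap. HMAC-SHA256 stands in for the IPsec transform, and the names KeyServer, GroupMember, SA_LIFETIME and REKEY_LEAD are assumptions of this sketch, not Cisco IOS or GDOI identifiers.

```python
import hmac, hashlib, os

SA_LIFETIME = 3600   # constructed: seconds a group TEK SA stays valid
REKEY_LEAD = 600     # constructed: rekey is pushed this long before expiry

class KeyServer:
    """GCKS toy model: authorizes members and distributes the group TEK."""
    def __init__(self, authorized, now=0):
        self.authorized, self.members = set(authorized), []
        self.spi, self.expires, self.tek = 0, 0, b""
        self._new_sa(now)

    def _new_sa(self, now):
        # New SPI identifies the new group SA; the old one stays valid until it expires.
        self.spi, self.tek = self.spi + 1, os.urandom(32)
        self.expires = now + SA_LIFETIME

    def register(self, member, now):
        # Flow 1: authenticate/authorize, then download group policy and keys.
        if member.name not in self.authorized:
            return False
        self.members.append(member)
        member.install(self.spi, self.tek, self.expires)
        return True

    def tick(self, now):
        # Flow 3: push a rekey REKEY_LEAD seconds before the current SA expires.
        if now < self.expires - REKEY_LEAD:
            return False
        self._new_sa(now)
        for m in self.members:
            m.install(self.spi, self.tek, self.expires)
        return True

class GroupMember:
    """Holds every group SA it received, keyed by SPI, until each expires."""
    def __init__(self, name):
        self.name, self.sas = name, {}  # spi -> (tek, expires)

    def install(self, spi, tek, expires):
        self.sas[spi] = (tek, expires)

    def protect(self, payload, now):
        # Flow 2: protect with the newest unexpired SA; the SPI travels in the clear.
        spi = max(s for s, (_, e) in self.sas.items() if e > now)
        return spi, payload, hmac.new(self.sas[spi][0], payload, hashlib.sha256).digest()

    def unprotect(self, packet, now):
        spi, payload, tag = packet
        sa = self.sas.get(spi)
        if sa is None or sa[1] <= now:
            return None  # unknown or expired group SA: drop the packet
        ok = hmac.compare_digest(hmac.new(sa[0], payload, hashlib.sha256).digest(), tag)
        return payload if ok else None
```

A member that missed the rekey, or a host that never registered, holds no SA for the new SPI and drops the traffic; a member that did receive the rekey can still verify packets protected under the old SA until its expiry time passes.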
IPsec
IPsec is a well-known standard, defined in an RFC, that specifies an architecture for providing various security services for traffic at the IP layer. The components, how they fit together with each other, and how they fit into the IP environment are described in IETF RFC 2401.