Group Domain of Interpretation

The GDOI protocol is specified in an IETF Standards Track document, RFC 6407 (which obsoletes the original RFC 3547), and is built on the Internet Security Association and Key Management Protocol (ISAKMP), RFC 2408, and Internet Key Exchange version 1 (IKEv1), RFC 2409. A member first authenticates to the group controller in an ISAKMP Phase 1 exchange and then, in a GDOI-specific Phase 2 exchange (GROUPKEY-PULL), downloads the group's policy and keys.

Once the Rekey SA (the key-encryption-key, or KEK, SA) has been established in the pull exchange, the group controller/key server (GCKS) can push unsolicited updates to the group security associations to members over multicast, broadcast or unicast channels in a GROUPKEY-PUSH message, without each member having to contact it again. Each push message carries a sequence number for anti-replay protection and is signed by the GCKS, so members verify its origin before installing the new keys.

The "efficiency" of the underlying group key management algorithm is evaluated in terms of space (how many keys each member and the GCKS must store), time (the computation needed to process a rekey) and message complexity (how many rekey messages, and of what size, a membership change costs), each as a function of the group size n.

The Logical Key Hierarchy (LKH) of RFC 2627 arranges key-encryption keys in a tree, so that each member stores O(log n) keys and a single join or leave costs O(log n) rekey messages rather than the O(n) of a flat scheme in which every member would have to be rekeyed individually; related broadcast-encryption schemes such as "subset-difference" achieve comparable logarithmic or polylogarithmic bounds.

This is what makes RFC 2627 suitable for GDOI's group "membership management": a member can be added or, more importantly, expelled (its keys replaced so that it can no longer decrypt group traffic) without the GCKS re-keying every remaining member one at a time.
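The following is an added example, not code from this page or from any GDOI implementation: a toy Python simulation of an RFC 2627 style logical key hierarchy. The tree layout, the key version numbers, the message tuples and the HMAC-keystream "wrap" are all assumptions made for the demonstration (a real deployment would use AES Key Wrap and GDOI's own payloads); what it shows is that a member whose key ladder holds height + 1 keys can be evicted with 2 * height - 1 pushed rekey messages, and that the evicted member, although it sees every one of those messages, cannot recover the new group key.

```python
"""Added example: toy Logical Key Hierarchy (the RFC 2627 tree scheme), showing why
one member can be evicted with O(log n) rekey messages.  Not GDOI's wire format."""
import hashlib
import hmac
import math
import os

KEY_LEN = 32  # bytes; equals the HMAC-SHA256 output, so one keystream block wraps a key


def wrap(kek, node, ver, key):
    # Toy stand-in for AES Key Wrap: XOR with an HMAC keystream bound to the wrapping
    # key and the wrapped key's (node, version) id.  Every triple is used once, which is
    # the only thing keeping this from being trivially broken; demonstration only.
    stream = hmac.new(kek, b"LKH-wrap|%d|%d" % (node, ver), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(stream, key))

unwrap = wrap  # XOR with the same keystream inverts the wrap


class GCKS:
    """Group Controller / Key Server holding the whole tree.  Heap indexing: root is 1,
    children of v are 2v and 2v+1, member i sits at leaf 2**height + i (assumed layout)."""
    def __init__(self, capacity):
        self.height = max(1, math.ceil(math.log2(capacity)))
        self.leaf_base = 2 ** self.height
        self.keys = {}  # node -> (version, key); versions stop stale keys unwrapping
        for v in range(1, self.leaf_base):  # every KEK exists from the start
            self._fresh(v)

    def _fresh(self, node):
        ver = self.keys[node][0] + 1 if node in self.keys else 0
        self.keys[node] = (ver, os.urandom(KEY_LEN))
        return self.keys[node]

    def path(self, member):  # leaf-to-root node ids: exactly this member's key ladder
        node, p = self.leaf_base + member, []
        while node:
            p.append(node)
            node //= 2
        return p

    def join(self, member):
        """Admit an authenticated member: return its ladder (sent unicast, as in the pull
        exchange) plus pushed rekeys replacing every KEK on its path (backward secrecy)."""
        p = self.path(member)
        self._fresh(p[0])  # individual key, shared only with the GCKS
        msgs = []
        for v in p[1:]:  # one message per level, wrapped under the old key
            old_ver, old = self.keys[v]
            ver, new = self._fresh(v)
            msgs.append(((v, old_ver), (v, ver), wrap(old, v, ver, new)))
        return {v: self.keys[v] for v in p}, msgs

    def leave(self, member):
        """Evict a member: replace every KEK it held, bottom-up, wrapping each new key
        only under keys it never had (the sibling's key and the just-replaced child)."""
        p = self.path(member)
        del self.keys[p[0]]
        msgs = []
        for child, v in zip(p, p[1:]):
            ver, new = self._fresh(v)
            sib = child ^ 1  # the other child of v
            if sib in self.keys:  # an empty leaf slot has no key
                sver, skey = self.keys[sib]
                msgs.append(((sib, sver), (v, ver), wrap(skey, v, ver, new)))
            if child != p[0]:  # child's own key was replaced one level down
                cver, ckey = self.keys[child]
                msgs.append(((child, cver), (v, ver), wrap(ckey, v, ver, new)))
        return msgs


class Member:
    def __init__(self, ladder):
        self.keys = dict(ladder)  # node -> (version, key): the member's key ladder

    def process(self, msgs):  # unwrap whatever is wrapped under a key we hold
        for (wnode, wver), (node, ver), blob in msgs:
            held = self.keys.get(wnode)
            if held and held[0] == wver:
                self.keys[node] = (ver, unwrap(held[1], node, ver, blob))


def simulate(n, evicted):
    """Bootstrap n members, evict one, report rekey cost and who ends up with the key."""
    gcks, members = GCKS(n), {}
    for i in range(n):
        ladder, msgs = gcks.join(i)
        for m in members.values():
            m.process(msgs)
        members[i] = Member(ladder)
    gone = members.pop(evicted)
    msgs = gcks.leave(evicted)
    for m in list(members.values()) + [gone]:  # the evicted member listens too
        m.process(msgs)
    return {
        "ladder_size": len(gcks.path(0)),  # height + 1 keys per member
        "leave_messages": len(msgs),  # 2*height - 1, versus n - 1 pairwise
        "remaining_in_sync": all(m.keys[1] == gcks.keys[1] for m in members.values()),
        "evicted_has_new_key": gone.keys[1] == gcks.keys[1],
    }
```

Calling simulate(8, 3) reports a ladder of 4 keys and 5 rekey messages for eight members, against the 7 a flat pairwise scheme would need; for 1024 members the same eviction costs 19 messages. Messages are emitted bottom-up on purpose: a member must already hold the replaced child key before it can unwrap the parent key sent under it, which is also why each key carries a version and stale keys are refused.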

Each member holds a credential, such as an X.509 certificate, with which it authenticates to the GCKS in the Phase 1 exchange; the GCKS checks that identity against the group's authorization policy before releasing any keys, so the credential is what proves that the member is authorized to join one or more groups.

Each group can have its own policy for cryptography, key lifetime, and member behavior.

Figure: GDOI functional block diagram
Figure: Member key ladder