Michael Richardson writes:
> > This has the issue that differences in the PPK will not be detected,
> > i.e., if PPKs are mismatched because of configuration error, we do get
> > IKEv2 SA up and running, and we create IPsec Child SAs without errors,
> > but then all traffic in IPsec SA will simply be dropped as the keying
> > material is wrong.
>
> I think that this is a *HUGE* user configuration issue.
> It means that the QM resistance will be turned off first thing whenever there
> is a problem.

That is why I think it is important that we do detect the failures correctly.

> > SK_d provides quantum resistance for the IPsec SAs and Child IKE SAs.
> > The SK_pi and SK_pr provide key verification, meaning that incorrect
> > PPKs will result in an AUTHENTICATION_FAILURE notification, instead of
> > just wrong keys.
>
> Would it be reasonable to create some token/nonce from something before the
> PPK is mixed in such that we could recognize the different AUTH FAILUREs,
> or does that create too much of an oracle for testing PPKs?

I think it is better to keep the AUTHENTICATION_FAILURE to mean both, i.e.,
not provide an oracle.
-- 
[email protected]
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
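
The following Python is an added example, not part of the mail above nor code from any IETF implementation. It models the two derivations the thread is arguing over: mixing the PPK only into SK_d (the variant Tero objects to, where a mismatched PPK leaves the IKE SA up and silently breaks Child SA traffic) against mixing it into SK_d, SK_pi and SK_pr as RFC 8784 eventually specified (SK_d = prf+(PPK, SK_d'), SK_pi = prf+(PPK, SK_pi'), SK_pr = prf+(PPK, SK_pr')), where a mismatch changes the MACedID inside the AUTH payload and so fails authentication. Assumptions: the prf is PRF_HMAC_SHA2_256, all IKE SA keys are 32 bytes, the shared-key AUTH computation is reduced to its MACedID input plus a placeholder for the signed octets, and SKEYSEED, nonces, SPIs, PSK, IDs and PPKs are all constructed values.

```python
import hashlib
import hmac

KEYLEN = 32  # assumed: every IKE SA key is 32 bytes


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv2 prf, assumed here to be PRF_HMAC_SHA2_256."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ from RFC 7296 section 2.13:
    T1 = prf(K, S | 0x01), Tn = prf(K, T(n-1) | S | n)."""
    out, prev, n = b"", b"", 1
    while len(out) < length:
        prev = prf(key, prev + seed + bytes([n]))
        out += prev
        n += 1
    return out[:length]


def derive_ike_keys(skeyseed, ni, nr, spi_i, spi_r):
    """RFC 7296 section 2.14: {SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr}
    = prf+(SKEYSEED, Ni | Nr | SPIi | SPIr)."""
    names = ("SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr")
    mat = prf_plus(skeyseed, ni + nr + spi_i + spi_r, len(names) * KEYLEN)
    return {k: mat[i * KEYLEN:(i + 1) * KEYLEN] for i, k in enumerate(names)}


def apply_ppk(keys, ppk, mix_into_auth_keys):
    """Fold the PPK into the IKE SA keys.  With mix_into_auth_keys=True this is
    the RFC 8784 section 3.3 derivation (SK_d, SK_pi and SK_pr all rekeyed
    with prf+(PPK, ...)).  With it False only SK_d is rekeyed, which is the
    variant the quoted text objects to."""
    out = dict(keys)
    out["SK_d"] = prf_plus(ppk, keys["SK_d"], KEYLEN)
    if mix_into_auth_keys:
        out["SK_pi"] = prf_plus(ppk, keys["SK_pi"], KEYLEN)
        out["SK_pr"] = prf_plus(ppk, keys["SK_pr"], KEYLEN)
    return out


def auth_payload(sk_p, psk, signed_octets, id_payload):
    """RFC 7296 section 2.15 shared-key AUTH.  The ID payload is MACed under
    SK_pi (initiator) or SK_pr (responder), so a peer holding a different
    SK_p computes a different AUTH value and the check fails."""
    maced_id = prf(sk_p, id_payload)
    return prf(prf(psk, b"Key Pad for IKEv2"), signed_octets + maced_id)


def child_keymat(sk_d, ni, nr):
    """RFC 7296 section 2.17 without PFS: KEYMAT = prf+(SK_d, Ni | Nr)."""
    return prf_plus(sk_d, ni + nr, 2 * KEYLEN)


# Constructed inputs: both peers agree on everything except possibly the PPK.
SKEYSEED = hashlib.sha256(b"constructed shared DH secret").digest()
NI, NR = b"\x11" * 16, b"\x22" * 16
SPI_I, SPI_R = b"\x01" * 8, b"\x02" * 8
PSK = b"constructed IKE pre-shared key"
ID_I = b"initiator@example.test"
SIGNED_OCTETS = b"constructed placeholder for RealMessage1 | NonceRData"


def simulate(ppk_i, ppk_r, mix_into_auth_keys):
    """Run the initiator's IKE_AUTH and the Child SA key derivation with the
    two peers holding ppk_i and ppk_r.  Returns (auth_ok, child_keys_match).
    The responder only ever sees an AUTH mismatch: it cannot tell a wrong
    PPK from a wrong PSK, which is the non-oracle property Tero wants."""
    base = derive_ike_keys(SKEYSEED, NI, NR, SPI_I, SPI_R)
    keys_i = apply_ppk(base, ppk_i, mix_into_auth_keys)
    keys_r = apply_ppk(base, ppk_r, mix_into_auth_keys)
    sent = auth_payload(keys_i["SK_pi"], PSK, SIGNED_OCTETS, ID_I)
    expected = auth_payload(keys_r["SK_pi"], PSK, SIGNED_OCTETS, ID_I)
    auth_ok = hmac.compare_digest(sent, expected)
    child_match = (child_keymat(keys_i["SK_d"], NI, NR)
                   == child_keymat(keys_r["SK_d"], NI, NR))
    return auth_ok, child_match


if __name__ == "__main__":
    good, bad = b"ppk-0001", b"ppk-0002"  # constructed PPKs
    print("matching PPK, RFC 8784 mixing:   ", simulate(good, good, True))
    print("mismatched PPK, RFC 8784 mixing: ", simulate(good, bad, True))
    print("mismatched PPK, SK_d-only mixing:", simulate(good, bad, False))
```

The third case is the configuration-error scenario from the quoted text: authentication succeeds, the IKE SA and Child SAs come up, and only the Child SA KEYMAT disagrees, so traffic is dropped with no protocol-level error. The second case shows why rekeying SK_pi and SK_pr with the PPK turns that into an IKE_AUTH failure, and because the responder compares only the final AUTH value, it yields the same AUTHENTICATION_FAILED outcome as a wrong PSK would.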
