Hi again,

> I would propose that we add PPK to both SK_d and SK_pi and SK_pr.
>
> SK_d provides quantum resistance for the IPsec SAs and Child IKE SAs.
> The SK_pi and SK_pr provide key verification, meaning that incorrect
> PPKs will result in an AUTHENTICATION_FAILURE notification, instead of just
> wrong keys.
>
> SK_pi and SK_pr are used to MAC the ID payloads of the peers, and if we
> mix PPK in there that might also provide some resistance against
> quantum computers even when the attackers can break RSA. I.e., it does
> not matter that they can generate valid signatures if they do not know
> what they are supposed to sign.
That will work. However, I'm not sure that a single AUTHENTICATION_FAILURE notification is a good thing from an operational point of view. A separate notification indicating that PPKs are mismatched would be preferable, to quickly trace back and fix configuration errors.

Regards,
Valery.

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
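The two behaviours discussed in the thread (PPK mixed into SK_d only, versus PPK mixed into SK_d and SK_pi/SK_pr as well) can be illustrated with a small model of the IKEv2 key derivation. The following is an added example and not code from either poster or from any IKE implementation: it implements prf+ from RFC 7296, derives only the three keys under discussion, mixes the PPK in as SK_x' = prf+(PPK, SK_x) (an assumed construction), and replaces the real signature over the signed octets with an HMAC so it runs offline. All key and nonce values are constructed.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed example parameters; not from any real exchange.
HASH = hashlib.sha256
KEY_LEN = 32


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv2 prf, here PRF_HMAC_SHA2_256."""
    return hmac.new(key, data, HASH).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ from RFC 7296 section 2.13: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]


@dataclass(frozen=True)
class IkeKeys:
    sk_d: bytes   # seeds Child SA and rekey key material
    sk_pi: bytes  # MACs the initiator's ID payload inside AUTH
    sk_pr: bytes  # MACs the responder's ID payload inside AUTH


def derive_ike_keys(skeyseed: bytes, ni: bytes, nr: bytes, spi_i: bytes, spi_r: bytes) -> IkeKeys:
    """Simplified RFC 7296 section 2.14 derivation; only SK_d, SK_pi and SK_pr are kept."""
    km = prf_plus(skeyseed, ni + nr + spi_i + spi_r, 3 * KEY_LEN)
    return IkeKeys(km[0:KEY_LEN], km[KEY_LEN:2 * KEY_LEN], km[2 * KEY_LEN:3 * KEY_LEN])


def mix_ppk(keys: IkeKeys, ppk: bytes, into_sk_p: bool) -> IkeKeys:
    """Mix the PPK into SK_d and, optionally, SK_pi/SK_pr as SK_x' = prf+(PPK, SK_x).
    This is the assumed construction for the proposal in the thread."""
    sk_d = prf_plus(ppk, keys.sk_d, KEY_LEN)
    if not into_sk_p:
        return IkeKeys(sk_d, keys.sk_pi, keys.sk_pr)
    return IkeKeys(sk_d, prf_plus(ppk, keys.sk_pi, KEY_LEN), prf_plus(ppk, keys.sk_pr, KEY_LEN))


def signed_octets(message: bytes, peer_nonce: bytes, sk_p: bytes, id_payload: bytes) -> bytes:
    """RFC 7296 section 2.15: <Message> | <Nonce of the peer> | prf(SK_p, IDPayload)."""
    return message + peer_nonce + prf(sk_p, id_payload)


def auth_payload(auth_key: bytes, octets: bytes) -> bytes:
    """Stand-in for the signature over the signed octets (an HMAC instead of RSA/ECDSA)."""
    return prf(auth_key, octets)


def run_exchange(ppk_i: bytes, ppk_r: bytes, into_sk_p: bool) -> tuple:
    """Return (responder accepts initiator's AUTH, both sides hold the same SK_d)."""
    skeyseed = b"S" * 32          # both peers reach the same SKEYSEED after the DH exchange
    ni, nr = b"\x01" * 16, b"\x02" * 16
    spi_i, spi_r = b"\xaa" * 8, b"\xbb" * 8
    msg1 = b"IKE_SA_INIT request bytes"
    id_i = b"ID_FQDN initiator.example"
    auth_key = b"K" * 32          # the authentication credential, correct on both sides

    base = derive_ike_keys(skeyseed, ni, nr, spi_i, spi_r)
    keys_i = mix_ppk(base, ppk_i, into_sk_p)   # initiator's configured PPK
    keys_r = mix_ppk(base, ppk_r, into_sk_p)   # responder's configured PPK

    auth_i = auth_payload(auth_key, signed_octets(msg1, nr, keys_i.sk_pi, id_i))
    expected = auth_payload(auth_key, signed_octets(msg1, nr, keys_r.sk_pi, id_i))
    auth_ok = hmac.compare_digest(auth_i, expected)
    child_keys_match = hmac.compare_digest(keys_i.sk_d, keys_r.sk_d)
    return auth_ok, child_keys_match


if __name__ == "__main__":
    good, bad = b"p" * 32, b"q" * 32
    print("same PPK, mixed into SK_p:  ", run_exchange(good, good, True))   # (True, True)
    print("wrong PPK, mixed into SK_p: ", run_exchange(good, bad, True))    # (False, False): caught at AUTH
    print("wrong PPK, SK_d only:       ", run_exchange(good, bad, False))   # (True, False): silent wrong keys
```

With the PPK in SK_pi/SK_pr, a mismatched PPK changes the MAC over the ID payload, so the responder rejects AUTH and the IKE SA never comes up; with the PPK in SK_d only, AUTH still succeeds and the peers only discover the problem when Child SA traffic fails to decrypt. The model also shows the operational point raised above: `auth_ok` is the same `False` whether the PPK or the authentication credential is wrong, so a responder wanting to report a PPK mismatch specifically would need to signal it separately rather than rely on the generic authentication failure.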
