I'd like to put the topic PFS up for discussion, since section 3.5 Child SAs contains some (to cite Scott) weasel words.
Obviously, in order to achieve PFS in the sense of PQ security, we need to perform at least one PQ key exchange for Child SAs. At this point in the protocol, the peers already know if both of them support PQ algorithms, so backwards compatibility should not be an issue. Furthermore, as the CREATE_CHILD_SA exchange is already encrypted and IKE fragmentation could be used, you could simply include further (PQ) KE payloads in the message.

I don't think that it is necessary to negotiate the PQ key exchange algorithms again. This would introduce more complexity. Instead you could restrict the PQ algorithms to the ones already negotiated in the IKE_AUX exchange.

Any thoughts?

Leonie
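As an added illustration of the two points above (this is example code written for this page, not code from the post, the draft, or any IKEv2 implementation): a responder-side check that the additional (PQ) KE payloads in CREATE_CHILD_SA use only methods already negotiated for the IKE SA, and a Child SA KEYMAT derivation that mixes every fresh shared secret, so PFS holds as long as at least one of them is PQ-secure. prf+ follows RFC 7296 section 2.13; the rule of concatenating several shared secrets before Ni | Nr, the `negotiated_pq_methods` set, and the `PQ_KEM_EXAMPLE` identifier are assumptions of this example.

```python
"""Example (not from the original post): restricting Child SA PQ key
exchanges to already-negotiated methods and mixing all shared secrets
into KEYMAT.  prf+ is RFC 7296 section 2.13; the multi-secret KEYMAT
formula and the PQ method identifier below are assumptions."""
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA2_256 as used by IKEv2."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ from RFC 7296 section 2.13:
    T1 = prf(K, S | 0x01), Tn = prf(K, T(n-1) | S | n); output T1 | T2 | ...
    """
    out = b""
    t = b""
    counter = 1
    while len(out) < length:
        if counter > 255:
            raise ValueError("prf+ cannot produce more than 255 blocks")
        t = prf(key, t + seed + bytes([counter]))
        out += t
        counter += 1
    return out[:length]


# Method identifiers used in this example.  14 is the real IKEv2
# Transform ID for the 2048-bit MODP group; PQ_KEM_EXAMPLE is a
# constructed placeholder, not an IANA-registered value.
MODP_2048 = 14
PQ_KEM_EXAMPLE = 9001  # placeholder, assumption


def child_ke_methods_allowed(negotiated_pq_methods, proposed_ke_payloads):
    """Responder-side check for CREATE_CHILD_SA: every additional (PQ) KE
    payload must use a method already negotiated for this IKE SA, so no
    second negotiation of PQ algorithms is needed.  Returns True if the
    proposal is acceptable, False if any method was not negotiated."""
    for method, _public_value in proposed_ke_payloads:
        if method != MODP_2048 and method not in negotiated_pq_methods:
            return False
    return True


def child_sa_keymat(sk_d, shared_secrets, ni, nr, length):
    """Child SA KEYMAT from one or more fresh shared secrets.
    Assumption: the secrets are concatenated in negotiation order and
    followed by Ni | Nr, extending the single-secret formula of RFC 7296
    section 2.17 (KEYMAT = prf+(SK_d, g^ir | Ni | Nr))."""
    if not shared_secrets:
        raise ValueError("PFS requires at least one fresh shared secret")
    seed = b"".join(shared_secrets) + ni + nr
    return prf_plus(sk_d, seed, length)


if __name__ == "__main__":
    # Constructed sample values; real ones come from the IKE SA and the KEs.
    sk_d = bytes(range(32))
    ni, nr = b"\x11" * 16, b"\x22" * 16
    dh_secret, pq_secret = b"\xaa" * 256, b"\xbb" * 32
    proposal = [(MODP_2048, b"<dh public>"), (PQ_KEM_EXAMPLE, b"<pq public>")]
    print("accepted:", child_ke_methods_allowed({PQ_KEM_EXAMPLE}, proposal))
    print("rejected:", child_ke_methods_allowed(set(), proposal))
    print(child_sa_keymat(sk_d, [dh_secret, pq_secret], ni, nr, 64).hex())
```

The KEYMAT derivation is deliberately indifferent to which secret is the PQ one: removing or changing any single shared secret changes the whole output, which is the property that makes a single PQ exchange per Child SA sufficient for PFS against a quantum adversary even if the classical group is later broken.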
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
