On Wed, 15 Aug 2018, Bruckert, Leonie wrote:
> Obviously, in order to achieve PFS in the sense of PQ security, we need to
> perform at least one PQ key exchange for Child SAs. At this point
> of the protocol, the peers already know if both of them support PQ algorithms,
> so backwards compatibility should not be an issue.
> Furthermore, as the CREATE_CHILD_SA exchange is already encrypted and IKE
> fragmentation could be used, you could simply include further (PQ)
> KE payloads in the message.
> I don’t think that it is necessary to negotiate the PQ key exchange algorithms
> again. This would introduce more complexity. Instead you could
> restrict the PQ algorithms to the ones already negotiated in the IKE_AUX
> exchange.
That makes sense to me.
Paul
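The design sketched in the quoted message (several KE payloads in one CREATE_CHILD_SA, with the PQ methods restricted to the set already agreed in IKE_AUX, and no second negotiation) as a runnable model. This is an added example written for this page, not code from the thread participants or from any IKEv2 implementation. The transform IDs are placeholders, the "PQ" methods are stood in by a toy modular-exponentiation group so the exchange runs offline (it has no post-quantum or real-world security), and the way the several shared secrets are combined (concatenated into the g^ir slot of the RFC 7296 Child SA KEYMAT derivation) is an assumption of this model, not a specified construction.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Placeholder transform identifiers for this model; they are not IANA-assigned values.
CLASSICAL_DH = 1
PQ_KEM_A = 101
PQ_KEM_B = 102
PQ_KEM_C = 103

# Toy group used for every method (classical and "PQ" alike) so the model runs
# offline: a Mersenne prime with generator 2. It provides no real security.
P = 2**127 - 1
G = 2


def ke_keypair():
    """Generate one ephemeral key pair in the toy group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def ke_shared(priv, peer_pub):
    """Shared secret for one KE payload, as 16 big-endian bytes."""
    return pow(peer_pub, priv, P).to_bytes(16, "big")


@dataclass(frozen=True)
class KEPayload:
    method: int  # transform ID of the key exchange method
    public: int  # ephemeral public value


def initiator_create_child_sa(methods):
    """Initiator side: one KE payload per requested method, classical first."""
    privs, payloads = {}, []
    for m in methods:
        priv, pub = ke_keypair()
        privs[m] = priv
        payloads.append(KEPayload(m, pub))
    return privs, payloads


def responder_process(negotiated_pq, payloads):
    """Responder side: accept the request only if every PQ method carried in a
    KE payload was already negotiated in IKE_AUX; there is no renegotiation."""
    methods = [p.method for p in payloads]
    if not methods or methods[0] != CLASSICAL_DH:
        raise ValueError("first KE payload must carry the classical group")
    if len(set(methods)) != len(methods):
        raise ValueError("duplicate KE method in request")
    for m in methods[1:]:
        if m not in negotiated_pq:
            raise ValueError(f"PQ method {m} was not negotiated in IKE_AUX")
    responses, shared = [], []
    for p in payloads:
        priv, pub = ke_keypair()
        responses.append(KEPayload(p.method, pub))
        shared.append(ke_shared(priv, p.public))
    return responses, shared


def initiator_finish(privs, responses):
    """Initiator completes every key exchange from the responder's KE payloads."""
    return [ke_shared(privs[r.method], r.public) for r in responses]


def prf_plus(key, seed, length):
    """prf+ from RFC 7296 section 2.13, instantiated with HMAC-SHA256."""
    out, t, counter = b"", b"", 1
    while len(out) < length:
        t = hmac.new(key, t + seed + bytes([counter]), hashlib.sha256).digest()
        out += t
        counter += 1
    return out[:length]


def child_keymat(sk_d, shared_secrets, ni, nr, length=64):
    """KEYMAT = prf+(SK_d, g^ir | Ni | Nr) per RFC 7296 section 2.17; here the
    g^ir slot holds all shared secrets concatenated in payload order (assumption)."""
    return prf_plus(sk_d, b"".join(shared_secrets) + ni + nr, length)


def run_child_sa(negotiated_pq, requested_methods):
    """Run the modelled exchange; returns (initiator KEYMAT, responder KEYMAT)."""
    sk_d = hashlib.sha256(b"constructed SK_d from the IKE SA").digest()  # constructed
    ni, nr = secrets.token_bytes(32), secrets.token_bytes(32)
    privs, request = initiator_create_child_sa(requested_methods)
    responses, shared_r = responder_process(negotiated_pq, request)
    shared_i = initiator_finish(privs, responses)
    return child_keymat(sk_d, shared_i, ni, nr), child_keymat(sk_d, shared_r, ni, nr)


if __name__ == "__main__":
    k_i, k_r = run_child_sa({PQ_KEM_A, PQ_KEM_B}, [CLASSICAL_DH, PQ_KEM_A, PQ_KEM_B])
    print("Child SA KEYMAT matches on both peers:", k_i == k_r)
```

The responder check is the part that carries the design point: because the PQ method set was fixed in IKE_AUX, CREATE_CHILD_SA needs no proposal/transform negotiation for the extra KE payloads, only a membership test against that set, and a request naming an un-negotiated method is rejected outright rather than answered with a counter-proposal.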
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec