On Fri, 30 Aug 2019, Tero Kivinen wrote:
> Current solutions have been trying to keep the identity protection part as good as it is without those extensions, i.e., qr-ikev2 still provides the same identity protection as normal IKEv2 does, and then provides extended protection for the actual traffic keys. An attacker who can break Diffie-Hellman can see the identities, but will not see the actual traffic protected by PPK.
And libreswan added a method where you can migrate from "no PPK" to "PPK" by sending two AUTH payloads in the IKE_AUTH. The other end can then pick which they want to use. Perhaps with PAKEs, it too could send another AUTH payload in a notify so it does not have to be sent in IKE_SA_INIT, yet does not incur another round trip if both parties support the same PAKE.

Paul
