The IESG has approved the following document: - 'Mixing Preshared Keys in the IKE_INTERMEDIATE and in the CREATE_CHILD_SA Exchanges of IKEv2 for Post-quantum Security' (draft-ietf-ipsecme-ikev2-qr-alt-10.txt) as Proposed Standard
This document is the product of the IP Security Maintenance and Extensions Working Group. The IESG contact persons are Paul Wouters and Deb Cooley. A URL of this Internet-Draft is: https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-qr-alt/ Technical Summary An Internet Key Exchange protocol version 2 (IKEv2) extension defined in RFC8784 allows IPsec traffic to be protected against someone storing VPN communications today and decrypting them later, when (and if) cryptographically relevant quantum computers are available. The protection is achieved by means of Post-quantum Preshared Key (PPK) which is mixed into the session keys calculation. However, this protection doesn't cover an initial IKEv2 SA, which might be unacceptable in some scenarios. This specification defines an alternative way to get protection against quantum computers, which is similar to the solution defined in RFC8784, but protects the initial IKEv2 SA too. Besides, RFC8784 assumes that PPKs are static and thus they are only used when an initial IKEv2 Security Association (SA) is created. If a fresh PPK is available before the IKE SA expired, then the only way to use it is to delete the current IKE SA and create a new one from scratch, which is inefficient. This specification also defines a way to use PPKs in active IKEv2 SA for creating additional IPsec SAs and for rekey operations. Working Group Summary This draft reached broad agreement in the WG as a useful method to protect the initial IKE SA and additional IPsec SAs against quantum computers by means of Post- quantum Preshared Key (PPK). This document had wide interest by the WG participants. Document Quality There are a few implementations reported to the WG, including libreswan which has implemented the latest version of this document. There are no special reviews required. Personnel The Document Shepherd for this document is Wei Pan. The Responsible Area Director is Deb Cooley. _______________________________________________ IPsec mailing list -- [email protected] To unsubscribe send an email to [email protected]
