It is not just the implementation including support for PPK or not. It's the deployment considerations, the domain admin's ability and willingness to manage PPKs.

Regards,
Uri

Secure Resilient Systems and Technologies
MIT Lincoln Laboratory

> On Jul 31, 2025, at 08:26, Jun Hu (Nokia) <jun...@nokia.com> wrote:
>
> By "mandating use of PPK" I meant that in RFC 8784 PPK is already a negotiated
> option, but in order to prevent an attacker from removing the USE_PPK notification,
> both sides need to have a policy mandating that PPK must be used.
>
> Of course, we can't assume all implementations support PPK, but it is the same:
> we can't assume all implementations will support the new protocol changes this draft
> introduces, specifically since the changes in the draft are not trivial. At least
> RFC 8784 has been out for a while, and I know quite some IPsec implementations
> already support it.
>
> I think if the WG adopts this draft, there should be text in the draft
> mentioning all these mitigations besides protocol changes.
>
> From: Christopher Patton <cpat...@cloudflare.com>
> Sent: Thursday, July 31, 2025 6:08 AM
> To: Blumenthal, Uri - 0553 - MITLL <u...@ll.mit.edu>
> Cc: Jun Hu (Nokia) <jun...@nokia.com>; Michael Richardson <mcr+i...@sandelman.ca>; Valery Smyslov <smyslov.i...@gmail.com>; Scott Fluhrer <sfluh...@cisco.com>; ipsec <ipsec@ietf.org>
> Subject: Re: [EXT] [IPsec] Re: draft-smyslov-ipsecme-ikev2-downgrade-prevention
>
> Hi Uri and Jun,
>
> I agree - mandating use of PPK may not work. However, suggesting use of PPK,
> i.e., as a (negotiable?) option would be a very good thing: those who have
> the ability to employ it, and want better security, would opt in, while
> those who don't care or for various reasons cannot manage the distribution
> could opt out.
>
> This sounds like a good idea to me!
> https://github.com/smyslov/ikev2-downgrade-prevention/issues/5
>
> Chris P.
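As an added illustration (not from any message in this thread), a small Python model of the USE_PPK negotiation in IKE_SA_INIT from RFC 8784, run under each local policy combination with and without an on-path party that deletes the notification. The three-valued policy, the function names and the outcome labels are assumptions of the model, not terms from the RFC or the draft, and the model covers only the notification exchange, not the later IKE_AUTH steps.

```python
from enum import Enum

class PpkPolicy(Enum):
    """Local PPK configuration (model assumption; not RFC 8784 terminology)."""
    OFF = "off"              # no PPK support, or none configured for this peer
    OPTIONAL = "optional"    # use PPK if the peer agrees, else continue without
    MANDATORY = "mandatory"  # refuse to set up the IKE SA without PPK

def ike_sa_init(init_policy, resp_policy, attacker_strips=False):
    """Simplified USE_PPK negotiation in IKE_SA_INIT (RFC 8784, section 3).

    Returns 'ppk' (PPK will be used), 'no_ppk' (SA continues without PPK)
    or 'aborted' (one side refused). attacker_strips models an on-path
    party deleting the USE_PPK notification from request and response.
    """
    # Initiator: includes USE_PPK whenever it is configured to use PPK.
    request_has_use_ppk = init_policy is not PpkPolicy.OFF
    if attacker_strips:
        request_has_use_ppk = False  # notification removed in transit

    # Responder: echoes USE_PPK only if it was offered and PPK is supported;
    # with a mandatory policy, a request lacking USE_PPK is rejected.
    if not request_has_use_ppk:
        if resp_policy is PpkPolicy.MANDATORY:
            return "aborted"
        response_has_use_ppk = False
    else:
        response_has_use_ppk = resp_policy is not PpkPolicy.OFF
    if attacker_strips:
        response_has_use_ppk = False

    # Initiator: without USE_PPK in the response, only a mandatory policy
    # stops it from proceeding to IKE_AUTH with ordinary (non-PPK) keys.
    if response_has_use_ppk:
        return "ppk"
    return "aborted" if init_policy is PpkPolicy.MANDATORY else "no_ppk"

def silent_downgrade_combinations():
    """Policy pairs where stripping USE_PPK turns an SA that would have used
    PPK into one without it, with neither side refusing the exchange."""
    return sorted(
        (i.value, r.value)
        for i in PpkPolicy
        for r in PpkPolicy
        if ike_sa_init(i, r) == "ppk"
        and ike_sa_init(i, r, attacker_strips=True) == "no_ppk"
    )
```

Calling `silent_downgrade_combinations()` returns `[('optional', 'optional')]`: the downgrade goes unnoticed only when neither side's policy makes PPK mandatory.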
_______________________________________________
IPsec mailing list -- ipsec@ietf.org
To unsubscribe send an email to ipsec-le...@ietf.org