The following errata report has been held for document update for RFC8784, "Mixing Preshared Keys in the Internet Key Exchange Protocol Version 2 (IKEv2) for Post-quantum Security".
-------------------------------------- You may review the report below and at: https://www.rfc-editor.org/errata/eid8775 -------------------------------------- Status: Held for Document Update Type: Technical Reported by: Thom Wiggers <[email protected]> Date Reported: 2026-02-20 Held by: Deb Cooley (IESG) Section: 6 Original Text ------------- In addition, the policy SHOULD be set to negotiate only quantum- secure symmetric algorithms; while this RFC doesn't claim to give advice as to what algorithms are secure (as that may change based on future cryptographical results), below is a list of defined IKEv2 and IPsec algorithms that should not be used, as they are known to provide less than 128 bits of post-quantum security: * Any IKEv2 encryption algorithm, PRF, or integrity algorithm with a key size less than 256 bits. * Any ESP transform with a key size less than 256 bits. * PRF_AES128_XCBC and PRF_AES128_CBC: even though they can use as input a key of arbitrary size, such input keys are converted into a 128-bit key for internal use. Corrected Text -------------- In general, the discussion on Grover's algorithm in the security considerations needs to be revisited. Since the document was published, the cryptographic community has come to the wide agreement that Grover's algorithm has extremely large implementation cost which practically negates its theoretical advantage over classical computers. As such, using (good) 128-bit secure algorithms is just fine. Notes ----- This also transitively affects RFC 9867 which points to this RFC's security considerations. -------------------------------------- RFC8784 (draft-ietf-ipsecme-qr-ikev2-11) -------------------------------------- Title : Mixing Preshared Keys in the Internet Key Exchange Protocol Version 2 (IKEv2) for Post-quantum Security Publication Date : June 2020 Author(s) : S. Fluhrer, P. Kampanakis, D. McGrew, V. Smyslov Category : PROPOSED STANDARD Source : IP Security Maintenance and Extensions Stream : IETF Verifying Party : IESG _______________________________________________ IPsec mailing list -- [email protected] To unsubscribe send an email to [email protected]
