Technical Summary
This document describes how to extend the Internet Key Exchange
Protocol Version 2 (IKEv2) to allow multiple key exchanges to take
place while computing a shared secret during a Security Association
(SA) setup. The primary application of this feature in IKEv2 is the
ability to perform one or more post-quantum key exchanges in
conjunction with the classical (Elliptic Curve) Diffie-Hellman key
exchange, so that the resulting shared key is resistant against
quantum computer attacks. Another possible application is the
ability to combine several key exchanges in situations when no single
key exchange algorithm is trusted by both initiator and responder.
This document updates RFC7296 by renaming a transform type 4 from
"Diffie-Hellman Group (D-H)" to "Key Exchange Method (KE)" and
renaming a field in the Key Exchange Payload from "Diffie-Hellman
Group Num" to "Key Exchange Method". It also renames an IANA
registry for this transform type from "Transform Type 4 - Diffie-
Hellman Group Transform IDs" to "Transform Type 4 - Key Exchange
Method Transform IDs". These changes generalize key exchange
algorithms that can be used in IKEv2.
Working Group Summary
The document has WG consensus.
The number of authors reflects the expertise needed to draft this document -- both IPsec and PQC cryptography.
Document Quality
As this document was changing the a cryptographic mechanism in IPsec, it was was subject to a peer-reviewed, formal verification:
* DOI: https://dl.acm.org/doi/10.1145/3485832.3485885
* Pre-print: https://www.mnm-team.org/pub/Publikationen/gggh21b/PDF-Version/gggh21b.pdf
Several implementors have been integral in developing this document. There is already at least two interoperable implementations of this specification:
* strongSwan, https://github.com/strongswan/strongswan/tree/ikev2-qske-multi-ke
* ELVIS-PLUS, http://ipsec.elvis.ru/en.html
Personnel
Document Shepherd: Tero Kivinen
Responsible AD: Roman Danyliw