Mixing Preshared Keys in the IKE_INTERMEDIATE and in the CREATE_CHILD_SA Exchanges of IKEv2 for Post-quantum Security
draft-ietf-ipsecme-ikev2-qr-alt-10

Received changes through RFC Editor sync (changed state to RFC, created became rfc relationship between draft-ietf-ipsecme-ikev2-qr-alt and RFC 9867, changed IESG state to RFC Published)

[Ballot comment]
Thanks for working on this document. It's in good shape; I have a few minor issues and several nits that can be incorporated at the discretion of the author and the responsible AD.

In Section 3.1, given the MUST abort, I'm guessing the "should" is not a SHOULD. Consider "should treat this as" => "treats this as" (or "MUST treat this as a fatal error and abort...")

In Section 4, the terms "QR" and "CRQC" need to be introduced with an expansion on first use, or better yet, simply expanded and the abbreviation not used.

===NITS===

Section 1:

"it is the IPsec traffic the one that mostly needs to be protected." => "it is the IPsec traffic that most needs to be protected."

"This allows to leverage fresh" => Either "This allows implementations to leverage fresh" or "This allows the use of fresh"

"The initiator that" => "An initiator that"

CURRENT: If the responder is configured with one of the PPKs which IDs were sent by the initiator and this PPK matches the initiator's one (based on the information from the PPK Confirmation field),
CONSIDER: If the responder supports any of the PPKs which the initiator proposed, based on the PPK ID and PPK Confirmation fields,

"returns PPK identity" => "returns a PPK identity"

CURRENT: If the responder does not have any of the PPKs which IDs were sent by the initiator or it has some of proposed PPKs, but their values mismatch the initiator's ones (based on the information from the PPK Confirmation field), and using PPK is mandatory for the responder, then it MUST return AUTHENTICATION_FAILED notification and abort creating the IKE SA.
CONSIDER: If the responder cannot use any of the PPKs proposed by the initiator, based on the PPK ID and PPK Confirmation fields, it MAY return an AUTHENTICATION_FAILED notification and abort creating the IKE SA if configured to require PPK usage.

CURRENT: If the responder does not have any of the PPKs which IDs were sent by the initiator or it has some of proposed PPKs, but their values mismatch the initiator's ones (based on the information from the PPK Confirmation field), and using PPK is optional for the responder, then it does not include any PPK_IDENTITY notification to the response.
CONSIDER: If the responder cannot use any of the PPKs proposed by the initiator but it is not configured to require PPK usage, it does not include any PPK_IDENTITY notification to the response.

"abort creating IKE SA" => "abort creating the IKE SA"

"selects PPK" => "selects a PPK"

Section 3.1.1:

"applying PPK" => "applying the PPK"

"with PPK" => "with the PPK"

Section 3.2: "supports use PPKs" => "supports using PPKs"

Similar language suggestions from Section 3.1.

Section 3.2.1: "resulted" => "resulting"

Section 4:
- "Compared to use PPKs in IKE_AUTH this" => "Compared to using PPKs in IKE_AUTH, this" or "Compared to the use of PPKs in IKE_AUTH, this"
- "since PPK is used in authentication too, that gives this exchange a QR protection even against active attacker." => "since the PPK is used in authentication too, this exchange is protected even against an active attacker."

Throughout: "Note, that" => "Note that"

[Ballot comment]
Thank you to Meral Shirazipour for the GENART review.

** Section 5.
  This document defines two new Notify Message Types in the "IKEv2
  Notify Message Types - Status Types" registry:

Please correct the name of the registry to be “IKEv2 Notify Message Status Types” (https://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-16)

[Ballot comment]
Hi Valery,

Thank you for the effort put into this specification.

Also, thanks to Luis M. Contreras for the OPSDIR review (his first review for the opsdir team, BTW) and to Valery for engaging with Luis.

Please find some comments below:

# Guidance for those who will deploy

From the perspective of those who will deploy, I found appendix useful…but somehow late. Putting aside that appendix was not referenced in the document, having an applicability section early in the document with a guidance when to use this extension vs. RFC8784 would be my preferred approach.

# Guards against too frequent changes

For example, we do have

CURRENT:
  If a fresh PPK is available to both peers at the time when an IKE SA
  is active, peers MAY use this fresh PPK without creating a new IKE SA
  from scratch. 

Is there some kind of timer used as a guard to protect against too frequent changes?

# Preference policy

CURRENT:
  However, if the responder supports both specifications and is
  configured to use PPKs, it has to choose one to use, thus it MUST
  return either USE_PPK_INT or USE_PPK notification in the response,
  but not both.

Is there any provision for policy support here? Also, can we recommend a default value here?

# Exemplify shortcomings and situations

It would be helpful to exemplify the shortcomings mentioned in:

CURRENT:
  Instead, it is supposed to be
  used in situations where the approach defined there has a significant
  shortcomings.

Likewise, do we have examples of situations mentioned in the following excerpt?

CURRENT:
  However, if the partners support both use PPKs in
  IKE_AUTH and this specification, then the latter MAY also be used in
  situations where using PPKs in IKE_AUTH suffices.

BTW, what is meant by “partners” mentioned in that text? Do we mean initiator and responder?

# Terminology anchor

As I’m there, maybe consider adding the following (or similar) to Section 2:

NEW:
  This document uses the terms defined in [RFC7296].  In
  particular, readers should be familiar with the terms "initiator" and
  "responder" as used in that document.

Cheers,
Med

[Ballot comment]
# Andy Newton, ART AD, comments for draft-ietf-ipsecme-ikev2-qr-alt-08
CC @anewton1998

* line numbers:
  - https://author-tools.ietf.org/api/idnits?url=https://www.ietf.org/archive/id/draft-ietf-ipsecme-ikev2-qr-alt-08.txt&submitcheck=True

* comment syntax:
  - https://github.com/mnot/ietf-comments/blob/main/format.md

* "Handling Ballot Positions":
  - https://ietf.org/about/groups/iesg/statements/handling-ballot-positions/

## Comments

Thanks for writing this draft. The following are just comments to use as you see fit.

### Variable PKK_ID

Given the figure and the description of PKK_ID below, is there a mismatch
on the length. The description says "(variable)" but the figure seems to
indicate a rigid 8 octets.

204                            1                  2                  3
205        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
206        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
207        |                                                              |
208        ~                            PPK_ID                            ~
209        |                                                              |
210        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
211        |                                                              |
212        +                        PPK Confirmation                      +
213        |                                                              |
214        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

216                Figure 1: PPK_IDENTITY_KEY Notification Data Format

218        Where:

220        *  PPK_ID (variable) -- PPK_ID as defined in Section 5.1 of
221          [RFC8784].  The receiver can determine the length of PPK_ID by
222          subtracting 8 (the length of PPK Confirmation) from the
223          Notification Data length.

225        *  PPK Confirmation (8 octets) -- value, which allows the responder
226          to check whether it has the same PPK as the initiator for a given
227          PPK_ID.  This field contains the first 8 octets of a string
228          computed as prf( PPK, Ni | Nr | SPIi | SPIr ), where prf is the
229          negotiated PRF; PPK is the key value for a specified PPK_ID; Ni,
230          Nr, SPIi, SPIr -- nonces and IKE SPIs for the SA being
231          established.

## Nits

### Remove "the one"

I think "the one" can be removed from the end of line 91. I would also remove
the word "mostly", but that's just me.

90        calculation.  At the time this extension was being developed, it was
91        a consensus in the IPsecME WG that it is the IPsec traffic the one
92        that mostly needs to be protected.  It was believed that information

### Not Applicable Cells

My first reaction to looking at this table is that "*" was a reference to
a foot note or aside. Maybe putting "n/a" for "not applicable" is better
if your intention is to say neither "Yes" nor "No" but something is needed.

295        Table 1 summarizes the above logic for the responder:

297        +===========+=============+========+===========+====================+
298        |Received  | Supports    |Has one | PPK is    | Action            |
299        |USE_PPK_INT| USE_PPK_INT |of      | mandatory |                    |
300        |          |            |proposed| for      |                    |
301        |          |            |PPKs    | initial  |                    |
302        |          |            |        | IKE SA    |                    |
303        +===========+=============+========+===========+====================+
304        |No        | *          |*      | No        | [RFC8784] (if      |
305        |          |            |        |          | proposed) or      |
306        |          |            |        |          | standard IKEv2    |
307        |          |            |        |          | protocol          |
308        +-----------+-------------+--------+-----------+--------------------+
309        |No        | Yes        |*      | Yes      | Send              |
310        |          |            |        |          | NO_PROPOSAL_CHOSEN |
311        +-----------+-------------+--------+-----------+--------------------+
312        |Yes        | Yes        |Yes    | *        | Section 3.1,      |
313        |          |            |        |          | Paragraph 16, Item |
314        |          |            |        |          | 1 (use this        |
315        |          |            |        |          | extension)        |
316        +-----------+-------------+--------+-----------+--------------------+
317        |Yes        | Yes        |No      | Yes      | Section 3.1,      |
318        |          |            |        |          | Paragraph 16, Item |
319        |          |            |        |          | 2 (abort          |
320        |          |            |        |          | negotiation)      |
321        +-----------+-------------+--------+-----------+--------------------+
322        |Yes        | Yes        |No      | No        | Section 3.1,      |
323        |          |            |        |          | Paragraph 16, Item |
324        |          |            |        |          | 3 (standard IKEv2  |
325        |          |            |        |          | protocol)          |
326        +-----------+-------------+--------+-----------+--------------------+

### Comparison to IKE_AUTH

457        IKEv2 protocol are discussed in [RFC8784].  Compared to use PPKs in
458        IKE_AUTH this specification makes even initial IKE SA quantum secure.

Just a suggestion (if I understood correct):

  Unlike PPKs in IKE_AUTH, this specification makes initial IKE SA quantum secure.

[Ballot comment]
Thanks for producing this I-D for IKE. I really found it helpful to understand how this could work and to explain the new method.

I have two comments that I really think ought to be considered before progression (but which I do not need to DISCUSS:

(1) Please consider whether this ought to use RFC-2119 language, as /MAY/, it could be a protocol action (you or the responsbile AD will know best): "If this is inappropriate for the initiator, it may immediately delete this SA."

(2) Appendix A contains a RFC 2119 keyword: /MAY/. I do not think this is normal to use keywords on appendices (you or the responsbile AD will know best), please consider using a lower case /may/ or simply explain it is an /alternative/.

===

I stumbled several times for non-technical reasons when reading, and therefore I have a few comments that I hope will allow others to also easilly read this useful I-D, for which I have tried to suggest new wording:

Abstract:
"way to get protection" - the word "get" seems to read strange to me, could you consider using "provide" or soemthing similar?
"but protects the initial IKEv2 SA too", could be "but also protects the initial IKEv2 SA."

Introduction:
"At the time this extension was being developed, it was a consensus in the IPsecME WG that it is the IPsec traffic the one
that mostly needs to be protected.", could be: "At the time this extension was being developed, the consensus in the IPsecME WG was to specify protection for the IPsec traffic."
"However, in some situations it is desirable to have this protection for IKE SA", include /the/: "However, in some situations it is desirable to have this protection for the IKE SA".
"An example of such situation is Group", include /a/ and /the/: "An example of such a situation is the Group"
"In this protocol group policy and session keys are transferred from Group Controller/Key Server (GCKS) to Group Members (GM) immediately once an initial IKE SA is created. ", include /a/ and /the/: "In this protocol, group policy and session keys are immediately transferred from a Group Controller/Key Server (GCKS) to the Group Members (GM) once  an initial IKE SA is created."

Spec:
"then the responder MUST return NO_PROPOSAL_CHOSEN notification.", include /a/? "then the responder MUST return a NO_PROPOSAL_CHOSEN notification."
"If the negotiation was successful, the initiator includes one or more PPK_IDENTITY_KEY notification containing PPK identities the initiator believes are appropriate for the IKE SA being created, into the IKE_INTERMEDIATE request.", could be:
"If the negotiation was successful, the initiator includes one or more PPK_IDENTITY_KEY notifications into the IKE_INTERMEDIATE request, containing the PPK identities that the initiator believes are appropriate for the IKE SA being created."
Bullet 1&3:"If the responder is configured with one of the PPKs which IDs were sent by the initiator and this PPK matches the initiator's",
seems hard to parse, maybe /with an ID that was sent/ ... or something similar? (the same comment applies to bullet 3).
Bullet 2:"has some of proposed PPKs", include /the/: "has some of the proposed PPKs"

"In case the responder", could be: "In the case that a responder"

[Ballot comment]
# Internet AD comments for draft-ietf-ipsecme-ikev2-qr-alt-08
CC @ekline

* comment syntax:
  - https://github.com/mnot/ietf-comments/blob/main/format.md

* "Handling Ballot Positions":
  - https://ietf.org/about/groups/iesg/statements/handling-ballot-positions/

## Comments

### S1

* Thank you for the helpful summary and background.

## Nits

### S1

* "that it is the IPsec traffic the one that mostly needs to be protected"

  ->

  "that it was the IPsec traffic that most needed to be protected"

  perhaps

* "re-creating a new once"

  ->

  "re-creating a new one"

IESG/Authors/WG Chairs:

IANA has completed its review of draft-ietf-ipsecme-ikev2-qr-alt-07. If any part of this review is inaccurate, please let us know.

IANA understands that, upon approval of this document, there is a single action which we must complete.

In the IKEv2 Notify Message Status Types registry in the Internet Key Exchange Version 2 (IKEv2) Parameters registry group located at:

https://www.iana.org/assignments/ikev2-parameters/

two new registrations will be made from the Expert Review range of values as follows:

Value: [ TBD-at-Registration ]
Notify Message Status Type: USE_PPK_INT
Reference: [ RFC-to-be ]

Value: [ TBD-at-Registration ]
Notify Message Status Type: PPK_IDENTITY_KEY
Reference: [ RFC-to-be ]

As this document requests registrations in an Expert Review or Specification Required (see RFC 8126) registry, we have completed the required Expert Review via a separate request.

We understand that this is the only action required to be completed upon approval of this document.

NOTE: The action requested in this document will not be completed until the document has been approved for publication as an RFC. This message is meant only to confirm the action that will be performed.

For definitions of IANA review states, please see:

https://datatracker.ietf.org/help/state/draft/iana-review

Thank you,

David Dong
IANA Services Sr. Specialist

The following Last Call announcement was sent out (ends 2025-04-02):

From: The IESG
To: IETF-Announce
CC: debcooley1@gmail.com, draft-ietf-ipsecme-ikev2-qr-alt@ietf.org, ipsec@ietf.org, ipsecme-chairs@ietf.org, william.panwei@huawei.com
Reply-To: last-call@ietf.org
Sender:
Subject: Last Call:  (Mixing Preshared Keys in the IKE_INTERMEDIATE and in the CREATE_CHILD_SA Exchanges of IKEv2 for Post-quantum Security) to Proposed Standard


The IESG has received a request from the IP Security Maintenance and
Extensions WG (ipsecme) to consider the following document: - 'Mixing
Preshared Keys in the IKE_INTERMEDIATE and in the
  CREATE_CHILD_SA Exchanges of IKEv2 for Post-quantum Security'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the
last-call@ietf.org mailing lists by 2025-04-02. Exceptionally, comments may
be sent to iesg@ietf.org instead. In either case, please retain the beginning
of the Subject line to allow automated sorting.

Abstract


  An Internet Key Exchange protocol version 2 (IKEv2) extension defined
  in RFC8784 allows IPsec traffic to be protected against someone
  storing VPN communications today and decrypting them later, when (and
  if) cryptographically relevant quantum computers are available.  The
  protection is achieved by means of Post-quantum Preshared Key (PPK)
  which is mixed into the session keys calculation.  However, this
  protection doesn't cover an initial IKEv2 SA, which might be
  unacceptable in some scenarios.  This specification defines an
  alternative way to get protection against quantum computers, which is
  similar to the solution defined in RFC8784, but protects the initial
  IKEv2 SA too.

  RFC8784 assumes that PPKs are static and thus they are only used when
  an initial IKEv2 Security Association (SA) is created.  If a fresh
  PPK is available before the IKE SA expired, then the only way to use
  it is to delete the current IKE SA and create a new one from scratch,
  which is inefficient.  This specification defines a way to use PPKs
  in active IKEv2 SAs for creating additional IPsec SAs and rekey
  operations.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-qr-alt/



No IPR declarations have been submitted directly on this I-D.

# Document Shepherd Write-Up for Group Documents

*This version is dated 4 July 2022.*

Thank you for your service as a document shepherd. Among the responsibilities is
answering the questions in this write-up to give helpful context to Last Call
and Internet Engineering Steering Group ([IESG][1]) reviewers, and your
diligence in completing it is appreciated. The full role of the shepherd is
further described in [RFC 4858][2]. You will need the cooperation of the authors
and editors to complete these checks.

Note that some numbered items contain multiple related questions; please be sure
to answer all of them.

## Document History

1. Does the working group (WG) consensus represent the strong concurrence of a
  few individuals, with others being silent, or did it reach broad agreement?

It reached broad agreement in the WG as a useful method to protect the initial
IKE SA and additional IPsec SAs against quantum computers by means of Post-
quantum Preshared Key (PPK). This document was widely interested by the WG
participants.

2. Was there controversy about particular points, or were there decisions where
  the consensus was particularly rough?

No.

3. Has anyone threatened an appeal or otherwise indicated extreme discontent? If
  so, please summarize the areas of conflict in separate email messages to the
  responsible Area Director. (It should be in a separate email because this
  questionnaire is publicly available.)

No.

4. For protocol documents, are there existing implementations of the contents of
  the document? Have a significant number of potential implementers indicated
  plans to implement? Are any existing implementations reported somewhere,
  either in the document itself (as [RFC 7942][3] recommends) or elsewhere
  (where)?

There were a few implementations reported to the WG, including libreswan which
has implemented the latest version of this document.

## Additional Reviews

5. Do the contents of this document closely interact with technologies in other
  IETF working groups or external organizations, and would it therefore benefit
  from their review? Have those reviews occurred? If yes, describe which
  reviews took place.

No additional reviews are needed.

6. Describe how the document meets any required formal expert review criteria,
  such as the MIB Doctor, YANG Doctor, media type, and URI type reviews.

No formal expert reviews are needed.

7. If the document contains a YANG module, has the final version of the module
  been checked with any of the [recommended validation tools][4] for syntax and
  formatting validation? If there are any resulting errors or warnings, what is
  the justification for not fixing them at this time? Does the YANG module
  comply with the Network Management Datastore Architecture (NMDA) as specified
  in [RFC 8342][5]?

No YANG module is contained.

8. Describe reviews and automated checks performed to validate sections of the
  final version of the document written in a formal language, such as XML code,
  BNF rules, MIB definitions, CBOR's CDDL, etc.

No automated checks are needed as no formal language is used.

## Document Shepherd Checks

9. Based on the shepherd's review of the document, is it their opinion that this
  document is needed, clearly written, complete, correctly designed, and ready
  to be handed off to the responsible Area Director?

I have reviewed the document, and my comments have been incorporated.
I think the document is needed and ready to be handed off to the AD.

10. Several IETF Areas have assembled [lists of common issues that their
    reviewers encounter][6]. For which areas have such issues been identified
    and addressed? For which does this still need to happen in subsequent
    reviews?

No special reviews were performed, and no issues were identified.

11. What type of RFC publication is being requested on the IETF stream ([Best
    Current Practice][12], [Proposed Standard, Internet Standard][13],
    [Informational, Experimental or Historic][14])? Why is this the proper type
    of RFC? Do all Datatracker state attributes correctly reflect this intent?

Proposed Standard is the proper type.
This document defines a method to protect the initial IKE SA and additional
IPsec SAs against quantum computers by means of Post-quantum Preshared Key, it
extends the IKEv2 which is on the Internet Standard level.
Datatracker correctly reflects this.

12. Have reasonable efforts been made to remind all authors of the intellectual
    property rights (IPR) disclosure obligations described in [BCP 79][7]? To
    the best of your knowledge, have all required disclosures been filed? If
    not, explain why. If yes, summarize any relevant discussion, including links
    to publicly-available messages when applicable.

The IPR disclosure query has been done. No IPR is reported by the author or
the community.

13. Has each author, editor, and contributor shown their willingness to be
    listed as such? If the total number of authors and editors on the front page
    is greater than five, please provide a justification.

Yes.

14. Document any remaining I-D nits in this document. Simply running the [idnits
    tool][8] is not enough; please review the ["Content Guidelines" on
    authors.ietf.org][15]. (Also note that the current idnits tool generates
    some incorrect warnings; a rewrite is underway.)

No issues or nits found.

15. Should any informative references be normative or vice-versa? See the [IESG
    Statement on Normative and Informative References][16].

References have been correctly split between informative and normative.

16. List any normative references that are not freely available to anyone. Did
    the community have sufficient access to review any such normative
    references?

All normative references are freely available.

17. Are there any normative downward references (see [RFC 3967][9] and [BCP
    97][10]) that are not already listed in the [DOWNREF registry][17]? If so,
    list them.

None.

18. Are there normative references to documents that are not ready to be
    submitted to the IESG for publication or are otherwise in an unclear state?
    If so, what is the plan for their completion?

All normative references are RFCs already.

19. Will publication of this document change the status of any existing RFCs? If
    so, does the Datatracker metadata correctly reflect this and are those RFCs
    listed on the title page, in the abstract, and discussed in the
    introduction? If not, explain why and point to the part of the document
    where the relationship of this document to these other RFCs is discussed.

This document does not change the status of existing RFCs. This document is
related to RFC8784, and the relationship is detailed in Appendix A.

20. Describe the document shepherd's review of the IANA considerations section,
    especially with regard to its consistency with the body of the document.
    Confirm that all aspects of the document requiring IANA assignments are
    associated with the appropriate reservations in IANA registries. Confirm
    that any referenced IANA registries have been clearly identified. Confirm
    that each newly created IANA registry specifies its initial contents,
    allocations procedures, and a reasonable name (see [RFC 8126][11]).

This document request for two new Notify payloads for the "IKEv2 Notify Messages
Types - Status Types". This is correctly clarified in the document.

21. List any new IANA registries that require Designated Expert Review for
    future allocations. Are the instructions to the Designated Expert clear?
    Please include suggestions of designated experts, if appropriate.

No new registries added.

[1]: https://www.ietf.org/about/groups/iesg/
[2]: https://www.rfc-editor.org/rfc/rfc4858.html
[3]: https://www.rfc-editor.org/rfc/rfc7942.html
[4]: https://wiki.ietf.org/group/ops/yang-review-tools
[5]: https://www.rfc-editor.org/rfc/rfc8342.html
[6]: https://wiki.ietf.org/group/iesg/ExpertTopics
[7]: https://www.rfc-editor.org/info/bcp79
[8]: https://www.ietf.org/tools/idnits/
[9]: https://www.rfc-editor.org/rfc/rfc3967.html
[10]: https://www.rfc-editor.org/info/bcp97
[11]: https://www.rfc-editor.org/rfc/rfc8126.html
[12]: https://www.rfc-editor.org/rfc/rfc2026.html#section-5
[13]: https://www.rfc-editor.org/rfc/rfc2026.html#section-4.1
[14]: https://www.rfc-editor.org/rfc/rfc2026.html#section-4.2
[15]: https://authors.ietf.org/en/content-guidelines-overview
[16]: https://www.ietf.org/about/groups/iesg/statements/normative-informative-references/
[17]: https://datatracker.ietf.org/doc/downref/

# Document Shepherd Write-Up for Group Documents

*This version is dated 4 July 2022.*

Thank you for your service as a document shepherd. Among the responsibilities is
answering the questions in this write-up to give helpful context to Last Call
and Internet Engineering Steering Group ([IESG][1]) reviewers, and your
diligence in completing it is appreciated. The full role of the shepherd is
further described in [RFC 4858][2]. You will need the cooperation of the authors
and editors to complete these checks.

Note that some numbered items contain multiple related questions; please be sure
to answer all of them.

## Document History

1. Does the working group (WG) consensus represent the strong concurrence of a
  few individuals, with others being silent, or did it reach broad agreement?

It reached broad agreement in the WG as a useful method to protect the initial
IKE SA and additional IPsec SAs against quantum computers by means of Post-
quantum Preshared Key (PPK). This document was widely interested by the WG
participants.

2. Was there controversy about particular points, or were there decisions where
  the consensus was particularly rough?

No.

3. Has anyone threatened an appeal or otherwise indicated extreme discontent? If
  so, please summarize the areas of conflict in separate email messages to the
  responsible Area Director. (It should be in a separate email because this
  questionnaire is publicly available.)

No.

4. For protocol documents, are there existing implementations of the contents of
  the document? Have a significant number of potential implementers indicated
  plans to implement? Are any existing implementations reported somewhere,
  either in the document itself (as [RFC 7942][3] recommends) or elsewhere
  (where)?

There were a few implementations reported to the WG, including libreswan which
has implemented the latest version of this document.

## Additional Reviews

5. Do the contents of this document closely interact with technologies in other
  IETF working groups or external organizations, and would it therefore benefit
  from their review? Have those reviews occurred? If yes, describe which
  reviews took place.

No additional reviews are needed.

6. Describe how the document meets any required formal expert review criteria,
  such as the MIB Doctor, YANG Doctor, media type, and URI type reviews.

No formal expert reviews are needed.

7. If the document contains a YANG module, has the final version of the module
  been checked with any of the [recommended validation tools][4] for syntax and
  formatting validation? If there are any resulting errors or warnings, what is
  the justification for not fixing them at this time? Does the YANG module
  comply with the Network Management Datastore Architecture (NMDA) as specified
  in [RFC 8342][5]?

No YANG module is contained.

8. Describe reviews and automated checks performed to validate sections of the
  final version of the document written in a formal language, such as XML code,
  BNF rules, MIB definitions, CBOR's CDDL, etc.

No automated checks are needed as no formal language is used.

## Document Shepherd Checks

9. Based on the shepherd's review of the document, is it their opinion that this
  document is needed, clearly written, complete, correctly designed, and ready
  to be handed off to the responsible Area Director?

I have reviewed the document, and my comments have been incorporated.
I think the document is needed and ready to be handed off to the AD.

10. Several IETF Areas have assembled [lists of common issues that their
    reviewers encounter][6]. For which areas have such issues been identified
    and addressed? For which does this still need to happen in subsequent
    reviews?

No special reviews were performed, and no issues were identified.

11. What type of RFC publication is being requested on the IETF stream ([Best
    Current Practice][12], [Proposed Standard, Internet Standard][13],
    [Informational, Experimental or Historic][14])? Why is this the proper type
    of RFC? Do all Datatracker state attributes correctly reflect this intent?

Proposed Standard is the proper type.
This document defines a method to protect the initial IKE SA and additional
IPsec SAs against quantum computers by means of Post-quantum Preshared Key, it
extends the IKEv2 which is on the Internet Standard level.
Datatracker correctly reflects this.

12. Have reasonable efforts been made to remind all authors of the intellectual
    property rights (IPR) disclosure obligations described in [BCP 79][7]? To
    the best of your knowledge, have all required disclosures been filed? If
    not, explain why. If yes, summarize any relevant discussion, including links
    to publicly-available messages when applicable.

The IPR disclosure query has been done. No IPR is reported by the author or
the community.

13. Has each author, editor, and contributor shown their willingness to be
    listed as such? If the total number of authors and editors on the front page
    is greater than five, please provide a justification.

Yes.

14. Document any remaining I-D nits in this document. Simply running the [idnits
    tool][8] is not enough; please review the ["Content Guidelines" on
    authors.ietf.org][15]. (Also note that the current idnits tool generates
    some incorrect warnings; a rewrite is underway.)

No issues or nits found.

15. Should any informative references be normative or vice-versa? See the [IESG
    Statement on Normative and Informative References][16].

References have been correctly split between informative and normative.

16. List any normative references that are not freely available to anyone. Did
    the community have sufficient access to review any such normative
    references?

All normative references are freely available.

17. Are there any normative downward references (see [RFC 3967][9] and [BCP
    97][10]) that are not already listed in the [DOWNREF registry][17]? If so,
    list them.

None.

18. Are there normative references to documents that are not ready to be
    submitted to the IESG for publication or are otherwise in an unclear state?
    If so, what is the plan for their completion?

All normative references are RFCs already.

19. Will publication of this document change the status of any existing RFCs? If
    so, does the Datatracker metadata correctly reflect this and are those RFCs
    listed on the title page, in the abstract, and discussed in the
    introduction? If not, explain why and point to the part of the document
    where the relationship of this document to these other RFCs is discussed.

This document does not change the status of existing RFCs. This document is
related to RFC8784, and the relationship is detailed in Appendix A.

20. Describe the document shepherd's review of the IANA considerations section,
    especially with regard to its consistency with the body of the document.
    Confirm that all aspects of the document requiring IANA assignments are
    associated with the appropriate reservations in IANA registries. Confirm
    that any referenced IANA registries have been clearly identified. Confirm
    that each newly created IANA registry specifies its initial contents,
    allocations procedures, and a reasonable name (see [RFC 8126][11]).

This document request for two new Notify payloads for the "IKEv2 Notify Messages
Types - Status Types". This is correctly clarified in the document.

21. List any new IANA registries that require Designated Expert Review for
    future allocations. Are the instructions to the Designated Expert clear?
    Please include suggestions of designated experts, if appropriate.

No new registries added.

[1]: https://www.ietf.org/about/groups/iesg/
[2]: https://www.rfc-editor.org/rfc/rfc4858.html
[3]: https://www.rfc-editor.org/rfc/rfc7942.html
[4]: https://wiki.ietf.org/group/ops/yang-review-tools
[5]: https://www.rfc-editor.org/rfc/rfc8342.html
[6]: https://wiki.ietf.org/group/iesg/ExpertTopics
[7]: https://www.rfc-editor.org/info/bcp79
[8]: https://www.ietf.org/tools/idnits/
[9]: https://www.rfc-editor.org/rfc/rfc3967.html
[10]: https://www.rfc-editor.org/info/bcp97
[11]: https://www.rfc-editor.org/rfc/rfc8126.html
[12]: https://www.rfc-editor.org/rfc/rfc2026.html#section-5
[13]: https://www.rfc-editor.org/rfc/rfc2026.html#section-4.1
[14]: https://www.rfc-editor.org/rfc/rfc2026.html#section-4.2
[15]: https://authors.ietf.org/en/content-guidelines-overview
[16]: https://www.ietf.org/about/groups/iesg/statements/normative-informative-references/
[17]: https://datatracker.ietf.org/doc/downref/

# Document Shepherd Write-Up for Group Documents

*This version is dated 4 July 2022.*

Thank you for your service as a document shepherd. Among the responsibilities is
answering the questions in this write-up to give helpful context to Last Call
and Internet Engineering Steering Group ([IESG][1]) reviewers, and your
diligence in completing it is appreciated. The full role of the shepherd is
further described in [RFC 4858][2]. You will need the cooperation of the authors
and editors to complete these checks.

Note that some numbered items contain multiple related questions; please be sure
to answer all of them.

## Document History

1. Does the working group (WG) consensus represent the strong concurrence of a
  few individuals, with others being silent, or did it reach broad agreement?

It reached broad agreement in the WG as a useful method to protect the initial
IKE SA and additional IPsec SAs against quantum computers by means of Post-
quantum Preshared Key (PPK). This document was widely interested by the WG
participants.

2. Was there controversy about particular points, or were there decisions where
  the consensus was particularly rough?

No.

3. Has anyone threatened an appeal or otherwise indicated extreme discontent? If
  so, please summarize the areas of conflict in separate email messages to the
  responsible Area Director. (It should be in a separate email because this
  questionnaire is publicly available.)

No.

4. For protocol documents, are there existing implementations of the contents of
  the document? Have a significant number of potential implementers indicated
  plans to implement? Are any existing implementations reported somewhere,
  either in the document itself (as [RFC 7942][3] recommends) or elsewhere
  (where)?

There were a few implementations reported to the WG, including libreswan which
has implemented the latest version of this document.

## Additional Reviews

5. Do the contents of this document closely interact with technologies in other
  IETF working groups or external organizations, and would it therefore benefit
  from their review? Have those reviews occurred? If yes, describe which
  reviews took place.

No additional reviews are needed.

6. Describe how the document meets any required formal expert review criteria,
  such as the MIB Doctor, YANG Doctor, media type, and URI type reviews.

No formal expert reviews are needed.

7. If the document contains a YANG module, has the final version of the module
  been checked with any of the [recommended validation tools][4] for syntax and
  formatting validation? If there are any resulting errors or warnings, what is
  the justification for not fixing them at this time? Does the YANG module
  comply with the Network Management Datastore Architecture (NMDA) as specified
  in [RFC 8342][5]?

No YANG module is contained.

8. Describe reviews and automated checks performed to validate sections of the
  final version of the document written in a formal language, such as XML code,
  BNF rules, MIB definitions, CBOR's CDDL, etc.

No automated checks are needed as no formal language is used.

## Document Shepherd Checks

9. Based on the shepherd's review of the document, is it their opinion that this
  document is needed, clearly written, complete, correctly designed, and ready
  to be handed off to the responsible Area Director?

I have reviewed the document, and my comments have been incorporated.
I think the document is needed and ready to be handed off to the AD.

10. Several IETF Areas have assembled [lists of common issues that their
    reviewers encounter][6]. For which areas have such issues been identified
    and addressed? For which does this still need to happen in subsequent
    reviews?

No special reviews were performed, and no issues were identified.

11. What type of RFC publication is being requested on the IETF stream ([Best
    Current Practice][12], [Proposed Standard, Internet Standard][13],
    [Informational, Experimental or Historic][14])? Why is this the proper type
    of RFC? Do all Datatracker state attributes correctly reflect this intent?

Proposed Standard is the proper type.
This document defines a method to protect the initial IKE SA and additional
IPsec SAs against quantum computers by means of Post-quantum Preshared Key, it
extends the IKEv2 which is on the Internet Standard level.
Datatracker correctly reflects this.

12. Have reasonable efforts been made to remind all authors of the intellectual
    property rights (IPR) disclosure obligations described in [BCP 79][7]? To
    the best of your knowledge, have all required disclosures been filed? If
    not, explain why. If yes, summarize any relevant discussion, including links
    to publicly-available messages when applicable.

The IPR disclosure query hasn't been done yet.

13. Has each author, editor, and contributor shown their willingness to be
    listed as such? If the total number of authors and editors on the front page
    is greater than five, please provide a justification.

Yes.

14. Document any remaining I-D nits in this document. Simply running the [idnits
    tool][8] is not enough; please review the ["Content Guidelines" on
    authors.ietf.org][15]. (Also note that the current idnits tool generates
    some incorrect warnings; a rewrite is underway.)

Following are the warnings and comments, which I think they can be corrected by
the RFC Editor later.
  == The 'Updates: ' line in the draft header should list only the _numbers_
    of the RFCs which will be updated by this document (if approved); it
    should not include the word 'RFC' in the list.

  -- The abstract seems to indicate that this document updates RFC8784, but
    the header doesn't have an 'Updates:' line to match this.

  == The copyright year in the IETF Trust and authors Copyright Line does not
    match the current year

  -- The document date (21 November 2024) is 60 days in the past.  Is this
    intentional?

  == Outdated reference: A later version (-20) exists of
    draft-ietf-ipsecme-g-ikev2-17

15. Should any informative references be normative or vice-versa? See the [IESG
    Statement on Normative and Informative References][16].

References have been correctly split between informative and normative.

16. List any normative references that are not freely available to anyone. Did
    the community have sufficient access to review any such normative
    references?

All normative references are freely available.

17. Are there any normative downward references (see [RFC 3967][9] and [BCP
    97][10]) that are not already listed in the [DOWNREF registry][17]? If so,
    list them.

None.

18. Are there normative references to documents that are not ready to be
    submitted to the IESG for publication or are otherwise in an unclear state?
    If so, what is the plan for their completion?

All normative references are RFCs already.

19. Will publication of this document change the status of any existing RFCs? If
    so, does the Datatracker metadata correctly reflect this and are those RFCs
    listed on the title page, in the abstract, and discussed in the
    introduction? If not, explain why and point to the part of the document
    where the relationship of this document to these other RFCs is discussed.

This document will update RFC8784. This information is listed on the title
page and in the abstract. The introduction does not explicitly say this document
updates RFC8784. The relationship with RFC8784 is detailed in Appendix A.

20. Describe the document shepherd's review of the IANA considerations section,
    especially with regard to its consistency with the body of the document.
    Confirm that all aspects of the document requiring IANA assignments are
    associated with the appropriate reservations in IANA registries. Confirm
    that any referenced IANA registries have been clearly identified. Confirm
    that each newly created IANA registry specifies its initial contents,
    allocations procedures, and a reasonable name (see [RFC 8126][11]).

This document request for two new Notify payloads for the "IKEv2 Notify Messages
Types - Status Types". This is correctly clarified in the document.

21. List any new IANA registries that require Designated Expert Review for
    future allocations. Are the instructions to the Designated Expert clear?
    Please include suggestions of designated experts, if appropriate.

No new registries added.

[1]: https://www.ietf.org/about/groups/iesg/
[2]: https://www.rfc-editor.org/rfc/rfc4858.html
[3]: https://www.rfc-editor.org/rfc/rfc7942.html
[4]: https://wiki.ietf.org/group/ops/yang-review-tools
[5]: https://www.rfc-editor.org/rfc/rfc8342.html
[6]: https://wiki.ietf.org/group/iesg/ExpertTopics
[7]: https://www.rfc-editor.org/info/bcp79
[8]: https://www.ietf.org/tools/idnits/
[9]: https://www.rfc-editor.org/rfc/rfc3967.html
[10]: https://www.rfc-editor.org/info/bcp97
[11]: https://www.rfc-editor.org/rfc/rfc8126.html
[12]: https://www.rfc-editor.org/rfc/rfc2026.html#section-5
[13]: https://www.rfc-editor.org/rfc/rfc2026.html#section-4.1
[14]: https://www.rfc-editor.org/rfc/rfc2026.html#section-4.2
[15]: https://authors.ietf.org/en/content-guidelines-overview
[16]: https://www.ietf.org/about/groups/iesg/statements/normative-informative-references/
[17]: https://datatracker.ietf.org/doc/downref/