Mixing Preshared Keys in the IKE_INTERMEDIATE and in the CREATE_CHILD_SA Exchanges of IKEv2 for Post-quantum Security
draft-ietf-ipsecme-ikev2-qr-alt-10
Technical Summary
An Internet Key Exchange protocol version 2 (IKEv2) extension defined
in RFC8784 allows IPsec traffic to be protected against someone
storing VPN communications today and decrypting them later, when (and
if) cryptographically relevant quantum computers are available. The
protection is achieved by means of Post-quantum Preshared Key (PPK)
which is mixed into the session keys calculation. However, this
protection doesn't cover an initial IKEv2 SA, which might be
unacceptable in some scenarios. This specification defines an
alternative way to get protection against quantum computers, which is
similar to the solution defined in RFC8784, but protects the initial
IKEv2 SA too.
Besides, RFC8784 assumes that PPKs are static and thus they are only
used when an initial IKEv2 Security Association (SA) is created. If
a fresh PPK is available before the IKE SA expired, then the only way
to use it is to delete the current IKE SA and create a new one from
scratch, which is inefficient. This specification also defines a way
to use PPKs in active IKEv2 SA for creating additional IPsec SAs and
for rekey operations.
Working Group Summary
This draft reached broad agreement in the WG as a useful method to protect the initial
IKE SA and additional IPsec SAs against quantum computers by means of Post-
quantum Preshared Key (PPK). This document had wide interest by the WG
participants.
Document Quality
There are a few implementations reported to the WG, including libreswan which
has implemented the latest version of this document.
There are no special reviews required.
Personnel
The Document Shepherd for this document is Wei Pan. The Responsible Area
Director is Deb Cooley.