Consideration of Robust Multi-KEM Negotiation within IKEv2
draft-li-ipsecme-extensions-for-robust-negotiation-00
This document is an Internet-Draft (I-D).
Anyone may submit an I-D to the IETF.
This I-D is not endorsed by the IETF and has no formal standing in the
IETF standards process.
| Document | Type | Active Internet-Draft (individual) | |
|---|---|---|---|
| Author | LUN LI | ||
| Last updated | 2026-06-05 | ||
| RFC stream | (None) | ||
| Intended RFC status | (None) | ||
| Formats | |||
| Stream | Stream state | (No stream defined) | |
| Consensus boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | I-D Exists | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-li-ipsecme-extensions-for-robust-negotiation-00
Network Working Group L. Li
Internet-Draft Huawei
Intended status: Informational 3 June 2026
Expires: 5 December 2026
Consideration of Robust Multi-KEM Negotiation within IKEv2
draft-li-ipsecme-extensions-for-robust-negotiation-00
Abstract
RFC 9370 specifies a framework for multiple additional key exchanges
(ADDKE) in the Internet Key Exchange Protocol Version 2 (IKEv2) to
support post-quantum cryptography migration. Under this framework,
an initiator can propose multiple ADDKE transform types. In
deployment scenarios, initiators may send proposals that contain
redundant or overlapping lists of Key Encapsulation Mechanism (KEM)
algorithms across different ADDKE transform types. This contribution
discusses the implications of these proposals and specifies extended
procedures for handling proposed transforms, which may improve
negotiation robustness and interoperability by allowing the responder
to select a valid set of algorithms without altering the security
properties defined in RFC 9370.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 5 December 2026.
Copyright Notice
Copyright (c) 2026 IETF Trust and the persons identified as the
document authors. All rights reserved.
Li Expires 5 December 2026 [Page 1]
Internet-Draft extensions for robust negotiation June 2026
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3
3. The Architectural Paradigm of Multiple KE Transforms . . . . 3
4. Protocol Extension for Complex Transform Proposals . . . . . 4
5. Extended Responder Selection Logic (The Core Mechanism) . . . 5
5.1. Extended Selection Policies . . . . . . . . . . . . . . . 5
5.2. Responder Processing Workflow . . . . . . . . . . . . . . 6
6. Annex: Multi-KEM ADDKE proposals and Boundary Conditions . . 7
6.1. Profile 1: Complete Overlap with Limited Responder
Support . . . . . . . . . . . . . . . . . . . . . . . . . 7
6.2. Profile 2: Subset Overlap Requiring Implicit NONE . . . . 8
6.3. Profile 3: Explicit NONE and Fallback Interaction . . . . 8
6.4. Profile 4: Consideration Priority and Tie-Breaking . . . 9
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
8. Security Considerations . . . . . . . . . . . . . . . . . . . 9
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 10
9.1. Normative References . . . . . . . . . . . . . . . . . . 10
9.2. Informative References . . . . . . . . . . . . . . . . . 11
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 11
1. Introduction
The migration of the Internet Key Exchange Protocol Version 2 (IKEv2)
to Post-Quantum Cryptography (PQC) uses hybrid key exchange
mechanisms to mitigate risks from new quantum-resistant algorithms.
[RFC9370] establishes a framework for multiple additional key
exchanges (ADDKE) during the IKE_SA_INIT exchange. This allows
combining classic algorithms (e.g., Elliptic Curve Diffie-Hellman)
with one or more post-quantum Key Encapsulation Mechanisms (KEMs) to
derive SKEYSEED.
The multi-KEM architecture allows an initiator to group KEM proposals
across distinct ADDKE transform types based on their properties, such
as placing a shorter KEMs in one transform type and longer length
KEMs in another. However, in practice, cryptographic policies are
often configured via automated templates or simplified management
interfaces. Consequently, initiators may send proposals that are
Li Expires 5 December 2026 [Page 2]
Internet-Draft extensions for robust negotiation June 2026
valid under the syntax of [RFC9370] but contain redundancies, such as
populating multiple ADDKE transform types with identical lists of KEM
algorithms. If a responder implements strict validation checks based
on current specification, this redundancy can cause it to reject the
proposal and for the negotiation to fail.
This document provides guidance for handling the overlapping multi-
KEM proposals based on best practices. It does not change the
security properties defined in RFC, nor does it allow the responder
to skip PQC algorithms. Instead, it defines a selection logic for
the responder to improve interoperability and robustness during the
PQC transition.
2. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
3. The Architectural Paradigm of Multiple KE Transforms
[RFC7296] defines the negotiation of the IKE Security Association
(SA) within the SA payload during the IKE_SA_INIT exchange. The
initiator presents one or more proposals. Each proposal consists of
multiple transform types, including Encryption (ENCR), Pseudo-Random
Function (PRF), Integrity Protection (INTEG), and Diffie-Hellman (DH)
group (Transform Type 4).
[RFC9370] extends this negotiation mechanism by introducing seven
additional transform types for alternative key exchanges, designated
as ADDKE1 (Type 6) through ADDKE7 (Type 12). This arrangement allows
the initiator to propose a combination of a classical key exchange
along with multiple post-quantum key encapsulation mechanisms (KEMs).
Figure 1 illustrates the payload hierarchy within the IKE_SA_INIT
message when multiple key exchanges are proposed.
Li Expires 5 December 2026 [Page 3]
Internet-Draft extensions for robust negotiation June 2026
+-------------------------------------------------------+
| IKE_SA_INIT Message |
+-------------------------------------------------------+
|
[ SA Payload ]
|
[ Proposal #1 ]
|
+-----------------------+-----------------------+
... | | | ...
[Transform] [Transform] [Transform]
Type 4 (DH) Type 6 (ADDKE1) Type 7 (ADDKE2) ...
| | |
(e.g., Curve25519) (e.g., ML-KEM-768) (e.g., frodoKEM)
Figure 1: SA Payload Structure with Multiple Key Exchanges
In the current RFC 9370 specification, the initiator populates each
ADDKE transform type with a list of supported algorithms. The
responder evaluates the proposal and selects exactly one transform
for each proposed ADDKE type. The core restriction in RFC 9370 is as
follows:
1. the responder's choice MUST NOT contain duplicated algorithms
(those with an identical Transform ID and attributes), except for
the Transform ID of NONE as duplicate algorithms do not provide
additional security and waste message space.
2. Only the ADDKE with indication NONE can be optional, otherwise,
one algorithm must be selected in the cooresponding ADDKE.
4. Protocol Extension for Complex Transform Proposals
To illustrate the limitations of rigid transform processing, consider
the following two failure scenarios:
1. Scenario 1: The initiator sends a proposal where ADDKE1, ADDKE2,
and ADDKE3 each contain the identical list of algorithms:
PQ_KEM_1 and PQ_KEM_2. The responder supports both PQ_KEM_1 and
PQ_KEM_2. If the responder selects PQ_KEM_1 for ADDKE1 and
PQ_KEM_2 for ADDKE2, no unique, non-overlapping algorithm remains
available for selection in ADDKE3. Consequently, the responder
cannot satisfy the remaining transform type, and the negotiation
fails.
2. Scenario 2: The initiator sends a proposal where ADDKE1 contains
PQ_KEM_1 and PQ_KEM_2, while ADDKE2 contains only PQ_KEM_2. The
responder only supports PQ_KEM_1. The responder can match
Li Expires 5 December 2026 [Page 4]
Internet-Draft extensions for robust negotiation June 2026
PQ_KEM_1 in ADDKE1, but it cannot satisfy ADDKE2 because it does
not support PQ_KEM_2. Since selecting a transform for each
proposed ADDKE type is mandatory to accept the proposal, the
negotiation fails, even though both peers share mutual support
for PQ_KEM_1.
Negotiation is an issue that developers may often encounter, and in
subsequent sections, we consider extensions to improve robustness.
We believe that the success rate of negotiation can potentially be
increased to avoid abnormal occurrences.
The scenarios above demonstrate that while the initiator's proposals
are valid under RFC 9370, a sequential or rigid evaluation logic
leads to negotiation failures. In Scenario 1, a mathematically valid
combination of distinct algorithms exists, but a naive parsing logic
lacks the ability to evaluate the proposal holistically. In Scenario
2, the failure is driven by a rigid assignment whereby the responder
is unable to optimize its selection across the multiple transform
types.
We provide simple extended procedures that allow the responder to
evaluate overlapping or redundant proposals deterministically. This
extension increases the handshake success rate in complex deployment
environments with minimum impacting on the security constraints.
5. Extended Responder Selection Logic (The Core Mechanism)
This section defines the extended selection procedures for a
responder processing an IKE_SA_INIT message that contains multiple
key exchange transforms. The responder MUST first attempt to process
the proposal strictly according to the rules defined in RFC 9370.
The extended policies described below are triggered only when the
responder cannot satisfy the initiator's proposal using the standard
non-overlapping selection logic.
5.1. Extended Selection Policies
To resolve negotiation failures caused by complex or redundant
proposals, the responder MAY be permitted to apply one or both of the
following extended selection policies (i.e., consideration 1 and 2):
Consideration 1 (Duplicate Algorithm Selection): The responder can be
permitted to select the same algorithm for different key exchange
fields (ADDKE transform types). This consideration 1 relaxes the
strict prohibition against duplicate selections during the
responder's parsing phase, allowing a successful match when the
initiator sends identical lists across multiple transform types.
Li Expires 5 December 2026 [Page 5]
Internet-Draft extensions for robust negotiation June 2026
Consideration 2 (Implicit NONE Selection): The responder can be
permitted to select the "NONE" algorithm (Transform ID 0, i.e., Null
algorithm) for a specific key exchange field, even if the "NONE"
algorithm was not explicitly included in that transform type by the
initiator. Consideration 2 effectively treats a specific ADDKE
transform type as optional rather than mandatory when no mutually
supported algorithm is available in that specific field.
NOTE: Consideration 2 may have security impacts. It is recommended
that Consideration 2 be enabled only when Consideration 1 fails to be
negotiated. More security analysis is proposed in Section 8.
Above considerations may be implemented, for example, when the
responder checks one by one whether ADDKE meets the conditions from
ADDKE 1 to 7. When a certain ADDKE (e.g., 2) cannot be met,
compatibility policies can be activated. Consideration 1 can be
applicable, when the initial algorithm selection for a first key
exchange field yields no result; Consideration 2 can be applicable,
for example, when the initial algorithm selection for a second key
exchange field yields no result, and no mutually supported algorithm
is available in that specific field.
5.2. Responder Processing Workflow
Upon receiving an initial algorithm negotiation message (IKE_SA_INIT)
comprising ADDKE fields with algorithms, the responder and initiator
execute the following procedure:
1. Initial Evaluation: The responder evaluates the algorithms
carried in each proposed key exchange field and attempts to
select exactly one algorithm per field without duplicates, in
strict compliance with RFC 9370.
2. Compatibility Strategy Execution: If the initial evaluation fails
to produce a valid combination or results in NONE algorithm
(i.e., yields no result), the responder MAY apply the extended
compatibility policies. for example, the responder can activate
the compatibility mode and utilizes extend selection policy of
Consideration 1 and Consideration 2 in order, or a combination of
both for each proposed ADDKE field.
Li Expires 5 December 2026 [Page 6]
Internet-Draft extensions for robust negotiation June 2026
3. Response Transmission: Upon successfully concluding the selection
using the extended policies, the responder sends the chosen
algorithms back to the initiator in the IKE_SA_INIT response
message, which includes one or more of the key exchange fields,
each carrying the selected algorithm. However, the responder
should include the compatibility indication in the message or use
an out-of-band method to indicate to the initiator that an
extended compatibility consideration has been adopted.
4. Key Generation: The initiator receives the response, accepts the
responder's selected algorithms (including duplicates or NONE, as
permitted by the extended policies by informed indication from
responder), and utilizes the associated key materials to generate
the SKEYSEED used for establishing the secure connection. The
peers then proceed other procedure such as the IKE_AUTH to
complete the IPsec connection establishment. at least two
algorithms/keys materials should be included if it is applicable
for the PQC hybrid key exchange establishing the secure
connection.
6. Annex: Multi-KEM ADDKE proposals and Boundary Conditions
This annex provides profiles for resolving complex boundary
conditions during multi-KEM negotiation. It serves as a
deterministic reference for implementers to ensure interoperability
when applying the extended responder selection logic defined in
Section 5.
6.1. Profile 1: Complete Overlap with Limited Responder Support
Boundary Condition: The initiator proposes identical lists of
algorithms across multiple ADDKE types, but the responder supports
only a single algorithm from the proposed lists.
Example Proposal:
* ADDKE1: PQ_KEM_A, PQ_KEM_B
* ADDKE2: PQ_KEM_A, PQ_KEM_B
Responder Capability: Supports only PQ_KEM_A.
Li Expires 5 December 2026 [Page 7]
Internet-Draft extensions for robust negotiation June 2026
Deterministic Outcome: Under standard RFC 9370 rules, this
negotiation fails. Utilizing the compatibility strategy, the
responder triggers Consideration 1 (Duplicate Algorithm Selection).
The responder selects PQ_KEM_A for ADDKE1 and PQ_KEM_A for ADDKE2.
The responder sends this selection back with the compatibility
indication. SKEYSEED is derived using the classical DH algorithm and
the duplicated PQ_KEM_A materials.
6.2. Profile 2: Subset Overlap Requiring Implicit NONE
Boundary Condition: The initiator proposes different but overlapping
lists without explicitly including the NONE algorithm, and the
responder cannot satisfy all ADDKE types using Consideration 1 alone.
Example Proposal:
* ADDKE1: PQ_KEM_A, PQ_KEM_B
* ADDKE2: PQ_KEM_C
Responder Capability: Supports PQ_KEM_B only.
Deterministic Outcome: The responder selects PQ_KEM_B for ADDKE1.
For ADDKE2, since PQ_KEM_C is not supported and Consideration 1
cannot be applied (PQ_KEM_B was not proposed in ADDKE2), the
responder evaluates Consideration 2. The responder selects the
Implicit NONE algorithm (Transform ID 0) for ADDKE2. The negotiation
succeeds with one classical DH algorithm and one PQC algorithm (i.e.,
PQ_KEM_B).
6.3. Profile 3: Explicit NONE and Fallback Interaction
Boundary Condition: The initiator explicitly includes the NONE
algorithm in some ADDKE fields but omits it in others, creating an
asymmetrical fallback matrix.
Example Proposal:
* ADDKE1: PQ_KEM_A, NONE
* ADDKE2: PQ_KEM_B
Responder Capability: Supports PQ_KEM_C only.
Li Expires 5 December 2026 [Page 8]
Internet-Draft extensions for robust negotiation June 2026
Deterministic Outcome: The responder cannot match PQ_KEM_A or
PQ_KEM_B. For ADDKE1, the responder selects the explicitly provided
NONE algorithm according to standard RFC 9370 parsing. For ADDKE2,
the responder triggers Consideration 2 (Implicit NONE Selection) and
selects NONE. Both ADDKE fields resolve to NONE.
NOTE: While this resolution is syntactically valid under the extended
policies, it reduces the exchange to classical DH only.
Implementations MUST consult their local security policies to
determine if an IPsec connection without quantum-secure key materials
should be established or dropped.
6.4. Profile 4: Consideration Priority and Tie-Breaking
Boundary Condition: The proposal structure allows the responder to
resolve the negotiation using either Consideration 1 or Consideration
2. A deterministic tie-breaker is required.
Example Proposal:
* ADDKE1: PQ_KEM_A
* ADDKE2: PQ_KEM_A
Responder Capability: Supports PQ_KEM_A.
Deterministic Outcome: The responder can apply Consideration 1
(select PQ_KEM_A for both) or Consideration 2 (select PQ_KEM_A for
ADDKE1 and Implicit NONE for ADDKE2). According to the order defined
in Section 4, the responder SHALL prioritize Consideration 1 over
Consideration 2. Therefore, the responder selects PQ_KEM_A for both
fields. Consideration 2 is strictly a fallback when duplication
cannot satisfy the proposal.
7. IANA Considerations
This document has no IANA considerations.
8. Security Considerations
This document introduces extended negotiation strategies that alter
the algorithm selection logic but do not modify the underlying
cryptographic primitives or key derivation functions defined in RFC
9370. The primary security consideration is that the
interoperability introduced by these extensions may result in an
overall security strength lower than the initiator's optimal
proposal.
Li Expires 5 December 2026 [Page 9]
Internet-Draft extensions for robust negotiation June 2026
When Consideration 1 (Duplicate Algorithm Selection) is applied, the
same Post-Quantum KEM is utilized for multiple ADDKE transform types.
While this resolves parsing failures, it eliminates the defense-in-
depth property intended by hybrid multi-KEM architectures. If a
cryptographic weakness is discovered in the duplicated algorithm, all
instances of it within the exchange are compromised. The resulting
security level is equivalent to negotiating that specific PQC
algorithm only once alongside the classical DH algorithm.
When Consideration 2 (Implicit NONE Selection) is applied, the
responder essentially ignores an ADDKE transform type. This may
weaken the overall entropy of the SKEYSEED compared to the
initiator's original intent. If a peer relies heavily on this
policy, it risks downgrading the connection to classical cryptography
only (e.g., Profile 3 in Annex). Implementations MUST ensure that
local security policies define the minimum acceptable cryptographic
threshold, and MUST abort the connection if the resolved multi-KEM
combination falls below this defined threshold.
Because these compatibility policies evaluate unauthenticated
payloads during the IKE_SA_INIT exchange, an active MITM attacker
could theoretically modify the proposals to force the responder into
applying Consideration 1 or 2. However, to comply with RFC 7296 and
RFC 9370, the entire contents of the IKE_SA_INIT messages are
cryptographically bound and verified during the subsequent IKE_AUTH
exchange. Any tampering intended to force a fallback or downgrade
will result in a MAC validation failure, fully mitigating this attack
vector.
9. References
9.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119, DOI 10.17487/RFC2119, March
1997, <https://www.rfc-editor.org/info/rfc2119>.
[RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T.
Kivinen, "Internet Key Exchange Protocol Version 2
(IKEv2)", RFC 7296, DOI 10.17487/RFC7296, October 2014,
<https://www.rfc-editor.org/info/rfc7296>.
[RFC9370] Tjhai, C., Tomlinson, M., Bartlett, G., Fluhrer, S., Van
Geest, D., and O. Garcia-Morchon, "Multiple Additional Key
Exchanges in the Internet Key Exchange Protocol Version 2
(IKEv2)", RFC 9370, DOI 10.17487/RFC9370, May 2023,
<https://www.rfc-editor.org/info/rfc9370>.
Li Expires 5 December 2026 [Page 10]
Internet-Draft extensions for robust negotiation June 2026
9.2. Informative References
Author's Address
Lun Li
Huawei
Email: lilun20@huawei.com
Li Expires 5 December 2026 [Page 11]