IETF Last Call Review of draft-ietf-ipsecme-ikev2-mlkem-05
review-ietf-ipsecme-ikev2-mlkem-05-tsvart-lc-rose-2026-06-08-00

This document has been reviewed as part of the transport area review team's
ongoing effort to review key IETF documents. These comments were written
primarily for the transport area directors, but are copied to the document's
authors and WG to allow them to address any issues raised and also to the IETF
discussion list for information.

When done at the time of IETF Last Call, the authors should consider this
review as part of the last-call comments they receive. Please always CC
tsv-art@ietf.org if you reply to or forward this review.

This document is Ready with Nits.

Nits:

* "Other than combining the security of a well-established algorithm with
relatively new quantum-resistant algorithms, another use of a PQ/T Hybrid key
exchanges in IKEv2 is to prevent fragmentation of key exchanges with the high
security parameter of ML-KEM which may not fit in common network packet payload
sizes." It is unclear how the use of hybrid key exchanges results in ML-KEM
parameters that allow the key share to fit within a typical MTU. (I can
obviously guess, but this should nonetheless be clarified for those readers not
intimately familiar with IKEv2 or RFC 9370.)

Other comments:

* It seems like the susceptibility of IKEv2 to downgrade attacks by active
MitMs should be described and discussed in one place (and hopefully motivate
the development of an IKEv3 not vulnerable to this kind of attack) rather than
resulting in the same boilerplate in every document describing a new security
parameter.

* Is the information in appendix A required in order to implement this
specification? It might be, but it's unclear on my reading. If it is required,
then it should be in the main text of the document, not in an appendix.