1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
|
<!DOCTYPE html>
<html lang="en" class="RFC">
<head>
<meta charset="utf-8">
<meta content="Common,Latin" name="scripts">
<meta content="initial-scale=1.0" name="viewport">
<title>RFC 8784: Mixing Preshared Keys in the Internet Key Exchange Protocol Version 2 (IKEv2) for Post-quantum Security</title>
<meta content="Scott Fluhrer" name="author">
<meta content="Panos Kampanakis" name="author">
<meta content="David McGrew" name="author">
<meta content="Valery Smyslov" name="author">
<meta content="
The possibility of quantum computers poses a serious challenge to
cryptographic algorithms deployed widely today. The Internet Key Exchange
Protocol Version 2 (IKEv2) is one example of a cryptosystem that could
be broken; someone storing VPN communications today could decrypt them
at a later time when a quantum computer is available. It is anticipated
that IKEv2 will be extended to support quantum-secure key exchange
algorithms; however, that is not likely to happen in the near term. To
address this problem before then, this document describes an extension
of IKEv2 to allow it to be resistant to a quantum computer by using
preshared keys.
" name="description">
<meta content="xml2rfc 2.46.0" name="generator">
<meta content="internet key exchange" name="keyword">
<meta content="quantum computer" name="keyword">
<meta content="post quantum" name="keyword">
<meta content="post-quantum" name="keyword">
<meta content="quantum safe" name="keyword">
<meta content="quantum secure" name="keyword">
<meta content="quantum resistant" name="keyword">
<meta content="8784" name="rfc.number">
<link href="rfc8784.xml" rel="alternate" type="application/rfc+xml">
<link href="#copyright" rel="license">
<style type="text/css">/*
NOTE: Changes at the bottom of this file overrides some earlier settings.
Once the style has stabilized and has been adopted as an official RFC style,
this can be consolidated so that style settings occur only in one place, but
for now the contents of this file consists first of the initial CSS work as
provided to the RFC Formatter (xml2rfc) work, followed by itemized and
commented changes found necssary during the development of the v3
formatters.
*/
/* fonts */
@import url('https://fonts.googleapis.com/css?family=Noto+Sans'); /* Sans-serif */
@import url('https://fonts.googleapis.com/css?family=Noto+Serif'); /* Serif (print) */
@import url('https://fonts.googleapis.com/css?family=Roboto+Mono'); /* Monospace */
@viewport {
zoom: 1.0;
width: extend-to-zoom;
}
@-ms-viewport {
width: extend-to-zoom;
zoom: 1.0;
}
/* general and mobile first */
html {
}
body {
max-width: 90%;
margin: 1.5em auto;
color: #222;
background-color: #fff;
font-size: 14px;
font-family: 'Noto Sans', Arial, Helvetica, sans-serif;
line-height: 1.6;
scroll-behavior: smooth;
}
.ears {
display: none;
}
/* headings */
#title, h1, h2, h3, h4, h5, h6 {
margin: 1em 0 0.5em;
font-weight: bold;
line-height: 1.3;
}
#title {
clear: both;
border-bottom: 1px solid #ddd;
margin: 0 0 0.5em 0;
padding: 1em 0 0.5em;
}
.author {
padding-bottom: 4px;
}
h1 {
font-size: 26px;
margin: 1em 0;
}
h2 {
font-size: 22px;
margin-top: -20px; /* provide offset for in-page anchors */
padding-top: 33px;
}
h3 {
font-size: 18px;
margin-top: -36px; /* provide offset for in-page anchors */
padding-top: 42px;
}
h4 {
font-size: 16px;
margin-top: -36px; /* provide offset for in-page anchors */
padding-top: 42px;
}
h5, h6 {
font-size: 14px;
}
#n-copyright-notice {
border-bottom: 1px solid #ddd;
padding-bottom: 1em;
margin-bottom: 1em;
}
/* general structure */
p {
padding: 0;
margin: 0 0 1em 0;
text-align: left;
}
div, span {
position: relative;
}
div {
margin: 0;
}
.alignRight.art-text {
background-color: #f9f9f9;
border: 1px solid #eee;
border-radius: 3px;
padding: 1em 1em 0;
margin-bottom: 1.5em;
}
.alignRight.art-text pre {
padding: 0;
}
.alignRight {
margin: 1em 0;
}
.alignRight > *:first-child {
border: none;
margin: 0;
float: right;
clear: both;
}
.alignRight > *:nth-child(2) {
clear: both;
display: block;
border: none;
}
svg {
display: block;
}
.alignCenter.art-text {
background-color: #f9f9f9;
border: 1px solid #eee;
border-radius: 3px;
padding: 1em 1em 0;
margin-bottom: 1.5em;
}
.alignCenter.art-text pre {
padding: 0;
}
.alignCenter {
margin: 1em 0;
}
.alignCenter > *:first-child {
border: none;
/* this isn't optimal, but it's an existence proof. PrinceXML doesn't
support flexbox yet.
*/
display: table;
margin: 0 auto;
}
/* lists */
ol, ul {
padding: 0;
margin: 0 0 1em 2em;
}
ol ol, ul ul, ol ul, ul ol {
margin-left: 1em;
}
li {
margin: 0 0 0.25em 0;
}
.ulCompact li {
margin: 0;
}
ul.empty, .ulEmpty {
list-style-type: none;
}
ul.empty li, .ulEmpty li {
margin-top: 0.5em;
}
ul.compact, .ulCompact,
ol.compact, .olCompact {
line-height: 100%;
margin: 0 0 0 2em;
}
/* definition lists */
dl {
}
dl > dt {
float: left;
margin-right: 1em;
}
/*
dl.nohang > dt {
float: none;
}
*/
dl > dd {
margin-bottom: .8em;
min-height: 1.3em;
}
dl.compact > dd, .dlCompact > dd {
margin-bottom: 0em;
}
dl > dd > dl {
margin-top: 0.5em;
margin-bottom: 0em;
}
/* links */
a {
text-decoration: none;
}
a[href] {
color: #22e; /* Arlen: WCAG 2019 */
}
a[href]:hover {
background-color: #f2f2f2;
}
figcaption a[href],
a[href].selfRef {
color: #222;
}
/* XXX probably not this:
a.selfRef:hover {
background-color: transparent;
cursor: default;
} */
/* Figures */
tt, code, pre, code {
background-color: #f9f9f9;
font-family: 'Roboto Mono', monospace;
}
pre {
border: 1px solid #eee;
margin: 0;
padding: 1em;
}
img {
max-width: 100%;
}
figure {
margin: 0;
}
figure blockquote {
margin: 0.8em 0.4em 0.4em;
}
figcaption {
font-style: italic;
margin: 0 0 1em 0;
}
@media screen {
pre {
overflow-x: auto;
max-width: 100%;
max-width: calc(100% - 22px);
}
}
/* aside, blockquote */
aside, blockquote {
margin-left: 0;
padding: 1.2em 2em;
}
blockquote {
background-color: #f9f9f9;
color: #111; /* Arlen: WCAG 2019 */
border: 1px solid #ddd;
border-radius: 3px;
margin: 1em 0;
}
cite {
display: block;
text-align: right;
font-style: italic;
}
/* tables */
table {
width: 100%;
margin: 0 0 1em;
border-collapse: collapse;
border: 1px solid #eee;
}
th, td {
text-align: left;
vertical-align: top;
padding: 0.5em 0.75em;
}
th {
text-align: left;
background-color: #e9e9e9;
}
tr:nth-child(2n+1) > td {
background-color: #f5f5f5;
}
table caption {
font-style: italic;
margin: 0;
padding: 0;
text-align: left;
}
table p {
/* XXX to avoid bottom margin on table row signifiers. If paragraphs should
be allowed within tables more generally, it would be far better to select on a class. */
margin: 0;
}
/* pilcrow */
a.pilcrow {
color: #666; /* Arlen: AHDJ 2019 */
text-decoration: none;
visibility: hidden;
user-select: none;
-ms-user-select: none;
-o-user-select:none;
-moz-user-select: none;
-khtml-user-select: none;
-webkit-user-select: none;
-webkit-touch-callout: none;
}
@media screen {
aside:hover > a.pilcrow,
p:hover > a.pilcrow,
blockquote:hover > a.pilcrow,
div:hover > a.pilcrow,
li:hover > a.pilcrow,
pre:hover > a.pilcrow {
visibility: visible;
}
a.pilcrow:hover {
background-color: transparent;
}
}
/* misc */
hr {
border: 0;
border-top: 1px solid #eee;
}
.bcp14 {
font-variant: small-caps;
}
.role {
font-variant: all-small-caps;
}
/* info block */
#identifiers {
margin: 0;
font-size: 0.9em;
}
#identifiers dt {
width: 3em;
clear: left;
}
#identifiers dd {
float: left;
margin-bottom: 0;
}
#identifiers .authors .author {
display: inline-block;
margin-right: 1.5em;
}
#identifiers .authors .org {
font-style: italic;
}
/* The prepared/rendered info at the very bottom of the page */
.docInfo {
color: #666; /* Arlen: WCAG 2019 */
font-size: 0.9em;
font-style: italic;
margin-top: 2em;
}
.docInfo .prepared {
float: left;
}
.docInfo .prepared {
float: right;
}
/* table of contents */
#toc {
padding: 0.75em 0 2em 0;
margin-bottom: 1em;
}
nav.toc ul {
margin: 0 0.5em 0 0;
padding: 0;
list-style: none;
}
nav.toc li {
line-height: 1.3em;
margin: 0.75em 0;
padding-left: 1.2em;
text-indent: -1.2em;
}
/* references */
.references dt {
text-align: right;
font-weight: bold;
min-width: 7em;
}
.references dd {
margin-left: 8em;
overflow: auto;
}
.refInstance {
margin-bottom: 1.25em;
}
.references .ascii {
margin-bottom: 0.25em;
}
/* index */
.index ul {
margin: 0 0 0 1em;
padding: 0;
list-style: none;
}
.index ul ul {
margin: 0;
}
.index li {
margin: 0;
text-indent: -2em;
padding-left: 2em;
padding-bottom: 5px;
}
.indexIndex {
margin: 0.5em 0 1em;
}
.index a {
font-weight: 700;
}
/* make the index two-column on all but the smallest screens */
@media (min-width: 600px) {
.index ul {
-moz-column-count: 2;
-moz-column-gap: 20px;
}
.index ul ul {
-moz-column-count: 1;
-moz-column-gap: 0;
}
}
/* authors */
address.vcard {
font-style: normal;
margin: 1em 0;
}
address.vcard .nameRole {
font-weight: 700;
margin-left: 0;
}
address.vcard .label {
font-family: "Noto Sans",Arial,Helvetica,sans-serif;
margin: 0.5em 0;
}
address.vcard .type {
display: none;
}
.alternative-contact {
margin: 1.5em 0 1em;
}
hr.addr {
border-top: 1px dashed;
margin: 0;
color: #ddd;
max-width: calc(100% - 16px);
}
/* temporary notes */
.rfcEditorRemove::before {
position: absolute;
top: 0.2em;
right: 0.2em;
padding: 0.2em;
content: "The RFC Editor will remove this note";
color: #9e2a00; /* Arlen: WCAG 2019 */
background-color: #ffd; /* Arlen: WCAG 2019 */
}
.rfcEditorRemove {
position: relative;
padding-top: 1.8em;
background-color: #ffd; /* Arlen: WCAG 2019 */
border-radius: 3px;
}
.cref {
background-color: #ffd; /* Arlen: WCAG 2019 */
padding: 2px 4px;
}
.crefSource {
font-style: italic;
}
/* alternative layout for smaller screens */
@media screen and (max-width: 1023px) {
body {
padding-top: 2em;
}
#title {
padding: 1em 0;
}
h1 {
font-size: 24px;
}
h2 {
font-size: 20px;
margin-top: -18px; /* provide offset for in-page anchors */
padding-top: 38px;
}
#identifiers dd {
max-width: 60%;
}
#toc {
position: fixed;
z-index: 2;
top: 0;
right: 0;
padding: 0;
margin: 0;
background-color: inherit;
border-bottom: 1px solid #ccc;
}
#toc h2 {
margin: -1px 0 0 0;
padding: 4px 0 4px 6px;
padding-right: 1em;
min-width: 190px;
font-size: 1.1em;
text-align: right;
background-color: #444;
color: white;
cursor: pointer;
}
#toc h2::before { /* css hamburger */
float: right;
position: relative;
width: 1em;
height: 1px;
left: -164px;
margin: 6px 0 0 0;
background: white none repeat scroll 0 0;
box-shadow: 0 4px 0 0 white, 0 8px 0 0 white;
content: "";
}
#toc nav {
display: none;
padding: 0.5em 1em 1em;
overflow: auto;
height: calc(100vh - 48px);
border-left: 1px solid #ddd;
}
}
/* alternative layout for wide screens */
@media screen and (min-width: 1024px) {
body {
max-width: 724px;
margin: 42px auto;
padding-left: 1.5em;
padding-right: 29em;
}
#toc {
position: fixed;
top: 42px;
right: 42px;
width: 25%;
margin: 0;
padding: 0 1em;
z-index: 1;
}
#toc h2 {
border-top: none;
border-bottom: 1px solid #ddd;
font-size: 1em;
font-weight: normal;
margin: 0;
padding: 0.25em 1em 1em 0;
}
#toc nav {
display: block;
height: calc(90vh - 84px);
bottom: 0;
padding: 0.5em 0 0;
overflow: auto;
}
img { /* future proofing */
max-width: 100%;
height: auto;
}
}
/* pagination */
@media print {
body {
width: 100%;
}
p {
orphans: 3;
widows: 3;
}
#n-copyright-notice {
border-bottom: none;
}
#toc, #n-introduction {
page-break-before: always;
}
#toc {
border-top: none;
padding-top: 0;
}
figure, pre {
page-break-inside: avoid;
}
figure {
overflow: scroll;
}
h1, h2, h3, h4, h5, h6 {
page-break-after: avoid;
}
h2+*, h3+*, h4+*, h5+*, h6+* {
page-break-before: avoid;
}
pre {
white-space: pre-wrap;
word-wrap: break-word;
font-size: 10pt;
}
table {
border: 1px solid #ddd;
}
td {
border-top: 1px solid #ddd;
}
}
/* This is commented out here, as the string-set: doesn't
pass W3C validation currently */
/*
.ears thead .left {
string-set: ears-top-left content();
}
.ears thead .center {
string-set: ears-top-center content();
}
.ears thead .right {
string-set: ears-top-right content();
}
.ears tfoot .left {
string-set: ears-bottom-left content();
}
.ears tfoot .center {
string-set: ears-bottom-center content();
}
.ears tfoot .right {
string-set: ears-bottom-right content();
}
*/
@page :first {
padding-top: 0;
@top-left {
content: normal;
border: none;
}
@top-center {
content: normal;
border: none;
}
@top-right {
content: normal;
border: none;
}
}
@page {
size: A4;
margin-bottom: 45mm;
padding-top: 20px;
/* The follwing is commented out here, but set appropriately by in code, as
the content depends on the document */
/*
@top-left {
content: 'Internet-Draft';
vertical-align: bottom;
border-bottom: solid 1px #ccc;
}
@top-left {
content: string(ears-top-left);
vertical-align: bottom;
border-bottom: solid 1px #ccc;
}
@top-center {
content: string(ears-top-center);
vertical-align: bottom;
border-bottom: solid 1px #ccc;
}
@top-right {
content: string(ears-top-right);
vertical-align: bottom;
border-bottom: solid 1px #ccc;
}
@bottom-left {
content: string(ears-bottom-left);
vertical-align: top;
border-top: solid 1px #ccc;
}
@bottom-center {
content: string(ears-bottom-center);
vertical-align: top;
border-top: solid 1px #ccc;
}
@bottom-right {
content: '[Page ' counter(page) ']';
vertical-align: top;
border-top: solid 1px #ccc;
}
*/
}
/* Changes introduced to fix issues found during implementation */
/* Make sure links are clickable even if overlapped by following H* */
a {
z-index: 2;
}
/* Separate body from document info even without intervening H1 */
section {
clear: both;
}
/* Top align author divs, to avoid names without organization dropping level with org names */
.author {
vertical-align: top;
}
/* Leave room in document info to show Internet-Draft on one line */
#identifiers dt {
width: 8em;
}
/* Don't waste quite as much whitespace between label and value in doc info */
#identifiers dd {
margin-left: 1em;
}
/* Give floating toc a background color (needed when it's a div inside section */
#toc {
background-color: white;
}
/* Make the collapsed ToC header render white on gray also when it's a link */
@media screen and (max-width: 1023px) {
#toc h2 a,
#toc h2 a:link,
#toc h2 a:focus,
#toc h2 a:hover,
#toc a.toplink,
#toc a.toplink:hover {
color: white;
background-color: #444;
text-decoration: none;
}
}
/* Give the bottom of the ToC some whitespace */
@media screen and (min-width: 1024px) {
#toc {
padding: 0 0 1em 1em;
}
}
/* Style section numbers with more space between number and title */
.section-number {
padding-right: 0.5em;
}
/* prevent monospace from becoming overly large */
tt, code, pre, code {
font-size: 95%;
}
/* Fix the height/width aspect for ascii art*/
pre.sourcecode,
.art-text pre {
line-height: 1.12;
}
/* Add styling for a link in the ToC that points to the top of the document */
a.toplink {
float: right;
margin-right: 0.5em;
}
/* Fix the dl styling to match the RFC 7992 attributes */
dl > dt,
dl.dlParallel > dt {
float: left;
margin-right: 1em;
}
dl.dlNewline > dt {
float: none;
}
/* Provide styling for table cell text alignment */
table td.text-left,
table th.text-left {
text-align: left;
}
table td.text-center,
table th.text-center {
text-align: center;
}
table td.text-right,
table th.text-right {
text-align: right;
}
/* Make the alternative author contact informatio look less like just another
author, and group it closer with the primary author contact information */
.alternative-contact {
margin: 0.5em 0 0.25em 0;
}
address .non-ascii {
margin: 0 0 0 2em;
}
/* With it being possible to set tables with alignment
left, center, and right, { width: 100%; } does not make sense */
table {
width: auto;
}
/* Avoid reference text that sits in a block with very wide left margin,
because of a long floating dt label.*/
.references dd {
overflow: visible;
}
/* Control caption placement */
caption {
caption-side: bottom;
}
/* Limit the width of the author address vcard, so names in right-to-left
script don't end up on the other side of the page. */
address.vcard {
max-width: 30em;
margin-right: auto;
}
/* For address alignment dependent on LTR or RTL scripts */
address div.left {
text-align: left;
}
address div.right {
text-align: right;
}
/* Provide table alignment support. We can't use the alignX classes above
since they do unwanted things with caption and other styling. */
table.right {
margin-left: auto;
margin-right: 0;
}
table.center {
margin-left: auto;
margin-right: auto;
}
table.left {
margin-left: 0;
margin-right: auto;
}
/* Give the table caption label the same styling as the figcaption */
caption a[href] {
color: #222;
}
@media print {
.toplink {
display: none;
}
/* avoid overwriting the top border line with the ToC header */
#toc {
padding-top: 1px;
}
/* Avoid page breaks inside dl and author address entries */
.vcard {
page-break-inside: avoid;
}
}
/* Tweak the bcp14 keyword presentation */
.bcp14 {
font-variant: small-caps;
font-weight: bold;
font-size: 0.9em;
}
/* Tweak the invisible space above H* in order not to overlay links in text above */
h2 {
margin-top: -18px; /* provide offset for in-page anchors */
padding-top: 31px;
}
h3 {
margin-top: -18px; /* provide offset for in-page anchors */
padding-top: 24px;
}
h4 {
margin-top: -18px; /* provide offset for in-page anchors */
padding-top: 24px;
}
/* Float artwork pilcrow to the right */
@media screen {
.artwork a.pilcrow {
display: block;
line-height: 0.7;
margin-top: 0.15em;
}
}
/* Make pilcrows on dd visible */
@media screen {
dd:hover > a.pilcrow {
visibility: visible;
}
}
/* Make the placement of figcaption match that of a table's caption
by removing the figure's added bottom margin */
.alignLeft.art-text,
.alignCenter.art-text,
.alignRight.art-text {
margin-bottom: 0;
}
.alignLeft,
.alignCenter,
.alignRight {
margin: 1em 0 0 0;
}
/* In print, the pilcrow won't show on hover, so prevent it from taking up space,
possibly even requiring a new line */
@media print {
a.pilcrow {
display: none;
}
}
/* Styling for the external metadata */
div#external-metadata {
background-color: #eee;
padding: 0.5em;
margin-bottom: 0.5em;
display: none;
}
div#internal-metadata {
padding: 0.5em; /* to match the external-metadata padding */
}
/* Styling for title RFC Number */
h1#rfcnum {
clear: both;
margin: 0 0 -1em;
padding: 1em 0 0 0;
}
/* Make .olPercent look the same as <ol><li> */
dl.olPercent > dd {
margin-bottom: 0.25em;
min-height: initial;
}
/* Give aside some styling to set it apart */
aside {
border-left: 1px solid #ddd;
margin: 1em 0 1em 2em;
padding: 0.2em 2em;
}
aside > dl,
aside > ol,
aside > ul,
aside > table,
aside > p {
margin-bottom: 0.5em;
}
/* Additional page break settings */
@media print {
figcaption, table caption {
page-break-before: avoid;
}
}
/* Font size adjustments for print */
@media print {
body { font-size: 10pt; line-height: normal; max-width: 96%; }
h1 { font-size: 1.72em; padding-top: 1.5em; } /* 1*1.2*1.2*1.2 */
h2 { font-size: 1.44em; padding-top: 1.5em; } /* 1*1.2*1.2 */
h3 { font-size: 1.2em; padding-top: 1.5em; } /* 1*1.2 */
h4 { font-size: 1em; padding-top: 1.5em; }
h5, h6 { font-size: 1em; margin: initial; padding: 0.5em 0 0.3em; }
}
/* Sourcecode margin in print, when there's no pilcrow */
@media print {
.artwork,
.sourcecode {
margin-bottom: 1em;
}
}
/* Avoid narrow tables forcing too narrow table captions, which may render badly */
table {
min-width: 20em;
}
/* ol type a */
ol.type-a { list-style-type: lower-alpha; }
ol.type-A { list-style-type: upper-alpha; }
ol.type-i { list-style-type: lower-roman; }
ol.type-I { list-style-type: lower-roman; }
/* Apply the print table and row borders in general, on request from the RPC,
and increase the contrast between border and odd row background sligthtly */
table {
border: 1px solid #ddd;
}
td {
border-top: 1px solid #ddd;
}
tr:nth-child(2n+1) > td {
background-color: #f8f8f8;
}
/* Use style rules to govern display of the TOC. */
@media screen and (max-width: 1023px) {
#toc nav { display: none; }
#toc.active nav { display: block; }
}
/* Add support for keepWithNext */
.keepWithNext {
break-after: avoid-page;
break-after: avoid-page;
}
/* Add support for keepWithPrevious */
.keepWithPrevious {
break-before: avoid-page;
}
/* Change the approach to avoiding breaks inside artwork etc. */
figure, pre, table, .artwork, .sourcecode {
break-before: avoid-page;
break-after: auto;
}
/* Avoid breaks between <dt> and <dd> */
dl {
break-before: auto;
break-inside: auto;
}
dt {
break-before: auto;
break-after: avoid-page;
}
dd {
break-before: avoid-page;
break-after: auto;
orphans: 3;
widows: 3
}
span.break, dd.break {
margin-bottom: 0;
min-height: 0;
break-before: auto;
break-inside: auto;
break-after: auto;
}
/* Undo break-before ToC */
@media print {
#toc {
break-before: auto;
}
}
/* Text in compact lists should not get extra bottim margin space,
since that would makes the list not compact */
ul.compact p, .ulCompact p,
ol.compact p, .olCompact p {
margin: 0;
}
/* But the list as a whole needs the extra space at the end */
section ul.compact,
section .ulCompact,
section ol.compact,
section .olCompact {
margin-bottom: 1em; /* same as p not within ul.compact etc. */
}
/* The tt and code background above interferes with for instance table cell
backgrounds. Changed to something a bit more selective. */
tt, code {
background-color: transparent;
}
p tt, p code {
background-color: #f9f9f9;
}
</style>
<link href="rfc-local.css" rel="stylesheet" type="text/css">
<link href="https://dx.doi.org/10.17487/rfc8784" rel="alternate">
<link href="urn:issn:2070-1721" rel="alternate">
<link href="https://datatracker.ietf.org/doc/draft-ietf-ipsecme-qr-ikev2-11" rel="prev">
</head>
<body>
<script src="https://www.rfc-editor.org/js/metadata.min.js"></script>
<table class="ears">
<thead><tr>
<td class="left">RFC 8784</td>
<td class="center">Mixing PSKs in IKEv2 for PQ Security</td>
<td class="right">June 2020</td>
</tr></thead>
<tfoot><tr>
<td class="left">Fluhrer, et al.</td>
<td class="center">Standards Track</td>
<td class="right">[Page]</td>
</tr></tfoot>
</table>
<div id="external-metadata" class="document-information"></div>
<div id="internal-metadata" class="document-information">
<dl id="identifiers">
<dt class="label-stream">Stream:</dt>
<dd class="stream">Internet Engineering Task Force (IETF)</dd>
<dt class="label-rfc">RFC:</dt>
<dd class="rfc"><a href="https://www.rfc-editor.org/rfc/rfc8784" class="eref">8784</a></dd>
<dt class="label-category">Category:</dt>
<dd class="category">Standards Track</dd>
<dt class="label-published">Published:</dt>
<dd class="published">
<time datetime="2020-06" class="published">June 2020</time>
</dd>
<dt class="label-issn">ISSN:</dt>
<dd class="issn">2070-1721</dd>
<dt class="label-authors">Authors:</dt>
<dd class="authors">
<div class="author">
<div class="author-name">S. Fluhrer</div>
<div class="org">Cisco Systems</div>
</div>
<div class="author">
<div class="author-name">P. Kampanakis</div>
<div class="org">Cisco Systems</div>
</div>
<div class="author">
<div class="author-name">D. McGrew</div>
<div class="org">Cisco Systems</div>
</div>
<div class="author">
<div class="author-name">V. Smyslov</div>
<div class="org">ELVIS-PLUS</div>
</div>
</dd>
</dl>
</div>
<h1 id="rfcnum">RFC 8784</h1>
<h1 id="title">Mixing Preshared Keys in the Internet Key Exchange Protocol Version 2 (IKEv2) for Post-quantum Security</h1>
<section id="section-abstract">
<h2 id="abstract"><a href="#abstract" class="selfRef">Abstract</a></h2>
<p id="section-abstract-1">The possibility of quantum computers poses a serious challenge to
cryptographic algorithms deployed widely today. The Internet Key Exchange
Protocol Version 2 (IKEv2) is one example of a cryptosystem that could
be broken; someone storing VPN communications today could decrypt them
at a later time when a quantum computer is available. It is anticipated
that IKEv2 will be extended to support quantum-secure key exchange
algorithms; however, that is not likely to happen in the near term. To
address this problem before then, this document describes an extension
of IKEv2 to allow it to be resistant to a quantum computer by using
preshared keys.<a href="#section-abstract-1" class="pilcrow">¶</a></p>
</section>
<div id="status-of-memo">
<section id="section-boilerplate.1">
<h2 id="name-status-of-this-memo">
<a href="#name-status-of-this-memo" class="section-name selfRef">Status of This Memo</a>
</h2>
<p id="section-boilerplate.1-1">
This is an Internet Standards Track document.<a href="#section-boilerplate.1-1" class="pilcrow">¶</a></p>
<p id="section-boilerplate.1-2">
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by
the Internet Engineering Steering Group (IESG). Further
information on Internet Standards is available in Section 2 of
RFC 7841.<a href="#section-boilerplate.1-2" class="pilcrow">¶</a></p>
<p id="section-boilerplate.1-3">
Information about the current status of this document, any
errata, and how to provide feedback on it may be obtained at
<span><a href="https://www.rfc-editor.org/info/rfc8784">https://www.rfc-editor.org/info/rfc8784</a></span>.<a href="#section-boilerplate.1-3" class="pilcrow">¶</a></p>
</section>
</div>
<div id="copyright">
<section id="section-boilerplate.2">
<h2 id="name-copyright-notice">
<a href="#name-copyright-notice" class="section-name selfRef">Copyright Notice</a>
</h2>
<p id="section-boilerplate.2-1">
Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved.<a href="#section-boilerplate.2-1" class="pilcrow">¶</a></p>
<p id="section-boilerplate.2-2">
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(<span><a href="https://trustee.ietf.org/license-info">https://trustee.ietf.org/license-info</a></span>) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this
document must include Simplified BSD License text as described in
Section 4.e of the Trust Legal Provisions and are provided without
warranty as described in the Simplified BSD License.<a href="#section-boilerplate.2-2" class="pilcrow">¶</a></p>
</section>
</div>
<div id="toc">
<section id="section-toc.1">
<a href="#" onclick="scroll(0,0)" class="toplink">▲</a><h2 id="name-table-of-contents">
<a href="#name-table-of-contents" class="section-name selfRef">Table of Contents</a>
</h2>
<nav class="toc"><ul class="toc ulEmpty compact">
<li class="toc ulEmpty compact" id="section-toc.1-1.1">
<p id="section-toc.1-1.1.1" class="keepWithNext"><a href="#section-1" class="xref">1</a>. <a href="#name-introduction" class="xref">Introduction</a><a href="#section-toc.1-1.1.1" class="pilcrow">¶</a></p>
<ul class="toc ulEmpty compact">
<li class="toc ulEmpty compact" id="section-toc.1-1.1.2.1">
<p id="section-toc.1-1.1.2.1.1" class="keepWithNext"><a href="#section-1.1" class="xref">1.1</a>. <a href="#name-requirements-language" class="xref">Requirements Language</a><a href="#section-toc.1-1.1.2.1.1" class="pilcrow">¶</a></p>
</li>
</ul>
</li>
<li class="toc ulEmpty compact" id="section-toc.1-1.2">
<p id="section-toc.1-1.2.1" class="keepWithNext"><a href="#section-2" class="xref">2</a>. <a href="#name-assumptions" class="xref">Assumptions</a><a href="#section-toc.1-1.2.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty compact" id="section-toc.1-1.3">
<p id="section-toc.1-1.3.1"><a href="#section-3" class="xref">3</a>. <a href="#name-exchanges" class="xref">Exchanges</a><a href="#section-toc.1-1.3.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty compact" id="section-toc.1-1.4">
<p id="section-toc.1-1.4.1"><a href="#section-4" class="xref">4</a>. <a href="#name-upgrade-procedure" class="xref">Upgrade Procedure</a><a href="#section-toc.1-1.4.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty compact" id="section-toc.1-1.5">
<p id="section-toc.1-1.5.1"><a href="#section-5" class="xref">5</a>. <a href="#name-ppk" class="xref">PPK</a><a href="#section-toc.1-1.5.1" class="pilcrow">¶</a></p>
<ul class="toc ulEmpty compact">
<li class="toc ulEmpty compact" id="section-toc.1-1.5.2.1">
<p id="section-toc.1-1.5.2.1.1"><a href="#section-5.1" class="xref">5.1</a>. <a href="#name-ppk_id-format" class="xref">PPK_ID Format</a><a href="#section-toc.1-1.5.2.1.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty compact" id="section-toc.1-1.5.2.2">
<p id="section-toc.1-1.5.2.2.1"><a href="#section-5.2" class="xref">5.2</a>. <a href="#name-operational-considerations" class="xref">Operational Considerations</a><a href="#section-toc.1-1.5.2.2.1" class="pilcrow">¶</a></p>
<ul class="toc ulEmpty compact">
<li class="toc ulEmpty compact" id="section-toc.1-1.5.2.2.2.1">
<p id="section-toc.1-1.5.2.2.2.1.1"><a href="#section-5.2.1" class="xref">5.2.1</a>. <a href="#name-ppk-distribution" class="xref">PPK Distribution</a><a href="#section-toc.1-1.5.2.2.2.1.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty compact" id="section-toc.1-1.5.2.2.2.2">
<p id="section-toc.1-1.5.2.2.2.2.1"><a href="#section-5.2.2" class="xref">5.2.2</a>. <a href="#name-group-ppk" class="xref">Group PPK</a><a href="#section-toc.1-1.5.2.2.2.2.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty compact" id="section-toc.1-1.5.2.2.2.3">
<p id="section-toc.1-1.5.2.2.2.3.1"><a href="#section-5.2.3" class="xref">5.2.3</a>. <a href="#name-ppk-only-authentication" class="xref">PPK-Only Authentication</a><a href="#section-toc.1-1.5.2.2.2.3.1" class="pilcrow">¶</a></p>
</li>
</ul>
</li>
</ul>
</li>
<li class="toc ulEmpty compact" id="section-toc.1-1.6">
<p id="section-toc.1-1.6.1"><a href="#section-6" class="xref">6</a>. <a href="#name-security-considerations" class="xref">Security Considerations</a><a href="#section-toc.1-1.6.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty compact" id="section-toc.1-1.7">
<p id="section-toc.1-1.7.1"><a href="#section-7" class="xref">7</a>. <a href="#name-iana-considerations" class="xref">IANA Considerations</a><a href="#section-toc.1-1.7.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty compact" id="section-toc.1-1.8">
<p id="section-toc.1-1.8.1"><a href="#section-8" class="xref">8</a>. <a href="#name-references" class="xref">References</a><a href="#section-toc.1-1.8.1" class="pilcrow">¶</a></p>
<ul class="toc ulEmpty compact">
<li class="toc ulEmpty compact" id="section-toc.1-1.8.2.1">
<p id="section-toc.1-1.8.2.1.1"><a href="#section-8.1" class="xref">8.1</a>. <a href="#name-normative-references" class="xref">Normative References</a><a href="#section-toc.1-1.8.2.1.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty compact" id="section-toc.1-1.8.2.2">
<p id="section-toc.1-1.8.2.2.1"><a href="#section-8.2" class="xref">8.2</a>. <a href="#name-informative-references" class="xref">Informative References</a><a href="#section-toc.1-1.8.2.2.1" class="pilcrow">¶</a></p>
</li>
</ul>
</li>
<li class="toc ulEmpty compact" id="section-toc.1-1.9">
<p id="section-toc.1-1.9.1"><a href="#section-appendix.a" class="xref">Appendix A</a>. <a href="#name-discussion-and-rationale" class="xref">Discussion and Rationale</a><a href="#section-toc.1-1.9.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty compact" id="section-toc.1-1.10">
<p id="section-toc.1-1.10.1"><a href="#section-appendix.b" class="xref"></a><a href="#name-acknowledgements" class="xref">Acknowledgements</a><a href="#section-toc.1-1.10.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty compact" id="section-toc.1-1.11">
<p id="section-toc.1-1.11.1"><a href="#section-appendix.c" class="xref"></a><a href="#name-authors-addresses" class="xref">Authors' Addresses</a><a href="#section-toc.1-1.11.1" class="pilcrow">¶</a></p>
</li>
</ul>
</nav>
</section>
</div>
<section id="section-1">
<h2 id="name-introduction">
<a href="#section-1" class="section-number selfRef">1. </a><a href="#name-introduction" class="section-name selfRef">Introduction</a>
</h2>
<p id="section-1-1">Recent achievements in developing quantum computers demonstrate that
it is probably feasible to build one that is cryptographically significant. If
such a computer is implemented, many of the cryptographic algorithms and
protocols currently in use would be insecure. A quantum computer would
be able to solve Diffie-Hellman (DH) and Elliptic Curve Diffie-Hellman
(ECDH) problems in polynomial time <span>[<a href="#I-D.hoffman-c2pq" class="xref">C2PQ</a>]</span>, and this would imply that the security of existing
IKEv2 <span>[<a href="#RFC7296" class="xref">RFC7296</a>]</span> systems would be
compromised. IKEv1 <span>[<a href="#RFC2409" class="xref">RFC2409</a>]</span>, when used with strong preshared
keys, is not vulnerable to quantum attacks because those keys are one of
the inputs to the key derivation function. If the preshared key has
sufficient entropy and the Pseudorandom Function (PRF), encryption, and authentication
transforms are quantum secure, then the resulting system is believed to
be quantum secure -- that is, secure against classical attackers of
today or future attackers with a quantum computer.<a href="#section-1-1" class="pilcrow">¶</a></p>
<p id="section-1-2">This document describes a way to extend IKEv2 to have a similar
property; assuming that the two end systems share a long secret key,
then the
resulting exchange is quantum secure.
By bringing post-quantum security to IKEv2, this document removes the need
to use an obsolete version of IKE in order to achieve
that security goal.<a href="#section-1-2" class="pilcrow">¶</a></p>
<p id="section-1-3">The general idea is that we add an additional secret that is shared
between the initiator and the responder; this secret is in addition to
the authentication method that is already provided within IKEv2. We
stir this secret into the SK_d value, which is used to generate the key
material (KEYMAT) for the Child Security Associations (SAs) and the
SKEYSEED for the IKE SAs created as a result
of the initial IKE SA rekey. This secret provides quantum resistance to
the IPsec SAs and any subsequent IKE SAs. We also stir the secret into the SK_pi and SK_pr values;
this allows both sides to detect a secret mismatch cleanly.<a href="#section-1-3" class="pilcrow">¶</a></p>
<p id="section-1-4">It was considered important to minimize the changes to IKEv2.
The existing mechanisms to perform authentication and key exchange remain
in place (that is, we continue to perform (EC)DH and potentially PKI
authentication if configured). This document does not replace the authentication
checks that the protocol does; instead, they are
strengthened by using an additional secret key.<a href="#section-1-4" class="pilcrow">¶</a></p>
<section id="section-1.1">
<h3 id="name-requirements-language">
<a href="#section-1.1" class="section-number selfRef">1.1. </a><a href="#name-requirements-language" class="section-name selfRef">Requirements Language</a>
</h3>
<p id="section-1.1-1">
The key words "<span class="bcp14">MUST</span>", "<span class="bcp14">MUST NOT</span>", "<span class="bcp14">REQUIRED</span>", "<span class="bcp14">SHALL</span>", "<span class="bcp14">SHALL NOT</span>", "<span class="bcp14">SHOULD</span>", "<span class="bcp14">SHOULD NOT</span>", "<span class="bcp14">RECOMMENDED</span>", "<span class="bcp14">NOT RECOMMENDED</span>",
"<span class="bcp14">MAY</span>", and "<span class="bcp14">OPTIONAL</span>" in this document are to be interpreted as
described in BCP 14 <span>[<a href="#RFC2119" class="xref">RFC2119</a>]</span> <span>[<a href="#RFC8174" class="xref">RFC8174</a>]</span>
when, and only when, they appear in all capitals, as shown here.<a href="#section-1.1-1" class="pilcrow">¶</a></p>
</section>
</section>
<section id="section-2">
<h2 id="name-assumptions">
<a href="#section-2" class="section-number selfRef">2. </a><a href="#name-assumptions" class="section-name selfRef">Assumptions</a>
</h2>
<p id="section-2-1"> We assume that each IKE peer has a list of Post-quantum Preshared
Keys (PPKs) along with their identifiers (PPK_ID), and any potential IKE
initiator selects which PPK to use with any specific responder. In
addition, implementations have a configurable flag that determines
whether this PPK is mandatory. This PPK is
independent of the preshared key (if any) that the IKEv2 protocol uses
to perform authentication (because the preshared key in IKEv2 is not
used for any key derivation and thus doesn't protect against quantum
computers). The PPK-specific configuration that is assumed to be on
each node consists of the following tuple:<a href="#section-2-1" class="pilcrow">¶</a></p>
<div class="artwork art-text alignLeft" id="section-2-2">
<pre>
Peer, PPK, PPK_ID, mandatory_or_not
</pre><a href="#section-2-2" class="pilcrow">¶</a>
</div>
<p id="section-2-3">We assume the reader is familiar with the payload notation defined in
<span><a href="https://www.rfc-editor.org/rfc/rfc7296#section-1.2" class="relref">Section 1.2</a> of [<a href="#RFC7296" class="xref">RFC7296</a>]</span>.<a href="#section-2-3" class="pilcrow">¶</a></p>
</section>
<div id="Exchanges">
<section id="section-3">
<h2 id="name-exchanges">
<a href="#section-3" class="section-number selfRef">3. </a><a href="#name-exchanges" class="section-name selfRef">Exchanges</a>
</h2>
<p id="section-3-1">If the initiator is configured to use a PPK with the responder (whether or not
the use of the PPK is mandatory), then it <span class="bcp14">MUST</span> include a
notification USE_PPK in the IKE_SA_INIT request message as follows:<a href="#section-3-1" class="pilcrow">¶</a></p>
<div class="artwork art-text alignLeft" id="section-3-2">
<pre>
Initiator Responder
------------------------------------------------------------------
HDR, SAi1, KEi, Ni, N(USE_PPK) --->
</pre><a href="#section-3-2" class="pilcrow">¶</a>
</div>
<p id="section-3-3">N(USE_PPK) is a status notification payload with the type 16435;
it has a protocol ID of 0, no Security Parameter Index (SPI), and no notification data associated with it.<a href="#section-3-3" class="pilcrow">¶</a></p>
<p id="section-3-4">If the initiator needs to resend this initial message with a COOKIE notification, then the resend would include the USE_PPK notification
if the original message did (see <span><a href="https://www.rfc-editor.org/rfc/rfc7296#section-2.6" class="relref">Section 2.6</a> of [<a href="#RFC7296" class="xref">RFC7296</a>]</span>).<a href="#section-3-4" class="pilcrow">¶</a></p>
<p id="section-3-5">If the responder does not support this specification or does not have any PPK configured,
then it ignores the received notification (as defined in <span>[<a href="#RFC7296" class="xref">RFC7296</a>]</span> for unknown status notifications)
and continues with the IKEv2 protocol as normal.
Otherwise, the responder replies with the IKE_SA_INIT message, including a USE_PPK notification in the response:<a href="#section-3-5" class="pilcrow">¶</a></p>
<div class="artwork art-text alignLeft" id="section-3-6">
<pre>
Initiator Responder
------------------------------------------------------------------
<--- HDR, SAr1, KEr, Nr, [CERTREQ,] N(USE_PPK)
</pre><a href="#section-3-6" class="pilcrow">¶</a>
</div>
<p id="section-3-7">When the initiator receives this reply, it checks whether the responder included the USE_PPK notification.
If the responder did not include the USE_PPK notification and the flag mandatory_or_not indicates that using PPKs is mandatory for communication with this responder,
then the initiator <span class="bcp14">MUST</span> abort the exchange. This
situation may happen in case of misconfiguration, i.e., when the
initiator believes it has a mandatory-to-use PPK for the responder and the responder either doesn't support
PPKs at all or doesn't have any PPK configured for the initiator. See <a href="#Security" class="xref">Section 6</a> for discussion
of the possible impacts of this situation.<a href="#section-3-7" class="pilcrow">¶</a></p>
<p id="section-3-8">If the responder did not include the USE_PPK notification and using a PPK for this particular responder is optional,
then the initiator continues with the IKEv2 protocol as normal, without using PPKs.<a href="#section-3-8" class="pilcrow">¶</a></p>
<p id="section-3-9">If the responder did include the USE_PPK notification, then the initiator selects a PPK, along with its
identifier PPK_ID. Then, it computes this modification of the standard
IKEv2 key derivation from <span><a href="https://www.rfc-editor.org/rfc/rfc7296#section-2.14" class="relref">Section 2.14</a> of [<a href="#RFC7296" class="xref">RFC7296</a>]</span>:<a href="#section-3-9" class="pilcrow">¶</a></p>
<div id="section-3-10">
<pre class="sourcecode lang-pseudocode">
SKEYSEED = prf(Ni | Nr, g^ir)
{SK_d' | SK_ai | SK_ar | SK_ei | SK_er | SK_pi' | SK_pr'}
= prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr)
SK_d = prf+ (PPK, SK_d')
SK_pi = prf+ (PPK, SK_pi')
SK_pr = prf+ (PPK, SK_pr')
</pre><a href="#section-3-10" class="pilcrow">¶</a>
</div>
<p id="section-3-11"> That is, we use the standard IKEv2 key derivation process, except
that the three resulting subkeys SK_d, SK_pi, and SK_pr
(marked with primes in the formula above) are then run through the prf+ again, this time using the PPK as the key.
The result is the unprimed versions of these keys, which are then used as inputs to subsequent steps of the
IKEv2 exchange.<a href="#section-3-11" class="pilcrow">¶</a></p>
<p id="section-3-12"> Using a prf+ construction ensures that it is always possible to get
the resulting keys of the same size as the initial ones, even if the
underlying PRF has an output size different from its key size. Note that
at the time of this writing, all PRFs defined for use in IKEv2 (see the
"Transform Type 2 - Pseudorandom Function Transform IDs" subregistry
<span>[<a href="#IANA-IKEV2" class="xref">IANA-IKEV2</a>]</span>) have an output size equal to the (preferred) key size. For such PRFs, only the first
iteration of prf+ is needed:<a href="#section-3-12" class="pilcrow">¶</a></p>
<div id="section-3-13">
<pre class="sourcecode lang-pseudocode">
SK_d = prf (PPK, SK_d' | 0x01)
SK_pi = prf (PPK, SK_pi' | 0x01)
SK_pr = prf (PPK, SK_pr' | 0x01)
</pre><a href="#section-3-13" class="pilcrow">¶</a>
</div>
<p id="section-3-14">Note that the PPK is used in SK_d, SK_pi, and SK_pr calculations only
during the initial IKE SA setup. It <span class="bcp14">MUST NOT</span> be used when these subkeys
are calculated as result of IKE SA rekey, resumption, or other similar
operations.<a href="#section-3-14" class="pilcrow">¶</a></p>
<p id="section-3-15">The initiator then sends the IKE_AUTH request message, including the PPK_ID value as follows:<a href="#section-3-15" class="pilcrow">¶</a></p>
<div class="artwork art-text alignLeft" id="section-3-16">
<pre>
Initiator Responder
------------------------------------------------------------------
HDR, SK {IDi, [CERT,] [CERTREQ,]
[IDr,] AUTH, SAi2,
TSi, TSr, N(PPK_IDENTITY, PPK_ID), [N(NO_PPK_AUTH)]} --->
</pre><a href="#section-3-16" class="pilcrow">¶</a>
</div>
<p id="section-3-17">PPK_IDENTITY is a status notification with the type 16436;
it has a protocol ID of 0, no SPI, and notification data that consists of the identifier PPK_ID.<a href="#section-3-17" class="pilcrow">¶</a></p>
<p id="section-3-18">A situation may happen when the responder has some PPKs but doesn't have a PPK with the PPK_ID received
from the initiator. In this case, the responder cannot continue with the
PPK (in particular, it cannot
authenticate the initiator), but the responder could be able to continue
with the normal IKEv2 protocol if the initiator
provided its authentication data computed as in the normal IKEv2 without using PPKs. For this purpose,
if using PPKs for communication with this responder is optional for the initiator (based on the mandatory_or_not flag),
then the initiator <span class="bcp14">MUST</span> include a NO_PPK_AUTH notification in the above message. This notification informs the responder
that PPKs are optional and allows for authenticating the initiator
without using PPKs.<a href="#section-3-18" class="pilcrow">¶</a></p>
<p id="section-3-19">NO_PPK_AUTH is a status notification with the type 16437; it has a
protocol ID of 0 and no SPI. The Notification Data field contains
the initiator's authentication data computed using SK_pi', which has
been computed without using PPKs. This is the same data that would
normally be placed in the Authentication Data field of an AUTH payload.
Since the Auth Method field is not present in the notification, the
authentication method used for computing the authentication data <span class="bcp14">MUST</span>
be the same as the method indicated in the AUTH payload. Note that if the
initiator decides to include the NO_PPK_AUTH notification, the initiator
needs to perform authentication data computation twice, which may
consume computation power (e.g., if digital signatures are involved).<a href="#section-3-19" class="pilcrow">¶</a></p>
<p id="section-3-20">When the responder receives this encrypted exchange, it first computes the values:<a href="#section-3-20" class="pilcrow">¶</a></p>
<div id="section-3-21">
<pre class="sourcecode lang-pseudocode">
SKEYSEED = prf(Ni | Nr, g^ir)
{SK_d' | SK_ai | SK_ar | SK_ei | SK_er | SK_pi' | SK_pr'}
= prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr)
</pre><a href="#section-3-21" class="pilcrow">¶</a>
</div>
<p id="section-3-22">The responder then uses the SK_ei/SK_ai values to decrypt/check the message and then scans through the payloads for the PPK_ID
attached to the PPK_IDENTITY notification. If no PPK_IDENTITY notification is found and the peers successfully
exchanged USE_PPK notifications in the IKE_SA_INIT exchange, then the
responder <span class="bcp14">MUST</span> send back an AUTHENTICATION_FAILED
notification and then fail the negotiation.<a href="#section-3-22" class="pilcrow">¶</a></p>
<p id="section-3-23">If the PPK_IDENTITY notification contains a PPK_ID that is not known to the responder or is not configured
for use for the identity from the IDi payload, then the responder checks whether using PPKs for this initiator is mandatory
and whether the initiator included a NO_PPK_AUTH notification in the message. If using PPKs is mandatory or no NO_PPK_AUTH
notification is found, then the responder <span class="bcp14">MUST</span> send
back an AUTHENTICATION_FAILED notification and then fail the negotiation.
Otherwise (when a PPK is optional and the initiator included a NO_PPK_AUTH notification), the responder <span class="bcp14">MAY</span>
continue the regular IKEv2 protocol, except that it uses the data from the NO_PPK_AUTH notification as the
authentication data (which usually resides in the AUTH payload) for the purpose of the initiator authentication.
Note that the authentication method is still indicated in the AUTH payload.<a href="#section-3-23" class="pilcrow">¶</a></p>
<p id="section-3-24"><a href="#table1" class="xref">Table 1</a> summarizes the above logic for the responder:<a href="#section-3-24" class="pilcrow">¶</a></p>
<div id="table1">
<table class="left" id="table-1">
<caption><a href="#table-1" class="selfRef">Table 1</a></caption>
<thead>
<tr>
<th class="text-left" rowspan="1" colspan="1">Received USE_PPK</th>
<th class="text-left" rowspan="1" colspan="1">Received NO_PPK_AUTH</th>
<th class="text-left" rowspan="1" colspan="1">Configured with PPK</th>
<th class="text-left" rowspan="1" colspan="1">PPK is Mandatory</th>
<th class="text-left" rowspan="1" colspan="1">Action</th>
</tr>
</thead>
<tbody>
<tr>
<td class="text-left" rowspan="1" colspan="1">No</td>
<td class="text-left" rowspan="1" colspan="1">*</td>
<td class="text-left" rowspan="1" colspan="1">No</td>
<td class="text-left" rowspan="1" colspan="1">*</td>
<td class="text-left" rowspan="1" colspan="1">Standard IKEv2 protocol</td>
</tr>
<tr>
<td class="text-left" rowspan="1" colspan="1">No</td>
<td class="text-left" rowspan="1" colspan="1">*</td>
<td class="text-left" rowspan="1" colspan="1">Yes</td>
<td class="text-left" rowspan="1" colspan="1">No</td>
<td class="text-left" rowspan="1" colspan="1">Standard IKEv2 protocol</td>
</tr>
<tr>
<td class="text-left" rowspan="1" colspan="1">No</td>
<td class="text-left" rowspan="1" colspan="1">*</td>
<td class="text-left" rowspan="1" colspan="1">Yes</td>
<td class="text-left" rowspan="1" colspan="1">Yes</td>
<td class="text-left" rowspan="1" colspan="1">Abort negotiation</td>
</tr>
<tr>
<td class="text-left" rowspan="1" colspan="1">Yes</td>
<td class="text-left" rowspan="1" colspan="1">No</td>
<td class="text-left" rowspan="1" colspan="1">No</td>
<td class="text-left" rowspan="1" colspan="1">*</td>
<td class="text-left" rowspan="1" colspan="1">Abort negotiation</td>
</tr>
<tr>
<td class="text-left" rowspan="1" colspan="1">Yes</td>
<td class="text-left" rowspan="1" colspan="1">Yes</td>
<td class="text-left" rowspan="1" colspan="1">No</td>
<td class="text-left" rowspan="1" colspan="1">Yes</td>
<td class="text-left" rowspan="1" colspan="1">Abort negotiation</td>
</tr>
<tr>
<td class="text-left" rowspan="1" colspan="1">Yes</td>
<td class="text-left" rowspan="1" colspan="1">Yes</td>
<td class="text-left" rowspan="1" colspan="1">No</td>
<td class="text-left" rowspan="1" colspan="1">No</td>
<td class="text-left" rowspan="1" colspan="1">Standard IKEv2 protocol</td>
</tr>
<tr>
<td class="text-left" rowspan="1" colspan="1">Yes</td>
<td class="text-left" rowspan="1" colspan="1">*</td>
<td class="text-left" rowspan="1" colspan="1">Yes</td>
<td class="text-left" rowspan="1" colspan="1">*</td>
<td class="text-left" rowspan="1" colspan="1">Use PPK</td>
</tr>
</tbody>
</table>
</div>
<p id="section-3-26">If a PPK is in use, then the responder extracts the corresponding PPK and computes the following values:<a href="#section-3-26" class="pilcrow">¶</a></p>
<div id="section-3-27">
<pre class="sourcecode lang-pseudocode">
SK_d = prf+ (PPK, SK_d')
SK_pi = prf+ (PPK, SK_pi')
SK_pr = prf+ (PPK, SK_pr')
</pre><a href="#section-3-27" class="pilcrow">¶</a>
</div>
<p id="section-3-28">The responder then continues with the IKE_AUTH exchange (validating the AUTH payload that the initiator included) as usual
and sends back a response, which includes the PPK_IDENTITY notification with no data to indicate that the PPK is
used in the exchange:<a href="#section-3-28" class="pilcrow">¶</a></p>
<div class="artwork art-text alignLeft" id="section-3-29">
<pre>
Initiator Responder
------------------------------------------------------------------
<-- HDR, SK {IDr, [CERT,]
AUTH, SAr2,
TSi, TSr, N(PPK_IDENTITY)}
</pre><a href="#section-3-29" class="pilcrow">¶</a>
</div>
<p id="section-3-30">When the initiator receives the response, it checks for the
presence of the PPK_IDENTITY notification. If it receives one, it
marks the SA as using the configured PPK to generate SK_d, SK_pi, and
SK_pr (as shown above); the content of the received PPK_IDENTITY (if
any) <span class="bcp14">MUST</span> be ignored. If the initiator does not receive the
PPK_IDENTITY, it <span class="bcp14">MUST</span> either fail the IKE SA negotiation sending the
AUTHENTICATION_FAILED notification in the INFORMATIONAL exchange (if
the PPK was configured as mandatory) or continue without using the
PPK (if the PPK was not configured as mandatory and the initiator
included the NO_PPK_AUTH notification in the request).<a href="#section-3-30" class="pilcrow">¶</a></p>
<p id="section-3-31">If the Extensible Authentication Protocol (EAP) is used in the IKE_AUTH exchange, then the initiator doesn't
include the AUTH payload
in the first request message; however, the responder sends back the AUTH payload in the first reply.
The peers then exchange AUTH payloads after EAP is successfully completed.
As a result, the responder sends the AUTH payload twice -- in the first
and last IKE_AUTH reply message -- while the initiator sends the AUTH payload only in the last IKE_AUTH request.
See more details about EAP authentication in IKEv2 in <span><a href="https://www.rfc-editor.org/rfc/rfc7296#section-2.16" class="relref">Section 2.16</a> of [<a href="#RFC7296" class="xref">RFC7296</a>]</span>.<a href="#section-3-31" class="pilcrow">¶</a></p>
<p id="section-3-32">The general rule for using a PPK in the IKE_AUTH exchange, which
covers the EAP authentication case too, is that the initiator includes a
PPK_IDENTITY (and optionally a NO_PPK_AUTH) notification in the request
message containing the AUTH payload. Therefore, in case of EAP, the
responder always computes the AUTH payload in the first IKE_AUTH reply
message without using a PPK (by means of SK_pr'), since PPK_ID is not
yet known to the responder. Once the IKE_AUTH request message containing
the PPK_IDENTITY notification is received, the responder follows the
rules described above for the non-EAP authentication case.<a href="#section-3-32" class="pilcrow">¶</a></p>
<div class="artwork art-text alignLeft" id="section-3-33">
<pre>
Initiator Responder
----------------------------------------------------------------
HDR, SK {IDi, [CERTREQ,]
[IDr,] SAi2,
TSi, TSr} -->
<-- HDR, SK {IDr, [CERT,] AUTH,
EAP}
HDR, SK {EAP} -->
<-- HDR, SK {EAP (success)}
HDR, SK {AUTH,
N(PPK_IDENTITY, PPK_ID)
[, N(NO_PPK_AUTH)]} -->
<-- HDR, SK {AUTH, SAr2, TSi, TSr
[, N(PPK_IDENTITY)]}
</pre><a href="#section-3-33" class="pilcrow">¶</a>
</div>
<p id="section-3-34">Note that the diagram above shows both the cases when the responder
uses a PPK and when it chooses not to use it (provided the initiator has
included the NO_PPK_AUTH notification); thus, the responder's
PPK_IDENTITY notification is marked as optional. Also, note that the
IKE_SA_INIT exchange using a PPK is as described above (including
exchange of the USE_PPK notifications), regardless of whether or not EAP is
employed in the IKE_AUTH.<a href="#section-3-34" class="pilcrow">¶</a></p>
</section>
</div>
<section id="section-4">
<h2 id="name-upgrade-procedure">
<a href="#section-4" class="section-number selfRef">4. </a><a href="#name-upgrade-procedure" class="section-name selfRef">Upgrade Procedure</a>
</h2>
<p id="section-4-1">This algorithm was designed so that someone can introduce PPKs into an existing IKE network
without causing network disruption.<a href="#section-4-1" class="pilcrow">¶</a></p>
<p id="section-4-2">In the initial phase of the network upgrade, the network administrator would visit each IKE node and configure:<a href="#section-4-2" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-4-3.1">The set of PPKs (and corresponding PPK_IDs) that this node would need to know.<a href="#section-4-3.1" class="pilcrow">¶</a>
</li>
<li class="normal" id="section-4-3.2">The PPK that will be used for each peer that this node would
initiate to.<a href="#section-4-3.2" class="pilcrow">¶</a>
</li>
<li class="normal" id="section-4-3.3">The value "false" for the mandatory_or_not flag for each peer
that this node would initiate to (thus indicating that the use of PPKs
is not mandatory).<a href="#section-4-3.3" class="pilcrow">¶</a>
</li>
</ul>
<p id="section-4-4">With this configuration, the node will continue to operate with nodes that have not yet been upgraded.
This is due to the USE_PPK notification and the NO_PPK_AUTH notification; if the initiator has not been upgraded, it will not send the USE_PPK
notification (and so the responder will know that the peers will not use a PPK). If the responder has not been upgraded, it
will not send the USE_PPK notification (and so the initiator will know to not use a PPK). If both peers
have been upgraded but the responder isn't yet configured with the PPK for the initiator, then the responder
could continue with the standard IKEv2 protocol if the initiator sent a NO_PPK_AUTH notification.
If both the responder and initiator have been upgraded and properly configured, they will both realize it, and the Child SAs will be quantum secure.<a href="#section-4-4" class="pilcrow">¶</a></p>
<p id="section-4-5">As an optional second step, after all nodes have been upgraded, the administrator should then go back through
the nodes and mark the use of a PPK as mandatory. This will not affect the strength against a passive attacker, but
it would mean that an active attacker with a quantum computer (which is sufficiently fast to be able to break the (EC)DH
in real time) would not be able to perform a downgrade attack.<a href="#section-4-5" class="pilcrow">¶</a></p>
</section>
<section id="section-5">
<h2 id="name-ppk">
<a href="#section-5" class="section-number selfRef">5. </a><a href="#name-ppk" class="section-name selfRef">PPK</a>
</h2>
<section id="section-5.1">
<h3 id="name-ppk_id-format">
<a href="#section-5.1" class="section-number selfRef">5.1. </a><a href="#name-ppk_id-format" class="section-name selfRef">PPK_ID Format</a>
</h3>
<p id="section-5.1-1">This standard requires that both the initiator and the responder
have a secret PPK value, with the responder selecting the PPK based on
the PPK_ID that the initiator sends. In this standard, both the
initiator and the responder are configured with fixed PPK and PPK_ID
values and perform the lookup based on the PPK_ID value. It is anticipated
that later specifications will extend this technique to allow
dynamically changing PPK values. To facilitate such an extension, we
specify that the PPK_ID the initiator sends will have its first octet
be the PPK_ID type value. This document defines two values for the
PPK_ID type:<a href="#section-5.1-1" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-5.1-2.1">PPK_ID_OPAQUE (1) - For this type, the format of the PPK_ID (and
the PPK itself) is not specified by this document; it is assumed to
be mutually intelligible by both the initiator and the responder.
This PPK_ID type is intended for those implementations that choose
not to disclose the type of PPK to active attackers.<a href="#section-5.1-2.1" class="pilcrow">¶</a>
</li>
<li class="normal" id="section-5.1-2.2">PPK_ID_FIXED (2) - In this case, the format of the PPK_ID and
the PPK are fixed octet strings; the remaining bytes of the PPK_ID
are a configured value. We assume that there is a fixed mapping
between PPK_ID and PPK, which is configured locally to both the
initiator and the responder. The responder can use the PPK_ID to
look up the corresponding PPK value. Not all implementations are
able to configure arbitrary octet strings; to improve the potential
interoperability, it is recommended that, in the PPK_ID_FIXED case,
both the PPK and the PPK_ID strings be limited to the base64
character set <span>[<a href="#RFC4648" class="xref">RFC4648</a>]</span>.<a href="#section-5.1-2.2" class="pilcrow">¶</a>
</li>
</ul>
</section>
<section id="section-5.2">
<h3 id="name-operational-considerations">
<a href="#section-5.2" class="section-number selfRef">5.2. </a><a href="#name-operational-considerations" class="section-name selfRef">Operational Considerations</a>
</h3>
<p id="section-5.2-1">The need to maintain several independent sets of security credentials can significantly complicate a security administrator's job
and can potentially slow down widespread adoption of this specification. It is anticipated that administrators will try to simplify their job
by decreasing the number of credentials they need to maintain. This section describes some of the considerations for PPK management.<a href="#section-5.2-1" class="pilcrow">¶</a></p>
<section id="section-5.2.1">
<h4 id="name-ppk-distribution">
<a href="#section-5.2.1" class="section-number selfRef">5.2.1. </a><a href="#name-ppk-distribution" class="section-name selfRef">PPK Distribution</a>
</h4>
<p id="section-5.2.1-1">PPK_IDs of the type PPK_ID_FIXED (and the corresponding PPKs) are assumed to be configured within the IKE device in an out-of-band fashion.
While the method of distribution is a local matter and is out of scope of this document or IKEv2, <span>[<a href="#RFC6030" class="xref">RFC6030</a>]</span> describes a format for the transport and provisioning of symmetric keys. That format
could be reused using the PIN profile (defined in <span><a href="https://www.rfc-editor.org/rfc/rfc6030#section-10.2" class="relref">Section 10.2</a> of [<a href="#RFC6030" class="xref">RFC6030</a>]</span>)
with the "Id" attribute of the <Key> element being the PPK_ID (without the PPK_ID type octet for a PPK_ID_FIXED) and the <Secret> element containing the PPK.<a href="#section-5.2.1-1" class="pilcrow">¶</a></p>
</section>
<section id="section-5.2.2">
<h4 id="name-group-ppk">
<a href="#section-5.2.2" class="section-number selfRef">5.2.2. </a><a href="#name-group-ppk" class="section-name selfRef">Group PPK</a>
</h4>
<p id="section-5.2.2-1">This document doesn't explicitly require that the PPK be unique for each pair of peers. If this is the case, then this solution provides full
peer authentication, but it also means that each host must have as many independent PPKs as peers it is going to communicate with.
As the number of peers grows, the PPKs will not scale.<a href="#section-5.2.2-1" class="pilcrow">¶</a></p>
<p id="section-5.2.2-2">It is possible to use a single PPK for a group of users. Since
each peer uses classical public key cryptography in addition to a
PPK for key exchange and authentication, members of the group can
neither impersonate each other nor read each other's traffic unless
they use quantum computers to break public key operations. However,
group members can record any traffic they have access to that comes
from other group members and decrypt it later, when they get access
to a quantum computer.<a href="#section-5.2.2-2" class="pilcrow">¶</a></p>
<p id="section-5.2.2-3">In addition, the fact that the PPK is known to a (potentially large) group of users makes it more susceptible to theft.
When an attacker equipped with a quantum computer gets access to a group PPK, all communications inside the group are revealed.<a href="#section-5.2.2-3" class="pilcrow">¶</a></p>
<p id="section-5.2.2-4">For these reasons, using a group PPK is <span class="bcp14">NOT RECOMMENDED</span>.<a href="#section-5.2.2-4" class="pilcrow">¶</a></p>
</section>
<section id="section-5.2.3">
<h4 id="name-ppk-only-authentication">
<a href="#section-5.2.3" class="section-number selfRef">5.2.3. </a><a href="#name-ppk-only-authentication" class="section-name selfRef">PPK-Only Authentication</a>
</h4>
<p id="section-5.2.3-1">If quantum computers become a reality, classical public key cryptography will provide little security, so administrators may find it attractive
not to use it at all for authentication.
This will reduce the number of credentials they need to maintain because they
only need to maintain PPK credentials. Combining group PPK and
PPK-only authentication is <span class="bcp14">NOT RECOMMENDED</span> since, in
this case, any member of the group can impersonate any other member,
even without the help
of quantum computers.<a href="#section-5.2.3-1" class="pilcrow">¶</a></p>
<p id="section-5.2.3-2">PPK-only authentication can be achieved in IKEv2 if the NULL
Authentication method <span>[<a href="#RFC7619" class="xref">RFC7619</a>]</span> is
employed. Without PPK, the NULL Authentication method provides no
authentication of the peers; however, since a PPK is stirred into
the SK_pi and the SK_pr, the peers become authenticated if a PPK is
in use. Using PPKs <span class="bcp14">MUST</span> be mandatory for the peers if
they advertise support for PPKs in IKE_SA_INIT and use NULL
Authentication. Additionally, since the peers are authenticated via
PPKs, the ID Type in the IDi/IDr payloads <span class="bcp14">SHOULD NOT</span>
be ID_NULL, despite using the NULL Authentication method.<a href="#section-5.2.3-2" class="pilcrow">¶</a></p>
</section>
</section>
</section>
<div id="Security">
<section id="section-6">
<h2 id="name-security-considerations">
<a href="#section-6" class="section-number selfRef">6. </a><a href="#name-security-considerations" class="section-name selfRef">Security Considerations</a>
</h2>
<p id="section-6-1">A critical consideration is how to ensure the randomness of this
post-quantum preshared key. Quantum computers are able to perform Grover's
algorithm <span>[<a href="#GROVER" class="xref">GROVER</a>]</span>; that effectively halves the size of
a symmetric key. In addition, an adversary impersonating the server,
even with a conventional computer, can perform a dictionary search over
plausible post-quantum preshared key values. The strongest practice is
to ensure that any post-quantum preshared key contains at least 256 bits of
entropy; this will provide 128 bits of post-quantum security, while
providing security against conventional dictionary attacks. That provides the security
equivalent to Category 5 as defined in the NIST Post-Quantum Cryptography
Call for Proposals <span>[<a href="#NISTPQCFP" class="xref">NISTPQCFP</a>]</span>. Deriving
a post-quantum preshared key from a password, name, or other low-entropy
source is not secure because of these known attacks.<a href="#section-6-1" class="pilcrow">¶</a></p>
<p id="section-6-2">With this protocol, the computed SK_d is a function of the
PPK. Assuming that the PPK has sufficient entropy (for example, at least
2<sup>256</sup> possible values), even if an attacker was able to recover the
rest of the inputs to the PRF function, it would be infeasible to use
Grover's algorithm with a quantum computer to recover the SK_d value.
Similarly, all keys that are a function of SK_d, which include all Child
SA keys and all keys for subsequent IKE SAs (created when the initial
IKE SA is rekeyed), are also quantum secure (assuming that the PPK was
of high enough entropy and that all the subkeys are sufficiently long).<a href="#section-6-2" class="pilcrow">¶</a></p>
<p id="section-6-3">An attacker with a quantum computer that can decrypt the initial IKE
SA has access to all the information exchanged over it, such as
identities of the peers, configuration parameters, and all negotiated
IPsec SA information (including traffic selectors), with the exception
of the cryptographic keys used by the IPsec SAs, which are protected by
the PPK.<a href="#section-6-3" class="pilcrow">¶</a></p>
<p id="section-6-4">Deployments that treat this information as sensitive or that send other sensitive data (like cryptographic keys)
over IKE SAs <span class="bcp14">MUST</span> rekey the IKE SA before the sensitive information is sent to ensure this information is protected by the PPK.
It is possible to create a childless IKE SA as specified in <span>[<a href="#RFC6023" class="xref">RFC6023</a>]</span>. This prevents Child SA
configuration information from being transmitted in the original IKE SA that is not protected by a PPK.
Some information related to IKE SA that is sent in the IKE_AUTH exchange, such as peer identities, feature notifications,
vendor IDs, etc., cannot be hidden from the attack described above, even if the additional IKE SA rekey is performed.<a href="#section-6-4" class="pilcrow">¶</a></p>
<p id="section-6-5">In addition, the policy <span class="bcp14">SHOULD</span> be set to negotiate only quantum-secure
symmetric algorithms; while this RFC doesn't claim to give
advice as to what algorithms are secure (as that may change
based on future cryptographical results), below is a list of defined IKEv2 and
IPsec algorithms that should not be used, as they are known to provide less than 128 bits of post-quantum security:<a href="#section-6-5" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-6-6.1">Any IKEv2 encryption algorithm, PRF, or integrity algorithm with a
key size less than 256 bits.<a href="#section-6-6.1" class="pilcrow">¶</a>
</li>
<li class="normal" id="section-6-6.2">Any ESP transform with a key size less than 256 bits.<a href="#section-6-6.2" class="pilcrow">¶</a>
</li>
<li class="normal" id="section-6-6.3">PRF_AES128_XCBC and PRF_AES128_CBC: even though they can use as
input a key of arbitrary size, such input keys are converted into a 128-bit key for internal use.<a href="#section-6-6.3" class="pilcrow">¶</a>
</li>
</ul>
<p id="section-6-7"><a href="#Exchanges" class="xref">Section 3</a> requires the initiator to
abort the initial exchange if using PPKs is mandatory for it but the
responder does not include the USE_PPK notification in the response. In
this situation, when the initiator aborts the negotiation, it leaves a
half-open IKE SA on the responder (because IKE_SA_INIT completes
successfully from the responder's point of view). This half-open SA will
eventually expire and be deleted, but if the initiator continues its
attempts to create IKE SA with a high enough rate, then the responder may
consider it a denial-of-service (DoS) attack and take protective
measures (see <span>[<a href="#RFC8019" class="xref">RFC8019</a>]</span> for more
details). In this situation, it is <span class="bcp14">RECOMMENDED</span> that the
initiator cache the negative result of the negotiation and not attempt
to create it again for some time. This period of time may vary, but it
is believed that waiting for at least few minutes will not cause the
responder to treat it as a DoS attack. Note that this situation would
most likely be a result of misconfiguration, and some reconfiguration of
the peers would probably be needed.<a href="#section-6-7" class="pilcrow">¶</a></p>
<p id="section-6-8">If using PPKs is optional for both peers and they authenticate themselves using digital signatures, then
an attacker in between, equipped with a quantum computer capable of breaking public key operations
in real time, is able to mount a downgrade attack by removing the USE_PPK notification from the IKE_SA_INIT
and forging digital signatures in the subsequent exchange. If using PPKs is mandatory for at least one of the peers
or if a preshared key mode is used for authentication, then the attack will be detected
and the SA won't be created.<a href="#section-6-8" class="pilcrow">¶</a></p>
<p id="section-6-9">If using PPKs is mandatory for the initiator, then an attacker able
to eavesdrop and inject packets into the network can prevent creation of an
IKE SA by mounting the following attack. The attacker intercepts the
initial request containing the USE_PPK notification and injects a forged
response containing no USE_PPK. If the attacker manages to inject this
packet before the responder sends a genuine response, then the initiator
would abort the exchange. To thwart this kind of attack, it is
<span class="bcp14">RECOMMENDED</span> that, if using PPKs is mandatory for the
initiator and the received response doesn't contain the USE_PPK
notification, the initiator not abort the exchange
immediately. Instead, it waits for more response messages,
retransmitting the request as if no responses were received at all, until
either the received message contains the USE_PPK notification or the exchange times
out (see <span><a href="https://www.rfc-editor.org/rfc/rfc7296#section-2.4" class="relref">Section 2.4</a> of [<a href="#RFC7296" class="xref">RFC7296</a>]</span> for more details about retransmission timers in
IKEv2). If none of the received responses contains USE_PPK, then the
exchange is aborted.<a href="#section-6-9" class="pilcrow">¶</a></p>
<p id="section-6-10">If using a PPK is optional for both peers, then in case of misconfiguration (e.g., mismatched PPK_ID), the IKE SA
will be created without protection against quantum computers. It is
advised that if a PPK was configured but
was not used for a particular IKE SA, then implementations <span class="bcp14">SHOULD</span> audit this event.<a href="#section-6-10" class="pilcrow">¶</a></p>
</section>
</div>
<section id="section-7">
<h2 id="name-iana-considerations">
<a href="#section-7" class="section-number selfRef">7. </a><a href="#name-iana-considerations" class="section-name selfRef">IANA Considerations</a>
</h2>
<p id="section-7-1">This document defines three new Notify Message Types in the
"IKEv2 Notify Message Types - Status Types" subregistry under the
"Internet Key Exchange Version 2 (IKEv2) Parameters" registry
<span>[<a href="#IANA-IKEV2" class="xref">IANA-IKEV2</a>]</span>:<a href="#section-7-1" class="pilcrow">¶</a></p>
<div id="table2">
<table class="center" id="table-2">
<caption><a href="#table-2" class="selfRef">Table 2</a></caption>
<tbody>
<tr>
<th class="text-left" rowspan="1" colspan="1">Value</th>
<th class="text-left" rowspan="1" colspan="1">NOTIFY MESSAGES - STATUS TYPES</th>
<th class="text-left" rowspan="1" colspan="1">Reference</th>
</tr>
<tr>
<td class="text-left" rowspan="1" colspan="1">16435</td>
<td class="text-left" rowspan="1" colspan="1">USE_PPK</td>
<td class="text-left" rowspan="1" colspan="1">RFC 8784</td>
</tr>
<tr>
<td class="text-left" rowspan="1" colspan="1">16436</td>
<td class="text-left" rowspan="1" colspan="1">PPK_IDENTITY</td>
<td class="text-left" rowspan="1" colspan="1">RFC 8784</td>
</tr>
<tr>
<td class="text-left" rowspan="1" colspan="1">16437</td>
<td class="text-left" rowspan="1" colspan="1">NO_PPK_AUTH</td>
<td class="text-left" rowspan="1" colspan="1">RFC 8784</td>
</tr>
</tbody>
</table>
</div>
<p id="section-7-3">Per this document, IANA has created a new subregistry titled "IKEv2
Post-quantum Preshared Key ID Types" under the "Internet Key Exchange
Version 2 (IKEv2) Parameters" registry <span>[<a href="#IANA-IKEV2" class="xref">IANA-IKEV2</a>]</span>. This new subregistry is for the PPK_ID types used in
the PPK_IDENTITY notification defined in this specification. The initial
contents of the new subregistry are as follows:<a href="#section-7-3" class="pilcrow">¶</a></p>
<div id="table3">
<table class="center" id="table-3">
<caption><a href="#table-3" class="selfRef">Table 3</a></caption>
<thead>
<tr>
<th class="text-left" rowspan="1" colspan="1">Value</th>
<th class="text-left" rowspan="1" colspan="1">PPK_ID Type</th>
<th class="text-left" rowspan="1" colspan="1">Reference</th>
</tr>
</thead>
<tbody>
<tr>
<td class="text-left" rowspan="1" colspan="1">0</td>
<td class="text-left" rowspan="1" colspan="1">Reserved</td>
<td class="text-left" rowspan="1" colspan="1">RFC 8784</td>
</tr>
<tr>
<td class="text-left" rowspan="1" colspan="1">1</td>
<td class="text-left" rowspan="1" colspan="1">PPK_ID_OPAQUE</td>
<td class="text-left" rowspan="1" colspan="1">RFC 8784</td>
</tr>
<tr>
<td class="text-left" rowspan="1" colspan="1">2</td>
<td class="text-left" rowspan="1" colspan="1">PPK_ID_FIXED</td>
<td class="text-left" rowspan="1" colspan="1">RFC 8784</td>
</tr>
<tr>
<td class="text-left" rowspan="1" colspan="1">3-127</td>
<td class="text-left" rowspan="1" colspan="1">Unassigned</td>
<td class="text-left" rowspan="1" colspan="1">RFC 8784</td>
</tr>
<tr>
<td class="text-left" rowspan="1" colspan="1">128-255</td>
<td class="text-left" rowspan="1" colspan="1">Reserved for Private Use</td>
<td class="text-left" rowspan="1" colspan="1">RFC 8784</td>
</tr>
</tbody>
</table>
</div>
<p id="section-7-5">The PPK_ID type value 0 is reserved; values 3-127 are to be assigned
by IANA; and values 128-255 are for private use among mutually consenting
parties. To register new PPK_IDs in the Unassigned range, a type name, a
value between 3 and 127, and a reference specification need to be
defined. Changes and additions to the Unassigned range of this registry
are made using the Expert Review policy <span>[<a href="#RFC8126" class="xref">RFC8126</a>]</span>. Changes and additions to the Reserved for Private Use range of
this registry are made using the Private Use policy <span>[<a href="#RFC8126" class="xref">RFC8126</a>]</span>.<a href="#section-7-5" class="pilcrow">¶</a></p>
</section>
<section id="section-8">
<h2 id="name-references">
<a href="#section-8" class="section-number selfRef">8. </a><a href="#name-references" class="section-name selfRef">References</a>
</h2>
<section id="section-8.1">
<h3 id="name-normative-references">
<a href="#section-8.1" class="section-number selfRef">8.1. </a><a href="#name-normative-references" class="section-name selfRef">Normative References</a>
</h3>
<dl class="references">
<dt id="RFC2119">[RFC2119]</dt>
<dd>
<span class="refAuthor">Bradner, S.</span>, <span class="refTitle">"Key words for use in RFCs to Indicate Requirement Levels"</span>, <span class="seriesInfo">BCP 14</span>, <span class="seriesInfo">RFC 2119</span>, <span class="seriesInfo">DOI 10.17487/RFC2119</span>, <time datetime="1997-03" class="refDate">March 1997</time>, <span><<a href="https://www.rfc-editor.org/info/rfc2119">https://www.rfc-editor.org/info/rfc2119</a>></span>. </dd>
<dd class="break"></dd>
<dt id="RFC7296">[RFC7296]</dt>
<dd>
<span class="refAuthor">Kaufman, C.</span><span class="refAuthor">, Hoffman, P.</span><span class="refAuthor">, Nir, Y.</span><span class="refAuthor">, Eronen, P.</span><span class="refAuthor">, and T. Kivinen</span>, <span class="refTitle">"Internet Key Exchange Protocol Version 2 (IKEv2)"</span>, <span class="seriesInfo">STD 79</span>, <span class="seriesInfo">RFC 7296</span>, <span class="seriesInfo">DOI 10.17487/RFC7296</span>, <time datetime="2014-10" class="refDate">October 2014</time>, <span><<a href="https://www.rfc-editor.org/info/rfc7296">https://www.rfc-editor.org/info/rfc7296</a>></span>. </dd>
<dd class="break"></dd>
<dt id="RFC8174">[RFC8174]</dt>
<dd>
<span class="refAuthor">Leiba, B.</span>, <span class="refTitle">"Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words"</span>, <span class="seriesInfo">BCP 14</span>, <span class="seriesInfo">RFC 8174</span>, <span class="seriesInfo">DOI 10.17487/RFC8174</span>, <time datetime="2017-05" class="refDate">May 2017</time>, <span><<a href="https://www.rfc-editor.org/info/rfc8174">https://www.rfc-editor.org/info/rfc8174</a>></span>. </dd>
<dd class="break"></dd>
</dl>
</section>
<section id="section-8.2">
<h3 id="name-informative-references">
<a href="#section-8.2" class="section-number selfRef">8.2. </a><a href="#name-informative-references" class="section-name selfRef">Informative References</a>
</h3>
<dl class="references">
<dt id="I-D.hoffman-c2pq">[C2PQ]</dt>
<dd>
<span class="refAuthor">Hoffman, P.</span>, <span class="refTitle">"The Transition from Classical to Post-Quantum Cryptography"</span>, <span class="refContent">Work in Progress</span>, <span class="seriesInfo">Internet-Draft, draft-hoffman-c2pq-07</span>, <time datetime="2020-05-26" class="refDate">26 May 2020</time>, <span><<a href="https://tools.ietf.org/html/draft-hoffman-c2pq-07">https://tools.ietf.org/html/draft-hoffman-c2pq-07</a>></span>. </dd>
<dd class="break"></dd>
<dt id="GROVER">[GROVER]</dt>
<dd>
<span class="refAuthor">Grover, L.</span>, <span class="refTitle">"A Fast Quantum Mechanical Algorithm for Database Search"</span>, <span class="refContent">STOC '96: Proceedings of the Twenty-Eighth Annual ACM Symposium
on the Theory of Computing, pp. 212-219"</span>, <span class="seriesInfo">DOI 10.1145/237814.237866</span>, <time datetime="1996-07" class="refDate">July 1996</time>, <span><<a href="https://doi.org/10.1145/237814.237866">https://doi.org/10.1145/237814.237866</a>></span>. </dd>
<dd class="break"></dd>
<dt id="IANA-IKEV2">[IANA-IKEV2]</dt>
<dd>
<span class="refAuthor">IANA</span>, <span class="refTitle">"Internet Key Exchange Version 2 (IKEv2) Parameters"</span>, <span><<a href="https://www.iana.org/assignments/ikev2-parameters/">https://www.iana.org/assignments/ikev2-parameters/</a>></span>. </dd>
<dd class="break"></dd>
<dt id="NISTPQCFP">[NISTPQCFP]</dt>
<dd>
<span class="refAuthor">NIST</span>, <span class="refTitle">"Submission Requirements and Evaluation Criteria for the Post-Quantum Cryptography Standardization Process"</span>, <time datetime="2016-12" class="refDate">December 2016</time>, <span><<a href="https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/call-for-proposals-final-dec-2016.pdf">https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/call-for-proposals-final-dec-2016.pdf</a>></span>. </dd>
<dd class="break"></dd>
<dt id="RFC2409">[RFC2409]</dt>
<dd>
<span class="refAuthor">Harkins, D.</span><span class="refAuthor"> and D. Carrel</span>, <span class="refTitle">"The Internet Key Exchange (IKE)"</span>, <span class="seriesInfo">RFC 2409</span>, <span class="seriesInfo">DOI 10.17487/RFC2409</span>, <time datetime="1998-11" class="refDate">November 1998</time>, <span><<a href="https://www.rfc-editor.org/info/rfc2409">https://www.rfc-editor.org/info/rfc2409</a>></span>. </dd>
<dd class="break"></dd>
<dt id="RFC4648">[RFC4648]</dt>
<dd>
<span class="refAuthor">Josefsson, S.</span>, <span class="refTitle">"The Base16, Base32, and Base64 Data Encodings"</span>, <span class="seriesInfo">RFC 4648</span>, <span class="seriesInfo">DOI 10.17487/RFC4648</span>, <time datetime="2006-10" class="refDate">October 2006</time>, <span><<a href="https://www.rfc-editor.org/info/rfc4648">https://www.rfc-editor.org/info/rfc4648</a>></span>. </dd>
<dd class="break"></dd>
<dt id="RFC6023">[RFC6023]</dt>
<dd>
<span class="refAuthor">Nir, Y.</span><span class="refAuthor">, Tschofenig, H.</span><span class="refAuthor">, Deng, H.</span><span class="refAuthor">, and R. Singh</span>, <span class="refTitle">"A Childless Initiation of the Internet Key Exchange Version 2 (IKEv2) Security Association (SA)"</span>, <span class="seriesInfo">RFC 6023</span>, <span class="seriesInfo">DOI 10.17487/RFC6023</span>, <time datetime="2010-10" class="refDate">October 2010</time>, <span><<a href="https://www.rfc-editor.org/info/rfc6023">https://www.rfc-editor.org/info/rfc6023</a>></span>. </dd>
<dd class="break"></dd>
<dt id="RFC6030">[RFC6030]</dt>
<dd>
<span class="refAuthor">Hoyer, P.</span><span class="refAuthor">, Pei, M.</span><span class="refAuthor">, and S. Machani</span>, <span class="refTitle">"Portable Symmetric Key Container (PSKC)"</span>, <span class="seriesInfo">RFC 6030</span>, <span class="seriesInfo">DOI 10.17487/RFC6030</span>, <time datetime="2010-10" class="refDate">October 2010</time>, <span><<a href="https://www.rfc-editor.org/info/rfc6030">https://www.rfc-editor.org/info/rfc6030</a>></span>. </dd>
<dd class="break"></dd>
<dt id="RFC7619">[RFC7619]</dt>
<dd>
<span class="refAuthor">Smyslov, V.</span><span class="refAuthor"> and P. Wouters</span>, <span class="refTitle">"The NULL Authentication Method in the Internet Key Exchange Protocol Version 2 (IKEv2)"</span>, <span class="seriesInfo">RFC 7619</span>, <span class="seriesInfo">DOI 10.17487/RFC7619</span>, <time datetime="2015-08" class="refDate">August 2015</time>, <span><<a href="https://www.rfc-editor.org/info/rfc7619">https://www.rfc-editor.org/info/rfc7619</a>></span>. </dd>
<dd class="break"></dd>
<dt id="RFC8019">[RFC8019]</dt>
<dd>
<span class="refAuthor">Nir, Y.</span><span class="refAuthor"> and V. Smyslov</span>, <span class="refTitle">"Protecting Internet Key Exchange Protocol Version 2 (IKEv2) Implementations from Distributed Denial-of-Service Attacks"</span>, <span class="seriesInfo">RFC 8019</span>, <span class="seriesInfo">DOI 10.17487/RFC8019</span>, <time datetime="2016-11" class="refDate">November 2016</time>, <span><<a href="https://www.rfc-editor.org/info/rfc8019">https://www.rfc-editor.org/info/rfc8019</a>></span>. </dd>
<dd class="break"></dd>
<dt id="RFC8126">[RFC8126]</dt>
<dd>
<span class="refAuthor">Cotton, M.</span><span class="refAuthor">, Leiba, B.</span><span class="refAuthor">, and T. Narten</span>, <span class="refTitle">"Guidelines for Writing an IANA Considerations Section in RFCs"</span>, <span class="seriesInfo">BCP 26</span>, <span class="seriesInfo">RFC 8126</span>, <span class="seriesInfo">DOI 10.17487/RFC8126</span>, <time datetime="2017-06" class="refDate">June 2017</time>, <span><<a href="https://www.rfc-editor.org/info/rfc8126">https://www.rfc-editor.org/info/rfc8126</a>></span>. </dd>
<dd class="break"></dd>
</dl>
</section>
</section>
<div id="app-additional">
<section id="section-appendix.a">
<h2 id="name-discussion-and-rationale">
<a href="#section-appendix.a" class="section-number selfRef">Appendix A. </a><a href="#name-discussion-and-rationale" class="section-name selfRef">Discussion and Rationale</a>
</h2>
<p id="section-appendix.a-1">The primary goal of this document is to augment the IKEv2 protocol to
provide protection against
quantum computers without requiring novel cryptographic algorithms. The idea behind this document is that while a quantum computer can easily
reconstruct the shared secret of an (EC)DH exchange, it cannot as
easily recover a secret from a symmetric exchange. This document makes the
SK_d (and thus also the IPsec KEYMAT and any subsequent IKE SA's SKEYSEED) depend
on both the symmetric PPK and the Diffie-Hellman exchange.
If we assume that the attacker knows everything except the
PPK during the key exchange and there are 2<sup>n</sup> plausible PPKs, then
a quantum computer (using Grover's algorithm) would take O(2<sup>n/2</sup>)
time to recover the PPK. So, even if the (EC)DH can be trivially
solved, the attacker still can't recover any key material
(except for the SK_ei, SK_er, SK_ai, and SK_ar values for the initial IKE exchange) unless they
can find the PPK, which is too difficult if the PPK has enough
entropy (for example, 256 bits).
Note that we do allow an attacker with a quantum computer to
rederive the keying material for the initial IKE SA; this was
a compromise to allow the responder to select the correct PPK quickly.<a href="#section-appendix.a-1" class="pilcrow">¶</a></p>
<p id="section-appendix.a-2">Another goal of this protocol is to minimize the number of changes
within the IKEv2 protocol, in particular, within the cryptography
of IKEv2. By limiting our changes to notifications and only adjusting the
SK_d, SK_pi, and SK_pr, it is hoped that this would be implementable, even
on systems that perform most of the IKEv2 processing in hardware.<a href="#section-appendix.a-2" class="pilcrow">¶</a></p>
<p id="section-appendix.a-3">A third goal is to be friendly to incremental deployment in
operational networks for which we might not want to have a global
shared key or for which quantum-secure IKEv2 is rolled out incrementally. This is
why we specifically try to allow the PPK to be dependent on the peer and
why we allow the PPK to be configured as optional.<a href="#section-appendix.a-3" class="pilcrow">¶</a></p>
<p id="section-appendix.a-4">A fourth goal is to avoid violating any of the security properties
provided by IKEv2.<a href="#section-appendix.a-4" class="pilcrow">¶</a></p>
</section>
</div>
<div id="Acknowledgements">
<section id="section-appendix.b">
<h2 id="name-acknowledgements">
<a href="#name-acknowledgements" class="section-name selfRef">Acknowledgements</a>
</h2>
<p id="section-appendix.b-1">We would like to thank <span class="contact-name">Tero Kivinen</span>, <span class="contact-name">Paul Wouters</span>, <span class="contact-name">Graham Bartlett</span>,
<span class="contact-name">Tommy Pauly</span>, <span class="contact-name">Quynh Dang</span>, and
the rest of the IPSECME Working Group for their feedback and suggestions
for the scheme.<a href="#section-appendix.b-1" class="pilcrow">¶</a></p>
</section>
</div>
<div id="authors-addresses">
<section id="section-appendix.c">
<h2 id="name-authors-addresses">
<a href="#name-authors-addresses" class="section-name selfRef">Authors' Addresses</a>
</h2>
<address class="vcard">
<div dir="auto" class="left"><span class="fn nameRole">Scott Fluhrer</span></div>
<div dir="auto" class="left"><span class="org">Cisco Systems</span></div>
<div class="email">
<span>Email:</span>
<a href="mailto:sfluhrer@cisco.com" class="email">sfluhrer@cisco.com</a>
</div>
</address>
<address class="vcard">
<div dir="auto" class="left"><span class="fn nameRole">Panos Kampanakis</span></div>
<div dir="auto" class="left"><span class="org">Cisco Systems</span></div>
<div class="email">
<span>Email:</span>
<a href="mailto:pkampana@cisco.com" class="email">pkampana@cisco.com</a>
</div>
</address>
<address class="vcard">
<div dir="auto" class="left"><span class="fn nameRole">David McGrew</span></div>
<div dir="auto" class="left"><span class="org">Cisco Systems</span></div>
<div class="email">
<span>Email:</span>
<a href="mailto:mcgrew@cisco.com" class="email">mcgrew@cisco.com</a>
</div>
</address>
<address class="vcard">
<div dir="auto" class="left"><span class="fn nameRole">Valery Smyslov</span></div>
<div dir="auto" class="left"><span class="org">ELVIS-PLUS</span></div>
<div class="tel">
<span>Phone:</span>
<a href="tel:+7%20495%20276%200211" class="tel">+7 495 276 0211</a>
</div>
<div class="email">
<span>Email:</span>
<a href="mailto:svan@elvis.ru" class="email">svan@elvis.ru</a>
</div>
</address>
</section>
</div>
<script>const toc = document.getElementById("toc");
toc.querySelector("h2").addEventListener("click", e => {
toc.classList.toggle("active");
});
toc.querySelector("nav").addEventListener("click", e => {
toc.classList.remove("active");
});
</script>
</body>
</html>
|
