Last Call: <draft-ietf-ipsecme-ikev2-qr-alt-07.txt> (Mixing Preshared Keys in the IKE_INTERMEDIATE and in the CREATE_CHILD_SA Exchanges of IKEv2 for Post-quantum Security) to Proposed Standard
The IESG <iesg-secretary@ietf.org> Thu, 20 March 2025 04:19 UTC
Return-Path: <iesg-secretary@ietf.org>
X-Original-To: ietf-announce@ietf.org
Delivered-To: ietf-announce@mail2.ietf.org
Received: from [10.244.8.216] (unknown [104.131.183.230]) by mail2.ietf.org (Postfix) with ESMTP id 1BA17F48FD6; Wed, 19 Mar 2025 21:19:34 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Subject: Last Call: <draft-ietf-ipsecme-ikev2-qr-alt-07.txt> (Mixing Preshared Keys in the IKE_INTERMEDIATE and in the CREATE_CHILD_SA Exchanges of IKEv2 for Post-quantum Security) to Proposed Standard
X-Test-IDTracker: no
X-IETF-IDTracker: 12.37.0
Auto-Submitted: auto-generated
Precedence: bulk
Sender: iesg-secretary@ietf.org
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-ID: <174244437393.809125.6979014216737899644@dt-datatracker-5b9b68c5b6-zxk6z>
Date: Wed, 19 Mar 2025 21:19:33 -0700
Message-ID-Hash: QKJSMT4EQQQ5ZHRHT26HBJ7WIRXU3TW5
X-Message-ID-Hash: QKJSMT4EQQQ5ZHRHT26HBJ7WIRXU3TW5
X-MailFrom: iesg-secretary@ietf.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-ietf-announce.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: draft-ietf-ipsecme-ikev2-qr-alt@ietf.org, ipsec@ietf.org, ipsecme-chairs@ietf.org
X-Mailman-Version: 3.3.9rc6
Reply-To: last-call@ietf.org
List-Id: "IETF announcement list. No discussions." <ietf-announce.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-announce/m6fr9mqDZhNSoLpi2HbRj1CYrno>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-announce>
List-Help: <mailto:ietf-announce-request@ietf.org?subject=help>
List-Owner: <mailto:ietf-announce-owner@ietf.org>
List-Post: <mailto:ietf-announce@ietf.org>
List-Subscribe: <mailto:ietf-announce-join@ietf.org>
List-Unsubscribe: <mailto:ietf-announce-leave@ietf.org>
The IESG has received a request from the IP Security Maintenance and Extensions WG (ipsecme) to consider the following document: - 'Mixing Preshared Keys in the IKE_INTERMEDIATE and in the CREATE_CHILD_SA Exchanges of IKEv2 for Post-quantum Security' <draft-ietf-ipsecme-ikev2-qr-alt-07.txt> as Proposed Standard The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the last-call@ietf.org mailing lists by 2025-04-02. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting. Abstract An Internet Key Exchange protocol version 2 (IKEv2) extension defined in RFC8784 allows IPsec traffic to be protected against someone storing VPN communications today and decrypting them later, when (and if) cryptographically relevant quantum computers are available. The protection is achieved by means of Post-quantum Preshared Key (PPK) which is mixed into the session keys calculation. However, this protection doesn't cover an initial IKEv2 SA, which might be unacceptable in some scenarios. This specification defines an alternative way to get protection against quantum computers, which is similar to the solution defined in RFC8784, but protects the initial IKEv2 SA too. RFC8784 assumes that PPKs are static and thus they are only used when an initial IKEv2 Security Association (SA) is created. If a fresh PPK is available before the IKE SA expired, then the only way to use it is to delete the current IKE SA and create a new one from scratch, which is inefficient. This specification defines a way to use PPKs in active IKEv2 SAs for creating additional IPsec SAs and rekey operations. The file can be obtained via https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-qr-alt/ No IPR declarations have been submitted directly on this I-D.