[IPsec] IPsec with QKD

Rodney Van Meter <rdv@sfc.wide.ad.jp> Sun, 08 November 2009 04:17 UTC


Shota Nagayama and I have been experimenting with using keys generated by quantum key distribution (QKD) devices to key IPsec tunnels. (The devices we used were borrowed from NEC, but we don't claim to represent them.)

We have written an I-D on the protocol modifications necessary, and are here in Hiroshima to discuss it.

For those who are interested, we have created a mailing list, which you can join:

Products for QKD already exist, and various experiments are underway, including a large one called SECOQC in Europe; the Japanese and U.S. governments also have sunk a lot of money into QKD. The European effort, in particular, is committed to standardizing many parts of QKD through the ITU.

Although the existing products do not yet support IKE/IPsec (to the best of my knowledge, though things change), at least two implementations already exist, ours and BBN's (as described in Chip Elliott's SIGCOMM 2003 paper), as well as a recent paper by Sheila Frankel and collaborators at NIST. Now seems to be the time to create at least an experimental RFC on the topic, to minimize confusion and incompatibility; IETF, rather than ITU, would definitely be the place to standardize the changes to IKE. Although our protocol is unfortunately incompatible with BBN's, Chip has encouraged us to pursue an RFC.

At a protocol level, the changes are actually minimal; essentially, the addition of two types of Payload Headers. There may still be some corners in the contents of messages and assumptions required to guarantee security; we look forward to hashing some of those out in

Please track us down here in Hiroshima; Shota and I will both be here until after the IPSECME meeting on Thursday.

Rodney Van Meter
assistant professor, Faculty of Environment and Information Studies, Keio University, Japan