IETF Logo Mail Archive

[IPsec] Re: New I-D: draft-li-ipsecme-extensions-for-robust-negotiation

Christian Vögl <Christian.Voegl@ncp-e.com> Wed, 24 June 2026 07:54 UTC

Return-Path: <christian.voegl@ncp-e.com>
X-Original-To: ipsec@mail2.ietf.org
Delivered-To: ipsec@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 2BFA1106524FE for <ipsec@mail2.ietf.org>; Wed, 24 Jun 2026 00:54:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1782287647; bh=Ei/KQERwR8HdoQQuMk9dnZdanWAhV5x8Q/RtIHTBTls=; h=From:To:Subject:Date:References:In-Reply-To; b=c4saqMItcO7vkrIfn1AbqPKC8R/GMit2Z1rACGme2Jj6ke1N6kIb69hKz6MSTgD56 vUgD0uSahHZyNUYCCf/wM/7frvVd13i4wxfOXrOXTeoAsqwsjQhIDEAQAHmvroJ+f9 YTvfCvyl835ugEa826DSvR9/Uxf5zBGT9GxC+f9M=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=ncp-e.com header.b="PWQNagDh"; dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=ncp-e.com header.b="ezcQb3Dx"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id phsUbCrYyv9s for <ipsec@mail2.ietf.org>; Wed, 24 Jun 2026 00:54:06 -0700 (PDT)
Received: from mail.ncp-e.com (mail.ncp-e.com [62.153.165.35]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id E8AEA106524F4 for <ipsec@ietf.org>; Wed, 24 Jun 2026 00:54:05 -0700 (PDT)
DKIM-Signature: v=1; c=relaxed/relaxed; d=ncp-e.com; s=defaultr; t=1782287638; bh=eoHxI1AV7Xx+SxVbGFvPzjHdhAFHDMTvUzYk8oaYZcA=; h= Subject:Subject:From:From:Date:Date:ReplyTo:ReplyTo:Cc:Cc:Message-Id:Message-Id; a=rsa-sha256; b= PWQNagDhcVGVsi569k0jaVoKhpM4sosDi9m0NXJc3v1RA7gPuxfHm6rX64DZdPSxAkUnOGrZNFZhNFQWvd/YXTm6AjgkkKOklazYTltsSeoD37lHks05BNGY829jqo+z0G17b/4a8pdXyzNlQK6S+yla0G/W4hSeMfkqXvSFP0E=
DKIM-Signature: v=1; c=relaxed/relaxed; d=ncp-e.com; s=defaulte; t=1782287638; bh=eoHxI1AV7Xx+SxVbGFvPzjHdhAFHDMTvUzYk8oaYZcA=; h= Subject:Subject:From:From:Date:Date:ReplyTo:ReplyTo:Cc:Cc:Message-Id:Message-Id; a=ed25519-sha256; b= ezcQb3Dxs4KZ8DrChpLNgFadd7Hv2qjI8oEbWzl5rmX0MfGYuwfEH+hv1uMbQSte3l+aKJCjcRod1hZr9mcZCQ==
Content-Type: multipart/signed; boundary="NoSpamProxy_0a9d19ca-a1d0-468c-8d6c-8a358faee27d"; protocol="application/pkcs7-signature"; micalg="sha256"
From: Christian Vögl <Christian.Voegl@ncp-e.com>
To: "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: [IPsec] Re: New I-D: draft-li-ipsecme-extensions-for-robust-negotiation
Thread-Index: AQHdAlLPtJPfEk38CUGenzS3VsDTqLZKkmMAgAAdY4CAAIeJgIAAUrrvgAB7Z4CAAAXkAIAAw1qAgACGDYA=
Date: Wed, 24 Jun 2026 07:53:45 +0000
Message-ID: <d1b99dcd8a45452f9303e31e154dd51f@ncp-e.com>
References: <c2a5224ed5064e71954ad456584ec292@huawei.com> <CAK08nYZ7jzSCcbA_QZwB1sTU+e7bnDTxX7osT8L3Hf+YdjhY3A@mail.gmail.com> <SA1PR18MB5692EB9EA4BC0FE272488215CAE52@SA1PR18MB5692.namprd18.prod.outlook.com> <CAK08nYbG01Qz9SdmBMip8441Uf3SfmfvbSS4=6-KkkgThVvP8w@mail.gmail.com> <024e315bc2d84e318514378f1ea3fcbe@huawei.com> <CAK08nYYs8VOvahXeRLHvXVejhRuPjiH8VNQS3QvzGw14ErS33Q@mail.gmail.com> <17fc098b-0e3c-1818-0048-3046120fdb93@nohats.ca> <CAK08nYZJuhYVzjBfGSpyMJXOgCE+_nzJedRJxdwcz9MfzTx2Jw@mail.gmail.com> <6a3a0095.23eca271.2ab982.a197SMTPIN_ADDED_BROKEN@mx.google.com> <CAK08nYZmStvQX5BMGuA8H3b4tkF93TFi0cvcX4a+fF+tWuewgQ@mail.gmail.com> <CAJeAr6sYo8=6r8TFaF7cMeO1rXmOCdNb+v3anh-MSbWwzeSbZw@mail.gmail.com> <CAK08nYbgBrGwkw=H_MGj9PhiO3UPQENSGQd6zY4n4=G4RSoTeA@mail.gmail.com> <3200ca0bd4754e819a90dd6aee6fe95b@huawei.com>
In-Reply-To: <3200ca0bd4754e819a90dd6aee6fe95b@huawei.com>
Accept-Language: de-DE, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-c2processedorg: 9967f5a3-a146-4287-bbaa-84cba262ed0f
MIME-Version: 1.0
X-CrossPremisesHeadersFilteredBySendConnector: ex19.ncp.local
X-OrganizationHeadersPreserved: ex19.ncp.local
Message-ID-Hash: BQOU4IXGYGQ4XWWHHHMP2OB5KJ3ZNHNN
X-Message-ID-Hash: BQOU4IXGYGQ4XWWHHHMP2OB5KJ3ZNHNN
X-MailFrom: christian.voegl@ncp-e.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-ipsec.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [IPsec] Re: New I-D: draft-li-ipsecme-extensions-for-robust-negotiation
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/OCsZspg8hTxVk8BBWdSZFMWjlZ4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Owner: <mailto:ipsec-owner@ietf.org>
List-Post: <mailto:ipsec@ietf.org>
List-Subscribe: <mailto:ipsec-join@ietf.org>
List-Unsubscribe: <mailto:ipsec-leave@ietf.org>

Hi,

I don’t think there is a problem with that proposal. In RFC9370 I could only find that requirement for the responder’s choice. Additionally section 2.2.1 has an example exchange with
ADDKE2=PQ_KEM1, PQ_KEM_2
ADDKE3= PQ_KEM1, PQ_KEM_2

Christian

From: Wang Guilin <Wang.Guilin=40huawei.com@dmarc.ietf.org>
Sent: Wednesday, 24 June 2026 03:40
To: Songbo Bu <king347608@gmail.com>; Andrew Cagney <andrew.cagney@gmail.com>
Cc: paul@nohats.ca; lilun (F) <lilun20@huawei.com>; xiw@fortinet.com; ipsec@ietf.org; Wang Guilin <Wang.Guilin@huawei.com>
Subject: [IPsec] Re: New I-D: draft-li-ipsecme-extensions-for-robust-negotiation

Got a little confused.

What I know is, according to RFC 9370, the initiator is not allowed to prepare the following ADDKEs, as beside NONE, any other KEM cannot be duplicated in two or multiple ADDKEs.

addke1=kem1,kem2
addke2=kem1,kem2,none
Guilin

From: Songbo Bu <king347608@gmail.com<mailto:king347608@gmail.com>>
Sent: Tuesday, 23 June 2026 10:01 pm
To: Andrew Cagney <andrew.cagney@gmail.com<mailto:andrew.cagney@gmail.com>>
Cc: Wang Guilin <Wang.Guilin@huawei.com<mailto:Wang.Guilin@huawei.com>>; paul@nohats.ca<mailto:paul@nohats.ca>; lilun (F) <lilun20@huawei.com<mailto:lilun20@huawei.com>>; xiw@fortinet.com<mailto:xiw@fortinet.com>; ipsec@ietf.org<mailto:ipsec@ietf.org>
Subject: Re: [IPsec] Re: New I-D: draft-li-ipsecme-extensions-for-robust-negotiation


Hi Andrew,

Yes, I think you are right. I was reading that case too narrowly.

With:
ADDKE1 = { PQ_KEM_1, PQ_KEM_2 } ADDKE2 = { PQ_KEM_1, PQ_KEM_2, NONE }

the responder can express the outcomes I had in mind, assuming the normal RFC 9370 rule that the selected non-NONE algorithms are not duplicated:

  *   both: select PQ_KEM_1 in one ADDKE slot and PQ_KEM_2 in the other;
  *   only PQ_KEM_1: select PQ_KEM_1 and NONE;
  *   only PQ_KEM_2: select PQ_KEM_2 and NONE.

So I would retract my “not directly expressible” phrasing for that row.

The remaining implementation-facing point still seems useful: if the initiator’s intent is “one mandatory from this set, plus at most one optional additional method from the same set”, it should encode that with an explicit NONE in the optional ADDKE slot, not by sending repeated mandatory ADDKE lists and expecting the responder to repair them. A responder should still reject outcomes that require duplicated non-NONE algorithms or an implicit NONE that was not proposed.

Best,
Songbo

On Tue, 23 Jun 2026 09:40:09 -0400, Andrew Cagney andrew.cagney@gmail.com<mailto:andrew.cagney@gmail.com> wrote:

  *   both-or-one, meaning (PQ_KEM_1 AND PQ_KEM_2) OR PQ_KEM_1 OR PQ_KEM_2: not directly expressible as one RFC 9370 proposal, as far
as I can tell.

addke1=kem1,kem2
addke2=kem1,kem2,none
?

v2.46.0 | Report a Bug | By Email | System Status