Re: [IPsec] Assessing Support for draft-smyslov-ipsecme-ikev2-qr-alt

Valery Smyslov <smyslov.ietf@gmail.com> Tue, 20 December 2022 11:47 UTC

From: Valery Smyslov <smyslov.ietf@gmail.com>
To: 'Rebecca Guthrie' <rmguthr=40uwe.nsa.gov@dmarc.ietf.org>, ipsec@ietf.org
Date: Tue, 20 Dec 2022 14:45:59 +0300
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/tH41H1Gpr_SetmVAxNVtl84kWfo>

Hi all,

the draft's original goal was to provide a way for G-IKEv2 to make hassle-free use of PPK (in G-IKEv2 sensitive information is transferred at the time the initial IKE SA is created). However, the draft is not tied to G-IKEv2 and can be used with IKEv2 when you need the initial IKE SA to be secured with PPK.

The draft was presented at IETF 106:
https://datatracker.ietf.org/meeting/106/materials/slides-106-ipsecme-an-alternative-approach-for-postquantum-preshared-keys-in-ikev2-00

As the draft's author, I obviously will support its adoption if the adoption call is issued by the chairs.
As someone who implemented it, I confirm that it's easy, given you have already implemented RFC 8784 and 9242.

Regards,
Valery.

Greetings all,

DoD has customers who are interested in incorporating a PSK into the initial IKEv2 SA. While RFC 8784 already defines a PSK mechanism, the PSK is not rolled into the encryption until creation of the first Child SA. On the other hand, Alternative Approach for Mixing Preshared Keys in IKEv2 for Post-Quantum Security (draft-smyslov-ipsecme-ikev2-qr-alt) proposes a mechanism for incorporating a PSK that leverages RFC 9242's Intermediate Exchange in order to enable use of the PSK prior to IKE_AUTH. While RFC 8784 is useful as an immediate post-quantum solution, the proposed mechanism in draft-smyslov-ipsecme-ikev2-qr-alt provides PSK-fortified confidentiality earlier in the IKEv2 exchanges, and is simple to implement (given existing support for RFC 9242).

I support the adoption of this draft, and am willing to contribute as a reviewer. Would the WG be interested in adopting this draft?

Rebecca Guthrie
she/her
Center for Cybersecurity Standards (CCSS)
Cybersecurity Collaboration Center (CCC)
National Security Agency (NSA)
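
The RFC 8784 behaviour discussed in this thread (the PPK reaches the Child SA keys but not the keys protecting the initial IKE SA) can be checked with the added example below, which is not part of either message and not code from the draft. It assumes PRF_HMAC_SHA2_256 and a 32-byte length for every SK_* key; the nonces, SPIs, shared secret and PPK values are constructed, and the function names are hypothetical.

```python
import hashlib
import hmac

KLEN = 32  # assumption: every SK_* key is 32 bytes in this sketch
NAMES = ("SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr")

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    # RFC 7296 prf+: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([i]))
        out += t
        i += 1
    return out[:length]

def ike_sa_keys(ni, nr, shared, spi_i, spi_r):
    # RFC 7296: SKEYSEED = prf(Ni|Nr, g^ir), then one prf+ stream cut into keys
    skeyseed = prf(ni + nr, shared)
    stream = prf_plus(skeyseed, ni + nr + spi_i + spi_r, KLEN * len(NAMES))
    return {n: stream[k * KLEN:(k + 1) * KLEN] for k, n in enumerate(NAMES)}

def mix_ppk_rfc8784(keys, ppk):
    # RFC 8784: only SK_d, SK_pi and SK_pr are re-derived as prf+(PPK, SK_x')
    mixed = dict(keys)
    for n in ("SK_d", "SK_pi", "SK_pr"):
        mixed[n] = prf_plus(ppk, keys[n], KLEN)
    return mixed

def child_keymat(keys, ni, nr, length=64):
    # RFC 7296: first Child SA KEYMAT = prf+(SK_d, Ni|Nr)
    return prf_plus(keys["SK_d"], ni + nr, length)

def ppk_dependent_keys():
    # Constructed sample values, not taken from any real exchange.
    ni, nr = b"\x11" * 32, b"\x22" * 32
    spi_i, spi_r = b"\x01" * 8, b"\x02" * 8
    base = ike_sa_keys(ni, nr, b"constructed-dh-shared-secret", spi_i, spi_r)
    a = mix_ppk_rfc8784(base, b"constructed-ppk-A")
    b = mix_ppk_rfc8784(base, b"constructed-ppk-B")
    changed = {n for n in NAMES if a[n] != b[n]}
    if child_keymat(a, ni, nr) != child_keymat(b, ni, nr):
        changed.add("KEYMAT")
    return changed

if __name__ == "__main__":
    print(sorted(ppk_dependent_keys()))
```

SK_ei, SK_er, SK_ai and SK_ar do not appear in the result: the keys that encrypt and authenticate IKE_AUTH are the same whatever the PPK is.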