IETF Logo Mail Archive

Re: [IPsec] New Version Notification for draft-kampanakis-ml-kem-ikev2-00.txt

"Kampanakis, Panos" <kpanos@amazon.com> Tue, 20 February 2024 16:02 UTC

Return-Path: <prvs=773ec6dfa=kpanos@amazon.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A353C18DB8A for <ipsec@ietfa.amsl.com>; Tue, 20 Feb 2024 08:02:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.102
X-Spam-Level:
X-Spam-Status: No, score=-7.102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazon.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 39Ap51cN9XaE for <ipsec@ietfa.amsl.com>; Tue, 20 Feb 2024 08:02:04 -0800 (PST)
Received: from smtp-fw-52005.amazon.com (smtp-fw-52005.amazon.com [52.119.213.156]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3671EC18DB87 for <ipsec@ietf.org>; Tue, 20 Feb 2024 08:01:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1708444914; x=1739980914; h=from:to:cc:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version:subject; bh=1YddyharQOrVyKANrEPbvW4hNrmrWwg9sF+RI9/as8M=; b=vjo75Ys4RFUsBN42Jp0ACqSUyrj5wwpocb+Nc5dcyP8k38h5k9SBBIRW MBJT1YMidP9WiWum49vTmELhS0mhhSoyDNGxBWhnL3HfUPS4TRJkDO6rN hJJXsf4+3DoBDPKI04iLgh6/v2WJwCvWGPdN2dLLlZdxwcq/6qImSPZU5 M=;
X-IronPort-AV: E=Sophos;i="6.06,174,1705363200"; d="scan'208";a="635457869"
Thread-Topic: [IPsec] New Version Notification for draft-kampanakis-ml-kem-ikev2-00.txt
Received: from iad12-co-svc-p1-lb1-vlan3.amazon.com (HELO smtpout.prod.us-east-1.prod.farcaster.email.amazon.dev) ([10.43.8.6]) by smtp-border-fw-52005.iad7.amazon.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 20 Feb 2024 16:01:52 +0000
Received: from EX19MTAUEC001.ant.amazon.com [10.0.0.204:22061] by smtpin.naws.us-east-1.prod.farcaster.email.amazon.dev [10.0.39.36:2525] with esmtp (Farcaster) id 989be6d9-ffb6-460b-a69b-1a27b25acdf6; Tue, 20 Feb 2024 16:01:51 +0000 (UTC)
X-Farcaster-Flow-ID: 989be6d9-ffb6-460b-a69b-1a27b25acdf6
Received: from EX19D012UEC001.ant.amazon.com (10.252.135.206) by EX19MTAUEC001.ant.amazon.com (10.252.135.222) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.40; Tue, 20 Feb 2024 16:01:50 +0000
Received: from EX19D001ANA001.ant.amazon.com (10.37.240.156) by EX19D012UEC001.ant.amazon.com (10.252.135.206) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) id 15.2.1118.40; Tue, 20 Feb 2024 16:01:49 +0000
Received: from EX19D001ANA001.ant.amazon.com ([fe80::4f78:75cd:3117:8055]) by EX19D001ANA001.ant.amazon.com ([fe80::4f78:75cd:3117:8055%5]) with mapi id 15.02.1258.028; Tue, 20 Feb 2024 16:01:48 +0000
From: "Kampanakis, Panos" <kpanos@amazon.com>
To: Ben S3 <ben.s3@ncsc.gov.uk>, "ipsec@ietf.org" <ipsec@ietf.org>
CC: "Ravago, Gerardo" <gcr@amazon.com>
Thread-Index: AdoV2DEatnwaqH0lRluk3MJn/eiLLQ5m1T2ABKrkfiAAb6HIgAANk2Sg
Date: Tue, 20 Feb 2024 16:01:48 +0000
Message-ID: <89c4793cf00c451b9ab9c471e445f95e@amazon.com>
References: <a7235519ec6f4a4a93574108390c8095@amazon.com> <LO4P123MB63568D57DEB3E3ED1228A666807A2@LO4P123MB6356.GBRP123.PROD.OUTLOOK.COM> <4fb2ffeb1d26409eb9b1c2fdea8e0468@amazon.com> <LO4P123MB6662465C9BD0D466FAD356BF80502@LO4P123MB6662.GBRP123.PROD.OUTLOOK.COM>
In-Reply-To: <LO4P123MB6662465C9BD0D466FAD356BF80502@LO4P123MB6662.GBRP123.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.37.240.200]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/tpUcoLEpDpspmxEXgMqykLcoYYQ>
Subject: Re: [IPsec] New Version Notification for draft-kampanakis-ml-kem-ikev2-00.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Feb 2024 16:02:05 -0000

Hi Ben, 

Good catch. You are right. I was reading rfc9370 wrong
" For the methods that require multiple round trips, a separate document should define how such methods are split into several IKE_FOLLOWUP_KE exchanges. "

But that applies to IKE_INTERMEDIATE as well and it is not related to IKEv2 fragmentation. I fixed it in the git repo. It will now read 

   ML-KEM-768 and ML-KEM-1024 public keys and ciphertexts can exceed
   typical network MTUs (1500 bytes).  Thus, IKE_INTERMEDIATE or
   IKE_FOLLOWUP_KE messages carrying ML-KEM public keys and ciphertexts
   may be IKEv2 fragmented as per [RFC7383]. [ EDNOTE: Consider adding
   ML-KEM-512 which would fit in one packet. ]

   Although, this document focuses on using ML-KEM as the second key
   exchange in a PQ/T Hybrid KEM
   [I-D.ietf-pquip-pqt-hybrid-terminology-02] scenario, ML-KEM-768 Key
   Exchange Method identifier TBD36 MAY be used in IKE_SA_INIT as a
   quantum-resistant-only key exchange because the encapsulation key is
   1184 bytes, which assuming an additional 250 bytes of IKE header
   data, can fit in typical network MTUs of 1500 bytes.  [EDNOTE:
   Confirm it fits the MTU with captures.]  ML-KEM-1024 Key Exchange
   Method identifier TBD37 SHOULD NOT be used in IKE_SA_INIT messages
   which could exceed typical network MTUs and cannot be IKEv2
   fragmented. [ EDNOTE: Consider adding ML-KEM-512 which would fit in
   one packet. ]

It will be in the next -03 version. 



-----Original Message-----
From: Ben S3 <ben.s3@ncsc.gov.uk> 
Sent: Tuesday, February 20, 2024 4:17 AM
To: Kampanakis, Panos <kpanos@amazon.com>; ipsec@ietf.org
Cc: Ravago, Gerardo <gcr@amazon.com>
Subject: RE: [EXTERNAL] [IPsec] New Version Notification for draft-kampanakis-ml-kem-ikev2-00.txt

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.



Hi Panos,

Looks good! And perhaps we can discuss the last point in Brisbane.

Just looking at section 2.1:
> IKE_FOLLOWUP_KE messages carrying ML-KEM public keys and ciphertexts cannot be IKEv2 fragmented.

Is this true? RFC7383 Section 2.2 states: "the original message can be fragmented if and only if it contains an Encrypted payload", and IKE_FOLLOWUP_KE exchanges contain such an Encrypted payload protected with the previously-established SKs, as per RFC9370 Section 2.2.4.

- Ben S

-----Original Message-----
From: Kampanakis, Panos <kpanos=40amazon.com@dmarc.ietf.org>
Sent: Tuesday, February 20, 2024 4:26 AM
To: Ben S3 <ben.s3@ncsc.gov.uk>; ipsec@ietf.org
Cc: Ravago, Gerardo <gcr@amazon.com>
Subject: RE: [IPsec] New Version Notification for draft-kampanakis-ml-kem-ikev2-00.txt

[You don't often get email from kpanos=40amazon.com@dmarc.ietf.org. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ]

Hi Ben,

In the just submitted -02 version, I fixed (I think) all points you brought up except for the last one. https://datatracker.ietf.org/doc/html/draft-kampanakis-ml-kem-ikev2-02

I do not think we need a new draft for a IKEv2 combiner.

I also added EDNOTEs about adding ML-KEM-512 in the future if the WG converges that direction.

Thank you for the feedback. Hopefully IPSECME will discuss this draft in Brisbane.



-----Original Message-----
From: IPsec <ipsec-bounces@ietf.org> On Behalf Of Ben S3
Sent: Thursday, January 25, 2024 4:48 AM
To: Kampanakis, Panos <kpanos@amazon.com>; ipsec@ietf.org
Cc: Ravago, Gerardo <gcr@amazon.com>
Subject: RE: [EXTERNAL] [IPsec] New Version Notification for draft-kampanakis-ml-kem-ikev2-00.txt

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.



Hi Panos,

Thanks for producing this draft, it'll obviously be very important going forward. A few thoughts on v01 below:

Abstract states:
> [...] theoretical weaknesses in ML-KEM as it is relatively new.
This line won't age well - it won't be "relatively new" in 10 years' time. Should this come with something saying "at time of writing" or similar?

Section 2.1 states:
> [ML-KEM-1024] SHOULD NOT be used in IKE_SA_INIT because they could often be introducing IP fragmentation which is not possible in IKE_SA_INIT exchanges.
IP fragmentation is possible in IKE_SA_INIT exchanges, just not IKE fragmentation (as in RFC 7383).

Is it worth registering a code point for ML-KEM-512 in this draft, for those that want to use it? Looking at the recent flurry of activity around diet-ESP, it seems to me there's interest in running IPsec in constrained settings, which may want to use the smallest secure option available.

This draft is focused almost entirely on using (EC)DH in the IKE_SA_INIT, and ML-KEM in the IKE_INTERMEDIATE.  This implicitly restricts the use case of using a non-(EC)DH algorithm in the IKE_SA_INIT (e.g. another future PQ-KEM). My view is that the draft should be agnostic on what the algorithm in the IKE_SA_INIT is. It also doesn't allow for using ML-KEM in an IKE_FOLLOWUP_KE as per RFC9370, which should be an option.

In fact, since I imagine any future PQ-KEMs will have similar hybrid requirements to ML-KEM, I wonder whether it would make sense for there to be two drafts - a very simple one for ML-KEM registering code points, and a generic draft along the lines of "Use of Post-Quantum Key Encapsulation Mechanisms in IKE". In my mind, this would include info on how KEMs work in a key exchange payload (as opposed to DH - i.e. the second paragraph of section 2.1), as well as recommendations on using a hybrid key exchange.

- Ben S

-----Original Message-----
From: Kampanakis, Panos <kpanos@amazon.com>
Sent: Monday, November 13, 2023 2:22 AM
To: IPsecME WG <ipsec@ietf.org>
Cc: Ravago, Gerardo <gcr@amazon.com>
Subject: [IPsec] New Version Notification for draft-kampanakis-ml-kem-ikev2-00.txt

Hi all,

https://datatracker.ietf.org/doc/draft-kampanakis-ml-kem-ikev2/
This new draft brings ML-KEM to IKEv2 by using RFC 9370. It basically says how ML-KEM will be negotiated as an additional Key Exchange and requests codepoints for ML-KEM. The intention is not to get temporary codepoints like we did with Kyber in TLS. We are close to the final specs, so codepoints next year would suffice.

It could be a standards track draft given that ML-KEM will see a lot of adoption, an AD sponsored draft, or even an individual stable draft which gets codepoints from Expert Review.  The approach is to be decided by the IPSECME WG.

Feedback is welcome.

Thx,
Panos


~~~
A new version of Internet-Draft draft-kampanakis-ml-kem-ikev2-00.txt has been successfully submitted by Panos Kampanakis and posted to the IETF repository.

Name:     draft-kampanakis-ml-kem-ikev2
Revision: 00
Title:    Post-quantum Hybrid Key Exchange with ML-KEM in the Internet Key Exchange Protocol Version 2 (IKEv2)
Date:     2023-11-12
Group:    Individual Submission
Pages:    11
URL:      https://www.ietf.org/archive/id/draft-kampanakis-ml-kem-ikev2-00.txt
Status:   https://datatracker.ietf.org/doc/draft-kampanakis-ml-kem-ikev2/
HTML:     https://www.ietf.org/archive/id/draft-kampanakis-ml-kem-ikev2-00.html
HTMLized: https://datatracker.ietf.org/doc/html/draft-kampanakis-ml-kem-ikev2


Abstract:

   [EDNOTE: The intention of this draft is to get IANA KE codepoints for
   ML-KEM.  It could be a standards track draft given that ML-KEM will
   see a lot of adoption, an AD sponsored draft, or even a individual
   stable draft which gets codepoints from Expert Review.  The approach
   is to be decided by the IPSECME WG. ]

   NIST recently standardized ML-KEM, a new key encapsulation mechanism,
   which can be used for quantum-resistant key establishment.  This
   draft specifies how to use ML-KEM as an additionall key exchange
   mechanism in IKEv2 along with traditional (Elliptic Curve) Diffie-
   Hellman.  This hybrid approach allows for negotiating IKE and Child
   SA keys which are safe against cryptanalytically-relevant quantum
   computers and theoretical weaknesses in ML-KEM as it is relatively
   new.



The IETF Secretariat


_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email