[IPsec] Re: FW: New Version Notification for draft-sfluhrer-ipsecme-ikev2-mldsa-00.txt

"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Mon, 10 February 2025 21:17 UTC

IronPort-PHdr: A9a23:LgulQB2PvZeO0jr7smDPmlBlVkEcU/3cJAUZ7N8gk71RN//l9JX5N 0uZ7vJo3xfFXoTevupNkPGe87vhVmoJ/YubvTgcfYZNWR4IhYRenwEpDMOfT0yuBPXrdCc9W s9FUTdY
IronPort-Data: A9a23:j6M/86kyCJd85B/B81bGh17o5gzHJ0RdPkR7XQ2eYbSJt1+Wr1Gzt xIYWm/TO/zbMzP9KNh1bIrj/UgF7MKHmIdlSlM6/31nEVtH+JHPbTi7wugcHM8zwunrFh8PA xA2M4GYRCwMZiaC4E/rav658CEUOZigHtLUEPTDNj16WThqQSIgjQMLs+Mii+aEu/Dha++2k Y20+pa31GONgWYubzpOsvrb8nuDgdyr0N8mlg1mDRx0lAe2e0k9VPo3Oay3Jn3kdYhYdsbSb /rD1ryw4lTC9B4rDN6/+p6jGqHdauePVeQmoiM+t5mK2nCulARrukoIHKZ0hXNsttm8t4sZJ OOhGnCHYVxB0qXkwIzxWvTDes10FfUuFLTveRBTvSEPpqHLWyOE/hlgMK05FZUZosl0QkhOz 8cnOXcWQQ6inMKrmq3uH4GAhux7RCXqFIobvnclyXTSCuwrBMiaBa7L/tRfmjw3g6iiH96HO JFfMmQpNUqGOkYfUrsUIMpWcOOAnXf7bj1CpUi9rqss6G+Vxwt0uFToGIaPKoPXGpQIxy50o Eqcwn7SBDFLOefA6haq8W3ynLHL2hrSDdd6+LqQs6QCbEeo7m0LExAdfVq2vff/jVSxM++zM GQd/i4o6Kx3/0uxQ5ylBluzoWWPuVgXXN84//AG1TxhA5H8um6xLmMFVTVGLtchsacLqfYCj DdlQ/uB6eRTjYCo
IronPort-HdrOrdr: A9a23:M7tn3ayZD18+JHhcwaMKKrPxfugkLtp133Aq2lEZdPULSL36qy n+ppQmPEHP6Qr5AEtQ5uxoWJPtfZquz+8K3WBxB8buYOCIghrSEGgP1/qH/9SkIVyDygc/79 YtT0EdMqyLMbESt6+Ti2fIcadE/DDEytHUuQ609QYKcegeUdAZ0+4PMHfjLqQZfnggObMJUL Cnyo5soT2mdX4LbsK9KEUkcoH4zeHjpdbNWzJDIwQoxjWvoFqThYISFSL24j4uFxd0hZsy+2 nMlAL0oo+5teug9xPa32jPq7xLhdrI0LJ4dYKxo/lQDg+pphejZYxnVbHHlisyuvuT5FEjl8 SJiws8Pv5092jacgiO0FrQMkjboXYTAk3ZuB2laEjY0InErfUBeo58bLdiA1jkAowbzZZBOe xwriSkXtFsfGL9dWzGlqj1vldR5wWJSb5Iq59Ks5SZOrFuMYN5vMgR+lhYH4wHGz+/4Ic7EP N2BMWZ//pOd0iGBkqp9lWH7ebcKEjbJC32C3Qqq4iQyXxbjXp5x0wXyIgWmWoB7os0T91B6/ 7fOqplmblSRotOBJgNTtspUI+yECjAUBjMOGWdLRDuE7wGIWvEr9ry7K8u7O+ndZQUxN85mY jHUllfqWkuEnieQvGmzdlO6FTAUW+9VTPixoVX4IV4oKT1QP7xPSiKWDkV4rydSjUkc7nmst qISedr6qXYXBjT8K5yrn/DZ6U=
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Daniel Van Geest <daniel.vangeest=40cryptonext-security.com@dmarc.ietf.org>, "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: [IPsec] FW: New Version Notification for draft-sfluhrer-ipsecme-ikev2-mldsa-00.txt
Thread-Index: AQHbdBKWyaMv1Nyjd0CdfV7Uih2oKLMxRzMQgA984gCAAFWHEA==
Date: Mon, 10 Feb 2025 21:16:59 +0000
Message-ID: <CH0PR11MB5444354D8BDF3A1081819F90C1F22@CH0PR11MB5444.namprd11.prod.outlook.com>
References: <173835008260.58904.3312254574955629084@dt-datatracker-6f7f8bdd64-4ngzm> <CH0PR11MB5444CA907AA74178925254C7C1E82@CH0PR11MB5444.namprd11.prod.outlook.com> <bebb222b-7a35-43f1-aaf9-c3be4ed742a2@cryptonext-security.com>
In-Reply-To: <bebb222b-7a35-43f1-aaf9-c3be4ed742a2@cryptonext-security.com>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: /jtDKxJ5U2A78+eJJcw0KjlhpJnvzHfDqCKh1R9PAAoHZTRo57iYUf/citQF4i8DDKEIIIsCDixCAZywiAh0Bjfn8em+I2LQDluLPXsBBVcJEdij7YssKBOaczepy85SyHSdaMToHC+idlBhNXFXScmq5ukZ9y3zWj0WJ39/usvKmt7DY3PnoJTlipsvqvihP5MhAVVL2lHvS8EPaGWFQkoeEEoDOs7/2EB501Xqvl9dhndGz9dxcEqkz2kqVLgqiIggJ14PeO9l2hFXOjr9n1bkgtOSYOtAcGtgGkRrxjKKvrY0NRtBq5+4PyKnBpEgGIFBuKslWwSJaKBZ0vwNaHr9L7go7zp6aMYKnciWUabNtnGEDOX/nS3MCyIju9CpuJeUSHvN0QoxahvcahszzTRrpf7qED4MS291qX6bEC07c39KWBba3trt60hnPmIphLWKo0RPVy/BPNNeHrUwKIGghl5BZoBH4c3IKrze9dNILAgLuG6XCCpoVdi5tgwBP5w+lEVV1n2nnxpqUS35nHDLJPTsoat0iJE7AxhnMbjr19j/mHAaT8IjvFYr6zFd+4DugbZyxOvnLly9GDhfMWyWaoFqPQ9xBEb5wcqlbcEawOaWXAkaSikFZ8A+npuJ1Mh/W+k3UmyOjilxA437hn16MB4yXP4sW4U4hTa/D+uPmKhZiJD6NfEhNjL1eacZg1rZRtAmoWZ9Ib+f0bopzIDWW+FzrwwrJJZs5bIDJXTyHZkSwknSLh7gswFkrNKAATn9iZRRc72pZf4Ydgn1yE1lC7SLhuEGFhAhLutuZjAY89Z6F0EfclKVXxqWHgXUwW9Hw1USRcr1RVQczzchEO3CTLQXWAxy7E9nepAyFAYQXG1243qR8IrvfaNqwtDyB7vDFGnf4h3FvGIDEMTF4QMW28N26H7Thyvt9D4MIny8VhRYO6baYsuXb2S7PylSnIN1QG50rv94VIdCJuvBinK4+qHtrVKkDXWokn32lLWFNSk631EcVAGiXPJc41CowGeDZWu5VXjQpZ+nURjr0v4u7pPt04f0OLLtuJaMHtv0UP5tXerg2M2cHmW9Tgs+VbP7MAuvOY3zyJk2ao3cpUXolV6ocWKqWOllnrAeh4Duyai1qjdPw3k6c4RUi/tzQnE4eG3IorYCAThi6CGpzBIU3DEkJZZlTnjq7gfsIxI19LRhEo3vJFHsr35Cv/iyeecIdG8ycKk3JrryP5zfNvKgIffbI0UgmdTpyzXyLYsrmgvesW6P5pvasMi5o+GP32HNATPMXMGpAwKrpj0OL44lAevTSAmNipOh2mzVsfSm3+0jvPb72WSKEHAeVLLoN14OrhVpktoT1Tp4G+nESW1+RYw2invqZt2UoG7y3U9bsS/Cm/oLOwUQ8ebyDKY0uVEIFdowu22I1CfD2TQPXwgH3pkfKqoQX+eME43v0/xd0n7s2lYG5dic0Kual/Nv9dcLmXXPogIZbc7yQ89PeRF5PYJl8xZ7CEiDTc2t0mmLj+wjp4GZUtWFlpyoVjDbARKy47f+KZVQvd/lkZvukeBua82HZ1M4r9gWlih23UMqR6lAp5vyFctUTju0X0nnVmfskoyBYq7O0EQtoKWyzIB+QnEVrV5bvJgMHDKPyf0=
Content-Type: multipart/alternative; boundary="_000_CH0PR11MB5444354D8BDF3A1081819F90C1F22CH0PR11MB5444namp_"
MIME-Version: 1.0
X-OriginatorOrg: cisco.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CH0PR11MB5444.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 4937a891-cdb9-4187-17df-08dd4a1841af
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Feb 2025 21:16:59.8032 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: wCJTmFFGVHlKt0K/e9ZetYntd2zJD6SI0coEyNTRdzJ5CbzTm9rKomRH3Q+/FBwKpJmLg++ZIEdtJeCV7MjEWQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH7PR11MB6676
X-Outbound-SMTP-Client: 72.163.7.164, rcdn-opgw-3.cisco.com
X-Outbound-Node: alln-l-core-01.cisco.com
Message-ID-Hash: R2KYZVVYBWWAOOWR6TRIVZJYRJEXU7WG
X-Message-ID-Hash: R2KYZVVYBWWAOOWR6TRIVZJYRJEXU7WG
X-MailFrom: sfluhrer@cisco.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-ipsec.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [IPsec] Re: FW: New Version Notification for draft-sfluhrer-ipsecme-ikev2-mldsa-00.txt
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/w8YvU191Fm4SxGvofW20chGFKtc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Owner: <mailto:ipsec-owner@ietf.org>
List-Post: <mailto:ipsec@ietf.org>
List-Subscribe: <mailto:ipsec-join@ietf.org>
List-Unsubscribe: <mailto:ipsec-leave@ietf.org>

I’ve already pulled in the changes into draft-reddy-ipsecme-ikev2-pqc-auth (at least, the one in github – that update will be published Real Soon Now).

Except, one of my coauthors preferred the RFC8420 approach and no one else (including me) had an opinion, so that’s what we’ll be doing for now…


From: Daniel Van Geest <daniel.vangeest=40cryptonext-security.com@dmarc.ietf.org>
Sent: Monday, February 10, 2025 11:09 AM
To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>; ipsec@ietf.org
Subject: Re: [IPsec] FW: New Version Notification for draft-sfluhrer-ipsecme-ikev2-mldsa-00.txt


I support this work, but there is already a draft specifying both ML-DSA and SLH-DSA in IKEv2: https://datatracker.ietf.org/doc/draft-reddy-ipsecme-ikev2-pqc-auth/

Scott, as you're an author on both you'll have no problem reconciling the two drafts :)

Regards,
Daniel
On 2025-01-31 7:40 p.m., Scott Fluhrer (sfluhrer) wrote:

I just noticed that IKE was missing a draft to how to support pure (ML-DSA only) PQ authentication, so I threw this together.



Any comments are fine (and I expect them to range from "this is completely stupid" to "this is mostly stupid, but it might be salvageable")



-----Original Message-----

From: internet-drafts@ietf.org<mailto:internet-drafts@ietf.org> <internet-drafts@ietf.org><mailto:internet-drafts@ietf.org>

Sent: Friday, January 31, 2025 2:01 PM

To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com><mailto:sfluhrer@cisco.com>

Subject: New Version Notification for draft-sfluhrer-ipsecme-ikev2-mldsa-00.txt



A new version of Internet-Draft draft-sfluhrer-ipsecme-ikev2-mldsa-00.txt has been successfully submitted by Scott Fluhrer and posted to the IETF repository.



Name:     draft-sfluhrer-ipsecme-ikev2-mldsa

Revision: 00

Title:    IKEv2 Support of ML-DSA

Date:     2025-01-31

Group:    Individual Submission

Pages:    8

URL:      https://www.ietf.org/archive/id/draft-sfluhrer-ipsecme-ikev2-mldsa-00.txt

Status:   https://datatracker.ietf.org/doc/draft-sfluhrer-ipsecme-ikev2-mldsa/

HTML:     https://www.ietf.org/archive/id/draft-sfluhrer-ipsecme-ikev2-mldsa-00.html

HTMLized: https://datatracker.ietf.org/doc/html/draft-sfluhrer-ipsecme-ikev2-mldsa





Abstract:



   One IPsec area that would be impacted by Cryptographically Relevant

   Quantum Computer (CRQC) is IKEv2 authentication based on traditional

   asymmetric cryptograph algorithms: e.g RSA, ECDSA; which are widely

   deployed authentication options of IKEv2.  NIST has recently

   standardized ML-DSA, which is a signature algorithm believed to be

   secure against Quantum Computers.  This document describes how to use

   ML-DSA with IKEv2 as an auhentication scheme.







The IETF Secretariat





_______________________________________________

IPsec mailing list -- ipsec@ietf.org<mailto:ipsec@ietf.org>

To unsubscribe send an email to ipsec-leave@ietf.org<mailto:ipsec-leave@ietf.org>

[IPsec] FW: New Version Notification for draft-sf… Scott Fluhrer (sfluhrer)
[IPsec] Re: FW: New Version Notification for draf… Loganaden Velvindron
[IPsec] Re: FW: New Version Notification for draf… Paul Wouters
[IPsec] Re: FW: New Version Notification for draf… Scott Fluhrer (sfluhrer)
[IPsec] Re: FW: New Version Notification for draf… Kampanakis, Panos
[IPsec] Re: FW: New Version Notification for draf… Andreas Steffen
[IPsec] Re: FW: New Version Notification for draf… Daniel Van Geest
[IPsec] Re: FW: New Version Notification for draf… Scott Fluhrer (sfluhrer)