[IPsec] Re: [EXT] [Pqc] Re: Re: [EXTERNAL] PQC integration in IPsec/IKEv2 - implementation experience and interop
Songbo Bu <bluedognull@gmail.com> Thu, 25 June 2026 01:55 UTC
Return-Path: <bluedognull@gmail.com>
X-Original-To: ipsec@mail2.ietf.org
Delivered-To: ipsec@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 40499106E6611 for <ipsec@mail2.ietf.org>; Wed, 24 Jun 2026 18:55:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1782352515; bh=z8mcgecSU5u3+nn/8zHXcowwWaa95QUE36HJKssof90=; h=References:In-Reply-To:From:Date:Subject:To:Cc; b=pZvpoc4tReRCZ+CiJ/NlR09xpR6B3TCek/h0Z0lnWQmCj6y4xgkoOd8+MG7fE7SGI uxk64zPOeDVSwmQfS9BSu/9CzIdevmP/7zAg24fpZ4YXOYE+9HmC7Xig4Fjxd4Tiv4 BJgKMoMufg8FZeW98GEuWtqO0Gm4eOhTdlBiUysQ=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G0AUbbLKq1AX for <ipsec@mail2.ietf.org>; Wed, 24 Jun 2026 18:55:13 -0700 (PDT)
Received: from mail-qv1-xf36.google.com (mail-qv1-xf36.google.com [IPv6:2607:f8b0:4864:20::f36]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id BC095106E63EC for <ipsec@ietf.org>; Wed, 24 Jun 2026 18:54:57 -0700 (PDT)
Received: by mail-qv1-xf36.google.com with SMTP id 6a1803df08f44-8dedb44ed1fso16735786d6.1 for <ipsec@ietf.org>; Wed, 24 Jun 2026 18:54:57 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1782352491; cv=none; d=google.com; s=arc-20260327; b=B+c4hj9wOZoGd9gE5bltbj4FsFSlm982NlbF8I+gTrsv3ryDEJx+I0iMGqwrwIOoA9 Dn6IWdkltZvPNywA/0wRlqrIaIDFUrcfCk9l7VBmYNUSXoz+kNuqa9XfRDw6Dm+nypJd jf+eOVIAsymcie3m5LgEpZ7TLDB2VzWUXImQzZjlZTnN5jTJhzE4SFnNqIRPPOxfwKwh n7BcBeLQ7G8vZn9GXggBkDt/A3A0k9cVyAjcUQmnHBRMXvOEb9cwwjM3RZRGt3Fh3dCE jwM/AMgXPzenOidDJxMeXepohMQsFh+2nvWRvvk5zlLCL6mS99lxXYBU0UzY0GIVnr4Y bBdg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20260327; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=NtdtkSCLwnUInjQR1ccZiVfkTGC1xcULgJODOh3GoOw=; fh=x+b96uQJdv2qeeEt+6OiHSrMRot40r4forTEINhP7LE=; b=ouRZVnBuahEjIvwxb+F+/6ZViz6PWhaTfiQH2EnPu7VyZ7APiAh9Uwoa3P9uYHUVgI Z6nD/KritxlDq/Pb4GTdSECvguLOOg7DOd7rR1KcSo8/C5j3SzEhWhy+14g4ZzqCFgsT 6YqlookfmOBtJUvKdKQtTkxPl3b3CLPUSAGu1XhjLj1MniWUe5/uYISCpMJ/YADHw266 59srAhsgwZQMTzMAQ4x4B3LdhoVhvVMdWNrRnY9kpuifB4X6Q3ETcOizJtG0apxAt8IH gn2NNzozJI24L/sMHOeWrHurom8K3amR4HVD3T4WMq0rBEQk6YzXCZFoxs/3Ifpkhx88 5grg==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1782352491; x=1782957291; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=NtdtkSCLwnUInjQR1ccZiVfkTGC1xcULgJODOh3GoOw=; b=tNOPKm5cfGIA5G1MJ9GfTkRh4iPmwQriPlxydyXngMZcdBmWFEM6z1fxtP89LKMSiM lR70eXZMLdYevQ4qB4tz8nwuTFRemGnUX7NT2JnmGMLcU62+Dx2BRce1XDfTcillKu8H QRCvwkNvZaQIArC1Qd70syAh96iYqSPm9UiQP2qCKGyK/860NHdy3NMUKP5Rw9Qr2DMv dKlSaWoJga+Pu8NWmd8PF+dZwBC+T+9zRTarNhp/eVUwIdI/cuBpEMBt0AmPWr1l9WmV l/I9eyHVs3Uaz0UXLbuVDTgbfoHuWNHmk3KUaovsm/29kf1bmNF/o6vS4SjyQM7ynXGQ T53Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782352491; x=1782957291; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=NtdtkSCLwnUInjQR1ccZiVfkTGC1xcULgJODOh3GoOw=; b=ewKd2Pgf3GfcTI1ScoYB3Q95eRNgvjVcP7KyxNQ2VTLp8F2mztr0uzu9WpLsiP22tY 2JaPdcndcb1WNOu0dn+qh0iVXdNJ5CaaVpJ9qtUl3AiIMBsSWok/vs/M025hms4bMxem d71bumD9602XmNyipOvt3rkxuk8c2KBHZ2M5IEsFfxf7RKflfE8yrwKVCaqyi7iPXC5u d4T962GZsLGWCkrvE2uPWbguI0GJD11MaiCOTOCTjoIRxiES4fnU6oq8rMj/2bUP9PqK KzBpOBo7PkV3D0srjS2Pk/vApBoSZUA10ArGFmvnyz90een10GofIcE18h0l0VcHffdk rpgQ==
X-Gm-Message-State: AOJu0YxGu5SGVgolZ8po4nzh90CStVjvh9ZHrpx7EvsfQYiJkuJPtTUc yVC9lV30pAT7T9Gtms9IU/t5RX4zI5A4UejhdDx4amZGhUopHtfy/9xIwksLiQV2OoPPM/ovDZ8 ZfaMxnNDXwzvmefG8QFBtMRhT2unaW3RQU/zIxI0=
X-Gm-Gg: AfdE7clkOKxU0hI07QZHHQb4CY4BdRkMpyR3+/pbpBJd5CzC1y+GZEw6Tp/7zMyRd34 6zhI5OA0z7zs04DAWlq+UsRMKHODi7qXPEQ4I7IN756ULOV9/nC9hk7/yv2ydMQvxowkpwaiDAs i7SP7xzkOauiXVf/VXeO7/PrMoZbm0EiBrsA34w4zAjrLb9rfqAom+PCTlN/VM0A5kbYKDopC3a pdu+zLCDxiPRzXEAIQVoaT30dbNPHDXTo2qCP1J6/bnwnqjBEkD3uNXIX0px6tlOTDSh1DjVv2j U185n4/mSAfXU1/pxq/4O4wfBg==
X-Received: by 2002:a05:622a:593:b0:516:e236:1d3e with SMTP id d75a77b69052e-51a7277e3ccmr5794441cf.6.1782352490657; Wed, 24 Jun 2026 18:54:50 -0700 (PDT)
MIME-Version: 1.0
References: <IA3PR00MB21814CB13608DD1BC9BB1671F2042@IA3PR00MB2181.namprd00.prod.outlook.com> <CAK08nYbQh4TG6QLUp4EssnmgNx7SysxuQnM9hpo6PqTO-vQ-uw@mail.gmail.com> <CH4PR00MB2224DB61CDA667347F9663DCBAEF2@CH4PR00MB2224.namprd00.prod.outlook.com> <13e00acd-0ae7-8db4-dab6-995b16368864@nohats.ca> <CAK08nYZWN6bAT-bCeVgd_HLx_mpix9VC0s9upJFN-BKZwwZfzg@mail.gmail.com> <BN0P110MB1419AA9DB63932C690DCEF2A90EEA@BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM>
In-Reply-To: <BN0P110MB1419AA9DB63932C690DCEF2A90EEA@BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM>
From: Songbo Bu <bluedognull@gmail.com>
Date: Thu, 25 Jun 2026 09:54:39 +0800
X-Gm-Features: AVVi8CeiPOHOVW10j9L8TdrQ_kh_3KxX_dDzuFr-wyVunU9Ax6W619pLyr_5u6s
Message-ID: <CAK08nYYGpUTCuDWyJHNj1uOSjOX6q4=qGnKPnzGrBgavZn00bw@mail.gmail.com>
To: ipsec@ietf.org, pqc@ietf.org
Content-Type: multipart/mixed; boundary="000000000000129b5706550a472a"
Message-ID-Hash: IZWWTRSIX6NBQ6E5CRBGXY5NUXCSZA6L
X-Message-ID-Hash: IZWWTRSIX6NBQ6E5CRBGXY5NUXCSZA6L
X-MailFrom: bluedognull@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-ipsec.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Nick Grifka <nigri@microsoft.com>, Paul Wouters <paul@nohats.ca>, Uri Blumenthal <uri@ll.mit.edu>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [IPsec] Re: [EXT] [Pqc] Re: Re: [EXTERNAL] PQC integration in IPsec/IKEv2 - implementation experience and interop
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/zl-HfN6B0XYh-XB30blQfPEnIx4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Owner: <mailto:ipsec-owner@ietf.org>
List-Post: <mailto:ipsec@ietf.org>
List-Subscribe: <mailto:ipsec-join@ietf.org>
List-Unsubscribe: <mailto:ipsec-leave@ietf.org>
Hi Nick, Paul, Uri, all, I took a first pass at the starter matrix I mentioned and attached it as Markdown. It is deliberately lightweight: not an interop claim, and not a standards-status statement. The goal is just to give implementers a common row format for recording what was actually tested, against which peer, and with what evidence. I also split KEM-based authentication into its own bucket after Uri’s note, rather than folding it into RFC 9370 or PQC signature authentication. The seed rows are only placeholders based on the public discussion so far. They should be replaced or corrected by the actual implementers if the group wants to use this around IETF 126 / hackathon coordination. Best, Songbo On Tue, 23 Jun 2026 02:27:19 +0000, “Blumenthal, Uri - 0553 - MITLL” uri@ll.mit.edu wrote: Please add this draft to the list of mechanisms: https://datatracker.ietf.org/doc/draft-wang-ipsecme-kem-auth-ikev2/ – V/R, Uri Blumenthal There are two ways to design a system. One is to make it so simple there are obviously no deficiencies. The other is to make it so complex there are no obvious deficiencies. - C. A. R. Hoare I was a shepherd to fools Causelessly bold or afraid. They would not abide by my rules. Yet they escaped. For I stayed. R. Kipling “Epitaphs of the War. Convoy Escort” From: Songbo Bu king347608@gmail.com Date: Monday, June 22, 2026 at 21:23 To: ipsec@ietf.org ipsec@ietf.org; pqc@ietf.org pqc@ietf.org Cc: nigri@microsoft.com nigri@microsoft.com; paul@nohats.ca paul@nohats.ca Subject: [EXT] [Pqc] Re: [IPsec] Re: [EXTERNAL] PQC integration in IPsec/IKEv2 - implementation experience and interop This Message Is From an External Sender This message came from outside the Laboratory. Hi Nick, Paul, all, This thread is useful. I agree with Paul that IPsec/IKEv2 interop probably does not need a QUIC-style continuous public test harness to be useful. A lower-friction artifact may be enough for the first pass: a public interop checklist and results matrix that records exactly what was tested, against which peer, and what evidence was observed. For PQC-in-IKEv2 I would split the first matrix along a few axes: - implementation and version; - peer implementation and version; - deployment shape: site-to-site, remote access, or point-to-point; - mechanism: RFC 8784 PPK, RFC 9867 PPK with IKE_INTERMEDIATE, RFC 9370 multiple key exchange, PQC authentication, reliable IKEv2 transport, downgrade prevention; - algorithm set: ML-KEM and ML-DSA parameter sets actually exercised; - path conditions: fragmentation, retransmission, NAT traversal, rekey/CREATE_CHILD_SA, and failure diagnostics; - result evidence: packet trace summary, logs, negotiated transforms, and failure reason where applicable. That would let vendors and open-source implementations participate at different disclosure levels while still producing useful compatibility data. If there is interest, I can help turn this into a starter checklist or markdown matrix for the IETF 126 hackathon discussion. Best, Songbo On Mon, 22 Jun 2026 19:26:21 -0400 (EDT), Paul Wouters paul@nohats.ca wrote: On Mon, 22 Jun 2026, Nick Grifka wrote: Also, I see in the past there have been PQC-related interop events (ex: https://github.com/IETF-Hackathon/pqc-certificates) Is there any appetite for an interop event for PQC in IPsec/IKEv2 amongst the community? I realize the nature of many IPsec/IKEv2 products might not be suitable for a robust and efficient interop framework (ex: https://github.com/quic-interop) so maybe that makes such an event less practical. Traditionally these were held in the past (called “bake offs” but then IPR got into the way of that name). But since IKEv2/IPsec has strong opensource releases (libreswan and strongswan), interop testing usually happens against those implementations (and recently elvis-plus) and doesn’t require much gathering. Although if you will be at IETF-126, there will be *swan people and elvis-plus people who will gladly do some interop testing with you - especially during the hackathon days (Sat+Sun) Paul
- [IPsec] PQC integration in IPsec/IKEv2 - implemen… Matt Ige
- [IPsec] PQC integration in IPsec/IKEv2 - implemen… Blue Dog
- [IPsec] Re: PQC integration in IPsec/IKEv2 - impl… Christian Vögl
- [IPsec] Re: [EXTERNAL] [Pqc] PQC integration in I… Nick Grifka
- [IPsec] Re: [Pqc] PQC integration in IPsec/IKEv2 … SIDDESH PAWAR
- [IPsec] Re: [EXTERNAL] [Pqc] PQC integration in I… Paul Wouters
- [IPsec] Re: [EXTERNAL] [Pqc] PQC integration in I… Songbo Bu
- [IPsec] Re: [EXT] [Pqc] Re: Re: [EXTERNAL] PQC in… Blumenthal, Uri - 0553 - MITLL
- [IPsec] Re: [EXT] [Pqc] Re: Re: [EXTERNAL] PQC in… Songbo Bu
- [IPsec] Re: PQC integration in IPsec/IKEv2 - impl… Nick Grifka
- [IPsec] Re: [EXT] [Pqc] Re: Re: [EXTERNAL] PQC in… Songbo Bu