Internet Engineering Task Force (IETF)                          C. Tjhai
Internet-Draft                                              M. Tomlinson
Updates: 7296 (if approved)                                 Post-Quantum
Intended status: Standards Track                             G. Bartlett
Expires: January 8, 2021                                  Quantum Secret
                                                              S. Fluhrer
                                                           Cisco Systems
                                                            D. Van Geest
                                                       ISARA Corporation
                                                       O. Garcia-Morchon
                                                                 Philips
                                                              V. Smyslov
                                                              ELVIS-PLUS
                                                            July 7, 2020

                    Multiple Key Exchanges in IKEv2
                draft-ietf-ipsecme-ikev2-multiple-ke-01

Abstract

This document describes how to extend the Internet Key Exchange Protocol Version 2 (IKEv2) to allow multiple key exchanges to take place while computing a shared secret during a Security Association (SA) setup. The primary application of this feature in IKEv2 is the ability to perform one or more post-quantum key exchanges in conjunction with the classical (Elliptic Curve) Diffie-Hellman key exchange, so that the resulting shared key is resistant against quantum computer attacks. Another possible application is the ability to combine several key exchanges in situations when no single key exchange algorithm is trusted by both initiator and responder.

This document updates RFC7296 by renaming Transform Type 4 from "Diffie-Hellman Group (D-H)" to "Key Exchange Method (KE)" and renaming a field in the Key Exchange Payload from "Diffie-Hellman Group Num" to "Key Exchange Method". It also renames an IANA registry for this transform type from "Transform Type 4 - Diffie-Hellman Group Transform IDs" to "Transform Type 4 - Key Exchange Method Transform IDs". These changes generalize the key exchange algorithms that can be used in IKEv2.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on January 8, 2021.

Copyright Notice

Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Problem Description
     1.2.  Proposed Extension
     1.3.  Changes
     1.4.  Document Organization
   2.  Design Criteria
   3.  Multiple Key Exchanges
     3.1.  Overall Design
     3.2.  Overall Protocol
       3.2.1.  IKE_SA_INIT Round: Negotiation
       3.2.2.  IKE_INTERMEDIATE Round: Additional Key Exchanges
       3.2.3.  IKE_AUTH Exchange
       3.2.4.  CREATE_CHILD_SA Exchange
   4.  IANA Considerations
   5.  Security Considerations
   6.  Acknowledgements
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Appendix A.  Alternative Design
   Authors' Addresses

1.  Introduction

1.1.  Problem Description

The Internet Key Exchange Protocol (IKEv2) as specified in [RFC7296] uses the Diffie-Hellman (DH) or Elliptic Curve Diffie-Hellman (ECDH) algorithm to establish a shared secret between an initiator and a responder. The security of the DH and ECDH algorithms relies on the difficulty of solving the discrete logarithm problem in multiplicative and elliptic curve groups respectively when the order of the group parameter is large enough. While solving such a problem remains difficult with current computing power, it is believed that general purpose quantum computers will be able to solve this problem, implying that the security of IKEv2 is compromised. There are, however, a number of cryptosystems that are conjectured to be resistant against quantum computer attack. This family of cryptosystems is known as post-quantum cryptography (PQC). It is sometimes also referred to as quantum-safe cryptography (QSC) or quantum-resistant cryptography (QRC).

1.2.  Proposed Extension

This document describes a method to perform multiple successive key exchanges in IKEv2. It allows integration of QSC in IKEv2, while maintaining backwards compatibility, to derive a set of IKE keys that is resistant to quantum computer attacks. This extension allows the negotiation of one or more QSC algorithms to exchange data, in addition to the existing DH or ECDH key exchange data. We believe that the feature of using more than one post-quantum algorithm is important, as many of these algorithms are relatively new and there may be a need to hedge the security risk with multiple key exchange data from several distinct QSC algorithms.

The secrets established from each key exchange are combined in such a way that, should the post-quantum secrets not be present, the derived shared secret is equivalent to that of standard IKEv2; on the other hand, a post-quantum shared secret is obtained if both classical and post-quantum key exchange data are present. This extension also applies to key exchanges in IKE Security Associations (SAs) for Encapsulating Security Payload (ESP) [RFC4303] or Authentication Header (AH) [RFC4302], i.e. Child SAs, in order to provide a stronger guarantee of forward security.

Some post-quantum key exchange payloads may have sizes larger than the standard maximum transmission unit (MTU) size, and therefore there could be issues with fragmentation at the IP layer. IKE does allow transmission over TCP where fragmentation is not an issue [RFC8229]; however, we believe that a UDP-based solution will be required too. IKE does have a mechanism to handle fragmentation within UDP [RFC7383]; however, that is only applicable to messages exchanged after the IKE_SA_INIT. To use this mechanism, this specification relies on the IKE_INTERMEDIATE exchange as outlined in [I-D.ietf-ipsecme-ikev2-intermediate]. With this mechanism, we do an initial key exchange, using a smaller, possibly non-quantum-resistant primitive, such as ECDH. Then, before we do the IKE_AUTH exchange, we perform one or more IKE_INTERMEDIATE exchanges, each of which contains an additional key exchange. As the IKE_INTERMEDIATE exchange is encrypted, the IKE fragmentation protocol [RFC7383] can be used. The IKE SK_* values are updated after each exchange, and so the final IKE SA keys depend on all the key exchanges; hence they are secure if any of the key exchanges is secure.

Note that readers should consider the approach defined in this document as providing a long term solution in upgrading the IKEv2 protocol to support post-quantum algorithms. A short term solution to make the IKEv2 key exchange quantum secure is to use post-quantum pre-shared keys as discussed in [RFC8784].

Note also that the proposed approach of performing multiple successive key exchanges in such a way that the resulting session keys depend on all of them is not limited to achieving quantum resistance only. It can also be used when all the performed key exchanges are classical (EC)DH ones, where for some reasons (e.g. policy requirements) it is essential to perform multiple of them.

1.3.  Changes

RFC EDITOR PLEASE DELETE THIS SECTION.

Changes in this draft in each version iteration.

draft-ietf-ipsecme-ikev2-multiple-ke-01

   o  References are updated.

draft-ietf-ipsecme-ikev2-multiple-ke-00

   o  Draft name changed as a result of WG adoption and generalization of the approach.

   o  New exchange IKE_FOLLOWUP_KE is defined for additional key exchanges performed after CREATE_CHILD_SA.

   o  Nonces are removed from all additional key exchanges.

   o  Clarification that IKE_INTERMEDIATE must be negotiated is added.

   o  Clarification about key derivation in case of multiple key exchanges in CREATE_CHILD_SA is added.

   o  Resolving rekey collisions in case of multiple key exchanges is clarified.

draft-tjhai-ipsecme-hybrid-qske-ikev2-03

   o  Using multiple key exchanges in CREATE_CHILD_SA is defined.

draft-tjhai-ipsecme-hybrid-qske-ikev2-02

   o  Use new transform types to negotiate additional key exchanges, rather than using the KE payloads of the IKE SA.

draft-tjhai-ipsecme-hybrid-qske-ikev2-01

   o  Use IKE_INTERMEDIATE to perform multiple key exchanges in succession.

   o  Handle fragmentation by keeping the first key exchange (a standard IKE_SA_INIT with a few extra notifies) small, and encrypting the rest of the key exchanges.

   o  Simplify the negotiation of the 'extra' key exchanges.

draft-tjhai-ipsecme-hybrid-qske-ikev2-00

   o  We added a feature to allow more than one post-quantum key exchange algorithm to be negotiated and used to exchange a post-quantum shared secret.

   o  Instead of relying on TCP encapsulation to deal with IP level fragmentation, we introduced a new key exchange payload that can be sent as multiple fragments within the IKE_SA_INIT message.

1.4.  Document Organization

The remainder of this document is organized as follows. Section 2 summarizes the design criteria. Section 3 describes how multiple key exchanges are performed between two IKE peers and how keying materials are derived for both IKE SAs and Child SAs. A summary of alternative approaches that have been considered, but later discarded, is given in Appendix A.
Section 4 discusses IANA considerations for the namespaces introduced in this document, and lastly Section 5 discusses security considerations.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

2.  Design Criteria

The design of the proposed extension is driven by the following criteria:

   1)  Need for post-quantum cryptography in IPsec. Quantum computers might become feasible in the near future. If current Internet communications are monitored and recorded today (D), the communications could be decrypted as soon as a quantum computer is available (e.g., year Q) if key negotiation only relies on non post-quantum primitives. This is a high threat for any information that must remain confidential for a long period of time T > Q-D. The need is obvious if we assume that Q is 2040, D is 2020, and T is 30 years. Such a value of T is typical in classified or healthcare data.

   2)  Hybrid. Currently, there does not exist a post-quantum key exchange that is trusted at the level that ECDH is trusted against conventional (non-quantum) adversaries. A hybrid post-quantum algorithm is to be introduced next to well-established primitives, since the overall security is at least as strong as each individual primitive.

   3)  Focus on quantum-resistant confidentiality. A passive attacker can eavesdrop on IPsec communication today and decrypt it once a quantum computer is available in the future. This is a very serious attack for which we do not have a solution. An attacker can only perform active attacks such as impersonation of the communicating peers once a quantum computer is available, sometime in the future. Thus, our design focuses on quantum-resistant confidentiality due to the urgency of this problem. This document does not address quantum-resistant authentication since it is less urgent at this stage.

   4)  Limit amount of exchanged data. The protocol design should be such that the amount of exchanged data, such as public keys, is kept as small as possible even if initiator and responder need to agree on a hybrid group or multiple public keys need to be exchanged.

   5)  Future proof. Any cryptographic algorithm could potentially be broken in the future by currently unknown or impractical attacks: quantum computers are merely the most concrete example of this. The design does not categorize algorithms as "post-quantum" or "non post-quantum" nor does it create assumptions about the properties of the algorithms, meaning that if algorithms with different properties become necessary in the future, this extension can be used unchanged to facilitate migration to those algorithms.

   6)  Limited amount of changes. A key goal is to limit the number of changes required when enabling a post-quantum handshake. This ensures easier and quicker adoption in existing implementations.

   7)  Localized changes. Another key requirement is that changes to the protocol are limited in scope, in particular limiting changes in the exchanged messages and in the state machine, so that they can be easily implemented.

   8)  Deterministic operation. This requirement means that the hybrid post-quantum exchange, and thus the computed keys, will be based on algorithms that both client and server wish to support.

   9)  Fragmentation support. Some PQC algorithms could be relatively bulky and they might require fragmentation. Thus, a design goal is the adaptation and adoption of an existing fragmentation method or the design of a new method that allows for the fragmentation of the key shares.

   10) Backwards compatibility and interoperability. This is a fundamental requirement to ensure that hybrid post-quantum IKEv2 and non-post-quantum IKEv2 implementations are interoperable.

   11) Federal Information Processing Standards (FIPS) compliance. IPsec is widely used in Federal Information Systems and FIPS certification is an important requirement. However, algorithms that are believed to be post-quantum are not FIPS compliant yet. Still, the goal is that the overall hybrid post-quantum IKEv2 design can be FIPS compliant.

   12) Ability to use this method with multiple classical (EC)DH key exchanges. In some situations peers have no single mutually trusted key exchange algorithm (e.g., due to local policy restrictions). The ability to combine two (or more) key exchange methods in such a way that the resulting shared key depends on all of them allows peers to communicate in this situation.

3.  Multiple Key Exchanges

3.1.  Overall Design

This design assigns new Transform Type 4 identifiers to the various post-quantum key exchanges (which will be defined later). We specifically do not make a distinction between classical (DH and ECDH) and post-quantum key exchanges, nor between post-quantum algorithms which are true key exchanges and post-quantum algorithms that act as key transport mechanisms; all are treated equivalently by the protocol. To be more specific, this document renames Transform Type 4 from "Diffie-Hellman Group (D-H)" to "Key Exchange Method (KE)" and renames a field in the Key Exchange Payload from "Diffie-Hellman Group Num" to "Key Exchange Method".
The corresponding IANA registry is also renamed from "Diffie-Hellman Group Transform IDs" to "Key Exchange Method Transform IDs".

In order to support IKE fragmentation for additional key exchanges that may have long public keys, the proposed framework utilizes the IKE_INTERMEDIATE exchange defined in [I-D.ietf-ipsecme-ikev2-intermediate].

In order to minimize communication overhead, only the key shares that are agreed to be used are actually exchanged. To achieve this, several new Transform Types are defined, each sharing possible Transform IDs with Transform Type 4. The IKE_SA_INIT message includes one or more newly defined SA transforms that list the extra key exchange policy required by the initiator; the responder selects a single transform of each type, and returns them in the IKE_SA_INIT response message. Then, provided that additional key exchanges are negotiated, the initiator and the responder perform one or more IKE_INTERMEDIATE exchanges; each such exchange includes a KE payload for one of the negotiated key exchanges.

Here is an overview of the initial exchanges:

   Initiator                                                   Responder
   ---------------------------------------------------------------------
   <-- IKE_SA_INIT (additional key exchanges negotiation) -->

   <-- {IKE_INTERMEDIATE (additional key exchange)} -->

   ...

   <-- {IKE_INTERMEDIATE (additional key exchange)} -->

   <-- {IKE_AUTH} -->

The additional key exchanges may use algorithms that are currently considered to be resistant to quantum computer attacks. These algorithms are collectively referred to as post-quantum algorithms in this document. However, it is also possible to use classical (EC)DH primitives for non post-quantum requirements.

Most post-quantum key agreement algorithms are relatively new, and thus are not fully trusted. There are also many proposed algorithms, with different trade-offs and relying on different hard problems. The concern is that some of these hard problems may turn out to be easier to solve than anticipated, and thus the key agreement algorithm may not be as secure as expected. A hybrid solution allows us to deal with this uncertainty by combining a classical key exchange with a post-quantum one, as well as leaving open the possibility of multiple post-quantum key exchanges.

The method that we use to perform additional key exchanges also addresses the fragmentation issue. The initial IKE_SA_INIT messages do not have any inherent fragmentation support within IKE; however, they can include a relatively short KE payload (e.g. one for group 14, 19 or 31). The rest of the KE payloads are encrypted within IKE_INTERMEDIATE messages; because they are encrypted, the standard IKE fragmentation solution [RFC7383] is available.

The fact that all Additional Key Exchange Transform Types share the same registry with Transform Type 4 allows additional key exchanges to be of any type, either post-quantum ones or classical (EC)DH ones. This approach allows any combination of defined key exchange methods to take place. It also allows performing a single post-quantum key exchange in the IKE_SA_INIT without additional key exchanges, provided that IP fragmentation is not an issue and that a hybrid key exchange is not needed.

3.2.  Overall Protocol

In the simplest case, the initiator is happy with a single key exchange (and has no interest in supporting multiple), and it is not concerned with possible fragmentation of the IKE_SA_INIT messages (either because the key exchange it selects is small enough not to fragment, or because the initiator is confident that fragmentation will be handled either by IP fragmentation or by transport via TCP).

In this case, the initiator performs the IKE_SA_INIT as standard, inserting a preferred key exchange (which is possibly a post-quantum algorithm) as the listed Transform Type 4, and including the initiator KE payload. If the responder accepts the policy, it responds with an IKE_SA_INIT response, and IKE continues as usual.

If the initiator desires to negotiate multiple key exchanges, or it needs IKE to handle any possible fragmentation, then the initiator uses the protocol described below.

3.2.1.  IKE_SA_INIT Round: Negotiation

Multiple key exchanges are negotiated using the standard IKEv2 mechanism, via the SA payload. For this purpose several new transform types, namely Additional Key Exchange 1, Additional Key Exchange 2, Additional Key Exchange 3, etc., are defined. They are collectively called Additional Key Exchanges and have slightly different semantics than existing IKEv2 transform types. They are interpreted as additional key exchanges that the peers agreed to perform in a series of IKE_INTERMEDIATE exchanges. The possible transform IDs for these transform types are the same as the IDs for Transform Type 4, so they all share a single IANA registry for transform IDs.

Key exchange methods negotiated via Transform Type 4 MUST always take place in the IKE_SA_INIT exchange. Additional key exchanges negotiated via the newly defined transforms MUST take place in a series of IKE_INTERMEDIATE exchanges, in the order of the values of their transform types, so that the key exchange negotiated using Transform Type n always precedes that of Transform Type n + 1. Each IKE_INTERMEDIATE exchange MUST bear exactly one key exchange method. Note that with these semantics, Additional Key Exchanges transforms are not associated with any particular type of key exchange and do not have any per-transform-type IANA registry of transform IDs.
Instead, they all share a single registry for transform IDs, "Key Exchange Method Transform IDs", together with Transform Type 4. All new key exchange algorithms (both classical and post-quantum) should be added to this registry. This approach gives peers flexibility in defining the ways they want to combine different key exchange methods.

When forming a proposal the initiator adds transforms for the IKE_SA_INIT exchange using Transform Type 4. In most cases they will contain classical key exchange methods (DH or ECDH); however, it is not a requirement. Additional key exchange methods are proposed using the Additional Key Exchanges transform types. All these transform types are optional; the initiator is free to select any of them for proposing additional key exchange methods. Consequently, if none of the Additional Key Exchange transforms is included in the proposal, then this proposal indicates performing standard IKEv2, as defined in [RFC7296]. If the initiator includes any transform of type n (where n is among the Additional Key Exchanges) in the proposal, the responder MUST select one of the algorithms proposed using this type. A transform ID NONE may be added to those transform types which contain key exchange methods that the initiator believes are optional.

If the initiator includes any Additional Key Exchanges transform types in the SA payload, it MUST also negotiate using the IKE_INTERMEDIATE exchange as described in [I-D.ietf-ipsecme-ikev2-intermediate], by including the INTERMEDIATE_EXCHANGE_SUPPORTED notification in the IKE_SA_INIT request message. If the responder agrees to use additional key exchanges, it MUST also return this notification, thus confirming that the IKE_INTERMEDIATE exchange is supported and will be used for transferring additional key exchange data. The presence of Additional Key Exchanges transform types in the SA payload without negotiation of the IKE_INTERMEDIATE exchange MUST be treated as a protocol error by both initiator and responder.

The responder performs negotiation using the standard IKEv2 procedure described in Section 3.3 of [RFC7296]. However, for the Additional Key Exchange types the responder's choice MUST NOT contain equal transform IDs (apart from NONE), and the ID selected for Transform Type 4 MUST NOT appear in any of the Additional Key Exchange transforms. In other words, all selected key exchange methods must be different.

3.2.2.  IKE_INTERMEDIATE Round: Additional Key Exchanges

For each extra key exchange agreed to in the IKE_SA_INIT exchange, the initiator and the responder perform one IKE_INTERMEDIATE exchange, as described in [I-D.ietf-ipsecme-ikev2-intermediate].

These exchanges are as follows:

   Initiator                                                   Responder
   ---------------------------------------------------------------------
   HDR, SK {KEi(n)} -->
                                                 <-- HDR, SK {KEr(n)}

The initiator sends key exchange data in the KEi(n) payload. This packet is protected with the current SK_ei/SK_ai keys.

On receiving this, the responder sends back the key exchange payload KEr(n); again, this packet is protected with the current SK_er/SK_ar keys.

The former "Diffie-Hellman Group Num" (now called "Key Exchange Method") field in the KEi(n) and KEr(n) payloads MUST match the n-th negotiated additional key exchange. Note that the negotiated transform types (the encryption type, integrity type, prf type) are not modified.

Once this exchange is done, both sides compute updated keying material:

   SKEYSEED(n) = prf(SK_d(n-1), KE(n) | Ni | Nr)

where KE(n) is the resulting shared secret of this key exchange, Ni and Nr are the nonces from the IKE_SA_INIT exchange, and SK_d(n-1) is the last generated SK_d (derived from the previous IKE_INTERMEDIATE exchange, or from the IKE_SA_INIT if there have not already been any IKE_INTERMEDIATE exchanges). Then SK_d, SK_ai, SK_ar, SK_ei, SK_er, SK_pi, SK_pr are updated as:

   {SK_d(n) | SK_ai(n) | SK_ar(n) | SK_ei(n) | SK_er(n) | SK_pi(n) |
    SK_pr(n)} = prf+ (SKEYSEED(n), Ni | Nr | SPIi | SPIr)

Both the initiator and the responder use these updated key values in the next exchange.

3.2.3.  IKE_AUTH Exchange

After all IKE_INTERMEDIATE exchanges have completed, the initiator and the responder perform an IKE_AUTH exchange. This exchange is the standard IKE exchange, except that the initiator and responder signed octets are modified as described in [I-D.ietf-ipsecme-ikev2-intermediate].

3.2.4.  CREATE_CHILD_SA Exchange

The CREATE_CHILD_SA exchange is used in IKEv2 for the purpose of creating additional Child SAs, rekeying them, and rekeying the IKE SA itself. When creating or rekeying Child SAs, the peers may optionally perform a Diffie-Hellman key exchange to add fresh entropy into the session keys. In the case of an IKE SA rekey, the key exchange is mandatory.

If the IKE SA was created using multiple key exchange methods, the peers may want to continue using multiple key exchanges in the CREATE_CHILD_SA exchange too. If the initiator includes any Additional Key Exchanges transform in the SA payload (along with Transform Type 4) and the responder agrees to perform additional key exchanges, then the additional key exchanges are performed in a series of new IKE_FOLLOWUP_KE exchanges that follow the CREATE_CHILD_SA exchange.
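The responder's selection rules of Section 3.2.1 and the SK_* update chain of Section 3.2.2, modelled in Python as an added example (this is not code from the draft or from any IKEv2 implementation). Assumptions: HMAC-SHA-256 is the negotiated prf, every SK_* key is taken as 32 bytes, Additional Key Exchange 1, 2, ... are stood in by transform types 5, 6, ..., transform IDs 1001/1002 are constructed placeholders for post-quantum methods, and the shared secrets are constructed bytes rather than real key exchange outputs.

```python
import hashlib
import hmac

NONE = 0      # transform ID NONE: the initiator treats that additional exchange as optional
KE_TYPE = 4   # Transform Type 4, the key exchange carried in IKE_SA_INIT
# Additional Key Exchange 1, 2, ... are modelled as transform types 5, 6, ...; the
# real type numbers are assigned by IANA and are not part of this example.
KEYLEN = 32   # with HMAC-SHA-256 as the prf every SK_* key is taken as 32 bytes here


def select_key_exchanges(proposal, supported):
    """Responder-side choice of one transform ID per transform type (Section 3.2.1).

    proposal:  {transform_type: [transform_id, ...]} in the initiator's preference
               order; supported: the set of transform IDs the responder accepts.
    Returns {transform_type: transform_id}; raises ValueError when no acceptable,
    distinct method exists for a type that was not marked optional with NONE.
    """
    chosen = {}
    for ttype in sorted(proposal):
        ids = proposal[ttype]
        for tid in ids:
            # every selected method must differ from every other one, including
            # the one chosen for Transform Type 4
            if tid != NONE and tid in supported and tid not in chosen.values():
                chosen[ttype] = tid
                break
        else:
            if ttype != KE_TYPE and NONE in ids:
                chosen[ttype] = NONE        # optional additional exchange: skip it
            else:
                raise ValueError(f"no acceptable method for transform type {ttype}")
    return chosen


def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key, seed, length):
    """prf+ as defined in RFC 7296 Section 2.13: T1 = prf(K, S|0x01),
    Tn = prf(K, Tn-1|S|n); the counter is a single byte."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]


def derive_keys(skeyseed, ni, nr, spii, spir):
    """{SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr} = prf+(SKEYSEED, Ni|Nr|SPIi|SPIr)."""
    names = ["SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr"]
    km = prf_plus(skeyseed, ni + nr + spii + spir, len(names) * KEYLEN)
    return {name: km[i * KEYLEN:(i + 1) * KEYLEN] for i, name in enumerate(names)}


def ike_sa_init_keys(shared, ni, nr, spii, spir):
    """Standard IKEv2 derivation (RFC 7296 Section 2.14): SKEYSEED = prf(Ni | Nr, g^ir)."""
    return derive_keys(prf(ni + nr, shared), ni, nr, spii, spir)


def ike_intermediate_update(keys, shared_n, ni, nr, spii, spir):
    """Section 3.2.2: SKEYSEED(n) = prf(SK_d(n-1), KE(n) | Ni | Nr), then re-derive all SK_*."""
    skeyseed_n = prf(keys["SK_d"], shared_n + ni + nr)
    return derive_keys(skeyseed_n, ni, nr, spii, spir)


def run_initial_exchanges(chosen, shared_secrets, ni, nr, spii, spir):
    """Keys after IKE_SA_INIT plus one IKE_INTERMEDIATE update per negotiated
    additional exchange, in ascending transform-type order.
    shared_secrets: {transform_id: bytes}, one entry per method actually performed."""
    keys = ike_sa_init_keys(shared_secrets[chosen[KE_TYPE]], ni, nr, spii, spir)
    for ttype in sorted(t for t in chosen if t != KE_TYPE):
        if chosen[ttype] == NONE:
            continue                        # optional exchange was not performed
        keys = ike_intermediate_update(keys, shared_secrets[chosen[ttype]], ni, nr, spii, spir)
    return keys


if __name__ == "__main__":
    import os
    ni, nr, spii, spir = os.urandom(32), os.urandom(32), os.urandom(8), os.urandom(8)
    # 19 and 14 are real (EC)DH IDs; 1001 and 1002 are constructed placeholders
    chosen = select_key_exchanges({KE_TYPE: [19, 14], 5: [1001, NONE], 6: [1002, 19, NONE]},
                                  {14, 19, 1002})
    # constructed stand-ins for the (EC)DH and post-quantum shared secrets
    secrets = {19: os.urandom(32), 1002: os.urandom(32)}
    keys = run_initial_exchanges(chosen, secrets, ni, nr, spii, spir)
    print("selected:", chosen, "SK_d:", keys["SK_d"].hex())
```

With no Additional Key Exchange transforms chosen, `run_initial_exchanges` reduces to the plain RFC 7296 derivation, which is the backwards-compatibility property claimed in Section 1.2.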
The IKE_FOLLOWUP_KE exchange is introduced 568 as a dedicated exchange type to transfer data of additional key 569 exchanges following the key exchange performed in the 570 CREATE_CHILD_SA. Its Exchange Type is . 572 These key exchanges are performed in an order of the values of their 573 transform types, so that key exchange negotiated using Transform Type 574 n always precedes key exchange negotiated using Transform Type n + 1. 575 Each IKE_FOLLOWUP_KE exchange MUST bear exactly one key exchange 576 method. Key exchange negotiated via Transform Type 4 always takes 577 place in the CREATE_CHILD_SA exchange, as per IKEv2 specification. 579 Since after IKE SA is created the window size may be greater than one 580 and multiple concurrent exchanges may be in progress, it is essential 581 to link the IKE_FOLLOWUP_KE exchanges together and with the 582 corresponding CREATE_CHILD_SA exchange. A new status type 583 notification ADDITIONAL_KEY_EXCHANGE is used for this purpose. Its 584 Notify Message Type is , Protocol ID and SPI Size are 585 both set to 0. The data associated with this notification is a blob 586 meaningful only to the responder, so that the responder can correctly 587 link successive exchanges. For the initiator the content of this 588 notification is an opaque blob. 590 The responder MUST include this notification in a CREATE_CHILD_SA or 591 IKE_FOLLOWUP_KE response message in case the next exchange is 592 expected, filling it with some data that would allow linking this 593 exchange to the next one. The initiator MUST copy the received 594 notification with its content intact into the request message of the 595 next exchange. 597 Below is an example of three additional key exchanges. 
   Initiator                         Responder
   ---------------------------------------------------------------------
   HDR(CREATE_CHILD_SA), SK {SA, Ni, KEi}  -->
                            <--  HDR(CREATE_CHILD_SA), SK {SA, Nr, KEr,
                                 N(ADDITIONAL_KEY_EXCHANGE)(link1)}

   HDR(IKE_FOLLOWUP_KE), SK {KEi(1),
     N(ADDITIONAL_KEY_EXCHANGE)(link1)}  -->
                            <--  HDR(IKE_FOLLOWUP_KE), SK {KEr(1),
                                 N(ADDITIONAL_KEY_EXCHANGE)(link2)}

   HDR(IKE_FOLLOWUP_KE), SK {KEi(2),
     N(ADDITIONAL_KEY_EXCHANGE)(link2)}  -->
                            <--  HDR(IKE_FOLLOWUP_KE), SK {KEr(2),
                                 N(ADDITIONAL_KEY_EXCHANGE)(link3)}

   HDR(IKE_FOLLOWUP_KE), SK {KEi(3),
     N(ADDITIONAL_KEY_EXCHANGE)(link3)}  -->
                            <--  HDR(IKE_FOLLOWUP_KE), SK {KEr(3)}

The former "Diffie-Hellman Group Num" (now called "Key Exchange
Method") field in the KEi(n) and KEr(n) payloads MUST match the n-th
negotiated additional key exchange.

It is possible that due to some unexpected event (e.g. a reboot) the
initiator forgets that it is in the process of performing additional
key exchanges and never starts the next IKE_FOLLOWUP_KE exchange.
The responder MUST handle this situation gracefully and delete the
associated state if it does not receive the next expected
IKE_FOLLOWUP_KE request within some reasonable period of time.

If the responder receives an IKE_FOLLOWUP_KE request containing an
ADDITIONAL_KEY_EXCHANGE notification whose content does not
correspond to any active key exchange state the responder has, it
MUST send back a new error type notification STATE_NOT_FOUND.  This
is a non-fatal error notification; its Notify Message Type is ,
Protocol ID and SPI Size are both set to 0 and the data is empty.  If
the initiator receives this notification in response to an
IKE_FOLLOWUP_KE exchange performing an additional key exchange, it
MUST cancel this exchange and MUST treat the whole series of
exchanges started from the CREATE_CHILD_SA exchange as failed.
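The responder-side bookkeeping implied by the ADDITIONAL_KEY_EXCHANGE and
STATE_NOT_FOUND rules above, as an added Python model; it is not part of
this draft or of any IKEv2 implementation.  It assumes the link blob is a
random 16-octet token indexing the responder's table of pending series,
treats each token as single-use, enforces the negotiated order of methods
and the one-key-exchange-per-IKE_FOLLOWUP_KE rule, and deletes state whose
next request never arrives.  The method names "PQ_A", "PQ_B", "PQ_C" and
the KE_METHOD_MISMATCH result label are this example's placeholders; the
draft says the Key Exchange Method MUST match but not how a mismatch is
reported.

```python
import os

ADDITIONAL_KEY_EXCHANGE = "ADDITIONAL_KEY_EXCHANGE"   # status notification from the draft
STATE_NOT_FOUND = "STATE_NOT_FOUND"                   # error notification from the draft
KE_METHOD_MISMATCH = "KE_METHOD_MISMATCH"             # local result label, not a draft notification


class FollowupResponder:
    """Tracks series of IKE_FOLLOWUP_KE exchanges on the responder side.

    The ADDITIONAL_KEY_EXCHANGE data is opaque to the initiator; this model
    uses a random 16-octet token that indexes the responder's pending state.
    """

    def __init__(self, state_timeout=30.0):
        self.state_timeout = state_timeout   # seconds to wait for the next request (local choice)
        self.pending = {}                    # link token -> series state

    def _link(self, series, now):
        """Issue a fresh single-use link token for the next expected exchange."""
        token = os.urandom(16)
        series["deadline"] = now + self.state_timeout
        self.pending[token] = series
        return token

    def start_series(self, sa_id, additional_methods, now):
        """CREATE_CHILD_SA negotiated the given additional key exchange methods
        (in Transform Type order).  Returns the notification data for the
        CREATE_CHILD_SA response, or None if no follow-up exchange is expected."""
        if not additional_methods:
            return None
        series = {"sa_id": sa_id, "methods": list(additional_methods),
                  "next": 0, "shared": []}
        return self._link(series, now)

    def expire(self, now):
        """Drop series whose next IKE_FOLLOWUP_KE request never arrived."""
        for token in [t for t, s in self.pending.items() if s["deadline"] <= now]:
            del self.pending[token]

    def handle_followup(self, link, ke_method, shared_secret, now):
        """Process one IKE_FOLLOWUP_KE request carrying exactly one KE payload.

        Returns (notification, next_link, completed_series):
          (STATE_NOT_FOUND, None, None)          unknown or expired link
          (KE_METHOD_MISMATCH, None, None)       KE method is not the n-th negotiated one
          (ADDITIONAL_KEY_EXCHANGE, token, None) more exchanges follow
          (None, None, series)                   last exchange done; SAs can be created
        """
        self.expire(now)
        series = self.pending.pop(link, None)   # every link token is accepted once
        if series is None:
            return STATE_NOT_FOUND, None, None
        if ke_method != series["methods"][series["next"]]:
            return KE_METHOD_MISMATCH, None, None   # series abandoned
        series["shared"].append(shared_secret)
        series["next"] += 1
        if series["next"] < len(series["methods"]):
            return ADDITIONAL_KEY_EXCHANGE, self._link(series, now), None
        return None, None, series
```

Because the token is popped on every request, a retransmitted or replayed
IKE_FOLLOWUP_KE request carrying an already consumed link value gets
STATE_NOT_FOUND rather than advancing the series twice; a real
implementation would additionally rely on the IKEv2 Message ID window to
recognise retransmissions and resend the earlier response.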
In most cases, the receipt of this notification is caused by
premature deletion of the corresponding state on the responder (the
time period between IKE_FOLLOWUP_KE exchanges appeared too long from
the responder's point of view, e.g. due to a temporary network
failure).  After receiving this notification the initiator MAY start
a new CREATE_CHILD_SA exchange (eventually followed by
IKE_FOLLOWUP_KE exchanges) to retry the failed attempt.  If the
initiator continues to receive STATE_NOT_FOUND notifications after
several retries, it MUST treat this situation as a fatal error and
delete the IKE SA by sending a DELETE payload.

When rekeying an IKE SA or Child SA, it is possible that the peers
start doing this at the same time, which is called simultaneous
rekeying.  Sections 2.8.1 and 2.8.2 of [RFC7296] describe how IKEv2
handles this situation.  In a nutshell, IKEv2 follows the rule that
if, in the case of simultaneous rekeying, two identical new IKE SAs
(or two pairs of Child SAs) are created, then one of them should be
deleted.  Which one is to be deleted is determined by comparing the
values of the four nonces that were used in the colliding
CREATE_CHILD_SA exchanges: the IKE SA (or pair of Child SAs) that was
created by the exchange in which the smallest nonce was used should
be deleted by the initiator of that exchange.

With multiple key exchanges the SAs are not yet created when the
CREATE_CHILD_SA exchange is completed; they are created only after
the series of IKE_FOLLOWUP_KE exchanges is finished.  For this
reason, if additional key exchanges were negotiated in the
CREATE_CHILD_SA exchange initiated by the losing side, there is
nothing to delete and this side just stops the rekeying process: this
side MUST NOT initiate an IKE_FOLLOWUP_KE exchange with the next key
exchange.

In most cases, rekey collisions are resolved in the CREATE_CHILD_SA
exchange.
However, a situation may occur where, due to packet loss, one of the
peers receives a CREATE_CHILD_SA message requesting the rekeying of
an SA that is already being rekeyed by this peer (i.e. the
CREATE_CHILD_SA exchange initiated by this peer has already been
completed and the series of IKE_FOLLOWUP_KE exchanges is in
progress).  In this case, a TEMPORARY_FAILURE notification MUST be
sent in response to such a request.

If multiple key exchanges were negotiated in the CREATE_CHILD_SA
exchange, then the resulting keys are computed as follows.  In the
case of an IKE SA rekey:

   SKEYSEED = prf(SK_d, KE | Ni | Nr | KE(1) | ... | KE(n))

In the case of Child SA creation or rekey:

   KEYMAT = prf+ (SK_d, KE | Ni | Nr | KE(1) | ... | KE(n))

In both cases SK_d is from the existing IKE SA; KE, Ni and Nr are the
shared key and nonces from the CREATE_CHILD_SA exchange respectively;
KE(1)...KE(n) are the shared keys from the additional key exchanges.

4.  IANA Considerations

This document adds a new exchange type to the "IKEv2 Exchange Types"
registry:

   IKE_FOLLOWUP_KE

This document renames Transform Type 4 defined in the "Transform Type
Values" registry from "Diffie-Hellman Group (D-H)" to "Key Exchange
Method (KE)".

This document renames the IKEv2 registry "Transform Type 4 -
Diffie-Hellman Group Transform IDs" to "Transform Type 4 - Key
Exchange Method Transform IDs".
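The key derivations of Section 3.2.2 (the per-IKE_INTERMEDIATE update of
SKEYSEED(n) and the seven SK_* keys) and of Section 3.2.4 (SKEYSEED and
KEYMAT after a CREATE_CHILD_SA with additional key exchanges), worked
through as an added Python example.  This is illustrative code, not part
of the draft or of any IKEv2 implementation.  It assumes HMAC-SHA-256 as
the negotiated Transform Type 2 PRF and, for brevity, gives all seven SK_*
keys the PRF output length (RFC 7296 sizes SK_ei/SK_er to the encryption
algorithm); the nonces, SPIs and shared secrets are constructed fixed
values, not real key exchange output.

```python
import hashlib
import hmac

PRF_LEN = 32   # output length of the assumed PRF (HMAC-SHA-256, Transform Type 2)
KEY_NAMES = ("SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr")


def prf(key: bytes, data: bytes) -> bytes:
    """The negotiated PRF.  HMAC-SHA-256 is an assumption of this example."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ from RFC 7296, Section 2.13:
    T1 = prf(K, S | 0x01), Tn = prf(K, T(n-1) | S | n), output T1 | T2 | ..."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]


def intermediate_update(sk_d_prev, ke_n, ni, nr, spi_i, spi_r):
    """One IKE_INTERMEDIATE key update (Section 3.2.2):
    SKEYSEED(n) = prf(SK_d(n-1), KE(n) | Ni | Nr) and
    {SK_d(n) | ... | SK_pr(n)} = prf+(SKEYSEED(n), Ni | Nr | SPIi | SPIr).
    Simplification: every key gets PRF_LEN octets."""
    skeyseed_n = prf(sk_d_prev, ke_n + ni + nr)
    stream = prf_plus(skeyseed_n, ni + nr + spi_i + spi_r, PRF_LEN * len(KEY_NAMES))
    return {name: stream[i * PRF_LEN:(i + 1) * PRF_LEN]
            for i, name in enumerate(KEY_NAMES)}


def run_intermediate_chain(sk_d_init, additional_kes, ni, nr, spi_i, spi_r):
    """Apply the update once per additional key exchange, in negotiated order.
    SK_d(n-1) feeds the next step, so every KE(n) ends up in the final keys."""
    keys = {"SK_d": sk_d_init}
    for ke_n in additional_kes:
        keys = intermediate_update(keys["SK_d"], ke_n, ni, nr, spi_i, spi_r)
    return keys


def rekey_ike_skeyseed(sk_d, ke, ni, nr, additional_kes):
    """IKE SA rekey with additional key exchanges (Section 3.2.4):
    SKEYSEED = prf(SK_d, KE | Ni | Nr | KE(1) | ... | KE(n))."""
    return prf(sk_d, ke + ni + nr + b"".join(additional_kes))


def child_sa_keymat(sk_d, ke, ni, nr, additional_kes, length):
    """Child SA creation or rekey (Section 3.2.4):
    KEYMAT = prf+(SK_d, KE | Ni | Nr | KE(1) | ... | KE(n))."""
    return prf_plus(sk_d, ke + ni + nr + b"".join(additional_kes), length)


# Constructed, fixed sample values so the run is reproducible (not real traffic).
NI, NR = b"\x11" * 32, b"\x22" * 32
SPI_I, SPI_R = b"\x01" * 8, b"\x02" * 8
SK_D0 = b"\xaa" * PRF_LEN                      # SK_d right after IKE_SA_INIT (classical KE only)
KE_PQ1, KE_PQ2 = b"\x33" * 32, b"\x44" * 32    # two additional (e.g. post-quantum) shared secrets


def demo():
    """Derive the IKE SA keys after two IKE_INTERMEDIATE exchanges, then
    derive CREATE_CHILD_SA keys from the resulting SK_d."""
    ike_keys = run_intermediate_chain(SK_D0, [KE_PQ1, KE_PQ2], NI, NR, SPI_I, SPI_R)
    # A later CREATE_CHILD_SA with one classical KE plus one additional KE (constructed values):
    ke_child, ke_child_pq = b"\x55" * 32, b"\x66" * 32
    ni2, nr2 = b"\x77" * 32, b"\x88" * 32
    keymat = child_sa_keymat(ike_keys["SK_d"], ke_child, ni2, nr2, [ke_child_pq], 64)
    rekey_seed = rekey_ike_skeyseed(ike_keys["SK_d"], ke_child, ni2, nr2, [ke_child_pq])
    return ike_keys, keymat, rekey_seed
```

Two properties worth checking against this code are the ones the Security
Considerations rely on: an attacker who knows SK_d from IKE_SA_INIT and one
of the additional shared secrets but not the other cannot reproduce the
final SK_d, and the chained update is order-sensitive, which is why the
draft fixes the order of key exchanges by transform type.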
This document adds the following Transform Types to the "Transform
Type Values" registry:

   Type   Description                  Used In
   -----------------------------------------------------------------
          Additional Key Exchange 1    (optional in IKE, AH, ESP)
          Additional Key Exchange 2    (optional in IKE, AH, ESP)
          Additional Key Exchange 3    (optional in IKE, AH, ESP)
          Additional Key Exchange 4    (optional in IKE, AH, ESP)
          Additional Key Exchange 5    (optional in IKE, AH, ESP)
          Additional Key Exchange 6    (optional in IKE, AH, ESP)
          Additional Key Exchange 7    (optional in IKE, AH, ESP)

This document defines a new Notify Message Type in the "Notify
Message Types - Status Types" registry:

   ADDITIONAL_KEY_EXCHANGE

and a new Notify Message Type in the "Notify Message Types - Error
Types" registry:

   STATE_NOT_FOUND

5.  Security Considerations

The key length of the Encryption Algorithm (Transform Type 1), the
Pseudorandom Function (Transform Type 2) and the Integrity Algorithm
(Transform Type 3) all have to be of sufficient length to prevent
attacks using Grover's algorithm [GROVER].  In order to use the
extension proposed in this document, the key lengths of these
transforms SHALL be at least 256 bits in order to provide sufficient
resistance to quantum attacks.  Accordingly, the post-quantum
security level achieved is at least 128 bits.

SKEYSEED is calculated from the shared KE(x) values using the
algorithm defined in Transform Type 2.  While a quantum attacker may
learn the value of a KE(x) that was obtained by means of a classical
key exchange, the other KE(x) values generated by means of a
quantum-resistant algorithm ensure that the final SKEYSEED is not
compromised.  This assumes that the algorithm defined in Transform
Type 2 is post-quantum.

The main focus of this document is to prevent a passive attacker
performing a "harvest and decrypt" attack.
In other words, an attacker that records message exchanges today and
proceeds to decrypt them once it has a quantum computer.  This attack
is prevented due to the hybrid nature of the key exchange.  Other
attacks involving an active attacker using a quantum computer are not
completely solved by this document.  This is for two reasons.

The first reason is that the authentication step remains classical.
In particular, the authenticity of the SAs established under IKEv2 is
protected using a pre-shared key, RSA, DSA or ECDSA algorithms.
Whilst the pre-shared key option, provided the key is long enough, is
post-quantum, the other algorithms are not.  Moreover, in
implementations where scalability is a requirement, the pre-shared
key method may not be suitable.  Quantum-safe authenticity may be
provided by using a quantum-safe digital signature, and several
quantum-safe digital signature methods are being explored by the
IETF.  For example, if the implementation is able to reliably track
state, the hash-based method XMSS has the status of an RFC, see
[RFC8391].  Currently, quantum-safe authentication methods are not
specified in this document, but are planned to be incorporated in
due course.

It should be noted that the purpose of post-quantum algorithms is to
provide resistance to attacks mounted in the future.  The current
threat is that encrypted sessions are subject to eavesdropping and
archived, with decryption by quantum computers taking place at some
point in the future.  Until quantum computers become available there
is no point in attacking the authenticity of a connection because
there are no possibilities for exploitation.  These only occur at the
time of the connection, for example by mounting a man-in-the-middle
(MitM) attack.  Consequently, there is not such a pressing need for
quantum-safe authenticity.
This draft does not attempt to address key exchanges with KE payloads
longer than 64k; the current IKE payload format does not allow that
as a possibility.  If such huge KE payloads are required, a
workaround (such as making the KE payload a URL and a hash of the
real payload) would be needed.  At the current time, it appears
likely that there will be plenty of key exchanges available that
would not require such a workaround.

6.  Acknowledgements

The authors would like to thank Frederic Detienne and Olivier Pelerin
for their comments and suggestions, including the idea to negotiate
the post-quantum algorithms using the existing KE payload.  The
authors are also grateful to Tobias Heider and Tobias Guggemos for
valuable comments.

7.  References

7.1.  Normative References

[I-D.ietf-ipsecme-ikev2-intermediate]
           Smyslov, V., "Intermediate Exchange in the IKEv2 Protocol",
           draft-ietf-ipsecme-ikev2-intermediate-04 (work in
           progress), June 2020.

[RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
           Requirement Levels", BCP 14, RFC 2119,
           DOI 10.17487/RFC2119, March 1997.

[RFC7296]  Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T.
           Kivinen, "Internet Key Exchange Protocol Version 2
           (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October
           2014.

[RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
           2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
           May 2017.

7.2.  Informative References

[GROVER]   Grover, L., "A Fast Quantum Mechanical Algorithm for
           Database Search", Proc. of the Twenty-Eighth Annual ACM
           Symposium on the Theory of Computing (STOC 1996), 1996.

[RFC4302]  Kent, S., "IP Authentication Header", RFC 4302,
           DOI 10.17487/RFC4302, December 2005.

[RFC4303]  Kent, S., "IP Encapsulating Security Payload (ESP)",
           RFC 4303, DOI 10.17487/RFC4303, December 2005.
[RFC7383]  Smyslov, V., "Internet Key Exchange Protocol Version 2
           (IKEv2) Message Fragmentation", RFC 7383,
           DOI 10.17487/RFC7383, November 2014.

[RFC8229]  Pauly, T., Touati, S., and R. Mantha, "TCP Encapsulation
           of IKE and IPsec Packets", RFC 8229, DOI 10.17487/RFC8229,
           August 2017.

[RFC8391]  Huelsing, A., Butin, D., Gazdag, S., Rijneveld, J., and A.
           Mohaisen, "XMSS: eXtended Merkle Signature Scheme",
           RFC 8391, DOI 10.17487/RFC8391, May 2018.

[RFC8784]  Fluhrer, S., Kampanakis, P., McGrew, D., and V. Smyslov,
           "Mixing Preshared Keys in the Internet Key Exchange
           Protocol Version 2 (IKEv2) for Post-quantum Security",
           RFC 8784, DOI 10.17487/RFC8784, June 2020.

Appendix A.  Alternative Design

This section gives an overview of a number of alternative approaches
that we have considered, but later discarded.  These approaches are:

o  Sending the classical and post-quantum key exchanges as a single
   transform

   We considered combining the various key exchanges into a single
   large KE payload; this effort is documented in a previous version
   of this draft (draft-tjhai-ipsecme-hybrid-qske-ikev2-01).  This
   does allow us to cleanly apply hybrid key exchanges during the
   Child SA; however, it does add considerable complexity and
   requires an independent fragmentation solution.

o  Sending post-quantum proposals and policies in the KE payload only

   With the objective of not introducing unnecessary notify payloads,
   we considered communicating the hybrid post-quantum proposal in
   the KE payload during the first pass of the protocol exchange.
   Unfortunately, this design is susceptible to the following
   downgrade attack.  Consider the scenario where there is a MitM
   attacker sitting between an initiator and a responder.
   The initiator proposes, through the SAi payload, to use a hybrid
   post-quantum group and as a backup a Diffie-Hellman group, and
   through the KEi payload the initiator proposes a list of hybrid
   post-quantum proposals and policies.  The MitM attacker intercepts
   this traffic and replies with N(INVALID_KE_PAYLOAD), suggesting a
   downgrade to the backup Diffie-Hellman group instead.  The
   initiator then resends the same SAi payload and a KEi payload
   containing the public value of the backup Diffie-Hellman group.
   Note that the attacker may forward only the second IKE_SA_INIT
   message to the responder, and therefore at this point in time the
   responder will not have the information that the initiator prefers
   the hybrid group.  Of course, it is possible for the responder to
   have a policy to reject an IKE_SA_INIT message that (a) offers a
   hybrid group without offering the corresponding public value in
   the KEi payload, when (b) the responder has not specifically
   acknowledged that it does not support the requested hybrid group.
   However, checking this policy introduces unnecessary protocol
   complexity.  Therefore, in order to fully prevent any downgrade
   attacks, using the KE payload alone is not sufficient, and the
   initiator MUST always indicate its preferred post-quantum
   proposals and policies in a notify payload in the subsequent
   IKE_SA_INIT messages following an N(INVALID_KE_PAYLOAD) response.

o  New payload types to negotiate a hybrid proposal and to carry
   post-quantum public values

   Semantically, it makes sense to use a new payload type, which
   mimics the SA payload, to carry a hybrid proposal.  Likewise,
   another new payload type that mimics the KE payload could be used
   to transport the hybrid public value.
   Although in theory a new payload type could be made backwards
   compatible by not setting its critical flag, as per Section 2.5 of
   RFC7296, we believe that it may not be that simple in practice.
   Since the original release of IKEv2 in RFC4306, no new payload
   type has ever been proposed, and therefore this creates a
   potential risk of backward compatibility issues with IKEv2
   implementations that do not conform to the RFC.  Since we could
   not see any other compelling advantage apart from a semantic one,
   we use the existing transform type and notify payloads instead.
   In fact, as described above, we use the KE payload in the first
   IKE_SA_INIT request round and the notify payload to carry the
   post-quantum proposals and policies.  We use one or more of the
   existing KE payloads to carry the hybrid public values.

o  Hybrid public value payload

   One way to transport the negotiated hybrid public payload, which
   contains one classical Diffie-Hellman public value and one or more
   post-quantum public values, is to bundle these into a single KE
   payload.  Alternatively, these could also be transported in a
   single new hybrid public value payload, but following the same
   reasoning as above, this may not be a good idea from a backward
   compatibility perspective.  Using a single KE payload would
   require an encoding or formatting to be defined so that both peers
   are able to compose and extract the individual public values.
   However, we believe that it is cleaner to send the hybrid public
   values in multiple KE payloads, one for each group or algorithm.
   Furthermore, at this point in the protocol exchange, both peers
   should have indicated support for handling multiple KE payloads.

o  Fragmentation

   Handling of large IKE_SA_INIT messages has been one of the most
   challenging tasks.
   A number of approaches have been considered, and the two prominent
   ones that we have discarded are outlined as follows.

   The first approach was to treat the entire IKE_SA_INIT message as
   a stream of bytes, which we then split into a number of fragments,
   each of which is wrapped in a payload that would fit into the size
   of the network MTU.  The payload that wraps each fragment is a new
   payload type, and it was envisaged that this new payload type
   would not cause a backward compatibility issue because at this
   stage of the protocol both peers should have indicated support for
   fragmentation in the first pass of the IKE_SA_INIT exchange.  The
   negotiation of fragmentation is performed using a notify payload,
   which also defines supporting parameters such as the size of a
   fragment in octets and the fragment identifier.  The new payload
   that wraps each fragment of the messages in this exchange is
   assigned the same fragment identifier.  Furthermore, it also
   carries other parameters such as a fragment index and the total
   number of fragments.  We decided to discard this approach due to
   its blanket approach to fragmentation.  In cases where only a few
   payloads need to be fragmented, we felt that this approach is
   overly complicated.

   Another idea that was discarded was fragmenting an individual
   payload without introducing a new payload type.  The idea was to
   use the 9th bit (the bit after the critical flag in the RESERVED
   field) in the generic payload header as a flag to mark that this
   payload is fragmented.  As an example, if a KE payload is to be
   fragmented, it may look as follows.
                         1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    | Next Payload  |C|F| RESERVED  |         Payload Length        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |  Diffie-Hellman Group Number  |      Fragment Identifier      |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |        Fragment Index         |        Total Fragments        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                 Total KE Payload Data Length                  |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                                                               |
    ~                     Fragmented KE Payload                     ~
    |                                                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   When the flag F is set, this means the current KE payload is a
   fragment of a larger KE payload.  The Payload Length field denotes
   the size of this payload fragment in octets, including the size of
   the generic payload header.  The two-octet RESERVED field
   following the Diffie-Hellman Group Number was to be used as a
   fragment identifier to help assembly and disassembly of fragments.
   The Fragment Index and Total Fragments fields are self-explanatory.
   The Total KE Payload Data Length indicates the size of the
   assembled KE payload data in octets.  Finally, the actual fragment
   is carried in the Fragmented KE Payload field.

   We discarded this approach because we believe that the working
   group may not be happy using the RESERVED field to change the
   format of a packet, and that implementers may not like the
   complexity added by checking the fragmentation flag in each
   received payload.  More importantly, fragmenting the messages in
   this way may leave the system more prone to denial of service
   (DoS) attacks.  By using IKE_INTERMEDIATE to transport the large
   post-quantum key exchange payloads, there is no longer any issue
   with fragmentation.
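   The discarded fragment format above, encoded and parsed as an added
   Python example; this is not code from the draft or from any IKEv2
   implementation.  The 16-octet header layout and the position of the
   F flag (bit 9, right after the critical flag) are taken from the
   figure; the reassembly limits on Total Fragments and Total KE Payload
   Data Length are this example's own defensive choices, added because
   the text notes that fragmenting payloads this way makes the receiver
   more exposed to resource-exhaustion DoS.  The group number, fragment
   identifier and payload data are constructed sample values.

```python
import struct

HDR_LEN = 16            # generic payload header (4) + fragment fields (12), per the figure
FLAG_C = 0x80           # bit 8 of the header: critical flag (RFC 7296 generic payload header)
FLAG_F = 0x40           # bit 9: the fragment flag proposed (and discarded) above
HDR_FMT = "!BBHHHHHI"   # Next Payload, flags, Payload Length, Group, Frag ID, Index, Total, Total Length
MAX_FRAGMENTS = 64          # local defensive limit, not from the draft
MAX_TOTAL_LENGTH = 65535    # local defensive limit on the reassembled KE data


def encode_fragments(next_payload, group, frag_id, data, frag_size):
    """Split KE data into fragments in the discarded format, each carrying frag_size octets."""
    chunks = [data[i:i + frag_size] for i in range(0, len(data), frag_size)] or [b""]
    return [struct.pack(HDR_FMT, next_payload, FLAG_F, HDR_LEN + len(c), group,
                        frag_id, idx, len(chunks), len(data)) + c
            for idx, c in enumerate(chunks)]


def parse_fragment(buf):
    """Validate one fragment and return its fields; raise ValueError on malformed input."""
    if len(buf) < HDR_LEN:
        raise ValueError("payload shorter than fragment header")
    (next_payload, flags, plen, group, frag_id,
     index, total, total_len) = struct.unpack(HDR_FMT, buf[:HDR_LEN])
    if not flags & FLAG_F:
        raise ValueError("F flag not set: not a fragment")
    if plen != len(buf):
        raise ValueError("Payload Length does not match payload size")
    if total == 0 or index >= total:
        raise ValueError("Fragment Index out of range")
    return {"next_payload": next_payload, "critical": bool(flags & FLAG_C),
            "group": group, "frag_id": frag_id, "index": index,
            "total": total, "total_len": total_len, "data": buf[HDR_LEN:]}


def fragment_error(buf):
    """Return the validation error for buf, or None if it parses."""
    try:
        parse_fragment(buf)
        return None
    except ValueError as exc:
        return str(exc)


class Reassembler:
    """Reassemble fragments keyed by (group, Fragment Identifier) with bounded state."""

    def __init__(self, max_fragments=MAX_FRAGMENTS, max_total_len=MAX_TOTAL_LENGTH):
        self.max_fragments = max_fragments
        self.max_total_len = max_total_len
        self.pending = {}   # (group, frag_id) -> {"total", "total_len", "parts"}

    def add(self, buf):
        """Add one fragment; return the reassembled KE data when complete, else None."""
        f = parse_fragment(buf)
        if f["total"] > self.max_fragments or f["total_len"] > self.max_total_len:
            raise ValueError("fragment set exceeds local limits")
        key = (f["group"], f["frag_id"])
        entry = self.pending.setdefault(
            key, {"total": f["total"], "total_len": f["total_len"], "parts": {}})
        if (entry["total"], entry["total_len"]) != (f["total"], f["total_len"]):
            del self.pending[key]
            raise ValueError("inconsistent Total Fragments / Total Length within set")
        if entry["parts"].get(f["index"], f["data"]) != f["data"]:
            del self.pending[key]
            raise ValueError("conflicting duplicate fragment")
        entry["parts"][f["index"]] = f["data"]
        if len(entry["parts"]) < entry["total"]:
            return None
        del self.pending[key]
        data = b"".join(entry["parts"][i] for i in range(entry["total"]))
        if len(data) != entry["total_len"]:
            raise ValueError("reassembled length does not match Total KE Payload Data Length")
        return data
```

   The checks before any buffering are the point: a fragment set is
   rejected before memory is committed if its declared fragment count or
   total length exceeds the local limits, and an inconsistent or
   conflicting fragment discards the whole set rather than leaving
   partially trusted state behind.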
o  Group sub-identifier

   As discussed before, each group identifier is used to distinguish
   a post-quantum algorithm.  Further classification could be made on
   a particular post-quantum algorithm by assigning an additional
   value alongside the group identifier.  This sub-identifier value
   may be used to assign different security parameter sets to a given
   post-quantum algorithm.  However, this level of detail does not
   fit the principles of this document, which should deal with a
   generic hybrid key exchange protocol, not a specific ciphersuite.
   Furthermore, there are enough Diffie-Hellman group identifiers
   should this be required in the future.

Authors' Addresses

   C. Tjhai
   Post-Quantum

   Email: cjt@post-quantum.com

   M. Tomlinson
   Post-Quantum

   Email: mt@post-quantum.com

   G. Bartlett
   Quantum Secret

   Email: graham.ietf@gmail.com

   S. Fluhrer
   Cisco Systems

   Email: sfluhrer@cisco.com

   D. Van Geest
   ISARA Corporation

   Email: daniel.vangeest@isara.com

   O. Garcia-Morchon
   Philips

   Email: oscar.garcia-morchon@philips.com

   Valery Smyslov
   ELVIS-PLUS

   Email: svan@elvis.ru