idnits 2.17.1 draft-ietf-ipsecme-ikev2-multiple-ke-00.txt:

Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.

Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.

Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
No issues found here.

Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not match the current year

== Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean).

   Found 'MUST not' in this paragraph:

   With multiple key exchanges the SAs are not yet created when the CRETE_CHILD_SA is completed, they would be created only after the series of IKE_FOLLOWUP_KE exchanges is finished. For this reason if additional key exchanges were negotiated in the CREATE_CHILD_SA initiated by the losing side, there is nothing to delete and this side just stops the rekeying process - this side MUST not initiate IKE_FOLLOWUP_KE exchange with next key exchange.

-- The document date (January 8, 2020) is 1563 days in the past. Is this intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs)

== Outdated reference: A later version (-10) exists of draft-ietf-ipsecme-ikev2-intermediate-03

== Outdated reference: A later version (-11) exists of draft-ietf-ipsecme-qr-ikev2-10

-- Obsolete informational reference (is this intentional?): RFC 8229 (Obsoleted by RFC 9329)

Summary: 0 errors (**), 0 flaws (~~), 4 warnings (==), 2 comments (--).

Run idnits with the --verbose option for more detailed information about the items above.

--------------------------------------------------------------------------------

Internet Engineering Task Force (IETF)                          C. Tjhai
Internet-Draft                                              M. Tomlinson
Updates: 7296 (if approved)                                 Post-Quantum
Intended status: Standards Track                             G. Bartlett
Expires: July 11, 2020                                        S. Fluhrer
                                                           Cisco Systems
                                                            D. Van Geest
                                                       ISARA Corporation
                                                       O. Garcia-Morchon
                                                                 Philips
                                                              V. Smyslov
                                                              ELVIS-PLUS
                                                         January 8, 2020

                     Multiple Key Exchanges in IKEv2
                 draft-ietf-ipsecme-ikev2-multiple-ke-00

Abstract

This document describes how to extend the Internet Key Exchange Protocol Version 2 (IKEv2) to allow multiple key exchanges to take place while computing a shared secret during a Security Association (SA) setup. The primary application of this feature in IKEv2 is the ability to perform one or more post-quantum key exchanges in conjunction with the classical (Elliptic Curve) Diffie-Hellman key exchange, so that the resulting shared key is resistant against quantum computer attacks. Another possible application is the ability to combine several key exchanges in situations when no single key exchange algorithm is trusted by both initiator and responder.
This document updates RFC7296 by renaming transform type 4 from "Diffie-Hellman Group (D-H)" to "Key Exchange Method (KE)" and renaming a field in the Key Exchange Payload from "Diffie-Hellman Group Num" to "Key Exchange Method". It also renames an IANA registry for this transform type from "Transform Type 4 - Diffie-Hellman Group Transform IDs" to "Transform Type 4 - Key Exchange Method Transform IDs". These changes generalize the key exchange algorithms that can be used in IKEv2.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on July 11, 2020.

Copyright Notice

Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

1. Introduction
   1.1. Problem Description
   1.2. Proposed Extension
   1.3. Changes
   1.4. Document Organization
2. Design Criteria
3. Multiple Key Exchanges
   3.1. Overall design
   3.2. Overall Protocol
      3.2.1. IKE_SA_INIT Round: Negotiation
      3.2.2. IKE_INTERMEDIATE Round: Additional Key Exchanges
      3.2.3. IKE_AUTH Exchange
      3.2.4. CREATE_CHILD_SA Exchange
4. IANA Considerations
5. Security Considerations
6. Acknowledgements
7. References
   7.1. Normative References
   7.2. Informative References
Appendix A. Alternative Design
Authors' Addresses

1. Introduction

1.1. Problem Description

Internet Key Exchange Protocol (IKEv2) as specified in [RFC7296] uses the Diffie-Hellman (DH) or Elliptic Curve Diffie-Hellman (ECDH) algorithm to establish a shared secret between an initiator and a responder. The security of the DH and ECDH algorithms relies on the difficulty of solving the discrete logarithm problem in multiplicative and elliptic curve groups respectively when the order of the group parameter is large enough.
While solving such a problem remains difficult with current computing power, it is believed that general purpose quantum computers will be able to solve this problem, implying that the security of IKEv2 is compromised. There are, however, a number of cryptosystems that are conjectured to be resistant against quantum computer attack. This family of cryptosystems is known as post-quantum cryptography (PQC). It is sometimes also referred to as quantum-safe cryptography (QSC) or quantum-resistant cryptography (QRC).

1.2. Proposed Extension

This document describes a method to perform multiple successive key exchanges in IKEv2. It allows integration of QSC in IKEv2, while maintaining backwards compatibility, to derive a set of IKE keys that is resistant to quantum computer attacks. This extension allows the negotiation of one or more QSC algorithms to exchange data, in addition to the existing DH or ECDH key exchange data. We believe that the feature of using more than one post-quantum algorithm is important as many of these algorithms are relatively new and there may be a need to hedge the security risk with multiple key exchange data from several distinct QSC algorithms.

The secrets established from each key exchange are combined in such a way that, should the post-quantum secrets not be present, the derived shared secret is equivalent to that of standard IKEv2; on the other hand, a post-quantum shared secret is obtained if both classical and post-quantum key exchange data are present. This extension also applies to key exchanges in IKE Security Associations (SAs) for Encapsulating Security Payload (ESP) [RFC4303] or Authentication Header (AH) [RFC4302], i.e. Child SAs, in order to provide a stronger guarantee of forward security.
Some post-quantum key exchange payloads may be larger than the standard maximum transmission unit (MTU) size, and therefore there could be issues with fragmentation at the IP layer. IKE does allow transmission over TCP where fragmentation is not an issue [RFC8229]; however, we believe that a UDP-based solution will be required too.

IKE does have a mechanism to handle fragmentation within UDP [RFC7383]; however, that is only applicable to messages exchanged after the IKE_SA_INIT. To use this mechanism, this specification relies on the IKE_INTERMEDIATE exchange as outlined in [I-D.ietf-ipsecme-ikev2-intermediate]. With this mechanism, we do an initial key exchange, using a smaller, possibly non-quantum-resistant primitive, such as ECDH. Then, before we do the IKE_AUTH exchange, we perform one or more IKE_INTERMEDIATE exchanges, each of which contains an additional key exchange. As the IKE_INTERMEDIATE exchange is encrypted, the IKE fragmentation protocol [RFC7383] can be used. The IKE SK_* values are updated after each exchange, and so the final IKE SA keys depend on all the key exchanges; hence they are secure if any of the key exchanges is secure.

Note that readers should consider the approach defined in this document as providing a long-term solution for upgrading the IKEv2 protocol to support post-quantum algorithms. A short-term solution to make the IKEv2 key exchange quantum secure is to use post-quantum pre-shared keys as discussed in [I-D.ietf-ipsecme-qr-ikev2].

Note also that the proposed approach of performing multiple successive key exchanges in such a way that the resulting session keys depend on all of them is not limited to achieving quantum resistance. It can also be used when all the performed key exchanges are classical (EC)DH ones, but for some reason (e.g. policy requirements) it is essential to perform several of them.

1.3. Changes

RFC EDITOR PLEASE DELETE THIS SECTION.

Changes in this draft in each version iteration.

draft-ietf-ipsecme-ikev2-multiple-ke-00

o Draft name changed as a result of WG adoption and generalization of the approach.

o New exchange IKE_FOLLOWUP_KE is defined for additional key exchanges performed after CREATE_CHILD_SA.

o Nonces are removed from all additional key exchanges.

o Clarification that IKE_INTERMEDIATE must be negotiated is added.

draft-tjhai-ipsecme-hybrid-qske-ikev2-04

o Clarification about key derivation in case of multiple key exchanges in CREATE_CHILD_SA is added.

o Resolving rekey collisions in case of multiple key exchanges is clarified.

draft-tjhai-ipsecme-hybrid-qske-ikev2-03

o Using multiple key exchanges in CREATE_CHILD_SA is defined.

draft-tjhai-ipsecme-hybrid-qske-ikev2-02

o Use new transform types to negotiate additional key exchanges, rather than using the KE payloads of the IKE SA.

draft-tjhai-ipsecme-hybrid-qske-ikev2-01

o Use IKE_INTERMEDIATE to perform multiple key exchanges in succession.

o Handle fragmentation by keeping the first key exchange (a standard IKE_SA_INIT with a few extra notifies) small, and encrypting the rest of the key exchanges.

o Simplify the negotiation of the 'extra' key exchanges.

draft-tjhai-ipsecme-hybrid-qske-ikev2-00

o We added a feature to allow more than one post-quantum key exchange algorithm to be negotiated and used to exchange a post-quantum shared secret.

o Instead of relying on TCP encapsulation to deal with IP level fragmentation, we introduced a new key exchange payload that can be sent as multiple fragments within the IKE_SA_INIT message.

1.4. Document Organization

The remainder of this document is organized as follows. Section 2 summarizes design criteria.
Section 3 describes how multiple key exchanges are performed between two IKE peers and how keying material is derived for both IKE SAs and Child SAs. A summary of alternative approaches that have been considered, but later discarded, is given in Appendix A. Section 4 discusses IANA considerations for the namespaces introduced in this document, and lastly Section 5 discusses security considerations.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

2. Design Criteria

The design of the proposed extension is driven by the following criteria:

1) Need for post-quantum cryptography in IPsec. Quantum computers might become feasible in the near future. If current Internet communications are monitored and recorded today (D), the communications could be decrypted as soon as a quantum computer is available (e.g., year Q) if key negotiation only relies on non-post-quantum primitives. This is a high threat for any information that must remain confidential for a long period of time T > Q-D. The need is obvious if we assume that Q is 2040, D is 2020, and T is 30 years. Such a value of T is typical for classified or healthcare data.

2) Hybrid. Currently, there does not exist a post-quantum key exchange that is trusted at the level that ECDH is trusted against conventional (non-quantum) adversaries. A hybrid solution allows post-quantum algorithms to be introduced next to well-established primitives, since the overall security is at least as strong as each individual primitive.

3) Focus on quantum-resistant confidentiality.
A passive attacker can eavesdrop on IPsec communication today and decrypt it once a quantum computer is available in the future. This is a very serious attack for which we do not have a solution. An attacker can only perform active attacks such as impersonation of the communicating peers once a quantum computer is available, sometime in the future. Thus, our design focuses on quantum-resistant confidentiality due to the urgency of this problem. This document does not address quantum-resistant authentication since it is less urgent at this stage.

4) Limit amount of exchanged data. The protocol design should be such that the amount of exchanged data, such as public keys, is kept as small as possible even if initiator and responder need to agree on a hybrid group or multiple public keys need to be exchanged.

5) Future proof. Any cryptographic algorithm could potentially be broken in the future by currently unknown or impractical attacks: quantum computers are merely the most concrete example of this. The design does not categorize algorithms as "post-quantum" or "non-post-quantum" and does not create assumptions about the properties of the algorithms, meaning that if algorithms with different properties become necessary in the future, this extension can be used unchanged to facilitate migration to those algorithms.

6) Limited amount of changes. A key goal is to limit the number of changes required when enabling a post-quantum handshake. This ensures easier and quicker adoption in existing implementations.

7) Localized changes. Another key requirement is that changes to the protocol are limited in scope, in particular limiting changes in the exchanged messages and in the state machine, so that they can be easily implemented.

8) Deterministic operation.
This requirement means that the hybrid post-quantum exchange, and thus the computed keys, will be based on algorithms that both client and server wish to support.

9) Fragmentation support. Some PQC algorithms could be relatively bulky and they might require fragmentation. Thus, a design goal is the adaptation and adoption of an existing fragmentation method or the design of a new method that allows for the fragmentation of the key shares.

10) Backwards compatibility and interoperability. This is a fundamental requirement to ensure that hybrid post-quantum IKEv2 and non-post-quantum IKEv2 implementations are interoperable.

11) Federal Information Processing Standards (FIPS) compliance. IPsec is widely used in Federal Information Systems and FIPS certification is an important requirement. However, algorithms that are believed to be post-quantum are not FIPS compliant yet. Still, the goal is that the overall hybrid post-quantum IKEv2 design can be FIPS compliant.

12) Ability to use this method with multiple classical (EC)DH key exchanges. In some situations peers have no single mutually trusted key exchange algorithm (e.g., due to local policy restrictions). The ability to combine two (or more) key exchange methods in such a way that the resulting shared key depends on all of them allows peers to communicate in this situation.

3. Multiple Key Exchanges

3.1. Overall design

This design assigns new Transform Type 4 identifiers to the various post-quantum key exchanges (which will be defined later). We specifically do not make a distinction between classical (DH and ECDH) and post-quantum key exchanges, nor between post-quantum algorithms which are true key exchanges and post-quantum algorithms that act as key transport mechanisms; all are treated equivalently by the protocol.
To be more specific, this document renames Transform Type 4 from "Diffie-Hellman Group (D-H)" to "Key Exchange Method (KE)" and renames a field in the Key Exchange Payload from "Diffie-Hellman Group Num" to "Key Exchange Method". The corresponding IANA registry is also renamed from "Diffie-Hellman Group Transform IDs" to "Key Exchange Method Transform IDs".

In order to support IKE fragmentation for additional key exchanges that may have long public keys, the proposed framework utilizes the IKE_INTERMEDIATE exchange defined in [I-D.ietf-ipsecme-ikev2-intermediate].

In order to minimize communication overhead, only the key shares that are agreed to be used are actually exchanged. In order to achieve this, several new Transform Types are defined, each sharing possible Transform IDs with Transform Type 4. The IKE_SA_INIT message includes one or more newly defined SA transforms that list the extra key exchange policy required by the initiator; the responder selects a single transform of each type, and returns them in the IKE_SA_INIT response message. Then, provided that additional key exchanges are negotiated, the initiator and the responder perform one or more IKE_INTERMEDIATE exchanges; each such exchange includes a KE payload for one of the negotiated key exchanges.

Here is an overview of the initial exchanges:

   Initiator                                                 Responder
   ---------------------------------------------------------------------
   <--  IKE_SA_INIT (additional key exchanges negotiation)  -->

   <--  {IKE_INTERMEDIATE (additional key exchange)}  -->

   ...

   <--  {IKE_INTERMEDIATE (additional key exchange)}  -->

   <--  {IKE_AUTH}  -->

The additional key exchanges may use algorithms that are currently considered to be resistant to quantum computer attacks. These algorithms are collectively referred to as post-quantum algorithms in this document.
However, it is also possible to use classical (EC)DH primitives for non-post-quantum requirements.

Most post-quantum key agreement algorithms are relatively new, and thus are not fully trusted. There are also many proposed algorithms, with different trade-offs and relying on different hard problems. The concern is that some of these hard problems may turn out to be easier to solve than anticipated (and thus the key agreement algorithm may not be as secure as expected). A hybrid solution allows us to deal with this uncertainty by combining a classical key exchange with a post-quantum one, as well as leaving open the possibility of multiple post-quantum key exchanges.

The method that we use to perform additional key exchanges also addresses the fragmentation issue. The initial IKE_INIT messages do not have any inherent fragmentation support within IKE; however, they can include a relatively short KE payload (e.g. one for group 14, 19 or 31). The rest of the KE payloads are encrypted within IKE_INTERMEDIATE messages; because they are encrypted, the standard IKE fragmentation solution [RFC7383] is available.

The fact that all Additional Key Exchange Transform Types share the same registry with Transform Type 4 allows additional key exchanges to be of any type, either post-quantum ones or classical (EC)DH ones. This approach allows any combination of defined key exchange methods to take place. This also allows performing a single post-quantum key exchange in the IKE_SA_INIT without additional key exchanges, provided that IP fragmentation is not an issue and that hybrid key exchange is not needed.

3.2. Overall Protocol
In the simplest case, the initiator is happy with a single key exchange (and has no interest in supporting multiple), and it is not concerned with possible fragmentation of the IKE_SA_INIT messages (either because the key exchange it selects is small enough not to fragment, or the initiator is confident that fragmentation will be handled either by IP fragmentation or by transport via TCP).

In this case, the initiator performs the IKE_SA_INIT as standard, inserting a preferred key exchange (which is possibly a post-quantum algorithm) as the listed Transform Type 4, and including the initiator KE payload. If the responder accepts the policy, it responds with an IKE_SA_INIT response, and IKE continues as usual.

If the initiator desires to negotiate multiple key exchanges, or it needs IKE to handle any possible fragmentation, then the initiator uses the protocol described below.

3.2.1. IKE_SA_INIT Round: Negotiation

Multiple key exchanges are negotiated using the standard IKEv2 mechanism, via the SA payload. For this purpose several new transform types, namely Additional Key Exchange 1, Additional Key Exchange 2, Additional Key Exchange 3, etc., are defined. They are collectively called Additional Key Exchanges and have slightly different semantics than existing IKEv2 transform types. They are interpreted as additional key exchanges that peers agreed to perform in a series of IKE_INTERMEDIATE exchanges. The possible transform IDs for these transform types are the same as the IDs for Transform Type 4, so they all share a single IANA registry for transform IDs.

The key exchange method negotiated via Transform Type 4 MUST always take place in the IKE_SA_INIT exchange.
Additional key exchanges negotiated via the newly defined transforms MUST take place in a series of IKE_INTERMEDIATE exchanges, in the order of the values of their transform types, so that the key exchange negotiated using Transform Type n always precedes that of Transform Type n + 1. Each IKE_INTERMEDIATE exchange MUST bear exactly one key exchange method. Note that with these semantics, Additional Key Exchange transforms are not associated with any particular type of key exchange and don't have any per-transform-type IANA registry of transform IDs. Instead they all share a single registry for transform IDs, "Key Exchange Method Transform IDs", together with Transform Type 4. All new key exchange algorithms (both classical and post-quantum) should be added to this registry. This approach gives peers flexibility in defining the ways they want to combine different key exchange methods.

When forming a proposal the initiator adds transforms for the IKE_SA_INIT exchange using Transform Type 4. In most cases they will contain classical key exchange methods (DH or ECDH); however, it is not a requirement. Additional key exchange methods are proposed using the Additional Key Exchange transform types. All these transform types are optional; the initiator is free to select any of them for proposing additional key exchange methods. Consequently, if none of the Additional Key Exchange transforms are included in the proposal, then this proposal indicates performing standard IKEv2, as defined in [RFC7296]. If the initiator includes any transform of type n (where n is among the Additional Key Exchanges) in the proposal, the responder MUST select one of the algorithms proposed using this type. A transform ID NONE may be added to those transform types which contain key exchange methods that the initiator believes are optional.
If the initiator includes any Additional Key Exchange transform types in the SA payload, it MUST also negotiate the use of the IKE_INTERMEDIATE exchange as described in [I-D.ietf-ipsecme-ikev2-intermediate], by including the INTERMEDIATE_EXCHANGE_SUPPORTED notification in the IKE_SA_INIT request message. If the responder agrees to use additional key exchanges, it MUST also return this notification, thus confirming that the IKE_INTERMEDIATE exchange is supported and will be used for transferring additional key exchange data. Presence of Additional Key Exchange transform types in the SA payload without negotiation of the IKE_INTERMEDIATE exchange MUST be treated as a protocol error by both initiator and responder.

The responder performs negotiation using the standard IKEv2 procedure described in Section 3.3 of [RFC7296]. However, for the Additional Key Exchange types the responder's choice MUST NOT contain equal transform IDs (apart from NONE), and the ID selected for Transform Type 4 MUST NOT appear in any of the Additional Key Exchange transforms. In other words, all selected key exchange methods must be different.

3.2.2. IKE_INTERMEDIATE Round: Additional Key Exchanges

For each extra key exchange agreed to in the IKE_SA_INIT exchange, the initiator and the responder perform one IKE_INTERMEDIATE exchange, as described in [I-D.ietf-ipsecme-ikev2-intermediate].

These exchanges are as follows:

   Initiator                                                 Responder
   ---------------------------------------------------------------------
   HDR, SK {KEi(n)}  -->
                                               <--  HDR, SK {KEr(n)}

The initiator sends key exchange data in the KEi(n) payload. This packet is protected with the current SK_ei/SK_ai keys.

On receiving this, the responder sends back the key exchange payload KEr(n); again, this packet is protected with the current SK_er/SK_ar keys.
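The selection rules of Section 3.2.1 (one method per Additional Key Exchange type, NONE marking an optional exchange, the INTERMEDIATE_EXCHANGE_SUPPORTED requirement, and all chosen methods distinct) can be written as a small responder-side routine. The following is an added illustration, not code from the draft or from any IKEv2 implementation. The draft does not assign numbers to the Additional Key Exchange transform types in this section, so the values in ADDL_KE_TYPES are placeholders, and the post-quantum transform IDs PQ_KEM_A and PQ_KEM_B are hypothetical; groups 14 and 19 are the real IDs from RFC 7296.

```python
"""Responder-side key exchange negotiation per the rules in Section 3.2.1.

Added example; placeholder transform-type numbers and hypothetical PQ IDs.
"""
from typing import Dict, List, Optional

KE_TYPE = 4                      # Transform Type 4: Key Exchange Method (KE)
ADDL_KE_TYPES = [101, 102, 103]  # placeholders for Additional Key Exchange 1..3
NONE = 0                         # transform ID NONE (exchange is optional)

MODP_2048 = 14                   # real ID: group 14
ECP_256 = 19                     # real ID: group 19
PQ_KEM_A = 1001                  # hypothetical post-quantum method
PQ_KEM_B = 1002                  # hypothetical post-quantum method


class ProposalError(Exception):
    """Raised where the draft mandates a protocol error or no proposal can be chosen."""


def select_key_exchanges(proposal: Dict[int, List[int]],
                         responder_policy: Dict[int, List[int]],
                         intermediate_supported: bool) -> Dict[int, int]:
    """Return the responder's choice as {transform_type: transform_id}.

    proposal: the initiator's key exchange transforms, type -> IDs in preference order.
    responder_policy: IDs the responder accepts, per transform type.
    intermediate_supported: INTERMEDIATE_EXCHANGE_SUPPORTED was in the IKE_SA_INIT request.
    """
    if not proposal.get(KE_TYPE):
        raise ProposalError("Transform Type 4 is mandatory in IKE_SA_INIT")
    additional = [t for t in ADDL_KE_TYPES if t in proposal]
    # Additional Key Exchanges without IKE_INTERMEDIATE negotiation: protocol error.
    if additional and not intermediate_supported:
        raise ProposalError("Additional Key Exchanges require INTERMEDIATE_EXCHANGE_SUPPORTED")

    chosen: Dict[int, int] = {}
    used = set()  # IDs already selected: every selected method must be different
    for ttype in [KE_TYPE] + additional:
        acceptable = set(responder_policy.get(ttype, []))
        pick: Optional[int] = None
        for tid in proposal[ttype]:
            # Design choice of this example: prefer a real method over NONE.
            if tid != NONE and tid in acceptable and tid not in used:
                pick = tid
                break
        if pick is None:
            if ttype != KE_TYPE and NONE in proposal[ttype]:
                pick = NONE  # initiator marked this exchange optional
            else:
                raise ProposalError(f"no acceptable method for transform type {ttype}")
        chosen[ttype] = pick
        if pick != NONE:
            used.add(pick)
    return chosen


def validate_selection(proposal: Dict[int, List[int]], chosen: Dict[int, int]) -> bool:
    """Initiator-side check of the responder's answer: one ID per proposed type,
    each one actually proposed, and all selected methods distinct apart from NONE."""
    if set(chosen) != set(proposal):
        return False
    if any(chosen[t] not in proposal[t] for t in chosen):
        return False
    real = [tid for tid in chosen.values() if tid != NONE]
    return len(real) == len(set(real))


def intermediate_schedule(chosen: Dict[int, int]) -> List[int]:
    """Methods to run in IKE_INTERMEDIATE, in transform-type order, skipping NONE.
    Transform Type 4 is excluded: it is always performed in IKE_SA_INIT itself."""
    return [chosen[t] for t in sorted(chosen) if t != KE_TYPE and chosen[t] != NONE]
```

The `used` set enforces the rule that the Transform Type 4 choice never reappears among the Additional Key Exchange choices; in the second test case below the responder is forced off group 19 for Additional Key Exchange 1 because it already took it for Transform Type 4.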
The former "Diffie-Hellman Group Num" (now called "Key Exchange Method") field in the KEi(n) and KEr(n) payloads MUST match the n-th negotiated additional key exchange. Note that the negotiated transform types (the encryption type, integrity type, prf type) are not modified.

Once this exchange is done, both sides compute updated keying material:

   SKEYSEED(n) = prf(SK_d(n-1), KE(n) | Ni | Nr)

where KE(n) is the resulting shared secret of this key exchange, Ni and Nr are the nonces from the IKE_SA_INIT exchange, and SK_d(n-1) is the last generated SK_d (derived from the previous IKE_INTERMEDIATE exchange, or from the IKE_SA_INIT if there haven't been any IKE_INTERMEDIATE exchanges yet). Then SK_d, SK_ai, SK_ar, SK_ei, SK_er, SK_pi, SK_pr are updated as:

   {SK_d(n) | SK_ai(n) | SK_ar(n) | SK_ei(n) | SK_er(n) | SK_pi(n) | SK_pr(n)}
       = prf+ (SKEYSEED(n), Ni | Nr | SPIi | SPIr)

Both the initiator and the responder use these updated key values in the next exchange.

3.2.3. IKE_AUTH Exchange

After all IKE_INTERMEDIATE exchanges have completed, the initiator and the responder perform an IKE_AUTH exchange. This exchange is the standard IKE exchange, except that the initiator and responder signed octets are modified as described in [I-D.ietf-ipsecme-ikev2-intermediate].

3.2.4. CREATE_CHILD_SA Exchange

The CREATE_CHILD_SA exchange is used in IKEv2 for the purpose of creating additional Child SAs, rekeying them and rekeying the IKE SA itself. When creating or rekeying Child SAs, the peers may optionally perform a Diffie-Hellman key exchange to add fresh entropy to the session keys. In the case of an IKE SA rekey, the key exchange is mandatory.

If the IKE SA was created using multiple key exchange methods, the peers may want to continue using multiple key exchanges in the CREATE_CHILD_SA exchange too.
If the initiator includes any Additional Key Exchange transform in the SA payload (along with Transform Type 4) and the responder agrees to perform additional key exchanges, then the additional key exchanges are performed in a series of new IKE_FOLLOWUP_KE exchanges that follow the CREATE_CHILD_SA exchange. The IKE_FOLLOWUP_KE exchange is introduced as a dedicated exchange type to transfer the data of additional key exchanges following the key exchange performed in the CREATE_CHILD_SA. Its Exchange Type is .

These key exchanges are performed in the order of the values of their transform types, so that the key exchange negotiated using Transform Type n always precedes the key exchange negotiated using Transform Type n + 1. Each IKE_FOLLOWUP_KE exchange MUST bear exactly one key exchange method. The key exchange negotiated via Transform Type 4 always takes place in the CREATE_CHILD_SA exchange, as per the IKEv2 specification.

Since after the IKE SA is created the window size may be greater than one and multiple concurrent exchanges may be in progress, it is essential to link the IKE_FOLLOWUP_KE exchanges together and with the corresponding CREATE_CHILD_SA exchange. A new status type notification ADDITIONAL_KEY_EXCHANGE is used for this purpose. Its Notify Message Type is , Protocol ID and SPI Size are both set to 0. The data associated with this notification is a blob meaningful only to the responder, so that the responder can correctly link successive exchanges. For the initiator the content of this notification is an opaque blob.

The responder MUST include this notification in a CREATE_CHILD_SA or IKE_FOLLOWUP_KE response message in case a next exchange is expected, filling it with data that allows linking this exchange to the next one. The initiator MUST copy the received notification with its content intact into the request message of the next exchange.
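The linking rules of Section 3.2.4 (the responder hands out an opaque ADDITIONAL_KEY_EXCHANGE blob whenever another exchange is expected, the initiator echoes it unchanged, stale state is deleted after a timeout, and an unknown blob is answered with STATE_NOT_FOUND) lend themselves to a small responder state model. The following is an added example, not code from the draft or from any IKE implementation; the link blob is a constructed random token, the timeout value is a local policy choice, and rejecting a KE payload whose method does not match the expected n-th exchange is an assumption, since the draft requires the match but names no error for it.

```python
"""Responder state for IKE_FOLLOWUP_KE linking via ADDITIONAL_KEY_EXCHANGE.

Added example: random link tokens, local timeout policy, and the mismatch
handling in followup_ke_response are assumptions of this illustration.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

ADDITIONAL_KEY_EXCHANGE = "ADDITIONAL_KEY_EXCHANGE"  # status notification (draft)
STATE_NOT_FOUND = "STATE_NOT_FOUND"                  # non-fatal error notification (draft)


@dataclass
class PendingSeries:
    remaining: List[int]   # transform IDs still to be exchanged, in transform-type order
    last_seen: float       # time of the last request in this series


@dataclass
class Response:
    payloads: List[str]
    notify: Optional[str] = None    # ADDITIONAL_KEY_EXCHANGE, STATE_NOT_FOUND or None
    link: Optional[bytes] = None    # opaque blob carried in ADDITIONAL_KEY_EXCHANGE


class FollowupKEResponder:
    def __init__(self, timeout: float):
        self.timeout = timeout
        self.pending: Dict[bytes, PendingSeries] = {}

    def _issue_link(self, remaining: List[int], now: float) -> bytes:
        # The blob is meaningful only to the responder; a random token that keys
        # the responder's own table is enough, and reveals nothing to the peer.
        link = secrets.token_bytes(8)
        self.pending[link] = PendingSeries(remaining, now)
        return link

    def expire(self, now: float) -> int:
        """Delete series whose next IKE_FOLLOWUP_KE did not arrive in time."""
        stale = [l for l, s in self.pending.items() if now - s.last_seen > self.timeout]
        for l in stale:
            del self.pending[l]
        return len(stale)

    def create_child_sa_response(self, additional: List[int], now: float) -> Response:
        """The Transform Type 4 exchange happens in CREATE_CHILD_SA itself; attach
        ADDITIONAL_KEY_EXCHANGE only if further exchanges were negotiated."""
        if not additional:
            return Response(["SA", "Nr", "KEr"])
        return Response(["SA", "Nr", "KEr"], ADDITIONAL_KEY_EXCHANGE,
                        self._issue_link(list(additional), now))

    def followup_ke_response(self, link: bytes, ke_method: int, now: float) -> Response:
        self.expire(now)
        series = self.pending.pop(link, None)
        if series is None:
            # Unknown or already-expired link: STATE_NOT_FOUND, empty data.
            return Response([], STATE_NOT_FOUND)
        if ke_method != series.remaining[0]:
            # Assumption of this example: a KE payload for the wrong method is dropped.
            raise ValueError(f"expected method {series.remaining[0]}, got {ke_method}")
        rest = series.remaining[1:]
        if not rest:
            return Response([f"KEr({ke_method})"])  # last exchange: no notification
        return Response([f"KEr({ke_method})"], ADDITIONAL_KEY_EXCHANGE,
                        self._issue_link(rest, now))


def run_series(responder: FollowupKEResponder, additional: List[int],
               start: float, step: float) -> List[Optional[str]]:
    """Drive a CREATE_CHILD_SA plus follow-ups as a well-behaved initiator that
    copies each received link intact; return the notification seen per response."""
    now = start
    resp = responder.create_child_sa_response(additional, now)
    seen = [resp.notify]
    for method in additional:
        now += step
        resp = responder.followup_ke_response(resp.link, method, now)
        seen.append(resp.notify)
        if resp.notify == STATE_NOT_FOUND:
            break  # initiator must treat the whole series as failed
    return seen
```

With three additional exchanges the responder emits the notification three times (in the CREATE_CHILD_SA response and the first two IKE_FOLLOWUP_KE responses) and omits it from the final response, mirroring the ladder diagram that follows; stretching the gap between exchanges past the timeout reproduces the premature-deletion case the draft describes.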
Below is an example of three additional key exchanges.

   Initiator                         Responder
   ---------------------------------------------------------------------
   HDR(CREATE_CHILD_SA), SK {SA, Ni, KEi}  -->
                                 <--  HDR(CREATE_CHILD_SA), SK {SA, Nr, KEr,
                                      N(ADDITIONAL_KEY_EXCHANGE)(link1)}

   HDR(IKE_FOLLOWUP_KE), SK {KEi(1),
       N(ADDITIONAL_KEY_EXCHANGE)(link1)}  -->
                                 <--  HDR(IKE_FOLLOWUP_KE), SK {KEr(1),
                                      N(ADDITIONAL_KEY_EXCHANGE)(link2)}

   HDR(IKE_FOLLOWUP_KE), SK {KEi(2),
       N(ADDITIONAL_KEY_EXCHANGE)(link2)}  -->
                                 <--  HDR(IKE_FOLLOWUP_KE), SK {KEr(2),
                                      N(ADDITIONAL_KEY_EXCHANGE)(link3)}

   HDR(IKE_FOLLOWUP_KE), SK {KEi(3),
       N(ADDITIONAL_KEY_EXCHANGE)(link3)}  -->
                                 <--  HDR(IKE_FOLLOWUP_KE), SK {KEr(3)}

The former "Diffie-Hellman Group Num" (now called "Key Exchange Method") field in the KEi(n) and KEr(n) payloads MUST match the n-th negotiated additional key exchange.

It is possible that due to some unexpected event (e.g. a reboot) the initiator forgets that it is in the process of performing additional key exchanges and never starts the next IKE_FOLLOWUP_KE exchange. The responder MUST handle this situation gracefully and delete the associated state if it does not receive the next expected IKE_FOLLOWUP_KE request after some reasonable period of time.

If the responder receives an IKE_FOLLOWUP_KE request containing an ADDITIONAL_KEY_EXCHANGE notification and the content of this notify does not correspond to any active key exchange state the responder has, it MUST send back a new error type notification STATE_NOT_FOUND. This is a non-fatal error notification; its Notify Message Type is , Protocol ID and SPI Size are both set to 0 and the data is empty.
If the initiator receives this notification in response to an IKE_FOLLOWUP_KE exchange performing an additional key exchange, it MUST cancel this exchange and MUST treat the whole series of exchanges started from the CREATE_CHILD_SA exchange as failed. In most cases, the receipt of this notification is caused by premature deletion of the corresponding state on the responder (the time period between IKE_FOLLOWUP_KE exchanges appeared too long from the responder's point of view, e.g. due to a temporary network failure). After receiving this notification the initiator MAY start a new CREATE_CHILD_SA exchange (eventually followed by the IKE_FOLLOWUP_KE exchanges) to retry the failed attempt. If the initiator continues to receive STATE_NOT_FOUND notifications after several retries, it MUST treat this situation as a fatal error and delete the IKE SA by sending a DELETE payload.

When rekeying an IKE SA or Child SA, it is possible that the peers start doing this at the same time, which is called simultaneous rekeying. Sections 2.8.1 and 2.8.2 of [RFC7296] describe how IKEv2 handles this situation. In a nutshell, IKEv2 follows the rule that if in case of simultaneous rekeying two identical new IKE SAs (or two pairs of Child SAs) are created, then one of them should be deleted. Which one is to be deleted is determined by comparing the values of the four nonces that were used in the colliding CREATE_CHILD_SA exchanges: the IKE SA (or pair of Child SAs) that was created by the exchange in which the smallest nonce was used should be deleted by the initiator of this exchange.

With multiple key exchanges the SAs are not yet created when the CREATE_CHILD_SA is completed; they would be created only after the series of IKE_FOLLOWUP_KE exchanges is finished.
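The linking and failure handling described above (the responder hands out an ADDITIONAL_KEY_EXCHANGE blob, expires state whose next IKE_FOLLOWUP_KE never arrives, and answers STATE_NOT_FOUND for unknown blobs; the initiator copies the blob back intact, cancels the series on STATE_NOT_FOUND, retries a few times and then treats the situation as fatal), modelled in Python as an added example. This is not code from the draft or from any IKEv2 implementation. The dictionary message representation, the 8-byte random link blob, the timeout value and the retry limit are assumptions of the example; the draft leaves them to the implementation.

```python
import secrets
from dataclasses import dataclass
from typing import Dict

# Added example (not from the draft): responder-side linking of a
# CREATE_CHILD_SA exchange to its IKE_FOLLOWUP_KE series, and the
# initiator's reaction to STATE_NOT_FOUND.  Timeout, retry limit, blob
# format and message encoding are assumptions of this example.

ADDITIONAL_KEY_EXCHANGE = "ADDITIONAL_KEY_EXCHANGE"
STATE_NOT_FOUND = "STATE_NOT_FOUND"


@dataclass
class PendingSeries:
    """Responder state for one CREATE_CHILD_SA that agreed additional KEs."""
    remaining: int      # IKE_FOLLOWUP_KE exchanges still expected
    last_seen: float    # arrival time of the last request of this series
    link: bytes         # blob currently handed out in ADDITIONAL_KEY_EXCHANGE


class Responder:
    def __init__(self, timeout: float):
        self.timeout = timeout
        self.pending: Dict[bytes, PendingSeries] = {}

    def _new_link(self) -> bytes:
        # Opaque to the initiator; only this responder interprets it.
        return secrets.token_bytes(8)

    def handle_create_child_sa(self, extra_ke_count: int, now: float) -> dict:
        """Answer CREATE_CHILD_SA.  If additional key exchanges were agreed,
        attach ADDITIONAL_KEY_EXCHANGE carrying the first link blob."""
        self.expire(now)
        if extra_ke_count == 0:
            return {"exchange": "CREATE_CHILD_SA", "notify": None}
        link = self._new_link()
        self.pending[link] = PendingSeries(extra_ke_count, now, link)
        return {"exchange": "CREATE_CHILD_SA",
                "notify": (ADDITIONAL_KEY_EXCHANGE, link)}

    def handle_followup_ke(self, link: bytes, now: float) -> dict:
        """Answer IKE_FOLLOWUP_KE.  An unknown or expired link gets the
        non-fatal STATE_NOT_FOUND error notification with empty data."""
        self.expire(now)
        series = self.pending.pop(link, None)
        if series is None:
            return {"exchange": "IKE_FOLLOWUP_KE", "notify": (STATE_NOT_FOUND, b"")}
        series.remaining -= 1
        if series.remaining == 0:
            # Last key exchange of the series: no further link is needed.
            return {"exchange": "IKE_FOLLOWUP_KE", "notify": None}
        series.link = self._new_link()
        series.last_seen = now
        self.pending[series.link] = series
        return {"exchange": "IKE_FOLLOWUP_KE",
                "notify": (ADDITIONAL_KEY_EXCHANGE, series.link)}

    def expire(self, now: float) -> int:
        """Delete series whose next IKE_FOLLOWUP_KE did not arrive in time."""
        stale = [l for l, s in self.pending.items() if now - s.last_seen > self.timeout]
        for l in stale:
            del self.pending[l]
        return len(stale)


class Initiator:
    def __init__(self, max_retries: int):
        self.max_retries = max_retries
        self.ike_sa_deleted = False

    def _attempt(self, responder: Responder, extra_ke_count: int,
                 start: float, gap: float) -> str:
        """One CREATE_CHILD_SA followed by its IKE_FOLLOWUP_KE series;
        requests are sent `gap` seconds apart (simulated clock)."""
        now = start
        reply = responder.handle_create_child_sa(extra_ke_count, now)
        while reply["notify"] is not None:
            kind, blob = reply["notify"]
            if kind == STATE_NOT_FOUND:
                return "failed"     # whole series since CREATE_CHILD_SA is failed
            now += gap
            # Copy the notification back unchanged into the next request.
            reply = responder.handle_followup_ke(blob, now)
        return "done"

    def establish(self, responder: Responder, extra_ke_count: int,
                  start: float, gap: float) -> str:
        now = start
        for _ in range(self.max_retries + 1):
            if self._attempt(responder, extra_ke_count, now, gap) == "done":
                return "done"
            now += gap * (extra_ke_count + 1)   # retry with a fresh CREATE_CHILD_SA
        # Still failing after several retries: fatal, delete the IKE SA.
        self.ike_sa_deleted = True
        return "fatal"
```

Running `Initiator(2).establish(Responder(10.0), 3, 0.0, 1.0)` walks the three-exchange sequence from the figure above and returns "done"; with a gap longer than the responder's timeout every attempt ends in STATE_NOT_FOUND and the initiator reports "fatal" and marks the IKE SA for deletion.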
For this reason, if additional key exchanges were negotiated in the CREATE_CHILD_SA initiated by the losing side, there is nothing to delete and this side just stops the rekeying process: this side MUST NOT initiate an IKE_FOLLOWUP_KE exchange with the next key exchange.

In most cases, rekey collisions are resolved in the CREATE_CHILD_SA exchange. However, a situation may occur when, due to packet loss, one of the peers receives a CREATE_CHILD_SA message requesting rekeying of an SA that is already being rekeyed by this peer (i.e. the CREATE_CHILD_SA exchange initiated by this peer has already been completed and the series of IKE_FOLLOWUP_KE exchanges is in progress). In this case, a TEMPORARY_FAILURE notification MUST be sent in response to such a request.

If multiple key exchanges were negotiated in the CREATE_CHILD_SA exchange, then the resulting keys are computed as follows. In case of IKE SA rekey:

   SKEYSEED = prf(SK_d, KE | Ni | Nr | KE(1) | ... | KE(n))

In case of Child SA creation or rekey:

   KEYMAT = prf+ (SK_d, KE | Ni | Nr | KE(1) | ... | KE(n))

In both cases SK_d is from the existing IKE SA; KE, Ni, Nr are the shared key and nonces from the CREATE_CHILD_SA exchange respectively; KE(1)...KE(n) are the shared keys from the additional key exchanges.

4. IANA Considerations

This document adds a new exchange type into the "IKEv2 Exchange Types" registry:

   IKE_FOLLOWUP_KE

This document renames Transform Type 4 defined in the "Transform Type Values" registry from "Diffie-Hellman Group (D-H)" to "Key Exchange Method (KE)".
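The key derivations of Section 3.2.2 (the per-IKE_INTERMEDIATE update of SKEYSEED(n) and the seven SK_* keys, chained through SK_d) and of Section 3.2.4 above (SKEYSEED for an IKE SA rekey and KEYMAT for a Child SA after a CREATE_CHILD_SA with additional key exchanges), worked through in Python as an added example. This is not code from the draft or from any IKEv2 implementation. It assumes PRF_HMAC_SHA2_256 as the negotiated Transform Type 2, 32-byte keys for all seven SK_* values, and constructed nonces, SPIs and shared secrets; prf+ follows its definition in RFC 7296 Section 2.13.

```python
import hmac
import hashlib
from typing import Dict, List, Sequence

# Added example (not from the draft): Sections 3.2.2 and 3.2.4 derivations
# with HMAC-SHA256 as the negotiated PRF.  All inputs used in the demo at
# the bottom are constructed test data, not values from a real exchange.
HASH = hashlib.sha256
KEY_NAMES = ("SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr")


def prf(key: bytes, data: bytes) -> bytes:
    """prf(K, S) of the negotiated Transform Type 2; here PRF_HMAC_SHA2_256."""
    return hmac.new(key, data, HASH).digest()


def prf_plus(key: bytes, data: bytes, length: int) -> bytes:
    """prf+ (RFC 7296 2.13): T1 = prf(K, S | 0x01), Ti = prf(K, T(i-1) | S | i)."""
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + data + bytes([i]))
        out += t
        i += 1
    return out[:length]


def split_keys(keymat: bytes, sizes: Sequence[int]) -> Dict[str, bytes]:
    """Cut prf+ output into the seven IKE SA keys, in RFC 7296 order."""
    keys, pos = {}, 0
    for name, size in zip(KEY_NAMES, sizes):
        keys[name] = keymat[pos:pos + size]
        pos += size
    return keys


def update_ike_keys(sk_d_prev: bytes, ke_n: bytes, ni: bytes, nr: bytes,
                    spi_i: bytes, spi_r: bytes, sizes: Sequence[int]) -> Dict[str, bytes]:
    """Section 3.2.2, one IKE_INTERMEDIATE round with shared secret KE(n):
       SKEYSEED(n) = prf(SK_d(n-1), KE(n) | Ni | Nr)
       {SK_d(n) | ... | SK_pr(n)} = prf+(SKEYSEED(n), Ni | Nr | SPIi | SPIr)"""
    skeyseed_n = prf(sk_d_prev, ke_n + ni + nr)
    keymat = prf_plus(skeyseed_n, ni + nr + spi_i + spi_r, sum(sizes))
    return split_keys(keymat, sizes)


def run_intermediate_chain(sk_d_0: bytes, shared_secrets: List[bytes], ni: bytes,
                           nr: bytes, spi_i: bytes, spi_r: bytes,
                           sizes: Sequence[int]) -> Dict[str, bytes]:
    """Apply update_ike_keys once per additional key exchange; each round's
    SK_d(n) becomes the next round's SK_d(n-1)."""
    keys, sk_d = None, sk_d_0
    for ke_n in shared_secrets:
        keys = update_ike_keys(sk_d, ke_n, ni, nr, spi_i, spi_r, sizes)
        sk_d = keys["SK_d"]
    return keys


def child_sa_rekey_skeyseed(sk_d: bytes, ke: bytes, ni: bytes, nr: bytes,
                            extra_kes: List[bytes]) -> bytes:
    """Section 3.2.4, IKE SA rekey: SKEYSEED = prf(SK_d, KE | Ni | Nr | KE(1) | ... | KE(n))."""
    return prf(sk_d, ke + ni + nr + b"".join(extra_kes))


def child_sa_keymat(sk_d: bytes, ke: bytes, ni: bytes, nr: bytes,
                    extra_kes: List[bytes], length: int) -> bytes:
    """Section 3.2.4, Child SA create/rekey: KEYMAT = prf+(SK_d, KE | Ni | Nr | KE(1) | ... | KE(n))."""
    return prf_plus(sk_d, ke + ni + nr + b"".join(extra_kes), length)


if __name__ == "__main__":
    # Constructed demo inputs: 32-byte nonces, 8-byte SPIs, 32-byte secrets.
    sizes = (32,) * 7
    ni, nr, spi_i, spi_r = b"\x01" * 32, b"\x02" * 32, b"\x03" * 8, b"\x04" * 8
    keys = run_intermediate_chain(b"d" * 32, [b"A" * 32, b"B" * 32], ni, nr, spi_i, spi_r, sizes)
    print("SK_d after two IKE_INTERMEDIATE rounds:", keys["SK_d"].hex())
    # With one post-quantum KE(1) alongside the classical KE, knowing KE alone
    # (the "harvest and decrypt" case) does not reproduce the Child SA KEYMAT.
    real = child_sa_keymat(keys["SK_d"], b"K" * 32, ni, nr, [b"P" * 32], 64)
    guess = child_sa_keymat(keys["SK_d"], b"K" * 32, ni, nr, [b"Q" * 32], 64)
    print("KEYMAT differs when KE(1) is wrong:", real != guess)
```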
This document renames the IKEv2 registry "Transform Type 4 - Diffie-Hellman Group Transform IDs" to "Transform Type 4 - Key Exchange Method Transform IDs".

This document adds the following Transform Types to the "Transform Type Values" registry:

   Type   Description                  Used In
   -----------------------------------------------------------------
          Additional Key Exchange 1    (optional in IKE, AH, ESP)
          Additional Key Exchange 2    (optional in IKE, AH, ESP)
          Additional Key Exchange 3    (optional in IKE, AH, ESP)
          Additional Key Exchange 4    (optional in IKE, AH, ESP)
          Additional Key Exchange 5    (optional in IKE, AH, ESP)
          Additional Key Exchange 6    (optional in IKE, AH, ESP)
          Additional Key Exchange 7    (optional in IKE, AH, ESP)

This document defines a new Notify Message Type in the "Notify Message Types - Status Types" registry:

   ADDITIONAL_KEY_EXCHANGE

and a new Notify Message Type in the "Notify Message Types - Error Types" registry:

   STATE_NOT_FOUND

5. Security Considerations

The key length of the Encryption Algorithm (Transform Type 1), the Pseudorandom Function (Transform Type 2) and the Integrity Algorithm (Transform Type 3) all have to be of sufficient length to prevent attacks using Grover's algorithm [GROVER]. In order to use the extension proposed in this document, the key lengths of these transforms SHALL be at least 256 bits long in order to provide sufficient resistance to quantum attacks. Accordingly, the post-quantum security level achieved is at least 128 bits.

SKEYSEED is calculated from the shared KE(x) values using the algorithm defined in Transform Type 2. While a quantum attacker may learn the value of a KE(x) if this value is obtained by means of a classical key exchange, the other KE(x) values generated by means of a quantum-resistant algorithm ensure that the final SKEYSEED is not compromised. This assumes that the algorithm defined in Transform Type 2 is post-quantum.

The main focus of this document is to prevent a passive attacker performing a "harvest and decrypt" attack, in other words an attacker that records message exchanges today and proceeds to decrypt them once he owns a quantum computer. This attack is prevented due to the hybrid nature of the key exchange. Other attacks involving an active attacker using a quantum computer are not completely solved by this document. This is for two reasons.

The first reason is that the authentication step remains classical. In particular, the authenticity of the SAs established under IKEv2 is protected using a pre-shared key, RSA, DSA, or ECDSA algorithms. Whilst the pre-shared key option, provided the key is long enough, is post-quantum, the other algorithms are not. Moreover, in implementations where scalability is a requirement, the pre-shared key method may not be suitable. Quantum-safe authenticity may be provided by using a quantum-safe digital signature, and several quantum-safe digital signature methods are being explored by the IETF. For example, if the implementation is able to reliably track state, the hash-based method XMSS has the status of an RFC, see [RFC8391].

Currently, quantum-safe authentication methods are not specified in this document, but are planned to be incorporated in due course.

It should be noted that the purpose of post-quantum algorithms is to provide resistance to attacks mounted in the future. The current threat is that encrypted sessions are subject to eavesdropping and archived, with decryption by quantum computers taking place at some point in the future. Until quantum computers become available there is no point in attacking the authenticity of a connection because there are no possibilities for exploitation.
These only occur at the time of the connection, for example by mounting a man-in-the-middle (MitM) attack. Consequently there is not such a pressing need for quantum-safe authenticity.

This draft does not attempt to address key exchanges with KE payloads longer than 64k; the current IKE payload format does not allow that as a possibility. If such huge KE payloads are required, a workaround (such as making the KE payload a URL and a hash of the real payload) would be needed. At the current time, it appears likely that there will be plenty of key exchanges available that would not require such a workaround.

6. Acknowledgements

The authors would like to thank Frederic Detienne and Olivier Pelerin for their comments and suggestions, including the idea to negotiate the post-quantum algorithms using the existing KE payload. The authors are also grateful to Tobias Heider and Tobias Guggemos for valuable comments.

7. References

7.1. Normative References

[I-D.ietf-ipsecme-ikev2-intermediate]
   Smyslov, V., "Intermediate Exchange in the IKEv2 Protocol", draft-ietf-ipsecme-ikev2-intermediate-03 (work in progress), December 2019.

[RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.

[RFC7296]  Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. Kivinen, "Internet Key Exchange Protocol Version 2 (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October 2014.

[RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017.

7.2. Informative References

[GROVER]   Grover, L., "A Fast Quantum Mechanical Algorithm for Database Search", Proc. of the Twenty-Eighth Annual ACM Symposium on the Theory of Computing (STOC 1996), 1996.
[I-D.ietf-ipsecme-qr-ikev2]
   Fluhrer, S., McGrew, D., Kampanakis, P., and V. Smyslov, "Mixing Preshared Keys in IKEv2 for Post-quantum Resistance", draft-ietf-ipsecme-qr-ikev2-10 (work in progress), December 2019.

[RFC4302]  Kent, S., "IP Authentication Header", RFC 4302, DOI 10.17487/RFC4302, December 2005.

[RFC4303]  Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 4303, DOI 10.17487/RFC4303, December 2005.

[RFC7383]  Smyslov, V., "Internet Key Exchange Protocol Version 2 (IKEv2) Message Fragmentation", RFC 7383, DOI 10.17487/RFC7383, November 2014.

[RFC8229]  Pauly, T., Touati, S., and R. Mantha, "TCP Encapsulation of IKE and IPsec Packets", RFC 8229, DOI 10.17487/RFC8229, August 2017.

[RFC8391]  Huelsing, A., Butin, D., Gazdag, S., Rijneveld, J., and A. Mohaisen, "XMSS: eXtended Merkle Signature Scheme", RFC 8391, DOI 10.17487/RFC8391, May 2018.

Appendix A. Alternative Design

This section gives an overview of a number of alternative approaches that we have considered, but later discarded. These approaches are:

o  Sending the classical and post-quantum key exchanges as a single transform

   We considered combining the various key exchanges into a single large KE payload; this effort is documented in a previous version of this draft (draft-tjhai-ipsecme-hybrid-qske-ikev2-01). This does allow us to cleanly apply hybrid key exchanges during the child SA; however, it does add considerable complexity, and requires an independent fragmentation solution.

o  Sending post-quantum proposals and policies in KE payload only

   With the objective of not introducing unnecessary notify payloads, we considered communicating the hybrid post-quantum proposal in the KE payload during the first pass of the protocol exchange. Unfortunately, this design is susceptible to the following downgrade attack. Consider the scenario where there is a MitM attacker sitting between an initiator and a responder. The initiator proposes, through the SAi payload, to use a hybrid post-quantum group and as a backup a Diffie-Hellman group, and through the KEi payload the initiator proposes a list of hybrid post-quantum proposals and policies. The MitM attacker intercepts this traffic and replies with N(INVALID_KE_PAYLOAD), suggesting to downgrade to the backup Diffie-Hellman group instead. The initiator then resends the same SAi payload and the KEi payload containing the public value of the backup Diffie-Hellman group. Note that the attacker may forward only the second IKE_SA_INIT message to the responder, and therefore at this point in time the responder will not have the information that the initiator prefers the hybrid group. Of course, it is possible for the responder to have a policy to reject an IKE_SA_INIT message that (a) offers a hybrid group but does not offer the corresponding public value in the KEi payload, and (b) for which the responder has not specifically acknowledged that it does not support the requested hybrid group. However, checking this policy introduces unnecessary protocol complexity. Therefore, in order to fully prevent any downgrade attacks, using the KE payload alone is not sufficient, and the initiator MUST always indicate its preferred post-quantum proposals and policies in a notify payload in the subsequent IKE_SA_INIT messages following a N(INVALID_KE_PAYLOAD) response.

o  New payload types to negotiate hybrid proposal and to carry post-quantum public values

   Semantically, it makes sense to use a new payload type, which mimics the SA payload, to carry a hybrid proposal. Likewise, another new payload type that mimics the KE payload could be used to transport the hybrid public value.
   Although in theory a new payload type could be made backwards compatible by not setting its critical flag as per Section 2.5 of RFC7296, we believe that it may not be that simple in practice. Since the original release of IKEv2 in RFC4306, no new payload type has ever been proposed and therefore this creates a potential risk of having a backward compatibility issue with non-conforming RFC IKEv2 implementations. Since we could not see any other compelling advantages apart from a semantic one, we use the existing transform type and notify payloads instead. In fact, as described above, we use the KE payload in the first IKE_SA_INIT request round and the notify payload to carry the post-quantum proposals and policies. We use one or more of the existing KE payloads to carry the hybrid public values.

o  Hybrid public value payload

   One way to transport the negotiated hybrid public payload, which contains one classical Diffie-Hellman public value and one or more post-quantum public values, is to bundle these into a single KE payload. Alternatively, these could also be transported in a single new hybrid public value payload, but following the same reasoning as above, this may not be a good idea from a backward compatibility perspective. Using a single KE payload would require an encoding or formatting to be defined so that both peers are able to compose and extract the individual public values. However, we believe that it is cleaner to send the hybrid public values in multiple KE payloads, one for each group or algorithm. Furthermore, at this point in the protocol exchange, both peers should have indicated support for handling multiple KE payloads.

o  Fragmentation

   Handling of large IKE_SA_INIT messages has been one of the most challenging tasks. A number of approaches have been considered and the two prominent ones that we have discarded are outlined as follows.

   The first approach was to treat the entire IKE_SA_INIT message as a stream of bytes, which we then split into a number of fragments, each of which is wrapped in a payload that would fit into the size of the network MTU. The payload that wraps each fragment is a new payload type, and it was envisaged that this new payload type would not cause a backward compatibility issue because at this stage of the protocol both peers should have indicated support for fragmentation in the first pass of the IKE_SA_INIT exchange. The negotiation of fragmentation is performed using a notify payload, which also defines supporting parameters such as the size of a fragment in octets and the fragment identifier. The new payload that wraps each fragment of the messages in this exchange is assigned the same fragment identifier. Furthermore, it also has other parameters such as a fragment index and the total number of fragments. We decided to discard this approach due to its blanket approach to fragmentation. In cases where only a few payloads need to be fragmented, we felt that this approach is overly complicated.

   Another idea that was discarded was fragmenting an individual payload without introducing a new payload type. The idea was to use the 9th bit (the bit after the critical flag in the RESERVED field) in the generic payload header as a flag to mark that this payload is fragmented. As an example, if a KE payload is to be fragmented, it may look as follows.
                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Next Payload  |C|F| RESERVED  |        Payload Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Diffie-Hellman Group Number  |      Fragment Identifier      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        Fragment Index         |        Total Fragments        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                 Total KE Payload Data Length                  |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   ~                     Fragmented KE Payload                     ~
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   When the flag F is set, this means the current KE payload is a fragment of a larger KE payload. The Payload Length field denotes the size of this payload fragment in octets, including the size of the generic payload header. The two-octet RESERVED field following the Diffie-Hellman Group Number was to be used as a fragment identifier to help assembly and disassembly of fragments. The Fragment Index and Total Fragments fields are self-explanatory. The Total KE Payload Data Length indicates the size of the assembled KE payload data in octets. Finally, the actual fragment is carried in the Fragmented KE Payload field.

   We discarded this approach because we believe that the working group may not be happy using the RESERVED field to change the format of a packet, and that implementers may not like the complexity added by checking the fragmentation flag in each received payload. More importantly, fragmenting the messages in this way may leave the system more prone to denial of service (DoS) attacks. By using IKE_INTERMEDIATE to transport the large post-quantum key exchange payloads, there is no longer any issue with fragmentation.
o  Group sub-identifier

   As discussed before, each group identifier is used to distinguish a post-quantum algorithm. Further classification could be made of a particular post-quantum algorithm by assigning an additional value alongside the group identifier. This sub-identifier value may be used to assign different security parameter sets to a given post-quantum algorithm. However, this level of detail does not fit the principles of the document, which should deal with a generic hybrid key exchange protocol, not a specific ciphersuite. Furthermore, there are enough Diffie-Hellman group identifiers should this be required in the future.

Authors' Addresses

C. Tjhai
Post-Quantum

Email: cjt@post-quantum.com

M. Tomlinson
Post-Quantum

Email: mt@post-quantum.com

G. Bartlett
Cisco Systems

Email: grbartle@cisco.com

S. Fluhrer
Cisco Systems

Email: sfluhrer@cisco.com

D. Van Geest
ISARA Corporation

Email: daniel.vangeest@isara.com

O. Garcia-Morchon
Philips

Email: oscar.garcia-morchon@philips.com

Valery Smyslov
ELVIS-PLUS

Email: svan@elvis.ru