Hi Quynh,

 

Thank you Valery and thank you everyone who responded to me.

 

The approaches in the drafts 
https://tools.ietf.org/html/draft-ietf-ipsecme-ikev2-multiple-ke-00#section-1.1 
 and
https://tools.ietf.org/html/draft-ietf-ipsecme-ikev2-intermediate-04 look good 
to me.

 

          Note that this is essentially the same approach: draft-multiple-ke 
is based on draft-ikev2-intermediate

          and only clarifies its usage for the particular case of KE methods 
with large public keys (and combining several KE too).

 

It looks like if/when someone implements them and adds a large key and/or 
ciphertext KEM, the maximum IKEv2 message size must be
adjusted if the existing implementation does not already support the 
corresponding message size with the new KEM ( for an ephemeral
key exchange, it contains a public key and a ciphertext) because I don't see 
any mention of the maximum IKEv2 message size (it is
an implementation-specific issue). 

 

          There are already a few implementations and they even had an interop 
last November.

          And you are right that the maximum IKEv2 message size is 
implementation dependent

          (in any case it is limited to 64 Kbytes).

 

Let's say after 10 or 15 years from now, the group trusts the security of some 
PQ KEM and signature algorithms and would like to use
them in normal IKEv2 without the 2 methods above.

 

In that situation, if the KEM has a large public key and/or ciphertext, it would 
have the IP fragmentation and packet drop issues. So,
this KEM should use the approaches in the drafts above to deal with these 
issues. 

 

          These drafts were specifically written to address these issues.

 

An obvious question is what the performance impact is from this large KEM 
using the approaches above when compared with a KEM
(if its public key and ciphertext are around 1,400-1,600 bytes in total) 
(assuming a PQ signature algorithm has a small signature
and a small public key) which would work well in a normal IKEv2 
implementation? 

 

I guess the impact is small generally because an IPsec tunnel normally stays up 
for a long time. Does my guess seem ok here ?

 

Would there be some noticeable impact on a VPN server with a high volume of connections?

 

          I think it depends on many factors. You are right that generally 
IPsec tunnels are relatively long lived.

          We also have an SA resumption mechanism (RFC 5723) that allows an SA 
to be quickly restored.

          But of course for the SA establishment we do have a penalty of 
performing more exchanges,

          and more data to transfer...

 

          Regards,

          Valery.

 

Regards,

Quynh. 



 

 

 

  _____  

From: Valery Smyslov <smyslov.i...@gmail.com>
Sent: Wednesday, June 17, 2020 9:57 AM
To: Dang, Quynh H. (Fed) <quynh.d...@nist.gov>; 'ipsecme mailing list' 
<ipsec@ietf.org>
Subject: RE: [IPsec] Maximum sizes of IKEv2 messages and UDP messages ? 

 

Hi Quynh,

 

please look at the draft-ietf-ipsecme-ikev2-multiple-ke-00.

It specifically addresses your concern about large public keys of PQ KE methods.

 

Actually, it's generally OK to have public keys/signatures up to 64Kbytes.

If you need to deal with larger keys, then some update of the specs is needed.

 

Regards,

Valery.

 

 

From: IPsec [mailto:ipsec-boun...@ietf.org] On Behalf Of Dang, Quynh H. (Fed)
Sent: Wednesday, June 17, 2020 4:49 PM
To: ipsecme mailing list
Subject: [IPsec] Maximum sizes of IKEv2 messages and UDP messages ?

 

Hi everyone,

 

I am interested in knowing what are typical maximum sizes for IKEv2 messages 
and UDP messages in implementations. 

 

The reason is that the IKEv2 spec has a MUST and a SHOULD of 1280 and 3000 
bytes respectively for IKEv2 messages, but does not
have a maximum limit.

 

As you know, some of the post-quantum cryptographic candidates in our 
standardization process have large or very large public key,
signature and/or ciphertext sizes.

 

My guess is that some updates to the spec and/or implementations would make 
them work. 

 

Your data points and discussions are appreciated.

 

Regards,

Quynh. 
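An added example (my own code, not from the thread or from either draft) to make the size thresholds discussed above concrete: it checks where a KE payload of a given size lands against the 1280/3000 byte MUST/SHOULD limits and the 64 Kbyte ceiling, and estimates how many RFC 7383 IKE fragments the same payload needs once it is carried in an encrypted exchange such as IKE_INTERMEDIATE. The KEM sizes, the 300-byte estimate for the other IKE_SA_INIT payloads and the AES-GCM overhead figures are assumptions.

```python
"""Added example, not from the thread: where a KEM's key-exchange data lands against
the IKEv2 size thresholds discussed above, and how many RFC 7383 fragments it needs
when carried in an encrypted exchange such as IKE_INTERMEDIATE. Header sizes follow
RFC 7296/7383; cipher overhead defaults and sample KEM sizes are assumptions."""
from math import ceil

IKE_HEADER = 28       # fixed IKEv2 header (RFC 7296, section 3.1)
PAYLOAD_HEADER = 4    # generic payload header (section 3.2)
KE_FIXED = 4          # KE payload: Diffie-Hellman Group Num (2) + RESERVED (2)
FRAG_FIELDS = 4       # Encrypted Fragment payload: Fragment Number (2) + Total Fragments (2)
MUST_ACCEPT = 1280    # RFC 7296, section 2: every implementation MUST accept up to 1280 bytes
SHOULD_ACCEPT = 3000  # ... and SHOULD accept up to 3000 bytes
UDP_CEILING = 65535   # the "64 Kbytes" ceiling from the thread (16-bit UDP length field)


def ke_payload_len(key_data: int) -> int:
    """Length of one KE payload carrying key_data bytes (the initiator's KE carries the
    KEM public key, the responder's KE carries the ciphertext)."""
    return PAYLOAD_HEADER + KE_FIXED + key_data


def classify_ike_sa_init(ke_bytes: int, other_payloads: int = 300) -> str:
    """Where an IKE_SA_INIT carrying this KE payload lands. IKE_SA_INIT is not encrypted,
    so RFC 7383 IKE fragmentation cannot apply to it: anything bigger than the peer
    accepts is left to IP fragmentation. other_payloads (SA, nonce, notifies) is a
    constructed estimate."""
    total = IKE_HEADER + ke_payload_len(ke_bytes) + other_payloads
    if total > UDP_CEILING:
        return "exceeds 64K: cannot be sent as one IKEv2/UDP message"
    if total <= MUST_ACCEPT:
        return "fits MUST limit (1280)"
    if total <= SHOULD_ACCEPT:
        return "fits SHOULD limit (3000)"
    return "relies on IP fragmentation: move KE to IKE_INTERMEDIATE"


def ike_fragments_needed(ke_bytes: int, path_mtu: int = 1500, ipv6: bool = False,
                         iv: int = 8, icv: int = 16, pad_len: int = 1) -> int:
    """RFC 7383 fragments needed to carry the KE payload inside an encrypted exchange
    at path_mtu. Per fragment: IP + UDP + IKE header + Encrypted Fragment payload
    header + IV + Pad Length + ICV (defaults assume AES-GCM-16, no alignment padding).
    The 4-byte NAT-T non-ESP marker used on UDP port 4500 is not modelled."""
    ip_hdr = 40 if ipv6 else 20
    overhead = ip_hdr + 8 + IKE_HEADER + PAYLOAD_HEADER + FRAG_FIELDS + iv + pad_len + icv
    room = path_mtu - overhead  # plaintext bytes each fragment can carry
    return ceil(ke_payload_len(ke_bytes) / room)


if __name__ == "__main__":
    for pk in (600, 1184, 9616):  # constructed KEM public-key sizes, not real algorithms
        print(pk, classify_ike_sa_init(pk), ike_fragments_needed(pk))
```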

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
