Hello all,

This draft (draft-guthrie-ipsecme-ikev2-hybrid-auth) describes a mechanism for IKEv2 that allows either peer to perform multiple authentications, each using a distinct digital signature and certificate chain. The intended purpose for this extension is to enable the use of a Post-Quantum digital signature and X.509 cert along with a traditional authentication method, using a method described in draft-becker-guthrie-noncomposite-hybrid-auth-00 as non-composite hybrid authentication.

The document defines a new Notify Payload HYBRID_AUTH and also leverages the SUPPORTED_AUTH_METHODS Notify Payload as defined in draft-ietf-ipsecme-ikev2-auth-announce-00; together, these allow peers to signify support for hybrid non-composite authentication and announce which algorithms they support for each authentication (e.g., which PQ algorithms and which traditional algorithms). The draft also enables peers to send additional CERTREQ, AUTH, and CERT payloads.

I look forward to feedback and discussion!

Rebecca Guthrie

-----Original Message-----
From: internet-dra...@ietf.org <internet-dra...@ietf.org>
Sent: Friday, March 25, 2022 5:24 AM
To: Rebecca Guthrie (GOV) <rmgu...@uwe.nsa.gov>
Subject: New Version Notification for draft-guthrie-ipsecme-ikev2-hybrid-auth-00.txt

A new version of I-D, draft-guthrie-ipsecme-ikev2-hybrid-auth-00.txt has been successfully submitted by Rebecca Guthrie and posted to the IETF repository.

Name:           draft-guthrie-ipsecme-ikev2-hybrid-auth
Revision:       00
Title:          Hybrid Non-Composite Authentication in IKEv2
Document date:  2022-03-25
Group:          Individual Submission
Pages:          13
URL:            https://www.ietf.org/archive/id/draft-guthrie-ipsecme-ikev2-hybrid-auth-00.txt
Status:         https://datatracker.ietf.org/doc/draft-guthrie-ipsecme-ikev2-hybrid-auth/
Html:           https://www.ietf.org/archive/id/draft-guthrie-ipsecme-ikev2-hybrid-auth-00.html
Htmlized:       https://datatracker.ietf.org/doc/html/draft-guthrie-ipsecme-ikev2-hybrid-auth

Abstract:
   This document describes how to extend the Internet Key Exchange Protocol Version 2 (IKEv2) to allow hybrid non-composite authentication. The intended purpose for this extension is to enable the use of a Post-Quantum (PQ) digital signature and X.509 certificate in addition to the use of a traditional authentication method. This document enables peers to signify support for hybrid non-composite authentication, and send additional CERTREQ, AUTH, and CERT payloads to perform multiple authentications.

The IETF Secretariat

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
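The following is an added illustration, not code from the draft or from the author: it models the two decisions a responder makes under the hybrid non-composite scheme described above, namely picking one PQ and one traditional method that both peers announced, and accepting the peer only if every AUTH payload verified under its own certificate chain. The Notify payload layout follows RFC 7296; the HYBRID_AUTH type value, the algorithm labels and the comma-separated announcement encoding are constructed placeholders, not the wire formats the drafts define.

```python
import struct

# Placeholder in the IKEv2 private-use status range; the real HYBRID_AUTH value
# is assigned by the draft/IANA and is not taken from the announcement above.
NOTIFY_HYBRID_AUTH = 0xA000
PQ_ALGS = {"ML-DSA-65", "SLH-DSA-128s"}                 # constructed labels
TRADITIONAL_ALGS = {"ECDSA-P256", "RSA-PSS-3072", "Ed25519"}

def encode_notify(msg_type, data=b"", next_payload=0):
    """Generic IKEv2 Notify payload (RFC 7296 section 3.10): 4-byte payload header,
    then Protocol ID, SPI Size, Notify Message Type, SPI, Notification Data.
    Status notifications carry no SPI, so SPI Size is 0."""
    length = 8 + len(data)
    return struct.pack("!BBHBBH", next_payload, 0, length, 0, 0, msg_type) + data

def decode_notify(buf):
    """Parse a status Notify payload; reject length mismatches and unexpected SPIs."""
    _next, _flags, length, _proto, spi_size, msg_type = struct.unpack("!BBHBBH", buf[:8])
    if length != len(buf) or spi_size != 0:
        raise ValueError("malformed status notify")
    return msg_type, buf[8:length]

def announce(algs):
    """Constructed encoding: comma-separated labels inside a HYBRID_AUTH notify."""
    return encode_notify(NOTIFY_HYBRID_AUTH, ",".join(sorted(algs)).encode())

def parse_announcement(buf):
    msg_type, data = decode_notify(buf)
    if msg_type != NOTIFY_HYBRID_AUTH:
        raise ValueError("not a HYBRID_AUTH notify")
    return set(data.decode().split(","))

def select_pair(ours, theirs):
    """Choose one PQ and one traditional method both peers support.
    Returns None when no hybrid pair can be formed, so the responder can fall back
    or fail instead of silently authenticating with a single method."""
    common = ours & theirs
    pq, trad = sorted(common & PQ_ALGS), sorted(common & TRADITIONAL_ALGS)
    return (pq[0], trad[0]) if pq and trad else None

def hybrid_auth_accepts(results):
    """Non-composite hybrid acceptance rule: results is a list of
    (algorithm, verified) pairs, one per AUTH payload checked against its own
    certificate chain. The peer is authenticated only if the set covers a PQ and
    a traditional method AND every signature verified; one failure rejects."""
    algs = {alg for alg, _ in results}
    covers_both = bool(algs & PQ_ALGS) and bool(algs & TRADITIONAL_ALGS)
    return covers_both and all(ok for _, ok in results)
```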