Hi, I don't know if this has been discussed before, but what would be the interaction between 9370 and 8784 if they are both used? I know it seems unnecessary to use both of them, but it could happen technically. I see the following options:
1. Not allowing this: e.g. if a responder receives USE_PPK and an ADDKEx transform that is a PQC alg in the IKE_SA_INIT request, it chooses to use only one mechanism, e.g. if it chooses to use 9370, then the responder doesn't include USE_PPK in the response
2. Support this, then the question is how would the PPK be used?
   * Used in every key exchange, to derive the SK_d, SK_pi, SK_pr as specified in 8784
   * Used only in the last round key exchange
   * Used only in the first round

#1 seems simpler to implement, but is there any security benefit to doing #2, like the PPK being used as another level of security enhancement?

I know there are IPsec implementations (including mine) that have already implemented 8784 and are now in the process of implementing 9370 for PQC. I think it will be beneficial to have some clarity on this interaction.

------
Hu Jun
_______________________________________________
IPsec mailing list -- ipsec@ietf.org