Intermediate Exchange: Difference between revisions

Introduction

Intermediate Exchange, or IKE_INTERMEDIATE, is an addition to the IKEv2 protocol to enable the usage of quantum computer (QC) resistant algorithms which require transfer of large public keys. A series of these exchanges take place between IKE_SA_INIT and IKE_AUTH phases and enable message fragmentation via IKE Fragmentation mechanism. Hence large keys can be transferred without causing IP fragmentation.

The Intermediate Exchange is specified in draft-ietf-ipsecme-ikev2-intermediate.

Implementation

To allow the use of Intermediate Exchange in libreswan, the following options were added:

• The value 43 was picked to define a new exchange type, IKE_INTERMEDIATE. The value 16438 defines INTERMEDIATE_EXCHANGE_SUPPORTED Notify messages. The numbers were assigned by IANA.

• Changes were made in source files (programs/pluto/ikev2_*.c) where IKEv2 is implemented. For now, only a single round of Intermediate Exchanges is supported, since the post-quantum cryptographic algorithms are not yet a part of NSS API.

• New state transitions were added in programs/pluto/ikev2.c to support Intermediate Exchange.

• New connection option was added which can be configured with intermediate=yes.

• Test suite changes.

Future work

• Interoperability test with Elvis Plus.

• Support of pre-shared keys.

Source code

Code commit : https://github.com/yulia-kuz/libreswan/commit/3af9f006f3f3150d66e8144cb243c00ae9ff3eb0

The implementation for this project is done by Yulia Kuzovkova (ukuzovkova@gmail.com) under the mentorship of Sahana Prasad and Paul Wouters and sponsored by Google as part of Google Summer of Code 2020 Program.