Intermediate Exchange: Difference between revisions
No edit summary |
No edit summary |
||
| Line 25: | Line 25: | ||
* IDr payload will NOT be sent: error at Initiator. This error has to be debugged further. | * IDr payload will NOT be sent: error at Initiator. This error has to be debugged further. | ||
* Fix test cases. | |||
== Future work == | == Future work == | ||
| Line 30: | Line 32: | ||
* Interoperability test with Elvis Plus. | * Interoperability test with Elvis Plus. | ||
* IDr payload | * IDr payload and authentication issues should be fixed. | ||
== Source code == | == Source code == | ||
Code commit : https://github.com/yulia-kuz/libreswan/commit/3af9f006f3f3150d66e8144cb243c00ae9ff3eb0 | Code commit RSA/ECDSA: https://github.com/yulia-kuz/libreswan/commit/3af9f006f3f3150d66e8144cb243c00ae9ff3eb0 | ||
Code commit PSK: https://github.com/libreswan/libreswan/commit/615a94316d0acd164b1bae3f23df6ad3ff8f7749 | |||
The implementation for this project is done by Yulia Kuzovkova (ukuzovkova@gmail.com) under the mentorship of Sahana Prasad and Paul Wouters and sponsored by Google as part of Google Summer of Code 2020 Program. | The implementation for this project is done by Yulia Kuzovkova (ukuzovkova@gmail.com) under the mentorship of Sahana Prasad and Paul Wouters and sponsored by Google as part of Google Summer of Code 2020 Program. | ||
The code is not yet merged as it is a POC (proof of concept). The code will be reviewed and merged after some issues are fixed and interoperability tests work. | The code is not yet merged as it is a POC (proof of concept). The code will be reviewed and merged after some issues are fixed and interoperability tests work. | ||
Revision as of 03:05, 31 August 2020
Introduction
Intermediate Exchange, or IKE_INTERMEDIATE, is an addition to the IKEv2 protocol to enable the usage of quantum computer (QC) resistant algorithms which require transfer of large public keys. A series of these exchanges take place between IKE_SA_INIT and IKE_AUTH phases and enable message fragmentation via IKE Fragmentation mechanism. Hence large keys can be transferred without causing IP fragmentation.
The Intermediate Exchange is specified in draft-ietf-ipsecme-ikev2-intermediate.
Implementation
To allow the use of Intermediate Exchange in libreswan, the following options were added:
- The value 43 was picked to define a new exchange type, IKE_INTERMEDIATE. The value 16438 defines INTERMEDIATE_EXCHANGE_SUPPORTED Notify messages. The numbers were assigned by IANA.
- Changes were made in source files (programs/pluto/ikev2_*.c) where IKEv2 is implemented. For now, only a single round of Intermediate Exchanges is supported, since the post-quantum cryptographic algorithms are not yet a part of NSS API.
- New state transitions were added in programs/pluto/ikev2.c to support Intermediate Exchange.
- New connection option was added which can be configured with intermediate=yes.
- Test suite changes.
Issues encountered
- Incorporating new exchange into existing implementation caused significant problems.
- IDr payload will NOT be sent: error at Initiator. This error has to be debugged further.
- Fix test cases.
Future work
- Interoperability test with Elvis Plus.
- IDr payload and authentication issues should be fixed.
Source code
Code commit RSA/ECDSA: https://github.com/yulia-kuz/libreswan/commit/3af9f006f3f3150d66e8144cb243c00ae9ff3eb0 Code commit PSK: https://github.com/libreswan/libreswan/commit/615a94316d0acd164b1bae3f23df6ad3ff8f7749
The implementation for this project is done by Yulia Kuzovkova (ukuzovkova@gmail.com) under the mentorship of Sahana Prasad and Paul Wouters and sponsored by Google as part of Google Summer of Code 2020 Program.
The code is not yet merged as it is a POC (proof of concept). The code will be reviewed and merged after some issues are fixed and interoperability tests work.