Intermediate Exchange

From Libreswan
Revision as of 14:37, 30 August 2020 by Yulia K (talk | contribs)
Jump to navigation Jump to search


Intermediate Exchange, or IKE_INTERMEDIATE, is an addition to the IKEv2 protocol to enable the usage of quantum computer (QC) resistant algorithms which require transfer of large public keys. A series of these exchanges take place between IKE_SA_INIT and IKE_AUTH phases and enable message fragmentation via IKE Fragmentation mechanism. Hence large keys can be transferred without causing IP fragmentation.


To allow the use of Intermediate Exchange in libreswan, the following options were added:

  • The value 43 was picked to define a new exchange type, IKE_INTERMEDIATE. The value 16438 defines INTERMEDIATE_EXCHANGE_SUPPORTED Notify messages. The numbers were assigned by IANA.
  • Changes were made in source files (programs/pluto/ikev2_*.c) where IKEv2 is implemented. For now, only a single round of Intermediate Exchanges is supported, since the post-quantum cryptographic algorithms are not yet a part of NSS API.
  • New state transitions were added in programs/pluto/ikev2.c to support Intermediate Exchange.
  • New connection option was added which can be configured with intermediate=yes.
  • Test suite changes.

Future work

  • Interoperability test with Elvis Plus.
  • Support of pre-shared keys.

Source code

Code commit :

The implementation for this project is done by Yulia Kuzovkova ( under the mentorship of Sahana Prasad and Paul Wouters and sponsored by Google as part of Google Summer of Code 2020 Program.