**Session Date/Time:** 19 Mar 2024 05:30

# ipsecme

## Summary

The ipsecme working group meeting covered several draft proposals: ML-KEM integration with IKEv2, an ESP echo protocol (ESP Ping), sharing a single IPsec tunnel across multiple VPNs, disabling anti-replay protection and its interaction with Extended Sequence Numbers (ESN), the SM2/SM3/SM4 cryptographic algorithms, and fragmentation avoidance using LMAP. Discussion focused on the technical details of each proposal, potential issues, and whether each should be adopted as a working group draft.

## Key Discussion Points

* **ML-KEM:**
  * Should ML-KEM-512 be assigned a code point for use in IKE_SA_INIT for a pure post-quantum key exchange?
  * Should this be a working group draft, or should the code points be obtained via expert review?
  * Suggestion to consider a more generic "how to use a post-quantum KEM in IKEv2" draft instead of one per algorithm.
  * Strong support for adopting the draft and publishing it, even if it is short.
* **ESP Ping:**
  * The initial draft proposed reserved SPIs for echo requests and responses.
  * Discussion of using production SPIs for troubleshooting instead, with concerns about distinguishing echo packets from ESP dummy packets, since both would use Next Header 59 (No Next Header).
  * Security considerations: preventing downgrade attacks and avoiding denial-of-service amplification.
  * How to determine whether the remote site supports ESP Ping at all.
  * Concerns about false positives: how to tell blocked traffic apart from an endpoint that simply does not support the mechanism.
  * Alternative proposal: an IKE message that requests the peer to send a dummy IPsec packet.
  * Using the existing IKEv2 notify mechanism to signal capabilities.
* **Multi-VPN IPsec Tunnel Sharing:**
  * Problem of IPsec tunnel scalability in 3GPP networks with RAN sharing.
  * Proposed solution: share a single IPsec tunnel across multiple VPNs by adding VPN-related information to the traffic selectors and to the ESP/AH headers.
  * Alternative solutions discussed: splitting the SPI field, using a unified flow ID, or using IPv6.
  * Concerns about whether VPN IDs need to be carried over the network in ESP packets at all.
* **Anti-Replay/ESN:**
  * Discussion of disabling anti-replay protection and its impact on Extended Sequence Numbers (ESN), whose high-order bits the receiver infers from anti-replay window state.
  * Should ESN be decoupled from anti-replay?
  * How to notify the peer of the chosen behaviour.
* **SM2/SM3/SM4:**
  * Introduction of the Chinese national standard cryptographic algorithms to IPsec.
  * Request to add several new transform types and methods to the current IKEv2 registries.
  * Recommendation to follow the ISE (Independent Submissions Editor) process.
  * Questioning whether the CBC mode needs to be kept.
* **LMAP:**
  * Use of LMAP (Link Maximum Atomic Packet) to avoid IP fragmentation and reassembly.
  * PTB (Packet Too Big) notification extension discussed.

## Decisions and Action Items

* **ML-KEM:** Panos to consider the suggestion of a generic "how to use a post-quantum KEM in IKEv2" draft.
* **ESP Ping:** Move discussion to the mailing list.
* **Multi-VPN IPsec Tunnel Sharing:** Bring discussion back to the mailing list.
* **Anti-Replay/ESN:** Bring discussion back to the mailing list.
* **SM2/SM3/SM4:** Work toward submission through the ISE (Independent Submissions Editor) process.
* **DSCP:** Chair to discuss with AD Deb Cooley whether DSCP is in scope.

## Next Steps

* Continue discussions on the mailing list for ESP Ping, Multi-VPN IPsec Tunnel Sharing and Anti-Replay/ESN.
* Consider the generic post-quantum KEM document for ML-KEM.
* Submit SM2/SM3/SM4 through the ISE (Independent Submissions Editor) process.
* Discuss charter scope and adoption for DSCP with the AD.
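The Anti-Replay/ESN item above hinges on a detail of RFC 4303: only the low 32 bits of an Extended Sequence Number travel in the ESP header, and the receiver reconstructs the high 32 bits from the same state (the high-water mark T and the window width W) that the anti-replay window maintains, which is why "disable anti-replay" and "keep ESN" are entangled. The following is an added example written for this summary, not code from any ipsecme draft or implementation. It implements the Seqh inference of RFC 4303 Appendix A together with a bitmap anti-replay window, and simulates ICV verification by handing the receiver the sender's true 64-bit ESN (constructed input that a real receiver never has) so that a wrong high-order guess fails exactly as the ICV would on the wire. The window width of 64 and the traffic in `wrap_scenario` are assumptions for illustration.

```python
"""ESN high-order-bit inference plus anti-replay window, after RFC 4303 Appendix A.

Added example (not from any ipsecme draft). The ICV check is simulated: the
sender's true 64-bit ESN stands in for the authenticated packet, so a guess
that lands on the wrong high 32 bits is rejected as an ICV failure, which is
what happens in practice because the ICV covers the untransmitted high bits.
"""
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF


@dataclass
class EsnReceiver:
    window: int = 64          # W: anti-replay window width in packets (RFC 4303 minimum is 32)
    anti_replay: bool = True  # False models an SA with anti-replay disabled; Th/Tl are still tracked
    th: int = 0               # Th: high 32 bits of T, the highest ESN accepted so far
    tl: int = 0               # Tl: low 32 bits of T
    seen: int = 0             # bitmap: bit i set means T - i has already been accepted

    @property
    def t(self) -> int:
        return (self.th << 32) | self.tl

    def infer_seqh(self, seql: int) -> int:
        """Guess the untransmitted high 32 bits for received low bits seql (RFC 4303 A2.2)."""
        bl = (self.tl - self.window + 1) & MASK32  # Bl: low bits of the window's lower edge
        if self.tl >= self.window - 1:
            # Case A: the window does not straddle a 2^32 boundary.
            # Below Bl means the sender has already wrapped into the next epoch.
            return self.th if seql >= bl else self.th + 1
        # Case B: the window straddles the boundary; values at or above Bl are
        # late packets from the previous epoch, everything else is the current one.
        return self.th - 1 if seql >= bl else self.th

    def receive(self, seql: int, sender_seq: int) -> tuple[bool, str]:
        """Process one inbound packet carrying low-order bits seql; return (accepted, verdict).

        sender_seq is the true 64-bit ESN the sender used. It is consulted only to
        simulate ICV verification and is constructed input, not on-the-wire data.
        """
        seqh = self.infer_seqh(seql)
        if seqh < 0:
            return False, "below first epoch"
        seq = (seqh << 32) | seql
        if seq > self.t:
            if seq != sender_seq:
                return False, "ICV failure (wrong Seqh guess)"  # simulated ICV check
            shift = seq - self.t
            if shift >= self.window:
                self.seen = 1  # the whole old window scrolls out; only the new T is marked
            else:
                self.seen = ((self.seen << shift) | 1) & ((1 << self.window) - 1)
            self.th, self.tl = seq >> 32, seq & MASK32
            return True, "new high-water mark"
        diff = self.t - seq
        if diff >= self.window:
            # Defensive only: the inference above always places seq within W of T or above it.
            return False, "older than window"
        if self.anti_replay and (self.seen >> diff) & 1:
            return False, "replay"
        if seq != sender_seq:
            return False, "ICV failure (wrong Seqh guess)"  # simulated ICV check
        self.seen |= 1 << diff
        return True, "in window"


def wrap_scenario(anti_replay: bool = True) -> list[str]:
    """Constructed traffic around the first 2^32 boundary; returns the verdict for each packet."""
    # Start with an SA that has already accepted ESN 2^32 - 10 (Th = 0, Tl = 0xFFFFFFF6).
    rx = EsnReceiver(window=64, anti_replay=anti_replay, th=0, tl=(1 << 32) - 10, seen=1)
    packets = [
        (1 << 32) + 3,   # first packet of the new epoch: low bits 3 look small but are future
        (1 << 32) - 8,   # late packet from the old epoch, still inside the window
        (1 << 32) - 8,   # the same packet again: a replay
        100,             # ancient epoch-0 packet replayed; its low bits land in the "future" region
    ]
    return [rx.receive(p & MASK32, p)[1] for p in packets]


if __name__ == "__main__":
    print("anti-replay on: ", wrap_scenario(True))
    print("anti-replay off:", wrap_scenario(False))
```

Two things the run makes visible. With anti-replay disabled the receiver still has to keep Th, Tl and W to decode the low 32 bits at all, so "disabling anti-replay" cannot mean dropping that state; it only stops the bitmap check, which is why the third packet is accepted twice in the second run. And a replayed packet from a much older epoch is not caught by the window but by the ICV, because the receiver's Seqh guess disagrees with the high bits the sender authenticated.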