[IPsec] Re: Symmetric crypto guidance in RFC 8784 is misleading

Fri, 20 Feb 2026 09:04:38 -0800 

I don’t think we need errata for RFC 9867. The issue in RFC8784 is a normative 
"SHOULD" and some text that should read that AES128 is theoretically weaker in 
a PQ word, but not practically weaker. It is good to have erratum for RFC8784, 
but no need to mess with RFC 9867 in my opinion. 


-----Original Message-----
From: Valery Smyslov <[email protected]> 
Sent: Friday, February 20, 2026 2:35 AM
To: 'Tero Kivinen' <[email protected]>; 'Thom Wiggers' <[email protected]>; 
[email protected]
Subject: [EXTERNAL] [IPsec] Re: Symmetric crypto guidance in RFC 8784 is 
misleading

CAUTION: This email originated from outside of the organization. Do not click 
links or open attachments unless you can confirm the sender and know the 
content is safe.



Hi Tero,

> Tero Kivinen writes:
> > Thom Wiggers writes:
> > > Hi all,
> > >
> > > I was going through the security considerations of RFC 8784 and I 
> > > saw the following:
>
> Ups, the RFC 8784 was the Mixing Preshared keys in the IKEv2, not the 
> algorithm implementation requirements for ESP and AH (RFC8221) or for
> IKEv2 (RFC8247), which I assummed it to be. Thats why it is very bad 
> idea to only include RFC number, it is always better to refer 
> documents with their titles, and include RFC number only as extra 
> information...
>
> Anyways for that yes, submitting errata is fine.

And then what to do with RFC 9867, which references the Security Considerations 
section from RFC 8784?
There is no details on symmetric key sizes, just the text:

   Security considerations for using Post-quantum Preshared Keys in the
   IKEv2 protocol are discussed in [RFC8784].

Should errata be issued for RFC 9867 as well? Just because the referenced text 
has become not up to date? This does looks weird to me...

Regards,
Valery.

_____
> > IPsec mailing list -- [email protected] To unsubscribe send an email to 
> > [email protected]
>
> --
> [email protected]
>
> _______________________________________________
> IPsec mailing list -- [email protected]
> To unsubscribe send an email to [email protected]

_______________________________________________
IPsec mailing list -- [email protected]
To unsubscribe send an email to [email protected]
_______________________________________________
IPsec mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to