Multiple Key Exchanges in the Internet Key Exchange Protocol Version 2
RFC 9370, “Multiple Key Exchanges in the Internet Key Exchange Protocol Version 2”, is a Proposed Standard document published in May 2023 by CJ. Tjhai, M. Tomlinson, G. Bartlett, S. Fluhrer, D. Van Geest, O. Garcia-Morchon, V. Smyslov. It updates RFC 7296. The canonical text is published by the RFC Editor.
Abstract
This document describes how to extend the Internet Key Exchange Protocol Version 2 (IKEv2) to allow multiple key exchanges to take place while computing a shared secret during a Security Association (SA) setup.
This document utilizes the IKE_INTERMEDIATE exchange, where multiple key exchanges are performed when an IKE SA is being established. It also introduces a new IKEv2 exchange, IKE_FOLLOWUP_KE, which is used for the same purpose when the IKE SA is being rekeyed or is creating additional Child SAs.
This document updates RFC 7296 by renaming a Transform Type 4 from "Diffie-Hellman Group (D-H)" to "Key Exchange Method (KE)" and renaming a field in the Key Exchange Payload from "Diffie-Hellman Group Num" to "Key Exchange Method". It also renames an IANA registry for this Transform Type from "Transform Type 4 - Diffie- Hellman Group Transform IDs" to "Transform Type 4 - Key Exchange Method Transform IDs". These changes generalize key exchange algorithms that can be used in IKEv2.
What “Proposed Standard” means
An entry-level standards-track specification: stable, peer-reviewed and a solid basis for implementation, though it may still evolve before becoming an Internet Standard.
The canonical text of RFC 9370 is hosted at rfc-editor.org. Available in HTML,TXT,PDF,XML.
- RFC 9369 QUIC Version 2
- RFC 9371 Registration Procedures for Private Enterprise Numbers
- RFC 9368 Compatible Version Negotiation for QUIC
- RFC 9372 L-Band Digital Aeronautical Communications System
- RFC 9367 GOST Cipher Suites for Transport Layer Security Protocol Version 1.3
- RFC 9373 EdDSA Value for IPSECKEY
- RFC 9366 Multiple SIP Reason Header Field Values
- RFC 9374 DRIP Entity Tag for Unmanned Aircraft System Remote ID