►
From YouTube: IETF111-IPSECME-20210726-2130
Description
IPSECME meeting session at IETF111
2021/07/26 2130
https://datatracker.ietf.org/meeting/111/proceedings/
B
Yay,
that's
good
all
right,
so
I
think
my
clock
is
now
half
hour
past
midnight,
so
we
are
about
to
start
so
it's
9
30
utc.
So
this
is
ipsec
maintenance
and
extensions
working
group.
I
think
it
was
supposed
to
be
minor
extensions.
Did
I
misspell
that
all
right
anyway?
So
this
is
the
idea
meeting.
So
we
have
a
note.
Well,
you
have
probably
seen
that
before
and
noted
it
well.
B
B
So
that's
actually
nice
there's
a
minutes
are
there's
already
template
made
in
the
eater
part,
so
use
that
and
and
if
anybody
else,
while
paulo's
talking,
for
example,
you
can
make
some
notes
for
also
for
that
and
or
help
him
to
add
some
things,
and
if,
if
you
ask
something,
you
can
also
go
and
type
your
question
there
to
get
it
correctly,
you
know
written
down
all
right,
so
I
don't
think
we
have
any
other
administer
tasks.
C
B
B
D
Okay,
great
yeah,
so
I
just
wanted
to.
We
started
that
thread
on
the
on
the
list
about
a
month
back
hoping
to
get
some
comments
from
you
on
that.
But
it's
I
do
have
comments
from
offline.
D
The
thing
I
did
about
a
month
back,
we
published
a
new
version
that
you
know
took
some
of
your
comments
on
the
the
reordering.
I
don't
know
we
covered
all
of
your
comments,
but
you
know
we
think
we
covered
the
gist
of
you
know,
and
you
know
it's
about
added
about
a
paragraph
that
talked
about
reordering.
B
Yeah,
I'm
sorry
that
I
haven't
been
able
to
really
because
in
last
month
I
have
been.
You
know,
having
two
weeks
of
ieee
meeting
and
one
week
of
moving
and
two
weeks
of
sailing
in
one
last
month.
D
D
I
guess
you
know
the
only
thing
that
we'd
ask
is
that
you
know
if
there
are
any
more
changes
to
make.
If
we
could,
you
know
work
together
to
quickly
turn
those
around
because
we've
been
through.
You
know:
we've
been
through
a
full
cycle.
App
post-working
group
last
call
that'd
be
great
yeah.
B
E
B
E
So
for
labeled
ipsec,
the
same
thing
applies:
there's
no
really
no
changes.
It's
I
I
think
last
meeting
we
decided
on
working
with
lascal
would
start,
and
I
think
that's
should
be
moved
up
to
your
list
for
waiting
for
a
write-up
chair
review
and
be
put
on
your
to-do
list
for
next
week.
B
Did
we
do
the
vertical
for
the
lab
labeled
a
basic
already,
I'm
trying
to
think
we
actually
did
that.
I
think
it
was
waiting
for
this
to
the
you
know,
working
club
last
call
to
start
wasn't
it.
E
B
B
C
I
just
I
just
want
to
second
christian
hope
that
you
will
find
time
to
write
separate
review
for
iq
to
intermediate.
It's
been
waiting
for
you
for
chair
review
for
since
previous
idea
and
yeah
quite
a
lot
of
interoperable
implementation,
and
I
think
the
traffic
is
quite
ready
for
publishing
terrorism.
C
B
That
would
be
awesome,
yeah,
okay,
so
I
don't
think
we
have
anything
for
the
this
gi
version
two
and
I
don't
think,
there's
a
have
lots
of
happening
in
the
the
rfc
82
to
9bs.
B
C
Okay,
so
it's
a
very
short
informational
message
that
we've
had
a
high
pre-tech
between
the
ability
to
test
an
event.
So
next,
please
it
was
on
july
the
1st
it
was
organized
by
secunet,
and
there
were
three
pacific
participants,
trump
swan,
elvis
plus
and
genoa,
and
we
performed
quite
a
lot
of
testing
based
on
a
combination
of
iqr2
intermediate
and
iq2
multiple
key
exchange,
and
we
performed
a
real
post
quantum
crypto
key
exchange
based
also
implementation.
C
We
used
and
leap
ocus
library
that
contains
quite
a
lot
of
port
quantum
key
exchange
and
signature
implementations
from
the
east
third
around
east.
That's
our
next!
Please.
C
So
the
result
was
that
strong,
swan
and
ls
plus
performed
up
to
four
additional
key
exchanges
with
different
algorithms,
like
kyber
saber
for
the
km
psych
and
all
works
very
well,
except
for
minor
issues
that
the
same
additional
case
changes
voice
letters
that
was
prohibited
by
roxy
and
with
genoa.
Initially,
there
were
some
troubles
with
creation
when
using
lipos,
but
later
they
fixed
on
the
second
day,
and
they
also
successfully
performed
to
interpret
interoperability
testing.
C
C
So
the
results
are
that
results
that
there
are
at
least
three
independent
implementation
of
this
drought,
so
they
are
interoperable
or
we
badly
need
common
identifiers
and
I'll
request
to
assign
code
points
for
multiple
key
soon,
and
we
also
need
a
temporary
identifiers
for
post
quantum
and
the
reason,
because
there
are
quite
a
lot
of
them.
We
use
some
private
numbers
that
are
on
the
right
on
the
screen
and
genna
and
with
passwords
are
interested
in
testing
machines
which
doesn't
fit
in
multiple
key
because
it
has
a
very
large
public
keys.
C
So
it
is
based
on
beyond
64
contract
and
we're
going
to
perform
this
test
later,
probably
in
september.
C
So
that's
all
so
the
conclusion
the
draft
is,
quite
I
I
mean
multiple
key
exchanges
quite
stable,
so
we
have
three
interoperable
implementations
and
I
think,
as
a
co-alpha
and
I've
discussed
it
with
my
classes,
the
draft
is
ready
for
working
group.
Passcode.
B
G
Could
you
explain
a
little
bit?
What
was
the
experiment
that
you
perform?
So
I
I
saw
there
is
securenet,
so
you
have
a
three
different
implementation
of
the
ipsec
post,
quantum
hybrid,
and
so
you
you
you
so
you
are
three
that
implemented
in
some
ipsec
client,
including
libor,
qs,
that's
right
and
after
you
you
test,
if
it's
more
or
less
working,
and
so
do
you
try
to
have
some
performance
comparison
or
not
at
all.
G
Well,
the
goal
of.
C
This
event
was
to
to
to
confirm
that
implementation
are
interoperable,
so
we
didn't
perform
some
performance
testing
well
from
from
my
experience
as
a
user,
it
takes
a
bit
longer
well,
but
it's
still
tolerable
to
to
to
to
establish,
I
can
say,
with
up
to
four
post
quantum
key
exchange,
algorithms,
but
it's
it's!
It
takes
about
half
a
second
or
probably
one
second,
but
keep
in
mind
that
the
implementation
was
on
the
different
countries.
So
it's
it's!
C
You
can
add
some
network
delay
to
this,
and
so
it's
tolerable,
it's
a
bit
slow,
but
but
not
not
that
much
that
one
can
expect.
G
So
yes,
indeed,
since
it's
I
hybrid
things,
you
are
doing
more,
so
it's
it's
clear
that
it's
slower,
so
it's
good
to
know
that
it's
not
too
slow
and
so.
B
G
Point
is
that
in
the
draft,
so
you
consider
the
key
exchange
step,
but
not
the
authentication
with
certificates
with
the
breed
certificates.
C
That's
true
because
the
draft
that
was
tested,
multiple
key
exchange,
is
focused
on
the
post,
quantum
key
exchange
and
not
on
post
quantum
signature.
So
if
you
want
to
perform
post
quantum
signature,
it's
a
different
thing.
It
is
not
yet
addressed
yet
addressed
in
high
quality.
I
Okay,
am
I
listening
now?
Okay,
could
you
a
quick,
a
quick
request?
Could
you
please
post
the
code
points
to
the
main
list,
so
we
have
a
semi
permanent
record
of
what
what
you've
actually
used.
C
It's
on
the
on
the
slides
some
on
previews.
Well,
it's
probably
not
it's
like
okay.
Can
you
please
move
the
slide
back.
One
slide.
I
No,
no!
No!
No.
Could
you
please
post
the
points
that
you
give
us
your
that
you
used
to
to
do
the
to
the
mailing
list
so
that
we
have
a
permanent,
a
permanent
record
of
what
of
what
you,
okay,.
B
I
B
Them
they
can
actually
try
to
use
the
same
private
numbers,
okay,
okay,
sure,
all
right,
yeah,
okay-
and
I
think
I
think
there
was
one
question
in
the
chat
about
the
3k
access
using
the
same
algorithm.
Was
that
intentional
or
failure
in
negotiation,
or
was
it
a
failure?
I
actually
was
a
bargain
that
it
code.
C
Yeah,
it
was
a
bug
and
actually
at
least
it
was
back
in
my
in
my
implementation-
I've
already
fixed
it,
but
I
fixed
it
after
that
went
take
place.
So
probably
the
next
internal
wheelchair
I
went
we'll
try
to
to
to
figure
out
whether
this
fix
works,
all
right.
Okay,.
B
K
K
Can
can
you
hear
me,
does
it
work
great?
So
I
will
talk
about
the
improvements
for
pos
quantum
iqv2
and
the
main
point
of
issue
we
had
with
post
quantum
migrate
ii
are
intermediate
intermediate
exchanges
so
next
place
they
are
rather
complex,
especially
designing
of
them,
and
especially
when
used
with
fragmented
messages
or
fragmented
exchanges,
and
since
the
post
quantum
key
exchanges
are
rather
large.
They
are
most
of
the
time
fragmented,
so
the
the
signing
of
them
is
quite
complex,
and
that
means
always
the
risk
of
of
bugs
and
security.
K
Critical
box
is
always
there
and
we
also
have
a
higher
cost
of
maintenance
and
implementation.
Furthermore,
large
post
quantum
key
exchanges
like
make
a
list
require
data
to
be
sent
more
than
two
megabytes.
We
got
in
large
parameter
sets
and
doing
this
before
authentication
leads
to
vulnerabilities
against
the
os
attacks
or
ddos
attacks,
so
we
moved
them
in
our
implementation
to
the
follow-up
key
exchange.
K
How
that
looks
next
place
we
see
here
so
that
is
the
state
machine
of
of
igv2.
With
all
these
drafts
applied
and
there
we
see
we
perform
iksa
in
it,
and
thereafter
we
move
on
to
intermediate
exchanges,
doing
all
all
the
exchanges
which
do
not
require
large
amounts
of
data,
so
it
might
like
no
mecalis,
for
example.
Then
we
authenticate,
then
we
immediately
re-key
the
iksa
and
during
the
re-king
we
perform
all
the
exchange
of
the
the
key
exchanges
which
require
too
much
data
to
be
sent
during
ike
intermediate.
K
So
we
decided
all
the
exchanges
which
require
the
beyond
64k
draft
to
be
applied,
have
to
be
performed
after
authentication,
and
then
they
are
performed
during
fallout
ke.
That
is
the
status
quo.
How
we
decided
to
implement
the
the
drafts,
as
they
are
presented
right
now
next
place.
K
The
the
first
thing
we
propos
would
propose
is
to
remove
the
intermediate
exchanges
in
this
for
this
context,
because
we
have
to
to
have
this
workflow
anyway,
where
we
conduct
additional
exchanges
after
authentication
in
during
the
follow
p,
and
since
this
has
an
inherent
risk
for
an
attacker
being
able
to
break
the
initial
exchange
during
arkansas
life,
because
they
would
then
be
able
to
recalculate
the
message
authentication
code,
which
is
the
the
anchor
for
security
after
authentication,
we
propose
to
add
quite
simple,
hybrid
key
exchanges
like
a
ecdh
and
psych,
for
example,
something
that
fits
into.
K
I
can
say
unit
and
then
it
all.
It
is
already
secure
on
its
own
for
someone
needing
a
high
level
of
security
for
a
long
time.
So,
like
I
don't
know,
10
years
or
more,
there
is
the
possibility
to
have
additional
key
exchanges
after
authentication,
which
also,
if
maybe
in
10
years,
someone
has
a
efficient
way
of
breaking
psych,
for
example,
or
n2
in
a
small
parameter
set
and
acdh.
K
There
is
still
the
the
the
michaelis
or
frodocam
whatever,
which
is
also
it
should
be
secure.
Also
then,
so
a
record
in
harvest
attack
is
impossible
and
the
second
exchange,
the
second
change
we
would
introduce,
is
related
to
the
state
machine
being
not
cleared
in
this
state
because
we,
after
ike
off,
we
cannot
rely
on
the
essays
being
created
and
success
successfully
established
so
next
place.
K
We
require
a
further
key
exchanges
to
be
conducted,
otherwise
yeah
the
extra
the
handshake
has
to
be
awarded,
and
also
we
have
the
possibility
to
introduce
another
hash
of
the
the
public
key
from
the
follow-up
exchanges,
which
is
then
also
signed.
So
we
do
have
an
additional
anchor
for
security,
also
for
the
exchanges,
key
exchanges.
After
the
alternative,
auth
and
yeah,
then
we
have
the
more
clear
stuff.
K
We
have
a
more
clear
state,
machine
or
clearer
state
machine
which
is
easy
to
maintain
next,
please
so
the
benefits
of
these
changes
are.
We
are
rather
ind
for,
for
the
use
case
of
post
quantum
key
exchange.
We
are
independent
of
the
complex
arg
intermediate
exchanges.
K
We
have
a,
we
introduced,
the
large
quantum
key
exchanges,
but
drs
protected
because
they're
after
authentication,
it
is
a
more
clean
estate
machine
because
if
we
introduce
them
after
the
classical
icos,
like
auth,
doesn't
mean,
as
the
key
handshake
has
finished
and
in
general
we
have
a
new
place
of
for
exchanging
handshake
data
after
establishing
an
authenticated
channel
due
to
the
new
exchange
type,
which
might
also
be
yeah
making,
which
might
which
might
also
make
the
introduction
of
post-quantum
signatures
easier.
But
that
is
another
point,
so
that's
it
thanks
a
lot.
C
Actually,
we
discussed
a
little
bit
with
daniel
already
his
proposal,
and
I
think
that
there
are
a
few
things
that
that
I
don't
like
about
it.
First,
I
can't
immediately
is
not
used
only
for
the
exchange,
it
is
also
it
may
be
useful
and
I
suspect
it
will
be
useful
for
the
sins
too,
and
so,
if
this
proposal
completely
drops,
I
get
immediate.
C
I
think
it's
not
a
good
thing,
then
I
don't
think
that
this
proposal
makes
state
machine
simpler
and
then
then
it
is,
I
think
it
might
make,
makes
it
more
complex
and
the
new
authentication
exchange.
I
think
it's
a
new
exchange,
it's
not
that
gross.
It's
like
icon,
alternative
off
it's
another
exchange
with
which
must
be
implemented
with.
C
It
is
not
clear
for
me
right
now
what
this
exchange
should
contain
until
probably
draft
will
be
written
on
something
more
detailed
explanation,
so
it's
difficult
to
to
make
a
conclusion
whether
it
is
more
simple
or
more
from
my
understanding.
It
is
more
complicated
than
I
can
immediately
and
I
get
immediate
because
it's
all
problems
it's
a
bit.
B
C
And
those
attacks
concern
is
very
serious
and
I
think
addressed
and
but
otherwise
I
don't
think
this
proposal
is.
H
Okay
next
chart,
so
no
no
changes.
We
we've
submitted
the
draft,
it's
so
basically
it's
it's.
The
management
for
the
ipsec,
so
for
the
iptfs
and
the
only
the
only
difference
is
the
the
base
file
the
base
yang
that
we
augmented
for
this
is
now
an
rfc
next
chart,
and
so
the
tree
this
was
was
presented
before.
So
these
are
the
management
objects
for
iptfs
and
the
counters
that
we
have
for
the
iptfs
okay
next
chart.
H
So
if
you
go
to
the
next
chart,
we
we
used
the
the
yang
to
to
produce
snmp
objects
that
could
be
were
were
the
same
as
the
as
the
yang,
and
so
it's
it's.
Basically
one
model
that
and
and
there's
two
views,
there's
the
yang
view
and
then
there's
the
snmp
mid
view.
That's
so
you
can
read
it
and
we
we
talked
about
this
before
that's,
because
some
people
still
would
like
to
be
able
to
read
this
with
snmp
and
just,
for
example,
the
next
chart.
H
So
here
are
the
objects
in
the
mib
that
correspond
to
the
one
before
so.
The
summary
is
that
we
we
think
because
the
iptfs
draft
is
is
progressed.
The
these
two
drafts
are
the
management
model
and
they're
ready
to
go
for
workgroup
last
call.
B
I
just
started
couple
of
last
calls:
we
have
now
three
working
club
last
goals
ongoing,
so
I
would
actually
like
to
postpone
these
and
concentrate
and
get
iptfs
out
and
then
getting
the
three
last
calls
out
and
then
hopefully
start
this
after
we
get
iptfs
forward.
So
we
don't
consume
resources
for
these.
While
we
are
actually
trying
to
get
the
main
core
document
out.
First.
H
I,
I
guess
the
only
thing
I'd
I'd
say
is:
having
had
another
yang
document
go
through
work
group
last
call
to
get
the
yang
doctors
on
to.
It
would
probably
be
a
good
step
that
we
could
start
initiating.
B
C
So
this
draft
was
already
presented.
I
think
it
was
presented
a
couple
of
times,
but
it
has
some
significant
changes
from
the
last
8
years.
The
design
was
greatly
simplified
and
it
was
lined
with
a
recent
add
work
in
particular
with
itf
edg
dnr
design.
C
It's
also
leverage
svgb
is
a
way
to
to
transfer
parameters
for
encrypted
dns
servers,
and
the
draft
address
comments
released
by
the
working
group
in
idea
114
through
his
deployment
section
to
appendix
it's.
A
minor
comment
and
a
magic
comment
was
to
reliable
magnitude
with
data
and
certificate,
so
we
introduced
instead
of
using
picayo,
introduced
a
new
attribute
that
can
weigh
sufficient
the
dns
server
certificate,
so
the
next
piece.
C
So
what
is
simplified
design
instead
of
having
six
attributes
for
two
versions,
families
and
three
protocols
like
dot,
doh
and
doku?
We
have
only
two
attributes
now
for
version
four
inversions
at
leadership
on
their
competition.
Six
and
all
the
specifics
of
encrypted
dns
server
is
conveyed
in
service
parameters.
That
has
a
format
of
what
we
see
so
connect.
Please
and
a
new
attribute
is
introduced.
C
Its
attribute
contains
a
hash
of
the
encrypted
dns
server
certificate
and
the
hash
is
computed
using
official
algorithms
from
the
ip2
cache
organism
registry.
So
there's
no
no
need
for
new
registry.
We
use
an
existing
one
and
at
the
same
time
we
have
algorithm
agility.
That's
a
good
thing
and
sha
2
256
is
my
data
template
so
the
next
please.
C
So
the
client
requests
in
request
includes
an
mdns
digest
info
attribute
with
a
list
of
hash
algorithm.
It
supports
and
a
server
chooses,
selects
one
of
this
algorithm
computes
cache
or
use
a
precompute
hash
of
the
certificate
and
includes,
in
response
refresh
of
the
dns
server
certificate,
along
with
a
special
gifts
identifier.
C
So
this
is
the
diagram
that
just
illustrates
what
I've
said,
so
that
please
so
next
steps,
and
we
think
that
the
draft
is
now
in
the
good
shape,
and
I
think
it
is
already
it
can
be
considered
for
adoption
by
this
working
group.
So
please
consider
adoption
of
this
job.
C
This
giant
it's
a
giant
digest
over
or
serve
dns
server
certificate
that
is
transferred
inside
iksa,
so
that
the
next
slide
please.
This
next
slide
has
a
diagram.
C
So
you
can
see
that
the
client
requests
the
parameters
of
the
encrypted
dns
server
and
the
responder
returns
a
hash
of
the
dns
server
certificates,
which
the
client
can
further
compare
with
the
certificates
that
dns
server
is
using.
So
this
time
this
way
a
client
verifies
its
by
authentication
with
responder.
E
Okay,
so
I
guess
I'm
a
little
confuses.
Why?
Wouldn't
we
almost
just
send
an
svcp
presentation,
format,
dns
record
to
the
client
and
say
like
this
is
what
we
have
you
figure
out
what
you
want
to
use?
Why
is
there
an
additional
authentication
here,
because
the
the
ike
exchange
itself
is
already
authenticated,
so
why
does
that?
Do
we
have
to
have
a
separate
authentication
in
this
step?
C
Security
association
between
client
and
initiate
and
responder,
and
we
need
to
also
authenticate,
not
authenticate,
but
we
did
the
dns
server
certificate
in
a
server
with
the
different
entities
and
responded.
And
so
we
need
to
know
that
certificates
that
is
used
by
dns
server
is
weighted
from
responding
by
authentication.
E
E
Because
so
I
think
it
includes
things
like
pub
key
and
other
things
and
sure
it's
not
maybe
not
authenticated.
If
you
do
it
that
way
anyway,
I'll
I'll
take
this
on
the
list.
I'll
have
another
look
at
it,
because
it's
now
changed
quite
a
bit
so
I'll
have
another
look
and
and
clarify
my
questions.
Okay,.
B
I
have
one
question
because
it
seems
to
be
here
here:
you
have
a
hash.
Algorithm
item
requires,
yes,
seems
to
indicate
there's
a
list
of
them,
but
how
do
you
actually?
Is
there
some
kind
of
end
marker,
or
is
there
actual
number
of
them
and
if
there
are
multiple
certificate
tickets?
Also,
if
you
have
multiple
house
algorithms.
C
Well,
the
client
includes
least,
of
algorithm
identifiers.
It
supports,
but
responder
returns
on
the
single
algorithm.
B
C
B
C
Okay,
so
this
presentation
was
also
presented
as
in
the
couple
idea
before,
but
we
had
some
changes
so
next,
please.
C
So
what
is
motivation
for
this
round?
We
have
iq
to
multiple
gear
and
it
addresses
issues
of
using
large
keys
for
key
exchange
method,
but
it
still
has
a
limit
on
the
key
size
that
is
limited
by
any
equity
load,
that
is
64
kilobytes
and
most
nist
candidates
fit
into
the
into
this
restriction.
C
But
there
is
one
notable
exception:
it's
a
classic
mechanism
and
with
a
small
ski
size
of
255
kilobytes,
some
national
regulators,
like
bsi,
recommend
using
classic
mechanics
so
because
it
is
very
conservative
and
some
cartographers
think
that
it
is
most
most
conservative
and
that's
why
most
trustable
of
all
the
candidates-
and
we
also
anticipate
that
with
quantum
digital
signature
will
be
used
in
likely
too
and
looking
into
the
needs.
Third-Round
candidates,
at
least
two
algorithms
that
are
either
candidates,
so
alternative
candidates
have
either
signature
size
or
public
key
size,
greater
than
64
kilobytes.
C
We
want
so
the
performance
of
episode,
traffic
not
suffer,
and
we
want
that.
This
mechanism
must
be
as
simple
as
as
possible
and
reasonable
and
introduced
minimal
change,
typically
something
next,
please
and
not:
gold,
not
gold,
to
define
the
generic
mechanism
of
transfer
any
load
greater
than
64
kilobytes,
because
it
it
requires
to
redesign
ip2
and
reload
format
and
accents
that
it's
it's
announceable.
C
Yes,
please.
So
the
approach
is
very
simple:
if
some
block
of
data
doesn't
fit
into
the
single
blue,
just
split
it
into
the
chunks
less
than
64
kilobytes
and
place
it
into
the
sequence
of
adjacent
adjacent
reloads
of
the
same
type
and
the
responder
will
concatenate
all
these
chunks
and
receive
a
large
global
data.
C
So
this
approach
works
very
well
if
there
is
only
one
preload
of
a
given
type
in
a
message.
C
C
So
it's
it's
an
example,
so
we
have,
I
can
say
need
then
I
get
immediately
with
with
ballots
that
are
in
blue.
It's
this
a
lot
that
are
split
into
in
into
several
loads,
a
large
block
of
blocks
of
data
that
are
split
into
several
prologues,
for
example.
This
is
in
this
diagram.
It
is
key
exchange
below
circuit
loans
and
hospitals.
C
So
what
are
the
changes
from
zero
zero
version?
Eye
fermentation
is
not
mandatory
for
both
udp
and
tcp.
It
is
because
the
gcp
individual's
message
size
is
still
limited.
The
imessage
size
is
still
limited
to
64
kilobytes,
because
tcp
lens
prefix
is
16
bit
lens,
so
we
have
to
use
incrementation
even
with
tcp,
then
we
introduce
a
so-called
mix
transport
mode
and
the
mix
transfer
transport
mode
is
a
way
of
avoid
problems
that
ipsec
traffic
esp
traffic
have
when
it
is
encapsulated
in
tcp.
C
C
With
this
mixed
mode,
we
have
a
reliable
transfer
of
very
large
data
in
ike
essay,
but
still
doesn't
don't
have
problems
that
with
performance
that
are
caused
by
using
gcp
transport
for
esp.
So
it's
an
optional
mode.
It
is
negotiated
by
exchanging
new
notification
ico
with
tcp,
and
we
think
that
for
transforming
large
public
keys,
it's
very
useful
condition.
C
So
we
also
need
some
clarification:
how
to
tweet
cleanse
or
foreign
and
actually
actually
results
or
for
the
changes.
That's
the
next
piece
and
a
very
important
respect
is
joseph
tex.
C
We
have
a
section
that
discussed
them
a
bit
and
we
said
rfc
1819,
but
we
think
that
some
more
discussion
is
needed
in
the
draft
because
of
the
large
large
data
blocks,
something
next
please
so
anyway,
there
is
some
interest
in
using
at
least
in
using
my
keyless
from
in
interest
from
vendors.
So
we
think
that
the
draft
is
in
the
situation
in
the
state
when
it
can
be
adopted,
and
so
if
the
working
group
is
saying
that
this
work
is
worse
to
to
conduct.
So
we
ask
for
adoption.
E
Okay,
just
just
one
comment
now
like
requiring
tcp
is
a
really
heavy-handed
change
to
the
ike
protocol
like
well.
While
the
world
is
moving
more
towards
udp,
we
would
be
moving
towards
requiring
tcp,
which
would
be
really
scary
and
easily
filtered
easily
blocked.
So
I
would
be
very
not
in
favor
of
requiring
tcp.
C
Well,
actually,
it
is
not
required
to
use
tcp
it
is.
It
is
an
optional,
an
option
because
with
udp,
it's
quite
difficult
to
reliably
transfer
mcalee's
public
keys.
Actually,
I
performed
some
experiments
on
the
local
local
network
on
the
land
and
even
using
edp.
It
is
manageable
to
to
exchange
michaelis
public
keys.
At
least
I
managed
to
do
it
it.
It
usually
takes
about
a
couple
of
seconds
and
about
couple
of
three
year,
transmits
of
all
the
to
55
kilobytes
message,
but
it
works,
but
with
tcp
is
much
more
reliable.
A
Yeah,
so
I'd
like
to
agree
that
the
you
can
get
better
reliability
with
udp
like
they
get
in
quick,
but
you
need
the
quick
mechanism.
Just
can't
just
use
the
thing
you.
What
we
have
in
ike
is
not
nearly
as
robust
as
what
they
have
in
grid.
I'd
like
to
push
back
on
the
statement
that
it's
a
non-goal
to
make
it
a
generic
mechanism.
A
I
think
you
could,
if
you
just
made
the
length
field
bigger,
like
adopt
some
of
those
seven
reserved
bits
next
to
the
length
field
and
use
that
as
an
extra
length
field,
and
you
could
get
payloads
that
are
four
megabytes
or
eight
megabytes
depending
if
you
use
the
last
one,
and
I
think
that
would
be
a
simpler
thing
than
the
way
you
do
it
with
multiple
ident,
multiple,
similar
payloads
one
after
the
other.
C
That
was
an
option
too
and
the
last
atf
I
presented
some
ideas
of
a
new
balloon
format,
but
as
far
as
I
remember
that
wasn't
received
very
well
and
actually
actually
it's
it's
quite
a
light
change
to
to
to
the
protocol.
It's
a
larger
change,
more
more
deeper
change,
because
look
for
format
is
very,
very
inside
the
the
protocol
of
the
code,
and
you
have
to
also
negotiate
using
new
feature
and
the
code
compatibility.
A
A
simple
hack,
it
just
seems
to
me
that
having
a
big
certificate
in
one
big
payload
is
better
than
having
one
certificate
in
multiple
search
payloads.
But
that's
just
me.
E
B
Message
and
each
of
them
would
be
fragmented
in
multiple
pieces,
and
you
have
to
have
somehow
separate
them
and
of
course
you
add-
and
if
you
have
to,
if
you
think
about
that
understanding,
is
that
all
the
beyond
64
kilohertz
buckets
are
inside
the
encrypted
payloads,
yes
with,
which
means
that
at
the
encrypted
payload
that
you're
proposing
or
handling
it
so
that
the
you
know
that
length
of
field
of
that
is
going
to
be
zero,
which
means
that
all
the
old
implementations
are
going
to
be
barf
at
that
point
anyway,
because
they
will
actually
check
that.
B
So
after
you
get
past
that
check
that
okay,
that
group,
the
payload
negative,
zero
okay,
then
we
can
actually,
you
know,
go
to
the
other
part
and
say
that
okay,
now
we
just
change
they
change
the
you
know:
payload
numbers
to
payload
links
to
32
bits,
or
something
like
that.
I
don't
know,
but
this
is
something
that
I
think
we
should
probably
think
about
it
when
we
are
actually
processing
those.
B
But
that
actually
it
goes
anyway,
it
goes
with.
You
know
the
you
know,
post
quantum
crypto
stuff
anyway,
because
we
need
that
for
for
it
anyway.
So
I
think
we
can
actually
still
adopt
this
as
a
working
group
document,
so
I
will
think
we
are
good
for
the
last
two.
Actually,
I
think
we
probably
going
to
be
making
a
adoption
course
quite
soon.
C
L
Okay,
hello,
everyone,
my
name
is
weipan
and
I'd
like
to
present
the
ik
version.
Two
optional
essay
and
ts
payloads
in
child
exchange,
and
this
draft
was
previously
presented
at,
was
first
presented
at
itf
105
and
next
slide.
L
L
Currently,
the
draft
is
in
version
007
and
thanks
a
lot
for
for
the
comments
and
feedbacks
and
suggestions.
The
whole
solution
now
is
much
simpler
and
text
is
more
readable
for
now.
The
whole
optimization
solution
comprises
of
three
steps.
First,
is
a
negotiation
of
support
and
after
the
negotiation,
the
initiator
and
the
responder
can
do
the
optimization
that
is
omitted.
The
sa
payloads
and
wreaking
ike
essays
and
omitting
the
essay
and
ts
pillows
at
the
wreaking
china
essays
for
now.
There
is
no
more
consideration
for
the
situation
of
configuration
change.
L
L
The
new
notify
message,
type
notifications:
there
are
only
two
notifications
are
needed
now
and
the
previous
one
is
three,
and
the
next
pictures
shows
the
comparison
between
the
previous
version
and
the
current
version.
You
can
see
that
the
the
right
picture,
the
current
version-
is
much
simpler
and
also
now
we
have
new
two
co-authors
for
others
and
melinchen
and
welcome
them
next
slide.
Please.
L
This
picture
this
slide
shows
the
steps.
Three
steps
of
optimization
and
the
read
read:
parts
are
the
new
new
notified
notifications
are
added
and
you
can
see
there
is
it's
much
simpler
and
reduce
the
band
package
size
of
the
rookie
messages.
L
For
now
about
the
draft
there
I've,
I
also
think
there
are
some
open
questions.
First,
should
the
supporting
the
notify
mean
that
peers
may
or
should
or
must
use?
This
method
must
may
be
too
strong
and
we
think
should
maybe
better
and
second
question
is,
alternatively,
if
the
supporter
notified
could
have
a
payload
that
signifies
whether
the
old
method
is
support
or
not.
We
think
this
is
not
necessary
and
it
will
increase
the
complexity,
so
we
don't
want
to
do
that,
but
we
also
want
to
hear
others.
Opinions.
L
What
should
an
optimized
key
do
when
there
is
no
key
payload
send
invalid
k
payload,
and
we
also
do
want
to
hear
from
the
colleagues
next
slide
please
and
for
now
we'd,
like
about
next
steps,
we'd
like
to
ask
for
working
group
adoption-
and
we
are
welcome
others
to
discuss
and
close
the
open
questions,
and
we
also
are
looking
for
implementations
to
do
inter
testing.
C
So
for
the
question,
I
think
that
supported
always
mean.
May
it's
my
opinion,
because
it's
negotiation
of
capability
and
well,
if
you
want
to
use
it,
should
to
use
it
as
should
then
it
just
might
support
it,
but
something
like
always
used
and
yeah
for
the
third
question
for
the
third
question,
I
have
another
question:
what
about
the
first
child
the
same?
Is
it
well,
the
first
time
child
decide
is
created,
so
when
I
can
say
it's
created,
so
is
it
considered
as
negotiated
with
pfs
or
not
so
it's
just
a
first
prompt.
L
About
the
the
child
essay,
it
was
optional,
you
can
include
the
k
payload
or
not.
C
All
this
thing,
the
question
you
you
you
have
is
when
the
child
is
saying
was
nick
shaitan
with
space.
I
I'm
asking
what
about
the
very
first
child
they
say.
Is
it
considered
as
negotiated
with
papers
or
not
with
or
without
papers,
because
the
first
child
they
say
in
fact
doesn't
have
its
own
bfas.
It's
just
inherits
key
material
from
my
case.
C
C
E
So
in
the
traffic
selectors
for
that
child
essay
in
ike
off
there
is
the
divi
helmet
group
as
a
transform.
So
you
do
signal
that
it
is
one
with
pfs.
Yes,
yes,
and
so.
B
So
I
don't
think
he
actually
like
also
includes
that,
but
I
think
we
actually
are
running
out
of
time
and
we
probably
have
one
more
presentation
from
paul.
So
I
think
we
should
take
those
questions
to
the
list,
but
might
be
much
easier
to
understand
there.
When
we
have
a
diagram
that
people
can
actually
read
the
drafts.
E
Okay,
so
this
is
about
our
purse
per
cpu
or
per
q
child
essay.
So
so,
hopefully
you
have
read
the
draft,
because
I
I
will
definitely
assume
you've,
read
it
for
the
questions
or
the
the
items.
So
next
slide.
E
Normally,
you
know
it
gets
downgraded
to
two
to
five
gigs,
because
we
have
one
tunnel
with
one
counter
and
synchronization
issues,
and
so
what
we're
planning
to
do
is
having
multiple
child
assays
in
parallel
bound
to
cpus
or
network
queues
that
can
independently
push
this
traffic
much
faster
and
we
have
reached
like
40
to
60
gig
speeds.
Using
this.
E
E
We
clarified
the
terms
initial
child
assay
because
it's
a
little
confusing
when
it's
getting
re-keyed.
So
we
call
that
that
the
fallback
child
is
saying
we
also
added
the
info
notified
to
be
always
added.
If
you
want
one
of
these
additional
child
assists
just
to
make
it
easier
to
recognize
it,
because
someone
could
start
a
traditional.
I
guess
a
sorry,
a
traditional
creature,
let's
say
with
no
no
identifiers,
meaning
that
it's
just
separate
from
this
mechanism.
E
We
ran
into
a
bunch
of
corner
cases
about
the
number
of
tunnels
you
want
to
negotiate.
So,
instead
of
the
minimum,
we
picked
the
maximum.
E
So
you
basically
pick
the
maximum
of
the
two
parties,
obviously
within
like
denial
of
service
reasonability,
and
that
that
gets
you
out
of
a
lot
of
the
the
corner
cases
that
we
saw.
We
attempted
to
clarify
the
qos
case,
but
I'll
talk
about
that.
A
little
bit
more.
We
added
some
operational
considerations
that
we
realized
about
mostly
about
acquires
and
if
you
don't
have
per
cpu
acquires
so
next
slide.
E
So
then
this
was
the
major
issue,
so
the
authors
on
this
drive
don't
are
actually
not
quality
of
service
experts
and
we
we
see
a
bunch
of
issues
with
quality
of
service
and
how
to
do
that.
So,
first
of
all,
there's
no
code,
so
we
can't
actually
test
any
of
this.
Another
question
is:
what
do
you
do
with
qos?
Do
you
like
negotiate
all
of
the
possible
combination
flows
at
first,
and
so
so?
Do
you
start
like
64
tunnels
or
do
you
just
say
like
well?
E
E
So
we
don't
really
know
the
answers
to
these
questions,
so
we
are
kind
of
tempted
to
say.
Maybe
if
there's
really
qos
people,
they
should
put
all
of
this
in
their
own
draft
and
work
on
it
and
and
get
these
things
done,
and
we
would
like
to
see
maybe
kick
this
out
of
the
our
draft.
So
ardor
focuses
on
you
know
the
the
cpu
slash
network,
cues
that
are
available
because
that's
actually
the
code
we're
seeing
we're
implemented.
We
know
about.
We
just
have
too
many
questions
about
this.
E
There
was
some
some
talk
about
what
to
return
error
code
wise,
and
I
know
that
valerie
had
had
suggested
no
additional
essays,
but
we
realized
that
there's
one
issue
with
that.
If
you
have-
and
I
can
say
with
multiple
child
essays
and
with
some
of
them,
you
want
to
do
this,
multiple
children
and
with
some
of
them
you
don't,
then
doing
no
additional
essays
might
be
confusing
to
say
whether
you
mean
no
additional
saves
for
this
traffic
selector
set
or
or
that
it's
still
allowed
to
do
other
traffic
selectors.
E
So
we
think
it
should
still
either
be
t,
is
unacceptable
or
maybe
just
a
a
custom
new
code,
and
so
there's
a
note
here
as
well
that
we've
broken
this
for
quite
a
few
years,
like
I
think,
going
back
to
prague
a
couple
of
years
ago,
and
so
we
would
really
like
to
do
like
see
if
the
working
group
is
interested
because
we
we
really
need
to
know
whether
we
should
merge
this
code
into
the
linux
kernel
and
eye
demons
or
whether
we
should
give
up
on
this
and
and
look
at
other
ways.
B
B
The
previous
one
could
be
actually
put
into
the
compression
stop,
but
we
have
to
think
about
it
more.
So
I
think
we
need
to
have
a
discussion
with
the
lady
and
the
authors
and
see
if
we
need
to
reach
our
or
something
like
that,
but
we
are
now
running
out
of
time.
So
we
can't
do
that
one
now,
but
I
please
send
a
list
to
the
email
to
the
list
and
and
remind
this
and
then
our
added
ccdiads
and
our
creators
are
coming.
F
Right
no,
I
agree
we
should
talk
about
this
offline,
but
I
had
I
wanted
to
join
the
the
queue
to
say
something
unrelated,
which
was
since
we
were
talking
about
post
quantum,
so
much
and
hybrid
techniques.
Today
I
wanted
to
point
out
that
tomorrow,
at
the
sag
session,
we're
gonna
have
a
topic,
for
you
know
how
should
the
ietf
be
handling
post
quantum
stuff
in
general,
which
may
be
of
interest
to
many
of
us
here?
So
please
come
to
that
and
share
your
opinions.
B
B
Yeah
the
cookies
out
there
in
the
gutter
towel,
so
it's
probably
gonna
grab
them
before
people.
Other
people
take
them.
Okay,
so
that's
all
for
the
high
basic
mma
and
I
hope
people
we
had
a
little
bit
problem
with
my
my
scheduling
because
I
was
in
the
vacation
where
I
was
supposed
to
schedule
this
meeting.
So
that's
why
we
only
get
to
one
hour
and
in
wrong
location
in
overlapping
or
several
other
systems,
but
hopefully
that
was
still
useful
and
so
okay.