<?xml version='1.0' encoding='utf-8'?>

<!DOCTYPE rfc [
  <!ENTITY lt       "&#60;"> <!-- left angle -->
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;"> <!-- word joiner -->
  <!ENTITY mu      "&#956;"> <!-- Greek letter mu -->
]>

<rfc
      xmlns:xi="http://www.w3.org/2001/XInclude"
      category="info"
      docName="draft-guthrie-cnsa2-ipsec-profile-03"
      ipr="trust200902"
      obsoletes="9206"
      updates=""
      submissionType="independent"
      xml:lang="en"
      tocInclude="true"
      tocDepth="4"
      symRefs="true"
      sortRefs="true"
      version="3">

 <!-- ***** FRONT MATTER ***** -->

 <front>

   <title abbrev="CNSA Suite 2.0 Profile for IPsec">Commercial National Security Algorithm (CNSA) Suite 2.0 Profile for IPsec</title>
    <seriesInfo name="Internet-Draft" value="draft-guthrie-cnsa2-ipsec-profile-03"/>


	<author fullname="Michael Jenkins" initials="M." surname="Jenkins">
	  <organization abbrev="NSA-CCSS" showOnFrontPage="true">NSA Center for Cybersecurity Standards</organization>
	  <address>
	    <email>mjjenki@cyber.nsa.gov</email>
	  </address>
	</author>
	
    <date year="2026"/>

   <area>Security</area>
   <workgroup>Network Working Group</workgroup>
   
   <keyword>CNSA</keyword>
   <keyword>NSS</keyword>
   <keyword>IPsec</keyword>
   <keyword>IKEv2</keyword>
   
   <abstract>
   
      <t>This document defines a base profile for IPsec for use with the US Commercial National Security Algorithm (CNSA) 2.0 Suite, a cybersecurity advisory that outlines quantum-resistant cryptographic algorithm policy for national security applications. This profile applies to the capabilities, configuration, and operation of all components of US National Security Systems that employ IPsec. It is also appropriate for all other US Government systems that process high-value information. This memo is not an IETF standard, and has not been shown to have IETF community consensus. This profile is made publicly available for use by developers and operators of these and any other system deployments.</t>
	  
   </abstract>
   
  </front>
  
  <middle>
  
    <section anchor="intro">
      <name>Introduction</name>
	  
	    <t>This document specifies an Internet Protocol Security (IPsec) profile to comply with the National Security Agency's (NSA) Commercial National Security Algorithm (CNSA) 2.0 Suite <xref target="CNSA2"/>. This profile applies to the capabilities, configuration, and operation of all components of US National Security Systems (NSS) <xref target="SP80059"/> that employ IPsec. This profile is also appropriate for all other US Government systems that process high-value information, and is made publicly available for use by developers and operators of these and any other system deployments.</t>
		
		<t>This document does not specify how to use any cryptographic algorithm not currently supported by IPsec; instead, it profiles CNSA 2.0-compliant conventions for IPsec, and it uses only algorithms in the CNSA 2.0 suite already specified for use by IPsec.</t>
		
		<t> This memo is not an IETF standard, and has not been shown to have IETF community consensus. </t>
		
	</section>  <!-- Introduction -->
	
	
	<section anchor="terms"> 
	  <name>Terminology</name> 
	  
	    <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 <xref target="RFC2119"/><xref target="RFC8174"/> when, and only when, they appear in all capitals, as shown here. Normative language does not apply beyond the scope of this profile.</t>
		
		<t>AES: Advanced Encryption Standard</t>
		
		<t>DH: Diffie-Hellman key establishment</t>
		
		<t>ECDH: Elliptic Curve Diffie-Hellman</t>
		
		<t>PSK/PPK: Pre-Shared Key/Post-Quantum Pre-Shared Key; in this document, used interchangeably</t>
		<t>ML-KEM: Module-Lattice-Based Key Encapsulation Mechanism, defined in <xref target="FIPS203"/></t>
		
		<t>ML-DSA: Module-Lattice-Based Digital Signature Algorithm, defined in <xref target="FIPS204"/></t>		
		
	</section>  <!-- Terminology -->
	
	
	<section anchor="cnsa2">
	  <name>The Commercial National Security Algorithm Suite 2.0</name>

         <t>The National Security Agency (NSA) profiles commercial cryptographic algorithms and protocols as part of its mission to support secure, interoperable communications for US Government National Security Systems.  To this end, it publishes guidance both to assist with transitioning the United States Government to new algorithms and to provide vendors, and the Internet community in general, with information concerning their proper use and configuration within the scope of US Government National Security Systems.</t>

         <t>The CNSA Suite is the set of approved commercial algorithms that can be used by vendors and IT users to meet cybersecurity and interoperability requirements for NSS.  The first suite of CNSA Suite algorithms, "Suite B", established a baseline for use of commercial algorithms to protect classified information. The next suite, "CNSA 1.0", served as a bridge between the original set and a fully post-quantum cryptographic capability. The current suite, "CNSA 2.0", seeks to provide fully quantum-resistant protection <xref target="CNSA2"/>.</t>
		 
         <t>The National Institute for Standards and Technology (NIST) has standardized several post-quantum asymmetric algorithms. From these, NSA has selected two: ML-DSA-87 <xref target="FIPS204"/> for signing and ML-KEM-1024 <xref target="FIPS203"/> for key establishment. With SHA-384 (preferred, or alternatively SHA-512), AES-256, and LMS/XMSS, these comprise the CNSA Suite 2.0.</t>
		 
		 <t>The CNSA Suite was selected by NSA for protection of US national security information based on factors including security, performance, data value and retention requirements, advanced threat actors, and certification process. This suite will not be appropriate for all use cases; data owners are encouraged to perform their own risk assessments and consult with their data protection systems providers.</t>

         <t>The NSA is authoring a set of RFCs, including this one, to provide updated guidance for using CNSA 2.0 algorithms in certain IETF protocols.  These RFCs can be used in conjunction with other RFCs and cryptographic guidance (e.g., NIST Special Publications) to properly protect Internet traffic and data-at-rest for US Government National Security Systems.</t>

	</section>  <!-- CNSA Suite 2.0 -->
	

    <section anchor="cnsa1dev">
	  <name>Deviation from CNSA 2.0 Suite for IKEv2</name>
	  
	  <t>While this profile requires use of CNSA 2.0 compliant algorithms, it also specifies key establishment algorithms allowed by the CNSA 1.0 IPsec profile <xref target="RFC9206"/>: ECDH with curve P-384 <xref target="SP80056A"/> and DH with prime modulus of 3072 bits or 4096 bits <xref target="RFC3526"/>.</t>
		  
	  <t>If ML-KEM-1024 were used in the IKE_SA_INIT exchange, the sizes of its public key and ciphertext would cause the initiator and responder messages to exceed the typical path MTU and necessitate in IP-level fragmentation, which can present operational challenges and prevent the establishment of a connection.</t>
		  
	  <t>To address this issue, <xref target="RFC9370"/> enables peers to perform multiple key exchanges. While the cryptographic content exchanged to facilitate the first key establishment algorithm (performed in IKE_SA_INIT) must be constrained enough in size as to not induce IP fragmentation, a subsequent key establishment algorithm can be performed in the IKE_INTERMEDIATE exchange <xref target="RFC9242"/>, which precedes IKE_AUTH. This exchange, because it is encrypted by the initial key establishment algorithm, can now leverage the IKEv2-level fragmentation mechanism specified in <xref target="RFC7383"/>. Use of this mechanism allows public keys and ciphertexts to be exchanged in messages that exceed path MTU and avoids IP fragmentation.</t>
		  
	  <t>This document profiles the use of <xref target="RFC9370"/> and <xref target="I-D.ietf-ipsecme-ikev2-mlkem"/> where the key exchanges are instantiated as follows:</t>
		  
	  <ul spacing="normal">
	    <li>The key exchange performed in IKE_SA_INIT can use any of the following algorithms: 384-bit random ECP group, 3072-bit MODP group, 4096-bit MODP group.</li>
	    <li>The additional key exchange performed in IKE_INTERMEDIATE MUST be ML-KEM-1024.</li>
	  </ul>
		  
	  <t>The CNSA 1.0 key establishment algorithms are permitted instead of, e.g., a smaller quantum resistant algorithm because they enable backwards compatibility with CNSA 1.0-compliant implementations of IPsec during the transition to the CNSA 2.0 Suite and facilitate interoperability among implementations, while introducing negligible security risks (described further in Security Considerations).</t>
		  
	</section>  <!-- Deviation from CNSA 2.0 Suite for IKEv2 -->


    <section anchor="genreq">
	  <name>General Requirements</name>
	  
	  <t>The reader is assumed to have familiarity with the following documents: </t>
	  
	  <ul>
	    <li>Internet Key Exchange Protocol Version 2 <xref target="RFC7296"/></li>
		<li>IKEv2 Message Fragmentation <xref target="RFC7383"/></li>
        <li>Signature Authentication in IKEv2 <xref target="RFC7427"/></li>
		<li>Intermediate Exchange in IKEv2 <xref target="RFC9242"/></li>
		<li>Mixing Preshared Keys in the IKE_INTERMEDIATE and CREATE_CHILD_SA Exchanges of IKEv2 for Post-Quantum Security <xref target="RFC9867"/></li>
		<li>Signature Authentication in IKEv2 using PQC <xref target="I-D.ietf-ipsecme-ikev2-pqc-auth"/></li>
	  </ul>

      <t><xref target="RFC7296"/>-style notation indicates optional payloads using brackets. Some payloads, while optional in their respective specifications, are required by this profile. This has been done either to enable use of post-quantum cryptography, or to ensure the use of CNSA 2.0 Suite algorithms. These differences are discussed in more detail throughout this section. This document makes no requirements on payloads that are not specifically discussed.</t>

	  </section>  <!-- General Requirements -->
	  

	<section anchor="ikesainit">
	  <name>IKE_SA_INIT Exchange</name>
	  
	<section anchor="isioverview">
	  <name>Overview</name>
	  
	  <t>The IKE_SA_INIT exchange MUST include the following payloads in addition to those from <xref target="RFC7296"/>:</t>
	  
	  <ul>
	    <li>N(IKEV2_FRAGMENTATION_SUPPORTED) <xref target="RFC7383"/></li>
		<li>N(INTERMEDIATE_EXCHANGE_SUPPORTED) <xref target="RFC9242"/></li>
		<li>N(SIGNATURE_HASH_ALGORITHMS) <xref target="RFC7427"/></li>
	  </ul>
	  
	  <t>The IKE_SA_INIT exchange MUST include the following optional payload from <xref target="RFC7296"/> in the response:</t>
	  
	  <ul>
	    <li>CERTREQ</li>
	  </ul>
		
	  <t>This profile does not require nor preclude the use of preshared keys. If preshared keys are being mixed in with the key exchange, then one or both of the following payloads MAY also include:</t>
	  
	  <ul>
	    <li>N(USE_PPK_INT) <xref target="RFC9867"/> (preferred)</li>
	    <li>N(USE_PPK) <xref target="RFC8784"/></li>
	  </ul>
	  
		<t><xref target="isisapl"/> discusses requirements concerning the contents of the SA payloads. <xref target="isikepl"/> discusses requirements on the KE payloads. <xref target="isinpl"/> discusses the Notify payloads included in the lists above.</t>
				
	  </section>  <!-- IKE_SA_INIT Exchange: Overview -->
	  
	  
	  <section anchor="isisapl">
	    <name>Security Association Payloads</name>
		
		<t>Security Association (SA) payloads are used to propose IPsec protocols and the cryptographic algorithms (indicated via Transform Types) that correspond to each protocol. A CNSA 2.0-compliant implementation of IPsec will use the Encapsulating Security Payload (ESP) protocol <xref target="RFC4303"/> and the IKEv2 protocol <xref target="RFC7296"/>. The SA[i/r]1 payloads exchanged in IKE_SA_INIT are used to present IKE proposals. Proposals for the ESP protocol are presented during the IKE_AUTH exchange and are discussed in Section 6.3.</t>
		
		<t>The IKE proposal includes the following:</t>
		
		<ul spacing="normal">
		  <li>Encryption Algorithm (Transform Type 1): ENCR_AES_GCM_16 (with key size 256 bits)</li>
		  <li>Pseudorandom Function (Transform Type 2): PRF_HMAC_SHA2_512 or PRF_HMAC_SHA2_384</li>
		  <li>Integrity Algorithm (Transform Type 3): NONE or not offered</li>
		  <li>Key Exchange Method (Transform Type 4): 384-bit random ECP group or 3072-bit MODP group or 4096-bit MODP group</li>
		  <li>Additional Key Exchange 1 (Transform Type 6): ML-KEM-1024</li>
		</ul>
		
		<t>While the proposal requires negotiation of both a confidentiality algorithm and integrity algorithm, algorithms for Authenticated Encryption with Associated Data (AEAD) <xref target="RFC5116"/> provide integrity, and are incompatible with the use of a separate integrity algorithm. In particular, since the Advanced Encryption Standard <xref target="FIPS197"/> in Galois-Counter Mode <xref target="SP80038D"/> (AES-GCM) <xref target="RFC8247"/> is an AEAD algorithm, the IKE proposal offering AES-GCM as its encryption algorithm MUST either offer no integrity algorithm or an integrity algorithm of "NONE" with the former being the RECOMMENDED method, as per <xref target="RFC7296" sectionFormat="comma" section="3.3"/>.</t>
<!--		
		<t>AES-GCM-SIV <xref target="RFC8452"/> conforms with the requirements of this document and MAY be used instead of AES-GCM if a Federal Information Processing Standard (FIPS) validated implementation is available and a Transform Type 1 value is registered with IANA.</t>
		
		<t>[EDNOTE: Please contact the document authors to express interest in or identify implementations that support AES-GCM-SIV.]</t>
-->
		<t>ML-KEM-1024 MAY be proposed using any one of the Additional Key Exchange Transform Types (ADDKEs) 1-7 (with Transform Type 6-12 respectively), but a proposal MUST only include a single ADDKE Transform Type, and that ADDKE Transform Type MUST be ML-KEM-1024.</t>
		
		<t>An initiator proposal MUST be constructed using all of the Transform Types indicated above. For Transform Types that list more than one algorithm as an option, an initiator proposal MUST include at least one of the options listed and no options other than those listed above.</t>
		
		<t>A responder MUST accept initiator proposals that fit this description. If none of the proposals offered by the initiator comply with the above description, then the responder MUST return a Notify payload with the error NO_PROPOSAL_CHOSEN when operating in CNSA-compliant mode.</t>
		
	  </section>  <!-- IKE_SA_INIT Exchange: Security Association Payloads -->
	  
	  
	  <section anchor="isikepl">
	    <name>Key Exchange Payloads</name>
		<t>The Key Exchange Method field <xref target="RFC9370"/> in the initiator's Key Exchange payload MUST be one of the following:</t>
		
		<ul spacing="normal">
		  <li>384-bit random ECP group</li>
		  <li>3072-bit MODP group</li>
		  <li>4096-bit MODP group</li>
		</ul>
		
		<t>A responder compliant with this profile MUST send a N(INVALID_KE_PAYLOAD) <xref target="RFC7296"/> if it receives a Key Exchange payload using a Key Exchange Method value corresponding to any algorithm not listed above.</t>
		
		<t>The following requirements are restated from <xref target="RFC9206"/>.</t>
		<t>In every key establishment session, the CNSA-compliant initiator and responder MUST each generate ephemeral keys.</t>
		
		<t>While IKEv2 allows for the reuse of ephemeral Diffie-Hellman private keys <xref target="RFC7296" sectionFormat="comma" section="2.12"/>, there are security concerns related to this practice. In order to address such concerns, <xref target="I-D.ietf-ipsecme-ikev2-mlkem"/> requires ephemeral keys to be generated per connection. Moreover, this profile REQUIRES CNSA 2.0-compliant IPsec implementations to align with <xref target="SP80056A"/>. In particular, an ephemeral private key MUST be used in exactly one key establishment transaction and MUST be destroyed (zeroized) as soon as possible. Any shared secret derived from key establishment MUST also be destroyed (zeroized) immediately after its use.</t>
		
		<t>If the Elliptic Curve Diffie-Hellman (ECDH) key exchange is used, the initiator and responder both MUST generate an elliptic curve (EC) key pair using the P-384 elliptic curve. The ephemeral public keys MUST be stored in the key exchange payload as described in <xref target="RFC5903"/>.</t>
		
		<t>If the Diffie-Hellman (DH) key exchange is used, the initiator and responder both MUST generate a key pair using the appropriately sized MODP group as described in <xref target="RFC3526"/>. The size of the MODP group will be determined by the selection of either a 3072-bit or greater modulus for the SA.</t>
		
		<t>As noted in <xref target="RFC5903" sectionFormat="comma" section="7"/>, the shared secret result of an ECDH key exchange is the 384-bit x value of the ECDH common value. The shared secret result of a DH key exchange is the number of octets needed to accommodate the prime (e.g., 384 octets for 3072-bit MODP group) with leading zeros as necessary <xref target="RFC2631" sectionFormat="comma" section="2.1.2"/>.</t>
		
	  </section>  <!-- IKE_SA_INIT Exchange: Key Exchange Payloads -->
	  
	  
	  <section anchor="isinpl">
	    <name>Notify Payloads</name>
		
		<t>The initiator and responder MUST include both of the following Notify payloads in their respective IKE_SA_INIT messages, enabling Intermediate Exchange <xref target="RFC9242"/> and IKE-level fragmentation <xref target="RFC7383"/>:</t>
		
		<ul spacing="normal">
		  <li>N(IKEV2_FRAGMENTATION_SUPPORTED) <xref target="RFC7383"/></li>
		  <li>N(INTERMEDIATE_EXCHANGE_SUPPORTED) <xref target="RFC9242"/></li>
		</ul>
		
		<t>In order to use the ML-DSA-87 signature algorithm, both initiator and responder MUST include the N(SIGNATURE_HASH_ALGORITHMS) payload with hash value 'Identity' (5) as specified in <xref target="I-D.ietf-ipsecme-ikev2-pqc-auth"/>.</t>
		
		<t>The initiators and responders also MAY negotiate use of pre-shared (symmetric) key. While <xref target="RFC9206"/> supported the use of a PPK via <xref target="RFC8784"/>, use of a PPK as specified in <xref target="RFC9867"/> is preferred as it implicates the PPK earlier in the key schedule. Because both implementations may be active for some time, CNSA 2.0-compliant initiators configured for PPK use SHOULD send N(USE_PPK_INT), and MAY also send N(USE_PPK) if they are unsure whether the responder implements the preferred mechanism. A responder that receives such a message (i.e. with both Notify payloads) SHOULD reply with N(USE_PPK_INT) if it is supported. Only one mechanism can be invoked per SA. The details of PPK use are fully described in <xref target="RFC9206"/> and <xref target="RFC8784"/>; this profile makes no additional constraints on their implementation, configuration, and use.</t>
		
	  </section>  <!-- IKE_SA_INIT Exchange: Notify Payloads -->
	  
	</section>  <!-- IKE_SA_INIT Exchange -->

	<section anchor="ikeint">
	  <name>IKE_INTERMEDIATE Exchanges</name>
	  
	  <section anchor="intoverview">
	    <name>Overview</name>
		
		<t>The IKE_INTERMEDIATE exchange performs an additional key establishment with ML-KEM-1024.</t>
		
		<t>The initiator sends an IKE_INTERMEDIATE message to the responder containing an encrypted KEi(1) <xref target="RFC9370"/> payload. In reply, the responder sends an IKE_INTERMEDIATE message containing an encrypted KEr(1) <xref target="RFC9370"/> payload. Requirements for Key Exchange payloads and ML-KEM are discussed in Section 5.2.</t>
		
		<t>If <xref target="RFC9867"/> is supported by initiator and responder, a second IKE_INTERMEDIATE exchange can also be used to mix in a pre-shared key. PSK guidance and requirements are discussed in detail in <xref target="intpsk"/>.</t>
		
		<t>Implementations compliant with this profile MUST NOT use additional IKE_INTERMEDIATE exchanges to facilitate further key establishments. In other words, peers MUST NOT use IKE_INTERMEDIATE exchanges to send KE[i/r](n) payloads for values other than n=1 or that contain key establishment material for algorithms other than ML-KEM-1024.</t>
		
	  </section>  <!-- IKE_INTERMEDIATE Exchanges: Overview -->
	  
	  
	  <section anchor="intkepl">
	    <name>Key Exchange Payloads</name>
		
		<t>In IKE_INTERMEDIATE, initiator and responder messages each contain a Key Exchange payload in order to facilitate a second key establishment which uses ML-KEM-1024.</t>
		
		<t>ML-KEM-1024 has Key Exchage Method value "TBD37" [EDNOTE: Will be assigned by IANA when <xref target="I-D.ietf-ipsecme-ikev2-mlkem"/> is published].</t>
		
		<t>This profile strengthens normative key generation, encapsulation, and decapsulation guidance from <xref target="I-D.ietf-ipsecme-ikev2-mlkem" sectionFormat="comma" section="2.3"/> as follows: Responders MUST perform the checks specified in Section 7.2 of <xref target="FIPS203"/> prior to performing Encaps(pk). If the checks fail, the responder MUST send a N(INVALID_SYNTAX) payload as a response to the request from the initiator. Initiators MUST perform the checks specified in Section 7.3 of <xref target="FIPS203"/> prior to performing Decaps(sk, ct). In this case, the initiator SHOULD send a N(INVALID_SYNTAX) payload to the responder using the IKE_INFORMATIONAL exchange. This is an exception for the general requirement to not begin a new exchange based on errors in responses.</t>
		
		<t> As per <xref target="I-D.ietf-ipsecme-ikev2-mlkem"/>, ephemeral ML-KEM private keys must be generated per connection. Additionally, a CNSA 2.0-compliant IPsec implementation MUST use ML-KEM ephemeral private keys in exactly one key establishment transaction, and MUST destroy (zeroize) said key as soon as possible. Any shared secret derived from key establishment MUST also be destroyed (zeroized) immediately after its use, as is required for (EC)DH in Section 4.3.</t>
		
		<t>The following requirement is restated from <xref target="I-D.ietf-ipsecme-ikev2-mlkem"/> for emphasis: the ML-KEM public key generated by the initiator and the ciphertext generated by the responder use randomness (usually a seed) which MUST be independent of any other random seed used in the IKEv2 negotiation. For example, at the initiator, the ML-KEM and (EC)DH keypairs used in a PQ/T Hybrid key exchange should not be generated from the same seed.</t>
		
	  </section>  <!-- IKE_INTERMEDIATE Exchanges: Key Exchange Payloads -->
	  
	  
	  <section anchor="intpsk">
	    <name>PSK</name>
		
		<t>If initiator and responder intend to signal support for <xref target="RFC9867"/> in IKE_SA_INIT, the initiator sends an N(PPK_IDENTITY_KEY) payload(s) to the responder using the IKE_INTERMEDIATE exchange, and the responder will reply, both in accordance with <xref target="RFC9867" sectionFormat="comma" section="3.1"/>.</t>
		
		<t>While <xref target="RFC9867"/> indicates that the initiator MAY include the N(PPK_IDENTITY_KEY) payload(s) in the IKE_INTERMEDIATE exchange message used to transfer ML-KEM key material, it is RECOMMENDED by this profile that the initiator use a separate IKE_INTERMEDIATE exchange to agree on a pre-shared key such that the ML-KEM exchange precedes the PSK exchange.</t>
		
		<t>PSKs shall be at least 256 bits in length, and generated from a NIST approved random bit generator that supports 256-bits of entropy <xref target="SP80090C"/>.</t>
		
	  </section>  <!-- IKE_INTERMEDIATE Exchanges: PSK -->
	  
	</section>  <!-- IKE_INTERMEDIATE Exchanges -->

	<section anchor="ikeauth">
	  <name>IKE_AUTH Exchange</name>
	  
	  <section anchor="iauoverview">
	    <name>Overview</name>
		
	  <t>The IKE_AUTH exchange MUST include the following optional payloads from <xref target="RFC7296"/> in the initiator message:</t>
	  
	  <ul>
	    <li>CERT</li>
	    <li>CERTREQ</li>
	  </ul>
	  
	  <t>The IKE_AUTH exchange MUST include the following optional payloads from <xref target="RFC7296"/> in the responder message:</t>
	  
	  <ul>
	    <li>CERT</li>
	  </ul>
		
		<t>The contents of the initiator SAi2 payload and the responder SAr2 payload are discussed in <xref target="iausapl"/>. <xref target="iauauthpl"/> discusses the initiator and responder AUTH payloads. The CERT payloads are discussed in <xref target="iaucertpl"/>.</t>
		
	  </section>  <!-- IKE_AUTH Exchange: Overview -->
	  
	  
	  <section anchor="iausapl">
	    <name>Security Association Payloads</name>
		
		<t>The initiator and responder present their ESP proposals in SAi2 and SAr2 respectively.</t>
		<t>The ESP proposal includes the following:</t>
		
		<ul spacing="normal">
		  <li>Encryption Algorithm (Transform Type 1): ENCR_AES_GCM_16 (with key size 256 bits)</li>
		  <li>Integrity Algorithm (Transform Type 2): NONE or not offered</li>
		</ul>
		
		<t>While ESP as specified in <xref target="RFC7296"/> optionally supports an integrity algorithm, the use of AES-GCM <xref target="RFC4106"/> for an encryption algorithm requires that either no integrity algorithm or an algorithm NONE be offered.</t>
<!--
		<t>AES-GCM-SIV <xref target="RFC8452"/> conforms with the requirements of this document and MAY be used instead of AES-GCM if a Federal Information Processing Standard (FIPS) validated implementation is available and a Transform Type 1 value is registered with IANA.</t>
-->
<!--
    	<t>[EDNOTE: Guidance on Extended Sequence Numbers (Transform Type 5) <xref target="RFC7296" sectionFormat="comma" section="3.3.2"/> in ESP proposals is forthcoming.]</t> 
-->

	  </section>  <!-- IKE_AUTH Exchange: Security Association Payloads -->


	  <section anchor="iauauthpl">
	    <name>Authentication Payloads</name>
		
		<t>This profile REQUIRES the use of digital signature ML-DSA-87 <xref target="FIPS204"/>. If the relying party receives a message signed with any authentication method other than ML-DSA-87, it MUST return an AUTHENTICATION_FAILED Notify payload and stop processing the message.</t>
		
		<t>In alignment with <xref target="I-D.ietf-ipsecme-ikev2-pqc-auth"/> and as defined by <xref target="FIPS204"/>, this profile permits the use of both hedged and deterministic variants of ML-DSA.</t>
		
		<t>The ML-DSA algorithm incorporates an internal hashing function, so there is no need to apply a hashing algorithm before signing. Where implementation makes it more efficient to perform hashing externally, the external-μ mechanism described in Step 6 of Algorithm 7 of <xref target="FIPS204"/> and Section 8 of <xref target="RFC9881"/> MAY be used. HashML-DSA is not permitted.</t>

		<t>The computation instructions of the Authentication Data field in the AUTH payload is a complex interplay of <xref target="RFC7296"/>, <xref target="I-D.ietf-ipsecme-ikev2-mlkem"/>, <xref target="RFC9370"/>, <xref target="RFC9242"/>, and <xref target="RFC7383"/>. Additionally, if peers agreed on and mixed in a PSK as in <xref target="RFC9867"/>, this also impacts the calculation of the Authentication Data field.</t>
		
	  </section> <!-- IKE_AUTH Exchange: Authentication Payloads -->


	  <section anchor="iaucertpl">
	    <name>Certificate Payloads</name>
		
		<t>While <xref target="RFC7296"/> treats the inclusion of CERT payloads in IKE_AUTH messages as optional, CNSA 2.0-compliant initiator and responder IKE_AUTH messages MUST include the requisite CERT payloads. All CERT payloads MUST comply with <xref target="I-D.jenkins-cnsa2-pkix-profile"/>. CERT payload(s) sent by both initiator and responder MUST include the Cert Encoding of X.509 Certificate - Signature (4). If a chain of certificates needs to be sent, multiple CERT payloads are used, of which only the first holds the public key used to validate the sender's AUTH payload. CERT payloads sent by initiator or responder may also use other Cert Encodings (such as Certificate Revocation List (7)) as needed. Other public key formats (such as PGP Certificate or SPKI Certificate) MUST NOT be used. Peer authentication decisions MUST be based on the Subject or Subject Alternative Name from the certificate that contains the key used to validate the digital signature in the AUTH payload, rather than the Identification Data from the ID payload that is used to look up policy.</t>
		
	  </section>  <!-- IKE_AUTH Exchange: Certificate Payloads -->
	  
	</section>  <!-- IKE_AUTH Exchange -->


	<section>
	  <name>CREATE_CHILD_SA Exchanges</name>
	  
	  <t>A KE payload SHOULD be included in the CREATE_CHILD_SA exchange, whether it be for creating a new child SA or for rekeying an existing IKE_SA or CHILD_SA. When an initiator includes a key exchange value, it MUST be an ML-KEM-1024 public key. Upon receipt, the responder MUST include a ML-KEM_1024 ciphertext in its response.</t>
	  
	  <t>Long-lived SAs SHOULD be rekeyed according to mission need and deployment environment.</t>
	  
	</section>

	<section>
	  <name>Additional Requirements</name>
	  
	  <t>The IPsec protocol AH MUST NOT be used in CNSA-compliant implementations.</t>
	  
	  <t>Two operational requirements derive from <xref target="SP80056A"/>:</t>
	  <ul>
	    <li>Any ephemeral private key MUST be used in exactly one key establishment transaction and MUST be destroyed (zeroized) as soon as possible. (Section 5.6.3.3)</li>
        <li>Any shared secret derived from key establishment MUST be destroyed (zeroized) immediately after its use. (Section 5.8)</li>
      </ul>

      <t>Initiator and responder MUST use X.509 certificates that comply with [RFC8603]. Peer authentication decisions must be based on the Subject or Subject Alternative Name from the certificate that contains the key used to validate the signature in the Authentication Payload as defined in Section 3.8 of <xref target="RFC7296"/>, rather than Identification Data from the Identification Payload that is used to look up policy.</t>

	</section>

	<section anchor="addlreq">
	  <name>Security Considerations</name>
	  
	  <t>The security of a system that uses cryptography depends on both the strength of the cryptographic algorithms chosen and the strength of the keys used with those algorithms.  The security also depends on the engineering and administration of the protocol used by the system to ensure that there are no non-cryptographic ways to bypass the security of the overall system.</t>

      <t>When selecting a mode for the AES encryption [RFC5116], be aware that nonce reuse can result in a loss of confidentiality. Nonce reuse is catastrophic for GCM, since it also results in a loss of integrity.</t>

	</section> <!-- Additional Requirements addlreq -->

	<section anchor="app-additional">
      <name>IANA Considerations</name>
	  <t>None.</t>
	</section>
	
		<section anchor="acks">
	  <name>Acknowledgements</name>
	    <t>Rebecca Guthrie was the primary editor and contributed significantly to this document while she was employed at the National Security Agency's Center for Cybersecurity Standards.
		</t>
	</section>
	
</middle>
<back>	
   <references>
      <name>References</name>
	  <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/>
	  <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2631.xml"/>
	  <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3526.xml"/>
	  <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4106.xml"/>
	  <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4303.xml"/>
	  <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5116.xml"/>
	  <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5903.xml"/>
	  <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7296.xml"/>
	  <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7383.xml"/>
	  <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7427.xml"/>
	  <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/>
	  <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8247.xml"/>
	  <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8452.xml"/>
	  <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8784.xml"/>
	  <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9206.xml"/>
	  <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9242.xml"/>
	  <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9370.xml"/>
	  <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9593.xml"/>
	  <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9867.xml"/>
	  <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9881.xml"/>
	  
	  
	  <reference anchor="CNSA2" target="https://media.defense.gov/2022/Sep/07/2003071836/-1/-1/0/CSI_CNSA_2.0_FAQ_.PDF">
	    <front>
		  <title>The Commercial National Security Algorithm Suite 2.0 and Quantum Computing FAQ</title>
		  <author>
		    <organization>National Security Agency
			</organization>
		  </author>
		  <date month="December" year="2024"/>
		</front>
	  </reference>
	  
	  <reference anchor="SP80059">
	    <front>
		  <title>Guideline for Identifying an Information System as a National Security System</title>
		  <author>
		    <organization>National Institute of Standards and Technology</organization>
		  </author>
		  <date month="August" year="2003"/>
		</front>
	  </reference>
	  
	  <reference anchor="SP80056A">
	    <front>
		  <title>Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography</title>
		  <author>
		    <organization>National Institute of Standards and Technology</organization>
		  </author>
		  <date month="April" year="2018"/>
		</front>
		</reference>
	  
	  <reference anchor="SP80038D">
	    <front>
		  <title>Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC</title>
		  <author>
		    <organization>National Institute of Standards and Technology</organization>
		  </author>
		  <date month="November" year="2007"/>
		</front>
		</reference>
	  
	  <reference anchor="SP80090C">
	    <front>
		  <title>Recommendation for Random Bit Generator (RBG) Constructions</title>
		  <author>
		    <organization>National Institute of Standards and Technology</organization>
		  </author>
		  <date month="July" year="2024"/>
		</front>
		</reference>
	   
	  <reference anchor="FIPS203">
	    <front>
		  <title>Module-Lattice-Based Key-Encapsulation Mechanism Standard</title>
		  <author>
		    <organization>National Institute of Standards and Technology</organization>
		  </author>
		  <date month="August" year="2024"/>
		</front>
		</reference>
	  
	  <reference anchor="FIPS204">
	    <front>
		  <title>Module-Lattice-Based Digital Signature Standard</title>
		  <author>
		    <organization>National Institute of Standards and Technology</organization>
		  </author>
		  <date month="August" year="2024"/>
		</front>
		</reference>
	  
	  <reference anchor="FIPS197">
	    <front>
		  <title>Advanced Encryption Standard (AES)</title>
		  <author>
		    <organization>National Institute of Standards and Technology</organization>
		  </author>
		  <date month="May" year="2023"/>
		</front>
		</reference>
	  
	  <xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-ipsecme-ikev2-mlkem.xml"/>
	  <xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-ipsecme-ikev2-pqc-auth.xml"/>
	  <xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.jenkins-cnsa2-pkix-profile.xml"/>

	</references>
</back>	
</rfc>
