



ipsecme                                                            J. Hu
Internet-Draft                                                     Nokia
Intended status: Standards Track                              Y. Morioka
Expires: 31 August 2026                                 NTT DOCOMO, INC.
                                                                 G. Wang
                                                                  Huawei
                                                        27 February 2026


    Post-Quantum Traditional (PQ/T) Hybrid PKI Authentication in the
                Internet Key Exchange Version 2 (IKEv2)
                  draft-hu-ipsecme-pqt-hybrid-auth-04

Abstract

   One IPsec area that would be impacted by Cryptographically Relevant
   Quantum Computer (CRQC) is IKEv2 authentication based on traditional
   asymmetric cryptographic algorithms: e.g RSA, ECDSA, which are widely
   deployed authentication options of IKEv2.  There are new Post-Quantum
   Cryptographic (PQC) algorithms for digital signature like NIST
   [ML-DSA], However, it takes time for new cryptographic algorithms to
   mature, There is security risk to use only the new algorithm before
   it is field proven.  This document describes a hybrid PKI
   authentication scheme for IKEv2 that incorporates both traditional
   and PQC digital signature algorithms, so that authentication is
   secure as long as one algorithm in the hybrid scheme is secure.

About This Document

   This note is to be removed before publishing as an RFC.

   The latest revision of this draft can be found at
   https://example.com/LATEST.  Status information for this document may
   be found at https://datatracker.ietf.org/doc/draft-hu-ipsecme-pqt-
   hybrid-auth/.

   Discussion of this document takes place on the WG Working Group
   mailing list (mailto:ipsec@ietf.org), which is archived at
   https://mailarchive.ietf.org/arch/browse/ipsec/.  Subscribe at
   https://www.ietf.org/mailman/listinfo/ipsec/.

   Source for this draft and an issue tracker can be found at
   https://github.com/USER/REPO.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.



Hu, et al.               Expires 31 August 2026                 [Page 1]

Internet-Draft               IKEv2 PQTH Auth               February 2026


   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 31 August 2026.

Copyright Notice

   Copyright (c) 2026 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Change log  . . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.1.  changes in -04  . . . . . . . . . . . . . . . . . . . . .   3
     1.2.  changes in -03  . . . . . . . . . . . . . . . . . . . . .   3
     1.3.  Changes in -02  . . . . . . . . . . . . . . . . . . . . .   3
     1.4.  Changes in -01  . . . . . . . . . . . . . . . . . . . . .   4
   2.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   4
   3.  Conventions and Definitions . . . . . . . . . . . . . . . . .   5
   4.  IKEv2 Key Exchange  . . . . . . . . . . . . . . . . . . . . .   5
   5.  Exchanges . . . . . . . . . . . . . . . . . . . . . . . . . .   5
     5.1.  Announcement  . . . . . . . . . . . . . . . . . . . . . .   6
       5.1.1.  Sending Announcement  . . . . . . . . . . . . . . . .   8
       5.1.2.  Receiving Announcement  . . . . . . . . . . . . . . .   9
     5.2.  AUTH & CERT payload . . . . . . . . . . . . . . . . . . .   9
       5.2.1.  Type-1  . . . . . . . . . . . . . . . . . . . . . . .  10
       5.2.2.  Type-2  . . . . . . . . . . . . . . . . . . . . . . .  11
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .  11
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  12
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  12
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .  12
     8.2.  Informative References  . . . . . . . . . . . . . . . . .  13



Hu, et al.               Expires 31 August 2026                 [Page 2]

Internet-Draft               IKEv2 PQTH Auth               February 2026


   Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . .  14
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  14

1.  Change log

1.1.  changes in -04

   *  align to draft-ietf-lamps-pq-composite-sigs-14

   *  add text to clarify two setup types

   *  add text to describe the example exchange in section 5

   *  clarify using of pre-hash alg

   *  clarify sign operation in type-2

   *  ietf-lamps-cert-binding-for-multi-auth is now RFC9763

   *  ietf-lamps-dilithium-certificates is now RFC9881

   *  editorial changes

1.2.  changes in -03

   *  version bump to keep doc alive

1.3.  Changes in -02

   *  clarify the approach in the document is general

   *  dropping support for PreHash ML-DSA, change example to Pure
      Signature ML-DSA

   *  adding more details in signing process to align with ietf-lamps-
      pq-composite-sigs-04

   *  add text in Security Considerations to emphasize prohibit of key
      reuse

   *  clarify the both C and S bit MAY be 1 at the same time

   *  clarify the receiver behavior when the announcement contains no
      algid

   *  typo fixes





Hu, et al.               Expires 31 August 2026                 [Page 3]

Internet-Draft               IKEv2 PQTH Auth               February 2026


1.4.  Changes in -01

   *  Only use SUPPORTED_AUTH_METHODS for algorithm combination
      announcement, no longer use SIGNATURE_HASH_ALGORITHMS

   *  add flag field in the announcement

   *  clarify two types of PKI setup

   *  add some clarifications on how AUTH payload is computed

2.  Introduction

   A Cryptographically Relevant Quantum Computer (CRQC) could break
   traditional asymmetric cryptographic algorithms: e.g RSA, ECDSA,
   which are widely deployed authentication options of IKEv2.  New Post-
   Quantum Cryptographic (PQC) algorithms for digital signature were
   recently published like NIST [ML-DSA], However, by considering
   potential flaws in the new algorithm's specifications and
   implementations, it will take time for these new PQC algorithms to be
   field proven.  So it is risky to only use PQC algorithms before they
   are mature.  There is more detailed discussion on motivation of a
   hybrid approach for authentication in Section 1.2 of
   [I-D.ietf-pquip-hybrid-signature-spectrums].

   This document describes a post-quantum traditional (PQ/T) hybrid
   digital signature authentication scheme for IKEv2 that incorporates
   both traditional and PQC digital signature algorithms, so that
   authentication is secure as long as one algorithm in the hybrid
   scheme is secure.

   Each IPsec peer announces the support of hybrid authentication via
   SUPPORTED_AUTH_METHODS notification as defined in [RFC9593],
   generates and verifies AUTH payload using composite signature using
   the procedures defined in [I-D.ietf-lamps-pq-composite-sigs].

   The approach specified in this document is a general framework for
   all PQC and traditional algorithms.  The combinations of ML-DSA
   variants and traditional algorithms given in this document are
   instantiations of the general framework.

   There are two types of PQ/T hybrid PKI setup:

   1.  Type-1: A single certificate that has a composite key as defined
       in [I-D.ietf-lamps-pq-composite-sigs], which contains two
       component keys: one traditional key + one PQC key.





Hu, et al.               Expires 31 August 2026                 [Page 4]

Internet-Draft               IKEv2 PQTH Auth               February 2026


   2.  Type-2: Two certificates, one certificate with traditional
       algorithm key and one certificate with PQC algorithm key as
       described in [RFC9763], Each certificate MAY contain
       RelatedCertificate extension to associate with the other
       certificate.

   A given deployment could use either type to provide PQ/T hybrid PKI.
   This document supports both types.

3.  Conventions and Definitions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   Cryptographically Relevant Quantum Computer (CRQC): A quantum
   computer that is capable of breaking real world cryptographic
   systems.

   Post-Quantum Cryptographic (PQC) algorithms: Asymmetric Cryptographic
   algorithms are thought to be secure against CRQC.

   Traditional Cryptographic algorithms: Existing asymmetric
   Cryptographic algorithms could be broken by CRQC, like RSA, ECDSA
   ..etc.

4.  IKEv2 Key Exchange

   There is no changes introduced in this document to the IKEv2 key
   exchange process, although it MUST be also resilient to CRQC when
   using along with the PQ/T hybrid authentication, for example key
   exchange using the PPK as defined in [RFC8784], or hybrid key
   exchanges that includes PQC algorithm like [ML-KEM] via multiple key
   exchange process as defined in [I-D.ietf-ipsecme-ikev2-mlkem].

5.  Exchanges

   The hybrid authentication exchanges is illustrated in an example
   depicted in Figure 1, using PPK as defined in [RFC8784] during key
   exchange.  However, other PQC key exchanges could also be used since
   how key exchange is done is independent from authentication.








Hu, et al.               Expires 31 August 2026                 [Page 5]

Internet-Draft               IKEv2 PQTH Auth               February 2026


   Initiator                         Responder
   -------------------------------------------------------------------
   HDR, SAi1, KEi, Ni,
             N(USE_PPK) -->
                     <--  HDR, SAr1, KEr, Nr, [CERTREQ,] N(USE_PPK),
                                         N(SUPPORTED_AUTH_METHODS)

   HDR, SK {IDi, CERT+, [CERTREQ,]
           [IDr,] AUTH, SAi2,
           TSi, TSr, N(PPK_IDENTITY, PPK_ID),
           N(SUPPORTED_AUTH_METHODS)} -->
                               <--  HDR, SK {IDr, CERT+, [CERTREQ,]
                                         AUTH, [N(PPK_IDENTITY)]}

    Figure 1: Hybrid Authentication Exchanges with RFC8784 Key Exchange

   1.  Responder announces the hybrid authentication support via
       SUPPORTED_AUTH_METHODS notification in IKE_SA_INIT response
       message.  The notification includes the combinations of PQC,
       traditional, hash algorithm and type of hybrid PKI setup that
       responder supports.

   2.  Initiator chooses a combination from responder's
       SUPPORTED_AUTH_METHODS, uses the combination to generate the AUTH
       payload, along with corresponding signing certificate(s) in CERT
       payload(s), and includes its support of hybrid combinations in
       SUPPORTED_AUTH_METHODS notification of IKE_AUTH request message.

   3.  Responder chooses a combination from initiator's
       SUPPORTED_AUTH_METHODS, uses the combination to generate the AUTH
       payload, and includes corresponding signing certificate(s) in
       CERT payload(s) of IKE_AUTH response message.

5.1.  Announcement

   Announcement of support hybrid authentication is through
   SUPPORTED_AUTH_METHODS notification as defined in [RFC9593], which
   includes a list of acceptable authentication methods announcements.
   This document defines a hybrid authentication announcement with
   following format:











Hu, et al.               Expires 31 August 2026                 [Page 6]

Internet-Draft               IKEv2 PQTH Auth               February 2026


                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Length (>=2) |  Auth Method  |   Cert Link 1 | Alg 1 flag    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Alg 1 Len     |                                               |
   +-+-+-+-+-+-+-+-+                                               |
   ~                      AlgorithmIdentifier 1                    ~
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Cert Link 2   | Alg 2 flag    |  Alg 2 Len    |               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+               +
   |                                                               |
   ~                      AlgorithmIdentifier 2                    ~
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   ~                      ...                                      ~
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Cert Link 3   | Alg 3 flag    |  Alg 3 Len    |               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+               +
   |                                                               |
   ~                      AlgorithmIdentifier N                    ~
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                Figure 2: Hybrid Authentication Announcement

   The announcement includes a list of N algorithms could be used for
   hybrid signature

   *  Auth Method: A new value to be allocated by IANA

   *  Cert Link N: Links corresponding signature algorithm N with a
      particular CA, as defined in Section 3.2.2 of [RFC9593]

   *  Alg N Flag:

      -  C: set to 1 if the algorithm could be used in type-1 setup

      -  S: set to 1 if the algorithm could be used in type-2 setup

      -  Both C and S MAY be set to 1 but MUST NOT set to zero at the
         same time

      -  RESERVED: set to 0





Hu, et al.               Expires 31 August 2026                 [Page 7]

Internet-Draft               IKEv2 PQTH Auth               February 2026


        0 1 2 3 4 5 6 7
       +-+-+-+-+-+-+-+-+
       |C|S| RESERVED  |
       +-+-+-+-+-+-+-+-+

                          Figure 3: Algorithm Flag

   *  AlgorithmIdentifier N: The variable-length ASN.1 object that is
      encoded using Distinguished Encoding Rules (DER) [X.690] and
      identifies the algorithm of a composite signature as defined in
      Section 7 of [I-D.ietf-lamps-pq-composite-sigs].

5.1.1.  Sending Announcement

   As defined in [RFC9593], the responder includes
   SUPPORTED_AUTH_METHODS in IKE_SA_INIT response (and potentially also
   in IKE_INTERMEDIATE response), while the initiator includes the
   notification in IKE_AUTH request.

   The sender includes a hybrid authentication announcement in
   SUPPORTED_AUTH_METHODS, which contains 0 or N composite signature
   AlgorithmIdentifiers sender accepts.  Each AlgorithmIdentifier
   identifies a combination of algorithms as specified in Section 6 of
   [I-D.ietf-lamps-pq-composite-sigs]:

   *  a traditional PKI algorithm (e.g. id-RSASA-PSS)

   *  a PQC algorithm (e.g. id-ML-DSA-44)

   *  a pre-hash algorithm (e.g. id-sha256)

   In case of type-2 setup, even though the certificate is not a
   composite key certificate, system still uses a composite signature
   algorithm that corresponds to the combination of two certificates PKI
   algorithms and hash algorithm(s).

   C and S bits in flag field are set according to whether sender
   accepts the algorithm combination in type-1/type-2 setup.

   Announcement without any AlgorithmIdentifiers signals that there is
   no particular restrictions on algorithm.










Hu, et al.               Expires 31 August 2026                 [Page 8]

Internet-Draft               IKEv2 PQTH Auth               February 2026


5.1.2.  Receiving Announcement

   If hybrid authentication announcement is received, and the receiver
   chooses to authenticate itself using hybrid authentication, then
   based on its local policy and certificates, one AlgorithmIdentifier
   (which identifies a combination of algorithms) in the hybrid
   authentication announcement and a PKI setup (type-1 or type-2) is
   chosen to create its AUTH and CERT payload(s).

   If there is no AlgorithmIdentifier in the announcement, the receiver
   MAY choose AlgorithmIdentifier just according to its local policy and
   certificates.

5.2.  AUTH & CERT payload

   The IKEv2 AUTH payload has following format as defined in Section 3.8
   of [RFC7296]:

                           1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     | Next Payload  |C|  RESERVED   |         Payload Length        |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     | Auth Method   |                RESERVED                       |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                                                               |
     ~                      Authentication Data                      ~
     |                                                               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                           Figure 4: AUTH payload

   For hybrid authentication, the AUTH Method has value defined in
   Section 5.1

   The Authentication Data field follows format defined in Section 3 of
   [RFC7427]:














Hu, et al.               Expires 31 August 2026                 [Page 9]

Internet-Draft               IKEv2 PQTH Auth               February 2026


                          1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     | ASN.1 Length  | AlgorithmIdentifier ASN.1 object              |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                                                               |
     ~        AlgorithmIdentifier ASN.1 object continuing            ~
     |                                                               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                                                               |
     ~                         Signature Value                       ~
     |                                                               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

            Figure 5: Authentication Data in hybrid AUTH payload

   Based on selected AlgorithmIdentifier and setup type, the Signature
   Value is created via procedure defined in Section 5.2.1,
   Section 5.2.2.

5.2.1.  Type-1

   Assume selected AlgorithmIdentifier is A.

   1.  There is no change on data to be signed, e.g.
       InitiatorSignedOctets/ResponderSignedOctets as defined in
       Section 2.15 of [RFC7296]

   2.  Follow Sign operation identified by A, e.g. Section 3.2 of
       [I-D.ietf-lamps-pq-composite-sigs].  The ctx input is the string
       of "IKEv2-PQT-Hybrid-Auth".  This step outputs the composite
       signature, a CompositeSignatureValue.

   3.  CompositeSignatureValue is serialized per Section 4.3 of
       [I-D.ietf-lamps-pq-composite-sigs], and the output is used as
       Signature Value in the Authentication Data field.

   Note: [I-D.ietf-lamps-pq-composite-sigs] uses a pre-hash algorithm
   with [ML-DSA] pure mode (Algorithm 2), not the HashML-DSA as defined
   in [ML-DSA], see Section 2.1 of [I-D.ietf-lamps-pq-composite-sigs]
   for the rationale.

   Following is an initiator example:

   1.  A is id-MLDSA44-RSA2048-PSS-SHA256, which uses PQC ML-DSA-44 and
       traditional RSASSA-PSS with pre-hash function SHA256





Hu, et al.               Expires 31 August 2026                [Page 10]

Internet-Draft               IKEv2 PQTH Auth               February 2026


   2.  Follow Section 3.2 of [I-D.ietf-lamps-pq-composite-sigs] with
       following inputs:

       *  sk is the private key of the signing composite key certificate

       *  M is InitiatorSignedOctets

       *  ctx is "IKEv2-PQT-Hybrid-Auth"

   The signing composite certificate MUST be the first CERT payload.

5.2.2.  Type-2

   1.  Combine PQC key and traditional key into composite key using
       SerializePrivateKey operation as defined in Section 4.2 of
       [I-D.ietf-lamps-pq-composite-sigs].

   2.  Follow Sign operation as Section 5.2.1

   Note: Section 6 of [RFC9881] defines 3 options for ML-DSA private key
   storage, this document requires options that include seed since Sign
   operation of [I-D.ietf-lamps-pq-composite-sigs] only supports seed.

   With example in Section 5.2.1:

   *  sk is the combined private key, e.g. output of SerializePrivateKey

   *  M is InitiatorSignedOctets

   *  ctx is "IKEv2-PQT-Hybrid-Auth"

   The signing PQC certificate MUST be the first CERT payload in the
   IKEv2 message, while traditional certificate MUST be the second CERT
   payload.

5.2.2.1.  RelatedCertificate

   In type-2 setup, the signing certificate MAY contain
   RelatedCertificate extension, then the receiver SHOULD verify the
   extension according to Section 4.2 of [RFC9763].  Failed verification
   SHOULD fail authentication.

6.  Security Considerations

   The security of general PQ/T hybrid authentication is discussed in
   [I-D.ietf-pquip-hybrid-signature-spectrums].





Hu, et al.               Expires 31 August 2026                [Page 11]

Internet-Draft               IKEv2 PQTH Auth               February 2026


   This document uses mechanisms defined in
   [I-D.ietf-lamps-pq-composite-sigs], [RFC7427] and [RFC9593], so the
   security discussion in the corresponding RFCs also apply.

   One important security consideration mentioned in
   [I-D.ietf-lamps-pq-composite-sigs] worth repeating here is that
   component key used in either Section 5.2.1 or Section 5.2.2 MUST NOT
   be reused in any other cases including single-algorithm case.

7.  IANA Considerations

   This document requests a value in "IKEv2 Authentication Method"
   subregistry under IANA "Internet Key Exchange Version 2 (IKEv2)
   Parameters" registry

8.  References

8.1.  Normative References

   [I-D.ietf-lamps-pq-composite-sigs]
              Ounsworth, M., Gray, J., Pala, M., Klaußner, J., and S.
              Fluhrer, "Composite ML-DSA for use in X.509 Public Key
              Infrastructure", Work in Progress, Internet-Draft, draft-
              ietf-lamps-pq-composite-sigs-15, 24 February 2026,
              <https://datatracker.ietf.org/doc/html/draft-ietf-lamps-
              pq-composite-sigs-15>.

   [I-D.ietf-pquip-hybrid-signature-spectrums]
              Bindel, N., Hale, B., Connolly, D., and F. D, "Hybrid
              signature spectrums", Work in Progress, Internet-Draft,
              draft-ietf-pquip-hybrid-signature-spectrums-07, 20 June
              2025, <https://datatracker.ietf.org/doc/html/draft-ietf-
              pquip-hybrid-signature-spectrums-07>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/rfc/rfc2119>.

   [RFC7296]  Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T.
              Kivinen, "Internet Key Exchange Protocol Version 2
              (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October
              2014, <https://www.rfc-editor.org/rfc/rfc7296>.

   [RFC7427]  Kivinen, T. and J. Snyder, "Signature Authentication in
              the Internet Key Exchange Version 2 (IKEv2)", RFC 7427,
              DOI 10.17487/RFC7427, January 2015,
              <https://www.rfc-editor.org/rfc/rfc7427>.



Hu, et al.               Expires 31 August 2026                [Page 12]

Internet-Draft               IKEv2 PQTH Auth               February 2026


   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.

   [RFC9593]  Smyslov, V., "Announcing Supported Authentication Methods
              in the Internet Key Exchange Protocol Version 2 (IKEv2)",
              RFC 9593, DOI 10.17487/RFC9593, July 2024,
              <https://www.rfc-editor.org/rfc/rfc9593>.

   [RFC9763]  Becker, A., Guthrie, R., and M. Jenkins, "Related
              Certificates for Use in Multiple Authentications within a
              Protocol", RFC 9763, DOI 10.17487/RFC9763, June 2025,
              <https://www.rfc-editor.org/rfc/rfc9763>.

   [RFC9881]  Massimo, J., Kampanakis, P., Turner, S., and B. E.
              Westerbaan, "Internet X.509 Public Key Infrastructure --
              Algorithm Identifiers for the Module-Lattice-Based Digital
              Signature Algorithm (ML-DSA)", RFC 9881,
              DOI 10.17487/RFC9881, October 2025,
              <https://www.rfc-editor.org/rfc/rfc9881>.

   [X.690]    "Information Technology - ASN.1 encoding rules:
              Specification of Basic Encoding Rules (BER), Canonical
              Encoding Rules (CER) and Distinguished Encoding Rules
              (DER)", ISO/IEC 8825-1:2021 (E), ITU-T Recommendation
              X.690, February 2021.

8.2.  Informative References

   [I-D.ietf-ipsecme-ikev2-mlkem]
              Kampanakis, P., "Post-quantum Key Exchange with ML-KEM in
              the Internet Key Exchange Protocol Version 2 (IKEv2)",
              Work in Progress, Internet-Draft, draft-ietf-ipsecme-
              ikev2-mlkem-04, 26 February 2026,
              <https://datatracker.ietf.org/doc/html/draft-ietf-ipsecme-
              ikev2-mlkem-04>.

   [ML-DSA]   "Module-Lattice-Based Digital Signature Standard", NIST 
              FIPS-204, August 2023,
              <https://csrc.nist.gov/pubs/fips/204/final>.

   [ML-KEM]   "Module-Lattice-Based Key-Encapsulation Mechanism
              Standard", NIST FIPS-203, August 2023,
              <https://csrc.nist.gov/pubs/fips/203/final>.







Hu, et al.               Expires 31 August 2026                [Page 13]

Internet-Draft               IKEv2 PQTH Auth               February 2026


   [RFC8784]  Fluhrer, S., Kampanakis, P., McGrew, D., and V. Smyslov,
              "Mixing Preshared Keys in the Internet Key Exchange
              Protocol Version 2 (IKEv2) for Post-quantum Security",
              RFC 8784, DOI 10.17487/RFC8784, June 2020,
              <https://www.rfc-editor.org/rfc/rfc8784>.

   [RFC9370]  Tjhai, CJ., Tomlinson, M., Bartlett, G., Fluhrer, S., Van
              Geest, D., Garcia-Morchon, O., and V. Smyslov, "Multiple
              Key Exchanges in the Internet Key Exchange Protocol
              Version 2 (IKEv2)", RFC 9370, DOI 10.17487/RFC9370, May
              2023, <https://www.rfc-editor.org/rfc/rfc9370>.

Acknowledgments

   TODO acknowledge.

Authors' Addresses

   Jun Hu
   Nokia
   United States of America
   Email: jun.hu@nokia.com


   Yasufumi Morioka
   NTT DOCOMO, INC.
   Japan
   Email: yasufumi.morioka.dt@nttdocomo.com


   Guilin Wang
   Huawei
   Singapore
   Email: Wang.Guilin@huawei.com

















Hu, et al.               Expires 31 August 2026                [Page 14]
