Skip to content

Cross-transport PQC: (D)TLS hybrid/pure ML‑KEM; IKEv2/IPsec hybrids + re‑key #75

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
vparla wants to merge 6 commits into
base: develop
Choose a base branch
from
Open

Cross-transport PQC: (D)TLS hybrid/pure ML‑KEM; IKEv2/IPsec hybrids + re‑key #75

vparla wants to merge 6 commits into from

Conversation

@vparla
Copy link

@vparla vparla commented Dec 1, 2025
edited
Loading

Summary

  • Clarify PQC guidance across transports.
  • (D)TLS: add NamedGroups for hybrid and pure ML‑KEM.
  • IKEv2/IPsec: hybrids via RFC 9242/9370; include re‑key guidance; telemetry wording.

Changes

  • Updated source rule:
    • c:\Work\rules\sources\core\codeguard-1-post-quantum-cryptography.md
  • Regenerated skill:
    • c:\Work\rules\skills\software-security\rules\codeguard-1-post-quantum-cryptography.md

(D)TLS specifics

  • Hybrids per I-D.ietf-tls-ecdhe-mlkem:
    • X25519MLKEM768
    • SecP256r1MLKEM768
    • SecP384r1MLKEM1024 (high‑assurance)
  • Pure PQC per I-D.ietf-tls-mlkem-key-agreement:
    • ML‑KEM‑768 baseline; ML‑KEM‑1024 where required; avoid ML‑KEM‑512 except in constrained environments
  • Use vendor‑documented identifiers; avoid legacy “Hybrid‑Kyber”.

IKEv2/IPsec specifics

  • Enforce IKEv2; ESP with AEAD; PFS via ECDHE; disable legacy suites.
  • Hybrids with ML‑KEM‑768 + ECDHE (X25519 or P‑256) using RFC 9242/9370 multi‑KE; apply to initial and re‑key (CREATE_CHILD_SA).
  • Re‑key: time/byte lifetimes for IKE_SA and CHILD_SAs; ensure hybrids persist across re‑keys.

Validation

  • Validator: 109/109 passed
  • Converter: skills regenerated
  • Frontmatter: description + alwaysApply: true

@vparla vparla changed the title docs(pqc): cross-transport PQC (TLS/DTLS, IPsec/IKEv2); regenerate skills cross-transport PQC (TLS/DTLS, IPsec/IKEv2) guidance Dec 1, 2025
@vparla vparla changed the title cross-transport PQC (TLS/DTLS, IPsec/IKEv2) guidance Cross-transport PQC: (D)TLS hybrid/pure ML‑KEM; IKEv2/IPsec hybrids + re‑key Dec 4, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@vparla