Currently in IKEv2, signature-based authentication is per algorithm, i.e., there is one authentication method for RSA digital signatures, one for DSS digital signatures (using SHA-1), and three for different ECDSA curves, each tied to exactly one hash algorithm. This design is cumbersome when more signature algorithms, hash algorithms, and elliptic curves need to be supported. RFC 7427 generalizes IKEv2 signature support to allow any signature method supported by PKIX and also adds signature hash algorithm negotiation.

Why is it important for libreswan and what problem does it solve?

Currently Libreswan only supports RSA as the digital signature authentication method. Therefore there is a need for an extension so that other methods, such as ECDSA or EdDSA, can be used easily. Implementing RFC 7427 would solve this problem, as the new digital signature method is flexible enough to include all current signature methods (RSA, DSA, ECDSA, RSASSA-PSS, etc.) and to add new methods (ECGDSA, ElGamal, etc.) in the future.
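The flexibility comes from the RFC 7427 Authentication Data layout: one length octet, a DER AlgorithmIdentifier, then the signature value. The sketch below is an added example, not libreswan code; it splits such a blob and accepts only identifiers from a small table, and the name `parse_auth_sig` and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DER AlgorithmIdentifier encodings as listed in RFC 7427, Appendix A. */
struct sig_alg { const char *name; size_t len; uint8_t der[15]; };
static const struct sig_alg known_algs[] = {
    { "sha1WithRSAEncryption", 15, {0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,
                                    0xf7,0x0d,0x01,0x01,0x05,0x05,0x00} },
    { "sha256WithRSAEncryption", 15, {0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,
                                      0xf7,0x0d,0x01,0x01,0x0b,0x05,0x00} },
    { "ecdsa-with-sha256", 12, {0x30,0x0a,0x06,0x08,0x2a,0x86,0x48,0xce,
                                0x3d,0x04,0x03,0x02} },
    { "ecdsa-with-sha384", 12, {0x30,0x0a,0x06,0x08,0x2a,0x86,0x48,0xce,
                                0x3d,0x04,0x03,0x03} },
};
/* Constructed sample: length octet, ecdsa-with-sha256, 4 dummy signature bytes. */
const uint8_t sample_auth[17] = { 0x0c, 0x30,0x0a,0x06,0x08,0x2a,0x86,0x48,0xce,
                                  0x3d,0x04,0x03,0x02, 0xde,0xad,0xbe,0xef };

/* Split Authentication Data (auth method 14) into AlgorithmIdentifier and
 * signature. Returns the algorithm name, or NULL when the blob is truncated
 * or the identifier is not in the table (reject rather than guess). */
const char *parse_auth_sig(const uint8_t *buf, size_t len,
                           const uint8_t **sig, size_t *sig_len)
{
    if (buf == NULL || len < 3)
        return NULL;
    size_t alg_len = buf[0];               /* one-octet ASN.1 Length field */
    if (alg_len == 0 || alg_len > len - 2) /* need >= 1 signature byte */
        return NULL;
    for (size_t i = 0; i < sizeof(known_algs) / sizeof(known_algs[0]); i++) {
        const struct sig_alg *a = &known_algs[i];
        if (a->len == alg_len && memcmp(a->der, buf + 1, alg_len) == 0) {
            *sig = buf + 1 + alg_len;      /* signature follows the identifier */
            *sig_len = len - 1 - alg_len;
            return a->name;
        }
    }
    return NULL;
}

int main(void)
{
    const uint8_t *sig = NULL; size_t n = 0;
    const char *alg = parse_auth_sig(sample_auth, sizeof(sample_auth), &sig, &n);
    printf("%s, %zu signature bytes\n", alg ? alg : "rejected", n);
    return 0;
}
```

Supporting another signature scheme means adding a table row rather than a new IKEv2 authentication method.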



Sahana Prasad


  • Paul Wouters
  • Tuomo Soini