<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-quic-extended-key-update-03" category="std" consensus="true" submissionType="IETF" updates="9001" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title>Extended Key Update for QUIC</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-quic-extended-key-update-03"/>
    <author initials="Y." surname="Rosomakho" fullname="Yaroslav Rosomakho">
      <organization>Zscaler</organization>
      <address>
        <email>yrosomakho@zscaler.com</email>
      </address>
    </author>
    <author initials="H." surname="Tschofenig" fullname="Hannes Tschofenig">
      <organization abbrev="UniBw M.">University of the Bundeswehr Munich</organization>
      <address>
        <postal>
          <city>Neubiberg</city>
          <region>Bavaria</region>
          <code>85577</code>
          <country>Germany</country>
        </postal>
        <email>hannes.tschofenig@gmx.net</email>
      </address>
    </author>
    <author initials="T." surname="Reddy" fullname="Tirumaleswar Reddy">
      <organization>Nokia</organization>
      <address>
        <postal>
          <city>Bangalore</city>
          <region>Karnataka</region>
          <country>India</country>
        </postal>
        <email>kondtir@gmail.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>Transport</area>
    <workgroup>QUIC</workgroup>
    <keyword>quic</keyword>
    <keyword>extended key update</keyword>
    <keyword>forward secrecy</keyword>
    <abstract>
      <?line 57?>

<t>This document specifies an Extended Key Update mechanism for the QUIC protocol, building on the
foundation of the TLS Extended Key Update. The TLS Extended Key Update specification enhances the
TLS protocol by introducing key updates with forward secrecy, eliminating the need to perform a
full handshake. This feature is particularly beneficial for maintaining security in scenarios
involving long-lived connections.</t>
      <t>This specification replaces the QUIC Key Update mechanism described in the "Using TLS to
Secure QUIC" specification.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://quicwg.org/extended-key-update/draft-ietf-quic-extended-key-update.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-ietf-quic-extended-key-update/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        QUIC Working Group mailing list (<eref target="mailto:quic@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/quic/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/quic/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/quicwg/extended-key-update"/>.</t>
    </note>
  </front>
  <middle>
    <?line 68?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>The QUIC protocol <xref target="QUIC"/> provides a secure, versatile transport for various applications, suitable for long-lived sessions
in environments like industrial IoT, telecommunication networks or Virtual Private Networks (VPN), as specified in <xref target="RFC9484"/>.</t>
      <t>The TLS Extended Key Update <xref target="TLS-EKU"/> introduces a mechanism to enhance the security and flexibility
of encrypted communication protocols by enabling frequent key updates without requiring a full handshake renegotiation. This
approach allows applications to refresh their encryption keys more often using ephemeral keys, improving forward secrecy and reducing the risk of key compromise over long-lived connections. By separating key updates from the computationally expensive handshake process,
the specification provides a lightweight method for maintaining robust encryption in scenarios where connections need to
remain secure for extended periods.</t>
      <t>The TLS Extended Key Update mechanism is particularly valuable in environments where interruptions to perform a full key exchange would cause significant disruption. Other encrypted communication protocols, such as IPsec <xref target="IKEv2"/> and SSH <xref target="SSH-TRANSPORT"/>, include mechanisms for rekeying without interrupting active sessions. The TLS Extended Key Update specification helps protect sensitive data even in the event of a potential key compromise by enabling frequent key rotation and leveraging forward secrecy.</t>
      <t>This specification builds on concepts from <xref target="TLS-EKU"/> and applies them to the QUIC protocol context.
It thereby replaces the QUIC Key Update mechanism described in <xref section="6" sectionFormat="of" target="QUIC-TLS"/>. Unlike the previous QUIC key update process, which independently updated keys based on the Key Phase bit, the extended key update mechanism derives a new shared secret using the TLS Extended Key Update procedure. This approach enables a coordinated key transition, integrating TLS for key exchange while refining the QUIC key update process to maintain QUIC-specific key derivation.</t>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

<t>Readers are assumed to be familiar with <xref target="TLS-EKU"/>.</t>
    </section>
    <section anchor="extended-key-update-negotiation">
      <name>Extended Key Update Negotiation</name>
      <t>QUIC peers negotiate Extended Key Update through the TLS handshake process, as outlined in <xref section="3" sectionFormat="of" target="TLS-EKU"/>.
Extended Key Update <bcp14>MUST NOT</bcp14> be used unless both QUIC peers include the TLS flags extension <xref target="TLS-FLAGS"/> in the handshake and
set the "Extended_Key_Update" flag.</t>
      <t>Once the Extended Key Update has been successfully negotiated, QUIC peers <bcp14>MUST</bcp14> use only the Extended Key Update process defined in this document. The standard QUIC Key Update mechanism from <xref section="6" sectionFormat="of" target="QUIC-TLS"/> <bcp14>MUST NOT</bcp14> be used for the duration of the session, as both Key Update and Extended Key Update use the Key Phase bit to signal the use of updated keys. The Key Phase bit is initially set to 0 and toggled to indicate a key update following the successful post-handshake exchange of Extended Key Update messages. The Key Phase bit <bcp14>MUST</bcp14> only be changed as a result of a successful Extended Key Update exchange.</t>
    </section>
    <section anchor="extended-key-update-messages">
      <name>Extended Key Update Messages</name>
      <t>As specified in <xref section="4" sectionFormat="of" target="TLS-EKU"/>, either party <bcp14>MAY</bcp14> initiate the Extended Key Update process by sending an ExtendedKeyUpdate TLS handshake message with key_update_request message subtype in a QUIC CRYPTO frame. This message <bcp14>MUST NOT</bcp14> be sent before the QUIC handshake is confirmed, as described in <xref section="4.1.2" sectionFormat="of" target="QUIC-TLS"/>. If a QUIC endpoint receives an ExtendedKeyUpdate message before the handshake is complete, it <bcp14>MUST</bcp14> terminate the connection with an error of type 0x010a, equivalent to the TLS unexpected_message alert, as specified in <xref section="4.8" sectionFormat="of" target="QUIC-TLS"/>.</t>
      <t>If both QUIC peers independently initiate an Extended Key Update and their ExtendedKeyUpdate messages cross in flight, the conflict <bcp14>MUST</bcp14> be resolved following the clash error handling defined in <xref section="4" sectionFormat="of" target="TLS-EKU"/>. Specifically, the lexicographic order of the key_exchange value in the KeyShareEntry determines which request is dropped, ensuring a coordinated key update process without advancing by two key generations.</t>
      <t>Upon receiving an ExtendedKeyUpdate with key_update_request, the recipient <bcp14>MUST</bcp14> respond with an ExtendedKeyUpdate TLS handshake message with key_update_response message subtype within a QUIC CRYPTO frame. If a QUIC endpoint receives an ExtendedKeyUpdate with key_update_response message subtype without having previously sent an ExtendedKeyUpdate with key_update_request message subtype, it <bcp14>MUST</bcp14> treat this as a TLS protocol error and terminate the connection with an error of type 0x010a, equivalent to the TLS unexpected_message alert, as specified in <xref section="4.8" sectionFormat="of" target="QUIC-TLS"/>.</t>
      <t>Any mismatch between the negotiated NamedGroup during the initial handshake and the group used in the ExtendedKeyUpdate message, or an incorrect length of the encapsulated key <bcp14>MUST</bcp14> result in connection termination with error of type 0x012f, equivalent to TLS illegal_parameter alert.</t>
      <t>ExtendedKeyUpdate TLS handshake message with new_key_update message subtype <bcp14>MUST NOT</bcp14> be used in QUIC. If a QUIC endpoint receives an ExtendedKeyUpdate message with new_key_update message subtype, it <bcp14>MUST</bcp14> terminate the connection with an error of type 0x010a, equivalent to the TLS unexpected_message alert, as specified in <xref section="4.8" sectionFormat="of" target="QUIC-TLS"/>.</t>
    </section>
    <section anchor="updating-the-traffic-secrets">
      <name>Updating the Traffic Secrets</name>
      <t>After sending an ExtendedKeyUpdate with key_update_response message subtype, the responder derives new packet protection traffic secrets. The responder <bcp14>MUST</bcp14> continue using the previous secrets until it has received a packet with the Key Phase bit flipped and has successfully decrypted it using the new keys.</t>
      <t>After receiving and successfully processing an ExtendedKeyUpdate with key_update_response message subtype, the initiator derives new packet protection traffic secrets, flips the Key Phase bit for new packets, and uses the new write secret to protect them. The initiator <bcp14>MUST</bcp14> retain the old read secret until it has received a packet with a flipped Key Phase bit from the responder and successfully decrypted it using the new read secret.</t>
      <t>Both endpoints <bcp14>SHOULD</bcp14> retain old read secrets for some time after successfully decrypting a packet encrypted with the new keys. Discarding old secrets too early may cause delayed packets to be discarded, which the peer may be interpreted as packet loss, potentially impacting performance. However, implementations may choose to discard old secrets sooner in environments where memory limitations or security policies require minimizing the lifetime of old keys. The retention period should be chosen carefully to mitigate the risk of cryptographic attacks while still allowing late-arriving packets to be processed.</t>
      <t><xref target="fig-extended-key-update"/> shows this interaction graphically where the initial set of keys used (identified with @M) are replaced by updated keys (identified with @N). The value of the Key Phase bit is indicated in brackets [].</t>
      <figure anchor="fig-extended-key-update">
        <name>Extended Key Update Process in QUIC.</name>
        <artset>
          <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="464" width="560" viewBox="0 0 560 464" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
              <path d="M 240,80 L 304,80" fill="none" stroke="black"/>
              <path d="M 240,112 L 304,112" fill="none" stroke="black"/>
              <path d="M 240,160 L 304,160" fill="none" stroke="black"/>
              <path d="M 240,176 L 304,176" fill="none" stroke="black"/>
              <path d="M 240,240 L 304,240" fill="none" stroke="black"/>
              <path d="M 240,288 L 304,288" fill="none" stroke="black"/>
              <path d="M 240,336 L 304,336" fill="none" stroke="black"/>
              <path d="M 240,416 L 304,416" fill="none" stroke="black"/>
              <polygon class="arrowhead" points="312,416 300,410.4 300,421.6" fill="black" transform="rotate(0,304,416)"/>
              <polygon class="arrowhead" points="312,240 300,234.4 300,245.6" fill="black" transform="rotate(0,304,240)"/>
              <polygon class="arrowhead" points="312,160 300,154.4 300,165.6" fill="black" transform="rotate(0,304,160)"/>
              <polygon class="arrowhead" points="312,80 300,74.4 300,85.6" fill="black" transform="rotate(0,304,80)"/>
              <polygon class="arrowhead" points="248,336 236,330.4 236,341.6" fill="black" transform="rotate(180,240,336)"/>
              <polygon class="arrowhead" points="248,288 236,282.4 236,293.6" fill="black" transform="rotate(180,240,288)"/>
              <polygon class="arrowhead" points="248,176 236,170.4 236,181.6" fill="black" transform="rotate(180,240,176)"/>
              <polygon class="arrowhead" points="248,112 236,106.4 236,117.6" fill="black" transform="rotate(180,240,112)"/>
              <g class="text">
                <text x="104" y="36">Initiator</text>
                <text x="416" y="36">Responder</text>
                <text x="12" y="68">@M</text>
                <text x="40" y="68">[0]</text>
                <text x="76" y="68">QUIC</text>
                <text x="128" y="68">Packets</text>
                <text x="332" y="100">@M</text>
                <text x="360" y="100">[0]</text>
                <text x="396" y="100">QUIC</text>
                <text x="448" y="100">Packets</text>
                <text x="8" y="148">[</text>
                <text x="88" y="148">ExtendedKeyUpdate</text>
                <text x="100" y="164">key_update_request</text>
                <text x="184" y="164">]</text>
                <text x="328" y="180">[</text>
                <text x="440" y="180">ExtendedKeyUpdateResponse</text>
                <text x="416" y="196">key_update_response</text>
                <text x="552" y="196">]</text>
                <text x="16" y="212">...</text>
                <text x="60" y="212">Update</text>
                <text x="100" y="212">to</text>
                <text x="124" y="212">@N</text>
                <text x="12" y="228">@N</text>
                <text x="40" y="228">[1]</text>
                <text x="76" y="228">QUIC</text>
                <text x="128" y="228">Packets</text>
                <text x="348" y="260">Update</text>
                <text x="388" y="260">to</text>
                <text x="412" y="260">@N</text>
                <text x="440" y="260">...</text>
                <text x="340" y="276">QUIC</text>
                <text x="392" y="276">Packets</text>
                <text x="440" y="276">[1]</text>
                <text x="468" y="276">@N</text>
                <text x="340" y="308">QUIC</text>
                <text x="392" y="308">Packets</text>
                <text x="440" y="308">[1]</text>
                <text x="468" y="308">@N</text>
                <text x="364" y="324">containing</text>
                <text x="424" y="324">ACK</text>
                <text x="16" y="356">...</text>
                <text x="48" y="356">Key</text>
                <text x="92" y="356">Update</text>
                <text x="160" y="356">Permitted</text>
                <text x="12" y="388">@N</text>
                <text x="40" y="388">[1]</text>
                <text x="76" y="388">QUIC</text>
                <text x="128" y="388">Packets</text>
                <text x="44" y="404">containing</text>
                <text x="104" y="404">ACK</text>
                <text x="136" y="404">for</text>
                <text x="164" y="404">@N</text>
                <text x="208" y="404">packets</text>
                <text x="336" y="436">Key</text>
                <text x="380" y="436">Update</text>
                <text x="448" y="436">Permitted</text>
                <text x="504" y="436">...</text>
              </g>
            </svg>
          </artwork>
          <artwork type="ascii-art"><![CDATA[
        Initiator                              Responder

@M [0] QUIC Packets
                             -------->
                                        @M [0] QUIC Packets
                             <--------

[ ExtendedKeyUpdate
   key_update_request ]      -------->
                             <--------  [ ExtendedKeyUpdateResponse
                                          key_update_response       ]
... Update to @N
@N [1] QUIC Packets
                             -------->
                                        Update to @N ...
                                        QUIC Packets [1] @N
                             <--------
                                        QUIC Packets [1] @N
                                        containing ACK
                             <--------
... Key Update Permitted

@N [1] QUIC Packets
containing ACK for @N packets
                             -------->
                                        Key Update Permitted ...

]]></artwork>
        </artset>
      </figure>
      <t>QUIC endpoints that have agreed to the Extended Key Update process <bcp14>MUST NOT</bcp14> change the Key Phase bit without a succesful exchange of
Extended Key Update TLS messages. Receiving a packet with the Key Phase bit changed without a successful Extended Key Update exchange <bcp14>MUST</bcp14> be treated as
a connection error of type KEY_UPDATE_ERROR (0x0e), as defined in <xref section="20.1" sectionFormat="of" target="QUIC"/>.</t>
      <t>Key derivation function for computing the next generation of secrets is described in <xref section="7" sectionFormat="of" target="TLS-EKU"/>. The corresponding key and IV are derived from the new secret as defined in <xref section="5.1" sectionFormat="of" target="QUIC-TLS"/>. The header protection key is not updated.</t>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>All Security Considerations defined in <xref section="11" sectionFormat="of" target="TLS-EKU"/> apply to Extended Key Update for QUIC.</t>
      <t>This specification describes an update to the key schedule of QUIC. Therefore, implementations <bcp14>MUST</bcp14> ensure that peers adhere strictly to the process
described in this document. Packets with higher packet numbers <bcp14>MUST NOT</bcp14> be protected using an older generation of secrets, as this could compromise key
synchronization and forward security.</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document has no IANA actions.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="QUIC">
          <front>
            <title>QUIC: A UDP-Based Multiplexed and Secure Transport</title>
            <author fullname="J. Iyengar" initials="J." role="editor" surname="Iyengar"/>
            <author fullname="M. Thomson" initials="M." role="editor" surname="Thomson"/>
            <date month="May" year="2021"/>
            <abstract>
              <t>This document defines the core of the QUIC transport protocol. QUIC provides applications with flow-controlled streams for structured communication, low-latency connection establishment, and network path migration. QUIC includes security measures that ensure confidentiality, integrity, and availability in a range of deployment circumstances. Accompanying documents describe the integration of TLS for key negotiation, loss detection, and an exemplary congestion control algorithm.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9000"/>
          <seriesInfo name="DOI" value="10.17487/RFC9000"/>
        </reference>
        <reference anchor="TLS-EKU">
          <front>
            <title>Extended Key Update for Transport Layer Security (TLS) 1.3</title>
            <author fullname="Hannes Tschofenig" initials="H." surname="Tschofenig">
              <organization>Siemens</organization>
            </author>
            <author fullname="Michael Tüxen" initials="M." surname="Tüxen">
              <organization>Münster Univ. of Applied Sciences</organization>
            </author>
            <author fullname="Tirumaleswar Reddy.K" initials="T." surname="Reddy.K">
              <organization>Nokia</organization>
            </author>
            <author fullname="Steffen Fries" initials="S." surname="Fries">
              <organization>Siemens</organization>
            </author>
            <author fullname="Yaroslav Rosomakho" initials="Y." surname="Rosomakho">
              <organization>Zscaler</organization>
            </author>
            <date day="4" month="July" year="2026"/>
            <abstract>
              <t>   TLS 1.3 ensures forward secrecy by performing an ephemeral Diffie-
   Hellman key exchange during the initial handshake, protecting past
   communications even if a party's long-term keys (typically a private
   key with a corresponding certificate) are later compromised.

   While the built-in KeyUpdate mechanism allows application traffic
   keys to be refreshed during a session, it does not incorporate fresh
   entropy from a new key exchange and therefore does not provide post-
   compromise security.  This limitation can pose a security risk in
   long-lived sessions, such as those found in industrial IoT or
   telecommunications environments.

   To address this, this specification defines an extended key update
   mechanism that performs a fresh execution of the key exchange
   negotiated during the initial handshake within an active session,
   thereby ensuring post-compromise security.

   By forcing attackers to exfiltrate new key material repeatedly, this
   approach mitigates the risks associated with static key compromise.
   Regular renewal of session keys helps contain the impact of such
   compromises.  The extension is applicable to both TLS 1.3 and DTLS
   1.3.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-tls-extended-key-update-13"/>
        </reference>
        <reference anchor="QUIC-TLS">
          <front>
            <title>Using TLS to Secure QUIC</title>
            <author fullname="M. Thomson" initials="M." role="editor" surname="Thomson"/>
            <author fullname="S. Turner" initials="S." role="editor" surname="Turner"/>
            <date month="May" year="2021"/>
            <abstract>
              <t>This document describes how Transport Layer Security (TLS) is used to secure QUIC.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9001"/>
          <seriesInfo name="DOI" value="10.17487/RFC9001"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="TLS-FLAGS">
          <front>
            <title>A Flags Extension for TLS 1.3</title>
            <author fullname="Yoav Nir" initials="Y." surname="Nir">
              <organization>Dell Technologies</organization>
            </author>
            <date day="17" month="March" year="2026"/>
            <abstract>
              <t>   A number of extensions are proposed in the TLS working group that
   carry no interesting information except the 1-bit indication that a
   certain optional feature is supported.  Such extensions take 4 octets
   each.  This document defines a flags extension that can provide such
   indications at an average marginal cost of 1 bit each.  More
   precisely, it provides as many flag extensions as needed at 4 + the
   order of the last set bit divided by 8.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-tls-tlsflags-17"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC9484">
          <front>
            <title>Proxying IP in HTTP</title>
            <author fullname="T. Pauly" initials="T." role="editor" surname="Pauly"/>
            <author fullname="D. Schinazi" initials="D." surname="Schinazi"/>
            <author fullname="A. Chernyakhovsky" initials="A." surname="Chernyakhovsky"/>
            <author fullname="M. Kühlewind" initials="M." surname="Kühlewind"/>
            <author fullname="M. Westerlund" initials="M." surname="Westerlund"/>
            <date month="October" year="2023"/>
            <abstract>
              <t>This document describes how to proxy IP packets in HTTP. This protocol is similar to UDP proxying in HTTP but allows transmitting arbitrary IP packets. More specifically, this document defines a protocol that allows an HTTP client to create an IP tunnel through an HTTP server that acts as an IP proxy. This document updates RFC 9298.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9484"/>
          <seriesInfo name="DOI" value="10.17487/RFC9484"/>
        </reference>
        <reference anchor="IKEv2">
          <front>
            <title>Internet Key Exchange Protocol Version 2 (IKEv2)</title>
            <author fullname="C. Kaufman" initials="C." surname="Kaufman"/>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
            <author fullname="Y. Nir" initials="Y." surname="Nir"/>
            <author fullname="P. Eronen" initials="P." surname="Eronen"/>
            <author fullname="T. Kivinen" initials="T." surname="Kivinen"/>
            <date month="October" year="2014"/>
            <abstract>
              <t>This document describes version 2 of the Internet Key Exchange (IKE) protocol. IKE is a component of IPsec used for performing mutual authentication and establishing and maintaining Security Associations (SAs). This document obsoletes RFC 5996, and includes all of the errata for it. It advances IKEv2 to be an Internet Standard.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="79"/>
          <seriesInfo name="RFC" value="7296"/>
          <seriesInfo name="DOI" value="10.17487/RFC7296"/>
        </reference>
        <reference anchor="SSH-TRANSPORT">
          <front>
            <title>The Secure Shell (SSH) Transport Layer Protocol</title>
            <author fullname="T. Ylonen" initials="T." surname="Ylonen"/>
            <author fullname="C. Lonvick" initials="C." role="editor" surname="Lonvick"/>
            <date month="January" year="2006"/>
            <abstract>
              <t>The Secure Shell (SSH) is a protocol for secure remote login and other secure network services over an insecure network.</t>
              <t>This document describes the SSH transport layer protocol, which typically runs on top of TCP/IP. The protocol can be used as a basis for a number of secure network services. It provides strong encryption, server authentication, and integrity protection. It may also provide compression.</t>
              <t>Key exchange method, public key algorithm, symmetric encryption algorithm, message authentication algorithm, and hash algorithm are all negotiated.</t>
              <t>This document also describes the Diffie-Hellman key exchange method and the minimal set of algorithms that are needed to implement the SSH transport layer protocol. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="4253"/>
          <seriesInfo name="DOI" value="10.17487/RFC4253"/>
        </reference>
      </references>
    </references>
    <?line 190?>

<section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>We would like to thank Martin Thomson and Sean Turner for their early review of this design and their invaluable feedback.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA81a63LbuJL+z6fAKn9mTlmKncmcZFxziZN4Jq7El7XlOZVN
pVwQCUkoU4QOAFrRuDLPss+yT7ZfNwCK1CWXsztVR1WJJRJA37u/brLf72de
+1Idit7xB6+qQhXitVqK63khvRJjY8V/Xp+86GU5fk6MXR4K54ssK0xeyRm2
FVaOfV8rP+7/s9Z5X8VT+rdq2a/5lP7+d5mrRzPtnDaVX86x7eR4+KsQD4Qs
nQFtjS1z2lf53p7oqUJ7Y7Us6cfJ0XP8ASO9k8vhr72sqmcjZQ8zOvpwja9A
0B2KH/b3D7LcVE5VrsZvb2uV3R2K7zJplTwUQysrNzfWZwtjbyfW1PNDljQD
37hUHGaiL0gi+puEErgpAg26DO0spC2EU7lV+TK7U1UNloRonydEkPgfoKOr
ifiN7uHqTOrykCk8I+0NjJ3gqrT5FPqYej93hw8f0iK6pO/UIK16SBcejqxZ
OPWQ9j/sEUntp/UIW+nKYvJwix1oWUnq8S0KYTmfu2XLwy8w72DqZ2Uvy2Tt
p8aS3kBHCF1B7b23A3FpnJnJ26np8fVxXZbBdd5Ka1wp71YreAFYkZX+Q3o4
y6H4L5fLUlm+o4LOljatf/ZHuDvIzaxD99VADF0+NWNV6cka2VeyqpRbv9+l
el1B49ZpvxRmLPxUiec1xHYLNbXitK50PuVdcjSy6o7XP1+I0wFfzLHtUJyp
eqThqOF4qyZ88HN5J+HYYZ2pK0+e+5uyM1kt48UCPD79/vsnT9oyT5npgW+Y
fjaZfRhUynfEHkLbqiiWaxIPta1n0JODt7YWdEU+M7eJL+b/uawmsjRWdfh/
LW0lvbxdk+CkKuLmyG/v1lSF1xZs4jfZBx5SGcjpodnDLNPVuPUr6/f7UKbz
VuY+y4ZT7QRSTD1DQhBurnI91rCZrMS2LDVTOfSj3YzzFVmLIk/MrfEmN+We
GNW6LCj4TEW3szH4LljuZN7hm6ttR8ONdt9MjOXhJFWBiRxcEgXakuiL0RLm
8dYUdU5MrJKIEwuE7Xoe2ROq1DMNPdNq4q5SIOyNmCtLWhMyI+OSUxRuKm+Z
TWhsrKSvrRL4OpfW67xG8iiXYqQqBTaRT1lBsEjl8Y9OB8nakpvrSrhcVXBO
42CcO1Pe0f3SVJN+CSMVMDZcMCdR3SCaqKsAq+aljAoIFthqI4RRbhEZBdGk
pb1rR6RIZd5kV8RR2N/rEhgEN5npoihVlj2A1wWl0k3iaM3u4v7+P+jCT5e/
vkA92P/4kW7d6YI8KUiu9gTFOY4vFWpErAmsJYpTU2PlfF5GBtyecLX2clSG
ythSjlNc3Eh1cIQ7bU1FvutEqW9hkKqo4dtkgBMz3BNelQohMaNEEnSHSKZC
5KjO/a6tr7H0wuo7Ut1ZuvfN7xdn3+4J2Sg+6PD+/heS8PHTxx8/DoIednks
NIJb/ePX1z+d9F9ySen70m1L69BWclrW18qAcMTo62y+xoXgjWJcqg96pEv8
zhBaqsrtcu7Ze9riJhM5ig143agkDxhb9c+aIn49QkztBd3TlpZJ0fV+3KqA
AbwOXsKxkMFs1sh8CoRRolJ2zEgSWAVqbkoSaJv4JNZA24kZ8h5SA5QianZO
NZ+qmbKwCt3fE3rGrkRMd4OXtWBVDHXSj9XultIMCQUtYB+QEE6H4+0KL/F8
ifMQwyEFtNUxxnY+lo6qPQsEEaHFDwBQDke1FANaMJ7by9hOnWBtRUKpJ1O/
UPQ/rAxtFxtpwpoRHLitpna+EIupsqotQcpYmaV6UMVg42MbLIVkpk3hPuOx
K7dbz2p3sqw5FNdDLnAD5pW19byxeJM8g/uQUtUHOnyixMLUJUwgaxjG6UnF
eoIjFtrFIwbiHEq0n/doyhHkdk6cXEBsis6T18d3jygLPXn0w98RV+QiV1ev
6Bb+9IeXR2dXF+eXQ1ry+NH33338CAer8rIuWvI71p5V4JssksJiJSZFRk71
tElGX1O9pqqcO5YCJhQEmzWfhaVSKCDblK3puyd/lmKOxZXXISjavr0zqHF8
IEcqKHGUlZMtQbS9vnAVd1TD4Wm5mvsYDff3MadF1XKohzLEyWoDENB+Dz8c
ZCee7loFhv+V6nV/fxUcXvydNMLVpg9mYsU5QD4GNOQSQKfOgRW5pvDxq6hu
4hSuC2QpWt1QmdYUITGNpMPXAGOYwYupJIVrvxess9mpdJhHSeGYr9RCIEdY
FXXuY577BBYKXBaI4wg3mhTLtuZjc4PWiZBL5IBLqiYN7bGnTmJGIxLkzt0g
nFIVRmIOOaexw6aiyKopPfGafvIUXsxiJsjwQLwwFfks5wHyj5dMgX+H3EN7
qOdzond6fTWkppP+irNz/n55DBKXxy/p+9Wrozdvmi9ZXHH16vz6zcvVt9XO
F+enp8dnL8NmXBWdS1nv9Ogt7hBXvfOL4cn52dGbXoi0NgKGnUjkUcxq8CNS
sHRZxxufv7j4n/8+eExFHv736ODgBwRE+PH04AnAAWXGKlAzFTwr/ISel1Qu
FZoDnIJigkQ4B8yhXEZYY2oWlB9g9yz72zvSzPtD8eMonx88/jleIIE7F5PO
OhdZZ5tXNjYHJW65tIVMo83O9TVNd/k9etv5nfTeuvjjL0hdSvQPnv7yM5qT
SyXhUo7NIJ2DTYpojrGcAetAcYzjW4mIHW9bEJ2tkEqWhayk6OyEYNTWXX5q
TT2ZNuG5WeLJUqgHxPdaavqOUlOLsW3nJxuSTDVlmLoqKc5GBmK1uExVKfEx
LuXEhaRDFSfhy1/fHP121UWY+MeLGVby/pUM+JI55UMzkNi7AXs3gb0e04FK
zxPm3CYDEiHYR6FC/SWVUJVfrvRa7LUFYYGp2nMg7DoypZuCMkZqWFqBGQqs
8xCAqtfuqhHrVKdapGIBjWyoP/WxyLadNjVWdrY226ZFjcJ6mxAk5Ua1IP8l
oIPaTfdYE+NOqQmydTdp8gBNFb8kgMqn7DNhbyaTMoQFqhdVbDDUztxjQzg8
5fWViQAinO+vfKGpBmBnOx50Tk7UVvZYjWxQ6DEcQ1kSjADq12VELS3a2wgk
BnZG8GnkIMuONhqxZODHnZhDQ68ZPBJ+XQokoKhGv9ubk+uNSNEVDy9a0w8s
jOu62SBqJ6QjaP8maP+GMZjzzX1Xj2gqyfk+uO2Ly7cXw3M4qpyl+p4Wt73T
UTkaqTH1R02BXtHHLmCrsbYzijfpdsGlx4ODwaNuEAzEyTgxAxnnBqUOdstV
QCzbZE8MtvhZY2U2L1EqgT2ic6B48mBFxRYqNSxBYSACLI3Qo2gj9ex/2D/Y
lzAfWk+0GyR7xJOk9rqinitHwNwkTmgY6bd16CvBn66JnWWQezPPthFg4yw7
5l8cgNzH7tQRlGGNo4ORS6nT20sawM88amdE6MuZ8o4zUDte81KiVw7KIRUz
sm9lxV2ePxBXCcIjZQSaNCHIDZDgHGBXAHYpm9IbeWyTAKi/U6lYQKArgqvH
NG8E5WBIGg8wYk7+TbnZGmAZeB9N/uO8YB2WrqHJ1EvJ4k5W3Lcj6vzC8NqJ
qlRIwtSqXs950EVeuTMkdwRfkB579VyTJ7HKoW+cWDT+968HOJ3j1EaE08Jd
Uf7VAfdVVEmjU8lqSo0PVw3Cs1+htvWzW8FslfShIHOS78xcg69yZPw7xvxR
tRRolWfSw3tHyi8IuIRRb8Ir4gxGKvhxEeGAFIqxAHfhE9/hp04BP8So2ZkO
+HmapJ4+N9ZSxw9BJ1BHDERVoQVAyWwiJjkrVVFdtbWY1NtodFOdj8br6iRV
6rJUE1ne0JhrRgEdNAnlfFUQoJO9WXnNhiduQKvYMf4fys0XkP03rzgPQuVo
Gn4rx9Q7X/EkgIDNmMzxSdzxpakgZT1Oczg0jSBoADGX+S1AZBw6sTNFTsJM
IoK81WbWKA1vdFWr1sSiGazEfVCU1yXZgJqCaNWCJlaBIjO/iYlRCql0cEDR
xk4jUag0+NPtYQnJwXA5aa1dHIruEbHe/D/pNKIC85U63WMx3TbxcdTqCBcG
BYgZ1wi6sNqrNDCikWocF9KkLdhqxVTMGDyiof2mpLm4XM2bvsBEsjHJGqdp
CL5yjQ1lf8JeLTZgtueEvVIKcCJOGiLna1yHIawzM4Szxn8yBMoWugF4RGFW
Q+PG8xq/ES+1y6UNjyfLFSFvjFA86J7JZRxNF6qUSxqdBwvFIUQRDiDME9AQ
hwRwJO/cGBolpkpDY4Nmhks4czanCTIV7DArp2c8A/HKLGhSyw89SkV9b3yM
woxNjXE8nYpsdIRwxgA97ZjQz9TMAMzRs850Iik3PU6aGyBTmuOGJz9YD+ea
6T+SJUs9VmwEZDeiuWpaSdIqTOX5GQONsGi+z10huEX9ApQM5qJJIlx2kjJ0
elrDBmtQqvQeSnNxROnguWV4sMTPSOkdF2ltiPqubWLIqwKOdn8/1pMdj9po
yOYClmFryRC7kT5bJyitDQGoAw8Pllyobd9o6hhCEWBPe3b6LU+t4nC7IGDb
mSdv7jj7NigxwO+IB7aMAUKTz8VmZKPM795DzD///FNKdxfee6DPSZMTPvm5
TLGcZc9Oxbv996E4X4Szs0/u7cfPz59e1vp8NYkfE40se7eZu2nvFuz6/qvY
a0gIsYXEZawGXyyi2FpLwud9NhgMmumigdmzZ2fi3cFfq/Q2PQEGvnhjmynm
Evx+csPKWn8ZidaHIEl8Unr04vWXckYWaHXxF4QUPUIq22qKLg2uQ1g2/2sM
tY0tNhhFd3Z/KB7sSGWC3yb8aevLhBex3U4IvPcxTsBXxddPJTeNqKwTG196
+dyErEH4cW6wma+a/j5Wahr9teaMWyfiBLdXs8bLFaj7DIZMY8d1mp+dNzYj
GG5rw+Md2W4Yuo3C6+O3N9cXL4+GxzfHl5fnl+IbtA7q2zh02zKYebQ/OEiN
ADcBrztPysS4rsJC8qzwcsEKM33wrTkInZIKvN454nuyNggacvtjI2JLrzUQ
bDv5nWtUQLHFCtzxM8oAFncJ9f1KpjRFJDpTfmDTBsFEC7xWxqf6x23QVQIb
L5AbUQrjoAdYHgV+x83tnBwcdOTlh9CMLj71Wu3259xJodyG1k3KjAMy4fKp
KupSJcFZZMsj0E2Ixk7FkzAVgivMF2XBYILeScp94DP0URxS2dorWp0nHilF
sv9P9STMtTkkwpu5rtNzRxvQI6XU+ACsYc9Wf2L3ZYJ5eCNj9U4BRM/cssqn
QJHxpcXwxtHq1QG2Ftv15OjsaMOm3bcKqe2oTFgpm9fa+A2zEcShU47y28os
SlVMGLYi7wUJVfFTbyxLpyiD/SO9PRIe85MiZXUrTulVlQqmMTMXOb1SEH5Y
W0LE8QEPvXrEGJ8aWLg7w60QU3pStQa7umpedxkjLxKH4PZ/AY4ZiCe/LQAA

-->

</rfc>
