To whom it may concern..
what`s the current state of the RFC 8784 [1] in OPNsense/stronswan/..?
(and whats the state at client side, windows11 :-D)
Maybe OPNsense may write use two lines about?
facts:
- stronswan seems to have it implemented already. [2]
- DH/RSA/EC should be considered as broken soon [3]
- symmetric AES256 should be used everywhere, because AES128 is dead soon too, as Grover [4] tells us quantum will reduce AES256 to a AES128 problem.
- BSI (Bundesamt für Sicherheit in der Informationstechnik) finally told us today, we need to be quantum safe at about ~2030 [5]
- i prefer symmetric only encryption like aes256 or one-time-pads ;-), so RFC 8784 will mix the "best" of both worlds
- a seemless integration is being specified, so you can deploy new PPK ("the anti-quantum 2nd PSK key" or lets say additional key for encryption) as optional first. once deployed you can enable enforcement later.
[1] https://datatracker.ietf.org/doc/html/rfc8784
[2] https://docs.strongswan.org/docs/latest/features/ietf.html
[3] https://en.wikipedia.org/wiki/Shor%27s_algorithm (Wikipedia! :-P)
[4] https://en.wikipedia.org/wiki/Grover%27s_algorithm (Wikipedia!)
[5] https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2026/260211_Ende_klassischer_Verschluesselungsverfahren.html