--- 1/draft-ietf-ipsecme-chacha20-poly1305-07.txt	2015-05-13 15:15:02.926978587 -0700
+++ 2/draft-ietf-ipsecme-chacha20-poly1305-08.txt	2015-05-13 15:15:02.950979170 -0700
@@ -1,18 +1,18 @@
 
 Network Working Group                                             Y. Nir
 Internet-Draft                                               Check Point
-Intended status: Standards Track                             May 7, 2015
-Expires: November 8, 2015
+Intended status: Standards Track                            May 14, 2015
+Expires: November 15, 2015
 
             ChaCha20, Poly1305 and their use in IKE & IPsec
-                draft-ietf-ipsecme-chacha20-poly1305-07
+                draft-ietf-ipsecme-chacha20-poly1305-08
 
 Abstract
 
    This document describes the use of the ChaCha20 stream cipher along
    with the Poly1305 authenticator, combined into an AEAD algorithm for
    the Internet Key Exchange protocol (IKEv2) and for IPsec.
 
 Status of This Memo
 
    This Internet-Draft is submitted in full conformance with the
@@ -21,21 +21,21 @@
    Internet-Drafts are working documents of the Internet Engineering
    Task Force (IETF).  Note that other groups may also distribute
    working documents as Internet-Drafts.  The list of current Internet-
    Drafts is at http://datatracker.ietf.org/drafts/current/.
 
    Internet-Drafts are draft documents valid for a maximum of six months
    and may be updated, replaced, or obsoleted by other documents at any
    time.  It is inappropriate to use Internet-Drafts as reference
    material or to cite them other than as "work in progress."
 
-   This Internet-Draft will expire on November 8, 2015.
+   This Internet-Draft will expire on November 15, 2015.
 
 Copyright Notice
 
    Copyright (c) 2015 IETF Trust and the persons identified as the
    document authors.  All rights reserved.
 
    This document is subject to BCP 78 and the IETF Trust's Legal
    Provisions Relating to IETF Documents
    (http://trustee.ietf.org/license-info) in effect on the date of
    publication of this document.  Please review these documents
@@ -80,34 +80,34 @@
    the only other widely supported cipher being the much slower 3DES, it
    is not feasible to re-configure IPsec installations away from AES.
    [standby-cipher] describes this issue and the need for a standby
    cipher in greater detail.
 
    This document proposes the fast and secure ChaCha20 stream cipher as
    such a standby cipher in an Authenticated Encryption with Associated
    Data (AEAD) construction with the Poly1305 authenticator for use with
    the Encapsulated Security Protocol (ESP - [RFC4303]) and the Internet
    Key Exchange Protocol (IKEv2 - [RFC7296]).  The algorithms are
-   described in a separate document ([chacha_poly]).  This document only
+   described in a separate document ([RFC7539]).  This document only
    describes the IPsec-specific things.
 
 1.1.  Conventions Used in This Document
 
    The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
    "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
    document are to be interpreted as described in [RFC2119].
 
 2.  ChaCha20 & Poly1305 for ESP
 
    AEAD_CHACHA20_POLY1305 is a combined mode algorithm, or AEAD.  The
    construction follows the AEAD construction in section 2.8 of
-   [chacha_poly]:
+   [RFC7539]:
 
    o  The Initialization Vector (IV) is 64-bit, and is used as part of
       the nonce.  The IV MUST be unique for each invocation for a
       particular SA but does not need to be unpredictable.  The use of a
       counter or a linear feedback shift register (LFSR) is RECOMMENDED.
    o  A 32-bit Salt is prepended to the 64-bit IV to form the 96-bit
       nonce.  The salt is fixed per SA and it is not transmitted as part
       of the ESP packet.
    o  The encryption key is 256-bit.
    o  The Internet Key Exchange protocol generates a bitstring called
@@ -133,22 +133,22 @@
    plaintext, no padding should be necessary.  However, in keeping with
    the specification in RFC 4303, the plaintext always has a pad length
    octet and a Next Header octet and may require padding bytes so as to
    align the buffer to an integral multiple of 4 octets.
 
    The same key and nonce, along with a block counter of zero are passed
    to the ChaCha20 block function, and the top 256 bits of the result
    are used as the Poly1305 key.
 
    Finally, the Poly1305 function is run on the data to be
-   authenticated, which is, as specified in section 2.8 of [chacha_poly]
-   a concatenation of the following in the below order:
+   authenticated, which is, as specified in section 2.8 of [RFC7539] a
+   concatenation of the following in the below order:
 
    o  The Authenticated Additional Data (AAD) - see Section 2.1.
    o  Zero-octet padding that rounds the length up to 16 bytes.  This is
       4 or 8 bytes depending on the length of the AAD.
    o  The ciphertext
    o  Zero octet padding that rounds the total length up to an integral
       multiple of 16 bytes.
    o  The length of the additional authenticated data (AAD) in octets
       (as a 64-bit integer encoded in little-endian byte order).
    o  The length of the ciphertext in octets (as a 64-bit integer
@@ -208,21 +208,21 @@
 
    The most important security consideration in implementing this draft
    is the uniqueness of the nonce used in ChaCha20.  The nonce should be
    selected uniquely for a particular key, but unpredictability of the
    nonce is not required.  Counters and LFSRs are both acceptable ways
    of generating unique nonces.
 
    Another issue with implementing these algorithms is avoiding side
    channels.  This is trivial for ChaCha20, but requires some care for
    Poly1305.  Considerations for implementations of these algorithms are
-   in the [chacha_poly] document.
+   in [RFC7539].
 
    The Salt value in used nonce construction in ESP and IKEv2 is derived
    from the keystream, same as the encryption key.  It is never
    transmitted on the wire, but the security of the algorithm does not
    depend on its secrecy.  Thus implementations that keep keys and other
    secret material within some security boundary MAY export the Salt
    from the security boundary.  This may be useful if the API provided
    by the library accepts the nonce as parameter rather than the IV.
 
 6.  IANA Considerations
@@ -255,24 +255,22 @@
 
    [RFC5282]  Black, D. and D. McGrew, "Using Authenticated Encryption
               Algorithms with the Encrypted Payload of the Internet Key
               Exchange version 2 (IKEv2) Protocol", RFC 5282, August
               2008.
 
    [RFC7296]  Kivinen, T., Kaufman, C., Hoffman, P., Nir, Y., and P.
               Eronen, "Internet Key Exchange Protocol Version 2
               (IKEv2)", RFC 7296, October 2014.
 
-   [chacha_poly]
-              Langley, A. and Y. Nir, "ChaCha20 and Poly1305 for IETF
-              protocols", draft-nir-cfrg-chacha20-poly1305-01 (work in
-              progress), January 2014.
+   [RFC7539]  Langley, A. and Y. Nir, "ChaCha20 and Poly1305 for IETF
+              protocols", RFC 7539, May 2015.
 
 8.2.  Informative References
 
    [AE]       Bellare, M. and C. Namprempre, "Authenticated Encryption:
               Relations among notions and analysis of the generic
               composition paradigm", 2000,
               <http://cseweb.ucsd.edu/~mihir/papers/oem.html>.
 
    [FIPS-197]
               National Institute of Standards and Technology, "Advanced