--- 1/draft-ietf-ipsecme-chacha20-poly1305-09.txt 2015-06-14 11:14:53.127400058 -0700 +++ 2/draft-ietf-ipsecme-chacha20-poly1305-10.txt 2015-06-14 11:14:53.155400730 -0700 @@ -1,18 +1,18 @@ Network Working Group Y. Nir Internet-Draft Check Point Intended status: Standards Track June 14, 2015 Expires: December 16, 2015 ChaCha20, Poly1305 and their use in IKE & IPsec - draft-ietf-ipsecme-chacha20-poly1305-09 + draft-ietf-ipsecme-chacha20-poly1305-10 Abstract This document describes the use of the ChaCha20 stream cipher along with the Poly1305 authenticator, combined into an AEAD algorithm for the Internet Key Exchange protocol (IKEv2) and for IPsec. Status of This Memo This Internet-Draft is submitted in full conformance with the @@ -182,22 +182,23 @@ | | Pad Length | Next Header | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Integrity Check Value-ICV (variable) | ~ ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ o The IV field is 64-bit. It is the final 64 bits of the 96-bit nonce. If the counter method is used for generating unique IVs, then the final 32 bits of the IV will be equal to the Sequence Number field. - o The Pad Length field need not exceed 4 octets. However, RFC 4303 - and this specification do not prohibit using greater pad lengths. + o The length of the Padding field need not exceed 4 octets. + However, neither RFC 4303 nor this specification require using the + minimal padding length. o The Integrity Check Value field contains the 16 octet tag. 2.1. AAD Construction The construction of the Additional Authenticated Data (AAD) is similar to the one in [RFC4106]. For security associations (SAs) with 32-bit sequence numbers the AAD is 8 octets: a 4-octet SPI followed by 4-octet sequence number ordered exactly as it is in the packet. For SAs with ESN the AAD is 12 octets: a 4-octet SPI followed by an 8-octet sequence number as a 64-bit integer in network