The IESG has received a request from an individual submitter to consider the following document: - 'The AES-XCBC-PRF-128 Algorithm for the Internet Key Exchange Protocol (IKE)' <draft-hoffman-rfc3664bis-05.txt> as a Proposed Standard On 1 July 2005 the IESG received a request to consider publication of draft-hoffman-rfc3664bis-03 as a standards-track RFC. Updates were made based on IETF Last Call comments, the -04 version of the document was discussed during the telechat of 1 September 2005. The document was approved, and placed in the the RFC Editor queue. On 29 September 2005, Paul Hoffman asked the IESG to rescind approval of the document due to an implementation issue that was discovered at the IKEv2 bake-off. The attached note describes this situation more completely. Now, version -05 has addressed this concern, and the IESG has been asked to consider publication of the updated document as a standards-track RFC. The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send any comments to the iesg@ietf.org or ietf@ietf.org mailing lists by 2005-11-23. The file can be obtained via http://www.ietf.org/internet-drafts/draft-hoffman-rfc3664bis-05.txt --- Message Rescinding Approval of draft-hoffman-rfc3664bis-04 --- To: IETF Announcement list <ietf-announce@ietf.org> From: IESG <iesg@ietf.org> Date: Wed, 12 Oct 2005 11:22:01 -0400 Cc: iana@iana.org, rfc-editor@rfc-editor.org Subject: Rescinding Approval of draft-hoffman-rfc3664bis-04 On 1 July 2005 the IESG received a request from Paul Hoffman to consider publication of draft-hoffman-rfc3664bis-03 as a standards-track RFC. Updates were made based on IETF Last Call comments, the -04 version of the document was discussed during the telechat of 1 September 2005. The document was approved, and it is now in the RFC Editor queue. On 29 September 2005, Paul Hoffman asked the IESG to rescind approval of the document due to an implementation issue that was discovered at the IKEv2 bake-off. A summary of the problem is: In IKEv2 section 2.14 on generating keying material, it says: "If the negotiated prf takes a fixed length key and the lengths of Ni and Nr do not add up to that length, half the bits must come from Ni and half from Nr, taking the first bits of each." In section 2.15 on authentication, it says: "If the negotiated prf takes a fixed size key, the shared secret MUST be of that fixed size." In draft-hoffman-rfc3664bis-04 section 1.1 says: "This document specifies the same algorithm as RFC 3664 except that the restriction on keys having to be exactly 128 bits from [AES-XCBC-MAC] is removed. Implementations of RFC 3664 will have the same bits-on-the-wire results as this algorithm; the only difference is that keys that were not equal in length to 128 bits will no longer be rejected, but instead will be made 128 bits. The problem is that changing from fixed-key-size to variable-key-size changes the bits output from generating keying material. Because the nonces must each be at least 128 bits (from IKEv2 section 2.10), the lengths will never add up to the key length unless the key is 256 or longer. A new version of draft-hoffman-rfc3664bis has been posted that attempts to solve the problem. This new version will be the subject of a separate IETF Last Call and IESG action. Accordingly, the IESG agreed to rescind approval to publish draft-hoffman-rfc3664bis-04 as a standards-track RFC. This decision requires that the following action by the RFC Editor: Please remove draft-hoffman-rfc3664bis-04.txt from the RFC Editor queue and discontinue processing of the document. _______________________________________________ IETF-Announce@ietf.org https://www1.ietf.org/mailman/listinfo/ietf-announce
