> On Apr 28, 2015, at 4:09 PM, Michael Richardson <[email protected]> wrote:
>
>
> Yoav Nir <[email protected]> wrote:
>>> Is this diagram correct:
>
> some comment on the accuracy of my diagram would be appreciated :-)

I’ll get to that later.

>
>>> I think that the IANA considerations of ipsecme-chacha20-poly1305
>>> should say
>>> something like,
>>> "According to cfrg-chacha20, Poly-1305 is not suitable for
>>> use as a PRF for IKEv2, and this specification explicitly
>>> does not allocate a code point for that.”
>
>> That’s kind of a weird thing to write. We don’t allocate an ICMPv6 type
>> number either. It’s kind of sad because while Poly1305 is not a good
>> PRF, ChaCha20 is. But unfortunately it’s not a good PRF for IKEv2 as it
>> requires a constant-size key, and RFC 7296 requires that all PRFs
>> support any size key. Of course we could add the blake2 hash function
>> to convert any non-256-bit key to a 256-bit key, and blake2 is based on
>> the ChaCha20 block function. But we chose not to do this. At least not
>> yet.
>
> I predict that in two years, there will be a stream of queries from
> @gmail/@hotmail accounts asking in broken English why there isn't a PRF
> number. I'll bet we even get an Errata filed :-)

But we’re not even creating an AUTH entry…

> The bit about ChaCha also being wrong would be useful to write down
> somewhere.

https://tools.ietf.org/html/draft-irtf-cfrg-chacha20-poly1305-10#section-2.7

Yoav
