ChaCha20, Poly1305, and Their Use in the Internet Key Exchange Protocol (IKE) and IPsec
RFC 7634

[Ballot comment]
This is easier than usual to read for this sort of draft :-)

-- Section 1, 1st paragraph:
I concur with Stephen's comment. Furthermore, this entire paragraph pretty much reads like advertising copy. Can it be toned down a bit?

-- 8.1 (Normative References)

The reference to [RFC7539]  is a normative downref. I don't see it on the downref registry, nor was it mentioned in the last call notice. (For the record, I think it's a reasonable downref.)

[Ballot comment]

intro: "gold standard" is being a bit too keen IMO, I'd say
toning the language down a bit would be better.

intro: 3DES may be the "only other widely supported" cipher
for IPsec, but that's not true more generally.

section 2 says: "As the ChaCha20 block function is not applied
directly to the plaintext, no padding should be necessary."
That "should" could be confusing as written if a reader thinks
it means their code doesn't have to do padding. It might be
better to e.g. say something like "In theory no padding is
needed for this cipher, however, in keeping with..."

section 3: Is "SHOULD inlude no padding" really right?  I'd
have thought a MAY was better there.  "MUST accept any length"
is also a bit odd - what if I (try:-) add loads of padding?

Appendices: thanks for those - I assume someone checked them
for you? (I didn't:-)

(Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs:

IANA has reviewed draft-ietf-ipsecme-chacha20-poly1305-10.  Authors should review the comments and/or questions below.  Please report any inaccuracies and respond to any questions as soon as possible.

We received the following comments/questions from the IANA's reviewer:

IANA understands that, upon approval of this document, there is a single action which must be completed.

In the Transform Type 1 - Encryption Algorithm Transform IDs subregistry of the Internet Key Exchange Version 2 (IKEv2) Parameters registry located at:

http://www.iana.org/assignments/ikev2-parameters/

a single value will be registered as follows:

Number: [ TBA ]
Name: ENCR_CHACHA20_POLY1305
ESP Reference: [ RFC-to-be ]
IKEv2 Reference: [ RFC-to-be ]

As this document requests registrations in an Expert Review or Specification Required (see RFC 5226) registry, we will initiate the required Expert Review via a separate request. Expert review will need to be completed before your document can be approved for publication as an RFC.

IANA understands that this is the only action required to be completed upon approval of this document.

Note:  The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is only to confirm what actions will be performed. 

Please note that IANA cannot reserve specific values. However, early allocation is available for some types of registrations. For more information, please see RFC 7120.

The following Last Call announcement was sent out:

From: The IESG
To: IETF-Announce
CC:
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (ChaCha20, Poly1305 and their use in IKE & IPsec) to Proposed Standard


The IESG has received a request from the IP Security Maintenance and
Extensions WG (ipsecme) to consider the following document:
- 'ChaCha20, Poly1305 and their use in IKE & IPsec'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2015-06-29. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


  This document describes the use of the ChaCha20 stream cipher along
  with the Poly1305 authenticator, combined into an AEAD algorithm for
  the Internet Key Exchange protocol (IKEv2) and for IPsec.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-ipsecme-chacha20-poly1305/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-ipsecme-chacha20-poly1305/ballot/


No IPR declarations have been submitted directly on this I-D.

Shepherd writeup for draft-ietf-ipsecme-chacha20-poly1305

1. Summary

Paul Hoffman is the document shepherd, and Kathleen Moriarty is the responsible Area
Director.

This document describes the use of the ChaCha20 stream cipher along with the Poly1305
authenticator, combined into an AEAD algorithm for both IKEv2 and IPsec.

2. Review and Consensus

The document was discussed fairly well in the WG, both as an individual draft and then as
a WG document. The WG Last Call elicited good review and changes to the document during,
and after, the WG Last Call.

3. Intellectual Property

The author stated that he does not know of any relevant IPR for this document, and points
out that the algorithms and construction have been proposed earlier.

4. Other Points

The same combination of crypto algorithms are being discussed for use in TLS; however,
this document is only for IKEv2 and IPsec.

Shepherd writeup for draft-ietf-ipsecme-chacha20-poly1305

1. Summary

Paul Hoffman is the document shepherd, and Kathleen Moriarty is the responsible Area
Director.

This document describes the use of the ChaCha20 stream cipher along with the Poly1305
authenticator, combined into an AEAD algorithm for both IKEv2 and IPsec.

2. Review and Consensus

The document was discussed fairly well in the WG, both as an individual draft and then as
a WG document. The WG Last Call elicited good review and changes to the document during
the WG Last Call.

3. Intellectual Property

The author stated that he does not know of any relevant IPR for this document, and points
out that the algorithms and construction have been proposed earlier.

4. Other Points

The same combination of crypto algorithms are being discussed for use in TLS; however,
this document is only for IKEv2 and IPsec.