Re: Promoting PRF_AES128_CBC and AUTH_AES_XCBC_96 from SHOULD to SHOULD+

Hugo Krawczyk <hugo@ee.technion.ac.il> Sat, 07 June 2003 01:25 UTC

Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id VAA20452 for <ipsec-archive@lists.ietf.org>; Fri, 6 Jun 2003 21:25:42 -0400 (EDT)
Received: by lists.tislabs.com (8.9.1/8.9.1) id TAA17341 Fri, 6 Jun 2003 19:34:37 -0400 (EDT)
Date: Sat, 07 Jun 2003 02:40:27 +0300
From: Hugo Krawczyk <hugo@ee.technion.ac.il>
To: Theodore Ts'o <tytso@mit.edu>
cc: David Blaker <DBlaker@NetOctave.com>, IPsec WG <ipsec@lists.tislabs.com>
Subject: Re: Promoting PRF_AES128_CBC and AUTH_AES_XCBC_96 from SHOULD to SHOULD+
In-Reply-To: <20030606195203.GB4070@think>
Message-ID: <Pine.GSO.4.21.0306070216050.22287-100000@ee.technion.ac.il>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk

> 
> Good catch.  It appears that ikev2-algorithms-01 is in error:
> PRF_AES128_CBC is not defined in draft-ietf-ipsec-aes-cbc-05, and I
> don't see any drafts where it is defined.  So we need to modify
> ikev2-algorithms to point at a (currently non-existent) I-D, and we
> need to find a volunteer to quickly gin up an I-D which defines
> PRF_AES128_CBC.

That's easy: the right document to point to is
draft-ietf-ipsec-ciph-aes-xcbc-mac-04.txt.

The function defined there is exactly what the algorithms I-D calls
PRF_AES128_CBC (maybe we should rename it to PRF_AES128_XCBC),
except that draft-ietf-ipsec-ciph-aes-xcbc-mac-04.txt mandates the
truncation to 96 bits which is not necessary (nor recommended) here.
Thus one can define PRF_AES128_XCBC by referring to the above I-D and
saying that no truncation takes place (all the 128 bits of output
from AES128 are output by the prf).
This means ignoring the text in draft-ietf-ipsec-ciph-aes-xcbc-mac-04.txt
after sec 4.2.

It would be nice if draft-ietf-ipsec-ciph-aes-xcbc-mac-04.txt were
reorganized a bit such that first aes-xcbc-mac is defined with output
equal to the block length (does this draft refer only to aes128?).
Then a section about truncation is added where aes-xcbc-mac-96 is defined.
A couple of test cases for aes-xcbc-mac could be added.
In this way ikev2 could cleanly refer to aes-xcbc-mac as defined in
draft-ietf-ipsec-ciph-aes-xcbc-mac-04.txt.

Hugo