idnits 2.17.1

draft-ietf-ipsec-ciph-aes-xcbc-mac-03.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate. This must be updated to
     follow RFC 3978/3979, as updated by RFC 4748.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  ** The document seems to lack a 1id_guidelines paragraph about
     Internet-Drafts being working documents.

  ** The document seems to lack a 1id_guidelines paragraph about the list of
     Shadow Directories.

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard

  == The page length should not exceed 58 lines per page, but there was 11
     longer pages, the longest (page 1) being 63 lines

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  == The document seems to lack the recommended RFC 2119 boilerplate, even if
     it appears to use RFC 2119 keywords.

     (The document does seem to have the reference to RFC 2119 which the
     ID-Checklist requires).

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008. If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment. If not, you may need to add the pre-RFC5378 disclaimer.
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)
  -- Couldn't find a document date in the document -- date freshness check
     skipped.

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Looks like a reference, but probably isn't: '1' on line 194

  -- Looks like a reference, but probably isn't: '0' on line 169

  == Unused Reference: 'HANDBOOK' is defined on line 439, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC-2026' is defined on line 447, but no explicit
     reference was found in the text

  -- Possible downref: Non-RFC (?) normative reference: ref. 'AES'

  ** Obsolete normative reference: RFC 2402 (ref. 'AH') (Obsoleted by RFC
     4302, RFC 4305)

  -- Possible downref: Non-RFC (?) normative reference: ref. 'CBC-MAC-1'

  ** Obsolete normative reference: RFC 2406 (ref. 'ESP') (Obsoleted by RFC
     4303, RFC 4305)

  -- Possible downref: Non-RFC (?) normative reference: ref. 'XCBC-MAC-1'

  -- Obsolete informational reference (is this intentional?): RFC 2401 (ref.
     'ARCH') (Obsoleted by RFC 4301)

  -- Obsolete informational reference (is this intentional?): RFC 2411 (ref.
     'ROADMAP') (Obsoleted by RFC 6071)

     Summary: 5 errors (**), 0 flaws (~~), 6 warnings (==), 9 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

Internet Draft                                       IPsec Working Group
February 2003                                        S. Frankel, NIST
Expiration Date: August 2003                         H. Herbert, Intel

          The AES-XCBC-MAC-96 Algorithm and Its Use With IPsec

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026. Internet Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working Groups.
   Note that other groups may also distribute working documents as
   Internet Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Drafts Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This document is a submission to the IETF Internet Protocol Security
   (IPsec) Working Group. Comments are solicited and should be addressed
   to the working group mailing list (ipsec@lists.tislabs.com) or to the
   editors.

   Distribution of this memo is unlimited.

Abstract

   A Message Authentication Code (MAC) is a key-dependent one way hash
   function. One popular way to construct a MAC algorithm is to use a
   block cipher in conjunction with the Cipher-Block-Chaining (CBC) mode
   of operation. The classic CBC-MAC algorithm, while secure for
   messages of a pre-selected fixed length, has been shown to be insecure
   across messages of varying lengths such as the type found in typical
   IP datagrams. This memo specifies the use of AES in CBC mode with a
   set of extensions to overcome this limitation. This new algorithm is
   named AES-XCBC-MAC-96.

Table of Contents

   Abstract
   1.  Introduction
   2.  Specification of Requirements
   3.  Basic CBC-MAC with Obligatory 10* Padding
   4.  AES-XCBC-MAC-96
       4.1  Keying Material
       4.2  Padding
       4.3  Truncation
       4.4  Interaction with the ESP Cipher Mechanism
       4.5  Performance
       4.6  Test Vectors
   5.  Security Considerations
   6.  IANA Considerations
   7.  Intellectual Property Rights Statement
   8.  Acknowledgments
   9.  References
       9.1  Normative References
       9.2  Non-normative References
   10. Authors' Addresses
   11. Full Copyright Statement

1. Introduction

   Message authentication provides data integrity and data origin
   authentication with respect to the original message source. A Message
   Authentication Code (MAC) is a key-dependent one way hash function.
   One popular way to construct a MAC algorithm is to use a block cipher
   in conjunction with the Cipher-Block-Chaining (CBC) mode of
   operation. The classic CBC-MAC algorithm, while secure for messages
   of a pre-selected fixed length [CBC-MAC-2], has been shown to be
   insecure across messages of varying lengths such as the type found in
   typical IP datagrams [CBC-MAC-2, section 5]. In fact, it is trivial
   to produce forgeries for a second message given the MAC of a prior
   message. [HANDBOOK, section 9.62, p. 354]

   This memo specifies the use of AES [AES] in CBC mode [MODES] with a
   set of extensions [XCBC-MAC-1] to overcome this limitation. This new
   algorithm is named AES-XCBC-MAC-96.
   Using the AES block cipher, with its increased block size (128 bits)
   and increased key length (128 bits), provides the new algorithm with
   the ability to withstand continuing advances in crypto-analytic
   techniques and computational capability. AES-XCBC-MAC-96 is used as
   an authentication mechanism within the context of the IPsec
   Encapsulating Security Payload (ESP) and the Authentication Header
   (AH) protocols. For further information on ESP, refer to [ESP] and
   [ROADMAP]. For further information on AH, refer to [AH] and
   [ROADMAP].

   The goal of AES-XCBC-MAC-96 is to ensure that the datagram is
   authentic and cannot be modified in transit. Data integrity and data
   origin authentication as provided by AES-XCBC-MAC-96 are dependent
   upon the scope of the distribution of the secret key. If the key is
   known only by the source and destination, this algorithm will provide
   both data origin authentication and data integrity for datagrams sent
   between the two parties. In addition, only a party with the identical
   key can verify the hash.

2. Specification of Requirements

   The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" that
   appear in this document are to be interpreted as described in
   [RFC-2119].

3. Basic CBC-MAC with Obligatory 10* Padding

   CBC-MAC uses a block cipher for encryption; the block cipher
   transforms b bits of plaintext to b bits of ciphertext. The basic
   CBC-MAC [CBC-MAC-1, CBC-MAC-2] with Obligatory 10* Padding over a
   b-bit block cipher is calculated as follows for a message M:

   (1)  Append a single 1 bit to M. Then append the minimum number of
        0 bits to M such that the length of M is a multiple of b.
        [NOTE: This is 1 of several padding schemes that can be used
        for CBC-MAC. Several others are described in [MODES].]

   (2)  Break M into n blocks, M[1] ... M[n], where the blocksize of
        blocks M[1] ... M[n] is b bits

   (3)  Define E[0] = 0x00000000000000000000000000000000

   (4)  For each block M[i], where i = 1 ... n:
        XOR M[i] with E[i-1], then encrypt the result with Key K,
        yielding E[i].

   (5)  E[n] is the b-bit authenticator.

   Basic CBC-MAC with obligatory 10* padding has been shown to be secure
   for messages up to (but not including) a pre-selected fixed length,
   in which the length is a multiple of the blocksize. This algorithm
   is not suitable for IPsec for the following reasons:

   +  Any IPsec authenticator must be able to handle messages of
      arbitrary length. However, the basic CBC-MAC cannot securely
      handle messages that exceed the pre-selected fixed length.

   +  For messages shorter than the pre-selected fixed length,
      padding the message to the pre-selected fixed length may
      necessitate additional encryption operations, adding an
      unacceptable computational penalty.

4. AES-XCBC-MAC-96

   [AES] describes the underlying AES algorithm, while [CBC-MAC-1] and
   [XCBC-MAC-1] describe the AES-XCBC-MAC algorithm.

   The AES-XCBC-MAC-96 algorithm is a variant of the basic CBC-MAC with
   obligatory 10* padding; however, AES-XCBC-MAC-96 is secure for
   messages of arbitrary length. The AES-XCBC-MAC-96 calculations
   require numerous encryption operations; this encryption MUST be
   accomplished using AES with a 128-bit key. Given a 128-bit secret key
   K, AES-XCBC-MAC-96 is calculated as follows for a message M that
   consists of n blocks, M[1] ... M[n], in which the blocksize of blocks
   M[1] ... M[n-1] is 128 bits and the blocksize of block M[n] is
   between 1 and 128 bits:

   (1)  Derive 3 128-bit keys (K1, K2 and K3) from the 128-bit secret
        key K, as follows:
        K1 = 0x01010101010101010101010101010101 encrypted with Key K
        K2 = 0x02020202020202020202020202020202 encrypted with Key K
        K3 = 0x03030303030303030303030303030303 encrypted with Key K

   (2)  Define E[0] = 0x00000000000000000000000000000000

   (3)  For each block M[i], where i = 1 ... n-1:
        XOR M[i] with E[i-1], then encrypt the result with Key K1,
        yielding E[i].

   (4)  For block M[n]:

        (a)  If the blocksize of M[n] is 128 bits:
             XOR M[n] with E[n-1] and Key K2, then encrypt the
             result with Key K1, yielding E[n].

        (b)  If the blocksize of M[n] is less than 128 bits:

             (i)   Pad M[n] with a single "1" bit, followed by the
                   number of "0" bits (possibly none) required to
                   increase M[n]'s blocksize to 128 bits.

             (ii)  XOR M[n] with E[n-1] and Key K3, then encrypt the
                   result with Key K1, yielding E[n].

   (5)  The authenticator value is the leftmost 96 bits of the 128-bit
        E[n].

   NOTE1: If M is the empty string, pad and encrypt as in (4)(b) to
   create M[1] and E[1]. This will never be the case for ESP or AH, but
   is included for completeness sake.

   NOTE2: [CBC-MAC-1] defines K1 as follows:
        K1 = Constant1A encrypted with Key K |
             Constant1B encrypted with Key K.
   However, the second encryption operation is only needed for
   AES-XCBC-MAC with keys greater than 128 bits; thus, it is not
   included in the definition of AES-XCBC-MAC-96.

   AES-XCBC-MAC-96 verification is performed as follows:
   Upon receipt of the AES-XCBC-MAC-96 authenticator, the entire
   128-bit value is computed and the first 96 bits are compared to
   the value stored in the authenticator field.

4.1 Keying Material

   AES-XCBC-MAC-96 is a secret key algorithm. For use with either ESP or
   AH a fixed key length of 128-bits MUST be supported.
   Key lengths other than 128-bits MUST NOT be supported (i.e. only
   128-bit keys are to be used by AES-XCBC-MAC-96).

   AES-XCBC-MAC-96 actually requires 384 bits of keying material (128
   bits for the AES keysize + 2 times the blocksize). This keying
   material can either be provided through the key generation mechanism
   or it can be generated from a single 128-bit key. The latter approach
   has been selected for AES-XCBC-MAC-96, since it is analogous to other
   authenticators used within IPsec. The reason AES-XCBC-MAC-96 uses 3
   keys is so the length of the input stream does not need to be known
   in advance. This may be useful for systems that do one-pass assembly
   of large packets.

   A strong pseudo-random function MUST be used to generate the required
   128-bit key. This key, along with the 3 derived keys (K1, K2 and K3),
   should be used for no purposes other than those specified in the
   algorithm. In particular, they should not be used as keys in another
   cryptographic setting. Such abuses will invalidate the security of
   the authentication algorithm.

   At the time of this writing there are no specified weak keys for use
   with AES-XCBC-MAC-96. This does not mean to imply that weak keys do
   not exist. If, at some point, a set of weak keys for AES-XCBC-MAC-96
   are identified, the use of these weak keys MUST be rejected followed
   by a request for replacement keys or a newly negotiated Security
   Association.

   [ARCH] describes the general mechanism for obtaining keying material
   when multiple keys are required for a single SA (e.g. when an ESP SA
   requires a key for confidentiality and a key for authentication).

   In order to provide data origin authentication, the key distribution
   mechanism must ensure that unique keys are allocated and that they
   are distributed only to the parties participating in the
   communication.

   Current attacks do not necessitate a specific recommended frequency
   for key changes. However, periodic key refreshment is a fundamental
   security practice that helps against potential weaknesses of the
   function and the keys, reduces the information available to a
   cryptanalyst, and limits the damage resulting from a compromised key.

4.2 Padding

   AES-XCBC-MAC-96 operates on 128-bit blocks of data. Padding
   requirements are specified in [CBC-MAC-1] and are part of the XCBC
   algorithm. If you build AES-XCBC-MAC-96 according to [CBC-MAC-1] you
   do not need to add any additional padding as far as AES-XCBC-MAC-96
   is concerned. With regard to "implicit packet padding" as defined in
   [AH], no implicit packet padding is required.

4.3 Truncation

   AES-XCBC-MAC produces a 128-bit authenticator value. AES-XCBC-MAC-96
   is derived by truncating this 128-bit value as described in [HMAC]
   and verified in [XCBC-MAC-2]. For use with either ESP or AH, a
   truncated value using the first 96 bits MUST be supported. Upon
   sending, the truncated value is stored within the authenticator
   field. Upon receipt, the entire 128-bit value is computed and the
   first 96 bits are compared to the value stored in the authenticator
   field. No other authenticator value lengths are supported by
   AES-XCBC-MAC-96.

   The length of 96 bits was selected because it is the default
   authenticator length as specified in [AH] and meets the security
   requirements described in [XCBC-MAC-2].

4.4 Interaction with the ESP Cipher Mechanism

   As of this writing, there are no known issues which preclude the use
   of AES-XCBC-MAC-96 with any specific cipher algorithm.

4.5 Performance

   For any CBC MAC variant, the major computational effort is expended
   in computing the underlying block cipher.
   This algorithm uses a minimum number of AES invocations, one for each
   block of the message or fraction thereof, resulting in performance
   equivalent to classic CBC-MAC.

   The key expansion requires 3 additional AES encryption operations,
   but these can be performed once in advance for each secret key.

4.6 Test Vectors

   These test cases were provided by John Black, co-author of the
   XCBC-MAC algorithm, who verified them with 2 independent
   implementations. All values are hexadecimal numbers.

   Test Case #1   : AES-XCBC-MAC-96 with 0-byte input
   Key (K)        : 000102030405060708090a0b0c0d0e0f
   Message (M)    :
   AES-XCBC-MAC   : 75f0251d528ac01c4573dfd584d79f29
   AES-XCBC-MAC-96: 75f0251d528ac01c4573dfd5

   Test Case #2   : AES-XCBC-MAC-96 with 3-byte input
   Key (K)        : 000102030405060708090a0b0c0d0e0f
   Message (M)    : 000102
   AES-XCBC-MAC   : 5b376580ae2f19afe7219ceef172756f
   AES-XCBC-MAC-96: 5b376580ae2f19afe7219cee

   Test Case #3   : AES-XCBC-MAC-96 with 16-byte input
   Key (K)        : 000102030405060708090a0b0c0d0e0f
   Message (M)    : 000102030405060708090a0b0c0d0e0f
   AES-XCBC-MAC   : d2a246fa349b68a79998a4394ff7a263
   AES-XCBC-MAC-96: d2a246fa349b68a79998a439

   Test Case #4   : AES-XCBC-MAC-96 with 20-byte input
   Key (K)        : 000102030405060708090a0b0c0d0e0f
   Message (M)    : 000102030405060708090a0b0c0d0e0f10111213
   AES-XCBC-MAC   : 47f51b4564966215b8985c63055ed308
   AES-XCBC-MAC-96: 47f51b4564966215b8985c63

   Test Case #5   : AES-XCBC-MAC-96 with 32-byte input
   Key (K)        : 000102030405060708090a0b0c0d0e0f
   Message (M)    : 000102030405060708090a0b0c0d0e0f10111213141516171819
                    1a1b1c1d1e1f
   AES-XCBC-MAC   : f54f0ec8d2b9f3d36807734bd5283fd4
   AES-XCBC-MAC-96: f54f0ec8d2b9f3d36807734b

   Test Case #6   : AES-XCBC-MAC-96 with 34-byte input
   Key (K)        : 000102030405060708090a0b0c0d0e0f
   Message (M)    : 000102030405060708090a0b0c0d0e0f10111213141516171819
                    1a1b1c1d1e1f2021
   AES-XCBC-MAC   : becbb3bccdb518a30677d5481fb6b4d8
   AES-XCBC-MAC-96: becbb3bccdb518a30677d548

   Test Case #7   : AES-XCBC-MAC-96 with 1000-byte input
   Key (K)        : 000102030405060708090a0b0c0d0e0f
   Message (M)    : 00000000000000000000 ... 00000000000000000000
                    [1000 bytes]
   AES-XCBC-MAC   : f0dafee895db30253761103b5d84528f
   AES-XCBC-MAC-96: f0dafee895db30253761103b

5. Security Considerations

   The security provided by AES-XCBC-MAC-96 is based upon the strength
   of AES. At the time of this writing there are no practical
   cryptographic attacks against AES or AES-XCBC-MAC-96.

   As is true with any cryptographic algorithm, part of its strength
   lies in the correctness of the algorithm implementation, the security
   of the key management mechanism and its implementation, the strength
   of the associated secret key, and upon the correctness of the
   implementation in all of the participating systems. This draft
   contains test vectors to assist in verifying the correctness of
   AES-XCBC-MAC-96 code.

6. IANA Considerations

   IANA has assigned AH Transform Identifier XX to AH_AES-XCBC-MAC.
   IANA has assigned AH/ESP Authentication Algorithm Value XX to
   AES-XCBC-MAC.

7. Intellectual Property Rights Statement

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights. Information on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation can be found in BCP-11.
   Copies of claims of rights made available for publication and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF Secretariat.

8. Acknowledgments

   Portions of this text were unabashedly borrowed from [HMAC-SHA].

   Thanks to the XCBC-MAC authors for their expert advice and rapid
   response to our queries: to Phil Rogaway for providing values for the
   XCBC-MAC constants; and to John Black for detailed corrections to the
   algorithm specifications and for providing the test cases. Thanks
   also to Andrew Krywaniuk for insisting on (and providing wording for)
   a rationale for the 3-key approach.

9. References

9.1 Normative References

   [AES]        NIST, FIPS PUB 197, "Advanced Encryption Standard
                (AES)," November 2001.
                http://csrc.nist.gov/publications/fips/fips197/fips-197.{ps,pdf}

   [AH]         Kent, S. and R. Atkinson, "IP Authentication Header",
                RFC 2402, November 1998.

   [CBC-MAC-1]  Black, J. and P. Rogaway, "CBC MACs for Arbitrary-Length
                Messages: The Three-Key Constructions," in M. Bellare,
                editor, Advances in Cryptology -- CRYPTO '00, volume
                1880 of Lecture Notes in Computer Science, p. 0197,
                August 2000, Springer-Verlag.
                http://www.cs.ucdavis.edu/~rogaway/papers/3k.ps

   [ESP]        Kent, S. and R. Atkinson, "IP Encapsulating Security
                Payload (ESP)", RFC 2406, November 1998.

   [XCBC-MAC-1] Black, J. and P. Rogaway, "A Suggestion for Handling
                Arbitrary-Length Messages with the CBC MAC," NIST
                Second Modes of Operation Workshop, August 2001.
                http://csrc.nist.gov/encryption/modes/proposedmodes/xcbc-mac/xcbc-mac-spec.pdf

9.2 Non-normative References

   [ARCH]       Kent, S. and R. Atkinson, "Security Architecture for
                the Internet Protocol", RFC 2401, November 1998.

   [CBC-MAC-2]  Bellare, M., J. Kilian and P. Rogaway, "The Security of
                the Cipher Block Chaining Message Authentication Code,"
                Journal of Computer and System Sciences (JCSS), Vol.
                61, No. 3, December 2000, pp. 362-399.
                http://www-cse.ucsd.edu/users/mihir/papers/cbc.{ps,pdf}

   [HMAC]       Krawczyk, H., M. Bellare and R. Canetti, "HMAC:
                Keyed-Hashing for Message Authentication," RFC 2104,
                February 1997.

   [HMAC-SHA]   Madson, C. and R. Glenn, "The Use of HMAC-SHA-1-96
                within ESP and AH," RFC 2404, November 1998.

   [HANDBOOK]   Menezes, A., P. Van Oorschot and S. Vanstone, "Handbook
                of Applied Cryptography", CRC Press, 1997.

   [MODES]      Dworkin, M., "Recommendation for Block Cipher Modes of
                Operation: Methods and Techniques," NIST Special
                Publication 800-38A, December 2001.
                http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf

   [RFC-2026]   Bradner, S., "The Internet Standards Process --
                Revision 3", RFC2026, October 1996.

   [RFC-2119]   Bradner, S., "Key words for use in RFCs to Indicate
                Requirement Levels", RFC 2119, March 1997.

   [ROADMAP]    Thayer, R., N. Doraswamy, and R. Glenn, "IP Security
                Document Roadmap", RFC 2411, November 1998.

   [XCBC-MAC-2] Rogaway, Phil, email communications, October 2001.

10. Authors' Addresses

   Sheila Frankel
   NIST
   820 West Diamond Ave.
   Room 680
   Gaithersburg, MD 20899
   Phone: +1 (301) 975-3297
   Email: sheila.frankel@nist.gov

   Howard C. Herbert
   Intel Corporation
   Lan Access Division
   5000 West Chandler Blvd.
   MS-CH7-404
   Chandler, Arizona 85226
   Phone: +1 (480) 554-3116
   Email: howard.c.herbert@intel.com

   The IPsec working group can be contacted through the chairs:

   Barbara Fraser
   Cisco Systems Inc.
   Email: byfraser@cisco.com

   Theodore Ts'o
   Massachusetts Institute of Technology
   Email: tytso@mit.edu

11. Full Copyright Statement

   Copyright (C) The Internet Society (1998).
   All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works. However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
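
Added example (not part of the draft, and not the authors' code): the computation of Section 4, steps (1)-(5) with NOTE1, and the receiver-side check of Section 4.3, run against test cases #1 through #5 of Section 4.6. The names MAC96, Verify96 and FailedVectors are this example's own, and the constant-time tag comparison is an addition the draft does not require.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

func xorInto(dst, src []byte) {
	for i := range dst {
		dst[i] ^= src[i]
	}
}

// MAC96 computes AES-XCBC-MAC-96 over msg, following steps (1)-(5) of Section 4.
func MAC96(key, msg []byte) ([]byte, error) {
	if len(key) != 16 { // Section 4.1: only 128-bit keys; AES alone would accept more
		return nil, aes.KeySizeError(len(key))
	}
	k, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	derive := func(c byte) []byte { // step (1): constant block encrypted under K
		out := bytes.Repeat([]byte{c}, aes.BlockSize)
		k.Encrypt(out, out)
		return out
	}
	k1, _ := aes.NewCipher(derive(0x01)) // cannot fail: derived key is 16 bytes
	k2, k3 := derive(0x02), derive(0x03)
	e := make([]byte, aes.BlockSize) // step (2): E[0] = 0
	for len(msg) > aes.BlockSize {   // step (3): blocks M[1] .. M[n-1]
		xorInto(e, msg[:aes.BlockSize])
		k1.Encrypt(e, e)
		msg = msg[aes.BlockSize:]
	}
	last, mask := make([]byte, aes.BlockSize), k2 // step (4)(a): full final block, K2
	copy(last, msg)
	if len(msg) < aes.BlockSize { // step (4)(b) and NOTE1: 10* padding, K3
		last[len(msg)], mask = 0x80, k3
	}
	xorInto(e, last)
	xorInto(e, mask)
	k1.Encrypt(e, e)
	return e[:12], nil // step (5): leftmost 96 bits of E[n]
}

// Verify96 recomputes the tag and compares in constant time (this example's choice).
func Verify96(key, msg, tag []byte) bool {
	want, err := MAC96(key, msg)
	return err == nil && subtle.ConstantTimeCompare(want, tag) == 1
}

var vectors = [][2]string{ // Section 4.6 test cases #1-#5: {message, AES-XCBC-MAC-96}
	{"", "75f0251d528ac01c4573dfd5"},
	{"000102", "5b376580ae2f19afe7219cee"},
	{"000102030405060708090a0b0c0d0e0f", "d2a246fa349b68a79998a439"},
	{"000102030405060708090a0b0c0d0e0f10111213", "47f51b4564966215b8985c63"},
	{"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", "f54f0ec8d2b9f3d36807734b"},
}

// FailedVectors returns the numbers of the test cases that do not reproduce.
func FailedVectors() (bad []int) {
	key, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f")
	for i, v := range vectors {
		msg, _ := hex.DecodeString(v[0])
		tag, _ := hex.DecodeString(v[1])
		if !Verify96(key, msg, tag) {
			bad = append(bad, i+1)
		}
	}
	return bad
}

func main() {
	fmt.Println("failing Section 4.6 test cases:", FailedVectors())
}
```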