Section 8 seems to be blocking #37, #25, and #26, so I'll try to
revise it first. How about this for section 8.
# Sorry if my poor English broke some sentenses.


8. Key Derivation

KINK uses the same key derivation mechanisms that [IKE] uses in
section 5.5, which is:

KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b [| Nr_b])

The following differences apply:

o prf is the pseudo-random function corresponding to the session
key's etype. They are defined in [KCRYPTO].

o SKEYID_d is the session key in the Kerberos service ticket from
the AP-REQ.

o Nr_b is optional.

When the responder's nonce does not exist, Nr_b is treated as if
a zero length value was supplied.

Note that g(qm)^xy refers to the keying material generated when KE
payloads are supplied using Diffie Hellman key agreement. This is
explained in section 5.5 of [IKE].

The rest of the key derivation (e.g. how to expand KEYMAT)
follows IKE. How to use derived keying materials is up to each
service (e.g. section 4.6.2 of [IPSEC]).


# add a reference [KCRYPTO] to RFC 3961.
# "section 4.6.2 of [IPSEC]" may be "section 4.5.2 of [2401bis]".