
DOI: https://doi.org/10.17487/RFC5925
This document specifies the TCP Authentication Option (TCP-AO), which obsoletes the TCP MD5 Signature option of RFC 2385 (TCP MD5). TCP-AO specifies the use of stronger Message Authentication Codes (MACs), protects against replays even for long-lived TCP connections, and provides more details on the association of security with TCP connections than TCP MD5. TCP-AO is compatible with either a static Master Key Tuple (MKT) configuration or an external, out-of-band MKT management mechanism; in either case, TCP-AO also protects connections when using the same MKT across repeated instances of a connection, using traffic keys derived from the MKT, and coordinates MKT changes between endpoints. The result is intended to support current infrastructure uses of TCP MD5, such as to protect long-lived connections (as used, e.g., in BGP and LDP), and to support a larger set of MACs with minimal other system and operational changes. TCP-AO uses a different option identifier than TCP MD5, even though TCP-AO and TCP MD5 are never permitted to be used simultaneously. TCP-AO supports IPv6, and is fully compatible with the proposed requirements for the replacement of TCP MD5. [STANDARDS-TRACK]