{
  "draft": "draft-ietf-tcpm-tcp-auth-opt-11",
  "doc_id": "RFC5925",
  "title": "The TCP Authentication Option",
  "authors": ["J. Touch", "A. Mankin", "R. Bonica"],
  "format": ["ASCII", "HTML"],
  "page_count": "48",
  "pub_status": "PROPOSED STANDARD",
  "status": "PROPOSED STANDARD",
  "source": "TCP Maintenance and Minor Extensions",
  "abstract": "This document specifies the TCP Authentication Option (TCP-AO), which obsoletes the TCP MD5 Signature option of RFC 2385 (TCP MD5). TCP-AO specifies the use of stronger Message Authentication Codes (MACs), protects against replays even for long-lived TCP connections, and provides more details on the association of security with TCP connections than TCP MD5. TCP-AO is compatible with either a static Master Key Tuple (MKT) configuration or an external, out-of-band MKT management mechanism; in either case, TCP-AO also protects connections when using the same MKT across repeated instances of a connection, using traffic keys derived from the MKT, and coordinates MKT changes between endpoints. The result is intended to support current infrastructure uses of TCP MD5, such as to protect long-lived connections (as used, e.g., in BGP and LDP), and to support a larger set of MACs with minimal other system and operational changes. TCP-AO uses a different option identifier than TCP MD5, even though TCP-AO and TCP MD5 are never permitted to be used simultaneously. TCP-AO supports IPv6, and is fully compatible with the proposed requirements for the replacement of TCP MD5. [STANDARDS-TRACK]",
  "pub_date": "June 2010",
  "keywords": ["transmission control protocol", "border", "gateway", "protocol", "transmission control message", "digest", "algorithm"],
  "obsoletes": ["RFC2385"],
  "obsoleted_by": [],
  "updates": [],
  "updated_by": [],
  "see_also": [],
  "doi": "10.17487/RFC5925",
  "errata_url": "https://www.rfc-editor.org/errata/rfc5925"
}
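The abstract names three mechanisms that distinguish TCP-AO from TCP MD5: per-connection traffic keys derived from the MKT, a MAC over the segment, and replay protection that survives sequence-number wrap on long-lived connections. The following is an added worked example, not code from RFC 5925 or its authors, showing all three for one direction of a BGP-style connection. The KDF (KDF_HMAC_SHA1) and MAC (HMAC-SHA-1-96) follow the companion document RFC 5926, which this record does not reproduce; the sequence-number-extension wrap test mirrors the approach used in Linux's TCP-AO code, which is an assumption on my part; and every address, port, ISN and the master key are constructed sample values.

```python
"""TCP-AO (RFC 5925): traffic keys, segment MAC and SNE tracking.

Added illustration, not code from RFC 5925. KDF_HMAC_SHA1 and HMAC-SHA-1-96
are taken from RFC 5926 (not part of this record). All addresses, ports,
ISNs and the master key below are constructed sample values.
"""
import hashlib
import hmac
import ipaddress
import struct

TCPAO_KIND = 29   # option kind assigned to TCP-AO; TCP MD5 (RFC 2385) uses kind 19
MAC_LEN = 12      # HMAC-SHA-1-96: SHA-1 HMAC truncated to its leftmost 96 bits


def kdf_hmac_sha1(master_key: bytes, context: bytes, out_bits: int = 160) -> bytes:
    """KDF_HMAC_SHA1 (RFC 5926 3.1.1.1): HMAC-SHA1(master, i || "TCP-AO" || context || L).
    i is the single-iteration counter octet 0x01; L is the 16-bit output length in bits."""
    data = b"\x01" + b"TCP-AO" + context + struct.pack("!H", out_bits)
    return hmac.new(master_key, data, hashlib.sha1).digest()[: out_bits // 8]


def ao_context(src_ip, dst_ip, src_port, dst_port, src_isn, dst_isn) -> bytes:
    """Connection context (RFC 5925 5.2): addresses || ports || ISNs, network byte order."""
    return (ipaddress.ip_address(src_ip).packed + ipaddress.ip_address(dst_ip).packed
            + struct.pack("!HHII", src_port, dst_port, src_isn, dst_isn))


def traffic_keys(mk, local_ip, remote_ip, lport, rport, local_isn, remote_isn):
    """Four per-connection traffic keys (RFC 5925 5.2) from one MKT master key.
    SYN keys exist before the peer's ISN is known, so their destination ISN is 0;
    receive keys use the tuple as the peer sees it, so they equal the peer's send keys."""
    return {
        "send_syn":   kdf_hmac_sha1(mk, ao_context(local_ip, remote_ip, lport, rport, local_isn, 0)),
        "recv_syn":   kdf_hmac_sha1(mk, ao_context(remote_ip, local_ip, rport, lport, remote_isn, 0)),
        "send_other": kdf_hmac_sha1(mk, ao_context(local_ip, remote_ip, lport, rport, local_isn, remote_isn)),
        "recv_other": kdf_hmac_sha1(mk, ao_context(remote_ip, local_ip, rport, lport, remote_isn, local_isn)),
    }


def tcpao_option(key_id: int, rnext_key_id: int, mac: bytes = b"\x00" * MAC_LEN) -> bytes:
    """TCP-AO option: Kind || Length || KeyID || RNextKeyID || MAC (MAC zeroed while computing)."""
    return struct.pack("!BBBB", TCPAO_KIND, 4 + MAC_LEN, key_id, rnext_key_id) + mac


def tcp_header(sport, dport, seq, ack, flags, window, options_len) -> bytes:
    """Fixed 20-byte TCP header with checksum already zero, as TCP-AO requires when MACing."""
    data_offset = (20 + options_len) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset << 4, flags, window, 0, 0)


def segment_mac(traffic_key, sne, src_ip, dst_ip, header, options, payload) -> bytes:
    """HMAC-SHA-1-96 over SNE || IP pseudo-header || TCP header || options || data (RFC 5925 5.1).
    `options` must contain the TCP-AO option with its MAC field zeroed."""
    tcp_len = len(header) + len(options) + len(payload)
    pseudo = (ipaddress.ip_address(src_ip).packed + ipaddress.ip_address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, tcp_len))        # zero, protocol=TCP, TCP length
    covered = struct.pack("!I", sne) + pseudo + header + options + payload
    return hmac.new(traffic_key, covered, hashlib.sha1).digest()[:MAC_LEN]


def compute_sne(cur_sne: int, next_seq: int, seq: int) -> int:
    """Sequence Number Extension (RFC 5925 6.2): implicit high-order 32 bits of SEQ.
    (cur_sne, next_seq) is the receiver's tracked state; returns the SNE for a segment
    carrying `seq`, so a replay from the previous 2^32-byte epoch is MACed under a
    different SNE and fails. Wrap test modelled on Linux tcp_ao (assumption)."""
    older = ((seq - next_seq) & 0xFFFFFFFF) >= 0x80000000   # seq precedes next_seq mod 2^32
    if older:
        return cur_sne - 1 if seq > next_seq else cur_sne   # segment from before the last wrap
    return cur_sne + 1 if seq < next_seq else cur_sne       # seq already wrapped past next_seq


def demo():
    """Sender MACs a data segment; the peer re-derives its receive key and verifies it."""
    mk = b"constructed-sample-master-key"   # constructed MKT master key, not a real secret
    a, b, ap, bp, a_isn, b_isn = "192.0.2.1", "192.0.2.2", 179, 40000, 0x11111111, 0x22222222
    sender = traffic_keys(mk, a, b, ap, bp, a_isn, b_isn)
    receiver = traffic_keys(mk, b, a, bp, ap, b_isn, a_isn)   # same connection, peer's view
    opts = tcpao_option(key_id=1, rnext_key_id=1)
    hdr = tcp_header(ap, bp, a_isn + 1, b_isn + 1, 0x18, 65535, len(opts))  # PSH|ACK
    payload = b"constructed BGP KEEPALIVE stand-in"
    mac = segment_mac(sender["send_other"], 0, a, b, hdr, opts, payload)
    expected = segment_mac(receiver["recv_other"], 0, a, b, hdr, opts, payload)
    return {"keys": sender, "peer_recv_other": receiver["recv_other"], "mac": mac,
            "verified": hmac.compare_digest(mac, expected)}


if __name__ == "__main__":
    print(demo())
```

Two details are worth noting when reading the output. The peer's `recv_other` key equals the sender's `send_other` key because the context is the same tuple written from the other side, which is why both ends can derive matching keys from a single static MKT without exchanging anything. And because the SNE is prepended to the MACed data but never appears on the wire, replaying an old segment after the 32-bit sequence space wraps fails verification even though its SEQ field is valid again; this is the "replays even for long-lived TCP connections" property the abstract claims over TCP MD5, which has no equivalent.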