| Internet-Draft | tcp-ao-algs | March 2026 |
| Bonica & Li | Expires 24 September 2026 | [Page] |
RFC5926 specifies cryptographic algorithms for TCP-AO. It explains how to use KDF_HMAC_SHA1 and KDF_AES_128_CMAC as KDFs. It also explains how to use HMAC-SHA-1-96 and AES-128-CMAC-96 as MAC algorithms.¶
This document specifies several new KDFs and MAC algorithms for TCP-AO. The KDFs and MAC algorithms specified in this document use stronger cryptography.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 24 September 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
TCP end-points use the TCP Authentication Option (TCP-AO) [RFC5925] to authenticate segments. TCP-AO relies upon:¶
A Master Key Tuple (MKT)¶
A Key Derivation Function (KDF)¶
A Message Authentication Code (MAC) algorithm¶
TCP-AO systems are configured with one or more MKTs for each connection that they protect. When a connection is associated with multiple MKTs, TCP-AO can rotate among them during the course of a TCP session. This facilitates dynamic key change and authentication algorithm agility.¶
An MKT includes:¶
Two MKT identifiers, one used for sending and one used for receiving¶
A connection identifier (i.e., a TCP socket pair)¶
A master key (i.e., a shared secret)¶
A KDF¶
A MAC algorithm¶
A flag indicating whether TCP options other than TCP-AO are authenticated¶
The KDF generates a traffic key. Its inputs are:¶
A pseudorandom function (PRF) used to generate the traffic key¶
The master key¶
Context (i.e., A binary string containing information related to the connection)¶
Output length (i.e., the length of the traffic key, in bits)¶
The MAC algorithm produces a MAC. It is defined by:¶
The KDF algorithm used to generate the traffic key¶
The length of the traffic key, in bits¶
The length of the MAC, in bits¶
The following are inputs to the MAC Algorithm:¶
TCP-AO systems include the MAC in the TCP-AO. They use the MAC to authenticate segments.¶
[RFC5926] specifies cryptographic algorithms for TCP-AO. It explains how to use KDF_HMAC_SHA1 and KDF_AES_128_CMAC as KDFs. It also explains how to use HMAC-SHA-1-96 and AES-128-CMAC-96 as MAC algorithms.¶
This document specifies several new KDFs and MAC algorithms for TCP-AO. The KDFs and MAC algorithms defined in this document use stronger cryptography.¶
The MAC algorithms described this document yield MACs ranging from 256 to 512 bits (i.e., 32 to 64 bytes). Therefore, when they are encoded in a TCP-AO, the TCP-AO ranges from 36 to 68 bytes.¶
The TCP-AO is encoded in the TCP Options field. The TCP Options field is frequently required to carry multiple options, including the TCP-AO.¶
Currently, the TCP-Options field cannot exceed 40 bytes. However, TCP Extended Options [I-D.bonica-tcpm-extended-options] removes this limitation. Therefore, the MAC algorithms described in this document can only be used on systems that support TCP Extended Options or some other mechanism that extends the TCP Options field.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
For KDF_HMAC_SHA256:¶
For KDF_HMAC_SHA384:¶
For KDF_HMAC_SHA512:¶
For KDF_HMAC_SHA3-256:¶
For KDF_HMAC_SHA3-384:¶
For KDF_HMAC_SHA3-512:¶
By definition, HMAC [RFC2104] requires a cryptographic hash function. SHA256 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC.¶
The three fixed elements for HMAC-SHA256 are:¶
For:¶
MAC = MAC_alg (Traffic_Key, Message)¶
HMAC-SHA256 for TCP-AO has the following values:¶
By definition, HMAC [RFC2104] requires a cryptographic hash function. SHA384 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC.¶
The three fixed elements for HMAC-SHA384 are:¶
For:¶
MAC = MAC_alg (Traffic_Key, Message)¶
HMAC-SHA384 for TCP-AO has the following values:¶
By definition, HMAC [RFC2104] requires a cryptographic hash function. SHA512 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC.¶
The three fixed elements for HMAC-SHA512 are:¶
For:¶
MAC = MAC_alg (Traffic_Key, Message)¶
HMAC-SHA512 for TCP-AO has the following values:¶
By definition, HMAC [RFC2104] requires a cryptographic hash function. SHA3-256 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC.¶
The three fixed elements for HMAC-SHA3-256 are:¶
For:¶
MAC = MAC_alg (Traffic_Key, Message)¶
HMAC-SHA3-256 for TCP-AO has the following values:¶
By definition, HMAC [RFC2104] requires a cryptographic hash function. SHA3-384 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC.¶
The three fixed elements for HMAC-SHA3-384 are:¶
For:¶
MAC = MAC_alg (Traffic_Key, Message)¶
HMAC-SHA3-384 for TCP-AO has the following values:¶
By definition, HMAC [RFC2104] requires a cryptographic hash function. SHA3-512 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC.¶
The three fixed elements for HMAC-SHA3-224 are:¶
For:¶
MAC = MAC_alg (Traffic_Key, Message)¶
HMAC-SHA3-512 for TCP-AO has the following values:¶
This document inherits all of the security considerations of the TCP-AO [RFC5925].¶
IANA is requested to add the following entries to the "Cryptographic Algorithms for TCP-AO Registration" (https://www.iana.org/assignments/tcp-parameters/tcp-parameters.xhtml#tcp-parameters-3).¶
| Algorithm | Reference |
|---|---|
| SHA256 | This Document |
| SHA384 | This Document |
| SHA512 | This Document |
| SHA3-256 | This Document |
| SHA3-384 | This Document |
| SHA3-512 | This Document |
Thanks to Lars Eggert, Gorry Fairhurst, C.M. Heard, Russ Housley, John Mattsson, Yoshifumi Nishida, Joe Touch, Michael Tuxen, and Magnus Westerlund for their review and comments.¶