| Internet-Draft | tcp-ext-opt | June 2026 |
| Bonica & Li | Expires 28 December 2026 | [Page] |
A TCP header accommodates only 40 octets of TCP options. In the future, applications may require more than 40 octets of TCP options. For example, an application may require a TCP Authentication Option (TCP-AO) with a 384-bit MAC. This option requires 52 octets of option space.¶
This document defines a TCP extension that accommodates up to 1,016 octets of TCP options while maintaining backward compatibility with legacy implementations.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 28 December 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Figure 1 depicts a TCP [RFC9293] segment.¶
Every TCP segment contains a header. Some TCP segments also contain data.¶
Each field in the TCP header, except for the last, has a fixed length. The fixed length fields in the TCP header occupy 20 octets. One of these fields is called the Data Offset field.¶
The final field in the TCP header contains TCP options [TCPOPTS]. Its length varies from 0 to 40 octets.¶
The Data Offset field represents the TCP data offset, measured in 4-octet units. The Data Offset field also determines the length of the Options field. This is because the Options field consumes all space between the fixed length fields in the TCP header and the TCP data.¶
The Data Offset field contains 4 bits. So, its nominal value ranges from 0 to 15. However, the value of the Data Offset field must be 5 or greater. This is because TCP data must follow the fixed-length header fields, and those fields occupy 20 octets.¶
Because the value of the Data Offset field cannot exceed 15, the TCP data offset cannot exceed 60 and the length of the Options field cannot exceed 40 (i.e., 60 minus 20).¶
In the future, applications may require more than 40 octets of TCP options. For example, an application may require a TCP Authentication Option (TCP-AO) [RFC5925] with a 384-bit MAC [I-D.bonica-tcpm-tcp-ao-long-algs]. This option requires 52 octets of option space.¶
This document defines a TCP extension that accommodates up to 1,016 octets of TCP options while maintaining backward compatibility with legacy implementations.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
This document uses the following terms:¶
TCP Client - The TCP endpoint that initiates a session.¶
TCP Server - The TCP endpoint that communicates with the TCP Client.¶
Ordinary Segment (SEG-O) - A TCP segment, as defined in [RFC9293]. In a SEG-O, the Data Offset field has a value from 5 to 15.¶
Updated Segment (SEG-U) - A TCP segment, as defined in [RFC9293]. However, in a SEG-U, the Data Offset field must be equal to 0. That value identifies the segment as a SEG-U. See Section 4.1.¶
Ordinary SYN (SYN-O) - A SEG-O whose SYN bit is set and ACK bit is not set.¶
Updated SYN (SYN-U) - A SEG-U whose SYN bit is set and ACK bit is not set.¶
Ordinary SYN/ACK (SYN/ACK-O) - A SEG-O whose SYN and ACK bits are set.¶
Updated SYN/ACK (SYN/ACK-U) - A SEG-U whose SYN and ACK bits are set.¶
Ordinary TCP Connection (TCP-O) - A TCP connection, as defined in [RFC9293]. A TCP-O exchanges only SEG-O's.¶
Updated TCP Connection (TCP-U) - A TCP connection, as defined in [RFC9293]. However, a TCP-U can exchange both SEG-O's and SEG-U's. See Section 4.¶
Legacy TCP - A TCP implementation that supports TCP-O only.¶
Upgraded TCP - A TCP implementation that supports both TCP-O and TCP-U.¶
A TCP-U sends SEG-U's:¶
During the three-way handshake, even if those segments do not contain options¶
When the segment contains more than 40 octets of options.¶
When neither of the above conditions is true, a TCP-U MAY send either SEG-O's or SEG-U's.¶
The Data Offset field must have a value of 5 or greater¶
TCP Options can be present only when the Data Offset field has a value greater than 5.¶
In a SEG-U, the Data Offset MUST have a value of 0. This value identifies the segment as a SEG-U and indicates that the format of the TCP Options field MUST be as depicted in Figure 2.¶
Length: 8-bit unsigned integer. Represents the length of TCP Options, including the Length and Reserved fields. Measured in 4-octet units. Value MUST be 1 or greater. A value of 1 indicates that only the Length and Reserved fields are present, with no Individual Options (i.e., the options region is empty).¶
Reserved: MUST be set to 0 by the sender and MUST be ignored by the receiver.¶
In a SEG-U, the receiver MUST use the Length field to determine the boundary between the Options field and TCP data. TCP data begins at byte offset 20 + (Length x 4) from the start of the TCP header, where 20 is the length of the fixed TCP header fields. This replaces the role of the Data Offset field, which MUST be ignored as an offset in a SEG-U.¶
As per [RFC9293], checksums are calculated over the entire Options field.¶
A SEG-U can include 1,016 octets of options. While this may be required in the distant future, it is RECOMMENDED that TCP options not exceed 256 octets.¶
When a legacy TCP client initiates a session with an updated TCP server, it sends a SYN-O. Depending upon local policy and application requirements, the server can refuse the connection request or continue with a TCP-O.¶
When an updated TCP client initiates a session with a legacy TCP server, it sends a SYN-U. The server can ignore the SYN-U and allow the session to time out, as per [RFC9293] or respond with a SYN/ACK-O, in violation of [RFC9293].¶
In the latter case, depending upon local policy and application requirements, the updated TCP client can either terminate the connection or continue with a TCP-O.¶
The behavior described above is acceptable in environments where extended TCP options are essential. However, it is not acceptable in environments where extended TCP options are desirable, but not essential. In these environments, implementations SHOULD implement the Dual Three-Way Handshake described in Appendix A. In the Dual Three-Way Handshake, the client simultaneously initiates both a TCP-U and a TCP-O connection, and proceeds with whichever is accepted, preferring TCP-U when it is accepted.¶
Legacy middleboxes and hardware accelerators ignore packets with Data Offset equal to 0. So, when a TCP client sends a SYN-U and receives no response, it cannot tell whether the packet was ignored by a middlebox, an accelerator, or the server.¶
Regardless of where the packet was ignored, the client observes the behavior described in Section 5 and behaves as if the packet were ignored by a legacy server.¶
This document inherits security considerations from [RFC9293].¶
Setting the Data Offset field to 0 intentionally violates [RFC9293] Section 3.1, which mandates that the Data Offset field MUST be 5 or greater. This approach is acceptable because:¶
[RFC9293] compliant implementations will reject or discard segments with invalid Data Offset values (less than 5) before processing options. This ensures that legacy TCP implementations cannot be exploited by SEG-U segments, as the segments will be discarded at the validation stage rather than processed.¶
Upgraded TCP implementations MUST validate that the Data Offset field is either within the range [5, 15] (indicating a SEG-O) or exactly 0 (indicating a SEG-U). Any other value is malformed and MUST be discarded. Implementations MUST NOT attempt to infer meaning from intermediate values.¶
Legacy middleboxes that strictly validate TCP headers per [RFC9293] will discard or ignore SEG-U segments, which is the desired behavior for backward compatibility. Middleboxes that do not validate Data Offset values may forward SEG-U segments unchanged.¶
This document makes no IANA requests.¶
Parties participating in this experiment should publish experimental results within one year of the publication of this document. Experimental results should address the following:¶
Effort required to deploy¶
Scale of deployment¶
Interoperability¶
Effectiveness and sufficiency of OAM mechanisms¶
Successful experimental deployment SHOULD demonstrate the following:¶
Implementation and testing by at least two independent developers or organizations¶
Interoperability validation between implementations, demonstrating that SEG-U segments are correctly generated and processed¶
At least one deployment in a testbed or production environment¶
No critical security vulnerabilities discovered during the experiment¶
Positive or neutral feedback regarding middlebox compatibility and packet handling¶
The authors wish to acknowledge Keshawn Hamlin, Jordan Head, C. M. Heard, Rahul Khali, Prashant Kumar, Amalesh Maity, Erin MacNeil, Jainam Parikh, Joe Touch and Michael Tuexen for their review and helpful comments.¶
Special thanks to Bob Briscoe, who contributed the Dual Three-Way Handshake in [I-D.briscoe-tcpm-inner-space].¶
In this procedure an upgraded TCP client executes two three-way handshakes in parallel. One three-way handshake begins with a SYN-U while the other begins with a SYN-O. Both SYN segments have the same source address, destination address, and destination port. However, they use different source ports. So, while both SYN segments are directed to the same peer, they initiate different TCP sessions. The session that begins with a SYN-U is a TCP-U while the session that begins with SYN-O is a TCP-O.¶
Having sent a SYN-U and a SYN-O, the client may receive:¶
A SYN/ACK-U and a SYN/ACK-O, in that order¶
A SYN/ACK-U but not a SYN/ACK-O¶
A SYN/ACK-O and a SYN/ACK-U, in that order¶
A SYN/ACK-O but not a SYN/ACK-U¶
Neither a SYN/ACK-U nor a SYN/ACK-O¶
The following subsections describe each scenario.¶
In this scenario, TCP-U succeeds immediately. The client completes the TCP-U three-way handshake by sending ACK-U.¶
When SYN/ACK-O arrives for the parallel TCP-O attempt, the client rejects that connection by sending RST-O. The client then uses the TCP-U connection for all subsequent data exchange.¶
In this scenario, TCP-U succeeds and TCP-O is not established. The client completes the TCP-U three-way handshake and proceeds with TCP-U.¶
The client silently abandons the TCP-O attempt. If a delayed SYN/ACK-O is received later, the client sends RST-O.¶
In this scenario, the ordinary handshake responds first but the updated handshake is preferred.¶
Upon receiving SYN/ACK-O first, the client waits for a short, locally configured interval to allow SYN/ACK-U to arrive. If SYN/ACK-U arrives during that interval, the client completes TCP-U and send RST-O for the TCP-O attempt.¶
If SYN/ACK-U does not arrive before the local interval expires, the client completes TCP-O instead.¶
In this scenario, only TCP-O succeeds. The client completes the TCP-O handshake and proceeds with a TCP-O connection.¶
The TCP-U attempt is abandoned. If a delayed SYN/ACK-U arrives after TCP-O is selected, the client sends RST-U.¶
In this scenario, neither parallel connection attempt succeeds.¶
The client retransmits SYN-U and SYN-O according to [RFC9293] timer and retry behavior. If retries are exhausted without receiving either SYN/ACK-U or SYN/ACK-O, the connection attempt fails.¶