RFC 5925

The TCP Authentication Option, June 2010

Canonical URL:
File formats:
Plain TextPDF
RFC 2385
J. Touch
A. Mankin
R. Bonica
tcpm (tsv)

Cite this RFC: TXT  |  XML

DOI:  10.17487/RFC5925

Discuss this RFC: Send questions or comments to tcpm@ietf.org

Other actions: View Errata  |  Submit Errata  |  Find IPR Disclosures from the IETF


This document specifies the TCP Authentication Option (TCP-AO), which obsoletes the TCP MD5 Signature option of RFC 2385 (TCP MD5). TCP-AO specifies the use of stronger Message Authentication Codes (MACs), protects against replays even for long-lived TCP connections, and provides more details on the association of security with TCP connections than TCP MD5. TCP-AO is compatible with either a static Master Key Tuple (MKT) configuration or an external, out-of-band MKT management mechanism; in either case, TCP-AO also protects connections when using the same MKT across repeated instances of a connection, using traffic keys derived from the MKT, and coordinates MKT changes between endpoints. The result is intended to support current infrastructure uses of TCP MD5, such as to protect long-lived connections (as used, e.g., in BGP and LDP), and to support a larger set of MACs with minimal other system and operational changes. TCP-AO uses a different option identifier than TCP MD5, even though TCP-AO and TCP MD5 are never permitted to be used simultaneously. TCP-AO supports IPv6, and is fully compatible with the proposed requirements for the replacement of TCP MD5. [STANDARDS-TRACK]

For the definition of Status, see RFC 2026.

For the definition of Stream, see RFC 4844.

Download PDF Reader