RFC Errata
RFC 5925, "The TCP Authentication Option", June 2010
Source of RFC: tcpm (wit)
Errata ID: 7135
Status: Rejected
Type: Technical
Publication Format(s): TEXT
Reported By: Venkatesh Natarajan
Date Reported: 2022-09-16
Rejected by: Martin Duke
Date Rejected: 2022-10-06
Section 7.3 says:
>> A TCP-AO implementation MUST allow for configuration of the behavior of segments with TCP-AO but that do not match an MKT. The initial default of this configuration SHOULD be to silently accept such connections. If this is not the desired case, an MKT can be included to match such connections, or the connection can indicate that TCP-AO is required. Alternately, the configuration can be changed to discard segments with the AO option not matching an MKT.
It should say:
>> A TCP-AO implementation MUST allow for configuration of the behavior of segments with TCP-AO but that do not match any MKT or no MKT is available. The initial default of this configuration SHOULD be to silently accept such connections. In this mode of operation, both the endpoints will not perform TCP-AO validation. If this is not the desired case, an MKT can be included to match such connections, or the connection can indicate that TCP-AO is required. Alternately, the configuration can be changed to discard segments with the AO option not matching an MKT.
Notes:
The RFC does not clearly draw out the distinction between the treatment of segments with and without the TCP-AO option.
Note that in the case of MKT mismatch as per existing RFC text, if either endpoint does TCP-AO validation, the session would not get established.
--VERIFIER NOTES--
As noted in the email below, when both sides do not have common configuration, the handshake will fail.
Please see https://mailarchive.ietf.org/arch/msg/tcpm/0zG2aP5tGBvbRJxuNOIPFYDK9Jg/