Internet-Draft tcp-ao-algs December 2025
Bonica & Li Expires 15 June 2026 [Page]
Workgroup:
TCPM Working Group
Internet-Draft:
draft-bonica-tcmp-tcp-ao-algs-00
Updates:
RFC 5926 (if approved)
Published:
Intended Status:
Standards Track
Expires:
Authors:
R. Bonica
HPE
T. Li
HPE

Additional Security Algorithms For Use With TCP-AO

Abstract

RFC5926 specifies cryptographic algorithms for TCP-AO. It explains how to use KDF_HMAC_SHA1 and KDF_AES_128_CMAC as KDFs. It also explains how to use HMAC-SHA-1-96 and AES-128-CMAC-96 as MAC algorithms.

This document specifies several new KDFs and MAC algorithms for TCP-AO. The KDFs and MAC algorithms specified in this document are based upon more recent, stronger cryptography.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 15 June 2026.

Table of Contents

1. Introduction

TCP end-points use the TCP Authentication Option (TCP-AO) [RFC5925] to authenticate segments. TCP-AO relies upon:

TCP-AO systems are configured with one or more MKTs for each connection that they protect. When a connection is associated with multiple MKTs, TCP-AO can rotate among them during the course of a TCP session. This facilitates dynamic key change and authentication algorithm agility.

An MKT includes:

The KDF generates a traffic key. Its inputs are:

The MAC algorithm produces a MAC. It is defined by:

The following are inputs to the MAC Algorithm:

TCP-AO systems include the MAC in the TCP-AO. They use the MAC to authenticate segments.

[RFC5926] specifies cryptographic algorithms for TCP-AO. It explains how to use KDF_HMAC_SHA1 and KDF_AES_128_CMAC as KDFs. It also explains how to use HMAC-SHA-1-96 and AES-128-CMAC-96 as MAC algorithms.

This document specifies several new KDFs and MAC algorithms for TCP-AO. The KDFs and MAC algorithms defined in this document are based upon more recent, stronger cryptography.

The MAC algorithms described in Section 3.2 of this document are not truncated. They yield MACs ranging from 256 to 512 bits (i.e., 32 to 64 bytes). Therefore, when they are encoded in a TCP-AO, the TCP-AO ranges from 36 to 68 bytes.

The MAC algorithms described in Section 3.3 of this document are truncated to 128 bits (i.e., 16 bytes). Therefore, when they are encoded in TCP-AO, the TCP-AO consumes 20 bytes.

The TCP-AO is encoded in the TCP Options field. The TCP Options field is frequently required to carry multiple options, including the TCP-AO.

Currently, the TCP-Options field cannot exceed 40 bytes. However, TCP Extended Options [I-D.bonica-tcpm-extended-options] removes this limitation. Therefore, many of the MAC algorithms described in this document can only be used on systems that support TCP Extended Options or some other mechanism that extends the TCP Options field.

2. Conventions and Definitions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

3. Updates to RFC 5926

3.1. Concrete KDFs

3.1.1. KDF_HMAC_SHA224

For KDF_HMAC_SHA224:

  • PRF for KDF_alg: HMAC-SHA224 [RFC2104] [DOI.10.6028_NIST.FIPS.180-4]

  • Use: HMAC-SHA224(Key, Input).

  • Input: ( i || Label || Context || Output_Length)

  • Key: Master_Key, configured by user, and passed to the KDF

  • Output_Length: 224 bits

  • Result: Traffic_Key, used in the MAC function by TCP-AO

3.1.2. KDF_HMAC_SHA256

For KDF_HMAC_SHA256:

  • PRF for KDF_alg: HMAC-SHA256 [RFC2104] [DOI.10.6028_NIST.FIPS.180-4]

  • Use: HMAC-SHA256(Key, Input).

  • Input: ( i || Label || Context || Output_Length)

  • Key: Master_Key, configured by user, and passed to the KDF

  • Output_Length: 256 bits

  • Result: Traffic_Key, used in the MAC function by TCP-AO

3.1.3. KDF_HMAC_SHA384

For KDF_HMAC_SHA384:

  • PRF for KDF_alg: HMAC-SHA384 [RFC2104] [DOI.10.6028_NIST.FIPS.180-4]

  • Use: HMAC-SHA384(Key, Input).

  • Input: ( i || Label || Context || Output_Length)

  • Key: Master_Key, configured by user, and passed to the KDF

  • Output_Length: 384 bits

  • Result: Traffic_Key, used in the MAC function by TCP-AO

3.1.4. KDF_HMAC_SHA512

For KDF_HMAC_SHA512:

  • PRF for KDF_alg: HMAC-SHA512 [RFC2104] [DOI.10.6028_NIST.FIPS.180-4]

  • Use: HMAC-SHA512(Key, Input).

  • Input: ( i || Label || Context || Output_Length)

  • Key: Master_Key, configured by user, and passed to the KDF

  • Output_Length: 224 bits

  • Result: Traffic_Key, used in the MAC function by TCP-AO

3.1.5. KDF_HMAC_SHA3-224

For KDF_HMAC_SHA3-224:

  • PRF for KDF_alg: HMAC-SHA3-224 [RFC2104] [DOI.10.6028_NIST.FIPS.202]

  • Use: HMAC-SHA3-224(Key, Input).

  • Input: ( i || Label || Context || Output_Length)

  • Key: Master_Key, configured by user, and passed to the KDF

  • Output_Length: 224 bits

  • Result: Traffic_Key, used in the MAC function by TCP-AO

3.1.6. KDF_HMAC_SHA3-256

For KDF_HMAC_SHA3-256:

  • PRF for KDF_alg: HMAC-SHA3-256 [RFC2104] [DOI.10.6028_NIST.FIPS.202]

  • Use: HMAC-SHA3-256(Key, Input).

  • Input: ( i || Label || Context || Output_Length)

  • Key: Master_Key, configured by user, and passed to the KDF

  • Output_Length: 256 bits

  • Result: Traffic_Key, used in the MAC function by TCP-AO

3.1.7. KDF_HMAC_SHA3-384

For KDF_HMAC_SHA3-384:

  • PRF for KDF_alg: HMAC-SHA3-384 [RFC2104] [DOI.10.6028_NIST.FIPS.202]

  • Use: HMAC-SHA3-384(Key, Input).

  • Input: ( i || Label || Context || Output_Length)

  • Key: Master_Key, configured by user, and passed to the KDF

  • Output_Length: 384 bits

  • Result: Traffic_Key, used in the MAC function by TCP-AO

3.1.8. KDF_HMAC_SHA3-512

For KDF_HMAC_SHA3-512:

  • PRF for KDF_alg: HMAC-SHA3-512 [RFC2104] [DOI.10.6028_NIST.FIPS.202]

  • Use: HMAC-SHA3-512(Key, Input).

  • Input: ( i || Label || Context || Output_Length)

  • Key: Master_Key, configured by user, and passed to the KDF

  • Output_Length: 512 bits

  • Result: Traffic_Key, used in the MAC function by TCP-AO

3.2. Non-truncated MAC Algorithms

The following subsections should be added to Section 3.2 of [RFC5926].

3.2.1. The Use of HMAC-SHA224

By definition, HMAC [RFC2104] requires a cryptographic hash function. SHA224 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC.

The three fixed elements for HMAC-SHA224 are:

  • KDF_Alg: KDF_HMAC_SHA224.

  • Key_Length: 224 bits.

  • MAC_Length: 224 bits.

For:

  • MAC = MAC_alg (Traffic_Key, Message)

HMAC-SHA224 for TCP-AO has the following values:

  • MAC_alg: HMAC-SHA224.

  • Traffic_Key: Variable; the result of the KDF.

  • Message: The message to be authenticated, as specified in [RFC5925], Section 5.1.

3.2.2. The Use of HMAC-SHA256

By definition, HMAC [RFC2104] requires a cryptographic hash function. SHA256 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC.

The three fixed elements for HMAC-SHA256 are:

  • KDF_Alg: KDF_HMAC_SHA256

  • Key_Length: 256 bits.

  • MAC_Length: 256 bits.

For:

  • MAC = MAC_alg (Traffic_Key, Message)

HMAC-SHA256 for TCP-AO has the following values:

  • MAC_alg: HMAC-SHA256

  • Traffic_Key: Variable; the result of the KDF.

  • Message: The message to be authenticated, as specified in [RFC5925], Section 5.1.

3.2.3. The Use of HMAC-SHA384

By definition, HMAC [RFC2104] requires a cryptographic hash function. SHA384 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC.

The three fixed elements for HMAC-SHA384 are:

  • KDF_Alg: KDF_HMAC_SHA384

  • Key_Length: 384 bits.

  • MAC_Length: 384 bits.

For:

  • MAC = MAC_alg (Traffic_Key, Message)

HMAC-SHA384 for TCP-AO has the following values:

  • MAC_alg: HMAC-SHA384

  • Traffic_Key: Variable; the result of the KDF.

  • Message: The message to be authenticated, as specified in [RFC5925], Section 5.1.

3.2.4. The Use of HMAC-SHA512

By definition, HMAC [RFC2104] requires a cryptographic hash function. SHA512 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC.

The three fixed elements for HMAC-SHA512 are:

  • KDF_Alg: KDF_HMAC_SHA512

  • Key_Length: 512 bits.

  • MAC_Length: 512 bits.

For:

  • MAC = MAC_alg (Traffic_Key, Message)

HMAC-SHA512 for TCP-AO has the following values:

  • MAC_alg: HMAC-SHA512

  • Traffic_Key: Variable; the result of the KDF.

  • Message: The message to be authenticated, as specified in [RFC5925], Section 5.1.

3.2.5. The Use of HMAC-SHA3-224

By definition, HMAC [RFC2104] requires a cryptographic hash function. SHA3-224 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC.

The three fixed elements for HMAC-SHA3-224 are:

  • KDF_Alg: KDF_HMAC_SHA3-224.

  • Key_Length: 224 bits.

  • MAC_Length: 224 bits.

For:

  • MAC = MAC_alg (Traffic_Key, Message)

HMAC-SHA3-224 for TCP-AO has the following values:

  • MAC_alg: HMAC-SHA3-224.

  • Traffic_Key: Variable; the result of the KDF.

  • Message: The message to be authenticated, as specified in [RFC5925], Section 5.1.

3.2.6. The Use of HMAC-SHA3-256

By definition, HMAC [RFC2104] requires a cryptographic hash function. SHA3-256 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC.

The three fixed elements for HMAC-SHA3-256 are:

  • KDF_Alg: KDF_HMAC_SHA3-256.

  • Key_Length: 256 bits.

  • MAC_Length: 256 bits.

For:

  • MAC = MAC_alg (Traffic_Key, Message)

HMAC-SHA3-256 for TCP-AO has the following values:

  • MAC_alg: HMAC-SHA3-256.

  • Traffic_Key: Variable; the result of the KDF.

  • Message: The message to be authenticated, as specified in [RFC5925], Section 5.1.

3.2.7. The Use of HMAC-SHA3-384

By definition, HMAC [RFC2104] requires a cryptographic hash function. SHA3-384 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC.

The three fixed elements for HMAC-SHA3-384 are:

  • KDF_Alg: KDF_HMAC_SHA3-384.

  • Key_Length: 384 bits.

  • MAC_Length: 384 bits.

For:

  • MAC = MAC_alg (Traffic_Key, Message)

HMAC-SHA3-384 for TCP-AO has the following values:

  • MAC_alg: HMAC-SHA3-384.

  • Traffic_Key: Variable; the result of the KDF.

  • Message: The message to be authenticated, as specified in [RFC5925], Section 5.1.

3.2.8. The Use of HMAC-SHA3-512

By definition, HMAC [RFC2104] requires a cryptographic hash function. SHA3-512 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC.

The three fixed elements for HMAC-SHA3-224 are:

  • KDF_Alg: KDF_HMAC_SHA3-512.

  • Key_Length: 512 bits.

  • MAC_Length: 512 bits.

For:

  • MAC = MAC_alg (Traffic_Key, Message)

HMAC-SHA3-512 for TCP-AO has the following values:

  • MAC_alg: HMAC-SHA3-512.

  • Traffic_Key: Variable; the result of the KDF.

  • Message: The message to be authenticated, as specified in [RFC5925], Section 5.1.

3.3. Truncated MAC Algorithms

The following subsections should be added to Section 3.2 of [RFC5926].

3.3.1. The Use of HMAC-SHA224-128

By definition, HMAC [RFC2104] requires a cryptographic hash function. SHA224 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC.

The three fixed elements for HMAC-SHA224-128 are:

  • KDF_Alg: KDF_HMAC_SHA224.

  • Key_Length: 224 bits.

  • MAC_Length: 128 bits.

For:

  • MAC = MAC_alg (Traffic_Key, Message)

HMAC-SHA224-128 for TCP-AO has the following values:

  • MAC_alg: HMAC-SHA224.

  • Traffic_Key: Variable; the result of the KDF.

  • Message: The message to be authenticated, as specified in [RFC5925], Section 5.1.

3.3.2. The Use of HMAC-SHA256-128

By definition, HMAC [RFC2104] requires a cryptographic hash function. SHA256 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC.

The three fixed elements for HMAC-SHA256-128 are:

  • KDF_Alg: KDF_HMAC_SHA256

  • Key_Length: 256 bits.

  • MAC_Length: 128 bits.

For:

  • MAC = MAC_alg (Traffic_Key, Message)

HMAC-SHA256-128 for TCP-AO has the following values:

  • MAC_alg: HMAC-SHA256

  • Traffic_Key: Variable; the result of the KDF.

  • Message: The message to be authenticated, as specified in [RFC5925], Section 5.1.

3.3.3. The Use of HMAC-SHA384-128

By definition, HMAC [RFC2104] requires a cryptographic hash function. SHA384 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC.

The three fixed elements for HMAC-SHA384-128 are:

  • KDF_Alg: KDF_HMAC_SHA384

  • Key_Length: 384 bits.

  • MAC_Length: 128 bits.

For:

  • MAC = MAC_alg (Traffic_Key, Message)

HMAC-SHA384-128 for TCP-AO has the following values:

  • MAC_alg: HMAC-SHA384

  • Traffic_Key: Variable; the result of the KDF.

  • Message: The message to be authenticated, as specified in [RFC5925], Section 5.1.

3.3.4. The Use of HMAC-SHA512-128

By definition, HMAC [RFC2104] requires a cryptographic hash function. SHA512 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC.

The three fixed elements for HMAC-SHA512-128 are:

  • KDF_Alg: KDF_HMAC_SHA512

  • Key_Length: 512 bits.

  • MAC_Length: 128 bits.

For:

  • MAC = MAC_alg (Traffic_Key, Message)

HMAC-SHA512-128 for TCP-AO has the following values:

  • MAC_alg: HMAC-SHA512

  • Traffic_Key: Variable; the result of the KDF.

  • Message: The message to be authenticated, as specified in [RFC5925], Section 5.1.

3.3.5. The Use of HMAC-SHA3-224-128

By definition, HMAC [RFC2104] requires a cryptographic hash function. SHA3-224 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC.

The three fixed elements for HMAC-SHA3-224-128 are:

  • KDF_Alg: KDF_HMAC_SHA3-224.

  • Key_Length: 224 bits.

  • MAC_Length: 128 bits.

For:

  • MAC = MAC_alg (Traffic_Key, Message)

HMAC-SHA3-224-128 for TCP-AO has the following values:

  • MAC_alg: HMAC-SHA3-224.

  • Traffic_Key: Variable; the result of the KDF.

  • Message: The message to be authenticated, as specified in [RFC5925], Section 5.1.

3.3.6. The Use of HMAC-SHA3-256-128

By definition, HMAC [RFC2104] requires a cryptographic hash function. SHA3-256 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC.

The three fixed elements for HMAC-SHA3-256-128 are:

  • KDF_Alg: KDF_HMAC_SHA3-256.

  • Key_Length: 256 bits.

  • MAC_Length: 128 bits.

For:

  • MAC = MAC_alg (Traffic_Key, Message)

HMAC-SHA3-256-128 for TCP-AO has the following values:

  • MAC_alg: HMAC-SHA3-256.

  • Traffic_Key: Variable; the result of the KDF.

  • Message: The message to be authenticated, as specified in [RFC5925], Section 5.1.

3.3.7. The Use of HMAC-SHA3-384-128

By definition, HMAC [RFC2104] requires a cryptographic hash function. SHA3-384 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC.

The three fixed elements for HMAC-SHA3-384-128 are:

  • KDF_Alg: KDF_HMAC_SHA3-384.

  • Key_Length: 384 bits.

  • MAC_Length: 128 bits.

For:

  • MAC = MAC_alg (Traffic_Key, Message)

HMAC-SHA3-384-128 for TCP-AO has the following values:

  • MAC_alg: HMAC-SHA3-384.

  • Traffic_Key: Variable; the result of the KDF.

  • Message: The message to be authenticated, as specified in [RFC5925], Section 5.1.

3.3.8. The Use of HMAC-SHA3-512-128

By definition, HMAC [RFC2104] requires a cryptographic hash function. SHA3-512 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC.

The three fixed elements for HMAC-SHA3-224-128 are:

  • KDF_Alg: KDF_HMAC_SHA3-512.

  • Key_Length: 512 bits.

  • MAC_Length: 128 bits.

For:

  • MAC = MAC_alg (Traffic_Key, Message)

HMAC-SHA3-512-128 for TCP-AO has the following values:

  • MAC_alg: HMAC-SHA3-512.

  • Traffic_Key: Variable; the result of the KDF.

  • Message: The message to be authenticated, as specified in [RFC5925], Section 5.1.

4. Security Considerations

TBD

5. IANA Considerations

IANA is requested to add the following entries to the "Cryptographic Algorithms for TCP-AO Registration" (https://www.iana.org/assignments/tcp-parameters/tcp-parameters.xhtml#tcp-parameters-3).

Table 1: IANA Actions
Algorithm Reference
SHA224 This Document
SHA256 This Document
SHA384 This Document
SHA512 This Document
SHA3-224 This Document
SHA3-256 This Document
SHA3-384 This Document
SHA3-512 This Document
SHA224-128 This Document
SHA256-128 This Document
SHA384-128 This Document
SHA512-128 This Document
SHA3-224-128 This Document
SHA3-256-128 This Document
SHA3-384-128 This Document
SHA3-512-128 This Document

6. Acknowledgements

TBD

7. Normative References

[DOI.10.6028_NIST.FIPS.180-4]
"Secure hash standard", National Institute of Standards and Technology (U.S.), DOI 10.6028/nist.fips.180-4, , <https://doi.org/10.6028/nist.fips.180-4>.
[DOI.10.6028_NIST.FIPS.197]
"Advanced Encryption Standard (AES)", National Institute of Standards and Technology (U.S.), DOI 10.6028/nist.fips.197, , <https://doi.org/10.6028/nist.fips.197>.
[DOI.10.6028_NIST.FIPS.202]
"SHA-3 standard :: permutation-based hash and extendable-output functions", National Institute of Standards and Technology (U.S.), DOI 10.6028/nist.fips.202, , <https://doi.org/10.6028/nist.fips.202>.
[DOI.10.6028_NIST.SP.800-38B]
Dworkin, M., "Recommendation for block cipher modes of operation :: the CMAC mode for authentication", National Institute of Standards and Technology, DOI 10.6028/nist.sp.800-38b, , <https://doi.org/10.6028/nist.sp.800-38b>.
[I-D.bonica-tcpm-extended-options]
Bonica, R. and T. Li, "TCP Extended Options", Work in Progress, Internet-Draft, draft-bonica-tcpm-extended-options-02, , <https://datatracker.ietf.org/doc/html/draft-bonica-tcpm-extended-options-02>.
[RFC2104]
Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication", RFC 2104, DOI 10.17487/RFC2104, , <https://www.rfc-editor.org/rfc/rfc2104>.
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/rfc/rfc2119>.
[RFC4615]
Song, J., Poovendran, R., Lee, J., and T. Iwata, "The Advanced Encryption Standard-Cipher-based Message Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128) Algorithm for the Internet Key Exchange Protocol (IKE)", RFC 4615, DOI 10.17487/RFC4615, , <https://www.rfc-editor.org/rfc/rfc4615>.
[RFC5925]
Touch, J., Mankin, A., and R. Bonica, "The TCP Authentication Option", RFC 5925, DOI 10.17487/RFC5925, , <https://www.rfc-editor.org/rfc/rfc5925>.
[RFC5926]
Lebovitz, G. and E. Rescorla, "Cryptographic Algorithms for the TCP Authentication Option (TCP-AO)", RFC 5926, DOI 10.17487/RFC5926, , <https://www.rfc-editor.org/rfc/rfc5926>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/rfc/rfc8174>.

Authors' Addresses

Ron Bonica
HPE
United States of America
Tony Li
HPE
United States of America