TCPM Working Group R. Bonica Internet-Draft T. Li Updates: RFC 5926 (if approved) HPE Intended status: Standards Track 12 December 2025 Expires: 15 June 2026 Additional Security Algorithms For Use With TCP-AO draft-bonica-tcmp-tcp-ao-algs-00 Abstract RFC5926 specifies cryptographic algorithms for TCP-AO. It explains how to use KDF_HMAC_SHA1 and KDF_AES_128_CMAC as KDFs. It also explains how to use HMAC-SHA-1-96 and AES-128-CMAC-96 as MAC algorithms. This document specifies several new KDFs and MAC algorithms for TCP- AO. The KDFs and MAC algorithms specified in this document are based upon more recent, stronger cryptography. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 15 June 2026. Copyright Notice Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components Bonica & Li Expires 15 June 2026 [Page 1] Internet-Draft tcp-ao-algs December 2025 extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Conventions and Definitions . . . . . . . . . . . . . . . . . 4 3. Updates to RFC 5926 . . . . . . . . . . . . . . . . . . . . . 5 3.1. Concrete KDFs . . . . . . . . . . . . . . . . . . . . . . 5 3.1.1. KDF_HMAC_SHA224 . . . . . . . . . . . . . . . . . . . 5 3.1.2. KDF_HMAC_SHA256 . . . . . . . . . . . . . . . . . . . 5 3.1.3. KDF_HMAC_SHA384 . . . . . . . . . . . . . . . . . . . 5 3.1.4. KDF_HMAC_SHA512 . . . . . . . . . . . . . . . . . . . 6 3.1.5. KDF_HMAC_SHA3-224 . . . . . . . . . . . . . . . . . . 6 3.1.6. KDF_HMAC_SHA3-256 . . . . . . . . . . . . . . . . . . 6 3.1.7. KDF_HMAC_SHA3-384 . . . . . . . . . . . . . . . . . . 7 3.1.8. KDF_HMAC_SHA3-512 . . . . . . . . . . . . . . . . . . 7 3.2. Non-truncated MAC Algorithms . . . . . . . . . . . . . . 7 3.2.1. The Use of HMAC-SHA224 . . . . . . . . . . . . . . . 8 3.2.2. The Use of HMAC-SHA256 . . . . . . . . . . . . . . . 8 3.2.3. The Use of HMAC-SHA384 . . . . . . . . . . . . . . . 9 3.2.4. The Use of HMAC-SHA512 . . . . . . . . . . . . . . . 9 3.2.5. The Use of HMAC-SHA3-224 . . . . . . . . . . . . . . 10 3.2.6. The Use of HMAC-SHA3-256 . . . . . . . . . . . . . . 10 3.2.7. The Use of HMAC-SHA3-384 . . . . . . . . . . . . . . 11 3.2.8. The Use of HMAC-SHA3-512 . . . . . . . . . . . . . . 12 3.3. Truncated MAC Algorithms . . . . . . . . . . . . . . . . 12 3.3.1. The Use of HMAC-SHA224-128 . . . . . . . . . . . . . 12 3.3.2. The Use of HMAC-SHA256-128 . . . . . . . . . . . . . 13 3.3.3. The Use of HMAC-SHA384-128 . . . . . . . . . . . . . 13 3.3.4. The Use of HMAC-SHA512-128 . . . . . . . . . . . . . 14 3.3.5. The Use of HMAC-SHA3-224-128 . . . . . . . . . . . . 15 3.3.6. The Use of HMAC-SHA3-256-128 . . . . . . . . . . . . 15 3.3.7. The Use of HMAC-SHA3-384-128 . . . . . . . . . . . . 16 3.3.8. The Use of HMAC-SHA3-512-128 . . . . . . . . . . . . 16 4. Security Considerations . . . . . . . . . . . . . . . . . . . 17 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 18 7. Normative References . . . . . . . . . . . . . . . . . . . . 18 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 20 1. Introduction TCP end-points use the TCP Authentication Option (TCP-AO) [RFC5925] to authenticate segments. TCP-AO relies upon: * A Master Key Tuple (MKT) Bonica & Li Expires 15 June 2026 [Page 2] Internet-Draft tcp-ao-algs December 2025 * A Key Derivation Function (KDF) * A Message Authentication Code (MAC) algorithm TCP-AO systems are configured with one or more MKTs for each connection that they protect. When a connection is associated with multiple MKTs, TCP-AO can rotate among them during the course of a TCP session. This facilitates dynamic key change and authentication algorithm agility. An MKT includes: * Two MKT identifiers, one used for sending and one used for receiving * A connection identifier (i.e., a TCP socket pair) * A master key (i.e., a shared secret) * A KDF * A MAC algorithm * A flag indicating whether TCP options other than TCP-AO are authenticated The KDF generates a traffic key. Its inputs are: * A pseudorandom function (PRF) used to generate the traffic key * The master key * Context (i.e., A binary string containing information related to the connection) * Output length (i.e., the length of the traffic key, in bits) The MAC algorithm produces a MAC. It is defined by: * The KDF algorithm used to generate the traffic key * The length of the traffic key, in bits * The length of the MAC, in bits The following are inputs to the MAC Algorithm: * traffic key Bonica & Li Expires 15 June 2026 [Page 3] Internet-Draft tcp-ao-algs December 2025 * message TCP-AO systems include the MAC in the TCP-AO. They use the MAC to authenticate segments. [RFC5926] specifies cryptographic algorithms for TCP-AO. It explains how to use KDF_HMAC_SHA1 and KDF_AES_128_CMAC as KDFs. It also explains how to use HMAC-SHA-1-96 and AES-128-CMAC-96 as MAC algorithms. This document specifies several new KDFs and MAC algorithms for TCP- AO. The KDFs and MAC algorithms defined in this document are based upon more recent, stronger cryptography. The MAC algorithms described in Section 3.2 of this document are not truncated. They yield MACs ranging from 256 to 512 bits (i.e., 32 to 64 bytes). Therefore, when they are encoded in a TCP-AO, the TCP-AO ranges from 36 to 68 bytes. The MAC algorithms described in Section 3.3 of this document are truncated to 128 bits (i.e., 16 bytes). Therefore, when they are encoded in TCP-AO, the TCP-AO consumes 20 bytes. The TCP-AO is encoded in the TCP Options field. The TCP Options field is frequently required to carry multiple options, including the TCP-AO. Currently, the TCP-Options field cannot exceed 40 bytes. However, TCP Extended Options [I-D.bonica-tcpm-extended-options] removes this limitation. Therefore, many of the MAC algorithms described in this document can only be used on systems that support TCP Extended Options or some other mechanism that extends the TCP Options field. 2. Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. Bonica & Li Expires 15 June 2026 [Page 4] Internet-Draft tcp-ao-algs December 2025 3. Updates to RFC 5926 3.1. Concrete KDFs 3.1.1. KDF_HMAC_SHA224 For KDF_HMAC_SHA224: * PRF for KDF_alg: HMAC-SHA224 [RFC2104] [DOI.10.6028_NIST.FIPS.180-4] * Use: HMAC-SHA224(Key, Input). * Input: ( i || Label || Context || Output_Length) * Key: Master_Key, configured by user, and passed to the KDF * Output_Length: 224 bits * Result: Traffic_Key, used in the MAC function by TCP-AO 3.1.2. KDF_HMAC_SHA256 For KDF_HMAC_SHA256: * PRF for KDF_alg: HMAC-SHA256 [RFC2104] [DOI.10.6028_NIST.FIPS.180-4] * Use: HMAC-SHA256(Key, Input). * Input: ( i || Label || Context || Output_Length) * Key: Master_Key, configured by user, and passed to the KDF * Output_Length: 256 bits * Result: Traffic_Key, used in the MAC function by TCP-AO 3.1.3. KDF_HMAC_SHA384 For KDF_HMAC_SHA384: * PRF for KDF_alg: HMAC-SHA384 [RFC2104] [DOI.10.6028_NIST.FIPS.180-4] * Use: HMAC-SHA384(Key, Input). * Input: ( i || Label || Context || Output_Length) Bonica & Li Expires 15 June 2026 [Page 5] Internet-Draft tcp-ao-algs December 2025 * Key: Master_Key, configured by user, and passed to the KDF * Output_Length: 384 bits * Result: Traffic_Key, used in the MAC function by TCP-AO 3.1.4. KDF_HMAC_SHA512 For KDF_HMAC_SHA512: * PRF for KDF_alg: HMAC-SHA512 [RFC2104] [DOI.10.6028_NIST.FIPS.180-4] * Use: HMAC-SHA512(Key, Input). * Input: ( i || Label || Context || Output_Length) * Key: Master_Key, configured by user, and passed to the KDF * Output_Length: 224 bits * Result: Traffic_Key, used in the MAC function by TCP-AO 3.1.5. KDF_HMAC_SHA3-224 For KDF_HMAC_SHA3-224: * PRF for KDF_alg: HMAC-SHA3-224 [RFC2104] [DOI.10.6028_NIST.FIPS.202] * Use: HMAC-SHA3-224(Key, Input). * Input: ( i || Label || Context || Output_Length) * Key: Master_Key, configured by user, and passed to the KDF * Output_Length: 224 bits * Result: Traffic_Key, used in the MAC function by TCP-AO 3.1.6. KDF_HMAC_SHA3-256 For KDF_HMAC_SHA3-256: * PRF for KDF_alg: HMAC-SHA3-256 [RFC2104] [DOI.10.6028_NIST.FIPS.202] * Use: HMAC-SHA3-256(Key, Input). Bonica & Li Expires 15 June 2026 [Page 6] Internet-Draft tcp-ao-algs December 2025 * Input: ( i || Label || Context || Output_Length) * Key: Master_Key, configured by user, and passed to the KDF * Output_Length: 256 bits * Result: Traffic_Key, used in the MAC function by TCP-AO 3.1.7. KDF_HMAC_SHA3-384 For KDF_HMAC_SHA3-384: * PRF for KDF_alg: HMAC-SHA3-384 [RFC2104] [DOI.10.6028_NIST.FIPS.202] * Use: HMAC-SHA3-384(Key, Input). * Input: ( i || Label || Context || Output_Length) * Key: Master_Key, configured by user, and passed to the KDF * Output_Length: 384 bits * Result: Traffic_Key, used in the MAC function by TCP-AO 3.1.8. KDF_HMAC_SHA3-512 For KDF_HMAC_SHA3-512: * PRF for KDF_alg: HMAC-SHA3-512 [RFC2104] [DOI.10.6028_NIST.FIPS.202] * Use: HMAC-SHA3-512(Key, Input). * Input: ( i || Label || Context || Output_Length) * Key: Master_Key, configured by user, and passed to the KDF * Output_Length: 512 bits * Result: Traffic_Key, used in the MAC function by TCP-AO 3.2. Non-truncated MAC Algorithms The following subsections should be added to Section 3.2 of [RFC5926]. Bonica & Li Expires 15 June 2026 [Page 7] Internet-Draft tcp-ao-algs December 2025 3.2.1. The Use of HMAC-SHA224 By definition, HMAC [RFC2104] requires a cryptographic hash function. SHA224 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC. The three fixed elements for HMAC-SHA224 are: * KDF_Alg: KDF_HMAC_SHA224. * Key_Length: 224 bits. * MAC_Length: 224 bits. For: * MAC = MAC_alg (Traffic_Key, Message) HMAC-SHA224 for TCP-AO has the following values: * MAC_alg: HMAC-SHA224. * Traffic_Key: Variable; the result of the KDF. * Message: The message to be authenticated, as specified in [RFC5925], Section 5.1. 3.2.2. The Use of HMAC-SHA256 By definition, HMAC [RFC2104] requires a cryptographic hash function. SHA256 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC. The three fixed elements for HMAC-SHA256 are: * KDF_Alg: KDF_HMAC_SHA256 * Key_Length: 256 bits. * MAC_Length: 256 bits. For: * MAC = MAC_alg (Traffic_Key, Message) HMAC-SHA256 for TCP-AO has the following values: * MAC_alg: HMAC-SHA256 Bonica & Li Expires 15 June 2026 [Page 8] Internet-Draft tcp-ao-algs December 2025 * Traffic_Key: Variable; the result of the KDF. * Message: The message to be authenticated, as specified in [RFC5925], Section 5.1. 3.2.3. The Use of HMAC-SHA384 By definition, HMAC [RFC2104] requires a cryptographic hash function. SHA384 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC. The three fixed elements for HMAC-SHA384 are: * KDF_Alg: KDF_HMAC_SHA384 * Key_Length: 384 bits. * MAC_Length: 384 bits. For: * MAC = MAC_alg (Traffic_Key, Message) HMAC-SHA384 for TCP-AO has the following values: * MAC_alg: HMAC-SHA384 * Traffic_Key: Variable; the result of the KDF. * Message: The message to be authenticated, as specified in [RFC5925], Section 5.1. 3.2.4. The Use of HMAC-SHA512 By definition, HMAC [RFC2104] requires a cryptographic hash function. SHA512 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC. The three fixed elements for HMAC-SHA512 are: * KDF_Alg: KDF_HMAC_SHA512 * Key_Length: 512 bits. * MAC_Length: 512 bits. For: Bonica & Li Expires 15 June 2026 [Page 9] Internet-Draft tcp-ao-algs December 2025 * MAC = MAC_alg (Traffic_Key, Message) HMAC-SHA512 for TCP-AO has the following values: * MAC_alg: HMAC-SHA512 * Traffic_Key: Variable; the result of the KDF. * Message: The message to be authenticated, as specified in [RFC5925], Section 5.1. 3.2.5. The Use of HMAC-SHA3-224 By definition, HMAC [RFC2104] requires a cryptographic hash function. SHA3-224 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC. The three fixed elements for HMAC-SHA3-224 are: * KDF_Alg: KDF_HMAC_SHA3-224. * Key_Length: 224 bits. * MAC_Length: 224 bits. For: * MAC = MAC_alg (Traffic_Key, Message) HMAC-SHA3-224 for TCP-AO has the following values: * MAC_alg: HMAC-SHA3-224. * Traffic_Key: Variable; the result of the KDF. * Message: The message to be authenticated, as specified in [RFC5925], Section 5.1. 3.2.6. The Use of HMAC-SHA3-256 By definition, HMAC [RFC2104] requires a cryptographic hash function. SHA3-256 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC. The three fixed elements for HMAC-SHA3-256 are: * KDF_Alg: KDF_HMAC_SHA3-256. Bonica & Li Expires 15 June 2026 [Page 10] Internet-Draft tcp-ao-algs December 2025 * Key_Length: 256 bits. * MAC_Length: 256 bits. For: * MAC = MAC_alg (Traffic_Key, Message) HMAC-SHA3-256 for TCP-AO has the following values: * MAC_alg: HMAC-SHA3-256. * Traffic_Key: Variable; the result of the KDF. * Message: The message to be authenticated, as specified in [RFC5925], Section 5.1. 3.2.7. The Use of HMAC-SHA3-384 By definition, HMAC [RFC2104] requires a cryptographic hash function. SHA3-384 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC. The three fixed elements for HMAC-SHA3-384 are: * KDF_Alg: KDF_HMAC_SHA3-384. * Key_Length: 384 bits. * MAC_Length: 384 bits. For: * MAC = MAC_alg (Traffic_Key, Message) HMAC-SHA3-384 for TCP-AO has the following values: * MAC_alg: HMAC-SHA3-384. * Traffic_Key: Variable; the result of the KDF. * Message: The message to be authenticated, as specified in [RFC5925], Section 5.1. Bonica & Li Expires 15 June 2026 [Page 11] Internet-Draft tcp-ao-algs December 2025 3.2.8. The Use of HMAC-SHA3-512 By definition, HMAC [RFC2104] requires a cryptographic hash function. SHA3-512 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC. The three fixed elements for HMAC-SHA3-224 are: * KDF_Alg: KDF_HMAC_SHA3-512. * Key_Length: 512 bits. * MAC_Length: 512 bits. For: * MAC = MAC_alg (Traffic_Key, Message) HMAC-SHA3-512 for TCP-AO has the following values: * MAC_alg: HMAC-SHA3-512. * Traffic_Key: Variable; the result of the KDF. * Message: The message to be authenticated, as specified in [RFC5925], Section 5.1. 3.3. Truncated MAC Algorithms The following subsections should be added to Section 3.2 of [RFC5926]. 3.3.1. The Use of HMAC-SHA224-128 By definition, HMAC [RFC2104] requires a cryptographic hash function. SHA224 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC. The three fixed elements for HMAC-SHA224-128 are: * KDF_Alg: KDF_HMAC_SHA224. * Key_Length: 224 bits. * MAC_Length: 128 bits. For: Bonica & Li Expires 15 June 2026 [Page 12] Internet-Draft tcp-ao-algs December 2025 * MAC = MAC_alg (Traffic_Key, Message) HMAC-SHA224-128 for TCP-AO has the following values: * MAC_alg: HMAC-SHA224. * Traffic_Key: Variable; the result of the KDF. * Message: The message to be authenticated, as specified in [RFC5925], Section 5.1. 3.3.2. The Use of HMAC-SHA256-128 By definition, HMAC [RFC2104] requires a cryptographic hash function. SHA256 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC. The three fixed elements for HMAC-SHA256-128 are: * KDF_Alg: KDF_HMAC_SHA256 * Key_Length: 256 bits. * MAC_Length: 128 bits. For: * MAC = MAC_alg (Traffic_Key, Message) HMAC-SHA256-128 for TCP-AO has the following values: * MAC_alg: HMAC-SHA256 * Traffic_Key: Variable; the result of the KDF. * Message: The message to be authenticated, as specified in [RFC5925], Section 5.1. 3.3.3. The Use of HMAC-SHA384-128 By definition, HMAC [RFC2104] requires a cryptographic hash function. SHA384 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC. The three fixed elements for HMAC-SHA384-128 are: * KDF_Alg: KDF_HMAC_SHA384 Bonica & Li Expires 15 June 2026 [Page 13] Internet-Draft tcp-ao-algs December 2025 * Key_Length: 384 bits. * MAC_Length: 128 bits. For: * MAC = MAC_alg (Traffic_Key, Message) HMAC-SHA384-128 for TCP-AO has the following values: * MAC_alg: HMAC-SHA384 * Traffic_Key: Variable; the result of the KDF. * Message: The message to be authenticated, as specified in [RFC5925], Section 5.1. 3.3.4. The Use of HMAC-SHA512-128 By definition, HMAC [RFC2104] requires a cryptographic hash function. SHA512 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC. The three fixed elements for HMAC-SHA512-128 are: * KDF_Alg: KDF_HMAC_SHA512 * Key_Length: 512 bits. * MAC_Length: 128 bits. For: * MAC = MAC_alg (Traffic_Key, Message) HMAC-SHA512-128 for TCP-AO has the following values: * MAC_alg: HMAC-SHA512 * Traffic_Key: Variable; the result of the KDF. * Message: The message to be authenticated, as specified in [RFC5925], Section 5.1. Bonica & Li Expires 15 June 2026 [Page 14] Internet-Draft tcp-ao-algs December 2025 3.3.5. The Use of HMAC-SHA3-224-128 By definition, HMAC [RFC2104] requires a cryptographic hash function. SHA3-224 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC. The three fixed elements for HMAC-SHA3-224-128 are: * KDF_Alg: KDF_HMAC_SHA3-224. * Key_Length: 224 bits. * MAC_Length: 128 bits. For: * MAC = MAC_alg (Traffic_Key, Message) HMAC-SHA3-224-128 for TCP-AO has the following values: * MAC_alg: HMAC-SHA3-224. * Traffic_Key: Variable; the result of the KDF. * Message: The message to be authenticated, as specified in [RFC5925], Section 5.1. 3.3.6. The Use of HMAC-SHA3-256-128 By definition, HMAC [RFC2104] requires a cryptographic hash function. SHA3-256 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC. The three fixed elements for HMAC-SHA3-256-128 are: * KDF_Alg: KDF_HMAC_SHA3-256. * Key_Length: 256 bits. * MAC_Length: 128 bits. For: * MAC = MAC_alg (Traffic_Key, Message) HMAC-SHA3-256-128 for TCP-AO has the following values: * MAC_alg: HMAC-SHA3-256. Bonica & Li Expires 15 June 2026 [Page 15] Internet-Draft tcp-ao-algs December 2025 * Traffic_Key: Variable; the result of the KDF. * Message: The message to be authenticated, as specified in [RFC5925], Section 5.1. 3.3.7. The Use of HMAC-SHA3-384-128 By definition, HMAC [RFC2104] requires a cryptographic hash function. SHA3-384 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC. The three fixed elements for HMAC-SHA3-384-128 are: * KDF_Alg: KDF_HMAC_SHA3-384. * Key_Length: 384 bits. * MAC_Length: 128 bits. For: * MAC = MAC_alg (Traffic_Key, Message) HMAC-SHA3-384-128 for TCP-AO has the following values: * MAC_alg: HMAC-SHA3-384. * Traffic_Key: Variable; the result of the KDF. * Message: The message to be authenticated, as specified in [RFC5925], Section 5.1. 3.3.8. The Use of HMAC-SHA3-512-128 By definition, HMAC [RFC2104] requires a cryptographic hash function. SHA3-512 will be that hash function used for authenticating and providing integrity validation on TCP segments with HMAC. The three fixed elements for HMAC-SHA3-224-128 are: * KDF_Alg: KDF_HMAC_SHA3-512. * Key_Length: 512 bits. * MAC_Length: 128 bits. For: Bonica & Li Expires 15 June 2026 [Page 16] Internet-Draft tcp-ao-algs December 2025 * MAC = MAC_alg (Traffic_Key, Message) HMAC-SHA3-512-128 for TCP-AO has the following values: * MAC_alg: HMAC-SHA3-512. * Traffic_Key: Variable; the result of the KDF. * Message: The message to be authenticated, as specified in [RFC5925], Section 5.1. 4. Security Considerations TBD 5. IANA Considerations IANA is requested to add the following entries to the "Cryptographic Algorithms for TCP-AO Registration" (https://www.iana.org/assignments/tcp-parameters/tcp- parameters.xhtml#tcp-parameters-3). Bonica & Li Expires 15 June 2026 [Page 17] Internet-Draft tcp-ao-algs December 2025 +==============+===============+ | Algorithm | Reference | +==============+===============+ | SHA224 | This Document | +--------------+---------------+ | SHA256 | This Document | +--------------+---------------+ | SHA384 | This Document | +--------------+---------------+ | SHA512 | This Document | +--------------+---------------+ | SHA3-224 | This Document | +--------------+---------------+ | SHA3-256 | This Document | +--------------+---------------+ | SHA3-384 | This Document | +--------------+---------------+ | SHA3-512 | This Document | +--------------+---------------+ | SHA224-128 | This Document | +--------------+---------------+ | SHA256-128 | This Document | +--------------+---------------+ | SHA384-128 | This Document | +--------------+---------------+ | SHA512-128 | This Document | +--------------+---------------+ | SHA3-224-128 | This Document | +--------------+---------------+ | SHA3-256-128 | This Document | +--------------+---------------+ | SHA3-384-128 | This Document | +--------------+---------------+ | SHA3-512-128 | This Document | +--------------+---------------+ Table 1: IANA Actions 6. Acknowledgements TBD 7. Normative References [DOI.10.6028_NIST.FIPS.180-4] "Secure hash standard", National Institute of Standards and Technology (U.S.), DOI 10.6028/nist.fips.180-4, 2015, . Bonica & Li Expires 15 June 2026 [Page 18] Internet-Draft tcp-ao-algs December 2025 [DOI.10.6028_NIST.FIPS.197] "Advanced Encryption Standard (AES)", National Institute of Standards and Technology (U.S.), DOI 10.6028/nist.fips.197, 2001, . [DOI.10.6028_NIST.FIPS.202] "SHA-3 standard :: permutation-based hash and extendable- output functions", National Institute of Standards and Technology (U.S.), DOI 10.6028/nist.fips.202, 2015, . [DOI.10.6028_NIST.SP.800-38B] Dworkin, M., "Recommendation for block cipher modes of operation :: the CMAC mode for authentication", National Institute of Standards and Technology, DOI 10.6028/nist.sp.800-38b, 2016, . [I-D.bonica-tcpm-extended-options] Bonica, R. and T. Li, "TCP Extended Options", Work in Progress, Internet-Draft, draft-bonica-tcpm-extended- options-02, 29 September 2025, . [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- Hashing for Message Authentication", RFC 2104, DOI 10.17487/RFC2104, February 1997, . [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC4615] Song, J., Poovendran, R., Lee, J., and T. Iwata, "The Advanced Encryption Standard-Cipher-based Message Authentication Code-Pseudo-Random Function-128 (AES-CMAC- PRF-128) Algorithm for the Internet Key Exchange Protocol (IKE)", RFC 4615, DOI 10.17487/RFC4615, August 2006, . [RFC5925] Touch, J., Mankin, A., and R. Bonica, "The TCP Authentication Option", RFC 5925, DOI 10.17487/RFC5925, June 2010, . Bonica & Li Expires 15 June 2026 [Page 19] Internet-Draft tcp-ao-algs December 2025 [RFC5926] Lebovitz, G. and E. Rescorla, "Cryptographic Algorithms for the TCP Authentication Option (TCP-AO)", RFC 5926, DOI 10.17487/RFC5926, June 2010, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . Authors' Addresses Ron Bonica HPE United States of America Email: ronald.bonica@hpe.com Tony Li HPE United States of America Email: tony.li@tony.li Bonica & Li Expires 15 June 2026 [Page 20]