{
  "draft": "draft-ietf-tcpm-tcp-auth-opt-11",
  "doc_id": "RFC5925",
  "title": "The TCP Authentication Option",
  "authors": [
    "J. Touch",
    "A. Mankin",
    "R. Bonica"
  ],
  "format": [
    "TEXT",
    "HTML"
  ],
  "page_count": "48",
  "pub_status": "PROPOSED STANDARD",
  "status": "PROPOSED STANDARD",
  "source": "TCP Maintenance and Minor Extensions",
  "abstract": "This document specifies the TCP Authentication Option (TCP-AO), which obsoletes the TCP MD5 Signature option of RFC 2385 (TCP MD5).  TCP-AO specifies the use of stronger Message Authentication Codes (MACs), protects against replays even for long-lived TCP connections, and provides more details on the association of security with TCP connections than TCP MD5.  TCP-AO is compatible with either a static Master Key Tuple (MKT) configuration or an external, out-of-band MKT management mechanism; in either case, TCP-AO also protects connections when using the same MKT across repeated instances of a connection, using traffic keys derived from the MKT, and coordinates MKT changes between endpoints.  The result is intended to support current infrastructure uses of TCP MD5, such as to protect long-lived connections (as used, e.g., in BGP and LDP), and to support a larger set of MACs with minimal other system and operational changes.  TCP-AO uses a different option identifier than TCP MD5, even though TCP-AO and TCP MD5 are never permitted to be used simultaneously.  TCP-AO supports IPv6, and is fully compatible with the proposed requirements for the replacement of TCP MD5. [STANDARDS-TRACK]",
  "pub_date": "June 2010",
  "keywords": [
    "transmission control protocol",
    "border",
    "gateway",
    "protocol",
    "transmission control message",
    "digest",
    "algorithm"
  ],
  "obsoletes": [
    "RFC2385"
  ],
  "obsoleted_by": [],
  "updates": [],
  "updated_by": [],
  "see_also": [],
  "doi": "10.17487/RFC5925",
  "errata_url": "https://www.rfc-editor.org/errata/rfc5925"
}