The TCP Authentication Option

Abstract: This document specifies the TCP Authentication Option (TCP-AO), which obsoletes the TCP MD5 Signature option of RFC 2385 (TCP MD5). TCP-AO specifies the use of stronger Message Authentication Codes (MACs), protects against replays even for long-lived TCP connections, and provides more details on the association of security with TCP connections than TCP MD5. TCP-AO is compatible with either a static Master Key Tuple (MKT) configuration or an external, out-of-band MKT management mechanism; in either case, TCP-AO… Show more

“…PCEP implementations SHOULD also consider the additional security provided by the TCP Authentication Option (TCP-AO) [RFC5925] or Transport Layer Security (TLS) [PCEPS].…”

Domain Subobjects for the Path Computation Element Communication Protocol (PCEP)

“…PCEP implementations SHOULD also consider the additional security provided by the TCP Authentication Option (TCP-AO) [RFC5925] or Transport Layer Security (TLS) [PCEPS].…”

Domain Subobjects for the Path Computation Element Communication Protocol (PCEP)

“…The set of eligible peers could be preconfigured (as a list of either IP addresses or address/mask combinations), or it could be discovered dynamically via some secure discovery protocol. The TCP Authentication Option (TCP-AO), as defined in [RFC5925], SHOULD be used. This provides integrity and authentication for the ICCP messages and eliminates the possibility of source address spoofing.…”

Inter-Chassis Communication Protocol for Layer 2 Virtual Private Network (L2VPN) Provider Edge (PE) Redundancy

“…TCP MD5 [RFC2385] has recently been obsoleted by a new TCP Authentication Option (TCP-AO) [RFC5925]. [RFC5925] specifies the use of stronger Message Authentication Codes (MACs), protects against replays even for long-lived TCP connections, and provides more details than TCP-MD5 on the association of security with TCP connections.…”

“…[RFC5925] specifies the use of stronger Message Authentication Codes (MACs), protects against replays even for long-lived TCP connections, and provides more details than TCP-MD5 on the association of security with TCP connections. It allows rekeying during a TCP connection, assuming that an out-of-band protocol or manual mechanism provides the new keys.…”

“…However, this document covers only TCP MD5, as all current deployments are still using BGP with TCP MD5 and have not upgraded to [RFC5925]. There isn't enough operational experience present to evaluate the technical and management issues with this proposal yet.…”

Issues with Existing Cryptographic Protection Methods for Routing Protocols