[tcpm] Re: Additional Security Algorithms For Use With TCP-AO
"Bonica, Ron" <ronald.bonica@hpe.com> Tue, 10 February 2026 18:15 UTC
From: "Bonica, Ron" <ronald.bonica@hpe.com>
To: Yoshifumi Nishida <nsd.ietf@gmail.com>
Date: Tue, 10 Feb 2026 18:14:40 +0000
Message-ID: <DM4PR84MB23106FBF309169A5C7E36AACF462A@DM4PR84MB2310.NAMPRD84.PROD.OUTLOOK.COM>
References: <DM4PR84MB2310F06DF364B70C1A570970F492A@DM4PR84MB2310.NAMPRD84.PROD.OUTLOOK.COM> <D2C73FF4-F60A-4EAC-8AA9-66936E3A0F68@strayalpha.com> <19EACEAC-A6DA-4DF0-B044-81888778121C@eggert.org> <7B90805D-646C-4B93-9C16-F9DF3A933416@tony.li> <3562FA6F-C968-42E0-8D2E-A3B655E059D1@strayalpha.com> <8C55B505-C579-4CF8-84B8-D078888D25A1@tony.li> <CAAK044SFKh65EDCQPo3M13JB1ACET7CG-EDBmheAMOsP_Df7Vg@mail.gmail.com> <DM4PR84MB2310FDAB355AB38D1BB48675F466A@DM4PR84MB2310.NAMPRD84.PROD.OUTLOOK.COM> <CAAK044T72UHaFdeps5yWp7YtkY47cOUM5QAFNJxpDRQySJrVBQ@mail.gmail.com> <DM4PR84MB2310636D5384B74B5D07B223F464A@DM4PR84MB2310.NAMPRD84.PROD.OUTLOOK.COM> <CAAK044Sv0raqLh_0oa6mfotdE72bLYzyUmiivP+qYPOm8AekOg@mail.gmail.com>
In-Reply-To: <CAAK044Sv0raqLh_0oa6mfotdE72bLYzyUmiivP+qYPOm8AekOg@mail.gmail.com>
CC: Tony Li <tony.li@tony.li>, Joe Touch <touch@strayalpha.com>, "tcpm@ietf.org Extensions" <tcpm@ietf.org>
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/-cHfPuzv4sAL2U1JEKLxPkMHGC8>
Yoshifumi,
Thanks for your kind response. I understand the WG's preference for a solution that has a fallback mechanism when the other side doesn't understand extended options.
I believe that we see the following scenarios:
1. A TCP session must use extended options on every segment
2. A TCP session must use extended options, but only after session establishment
3. A TCP session works better with extended options, but also works without them
4. A TCP session doesn't need extended options at all
In Scenario 1, capability negotiation isn't an option. The TCP session has no choice other than using extended options in the first segment and risking failure. Draft-bonica is sufficient in this scenario.
In Scenarios 2, 3, and 4, capability negotiation is an option. The TCP endpoints can negotiate extended option capability using a mechanism like that specified in EDO. If both endpoints support extended options, they can proceed to use the mechanism described in draft-bonica.
I propose letting draft-bonica and EDO proceed independently, because we don't know when there will be an urgent need for draft-bonica. However, the authors of these drafts should work together, because in the end state, one draft will provide capability negotiation for the other.
Ron
________________________________
From: Yoshifumi Nishida <nsd.ietf@gmail.com>
Sent: Tuesday, February 10, 2026 1:28 AM
To: Bonica, Ron <ronald.bonica@hpe.com>
Cc: Tony Li <tony.li@tony.li>; Joe Touch <touch@strayalpha.com>; Lars Eggert <lars@eggert.org>; tcpm@ietf.org Extensions <tcpm@ietf.org>
Subject: Re: [tcpm] Re: Additional Security Algorithms For Use With TCP-AO
Hi Ron,
I don't think the draft is problematic.
I might be wrong, but my personal impression is that people in the community seem to prefer a scheme that has a fall back mechanism rather than 'if the other end doesn't support it, the connection just fails' as a standard.
--
Yoshi
On Sun, Feb 8, 2026 at 1:19 PM Bonica, Ron <ronald.bonica@hpe.com> wrote:
Yoshifumi,
Thanks for your consideration.
In the long term, we cannot allow truncation in the SYN. While we can rely on truncation in the short term, we don't know when that short term will end.
We must deploy untruncated MACs before attackers can defeat truncated ones. Given the lead time between standardization and deployment, we should probably begin work today.
Why is the solution proposed in draft-bonica problematic so long as:
* Extended options are never used unless they are used in the first two segments of the session
* The application can tolerate a session establishment time-out when both parties don't support extended options
Also, could a signaling solution like that proposed in EDO be added later, so that the above-mentioned limitations would no longer apply?
I ask this question in sincerity. If I am missing something, please inform me.
Ron
________________________________
From: Yoshifumi Nishida <nsd.ietf@gmail.com>
Sent: Sunday, February 8, 2026 5:54 AM
To: Bonica, Ron <ronald.bonica@hpe.com>
Cc: Tony Li <tony.li@tony.li>; Joe Touch <touch@strayalpha.com>; Lars Eggert <lars@eggert.org>; tcpm@ietf.org Extensions <tcpm@ietf.org>
Subject: Re: [tcpm] Re: Additional Security Algorithms For Use With TCP-AO
Hi Ron,
Thanks for the comments. I basically support using non-truncated MACs. I am just wondering if we can allow truncation only for the SYN.
In this way, I think we don't need to think about extending the SYN option space, which is very tricky. In the meantime, I think we might be able to utilize EDO for extending option space in data segments to avoid truncation.
The current drawback of EDO is that it needs to disable GSO/GRO; however, if we use EDO with TCP-AO, this won't be an issue.
--
Yoshi
On Fri, Feb 6, 2026 at 12:47 PM Bonica, Ron <ronald.bonica@hpe.com> wrote:
Yoshifumi,
Sorry for the slow response. I have been on holiday.
draft-bonica-tcpm-extended-options and draft-bonica-tcpm-tcp-ao-algs seek to satisfy the following customer requirement:
* Authenticate every segment in a long-lived TCP session with algorithms like HMAC-SHA256, HMAC-SHA384 and HMAC-SHA512
The solution is negotiable, but the customer requirement is not.
The customers realize that it is very difficult to increase the size of the TCP Options field. So, they are willing to accept truncated MACs as an expedient (e.g., HMAC-SHA512-128). So, draft-bonica-tcpm-tcp-ao-algs describes how to use such algorithms with TCP-AO.
However, truncation is only an expedient. Furthermore, this degree of truncation can violate the guidance offered in Section 5 of RFC 2104.
While I have great respect for existing work, I think that the customer requirement is reasonable. I don't think that pushing back on any part of the requirement is a viable option.
Ron
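The two constraints Ron's message above puts side by side, the 40-byte TCP option space and the truncation floor in Section 5 of RFC 2104 (the truncated output t should be at least half the hash output length L and at least 80 bits), can be checked mechanically. The following Python is an added example written for this archive page; it is not code from any draft or participant in the thread. It assumes the "HMAC-SHA512-128" naming means "HMAC-SHA512 with the leftmost 128 bits kept", uses the RFC 5925 TCP-AO option layout (Kind, Length, KeyID, RNextKeyID, then the MAC), and feeds the HMAC a constructed byte string rather than the exact RFC 5925 MAC input (IP pseudo-header plus TCP header with the MAC field zeroed). The 20-byte figure for "other SYN options" is an assumed typical set (MSS, SACK-permitted, Timestamps, Window Scale, one NOP), not a value from the thread.

```python
import hmac

# Hash output length L in bits for the HMAC functions named in the thread.
HASH_OUTPUT_BITS = {"sha256": 256, "sha384": 384, "sha512": 512}

# TCP Data Offset is 4 bits of 32-bit words: header <= 60 bytes, options <= 40 bytes.
TCP_MAX_OPTION_BYTES = 40

# TCP-AO option (RFC 5925): Kind(1) Length(1) KeyID(1) RNextKeyID(1) MAC(variable).
TCP_AO_FIXED_BYTES = 4

# Constructed sample input and key (labelled as constructed; not a real session).
SAMPLE_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
SAMPLE_SEGMENT = b"constructed-pseudo-header+tcp-header+payload"


def truncated_hmac(hash_name: str, key: bytes, data: bytes, out_bits: int) -> bytes:
    """HMAC-<hash>-<out_bits>: compute the full HMAC, keep the leftmost out_bits bits."""
    if out_bits % 8 or out_bits > HASH_OUTPUT_BITS[hash_name]:
        raise ValueError("truncation length must be a whole number of bytes <= hash output")
    return hmac.new(key, data, hash_name).digest()[: out_bits // 8]


def meets_rfc2104_guidance(hash_name: str, out_bits: int) -> bool:
    """RFC 2104 Section 5 floor: t >= L/2 (birthday bound) and t >= 80 bits."""
    full_bits = HASH_OUTPUT_BITS[hash_name]
    return out_bits >= full_bits // 2 and out_bits >= 80


def tcp_ao_option_len(mac_bits: int) -> int:
    """Total TCP-AO option length in bytes for a MAC of mac_bits bits."""
    return TCP_AO_FIXED_BYTES + mac_bits // 8


def fits_tcp_option_space(mac_bits: int, other_option_bytes: int) -> bool:
    """True if the TCP-AO option plus the other options fit in 40 bytes."""
    return tcp_ao_option_len(mac_bits) + other_option_bytes <= TCP_MAX_OPTION_BYTES


def truncation_report(hash_name: str, out_bits: int, other_option_bytes: int) -> dict:
    """Summarise both constraints for one (hash, truncation) choice."""
    return {
        "algorithm": f"HMAC-{hash_name.upper()}-{out_bits}",
        "option_len": tcp_ao_option_len(out_bits),
        "fits_40_bytes": fits_tcp_option_space(out_bits, other_option_bytes),
        "rfc2104_ok": meets_rfc2104_guidance(hash_name, out_bits),
    }


if __name__ == "__main__":
    # Assumed typical SYN option load: MSS 4 + SACK-permitted 2 + Timestamps 10 + WScale 3 + NOP 1.
    other = 20
    for name, bits in [("sha256", 256), ("sha256", 128), ("sha384", 192),
                       ("sha512", 512), ("sha512", 256), ("sha512", 128)]:
        print(truncation_report(name, bits, other))
    tag = truncated_hmac("sha512", SAMPLE_KEY, SAMPLE_SEGMENT, 128)
    print("HMAC-SHA512-128 tag:", tag.hex())
```

Running the report shows the tension the thread is about: every full-length MAC from the customer's list fails the 40-byte budget once ordinary SYN options are present, while the one that does fit, HMAC-SHA512-128, keeps only a quarter of the hash output and therefore falls below the RFC 2104 half-length recommendation. HMAC-SHA256-128 is the only listed choice that clears the RFC 2104 floor and still leaves room, which is consistent with Ron's point that this degree of truncation is an expedient rather than a long-term answer.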
________________________________
From: Yoshifumi Nishida <nsd.ietf@gmail.com>
Sent: Monday, February 2, 2026 5:39 AM
To: Tony Li <tony.li@tony.li>
Cc: Joe Touch <touch@strayalpha.com>; Lars Eggert <lars@eggert.org>; Bonica, Ron <ronald.bonica@hpe.com>; tcpm@ietf.org Extensions <tcpm@ietf.org>
Subject: Re: [tcpm] Re: Additional Security Algorithms For Use With TCP-AO
On Sat, Jan 31, 2026 at 5:04 PM Tony Li <tony.li@tony.li> wrote:
> However, it’s been a decade and the former remains in-process and the latter has not been adopted by the WG.
It would seem that there is no interest.
I personally think there is some interest. But extending option space is not an easy issue for TCP, especially for SYN segments.
One thing I am wondering is if this draft can always fit the option into SYN packets without extending option space. This is because extending SYN option space is quite controversial.
OTOH, in my personal opinion, EDO which extends option space for non-SYN segments could proceed it.
The last time I presented Kuniyuki's Linux implementation for EDO (https://datatracker.ietf.org/meeting/121/materials/slides-121-tcpm-tcp-extended-data-offset-option)
Some folks disagreed with proceeding with EDO because we will need to turn off GSO/GRO. However, the TCP-AO implementation already does the same thing.
If the blocking point of EDO draft is disabling GSO/GRO, it seems we have a realistic use case by using it for new TCP-AO even with this drawback.
--
Yoshi