[tcpm] Feedback on draft-ietf-tcpm-tcp-ao-algs-00
Eric Biggers <ebiggers@google.com> Tue, 28 April 2026 06:58 UTC
Date: Tue, 28 Apr 2026 06:58:32 +0000
From: Eric Biggers <ebiggers@google.com>
To: tcpm@ietf.org
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/AIikOvZGovZVDOyT-CUz1o_i5nU>
I don't support draft-ietf-tcpm-tcp-ao-algs-00 in its current form. While adding a new algorithm to TCP-AO would be appropriate, the draft actually proposes adding six new algorithms. This will create fragmentation and difficulty for implementers.

Specific comments on the proposed algorithms:

HMAC-SHA3-256, HMAC-SHA3-384, and HMAC-SHA3-512 are unnecessary. SHA-3 doesn't require the HMAC construction. If a SHA-3 based MAC is really desired, a better choice would be KMAC256. That would be one algorithm, not three. However, this still might not be particularly useful: SHA-3 is very slow on most CPUs, and SHA-2 is still considered secure.

Regarding the SHA-2 offerings: HMAC-SHA256-128, HMAC-SHA384-128, and HMAC-SHA512-128 are mostly redundant with each other. They're all part of the SHA-2 family, and the MAC is being truncated to 128 bits anyway. SHA-384 and SHA-512 do have higher internal cryptographic strength, which could provide a small motivation for them. However, the value of that seems fairly marginal here, given the MAC truncation. And either way, we certainly don't need *both* SHA-384 and SHA-512.

I suggest simplifying the proposal to just HMAC-SHA256 for now. That's the only one that seems like an obvious choice. Indeed, SHA-256 is the usual replacement for the outdated SHA-1.

It may be reasonable to leave the door open to add HMAC-SHA512 and/or KMAC256, if they could be strongly motivated. But please do keep in mind the costs of fragmentation, interoperability failures, and of implementers having to implement all these algorithms.

I also suggest bringing this topic to the cfrg (https://datatracker.ietf.org/rg/cfrg/about/) for advice. There are many people there who could help choose an appropriate algorithm(s). They could also help ensure it is used in an appropriate way, including following current best practices for key derivation which the current draft appears to overlook.

- Eric
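
Added example, not part of the original message or of the draft: a Python sketch of the three SHA-2 candidates named above, showing that each yields the same 128-bit tag on the wire and that a segment verifies only when sender and receiver are configured with the same algorithm. The key and segment bytes are constructed stand-ins; TCP-AO key derivation and the exact MAC input layout are not modelled.

```python
import hashlib
import hmac

TAG_LEN = 16  # 128-bit truncation, the "-128" suffix in the names below

# The three SHA-2 candidates named in the message above.
ALGS = {
    "HMAC-SHA256-128": hashlib.sha256,
    "HMAC-SHA384-128": hashlib.sha384,
    "HMAC-SHA512-128": hashlib.sha512,
}


def make_tag(alg: str, traffic_key: bytes, segment: bytes) -> bytes:
    """Full HMAC over the segment, truncated to the leftmost 128 bits."""
    return hmac.new(traffic_key, segment, ALGS[alg]).digest()[:TAG_LEN]


def verify_tag(alg: str, traffic_key: bytes, segment: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(make_tag(alg, traffic_key, segment), tag)


def interop_matrix(traffic_key: bytes, segment: bytes) -> dict:
    """For every (sender alg, receiver alg) pair: does the segment verify?"""
    return {
        (s, r): verify_tag(r, traffic_key, segment,
                           make_tag(s, traffic_key, segment))
        for s in ALGS
        for r in ALGS
    }


# Constructed sample values, not taken from any real connection.
KEY = bytes(range(32))
SEGMENT = b"constructed stand-in for the bytes a TCP-AO MAC covers"

if __name__ == "__main__":
    for name, h in ALGS.items():
        print(f"{name}: internal digest {h().digest_size} bytes, "
              f"wire tag {make_tag(name, KEY, SEGMENT).hex()}")
    for (s, r), ok in interop_matrix(KEY, SEGMENT).items():
        print(f"sender={s:16} receiver={r:16} accepted={ok}")
```

Only the three matching pairs out of nine are accepted, and the tag is 16 bytes whichever hash sits underneath.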