Re: [tcpm] TCP-AO review comments.

Stefanos Harhalakis <> Sun, 10 August 2008 09:38 UTC

From: Stefanos Harhalakis <>
Date: Sun, 10 Aug 2008 12:37:46 +0300
Cc: "Anantha Ramaiah (ananth)" <>, ext Joe Touch <>

On Wednesday 06 August 2008, Lars Eggert wrote:
> So, my current thinking is that AO should maybe move TCP-MD5 to
> "historic". That would indicate that new implementations shouldn't
> implement TCP-MD5 and existing ones are encouraged to move away from
> it. But this isn't a clear -cut case. Comments?

IMHO, "shouldn't implement" in the above phrase should be changed
to "shouldn't use". For backwards compatibility reasons, implementations may
(or should) (and most probably will) implement TCP-MD5 too.

> and TCP-MD5. AO is a replacement for TCP-MD5, but it isn't a simple  
> revision or extension of TCP-MD5, it's a new mechanism to provide  
> similar functionality in a (slightly) different way.

Following your thoughts: since TCP-AO is mutually exclusive with TCP-MD5, one
cannot view them as two distinct options. This means that TCP-AO is actually
a replacement for TCP-MD5, and we can also describe it as a 'newer,
backwards-incompatible version' of the existing authentication mechanism of
TCP. Having this in mind, perhaps 'obsoletes' is correct.

Also, is there any benefit in including a (1-byte, or smaller with some unused
bits) version field in TCP-AO? This would help similar future
extensions/replacements and would also allow for easier authentication option
handshaking by falling back to the highest commonly supported method.

tcpm mailing list
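The two technical points in the mail above, that TCP-MD5 and TCP-AO are mutually exclusive on a segment and that endpoints would want to fall back to the highest commonly supported method, are easy to get wrong in a receiver. The following is an added example, not code from this thread or from the TCP-AO draft: a TCP options walker that validates every length byte, rejects any segment carrying both authentication options, and a tiny selection helper for the fallback. Assumptions not in the mail: the option kinds (19 for TCP-MD5 from RFC 2385, 29 for TCP-AO from RFC 5925; TCP-AO had no assigned kind in 2008), the TCP-AO layout of KeyID and RNextKeyID before the MAC, a preference order of AO over MD5, and the constructed sample option lists.

```python
"""Walk a TCP options list and enforce the TCP-MD5 / TCP-AO exclusivity rule."""
from __future__ import annotations

from dataclasses import dataclass

TCPOPT_EOL = 0
TCPOPT_NOP = 1
# Assumption: option kinds taken from the published RFCs (RFC 2385 for TCP-MD5,
# RFC 5925 for TCP-AO); TCP-AO had no assigned kind when this mail was written.
TCPOPT_MD5SIG = 19
TCPOPT_AO = 29
MD5SIG_DIGEST_LEN = 16  # RFC 2385: the option always carries a 16-byte digest
AO_HEADER_LEN = 2       # RFC 5925: KeyID and RNextKeyID precede the MAC


@dataclass
class TcpOption:
    kind: int
    data: bytes  # option bytes after the kind and length octets


def parse_tcp_options(opts: bytes) -> list[TcpOption]:
    """Walk the variable-length options list, validating every length byte.

    EOL terminates the list; NOP is the only other single-byte option. Any
    other kind must carry a length covering at least itself that fits in the
    remaining bytes; otherwise the segment is malformed and is rejected.
    """
    out: list[TcpOption] = []
    i, n = 0, len(opts)
    while i < n:
        kind = opts[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= n:
            raise ValueError(f"option kind {kind} truncated before its length byte")
        length = opts[i + 1]
        if length < 2 or i + length > n:
            raise ValueError(f"option kind {kind} has invalid length {length}")
        out.append(TcpOption(kind, bytes(opts[i + 2:i + length])))
        i += length
    return out


def classify_auth(options: list[TcpOption]) -> str:
    """Return which authentication option a segment carries: 'ao', 'md5' or 'none'.

    A segment carrying both is rejected outright: the mechanisms are mutually
    exclusive, so the receiver never has to choose which one to verify.
    """
    md5 = [o for o in options if o.kind == TCPOPT_MD5SIG]
    ao = [o for o in options if o.kind == TCPOPT_AO]
    if md5 and ao:
        raise ValueError("segment carries both TCP-MD5 and TCP-AO options")
    if ao:
        if len(ao[0].data) <= AO_HEADER_LEN:
            raise ValueError("TCP-AO option has no MAC after KeyID/RNextKeyID")
        return "ao"
    if md5:
        if len(md5[0].data) != MD5SIG_DIGEST_LEN:
            raise ValueError("TCP-MD5 option must carry exactly a 16-byte digest")
        return "md5"
    return "none"


def segment_auth(opts: bytes) -> str:
    """Parse and classify in one step; malformed or ambiguous input yields 'reject'."""
    try:
        return classify_auth(parse_tcp_options(opts))
    except ValueError:
        return "reject"


PREFERENCE = ("ao", "md5")  # assumption: newest mechanism first


def select_auth(local: set[str], peer: set[str]) -> str | None:
    """Pick the most-preferred mechanism both endpoints support, or None."""
    for method in PREFERENCE:
        if method in local and method in peer:
            return method
    return None


# Constructed sample option lists (not captured traffic).
SEG_AO_ONLY = bytes([TCPOPT_NOP, TCPOPT_AO, 16, 1, 2]) + b"\xaa" * 12
SEG_MD5_ONLY = bytes([TCPOPT_MD5SIG, 18]) + b"\x11" * 16 + bytes([TCPOPT_EOL])
SEG_BOTH = (bytes([TCPOPT_AO, 16, 1, 2]) + b"\xaa" * 12
            + bytes([TCPOPT_MD5SIG, 18]) + b"\x11" * 16)
SEG_NO_AUTH = bytes([2, 4, 0x05, 0xB4, TCPOPT_NOP, TCPOPT_NOP, TCPOPT_EOL])  # MSS=1460
SEG_TRUNCATED = bytes([TCPOPT_AO, 16, 1, 2]) + b"\xaa" * 4  # length claims 16, only 8 present

if __name__ == "__main__":
    for name, seg in [("ao only", SEG_AO_ONLY), ("md5 only", SEG_MD5_ONLY),
                      ("both", SEG_BOTH), ("no auth", SEG_NO_AUTH),
                      ("truncated", SEG_TRUNCATED)]:
        print(f"{name:10s} -> {segment_auth(seg)}")
    print("AO+MD5 host vs MD5-only peer ->", select_auth({"ao", "md5"}, {"md5"}))
```

The length check in parse_tcp_options is where option parsers usually break: a forged length that runs past the end of the options area must be treated as a malformed segment, not clamped. select_auth only models the endpoint-side fallback the mail asks about; it says nothing about how the supported set would be signalled on the wire.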