[tcpm] Re: Feedback on draft-ietf-tcpm-tcp-ao-algs-00

"Bonica, Ron" <ronald.bonica@hpe.com> Wed, 29 April 2026 23:54 UTC

From: "Bonica, Ron" <ronald.bonica@hpe.com>
To: Eric Biggers <ebiggers=40google.com@dmarc.ietf.org>
Date: Wed, 29 Apr 2026 23:54:43 +0000
Message-ID: <DM4PR84MB231028355B09D02D777C64B3F4342@DM4PR84MB2310.NAMPRD84.PROD.OUTLOOK.COM>
References: <20260428065832.GB3813922@google.com> <DM4PR84MB231066C41AAFD689B58D21FFF4372@DM4PR84MB2310.NAMPRD84.PROD.OUTLOOK.COM> <20260428171608.GA42950@google.com> <DM4PR84MB23107B9C52B76D0859820A63F4372@DM4PR84MB2310.NAMPRD84.PROD.OUTLOOK.COM> <20260429221615.GA746420@google.com>
In-Reply-To: <20260429221615.GA746420@google.com>
CC: "tcpm@ietf.org" <tcpm@ietf.org>
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/D7eBgn_eeH5Q0BEVVwWgVpYBevo>

Eric,

Good catch! I will make that change in the next version of the draft!

Thanks!

                                    Ron

________________________________
From: Eric Biggers <ebiggers=40google.com@dmarc.ietf.org>
Sent: Wednesday, April 29, 2026 6:16 PM
To: Bonica, Ron <ronald.bonica@hpe.com>
Cc: Bonica, Ron <ronald.bonica@hpe.com>; tcpm@ietf.org <tcpm@ietf.org>
Subject: Re: [tcpm] Re: Feedback on draft-ietf-tcpm-tcp-ao-algs-00

On Tue, Apr 28, 2026 at 05:42:14PM +0000, Bonica, Ron wrote:
> Folks,
>
> I would be happy to trim the draft down to 1 KDF (HMAC-SHA256) and one MAC (HMAC-SHA256-128).
>
> Does the WG agree?

Is the missing entropy extraction planned to be fixed as well, or is
that issue planned to be carried over from the HMAC-SHA1 support?

RFC5926 is clear that the user-provided "key" doesn't necessarily
contain full entropy for its length:

    "The Master_Key is used as the seed for the KDF.  We assume that
    this is a human-readable pre-shared key (PSK); thus, we assume it is
    of variable length."

Yet, TCP-AO uses Master_Key directly as an HMAC-SHA1 key, without first
running an entropy extractor on it (e.g., passing it as the message into
HMAC-SHA1 with an all-zeroes key).  The proposed additional algorithms
carry over this same issue.

This doesn't follow cryptographic best practices, and it makes the
system hard to analyze.  Specifically, its security depends on the
internal structure of HMAC, rather than on HMAC simply being a PRF.
I think it's probably okay in practice, but it's an odd quirk that
shouldn't really exist, especially in a new proposal.

It can be fixed by adding an entropy extraction step, like what TCP-AO
already specifies for AES-128-CMAC.

Alternatively it could be required that the user-provided key has full
entropy.  But I wouldn't recommend that: it would be error-prone to
introduce that usage requirement into TCP-AO now, when it didn't have it
from the beginning.

- Eric
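
The extraction step discussed in the message above, as an added example (not code from the draft, from RFC 5926, or from either poster). It assumes the RFC 5926 counter-mode input layout (i || Label || Context || Output_Length) carried over to HMAC-SHA256 with a 256-bit output; the connection context and the pre-shared keys are constructed values.

```python
import hashlib
import hmac
import struct

LABEL = b"TCP-AO"
OUT_BITS = 256  # assumption: output length of an HMAC-SHA256 based KDF

def kdf_input(context: bytes) -> bytes:
    # RFC 5926 layout: i (one octet, = 1) || Label || Context || Output_Length (two octets)
    return b"\x01" + LABEL + context + struct.pack("!H", OUT_BITS)

def traffic_key_direct(master_key: bytes, context: bytes) -> bytes:
    # Master_Key used directly as the HMAC key (the behaviour questioned above).
    return hmac.new(master_key, kdf_input(context), hashlib.sha256).digest()

def extract(master_key: bytes) -> bytes:
    # Extraction: Master_Key is the *message*, the key is all zeroes.
    # (HMAC zero-pads short keys, so any all-zero key up to 64 bytes is equivalent.)
    return hmac.new(bytes(32), master_key, hashlib.sha256).digest()

def traffic_key_extracted(master_key: bytes, context: bytes) -> bytes:
    return hmac.new(extract(master_key), kdf_input(context), hashlib.sha256).digest()

# Constructed context: src IP, dst IP, src port, dst port, src ISN, dst ISN.
CONTEXT = struct.pack("!4s4sHHII", bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]),
                      49152, 179, 0x11111111, 0x22222222)

# Constructed PSKs. HMAC-SHA256 hashes keys longer than 64 bytes and zero-pads
# shorter ones, so each pair below is the same HMAC key internally.
LONG_PSK = b"correct horse battery staple " * 3      # 87 bytes
LONG_TWIN = hashlib.sha256(LONG_PSK).digest()
SHORT_PSK = b"bgp-peer-secret"
SHORT_TWIN = SHORT_PSK + b"\x00"

def collides(derive, a: bytes, b: bytes) -> bool:
    return hmac.compare_digest(derive(a, CONTEXT), derive(b, CONTEXT))

if __name__ == "__main__":
    for name, derive in (("direct", traffic_key_direct), ("extracted", traffic_key_extracted)):
        print(name, "long pair collides:", collides(derive, LONG_PSK, LONG_TWIN),
              "| short pair collides:", collides(derive, SHORT_PSK, SHORT_TWIN))
```

With direct keying, both pairs of distinct Master_Key values yield the same traffic key because of how HMAC preprocesses its key; with the extraction step they yield different keys, since the Master_Key is then only ever processed as message input.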