[tcpm] Re: draft-ietf-tcpm-tcp-ao-algs
John Mattsson <john.mattsson@ericsson.com> Tue, 05 May 2026 09:10 UTC
Return-Path: <john.mattsson@ericsson.com>
X-Original-To: tcpm@mail2.ietf.org
Delivered-To: tcpm@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 2C013E9311DE for <tcpm@mail2.ietf.org>; Tue, 5 May 2026 02:10:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1777972248; bh=vYx/6hihf28GuO7Nrvay8+O1BAzogOu0xj2or5Yn2rE=; h=From:To:CC:Subject:Date; b=UFXaGmDNjinuGBUqezCLJUUhe7Syx3FotLJK0lo1u63OEfAdZpexZZFtFFjIANSUl XTrTUPKd+5kwjwv6KMQghG205MjvcEFYf7ilh79Md69gndzBB/ZSorqQ2wvP/mYXkO Z3qk9akGeITfPtUCxkraGT2jpeGnuaBoXlYls9AM=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=ericsson.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B471LfwLoamy for <tcpm@mail2.ietf.org>; Tue, 5 May 2026 02:10:43 -0700 (PDT)
Received: from PA4PR04CU001.outbound.protection.outlook.com (mail-francecentralazon11013008.outbound.protection.outlook.com [40.107.162.8]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id E65A2E93118B for <tcpm@ietf.org>; Tue, 5 May 2026 02:10:27 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=JHBXxdb8iMp8UXW/fCaQedNifmhHWwDtV0FdkcepYyj0thjQz00W9nIZQsQdFHhN6Z5hov1DVfuzO2VokI7BrROBLcrZcRYwkv2Eq3k+VuqG3+ADXowmD5GGIuzK+qUAN51Qf8vlUsS8knBam2RS3Tb/5U3vohHsNqzpPagaOKGR+RFRn/udfEET8u3JX6iWbi/OPiWWQjGh5CSmpYgTAMb4jY9On5UtHnDwuRkJQPmELknlj3utdsIc21RogxwJGumxc8LYB8xA9QUgqufm6QQhD0TFjlXJ3FgiIupiLzWulXHO1XsbE6iyifbkYYt93zcahb4hs37YwAAdLoLqbQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=eByp3J+01JY7YnvcPiHn07Xal68Htfj3/6zUSo1ZmKw=; b=ROdDKj4ulHFw+vtx0aUgf0Et56c5b701+fFmg0jR5UXBiByaujc0Itf3cqwxsIbrQP8mIHA4XfezHNh/lIxJez4UnQ8d9ngolOSDBwj9YJlnAKSqtzg7SeAfEEQ+qbWO+R3wN4r3DQicveyN1wYDjZwMTBpJlM1i8lOnBCnBprzOtLNAyFf9CktF6viNsbMKLE2ZT9jdXvzB8RhTSsx9iFhX6Rig3TzG71cSTzZ9kgotaPqhMvjko/DBX4DIKL2Nrp8345YB7nzP9Cq3noFjGLOSdSOIfvm8RW/GBrPScOjks6PoShywGLQVGmHAilRkQs6/CKkNtLKk7UTyDXz/Hg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=eByp3J+01JY7YnvcPiHn07Xal68Htfj3/6zUSo1ZmKw=; b=NsheDlJ/98yrWOqNbQWQ22r4kvNvTgxthH8jqt8BNSuaZQgmccYr1L5BX79n57y6t+MyLcpj3+qyjE/yf0hSankWzkrYyr/lS6joHhz7ThsP3TL2dt8SZubDmA0749/B/Heul3rdorPSPkTDjNbz6KpErjAULLhzekiInuzNpoGLvtoFDtkYQunlZX+yyZV3NckFLiWKRSi1mM0sAaINi/06BaEshJytG55juhXM25geKhqrTWM3ZJwIJQXasXFMt3FnBxs/buSNVFwAwCwxV8jpDTbraxg8KCvi2ay/gJkS0OgHh4sUP5nX3nLkm8PJusoOxxa9ogoEXtOekTIwnQ==
Received: from AS4PR07MB8825.eurprd07.prod.outlook.com (2603:10a6:20b:4f3::15) by PA6PR07MB11644.eurprd07.prod.outlook.com (2603:10a6:102:51b::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9870.25; Tue, 5 May 2026 09:10:18 +0000
Received: from AS4PR07MB8825.eurprd07.prod.outlook.com ([fe80::11a4:5f37:fa92:f174]) by AS4PR07MB8825.eurprd07.prod.outlook.com ([fe80::11a4:5f37:fa92:f174%6]) with mapi id 15.20.9870.023; Tue, 5 May 2026 09:10:18 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: "Bonica, Ron" <ronald.bonica@hpe.com>, "tcpm@ietf.org Extensions" <tcpm@ietf.org>
Thread-Topic: [tcpm] draft-ietf-tcpm-tcp-ao-algs
Thread-Index: AQHc3G0rtjMdL7EBokG0o1wc5DgnVQ==
Date: Tue, 05 May 2026 09:10:18 +0000
Message-ID: <AS4PR07MB8825928FAA03F4BB3B7A40A4893E2@AS4PR07MB8825.eurprd07.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-reactions: allow
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ericsson.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: AS4PR07MB8825:EE_|PA6PR07MB11644:EE_
x-ms-office365-filtering-correlation-id: 0a3a93b4-b16d-4464-2559-08deaa8620af
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230040|366016|1800799024|376014|38070700021|13003099007|18002099003|8096899003|56012099003;
x-microsoft-antispam-message-info: hkfuJUzhnx8SlMVdjd0QDuL1cZ5mmEHwW+nBIgy5YvP020vlpE6tkvUOwLjNxfhVajAIyAEIPKwdJO8PE/i8k/KEm4G+L2d4YcrAo3TF8Q00UC00wxGUDQGrBGn11pf1uY2k8S71F/Bg/yfWOZUt47KqKSkQVH6u4XcITIaxnSk4TjK71m0cTL/I28vFFl9IABoKdsoG+PNSM5b8CXw3v7YrzbFdJJmFgmSmAvoGuaz2mrZqqyAN9DE93GA28ynt8oGefwgQ3Oe6FHqfH6oPIpCALLz1gXswtVgL8g6YtxWxuthyG6QrQjw3JfEx/TiXC3MNixSyLzDTgZfRgdRvnXiIPpJATsq670ah5lp26clLhYFNJxNuktdJwffb6tMDXRzN53U19YX7lWE4XznATH6w6HHUt/8dUvAd/a9QPq3iti+/7B0XeHGqZHXGTlAYWtCOPNAp7imOgvqD6SnGqM9NzsW7fPFJvgxPCq9xXlblzG/kTUaBNVnJcOz5LtELy6rjobhIxo5Ywy0Ec+4Xc8Q81h1wgZ+LgXlIP1uZDyTgMettvEez1VB/qXylcuvaOZd3LOw7lM81RSUgOPpPfSXJDphUK6uDIRYCWyJuEiGrFg1wga7pjhYULf9H87IKtRlVhnhY62+QfoIDuNj4YcDKTusc8/SPLD/ieIG/g2LBARehpykF0tE1b7TcjkCtAD52B3H4StjFmi7mif7YVQ==
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:AS4PR07MB8825.eurprd07.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(366016)(1800799024)(376014)(38070700021)(13003099007)(18002099003)(8096899003)(56012099003);DIR:OUT;SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: ediKtGT4Hl5gelqVZv97/nLDzDeuao0AN62VOjTNkE1f0lPzKDu3Lkt7QbThxgOAlqIj9ZDzhWOjSUEb5vmMGzXxf6NNVxJFZOfRpxZhVtpVn6FLqlUHbNl6RJekyOMfiTnwIyc6cjdsrEot83Eb2p5n9WhpYbStzrU+iX+gO7U/bEwqwKOAnPysexmcHy7uGADnAeI9k059W4Rg16mnujcawyM73IDVXuSd3bLWohyzF5YZSIZrkb4ElGPsClU58Lc4RqqAUnOupaJPsGheNQIyIDlFu2aNb++5e4LOZRE9dZqVPq8AacL+33JkXnPLQyEU672FSgYGShMl7ZedGRCPBtNjVF2CM+AvJInRJvUvSSbb3Xt0iRp2H2fnliMB6AqmjhW8dO0886XKexnf6cpJEmjrpld+SlPpsheDexxexJr2ZDBIr94orjTVYXeIs6ILhVzaKbVoYfPIqjZQW7Ga9Kt20sg2SjD6iMslWzyqog56kSw1h9J5OlJxMVbah22jBTPF7vq7HJTOdb1dBYG+HGtzwPtuqc6gjGpikreH7sK6kd6retufoMDcDU0r7oDBJJddbV1XExFqZaxlyEk+zuzBpwQ5XhuCNG6VJpHfsDyoe/+bJewc7wcPkJ1D1VwN08wJ2O6A4RTqKR02Y4phqYl6gl+kh/KzMteHuielLf7hMpe6yRcEMDfs7af+rhEe0hdV7rSDWe0LeB/0JmIw9zdlLGP6okCgvu8VVGaVEkHuaTLN9vsLsJSZjA7uHOCGqC5YiDgPXan82/uXB72etieZjmMIvieBGMb6BbYEL4h050k6xwqT5NtN6cBdLH7jrdIokxddw8UAnEEEsbOcGWZaB7bYi5xNo83vrboy6hh6KIxy1/M2+HexbazLrpDSeHYMxvmI5vW3cZMbRVpIdQPb5m9mXOepveb71C92OJUy4M/fAF7gd94MrC/QNmeveHSXgKBuS0bqhCehiGszLbWSP9/WPIccir1j26+xNEfqxX6U152eeuFX1w5DnJYtHIrG5kcVi+szbnTyjtk0LtSYUHWxSMv3lBqim4j2ltpuhQjCw505Mqx1DRH6v2nj9W5lu+w3tF9UQxBMiHwCBHu3DoYCY7ssxISGj8MgdKSTXhFAQuR/nspcu9cMwF95DWv4EhstVV5RP5UjOgJqRuCjw7nDllh/B+7EXtav2oSV4p72rM+YRa53ZPAM46NutkuTcImAnAs1bzty0h+FK2eNMWXkVZuFSMPUH/0uenxpzYHIjmyZnmkd7UvB+1KWRXL+hjEoo3g9ak7KM0UR5VN9mtLMy/l89KJ0olGF4SNsPOUp3QHJm2oKKekMcNCFY7hy7j36ZS4WrISH528Ero+AfZF2c9DFYYvHx/GuRe2/uXH0bH9VfZjXIHJ1+YqA8mv7mDrRIcBovYr42xxiJczCE88gZx3mmnHaDZyinhtcs3jRzM8w0N5MwR9yV2pW6C4U2faCNdbLg3tX3SVHl01viyuJYrPGrf6eUdky1xIYOWNXuWvQbytmW/T1XPTY1pU1Y7VowvVjKKoLykUYGbBqlRjz928WqYVuYp7jqAPOkkJfqP98mvRr8o4bp7vX/iazqccyYuWshhrlVV/wjxUzJ2Y4HoFQlNKFuIrZjOaUdqKmp1m9IqPzw3IYxnG09VEl4sgtW3XotCjzr5fgHBsO4eRswHUuAL+IBBRz1xvBwj9khI6mgF48sy0FrOtuCZBq6/XSf4mEEIH8llJoDOKAEJohzv+oK7svU6Q=
Content-Type: multipart/alternative; boundary="_000_AS4PR07MB8825928FAA03F4BB3B7A40A4893E2AS4PR07MB8825eurp_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AS4PR07MB8825.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 0a3a93b4-b16d-4464-2559-08deaa8620af
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 May 2026 09:10:18.2769 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 4C08wm4c4I9RhBKrWOGego5oxpyP0WfthP6sgHjrt2rWgKCGyO0FZEc2BZdFynkQcmU9i309sfSbP6vRt6Qrq3CaRbwkVOoHEuPRfvssAhQ=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PA6PR07MB11644
Message-ID-Hash: ZIS3S4CHEO4YGV4HRUJIXAN2SNJVOPYS
X-Message-ID-Hash: ZIS3S4CHEO4YGV4HRUJIXAN2SNJVOPYS
X-MailFrom: john.mattsson@ericsson.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tcpm.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "ebiggers@google.com" <ebiggers@google.com>, "Li, Tony" <anthony.li@hpe.com>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [tcpm] Re: draft-ietf-tcpm-tcp-ao-algs
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/Y4ONWXUGePo_xNElLWNy9s0PWK4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Owner: <mailto:tcpm-owner@ietf.org>
List-Post: <mailto:tcpm@ietf.org>
List-Subscribe: <mailto:tcpm-join@ietf.org>
List-Unsubscribe: <mailto:tcpm-leave@ietf.org>
The MACs names should not include "KDF" I do not think TCPM should standardize KDF_AES_256_CMAC MAC-AES-256-CMAC-128 Due to the narrow block length of AES-256, AES-256-CMAC does not have good properties, it integrity advantage is quadratic in the number of queries and the expected numer of forgeries is cubic in the number of queries. CMAC also have quite bad properties as a KDF. See e.g., https://emanjon.github.io/NIST-comments/2024%20-%20SP%20800-38B%20and%20800-38C.pdf AES-CMAC only make sense for IoT devices that need to use a single primitive for all crypto. If, TCPM standardize a single set of algorithms, it should be KDF_KMAC256 MAC-KMAC256-128 If you add a single new algorithm is should be SHA-3. If you add two set of algorithms it should be SHA-3 and SHA-2 KDF_KMAC256 MAC-KMAC256-128 KDF-HMAC-SHA256 MAC-HMAC-SHA256-128 Cheers, John Preuß Mattsson From: Bonica, Ron <ronald.bonica@hpe.com> Date: Monday, 4 May 2026 at 16:13 To: tcpm@ietf.org Extensions <tcpm@ietf.org> Cc: ebiggers@google.com <ebiggers@google.com>; Li, Tony <anthony.li@hpe.com> Subject: [tcpm] draft-ietf-tcpm-tcp-ao-algs Folks, In a series of off-line discussions, Eric Biggers and I have agreed that the draft should include only the following KDFs: * KDF_HMAC_SHA256 * KDF_AES_256_CMAC And the following MACs: * KDF-HMAC-SHA256-128 * KDF-AES-256-CMAC-128 Does everybody agree? If so, I will update the draft accordingly. Ron
- [tcpm] draft-ietf-tcpm-tcp-ao-algs Bonica, Ron
- [tcpm] Re: draft-ietf-tcpm-tcp-ao-algs John Mattsson
- [tcpm] Re: draft-ietf-tcpm-tcp-ao-algs Bonica, Ron
- [tcpm] Re: draft-ietf-tcpm-tcp-ao-algs Eric Biggers