Re: [tcpm] status of TCP-MD5 after TCP-AO publication

Joe Touch <touch@ISI.EDU> Tue, 04 August 2009 16:37 UTC

Return-Path: <touch@ISI.EDU>
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_23=0.6]
Date: Tue, 04 Aug 2009 09:36:04 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird (Windows/20090605)
MIME-Version: 1.0
To: Lars Eggert <>
X-Enigmail-Version: 0.96.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-ISI-4-43-8-MailScanner: Found to be clean
Cc:, " IESG" <>
Subject: Re: [tcpm] status of TCP-MD5 after TCP-AO publication
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <>
X-List-Received-Date: Tue, 04 Aug 2009 16:37:15 -0000


Lars Eggert wrote:
> Hi,
> at the meeting, the question came up which status TCP-MD5 should have
> after TCP-AO is published. Specifically, whether it should be obsoleted
> by TCP-AO and/or if it should be reclassified as Historic. A related
> issue I came across while trying to form an opinion of the former issue
> is if the publication of TCP-AO means that we can lift the Standards
> Variance for TCP-MD5 introduced by RFC4728. (I'm CC'ing the IESG because
> of this latter point, because that Standards Variance came from the SEC
> and RTG areas.)

I think you mean RFC4278.

Because TCP-AO is intended to replace TCP MD5, and because TCP MD5 is
considered less than desirable, it seems reasonable to both put forward
AO as draft-standard and declare TCP MD5 historic at the same time.

If TCP MD5 were safer, we might consider leaving it as-is, but at this
point I think we're really trying to push the deployed both away from
TCP MD5 and towards AO, so both steps seem useful together right now.

And although, in some sense, all new protocols might be sent out first
as experimental, that is not the default process for standards developed
in the IETF per se, nor is it useful in this particular case, IMO. There
is no experiment desired or intended. There are no backward
compatibility issues, nor are there interaction issues with other
protocols. The only current component for which there is any question is
NAT support, which might be an experimental extension if published

