IETF Logo Mail Archive

[tcpm] Re: Feedback on draft-ietf-tcpm-tcp-ao-algs-00

Tony Li <tony.li@tony.li> Tue, 28 April 2026 17:57 UTC

Return-Path: <tony1athome@gmail.com>
X-Original-To: tcpm@mail2.ietf.org
Delivered-To: tcpm@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 19ADAE4F4B9C for <tcpm@mail2.ietf.org>; Tue, 28 Apr 2026 10:57:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1777399032; bh=IaTNd0n6LDHqzkKB3m40ACrTZ+RyXMpJWM8lJ5eDxuY=; h=From:Subject:Date:In-Reply-To:Cc:To:References; b=YEzuFwfY5ylJTlkBOfWIKycv+8bnF81AamH+qUUN2OzIqWHhtkkztil0hrA9OuPh4 xbdeZlN9e05AYifVuZBxEtHd1OJ5YXNx8pKBhfaPpyC3GIjeu24klfx9/g3sZk2Cb8 H9Sur5ceIrMvZjI7rXeN5zrF0Es+L37/Qeyy5zQ4=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.996
X-Spam-Level:
X-Spam-Status: No, score=-1.996 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vBM9M-ZFUPX5 for <tcpm@mail2.ietf.org>; Tue, 28 Apr 2026 10:57:09 -0700 (PDT)
Received: from mail-dl1-x122e.google.com (mail-dl1-x122e.google.com [IPv6:2607:f8b0:4864:20::122e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id E0258E4F49B1 for <tcpm@ietf.org>; Tue, 28 Apr 2026 10:55:58 -0700 (PDT)
Received: by mail-dl1-x122e.google.com with SMTP id a92af1059eb24-12c8c9c4cd8so67153c88.0 for <tcpm@ietf.org>; Tue, 28 Apr 2026 10:55:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1777398958; x=1778003758; darn=ietf.org; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:sender:from:to:cc:subject:date:message-id:reply-to; bh=28Gh1P8h9kxStxJC+SA9FWfelkfwG9EGBb7T2zCcJAE=; b=ZIZyJ0M32AzXhcoJaQ6WfBJQ/Z2iyHxDVrnC5x9TV/HEo1lVsCEaxDGyi194fhqyL/ dSlC9TsWmdlVbSTcJRWhpYc1kztik8j1Pt+2dAGn6aZsyjUXNAXQ5y9fjmyyD+lpIcIR pUGU5AbDVVEv0wjZdZ/fVMBQ+GT9lcqJlJ0zup5fBxCcxRUkno7Le1ww0WmD0Dlek7Qx 8dMxtkbBolU0ODFHDi/Reu2Bdeo27Ym3mTaI9YK2hWjwZK+uzELNfVn1wnQ5edIyNuE2 EsNYqs0FYFtzEmz75WCfo31bm9rsbAEA6TzqMl1NckUjMapXewazBpM9FarYQnh/miGy cXVg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777398958; x=1778003758; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:sender:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=28Gh1P8h9kxStxJC+SA9FWfelkfwG9EGBb7T2zCcJAE=; b=AAmwCHG9UpuhSHhNzyR4ubq27VTZCy/G1N2PooVSJJSTzKxwO5I/UWA0nqR2h4y/eA GD4xS3LtpCTcrYLKPqcxdgHnmySbsl8ePou4ee5kKCqeM5XXvhTFxRDYDUyWsXfV7sBT dL+XPQrKQ+6RpYAoQhCCKXrSjFTbdCxbLIrY3MfJgTUhBTt3L2jNZg42FU97vzuuQuHd ltCZsgCZ1IYLTLHr5x63z1Wlb5cpKd9HBPJzuAXQMlwcRWxKc8+riREH9P5IYS3a+iFg /lEHXP4eS4P9fe3ScIq2VXoTDoEbnvMvrL9VWnNGUQa2GPzTUToC4Wd/K/ySzIc8CG0f 81eg==
X-Forwarded-Encrypted: i=1; AFNElJ+Hcb4Xx7XNFyJnx7HWl26C9geP706iZqNOQF7zxnCYI8Rud013Q+XmrWid+9mEinKm8Xvv@ietf.org
X-Gm-Message-State: AOJu0YyTirB5BlKLsk87bLNfldTRpRwt8h9UIPUHjU0l4P34NL0EUwXB eegXEhLQhdT7XxoWpSqzA/0LF5sDGxefWzXIMTe0E1iipYrGK6Shy8v/
X-Gm-Gg: AeBDiesDmOhw41MTYg4IrUV2dpZt8xAQ5T77Fa4K+WAF0HoO3Vmiced0wbQA2cm+LNx SvGo9EJMU/3pD9jG6KQG5y/sjcJWkWt7/Iy305eGgVWMahrzxSXQft4hno8t9UXcpEbXAbcLTC2 p4Q3/CXshkibTrPISVB3YwcGe12k4IvJkjH93Q/d6UZI994GeccxHgOSfLH6sOrUgfwBOi3mF4P +77elK3IMAC5zctudc5L9nTV8Div3ZfLz4uePwLTpYIJzdR+JGjYnvuLhjKbhglmPbIIA6gV2IP Dwk9tfe+DJBS09f9ebWZ/6s0HyIfLgxq9Sfaxire40iJctvnyQRzxFiyGqUv/y73u0VA3LAEZgS uZIfOaeNGVDp+nV0sLNQ9U6AeWg1hlLLulYK0JEzcNiYlhuhzICI3+HOVzn9BLrlwdDPoDYY0dn SIzPFethnIMdDA7DIey80iWMUJPYs+ss/TQ0DBVapA90ARQFCeQuHXEH1odmO53B/BVqHgnPaVL B6n
X-Received: by 2002:a05:7022:6892:b0:12d:de3e:86b1 with SMTP id a92af1059eb24-12dde4cc78emr1228170c88.20.1777398957634; Tue, 28 Apr 2026 10:55:57 -0700 (PDT)
Received: from smtpclient.apple (c-73-93-167-4.hsd1.ca.comcast.net. [73.93.167.4]) by smtp.gmail.com with ESMTPSA id a92af1059eb24-12ddd9a60f3sm3514249c88.10.2026.04.28.10.55.56 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 28 Apr 2026 10:55:57 -0700 (PDT)
Sender: Tony Li <tony1athome@gmail.com>
From: Tony Li <tony.li@tony.li>
Message-Id: <4E8F4CA7-3504-4C5F-BDD6-AEE119869C2A@tony.li>
Content-Type: multipart/alternative; boundary="Apple-Mail=_DA4005EB-CD04-4D1C-9D15-640768D99B23"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3826.700.81.1.4\))
Date: Tue, 28 Apr 2026 10:55:46 -0700
In-Reply-To: <DM4PR84MB23107B9C52B76D0859820A63F4372@DM4PR84MB2310.NAMPRD84.PROD.OUTLOOK.COM>
To: Bonica Ron <ronald.bonica=40hpe.com@dmarc.ietf.org>
References: <20260428065832.GB3813922@google.com> <DM4PR84MB231066C41AAFD689B58D21FFF4372@DM4PR84MB2310.NAMPRD84.PROD.OUTLOOK.COM> <20260428171608.GA42950@google.com> <DM4PR84MB23107B9C52B76D0859820A63F4372@DM4PR84MB2310.NAMPRD84.PROD.OUTLOOK.COM>
X-Mailer: Apple Mail (2.3826.700.81.1.4)
Message-ID-Hash: 6LUVOM7TZV7OIUNRKNLZ4RHCVKDL3TRK
X-Message-ID-Hash: 6LUVOM7TZV7OIUNRKNLZ4RHCVKDL3TRK
X-MailFrom: tony1athome@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tcpm.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Eric Biggers <ebiggers=40google.com@dmarc.ietf.org>, "tcpm@ietf.org" <tcpm@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [tcpm] Re: Feedback on draft-ietf-tcpm-tcp-ao-algs-00
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/vw1i5UOFd_f5b71c6yfajsUT-YY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Owner: <mailto:tcpm-owner@ietf.org>
List-Post: <mailto:tcpm@ietf.org>
List-Subscribe: <mailto:tcpm-join@ietf.org>
List-Unsubscribe: <mailto:tcpm-leave@ietf.org>

I prefer having at least two.  

Tony


> On Apr 28, 2026, at 10:42 AM, Bonica Ron <ronald.bonica=40hpe.com@dmarc.ietf.org> wrote:
> 
> Folks,
> 
> I would be happy to trim the draft down to 1 KDF (HMAC-SHA236) and one MAC (HMAC-SHA256-128).
> 
> Does the WG agree?
> 
>                                                          Ron
> From: Eric Biggers <ebiggers=40google.com@dmarc.ietf.org <mailto:ebiggers=40google.com@dmarc.ietf.org>>
> Sent: Tuesday, April 28, 2026 1:16 PM
> To: Bonica, Ron <ronald.bonica=40hpe.com@dmarc.ietf.org <mailto:ronald.bonica=40hpe.com@dmarc.ietf.org>>
> Cc: Eric Biggers <ebiggers=40google.com@dmarc.ietf.org <mailto:ebiggers=40google.com@dmarc.ietf.org>>; tcpm@ietf.org <mailto:tcpm@ietf.org> <tcpm@ietf.org <mailto:tcpm@ietf.org>>
> Subject: [tcpm] Re: Feedback on draft-ietf-tcpm-tcp-ao-algs-00
>  
> On Tue, Apr 28, 2026 at 03:23:59PM +0000, Bonica, Ron wrote:
> > Eric,
> > 
> > Thanks for the review. I suspect that we will trim the list of proposed algorithms. Version-00 of the draft was just a starting point.
> > 
> > You say:
> > 
> > "I suggest simplifying the proposal to just HMAC-SHA256 for now.  That's the only one that seems like an obvious choice.  Indeed, SHA-256 is the usual replacement for the outdated SHA-1."
> > 
> > Do you mean HMAC-SHA256-128? Or do you really mean HMAC-SHA256?
> > 
> > I propose HMAC-SHA256 in draft-bonica-tcpm-tcp-ao-long-algs<https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-bonica-tcpm-tcp-ao-long-algs/__;!!NpxR!ibHEtcU57NxmKdu5whL8_6s1wUbjBsR7qPAFLrNdke5w3vsAIt5w7fVNN7MW3xVHj_Vg_ZvX7QCqOxUoVyyuWWCBmS3zv_3s$ >. But if we go there, we need to solve the problem identified in TCP Extended Options<https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-bonica-tcpm-extended-options/__;!!NpxR!ibHEtcU57NxmKdu5whL8_6s1wUbjBsR7qPAFLrNdke5w3vsAIt5w7fVNN7MW3xVHj_Vg_ZvX7QCqOxUoVyyuWWCBmVcDn5IJ$ >.
> 
> By "HMAC-SHA256-128" you just mean HMAC-SHA256 with the output truncated
> to 128 bits, right?  I wasn't implying that you wouldn't need to do that
> truncation.  The TCP options header doesn't have enough space for the
> full output, after all.
> 
> Note that the full HMAC-SHA256 output still must be used in the KDF.
> 
> - Eric
> 
> _______________________________________________
> tcpm mailing list -- tcpm@ietf.org <mailto:tcpm@ietf.org>
> To unsubscribe send an email to tcpm-leave@ietf.org <mailto:tcpm-leave@ietf.org>
> _______________________________________________
> tcpm mailing list -- tcpm@ietf.org <mailto:tcpm@ietf.org>
> To unsubscribe send an email to tcpm-leave@ietf.org <mailto:tcpm-leave@ietf.org>

v2.43.4 | Report a Bug | By Email | System Status