<?xml version="1.0" encoding="UTF-8"?>
  <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
  <!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.14 (Ruby 3.3.8) -->


<!DOCTYPE rfc  [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">

]>


<rfc ipr="trust200902" docName="draft-piraux-tcp-ao-tls-04" category="exp" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true">
  <front>
    <title abbrev="Opp-TCP-AO">Opportunistic TCP-AO with TLS</title>

    <author initials="O." surname="Bonaventure" fullname="Olivier Bonaventure">
      <organization>UCLouvain &amp; WELRI</organization>
      <address>
        <email>olivier.bonaventure@uclouvain.be</email>
      </address>
    </author>
    <author initials="M." surname="Piraux" fullname="Maxime Piraux">
      <organization>Unaffiliated</organization>
      <address>
        <email>maxime.piraux@uclouvain.be</email>
      </address>
    </author>
    <author initials="T." surname="Wirtgen" fullname="Thomas Wirtgen">
      <organization>Unaffiliated</organization>
      <address>
        <email>thomas.wirtgen@gmail.com</email>
      </address>
    </author>

    <date year="2026" month="July" day="06"/>

    <area>Transport</area>
    <workgroup>TCPM</workgroup>
    <keyword>tcp</keyword> <keyword>tls</keyword> <keyword>tcp-ao</keyword>

    <abstract>


<?line 54?>

<t>This document specifies an opportunistic mode for TCP-AO when used with TLS.
In this mode, the TCP connection starts with a well-known authentication key
which is later replaced by a secure key derived from the TLS handshake.</t>



    </abstract>

    <note title="About This Document" removeInRFC="true">
      <t>
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-piraux-tcp-ao-tls/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        TCPM Working Group mailing list (<eref target="mailto:tcpm@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/tcpm/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/tcpm/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/IPNetworkingLab/draft-tcp-ao-tls"/>.</t>
    </note>


  </front>

  <middle>


<?line 61?>

<section anchor="introduction"><name>Introduction</name>

<t>The TCP Authentication Option (TCP-AO) <xref target="RFC5925"/> provides integrity
protection for long-lived TCP connections. It assumes that the communicating
hosts share a Master Key Tuple (MKT). This MKT is used to derive traffic
keys to authenticate the TCP packets exchanged by the two hosts.
TCP-AO supports different authentication algorithms <xref target="RFC5926"/>.</t>

<t>TCP-AO protects the integrity of all the packets exchanged during a TCP
connection, including the SYNs. Such a protection is important for some specific
services, but many applications would benefit from the integrity protection
offered by TCP-AO, notably against RST attacks or injection attacks that can
happen later in the connection. Unfortunately, from a deployment viewpoint,
for many applications
that use long-lived TCP connections, having an existing MKT on the client
and the server before establishing a connection is a severe limitation.</t>

<t>This document proposes a way to derive a MKT from the TLS secure handshake <xref target="RFC8446"/>.
Before the TLS handshake completes, this document defines default keys which
offer a limited protection to the first TCP packets of the connection.
These default keys are then replaced by secure keys to protect the integrity of
subsequent packets past the TLS handshake. This
prevents packet injection attacks that could result in the failure of the TLS
connection.</t>

<t>This mechanism can be used to authenticate the TCP packets of BGP sessions when TLS
is used as discussed in <xref target="CONEXT24"/>,<xref target="I-D.hbq-bgp-tls-auth"/>,<xref target="I-D.wirtgen-bgp-tls"/>.</t>

<t>This document is organised as follows. We provide a brief overview of
Opportunistic TCP-AO in section <xref target="overview"/>. Then section <xref target="format"/> discusses the
required changes to TCP-AO and TLS.</t>

</section>
<section anchor="conventions-and-definitions"><name>Conventions and Definitions</name>

<t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>

<?line -18?>

<section anchor="notational-conventions"><name>Notational conventions</name>

<t>This document uses network byte order (that is, big endian) values.
Fields are placed starting from the high-order bits of each byte.</t>

</section>
</section>
<section anchor="overview"><name>An overview of Opportunistic TCP-AO</name>

<t>In a nutshell, an opportunistic TCP-AO connection starts like a TCP-AO
connection, i.e. the SYNs and all subsequent packets are authenticated,
but using a MKT with a default key specified in this document.
Then, during the TLS handshake,
both endpoints announce the parameters they will use for their MKT. When the
TLS handshake completes, they both can securely derive an MKT from the
TLS secrets and use this new MKT to protect subsequent packets.
Thus, the beginning of the connection is not protected against
packet modifications and packet injection attacks. The real protection only
starts once the TLS handshake finishes.</t>

<t>Figure <xref target="fig-overview-handshake"/> illustrates the establishment of an
opportunistic TCP-AO connection. The client sends a SYN packet using
the default MKT defined in this document. The TCP-AO option in the SYN
packet indicates the use of this default MKT. The server validates the TCP-AO
option and replies with an integrity protected SYN+ACK.
The client confirms the establishment
of the TCP-AO connection with an ACK and sends a TLS ClientHello containing
the AO Extension defined in this document. This
extension specifies the authentication algorithms that the client will use when
sending TCP packets on the connection and whether TCP options will be protected.
At this point the server can derive from the TLS keys the TCP-AO keys to use
for validating client's packets.
The server replies with TLS ServerHello and TLS EncryptedExtensions
that are sent in packets protected with the default TCP-AO MKT.
To finish the setting up of TCP-AO, the server includes the AO Extension in
the sent EncryptedExtensions to announce the parameters it will use to
protect the packets it will send.
It then derives the new key and installs it in its TCP-AO MKT.
Upon reception of these messages, the client can derive the TLS and
TCP-AO keys. It installs the TCP-AO keys in its MKT and sends the Finished
message protected with the new MKT. All the packets exchanged after the
Finished message are protected using the MKT derived from the secure TLS handshake.
The initial TCP-AO key remains available on the client and server to support
retransmissions until the derivation of the next key (K_2).</t>

<figure title="Starting an opportunistic TCP-AO connection
with TLS. The messages between brackets are authenticated using the TCP-AO MKT derived from the TLS handshake." anchor="fig-overview-handshake"><artwork><![CDATA[
Client                                   Server
 |            SYN (KeyID=0, RNextID=0)       | [uses default key]
 |------------------------------------------>|
 |          SYN+ACK (KeyID=0, RNextID=0)     |
 |<------------------------------------------|
 |       ACK, TLS ClientHello + AO           |
 |          (KeyID=0, RNextID=0)             |
 |------------------------------------------>|
 |  TLS ServerHello, TLS Enc.Extensions + AO |
 |          (KeyID=0, RNextID=x)             |
 |<------------------------------------------|
 |              [TLS Finished]               |
 |           (KeyID=0, RNextID=0)            |
 |------------------------------------------>|
 |   [K_1 installed and promoted on server]  |
 |   [K_1 installed and promoted on client]  |
 |              [TLS records]                |
 |           (KeyID=1, RNextID=1)            |
 |<----------------------------------------->| [uses secure key]
]]></artwork></figure>

<t>The TCP-AO can be changed during the lifetime of the TLS session. To derive
a new TCP-AO key, this document uses the HKDF-Expand construction <xref target="RFC5869"/>.</t>

</section>
<section anchor="format"><name>Opportunistic TCP-AO</name>

<section anchor="the-tcpao-tls-extension"><name>The TCPAO TLS Extension</name>

<t>This document specifies one TLS extension to support the opportunistic
utilization of TCP-AO with keys derived from the TLS secure handshake.
The extension is used by endpoints to specify the parameters of the MKT
they will use to protect the TCP packets they send.</t>

<figure><artwork><![CDATA[
enum {
    tcp_ao(TBD),
    (65535)
} ExtensionType;
]]></artwork></figure>

<t>The format for the "tcp_ao" extension is defined by:</t>

<figure><artwork><![CDATA[
   enum {
      tcp_option_protection_disabled(0),
      tcp_option_protection_enabled(1),
      (255)
   } TCPAOOptionProt;

   enum {
      HMAC-SHA-1-96(0),
      AES-128-CMAC-96(1),
      (255)
   } TCPAOAuth;

   enum {
      KDF_HMAC_SHA1(0),
      KDF_AES_128_CMAC(1),
      (255)
   } TCPAOKDF;

   struct {
      TCPAOOptionProt prot;
      TCPAOAuth auth;
      TCPAOKDF kdf;
   } TCPAO;
]]></artwork></figure>

<t>The TCPAOOptionProt indicates whether the endpoint will protect the integrity
of TCP options or not. The TCPAOAuth specifies
the authentication algorithm defined in <xref target="RFC5926"/> that will be
used to protect the packets. The TCPAOKDF specifies the key derivation
function defined in <xref target="RFC5926"/> and that the endpoint will use to derive its
keys. If the peer did not use this option when initiating the TLS session, this
document assumes the following default:</t>

<t><list style="symbols">
  <t>no integrity protection for the TCP options</t>
  <t>The default key derivation function is KDF_AES_128_CMAC</t>
  <t>The default message authentication code is AES-128-CMAC-96</t>
</list></t>

</section>
<section anchor="the-initial-mkt"><name>The initial MKT</name>

<t>To support the establishment of opportunistic TCP-AO connections, the
client and the server must be configured with a default MKT. This default
MKT is used to authenticate the packets until the derivation of the secure
MKT from the TLS keying material. This document defines the following default MKT:</t>

<t><list style="symbols">
  <t>TCP connection identifier: selected by the TCP stack.</t>
  <t>TCP option flag. The default MKT assumes that TCP options are not included
in the MAC calculation.</t>
  <t>The current values for the SendID and RecvID are set to 0.</t>
  <t>The Master secret is set to 0x1cebb1ff.</t>
  <t>The default key derivation function is KDF_AES_128_CMAC.</t>
  <t>The default message authentication code is AES-128-CMAC-96.</t>
</list></t>

<t>Given that the TCP-AO KeyID is a local field and has no global meaning,
hosts have no guarantee that a KeyID of 0 will be unequivocally recognised as
designating the default MKT specified in this document.
<xref section="7.5.1" sectionFormat="of" target="RFC5925"/> indicates that hosts receiving SYN segments with
TCP-AO enabled and no matching MKT should remove the option and accept them.
A client initiating a TCP connection in the opportunistic mode of TCP-AO
<bcp14>MUST</bcp14> check that the server accepted the use of TCP-AO in this mode by replying
using the default MKT before deriving a secure MKT as described in this
document.</t>

</section>
<section anchor="derivation-of-the-first-tcp-ao-mkt-k1"><name>Derivation of the first TCP AO MKT (K_1)</name>

<t>The Master key for the MKT to protect the TCP packets after the transmission
of the Finished messages is derived from the Exporter Master Secret using
Keying Material Exporters <xref target="RFC5705"/>:</t>

<figure><artwork><![CDATA[
struct {
   TCPAO ao;
   uint8 key_id;
} TCPAOKeyExporterContext;
]]></artwork></figure>

<figure><artwork><![CDATA[
TLS-Exporter("tcp-ao", TCPAOKeyExporterContext, 32)
   = tcp_ao_secret
]]></artwork></figure>

<t>The TLS-Exporter function receives the label "tcp-ao", with the parameters of
the MKT and the KeyID as context as defined in the TCPAO structure within
<xref target="the-tcpao-tls-extension"/>. It generates a 32-byte secret.</t>

<t>In this document both endpoints use the same value for SendID and RecvID.
Implementations <bcp14>MUST</bcp14> use SendID = RecvID for each MKT derived from the
TLS Exporter and for each subsequent ratchet step. The value 0 is reserved for the
default MKT; derived KeyIDs <bcp14>MUST</bcp14> be in the range 1–254.
The KeyID <bcp14>MUST</bcp14> be different from the default KeyID of 0.</t>

<t>The traffic keys used by the client and the server can then be derived
from this secret using the procedures defined in <xref target="RFC5925"/> and
<xref target="RFC5926"/>.</t>

<t>After K_1 is installed and promoted as the send key, the initial MKT (K_0) is retained as
a receive-only fallback to allow the peer's in-flight TLS Finished to be retransmitted as
it may still carry K_0 authentication.
K_0 is deleted when the first HKDF ratchet step installs K_2 (see <xref target="rekey"/>).
At any moment exactly two MKTs coexist: the current send key and the previous key kept
as a receive fallback.</t>

<t>After K_1 is installed, the client and server stop using the
initial MKT defined in <xref target="the-initial-mkt"/>.</t>

</section>
<section anchor="rekey"><name>Key Rotation</name>

<t>After K_1 is installed, endpoints rotate to a new MKT using an
HKDF ratchet. Each rotation derives the next key from the current one using HKDF-Expand <xref target="RFC5869"/>:</t>

<figure><artwork><![CDATA[
  K_{n+1} = HKDF-Expand(
      PRK  = K_n,
      info = "tcp-ao-rekey",
      L    = 32 octets,
      Hash = SHA-256
  )
]]></artwork></figure>

<t>When installing K_i+1, a peer <bcp14>SHOULD</bcp14> still keep K_i to accept delayed
packets using K_i for some time.</t>

<t>KeyIDs cycle in the range 1–254. Reuse of a KeyID is safe because each
reuse carries a distinct ratchet-derived secret.</t>

<t>Keys that are no longer in use <bcp14>SHOULD</bcp14> be wiped out of memory after each HKDF-Expand.</t>

</section>
</section>
<section anchor="security-considerations"><name>Security Considerations</name>

<t>TCP-AO provides a protection against the injection of TCP RST or other types of packet injection. This can impact
legitimate connectionless resets, e.g. when an endpoint loses the required state
to send TCP-AO segments. <xref section="7.7" sectionFormat="of" target="RFC5925"/> provides recommendations to
mitigate this effect.</t>

<t>Using TCP-AO with TLS can also inhibit the triggering of the "bad_record_mac"
alert that abruptly closes the TLS session when a decryption error occurs. For
instance, injected packets will fail the TCP-AO authentication and be ignored
by the receiver instead. This also prevents sessionless resets at the TLS level,
and similar recommendations to <xref section="7.7" sectionFormat="of" target="RFC5925"/> can apply.</t>

<t>The ratchet state <bcp14>SHOULD</bcp14> be wiped when the session closes.</t>

</section>
<section anchor="iana-considerations"><name>IANA Considerations</name>

<t>IANA is requested to create a new "Opportunistic TCP-AO with TLS" heading for
the new registries defined in this section. New registrations under this heading
follow the "Specification Required" policy of <xref target="RFC8126"/>.</t>

<t>IANA is requested to add the following entries to the existing "TLS
ExtensionType Values" registry.</t>

<texttable>
      <ttcol align='left'>Value</ttcol>
      <ttcol align='left'>Extension Name</ttcol>
      <ttcol align='left'>TLS 1.3</ttcol>
      <ttcol align='left'>Recommended</ttcol>
      <ttcol align='left'>Reference</ttcol>
      <c>TBD</c>
      <c>tcp_ao</c>
      <c>CH, EE</c>
      <c>N</c>
      <c>This document</c>
</texttable>

<t>Note that "Recommended" is set to N as this extension is intended for
uses as described in this document.</t>

<t>IANA is requested to create a new registry "Authentication Algorithms" under
the "Opportunistic TCP-AO with TLS" heading.</t>

<t>The registry governs an 8-bit space. Entries in this registry must include a
"Algorithm name" field containing a short mnemonic for the algorithm. Its
initial content is presented in <xref target="the-tcpao-tls-extension"/> in
the TCPAOAuth enum. The registry has a "Reference" column. It is set to
<xref target="RFC5926"/> for the two initial algorithms.</t>

<t>IANA is requested to create a new registry "Key Derivation Functions" under
the "Opportunistic TCP-AO with TLS" heading.</t>

<t>The registry governs an 8-bit space. Entries in this registry must include a
"Key Derivation Function name" field containing a short mnemonic for the function. Its
initial content is presented in <xref target="the-tcpao-tls-extension"/> in
the TCPAOKDF enum. The registry has a "Reference" column. It is set to
<xref target="RFC5926"/> for the two initial functions.</t>

</section>
<section numbered="false" anchor="acknowledgments"><name>Acknowledgments</name>

<t>The authors thank Dimitri Safonov for the TCP-AO implementation in Linux.
The authors thank Michael Tüxen, Yoshifumi Nishida and Alessandro Ghedini for
their questions and comments on the document during the TCPM meeting at IETF 118.</t>

</section>
<section numbered="false" anchor="change-log"><name>Change log</name>

</section>


  </middle>

  <back>


    <references title='Normative References' anchor="sec-normative-references">



<reference anchor="RFC5925">
  <front>
    <title>The TCP Authentication Option</title>
    <author fullname="J. Touch" initials="J." surname="Touch"/>
    <author fullname="A. Mankin" initials="A." surname="Mankin"/>
    <author fullname="R. Bonica" initials="R." surname="Bonica"/>
    <date month="June" year="2010"/>
    <abstract>
      <t>This document specifies the TCP Authentication Option (TCP-AO), which obsoletes the TCP MD5 Signature option of RFC 2385 (TCP MD5). TCP-AO specifies the use of stronger Message Authentication Codes (MACs), protects against replays even for long-lived TCP connections, and provides more details on the association of security with TCP connections than TCP MD5. TCP-AO is compatible with either a static Master Key Tuple (MKT) configuration or an external, out-of-band MKT management mechanism; in either case, TCP-AO also protects connections when using the same MKT across repeated instances of a connection, using traffic keys derived from the MKT, and coordinates MKT changes between endpoints. The result is intended to support current infrastructure uses of TCP MD5, such as to protect long-lived connections (as used, e.g., in BGP and LDP), and to support a larger set of MACs with minimal other system and operational changes. TCP-AO uses a different option identifier than TCP MD5, even though TCP-AO and TCP MD5 are never permitted to be used simultaneously. TCP-AO supports IPv6, and is fully compatible with the proposed requirements for the replacement of TCP MD5. [STANDARDS-TRACK]</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="5925"/>
  <seriesInfo name="DOI" value="10.17487/RFC5925"/>
</reference>
<reference anchor="RFC5705">
  <front>
    <title>Keying Material Exporters for Transport Layer Security (TLS)</title>
    <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
    <date month="March" year="2010"/>
    <abstract>
      <t>A number of protocols wish to leverage Transport Layer Security (TLS) to perform key establishment but then use some of the keying material for their own purposes. This document describes a general mechanism for allowing that. [STANDARDS-TRACK]</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="5705"/>
  <seriesInfo name="DOI" value="10.17487/RFC5705"/>
</reference>
<reference anchor="RFC8446">
  <front>
    <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
    <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
    <date month="August" year="2018"/>
    <abstract>
      <t>This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
      <t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8446"/>
  <seriesInfo name="DOI" value="10.17487/RFC8446"/>
</reference>
<reference anchor="RFC5926">
  <front>
    <title>Cryptographic Algorithms for the TCP Authentication Option (TCP-AO)</title>
    <author fullname="G. Lebovitz" initials="G." surname="Lebovitz"/>
    <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
    <date month="June" year="2010"/>
    <abstract>
      <t>The TCP Authentication Option (TCP-AO) relies on security algorithms to provide authentication between two end-points. There are many such algorithms available, and two TCP-AO systems cannot interoperate unless they are using the same algorithms. This document specifies the algorithms and attributes that can be used in TCP-AO's current manual keying mechanism and provides the interface for future message authentication codes (MACs). [STANDARDS-TRACK]</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="5926"/>
  <seriesInfo name="DOI" value="10.17487/RFC5926"/>
</reference>
<reference anchor="RFC8126">
  <front>
    <title>Guidelines for Writing an IANA Considerations Section in RFCs</title>
    <author fullname="M. Cotton" initials="M." surname="Cotton"/>
    <author fullname="B. Leiba" initials="B." surname="Leiba"/>
    <author fullname="T. Narten" initials="T." surname="Narten"/>
    <date month="June" year="2017"/>
    <abstract>
      <t>Many protocols make use of points of extensibility that use constants to identify various protocol parameters. To ensure that the values in these fields do not have conflicting uses and to promote interoperability, their allocations are often coordinated by a central record keeper. For IETF protocols, that role is filled by the Internet Assigned Numbers Authority (IANA).</t>
      <t>To make assignments in a given registry prudently, guidance describing the conditions under which new values should be assigned, as well as when and how modifications to existing values can be made, is needed. This document defines a framework for the documentation of these guidelines by specification authors, in order to assure that the provided guidance for the IANA Considerations is clear and addresses the various issues that are likely in the operation of a registry.</t>
      <t>This is the third edition of this document; it obsoletes RFC 5226.</t>
    </abstract>
  </front>
  <seriesInfo name="BCP" value="26"/>
  <seriesInfo name="RFC" value="8126"/>
  <seriesInfo name="DOI" value="10.17487/RFC8126"/>
</reference>
<reference anchor="RFC5869">
  <front>
    <title>HMAC-based Extract-and-Expand Key Derivation Function (HKDF)</title>
    <author fullname="H. Krawczyk" initials="H." surname="Krawczyk"/>
    <author fullname="P. Eronen" initials="P." surname="Eronen"/>
    <date month="May" year="2010"/>
    <abstract>
      <t>This document specifies a simple Hashed Message Authentication Code (HMAC)-based key derivation function (HKDF), which can be used as a building block in various protocols and applications. The key derivation function (KDF) is intended to support a wide range of applications and requirements, and is conservative in its use of cryptographic hash functions. This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="5869"/>
  <seriesInfo name="DOI" value="10.17487/RFC5869"/>
</reference>
<reference anchor="RFC2119">
  <front>
    <title>Key words for use in RFCs to Indicate Requirement Levels</title>
    <author fullname="S. Bradner" initials="S." surname="Bradner"/>
    <date month="March" year="1997"/>
    <abstract>
      <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
    </abstract>
  </front>
  <seriesInfo name="BCP" value="14"/>
  <seriesInfo name="RFC" value="2119"/>
  <seriesInfo name="DOI" value="10.17487/RFC2119"/>
</reference>
<reference anchor="RFC8174">
  <front>
    <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
    <author fullname="B. Leiba" initials="B." surname="Leiba"/>
    <date month="May" year="2017"/>
    <abstract>
      <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
    </abstract>
  </front>
  <seriesInfo name="BCP" value="14"/>
  <seriesInfo name="RFC" value="8174"/>
  <seriesInfo name="DOI" value="10.17487/RFC8174"/>
</reference>



    </references>

    <references title='Informative References' anchor="sec-informative-references">



<reference anchor="CONEXT24">
  <front>
    <title>The Multiple Benefits of a Secure Transport for BGP</title>
    <author fullname="Thomas Wirtgen" initials="T." surname="Wirtgen">
      <organization>ICTEAM, UCLouvain &amp;amp; WEL Research Institute, Louvain-la-Neuve, Walloon Brabant, BE</organization>
    </author>
    <author fullname="Nicolas Rybowski" initials="N." surname="Rybowski">
      <organization>ICTEAM, UCLouvain &amp;amp; WEL Research Institute, Louvain-la-Neuve, Walloon Brabant, Belgium</organization>
    </author>
    <author fullname="Cristel Pelsser" initials="C." surname="Pelsser">
      <organization>ICTEAM, UCLouvain, Louvain-la-Neuve, Walloon Brabant, Belgium</organization>
    </author>
    <author fullname="Olivier Bonaventure" initials="O." surname="Bonaventure">
      <organization>ICTEAM, UCLouvain &amp;amp; WEL Research Institute, Louvain-la-Neuve, Walloon Brabant, Belgium</organization>
    </author>
    <date month="November" year="2024"/>
  </front>
  <seriesInfo name="Proceedings of the ACM on Networking" value="vol. 2, no. CoNEXT4, pp. 1-23"/>
  <seriesInfo name="DOI" value="10.1145/3696406"/>
<refcontent>Association for Computing Machinery (ACM)</refcontent></reference>

<reference anchor="I-D.hbq-bgp-tls-auth">
   <front>
      <title>TLS Authentication for BGP</title>
      <author fullname="Jeff Haas" initials="J." surname="Haas">
         <organization>HPE</organization>
      </author>
      <author fullname="Bob Beck" initials="B." surname="Beck">
         <organization>OpenSSL</organization>
      </author>
      <author fullname="Yingzhen Qu" initials="Y." surname="Qu">
         <organization>Futurewei Technologies</organization>
      </author>
      <date day="1" month="March" year="2026"/>
      <abstract>
	 <t>   The Border Gateway Protocol, Version 4 (BGP-4) (RFC 4271) uses TCP
   (RFC 9293) as its transport layer protocol.  There are proposals to
   run BGP over TLS-based transport protocols, including QUIC.  This
   document discusses authentication considerations for running BGP over
   TLS protocols and defines a PKI framework to provide for
   authenticating BGP peering sessions.

	 </t>
      </abstract>
   </front>
   <seriesInfo name="Internet-Draft" value="draft-hbq-bgp-tls-auth-00"/>
   
</reference>

<reference anchor="I-D.wirtgen-bgp-tls">
   <front>
      <title>BGP over TLS/TCP</title>
      <author fullname="Thomas Wirtgen" initials="T." surname="Wirtgen">
         <organization>Unaffiliated</organization>
      </author>
      <author fullname="Olivier Bonaventure" initials="O." surname="Bonaventure">
         <organization>UCLouvain &amp; WELRI</organization>
      </author>
      <author fullname="Aravind Babu MahendraBabu" initials="A. B." surname="MahendraBabu">
         <organization>Cisco Systems</organization>
      </author>
      <author fullname="Chennakesava Reddy Gaddam" initials="C. R." surname="Gaddam">
         <organization>Cisco Systems</organization>
      </author>
      <date day="6" month="July" year="2026"/>
      <abstract>
	 <t>   This document specifies the use of TLS over TCP to support BGP.  The
   Border Gateway Protocol (BGP) relies on TCP to establish sessions
   between routers.  While the TCP Authentication Option (TCP-AO)
   provides transport-layer integrity protection against spoofing and
   reset attacks, it does not provide confidentiality, cryptographic
   peer identity, or scalable key management.  This document specifies a
   method for establishing a secure BGP session by running BGP over a
   TLS 1.3 session.  The underlying TCP transport MUST be protected
   using TCP-AO.  An &quot;Implicit TLS&quot; model on TCP port 179 is specified
   as the preferred mechanism.

	 </t>
      </abstract>
   </front>
   <seriesInfo name="Internet-Draft" value="draft-wirtgen-bgp-tls-05"/>
   
</reference>



    </references>



  </back>

<!-- ##markdown-source:
H4sIAAAAAAAAA81b63IbOXb+j6dA6KqstEO2RdnyeOiZ2aEleazSzZHoTKam
XCqwGySx6gu3L5K4slJ5h7xAHiS/kjfJk+RcgG50k5I9m6Qq+mGTaDRwcC7f
uYGDwUCUpoz1SPbOl8ssL6vUFKUJ5WT/w2B8Lm9NuZCTk8ueUNNprm9GEqYN
+KGIsjBVCbwb5WpWDpYmV9XdoAyXA5UNyrgY7LwUoSr1PMtXI6nvlkIU1TQx
RWGytFwt4c2jw8k7KZ9JFRcZ0GDSSC81/JOWvb7s6ciUWW5UjF+Oxm/hvyyH
TxeTdz2RVslU5yMRwQ4jEWZpodOiKkayzCstgNIXQuVawaqTXKUFHq4nbrP8
ep5n1RKH9z+c9sS1XsFgNBJyIIF0+i8u7Dc4iBA3Oq1gBynbL0rJR+j9Amua
dC5/xsc4nigTwzi8n/xkdDkLsnyO4yoPFzC+KMtlMXr+HKfhkLnRgZv2HAee
T/PsttDPcYHn+OIcpFBN4dWjD2e6vOX9TtT0OTO+4XhPCFWViyzH48CLUrKA
zmNzY3Qu32apguOUVa7pKeyoUvNXVYJARvLj/klW3SiTyr+XvxyeXBzRHM3H
yXiJYNos8VMVxvxCMNXtDU/VnUm0/EAqsWmrVM1mJjYgu8jfJaH3AlalJ9af
LLJEFfIXk5dznf6ODUp6MbjlF3+a42gQZokQIs3yBN6+IVlfvNvf+253z338
dsd9fP3y5atmgvv4elh/3Hv96ruRECad+evJ/fOzw3+a7L4cyYPzo2C4EwyH
L/eev3j13auXO69wwtHgIFhM/zKYzpdkPCjIkXtg6XUPYf3BYCDVtChzFZZA
/GRhCgkGWSUgG1ksdWhmRhdSpTJrGXaSRVoCabWFL3Qqq0JHta0H4igFPsF6
OLcPHzVOlmBiqQ6RvbIoVV4W/IaStzqOB9dpdptKJBoIMCGJQYJxiduFCRcS
VotBFrnM9TJWIWw3XcGrhQ5BkXCejHQOvIrkLM8S3vPkUi5UGhULda0DPnFi
oijWQjyTR2mZZ1FF9ND5mchxm4DzJf23xYfdlvf3VrAPD3KZZzcmAh6ZFDAq
N+VKwFBpj4gsirN0PoiJqjYDikAelVIVBbC7AGJVSRSDHiXAZ9w7nYtFVgCP
gHo4oAKLKPD4x3DSSbWMtdw6PZ5sB5IEBx+RQySGMrOsACBDHQ4Rogoc9pir
a6ksVXitYR99FwKz5sxYfAg4IYmEQFhRFxVpAuiJmc10jorSkZeKAatBqElR
c+rVwwPw3q5g+VPQBjXbZDaDN2MaXCcnqnJER4XUioaFfXg/jKsIn+GLl7+e
AVcvqxA1ypMDsMUkSLYCclEoRQbAYhU8FIXOb0yoi76cViXARwpatVzG9kCg
olkVA0t0qmembHSrob3ZSmTEFWIgn7cv06xU0xjWnAMKFaW8uJxIVZZwyAJd
kUn/bMl0g6QLoUrFAsgAy2KlN6nVD3f6AABqRlYJz+NVnylTIPllnK3IhgFt
b5cZENoXeOy1ownaClTmCTXtgwHdEPdTkAgCAHxGZcssQbGBrQQYGX1FZgK1
Uw0baqkLPLspFiw+z/xBJmi6MBc2N4kpiaKgi0LA2mVWIAjJW7XyFFsRDS1D
t0BQ2zvrH4It6t9bpmgNFdDiwJZKlH/Z2jsCeaewNfyvqriUZEMERSxmoIEo
B555ygYk4h4zk4OsfesCDe8IEBEHeN9aXzGNaQvkGogjI7a7rVkQhkaF/ktF
jLO7LgEzNkAhYQZglUY/XNjZj+oiGUCuC6TS6uEMnB7SZE8Fqwv/ZCzGRKMF
myJBdQadqNHpSRiCJd/+/AEOTUFewe4FN3DwphB+irAq8AvQc3/vPOPDQ//+
fpMXrB90vCAjU0vsprBxgN1qlsUxxFKB/EU7vAfJT3OjZzK7QezQt8j8jcEv
UFdYlt7fu9mwKfBf+4/Y0YNHcQcjfBQ5SNMgnjASkvTtymhw5GnRk+1nKQqS
2IUPDlB1Dds4+TX0jhijFrJ3+vFygsEw/i/PzunzxeE/fDy6ODzAz5fvxycn
9QdhZ1y+P/94ctB8at7cPz89PTw74JdhVLaGRO90/Cs8Qap65x8mR+dn45Me
a5HPddL7DHUENToHzSyJ/QK8a5ibKUv67f6H//i34Utg2N+Bae8Oh98By/jL
6+G3IH5SFt4tSwF0+SuwciUQTBXhKDqaUC0Bc2IweoUOFgOPBWARsPOPvyFn
Po3k99NwOXz5ox3AA7cGHc9ag8Sz9ZG1l5mJG4Y2bFNzszXe4XSb3vGvre+O
797g93+KAdzkYPj6Tz+iCj2TZxljsIoRo5w6da2jQtVMOYMAaALzBa0CLNwi
pDDoRM1cQv5lVLotb1RcaYge3hkdRwxuFtUo/EOvUEP4wswXA15sahgGtAJX
jpsEqOTj1Lc3udHe7p/VRiYwBlUyrcpiAdFlfz2Ote+sB6WxudYcbWCO2go4
AsBOF2uQmqEybcBditg8lIv6AqOLqmBPiM7Lhr4e/NdBd7RmIOQsgAAbCq0h
OiyfwXLAeHL4SFuaVWmobUiVQ84DdkWwAmZhgGr0+xgWwIjJkSKAOEQlBJ4n
XCS8TlshpLNjile1V05bbllYt5wTR4BZuCUdKwUZ4kzPm60zEc9c8Z4ADHOT
pnj0NT+KiA1BllsIYYNDLWHdGuQgGOipBh8f83eEy+DpwAY8l45IIqxqZI6l
bQ4h3IKaAcmg63N0jIDpZj5w2jiopwJGAfMrzLpKRvkmSiILw0gYAsmnNZUJ
5dgLOJyicaFOupORnglc3KkXcpsjmg3KJW3ug5tknO9YPw9rippbEakyE42i
JFGYwt+Dl7JRIJi/ieo3rDnZ9VEMGONghsmWkK6H1EArEPDNeP+Y9N8dGPgA
8VWygXvCxSNrpu32gLVob8c0lOM+LfseUCLDV0rQHsc+WOTwrtQphiJP8g/C
KV1PbJJnXOPxDKlJ+/hgtV2i3xJIImp8KzjqpgF0GJgOo5SQW/kVvNZUN6wM
xLhkugki/HAdbdmacCuk5oiz4aeLQIFEyiisgJFIPsEfCt946/VbgsaFL2mc
OW4jGXmYhvlqCYTWDLcJCmJpQaFZ2sS1tYLQmr6mW1pRGcUks6ZpT1sSrdUS
VdclaB4fOJ+0YmuJ3qSC5wEZGwiloPYRxDWeXMtM+NG7O42bghIPxFHJKQBL
hIlBwEQPgcxCbAO3Q68BS9BZ+mf+uMwwfQg1GxpbBOydQECt5hbEa1NqJO+E
DlsIT95Up6i37CqD3R/RpbEqnPSOETESdttNErNeIJDjR1N/NcPkF32JW9Cd
g6OJelH2rLgII12nEmRTqE5BaEIZFATKAPjNqYB5CToQqW6wvjqNdTvZtScl
jQG525oIBOslVoltcRpyFTD52GomUKM8acDJ79jjbx1f7W6D1/jnx/8Ew5P8
8h9blZCfW4PgFbaO9ero4Iedvrw4g53x47Z9/Fn+RjGdF4Z8ghUGX/334+fW
hhavH98Sp3//9ct7q8Oy/TW8/gbttPlrE/PEuZvpv/uoHQDrO/QKPDwgsr5E
zN06MX8bZ+zfb0iIs5NPHeXoTP8Sa/4mzsjfjq+GDizQelOqjSQZWij6ReLa
p5qYL0xnc/u0Rrs7KoAc5rTdkz5y1GFz1OHaUb+e7z86i2mqMp+eNN/7kXy2
ORaU1Dj7oXfpkqEvpyiiLrFToOUwHRx9eavBZ0zzxxIQDyEbb/GlknnvoSmM
EyFcx+kUZvG92Mx0iQ2bpiLkSjhAqqvbCUWg32Btt+hW2dKHfH988G5weLdE
ncDOXJlXrlhiOyRUu4G88JFE0JZUKLe1J4BxMlVnpo/3PLKUT9CEdA3QE3kt
MYkKkN72jZrIgv0cecmNXO7WK9kdNTu6ctd05aV1SAZRueqGGZbvIFTRzvE6
FUM/mqSJHHSgCgudVom8p2ZXGS6vVLY1eXuw3aeBrVd7ey/2tsVDw7/Jaqnf
0ItEOnPc5ZTUvYQleu0juRh6uhrxnrC0ty1vzDHsVZODXUWmQEccbe1Ych6b
qFOeN6znbe3uAdnw4YF1gBs6H+CVN2Jt9/en4/3B5fvxYDj47pW32fjwcjDc
fT3Yx+fw5PHlsX20YWFQ5ytc/AoWH3oL4zgsfgWLX+HiT6wMU3lhNoZ66c6p
SNpv/GdIEoFBaxSWk9fR7I23gxWmqO3FW7VJ/1y2QdmX1UxWt42VacEWUScm
oB6QrgeNURJ5te2Jp1ImPwXz2kucSNmMR7gq84ZI29sVj9/O0+oWIm0qZhDM
l520z9+TWx42gWvzwZqdDawhQBY2kmYbXWrgXmQiKlvUNRGbGFO5m4PS0i/1
WDBlwBRN4bTuIGpbqsaXbDQHJiYHsMvGZlVtqJ5wcPpk0epJ+NFrzRIgt6u4
3VfrML0tyhCbx/B6x6BEjdMuHkcgw/zNR921SskXvCXnOsIL271kL6mKkpwZ
VhOwZhN1S3K2ntFUOESny7rWx3DA+lTsz7gv1vpXwGsUXYLtPmCA27nbjtoo
aCSVhd1psxu8CIMqno9g45hzJdvexakF1r0C96JVwVms5kFLmJTf+b1q36Ax
1EgJISh7pssStnwEwoWYIQ6r2Pb3rJIAB6h5zAXiWhMvwYyODkhQFzq8wY+U
+5fI7J36bdsI58oiysPNuBuGejodzmbB/0CR1979fZoMrvRnsPq0wQarlhSF
cuMzzoApcoZVcTrsQmEJU87jbArjiVZYf+rb9v9C3Wh6WoGzBzvWvLKyC4JW
7dTFnirFjtENLh+vKD6eu0YWdlLMPG1AxZftU4Xn+/tLq0zfBnvBEDdsbkD4
RUEgiinG4oOhpjEmn4WeJ9RlROtylQXrpun0cDZQ+nDhOsvFwjYck8yWJbya
oQqxsIGjSSDGLiP38FKtmUC6HrHxHZY6VBPU4QkXOrxuxGZhgjfUkV/1bLp7
9SUXNCosc6ENiybU9plsm+KkhkypDQHZumSr1dVC+YDQ8WANSpousw3ntyCh
2mb/bY0EFd+ZV6fi3o0G61qL9AsZrqTarb8UHM11AluI2IHLsIzd/pJtlOvR
x4xwpxbh6snuqsi3O6BSNiz0YxwO3VVGoUoFvuw1HuvKRG+EC430yi22n4GN
3JU2lMF/AFwH7ulWj6+69fqPvdiXL3Yp6vrBxsBXjDNNnOuv1yAJK70F6FhN
dSybveqSVytgF04ozjOxRYMqhEwLa4VXdHZpDHMHdQdXNikYKTzEa3z23mQd
c2Oz+aiUc51q7jgoON+AOnd8Lkyijrrt2E4ziWMUeANoZ8wmnVqD60AcYacI
l7DdFjIsfN3O/cEBO75P/b1NWajgNM2yGNevp3ttohxBA5QLFG3J7opJ20HN
zDXZb+SUX3iW+KbekBhuqaTeMx0zx+xWDv/rX/51d+8lp2UsGTevuf1UK75b
vgHlgLXFXsHiRNAldJ1iYqcUT9XfqXZUCrsJObrGnFif8izUkIbrYlOYusdh
qmjfxBqTnVPppXis+qIKSxQM2jS9FZoh0uxsM6OxX8IuRjkrGFD3fQYLTxVi
aoZ90uy2jn7/gBsPZrGZL0rpV63sJYC6llraawAGb2ZBrloaat7n+QoOsNNx
yYHAMYKlmO4P3Np+pgVKrCm0tKapax9f7cqtQmPfLtdw4IeHbeqX4JWpJCOb
0HcqLOFUeCsOOIBGSheiRixNG9E4jtVyxUs2JqsKGrwGVyIUGqFlVM2jR+XS
7yqLVZSizJaNIghfNi1NQFywDwfJdUkaAM4EbxFe2Ja/vH/Gh36chgYLcnyJ
0htVt3FtWzsVPocDeYgGm7tN2u0MW/+u7cfxDysvvJxfAfKKPnXZ4PjqPv1m
+ACQ4s3cshnuh4tjRPDjq9Rl03ibFkYsJg/owD338EQS4L/YlRlEyGXhxt+r
YgHjWBDY3cM7ttvsBn7hJI3Yg7QeX5lvhn28doipnb3Kwcp6rUHP4DlxjIMX
UE+1Aruus4XCrtHcTsRSWiCFsAAVrsL4EXgCQLVRiWpCzELNsGceKnyEuCly
moWWQ3d68aIRhEthjaIDB4m1Vzjm5p9twEGQhpcE+SYiATofcoouaIn12ooy
sgSiNjBOjiUIsT3p0D2OSwx6MBUFh1tAfpIrd9OkviHKl2pblzjd9UnGIde3
t6UFvFMJnMu4LLFaaiqHdbv8NqNChDXJEi89x3oOhoEZlxcwxhDfkPsANZA6
gEyIYATvP7okP85cmbK+oVWgVQgszyEAuOuyNvQNpB9Ef9sOoevzYriewPzI
+s4yEwCAZs7JJVCuweuEKJqPhe0L+z+woIPhryDgxAszNaUN5cwcpObdnOhN
VXTFpfOrRIU9oWJN+TVKeppXSwS5sDmiV3ywnAAFpg4ojug8R86HIFM45rss
F2QWaaj7lvM6qiNMSlPw6qCfF3VrPWlErnieQrAcCessLVzmZHRaRVaWdNz6
GqOl0hOgVM3txxhmxX26qVqYBH84sYHjTwmK+LuEED+wJbLGlaCIugZROx/H
POYp2cDR+Gy8pv80SB4V4puiZGcIxoiLM9Z+4Rc2cgGcoUtVIAbXYM1BxyFc
NLoTSnI0wXZx1syznKjSiHIBmGUXFVx0YBW6tJenWWQX1gh6cpnFJqTb3Hz5
dmhDjo1HU1HUqWaAFIlQe4m2vm/cw+ufrbKz/EeqHPQc2SiTzzwoP3t9+zOM
WD+T/IfBC/h04UQONOA3iuNCbRtBn0e2tzbqNttG6582TYQl5OTtAS5m04em
zST33/fl4SF+OvPbT51Cz2chzrLSZvk9j96eV+o44wgNQcGvrmOdj46GGkC9
lE15pZfcf4XSOQ7LXueXEeP6IkuP9YV07it11EbH9eJzbI/R9Sz5eoDgVQBo
gAs8tCrhSK9foPKdLTlJJXo1NfT7np6trjTXeTDdXmAhMUnBRaVAmkuL6+oy
ZkpFHUlRDsYXgpeIJmnph1QbUy13TaQpa2MPwN0qs4QvKP7r1arXg53iKkn5
ooWTsB+z15Ri6OnIa64R/U4pYuTnlRLe2QT2/4UQH6Htd4vUZeX/uxLF4Pb/
TqCOZvYQ4xB/DgWxN0cQ4n7Ev1bU0Q89yBkKja3ZiW2VZHSxU6XX8gB/kZAb
ealmWZrd+DV+qli10nM8+4lJq7tgw0qnJlwoHcvJf/77Hd48/TUrFmZWJUae
4Q86IkWeeozOFj7kmfwZ0jc4i3M+Jpeki/WlS8ax5g5bU9n27rTufziFEFJz
Ja/kH3cOh6/tNXdqO0P0Nd/MDiH+G9iyuluOOgAA

-->

</rfc>

