Documentation/networking/tcp_ao.rst
Source file repositories/reference/linux-study-clean/Documentation/networking/tcp_ao.rst
File Facts
- System
- Linux kernel
- Corpus path
Documentation/networking/tcp_ao.rst- Extension
.rst- Size
- 23684 bytes
- Lines
- 470
- Domain
- Support Tooling And Documentation
- Bucket
- Documentation
- Inferred role
- Support Tooling And Documentation: documentation
- Status
- atlas-only
Why This File Exists
Repository support layer: documentation, build tooling, samples, user-space helper tools, generated initramfs support, licenses, and validation utilities.
- Repository support layer: documentation, build tooling, samples, user-space helper tools, generated initramfs support, licenses, and validation utilities.
Dependency Surface
- No C-style include directives detected by the generator.
Detected Declarations
- No top-level syscall, struct, function, initcall, or export declaration detected by the generator.
Annotated Snippet
.. SPDX-License-Identifier: GPL-2.0
========================================================
TCP Authentication Option Linux implementation (RFC5925)
========================================================
TCP Authentication Option (TCP-AO) provides a TCP extension aimed at verifying
segments between trusted peers. It adds a new TCP header option with
a Message Authentication Code (MAC). MACs are produced from the content
of a TCP segment using a key known to both peers.
The intent of TCP-AO is to deprecate TCP-MD5 providing better security,
key rotation and support for a variety of MAC algorithms.
1. Introduction
===============
.. table:: Short and Limited Comparison of TCP-AO and TCP-MD5
+----------------------+------------------------+-----------------------+
| | TCP-MD5 | TCP-AO |
+======================+========================+=======================+
|Supported MAC |MD5 of data and key |HMAC-SHA-1-96 and |
|algorithms |(cryptographically weak)|AES-128-CMAC-96. |
| | |Implementations are |
| | |permitted to support |
| | |additional algorithms. |
+----------------------+------------------------+-----------------------+
|Length of MACs (bytes)|16 |12 for HMAC-SHA-1-96 |
| | |and AES-128-CMAC-96. |
| | |Implementations are |
| | |permitted to support |
| | |any MAC length that |
| | |fits in the TCP header.|
+----------------------+------------------------+-----------------------+
|Number of keys per |1 |Many |
|TCP connection | | |
+----------------------+------------------------+-----------------------+
|Possibility to change |Non-practical (both |Supported by protocol |
|an active key |peers have to change | |
| |them during MSL) | |
+----------------------+------------------------+-----------------------+
|Protection against |No |Yes: ignoring them |
|ICMP 'hard errors' | |by default on |
| | |established connections|
+----------------------+------------------------+-----------------------+
|Protection against |No |Yes: pseudo-header |
|traffic-crossing | |includes TCP ports. |
|attack | | |
+----------------------+------------------------+-----------------------+
|Protection against |No |Sequence Number |
|replayed TCP segments | |Extension (SNE) and |
| | |Initial Sequence |
| | |Numbers (ISNs) |
+----------------------+------------------------+-----------------------+
|Supports |Yes |No. ISNs+SNE are needed|
|Connectionless Resets | |to correctly sign RST. |
+----------------------+------------------------+-----------------------+
|Standards |RFC 2385 |RFC 5925, RFC 5926 |
+----------------------+------------------------+-----------------------+
1.1 Frequently Asked Questions (FAQ) with references to RFC 5925
----------------------------------------------------------------
Q: Can either SendID or RecvID be non-unique for the same 4-tuple
(srcaddr, srcport, dstaddr, dstport)?
A: No [3.1]::
>> The IDs of MKTs MUST NOT overlap where their TCP connection
Annotation
- Atlas domain: Support Tooling And Documentation / Documentation.
- Implementation status: atlas-only.
Implementation Notes
- This generated page is the file-by-file coverage layer; curated subsystem chapters should link here when they synthesize a multi-file control flow.
- Core OS pages should be promoted from atlas-only to deep-reviewed when they explain data structures, invariants, locking, lifecycle, and C implementation snippets.
- Driver-family pages are intentionally pattern-oriented unless they are part of the selected PCIe/NVMe representative device path.