Skip to main content

Problem Statement and Requirements for a TCP Authentication Option

Document Type Expired Internet-Draft (individual in tsv area)
Expired & archived
Author Steven M. Bellovin
Last updated 2015-10-14 (Latest revision 2007-07-12)
RFC stream Internet Engineering Task Force (IETF)
Intended RFC status (None)
Stream WG state (None)
Document shepherd (None)
IESG IESG state Expired (IESG: Dead)
Action Holders
Consensus boilerplate Unknown
Telechat date (None)
Responsible AD Lars Eggert
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:


The TCP-MD5 option is commonly used to secure BGP sessions between routers, although it is known to have many serious deficiencies. This memo presents requirements for a TCP segment authentication mechanism that is intended to replace TCP-MD5. While TCP-MD5 was designed to protect TCP sessions whose payload is BGP, the applicability of the mechanism described herein is broader. This mechanism can be applied to any TCP connection, regardless of payload.


Steven M. Bellovin

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)