| rfc9235.original | rfc9235.txt | |||
|---|---|---|---|---|
| TCPM J. Touch | ||||
| Internet Draft Independent consultant | ||||
| Intended status: Informational J. Kuusisaari | ||||
| Expires: September 2022 Infinera | ||||
| March 3, 2022 | ||||
| TCP-AO Test Vectors | Internet Engineering Task Force (IETF) J. Touch | |||
| draft-ietf-tcpm-ao-test-vectors-09.txt | Request for Comments: 9235 Independent Consultant | |||
| Category: Informational J. Kuusisaari | ||||
| ISSN: 2070-1721 Infinera | ||||
| May 2022 | ||||
| TCP Authentication Option (TCP-AO) Test Vectors | ||||
| Abstract | Abstract | |||
| This document provides test vectors to validate implementations of | This document provides test vectors to validate implementations of | |||
| the two mandatory authentication algorithms specified for the TCP | the two mandatory authentication algorithms specified for the TCP | |||
| Authentication Option over both IPv4 and IPv6. This includes | Authentication Option over both IPv4 and IPv6. This includes | |||
| validation of the key derivation function (KDF) based on a set of | validation of the key derivation function (KDF) based on a set of | |||
| test connection parameters as well as validation of the message | test connection parameters as well as validation of the message | |||
| authentication code (MAC). Vectors are provided for both currently | authentication code (MAC). Vectors are provided for both currently | |||
| required pairs of KDF and MAC algorithms: KDF_HMAC_SHA1 and HMAC- | required pairs of KDF and MAC algorithms: KDF_HMAC_SHA1 and HMAC- | |||
| SHA-1-96, and KDF_AES_128_CMAC and AES-128-CMAC-96. The vectors also | SHA-1-96, and KDF_AES_128_CMAC and AES-128-CMAC-96. The vectors also | |||
| validate both whole TCP segments as well as segments whose options | validate both whole TCP segments as well as segments whose options | |||
| are excluded for middlebox traversal. | are excluded for middlebox traversal. | |||
| Status of this Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | ||||
| provisions of BCP 78 and BCP 79. | ||||
| Internet-Drafts are working documents of the Internet Engineering | ||||
| Task Force (IETF), its areas, and its working groups. Note that | ||||
| other groups may also distribute working documents as Internet- | ||||
| Drafts. | ||||
| The list of current Internet-Drafts can be accessed at | ||||
| http://www.ietf.org/ietf/1id-abstracts.txt | ||||
| The list of Internet-Draft Shadow Directories can be accessed at | This document is not an Internet Standards Track specification; it is | |||
| https://www.ietf.org/shadow.html | published for informational purposes. | |||
| Internet-Drafts are draft documents valid for a maximum of six | This document is a product of the Internet Engineering Task Force | |||
| months and may be updated, replaced, or obsoleted by other documents | (IETF). It represents the consensus of the IETF community. It has | |||
| at any time. It is inappropriate to use Internet-Drafts as | received public review and has been approved for publication by the | |||
| reference material or to cite them other than as "work in progress." | Internet Engineering Steering Group (IESG). Not all documents | |||
| approved by the IESG are candidates for any level of Internet | ||||
| Standard; see Section 2 of RFC 7841. | ||||
| This Internet-Draft will expire on September 3, 2022. | Information about the current status of this document, any errata, | |||
| and how to provide feedback on it may be obtained at | ||||
| https://www.rfc-editor.org/info/rfc9235. | ||||
| Copyright and License Notice | Copyright Notice | |||
| Copyright (c) 2022 IETF Trust and the persons identified as the | Copyright (c) 2022 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with | carefully, as they describe your rights and restrictions with respect | |||
| respect to this document. Code Components extracted from this | to this document. Code Components extracted from this document must | |||
| document must include Revised BSD License text as described in | include Revised BSD License text as described in Section 4.e of the | |||
| Section 4.e of the Trust Legal Provisions and are provided without | Trust Legal Provisions and are provided without warranty as described | |||
| warranty as described in the Revised BSD License. | in the Revised BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction...................................................3 | 1. Introduction | |||
| 2. Conventions used in this document..............................4 | 2. Conventions Used in This Document | |||
| 3. Input Test Vectors.............................................4 | 3. Input Test Vectors | |||
| 3.1. TCP Connection Parameters.................................4 | 3.1. TCP Connection Parameters | |||
| 3.1.1. TCP-AO parameters....................................4 | 3.1.1. TCP-AO Parameters | |||
| 3.1.2. Active (client) side parameters......................4 | 3.1.2. Active (Client) Side Parameters | |||
| 3.1.3. Passive (server) side parameters.....................5 | 3.1.3. Passive (Server) Side Parameters | |||
| 3.1.4. Other IP fields and options..........................5 | 3.1.4. Other IP Fields and Options | |||
| 3.1.5. Other TCP fields and options.........................5 | 3.1.5. Other TCP Fields and Options | |||
| 4. IPv4 SHA-1 Output Test Vectors.................................5 | 4. IPv4 SHA-1 Output Test Vectors | |||
| 4.1. HMAC-SHA-1-96 (default - covers TCP options)..............6 | 4.1. HMAC-SHA-1-96 (Default - Covers TCP Options) | |||
| 4.1.1. Send (client) SYN (covers options)...................6 | 4.1.1. Send (Client) SYN (Covers Options) | |||
| 4.1.2. Receive (server) SYN-ACK (covers options)............6 | 4.1.2. Receive (Server) SYN-ACK (Covers Options) | |||
| 4.1.3. Send (client) non-SYN (covers options)...............7 | 4.1.3. Send (Client) Non-SYN (Covers Options) | |||
| 4.1.4. Receive (server) non-SYN (covers options)............7 | 4.1.4. Receive (Server) Non-SYN (Covers Options) | |||
| 4.2. HMAC-SHA-1-96 (omits TCP options).........................8 | 4.2. HMAC-SHA-1-96 (Omits TCP Options) | |||
| 4.2.1. Send (client) SYN (omits options)....................8 | 4.2.1. Send (Client) SYN (Omits Options) | |||
| 4.2.2. Receive (server) SYN-ACK (omits options).............8 | 4.2.2. Receive (Server) SYN-ACK (Omits Options) | |||
| 4.2.3. Send (client) non-SYN (omits options)................9 | 4.2.3. Send (Client) Non-SYN (Omits Options) | |||
| 4.2.4. Receive (server) non-SYN (omits options)............10 | 4.2.4. Receive (Server) Non-SYN (Omits Options) | |||
| 5. IPv4 AES-128 Output Test Vectors..............................10 | 5. IPv4 AES-128 Output Test Vectors | |||
| 5.1. AES-128-CMAC-96 (default - covers TCP options)...........10 | 5.1. AES-128-CMAC-96 (Default - Covers TCP Options) | |||
| 5.1.1. Send (client) SYN (covers options)..................10 | 5.1.1. Send (Client) SYN (Covers Options) | |||
| 5.1.2. Receive (server) SYN-ACK (covers options)...........11 | 5.1.2. Receive (Server) SYN-ACK (Covers Options) | |||
| 5.1.3. Send (client) non-SYN (covers options)..............12 | 5.1.3. Send (Client) Non-SYN (Covers Options) | |||
| 5.1.4. Receive (server) non-SYN (covers options)...........12 | 5.1.4. Receive (Server) Non-SYN (Covers Options) | |||
| 5.2. AES-128-CMAC-96 (omits TCP options)......................13 | 5.2. AES-128-CMAC-96 (Omits TCP Options) | |||
| 5.2.1. Send (client) SYN (omits options)...................13 | 5.2.1. Send (Client) SYN (Omits Options) | |||
| 5.2.2. Receive (server) SYN-ACK (omits options)............13 | 5.2.2. Receive (Server) SYN-ACK (Omits Options) | |||
| 5.2.3. Send (client) non-SYN (omits options)...............14 | 5.2.3. Send (Client) Non-SYN (Omits Options) | |||
| 5.2.4. Receive (server) non-SYN (omits options)............14 | 5.2.4. Receive (Server) Non-SYN (Omits Options) | |||
| 6. IPv6 SHA-1 Output Test Vectors................................15 | 6. IPv6 SHA-1 Output Test Vectors | |||
| 6.1. HMAC-SHA-1-96 (default - covers TCP options).............15 | 6.1. HMAC-SHA-1-96 (Default - Covers TCP Options) | |||
| 6.1.1. Send (client) SYN (covers options)..................15 | 6.1.1. Send (Client) SYN (Covers Options) | |||
| 6.1.2. Receive (server) SYN-ACK (covers options)...........16 | 6.1.2. Receive (Server) SYN-ACK (Covers Options) | |||
| 6.1.3. Send (client) non-SYN (covers options)..............16 | 6.1.3. Send (Client) Non-SYN (Covers Options) | |||
| 6.1.4. Receive (server) non-SYN (covers options)...........17 | 6.1.4. Receive (Server) Non-SYN (Covers Options) | |||
| 6.2. HMAC-SHA-1-96 (omits TCP options)........................18 | 6.2. HMAC-SHA-1-96 (Omits TCP Options) | |||
| 6.2.1. Send (client) SYN (omits options)...................18 | 6.2.1. Send (Client) SYN (Omits Options) | |||
| 6.2.2. Receive (server) SYN-ACK (omits options)............18 | 6.2.2. Receive (Server) SYN-ACK (Omits Options) | |||
| 6.2.3. Send (client) non-SYN (omits options)...............19 | 6.2.3. Send (Client) Non-SYN (Omits Options) | |||
| 6.2.4. Receive (server) non-SYN (omits options)............19 | 6.2.4. Receive (Server) Non-SYN (Omits Options) | |||
| 7. IPv6 AES-128 Output Test Vectors..............................20 | 7. IPv6 AES-128 Output Test Vectors | |||
| 7.1. AES-128-CMAC-96 (default - covers TCP options)...........20 | 7.1. AES-128-CMAC-96 (Default - Covers TCP Options) | |||
| 7.1.1. Send (client) SYN (covers options)..................20 | 7.1.1. Send (Client) SYN (Covers Options) | |||
| 7.1.2. Receive (server) SYN-ACK (covers options)...........21 | 7.1.2. Receive (Server) SYN-ACK (Covers Options) | |||
| 7.1.3. Send (client) non-SYN (covers options)..............21 | 7.1.3. Send (Client) Non-SYN (Covers Options) | |||
| 7.1.4. Receive (server) non-SYN (covers options)...........22 | 7.1.4. Receive (Server) Non-SYN (Covers Options) | |||
| 7.2. AES-128-CMAC-96 (omits TCP options)......................23 | 7.2. AES-128-CMAC-96 (Omits TCP Options) | |||
| 7.2.1. Send (client) SYN (omits options)...................23 | 7.2.1. Send (Client) SYN (Omits Options) | |||
| 7.2.2. Receive (server) SYN-ACK (omits options)............23 | 7.2.2. Receive (Server) SYN-ACK (Omits Options) | |||
| 7.2.3. Send (client) non-SYN (omits options)...............24 | 7.2.3. Send (Client) Non-SYN (Omits Options) | |||
| 7.2.4. Receive (server) non-SYN (omits options)............24 | 7.2.4. Receive (Server) Non-SYN (Omits Options) | |||
| 8. Observed Implementation Errors................................25 | 8. Observed Implementation Errors | |||
| 8.1. Algorithm issues.........................................25 | 8.1. Algorithm Issues | |||
| 8.2. Algorithm parameters.....................................25 | 8.2. Algorithm Parameters | |||
| 8.3. String handling issues...................................26 | 8.3. String Handling Issues | |||
| 8.4. Header coverage issues...................................26 | 8.4. Header Coverage Issues | |||
| 9. Security Considerations.......................................26 | 9. Security Considerations | |||
| 10. IANA Considerations..........................................26 | 10. IANA Considerations | |||
| 11. References...................................................27 | 11. References | |||
| 11.1. Normative References....................................27 | 11.1. Normative References | |||
| 11.2. Informative References..................................27 | 11.2. Informative References | |||
| 12. Acknowledgments..............................................28 | Acknowledgments | |||
| Authors' Addresses | ||||
| 1. Introduction | 1. Introduction | |||
| This document provides test vectors to validate the correct | This document provides test vectors to validate the correct | |||
| implementation of the TCP Authentication Option (TCP-AO) [RFC5925] | implementation of the TCP Authentication Option (TCP-AO) [RFC5925] | |||
| and its mandatory cryptographic algorithms defined in [RFC5926]. It | and its mandatory cryptographic algorithms defined in [RFC5926]. It | |||
| includes the specification of all endpoint parameters to generate | includes the specification of all endpoint parameters to generate the | |||
| the variety of TCP segments covered by different keys and MAC | variety of TCP segments covered by different keys and MAC coverage, | |||
| coverage, i.e., both the default case and the variant where TCP | i.e., both the default case and the variant where TCP options are | |||
| options are ignored for middlebox traversal. It also includes both | ignored for middlebox traversal. It also includes both default key | |||
| default key derivation functions (KDFs) and MAC generation | derivation functions (KDFs) and MAC generation algorithms [RFC5926] | |||
| algorithms [RFC5926] and lists common pitfalls of implementing the | and lists common pitfalls of implementing the algorithms correctly. | |||
| algorithms correctly. | ||||
| The experimental extension to support NAT traversal [RFC6978] is not | The experimental extension to support NAT traversal [RFC6978] is not | |||
| included in the provided test vectors. | included in the provided test vectors. | |||
| This document provides test vectors from multiple implementations | This document provides test vectors from multiple implementations | |||
| that have been validated against each other for interoperability. | that have been validated against each other for interoperability. | |||
| 2. Conventions used in this document | 2. Conventions Used in This Document | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in | "OPTIONAL" in this document are to be interpreted as described in | |||
| BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
| capitals, as shown here. | capitals, as shown here. | |||
| 3. Input Test Vectors | 3. Input Test Vectors | |||
| 3.1. TCP Connection Parameters | 3.1. TCP Connection Parameters | |||
| The following parameters are used throughout this suite of test | The following parameters are used throughout this suite of test | |||
| vectors. The terms 'active' and 'passive' are used as defined for | vectors. The terms 'active' and 'passive' are used as defined for | |||
| TCP [RFC793]. | TCP [RFC0793]. | |||
| 3.1.1. TCP-AO parameters | 3.1.1. TCP-AO Parameters | |||
| The following values are used for all exchanges. This suite does not | The following values are used for all exchanges. This suite does not | |||
| test key switchover. The KeyIDs are as indicated for TCP-AO | test key switchover. The KeyIDs are as indicated for TCP-AO | |||
| [RFC5925]. The Master_Key is used to derive the traffic keys | [RFC5925]. The Master_Key is used to derive the traffic keys | |||
| [RFC5926]. | [RFC5926]. | |||
| Active (client) side KeyID: 61 decimal (0x3d hexadecimal) | Active (client) side KeyID: 61 decimal (0x3d hexadecimal) | |||
| Passive (server) side KeyID: 84 decimal (0x54 hexadecimal) | Passive (server) side KeyID: 84 decimal (0x54 hexadecimal) | |||
| Master_Key: "testvector" (length = 10 bytes) | Master_Key: "testvector" (length = 10 bytes) | |||
| 3.1.2. Active (client) side parameters | 3.1.2. Active (Client) Side Parameters | |||
| The following endpoint parameters are used on the active side of the | The following endpoint parameters are used on the active side of the | |||
| TCP connection, i.e., the side that initiates the TCP SYN. | TCP connection, i.e., the side that initiates the TCP SYN. | |||
| For IPv4: 10.11.12.13 (dotted decimal) | For IPv4: 10.11.12.13 (dotted decimal) | |||
| For IPv6: fd00::1 (IPv6 hexadecimal) | For IPv6: fd00::1 (IPv6 hexadecimal) | |||
| TCP port: (varies) | TCP port: (varies) | |||
| 3.1.3. Passive (server) side parameters | 3.1.3. Passive (Server) Side Parameters | |||
| The following endpoint parameters are used for the passive side of | The following endpoint parameters are used for the passive side of | |||
| the TCP connection, i.e., the side that responds with a TCP SYN-ACK. | the TCP connection, i.e., the side that responds with a TCP SYN-ACK. | |||
| For IPv4: 172.27.28.29 (dotted decimal) | For IPv4: 172.27.28.29 (dotted decimal) | |||
| For IPv6: fd00::2 (IPv6 hexadecimal) | For IPv6: fd00::2 (IPv6 hexadecimal) | |||
| TCP port = 179 decimal (BGP) | TCP port = 179 decimal (BGP) | |||
| 3.1.4. Other IP fields and options | 3.1.4. Other IP Fields and Options | |||
| No IP options are used in these test vectors. | No IP options are used in these test vectors. | |||
| All IPv4 packets use the following other parameters [RFC791]: DSCP = | All IPv4 packets use the following other parameters [RFC0791]: | |||
| 111000 binary (CS7) as is typical for BGP, ECN = 00 binary, set DF, | Differentiated Services Code Point (DSCP) = 111000 binary (CS7) as is | |||
| and clear MF. | typical for BGP, Explicit Congestion Notification (ECN) = 00 binary, | |||
| set the Don't Fragment (DF) bit, and clear the More Fragments (MF) | ||||
| bit. | ||||
| IPv4 uses a TTL of 255 decimal; IPv6 uses a hop limit of 255 | IPv4 uses a TTL of 255 decimal; IPv6 uses a hop limit of 255 decimal. | |||
| decimal. | ||||
| All IPv6 packets use the following other parameters [RFC8200]: | All IPv6 packets use the following other parameters [RFC8200]: | |||
| traffic class = 0xe0 hexadecimal (DSCP = 111000 binary CS7, as is | traffic class = 0xe0 hexadecimal (DSCP = 111000 binary CS7, as is | |||
| typical for BGP, with ECN = 00 binary) and no EHs. | typical for BGP, with ECN = 00 binary) and no Extension Headers | |||
| (EHs). | ||||
| 3.1.5. Other TCP fields and options | 3.1.5. Other TCP Fields and Options | |||
| The SYN and SYN-ACK segments include MSS [RFC793], NOP, WindowScale | The SYN and SYN-ACK segments include Maximum Segment Size (MSS) | |||
| [RFC7323], SACK Permitted [RFC2018], TimeStamp [RFC7323], and TCP-AO | [RFC0793], No Operation (NOP), Window Scale [RFC7323], Selective | |||
| [RFC5925], in that order. | Acknowledgment (SACK) permitted [RFC2018], Timestamp [RFC7323], and | |||
| TCP-AO [RFC5925], in that order. | ||||
| All other example segments include NOP, NOP, TimeStamp, and TCP-AO, | All other example segments include NOP, NOP, Timestamp, and TCP-AO, | |||
| in that order. | in that order. | |||
| All segment URG pointers are zero [RFC793]. All segments with data | All segment urgent (URG) pointers are zero [RFC0793]. All segments | |||
| set the PSH flag [RFC793]. | with data set the push (PSH) flag [RFC0793]. | |||
| Each TCP connection below uses the Initial Sequence Numbers (ISNs) | Each TCP connection below uses the Initial Sequence Numbers (ISNs) as | |||
| as indicated at the front of each corresponding section. | indicated at the front of each corresponding section. | |||
| 4. IPv4 SHA-1 Output Test Vectors | 4. IPv4 SHA-1 Output Test Vectors | |||
| The SHA-1 KDF and MAC algorithms, KDF_HMAC_SHA1 and HMAC-SHA-1-96, | The SHA-1 KDF and MAC algorithms, KDF_HMAC_SHA1 and HMAC-SHA-1-96, | |||
| are computed as specified for TCP-AO [RFC5926]. | are computed as specified for TCP-AO [RFC5926]. | |||
| In the following sections, all values are indicated as 2-digit | In the following sections, all values are indicated as 2-digit | |||
| hexadecimal values with spacing per line representing the contents | hexadecimal values with spacing per line representing the contents of | |||
| of 16 consecutive bytes, as is typical for data dumps. The IP/TCP | 16 consecutive bytes, as is typical for data dumps. The IP/TCP data | |||
| data indicates the entire IP packet, including the TCP segment and | indicates the entire IP packet, including the TCP segment and its | |||
| its options (whether covered by TCP-AO or not, as indicated), | options (whether covered by TCP-AO or not, as indicated), including | |||
| including TCP-AO. | TCP-AO. | |||
| 4.1. HMAC-SHA-1-96 (default - covers TCP options) | 4.1. HMAC-SHA-1-96 (Default - Covers TCP Options) | |||
| 4.1.1. Send (client) SYN (covers options) | 4.1.1. Send (Client) SYN (Covers Options) | |||
| Client ISN = 0xfbfbab5a | Client ISN = 0xfbfbab5a | |||
| Send_SYN_traffic_key: | Send_SYN_traffic_key: | |||
| 6d 63 ef 1b 02 fe 15 09 d4 b1 40 27 07 fd 7b 04 | 6d 63 ef 1b 02 fe 15 09 d4 b1 40 27 07 fd 7b 04 | |||
| 16 ab b7 4f | 16 ab b7 4f | |||
| IPv4/TCP: | IPv4/TCP: | |||
| 45 e0 00 4c dd 0f 40 00 ff 06 bf 6b 0a 0b 0c 0d | 45 e0 00 4c dd 0f 40 00 ff 06 bf 6b 0a 0b 0c 0d | |||
| ac 1b 1c 1d e9 d7 00 b3 fb fb ab 5a 00 00 00 00 | ac 1b 1c 1d e9 d7 00 b3 fb fb ab 5a 00 00 00 00 | |||
| e0 02 ff ff ca c4 00 00 02 04 05 b4 01 03 03 08 | e0 02 ff ff ca c4 00 00 02 04 05 b4 01 03 03 08 | |||
| 04 02 08 0a 00 15 5a b7 00 00 00 00 1d 10 3d 54 | 04 02 08 0a 00 15 5a b7 00 00 00 00 1d 10 3d 54 | |||
| 2e e4 37 c6 f8 ed e6 d7 c4 d6 02 e7 | 2e e4 37 c6 f8 ed e6 d7 c4 d6 02 e7 | |||
| MAC: | MAC: | |||
| 2e e4 37 c6 f8 ed e6 d7 c4 d6 02 e7 | 2e e4 37 c6 f8 ed e6 d7 c4 d6 02 e7 | |||
| 4.1.2. Receive (server) SYN-ACK (covers options) | 4.1.2. Receive (Server) SYN-ACK (Covers Options) | |||
| Server ISN = 0x11c14261 | Server ISN = 0x11c14261 | |||
| Receive_SYN_traffic_key: | Receive_SYN_traffic_key: | |||
| d9 e2 17 e4 83 4a 80 ca 2f 3f d8 de 2e 41 b8 e6 | d9 e2 17 e4 83 4a 80 ca 2f 3f d8 de 2e 41 b8 e6 | |||
| 79 7f ea 96 | 79 7f ea 96 | |||
| IPv4/TCP: | IPv4/TCP: | |||
| 45 e0 00 4c 65 06 40 00 ff 06 37 75 ac 1b 1c 1d | 45 e0 00 4c 65 06 40 00 ff 06 37 75 ac 1b 1c 1d | |||
| 0a 0b 0c 0d 00 b3 e9 d7 11 c1 42 61 fb fb ab 5b | 0a 0b 0c 0d 00 b3 e9 d7 11 c1 42 61 fb fb ab 5b | |||
| e0 12 ff ff 37 76 00 00 02 04 05 b4 01 03 03 08 | e0 12 ff ff 37 76 00 00 02 04 05 b4 01 03 03 08 | |||
| 04 02 08 0a 84 a5 0b eb 00 15 5a b7 1d 10 54 3d | 04 02 08 0a 84 a5 0b eb 00 15 5a b7 1d 10 54 3d | |||
| ee ab 0f e2 4c 30 10 81 51 16 b3 be | ee ab 0f e2 4c 30 10 81 51 16 b3 be | |||
| MAC: | MAC: | |||
| ee ab 0f e2 4c 30 10 81 51 16 b3 be | ee ab 0f e2 4c 30 10 81 51 16 b3 be | |||
| 4.1.3. Send (client) non-SYN (covers options) | 4.1.3. Send (Client) Non-SYN (Covers Options) | |||
| Send_other_traffic_key: | Send_other_traffic_key: | |||
| d2 e5 9c 65 ff c7 b1 a3 93 47 65 64 63 b7 0e dc | d2 e5 9c 65 ff c7 b1 a3 93 47 65 64 63 b7 0e dc | |||
| 24 a1 3d 71 | 24 a1 3d 71 | |||
| IPv4/TCP: | IPv4/TCP: | |||
| 45 e0 00 87 36 a1 40 00 ff 06 65 9f 0a 0b 0c 0d | 45 e0 00 87 36 a1 40 00 ff 06 65 9f 0a 0b 0c 0d | |||
| ac 1b 1c 1d e9 d7 00 b3 fb fb ab 5b 11 c1 42 62 | ac 1b 1c 1d e9 d7 00 b3 fb fb ab 5b 11 c1 42 62 | |||
| skipping to change at page 7, line 40 ¶ | skipping to change at line 303 ¶ | |||
| c2 c2 e2 bf ff ff ff ff ff ff ff ff ff ff ff ff | c2 c2 e2 bf ff ff ff ff ff ff ff ff ff ff ff ff | |||
| ff ff ff ff 00 43 01 04 da bf 00 b4 0a 0b 0c 0d | ff ff ff ff 00 43 01 04 da bf 00 b4 0a 0b 0c 0d | |||
| 26 02 06 01 04 00 01 00 01 02 02 80 00 02 02 02 | 26 02 06 01 04 00 01 00 01 02 02 80 00 02 02 02 | |||
| 00 02 02 42 00 02 06 41 04 00 00 da bf 02 08 40 | 00 02 02 42 00 02 06 41 04 00 00 da bf 02 08 40 | |||
| 06 00 64 00 01 01 00 | 06 00 64 00 01 01 00 | |||
| MAC: | MAC: | |||
| 70 64 cf 99 8c c6 c3 15 c2 c2 e2 bf | 70 64 cf 99 8c c6 c3 15 c2 c2 e2 bf | |||
| 4.1.4. Receive (server) non-SYN (covers options) | 4.1.4. Receive (Server) Non-SYN (Covers Options) | |||
| Receive_other_traffic_key: | Receive_other_traffic_key: | |||
| d9 e2 17 e4 83 4a 80 ca 2f 3f d8 de 2e 41 b8 e6 | d9 e2 17 e4 83 4a 80 ca 2f 3f d8 de 2e 41 b8 e6 | |||
| 79 7f ea 96 | 79 7f ea 96 | |||
| IPv4/TCP: | IPv4/TCP: | |||
| 45 e0 00 87 1f a9 40 00 ff 06 7c 97 ac 1b 1c 1d | 45 e0 00 87 1f a9 40 00 ff 06 7c 97 ac 1b 1c 1d | |||
| 0a 0b 0c 0d 00 b3 e9 d7 11 c1 42 62 fb fb ab 9e | 0a 0b 0c 0d 00 b3 e9 d7 11 c1 42 62 fb fb ab 9e | |||
| skipping to change at page 8, line 21 ¶ | skipping to change at line 326 ¶ | |||
| 95 4d ea c7 ff ff ff ff ff ff ff ff ff ff ff ff | 95 4d ea c7 ff ff ff ff ff ff ff ff ff ff ff ff | |||
| ff ff ff ff 00 43 01 04 da c0 00 b4 ac 1b 1c 1d | ff ff ff ff 00 43 01 04 da c0 00 b4 ac 1b 1c 1d | |||
| 26 02 06 01 04 00 01 00 01 02 02 80 00 02 02 02 | 26 02 06 01 04 00 01 00 01 02 02 80 00 02 02 02 | |||
| 00 02 02 42 00 02 06 41 04 00 00 da c0 02 08 40 | 00 02 02 42 00 02 06 41 04 00 00 da c0 02 08 40 | |||
| 06 00 64 00 01 01 00 | 06 00 64 00 01 01 00 | |||
| MAC: | MAC: | |||
| a6 3f 0e cb bb 2e 63 5c 95 4d ea c7 | a6 3f 0e cb bb 2e 63 5c 95 4d ea c7 | |||
| 4.2. HMAC-SHA-1-96 (omits TCP options) | 4.2. HMAC-SHA-1-96 (Omits TCP Options) | |||
| 4.2.1. Send (client) SYN (omits options) | 4.2.1. Send (Client) SYN (Omits Options) | |||
| Client ISN = 0xcb0efbee | Client ISN = 0xcb0efbee | |||
| Send_SYN_traffic_key: | Send_SYN_traffic_key: | |||
| 30 ea a1 56 0c f0 be 57 da b5 c0 45 22 9f b1 0a | 30 ea a1 56 0c f0 be 57 da b5 c0 45 22 9f b1 0a | |||
| 42 3c d7 ea | 42 3c d7 ea | |||
| IPv4/TCP: | IPv4/TCP: | |||
| 45 e0 00 4c 53 99 40 00 ff 06 48 e2 0a 0b 0c 0d | 45 e0 00 4c 53 99 40 00 ff 06 48 e2 0a 0b 0c 0d | |||
| ac 1b 1c 1d ff 12 00 b3 cb 0e fb ee 00 00 00 00 | ac 1b 1c 1d ff 12 00 b3 cb 0e fb ee 00 00 00 00 | |||
| e0 02 ff ff 54 1f 00 00 02 04 05 b4 01 03 03 08 | e0 02 ff ff 54 1f 00 00 02 04 05 b4 01 03 03 08 | |||
| 04 02 08 0a 00 02 4c ce 00 00 00 00 1d 10 3d 54 | 04 02 08 0a 00 02 4c ce 00 00 00 00 1d 10 3d 54 | |||
| 80 af 3c fe b8 53 68 93 7b 8f 9e c2 | 80 af 3c fe b8 53 68 93 7b 8f 9e c2 | |||
| MAC: | MAC: | |||
| 80 af 3c fe b8 53 68 93 7b 8f 9e c2 | 80 af 3c fe b8 53 68 93 7b 8f 9e c2 | |||
| 4.2.2. Receive (server) SYN-ACK (omits options) | 4.2.2. Receive (Server) SYN-ACK (Omits Options) | |||
| Server ISN = 0xacd5b5e1 | Server ISN = 0xacd5b5e1 | |||
| Receive_SYN_traffic_key: | Receive_SYN_traffic_key: | |||
| b5 b2 89 6b b3 66 4e 81 76 b0 ed c6 e7 99 52 41a | b5 b2 89 6b b3 66 4e 81 76 b0 ed c6 e7 99 52 41a | |||
| 01 a8 30 7f | 01 a8 30 7f | |||
| IPv4/TCP: | IPv4/TCP: | |||
| 45 e0 00 4c 32 84 40 00 ff 06 69 f7 ac 1b 1c 1d | 45 e0 00 4c 32 84 40 00 ff 06 69 f7 ac 1b 1c 1d | |||
| 0a 0b 0c 0d 00 b3 ff 12 ac d5 b5 e1 cb 0e fb ef | 0a 0b 0c 0d 00 b3 ff 12 ac d5 b5 e1 cb 0e fb ef | |||
| e0 12 ff ff 38 8e 00 00 02 04 05 b4 01 03 03 08 | e0 12 ff ff 38 8e 00 00 02 04 05 b4 01 03 03 08 | |||
| 04 02 08 0a 57 67 72 f3 00 02 4c ce 1d 10 54 3d | 04 02 08 0a 57 67 72 f3 00 02 4c ce 1d 10 54 3d | |||
| 09 30 6f 9a ce a6 3a 8c 68 cb 9a 70 | 09 30 6f 9a ce a6 3a 8c 68 cb 9a 70 | |||
| MAC: | MAC: | |||
| 09 30 6f 9a ce a6 3a 8c 68 cb 9a 70 | 09 30 6f 9a ce a6 3a 8c 68 cb 9a 70 | |||
| 4.2.3. Send (client) non-SYN (omits options) | 4.2.3. Send (Client) Non-SYN (Omits Options) | |||
| Send_other_traffic_key: | Send_other_traffic_key: | |||
| f3 db 17 93 d7 91 0e cd 80 6c 34 f1 55 ea 1f 00 | f3 db 17 93 d7 91 0e cd 80 6c 34 f1 55 ea 1f 00 | |||
| 34 59 53 e3 | 34 59 53 e3 | |||
| IPv4/TCP: | IPv4/TCP: | |||
| 45 e0 00 87 a8 f5 40 00 ff 06 f3 4a 0a 0b 0c 0d | 45 e0 00 87 a8 f5 40 00 ff 06 f3 4a 0a 0b 0c 0d | |||
| ac 1b 1c 1d ff 12 00 b3 cb 0e fb ef ac d5 b5 e2 | ac 1b 1c 1d ff 12 00 b3 cb 0e fb ef ac d5 b5 e2 | |||
| skipping to change at page 10, line 5 ¶ | skipping to change at line 393 ¶ | |||
| 71 c9 3a a5 ff ff ff ff ff ff ff ff ff ff ff ff | 71 c9 3a a5 ff ff ff ff ff ff ff ff ff ff ff ff | |||
| ff ff ff ff 00 43 01 04 da bf 00 b4 0a 0b 0c 0d | ff ff ff ff 00 43 01 04 da bf 00 b4 0a 0b 0c 0d | |||
| 26 02 06 01 04 00 01 00 01 02 02 80 00 02 02 02 | 26 02 06 01 04 00 01 00 01 02 02 80 00 02 02 02 | |||
| 00 02 02 42 00 02 06 41 04 00 00 da bf 02 08 40 | 00 02 02 42 00 02 06 41 04 00 00 da bf 02 08 40 | |||
| 06 00 64 00 01 01 00 | 06 00 64 00 01 01 00 | |||
| MAC: | MAC: | |||
| 71 06 08 cc 69 6c 03 a2 71 c9 3a a5 | 71 06 08 cc 69 6c 03 a2 71 c9 3a a5 | |||
| 4.2.4. Receive (server) non-SYN (omits options) | 4.2.4. Receive (Server) Non-SYN (Omits Options) | |||
| Receive_other_traffic_key: | Receive_other_traffic_key: | |||
| b5 b2 89 6b b3 66 4e 81 76 b0 ed c6 e7 99 52 41 | b5 b2 89 6b b3 66 4e 81 76 b0 ed c6 e7 99 52 41 | |||
| 01 a8 30 7f | 01 a8 30 7f | |||
| IPv4/TCP: | IPv4/TCP: | |||
| 45 e0 00 87 54 37 40 00 ff 06 48 09 ac 1b 1c 1d | 45 e0 00 87 54 37 40 00 ff 06 48 09 ac 1b 1c 1d | |||
| 0a 0b 0c 0d 00 b3 ff 12 ac d5 b5 e2 cb 0e fc 32 | 0a 0b 0c 0d 00 b3 ff 12 ac d5 b5 e2 cb 0e fc 32 | |||
| skipping to change at page 10, line 28 ¶ | skipping to change at line 416 ¶ | |||
| ae 61 b4 f9 ff ff ff ff ff ff ff ff ff ff ff ff | ae 61 b4 f9 ff ff ff ff ff ff ff ff ff ff ff ff | |||
| ff ff ff ff 00 43 01 04 da c0 00 b4 ac 1b 1c 1d | ff ff ff ff 00 43 01 04 da c0 00 b4 ac 1b 1c 1d | |||
| 26 02 06 01 04 00 01 00 01 02 02 80 00 02 02 02 | 26 02 06 01 04 00 01 00 01 02 02 80 00 02 02 02 | |||
| 00 02 02 42 00 02 06 41 04 00 00 da c0 02 08 40 | 00 02 02 42 00 02 06 41 04 00 00 da c0 02 08 40 | |||
| 06 00 64 00 01 01 00 | 06 00 64 00 01 01 00 | |||
| MAC: | MAC: | |||
| 97 76 6e 48 ac 26 2d e9 ae 61 b4 f9 | 97 76 6e 48 ac 26 2d e9 ae 61 b4 f9 | |||
| 5. IPv4 AES-128 Output Test Vectors | 5. IPv4 AES-128 Output Test Vectors | |||
| The AES-128 KDF and MAC algorithms, KDF_AES_128_CMAC and AES-128- | The AES-128 KDF and MAC algorithms, KDF_AES_128_CMAC and AES-128- | |||
| CMAC-96, are computed as specified for TCP-AO [RFC5926]. | CMAC-96, are computed as specified for TCP-AO [RFC5926]. | |||
| In the following sections, all values are indicated as 2-digit | In the following sections, all values are indicated as 2-digit | |||
| hexadecimal values with spacing per line representing the contents | hexadecimal values with spacing per line representing the contents of | |||
| of 16 consecutive bytes, as is typical for data dumps. The IP/TCP | 16 consecutive bytes, as is typical for data dumps. The IP/TCP data | |||
| data indicates the entire IP packet, including the TCP segment and | indicates the entire IP packet, including the TCP segment and its | |||
| its options (whether covered by TCP-AO or not, as indicated), | options (whether covered by TCP-AO or not, as indicated), including | |||
| including TCP-AO. | TCP-AO. | |||
| 5.1. AES-128-CMAC-96 (default - covers TCP options) | 5.1. AES-128-CMAC-96 (Default - Covers TCP Options) | |||
| 5.1.1. Send (client) SYN (covers options) | 5.1.1. Send (Client) SYN (Covers Options) | |||
| Client ISN = 0x787a1ddf | Client ISN = 0x787a1ddf | |||
| Send_SYN_traffic_key: | Send_SYN_traffic_key: | |||
| f5 b8 b3 d5 f3 4f db b6 eb 8d 4a b9 66 0e 60 e3 | f5 b8 b3 d5 f3 4f db b6 eb 8d 4a b9 66 0e 60 e3 | |||
| IP/TCP: | IP/TCP: | |||
| 45 e0 00 4c 7b 9f 40 00 ff 06 20 dc 0a 0b 0c 0d | 45 e0 00 4c 7b 9f 40 00 ff 06 20 dc 0a 0b 0c 0d | |||
| ac 1b 1c 1d c4 fa 00 b3 78 7a 1d df 00 00 00 00 | ac 1b 1c 1d c4 fa 00 b3 78 7a 1d df 00 00 00 00 | |||
| e0 02 ff ff 5a 0f 00 00 02 04 05 b4 01 03 03 08 | e0 02 ff ff 5a 0f 00 00 02 04 05 b4 01 03 03 08 | |||
| 04 02 08 0a 00 01 7e d0 00 00 00 00 1d 10 3d 54 | 04 02 08 0a 00 01 7e d0 00 00 00 00 1d 10 3d 54 | |||
| e4 77 e9 9c 80 40 76 54 98 e5 50 91 | e4 77 e9 9c 80 40 76 54 98 e5 50 91 | |||
| MAC: | MAC: | |||
| e4 77 e9 9c 80 40 76 54 98 e5 50 91 | e4 77 e9 9c 80 40 76 54 98 e5 50 91 | |||
| 5.1.2. Receive (server) SYN-ACK (covers options) | 5.1.2. Receive (Server) SYN-ACK (Covers Options) | |||
| Server ISN = 0xfadd6de9 | Server ISN = 0xfadd6de9 | |||
| Receive_SYN_traffic_key: | Receive_SYN_traffic_key: | |||
| 4b c7 57 1a 48 6f 32 64 bb d8 88 47 40 66 b4 b1 | 4b c7 57 1a 48 6f 32 64 bb d8 88 47 40 66 b4 b1 | |||
| IPv4/TCP: | IPv4/TCP: | |||
| 45 e0 00 4c 4b ad 40 00 ff 06 50 ce ac 1b 1c 1d | 45 e0 00 4c 4b ad 40 00 ff 06 50 ce ac 1b 1c 1d | |||
| 0a 0b 0c 0d 00 b3 c4 fa fa dd 6d e9 78 7a 1d e0 | 0a 0b 0c 0d 00 b3 c4 fa fa dd 6d e9 78 7a 1d e0 | |||
| e0 12 ff ff f3 f2 00 00 02 04 05 b4 01 03 03 08 | e0 12 ff ff f3 f2 00 00 02 04 05 b4 01 03 03 08 | |||
| 04 02 08 0a 93 f4 e9 e8 00 01 7e d0 1d 10 54 3d | 04 02 08 0a 93 f4 e9 e8 00 01 7e d0 1d 10 54 3d | |||
| d6 ad a7 bc 4c dd 53 6d 17 69 db 5f | d6 ad a7 bc 4c dd 53 6d 17 69 db 5f | |||
| MAC: | MAC: | |||
| d6 ad a7 bc 4c dd 53 6d 17 69 db 5f | d6 ad a7 bc 4c dd 53 6d 17 69 db 5f | |||
| 5.1.3. Send (client) non-SYN (covers options) | 5.1.3. Send (Client) Non-SYN (Covers Options) | |||
| Send_other_traffic_key: | Send_other_traffic_key: | |||
| 8c 8a e0 e8 37 1e c5 cb b9 7e a7 9d 90 41 83 91 | 8c 8a e0 e8 37 1e c5 cb b9 7e a7 9d 90 41 83 91 | |||
| IPv4/TCP: | IPv4/TCP: | |||
| 45 e0 00 87 fb 4f 40 00 ff 06 a0 f0 0a 0b 0c 0d | 45 e0 00 87 fb 4f 40 00 ff 06 a0 f0 0a 0b 0c 0d | |||
| ac 1b 1c 1d c4 fa 00 b3 78 7a 1d e0 fa dd 6d ea | ac 1b 1c 1d c4 fa 00 b3 78 7a 1d e0 fa dd 6d ea | |||
| c0 18 01 04 95 05 00 00 01 01 08 0a 00 01 7e d0 | c0 18 01 04 95 05 00 00 01 01 08 0a 00 01 7e d0 | |||
| skipping to change at page 12, line 27 ¶ | skipping to change at line 492 ¶ | |||
| ef f0 97 3e ff ff ff ff ff ff ff ff ff ff ff ff | ef f0 97 3e ff ff ff ff ff ff ff ff ff ff ff ff | |||
| ff ff ff ff 00 43 01 04 da bf 00 b4 0a 0b 0c 0d | ff ff ff ff 00 43 01 04 da bf 00 b4 0a 0b 0c 0d | |||
| 26 02 06 01 04 00 01 00 01 02 02 80 00 02 02 02 | 26 02 06 01 04 00 01 00 01 02 02 80 00 02 02 02 | |||
| 00 02 02 42 00 02 06 41 04 00 00 da bf 02 08 40 | 00 02 02 42 00 02 06 41 04 00 00 da bf 02 08 40 | |||
| 06 00 64 00 01 01 00 | 06 00 64 00 01 01 00 | |||
| MAC: | MAC: | |||
| 77 41 27 42 fa 4d c4 33 ef f0 97 3e | 77 41 27 42 fa 4d c4 33 ef f0 97 3e | |||
| 5.1.4. Receive (server) non-SYN (covers options) | 5.1.4. Receive (Server) Non-SYN (Covers Options) | |||
| Receive_other_traffic_key: | Receive_other_traffic_key: | |||
| 4b c7 57 1a 48 6f 32 64 bb d8 88 47 40 66 b4 b1 | 4b c7 57 1a 48 6f 32 64 bb d8 88 47 40 66 b4 b1 | |||
| IPv4/TCP: | IPv4/TCP: | |||
| 45 e0 00 87 b9 14 40 00 ff 06 e3 2b ac 1b 1c 1d | 45 e0 00 87 b9 14 40 00 ff 06 e3 2b ac 1b 1c 1d | |||
| 0a 0b 0c 0d 00 b3 c4 fa fa dd 6d ea 78 7a 1e 23 | 0a 0b 0c 0d 00 b3 c4 fa fa dd 6d ea 78 7a 1e 23 | |||
| c0 18 01 00 e7 db 00 00 01 01 08 0a 93 f4 e9 e8 | c0 18 01 00 e7 db 00 00 01 01 08 0a 93 f4 e9 e8 | |||
| skipping to change at page 13, line 9 ¶ | skipping to change at line 514 ¶ | |||
| 45 f7 2d ac ff ff ff ff ff ff ff ff ff ff ff ff | 45 f7 2d ac ff ff ff ff ff ff ff ff ff ff ff ff | |||
| ff ff ff ff 00 43 01 04 da c0 00 b4 ac 1b 1c 1d | ff ff ff ff 00 43 01 04 da c0 00 b4 ac 1b 1c 1d | |||
| 26 02 06 01 04 00 01 00 01 02 02 80 00 02 02 02 | 26 02 06 01 04 00 01 00 01 02 02 80 00 02 02 02 | |||
| 00 02 02 42 00 02 06 41 04 00 00 da c0 02 08 40 | 00 02 02 42 00 02 06 41 04 00 00 da c0 02 08 40 | |||
| 06 00 64 00 01 01 00 | 06 00 64 00 01 01 00 | |||
| MAC: | MAC: | |||
| f6 d9 65 a7 83 82 a7 48 45 f7 2d ac | f6 d9 65 a7 83 82 a7 48 45 f7 2d ac | |||
| 5.2. AES-128-CMAC-96 (omits TCP options) | 5.2. AES-128-CMAC-96 (Omits TCP Options) | |||
| 5.2.1. Send (client) SYN (omits options) | 5.2.1. Send (Client) SYN (Omits Options) | |||
| Client ISN = 0x389bed71 | Client ISN = 0x389bed71 | |||
| Send_SYN_traffic_key: | Send_SYN_traffic_key: | |||
| 2c db ae 13 92 c4 94 49 fa 92 c4 50 97 35 d5 0e | 2c db ae 13 92 c4 94 49 fa 92 c4 50 97 35 d5 0e | |||
| IPv4/TCP: | IPv4/TCP: | |||
| 45 e0 00 4c f2 2e 40 00 ff 06 aa 4c 0a 0b 0c 0d | 45 e0 00 4c f2 2e 40 00 ff 06 aa 4c 0a 0b 0c 0d | |||
| ac 1b 1c 1d da 1c 00 b3 38 9b ed 71 00 00 00 00 | ac 1b 1c 1d da 1c 00 b3 38 9b ed 71 00 00 00 00 | |||
| e0 02 ff ff 70 bf 00 00 02 04 05 b4 01 03 03 08 | e0 02 ff ff 70 bf 00 00 02 04 05 b4 01 03 03 08 | |||
| 04 02 08 0a 00 01 85 e1 00 00 00 00 1d 10 3d 54 | 04 02 08 0a 00 01 85 e1 00 00 00 00 1d 10 3d 54 | |||
| c4 4e 60 cb 31 f7 c0 b1 de 3d 27 49 | c4 4e 60 cb 31 f7 c0 b1 de 3d 27 49 | |||
| MAC: | MAC: | |||
| c4 4e 60 cb 31 f7 c0 b1 de 3d 27 49 | c4 4e 60 cb 31 f7 c0 b1 de 3d 27 49 | |||
| 5.2.2. Receive (server) SYN-ACK (omits options) | 5.2.2. Receive (Server) SYN-ACK (Omits Options) | |||
| Server ISN = 0xd3844a6f | Server ISN = 0xd3844a6f | |||
| Receive_SYN_traffic_key: | Receive_SYN_traffic_key: | |||
| 3c e6 7a 55 18 69 50 6b 63 47 b6 33 c5 0a 62 4a | 3c e6 7a 55 18 69 50 6b 63 47 b6 33 c5 0a 62 4a | |||
| IPv4/TCP: | IPv4/TCP: | |||
| 45 e0 00 4c 6c c0 40 00 ff 06 2f bb ac 1b 1c 1d | 45 e0 00 4c 6c c0 40 00 ff 06 2f bb ac 1b 1c 1d | |||
| 0a 0b 0c 0d 00 b3 da 1c d3 84 4a 6f 38 9b ed 72 | 0a 0b 0c 0d 00 b3 da 1c d3 84 4a 6f 38 9b ed 72 | |||
| e0 12 ff ff e4 45 00 00 02 04 05 b4 01 03 03 08 | e0 12 ff ff e4 45 00 00 02 04 05 b4 01 03 03 08 | |||
| 04 02 08 0a ce 45 98 38 00 01 85 e1 1d 10 54 3d | 04 02 08 0a ce 45 98 38 00 01 85 e1 1d 10 54 3d | |||
| 3a 6a bb 20 7e 49 b1 be 71 36 db 90 | 3a 6a bb 20 7e 49 b1 be 71 36 db 90 | |||
| MAC: | MAC: | |||
| 3a 6a bb 20 7e 49 b1 be 71 36 db 90 | 3a 6a bb 20 7e 49 b1 be 71 36 db 90 | |||
| 5.2.3. Send (client) non-SYN (omits options) | 5.2.3. Send (Client) Non-SYN (Omits Options) | |||
| Send_other_traffic_key: | Send_other_traffic_key: | |||
| 03 5b c4 00 a3 41 ff e5 95 f5 9f 58 00 50 06 ca | 03 5b c4 00 a3 41 ff e5 95 f5 9f 58 00 50 06 ca | |||
| IPv4/TCP: | IPv4/TCP: | |||
| 45 e0 00 87 ee 91 40 00 ff 06 ad ae 0a 0b 0c 0d | 45 e0 00 87 ee 91 40 00 ff 06 ad ae 0a 0b 0c 0d | |||
| ac 1b 1c 1d da 1c 00 b3 38 9b ed 72 d3 84 4a 70 | ac 1b 1c 1d da 1c 00 b3 38 9b ed 72 d3 84 4a 70 | |||
| c0 18 01 04 88 51 00 00 01 01 08 0a 00 01 85 e1 | c0 18 01 04 88 51 00 00 01 01 08 0a 00 01 85 e1 | |||
| skipping to change at page 14, line 31 ¶ | skipping to change at line 578 ¶ | |||
| 7b 96 f8 37 ff ff ff ff ff ff ff ff ff ff ff ff | 7b 96 f8 37 ff ff ff ff ff ff ff ff ff ff ff ff | |||
| ff ff ff ff 00 43 01 04 da bf 00 b4 0a 0b 0c 0d | ff ff ff ff 00 43 01 04 da bf 00 b4 0a 0b 0c 0d | |||
| 26 02 06 01 04 00 01 00 01 02 02 80 00 02 02 02 | 26 02 06 01 04 00 01 00 01 02 02 80 00 02 02 02 | |||
| 00 02 02 42 00 02 06 41 04 00 00 da bf 02 08 40 | 00 02 02 42 00 02 06 41 04 00 00 da bf 02 08 40 | |||
| 06 00 64 00 01 01 00 | 06 00 64 00 01 01 00 | |||
| MAC: | MAC: | |||
| 75 85 e9 e9 d5 c3 ec 85 7b 96 f8 37 | 75 85 e9 e9 d5 c3 ec 85 7b 96 f8 37 | |||
| 5.2.4. Receive (server) non-SYN (omits options) | 5.2.4. Receive (Server) Non-SYN (Omits Options) | |||
| Receive_other_traffic_key: | Receive_other_traffic_key: | |||
| 3c e6 7a 55 18 69 50 6b 63 47 b6 33 c5 0a 62 4a | 3c e6 7a 55 18 69 50 6b 63 47 b6 33 c5 0a 62 4a | |||
| IPv4/TCP: | IPv4/TCP: | |||
| 45 e0 00 87 6a 21 40 00 ff 06 32 1f ac 1b 1c 1d | 45 e0 00 87 6a 21 40 00 ff 06 32 1f ac 1b 1c 1d | |||
| 0a 0b 0c 0d 00 b3 da 1c d3 84 4a 70 38 9b ed 72 | 0a 0b 0c 0d 00 b3 da 1c d3 84 4a 70 38 9b ed 72 | |||
| c0 18 01 00 04 49 00 00 01 01 08 0a ce 45 98 38 | c0 18 01 00 04 49 00 00 01 01 08 0a ce 45 98 38 | |||
| skipping to change at page 15, line 21 ¶ | skipping to change at line 600 ¶ | |||
| 5c 09 82 f4 ff ff ff ff ff ff ff ff ff ff ff ff | 5c 09 82 f4 ff ff ff ff ff ff ff ff ff ff ff ff | |||
| ff ff ff ff 00 43 01 04 da c0 00 b4 ac 1b 1c 1d | ff ff ff ff 00 43 01 04 da c0 00 b4 ac 1b 1c 1d | |||
| 26 02 06 01 04 00 01 00 01 02 02 80 00 02 02 02 | 26 02 06 01 04 00 01 00 01 02 02 80 00 02 02 02 | |||
| 00 02 02 42 00 02 06 41 04 00 00 da c0 02 08 40 | 00 02 02 42 00 02 06 41 04 00 00 da c0 02 08 40 | |||
| 06 00 64 00 01 01 00 | 06 00 64 00 01 01 00 | |||
| MAC: | MAC: | |||
| 5c 04 0f d9 23 33 04 76 5c 09 82 f4 | 5c 04 0f d9 23 33 04 76 5c 09 82 f4 | |||
| 6. IPv6 SHA-1 Output Test Vectors | 6. IPv6 SHA-1 Output Test Vectors | |||
| The SHA-1 KDF and MAC algorithms, KDF_HMAC_SHA1 and HMAC-SHA-1-96, | The SHA-1 KDF and MAC algorithms, KDF_HMAC_SHA1 and HMAC-SHA-1-96, | |||
| are computed as specified for TCP-AO [RFC5926]. | are computed as specified for TCP-AO [RFC5926]. | |||
| 6.1. HMAC-SHA-1-96 (default - covers TCP options) | 6.1. HMAC-SHA-1-96 (Default - Covers TCP Options) | |||
| 6.1.1. Send (client) SYN (covers options) | 6.1.1. Send (Client) SYN (Covers Options) | |||
| Client ISN = 0x176a833f | Client ISN = 0x176a833f | |||
| Send_SYN_traffic_key: | Send_SYN_traffic_key: | |||
| 62 5e c0 9d 57 58 36 ed c9 b6 42 84 18 bb f0 69 | 62 5e c0 9d 57 58 36 ed c9 b6 42 84 18 bb f0 69 | |||
| 89 a3 61 bb | 89 a3 61 bb | |||
| IPv6/TCP: | IPv6/TCP: | |||
| skipping to change at page 16, line 9 ¶ | skipping to change at line 629 ¶ | |||
| 00 00 00 00 00 00 00 01 fd 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 01 fd 00 00 00 00 00 00 00 | |||
| 00 00 00 00 00 00 00 02 f7 e4 00 b3 17 6a 83 3f | 00 00 00 00 00 00 00 02 f7 e4 00 b3 17 6a 83 3f | |||
| 00 00 00 00 e0 02 ff ff 47 21 00 00 02 04 05 a0 | 00 00 00 00 e0 02 ff ff 47 21 00 00 02 04 05 a0 | |||
| 01 03 03 08 04 02 08 0a 00 41 d0 87 00 00 00 00 | 01 03 03 08 04 02 08 0a 00 41 d0 87 00 00 00 00 | |||
| 1d 10 3d 54 90 33 ec 3d 73 34 b6 4c 5e dd 03 9f | 1d 10 3d 54 90 33 ec 3d 73 34 b6 4c 5e dd 03 9f | |||
| MAC: | MAC: | |||
| 90 33 ec 3d 73 34 b6 4c 5e dd 03 9f | 90 33 ec 3d 73 34 b6 4c 5e dd 03 9f | |||
| 6.1.2. Receive (server) SYN-ACK (covers options) | 6.1.2. Receive (Server) SYN-ACK (Covers Options) | |||
| Server ISN = 0x3f51994b | Server ISN = 0x3f51994b | |||
| Receive_SYN_traffic_key: | Receive_SYN_traffic_key: | |||
| e4 a3 7a da 2a 0a fc a8 71 14 34 91 3f e1 38 c7 | e4 a3 7a da 2a 0a fc a8 71 14 34 91 3f e1 38 c7 | |||
| 71 eb cb 4a | 71 eb cb 4a | |||
| IPv6/TCP: | IPv6/TCP: | |||
| skipping to change at page 16, line 31 ¶ | skipping to change at line 651 ¶ | |||
| 00 00 00 00 00 00 00 02 fd 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 02 fd 00 00 00 00 00 00 00 | |||
| 00 00 00 00 00 00 00 01 00 b3 f7 e4 3f 51 99 4b | 00 00 00 00 00 00 00 01 00 b3 f7 e4 3f 51 99 4b | |||
| 17 6a 83 40 e0 12 ff ff bf ec 00 00 02 04 05 a0 | 17 6a 83 40 e0 12 ff ff bf ec 00 00 02 04 05 a0 | |||
| 01 03 03 08 04 02 08 0a bd 33 12 9b 00 41 d0 87 | 01 03 03 08 04 02 08 0a bd 33 12 9b 00 41 d0 87 | |||
| 1d 10 54 3d f1 cb a3 46 c3 52 61 63 f7 1f 1f 55 | 1d 10 54 3d f1 cb a3 46 c3 52 61 63 f7 1f 1f 55 | |||
| MAC: | MAC: | |||
| f1 cb a3 46 c3 52 61 63 f7 1f 1f 55 | f1 cb a3 46 c3 52 61 63 f7 1f 1f 55 | |||
| 6.1.3. Send (client) non-SYN (covers options) | 6.1.3. Send (Client) Non-SYN (Covers Options) | |||
| Send_other_traffic_key: | Send_other_traffic_key: | |||
| 1e d8 29 75 f4 ea 44 4c 61 58 0c 5b d9 0d bd 61 | 1e d8 29 75 f4 ea 44 4c 61 58 0c 5b d9 0d bd 61 | |||
| bb c9 1b 7e | bb c9 1b 7e | |||
| IPv6/TCP: | IPv6/TCP: | |||
| 6e 08 91 dc 00 73 06 40 fd 00 00 00 00 00 00 00 | 6e 08 91 dc 00 73 06 40 fd 00 00 00 00 00 00 00 | |||
| 00 00 00 00 00 00 00 01 fd 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 01 fd 00 00 00 00 00 00 00 | |||
| skipping to change at page 17, line 22 ¶ | skipping to change at line 675 ¶ | |||
| b4 ac 7b 16 3d 6f cd f2 ff ff ff ff ff ff ff ff | b4 ac 7b 16 3d 6f cd f2 ff ff ff ff ff ff ff ff | |||
| ff ff ff ff ff ff ff ff 00 43 01 04 fd e8 00 b4 | ff ff ff ff ff ff ff ff 00 43 01 04 fd e8 00 b4 | |||
| 01 01 01 79 26 02 06 01 04 00 01 00 01 02 02 80 | 01 01 01 79 26 02 06 01 04 00 01 00 01 02 02 80 | |||
| 00 02 02 02 00 02 02 42 00 02 06 41 04 00 00 fd | 00 02 02 02 00 02 02 42 00 02 06 41 04 00 00 fd | |||
| e8 02 08 40 06 00 64 00 01 01 00 | e8 02 08 40 06 00 64 00 01 01 00 | |||
| MAC: | MAC: | |||
| bf 08 05 fe b4 ac 7b 16 3d 6f cd f2 | bf 08 05 fe b4 ac 7b 16 3d 6f cd f2 | |||
| 6.1.4. Receive (server) non-SYN (covers options) | 6.1.4. Receive (Server) Non-SYN (Covers Options) | |||
| Receive_other_traffic_key: | Receive_other_traffic_key: | |||
| e4 a3 7a da 2a 0a fc a8 71 14 34 91 3f e1 38 c7 | e4 a3 7a da 2a 0a fc a8 71 14 34 91 3f e1 38 c7 | |||
| 71 eb cb 4a | 71 eb cb 4a | |||
| IPv6/TCP: | IPv6/TCP: | |||
| 6e 01 00 9e 00 73 06 40 fd 00 00 00 00 00 00 00 | 6e 01 00 9e 00 73 06 40 fd 00 00 00 00 00 00 00 | |||
| 00 00 00 00 00 00 00 02 fd 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 02 fd 00 00 00 00 00 00 00 | |||
| skipping to change at page 18, line 5 ¶ | skipping to change at line 699 ¶ | |||
| 11 33 5b ab 9a 07 a7 97 ff ff ff ff ff ff ff ff | 11 33 5b ab 9a 07 a7 97 ff ff ff ff ff ff ff ff | |||
| ff ff ff ff ff ff ff ff 00 43 01 04 fd e8 00 b4 | ff ff ff ff ff ff ff ff 00 43 01 04 fd e8 00 b4 | |||
| 01 01 01 7a 26 02 06 01 04 00 01 00 01 02 02 80 | 01 01 01 7a 26 02 06 01 04 00 01 00 01 02 02 80 | |||
| 00 02 02 02 00 02 02 42 00 02 06 41 04 00 00 fd | 00 02 02 02 00 02 02 42 00 02 06 41 04 00 00 fd | |||
| e8 02 08 40 06 00 64 00 01 01 00 | e8 02 08 40 06 00 64 00 01 01 00 | |||
| MAC: | MAC: | |||
| 6c 48 12 5c 11 33 5b ab 9a 07 a7 97 | 6c 48 12 5c 11 33 5b ab 9a 07 a7 97 | |||
| 6.2. HMAC-SHA-1-96 (omits TCP options) | 6.2. HMAC-SHA-1-96 (Omits TCP Options) | |||
| 6.2.1. Send (client) SYN (omits options) | 6.2.1. Send (Client) SYN (Omits Options) | |||
| Client ISN = 0x020c1e69 | Client ISN = 0x020c1e69 | |||
| Send_SYN_traffic_key: | Send_SYN_traffic_key: | |||
| 31 a3 fa f6 9e ff ae 52 93 1b 7f 84 54 67 31 5c | 31 a3 fa f6 9e ff ae 52 93 1b 7f 84 54 67 31 5c | |||
| 27 0a 4e dc | 27 0a 4e dc | |||
| IPv6/TCP: | IPv6/TCP: | |||
| skipping to change at page 18, line 29 ¶ | skipping to change at line 723 ¶ | |||
| 00 00 00 00 00 00 00 01 fd 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 01 fd 00 00 00 00 00 00 00 | |||
| 00 00 00 00 00 00 00 02 c6 cd 00 b3 02 0c 1e 69 | 00 00 00 00 00 00 00 02 c6 cd 00 b3 02 0c 1e 69 | |||
| 00 00 00 00 e0 02 ff ff a4 1a 00 00 02 04 05 a0 | 00 00 00 00 e0 02 ff ff a4 1a 00 00 02 04 05 a0 | |||
| 01 03 03 08 04 02 08 0a 00 9d b9 5b 00 00 00 00 | 01 03 03 08 04 02 08 0a 00 9d b9 5b 00 00 00 00 | |||
| 1d 10 3d 54 88 56 98 b0 53 0e d4 d5 a1 5f 83 46 | 1d 10 3d 54 88 56 98 b0 53 0e d4 d5 a1 5f 83 46 | |||
| MAC: | MAC: | |||
| 88 56 98 b0 53 0e d4 d5 a1 5f 83 46 | 88 56 98 b0 53 0e d4 d5 a1 5f 83 46 | |||
| 6.2.2. Receive (server) SYN-ACK (omits options) | 6.2.2. Receive (Server) SYN-ACK (Omits Options) | |||
| Server ISN = 0xeba3734d | Server ISN = 0xeba3734d | |||
| Receive_SYN_traffic_key: | Receive_SYN_traffic_key: | |||
| 40 51 08 94 7f 99 65 75 e7 bd bc 26 d4 02 16 a2 | 40 51 08 94 7f 99 65 75 e7 bd bc 26 d4 02 16 a2 | |||
| c7 fa 91 bd | c7 fa 91 bd | |||
| IPv6/TCP: | IPv6/TCP: | |||
| skipping to change at page 19, line 9 ¶ | skipping to change at line 745 ¶ | |||
| 00 00 00 00 00 00 00 02 fd 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 02 fd 00 00 00 00 00 00 00 | |||
| 00 00 00 00 00 00 00 01 00 b3 c6 cd eb a3 73 4d | 00 00 00 00 00 00 00 01 00 b3 c6 cd eb a3 73 4d | |||
| 02 0c 1e 6a e0 12 ff ff 77 4d 00 00 02 04 05 a0 | 02 0c 1e 6a e0 12 ff ff 77 4d 00 00 02 04 05 a0 | |||
| 01 03 03 08 04 02 08 0a 5e c9 9b 70 00 9d b9 5b | 01 03 03 08 04 02 08 0a 5e c9 9b 70 00 9d b9 5b | |||
| 1d 10 54 3d 3c 54 6b ad 97 43 f1 2d f8 b8 01 0d | 1d 10 54 3d 3c 54 6b ad 97 43 f1 2d f8 b8 01 0d | |||
| MAC: | MAC: | |||
| 3c 54 6b ad 97 43 f1 2d f8 b8 01 0d | 3c 54 6b ad 97 43 f1 2d f8 b8 01 0d | |||
| 6.2.3. Send (client) non-SYN (omits options) | 6.2.3. Send (Client) Non-SYN (Omits Options) | |||
| Send_other_traffic_key: | Send_other_traffic_key: | |||
| b3 4e ed 6a 93 96 a6 69 f1 c4 f4 f5 76 18 f3 65 | b3 4e ed 6a 93 96 a6 69 f1 c4 f4 f5 76 18 f3 65 | |||
| 6f 52 c7 ab | 6f 52 c7 ab | |||
| IPv6/TCP: | IPv6/TCP: | |||
| 6e 07 8f cd 00 73 06 40 fd 00 00 00 00 00 00 00 | 6e 07 8f cd 00 73 06 40 fd 00 00 00 00 00 00 00 | |||
| 00 00 00 00 00 00 00 01 fd 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 01 fd 00 00 00 00 00 00 00 | |||
| skipping to change at page 19, line 33 ¶ | skipping to change at line 769 ¶ | |||
| 19 24 e0 01 19 2f 5b f0 ff ff ff ff ff ff ff ff | 19 24 e0 01 19 2f 5b f0 ff ff ff ff ff ff ff ff | |||
| ff ff ff ff ff ff ff ff 00 43 01 04 fd e8 00 b4 | ff ff ff ff ff ff ff ff 00 43 01 04 fd e8 00 b4 | |||
| 01 01 01 79 26 02 06 01 04 00 01 00 01 02 02 80 | 01 01 01 79 26 02 06 01 04 00 01 00 01 02 02 80 | |||
| 00 02 02 02 00 02 02 42 00 02 06 41 04 00 00 fd | 00 02 02 02 00 02 02 42 00 02 06 41 04 00 00 fd | |||
| e8 02 08 40 06 00 64 00 01 01 00 | e8 02 08 40 06 00 64 00 01 01 00 | |||
| MAC: | MAC: | |||
| 48 bd 09 3b 19 24 e0 01 19 2f 5b f0 | 48 bd 09 3b 19 24 e0 01 19 2f 5b f0 | |||
| 6.2.4. Receive (server) non-SYN (omits options) | 6.2.4. Receive (Server) Non-SYN (Omits Options) | |||
| Receive_other_traffic_key: | Receive_other_traffic_key: | |||
| 40 51 08 94 7f 99 65 75 e7 bd bc 26 d4 02 16 a2 | 40 51 08 94 7f 99 65 75 e7 bd bc 26 d4 02 16 a2 | |||
| c7 fa 91 bd | c7 fa 91 bd | |||
| IPv6/TCP: | IPv6/TCP: | |||
| 6e 0a 7e 1f 00 73 06 40 fd 00 00 00 00 00 00 00 | 6e 0a 7e 1f 00 73 06 40 fd 00 00 00 00 00 00 00 | |||
| 00 00 00 00 00 00 00 02 fd 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 02 fd 00 00 00 00 00 00 00 | |||
| skipping to change at page 20, line 22 ¶ | skipping to change at line 793 ¶ | |||
| 45 b4 fd e9 8d 9e 13 17 ff ff ff ff ff ff ff ff | 45 b4 fd e9 8d 9e 13 17 ff ff ff ff ff ff ff ff | |||
| ff ff ff ff ff ff ff ff 00 43 01 04 fd e8 00 b4 | ff ff ff ff ff ff ff ff 00 43 01 04 fd e8 00 b4 | |||
| 01 01 01 7a 26 02 06 01 04 00 01 00 01 02 02 80 | 01 01 01 7a 26 02 06 01 04 00 01 00 01 02 02 80 | |||
| 00 02 02 02 00 02 02 42 00 02 06 41 04 00 00 fd | 00 02 02 02 00 02 02 42 00 02 06 41 04 00 00 fd | |||
| e8 02 08 40 06 00 64 00 01 01 00 | e8 02 08 40 06 00 64 00 01 01 00 | |||
| MAC: | MAC: | |||
| 55 9a 81 94 45 b4 fd e9 8d 9e 13 17 | 55 9a 81 94 45 b4 fd e9 8d 9e 13 17 | |||
| 7. IPv6 AES-128 Output Test Vectors | 7. IPv6 AES-128 Output Test Vectors | |||
| The AES-128 KDF and MAC algorithms, KDF_AES_128_CMAC and AES-128- | The AES-128 KDF and MAC algorithms, KDF_AES_128_CMAC and AES-128- | |||
| CMAC-96, are computed as specified for TCP-AO [RFC5926]. | CMAC-96, are computed as specified for TCP-AO [RFC5926]. | |||
| 7.1. AES-128-CMAC-96 (default - covers TCP options) | 7.1. AES-128-CMAC-96 (Default - Covers TCP Options) | |||
| 7.1.1. Send (client) SYN (covers options) | 7.1.1. Send (Client) SYN (Covers Options) | |||
| Client ISN = 0x193cccec | Client ISN = 0x193cccec | |||
| Send_SYN_traffic_key: | Send_SYN_traffic_key: | |||
| fa 5a 21 08 88 2d 39 d0 c7 19 29 17 5a b1 b7 b8 | fa 5a 21 08 88 2d 39 d0 c7 19 29 17 5a b1 b7 b8 | |||
| IP/TCP: | IP/TCP: | |||
| 6e 04 a7 06 00 38 06 40 fd 00 00 00 00 00 00 00 | 6e 04 a7 06 00 38 06 40 fd 00 00 00 00 00 00 00 | |||
| 00 00 00 00 00 00 00 01 fd 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 01 fd 00 00 00 00 00 00 00 | |||
| 00 00 00 00 00 00 00 02 f8 5a 00 b3 19 3c cc ec | 00 00 00 00 00 00 00 02 f8 5a 00 b3 19 3c cc ec | |||
| 00 00 00 00 e0 02 ff ff de 5d 00 00 02 04 05 a0 | 00 00 00 00 e0 02 ff ff de 5d 00 00 02 04 05 a0 | |||
| 01 03 03 08 04 02 08 0a 13 e4 ab 99 00 00 00 00 | 01 03 03 08 04 02 08 0a 13 e4 ab 99 00 00 00 00 | |||
| 1d 10 3d 54 59 b5 88 10 74 81 ac 6d c3 92 70 40 | 1d 10 3d 54 59 b5 88 10 74 81 ac 6d c3 92 70 40 | |||
| MAC: | MAC: | |||
| 59 b5 88 10 74 81 ac 6d c3 92 70 40 | 59 b5 88 10 74 81 ac 6d c3 92 70 40 | |||
| 7.1.2. Receive (server) SYN-ACK (covers options) | 7.1.2. Receive (Server) SYN-ACK (Covers Options) | |||
| Server ISN = 0xa6744ecb | Server ISN = 0xa6744ecb | |||
| Receive_SYN_traffic_key: | Receive_SYN_traffic_key: | |||
| cf 1b 1e 22 5e 06 a6 36 16 76 4a 06 7b 46 f4 b1 | cf 1b 1e 22 5e 06 a6 36 16 76 4a 06 7b 46 f4 b1 | |||
| IPv6/TCP: | IPv6/TCP: | |||
| 6e 06 15 20 00 38 06 40 fd 00 00 00 00 00 00 00 | 6e 06 15 20 00 38 06 40 fd 00 00 00 00 00 00 00 | |||
| 00 00 00 00 00 00 00 02 fd 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 02 fd 00 00 00 00 00 00 00 | |||
| 00 00 00 00 00 00 00 01 00 b3 f8 5a a6 74 4e cb | 00 00 00 00 00 00 00 01 00 b3 f8 5a a6 74 4e cb | |||
| 19 3c cc ed e0 12 ff ff ea bb 00 00 02 04 05 a0 | 19 3c cc ed e0 12 ff ff ea bb 00 00 02 04 05 a0 | |||
| 01 03 03 08 04 02 08 0a 71 da ab c8 13 e4 ab 99 | 01 03 03 08 04 02 08 0a 71 da ab c8 13 e4 ab 99 | |||
| 1d 10 54 3d dc 28 43 a8 4e 78 a6 bc fd c5 ed 80 | 1d 10 54 3d dc 28 43 a8 4e 78 a6 bc fd c5 ed 80 | |||
| MAC: | MAC: | |||
| dc 28 43 a8 4e 78 a6 bc fd c5 ed 80 | dc 28 43 a8 4e 78 a6 bc fd c5 ed 80 | |||
| 7.1.3. Send (client) non-SYN (covers options) | 7.1.3. Send (Client) Non-SYN (Covers Options) | |||
| Send_other_traffic_key: | Send_other_traffic_key: | |||
| 61 74 c3 55 7a be d2 75 74 db a3 71 85 f0 03 00 | 61 74 c3 55 7a be d2 75 74 db a3 71 85 f0 03 00 | |||
| IPv6/TCP: | IPv6/TCP: | |||
| 6e 04 a7 06 00 73 06 40 fd 00 00 00 00 00 00 00 | 6e 04 a7 06 00 73 06 40 fd 00 00 00 00 00 00 00 | |||
| 00 00 00 00 00 00 00 01 fd 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 01 fd 00 00 00 00 00 00 00 | |||
| 00 00 00 00 00 00 00 02 f8 5a 00 b3 19 3c cc ed | 00 00 00 00 00 00 00 02 f8 5a 00 b3 19 3c cc ed | |||
| skipping to change at page 22, line 22 ¶ | skipping to change at line 865 ¶ | |||
| 0d 4f 5f 01 83 5b aa b3 ff ff ff ff ff ff ff ff | 0d 4f 5f 01 83 5b aa b3 ff ff ff ff ff ff ff ff | |||
| ff ff ff ff ff ff ff ff 00 43 01 04 fd e8 00 b4 | ff ff ff ff ff ff ff ff 00 43 01 04 fd e8 00 b4 | |||
| 01 01 01 79 26 02 06 01 04 00 01 00 01 02 02 80 | 01 01 01 79 26 02 06 01 04 00 01 00 01 02 02 80 | |||
| 00 02 02 02 00 02 02 42 00 02 06 41 04 00 00 fd | 00 02 02 02 00 02 02 42 00 02 06 41 04 00 00 fd | |||
| e8 02 08 40 06 00 64 00 01 01 00 | e8 02 08 40 06 00 64 00 01 01 00 | |||
| MAC: | MAC: | |||
| 7b 6a 45 5c 0d 4f 5f 01 83 5b aa b3 | 7b 6a 45 5c 0d 4f 5f 01 83 5b aa b3 | |||
| 7.1.4. Receive (server) non-SYN (covers options) | 7.1.4. Receive (Server) Non-SYN (Covers Options) | |||
| Receive_other_traffic_key: | Receive_other_traffic_key: | |||
| cf 1b 1e 22 5e 06 a6 36 16 76 4a 06 7b 46 f4 b1 | cf 1b 1e 22 5e 06 a6 36 16 76 4a 06 7b 46 f4 b1 | |||
| IPv6/TCP: | IPv6/TCP: | |||
| 6e 06 15 20 00 73 06 40 fd 00 00 00 00 00 00 00 | 6e 06 15 20 00 73 06 40 fd 00 00 00 00 00 00 00 | |||
| 00 00 00 00 00 00 00 02 fd 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 02 fd 00 00 00 00 00 00 00 | |||
| 00 00 00 00 00 00 00 01 00 b3 f8 5a a6 74 4e cc | 00 00 00 00 00 00 00 01 00 b3 f8 5a a6 74 4e cc | |||
| skipping to change at page 23, line 5 ¶ | skipping to change at line 888 ¶ | |||
| fd 3d 69 3a 6d f3 f2 89 ff ff ff ff ff ff ff ff | fd 3d 69 3a 6d f3 f2 89 ff ff ff ff ff ff ff ff | |||
| ff ff ff ff ff ff ff ff 00 43 01 04 fd e8 00 b4 | ff ff ff ff ff ff ff ff 00 43 01 04 fd e8 00 b4 | |||
| 01 01 01 7a 26 02 06 01 04 00 01 00 01 02 02 80 | 01 01 01 7a 26 02 06 01 04 00 01 00 01 02 02 80 | |||
| 00 02 02 02 00 02 02 42 00 02 06 41 04 00 00 fd | 00 02 02 02 00 02 02 42 00 02 06 41 04 00 00 fd | |||
| e8 02 08 40 06 00 64 00 01 01 00 | e8 02 08 40 06 00 64 00 01 01 00 | |||
| MAC: | MAC: | |||
| c1 06 9b 7d fd 3d 69 3a 6d f3 f2 89 | c1 06 9b 7d fd 3d 69 3a 6d f3 f2 89 | |||
| 7.2. AES-128-CMAC-96 (omits TCP options) | 7.2. AES-128-CMAC-96 (Omits TCP Options) | |||
| 7.2.1. Send (client) SYN (omits options) | 7.2.1. Send (Client) SYN (Omits Options) | |||
| Client ISN = 0xb01da74a | Client ISN = 0xb01da74a | |||
| Send_SYN_traffic_key: | Send_SYN_traffic_key: | |||
| a9 4f 51 12 63 e4 09 3d 35 dd 81 8c 13 bb bf 53 | a9 4f 51 12 63 e4 09 3d 35 dd 81 8c 13 bb bf 53 | |||
| IPv6/TCP: | IPv6/TCP: | |||
| 6e 09 3d 76 00 38 06 40 fd 00 00 00 00 00 00 00 | 6e 09 3d 76 00 38 06 40 fd 00 00 00 00 00 00 00 | |||
| 00 00 00 00 00 00 00 01 fd 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 01 fd 00 00 00 00 00 00 00 | |||
| 00 00 00 00 00 00 00 02 f2 88 00 b3 b0 1d a7 4a | 00 00 00 00 00 00 00 02 f2 88 00 b3 b0 1d a7 4a | |||
| 00 00 00 00 e0 02 ff ff 75 ff 00 00 02 04 05 a0 | 00 00 00 00 e0 02 ff ff 75 ff 00 00 02 04 05 a0 | |||
| 01 03 03 08 04 02 08 0a 14 27 5b 3b 00 00 00 00 | 01 03 03 08 04 02 08 0a 14 27 5b 3b 00 00 00 00 | |||
| 1d 10 3d 54 3d 45 b4 34 2d e8 bb 15 30 84 78 98 | 1d 10 3d 54 3d 45 b4 34 2d e8 bb 15 30 84 78 98 | |||
| MAC: | MAC: | |||
| 3d 45 b4 34 2d e8 bb 15 30 84 78 98 | 3d 45 b4 34 2d e8 bb 15 30 84 78 98 | |||
| 7.2.2. Receive (server) SYN-ACK (omits options) | 7.2.2. Receive (Server) SYN-ACK (Omits Options) | |||
| Server ISN = 0xa6246145 | Server ISN = 0xa6246145 | |||
| Receive_SYN_traffic_key: | Receive_SYN_traffic_key: | |||
| 92 de a5 bb c7 8b 1d 9f 5b 29 52 e9 cd 30 64 2a | 92 de a5 bb c7 8b 1d 9f 5b 29 52 e9 cd 30 64 2a | |||
| IPv6/TCP: | IPv6/TCP: | |||
| 6e 0c 60 0a 00 38 06 40 fd 00 00 00 00 00 00 00 | 6e 0c 60 0a 00 38 06 40 fd 00 00 00 00 00 00 00 | |||
| 00 00 00 00 00 00 00 02 fd 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 02 fd 00 00 00 00 00 00 00 | |||
| 00 00 00 00 00 00 00 01 00 b3 f2 88 a6 24 61 45 | 00 00 00 00 00 00 00 01 00 b3 f2 88 a6 24 61 45 | |||
| b0 1d a7 4b e0 12 ff ff a7 0c 00 00 02 04 05 a0 | b0 1d a7 4b e0 12 ff ff a7 0c 00 00 02 04 05 a0 | |||
| 01 03 03 08 04 02 08 0a 17 82 24 5b 14 27 5b 3b | 01 03 03 08 04 02 08 0a 17 82 24 5b 14 27 5b 3b | |||
| 1d 10 54 3d 1d 01 f6 c8 7c 6f 93 ac ff a9 d4 b5 | 1d 10 54 3d 1d 01 f6 c8 7c 6f 93 ac ff a9 d4 b5 | |||
| MAC: | MAC: | |||
| 1d 01 f6 c8 7c 6f 93 ac ff a9 d4 b5 | 1d 01 f6 c8 7c 6f 93 ac ff a9 d4 b5 | |||
| 7.2.3. Send (client) non-SYN (omits options) | 7.2.3. Send (Client) Non-SYN (Omits Options) | |||
| Send_other_traffic_key: | Send_other_traffic_key: | |||
| 4f b2 08 6e 40 2c 67 90 79 ed 65 d4 bf 97 69 3d | 4f b2 08 6e 40 2c 67 90 79 ed 65 d4 bf 97 69 3d | |||
| IPv6/TCP: | IPv6/TCP: | |||
| 6e 09 3d 76 00 73 06 40 fd 00 00 00 00 00 00 00 | 6e 09 3d 76 00 73 06 40 fd 00 00 00 00 00 00 00 | |||
| 00 00 00 00 00 00 00 01 fd 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 01 fd 00 00 00 00 00 00 00 | |||
| 00 00 00 00 00 00 00 02 f2 88 00 b3 b0 1d a7 4b | 00 00 00 00 00 00 00 02 f2 88 00 b3 b0 1d a7 4b | |||
| skipping to change at page 24, line 32 ¶ | skipping to change at line 955 ¶ | |||
| cc b4 7a 33 32 76 e7 f8 ff ff ff ff ff ff ff ff | cc b4 7a 33 32 76 e7 f8 ff ff ff ff ff ff ff ff | |||
| ff ff ff ff ff ff ff ff 00 43 01 04 fd e8 00 b4 | ff ff ff ff ff ff ff ff 00 43 01 04 fd e8 00 b4 | |||
| 01 01 01 79 26 02 06 01 04 00 01 00 01 02 02 80 | 01 01 01 79 26 02 06 01 04 00 01 00 01 02 02 80 | |||
| 00 02 02 02 00 02 02 42 00 02 06 41 04 00 00 fd | 00 02 02 02 00 02 02 42 00 02 06 41 04 00 00 fd | |||
| e8 02 08 40 06 00 64 00 01 01 00 | e8 02 08 40 06 00 64 00 01 01 00 | |||
| MAC: | MAC: | |||
| 29 0c f4 14 cc b4 7a 33 32 76 e7 f8 | 29 0c f4 14 cc b4 7a 33 32 76 e7 f8 | |||
| 7.2.4. Receive (server) non-SYN (omits options) | 7.2.4. Receive (Server) Non-SYN (Omits Options) | |||
| Receive_other_traffic_key: | Receive_other_traffic_key: | |||
| 92 de a5 bb c7 8b 1d 9f 5b 29 52 e9 cd 30 64 2a | 92 de a5 bb c7 8b 1d 9f 5b 29 52 e9 cd 30 64 2a | |||
| IPv6/TCP: | IPv6/TCP: | |||
| 6e 0c 60 0a 00 73 06 40 fd 00 00 00 00 00 00 00 | 6e 0c 60 0a 00 73 06 40 fd 00 00 00 00 00 00 00 | |||
| 00 00 00 00 00 00 00 02 fd 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 02 fd 00 00 00 00 00 00 00 | |||
| 00 00 00 00 00 00 00 01 00 b3 f2 88 a6 24 61 46 | 00 00 00 00 00 00 00 01 00 b3 f2 88 a6 24 61 46 | |||
| skipping to change at page 25, line 22 ¶ | skipping to change at line 978 ¶ | |||
| d5 40 34 99 f6 19 fd 1b ff ff ff ff ff ff ff ff | d5 40 34 99 f6 19 fd 1b ff ff ff ff ff ff ff ff | |||
| ff ff ff ff ff ff ff ff 00 43 01 04 fd e8 00 b4 | ff ff ff ff ff ff ff ff 00 43 01 04 fd e8 00 b4 | |||
| 01 01 01 7a 26 02 06 01 04 00 01 00 01 02 02 80 | 01 01 01 7a 26 02 06 01 04 00 01 00 01 02 02 80 | |||
| 00 02 02 02 00 02 02 42 00 02 06 41 04 00 00 fd | 00 02 02 02 00 02 02 42 00 02 06 41 04 00 00 fd | |||
| e8 02 08 40 06 00 64 00 01 01 00 | e8 02 08 40 06 00 64 00 01 01 00 | |||
| MAC: | MAC: | |||
| 99 51 5f fc d5 40 34 99 f6 19 fd 1b | 99 51 5f fc d5 40 34 99 f6 19 fd 1b | |||
| 8. Observed Implementation Errors | 8. Observed Implementation Errors | |||
| The following is a partial list of implementation errors that this | The following is a partial list of implementation errors that this | |||
| set of test vectors is intended to validate. | set of test vectors is intended to validate. | |||
| 8.1. Algorithm issues | 8.1. Algorithm Issues | |||
| o Underlying implementation of HMAC-SHA-1-96 or AES-128-CMAC-96 | * The underlying implementation of HMAC-SHA-1-96 or AES-128-CMAC-96 | |||
| does not pass their corresponding test vectors [RFC2202] | does not pass their corresponding test vectors [RFC2202] | |||
| [RFC4493] | [RFC4493]. | |||
| o The SNE algorithm does not consider corner cases, possibly | * The SNE algorithm does not consider corner cases, possibly because | |||
| because the pseudocode in [RFC5925] was not intended as complete, | the pseudocode in [RFC5925] was not intended as complete, as | |||
| as discussed in [RFC9187], the latter of which includes its own | discussed in [RFC9187], the latter of which includes its own | |||
| validation sequence. | validation sequence. | |||
| 8.2. Algorithm parameters | 8.2. Algorithm Parameters | |||
| o KDF context length is incorrect, e.g., it does not include TCP | * KDF context length is incorrect, e.g., it does not include TCP | |||
| header length + payload length (it should, per 5.2 of TCP-AO | header length + payload length (it should, per Section 5.2 of | |||
| [RFC5925]) | TCP-AO [RFC5925]). | |||
| o KDF calculation does not start from counter i = 1 (it should, per | * KDF calculation does not start from counter i = 1 (it should, per | |||
| Sec. 3.1.1 of the TCP-AO crypto algorithms [RFC5926]) | Section 3.1.1 of TCP-AO crypto algorithms [RFC5926]). | |||
| o KDF calculation does not include output length in bits, contained | * KDF calculation does not include output length in bits, contained | |||
| in two bytes in network byte order (it should, per Sec. 3.1.1 of | in two bytes in network byte order (it should, per Section 3.1.1 | |||
| the TCP-AO crypto algorithms [RFC5926]) | of the TCP-AO crypto algorithms [RFC5926]). | |||
| o KDF uses keys generated from current TCP segment sequence numbers | * KDF uses keys generated from current TCP segment sequence numbers | |||
| (KDF should use only local and remote ISNs or zero, as indicated | (KDF should use only local and remote ISNs or zero, as indicated | |||
| in Sec. 5.2 of TCP-AO [RFC5925]) | in Section 5.2 of TCP-AO [RFC5925]). | |||
| 8.3. String handling issues | 8.3. String Handling Issues | |||
| The strings indicated in TCP-AO and its algorithms are indicated as | The strings indicated in TCP-AO and its algorithms are indicated as a | |||
| a sequence of bytes of known length. In some implementations, string | sequence of bytes of known length. In some implementations, string | |||
| lengths are indicated by a terminal value (e.g., zero in C). This | lengths are indicated by a terminal value (e.g., zero in C). This | |||
| terminal value is not included as part of the string for | terminal value is not included as part of the string for | |||
| calculations. | calculations. | |||
| o Password includes the last zero-byte (it should not) | * The password includes the last zero-byte (it should not). | |||
| o Label "TCP-AO" includes the last zero byte (it should not) | * The label "TCP-AO" includes the last zero byte (it should not). | |||
| 8.4. Header coverage issues | 8.4. Header Coverage Issues | |||
| o TCP checksum and/or MAC is not zeroed properly before calculation | * TCP checksum and/or MAC is not zeroed properly before calculation | |||
| (both should be) | (both should be). | |||
| o TCP header is not included in the MAC calculation (it should be) | * TCP header is not included in the MAC calculation (it should be). | |||
| o TCP options are not included in the MAC calculation by default. | * TCP options are not included in the MAC calculation by default. | |||
| There is a separate parameter in the Master Key Tuple (MKT) | There is a separate parameter in the Master Key Tuple (MKT) [RFC5925] | |||
| [RFC5925] to ignore options; this document provides test vectors for | to ignore options; this document provides test vectors for both | |||
| both options-included and options-excluded cases. | options-included and options-excluded cases. | |||
| 9. Security Considerations | 9. Security Considerations | |||
| This document is intended to assist in the validation of | This document is intended to assist in the validation of | |||
| implementations of TCP-AO, to further enable its more widespread use | implementations of TCP-AO to further enable its more widespread use | |||
| as a security mechanism to authenticate not only TCP payload | as a security mechanism to authenticate not only TCP payload contents | |||
| contents but the TCP headers and protocol. | but the TCP headers and protocol. | |||
| The Master_Key of "testvector" used here for test vector generation | The Master_Key of "testvector" used here for test vector generation | |||
| SHOULD NOT be used operationally. | SHOULD NOT be used operationally. | |||
| 10. IANA Considerations | 10. IANA Considerations | |||
| This document contains no IANA issues. This section should be | This document has no IANA actions. | |||
| removed upon publication as an RFC. | ||||
| 11. References | 11. References | |||
| 11.1. Normative References | 11.1. Normative References | |||
| [RFC791] Postel, J., "Internet Protocol," RFC 791, Sept. 1981. | [RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, | |||
| DOI 10.17487/RFC0791, September 1981, | ||||
| <https://www.rfc-editor.org/info/rfc791>. | ||||
| [RFC793] Postel, J., "Transmission Control Protocol," RFC 793, | [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, | |||
| September 1981. | RFC 793, DOI 10.17487/RFC0793, September 1981, | |||
| <https://www.rfc-editor.org/info/rfc793>. | ||||
| [RFC2018] Mathis, M., J. Mahdavi, S. Floyd, A. Romanow, "TCP | [RFC2018] Mathis, M., Mahdavi, J., Floyd, S., and A. Romanow, "TCP | |||
| Selective Acknowledgment Options," RFC 2018, Oct. 1996. | Selective Acknowledgment Options", RFC 2018, | |||
| DOI 10.17487/RFC2018, October 1996, | ||||
| <https://www.rfc-editor.org/info/rfc2018>. | ||||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels," BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | ||||
| <https://www.rfc-editor.org/info/rfc2119>. | ||||
| [RFC5925] Touch, J., A. Mankin, R. Bonica, "The TCP Authentication | [RFC5925] Touch, J., Mankin, A., and R. Bonica, "The TCP | |||
| Option," RFC 5925, June 2010. | Authentication Option", RFC 5925, DOI 10.17487/RFC5925, | |||
| June 2010, <https://www.rfc-editor.org/info/rfc5925>. | ||||
| [RFC5926] Lebovitz, G., and E. Rescorla, "Cryptographic Algorithms | [RFC5926] Lebovitz, G. and E. Rescorla, "Cryptographic Algorithms | |||
| for the TCP Authentication Option (TCP-AO)," RFC 5926, | for the TCP Authentication Option (TCP-AO)", RFC 5926, | |||
| June 2010. | DOI 10.17487/RFC5926, June 2010, | |||
| <https://www.rfc-editor.org/info/rfc5926>. | ||||
| [RFC6978] Touch, J., "A TCP Authentication Option Extension for NAT | [RFC6978] Touch, J., "A TCP Authentication Option Extension for NAT | |||
| Traversal," RFC 6978, July 2013. | Traversal", RFC 6978, DOI 10.17487/RFC6978, July 2013, | |||
| <https://www.rfc-editor.org/info/rfc6978>. | ||||
| [RFC7323] Borman, D., B. Braden, V. Jacobson, R. Scheffenegger, Ed., | [RFC7323] Borman, D., Braden, B., Jacobson, V., and R. | |||
| "TCP Extensions for High Performance," RFC 7323, Sept. | Scheffenegger, Ed., "TCP Extensions for High Performance", | |||
| 2014. | RFC 7323, DOI 10.17487/RFC7323, September 2014, | |||
| <https://www.rfc-editor.org/info/rfc7323>. | ||||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
| 2119 Key Words," RFC 8174, May 2017. | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
| May 2017, <https://www.rfc-editor.org/info/rfc8174>. | ||||
| [RFC8200] Deering, S., R. Hinden, "Internet Protocol Version 6 | [RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6 | |||
| (IPv6) Specification," RFC 8200, Jul. 2017. | (IPv6) Specification", STD 86, RFC 8200, | |||
| DOI 10.17487/RFC8200, July 2017, | ||||
| <https://www.rfc-editor.org/info/rfc8200>. | ||||
| 11.2. Informative References | 11.2. Informative References | |||
| [RFC2202] Cheng, P., and R. Glenn, "Test Cases for HMAC-MD5 and | [RFC2202] Cheng, P. and R. Glenn, "Test Cases for HMAC-MD5 and HMAC- | |||
| HMAC-SHA-1," RFC 2202, Sept. 1997. | SHA-1", RFC 2202, DOI 10.17487/RFC2202, September 1997, | |||
| <https://www.rfc-editor.org/info/rfc2202>. | ||||
| [RFC4493] Song, JH, R. Poovendran, J. Lee, T. Iwata, "The AES-CMAC | [RFC4493] Song, JH., Poovendran, R., Lee, J., and T. Iwata, "The | |||
| Algorithm," RFC 4493, June 2006. | AES-CMAC Algorithm", RFC 4493, DOI 10.17487/RFC4493, June | |||
| 2006, <https://www.rfc-editor.org/info/rfc4493>. | ||||
| [RFC9187] Touch, J., "Sequence Number Extension for Windowed | [RFC9187] Touch, J., "Sequence Number Extension for Windowed | |||
| Protocols," RFC 9187, Jan. 2022. | Protocols", RFC 9187, DOI 10.17487/RFC9187, January 2022, | |||
| <https://www.rfc-editor.org/info/rfc9187>. | ||||
| 12. Acknowledgments | Acknowledgments | |||
| This document was prepared using 2-Word-v2.0.template.dot. | This work benefited from feedback from Russ Housley and Michael | |||
| Scharf as well as discussions on the IETF TCPM email list and with | ||||
| the IESG. | ||||
| This document was initially prepared using 2-Word-v2.0.template.dot. | ||||
| Authors' Addresses | Authors' Addresses | |||
| Joe Touch | Joe Touch | |||
| Manhattan Beach, CA 90266 USA | Manhattan Beach, CA 90266 | |||
| United States of America | ||||
| Phone: +1 (310) 560-0334 | Phone: +1 (310) 560-0334 | |||
| Email: touch@strayalpha.com | Email: touch@strayalpha.com | |||
| Juhamatti Kuusisaari | Juhamatti Kuusisaari | |||
| Infinera Corporation | Infinera Corporation | |||
| Sinimaentie 6c | Sinimaentie 6c | |||
| FI-02630 Espoo, Finland | FI-02630 Espoo | |||
| Finland | ||||
| Email: jkuusisaari@infinera.com | Email: jkuusisaari@infinera.com | |||
| End of changes. 125 change blocks. | ||||
| 265 lines changed or deleted | 286 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||