rfc9235xml2.original.xml   rfc9235.xml 
<?xml version='1.0' encoding='utf-8'?> <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [ <!DOCTYPE rfc [
<!ENTITY RFC0791 SYSTEM "https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RF <!ENTITY nbsp "&#160;">
C.0791.xml"> <!ENTITY zwsp "&#8203;">
<!ENTITY RFC0793 SYSTEM "https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RF <!ENTITY nbhy "&#8209;">
C.0793.xml"> <!ENTITY wj "&#8288;">
<!ENTITY RFC2018 SYSTEM "https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RF
C.2018.xml">
<!ENTITY RFC2119 SYSTEM "https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RF
C.2119.xml">
<!ENTITY RFC5925 SYSTEM "https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RF
C.5925.xml">
<!ENTITY RFC5926 SYSTEM "https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RF
C.5926.xml">
<!ENTITY RFC6978 SYSTEM "https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RF
C.6978.xml">
<!ENTITY RFC7323 SYSTEM "https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RF
C.7323.xml">
<!ENTITY RFC8174 SYSTEM "https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RF
C.8174.xml">
<!ENTITY RFC8200 SYSTEM "https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RF
C.8200.xml">
<!ENTITY RFC2202 SYSTEM "https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RF
C.2202.xml">
<!ENTITY RFC4493 SYSTEM "https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RF
C.4493.xml">
<!ENTITY RFC9187 SYSTEM "https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RF
C.9187.xml">
]> ]>
<rfc submissionType="IETF" docName="draft-ietf-tcpm-ao-test-vectors-09" category
="info" ipr="trust200902">
<!-- Generated by id2xml 1.5.0 on 2022-03-28T23:00:23Z -->
<?rfc strict="yes"?>
<?rfc compact="yes"?>
<?rfc subcompact="no"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="no"?>
<?rfc text-list-symbols="o*+-"?>
<?rfc toc="yes"?>
<front>
<title>TCP-AO Test Vectors</title>
<author initials="J." surname="Touch" fullname="Joe Touch">
<organization abbrev="Independent consultant"></organization>
<address><postal>
<street></street>
<city>Manhattan Beach</city>
<region>CA</region>
<code>90266</code>
<country>USA</country>
</postal>
<phone>+1 (310) 560-0334</phone>
<email>touch@strayalpha.com</email>
</address>
</author>
<author initials="J." surname="Kuusisaari" fullname="Juhamatti Kuusisaari <rfc xmlns:xi="http://www.w3.org/2001/XInclude" docName="draft-ietf-tcpm-ao-test
"> -vectors-09" number="9235" submissionType="IETF" category="info" consensus="true
<organization abbrev="Infinera">Infinera Corporation</organization> " ipr="trust200902" obsoletes=""
<address><postal><street>Sinimaentie 6c</street> updates="" xml:lang="en" symRefs="true" sortRefs="true" tocInclude="true" versio
<city>Espoo</city> n="3">
<code>FI-02630</code>
<country>Finland</country>
</postal>
<email>jkuusisaari@infinera.com</email>
</address>
</author>
<date year="2022" month="March"/> <!-- xml2rfc v2v3 conversion 3.12.2 -->
<workgroup>TCPM</workgroup> <!-- Generated by id2xml 1.5.0 on 2022-03-28T23:00:23Z -->
<front>
<!-- [rfced] Please insert any keywords (beyond those that appear in the title) <title abbrev="TCP-AO Test Vectors">TCP Authentication Option (TCP-AO) Test
for use on https://www.rfc-editor.org/search. --> Vectors</title>
<seriesInfo name="RFC" value="9235"/>
<author initials="J." surname="Touch" fullname="Joe Touch">
<organization abbrev="Independent Consultant"/>
<address>
<postal>
<street/>
<city>Manhattan Beach</city>
<region>CA</region>
<code>90266</code>
<country>United States of America</country>
</postal>
<phone>+1 (310) 560-0334</phone>
<email>touch@strayalpha.com</email>
</address>
</author>
<author initials="J." surname="Kuusisaari" fullname="Juhamatti Kuusisaari">
<organization abbrev="Infinera">Infinera Corporation</organization>
<address>
<postal>
<street>Sinimaentie 6c</street>
<city>Espoo</city>
<code>02630</code>
<country>Finland</country>
</postal>
<email>jkuusisaari@infinera.com</email>
</address>
</author>
<date year="2022" month="May"/>
<area>TSV</area>
<workgroup>TCPM</workgroup>
<keyword>example</keyword> <keyword>TCP</keyword>
<keyword>authentication</keyword>
<keyword>option</keyword>
<keyword>test vector</keyword>
<abstract><t> <abstract>
<t>
This document provides test vectors to validate implementations of This document provides test vectors to validate implementations of
the two mandatory authentication algorithms specified for the TCP the two mandatory authentication algorithms specified for the TCP
Authentication Option over both IPv4 and IPv6. This includes Authentication Option over both IPv4 and IPv6. This includes
validation of the key derivation function (KDF) based on a set of validation of the key derivation function (KDF) based on a set of
test connection parameters as well as validation of the message test connection parameters as well as validation of the message
authentication code (MAC). Vectors are provided for both currently authentication code (MAC). Vectors are provided for both currently
required pairs of KDF and MAC algorithms: KDF_HMAC_SHA1 and HMAC- required pairs of KDF and MAC algorithms: KDF_HMAC_SHA1 and HMAC-
SHA-1-96, and KDF_AES_128_CMAC and AES-128-CMAC-96. The vectors also SHA-1-96, and KDF_AES_128_CMAC and AES-128-CMAC-96. The vectors also
validate both whole TCP segments as well as segments whose options validate both whole TCP segments as well as segments whose options
are excluded for middlebox traversal.</t> are excluded for middlebox traversal.</t>
</abstract>
</abstract> </front>
</front> <middle>
<section anchor="sect-1" numbered="true" toc="default">
<middle> <name>Introduction</name>
<section title="Introduction" anchor="sect-1"><t> <t>
This document provides test vectors to validate the correct This document provides test vectors to validate the correct
implementation of the TCP Authentication Option (TCP-AO) <xref target="RFC592 implementation of the TCP Authentication Option (TCP-AO) <xref target="RFC592
5"/> 5" format="default"/>
and its mandatory cryptographic algorithms defined in <xref target="RFC5926"/ and its mandatory cryptographic algorithms defined in <xref target="RFC5926"
>. It format="default"/>. It
includes the specification of all endpoint parameters to generate includes the specification of all endpoint parameters to generate
the variety of TCP segments covered by different keys and MAC the variety of TCP segments covered by different keys and MAC
coverage, i.e., both the default case and the variant where TCP coverage, i.e., both the default case and the variant where TCP
options are ignored for middlebox traversal. It also includes both options are ignored for middlebox traversal. It also includes both
default key derivation functions (KDFs) and MAC generation default key derivation functions (KDFs) and MAC generation
algorithms <xref target="RFC5926"/> and lists common pitfalls of implementing the algorithms <xref target="RFC5926" format="default"/> and lists common pitfall s of implementing the
algorithms correctly.</t> algorithms correctly.</t>
<t>
<t> The experimental extension to support NAT traversal <xref target="RFC6978" fo
The experimental extension to support NAT traversal <xref target="RFC6978"/> rmat="default"/> is not
is not
included in the provided test vectors.</t> included in the provided test vectors.</t>
<t>
<t>
This document provides test vectors from multiple implementations This document provides test vectors from multiple implementations
that have been validated against each other for interoperability.</t> that have been validated against each other for interoperability.</t>
</section>
</section> <section anchor="sect-2" numbered="true" toc="default">
<name>Conventions Used in This Document</name>
<section title="Conventions used in this document" anchor="sect-2"><t> <t>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQU
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and IRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
"OPTIONAL" in this document are to be interpreted as described in NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>
BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
they appear in all "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to
capitals, as shown here.</t> be interpreted as
described in BCP&nbsp;14 <xref target="RFC2119"/> <xref target="RFC8174"/>
</section> when, and only when, they appear in all capitals, as shown here.
</t>
<section title="Input Test Vectors" anchor="sect-3"><section title="TCP C </section>
onnection Parameters" anchor="sect-3.1"><t> <section anchor="sect-3" numbered="true" toc="default">
<name>Input Test Vectors</name>
<section anchor="sect-3.1" numbered="true" toc="default">
<name>TCP Connection Parameters</name>
<t>
The following parameters are used throughout this suite of test The following parameters are used throughout this suite of test
vectors. The terms 'active' and 'passive' are used as defined for vectors. The terms 'active' and 'passive' are used as defined for
TCP <xref target="RFC0793"/>.</t> TCP <xref target="RFC0793" format="default"/>.</t>
<section anchor="sect-3.1.1" numbered="true" toc="default">
<section title="TCP-AO parameters" anchor="sect-3.1.1"><t> <name>TCP-AO Parameters</name>
<t>
The following values are used for all exchanges. This suite does not The following values are used for all exchanges. This suite does not
test key switchover. The KeyIDs are as indicated for TCP-AO test key switchover. The KeyIDs are as indicated for TCP-AO
<xref target="RFC5925"/>. The Master_Key is used to derive the traffic keys <xref target="RFC5925" format="default"/>. The Master_Key is used to derive t
<xref target="RFC5926"/>. he traffic keys
<xref target="RFC5926" format="default"/>.
<list>
<t>Active (client) side KeyID: 61 decimal (0x3d hexadecimal)</t>
<t>Passive (server) side KeyID: 84 decimal (0x54 hexadecimal)</t>
<t>Master_Key: "testvector" (length = 10 bytes)</t>
</list>
</t>
</section>
<section title="Active (client) side parameters" anchor="sect-3.1.2"><t> </t>
<ul empty="true" spacing="normal">
<li>Active (client) side KeyID: 61 decimal (0x3d hexadecimal)</li>
<li>Passive (server) side KeyID: 84 decimal (0x54 hexadecimal)</li>
<li>Master_Key: "testvector" (length = 10 bytes)</li>
</ul>
</section>
<section anchor="sect-3.1.2" numbered="true" toc="default">
<name>Active (Client) Side Parameters</name>
<t>
The following endpoint parameters are used on the active side of the The following endpoint parameters are used on the active side of the
TCP connection, i.e., the side that initiates the TCP SYN. TCP connection, i.e., the side that initiates the TCP SYN.
<list> </t>
<ul empty="true" spacing="normal">
<t>For IPv4: 10.11.12.13 (dotted decimal)</t> <li>For IPv4: 10.11.12.13 (dotted decimal)</li>
<li>For IPv6: fd00::1 (IPv6 hexadecimal) </li>
<t>For IPv6: fd00::1 (IPv6 hexadecimal) </t> <li>TCP port: (varies) </li>
</ul>
<t>TCP port: (varies) </t> </section>
<section anchor="sect-3.1.3" numbered="true" toc="default">
</list> <name>Passive (Server) Side Parameters</name>
</t> <t>
</section>
<section title="Passive (server) side parameters" anchor="sect-3.1.3"><t>
The following endpoint parameters are used for the passive side of The following endpoint parameters are used for the passive side of
the TCP connection, i.e., the side that responds with a TCP SYN-ACK. the TCP connection, i.e., the side that responds with a TCP SYN-ACK.
<list> </t>
<ul empty="true" spacing="normal">
<t>For IPv4: 172.27.28.29 (dotted decimal)</t> <li>For IPv4: 172.27.28.29 (dotted decimal)</li>
<li>For IPv6: fd00::2 (IPv6 hexadecimal)</li>
<t>For IPv6: fd00::2 (IPv6 hexadecimal)</t> <li>TCP port = 179 decimal (BGP)</li>
</ul>
<t>TCP port = 179 decimal (BGP)</t> </section>
<section anchor="sect-3.1.4" numbered="true" toc="default">
</list> <name>Other IP Fields and Options</name>
</t> <t>
No IP options are used in these test vectors.</t>
</section> <t>
All IPv4 packets use the following other parameters <xref target="RFC0791"/>:
<section title="Other IP fields and options" anchor="sect-3.1.4"><t> Differentiated Services Code Point (DSCP) = 111000 binary (CS7) as is
No IP options are used in these test vectors.</t> typical for BGP, Explicit Congestion Notification (ECN) = 00 binary,
set the Don't Fragment (DF) bit, and clear the More Fragments (MF) bit.
<t> </t>
All IPv4 packets use the following other parameters <xref target="RFC0791"/>: <t>
DSCP =
111000 binary (CS7) as is typical for BGP, ECN = 00 binary, set DF,
and clear MF.</t>
<t>
IPv4 uses a TTL of 255 decimal; IPv6 uses a hop limit of 255 IPv4 uses a TTL of 255 decimal; IPv6 uses a hop limit of 255
decimal.</t> decimal.</t>
<t>
<t> All IPv6 packets use the following other parameters <xref target="RFC8200" fo
All IPv6 packets use the following other parameters <xref target="RFC8200"/>: rmat="default"/>:
traffic class = 0xe0 hexadecimal (DSCP = 111000 binary CS7, as is traffic class = 0xe0 hexadecimal (DSCP = 111000 binary CS7, as is
typical for BGP, with ECN = 00 binary) and no EHs.</t> typical for BGP, with ECN = 00 binary) and no Extension Headers (EHs).</t>
</section>
</section> <section anchor="sect-3.1.5" numbered="true" toc="default">
<name>Other TCP Fields and Options</name>
<section title="Other TCP fields and options" anchor="sect-3.1.5"><t> <t>
The SYN and SYN-ACK segments include MSS <xref target="RFC0793"/>, NOP, Windo The SYN and SYN-ACK segments include Maximum Segment Size (MSS) <xref target=
wScale "RFC0793" format="default"/>, No Operation (NOP), Window Scale
<xref target="RFC7323"/>, SACK Permitted <xref target="RFC2018"/>, TimeStamp <xref target="RFC7323" format="default"/>, Selective Acknowledgment (SACK) pe
<xref target="RFC7323"/>, and TCP-AO rmitted <xref target="RFC2018" format="default"/>, Timestamp <xref target="RFC73
<xref target="RFC5925"/>, in that order.</t> 23" format="default"/>, and TCP-AO
<xref target="RFC5925" format="default"/>, in that order.</t>
<t> <t>
All other example segments include NOP, NOP, TimeStamp, and TCP-AO, All other example segments include NOP, NOP, Timestamp, and TCP-AO,
in that order.</t> in that order.</t>
<t>
<t> All segment urgent (URG) pointers are zero <xref target="RFC0793" format="def
All segment URG pointers are zero <xref target="RFC0793"/>. All segments with ault"/>. All segments with data
data set the push (PSH) flag <xref target="RFC0793" format="default"/>.</t>
set the PSH flag <xref target="RFC0793"/>.</t> <t>
<t>
Each TCP connection below uses the Initial Sequence Numbers (ISNs) Each TCP connection below uses the Initial Sequence Numbers (ISNs)
as indicated at the front of each corresponding section.</t> as indicated at the front of each corresponding section.</t>
</section>
</section> </section>
</section>
</section> <section anchor="sect-4" numbered="true" toc="default">
<name>IPv4 SHA-1 Output Test Vectors</name>
</section> <t>
<section title="IPv4 SHA-1 Output Test Vectors" anchor="sect-4"><t>
The SHA-1 KDF and MAC algorithms, KDF_HMAC_SHA1 and HMAC-SHA-1-96, The SHA-1 KDF and MAC algorithms, KDF_HMAC_SHA1 and HMAC-SHA-1-96,
are computed as specified for TCP-AO <xref target="RFC5926"/>.</t> are computed as specified for TCP-AO <xref target="RFC5926" format="default"/
>.</t>
<t> <t>
In the following sections, all values are indicated as 2-digit In the following sections, all values are indicated as 2-digit
hexadecimal values with spacing per line representing the contents hexadecimal values with spacing per line representing the contents
of 16 consecutive bytes, as is typical for data dumps. The IP/TCP of 16 consecutive bytes, as is typical for data dumps. The IP/TCP
data indicates the entire IP packet, including the TCP segment and data indicates the entire IP packet, including the TCP segment and
its options (whether covered by TCP-AO or not, as indicated), its options (whether covered by TCP-AO or not, as indicated),
including TCP-AO.</t> including TCP-AO.</t>
<section anchor="sect-4.1" numbered="true" toc="default">
<name>HMAC-SHA-1-96 (Default - Covers TCP Options)</name>
<section anchor="sect-4.1.1" numbered="true" toc="default">
<name>Send (Client) SYN (Covers Options)</name>
<section title="HMAC-SHA-1-96 (default - covers TCP options)" anchor="sect-4. <sourcecode type="tcp-ao-test-vectors"><![CDATA[
1"><section title="Send (client) SYN (covers options)" anchor="sect-4.1.1"> Client ISN = 0xfbfbab5a
<figure><artwork><![CDATA[
Client ISN = 0xfbfbab5a
Send_SYN_traffic_key:
6d 63 ef 1b 02 fe 15 09 d4 b1 40 27 07 fd 7b 04
16 ab b7 4f
IPv4/TCP:
45 e0 00 4c dd 0f 40 00 ff 06 bf 6b 0a 0b 0c 0d
ac 1b 1c 1d e9 d7 00 b3 fb fb ab 5a 00 00 00 00
e0 02 ff ff ca c4 00 00 02 04 05 b4 01 03 03 08
04 02 08 0a 00 15 5a b7 00 00 00 00 1d 10 3d 54
2e e4 37 c6 f8 ed e6 d7 c4 d6 02 e7
MAC:
2e e4 37 c6 f8 ed e6 d7 c4 d6 02 e7
]]></artwork></figure>
</section>
<section title="Receive (server) SYN-ACK (covers options)" anchor="sect-4
.1.2">
<figure><artwork><![CDATA[
Server ISN = 0x11c14261
Receive_SYN_traffic_key:
d9 e2 17 e4 83 4a 80 ca 2f 3f d8 de 2e 41 b8 e6
79 7f ea 96
IPv4/TCP:
45 e0 00 4c 65 06 40 00 ff 06 37 75 ac 1b 1c 1d
0a 0b 0c 0d 00 b3 e9 d7 11 c1 42 61 fb fb ab 5b
e0 12 ff ff 37 76 00 00 02 04 05 b4 01 03 03 08
04 02 08 0a 84 a5 0b eb 00 15 5a b7 1d 10 54 3d
ee ab 0f e2 4c 30 10 81 51 16 b3 be
MAC:
ee ab 0f e2 4c 30 10 81 51 16 b3 be
]]></artwork></figure>
</section>
<section title="Send (client) non-SYN (covers options)" anchor="sect-4.1.
3">
<figure><artwork><![CDATA[
Send_other_traffic_key:
d2 e5 9c 65 ff c7 b1 a3 93 47 65 64 63 b7 0e dc
24 a1 3d 71
IPv4/TCP:
45 e0 00 87 36 a1 40 00 ff 06 65 9f 0a 0b 0c 0d
ac 1b 1c 1d e9 d7 00 b3 fb fb ab 5b 11 c1 42 62
c0 18 01 04 a1 62 00 00 01 01 08 0a 00 15 5a c1
84 a5 0b eb 1d 10 3d 54 70 64 cf 99 8c c6 c3 15
c2 c2 e2 bf ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff 00 43 01 04 da bf 00 b4 0a 0b 0c 0d
26 02 06 01 04 00 01 00 01 02 02 80 00 02 02 02
00 02 02 42 00 02 06 41 04 00 00 da bf 02 08 40
06 00 64 00 01 01 00
MAC:
70 64 cf 99 8c c6 c3 15 c2 c2 e2 bf
]]></artwork></figure>
</section>
<section title="Receive (server) non-SYN (covers options)" anchor="sect-4
.1.4">
<figure><artwork><![CDATA[
Receive_other_traffic_key:
d9 e2 17 e4 83 4a 80 ca 2f 3f d8 de 2e 41 b8 e6
79 7f ea 96
IPv4/TCP: Send_SYN_traffic_key:
45 e0 00 87 1f a9 40 00 ff 06 7c 97 ac 1b 1c 1d 6d 63 ef 1b 02 fe 15 09 d4 b1 40 27 07 fd 7b 04
0a 0b 0c 0d 00 b3 e9 d7 11 c1 42 62 fb fb ab 9e 16 ab b7 4f
c0 18 01 00 40 0c 00 00 01 01 08 0a 84 a5 0b f5
00 15 5a c1 1d 10 54 3d a6 3f 0e cb bb 2e 63 5c
95 4d ea c7 ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff 00 43 01 04 da c0 00 b4 ac 1b 1c 1d
26 02 06 01 04 00 01 00 01 02 02 80 00 02 02 02
00 02 02 42 00 02 06 41 04 00 00 da c0 02 08 40
06 00 64 00 01 01 00
MAC: IPv4/TCP:
a6 3f 0e cb bb 2e 63 5c 95 4d ea c7 45 e0 00 4c dd 0f 40 00 ff 06 bf 6b 0a 0b 0c 0d
]]></artwork></figure> ac 1b 1c 1d e9 d7 00 b3 fb fb ab 5a 00 00 00 00
e0 02 ff ff ca c4 00 00 02 04 05 b4 01 03 03 08
04 02 08 0a 00 15 5a b7 00 00 00 00 1d 10 3d 54
2e e4 37 c6 f8 ed e6 d7 c4 d6 02 e7
</section> MAC:
</section> 2e e4 37 c6 f8 ed e6 d7 c4 d6 02 e7
]]></sourcecode>
</section>
<section anchor="sect-4.1.2" numbered="true" toc="default">
<name>Receive (Server) SYN-ACK (Covers Options)</name>
<sourcecode type="tcp-ao-test-vectors"><![CDATA[
Server ISN = 0x11c14261
<section title="HMAC-SHA-1-96 (omits TCP options)" anchor="sect-4.2"><sec tion title="Send (client) SYN (omits options)" anchor="sect-4.2.1"> Receive_SYN_traffic_key:
<figure><artwork><![CDATA[ d9 e2 17 e4 83 4a 80 ca 2f 3f d8 de 2e 41 b8 e6
Client ISN = 0xcb0efbee 79 7f ea 96
Send_SYN_traffic_key: IPv4/TCP:
30 ea a1 56 0c f0 be 57 da b5 c0 45 22 9f b1 0a 45 e0 00 4c 65 06 40 00 ff 06 37 75 ac 1b 1c 1d
42 3c d7 ea 0a 0b 0c 0d 00 b3 e9 d7 11 c1 42 61 fb fb ab 5b
e0 12 ff ff 37 76 00 00 02 04 05 b4 01 03 03 08
04 02 08 0a 84 a5 0b eb 00 15 5a b7 1d 10 54 3d
ee ab 0f e2 4c 30 10 81 51 16 b3 be
IPv4/TCP: MAC:
45 e0 00 4c 53 99 40 00 ff 06 48 e2 0a 0b 0c 0d ee ab 0f e2 4c 30 10 81 51 16 b3 be
ac 1b 1c 1d ff 12 00 b3 cb 0e fb ee 00 00 00 00 ]]></sourcecode>
e0 02 ff ff 54 1f 00 00 02 04 05 b4 01 03 03 08 </section>
04 02 08 0a 00 02 4c ce 00 00 00 00 1d 10 3d 54 <section anchor="sect-4.1.3" numbered="true" toc="default">
80 af 3c fe b8 53 68 93 7b 8f 9e c2 <name>Send (Client) Non-SYN (Covers Options)</name>
<sourcecode type="tcp-ao-test-vectors"><![CDATA[
Send_other_traffic_key:
MAC: d2 e5 9c 65 ff c7 b1 a3 93 47 65 64 63 b7 0e dc
24 a1 3d 71
80 af 3c fe b8 53 68 93 7b 8f 9e c2 IPv4/TCP:
]]></artwork></figure>
</section> 45 e0 00 87 36 a1 40 00 ff 06 65 9f 0a 0b 0c 0d
ac 1b 1c 1d e9 d7 00 b3 fb fb ab 5b 11 c1 42 62
c0 18 01 04 a1 62 00 00 01 01 08 0a 00 15 5a c1
84 a5 0b eb 1d 10 3d 54 70 64 cf 99 8c c6 c3 15
c2 c2 e2 bf ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff 00 43 01 04 da bf 00 b4 0a 0b 0c 0d
26 02 06 01 04 00 01 00 01 02 02 80 00 02 02 02
00 02 02 42 00 02 06 41 04 00 00 da bf 02 08 40
06 00 64 00 01 01 00
<section title="Receive (server) SYN-ACK (omits options)" anchor="sect-4. 2.2"> MAC:
<figure><artwork><![CDATA[ 70 64 cf 99 8c c6 c3 15 c2 c2 e2 bf
Server ISN = 0xacd5b5e1 ]]></sourcecode>
</section>
<section anchor="sect-4.1.4" numbered="true" toc="default">
<name>Receive (Server) Non-SYN (Covers Options)</name>
<sourcecode type="tcp-ao-test-vectors"><![CDATA[
Receive_other_traffic_key:
Receive_SYN_traffic_key: d9 e2 17 e4 83 4a 80 ca 2f 3f d8 de 2e 41 b8 e6
79 7f ea 96
b5 b2 89 6b b3 66 4e 81 76 b0 ed c6 e7 99 52 41a IPv4/TCP:
01 a8 30 7f
IPv4/TCP: 45 e0 00 87 1f a9 40 00 ff 06 7c 97 ac 1b 1c 1d
0a 0b 0c 0d 00 b3 e9 d7 11 c1 42 62 fb fb ab 9e
c0 18 01 00 40 0c 00 00 01 01 08 0a 84 a5 0b f5
00 15 5a c1 1d 10 54 3d a6 3f 0e cb bb 2e 63 5c
95 4d ea c7 ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff 00 43 01 04 da c0 00 b4 ac 1b 1c 1d
26 02 06 01 04 00 01 00 01 02 02 80 00 02 02 02
00 02 02 42 00 02 06 41 04 00 00 da c0 02 08 40
06 00 64 00 01 01 00
45 e0 00 4c 32 84 40 00 ff 06 69 f7 ac 1b 1c 1d MAC:
0a 0b 0c 0d 00 b3 ff 12 ac d5 b5 e1 cb 0e fb ef
e0 12 ff ff 38 8e 00 00 02 04 05 b4 01 03 03 08
04 02 08 0a 57 67 72 f3 00 02 4c ce 1d 10 54 3d
09 30 6f 9a ce a6 3a 8c 68 cb 9a 70
MAC: a6 3f 0e cb bb 2e 63 5c 95 4d ea c7
]]></sourcecode>
</section>
</section>
<section anchor="sect-4.2" numbered="true" toc="default">
<name>HMAC-SHA-1-96 (Omits TCP Options)</name>
<section anchor="sect-4.2.1" numbered="true" toc="default">
<name>Send (Client) SYN (Omits Options)</name>
<sourcecode type="tcp-ao-test-vectors"><![CDATA[
Client ISN = 0xcb0efbee
09 30 6f 9a ce a6 3a 8c 68 cb 9a 70 Send_SYN_traffic_key:
]]></artwork></figure>
</section> 30 ea a1 56 0c f0 be 57 da b5 c0 45 22 9f b1 0a
42 3c d7 ea
<section title="Send (client) non-SYN (omits options)" anchor="sect-4.2.3 "> IPv4/TCP:
<figure><artwork><![CDATA[ 45 e0 00 4c 53 99 40 00 ff 06 48 e2 0a 0b 0c 0d
Send_other_traffic_key: ac 1b 1c 1d ff 12 00 b3 cb 0e fb ee 00 00 00 00
e0 02 ff ff 54 1f 00 00 02 04 05 b4 01 03 03 08
04 02 08 0a 00 02 4c ce 00 00 00 00 1d 10 3d 54
80 af 3c fe b8 53 68 93 7b 8f 9e c2
f3 db 17 93 d7 91 0e cd 80 6c 34 f1 55 ea 1f 00 MAC:
34 59 53 e3
IPv4/TCP: 80 af 3c fe b8 53 68 93 7b 8f 9e c2
]]></sourcecode>
</section>
<section anchor="sect-4.2.2" numbered="true" toc="default">
<name>Receive (Server) SYN-ACK (Omits Options)</name>
<sourcecode type="tcp-ao-test-vectors"><![CDATA[
Server ISN = 0xacd5b5e1
45 e0 00 87 a8 f5 40 00 ff 06 f3 4a 0a 0b 0c 0d Receive_SYN_traffic_key:
ac 1b 1c 1d ff 12 00 b3 cb 0e fb ef ac d5 b5 e2
c0 18 01 04 6c 45 00 00 01 01 08 0a 00 02 4c ce
57 67 72 f3 1d 10 3d 54 71 06 08 cc 69 6c 03 a2
71 c9 3a a5 ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff 00 43 01 04 da bf 00 b4 0a 0b 0c 0d
26 02 06 01 04 00 01 00 01 02 02 80 00 02 02 02
00 02 02 42 00 02 06 41 04 00 00 da bf 02 08 40
06 00 64 00 01 01 00
MAC: b5 b2 89 6b b3 66 4e 81 76 b0 ed c6 e7 99 52 41a
01 a8 30 7f
71 06 08 cc 69 6c 03 a2 71 c9 3a a5 IPv4/TCP:
]]></artwork></figure>
</section> 45 e0 00 4c 32 84 40 00 ff 06 69 f7 ac 1b 1c 1d
0a 0b 0c 0d 00 b3 ff 12 ac d5 b5 e1 cb 0e fb ef
e0 12 ff ff 38 8e 00 00 02 04 05 b4 01 03 03 08
04 02 08 0a 57 67 72 f3 00 02 4c ce 1d 10 54 3d
09 30 6f 9a ce a6 3a 8c 68 cb 9a 70
<section title="Receive (server) non-SYN (omits options)" anchor="sect-4. 2.4"> MAC:
<figure><artwork><![CDATA[ 09 30 6f 9a ce a6 3a 8c 68 cb 9a 70
Receive_other_traffic_key: ]]></sourcecode>
</section>
<section anchor="sect-4.2.3" numbered="true" toc="default">
<name>Send (Client) Non-SYN (Omits Options)</name>
<sourcecode type="tcp-ao-test-vectors"><![CDATA[
Send_other_traffic_key:
b5 b2 89 6b b3 66 4e 81 76 b0 ed c6 e7 99 52 41 f3 db 17 93 d7 91 0e cd 80 6c 34 f1 55 ea 1f 00
01 a8 30 7f 34 59 53 e3
IPv4/TCP: IPv4/TCP:
45 e0 00 87 54 37 40 00 ff 06 48 09 ac 1b 1c 1d 45 e0 00 87 a8 f5 40 00 ff 06 f3 4a 0a 0b 0c 0d
0a 0b 0c 0d 00 b3 ff 12 ac d5 b5 e2 cb 0e fc 32 ac 1b 1c 1d ff 12 00 b3 cb 0e fb ef ac d5 b5 e2
c0 18 01 00 46 b6 00 00 01 01 08 0a 57 67 72 f3 c0 18 01 04 6c 45 00 00 01 01 08 0a 00 02 4c ce
00 02 4c ce 1d 10 54 3d 97 76 6e 48 ac 26 2d e9 57 67 72 f3 1d 10 3d 54 71 06 08 cc 69 6c 03 a2
ae 61 b4 f9 ff ff ff ff ff ff ff ff ff ff ff ff 71 c9 3a a5 ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff 00 43 01 04 da c0 00 b4 ac 1b 1c 1d ff ff ff ff 00 43 01 04 da bf 00 b4 0a 0b 0c 0d
26 02 06 01 04 00 01 00 01 02 02 80 00 02 02 02 26 02 06 01 04 00 01 00 01 02 02 80 00 02 02 02
00 02 02 42 00 02 06 41 04 00 00 da c0 02 08 40 00 02 02 42 00 02 06 41 04 00 00 da bf 02 08 40
06 00 64 00 01 01 00 06 00 64 00 01 01 00
MAC: MAC:
97 76 6e 48 ac 26 2d e9 ae 61 b4 f9 71 06 08 cc 69 6c 03 a2 71 c9 3a a5
]]></artwork></figure> ]]></sourcecode>
</section>
<section anchor="sect-4.2.4" numbered="true" toc="default">
<name>Receive (Server) Non-SYN (Omits Options)</name>
<sourcecode type="tcp-ao-test-vectors"><![CDATA[
Receive_other_traffic_key:
</section> b5 b2 89 6b b3 66 4e 81 76 b0 ed c6 e7 99 52 41
01 a8 30 7f
</section> IPv4/TCP:
</section> 45 e0 00 87 54 37 40 00 ff 06 48 09 ac 1b 1c 1d
0a 0b 0c 0d 00 b3 ff 12 ac d5 b5 e2 cb 0e fc 32
c0 18 01 00 46 b6 00 00 01 01 08 0a 57 67 72 f3
00 02 4c ce 1d 10 54 3d 97 76 6e 48 ac 26 2d e9
ae 61 b4 f9 ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff 00 43 01 04 da c0 00 b4 ac 1b 1c 1d
26 02 06 01 04 00 01 00 01 02 02 80 00 02 02 02
00 02 02 42 00 02 06 41 04 00 00 da c0 02 08 40
06 00 64 00 01 01 00
<section title="IPv4 AES-128 Output Test Vectors" anchor="sect-5"><t> MAC:
The AES-128 KDF and MAC algorithms, KDF_AES_128_CMAC and AES-128-
CMAC-96, are computed as specified for TCP-AO <xref target="RFC5926"/>.</t>
<t> 97 76 6e 48 ac 26 2d e9 ae 61 b4 f9
]]></sourcecode>
</section>
</section>
</section>
<section anchor="sect-5" numbered="true" toc="default">
<name>IPv4 AES-128 Output Test Vectors</name>
<t>
The AES-128 KDF and MAC algorithms, KDF_AES_128_CMAC and AES-128-CMAC-96, are
computed as specified for TCP-AO <xref target="RFC5926" format="default"/>.</t>
<t>
In the following sections, all values are indicated as 2-digit In the following sections, all values are indicated as 2-digit
hexadecimal values with spacing per line representing the contents hexadecimal values with spacing per line representing the contents
of 16 consecutive bytes, as is typical for data dumps. The IP/TCP of 16 consecutive bytes, as is typical for data dumps. The IP/TCP
data indicates the entire IP packet, including the TCP segment and data indicates the entire IP packet, including the TCP segment and
its options (whether covered by TCP-AO or not, as indicated), its options (whether covered by TCP-AO or not, as indicated),
including TCP-AO.</t> including TCP-AO.</t>
<section anchor="sect-5.1" numbered="true" toc="default">
<name>AES-128-CMAC-96 (Default - Covers TCP Options)</name>
<section anchor="sect-5.1.1" numbered="true" toc="default">
<name>Send (Client) SYN (Covers Options)</name>
<sourcecode type="tcp-ao-test-vectors"><![CDATA[
Client ISN = 0x787a1ddf
<section title="AES-128-CMAC-96 (default - covers TCP options)" anchor="sect- Send_SYN_traffic_key:
5.1"><section title="Send (client) SYN (covers options)" anchor="sect-5.1.1">
<figure><artwork><![CDATA[
Client ISN = 0x787a1ddf
Send_SYN_traffic_key:
f5 b8 b3 d5 f3 4f db b6 eb 8d 4a b9 66 0e 60 e3
IP/TCP:
45 e0 00 4c 7b 9f 40 00 ff 06 20 dc 0a 0b 0c 0d
ac 1b 1c 1d c4 fa 00 b3 78 7a 1d df 00 00 00 00
e0 02 ff ff 5a 0f 00 00 02 04 05 b4 01 03 03 08
04 02 08 0a 00 01 7e d0 00 00 00 00 1d 10 3d 54
e4 77 e9 9c 80 40 76 54 98 e5 50 91
MAC:
e4 77 e9 9c 80 40 76 54 98 e5 50 91
]]></artwork></figure>
</section>
<section title="Receive (server) SYN-ACK (covers options)" anchor="sect-5
.1.2">
<figure><artwork><![CDATA[
Server ISN = 0xfadd6de9
Receive_SYN_traffic_key:
4b c7 57 1a 48 6f 32 64 bb d8 88 47 40 66 b4 b1
IPv4/TCP:
45 e0 00 4c 4b ad 40 00 ff 06 50 ce ac 1b 1c 1d
0a 0b 0c 0d 00 b3 c4 fa fa dd 6d e9 78 7a 1d e0
e0 12 ff ff f3 f2 00 00 02 04 05 b4 01 03 03 08
04 02 08 0a 93 f4 e9 e8 00 01 7e d0 1d 10 54 3d
d6 ad a7 bc 4c dd 53 6d 17 69 db 5f
MAC:
d6 ad a7 bc 4c dd 53 6d 17 69 db 5f
]]></artwork></figure>
</section>
<section title="Send (client) non-SYN (covers options)" anchor="sect-5.1.
3">
<figure><artwork><![CDATA[
Send_other_traffic_key:
8c 8a e0 e8 37 1e c5 cb b9 7e a7 9d 90 41 83 91
IPv4/TCP:
45 e0 00 87 fb 4f 40 00 ff 06 a0 f0 0a 0b 0c 0d
ac 1b 1c 1d c4 fa 00 b3 78 7a 1d e0 fa dd 6d ea
c0 18 01 04 95 05 00 00 01 01 08 0a 00 01 7e d0
93 f4 e9 e8 1d 10 3d 54 77 41 27 42 fa 4d c4 33
ef f0 97 3e ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff 00 43 01 04 da bf 00 b4 0a 0b 0c 0d
26 02 06 01 04 00 01 00 01 02 02 80 00 02 02 02
00 02 02 42 00 02 06 41 04 00 00 da bf 02 08 40
06 00 64 00 01 01 00
MAC:
77 41 27 42 fa 4d c4 33 ef f0 97 3e
]]></artwork></figure>
</section>
<section title="Receive (server) non-SYN (covers options)" anchor="sect-5
.1.4">
<figure><artwork><![CDATA[
Receive_other_traffic_key:
4b c7 57 1a 48 6f 32 64 bb d8 88 47 40 66 b4 b1
IPv4/TCP: f5 b8 b3 d5 f3 4f db b6 eb 8d 4a b9 66 0e 60 e3
45 e0 00 87 b9 14 40 00 ff 06 e3 2b ac 1b 1c 1d IP/TCP:
0a 0b 0c 0d 00 b3 c4 fa fa dd 6d ea 78 7a 1e 23
c0 18 01 00 e7 db 00 00 01 01 08 0a 93 f4 e9 e8
00 01 7e d0 1d 10 54 3d f6 d9 65 a7 83 82 a7 48
45 f7 2d ac ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff 00 43 01 04 da c0 00 b4 ac 1b 1c 1d
26 02 06 01 04 00 01 00 01 02 02 80 00 02 02 02
00 02 02 42 00 02 06 41 04 00 00 da c0 02 08 40
06 00 64 00 01 01 00
MAC: 45 e0 00 4c 7b 9f 40 00 ff 06 20 dc 0a 0b 0c 0d
ac 1b 1c 1d c4 fa 00 b3 78 7a 1d df 00 00 00 00
e0 02 ff ff 5a 0f 00 00 02 04 05 b4 01 03 03 08
04 02 08 0a 00 01 7e d0 00 00 00 00 1d 10 3d 54
e4 77 e9 9c 80 40 76 54 98 e5 50 91
f6 d9 65 a7 83 82 a7 48 45 f7 2d ac MAC:
]]></artwork></figure>
</section> e4 77 e9 9c 80 40 76 54 98 e5 50 91
]]></sourcecode>
</section>
<section anchor="sect-5.1.2" numbered="true" toc="default">
<name>Receive (Server) SYN-ACK (Covers Options)</name>
<sourcecode type="tcp-ao-test-vectors"><![CDATA[
Server ISN = 0xfadd6de9
</section> Receive_SYN_traffic_key:
<section title="AES-128-CMAC-96 (omits TCP options)" anchor="sect-5.2"><s ection title="Send (client) SYN (omits options)" anchor="sect-5.2.1"> 4b c7 57 1a 48 6f 32 64 bb d8 88 47 40 66 b4 b1
<figure><artwork><![CDATA[ IPv4/TCP:
Client ISN = 0x389bed71
Send_SYN_traffic_key: 45 e0 00 4c 4b ad 40 00 ff 06 50 ce ac 1b 1c 1d
0a 0b 0c 0d 00 b3 c4 fa fa dd 6d e9 78 7a 1d e0
e0 12 ff ff f3 f2 00 00 02 04 05 b4 01 03 03 08
04 02 08 0a 93 f4 e9 e8 00 01 7e d0 1d 10 54 3d
d6 ad a7 bc 4c dd 53 6d 17 69 db 5f
2c db ae 13 92 c4 94 49 fa 92 c4 50 97 35 d5 0e MAC:
IPv4/TCP: d6 ad a7 bc 4c dd 53 6d 17 69 db 5f
]]></sourcecode>
</section>
<section anchor="sect-5.1.3" numbered="true" toc="default">
<name>Send (Client) Non-SYN (Covers Options)</name>
<sourcecode type="tcp-ao-test-vectors"><![CDATA[
Send_other_traffic_key:
45 e0 00 4c f2 2e 40 00 ff 06 aa 4c 0a 0b 0c 0d 8c 8a e0 e8 37 1e c5 cb b9 7e a7 9d 90 41 83 91
ac 1b 1c 1d da 1c 00 b3 38 9b ed 71 00 00 00 00
e0 02 ff ff 70 bf 00 00 02 04 05 b4 01 03 03 08
04 02 08 0a 00 01 85 e1 00 00 00 00 1d 10 3d 54
c4 4e 60 cb 31 f7 c0 b1 de 3d 27 49
MAC: IPv4/TCP:
c4 4e 60 cb 31 f7 c0 b1 de 3d 27 49 45 e0 00 87 fb 4f 40 00 ff 06 a0 f0 0a 0b 0c 0d
]]></artwork></figure> ac 1b 1c 1d c4 fa 00 b3 78 7a 1d e0 fa dd 6d ea
c0 18 01 04 95 05 00 00 01 01 08 0a 00 01 7e d0
93 f4 e9 e8 1d 10 3d 54 77 41 27 42 fa 4d c4 33
ef f0 97 3e ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff 00 43 01 04 da bf 00 b4 0a 0b 0c 0d
26 02 06 01 04 00 01 00 01 02 02 80 00 02 02 02
00 02 02 42 00 02 06 41 04 00 00 da bf 02 08 40
06 00 64 00 01 01 00
</section> MAC:
<section title="Receive (server) SYN-ACK (omits options)" anchor="sect-5. 77 41 27 42 fa 4d c4 33 ef f0 97 3e
2.2"> ]]></sourcecode>
</section>
<section anchor="sect-5.1.4" numbered="true" toc="default">
<name>Receive (Server) Non-SYN (Covers Options)</name>
<sourcecode type="tcp-ao-test-vectors"><![CDATA[
Receive_other_traffic_key:
<figure><artwork><![CDATA[ 4b c7 57 1a 48 6f 32 64 bb d8 88 47 40 66 b4 b1
Server ISN = 0xd3844a6f
Receive_SYN_traffic_key: IPv4/TCP:
3c e6 7a 55 18 69 50 6b 63 47 b6 33 c5 0a 62 4a 45 e0 00 87 b9 14 40 00 ff 06 e3 2b ac 1b 1c 1d
0a 0b 0c 0d 00 b3 c4 fa fa dd 6d ea 78 7a 1e 23
c0 18 01 00 e7 db 00 00 01 01 08 0a 93 f4 e9 e8
00 01 7e d0 1d 10 54 3d f6 d9 65 a7 83 82 a7 48
45 f7 2d ac ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff 00 43 01 04 da c0 00 b4 ac 1b 1c 1d
26 02 06 01 04 00 01 00 01 02 02 80 00 02 02 02
00 02 02 42 00 02 06 41 04 00 00 da c0 02 08 40
06 00 64 00 01 01 00
IPv4/TCP: MAC:
45 e0 00 4c 6c c0 40 00 ff 06 2f bb ac 1b 1c 1d f6 d9 65 a7 83 82 a7 48 45 f7 2d ac
0a 0b 0c 0d 00 b3 da 1c d3 84 4a 6f 38 9b ed 72 ]]></sourcecode>
e0 12 ff ff e4 45 00 00 02 04 05 b4 01 03 03 08 </section>
04 02 08 0a ce 45 98 38 00 01 85 e1 1d 10 54 3d </section>
3a 6a bb 20 7e 49 b1 be 71 36 db 90 <section anchor="sect-5.2" numbered="true" toc="default">
<name>AES-128-CMAC-96 (Omits TCP Options)</name>
<section anchor="sect-5.2.1" numbered="true" toc="default">
<name>Send (Client) SYN (Omits Options)</name>
<sourcecode type="tcp-ao-test-vectors"><![CDATA[
Client ISN = 0x389bed71
MAC: Send_SYN_traffic_key:
3a 6a bb 20 7e 49 b1 be 71 36 db 90 2c db ae 13 92 c4 94 49 fa 92 c4 50 97 35 d5 0e
]]></artwork></figure>
</section> IPv4/TCP:
<section title="Send (client) non-SYN (omits options)" anchor="sect-5.2.3 45 e0 00 4c f2 2e 40 00 ff 06 aa 4c 0a 0b 0c 0d
"> ac 1b 1c 1d da 1c 00 b3 38 9b ed 71 00 00 00 00
e0 02 ff ff 70 bf 00 00 02 04 05 b4 01 03 03 08
04 02 08 0a 00 01 85 e1 00 00 00 00 1d 10 3d 54
c4 4e 60 cb 31 f7 c0 b1 de 3d 27 49
<figure><artwork><![CDATA[ MAC:
Send_other_traffic_key:
03 5b c4 00 a3 41 ff e5 95 f5 9f 58 00 50 06 ca c4 4e 60 cb 31 f7 c0 b1 de 3d 27 49
]]></sourcecode>
</section>
<section anchor="sect-5.2.2" numbered="true" toc="default">
<name>Receive (Server) SYN-ACK (Omits Options)</name>
<sourcecode type="tcp-ao-test-vectors"><![CDATA[
Server ISN = 0xd3844a6f
IPv4/TCP: Receive_SYN_traffic_key:
45 e0 00 87 ee 91 40 00 ff 06 ad ae 0a 0b 0c 0d 3c e6 7a 55 18 69 50 6b 63 47 b6 33 c5 0a 62 4a
ac 1b 1c 1d da 1c 00 b3 38 9b ed 72 d3 84 4a 70
c0 18 01 04 88 51 00 00 01 01 08 0a 00 01 85 e1
ce 45 98 38 1d 10 3d 54 75 85 e9 e9 d5 c3 ec 85
7b 96 f8 37 ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff 00 43 01 04 da bf 00 b4 0a 0b 0c 0d
26 02 06 01 04 00 01 00 01 02 02 80 00 02 02 02
00 02 02 42 00 02 06 41 04 00 00 da bf 02 08 40
06 00 64 00 01 01 00
MAC: IPv4/TCP:
75 85 e9 e9 d5 c3 ec 85 7b 96 f8 37 45 e0 00 4c 6c c0 40 00 ff 06 2f bb ac 1b 1c 1d
]]></artwork></figure> 0a 0b 0c 0d 00 b3 da 1c d3 84 4a 6f 38 9b ed 72
e0 12 ff ff e4 45 00 00 02 04 05 b4 01 03 03 08
04 02 08 0a ce 45 98 38 00 01 85 e1 1d 10 54 3d
3a 6a bb 20 7e 49 b1 be 71 36 db 90
</section> MAC:
<section title="Receive (server) non-SYN (omits options)" anchor="sect-5. 3a 6a bb 20 7e 49 b1 be 71 36 db 90
2.4"> ]]></sourcecode>
</section>
<section anchor="sect-5.2.3" numbered="true" toc="default">
<name>Send (Client) Non-SYN (Omits Options)</name>
<sourcecode type="tcp-ao-test-vectors"><![CDATA[
Send_other_traffic_key:
<figure><artwork><![CDATA[ 03 5b c4 00 a3 41 ff e5 95 f5 9f 58 00 50 06 ca
Receive_other_traffic_key:
3c e6 7a 55 18 69 50 6b 63 47 b6 33 c5 0a 62 4a IPv4/TCP:
IPv4/TCP: 45 e0 00 87 ee 91 40 00 ff 06 ad ae 0a 0b 0c 0d
ac 1b 1c 1d da 1c 00 b3 38 9b ed 72 d3 84 4a 70
c0 18 01 04 88 51 00 00 01 01 08 0a 00 01 85 e1
ce 45 98 38 1d 10 3d 54 75 85 e9 e9 d5 c3 ec 85
7b 96 f8 37 ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff 00 43 01 04 da bf 00 b4 0a 0b 0c 0d
26 02 06 01 04 00 01 00 01 02 02 80 00 02 02 02
00 02 02 42 00 02 06 41 04 00 00 da bf 02 08 40
06 00 64 00 01 01 00
45 e0 00 87 6a 21 40 00 ff 06 32 1f ac 1b 1c 1d MAC:
0a 0b 0c 0d 00 b3 da 1c d3 84 4a 70 38 9b ed 72
c0 18 01 00 04 49 00 00 01 01 08 0a ce 45 98 38
00 01 85 e1 1d 10 54 3d 5c 04 0f d9 23 33 04 76
5c 09 82 f4 ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff 00 43 01 04 da c0 00 b4 ac 1b 1c 1d
26 02 06 01 04 00 01 00 01 02 02 80 00 02 02 02
00 02 02 42 00 02 06 41 04 00 00 da c0 02 08 40
06 00 64 00 01 01 00
MAC: 75 85 e9 e9 d5 c3 ec 85 7b 96 f8 37
]]></sourcecode>
</section>
<section anchor="sect-5.2.4" numbered="true" toc="default">
<name>Receive (Server) Non-SYN (Omits Options)</name>
<sourcecode type="tcp-ao-test-vectors"><![CDATA[
Receive_other_traffic_key:
5c 04 0f d9 23 33 04 76 5c 09 82 f4 3c e6 7a 55 18 69 50 6b 63 47 b6 33 c5 0a 62 4a
]]></artwork></figure>
</section> IPv4/TCP:
</section> 45 e0 00 87 6a 21 40 00 ff 06 32 1f ac 1b 1c 1d
0a 0b 0c 0d 00 b3 da 1c d3 84 4a 70 38 9b ed 72
c0 18 01 00 04 49 00 00 01 01 08 0a ce 45 98 38
00 01 85 e1 1d 10 54 3d 5c 04 0f d9 23 33 04 76
5c 09 82 f4 ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff 00 43 01 04 da c0 00 b4 ac 1b 1c 1d
26 02 06 01 04 00 01 00 01 02 02 80 00 02 02 02
00 02 02 42 00 02 06 41 04 00 00 da c0 02 08 40
06 00 64 00 01 01 00
</section> MAC:
<section title="IPv6 SHA-1 Output Test Vectors" anchor="sect-6"><t> 5c 04 0f d9 23 33 04 76 5c 09 82 f4
]]></sourcecode>
</section>
</section>
</section>
<section anchor="sect-6" numbered="true" toc="default">
<name>IPv6 SHA-1 Output Test Vectors</name>
<t keepWithNext="true">
The SHA-1 KDF and MAC algorithms, KDF_HMAC_SHA1 and HMAC-SHA-1-96, The SHA-1 KDF and MAC algorithms, KDF_HMAC_SHA1 and HMAC-SHA-1-96,
are computed as specified for TCP-AO <xref target="RFC5926"/>.</t> are computed as specified for TCP-AO <xref target="RFC5926" format="default"/
>.</t>
<section title="HMAC-SHA-1-96 (default - covers TCP options)" anchor="sec <section anchor="sect-6.1" numbered="true" toc="default">
t-6.1"><section title="Send (client) SYN (covers options)" anchor="sect-6.1.1"> <name>HMAC-SHA-1-96 (Default - Covers TCP Options)</name>
<section anchor="sect-6.1.1" numbered="true" toc="default">
<figure><artwork><![CDATA[ <name>Send (Client) SYN (Covers Options)</name>
Client ISN = 0x176a833f <sourcecode type="tcp-ao-test-vectors"><![CDATA[
Client ISN = 0x176a833f
Send_SYN_traffic_key:
62 5e c0 9d 57 58 36 ed c9 b6 42 84 18 bb f0 69
89 a3 61 bb
IPv6/TCP:
6e 08 91 dc 00 38 06 40 fd 00 00 00 00 00 00 00
00 00 00 00 00 00 00 01 fd 00 00 00 00 00 00 00
00 00 00 00 00 00 00 02 f7 e4 00 b3 17 6a 83 3f
00 00 00 00 e0 02 ff ff 47 21 00 00 02 04 05 a0
01 03 03 08 04 02 08 0a 00 41 d0 87 00 00 00 00
1d 10 3d 54 90 33 ec 3d 73 34 b6 4c 5e dd 03 9f
MAC:
90 33 ec 3d 73 34 b6 4c 5e dd 03 9f
]]></artwork></figure>
</section>
<section title="Receive (server) SYN-ACK (covers options)" anchor="sect-6
.1.2">
<figure><artwork><![CDATA[
Server ISN = 0x3f51994b
Receive_SYN_traffic_key: Send_SYN_traffic_key:
e4 a3 7a da 2a 0a fc a8 71 14 34 91 3f e1 38 c7 62 5e c0 9d 57 58 36 ed c9 b6 42 84 18 bb f0 69
71 eb cb 4a 89 a3 61 bb
IPv6/TCP: IPv6/TCP:
6e 01 00 9e 00 38 06 40 fd 00 00 00 00 00 00 00 6e 08 91 dc 00 38 06 40 fd 00 00 00 00 00 00 00
00 00 00 00 00 00 00 02 fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 fd 00 00 00 00 00 00 00
00 00 00 00 00 00 00 01 00 b3 f7 e4 3f 51 99 4b 00 00 00 00 00 00 00 02 f7 e4 00 b3 17 6a 83 3f
17 6a 83 40 e0 12 ff ff bf ec 00 00 02 04 05 a0 00 00 00 00 e0 02 ff ff 47 21 00 00 02 04 05 a0
01 03 03 08 04 02 08 0a bd 33 12 9b 00 41 d0 87 01 03 03 08 04 02 08 0a 00 41 d0 87 00 00 00 00
1d 10 54 3d f1 cb a3 46 c3 52 61 63 f7 1f 1f 55 1d 10 3d 54 90 33 ec 3d 73 34 b6 4c 5e dd 03 9f
MAC: MAC:
f1 cb a3 46 c3 52 61 63 f7 1f 1f 55 90 33 ec 3d 73 34 b6 4c 5e dd 03 9f
]]></artwork></figure> ]]></sourcecode>
</section>
</section> <section anchor="sect-6.1.2" numbered="true" toc="default">
<name>Receive (Server) SYN-ACK (Covers Options)</name>
<section title="Send (client) non-SYN (covers options)" anchor="sect-6.1. <sourcecode type="tcp-ao-test-vectors"><![CDATA[
3"> Server ISN = 0x3f51994b
<figure><artwork><![CDATA[
Send_other_traffic_key:
1e d8 29 75 f4 ea 44 4c 61 58 0c 5b d9 0d bd 61
bb c9 1b 7e
IPv6/TCP:
6e 08 91 dc 00 73 06 40 fd 00 00 00 00 00 00 00
00 00 00 00 00 00 00 01 fd 00 00 00 00 00 00 00
00 00 00 00 00 00 00 02 f7 e4 00 b3 17 6a 83 40
3f 51 99 4c c0 18 01 00 32 9c 00 00 01 01 08 0a
00 41 d0 91 bd 33 12 9b 1d 10 3d 54 bf 08 05 fe
b4 ac 7b 16 3d 6f cd f2 ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff 00 43 01 04 fd e8 00 b4
01 01 01 79 26 02 06 01 04 00 01 00 01 02 02 80
00 02 02 02 00 02 02 42 00 02 06 41 04 00 00 fd
e8 02 08 40 06 00 64 00 01 01 00
MAC:
bf 08 05 fe b4 ac 7b 16 3d 6f cd f2
]]></artwork></figure>
</section>
<section title="Receive (server) non-SYN (covers options)" anchor="sect-6
.1.4">
<figure><artwork><![CDATA[
Receive_other_traffic_key:
e4 a3 7a da 2a 0a fc a8 71 14 34 91 3f e1 38 c7
71 eb cb 4a
IPv6/TCP:
6e 01 00 9e 00 73 06 40 fd 00 00 00 00 00 00 00
00 00 00 00 00 00 00 02 fd 00 00 00 00 00 00 00
00 00 00 00 00 00 00 01 00 b3 f7 e4 3f 51 99 4c
17 6a 83 83 c0 18 01 00 ee 6e 00 00 01 01 08 0a
bd 33 12 a5 00 41 d0 91 1d 10 54 3d 6c 48 12 5c
11 33 5b ab 9a 07 a7 97 ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff 00 43 01 04 fd e8 00 b4
01 01 01 7a 26 02 06 01 04 00 01 00 01 02 02 80
00 02 02 02 00 02 02 42 00 02 06 41 04 00 00 fd
e8 02 08 40 06 00 64 00 01 01 00
MAC:
6c 48 12 5c 11 33 5b ab 9a 07 a7 97
]]></artwork></figure>
</section>
</section>
<section title="HMAC-SHA-1-96 (omits TCP options)" anchor="sect-6.2"><sec
tion title="Send (client) SYN (omits options)" anchor="sect-6.2.1">
<figure><artwork><![CDATA[
Client ISN = 0x020c1e69
Send_SYN_traffic_key:
31 a3 fa f6 9e ff ae 52 93 1b 7f 84 54 67 31 5c
27 0a 4e dc
IPv6/TCP:
6e 07 8f cd 00 38 06 40 fd 00 00 00 00 00 00 00
00 00 00 00 00 00 00 01 fd 00 00 00 00 00 00 00
00 00 00 00 00 00 00 02 c6 cd 00 b3 02 0c 1e 69
00 00 00 00 e0 02 ff ff a4 1a 00 00 02 04 05 a0
01 03 03 08 04 02 08 0a 00 9d b9 5b 00 00 00 00
1d 10 3d 54 88 56 98 b0 53 0e d4 d5 a1 5f 83 46
MAC:
88 56 98 b0 53 0e d4 d5 a1 5f 83 46
]]></artwork></figure>
</section>
<section title="Receive (server) SYN-ACK (omits options)" anchor="sect-6.
2.2">
<figure><artwork><![CDATA[
Server ISN = 0xeba3734d
Receive_SYN_traffic_key:
40 51 08 94 7f 99 65 75 e7 bd bc 26 d4 02 16 a2
c7 fa 91 bd
IPv6/TCP:
6e 0a 7e 1f 00 38 06 40 fd 00 00 00 00 00 00 00
00 00 00 00 00 00 00 02 fd 00 00 00 00 00 00 00
00 00 00 00 00 00 00 01 00 b3 c6 cd eb a3 73 4d
02 0c 1e 6a e0 12 ff ff 77 4d 00 00 02 04 05 a0
01 03 03 08 04 02 08 0a 5e c9 9b 70 00 9d b9 5b
1d 10 54 3d 3c 54 6b ad 97 43 f1 2d f8 b8 01 0d
MAC:
3c 54 6b ad 97 43 f1 2d f8 b8 01 0d
]]></artwork></figure>
</section>
<section title="Send (client) non-SYN (omits options)" anchor="sect-6.2.3
">
<figure><artwork><![CDATA[
Send_other_traffic_key:
b3 4e ed 6a 93 96 a6 69 f1 c4 f4 f5 76 18 f3 65
6f 52 c7 ab
IPv6/TCP:
6e 07 8f cd 00 73 06 40 fd 00 00 00 00 00 00 00
00 00 00 00 00 00 00 01 fd 00 00 00 00 00 00 00
00 00 00 00 00 00 00 02 c6 cd 00 b3 02 0c 1e 6a
eb a3 73 4e c0 18 01 00 83 e6 00 00 01 01 08 0a
00 9d b9 65 5e c9 9b 70 1d 10 3d 54 48 bd 09 3b
19 24 e0 01 19 2f 5b f0 ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff 00 43 01 04 fd e8 00 b4
01 01 01 79 26 02 06 01 04 00 01 00 01 02 02 80
00 02 02 02 00 02 02 42 00 02 06 41 04 00 00 fd
e8 02 08 40 06 00 64 00 01 01 00
MAC:
48 bd 09 3b 19 24 e0 01 19 2f 5b f0
]]></artwork></figure>
</section>
<section title="Receive (server) non-SYN (omits options)" anchor="sect-6.
2.4">
<figure><artwork><![CDATA[ Receive_SYN_traffic_key:
Receive_other_traffic_key:
40 51 08 94 7f 99 65 75 e7 bd bc 26 d4 02 16 a2 e4 a3 7a da 2a 0a fc a8 71 14 34 91 3f e1 38 c7
c7 fa 91 bd 71 eb cb 4a
IPv6/TCP: IPv6/TCP:
6e 0a 7e 1f 00 73 06 40 fd 00 00 00 00 00 00 00 6e 01 00 9e 00 38 06 40 fd 00 00 00 00 00 00 00
00 00 00 00 00 00 00 02 fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 fd 00 00 00 00 00 00 00
00 00 00 00 00 00 00 01 00 b3 c6 cd eb a3 73 4e 00 00 00 00 00 00 00 01 00 b3 f7 e4 3f 51 99 4b
02 0c 1e ad c0 18 01 00 71 6a 00 00 01 01 08 0a 17 6a 83 40 e0 12 ff ff bf ec 00 00 02 04 05 a0
5e c9 9b 7a 00 9d b9 65 1d 10 54 3d 55 9a 81 94 01 03 03 08 04 02 08 0a bd 33 12 9b 00 41 d0 87
45 b4 fd e9 8d 9e 13 17 ff ff ff ff ff ff ff ff 1d 10 54 3d f1 cb a3 46 c3 52 61 63 f7 1f 1f 55
ff ff ff ff ff ff ff ff 00 43 01 04 fd e8 00 b4
01 01 01 7a 26 02 06 01 04 00 01 00 01 02 02 80
00 02 02 02 00 02 02 42 00 02 06 41 04 00 00 fd
e8 02 08 40 06 00 64 00 01 01 00
MAC: MAC:
55 9a 81 94 45 b4 fd e9 8d 9e 13 17 f1 cb a3 46 c3 52 61 63 f7 1f 1f 55
]]></artwork></figure> ]]></sourcecode>
</section>
<section anchor="sect-6.1.3" numbered="true" toc="default">
<name>Send (Client) Non-SYN (Covers Options)</name>
<sourcecode type="tcp-ao-test-vectors"><![CDATA[
Send_other_traffic_key:
</section> 1e d8 29 75 f4 ea 44 4c 61 58 0c 5b d9 0d bd 61
bb c9 1b 7e
</section> IPv6/TCP:
</section> 6e 08 91 dc 00 73 06 40 fd 00 00 00 00 00 00 00
00 00 00 00 00 00 00 01 fd 00 00 00 00 00 00 00
00 00 00 00 00 00 00 02 f7 e4 00 b3 17 6a 83 40
3f 51 99 4c c0 18 01 00 32 9c 00 00 01 01 08 0a
00 41 d0 91 bd 33 12 9b 1d 10 3d 54 bf 08 05 fe
b4 ac 7b 16 3d 6f cd f2 ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff 00 43 01 04 fd e8 00 b4
01 01 01 79 26 02 06 01 04 00 01 00 01 02 02 80
00 02 02 02 00 02 02 42 00 02 06 41 04 00 00 fd
e8 02 08 40 06 00 64 00 01 01 00
<section title="IPv6 AES-128 Output Test Vectors" anchor="sect-7"><t> MAC:
The AES-128 KDF and MAC algorithms, KDF_AES_128_CMAC and AES-128-
CMAC-96, are computed as specified for TCP-AO <xref target="RFC5926"/>.</t>
<section title="AES-128-CMAC-96 (default - covers TCP options)" anchor="s bf 08 05 fe b4 ac 7b 16 3d 6f cd f2
ect-7.1"><section title="Send (client) SYN (covers options)" anchor="sect-7.1.1" ]]></sourcecode>
> </section>
<section anchor="sect-6.1.4" numbered="true" toc="default">
<name>Receive (Server) Non-SYN (Covers Options)</name>
<sourcecode type="tcp-ao-test-vectors"><![CDATA[
Receive_other_traffic_key:
<figure><artwork><![CDATA[ e4 a3 7a da 2a 0a fc a8 71 14 34 91 3f e1 38 c7
Client ISN = 0x193cccec 71 eb cb 4a
Send_SYN_traffic_key: IPv6/TCP:
fa 5a 21 08 88 2d 39 d0 c7 19 29 17 5a b1 b7 b8 6e 01 00 9e 00 73 06 40 fd 00 00 00 00 00 00 00
00 00 00 00 00 00 00 02 fd 00 00 00 00 00 00 00
00 00 00 00 00 00 00 01 00 b3 f7 e4 3f 51 99 4c
17 6a 83 83 c0 18 01 00 ee 6e 00 00 01 01 08 0a
bd 33 12 a5 00 41 d0 91 1d 10 54 3d 6c 48 12 5c
11 33 5b ab 9a 07 a7 97 ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff 00 43 01 04 fd e8 00 b4
01 01 01 7a 26 02 06 01 04 00 01 00 01 02 02 80
00 02 02 02 00 02 02 42 00 02 06 41 04 00 00 fd
e8 02 08 40 06 00 64 00 01 01 00
IP/TCP: MAC:
6e 04 a7 06 00 38 06 40 fd 00 00 00 00 00 00 00 6c 48 12 5c 11 33 5b ab 9a 07 a7 97
00 00 00 00 00 00 00 01 fd 00 00 00 00 00 00 00 ]]></sourcecode>
00 00 00 00 00 00 00 02 f8 5a 00 b3 19 3c cc ec </section>
00 00 00 00 e0 02 ff ff de 5d 00 00 02 04 05 a0 </section>
01 03 03 08 04 02 08 0a 13 e4 ab 99 00 00 00 00 <section anchor="sect-6.2" numbered="true" toc="default">
1d 10 3d 54 59 b5 88 10 74 81 ac 6d c3 92 70 40 <name>HMAC-SHA-1-96 (Omits TCP Options)</name>
<section anchor="sect-6.2.1" numbered="true" toc="default">
<name>Send (Client) SYN (Omits Options)</name>
<sourcecode type="tcp-ao-test-vectors"><![CDATA[
Client ISN = 0x020c1e69
MAC: Send_SYN_traffic_key:
59 b5 88 10 74 81 ac 6d c3 92 70 40 31 a3 fa f6 9e ff ae 52 93 1b 7f 84 54 67 31 5c
]]></artwork></figure> 27 0a 4e dc
</section> IPv6/TCP:
<section title="Receive (server) SYN-ACK (covers options)" anchor="sect-7 6e 07 8f cd 00 38 06 40 fd 00 00 00 00 00 00 00
.1.2"> 00 00 00 00 00 00 00 01 fd 00 00 00 00 00 00 00
00 00 00 00 00 00 00 02 c6 cd 00 b3 02 0c 1e 69
00 00 00 00 e0 02 ff ff a4 1a 00 00 02 04 05 a0
01 03 03 08 04 02 08 0a 00 9d b9 5b 00 00 00 00
1d 10 3d 54 88 56 98 b0 53 0e d4 d5 a1 5f 83 46
<figure><artwork><![CDATA[ MAC:
Server ISN = 0xa6744ecb
Receive_SYN_traffic_key: 88 56 98 b0 53 0e d4 d5 a1 5f 83 46
]]></sourcecode>
</section>
<section anchor="sect-6.2.2" numbered="true" toc="default">
<name>Receive (Server) SYN-ACK (Omits Options)</name>
<sourcecode type="tcp-ao-test-vectors"><![CDATA[
Server ISN = 0xeba3734d
cf 1b 1e 22 5e 06 a6 36 16 76 4a 06 7b 46 f4 b1 Receive_SYN_traffic_key:
IPv6/TCP: 40 51 08 94 7f 99 65 75 e7 bd bc 26 d4 02 16 a2
c7 fa 91 bd
6e 06 15 20 00 38 06 40 fd 00 00 00 00 00 00 00 IPv6/TCP:
00 00 00 00 00 00 00 02 fd 00 00 00 00 00 00 00
00 00 00 00 00 00 00 01 00 b3 f8 5a a6 74 4e cb
19 3c cc ed e0 12 ff ff ea bb 00 00 02 04 05 a0
01 03 03 08 04 02 08 0a 71 da ab c8 13 e4 ab 99
1d 10 54 3d dc 28 43 a8 4e 78 a6 bc fd c5 ed 80
MAC: 6e 0a 7e 1f 00 38 06 40 fd 00 00 00 00 00 00 00
00 00 00 00 00 00 00 02 fd 00 00 00 00 00 00 00
00 00 00 00 00 00 00 01 00 b3 c6 cd eb a3 73 4d
02 0c 1e 6a e0 12 ff ff 77 4d 00 00 02 04 05 a0
01 03 03 08 04 02 08 0a 5e c9 9b 70 00 9d b9 5b
1d 10 54 3d 3c 54 6b ad 97 43 f1 2d f8 b8 01 0d
dc 28 43 a8 4e 78 a6 bc fd c5 ed 80 MAC:
]]></artwork></figure>
</section> 3c 54 6b ad 97 43 f1 2d f8 b8 01 0d
]]></sourcecode>
</section>
<section anchor="sect-6.2.3" numbered="true" toc="default">
<name>Send (Client) Non-SYN (Omits Options)</name>
<sourcecode type="tcp-ao-test-vectors"><![CDATA[
Send_other_traffic_key:
<section title="Send (client) non-SYN (covers options)" anchor="sect-7.1. b3 4e ed 6a 93 96 a6 69 f1 c4 f4 f5 76 18 f3 65
3"> 6f 52 c7 ab
<figure><artwork><![CDATA[ IPv6/TCP:
Send_other_traffic_key:
61 74 c3 55 7a be d2 75 74 db a3 71 85 f0 03 00 6e 07 8f cd 00 73 06 40 fd 00 00 00 00 00 00 00
00 00 00 00 00 00 00 01 fd 00 00 00 00 00 00 00
00 00 00 00 00 00 00 02 c6 cd 00 b3 02 0c 1e 6a
eb a3 73 4e c0 18 01 00 83 e6 00 00 01 01 08 0a
00 9d b9 65 5e c9 9b 70 1d 10 3d 54 48 bd 09 3b
19 24 e0 01 19 2f 5b f0 ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff 00 43 01 04 fd e8 00 b4
01 01 01 79 26 02 06 01 04 00 01 00 01 02 02 80
00 02 02 02 00 02 02 42 00 02 06 41 04 00 00 fd
e8 02 08 40 06 00 64 00 01 01 00
IPv6/TCP: MAC:
6e 04 a7 06 00 73 06 40 fd 00 00 00 00 00 00 00 48 bd 09 3b 19 24 e0 01 19 2f 5b f0
00 00 00 00 00 00 00 01 fd 00 00 00 00 00 00 00 ]]></sourcecode>
00 00 00 00 00 00 00 02 f8 5a 00 b3 19 3c cc ed </section>
a6 74 4e cc c0 18 01 00 32 80 00 00 01 01 08 0a <section anchor="sect-6.2.4" numbered="true" toc="default">
13 e4 ab a3 71 da ab c8 1d 10 3d 54 7b 6a 45 5c <name>Receive (Server) Non-SYN (Omits Options)</name>
0d 4f 5f 01 83 5b aa b3 ff ff ff ff ff ff ff ff <sourcecode type="tcp-ao-test-vectors"><![CDATA[
ff ff ff ff ff ff ff ff 00 43 01 04 fd e8 00 b4 Receive_other_traffic_key:
01 01 01 79 26 02 06 01 04 00 01 00 01 02 02 80
00 02 02 02 00 02 02 42 00 02 06 41 04 00 00 fd
e8 02 08 40 06 00 64 00 01 01 00
MAC: 40 51 08 94 7f 99 65 75 e7 bd bc 26 d4 02 16 a2
c7 fa 91 bd
7b 6a 45 5c 0d 4f 5f 01 83 5b aa b3 IPv6/TCP:
]]></artwork></figure>
</section> 6e 0a 7e 1f 00 73 06 40 fd 00 00 00 00 00 00 00
00 00 00 00 00 00 00 02 fd 00 00 00 00 00 00 00
00 00 00 00 00 00 00 01 00 b3 c6 cd eb a3 73 4e
02 0c 1e ad c0 18 01 00 71 6a 00 00 01 01 08 0a
5e c9 9b 7a 00 9d b9 65 1d 10 54 3d 55 9a 81 94
45 b4 fd e9 8d 9e 13 17 ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff 00 43 01 04 fd e8 00 b4
01 01 01 7a 26 02 06 01 04 00 01 00 01 02 02 80
00 02 02 02 00 02 02 42 00 02 06 41 04 00 00 fd
e8 02 08 40 06 00 64 00 01 01 00
<section title="Receive (server) non-SYN (covers options)" anchor="sect-7 .1.4"> MAC:
<figure><artwork><![CDATA[ 55 9a 81 94 45 b4 fd e9 8d 9e 13 17
Receive_other_traffic_key: ]]></sourcecode>
</section>
</section>
</section>
<section anchor="sect-7" numbered="true" toc="default">
<name>IPv6 AES-128 Output Test Vectors</name>
<t keepWithNext="true">
The AES-128 KDF and MAC algorithms, KDF_AES_128_CMAC and AES-128-CMAC-96, are
computed as specified for TCP-AO <xref target="RFC5926" format="default"/>.</t>
<section anchor="sect-7.1" numbered="true" toc="default">
<name>AES-128-CMAC-96 (Default - Covers TCP Options)</name>
<section anchor="sect-7.1.1" numbered="true" toc="default">
<name>Send (Client) SYN (Covers Options)</name>
<sourcecode type="tcp-ao-test-vectors"><![CDATA[
Client ISN = 0x193cccec
cf 1b 1e 22 5e 06 a6 36 16 76 4a 06 7b 46 f4 b1 Send_SYN_traffic_key:
IPv6/TCP: fa 5a 21 08 88 2d 39 d0 c7 19 29 17 5a b1 b7 b8
6e 06 15 20 00 73 06 40 fd 00 00 00 00 00 00 00 IP/TCP:
00 00 00 00 00 00 00 02 fd 00 00 00 00 00 00 00
00 00 00 00 00 00 00 01 00 b3 f8 5a a6 74 4e cc
19 3c cd 30 c0 18 01 00 52 f4 00 00 01 01 08 0a
71 da ab d3 13 e4 ab a3 1d 10 54 3d c1 06 9b 7d
fd 3d 69 3a 6d f3 f2 89 ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff 00 43 01 04 fd e8 00 b4
01 01 01 7a 26 02 06 01 04 00 01 00 01 02 02 80
00 02 02 02 00 02 02 42 00 02 06 41 04 00 00 fd
e8 02 08 40 06 00 64 00 01 01 00
MAC: 6e 04 a7 06 00 38 06 40 fd 00 00 00 00 00 00 00
00 00 00 00 00 00 00 01 fd 00 00 00 00 00 00 00
00 00 00 00 00 00 00 02 f8 5a 00 b3 19 3c cc ec
00 00 00 00 e0 02 ff ff de 5d 00 00 02 04 05 a0
01 03 03 08 04 02 08 0a 13 e4 ab 99 00 00 00 00
1d 10 3d 54 59 b5 88 10 74 81 ac 6d c3 92 70 40
c1 06 9b 7d fd 3d 69 3a 6d f3 f2 89 MAC:
]]></artwork></figure>
</section> 59 b5 88 10 74 81 ac 6d c3 92 70 40
]]></sourcecode>
</section>
<section anchor="sect-7.1.2" numbered="true" toc="default">
<name>Receive (Server) SYN-ACK (Covers Options)</name>
<sourcecode type="tcp-ao-test-vectors"><![CDATA[
Server ISN = 0xa6744ecb
</section> Receive_SYN_traffic_key:
<section title="AES-128-CMAC-96 (omits TCP options)" anchor="sect-7.2"><s ection title="Send (client) SYN (omits options)" anchor="sect-7.2.1"> cf 1b 1e 22 5e 06 a6 36 16 76 4a 06 7b 46 f4 b1
<figure><artwork><![CDATA[ IPv6/TCP:
Client ISN = 0xb01da74a
Send_SYN_traffic_key: 6e 06 15 20 00 38 06 40 fd 00 00 00 00 00 00 00
00 00 00 00 00 00 00 02 fd 00 00 00 00 00 00 00
00 00 00 00 00 00 00 01 00 b3 f8 5a a6 74 4e cb
19 3c cc ed e0 12 ff ff ea bb 00 00 02 04 05 a0
01 03 03 08 04 02 08 0a 71 da ab c8 13 e4 ab 99
1d 10 54 3d dc 28 43 a8 4e 78 a6 bc fd c5 ed 80
a9 4f 51 12 63 e4 09 3d 35 dd 81 8c 13 bb bf 53 MAC:
IPv6/TCP: dc 28 43 a8 4e 78 a6 bc fd c5 ed 80
]]></sourcecode>
</section>
<section anchor="sect-7.1.3" numbered="true" toc="default">
<name>Send (Client) Non-SYN (Covers Options)</name>
<sourcecode type="tcp-ao-test-vectors"><![CDATA[
Send_other_traffic_key:
6e 09 3d 76 00 38 06 40 fd 00 00 00 00 00 00 00 61 74 c3 55 7a be d2 75 74 db a3 71 85 f0 03 00
00 00 00 00 00 00 00 01 fd 00 00 00 00 00 00 00
00 00 00 00 00 00 00 02 f2 88 00 b3 b0 1d a7 4a
00 00 00 00 e0 02 ff ff 75 ff 00 00 02 04 05 a0
01 03 03 08 04 02 08 0a 14 27 5b 3b 00 00 00 00
1d 10 3d 54 3d 45 b4 34 2d e8 bb 15 30 84 78 98
MAC: IPv6/TCP:
3d 45 b4 34 2d e8 bb 15 30 84 78 98 6e 04 a7 06 00 73 06 40 fd 00 00 00 00 00 00 00
]]></artwork></figure> 00 00 00 00 00 00 00 01 fd 00 00 00 00 00 00 00
00 00 00 00 00 00 00 02 f8 5a 00 b3 19 3c cc ed
a6 74 4e cc c0 18 01 00 32 80 00 00 01 01 08 0a
13 e4 ab a3 71 da ab c8 1d 10 3d 54 7b 6a 45 5c
0d 4f 5f 01 83 5b aa b3 ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff 00 43 01 04 fd e8 00 b4
01 01 01 79 26 02 06 01 04 00 01 00 01 02 02 80
00 02 02 02 00 02 02 42 00 02 06 41 04 00 00 fd
e8 02 08 40 06 00 64 00 01 01 00
</section> MAC:
<section title="Receive (server) SYN-ACK (omits options)" anchor="sect-7. 7b 6a 45 5c 0d 4f 5f 01 83 5b aa b3
2.2"> ]]></sourcecode>
</section>
<section anchor="sect-7.1.4" numbered="true" toc="default">
<name>Receive (Server) Non-SYN (Covers Options)</name>
<sourcecode type="tcp-ao-test-vectors"><![CDATA[
Receive_other_traffic_key:
<figure><artwork><![CDATA[ cf 1b 1e 22 5e 06 a6 36 16 76 4a 06 7b 46 f4 b1
Server ISN = 0xa6246145
Receive_SYN_traffic_key: IPv6/TCP:
92 de a5 bb c7 8b 1d 9f 5b 29 52 e9 cd 30 64 2a 6e 06 15 20 00 73 06 40 fd 00 00 00 00 00 00 00
00 00 00 00 00 00 00 02 fd 00 00 00 00 00 00 00
00 00 00 00 00 00 00 01 00 b3 f8 5a a6 74 4e cc
19 3c cd 30 c0 18 01 00 52 f4 00 00 01 01 08 0a
71 da ab d3 13 e4 ab a3 1d 10 54 3d c1 06 9b 7d
fd 3d 69 3a 6d f3 f2 89 ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff 00 43 01 04 fd e8 00 b4
01 01 01 7a 26 02 06 01 04 00 01 00 01 02 02 80
00 02 02 02 00 02 02 42 00 02 06 41 04 00 00 fd
e8 02 08 40 06 00 64 00 01 01 00
IPv6/TCP: MAC:
6e 0c 60 0a 00 38 06 40 fd 00 00 00 00 00 00 00 c1 06 9b 7d fd 3d 69 3a 6d f3 f2 89
00 00 00 00 00 00 00 02 fd 00 00 00 00 00 00 00 ]]></sourcecode>
00 00 00 00 00 00 00 01 00 b3 f2 88 a6 24 61 45 </section>
b0 1d a7 4b e0 12 ff ff a7 0c 00 00 02 04 05 a0 </section>
01 03 03 08 04 02 08 0a 17 82 24 5b 14 27 5b 3b <section anchor="sect-7.2" numbered="true" toc="default">
1d 10 54 3d 1d 01 f6 c8 7c 6f 93 ac ff a9 d4 b5 <name>AES-128-CMAC-96 (Omits TCP Options)</name>
<section anchor="sect-7.2.1" numbered="true" toc="default">
<name>Send (Client) SYN (Omits Options)</name>
<sourcecode type="tcp-ao-test-vectors"><![CDATA[
Client ISN = 0xb01da74a
MAC: Send_SYN_traffic_key:
1d 01 f6 c8 7c 6f 93 ac ff a9 d4 b5 a9 4f 51 12 63 e4 09 3d 35 dd 81 8c 13 bb bf 53
]]></artwork></figure>
</section> IPv6/TCP:
<section title="Send (client) non-SYN (omits options)" anchor="sect-7.2.3 6e 09 3d 76 00 38 06 40 fd 00 00 00 00 00 00 00
"> 00 00 00 00 00 00 00 01 fd 00 00 00 00 00 00 00
00 00 00 00 00 00 00 02 f2 88 00 b3 b0 1d a7 4a
00 00 00 00 e0 02 ff ff 75 ff 00 00 02 04 05 a0
01 03 03 08 04 02 08 0a 14 27 5b 3b 00 00 00 00
1d 10 3d 54 3d 45 b4 34 2d e8 bb 15 30 84 78 98
<figure><artwork><![CDATA[ MAC:
Send_other_traffic_key:
4f b2 08 6e 40 2c 67 90 79 ed 65 d4 bf 97 69 3d 3d 45 b4 34 2d e8 bb 15 30 84 78 98
]]></sourcecode>
</section>
<section anchor="sect-7.2.2" numbered="true" toc="default">
<name>Receive (Server) SYN-ACK (Omits Options)</name>
<sourcecode type="tcp-ao-test-vectors"><![CDATA[
Server ISN = 0xa6246145
IPv6/TCP: Receive_SYN_traffic_key:
6e 09 3d 76 00 73 06 40 fd 00 00 00 00 00 00 00 92 de a5 bb c7 8b 1d 9f 5b 29 52 e9 cd 30 64 2a
00 00 00 00 00 00 00 01 fd 00 00 00 00 00 00 00
00 00 00 00 00 00 00 02 f2 88 00 b3 b0 1d a7 4b
a6 24 61 46 c0 18 01 00 c3 6d 00 00 01 01 08 0a
14 27 5b 4f 17 82 24 5b 1d 10 3d 54 29 0c f4 14
cc b4 7a 33 32 76 e7 f8 ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff 00 43 01 04 fd e8 00 b4
01 01 01 79 26 02 06 01 04 00 01 00 01 02 02 80
00 02 02 02 00 02 02 42 00 02 06 41 04 00 00 fd
e8 02 08 40 06 00 64 00 01 01 00
MAC: IPv6/TCP:
29 0c f4 14 cc b4 7a 33 32 76 e7 f8 6e 0c 60 0a 00 38 06 40 fd 00 00 00 00 00 00 00
]]></artwork></figure> 00 00 00 00 00 00 00 02 fd 00 00 00 00 00 00 00
00 00 00 00 00 00 00 01 00 b3 f2 88 a6 24 61 45
b0 1d a7 4b e0 12 ff ff a7 0c 00 00 02 04 05 a0
01 03 03 08 04 02 08 0a 17 82 24 5b 14 27 5b 3b
1d 10 54 3d 1d 01 f6 c8 7c 6f 93 ac ff a9 d4 b5
</section> MAC:
<section title="Receive (server) non-SYN (omits options)" anchor="sect-7. 1d 01 f6 c8 7c 6f 93 ac ff a9 d4 b5
2.4"> ]]></sourcecode>
</section>
<section anchor="sect-7.2.3" numbered="true" toc="default">
<name>Send (Client) Non-SYN (Omits Options)</name>
<sourcecode type="tcp-ao-test-vectors"><![CDATA[
Send_other_traffic_key:
<figure><artwork><![CDATA[ 4f b2 08 6e 40 2c 67 90 79 ed 65 d4 bf 97 69 3d
Receive_other_traffic_key:
92 de a5 bb c7 8b 1d 9f 5b 29 52 e9 cd 30 64 2a IPv6/TCP:
IPv6/TCP: 6e 09 3d 76 00 73 06 40 fd 00 00 00 00 00 00 00
00 00 00 00 00 00 00 01 fd 00 00 00 00 00 00 00
00 00 00 00 00 00 00 02 f2 88 00 b3 b0 1d a7 4b
a6 24 61 46 c0 18 01 00 c3 6d 00 00 01 01 08 0a
14 27 5b 4f 17 82 24 5b 1d 10 3d 54 29 0c f4 14
cc b4 7a 33 32 76 e7 f8 ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff 00 43 01 04 fd e8 00 b4
01 01 01 79 26 02 06 01 04 00 01 00 01 02 02 80
00 02 02 02 00 02 02 42 00 02 06 41 04 00 00 fd
e8 02 08 40 06 00 64 00 01 01 00
6e 0c 60 0a 00 73 06 40 fd 00 00 00 00 00 00 00 MAC:
00 00 00 00 00 00 00 02 fd 00 00 00 00 00 00 00
00 00 00 00 00 00 00 01 00 b3 f2 88 a6 24 61 46
b0 1d a7 8e c0 18 01 00 34 51 00 00 01 01 08 0a
17 82 24 65 14 27 5b 4f 1d 10 54 3d 99 51 5f fc
d5 40 34 99 f6 19 fd 1b ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff 00 43 01 04 fd e8 00 b4
01 01 01 7a 26 02 06 01 04 00 01 00 01 02 02 80
00 02 02 02 00 02 02 42 00 02 06 41 04 00 00 fd
e8 02 08 40 06 00 64 00 01 01 00
MAC: 29 0c f4 14 cc b4 7a 33 32 76 e7 f8
]]></sourcecode>
</section>
<section anchor="sect-7.2.4" numbered="true" toc="default">
<name>Receive (Server) Non-SYN (Omits Options)</name>
<sourcecode type="tcp-ao-test-vectors"><![CDATA[
Receive_other_traffic_key:
99 51 5f fc d5 40 34 99 f6 19 fd 1b 92 de a5 bb c7 8b 1d 9f 5b 29 52 e9 cd 30 64 2a
]]></artwork></figure>
</section> IPv6/TCP:
</section> 6e 0c 60 0a 00 73 06 40 fd 00 00 00 00 00 00 00
00 00 00 00 00 00 00 02 fd 00 00 00 00 00 00 00
00 00 00 00 00 00 00 01 00 b3 f2 88 a6 24 61 46
b0 1d a7 8e c0 18 01 00 34 51 00 00 01 01 08 0a
17 82 24 65 14 27 5b 4f 1d 10 54 3d 99 51 5f fc
d5 40 34 99 f6 19 fd 1b ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff 00 43 01 04 fd e8 00 b4
01 01 01 7a 26 02 06 01 04 00 01 00 01 02 02 80
00 02 02 02 00 02 02 42 00 02 06 41 04 00 00 fd
e8 02 08 40 06 00 64 00 01 01 00
</section> MAC:
<section title="Observed Implementation Errors" anchor="sect-8"><t> 99 51 5f fc d5 40 34 99 f6 19 fd 1b
]]></sourcecode>
</section>
</section>
</section>
<section anchor="sect-8" numbered="true" toc="default">
<name>Observed Implementation Errors</name>
<t keepWithNext="true">
The following is a partial list of implementation errors that this The following is a partial list of implementation errors that this
set of test vectors is intended to validate.</t> set of test vectors is intended to validate.</t>
<section anchor="sect-8.1" numbered="true" toc="default">
<section title="Algorithm issues" anchor="sect-8.1"><t><list style="symbo <name>Algorithm Issues</name>
ls"><t>Underlying implementation of HMAC-SHA-1-96 or AES-128-CMAC-96 <ul spacing="normal">
does not pass their corresponding test vectors <xref target="RFC2202"/> <li>The underlying implementation of HMAC-SHA-1-96 or AES-128-CMAC-96
<xref target="RFC4493"/></t> does not pass their corresponding test vectors <xref target="RFC2202" form
at="default"/>
<t>The SNE algorithm does not consider corner cases, possibly <xref target="RFC4493" format="default"/>.</li>
because the pseudocode in <xref target="RFC5925"/> was not intended as com <li>The SNE algorithm does not consider corner cases, possibly
plete, because the pseudocode in <xref target="RFC5925" format="default"/> was no
as discussed in <xref target="RFC9187"/>, the latter of which includes its t intended as complete,
own as discussed in <xref target="RFC9187" format="default"/>, the latter of w
validation sequence.</t> hich includes its own
validation sequence.</li>
</list> </ul>
</t> </section>
<section anchor="sect-8.2" numbered="true" toc="default">
</section> <name>Algorithm Parameters</name>
<ul spacing="normal">
<section title="Algorithm parameters" anchor="sect-8.2"><t><list style="s <li>KDF context length is incorrect, e.g., it does not include TCP
ymbols"><t>KDF context length is incorrect, e.g., it does not include TCP header length + payload length (it should, per
header length + payload length (it should, per 5.2 of TCP-AO <xref target="RFC5925" section="5.2" sectionFormat="of">TCP-AO</xref>).</l
<xref target="RFC5925"/>)</t> i>
<li>KDF calculation does not start from counter i = 1 (it should, per
<t>KDF calculation does not start from counter i = 1 (it should, per <xref target="RFC5926" sectionFormat="of" section="3.1.1">TCP-AO crypto al
Sec. 3.1.1 of the TCP-AO crypto algorithms <xref target="RFC5926"/>)</t> gorithms</xref>).</li>
<li>KDF calculation does not include output length in bits, contained
<t>KDF calculation does not include output length in bits, contained in two bytes in network byte order (it should, per <xref target="RFC5926"
in two bytes in network byte order (it should, per Sec. 3.1.1 of sectionFormat="of" section="3.1.1">the TCP-AO crypto algorithms</xref>).</li>
the TCP-AO crypto algorithms <xref target="RFC5926"/>)</t> <li>KDF uses keys generated from current TCP segment sequence numbers
<t>KDF uses keys generated from current TCP segment sequence numbers
(KDF should use only local and remote ISNs or zero, as indicated (KDF should use only local and remote ISNs or zero, as indicated
in Sec. 5.2 of TCP-AO <xref target="RFC5925"/>)</t> in <xref target="RFC5925" sectionFormat="of" section ="5.2">TCP-AO</xref>)
.</li>
</list> </ul>
</t> </section>
<section anchor="sect-8.3" numbered="true" toc="default">
</section> <name>String Handling Issues</name>
<t>
<section title="String handling issues" anchor="sect-8.3"><t>
The strings indicated in TCP-AO and its algorithms are indicated as The strings indicated in TCP-AO and its algorithms are indicated as
a sequence of bytes of known length. In some implementations, string a sequence of bytes of known length. In some implementations, string
lengths are indicated by a terminal value (e.g., zero in C). This lengths are indicated by a terminal value (e.g., zero in C). This
terminal value is not included as part of the string for terminal value is not included as part of the string for
calculations.</t> calculations.</t>
<ul spacing="normal">
<t><list style="symbols"><t>Password includes the last zero-byte (it shou <li>The password includes the last zero-byte (it should not).</li>
ld not)</t> <li>The label "TCP-AO" includes the last zero byte (it should not).</l
i>
<t>Label "TCP-AO" includes the last zero byte (it should not)</t> </ul>
</section>
</list> <section anchor="sect-8.4" numbered="true" toc="default">
</t> <name>Header Coverage Issues</name>
<ul spacing="normal">
</section> <li>TCP checksum and/or MAC is not zeroed properly before calculation
(both should be).</li>
<section title="Header coverage issues" anchor="sect-8.4"><t><list style= <li>TCP header is not included in the MAC calculation (it should be).<
"symbols"><t>TCP checksum and/or MAC is not zeroed properly before calculation /li>
(both should be)</t> <li>TCP options are not included in the MAC calculation by default.</l
i>
<t>TCP header is not included in the MAC calculation (it should be)</t> </ul>
<t>
<t>TCP options are not included in the MAC calculation by default.</t>
</list>
</t>
<t>
There is a separate parameter in the Master Key Tuple (MKT) There is a separate parameter in the Master Key Tuple (MKT)
<xref target="RFC5925"/> to ignore options; this document provides test vecto rs for <xref target="RFC5925" format="default"/> to ignore options; this document pr ovides test vectors for
both options-included and options-excluded cases.</t> both options-included and options-excluded cases.</t>
</section>
</section> </section>
<section anchor="sect-9" numbered="true" toc="default">
</section> <name>Security Considerations</name>
<t>
<section title="Security Considerations" anchor="sect-9"><t>
This document is intended to assist in the validation of This document is intended to assist in the validation of
implementations of TCP-AO, to further enable its more widespread use implementations of TCP-AO to further enable its more widespread use
as a security mechanism to authenticate not only TCP payload as a security mechanism to authenticate not only TCP payload
contents but the TCP headers and protocol.</t> contents but the TCP headers and protocol.</t>
<t>
<t>
The Master_Key of "testvector" used here for test vector generation The Master_Key of "testvector" used here for test vector generation
SHOULD NOT be used operationally.</t> <bcp14>SHOULD NOT</bcp14> be used operationally.</t>
</section>
</section> <section anchor="sect-10" numbered="true" toc="default">
<name>IANA Considerations</name>
<section title="IANA Considerations" anchor="sect-10"><t> <t>This document has no IANA actions.</t>
This document contains no IANA issues. This section should be </section>
removed upon publication as an RFC.</t> </middle>
<back>
</section> <references>
<name>References</name>
</middle> <references>
<name>Normative References</name>
<back> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
<references title="Normative References"> FC.0791.xml"/>
&RFC0791; <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
&RFC0793; FC.0793.xml"/>
&RFC2018; <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
&RFC2119; FC.2018.xml"/>
&RFC5925; <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
&RFC5926; FC.2119.xml"/>
&RFC6978; <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
&RFC7323; FC.5925.xml"/>
&RFC8174; <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
&RFC8200; FC.5926.xml"/>
</references> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
<references title="Informative References"> FC.6978.xml"/>
&RFC2202; <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
&RFC4493; FC.7323.xml"/>
&RFC9187; <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
</references> FC.8174.xml"/>
<section title="Acknowledgments" anchor="sect-12"><t> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
This document was prepared using 2-Word-v2.0.template.dot.</t> FC.8200.xml"/>
</references>
<t>This work benefitted from feedback from Russ Housley and Michael Scharf, as w <references>
ell as discussions on the IETF TCPM email list and the IESG.</t> <name>Informative References</name>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.2202.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.4493.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.9187.xml"/>
</references>
</references>
<section anchor="sect-12" numbered="false" toc="default">
<name>Acknowledgments</name>
<t>This work benefited from feedback from <contact fullname="Russ Housley"
/> and <contact fullname="Michael Scharf"/> as well as discussions on the IETF T
CPM email list and with the IESG.</t>
<t>This document was initially prepared using 2-Word-v2.0.template.d
ot.</t>
</section>
</back>
</section> <!-- [rfced] Please review the "Inclusive Language" portion of the online
Style Guide <https://www.rfc-editor.org/styleguide/part2/#inclusive_language>
and let us know if any changes are needed.
</back> For example, please consider whether "master" should be updated.
-->
</rfc> </rfc>
 End of changes. 213 change blocks. 
1019 lines changed or deleted 917 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/