Best current practices for TCP-ENO configuration

Document Type: Expired Internet-Draft (individual)
Authors: Andrea Bittau, Daniel Giffin, David Mazieres
Last updated: 2016-09-03 (latest revision 2016-03-02)
Stream: (None)
Intended RFC status: (None)
Expired & archived
Stream state: (No stream defined)
Consensus Boilerplate: Unknown
RFC Editor Note: (None)
IESG state: Expired
Telechat date:
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


TCP-ENO negotiates encryption of TCP connections, protecting legacy applications and protocols from passive eavesdropping. TCP-ENO generally falls back to unencrypted TCP when not supported by both endpoints or the network. Nonetheless, certain middlebox behavior could cause TCP connections to fail entirely in conjunction with TCP-ENO. This document specifies conventions for servers against which TCP-ENO machines can test network paths for TCP-ENO compatibility, and describes the best current practice for enabling TCP-ENO only when it is unlikely to cause connection failure.


Andrea Bittau (
Daniel Giffin (
David Mazieres (

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)