TCP-AO Test Vectors

Document Type Replaced Internet-Draft (individual)
Authors Joseph Touch  , Juhamatti Kuusisaari 
Last updated 2020-12-23
Replaced by draft-ietf-tcpm-ao-test-vectors
Stream (None)
Intended RFC status (None)
Expired & archived
pdf htmlized bibtex
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Replaced by draft-ietf-tcpm-ao-test-vectors
Telechat date
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


This document provides test vectors to validate implementations of the two mandatory authentication algorithms specified for the TCP Authentication Option over both IPv4 and IPv6. This includes validation of the key derivation function (KDF) based on a set of test connection parameters as well as validation of the message authentication code (MAC). Vectors are provided for both currently required pairs of KDF and MAC algorithms: one based on SHA-1 and the other on AES-128. The vectors also validate both whole TCP segments as well as segments whose options are excluded for NAT traversal.


Joseph Touch (
Juhamatti Kuusisaari (

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)