TCP-ENO: Encryption Negotiation Option
RFC 8547
Internet Engineering Task Force (IETF) A. Bittau
Request for Comments: 8547 Google
Category: Experimental D. Giffin
ISSN: 2070-1721 Stanford University
M. Handley
University College London
D. Mazieres
Stanford University
E. Smith
Kestrel Institute
May 2019
Abstract
Despite growing adoption of TLS, a significant fraction of TCP
traffic on the Internet remains unencrypted. The persistence of
unencrypted traffic can be attributed to at least two factors.
First, some legacy protocols lack a signaling mechanism (such as a
STARTTLS command) by which to convey support for encryption, thus
making incremental deployment impossible. Second, legacy
applications themselves cannot always be upgraded and therefore
require a way to implement encryption transparently entirely within
the transport layer. The TCP Encryption Negotiation Option (TCP-ENO)
addresses both of these problems through a new TCP option kind
providing out-of-band, fully backward-compatible negotiation of
encryption.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for examination, experimental implementation, and
evaluation.
This document defines an Experimental Protocol for the Internet
community. This document is a product of the Internet Engineering
Task Force (IETF). It represents the consensus of the IETF
community. It has received public review and has been approved for
publication by the Internet Engineering Steering Group (IESG). Not
all documents approved by the IESG are candidates for any level of
Internet Standard; see Section 2 of RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc8547.
Bittau, et al. Experimental [Page 1]
RFC 8547 TCP Encryption Negotiation Option May 2019
Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. Design Goals . . . . . . . . . . . . . . . . . . . . . . 4
2. Requirements Language . . . . . . . . . . . . . . . . . . . . 5
3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5
4. TCP-ENO Specification . . . . . . . . . . . . . . . . . . . . 6
4.1. ENO Option . . . . . . . . . . . . . . . . . . . . . . . 7
4.2. The Global Suboption . . . . . . . . . . . . . . . . . . 9
4.3. TCP-ENO Roles . . . . . . . . . . . . . . . . . . . . . . 10
4.4. Specifying Suboption Data Length . . . . . . . . . . . . 11
4.5. The Negotiated TEP . . . . . . . . . . . . . . . . . . . 12
4.6. TCP-ENO Handshake . . . . . . . . . . . . . . . . . . . . 13
4.7. Data in SYN Segments . . . . . . . . . . . . . . . . . . 14
4.8. Negotiation Transcript . . . . . . . . . . . . . . . . . 16
5. Requirements for TEPs . . . . . . . . . . . . . . . . . . . . 16
5.1. Session IDs . . . . . . . . . . . . . . . . . . . . . . . 18
6. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 19
7. Future Developments . . . . . . . . . . . . . . . . . . . . . 21
8. Design Rationale . . . . . . . . . . . . . . . . . . . . . . 22
8.1. Handshake Robustness . . . . . . . . . . . . . . . . . . 22
8.2. Suboption Data . . . . . . . . . . . . . . . . . . . . . 22
8.3. Passive Role Bit . . . . . . . . . . . . . . . . . . . . 22