Those wishing to learn more about the TCP Authentication Option feature can see the IETF.org RFC5925 spec.
To answer the questions posed here:
Why do I need this when I have TLS?
(TLS) [RFC5246], Secure BGP (sBGP) or Secure Origin BGP (soBGP)
[Le09], or any other mechanisms that protect only the TCP data
stream. TCP-AO protects the transport layer, preventing attacks from
disabling the TCP connection itself [RFC4953].
This new standard seems like a really, really stupid idea that's going to backfire on a massive scale if it gets adopted widely enough, due to the eventuality of misconfigurations where people will discard dealing with authentication in higher levels of the stack.
TCP-AO has no business existing. It should be up to the higher layers to create whatever mechanism they like to ensure auth or encrypt or both
One of the problem statements-- the reasons behind this spec-- can be found, in part, here.
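Added example, not part of the original post or of RFC 5925: a simplified Python model of the per-segment check behind the quoted "protects the transport layer" point, showing that a reset segment is dropped unless its MAC verifies over the TCP header itself. It assumes a ready-made traffic key and omits the TCP-AO option encoding and key derivation; all addresses, ports, keys and payloads are constructed.

```python
import hashlib
import hmac
import socket
import struct

RST, ACK = 0x04, 0x10
MAC_LEN = 12  # HMAC-SHA-1 truncated to 96 bits


def tcp_header(sport, dport, seq, ack, flags):
    """20-byte TCP header without options; checksum is zero for MAC input."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (5 << 12) | flags, 65535, 0, 0)


def segment_mac(key, src, dst, header, data=b"", sne=0):
    """MAC over SNE, IPv4 pseudo-header, TCP header and payload."""
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(header) + len(data)))
    msg = struct.pack("!I", sne) + pseudo + header + data
    return hmac.new(key, msg, hashlib.sha1).digest()[:MAC_LEN]


def accept_segment(key, src, dst, header, data, mac):
    """Receiver check: a segment with a missing or wrong MAC is dropped."""
    if mac is None:
        return False
    return hmac.compare_digest(segment_mac(key, src, dst, header, data), mac)


def demo():
    key = b"constructed-traffic-key"       # constructed; real keys come from a KDF
    src, dst = "192.0.2.1", "192.0.2.2"    # documentation addresses (constructed)
    data = b"constructed payload"
    legit = tcp_header(179, 50000, 1000, 2000, ACK)
    rst = tcp_header(179, 50000, 1000, 2000, RST)  # reset sent without the key
    good_mac = segment_mac(key, src, dst, legit, data)
    return {
        "legit": accept_segment(key, src, dst, legit, data, good_mac),
        "rst_without_mac": accept_segment(key, src, dst, rst, b"", None),
        "rst_with_copied_mac": accept_segment(key, src, dst, rst, b"", good_mac),
        "rst_with_wrong_key": accept_segment(
            key, src, dst, rst, b"", segment_mac(b"wrong", src, dst, rst)),
    }


if __name__ == "__main__":
    print(demo())
```

A MAC computed at the TLS layer covers only record contents, so it gives the receiver no equivalent way to reject the reset segment.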