Tuesday, July 8, 2008
A small change in direction
I now believe that I was previously too quixotic about getting changes into TCP and I'm exploring a different approach for now. Previously, the kernel handled almost everything: key exchange (using long options), encryption and signing. Now I'm leaning towards a setup where the kernel provides a generic way to include a payload in SYNACK packets. This turns up in normal read() calls in userspace (if userspace has requested it). Now, the key exchange can be performed in userspace, as can the encryption, and we end up with fewer TCP changes.
Signing still needs to be performed in the kernel, however, as it needs to protect the whole packet (to stop RST attacks etc). For this, I'm hoping that the TCP-AO standard (which replaces TCP MD5) will suffice. Sadly, the TCP-AO draft authors are being very quiet.

All in all, I don't expect a lot of movement until the fall IETF meeting, which I hope to attend.
There will be kernel patches before then, however.
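To make the split in the post concrete, here is a small toy model (added here, not the post's code or any of the kernel patches it mentions) of why the signing step cannot follow the key exchange and encryption into userspace. A userspace layer only ever sees the bytes that come back from read(), so it can sign payloads but has no way to see, let alone verify, an RST segment, which carries no payload and is acted on by the kernel's input path before any data reaches a socket. The model compares a payload-only MAC with an in-kernel MAC over header plus payload (the rough scope of a TCP-AO style signature; the encoding below is a simplification, not the draft's). The segment dicts, addresses and key are constructed for the example.

```python
"""Toy model of in-kernel versus userspace segment signing (constructed example)."""
import hashlib
import hmac
from typing import Dict

# Constructed shared key. In the post's design this would come out of the
# userspace key exchange and be handed to the kernel for the signing step.
KEY = b"constructed-demo-key"


def make_segment(src: str, dst: str, seq: int, flags: str, payload: bytes) -> Dict:
    """A TCP segment reduced to the fields this model needs (not a real packet)."""
    return {"src": src, "dst": dst, "seq": seq, "flags": flags, "payload": payload}


def _header_bytes(seg: Dict) -> bytes:
    """Canonical encoding of the header fields a forged RST would carry."""
    return "|".join([seg["src"], seg["dst"], str(seg["seq"]), seg["flags"]]).encode()


def mac_payload_only(seg: Dict, key: bytes = KEY) -> bytes:
    """All a purely userspace signer can cover: the bytes it sees from read()."""
    return hmac.new(key, seg["payload"], hashlib.sha256).digest()


def mac_whole_segment(seg: Dict, key: bytes = KEY) -> bytes:
    """What an in-kernel signer can cover: header fields plus payload."""
    msg = _header_bytes(seg) + b"\x00" + seg["payload"]
    return hmac.new(key, msg, hashlib.sha256).digest()


def kernel_receive(seg: Dict, kernel_signing: bool, key: bytes = KEY) -> str:
    """Model of the kernel's TCP input path.

    Returns 'drop' if the kernel verifies a whole-segment MAC and it fails,
    'reset' if an RST is acted on, and 'deliver' if data goes up to userspace.
    With kernel_signing=False the kernel checks nothing: signing lives in
    userspace, which never sees an RST at all.
    """
    if kernel_signing:
        expected = mac_whole_segment(seg, key)
        if not hmac.compare_digest(seg.get("mac", b""), expected):
            return "drop"  # never touches connection state
    if "R" in seg["flags"]:
        return "reset"  # acted on here; userspace is simply told the connection died
    return "deliver"


def rst_outcome(kernel_signing: bool) -> str:
    """Outcome of a blind RST (no key, no MAC) against each design."""
    rst = make_segment("10.0.0.2:80", "10.0.0.1:4000", 1000, "R", b"")
    return kernel_receive(rst, kernel_signing)


def signed_data_outcome() -> str:
    """A genuine, kernel-signed data segment still gets through."""
    seg = make_segment("10.0.0.2:80", "10.0.0.1:4000", 1000, "PA", b"hello")
    seg["mac"] = mac_whole_segment(seg)
    return kernel_receive(seg, kernel_signing=True)


def mac_survives_flag_change(mac_fn) -> bool:
    """True if flipping a header flag leaves the MAC valid, i.e. the MAC does
    not bind the header and cannot protect against header-level attacks."""
    seg = make_segment("10.0.0.2:80", "10.0.0.1:4000", 1000, "PA", b"hello")
    tag = mac_fn(seg)
    tampered = dict(seg, flags="R")
    return hmac.compare_digest(tag, mac_fn(tampered))


if __name__ == "__main__":
    print("blind RST, signing in userspace only:", rst_outcome(False))
    print("blind RST, signing in kernel:        ", rst_outcome(True))
    print("genuine signed data, kernel signing: ", signed_data_outcome())
    print("payload-only MAC survives flag flip: ", mac_survives_flag_change(mac_payload_only))
    print("whole-segment MAC survives flag flip:", mac_survives_flag_change(mac_whole_segment))
```

The two MAC functions show the second half of the argument: a payload-only tag is identical before and after the flags field changes, so even if the kernel were somehow handed that tag it would not bind the header, whereas the whole-segment tag changes with any header field and lets the kernel drop a segment that was not produced by the key holder.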