This new standard seems like a really, really stupid idea that's going to backfire on a massive scale if it gets adopted widely enough, due to the eventuality of misconfigurations where people will discard dealing with authentication in higher levels of the stack.

I agree. There are layers in networks for a reason and look at how ipsec has seen limited adoption and can be a real PITA for when authentication was shoved into layer 3 instead of layer 4.

Why do I need this when I have TLS?

To handle the auth upon the creation of the connection itself, rather than just encrypt the traffic.

Don't plug in cables: done.

Hi. I'm the author of RFC-1535, which has nothing to do with this, but it beats putting in the obligatory resume comments "I've been doing this for umpteen diggity years..."

Layer4 has no business doing anything other than layer4. TCP-AO has no business existing. It should be up to the higher layers to create whatever mechanism they like to ensure auth or encrypt or both. UID313 mentioned TLS. TLS, SSL, and other mechanisms exist for a reason, and they are great (i.e. they do their job well). There's no need and it's designologically bad to move that functionality to L4 or lower.

Well then, looking at *this* particular RFC provides an explanation why it is introduced on the TCP layer, namely to counter spoofing attacks. This is something that obviously can not be handled on higher layers.

I think you're conflating L4 wtth L3. In neither case is it the responsibility of the lower layer to prevent its use. That's where layer violation occurs. What you call spoofing is a useful part of reliable network setrvices.

TCP-AO is not a new concept it's the successor of rfc2385, however since the usage of MD5 for security features is nowadays kinda sketchy, it's sensible to find a successor that uses a more modern algorithm and is ideally also not forced into using this one algorithm till the end of dawn.

Also what is your issue with an implementation in layer3? Having the option to authenticate the TCP stream itself make many attacks a lot harder to perform, as it's not that easy to spoof TCP anymore. Yes ideally the layers above should handle every possible spoofing attack, however it's still an added security by deafault feature. While adoption on hardware will take time, especially with moderns DPU's however it soudln't be an issue to deploy this at scale, even with todays hardware. Despite from the stuggle to implement this, I only see improvements to the internet, if this get's widespread usage.