TCP Interactions with Key Mgmt

On segment transmit
  - Request tuple from TSAD (including # bytes to process)
  - If no TSAD entry, no key tuples or MAC of NONE, send w/o TCP-AO option
  - Otherwise, perform MAC and add TCP-AO

On segment receipt
  - Request tuple from TSAD (including # bytes to process)
  - Various considerations of tuple exists or not, MAC is NONE or not, TCP-AO is present or not, where most errors result in silent drop or silent accept
  - Validation failures are silently dropped (& indicated to TSAD?)
  - Process segment as usual (in window, etc.)
  - No pre-processing to avoid exhaustion from spoofed packets
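The transmit and receive decisions above, modeled as an added example (not code from the slides or from any TCP-AO implementation). Assumptions: the names KeyTuple, tsad_request, on_transmit and on_receive, HMAC-SHA-1 truncated to 96 bits as the MAC, a TSAD that only records the byte count, and silent accept when a TCP-AO option arrives but no MAC is configured.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class KeyTuple:
    mac_alg: Optional[str]   # None models "MAC of NONE"
    key: bytes = b""
    bytes_seen: int = 0      # assumption: the TSAD only records the byte count

# Constructed TSAD contents: connection id -> key tuple.
# A missing id models "no TSAD entry / no key tuples".
TSAD = {
    "peer-a": KeyTuple("hmac-sha1-96", b"constructed-demo-key"),
    "peer-b": KeyTuple(None),
}

def tsad_request(conn: str, nbytes: int) -> Optional[KeyTuple]:
    """Request the tuple for conn, passing the number of bytes to process."""
    entry = TSAD.get(conn)
    if entry is not None:
        entry.bytes_seen += nbytes
    return entry

def compute_mac(entry: KeyTuple, segment: bytes) -> bytes:
    # Assumption: HMAC-SHA-1 truncated to 96 bits over the raw segment bytes.
    return hmac.new(entry.key, segment, hashlib.sha1).digest()[:12]

def on_transmit(conn: str, segment: bytes) -> Tuple[bytes, Optional[bytes]]:
    """Return (segment, MAC for TCP-AO), or (segment, None) if sent without it."""
    entry = tsad_request(conn, len(segment))
    if entry is None or entry.mac_alg is None:
        return segment, None
    return segment, compute_mac(entry, segment)

def on_receive(conn: str, segment: bytes, ao_mac: Optional[bytes]) -> str:
    """Return 'accept' (go on to window checks etc.) or 'drop' (silent)."""
    entry = tsad_request(conn, len(segment))
    if entry is None or entry.mac_alg is None:
        # Assumption: an unexpected TCP-AO option is ignored (silent accept).
        return "accept"
    if ao_mac is None:
        return "drop"            # MAC required but option absent
    # Constant-time comparison so the check does not leak matching prefixes.
    if not hmac.compare_digest(ao_mac, compute_mac(entry, segment)):
        return "drop"            # validation failure, no reply is sent
    return "accept"
```
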