Iljitsch in his review raises the following issue: my comments are inline
The result of this consistent mapping is that there is no impact on the ULPs. In particular, there is no impact on pseudo-header checksums and connection identification.The problem here is that some intermediate system, such as a firewall or a smart NIC, may take it upon itself to check the TCP or UDP checksum and discard the packet if the checksum fails.
how common is this practice? is this widely used?
For firewalls and the like, the best thing is probably either to fully monitor the shim state so they can do this properly, or forego such checking if a shim header is present.
yes, this is probably useful in terms of security also, just like in the case to TCP connections, where the firewall can decide to accept segments of connections for which the firewall have previosuly seen SYN exchange
do you think we should add text about this? (if you do, please send text)
For NICs a better solution would be to do an incremental checksum verification and only over the ULP segment, so that the host stack must complete the calculation by applying the increment from the pseudo header, which can largely be cached, so the performance advantages are almost completely preserved
i don't understand what do you mean by incremental checksum verification... could you expand on this?