Re: about the ULID in the TCP checksum

[Brian E Carpenter <brc@zurich.ibm.com>]

On 2006-12-28 18:57, marcelo bagnulo braun wrote:
> Iljitsch in his review raises the following issue:
>
> my comments are inline
>
> >    The result of this consistent mapping is that there is no impact on
> >    the ULPs.  In particular, there is no impact on pseudo-header
> >    checksums and connection identification.
> >
> >
> > The problem here is that some intermediate system, such as a firewall 
> > or a smart NIC, may take it upon itself to check the TCP or UDP 
> > checksum and discard the packet if the checksum fails.
>
> how common is this practice? is this widely used?

I've not heard of firewalls doing this, but TCP relays are a known
form of evil - probably shim6 would not work on such a path.

TCP/IP offload mechanisms in general will have to be shim6-aware,
for sure. This is going to be very common in server clusters.

(In general, do we need a TCP/shim6 probing procedure, to check
whether a path actually works?)

    Brian
> >  For firewalls and the like, the best thing is probably either to 
> > fully monitor the shim state so they can do this properly, or forego 
> > such checking if a shim header is present.
>
> yes, this is probably useful in terms of security also, just like in the 
> case to TCP connections, where the firewall can decide to accept 
> segments of connections for which the firewall have previosuly seen SYN 
> exchange
>
> do you think we should add text about this? (if you do, please send text)
>
> > For NICs a better solution would be to do an incremental checksum 
> > verification and only over the ULP segment, so that the host stack 
> > must complete the calculation by applying the increment from the 
> > pseudo header, which can largely be cached, so the performance 
> > advantages are almost completely preserved
>
> i don't understand what do you mean by incremental checksum 
> verification... could you expand on this?