[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: about the ULID in the TCP checksum

To: marcelo bagnulo braun <marcelo@it.uc3m.es>
Subject: Re: about the ULID in the TCP checksum
From: Iljitsch van Beijnum <iljitsch@muada.com>
Date: Tue, 2 Jan 2007 15:27:34 +0100
Cc: shim6-wg <shim6@psg.com>
In-reply-to: <0c04a20019e39a23b5fb232fe276cb98@it.uc3m.es>
References: <0c04a20019e39a23b5fb232fe276cb98@it.uc3m.es>

On 28-dec-2006, at 18:57, marcelo bagnulo braun wrote:

The problem here is that some intermediate system, such as afirewall or a smart NIC, may take it upon itself to check the TCPor UDP checksum and discard the packet if the checksum fails.

how common is this practice? is this widely used?

Certainly not with IPv6. But checksumming NICs are very common forIPv4 so I'm sure we'll have those for IPv6 too in the future. And atone point, PIX firewalls would truncate DNS packets that were longerthan 512 bytes, creating much mayham with EDNS0. So I have a healthysuspicion of firewall builders.

For firewalls and the like, the best thing is probably either tofully monitor the shim state so they can do this properly, orforego such checking if a shim header is present.

yes, this is probably useful in terms of security also, just likein the case to TCP connections, where the firewall can decide toaccept segments of connections for which the firewall havepreviosuly seen SYN exchange

do you think we should add text about this? (if you do, please sendtext)

"Firewalls and other middleboxes SHALL NOT drop TCP, UDP and ICMPpackets with apparently incorrect checksums based on that fact aloneunless they implement (monitoring of) the full shim6 protocol and areable to determine the checksum that must be present in a packet withaddresses rewritten by shim6."

For NICs a better solution would be to do an incremental checksumverification and only over the ULP segment, so that the host stackmust complete the calculation by applying the increment from thepseudo header, which can largely be cached, so the performanceadvantages are almost completely preserved

i don't understand what do you mean by incremental checksumverification... could you expand on this?

The checksum is defined as the one's complement of the one'scomplement additions of the 16-bit words making up the pseudo-headerand the TCP/UDP/ICMP segment. So you could calculate it this way:


//  0  start
chksm = 0;

//  1  pseudoheader
for (i = 0; i < pseudo.length; i++)
  chcksm = 1cmpadd(chcksm, pseudo.hdr[i]);

//  2  TCP
for (i = 0; i < tcp.length; i++)
  chcksm = 1cmpadd(chcksm, tcp.data[i]);

//  3  check
if (1cmp(chcksm) == tcp.checksum)
  return happy;
else
  return sad;

As far as I can tell, NICs can do parts 0 - 2 and leave 3 up to theIP stack. This method isn't compatible with shim6 because then theNIC would have to be aware of the address rewriting. However, itwouldn't be hard to do 0 and 1 in the IP stack, 2 in the NIC and 3 inthe IP stack again. Since the pseudoheader is always the same for asession, this part can be pre-computed, so the only part thatactually requires real work is checking the TCP/UDP/ICMP segment,which is exactly the part that still happens in the NIC, soperformance can be the same but now everything is shim-compatible.

Follow-Ups:
- Re: about the ULID in the TCP checksum
  - From: Brian E Carpenter <brc@zurich.ibm.com>

References:
- about the ULID in the TCP checksum
  - From: marcelo bagnulo braun <marcelo@it.uc3m.es>

Prev by Date: Re: length of shim6 control mesages
Next by Date: Re: shim6-proto-07 review
Previous by thread: Re: about the ULID in the TCP checksum
Next by thread: Re: about the ULID in the TCP checksum
Index(es):
- Date
- Thread