[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Wrap-up: TCP checksum calculation

To: Erik Nordmark <erik.nordmark@sun.com>
Subject: Re: Wrap-up: TCP checksum calculation
From: marcelo bagnulo braun <marcelo@it.uc3m.es>
Date: Wed, 14 Mar 2007 11:53:17 +0100
Cc: Iljitsch van Beijnum <iljitsch@muada.com>, Brian E Carpenter <brc@zurich.ibm.com>, shim6-wg <shim6@psg.com>, Thomas R Henderson <thomas.r.henderson@boeing.com>, Geoff Huston <gih@apnic.net>
In-reply-to: <45F7180C.4060106@sun.com>
References: <b002c1cff507fb6c6b8209dff71ac28f@it.uc3m.es> <45F7180C.4060106@sun.com>


El 13/03/2007, a las 22:30, Erik Nordmark escribió:

marcelo bagnulo braun wrote:
The problem is that shim6 payload packets that carry locatorsdifferent than ULIDs, will have the checksum calculated based on theULIDs and not on the actual addresses carried in the ipv6 header.This would imply that any device in the middle (from NIC to middleboxes (firewalls and TCP relays)) will fail the checksum verification(and drop the packet). It is possible that TCP checksum verificationis more common, since there is no IP checksum in IPv6.
I don't understand what the issue is.
The shim6 packets have a protocol/nexthdr field which is shim6 and notTCP, UDP, etc.

Thus an unmodified middlebox doesn't see a TCP packet - it seems a toit unknown IP protocol.
Only if the middlebox is modified to know about shim6 would it be ableto skip the shim6 header to find the TCP, UDP, etc header.And a middlebox which is modified to know about shim6 could be awarethat the TCP/UDP etc checksums are different when there is a shim6payload message before the TCP/UDP header.
Proposed approach:
First: Add a new section titled "Middle-boxes considerations" withthe following text.It is recommended that firewalls and other middleboxes do not dropTCP, UDP and ICMP packets with apparently incorrect checksums basedon that fact alone unless they implement (monitoring of) the fullshim6 protocol and are able to determine the checksum that must bepresent in a packet with addresses rewritten by shim6."
If the above sentence was expanded to say that these TCP etc headersare the ones that follow a shim6 header, then it would be a usefuladdition.

Add a new section titled "Middle-boxes considerations" with thefollowing text.

Data packets belonging to a Shim6 context carrying the Shim6 PayloadHeader contain alternative locators other than the ULIDs in the sourceand destination address fields of the IPv6 header. However, if thosedata packets are TCP or UDP packets, the presudoheader used for thechecksum calculation will contain the ULID pair, rather than thelocator pair contained in the data packet.It is possible that some firewalls or other middle boxes verify theTCP/UDP checksum. Those middleboxes need to be updated in order to beable to parse the Shim6 payload header and find the TCP/UDP headerafter that. It is recommended that firewalls and other middleboxes donot drop TCP, UDP and ICMP packets that carry the Shim6 Payload headerwith apparently incorrect checksums when using the addresses in theIPv6 header for the pseudoheader computation, unless they implement(monitoring of) the full shim6 protocol and are able to determine thechecksum that must be present in a packet with addresses rewritten byshim6.


would this be ok/enough?

Regards, marcelo

   Erik

Follow-Ups:
- Re: Wrap-up: TCP checksum calculation
  - From: Erik Nordmark <erik.nordmark@sun.com>
- Re: Wrap-up: TCP checksum calculation
  - From: Brian E Carpenter <brc@zurich.ibm.com>

References:
- Wrap-up: TCP checksum calculation
  - From: marcelo bagnulo braun <marcelo@it.uc3m.es>
- Re: Wrap-up: TCP checksum calculation
  - From: Erik Nordmark <erik.nordmark@sun.com>

Prev by Date: Re: Wrap-up: TCP checksum calculation
Next by Date: Re: Wrap-up: TCP checksum calculation
Previous by thread: Re: Wrap-up: TCP checksum calculation
Next by thread: Re: Wrap-up: TCP checksum calculation
Index(es):
- Date
- Thread