Re: The TCP and UDP checksum algorithm may soon need updating

On 6/4/20 12:12 PM, Craig Partridge wrote:
> Hi folks:
>
> This note is intended as an invitation to think a bit about a potential hard problem.
>
> There's a small body of literature suggesting that the TCP checksum is regularly failing to detect errors and that we're getting close to the point where using an MD5 authentication check will be insufficient (e.g., the number of times the TCP checksum fails to detect errors is so large that TCP passes through enough errors that the MD5 check won't catch all of them). This situation is due to the growth in both total traffic and the size of individual data transfers. This is not a surprise -- it was anticipated 20 years ago, when studies showed the TCP checksum was quite weak.



How does this interact with (D)TLS? Assuming the error is in the packet body, which would be most likely for data payloads, the TLS layer would detect the error too, right? Obviously acks coming back would still suffer.

Also: since it's clear that any new and improved checksum is going to take forever to get upgraded, do we know what the implications are for higher error rates? Is there anything non-linear that could happen if we don't fix it, or does it just chug along getting more and more uncaught errors due to traffic volumes?

Last, given L2, can it be a backstop?

Mike
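
The weakness under discussion, as an added example that is not part of either message: the 16-bit one's-complement sum from RFC 1071 used by TCP and UDP is blind to reordered 16-bit words and to errors that cancel in the sum, while a keyed MAC over the same bytes catches both. The payload, key, and helper names are constructed for illustration, and the HMAC-SHA256 is only a stand-in for a higher-layer integrity check, not actual (D)TLS record protection.

```python
import hashlib
import hmac
import struct

def internet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum (RFC 1071), the sum TCP and UDP use."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length input
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def keyed_mac(data: bytes) -> bytes:
    """HMAC-SHA256 under a constructed key: stand-in for a higher-layer check."""
    return hmac.new(DEMO_KEY, data, hashlib.sha256).digest()

def swap_words(data: bytes, i: int, j: int) -> bytes:
    """Corruption 1: exchange the 16-bit words at word indexes i and j."""
    words = [data[k:k + 2] for k in range(0, len(data), 2)]
    words[i], words[j] = words[j], words[i]
    return b"".join(words)

def compensate(data: bytes, i: int, j: int, delta: int) -> bytes:
    """Corruption 2: add delta to word i, subtract it from word j."""
    words = list(struct.unpack(f"!{len(data) // 2}H", data))
    words[i] += delta                        # assumes no 16-bit overflow
    words[j] -= delta
    return struct.pack(f"!{len(words)}H", *words)

def detected(check, original: bytes, corrupted: bytes) -> bool:
    """True when the check value changes, i.e. the receiver would notice."""
    return check(original) != check(corrupted)

# Constructed sample data, not captured traffic.
DEMO_KEY = b"constructed-demo-key"
PAYLOAD = b"transfer 0100 units to account 0042!"
SWAPPED = swap_words(PAYLOAD, 5, 16)         # amounts and account digits move
SHIFTED = compensate(PAYLOAD, 5, 16, 1)      # two errors that cancel in the sum

if __name__ == "__main__":
    for name, bad in (("swapped", SWAPPED), ("shifted", SHIFTED)):
        print(name, bad,
              "checksum detects:", detected(internet_checksum, PAYLOAD, bad),
              "MAC detects:", detected(keyed_mac, PAYLOAD, bad))
```

Both corrupted payloads differ from the original in meaning but leave the sum of 16-bit words unchanged, which is why the transport checksum passes them.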



