On 6/4/2020 2:54 PM, Christian Huitema wrote: >> On Jun 4, 2020, at 2:26 PM, Craig Partridge <craig@xxxxxxxxxxxxx> wrote: >> >> >> The SSH spec says terminate on failure and that it requires a reliable underpinning. >> >> Termination on error is no good. One of the studies shows huge failure rates (over 50%) for large file transfers. One guess is that's due to security protocols terminating when TCP hands up something with an error. > Good thing that the IETF is nearing completion of the work on QUIC version 1.. I don't know whether you followed that, Craig, but QUIC plus UDP provides pretty much the same services as TLS plus TCP, including protection of every packet using AEAD encryption and checksum. Error not detected by the UDP checksum will most probably be detected by the 16 bits AEAD checksum. Oops. 16 bytes AEAD checksum, not bits, of course. > > Your note mentions that errors are so frequent that some might not be detected by the MD5 checksum. That's a tall claim. MD5 provides a 128 bit cryptographic checksum, so the chances of not detecting an error are something like 1/2^128, something like 1.0E-38. > > There are attacks against MD5, which is why it is now deprecated. But these are cryptographic attacks, requiring significant computations to obtain two packets that would get the same checksum. We are speaking here of randomly flipping a few bits, which is completely different. Any robust 128 checksum will detect that. I understand now that Craig was referring to environments in which the TCP checksum is complemented by an MD5 checksum truncated to 32 bits. That combination will let an error pass through for every 4 billion errors not detected by the TCP checksum, which could very well be a practical problem. When a full MD5 128 bit checksum used to check the validity of a file, the residual TCP errors will be reliably detected. -- Christian Huitema
