Re: Checksum at IP layer - is it even needed ?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Well, this is kinda unexpected.
I expected link failures (electromagnetic interference on copper
links), but we got device (middlebox) failures !

Now, if we want to protect vs. data mangling by middleboxes, we need
to look not only at switches, but also at NAT Routers (including cheap
home routers, and load-balancers) -- those *can* mangle any TCP data,
and compute the wrong checksum there !
Typical Internet data goes through NAT not once, but twice (!);  a
source NAT (a corporate firewall, or a home router), and then again
through a destination NAT (load-balancer).
Anyone of them can mangle data, if poorly implemented (cheap embedded
CPU without ECC cache, etc...)

One possible defense, is to modify TCPv5 and UDPv5 slightly, to
include CRC32 checksum, but only on the *data portion*, not on ports.
(instead of old 16-bit checksums)

Just moving to TCP/IP to CRC32 will *not* solve the issue of
middleboxes mangling our data.

But then port numbers are unprotected by checksum.
So data destined to port 20, can suddenly arrive to port 80.

Is this any better ?

A more radical idea, is to move "port numbers" to IP layer, and cover
them by IP-layer checksum, as nowadays "ports" are really "Routing"
data.

NOTE: I will be moving to "5gangip@xxxxxxxx", so please subscribe there.
https://www.ietf.org/mailman/listinfo/5gangip

-Alexey "Technologov"




[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]