On Mon, Dec 14, 2015 at 4:14 PM, Alexey Eromenko <al4321@xxxxxxxxx> wrote:
> Well, this is kinda unexpected.
> I expected link failures (electromagnetic interference on copper links), but we got device (middlebox) failures!
>
> Now, if we want to protect vs. data mangling by middleboxes, we need to look not only at switches, but also at NAT routers (including cheap home routers, and load-balancers) -- those *can* mangle any TCP data, and compute the wrong checksum there!
> Typical Internet data goes through NAT not once, but twice (!); a source NAT (a corporate firewall, or a home router), and then again through a destination NAT (load-balancer).
> Any one of them can mangle data, if poorly implemented (cheap embedded CPU without ECC cache, etc...)
>
> One possible defense is to modify TCPv5 and UDPv5 slightly, to include a CRC32 checksum, but only on the *data portion*, not on ports.
> (instead of the old 16-bit checksums)
>
> Just moving TCP/IP to CRC32 will *not* solve the issue of middleboxes mangling our data.

Isn't the solution to all of this to just use TLS? (or DTLS for UDP)

> But then port numbers are unprotected by checksum.
> So data destined to port 20 can suddenly arrive at port 80.
>
> Is this any better?
>
> A more radical idea is to move "port numbers" to the IP layer, and cover them by the IP-layer checksum, as nowadays "ports" are really "routing" data.
>
> NOTE: I will be moving to "5gangip@xxxxxxxx", so please subscribe there.
> https://www.ietf.org/mailman/listinfo/5gangip
>
> -Alexey "Technologov"
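The two failure modes argued about in this exchange (a 16-bit one's-complement checksum that cannot see certain in-flight corruption, and a data-only CRC32 that cannot see a rewritten port) are easy to reproduce on constructed packets. The following Python is an added example written for this page, not code from the thread or from any protocol specification; the IP addresses, ports and payload are constructed, and the segment is a minimal TCP header with no options. `internet_checksum` implements the RFC 1071 sum that TCP, UDP and IPv4 use today; `payload_crc` is the thread's proposed CRC32 over the data portion only.

```python
import struct
import zlib

# Constructed example addresses and payload (not captured traffic).
SRC_IP = bytes([192, 168, 1, 10])
DST_IP = bytes([192, 168, 1, 20])
PAYLOAD = b"ABCDEFGH"


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit big-endian words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_pseudo_header(src_ip: bytes, dst_ip: bytes, segment_len: int) -> bytes:
    # source address, destination address, zero byte, protocol 6 (TCP), TCP length
    return src_ip + dst_ip + struct.pack("!BBH", 0, 6, segment_len)


def build_tcp_segment(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Minimal 20-byte TCP header (seq/ack 0, PSH+ACK, no options) plus payload, checksum filled in."""
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    segment = header + payload
    csum = internet_checksum(tcp_pseudo_header(SRC_IP, DST_IP, len(segment)) + segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def tcp_checksum_ok(segment: bytes) -> bool:
    """Receiver-side check: summing pseudo-header + segment (checksum included) must give zero."""
    return internet_checksum(tcp_pseudo_header(SRC_IP, DST_IP, len(segment)) + segment) == 0


def payload_crc(segment: bytes) -> int:
    """The thread's proposal: CRC32 over the data portion only (header excluded)."""
    return zlib.crc32(segment[20:]) & 0xFFFFFFFF


def demo_word_swap():
    """A faulty middlebox swaps two 16-bit words inside the payload.
    Returns (tcp_checksum_still_valid, data_crc_still_matches)."""
    good = build_tcp_segment(1234, 20, PAYLOAD)
    crc_expected = payload_crc(good)
    p = good[20:]
    mangled = good[:20] + p[2:4] + p[0:2] + p[4:]  # payload becomes b"CDABEFGH"
    return tcp_checksum_ok(mangled), payload_crc(mangled) == crc_expected


def demo_port_rewrite():
    """A faulty middlebox rewrites the destination port 20 -> 80 without recomputing anything.
    Returns (tcp_checksum_still_valid, data_crc_still_matches)."""
    good = build_tcp_segment(1234, 20, PAYLOAD)
    crc_expected = payload_crc(good)
    mangled = good[:2] + struct.pack("!H", 80) + good[4:]
    return tcp_checksum_ok(mangled), payload_crc(mangled) == crc_expected


if __name__ == "__main__":
    print("word swap     (checksum ok?, crc ok?):", demo_word_swap())
    print("port rewrite  (checksum ok?, crc ok?):", demo_port_rewrite())
```

The word swap passes the TCP checksum unchanged, because a one's-complement sum is commutative and cannot notice reordered words, while the CRC32 over the data catches it. The port rewrite is the mirror image: the TCP checksum fails because the header (and the pseudo-header) are inside its coverage, but a CRC computed only over the data portion is oblivious, which is exactly the "data destined to port 20 can arrive at port 80" objection above. A TLS record MAC sits in the same position as the data-only CRC: it authenticates the bytes of the stream, not which port they were delivered to.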