Re: Checksum at IP layer - is it even needed ?

<lloyd.wood@xxxxxxxxxxx> · Wed, 16 Dec 2015 02:07:16 +0000 (UTC)

The question is 'checksum at IP layer - is it even needed'

I say 'yes' as a useful header check that packets are sent
towards the correct destination at each hop; if the headers
don't pass scrutiny, don't bother. IPv4's header
checksum covering mutable fields (TTL and QoS) made
recomputing at each hop painful and led to bizarre fixup check
behaviour (discussed in detail on the tsvwg list); if
that header checksum only covered non-mutable fields
(and also overlapped pseudo header fields?) it
would have been imo (and that's likely a minority imo)
better. Any cost to NATs which treat non-mutable fields
as mutable is imo just a bonus to discourage NAT, really.

IPv6 leaving header checksums out in favour of assuming
that protocols would do the right thing with endpoint
pseudoheader checks has not worked well - see RFC6935
and RFC6936 for hints of some of the consequences of
that, or consider where UDP-Lite becomes useful and
necessary. But it makes NAT of IPv6 easier, so that's
thinking ahead!

In general, checksums and error detection are not well
understood in the IETF.

For example, DTNRG tried to design a protocol
for the most difficult errored conditions imaginable -
and left out any error detection from it at all. (See
the half-assed, half-baked RFC5050). Eight years after
that problem was identified, 'find someone who understands
checksums to make a recommendation' is now a line item in
the RFC5050bis todo list in DTNWG meetings.

Choosing checksums to suit coverage lengths is nontrivial,
because, you know, math. Math is hard, and the IETF is more
arts and crafts of protocol specification, really.
It's all basketweaving and handcrafted pottery and consensus
hums voicing approval of performance art. I mean,
powerpoint slides.

L.

indaba hakuna matata ulwimi ululodwa alonelanga

Lloyd Wood
 lloyd.wood@xxxxxxxxxxx
 http://about.me/lloydwood 

 From: Alexey Eromenko <al4321@xxxxxxxxx>
 To: lloyd.wood@xxxxxxxxxxx 
Cc: ietf <ietf@xxxxxxxx>; stbryant@xxxxxxxxx; Christopher Morrow <morrowc.lists@xxxxxxxxx>; Jared Mauch <jared@xxxxxxxxxxxxxxx>
 Sent: Wednesday, 16 December 2015, 0:54
 Subject: Re: Checksum at IP layer - is it even needed ?

Look, if IPv6 had a 32-bit checksum,  it would increase their header by yet another 4 bytes.  To a monster of 44 bytes.
This is a tradeoff - add those 4 bytes or let upper layer cover that one for you...

And assume what-if IPFF has those 4 bytes covered. Should it also cover "Hops" aka TTL, or not? Should it also cover data or not ?
And this will not prevent device mangling (moving to NAT devices this time), instead of Ethernet switches.

On Dec 15, 2015 3:26 PM,  <lloyd.wood@xxxxxxxxxxx> wrote:
Stewart,

we've recently had much discussion of this in tsvwg. (And
Fletcher isn't that good...)

My working theory with hindsight is that, in many ways,
IPv6 embodies the worst of all possible choices.

Lloyd Wood
 lloyd.wood@xxxxxxxxxxx
 http://about.me/lloydwood 

 From: Stewart Bryant <stbryant@xxxxxxxxx>
 To: lloyd.wood@xxxxxxxxxxx; Christopher Morrow <morrowc.lists@xxxxxxxxx>; Alexey Eromenko <al4321@xxxxxxxxx> 
Cc: ietf <ietf@xxxxxxxx>; Jared Mauch <jared@xxxxxxxxxxxxxxx>
 Sent: Tuesday, 15 December 2015, 21:55
 Subject: Re: Checksum at IP layer - is it even needed ?

    Lloyd

      If that is a significant risk, then why did IPv6 not move

      to a better protection when it was changing the other things

      in the nw/xport interface? After all there were much

      better c/s - such as Fletcher - that were well known

      at the time?

      Stewart

      On 15/12/2015 00:32, lloyd.wood@xxxxxxxxxxx wrote:

        > If the
            content is not understood by anyone except the intended
            endpoint 

          > the
            occasional misdelivery is surely of no consequence.

        There's still a risk
            of port pollution (IPv4) or destination pollution (IPv6)
        from
            misdeliveries without checksums.

        not
            understood != not handled and pushed up the stack. 

        Lloyd
          Wood lloyd.wood@xxxxxxxxxxx http://about.me/lloydwood 

 From: Stewart
                Bryant <stbryant@xxxxxxxxx>

                To:
                Christopher Morrow <morrowc.lists@xxxxxxxxx>;
                Alexey Eromenko <al4321@xxxxxxxxx> 

                Cc: ietf
                <ietf@xxxxxxxx>; Jared Mauch
                <jared@xxxxxxxxxxxxxxx>

                Sent:
                Tuesday, 15 December 2015, 10:04

                Subject:
                Re: Checksum at IP layer - is it even needed ?

              On 14/12/2015 21:55, Christopher Morrow wrote:

                > I suppose: "Why are we trying to solve this in
                tcp/udp? why not solve 

                > this at the application layer with TLS?" . 

              Yes, I was wondering about this.

              If the content is not understood by anyone except the
              intended endpoint 

              the occasional misdelivery is surely of no consequence.

              Stewart

    -- 
For corporate legal information go to:

http://www.cisco.com/web/about/doing_business/legal/cri/index.html