On Wed, Dec 16, 2015 at 1:51 PM, Saku Ytti <saku@xxxxxxx> wrote:
> On 16 December 2015 at 13:01, Alexey Eromenko <al4321@xxxxxxxxx> wrote:
>
>> We can't defend vs mangling devices fully, sadly (without encryption).
>> What if a data-mangling device (NAT) changes the port, and re-computes a new
>> good checksum on it... ?
>> Server will accept valid data of a packet that doesn't belong to the
>
> Being a self-centered bastard, I don't care about NAT or other devices
> which intentionally mangle packets. Protecting against them is not a
> priority to me. If the data mangling happens in the Internet core, it
> affects everyone; it's a priority that those issues are recognised at
> the next hop, so that it's easy to identify which node mangled it.
> It's a WAY smaller problem domain when you're faced with 'there are some
> mangled packets' and everyone who complains happens to be behind a
> specific NAT box. Compared to that, if some tier1 router is silently
> mangling, complaints can come from anywhere in the world, and triangulating
> that to one specific router in the world is slow and expensive (i.e.
> not gonna happen).
>

But if so, making a stronger layer 4 checksum can also solve this problem,
i.e. TCP with CRC32 or CRC64 instead of the lousy 16-bit checksum.
It will solve the "core router" and the "important Ethernet switch"
mangling problem.

-- 
-Alexey Eromenko
"Technologov"
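An added worked example (not code from the thread or from either poster) of the two situations the exchange contrasts: a NAT that rewrites a port and recomputes the checksum, which the 16-bit TCP checksum cannot object to, and silent in-path corruption that the 16-bit one's-complement sum happens to miss but a CRC-32 trailer catches. The IPv4 pseudo-header, the endpoint addresses, the SYN header and the payload are all constructed for the example; the "CRC-32 trailer" is a hypothetical stronger layer 4 check, not a real TCP option. The two corruption patterns chosen (swapping two adjacent 16-bit words, and a +1/-1 change across two adjacent words) both leave the integer sum of the words unchanged, so the RFC 1071 sum stays valid, while each confines the damage to a 32-bit burst, which a CRC-32 is guaranteed to detect.

```python
import struct
import zlib

# Constructed sample endpoints (not from the thread); only used for the pseudo-header.
SRC_IP = bytes([10, 0, 0, 1])
DST_IP = bytes([10, 0, 0, 2])
TCP_HDR_LEN = 20  # minimal header, no options


def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit big-endian words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(tcp_len: int) -> bytes:
    """IPv4 pseudo-header folded into the TCP checksum: src, dst, 0, proto 6, length."""
    return SRC_IP + DST_IP + struct.pack("!BBH", 0, 6, tcp_len)


def with_checksum(seg: bytes) -> bytes:
    """Zero the checksum field (bytes 16..17), compute it, and write it back."""
    zeroed = seg[:16] + b"\x00\x00" + seg[18:]
    csum = internet_checksum(pseudo_header(len(zeroed)) + zeroed)
    return zeroed[:16] + struct.pack("!H", csum) + zeroed[18:]


def build_segment(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Minimal 20-byte TCP header (SYN flag, window 65535) followed by payload."""
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, 1000, 0,
                         (TCP_HDR_LEN // 4) << 4, 0x02, 65535, 0, 0)
    return with_checksum(header + payload)


def checksum_valid(seg: bytes) -> bool:
    """Receiver-side check: summing everything including the checksum yields 0."""
    return internet_checksum(pseudo_header(len(seg)) + seg) == 0


def nat_rewrite_src_port(seg: bytes, new_port: int) -> bytes:
    """What a NAT does on purpose: rewrite the source port and recompute a valid checksum."""
    return with_checksum(struct.pack("!H", new_port) + seg[2:])


def swap_payload_words(seg: bytes, i: int, j: int) -> bytes:
    """Corruption the 16-bit sum cannot see: exchange two aligned payload words."""
    b = bytearray(seg)
    a, c = TCP_HDR_LEN + 2 * i, TCP_HDR_LEN + 2 * j
    b[a:a + 2], b[c:c + 2] = b[c:c + 2], b[a:a + 2]
    return bytes(b)


def compensating_error(seg: bytes, i: int, j: int) -> bytes:
    """Add 1 to payload word i and subtract 1 from word j; the word sum is unchanged.
    Assumes word i is not 0xFFFF and word j is not 0 (true for the ASCII sample)."""
    b = bytearray(seg)
    a, c = TCP_HDR_LEN + 2 * i, TCP_HDR_LEN + 2 * j
    (wi,) = struct.unpack("!H", b[a:a + 2])
    (wj,) = struct.unpack("!H", b[c:c + 2])
    b[a:a + 2] = struct.pack("!H", wi + 1)
    b[c:c + 2] = struct.pack("!H", wj - 1)
    return bytes(b)


def add_crc32(seg: bytes) -> bytes:
    """Hypothetical stronger layer 4 check: append a CRC-32 over the whole segment."""
    return seg + struct.pack("!I", zlib.crc32(seg) & 0xFFFFFFFF)


def crc32_valid(seg_with_crc: bytes) -> bool:
    body, tag = seg_with_crc[:-4], seg_with_crc[-4:]
    return (zlib.crc32(body) & 0xFFFFFFFF) == struct.unpack("!I", tag)[0]


def run_demo() -> dict:
    """Which check each copy of a constructed segment passes at the receiver."""
    seg = build_segment(40000, 80, b"GET /admin HTTP/1.1\r\n")  # constructed payload
    tag = add_crc32(seg)[-4:]  # CRC the original sender attached

    def verdict(seg_with_crc: bytes) -> dict:
        return {"tcp16": checksum_valid(seg_with_crc[:-4]),
                "crc32": crc32_valid(seg_with_crc)}

    return {
        "original": verdict(seg + tag),
        # A device that rewrites on purpose recomputes whatever check it knows about.
        "nat_rewrite": verdict(add_crc32(nat_rewrite_src_port(seg, 12345))),
        # Silent corruption in transit: the old tag travels with the damaged bytes.
        "swapped_words": verdict(swap_payload_words(seg, 0, 1) + tag),
        "compensating": verdict(compensating_error(seg, 0, 1) + tag),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:14s} tcp16={result['tcp16']} crc32={result['crc32']}")
```

The `nat_rewrite` row is the point of the first quoted paragraph: a box that rewrites a field and recomputes the check passes any checksum or CRC, because neither is keyed; only a MAC or encryption changes that. The two corruption rows are the point of the reply: a 16-bit one's-complement sum is blind to any change that preserves the word sum, which is exactly the kind of damage a stronger check is meant to catch.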