From: "Timo Teräs" <timo.teras@iki.fi>
To: David Shwatrz <dshwatrz@gmail.com>
Cc: "David S. Miller" <davem@davemloft.net>, netdev@vger.kernel.org
Subject: Re: [net-next-2.6] XFRM: remove unused member in xfrm_encap_tmpl.
Date: Mon, 29 Nov 2010 21:27:01 +0200 [thread overview]
Message-ID: <4CF3FE85.6040406@iki.fi> (raw)
In-Reply-To: <AANLkTinQ1qbp9SyWgw7TdvH=5x_1AA6zqLkaa7c4PBGQ@mail.gmail.com>
On 11/29/2010 09:15 PM, David Shwatrz wrote:
> But isn't something wrong here ?
>
> According to RFC 3948:
> ...
> 3.1.2. Transport Mode Decapsulation NAT Procedure
>
> When a transport mode has been used to transmit packets, contained
> TCP or UDP headers will have incorrect checksums due to the change of
> parts of the IP header during transit. This procedure defines how to
> fix these checksums
> ...
> incrementally recompute the
> TCP/UDP checksum:
>
> * Subtract the IP source address in the received packet from the
> checksum.
> * Add the real IP source address received via IKE to the
> checksum (obtained from the NAT-OA)
> ...
>
> So where do we pass the NAT-OA, received from IKE messages, to this
> checksum recalculation process, which should be done in the kernel
> (layer 4 TCP/UDP I suppose) ?
>
> Should'nt this process be done in the kernel ?
>
> Isn't there something missing here ?
That's what the field was intended for. Also it's passed around by e.g.
'ip xfrm' command. The header change would break compilation of iproute2
too.
Alternatively the other RFCs say that the checksum can be just
recalculated. That's what the linux stack does: it throws the old
checksum away (ignored on local receive and recalculated on send /
forward paths). The ESP/AH packets are usually also configured to
contain a cryptographic hash, so the packet modifications are detected
even before trying to check the TCP/UDP checksum (making the check
redundant).
There's also probably some legacy reasons why the nat-oa field is useful
in kernel; and why the tcp/udp is not updated according the above
mentioned scheme. I guess doing that might speed up forwarding from one
tunnel to another where hardware checksum acceleration is not available;
maybe no one just had the time to implement it.
- Timo
next prev parent reply other threads:[~2010-11-29 19:27 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-11-27 17:24 [PATCH net-next-2.6] XFRM: remove unused member in xfrm_encap_tmpl David Shwatrz
2010-11-29 18:07 ` [net-next-2.6] " Timo Teräs
2010-11-29 18:57 ` David Miller
2010-11-29 19:15 ` David Shwatrz
2010-11-29 19:27 ` Timo Teräs [this message]
2010-11-29 20:09 ` David Shwatrz
2010-11-29 20:35 ` Timo Teräs
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4CF3FE85.6040406@iki.fi \
--to=timo.teras@iki.fi \
--cc=davem@davemloft.net \
--cc=dshwatrz@gmail.com \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).