Re: The TCP and UDP checksum algorithm may soon need updating

Nico Williams <> Mon, 08 June 2020 19:03 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 7477C3A122F for <>; Mon, 8 Jun 2020 12:03:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id wWrQ2NXf-Vx7 for <>; Mon, 8 Jun 2020 12:03:15 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D99583A10F0 for <>; Mon, 8 Jun 2020 12:02:31 -0700 (PDT)
X-Sender-Id: dreamhost|x-authsender|
Received: from (localhost []) by (Postfix) with ESMTP id 4A0D8121F60; Mon, 8 Jun 2020 19:02:30 +0000 (UTC)
Received: from (100-96-23-33.trex.outbound.svc.cluster.local []) (Authenticated sender: dreamhost) by (Postfix) with ESMTPA id 6B910121DFC; Mon, 8 Jun 2020 19:02:29 +0000 (UTC)
X-Sender-Id: dreamhost|x-authsender|
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384) by (trex/5.18.8); Mon, 08 Jun 2020 19:02:30 +0000
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|
X-MailChannels-Auth-Id: dreamhost
X-Whimsical-Cooperative: 3b70d64a2a44befc_1591642949735_1654732574
X-MC-Loop-Signature: 1591642949735:4006088354
X-MC-Ingress-Time: 1591642949734
Received: from (localhost []) by (Postfix) with ESMTP id 1FCDF7F0E2; Mon, 8 Jun 2020 12:02:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed;; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to;; bh=uqPPd9bTC1GRzZ TPheGW/kHXjLw=; b=X2MBW9XS9GK/aSicKvWBLF17g12Envz0crPwfz1Hp7nIn7 c+vu8FY8iyPtRp5HTvsRiwjyLeJyJJ3i5JGhgqQxj83K8dNwdxSgCKqhqR0bevGq WnwOCHSM+Z+nMh3P7E1OAY6f9oy4bv/7nE9c8Q/s7+1jRMDsUCwX23xE4iP50=
Received: from localhost (unknown []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: by (Postfix) with ESMTPSA id C0B657F0EA; Mon, 8 Jun 2020 12:02:25 -0700 (PDT)
Date: Mon, 8 Jun 2020 14:02:21 -0500
X-DH-BACKEND: pdx1-sub0-mail-a99
From: Nico Williams <>
To: Michael Thomas <>
Cc: Nick Hilliard <>, "" <>
Subject: Re: The TCP and UDP checksum algorithm may soon need updating
Message-ID: <20200608190220.GA18021@localhost>
References: <> <> <> <> <> <> <> <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.9.4 (2018-02-28)
X-VR-OUT-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgeduhedrudehvddgjedvucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuggftfghnshhusghstghrihgsvgdpffftgfetoffjqffuvfenuceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmnecujfgurhepfffhvffukfhfgggtuggjfgesthdtredttdervdenucfhrhhomheppfhitghoucghihhllhhirghmshcuoehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhmqeenucggtffrrghtthgvrhhnpefftdektefhueetveeigfefgeejteejvdfhhefgvddtfeeujeehleeguefhgffhgfenucfkphepvdegrddvkedruddtkedrudekfeenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhhouggvpehsmhhtphdphhgvlhhopehlohgtrghlhhhoshhtpdhinhgvthepvdegrddvkedruddtkedrudekfedprhgvthhurhhnqdhprghthheppfhitghoucghihhllhhirghmshcuoehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhmqedpmhgrihhlfhhrohhmpehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhmpdhnrhgtphhtthhopehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhm
Archived-At: <>
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 08 Jun 2020 19:03:24 -0000

On Mon, Jun 08, 2020 at 11:23:09AM -0700, Michael Thomas wrote:
> ssl had the advantage that it 1) beat ipsec to market, and 2) wasn't subject
> to API differences from OS layer calls like IPsec was, and with quite a bit
> of churn as i recall too. it's really too bad, imo. we wouldn't have had to
> do the contortions of dtls, for example. and now there's this problem. none
> of them are earth shattering, but it would have been cleaner.

You can sprinkle TLS anywhere you have an octet stream.  You can
sprinkle DTLS anywhere you have datagram flows.  No need for OS support
-- it will just work.  IPsec?  IPsec requires OS support.

Also, IPsec got a lot of things wrong.  It's simply not usable at
Internet scale as originally intended because... it's IP-layer, so it
deals in discrete packets and IP addresses.  Well, discrete packets do
not define application connections/sessions[*], IP addresses are too
dynamic and useless for authentication and authorization[**], and
configuration is ETOOHARD.

As you can see, a dozen years ago was already too late, but our idea
then was to

 - construct protection guarantees for packet flows using IPsec,
 - to use anonymous or anonymous-like key exchanges to key IPsec,
 - and to use channel binding from application layer protocols that can
   authenticate more useful names than IP addresses.


[*] In the IPsec architecture, RFC 4301, there is no guarantee that the
    packets making up a TCP connection, say, will have anything like
    similar protection for the lifetime of the TCP connection.
    Everything about how a TCP conenction is protected by IPsec depends
    entirely on *configuration* with no standard interfaces _at all_ for
    applications to manipulate said configuration.

[**] Yes, in RFC 4301 you're supposed to specify things like trust
     anchors and policies like "any peer with a certificate from this CA
     can _claim_ IP addresses in the following prefixes/ranges".  This
     _cannot_ scale to Internet scale.

     Giving up on authentication and authorization in the RFC 4301
     scheme (BTNS, RFC 5387) and constructing logical packet flows with
     consistent protection during their lifetimes (RFC 5660), fixes the
     problem.  It didn't get implemented -- even if it had been, TLS was
     already king.  This would all have to have happened at least half a
     decade earlier, if not a whole decade earlier, to have had a

     What was particularly appealing at one point was the possibility of
     having ESP offload in NIC HW.  The lower in the stack the crypto
     happens, the easier it is to offload it.