Re: The TCP and UDP checksum algorithm may soon need updating

Michael Thomas <> Mon, 08 June 2020 17:37 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8479A3A0D74 for <>; Mon, 8 Jun 2020 10:37:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.651
X-Spam-Status: No, score=-1.651 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id HQ0ipEyP4aAD for <>; Mon, 8 Jun 2020 10:37:24 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::1029]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 9B4423A0D4A for <>; Mon, 8 Jun 2020 10:37:24 -0700 (PDT)
Received: by with SMTP id ga6so136761pjb.1 for <>; Mon, 08 Jun 2020 10:37:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding:content-language; bh=VL0WINYZi0m+i4VcfeXVdH40RKMS8bkF2zSVFntWUPU=; b=wC7SMMbpqODLc4gN8B59GbKsgN5wYWmTi+JRjIPSCrLYEsnHN0ZZQ9fncAGQDBzVM3 i5l+Cm1OWji894wMoMXSoXlnPeZC1KJAHZ6K95fa1m7TTc/qeLl+FrA7MxDrrTKYdZpw C7UHrkejdRKWbsg0UTRqjXwLsFxXTwssV/zsLH2FWkpBYU5LmdD3/GIO+mM5HSrOqElS IxkN2783DAOfPwlzRqI+8skchmaAtzoff2ras1iEH7dLthG1M5QA+vIbo2SGOr1ipYEU 5bB8e5Vd5prC4NQEGQ+cwQlgP/B+iVrRRSTLGn+l51tGk8+JXVjunpoS6bSVB0gyRZAP F8+w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding :content-language; bh=VL0WINYZi0m+i4VcfeXVdH40RKMS8bkF2zSVFntWUPU=; b=RcCveEjDOftqfANBnd1gAKt5oZt6fIB1tTzH89d3rsMywxqHvqRT0YF87j4ntJhBVA ul5tbSHAnyUvZ889YP5lkRdp8aHZhjI/rV+cCEj/x/el2ALhQJnfLLQ/5xtdBe97JabS oW8VRHsewMDhih9a4eDtQY5MUiKF3Zh/PqSd1pjyUHyAhTFVBmkbq8YKaWOBtuGrqwTJ rB6BHLjEaKkpGymZSUvFaJcDDrbBzWYRPE0zGS7ZuEk8FudwnZXPl09c0us3335QUIgG gOgn01fgSzcQxCeX2atyOtTR/jKLdxR9VESO+AxsVcFFGamR0khrrUcIVpr64W6rIz9x 53sg==
X-Gm-Message-State: AOAM5317334MaOmNkq021+AFMac2xbpXWmxQK32Y8PjfkteCTYV2T5rm lNHT2he5Uj+xDuo2pZq+gEnSYjolWhQ=
X-Google-Smtp-Source: ABdhPJywKWK9Hu+0j11KAdi5xq7jzqKVM4JF09YyXJeZaiMXbgfyKqaHzmZQzF9Q1aCkGCqkeJh8dQ==
X-Received: by 2002:a17:902:e901:: with SMTP id k1mr21301281pld.92.1591637843668; Mon, 08 Jun 2020 10:37:23 -0700 (PDT)
Received: from MichaelsMacBook.lan ( []) by with ESMTPSA id k12sm6539068pgm.11.2020. (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 08 Jun 2020 10:37:22 -0700 (PDT)
Subject: Re: The TCP and UDP checksum algorithm may soon need updating
To: Nick Hilliard <>
Cc: "" <>
References: <> <> <> <> <> <> <> <> <> <> <> <>
From: Michael Thomas <>
Message-ID: <>
Date: Mon, 08 Jun 2020 10:37:21 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:68.0) Gecko/20100101 Thunderbird/68.8.1
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <>
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 08 Jun 2020 17:37:26 -0000

On 6/8/20 10:24 AM, Nick Hilliard wrote:
> Michael Thomas wrote on 08/06/2020 17:59:
>> On 6/8/20 2:09 AM, Nick Hilliard wrote:
>>> in their current incarnations, transport mode ipsec and tcp-ao 
>>> aren't deployable at scale in the same way that tls is.
>> why would you say that? what layer the crypto is performed seems sort 
>> of irrelevant: rsa, aes and sha don't care who calls them. i assume 
>> that you can hack ipsec to emulate clients not having certs. what's 
>> left?
> Usability?  How about you put someone's granny in front of a computer 
> and give her the simple task of transferring some data over tls, or 
> tcp-ao, or ipsec.  Any data would do, e.g a http GET, or a one-line 
> message to her grand-daughter to say happy birthday.

Uh, why are you selling apps so short? An app is capable of making 
library calls for TLS but incapable of making the OS calls for IPsec? 
That's just silly.

The only reason, imo, that tls took hold is because it beat ipsec to the 
market. By the time ipsec was well supported, nobody cared any more.