Re: [tsvwg] draft-tuexen-tsvwg-sctp-zero-checksum-02 adoption

Michael Tuexen <> Thu, 13 July 2023 13:49 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B1BDBC17CE88 for <>; Thu, 13 Jul 2023 06:49:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.496
X-Spam-Status: No, score=-1.496 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.399, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id juWswm5__M32 for <>; Thu, 13 Jul 2023 06:49:42 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 765E7C16B5D7 for <>; Thu, 13 Jul 2023 06:48:48 -0700 (PDT)
Received: from (unknown [IPv6:2a02:8109:1140:c3d:ddd2:508b:bcf2:2400]) (Authenticated sender: lurchi) by (Postfix) with ESMTPSA id 06CD48215B4EE; Thu, 13 Jul 2023 15:48:43 +0200 (CEST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.600.7\))
From: Michael Tuexen <>
In-Reply-To: <>
Date: Thu, 13 Jul 2023 15:48:43 +0200
Cc: "" <>
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <>
To: Magnus Westerlund <>
X-Mailer: Apple Mail (2.3731.600.7)
Archived-At: <>
Subject: Re: [tsvwg] draft-tuexen-tsvwg-sctp-zero-checksum-02 adoption
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Transport Area Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 13 Jul 2023 13:49:44 -0000

> On 5. Jul 2023, at 16:06, Magnus Westerlund <> wrote:
> Hi,
> Yes this sounds good. I was making it unnecessary complex not thinking about how simple this criteria for when it is possible to send zero value for these algorithms actually are. Looking forward to update draft so I can review it.
Hi Magnus,

here it is:

I have no managed to implement this, but plan to do so before the IETF week.
I'll also implement using a zero checksum in combination with AUTH such that
we can see what the impact is.

Best regards
> Magnus
>  On 2023-07-05, 13:57, "" <> wrote:
>> On 5. Jul 2023, at 10:44, Magnus Westerlund <> wrote:
>>> Hi,
>> Your proposal sounds good.  That would mean that protection methods might have to specify additional criteria to fulfill to be able to set the CRC field
> OK. I'll update the document and submit an updated version.
>> to all 0. In the review and development of the zero checksum document towards WG LC if there are a common set of rules that have minimal impact on the DTLS encapsulation case we should consider those. The common rules would be to generalize the rules for when to one may send zero value, such that it apply to SCTP-AUTH or CRYPTO chunk when UDP encapsulated. This to minimize the implementation variations depending which protection one applies.
> I think we should keep the requirements for the receiver side at a minimum. At the sender side, you can
> always send with a correct checksum.
> For the alternate methods I see a simple way of specifying it:
> 1. For AUTH:    Sender side: Allow a zero checksum for all packets having an AUTH chunk as the first chunk.
>   Receiver side: Accept a zero checksum only for packets having an AUTH chunk as the first chunk.
> 2. For CRYTO:
>   Same as above, just replace AUTH by CRYPTO.
> Implementation wise: I guess most SCTP stacks will not implement multiple alternate methods.
> * The WebRTC implementations won't most likely use AUTH or CRYPTO.
> * Implementations supporting CRYTO don't need AUTH and are not used over DTLS.
> In the process of updating the ID RFC 4895bis, I'll implement the change to see what the
> impact is.
> Best regards
> Michael
>> Cheers
>> Magnus
>> On 2023-07-05, 09:04, "" <> wrote:
>>> On 4. Jul 2023, at 10:11, Magnus Westerlund <> wrote:
>>>> Hi Michael,
>>> So I fail to see the additional complexity beyond the initial negotiation being different. The draft (-00) rules for when to send with a zero value CRC only needs a minor tweak to account for both SCTP-AUTH and CRYPTO chunk. This tweak is that the selected protection mechanism to enable zero checksum would be to require to have reached established state in the SCTP state machine as well as not include it on INIT, INIT-ACK, COOKIE, Cookie-echo and in general packets with ASCONF chunks and OOB responses. When the crypto chunk using SCTP association reaches established state it will be protected. And before that no significant ULP data will flow over the association so the goal is meet. So even if DTLS encapsulation of SCTP association could run zero checksum from the first packet it is not necessary, and gives no practical benefit as it is so few packets until established state.  So I think that is a very pragmatic way of doing it that keeps code clean.  When it comes to UDP encapsulation, yes there could theoretically exist a firewall that verifies the SCTP CRC in a IP/UDP/SCTP packet. However, we have no knowledge of such a middlebox, does anyone in the WG know of such a one? The important difference here is that where IP/UDP is handled by all middleboxes, and IP/SCTP by some, we are getting into quite exotic territory with IP/UDP/SCTP, especially if one are not using the default UDP port for encapsulation. However, firewalls being overly suspicious are a reality for general internet deployments and affects all type of applications, but it doesn’t stop us from defining specifications that works in general but not in all corner cases. IP/UDP/SCTP has a general Internet checksum in UDP that help ensure that IP/UDP can be verified to a not been unintentional be broken with a certain probability. Further encapsulation or a SCTP strong packet authentication will verify that SCTP is not broken. So the only potential downside we are talking about here is a path failure. And if you are sensitive to that in your intended deployment then don’t do this trick to save resources use full CRC32c. In fact there is a very easy fall back if the SCTP association times out after having been established and then switched to zero checksum. Re-establish it without using it.  As we have seen with the SCTP NAT discussion which is a harder problem I agree, attempting to have a bullet proof solution is preventing the evolution. If one are running encrypted encapsulation of the SCTP association, then one are 100% sure that no other than the endpoints. But, I think this is one case where I don’t expect any significant problem and there are choices a deployment can do.  Cheers
>> Hi Magnus,
>> what about the following way forward:
>> 1. The zero checksum document will refer to alternate protection methods and
>>   the negotiation will be extended to declare support of a single alternate
>>   protection method, which is encoded by an IANA assigned number.
>>   The zero checksum document will create this registry.
>> 2. The zero checksum will specify the requirements for alternate protection
>>   methods (basically that the protection is at least as god as CRC32c and
>>   no interference with middle boxes)
>> 3. The zero checksum document will specify a single alternate protection
>>   method: the protection by the lower layer DTLS.
>> 4. If wanted, I can add some text to RFC 4895bis, to allow it to be
>>   an alternate method. The middlebox discussion will go here.
>> 5. If wanted, you can add some text to the CRYPTO document to
>>   allow it to be an alternate method. The middlebox discussion will go here.
>> This allows us to decouple the document and to implement zero checksum
>> for WebRTC without have in to deal with SCTP AUTH and/or CRYPTO.
>> Would you be fine with the above approach?
>> Best regards
>> Michael
>>> Magnus
>>>  On 2023-05-31, 17:13, "tsvwg" <> wrote:
>>>> On 29. May 2023, at 10:56, Magnus Westerlund <> wrote:
>>>>> Hi Michael,
>>>> Sorry for the delay in answering.  So if I understand the issue is the dependency on the protection mechanism being in place to enable zero checksum. So I think your proposal for including a list of entries representing offered protection mechanism that would allow zero checksum work, and each of them define the criteria for when in the handshaking zero checksum can be enabled would work. You would be able to add SCTP-
>>> Hi Magnus,
>>> yes, I think it works. I'm just wondering if we actually need this complexity.
>>>> AUTH immediately.
>>> I'm not sure here. Claudio indicated that there are middleboxes that verify the checksum
>>> of SCTP. I do no understand why NATs would do this, but it might make sense for firewalls
>>> validating the packet format (I know that packet validation exists in products, but I'm
>>> not sure if this includes checksum validation).
>>> So the protection is OK for all packets where the first chunk is an AUTH chunk.
>>> But the middlebox issue is still there. So we would require UDP encapsulation
>>> in addition (which is per path and can change over time). But we would assume
>>> that for UDP encapsulated packets, the SCTP would not be validated.
>>>> I do wonder a bit if DTLS encapsulation is a method requiring to be listed. If it is encapsulation of the whole SCTP packet
>>>> that provides a stronger integrity to the packet, then does it need to be specified? It will be in place from the start, and thus the initiator How does the sender know which packets the receiver is willing to accept. This depends on the mechanism
>>> being used instead of CRC32c. For example, using AUTH, the packet containing an INIT ACK chunk would
>>> need to have a valid checksum, but for DTLS encapsulation the ckecksum could be zero.
>>>> might not need to do more than to indicate that it will rely on the used encapsulation?  In regards to middleboxes doing deep inspection, and calculating the CRC32c of an UDP encapsulated SCTP packet and then react to it being wrong. I would be quite surprised to find a middlebox that Why would it be wrong for SCTP over UDP over IP, but OK for SCTP over IP? I do not see the difference.
>>> If you have a firewall which does some SCTP level protection and you deploy SCTP over UDP, you
>>> would like the firewall to do the same of SCTP over UDP over IP. Why would you not want the
>>> same level of protection depending on UDP encapsulation or not?
>>>> does this fairly deep layer violation. Only if one are running on the registered UDP port for SCTP encapsulation a general middlebox know that this is likely SCTP in the payload. I am not expecting this to be a real issue for this solution. Especially not where we would consider deploying a zero checksum solution where the set of middleboxes would be deployed by the same entity that deploys the endpoints.
>>> What about other middleboxes which might be deployed?
>>> Best regards
>>> Michael
>>>> Cheers
>>>> Magnus
>>>>   On 2023-05-10, 22:54, "" <> wrote:
>>>>> On 27. Apr 2023, at 09:31, Magnus Westerlund <> wrote:
>>>>>> Hi,
>>>>> Yes proposed change would address my issue.  Thanks
>>>> Hi Magnus,
>>>> I wanted to address this issue before submitting version -03 of the individual
>>>> draft, followed up by the -00 version of the WG document.
>>>> However, when drafting the text, I realized that this is more complex than
>>>> I initially thought.
>>>> Your suggestion is to allow zero checksum when using SCTP AUTH or CRYPTO.
>>>> One issue the related to the middleboxes and one could argue that when using
>>>> SCTP over UDP, middleboxes might not interfere with zero checksum. OK, we
>>>> can write that without make things more complex.
>>>> When using DTLS, all packets are protected. Requiring that packets containing
>>>> an INIT chunk is for backwards compatibility and is not specific to SCTP/DTLS
>>>> and would require to all other cases. The same applies to packets containing
>>>> an COOKIE ECHO or ASCONF chunk. This is for keeping implementations simple.
>>>> But there is a difference between SCTP/DTLS and AUTH or CRYPTO:
>>>> * For CRYPTO (as I understand it right now) does not protect packets handled
>>>>  in the front states.
>>>> * For AUTH, it protects only packets for which the AUTH chunk is the first one.
>>>> This means that the packets having an alternative protection depends on the
>>>> alternative method. How does the receiver know? How to specify it in a generic
>>>> way that it includes CRYPTO, for example, without referring to it?
>>>> One possibility would be to extend the Zero Checksum Parameter to contain an
>>>> uint32_t, which is an IANA registered value indicating the alternative method.
>>>> The document could define one for SCTP over DTLS, and one for using AUTH.
>>>> Then the CRYTO document could register another one for CRYPTO and provide
>>>> the rules.
>>>> However, I'm still contemplating whether this is worth doing. If middleboxes
>>>> check the CRC32c (which would kill zero checksum for AUTH and CRYPTO for
>>>> SCTP/IPv46), why shouldn't they do the same when SCTP is UDP encapsulated?
>>>> Assuming that they don't do it now, because SCTP over UDP is not used a lot
>>>> right now, does not extrapolate to the case where some specifications exist,
>>>> which require SCTP (with CRYPTO or AUTH) over UDP.
>>>> What do you think?
>>>> I submitted -03 of the individual document and the -00 of the WG document,
>>>> because I did not want to hold them up any longer. Once we have come
>>>> to a conclusion on the above discussion, I'll update the document accordingly.
>>>> Best regards
>>>> Michael
>>>>> Magnus
>>>>> On 2023-04-27, 00:13, "tsvwg" <> wrote:
>>>>>> On 18. Apr 2023, at 11:06, Magnus Westerlund <> wrote:
>>>>>>> Hi Michael,
>>>>>> I am slightly confused by your exclusion of UDP for the zero checksum. I would expect that IP/UDP/SCTP per RFC 6951 would actually make it across a network unless a firewall was present that actually checked the CRC on SCTP level with that encapsulation. Which would in fact be a bit surprising as the UDP payload can be a bit of anything unless the UDP port reveals the service and special rules exists.  
>>>>> Hi Magnus,
>>>>> there is an IANA assigned UDP port number. So firewalls could use this. However, I don't know if
>>>>> any product does now or will do in the future.
>>>>>> Thus, I would expect that SCTP zero checksum should be possible to deploy when RFC 6951 encapsulation occurs and the SCTP stack would be using SCTP-AUTH or CRYPTO chunk as alternative strong integrity verification.  So I think the zero checksum could actually be allowed for UDP encapsulated SCTP when using a strong integrity mechanism. Just want to ensure that the document doesn’t include unnecessary scoping which doesn’t have technical merit.
>>>>> I agree. Possibly we should be more precise:
>>>>> * We should not talk about lower layers providing a protection at least as good as CRC32c, but talk about other
>>>>>  protocol mechanisms instead. These protocol mechanisms include lower layers like DTLS, but also AUTH or CRYTO.
>>>>> * We should consider two conditions, where the use of the feature is not appropriate:
>>>>>  (1) There is no other protocol mechanism to protect a packet at least as good as CRC32c.
>>>>>  (2) Middleboxes will interfere with SCTP packets containing an incorrect checksum of zero.
>>>>> Then:
>>>>> * SCTP over DTLS is OK, since (1) and (2) are both not true.
>>>>> * SCTP over IP is not OK, since (1) and (2) is true.
>>>>> * SCTP using AUTH for all chunks over IP is not OK, since (2) is true.
>>>>> * SCTP over UDP over IP is not OK, since (1) is true. Whether (2) is true is not known to me.
>>>>> * SCTP using AUTH for all chunks over UDP over IP  might be OK, if (2) is not true.
>>>>> * SCTP using CRYTO is not OK, since (2) is true.
>>>>> * SCTP using CRPTO might be OK, if (2) is not true.
>>>>> Would such a change address your issue?
>>>>> Best regards
>>>>> Michael
>>>>>> Cheers
>>>>>> Magnus
>>>>>>   On 2023-04-12, 14:21, "tsvwg" <> wrote:
>>>>>>> On 11. Apr 2023, at 19:15, Nils Ohlmeier <> wrote:
>>>>>>>> Hello,
>>>>>>>> I’m supporting adoption of draft draft-tuexen-tsvwg-sctp-zero-checksum-02, because it is going to be useful for all WebRTC endpoints out there to have the option to skip the checksum step.
>>>>>>>> I also reviewed the draft. The only concern I found is this sentence:
>>>>>>>> "Since the lower layer of SCTP can not be IPv4 or IPv6 as specified in [RFC9260] or UDP as specified in [RFC6951], no problems with middle boxes expecting correct CRC32c checksums in the SCTP packets are expected.”
>>>>>>>> Which confuses me, because it sounds to me like this is trying to say that SCTP over IPv4 or IPv6 can not be done. Which obviously doesn’t make any sense. But I honestly fail to parse what this sentence is suppose to tell me (besides no problems with middle boxes is expected).
>>>>>> Would using
>>>>>> One example of such a lower layer is the use of SCTP over DTLS as
>>>>>> described in [RFC8261] (as used in the WebRTC context). Counter
>>>>>> examples include:
>>>>>> * SCTP over IPv4 or IPv6 as specified in [RFC9260].
>>>>>> * SCTP over UDP as specified in [RFC6951].
>>>>>> * The use of SCTP Authentication as specified in [RFC4895].
>>>>>> Therefore using an incorrect zero checksum will not result in
>>>>>> problems with middle boxes expecting correct CRC32c checksums in SCTP
>>>>>> packets.
>>>>>> be clearer?
>>>>>> Best regards
>>>>>> Michael
>>>>>>>> Best
>>>>>>> Nils Ohlmeier