Re: [tsvwg] draft-tuexen-tsvwg-sctp-zero-checksum-02 adoption Tue, 04 July 2023 10:52 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 35D86C151997 for <>; Tue, 4 Jul 2023 03:52:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id K9Ufe6bj4ihI for <>; Tue, 4 Jul 2023 03:52:01 -0700 (PDT)
Received: from ( []) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by (Postfix) with ESMTPS id 4A670C15199B for <>; Tue, 4 Jul 2023 03:51:27 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTPS id 54C36E00EA; Tue, 4 Jul 2023 12:50:56 +0200 (CEST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: tuexen) by (Postfix) with ESMTPSA id 2613E1A004B; Tue, 4 Jul 2023 12:50:56 +0200 (CEST)
Content-Type: multipart/signed; boundary="Apple-Mail=_3A7EF9B9-067A-491D-8F40-474E05FB9488"; protocol="application/pkcs7-signature"; micalg="sha-256"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.600.7\))
In-Reply-To: <>
Date: Tue, 04 Jul 2023 12:50:55 +0200
Cc: "" <>
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <> <> <> <> <> <> <>
To: Magnus Westerlund <>
X-Mailer: Apple Mail (2.3731.600.7)
Archived-At: <>
Subject: Re: [tsvwg] draft-tuexen-tsvwg-sctp-zero-checksum-02 adoption
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Transport Area Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 04 Jul 2023 10:52:03 -0000

> On 4. Jul 2023, at 10:11, Magnus Westerlund <> wrote:
> Hi Michael,
> So I fail to see the additional complexity beyond the initial negotiation being different. The draft (-00) rules for when to send with a zero value CRC only needs a minor tweak to account for both SCTP-AUTH and CRYPTO chunk. This tweak is that the selected protection mechanism to enable zero checksum
I think when we generalize zero checksum, we should not limit it to SCTP-AUTH or the current state of CRYPTO.
So we would need to put in hooks for other mechanisms. Negotiating them is a possibility. I'm not against it,
just stating that the input / output procedures need to deal with this and do different checks depending on
whether DTLS is used as a lower layer or SCTP AUTH, CRYPTO or whatever else.
> would be to require to have reached established state in the SCTP state machine as well as not include it on INIT, INIT-ACK, COOKIE, Cookie-echo and in general packets with ASCONF chunks and OOB responses. When the crypto chunk using SCTP association reaches established state it will be protected. And
But when looking at AUTH, for example, you not only need to require packets containing an INIT ACK or SHUTDOWN COMPLETE
chunk to have a valid checksum, but also that you can only use the zero checksum, if AUTH is the first chunk.
> before that no significant ULP data will flow over the association so the goal is meet. So even if DTLS encapsulation of SCTP association could run zero checksum from the first packet it is not necessary, and gives no practical benefit as it is so few packets until established state.  So I think that is a
The specification intentionally uses a SHOULD, so you can always compute a valid CRC32, if your implementation requires it.
> very pragmatic way of doing it that keeps code clean.  When it comes to UDP encapsulation, yes there could theoretically exist a firewall that verifies the SCTP CRC in a IP/UDP/SCTP packet. However, we have no knowledge of such a middlebox, does anyone in the WG know of such a one? The important
I think this is not the right way to look at it.

We don't have a specification describing how middleboxes handle SCTP. However, RFC 6951 specifies:

Firewalls inspecting SCTP packets must also be aware of the
encapsulation and apply corresponding rules to the encapsulated

And I think this still makes sense. If a Firewall applies some rules for SCTP/IP packets, then
not applying the same rules to SCTP/UDP/IP looks like a security problem to me.

I don't know, whether or not it is a good idea for a middlebox to perform a checksum validation,
But it was stated on the list, that some middleboxes do so for SCTP/IP.

So I think we should not assume, that this functionality is not performed when UDP encapsulation
is used. That would contradict what is written in the security considerations of RFC 6951.
> difference here is that where IP/UDP is handled by all middleboxes, and IP/SCTP by some, we are getting into quite exotic territory with IP/UDP/SCTP, especially if one are not using the default UDP port for encapsulation. However, firewalls being overly suspicious are a reality for general internet deployments and affects all type of applications, but it doesn’t stop us from defining specifications that works in general but not in all corner cases. IP/UDP/SCTP has a general Internet checksum in UDP that help ensure that IP/UDP can be verified to a not been unintentional be broken with a certain probability. Further encapsulation or a SCTP strong packet authentication will verify that SCTP is not broken. So the only potential downside we are
SCTP has intentionally a stronger protection than UDP or TCP. So I think just UDP encapsulation does not
qualify as an alternate protection method.
But you could combine it with AUTH or CRYPTO. However, in both cases you have to consider middleboxes
and one of the uses of UDP encapsulation is to deal with middleboxes not supporting SCTP. So how can
you know that there might be middleboxes, but no middlebox supporting SCTP. Especially in an environment
where you deploy SCTP intentionally.
> talking about here is a path failure. And if you are sensitive to that in your intended deployment then don’t do this trick to save resources use full CRC32c. In fact there is a very easy fall back if the SCTP association times out after having been established and then switched to zero checksum. Re-establish it without using it.  As we have seen with the SCTP NAT discussion which is a harder problem I agree, attempting to have a bullet proof solution is preventing the evolution. If one are running encrypted encapsulation of the SCTP association, then one are 100% sure that no other than the endpoints.
We never wanted a bullet proof solution. Just a way forward. But that is history.

Just to summarize:

There is a way to generalize zero checksum requiring an
(a) alternate protection mechanism, which would be negotiated.
(b) argument why middleboxes do not interfere with the zero checksum.

The negotiation for (a) is simple to do, the implementation impact for supporting SCTP AUTH, for example,
is limited, but non-zero.
(b) is the hard part based on what Claudio reported. I do not think that UDP encapsulation solves that.

I don't think it is a good idea to add additional protocol mechanisms to detect interference with middleboxes
and turn then zero checksum dynamically on and off. The initial use case is WebRTC and I'm all for generalizing
it, as long as it does not get substantially more complicated than needed for its use case.

Best regards
> But, I think this is one case where I don’t expect any significant problem and there are choices a deployment can do.  Cheers
>  Magnus
>   On 2023-05-31, 17:13, "tsvwg" <> wrote:
> > On 29. May 2023, at 10:56, Magnus Westerlund <> wrote:
> > > Hi Michael,
> >  Sorry for the delay in answering.  So if I understand the issue is the dependency on the protection mechanism being in place to enable zero checksum. So I think your proposal for including a list of entries representing offered protection mechanism that would allow zero checksum work, and each of them define the criteria for when in the handshaking zero checksum can be enabled would work. You would be able to add SCTP-
> Hi Magnus,
>  yes, I think it works. I'm just wondering if we actually need this complexity.
> > AUTH immediately.
> I'm not sure here. Claudio indicated that there are middleboxes that verify the checksum
> of SCTP. I do no understand why NATs would do this, but it might make sense for firewalls
> validating the packet format (I know that packet validation exists in products, but I'm
> not sure if this includes checksum validation).
> So the protection is OK for all packets where the first chunk is an AUTH chunk.
> But the middlebox issue is still there. So we would require UDP encapsulation
> in addition (which is per path and can change over time). But we would assume
> that for UDP encapsulated packets, the SCTP would not be validated.
> > I do wonder a bit if DTLS encapsulation is a method requiring to be listed. If it is encapsulation of the whole SCTP packet
> > that provides a stronger integrity to the packet, then does it need to be specified? It will be in place from the start, and thus the initiator How does the sender know which packets the receiver is willing to accept. This depends on the mechanism
> being used instead of CRC32c. For example, using AUTH, the packet containing an INIT ACK chunk would
> need to have a valid checksum, but for DTLS encapsulation the ckecksum could be zero.
> > might not need to do more than to indicate that it will rely on the used encapsulation?  In regards to middleboxes doing deep inspection, and calculating the CRC32c of an UDP encapsulated SCTP packet and then react to it being wrong. I would be quite surprised to find a middlebox that Why would it be wrong for SCTP over UDP over IP, but OK for SCTP over IP? I do not see the difference.
>  If you have a firewall which does some SCTP level protection and you deploy SCTP over UDP, you
> would like the firewall to do the same of SCTP over UDP over IP. Why would you not want the
> same level of protection depending on UDP encapsulation or not?
> > does this fairly deep layer violation. Only if one are running on the registered UDP port for SCTP encapsulation a general middlebox know that this is likely SCTP in the payload. I am not expecting this to be a real issue for this solution. Especially not where we would consider deploying a zero checksum solution where the set of middleboxes would be deployed by the same entity that deploys the endpoints.
> What about other middleboxes which might be deployed?
>  Best regards
> Michael
> >  Cheers
> >  Magnus
> >    On 2023-05-10, 22:54, "" <> wrote:
> > > On 27. Apr 2023, at 09:31, Magnus Westerlund <> wrote:
> > > > Hi,
> > >  Yes proposed change would address my issue.  Thanks
> > Hi Magnus,
> > I wanted to address this issue before submitting version -03 of the individual
> > draft, followed up by the -00 version of the WG document.
> >  However, when drafting the text, I realized that this is more complex than
> > I initially thought.
> >  Your suggestion is to allow zero checksum when using SCTP AUTH or CRYPTO.
> >  One issue the related to the middleboxes and one could argue that when using
> > SCTP over UDP, middleboxes might not interfere with zero checksum. OK, we
> > can write that without make things more complex.
> >  When using DTLS, all packets are protected. Requiring that packets containing
> > an INIT chunk is for backwards compatibility and is not specific to SCTP/DTLS
> > and would require to all other cases. The same applies to packets containing
> > an COOKIE ECHO or ASCONF chunk. This is for keeping implementations simple.
> >  But there is a difference between SCTP/DTLS and AUTH or CRYPTO:
> > * For CRYPTO (as I understand it right now) does not protect packets handled
> >   in the front states.
> > * For AUTH, it protects only packets for which the AUTH chunk is the first one.
> >  This means that the packets having an alternative protection depends on the
> > alternative method. How does the receiver know? How to specify it in a generic
> > way that it includes CRYPTO, for example, without referring to it?
> >  One possibility would be to extend the Zero Checksum Parameter to contain an
> > uint32_t, which is an IANA registered value indicating the alternative method.
> > The document could define one for SCTP over DTLS, and one for using AUTH.
> > Then the CRYTO document could register another one for CRYPTO and provide
> > the rules.
> > However, I'm still contemplating whether this is worth doing. If middleboxes
> > check the CRC32c (which would kill zero checksum for AUTH and CRYPTO for
> > SCTP/IPv46), why shouldn't they do the same when SCTP is UDP encapsulated?
> > Assuming that they don't do it now, because SCTP over UDP is not used a lot
> > right now, does not extrapolate to the case where some specifications exist,
> > which require SCTP (with CRYPTO or AUTH) over UDP.
> >  What do you think?
> >  I submitted -03 of the individual document and the -00 of the WG document,
> > because I did not want to hold them up any longer. Once we have come
> > to a conclusion on the above discussion, I'll update the document accordingly.
> >  Best regards
> > Michael
> >   >  Magnus
> > >  On 2023-04-27, 00:13, "tsvwg" <> wrote:
> > > > On 18. Apr 2023, at 11:06, Magnus Westerlund <> wrote:
> > > > > Hi Michael,
> > > >  I am slightly confused by your exclusion of UDP for the zero checksum. I would expect that IP/UDP/SCTP per RFC 6951 would actually make it across a network unless a firewall was present that actually checked the CRC on SCTP level with that encapsulation. Which would in fact be a bit surprising as the UDP payload can be a bit of anything unless the UDP port reveals the service and special rules exists.  
> > > Hi Magnus,
> > >  there is an IANA assigned UDP port number. So firewalls could use this. However, I don't know if
> > > any product does now or will do in the future.
> > > >  Thus, I would expect that SCTP zero checksum should be possible to deploy when RFC 6951 encapsulation occurs and the SCTP stack would be using SCTP-AUTH or CRYPTO chunk as alternative strong integrity verification.  So I think the zero checksum could actually be allowed for UDP encapsulated SCTP when using a strong integrity mechanism. Just want to ensure that the document doesn’t include unnecessary scoping which doesn’t have technical merit.
> > > I agree. Possibly we should be more precise:
> > >  * We should not talk about lower layers providing a protection at least as good as CRC32c, but talk about other
> > >   protocol mechanisms instead. These protocol mechanisms include lower layers like DTLS, but also AUTH or CRYTO.
> > > * We should consider two conditions, where the use of the feature is not appropriate:
> > >   (1) There is no other protocol mechanism to protect a packet at least as good as CRC32c.
> > >   (2) Middleboxes will interfere with SCTP packets containing an incorrect checksum of zero.
> > >  Then:
> > > * SCTP over DTLS is OK, since (1) and (2) are both not true.
> > > * SCTP over IP is not OK, since (1) and (2) is true.
> > > * SCTP using AUTH for all chunks over IP is not OK, since (2) is true.
> > > * SCTP over UDP over IP is not OK, since (1) is true. Whether (2) is true is not known to me.
> > > * SCTP using AUTH for all chunks over UDP over IP  might be OK, if (2) is not true.
> > > * SCTP using CRYTO is not OK, since (2) is true.
> > > * SCTP using CRPTO might be OK, if (2) is not true.
> > >  Would such a change address your issue?
> > >  Best regards
> > > Michael
> > > >  Cheers
> > > >  Magnus
> > > >    On 2023-04-12, 14:21, "tsvwg" <> wrote:
> > > > > On 11. Apr 2023, at 19:15, Nils Ohlmeier <> wrote:
> > > > > > Hello,
> > > > > > I’m supporting adoption of draft draft-tuexen-tsvwg-sctp-zero-checksum-02, because it is going to be useful for all WebRTC endpoints out there to have the option to skip the checksum step.
> > > > > > I also reviewed the draft. The only concern I found is this sentence:
> > > > > > "Since the lower layer of SCTP can not be IPv4 or IPv6 as specified in [RFC9260] or UDP as specified in [RFC6951], no problems with middle boxes expecting correct CRC32c checksums in the SCTP packets are expected.”
> > > > > > Which confuses me, because it sounds to me like this is trying to say that SCTP over IPv4 or IPv6 can not be done. Which obviously doesn’t make any sense. But I honestly fail to parse what this sentence is suppose to tell me (besides no problems with middle boxes is expected).
> > > > Would using
> > > >  One example of such a lower layer is the use of SCTP over DTLS as
> > > > described in [RFC8261] (as used in the WebRTC context). Counter
> > > > examples include:
> > > >  * SCTP over IPv4 or IPv6 as specified in [RFC9260].
> > > >  * SCTP over UDP as specified in [RFC6951].
> > > >  * The use of SCTP Authentication as specified in [RFC4895].
> > > >  Therefore using an incorrect zero checksum will not result in
> > > > problems with middle boxes expecting correct CRC32c checksums in SCTP
> > > > packets.
> > > >  be clearer?
> > > >  Best regards
> > > > Michael
> > > > > > Best
> > > > >  Nils Ohlmeier