IETF Logo Mail Archive

Re: [tsvwg] UDP Options: on forcing the use of UDP CS=0 in connection with FRAG+LITE

Tom Herbert <tom@herbertland.com> Mon, 01 July 2019 21:56 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C7BC12017F for <tsvwg@ietfa.amsl.com>; Mon, 1 Jul 2019 14:56:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xLXNIbImtdlU for <tsvwg@ietfa.amsl.com>; Mon, 1 Jul 2019 14:56:28 -0700 (PDT)
Received: from mail-ed1-x543.google.com (mail-ed1-x543.google.com [IPv6:2a00:1450:4864:20::543]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C79AE120180 for <tsvwg@ietf.org>; Mon, 1 Jul 2019 14:56:27 -0700 (PDT)
Received: by mail-ed1-x543.google.com with SMTP id d4so25239664edr.13 for <tsvwg@ietf.org>; Mon, 01 Jul 2019 14:56:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=9n548bQyIzsilfTFg4DaH0qwXWv9m2wmHYm78rj410c=; b=RceqMTDXR3A+Fvpy707bqP0unLiA3Hj9FQ2vGd4BGE1FhYI4mo2GklHnaDeyp+f1uW offY8dg50fI6YhbmgIPQiFoedzL9vIpwsfvgcP7quNQoInbNnGtv5BDNFZQP4q1qsNCh xGaZWLP46k/DxtFzPCNb6gg8DKaYQaDtoWvCnpkOvvnZsxHO/+EcVWZLq71AC+7ZRw77 Isdetr9cDkMv2JjrcLrAgAZ+tWevmZxXMXs4q0Aa02F/W8n/CK+0Xj1bcSaxNUt51m/O SEvdxRGw1hNVTDXT8um6k4DmZ4gPu8OXNhBbtoifcubmxGRzc0lrWVyy+ZRpXtHCRfQS htKA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=9n548bQyIzsilfTFg4DaH0qwXWv9m2wmHYm78rj410c=; b=SvYGQjU0RF0Elkw7lxLodjIAenh8MkqoAM4HDgts8rZDmagEmlRcIsahkUYnB54pxh PFIOz4ls2qAjmPL9Hw3QapyxubcD4U3n4YdsC+H9e8t/wNiGVqeYzfMzVLIy4sj99Tgy yE9QauzP/wYZlQv8lO/d3Wu9bBQSjN3a7Jo/80j72LJh8OV2CrWlvn3IMDdtf3Uq4gez Y6K5JegEpuWCMJsXvjRqZlrOX0FFCGGZMiJANyeKoxX8TJ9wkcU2araadEgxN5nC4uG/ QpDPJPNzBLS/wmezRxkTTMnp6rh9Mmm3T/J+2Aw7MpR5HnYoKIWQIVLo1pDrLwF63o9v 3Z2w==
X-Gm-Message-State: APjAAAXhYYUBgZesrWxVTxW4/64EJt/osyYyBModUUnf2fg2F2iD7ZNM lC4hloxkyolDviB22DvDl+LWiJ+CQwyHPYsrmDIaO58b
X-Google-Smtp-Source: APXvYqxfaIf6eqaU5dKQaVEcPo8/sKKQGSTp3z7AMrs7BfgbefA4Q9KPLcTnmVJaql6kpSCGr1TaNJC9e8Uxn4tQ1hk=
X-Received: by 2002:a17:906:7901:: with SMTP id b1mr25110203ejo.244.1562018186108; Mon, 01 Jul 2019 14:56:26 -0700 (PDT)
MIME-Version: 1.0
References: <CACL_3VHGtMz3htgfFLRGhjXm=qC7kOXQs+cchtamhh-giBnpLA@mail.gmail.com> <CALx6S35T9ApzMaoSVgHSJPpcpfXsbHHogoBbEjMPj6vH-kxYeA@mail.gmail.com> <CACL_3VE6kr33Vk5si5AxSZNmhqysZZGoy6HK37COUgwbvcRkdA@mail.gmail.com> <24692A9B-4AF1-4E32-A760-7D4908A61262@strayalpha.com> <CACL_3VExhAdFCu-kFLLO5DeRYUOFyJztUgJg-vQmnPoecvzeJg@mail.gmail.com>
In-Reply-To: <CACL_3VExhAdFCu-kFLLO5DeRYUOFyJztUgJg-vQmnPoecvzeJg@mail.gmail.com>
From: Tom Herbert <tom@herbertland.com>
Date: Mon, 01 Jul 2019 14:56:14 -0700
Message-ID: <CALx6S34zY74fhqbXxmiyturfu5mxFjRtA4=R48haX9tP6qLcow@mail.gmail.com>
To: "C. M. Heard" <heard@pobox.com>
Cc: Joe Touch <touch@strayalpha.com>, TSVWG <tsvwg@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/mPj4X9avNLUUKzVXQThxYkoxUoo>
Subject: Re: [tsvwg] UDP Options: on forcing the use of UDP CS=0 in connection with FRAG+LITE
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Jul 2019 21:56:31 -0000

On Mon, Jul 1, 2019 at 12:16 PM C. M. Heard <heard@pobox.com> wrote:
>
> On Sat, Jun 29, 2019 at 7:58 AM Joe Touch wrote:
> >
> > See sec 8.1, which incorporates rfc 6936:
> >
> >          As an exception to the default behavior, protocols that use UDP
> >          as a tunnel encapsulation may enable zero-checksum mode for a
> >          specific port (or set of ports) for sending and/or receiving.
> >          Any node implementing zero-checksum mode must follow the
> >          requirements specified in "Applicability Statement for the Use
> >          of IPv6 UDP Datagrams with Zero Checksums" [RFC6936].
> >
> > Frag is a kind of such a tunnel because it adds its own reassembly CS.
>
> I'll agree that FRAG+LITE with UDP CS=0 does conform to the requirements
> in RFC 6936 Sections 4 and 5 because it includes a reassembly CS.
>
Mike,

The reason that UDPv6 checksums were required in the first place is
that IPv6, unlike IPv4, has no header checksum. The pseudo header in
the UDP checksum includes the IP addresses which provides protection
against misdelivery when addresses are corrupted. The UDP options
reassembly checksum doesn't include the pseudo header so it provides
no protection of the IP addresses, and hence I don't believe it
satisfies the requirements of RFC6936 for using a zero UDP checksum.

> > But that also means middleboxes should allow relaying these since 6936
> > was passed.
>
> Yes. middleboxes are ***supposed*** to do that. But the empirical data
> that we have says that in a significant number of cases (affecting 26%-36%
> of the paths) they do not.
>
Thanks for the numbers, that is very enlightening.

> It's possible that the situation will improve in the future, but given
> that it has not improved enough to make UDP CS=0 useable in other than
> controlled environments, I don't think it's a good idea to propose its
> use when we have an alternative that avoid UDP CS=0 that is no more
> complex to implement.

Agreed. I'd also point out that the very reason to force UDP checksum
to zero is that some implementations incorrectly compute the UDP
checksum based on length of the packet as opposed to using UDP length.
Unlike expecting devices to accept UDPv6 zero checksums when prior to
RFC6936 was strictly prohibited for all cases, basing UDP checksum on
packet length was _never_ allowed. IMO,  forcing zero checksums is at
best trading off one source of brokenness for another, but the numbers
you're reporting don't seem justify the tradeoff is worth it.

Tom

>
> Mike Heard

v2.23.0 | Report a Bug | By Email