Re: [tsvwg] draft-tuexen-tsvwg-sctp-zero-checksum-02 adoption Wed, 05 July 2023 07:04 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D4C85C14F738 for <>; Wed, 5 Jul 2023 00:04:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.899
X-Spam-Status: No, score=-6.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id XIc7sVXVgkvX for <>; Wed, 5 Jul 2023 00:04:54 -0700 (PDT)
Received: from ( []) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by (Postfix) with ESMTPS id 5F206C14CF1A for <>; Wed, 5 Jul 2023 00:04:53 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTPS id 968E72052D; Wed, 5 Jul 2023 09:04:21 +0200 (CEST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: tuexen) by (Postfix) with ESMTPSA id 014A71A004C; Wed, 5 Jul 2023 09:04:20 +0200 (CEST)
Content-Type: multipart/signed; boundary="Apple-Mail=_62D3FC9C-D237-450A-BD49-120474DFCD6D"; protocol="application/pkcs7-signature"; micalg="sha-256"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.600.7\))
In-Reply-To: <>
Date: Wed, 05 Jul 2023 09:04:20 +0200
Cc: "" <>
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <> <> <> <> <> <> <>
To: Magnus Westerlund <>
X-Mailer: Apple Mail (2.3731.600.7)
Archived-At: <>
Subject: Re: [tsvwg] draft-tuexen-tsvwg-sctp-zero-checksum-02 adoption
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Transport Area Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 05 Jul 2023 07:04:59 -0000

> On 4. Jul 2023, at 10:11, Magnus Westerlund <> wrote:
> Hi Michael,
>  So I fail to see the additional complexity beyond the initial negotiation being different. The draft (-00) rules for when to send with a zero value CRC only needs a minor tweak to account for both SCTP-AUTH and CRYPTO chunk. This tweak is that the selected protection mechanism to enable zero checksum would be to require to have reached established state in the SCTP state machine as well as not include it on INIT, INIT-ACK, COOKIE, Cookie-echo and in general packets with ASCONF chunks and OOB responses. When the crypto chunk using SCTP association reaches established state it will be protected. And before that no significant ULP data will flow over the association so the goal is meet. So even if DTLS encapsulation of SCTP association could run zero checksum from the first packet it is not necessary, and gives no practical benefit as it is so few packets until established state.  So I think that is a very pragmatic way of doing it that keeps code clean.  When it comes to UDP encapsulation, yes there could theoretically exist a firewall that verifies the SCTP CRC in a IP/UDP/SCTP packet. However, we have no knowledge of such a middlebox, does anyone in the WG know of such a one? The important difference here is that where IP/UDP is handled by all middleboxes, and IP/SCTP by some, we are getting into quite exotic territory with IP/UDP/SCTP, especially if one are not using the default UDP port for encapsulation. However, firewalls being overly suspicious are a reality for general internet deployments and affects all type of applications, but it doesn’t stop us from defining specifications that works in general but not in all corner cases. IP/UDP/SCTP has a general Internet checksum in UDP that help ensure that IP/UDP can be verified to a not been unintentional be broken with a certain probability. Further encapsulation or a SCTP strong packet authentication will verify that SCTP is not broken. So the only potential downside we are talking about here is a path failure. And if you are sensitive to that in your intended deployment then don’t do this trick to save resources use full CRC32c. In fact there is a very easy fall back if the SCTP association times out after having been established and then switched to zero checksum. Re-establish it without using it.  As we have seen with the SCTP NAT discussion which is a harder problem I agree, attempting to have a bullet proof solution is preventing the evolution. If one are running encrypted encapsulation of the SCTP association, then one are 100% sure that no other than the endpoints. But, I think this is one case where I don’t expect any significant problem and there are choices a deployment can do.  Cheers
Hi Magnus,

what about the following way forward:

1. The zero checksum document will refer to alternate protection methods and
   the negotiation will be extended to declare support of a single alternate
   protection method, which is encoded by an IANA assigned number.
   The zero checksum document will create this registry.
2. The zero checksum will specify the requirements for alternate protection
   methods (basically that the protection is at least as god as CRC32c and
   no interference with middle boxes)
3. The zero checksum document will specify a single alternate protection
   method: the protection by the lower layer DTLS.
4. If wanted, I can add some text to RFC 4895bis, to allow it to be
   an alternate method. The middlebox discussion will go here.
5. If wanted, you can add some text to the CRYPTO document to
   allow it to be an alternate method. The middlebox discussion will go here.

This allows us to decouple the document and to implement zero checksum
for WebRTC without have in to deal with SCTP AUTH and/or CRYPTO.

Would you be fine with the above approach?

Best regards
>  Magnus
>   On 2023-05-31, 17:13, "tsvwg" <> wrote:
> > On 29. May 2023, at 10:56, Magnus Westerlund <> wrote:
> > > Hi Michael,
> >  Sorry for the delay in answering.  So if I understand the issue is the dependency on the protection mechanism being in place to enable zero checksum. So I think your proposal for including a list of entries representing offered protection mechanism that would allow zero checksum work, and each of them define the criteria for when in the handshaking zero checksum can be enabled would work. You would be able to add SCTP-
> Hi Magnus,
>  yes, I think it works. I'm just wondering if we actually need this complexity.
> > AUTH immediately.
> I'm not sure here. Claudio indicated that there are middleboxes that verify the checksum
> of SCTP. I do no understand why NATs would do this, but it might make sense for firewalls
> validating the packet format (I know that packet validation exists in products, but I'm
> not sure if this includes checksum validation).
> So the protection is OK for all packets where the first chunk is an AUTH chunk.
> But the middlebox issue is still there. So we would require UDP encapsulation
> in addition (which is per path and can change over time). But we would assume
> that for UDP encapsulated packets, the SCTP would not be validated.
> > I do wonder a bit if DTLS encapsulation is a method requiring to be listed. If it is encapsulation of the whole SCTP packet
> > that provides a stronger integrity to the packet, then does it need to be specified? It will be in place from the start, and thus the initiator How does the sender know which packets the receiver is willing to accept. This depends on the mechanism
> being used instead of CRC32c. For example, using AUTH, the packet containing an INIT ACK chunk would
> need to have a valid checksum, but for DTLS encapsulation the ckecksum could be zero.
> > might not need to do more than to indicate that it will rely on the used encapsulation?  In regards to middleboxes doing deep inspection, and calculating the CRC32c of an UDP encapsulated SCTP packet and then react to it being wrong. I would be quite surprised to find a middlebox that Why would it be wrong for SCTP over UDP over IP, but OK for SCTP over IP? I do not see the difference.
>  If you have a firewall which does some SCTP level protection and you deploy SCTP over UDP, you
> would like the firewall to do the same of SCTP over UDP over IP. Why would you not want the
> same level of protection depending on UDP encapsulation or not?
> > does this fairly deep layer violation. Only if one are running on the registered UDP port for SCTP encapsulation a general middlebox know that this is likely SCTP in the payload. I am not expecting this to be a real issue for this solution. Especially not where we would consider deploying a zero checksum solution where the set of middleboxes would be deployed by the same entity that deploys the endpoints.
> What about other middleboxes which might be deployed?
>  Best regards
> Michael
> >  Cheers
> >  Magnus
> >    On 2023-05-10, 22:54, "" <> wrote:
> > > On 27. Apr 2023, at 09:31, Magnus Westerlund <> wrote:
> > > > Hi,
> > >  Yes proposed change would address my issue.  Thanks
> > Hi Magnus,
> > I wanted to address this issue before submitting version -03 of the individual
> > draft, followed up by the -00 version of the WG document.
> >  However, when drafting the text, I realized that this is more complex than
> > I initially thought.
> >  Your suggestion is to allow zero checksum when using SCTP AUTH or CRYPTO.
> >  One issue the related to the middleboxes and one could argue that when using
> > SCTP over UDP, middleboxes might not interfere with zero checksum. OK, we
> > can write that without make things more complex.
> >  When using DTLS, all packets are protected. Requiring that packets containing
> > an INIT chunk is for backwards compatibility and is not specific to SCTP/DTLS
> > and would require to all other cases. The same applies to packets containing
> > an COOKIE ECHO or ASCONF chunk. This is for keeping implementations simple.
> >  But there is a difference between SCTP/DTLS and AUTH or CRYPTO:
> > * For CRYPTO (as I understand it right now) does not protect packets handled
> >   in the front states.
> > * For AUTH, it protects only packets for which the AUTH chunk is the first one.
> >  This means that the packets having an alternative protection depends on the
> > alternative method. How does the receiver know? How to specify it in a generic
> > way that it includes CRYPTO, for example, without referring to it?
> >  One possibility would be to extend the Zero Checksum Parameter to contain an
> > uint32_t, which is an IANA registered value indicating the alternative method.
> > The document could define one for SCTP over DTLS, and one for using AUTH.
> > Then the CRYTO document could register another one for CRYPTO and provide
> > the rules.
> > However, I'm still contemplating whether this is worth doing. If middleboxes
> > check the CRC32c (which would kill zero checksum for AUTH and CRYPTO for
> > SCTP/IPv46), why shouldn't they do the same when SCTP is UDP encapsulated?
> > Assuming that they don't do it now, because SCTP over UDP is not used a lot
> > right now, does not extrapolate to the case where some specifications exist,
> > which require SCTP (with CRYPTO or AUTH) over UDP.
> >  What do you think?
> >  I submitted -03 of the individual document and the -00 of the WG document,
> > because I did not want to hold them up any longer. Once we have come
> > to a conclusion on the above discussion, I'll update the document accordingly.
> >  Best regards
> > Michael
> >   >  Magnus
> > >  On 2023-04-27, 00:13, "tsvwg" <> wrote:
> > > > On 18. Apr 2023, at 11:06, Magnus Westerlund <> wrote:
> > > > > Hi Michael,
> > > >  I am slightly confused by your exclusion of UDP for the zero checksum. I would expect that IP/UDP/SCTP per RFC 6951 would actually make it across a network unless a firewall was present that actually checked the CRC on SCTP level with that encapsulation. Which would in fact be a bit surprising as the UDP payload can be a bit of anything unless the UDP port reveals the service and special rules exists.  
> > > Hi Magnus,
> > >  there is an IANA assigned UDP port number. So firewalls could use this. However, I don't know if
> > > any product does now or will do in the future.
> > > >  Thus, I would expect that SCTP zero checksum should be possible to deploy when RFC 6951 encapsulation occurs and the SCTP stack would be using SCTP-AUTH or CRYPTO chunk as alternative strong integrity verification.  So I think the zero checksum could actually be allowed for UDP encapsulated SCTP when using a strong integrity mechanism. Just want to ensure that the document doesn’t include unnecessary scoping which doesn’t have technical merit.
> > > I agree. Possibly we should be more precise:
> > >  * We should not talk about lower layers providing a protection at least as good as CRC32c, but talk about other
> > >   protocol mechanisms instead. These protocol mechanisms include lower layers like DTLS, but also AUTH or CRYTO.
> > > * We should consider two conditions, where the use of the feature is not appropriate:
> > >   (1) There is no other protocol mechanism to protect a packet at least as good as CRC32c.
> > >   (2) Middleboxes will interfere with SCTP packets containing an incorrect checksum of zero.
> > >  Then:
> > > * SCTP over DTLS is OK, since (1) and (2) are both not true.
> > > * SCTP over IP is not OK, since (1) and (2) is true.
> > > * SCTP using AUTH for all chunks over IP is not OK, since (2) is true.
> > > * SCTP over UDP over IP is not OK, since (1) is true. Whether (2) is true is not known to me.
> > > * SCTP using AUTH for all chunks over UDP over IP  might be OK, if (2) is not true.
> > > * SCTP using CRYTO is not OK, since (2) is true.
> > > * SCTP using CRPTO might be OK, if (2) is not true.
> > >  Would such a change address your issue?
> > >  Best regards
> > > Michael
> > > >  Cheers
> > > >  Magnus
> > > >    On 2023-04-12, 14:21, "tsvwg" <> wrote:
> > > > > On 11. Apr 2023, at 19:15, Nils Ohlmeier <> wrote:
> > > > > > Hello,
> > > > > > I’m supporting adoption of draft draft-tuexen-tsvwg-sctp-zero-checksum-02, because it is going to be useful for all WebRTC endpoints out there to have the option to skip the checksum step.
> > > > > > I also reviewed the draft. The only concern I found is this sentence:
> > > > > > "Since the lower layer of SCTP can not be IPv4 or IPv6 as specified in [RFC9260] or UDP as specified in [RFC6951], no problems with middle boxes expecting correct CRC32c checksums in the SCTP packets are expected.”
> > > > > > Which confuses me, because it sounds to me like this is trying to say that SCTP over IPv4 or IPv6 can not be done. Which obviously doesn’t make any sense. But I honestly fail to parse what this sentence is suppose to tell me (besides no problems with middle boxes is expected).
> > > > Would using
> > > >  One example of such a lower layer is the use of SCTP over DTLS as
> > > > described in [RFC8261] (as used in the WebRTC context). Counter
> > > > examples include:
> > > >  * SCTP over IPv4 or IPv6 as specified in [RFC9260].
> > > >  * SCTP over UDP as specified in [RFC6951].
> > > >  * The use of SCTP Authentication as specified in [RFC4895].
> > > >  Therefore using an incorrect zero checksum will not result in
> > > > problems with middle boxes expecting correct CRC32c checksums in SCTP
> > > > packets.
> > > >  be clearer?
> > > >  Best regards
> > > > Michael
> > > > > > Best
> > > > >  Nils Ohlmeier