about the ULID in the TCP checksum
Iljitsch in his review raises the following issue:
my comments are inline

The result of this consistent mapping is that there is no impact on
the ULPs. In particular, there is no impact on pseudo-header
checksums and connection identification.

The problem here is that some intermediate system, such as a firewall
or a smart NIC, may take it upon itself to check the TCP or UDP
checksum and discard the packet if the checksum fails.

how common is this practice? is this widely used?

For firewalls and the like, the best thing is probably either to
fully monitor the shim state so they can do this properly, or forego
such checking if a shim header is present.

yes, this is probably useful in terms of security also, just like in
the case of TCP connections, where the firewall can decide to accept
segments of connections for which the firewall has previously seen SYN
do you think we should add text about this? (if you do, please send

For NICs a better solution would be to do an incremental checksum
verification and only over the ULP segment, so that the host stack
must complete the calculation by applying the increment from the
pseudo header, which can largely be cached, so the performance
advantages are almost completely preserved

i don't understand what you mean by incremental checksum
verification... could you expand on this?
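
One reading of the incremental verification discussed above, as an added example that is not part of the original thread: the NIC sums only the ULP segment, and the host completes the check by adding the pseudo-header sum. The function names, the constructed 2001:db8:: addresses and the sample TCP segment are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 1071 one's-complement sum over big-endian 16-bit words. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t len) {
    for (; len > 1; p += 2, len -= 2) sum += (uint32_t)p[0] << 8 | p[1];
    if (len) sum += (uint32_t)p[0] << 8;      /* odd trailing byte, zero padded */
    return sum;
}
static uint16_t csum_fold(uint32_t sum) {
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}
/* IPv6 pseudo-header sum; the address part is cacheable per address pair. */
static uint32_t pseudo_sum(const uint8_t src[16], const uint8_t dst[16],
                           uint32_t ulp_len, uint8_t next_hdr) {
    uint32_t s = csum_add(csum_add(0, src, 16), dst, 16);
    return s + (ulp_len >> 16) + (ulp_len & 0xffff) + next_hdr;
}
/* NIC side: sum only the ULP segment, so no addresses are involved. */
static uint16_t nic_segment_sum(const uint8_t *seg, size_t len) {
    return csum_fold(csum_add(0, seg, len));
}
/* Host side: apply the pseudo-header increment; valid iff the result is 0xffff. */
static int host_complete(uint16_t seg_sum, uint32_t pseudo) {
    return csum_fold(pseudo + seg_sum) == 0xffff;
}
/* Constructed sample addresses: two ULIDs and one alternative source locator. */
static const uint8_t ULID_SRC[16] = {0x20,0x01,0x0d,0xb8,0,1,0,0,0,0,0,0,0,0,0,1};
static const uint8_t ULID_DST[16] = {0x20,0x01,0x0d,0xb8,0,2,0,0,0,0,0,0,0,0,0,2};
static const uint8_t LOC_SRC[16]  = {0x20,0x01,0x0d,0xb8,0,3,0,0,0,0,0,0,0,0,0,1};

/* Returns 1 if the sample segment verifies with src in the pseudo-header. */
int verify_with(const uint8_t src[16]) {
    uint8_t seg[24] = {0x30,0x39,0x00,0x50, 0,0,0,1, 0,0,0,0, 0x50,0x10,0xff,0xff,
                       0,0,0,0, 'd','a','t','a'};   /* TCP header + 4-byte payload */
    /* Sender fills the TCP checksum field (bytes 16..17) using the ULIDs. */
    uint16_t c = (uint16_t)~csum_fold(pseudo_sum(ULID_SRC, ULID_DST, sizeof seg, 6)
                                      + csum_add(0, seg, sizeof seg));
    seg[16] = c >> 8; seg[17] = c & 0xff;
    return host_complete(nic_segment_sum(seg, sizeof seg),
                         pseudo_sum(src, ULID_DST, sizeof seg, 6));
}

int main(void) {
    printf("ULIDs: %d, locator: %d\n", verify_with(ULID_SRC), verify_with(LOC_SRC));
    return 0;
}
```

The segment sum is independent of the addresses, which is why a checker that builds the pseudo-header from the on-wire locator rejects a segment that the host, using the ULIDs, accepts.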