Re: Checksum in IPv6 header

Another point to note is this. In the case that a packet checksum/hash is used, a corrupted packet gets dropped on its way, whereas without such a checksum/hash it is dropped at the destination. Thus additional network resources are consumed. All this is assuming that layer 2 CRC has been circumvented.

Vishwas Manral <vishwas.ietf at gmail.com> wrote:
Hi Iljitsch,

I agree with you. However, if you take note of RFC4301, the IPsec base
RFC, AH has been downgraded to a MAY support. So not all machines
will support AH. I agree we can do without the checksum; I am just trying to
fill in when I feel there is some additional information that the
discussion could gain from.

Thanks,
Vishwas

On Feb 1, 2008 1:02 AM, Iljitsch van Beijnum wrote:
> On 1 feb 2008, at 1:59, Vishwas Manral wrote:
>
> > For ESP (RFC4303) the ICV does not cover the outer IP header at all,
> > mutable fields or not. For AH (RFC4302) however the outer IP header
> > is covered for the ICV calculation.
>
> Yes. So if you want to cryptographically protect your header, either
> use AH or put the packet into another packet and protect the original
> packet with ESP.
>
> A header checksum will give you none of this because the checksum
> algorithm used in IP is so simple I can calculate it in my head (just
> 16-bit additions over data that's in the packet).
>
> Note also that all the important fields in the IP header are included
> in the transport layer checksum, which also makes it unnecessary to do
> a separate header checksum to protect these fields against bit errors.
>
> Last but not least, if an attacker can toggle bits in your header, it
> really doesn't matter whether you have cryptographically strong means
> to detect this, because what you would be doing is dropping the
> packet, while any of this toggling would also result in dropping the
> packet at some point, all else being equal. (The attacker could also
> toggle bits in the data part of the packet so the receiver would
> accept bad data, but IPsec AH/ESP or even TLS all provide protection
> against that regardless of header checksums.)
>


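The checksum arithmetic and the pseudo-header coverage discussed in the quoted exchange, as an added example that is not part of this thread and not code from any RFC or IPsec implementation. It implements the RFC 1071 one's complement checksum (the "16-bit additions" Iljitsch refers to), the IPv6 pseudo-header that RFC 2460 puts under the UDP checksum so that a flipped bit in an address is still caught, and shows that an attacker who rewrites an address simply recomputes the checksum, whereas a secret-keyed ICV cannot be fixed up. The keyed_icv function is an assumed simplified stand-in (an HMAC over addresses and datagram), not RFC 4302 AH; the addresses, ports, key and payload are constructed sample values.

```python
# Added example, not code from the ipv6@ietf.org thread. It implements the
# RFC 1071 Internet checksum and the IPv6 pseudo-header that RFC 2460 puts
# under the UDP/TCP checksum, then contrasts that with a keyed ICV. Every
# address, port, key and payload below is a constructed sample value.
import hashlib
import hmac
import ipaddress
import struct

UDP_PROTO = 17


def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's complement sum of 16-bit big-endian words, complemented.
    This is the 'add 16-bit words in your head' algorithm the thread refers to."""
    if len(data) % 2:
        data += b"\x00"                      # pad an odd trailing byte with zero
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # end-around carry: fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv6_pseudo_header(src: str, dst: str, upper_len: int, next_header: int) -> bytes:
    """RFC 2460 section 8.1 pseudo-header: both addresses, upper-layer length,
    three zero bytes and the Next Header value of the transport protocol."""
    return (ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed
            + struct.pack("!I", upper_len)
            + b"\x00\x00\x00"
            + bytes([next_header]))


def build_udp6(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a UDP datagram whose checksum covers the IPv6 pseudo-header."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)   # checksum field zeroed
    csum = internet_checksum(ipv6_pseudo_header(src, dst, length, UDP_PROTO) + header + payload)
    if csum == 0:
        csum = 0xFFFF       # UDP over IPv6: a computed zero is transmitted as all ones
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def verify_udp6(src: str, dst: str, udp: bytes) -> bool:
    """Receiver-side check: summing pseudo-header + datagram with the checksum
    field included must give all ones, i.e. the complement must be zero."""
    length = struct.unpack("!H", udp[4:6])[0]
    if length != len(udp):
        return False
    return internet_checksum(ipv6_pseudo_header(src, dst, length, UDP_PROTO) + udp) == 0


def keyed_icv(key: bytes, src: str, dst: str, udp: bytes) -> bytes:
    """Assumed simplified stand-in for an AH-style ICV: an HMAC over the
    (immutable) addresses plus the datagram. This is NOT RFC 4302 AH; it only
    shows why a secret-keyed check differs from a checksum."""
    covered = ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + udp
    return hmac.new(key, covered, hashlib.sha256).digest()[:12]


# Constructed sample values: documentation prefix, arbitrary ports, payload and key.
SRC, DST = "2001:db8::1", "2001:db8::2"
EVIL_DST = "2001:db8::bad"
PAYLOAD = b"constructed sample payload"
KEY = b"constructed-example-key"


def bit_error_detected() -> bool:
    """A single flipped bit in the IPv6 source address (::1 -> ::3) is caught by
    the transport checksum even though the IPv6 header carries no checksum."""
    pkt = build_udp6(SRC, DST, 40000, 53, PAYLOAD)
    return verify_udp6(SRC, DST, pkt) and not verify_udp6("2001:db8::3", DST, pkt)


def attacker_fixup_passes_checksum() -> bool:
    """An attacker who rewrites the destination address just recomputes the
    checksum; the receiver sees a valid datagram. Checksums catch noise, not adversaries."""
    rewritten = build_udp6(SRC, EVIL_DST, 40000, 53, PAYLOAD)
    return verify_udp6(SRC, EVIL_DST, rewritten)


def attacker_fixup_fails_keyed_icv() -> bool:
    """Without the key the attacker cannot produce a matching ICV for the
    rewritten packet, which is the property a keyed integrity check gives
    and a checksum cannot."""
    pkt = build_udp6(SRC, DST, 40000, 53, PAYLOAD)
    icv = keyed_icv(KEY, SRC, DST, pkt)
    rewritten = build_udp6(SRC, EVIL_DST, 40000, 53, PAYLOAD)
    return not hmac.compare_digest(icv, keyed_icv(KEY, SRC, EVIL_DST, rewritten))


if __name__ == "__main__":
    print("bit error in source address detected:", bit_error_detected())
    print("attacker fix-up passes checksum:", attacker_fixup_passes_checksum())
    print("attacker fix-up fails keyed ICV:", attacker_fixup_fails_keyed_icv())
```

Running it prints True for all three cases. The receiver check works because the sender's checksum is the complement of the sum over everything else, so adding it back makes the folded sum all ones and its complement zero; that is also exactly why anyone who can change the header can trivially make the sum come out right again.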
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6 at ietf.org
Administrative Requests: http://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.