
TCP checksum recalculation



As I looked over Kai's MIKE proposal, I got to thinking about transport
mode.  The more I thought about transport mode, the more I looked for what
we do for maintaining the TCP checksum.

It seems to me that transport mode breaks the checksum and requires its
recomputation on de-encapsulating.  I could not find any discussion of this
in the RFCs.

Either I missed it in my search (and thus others will), or else I missed
something in the checksum handling in the IP kernel that makes this not an
issue.

The way I see it, each router decrements the TTL, but will not recompute
the checksum, as the next protocol is NOT TCP.  Then the end system gets
the packet, decapsulates and blindly sends the packet upwards to TCP with a
bad checksum.  ERGO either it is in the docs and I missed it, I have this
all wrong, I have it right and everyone knows about it and is building
their code properly, I have this right and no one is testing their
transport mode through routers (seems unlikely).  So where is this
documented  :)


Oh, with MIKE, consider that at each IKE SA boundary, the addresses are
altered at each point (shades of RSIP), so then the TCP checksum would really
be broken and partial recalculation would be different (not just TTL, but
the whole IP header).


Robert Moskowitz
ICSA
Security Interest EMail: rgm-sec@htt-consult.com
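As an added illustration (not part of Robert's message or of any RFC text), the following Python builds a constructed IPv4/TCP packet, computes the TCP checksum over the RFC 793 pseudo-header, and shows which header changes a receiver's check notices: a TTL decrement at a router touches only the IP header checksum, while an address rewrite of the kind RSIP performs invalidates the stored TCP checksum until it is recomputed. Addresses, ports and payload are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

def csum16(data: bytes) -> int:
    """Internet checksum (RFC 1071): one's complement of the 16-bit one's-complement sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_checksum(src: bytes, dst: bytes, seg: bytes) -> int:
    """Checksum over the IPv4 pseudo-header (src, dst, zero, proto 6, TCP length) plus
    the segment with its own checksum field (bytes 16-17) zeroed. TTL is not an input."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(seg))
    return csum16(pseudo + seg[:16] + b"\x00\x00" + seg[18:])

def build_packet(src: str, dst: str, payload: bytes, ttl: int = 64) -> bytes:
    """Constructed IPv4+TCP packet: port 1234 -> 80, ACK set, no options."""
    s, d = IPv4Address(src).packed, IPv4Address(dst).packed
    seg = struct.pack("!HHIIBBHHH", 1234, 80, 0, 0, 5 << 4, 0x10, 8192, 0, 0) + payload
    seg = seg[:16] + struct.pack("!H", tcp_checksum(s, d, seg)) + seg[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(seg), 0, 0, ttl, 6, 0, s, d)
    ip = ip[:10] + struct.pack("!H", csum16(ip)) + ip[12:]
    return ip + seg

def forward(pkt: bytes) -> bytes:
    """Router hop: decrement TTL and refresh only the IP header checksum."""
    ip = bytearray(pkt[:20])
    ip[8] -= 1
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", csum16(bytes(ip)))
    return bytes(ip) + pkt[20:]

def rewrite_src(pkt: bytes, new_src: str) -> bytes:
    """Address rewrite (RSIP/NAT style) that fixes the IP checksum but leaves TCP's alone."""
    ip = bytearray(pkt[:20])
    ip[12:16] = IPv4Address(new_src).packed
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", csum16(bytes(ip)))
    return bytes(ip) + pkt[20:]

def receiver_checks(pkt: bytes) -> tuple:
    """What the end host verifies: (IP header checksum ok, TCP checksum ok)."""
    ip_ok = csum16(pkt[:20]) == 0
    seg = pkt[20:]
    stored = struct.unpack("!H", seg[16:18])[0]
    return ip_ok, stored == tcp_checksum(pkt[12:16], pkt[16:20], seg)
```

Running `receiver_checks` on the packet before and after `forward` returns `(True, True)` both times, while after `rewrite_src` it returns `(True, False)`.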

