In your previous mail you wrote: On Tue, Jul 28, 2009 at 3:29 AM, Francis Dupont<[email protected]> wrote: > In your previous mail you wrote: > > Thoughts? > > => I am strongly against changing all IPv6 implementations. > IMHO the simplest solution is to drop UDP packets with zero checksums > (as far as I know all IPv4 implementations use non-zero checksums > per default and some UDP applications, for instance DNS, work far > better with non-zero checksums. BTW it is an easy condition to check > in firewalls). Out of curiosity, what's the signal back to the sender that his/her packet was dropped??
=> none but if you really want something an unreachable / admin forbidden seems not so bad. NFS (in some implementations) doesn't checksum UDP packets, => NFS over UDP throught a translator is already a bad idea. DNS doesn't, => I have the opposite view and I know at least a TLD which has a UDP checksum check in its sanity tool (so when you add a new domain you are required to do UDP checksums for all name servers for this domain). There is no standard knob to drop UDP packets with zero checksums but if there is one I believe many name servers will switch it on. there are quite a few things that don't checksum UDP packets. => not many because the zero checksum choice is system wide and off by default. So it is enough to get non-zero checksums in general. (if someone has a good stat, please...) Simply dropping packets on the floor isn't polite. Dropping them and notifying (icmp <somethingbadhappenedhere>) is also hard to deal with since users can't force udp checksums to happen (per application/stack) and there's not a clear (aside from application failure) idea to the user that something isn't working. => it is not polite too to send packets with zero checksums. As it is hard to send zero checksum packets IMHO the best is to handle them in a firewall with possibly smarter behavior. If you choose to drop the packet tell the sender that it happened (port-unreachable or something along those lines, still the wrong semantics though), I believe you should accept and correct the checksum issue though in the end, it's the only proper path. => fixing zero checksums can accept bad packets, IMHO it is simpler and easier to just get rid of zero checksums: they make sense 20 years ago but not these days. BTW checksums are offloaded on all modern NICs so zero checksums are no longer "faster". Regards [email protected] PS: NATs (PT or not) in general adjust transport checksums and don't (re)compute them.
-------------------------------------------------------------------- IETF IPv6 working group mailing list [email protected] Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 --------------------------------------------------------------------
