于 2011/8/23 23:43, Nejc Škoberne 写道:
Dear authors,
In I-D.dec-stateless-4v6-02 there is a table on page 11, which says that
IPv4 Header Checksum needs to be recalculated in stateless translation
IPv4 address sharing solutions. Does this mean that _only_ the IPv4 header
checksum should be recalculated?
When we develop and deploy dIVI, for the 1st and 2nd IPv4/IPv6
translators, we recalculte the transport layer checksum, as stated in
RFC6145.
(1) In the IPv4/IPv6 translator, the transport layer checksum MUST be
recalculated during the translation process (exception is using checksum
neutral address) in order to generate legal IPv6 packets.
(2) The transport layer checksum calculation is acceptable even for the
performance considerations (compare with LSN, CGN).
(3) Dual translation and single translation can be mixed in some
deployment scenarios, so the IPv6 packets must contain the right
transport layer checksum.
Regards,
xing
This is how I see it:
Practically, the answer could maybe be yes. In each traversal of a packet
through
double stateless translation, there could be just one IPv4 header recalculation,
always in the second translation process, where the IPv4 header is put back
on.
However, RFC 6145 says:
The original IPv4 header on the
packet is removed and replaced by an IPv6 header, and the transport
checksum is updated as needed, if that transport is supported by the
translator.
This means, since the I-D.dec-stateless-4v6-02 (and the same goes for
I-D.xli-behave-divi-03, of course) refers to RFC 6145, that transport-layer
checksum recalculation should also be performed. Which causes a significant
performance impact (we need to include whole packets including packets to
do checksum recalculation). So in this case, we would have 1 IPv4 checksum
recalculation and 2 TCP/UDP checksum recalculations for every packet
traversal through the mechanism.
But since we know, that these packets will be translated two times in a row,
we could just avoid the TCP/UDP recalculation, I guess? Would this work?
I guess that devices in between the CPE and AFTR then shouldn't do any
transport-layer processing, since this would probably be fatal for such
"invalid" packets. So having any IDS/IPS/stateful firewall devices in the
access network would cause issues?
However, if this is not possible, then I think that I-D.dec-stateless-4v6-02
should also state that UDP/TCP Header Checksum recalculation has to be
performed.
Thanks,
Nejc
_______________________________________________
Softwires mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/softwires
