On Tue, 30 Jun 2020 20:40:10 -0600
"Theo de Raadt" <dera...@openbsd.org> wrote:

> Matt Dunwoodie <n...@noconroy.net> wrote:
> 
> > Depends on your definition of significant, I've seen 1-3% throughput
> > improvement without the patch.  
> 
> > Real networks require statistics, which you want to throw away.  
> 
> > Overall, it is still debatable whether to skip the IPv4 checksum as
> > modern crypto certainly offers better integrity checks. However, the
> > primary motivator for skipping the integrity checks is performance,
> > and the performance isn't severely impacted. Additionally, I can
> > sympathise with avoiding layer violations and bringing it inline
> > with other tunnels in this case.  
> 
> If it is debatable, why don't you debate it?  I don't see a debate.
> 
> Let me debate it.
> 
> The issue is not about integrity checks being needed, but about
> integrity check counters -- such counters are used to short-cut
> procedures during network diagnostic failures in multi-configuration
> systems.
> 
> If a higher-level network overlay skips that counter updates for
> lower-levels, the counters are incorrect, now how do you diagnose
> quickly?  Well, you don't.

Before going any further, I should clarify that the outer packet
checksums are already checked (with or without this patch) in
ip_input_if and udp_input when being received on the lower-level
interface. Therefore, any lower-level link layer corruption to the
outer packet will be caught, dropped and counters incremented before
being passed to wg_input. Does that change any of your following points?

> It sounds like the overlay is being chosen and relevant as more
> important than the underlay.  Sorry to burst your bubble, but the
> overlay will never be the whole internet.  The underlay will persist
> for a long time, and the underlay will see errors.  But the counters
> indicating those errors will be *incoherent*.
> 
> To me, it seems your path leads to the inability to diagnose underlying
> issues correctly and quickly.
> 
> Are underlying issues suddenly absent, or rare enough, they don't need
> quick diagnosis?
> 
> Or do (all) overlay technologies now provide enough information
> access to make evaluation of underlying failures easy?
> 
> For those questions, in my experience, I don't think reality provides
> easy paths yet.
> 
> As I said, argue it from a non-wg diagnosis model.  If the argument is
> not convincing, we have to do the obvious right thing, even if it
> costs a small amount.
> 
> Honestly, I don't understand how you ended in the position you are.

Now, the "debatability" is about whether we want to check the inner
packet IPv4 checksum after successful decryption (not about counters).
The story may be different if you have any cases to add to the three
Jason sent through earlier. I said "debatable" because I still think
both sides are valid; however, when I weigh up the arguments I see
applying the patch as the right thing to do.

- Matt
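As an added illustration (not code from this thread, nor from OpenBSD's wg(4) or the patch under discussion), this is the inner IPv4 header checksum check that the patch would skip after decryption, together with the kind of bad-checksum counter Theo's objection is about. The sample header is constructed and the counter name is hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Stand-in for the kernel's per-protocol bad-checksum statistic (hypothetical
 * name); the thread's objection is that skipping the check leaves it incoherent. */
unsigned long inner_badsum = 0;

/* RFC 1071 one's-complement checksum; IPv4 headers are always an even
 * number of bytes. Returns 0 for a header whose checksum field is correct. */
uint16_t ip_cksum(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)buf[i] << 8) | buf[i + 1];
    while (sum >> 16)                      /* fold carries back in */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Validate the IPv4 header of a decrypted inner packet: 1 if good, 0 if
 * malformed or corrupted (only a bad checksum bumps the counter). */
int inner_ipv4_header_ok(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return 0;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;
    if (hlen < 20 || hlen > len)
        return 0;
    if (ip_cksum(pkt, hlen) != 0) {
        inner_badsum++;
        return 0;
    }
    return 1;
}

/* Constructed 20-byte header (172.16.10.99 -> 172.16.10.12, TCP, sum 0xb1e6). */
const uint8_t sample_hdr[20] = {
    0x45, 0x00, 0x00, 0x3c, 0x1c, 0x46, 0x40, 0x00, 0x40, 0x06,
    0xb1, 0xe6, 0xac, 0x10, 0x0a, 0x63, 0xac, 0x10, 0x0a, 0x0c };

/* Flip one bit of the destination address; returns 1 if the original passes and the copy is rejected. */
int demo_corruption_detected(void)
{
    uint8_t bad[20];
    memcpy(bad, sample_hdr, 20);
    bad[16] ^= 0x01;
    return inner_ipv4_header_ok(sample_hdr, 20) && !inner_ipv4_header_ok(bad, 20);
}
```

With the check in place, a corrupted inner header is both dropped and counted; with the patch's skip, the same packet would be handed up to the inner stack with no statistic recording it.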
