On Thu, Nov 08, 2001 at 08:26:21AM +0100, Daniel Stenberg wrote:
> On Wed, 7 Nov 2001, Kevin Pilch-Bisson wrote:
>
> > My ISP performs NAT somewhere in its network, which requires
> > re-calculating the tcp checksum of packets as they pass through. It seems
> > that the problem is that they weren't _verifying_ the original checksum
> > before recalculating, therefore allowing corrupted packets to be received
> > by my machine.
>
> Just a minor detail, but NATs don't mess with TCP, they mess with IP. So they
> change the IP headers and that is separately checksummed (and very commonly
> ignored). Thus, the TCP checksum and data shall remain unmodified even after
> having passed through a NAT.
>
> IPv6 doesn't even have a checksum for the IP header, as both the underlying
> layer (mostly ethernet) and the upper layer (mostly TCP) usually already
> checksum the data.
>
> So, I don't think the NAT explains how your machine could accept broken TCP
> packets.
>
Having just written a NAT server for vxworks, I know that RFC 0761 (TCP)
states that the TCP checksum includes the tcp header, data, and a 96 bit
pseudo header including source and dest addresses, 8 zero bits, the protocol
number, and the length of the tcp data + tcp header. Thus anytime the
source or destination port or address is modified the tcp checksum _DOES_ need
to be recalculated. (Plus if any port changes are involved, the port number
is specified at the TCP level, not the IP level.)
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Kevin Pilch-Bisson http://www.pilch-bisson.net
"Historically speaking, the presences of wheels in Unix
has never precluded their reinvention." - Larry Wall
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- application/pgp-signature attachment: stored
Received on Sat Oct 21 14:36:48 2006
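The checksum rule Kevin describes, as an added example that is not part of the thread: a Python model of the RFC 793 TCP checksum over the 96-bit pseudo-header, showing that a rewritten source address or port invalidates the old checksum, and a NAT rewrite that verifies the incoming segment before recomputing instead of handing a corrupted segment a fresh valid checksum. Addresses, ports and payload are constructed sample values.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """Sum of 16-bit big-endian words with end-around carry; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src_ip: bytes, dst_ip: bytes, tcp_len: int) -> bytes:
    """96-bit pseudo-header: src addr, dst addr, 8 zero bits, protocol 6, length of TCP header + data."""
    return src_ip + dst_ip + struct.pack("!BBH", 0, 6, tcp_len)

def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum to store in the TCP header; the header's own checksum field (bytes 16-17) counts as zero."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + zeroed)) & 0xFFFF

def tcp_checksum_ok(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """Verify a received segment: with the checksum field in place the folded sum must be 0xFFFF."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF

def nat_rewrite(src_ip, dst_ip, segment, new_src_ip, new_sport):
    """Outbound NAT as it should behave: verify first, so a corrupted segment is dropped (None)
    rather than re-checksummed into a valid one; then rewrite source port/address and recompute."""
    if not tcp_checksum_ok(src_ip, dst_ip, segment):
        return None
    seg = bytearray(segment)
    struct.pack_into("!H", seg, 0, new_sport)           # source port lives in the TCP header
    struct.pack_into("!H", seg, 16, tcp_checksum(new_src_ip, dst_ip, bytes(seg)))
    return new_src_ip, bytes(seg)

def make_segment():
    """Constructed sample: 10.0.0.5:40000 -> 192.0.2.10:80, SYN, with a valid checksum filled in."""
    src, dst = bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10])
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    seg = bytearray(hdr + b"GET / HTTP/1.0\r\n")
    struct.pack_into("!H", seg, 16, tcp_checksum(src, dst, bytes(seg)))
    return src, dst, bytes(seg)

if __name__ == "__main__":
    src, dst, seg = make_segment()
    print("valid as sent:", tcp_checksum_ok(src, dst, seg))
    # Same bytes after a NAT changed only the source address: the old checksum no longer verifies.
    print("after address rewrite, no recompute:", tcp_checksum_ok(bytes([203, 0, 113, 9]), dst, seg))
```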