[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: checksums on http transfers?

From: Kevin Pilch-Bisson <kevin_at_pilch-bisson.net>
Date: 2001-11-08 12:15:48 CET

On Thu, Nov 08, 2001 at 08:26:21AM +0100, Daniel Stenberg wrote:
> On Wed, 7 Nov 2001, Kevin Pilch-Bisson wrote:
> > My ISP performs NAT somewhere in its network, which requires
> > re-caculating the tcp checksum of packets as they pass through. It seems
> > that the problem is that they weren't _verifying_ the original checksum
> > before recalculating, therefore allowing corrupted packets to be received
> > by my machine
> Just a minor detail, but NATs don't mess with TCP, they mess with IP. So they
> change the IP headers and that is separately checksummed (and very commonly
> ignored). Thus, the TCP checksum and data shall remain unmodified even after
> having passed through a NAT.
> IPv6 doesn't even have a checksum for the IP header, as both the underlying
> layer (mostly ethernet) and the upper layer (mostly TCP) usually already
> checksum the data.
> So, I don't think the NAT explains how your machine could accept broken TCP
> packets.
Having just written a NAT server for vxworks, I know that RFC 0761 (TCP),
states that the TCP checksum includes the tcp header, data, and a 96 bit
pseudo header including source and dest addresses, 8 zero bits, the protocol
number, and the length of the tcp data + tcp header. Thus anytime the
source or destination port or address is modified the tcp checksum _DOES_ need
to be recalculated. (Plus if any port changes are involved, the port number
is specified at the TCP level, not the IP level.)

Kevin Pilch-Bisson                    http://www.pilch-bisson.net
     "Historically speaking, the presences of wheels in Unix
     has never precluded their reinvention." - Larry Wall

  • application/pgp-signature attachment: stored
Received on Sat Oct 21 14:36:48 2006

This is an archived mail posted to the Subversion Dev mailing list.