-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Jan 29, 2008, at 7:43 AM, Rahim Choudhary wrote:
> Thanks. I also heard from Brian McGehee. It is basically the same
> reason: efficiency by removing processing that is deemed unneeded.
> In this case the layer 2 and 4 checksums are relied upon and
> simplification and thereby performance is achieved at layer 3.
> These are obvious reasons and I have seen them documented. Wonder
> on two things:
>
> 1. one if there were other reasons for not including checksum in
> IPv6 header, historically speaking if there was a contrary view?

IIRC this is a place where the consensus was "rough". The argument
made, however, followed the effect of an error. If there was a
checksum and an error occurred, the checksum would cause the packet
to be discarded and a higher layer would have to recover. If there
was no checksum, either the errored packet would get a different
service quality in some way, be delivered to the wrong place,
delivered correctly with the wrong putative sender, or (imagine a
high-order bit in the TTL being flipped) would get dropped for some
other reason. In any event, a higher layer protocol or application
would have to recover. So with or without the checksum, a higher
layer protocol would have to recover, and some other system in the
network would have to recognize that something about the packet was
screwy.
If IPsec is in fact used, the MD5 or SHA checksum is certainly
stronger than IPv4's checksum ever was.
So the feeling was "what's the point?"

> 2. second, concerns the security implication if any. Yes the
> checksum was intended for guarding against transmission errors, not
> as a security technique. The question is if there are some
> unintended security impact possible? Eventually the presence or
> absence of a checksum at layer 3 may be not too important because
> the checksum can be recomputed if some malicious change is inserted.

If someone is intentionally manipulating the header, you need to
assume they are smart enough to recalculate the checksum. The header
checksum was never intended for security and never offered much.

> Thanks for the input.
>
> Fred Baker <[EMAIL PROTECTED]> wrote:
>> On Jan 28, 2008, at 2:03 PM, Rahim Choudhary wrote:
>>> This may be a matter that is common knowledge to this list. But
>>> please forgive me for asking. What were the reasons that the IPv6
>>> working group decided not to include a checksum field for the IPv6
>>> packet Header? Does it have no security impact to omit the checksum?
>>
>> The short version is that in general the checksum found
>> implementation errors, but given a working system rarely found true
>> operational errors. It's not stupid as a debug technique, but it
>> doesn't result in packet discard in real networks, and so was
>> deemed unjustified.
-----BEGIN PGP SIGNATURE-----
iD8DBQFHn2nlbjEdbHIsm0MRAk3uAKCms/PKAOLqsZbtXCjv3/OR0gyvaQCgi+CA
jYXhnUTHzxwl2ieeMvADlDk=
=qKUm
-----END PGP SIGNATURE-----
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
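
Added example, not part of the original thread: the IPv4-style header checksum (RFC 1071 arithmetic) catches a flipped TTL bit, but a deliberately rewritten header with a recomputed checksum still verifies, while a keyed MAC does not. The addresses and key are constructed sample values, and HMAC-SHA-256 over the whole header is an assumed, simplified stand-in for the keyed check IPsec provides.

```python
import hashlib
import hmac
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, inverted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4_header(src: bytes, dst: bytes, ttl: int = 64) -> bytes:
    """20-byte IPv4 header without options, checksum filled in."""
    h = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, 6, 0, src, dst)
    return h[:10] + struct.pack("!H", inet_checksum(h)) + h[12:]

def header_ok(header: bytes) -> bool:
    """Receiver-side check: a valid header sums to zero."""
    return inet_checksum(header) == 0

def flip_bit(header: bytes, index: int, bit: int) -> bytes:
    """Model a transmission error as a single flipped bit."""
    out = bytearray(header)
    out[index] ^= 1 << bit
    return bytes(out)

def rewrite_and_recompute(header: bytes, new_src: bytes) -> bytes:
    """Deliberate edit of the source address, then a fresh checksum."""
    h = header[:10] + b"\x00\x00" + new_src + header[16:]
    return h[:10] + struct.pack("!H", inet_checksum(h)) + h[12:]

def keyed_mac(key: bytes, header: bytes) -> bytes:
    """Keyed integrity value; needs a secret the modifier does not hold."""
    return hmac.new(key, header, hashlib.sha256).digest()

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample key
    hdr = build_ipv4_header(bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    damaged = flip_bit(hdr, 8, 7)  # high-order bit of the TTL byte
    forged = rewrite_and_recompute(hdr, bytes([203, 0, 113, 9]))
    print("original ok:", header_ok(hdr))
    print("bit error caught:", not header_ok(damaged))
    print("recomputed header ok:", header_ok(forged))
    same = hmac.compare_digest(keyed_mac(key, hdr), keyed_mac(key, forged))
    print("MAC still matches:", same)
```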