> On 24/02/2014, at 9:33 PM, Henning Brauer wrote: > > > * Richard Procter <richard.n.proc...@gmail.com> [2014-01-25 20:41]: > >> On 22/01/2014, at 7:19 PM, Henning Brauer wrote: > >>> * Richard Procter <richard.n.proc...@gmail.com> [2014-01-22 06:44]: > >>>> This fundamentally weakens its usefulness, though: a correct > >>>> checksum now implies only that the payload likely matches > >>>> what the last NAT router happened to have in its memory > >>> huh? > >>> we receive a packet with correct cksum -> NAT -> packet goes out with > >>> correct cksum. > >>> we receive a packet with broken cksum -> NAT -> we leave the cksum > >>> alone, i. e. leave it broken. > >> Christian said it better than me: routers may corrupt data > >> and regenerating the checksum will hide it. > > > > if that happened we had much bigger problems than NAT. > > By bigger problems do you mean obvious router stability > issues? Suppose someone argued that as we'd have obvious > stability issues if unprotected memory was unreliable, ECC > memory is unnecessary. That argument is logically equivalent > to what seems to be yours, that as we'd see obvious > issues if routers were corrupting data, end-to-end > checksums are unnecessary, but I don't buy it.
What is your solution? > We know that routers corrupt data. Right now my home > firewall shows 30 TCP segments dropped for bad checksums. As > checks at least as strong are used by every sane link-layer > this virtually implies the dropped packets suffered router > or end-point faults. Yes. And what is your solution? > Again, it's not just me saying it: "...checksums are used by > higher layers to ensure that data was not corrupted in > intermediate routers or by the sending or receiving host. > The fact that checksums are typically the secondary level of > protection has often led to suggestions that checksums are > superfluous. Hard won experience, however, has shown that > checksums are necessary. Software errors (such as buffer > mismanagement) and even hardware errors (such as network > adapters with poor DMA hardware that sometimes fail to fully > DMA data) are surprisingly common [let alone memory faults! > RP] and checksums have been very useful in protecting > against such errors."[0] I'll ask again, since you keep just trashing other people's code. I'm getting ready to declare you a kook, because I suspect you're going to suggest we change ethernet header and IP headers or prohibit NAT.