IPSEC: "bad checksum"

2010-01-21 Thread Toni Mueller
Hi,

today I see tons of these on a 4.6-stable/amd64 machine (sample):

17:21:00.848135 esp 1.1.1.1 > 2.2.2.2 spi 0x54d46678 seq 132642 len 84 (DF) (ttl 64, id 49897, len 104, bad cksum 0! differs by 8b3c)
17:21:00.859630 esp 2.2.2.2 > 1.1.1.1 spi 0x87b9932c seq 89638 len 324 (ttl 46, id 63366, len 344)
17:21:00.860346 esp 1.1.1.1 > 2.2.2.2 spi 0x54d46678 seq 132643 len 324 [tos 0xb8] (ttl 64, id 40719, len 344, bad cksum 0! differs by ed6e)
17:21:00.866788 esp 2.2.2.2 > 1.1.1.1 spi 0x87b9932c seq 89639 len 1028 (ttl 46, id 22841, len 1048)
17:21:00.867366 esp 1.1.1.1 > 2.2.2.2 spi 0x54d46678 seq 132644 len 84 (DF) (ttl 64, id 58626, len 104, bad cksum 0! differs by 6923)
17:21:00.874786 esp 2.2.2.2 > 1.1.1.1 spi 0x87b9932c seq 89640 len 756 (ttl 46, id 57720, len 776)
17:21:00.888078 esp 2.2.2.2 > 1.1.1.1 spi 0x87b9932c seq 89641 len 324 (ttl 46, id 50367, len 344)
17:21:00.890475 esp 1.1.1.1 > 2.2.2.2 spi 0x54d46678 seq 132645 len 324 [tos 0xb8] (ttl 64, id 11430, len 344, bad cksum 0! differs by 5fd8)
17:21:00.912343 esp 1.1.1.1 > 2.2.2.2 spi 0x54d46678 seq 132646 len 84 (DF) (ttl 64, id 28840, len 104, bad cksum 0! differs by dd7d)
17:21:00.918568 esp 2.2.2.2 > 1.1.1.1 spi 0x87b9932c seq 89642 len 324 (ttl 46, id 19061, len 344)
17:21:00.920435 esp 1.1.1.1 > 2.2.2.2 spi 0x54d46678 seq 132647 len 324 [tos 0xb8] (ttl 64, id 33521, len 344, bad cksum 0! differs by 98d)
17:21:00.949296 esp 2.2.2.2 > 1.1.1.1 spi 0x87b9932c seq 89643 len 324 (ttl 46, id 24659, len 344)
17:21:00.950417 esp 1.1.1.1 > 2.2.2.2 spi 0x54d46678 seq 132648 len 324 [tos 0xb8] (ttl 64, id 56867, len 344, bad cksum 0! differs by ae5a)
17:21:00.959740 esp 2.2.2.2 > 1.1.1.1 spi 0x87b9932c seq 89644 len 84 (ttl 46, id 12621, len 104)
17:21:00.977666 esp 2.2.2.2 > 1.1.1.1 spi 0x87b9932c seq 89645 len 324 (ttl 46, id 30599, len 344)

The 2.2.2.2 machine runs an older version of OpenBSD, but is now slated to be
upgraded RSN.



Kind regards,
--Toni++



Re: IPSEC: "bad checksum"

2010-01-21 Thread Christian Weisgerber
Toni Mueller  wrote:

> today I see tons of these on a 4.6-stable/amd64 machine (sample):
> 
> 17:21:00.848135 esp 1.1.1.1 > 2.2.2.2 spi 0x54d46678 seq 132642 len 84
> (DF) (ttl 64, id 49897, len 104, bad cksum 0! differs by 8b3c)

This looks like outgoing packets on an interface that does IPv4
header checksumming in hardware.  tcpdump sees the packets before
the checksum is actually filled in.  This has nothing to do with
IPsec.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de
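
A triage sketch for the pattern described above, added here as an example and not part of the thread: it rejoins mail-wrapped tcpdump lines and separates "bad cksum 0!" on locally sent packets (consistent with transmit checksum offload) from bad checksums that need a closer look. Treating 1.1.1.1 as the capturing host is an assumption based on the ttl 64 side of the sample, and the fourth sample packet is constructed.

```python
import re
from collections import Counter

TS = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{6} ")   # tcpdump timestamp starts a packet
HDR = re.compile(r"^\S+ esp (\S+) > (\S+) ")      # source and destination address
BAD = re.compile(r"bad cksum ([0-9a-f]+)!")       # checksum field value as captured

# First three packets come from the thread's sample (mail-wrapped as posted);
# the fourth is constructed to show a case that offload does NOT explain.
SAMPLE = """\
17:21:00.848135 esp 1.1.1.1 > 2.2.2.2 spi 0x54d46678 seq 132642 len 84 (DF)
(ttl 64, id 49897, len 104, bad cksum 0! differs by 8b3c)
17:21:00.859630 esp 2.2.2.2 > 1.1.1.1 spi 0x87b9932c seq 89638 len 324 (ttl 46,
id 63366, len 344)
17:21:00.860346 esp 1.1.1.1 > 2.2.2.2 spi 0x54d46678 seq 132643 len 324 [tos
0xb8] (ttl 64, id 40719, len 344, bad cksum 0! differs by ed6e)
17:21:01.000001 esp 2.2.2.2 > 1.1.1.1 spi 0x87b9932c seq 89646 len 84 (ttl 46,
id 4242, len 104, bad cksum 3f1c! differs by 12)
"""

def rejoin(raw):
    """Undo mail wrapping: a line without a timestamp continues the previous packet."""
    packets = []
    for part in raw.splitlines():
        part = part.strip()
        if not part:
            continue
        if TS.match(part) or not packets:
            packets.append(part)
        else:
            packets[-1] += " " + part
    return packets

def triage(raw, local_addrs):
    """Count packets per verdict and return the lines that still need investigation."""
    counts, suspects = Counter(), []
    for line in rejoin(raw):
        hdr = HDR.match(line)
        if not hdr:
            continue
        bad = BAD.search(line)
        if bad is None:
            counts["ok"] += 1
        elif hdr.group(1) in local_addrs and int(bad.group(1), 16) == 0:
            # Sent by this host with the field still zero: the NIC fills it in
            # after the point where tcpdump sees the packet.
            counts["tx_offload_artifact"] += 1
        else:
            counts["investigate"] += 1
            suspects.append(line)
    return counts, suspects
```

Calling `triage(SAMPLE, {"1.1.1.1"})` leaves only the constructed inbound packet in the list to investigate; a bad checksum on received traffic, or a non-zero wrong value on sent traffic, is not covered by the offload explanation.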



Re: IPSEC: "bad checksum"

2010-01-22 Thread Toni Mueller
Hi,

On Thu, 21.01.2010 at 21:48:01 +, Christian Weisgerber  
wrote:
> Toni Mueller  wrote:
> > today I see tons of these on a 4.6-stable/amd64 machine (sample):
> > 17:21:00.848135 esp 1.1.1.1 > 2.2.2.2 spi 0x54d46678 seq 132642 len 84
> > (DF) (ttl 64, id 49897, len 104, bad cksum 0! differs by 8b3c)
> 
> This looks like outgoing packets on an interface that does IPv4
> header checksumming in hardware.  tcpdump sees the packets before
> the checksum is actually filled in.  This has nothing to do with
> IPsec.

thanks for the explanation. I didn't think of it, but it's a bge(4)
interface.


Kind regards,
--Toni++



Re: IPSEC: "bad checksum"

2010-01-22 Thread Adriaan
On Fri, Jan 22, 2010 at 9:58 AM, Toni Mueller  wrote:
> Hi,
>
> On Thu, 21.01.2010 at 21:48:01 +, Christian Weisgerber 
>  wrote:
>> Toni Mueller  wrote:
>> > today I see tons of these on a 4.6-stable/amd64 machine (sample):
>> > 17:21:00.848135 esp 1.1.1.1 > 2.2.2.2 spi 0x54d46678 seq 132642 len 84
>> > (DF) (ttl 64, id 49897, len 104, bad cksum 0! differs by 8b3c)
>>
>> This looks like outgoing packets on an interface that does IPv4
>> header checksumming in hardware.  tcpdump sees the packets before
>> the checksum is actually filled in.  This has nothing to do with
>> IPsec.
>
> thanks for the explanation. I didn't think of it, but it's a bge(4)
> interface.

From bge(4)

 The bge driver supports IPv4 IP, TCP, and UDP checksum offload for
 receive, IP checksum offload for transmit, VLAN tag insertion and
 stripping, as well as a 256-bit multicast hash filter.  The BCM5723, BCM5754,
 BCM5755, BCM5761, BCM5764, BCM5784, BCM5785, BCM5787 and BCM577x0 chips
 also support IPv6 receive TCP/UDP checksum offload.

A netstat -ss will show if it is used. You will see entries like

 6575 input datagrams checksum-processed by hardware
 5765 output datagrams checksum-processed by hardware

=Adriaan=