Date:	Tue, 11 Jun 2013 09:00:38 +0100
From:	Tom Parkin <tparkin@...alix.com>
To:	Ben Hutchings <bhutchings@...arflare.com>, davem@...emloft.net
Cc:	netdev@...r.kernel.org, jchapman@...alix.com
Subject: Re: [PATCH] l2tp: avoid checksum offload for fragmented packets

On Wed, Jun 05, 2013 at 01:57:57PM +0100, Ben Hutchings wrote:
> On Wed, 2013-06-05 at 10:41 +0100, Tom Parkin wrote:
> > On Mon, Jun 03, 2013 at 03:44:12PM +0100, Ben Hutchings wrote:
> > > On Mon, 2013-06-03 at 08:49 +0100, Tom Parkin wrote:
> > > > Hardware offload for UDP datagram checksum calculation doesn't work with
> > > > fragmented IP packets -- the device will note the fragmentation and leave the
> > > > UDP checksum well alone.
> > > > 
> > > > As such, if we expect the L2TP packet to be fragmented by the IP layer we need
> > > > to perform the UDP checksum ourselves in software (ref: net/ipv4/udp.c).
> > > >
> > > > This change modifies the L2TP xmit path to fallback to software checksum
> > > > calculation if the L2TP packet + IP header exceeds the tunnel device MTU.
> > > [...]
> > > 
> > > Surely this should be done in the IP stack when fragmenting, not in any
> > > particular client?
> > > 
> > 
> > Hmm, that's a good question.
> > 
> > I'm not sure it makes sense to push this down into the IP layer, though.  Since 
> > it's the UDP checksum we're calculating, it seems reasonable to handle it at 
> > the UDP layer (which is where L2TP sits when using UDP encapsulation).
> 
> TCP, UDP and similar checksums can be handled generically, e.g. if
> dev_hard_start_xmit() finds the device doesn't actually do checksum
> offload then it calls skb_checksum_help() to fill it in.  I was thinking
> that since the IP layer makes the decision to fragment then it should
> also be responsible for filling in the checksum before doing so.  Why
> should the transport layer protocol have to guess?

Fair point!

I suppose an argument can be made either way, so really it comes down to a
question of taste and a feel for how the net tree "should" handle
this.

Dave -- could you give me a steer?  Are you happy to keep this kind of
calculation in the transport layer, or should I look to push something
generic into the IP code?

Thanks,
Tom
-- 
Tom Parkin
Katalix Systems Ltd
http://www.katalix.com
Catalysts for your Embedded Linux software development
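
The fallback rule discussed in this thread, as an added userspace sketch (not part of the original message, the patch, or kernel code): a datagram that will not fit the MTU gets its UDP checksum computed in software, otherwise the field is left for the device. The function names, the fixed 20-byte IPv4 header, and the sample addresses and payload are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IPV4_HDR_LEN 20 /* assumption: IPv4 header without options */

/* Add big-endian 16-bit words to a running one's-complement sum. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t len)
{
    for (; len > 1; p += 2, len -= 2)
        sum += (uint32_t)p[0] << 8 | p[1];
    if (len) /* an odd trailing byte is padded with zero */
        sum += (uint32_t)p[0] << 8;
    return sum;
}

/* RFC 768 checksum over the IPv4 pseudo-header, UDP header and payload.
 * The checksum field (udp[6..7]) must be zero on entry. */
uint16_t udp4_csum(const uint8_t src[4], const uint8_t dst[4],
                   const uint8_t *udp, size_t udp_len)
{
    uint8_t ph[12] = { 0 };
    uint32_t sum;
    memcpy(ph, src, 4);
    memcpy(ph + 4, dst, 4);
    ph[9] = 17; /* IPPROTO_UDP */
    ph[10] = (uint8_t)(udp_len >> 8);
    ph[11] = (uint8_t)udp_len;
    sum = csum_add(csum_add(0, ph, sizeof(ph)), udp, udp_len);
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    sum = ~sum & 0xffff;
    return sum ? (uint16_t)sum : 0xffff; /* 0 on the wire means "none" */
}

/* Hypothetical xmit helper: returns the checksum written into the datagram,
 * or 0 when it fits the MTU and the field is left for the device. */
uint16_t udp4_xmit_csum(const uint8_t src[4], const uint8_t dst[4],
                        uint8_t *udp, size_t udp_len, size_t mtu)
{
    uint16_t c;
    udp[6] = udp[7] = 0;
    if (udp_len + IPV4_HDR_LEN <= mtu)
        return 0; /* no fragmentation expected: offload is usable */
    c = udp4_csum(src, dst, udp, udp_len);
    udp[6] = (uint8_t)(c >> 8);
    udp[7] = (uint8_t)c;
    return c;
}

/* Constructed sample: 1508-byte datagram, ports 1701, documentation IPs. */
uint16_t demo_xmit(size_t mtu)
{
    static const uint8_t src[4] = { 192, 0, 2, 1 }, dst[4] = { 192, 0, 2, 2 };
    uint8_t udp[1508] = { 0x06, 0xa5, 0x06, 0xa5, 0x05, 0xe4, 0, 0, 1, 2, 3, 4 };
    return udp4_xmit_csum(src, dst, udp, sizeof(udp), mtu);
}
```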
