LinuxLists.cc - incorrect TCP checksum on sent TCP-MD5 packets (2.6.20-rc5)

2007-01-14 20:16:11

Subject: incorrect TCP checksum on sent TCP-MD5 packets (2.6.20-rc5)

Hi,

I'm using the new TCP-MD5 option in 2.6.20-rc4 and rc5
to talk BGP to cisco routers.
My box connects to the cisco, and the handshake looks fine:
SYN, SYN/ACK, ACK all have md5 option and correct TCP checksums.

All packets after that, i.e. the ones with payload data,
have wrong TCP checksums, quoth wireshark.
The same happens if the cisco connects: the first, "empty" packet
is ok, packets with payload aren't.

Am I doing something wrong? Or is this a bug?

I'll gladly send tcpdumps if it helps.

Thanks for your help,
Torsten

2007-01-15 18:17:21

by Stephen Hemminger

[permalink] [raw]

Subject: Re: incorrect TCP checksum on sent TCP-MD5 packets (2.6.20-rc5)

On Sun, 14 Jan 2007 20:32:34 +0100
Torsten Luettgert <[email protected]> wrote:

> Hi,
>
> I'm using the new TCP-MD5 option in 2.6.20-rc4 and rc5
> to talk BGP to cisco routers.
> My box connects to the cisco, and the handshake looks fine:
> SYN, SYN/ACK, ACK all have md5 option and correct TCP checksums.
>
> All packets after that, i.e. the ones with payload data,
> have wrong TCP checksums, quoth wireshark.
> The same happens if the cisco connects: the first, "empty" packet
> is ok, packets with payload aren't.
>
> Am I doing something wrong? Or is this a bug?
>
> I'll gladly send tcpdumps if it helps.
>
> Thanks for your help,
> Torsten

Are you running over a device that does checksum offload?

--
Stephen Hemminger <[email protected]>

2007-01-16 11:25:16

by Torsten Lüttgert

[permalink] [raw]

Subject: Re: incorrect checksum on sent TCP-MD5 packets (2.6.20-rc5)

On Mo, 2007-01-15 at 10:15 -0800, Stephen Hemminger wrote:

> Are you running over a device that does checksum offload?

Ooh, I'm feeling stupid now. Yes, I was. Turns out the problem
are the md5 checksums after all. Crypto-enabled tcpdump says:

11:05:42.856702 IP (tos 0x0, ttl 64, id 35129, offset 0, flags [DF],
proto: TCP (6), length: 80) 212.87.33.4.60565 > 212.87.49.254.bgp: S,
cksum 0x4a03 (correct), 1122127063:1122127063(0) win 5840 <mss
1460,sackOK,timestamp 63686126 0,nop,wscale 5,nop,nop,md5:valid>

11:05:42.871809 IP (tos 0x0, ttl 253, id 0, offset 0, flags [none],
proto: TCP (6), length: 64) 212.87.49.254.bgp > 212.87.33.4.60565: S,
cksum 0x0cc9 (correct), 2943414712:2943414712(0) ack 1122127064 win
16384 <mss 516,md5:valid,eol>

11:05:42.872085 IP (tos 0x0, ttl 64, id 35130, offset 0, flags [DF],
proto: TCP (6), length: 60) 212.87.33.4.60565 > 212.87.49.254.bgp: .,
cksum 0x4160 (correct), ack 1 win 5840 <nop,nop,md5:valid>

11:05:42.872150 IP (tos 0x0, ttl 64, id 35131, offset 0, flags [DF],
proto: TCP (6), length: 105) 212.87.33.4.60565 > 212.87.49.254.bgp: P,
cksum 0x54ec (correct), 1:46(45) ack 1 win 5840 <nop,nop,md5:invalid>:
BGP, length: 45
...

- Torsten