May 1996 - dns-wg - mailman.ripe.net

UPD checksumming for Digital Unix Nameserver
by Pulak Rakshit 08 May '96

08 May '96

---------- From: Ray "The Dragon" Lauff[SMTP:ray@thunder.ocis.temple.edu] Sent: 08 May 1996 12:10 To: Alpha Mailing List; gurus(a)thunder.ocis.temple.edu; John Center Cc: pulakr(a)cableol.net Subject: SUMMARY: UPD checksumming for Digital Unix Nameserver First off, thanks for all the replies. It would appear that Digital Unix indeed does do UDP checksums by default. The checksum is across the header and contents of each UDP packet sent across the network and is required by several RFCs. You can use the netconfig(8) tool if you have it, which will display the state of several kernel networking settings. I obtained netconfig from: ftp://ftp.std.com/customers3/src/network/netconfig.tar.gz It compiled easily on DU 3.2. If you don't want to use netconfig, you can use dbx to examine the appropriate variable as follows: -- root> dbx /vmunix dbx version 3.11.8 Type 'help' for help. (dbx) p udpcksum 1 ---- If for some reason you want to turn it off (why...I don't know...) you can use: echo 'assign udpcksum=0' | dbx -k /vmunix /dev/mem As Chris Jankowski said in his email: "Not checking checksums on received packets was a hack to squeeze last drop of performance from an overloaded CPU. The rationale given was that the networks no longer corrupt packets or that the higher layer of protocols will do it. (:-))." The following people were helpful in their responses: Kevin Oberman <oberman(a)nersc.gov> Stuart Davidson <dav(a)mas.eurocontrol.be> Chris Jankowski <chris(a)lagoon.meo.dec.com> Dan Riley <dsr(a)lns598.lns.cornell.edu> Phil LAwrence <philip(a)uvo.dec.com> Matt Thomas <thomas(a)lkg.dec.com> Thanks again folks! Ray -- Ray Lauff : ray(a)thunder.ocis.temple.edu : (215) 204-5678 : Temple University

1 0

DNS and UDP checksum
by Francis Dupont 08 May '96

08 May '96

#<text/plain; charset=iso-8859-1 Here is a technical note about UDP checksums (which should be mandatory for DNS, perhaps we should write a RFC about this ?) Francis.Dupont(a)inria.fr IP checksums are the 1-complement of the 1-complement sum of a part of the packet viewed as a 16-bit integer vector. There are two zeros in the 1-complement arithmetic, 0x0000 and 0xffff. Usually only 0x0000 is the legal value but for UDP/IPv4 zeros have special meanings because the checksum is optional (but must be enabled by default, cf RFC 1122 4.1.3.4 page 78-79) : - 0x0000 means the checksum is not used - 0xffff means the checksum is used and its value is zero Unix OSs have a kernel flag named usually "udpcksum" settable by a binary editor, config tools (like sysctl, ndd, no, ...) and defined in .../sys/netinet/in_proto.c which is distributed in the source form in order to allow the setting of various TCP/IP flags. On output 4.4 BSD Lite code is (cf TCP/IP Illustrated vol 2) : /* * Stuff checksum and output datagram. */ ui->ui_sum = 0; if (udpcksum) { if ((ui->ui_sum = in_cksum(m, sizeof (struct udpiphdr) + len)) == 0) ui->ui_sum = 0xffff; } (lines 388-395 of .../sys/netinet/udp_usrreq.c) On input the code is : /* * Checksum extended UDP header and data. */ if (udpcksum && uh->uh_sum) { ((struct ipovly *)ip)->ih_next = 0; ((struct ipovly *)ip)->ih_prev = 0; ((struct ipovly *)ip)->ih_x1 = 0; ((struct ipovly *)ip)->ih_len = uh->uh_ulen; if (uh->uh_sum = in_cksum(m, len + sizeof (struct ip))) { udpstat.udps_badsum++; m_freem(m); return; } } (lines 107-120 of .../sys/netinet/udp_usrreq.c) The best way to test whether the UDP checksum is enabled is to see if the field is 0x0000 or not with a tool like etherfind, snoop, tcpdump (just try the command tcpdump udp port 53 and 'udp[6:2] == 0' if you believe this problem is anecdotal :-). The ZoneCheck tool written by Benont Grangi for the NIC France (available at URL:http://www.nic.fr/ZoneCheck/sources.html) uses a little tool named ckudpcksum which can give an hint (URL:ftp://ftp.nic.fr/pub/programmes/DNS/ckudpcksum.tar.gz). It sends UDP packets with a *wrong* checksum in order to see if the target host verified checksums of incoming UDP packets. It is a legitimate test for a new DNS server and can be used with DNS clients where UDP checksums for incoming and outgoing packets are not managed independently (it was the first purpose of this program but it is not possible to do it very easily and I have suggested this trick to Benont).

3 2

RE: Charging by local IRs
by Wilfried Woeber, UniVie/ACOnet 05 May '96

05 May '96

Daniel said: = > "Wilfried Woeber, UniVie/ACOnet" <woeber(a)cc.univie.ac.at> writes: = > . Either store the documents where they are maintained = > --> broken links, eventually. = =I do not expect much volatility in this area. Also the new setup of =the RIPE docstore will note this as it happens and it can be fixed quickly. = = > . Or store the documents alongside with the parent doc at the RIPE-NCC = > --> non-trivial to make the access "secure" and at the same time = > resonably comfortable to ensure regular updates. = =This is slightly more involved and therefore 2nd choice. I stil think that it would be much simpler to put any relevant urls into the TLD-objects in the RIPE-DB, either in a remark: attribute or in the (proposed) url: attribute. Wilfried. BTW, technical curiosity: how do you intend to keep track of dangling pointers in the "new RIPE Web"? Carol mentioned that aspect briefly in the plenary report but didn't go into details... -------------------------------------------------------------------------- Wilfried Woeber : e-mail: Woeber(a)CC.UniVie.ac.at Computer Center - ACOnet : Vienna University : Tel: +43 1 4065822 355 Universitaetsstrasse 7 : Fax: +43 1 4065822 170 A-1010 Vienna, Austria, Europe : NIC: WW144 --------------------------------------------------------------------------

2 1