On Sunday, January 26, 2020 3:58:31 PM CET Pete Biggs
wrote:> > what does Centos 7 do with UPD packets having invalid checksums?
>
> By default I assume they are just dropped - that's what should happen.
Hm that's what thought.
> > Are such packets inevitably dropped?
>
> Applications can specifically disable checksum checking for the kernel
> network stack on a per application basis, but the default is to check
> and drop if in error.
Ok, I wouldn't expect asterisk to disable checksumming by default.
> > Does a network card drop them when it
> >
> > does checksum verification in hardware even before the packets go
> > anywhere?
>
> Depends on the hardware. I suspect that most modern cards allow the OS
> to offload the checksum functions. You can check with, e.g.,
>
> ethtool --show-offload eth0
If it was so easy:
Features for bond0:
rx-checksumming: off [fixed]
tx-checksumming: on
tx-checksum-ipv4: off [fixed]
tx-checksum-ip-generic: on
tx-checksum-ipv6: off [fixed]
tx-checksum-fcoe-crc: off [fixed]
tx-checksum-sctp: off [fixed]
Features for enp5s0:
rx-checksumming: on
tx-checksumming: on
tx-checksum-ipv4: off [fixed]
tx-checksum-ip-generic: on
tx-checksum-ipv6: off [fixed]
tx-checksum-fcoe-crc: off [fixed]
tx-checksum-sctp: off [fixed]
Both physical interfaces show the same. But does this mean it's on as in
"rx-
checksumming: on" or off as in "tx-checksum-ipv4: off [fixed]"?
> > In general, if someone were to send me UPD packets with invalid
checksums
> > over the internet, how far would such packets get?
>
> As far as the checksumming code - either in the hardware or kernel
> network stack. They should be dropped as soon as the checksum fails
> because at that point it shows that the contents are flawed.
Ok, I'll assume I wouldn't receive damaged packages.
> > In particular, how likely it is that SRTP packets sent over the
internet
> > over UPD could be damaged in such a way that the verification of the
> > authentication tag fails when they arrive at the receiver, and how
might
> > such damage be caused?
>
> Don't know - how does any network packet get corrupted? Bad hardware,
> cosmic rays, bad cables, bad source? I would doubt there would be
> anything malicious: why do something to a packet such that it is almost
> guaranteed to be dropped.
Assuming that I do not receive packets with invalid UPD checksums, then the
packages must be somehow altered and their UPD checksums recalculated to
arrive here. Does bad hardware etc. do that? Why would the UDP checksums
just happen to get recalculated correctly but like randomly without intent?
Only when asterisk (i. e. libsrtp) finally verifies the authentication tag of
an SRTP package against the authenticated part of the package --- which,
according to RFC 3711, seems to be the entire payload of the UPD package ---
the verfication fails.
How is that possible?