UDP checksums and inband control messages

Derek Fawcus dfawcus+lists-wireguard at employees.org
Tue Feb 20 02:05:20 CET 2018


I see from the code that currently the kernel UDP sockets
have checksums enabled.  I also note the message from
November speculating upon if in band control messages
should be added.

One thing I was pondering recently in the context of UDP tunnelling,
is that one doesn't really need to have UDP checksums on the
encapsulating packet, since they payload itself is eventually
protected by its IPv4 header checksum, and likewise its transport
payload being protected by its own TCP/UDP/etc checksum.
[OK - some exceptions, but valid to a first approximation]

In the case of a crypto tunnel tunnel when using a
verified / authenticated crypto algorithm, any lower level
UDP checksum is even more redundent.

The one place where UDP checksums would stil seem to be useful
is for any in band control messages, if they were themselves
not covered by the crypto layer.  i.e. c.f. OpenVPN and
its payload vs control messages.

Which then got me to thinking that one could sort of cheat,
and use the checksum field in the UDP header as an indicator
of if the payload is control or data.  All zero bits for
data, none zero (including 0xffff) for control.

This would also have the advantage that if one is using a system
without support for h/w checksum offload, one gets to save a
bit of CPU;  however that may or may not be significant depending
upon just if/when packet memory if touched, and by which cores
in a system.  i.e. I'm pondering a non Linux kernel implementation.

So - thoughts?  Is it worth doing something like this for wireguard?

DF


More information about the WireGuard mailing list