This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Home Products Support Community News


Re: [Xen-devel] Xen checksumming bug with IPsec ESP packets

To: Nivedita Singhvi <nsnix@xxxxxxxxxxx>
Subject: Re: [Xen-devel] Xen checksumming bug with IPsec ESP packets
From: "Jonathan M. McCune" <jmmccune@xxxxxxxxxxx>
Date: Thu, 04 Aug 2005 21:06:27 -0400
Cc: xen-devel@xxxxxxxxxxxxxxxxxxx, caceres@xxxxxxxxxx, "Jonathan M. McCune" <jonmccune@xxxxxxx>, jaegert@xxxxxxxxxx, sailer@xxxxxxxxxx
Delivery-date: Fri, 05 Aug 2005 01:05:31 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <42F2BAD6.3020400@xxxxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References: <42F0F054.9030003@xxxxxxx> <e82174aa4369ea9370eccca5d8b31d71@xxxxxxxxxxxx> <42F2BAD6.3020400@xxxxxxxxxxx>
Reply-to: jonmccune@xxxxxxx
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mozilla Thunderbird 1.0 (Windows/20041206)
I can test patches until the end of August.


Nivedita Singhvi wrote:

Keir Fraser wrote:

On 3 Aug 2005, at 17:27, Jonathan M. McCune wrote:

We fixed this by removing the addition of flag NETIF_F_IP_CSUM in drivers/xen/netfront/netfront.c:create_netdev(). I believe this tells the kernel to just always do the checksum in software. Thus, the broken optimization for TCP/UDP packets gets bypassed.

Permanent Solution:


That's why I posted this message... :-)

I suspect the ESP code would need to be made aware of the csum_blank field, and fill in before forwarding. There are doubtless other paths that may need similar tweaks (e.g., NAT IP masquerading is untested I think, although there's a fair chance it'll just work).

Apart from the above 'proper fix', simple not-so-hacky solutions include:
 * Run 'ethtool -K tx off' in each domU
* Add an option to netback in domain0 to fill in checksums itself if not done by domU. * Allow netback to advertise to domUs whether it accepts non-checksummed packets, and have an option to set this advertisement when you start netback.

Keir, Jonathan,

I stuck the above in a bugzilla entry (#143) just for better
tracking.  Jonathan, would you be able to test patches?


Xen-devel mailing list

<Prev in Thread] Current Thread [Next in Thread>