4 Replies
      Latest reply: Feb 2, 2017 3:05 PM by eskimo
      jsistech Level 1 (0 points)

        It seems that IPv4 UDP packets that have no checksum set (i.e. checksum = 0x0000) are filtered out and cannot be received via a UDP socket that is listening, even though they are valid UDP packets (according to RFC768).

        We are trying to receive IPSec ESP packets that are UDP encapsulated. In this case RFC3948 prescribes that "the IPv4 UDP Checksum SHOULD be transmitted as a zero value".

        We are using POSIX sockets (not raw sockets) and are using the NetworkExtension and are developing for macOS.

        We have tried

        sudo sysctl net.inet.udp.checksum=0
        

        to switch off the checksum checking, but this didn't seem to make any difference.

        Is there a way to receive these packets? Preferably without needing admin rights.

        Thanks

        • Re: How to receive UDP packets that have no checksum
          NotMyName Level 4 (550 points)

          Don't you need to set SO_NO_CHECK to receive those packets?

          Edit:  On the other hand, I notice that setting the checksum to 0 is only a 'should' in the RFC.  Can your sender turn checksums on?

            • Re: How to receive UDP packets that have no checksum
              eskimo Apple Staff (6,055 points)

              Don't you need to set SO_NO_CHECK to receive those packets?

              Maybe on Linux, but this is BSD Sockets (-:  I believe the BSD equivalent is UDP_NOCKSUM.  This, however, disables checksums on the outgoing side.  Similarly, for the net.inet.udp.checksum sysctl.

              On the incoming side UDP seems to treat a checksum of 0 as valid.  Check out the first if statement in udp_input_checksum in the Darwin source.

              Share and Enjoy

              Quinn “The Eskimo!”
              Apple Developer Relations, Developer Technical Support, Core OS/Hardware
              let myEmail = "eskimo" + "1" + "@apple.com"
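
As an added illustration (not code from this thread or from the Darwin source), the following C function applies the RFC 768 rule discussed above to a captured IPv4 UDP datagram: an all-zero checksum field is classified as absent rather than bad, and any other value is verified against the pseudo-header. The names `udp4_classify` and `enum udp_csum` and the sample packet are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum udp_csum { UDP_CSUM_ABSENT, UDP_CSUM_OK, UDP_CSUM_BAD, UDP_CSUM_SHORT };

/* Constructed sample: 192.0.2.1:4500 -> 192.0.2.2:4500, 4-byte payload, checksum 0. */
static const uint8_t SAMPLE_SRC[4] = {192, 0, 2, 1}, SAMPLE_DST[4] = {192, 0, 2, 2};
static const uint8_t SAMPLE_UDP[12] = {0x11,0x94, 0x11,0x94, 0x00,0x0c, 0x00,0x00, 1,2,3,4};

/* One's-complement sum of big-endian 16-bit words; an odd tail byte is zero-padded. */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t acc)
{
    for (; n > 1; p += 2, n -= 2)
        acc += (uint32_t)p[0] << 8 | p[1];
    if (n)
        acc += (uint32_t)p[0] << 8;
    return acc;
}

/* src/dst: IPv4 addresses in network byte order; udp: UDP header plus payload. */
enum udp_csum udp4_classify(const uint8_t src[4], const uint8_t dst[4],
                            const uint8_t *udp, size_t len)
{
    if (len < 8)
        return UDP_CSUM_SHORT;
    size_t ulen = (size_t)udp[4] << 8 | udp[5];
    if (ulen < 8 || ulen > len)
        return UDP_CSUM_SHORT;
    /* RFC 768: an all-zero checksum field means the sender computed none. */
    if (udp[6] == 0 && udp[7] == 0)
        return UDP_CSUM_ABSENT;
    /* Pseudo-header: source, destination, zero, protocol 17, UDP length. */
    const uint8_t tail[4] = { 0, 17, udp[4], udp[5] };
    uint32_t acc = sum16(src, 4, 0);
    acc = sum16(dst, 4, acc);
    acc = sum16(tail, 4, acc);
    acc = sum16(udp, ulen, acc);
    while (acc >> 16)
        acc = (acc & 0xffff) + (acc >> 16);
    /* Summing over a correct checksum field folds to 0xffff. */
    return acc == 0xffff ? UDP_CSUM_OK : UDP_CSUM_BAD;
}

int main(void)
{
    printf("%d\n", (int)udp4_classify(SAMPLE_SRC, SAMPLE_DST, SAMPLE_UDP, sizeof SAMPLE_UDP)); /* 0 = UDP_CSUM_ABSENT */
    return 0;
}
```

Run over datagrams taken from a packet capture, this separates packets that arrive with a zero checksum field from packets whose checksum is actually wrong.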

                • Re: How to receive UDP packets that have no checksum
                  jsistech Level 1 (0 points)

                  Thanks for the prompt reply.

                  The problem, however, seems to be that the checksum verification is offloaded to the NIC. There are kernel parameters (ending in hwcksum_rx, for example) that indicate this. This means that the NIC does not even deliver the UDP packets with a zero checksum to the system and the function udp_input_checksum is not even called.

                  It also seems that the involved kernel parameters cannot be altered (not even when System Integrity Protection is switched off, which would not have been a viable solution anyway).

                  So the question remains, how to get the UDP packets with their checksum set to zero?

                    • Re: How to receive UDP packets that have no checksum
                      eskimo Apple Staff (6,055 points)

                      Honestly that sounds like a bug in the driver; it seems obvious that the driver’s checksum offload should behave the same as kernel’s.

                      I don’t know if there’s a way around this; if you want a definitive answer, you should open a DTS tech support incident and I, or one of my colleagues, can dig into it.

                      Share and Enjoy

                      Quinn “The Eskimo!”
                      Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                      let myEmail = "eskimo" + "1" + "@apple.com"