56:55 Berkeley System Distribution (BSD), Andrea Ross English 2013


This talk introduces the OpenIKED project, the latest portable subproject of OpenBSD. OpenIKED is a FREE implementation of the most advanced Internet security Virtual Private Network (VPN) protocol, "Internet Key Exchange version 2 (IKEv2)", using the strongest security, authentication and encryption techniques. The project was born out of the need for a modern Internet Protocol Security (IPsec) implementation for OpenBSD, but also for interoperability with the IKEv2 client integrated into Windows since Windows 7 and to provide a compliant solution for the US Government IPv6 (USGv6) standard. The project is still under active development; it was started by Reyk Floeter as "iked" for OpenBSD in 2010 and was ported to other platforms, including Linux, FreeBSD and NetBSD, in late 2012 under the "OpenIKED" project name.
  • Published: 2013
  • Publisher: Berkeley System Distribution (BSD), Andrea Ross
  • Language: English
48:45 Berkeley System Distribution (BSD), Andrea Ross English 2013

The surprising complexity of checksums in TCP/IP

The well-known IP and TCP/UDP (and less well-known ICMP) checksums seem pretty much straightforward. Digging into the network stack reveals surprising complexity in handling and updating them. The rise of hardware checksum offloading didn't exactly make things easier. It goes so far that the old "pseudo header checksum" hack, where parts of the checksum are precalculated on the template PCBs and updated on the way out, made its way into some of the hardware offloading engines. The talk explains how IP and protocol (UDP/TCP and ICMP) checksums are handled in the OpenBSD network stack and pf, both traditionally and after the redesign. This includes a closer look at the performance impact: while the IP checksum only covers the header, the protocol checksums cover the entire payload, which makes them comparatively expensive to verify and recalculate. While the actual math is dirt cheap, the data access is not, and for forwarded packets we would not access the payload otherwise. Several different output paths, such as the regular IP output, the bridging case and various tunneling/encapsulation mechanisms, make things harder. The redesigned checksumming mechanism pretty much centralizes the checksum handling instead of having it all over the place, making dealing with the checksums in the rest of the stack much easier. It also allows us to benefit a little more from the NICs' offloading capabilities and fixes a long-standing bug which prevented us from enabling protocol checksum offloading on the RX side on many chipsets.
  • Published: 2013
  • Publisher: Berkeley System Distribution (BSD), Andrea Ross
  • Language: English