
Longer answer: A router which implements just the router functionality does not and cannot verify UDP and TCP checksums. However, routers do exist with additional functionality. If the router has NAT and/or firewall functionality, the answer may differ.

There are many reasons for a router not to verify the checksums:

- The packet may be fragmented such that the checksum (which is only present in the first fragment) covers all the fragments.
- It adds needless complexity which makes it harder to implement - in particular if you want a hardware implementation rather than a software implementation.

However, if the router simultaneously implements NAT and/or a firewall, then it has to consider the higher level protocol. If it mangles the packet (which NAT by definition does), then the transport layer checksum is no longer valid, so it has to be updated. That eliminates one reason not to verify the checksum.

Updating the checksum can be done without verifying the old checksum or computing the new checksum from scratch. Instead the old checksum can be modified to only compensate for the changes made to the actual packet. This is possible due to the way the checksums work. Since the fields NAT needs to mangle are in the same packet as the checksum, this makes it possible for NAT to mangle the packet and update the checksum without needing to fully reassemble the packets. (Unfortunately all the other fragments don't have the full information needed by the NAT to route the packet, so a NAT device still needs to keep state about other fragments and in some cases buffer fragments until it knows where to send them.)

A firewall may want to perform inspections on the packet covering data across multiple fragments. If it is going to inspect the entire reassembled packet, then verifying the checksum as well is a good idea, otherwise invalid packets could be constructed which will pass validation in the firewall and then only need a single bitflip to be turned into a malicious packet with a valid checksum. It would require a lot of luck to exploit, but nevertheless is worth protecting against if the firewall is going to reassemble the packet for inspection anyway.
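The incremental update the answer describes (modify the old checksum to compensate only for the rewritten fields, without recomputing from scratch) is what RFC 1624 calls equation 3, HC' = ~(~HC + ~m + m'). The following is an added, stand-alone worked example, not code from the original answer: it builds a constructed IPv4/UDP segment with made-up documentation addresses and ports, rewrites the source address and port the way a NAT would, patches the UDP checksum incrementally, and checks the patched value against a full recomputation. It also shows the verification check a firewall would run, and that a single bit flip in the payload fails it. The helper and function names are this example's own.

```python
"""Incremental UDP checksum update for NAT (RFC 1624, equation 3).

Constructed example; addresses and ports come from the RFC 5737
documentation ranges and the payload is made up.
"""
import ipaddress
import struct

UDP_PROTO = 17


def ones_complement_sum(data: bytes) -> int:
    """Add 16-bit big-endian words with end-around carry; no final inversion."""
    if len(data) % 2:
        data += b"\x00"  # an odd trailing byte is padded with a zero byte
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src: str, dst: str, length: int) -> bytes:
    """IPv4 pseudo-header that the UDP checksum also covers."""
    return (ipaddress.IPv4Address(src).packed
            + ipaddress.IPv4Address(dst).packed
            + struct.pack("!BBH", 0, UDP_PROTO, length))


def udp_checksum(src: str, dst: str, segment: bytes) -> int:
    """Checksum from scratch: pseudo-header + segment with the checksum field zeroed."""
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    csum = (~ones_complement_sum(pseudo_header(src, dst, len(segment)) + zeroed)) & 0xFFFF
    return csum or 0xFFFF  # UDP sends a computed 0 as 0xFFFF; 0 on the wire means "no checksum"


def build_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Assemble a UDP segment with a correct checksum."""
    segment = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return segment[:6] + struct.pack("!H", udp_checksum(src, dst, segment)) + segment[8:]


def udp_checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    """What a verifier (e.g. a reassembling firewall) checks: the sum over
    pseudo-header + segment, checksum field included, must be 0xFFFF."""
    if segment[6:8] == b"\x00\x00":
        return True  # IPv4 UDP: the sender did not compute a checksum
    return ones_complement_sum(pseudo_header(src, dst, len(segment)) + segment) == 0xFFFF


def incremental_update(old_csum: int, old_words: bytes, new_words: bytes) -> int:
    """RFC 1624 eq. 3, HC' = ~(~HC + ~m + m'), summed over every changed 16-bit word.

    Only the old and new values of the rewritten fields are needed; the rest
    of the packet (and any later fragments) is never read."""
    acc = (~old_csum) & 0xFFFF                                        # ~HC
    acc += ones_complement_sum(bytes(b ^ 0xFF for b in old_words))    # ~m
    acc += ones_complement_sum(new_words)                             # m'
    while acc >> 16:
        acc = (acc & 0xFFFF) + (acc >> 16)
    return (~acc) & 0xFFFF


def nat_rewrite_source(src: str, segment: bytes, new_src: str, new_sport: int):
    """Rewrite source IP (pseudo-header) and source port (UDP header) as a NAT
    would, patching the UDP checksum in place. Returns (new_src, new_segment)."""
    old_words = ipaddress.IPv4Address(src).packed + segment[0:2]
    new_words = ipaddress.IPv4Address(new_src).packed + struct.pack("!H", new_sport)
    old_csum = struct.unpack("!H", segment[6:8])[0]
    if old_csum == 0:
        new_csum = 0  # no checksum present; leave it absent rather than inventing one
    else:
        new_csum = incremental_update(old_csum, old_words, new_words) or 0xFFFF
    new_segment = struct.pack("!H", new_sport) + segment[2:6] + struct.pack("!H", new_csum) + segment[8:]
    return new_src, new_segment


def demo() -> bool:
    """Patch incrementally, then confirm it matches a from-scratch recomputation."""
    src, dst = "192.0.2.10", "198.51.100.7"
    seg = build_udp(src, dst, 40000, 53, b"constructed payload for the checksum demo")
    nat_src, nat_seg = nat_rewrite_source(src, seg, "203.0.113.1", 61000)
    patched = struct.unpack("!H", nat_seg[6:8])[0]
    return patched == udp_checksum(nat_src, dst, nat_seg) and udp_checksum_ok(nat_src, dst, nat_seg)


if __name__ == "__main__":
    print("incremental update matches full recomputation:", demo())
```

The point worth noticing is that `incremental_update` never looks at the payload, so a NAT holding only the first fragment can still emit a valid checksum; the price, as the answer notes, is that the update is blind to whether the old checksum was correct in the first place, which is why a firewall that reassembles anyway should run `udp_checksum_ok` rather than trust it.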
