On 28 Sep 2015, at 11:25, Paul Vixie wrote:
Robert Edmonds wrote:
...
I am also curious why a cryptographic hash function (SHA-1) is needed
for this. Is a fast non-cryptographic checksum not suitable (e.g.,
CRC-32C, which can be computed in hardware on x86 CPUs)?
in currently theorized attacks, the udp checksum is fooled by altering
two parts of a fragment:
first, alter the part you want to use to inject poison into a cache.
second, alter something else to fix up the checksum based on the first
alteration.
if CRC-32C is immune to that attack, i havn't heard, but i'd believe.
Note that he said "e.g.". There are other algorithms much faster than
SHA-1 that would work as well, such as the one in draft-eastlake-fnv.
--Paul Hoffman
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
