[EMAIL PROTECTED] wrote:
>> On Tue, 30 Sep 2008, Robert Thurlow wrote:
>>
>>>> Modern NFS runs over a TCP connection, which includes its own data 
>>>> validation.  This surely helps.
>>> Less than we'd sometimes like :-)  The TCP checksum isn't
>>> very strong, and we've seen corruption tied to a broken
>>> router, where the Ethernet checksum was recomputed on
>>> bad data, and the TCP checksum didn't help.  It sucked.
>> TCP does not see the router.  The TCP and ethernet checksums are at 
>> completely different levels.  Routers do not pass ethernet packets. 
>> They pass IP packets. Your statement does not make technical sense.
> 
> I think he was referring to a broken VLAN switch.
> 
> But even then, any active component will take bits from the
> wire, check the MAC, change what is needed and redo the MAC and
> other checksums which needed changes.  The whole packet lives
> in the memory of the switch/router and if that memory is broken
> the packet will be sent damaged.

Which is why you need a network end-to-end strong checksum for iSCSI.  I 
recommend that IPsec AH (at least but in many cases ESP) be deployed. 
If you care enough about your data to set checksum=sha256 for the ZFS 
datasets then make sure you care enough to set up IPsec and use 
HMAC-SHA256 for on-the-wire integrity protection too.

-- 
Darren J Moffat
_______________________________________________
zfs-discuss mailing list
zfs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
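
The failure mode discussed in this thread, as an added example that is not part of the original messages: a simplified Python model (not an IPsec implementation) in which a faulty hop damages a payload in memory and recomputes the per-hop CRC before forwarding. The function names, key and payload are constructed, and HMAC-SHA256 over the payload stands in for the integrity check that IPsec AH/ESP would provide.

```python
import hashlib, hmac, struct, zlib

def inet_checksum(data: bytes) -> int:
    """RFC 1071 16-bit ones' complement checksum (payload only; real TCP
    also covers the header and a pseudo-header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def send(key: bytes, payload: bytes) -> dict:
    """Sender: end-to-end checksum and HMAC tag, plus a per-hop frame CRC."""
    return {"payload": payload,
            "tcp_csum": inet_checksum(payload),
            "tag": hmac.new(key, payload, hashlib.sha256).digest(),
            "fcs": zlib.crc32(payload)}

def faulty_hop(pkt: dict, corrupt) -> dict:
    """Constructed fault: the device damages the payload in its memory, then
    recomputes the per-hop CRC over the damaged bytes before forwarding."""
    bad = corrupt(pkt["payload"])
    return {**pkt, "payload": bad, "fcs": zlib.crc32(bad)}

def receive(key: bytes, pkt: dict) -> dict:
    """Receiver: report which of the three checks accept the packet."""
    p = pkt["payload"]
    tag = hmac.new(key, p, hashlib.sha256).digest()
    return {"fcs": zlib.crc32(p) == pkt["fcs"],
            "tcp_csum": inet_checksum(p) == pkt["tcp_csum"],
            "hmac": hmac.compare_digest(tag, pkt["tag"])}

def swap_words(p: bytes) -> bytes:
    """Swap the first two 16-bit words; the ones' complement sum is unchanged."""
    return p[2:4] + p[0:2] + p[4:]

def flip_bit(p: bytes) -> bytes:
    """Flip one bit in the first byte."""
    return bytes([p[0] ^ 0x01]) + p[1:]

KEY = b"constructed-demo-key"            # constructed sample key
BLOCK = b"zfs block 0042: sample data!"  # constructed sample payload

if __name__ == "__main__":
    for fault in (flip_bit, swap_words):
        print(fault.__name__, receive(KEY, faulty_hop(send(KEY, BLOCK), fault)))
```

The recomputed per-hop CRC accepts both damaged packets, the 16-bit checksum catches the bit flip but not the word swap, and only the keyed end-to-end tag rejects both.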
