Stream Control Transmission Protocol (SCTP) Checksum Change
RFC 3309 SCTP Checksum Change September 2002
1. Introduction
A fundamental weakness has been detected in SCTP's current Adler-32
checksum algorithm [STONE]. This document updates and replaces the
Adler-32 checksum definition in [RFC 2960]. Note that there is no
graceful transition mechanism for migrating to the new checksum.
Implementations are expected to immediately switch to the new
algorithm; use of the old algorithm is deprecated.
One requirement of an effective checksum is that it evenly and
smoothly spreads its input packets over the available check bits.
From an email from Jonathan Stone, who analyzed the Adler-32 as part
of his doctoral thesis:
"Briefly, the problem is that, for very short packets, Adler32 is
guaranteed to give poor coverage of the available bits. Don't take
my word for it, ask Mark Adler. :-)
Adler-32 uses two 16-bit counters, s1 and s2. s1 is the sum of the
input, taken as 8-bit bytes. s2 is a running sum of each value of
s1. Both s1 and s2 are computed mod-65521 (the largest prime less
than 2^16). Consider a packet of 128 bytes. The *most* that each
byte can be is 255. There are only 128 bytes of input, so the
greatest value which the s1 accumulator can have is 255 * 128 =
32640. So, for 128-byte packets, s1 never wraps. That is critical.
Why?
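The accumulator arithmetic Stone describes can be sketched in Python (an illustration only, not the RFC's reference code; the function name is mine). It shows that for a worst-case 128-byte packet of all 0xFF bytes, the s1 sum stays below the 65521 modulus and so is never reduced:

```python
MOD = 65521  # largest prime less than 2^16

def adler32_accumulators(data: bytes):
    """Return Adler-32's running sums (s1, s2), each kept mod 65521.

    Per the standard Adler-32 definition, s1 starts at 1 and s2 at 0.
    """
    s1, s2 = 1, 0
    for byte in data:
        s1 = (s1 + byte) % MOD  # sum of the input bytes
        s2 = (s2 + s1) % MOD    # running sum of each value of s1
    return s1, s2

# Worst case for a 128-byte packet: every byte at its maximum, 255.
packet = bytes([0xFF] * 128)
s1, s2 = adler32_accumulators(packet)
assert s1 == 1 + 255 * 128  # 32641 < 65521: s1 never wrapped
```

Even with every input byte maxed out, s1 tops out at 32641, so for 128-byte packets the mod-65521 reduction never fires and s1 is just the plain sum of the bytes.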
The key is to consider the distribution of the s1 values, over some
distribution of the values of the individual input bytes in each
packet. Because s1 never wraps, s1 is simply the sum of the
individual input bytes. (Even Doug's trick of adding 0x5555 doesn't
help here, and an even larger value doesn't really help: we can get
at most one mod-65521 reduction.)
Given the further assumption that the input bytes are drawn
independently from some distribution (they probably aren't: for file
system data, it's even worse than that!), the Central Limit Theorem
tells us that s1 will tend to have a normal distribution.
That's bad: it tells us that the value of s1 will have hot-spots at
around 128 times the mean of the input distribution: around 16k,
assuming a uniform distribution. That's bad. We want the
accumulator to wrap as many times as possible, so that the resulting
sum has as close to a uniform distribution as possible. (I call this
"fairness".)
Stone, et al. Standards Track