Enabling Checksum Verification - HP ProCurve Secure Router 7203 dl Advanced Management And Configuration Manual

Configuring a Tunnel with Generic Routing Encapsulation
Configuring GRE
9-12

Enabling Checksum Verification

A router can include a checksum in outgoing packets' GRE headers. A check-
sum is a value computed from the contents of a packet, and is often based on
the sum of the bits. The router that receives the packet runs the same
computation. If it comes up with the same value, it assumes that the data has
not been altered.
Checksums help ensure data integrity. However, they are better at protecting
against accidently garbled data than data that has been tampered with inten-
tionally. Because the checksum calculation is intentionally simple, hackers
can reproduce it and make sure the altered packet produces the correct
checksum. For true data integrity protection, you must use a hash algorithm
such as those provided with IPSec.
Checksum verification enables the router both to verify the checksum of
packets it receives over a tunnel and to insert a checksum in the GRE headers
of packets it transmits. To enable checksum verification, enter:
ProCurve(config-tunnel 1)# tunnel checksum
When it inserts the checksum value into the GRE header, the router also sets
the checksum present bit, informing the remote endpoint that it is using
checksum verification. The remote endpoint, if enabled for checksum verifi-
cation, computes the packet's checksum, forwards valid packets, and drops
garbled packets.
If the other end of the tunnel does not perform checksum verification, then
the checksum is meaningless: all packets flow through the tunnel. Similarly,
if the local endpoint has no checksum to verify, it must allow all packets.