ICMPv6 incorrect checksum alert if Ethernet FCS is present
If there is a frame check sequence (FCS) field in Ethernet header (placed after all high-level payload) then ICMPv6 checksum calculates incorrectly and suricata alerts a lot of "Invalid ICMPv6 checksum" messages. If remove FCS field then checksum calculates correctly.
See pcap attached
Updated by Victor Julien about 5 years ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Jason Ish
The problem is that the size of the data that is passed to the checksum function is calculated from the end of the packet instead of based on the IPv6 length. The fix isn't trivial though as it requires some careful look at the ICMPv6 decoder.
Jason, is this one up your alley?