[DRBD-user] Digest integrity check FAILED. Broken NICs? (DRBD 8.2.4)

Florian Haas florian.haas at linbit.com
Wed Jan 23 17:20:12 CET 2008

Note: "permalinks" may not be as permanent as we would like,
direct links of old sources may well be a few messages off.

On Wednesday 23 January 2008 11:07:40 Paul Court wrote:
> > On Tue, Jan 22, 2008 at 05:56:55PM +0000, Paul Court wrote:
> >> Hello,
> ---8<--- Snip ---8<---
> > you ask drbd to enable the "data-integrity feature",
> > which prepends each data block with its digest (you configured sha1,
> > which is overkill here, md5 or even crc32 would do fine) before
> > sending them over the wire.
> > the receiving side then calculates a digest of that data block
> > using the same algorithm, and naturally, this re-calculated digest,
> > and the digest transfered with the data block should match exactly.
> I notice there are a few other places where I have used sha1. Are there
> any other recomendations for the other values? (cram-hmac-alg &
> verify-alg)?

Well obviously crc32c is expected to be faster than md5 which in turn is 
expected to be faster than sha1. But cram-hmac-alg is only used during the 
initial handshake upon connect, and verify-alg only during device 
verification, whereas data-integrity-alg is used for every single replication 
and sync packet throughout your connection's lifetime. So selecting a faster 
data-integrity-alg has more impact on performance than selecting a faster 
algorithm for the other two.

> Is it possible to disable encryption, I'm not sure someone snooping on
> my packets is something I need to worry about with a cross over cable?

DRBD currently does _not_ use encryption. It does use cryptographic 
algorithms, yes, but only for authentication (cram-hmac-alg) and message 
digest (data-integrity-alg, verify-alg) purposes.


: Florian G. Haas
: LINBIT Information Technologies GmbH
: Vivenotgasse 48, A-1120 Vienna, Austria

When replying, there is no need to CC my personal address.
I monitor the list on a daily basis. Thank you.

More information about the drbd-user mailing list