Re: [Tofoo] VXLAN (UDP tunnel protocols) and non-zero checksums
Joe Touch <touch@isi.edu> Fri, 02 May 2014 23:59 UTC
Return-Path: <touch@isi.edu>
X-Original-To: tofoo@ietfa.amsl.com
Delivered-To: tofoo@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96A771A6FDE; Fri, 2 May 2014 16:59:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.851
X-Spam-Level:
X-Spam-Status: No, score=-4.851 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2cz9yaHBh29H; Fri, 2 May 2014 16:59:00 -0700 (PDT)
Received: from boreas.isi.edu (boreas.isi.edu [128.9.160.161]) by ietfa.amsl.com (Postfix) with ESMTP id 2D01B1A6F63; Fri, 2 May 2014 16:59:00 -0700 (PDT)
Received: from [128.9.184.177] ([128.9.184.177]) (authenticated bits=0) by boreas.isi.edu (8.13.8/8.13.8) with ESMTP id s42Nw4IT016849 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Fri, 2 May 2014 16:58:04 -0700 (PDT)
Message-ID: <5364310E.5010306@isi.edu>
Date: Fri, 02 May 2014 16:58:06 -0700
From: Joe Touch <touch@isi.edu>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: Tom Herbert <therbert@google.com>
References: <CA+mtBx8+OyN5UUsL-sS1AuPF69p6=T3kw4Mq-BogjQhEF-Cpsw@mail.gmail.com> <CAC8QAccqYygAZrX=P1S7Av4KXtU82RWANv=BAaKjYm=hDH0hAA@mail.gmail.com> <CA+mtBx9YfBtizy+a1Wi+z5isYQ7AtLm_Hevx7U66U8HS8u_6LQ@mail.gmail.com> <CAC8QAcdXLbdVw3FYcdqSg163_w76ThYXuK3M9-vvw_wx5d52_Q@mail.gmail.com> <5362ACA5.1030102@isi.edu> <CAC8QAcfi=CEc_a43R1ZgidtmdjGL2G4C_+PPj-uDCMkZ+aheuw@mail.gmail.com> <5362AFBB.6080008@isi.edu> <CA+mtBx8G6kBzOiKP2r7W3i1JV43A8feg8Xqbo6t1Kfhj3jwpJA@mail.gmail.com> <5362B7E4.8060809@isi.edu> <CA+mtBx8hLyvQ+3Bs9cFjGPV0dWtK+TDO+J6Mg_gLtgxHECiCRw@mail.gmail.com> <53641B46.5000200@isi.edu> <CA+mtBx-3on5jyEteRnNLAb6Pv5n6y2UkHUdKCnbmJDMk6yrKFQ@mail.gmail.com> <53642009.6000805@isi.edu> <CA+mtBx_DXxr-nHExc+Rxg8VDTU-3Eszv9o5oOqKHsQX9A6__Hw@mail.gmail.com>
In-Reply-To: <CA+mtBx_DXxr-nHExc+Rxg8VDTU-3Eszv9o5oOqKHsQX9A6__Hw@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Archived-At: http://mailarchive.ietf.org/arch/msg/tofoo/18x_w5MBGJsteWajWEaAxCLj7F4
Cc: "tofoo@ietf.org" <tofoo@ietf.org>, sarikaya@ieee.org, "nvo3@ietf.org" <nvo3@ietf.org>, "mallik_mahalingam@yahoo.com" <mallik_mahalingam@yahoo.com>, "ddutt.ietf@hobbesdutt.com" <ddutt.ietf@hobbesdutt.com>
Subject: Re: [Tofoo] VXLAN (UDP tunnel protocols) and non-zero checksums
X-BeenThere: tofoo@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion list for Tunneling over Foo \(with\)in IP networks \(TOFOO\)." <tofoo.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tofoo>, <mailto:tofoo-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tofoo/>
List-Post: <mailto:tofoo@ietf.org>
List-Help: <mailto:tofoo-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tofoo>, <mailto:tofoo-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 May 2014 23:59:02 -0000
On 5/2/2014 4:15 PM, Tom Herbert wrote: >> I think your objection may be that you don't think we can assume that >> zero-checksum packets arrive at VXLAN, because of how RFC1122 is worded. > > No, I expect zero checksums will be the common case. I meant that you don't think that this common case will be correctly handled. >> However, RFC768 permits zero-checksum packets as valid and useful to the >> upper layer, so I interpret RFC 1122 as saying "the app might be able to >> configure UDP to discard zero-checksum packets", but if it doesn't, those >> packets already will end up at the application. > > My interpretation of the VXLAN draft precludes the possibility of an > implementation being able to reject received zero-checksums even as a > configuration option, or even for select senders. Agreed - as writte, it cannot reject those packets merely because thye have a zero checksum - "When a packet is received with a UDP checksum of zero, it MUST be accepted for decapsulation. " (note that I have no position as to whether this is good or bad; VXLAN could decide to reject such packets if that's what the WG decides). > So if we receive a > zero checksum from a sender that we know has not disabled checksums, > per the draft we need to accept even though we know this is a > corrupted packet. I don't know how you can make this claim. You don't know it's a corrupted packet - esp. because it's highly unlikely that the checksum would be zero'd solely by corruption. What you know - at best - is that the source decided to send a zero-checksum packet. A sender that transmits zero checksums does so deliberately (on an ongoing basis). It does so when it believes that another layer will check for packet corruption, or when packet corruption isn't important. > This may not break the standard, but it doesn't seem > robust either. Is my interpretation correct? VXLAN can make whatever decision you want; you can decide to accept zero-sum packets for further processing, to reject them, or to decide on a per-endpoint basis given other knowledge of the endpoint. All behaviors are compliant with current standards. What you cannot do is accept a packet with a non-zero checksum that is invalid. Those should never be sent to VXLAN; they MUST be silently dropped by UDP. That's where this discussion originated. As to robustness, IMO, the best would be to send packets with UDP checksums, so you drop corrupt packets as early as possible. If you don't want to incur the cost of checking (which is often in offload engines anyway), then you'd be relying on the upper layer (VXLAN layer) to check for errors. However, I don't see that here - what I see is an ethernet header but that doesn't protect the E2E of the UDP packet, and that's not good enough. > My core concern in all of this is still whether the vni in VXLAN in > being adequately protected against corruption (this would apply to > other encapsulation protocols that carry vni also). The integrity of > the vni is paramount in supporting the isolation requirements of > network virtualization. Then what you want is to require VXLAN to MUST send non-zero UDP checksums. At that point, saying "VXLAN receiver MUST discard zero-checksums" is fine, and both statements are compliant with existing standards. Alternately, if you allow - or encourage - zero-checksum UDP, then you want to add a checksum of some kind to the VXLAN header. But again, you're talking about the zero-checksum case, not the non-zero case where this all started. Joe
- [Tofoo] VXLAN (UDP tunnel protocols) and non-zero… Tom Herbert
- Re: [Tofoo] VXLAN (UDP tunnel protocols) and non-… Gorry Fairhurst
- Re: [Tofoo] VXLAN (UDP tunnel protocols) and non-… Behcet Sarikaya
- Re: [Tofoo] VXLAN (UDP tunnel protocols) and non-… Tom Herbert
- Re: [Tofoo] VXLAN (UDP tunnel protocols) and non-… Behcet Sarikaya
- Re: [Tofoo] VXLAN (UDP tunnel protocols) and non-… Larry Kreeger (kreeger)
- Re: [Tofoo] VXLAN (UDP tunnel protocols) and non-… Tom Herbert
- Re: [Tofoo] VXLAN (UDP tunnel protocols) and non-… Larry Kreeger (kreeger)
- Re: [Tofoo] VXLAN (UDP tunnel protocols) and non-… Tom Herbert
- Re: [Tofoo] [nvo3] VXLAN (UDP tunnel protocols) a… Tom Herbert
- Re: [Tofoo] VXLAN (UDP tunnel protocols) and non-… Larry Kreeger (kreeger)
- Re: [Tofoo] VXLAN (UDP tunnel protocols) and non-… Joe Touch
- Re: [Tofoo] VXLAN (UDP tunnel protocols) and non-… Behcet Sarikaya
- Re: [Tofoo] VXLAN (UDP tunnel protocols) and non-… Joe Touch
- Re: [Tofoo] VXLAN (UDP tunnel protocols) and non-… Behcet Sarikaya
- Re: [Tofoo] VXLAN (UDP tunnel protocols) and non-… Tom Herbert
- Re: [Tofoo] VXLAN (UDP tunnel protocols) and non-… Joe Touch
- Re: [Tofoo] VXLAN (UDP tunnel protocols) and non-… Stewart Bryant
- Re: [Tofoo] VXLAN (UDP tunnel protocols) and non-… Tom Herbert
- Re: [Tofoo] VXLAN (UDP tunnel protocols) and non-… Tom Herbert
- Re: [Tofoo] VXLAN (UDP tunnel protocols) and non-… Joe Touch
- Re: [Tofoo] VXLAN (UDP tunnel protocols) and non-… Tom Herbert
- Re: [Tofoo] VXLAN (UDP tunnel protocols) and non-… Joe Touch
- Re: [Tofoo] VXLAN (UDP tunnel protocols) and non-… Tom Herbert
- Re: [Tofoo] VXLAN (UDP tunnel protocols) and non-… Joe Touch
- Re: [Tofoo] VXLAN (UDP tunnel protocols) and non-… Tom Herbert
- Re: [Tofoo] VXLAN (UDP tunnel protocols) and non-… Joe Touch