Re: [Tofoo] VXLAN (UDP tunnel protocols) and non-zero checksums

Behcet Sarikaya <sarikaya2012@gmail.com> Thu, 01 May 2014 20:38 UTC

Return-Path: <sarikaya2012@gmail.com>
X-Original-To: tofoo@ietfa.amsl.com
Delivered-To: tofoo@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 027BE1A6FA6; Thu, 1 May 2014 13:38:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.749
X-Spam-Level:
X-Spam-Status: No, score=-1.749 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5NZedy3VFMLV; Thu, 1 May 2014 13:38:27 -0700 (PDT)
Received: from mail-la0-x233.google.com (mail-la0-x233.google.com [IPv6:2a00:1450:4010:c03::233]) by ietfa.amsl.com (Postfix) with ESMTP id 881CF1A0976; Thu, 1 May 2014 13:38:26 -0700 (PDT)
Received: by mail-la0-f51.google.com with SMTP id gl10so2443639lab.24 for <multiple recipients>; Thu, 01 May 2014 13:38:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:reply-to:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; bh=sxRp+N7iVp/j63G0Uv0dmn/89yiAVba2b6w+9/NFP80=; b=z/1MskcOQF4/Rs+9C0y8RqoSr2Zmbjy0kx3UT1A8V6bhj+m0XSzLqAlzKQbF0LKNQt z5TTZ3GPNCtJ7UJ7KER1zx6CFPEnGFGnLllSL6DxLtumJ58UM/yv+rmh9iwdNvgc16ng AqdBrkwuVhHtJwZsMl5tx6NXnxLjgTpom1OIZTMtJRWdWYnYs9GMVZ+b/kW9c2j6u2Ia YyGGlyGLAxFtsUoJ+VFdyOyJ9WpXMMVbvaV0Ye0zOIMfLp6CUyNihb4BQJ0YDRAYSzfO mPO0MzvQfVytBMgnhrKv5muZjDQ+avDoQCjSIDugjStI6XdVDxWodPD9N0ll9HvPCPx2 EygA==
MIME-Version: 1.0
X-Received: by 10.112.61.199 with SMTP id s7mr8648577lbr.25.1398976703853; Thu, 01 May 2014 13:38:23 -0700 (PDT)
Received: by 10.114.70.165 with HTTP; Thu, 1 May 2014 13:38:23 -0700 (PDT)
In-Reply-To: <5362AFBB.6080008@isi.edu>
References: <CA+mtBx8+OyN5UUsL-sS1AuPF69p6=T3kw4Mq-BogjQhEF-Cpsw@mail.gmail.com> <CAC8QAccqYygAZrX=P1S7Av4KXtU82RWANv=BAaKjYm=hDH0hAA@mail.gmail.com> <CA+mtBx9YfBtizy+a1Wi+z5isYQ7AtLm_Hevx7U66U8HS8u_6LQ@mail.gmail.com> <CAC8QAcdXLbdVw3FYcdqSg163_w76ThYXuK3M9-vvw_wx5d52_Q@mail.gmail.com> <5362ACA5.1030102@isi.edu> <CAC8QAcfi=CEc_a43R1ZgidtmdjGL2G4C_+PPj-uDCMkZ+aheuw@mail.gmail.com> <5362AFBB.6080008@isi.edu>
Date: Thu, 1 May 2014 15:38:23 -0500
Message-ID: <CAC8QAcdCedWkNAShH4a_=mMvdcP-cvvAcEoH+c5B4BMFZbNjLA@mail.gmail.com>
From: Behcet Sarikaya <sarikaya2012@gmail.com>
To: Joe Touch <touch@isi.edu>
Content-Type: multipart/alternative; boundary=001a1133d17a7b7b2404f85ca5e9
Archived-At: http://mailarchive.ietf.org/arch/msg/tofoo/5x1lsfwAcO8QzGwgXeoSMELTn8o
Cc: "tofoo@ietf.org" <tofoo@ietf.org>, "nvo3@ietf.org" <nvo3@ietf.org>, ddutt.ietf@hobbesdutt.com, mallik_mahalingam@yahoo.com, Tom Herbert <therbert@google.com>
Subject: Re: [Tofoo] VXLAN (UDP tunnel protocols) and non-zero checksums
X-BeenThere: tofoo@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: sarikaya@ieee.org
List-Id: "Discussion list for Tunneling over Foo \(with\)in IP networks \(TOFOO\)." <tofoo.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tofoo>, <mailto:tofoo-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tofoo/>
List-Post: <mailto:tofoo@ietf.org>
List-Help: <mailto:tofoo-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tofoo>, <mailto:tofoo-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 May 2014 20:38:28 -0000

On Thu, May 1, 2014 at 3:34 PM, Joe Touch <touch@isi.edu>; wrote:

>
>
> On 5/1/2014 1:30 PM, Behcet Sarikaya wrote:
>
>>
>>
>>
>> On Thu, May 1, 2014 at 3:20 PM, Joe Touch <touch@isi.edu
>> <mailto:touch@isi.edu>> wrote:
>>
>>
>>
>>     On 4/30/2014 2:23 PM, Behcet Sarikaya wrote:
>>
>>         Here is what VXLAN says on tunneled traffic:
>>
>>         Tunneled traffic over the IP network can be secured with
>> traditional
>>              security mechanisms like IPsec that authenticate and
>> optionally
>>              encrypt VXLAN traffic. This will, of course, need to be
>>         coupled with
>>              an authentication infrastructure for authorized endpoints
>>         to obtain
>>              and distribute credentials.
>>
>>         Based on this, UDP checksum text seems to be consistent, no?
>>
>>
>>     No; the UDP checksum is not for authetication. It is an error check.
>>
>>     The only party that can decide to make the UDP checksum optional
>>     when using IPv4 is the source - by inserting zero.
>>
>>     It's not the receiver's choice to ignore that checksum if it's not
>>     zero. That's where this doc breaks the current standards.
>>
>> The important point in the above text that I quoted was encryption being
>> optional not about authentication.
>> So checksum would be zero if the payload is encrypted and non-zero if it
>> is not not and both cases are possible.
>>
>
> Receiver processing is simple:
>
>         - if the checksum is zero, ignore
>
>         - if the checksum is NOT zero, it MUST match
>
> No other part of the packet needs to be examined. If the *sender* wants to
> have the receiver ignore the checksum, it inserts zero. If not, the
> receiver MUST process and validate it.
>
>
Sure. I think we are in agreement.

Behcet

> Joe
>