Re: [Tofoo] VXLAN (UDP tunnel protocols) and non-zero checksums

Behcet Sarikaya <sarikaya2012@gmail.com> Wed, 30 April 2014 21:23 UTC

Return-Path: <sarikaya2012@gmail.com>
X-Original-To: tofoo@ietfa.amsl.com
Delivered-To: tofoo@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 614681A09BC; Wed, 30 Apr 2014 14:23:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.749
X-Spam-Level:
X-Spam-Status: No, score=-1.749 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 69MImUSR5w6o; Wed, 30 Apr 2014 14:23:37 -0700 (PDT)
Received: from mail-lb0-x22d.google.com (mail-lb0-x22d.google.com [IPv6:2a00:1450:4010:c04::22d]) by ietfa.amsl.com (Postfix) with ESMTP id 8B76A1A08B5; Wed, 30 Apr 2014 14:23:30 -0700 (PDT)
Received: by mail-lb0-f173.google.com with SMTP id l4so1655341lbv.4 for <multiple recipients>; Wed, 30 Apr 2014 14:23:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:reply-to:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; bh=3I4TlrbYQsMbxjTroZmrdiobgKhqP0A9ixYUgVfOang=; b=Q37fC1W2vDWxwZ9mDOz35v8C+/MR350w1eqlFJBcZcgJnIv8Xuy5ao0E6CTmUKeRPM Us3MxNGNVau7jtzumCJPp59Qg97UrDg0ICBARC/KWlCv29cQTfA6wHpa64JvWGApOxUK vvOw8dHcTsROUOqP7mSZdrgVQR+q/vxKYaq2KeDqn0FgzqWcdDY/z9HBUqd2nmndkaWr mYRXu3/HAKS9+DMa6M2Q4xbqKMr2R+VcPBEI3Z92X3z1U3Z/RxunJqgiyVSZYz//I2cM oYxOZLRghIGpu9vqmDidv9VJZuYOdN6miqPps/E6f1UUC+jBfsFSijBuDVH2chnWVHyV KRzg==
MIME-Version: 1.0
X-Received: by 10.112.164.98 with SMTP id yp2mr4254792lbb.29.1398893008244; Wed, 30 Apr 2014 14:23:28 -0700 (PDT)
Received: by 10.114.70.165 with HTTP; Wed, 30 Apr 2014 14:23:28 -0700 (PDT)
In-Reply-To: <CA+mtBx9YfBtizy+a1Wi+z5isYQ7AtLm_Hevx7U66U8HS8u_6LQ@mail.gmail.com>
References: <CA+mtBx8+OyN5UUsL-sS1AuPF69p6=T3kw4Mq-BogjQhEF-Cpsw@mail.gmail.com> <CAC8QAccqYygAZrX=P1S7Av4KXtU82RWANv=BAaKjYm=hDH0hAA@mail.gmail.com> <CA+mtBx9YfBtizy+a1Wi+z5isYQ7AtLm_Hevx7U66U8HS8u_6LQ@mail.gmail.com>
Date: Wed, 30 Apr 2014 16:23:28 -0500
Message-ID: <CAC8QAcdXLbdVw3FYcdqSg163_w76ThYXuK3M9-vvw_wx5d52_Q@mail.gmail.com>
From: Behcet Sarikaya <sarikaya2012@gmail.com>
To: Tom Herbert <therbert@google.com>
Content-Type: multipart/alternative; boundary=001a11c33c6ed5dd2704f849289d
Archived-At: http://mailarchive.ietf.org/arch/msg/tofoo/SQKnICIx1-l4DCmyTxBJ227xWEc
Cc: "tofoo@ietf.org" <tofoo@ietf.org>, "nvo3@ietf.org" <nvo3@ietf.org>, mallik_mahalingam@yahoo.com, ddutt.ietf@hobbesdutt.com
Subject: Re: [Tofoo] VXLAN (UDP tunnel protocols) and non-zero checksums
X-BeenThere: tofoo@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: sarikaya@ieee.org
List-Id: "Discussion list for Tunneling over Foo \(with\)in IP networks \(TOFOO\)." <tofoo.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tofoo>, <mailto:tofoo-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tofoo/>
List-Post: <mailto:tofoo@ietf.org>
List-Help: <mailto:tofoo-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tofoo>, <mailto:tofoo-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Apr 2014 21:23:39 -0000

Here is what VXLAN says on tunneled traffic:

Tunneled traffic over the IP network can be secured with traditional
   security mechanisms like IPsec that authenticate and optionally
   encrypt VXLAN traffic. This will, of course, need to be coupled with
   an authentication infrastructure for authorized endpoints to obtain
   and distribute credentials.

Based on this, UDP checksum text seems to be consistent, no?

Behcet


On Wed, Apr 30, 2014 at 3:01 PM, Tom Herbert <therbert@google.com> wrote:

> On Wed, Apr 30, 2014 at 12:46 PM, Behcet Sarikaya
> <sarikaya2012@gmail.com> wrote:
> > This is what VXLAN draft says:
> >
> > The UDP checksum field SHOULD be transmitted as zero.  When a packet
> >    is received with a UDP checksum of zero, it MUST be accepted for
> >    decapsulation.  Optionally, if the encapsulating endpoint includes a
> >    non-zero UDP checksum, it MUST be correctly calculated across the
> >    entire packet including the IP header, UDP header, VXLAN header and
> >    encapsulated MAC frame.  When a decapsulating endpoint receives a
> >    packet with a non-zero checksum it MAY choose to verify the checksum
> >
> > value.  If it chooses to perform such verification, and the
> >    verification fails, the packet MUST be dropped.  If the
> >    decapsulating destination chooses not to perform the verification,
> >    or performs it successfully, the packet MUST be accepted for
> >    decapsulation.
> >
> > What is wrong with it?
> >
> This makes the verification of (a non-zero) UDP checksum optional,
> which as I pointed out seems contrary to established UDP standard. If
> the verification isn't done then the MUST to drop packets with an
> invalid checksum is moot. Also, there really should be no reason that
> VXLAN needs to define a custom use of UDP checksum. The UDP checksum
> is either computed across the UDP payload which should be clear in
> VXLAN, or may be zero per using zero checksum in tunneling guidelines.
> These should hold for all foo/UDP.
>
> Tom
>
> > Behcet
> >
> >
> > On Wed, Apr 30, 2014 at 2:01 PM, Tom Herbert <therbert@google.com>
> wrote:
> >>
> >> Hi,
> >>
> >> I noticed that the VXLAN draft allows an implementation to potentially
> >> ignore a non-zero invalid UDP checksum.
> >>
> >> From: http://tools.ietf.org/html/draft-mahalingam-dutt-dcops-vxlan-09
> >>
> >> "When a decapsulating endpoint receives a packet with a non-zero
> >> checksum it MAY choose to verify the checksum"
> >>
> >> However, from RFC 1122:
> >>
> >> "If a UDP datagram is received with a checksum that is non-zero and
> >> invalid, UDP MUST silently discard the datagram."
> >>
> >> It doesn't seem like 1122 allows checksum verification to be optional,
> >> so these would seem to be a conflict. Presumably, ignoring the RX csum
> >> is included for performance but since the sender can already send zero
> >> checksums in UDP (they are optional in IPv4 and allowed for IPv6
> >> tunnels in RFC 6935) I'm not sure this is necessary. Besides that, the
> >> UDP checksum is potentially the only thing that protection of the vni
> >> against corruption end to end so allowing a receiver to ignore a bad
> >> checksum seems very risky.
> >>
> >> As a comparison, RFC 3931 (L2TP) has the following wording:
> >>
> >> "Thus, UDP checksums MAY be disabled in order to reduce the associated
> >> packet processing burden at the L2TP endpoints."
> >>
> >> This is somewhat ambiguous, but seems like the correct interpretation
> >> should be that zero checksums may be sent with L2TP/UDP, but on
> >> receive non-zero checksums should still be validated.
> >>
> >> Are these interpretations correct? Is there there a need to clarify
> >> the requirement for UDP tunnel protocols and checksums?
> >>
> >> Thanks,
> >> Tom
> >>
> >> _______________________________________________
> >> Tofoo mailing list
> >> Tofoo@ietf.org
> >> https://www.ietf.org/mailman/listinfo/tofoo
> >
> >
>