Re: [Tofoo] VXLAN (UDP tunnel protocols) and non-zero checksums

Behcet Sarikaya <sarikaya2012@gmail.com> Thu, 01 May 2014 20:30 UTC

Date: Thu, 01 May 2014 15:30:18 -0500
Message-ID: <CAC8QAcfi=CEc_a43R1ZgidtmdjGL2G4C_+PPj-uDCMkZ+aheuw@mail.gmail.com>
From: Behcet Sarikaya <sarikaya2012@gmail.com>
To: Joe Touch <touch@isi.edu>
Archived-At: http://mailarchive.ietf.org/arch/msg/tofoo/VJgeIocZZ6fd_QEs1g4AeoNunXo
Cc: "tofoo@ietf.org" <tofoo@ietf.org>, "nvo3@ietf.org" <nvo3@ietf.org>, ddutt.ietf@hobbesdutt.com, mallik_mahalingam@yahoo.com, Tom Herbert <therbert@google.com>
Subject: Re: [Tofoo] VXLAN (UDP tunnel protocols) and non-zero checksums

On Thu, May 1, 2014 at 3:20 PM, Joe Touch <touch@isi.edu> wrote:

>
>
> On 4/30/2014 2:23 PM, Behcet Sarikaya wrote:
>
>> Here is what VXLAN says on tunneled traffic:
>>
>> Tunneled traffic over the IP network can be secured with traditional
>>     security mechanisms like IPsec that authenticate and optionally
>>     encrypt VXLAN traffic. This will, of course, need to be coupled with
>>     an authentication infrastructure for authorized endpoints to obtain
>>     and distribute credentials.
>>
>> Based on this, UDP checksum text seems to be consistent, no?
>>
>
> No; the UDP checksum is not for authentication. It is an error check.
>
> The only party that can decide to make the UDP checksum optional when
> using IPv4 is the source - by inserting zero.
>
> It's not the receiver's choice to ignore that checksum if it's not zero.
> That's where this doc breaks the current standards.
>
>
The important point in the text I quoted above is that encryption is
optional; it is not about authentication.
So the checksum would be zero if the payload is encrypted and non-zero if it
is not, and both cases are possible.

Behcet

> Joe
>