Re: [Tofoo] VXLAN (UDP tunnel protocols) and non-zero checksums

Gorry Fairhurst <gorry@erg.abdn.ac.uk> Wed, 30 April 2014 19:15 UTC

Return-Path: <gorry@erg.abdn.ac.uk>
X-Original-To: tofoo@ietfa.amsl.com
Delivered-To: tofoo@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 20D251A0956; Wed, 30 Apr 2014 12:15:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.852
X-Spam-Level:
X-Spam-Status: No, score=-4.852 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B1Gn1RvBvyRM; Wed, 30 Apr 2014 12:15:53 -0700 (PDT)
Received: from spey.erg.abdn.ac.uk (spey.erg.abdn.ac.uk [139.133.204.173]) by ietfa.amsl.com (Postfix) with ESMTP id 68D3A1A094A; Wed, 30 Apr 2014 12:15:53 -0700 (PDT)
Received: by spey.erg.abdn.ac.uk (Postfix, from userid 5001) id 2E2092B454D; Wed, 30 Apr 2014 20:15:51 +0100 (BST)
Received: from gorry-mac.erg.abdn.ac.uk (gorry-mac.erg.abdn.ac.uk [139.133.207.5]) by spey.erg.abdn.ac.uk (Postfix) with ESMTPSA id 648442B43B3; Wed, 30 Apr 2014 20:15:49 +0100 (BST)
Message-ID: <53614BE5.2040203@erg.abdn.ac.uk>
Date: Wed, 30 Apr 2014 20:15:49 +0100
From: Gorry Fairhurst <gorry@erg.abdn.ac.uk>
Organization: The University of Aberdeen is a charity registered in Scotland, No SC013683.
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: Tom Herbert <therbert@google.com>, "nvo3@ietf.org" <nvo3@ietf.org>, "tofoo@ietf.org" <tofoo@ietf.org>, mallik_mahalingam@yahoo.com, ddutt.ietf@hobbesdutt.com
References: <CA+mtBx8+OyN5UUsL-sS1AuPF69p6=T3kw4Mq-BogjQhEF-Cpsw@mail.gmail.com>
In-Reply-To: <CA+mtBx8+OyN5UUsL-sS1AuPF69p6=T3kw4Mq-BogjQhEF-Cpsw@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tofoo/kckc2AH-hejKxnLiKNtwL4p-kUg
Subject: Re: [Tofoo] VXLAN (UDP tunnel protocols) and non-zero checksums
X-BeenThere: tofoo@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: gorry@erg.abdn.ac.uk
List-Id: "Discussion list for Tunneling over Foo \(with\)in IP networks \(TOFOO\)." <tofoo.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tofoo>, <mailto:tofoo-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tofoo/>
List-Post: <mailto:tofoo@ietf.org>
List-Help: <mailto:tofoo-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tofoo>, <mailto:tofoo-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Apr 2014 19:15:56 -0000

This idea of simply ignoring the checksum value was dicussed and 
rejected in the analysis described in rfc6936. Appendix A2.6 describes 
the reasons why this was not recommended.

Gorry

On 30/04/2014 20:01, Tom Herbert wrote:
> Hi,
>
> I noticed that the VXLAN draft allows an implementation to potentially
> ignore a non-zero invalid UDP checksum.
>
> From: http://tools.ietf.org/html/draft-mahalingam-dutt-dcops-vxlan-09
>
> "When a decapsulating endpoint receives a packet with a non-zero
> checksum it MAY choose to verify the checksum"
>
> However, from RFC 1122:
>
> "If a UDP datagram is received with a checksum that is non-zero and
> invalid, UDP MUST silently discard the datagram."
>
> It doesn't seem like 1122 allows checksum verification to be optional,
> so these would seem to be a conflict. Presumably, ignoring the RX csum
> is included for performance but since the sender can already send zero
> checksums in UDP (they are optional in IPv4 and allowed for IPv6
> tunnels in RFC 6935) I'm not sure this is necessary. Besides that, the
> UDP checksum is potentially the only thing that protection of the vni
> against corruption end to end so allowing a receiver to ignore a bad
> checksum seems very risky.
>
> As a comparison, RFC 3931 (L2TP) has the following wording:
>
> "Thus, UDP checksums MAY be disabled in order to reduce the associated
> packet processing burden at the L2TP endpoints."
>
> This is somewhat ambiguous, but seems like the correct interpretation
> should be that zero checksums may be sent with L2TP/UDP, but on
> receive non-zero checksums should still be validated.
>
> Are these interpretations correct? Is there there a need to clarify
> the requirement for UDP tunnel protocols and checksums?
>
> Thanks,
> Tom
>
> _______________________________________________
> Tofoo mailing list
> Tofoo@ietf.org
> https://www.ietf.org/mailman/listinfo/tofoo
>