On Thu, May 1, 2014 at 3:34 PM, Joe Touch <[email protected]> wrote:
>
> On 5/1/2014 1:30 PM, Behcet Sarikaya wrote:
>>
>> On Thu, May 1, 2014 at 3:20 PM, Joe Touch <[email protected] <mailto:[email protected]>> wrote:
>>>
>>> On 4/30/2014 2:23 PM, Behcet Sarikaya wrote:
>>>>
>>>> Here is what VXLAN says on tunneled traffic:
>>>>
>>>> Tunneled traffic over the IP network can be secured with traditional
>>>> security mechanisms like IPsec that authenticate and optionally
>>>> encrypt VXLAN traffic. This will, of course, need to be coupled with
>>>> an authentication infrastructure for authorized endpoints to obtain
>>>> and distribute credentials.
>>>>
>>>> Based on this, UDP checksum text seems to be consistent, no?
>>>
>>> No; the UDP checksum is not for authentication. It is an error check.
>>>
>>> The only party that can decide to make the UDP checksum optional
>>> when using IPv4 is the source - by inserting zero.
>>>
>>> It's not the receiver's choice to ignore that checksum if it's not
>>> zero. That's where this doc breaks the current standards.
>>
>> The important point in the above text that I quoted was encryption being
>> optional, not about authentication.
>> So checksum would be zero if the payload is encrypted and non-zero if it
>> is not, and both cases are possible.
>
> Receiver processing is simple:
>
> - if the checksum is zero, ignore
>
> - if the checksum is NOT zero, it MUST match
>
> No other part of the packet needs to be examined. If the *sender* wants to
> have the receiver ignore the checksum, it inserts zero. If not, the
> receiver MUST process and validate it.

Sure. I think we are in agreement.

Behcet

> Joe
>
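The receiver rule Joe spells out (a zero UDP checksum over IPv4 means "not computed"; any non-zero value must verify, regardless of what the encapsulated payload is) can be checked against a constructed packet. This is an added example, not code from the thread or from any VXLAN implementation; the addresses, ports and payload are made up, and the pseudo-header checksum follows RFC 768.

```python
import struct

# Constructed sample endpoints and ports; 4789 is the IANA VXLAN UDP port.
SRC_IP = bytes([10, 0, 0, 1])
DST_IP = bytes([10, 0, 0, 2])
SPORT, DPORT = 49152, 4789
PAYLOAD = b"constructed VXLAN-encapsulated frame"

def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words with end-around carry (RFC 768/1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def udp_checksum_ipv4(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over IPv4 pseudo-header + UDP segment (checksum field as zero).
    A computed zero is sent as 0xFFFF so a literal zero always means 'none'."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 17, len(segment))
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    csum = (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF
    return csum or 0xFFFF

def build_udp(src_ip, dst_ip, sport, dport, payload, with_checksum=True):
    """Sender side: only the source decides to omit the checksum (zero)."""
    segment = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    if with_checksum:
        csum = udp_checksum_ipv4(src_ip, dst_ip, segment)
        segment = segment[:6] + struct.pack("!H", csum) + segment[8:]
    return segment

def receiver_accepts(src_ip, dst_ip, segment) -> bool:
    """Receiver rule from the thread: zero -> ignore; non-zero -> MUST match."""
    received = struct.unpack("!H", segment[6:8])[0]
    if received == 0:
        return True
    return udp_checksum_ipv4(src_ip, dst_ip, segment) == received

def demo():
    """Returns (valid accepted, zero-checksum accepted, corrupted accepted)."""
    good = build_udp(SRC_IP, DST_IP, SPORT, DPORT, PAYLOAD)
    zero = build_udp(SRC_IP, DST_IP, SPORT, DPORT, PAYLOAD, with_checksum=False)
    corrupted = bytearray(good)
    corrupted[-1] ^= 0x01  # single-bit error in the payload
    return (receiver_accepts(SRC_IP, DST_IP, good),
            receiver_accepts(SRC_IP, DST_IP, zero),
            receiver_accepts(SRC_IP, DST_IP, bytes(corrupted)))
```

Note that the receiver never inspects the payload to decide whether to verify; whether IPsec encrypted the inner frame is irrelevant to the checksum decision.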
_______________________________________________
nvo3 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nvo3
