Project

General

Profile

Actions
Copy link

Feature #7753

open

vxlan: decoder drops packets with non-zero reserved fields

Added by Fupeng Zhao about 2 months ago. Updated 16 days ago.

Status:
In Review
Priority:
Normal
Assignee:
Fupeng Zhao
Target version:
9.0.0-beta1
Effort:
Difficulty:
Label:
C, Needs Suricata-Verify test, Protocol

Description

The current VXLAN decoder implementation follows RFC draft-mahalingam-dutt-dcops-vxlan-00 too strictly and does not ignore the Reserved fields on receipt, as required by RFC 7348 §5 . This causes valid VXLAN packets with non-zero Reserved bits to be dropped, leading to loss of response-side traffic in some environments.

Files

vxlan-non-zero-reserved-fields.pcap (1.95 KB) vxlan-non-zero-reserved-fields.pcap Fupeng Zhao, 06/12/2025 06:44 AM
Actions
Copy link
 #1

Updated by Fupeng Zhao about 2 months ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Fupeng Zhao

Assigned to myself.

I plan to remove the strict validation of the Reserved fields entirely. Since we don’t decode the inner packet before parsing the VXLAN header, we can’t reliably determine the packet direction (transmit vs receive) and thus can’t selectively apply Reserved field checks.

Open to alternative suggestions if there's a preferred way to handle this.

Actions
Copy link
 #2

Updated by Fupeng Zhao about 2 months ago

  • Status changed from Assigned to In Review
Actions
Copy link
 #3

Updated by Philippe Antoine about 1 month ago

  • Target version changed from TBD to 9.0.0-beta1
Actions
Copy link
 #4

Updated by Philippe Antoine 16 days ago

  • Tracker changed from Bug to Feature
Actions
Copy link

Also available in: Atom PDF