Actions
Feature #7753
closedvxlan: decoder drops packets with non-zero reserved fields
Effort:
Difficulty:
Label:
C, Needs Suricata-Verify test, Protocol
Description
The current VXLAN decoder implementation follows RFC draft-mahalingam-dutt-dcops-vxlan-00 too strictly and does not ignore the Reserved fields on receipt, as required by RFC 7348 §5 . This causes valid VXLAN packets with non-zero Reserved bits to be dropped, leading to loss of response-side traffic in some environments.
Files
Updated by Fupeng Zhao 4 months ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Fupeng Zhao
Assigned to myself.
I plan to remove the strict validation of the Reserved fields entirely. Since we don’t decode the inner packet before parsing the VXLAN header, we can’t reliably determine the packet direction (transmit vs receive) and thus can’t selectively apply Reserved field checks.
Open to alternative suggestions if there's a preferred way to handle this.
Updated by Fupeng Zhao 4 months ago
- Status changed from Assigned to In Review
Updated by Philippe Antoine 4 months ago
- Target version changed from TBD to 9.0.0-beta1
Updated by Fupeng Zhao about 1 month ago
- Status changed from In Review to Closed
Updated by Victor Julien about 1 month ago
- Status changed from Closed to Resolved
Updated by OISF Ticketbot about 1 month ago
- Label deleted (
Needs backport to 8.0)
Actions