From: Ansis Atteka <aatt...@ovn.org> Date: Fri, 21 Apr 2017 15:23:05 -0700
> Otherwise, UDP checksum offloads could corrupt ESP packets by attempting > to calculate UDP checksum when this inner UDP packet is already protected > by IPsec. > > One way to reproduce this bug is to have a VM with virtio_net driver (UFO > set to ON in the guest VM); and then encapsulate all guest's Ethernet > frames in Geneve; and then further encrypt Geneve with IPsec. In this > case following symptoms are observed: > 1. If using ixgbe NIC, then it will complain with following error message: > ixgbe 0000:01:00.1: partial checksum but l4 proto=32! > 2. Receiving IPsec stack will drop all the corrupted ESP packets and > increase XfrmInStateProtoError counter in /proc/net/xfrm_stat. > 3. iperf UDP test from the VM with packet sizes above MTU will not work at > all. > 4. iperf TCP test from the VM will get ridiculously low performance because. > > Signed-off-by: Ansis Atteka <aatt...@ovn.org> > Co-authored-by: Steffen Klassert <steffen.klass...@secunet.com> Applied, thanks.
