Checksum offload:

An optimization implemented by many NICs (Network Interface Controllers)that enables computation and verification of upper-layer protocol checksums in hardware on transmit and receive, respectively. This typically includes IP and TCP/UDP checksums that would otherwise be computed by the protocol stack in software.

Clos network:

A technique for composing network fabrics larger than a single switch while maintaining non-blocking bandwidth across connection points. ECMP is used to divide traffic across the multiple links and switches that constitute the fabric. Sometimes termed "leaf and spine" or "fat tree" topologies.

ECMP:

Equal Cost Multipath. A routing mechanism for selecting from among multiple best next-hop paths by hashing packet headers in order to better utilize network bandwidth while avoiding reordering of packets within a flow.

Geneve:

Generic Network Virtualization Encapsulation. The tunneling protocol described in this document.

LRO:

Large Receive Offload. The receiver-side equivalent functionof LSO, in which multiple protocol segments (primarily TCP) are coalesced into larger data units.

LSO:

Large Segmentation Offload. A function provided by many commercial NICs that allows data units larger than the MTU to be passed to the NIC to improve performance, the NIC being responsible for creating smaller segments of a size less than or equal to the MTU with correct protocol headers. When referring specifically to TCP/IP, this feature is often known as TSO (TCP Segmentation Offload).

Middlebox:

In the context of this document, the term "middlebox" refers to network service functions or service interposition appliances that typically implement tunnel endpoint functionality, terminating and re-encapsulating Geneve traffic.

NIC:

Network Interface Controller. Also called "Network Interface Card" or "Network Adapter". A NIC could be part of a tunnel endpoint or transit device and can either process or aid in the processing of Geneve packets.

Transit device:

A forwarding element (e.g., router or switch) along the path of the tunnel making up part of the underlay network. A transit device may be capable of understanding the Geneve packet format but does not originate or terminate Geneve packets.

Tunnel endpoint:

A component performing encapsulation and decapsulation of packets, such as Ethernet frames or IP datagrams, in Geneve headers. As the ultimate consumer of any tunnel metadata, tunnel endpoints have the highest level of requirements for parsing and interpreting tunnel headers. Tunnel endpoints may consist of either software or hardware implementations or a combination of the two. Tunnel endpoints are frequently a component of a Network Virtualization Edge (NVE) but may also be found in middleboxes or other elements making up an NVO3 network.

VM:

Virtual Machine.

  +---------------------+           +-------+  +------+
  | +--+  +-------+---+ |           |Transit|--|Top of|==Physical
  | |VM|--|       |   | | +------+ /|Router |  | Rack |==Servers
  | +--+  |Virtual|NIC|---|Top of|/ +-------+\/+------+
  | +--+  |Switch |   | | | Rack |\ +-------+/\+------+
  | |VM|--|       |   | | +------+ \|Transit|  |Uplink|   WAN
  | +--+  +-------+---+ |           |Router |--|      |=========>
  +---------------------+           +-------+  +------+
         Hypervisor

              ()===================================()
                      Switch-Switch Geneve Tunnels

• The data plane is generic and extensible enough to support current and future control planes.
• Tunnel components are efficiently implementable in both hardware and software without restricting capabilities to the lowest common denominator.
• High performance over existing IP fabrics is maintained.

Source Port:

A source port selected by the originating tunnel endpoint. This source port SHOULD be the same for all packets belonging to a single encapsulated flow to prevent reordering due to the use of different paths. To encourage an even distribution of flows across multiple links, the source port SHOULD be calculated using a hash of the encapsulated packet headers using, for example, a traditional 5-tuple. Since the port represents a flow identifier rather than a true UDP connection, the entire 16-bit range MAY be used to maximize entropy. In addition to setting the source port, for IPv6, the flow label MAY also be used for providing entropy. For an example of using the IPv6 flow label for tunnel use cases, see [RFC 6438].

If Geneve traffic is shared with other UDP listeners on the same IP address, tunnel endpoints SHOULD implement a mechanism to ensure ICMP return traffic arising from network errors is directed to the correct listener. The definition of such a mechanism is beyond the scope of this document.

Dest Port:

IANA has assigned port 6081 as the fixed well-known destination port for Geneve. Although the well-known value should be used by default, it is RECOMMENDED that implementations make this configurable. The chosen port is used for identification of Geneve packets and MUST NOT be reversed for different ends of a connection as is done with TCP. It is the responsibility of the control plane to manage any reconfiguration of the assigned port and its interpretation by respective devices. The definition of the control plane is beyond the scope of this document.

UDP Length:

The length of the UDP packet including the UDP header.

UDP Checksum:

In order to protect the Geneve header, options, and payload from potential data corruption, the UDP checksum SHOULD be generated as specified in [RFC 0768] and [RFC 1122] when Geneve is encapsulated in IPv4. To protect the IP header, Geneve header, options, and payload from potential data corruption, the UDP checksum MUST be generated by default as specified in [RFC 0768] and [RFC 8200] when Geneve is encapsulated in IPv6, except under certain conditions, which are outlined in the next paragraph. Upon receiving such packets with a non-zero UDP checksum, the receiving tunnel endpoints MUST validate the checksum. If the checksum is not correct, the packet MUST be dropped; otherwise, the packet MUST be accepted for decapsulation.

Under certain conditions, the UDP checksum MAY be set to zero on transmit for packets encapsulated in both IPv4 and IPv6 [RFC 8200]. See Section 4.3 for additional requirements that apply when using zero UDP checksum with IPv4 and IPv6. Disabling the use of UDP checksums is an operational consideration that should take into account the risks and effects of packet corruption.

Ver (2 bits):

The current version number is 0. Packets received by a tunnel endpoint with an unknown version MUST be dropped. Transit devices interpreting Geneve packets with an unknown version number MUST treat them as UDP packets with an unknown payload.

Opt Len (6 bits):

The length of the option fields, expressed in 4-byte multiples, not including the 8-byte fixed tunnel header. This results in a minimum total Geneve header size of 8 bytes and a maximum of 260 bytes. The start of the payload headers can be found using this offset from the end of the base Geneve header.

Transit devices MUST maintain consistent forwarding behavior irrespective of the value of 'Opt Len', including ECMP link selection.

O (1 bit):

Control packet. This packet contains a control message. Control messages are sent between tunnel endpoints. Tunnel endpoints MUST NOT forward the payload, and transit devices MUST NOT attempt to interpret it. Since control messages are less frequent, it is RECOMMENDED that tunnel endpoints direct these packets to a high-priority control queue (for example, to direct the packet to a general purpose CPU from a forwarding Application-Specific Integrated Circuit (ASIC) or to separate out control traffic on a NIC). Transit devices MUST NOT alter forwarding behavior on the basis of this bit, such as ECMP link selection.

C (1 bit):

Critical options present. One or more options has the critical bit set (see Section 3.5). If this bit is set, then tunnel endpoints MUST parse the options list to interpret any critical options. On tunnel endpoints where option parsing is not supported, the packet MUST be dropped on the basis of the 'C' bit in the base header. If the bit is not set, tunnel endpoints MAY strip all options using 'Opt Len' and forward the decapsulated packet. Transit devices MUST NOT drop packets on the basis of this bit.

Rsvd. (6 bits):

Reserved field, which MUST be zero on transmission and MUST be ignored on receipt.

Protocol Type (16 bits):

The type of protocol data unit appearing after the Geneve header. This follows the Ethertype [ETYPES] convention, with Ethernet itself being represented by the value 0x6558.

Virtual Network Identifier (VNI) (24 bits):

An identifier for a unique element of a virtual network. In many situations, this may represent an L2 segment; however, the control plane defines the forwarding semantics of decapsulated packets. The VNI MAY be used as part of ECMP forwarding decisions or MAY be used as a mechanism to distinguish between overlapping address spaces contained in the encapsulated packet when load balancing across CPUs.

Reserved (8 bits):

Reserved field, which MUST be zero on transmission and ignored on receipt.

   0                   1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Option Class         |      Type     |R|R|R| Length  |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   ~                  Variable-Length Option Data                  ~
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Option Class (16 bits):

Namespace for the 'Type' field. IANA has created a "Geneve Option Class" registry to allocate identifiers for organizations, technologies, and vendors that have an interest in creating types for options. Each organization may allocate types independently to allow experimentation and rapid innovation. It is expected that, over time, certain options will become well known, and a given implementation may use option types from a variety of sources. In addition, IANA has reserved specific ranges for allocation by IETF Review and for Experimental Use (see Section 7).

Type (8 bits):

Type indicating the format of the data contained in this option. Options are primarily designed to encourage future extensibility and innovation, and standardized forms of these options will be defined in separate documents.

The high-order bit of the option type indicates that this is a critical option. If the receiving tunnel endpoint does not recognize the option and this bit is set, then the packet MUST be dropped. If this bit is set in any option, then the 'C' bit in the Geneve base header MUST also be set. Transit devices MUST NOT drop packets on the basis of this bit. The following figure shows the location of the 'C' bit in the 'Type' field:

   0 1 2 3 4 5 6 7 8
   +-+-+-+-+-+-+-+-+
   |C|    Type     |
   +-+-+-+-+-+-+-+-+

The requirement to drop a packet with an unknown option with the 'C' bit set applies to the entire tunnel endpoint system and not a particular component of the implementation. For example, in a system comprised of a forwarding ASIC and a general purpose CPU, this does not mean that the packet must be dropped in the ASIC. An implementation may send the packet to the CPU using a rate-limited control channel for slow-path exception handling.

R (3 bits):

Option control flags reserved for future use. These bits MUST be zero on transmission and MUST be ignored on receipt.

Length (5 bits):

Length of the option, expressed in 4-byte multiples, excluding the option header. The total length of each option may be between 4 and 128 bytes. A value of 0 in the 'Length' field implies an option with only an option header and no option data. Packets in which the total length of all options is not equal to the 'Opt Len' in the base header are invalid and MUST be silently dropped if received by a tunnel endpoint that processes the options.

Variable-Length Option Data:

Option data interpreted according to 'Type'.

• Receiving tunnel endpoints MUST drop packets containing unknown options with the 'C' bit set in the option type. Conversely, transit devices MUST NOT drop packets as a result of encountering unknown options, including those with the 'C' bit set.
• The contents of the options and their ordering MUST NOT be modified by transit devices.
• If a tunnel endpoint receives a Geneve packet with an 'Opt Len' (the total length of all options) that exceeds the options-processing capability of the tunnel endpoint, then the tunnel endpoint MUST drop such packets. An implementation may raise an exception to the control plane in such an event. It is the responsibility of the control plane to ensure the communicating peer tunnel endpoints have the processing capability to handle the total length of options. The definition of the control plane is beyond the scope of this document.

1. It is known that packet corruption is exceptionally unlikely (perhaps based on knowledge of equipment types in their underlay network) and the operator is willing to risk undetected packet corruption.
2. It is judged through observational measurements (perhaps through historic or current traffic flows that use non-zero checksum) that the level of packet corruption is tolerably low and is where the operator is willing to risk undetected corruption.
3. The Geneve payload is carrying applications that are tolerant of misdelivered or corrupted packets (perhaps through higher-layer checksum validation and/or reliability through retransmission).

1. Use of UDP checksum over IPv6 MUST be the default configuration for all Geneve tunnels.
2. If Geneve is used with zero UDP checksum over IPv6, then such a tunnel endpoint implementation MUST meet all the requirements specified in Section 4 of RFC 6936 and requirement 1 as specified in Section 5 of RFC 6936 since it is relevant to Geneve.
3. The Geneve tunnel endpoint that decapsulates the tunnel SHOULD check that the source and destination IPv6 addresses are valid for the Geneve tunnel that is configured to receive zero UDP checksum and discard other packets for which such a check fails.
4. The Geneve tunnel endpoint that encapsulates the tunnel MAY use different IPv6 source addresses for each Geneve tunnel that uses zero UDP checksum mode in order to strengthen the decapsulator's check of the IPv6 source address (i.e., the same IPv6 source address is not to be used with more than one IPv6 destination address, irrespective of whether that destination address is a unicast or multicast address). When this is not possible, it is RECOMMENDED to use each source address for as few Geneve tunnels that use zero UDP checksum as is feasible. Note that for requirements 3 and 4, the receiving tunnel endpoint can apply these checks only if it has out-of-band knowledge that the encapsulating tunnel endpoint is applying the indicated behavior. One possibility to obtain this out-of-band knowledge is through signaling by the control plane. The definition of the control plane is beyond the scope of this document.
5. Measures SHOULD be taken to prevent Geneve traffic over IPv6 with zero UDP checksum from escaping into the general Internet. Examples of such measures include employing packet filters at the gateways or edge of the Geneve network and/or keeping logical or physical separation of the Geneve network from networks carrying general Internet traffic.

• When performing LSO, a NIC MUST replicate the entire Geneve header and all options, including those unknown to the device, onto each resulting segment unless an option allows an exception. Conversely, when performing LRO, a NIC may assume that a binary comparison of the options (including unknown options) is sufficient to ensure equality and MAY merge packets with equal Geneve headers.
• Options MUST NOT be reordered during the course of offload processing, including when merging packets for the purpose of LRO.
• NICs performing offloads MUST NOT drop packets with unknown options, including those marked as critical, unless explicitly configured to do so.

Service Name:

geneve

Transport Protocol(s):

UDP

Assignee:

IESG <iesg@ietf.org>

Contact:

IETF Chair <chair@ietf.org>

Description:

Generic Network Virtualization Encapsulation (Geneve)

Reference:

[RFC8926]

Port Number:

6081

[RFC0768]

J. Postel, "User Datagram Protocol", STD 6, RFC 768, DOI 10.17487/RFC0768, August 1980,
<https://www.rfc-editor.org/info/rfc768>.

[RFC0792]

J. Postel, "Internet Control Message Protocol", STD 5, RFC 792, DOI 10.17487/RFC0792, September 1981,
<https://www.rfc-editor.org/info/rfc792>.

[RFC1122]

R. Braden, "Requirements for Internet Hosts - Communication Layers", STD 3, RFC 1122, DOI 10.17487/RFC1122, October 1989,
<https://www.rfc-editor.org/info/rfc1122>.

[RFC1191]

J.C. Mogul, and S.E. Deering, "Path MTU discovery", RFC 1191, DOI 10.17487/RFC1191, November 1990,
<https://www.rfc-editor.org/info/rfc1191>.

[RFC2003]

C. Perkins, "IP Encapsulation within IP", RFC 2003, DOI 10.17487/RFC2003, October 1996,
<https://www.rfc-editor.org/info/rfc2003>.

[RFC2119]

S. Bradner, "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.

[RFC4443]

A. Conta, S. Deering, and M. Gupta, "Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification", STD 89, RFC 4443, DOI 10.17487/RFC4443, March 2006,
<https://www.rfc-editor.org/info/rfc4443>.

[RFC6040]

B. Briscoe, "Tunnelling of Explicit Congestion Notification", RFC 6040, DOI 10.17487/RFC6040, November 2010,
<https://www.rfc-editor.org/info/rfc6040>.

[RFC6936]

G. Fairhurst, and M. Westerlund, "Applicability Statement for the Use of IPv6 UDP Datagrams with Zero Checksums", RFC 6936, DOI 10.17487/RFC6936, April 2013,
<https://www.rfc-editor.org/info/rfc6936>.

[RFC7365]

M. Lasserre, F. Balus, T. Morin, N. Bitar, and Y. Rekhter, "Framework for Data Center (DC) Network Virtualization", RFC 7365, DOI 10.17487/RFC7365, October 2014,
<https://www.rfc-editor.org/info/rfc7365>.

[RFC8085]

L. Eggert, G. Fairhurst, and G. Shepherd, "UDP Usage Guidelines", BCP 145, RFC 8085, DOI 10.17487/RFC8085, March 2017,
<https://www.rfc-editor.org/info/rfc8085>.

[RFC8126]

M. Cotton, B. Leiba, and T. Narten, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 8126, DOI 10.17487/RFC8126, June 2017,
<https://www.rfc-editor.org/info/rfc8126>.

[RFC8174]

B. Leiba, "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017,
<https://www.rfc-editor.org/info/rfc8174>.

[RFC8200]

S. Deering, and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", STD 86, RFC 8200, DOI 10.17487/RFC8200, July 2017,
<https://www.rfc-editor.org/info/rfc8200>.

[RFC8201]

J. McCann, S. Deering, J. Mogul, and R. Hinden, "Path MTU Discovery for IP version 6", STD 87, RFC 8201, DOI 10.17487/RFC8201, July 2017,
<https://www.rfc-editor.org/info/rfc8201>.

[ETYPES]

IANA, "IEEE 802 Numbers",
<https://www.iana.org/assignments/ieee-802-numbers>.

[IANA-PR]

IANA, "Protocol Registries",
<https://www.iana.org/protocols>.

[IANA-SN]

IANA, "Service Name and Transport Protocol Port Number Registry",
<https://www.iana.org/assignments/service-names-port-numbers>.

[IEEE.802.1Q_2018]

IEEE, "IEEE Standard for Local and Metropolitan Area Networks--Bridges and Bridged Networks", DOI 10.1109/IEEESTD.2018.8403927, IEEE 802.1Q-2018, July 2018,
<http://ieeexplore.ieee.org/servlet/opac?punumber=8403925>.

[INTAREA-TUNNELS]

J Touch, and M Townsley, "IP Tunnels in the Internet Architecture", Internet-Draft draft-ietf-intarea-tunnels-10, September 2019,
<https://tools.ietf.org/html/draft-ietf-intarea-tunnels-10>.

[NVO3-DATAPLANE]

N Bitar, M Lasserre, F Balus, T Morin, L Jin, and B Khasnabish, "NVO3 Data Plane Requirements", Internet-Draft draft-ietf-nvo3-dataplane-requirements-03, April 2014,
<https://tools.ietf.org/html/draft-ietf-nvo3-dataplane-requirements-03>.

[NVO3-ENCAP]

S Boutros, "NVO3 Encapsulation Considerations", Internet-Draft draft-ietf-nvo3-encap-05, February 2020,
<https://tools.ietf.org/html/draft-ietf-nvo3-encap-05>.

[RFC2983]

D. Black, "Differentiated Services and Tunnels", RFC 2983, DOI 10.17487/RFC2983, October 2000,
<https://www.rfc-editor.org/info/rfc2983>.

[RFC3031]

E. Rosen, A. Viswanathan, and R. Callon, "Multiprotocol Label Switching Architecture", RFC 3031, DOI 10.17487/RFC3031, January 2001,
<https://www.rfc-editor.org/info/rfc3031>.

[RFC3552]

E. Rescorla, and B. Korver, "Guidelines for Writing RFC Text on Security Considerations", BCP 72, RFC 3552, DOI 10.17487/RFC3552, July 2003,
<https://www.rfc-editor.org/info/rfc3552>.

[RFC3985]

S. Bryant, and P. Pate, "Pseudo Wire Emulation Edge-to-Edge (PWE3) Architecture", RFC 3985, DOI 10.17487/RFC3985, March 2005,
<https://www.rfc-editor.org/info/rfc3985>.

[RFC4301]

S. Kent, and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, December 2005,
<https://www.rfc-editor.org/info/rfc4301>.

[RFC5374]

B. Weis, G. Gross, and D. Ignjatic, "Multicast Extensions to the Security Architecture for the Internet Protocol", RFC 5374, DOI 10.17487/RFC5374, November 2008,
<https://www.rfc-editor.org/info/rfc5374>.

[RFC6438]

B. Carpenter, and S. Amante, "Using the IPv6 Flow Label for Equal Cost Multipath Routing and Link Aggregation in Tunnels", RFC 6438, DOI 10.17487/RFC6438, November 2011,
<https://www.rfc-editor.org/info/rfc6438>.

[RFC7348]

M. Mahalingam, D. Dutt, K. Duda, P. Agarwal, L. Kreeger, T. Sridhar, M. Bursell, and C. Wright, "Virtual eXtensible Local Area Network (VXLAN): A Framework for Overlaying Virtualized Layer 2 Networks over Layer 3 Networks", RFC 7348, DOI 10.17487/RFC7348, August 2014,
<https://www.rfc-editor.org/info/rfc7348>.

[RFC7637]

P. Garg, and Y. Wang, "NVGRE: Network Virtualization Using Generic Routing Encapsulation", RFC 7637, DOI 10.17487/RFC7637, September 2015,
<https://www.rfc-editor.org/info/rfc7637>.

[RFC8014]

D. Black, J. Hudson, L. Kreeger, M. Lasserre, and T. Narten, "An Architecture for Data-Center Network Virtualization over Layer 3 (NVO3)", RFC 8014, DOI 10.17487/RFC8014, December 2016,
<https://www.rfc-editor.org/info/rfc8014>.

[RFC8086]

L. Yong, E. Crabbe, X. Xu, and T. Herbert, "GRE-in-UDP Encapsulation", RFC 8086, DOI 10.17487/RFC8086, March 2017,
<https://www.rfc-editor.org/info/rfc8086>.

[RFC8293]

A. Ghanwani, L. Dunbar, M. McBride, V. Bannai, and R. Krishnan, "A Framework for Multicast in Network Virtualization over Layer 3", RFC 8293, DOI 10.17487/RFC8293, January 2018,
<https://www.rfc-editor.org/info/rfc8293>.

[VL2]

Greenberg, A., et al., "VL2: A Scalable and Flexible Data Center Network", DOI 10.1145/1594977.1592576, August 2009,
<https://dl.acm.org/doi/10.1145/1594977.1592576>.

Pankaj Garg

Chris Wright

Kenneth Duda

Dinesh G. Dutt

Jon Hudson

Ariel Hendel

Jesse Gross

Ilango Ganga

T. Sridhar