6. Security Considerations
Network virtualization overlays face several security challenges. Geneve does not inherently provide security (such as encryption or authentication) but relies on either the underlay network or additional security mechanisms for protection.
6.1. Data Confidentiality
Geneve packets carry tenant data in cleartext. If the underlay network is not trusted, an attacker with access to the underlay can inspect the traffic. To provide confidentiality, Geneve can be transported over IPsec or DTLS, or the inner packet can be encrypted by the tenant.
6.2. Data Integrity
Without integrity protection, an attacker could modify the Geneve header or the inner payload. The UDP checksum provides limited protection against accidental corruption but not against malicious modification. Secure transport protocols (IPsec/DTLS) should be used if integrity is required.
6.3. Authentication
Tunnel endpoints should authenticate each other to prevent unauthorized devices from injecting traffic into the overlay. This is typically handled by the control plane or by using a secure transport protocol.
6.4. Replay Protection
An attacker could capture valid Geneve packets and replay them later. Standard Geneve does not include sequence numbers or timestamps that would prevent replay, so replay protection must come from upper-layer protocols (e.g., TCP) or from a secure transport protocol.
6.5. Traffic Analysis
Even with encryption, an attacker can analyze the traffic patterns (volume, timing) to infer information. Geneve headers (VNI, Options) are visible if not encrypted by IPsec, potentially leaking metadata.
6.6. Secure Protocol Negotiation
The negotiation of Geneve capabilities and options between endpoints must be secure to prevent downgrade attacks. This is the responsibility of the control plane.
6.7. Inner Traffic Verification
The decapsulating endpoint MUST verify that the inner packet is valid and permitted for the given VNI. It effectively acts as a firewall for the tenant network.
6.8. Option Security
Options may carry sensitive information. Endpoints MUST ensure that options are only processed from trusted sources and that the information contained within them is handled securely.
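The decapsulation checks of 6.7 and 6.8, as an added example that is not part of this document: a Python parser for the Geneve base header and its TLV options that rejects malformed packets, enforces a per-outer-source VNI allow-list, and drops packets carrying critical options from option classes the control plane has not vouched for. The addresses, VNIs and option class 0x0102 in the policy are constructed placeholders.

```python
import struct
# Constructed policy (hypothetical values): outer source -> permitted VNIs, and trusted option classes.
ALLOWED_VNIS = {"10.0.0.5": {100, 200}, "10.0.0.6": {300}}
TRUSTED_OPTION_CLASSES = {0x0102}
PROTO_ETHERNET = 0x6558  # Geneve Protocol Type for an inner Ethernet frame

def build_geneve(vni, options=b"", inner=b"\x00" * 14, critical=False):
    """Assemble base header (Ver=0, Opt Len, O/C bits, Protocol Type, VNI) + options + inner."""
    b0 = len(options) // 4           # Ver=0 in the top 2 bits, Opt Len in 4-byte words
    b1 = int(critical) << 6          # O=0, C bit, 6 reserved bits
    return struct.pack("!BBHI", b0, b1, PROTO_ETHERNET, vni << 8) + options + inner

def build_option(opt_class, opt_type, data=b"", critical=False):
    """One TLV option: Class(16) Type(8, high bit = critical) R(3) Length(5, 4-byte words)."""
    return struct.pack("!HBB", opt_class, opt_type | (0x80 if critical else 0),
                       len(data) // 4) + data

def parse_geneve(buf):
    """Structural checks only; returns (vni, [(class, type, critical, data)], inner)."""
    if len(buf) < 8:
        raise ValueError("truncated base header")
    b0, _b1, proto, word = struct.unpack("!BBHI", buf[:8])
    if b0 >> 6 != 0 or proto != PROTO_ETHERNET:
        raise ValueError("unsupported version or protocol type")
    opt_len = (b0 & 0x3F) * 4
    if len(buf) < 8 + opt_len + 14:  # options must fit and leave room for an Ethernet header
        raise ValueError("Opt Len overruns packet or inner frame too short")
    opts, pos, end = [], 8, 8 + opt_len
    while pos < end:
        cls, typ, flen = struct.unpack("!HBB", buf[pos:pos + 4])
        dlen = (flen & 0x1F) * 4
        if pos + 4 + dlen > end:
            raise ValueError("option length overruns option area")
        opts.append((cls, typ & 0x7F, bool(typ & 0x80), buf[pos + 4:pos + 4 + dlen]))
        pos += 4 + dlen
    return word >> 8, opts, buf[end:]

def admit(outer_src, buf):
    """Decapsulation policy: (True, vni, inner) or (False, reason, None)."""
    try:
        vni, opts, inner = parse_geneve(buf)
    except ValueError as e:
        return False, f"malformed: {e}", None
    if vni not in ALLOWED_VNIS.get(outer_src, ()):
        return False, f"VNI {vni} not permitted from {outer_src}", None
    for cls, _typ, critical, _data in opts:
        if critical and cls not in TRUSTED_OPTION_CLASSES:
            return False, f"unknown critical option class {cls:#06x}", None
    return True, vni, inner
```

Non-critical options from untrusted classes are left in the returned list for the caller to ignore; only the VNI and the critical-option check decide admission here.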