Disable checksum offload on the IPIP tunnel like we do for VXLAN

[cyclinder]

Expected Behavior

root@controller:~/cyclinder# ethtool -k tunl0 | grep tx-checksumming
tx-checksumming: on

As a part of projectcalico/felix#2811, I think we need also disable checksum offload on the IPIP tunnel for kernels <v5.7.

We encountered this problem in our production, the clients used IPIP mode, the clients found that the pod could not tcp communicate with across nodes, and finally solved it by executing the following command in every node:

ethtool -K tunl0 tx off

Current Behavior

calico only disable checksum offload on the VXLAN tunnel.

Possible Solution

Steps to Reproduce (for bugs)

Context

Similar reports： https://dev.hsrn.nyu.edu/hsrn-projects/kubernetes-bare-metal/-/issues/7

Your Environment

• Calico version
• Orchestrator version (e.g. kubernetes, mesos, rkt):
• Operating System and version:
• Link to your project (optional):

[mazdakn]

Hey @cyclinder , I don't think Felix disables IPIP tunnel checksum offload by default. Generally speaking, we recommend using vxlan instead of ipip as we have seen many issues with ipip due to lack of attention it's getting in different platform/NICs. There was also a major change to IPIP kernel v5.7 (or maybe v5.8) that made the situation worse.

[cyclinder]

Thanks for the tip. @mazdakn

I think we have many IPIP users. and If calico supports IPIP mode, I think we should fix it, so should we also disables IPIP tunnel checksum offload by default?

There was also a major change to IPIP kernel v5.7 (or maybe v5.8) that made the situation worse.

Could you tell me more details about this? thanks.

[cyclinder]

Hi @fasaxc, Should we disable checksum offload on the IPIP tunnel? If yes, I can work for this.

[fasaxc]

Yes, I think that's a good idea. Let's disable it by default. You could wire it up to the "ChecksumOffloadBroken" feature flag so that it can be overridden later for testing. (Then later if we find it's fixed we can dd autodetection in for the kernels where it works.)