Dear list,

sorry to stir the hornet's nest about end-to-end flow labels, but I think
there are some security problems in them.

First, the labels are excluded from the IPSec AH, which means they cannot be
trusted. I wouldn't build a service that is based on them, unless there is
some other way to make them trustworthy. Like keeping the server and the
client within the same administrative domain.

Another problem is a covert channel. If a client can set the flow label
bits, it can communicate with the outside world without anybody noticing. I
don't mean just transmitting payload without paying for it. There are spy
programs, too.

Don't-care bits should not cross a security perimeter. All header fields
that are not protected by the IPSec AH should be overwritten by edge
routers. Either by something neutral (like zeroes for flow label) or values
that have been agreed with the peering domain (DiffServ Code Points).

I vote for edge-to-edge flow labels, not end-to-end.

-- Lassi
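An added illustration of the two points above (example code, not part of Lassi's message or of any IETF text): a simplified AH integrity check that, as RFC 2402 / RFC 4302 require, treats the flow label as a mutable field and zeroes it before hashing, so two packets differing only in their flow label verify under the same ICV, followed by the edge-router normalization the post proposes. The key, addresses and payload are constructed sample values.

```python
import hmac
import hashlib
import struct

# Constructed addresses for the sample packet (not from the post).
SRC = b"\x00" * 15 + b"\x01"   # ::1
DST = b"\x00" * 15 + b"\x02"   # ::2

def build_ipv6_header(flow_label, traffic_class=0, hop_limit=64,
                      payload_len=0, next_header=59, src=SRC, dst=DST):
    """Build a 40-byte IPv6 base header: version 6 | traffic class | 20-bit flow label."""
    first_word = (6 << 28) | ((traffic_class & 0xFF) << 20) | (flow_label & 0xFFFFF)
    return struct.pack("!IHBB", first_word, payload_len, next_header, hop_limit) + src + dst

def flow_label(hdr):
    """Extract the 20-bit flow label from a base header."""
    return struct.unpack("!I", hdr[:4])[0] & 0xFFFFF

def zero_mutable_fields(hdr):
    """AH ICV input (RFC 2402 / RFC 4302): Traffic Class, Flow Label and Hop Limit
    are mutable and treated as zero; version, lengths and addresses are kept."""
    version_only = struct.unpack("!I", hdr[:4])[0] & 0xF0000000
    return struct.pack("!I", version_only) + hdr[4:7] + b"\x00" + hdr[8:]

def ah_icv(key, hdr, payload):
    """Simplified AH integrity check value: HMAC-SHA-256 over the header with
    mutable fields zeroed plus the payload. A real AH also covers the AH header."""
    return hmac.new(key, zero_mutable_fields(hdr) + payload, hashlib.sha256).digest()

def edge_normalize(hdr):
    """The post's edge-router rule: overwrite the unprotected flow label with
    zeroes before the packet crosses the perimeter; everything else is untouched."""
    first_word = struct.unpack("!I", hdr[:4])[0] & 0xFFF00000
    return struct.pack("!I", first_word) + hdr[4:]

def demo(key=b"constructed-shared-key", payload=b"constructed payload"):
    """Two packets differing only in flow label verify under the same ICV, so the
    label carries bits AH never checks; normalization strips them at the edge."""
    a = build_ipv6_header(0x12345)
    b = build_ipv6_header(0x0ABCD)
    same_icv = hmac.compare_digest(ah_icv(key, a, payload), ah_icv(key, b, payload))
    normalized = edge_normalize(b)
    return same_icv, flow_label(normalized), normalized[4:] == b[4:]

if __name__ == "__main__":
    print(demo())  # (True, 0, True)
```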
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------