On Tue, Sep 7, 2010 at 9:18 PM, Brian E Carpenter <[email protected]> wrote: > Hi, > > The authors of draft-carpenter-6man-flow-update (now also > including Shane Amante) are working on a new version. One > fundamental issue that has come up is about the (lack of) > security properties of the flow label. The most brutal > expression of this is: > > The flow label field is always unprotected (no IP header > checksum, not included in transport checksums, not included in > IPsec checksum). It cannot be verified and can be used as a > covert channel, so it will never pass a security analysis. Thus > some firewalls *will* decide to clear it, whatever the IETF > wants. This is inevitable, for exactly the same reason that the > diffserv code point is rewriteable at domain boundaries. > > If this is correct, it is futile to assert that the flow label > MUST be delivered unchanged to the destination, because we > cannot rely on this in the real world. > > Are we ready to accept this analysis?
what's the threat if it changes in flight? multiple times even? -------------------------------------------------------------------- IETF IPv6 working group mailing list [email protected] Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 --------------------------------------------------------------------
