On Tue, Sep 7, 2010 at 11:38 PM, Brian E Carpenter
<[email protected]> wrote:
> Below...
>
> On 2010-09-08 14:44, Christopher Morrow wrote:
>> On Tue, Sep 7, 2010 at 9:18 PM, Brian E Carpenter
>> <[email protected]> wrote:
>>> Hi,
>>>
>>> The authors of draft-carpenter-6man-flow-update (now also
>>> including Shane Amante) are working on a new version. One
>>> fundamental issue that has come up is about the (lack of)
>>> security properties of the flow label. The most brutal
>>> expression of this is:
>>>
>>> The flow label field is always unprotected (no IP header
>>> checksum, not included in transport checksums, not included in
>>> IPsec checksum). It cannot be verified and can be used as a
>>> covert channel, so it will never pass a security analysis. Thus
>>> some firewalls *will* decide to clear it, whatever the IETF
>>> wants. This is inevitable, for exactly the same reason that the
>>> diffserv code point is rewriteable at domain boundaries.
>>>
>>> If this is correct, it is futile to assert that the flow label
>>> MUST be delivered unchanged to the destination, because we
>>> cannot rely on this in the real world.
>>>
>>> Are we ready to accept this analysis?
>>
>> what's the threat if it changes in flight? multiple times even?
>
> That presumably depends on the use case. The idea is that someone
> figures out what flow label values will screw you, and sets such
> values. Let's assume you're using it for ECMP or LAG. You're hashing
> the flow label as part of the ECMP/LAG hash. Someone figures out
> how to compute a flow label for each packet arriving on your 10GB
> line that will bias your hash, and therefore defeat the load sharing.

If the flow label is used as the only input to the hash, then changing
it willy-nilly will likely change the LAG member (or ECMP path). This
MAY cause pain for the ISP, and it MAY additionally cause pain for the
end users of the flow. If the flow label is the only input, there may be
less reliable traffic spreading/sharing than is desired anyway.

It seems that either of the above isn't really good, but whether or
not the flow label changes in flight (even multiple times), it doesn't
look like it'd matter in a significant way, to me. I'd defer to Shane
though, since he seemed to have some strong feelings about this.

> Note, I'm not saying it will happen, just that it might, and that
> seems to be how some security people think.
>
> We can choose to not worry about this, but that's why I want to
> discuss it.

so far my vote is to not worry...

-chris

>   Brian
>
--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
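
The load-sharing effect discussed in the message above, as an added example that is not part of the original thread: a small model of LAG/ECMP member selection comparing a hash over the flow label alone with a hash over addresses, ports and label, both with the label intact and with it cleared upstream. It also covers the case of one flow whose label differs per packet. The member count, the sample flows and the use of SHA-256 as the hash are assumptions; real devices use their own hash functions.

```python
import hashlib
import random
from collections import Counter

MEMBERS = 4  # constructed: a 4-link LAG / 4-way ECMP group

def pick_member(fields):
    """Map a tuple of header fields to a member index via a stable hash."""
    digest = hashlib.sha256(repr(fields).encode()).digest()
    return int.from_bytes(digest[:4], "big") % MEMBERS

def make_flows(n, seed=1):
    """Constructed flows: (src, dst, sport, dport, 20-bit flow label)."""
    rng = random.Random(seed)
    return [(f"2001:db8::{rng.randrange(1, 0xffff):x}", "2001:db8:ffff::1",
             rng.randrange(1024, 65536), 443, rng.randrange(1, 1 << 20))
            for _ in range(n)]

def hash_key(flow, label, label_only):
    """Hash input: the label alone, or addresses and ports plus the label."""
    return (label,) if label_only else flow[:4] + (label,)

def spread(flows, label_only, cleared=False):
    """Flows per member; cleared=True models an upstream device zeroing the label."""
    counts = Counter(pick_member(hash_key(f, 0 if cleared else f[4], label_only))
                     for f in flows)
    return [counts[m] for m in range(MEMBERS)]

def members_hit(flow, labels, label_only):
    """Members used by ONE flow whose label differs from packet to packet."""
    return {pick_member(hash_key(flow, lab, label_only)) for lab in labels}

if __name__ == "__main__":
    flows = make_flows(4000)
    for label_only in (True, False):
        name = "label only" if label_only else "addresses+ports+label"
        print(name, "intact :", spread(flows, label_only))
        print(name, "cleared:", spread(flows, label_only, cleared=True))
    rewritten = random.Random(2).sample(range(1 << 20), 64)
    print("one flow, label rewritten per packet:",
          sorted(members_hit(flows[0], rewritten, label_only=False)))
```

With the label as the only input, a cleared label puts every flow on one member; with the other fields in the hash, the spread survives, but a label that varies within a flow still scatters that flow's packets across members.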
