On Jan 10, 2011, at 11:26 AM, Christian Huitema wrote:

> Fred wrote:
>
>> Note that I am in favor of suggesting that the Flow Label be included in the
>> hash when doing load balancing. It is a no brainer. At worst, it is a no op.
>> But it certainly is never better to exclude it.
>
> Have you looked at the security implications? Suppose that an attacker can
> predict the hash algorithm used by a router. This attacker could then pick
> "interesting" values of the flow ID, to get the flow of traffic directed to
> particular paths, or not. For example, they could systematically put a
> different flow label to each packet to ensure the traffic is spread over all
> available paths.

Or he could hit a large number of flows, play with them to see which values achieve what he's trying to achieve, and simply use them - without knowledge of the game aforehand.

Unless, of course, the network is in control of the flow label. If the network is in control of the flow label, it is in a position to change that.
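The behaviour debated in this thread, as an added simulation that is not part of the original messages: it compares which equal-cost paths one flow's packets take when the flow label is or is not part of the load-balancing hash. SHA-256 as the router hash, the four-path topology, the sample flow and the `edge_rewrite` policy (one possible reading of "the network is in control of the flow label") are all assumptions made for illustration.

```python
import hashlib
import struct
from ipaddress import IPv6Address

N_PATHS = 4  # constructed: number of equal-cost next hops

def ecmp_path(src, dst, sport, dport, flow_label, use_label=True, n_paths=N_PATHS):
    """Pick a next-hop index from a hash of header fields.
    SHA-256 is a stand-in; real routers use vendor-specific hashes."""
    key = IPv6Address(src).packed + IPv6Address(dst).packed
    key += struct.pack("!HH", sport, dport)
    if use_label:
        key += struct.pack("!I", flow_label & 0xFFFFF)  # flow label is 20 bits
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % n_paths

def edge_rewrite(src, dst, sport, dport, _host_label):
    """Hypothetical ingress policy: discard the host's label and set one
    derived from addresses and ports, so it is constant for the flow."""
    key = IPv6Address(src).packed + IPv6Address(dst).packed
    key += struct.pack("!HH", sport, dport)
    return int.from_bytes(hashlib.sha256(b"edge" + key).digest()[:3], "big") & 0xFFFFF

def paths_used(labels, use_label=True, rewrite=False):
    """Set of paths taken by one flow whose packets carry the given labels."""
    flow = ("2001:db8::1", "2001:db8::2", 40000, 443)  # constructed sample flow
    used = set()
    for label in labels:
        if rewrite:
            label = edge_rewrite(*flow, label)
        used.add(ecmp_path(*flow, label, use_label=use_label))
    return used

constant = [0x12345] * 200        # one label for the whole flow
per_packet = list(range(1, 201))  # label changes on every packet

if __name__ == "__main__":
    print("constant label, label hashed:   ", paths_used(constant))
    print("per-packet label, label ignored:", paths_used(per_packet, use_label=False))
    print("per-packet label, label hashed: ", paths_used(per_packet))
    print("per-packet label, edge rewrite: ", paths_used(per_packet, rewrite=True))
```

A flow is reordered across paths only in the third case, where the sender's label is both variable and hashed; ignoring the label or overwriting it at the network edge keeps the flow on one path.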
