On 2011-01-11 11:50, Fred Baker wrote:
> On Jan 10, 2011, at 11:26 AM, Christian Huitema wrote:
>
>> Fred wrote:
>>
>>> Note that I am in favor of suggesting that the Flow Label be included in
>>> the hash when doing load balancing. It is a no brainer. At worst, it is a
>>> no op. But it certainly is never better to exclude it.
>>
>> Have you looked at the security implications? Suppose that an attacker can
>> predict the hash algorithm used by a router. This attacker could then pick
>> "interesting" values of the flow ID, to get the flow of traffic directed to
>> particular paths, or not. For example, they could systematically put a
>> different flow label to each packet to ensure the traffic is spread over all
>> available paths.
>
> Or he could hit a large number of flows, play with them to see which values
> achieve what he's trying to achieve, and simply use them - without knowledge
> of the game aforehand.
>
> Unless, of course, the network is in control of the flow label. If the
> network is in control of the flow label, it is in a position to change that.

I understood the WG to have reached a consensus that we still
want to declare the flow label immutable, except for allowing a
router to set it if the source host does not. The draft reflects
that consensus.

   Brian
--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
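
Added example, not part of the original message or of any draft: a sketch of hash-based path selection with and without the Flow Label in the hash input, plus a check an operator could run to spot a transport flow whose label changes from packet to packet. SHA-256 stands in for the router hash (the thread names none), and the path count, addresses, ports and labels are constructed for illustration.

```python
import hashlib
from collections import defaultdict

N_PATHS = 4  # assumed number of equal-cost paths (not from the thread)

def ecmp_path(src, dst, sport, dport, flow_label, use_label=True):
    """Map a packet to a path index by hashing its flow fields.
    SHA-256 is a stand-in; the thread does not name a router hash."""
    fields = [src, dst, str(sport), str(dport)]
    if use_label:
        fields.append(f"{flow_label & 0xFFFFF:05x}")  # flow label is 20 bits
    digest = hashlib.sha256("|".join(fields).encode()).digest()
    return int.from_bytes(digest[:4], "big") % N_PATHS

def paths_used(packets, use_label):
    """Set of path indexes that a list of packets is spread over."""
    return {ecmp_path(*pkt, use_label=use_label) for pkt in packets}

def label_churn(packets, max_labels=1):
    """Transport flows seen with more than max_labels distinct flow labels."""
    seen = defaultdict(set)
    for src, dst, sport, dport, label in packets:
        seen[(src, dst, sport, dport)].add(label)
    return {flow: len(labels) for flow, labels in seen.items()
            if len(labels) > max_labels}

# Constructed sample traffic (documentation prefix 2001:db8::/32).
STABLE_FLOW = ("2001:db8::1", "2001:db8:ffff::10", 40000, 443)
CHURN_FLOW = ("2001:db8::2", "2001:db8:ffff::10", 40001, 443)
STABLE = [STABLE_FLOW + (0x12345,) for _ in range(64)]   # one label per flow
CHURN = [CHURN_FLOW + (i + 1,) for i in range(64)]       # new label per packet

if __name__ == "__main__":
    print("stable label, label hashed   :", sorted(paths_used(STABLE, True)))
    print("churning label, label hashed :", sorted(paths_used(CHURN, True)))
    print("churning label, label ignored:", sorted(paths_used(CHURN, False)))
    print("flows with label churn       :", label_churn(STABLE + CHURN))
```

A flow that keeps one label stays on one path either way; the per-packet label change only affects path choice when the label is part of the hash input, and it is visible at any observation point that tracks labels per transport flow.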