On 2011-01-18 08:27, Christian Huitema wrote:
> Thomas Narten wrote:
>
>> I'm a bit stuck on this point, because both of the current flow label
>> documents continue to say flow labels should be generated SHOULD be
>> pseudo-random, and I'm not convinced this is necessary, required, or
>> buys us anything. What compelling argument am I missing?
>
> I agree. The network routers should not trust that the flow label has any
> particular randomness properties, because misplaced trust would open a path
> for attacks. Having the randomness requirement in the spec would only
> encourage routers to make the wrong security assumptions.

There are two, or possibly three, arguments for a "SHOULD" here:

1. The security argument, made in draft-gont-6man-flowlabel-security.
   Obviously downstream nodes must not rely on this, but that in itself
   doesn't weaken the argument for pseudo-randomness. The draft says
   "Forwarding nodes such as routers and load balancers MUST NOT
   depend only on Flow Label values being randomly distributed."
   I find Christian's counter-argument strange; there are many places
   where foolish implementers can create security exposures.

2. The argument, that Thomas has disputed, that this provides better
   input to a load balancing hash. I'll debate that on another thread
   where Thomas has repeated his arguments.

3. The dubious argument that by recommending a *specific* method of
   setting the flow label, we increase the chances that implementers will
   actually do so. It's clear that the present recommendation is too
   weak in that respect.

   Brian
--------------------------------------------------------------------
IETF IPv6 working group mailing list
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------