Hi, Thomas,
On 10/01/2011 11:10 a.m., Thomas Narten wrote:
> The crux of the issue is the following:
>
>> 1. It is RECOMMENDED that source hosts support the flow label by
>> setting the flow label field for all packets of a flow to the
>> same pseudo-random value.
>
> I do not see a reason to require this.
Probably that could/should be rephrased as:
1. It is RECOMMENDED that source hosts support the flow label by
setting the flow label field for all packets of a flow to the
same value. Such a value should not be easily predictable by an
off-path attacker.
> You do NOT need uniform spread on the input to the hash to get such an
> output. A decent hash algorithm is what you need. You also don't need
> Flow Labels selected in a pseudo-random fashion.
Agreed. But predictable values have been found to have problems. See
e.g. the implications of the IPv4 identification field in
http://www.gont.com.ar/papers/InternetProtocol.pdf
> RFC 3697 says specifically you can assign Flow Label values
> sequentially.
Indeed, draft-gont-6man-flowlabel-security does select flow labels
incrementally --- although with a scheme that makes it difficult for an
off-path attacker to guess the next flow label value.
Thanks!
Best regards,
--
Fernando Gont
e-mail: [email protected] || [email protected]
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
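The property the thread is circling (same label for every packet of a flow, labels assigned incrementally, yet hard for an off-path attacker to guess) is easiest to see next to the plainly sequential allocation that RFC 3697 permits. The following is an added example, not code from the thread or from draft-gont-6man-flowlabel-security; the scheme it implements (label = counter + keyed hash of source and destination addresses, mod 2^20, with one global counter) is my own choice in the spirit of the draft's approach, and the addresses, secret and flow tuples are constructed test data.

```python
"""Flow-label allocation: naive sequential vs. keyed per-destination offset.

Added example, not from the IETF thread or the draft it cites.  The keyed
scheme below (assumption: label = (counter + HMAC(secret, src||dst)) mod 2^20)
is my own illustration of "incremental but hard to guess off-path".
"""
import hashlib
import hmac
import ipaddress
import os

FLOW_LABEL_BITS = 20
FLOW_LABEL_MASK = (1 << FLOW_LABEL_BITS) - 1   # 0xFFFFF

# A flow is identified by (src, dst, proto, sport, dport); constructed data.


class NaiveSequentialAllocator:
    """Sequential labels, as RFC 3697 allows: the next value is obvious."""

    def __init__(self):
        self.counter = 1            # start at 1: label 0 means "no flow label"
        self.assigned = {}

    def label_for(self, flow):
        if flow in self.assigned:   # all packets of a flow get the same label
            return self.assigned[flow]
        label = self.counter
        self.counter = ((self.counter + 1) & FLOW_LABEL_MASK) or 1
        self.assigned[flow] = label
        return label


class KeyedOffsetAllocator:
    """Incremental labels shifted by a secret, per-destination offset.

    An off-path attacker who observes labels sent to one destination learns
    counter + F(that destination) but not F(another destination), so labels
    of flows to other hosts remain unpredictable to it.
    """

    def __init__(self, secret=None):
        self.secret = secret if secret is not None else os.urandom(16)
        self.counter = 0
        self.assigned = {}

    def _offset(self, src, dst):
        data = ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
        mac = hmac.new(self.secret, data, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big") & FLOW_LABEL_MASK

    def label_for(self, flow):
        if flow in self.assigned:
            return self.assigned[flow]
        offset = self._offset(flow[0], flow[1])
        while True:
            label = (offset + self.counter) & FLOW_LABEL_MASK
            self.counter = (self.counter + 1) & FLOW_LABEL_MASK
            if label != 0:          # RFC 3697: zero = packet not part of a flow
                break
        self.assigned[flow] = label
        return label


def offpath_guess(observed_label):
    """Attacker's guess for the host's next label, assuming plain sequential use."""
    return (observed_label + 1) & FLOW_LABEL_MASK


def demo(secret=b"\x00" * 16):
    """Attacker observes one label (to itself) and guesses the label of the
    host's next flow to a victim.  Returns {name: (seen, actual, guess_ok)}."""
    host = "2001:db8::1"            # constructed addresses
    victim = "2001:db8:1::10"
    attacker = "2001:db8:2::66"
    results = {}
    for name, alloc in (("naive", NaiveSequentialAllocator()),
                        ("keyed", KeyedOffsetAllocator(secret))):
        seen = alloc.label_for((host, attacker, 6, 40000, 80))
        actual = alloc.label_for((host, victim, 6, 40001, 80))
        results[name] = (seen, actual, offpath_guess(seen) == actual)
    return results


if __name__ == "__main__":
    for name, (seen, actual, ok) in demo().items():
        print(f"{name:5s} seen={seen:#07x} next={actual:#07x} guess_ok={ok}")
```

Two caveats worth keeping in mind with this scheme: the single global counter means an observer of flows to the same destination (on-path, or the destination itself) still sees labels advance by one per new flow, so the protection is specifically against the off-path case the thread discusses; and the hash is keyed with a per-host secret, so a predictable or shared secret would collapse it back to the naive case.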