On 2012-01-28 20:59, Fernando Gont wrote:
...
> A similar approach could be implemented for the generation of Fragment
> Identification values.
>
> Thus, even if you needed to empty the Destinations Cache, you'd still
> have the benefit that the algorithm:
> * Makes the IDs (either FL or Fragment ID) difficult to guess by an
>   off-path attacker
> * Minimizes the reuse frequency of the corresponding IDs.

I think it's a mistake to draw a strong analogy between the flow label and the fragment ID.

When the flow label is used for any form of load distribution, it really doesn't matter if occasional flows share the same label value, as long as this is statistically rare. It just means that the two flows might happen to follow the same path - so what? Thus, a completely stateless algorithm is fine and the counter brings no benefit.

OTOH surely we need to completely avoid overlapping fragment IDs.

   Brian
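
The contrast drawn in this exchange, as an added example that is not part of either message: a stateless 20-bit flow label that tolerates rare collisions, next to a 32-bit Fragment ID that must not repeat for a given source/destination pair. The thread does not spell out the algorithm, so the keyed-hash-plus-counter construction, the HMAC-SHA-256 choice, all function and class names, and the 2001:db8:: documentation addresses are assumptions.

```python
import hashlib
import hmac
import os

SECRET = os.urandom(16)  # assumed per-boot secret, unknown to off-path attackers


def _f(*parts, bits):
    """Keyed hash of the inputs, truncated to `bits` bits (hypothetical helper)."""
    msg = b"|".join(str(p).encode() for p in parts)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << bits) - 1)


def stateless_flow_label(src, dst, proto, sport, dport):
    """20-bit label with no per-flow state: two flows may share a value,
    which only means they may follow the same path."""
    return _f(src, dst, proto, sport, dport, bits=20)


class FragmentIdGenerator:
    """32-bit Fragment IDs: keyed-hash offset plus a per-destination counter,
    so IDs for one (src, dst) pair do not repeat until the counter wraps."""

    def __init__(self):
        self.counters = {}  # (src, dst) -> packets fragmented so far

    def next_id(self, src, dst):
        n = self.counters.get((src, dst), 0)
        self.counters[(src, dst)] = n + 1
        return (_f(src, dst, bits=32) + n) & 0xFFFFFFFF


def demo(n=2000):
    """Return (flow-label collisions, fragment-ID collisions) for n samples."""
    src, dst = "2001:db8::1", "2001:db8::2"  # constructed sample addresses
    labels = [stateless_flow_label(src, dst, 6, 1024 + i, 443) for i in range(n)]
    gen = FragmentIdGenerator()
    frag_ids = [gen.next_id(src, dst) for _ in range(n)]
    # Birthday estimate for the labels: n*(n-1) / (2 * 2**20), about 2 for n=2000.
    return n - len(set(labels)), n - len(set(frag_ids))


if __name__ == "__main__":
    label_collisions, frag_collisions = demo()
    print("flow-label collisions:", label_collisions)
    print("fragment-ID collisions:", frag_collisions)
```
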
