On 6/12/18 19:16, Brian E Carpenter wrote:
> On 2018-12-07 11:02, Nick Hilliard wrote:
>> Brian E Carpenter wrote on 06/12/2018 20:35:
>>> But there's a preliminary question: how widely is the flow label set
>>> by sending hosts? The answer is: widely, by modern o/s releases. But not
>>> much, by legacy o/s releases.
>>
>> more to the point, if you were going to implement a forwarding device, 
>> do you depend solely on the flow label?
>>
>> This gives end-user device control over the hashing path on a purely 
>> discretionary basis.  I.e. an end user can change the flow label and 
>> consequently make their own decisions about which network path to use, 
>> without affecting any other transmission characteristic of the network 
>> flow, e.g. port numbers, IP addresses, etc.
> 
> Well, ECMP would be based on the {dest, srce, flow_label} 3-tuple so
> it's only the layer 4+ info that's missing. That will be missing anyway
> when encryption takes over. 

If crypto == TLS, that need not.


> And any source that plays silly games
> with the flow label will damage its own users more than it damages
> the network.
> 
>> Operationally, flow labels can cause grief.  APNIC had a blog posting on 
>> this a while back
>>
>> https://blog.apnic.net/2018/01/11/ipv6-flow-label-misuse-hashing/
> 
> By Joel J, who generally knows what he's talking about.
> 
> "By in large, this flow label changing behaviour has been traced to IPv6 
> supporting CPE/firewalls, which change the flow label between the initial syn 
> and the ack."

FWIW, FreeBSD had this behaviour -- without middleboxes involved ...
haven't checked recently to see if that's still the case

Thanks,
-- 
Fernando Gont
SI6 Networks
e-mail: [email protected]
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
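Added example (not part of the thread or any of the projects mentioned): a 3-tuple {dst, src, flow_label} ECMP path selector as Brian describes it, plus a check over constructed packet samples that reports flows whose flow label changed mid-connection, the symptom the APNIC post attributes to CPE/firewalls. The hash, the path count and the sample addresses/labels are assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed sample: packets of one TCP connection as seen by a router,
# written as (src, dst, sport, dport, flow_label). The ACK and data packets
# carry a different label than the SYN, as a hypothetical CPE rewrite would cause.
SAMPLE_PACKETS = [
    ("2001:db8:1::10", "2001:db8:2::80", 51000, 443, 0x5a3c1),  # SYN
    ("2001:db8:2::80", "2001:db8:1::10", 443, 51000, 0x0a9f2),  # SYN-ACK (reverse direction)
    ("2001:db8:1::10", "2001:db8:2::80", 51000, 443, 0x00000),  # ACK, label rewritten to 0
    ("2001:db8:1::10", "2001:db8:2::80", 51000, 443, 0x00000),  # data
]


def ecmp_next_hop(src, dst, flow_label, n_paths=4):
    """Choose an ECMP path from the {dst, src, flow_label} 3-tuple only.

    No layer-4 fields are hashed, so a changed flow label is the only thing
    that can move a packet of this flow onto another path. SHA-256 is an
    assumption standing in for a router's hardware hash."""
    key = f"{dst}|{src}|{flow_label & 0xFFFFF:05x}".encode()
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:4], "big") % n_paths


def flow_label_changes(packets):
    """Return {directional 5-tuple: [distinct labels in order seen]} for flows
    whose flow label was not constant. Any such flow may have been spread
    across several ECMP paths, which is what causes reordering."""
    labels = defaultdict(list)
    for src, dst, sport, dport, label in packets:
        seen = labels[(src, dst, sport, dport)]
        if label not in seen:
            seen.append(label)
    return {flow: seq for flow, seq in labels.items() if len(seq) > 1}


def paths_per_flow(packets, n_paths=4):
    """Set of ECMP paths each directional flow was hashed to (a set of size >1 means a split)."""
    paths = defaultdict(set)
    for src, dst, sport, dport, label in packets:
        paths[(src, dst, sport, dport)].add(ecmp_next_hop(src, dst, label, n_paths))
    return dict(paths)


if __name__ == "__main__":
    for flow, seq in flow_label_changes(SAMPLE_PACKETS).items():
        print(flow, "labels:", [f"{l:05x}" for l in seq], "paths:", paths_per_flow(SAMPLE_PACKETS)[flow])
```

Note that a rewritten label only sometimes lands on a different path (the hash can collide), so the label check, not the path set, is the reliable detector.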

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec