Re: I-D Action: draft-baker-ipv6-ospf-dst-flowlabel-routing-03.txt
Brian E Carpenter <brian.e.carpenter@gmail.com> Tue, 03 September 2013 00:16 UTC
Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 791F021F9CCC for <ipv6@ietfa.amsl.com>; Mon, 2 Sep 2013 17:16:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KsHfEISpGNGt for <ipv6@ietfa.amsl.com>; Mon, 2 Sep 2013 17:16:53 -0700 (PDT)
Received: from mail-pa0-x234.google.com (mail-pa0-x234.google.com [IPv6:2607:f8b0:400e:c03::234]) by ietfa.amsl.com (Postfix) with ESMTP id 8C4F321F9D66 for <ipv6@ietf.org>; Mon, 2 Sep 2013 17:16:52 -0700 (PDT)
Received: by mail-pa0-f52.google.com with SMTP id kq13so5695311pab.11 for <ipv6@ietf.org>; Mon, 02 Sep 2013 17:16:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=NTa1ZvdoIMTzHwm2mbX0rn6Op0cLFbkcZvkMMAZC7wo=; b=uFXkKdLmBOPPr5+mMRDRR6PJKLP5GpR4wDKr4s0x5CYXgffOdVTZkMkMtIUglJBI+x jy/rTmzqPu87UkSuwnQBbi04hZzDtOw/SfUSnQb55gzhzm1+KKYSOZwlP6WjnDB3OK8h AhWSi9M5Wooscqie9CBULTbuLzpdydYvVD+UlzSKtT8LmNXl3HXEsothIdfOcGU5ZUcb ffyZVwwWkBGi5N2rCjD67XIbmIeer4dBH6AFog6mQdKPcd89ET0qYf2OXelNklFRjV4y CQtjy/v/TRFBUO1FCjyWp1urvjUCIqJFQzM6FP6EjsNF2tlvQP8PXx0JjKtlP2TWTCNB eupA==
X-Received: by 10.66.228.234 with SMTP id sl10mr5722679pac.149.1378167408473; Mon, 02 Sep 2013 17:16:48 -0700 (PDT)
Received: from [172.24.31.170] (wireless-nat-1.auckland.ac.nz. [130.216.30.112]) by mx.google.com with ESMTPSA id om2sm18490514pbc.30.1969.12.31.16.00.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 02 Sep 2013 17:16:47 -0700 (PDT)
Message-ID: <52252A6D.8090608@gmail.com>
Date: Tue, 03 Sep 2013 12:16:45 +1200
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: 6man <ipv6@ietf.org>
Subject: Re: I-D Action: draft-baker-ipv6-ospf-dst-flowlabel-routing-03.txt
References: <20130828154148.2174.50810.idtracker@ietfa.amsl.com>
In-Reply-To: <20130828154148.2174.50810.idtracker@ietfa.amsl.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: Fred Baker <fred@cisco.com>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Sep 2013 00:16:53 -0000
Hi, The IPv6 flow label is defined by RFC 6437. This isn't just an editorial correction - the rules about how to set the flow label are in 6437, not in 2460. I believe that this draft (and draft-baker-ipv6-isis-dst-flowlabel-routing) needs some extra text explaining how it's compatible with the flow label specification. I don't think there's any problem, it just needs a little explanation. We're talking about a 20-bit authorization token, which I assume would be an unpredictable value, such that there is only a one-per-million chance of an off-path attacker guessing it. So a pesudo-random value is needed, and from the RFC 6437 point of view that is just fine. That means we can say something like the following: According to [RFC6437], a flow is "a sequence of packets sent from a particular source to a particular unicast, anycast, or multicast destination that a node desires to label as a flow." It is not necessarily in 1:1 correspondence with a single transport connection. Using a given label (in this case an authorization token) for all traffic to a given destination is compatible with this definition. In fact [RFC6437] allows for, but does not define, uses of the flow label that rely on pre-established flow-specific state, and route authorization is an example of such stateful usage. Assuming the authorization token will have a pseudo-random value, it will also serve well for the load balancing scenarios described in [RFC6437]. Also one warning: there are rumours of firewalls that will change or clear flow labels. This would break the authorization token. Regards Brian
- Re: I-D Action: draft-baker-ipv6-ospf-dst-flowlab… Brian E Carpenter
- Re: I-D Action: draft-baker-ipv6-ospf-dst-flowlab… Fred Baker (fred)
- Re: I-D Action: draft-baker-ipv6-ospf-dst-flowlab… Brian E Carpenter
- RE: I-D Action: draft-baker-ipv6-ospf-dst-flowlab… Duncan, Richard (Jeremy)