RE: I-D Action: draft-baker-ipv6-ospf-dst-flowlabel-routing-03.txt
"Duncan, Richard (Jeremy)" <jeremy.duncan@salientfed.com> Tue, 03 September 2013 00:45 UTC
Return-Path: <jeremy.duncan@salientfed.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D568621F9E54 for <ipv6@ietfa.amsl.com>; Mon, 2 Sep 2013 17:45:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.598
X-Spam-Level:
X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gI13T0RAZT3I for <ipv6@ietfa.amsl.com>; Mon, 2 Sep 2013 17:45:19 -0700 (PDT)
Received: from co1outboundpool.messaging.microsoft.com (co1ehsobe002.messaging.microsoft.com [216.32.180.185]) by ietfa.amsl.com (Postfix) with ESMTP id EF04721F9E4F for <ipv6@ietf.org>; Mon, 2 Sep 2013 17:45:18 -0700 (PDT)
Received: from mail138-co1-R.bigfish.com (10.243.78.227) by CO1EHSOBE029.bigfish.com (10.243.66.94) with Microsoft SMTP Server id 14.1.225.22; Tue, 3 Sep 2013 00:45:15 +0000
Received: from mail138-co1 (localhost [127.0.0.1]) by mail138-co1-R.bigfish.com (Postfix) with ESMTP id F3FF4780194; Tue, 3 Sep 2013 00:45:14 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:157.56.236.101; KIP:(null); UIP:(null); IPV:NLI; H:BY2PRD0510HT002.namprd05.prod.outlook.com; RD:none; EFVD:NLI
X-SpamScore: -19
X-BigFish: PS-19(zzbb2dIc85fhzz1f42h208ch1ee6h1de0h1fdah2073h1202h1e76h1d1ah1d2ah1fc6hzz1de098h1033IL18c673h1de097h186068h8275bh8275dhz2fh2a8h839hd24hf0ah10d2h1288h12a5h12bdh137ah1441h1537h153bh162dh1631h1758h18deh18e1h1946h19b5h1ad9h1b0ah1bceh1d0ch1d2eh1d3fh1dfeh1dffh1e1dh1fe8h1ff5h17ej1155h)
Received-SPF: pass (mail138-co1: domain of salientfed.com designates 157.56.236.101 as permitted sender) client-ip=157.56.236.101; envelope-from=jeremy.duncan@salientfed.com; helo=BY2PRD0510HT002.namprd05.prod.outlook.com ; .outlook.com ;
Received: from mail138-co1 (localhost.localdomain [127.0.0.1]) by mail138-co1 (MessageSwitch) id 1378169113444171_25118; Tue, 3 Sep 2013 00:45:13 +0000 (UTC)
Received: from CO1EHSMHS021.bigfish.com (unknown [10.243.78.248]) by mail138-co1.bigfish.com (Postfix) with ESMTP id 68D94680059; Tue, 3 Sep 2013 00:45:13 +0000 (UTC)
Received: from BY2PRD0510HT002.namprd05.prod.outlook.com (157.56.236.101) by CO1EHSMHS021.bigfish.com (10.243.66.31) with Microsoft SMTP Server (TLS) id 14.16.227.3; Tue, 3 Sep 2013 00:45:13 +0000
Received: from BY2PRD0510MB366.namprd05.prod.outlook.com ([169.254.5.86]) by BY2PRD0510HT002.namprd05.prod.outlook.com ([10.255.84.37]) with mapi id 14.16.0353.003; Tue, 3 Sep 2013 00:45:12 +0000
From: "Duncan, Richard (Jeremy)" <jeremy.duncan@salientfed.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>, 6man <ipv6@ietf.org>
Subject: RE: I-D Action: draft-baker-ipv6-ospf-dst-flowlabel-routing-03.txt
Thread-Topic: I-D Action: draft-baker-ipv6-ospf-dst-flowlabel-routing-03.txt
Thread-Index: AQHOqDrvCryv8+rFT0a1EuERjw/LTZmzLTwo
Date: Tue, 03 Sep 2013 00:45:12 +0000
Message-ID: <law7ih8bi9c49krt9g1abvda.1378169107538@email.android.com>
References: <20130828154148.2174.50810.idtracker@ietfa.amsl.com>, <52252A6D.8090608@gmail.com>
In-Reply-To: <52252A6D.8090608@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [::]
Content-Type: multipart/alternative; boundary="_000_law7ih8bi9c49krt9g1abvda1378169107538emailandroidcom_"
MIME-Version: 1.0
X-OriginatorOrg: salientfed.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-Mailman-Approved-At: Sun, 08 Sep 2013 12:43:38 -0700
Cc: Fred Baker <fred@cisco.com>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: "Duncan, Richard (Jeremy)" <jeremy.duncan@salientfed.com>
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Sep 2013 00:45:29 -0000
I have first hand knowledge that a McAfee Sidewinder firewall sets/rewrites the flow label. Sent from my Verizon Wireless 4G LTE smartphone -------- Original message -------- From: Brian E Carpenter <brian.e.carpenter@gmail.com> Date: 09/02/2013 20:17 (GMT-05:00) To: 6man <ipv6@ietf.org> Cc: Fred Baker <fred@cisco.com> Subject: Re: I-D Action: draft-baker-ipv6-ospf-dst-flowlabel-routing-03.txt Hi, The IPv6 flow label is defined by RFC 6437. This isn't just an editorial correction - the rules about how to set the flow label are in 6437, not in 2460. I believe that this draft (and draft-baker-ipv6-isis-dst-flowlabel-routing) needs some extra text explaining how it's compatible with the flow label specification. I don't think there's any problem, it just needs a little explanation. We're talking about a 20-bit authorization token, which I assume would be an unpredictable value, such that there is only a one-per-million chance of an off-path attacker guessing it. So a pesudo-random value is needed, and from the RFC 6437 point of view that is just fine. That means we can say something like the following: According to [RFC6437], a flow is "a sequence of packets sent from a particular source to a particular unicast, anycast, or multicast destination that a node desires to label as a flow." It is not necessarily in 1:1 correspondence with a single transport connection. Using a given label (in this case an authorization token) for all traffic to a given destination is compatible with this definition. In fact [RFC6437] allows for, but does not define, uses of the flow label that rely on pre-established flow-specific state, and route authorization is an example of such stateful usage. Assuming the authorization token will have a pseudo-random value, it will also serve well for the load balancing scenarios described in [RFC6437]. Also one warning: there are rumours of firewalls that will change or clear flow labels. This would break the authorization token. Regards Brian -------------------------------------------------------------------- IETF IPv6 working group mailing list ipv6@ietf.org Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 --------------------------------------------------------------------
- Re: I-D Action: draft-baker-ipv6-ospf-dst-flowlab… Brian E Carpenter
- Re: I-D Action: draft-baker-ipv6-ospf-dst-flowlab… Fred Baker (fred)
- Re: I-D Action: draft-baker-ipv6-ospf-dst-flowlab… Brian E Carpenter
- RE: I-D Action: draft-baker-ipv6-ospf-dst-flowlab… Duncan, Richard (Jeremy)