Re: [v6ops] Comments on draft-wang-v6ops-flow-label-refelction-01
"Aijun Wang" <wangaijun@tsinghua.org.cn> Wed, 23 July 2014 05:41 UTC
Return-Path: <wangaijun@tsinghua.org.cn>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 480731B27A6 for <v6ops@ietfa.amsl.com>; Tue, 22 Jul 2014 22:41:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id glJ10iJchfe0 for <v6ops@ietfa.amsl.com>; Tue, 22 Jul 2014 22:41:03 -0700 (PDT)
Received: from tsinghua.org.cn (mail.tsinghua.org.cn [211.151.65.103]) by ietfa.amsl.com (Postfix) with ESMTP id 528891A02FA for <v6ops@ietf.org>; Tue, 22 Jul 2014 22:41:02 -0700 (PDT)
Received: from ctbriwangaij (unknown [219.142.69.77]) by app1 (Coremail) with SMTP id Z0GX06CruQXnP89TQlUZBA==.60278S4; Wed, 23 Jul 2014 12:54:03 +0800 (CST)
From: Aijun Wang <wangaijun@tsinghua.org.cn>
To: 'Brian E Carpenter' <brian.e.carpenter@gmail.com>, 'IPv6 Operations' <v6ops@ietf.org>
References: <53CEB7DC.6020805@gmail.com> <OF035CFAB7.1C7D5DB5-ON48257D1E.001298EC-48257D1E.00196DD2@ctbri.com.cn>
In-Reply-To:
Date: Wed, 23 Jul 2014 13:40:55 +0800
Message-ID: <007501cfa638$ac3b2390$04b16ab0$@org.cn>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: Ac+l4RoIm9jMPtoKSwO7Vyza1Q7R6gAPbEdwAAZEzHAAADACYA==
Content-Language: zh-cn
X-CM-TRANSID: Z0GX06CruQXnP89TQlUZBA==.60278S4
X-Coremail-Antispam: 1U3129KBjvJXoWxCF43Xw45Kr13uFyxJr15XFb_yoWrtr4DpF WagryxKr98Jr17G3s7Aw1DWr409rWrGr43AF9xta4UAas8urn29r13tw45AryDWr95J3s0 qrWYgrWDXan3ZFJanT9S1TB71UUUUU7v73VFW2AGmfu7bjvjm3AaLaJ3UjIYCTnIWjllb7 Iv0xC_Jr1l5I8CrVACY4xI64kE6c02F40Ex7xfM7kC6x804xWl14x267AKxVW8JVW5JwAF xVCF77xC6IxKo4kEV4yl1I0EscIYIxCEI4klw4CSwwAv7VCjz48v1sIEY20_GF1lx4CE17 CEb7AF67AKxVWUXVWUAwCI42IY6xIIjxv20xvE14v26r1j6r1xMIIF0xvE2Ix0cI8IcVCY 1x0267AKxVWUJVW8JwCI42IY6I8E87Iv67AKxVWUJVW8JwCI42IY6I8E87Iv6xkF7I0E14 v26r1j6r4U0xZFpf9x0JUCD73UUUUU=
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/X-_fZzeQ4plyVao_RtZM4U7Dryk
Subject: Re: [v6ops] Comments on draft-wang-v6ops-flow-label-refelction-01
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Jul 2014 05:41:04 -0000
Hi, Brain: Thanks for your comments. Below is my opinion to your concern points. 1. If some session support reflection, and others not, then the unsupported session will be less likely recognized and controlled, there is no other side-effect. Packets in bi-direction will be load balanced according to the RFC6438, regardless whether the IPv6 flow label is reflected or not. 2.The reason that the IPv6 flow label is not supported in the real world is that we have not find some killer-application that can exploit this field. The mechanism of IPv6 flow label reflection can increase the opportunities of such killer-application be hatched, not the contrary. 3. For mechanism of IPv6 flow label reflection, we strongly recommend this value be manipulated only at the IPv6 packet endpoints, not the in-path device. What is the motion for firewalls to rewrite this value? 4.The session for flow label can be UDP request/reply or TCP request/reply. If one same client have multiple Http connections, there will be multiple distinctive IPv6 Flow label. That is to say, this value is unique in the local host for every TCP/UDP session. 5.For In-path device, it needs actually 3-tuple {Flow Label, Source Addr, Destination Addr} to identify the unique session. If the flow label be reflected, then the same 3-tuple can used to identify bi-direction traffic of this session, or else it needs two different 3-tuple, or to parse the extend IPv6 header. 6. Considering on-path attack, I think we can view this value as one magic number, which is widely used in various application protocol. This magic number/IPv6 flow label will be used only to coordinate the bi-direction traffic of one session. If it is changed by some on-path attacker, it only influence the recognition accuracy and control of the session. For differentiated service based on this value, we need other mechanism to protect or authenticate it. It is same risk for differentiated services that based on DSCP value. 7. The IPv6 flow label field is unique in IPv6 packet, we should propose to exploit its potential value actively. From the viewpoint of application developer, there is no more differences between IPv6 packet and IPv4 packet except this field and the length of IP address. The little change of host operation system will be more influence to the IPv6 application and the service that based on IPv6. This change can be deployed incrementally. Best Regards. -----Original Message----- From: v6ops [mailto:v6ops-bounces@ietf.org] On Behalf Of Brian E Carpenter Sent: Wednesday, July 23, 2014 3:14 AM To: IPv6 Operations Subject: [v6ops] Comments on draft-wang-v6ops-flow-label-refelction-01 There wasn't time for me to line up at the microphone, so here are my comments. I think the idea is quite interesting, but a little optimistic. What are the effects of some sessions supporting reflection and others not? We know very well that even the basic RFC 6437 flow label is not supported yet in the real world, so widespread use of reflection is years in the future. There's no discussion of flow label rewriting by firewalls, which we know from the 6man discussions before RFC 6437 is a real issue. If the scope is strictly limited to a single administrative domain, that's OK, but the general end-to-end case probably fails. Actually, the draft doesn't clarify exactly what is a session for flow label purposes. As noted in the meeting, is a "stateless" session (UDP request/reply) a session for this purpose? What about multiple HTTP connections from the same client? The uniqueness rule for flow labels is that a flow is identified by the 3-tuple {Flow Label, Source Addr, Destination Addr}. The flow label value itself might not be unique in the intermediate nodes, so any state must be keyed by the 3-tuple, with the two addresses either way round. The mechanism seems very exposed to on-path attacks, since an attacker could forge a reverse packet with the correct label, even before the first TCP ACK. So nobody should rely on the flow label alone for anything important. (I don't think there is any new risk for off-path attacks.) Finally I think the document would have more chance of success if it was made Informational, without that SHOULD. Just describe this as a use case for the flow label - it is completely consistent with RFC 6437. If the original label is pseudo-random, it will do fine as a reflected label from the other node. Regards Brian _______________________________________________ v6ops mailing list v6ops@ietf.org https://www.ietf.org/mailman/listinfo/v6ops
- [v6ops] Comments on draft-wang-v6ops-flow-label-r… Brian E Carpenter
- Re: [v6ops] Comments on draft-wang-v6ops-flow-lab… Aijun Wang
- Re: [v6ops] Comments on draft-wang-v6ops-flow-lab… Aijun Wang
- Re: [v6ops] Comments on draft-wang-v6ops-flow-lab… Brian E Carpenter