Re: [v6ops] Comments on draft-wang-v6ops-flow-label-refelction-01
"Aijun Wang" <wangaijun@tsinghua.org.cn> Wed, 23 July 2014 05:41 UTC
Return-Path: <wangaijun@tsinghua.org.cn>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 480731B27A6 for <v6ops@ietfa.amsl.com>; Tue, 22 Jul 2014 22:41:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id glJ10iJchfe0 for <v6ops@ietfa.amsl.com>; Tue, 22 Jul 2014 22:41:03 -0700 (PDT)
Received: from tsinghua.org.cn (mail.tsinghua.org.cn [211.151.65.103]) by ietfa.amsl.com (Postfix) with ESMTP id 528891A02FA for <v6ops@ietf.org>; Tue, 22 Jul 2014 22:41:02 -0700 (PDT)
Received: from ctbriwangaij (unknown [219.142.69.77]) by app1 (Coremail) with SMTP id Z0GX06CruQXnP89TQlUZBA==.60278S4; Wed, 23 Jul 2014 12:54:03 +0800 (CST)
From: Aijun Wang <wangaijun@tsinghua.org.cn>
To: 'Brian E Carpenter' <brian.e.carpenter@gmail.com>, 'IPv6 Operations' <v6ops@ietf.org>
References: <53CEB7DC.6020805@gmail.com> <OF035CFAB7.1C7D5DB5-ON48257D1E.001298EC-48257D1E.00196DD2@ctbri.com.cn>
In-Reply-To:
Date: Wed, 23 Jul 2014 13:40:55 +0800
Message-ID: <007501cfa638$ac3b2390$04b16ab0$@org.cn>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: Ac+l4RoIm9jMPtoKSwO7Vyza1Q7R6gAPbEdwAAZEzHAAADACYA==
Content-Language: zh-cn
X-CM-TRANSID: Z0GX06CruQXnP89TQlUZBA==.60278S4
X-Coremail-Antispam: 1U3129KBjvJXoWxCF43Xw45Kr13uFyxJr15XFb_yoWrtr4DpF WagryxKr98Jr17G3s7Aw1DWr409rWrGr43AF9xta4UAas8urn29r13tw45AryDWr95J3s0 qrWYgrWDXan3ZFJanT9S1TB71UUUUU7v73VFW2AGmfu7bjvjm3AaLaJ3UjIYCTnIWjllb7 Iv0xC_Jr1l5I8CrVACY4xI64kE6c02F40Ex7xfM7kC6x804xWl14x267AKxVW8JVW5JwAF xVCF77xC6IxKo4kEV4yl1I0EscIYIxCEI4klw4CSwwAv7VCjz48v1sIEY20_GF1lx4CE17 CEb7AF67AKxVWUXVWUAwCI42IY6xIIjxv20xvE14v26r1j6r1xMIIF0xvE2Ix0cI8IcVCY 1x0267AKxVWUJVW8JwCI42IY6I8E87Iv67AKxVWUJVW8JwCI42IY6I8E87Iv6xkF7I0E14 v26r1j6r4U0xZFpf9x0JUCD73UUUUU=
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/X-_fZzeQ4plyVao_RtZM4U7Dryk
Subject: Re: [v6ops] Comments on draft-wang-v6ops-flow-label-refelction-01
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Jul 2014 05:41:04 -0000
Hi, Brain:
Thanks for your comments. Below is my opinion to your concern points.
1. If some session support reflection, and others not, then the unsupported
session will be less likely recognized and controlled, there is no other
side-effect. Packets in bi-direction will be load balanced according to the
RFC6438, regardless whether the IPv6 flow label is reflected or not.
2.The reason that the IPv6 flow label is not supported in the real world is
that we have not find some killer-application that can exploit this field.
The mechanism of IPv6 flow label reflection can increase the opportunities
of such killer-application be hatched, not the contrary.
3. For mechanism of IPv6 flow label reflection, we strongly recommend this
value be manipulated only at the IPv6 packet endpoints, not the in-path
device. What is the motion for firewalls to rewrite this value?
4.The session for flow label can be UDP request/reply or TCP request/reply.
If one same client have multiple Http connections, there will be multiple
distinctive IPv6 Flow label. That is to say, this value is unique in the
local host for every TCP/UDP session.
5.For In-path device, it needs actually 3-tuple {Flow Label, Source Addr,
Destination Addr} to identify the unique session. If the flow label be
reflected, then the same 3-tuple can used to identify bi-direction traffic
of this session, or else it needs two different 3-tuple, or to parse the
extend IPv6 header.
6. Considering on-path attack, I think we can view this value as one magic
number, which is widely used in various application protocol. This magic
number/IPv6 flow label will be used only to coordinate the bi-direction
traffic of one session. If it is changed by some on-path attacker, it only
influence the recognition accuracy and control of the session. For
differentiated service based on this value, we need other mechanism to
protect or authenticate it. It is same risk for differentiated services that
based on DSCP value.
7. The IPv6 flow label field is unique in IPv6 packet, we should propose to
exploit its potential value actively. From the viewpoint of application
developer, there is no more differences between IPv6 packet and IPv4 packet
except this field and the length of IP address. The little change of host
operation system will be more influence to the IPv6 application and the
service that based on IPv6. This change can be deployed incrementally.
Best Regards.
-----Original Message-----
From: v6ops [mailto:v6ops-bounces@ietf.org] On Behalf Of Brian E Carpenter
Sent: Wednesday, July 23, 2014 3:14 AM
To: IPv6 Operations
Subject: [v6ops] Comments on draft-wang-v6ops-flow-label-refelction-01
There wasn't time for me to line up at the microphone, so here are my
comments. I think the idea is quite interesting, but a little optimistic.
What are the effects of some sessions supporting reflection and others not?
We know very well that even the basic RFC 6437 flow label is not supported
yet in the real world, so widespread use of reflection is years in the
future.
There's no discussion of flow label rewriting by firewalls, which we know
from the 6man discussions before RFC 6437 is a real issue. If the scope is
strictly limited to a single administrative domain, that's OK, but the
general end-to-end case probably fails.
Actually, the draft doesn't clarify exactly what is a session for flow label
purposes. As noted in the meeting, is a "stateless"
session (UDP request/reply) a session for this purpose? What about multiple
HTTP connections from the same client?
The uniqueness rule for flow labels is that a flow is identified by the
3-tuple {Flow Label, Source Addr, Destination Addr}. The flow label value
itself might not be unique in the intermediate nodes, so any state must be
keyed by the 3-tuple, with the two addresses either way round.
The mechanism seems very exposed to on-path attacks, since an attacker could
forge a reverse packet with the correct label, even before the first TCP
ACK. So nobody should rely on the flow label alone for anything important.
(I don't think there is any new risk for off-path attacks.)
Finally I think the document would have more chance of success if it was
made Informational, without that SHOULD. Just describe this as a use case
for the flow label - it is completely consistent with RFC 6437. If the
original label is pseudo-random, it will do fine as a reflected label from
the other node.
Regards
Brian
_______________________________________________
v6ops mailing list
v6ops@ietf.org
https://www.ietf.org/mailman/listinfo/v6ops
- [v6ops] Comments on draft-wang-v6ops-flow-label-r… Brian E Carpenter
- Re: [v6ops] Comments on draft-wang-v6ops-flow-lab… Aijun Wang
- Re: [v6ops] Comments on draft-wang-v6ops-flow-lab… Aijun Wang
- Re: [v6ops] Comments on draft-wang-v6ops-flow-lab… Brian E Carpenter