Re: [v6ops] Flow label setting [WG Doc? draft-gont-v6ops-ipv6-ehs-packet-drops]

Brian E Carpenter <brian.e.carpenter@gmail.com> Tue, 15 March 2016 06:57 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8FE8612D8E7 for <v6ops@ietfa.amsl.com>; Mon, 14 Mar 2016 23:57:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lg0icrDB9PaF for <v6ops@ietfa.amsl.com>; Mon, 14 Mar 2016 23:57:56 -0700 (PDT)
Received: from mail-pf0-x22f.google.com (mail-pf0-x22f.google.com [IPv6:2607:f8b0:400e:c00::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A45612D841 for <v6ops@ietf.org>; Mon, 14 Mar 2016 23:57:56 -0700 (PDT)
Received: by mail-pf0-x22f.google.com with SMTP id u190so15959403pfb.3 for <v6ops@ietf.org>; Mon, 14 Mar 2016 23:57:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:cc:from:organization:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=iApJx6W68nO0IqVBoY+8I1qPZ5ZU32up+BAzA5YnZnk=; b=XW8WAuVAXubBN7RdanuY/Td6f34P9/aAQi1S+/0mW+WtMBuitjbGRlsb+FBMhbN7oV 0rS6oUIxkW1IgLEPC66s5AtfcOXHJndlJYjM0UKCTX4cTCV97mOm0wNkpG9L4aU85aZv tqTbLYomRWBcKnj7gpCqGgCmO6BoCjhVBLvg5/XXLTtCwBNjlJzjMZJrEMOrPjr2m6Xh gZNFqjVxvFFSLk1ng/82bksoKYM0n+8W1/zhfVwAIIO66pzgoUWNTzI8SZJ5D6oAIJ6A r6kTsOJrM149KPsQsShvJdsDclX71Ae05fCjFS5BBcHVEixHVwLe5KeI2rWChHtGgIkP 83zQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:organization :message-id:date:user-agent:mime-version:in-reply-to :content-transfer-encoding; bh=iApJx6W68nO0IqVBoY+8I1qPZ5ZU32up+BAzA5YnZnk=; b=eGW2hCUuNJCe2Oy9Jg3JT7yDofv+U6E+3n2n1nKumCLDGQt3Age9vcjmm9AdvMJ1+i Yhss+1/WqE2B5vyyBRHzrBPoZjm9H4oZqlKJ8PLleRB7FtQlnA8ZjwIwyjoR81DVuDiQ iSJ25qDtijJ1vwU3viOMZl80Q78Zo+jUX+4s0PD/aPJRAphn0mA5gUJY4e0E4f/rtl6g YX4/41zCN7gUJUGZEt1KlV4oSja1y2Y0iRihXBzBq7m5s6BnjHGf2dubfx9OpsBI7T37 GkCvejXygoFWuqX6GR8sIe8qIM7Uwt3YBGIs9k8TONeD5q9lThl9VJtZdhgnz5x4XGJ3 l1wA==
X-Gm-Message-State: AD7BkJLdiQGByytpe03Jdn0pBv3rbgweXgwrWO5lF6RNcU3HRXMJsqBzU84Pb532wjXkaQ==
X-Received: by 10.67.5.133 with SMTP id cm5mr43938017pad.133.1458025076075; Mon, 14 Mar 2016 23:57:56 -0700 (PDT)
Received: from [10.1.9.199] ([103.23.18.15]) by smtp.gmail.com with ESMTPSA id fw9sm22183772pac.21.2016.03.14.23.57.52 (version=TLSv1/SSLv3 cipher=OTHER); Mon, 14 Mar 2016 23:57:54 -0700 (PDT)
To: Warren Kumari <warren@kumari.net>, Tom Herbert <tom@herbertland.com>
References: <A277BE71-BD70-4AFE-97DA-F224D7DBBCB8@cisco.com> <BDA56C2D-788D-421C-B44A-1A29578F0F78@employees.org> <56E318C7.5020200@gmail.com> <F57DFD38-FC99-45AE-B41D-51B0565148B1@employees.org> <CALx6S37vNXk-g=W4n_Qvd2J=7xkgydvGEUwrhu8pRQig0hoqLg@mail.gmail.com> <1BB37194-0F5B-45C1-9DFA-87B1C28264D2@employees.org> <CALx6S37vfDcchTa5Tch+BS8rQAGgPP_EeYbVz19WBchSHTqExg@mail.gmail.com> <56E60B0D.6070600@gmail.com> <CALx6S36_Vi4XZfPvCNY42zpbXy9dXeXzwE8KedxYDhne371HHA@mail.gmail.com> <56E6326B.2090303@gmail.com> <CALx6S353ognNHWnjbNSdW5hb_e6Hv3LqLa_r+e9yEW4F=cjH=A@mail.gmail.com> <56E6FC18.1060304@foobar.org> <CALx6S35pcSj_LLnDWJ68KwSYiHeu6FwrXTaR4N2xE6aY7MRO1A@mail.gmail.com> <56E71F40.9030102@gmail.com> <CALx6S34XYWe=BB5xw8gwmZF7m3LP=fY=5Mf9PZuz4h8FkzsEZg@mail.gmail.com> <56E77CE4.2010303@gmail.com> <CAHw9_iJ_1M60oki5nX86WxXJANn8sSgp8fNq9FtNhrJQAZtr2w@mail.gmail.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
Message-ID: <56E7B271.2020909@gmail.com>
Date: Tue, 15 Mar 2016 19:57:53 +1300
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.6.0
MIME-Version: 1.0
In-Reply-To: <CAHw9_iJ_1M60oki5nX86WxXJANn8sSgp8fNq9FtNhrJQAZtr2w@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/dXeCEwQtuWqNyoFimeyHsuI7_CM>
Cc: "v6ops@ietf.org" <v6ops@ietf.org>
Subject: Re: [v6ops] Flow label setting [WG Doc? draft-gont-v6ops-ipv6-ehs-packet-drops]
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Mar 2016 06:57:59 -0000

Warren,

A 20-bit hash of the evil bit?

Regards
   Brian

On 15/03/2016 19:36, Warren Kumari wrote:
> On Tue, Mar 15, 2016 at 11:09 AM Brian E Carpenter <
> brian.e.carpenter@gmail.com> wrote:
> 
>> On 15/03/2016 11:32, Tom Herbert wrote:
>>
>> ...
>>> - Linux (e.g. Android will): sets the flow label for new connections
>>> (TCP or connected UDP socket) using prandom_u32 (pseudo random
>>> number). The flow label for a connection may change if the connection
>>> is failing in hopes of finding a better route
>>
>> In that case, it really doesn't matter as far as ECMP or load balancing
>> goes if the flow label changes, since the path will be changing anyway.
>> (OK, it might matter for server load balancing at the destination,
>> but that is a corner case that has to be dealt with regardless.)
>>
>>> -- either the networking
>>> stack detects a bad route (i.e. TCP is retransmitting) or userspace
>>> can request a route change if it has information about path quality.
>>> So flow labels are not necessarily persistent which probably makes
>>> flow label filtering a bad idea
>>
>> It's a bad idea, period. If you are trying to detect malicious traffic
>> you will need DPI anyway.
>>
> 
> ... but, but, what if you are trying to use this to permit *good* traffic?!
> 
> You just *know* that if you provide the ability to filter on flow labels
> that some silly monkey will invent some horrendous hack where you have to
> portknock on the SSH port with the flowlabel set to 0xBAA. Or "firewall"
> their corporate network to only allow flowlabels of 0x123 (and provide a
> client that sets the flowlabel on all packets sent to that network to
> 0x123).
> 
> Oh! Huh! Nftables provides the "ipv6 flowlabel" matching primitive.
> And I can just stuff (0xBAA & IPV6_FLOWINFO_FLOWLABEL) into flr_label...
> 
> Oh no... I'm the stupid monkey here...
> 
> :-P
> 
> W
> 
>>
>>> at least if persistence for the
>>> lifetime of a connection is required for that (see
>>> http://www.maths.tcd.ie/~dwmalone/p/ec2nd05.pdf). For cases with no
>>> connection state (unconnected UDP, forward and encapsulate), the flow
>>> label is generated by parsing the packet to determine a hash based on
>>> L3/L4 information.
>>>
>>> - Windows: I believe you mentioned that Windows 7 doesn't seem to have
>>> support for setting flow labels.
>>
>> I couldn't find anything. Presumably it can be done by apps through the
>> Winsock API, but that isn't very useful.
>>
>>> Maybe someone from Microsoft can
>>> clarify this and let us know what the prospects are for getting flow
>>> label support.
>>
>> Please.
>>    Brian
>>
>> _______________________________________________
>> v6ops mailing list
>> v6ops@ietf.org
>> https://www.ietf.org/mailman/listinfo/v6ops
>>
>
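The two points argued in the quoted exchange, that a per-connection label can change mid-flow (so a filter that keys on it drops legitimate traffic) and that the label is 20 sender-chosen bits with no authentication (so a fixed-label "firewall" admits any packet carrying the agreed value), can be shown on constructed packets. The following is an added example written for this archive page, not code from any participant in the thread or from the Linux kernel or nftables. The packets, addresses and labels are constructed test data; the keyed BLAKE2b fold used for the stateless (forward/encapsulate) case is an illustration of a 5-tuple-derived label, not the kernel's own hash.

```python
"""IPv6 flow label as a filtering key: constructed packets, no network access."""
import hashlib
import ipaddress
import struct

# Mask as named in <linux/in6.h>: the flow label is the low 20 bits of word 0.
IPV6_FLOWINFO_FLOWLABEL = 0x000FFFFF


def build_ipv6_tcp(src, dst, sport, dport, flow_label, payload=b""):
    """Construct a plain IPv6 header followed by a 20-byte TCP header (test data)."""
    word0 = (6 << 28) | (flow_label & IPV6_FLOWINFO_FLOWLABEL)  # version 6, TC 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 0xFFFF, 0, 0)
    tcp += payload
    hdr = struct.pack("!IHBB", word0, len(tcp), 6, 64)  # payload len, NH=TCP, hop limit
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + tcp


def parse(pkt):
    """Return (flow_label, src, dst, sport, dport) from a plain IPv6+TCP packet."""
    word0, _plen, nh, _hl = struct.unpack("!IHBB", pkt[:8])
    if word0 >> 28 != 6 or nh != 6:
        raise ValueError("not a plain IPv6/TCP packet")
    src = str(ipaddress.IPv6Address(pkt[8:24]))
    dst = str(ipaddress.IPv6Address(pkt[24:40]))
    sport, dport = struct.unpack("!HH", pkt[40:44])
    return word0 & IPV6_FLOWINFO_FLOWLABEL, src, dst, sport, dport


def stateless_label(pkt, key=b"constructed-per-host-secret"):
    """Label for the no-connection-state case, derived from L3/L4 fields.

    Keyed BLAKE2b folded to 20 bits is an illustration (assumption), not the
    kernel's algorithm; the property shown is: same 5-tuple -> same label,
    regardless of whatever label the sender placed in the header."""
    _, src, dst, sport, dport = parse(pkt)
    tup = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
           + struct.pack("!HH", sport, dport))
    digest = hashlib.blake2b(tup, key=key, digest_size=4).digest()
    label = struct.unpack("!I", digest)[0] & IPV6_FLOWINFO_FLOWLABEL
    return label or 1  # zero means "no label", so never emit it


class StickyLabelFilter:
    """The 'flow label filtering' policy under discussion: remember the first
    label seen for a 5-tuple and drop later packets of that connection whose
    label differs."""

    def __init__(self):
        self.seen = {}

    def accept(self, pkt):
        label, src, dst, sport, dport = parse(pkt)
        return self.seen.setdefault((src, dst, sport, dport), label) == label


def fixed_label_filter(pkt, allowed):
    """The 'firewall' from the quoted post: admit only packets carrying one label."""
    return parse(pkt)[0] == allowed


def demo():
    # One connection whose stack re-labels it after retransmissions (constructed labels).
    conn = ("2001:db8::10", "2001:db8::80", 51000, 443)
    first_label, relabelled = 0x3A7C1, 0x0B2E5
    sticky = StickyLabelFilter()
    sticky_first = sticky.accept(build_ipv6_tcp(*conn, first_label))
    sticky_after = sticky.accept(build_ipv6_tcp(*conn, relabelled))  # good traffic dropped

    # Label as credential: the field is 20 unauthenticated bits any sender controls,
    # so a packet from an unrelated host with the same value passes the same check.
    agreed = 0x123
    good = build_ipv6_tcp(*conn, agreed)
    other = build_ipv6_tcp("2001:db8:ffff::1", "2001:db8::80", 40000, 443, agreed)

    # Stateless labelling depends on the 5-tuple only, not on the header's label.
    hash_same_tuple = stateless_label(good) == stateless_label(build_ipv6_tcp(*conn, 0))

    return {
        "sticky_first": sticky_first,
        "sticky_after": sticky_after,
        "fixed_good": fixed_label_filter(good, agreed),
        "fixed_other": fixed_label_filter(other, agreed),
        "hash_same_tuple": hash_same_tuple,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The sticky filter accepts the connection's first packet and rejects the re-labelled one, which is the persistence problem raised in the thread; the fixed-label filter accepts both the intended client and the unrelated host, which is why the label carries no authorization value and any real decision about the traffic still needs inspection of the packet itself.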