Re: [v6ops] [tcpm] Flow Label Load Balancing

[Brian E Carpenter <brian.e.carpenter@gmail.com>]

On 04-Dec-20 06:30, Tom Herbert wrote:
> On Thu, Dec 3, 2020 at 8:43 AM Erik Kline <ek.ietf@gmail.com> wrote:
>>
>>>> Please include requirements for both hosts and network nodes. If there
>>>> is going to the be a requirement that hosts MUST make a 1:1 mapping to
>>>> a transport connection and the flow label MUST be consistent for the
>>>> life of connection, then I would expect there to also be a requirement
>>>> that the flow label MUST be immutable by all devices in the path-- in
>>>> particular the requirement of RFC6437 would need to be updated: "A
>>>> forwarding node MUST either leave a non-zero flow label value
>>>> unchanged or change it only for compelling operational security
>>>> reasons..."-- if hosts are not allowed to change a field they are
>>>> primarily responsible for setting, then the network should not be
>>>> allowed to modify it either.
>>>
>>> I don't recall _(of the top of my head) why we ended up making the field
>>> mutable ("SHOULD NOT  be modified" rather than "MUST NOT.."). IIRC, it
>>> had to do with allowing middle-boxes to mitigate FL-based covert
>>> channels.  If that's the case (Brian CC'ed) then, in retrospective, that
>>> seems to have been a bad idea.  -- I was part of the discussion, so I
>>> take my share of blame. :-)
>>
>> My understanding/recollection is that since there were never any
>> restrictions on modification of the flow label from the very beginning
>> it wasn't super meaningful to try to close the barn door after all
>> these years.
> 
> Erik,
> 
> There are two apropos statements in RFC6437:
> 
> "There is no way to verify whether a flow label has been modified en
> route or whether it belongs to a uniform distribution.  Therefore, no
> Internet-wide mechanism can depend mathematically on unmodified and
> uniformly distributed flow labels; they have a "best effort" quality."

Yes, a MUST NOT is futile because it cannot be enforced.

Also, the firewall folk  seemed very insistent that they would change
the flow label (or zero it) because paranoia. So specifying that if they
changed it, they should do it consistently, seemed better than a MUST NOT
which they would definitely ignore.

> "From an upper-layer viewpoint, a flow could consist of all packets in
> one direction of a specific transport connection or media stream.
> However, a flow is not necessarily 1:1 mapped to a transport
> connection."
> 
> So building a load balancer, or any other intermediate network device,
> that *depends* on the flow label to be consistent for the life of a
> transport connection and 1:1 mapped to a transport connection is
> contrary to this guidance. The ship has already sailed on this in
> deployment, and even if the protocol requirements were to be
> sufficiently tightened that would take years to reach full effect and
> that would preclude other use cases where modifying the flow label is
> useful. If a stable 1:1 mapped identifier for transport ports is
> needed in the network layer, it might make sense to create a new HBH
> option for that. Personally, if I were building a load balancer I'd
> use neither the flow label nor transport ports for entropy, I'd look
> at using the destination address since 128 bits allows plenty of bits
> of entropy, it's consistent per transport flow and always set in an
> IPv6 packet.

But that doesn't help with server load balancing. For ECMP/LAG in a
transit network, the DA alone doesn't help either, if a particular 
destination is prone to very heavy flows for some reason. And of course
the ports don't help if they're encrypted.

There's no simple answer here.

   Brian