IETF Logo Mail Archive

Re: [v6ops] Flow label setting [WG Doc? draft-gont-v6ops-ipv6-ehs-packet-drops]

Warren Kumari <warren@kumari.net> Tue, 15 March 2016 06:36 UTC

Return-Path: <warren@kumari.net>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 76E8D12D7F1 for <v6ops@ietfa.amsl.com>; Mon, 14 Mar 2016 23:36:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 544_i_HrDP6G for <v6ops@ietfa.amsl.com>; Mon, 14 Mar 2016 23:36:30 -0700 (PDT)
Received: from mail-yw0-x22d.google.com (mail-yw0-x22d.google.com [IPv6:2607:f8b0:4002:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 064B112D596 for <v6ops@ietf.org>; Mon, 14 Mar 2016 23:36:29 -0700 (PDT)
Received: by mail-yw0-x22d.google.com with SMTP id d65so9402402ywb.0 for <v6ops@ietf.org>; Mon, 14 Mar 2016 23:36:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ieg7EO1VL4/80Vd/ogSDFYRLUZBwh4tgM3VHXefUYmg=; b=B5cbTG0/7/HheLCN0XGICgPo7lRZDL+ATLfHhNIHud8czNtuLK1wnI4bQE3aCSy0xc K8fu/A6t1kN43H7C2TFFwXm6EGAiH2V2O0COvQIL7x+XbTlCp+6guoCxJpfUnMumtn/f vkQ81ONBz1CJ4X0sZuzW1jodm7UsOMqM9sFvfI5bCxdjRZhkcMPJ4fFw49owz2LNIKQ6 9KNJNzvngn/4MY6IAagW3n7yX+WqNK8XnBWDFfddZ0IDKKsTLvoiBmYwtf0Z8Svg+R/v 6YsJ/AU7huxQ3YCQd3O4hhYF7ZQehjPWrdsp5mg39uyWb/sEDbBFiUtwgwD7IQOagxzU xnuA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ieg7EO1VL4/80Vd/ogSDFYRLUZBwh4tgM3VHXefUYmg=; b=QdUTef67fmh9sI227Ds8OO8t2xAtA93gZFSCqClrj+dWBL/a4za9aNWXLTv0dnr8O3 dq0QyVJQntxs8JW78N8rU5jgF/lu1usc+De76xrDK7OO4TaVFH5OZWMFAxTneWfvI6yL L3adQyzjNGqzIovEEgelO54QgW+M2NW3IP7cW8BLH84RnJ1kGaPrNKlHWjFgWoX6TlJO VBQuQ6ltLwMIv+eLJkUJDEaxsoKs/XFkDX6olXNre+kk7BrN9/jutPONubtlnlw+6wlu 68WOe2Wy2fPIurEkswk22LyVyzpy1zBBt1ocy2zo9Ttqgp5GB6gY/GpZl0tWaX7El2IM rAbQ==
X-Gm-Message-State: AD7BkJIoMFMvTRGNcShvewGwmrMnIfwF2dorxM3UqK5GJPsvFZzi9/cMmqIrhWHHUzbKxpankjG9DAU0g70r4Q4d
X-Received: by 10.13.214.142 with SMTP id y136mr13815061ywd.105.1458023789274; Mon, 14 Mar 2016 23:36:29 -0700 (PDT)
MIME-Version: 1.0
References: <A277BE71-BD70-4AFE-97DA-F224D7DBBCB8@cisco.com> <BDA56C2D-788D-421C-B44A-1A29578F0F78@employees.org> <56E318C7.5020200@gmail.com> <F57DFD38-FC99-45AE-B41D-51B0565148B1@employees.org> <CALx6S37vNXk-g=W4n_Qvd2J=7xkgydvGEUwrhu8pRQig0hoqLg@mail.gmail.com> <1BB37194-0F5B-45C1-9DFA-87B1C28264D2@employees.org> <CALx6S37vfDcchTa5Tch+BS8rQAGgPP_EeYbVz19WBchSHTqExg@mail.gmail.com> <56E60B0D.6070600@gmail.com> <CALx6S36_Vi4XZfPvCNY42zpbXy9dXeXzwE8KedxYDhne371HHA@mail.gmail.com> <56E6326B.2090303@gmail.com> <CALx6S353ognNHWnjbNSdW5hb_e6Hv3LqLa_r+e9yEW4F=cjH=A@mail.gmail.com> <56E6FC18.1060304@foobar.org> <CALx6S35pcSj_LLnDWJ68KwSYiHeu6FwrXTaR4N2xE6aY7MRO1A@mail.gmail.com> <56E71F40.9030102@gmail.com> <CALx6S34XYWe=BB5xw8gwmZF7m3LP=fY=5Mf9PZuz4h8FkzsEZg@mail.gmail.com> <56E77CE4.2010303@gmail.com>
In-Reply-To: <56E77CE4.2010303@gmail.com>
From: Warren Kumari <warren@kumari.net>
Date: Tue, 15 Mar 2016 06:36:19 +0000
Message-ID: <CAHw9_iJ_1M60oki5nX86WxXJANn8sSgp8fNq9FtNhrJQAZtr2w@mail.gmail.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>, Tom Herbert <tom@herbertland.com>
Content-Type: multipart/alternative; boundary="94eb2c0762e608d847052e109ea9"
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/fvSJ8lyvho5mkPYHIRfOXe8546c>
Cc: "v6ops@ietf.org" <v6ops@ietf.org>
Subject: Re: [v6ops] Flow label setting [WG Doc? draft-gont-v6ops-ipv6-ehs-packet-drops]
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Mar 2016 06:36:32 -0000

On Tue, Mar 15, 2016 at 11:09 AM Brian E Carpenter <
brian.e.carpenter@gmail.com> wrote:

> On 15/03/2016 11:32, Tom Herbert wrote:
>
> ...
> > - Linux (e.g. Android will): sets the flow label for new connections
> > (TCP or connected UDP socket) using prandom_u32 (pseudo random
> > number). The flow label for a connection may change if the connection
> > is failing in hopes of finding a better route
>
> In that case, it really doesn't matter as far as ECMP or load balancing
> goes
> if the flow label changes, since the path will be changing anyway.
> (OK, it might matter for server load balancing at the destination,
> but that is a corner case that has to be dealt with regardless.)
>
> > -- either the networking
> > stack detects a bad route (i.e. TCP is retransmitting) or userspace
> > can request a route change if it has information about path quality.
> > So flow labels are not necessarily persistent which probably makes
> > flow label filtering a bad idea
>
> It's a bad idea, period. If you are trying to detect malicious traffic
> you will need DPI anyway.
>

... but, but, what if you are trying to use this to permit *good* traffic?!

You just *know* that if you provide the ability to filter on flow labels
that some silly monkey will invent some horrendous hack where you have to
portknock on the SSH port with the flowlabel set to 0xBAA. Or "firewall"
their corporate network to only allow flowlables of 0x123 (and provide a
client that sets the flowlabel on all packets sent to that network to
0x123).

Oh! Huh! Nftable provides the "ipv6 flowlabel" matching primitive.
And I can just stuff (0xBAA & IPV6_FLOWINFO_FLOWLABEL) into flr_label...

Oh no... I'm the stupid monkey here...

:-P

W

>
> > at least if persistence for the
> > lifetime of a connection is required for that (see
> > http://www.maths.tcd.ie/~dwmalone/p/ec2nd05.pdf). For cases with no
> > connection state (unconnected UDP, forward and encapsulate), the flow
> > label is generated by parsing the packet to determine a hash based on
> > L3/L4 information.
> >
> > - Windows: I believe you mentioned that Windows 7 doesn't seem to have
> > support for setting flow labels.
>
> I couldn't find anything. Presumably it can be done by apps through the
> Winsock API, but that isn't very useful.
>
> > Maybe someone from Microsoft can
> > clarify this and let us know what the prospects are for getting flow
> > label support.
>
> Please.
>    Brian
>
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
>

v2.23.0 | Report a Bug | By Email