[v6ops] Comments on draft-wang-v6ops-flow-label-refelction-01
Brian E Carpenter <brian.e.carpenter@gmail.com> Tue, 22 July 2014 19:13 UTC
Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 172621A0AEC for <v6ops@ietfa.amsl.com>; Tue, 22 Jul 2014 12:13:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 45c4Z4Y53QDS for <v6ops@ietfa.amsl.com>; Tue, 22 Jul 2014 12:13:37 -0700 (PDT)
Received: from mail-we0-x22d.google.com (mail-we0-x22d.google.com [IPv6:2a00:1450:400c:c03::22d]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CD0ED1A00DB for <v6ops@ietf.org>; Tue, 22 Jul 2014 12:13:36 -0700 (PDT)
Received: by mail-we0-f173.google.com with SMTP id q58so97140wes.32 for <v6ops@ietf.org>; Tue, 22 Jul 2014 12:13:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:organization:user-agent:mime-version:to :subject:content-type:content-transfer-encoding; bh=oustb1pwyBYww8+8Rz3FFiEJ3c/EmQUt2t9bOlep980=; b=VvavKhoKUnMeQVjTu32PJuX6oV8MsyqCmqALvYLZxuJ5l1OaFHUOkk0D3yuWjfXOG6 B8rn23Q/n9khlPMNgu+XwzKActWR81c5JL7004vjMDBwf6ha+1D2QmqvLDAw3EO6NRxp UZBxngrP1zXXqp6uGW6hFaAmOayoqmU8BooAtVqrgA47kSuOk8H04YREFIDkV94Z0FLZ AAT2T9wLciNo5THDw0lJIGRm7NeNGdTPajGzvc2pPyCs4RXzAcOr2R/1U+OKG8UsjsAG 4hFxX4FXdxZVaDFPD1mhdDDVtI3OgpwIn0McmtpJJ+fF2p9PAeQwmtSidcTcVKPZ4mCq xcEA==
X-Received: by 10.180.78.100 with SMTP id a4mr17733013wix.36.1406056415365; Tue, 22 Jul 2014 12:13:35 -0700 (PDT)
Received: from [31.133.162.184] (dhcp-a2b8.meeting.ietf.org. [31.133.162.184]) by mx.google.com with ESMTPSA id lk7sm3017066wjb.24.2014.07.22.12.13.28 for <v6ops@ietf.org> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 22 Jul 2014 12:13:29 -0700 (PDT)
Message-ID: <53CEB7DC.6020805@gmail.com>
Date: Wed, 23 Jul 2014 07:13:32 +1200
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: IPv6 Operations <v6ops@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/rX3pAt413WDdido_yVy2gtQax2g
Subject: [v6ops] Comments on draft-wang-v6ops-flow-label-refelction-01
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Jul 2014 19:13:39 -0000
There wasn't time for me to line up at the microphone, so
here are my comments. I think the idea is quite interesting,
but a little optimistic.
What are the effects of some sessions supporting reflection
and others not? We know very well that even the basic RFC 6437
flow label is not supported yet in the real world, so widespread
use of reflection is years in the future.
There's no discussion of flow label rewriting by firewalls,
which we know from the 6man discussions before RFC 6437 is
a real issue. If the scope is strictly limited to a single
administrative domain, that's OK, but the general end-to-end
case probably fails.
Actually, the draft doesn't clarify exactly what is a session
for flow label purposes. As noted in the meeting, is a "stateless"
session (UDP request/reply) a session for this purpose? What
about multiple HTTP connections from the same client?
The uniqueness rule for flow labels is that a flow is identified
by the 3-tuple {Flow Label, Source Addr, Destination Addr}. The
flow label value itself might not be unique in the intermediate
nodes, so any state must be keyed by the 3-tuple, with the two
addresses either way round.
The mechanism seems very exposed to on-path attacks, since an
attacker could forge a reverse packet with the correct label,
even before the first TCP ACK. So nobody should rely on the flow
label alone for anything important. (I don't think there is any
new risk for off-path attacks.)
Finally I think the document would have more chance of success
if it was made Informational, without that SHOULD. Just describe
this as a use case for the flow label - it is completely consistent
with RFC 6437. If the original label is pseudo-random, it will
do fine as a reflected label from the other node.
Regards
Brian
- [v6ops] Comments on draft-wang-v6ops-flow-label-r… Brian E Carpenter
- Re: [v6ops] Comments on draft-wang-v6ops-flow-lab… Aijun Wang
- Re: [v6ops] Comments on draft-wang-v6ops-flow-lab… Aijun Wang
- Re: [v6ops] Comments on draft-wang-v6ops-flow-lab… Brian E Carpenter