[Docs] [txt|pdf] [Tracker] [WG] [Email] [Diff1] [Diff2] [Nits]
Versions: (draft-rajahalme-ipv6-flow-label)
00 01 02 03 04 05 06 07 08 09 RFC 3697
IPv6 Working Group J. Rajahalme
INTERNET-DRAFT Nokia
<draft-ietf-ipv6-flow-label-05.txt> A. Conta
Transwitch
B. Carpenter
IBM
S. Deering
Cisco
Expires: August 2003 February 2003
IPv6 Flow Label Specification
draft-ietf-ipv6-flow-label-05.txt
Status of this memo
This document is an Internet-Draft and is subject to all provisions
of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/1id-abstracts.html
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html
Abstract
This document specifies the IPv6 Flow Label field, the requirements
for IPv6 source nodes labeling flows, the requirements for IPv6 nodes
forwarding labeled packets, and the requirements for flow state
establishment methods.
The usage of the Flow Label field enables efficient IPv6 flow
classification based only on IPv6 main header fields in fixed
positions.
1. Introduction
A flow is a sequence of packets sent from a particular source to a
particular unicast, anycast or multicast destination that the source
desires to label as a flow. A flow could consist of all packets in a
specific transport connection or a media stream. However, a flow is
not necessarily 1:1 mapped to a transport connection.
Rajahalme, et al. Expires: August 2003 [Page 1]
INTERNET-DRAFT draft-ietf-ipv6-flow-label-05.txt February 2003
Traditionally, flow classifiers have been based on the 5-tuple of the
source and destination addresses, ports and the transport protocol
type. However, some of these fields may be unavailable due to either
fragmentation or encryption, or locating them past a chain of IPv6
option headers may be inefficient. Additionally, if classifiers
depend only on IP layer headers, later introduction of alternative
transport layer protocols will be easier.
The 3-tuple of the Flow Label and the Source and Destination Address
fields enables efficient IPv6 flow classification, where only IPv6
main header fields in fixed positions are used.
The minimum level of IPv6 flow support consists of labeling the
flows. IPv6 source nodes can label known flows (e.g. TCP connections,
application streams), even if the node itself would not require any
flow-specific treatment. Doing this enables load spreading and
receiver oriented resource reservations, for example. Node
requirements for flow labeling are given in section 3.
Specific flow state establishment methods and the related service
models are out of scope for this specification, but the generic
requirements enabling co-existence of different methods in IPv6 nodes
are set forth in section 4.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [KEYWORDS].
2. IPv6 Flow Label Specification
The 20-bit Flow Label field in the IPv6 header [IPv6] is used by a
source to label packets of a flow. A Flow Label of zero is used to
indicate packets not part of any flow. Packet classifiers use the
triplet of Flow Label, Source Address, and Destination Address fields
to identify which flow a particular packet belongs to. Packets are
processed in a flow-specific manner by the nodes that have been set
up with flow-specific state. The nature of the specific treatment and
the methods for the flow state establishment are out of scope for
this specification.
The Flow Label value set by the source MUST be delivered unchanged to
the destination node(s).
IPv6 nodes MUST NOT assume any mathematical or other properties of
the Flow Label values assigned by source nodes. Router performance
SHOULD NOT be dependent on the distribution of the Flow Label values.
Especially, the Flow Label bits alone make poor material for a hash
key.
Nodes keeping dynamic flow state MUST NOT assume packets arriving 120
seconds or more after the previous packet of a flow still belong to
the same flow, unless a flow state establishment method in use
Rajahalme, et al. Expires: August 2003 [Page 2]
INTERNET-DRAFT draft-ietf-ipv6-flow-label-05.txt February 2003
defines a longer flow state lifetime or the flow state has been
explicitly refreshed within the lifetime duration.
If an IPv6 node is not providing flow-specific treatment, it MUST
ignore the field when receiving or forwarding a packet.
3. Flow Labeling Requirements
To enable Flow Label based classification, source nodes SHOULD assign
each unrelated transport connection and application data stream to a
new flow. The source node MAY also take part in flow state
establishment methods that result in assigning certain packets to
specific flows. A source node which does not assign traffic to flows
MUST set the Flow Label to zero.
To enable applications and transport protocols to define what packets
constitute a flow, the source node MUST provide means for the
applications and transport protocols to specify the Flow Label values
to be used with their flows. The source node SHOULD be able to select
unused Flow Label values for flows not requesting a specific value to
be used.
A source node MUST ensure that it does not reuse Flow Label values it
is currently using or has recently used when creating new flows. Flow
Label values previously used with a specific pair of source and
destination addresses MUST NOT be assigned to new flows with the same
address pair within 120 seconds of the termination of the previous
flow. The source node SHOULD provide the means for the applications
and transport protocols to specify quarantine periods longer than the
default 120 seconds for individual flows.
To avoid accidental Flow Label value reuse, the source node SHOULD
select new Flow Label values in a well-defined sequence (e.g.
sequential or pseudo-random) and use an initial value that avoids
reuse of recently used Flow Label values each time the system
restarts. The initial value SHOULD be derived from a previous value
stored in non-volatile memory, or in the absence of such history, a
randomly generated initial value using techniques that produce good
randomness properties [RND] SHOULD be used.
4. Flow State Establishment Requirements
To enable flow-specific treatment, flow state needs to be established
on all or a subset of the IPv6 nodes on the path from the source to
the destination(s). The methods for the state establishment, as well
as the models for flow-specific treatment will be defined in separate
specifications.
Rajahalme, et al. Expires: August 2003 [Page 3]
INTERNET-DRAFT draft-ietf-ipv6-flow-label-05.txt February 2003
To enable co-existence of different methods in IPv6 nodes, the
methods MUST meet the following basic requirements:
(1) The method MUST provide the means for flow state clean-up from
the IPv6 nodes providing the flow-specific treatment. Signaling
based methods where the source node is involved are free to
specify flow state lifetimes longer than the default 120
seconds.
(2) Flow state establishment methods MUST be able to recover from
the case where the requested flow state cannot be supported.
5. Security Considerations
This section considers security issues raised by the use of the Flow
Label, primarily the potential for denial-of-service attacks, and the
related potential for theft of service by unauthorized traffic
(Section 5.1). Section 5.2 addresses the use of the Flow Label in the
presence of IPsec including its interaction with IPsec tunnel mode
and other tunneling protocols. We also note that inspection of
unencrypted Flow Labels may allow some forms of traffic analysis by
revealing some structure of the underlying communications.
5.1 Theft and Denial of Service
The goal of the Flow Label is to allow different levels of service to
be provided for traffic streams on a common network infrastructure. A
variety of techniques may be used to achieve this, but the end result
will be that some packets receive different (e.g., better or worse)
service than others. The mapping of network traffic to the flow-
specific treatment is triggered by the IP addresses and Flow Label
value of the IPv6 header, and hence an adversary may be able to
obtain better service by modifying the IPv6 header or by injecting
packets with false addresses and labels. Taken to its limits, such
theft-of-service becomes a denial-of-service attack when the modified
or injected traffic depletes the resources available to forward it
and other traffic streams.
Since flows are identified by the 3-tuple of the Flow Label and the
Source and Destination Address, the risk of theft or denial of
service introduced by the Flow Label is closely related to the risk
of theft or denial of service by address spoofing. An adversary who
is in a position to forge an address is also likely to be able to
forge a label, and vice versa.
Forging a non-zero Flow Label on packets that originated with a zero
label, or modifying or clearing a label, could only occur if an
intermediate system such as a router was compromised, or through some
other form of man-in-the-middle attack. However, the risk is limited
to traffic receiving better or worse quality of service than
intended. For example, if Flow Labels are altered or cleared at
Rajahalme, et al. Expires: August 2003 [Page 4]
INTERNET-DRAFT draft-ietf-ipv6-flow-label-05.txt February 2003
random, flow classification will no longer happen as intended, and
the altered packets will receive default treatment. If a complete 3-
tuple is forged, the altered packets will be classified into the
forged flow and will receive the corresponding quality of service;
this will create a denial of service attack subtly different from one
where only the addresses are forged. Because it is limited to a
single flow definition, e.g. to a limited amount of bandwidth, such
an attack will be more specific and at a finer granularity than a
normal address-spoofing attack.
Since flows are identified by the complete 3-tuple, ingress filtering
[INGR] will mitigate part of the risk. If the source address of a
packet is validated by ingress filtering, there can be a degree of
trust that the packet has not transited a compromised router, to the
extent that ISP infrastructure may be trusted. However, this gives no
assurance that another form of man-in-the-middle attack has not
occurred.
Applications in a sending host may or may not be entitled to set a
non-zero Flow Label. Policy and authorization mechanisms for this may
be required; for example, in a multi-user host, only some users may
be entitled to set the Flow Label. Such authorization issues are
outside the scope of this specification.
5.2 IPsec and Tunneling Interactions
The IPsec protocol, as defined in [IPSec, AH, ESP], does not include
the IPv6 header's Flow Label in any of its cryptographic calculations
(in the case of tunnel mode, it is the outer IPv6 header's Flow Label
that is not included). Hence modification of the Flow Label by a
network node has no effect on IPsec end-to-end security, because it
cannot cause any IPsec integrity check to fail. As a consequence,
IPsec does not provide any defense against an adversary's
modification of the Flow Label (i.e., a man-in-the-middle attack).
IPsec tunnel mode provides security for the encapsulated IP header's
Flow Label. A tunnel mode IPsec packet contains two IP headers: an
outer header supplied by the tunnel ingress node and an encapsulated
inner header supplied by the original source of the packet. When an
IPsec tunnel is passing through nodes performing flow classification,
the intermediate network nodes operate on the Flow Label in the outer
header. At the tunnel egress node, IPsec processing includes removing
the outer header and forwarding the packet (if required) using the
inner header. The IPsec protocol requires that the inner header's
Flow Label not be changed by this decapsulation processing to ensure
that modifications to label cannot be used to launch theft- or
denial-of-service attacks across an IPsec tunnel endpoint. This
document makes no change to that requirement; indeed it forbids
changes to the Flow Label.
When IPsec tunnel egress decapsulation processing includes a
sufficiently strong cryptographic integrity check of the encapsulated
Rajahalme, et al. Expires: August 2003 [Page 5]
INTERNET-DRAFT draft-ietf-ipv6-flow-label-05.txt February 2003
packet (where sufficiency is determined by local security policy),
the tunnel egress node can safely assume that the Flow Label in the
inner header has the same value as it had at the tunnel ingress node.
This analysis and its implications apply to any tunneling protocol
that performs integrity checks. Of course, any Flow Label set in an
encapsulating IPv6 header is subject to the risks described in the
previous section.
Acknowledgements
The discussion on the topic in the IPv6 WG mailing list has been
instrumental for the definition of this specification. The authors
want to thank Steve Blake, Jim Bound, Francis Dupont, Robert Elz,
Tony Hain, Robert Hancock, Bob Hinden, Christian Huitema, Frank
Kastenholz, Thomas Narten, Charles Perkins, Hesham Soliman, Michael
Thomas, and Margaret Wasserman for their contributions.
Normative References
[IPv6] Deering, S., Hinden, R., "Internet Protocol Version 6
Specification", RFC 2460, December 1998.
[KEYWORDS] Bradner, S., "Key words for use in RFCs to indicate
requirement levels", BCP 14, RFC 2119, March 1997.
[RND] Eastlake, D., Crocker, S., Schiller, J., "Randomness
Recommendations for Security", RFC 1750, December 1994.
Informative References
[AH] Kent, S., Atkinson, R., "IP Authentication Header", RFC
2402, November 1998.
[ESP] Kent, S., Atkinson, R., "IP Encapsulating Security
Payload (ESP)", RFC 2406, November 1998.
[INGR] Ferguson, P., "Network Ingress Filtering: Defeating
Denial of Service Attacks which employ IP Source Address
Spoofing", RFC 2827, May 2000.
[IPSec] Kent, S., Atkinson, R., "Security Architecture for the
Internet Protocol", RFC 2401, November 1998.
Rajahalme, et al. Expires: August 2003 [Page 6]
INTERNET-DRAFT draft-ietf-ipv6-flow-label-05.txt February 2003
Authors' Addresses
Jarno Rajahalme
Nokia Research Center
P.O. Box 407
FIN-00045 NOKIA GROUP,
Finland
E-mail: jarno.rajahalme@nokia.com
Alex Conta
Transwitch Corporation
3 Enterprise Drive
Shelton, CT 06484
USA
Email: aconta@txc.com
Brian E. Carpenter
IBM Zurich Research Laboratory
Saeumerstrasse 4 / Postfach
8803 Rueschlikon
Switzerland
Email: brian@hursley.ibm.com
Steve Deering
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
Email: deering@cisco.com
IPR Notices
The IETF takes no position regarding the validity or scope of
any intellectual property or other rights that might be claimed
to pertain to the implementation or use of the technology
described in this document or the extent to which any license
under such rights might or might not be available; neither does
it represent that it has made any effort to identify any such
rights. Information on the IETF's procedures with respect to
rights in standards-track and standards-related documentation
can be found in BCP-11. Copies of claims of rights made
available for publication and any assurances of licenses to
be made available, or the result of an attempt made
to obtain a general license or permission for the use of such
proprietary rights by implementors or users of this
specification can be obtained from the IETF Secretariat.
The IETF invites any interested party to bring to its
attention any copyrights, patents or patent applications, or
other proprietary rights which may cover technology that may be
Rajahalme, et al. Expires: August 2003 [Page 7]
INTERNET-DRAFT draft-ietf-ipv6-flow-label-05.txt February 2003
required to practice this standard. Please address the
information to the IETF Executive Director.
Copyright Notice
Copyright (C) The Internet Society (date). All Rights
Reserved.
This document and translations of it may be copied and
furnished to others, and derivative works that comment on or
otherwise explain it or assist in its implementation may be
prepared, copied, published and distributed, in whole or in
part, without restriction of any kind, provided that the above
copyright notice and this paragraph are included on all such
copies and derivative works. However, this document itself may
not be modified in any way, such as by removing the copyright
notice or references to the Internet Society or other Internet
organizations, except as needed for the purpose of developing
Internet standards in which case the procedures for copyrights
defined in the Internet Standards process must be followed, or
as required to translate it into languages other than English.
The limited permissions granted above are perpetual and will
not be revoked by the Internet Society or its successors or
assigns.
This document and the information contained herein is provided
on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE
OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY
IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
PARTICULAR PURPOSE."
Expiration Date
This memo is filed as <draft-ietf-ipv6-flow-label-05.txt> and expires
in August 2003.
Rajahalme, et al. Expires: August 2003 [Page 8]
Html markup produced by rfcmarkup 1.129d, available from
https://tools.ietf.org/tools/rfcmarkup/