draft-ietf-6man-flow-3697bis-00.txt   draft-ietf-6man-flow-3697bis-01.txt 
6MAN S. Amante 6MAN S. Amante
Internet-Draft Level 3 Internet-Draft Level 3
Obsoletes: 3697 (if approved) B. Carpenter Obsoletes: 3697 (if approved) B. Carpenter
Updates: 2205, 2460 Univ. of Auckland Updates: 2205, 2460 (if approved) Univ. of Auckland
(if approved) S. Jiang Intended status: Standards Track S. Jiang
Intended status: Standards Track Huawei Technologies Co., Ltd Expires: August 30, 2011 Huawei Technologies Co., Ltd
Expires: August 4, 2011 J. Rajahalme J. Rajahalme
Nokia-Siemens Networks Nokia-Siemens Networks
January 31, 2011 February 26, 2011
IPv6 Flow Label Specification IPv6 Flow Label Specification
draft-ietf-6man-flow-3697bis-00 draft-ietf-6man-flow-3697bis-01
Abstract Abstract
This document specifies the IPv6 Flow Label field and the minimum This document specifies the IPv6 Flow Label field and the minimum
requirements for IPv6 nodes labeling flows, IPv6 nodes forwarding requirements for IPv6 nodes labeling flows, IPv6 nodes forwarding
labeled packets, and flow state establishment methods. Even when labeled packets, and flow state establishment methods. Even when
mentioned as examples of possible uses of the flow labeling, more mentioned as examples of possible uses of the flow labeling, more
detailed requirements for specific use cases are out of scope for detailed requirements for specific use cases are out of scope for
this document. this document.
skipping to change at page 1, line 44 skipping to change at page 1, line 44
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 1, 2011. This Internet-Draft will expire on August 30, 2011.
Copyright Notice Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 9 skipping to change at page 3, line 9
the copyright in such materials, this document may not be modified the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other it for publication as an RFC or to translate it into languages other
than English. than English.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
2. IPv6 Flow Label Specification . . . . . . . . . . . . . . . . 5 2. IPv6 Flow Label Specification . . . . . . . . . . . . . . . . 5
3. Flow Labeling Requirements . . . . . . . . . . . . . . . . . . 6 3. Stateless Flow Labeling Requirements . . . . . . . . . . . . . 7
4. Flow State Establishment Requirements . . . . . . . . . . . . 8 4. Flow State Establishment Requirements . . . . . . . . . . . . 8
5. Essential correction to RFC 2205 . . . . . . . . . . . . . . . 8 5. Essential correction to RFC 2205 . . . . . . . . . . . . . . . 9
6. Security Considerations . . . . . . . . . . . . . . . . . . . 8 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9
6.1. Theft and Denial of Service . . . . . . . . . . . . . . . 9 6.1. Theft and Denial of Service . . . . . . . . . . . . . . . 9
6.2. IPsec and Tunneling Interactions . . . . . . . . . . . . . 10 6.2. IPsec and Tunneling Interactions . . . . . . . . . . . . . 11
6.3. Security Filtering Interactions . . . . . . . . . . . . . 11 6.3. Security Filtering Interactions . . . . . . . . . . . . . 12
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 11 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 12
9. Change log . . . . . . . . . . . . . . . . . . . . . . . . . . 12 9. Change log . . . . . . . . . . . . . . . . . . . . . . . . . . 13
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 12 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13
10.1. Normative References . . . . . . . . . . . . . . . . . . . 12 10.1. Normative References . . . . . . . . . . . . . . . . . . . 13
10.2. Informative References . . . . . . . . . . . . . . . . . . 12 10.2. Informative References . . . . . . . . . . . . . . . . . . 13
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 13 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 14
1. Introduction 1. Introduction
A flow is a sequence of packets sent from a particular source to a A flow is a sequence of packets sent from a particular source to a
particular unicast, anycast, or multicast destination that a node particular unicast, anycast, or multicast destination that a node
desires to label as a flow. A flow could consist of all packets in a desires to label as a flow. A flow could consist of all packets in a
specific transport connection or a media stream. However, a flow is specific transport connection or a media stream. However, a flow is
not necessarily 1:1 mapped to a transport connection. not necessarily 1:1 mapped to a transport connection.
Traditionally, flow classifiers have been based on the 5-tuple of the Traditionally, flow classifiers have been based on the 5-tuple of the
skipping to change at page 4, line 26 skipping to change at page 4, line 26
fragmentation or encryption, or locating them past a chain of IPv6 fragmentation or encryption, or locating them past a chain of IPv6
extension headers may be inefficient. Additionally, if classifiers extension headers may be inefficient. Additionally, if classifiers
depend only on IP layer headers, later introduction of alternative depend only on IP layer headers, later introduction of alternative
transport layer protocols will be easier. transport layer protocols will be easier.
The usage of the 3-tuple of the Flow Label and the Source and The usage of the 3-tuple of the Flow Label and the Source and
Destination Address fields enables efficient IPv6 flow Destination Address fields enables efficient IPv6 flow
classification, where only IPv6 main header fields in fixed positions classification, where only IPv6 main header fields in fixed positions
are used. are used.
The flow label could be used in both stateless and stateful
scenarios. A stateless scenario is one where a node that sets the
flow label value for all packets of a given flow does not need to
store any information about the flow, and any node that processes the
flow label in any way also does not need to store any information
after a packet has been processed. A stateful scenario is one where
a node that sets or processes the flow label value needs to store
information about the flow, including the flow label value. A
stateful scenario might also require a signaling mechanism to
establish flow state in the network.
The flow label can be used most simply in stateless scenarios. This
specification concentrates on the stateless model and how it can be
used as a default mechanism. Details of stateful models, signaling,
specific flow state establishment methods and their related service
models are out of scope for this specification. Generic requirements
enabling co-existence of different models are set forth in Section 4.
The associated scaling characteristics (such as nodes involved in
state establishment, amount of state maintained by them, and state
growth function) will be specific to particular service models.
The minimum level of IPv6 flow support consists of labeling the The minimum level of IPv6 flow support consists of labeling the
flows. A specific goal is to enable and encourage the use of the flows. A specific goal is to enable and encourage the use of the
flow label for various forms of stateless load distribution, flow label for various forms of stateless load distribution,
especially across Equal Cost Multi-Path (EMCP) and/or Link especially across Equal Cost Multi-Path (EMCP) and/or Link
Aggregation Group (LAG) paths. ECMP and LAG are methods to bond Aggregation Group (LAG) paths. ECMP and LAG are methods to bond
together multiple physical links used to procure the required together multiple physical links used to procure the required
capacity necessary to carry an offered load greater than the capacity necessary to carry an offered load greater than the
bandwidth of an individual physical link. IPv6 source nodes SHOULD bandwidth of an individual physical link. IPv6 source nodes SHOULD
be able to label known flows (e.g., TCP connections, application be able to label known flows (e.g., TCP connections, application
streams), even if the node itself does not require any flow-specific streams), even if the node itself does not require any flow-specific
treatment. Node requirements for flow labeling are given in treatment. Node requirements for stateless flow labeling are given
Section 3. in Section 3.
The flow label can be used most simply in stateless models, but
stateful mechanisms are also possible. Specific flow state
establishment methods and the related service models are out of scope
for this specification, but the generic requirements enabling co-
existence of different methods in IPv6 nodes are set forth in
Section 4. The associated scaling characteristics (such as nodes
involved in state establishment, amount of state maintained by them,
and state growth function) will be specific to particular service
models.
This document replaces [RFC3697] and Appendix A of [RFC2460]. A This document replaces [RFC3697] and Appendix A of [RFC2460]. A
rationale for the changes made is documented in rationale for the changes made is documented in
[I-D.ietf-6man-flow-update]. The present document also includes a [I-D.ietf-6man-flow-update]. The present document also includes a
correction to [RFC2205] concerning the flow label. correction to [RFC2205] concerning the flow label.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
skipping to change at page 5, line 20 skipping to change at page 5, line 31
The 20-bit Flow Label field in the IPv6 header [RFC2460] is used by a The 20-bit Flow Label field in the IPv6 header [RFC2460] is used by a
node to label packets of a flow. A Flow Label of zero is used to node to label packets of a flow. A Flow Label of zero is used to
indicate packets not part of any flow. Packet classifiers can use indicate packets not part of any flow. Packet classifiers can use
the triplet of Flow Label, Source Address, and Destination Address the triplet of Flow Label, Source Address, and Destination Address
fields to identify which flow a particular packet belongs to. fields to identify which flow a particular packet belongs to.
Packets are processed in a flow-specific manner by nodes that are Packets are processed in a flow-specific manner by nodes that are
able to do so in a stateless manner, or that have been set up with able to do so in a stateless manner, or that have been set up with
flow-specific state. The nature of the specific treatment and the flow-specific state. The nature of the specific treatment and the
methods for flow state establishment are out of scope for this methods for flow state establishment are out of scope for this
specification. specification. However, any node that sets flow label values
according to a stateful scheme MUST ensure that packets conform to
Section 3 of the present specification if they are sent outside the
network domain using the stateful scheme.
As specified below in Section 3, the normal expectation is that flow
label values are uniformly distributed. In this specification, it is
recommended below that a pseudo-random method should be used to
achieve such a uniform distribution. Intentionally, there are no
precise mathematical requirements placed on the distribution or the
pseudo-random method.
Once set to a non-zero value, the Flow Label MUST be delivered Once set to a non-zero value, the Flow Label MUST be delivered
unchanged to the destination node(s). A forwarding node MUST NOT unchanged to the destination node(s). A forwarding node MUST NOT
change the flow label value in an arriving packet if it is non-zero. change the flow label value in an arriving packet if it is non-zero.
However, there are two qualifications to this rule: However, there are two qualifications to this rule:
1. Implementers are advised that forwarding nodes, especially those 1. Implementers are advised that forwarding nodes, especially those
acting as domain border devices, might nevertheless be configured acting as domain border devices, might nevertheless be configured
to change the flow label value in packets (e.g., to a new pseudo- to change the flow label value in packets. This is undetectable,
random value). This is undetectable, unless some future version unless some future version of IPsec authentication [RFC4302]
of IPsec authentication [RFC4302] protects the flow label value. protects the flow label value.
2. To enable stateless load distribution at any point in the 2. To enable stateless load distribution at any point in the
Internet, a network domain MUST NOT forward packets outside the Internet, a network domain should never export packets
domain whose flow label values are other than zero or pseudo- originating within the domain whose flow label values do not
random. Neither domain border egress routers nor intermediate conform to Section 3. However, neither domain border egress
routers/devices (using a flow-label, for example, as a part of an routers nor intermediate routers/devices (using a flow-label, for
input-key for a load-distribution hash) can determine by example, as a part of an input-key for a load-distribution hash)
inspection that a value is not pseudo-random. Therefore, if can determine by inspection that a value is not part of a uniform
nodes within a domain ignore the above recommendations to set distribution. Therefore, if nodes within a domain ignore the
zero or pseudo-random flow label values, and such packets are recommendations of Section 3, and such packets are forwarded
forwarded outside the domain, this would likely result in outside the domain, this might result in undesirable operational
undesirable operational implications (e.g., congestion, implications (e.g., congestion, reordering) for not only the
reordering) for not only the inappropriately flow-labelled inappropriately flow-labelled packets, but also well-behaved
packets, but also well-behaved flow-labelled packets, during flow-labelled packets, during forwarding at various intermediate
forwarding at various intermediate devices. Thus, a domain must devices. Thus, a domain must protect its peers by never
protect its peers by never exporting inappropriately labelled exporting inappropriately labelled packets originating within the
packets. This document does not specify the method for enforcing domain. This is why nodes using a stateful scheme must not set
this rule. The suggested way to enforce it is that nodes within the flow label to a non-zero and non-uniformly distributed value
a domain MUST NOT set the flow label to a non-zero and non- if the packet will leave their domain. If it is known to a
pseudo-random number if the packet will leave the domain. If border router that flow labels originated within the domain are
this is not known to be the case, the border router will need to not uniformly distributed, it will need to set outgoing flow
change outgoing flow labels. labels in the same manner as described for forwarding nodes in
Section 3.
There is no way to verify whether a flow label has been modified en There is no way to verify whether a flow label has been modified en
route. Therefore, no Internet-wide mechanism can depend route or whether it belongs to a uniform distribution. Therefore, no
mathematically on immutable flow labels; they have a "best effort" Internet-wide mechanism can depend mathematically on immutable and
quality. This leads to the following formal rules: uniformly distributed flow labels; they have a "best effort" quality.
This leads to the following formal rules:
IPv6 nodes MUST NOT assume that the Flow Label value in a incoming o Implementers should be aware that the flow label is an unprotected
packet is identical to the value set by the source node. field that could have been accidentally or intentionally changed
en route. Implementations MUST take appropriate steps to protect
Forwarding nodes such as routers and load balancers MUST NOT depend themselves from being vulnerable to denial of service and other
only on Flow Label values being randomly distributed. In any usage types of attack that could result (see Section 6.1).
such as a hash key for load distribution, the Flow Label bits MUST be o Forwarding nodes such as routers and load balancers MUST NOT
combined with bits from other sources within the packet, so as to depend only on Flow Label values being uniformly distributed. In
produce a constant hash value for each flow and a suitable any usage such as a hash key for load distribution, the Flow Label
distribution of hash values across flows. bits MUST be combined at least with bits from other sources within
the packet, so as to produce a constant hash value for each flow
Although a pseudo-random flow label is recommended, and will always and a suitable distribution of hash values across flows.
be helpful for load balancing, it is unsafe to assume its presence in
the general case, and the use case needs to work even if the flow
label value is zero.
Nodes keeping dynamic flow state MUST NOT assume packets arriving 120 Although uniformly distributed flow label values are recommended
seconds or more after the previous packet of a flow still belong to below, and will always be helpful for load balancing, it is unsafe to
the same flow, unless a flow state establishment method in use assume their presence in the general case, and the use case needs to
defines a longer flow state lifetime or the flow state has been work even if the flow label value is zero.
explicitly refreshed within the lifetime duration.
The use of the Flow Label field does not necessarily signal any The use of the Flow Label field does not necessarily signal any
requirement on packet reordering. Especially, the zero label does requirement on packet reordering. Especially, the zero label does
not imply that significant reordering is acceptable. not imply that significant reordering is acceptable.
An IPv6 node that does not set or make use of the flow label MUST An IPv6 node that does not set the flow label to a non-zero value, or
ignore it when receiving or forwarding a packet. make use of it in any way, MUST ignore it when receiving or
forwarding a packet.
3. Flow Labeling Requirements 3. Stateless Flow Labeling Requirements
This section defines the minimum requirements for stateless methods
of setting the flow label value.
To enable Flow Label based classification, source nodes SHOULD assign To enable Flow Label based classification, source nodes SHOULD assign
each unrelated transport connection and application data stream to a each unrelated transport connection and application data stream to a
new flow. It is RECOMMENDED that source hosts support the flow label new flow. A typical definition of a flow for this purpose is any set
by setting the flow label field for all packets of a flow to the same of packets carrying the same 5-tuple {dest addr, source addr,
pseudo-random value. Both stateful and stateless methods of protocol, dest port, source port}.
assigning a pseudo-random value could be used, but it is outside the
scope of this specification to mandate an algorithm. It is desirable that flow label values should be uniformly
distributed to assist load distribution. It is therefore RECOMMENDED
that source hosts support the flow label by setting the flow label
field for all packets of a given flow to the same uniformly
distributed pseudo-random value. Both stateful and stateless methods
of assigning a pseudo-random value could be used, but it is outside
the scope of this specification to mandate an algorithm. In a
stateless mechanism, the algorithm SHOULD ensure that the resulting
flow label values are unique with high probability.
An OPTIONAL algorithm for generating such a pseudo-random value is An OPTIONAL algorithm for generating such a pseudo-random value is
described in [I-D.gont-6man-flowlabel-security]. described in [I-D.gont-6man-flowlabel-security].
[[ QUESTION TO WG: Should we incorporate that algorithm here, or [[ NOTE TO RFC EDITOR: The preceding sentence should be deleted, and
leave it as a separate draft? ]] the reference should be changed to Informative, if the cited draft is
not on the standards track at the time of publication. ]]
A source node which does not otherwise set the flow label MUST set A source node which does not otherwise set the flow label MUST set
its value to zero. its value to zero.
A node that forwards a flow whose flow label value in arriving A node that forwards a flow whose flow label value in arriving
packets is zero MAY set the flow label value. In that case, it is packets is zero MAY set the flow label value. In that case, it is
RECOMMENDED that the forwarding node sets the flow label field for a RECOMMENDED that the forwarding node sets the flow label field for a
flow to a pseudo-random value. flow to a uniformly distributed pseudo-random value.
o The same considerations apply as to source hosts setting the flow o The same considerations apply as to source hosts setting the flow
label; in particular, the normal case is that a flow is defined by
the 5-tuple.
o This option, if implemented, would presumably be used by first-hop
or ingress routers. It might place a considerable per-packet
processing load on them, even if they adopted a stateless method
of flow identification and label assignment. This is why the
principal recommendation is that the source host should set the
label. label.
o This option, if implemented, would presumably be used by ingress
routers. It would place a considerable per-packet processing load
on them, even if they adopted a stateless method of flow
identification and label assignment. This is why the principal
recommendation is that the source host should set the label.
The preceding rules taken together allow a given network domain to The preceding rules taken together allow a given network domain to
include routers that set flow labels on behalf of hosts that do not include routers that set flow labels on behalf of hosts that do not
do so. They also recommend that flow labels exported to the Internet do so. They also recommend that flow labels exported to the Internet
are always either zero or pseudo-random. are always either zero or uniformly distributed.
The node that sets the flow label MAY also take part in flow state
establishment methods that result in assigning certain packets to
specific flows.
To enable applications and transport protocols to define what packets
constitute a flow, the source node MUST provide means for the
applications and transport protocols to specify the Flow Label values
to be used with their flows. The use of the means to specify Flow
Label values is subject to appropriate privileges (see Section 6.1).
The source node SHOULD be able to select unused Flow Label values for
flows not requesting a specific value to be used.
[[ QUESTION TO WG: Should we reduce this whole paragraph to a MAY? ]]
A source node MUST ensure that it does not unintentionally reuse Flow 4. Flow State Establishment Requirements
Label values it is currently using or has recently used when creating
new flows. Flow Label values previously used with a specific pair of
source and destination addresses MUST NOT be assigned to new flows
with the same address pair within 120 seconds of the termination of
the previous flow. The source node SHOULD provide the means for the
applications and transport protocols to specify quarantine periods
longer than the default 120 seconds for individual flows.
To avoid accidental Flow Label value reuse, the source node SHOULD This section defines the minimum requirements for stateful methods of
select new Flow Label values in a well-defined way and use an initial setting the flow label value.
value that avoids reuse of recently used Flow Label values each time
the system restarts. The initial value SHOULD be derived from a
previous value stored in non-volatile memory, or in the absence of
such history, a randomly generated initial value using techniques
that produce good randomness properties SHOULD be used
[I-D.gont-6man-flowlabel-security].
4. Flow State Establishment Requirements The node that sets the flow label MAY also take part in flow state
establishment methods that result in assigning specific treatments to
specific flows, possibly including signaling.
o In this case, unlike the stateless case, a source node MUST ensure
that it does not unintentionally reuse Flow Label values it is
currently using or has recently used when creating new flows.
Flow Label values previously used with a specific pair of source
and destination addresses MUST NOT be assigned to new flows with
the same address pair within 120 seconds of the termination of the
previous flow.
o To avoid accidental Flow Label value reuse, the source node SHOULD
select new Flow Label values in a well-defined way and use an
initial value that avoids reuse of recently used Flow Label values
each time the system restarts. The initial value SHOULD be
derived from a previous value stored in non-volatile memory, or in
the absence of such history, a randomly generated initial value
using techniques that produce good randomness properties SHOULD be
used.
To enable stateful flow-specific treatment, flow state needs to be To enable stateful flow-specific treatment, flow state needs to be
established on all or a subset of the IPv6 nodes on the path from the established on all or a subset of the IPv6 nodes on the path from the
source to the destination(s). The methods for the state source to the destination(s). The methods for the state
establishment, as well as the models for flow-specific treatment will establishment, as well as the models for flow-specific treatment will
be defined in separate specifications. be defined in separate specifications.
In stateful mechanisms, nodes keeping dynamic flow state MUST NOT
assume packets arriving 120 seconds or more after the previous packet
of a flow still belong to the same flow, unless a flow state
establishment method in use defines a longer flow state lifetime or
the flow state has been explicitly refreshed within the lifetime
duration.
To enable co-existence of different methods in IPv6 nodes, the To enable co-existence of different methods in IPv6 nodes, the
methods MUST meet the following basic requirements: methods MUST meet the following basic requirements:
1. The method MUST provide the means for flow state clean-up from o The method MUST provide the means for flow state clean-up from the
the IPv6 nodes providing the flow-specific treatment. Signaling IPv6 nodes providing the flow-specific treatment. Signaling based
based methods where the source node is involved are free to methods where the source node is involved are free to specify flow
specify flow state lifetimes longer than the default 120 seconds. state lifetimes longer than the default 120 seconds.
2. Flow state establishment methods MUST be able to recover from the o Flow state establishment methods MUST be able to recover from the
case where the requested flow state cannot be supported. case where the requested flow state cannot be supported.
5. Essential correction to RFC 2205 5. Essential correction to RFC 2205
[RFC2460] reduced the size of the flow label field from 24 to 20 [RFC2460] reduced the size of the flow label field from 24 to 20
bits. The references to a 24 bit flow label field on pages 87 and 88 bits. The references to a 24 bit flow label field on pages 87 and 88
of [RFC2205] are updated accordingly. of [RFC2205] are updated accordingly.
6. Security Considerations 6. Security Considerations
This section considers security issues raised by the use of the Flow This section considers security issues raised by the use of the Flow
skipping to change at page 8, line 47 skipping to change at page 9, line 32
related potential for theft of service by unauthorized traffic related potential for theft of service by unauthorized traffic
(Section 6.1). Section 6.2 addresses the use of the Flow Label in (Section 6.1). Section 6.2 addresses the use of the Flow Label in
the presence of IPsec including its interaction with IPsec tunnel the presence of IPsec including its interaction with IPsec tunnel
mode and other tunneling protocols. We also note that inspection of mode and other tunneling protocols. We also note that inspection of
unencrypted Flow Labels may allow some forms of traffic analysis by unencrypted Flow Labels may allow some forms of traffic analysis by
revealing some structure of the underlying communications. Even if revealing some structure of the underlying communications. Even if
the flow label were encrypted, its presence as a constant value in a the flow label were encrypted, its presence as a constant value in a
fixed position might assist traffic analysis and cryptoanalysis. fixed position might assist traffic analysis and cryptoanalysis.
The flow label is not protected in any way and can be forged by an The flow label is not protected in any way and can be forged by an
on-path attacker. On the other hand, a pseudo-random flow label on-path attacker. On the other hand, a uniformly distributed pseudo-
cannot be readily guessed by an off-path attacker; see random flow label cannot be readily guessed by an off-path attacker;
see [I-D.gont-6man-flowlabel-security] for further discussion.
[I-D.gont-6man-flowlabel-security] for further discussion.
6.1. Theft and Denial of Service 6.1. Theft and Denial of Service
Since the mapping of network traffic to flow-specific treatment is Since the mapping of network traffic to flow-specific treatment is
triggered by the IP addresses and Flow Label value of the IPv6 triggered by the IP addresses and Flow Label value of the IPv6
header, an adversary may be able to obtain better service by header, an adversary may be able to obtain better service by
modifying the IPv6 header or by injecting packets with false modifying the IPv6 header or by injecting packets with false
addresses and/or labels. Taken to its limits, such theft-of-service addresses and/or labels. Taken to its limits, such theft-of-service
becomes a denial-of-service attack when the modified or injected becomes a denial-of-service attack when the modified or injected
traffic depletes the resources available to forward it and other traffic depletes the resources available to forward it and other
skipping to change at page 10, line 28 skipping to change at page 11, line 13
address-spoofing attack. address-spoofing attack.
Since flows are identified by the complete 3-tuple, ingress filtering Since flows are identified by the complete 3-tuple, ingress filtering
[RFC2827] will, as noted above, mitigate part of the risk. If the [RFC2827] will, as noted above, mitigate part of the risk. If the
source address of a packet is validated by ingress filtering, there source address of a packet is validated by ingress filtering, there
can be a degree of trust that the packet has not transited a can be a degree of trust that the packet has not transited a
compromised router, to the extent that ISP infrastructure may be compromised router, to the extent that ISP infrastructure may be
trusted. However, this gives no assurance that another form of man- trusted. However, this gives no assurance that another form of man-
in-the-middle attack has not occurred. in-the-middle attack has not occurred.
Only applications with an appropriate privilege in a sending host A man-in-the-middle denial of service attack specifically directed at
will be entitled to set a non-zero Flow Label. Mechanisms for this flow label handling would involve setting unusual flow labels. For
are operating system dependent. Related policy and authorization example, an attacker could set all flow labels reaching a given
mechanisms may also be required; for example, in a multi-user host, router to the same arbitrary non-zero value, or could perform rapid
only some users may be entitled to set the Flow Label. Such cycling of flow label values such that the packets of a given flow
authorization issues are outside the scope of this specification. will each have a different value. Either of these attacks would
cause a stateless load distribution algorithm to perform badly and
would cause a stateful mechanism to behave incorrectly. For this
reason, stateless mechanisms should not use the flow label alone to
control load distribution, and stateful mechanisms should include
explicit methods to detect and ignore suspect flow label values.
6.2. IPsec and Tunneling Interactions 6.2. IPsec and Tunneling Interactions
The IPsec protocol, as defined in [RFC4301], [RFC4302], [RFC4303] The IPsec protocol, as defined in [RFC4301], [RFC4302], [RFC4303]
does not include the IPv6 header's Flow Label in any of its does not include the IPv6 header's Flow Label in any of its
cryptographic calculations (in the case of tunnel mode, it is the cryptographic calculations (in the case of tunnel mode, it is the
outer IPv6 header's Flow Label that is not included). Hence outer IPv6 header's Flow Label that is not included). Hence
modification of the Flow Label by a network node has no effect on modification of the Flow Label by a network node has no effect on
IPsec end-to-end security, because it cannot cause any IPsec IPsec end-to-end security, because it cannot cause any IPsec
integrity check to fail. As a consequence, IPsec does not provide integrity check to fail. As a consequence, IPsec does not provide
skipping to change at page 12, line 15 skipping to change at page 13, line 7
Contributors to the development of RFC 3697 included Ran Atkinson, Contributors to the development of RFC 3697 included Ran Atkinson,
Steve Blake, Jim Bound, Francis Dupont, Robert Elz, Tony Hain, Robert Steve Blake, Jim Bound, Francis Dupont, Robert Elz, Tony Hain, Robert
Hancock, Bob Hinden, Christian Huitema, Frank Kastenholz, Thomas Hancock, Bob Hinden, Christian Huitema, Frank Kastenholz, Thomas
Narten, Charles Perkins, Pekka Savola, Hesham Soliman, Michael Narten, Charles Perkins, Pekka Savola, Hesham Soliman, Michael
Thomas, Margaret Wasserman, and Alex Zinin. Thomas, Margaret Wasserman, and Alex Zinin.
This document was produced using the xml2rfc tool [RFC2629]. This document was produced using the xml2rfc tool [RFC2629].
9. Change log 9. Change log
draft-ietf-6man-flow-3697bis-01: update after resolving 11 initial
issues, 2011-02-26
draft-ietf-6man-flow-3697bis-00: original version, built from RFC3697 draft-ietf-6man-flow-3697bis-00: original version, built from RFC3697
and draft-ietf-6man-flow-update-01, 2011-01-31 and draft-ietf-6man-flow-update-01, 2011-01-31
10. References 10. References
10.1. Normative References 10.1. Normative References
[I-D.gont-6man-flowlabel-security] [I-D.gont-6man-flowlabel-security]
Gont, F., "Security Assessment of the IPv6 Flow Label", Gont, F., "Security Assessment of the IPv6 Flow Label",
draft-gont-6man-flowlabel-security-01 (work in progress), draft-gont-6man-flowlabel-security-01 (work in progress),
skipping to change at page 12, line 40 skipping to change at page 13, line 35
[RFC2205] Braden, B., Zhang, L., Berson, S., Herzog, S., and S. [RFC2205] Braden, B., Zhang, L., Berson, S., Herzog, S., and S.
Jamin, "Resource ReSerVation Protocol (RSVP) -- Version 1 Jamin, "Resource ReSerVation Protocol (RSVP) -- Version 1
Functional Specification", RFC 2205, September 1997. Functional Specification", RFC 2205, September 1997.
[RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6
(IPv6) Specification", RFC 2460, December 1998. (IPv6) Specification", RFC 2460, December 1998.
10.2. Informative References 10.2. Informative References
[I-D.ietf-6man-flow-update] [I-D.ietf-6man-flow-update]
Amante, S., Carpenter, B., and S. Jiang, "Update to the Amante, S., Carpenter, B., and S. Jiang, "Rationale for
IPv6 flow label specification", update to the IPv6 flow label specification",
draft-ietf-6man-flow-update-01 (work in progress), draft-ietf-6man-flow-update-02 (work in progress),
January 2011. January 2011.
[RFC2629] Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629, [RFC2629] Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629,
June 1999. June 1999.
[RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering: [RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering:
Defeating Denial of Service Attacks which employ IP Source Defeating Denial of Service Attacks which employ IP Source
Address Spoofing", BCP 38, RFC 2827, May 2000. Address Spoofing", BCP 38, RFC 2827, May 2000.
[RFC3697] Rajahalme, J., Conta, A., Carpenter, B., and S. Deering, [RFC3697] Rajahalme, J., Conta, A., Carpenter, B., and S. Deering,
 End of changes. 31 change blocks. 
145 lines changed or deleted 182 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/