draft-ietf-6man-flow-3697bis-01.txt   draft-ietf-6man-flow-3697bis-02.txt 
6MAN S. Amante 6MAN S. Amante
Internet-Draft Level 3 Internet-Draft Level 3
Obsoletes: 3697 (if approved) B. Carpenter Obsoletes: 3697 (if approved) B. Carpenter
Updates: 2205, 2460 (if approved) Univ. of Auckland Updates: 2205, 2460 (if approved) Univ. of Auckland
Intended status: Standards Track S. Jiang Intended status: Standards Track S. Jiang
Expires: August 30, 2011 Huawei Technologies Co., Ltd Expires: September 14, 2011 Huawei Technologies Co., Ltd
J. Rajahalme J. Rajahalme
Nokia-Siemens Networks Nokia-Siemens Networks
February 26, 2011 March 13, 2011
IPv6 Flow Label Specification IPv6 Flow Label Specification
draft-ietf-6man-flow-3697bis-01 draft-ietf-6man-flow-3697bis-02
Abstract Abstract
This document specifies the IPv6 Flow Label field and the minimum This document specifies the IPv6 Flow Label field and the minimum
requirements for IPv6 nodes labeling flows, IPv6 nodes forwarding requirements for IPv6 nodes labeling flows, IPv6 nodes forwarding
labeled packets, and flow state establishment methods. Even when labeled packets, and flow state establishment methods. Even when
mentioned as examples of possible uses of the flow labeling, more mentioned as examples of possible uses of the flow labeling, more
detailed requirements for specific use cases are out of scope for detailed requirements for specific use cases are out of scope for
this document. this document.
skipping to change at page 1, line 44 skipping to change at page 1, line 44
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 30, 2011. This Internet-Draft will expire on September 14, 2011.
Copyright Notice Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 11 skipping to change at page 3, line 11
not be created outside the IETF Standards Process, except to format not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other it for publication as an RFC or to translate it into languages other
than English. than English.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
2. IPv6 Flow Label Specification . . . . . . . . . . . . . . . . 5 2. IPv6 Flow Label Specification . . . . . . . . . . . . . . . . 5
3. Stateless Flow Labeling Requirements . . . . . . . . . . . . . 7 3. Stateless Flow Labeling Requirements . . . . . . . . . . . . . 7
4. Flow State Establishment Requirements . . . . . . . . . . . . 8 4. Flow State Establishment Requirements . . . . . . . . . . . . 8
5. Essential correction to RFC 2205 . . . . . . . . . . . . . . . 9 5. Essential correction to RFC 2205 . . . . . . . . . . . . . . . 8
6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 6. Security Considerations . . . . . . . . . . . . . . . . . . . 8
6.1. Theft and Denial of Service . . . . . . . . . . . . . . . 9 6.1. Theft and Denial of Service . . . . . . . . . . . . . . . 8
6.2. IPsec and Tunneling Interactions . . . . . . . . . . . . . 11 6.2. IPsec and Tunneling Interactions . . . . . . . . . . . . . 10
6.3. Security Filtering Interactions . . . . . . . . . . . . . 12 6.3. Security Filtering Interactions . . . . . . . . . . . . . 10
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 12 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 11
9. Change log . . . . . . . . . . . . . . . . . . . . . . . . . . 13 9. Change log . . . . . . . . . . . . . . . . . . . . . . . . . . 11
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 12
10.1. Normative References . . . . . . . . . . . . . . . . . . . 13 10.1. Normative References . . . . . . . . . . . . . . . . . . . 12
10.2. Informative References . . . . . . . . . . . . . . . . . . 13 10.2. Informative References . . . . . . . . . . . . . . . . . . 12
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 14 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 12
1. Introduction 1. Introduction
A flow is a sequence of packets sent from a particular source to a A flow is a sequence of packets sent from a particular source to a
particular unicast, anycast, or multicast destination that a node particular unicast, anycast, or multicast destination that a node
desires to label as a flow. A flow could consist of all packets in a desires to label as a flow. A flow could consist of all packets in a
specific transport connection or a media stream. However, a flow is specific transport connection or a media stream. However, a flow is
not necessarily 1:1 mapped to a transport connection. not necessarily 1:1 mapped to a transport connection.
Traditionally, flow classifiers have been based on the 5-tuple of the Traditionally, flow classifiers have been based on the 5-tuple of the
skipping to change at page 4, line 41 skipping to change at page 4, line 41
after a packet has been processed. A stateful scenario is one where after a packet has been processed. A stateful scenario is one where
a node that sets or processes the flow label value needs to store a node that sets or processes the flow label value needs to store
information about the flow, including the flow label value. A information about the flow, including the flow label value. A
stateful scenario might also require a signaling mechanism to stateful scenario might also require a signaling mechanism to
establish flow state in the network. establish flow state in the network.
The flow label can be used most simply in stateless scenarios. This The flow label can be used most simply in stateless scenarios. This
specification concentrates on the stateless model and how it can be specification concentrates on the stateless model and how it can be
used as a default mechanism. Details of stateful models, signaling, used as a default mechanism. Details of stateful models, signaling,
specific flow state establishment methods and their related service specific flow state establishment methods and their related service
models are out of scope for this specification. Generic requirements models are out of scope for this specification. The basic
enabling co-existence of different models are set forth in Section 4. requirement for stateful models is set forth in Section 4.
The associated scaling characteristics (such as nodes involved in
state establishment, amount of state maintained by them, and state
growth function) will be specific to particular service models.
The minimum level of IPv6 flow support consists of labeling the The minimum level of IPv6 flow support consists of labeling the
flows. A specific goal is to enable and encourage the use of the flows. A specific goal is to enable and encourage the use of the
flow label for various forms of stateless load distribution, flow label for various forms of stateless load distribution,
especially across Equal Cost Multi-Path (EMCP) and/or Link especially across Equal Cost Multi-Path (EMCP) and/or Link
Aggregation Group (LAG) paths. ECMP and LAG are methods to bond Aggregation Group (LAG) paths. ECMP and LAG are methods to bond
together multiple physical links used to procure the required together multiple physical links used to procure the required
capacity necessary to carry an offered load greater than the capacity necessary to carry an offered load greater than the
bandwidth of an individual physical link. IPv6 source nodes SHOULD bandwidth of an individual physical link. IPv6 source nodes SHOULD
be able to label known flows (e.g., TCP connections, application be able to label known flows (e.g., TCP connections, application
skipping to change at page 8, line 15 skipping to change at page 8, line 13
principal recommendation is that the source host should set the principal recommendation is that the source host should set the
label. label.
The preceding rules taken together allow a given network domain to The preceding rules taken together allow a given network domain to
include routers that set flow labels on behalf of hosts that do not include routers that set flow labels on behalf of hosts that do not
do so. They also recommend that flow labels exported to the Internet do so. They also recommend that flow labels exported to the Internet
are always either zero or uniformly distributed. are always either zero or uniformly distributed.
4. Flow State Establishment Requirements 4. Flow State Establishment Requirements
This section defines the minimum requirements for stateful methods of A node that sets the flow label MAY also take part in a flow state
setting the flow label value. establishment method that results in assigning specific treatments to
specific flows, possibly including signaling. Any such method MUST
The node that sets the flow label MAY also take part in flow state NOT disturb nodes taking part in the stateless model just described.
establishment methods that result in assigning specific treatments to Further details are not discussed in this document.
specific flows, possibly including signaling.
o In this case, unlike the stateless case, a source node MUST ensure
that it does not unintentionally reuse Flow Label values it is
currently using or has recently used when creating new flows.
Flow Label values previously used with a specific pair of source
and destination addresses MUST NOT be assigned to new flows with
the same address pair within 120 seconds of the termination of the
previous flow.
o To avoid accidental Flow Label value reuse, the source node SHOULD
select new Flow Label values in a well-defined way and use an
initial value that avoids reuse of recently used Flow Label values
each time the system restarts. The initial value SHOULD be
derived from a previous value stored in non-volatile memory, or in
the absence of such history, a randomly generated initial value
using techniques that produce good randomness properties SHOULD be
used.
To enable stateful flow-specific treatment, flow state needs to be
established on all or a subset of the IPv6 nodes on the path from the
source to the destination(s). The methods for the state
establishment, as well as the models for flow-specific treatment will
be defined in separate specifications.
In stateful mechanisms, nodes keeping dynamic flow state MUST NOT
assume packets arriving 120 seconds or more after the previous packet
of a flow still belong to the same flow, unless a flow state
establishment method in use defines a longer flow state lifetime or
the flow state has been explicitly refreshed within the lifetime
duration.
To enable co-existence of different methods in IPv6 nodes, the
methods MUST meet the following basic requirements:
o The method MUST provide the means for flow state clean-up from the
IPv6 nodes providing the flow-specific treatment. Signaling based
methods where the source node is involved are free to specify flow
state lifetimes longer than the default 120 seconds.
o Flow state establishment methods MUST be able to recover from the
case where the requested flow state cannot be supported.
5. Essential correction to RFC 2205 5. Essential correction to RFC 2205
[RFC2460] reduced the size of the flow label field from 24 to 20 [RFC2460] reduced the size of the flow label field from 24 to 20
bits. The references to a 24 bit flow label field on pages 87 and 88 bits. The references to a 24 bit flow label field on pages 87 and 88
of [RFC2205] are updated accordingly. of [RFC2205] are updated accordingly.
6. Security Considerations 6. Security Considerations
This section considers security issues raised by the use of the Flow This section considers security issues raised by the use of the Flow
skipping to change at page 9, line 40 skipping to change at page 8, line 47
The flow label is not protected in any way and can be forged by an The flow label is not protected in any way and can be forged by an
on-path attacker. On the other hand, a uniformly distributed pseudo- on-path attacker. On the other hand, a uniformly distributed pseudo-
random flow label cannot be readily guessed by an off-path attacker; random flow label cannot be readily guessed by an off-path attacker;
see [I-D.gont-6man-flowlabel-security] for further discussion. see [I-D.gont-6man-flowlabel-security] for further discussion.
6.1. Theft and Denial of Service 6.1. Theft and Denial of Service
Since the mapping of network traffic to flow-specific treatment is Since the mapping of network traffic to flow-specific treatment is
triggered by the IP addresses and Flow Label value of the IPv6 triggered by the IP addresses and Flow Label value of the IPv6
header, an adversary may be able to obtain better service by header, an adversary may be able to obtain unintended service by
modifying the IPv6 header or by injecting packets with false modifying the IPv6 header or by injecting packets with false
addresses and/or labels. Taken to its limits, such theft-of-service addresses and/or labels. Theft of service is not further discussed
becomes a denial-of-service attack when the modified or injected in this document, since it can only be analysed for specific stateful
methods of using the flow label. However, a denial of service attack
becomes possible in the stateless model when the modified or injected
traffic depletes the resources available to forward it and other traffic depletes the resources available to forward it and other
traffic streams. A curiosity is that if a DoS attack were undertaken traffic streams. If a DoS attack were undertaken against a given
against a given Flow Label (or set of Flow Labels), then traffic Flow Label (or set of Flow Labels), then traffic containing an
containing an affected Flow Label might well experience worse-than- affected Flow Label might well experience worse-than-best-effort
best-effort network performance. network performance.
Note that since the treatment of IP headers by nodes is typically Note that since the treatment of IP headers by nodes is typically
unverified, there is no guarantee that flow labels sent by a node are unverified, there is no guarantee that flow labels sent by a node are
set according to the recommendations in this document. Therefore, set according to the recommendations in this document. A man-in-the-
any assumptions made by the network about header fields such as flow middle or injected-traffic denial of service attack specifically
labels should be limited to the extent that the upstream nodes are directed at flow label handling would involve setting unusual flow
explicitly trusted. labels. For example, an attacker could set all flow labels reaching
a given router to the same arbitrary non-zero value, or could perform
rapid cycling of flow label values such that the packets of a given
flow will each have a different value. Either of these attacks would
cause a stateless load distribution algorithm to perform badly and
would cause a stateful mechanism to behave incorrectly. For this
reason, stateless mechanisms should not use the flow label alone to
control load distribution, and stateful mechanisms should include
explicit methods to detect and ignore suspect flow label values.
Since flows are identified by the 3-tuple of the Flow Label and the Since flows are identified by the 3-tuple of the Flow Label and the
Source and Destination Address, the risk of theft or denial of Source and Destination Address, the risk of denial of service
service introduced by the Flow Label is closely related to the risk introduced by the Flow Label is closely related to the risk of denial
of theft or denial of service by address spoofing. An adversary who of service by address spoofing. An adversary who is in a position to
is in a position to forge an address is also likely to be able to forge an address is also likely to be able to forge a label, and vice
forge a label, and vice versa. versa.
There are two issues with different properties: Spoofing of the Flow There are two issues with different properties: Spoofing of the Flow
Label only, and spoofing of the whole 3-tuple, including Source and Label only, and spoofing of the whole 3-tuple, including Source and
Destination Address. Destination Address.
The former can be done inside a node which is using or transmitting The former can be done inside a node which is using or transmitting
the correct source address. The ability to spoof a Flow Label the correct source address. The ability to spoof a Flow Label
typically implies being in a position to also forge an address, but typically implies being in a position to also forge an address, but
in many cases, spoofing an address may not be interesting to the in many cases, spoofing an address may not be interesting to the
spoofer, especially if the spoofer's goal is theft of service, rather spoofer, especially if the spoofer's goal is theft of service, rather
than denial of service. than denial of service.
The latter can be done by a host which is not subject to ingress The latter can be done by a host which is not subject to ingress
filtering [RFC2827] or by an intermediate router. Due to its filtering [RFC2827] or by an intermediate router. Due to its
properties, such is typically useful only for denial of service. In properties, this is typically useful only for denial of service. In
the absence of ingress filtering, almost any third party could the absence of ingress filtering, almost any third party could
instigate such an attack. instigate such an attack.
In the presence of ingress filtering, forging a non-zero Flow Label In the presence of ingress filtering, forging a non-zero Flow Label
on packets that originated with a zero label, or modifying or on packets that originated with a zero label, or modifying or
clearing a label, could only occur if an intermediate system such as clearing a label, could only occur if an intermediate system such as
a router was compromised, or through some other form of man-in-the- a router was compromised, or through some other form of man-in-the-
middle attack. However, the risk is limited to traffic receiving middle attack.
better or worse quality of service than intended. For example, if
Flow Labels are altered or cleared at random, flow classification
will no longer happen as intended, and the altered packets will
receive default treatment. If a complete 3-tuple is forged, the
altered packets will be classified into the forged flow and will
receive the corresponding quality of service; this will create a
denial of service attack subtly different from one where only the
addresses are forged. Because it is limited to a single flow
definition, e.g., to a limited amount of bandwidth, such an attack
will be more specific and at a finer granularity than a normal
address-spoofing attack.
Since flows are identified by the complete 3-tuple, ingress filtering
[RFC2827] will, as noted above, mitigate part of the risk. If the
source address of a packet is validated by ingress filtering, there
can be a degree of trust that the packet has not transited a
compromised router, to the extent that ISP infrastructure may be
trusted. However, this gives no assurance that another form of man-
in-the-middle attack has not occurred.
A man-in-the-middle denial of service attack specifically directed at
flow label handling would involve setting unusual flow labels. For
example, an attacker could set all flow labels reaching a given
router to the same arbitrary non-zero value, or could perform rapid
cycling of flow label values such that the packets of a given flow
will each have a different value. Either of these attacks would
cause a stateless load distribution algorithm to perform badly and
would cause a stateful mechanism to behave incorrectly. For this
reason, stateless mechanisms should not use the flow label alone to
control load distribution, and stateful mechanisms should include
explicit methods to detect and ignore suspect flow label values.
6.2. IPsec and Tunneling Interactions 6.2. IPsec and Tunneling Interactions
The IPsec protocol, as defined in [RFC4301], [RFC4302], [RFC4303] The IPsec protocol, as defined in [RFC4301], [RFC4302], [RFC4303]
does not include the IPv6 header's Flow Label in any of its does not include the IPv6 header's Flow Label in any of its
cryptographic calculations (in the case of tunnel mode, it is the cryptographic calculations (in the case of tunnel mode, it is the
outer IPv6 header's Flow Label that is not included). Hence outer IPv6 header's Flow Label that is not included). Hence
modification of the Flow Label by a network node has no effect on modification of the Flow Label by a network node has no effect on
IPsec end-to-end security, because it cannot cause any IPsec IPsec end-to-end security, because it cannot cause any IPsec
integrity check to fail. As a consequence, IPsec does not provide integrity check to fail. As a consequence, IPsec does not provide
skipping to change at page 13, line 7 skipping to change at page 11, line 35
Contributors to the development of RFC 3697 included Ran Atkinson, Contributors to the development of RFC 3697 included Ran Atkinson,
Steve Blake, Jim Bound, Francis Dupont, Robert Elz, Tony Hain, Robert Steve Blake, Jim Bound, Francis Dupont, Robert Elz, Tony Hain, Robert
Hancock, Bob Hinden, Christian Huitema, Frank Kastenholz, Thomas Hancock, Bob Hinden, Christian Huitema, Frank Kastenholz, Thomas
Narten, Charles Perkins, Pekka Savola, Hesham Soliman, Michael Narten, Charles Perkins, Pekka Savola, Hesham Soliman, Michael
Thomas, Margaret Wasserman, and Alex Zinin. Thomas, Margaret Wasserman, and Alex Zinin.
This document was produced using the xml2rfc tool [RFC2629]. This document was produced using the xml2rfc tool [RFC2629].
9. Change log 9. Change log
draft-ietf-6man-flow-3697bis-02: update to remove most text about
stateful methods, 2011-03-13
draft-ietf-6man-flow-3697bis-01: update after resolving 11 initial draft-ietf-6man-flow-3697bis-01: update after resolving 11 initial
issues, 2011-02-26 issues, 2011-02-26
draft-ietf-6man-flow-3697bis-00: original version, built from RFC3697 draft-ietf-6man-flow-3697bis-00: original version, built from RFC3697
and draft-ietf-6man-flow-update-01, 2011-01-31 and draft-ietf-6man-flow-update-01, 2011-01-31
10. References 10. References
10.1. Normative References 10.1. Normative References
[I-D.gont-6man-flowlabel-security] [I-D.gont-6man-flowlabel-security]
Gont, F., "Security Assessment of the IPv6 Flow Label", Gont, F., "Security Assessment of the IPv6 Flow Label",
draft-gont-6man-flowlabel-security-01 (work in progress), draft-gont-6man-flowlabel-security-01 (work in progress),
November 2010. November 2010.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
skipping to change at page 13, line 37 skipping to change at page 12, line 26
Functional Specification", RFC 2205, September 1997. Functional Specification", RFC 2205, September 1997.
[RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6
(IPv6) Specification", RFC 2460, December 1998. (IPv6) Specification", RFC 2460, December 1998.
10.2. Informative References 10.2. Informative References
[I-D.ietf-6man-flow-update] [I-D.ietf-6man-flow-update]
Amante, S., Carpenter, B., and S. Jiang, "Rationale for Amante, S., Carpenter, B., and S. Jiang, "Rationale for
update to the IPv6 flow label specification", update to the IPv6 flow label specification",
draft-ietf-6man-flow-update-02 (work in progress), draft-ietf-6man-flow-update-03 (work in progress),
January 2011. February 2011.
[RFC2629] Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629, [RFC2629] Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629,
June 1999. June 1999.
[RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering: [RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering:
Defeating Denial of Service Attacks which employ IP Source Defeating Denial of Service Attacks which employ IP Source
Address Spoofing", BCP 38, RFC 2827, May 2000. Address Spoofing", BCP 38, RFC 2827, May 2000.
[RFC3697] Rajahalme, J., Conta, A., Carpenter, B., and S. Deering, [RFC3697] Rajahalme, J., Conta, A., Carpenter, B., and S. Deering,
"IPv6 Flow Label Specification", RFC 3697, March 2004. "IPv6 Flow Label Specification", RFC 3697, March 2004.
 End of changes. 17 change blocks. 
116 lines changed or deleted 56 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/