draft-ietf-6man-flow-3697bis-07.txt   rfc6437.txt 
6MAN S. Amante Internet Engineering Task Force (IETF) S. Amante
Internet-Draft Level 3 Request for Comments: 6437 Level 3
Obsoletes: 3697 (if approved) B. Carpenter Obsoletes: 3697 B. Carpenter
Updates: 2205, 2460 (if approved) Univ. of Auckland Updates: 2205, 2460 Univ. of Auckland
Intended status: Standards Track S. Jiang Category: Standards Track S. Jiang
Expires: January 30, 2012 Huawei Technologies Co., Ltd ISSN: 2070-1721 Huawei
J. Rajahalme J. Rajahalme
Nokia Siemens Networks Nokia Siemens Networks
July 29, 2011 November 2011
IPv6 Flow Label Specification IPv6 Flow Label Specification
draft-ietf-6man-flow-3697bis-07
Abstract Abstract
This document specifies the IPv6 Flow Label field and the minimum This document specifies the IPv6 Flow Label field and the minimum
requirements for IPv6 nodes labeling flows, IPv6 nodes forwarding requirements for IPv6 nodes labeling flows, IPv6 nodes forwarding
labeled packets, and flow state establishment methods. Even when labeled packets, and flow state establishment methods. Even when
mentioned as examples of possible uses of the flow labeling, more mentioned as examples of possible uses of the flow labeling, more
detailed requirements for specific use cases are out of scope for detailed requirements for specific use cases are out of the scope for
this document. this document.
The usage of the Flow Label field enables efficient IPv6 flow The usage of the Flow Label field enables efficient IPv6 flow
classification based only on IPv6 main header fields in fixed classification based only on IPv6 main header fields in fixed
positions. positions.
Status of this Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering This is an Internet Standards Track document.
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 5741.
This Internet-Draft will expire on January 30, 2012. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc6437.
Copyright Notice Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 7 skipping to change at page 2, line 34
modifications of such material outside the IETF Standards Process. modifications of such material outside the IETF Standards Process.
Without obtaining an adequate license from the person(s) controlling Without obtaining an adequate license from the person(s) controlling
the copyright in such materials, this document may not be modified the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other it for publication as an RFC or to translate it into languages other
than English. than English.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. IPv6 Flow Label Specification . . . . . . . . . . . . . . . . 5 2. IPv6 Flow Label Specification . . . . . . . . . . . . . . . . 4
3. Flow Labeling Requirements in the Stateless Scenario . . . . . 6 3. Flow Labeling Requirements in the Stateless Scenario . . . . . 5
4. Flow State Establishment Requirements . . . . . . . . . . . . 8 4. Flow State Establishment Requirements . . . . . . . . . . . . 7
5. Essential correction to RFC 2205 . . . . . . . . . . . . . . . 8 5. Essential Correction to RFC 2205 . . . . . . . . . . . . . . . 7
6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 6. Security Considerations . . . . . . . . . . . . . . . . . . . 7
6.1. Covert Channel Risk . . . . . . . . . . . . . . . . . . . 9 6.1. Covert Channel Risk . . . . . . . . . . . . . . . . . . . 8
6.2. Theft and Denial of Service . . . . . . . . . . . . . . . 10 6.2. Theft and Denial of Service . . . . . . . . . . . . . . . 8
6.3. IPsec and Tunneling Interactions . . . . . . . . . . . . . 11 6.3. IPsec and Tunneling Interactions . . . . . . . . . . . . . 10
6.4. Security Filtering Interactions . . . . . . . . . . . . . 12 6.4. Security Filtering Interactions . . . . . . . . . . . . . 11
7. Differences from RFC 3697 . . . . . . . . . . . . . . . . . . 12 7. Differences from RFC 3697 . . . . . . . . . . . . . . . . . . 11
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 11
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 12 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 12
10. Change log [RFC Editor: Please remove] . . . . . . . . . . . . 13 9.1. Normative References . . . . . . . . . . . . . . . . . . . 12
11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 14 9.2. Informative References . . . . . . . . . . . . . . . . . . 12
11.1. Normative References . . . . . . . . . . . . . . . . . . . 14 Appendix A. Example 20-Bit Hash Function . . . . . . . . . . . . 14
11.2. Informative References . . . . . . . . . . . . . . . . . . 14
Appendix A. Example 20-bit Hash Function . . . . . . . . . . . . 15
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 16
1. Introduction 1. Introduction
From the viewpoint of the network layer, a flow is a sequence of From the viewpoint of the network layer, a flow is a sequence of
packets sent from a particular source to a particular unicast, packets sent from a particular source to a particular unicast,
anycast, or multicast destination that a node desires to label as a anycast, or multicast destination that a node desires to label as a
flow. From an upper layer viewpoint, a flow could consist of all flow. From an upper-layer viewpoint, a flow could consist of all
packets in one direction of a specific transport connection or media packets in one direction of a specific transport connection or media
stream. However, a flow is not necessarily 1:1 mapped to a transport stream. However, a flow is not necessarily 1:1 mapped to a transport
connection. connection.
Traditionally, flow classifiers have been based on the 5-tuple of the Traditionally, flow classifiers have been based on the 5-tuple of the
source and destination addresses, ports, and the transport protocol source address, destination address, source port, destination port,
type. However, some of these fields may be unavailable due to either and the transport protocol type. However, some of these fields may
fragmentation or encryption, or locating them past a chain of IPv6 be unavailable due to either fragmentation or encryption, or locating
extension headers may be inefficient. Additionally, if classifiers them past a chain of IPv6 extension headers may be inefficient.
depend only on IP layer headers, later introduction of alternative Additionally, if classifiers depend only on IP-layer headers, later
transport layer protocols will be easier. introduction of alternative transport-layer protocols will be easier.
The usage of the 3-tuple of the Flow Label and the Source and The usage of the 3-tuple of the Flow Label, Source Address, and
Destination Address fields enables efficient IPv6 flow Destination Address fields enables efficient IPv6 flow
classification, where only IPv6 main header fields in fixed positions classification, where only IPv6 main header fields in fixed positions
are used. are used.
The flow label could be used in both stateless and stateful The flow label could be used in both stateless and stateful
scenarios. A stateless scenario is one where any node that processes scenarios. A stateless scenario is one where any node that processes
the flow label in any way does not need to store any information the flow label in any way does not need to store any information
about a flow before or after a packet has been processed. A stateful about a flow before or after a packet has been processed. A stateful
scenario is one where a node that processes the flow label value scenario is one where a node that processes the flow label value
needs to store information about the flow, including the flow label needs to store information about the flow, including the flow label
value. A stateful scenario might also require a signaling mechanism value. A stateful scenario might also require a signaling mechanism
to inform downstream nodes that the flow label is being used in a to inform downstream nodes that the flow label is being used in a
certain way and to establish flow state in the network. For example, certain way and to establish flow state in the network. For example,
RSVP [RFC2205] and GIST [RFC5971] can signal flow label values. RSVP [RFC2205] and General Internet Signaling Transport (GIST)
[RFC5971] can signal flow label values.
The flow label can be used most simply in stateless scenarios. This The flow label can be used most simply in stateless scenarios. This
specification concentrates on the stateless model and how it can be specification concentrates on the stateless model and how it can be
used as a default mechanism. Details of stateful models, signaling, used as a default mechanism. Details of stateful models, signaling,
specific flow state establishment methods and their related service specific flow state establishment methods, and their related service
models are out of scope for this specification. The basic models are out of scope for this specification. The basic
requirement for stateful models is set forth in Section 4. requirement for stateful models is set forth in Section 4.
The minimum level of IPv6 flow support consists of labeling the The minimum level of IPv6 flow support consists of labeling the
flows. A specific goal is to enable and encourage the use of the flows. A specific goal is to enable and encourage the use of the
flow label for various forms of stateless load distribution, flow label for various forms of stateless load distribution,
especially across Equal Cost Multi-Path (EMCP) and/or Link especially across Equal Cost Multi-Path (ECMP) and/or Link
Aggregation Group (LAG) paths. ECMP and LAG are methods to bond Aggregation Group (LAG) paths. ECMP and LAG are methods to bond
together multiple physical links used to procure the required together multiple physical links used to procure the required
capacity necessary to carry an offered load greater than the capacity necessary to carry an offered load greater than the
bandwidth of an individual physical link. Further details are in a bandwidth of an individual physical link. Further details are in a
separate document [I-D.ietf-6man-flow-ecmp]. IPv6 source nodes separate document [RFC6438]. IPv6 source nodes SHOULD be able to
SHOULD be able to label known flows (e.g., TCP connections, label known flows (e.g., TCP connections and application streams),
application streams), even if the node itself does not require any even if the node itself does not require any flow-specific treatment.
flow-specific treatment. Node requirements for stateless flow Node requirements for stateless flow labeling are given in Section 3.
labeling are given in Section 3.
This document replaces [RFC3697] and Section 6 and Appendix A of This document replaces [RFC3697] and Section 6 and Appendix A of
[RFC2460]. A rationale for the changes made is documented in [RFC2460]. A rationale for the changes made is documented in
[I-D.ietf-6man-flow-update]. The present document also includes a [RFC6436]. The present document also includes a correction to
correction to [RFC2205] concerning the flow label. [RFC2205] concerning the flow label.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in "OPTIONAL" in this document are to be interpreted as described in
[RFC2119]. [RFC2119].
2. IPv6 Flow Label Specification 2. IPv6 Flow Label Specification
The 20-bit Flow Label field in the IPv6 header [RFC2460] is used by a The 20-bit Flow Label field in the IPv6 header [RFC2460] is used by a
node to label packets of a flow. A Flow Label of zero is used to node to label packets of a flow. A Flow Label of zero is used to
indicate packets that have not been labeled. Packet classifiers can indicate packets that have not been labeled. Packet classifiers can
use the triplet of Flow Label, Source Address, and Destination use the triplet of Flow Label, Source Address, and Destination
Address fields to identify which flow a particular packet belongs to. Address fields to identify the flow to which a particular packet
Packets are processed in a flow-specific manner by nodes that are belongs. Packets are processed in a flow-specific manner by nodes
able to do so in a stateless manner, or that have been set up with that are able to do so in a stateless manner or that have been set up
flow-specific state. The nature of the specific treatment and the with flow-specific state. The nature of the specific treatment and
methods for flow state establishment are out of scope for this the methods for flow state establishment are out of scope for this
specification. specification.
Flow label values should be chosen such that their bits exhibit a Flow label values should be chosen such that their bits exhibit a
high degree of variability, making them suitable for use as part of high degree of variability, making them suitable for use as part of
the input to a hash function used in a load distribution scheme. At the input to a hash function used in a load distribution scheme. At
the same time, third parties should be unlikely to be able to guess the same time, third parties should be unlikely to be able to guess
the next value that a source of flow labels will choose. the next value that a source of flow labels will choose.
In statistics, a discrete uniform distribution is defined as a In statistics, a discrete uniform distribution is defined as a
probability distribution in which each value in a given range of probability distribution in which each value in a given range of
equally spaced values (such as a sequence of integers) is equally equally spaced values (such as a sequence of integers) is equally
likely to be chosen as the next value. The values in such a likely to be chosen as the next value. The values in such a
distribution exhibit both variability and unguessability. Thus, as distribution exhibit both variability and unguessability. Thus, as
specified below in Section 3, an approximation to a discrete uniform specified in Section 3, an approximation to a discrete uniform
distribution is preferable as the source of flow label values. distribution is preferable as the source of flow label values.
Intentionally, there are no precise mathematical requirements placed Intentionally, there are no precise mathematical requirements placed
on the distribution or the method used to achieve such a on the distribution or the method used to achieve such a
distribution. distribution.
Once set to a non-zero value, the Flow Label is expected to be Once set to a non-zero value, the Flow Label is expected to be
delivered unchanged to the destination node(s). A forwarding node delivered unchanged to the destination node(s). A forwarding node
MUST either leave a non-zero flow label value unchanged, or change it MUST either leave a non-zero flow label value unchanged or change it
only for compelling operational security reasons as described in only for compelling operational security reasons as described in
Section 6.1. Section 6.1.
There is no way to verify whether a flow label has been modified en There is no way to verify whether a flow label has been modified en
route or whether it belongs to a uniform distribution. Therefore, no route or whether it belongs to a uniform distribution. Therefore, no
Internet-wide mechanism can depend mathematically on unmodified and Internet-wide mechanism can depend mathematically on unmodified and
uniformly distributed flow labels; they have a "best effort" quality. uniformly distributed flow labels; they have a "best effort" quality.
Implementers should be aware that the flow label is an unprotected Implementers should be aware that the flow label is an unprotected
field that could have been accidentally or intentionally changed en field that could have been accidentally or intentionally changed en
route (see Section 6). This leads to the following formal rule: route (see Section 6). This leads to the following formal rule:
o Forwarding nodes such as routers and load distributors MUST NOT o Forwarding nodes such as routers and load distributors MUST NOT
depend only on Flow Label values being uniformly distributed. In depend only on Flow Label values being uniformly distributed. In
any usage such as a hash key for load distribution, the Flow Label any usage such as a hash key for load distribution, the Flow Label
bits MUST be combined at least with bits from other sources within bits MUST be combined at least with bits from other sources within
the packet, so as to produce a constant hash value for each flow the packet, so as to produce a constant hash value for each flow
and a suitable distribution of hash values across flows. and a suitable distribution of hash values across flows.
Typically the other fields used will be some or all components of Typically, the other fields used will be some or all components of
the usual 5-tuple. In this way, load distribution will still the usual 5-tuple. In this way, load distribution will still
occur even if the Flow Label values are poorly distributed. occur even if the Flow Label values are poorly distributed.
Although uniformly distributed flow label values are recommended Although uniformly distributed flow label values are recommended
below, and will always be helpful for load distribution, it is unsafe below, and will always be helpful for load distribution, it is unsafe
to assume their presence in the general case, and the use case needs to assume their presence in the general case, and the use case needs
to work even if the flow label value is zero. to work even if the flow label value is zero.
As a general practice, packet flows should not be reordered, and the As a general practice, packet flows should not be reordered, and the
use of the Flow Label field does not affect this. In particular, a use of the Flow Label field does not affect this. In particular, a
Flow label value of zero does not imply that reordering is Flow label value of zero does not imply that reordering is
acceptable. acceptable.
3. Flow Labeling Requirements in the Stateless Scenario 3. Flow Labeling Requirements in the Stateless Scenario
This section defines the minimum requirements for methods of setting This section defines the minimum requirements for methods of setting
the flow label value within the stateless scenario of flow label the flow label value within the stateless scenario of flow label
usage. usage.
To enable Flow Label based classification, source nodes SHOULD assign To enable Flow-Label-based classification, source nodes SHOULD assign
each unrelated transport connection and application data stream to a each unrelated transport connection and application data stream to a
new flow. A typical definition of a flow for this purpose is any set new flow. A typical definition of a flow for this purpose is any set
of packets carrying the same 5-tuple {dest addr, source addr, of packets carrying the same 5-tuple {dest addr, source addr,
protocol, dest port, source port}. It should be noted that a source protocol, dest port, source port}. It should be noted that a source
node always has convenient and efficient access to this 5-tuple, node always has convenient and efficient access to this 5-tuple,
which is not always the case for nodes that subsequently forward the which is not always the case for nodes that subsequently forward the
packet. packet.
It is desirable that flow label values should be uniformly It is desirable that flow label values should be uniformly
distributed to assist load distribution. It is therefore RECOMMENDED distributed to assist load distribution. It is therefore RECOMMENDED
that source hosts support the flow label by setting the flow label that source hosts support the flow label by setting the flow label
field for all packets of a given flow to the same value chosen from field for all packets of a given flow to the same value chosen from
an approximation to a discrete uniform distribution. Both stateful an approximation to a discrete uniform distribution. Both stateful
and stateless methods of assigning a value could be used, but it is and stateless methods of assigning a value could be used, but it is
outside the scope of this specification to mandate an algorithm. The outside the scope of this specification to mandate an algorithm. The
algorithm SHOULD ensure that the resulting flow label values are algorithm SHOULD ensure that the resulting flow label values are
unique with high probability. However, if two simultaneous flows are unique with high probability. However, if two simultaneous flows are
by chance assigned the same flow label value, and have the same assigned the same flow label value by chance and have the same source
source and destination addresses, it simply means that they will and destination addresses, it simply means that they will receive the
receive the same treatment throughout the network. As long as this same flow label treatment throughout the network. As long as this is
is a low probability event, it will not significantly affect load a low-probability event, it will not significantly affect load
distribution. distribution.
A possible stateless algorithm is to use a suitable 20 bit hash of A possible stateless algorithm is to use a suitable 20-bit hash of
values from the IP packet's 5-tuple. A simple example hash function values from the IP packet's 5-tuple. A simple example hash function
is described in Appendix A. is described in Appendix A.
An alternative approach is to use a pseudo-random number generator to An alternative approach is to use a pseudo-random number generator to
assign a flow label value for a given transport session; such a assign a flow label value for a given transport session; such a
method will require minimal local state to be kept at the source method will require minimal local state to be kept at the source node
node, by recording the flow label associated with each transport by recording the flow label associated with each transport socket.
socket.
Viewed externally, either of these approaches will produce values Viewed externally, either of these approaches will produce values
that appear to be uniformly distributed and pseudo-random. that appear to be uniformly distributed and pseudo-random.
An implementation in which flow labels are assigned sequentially is An implementation in which flow labels are assigned sequentially is
NOT RECOMMENDED, as it would then be simple for on-path observers to NOT RECOMMENDED, as it would then be simple for on-path observers to
guess the next value. guess the next value.
A source node which does not otherwise set the flow label MUST set A source node that does not otherwise set the flow label MUST set its
its value to zero. value to zero.
A node that forwards a flow whose flow label value in arriving A node that forwards a flow whose flow label value in arriving
packets is zero MAY change the flow label value. In that case, it is packets is zero MAY change the flow label value. In that case, it is
RECOMMENDED that the forwarding node sets the flow label field for a RECOMMENDED that the forwarding node sets the flow label field for a
flow to a uniformly distributed value as just described for source flow to a uniformly distributed value as just described for source
nodes. nodes.
o The same considerations apply as to source hosts setting the flow o The same considerations apply as to source hosts setting the flow
label; in particular, the preferred case is that a flow is defined label; in particular, the preferred case is that a flow is defined
by the 5-tuple. However, there are cases in which the complete by the 5-tuple. However, there are cases in which the complete
5-tuple for all packets is not readily available to a forwarding 5-tuple for all packets is not readily available to a forwarding
node, in particular for fragmented packets. In such cases a flow node, in particular for fragmented packets. In such cases, a flow
can be defined by fewer IPv6 header fields, typically using only can be defined by fewer IPv6 header fields, typically using only
the 2-tuple {dest addr, source addr}. There are alternative the 2-tuple {dest addr, source addr}. There are alternative
approaches that implementers could choose, such as: approaches that implementers could choose, such as:
* A forwarding node might use the 5-tuple to define a flow * A forwarding node might use the 5-tuple to define a flow
whenever possible, but use the 2-tuple when the complete whenever possible but use the 2-tuple when the complete 5-tuple
5-tuple is not available. In this case, unfragmented and is not available. In this case, unfragmented and fragmented
fragmented packets belonging to the same transport session packets belonging to the same transport session would receive
would receive different flow label values, altering the effect different flow label values, altering the effect of subsequent
of subsequent load distribution based on the flow label. load distribution based on the flow label.
* A forwarding node might use the 2-tuple to define a flow in all * A forwarding node might use the 2-tuple to define a flow in all
cases. In this case, subsequent load distribution would be cases. In this case, subsequent load distribution would be
based only on IP addresses. based only on IP addresses.
o The option to set the flow label in a forwarding node, if o The option to set the flow label in a forwarding node, if
implemented, would presumably be of value in first-hop or ingress implemented, would presumably be of value in first-hop or ingress
routers. It might place a considerable per-packet processing load routers. It might place a considerable per-packet processing load
on them, even if they adopted a stateless method of flow on them, even if they adopted a stateless method of flow
identification and label assignment. However, it will not identification and label assignment. However, it will not
interfere with host-to-router load sharing [RFC4311]. It needs to interfere with host-to-router load sharing [RFC4311]. It needs to
be under the control of network managers, to avoid unwanted be under the control of network managers, to avoid unwanted
processing load and any other undesirable effects. For this processing load and any other undesirable effects. For this
reason it MUST be a configurable option, disabled by default. reason, it MUST be a configurable option, disabled by default.
The preceding rules taken together allow a given network to include The preceding rules taken together allow a given network to include
routers that set flow labels on behalf of hosts that do not do so. routers that set flow labels on behalf of hosts that do not do so.
The complications described explain why the principal recommendation The complications described explain why the principal recommendation
is that the source hosts should set the label. is that the source hosts should set the label.
4. Flow State Establishment Requirements 4. Flow State Establishment Requirements
A node that sets the flow label MAY also take part in a flow state A node that sets the flow label MAY also take part in a flow state
establishment method that results in assigning specific treatments to establishment method that results in assigning specific treatments to
specific flows, possibly including signaling. Any such method MUST specific flows, possibly including signaling. Any such method MUST
NOT disturb nodes taking part in the stateless scenario just NOT disturb nodes taking part in the stateless scenario just
described. Thus, any node that sets flow label values according to a described. Thus, any node that sets flow label values according to a
stateful scheme MUST choose labels that conform to Section 3 of the stateful scheme MUST choose labels that conform to Section 3 of this
present specification. Further details are not discussed in this specification. Further details are not discussed in this document.
document.
5. Essential correction to RFC 2205 5. Essential Correction to RFC 2205
[RFC2460] reduced the size of the flow label field from 24 to 20 [RFC2460] reduced the size of the flow label field from 24 to 20
bits. The references to a 24 bit flow label field on pages 87 and 88 bits. The references to a 24-bit flow label field in Section A.9 of
of [RFC2205] are updated accordingly. [RFC2205] are updated accordingly.
6. Security Considerations 6. Security Considerations
This section considers security issues raised by the use of the Flow This section considers security issues raised by the use of the Flow
Label, including the potential for denial-of-service attacks, and the Label, including the potential for denial-of-service attacks and the
related potential for theft of service by unauthorized traffic related potential for theft of service by unauthorized traffic
(Section 6.2). Section 6.3 addresses the use of the Flow Label in (Section 6.2). Section 6.3 addresses the use of the Flow Label in
the presence of IPsec including its interaction with IPsec tunnel the presence of IPsec, including its interaction with IPsec tunnel
mode and other tunneling protocols. We also note that inspection of mode and other tunneling protocols. We also note that inspection of
unencrypted Flow Labels may allow some forms of traffic analysis by unencrypted Flow Labels may allow some forms of traffic analysis by
revealing some structure of the underlying communications. Even if revealing some structure of the underlying communications. Even if
the flow label were encrypted, its presence as a constant value in a the flow label was encrypted, its presence as a constant value in a
fixed position might assist traffic analysis and cryptoanalysis. fixed position might assist traffic analysis and cryptoanalysis.
The flow label is not protected in any way, even if IPsec The flow label is not protected in any way, even if IPsec
authentication [RFC4302] is in use, so it can be forged by an on-path authentication [RFC4302] is in use, so it can be forged by an on-path
attacker. Implementers are advised that any en-route change to the attacker. Implementers are advised that any en-route change to the
flow label value is undetectable. On the other hand, a uniformly flow label value is undetectable. On the other hand, a uniformly
distributed pseudo-random flow label cannot be readily guessed by an distributed pseudo-random flow label cannot be readily guessed by an
attacker; see [I-D.gont-6man-flowlabel-security] for further attacker; see [LABEL-SEC] for further discussion. If a hash
discussion. If a hash algorithm is used, as suggested in Section 3, algorithm is used, as suggested in Section 3, it SHOULD include a
it SHOULD include a step that makes the flow-label value step that makes the flow label value significantly difficult to
significantly difficult to predict [RFC4086], even with knowledge of predict [RFC4086], even with knowledge of the algorithm being used.
the algorithm being used.
6.1. Covert Channel Risk 6.1. Covert Channel Risk
The flow label could be used as a covert data channel, since The flow label could be used as a covert data channel, since
apparently pseudo-random flow label values could in fact consist of apparently pseudo-random flow label values could, in fact, consist of
covert data [NSA]. This could for example be achieved using a series covert data [NSA]. This could, for example, be achieved using a
of otherwise innocuous UDP packets whose flow label values constitute series of otherwise innocuous UDP packets whose flow label values
a covert message, or by co-opting a TCP session to carry a covert constitute a covert message, or by co-opting a TCP session to carry a
message in the flow labels of successive packets. Both of these covert message in the flow labels of successive packets. Both of
could be recognised as suspicious - the first because isolated UDP these could be recognized as suspicious -- the first because isolated
packets would not normally be expected to have non-zero flow labels, UDP packets would not normally be expected to have non-zero flow
and the second because the flow label values in a given TCP session labels, and the second because the flow label values in a given TCP
should all be equal. However, other methods, such as co-opting the session should all be equal. However, other methods, such as co-
flow labels of occasional packets, might be rather hard to detect. opting the flow labels of occasional packets, might be rather hard to
detect.
In situations where the covert channel risk is considered In situations where the covert channel risk is considered
significant, the only certain defense is for a firewall to rewrite significant, the only certain defense is for a firewall to rewrite
non-zero flow labels. This would be an exceptional violation of the non-zero flow labels. This would be an exceptional violation of the
rule that the flow label, once set to a non-zero value, must not be rule that the flow label, once set to a non-zero value, must not be
changed. To preserve load distribution capability, such a firewall changed. To preserve load distribution capability, such a firewall
SHOULD rewrite labels by following the method described for a SHOULD rewrite labels by following the method described for a
forwarding node (see Section 3), as if the incoming label value were forwarding node (see Section 3), as if the incoming label value were
zero, and MUST NOT set non-zero flow labels to zero. This behaviour zero, and MUST NOT set non-zero flow labels to zero. This behavior
is nevertheless undesirable, since (as discussed in Section 3), only is nevertheless undesirable, since (as discussed in Section 3) only
source nodes have straightforward access to the complete 5-tuple. source nodes have straightforward access to the complete 5-tuple.
6.2. Theft and Denial of Service 6.2. Theft and Denial of Service
Since the mapping of network traffic to flow-specific treatment is Since the mapping of network traffic to flow-specific treatment is
triggered by the IP addresses and Flow Label value of the IPv6 triggered by the IP addresses and Flow Label value of the IPv6
header, an adversary may be able to obtain a class of service that header, an adversary may be able to obtain a class of service that
the network did not intend to provide by modifying the IPv6 header or the network did not intend to provide by modifying the IPv6 header or
by injecting packets with false addresses and/or labels. A concrete by injecting packets with false addresses and/or labels. A concrete
analysis of this threat is only possible for specific stateful analysis of this threat is only possible for specific stateful
methods of signaling and using the flow label, which are out of scope methods of signaling and using the flow label, which are out of scope
for this document. Clearly, a full analysis will be required when for this document. Clearly, a full analysis will be required when
any such method is specified, but in general networks SHOULD NOT make any such method is specified, but in general, networks SHOULD NOT
resource allocation decisions based on flow labels without some make resource allocation decisions based on flow labels without some
external means of assurance. external means of assurance.
A denial of service attack [RFC4732] becomes possible in the A denial-of-service attack [RFC4732] becomes possible in the
stateless model when the modified or injected traffic depletes the stateless model when the modified or injected traffic depletes the
resources available to forward it and other traffic streams. If a resources available to forward it and other traffic streams. If a
DoS attack were undertaken against a given Flow Label (or set of Flow denial-of-service attack were undertaken against a given Flow Label
Labels), then traffic containing an affected Flow Label might well (or set of Flow Labels), then traffic containing an affected Flow
experience worse-than-best-effort network performance. Label might well experience worse-than-best-effort network
performance.
Note that since the treatment of IP headers by nodes is typically Note that since the treatment of IP headers by nodes is typically
unverified, there is no guarantee that flow labels sent by a node are unverified, there is no guarantee that flow labels sent by a node are
set according to the recommendations in this document. A man-in-the- set according to the recommendations in this document. A man-in-the-
middle or injected-traffic denial of service attack specifically middle or injected-traffic denial-of-service attack specifically
directed at flow label handling would involve setting unusual flow directed at flow label handling would involve setting unusual flow
labels. For example, an attacker could set all flow labels reaching labels. For example, an attacker could set all flow labels reaching
a given router to the same arbitrary non-zero value, or could perform a given router to the same arbitrary non-zero value or could perform
rapid cycling of flow label values such that the packets of a given rapid cycling of flow label values such that the packets of a given
flow will each have a different value. Either of these attacks would flow will each have a different value. Either of these attacks would
cause a stateless load distribution algorithm to perform badly and cause a stateless load distribution algorithm to perform badly and
would cause a stateful classifier to behave incorrectly. For this would cause a stateful classifier to behave incorrectly. For this
reason, stateless classifiers should not use the flow label alone to reason, stateless classifiers should not use the flow label alone to
control load distribution, and stateful classifiers should include control load distribution, and stateful classifiers should include
explicit methods to detect and ignore suspect flow label values. explicit methods to detect and ignore suspect flow label values.
Since flows are identified by the 3-tuple of the Flow Label and the Since flows are identified by the 3-tuple of the Flow Label and the
Source and Destination Address, the risk of denial of service Source and Destination Address, the risk of denial of service
introduced by the Flow Label is closely related to the risk of denial introduced by the Flow Label is closely related to the risk of denial
of service by address spoofing. An adversary who is in a position to of service by address spoofing. An adversary who is in a position to
forge an address is also likely to be able to forge a label, and vice forge an address is also likely to be able to forge a label, and vice
versa. versa.
There are two issues with different properties: Spoofing of the Flow There are two issues with different properties: spoofing of the Flow
Label only, and spoofing of the whole 3-tuple, including Source and Label only and spoofing of the whole 3-tuple, including Source and
Destination Address. Destination Address.
The former can be done inside a node which is using or transmitting The former can be done inside a node that is using or transmitting
the correct source address. The ability to spoof a Flow Label the correct source address. The ability to spoof a Flow Label
typically implies being in a position to also forge an address, but typically implies being in a position to also forge an address, but
in many cases, spoofing an address may not be interesting to the in many cases, spoofing an address may not be interesting to the
spoofer, especially if the spoofer's goal is theft of service, rather spoofer, especially if the spoofer's goal is theft of service rather
than denial of service. than denial of service.
The latter can be done by a host which is not subject to ingress The latter can be done by a host that is not subject to ingress
filtering [RFC2827] or by an intermediate router. Due to its filtering [RFC2827] or by an intermediate router. Due to its
properties, this is typically useful only for denial of service. In properties, this is typically useful only for denial of service. In
the absence of ingress filtering, almost any third party could the absence of ingress filtering, almost any third party could
instigate such an attack. instigate such an attack.
In the presence of ingress filtering, forging a non-zero Flow Label In the presence of ingress filtering, forging a non-zero Flow Label
on packets that originated with a zero label, or modifying or on packets that originated with a zero label, or modifying or
clearing a label, could only occur if an intermediate system such as clearing a label, could only occur if an intermediate system such as
a router was compromised, or through some other form of man-in-the- a router was compromised, or through some other form of man-in-the-
middle attack. middle attack.
6.3. IPsec and Tunneling Interactions 6.3. IPsec and Tunneling Interactions
The IPsec protocol, as defined in [RFC4301], [RFC4302], [RFC4303] The IPsec protocol, as defined in [RFC4301], [RFC4302], and
does not include the IPv6 header's Flow Label in any of its [RFC4303], does not include the IPv6 header's Flow Label in any of
cryptographic calculations (in the case of tunnel mode, it is the its cryptographic calculations (in the case of tunnel mode, it is the
outer IPv6 header's Flow Label that is not included). Hence outer IPv6 header's Flow Label that is not included). Hence,
modification of the Flow Label by a network node has no effect on modification of the Flow Label by a network node has no effect on
IPsec end-to-end security, because it cannot cause any IPsec IPsec end-to-end security, because it cannot cause any IPsec
integrity check to fail. As a consequence, IPsec does not provide integrity check to fail. As a consequence, IPsec does not provide
any defense against an adversary's modification of the Flow Label any defense against an adversary's modification of the Flow Label
(i.e., a man-in-the-middle attack). (i.e., a man-in-the-middle attack).
IPsec tunnel mode provides security for the encapsulated IP header's IPsec tunnel mode provides security for the encapsulated IP header's
Flow Label. A tunnel mode IPsec packet contains two IP headers: an Flow Label. A tunnel mode IPsec packet contains two IP headers: an
outer header supplied by the tunnel ingress node and an encapsulated outer header supplied by the tunnel ingress node and an encapsulated
inner header supplied by the original source of the packet. When an inner header supplied by the original source of the packet. When an
IPsec tunnel is passing through nodes performing flow classification, IPsec tunnel is passing through nodes performing flow classification,
the intermediate network nodes operate on the Flow Label in the outer the intermediate network nodes operate on the Flow Label in the outer
header. At the tunnel egress node, IPsec processing includes header. At the tunnel egress node, IPsec processing includes
removing the outer header and forwarding the packet (if required) removing the outer header and forwarding the packet (if required)
using the inner header. The IPsec protocol requires that the inner using the inner header. The IPsec protocol requires that the inner
header's Flow Label not be changed by this decapsulation processing header's Flow Label not be changed by this decapsulation processing
to ensure that modifications to label cannot be used to launch theft- to ensure that modifications to the label cannot be used to launch
or denial-of-service attacks across an IPsec tunnel endpoint. This theft- or denial-of-service attacks across an IPsec tunnel endpoint.
document makes no change to that requirement; indeed it forbids This document makes no change to that requirement; indeed, it forbids
changes to the Flow Label. changes to the Flow Label.
When IPsec tunnel egress decapsulation processing includes a When IPsec tunnel egress decapsulation processing includes a
sufficiently strong cryptographic integrity check of the encapsulated sufficiently strong cryptographic integrity check of the encapsulated
packet (where sufficiency is determined by local security policy), packet (where sufficiency is determined by local security policy),
the tunnel egress node can safely assume that the Flow Label in the the tunnel egress node can safely assume that the Flow Label in the
inner header has the same value as it had at the tunnel ingress node. inner header has the same value it had at the tunnel ingress node.
This analysis and its implications apply to any tunneling protocol This analysis and its implications apply to any tunneling protocol
that performs integrity checks. Of course, any Flow Label set in an that performs integrity checks. Of course, any Flow Label set in an
encapsulating IPv6 header is subject to the risks described in the encapsulating IPv6 header is subject to the risks described in the
previous section. previous section.
6.4. Security Filtering Interactions 6.4. Security Filtering Interactions
The Flow Label does nothing to eliminate the need for packet The Flow Label does nothing to eliminate the need for packet
filtering based on headers past the IP header, if such filtering is filtering based on headers past the IP header if such filtering is
deemed necessary for security reasons on nodes such as firewalls or deemed necessary for security reasons on nodes such as firewalls or
filtering routers. filtering routers.
7. Differences from RFC 3697 7. Differences from RFC 3697
The main differences between this specification and its predecessor The main differences between this specification and its predecessor
are as follows: [RFC3697] are as follows:
o This specification encourages non-zero flow label values to be o This specification encourages non-zero flow label values to be
used, and clearly defines how to set a non-zero value. used and clearly defines how to set a non-zero value.
o It encourages a stateless model with uniformly distributed flow
label values.
o It does not specify any details of a stateful model.
o It retains the rule that the flow label must not be changed en
route, but allows routers to set the label on behalf of hosts that
do not do so.
o It discusses the covert channel risk and its consequences for
firewalls.
For further details see [I-D.ietf-6man-flow-update]. o This specification encourages a stateless model with uniformly
distributed flow label values.
8. IANA Considerations o This specification does not specify any details of a stateful
model.
This document requests no action by IANA. o This specification retains the rule that the flow label must not
be changed en route but allows routers to set the label on behalf
of hosts that do not do so.
9. Acknowledgements o This specification discusses the covert channel risk and its
consequences for firewalls.
For further details, see [RFC6436].
8. Acknowledgements
Valuable comments and contributions were made by Jari Arkko, Ran Valuable comments and contributions were made by Jari Arkko, Ran
Atkinson, Fred Baker, Richard Barnes, Steve Blake, Remi Despres, Alan Atkinson, Fred Baker, Richard Barnes, Steve Blake, Tassos
Ford, Fernando Gont, Brian Haberman, Tony Hain, Joel Halpern, Qinwen Chatzithomaoglou, Remi Despres, Alan Ford, Fernando Gont, Brian
Hu, Chris Morrow, Thomas Narten, Mark Smith, Pascal Thubert, Iljitsch Haberman, Tony Hain, Joel Halpern, Qinwen Hu, Chris Morrow, Thomas
van Beijnum, and other participants in the 6man working group. Narten, Mark Smith, Pascal Thubert, Iljitsch van Beijnum, and other
participants in the 6man working group.
Cristian Calude suggested the von Neumann algorithm in Appendix A. Cristian Calude suggested the von Neumann algorithm in Appendix A.
David Malone and Donald Eastlake gave additional input about hash David Malone and Donald Eastlake gave additional input about hash
algorithms. algorithms.
Steve Deering and Alex Conta were co-authors of RFC 3697, on which Steve Deering and Alex Conta were co-authors of RFC 3697, on which
this document is based. this document is based.
Contributors to the original development of RFC 3697 included Ran Contributors to the original development of RFC 3697 included Ran
Atkinson, Steve Blake, Jim Bound, Francis Dupont, Robert Elz, Tony Atkinson, Steve Blake, Jim Bound, Francis Dupont, Robert Elz, Tony
Hain, Robert Hancock, Bob Hinden, Christian Huitema, Frank Hain, Robert Hancock, Bob Hinden, Christian Huitema, Frank
Kastenholz, Thomas Narten, Charles Perkins, Pekka Savola, Hesham Kastenholz, Thomas Narten, Charles Perkins, Pekka Savola, Hesham
Soliman, Michael Thomas, Margaret Wasserman, and Alex Zinin. Soliman, Michael Thomas, Margaret Wasserman, and Alex Zinin.
This document was produced using the xml2rfc tool [RFC2629]. 9. References
10. Change log [RFC Editor: Please remove]
draft-ietf-6man-flow-3697bis-06: resolved IESG comments, 2011-07-29.
draft-ietf-6man-flow-3697bis-06: resolved IETF Last Call comments,
2011-07-11.
draft-ietf-6man-flow-3697bis-05: resolved AD comments, improved hash
algorithm, 2011-06-29.
draft-ietf-6man-flow-3697bis-04: update to resolve further WG
comments, 2011-05-11:
o Suggested a specific hash algorithm to generate a flow label.
o Removed reference to stateful domain.
o Added text about covert channel and tuned text about firewall
behavior; removed the confusing word "immutable".
o Added that Section 6 of RFC 2460 is replaced.
o Editorial fixes.
draft-ietf-6man-flow-3697bis-03: update to resolve WGLC comments,
2011-05-02:
o Clarified that the network layer view of flows is agnostic about
transport sessions.
o Honed the definition of stateless v stateful models.
o Honed the text about using a pseudo-random function.
o Moved material about violation of immutability to Security
section, and rephrased accordingly.
o Dropped material about setting the flow label at a domain exit
router: doesn't belong here now that we have dropped almost all
the stateful text.
o Removed normative reference to draft-gont-6man-flowlabel-security.
o Removed the statement that a node that does not set or use the
flow label must ignore it: this statement appears to be a no-op.
o Added a summary of changes from RFC 3697.
o Miscellaneous editorial fixes.
draft-ietf-6man-flow-3697bis-02: update to remove most text about
stateful methods, 2011-03-13
draft-ietf-6man-flow-3697bis-01: update after resolving 11 initial
issues, 2011-02-26
draft-ietf-6man-flow-3697bis-00: original version, built from RFC3697
and draft-ietf-6man-flow-update-01, 2011-01-31
11. References
11.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 9.1. Normative References
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2205] Braden, B., Zhang, L., Berson, S., Herzog, S., and S. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Jamin, "Resource ReSerVation Protocol (RSVP) -- Version 1 Requirement Levels", BCP 14, RFC 2119, March 1997.
Functional Specification", RFC 2205, September 1997.
[RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 [RFC2205] Braden, B., Zhang, L., Berson, S., Herzog, S., and S.
(IPv6) Specification", RFC 2460, December 1998. Jamin, "Resource ReSerVation Protocol (RSVP) -- Version
1 Functional Specification", RFC 2205, September 1997.
[RFC4086] Eastlake, D., Schiller, J., and S. Crocker, "Randomness [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6
Requirements for Security", BCP 106, RFC 4086, June 2005. (IPv6) Specification", RFC 2460, December 1998.
11.2. Informative References [RFC4086] Eastlake, D., Schiller, J., and S. Crocker, "Randomness
Requirements for Security", BCP 106, RFC 4086,
June 2005.
[I-D.gont-6man-flowlabel-security] 9.2. Informative References
Gont, F., "Security Assessment of the IPv6 Flow Label",
draft-gont-6man-flowlabel-security-01 (work in progress),
November 2010.
[I-D.ietf-6man-flow-ecmp] [LABEL-SEC] Gont, F., "Security Assessment of the IPv6 Flow Label",
Carpenter, B. and S. Amante, "Using the IPv6 flow label Work in Progress, November 2010.
for equal cost multipath routing and link aggregation in
tunnels", draft-ietf-6man-flow-ecmp-05 (work in progress),
July 2011.
[I-D.ietf-6man-flow-update] [NSA] Potyraj, C., "Firewall Design Considerations for IPv6",
Amante, S., Carpenter, B., and S. Jiang, "Rationale for National Security Agency I733-041R-2007, 2007,
update to the IPv6 flow label specification", <http://www.nsa.gov/ia/_files/ipv6/I733-041R-2007.pdf>.
draft-ietf-6man-flow-update-07 (work in progress),
July 2011.
[NSA] Potyraj, C., "Firewall Design Considerations for IPv6", [RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering:
National Security Agency I733-041R-2007, 2007, Defeating Denial of Service Attacks which employ IP
<http://www.nsa.gov/ia/_files/ipv6/I733-041R-2007.pdf>. Source Address Spoofing", BCP 38, RFC 2827, May 2000.
[RFC2629] Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629, [RFC3697] Rajahalme, J., Conta, A., Carpenter, B., and S. Deering,
June 1999. "IPv6 Flow Label Specification", RFC 3697, March 2004.
[RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering: [RFC4301] Kent, S. and K. Seo, "Security Architecture for the
Defeating Denial of Service Attacks which employ IP Source Internet Protocol", RFC 4301, December 2005.
Address Spoofing", BCP 38, RFC 2827, May 2000.
[RFC3697] Rajahalme, J., Conta, A., Carpenter, B., and S. Deering, [RFC4302] Kent, S., "IP Authentication Header", RFC 4302,
"IPv6 Flow Label Specification", RFC 3697, March 2004. December 2005.
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)",
Internet Protocol", RFC 4301, December 2005. RFC 4303, December 2005.
[RFC4302] Kent, S., "IP Authentication Header", RFC 4302, [RFC4311] Hinden, R. and D. Thaler, "IPv6 Host-to-Router Load
December 2005. Sharing", RFC 4311, November 2005.
[RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", [RFC4732] Handley, M., Rescorla, E., and IAB, "Internet Denial-of-
RFC 4303, December 2005. Service Considerations", RFC 4732, December 2006.
[RFC4311] Hinden, R. and D. Thaler, "IPv6 Host-to-Router Load [RFC5971] Schulzrinne, H. and R. Hancock, "GIST: General Internet
Sharing", RFC 4311, November 2005. Signalling Transport", RFC 5971, October 2010.
[RFC4732] Handley, M., Rescorla, E., and IAB, "Internet Denial-of- [RFC6436] Amante, S., Carpenter, B., and S. Jiang, "Rationale for
Service Considerations", RFC 4732, December 2006. Update to the IPv6 Flow Label Specification", RFC 6436,
November 2011.
[RFC5971] Schulzrinne, H. and R. Hancock, "GIST: General Internet [RFC6438] Carpenter, B. and S. Amante, "Using the IPv6 Flow Label
Signalling Transport", RFC 5971, October 2010. for Equal Cost Multipath Routing and Link Aggregation in
Tunnels", RFC 6438, November 2011.
[vonNeumann] [vonNeumann] von Neumann, J., "Various techniques used in connection
von Neumann, J., "Various techniques used in connection with random digits", National Bureau of Standards
with random digits", National Bureau of Standards Applied Applied Math Series 12, 36-38, 1951.
Math Series 12, 36-38, 1951.
Appendix A. Example 20-bit Hash Function Appendix A. Example 20-Bit Hash Function
As mentioned in Section 3, a stateless hash function may be used to As mentioned in Section 3, a stateless hash function may be used to
generate a flow label value from an IPv6 packet's 5-tuple. It is not generate a flow label value from an IPv6 packet's 5-tuple. It is not
trivial to choose a suitable hash function, and it is expected that trivial to choose a suitable hash function, and it is expected that
extensive practical experience will be required to identify the best extensive practical experience will be required to identify the best
choices. An example function, based on an algorithm by von Neumann choices. An example function, based on an algorithm by von Neumann
known to produce an approximately uniform distribution [vonNeumann], known to produce an approximately uniform distribution [vonNeumann],
follows. For each packet for which a flow label must be generated, follows. For each packet for which a flow label must be generated,
execute the following steps: execute the following steps:
1. Split the destination and source addresses into two 64 bit values 1. Split the destination and source addresses into two 64-bit values
each, thus transforming the 5-tuple into a 7-tuple. each, thus transforming the 5-tuple into a 7-tuple.
2. Add the following five components together using unsigned 64 bit
2. Add the following five components together using unsigned 64-bit
arithmetic, discarding any carry bits: both parts of the source arithmetic, discarding any carry bits: both parts of the source
address, both parts of the destination address, and the protocol address, both parts of the destination address, and the protocol
number. number.
3. Apply the von Neumann algorithm to the resulting string of 64 3. Apply the von Neumann algorithm to the resulting string of 64
bits: bits:
1. Starting at the least significant end, select two bits. 1. Starting at the least significant end, select two bits.
2. If the two bits are 00 or 11, discard them. 2. If the two bits are 00 or 11, discard them.
3. If the two bits are 01, output a 0 bit. 3. If the two bits are 01, output a 0 bit.
4. If the two bits are 10, output a 1 bit. 4. If the two bits are 10, output a 1 bit.
5. Repeat with the next two bits in the input 64 bit string.
6. Stop when 16 bits have been output (or when the 64 bit string 5. Repeat with the next two bits in the input 64-bit string.
6. Stop when 16 bits have been output (or when the 64-bit string
is exhausted). is exhausted).
4. Add the two port numbers to the resulting 16 bit number.
5. Shift the resulting value 4 bits left and mask with 0xfffff. 4. Add the two port numbers to the resulting 16-bit number.
5. Shift the resulting value 4 bits left, and mask with 0xfffff.
6. In the highly unlikely event that the result is exactly zero, set 6. In the highly unlikely event that the result is exactly zero, set
the flow label arbitrarily to the value 1. the flow label arbitrarily to the value 1.
Note that this simple example does not include a step to prevent Note that this simple example does not include a step to prevent
predictability, as recommended in Section 6. predictability, as recommended in Section 6.
Authors' Addresses Authors' Addresses
Shane Amante Shane Amante
Level 3 Communications, LLC Level 3 Communications, LLC
1025 Eldorado Blvd 1025 Eldorado Blvd
Broomfield, CO 80021 Broomfield, CO 80021
USA USA
Email: shane@level3.net EMail: shane@level3.net
Brian Carpenter Brian Carpenter
Department of Computer Science Department of Computer Science
University of Auckland University of Auckland
PB 92019 PB 92019
Auckland, 1142 Auckland 1142
New Zealand New Zealand
Email: brian.e.carpenter@gmail.com EMail: brian.e.carpenter@gmail.com
Sheng Jiang Sheng Jiang
Huawei Technologies Co., Ltd Huawei Technologies Co., Ltd
Huawei Building, No.3 Xinxi Rd., Q14, Huawei Campus
Shang-Di Information Industry Base, Hai-Dian District, Beijing No.156 Beiqing Road
Hai-Dian District, Beijing 100095
P.R. China P.R. China
Email: jiangsheng@huawei.com EMail: jiangsheng@huawei.com
Jarno Rajahalme Jarno Rajahalme
Nokia Siemens Networks Nokia Siemens Networks
Linnoitustie 6 Linnoitustie 6
02600 Espoo 02600 Espoo
Finland Finland
Email: jarno.rajahalme@nsn.com EMail: jarno.rajahalme@nsn.com
 End of changes. 96 change blocks. 
267 lines changed or deleted 218 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/