--- 1/draft-ietf-6man-flow-3697bis-02.txt 2011-05-02 23:15:37.000000000 +0200 +++ 2/draft-ietf-6man-flow-3697bis-03.txt 2011-05-02 23:15:38.000000000 +0200 @@ -1,23 +1,23 @@ 6MAN S. Amante Internet-Draft Level 3 Obsoletes: 3697 (if approved) B. Carpenter Updates: 2205, 2460 (if approved) Univ. of Auckland Intended status: Standards Track S. Jiang -Expires: September 14, 2011 Huawei Technologies Co., Ltd +Expires: November 3, 2011 Huawei Technologies Co., Ltd J. Rajahalme - Nokia-Siemens Networks - March 13, 2011 + Nokia Siemens Networks + May 2, 2011 IPv6 Flow Label Specification - draft-ietf-6man-flow-3697bis-02 + draft-ietf-6man-flow-3697bis-03 Abstract This document specifies the IPv6 Flow Label field and the minimum requirements for IPv6 nodes labeling flows, IPv6 nodes forwarding labeled packets, and flow state establishment methods. Even when mentioned as examples of possible uses of the flow labeling, more detailed requirements for specific use cases are out of scope for this document. @@ -33,21 +33,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on September 14, 2011. + This Internet-Draft will expire on November 3, 2011. Copyright Notice Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents @@ -66,66 +66,67 @@ the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. IPv6 Flow Label Specification . . . . . . . . . . . . . . . . 5 - 3. Stateless Flow Labeling Requirements . . . . . . . . . . . . . 7 - 4. Flow State Establishment Requirements . . . . . . . . . . . . 8 + 3. Stateless Flow Labeling Requirements . . . . . . . . . . . . . 6 + 4. Flow State Establishment Requirements . . . . . . . . . . . . 7 5. Essential correction to RFC 2205 . . . . . . . . . . . . . . . 8 6. Security Considerations . . . . . . . . . . . . . . . . . . . 8 6.1. Theft and Denial of Service . . . . . . . . . . . . . . . 8 6.2. IPsec and Tunneling Interactions . . . . . . . . . . . . . 10 6.3. Security Filtering Interactions . . . . . . . . . . . . . 10 - 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 - 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 11 - 9. Change log . . . . . . . . . . . . . . . . . . . . . . . . . . 11 - 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 12 - 10.1. Normative References . . . . . . . . . . . . . . . . . . . 12 - 10.2. Informative References . . . . . . . . . . . . . . . . . . 12 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 12 + 7. Differences from RFC 3697 . . . . . . . . . . . . . . . . . . 11 + 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 + 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 11 + 10. Change log [RFC Editor: Please remove] . . . . . . . . . . . . 11 + 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 12 + 11.1. Normative References . . . . . . . . . . . . . . . . . . . 12 + 11.2. Informative References . . . . . . . . . . . . . . . . . . 12 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 13 1. Introduction - A flow is a sequence of packets sent from a particular source to a - particular unicast, anycast, or multicast destination that a node - desires to label as a flow. A flow could consist of all packets in a - specific transport connection or a media stream. However, a flow is - not necessarily 1:1 mapped to a transport connection. + From the viewpoint of the network layer, a flow is a sequence of + packets sent from a particular source to a particular unicast, + anycast, or multicast destination that a node desires to label as a + flow. From an upper layer viewpoint, a flow could consist of all + packets in a specific transport connection or a media stream. + However, a flow is not necessarily 1:1 mapped to a transport + connection. Traditionally, flow classifiers have been based on the 5-tuple of the source and destination addresses, ports, and the transport protocol type. However, some of these fields may be unavailable due to either fragmentation or encryption, or locating them past a chain of IPv6 extension headers may be inefficient. Additionally, if classifiers depend only on IP layer headers, later introduction of alternative transport layer protocols will be easier. The usage of the 3-tuple of the Flow Label and the Source and Destination Address fields enables efficient IPv6 flow classification, where only IPv6 main header fields in fixed positions are used. The flow label could be used in both stateless and stateful - scenarios. A stateless scenario is one where a node that sets the - flow label value for all packets of a given flow does not need to - store any information about the flow, and any node that processes the - flow label in any way also does not need to store any information - after a packet has been processed. A stateful scenario is one where - a node that sets or processes the flow label value needs to store - information about the flow, including the flow label value. A - stateful scenario might also require a signaling mechanism to - establish flow state in the network. + scenarios. A stateless scenario is one where any node that processes + the flow label in any way does not need to store any information + about a flow before or after a packet has been processed. A stateful + scenario is one where a node that processes the flow label value + needs to store information about the flow, including the flow label + value. A stateful scenario might also require a signaling mechanism + to establish flow state in the network. The flow label can be used most simply in stateless scenarios. This specification concentrates on the stateless model and how it can be used as a default mechanism. Details of stateful models, signaling, specific flow state establishment methods and their related service models are out of scope for this specification. The basic requirement for stateful models is set forth in Section 4. The minimum level of IPv6 flow support consists of labeling the flows. A specific goal is to enable and encourage the use of the @@ -146,137 +147,124 @@ correction to [RFC2205] concerning the flow label. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 2. IPv6 Flow Label Specification The 20-bit Flow Label field in the IPv6 header [RFC2460] is used by a node to label packets of a flow. A Flow Label of zero is used to - indicate packets not part of any flow. Packet classifiers can use - the triplet of Flow Label, Source Address, and Destination Address - fields to identify which flow a particular packet belongs to. + indicate packets that have not been labeled. Packet classifiers can + use the triplet of Flow Label, Source Address, and Destination + Address fields to identify which flow a particular packet belongs to. Packets are processed in a flow-specific manner by nodes that are able to do so in a stateless manner, or that have been set up with flow-specific state. The nature of the specific treatment and the methods for flow state establishment are out of scope for this - specification. However, any node that sets flow label values - according to a stateful scheme MUST ensure that packets conform to - Section 3 of the present specification if they are sent outside the - network domain using the stateful scheme. + specification. - As specified below in Section 3, the normal expectation is that flow - label values are uniformly distributed. In this specification, it is - recommended below that a pseudo-random method should be used to - achieve such a uniform distribution. Intentionally, there are no - precise mathematical requirements placed on the distribution or the - pseudo-random method. + Flow label values should be chosen such that their bits exhibit a + high degree of variability, making them suitable for use as part of + the input to a hash function used in a load distribution scheme. At + the same time, third parties should be unlikely to be able to guess + the next value that a source of flow labels will choose. - Once set to a non-zero value, the Flow Label MUST be delivered - unchanged to the destination node(s). A forwarding node MUST NOT - change the flow label value in an arriving packet if it is non-zero. - However, there are two qualifications to this rule: - 1. Implementers are advised that forwarding nodes, especially those - acting as domain border devices, might nevertheless be configured - to change the flow label value in packets. This is undetectable, - unless some future version of IPsec authentication [RFC4302] - protects the flow label value. + In statistics, a discrete uniform distribution is defined as a + probability distribution in which each value in a given range of + equally spaced values (such as a sequence of integers) is equally + likely to be chosen as the next value. The values in such a + distribution exhibit both variability and unguessability. Thus, as + specified below in Section 3, an approximation to a discrete uniform + distribution is preferable as the source of flow label values. + Intentionally, there are no precise mathematical requirements placed + on the distribution or the method used to achieve such a + distribution. - 2. To enable stateless load distribution at any point in the - Internet, a network domain should never export packets - originating within the domain whose flow label values do not - conform to Section 3. However, neither domain border egress - routers nor intermediate routers/devices (using a flow-label, for - example, as a part of an input-key for a load-distribution hash) - can determine by inspection that a value is not part of a uniform - distribution. Therefore, if nodes within a domain ignore the - recommendations of Section 3, and such packets are forwarded - outside the domain, this might result in undesirable operational - implications (e.g., congestion, reordering) for not only the - inappropriately flow-labelled packets, but also well-behaved - flow-labelled packets, during forwarding at various intermediate - devices. Thus, a domain must protect its peers by never - exporting inappropriately labelled packets originating within the - domain. This is why nodes using a stateful scheme must not set - the flow label to a non-zero and non-uniformly distributed value - if the packet will leave their domain. If it is known to a - border router that flow labels originated within the domain are - not uniformly distributed, it will need to set outgoing flow - labels in the same manner as described for forwarding nodes in - Section 3. + Once set to a non-zero value, the Flow Label MUST be delivered + unchanged to the destination node(s). That is, a forwarding node + MUST NOT change the flow label value in an arriving packet if it is + non-zero. There is no way to verify whether a flow label has been modified en route or whether it belongs to a uniform distribution. Therefore, no Internet-wide mechanism can depend mathematically on immutable and uniformly distributed flow labels; they have a "best effort" quality. This leads to the following formal rules: o Implementers should be aware that the flow label is an unprotected field that could have been accidentally or intentionally changed - en route. Implementations MUST take appropriate steps to protect - themselves from being vulnerable to denial of service and other - types of attack that could result (see Section 6.1). - o Forwarding nodes such as routers and load balancers MUST NOT + en route (see Section 6). + o Forwarding nodes such as routers and load distributors MUST NOT depend only on Flow Label values being uniformly distributed. In any usage such as a hash key for load distribution, the Flow Label bits MUST be combined at least with bits from other sources within the packet, so as to produce a constant hash value for each flow and a suitable distribution of hash values across flows. + Typically the other fields used will be some or all components of + the usual 5-tuple. Although uniformly distributed flow label values are recommended - below, and will always be helpful for load balancing, it is unsafe to - assume their presence in the general case, and the use case needs to - work even if the flow label value is zero. - - The use of the Flow Label field does not necessarily signal any - requirement on packet reordering. Especially, the zero label does - not imply that significant reordering is acceptable. + below, and will always be helpful for load distribution, it is unsafe + to assume their presence in the general case, and the use case needs + to work even if the flow label value is zero. - An IPv6 node that does not set the flow label to a non-zero value, or - make use of it in any way, MUST ignore it when receiving or - forwarding a packet. + As a general practice, packet flows should not be reordered, and the + use of the Flow Label field does not affect this. In particular, a + Flow label value of zero does not imply that reordering is + acceptable. 3. Stateless Flow Labeling Requirements This section defines the minimum requirements for stateless methods of setting the flow label value. To enable Flow Label based classification, source nodes SHOULD assign each unrelated transport connection and application data stream to a new flow. A typical definition of a flow for this purpose is any set of packets carrying the same 5-tuple {dest addr, source addr, protocol, dest port, source port}. It is desirable that flow label values should be uniformly distributed to assist load distribution. It is therefore RECOMMENDED that source hosts support the flow label by setting the flow label - field for all packets of a given flow to the same uniformly - distributed pseudo-random value. Both stateful and stateless methods - of assigning a pseudo-random value could be used, but it is outside - the scope of this specification to mandate an algorithm. In a - stateless mechanism, the algorithm SHOULD ensure that the resulting - flow label values are unique with high probability. + field for all packets of a given flow to the same value chosen from + an approximation to a discrete uniform distribution. Both stateful + and stateless methods of assigning a value could be used, but it is + outside the scope of this specification to mandate an algorithm. The + algorithm SHOULD ensure that the resulting flow label values are + unique with high probability. However, if two flows are by chance + assigned the same flow label value, and have the same source and + destination addresses, it simply means that they will receive the + same treatment throughout the network. As long as this is a low + probability event, it will not significantly affect load + distribution. - An OPTIONAL algorithm for generating such a pseudo-random value is - described in [I-D.gont-6man-flowlabel-security]. + A possible stateless algorithm is to use a suitable 20 bit hash of + values from the IP packet's 5-tuple. An alternative is to to use a + pseudo-random number generator to assign a flow label value for a + given transport session; such a method will require minimal local + state to be kept at the source node. Viewed externally, either + approach will produce values that are effectively uniformly + distributed and pseudo-random. - [[ NOTE TO RFC EDITOR: The preceding sentence should be deleted, and - the reference should be changed to Informative, if the cited draft is - not on the standards track at the time of publication. ]] + An implementation in which flow labels are assigned sequentially is + NOT RECOMMENDED, as it would then be simple for third parties to + guess the next value. A source node which does not otherwise set the flow label MUST set its value to zero. A node that forwards a flow whose flow label value in arriving - packets is zero MAY set the flow label value. In that case, it is + packets is zero MAY change the flow label value. In that case, it is RECOMMENDED that the forwarding node sets the flow label field for a - flow to a uniformly distributed pseudo-random value. + flow to a uniformly distributed value as just described for source + nodes. o The same considerations apply as to source hosts setting the flow label; in particular, the normal case is that a flow is defined by the 5-tuple. o This option, if implemented, would presumably be used by first-hop or ingress routers. It might place a considerable per-packet processing load on them, even if they adopted a stateless method of flow identification and label assignment. This is why the principal recommendation is that the source host should set the label. @@ -284,45 +272,56 @@ include routers that set flow labels on behalf of hosts that do not do so. They also recommend that flow labels exported to the Internet are always either zero or uniformly distributed. 4. Flow State Establishment Requirements A node that sets the flow label MAY also take part in a flow state establishment method that results in assigning specific treatments to specific flows, possibly including signaling. Any such method MUST NOT disturb nodes taking part in the stateless model just described. - Further details are not discussed in this document. + + Thus, any node that sets flow label values according to a stateful + scheme MUST ensure that packets conform to Section 3 of the present + specification if they are sent outside the network domain using the + stateful scheme. Further details are not discussed in this document. 5. Essential correction to RFC 2205 [RFC2460] reduced the size of the flow label field from 24 to 20 bits. The references to a 24 bit flow label field on pages 87 and 88 of [RFC2205] are updated accordingly. 6. Security Considerations This section considers security issues raised by the use of the Flow Label, primarily the potential for denial-of-service attacks, and the related potential for theft of service by unauthorized traffic (Section 6.1). Section 6.2 addresses the use of the Flow Label in the presence of IPsec including its interaction with IPsec tunnel mode and other tunneling protocols. We also note that inspection of unencrypted Flow Labels may allow some forms of traffic analysis by revealing some structure of the underlying communications. Even if the flow label were encrypted, its presence as a constant value in a fixed position might assist traffic analysis and cryptoanalysis. - The flow label is not protected in any way and can be forged by an - on-path attacker. On the other hand, a uniformly distributed pseudo- - random flow label cannot be readily guessed by an off-path attacker; - see [I-D.gont-6man-flowlabel-security] for further discussion. + The flow label is not protected in any way, even if IPsec + authentication [RFC4302] is in use, so it can be forged by an on-path + attacker. On the other hand, a uniformly distributed pseudo-random + flow label cannot be readily guessed by an off-path attacker; see + [I-D.gont-6man-flowlabel-security] for further discussion. + + This specification defines the flow label as immutable once it has + been set to a non-zero value. However, implementers are advised that + forwarding nodes, especially those acting as domain border devices, + might nevertheless be configured to change the flow label value in + packets. This is undetectable. 6.1. Theft and Denial of Service Since the mapping of network traffic to flow-specific treatment is triggered by the IP addresses and Flow Label value of the IPv6 header, an adversary may be able to obtain unintended service by modifying the IPv6 header or by injecting packets with false addresses and/or labels. Theft of service is not further discussed in this document, since it can only be analysed for specific stateful methods of using the flow label. However, a denial of service attack @@ -336,23 +335,23 @@ Note that since the treatment of IP headers by nodes is typically unverified, there is no guarantee that flow labels sent by a node are set according to the recommendations in this document. A man-in-the- middle or injected-traffic denial of service attack specifically directed at flow label handling would involve setting unusual flow labels. For example, an attacker could set all flow labels reaching a given router to the same arbitrary non-zero value, or could perform rapid cycling of flow label values such that the packets of a given flow will each have a different value. Either of these attacks would cause a stateless load distribution algorithm to perform badly and - would cause a stateful mechanism to behave incorrectly. For this - reason, stateless mechanisms should not use the flow label alone to - control load distribution, and stateful mechanisms should include + would cause a stateful classifier to behave incorrectly. For this + reason, stateless classifiers should not use the flow label alone to + control load distribution, and stateful classifiers should include explicit methods to detect and ignore suspect flow label values. Since flows are identified by the 3-tuple of the Flow Label and the Source and Destination Address, the risk of denial of service introduced by the Flow Label is closely related to the risk of denial of service by address spoofing. An adversary who is in a position to forge an address is also likely to be able to forge a label, and vice versa. There are two issues with different properties: Spoofing of the Flow @@ -419,79 +418,112 @@ 6.3. Security Filtering Interactions The Flow Label does nothing to eliminate the need for packet filtering based on headers past the IP header, if such filtering is deemed necessary for security reasons on nodes such as firewalls or filtering routers. However, security devices that clear or rewrite non-zero flow label values would be in violation of this specification. -7. IANA Considerations +7. Differences from RFC 3697 + + The main differences between this specification and its predecessor + are as follows: + o This specification encourages non-zero flow label values to be + used, and clearly defines how to set a non-zero value. + o It encourages a stateless model with uniformly distributed flow + label values. + o It does not specify any details of a stateful model. + o It retains the rule that the flow label is immutable, but allows + routers to set the label on behalf of hosts that do not do so. + + For further details see [I-D.ietf-6man-flow-update]. + +8. IANA Considerations This document requests no action by IANA. -8. Acknowledgements +9. Acknowledgements Steve Deering and Alex Conta were co-authors of RFC 3697, on which this document is based. Valuable comments and contributions were made by Fred Baker, Steve Blake, Remi Despres, Alan Ford, Fernando Gont, Brian Haberman, Tony Hain, Joel Halpern, Qinwen Hu, Chris Morrow, Thomas Narten, Mark Smith, Pascal Thubert, Iljitsch van Beijnum, and other participants in the 6man working group. Contributors to the development of RFC 3697 included Ran Atkinson, Steve Blake, Jim Bound, Francis Dupont, Robert Elz, Tony Hain, Robert Hancock, Bob Hinden, Christian Huitema, Frank Kastenholz, Thomas Narten, Charles Perkins, Pekka Savola, Hesham Soliman, Michael Thomas, Margaret Wasserman, and Alex Zinin. This document was produced using the xml2rfc tool [RFC2629]. -9. Change log +10. Change log [RFC Editor: Please remove] + + draft-ietf-6man-flow-3697bis-03: update to resolve WGLC comments, + 2011-05-02: + + o Clarified that the network layer view of flows is agnostic about + transport sessions. + o Honed the definition of stateless v stateful models. + o Honed the text about using a pseudo-random function. + o Moved material about violation of immutability to Security + section, and rephrased accordingly. + o Dropped material about setting the flow label at a domain exit + router: doesn't belong here now that we have dropped almost all + the stateful text. + o Removed normative reference to draft-gont-6man-flowlabel-security. + o Removed the statement that a node that does not set or use the + flow label must ignore it: this statement appears to be a no-op. + o Added a summary of changes from RFC 3697. + o Miscellaneous editorial fixes. draft-ietf-6man-flow-3697bis-02: update to remove most text about stateful methods, 2011-03-13 draft-ietf-6man-flow-3697bis-01: update after resolving 11 initial issues, 2011-02-26 draft-ietf-6man-flow-3697bis-00: original version, built from RFC3697 and draft-ietf-6man-flow-update-01, 2011-01-31 -10. References -10.1. Normative References +11. References - [I-D.gont-6man-flowlabel-security] - Gont, F., "Security Assessment of the IPv6 Flow Label", - draft-gont-6man-flowlabel-security-01 (work in progress), - November 2010. +11.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC2205] Braden, B., Zhang, L., Berson, S., Herzog, S., and S. Jamin, "Resource ReSerVation Protocol (RSVP) -- Version 1 Functional Specification", RFC 2205, September 1997. [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", RFC 2460, December 1998. -10.2. Informative References +11.2. Informative References + + [I-D.gont-6man-flowlabel-security] + Gont, F., "Security Assessment of the IPv6 Flow Label", + draft-gont-6man-flowlabel-security-01 (work in progress), + November 2010. [I-D.ietf-6man-flow-update] Amante, S., Carpenter, B., and S. Jiang, "Rationale for update to the IPv6 flow label specification", - draft-ietf-6man-flow-update-03 (work in progress), - February 2011. + draft-ietf-6man-flow-update-04 (work in progress), + March 2011. [RFC2629] Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629, June 1999. [RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", BCP 38, RFC 2827, May 2000. [RFC3697] Rajahalme, J., Conta, A., Carpenter, B., and S. Deering, "IPv6 Flow Label Specification", RFC 3697, March 2004. @@ -516,26 +548,25 @@ Email: shane@level3.net Brian Carpenter Department of Computer Science University of Auckland PB 92019 Auckland, 1142 New Zealand Email: brian.e.carpenter@gmail.com - Sheng Jiang Huawei Technologies Co., Ltd Huawei Building, No.3 Xinxi Rd., Shang-Di Information Industry Base, Hai-Dian District, Beijing P.R. China - Email: shengjiang@huawei.com + Email: jiangsheng@huawei.com Jarno Rajahalme - Nokia-Siemens Networks - TBD - TBD + Nokia Siemens Networks + Linnoitustie 6 + 02600 Espoo Finland Email: jarno.rajahalme@nsn.com