draft-ietf-6man-flow-3697bis-03.txt   draft-ietf-6man-flow-3697bis-04.txt 
6MAN S. Amante 6MAN S. Amante
Internet-Draft Level 3 Internet-Draft Level 3
Obsoletes: 3697 (if approved) B. Carpenter Obsoletes: 3697 (if approved) B. Carpenter
Updates: 2205, 2460 (if approved) Univ. of Auckland Updates: 2205, 2460 (if approved) Univ. of Auckland
Intended status: Standards Track S. Jiang Intended status: Standards Track S. Jiang
Expires: November 3, 2011 Huawei Technologies Co., Ltd Expires: November 12, 2011 Huawei Technologies Co., Ltd
J. Rajahalme J. Rajahalme
Nokia Siemens Networks Nokia Siemens Networks
May 2, 2011 May 11, 2011
IPv6 Flow Label Specification IPv6 Flow Label Specification
draft-ietf-6man-flow-3697bis-03 draft-ietf-6man-flow-3697bis-04
Abstract Abstract
This document specifies the IPv6 Flow Label field and the minimum This document specifies the IPv6 Flow Label field and the minimum
requirements for IPv6 nodes labeling flows, IPv6 nodes forwarding requirements for IPv6 nodes labeling flows, IPv6 nodes forwarding
labeled packets, and flow state establishment methods. Even when labeled packets, and flow state establishment methods. Even when
mentioned as examples of possible uses of the flow labeling, more mentioned as examples of possible uses of the flow labeling, more
detailed requirements for specific use cases are out of scope for detailed requirements for specific use cases are out of scope for
this document. this document.
skipping to change at page 1, line 44 skipping to change at page 1, line 44
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 3, 2011. This Internet-Draft will expire on November 12, 2011.
Copyright Notice Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 9 skipping to change at page 3, line 9
the copyright in such materials, this document may not be modified the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other it for publication as an RFC or to translate it into languages other
than English. than English.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
2. IPv6 Flow Label Specification . . . . . . . . . . . . . . . . 5 2. IPv6 Flow Label Specification . . . . . . . . . . . . . . . . 5
3. Stateless Flow Labeling Requirements . . . . . . . . . . . . . 6 3. Flow Labeling Requirements in the Stateless Scenario . . . . . 6
4. Flow State Establishment Requirements . . . . . . . . . . . . 7 4. Flow State Establishment Requirements . . . . . . . . . . . . 8
5. Essential correction to RFC 2205 . . . . . . . . . . . . . . . 8 5. Essential correction to RFC 2205 . . . . . . . . . . . . . . . 8
6. Security Considerations . . . . . . . . . . . . . . . . . . . 8 6. Security Considerations . . . . . . . . . . . . . . . . . . . 8
6.1. Theft and Denial of Service . . . . . . . . . . . . . . . 8 6.1. Covert Channel Risk . . . . . . . . . . . . . . . . . . . 8
6.2. IPsec and Tunneling Interactions . . . . . . . . . . . . . 10 6.2. Theft and Denial of Service . . . . . . . . . . . . . . . 9
6.3. Security Filtering Interactions . . . . . . . . . . . . . 10 6.3. IPsec and Tunneling Interactions . . . . . . . . . . . . . 10
6.4. Security Filtering Interactions . . . . . . . . . . . . . 11
7. Differences from RFC 3697 . . . . . . . . . . . . . . . . . . 11 7. Differences from RFC 3697 . . . . . . . . . . . . . . . . . . 11
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 11 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 12
10. Change log [RFC Editor: Please remove] . . . . . . . . . . . . 11 10. Change log [RFC Editor: Please remove] . . . . . . . . . . . . 12
11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 12 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13
11.1. Normative References . . . . . . . . . . . . . . . . . . . 12 11.1. Normative References . . . . . . . . . . . . . . . . . . . 13
11.2. Informative References . . . . . . . . . . . . . . . . . . 12 11.2. Informative References . . . . . . . . . . . . . . . . . . 13
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 13 Appendix A. Simple 20-bit Hash Function . . . . . . . . . . . . . 14
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 15
1. Introduction 1. Introduction
From the viewpoint of the network layer, a flow is a sequence of From the viewpoint of the network layer, a flow is a sequence of
packets sent from a particular source to a particular unicast, packets sent from a particular source to a particular unicast,
anycast, or multicast destination that a node desires to label as a anycast, or multicast destination that a node desires to label as a
flow. From an upper layer viewpoint, a flow could consist of all flow. From an upper layer viewpoint, a flow could consist of all
packets in a specific transport connection or a media stream. packets in a specific transport connection or a media stream.
However, a flow is not necessarily 1:1 mapped to a transport However, a flow is not necessarily 1:1 mapped to a transport
connection. connection.
skipping to change at page 5, line 8 skipping to change at page 5, line 8
especially across Equal Cost Multi-Path (EMCP) and/or Link especially across Equal Cost Multi-Path (EMCP) and/or Link
Aggregation Group (LAG) paths. ECMP and LAG are methods to bond Aggregation Group (LAG) paths. ECMP and LAG are methods to bond
together multiple physical links used to procure the required together multiple physical links used to procure the required
capacity necessary to carry an offered load greater than the capacity necessary to carry an offered load greater than the
bandwidth of an individual physical link. IPv6 source nodes SHOULD bandwidth of an individual physical link. IPv6 source nodes SHOULD
be able to label known flows (e.g., TCP connections, application be able to label known flows (e.g., TCP connections, application
streams), even if the node itself does not require any flow-specific streams), even if the node itself does not require any flow-specific
treatment. Node requirements for stateless flow labeling are given treatment. Node requirements for stateless flow labeling are given
in Section 3. in Section 3.
This document replaces [RFC3697] and Appendix A of [RFC2460]. A This document replaces [RFC3697] and Section 6 and Appendix A of
rationale for the changes made is documented in [RFC2460]. A rationale for the changes made is documented in
[I-D.ietf-6man-flow-update]. The present document also includes a [I-D.ietf-6man-flow-update]. The present document also includes a
correction to [RFC2205] concerning the flow label. correction to [RFC2205] concerning the flow label.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
2. IPv6 Flow Label Specification 2. IPv6 Flow Label Specification
The 20-bit Flow Label field in the IPv6 header [RFC2460] is used by a The 20-bit Flow Label field in the IPv6 header [RFC2460] is used by a
skipping to change at page 5, line 50 skipping to change at page 5, line 50
distribution exhibit both variability and unguessability. Thus, as distribution exhibit both variability and unguessability. Thus, as
specified below in Section 3, an approximation to a discrete uniform specified below in Section 3, an approximation to a discrete uniform
distribution is preferable as the source of flow label values. distribution is preferable as the source of flow label values.
Intentionally, there are no precise mathematical requirements placed Intentionally, there are no precise mathematical requirements placed
on the distribution or the method used to achieve such a on the distribution or the method used to achieve such a
distribution. distribution.
Once set to a non-zero value, the Flow Label MUST be delivered Once set to a non-zero value, the Flow Label MUST be delivered
unchanged to the destination node(s). That is, a forwarding node unchanged to the destination node(s). That is, a forwarding node
MUST NOT change the flow label value in an arriving packet if it is MUST NOT change the flow label value in an arriving packet if it is
non-zero. non-zero. A possible exception to this rule is if a security gateway
for operational security reasons changes a non-zero Flow Label value
to a different non-zero value compliant with this RFC; see
Section 6.1 for details.
There is no way to verify whether a flow label has been modified en There is no way to verify whether a flow label has been modified en
route or whether it belongs to a uniform distribution. Therefore, no route or whether it belongs to a uniform distribution. Therefore, no
Internet-wide mechanism can depend mathematically on immutable and Internet-wide mechanism can depend mathematically on unmodified and
uniformly distributed flow labels; they have a "best effort" quality. uniformly distributed flow labels; they have a "best effort" quality.
This leads to the following formal rules: Implementers should be aware that the flow label is an unprotected
o Implementers should be aware that the flow label is an unprotected field that could have been accidentally or intentionally changed en
field that could have been accidentally or intentionally changed route (see Section 6). This leads to the following formal rule:
en route (see Section 6).
o Forwarding nodes such as routers and load distributors MUST NOT o Forwarding nodes such as routers and load distributors MUST NOT
depend only on Flow Label values being uniformly distributed. In depend only on Flow Label values being uniformly distributed. In
any usage such as a hash key for load distribution, the Flow Label any usage such as a hash key for load distribution, the Flow Label
bits MUST be combined at least with bits from other sources within bits MUST be combined at least with bits from other sources within
the packet, so as to produce a constant hash value for each flow the packet, so as to produce a constant hash value for each flow
and a suitable distribution of hash values across flows. and a suitable distribution of hash values across flows.
Typically the other fields used will be some or all components of Typically the other fields used will be some or all components of
the usual 5-tuple. the usual 5-tuple. In this way, load distribution will still
occur even if the Flow Label values are poorly distributed.
Although uniformly distributed flow label values are recommended Although uniformly distributed flow label values are recommended
below, and will always be helpful for load distribution, it is unsafe below, and will always be helpful for load distribution, it is unsafe
to assume their presence in the general case, and the use case needs to assume their presence in the general case, and the use case needs
to work even if the flow label value is zero. to work even if the flow label value is zero.
As a general practice, packet flows should not be reordered, and the As a general practice, packet flows should not be reordered, and the
use of the Flow Label field does not affect this. In particular, a use of the Flow Label field does not affect this. In particular, a
Flow label value of zero does not imply that reordering is Flow label value of zero does not imply that reordering is
acceptable. acceptable.
3. Stateless Flow Labeling Requirements 3. Flow Labeling Requirements in the Stateless Scenario
This section defines the minimum requirements for stateless methods This section defines the minimum requirements for methods of setting
of setting the flow label value. the flow label value within the stateless scenario of flow label
usage.
To enable Flow Label based classification, source nodes SHOULD assign To enable Flow Label based classification, source nodes SHOULD assign
each unrelated transport connection and application data stream to a each unrelated transport connection and application data stream to a
new flow. A typical definition of a flow for this purpose is any set new flow. A typical definition of a flow for this purpose is any set
of packets carrying the same 5-tuple {dest addr, source addr, of packets carrying the same 5-tuple {dest addr, source addr,
protocol, dest port, source port}. protocol, dest port, source port}.
It is desirable that flow label values should be uniformly It is desirable that flow label values should be uniformly
distributed to assist load distribution. It is therefore RECOMMENDED distributed to assist load distribution. It is therefore RECOMMENDED
that source hosts support the flow label by setting the flow label that source hosts support the flow label by setting the flow label
field for all packets of a given flow to the same value chosen from field for all packets of a given flow to the same value chosen from
an approximation to a discrete uniform distribution. Both stateful an approximation to a discrete uniform distribution. Both stateful
and stateless methods of assigning a value could be used, but it is and stateless methods of assigning a value could be used, but it is
outside the scope of this specification to mandate an algorithm. The outside the scope of this specification to mandate an algorithm. The
algorithm SHOULD ensure that the resulting flow label values are algorithm SHOULD ensure that the resulting flow label values are
unique with high probability. However, if two flows are by chance unique with high probability. However, if two simultaneous flows are
assigned the same flow label value, and have the same source and by chance assigned the same flow label value, and have the same
destination addresses, it simply means that they will receive the source and destination addresses, it simply means that they will
same treatment throughout the network. As long as this is a low receive the same treatment throughout the network. As long as this
probability event, it will not significantly affect load is a low probability event, it will not significantly affect load
distribution. distribution.
A possible stateless algorithm is to use a suitable 20 bit hash of A possible stateless algorithm is to use a suitable 20 bit hash of
values from the IP packet's 5-tuple. An alternative is to to use a values from the IP packet's 5-tuple. A simple hash function is
pseudo-random number generator to assign a flow label value for a described in Appendix A.
given transport session; such a method will require minimal local
state to be kept at the source node. Viewed externally, either An alternative approach is to to use a pseudo-random number generator
approach will produce values that are effectively uniformly to assign a flow label value for a given transport session; such a
distributed and pseudo-random. method will require minimal local state to be kept at the source
node, by recording the flow label associated with each transport
socket.
Viewed externally, either of these approaches will produce values
that appear to be uniformly distributed and pseudo-random.
An implementation in which flow labels are assigned sequentially is An implementation in which flow labels are assigned sequentially is
NOT RECOMMENDED, as it would then be simple for third parties to NOT RECOMMENDED, as it would then be simple for on-path observers to
guess the next value. guess the next value.
A source node which does not otherwise set the flow label MUST set A source node which does not otherwise set the flow label MUST set
its value to zero. its value to zero.
A node that forwards a flow whose flow label value in arriving A node that forwards a flow whose flow label value in arriving
packets is zero MAY change the flow label value. In that case, it is packets is zero MAY change the flow label value. In that case, it is
RECOMMENDED that the forwarding node sets the flow label field for a RECOMMENDED that the forwarding node sets the flow label field for a
flow to a uniformly distributed value as just described for source flow to a uniformly distributed value as just described for source
nodes. nodes.
o The same considerations apply as to source hosts setting the flow o The same considerations apply as to source hosts setting the flow
label; in particular, the normal case is that a flow is defined by label; in particular, the normal case is that a flow is defined by
the 5-tuple. the 5-tuple.
o This option, if implemented, would presumably be used by first-hop o This option, if implemented, would presumably be used by first-hop
or ingress routers. It might place a considerable per-packet or ingress routers. It might place a considerable per-packet
processing load on them, even if they adopted a stateless method processing load on them, even if they adopted a stateless method
of flow identification and label assignment. This is why the of flow identification and label assignment. This is why the
principal recommendation is that the source host should set the principal recommendation is that the source host should set the
label. label.
The preceding rules taken together allow a given network domain to The preceding rules taken together allow a given network to include
include routers that set flow labels on behalf of hosts that do not routers that set flow labels on behalf of hosts that do not do so.
do so. They also recommend that flow labels exported to the Internet
are always either zero or uniformly distributed. They also recommend that flow labels exported to the Internet are
always either zero or uniformly distributed.
4. Flow State Establishment Requirements 4. Flow State Establishment Requirements
A node that sets the flow label MAY also take part in a flow state A node that sets the flow label MAY also take part in a flow state
establishment method that results in assigning specific treatments to establishment method that results in assigning specific treatments to
specific flows, possibly including signaling. Any such method MUST specific flows, possibly including signaling. Any such method MUST
NOT disturb nodes taking part in the stateless model just described. NOT disturb nodes taking part in the stateless scenario just
described. Thus, any node that sets flow label values according to a
Thus, any node that sets flow label values according to a stateful stateful scheme MUST choose labels that conform to Section 3 of the
scheme MUST ensure that packets conform to Section 3 of the present present specification. Further details are not discussed in this
specification if they are sent outside the network domain using the document.
stateful scheme. Further details are not discussed in this document.
5. Essential correction to RFC 2205 5. Essential correction to RFC 2205
[RFC2460] reduced the size of the flow label field from 24 to 20 [RFC2460] reduced the size of the flow label field from 24 to 20
bits. The references to a 24 bit flow label field on pages 87 and 88 bits. The references to a 24 bit flow label field on pages 87 and 88
of [RFC2205] are updated accordingly. of [RFC2205] are updated accordingly.
6. Security Considerations 6. Security Considerations
This section considers security issues raised by the use of the Flow This section considers security issues raised by the use of the Flow
Label, primarily the potential for denial-of-service attacks, and the Label, including the potential for denial-of-service attacks, and the
related potential for theft of service by unauthorized traffic related potential for theft of service by unauthorized traffic
(Section 6.1). Section 6.2 addresses the use of the Flow Label in (Section 6.2). Section 6.3 addresses the use of the Flow Label in
the presence of IPsec including its interaction with IPsec tunnel the presence of IPsec including its interaction with IPsec tunnel
mode and other tunneling protocols. We also note that inspection of mode and other tunneling protocols. We also note that inspection of
unencrypted Flow Labels may allow some forms of traffic analysis by unencrypted Flow Labels may allow some forms of traffic analysis by
revealing some structure of the underlying communications. Even if revealing some structure of the underlying communications. Even if
the flow label were encrypted, its presence as a constant value in a the flow label were encrypted, its presence as a constant value in a
fixed position might assist traffic analysis and cryptoanalysis. fixed position might assist traffic analysis and cryptoanalysis.
The flow label is not protected in any way, even if IPsec The flow label is not protected in any way, even if IPsec
authentication [RFC4302] is in use, so it can be forged by an on-path authentication [RFC4302] is in use, so it can be forged by an on-path
attacker. On the other hand, a uniformly distributed pseudo-random attacker. Implementers are advised that any en-route change to the
flow label cannot be readily guessed by an off-path attacker; see flow label value is undetectable. On the other hand, a uniformly
[I-D.gont-6man-flowlabel-security] for further discussion. distributed pseudo-random flow label cannot be readily guessed by an
attacker; see [I-D.gont-6man-flowlabel-security] for further
discussion.
This specification defines the flow label as immutable once it has 6.1. Covert Channel Risk
been set to a non-zero value. However, implementers are advised that
forwarding nodes, especially those acting as domain border devices,
might nevertheless be configured to change the flow label value in
packets. This is undetectable.
6.1. Theft and Denial of Service The flow label could be used as a covert data channel, since
apparently pseudo-random flow label values could in fact consist of
covert data. This could for example be achieved using a series of
otherwise innocuous UDP packets whose flow label values constitute a
covert message, or by co-opting a TCP session to carry a covert
message in the flow labels of successive packets. Both of these
could be recognised as suspicious - the first because isolated UDP
packets would not normally be expected to have non-zero flow labels,
and the second because the flow label values in a given TCP session
should all be equal. However, other methods, such as co-opting the
flow labels of occasional packets, might be rather hard to detect.
In situations where the covert channel risk is considered
significant, the only certain defense is for a firewall to rewrite
non-zero flow labels in a stateless manner, like a first-hop router
(see Section 3). This would be an exceptional violation of the rule
that the flow label, once set to a non-zero value, must not be
changed. To preserve load distribution capability, such a firewall
MUST NOT set non-zero flow labels to zero.
6.2. Theft and Denial of Service
Since the mapping of network traffic to flow-specific treatment is Since the mapping of network traffic to flow-specific treatment is
triggered by the IP addresses and Flow Label value of the IPv6 triggered by the IP addresses and Flow Label value of the IPv6
header, an adversary may be able to obtain unintended service by header, an adversary may be able to obtain unintended service by
modifying the IPv6 header or by injecting packets with false modifying the IPv6 header or by injecting packets with false
addresses and/or labels. Theft of service is not further discussed addresses and/or labels. Theft of service is not further discussed
in this document, since it can only be analysed for specific stateful in this document, since it can only be analysed for specific stateful
methods of using the flow label. However, a denial of service attack methods of using the flow label. However, a denial of service attack
becomes possible in the stateless model when the modified or injected becomes possible in the stateless model when the modified or injected
traffic depletes the resources available to forward it and other traffic depletes the resources available to forward it and other
skipping to change at page 10, line 7 skipping to change at page 10, line 35
properties, this is typically useful only for denial of service. In properties, this is typically useful only for denial of service. In
the absence of ingress filtering, almost any third party could the absence of ingress filtering, almost any third party could
instigate such an attack. instigate such an attack.
In the presence of ingress filtering, forging a non-zero Flow Label In the presence of ingress filtering, forging a non-zero Flow Label
on packets that originated with a zero label, or modifying or on packets that originated with a zero label, or modifying or
clearing a label, could only occur if an intermediate system such as clearing a label, could only occur if an intermediate system such as
a router was compromised, or through some other form of man-in-the- a router was compromised, or through some other form of man-in-the-
middle attack. middle attack.
6.2. IPsec and Tunneling Interactions 6.3. IPsec and Tunneling Interactions
The IPsec protocol, as defined in [RFC4301], [RFC4302], [RFC4303] The IPsec protocol, as defined in [RFC4301], [RFC4302], [RFC4303]
does not include the IPv6 header's Flow Label in any of its does not include the IPv6 header's Flow Label in any of its
cryptographic calculations (in the case of tunnel mode, it is the cryptographic calculations (in the case of tunnel mode, it is the
outer IPv6 header's Flow Label that is not included). Hence outer IPv6 header's Flow Label that is not included). Hence
modification of the Flow Label by a network node has no effect on modification of the Flow Label by a network node has no effect on
IPsec end-to-end security, because it cannot cause any IPsec IPsec end-to-end security, because it cannot cause any IPsec
integrity check to fail. As a consequence, IPsec does not provide integrity check to fail. As a consequence, IPsec does not provide
any defense against an adversary's modification of the Flow Label any defense against an adversary's modification of the Flow Label
(i.e., a man-in-the-middle attack). (i.e., a man-in-the-middle attack).
skipping to change at page 10, line 45 skipping to change at page 11, line 24
sufficiently strong cryptographic integrity check of the encapsulated sufficiently strong cryptographic integrity check of the encapsulated
packet (where sufficiency is determined by local security policy), packet (where sufficiency is determined by local security policy),
the tunnel egress node can safely assume that the Flow Label in the the tunnel egress node can safely assume that the Flow Label in the
inner header has the same value as it had at the tunnel ingress node. inner header has the same value as it had at the tunnel ingress node.
This analysis and its implications apply to any tunneling protocol This analysis and its implications apply to any tunneling protocol
that performs integrity checks. Of course, any Flow Label set in an that performs integrity checks. Of course, any Flow Label set in an
encapsulating IPv6 header is subject to the risks described in the encapsulating IPv6 header is subject to the risks described in the
previous section. previous section.
6.3. Security Filtering Interactions 6.4. Security Filtering Interactions
The Flow Label does nothing to eliminate the need for packet The Flow Label does nothing to eliminate the need for packet
filtering based on headers past the IP header, if such filtering is filtering based on headers past the IP header, if such filtering is
deemed necessary for security reasons on nodes such as firewalls or deemed necessary for security reasons on nodes such as firewalls or
filtering routers. filtering routers.
However, security devices that clear or rewrite non-zero flow label
values would be in violation of this specification.
7. Differences from RFC 3697 7. Differences from RFC 3697
The main differences between this specification and its predecessor The main differences between this specification and its predecessor
are as follows: are as follows:
o This specification encourages non-zero flow label values to be o This specification encourages non-zero flow label values to be
used, and clearly defines how to set a non-zero value. used, and clearly defines how to set a non-zero value.
o It encourages a stateless model with uniformly distributed flow o It encourages a stateless model with uniformly distributed flow
label values. label values.
o It does not specify any details of a stateful model. o It does not specify any details of a stateful model.
o It retains the rule that the flow label is immutable, but allows o It retains the rule that the flow label must not be changed en
routers to set the label on behalf of hosts that do not do so. route, but allows routers to set the label on behalf of hosts that
do not do so.
o It discusses the covert channel risk and its consequences for
firewalls.
For further details see [I-D.ietf-6man-flow-update]. For further details see [I-D.ietf-6man-flow-update].
8. IANA Considerations 8. IANA Considerations
This document requests no action by IANA. This document requests no action by IANA.
9. Acknowledgements 9. Acknowledgements
Valuable comments and contributions were made by Ran Atkinson, Fred
Baker, Steve Blake, Remi Despres, Alan Ford, Fernando Gont, Brian
Haberman, Tony Hain, Joel Halpern, Qinwen Hu, Chris Morrow, Thomas
Narten, Mark Smith, Pascal Thubert, Iljitsch van Beijnum, and other
participants in the 6man working group.
Cristian Calude suggested the von Neumann algorithm in Appendix A.
Steve Deering and Alex Conta were co-authors of RFC 3697, on which Steve Deering and Alex Conta were co-authors of RFC 3697, on which
this document is based. this document is based.
Valuable comments and contributions were made by Fred Baker, Steve Contributors to the original development of RFC 3697 included Ran
Blake, Remi Despres, Alan Ford, Fernando Gont, Brian Haberman, Tony Atkinson, Steve Blake, Jim Bound, Francis Dupont, Robert Elz, Tony
Hain, Joel Halpern, Qinwen Hu, Chris Morrow, Thomas Narten, Mark Hain, Robert Hancock, Bob Hinden, Christian Huitema, Frank
Smith, Pascal Thubert, Iljitsch van Beijnum, and other participants Kastenholz, Thomas Narten, Charles Perkins, Pekka Savola, Hesham
in the 6man working group. Soliman, Michael Thomas, Margaret Wasserman, and Alex Zinin.
Contributors to the development of RFC 3697 included Ran Atkinson,
Steve Blake, Jim Bound, Francis Dupont, Robert Elz, Tony Hain, Robert
Hancock, Bob Hinden, Christian Huitema, Frank Kastenholz, Thomas
Narten, Charles Perkins, Pekka Savola, Hesham Soliman, Michael
Thomas, Margaret Wasserman, and Alex Zinin.
This document was produced using the xml2rfc tool [RFC2629]. This document was produced using the xml2rfc tool [RFC2629].
10. Change log [RFC Editor: Please remove] 10. Change log [RFC Editor: Please remove]
draft-ietf-6man-flow-3697bis-04: update to resolve further WG
comments, 2011-05-11:
o Suggested a specific hash algorithm to generate a flow label.
o Removed reference to stateful domain.
o Added text about covert channel and tuned text about firewall
behavior; removed the confusing word "immutable".
o Added that Section 6 of RFC 2460 is replaced.
o Editorial fixes.
draft-ietf-6man-flow-3697bis-03: update to resolve WGLC comments, draft-ietf-6man-flow-3697bis-03: update to resolve WGLC comments,
2011-05-02: 2011-05-02:
o Clarified that the network layer view of flows is agnostic about o Clarified that the network layer view of flows is agnostic about
transport sessions. transport sessions.
o Honed the definition of stateless v stateful models. o Honed the definition of stateless v stateful models.
o Honed the text about using a pseudo-random function. o Honed the text about using a pseudo-random function.
o Moved material about violation of immutability to Security o Moved material about violation of immutability to Security
section, and rephrased accordingly. section, and rephrased accordingly.
o Dropped material about setting the flow label at a domain exit o Dropped material about setting the flow label at a domain exit
router: doesn't belong here now that we have dropped almost all router: doesn't belong here now that we have dropped almost all
the stateful text. the stateful text.
o Removed normative reference to draft-gont-6man-flowlabel-security. o Removed normative reference to draft-gont-6man-flowlabel-security.
o Removed the statement that a node that does not set or use the o Removed the statement that a node that does not set or use the
flow label must ignore it: this statement appears to be a no-op. flow label must ignore it: this statement appears to be a no-op.
o Added a summary of changes from RFC 3697. o Added a summary of changes from RFC 3697.
o Miscellaneous editorial fixes. o Miscellaneous editorial fixes.
draft-ietf-6man-flow-3697bis-02: update to remove most text about draft-ietf-6man-flow-3697bis-02: update to remove most text about
skipping to change at page 13, line 5 skipping to change at page 13, line 47
11.2. Informative References 11.2. Informative References
[I-D.gont-6man-flowlabel-security] [I-D.gont-6man-flowlabel-security]
Gont, F., "Security Assessment of the IPv6 Flow Label", Gont, F., "Security Assessment of the IPv6 Flow Label",
draft-gont-6man-flowlabel-security-01 (work in progress), draft-gont-6man-flowlabel-security-01 (work in progress),
November 2010. November 2010.
[I-D.ietf-6man-flow-update] [I-D.ietf-6man-flow-update]
Amante, S., Carpenter, B., and S. Jiang, "Rationale for Amante, S., Carpenter, B., and S. Jiang, "Rationale for
update to the IPv6 flow label specification", update to the IPv6 flow label specification",
draft-ietf-6man-flow-update-04 (work in progress), draft-ietf-6man-flow-update-05 (work in progress),
March 2011. May 2011.
[RFC2629] Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629, [RFC2629] Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629,
June 1999. June 1999.
[RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering: [RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering:
Defeating Denial of Service Attacks which employ IP Source Defeating Denial of Service Attacks which employ IP Source
Address Spoofing", BCP 38, RFC 2827, May 2000. Address Spoofing", BCP 38, RFC 2827, May 2000.
[RFC3697] Rajahalme, J., Conta, A., Carpenter, B., and S. Deering, [RFC3697] Rajahalme, J., Conta, A., Carpenter, B., and S. Deering,
"IPv6 Flow Label Specification", RFC 3697, March 2004. "IPv6 Flow Label Specification", RFC 3697, March 2004.
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the [RFC4301] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", RFC 4301, December 2005. Internet Protocol", RFC 4301, December 2005.
[RFC4302] Kent, S., "IP Authentication Header", RFC 4302, [RFC4302] Kent, S., "IP Authentication Header", RFC 4302,
December 2005. December 2005.
[RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)",
RFC 4303, December 2005. RFC 4303, December 2005.
[vonNeumann]
von Neumann, J., "Various techniques used in connection
with random digits", National Bureau of Standards Applied
Math Series 12, 36-38, 1951.
Appendix A. Simple 20-bit Hash Function
As mentioned in Section 3, a stateless hash function may be used to
generate a flow label value from an IPv6 packet's 5-tuple. An
example function, based on an algorithm by von Neumann known to
produce an approximately uniform distribution [vonNeumann], is as
follows:
1. Split the destination and source addresses into two 64 bit values
each, thus transforming the 5-tuple into a 7-tuple.
2. Add the seven components together using unsigned 64 bit
arithmetic, discarding any carry bits.
3. Apply the von Neumann algorithm to the resulting string of 64
bits:
1. Starting at the least significant end, select two bits.
2. If the two bits are 00 or 11, discard them.
3. If the two bits are 01, output a 0 bit.
4. If the two bits are 10, output a 1 bit.
5. Repeat with the next two bits in the input 64 bit string.
6. Stop when 20 bits have been output (or when the 64 bit string
is exhausted).
4. In the highly unlikely event that the result is exactly zero, set
the flow label arbitrarily to the value 1.
Authors' Addresses Authors' Addresses
Shane Amante Shane Amante
Level 3 Communications, LLC Level 3 Communications, LLC
1025 Eldorado Blvd 1025 Eldorado Blvd
Broomfield, CO 80021 Broomfield, CO 80021
USA USA
Email: shane@level3.net Email: shane@level3.net
 End of changes. 35 change blocks. 
82 lines changed or deleted 151 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/