Hello,

Following up from the last call and the issues I raised, I'll try to propose something to start with to make the security considerations more in line with certain important issues.
Note: I'm assuming that the sentence:

   A source node MUST ensure that it does not reuse Flow Label values it
   is currently using or has recently used when creating new flows.

will be changed, at least to "unintentionally reuse".

Now, to the security considerations.

5.1 Theft and Denial of Service

   The goal of the Flow Label is to allow different levels of service to
   be provided for traffic streams on a common network infrastructure.  A
   variety of techniques may be used to achieve this, but the end result
   will be that some packets receive different (e.g., better or worse)
   service than others.  The mapping of network traffic to the
   flow-specific treatment is triggered by the IP addresses and Flow
   Label value of the IPv6 header, and hence an adversary may be able to
   obtain better service by modifying the IPv6 header or by injecting
   packets with false addresses and labels.  Taken to its limits, such
                                 ^^^ ==> false addresses _or_ labels.
   theft-of-service becomes a denial-of-service attack when the modified
   or injected traffic depletes the resources available to forward it
   and other traffic streams.

==> after this, add a new paragraph:

   Note that there is no guarantee that flow labels used in a node are
   not used in any manner the node wants to, even reusing flow labels.
   This is a feature: as nodes are typically untrusted, it cannot be
   assumed that they would in fact implement or adhere to any
   restrictions if such would be set -- and therefore any assumptions
   made by the network on nodes' behaviour should be very limited except
   in cases where the nodes are explicitly trusted.

==> and after the "Since flows.." paragraph, add paragraphs:

   There are two issues with different properties: spoofing of only Flow
   Label, and spoofing of the whole 3-tuple, including Source and
   Destination Address.

   The former can be done inside a node which is using the correct
   source address.  Being able to spoof Flow Label typically requires
   being in position to also forge an address -- but in many cases,
   spoofing the address may not be interesting, especially if the
   spoofer's goal is theft of service, not denial of service.

   The latter can be done by a host which is not subject to ingress
   filtering [INGR] or an intermediate router.  Due to its properties,
   such is typically useful only for denial of service.

==> TODO: consider whether changes are needed (on ingress filtering) in
    the second-last paragraph.

Perhaps this should get one started.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
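The two spoofing cases distinguished in the message above, worked through in code. This is an added illustration, not code from the message, the draft, or any router implementation; the addresses, prefixes, labels and the `FlowClassifier` router model are constructed for the example. It builds raw IPv6 fixed headers, classifies them on the (source, destination, Flow Label) 3-tuple as the draft text describes, and shows that a label-only spoof from the correct source node is byte-identical to the legitimate flow (so nothing on the wire can reject it), while a forged-address spoof is caught only where ingress filtering is applied at the attacker's link.

```python
"""Toy IPv6 3-tuple flow classifier: flow-label-only spoof vs. forged source address.
Constructed example; not code from the message, the draft, or any implementation."""
import ipaddress
import struct

BEST_EFFORT = "best-effort"
PREMIUM = "premium"


def build_ipv6_header(src, dst, flow_label, payload_len=0, next_header=59, hop_limit=64):
    """Return a 40-byte IPv6 fixed header: version(4) | traffic class(8) | flow label(20),
    payload length, next header (59 = No Next Header), hop limit, source, destination."""
    if not 0 <= flow_label < (1 << 20):
        raise ValueError("flow label is a 20-bit field")
    first_word = (6 << 28) | (0 << 20) | flow_label
    return (struct.pack("!IHBB", first_word, payload_len, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)


def parse_ipv6_header(pkt):
    """Extract (src, dst, flow_label): the 3-tuple a router keys flow treatment on."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    (first_word,) = struct.unpack("!I", pkt[:4])
    if first_word >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return (str(ipaddress.IPv6Address(pkt[8:24])),
            str(ipaddress.IPv6Address(pkt[24:40])),
            first_word & 0xFFFFF)


class FlowClassifier:
    """Hypothetical ingress router: maps provisioned 3-tuples to a service class and
    optionally drops packets whose source is outside its attached link's prefix
    (ingress filtering in the sense of the [INGR] reference)."""

    def __init__(self, ingress_prefix=None):
        self._table = {}
        self._ingress = ipaddress.IPv6Network(ingress_prefix) if ingress_prefix else None

    @staticmethod
    def _key(src, dst, flow_label):
        return (str(ipaddress.IPv6Address(src)), str(ipaddress.IPv6Address(dst)), flow_label)

    def provision(self, src, dst, flow_label, service_class):
        self._table[self._key(src, dst, flow_label)] = service_class

    def treat(self, pkt):
        """Service class applied to pkt, or None if ingress filtering discards it."""
        src, dst, flow_label = parse_ipv6_header(pkt)
        if self._ingress is not None and ipaddress.IPv6Address(src) not in self._ingress:
            return None
        return self._table.get(self._key(src, dst, flow_label), BEST_EFFORT)


def demo():
    """Run the scenarios and return their outcomes keyed by scenario name."""
    victim, server = "2001:db8:1::10", "2001:db8:2::1"   # constructed addresses
    premium_label, other_label = 0xABCDE, 0x00042          # constructed labels

    victim_link = FlowClassifier(ingress_prefix="2001:db8:1::/64")   # victim's ingress router
    remote_unfiltered = FlowClassifier()                             # attacker's link, no filtering
    remote_filtered = FlowClassifier(ingress_prefix="2001:db8:9::/64")  # attacker's link, filtered
    for router in (victim_link, remote_unfiltered, remote_filtered):
        router.provision(victim, server, premium_label, PREMIUM)

    legit = build_ipv6_header(victim, server, premium_label)
    # Case 1: another process on the victim node (correct source address) copies the
    # premium label onto its own flow. On the wire this is byte-identical to the
    # legitimate packet, so the router cannot tell them apart: theft of service.
    label_only_spoof = build_ipv6_header(victim, server, premium_label)
    # Case 2: a host on another link forges the whole 3-tuple, source address included.
    full_spoof = build_ipv6_header(victim, server, premium_label)

    return {
        "legit_on_victim_link": victim_link.treat(legit),
        "other_flow_on_victim_link": victim_link.treat(
            build_ipv6_header(victim, server, other_label)),
        "label_only_spoof_on_victim_link": victim_link.treat(label_only_spoof),
        "label_only_spoof_bytes_equal_legit": label_only_spoof == legit,
        "full_spoof_unfiltered_link": remote_unfiltered.treat(full_spoof),
        "full_spoof_filtered_link": remote_filtered.treat(full_spoof),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The classifier deliberately has no way to tell the label-only spoof from the legitimate flow, which is the point of the "node is using the correct source address" case: any protection there has to come from the node itself, which the message argues the network cannot assume. Ingress filtering only helps against the full 3-tuple forgery, and only when applied at the attacker's own link.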