While there may be a few firewalls that will do whatever they think they need to in order to shut down covert channels, I do not see that as a significant factor. I imagine most devices will not do so, since it does represent a meaningful threat to the site being protected. (There are other covert channels available, that I have never heard of conventional commercial firewalls attempting to close. Heck, I could have a pattern of connections to two remote sites for a covert channel. I don't buy this as a driver.)

Yours,
joel

On 9/7/2010 9:18 PM, Brian E Carpenter wrote:
Hi,

The authors of draft-carpenter-6man-flow-update (now also
including Shane Amante) are working on a new version. One
fundamental issue that has come up is about the (lack of)
security properties of the flow label. The most brutal
expression of this is:

The flow label field is always unprotected (no IP header
checksum, not included in transport checksums, not included in
IPsec checksum). It cannot be verified and can be used as a
covert channel, so it will never pass a security analysis. Thus
some firewalls *will* decide to clear it, whatever the IETF
wants. This is inevitable, for exactly the same reason that the
diffserv code point is rewriteable at domain boundaries.

If this is correct, it is futile to assert that the flow label
MUST be delivered unchanged to the destination, because we
cannot rely on this in the real world.

Are we ready to accept this analysis?

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
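
Added example, not part of the original thread: a Python check of the "not included in transport checksums" point quoted above, showing that a UDP checksum still verifies after the flow label is cleared in transit, while a change to a field that is in the pseudo-header (the source address) is caught. The helper names, the 2001:db8:: addresses, the ports and the payload are constructed for illustration.

```python
import ipaddress
import struct

def csum16(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo_header(src: bytes, dst: bytes, upper_len: int) -> bytes:
    # IPv6 pseudo-header: addresses, upper-layer length, next header (17 = UDP).
    # Version, traffic class and flow label are not part of it.
    return src + dst + struct.pack("!I3xB", upper_len, 17)

def build_packet(src: bytes, dst: bytes, label: int, payload: bytes) -> bytes:
    length = 8 + len(payload)
    udp = struct.pack("!HHHH", 40000, 53, length, 0) + payload
    check = csum16(pseudo_header(src, dst, length) + udp) or 0xFFFF
    udp = udp[:6] + struct.pack("!H", check) + udp[8:]
    first_word = (6 << 28) | (label & 0xFFFFF)   # version 6, traffic class 0
    return struct.pack("!IHBB", first_word, length, 17, 64) + src + dst + udp

def flow_label(packet: bytes) -> int:
    return struct.unpack("!I", packet[:4])[0] & 0xFFFFF

def rewrite_flow_label(packet: bytes, label: int) -> bytes:
    # What a middlebox clearing or rewriting the label does: touch 20 bits only.
    word = struct.unpack("!I", packet[:4])[0] & 0xFFF00000
    return struct.pack("!I", word | (label & 0xFFFFF)) + packet[4:]

def udp_checksum_ok(packet: bytes) -> bool:
    src, dst, udp = packet[8:24], packet[24:40], packet[40:]
    return csum16(pseudo_header(src, dst, len(udp)) + udp) == 0

# Constructed sample input (documentation prefix addresses).
SRC = ipaddress.IPv6Address("2001:db8::1").packed
DST = ipaddress.IPv6Address("2001:db8::2").packed

def demo() -> dict:
    original = build_packet(SRC, DST, 0x12345, b"constructed payload")
    cleared = rewrite_flow_label(original, 0)
    readdressed = bytearray(original)
    readdressed[23] ^= 1                          # last byte of source address
    return {"original": original, "cleared": cleared,
            "readdressed": bytes(readdressed)}

if __name__ == "__main__":
    for name, pkt in demo().items():
        print(name, hex(flow_label(pkt)), udp_checksum_ok(pkt))
```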
