On 8 Sept. 2010, at 05:38, Brian E Carpenter wrote:

> ... Let's assume you're using it for ECMP or LAG. You're hashing
> the flow label as part of the ECMP/LAG hash. Someone figures out
> how to compute a flow label for each packet arriving on your 10GB
> line that will bias your hash, and therefore defeat the load sharing.
>
> Note, I'm not saying it will happen, just that it might, and that
> seems to be how some security people think.

Depending on whether the ECMP/LAG operator is more or less paranoid about this threat, it could:
- ignore received FL values, and base its ECMP/LAG hash on its own 3- or 5-tuple hashes
- OR take the risk, and use received FL values.

This could IMHO remain an implementation/operation option.

RD

>
> We can choose to not worry about this, but that's why I want to
> discuss it.
>
>    Brian
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
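
The two operator options described above, as an added sketch that is not part of the original message: it models the member-link choice of an ECMP/LAG group with and without the received flow label in the hash, and reports how many links one fixed 5-tuple can land on when only the label varies. CRC32 as the device hash, the 4-link group and the sample traffic are assumptions constructed for illustration.

```python
import zlib
from collections import Counter

N_LINKS = 4  # assumption: a 4-member ECMP/LAG group


def pick_link(pkt, use_flow_label, n_links=N_LINKS):
    """Return the member link for a packet under one of the two policies."""
    fields = [pkt["src"], pkt["dst"], pkt["proto"], pkt["sport"], pkt["dport"]]
    if use_flow_label:
        fields.append(pkt["flow_label"])  # sender-controlled 20-bit field
    key = "|".join(str(f) for f in fields).encode()
    return zlib.crc32(key) % n_links  # CRC32 stands in for the device hash


def links_reachable(pkt, use_flow_label, labels=range(256)):
    """Links one fixed 5-tuple can land on as only the received label varies."""
    return {pick_link(dict(pkt, flow_label=fl), use_flow_label) for fl in labels}


def spread(packets, use_flow_label):
    """Packets per member link for a batch of traffic."""
    return Counter(pick_link(p, use_flow_label) for p in packets)


# Constructed sample traffic: 2000 flows between documentation-prefix hosts.
FLOWS = [
    {"src": f"2001:db8::{i % 50:x}", "dst": "2001:db8:1::1", "proto": 6,
     "sport": 1024 + i, "dport": 443, "flow_label": (i * 2654435761) & 0xFFFFF}
    for i in range(2000)
]

if __name__ == "__main__":
    one = FLOWS[0]
    # Policy 1: ignore received FL; the sender cannot move the flow at all.
    print("FL ignored:", links_reachable(one, False), dict(spread(FLOWS, False)))
    # Policy 2: use received FL; the link depends on a field the sender sets.
    print("FL used:   ", links_reachable(one, True), dict(spread(FLOWS, True)))
```

With the label ignored, the per-link spread is identical whatever labels arrive; with the label hashed, the same 5-tuple reaches every member link, which is the exposure the operator accepts under the second option.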