On Wed, 08 Sep 2010 13:18:41 +1200, Brian E Carpenter
<brian.e.carpen...@gmail.com> wrote:

> Hi,
> 
> The authors of draft-carpenter-6man-flow-update (now also
> including Shane Amante) are working on a new version. One
> fundamental issue that has come up is about the (lack of)
> security properties of the flow label. The most brutal
> expression of this is:
> 
> The flow label field is always unprotected (no IP header
> checksum, not included in transport checksums, not included in
> IPsec checksum). It cannot be verified and can be used as a
> covert channel, so it will never pass a security analysis. Thus
> some firewalls *will* decide to clear it, whatever the IETF
> wants. This is inevitable, for exactly the same reason that the
> diffserv code point is rewriteable at domain boundaries.
> 
> If this is correct, it is futile to assert that the flow label
> MUST be delivered unchanged to the destination, because we
> cannot rely on this in the real world.
> 
> Are we ready to accept this analysis?

FWIW, covering the FL in a header/transport checksum would not guarantee
immutability, since a firewall could always re-calculate either of these.

There are already a variety of covert channels available (e.g., packet
size, packet timing, DSCP, hop count), so I wouldn't lose sleep about the
FL adding an additional one.


Regards,

// Steve
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
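
The two checksum points raised in this thread, as an added example that is not part of the original messages: the standard UDP checksum over the IPv6 pseudo-header does not cover the flow label, and a hypothetical checksum that did cover it would only stop a device that does not recompute it. The addresses, ports, payload and the `cover_fl` variant are constructed for illustration.

```python
import ipaddress
import struct

# Constructed sample endpoints (documentation prefix).
SRC = ipaddress.IPv6Address("2001:db8::1").packed
DST = ipaddress.IPv6Address("2001:db8::2").packed

def csum16(data):
    """16-bit one's-complement Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def flow_label(pkt):
    """Low 20 bits of the first 32-bit word of the IPv6 header."""
    return struct.unpack("!I", pkt[:4])[0] & 0xFFFFF

def pseudo_header(pkt, cover_fl):
    """IPv6 pseudo-header: src, dst, upper-layer length, zeros, next header.
    cover_fl=True is a hypothetical variant that also covers the flow label."""
    ph = pkt[8:40] + struct.pack("!I3xB", len(pkt) - 40, pkt[6])
    return ph + (struct.pack("!I", flow_label(pkt)) if cover_fl else b"")

def set_udp_checksum(pkt, cover_fl=False):
    """(Re)compute the UDP checksum field at bytes 46..47 of the packet."""
    zeroed = pkt[:46] + b"\x00\x00" + pkt[48:]
    c = csum16(pseudo_header(zeroed, cover_fl) + zeroed[40:]) or 0xFFFF
    return zeroed[:46] + struct.pack("!H", c) + zeroed[48:]

def build(label, payload=b"constructed payload", cover_fl=False):
    """IPv6 + UDP packet carrying the given flow label."""
    udp_len = 8 + len(payload)
    hdr = struct.pack("!IHBB", (6 << 28) | label, udp_len, 17, 64) + SRC + DST
    udp = struct.pack("!HHHH", 49152, 9, udp_len, 0) + payload
    return set_udp_checksum(hdr + udp, cover_fl)

def verify(pkt, cover_fl=False):
    """Receiver-side check: the sum over pseudo-header and segment must be zero."""
    return csum16(pseudo_header(pkt, cover_fl) + pkt[40:]) == 0

def rewrite_label(pkt, label, recompute=False, cover_fl=False):
    """Model of an on-path device clearing or changing the flow label."""
    first = (struct.unpack("!I", pkt[:4])[0] & ~0xFFFFF) | label
    out = struct.pack("!I", first) + pkt[4:]
    return set_udp_checksum(out, cover_fl) if recompute else out
```
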
