Hi, Brian,

> That presumably depends on the use case. The idea is that someone
> figures out what flow label values will screw you, and sets such
> values. Let's assume you're using it for ECMP or LAG. You're hashing
> the flow label as part of the ECMP/LAG hash. Someone figures out
> how to compute a flow label for each packet arriving on your 10GB
> line that will bias your hash, and therefore defeat the load sharing.

I think that the lesson learned from similar fields in other protocols
is that the Flow Label needs to be unpredictable by an off-path attacker.

This was the motivation for writing the stuff in
draft-gont-6man-flowlabel-security (which was written quite some time
ago, but only recently published as an IETF I-D).

Thanks!

Kind regards,
-- 
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1




--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
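An added example, not part of the message above and not the algorithm from draft-gont-6man-flowlabel-security: the quoted concern and the reply's requirement, shown as a keyed-hash sketch in Python. It assumes HMAC-SHA256 as the keyed function; the addresses, keys and function names are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct
from collections import Counter

FLOW_LABEL_MASK = (1 << 20) - 1  # the IPv6 Flow Label field is 20 bits wide


def _addr_bytes(src, dst):
    return ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed


def flow_label(host_secret, src, dst, proto, sport, dport):
    """Sender side: label is stable per flow, unguessable without host_secret."""
    msg = _addr_bytes(src, dst) + struct.pack("!BHH", proto, sport, dport)
    digest = hmac.new(host_secret, msg, hashlib.sha256).digest()
    label = int.from_bytes(digest[:4], "big") & FLOW_LABEL_MASK
    return label or 1  # 0 means "unlabelled", so never emit it


def naive_bucket(label, n_paths):
    """Weak ECMP/LAG selector: a public function of the label alone."""
    return label % n_paths


def keyed_bucket(router_key, src, dst, label, n_paths):
    """Hardened selector: the label-to-path mapping depends on a router-local key."""
    msg = _addr_bytes(src, dst) + struct.pack("!I", label & FLOW_LABEL_MASK)
    digest = hmac.new(router_key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big") % n_paths


def path_load(bucket_fn, labels, n_paths):
    """Count how many packets land on each of n_paths for the given labels."""
    return Counter(bucket_fn(lbl, n_paths) for lbl in labels)


# Constructed sample data (documentation prefix 2001:db8::/32, made-up keys).
SRC, DST = "2001:db8::1", "2001:db8:ffff::2"
ROUTER_KEY = b"constructed-router-key"
SKEWED_LABELS = [4 * i for i in range(1, 1001)]  # sender-chosen, all 0 mod 4

if __name__ == "__main__":
    keyed = lambda lbl, n: keyed_bucket(ROUTER_KEY, SRC, DST, lbl, n)
    print("naive:", dict(path_load(naive_bucket, SKEWED_LABELS, 4)))
    print("keyed:", dict(path_load(keyed, SKEWED_LABELS, 4)))
    print("label: %#07x" % flow_label(b"constructed-host-secret", SRC, DST, 6, 49152, 443))
```

With the unkeyed selector every skewed label lands on one path; with the router-local key the same labels spread across all four, because the sender cannot compute the mapping.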
