Brian E Carpenter <brian.e.carpen...@gmail.com> writes:

> > what's the threat if it changes in flight? multiple times even?

> That presumably depends on the use case. The idea is that someone
> figures out what flow label values will screw you, and sets such
> values.

And exactly how is this different than what we have today, where
the same can be done by setting values for the src/dest addresses and
ports?

> Let's assume you're using it for ECMP or LAG. You're hashing
> the flow label as part of the ECMP/LAG hash. Someone figures out
> how to compute a flow label for each packet arriving on your 10GB
> line that will bias your hash, and therefore defeat the load
> sharing.

And is this easier (and thus more of a threat) than, say, any variety of
DDOS attack that targets a particular bottleneck link?

> Note, I'm not saying it will happen, just that it might, and that
> seems to be how some security people think.

Let's discuss the threat (if there is one), but let's put it in
context. How much worse a threat (or more exploitable of one) is this
than other existing ones?

Thomas
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
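
Added example, not part of the original message or of any router's actual implementation: a sketch of the ECMP/LAG concern quoted above, seen from the operator's side. It assumes a 4-member group, a BLAKE2b keyed hash over (src, dst, flow label), and constructed seeds and packets; it shows a skew check on member-link shares and that labels biased against a known hash seed spread out again under a seed the sender does not know.

```python
import hashlib
from collections import Counter

N_LINKS = 4  # assumed number of ECMP/LAG member links

def pick_link(src, dst, flow_label, seed, n_links=N_LINKS):
    """Choose a member link from (src, dst, 20-bit flow label) with a keyed hash."""
    data = f"{src}|{dst}|{flow_label & 0xFFFFF:05x}".encode()
    digest = hashlib.blake2b(data, key=seed, digest_size=8).digest()
    return int.from_bytes(digest, "big") % n_links

def link_shares(packets, seed, n_links=N_LINKS):
    """Fraction of packets that each member link would carry."""
    counts = Counter(pick_link(s, d, fl, seed, n_links) for s, d, fl in packets)
    return [counts[i] / len(packets) for i in range(n_links)]

def is_skewed(shares, tolerance=0.5):
    """True if any member carries more than (1 + tolerance) times its fair share."""
    fair = 1 / len(shares)
    return max(shares) > fair * (1 + tolerance)

def constructed_biased_packets(seed, count=2000):
    """Constructed test input: one src/dst pair whose labels all map to member 0 under `seed`."""
    src, dst = "2001:db8::1", "2001:db8::2"  # documentation prefix
    labels = (fl for fl in range(1 << 20) if pick_link(src, dst, fl, seed) == 0)
    return [(src, dst, next(labels)) for _ in range(count)]

KNOWN_SEED = b"constructed-seed-A"    # stands for a fixed or predictable hash seed
PRIVATE_SEED = b"constructed-seed-B"  # stands for a per-device random secret

def demo():
    """Shares for the same biased traffic under the known and the private seed."""
    packets = constructed_biased_packets(KNOWN_SEED)
    return link_shares(packets, KNOWN_SEED), link_shares(packets, PRIVATE_SEED)

if __name__ == "__main__":
    for name, shares in zip(("known seed", "private seed"), demo()):
        verdict = "skewed" if is_skewed(shares) else "balanced"
        print(name, [round(s, 3) for s in shares], verdict)
```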
