Christian Huitema <huit...@microsoft.com> writes:

> Have you looked at the security implications? Suppose that an
> attacker can predict the hash algorithm used by a router. This
> attacker could then pick "interesting" values of the flow ID, to get
> the flow of traffic directed to particular paths, or not. For
> example, they could systematically put a different flow label on
> each packet to ensure the traffic is spread over all available
> paths.
Thinking about this some more. There are two cases to worry about.

The first one concerns the (currently mythical) case where a flow setup protocol has been used to create state/reservations along a path for a particular Flow. An attacker might want to target that precise flow in order to cause problems for that one flow (e.g., exceed its flow spec). The attacker would presumably need to determine the src/dst/flow label value of a particular flow in order to exploit this. Since flow setup is involved, presumably the Flow Label value can be chosen somewhat carefully to make this harder for off-path attackers. This case is presumably also not really relevant to the current discussion.

The second case concerns a number of paths across which traffic is to be split. An attacker might want to overload a particular path. One way to do this is to guess the Flow Labels being used for ECMP. But it seems like there is an even easier way. If there are N paths, whatever hash is used will distribute over those N paths. So all an attacker needs to do is generate src/dest/Flow IDs and probe the network to see which paths are actually being used, and then generate lots of traffic to target the particular path they are after. (Rereading the thread I see now that Fred made this same point.)

The point being, an attacker doesn't have to guess the actual Flow Labels that are in use, but just come up with a way to generate traffic that ECMP maps onto the target path. That suggests that having Flow Label values themselves be "pseudo random" doesn't buy a whole lot.

Or am I missing something? I'm a bit stuck on this point, because both of the current flow label documents continue to say flow labels SHOULD be pseudo-random, and I'm not convinced this is necessary, required, or buys us anything. What compelling argument am I missing?
Thomas

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
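The ECMP argument in the message above, as an added illustration that is not part of the thread: a toy ECMP function hashes the (src, dst, Flow Label) tuple and reduces it modulo the number of equal-cost paths. Running a sequential label series and a pseudo-random label series through it shows that both spread across every path and yield a label for each path; the randomness of the label values does not change which paths the hash exposes. The path count, the SHA-256 hash, and the addresses are constructed assumptions, not anything a particular router does.

```python
import hashlib
import random
from collections import Counter

# Assumption (constructed): four equal-cost paths between the two endpoints.
N_PATHS = 4
SRC = "2001:db8::1"  # constructed example addresses
DST = "2001:db8::2"


def ecmp_path(src, dst, flow_label, n_paths=N_PATHS):
    """Toy ECMP: hash the 3-tuple and reduce modulo the path count.

    SHA-256 stands in for whatever hash a real router uses (assumption);
    the point is only that some deterministic function of the tuple is
    reduced onto n_paths outcomes.
    """
    key = f"{src}|{dst}|{flow_label & 0xFFFFF:05x}".encode()  # 20-bit Flow Label
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:4], "big") % n_paths


def sequential_labels(count):
    """Flow Labels chosen the 'obvious' way: a simple counter."""
    return list(range(1, count + 1))


def random_labels(count, seed=1):
    """Flow Labels chosen as the documents recommend: pseudo-random 20-bit values."""
    rng = random.Random(seed)
    return [rng.randrange(1, 1 << 20) for _ in range(count)]


def path_distribution(labels, src=SRC, dst=DST, n_paths=N_PATHS):
    """How many of the given labels land on each path (every path listed, even if 0)."""
    counts = Counter(ecmp_path(src, dst, fl, n_paths) for fl in labels)
    return {p: counts.get(p, 0) for p in range(n_paths)}


def labels_by_path(labels, src=SRC, dst=DST, n_paths=N_PATHS):
    """Group labels by the path the hash assigns them to.

    Whether the labels were sequential or random, a modest number of them
    is enough to find at least one label for every path, which is the
    observation in the message: label randomness does not hide the paths.
    """
    groups = {p: [] for p in range(n_paths)}
    for fl in labels:
        groups[ecmp_path(src, dst, fl, n_paths)].append(fl)
    return groups


def covers_all_paths(labels, n_paths=N_PATHS):
    """True if the label set reaches every one of the n_paths outcomes."""
    return all(count > 0 for count in path_distribution(labels, n_paths=n_paths).values())


if __name__ == "__main__":
    for name, labels in (("sequential", sequential_labels(1000)),
                         ("pseudo-random", random_labels(1000))):
        print(name, path_distribution(labels), "all paths reached:", covers_all_paths(labels))
```

The distributions for the two label series come out roughly equal, and both reach every path; that is the behaviour the message describes, and it is why label randomness by itself is not a defence against ECMP path selection.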