Hi, Thomas,

On 10/01/2011 11:10 a.m., Thomas Narten wrote:
> The crux of the issue is the following:
>
>> 1. It is RECOMMENDED that source hosts support the flow label by
>>    setting the flow label field for all packets of a flow to the
>>    same pseudo-random value.
>
> I do not see a reason to require this.

Probably that could/should be rephrased as:

1. It is RECOMMENDED that source hosts support the flow label by
   setting the flow label field for all packets of a flow to the
   same value. Such value should not be easily predictable by an
   off-path attacker.

> You do NOT need uniform spread on the input to the hash to get such an
> output. A decent hash algorithm is what you need. You also don't need
> Flow Labels selected in a pseudo random fashion.

Agreed. But predictable values have been found to have problems. See
e.g. the implications of the IPv4 identification field in
http://www.gont.com.ar/papers/InternetProtocol.pdf

> RFC 3697 says specifically you can assign Flow Label values
> sequentially.

Indeed, draft-gont-6man-flowlabel-security does select flow-labels
incrementally --- although with a scheme that makes it difficult for an
off-path attacker to guess the next flowlabel value.

Thanks!

Best regards,
--
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
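
A sketch of the idea discussed in the message above, added here as an example and not taken from the message or from draft-gont-6man-flowlabel-security: flow labels for one (source, destination) pair increment, but start from an offset computed with a keyed hash over the address pair. The use of HMAC-SHA256, the per-host secret, the per-pair counter table, the skipping of label 0 and the name `FlowLabelAllocator` are all assumptions of this example.

```python
import hashlib
import hmac
import ipaddress
import os

FLOW_LABEL_MAX = 0xFFFFF  # the IPv6 Flow Label field is 20 bits wide


class FlowLabelAllocator:
    """Incrementing flow labels that start from a secret per-pair offset."""

    def __init__(self, secret=None):
        # Assumption: a random secret generated at boot and never disclosed.
        self._secret = secret if secret is not None else os.urandom(32)
        self._counters = {}  # packed (src, dst) -> labels handed out so far

    def _pair(self, src, dst):
        # Normalise textual addresses so equivalent spellings share state.
        return (ipaddress.IPv6Address(src).packed
                + ipaddress.IPv6Address(dst).packed)

    def _offset(self, pair):
        # Keyed hash: stable for a given pair, unknown without the secret.
        digest = hmac.new(self._secret, pair, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def next_label(self, src, dst):
        pair = self._pair(src, dst)
        count = self._counters.get(pair, 0)
        self._counters[pair] = count + 1
        # Map into 1..0xFFFFF so the sequence increments and wraps but never
        # yields 0, which marks a packet that belongs to no flow.
        return (self._offset(pair) + count) % FLOW_LABEL_MAX + 1


def demo():
    # Constructed sample: documentation-prefix addresses, fixed test secret.
    alloc = FlowLabelAllocator(secret=b"constructed-demo-secret")
    src = "2001:db8::1"
    to_server = [alloc.next_label(src, "2001:db8:a::10") for _ in range(3)]
    # Labels a host at a different destination address would observe.
    to_other = [alloc.next_label(src, "2001:db8:b::66") for _ in range(3)]
    return to_server, to_other


if __name__ == "__main__":
    for name, labels in zip(("server", "other"), demo()):
        print(name, [f"{v:#07x}" for v in labels])
```

Each destination sees an incrementing sequence for its own address pair only; the starting point for any other pair depends on the secret.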