Fernando,

On Jan 21, 2011, at 8:55 AM, Fernando Gont wrote:
> Hi, Thomas,
>
> On 10/01/2011 11:10 a.m., Thomas Narten wrote:
>> The crux of the issue is the following:
>>
>>> 1.  It is RECOMMENDED that source hosts support the flow label by
>>>     setting the flow label field for all packets of a flow to the
>>>     same pseudo-random value.
>>
>> I do not see a reason to require this.
>
> Probably that could/should be rephrased as:
>
> 1.  It is RECOMMENDED that source hosts support the flow label by
>     setting the flow label field for all packets of a flow to the
>     same value. Such value should not be easily predictable by an
>     off-path attacker.

We could also add to this something like:

    One way to achieve this is with a pseudo-random value.

Bob

>
>> You do NOT need uniform spread on the input to the hash to get such an
>> output. A decent hash algorithm is what you need. You also don't need
>> Flow Labels selected in a pseudo random fashion.
>
> Agreed. But predictable values have been found to have problems. See
> e.g. the implications of the IPv4 identification field in
> http://www.gont.com.ar/papers/InternetProtocol.pdf
>
>> RFC 3697 says specifically you can assign Flow Label values
>> sequentially.
>
> Indeed, draft-gont-6man-flowlabel-security does select flow-labels
> incrementally --- although with a scheme that makes it difficult for an
> off-path attacker to guess the next flowlabel value.
>
> Thanks!
>
> Best regards,
> --
> Fernando Gont
> e-mail: ferna...@gont.com.ar || fg...@acm.org
> PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
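
Added example (not part of the thread, and not the algorithm text of any draft): two ways a source host could meet the rephrased recommendation, one label per flow that an off-path observer cannot compute. The class name FlowLabeler, the use of HMAC-SHA-256 as the keyed function, and the sample addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

FLOW_LABEL_BITS = 20                    # width of the IPv6 Flow Label field
MASK = (1 << FLOW_LABEL_BITS) - 1


class FlowLabeler:
    """Assigns flow labels that are stable per flow but depend on a local secret."""

    def __init__(self, secret=None):
        # The secret never leaves the host, so an off-path observer cannot compute _f().
        self.secret = secret or os.urandom(32)
        self.counters = defaultdict(int)   # per (src, dst) counter, incremental scheme
        self.assigned = {}                 # flow tuple -> label, incremental scheme

    def _f(self, *fields):
        msg = "|".join(str(f) for f in fields).encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big") & MASK

    def hashed(self, src, dst, proto, sport, dport):
        """Stateless: keyed hash of the flow tuple, same value for every packet."""
        return self._f("flow", src, dst, proto, sport, dport) or 1  # 0 means "no flow"

    def incremental(self, src, dst, proto, sport, dport):
        """Sequential per (src, dst), started from a secret-derived offset."""
        flow = (src, dst, proto, sport, dport)
        if flow not in self.assigned:
            offset = self._f("offset", src, dst)
            label = 0
            while label == 0:              # skip 0, which marks unlabeled packets
                label = (offset + self.counters[(src, dst)]) & MASK
                self.counters[(src, dst)] += 1
            self.assigned[flow] = label
        return self.assigned[flow]


if __name__ == "__main__":
    fl = FlowLabeler()
    a = ("2001:db8::1", "2001:db8::2", 6, 40000, 443)   # constructed sample flows
    b = ("2001:db8::1", "2001:db8::2", 6, 40001, 443)
    print(hex(fl.hashed(*a)), hex(fl.hashed(*a)))            # identical
    print(hex(fl.incremental(*a)), hex(fl.incremental(*b)))  # consecutive
```

In the incremental variant the peer sees consecutive labels, but a host at a different address gets a different starting offset and so cannot infer the next value from its own flows.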