On Thu, 3 Feb 2011 10:17:12 -0500, RJ Atkinson <rja.li...@gmail.com> wrote:

In particular, a number of domains connected to the public Internet,
including a number of commercial firms, are concerned about use of
"covert channels" by their adversaries (e.g. to steal IPR, to probe
interior network segments).

While most (all ?) useful communications protocols have at least
some low-bandwidth covert channels, the IPv6 Flow Label stands out
as a relatively high-bandwidth covert channel -- due to its size.

[snip]

When one intersects Joel's comments above and my observations
above, it is not obvious to me that an arbitrary router somewhere
in the global Internet reasonably could expect that the IPv6 Flow
Label of an arbitrary IPv6 packet will contain values useful for
LAG, SLB, etc.

Would a one-byte covert channel in the flow label be considered a problem? I.e., if a firewall only zeroed out the most significant 12 bits of the flow label, that would still leave 8 random bits for the LAG/ECMP hash key, which is probably more than enough in practice. The firewall could alternatively choose to recompute the lower 8 bits using 5-tuple hash, since presumably it is already digging its way through the packet headers.

Actually, a firewall could always choose to rewrite the whole flow label with the output of its own hash calculation (or a per-flow cached pseudo-random number), eliminating any covert channel.


Regards,

// Steve
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
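The two firewall options Steve sketches above, as an added worked example that is not part of the original message or of any IETF text: one function keeps only the low 8 bits of the 20-bit flow label (leaving an 8-bit channel), the other replaces the whole label with a keyed hash of the 5-tuple so the sender's chosen value is discarded entirely while packets of the same flow still get a stable label for LAG/ECMP hashing. The addresses, ports and `FLOW_KEY` are constructed for the demo; the keyed-HMAC construction and the helper names are this example's own choice, not something the post prescribes.

```python
import hmac
import hashlib
import struct
import ipaddress

# Hypothetical per-device secret (constructed for the example). A real
# firewall would generate this at boot; keeping it secret means a sender
# cannot predict which label its flow will be given after rewriting.
FLOW_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

IPV6_HDR_LEN = 40
NEXT_HDR_TCP = 6
NEXT_HDR_UDP = 17
FLOW_LABEL_MASK = 0xFFFFF  # 20-bit field


def build_ipv6_packet(src, dst, next_hdr, flow_label, sport, dport, payload=b""):
    """Construct a minimal IPv6 packet (fixed 40-byte header + L4 ports) for the demo."""
    ver_tc_fl = (6 << 28) | (flow_label & FLOW_LABEL_MASK)  # version 6, traffic class 0
    l4 = struct.pack("!HH", sport, dport) + payload
    hdr = struct.pack("!IHBB", ver_tc_fl, len(l4), next_hdr, 64)  # payload len, NH, hop limit
    hdr += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return hdr + l4


def get_flow_label(pkt):
    """Low 20 bits of the first 32-bit word."""
    return struct.unpack("!I", pkt[:4])[0] & FLOW_LABEL_MASK


def set_flow_label(pkt, label):
    """Return a copy of pkt with the flow label replaced; version/TC untouched."""
    first = struct.unpack("!I", pkt[:4])[0]
    first = (first & ~FLOW_LABEL_MASK) | (label & FLOW_LABEL_MASK)
    return struct.pack("!I", first) + pkt[4:]


def five_tuple(pkt):
    """(src, dst, next header, sport, dport); ports are 0 when there are none."""
    next_hdr = pkt[6]
    src, dst = pkt[8:24], pkt[24:40]
    if next_hdr in (NEXT_HDR_TCP, NEXT_HDR_UDP) and len(pkt) >= IPV6_HDR_LEN + 4:
        sport, dport = struct.unpack("!HH", pkt[IPV6_HDR_LEN:IPV6_HDR_LEN + 4])
    else:
        sport = dport = 0  # no L4 ports visible: fall back to a 3-tuple
    return src, dst, next_hdr, sport, dport


def keep_low_bits(pkt, bits=8):
    """Option 1: zero the most significant 20-bits bits, keep `bits` low bits."""
    return set_flow_label(pkt, get_flow_label(pkt) & ((1 << bits) - 1))


def rewrite_from_5tuple(pkt, key=FLOW_KEY):
    """Option 2: overwrite the whole label with a keyed hash of the 5-tuple."""
    src, dst, nh, sp, dp = five_tuple(pkt)
    msg = src + dst + struct.pack("!BHH", nh, sp, dp)
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return set_flow_label(pkt, int.from_bytes(digest[:3], "big") & FLOW_LABEL_MASK)


def distinct_labels_after(sanitizer, sender_labels):
    """Size of the alphabet a receiver can still observe when the sender varies
    the label over `sender_labels` on one fixed flow: the covert channel width."""
    seen = set()
    for lab in sender_labels:
        pkt = build_ipv6_packet("2001:db8::1", "2001:db8::2", NEXT_HDR_TCP, lab, 40000, 443)
        seen.add(get_flow_label(sanitizer(pkt)))
    return len(seen)


if __name__ == "__main__":
    pkt = build_ipv6_packet("2001:db8::1", "2001:db8::2", NEXT_HDR_TCP, 0xABCDE, 40000, 443)
    print(hex(get_flow_label(pkt)), hex(get_flow_label(keep_low_bits(pkt))))
    print(distinct_labels_after(lambda p: p, range(1024)),
          distinct_labels_after(keep_low_bits, range(1024)),
          distinct_labels_after(rewrite_from_5tuple, range(1024)))
```

Running the demo over 1024 sender-chosen labels shows the channel alphabet shrinking from 1024 (untouched) to 256 (masking) to 1 (5-tuple rewrite). The rewrite keeps the label constant for a flow, so downstream ECMP/LAG hashes still see a per-flow value, and because the hash is keyed with a device secret, a sender cannot steer its flow to a chosen label simply by knowing the algorithm.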