On 03 Feb 2011, at 13:54 , Steven Blake wrote:

> The firewall could alternatively choose to recompute the lower 8 bits
> using 5-tuple hash, since presumably it is already digging its way
> through the packet headers.

I think sites with this concern would be comfortable with that approach. As you say, a site firewall/border-router that is applying a policy to Flow Label field bits is already rummaging through packet headers looking at various other stuff, so creating its own replacement (full or partial) Flow-Label value is probably not a lot of extra work.

> Actually, a firewall could always choose to rewrite the whole flow label
> with the output of its own hash calculation (or a per-flow cached
> pseudo-random number), eliminating any covert channel.

Exactly so. That noted, Joel is quite correct that a larger sized inter-domain transit/backbone router is not terribly likely to have the ability today to regenerate a Flow Label while also forwarding packets at wire-speed.

Yours,

Ran

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
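To make the two rewriting options in the exchange above concrete, here is an added Python example; it is my illustration, not code from the thread or from any IETF or vendor implementation. It parses a constructed IPv6 packet, derives a keyed hash of the 5-tuple (source, destination, next header, source port, destination port), and either recomputes only the low 8 bits of the 20-bit Flow Label or replaces the whole field. The keyed hash stands in for the "per-flow cached pseudo-random number" alternative as well, since it is stable per flow but unpredictable to the sender. FIREWALL_KEY, build_packet and the function names are assumptions for the demonstration, and extension headers between the base header and the transport ports are not handled.

```python
"""Flow Label rewriting at a site firewall (added example, not from the thread).

Two options: recompute only the low 8 bits of the IPv6 Flow Label from a
5-tuple hash, or replace the whole 20-bit label with the firewall's own hash.
In both cases bits chosen by the sender are overwritten with bits the
firewall controls, which is what removes the covert channel.
All packets and keys below are constructed for the demonstration.
"""
import hashlib
import hmac
import ipaddress
import struct

FLOW_LABEL_MASK = 0xFFFFF   # Flow Label is the low 20 bits of the first word
LOW8_MASK = 0xFF

# Per-firewall secret (constructed value) so an outside observer cannot
# predict the rewritten labels; a real box would generate this at boot.
FIREWALL_KEY = b"constructed-firewall-secret"


def parse_ipv6_header(pkt: bytes):
    """Return (version, traffic_class, flow_label, next_header, src, dst, payload)."""
    if len(pkt) < 40:
        raise ValueError("short IPv6 header")
    (first_word,) = struct.unpack("!I", pkt[:4])
    version = first_word >> 28
    if version != 6:
        raise ValueError("not IPv6")
    traffic_class = (first_word >> 20) & 0xFF
    flow_label = first_word & FLOW_LABEL_MASK
    next_header = pkt[6]
    src = ipaddress.IPv6Address(pkt[8:24])
    dst = ipaddress.IPv6Address(pkt[24:40])
    return version, traffic_class, flow_label, next_header, src, dst, pkt[40:]


def five_tuple(pkt: bytes):
    """(src, dst, next_header, sport, dport); ports only for TCP(6)/UDP(17).
    Simplification: assumes the transport header directly follows the base header."""
    _, _, _, nh, src, dst, payload = parse_ipv6_header(pkt)
    sport = dport = 0
    if nh in (6, 17) and len(payload) >= 4:
        sport, dport = struct.unpack("!HH", payload[:4])
    return (src.packed, dst.packed, nh, sport, dport)


def five_tuple_hash(pkt: bytes) -> int:
    """Keyed 20-bit hash of the 5-tuple: same flow -> same value, but the
    sender cannot steer it because it does not know FIREWALL_KEY."""
    src, dst, nh, sport, dport = five_tuple(pkt)
    msg = src + dst + struct.pack("!BHH", nh, sport, dport)
    digest = hmac.new(FIREWALL_KEY, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big") & FLOW_LABEL_MASK


def set_flow_label(pkt: bytes, label: int) -> bytes:
    """Return a copy of pkt with the Flow Label field replaced."""
    (first_word,) = struct.unpack("!I", pkt[:4])
    first_word = (first_word & ~FLOW_LABEL_MASK) | (label & FLOW_LABEL_MASK)
    return struct.pack("!I", first_word) + pkt[4:]


def rewrite_low8(pkt: bytes) -> bytes:
    """Option 1 (Steven's): keep the sender's upper 12 bits, recompute the low 8."""
    old = parse_ipv6_header(pkt)[2]
    new = (old & ~LOW8_MASK) | (five_tuple_hash(pkt) & LOW8_MASK)
    return set_flow_label(pkt, new)


def rewrite_full(pkt: bytes) -> bytes:
    """Option 2: replace the entire label with the firewall's own hash."""
    return set_flow_label(pkt, five_tuple_hash(pkt))


def build_packet(src, dst, flow_label, sport, dport, nh=6) -> bytes:
    """Construct a minimal IPv6 packet: base header plus the two transport ports."""
    first_word = (6 << 28) | (flow_label & FLOW_LABEL_MASK)   # traffic class 0
    hdr = struct.pack("!IHBB", first_word, 4, nh, 64)          # payload len 4, hop limit 64
    hdr += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return hdr + struct.pack("!HH", sport, dport)


if __name__ == "__main__":
    # Two packets of the same flow whose sender-chosen labels differ: that
    # difference is the covert channel, and it is gone after rewriting.
    a = build_packet("2001:db8::1", "2001:db8::2", 0x12345, 40000, 443)
    b = build_packet("2001:db8::1", "2001:db8::2", 0x1234A, 40000, 443)
    print(hex(parse_ipv6_header(rewrite_full(a))[2]),
          hex(parse_ipv6_header(rewrite_full(b))[2]))
```

With the low-8-bit variant only the sender's top 12 bits survive, so the residual channel shrinks to those bits; the full rewrite leaves the sender no label bits at all. Both variants keep the label constant per flow, so downstream load balancers that hash on it still see one label per flow.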