Case in point about how we are being *extremely* loose in using the term "pseudo random".
If you look at draft-gont-6man-flowlabel-security-01, it proposes two different algorithms for generating Flow Label values. Unless I'm missing something, neither of them actually provides "pseudo randomness". Both have subsequent Flow Label values simply increment a counter to get to the next value. What these algorithms do do is make it very hard for an off-site attacker to guess what Flow Label values are being used. That is probably a good thing. But that is not the same thing as saying that the Flow Labels that are generated are "pseudo random", which is what the current Flow Label documents are saying we need. Part of my objection to the term "pseudo random" is that the term has not been defined within the context of the Flow Label. RFC 4086 "Randomness Requirements for Security" talks quite a bit about pseudo randomness. I don't think we need that for the Flow Label. But without carefully defining terms, that is what is presumably being required... Thomas -------------------------------------------------------------------- IETF IPv6 working group mailing list ipv6@ietf.org Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 --------------------------------------------------------------------
