Fernando, Thomas, On Apr 6, 2011, at 12:22 MDT, Fernando Gont wrote: > Thomas, > > On 05/04/2011 05:36 p.m., Thomas Narten wrote: >> Case in point about how we are being *extremely* loose in using the >> term "pseudo random". > [....] >> Part of my objection to the term "pseudo random" is that the term has >> not been defined within the context of the Flow Label. > > You raise a very good point, indeed. For instance, when we talk about > e.g. "port randomization", we're really talking about "producing port > numbers that are unpredictable by off-path attackers". > > To make this terminology issue worse, it has been argued a few times (by > some mathematician IETFers) that the properties that we need for the > "hash" functions in the hash-based algorithms are really that of PRFs > (Pseudo Random Functions) (i.e., hash functions being a specific example). > > In summary, I agree with the terminology issue that you've raised. I'd > probably argue that the best way to go is to specify which properties we > want for Flow Labels, such as they have been specified for port numbers > in RFC 6056. Namely: > > * We want Flow Labels that unpredictable by off-path attackers (history > has taught us that this is a good proactive measure) > * We want an algorithm for generating FL that produces FLs that do not > repeat with a high frequency (i.e., they are distributed normally)
I like your (attempt at) a more precise definition that Thomas has been asking for. I would think another desirable property of (host-generated?) flow-labels might be that, by default, they strive to preserve privacy of the transmitter. IOW, flow-labels cannot be used to track individuals (over time), because they are traceable back to a particular implementation or, worse, a specific device. > One possible algorithm for achieving these properties is calling a > random()-like function. But there are others, such as the hash-based > algorithms specified in draft-gont-6man-flowlabel-security. Right. -shane > Thanks, > -- > Fernando Gont > e-mail: ferna...@gont.com.ar || fg...@acm.org > PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1 > > > > -------------------------------------------------------------------- IETF IPv6 working group mailing list ipv6@ietf.org Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 --------------------------------------------------------------------
