On 2011-04-06 06:09, Thomas Narten wrote: > Here are my comments on this document. > > My main issue is that it continues to assert that flow labels are > required to be pseudo random. I am not convinced that is necessary and > I think it makes things more complex than necessary.
Emphasis changed to uniform distribution (and some text added why this is desirable). See comments on 3697bis. > Detailed comments: > > Review of -04 > > Also, it could be used as a covert data channel, since apparently > pseudo-random flow label values could in fact consist of covert data. > > drop "pseudo-random" as that is not relevant to the point. Oh yes it is ;-). If the bits are cyphertext encrypted with a good algorithm, as they would be in serious covert usage, they would indeed appear pseudo-random. If somebody included plaintext in the flow label, that would hardly be covert. > > As a result, some security > specialists believe that flow labels should be cleared for safety. > > If you don't have a reference to this, please delete. It's mentioned in draft-gont-6man-flowlabel-security. > > However, it is recommended that sources should set a pseudo-random > flow label value in all flows, replacing the less precise > recommendation made in Section 3 of RFC 3697. Both stateful and > > Again, I don't think we have agreement on this "recommendation". Ack, see above. > mathematically on immutable flow labels. The new rules require that > flow labels exported to the Internet should always be either zero or > pseudo-random, but even this cannot be relied on mathematically. Use > > Pseudo random requirement again... > Ditto. Brian, for the authors -------------------------------------------------------------------- IETF IPv6 working group mailing list ipv6@ietf.org Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 --------------------------------------------------------------------