On 2011-06-02 11:19, Fernando Gont wrote:
> Hi, Brian,
> 
> On 06/01/2011 07:09 PM, Brian E Carpenter wrote:
>> My to-do list included running your algorithm against the
>> same datasets. However, I just looked at your draft again and
>> it seems to be underspecified - you do not define what functions
>> F and G are.
> 
> To some extent, this was intentional. -- Although I do agree I should
> have noted (non-normatively) that MD5 would be a good choice for F().
> 
> As for G(), one could use MD5(), or even something simpler.

OK.

>> And I think it's stateful, because of the statement
>> "if(three-tuple is unique)".
> 
> Not sure what you mean. The specs themselves argue that a flowid
> shouldn't be reused if it's already in use. 

That was RFC3697. RFC3697bis is more relaxed about this point, because
it isn't an essential property for load balancing. If uniqueness
is a hard requirement, you're definitely forced into a stateful
model, but that is out of scope for 3697bis.

> So one could envision that
> the flowid used for a communication instance is stored in the
> corresponding TCB, and that's how it is checked.
> 
> Anyway, the same algorithm could be used without performing that check,
> and simply having faith in the algorithm on the fact that collisions
> will not occur. :-)

Or that they don't matter too much...

>> All we are discussing is a non-normative suggested algorithm,
>> so this is not critical for the draft to go forward IMHO.
> 
> It looks like such an algorithm would belong to a separate document --
> particularly if the suggestion is going to be "non-normative". i.e., a
> separate document could evaluate different algorithms, in a similar way
> we have done so for transport protocol port number randomization.

Yes, the topic is quite complex and I can think of many more tests I
could run, if my time was infinite. All we really need for now is a
not-completely-lame algorithm as an illustration for 3697bis.

> -- BTW, still wondering what could be a sensible way forward for
> draft-gont-6man-flowlabel-security.

What I have learnt doing these tests is that it's complex (as noted)
and maybe it's too soon to know the best approach.

    Brian
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
