Earlier, Jari Arkko wrote:
> In addition, I'm not sure I understand how a router knows that it is a first
> hop router.

My understanding is that the IPv6 WG's compromise regarding the "Flow Label covert channel issue" that has been worked out expressly permits any IPv6 security gateway to rewrite IPv6 Flow Labels from value A to value B, if required by the security policy deployed in that IPv6 security gateway, provided that value B provides the documented required mathematical properties that support load-balancing purposes.

Since IPv6 Flow Label rewriting is allowed under that situation, I don't see any value in restricting the rewriting of IPv6 packets containing a zero IPv6 Flow Label to a non-zero IPv6 Flow Label value -- again, provided the new non-zero value meets the documented required mathematical properties.

So I don't think it matters whether the router performing rewriting is a first-hop router or not. Requiring a check of whether the router is a first-hop router is just wasted computational overhead for the router.

From the perspective of an IPv6 router implementer, the relevant data are
(A) was the IPv6 Flow Label value zero upon receipt by that router,
(B) are the 5 input values easily read by that router, and
(C) is calculating a non-zero Flow Label value reasonable given other computational demands on that router at that moment in time.

For an ASIC-based or FPGA-based IPv6 forwarding engine,
- (A) is trivial to check at wire speed
- (B) is true IFF packet is not fragmented
- (C) is irrelevant since one would throw a few lines of Verilog at the problem

For an NP-based IPv6 forwarding engine,
- (A) is trivial to check at wire speed
- (B) is generally true IFF packet is not fragmented
- (C) depends primarily on how much other processing (e.g. encapsulation/decapsulation) that particular frame might require, and secondarily on the number of NP cycles available while performing at wire-speed

BOTTOM LINE:
If any IPv6 router sees any zero-value Flow Label, the router ought to be permitted (but NOT required) to rewrite the Flow Label value to a non-zero value that meets the published mathematical requirements.

Yours,

Ran

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
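
The optional rewrite discussed in the message above, as an added C example (not from the original post or from any router implementation). It assumes the five inputs are the usual 5-tuple (addresses, protocol, ports), treats them as easily read only when TCP or UDP directly follows the fixed header, and uses FNV-1a as a stand-in hash; the documented mathematical requirements are not reproduced on this page, so the hash choice and the names `maybe_set_flow_label` and `build_sample` are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* FNV-1a: stand-in hash assumed for this example, not a mandated algorithm. */
static uint32_t fnv1a(uint32_t h, const uint8_t *p, size_t n) {
    while (n--) { h ^= *p++; h *= 16777619u; }
    return h;
}

/* Returns the packet's 20-bit Flow Label after the optional rewrite.
 * The packet is modified in place only when checks (A) and (B) both pass. */
uint32_t maybe_set_flow_label(uint8_t *pkt, size_t len) {
    if (len < 40 || (pkt[0] >> 4) != 6) return 0;   /* not a full IPv6 header */
    uint32_t label = ((uint32_t)(pkt[1] & 0x0f) << 16) |
                     ((uint32_t)pkt[2] << 8) | pkt[3];
    if (label != 0) return label;       /* (A) only zero labels are touched */
    uint8_t nh = pkt[6];
    /* (B) ports are read only when TCP (6) or UDP (17) follows directly;
     * Fragment (44) and every other extension header leave the label at 0. */
    if ((nh != 6 && nh != 17) || len < 44) return 0;
    uint32_t h = 2166136261u;
    h = fnv1a(h, pkt + 8, 32);          /* source + destination address */
    h = fnv1a(h, &nh, 1);               /* protocol */
    h = fnv1a(h, pkt + 40, 4);          /* source + destination port */
    label = (h ^ (h >> 20)) & 0xfffffu; /* fold 32 bits down to 20 */
    if (label == 0) label = 1;          /* rewritten value must be non-zero */
    pkt[1] = (uint8_t)((pkt[1] & 0xf0) | (label >> 16)); /* keep traffic class */
    pkt[2] = (uint8_t)(label >> 8);
    pkt[3] = (uint8_t)label;
    return label;
}

/* Constructed sample: 2001:db8::1 -> 2001:db8::2, ports 49152 -> 443. */
size_t build_sample(uint8_t *b, uint8_t nh) {
    memset(b, 0, 48);
    b[0] = 0x60; b[5] = 8; b[6] = nh; b[7] = 64;
    b[8] = 0x20; b[9] = 0x01; b[10] = 0x0d; b[11] = 0xb8; b[23] = 1;
    b[24] = 0x20; b[25] = 0x01; b[26] = 0x0d; b[27] = 0xb8; b[39] = 2;
    b[40] = 0xc0; b[41] = 0x00; b[42] = 0x01; b[43] = 0xbb;
    return 48;
}

int main(void) {
    uint8_t p[48];
    size_t n = build_sample(p, 6);
    printf("label=%05x\n", (unsigned)maybe_set_flow_label(p, n));
    return 0;
}
```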