On 01/27/2012 07:49 AM, Florian Weimer wrote:
>> I have just posted a revision of the aforementioned I-D. It is available
>> at: <http://tools.ietf.org/id/draft-gont-6man-flowlabel-security-02.txt>
>>
>> Any comments will be appreciated.
> 
> Destination-specific counters introduce state keeping requirements and
> concurrency bottlenecks.  Are those really necessary?

There are no "destination-specific" counters. Just a global counter, or
a set of counters (for the double-hash algorithm).


> I would like to see actual use of the flow label field which doesn't
> suffer from denial of service issues (by creating many flows with the
> same label, 

Well, *this* is no different from doing load-sharing based on the
five-tuple (protocol, src ip, src port, dst ip, dst port).


> undermining things like label-based load distribution) or
> traffic parasitism.  Furthermore, RFC 6437 allows modification of the
> flow label header in transit, so I really doubt that there are any such
> applications.

There's no checksum on the Flow Label, and it's not even protected by
IPsec, so... how could RFC6437 possibly "forbid modification of the flow
label"? (other than "nodes MUST NOT modify the FL....Good *luck*, btw!")

Thanks,
-- 
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492



--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
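
Added illustration, not part of the original message or of the draft's text: a sketch of the two counter schemes the reply mentions (a single global counter, and a fixed set of counters for the double-hash variant), written in the style of the RFC 6056 port-selection algorithms, to show that the counter state does not grow with the number of destinations. The class names, HMAC-SHA256 as the keyed hash, the 16-slot table, the keys and the 2001:db8:: addresses are all assumptions made for this example.

```python
import hashlib
import hmac
import ipaddress

FL_MASK = (1 << 20) - 1  # the IPv6 Flow Label is a 20-bit field

def prf(key, src, dst):
    """Keyed hash of (src, dst); HMAC-SHA256 is an assumed stand-in for F/G."""
    msg = ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:4], "big")

class SimpleHash:
    """One global counter; the keyed offset separates (src, dst) label spaces."""
    def __init__(self, key):
        self.key, self.counter = key, 0

    def next_label(self, src, dst):
        label = (self.counter + prf(self.key, src, dst)) & FL_MASK
        self.counter = (self.counter + 1) & FL_MASK  # shared by every flow
        return label

class DoubleHash:
    """Fixed table of counters; a second keyed hash picks the slot."""
    def __init__(self, key1, key2, slots=16):
        self.key1, self.key2, self.table = key1, key2, [0] * slots

    def next_label(self, src, dst):
        idx = prf(self.key2, src, dst) % len(self.table)
        label = (prf(self.key1, src, dst) + self.table[idx]) & FL_MASK
        self.table[idx] = (self.table[idx] + 1) & FL_MASK
        return label

def demo():
    """Contact 1000 constructed destinations; return the counter state used."""
    src = "2001:db8::1"
    simple, double = SimpleHash(b"A" * 16), DoubleHash(b"B" * 16, b"C" * 16)
    for i in range(1000):
        dst = f"2001:db8:ffff::{i:x}"
        simple.next_label(src, dst)
        double.next_label(src, dst)
    return simple.counter, len(double.table), sum(double.table)

if __name__ == "__main__":
    print(demo())
```

After 1000 distinct destinations the simple scheme still holds one counter and the double-hash scheme still holds its 16 slots; only the counter values have advanced.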
