Hello all,

On 22/04/05, David Malone <[EMAIL PROTECTED]> wrote:
> Using the flow label to validate received ICMP error messages is
> quite appealing in light of draft-gont-tcpm-icmp-attacks-03. It
> could also be used for validating ICMP messages generated by UDP
> packets, where sequence numbers are not available but a flow label
> could be set.

This is an interesting security point, but it could mean some processing overhead when not needed. For example, in UDP DNS queries draft-gont-tcpm-icmp-attacks-03 shouldn't have that much of an impact since no session is established. I still see much more benefit in using the Flow Label for 6SLAs. If this indeed will be a common use for the Flow Label then we should take into consideration that probably many (if not most) service providers will not allow their customers to set the Flow Label field and enforce a zero label on all ingress traffic in order to allow 6SLAs to work properly.

Of course, if the label will also be used to classify traffic for diffserv then this is one more reason for SPs to override the label to zero on all ingress traffic from customers.

-- Ran.

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
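
The check discussed in this message, as an added example that is not part of the original thread: a receiver compares the flow label quoted inside an ICMPv6 error with the label it sent for that flow, and treats a label zeroed in transit (the provider behaviour raised in the reply) as unverifiable rather than forged. The function names, the three-way verdict and the per-(source, destination) lookup table are assumptions made for illustration; the sample packets are constructed.

```python
import ipaddress
import struct

ICMP6_HDR_LEN = 8   # type, code, checksum, 4-byte type-specific field
IPV6_HDR_LEN = 40   # fixed IPv6 header quoted at the start of the error body

def parse_quoted_header(icmp6: bytes):
    """Return (src, dst, flow_label) of the packet quoted in an ICMPv6 error."""
    if len(icmp6) < ICMP6_HDR_LEN + IPV6_HDR_LEN:
        raise ValueError("truncated ICMPv6 error")
    if icmp6[0] >= 128:  # types 128-255 are informational, not errors
        raise ValueError("not an ICMPv6 error message")
    inner = icmp6[ICMP6_HDR_LEN:ICMP6_HDR_LEN + IPV6_HDR_LEN]
    word0 = struct.unpack("!I", inner[:4])[0]  # version | traffic class | flow label
    if word0 >> 28 != 6:
        raise ValueError("quoted packet is not IPv6")
    src = ipaddress.IPv6Address(inner[8:24])
    dst = ipaddress.IPv6Address(inner[24:40])
    return src, dst, word0 & 0xFFFFF

def check_icmp_error(icmp6: bytes, sent_labels: dict) -> str:
    """Verdict for an error: 'accept', 'unverifiable' or 'reject' (assumed policy)."""
    try:
        src, dst, label = parse_quoted_header(icmp6)
    except ValueError:
        return "reject"
    expected = sent_labels.get((src, dst))
    if expected is None:
        return "reject"        # we have no flow between these addresses
    if label == expected and expected != 0:
        return "accept"        # quoted label matches what we sent
    if label == 0:
        return "unverifiable"  # unset or zeroed on ingress: use other checks
    return "reject"            # non-zero label we never sent on this flow

def build_sample_error(src: str, dst: str, label: int, icmp_type: int = 1) -> bytes:
    """Constructed sample: ICMPv6 error quoting only an IPv6 header (checksum 0)."""
    icmp_hdr = struct.pack("!BBHI", icmp_type, 0, 0, 0)
    word0 = (6 << 28) | (label & 0xFFFFF)
    inner = struct.pack("!IHBB", word0, 0, 17, 64)  # length 0, next header UDP, hops 64
    inner += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return icmp_hdr + inner

# Constructed flow table: label 0x12345 was sent from 2001:db8::1 to 2001:db8::53.
SENT = {(ipaddress.IPv6Address("2001:db8::1"), ipaddress.IPv6Address("2001:db8::53")): 0x12345}
```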