Re: Extracting the 5-tuple from IPv6 packets

2010-04-23 Thread Florian Weimer
* Brian E. Carpenter: > Common practice in network monitoring and in QoS technologies > is to identify a flow of packets by the 5-tuple > {source address, dest address, source port, dest port, protocol #}. > This is relatively trivial at line speed in IPv4 since > these things are at fixed locatio

Re: Extracting the 5-tuple from IPv6 packets

2010-04-15 Thread Brian E Carpenter
Simon, On 2010-04-16 05:40, Simon Perreault wrote: > On 2010-04-15 11:22, Joel M. Halpern wrote: >> However, a network can not give QoS treatment purely on the basis of >> source and dest IPv6 address plus flow label. There simply is not enough >> information. A client provided flow label is not a

Re: Extracting the 5-tuple from IPv6 packets

2010-04-15 Thread Simon Perreault
On 2010-04-15 11:22, Joel M. Halpern wrote: However, a network can not give QoS treatment purely on the basis of source and dest IPv6 address plus flow label. There simply is not enough information. A client provided flow label is not a DSCP code point. My point with comparing this proposal wit

Re: Extracting the 5-tuple from IPv6 packets

2010-04-15 Thread Shane Amante
> Bert > > -Original Message- > From: ipv6-boun...@ietf.org [mailto:ipv6-boun...@ietf.org] On Behalf Of > Manfredi, Albert E > Sent: Thursday, April 15, 2010 1:08 PM > To: Joel M. Halpern > Cc: ipv6@ietf.org > Subject: RE: Extracting the 5-tuple from IPv6 packets >

RE: Extracting the 5-tuple from IPv6 packets

2010-04-15 Thread Manfredi, Albert E
lf Of Manfredi, Albert E Sent: Thursday, April 15, 2010 1:08 PM To: Joel M. Halpern Cc: ipv6@ietf.org Subject: RE: Extracting the 5-tuple from IPv6 packets > -Original Message- > From: ipv6-boun...@ietf.org [mailto:ipv6-boun...@ietf.org] On > If we can count on hosts setting the

RE: Extracting the 5-tuple from IPv6 packets

2010-04-15 Thread Manfredi, Albert E
> -Original Message- > From: ipv6-boun...@ietf.org [mailto:ipv6-boun...@ietf.org] On > If we can count on hosts setting the flow label with suitable > granularity, then we can use the flow label (plus src and dest IPv6 > address) in our ECMP and LAG hashes without having to look > for

Re: Extracting the 5-tuple from IPv6 packets

2010-04-15 Thread Mohacsi Janos
On Thu, 15 Apr 2010, Joel M. Halpern wrote: There seem to be two separate things going on here, and they appear to be getting mixed. The first thing is the notion that the host should set a non-zero value into the flow label. They should do so with the constraint that different packets

Re: Extracting the 5-tuple from IPv6 packets

2010-04-15 Thread Steven Blake
On Thu, 15 Apr 2010 11:22:09 -0400, "Joel M. Halpern" wrote: > The one obvious conclusion here is that if we want hosts to actually set > flow labels, then we are largely preempting network modification of > those flow labels. Whatever setting we want to allow, it would have to > preserve the

Re: Extracting the 5-tuple from IPv6 packets

2010-04-15 Thread Rémi Després
On 15 Apr 2010, at 00:26, Brian E Carpenter wrote: > Or we can strongly recommend that all hosts set the flow label, so > that we can use the 3-tuple {source address, dest address, flow label}. > > What do people think? In view of Mark's remark about the impossibility for routers to identify

Re: Extracting the 5-tuple from IPv6 packets

2010-04-15 Thread Joel M. Halpern
There seem to be two separate things going on here, and they appear to be getting mixed. The first thing is the notion that the host should set a non-zero value into the flow label. They should do so with the constraint that different packets which are part of the same flow MUST have the sam

Re: Extracting the 5-tuple from IPv6 packets

2010-04-15 Thread Mohacsi Janos
On Thu, 15 Apr 2010, Simon Perreault wrote: On 2010-04-15 10:38, Mohacsi Janos wrote: Why cope with QoS if somebody is sending packets to black-hole? I don't understand your question, but here's an example use case of the attack I'm suggesting: I want to evade an SFQ QoS for a single fl

Re: Extracting the 5-tuple from IPv6 packets

2010-04-15 Thread Vishwas Manral
Hi, I agree with Francis that there is the issue of the transport headers not being present in the first fragment itself. In IPv4 the minimum fragment size is 64 which means the first fragment has the header (even when options are present). We have a draft to take care of this for IPv6: http://t

Re: Extracting the 5-tuple from IPv6 packets

2010-04-15 Thread Simon Perreault
On 2010-04-15 10:38, Mohacsi Janos wrote: Why cope with QoS if somebody is sending packets to black-hole? I don't understand your question, but here's an example use case of the attack I'm suggesting: I want to evade an SFQ QoS for a single flow. If the QoS is based on the flow field, I can

Re: Extracting the 5-tuple from IPv6 packets

2010-04-15 Thread Mohacsi Janos
On Thu, 15 Apr 2010, Simon Perreault wrote: On 2010-04-15 10:32, Mohacsi Janos wrote: So as put garbage to src and dst port. Not as easy because a host often has no control on the destination port. Google won't talk to me unless I put 80 in there. Why cope with QoS if somebody is sendin

Re: Extracting the 5-tuple from IPv6 packets

2010-04-15 Thread Simon Perreault
On 2010-04-15 10:32, Mohacsi Janos wrote: So as put garbage to src and dst port. Not as easy because a host often has no control on the destination port. Google won't talk to me unless I put 80 in there. Simon -- NAT64/DNS64 open-source --> http://ecdysis.viagenie.ca STUN/TURN server-

Re: Extracting the 5-tuple from IPv6 packets

2010-04-15 Thread Mohacsi Janos
On Thu, 15 Apr 2010, Simon Perreault wrote: On 2010-04-14 18:26, Brian E Carpenter wrote: Common practice in network monitoring and in QoS technologies is to identify a flow of packets by the 5-tuple {source address, dest address, source port, dest port, protocol #}. Or we can strongly re

Re: Extracting the 5-tuple from IPv6 packets

2010-04-15 Thread Francis Dupont
In your previous mail you wrote: any implementation (hardware or software) that extracts the 5-tuple has to follow the linked list to the end. => and in a rare case ports are not in the first fragment... Or we can strongly recommend that all hosts set the flow label, so that we c

Re: Extracting the 5-tuple from IPv6 packets

2010-04-15 Thread Simon Perreault
On 2010-04-14 18:26, Brian E Carpenter wrote: Common practice in network monitoring and in QoS technologies is to identify a flow of packets by the 5-tuple {source address, dest address, source port, dest port, protocol #}. Or we can strongly recommend that all hosts set the flow label, so tha

Re: Extracting the 5-tuple from IPv6 packets

2010-04-15 Thread Mohacsi Janos
On Thu, 15 Apr 2010, Brian E Carpenter wrote: Hi, Common practice in network monitoring and in QoS technologies is to identify a flow of packets by the 5-tuple {source address, dest address, source port, dest port, protocol #}. This is relatively trivial at line speed in IPv4 since these thi

Re: Extracting the 5-tuple from IPv6 packets

2010-04-14 Thread Christopher Morrow
On Wed, Apr 14, 2010 at 7:16 PM, Bob Hinden wrote: > Brian, > > On Apr 14, 2010, at 3:26 PM, Brian E Carpenter wrote: > >> Hi, >> >> Common practice in network monitoring and in QoS technologies >> is to identify a flow of packets by the 5-tuple >> {source address, dest address, source port, dest

Re: Extracting the 5-tuple from IPv6 packets

2010-04-14 Thread Christopher Morrow
On Wed, Apr 14, 2010 at 7:03 PM, Vishwas Manral wrote: > Hi Brian, > >> Or we can strongly recommend that all hosts set the flow label, so >> that we can use the 3-tuple {source address, dest address, flow label}. > Using a 3-tuple helps in stateless firewalls/ middle boxes/ ECMP, > which cannot/

Re: Extracting the 5-tuple from IPv6 packets

2010-04-14 Thread james woodyatt
On Apr 14, 2010, at 15:26, Brian E Carpenter wrote: > > What do people think? I think this topic reminds me of . "This document proposes a new family of IPv6 extension headers that will be encoded in a consistent format so that it is p

Re: Extracting the 5-tuple from IPv6 packets

2010-04-14 Thread Bob Hinden
Brian, On Apr 14, 2010, at 3:26 PM, Brian E Carpenter wrote: > Hi, > > Common practice in network monitoring and in QoS technologies > is to identify a flow of packets by the 5-tuple > {source address, dest address, source port, dest port, protocol #}. > This is relatively trivial at line speed

Re: Extracting the 5-tuple from IPv6 packets

2010-04-14 Thread Brian E Carpenter
> [Senthil] In order to get to the port numbers you would still have to > traverse the extension headers and in the process you would identify the > protocol too, isn't that right? Oh my yes! How embarrassing, but it makes the problem even worse. Regards Brian Carpenter On 2010-04-15 10:42,

Re: Extracting the 5-tuple from IPv6 packets

2010-04-14 Thread Vishwas Manral
Hi Brian, > Or we can strongly recommend that all hosts set the flow label, so > that we can use the 3-tuple {source address, dest address, flow label}. Using a 3-tuple helps in stateless firewalls/ middle boxes/ ECMP, which cannot/ do-not reassemble all fragments. The 5-tuple is not available for

RE: Extracting the 5-tuple from IPv6 packets

2010-04-14 Thread Senthil Sivakumar (ssenthil)
-Original Message- From: ipv6-boun...@ietf.org [mailto:ipv6-boun...@ietf.org] On Behalf Of Brian E Carpenter Sent: Wednesday, April 14, 2010 6:26 PM To: 6man Cc: Nevil Brownlee Subject: Extracting the 5-tuple from IPv6 packets Hi, Common practice in network monitoring and in QoS techno