
RE: Flow label and its uses



Hi Spencer,

I agree relying on the Flow-label when it traverses the unprotected
network may not be the best option. 

However, in the tunnel-mode case I do not think that issue will arise;
besides, at the tunnel tail egress we will not really check the
flow label to identify an SA, but an SPI. DSCP fields are already used the
same way (we use them to identify an outgoing tunnel and don't use them
for identifying an incoming one).

Thanks,
Vishwas
-----Original Message-----
From: owner-v6ops@ops.ietf.org [mailto:owner-v6ops@ops.ietf.org] On
Behalf Of Spencer Dawkins
Sent: Monday, January 23, 2006 6:54 PM
To: v6ops@ops.ietf.org
Subject: Re: Flow label and its uses

Hi, Vishwas,

The point I was trying to make was that since flow labels are
unprotected, you can use them unless you must trust them.

Having a device that alters flow labels for some random reason in the
middle of the network basically says we couldn't use flow labels to
correlate packet captures taken at two points in the network. If we
could trust them (AH-protected), we could use them, but a per-packet AH
operation to make sure we can trust them isn't reasonable, in our
situation.

Sorry if this wasn't clear.

Spencer

From: "Vishwas Manral" <Vishwas@sinett.com>
To: "Spencer Dawkins" <spencer@mcsr-labs.org>; <v6ops@ops.ietf.org>
Sent: Sunday, January 22, 2006 11:04 PM
Subject: RE: Flow label and its uses


Hi Spencer,

I may be missing the point; however I would like to understand what you
mean.

In IPsec for the SG-to-SG case, assume we get a plain packet. By
processing fields in the packet (could be the DSCP field, source and
destination address, protocol field, upper header message type, etc.)
we decide the outgoing SA, identified by an SPI. The packet reaches the
tunnel tail end and, using the SPI, we identify the incoming tunnel and
authenticate/decrypt the packet.

What I have been saying is that, just as we use fields in the plain
packet to identify an outgoing SA, we could (instead of using a 5-tuple)
use a flow label, which is available in all packets. The 5-tuple may not
be available in all IP packets.

It would be nice to understand how this is equivalent to setting the
"Security Bit"?

Thanks,
Vishwas
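The SG-to-SG processing described in the two messages above (head end selects the outgoing SA from plain-packet fields such as the flow label; tail end identifies the incoming SA by SPI alone), as an added example that is not code from the thread or from any IPsec implementation. The SPD/SAD tables, addresses and SPIs are constructed for illustration.

```python
import struct

ESP = 50           # IPv6 Next Header value for ESP
FRAGMENT = 44      # IPv6 Next Header value for the Fragment header

def parse_ipv6(pkt: bytes) -> dict:
    """Decode the fixed IPv6 header: version, DSCP, 20-bit flow label, next header."""
    vtcfl, plen, nh, _hlim = struct.unpack("!IHBB", pkt[:8])
    return {"version": vtcfl >> 28, "dscp": (vtcfl >> 22) & 0x3F,
            "flow_label": vtcfl & 0xFFFFF, "next_header": nh,
            "src": pkt[8:24], "dst": pkt[24:40], "payload": pkt[40:40 + plen]}

# Constructed tables (hypothetical SG-to-SG setup, not from the thread).
OUTBOUND_SPD = {0x12345: 0x1001, 0xABCDE: 0x1002}                # flow label -> outgoing SPI
INBOUND_SAD = {0x1001: "sa-from-sg-a", 0x1002: "sa-from-sg-b"}   # SPI -> incoming SA

def select_outbound_spi(pkt: bytes):
    """Head end: pick the outgoing SA from the flow label, which is present even
    when the transport header (and so the 5-tuple) is not, e.g. in a non-first
    fragment.  A zero flow label carries no flow identity, so nothing matches."""
    hdr = parse_ipv6(pkt)
    if hdr["version"] != 6 or hdr["flow_label"] == 0:
        return None
    return OUTBOUND_SPD.get(hdr["flow_label"])

def lookup_inbound_sa(pkt: bytes):
    """Tail end: identify the SA by the SPI in the ESP header only.  The outer
    flow label is never consulted, so a label altered in transit cannot steer
    the packet to a different SA."""
    hdr = parse_ipv6(pkt)
    if hdr["version"] != 6 or hdr["next_header"] != ESP or len(hdr["payload"]) < 4:
        return None
    spi = struct.unpack("!I", hdr["payload"][:4])[0]
    return INBOUND_SAD.get(spi)

def build_ipv6(flow_label: int, next_header: int, payload: bytes) -> bytes:
    """Constructed test packet: version 6, traffic class 0, documentation-prefix addresses."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    vtcfl = (6 << 28) | (flow_label & 0xFFFFF)
    return struct.pack("!IHBB", vtcfl, len(payload), next_header, 64) + src + dst + payload
```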
-----Original Message-----
From: owner-v6ops@ops.ietf.org [mailto:owner-v6ops@ops.ietf.org] On
Behalf Of Spencer Dawkins
Sent: Saturday, January 21, 2006 7:53 PM
To: v6ops@ops.ietf.org
Subject: Re: Flow label and its uses

I'm out of the "deep packet inspection" business for now, but I did
spend about 18 months building products in this space...

Although in a perfect world it would be lovely to know that flow labels
didn't change end-to-end, if that lovely thought requires a per-packet
AH operation on middleboxes, it's probably beyond what people can build
and sell at affordable prices now, and (since end-to-end AH would be
using CPU at each endpoint, while a middlebox verifying AH has to use
its own CPU for all the packets it processes), Moore's Law doesn't seem
all that helpful in planning for the future, either.

Maybe the RFC 3514 Security Bit from IPv4 should have an IPv6
counterpart that says, "I promise that this packet is AH protected and
hasn't been dorked with, so you can believe the flow label"? That would
help a lot...

:-)

Spencer

From: "Vishwas Manral" <Vishwas@sinett.com>
To: "Brian E Carpenter" <brc@zurich.ibm.com>
Cc: "Pekka Savola" <pekkas@netcore.fi>; "Bora Akyol" <bora@broadcom.com>;
"Fred Baker" <fred@cisco.com>; <v6ops@ops.ietf.org>
Sent: Saturday, January 21, 2006 2:54 AM
Subject: RE: Flow label and its uses


Brian,

That is exactly what I am trying to say too. For cases where we need to
do deep packet inspection, if we could guarantee the flow label is not
mutable etc it could be used. Examples of which could be IPsec, though
it is not currently done that way.

Regarding Alain Durand's question, I agree the field is just as mutable
as the DSCP field or any other field in the outer header. Currently in
IPsec, to identify an outgoing SA we could use the protocol as well as
port numbers (an SA for an application), and in a few cases we may not
have all the inner header information. Having a flow label helps in this
case.

We could have protected it using AH. However for backward compatibility
reasons this is not done (as has been pointed out earlier by Fred).

Using the flow label could make the work of on-path devices which do
deeper packet inspection easier in some cases.

Thanks,
Vishwas
-----Original Message-----
From: Brian E Carpenter [mailto:brc@zurich.ibm.com]
Sent: Friday, January 20, 2006 6:00 PM
To: Vishwas Manral
Cc: Pekka Savola; Bora Akyol; Fred Baker; v6ops@ops.ietf.org
Subject: Re: Flow label and its uses

Vishwas Manral wrote:
>...  I am sure things like load balancing which require
> deeper packet inspection can also be done.

The whole point is that you will not need deep packet inspection
if the flow label is set by the source.

    Brian