
Re: Flow label and its uses



Hi,

I agree totally with Brian. I had sent a mail regarding the same earlier, but it somehow disappeared in transit.

That said, we could use it either as normal selectors and signal it using IKE or as DSCP and not signal it using IKE.

Thanks,
Vishwas
=============================================================
Brian said=>

As the flow label spec says (RFC 3697, section 5.1), you can
trust the flow label just as much as you can trust the source
and destination addresses - exactly the same attackers can forge
any of them. As Spencer and Thomas have pointed out, it's too
expensive to check an authenticator at each hop, and the hops
cannot know the relevant keys anyway.


So, you can use the address pair and flow label for classification,
just as safely (or dangerously) as you can use the address pair
and the DSCP. There's no impact on the applicable threats.
A MITM can change any of them.


The key difference from the DSCP in this regard is only that the
DSCP is defined as mutable at domain boundaries and the flow
label is defined as immutable. In both cases, you can't detect
if someone breaks those rules. That constrains the use cases -
erroneous usage mustn't change the basic semantics of unreliable
datagram delivery to the intended destination. RFC 2474 and
RFC 3697 both assume this - i.e. the added threat is theft
of QoS.

In a connectionless datagram network, it seems impossible to
do better.

Brian

Bora Akyol wrote:
Flow label is not a field that is protected by IPSEC,
hence I do not think you can use this as a selector.

Unless you do modifications to IKEv2, you can not also let
the other end know what exactly the SP (security policy)
is based on.

Frankly, use of flow label as a selector would be a hack
to get around the problem of the full security policy lookup
in IPSEC at high speeds. The truth is that this has not
been a problem for at least 4-5 years now as long
as the selectors themselves are TCAM friendly.

Bora



-----Original Message-----
From: Vishwas Manral [mailto:Vishwas@sinett.com]
Sent: Tuesday, January 31, 2006 2:08 AM
To: Bora Akyol; Spencer Dawkins; v6ops@ops.ietf.org
Subject: RE: Flow label and its uses

Bora,


Does this mean that you are using the flow label in lieu of the regular IPSEC SP match?
All I am saying is just as we can have local and remote ports as selectors; we can instead use Flow Labels along with the IP addresses for the same purpose, if some assumptions can be made for the flow label.
Is my understanding wrong?

Thanks,
Vishwas
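As an added illustration of the point Bora and Brian make above (example code written for this archive page, not anything from the thread or from any IPsec implementation): the fixed IPv6 header is parsed, a classification key is built from the address pair plus flow label (RFC 3697 style) and from the address pair plus DSCP (RFC 2474 style), and the RFC 4302 AH rule that zeroes the mutable base-header fields (DSCP, ECN, flow label, hop limit) before the ICV is applied, so two headers that differ only in those fields authenticate identically. The HMAC key and addresses are constructed sample values, and the ICV input is restricted to the base header for brevity (real AH also covers extension headers, the AH header and the payload).

```python
import hashlib
import hmac
import ipaddress
import struct

def build_ipv6_header(src, dst, flow_label, dscp=0, ecn=0,
                      payload_len=0, next_header=59, hop_limit=64):
    """Build the 40-byte IPv6 fixed header (next_header 59 = no next header)."""
    traffic_class = (dscp << 2) | ecn                 # DSCP is the top 6 bits of TC
    first_word = (6 << 28) | (traffic_class << 20) | (flow_label & 0xFFFFF)
    return (struct.pack("!IHBB", first_word, payload_len, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)

def parse_ipv6_header(hdr):
    """Return the fields a classifier or IPsec selector lookup would read."""
    first_word, payload_len, next_header, hop_limit = struct.unpack("!IHBB", hdr[:8])
    return {
        "version": first_word >> 28,
        "dscp": (first_word >> 22) & 0x3F,
        "ecn": (first_word >> 20) & 0x3,
        "flow_label": first_word & 0xFFFFF,
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(hdr[8:24])),
        "dst": str(ipaddress.IPv6Address(hdr[24:40])),
    }

def flow_label_key(hdr):
    """RFC 3697-style classification: address pair plus (immutable) flow label."""
    f = parse_ipv6_header(hdr)
    return (f["src"], f["dst"], f["flow_label"])

def dscp_key(hdr):
    """RFC 2474-style classification: address pair plus (mutable) DSCP."""
    f = parse_ipv6_header(hdr)
    return (f["src"], f["dst"], f["dscp"])

def ah_icv_input(hdr):
    """RFC 4302 3.3.3.1.2: DSCP, ECN, flow label and hop limit are mutable and
    are zeroed before the ICV is computed, so AH never vouches for them."""
    first_word, payload_len, next_header, _hop_limit = struct.unpack("!IHBB", hdr[:8])
    first_word &= 0xF0000000                           # keep only the version nibble
    return struct.pack("!IHBB", first_word, payload_len, next_header, 0) + hdr[8:]

def ah_icv(key, hdr):
    """Truncated HMAC-SHA-256 over the base header with mutable fields zeroed."""
    return hmac.new(key, ah_icv_input(hdr), hashlib.sha256).digest()[:16]
```

Two headers that share addresses but carry different flow labels and DSCPs land in different classification buckets yet produce the same ICV, which is why neither field can be relied on as an authenticated selector.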