
Re: Re: question about IPv6 Flow label



Hi,

I think that the flow label can be put to good use by a firewall. The firewall does not need to know the ports to identify a flow. It makes sense for encrypted flows, such as IPsec.

Thanks.

Dong Zhang
Huaweisymantec Technologies Co., Ltd


----- Original Message -----
From: David Malone <dwmalone@maths.tcd.ie>
Date: Monday, May 18, 2009, 6:54 PM
Subject: Re: question about IPv6 Flow label
To: marcelo bagnulo braun <marcelo@it.uc3m.es>
Cc: 'IPv6 Operations' <v6ops@ops.ietf.org>, Hesham Soliman <hesham@elevatemobile.com>, "Tsirtsis, George" <tsirtsis@qualcomm.com>


> On Mon, May 18, 2009 at 03:22:46AM +0200, marcelo bagnulo braun wrote:
>  > In the MEXT WG we are discussing using the Flow Label as a flow
>  > descriptor and we were wondering how widely implemented is RFC3697.
>  > In particular, how many of the current OSes actually do:
>  
>  I had a look at this a few years ago with Orla McGann, because we
>  wanted to know if the flow label could be used by a stateful firewall:
>  
>  	http://www.maths.tcd.ie/~dwmalone/p/ec2nd05.pdf
>  
>  It seemed that there were some problems where the flow label was
>  not set consistently. We fixed this up in FreeBSD, so I can tell
>  you what happens there. For TCP the flow label is usually set
>  randomly, either using a hash of the connection details (+ a secret)
>  or is set randomly using a PRNG. At the moment there isn't a check
>  to make sure the flow label is not shared between two flows.
>  
>  For UDP, I think the flow label will default to zero.
>  
>  	David.
>  
>
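
The quoted message notes that nothing checks whether two flows share a flow label, which matters to a firewall that keys its state on the label instead of the ports. The sketch below is an added example, not part of the thread and not FreeBSD's code; HMAC-SHA256, the documentation-prefix addresses and all function names are assumptions.

```python
import hashlib
import hmac
import ipaddress
import struct

FLOW_LABEL_BITS = 20  # width of the IPv6 flow label field

def flow_label(secret, src, dst, sport, dport, proto=6):
    """20-bit label from a keyed hash of the connection details.
    HMAC-SHA256 is an assumption; the message only says "a hash ... (+ a secret)"."""
    msg = (ipaddress.IPv6Address(src).packed
           + ipaddress.IPv6Address(dst).packed
           + struct.pack("!HHB", sport, dport, proto))
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << FLOW_LABEL_BITS) - 1)

def count_aliased(label_for, n_flows, src="2001:db8::1", dst="2001:db8::2", dport=443):
    """Open n_flows connections between one host pair (constructed data) and
    count those whose (src, dst, label) state key is already held by another flow."""
    table = {}    # firewall state: (src, dst, label) -> ports of the first flow seen
    aliased = 0
    for sport in range(1024, 1024 + n_flows):
        key = (src, dst, label_for(src, dst, sport, dport))
        if key in table:
            aliased += 1          # a port-blind firewall would treat these as one flow
        else:
            table[key] = (sport, dport)
    return aliased

def expected_colliding_pairs(n_flows):
    """Birthday estimate: pairs of flows expected to share a uniformly random label."""
    return n_flows * (n_flows - 1) / 2 / (1 << FLOW_LABEL_BITS)

if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    hashed = lambda *conn: flow_label(secret, *conn)
    zero = lambda *conn: 0        # the all-zero label the message expects for UDP
    for n in (100, 1000, 10000):
        print(n, count_aliased(hashed, n), round(expected_colliding_pairs(n), 2),
              count_aliased(zero, n))
```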