
Re: Reply: Re: question about IPv6 Flow label



Even, or perhaps especially, the authors of 3697 would disagree with you
as to the security value you can associate with flow labels.

joel

ZhangDong wrote:
> Hi,
> 
> I think the flow label could be of good use for firewalls. The firewall does not need to know the ports to identify a flow. It makes sense for encrypted flows, such as IPsec.
> 
> Thanks.
> 
> Dong Zhang
> Huaweisymantec Technologies Co., Ltd
> 
> 
> ----- Original Message -----
> From: David Malone <dwmalone@maths.tcd.ie>
> Date: Monday, 18 May 2009, 6:54 PM
> Subject: Re: question about IPv6 Flow label
> To: marcelo bagnulo braun <marcelo@it.uc3m.es>
> Cc: 'IPv6 Operations' <v6ops@ops.ietf.org>, Hesham Soliman <hesham@elevatemobile.com>, "Tsirtsis, George" <tsirtsis@qualcomm.com>
> 
> 
>> On Mon, May 18, 2009 at 03:22:46AM +0200, marcelo bagnulo braun wrote:
>>  > In the MEXT WG we are discussing using the Flow Label as a flow
>>  > descriptor and we were wondering how widely implemented RFC3697 is.
>>  > In particular, how many of the current OSes actually do:
>>  
>>  I had a look at this a few years ago with Orla McGann, because we
>>  wanted to know if the flow label could be used by a stateful firewall:
>>  
>>  	http://www.maths.tcd.ie/~dwmalone/p/ec2nd05.pdf
>>  
>>  It seemed that there were some problems where the flow label was
>>  not set consistently. We fixed this up in FreeBSD, so I can tell
>>  you what happens there. For TCP the flow label is usually set
>>  randomly, either using a hash of the connection details (+ a secret)
>>  or using a PRNG. At the moment there isn't a check
>>  to make sure the flow label is not shared between two flows.
>>  
>>  For UDP, I think the flow label will default to zero.
>>  
>>  	David.
>>  
>>  
>
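A worked illustration of the assignment scheme David describes for FreeBSD (a keyed hash of the connection details truncated to the 20-bit label, no check that two flows get distinct labels, UDP defaulting to zero). This is added here and is not FreeBSD code or code from anyone on the thread; the HMAC-SHA256 construction, the 2001:db8:: addresses and the port range are assumptions. It goes one step beyond the message by attaching the birthday-bound collision estimate, which is why a firewall cannot treat the label as a unique flow key.

```python
"""Flow-label assignment as a keyed hash of the 5-tuple (added example;
HMAC-SHA256 and the sample addresses are assumptions, not FreeBSD's code)."""
import hashlib
import hmac
import math
from ipaddress import IPv6Address

FLOW_LABEL_BITS = 20
FLOW_LABEL_MASK = (1 << FLOW_LABEL_BITS) - 1


def flow_label(secret: bytes, src: str, dst: str, sport: int, dport: int,
               proto: int = 6) -> int:
    """Keyed hash of the connection details, truncated to 20 bits.
    The secret keeps the label unpredictable to anyone who does not hold it;
    it does nothing to make the label unique across flows."""
    if proto == 17:
        # Per the thread, UDP gets no label by default.
        return 0
    msg = (IPv6Address(src).packed + IPv6Address(dst).packed
           + sport.to_bytes(2, "big") + dport.to_bytes(2, "big")
           + bytes([proto]))
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big") & FLOW_LABEL_MASK


def count_collisions(secret: bytes, n_flows: int) -> int:
    """Label n_flows TCP connections from one client to one server
    (constructed sample: consecutive source ports from 1024) and count
    how many reuse a label already handed to another live flow."""
    seen, collisions = set(), 0
    for i in range(n_flows):
        label = flow_label(secret, "2001:db8::1", "2001:db8::2", 1024 + i, 443)
        if label in seen:
            collisions += 1
        seen.add(label)
    return collisions


def expected_collision_probability(n_flows: int) -> float:
    """Birthday bound: probability that at least two of n_flows labels
    coincide in a space of 2^20 values."""
    return 1.0 - math.exp(-n_flows * (n_flows - 1) / (2.0 * (1 << FLOW_LABEL_BITS)))


if __name__ == "__main__":
    key = b"constructed-secret"  # placeholder; a real stack uses a random key
    for n in (100, 1000, 5000):
        print(n, count_collisions(key, n), round(expected_collision_probability(n), 3))
```

A stateful firewall keying on the label alone therefore merges unrelated flows long before a busy host runs out of ports; the label can help locate state for an encrypted flow, but the addresses still have to be part of the key.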