Re: Reply: Re: question about IPv6 Flow label
On 19/05/09 4:56 AM, "David Malone" <dwmalone@maths.tcd.ie> wrote:
>> Even, or perhaps especially, the authors of 3697 would disagree with you
>> as to the security value you can associate with flow labels.
>
> Note that it depends how you use it. Our idea was not to use it as
> a hash key (which would certainly be unwise), but as an extra piece
> of information that a blind attacker would have to guess to insert
> packets into a connection. It looked like it might work, however
> the big stumbling block was that not all flows were actually sending
> with a consistent flow label.
=> But even if they are sending a consistent flow label, to do what you
want, you need to ensure that the recipient can verify the flow label, which
is not possible unless both sender and receiver agree through negotiation or
in a predetermined manner on how to generate it.
Of course if it is a predetermined manner, then you can't use a RNG in the
process and therefore a blind attacker can generate a valid packet anyway
unless the flow label changes with each packet, right?
Hesham
>
> David.
>