
Re: Re: Re: Re: question about IPv6 Flow label



>  >> Even, or perhaps especially, the authors of 3697 would disagree with you
>  >> as to the security value you can associate with flow labels.
>  > 
>  > Note that it depends how you use it. Our idea was not to use it as
>  > a hash key (which would certainly be unwise), but as an extra piece
>  > of information that a blind attacker would have to guess to insert
>  > packets into a connection.  It looked like it might work, however
>  > the big stumbling block was that not all flows were actually sending
>  > with a consistent flow label.
>  
>  => But even if they are sending a consistent flow label, to do what you
>  want, you need to ensure that the recipient can verify the flow label, which
>  is not possible unless both sender and receiver agree through negotiation or
>  in a predetermined manner on how to generate it.
>  Of course if it is a predetermined manner, then you can't use a RNG in the
>  process and therefore a blind attacker can generate a valid packet anyway
>  unless the flow label changes with each packet, right?

Hmm... So the flow label also needs security protection to some extent when it is used, right?

Is there any document describing how the flow label is used by applications?

Dong Zhang
Huaweisymantec Technologies Co., Ltd