
Re: question about IPv6 Flow label





On 19/05/09 1:06 PM, "ZhangDong" <zhangdong_rh@huaweisymantec.com> wrote:

> 
>>>> Even, or perhaps especially, the authors of 3697 would disagree with you
>>>> as to the security value you can associate with flow labels.
>>> 
>>> Note that it depends how you use it. Our idea was not to use it as
>>> a hash key (which would certainly be unwise), but as an extra piece
>>> of information that a blind attacker would have to guess to insert
>>> packets into a connection.  It looked like it might work, however
>>> the big stumbling block was that not all flows were actually sending
>>> with a consistent flow label.
>>  
>>  => But even if they are sending a consistent flow label, to do what you
>>  want, you need to ensure that the recipient can verify the flow label, which
>>  is not possible unless both sender and receiver agree through negotiation or
>>  in a predetermined manner on how to generate it.
>>  Of course if it is a predetermined manner, then you can't use a RNG in the
>>  process and therefore a blind attacker can generate a valid packet anyway
>>  unless the flow label changes with each packet, right?
> 
> Hmm... So the flow label also needs security protection to some extent when it
> is used, right?

=> No, I was asking a question about what David said. The flow label doesn't
necessarily need security.

Hesham

> 
> Is there any document describing how the flow label is used by applications?
> 
> Dong Zhang
> Huaweisymantec Technologies Co., Ltd
> 
> 
>