
Re: Flow label and its uses



I'm out of the "deep packet inspection" business for now, but I did spend about 18 months building products in this space...

Although in a perfect world it would be lovely to know that flow labels didn't change end-to-end, if that lovely thought requires a per-packet AH operation on middleboxes, it's probably beyond what people can build and sell at affordable prices now, and (since end-to-end AH would be using CPU at each endpoint, while a middlebox verifying AH has to use its own CPU for all the packets it processes), Moore's Law doesn't seem all that helpful in planning for the future, either.

Maybe the RFC 3514 Security Bit from IPv4 should have an IPv6 counterpart that says, "I promise that this packet is AH protected and hasn't been dorked with, so you can believe the flow label"? That would help a lot...

:-)

Spencer

From: "Vishwas Manral" <Vishwas@sinett.com>
To: "Brian E Carpenter" <brc@zurich.ibm.com>
Cc: "Pekka Savola" <pekkas@netcore.fi>; "Bora Akyol" <bora@broadcom.com>; "Fred Baker" <fred@cisco.com>; <v6ops@ops.ietf.org>
Sent: Saturday, January 21, 2006 2:54 AM
Subject: RE: Flow label and its uses


Brian,

That is exactly what I am trying to say too. For cases where we need to
do deep packet inspection, if we could guarantee the flow label is not
mutable, etc., it could be used. Examples of which could be IPsec, though
it is not currently done that way.

Regarding Alain Durand's question, I agree the field is just as mutable
as the DSCP field or any other field in the outer header. Currently in
IPsec to identify an outgoing SA we could use the protocol as well as
port numbers (an SA for an application) and in a few cases we may not
have all the inner header information. Having a flow label helps in this
case.

We could have protected it using AH. However for backward compatibility
reasons this is not done (as has been pointed out earlier by Fred).

Using flow label could make the work of on-path devices which do deeper
packet inspection in some cases easier.

Thanks,
Vishwas
-----Original Message-----
From: Brian E Carpenter [mailto:brc@zurich.ibm.com]
Sent: Friday, January 20, 2006 6:00 PM
To: Vishwas Manral
Cc: Pekka Savola; Bora Akyol; Fred Baker; v6ops@ops.ietf.org
Subject: Re: Flow label and its uses

Vishwas Manral wrote:
...  I am sure things like load balancing which require
deeper packet inspection can also be done.

The whole point is that you will not need deep packet inspection
if the flow label is set by the source.

   Brian
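The two points the thread turns on, shown in code as an added example that is not part of any message above: an on-path device can key a flow on (source, destination, flow label) from the fixed 40-byte base header alone, whereas a 5-tuple key requires walking the extension header chain and is simply unavailable once the transport header sits inside ESP or a non-first fragment; and end-to-end AH as specified in RFC 4302 treats the Flow Label (with Traffic Class and Hop Limit) as mutable and zeroes it before the ICV is computed, so a verifier, end host or middlebox, gets no flow-label guarantee from it. Addresses, ports, SPI and labels are constructed sample values; only the base-header portion of the ICV input is modelled.

```python
"""Flow keys from the IPv6 base header vs. the 5-tuple, and what AH covers.
Added example (not from the thread); all traffic below is constructed."""
import struct
import ipaddress

IPV6_FMT = "!IHBB16s16s"            # ver/tclass/flow label, payload len, NH, hop limit, src, dst
EXT_HEADERS = {0, 43, 44, 60}       # Hop-by-Hop, Routing, Fragment, Destination Options
NH_TCP, NH_UDP, NH_ESP, NH_FRAG, NH_DSTOPTS = 6, 17, 50, 44, 60


def build_ipv6(src, dst, next_header, payload, flow_label=0, hop_limit=64, tclass=0):
    """Assemble a minimal IPv6 packet; the flow label is the low 20 bits of word 0."""
    ver_tc_fl = (6 << 28) | ((tclass & 0xFF) << 20) | (flow_label & 0xFFFFF)
    src_b = ipaddress.IPv6Address(src).packed
    dst_b = ipaddress.IPv6Address(dst).packed
    return struct.pack(IPV6_FMT, ver_tc_fl, len(payload), next_header, hop_limit, src_b, dst_b) + payload


def parse_ipv6(pkt):
    ver_tc_fl, plen, nh, hlim, src, dst = struct.unpack(IPV6_FMT, pkt[:40])
    return {"flow_label": ver_tc_fl & 0xFFFFF, "next_header": nh,
            "src": str(ipaddress.IPv6Address(src)), "dst": str(ipaddress.IPv6Address(dst)),
            "payload": pkt[40:40 + plen]}


def flow_label_key(pkt):
    """Brian's point: with a source-set label, the base header alone identifies the flow."""
    h = parse_ipv6(pkt)
    return (h["src"], h["dst"], h["flow_label"])


def five_tuple_key(pkt):
    """The deeper-inspection alternative: walk the extension header chain to the
    transport ports. Returns None when they cannot be reached (ESP payload,
    non-first fragment, unknown next header)."""
    h = parse_ipv6(pkt)
    nh, data = h["next_header"], h["payload"]
    while nh in EXT_HEADERS:
        if len(data) < 8:
            return None
        if nh == NH_FRAG:                       # fixed 8-byte header, no length field
            frag_offset = struct.unpack("!H", data[2:4])[0] >> 3
            if frag_offset != 0:                # only the first fragment carries ports
                return None
            nh, data = data[0], data[8:]
        else:                                   # Hdr Ext Len counts 8-octet units after the first 8
            nh, data = data[0], data[(data[1] + 1) * 8:]
    if nh in (NH_TCP, NH_UDP) and len(data) >= 4:
        sport, dport = struct.unpack("!HH", data[:4])
        return (h["src"], h["dst"], nh, sport, dport)
    return None


def ah_icv_covered_base_header(pkt):
    """The base header as AH feeds it to the ICV (RFC 4302, 3.3.3.1.2.1): Traffic
    Class, Flow Label and Hop Limit are mutable and zeroed, so a relabelled packet
    produces the same ICV input. Only the base-header part of the input is modelled."""
    ver_tc_fl, plen, nh, hlim, src, dst = struct.unpack(IPV6_FMT, pkt[:40])
    return struct.pack(IPV6_FMT, ver_tc_fl & (0xF << 28), plen, nh, 0, src, dst)


# Constructed sample traffic: a TCP flow and an ESP-protected flow sharing one label.
SRC, DST, LABEL = "2001:db8::1", "2001:db8::2", 0x12345
TCP_PAYLOAD = struct.pack("!HH", 51000, 443) + b"\x00" * 16           # ports + rest of TCP header
ESP_PAYLOAD = struct.pack("!II", 0x1000, 1) + b"\xaa" * 16             # SPI, seq, ciphertext
DSTOPTS = bytes([NH_TCP, 0, 1, 4, 0, 0, 0, 0])                         # NH=TCP, len 0, PadN option
FRAG_HDR = bytes([NH_TCP, 0]) + (8).to_bytes(2, "big") + (7).to_bytes(4, "big")  # offset 1, id 7

TCP_PKT = build_ipv6(SRC, DST, NH_TCP, TCP_PAYLOAD, flow_label=LABEL)
TCP_PKT_RELABELLED = build_ipv6(SRC, DST, NH_TCP, TCP_PAYLOAD, flow_label=0x00001)
ESP_PKT = build_ipv6(SRC, DST, NH_ESP, ESP_PAYLOAD, flow_label=LABEL)
DSTOPTS_PKT = build_ipv6(SRC, DST, NH_DSTOPTS, DSTOPTS + TCP_PAYLOAD, flow_label=LABEL)
FRAG_PKT = build_ipv6(SRC, DST, NH_FRAG, FRAG_HDR + TCP_PAYLOAD, flow_label=LABEL)

if __name__ == "__main__":
    for name, p in [("tcp", TCP_PKT), ("esp", ESP_PKT), ("dstopts+tcp", DSTOPTS_PKT), ("frag", FRAG_PKT)]:
        print(name, "label key:", flow_label_key(p), "5-tuple:", five_tuple_key(p))
    print("AH ICV input unchanged by relabelling:",
          ah_icv_covered_base_header(TCP_PKT) == ah_icv_covered_base_header(TCP_PKT_RELABELLED))
```

The label key is identical for the TCP, ESP and fragmented packets, while the 5-tuple is only recoverable for the two packets whose transport header is in the clear and in the first fragment; that is the reduction in inspection the thread is after, and the last line is why a middlebox cannot lean on AH to trust the label without a change to what AH covers.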