
Re: Flow label and its uses



As the flow label spec says (RFC 3697, section 5.1), you can
trust the flow label just as much as you can trust the source
and destination addresses - exactly the same attackers can forge
any of them. As Spencer and Thomas have pointed out, it's too
expensive to check an authenticator at each hop, and the hops
cannot know the relevant keys anyway.

So, you can use the address pair and flow label for classification,
just as safely (or dangerously) as you can use the address pair
and the DSCP. There's no impact on the applicable threats.
A MITM can change any of them.

The key difference from the DSCP in this regard is only that the
DSCP is defined as mutable at domain boundaries and the flow
label is defined as immutable. In both cases, you can't detect
if someone breaks those rules. That constrains the use cases -
erroneous usage mustn't change the basic semantics of unreliable
datagram delivery to the intended destination. RFC 2474 and
RFC 3697 both assume this - i.e. the added threat is theft
of QoS.

In a connectionless datagram network, it seems impossible to
do better.

   Brian

Bora Akyol wrote:
The flow label is not a field that is protected by IPSEC,
hence I do not think you can use
this as a selector.

Unless you do modifications to IKEv2, you also cannot let
the other end know what exactly the SP (security policy)
is based on.

Frankly, use of flow label as a selector would be a hack
to get around the problem of the full security policy lookup
in IPSEC at high speeds. The truth is that this has not
been a problem for at least 4-5 years now as long
as the selectors themselves are TCAM friendly.

Bora



-----Original Message-----
From: Vishwas Manral [mailto:Vishwas@sinett.com]
Sent: Tuesday, January 31, 2006 2:08 AM
To: Bora Akyol; Spencer Dawkins; v6ops@ops.ietf.org
Subject: RE: Flow label and its uses

Bora,


Does this mean that you are using the flow label in lieu of the regular IPSEC SP match?

All I am saying is that, just as we can have local and remote ports as selectors, we can instead use flow labels along with the IP addresses for the same purpose, if some assumptions can be made about the flow label.
Is my understanding wrong?

Thanks,
Vishwas
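The two claims running through this thread, that the flow label is not protected by IPsec and that a rewrite of it (or of the DSCP) cannot be detected, can be checked against the AH integrity rules. The script below is an added example written for this page, not code from any participant or from an IPsec stack. It builds a constructed IPv6 base header, computes a simplified AH ICV that zeroes the fields RFC 4302 classifies as mutable (DSCP, ECN, Flow Label, Hop Limit) and covers only the base header plus payload (the real ICV scope also includes the AH header and any extension headers; that is omitted here), then has an on-path box rewrite the flow label, the DSCP and the source address in turn. The key, addresses and payload are constructed demo values.

```python
"""Added example: which IPv6 header fields an AH integrity check covers.

Simplified AH ICV: RFC 4302 mutable-field zeroing over the base IPv6
header plus payload only (no AH header or extension headers in scope).
Constructed key and packet; not code from the thread or any IPsec stack.
"""
import hashlib
import hmac
import ipaddress
import struct

# Constructed demo key; a real SA key would be negotiated by IKE.
DEMO_KEY = b"constructed-demo-key-not-from-IKE"


def build_ipv6_header(src, dst, flow_label, dscp=0, ecn=0,
                      next_header=51, payload_len=0, hop_limit=64):
    """Pack a 40-byte IPv6 base header (next_header 51 = AH)."""
    traffic_class = (dscp << 2) | ecn
    word0 = (6 << 28) | (traffic_class << 20) | (flow_label & 0xFFFFF)
    return (struct.pack("!IHBB", word0, payload_len, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)


def parse_ipv6_header(hdr):
    """Unpack the fields this example cares about."""
    word0, = struct.unpack("!I", hdr[:4])
    return {
        "dscp": (word0 >> 22) & 0x3F,
        "ecn": (word0 >> 20) & 0x3,
        "flow_label": word0 & 0xFFFFF,
        "hop_limit": hdr[7],
        "src": str(ipaddress.IPv6Address(hdr[8:24])),
        "dst": str(ipaddress.IPv6Address(hdr[24:40])),
    }


def zero_mutable_fields(hdr):
    """RFC 4302 3.3.3.1.2: DSCP, ECN, Flow Label and Hop Limit are mutable
    in transit and are zeroed before the ICV is computed; the version,
    payload length, next header and both addresses stay as sent."""
    word0, = struct.unpack("!I", hdr[:4])
    word0 &= 0xF0000000                      # keep the version nibble only
    return struct.pack("!I", word0) + hdr[4:7] + b"\x00" + hdr[8:]


def ah_icv(key, hdr, payload):
    """Simplified ICV: HMAC-SHA1 truncated to 96 bits over the immutable
    part of the header plus the payload."""
    return hmac.new(key, zero_mutable_fields(hdr) + payload,
                    hashlib.sha1).digest()[:12]


def ah_verify(key, hdr, payload, icv):
    return hmac.compare_digest(ah_icv(key, hdr, payload), icv)


def rewrite(hdr, **fields):
    """Return a copy of hdr with the given fields changed, as an on-path
    box (or MITM) would do; everything else is carried over unchanged."""
    p = parse_ipv6_header(hdr)
    p.update(fields)
    payload_len, = struct.unpack("!H", hdr[4:6])
    return build_ipv6_header(p["src"], p["dst"], p["flow_label"], p["dscp"],
                             p["ecn"], hdr[6], payload_len, p["hop_limit"])


def selector_key(hdr):
    """The (src, dst, flow label) triple proposed in the thread as an
    SP/classifier key."""
    p = parse_ipv6_header(hdr)
    return (p["src"], p["dst"], p["flow_label"])


def mitm_results(key=DEMO_KEY):
    """Rewrite three fields on an AH-protected packet and report, per
    field, whether the ICV still verifies and whether the selector key
    used for policy lookup changed."""
    payload = b"constructed payload"
    original = build_ipv6_header("2001:db8::1", "2001:db8::2",
                                 flow_label=0x12345, dscp=46)
    icv = ah_icv(key, original, payload)
    cases = {
        "flow_label": rewrite(original, flow_label=0x54321),
        "dscp": rewrite(original, dscp=0),
        "src": rewrite(original, src="2001:db8::bad"),
    }
    return {
        name: {
            "icv_still_valid": ah_verify(key, hdr, payload, icv),
            "selector_changed": selector_key(hdr) != selector_key(original),
        }
        for name, hdr in cases.items()
    }


if __name__ == "__main__":
    for name, r in mitm_results().items():
        print(f"{name:10s} ICV valid after rewrite: {r['icv_still_valid']!s:5}"
              f"  selector changed: {r['selector_changed']}")
```

Rewriting the source address breaks the ICV, so an AH endpoint notices; rewriting the flow label or the DSCP does not, so a policy lookup keyed on (src, dst, flow label) is steered to a different entry by an undetectable on-path change, which is the theft-of-QoS (or mis-selected-policy) threat the thread describes. With ESP the base header is outside the integrity scope altogether, so the addresses would not be covered either.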