One document matched: draft-carpenter-6man-flow-update-04.xml
<?xml version="1.0"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<!-- This is built from a template for a generic Internet Draft. Suggestions for
improvement welcome - write to Brian Carpenter, brian.e.carpenter @ gmail.com -->
<!-- This can be converted using the Web service at http://xml.resource.org/experimental.html
(which supports the latest, sometimes undocumented and under-tested, features.) -->
<?rfc toc="yes"?> <!-- You want a table of contents -->
<?rfc symrefs="yes"?> <!-- Use symbolic labels for references -->
<?rfc sortrefs="yes"?> <!-- This sorts the references -->
<?rfc iprnotified="no" ?> <!-- Change to "yes" if someone has disclosed IPR for the draft -->
<?rfc compact="yes"?>
<!-- You need one entry like the following for each RFC referenced -->
<!ENTITY RFC2119 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119'>
<!ENTITY RFC2629 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2629'>
<!ENTITY RFC2460 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2460'>
<!ENTITY RFC3697 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3697'>
<!ENTITY RFC4302 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4302'>
<!ENTITY RFC2474 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2474'>
<!-- You need one entry like the following for each I-D referenced -->
<!-- ENTITY DRAFT-conta1 SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.conta-ipv6-flow-label.xml"> -->
<!-- ENTITY DRAFT-metzler SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.metzler-ipv6-flowlabel.xml"> -->
<!ENTITY DRAFT-conta2 SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.conta-diffserv-ipv6-fl-classifier.xml">
<!ENTITY DRAFT-chakra SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.chakravorty-6lsa.xml">
<!ENTITY DRAFT-bannerj SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.banerjee-flowlabel-ipv6-qos.xml">
<!ENTITY DRAFT-roberts SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.roberts-inband-qos-ipv6.xml">
<!ENTITY DRAFT-beck1 SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.martinbeckman-ietf-ipv6-fls-ipv6flowswitching.xml">
<!ENTITY DRAFT-beck2 SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.martinbeckman-ietf-ipv6-amp-ipv6hcamp.xml">
<!ENTITY DRAFT-nonce SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.blake-ipv6-flow-label-nonce.xml">
<!ENTITY DRAFT-ecmp SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.carpenter-flow-ecmp.xml">
<!ENTITY DRAFT-hu SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.hu-flow-label-cases.xml">
<!ENTITY DRAFT-gont SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.gont-6man-flowlabel-security.xml">
<!-- This defines the specific filename and version number of your draft (and inserts the appropriate IETF boilerplate -->
<rfc ipr="trust200902" docName="draft-carpenter-6man-flow-update-04" category="info">
<front>
<title abbrev="Flow Label Update">Update to the IPv6 flow label specification</title>
<author initials="S." surname="Amante" fullname="Shane Amante">
<organization abbrev="Level 3"></organization>
<address>
<postal>
<street>Level 3 Communications, LLC</street>
<street>1025 Eldorado Blvd</street>
<city>Broomfield</city>
<region>CO</region>
<code>80021</code>
<country>USA</country>
</postal>
<email>shane@level3.net</email>
</address>
</author>
<author initials="B. E." surname="Carpenter" fullname="Brian Carpenter">
<organization abbrev="Univ. of Auckland"></organization>
<address>
<postal>
<street>Department of Computer Science</street>
<street>University of Auckland</street>
<street>PB 92019</street>
<city>Auckland</city>
<region></region>
<code>1142</code>
<country>New Zealand</country>
</postal>
<email>brian.e.carpenter@gmail.com</email>
</address>
</author>
<author fullname="Sheng Jiang" initials="S.J." surname="Jiang">
<organization>Huawei Technologies Co., Ltd</organization>
<address>
<postal>
<street>KuiKe Building, No.9 Xinxi Rd.,</street>
<city>Shang-Di Information Industry Base, Hai-Dian District, Beijing</city>
<country>P.R. China</country>
</postal>
<email>shengjiang@huawei.com</email>
</address>
</author>
<date day="16" month="September" year="2010" />
<area>Internet</area>
<workgroup>6MAN</workgroup>
<abstract>
<t>Various published proposals for use of the IPv6 flow label are incompatible with
its existing specification in RFC 3697. Furthermore, very little practical use is
made of the flow label, partly due to some uncertainties about the
correct interpretation of the specification.
This document proposes changes to the specification in order to clarify it, making
it clear what types of usage are possible, and to introduce some additional
flexibility.
</t>
</abstract>
</front>
<middle>
<section anchor="intro" title="Introduction">
<t>The flow label field in the IPv6 header was reserved but left experimental by <xref target="RFC2460"/>,
which mandates only that "Hosts or routers
that do not support the functions of the Flow Label field are
required to set the field to zero when originating a packet, pass the
field on unchanged when forwarding a packet, and ignore the field
when receiving a packet." </t>
<t>The flow label field
was normatively specified by <xref target="RFC3697"/>. In particular, we quote three rules
from that RFC:</t>
<list style="letters">
<t>"The Flow Label value set by the source MUST be delivered unchanged to
the destination node(s)."</t>
<t>"IPv6 nodes MUST NOT assume any mathematical or other properties
of the Flow Label values assigned by source nodes." </t>
<t>"Router performance SHOULD NOT be dependent on the distribution of the Flow Label
values. Especially, the Flow Label bits alone make poor material for a hash key." </t>
</list>
<t>Additionally, RFC 3697 leaves it undefined what method a host should adopt by default
to choose the value of the flow label, if no specific method is in use. It was expected that
various signalling methods might be defined for agreeing on values of the flow label, but
no such methods have been standardised. </t>
<t>The flow label is hardly used in practice in existing IPv6 implementations. To some extent
this is due to the main focus being on basic deployment of IPv6, but the absence of a default
method of choosing the flow label value means that most host implementations simply set it to zero.
There is also anecdotal evidence that the rules quoted above have led to uncertainty about exactly
what is possible. Furthermore, various use cases have been
proposed that infringe one or another of the rules. None of these proposals
has been accepted as a standard and in practice there is no significant deployment
of any mechanism to set the flow label. </t>
<t>
The intention of this document is to explain this
in more detail and to propose changes to RFC 3697 intended to remove the uncertainties and encourage
active usage of the flow label. </t>
</section> <!-- intro -->
<section anchor="impact" title="Impact of current specification">
<t>Rule (a) makes it impossible for the routing system to use the flow label as any form
of dynamic routing tag. This was a conscious choice in the early design of IPv6 and there
appears to be no practical possibility of revisiting this choice at this stage in the
deployment of IPv6, which uses conventional routing mechanisms like those used for IPv4.
However, this rule also makes
it impossible to make any use at all of the flow label unless hosts choose to set it. It also
forbids clearing the flow label for security reasons. </t>
<t>This last point highlights the security properties, or rather the lack of them,
of the flow label. The flow label field is always unprotected as it travels
through the network, because there is no IPv6 header
checksum, and the flow label is not included in transport pseudo-header checksums, nor in
IPsec checksums. As a result, intentional and malicious changes
to its value cannot be detected. Also, it could be used as a
covert data channel, since apparently pseudo-random flow label values could in fact
consist of encrypted data. If the flow label were to carry quality of service
semantics, then like the diffserv code point <xref target="RFC2474"/>, it would not be
intrinsically trustworthy across domain boundaries. As a result, some security
specialists believe that flow labels should be cleared for safety. These points must
be considered when discussing the immutability of the flow label across domain
boundaries. </t>
<t>Rule (b) appears to forbid any usage in which the bits of the flow label are encoded
with a specific semantic meaning. If the word "alone" is overlooked, rule (c) has sometimes
been interpreted to forbid the use of the flow label as part of a hash used by load balancing mechanisms. </t>
<t>Both before and after these rules were laid down, a considerable number
of proposals for use of the flow label were published that seem incompatible with
them. Numerous examples and an analysis are presented in <xref target="I-D.hu-flow-label-cases"/>.
Those examples propose use cases in which some or all of the following
apply:</t>
<list style="symbols">
<t>The flow label may be changed by intermediate systems. </t>
<t>It doesn't matter if the flow label is changed, because the receiver doesn't use it. </t>
<t>Some or all bits of the flow label are encoded: they have specific meanings
understood by routers and switches along the path. </t>
<t>The encoding is related to the required quality of service, as well as identifying a flow. </t>
<t>The flow label is used to control forwarding or switching in some way. </t>
</list>
<t>These proposals all require either some form of encoding of semantics
in the bits of the flow label, or the ability for routers to modify
the flow label, or both. Thus they appear to infringe the rules from RFC 3697
quoted above. </t>
<t>We can conclude that a considerable number of researchers and designers have been
stymied by RFC 3697. On the other hand, some other proposals discussed in
<xref target="I-D.hu-flow-label-cases"/> appear to be compatible with RFC 3697.
Several are based on the originator of a packet choosing a pseudo-random flow label for
each flow, which is one option suggested in RFC 3697. Thus, we can also conclude that there is a useful
role for this approach. </t>
<t>If our goal is for the flow label to be used in practice, the conflict between
the various approaches creates a dilemma. There appear to be two major options: </t>
<list style="numbers">
<t>Discourage locally defined use of the flow label.
Strengthen RFC 3697 to say that hosts SHOULD set
a pseudo-random label value, which would clarify and limit its possible uses.
In particular, its use for load balancing would be encouraged. </t>
<t>Relax the rules to encourage locally defined use of the flow label. This approach would make the flow
label completely mutable and would exclude use cases depending on strict end-to-end immutability. It
would encourage applications of a pseudo-random flow label, such as load balancing,
on a local basis, but it would exclude end-to-end applications such as
<xref target="I-D.blake-ipv6-flow-label-nonce"/>. </t>
</list>
<t>During 2010 there has been considerable debate about these options and variants
of them, with a variety of proposals in previous versions of this document and in
mailing list discussions. After these discussions, there appears to be
a view that simplicity should prevail, and that complicated proposals such as
defining quality of service semantics in the flow label, or sub-dividing the flow label
field into smaller sub-fields, will not prove efficient
or deployable, especially in high speed routers. There is also a clearly expressed view
that using the flow label for various forms of stateless load balancing is the best simple
application for it. At the same time, it is necessary to recognize that the strict
immutability rule has drawbacks as noted above. </t>
<t>Even under the rules of RFC 3697, the flow label is intrinsically untrustworthy,
because modifcations en route cannot be detected. For this reason, even with
the current strict immutability rule, downstream nodes cannot rely on the value being unchanged.
In this sense, any use of the flow label must be viewed as an optimisation on a best
effort basis; a packet with a changed (or zero) flow label value should never cause
a hard failure. </t>
<t>The remainder of this document is in the form of a set of proposed modifications to the standard,
consistent with the points above and written in normative form. It is suggested that
if the proposal is generally accepted, a revised version of RFC 3697 should be produced
including these changes. </t>
</section> <!-- impact -->
<section title="Normative Notation">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <xref target="RFC2119"/>.</t>
</section>
<section anchor="spec" title="Proposed changes to specification">
<t>Although RFC 3697 requires the flow label to be delivered
unchanged, as noted above, it is not included in any transport layer pseudo-header checksums
nor in IPsec authentication <xref target="RFC4302"/>.
Both RFC 2460 and RFC 3697 define the default flow label to be zero.
At the time of writing, this is the observed value in an
overwhelming proportion of IPv6 packets; neither operating systems nor
applications currently set it, and routers do not rely on it. Thus there is no reason
to expect operational difficulties if a careful change is made to the rules of RFC 3697. </t>
<t>In particular, the facts that the label is not checksummed and rarely used mean
that the current strict immutability of the label can be moderated without operational
consequences. </t>
<t>The purposes of the proposed changes are to remove the uncertainties left
by RFC 3697, in order to encourage setting of the flow label by default, and
to enable its generic use. The proposed generic use is to
encourage pseudo-random flow labels that can be used to assist load balancing.
There should be no impact on existing IETF specifications other than RFC 3697 and no impact on currently
operational software and hardware. </t>
<t>A secondary purpose is to modify the immutability of the flow label in a limited
way, to allow hosts that do not set the flow label to benefit from it
nevertheless. </t>
<t>The fact that the flow label may in practice be changed en route is also reflected
in the reformulation of the rules. </t>
<t>A description of the changes follows. They are written in normative language
to avoid ambiguity. They are mainly not written as specific
text changes to RFC 3697, and significant rewriting of the latter is needed to
incorporate these changes. </t>
<t>The definition of a flow is subtly changed from RFC 3697 as follows:</t>
<vspace blankLines="1"/>
<list style='empty'>
<t>A flow is a sequence of packets sent from a particular source to a
particular unicast, anycast, or multicast destination that a node
desires to label as a flow. A flow could consist of all packets in a
specific transport connection or a media stream. However, a flow is
not necessarily 1:1 mapped to a transport connection.</t>
</list>
<t>The change is that the words 'the source' have been replaced by 'a node'.
Nodes that do not support the flow label remain subject to RFC 2460.
The intention is to enable the following new specifications:</t>
<vspace blankLines="1"/>
<list style='numbers'>
<t>
It is RECOMMENDED that source hosts support the flow label by setting the flow label field
for all packets of a flow to the same pseudo-random value.
</t>
<list style='symbols'>
<t>This rule updates the less precise recommendation made in Section 3
of RFC 3697. Both stateful and stateless methods of assigning a pseudo-random value could be used,
but it is outside the scope of this specification to mandate an algorithm. </t>
<t>An OPTIONAL algorithm for generating such a pseudo-random value is
proposed in <xref target="I-D.gont-6man-flowlabel-security"/>. </t>
<t>Section 3 of RFC 3697 also allows nodes to participate in an unspecified
method of flow state establishment. The changes do not remove that option. </t>
</list>
<vspace blankLines="1"/>
<t>A node that forwards a flow whose flow label value in arriving packets is zero
MAY set the flow label value. In that case, it is RECOMMENDED
that the forwarding node sets the flow label field for a flow to a pseudo-random value. </t>
<list style='symbols'>
<t>The same considerations apply as to the first recommendation. </t>
<t>This option, if implemented, would presumably be used by ingress routers. It would place a
considerable per-packet processing load on them, even if they adopted a stateless method of
flow identification and label assignment. This is why the principal recommendation is that
the source host should set the label.
</t>
</list>
<vspace blankLines="1"/>
<t>In general, a forwarding node MUST NOT change the flow label value in an arriving packet if
it is non-zero. However, there are two qualifications to this rule:
<!-- start nested t -->
<list style='numbers'>
<t>A forwarding node acting as a domain border device MAY be configured to set
the flow label value in incoming packets to the default value of zero.
[[Note in draft - this is contentious, but it's going to happen anyway.]]</t>
<t>A network domain MUST NOT forward packets outside the domain whose flow label values
are other than zero or pseudo-random. </t>
</list>
<!-- end nested t -->
<vspace blankLines="1"/>
Note that the new rules above, taken together, allow a given network domain to
include routers that set flow labels on behalf of hosts that do not do so,
and to be protected at its border (if desired) by clearing flow labels
deemed to be untrustworthy. They also require that flow labels exported
to the Internet must always be either zero or pseudo-random. These changes replace rule (a)
quoted in <xref target="intro"/>.
They therefore exclude Internet-wide mechanisms that depend rigidly on immutable
flow labels. Given the
intrinsic forgeability of the flow label, this seems unavoidable. </t>
<vspace blankLines="1"/>
<t>IPv6 nodes MUST NOT assume that the Flow Label value in a incoming packet
is identical to the value set by the source node. </t>
<list style='symbols'>
<t>This replaces rule (b) quoted in <xref target="intro"/>. </t>
<t>Even though the flow label is in general immutable,
this is not guaranteed in real life, hence this rule. See further discussion below. </t>
</list>
<vspace blankLines="1"/>
<t>Forwarding nodes such as routers and load balancers MUST NOT depend only on Flow Label
values being randomly distributed. In any usage such as a hash key for load balancing,
the Flow Label bits MUST be combined with bits from other sources within the packet,
so as to produce a suitable distribution of hash values. </t>
<list style='symbols'>
<t>This replaces rule (c) quoted in <xref target="intro"/>. Although a pseudo-random flow
label is recommended, and will always be helpful for load balancing, it is unsafe to assume
its presence in the general case, and the use case needs to work even if the flow label
value is zero. </t>
</list>
</list>
</section> <!-- spec -->
<section anchor="disc" title="Discussion">
<t>The following are the consequences of the above changes, taken together with the unaffected
parts of RFC 3697:</t>
<list style="symbols">
<t>Sending hosts that are not updated will in practice continue to send all-zero labels. If there
is no label-setting router along the path taken by a packet, the label
will be delivered as zero. </t>
<t>Sending hosts conforming to this specification will by default choose pseudo-random
labels between 1 and 0xFFFFF. </t>
<t>Sending hosts may continue to send all-zero labels, in which case an ingress router may set pseudo-random
labels between 1 and 0xFFFFF. </t>
<t>Border security devices may clear untrustworthy flow labels. </t>
<t>The flow label is no longer asserted to be strictly immutable. In some circumstances
this will break end-to-end usage such as proposed
in <xref target="I-D.blake-ipv6-flow-label-nonce"/>. </t>
<t>The expected default usage of the flow label is some form of
load balancing, such as the ECMP/LAG usage defined in <xref target="I-D.carpenter-flow-ecmp"/>. </t>
<t>If the rules in <xref target="spec"/> are followed, especially rule 3.2,
all IPv6 traffic flows on the Internet will have zero or pseudo-random
flow label values. </t>
</list>
<t>From an operational viewpoint, existing IPv6 hosts that set a default (zero) flow label value
and ignore the flow label on receipt will be unaffected
by implementations of this specification. In general, it is assumed that hosts will ignore the
value of the flow label on receipt; it cannot be relied on as an end-to-end
signal of any kind. </t>
<t>Similarly, routers that ignore
the flow label will be unaffected by implementations of this specification. </t>
<t>Hosts that set a default (zero) flow label and are in a domain where routers
adopt the recommended pseudo-random mechanism in <xref target="spec"/>
will benefit from whatever flow label handling is used in the local domain.
</t>
<t>Hosts and routers that adopt the recommended pseudo-random mechanism
will enhance the performance of any load balancing devices that include the flow label
in the hash used to select a particular path or server, even when
packets leave the local domain. </t>
</section> <!-- disc -->
<section anchor="security" title="Security Considerations">
<t>The flow label is not protected in any way and can be forged by an on-path
attacker. On the other hand, a pseudo-random flow label cannot be readily
guessed by an off-path attacker. See RFC 3697
and <xref target="I-D.gont-6man-flowlabel-security"/> for further discussion. </t>
<t>This proposal recognises that security devices might clear flow label values,
if local policy so requires. </t>
</section> <!-- security -->
<section anchor="iana" title="IANA Considerations">
<t>This document requests no action by IANA. </t>
</section> <!-- iana -->
<section anchor="ack" title="Acknowledgements">
<t>The authors are grateful to Qinwen Hu for general
discussion about the flow label and for his work in searching the literature.
Valuable comments and contributions were made by
Fred Baker,
Steve Blake,
Remi Despres,
Fernando Gont,
Brian Haberman,
Joel Halpern,
Chris Morrow,
Thomas Narten,
Mark Smith,
Pascal Thubert,
Iljitsch van Beijnum,
and other participants in the 6man working group.</t>
<t>This document was produced using the xml2rfc tool
<xref target="RFC2629"/>.</t>
</section> <!-- ack -->
<section anchor ="changes" title="Change log">
<t>draft-carpenter-6man-flow-update-04: even more simplified according to WG discussion, 2010-09-16</t>
<t>draft-carpenter-6man-flow-update-03: futher simplified according to WG discussion, 2010-05-07</t>
<t>draft-carpenter-6man-flow-update-02: revised and simplified according to WG discussion, 2010-04-13</t>
<t>draft-carpenter-6man-flow-update-01: revised according to mail list discussion, 2010-03-05</t>
<t>draft-carpenter-6man-flow-update-00: original version, 2010-02-18</t>
</section> <!-- changes -->
</middle>
<back>
<references title="Normative References">
&RFC2460;
&RFC3697;
&RFC2119;
</references>
<references title="Informative References">
&RFC2629;
&RFC2474;
&RFC4302;
&DRAFT-beck1;
&DRAFT-nonce;
&DRAFT-ecmp;
&DRAFT-hu;
&DRAFT-gont;
</references>
<section anchor="Appendix1" title="Alternative Approaches">
<t>A model was discussed in an earlier version of this document which defined a notion
of 'flow label domain' analogous to a differentiated
services domain <xref target="RFC2474"/>. This model would have encouraged
local usage of the flow label as an alternative to any form of generic use,
but it required complex rules for the behaviour of domain boundary routers, and proved
controversial in discussion. </t>
<t>Two even more complex alternative approaches were also considered and rejected. </t>
<t>The first was to distinguish locally significant flow labels from those
conforming to RFC 3697 by setting or clearing the most significant bit (MSB)
of the flow label. This led to quite complicated rules, seems impossible
to make fully self-consistent, and was not considered practical. </t>
<t>The second was to use a specific differentiated
services code point (DSCP)<xref target="RFC2474"/> in the Traffic Class octet
instead of the MSB of the flow label itself, to flag a locally defined behaviour.
A more elaborate version of this was proposed
in <xref target="I-D.martinbeckman-ietf-ipv6-fls-ipv6flowswitching"/>.
There are two issues with this approach. One is that DSCP values
are themselves only locally significant, inconsistent with the end-to-end nature
of the original flow label definition. Secondly, it seems unwise to meld the
semantics of differentiated services, which are currently deployed,
with the unknown future semantics of flow label usage. However, this approach,
while not recommended, does not appear to violate any basic principles if applied
strictly within a single differentiated services domain. </t>
</section>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-23 10:03:49 |