One document matched: draft-ietf-6man-flow-3697bis-02.xml
<?xml version="1.0"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<!-- This is built from a template for a generic Internet Draft. Suggestions for
improvement welcome - write to Brian Carpenter, brian.e.carpenter @ gmail.com -->
<!-- This can be converted using the Web service at http://xml.resource.org/experimental.html
(which supports the latest, sometimes undocumented and under-tested, features.) -->
<?rfc toc="yes"?> <!-- You want a table of contents -->
<?rfc symrefs="yes"?> <!-- Use symbolic labels for references -->
<?rfc sortrefs="yes"?> <!-- This sorts the references -->
<?rfc iprnotified="no" ?> <!-- Change to "yes" if someone has disclosed IPR for the draft -->
<?rfc compact="yes"?>
<!-- You need one entry like the following for each RFC referenced -->
<!ENTITY RFC2119 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119'>
<!ENTITY RFC2629 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2629'>
<!ENTITY RFC2460 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2460'>
<!ENTITY RFC3697 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3697'>
<!ENTITY RFC4301 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4301'>
<!ENTITY RFC4302 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4302'>
<!ENTITY RFC4303 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4303'>
<!ENTITY RFC2474 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2474'>
<!ENTITY RFC2827 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2827'>
<!ENTITY RFC2205 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2205'>
<!-- You need one entry like the following for each I-D referenced -->
<!-- ENTITY DRAFT-conta1 SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.conta-ipv6-flow-label.xml"> -->
<!-- ENTITY DRAFT-metzler SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.metzler-ipv6-flowlabel.xml"> -->
<!ENTITY DRAFT-conta2 SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.conta-diffserv-ipv6-fl-classifier.xml">
<!ENTITY DRAFT-chakra SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.chakravorty-6lsa.xml">
<!ENTITY DRAFT-bannerj SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.banerjee-flowlabel-ipv6-qos.xml">
<!ENTITY DRAFT-roberts SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.roberts-inband-qos-ipv6.xml">
<!ENTITY DRAFT-beck1 SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.martinbeckman-ietf-ipv6-fls-ipv6flowswitching.xml">
<!ENTITY DRAFT-beck2 SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.martinbeckman-ietf-ipv6-amp-ipv6hcamp.xml">
<!ENTITY DRAFT-nonce SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.blake-ipv6-flow-label-nonce.xml">
<!ENTITY DRAFT-ecmp SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.carpenter-flow-ecmp.xml">
<!ENTITY DRAFT-hu SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.hu-flow-label-cases.xml">
<!ENTITY DRAFT-gont SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.gont-6man-flowlabel-security.xml">
<!ENTITY DRAFT-rationale SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-6man-flow-update.xml">
<!-- This defines the specific filename and version number of your draft (and inserts the appropriate IETF boilerplate -->
<rfc ipr="pre5378Trust200902" docName="draft-ietf-6man-flow-3697bis-02" category="std" obsoletes="3697" updates="2205, 2460">
<front>
<title abbrev="IPv6 Flow Label Specification">IPv6 Flow Label Specification</title>
<author initials="S." surname="Amante" fullname="Shane Amante">
<organization abbrev="Level 3"></organization>
<address>
<postal>
<street>Level 3 Communications, LLC</street>
<street>1025 Eldorado Blvd</street>
<city>Broomfield</city>
<region>CO</region>
<code>80021</code>
<country>USA</country>
</postal>
<email>shane@level3.net</email>
</address>
</author>
<author initials="B. E." surname="Carpenter" fullname="Brian Carpenter">
<organization abbrev="Univ. of Auckland"></organization>
<address>
<postal>
<street>Department of Computer Science</street>
<street>University of Auckland</street>
<street>PB 92019</street>
<city>Auckland</city>
<region></region>
<code>1142</code>
<country>New Zealand</country>
</postal>
<email>brian.e.carpenter@gmail.com</email>
</address>
</author>
<author fullname="Sheng Jiang" initials="S.J." surname="Jiang">
<organization>Huawei Technologies Co., Ltd</organization>
<address>
<postal>
<street>Huawei Building, No.3 Xinxi Rd.,</street>
<city>Shang-Di Information Industry Base, Hai-Dian District, Beijing</city>
<country>P.R. China</country>
</postal>
<email>shengjiang@huawei.com</email>
</address>
</author>
<author fullname="Jarno Rajahalme" initials="J." surname="Rajahalme">
<organization>Nokia-Siemens Networks</organization>
<address>
<postal>
<street>TBD</street>
<city>TBD</city>
<country>Finland</country>
</postal>
<email>jarno.rajahalme@nsn.com</email>
</address>
</author>
<date day="13" month="March" year="2011" />
<area>Internet</area>
<workgroup>6MAN</workgroup>
<abstract>
<t>This document specifies the IPv6 Flow Label field and the minimum
requirements for IPv6 nodes labeling flows, IPv6 nodes
forwarding labeled packets, and flow state establishment methods.
Even when mentioned as examples of possible uses of the flow
labeling, more detailed requirements for specific use cases are out
of scope for this document.
</t>
<t>The usage of the Flow Label field enables efficient IPv6 flow
classification based only on IPv6 main header fields in fixed
positions.
</t>
</abstract>
</front>
<middle>
<section anchor="intro" title="Introduction">
<t>A flow is a sequence of packets sent from a particular source to a
particular unicast, anycast, or multicast destination that a node
desires to label as a flow. A flow could consist of all packets in a
specific transport connection or a media stream. However, a flow is
not necessarily 1:1 mapped to a transport connection. </t>
<t>Traditionally, flow classifiers have been based on the 5-tuple of the
source and destination addresses, ports, and the transport protocol
type. However, some of these fields may be unavailable due to either
fragmentation or encryption, or locating them past a chain of IPv6
extension headers may be inefficient. Additionally, if classifiers
depend only on IP layer headers, later introduction of alternative
transport layer protocols will be easier. </t>
<t>The usage of the 3-tuple of the Flow Label and the Source and
Destination Address fields enables efficient IPv6 flow
classification, where only IPv6 main header fields in fixed positions
are used. </t>
<t>The flow label could be used in both stateless and stateful scenarios.
A stateless scenario is one where a node that sets the flow label value for all packets of a given
flow does not need to store any information about the flow, and any node
that processes the flow label in any way also does not need to store
any information after a packet has been processed. A stateful scenario is
one where a node that sets or processes the flow label value needs to store information about
the flow, including the flow label value. A stateful scenario might also require
a signaling mechanism to establish flow state in the network. </t>
<t>The flow label can be used most simply in stateless scenarios.
This specification concentrates on the stateless model and how it can be used
as a default mechanism. Details of stateful models, signaling, specific flow state
establishment methods and their related service models are out of scope for this
specification. The basic requirement for stateful models is
set forth in <xref target="estreq"/>. </t>
<t>The minimum level of IPv6 flow support consists of labeling the
flows. A specific goal is to enable and encourage the use of the
flow label for various forms of stateless load distribution, especially across
Equal Cost Multi-Path (EMCP) and/or Link Aggregation Group (LAG) paths.
ECMP and LAG are methods to bond together multiple physical links used to
procure the required capacity necessary to carry an offered load
greater than the bandwidth of an individual physical link.
IPv6 source nodes SHOULD be able
to label known flows (e.g., TCP connections, application streams),
even if the node itself does not require any flow-specific
treatment. Node requirements for stateless flow
labeling are given in <xref target="labreq"/>. </t>
<t>This document replaces <xref target="RFC3697"/> and Appendix A of <xref target="RFC2460"/>.
A rationale for the changes made is documented in <xref target="I-D.ietf-6man-flow-update"/>.
The present document also includes
a correction to <xref target="RFC2205"/> concerning the flow label.</t>
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <xref target="RFC2119"/>.</t>
</section> <!-- intro -->
<section anchor="spec" title="IPv6 Flow Label Specification">
<t>The 20-bit Flow Label field in the IPv6 header <xref target="RFC2460"/> is used by a
node to label packets of a flow. A Flow Label of zero is used to
indicate packets not part of any flow. Packet classifiers can use the
triplet of Flow Label, Source Address, and Destination Address fields
to identify which flow a particular packet belongs to. Packets are
processed in a flow-specific manner by nodes that are able to do so in a
stateless manner, or that have been set up with flow-specific state.
The nature of the specific treatment and the methods for flow state establishment
are out of scope for this specification. However, any node that sets
flow label values according to a stateful scheme MUST ensure that packets
conform to <xref target="labreq"/> of the present specification if they are sent outside
the network domain using the stateful scheme. </t>
<t>As specified below in <xref target="labreq"/>, the normal expectation
is that flow label values are uniformly distributed. In this specification,
it is recommended below that a pseudo-random method should be used to achieve such
a uniform distribution. Intentionally, there are no precise mathematical requirements
placed on the distribution or the pseudo-random method. </t>
<t>Once set to a non-zero value, the Flow Label MUST be delivered unchanged to
the destination node(s). A forwarding node MUST NOT change the flow label value in an arriving packet if
it is non-zero. However, there are two qualifications to this rule:
<!-- start nested t -->
<list style='numbers'>
<t>Implementers are advised that forwarding nodes, especially those acting as domain border devices,
might nevertheless be configured to change the flow label value in packets.
This is undetectable, unless some future version of
IPsec authentication <xref target="RFC4302"/> protects the flow label value. </t>
<t>To enable stateless load distribution at any point in the
Internet, a network domain should never export packets originating within the domain
whose flow label values do not conform to <xref target="labreq"/>.
However, neither domain border egress routers nor intermediate
routers/devices (using a flow-label, for example, as a part of an
input-key for a load-distribution hash) can determine by
inspection that a value is not part of a uniform distribution. Therefore, if
nodes within a domain ignore the recommendations of <xref target="labreq"/>,
and such packets are forwarded outside the domain, this might result in
undesirable operational implications (e.g., congestion,
reordering) for not only the inappropriately flow-labelled
packets, but also well-behaved flow-labelled packets, during
forwarding at various intermediate devices. Thus, a domain must
protect its peers by never exporting inappropriately labelled
packets originating within the domain. This is why nodes using
a stateful scheme must not set the flow label to a non-zero and
non-uniformly distributed value if the packet will leave their domain.
If it is known to a border router that flow labels originated within the
domain are not uniformly distributed, it will need to
set outgoing flow labels in the same manner as described
for forwarding nodes in <xref target="labreq"/>.
</t>
</list>
<!-- end nested t -->
</t>
<t> There is no way to verify whether a flow label has been modified en route
or whether it belongs to a uniform distribution.
Therefore, no Internet-wide mechanism can depend mathematically on immutable and uniformly
distributed flow labels; they have a "best effort" quality. This leads to the following formal rules:</t>
<list style="symbols">
<t>Implementers should be aware that the flow label is an
unprotected field that could have been accidentally
or intentionally changed en route. Implementations MUST
take appropriate steps to protect themselves from being
vulnerable to denial of service and other types of attack that
could result (see <xref target="theft"/>). </t>
<t>Forwarding nodes such as routers and load balancers MUST NOT depend only on Flow Label
values being uniformly distributed. In any usage such as a hash key for load distribution,
the Flow Label bits MUST be combined at least with bits from other sources within the packet,
so as to produce a constant hash value for each flow and a suitable distribution of hash
values across flows. </t>
</list>
<t> Although uniformly distributed flow
label values are recommended below, and will always be helpful for load balancing, it is unsafe to assume
their presence in the general case, and the use case needs to work even if the flow label
value is zero. </t>
<t>The use of the Flow Label field does not necessarily signal any
requirement on packet reordering. Especially, the zero label does
not imply that significant reordering is acceptable. </t>
<t>An IPv6 node that does not set the flow label to a non-zero value, or make use of it in any way, MUST
ignore it when receiving or forwarding a packet. </t>
</section> <!-- spec -->
<section anchor="labreq" title="Stateless Flow Labeling Requirements">
<t>This section defines the minimum requirements for stateless methods of setting the flow label value. </t>
<t>To enable Flow Label based classification, source nodes SHOULD assign
each unrelated transport connection and application data stream to a
new flow. A typical definition of a flow for this purpose is any set
of packets carrying the same 5-tuple {dest addr, source addr, protocol, dest port, source port}. </t>
<t>It is desirable that flow label values should be uniformly distributed
to assist load distribution. It is therefore RECOMMENDED that source hosts support the flow label by
setting the flow label field for all packets of a given flow to the same uniformly distributed pseudo-random value.
Both stateful and stateless methods of assigning a pseudo-random value could be used,
but it is outside the scope of this specification to mandate an algorithm. In a stateless mechanism,
the algorithm SHOULD ensure that the resulting flow label values are unique
with high probability. </t>
<t>An OPTIONAL algorithm for generating such a pseudo-random value is
described in <xref target="I-D.gont-6man-flowlabel-security"/>. </t>
<t>[[ NOTE TO RFC EDITOR: The preceding sentence should be deleted, and the reference should be
changed to Informative, if the cited draft is not on the standards track at the time of publication. ]]</t>
<t>A source node which does not otherwise set the flow label
MUST set its value to zero. </t>
<t>A node that forwards a flow whose flow label value in arriving packets is zero
MAY set the flow label value. In that case, it is RECOMMENDED
that the forwarding node sets the flow label field for a flow to a uniformly distributed pseudo-random value. </t>
<list style='symbols'>
<t>The same considerations apply as to source hosts setting the flow label; in particular,
the normal case is that a flow is defined by the 5-tuple. </t>
<t>This option, if implemented, would presumably be used by first-hop or ingress routers. It might place a
considerable per-packet processing load on them, even if they adopted a stateless method of
flow identification and label assignment. This is why the principal recommendation is that
the source host should set the label.
</t>
</list>
<t>The preceding rules taken together allow a given network domain to
include routers that set flow labels on behalf of hosts that do not do so.
They also recommend that flow labels exported
to the Internet are always either zero or uniformly distributed. </t>
</section> <!-- labreq -->
<section anchor="estreq" title="Flow State Establishment Requirements">
<t>A node that sets the flow label MAY also take part in a flow state
establishment method that results in assigning specific treatments to
specific flows, possibly including signaling. Any such method MUST NOT
disturb nodes taking part in the stateless model just described. Further details
are not discussed in this document. </t>
</section> <!-- estreq -->
<section title="Essential correction to RFC 2205">
<t><xref target="RFC2460"/> reduced the size of the flow label field from 24 to 20 bits.
The references to a 24 bit flow label field on pages 87 and 88 of <xref target="RFC2205"/> are updated accordingly. </t>
</section>
<section anchor="security" title="Security Considerations">
<t>This section considers security issues raised by the use of the Flow
Label, primarily the potential for denial-of-service attacks, and the
related potential for theft of service by unauthorized traffic
(<xref target="theft"/>). <xref target="ipsec"/> addresses the use of the Flow Label in
the presence of IPsec including its interaction with IPsec tunnel
mode and other tunneling protocols. We also note that inspection of
unencrypted Flow Labels may allow some forms of traffic analysis by
revealing some structure of the underlying communications. Even if
the flow label were encrypted, its presence as a constant value in a
fixed position might assist traffic analysis and cryptoanalysis. </t>
<t>The flow label is not protected in any way and can be forged by an on-path
attacker. On the other hand, a uniformly distributed pseudo-random flow label cannot be readily
guessed by an off-path attacker; see
<xref target="I-D.gont-6man-flowlabel-security"/> for further discussion. </t>
<section anchor="theft" title="Theft and Denial of Service">
<t>Since the mapping of network traffic to flow-specific treatment is
triggered by the IP addresses and Flow Label value of the IPv6
header, an adversary may be able to obtain unintended service by
modifying the IPv6 header or by injecting packets with false
addresses and/or labels. Theft of service is not further discussed
in this document, since it can only be analysed for specific stateful
methods of using the flow label. However, a denial of service attack
becomes possible in the stateless model when the modified or injected
traffic depletes the resources available to forward it and other
traffic streams. If a DoS attack were undertaken
against a given Flow Label (or set of Flow Labels), then traffic
containing an affected Flow Label might well experience worse-than-best-effort
network performance. </t>
<t>Note that since the treatment of IP headers by nodes is typically
unverified, there is no guarantee that flow labels sent by a node are
set according to the recommendations in this document.
A man-in-the-middle or injected-traffic denial of service attack specifically
directed at flow label handling would involve setting unusual flow labels.
For example, an attacker could set all flow labels reaching a given router
to the same arbitrary non-zero value, or could perform rapid cycling of
flow label values such that the packets of a given flow will each have
a different value. Either of these attacks would cause a stateless load
distribution algorithm to perform badly and would cause a stateful
mechanism to behave incorrectly. For this reason, stateless mechanisms
should not use the flow label alone to control load distribution,
and stateful mechanisms should include explicit methods to detect
and ignore suspect flow label values. </t>
<t>Since flows are identified by the 3-tuple of the Flow Label and the
Source and Destination Address, the risk of denial of
service introduced by the Flow Label is closely related to the risk
of denial of service by address spoofing. An adversary who
is in a position to forge an address is also likely to be able to
forge a label, and vice versa. </t>
<t>There are two issues with different properties: Spoofing of the Flow
Label only, and spoofing of the whole 3-tuple, including Source and
Destination Address. </t>
<t>The former can be done inside a node which is using or transmitting
the correct source address. The ability to spoof a Flow Label
typically implies being in a position to also forge an address, but
in many cases, spoofing an address may not be interesting to the
spoofer, especially if the spoofer's goal is theft of service, rather
than denial of service. </t>
<t>The latter can be done by a host which is not subject to ingress
filtering <xref target="RFC2827"/> or by an intermediate router. Due to its
properties, this is typically useful only for denial of service. In
the absence of ingress filtering, almost any third party could
instigate such an attack. </t>
<t>In the presence of ingress filtering, forging a non-zero Flow Label
on packets that originated with a zero label, or modifying or
clearing a label, could only occur if an intermediate system such as
a router was compromised, or through some other form of man-in-the-
middle attack. </t>
</section>
<section anchor="ipsec" title="IPsec and Tunneling Interactions">
<t>The IPsec protocol, as defined in <xref target="RFC4301"/>, <xref target="RFC4302"/>,
<xref target="RFC4303"/> does not include
the IPv6 header's Flow Label in any of its cryptographic calculations
(in the case of tunnel mode, it is the outer IPv6 header's Flow Label
that is not included). Hence modification of the Flow Label by a
network node has no effect on IPsec end-to-end security, because it
cannot cause any IPsec integrity check to fail. As a consequence,
IPsec does not provide any defense against an adversary's
modification of the Flow Label (i.e., a man-in-the-middle attack). </t>
<t>IPsec tunnel mode provides security for the encapsulated IP header's
Flow Label. A tunnel mode IPsec packet contains two IP headers: an
outer header supplied by the tunnel ingress node and an encapsulated
inner header supplied by the original source of the packet. When an
IPsec tunnel is passing through nodes performing flow classification,
the intermediate network nodes operate on the Flow Label in the outer
header. At the tunnel egress node, IPsec processing includes
removing the outer header and forwarding the packet (if required)
using the inner header. The IPsec protocol requires that the inner
header's Flow Label not be changed by this decapsulation processing
to ensure that modifications to label cannot be used to launch theft-
or denial-of-service attacks across an IPsec tunnel endpoint. This
document makes no change to that requirement; indeed it forbids
changes to the Flow Label. </t>
<t>When IPsec tunnel egress decapsulation processing includes a
sufficiently strong cryptographic integrity check of the encapsulated
packet (where sufficiency is determined by local security policy),
the tunnel egress node can safely assume that the Flow Label in the
inner header has the same value as it had at the tunnel ingress node. </t>
<t>This analysis and its implications apply to any tunneling protocol
that performs integrity checks. Of course, any Flow Label set in an
encapsulating IPv6 header is subject to the risks described in the
previous section. </t>
</section>
<section title="Security Filtering Interactions">
<t>The Flow Label does nothing to eliminate the need for packet
filtering based on headers past the IP header, if such filtering is
deemed necessary for security reasons on nodes such as firewalls or
filtering routers. </t>
<t>However, security devices that clear or rewrite non-zero flow label values would
be in violation of this specification. </t>
</section>
</section> <!-- security -->
<section anchor="iana" title="IANA Considerations">
<t>This document requests no action by IANA. </t>
</section> <!-- iana -->
<section anchor="ack" title="Acknowledgements">
<t>Steve Deering and Alex Conta were co-authors of RFC 3697, on which this document is based. </t>
<t>
Valuable comments and contributions were made by
Fred Baker,
Steve Blake,
Remi Despres,
Alan Ford,
Fernando Gont,
Brian Haberman,
Tony Hain,
Joel Halpern,
Qinwen Hu,
Chris Morrow,
Thomas Narten,
Mark Smith,
Pascal Thubert,
Iljitsch van Beijnum,
and other participants in the 6man working group.</t>
<t>Contributors to the development of RFC 3697 included
Ran Atkinson, Steve Blake, Jim Bound, Francis Dupont,
Robert Elz, Tony Hain, Robert Hancock, Bob Hinden, Christian Huitema,
Frank Kastenholz, Thomas Narten, Charles Perkins, Pekka Savola,
Hesham Soliman, Michael Thomas, Margaret Wasserman, and Alex Zinin. </t>
<t>This document was produced using the xml2rfc tool
<xref target="RFC2629"/>.</t>
</section> <!-- ack -->
<section anchor ="changes" title="Change log">
<t>draft-ietf-6man-flow-3697bis-02: update to remove most text about stateful methods, 2011-03-13</t>
<t>draft-ietf-6man-flow-3697bis-01: update after resolving 11 initial issues, 2011-02-26</t>
<t>draft-ietf-6man-flow-3697bis-00: original version, built from RFC3697 and draft-ietf-6man-flow-update-01, 2011-01-31</t>
</section> <!-- changes -->
</middle>
<back>
<references title="Normative References">
&RFC2460;
&RFC2119;
&RFC2205;
&DRAFT-gont;
</references>
<references title="Informative References">
&RFC2629;
&RFC2827;
&RFC3697;
&RFC4301;
&RFC4302;
&RFC4303;
&DRAFT-rationale;
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-23 20:48:45 |