1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
|
<pre>Network Working Group J. Rajahalme
Request for Comments: 3697 Nokia
Category: Standards Track A. Conta
Transwitch
B. Carpenter
IBM
S. Deering
Cisco
March 2004
<span class="h1">IPv6 Flow Label Specification</span>
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2004). All Rights Reserved.
Abstract
This document specifies the IPv6 Flow Label field and the minimum
requirements for IPv6 source nodes labeling flows, IPv6 nodes
forwarding labeled packets, and flow state establishment methods.
Even when mentioned as examples of possible uses of the flow
labeling, more detailed requirements for specific use cases are out
of scope for this document.
The usage of the Flow Label field enables efficient IPv6 flow
classification based only on IPv6 main header fields in fixed
positions.
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>
A flow is a sequence of packets sent from a particular source to a
particular unicast, anycast, or multicast destination that the source
desires to label as a flow. A flow could consist of all packets in a
specific transport connection or a media stream. However, a flow is
not necessarily 1:1 mapped to a transport connection.
<span class="grey">Rajahalme, et al. Standards Track [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc3697">RFC 3697</a> IPv6 Flow Label Specification March 2004</span>
Traditionally, flow classifiers have been based on the 5-tuple of the
source and destination addresses, ports, and the transport protocol
type. However, some of these fields may be unavailable due to either
fragmentation or encryption, or locating them past a chain of IPv6
option headers may be inefficient. Additionally, if classifiers
depend only on IP layer headers, later introduction of alternative
transport layer protocols will be easier.
The usage of the 3-tuple of the Flow Label and the Source and
Destination Address fields enables efficient IPv6 flow
classification, where only IPv6 main header fields in fixed positions
are used.
The minimum level of IPv6 flow support consists of labeling the
flows. IPv6 source nodes supporting the flow labeling MUST be able
to label known flows (e.g., TCP connections, application streams),
even if the node itself would not require any flow-specific
treatment. Doing this enables load spreading and receiver oriented
resource reservations, for example. Node requirements for flow
labeling are given in <a href="#section-3">section 3</a>.
Specific flow state establishment methods and the related service
models are out of scope for this specification, but the generic
requirements enabling co-existence of different methods in IPv6 nodes
are set forth in <a href="#section-4">section 4</a>. The associated scaling characteristics
(such as nodes involved in state establishment, amount of state
maintained by them, and state growth function) will be specific to
particular service models.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <a href="https://www.rfc-editor.org/bcp/bcp14">BCP 14</a>, <a href="./rfc2119">RFC 2119</a>
[<a href="#ref-KEYWORDS" title=""Key words for use in RFCs to indicate requirement levels"">KEYWORDS</a>].
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. IPv6 Flow Label Specification</span>
The 20-bit Flow Label field in the IPv6 header [<a href="#ref-IPv6" title=""Internet Protocol Version 6 Specification"">IPv6</a>] is used by a
source to label packets of a flow. A Flow Label of zero is used to
indicate packets not part of any flow. Packet classifiers use the
triplet of Flow Label, Source Address, and Destination Address fields
to identify which flow a particular packet belongs to. Packets are
processed in a flow-specific manner by the nodes that have been set
up with flow-specific state. The nature of the specific treatment
and the methods for the flow state establishment are out of scope for
this specification.
The Flow Label value set by the source MUST be delivered unchanged to
the destination node(s).
<span class="grey">Rajahalme, et al. Standards Track [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc3697">RFC 3697</a> IPv6 Flow Label Specification March 2004</span>
IPv6 nodes MUST NOT assume any mathematical or other properties of
the Flow Label values assigned by source nodes. Router performance
SHOULD NOT be dependent on the distribution of the Flow Label values.
Especially, the Flow Label bits alone make poor material for a hash
key.
Nodes keeping dynamic flow state MUST NOT assume packets arriving 120
seconds or more after the previous packet of a flow still belong to
the same flow, unless a flow state establishment method in use
defines a longer flow state lifetime or the flow state has been
explicitly refreshed within the lifetime duration.
The use of the Flow Label field does not necessarily signal any
requirement on packet reordering. Especially, the zero label does
not imply that significant reordering is acceptable.
If an IPv6 node is not providing flow-specific treatment, it MUST
ignore the field when receiving or forwarding a packet.
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. Flow Labeling Requirements</span>
To enable Flow Label based classification, source nodes SHOULD assign
each unrelated transport connection and application data stream to a
new flow. The source node MAY also take part in flow state
establishment methods that result in assigning certain packets to
specific flows. A source node which does not assign traffic to flows
MUST set the Flow Label to zero.
To enable applications and transport protocols to define what packets
constitute a flow, the source node MUST provide means for the
applications and transport protocols to specify the Flow Label values
to be used with their flows. The use of the means to specify Flow
Label values is subject to appropriate privileges (see <a href="#section-5.1">section 5.1</a>).
The source node SHOULD be able to select unused Flow Label values for
flows not requesting a specific value to be used.
A source node MUST ensure that it does not unintentionally reuse Flow
Label values it is currently using or has recently used when creating
new flows. Flow Label values previously used with a specific pair of
source and destination addresses MUST NOT be assigned to new flows
with the same address pair within 120 seconds of the termination of
the previous flow. The source node SHOULD provide the means for the
applications and transport protocols to specify quarantine periods
longer than the default 120 seconds for individual flows.
To avoid accidental Flow Label value reuse, the source node SHOULD
select new Flow Label values in a well-defined sequence (e.g.,
sequential or pseudo-random) and use an initial value that avoids
<span class="grey">Rajahalme, et al. Standards Track [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc3697">RFC 3697</a> IPv6 Flow Label Specification March 2004</span>
reuse of recently used Flow Label values each time the system
restarts. The initial value SHOULD be derived from a previous value
stored in non-volatile memory, or in the absence of such history, a
randomly generated initial value using techniques that produce good
randomness properties [<a href="#ref-RND" title=""Randomness Recommendations for Security"">RND</a>] SHOULD be used.
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. Flow State Establishment Requirements</span>
To enable flow-specific treatment, flow state needs to be established
on all or a subset of the IPv6 nodes on the path from the source to
the destination(s). The methods for the state establishment, as well
as the models for flow-specific treatment will be defined in separate
specifications.
To enable co-existence of different methods in IPv6 nodes, the
methods MUST meet the following basic requirements:
(1) The method MUST provide the means for flow state clean-up from
the IPv6 nodes providing the flow-specific treatment. Signaling
based methods where the source node is involved are free to
specify flow state lifetimes longer than the default 120
seconds.
(2) Flow state establishment methods MUST be able to recover from
the case where the requested flow state cannot be supported.
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. Security Considerations</span>
This section considers security issues raised by the use of the Flow
Label, primarily the potential for denial-of-service attacks, and the
related potential for theft of service by unauthorized traffic
(<a href="#section-5.1">Section 5.1</a>). <a href="#section-5.2">Section 5.2</a> addresses the use of the Flow Label in
the presence of IPsec including its interaction with IPsec tunnel
mode and other tunneling protocols. We also note that inspection of
unencrypted Flow Labels may allow some forms of traffic analysis by
revealing some structure of the underlying communications. Even if
the flow label were encrypted, its presence as a constant value in a
fixed position might assist traffic analysis and cryptoanalysis.
<span class="h3"><a class="selflink" id="section-5.1" href="#section-5.1">5.1</a>. Theft and Denial of Service</span>
Since the mapping of network traffic to flow-specific treatment is
triggered by the IP addresses and Flow Label value of the IPv6
header, an adversary may be able to obtain better service by
modifying the IPv6 header or by injecting packets with false
addresses and/or labels. Taken to its limits, such theft-of-service
becomes a denial-of-service attack when the modified or injected
traffic depletes the resources available to forward it and other
<span class="grey">Rajahalme, et al. Standards Track [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc3697">RFC 3697</a> IPv6 Flow Label Specification March 2004</span>
traffic streams. A curiosity is that if a DoS attack were undertaken
against a given Flow Label (or set of Flow Labels), then traffic
containing an affected Flow Label might well experience worse-than-
best-effort network performance.
Note that since the treatment of IP headers by nodes is typically
unverified, there is no guarantee that flow labels sent by a node are
set according to the recommendations in this document. Therefore,
any assumptions made by the network about header fields such as flow
labels should be limited to the extent that the upstream nodes are
explicitly trusted.
Since flows are identified by the 3-tuple of the Flow Label and the
Source and Destination Address, the risk of theft or denial of
service introduced by the Flow Label is closely related to the risk
of theft or denial of service by address spoofing. An adversary who
is in a position to forge an address is also likely to be able to
forge a label, and vice versa.
There are two issues with different properties: Spoofing of the Flow
Label only, and spoofing of the whole 3-tuple, including Source and
Destination Address.
The former can be done inside a node which is using or transmitting
the correct source address. The ability to spoof a Flow Label
typically implies being in a position to also forge an address, but
in many cases, spoofing an address may not be interesting to the
spoofer, especially if the spoofer's goal is theft of service, rather
than denial of service.
The latter can be done by a host which is not subject to ingress
filtering [<a href="#ref-INGR" title=""Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing"">INGR</a>] or by an intermediate router. Due to its
properties, such is typically useful only for denial of service. In
the absence of ingress filtering, almost any third party could
instigate such an attack.
In the presence of ingress filtering, forging a non-zero Flow Label
on packets that originated with a zero label, or modifying or
clearing a label, could only occur if an intermediate system such as
a router was compromised, or through some other form of man-in-the-
middle attack. However, the risk is limited to traffic receiving
better or worse quality of service than intended. For example, if
Flow Labels are altered or cleared at random, flow classification
will no longer happen as intended, and the altered packets will
receive default treatment. If a complete 3-tuple is forged, the
altered packets will be classified into the forged flow and will
receive the corresponding quality of service; this will create a
denial of service attack subtly different from one where only the
<span class="grey">Rajahalme, et al. Standards Track [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc3697">RFC 3697</a> IPv6 Flow Label Specification March 2004</span>
addresses are forged. Because it is limited to a single flow
definition, e.g., to a limited amount of bandwidth, such an attack
will be more specific and at a finer granularity than a normal
address-spoofing attack.
Since flows are identified by the complete 3-tuple, ingress filtering
[<a href="#ref-INGR" title=""Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing"">INGR</a>] will, as noted above, mitigate part of the risk. If the
source address of a packet is validated by ingress filtering, there
can be a degree of trust that the packet has not transited a
compromised router, to the extent that ISP infrastructure may be
trusted. However, this gives no assurance that another form of man-
in-the-middle attack has not occurred.
Only applications with an appropriate privilege in a sending host
will be entitled to set a non-zero Flow Label. Mechanisms for this
are operating system dependent. Related policy and authorization
mechanisms may also be required; for example, in a multi-user host,
only some users may be entitled to set the Flow Label. Such
authorization issues are outside the scope of this specification.
<span class="h3"><a class="selflink" id="section-5.2" href="#section-5.2">5.2</a>. IPsec and Tunneling Interactions</span>
The IPsec protocol, as defined in [<a href="#ref-IPSec" title=""Security Architecture for the Internet Protocol"">IPSec</a>, <a href="#ref-AH" title=""IP Authentication Header"">AH</a>, <a href="#ref-ESP" title=""IP Encapsulating Security Payload (ESP)"">ESP</a>], does not include
the IPv6 header's Flow Label in any of its cryptographic calculations
(in the case of tunnel mode, it is the outer IPv6 header's Flow Label
that is not included). Hence modification of the Flow Label by a
network node has no effect on IPsec end-to-end security, because it
cannot cause any IPsec integrity check to fail. As a consequence,
IPsec does not provide any defense against an adversary's
modification of the Flow Label (i.e., a man-in-the-middle attack).
IPsec tunnel mode provides security for the encapsulated IP header's
Flow Label. A tunnel mode IPsec packet contains two IP headers: an
outer header supplied by the tunnel ingress node and an encapsulated
inner header supplied by the original source of the packet. When an
IPsec tunnel is passing through nodes performing flow classification,
the intermediate network nodes operate on the Flow Label in the outer
header. At the tunnel egress node, IPsec processing includes
removing the outer header and forwarding the packet (if required)
using the inner header. The IPsec protocol requires that the inner
header's Flow Label not be changed by this decapsulation processing
to ensure that modifications to label cannot be used to launch theft-
or denial-of-service attacks across an IPsec tunnel endpoint. This
document makes no change to that requirement; indeed it forbids
changes to the Flow Label.
<span class="grey">Rajahalme, et al. Standards Track [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc3697">RFC 3697</a> IPv6 Flow Label Specification March 2004</span>
When IPsec tunnel egress decapsulation processing includes a
sufficiently strong cryptographic integrity check of the encapsulated
packet (where sufficiency is determined by local security policy),
the tunnel egress node can safely assume that the Flow Label in the
inner header has the same value as it had at the tunnel ingress node.
This analysis and its implications apply to any tunneling protocol
that performs integrity checks. Of course, any Flow Label set in an
encapsulating IPv6 header is subject to the risks described in the
previous section.
<span class="h3"><a class="selflink" id="section-5.3" href="#section-5.3">5.3</a>. Security Filtering Interactions</span>
The Flow Label does nothing to eliminate the need for packet
filtering based on headers past the IP header, if such filtering is
deemed necessary for security reasons on nodes such as firewalls or
filtering routers.
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. Acknowledgements</span>
The discussion on the topic in the IPv6 WG mailing list has been
instrumental for the definition of this specification. The authors
want to thank Ran Atkinson, Steve Blake, Jim Bound, Francis Dupont,
Robert Elz, Tony Hain, Robert Hancock, Bob Hinden, Christian Huitema,
Frank Kastenholz, Thomas Narten, Charles Perkins, Pekka Savola,
Hesham Soliman, Michael Thomas, Margaret Wasserman, and Alex Zinin
for their contributions.
<span class="h2"><a class="selflink" id="section-7" href="#section-7">7</a>. References</span>
<span class="h3"><a class="selflink" id="section-7.1" href="#section-7.1">7.1</a>. Normative References</span>
[<a id="ref-IPv6">IPv6</a>] Deering, S. and R. Hinden, "Internet Protocol Version 6
Specification", <a href="./rfc2460">RFC 2460</a>, December 1998.
[<a id="ref-KEYWORDS">KEYWORDS</a>] Bradner, S., "Key words for use in RFCs to indicate
requirement levels", <a href="https://www.rfc-editor.org/bcp/bcp14">BCP 14</a>, <a href="./rfc2119">RFC 2119</a>, March 1997.
[<a id="ref-RND">RND</a>] Eastlake, D., Crocker, S. and J. Schiller, "Randomness
Recommendations for Security", <a href="./rfc1750">RFC 1750</a>, December 1994.
<span class="h3"><a class="selflink" id="section-7.2" href="#section-7.2">7.2</a>. Informative References</span>
[<a id="ref-AH">AH</a>] Kent, S. and R. Atkinson, "IP Authentication Header", <a href="./rfc2402">RFC</a>
<a href="./rfc2402">2402</a>, November 1998.
[<a id="ref-ESP">ESP</a>] Kent, S. and R. Atkinson, "IP Encapsulating Security
Payload (ESP)", <a href="./rfc2406">RFC 2406</a>, November 1998.
<span class="grey">Rajahalme, et al. Standards Track [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc3697">RFC 3697</a> IPv6 Flow Label Specification March 2004</span>
[<a id="ref-INGR">INGR</a>] Ferguson, P. and D. Senie, "Network Ingress Filtering:
Defeating Denial of Service Attacks which employ IP
Source Address Spoofing", <a href="https://www.rfc-editor.org/bcp/bcp38">BCP 38</a>, <a href="./rfc2827">RFC 2827</a>, May 2000.
[<a id="ref-IPSec">IPSec</a>] Kent, S. and R. Atkinson, "Security Architecture for the
Internet Protocol", <a href="./rfc2401">RFC 2401</a>, November 1998.
Authors' Addresses
Jarno Rajahalme
Nokia Research Center
P.O. Box 407
FIN-00045 NOKIA GROUP,
Finland
EMail: jarno.rajahalme@nokia.com
Alex Conta
Transwitch Corporation
3 Enterprise Drive
Shelton, CT 06484
USA
EMail: aconta@txc.com
Brian E. Carpenter
IBM Zurich Research Laboratory
Saeumerstrasse 4 / Postfach
8803 Rueschlikon
Switzerland
EMail: brc@zurich.ibm.com
Steve Deering
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
<span class="grey">Rajahalme, et al. Standards Track [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc3697">RFC 3697</a> IPv6 Flow Label Specification March 2004</span>
Full Copyright Statement
Copyright (C) The Internet Society (2004). This document is subject
to the rights, licenses and restrictions contained in <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and
except as set forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE
INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed
to pertain to the implementation or use of the technology
described in this document or the extent to which any license
under such rights might or might not be available; nor does it
represent that it has made any independent effort to identify any
such rights. Information on the procedures with respect to
rights in RFC documents can be found in <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and <a href="https://www.rfc-editor.org/bcp/bcp79">BCP 79</a>.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use
of such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository
at <a href="http://www.ietf.org/ipr">http://www.ietf.org/ipr</a>.
The IETF invites any interested party to bring to its attention
any copyrights, patents or patent applications, or other
proprietary rights that may cover technology that may be required
to implement this standard. Please address the information to the
IETF at ietf-ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Rajahalme, et al. Standards Track [Page 9]
</pre>
|
