Internet Engineering Task Force (IETF) S. Amante Request for Comments: 6437 Level 3 Obsoletes: 3697 B. Carpenter Updates: 2205, 2460 Univ. of Auckland Category: Standards Track S. Jiang ISSN: 2070-1721 Huawei J. Rajahalme Nokia Siemens Networks November 2011
Internet Engineering Task Force (IETF) S. Amante Request for Comments: 6437 Level 3 Obsoletes: 3697 B. Carpenter Updates: 2205, 2460 Univ. of Auckland Category: Standards Track S. Jiang ISSN: 2070-1721 Huawei J. Rajahalme Nokia Siemens Networks November 2011
IPv6 Flow Label Specification
IPv6流标签规范
Abstract
摘要
This document specifies the IPv6 Flow Label field and the minimum requirements for IPv6 nodes labeling flows, IPv6 nodes forwarding labeled packets, and flow state establishment methods. Even when mentioned as examples of possible uses of the flow labeling, more detailed requirements for specific use cases are out of the scope for this document.
本文档规定了IPv6流标签字段以及IPv6节点标记流、IPv6节点转发标记数据包和流状态建立方法的最低要求。即使作为流标签可能使用的示例提到,特定用例的更详细要求也不在本文档的范围之内。
The usage of the Flow Label field enables efficient IPv6 flow classification based only on IPv6 main header fields in fixed positions.
使用流标签字段可以仅基于固定位置的IPv6主标头字段实现高效的IPv6流分类。
Status of This Memo
关于下段备忘
This is an Internet Standards Track document.
这是一份互联网标准跟踪文件。
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.
本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。有关互联网标准的更多信息,请参见RFC 5741第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6437.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc6437.
Copyright Notice
版权公告
Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2011 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。
This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English.
本文件可能包含2008年11月10日之前发布或公开的IETF文件或IETF贡献中的材料。控制某些材料版权的人员可能未授予IETF信托允许在IETF标准流程之外修改此类材料的权利。在未从控制此类材料版权的人员处获得充分许可的情况下,不得在IETF标准流程之外修改本文件,也不得在IETF标准流程之外创建其衍生作品,除了将其格式化以RFC形式发布或将其翻译成英语以外的其他语言。
Table of Contents
目录
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. IPv6 Flow Label Specification . . . . . . . . . . . . . . . . 4 3. Flow Labeling Requirements in the Stateless Scenario . . . . . 5 4. Flow State Establishment Requirements . . . . . . . . . . . . 7 5. Essential Correction to RFC 2205 . . . . . . . . . . . . . . . 7 6. Security Considerations . . . . . . . . . . . . . . . . . . . 7 6.1. Covert Channel Risk . . . . . . . . . . . . . . . . . . . 8 6.2. Theft and Denial of Service . . . . . . . . . . . . . . . 8 6.3. IPsec and Tunneling Interactions . . . . . . . . . . . . . 10 6.4. Security Filtering Interactions . . . . . . . . . . . . . 11 7. Differences from RFC 3697 . . . . . . . . . . . . . . . . . . 11 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 11 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 12 9.1. Normative References . . . . . . . . . . . . . . . . . . . 12 9.2. Informative References . . . . . . . . . . . . . . . . . . 12 Appendix A. Example 20-Bit Hash Function . . . . . . . . . . . . 14
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. IPv6 Flow Label Specification . . . . . . . . . . . . . . . . 4 3. Flow Labeling Requirements in the Stateless Scenario . . . . . 5 4. Flow State Establishment Requirements . . . . . . . . . . . . 7 5. Essential Correction to RFC 2205 . . . . . . . . . . . . . . . 7 6. Security Considerations . . . . . . . . . . . . . . . . . . . 7 6.1. Covert Channel Risk . . . . . . . . . . . . . . . . . . . 8 6.2. Theft and Denial of Service . . . . . . . . . . . . . . . 8 6.3. IPsec and Tunneling Interactions . . . . . . . . . . . . . 10 6.4. Security Filtering Interactions . . . . . . . . . . . . . 11 7. Differences from RFC 3697 . . . . . . . . . . . . . . . . . . 11 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 11 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 12 9.1. Normative References . . . . . . . . . . . . . . . . . . . 12 9.2. Informative References . . . . . . . . . . . . . . . . . . 12 Appendix A. Example 20-Bit Hash Function . . . . . . . . . . . . 14
From the viewpoint of the network layer, a flow is a sequence of packets sent from a particular source to a particular unicast, anycast, or multicast destination that a node desires to label as a flow. From an upper-layer viewpoint, a flow could consist of all packets in one direction of a specific transport connection or media stream. However, a flow is not necessarily 1:1 mapped to a transport connection.
从网络层的观点来看,流是从特定源发送到节点希望标记为流的特定单播、选播或多播目的地的分组序列。从上层的观点来看,流可以由特定传输连接或媒体流的一个方向上的所有数据包组成。但是,流不一定要1:1映射到传输连接。
Traditionally, flow classifiers have been based on the 5-tuple of the source address, destination address, source port, destination port, and the transport protocol type. However, some of these fields may be unavailable due to either fragmentation or encryption, or locating them past a chain of IPv6 extension headers may be inefficient. Additionally, if classifiers depend only on IP-layer headers, later introduction of alternative transport-layer protocols will be easier.
传统上,流分类器基于源地址、目标地址、源端口、目标端口和传输协议类型的5元组。但是,由于碎片或加密,这些字段中的某些字段可能不可用,或者通过IPv6扩展头链定位这些字段可能效率低下。此外,如果分类器仅依赖于IP层头,那么以后引入替代传输层协议将更容易。
The usage of the 3-tuple of the Flow Label, Source Address, and Destination Address fields enables efficient IPv6 flow classification, where only IPv6 main header fields in fixed positions are used.
使用流标签、源地址和目标地址字段的三元组可以实现高效的IPv6流分类,其中只使用固定位置的IPv6主标头字段。
The flow label could be used in both stateless and stateful scenarios. A stateless scenario is one where any node that processes the flow label in any way does not need to store any information about a flow before or after a packet has been processed. A stateful scenario is one where a node that processes the flow label value needs to store information about the flow, including the flow label value. A stateful scenario might also require a signaling mechanism to inform downstream nodes that the flow label is being used in a certain way and to establish flow state in the network. For example, RSVP [RFC2205] and General Internet Signaling Transport (GIST) [RFC5971] can signal flow label values.
流标签可用于无状态和有状态场景。无状态场景是指任何以任何方式处理流标签的节点都不需要在处理数据包之前或之后存储关于流的任何信息。有状态场景是指处理流标签值的节点需要存储有关流的信息,包括流标签值。有状态场景可能还需要信令机制来通知下游节点正在以某种方式使用流标签,并在网络中建立流状态。例如,RSVP[RFC2205]和通用互联网信令传输(GIST)[RFC5971]可以发送流标签值的信号。
The flow label can be used most simply in stateless scenarios. This specification concentrates on the stateless model and how it can be used as a default mechanism. Details of stateful models, signaling, specific flow state establishment methods, and their related service models are out of scope for this specification. The basic requirement for stateful models is set forth in Section 4.
流标签可以最简单地用于无状态场景。本规范集中于无状态模型以及如何将其用作默认机制。有状态模型、信令、特定流状态建立方法及其相关服务模型的详细信息不在本规范的范围内。第4节阐述了有状态模型的基本要求。
The minimum level of IPv6 flow support consists of labeling the flows. A specific goal is to enable and encourage the use of the flow label for various forms of stateless load distribution, especially across Equal Cost Multi-Path (ECMP) and/or Link Aggregation Group (LAG) paths. ECMP and LAG are methods to bond together multiple physical links used to procure the required
IPv6流支持的最低级别包括标记流。一个具体的目标是支持并鼓励对各种形式的无状态负载分配使用流标签,特别是跨等成本多路径(ECMP)和/或链路聚合组(LAG)路径。ECMP和LAG是将多个物理链路连接在一起的方法,用于获取所需的
capacity necessary to carry an offered load greater than the bandwidth of an individual physical link. Further details are in a separate document [RFC6438]. IPv6 source nodes SHOULD be able to label known flows (e.g., TCP connections and application streams), even if the node itself does not require any flow-specific treatment. Node requirements for stateless flow labeling are given in Section 3.
承载大于单个物理链路带宽的提供负载所需的容量。更多详情见单独的文件[RFC6438]。IPv6源节点应该能够标记已知流(例如TCP连接和应用程序流),即使节点本身不需要任何特定于流的处理。第3节给出了无状态流标记的节点要求。
This document replaces [RFC3697] and Section 6 and Appendix A of [RFC2460]. A rationale for the changes made is documented in [RFC6436]. The present document also includes a correction to [RFC2205] concerning the flow label.
This document replaces [RFC3697] and Section 6 and Appendix A of [RFC2460]. A rationale for the changes made is documented in [RFC6436]. The present document also includes a correction to [RFC2205] concerning the flow label.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
本文件中的关键词“必须”、“不得”、“必需”、“应”、“不应”、“建议”、“不建议”、“可”和“可选”应按照[RFC2119]中的说明进行解释。
The 20-bit Flow Label field in the IPv6 header [RFC2460] is used by a node to label packets of a flow. A Flow Label of zero is used to indicate packets that have not been labeled. Packet classifiers can use the triplet of Flow Label, Source Address, and Destination Address fields to identify the flow to which a particular packet belongs. Packets are processed in a flow-specific manner by nodes that are able to do so in a stateless manner or that have been set up with flow-specific state. The nature of the specific treatment and the methods for flow state establishment are out of scope for this specification.
IPv6报头[RFC2460]中的20位流标签字段由节点用于标记流的数据包。零流标签用于指示尚未标记的数据包。包分类器可以使用流标签、源地址和目标地址字段的三元组来识别特定包所属的流。数据包由能够以无状态方式处理或已设置为流特定状态的节点以流特定方式处理。具体处理的性质和流动状态建立的方法超出本规范的范围。
Flow label values should be chosen such that their bits exhibit a high degree of variability, making them suitable for use as part of the input to a hash function used in a load distribution scheme. At the same time, third parties should be unlikely to be able to guess the next value that a source of flow labels will choose.
流标签值的选择应确保其位具有高度的可变性,使其适合用作负载分配方案中使用的哈希函数输入的一部分。同时,第三方不太可能猜出流标签源将选择的下一个值。
In statistics, a discrete uniform distribution is defined as a probability distribution in which each value in a given range of equally spaced values (such as a sequence of integers) is equally likely to be chosen as the next value. The values in such a distribution exhibit both variability and unguessability. Thus, as specified in Section 3, an approximation to a discrete uniform distribution is preferable as the source of flow label values. Intentionally, there are no precise mathematical requirements placed on the distribution or the method used to achieve such a distribution.
在统计学中,离散均匀分布被定义为一种概率分布,其中在给定的等间距值范围内(如整数序列)的每个值都有可能被选为下一个值。这种分布中的值表现出可变性和不可用性。因此,如第3节所述,离散均匀分布的近似值最好作为流量标签值的来源。有意地,对分布或用于实现这种分布的方法没有精确的数学要求。
Once set to a non-zero value, the Flow Label is expected to be delivered unchanged to the destination node(s). A forwarding node MUST either leave a non-zero flow label value unchanged or change it only for compelling operational security reasons as described in Section 6.1.
一旦设置为非零值,则流标签将原封不动地传递到目标节点。转发节点必须保持非零流标签值不变,或仅出于第6.1节中所述的强制操作安全原因对其进行更改。
There is no way to verify whether a flow label has been modified en route or whether it belongs to a uniform distribution. Therefore, no Internet-wide mechanism can depend mathematically on unmodified and uniformly distributed flow labels; they have a "best effort" quality. Implementers should be aware that the flow label is an unprotected field that could have been accidentally or intentionally changed en route (see Section 6). This leads to the following formal rule:
无法验证流标签是否已在途中修改,或者是否属于均匀分布。因此,互联网范围内的任何机制都不能在数学上依赖于未修改且均匀分布的流标签;他们有“尽力而为”的品质。实施者应该知道,流标签是一个未受保护的字段,可能在途中意外或故意更改(请参见第6节)。这导致了以下正式规则:
o Forwarding nodes such as routers and load distributors MUST NOT depend only on Flow Label values being uniformly distributed. In any usage such as a hash key for load distribution, the Flow Label bits MUST be combined at least with bits from other sources within the packet, so as to produce a constant hash value for each flow and a suitable distribution of hash values across flows. Typically, the other fields used will be some or all components of the usual 5-tuple. In this way, load distribution will still occur even if the Flow Label values are poorly distributed.
o 转发节点(如路由器和负载分配器)不能仅依赖于均匀分布的流标签值。在诸如用于负载分布的散列键之类的任何使用中,流标签位必须至少与来自分组内的其他源的位组合,以便为每个流产生恒定散列值以及散列值在流之间的适当分布。通常,使用的其他字段将是通常的5元组的部分或全部组件。这样,即使流标签值分布不均匀,负载分布仍然会发生。
Although uniformly distributed flow label values are recommended below, and will always be helpful for load distribution, it is unsafe to assume their presence in the general case, and the use case needs to work even if the flow label value is zero.
尽管下面建议使用均匀分布的流量标签值,并且这些值总是有助于负载分配,但在一般情况下假设它们的存在是不安全的,并且即使流量标签值为零,用例也需要工作。
As a general practice, packet flows should not be reordered, and the use of the Flow Label field does not affect this. In particular, a Flow label value of zero does not imply that reordering is acceptable.
一般来说,数据包流不应该被重新排序,并且流标签字段的使用不会影响这一点。特别是,流标签值为零并不意味着可以接受重新排序。
This section defines the minimum requirements for methods of setting the flow label value within the stateless scenario of flow label usage.
本节定义了在流标签使用的无状态场景中设置流标签值的方法的最低要求。
To enable Flow-Label-based classification, source nodes SHOULD assign each unrelated transport connection and application data stream to a new flow. A typical definition of a flow for this purpose is any set of packets carrying the same 5-tuple {dest addr, source addr, protocol, dest port, source port}. It should be noted that a source node always has convenient and efficient access to this 5-tuple, which is not always the case for nodes that subsequently forward the packet.
要启用基于流标签的分类,源节点应将每个不相关的传输连接和应用程序数据流分配给新流。用于此目的的流的典型定义是携带相同5元组{dest addr,source addr,protocol,dest port,source port}的任何数据包集。应该注意的是,源节点总是能够方便高效地访问这个5元组,对于随后转发数据包的节点来说,情况并非总是如此。
It is desirable that flow label values should be uniformly distributed to assist load distribution. It is therefore RECOMMENDED that source hosts support the flow label by setting the flow label field for all packets of a given flow to the same value chosen from an approximation to a discrete uniform distribution. Both stateful and stateless methods of assigning a value could be used, but it is outside the scope of this specification to mandate an algorithm. The algorithm SHOULD ensure that the resulting flow label values are unique with high probability. However, if two simultaneous flows are assigned the same flow label value by chance and have the same source and destination addresses, it simply means that they will receive the same flow label treatment throughout the network. As long as this is a low-probability event, it will not significantly affect load distribution.
流标签值应均匀分布,以辅助负载分布。因此,建议源主机通过将给定流的所有数据包的流标签字段设置为从离散均匀分布近似值中选择的相同值来支持流标签。可以使用有状态和无状态赋值方法,但强制使用算法超出了本规范的范围。该算法应确保生成的流标签值具有高概率的唯一性。但是,如果两个同时发生的流碰巧被分配了相同的流标签值,并且具有相同的源地址和目标地址,这仅仅意味着它们将在整个网络中接受相同的流标签处理。只要这是一个低概率事件,它将不会显著影响负荷分布。
A possible stateless algorithm is to use a suitable 20-bit hash of values from the IP packet's 5-tuple. A simple example hash function is described in Appendix A.
一种可能的无状态算法是使用IP数据包5元组中合适的20位散列值。附录A中描述了一个简单的哈希函数示例。
An alternative approach is to use a pseudo-random number generator to assign a flow label value for a given transport session; such a method will require minimal local state to be kept at the source node by recording the flow label associated with each transport socket.
另一种方法是使用伪随机数生成器为给定的传输会话分配流标签值;这种方法将要求通过记录与每个传输套接字关联的流标签,在源节点保持最小的本地状态。
Viewed externally, either of these approaches will produce values that appear to be uniformly distributed and pseudo-random.
从外部看,这两种方法中的任何一种都会产生均匀分布和伪随机的值。
An implementation in which flow labels are assigned sequentially is NOT RECOMMENDED, as it would then be simple for on-path observers to guess the next value.
不推荐按顺序分配流标签的实现,因为这样路径上的观察者就可以很容易地猜测下一个值。
A source node that does not otherwise set the flow label MUST set its value to zero.
未以其他方式设置流标签的源节点必须将其值设置为零。
A node that forwards a flow whose flow label value in arriving packets is zero MAY change the flow label value. In that case, it is RECOMMENDED that the forwarding node sets the flow label field for a flow to a uniformly distributed value as just described for source nodes.
转发到达分组中的流标签值为零的流的节点可以更改流标签值。在这种情况下,建议转发节点将流的流标签字段设置为均匀分布的值,如刚刚针对源节点所述。
o The same considerations apply as to source hosts setting the flow label; in particular, the preferred case is that a flow is defined by the 5-tuple. However, there are cases in which the complete 5-tuple for all packets is not readily available to a forwarding node, in particular for fragmented packets. In such cases, a flow can be defined by fewer IPv6 header fields, typically using only the 2-tuple {dest addr, source addr}. There are alternative approaches that implementers could choose, such as:
o 与源主机设置流标签的注意事项相同;特别是,首选情况是流由5元组定义。然而,存在这样的情况,即所有分组的完整5元组对于转发节点不容易获得,特别是对于分段分组。在这种情况下,流可以由较少的IPv6头字段定义,通常只使用2元组{dest addr,source addr}。实施者可以选择其他方法,例如:
* A forwarding node might use the 5-tuple to define a flow whenever possible but use the 2-tuple when the complete 5-tuple is not available. In this case, unfragmented and fragmented packets belonging to the same transport session would receive different flow label values, altering the effect of subsequent load distribution based on the flow label.
* 转发节点可能会尽可能使用5元组来定义流,但如果完整的5元组不可用,则使用2元组。在这种情况下,属于同一传输会话的未分段和分段数据包将接收不同的流标签值,从而改变基于流标签的后续负载分布的效果。
* A forwarding node might use the 2-tuple to define a flow in all cases. In this case, subsequent load distribution would be based only on IP addresses.
* 转发节点可以在所有情况下使用2元组定义流。在这种情况下,后续的负载分配将仅基于IP地址。
o The option to set the flow label in a forwarding node, if implemented, would presumably be of value in first-hop or ingress routers. It might place a considerable per-packet processing load on them, even if they adopted a stateless method of flow identification and label assignment. However, it will not interfere with host-to-router load sharing [RFC4311]. It needs to be under the control of network managers, to avoid unwanted processing load and any other undesirable effects. For this reason, it MUST be a configurable option, disabled by default.
o 在转发节点中设置流标签的选项,如果实现,可能在第一跳或入口路由器中具有价值。即使它们采用流标识和标签分配的无状态方法,也可能会给每个数据包带来相当大的处理负载。但是,它不会干扰主机到路由器的负载共享[RFC4311]。它需要在网络管理员的控制下,以避免不必要的处理负载和任何其他不良影响。因此,它必须是一个可配置选项,默认情况下禁用。
The preceding rules taken together allow a given network to include routers that set flow labels on behalf of hosts that do not do so. The complications described explain why the principal recommendation is that the source hosts should set the label.
前面的规则结合在一起允许给定的网络包括代表不这样做的主机设置流标签的路由器。所描述的复杂性解释了为什么主要建议源主机设置标签。
A node that sets the flow label MAY also take part in a flow state establishment method that results in assigning specific treatments to specific flows, possibly including signaling. Any such method MUST NOT disturb nodes taking part in the stateless scenario just described. Thus, any node that sets flow label values according to a stateful scheme MUST choose labels that conform to Section 3 of this specification. Further details are not discussed in this document.
设置流标签的节点还可以参与流状态建立方法,该方法导致将特定处理分配给特定流,可能包括信令。任何这样的方法都不能干扰参与刚才描述的无状态场景的节点。因此,根据有状态方案设置流标签值的任何节点必须选择符合本规范第3节的标签。本文件不讨论更多细节。
[RFC2460] reduced the size of the flow label field from 24 to 20 bits. The references to a 24-bit flow label field in Section A.9 of [RFC2205] are updated accordingly.
[RFC2460]将流量标签字段的大小从24位减小到20位。[RFC2205]第a.9节中对24位流量标签字段的引用相应更新。
This section considers security issues raised by the use of the Flow Label, including the potential for denial-of-service attacks and the related potential for theft of service by unauthorized traffic (Section 6.2). Section 6.3 addresses the use of the Flow Label in
本节考虑使用流量标签引起的安全问题,包括拒绝服务攻击的可能性和未经授权流量窃取服务的相关可能性(第6.2节)。第6.3节介绍了在中使用流量标签
the presence of IPsec, including its interaction with IPsec tunnel mode and other tunneling protocols. We also note that inspection of unencrypted Flow Labels may allow some forms of traffic analysis by revealing some structure of the underlying communications. Even if the flow label was encrypted, its presence as a constant value in a fixed position might assist traffic analysis and cryptoanalysis.
IPsec的存在,包括其与IPsec隧道模式和其他隧道协议的交互。我们还注意到,通过检查未加密的流标签,可以通过揭示底层通信的某些结构来进行某种形式的流量分析。即使流标签是加密的,它在固定位置作为常量存在也可能有助于流量分析和密码分析。
The flow label is not protected in any way, even if IPsec authentication [RFC4302] is in use, so it can be forged by an on-path attacker. Implementers are advised that any en-route change to the flow label value is undetectable. On the other hand, a uniformly distributed pseudo-random flow label cannot be readily guessed by an attacker; see [LABEL-SEC] for further discussion. If a hash algorithm is used, as suggested in Section 3, it SHOULD include a step that makes the flow label value significantly difficult to predict [RFC4086], even with knowledge of the algorithm being used.
即使正在使用IPsec身份验证[RFC4302],流标签也不会受到任何保护,因此路径上的攻击者可以伪造流标签。建议实施者,对流标签值的任何中途更改都是不可检测的。另一方面,攻击者无法轻易猜测均匀分布的伪随机流标签;有关进一步的讨论,请参见[LABEL-SEC]。如第3节所述,如果使用散列算法,则应包括一个使流标签值难以预测的步骤[RFC4086],即使知道所使用的算法也是如此。
The flow label could be used as a covert data channel, since apparently pseudo-random flow label values could, in fact, consist of covert data [NSA]. This could, for example, be achieved using a series of otherwise innocuous UDP packets whose flow label values constitute a covert message, or by co-opting a TCP session to carry a covert message in the flow labels of successive packets. Both of these could be recognized as suspicious -- the first because isolated UDP packets would not normally be expected to have non-zero flow labels, and the second because the flow label values in a given TCP session should all be equal. However, other methods, such as co-opting the flow labels of occasional packets, might be rather hard to detect.
流标签可以用作隐蔽数据通道,因为表面上的伪随机流标签值实际上可能包含隐蔽数据[NSA]。例如,这可以通过使用一系列无害的UDP数据包实现,这些数据包的流标签值构成隐蔽消息,或者通过选择TCP会话在连续数据包的流标签中携带隐蔽消息。这两种情况都可能被认为是可疑的——第一个原因是通常不希望孤立的UDP数据包具有非零流标签,第二个原因是给定TCP会话中的流标签值都应该相等。然而,其他方法,例如选择偶然数据包的流标签,可能很难检测到。
In situations where the covert channel risk is considered significant, the only certain defense is for a firewall to rewrite non-zero flow labels. This would be an exceptional violation of the rule that the flow label, once set to a non-zero value, must not be changed. To preserve load distribution capability, such a firewall SHOULD rewrite labels by following the method described for a forwarding node (see Section 3), as if the incoming label value were zero, and MUST NOT set non-zero flow labels to zero. This behavior is nevertheless undesirable, since (as discussed in Section 3) only source nodes have straightforward access to the complete 5-tuple.
在隐蔽通道风险被认为是重大的情况下,唯一确定的防御措施是防火墙重写非零流量标签。这将是对规则的例外违反,即流标签一旦设置为非零值,就不能更改。为了保持负载分配能力,这样的防火墙应该按照为转发节点描述的方法(参见第3节)重写标签,就像传入标签值为零一样,并且不能将非零流标签设置为零。然而,这种行为是不可取的,因为(如第3节所讨论的)只有源节点可以直接访问完整的5元组。
Since the mapping of network traffic to flow-specific treatment is triggered by the IP addresses and Flow Label value of the IPv6 header, an adversary may be able to obtain a class of service that
由于网络通信量到流特定处理的映射是由IPv6报头的IP地址和流标签值触发的,因此对手可能能够获得
the network did not intend to provide by modifying the IPv6 header or by injecting packets with false addresses and/or labels. A concrete analysis of this threat is only possible for specific stateful methods of signaling and using the flow label, which are out of scope for this document. Clearly, a full analysis will be required when any such method is specified, but in general, networks SHOULD NOT make resource allocation decisions based on flow labels without some external means of assurance.
网络不打算通过修改IPv6报头或注入带有虚假地址和/或标签的数据包来提供。对这种威胁的具体分析仅适用于特定的有状态方法,即发送信号和使用流标签,这超出了本文档的范围。显然,当指定任何此类方法时,都需要进行全面分析,但一般来说,如果没有一些外部保证手段,网络不应基于流标签做出资源分配决策。
A denial-of-service attack [RFC4732] becomes possible in the stateless model when the modified or injected traffic depletes the resources available to forward it and other traffic streams. If a denial-of-service attack were undertaken against a given Flow Label (or set of Flow Labels), then traffic containing an affected Flow Label might well experience worse-than-best-effort network performance.
在无状态模型中,当修改或注入的流量耗尽可用于转发该流量和其他流量流的资源时,可能会发生拒绝服务攻击[RFC4732]。如果对给定的流标签(或一组流标签)进行拒绝服务攻击,则包含受影响流标签的流量可能会比尽力而为的网络性能更差。
Note that since the treatment of IP headers by nodes is typically unverified, there is no guarantee that flow labels sent by a node are set according to the recommendations in this document. A man-in-the-middle or injected-traffic denial-of-service attack specifically directed at flow label handling would involve setting unusual flow labels. For example, an attacker could set all flow labels reaching a given router to the same arbitrary non-zero value or could perform rapid cycling of flow label values such that the packets of a given flow will each have a different value. Either of these attacks would cause a stateless load distribution algorithm to perform badly and would cause a stateful classifier to behave incorrectly. For this reason, stateless classifiers should not use the flow label alone to control load distribution, and stateful classifiers should include explicit methods to detect and ignore suspect flow label values.
请注意,由于节点对IP头的处理通常未经验证,因此不能保证节点发送的流标签是根据本文档中的建议设置的。专门针对流量标签处理的中间人或注入式流量拒绝服务攻击将涉及设置异常流量标签。例如,攻击者可以将到达给定路由器的所有流标签设置为相同的任意非零值,或者可以执行流标签值的快速循环,以便给定流的每个数据包都具有不同的值。这两种攻击中的任何一种都会导致无状态负载分配算法性能不佳,并导致有状态分类器行为不正确。因此,无状态分类器不应单独使用流标签来控制负载分布,而有状态分类器应包括检测和忽略可疑流标签值的显式方法。
Since flows are identified by the 3-tuple of the Flow Label and the Source and Destination Address, the risk of denial of service introduced by the Flow Label is closely related to the risk of denial of service by address spoofing. An adversary who is in a position to forge an address is also likely to be able to forge a label, and vice versa.
由于流由流标签的3元组以及源地址和目标地址标识,因此流标签引入的拒绝服务风险与地址欺骗导致的拒绝服务风险密切相关。能够伪造地址的对手也可能伪造标签,反之亦然。
There are two issues with different properties: spoofing of the Flow Label only and spoofing of the whole 3-tuple, including Source and Destination Address.
有两个具有不同属性的问题:仅欺骗流标签和欺骗整个3元组,包括源地址和目标地址。
The former can be done inside a node that is using or transmitting the correct source address. The ability to spoof a Flow Label typically implies being in a position to also forge an address, but
前者可以在使用或传输正确源地址的节点内完成。欺骗流标签的能力通常意味着能够伪造地址,但是
in many cases, spoofing an address may not be interesting to the spoofer, especially if the spoofer's goal is theft of service rather than denial of service.
在许多情况下,欺骗者可能对欺骗地址不感兴趣,尤其是当欺骗者的目标是窃取服务而不是拒绝服务时。
The latter can be done by a host that is not subject to ingress filtering [RFC2827] or by an intermediate router. Due to its properties, this is typically useful only for denial of service. In the absence of ingress filtering, almost any third party could instigate such an attack.
后者可以由不受入口过滤[RFC2827]约束的主机或中间路由器完成。由于其特性,这通常仅对拒绝服务有用。在没有入口过滤的情况下,几乎任何第三方都可以发起此类攻击。
In the presence of ingress filtering, forging a non-zero Flow Label on packets that originated with a zero label, or modifying or clearing a label, could only occur if an intermediate system such as a router was compromised, or through some other form of man-in-the-middle attack.
在存在入口过滤的情况下,只有当中间系统(如路由器)受到破坏或通过某种其他形式的中间人攻击时,才能在源于零标签的数据包上伪造非零流标签,或修改或清除标签。
The IPsec protocol, as defined in [RFC4301], [RFC4302], and [RFC4303], does not include the IPv6 header's Flow Label in any of its cryptographic calculations (in the case of tunnel mode, it is the outer IPv6 header's Flow Label that is not included). Hence, modification of the Flow Label by a network node has no effect on IPsec end-to-end security, because it cannot cause any IPsec integrity check to fail. As a consequence, IPsec does not provide any defense against an adversary's modification of the Flow Label (i.e., a man-in-the-middle attack).
[RFC4301]、[RFC4302]和[RFC4303]中定义的IPsec协议在其任何加密计算中不包括IPv6标头的流标签(在隧道模式下,不包括外部IPv6标头的流标签)。因此,网络节点修改流标签对IPsec端到端安全性没有影响,因为它不会导致任何IPsec完整性检查失败。因此,IPsec不会针对对手修改流标签(即中间人攻击)提供任何防御。
IPsec tunnel mode provides security for the encapsulated IP header's Flow Label. A tunnel mode IPsec packet contains two IP headers: an outer header supplied by the tunnel ingress node and an encapsulated inner header supplied by the original source of the packet. When an IPsec tunnel is passing through nodes performing flow classification, the intermediate network nodes operate on the Flow Label in the outer header. At the tunnel egress node, IPsec processing includes removing the outer header and forwarding the packet (if required) using the inner header. The IPsec protocol requires that the inner header's Flow Label not be changed by this decapsulation processing to ensure that modifications to the label cannot be used to launch theft- or denial-of-service attacks across an IPsec tunnel endpoint. This document makes no change to that requirement; indeed, it forbids changes to the Flow Label.
IPsec隧道模式为封装的IP头的流标签提供安全性。隧道模式IPsec数据包包含两个IP报头:由隧道入口节点提供的外部报头和由数据包原始源提供的封装内部报头。当IPsec隧道通过执行流分类的节点时,中间网络节点在外部报头中的流标签上操作。在隧道出口节点处,IPsec处理包括移除外部报头和使用内部报头转发分组(如果需要)。IPsec协议要求此解除封装处理不会更改内部标头的流标签,以确保对标签的修改不能用于跨IPsec隧道端点发起盗窃或拒绝服务攻击。本文件未对该要求进行任何更改;实际上,它禁止更改流标签。
When IPsec tunnel egress decapsulation processing includes a sufficiently strong cryptographic integrity check of the encapsulated packet (where sufficiency is determined by local security policy), the tunnel egress node can safely assume that the Flow Label in the inner header has the same value it had at the tunnel ingress node.
当IPsec隧道出口解除封装处理包括对封装的分组进行足够强的密码完整性检查(其中充分性由本地安全策略确定)时,隧道出口节点可以安全地假定内部报头中的流标签具有与在隧道入口节点处相同的值。
This analysis and its implications apply to any tunneling protocol that performs integrity checks. Of course, any Flow Label set in an encapsulating IPv6 header is subject to the risks described in the previous section.
此分析及其含义适用于执行完整性检查的任何隧道协议。当然,在封装IPv6标头中设置的任何流标签都会受到上一节所述风险的影响。
The Flow Label does nothing to eliminate the need for packet filtering based on headers past the IP header if such filtering is deemed necessary for security reasons on nodes such as firewalls or filtering routers.
如果出于安全原因,在防火墙或过滤路由器等节点上认为有必要进行基于经过IP报头的报头的包过滤,则流标签不会消除这种需要。
The main differences between this specification and its predecessor [RFC3697] are as follows:
本规范与其前身[RFC3697]之间的主要区别如下:
o This specification encourages non-zero flow label values to be used and clearly defines how to set a non-zero value.
o 本规范鼓励使用非零流量标签值,并明确定义如何设置非零值。
o This specification encourages a stateless model with uniformly distributed flow label values.
o 本规范鼓励使用具有均匀分布的流标签值的无状态模型。
o This specification does not specify any details of a stateful model.
o 本规范未指定有状态模型的任何详细信息。
o This specification retains the rule that the flow label must not be changed en route but allows routers to set the label on behalf of hosts that do not do so.
o 本规范保留了在路由过程中不得更改流标签的规则,但允许路由器代表不更改流标签的主机设置流标签。
o This specification discusses the covert channel risk and its consequences for firewalls.
o 本规范讨论隐蔽通道风险及其对防火墙的影响。
For further details, see [RFC6436].
有关更多详细信息,请参阅[RFC6436]。
Valuable comments and contributions were made by Jari Arkko, Ran Atkinson, Fred Baker, Richard Barnes, Steve Blake, Tassos Chatzithomaoglou, Remi Despres, Alan Ford, Fernando Gont, Brian Haberman, Tony Hain, Joel Halpern, Qinwen Hu, Chris Morrow, Thomas Narten, Mark Smith, Pascal Thubert, Iljitsch van Beijnum, and other participants in the 6man working group.
贾里·阿尔科、冉·阿特金森、弗雷德·贝克、理查德·巴恩斯、史蒂夫·布莱克、塔索斯·查齐托马奥格鲁、雷米·德普雷斯、艾伦·福特、费尔南多·冈特、布赖恩·哈伯曼、托尼·海恩、乔尔·哈尔伯恩、胡钦文、克里斯·莫罗、托马斯·纳滕、马克·史密斯、帕斯卡尔·苏伯特、伊尔吉奇·范·贝纳姆、,以及6人工作组的其他参与者。
Cristian Calude suggested the von Neumann algorithm in Appendix A. David Malone and Donald Eastlake gave additional input about hash algorithms.
克里斯蒂安·卡洛德在附录A中提出了冯·诺依曼算法。戴维·马龙和唐纳德·伊斯特莱克对哈希算法给出了补充意见。
Steve Deering and Alex Conta were co-authors of RFC 3697, on which this document is based.
Steve Deering和Alex Conta是RFC 3697的共同作者,本文档以此为基础。
Contributors to the original development of RFC 3697 included Ran Atkinson, Steve Blake, Jim Bound, Francis Dupont, Robert Elz, Tony Hain, Robert Hancock, Bob Hinden, Christian Huitema, Frank Kastenholz, Thomas Narten, Charles Perkins, Pekka Savola, Hesham Soliman, Michael Thomas, Margaret Wasserman, and Alex Zinin.
RFC3697最初开发的贡献者包括:冉·阿特金森、史蒂夫·布莱克、吉姆·邦德、弗朗西斯·杜邦、罗伯特·埃尔兹、托尼·海恩、罗伯特·汉考克、鲍勃·欣登、克里斯蒂安·惠特马、弗兰克·卡斯滕霍尔茨、托马斯·纳滕、查尔斯·珀金斯、佩卡·萨沃拉、赫萨姆·索利曼、迈克尔·托马斯、玛格丽特·瓦瑟曼和亚历克斯·津宁。
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。
[RFC2205] Braden, B., Zhang, L., Berson, S., Herzog, S., and S. Jamin, "Resource ReSerVation Protocol (RSVP) -- Version 1 Functional Specification", RFC 2205, September 1997.
[RFC2205]Braden,B.,Zhang,L.,Berson,S.,Herzog,S.,和S.Jamin,“资源预留协议(RSVP)——第1版功能规范”,RFC 22052997年9月。
[RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", RFC 2460, December 1998.
[RFC2460]Deering,S.和R.Hinden,“互联网协议,第6版(IPv6)规范”,RFC 2460,1998年12月。
[RFC4086] Eastlake, D., Schiller, J., and S. Crocker, "Randomness Requirements for Security", BCP 106, RFC 4086, June 2005.
[RFC4086]Eastlake,D.,Schiller,J.,和S.Crocker,“安全的随机性要求”,BCP 106,RFC 4086,2005年6月。
[LABEL-SEC] Gont, F., "Security Assessment of the IPv6 Flow Label", Work in Progress, November 2010.
[LABEL-SEC]Gont,F.,“IPv6流标签的安全评估”,正在进行的工作,2010年11月。
[NSA] Potyraj, C., "Firewall Design Considerations for IPv6", National Security Agency I733-041R-2007, 2007, <http://www.nsa.gov/ia/_files/ipv6/I733-041R-2007.pdf>.
[NSA]Potyraj,C.,“IPv6的防火墙设计考虑”,国家安全局I733-041R-2007,2007<http://www.nsa.gov/ia/_files/ipv6/I733-041R-2007.pdf>.
[RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", BCP 38, RFC 2827, May 2000.
[RFC2827]Ferguson,P.和D.Senie,“网络入口过滤:击败利用IP源地址欺骗的拒绝服务攻击”,BCP 38,RFC 2827,2000年5月。
[RFC3697] Rajahalme, J., Conta, A., Carpenter, B., and S. Deering, "IPv6 Flow Label Specification", RFC 3697, March 2004.
[RFC3697]Rajahalme,J.,Conta,A.,Carpenter,B.,和S.Deering,“IPv6流标签规范”,RFC 36972004年3月。
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, December 2005.
[RFC4301]Kent,S.和K.Seo,“互联网协议的安全架构”,RFC 43012005年12月。
[RFC4302] Kent, S., "IP Authentication Header", RFC 4302, December 2005.
[RFC4302]Kent,S.,“IP认证头”,RFC43022005年12月。
[RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 4303, December 2005.
[RFC4303]Kent,S.,“IP封装安全有效载荷(ESP)”,RFC 4303,2005年12月。
[RFC4311] Hinden, R. and D. Thaler, "IPv6 Host-to-Router Load Sharing", RFC 4311, November 2005.
[RFC4311]Hinden,R.和D.Thaler,“IPv6主机到路由器负载共享”,RFC 4311,2005年11月。
[RFC4732] Handley, M., Rescorla, E., and IAB, "Internet Denial-of-Service Considerations", RFC 4732, December 2006.
[RFC4732]Handley,M.,Rescorla,E.,和IAB,“互联网拒绝服务注意事项”,RFC 4732,2006年12月。
[RFC5971] Schulzrinne, H. and R. Hancock, "GIST: General Internet Signalling Transport", RFC 5971, October 2010.
[RFC5971]Schulzrinne,H.和R.Hancock,“要点:通用互联网信号传输”,RFC 59712010年10月。
[RFC6436] Amante, S., Carpenter, B., and S. Jiang, "Rationale for Update to the IPv6 Flow Label Specification", RFC 6436, November 2011.
[RFC6436]Amante,S.,Carpenter,B.,和S.Jiang,“更新IPv6流标签规范的基本原理”,RFC 64362011年11月。
[RFC6438] Carpenter, B. and S. Amante, "Using the IPv6 Flow Label for Equal Cost Multipath Routing and Link Aggregation in Tunnels", RFC 6438, November 2011.
[RFC6438]Carpenter,B.和S.Amante,“在隧道中使用IPv6流标签进行等成本多路径路由和链路聚合”,RFC 6438,2011年11月。
[vonNeumann] von Neumann, J., "Various techniques used in connection with random digits", National Bureau of Standards Applied Math Series 12, 36-38, 1951.
[vonNeumann]von Neumann,J.,“与随机数字相关的各种技术”,国家标准局应用数学系列12,36-381951年。
As mentioned in Section 3, a stateless hash function may be used to generate a flow label value from an IPv6 packet's 5-tuple. It is not trivial to choose a suitable hash function, and it is expected that extensive practical experience will be required to identify the best choices. An example function, based on an algorithm by von Neumann known to produce an approximately uniform distribution [vonNeumann], follows. For each packet for which a flow label must be generated, execute the following steps:
如第3节所述,无状态哈希函数可用于从IPv6数据包的5元组生成流标签值。选择一个合适的散列函数并非易事,而且需要大量的实践经验来确定最佳选择。下面是一个基于冯·诺依曼(von Neumann)算法的示例函数,该算法产生近似均匀分布[vonNeumann]。对于必须为其生成流标签的每个数据包,执行以下步骤:
1. Split the destination and source addresses into two 64-bit values each, thus transforming the 5-tuple into a 7-tuple.
1. 将目标地址和源地址分别拆分为两个64位的值,从而将5元组转换为7元组。
2. Add the following five components together using unsigned 64-bit arithmetic, discarding any carry bits: both parts of the source address, both parts of the destination address, and the protocol number.
2. 使用无符号64位算术将以下五个组件相加,丢弃任何进位:源地址的两部分、目标地址的两部分和协议号。
3. Apply the von Neumann algorithm to the resulting string of 64 bits:
3. 将von Neumann算法应用于生成的64位字符串:
1. Starting at the least significant end, select two bits.
1. 从最低有效端开始,选择两位。
2. If the two bits are 00 or 11, discard them.
2. 如果两位为00或11,则丢弃它们。
3. If the two bits are 01, output a 0 bit.
3. 如果两位为01,则输出一个0位。
4. If the two bits are 10, output a 1 bit.
4. 如果两位为10,则输出1位。
5. Repeat with the next two bits in the input 64-bit string.
5. 重复输入64位字符串中的下两位。
6. Stop when 16 bits have been output (or when the 64-bit string is exhausted).
6. 输出16位时停止(或64位字符串用尽时停止)。
4. Add the two port numbers to the resulting 16-bit number.
4. 将两个端口号添加到生成的16位编号中。
5. Shift the resulting value 4 bits left, and mask with 0xfffff.
5. 将结果值向左移位4位,并用0xfffff屏蔽。
6. In the highly unlikely event that the result is exactly zero, set the flow label arbitrarily to the value 1.
6. 如果结果恰好为零,则极不可能将流标签任意设置为值1。
Note that this simple example does not include a step to prevent predictability, as recommended in Section 6.
请注意,这个简单的示例不包括第6节中建议的防止可预测性的步骤。
Authors' Addresses
作者地址
Shane Amante Level 3 Communications, LLC 1025 Eldorado Blvd Broomfield, CO 80021 USA
美国科罗拉多州布鲁姆菲尔德埃尔多拉多大道1025号Shane Amante三级通信有限责任公司,邮编80021
EMail: shane@level3.net
EMail: shane@level3.net
Brian Carpenter Department of Computer Science University of Auckland PB 92019 Auckland 1142 New Zealand
Brian Carpenter奥克兰大学计算机系,奥克兰92019,新西兰1142
EMail: brian.e.carpenter@gmail.com
EMail: brian.e.carpenter@gmail.com
Sheng Jiang Huawei Technologies Co., Ltd Q14, Huawei Campus No.156 Beiqing Road Hai-Dian District, Beijing 100095 P.R. China
中国北京海淀区北青路156号华为校区盛江华为技术有限公司Q14,邮编100095
EMail: jiangsheng@huawei.com
EMail: jiangsheng@huawei.com
Jarno Rajahalme Nokia Siemens Networks Linnoitustie 6 02600 Espoo Finland
雅诺·拉贾哈尔梅诺基亚西门子网络公司芬兰埃斯波6 02600
EMail: jarno.rajahalme@nsn.com
EMail: jarno.rajahalme@nsn.com