9front - general discussion about 9front
From: cinap_lenrek@felloff.net
To: 9front@9front.org
Subject: Re: [9front] [PATCH] ipv6 flow label support
Date: Sun, 26 Nov 2023 14:28:26 +0100
Message-ID: <5F4CACE5910AE9C5EE598E758406DBD0@felloff.net>
In-Reply-To: <129284489.2689159.1700948992100@comcenter.netcologne.de>

the more i learn about the ipv6 flow-label the more
of a rabbit hole it becomes.

so it seems that some load-balancer people actually don't
use the flowlabel anymore because of middle boxes
filling in random flowlabels across the same tcp
session, breaking the whole scheme. [1]

then linux implements crazy flow-label changes during
tcp retransmission timeouts to work around broken
paths in load balancers to switch to a different path. [2]

more concerning is the use of flow labels to generate
a unique per device id independent of the protocols
and ip addresses used, as windows and linux have used
keyed hash functions that have been shown to be reversible
as the 5-tuple hash input is known by an observer
and you can extract the static key used for the hashing
and use that to identify the device across different
ip addresses and protocols. [3]

[1] https://blog.apnic.net/2018/01/11/ipv6-flow-label-misuse-hashing/
[2] https://datatracker.ietf.org/meeting/111/materials/slides-111-rtgwg-sessb-3-selfhealing-network-01
[3] https://ieeexplore.ieee.org/stampPDF/getPDF.jsp?tp=&arnumber=9152759&ref=

arne, is there any particular REASON why we should
not just put ZERO in the flow-label field and pretend
flow-labels don't exist?

this thing seems to have caused enough damage to
the ipv6 internet.

--
cinap


Thread overview: 9+ messages
2023-11-25 18:27 Arne Meyer
2023-11-25 20:46 ` cinap_lenrek
2023-11-25 20:51 ` cinap_lenrek
2023-11-25 21:03   ` Arne Meyer
2023-11-25 21:05 ` cinap_lenrek
2023-11-25 21:49   ` Arne Meyer
2023-11-26 13:28     ` cinap_lenrek [this message]
2023-11-27 19:17       ` Arne Meyer
2023-11-26 16:51     ` ori
