From: cinap_lenrek@felloff.net
To: 9front@9front.org
Date: Sun, 26 Nov 2023 14:28:26 +0100
Subject: Re: [9front] [PATCH] ipv6 flow label support
Message-ID: <5F4CACE5910AE9C5EE598E758406DBD0@felloff.net>
In-Reply-To: <129284489.2689159.1700948992100@comcenter.netcologne.de>

the more i learn about the ipv6 flow-label the more of a rabbit hole it becomes.

so it seems that some load-balancer people actually don't use the flowlabel anymore because of middle boxes filling in random flowlabels across the same tcp session, breaking the whole scheme. [1]

then linux implements crazy flow-label changes during tcp retransmission timeouts to work around broken paths in load balancers to switch to a different path. [2]

more concerning is the use of flow labels to generate a unique per device id independent of the protocols and ip addresses used, as windows and linux have used keyed hash functions that have been shown to be reversible, as the 5-tuple hash input is known by an observer and you can extract the static key used for the hashing and use that to identify the device across different ip addresses and protocols. [3]

[1] https://blog.apnic.net/2018/01/11/ipv6-flow-label-misuse-hashing/
[2] https://datatracker.ietf.org/meeting/111/materials/slides-111-rtgwg-sessb-3-selfhealing-network-01
[3] https://ieeexplore.ieee.org/stampPDF/getPDF.jsp?tp=&arnumber=9152759&ref=

arne, is there any particular REASON why we should not just put ZERO in the flow-label field and pretend flow-labels don't exist? this thing seems to have caused enough damage to the ipv6 internet.

--
cinap
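Added example, not part of the message above or of the 9front patch: a C check for the first problem described, a flow label that changes within one tcp session. It reads the 20-bit label from each IPv6 header and counts packets whose label differs from the first one seen on the same addresses and ports. The names mkpkt and labelchanges are hypothetical, the sample packets are constructed, and it assumes the tcp header directly follows the fixed IPv6 header (no extension headers).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { Pktlen = 44, Nflow = 16 };	/* 40-byte IPv6 header + TCP port pair */

/* flow label: low 20 bits of the first 32-bit header word (RFC 8200) */
uint32_t flowlabel(const uint8_t *p)
{
	return ((uint32_t)(p[1] & 0x0f) << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* constructed sample packet: TCP, 2001:db8::1 -> 2001:db8::2, dport 80 */
void mkpkt(uint8_t *p, uint32_t label, uint16_t sport)
{
	memset(p, 0, Pktlen);
	p[0] = 0x60; p[1] = (label >> 16) & 0x0f; p[2] = (label >> 8) & 0xff; p[3] = label & 0xff;
	p[8] = p[24] = 0x20; p[9] = p[25] = 0x01; p[10] = p[26] = 0x0d; p[11] = p[27] = 0xb8;
	p[6] = 6; p[23] = 1; p[39] = 2;		/* next header TCP, ::1 and ::2 */
	p[40] = sport >> 8; p[41] = sport & 0xff; p[43] = 80;
}

/* count packets whose label differs from the first seen on the same flow */
int labelchanges(uint8_t pkts[][Pktlen], int npkt)
{
	uint8_t key[Nflow][36], *p;	/* key: src, dst, sport, dport */
	uint32_t label[Nflow];
	int i, j, nflow = 0, nchg = 0;

	for(i = 0; i < npkt; i++){
		p = pkts[i];
		if((p[0] >> 4) != 6 || p[6] != 6)	/* not plain TCP over IPv6 */
			continue;
		for(j = 0; j < nflow && memcmp(key[j], p+8, 36) != 0; j++)
			;
		if(j < nflow)
			nchg += flowlabel(p) != label[j];
		else if(nflow < Nflow){		/* flows past Nflow are not tracked */
			memcpy(key[nflow], p+8, 36);
			label[nflow++] = flowlabel(p);
		}
	}
	return nchg;
}

int main(void)
{
	uint8_t pk[2][Pktlen];
	mkpkt(pk[0], 0xabcde, 40000);
	mkpkt(pk[1], 0x12345, 40000);	/* same flow, label rewritten in transit */
	printf("label changes: %d\n", labelchanges(pk, 2));
	return 0;
}
```

A sender that always writes zero into the field yields a count of zero at the sender; a non-zero count at the receiver then means something on the path filled the label in.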