This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
Traditionally, flow classifiers have been based on the 5-tuple of the source and destination addresses, ports, and the transport protocol type. However, some of these fields may not be available due to either fragmentation or encryption, or locating them past a chain of IPv6 option headers may be inefficient. Furthermore, if classifiers depend only on IP layer headers, later introduction of alternative transport layer protocols becomes relatively easier.
The usage of the 3-tuple of the Flow Label and the Source and Destination Address fields enables efficient IPv6 flow classification, where only IPv6 main header fields in fixed positions are used.
The minimum level of IPv6 flow support consists of labeling the flows. IPv6 source nodes supporting the flow labeling MUST be able to label known flows (e.g., TCP connections, application streams), even if the node itself would not require any flow-specific treatment. Doing this enables load spreading and receiver oriented resource reservations, for example.
The Flow Label Field was created to provide additional support for real-time datagram delivery and quality of service features. The concept of a flow is defined as a sequence of datagrams sent from a source device to one or more destination devices. A unique flow label is used to identify all the datagrams in a particular flow, so that routers between the source and destination all handle them the same way, to help ensure uniformity in how the datagrams in the flow are delivered. For example, if a video stream is being sent across an IP internetwork, the datagrams containing the stream could be identified with a flow label to ensure that they are delivered with minimal latency.
Not all devices and routers may support flow label handling, and use of the field by a source device is entirely optional. Also, the field is still somewhat experimental and may be refined over time.
IPv6 Flow Label Specification
The 20-bit Flow Label field in the IPv6 header is used by a source to label packets of a flow. A Flow Label of zero is used to indicate packets not part of any flow. Packet classifiers use the triplet of Flow Label, Source Address, and Destination Address fields to identify which flow a particular packet belongs to. Packets are processed in a flow-specific manner by the nodes that have been set up with flow-specific state. The nature of the specific treatment and the methods for the flow state establishment are out of scope for this specification. The Flow Label value set by the source MUST be delivered unchanged to the destination node(s). IPv6 nodes MUST NOT assume any mathematical or other properties of the Flow Label values assigned by source nodes. Router performance SHOULD NOT be dependent on the distribution of the Flow Label values. Especially, the Flow Label bits alone make poor material for a hash key.
Nodes keeping dynamic flow state MUST NOT assume packets arriving 120 seconds or more after the previous packet of a flow still belong to the same flow, unless a flow state establishment method in use defines a longer flow state lifetime or the flow state has been explicitly refreshed within the lifetime duration.
The use of the Flow Label field does not necessarily signal any requirement on packet reordering. Especially, the zero label does not imply that significant reordering is acceptable.
If an IPv6 node is not providing flow-specific treatment, it MUST ignore the field when receiving or forwarding a packet.
Flow Labeling Requirements
To enable Flow Label based classification, source nodes SHOULD assign each unrelated transport connection and application data stream to a new flow. The source node MAY also take part in flow state establishment methods that result in assigning certain packets to specific flows. A source node which does not assign traffic to flows MUST set the Flow Label to zero.
To enable applications and transport protocols to define what packets constitute a flow, the source node MUST provide means for the applications and transport protocols to specify the Flow Label values to be used with their flows. The use of the means to specify Flow Label values is depends on appropriate privileges. The source node SHOULD be able to select unused Flow Label values for flows not requesting a specific value to be used.
A source node MUST make sure that it does not accidentally make reuse of Flow Label values it is currently using or has recently used when creating new flows. Flow Label values previously used with a specific pair of source and destination addresses MUST NOT be assigned to new flows with the same address pair within 120 seconds of the termination of the previous flow. The source node SHOULD provide the means for the applications and transport protocols to specify quarantine periods longer than the default 120 seconds for individual flows.
To avoid unintentional Flow Label value reuse, the source node SHOULD select new Flow Label values in a well-defined sequence (e.g., sequential or pseudo-random) and use an initial value that avoids reuse of recently used Flow Label values each time the system restarts. The initial value SHOULD be derived from a previous value stored in non-volatile memory, or in the absence of such history, a randomly generated initial value using techniques that produce good randomness properties [RND] SHOULD be used.
What are the Flow State Establishment Requirements?
To enable flow-specific treatment, flow state needs to be established on all or a subset of the IPv6 nodes on the path from the source to the destination(s). The methods for the state establishment, as well as the models for flow-specific treatment will be defined in separate specifications.
To enable co-existence of different methods in IPv6 nodes, the methods MUST meet the following basic requirements:
(1) The method MUST provide the means for flow state clean-up from
the IPv6 nodes providing the flow-specific treatment. Signaling
based methods where the source node is involved are free to
specify flow state lifetimes longer than the default 120
(2) Flow state establishment methods MUST be able to recover from
the case where the requested flow state cannot be supported.
Here we take into consideration, the security issues raised by the use of the Flow Label, primarily the potential for denial-of-service attacks, and the related potential for theft of service by unauthorized traffic. We also take a look into the use of the Flow Label in the presence of IPsec including its interaction with IPsec tunnel mode and other tunneling protocols. We also note that inspection of unencrypted Flow Labels may allow some forms of traffic analysis by revealing some structure of the underlying communications. Even if the flow label were encrypted, its presence as a constant value in a fixed position might assist traffic analysis and cryptoanalysis.
Theft and Denial of Service
Since the mapping of network traffic to flow-specific treatment is triggered by the IP addresses and Flow Label value of the IPv6 header, an adversary may be able to obtain better service by modifying the IPv6 header or by injecting packets with false addresses and/or labels. Taken to its limits, such theft-of-service becomes denial-of-service attack when the modified or injected traffic depletes the resources available to forward it and other traffic streams. A curiosity is that if a DoS attack were undertaken against a given Flow Label (or set of Flow Labels), then traffic containing an affected Flow Label might well experience worse-than-best-effort network performance.
Note that since the treatment of IP headers by nodes is typically unverified, there is no guarantee that flow labels sent by a node are set according to the recommendations in this document. Therefore, any assumptions made by the network about header fields such as flow labels should be limited to the extent that the upstream nodes are explicitly trusted.
Since flows are identified by the 3-tuple of the Flow Label and the Source and Destination Address, the risk of theft or denial of service introduced by the Flow Label is closely related to the risk of theft or denial of service by address spoofing. An adversary who is in a position to forge an address is also likely to be able to forge a label, and vice versa.
There are two issues with different properties: Spoofing of the Flow Label only, and spoofing of the whole 3-tuple, including Source and Destination Address.
The former can be done inside a node which is using or transmitting the correct source address. The ability to spoof a Flow Label typically implies being in a position to also forge an address, but in many cases, spoofing an address may not be interesting to the spoofer, especially if the spoofer's goal is theft of service, rather than denial of service.
The latter can be done by a host which is not subject to ingress filtering [INGR] or by an intermediate router. Due to its properties, such is typically useful only for denial of service. In the absence of ingress filtering, almost any third party could instigate such an attack.
In the presence of ingress filtering, forging a non-zero Flow Label on packets that originated with a zero label, or modifying or clearing a label, could only occur if an intermediate system such as a router was compromised, or through some other form of man-in-the-middle attack. However, the risk is limited to traffic receiving better or worse quality of service than intended. For example, if Flow Labels are altered or cleared at random, flow classification will no longer happen as intended, and the altered packets will receive default treatment. If a complete 3-tuple is forged, the altered packets will be classified into the forged flow and will receive the corresponding quality of service; this will create a denial of service attack subtly different from one where only the addresses are forged. Because it is limited to a single flow definition, e.g., to a limited amount of bandwidth, such an attack will be more specific and at a finer granularity than a normal address-spoofing attack.
Since flows are identified by the complete 3-tuple, ingress filtering will, as noted above, mitigate part of the risk. If the source address of a packet is validated by ingress filtering, there can be a degree of trust that the packet has not transited a compromised router, to the extent that ISP infrastructure may be trusted. However, this gives no assurance that another form of man-in-the-middle attack has not occurred.
Only applications with an appropriate privilege in a sending host will be entitled to set a non-zero Flow Label. Mechanisms for this are operating system dependent. Related policy and authorization mechanisms may also be required; for example, in a multi-user host, only some users may be entitled to set the Flow Label. Such authorization issues are outside the scope of this specification.
IPsec and Tunneling Interactions
The IPsec protocol, as defined in [IPSec, AH, ESP], does not include the IPv6 header's Flow Label in any of its cryptographic calculations (in the case of tunnel mode, it is the outer IPv6 header's Flow Label that is not included). Hence modification of the Flow Label by a network node has no effect on IPsec end-to-end security, because it cannot cause any IPsec integrity check to fail. As a consequence, IPsec does not provide any defense against an adversary's modification of the Flow Label (i.e., a man-in-the-middle attack).
IPsec tunnel mode provides security for the encapsulated IP header's Flow Label. A tunnel mode IPsec packet contains two IP headers: an outer header supplied by the tunnel ingress node and an encapsulated inner header supplied by the original source of the packet. When an IPsec tunnel is passing through nodes performing flow classification, the intermediate network nodes operate on the Flow Label in the outer header. At the tunnel egress node, IPsec processing includes removing the outer header and forwarding the packet (if required) using the inner header. The IPsec protocol requires that the inner header's Flow Label not be changed by this decapsulation processing to ensure that modifications to label cannot be used to launch theft- or denial-of-service attacks across an IPsec tunnel endpoint. This document makes no change to that requirement; indeed it forbids changes to the Flow Label.
When IPsec tunnel egress decapsulation processing includes a sufficiently strong cryptographic integrity check of the encapsulated packet (where sufficiency is determined by local security policy), the tunnel egress node can safely assume that the Flow Label in the inner header has the same value as it had at the tunnel ingress node.
This analysis and its implications apply to any tunneling protocol that performs integrity checks. Of course, any Flow Label set in an encapsulating IPv6 header is subject to the risks described in the previous section.
Security Filtering Interactions
The Flow Label does nothing to eliminate the need for packet filtering based on headers past the IP header, if such filtering is deemed necessary for security reasons on nodes such as firewalls or filtering routers.
Using the Flow Label Field in IPv6
The current draft of the IPv6 specification states that every IPv6 header contains a 24-bit Flow Label. (Originally the specification called for a 28-bit Flow ID field, which included the flow label and a 4-bit priority field. The priority field is now distinct, for reasons discussed at the end of this memo).
The Flow Label is a pseudo-random number between 1 and FFFFFF (hex) that is unique when combined with the source address. The zero Flow Label is reserved to say that no Flow Label is being used. The specification requires that a source must not reuse a Flow Label value until all state information for the previous use of the Flow Label has been flushed from all routers in the internet.
The specification further requires that all datagrams with the same
(non-zero) Flow Label must have the same Destination Address, Hop-by-Hop Options header, Routing Header and Source Address contents. The notion is that by simply looking up the Flow Label in a table, the router can decide how to route and forward the datagram without examining the rest of the header.
Two Subfields of an IPv6 Flow
Flow Label Issues
The IPv6 specification originally left open a number of questions, of which these three were among the most important:
1. What should a router do if a datagram with a (non-zero)
Flow Label arrives and the router has no state for that
2. How does an internet flush old Flow Labels?
3. Which datagrams should carry (non-zero) Flow Labels?
What Does a Router Do With Flow Labels for Which It Has No State?
If a datagram with a non-zero Flow Label arrives at a router and the router discovers it has no state information for that Flow Label, what is the correct thing for the router to do?
The IPv6 specification allows routers to ignore Flow Labels and also allows for the possibility that IPv6 datagrams may carry flow setup information in their options. Unknown Flow Labels may also occur if a router crashes and loses its state. During a recovery period, the router will receive datagrams with Flow Labels it does not know, but this is arguably not an error, but rather a part of the recovery period. Finally, if the controversial suggestion that each TCP connection be assigned a separate Flow Label is adopted, it may be necessary to manage Flow Labels using an LRU cache (to avoid Flow Label cache overflow in routers), in which case an active but infrequently used flow's state may have been intentionally discarded.
In any case, it is clear that treating this situation as an error and, say dropping the datagram and sending an ICMP message, is inappropriate. Indeed, it seems likely that in most cases, simply forwarding the datagram as one would a datagram with a zero Flow Label would give better service to the flow than dropping the datagram.
Of course, there will be situations in which routing the datagram as if its Flow Label were zero will cause the wrong result. An example is a router which has two paths to the datagram's destination, one via a high-bandwidth satellite link and the other via a low-bandwidth terrestrial link. A high bandwidth flow obviously should be routed via the high-bandwidth link, but if the router loses the flow state, the router may route the traffic via the low-bandwidth link, with the potential for the flow's traffic to swamp the low-bandwidth link. It seems likely, however, these situations will be exceptions rather than the rule. So it seems reasonable to handle these situations using options that indicate that if the flow state is absent, the
datagram needs special handling. (The options may be Hop-by-Hop or only handled at some routers, depending on the flow's needs).
It would clearly be desirable to have some method for signalling to end systems that the flow state has been lost and needs to be refreshed. One possibility is to add a state-lost bit to the Flow Label field, however there is sensitivity to eating into the precious 24-bits of the field. Other possibilities include adding options to the datagram to indicate its Flow Label was unknown or sending an ICMP message back to the flow source.
In summary, the view is that the default rule should be that if a router receives a datagram with an unknown Flow Label, it treats the datagram as if the Flow Label is zero. As part of forwarding, the router will examine any hop-by-hop options and learn if the datagram requires special handling. The options could include simply the information that the datagram m is to be dropped if the Flow Label is unknown or could contain the flow state the router should have. There is clearly room here for experimentation with option design.
Flushing Old Flow Labels
The flow mechanism assumes that state associated with a given Flow Label is somehow deposited in routers, so they know how to handle datagrams that carry the Flow Label. A serious problem is how to flush Flow Labels that are no longer being used (stale Flow Labels) from the routers.
Stale Flow Labels can happen a number of ways, even if we assume that the source always sends a message deleting a Flow Label when the source finishes using a Flow. An internet may have partioned since the flow was created. Or the deletion message may be lost before reaching all routers. Furthermore, the source may crash before it can send out a Flow Label deletion message. The point here is that we cannot expect the source (or, for the same reasons, a third party) always to clear out stale Flow Labels. Rather, routers will have to find some mechanism to flush Flow Labels themselves.
The obvious mechanism is to use a timer. Routers should discard Flow Labels whose state has not been refreshed within some period of time. At the same time, a source that crashes must observe a quiet time, during which it creates no flows, until it knows that all Flow Labels from its previous life must have expired. (Sources can avoid quiet time restrictions by keeping information about active Flow Labels in stable storage that survives crashes). This is precisely how TCP initial sequence numbers are managed and it seems the same mechanism should work well for Flow Labels.
Exactly how the Flow Label and its state should be refreshed needs some study. There are two obvious options. The source could periodically send out a special refresh message (such as an RSVP Path message) to explicitly refresh the Flow Label and its state. Or, the router could treat every datagram that carries the Flow Label as an implicit refresh or sources could send explicit refresh options. The choice is between periodically handling a special update message and doing an extra computation on each datagram (namely noting in the Flow Label's entry that the Flow Label has been refreshed).
Which Datagrams Should Carry (Non-Zero) Flow Labels?
Interestingly, this is the problem on which the least progress has been made.
There were some points of basic agreement. Small exchanges of data should have a zero Flow Label, because it is not worth creating a flow for a few datagrams. Real-time flows must obviously always have a Flow Label, since flows are a primary reason Flow Labels were created. The issue is what to do with peers sending large amounts of best effort traffic (e.g., TCP connections). Some people want all long-term TCP connections to use Flow Labels, others do not.
The argument in favour of using Flow Labels on individual TCP connections is that even if the source does not request special service, a network provider's routers may be able to recognize a large amount of traffic and use the Flow Label field to establish a special route that gives the TCP connection better service (e.g., lower delay or bigger bandwidth). Another argument is to assist in efficient demux at the receiver (i.e., IP and TCP demuxing could be done once).
An argument against using Flow Labels in individual TCP connections is that it changes how we handling route caches in routers. Currently one can cache a route for a destination host, regardless of how many different sources are sending to that destination host. I.e., if five sources each have two TCP connections sending data to a server, one cache entry containing the route to the server handles all ten TCPs' traffic. Putting Flow Labels in each datagram changes the cache into a Flow Label cache, in which there is a cache entry for every TCP connection. So there's a potential for cache explosion. There are ways to alleviate this problem, such as managing the Flow Label cache as an LRU cache, in which infrequently used Flow Labels get discarded (and then recovered later). It is not clear, however, whether this will cause cache thrashing.
Observe that there is no easy compromise between these positions. One cannot, for instance, let the application decide whether to use a Flow Label. Those who want different Flow Labels for every TCP connection assume that they may optimize a route without the application's knowledge. And forcing all applications to use Flow Labels will force routing vendors to deal with the cache explosion issue, even if we later discover that we don't want to optimize individual TCP connections.
Note about the Priority Field
The original IPv6 specification combined the Priority and Flow Label fields and allowed flows to redefine the means of different values of the Priority field. During its discussions, the End-to-End group realized this meant that if a router forwarded a datagram with an unknown Flow Label it had to ignore the Priority field, because the priority values might have been redefined. (For instance, the priorities might have been inverted). The IPv6 community concluded this behavior was undesirable. Indeed, it seems likely that when the Flow Label are unknown, the router will be able to give much better service if it use the Priority field to make a more informed routing decision. So the Priority field is now a distinct field, unaffected by the Flow Label.
Flow Label Field makes packet transportation pretty well organized and consequently, Real Time Traffic gets great support and benefits from the particular field. Let us now take a deeper look into Real Time Traffic.
Real Time Traffic
Real-time traffic supports real-time interactive applications, the most prominent of which are voice and video conferencing. Both of these have users at each end of a connection who expect that what they say or do will be transmitted ââ‚¬Ëœinstantlyââ‚¬â„¢ to the other end of the connection, and the conversation will proceed as if the two parties were in the same room. Some of the most difficult aspects of real-time traffic come from this need for speed. Sometimes certain aspects of a normal data network interfere with this requirement. Consequently, the Flow Label Field is essential in Reak time Traffic.
In Packet Switched Network (PSN), "differentiated service" classification enables a network to perform different treatments on service type basis. For example, different queue processing allows the packets sent to high priority queue to be transported first and the packets sent to low priority queue to be transported after these treatments let the high priority service traffic transported with less delay and delay various compared to the low priority service traffic. Another example is in congestion control. For some "real time" traffic, it is better to drop the packets than to buffer the packets at the congestion time while for some "file download" traffic, it is better to buffer the packets and transmit later. These QoS based "differentiated service" treatments aim on for the network to meet different service requirements. Existing traffic classification scheme is to facilitate "differentiated service" treatments.
Today network traffic flows are generated by many different applications. They appears with very significant bit rate differences such as the flows yield by web browsing and stock ticks vs. the flows by video stream and file download. Experiments have shown that applying the same treatment to large flows and small flows in ECMP or LAG process conducts performance issue or uneven load balance over multi paths. If the network uses stateful method for flow placement over the paths, a huge amount of small flows add a big burden for device to handle. If the network uses stateless method (hashing) that works well on when there is a large amount of micro-flows, the flows with significant high bit rate will cause uneven load balance on the paths. This results a desire for ECMP or LAG process to perform different treatments on large flows and small flows. Thus, the large flow classification is necessary. This classification lets the network performing better load balance over ECMP or LAG, which improves network resource utilization and efficiency.
With large flow classification, the network can have several ways to perform different treatments. Appendix A of [Flow-Based-Load-Balance] gives one example. It uses hashing for all small flow placements and uses a table for large flow placements. The simulation uses the network traffic model and has shown the significant improvement on load balance when classifying a small amount of top bit rate ranked flows as large flows. The stateful large flow placement evenly distributes large flows over the paths. Other implementations can be done as well. The large flow classification also brings benefits in congestion control, i.e. just moving some large flows can release congestion condition.
IPv6 protocol contains a flow label field. [FLOW-ECMP] has specified the rule to use IPv6 flow label in ECMP operation. ECMP operation applies both IP packets and label switched packets. This draft proposes to use one bit in Traffic Class field of IPv6 protocol for large flow classification.
IPv6 Protocol and Traffic Classification
The figure below illustrates IPv6 protocol
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
Version 4-bit Internet Protocol version number = 6
Traffic Class 8-bit traffic class field
Flow Label 20-bit flow label
The 20-bit Flow Label field in the IPv6 header may be used by a source to label packets of a flow. A flow is uniquely identified by the combination of a source address and a non-zero flow label. Flow labels must be chosen (pseudo-)randomly and uniformly from the range 1 to FFFFF hex. [RFC3697] further specified that Flow Label of zero is used to indicate packets not part of any flow. Packet classifiers use the triplet of Flow Label, Source Address, and Destination Address fields to identify which flow a particular packet belongs to. Packets are processed in a flow-specific manner by the nodes that have been set up with flow-specific state.
The 8-bit Traffic Class field in the IPv6 header is available for the use by originating nodes and/or forwarding routers to identify and distinguish between different classes or priorities of IPv6 packets. There are a number of experiments in the use of the IPv4 Type of Service and/or Precedence bits to provide various forms of "differentiated service" for IP packets, other than through the use of explicit flow set-up. This implies that, in today, flow label and traffic class are used in mutually exclusive in the network. The large flow classification proposed in this draft is for enhanced ECMP process that uses both flow label field and traffic class field.
The figure above shows Flow-Aware Transport of Pseudowires in IP/MPLS Networks.
The figure above shows Advanced VPLS Load Balancing Reduces Congestion and Delay.
In IP networks, load balancing will be supported across the IP core networks using Generic Routing Encapsulation (GRE). As in IP/MPLS networks, the flow-label enable command tells the edge routers to perform hash calculations on fields in the IP header to generate a flow label. As the edge router, the Cisco Catalyst 6500 Series uses the hashing process to distribute the flows across multiple available egress interfaces. Across the IP core, GRE encapsulates the MPLS payload and tunnels pseudowire traffic over the network (MPLS over GRE). In this case, instead of an additional flow label being added, the flow label is inserted in the (optional) Key field of the GRE header. Load balancing across IP networks using GRE will be supported in a future release.
Here is an example of Avanced VPLS Configuration
It introduces flow load balancing and flow-label imposition together with the compact virtual Ethernet configuration commands.
! enable load-balancing on the edge router based on ECMP
! enable load balancing across the network core
! using flow labels
interface virtual-ethernet 1
! transport configuration
transport vpls mesh
neighbor 188.8.131.52 pw-class cl1
neighbor 184.108.40.206 pw-class cl1
! service configuration
switchport mode trunk
switchport trunk allowed vlan 10, 20