Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Networking

Flow Label Filtering Feasibility Orla McGann and David Malone December 2005 1

advertisement 
Flow Label Filtering Feasibility
Orla McGann and David Malone
December 2005
1
Stateful filtering
• Packet filter examines each packet.
• Originally done in isolation.
• Stateful stored stuff about network state.
• Does IPv6 offer anything new.
2
IPv4 Header
Version
Head Len
ToS
Total Length
4 bit
4 bit
8 bit
16 bit
ID
Flags
Frag Offset
16 bit
3 bit
13 bit
Time to Live
Protocol
Header Checksum
8 bit
8 bit
16 bit
Source Address (32 bit)
Destination Address (32 bit)
Options — variable
3
IPv6 header
Version
Traffic Class
Flow Label
4 bit
8 bit
20 bit
Payload Length
Next Header
Hop Limit
16 bit
8 bit
8 bit
Source
Address
128 bit
Destination
Address
128 bit
4
Proposal
• Filter on flow label.
• Learn one direction from SYN.
• Learn other from SYN/ACK.
• Requires flowlabel to be fixed.
• Currently supposed to be immutable.
5
Is it actually constant?
• Measure how host/net behaves.
• Initial ad hoc testing.
• Gather list of IPv6 web servers.
• Fetch page and monitor flow label.
6
Initial results
• 60% of hosts set zero flow label.
• FreeBSD missing code for outgoing.
• Inconsistent on incoming.
• Found that SYN/ACK had different label.
7
FreeBSD
Syncache/Syncookie
• No traditional setup code.
• Syncache uses small PCB.
• Syncookie
IN S = hash(IP s, sequencenumber, index).
• /* ip6_flow = ??? */
8
Fix
Syncache/Syncookie
• Syncache: choose any flowlabel.
• Syncookie: Must be able to reconstruct from
ACK.
• Hash produces many bits, use some for
flowlabel.
• If syncookies disabled could also use
sequential/. . .
9
Source Address
Destination
Address
Source Port
Destination Port
Random Secret
MD5 HASH
5−bits
7−bits
Secret Index
MSS Index
32−bits
20−bits
Flow Label
32−bits
TCP ISN
10
Measurements of Flow
Label Consistency
TCP Hosts
Hosts
%
Flow Label set to something other than 0
427
39
Flow Label = 0
784
Consistently setting Flow Label to 0
678
Flow Label to 0, change after handshake
106
Flow Label to non-0
321
Consistently set the Flow Label
Inconsistently set the flow
11
61
84
20
343
80
Considerations
• Do we strictly filter?
• Do we allow 1 change early in lifetime?
• Don’t want to open DoS chances.
• How do we find flow ID for RST packets?
12
Thanks, Questions?
13
Related documents
ipv6
ipv6
IPv6
IPv6
BITS Special Editorial Reports
BITS Special Editorial Reports
Chapter 8 Practice Test Answers
Chapter 8 Practice Test Answers
Recitation_Week10
Recitation_Week10
• Review the key networking concepts – TCP/IP reference model – Ethernet
• Review the key networking concepts – TCP/IP reference model – Ethernet
Data Representation Practice Questions
Data Representation Practice Questions
Blue and Grey
Blue and Grey
Issues in Designing the Next Generation Transport Protocol
Issues in Designing the Next Generation Transport Protocol
Math 480/690 +Special Topics in Coding Theory Section 201
Math 480/690 +Special Topics in Coding Theory Section 201
CSCI-1680 Network Layer: Wrapup Rodrigo Fonseca
CSCI-1680 Network Layer: Wrapup Rodrigo Fonseca
CSCI-1680 Network Layer: Wrapup Rodrigo Fonseca
CSCI-1680 Network Layer: Wrapup Rodrigo Fonseca
Download
advertisement