Traditionally, flow classifiers have been based on the 5-tuple of the source and destination addresses, ports, and the transport protocol type. However, some of these fields may be unavailable due to either fragmentation or encryption, or locating them past a chain of IPv6 option headers may be inefficient. Furthermore, if classifiers depend only on IP layer headers, later introduction of alternative transport layer protocols becomes comparatively easy.
The use of the 3-tuple of the Flow Label and the Source and Destination Address fields enables efficient IPv6 flow classification, where only IPv6 main header fields in fixed positions are used.
The minimum level of IPv6 flow support consists of labeling the flows. IPv6 source nodes supporting the flow labeling MUST be able to label known flows (e.g., TCP connections, application streams), even if the node itself would not require any flow-specific treatment. Doing this enables load spreading and receiver-oriented resource reservations, for example.
The Flow Label field was created to provide additional support for real-time datagram delivery and quality of service features. The concept of a flow is defined as a sequence of datagrams sent from a source device to one or more destination devices. A unique flow label is used to identify all the datagrams in a particular flow, so that routers between the source and destination all handle them the same way, to help ensure uniformity in how the datagrams in the flow are delivered. For example, if a video stream is being sent across an IP internetwork, the datagrams containing the stream could be identified with a flow label to ensure that they are delivered with minimal latency.
Not all devices and routers may support flow label handling, and use of the field by a source device is entirely optional. Also, the field is still somewhat experimental and may be refined over time.
IPv6 Flow Label Specification
The 20-bit Flow Label field in the IPv6 header is used by a source to label packets of a flow. A Flow Label of zero is used to indicate packets not part of any flow. Packet classifiers use the triplet of Flow Label, Source Address, and Destination Address fields to identify which flow a particular packet belongs to. Packets are processed in a flow-specific manner by the nodes that have been set up with flow-specific state. The nature of the specific treatment and the methods for the flow state establishment are out of scope for this specification. The Flow Label value set by the source MUST be delivered unchanged to the destination node(s). IPv6 nodes MUST NOT assume any mathematical or other properties of the Flow Label values assigned by source nodes. Router performance SHOULD NOT be dependent on the distribution of the Flow Label values. Especially, the Flow Label bits alone make poor material for a hash key.
Nodes keeping dynamic flow state MUST NOT assume packets arriving 120 seconds or more after the previous packet of a flow still belong to the same flow, unless a flow state establishment method in use defines a longer flow state lifetime or the flow state has been explicitly refreshed within the lifetime duration.
The use of the Flow Label field does not necessarily signal any requirement on packet reordering. Especially, the zero label does not imply that significant reordering is acceptable.
If an IPv6 node is not providing flow-specific treatment, it MUST ignore the field when receiving or forwarding a packet.
Flow Labeling Requirements
To enable Flow Label based classification, source nodes SHOULD assign each unrelated transport connection and application data stream to a new flow. The source node MAY also take part in flow state establishment methods that result in assigning certain packets to specific flows. A source node which does not assign traffic to flows MUST set the Flow Label to zero.
To enable applications and transport protocols to define what packets constitute a flow, the source node MUST provide means for the applications and transport protocols to specify the Flow Label values to be used with their flows. The use of the means to specify Flow Label values is subject to appropriate privileges. The source node SHOULD be able to select unused Flow Label values for flows not requesting a specific value to be used.
A source node MUST ensure that it does not unintentionally reuse Flow Label values it is currently using or has recently used when creating new flows. Flow Label values previously used with a specific pair of source and destination addresses MUST NOT be assigned to new flows with the same address pair within 120 seconds of the termination of the previous flow. The source node SHOULD provide the means for the applications and transport protocols to specify quarantine periods longer than the default 120 seconds for individual flows.
To avoid accidental Flow Label value reuse, the source node SHOULD select new Flow Label values in a well-defined sequence (e.g., sequential or pseudo-random) and use an initial value that avoids reuse of recently used Flow Label values each time the system restarts. The initial value SHOULD be derived from a previous value stored in non-volatile memory, or in the absence of such history, a randomly generated initial value using techniques that produce good randomness properties [RND] SHOULD be used.
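The allocator below is an added illustration of the labeling requirements above, not code from the specification: it walks a sequential 20-bit sequence that skips zero, seeds the sequence randomly when no checkpointed value survives a restart, honours application-requested labels, and quarantines released labels per (source, destination) pair for at least 120 seconds. The clock, addresses and label values in the demo are constructed.

```python
import secrets
import time
from typing import Callable, Dict, Optional, Set, Tuple

# Added example, not from the specification: a source-side Flow Label
# allocator. Labels are 20 bits, 1..0xFFFFF, with zero reserved for "no
# flow". A label released for a given (source, destination) pair is
# quarantined for at least 120 seconds before it can be handed out again.

LABEL_MAX = 0xFFFFF
DEFAULT_QUARANTINE = 120.0  # seconds, the default from the specification

AddrPair = Tuple[str, str]


class FlowLabelAllocator:
    def __init__(self, initial: Optional[int] = None,
                 clock: Callable[[], float] = time.monotonic) -> None:
        # `initial` is the value checkpointed before a restart. Without one,
        # start from a random 20-bit value so recent labels are unlikely to
        # be repeated (the [RND] recommendation above).
        self._next = initial if initial is not None else secrets.randbelow(LABEL_MAX) + 1
        self._clock = clock
        self._active: Dict[AddrPair, Set[int]] = {}
        # (pair, label) -> earliest time at which the label may be reused
        self._quarantine: Dict[Tuple[AddrPair, int], float] = {}

    def _step(self) -> int:
        # Well-defined sequential walk that wraps and never yields zero.
        label = self._next
        self._next = self._next % LABEL_MAX + 1
        return label

    def _usable(self, pair: AddrPair, label: int) -> bool:
        if label in self._active.get(pair, set()):
            return False
        until = self._quarantine.get((pair, label))
        if until is None:
            return True
        if self._clock() >= until:
            del self._quarantine[(pair, label)]
            return True
        return False

    def allocate(self, src: str, dst: str, requested: Optional[int] = None) -> int:
        pair = (src, dst)
        if requested is not None:
            # A transport or application asked for a specific label (the OS
            # privilege check is out of scope here); it must still be fresh.
            if not 1 <= requested <= LABEL_MAX or not self._usable(pair, requested):
                raise ValueError("requested Flow Label is in use or quarantined")
            label = requested
        else:
            for _ in range(LABEL_MAX):
                label = self._step()
                if self._usable(pair, label):
                    break
            else:
                raise RuntimeError("no fresh Flow Label for this address pair")
        self._active.setdefault(pair, set()).add(label)
        return label

    def release(self, src: str, dst: str, label: int,
                quarantine: float = DEFAULT_QUARANTINE) -> None:
        pair = (src, dst)
        self._active.get(pair, set()).discard(label)
        # Applications may lengthen the quarantine, never shorten it.
        self._quarantine[(pair, label)] = self._clock() + max(quarantine, DEFAULT_QUARANTINE)

    def checkpoint(self) -> int:
        # Persist this in non-volatile memory and pass it as `initial` after a restart.
        return self._next


def demo_sequence() -> Tuple[int, int, int, int, int]:
    # Deterministic walk-through with a constructed clock and addresses.
    now = [1000.0]
    alloc = FlowLabelAllocator(initial=0xFFFFE, clock=lambda: now[0])
    src, dst = "2001:db8::1", "2001:db8::2"
    a = alloc.allocate(src, dst)               # 0xFFFFE
    b = alloc.allocate(src, dst)               # 0xFFFFF, top of the range
    alloc.release(src, dst, a)                 # quarantined until t = 1120
    c = alloc.allocate(src, dst)               # sequence wraps to 1, skipping zero
    now[0] = 1119.0
    try:
        alloc.allocate(src, dst, requested=a)
        d = 1
    except ValueError:
        d = 0                                  # still quarantined
    now[0] = 1120.0
    e = alloc.allocate(src, dst, requested=a)  # 120 s elapsed, label reusable
    return a, b, c, d, e
```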
What are the Flow State Establishment Requirements?
To enable flow-specific treatment, flow state needs to be established on all or a subset of the IPv6 nodes on the path from the source to the destination(s). The methods for the state establishment, as well as the models for flow-specific treatment, will be defined in separate specifications.
To enable co-existence of different methods in IPv6 nodes, the methods MUST meet the following basic requirements:
(1) The method MUST provide the means for flow state clean-up from the IPv6 nodes providing the flow-specific treatment. Signaling based methods where the source node is involved are free to specify flow state lifetimes longer than the default 120
(2) Flow state establishment methods MUST be able to recover from the case where the requested flow state cannot be supported.
Here we consider the security issues raised by the use of the Flow Label, primarily the potential for denial-of-service attacks, and the related potential for theft of service by unauthorized traffic. We also look at the use of the Flow Label in the presence of IPsec, including its interaction with IPsec tunnel mode and other tunneling protocols. We also note that inspection of unencrypted Flow Labels may allow some forms of traffic analysis by revealing some structure of the underlying communications. Even if the flow label were encrypted, its presence as a constant value in a fixed position might assist traffic analysis and cryptanalysis.
Theft and Denial of Service
Since the mapping of network traffic to flow-specific treatment is triggered by the IP addresses and Flow Label value of the IPv6 header, an adversary may be able to obtain better service by modifying the IPv6 header or by injecting packets with false addresses and/or labels. Taken to its limits, such theft-of-service becomes a denial-of-service attack when the modified or injected traffic depletes the resources available to forward it and other traffic streams. A curiosity is that if a DoS attack were undertaken against a given Flow Label (or set of Flow Labels), then traffic containing an affected Flow Label might well experience worse-than-best-effort network performance.
Note that since the treatment of IP headers by nodes is typically unverified, there is no guarantee that flow labels sent by a node are set according to the recommendations in this document. Therefore, any assumptions made by the network about header fields such as flow labels should be limited to the extent that the upstream nodes are explicitly trusted.
Since flows are identified by the 3-tuple of the Flow Label and the Source and Destination Address, the risk of theft or denial of service introduced by the Flow Label is closely related to the risk of theft or denial of service by address spoofing. An adversary who is in a position to forge an address is also likely to be able to forge a label, and vice versa.
There are two issues with different properties: spoofing of the Flow Label only, and spoofing of the whole 3-tuple, including Source and Destination Address.
The former can be done inside a node which is using or transmitting the correct source address. The ability to spoof a Flow Label typically implies being in a position to also forge an address, but in many cases, spoofing an address may not be interesting to the spoofer, especially if the spoofer's goal is theft of service rather than denial of service.
The latter can be done by a host which is not subject to ingress filtering [INGR] or by an intermediate router. Due to its properties, such spoofing is typically useful only for denial of service. In the absence of ingress filtering, almost any third party could instigate such an attack.
In the presence of ingress filtering, forging a non-zero Flow Label on packets that originated with a zero label, or modifying or clearing a label, could only occur if an intermediate system such as a router was compromised, or through some other form of man-in-the-middle attack. However, the risk is limited to traffic receiving better or worse quality of service than intended. For example, if Flow Labels are altered or cleared at random, flow classification will no longer happen as intended, and the altered packets will receive default treatment. If a complete 3-tuple is forged, the altered packets will be classified into the forged flow and will receive the corresponding quality of service; this will create a denial of service attack subtly different from one where only the addresses are forged. Because it is limited to a single flow definition, e.g., to a limited amount of bandwidth, such an attack will be more specific and at a finer granularity than a normal address-spoofing attack.
Since flows are identified by the complete 3-tuple, ingress filtering will, as noted above, mitigate part of the risk. If the source address of a packet is validated by ingress filtering, there can be a degree of trust that the packet has not transited a compromised router, to the extent that ISP infrastructure may be trusted. However, this gives no assurance that another form of man-in-the-middle attack has not occurred.
Only applications with an appropriate privilege in a sending host will be entitled to set a non-zero Flow Label. Mechanisms for this are operating system dependent. Related policy and authorization mechanisms may also be required; for example, in a multi-user host, only some users may be entitled to set the Flow Label. Such authorization issues are outside the scope of this specification.
IPsec and Tunneling Interactions
The IPsec protocol, as defined in [IPSec, AH, ESP], does not include the IPv6 header's Flow Label in any of its cryptographic calculations (in the case of tunnel mode, it is the outer IPv6 header's Flow Label that is not included). Hence modification of the Flow Label by a network node has no effect on IPsec end-to-end security, because it cannot cause any IPsec integrity check to fail. As a consequence, IPsec does not provide any defense against an adversary's modification of the Flow Label (i.e., a man-in-the-middle attack).
IPsec tunnel mode provides security for the encapsulated IP header's Flow Label. A tunnel mode IPsec packet contains two IP headers: an outer header supplied by the tunnel ingress node and an encapsulated inner header supplied by the original source of the packet. When an IPsec tunnel is passing through nodes performing flow classification, the intermediate network nodes operate on the Flow Label in the outer header. At the tunnel egress node, IPsec processing includes removing the outer header and forwarding the packet (if required) using the inner header. The IPsec protocol requires that the inner header's Flow Label not be changed by this decapsulation processing, to ensure that modifications to the label cannot be used to launch theft- or denial-of-service attacks across an IPsec tunnel endpoint. This document makes no change to that requirement; indeed it forbids changes to the Flow Label.
When IPsec tunnel egress decapsulation processing includes a sufficiently strong cryptographic integrity check of the encapsulated packet (where sufficiency is determined by local security policy), the tunnel egress node can safely assume that the Flow Label in the inner header has the same value as it had at the tunnel ingress node.
This analysis and its implications apply to any tunneling protocol that performs integrity checks. Of course, any Flow Label set in an encapsulating IPv6 header is subject to the risks described in the previous section.
Security Filtering Interactions
The Flow Label does nothing to eliminate the need for packet filtering based on headers past the IP header, if such filtering is deemed necessary for security reasons on nodes such as firewalls or filtering routers.
Using the Flow Label Field in IPv6
The current draft of the IPv6 specification states that every IPv6 header contains a 24-bit Flow Label. (Originally the specification called for a 28-bit Flow ID field, which included the flow label and a 4-bit priority field. The priority field is now distinct, for reasons discussed at the end of this memo.)
The Flow Label is a pseudo-random number between 1 and FFFFFF (hex) that is unique when combined with the source address. The zero Flow Label is reserved to say that no Flow Label is being used. The specification requires that a source must not reuse a Flow Label value until all state information for the prior use of the Flow Label has been flushed from all routers in the internet.
The specification further requires that all datagrams with the same (non-zero) Flow Label must have the same Destination Address, Hop-by-Hop Options header, Routing Header and Source Address contents. The notion is that by simply looking up the Flow Label in a table, the router can decide how to route and forward the datagram without examining the rest of the header.
Two Subfields of an IPv6 Flow
Flow Label Issues
The IPv6 specification originally left open a number of questions, of which these three were among the most important:
1. What should a router do if a datagram with a (non-zero) Flow Label arrives and the router has no state for that
2. How does an internet flush old Flow Labels?
3. Which datagrams should carry (non-zero) Flow Labels?
What Does a Router Do With Flow Labels for Which It Has No State?
If a datagram with a non-zero Flow Label arrives at a router and the router discovers it has no state information for that Flow Label, what is the right thing for the router to do?
The IPv6 specification allows routers to ignore Flow Labels and also allows for the possibility that IPv6 datagrams may carry flow setup information in their options. Unknown Flow Labels may also occur if a router crashes and loses its state. During a recovery period, the router will receive datagrams with Flow Labels it does not know, but this is arguably not an error, but rather a part of the recovery period. Finally, if the controversial suggestion that each TCP connection be assigned a separate Flow Label is adopted, it may be necessary to manage Flow Labels using an LRU cache (to avoid Flow Label cache overflow in routers), in which case an active but infrequently used flow's state may have been intentionally discarded.
In any case, it is clear that treating this situation as an error and, say, dropping the datagram and sending an ICMP message, is inappropriate. Indeed, it seems likely that in most cases, simply forwarding the datagram as one would a datagram with a zero Flow Label would give better service to the flow than dropping the datagram.
Of course, there will be situations in which routing the datagram as if its Flow Label were zero will cause the wrong result. An example is a router which has two paths to the datagram's destination, one via a high-bandwidth satellite link and the other via a low-bandwidth terrestrial link. A high bandwidth flow obviously should be routed via the high-bandwidth link, but if the router loses the flow state, the router may route the traffic via the low-bandwidth link, with the potential for the flow's traffic to swamp the low-bandwidth link. It seems likely, however, that these situations will be exceptions rather than the rule. So it seems reasonable to handle these situations using options that indicate that if the flow state is absent, the datagram needs special handling. (The options may be Hop-by-Hop or simply handled at some routers, depending on the flow's needs.)
It would clearly be desirable to have some method for signalling to end systems that the flow state has been lost and needs to be refreshed. One possibility is to add a state-lost bit to the Flow Label field; however, there is sensitivity to eating into the precious 24 bits of the field. Other possibilities include adding options to the datagram to indicate its Flow Label was unknown, or sending an ICMP message back to the flow source.
In summary, the view is that the default rule should be that if a router receives a datagram with an unknown Flow Label, it treats the datagram as if the Flow Label is zero. As part of forwarding, the router will examine any hop-by-hop options and learn if the datagram requires special handling. The options could include simply the information that the datagram is to be dropped if the Flow Label is unknown, or could contain the flow state the router should have. There is clearly room here for experimentation with option design.
Flushing Old Flow Labels
The flow mechanism assumes that state associated with a given Flow Label is somehow deposited in routers, so they know how to handle datagrams that carry the Flow Label. A serious problem is how to flush Flow Labels that are no longer being used (stale Flow Labels) from the routers.
Stale Flow Labels can happen in a number of ways, even if we assume that the source always sends a message deleting a Flow Label when the source finishes using a flow. An internet may have partitioned since the flow was created. Or the deletion message may be lost before reaching all routers. Furthermore, the source may crash before it can send out a Flow Label deletion message. The point here is that we cannot expect the source (or, for the same reasons, a third party) always to clear out stale Flow Labels. Rather, routers will have to find some mechanism to flush Flow Labels themselves.
The obvious mechanism is to use a timer. Routers should discard Flow Labels whose state has not been refreshed within some period of time. At the same time, a source that crashes must observe a quiet time, during which it creates no flows, until it knows that all Flow Labels from its previous life must have expired. (Sources can avoid quiet time restrictions by keeping information about active Flow Labels in stable storage that survives crashes.) This is precisely how TCP initial sequence numbers are managed, and it seems the same mechanism should work well for Flow Labels.
Precisely how the Flow Label and its state should be refreshed needs some study. There are two obvious options. The source could periodically send out a special refresh message (such as an RSVP Path message) to explicitly refresh the Flow Label and its state. Or, the router could treat every datagram that carries the Flow Label as an implicit refresh, or sources could send explicit refresh options. The choice is between periodically handling a special update message and doing an extra computation on each datagram (namely noting in the Flow Label's entry that the Flow Label has been refreshed).
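As an added illustration (not code from the original memo), here is a minimal router-side flow state table that keys on the 3-tuple, treats every datagram as an implicit refresh, flushes entries not refreshed within the 120-second default lifetime, and gives datagrams with an unknown label default treatment unless a hop-by-hop option marks them as drop-if-unknown. The treatment names, clock and addresses in the demo are constructed.

```python
import time
from typing import Callable, Dict, List, Tuple

# Added example, not from the memo: a router-side flow state table keyed on
# (source, destination, Flow Label). Each datagram is an implicit refresh;
# entries not refreshed within their lifetime (120 s by default) are flushed
# by a timer; an unknown label is forwarded as if the label were zero unless
# a hop-by-hop option asked for a drop.

FlowKey = Tuple[str, str, int]
DEFAULT_LIFETIME = 120.0  # seconds


class FlowStateTable:
    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock
        # key -> (treatment name, lifetime in seconds, time of last refresh)
        self._state: Dict[FlowKey, Tuple[str, float, float]] = {}

    def establish(self, key: FlowKey, treatment: str,
                  lifetime: float = DEFAULT_LIFETIME) -> None:
        # Installed by whatever establishment method is in use (e.g. RSVP).
        # Only a non-zero 20-bit label can carry flow state.
        _, _, label = key
        if not 1 <= label <= 0xFFFFF:
            raise ValueError("Flow Label must be in 1..0xFFFFF")
        self._state[key] = (treatment, lifetime, self._clock())

    def expire(self) -> List[FlowKey]:
        # Timer-based flush: the source cannot be relied on to delete state
        # (crash, partition, lost deletion message).
        now = self._clock()
        stale = [k for k, (_, life, last) in self._state.items() if now - last >= life]
        for k in stale:
            del self._state[k]
        return stale

    def active_flows(self) -> int:
        return len(self._state)

    def classify(self, src: str, dst: str, label: int,
                 drop_if_unknown: bool = False) -> str:
        """Return the treatment applied to one arriving datagram."""
        self.expire()
        if label == 0:
            return "default"                      # explicitly "not part of any flow"
        key = (src, dst, label)
        entry = self._state.get(key)
        if entry is None:
            # Unknown label is not an error: forward with default treatment,
            # unless a hop-by-hop option said to drop when state is absent.
            return "drop" if drop_if_unknown else "default"
        treatment, life, _ = entry
        self._state[key] = (treatment, life, self._clock())   # implicit refresh
        return treatment


def demo_router() -> Tuple[str, str, str, str, str]:
    # Constructed walk-through with a fake clock.
    now = [0.0]
    table = FlowStateTable(clock=lambda: now[0])
    src, dst = "2001:db8::1", "2001:db8::2"
    table.establish((src, dst, 0x1A2B), "low-latency")
    r1 = table.classify(src, dst, 0x1A2B)                        # known flow
    r2 = table.classify(src, dst, 0x3C4D)                        # unknown label
    r3 = table.classify(src, dst, 0x3C4D, drop_if_unknown=True)  # option says drop
    now[0] = 119.0
    r4 = table.classify(src, dst, 0x1A2B)                        # refreshed in time
    now[0] = 119.0 + 120.0
    r5 = table.classify(src, dst, 0x1A2B)                        # stale, flushed
    return r1, r2, r3, r4, r5
```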
Which Datagrams Should Carry (Non-Zero) Flow Labels?
Interestingly, this is the problem on which the least progress has been made.
There were some points of basic agreement. Small exchanges of data should have a zero Flow Label, because it is not worth creating a flow for a few datagrams. Real-time flows must obviously always have a Flow Label, since flows are a primary reason Flow Labels were created. The issue is what to do with peers sending large amounts of best effort traffic (e.g., TCP connections). Some people want all long-term TCP connections to use Flow Labels, others do not.
The argument in favor of using Flow Labels on individual TCP connections is that even if the source does not request special service, a network provider's routers may be able to recognize a large amount of traffic and use the Flow Label field to establish a special route that gives the TCP connection better service (e.g., lower delay or bigger bandwidth). Another argument is to assist in efficient demultiplexing at the receiver (i.e., IP and TCP demultiplexing could be done once).
An argument against using Flow Labels in individual TCP connections is that it changes how we handle route caches in routers. Currently one can cache a route for a destination host, regardless of how many different sources are sending to that destination host. I.e., if five sources each have two TCP connections sending data to a server, one cache entry containing the route to the server handles all 10 TCPs' traffic. Putting Flow Labels in each datagram changes the cache into a Flow Label cache, in which there is a cache entry for every TCP connection. So there's a potential for cache explosion. There are ways to alleviate this problem, such as managing the Flow Label cache as an LRU cache, in which infrequently used Flow Labels get discarded (and then recovered later). It is not clear, however, whether this will cause cache thrashing.
Observe that there is no easy compromise between these positions. One cannot, for instance, let the application decide whether to use a Flow Label. Those who want different Flow Labels for every TCP connection assume that they may optimize a route without the application's knowledge. And forcing all applications to use Flow Labels will force routing vendors to deal with the cache explosion issue, even if we later discover that we don't want to optimize individual TCP connections.
Note about the Priority Field
The original IPv6 specification combined the Priority and Flow Label fields and allowed flows to redefine the meaning of different values of the Priority field. During its discussions, the End-to-End group realized this meant that if a router forwarded a datagram with an unknown Flow Label it had to ignore the Priority field, because the priority values might have been redefined. (For instance, the priorities might have been inverted.) The IPv6 community concluded this behavior was undesirable. Indeed, it seems likely that when the Flow Label is unknown, the router will be able to give much better service if it uses the Priority field to make a more informed routing decision. So the Priority field is now a distinct field, unaffected by the Flow Label.
The Flow Label field makes packet transit reasonably well organized, and consequently real-time traffic gets great support and benefits from this particular field. Let us now take a deeper look into real-time traffic.
Real Time Traffic
Real-time traffic supports real-time interactive applications, the most prominent of which are voice and video conferencing. Both of these have users at each end of a connection who expect that what they say or do will be transmitted "instantly" to the other end of the connection, and that the conversation will proceed as if the two parties were in the same room. Some of the most difficult aspects of real-time traffic come from this need for speed. Sometimes certain aspects of a normal data network interfere with this need. Consequently, the Flow Label field is indispensable in real-time traffic.
In a Packet Switched Network (PSN), "differentiated service" classification enables a network to perform different treatments on a service type basis. For example, different queue processing allows the packets sent to a high priority queue to be transported first and the packets sent to a low priority queue to be transported afterwards; these treatments let the high priority service traffic be transported with less delay and delay variation compared to the low priority service traffic. Another example is in congestion control. For some "real time" traffic, it is better to drop the packets than to buffer them at congestion time, while for some "file download" traffic, it is better to buffer the packets and transmit them later. These QoS based "differentiated service" treatments aim for the network to meet different service requirements. The existing traffic classification scheme is there to facilitate "differentiated service" treatments.
Today network traffic flows are generated by many different applications. They appear with very significant bit rate differences, such as the flows yielded by web browsing and stock ticks vs. the flows from video streaming and file download. Experiments have shown that applying the same treatment to large flows and small flows in the ECMP or LAG process leads to performance issues or uneven load balance over multiple paths. If the network uses a stateful method for flow placement over the paths, a huge number of small flows adds a big burden for the device to handle. If the network uses a stateless method (hashing), which works well when there is a large number of micro-flows, the flows with significantly high bit rate will cause uneven load balance on the paths. This results in a desire for the ECMP or LAG process to perform different treatments on large flows and small flows. Therefore, large flow classification is necessary. This classification lets the network perform better load balance over ECMP or LAG, which improves network resource utilization and efficiency.
With large flow classification, the network can have several ways to perform different treatments. Appendix A of [Flow-Based-Load-Balance] gives one example. It uses hashing for all small flow placements and uses a table for large flow placements. The simulation uses the network traffic model and has shown a significant improvement in load balance when classifying a small number of top bit rate ranked flows as large flows. The stateful large flow placement evenly distributes large flows over the paths. Other implementations can be done as well. The large flow classification also brings benefits in congestion control, i.e. merely moving some large flows can relieve a congestion condition.
The IPv6 protocol contains a flow label field. [FLOW-ECMP] has specified the rule for using the IPv6 flow label in ECMP operation. ECMP operation applies to both IP packets and label switched packets. This draft proposes to use one bit in the Traffic Class field of the IPv6 protocol for large flow classification.
IPv6 Protocol and Traffic Classification
The figure below illustrates the first 32-bit word of the IPv6 header:
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |Version| Traffic Class |           Flow Label                  |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    Version        4-bit Internet Protocol version number = 6
    Traffic Class  8-bit traffic class field
    Flow Label     20-bit flow label
The 20-bit Flow Label field in the IPv6 header may be used by a source to label packets of a flow. A flow is uniquely identified by the combination of a source address and a non-zero flow label. Flow labels must be chosen (pseudo-)randomly and uniformly from the range 1 to FFFFF hex. [RFC3697] further specified that a Flow Label of zero is used to indicate packets not part of any flow. Packet classifiers use the triplet of Flow Label, Source Address, and Destination Address fields to identify which flow a particular packet belongs to. Packets are processed in a flow-specific manner by the nodes that have been set up with flow-specific state.
The 8-bit Traffic Class field in the IPv6 header is available for use by originating nodes and/or forwarding routers to identify and distinguish between different classes or priorities of IPv6 packets. There are a number of experiments in the use of the IPv4 Type of Service and/or Precedence bits to provide various forms of "differentiated service" for IP packets, other than through the use of explicit flow set-up. This implies that, today, the flow label and traffic class are used mutually exclusively in the network. The large flow classification proposed in this draft is for an enhanced ECMP process that uses both the flow label field and the traffic class field.
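The following is an added example, not code from the draft or from any product: it parses Version, Traffic Class and Flow Label out of a raw IPv6 header, hashes the full 3-tuple for stateless ECMP placement, and carries the draft's large-flow mark in one Traffic Class bit, placing marked flows through a small table as in the Appendix A scheme described above. The bit position LARGE_FLOW_BIT, the round-robin table and the sample headers are assumptions constructed for this example.

```python
import hashlib
import struct
from typing import Dict, Tuple

# Added example, not from the draft: parse the first word of a raw IPv6
# header, hash the 3-tuple for ECMP, and carry a large-flow mark in one
# Traffic Class bit. LARGE_FLOW_BIT is an assumed position; a real deployment
# must choose one that does not collide with its DSCP or ECN usage.

IPV6_FIXED_HEADER = 40
LARGE_FLOW_BIT = 0x01

FlowKey = Tuple[bytes, bytes, int]


def parse_ipv6_header(pkt: bytes) -> Tuple[int, int, int, bytes, bytes]:
    """Return (version, traffic_class, flow_label, src, dst) from the fixed header."""
    if len(pkt) < IPV6_FIXED_HEADER:
        raise ValueError("truncated IPv6 header")
    (first_word,) = struct.unpack("!I", pkt[:4])
    version = first_word >> 28                  # bits 0-3
    if version != 6:
        raise ValueError("not an IPv6 packet")
    traffic_class = (first_word >> 20) & 0xFF   # bits 4-11
    flow_label = first_word & 0xFFFFF           # bits 12-31
    return version, traffic_class, flow_label, pkt[8:24], pkt[24:40]


def build_ipv6_header(traffic_class: int, flow_label: int, src: bytes, dst: bytes,
                      payload_len: int = 0, next_header: int = 59,
                      hop_limit: int = 64) -> bytes:
    # Constructed header for the demo; next header 59 means "no next header".
    first_word = (6 << 28) | ((traffic_class & 0xFF) << 20) | (flow_label & 0xFFFFF)
    return struct.pack("!IHBB", first_word, payload_len, next_header, hop_limit) + src + dst


def mark_large_flow(pkt: bytes) -> bytes:
    # Set the assumed large-flow bit; the other Traffic Class bits and the
    # Flow Label are left untouched, as the label must reach the destination unchanged.
    _, tc, fl, _, _ = parse_ipv6_header(pkt)
    first_word = (6 << 28) | ((tc | LARGE_FLOW_BIT) << 20) | fl
    return struct.pack("!I", first_word) + pkt[4:]


def is_large_flow(pkt: bytes) -> bool:
    return bool(parse_ipv6_header(pkt)[1] & LARGE_FLOW_BIT)


def flow_key(pkt: bytes) -> FlowKey:
    _, _, fl, src, dst = parse_ipv6_header(pkt)
    return src, dst, fl


def ecmp_path(pkt: bytes, n_paths: int) -> int:
    # Stateless placement over the whole 3-tuple. The specification warns
    # that the Flow Label bits alone make poor material for a hash key.
    src, dst, fl = flow_key(pkt)
    digest = hashlib.sha256(src + dst + fl.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big") % n_paths


class LargeFlowPlacer:
    """Small flows are hashed; large flows get a table entry, spread round-robin."""

    def __init__(self, n_paths: int) -> None:
        self.n_paths = n_paths
        self.table: Dict[FlowKey, int] = {}
        self._next_path = 0

    def place(self, pkt: bytes) -> int:
        if not is_large_flow(pkt):
            return ecmp_path(pkt, self.n_paths)
        key = flow_key(pkt)
        if key not in self.table:
            self.table[key] = self._next_path
            self._next_path = (self._next_path + 1) % self.n_paths
        return self.table[key]


def demo_packets() -> Tuple[bytes, bytes, bytes]:
    # Constructed sample headers: one small flow and two large flows.
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    small = build_ipv6_header(0x00, 0x1A2B3, src, dst)
    big1 = mark_large_flow(build_ipv6_header(0x00, 0x2C4D5, src, dst))
    big2 = mark_large_flow(build_ipv6_header(0x00, 0x3E6F7, src, dst))
    return small, big1, big2
```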
Figure (image at http://www.cisco.com/en/US/solutions/collateral/ns340/ns517/ns224/ns949/ns304/ns975/images/product_bulletin_c25-602184-1.jpg): Flow-Aware Transport of Pseudowires in IP/MPLS Networks.
Figure: Advanced VPLS Load Balancing Reduces Congestion and Delay.
In IP networks, load balancing will be supported across the IP core networks using Generic Routing Encapsulation (GRE). As in IP/MPLS networks, the flow-label enable command tells the edge routers to perform hash calculations on fields in the IP header to generate a flow label. As the edge router, the Cisco Catalyst 6500 Series uses the hashing process to distribute the flows across multiple available egress interfaces. Across the IP core, GRE encapsulates the MPLS payload and tunnels pseudowire traffic over the network (MPLS over GRE). In this case, instead of an additional flow label being added, the flow label is inserted in the (optional) Key field of the GRE header. Load balancing across IP networks using GRE will be supported in a future release.
Here is an example of an Advanced VPLS configuration.
It introduces flow load balancing and flow-label imposition together with the compact virtual Ethernet configuration commands.
! enable load-balancing on the edge router based on ECMP
! enable load balancing across the network core
! using flow labels
interface virtual-ethernet 1
 ! transport configuration
 transport vpls mesh
 neighbor 220.127.116.11 pw-class cl1
 neighbor 18.104.22.168 pw-class cl1
 ! service configuration
 switchport mode trunk
 switchport trunk allowed vlan 10,20