IPv6 Flow Labels
Binan AL Halabi, Master in Communication
03-Sep-15
Blog: voipmagazine.wordpress.com/

What does IPv6 mean to your network?
- Overcoming the address shortage of the current IPv4 protocol
- Flow labeling
Flow Definition
- RFC 6437, network-layer point of view: "The flow is a sequence of packets sent from a particular source to a particular unicast, anycast, or multicast destination that a node desires to label as a flow."
- Upper-layer point of view: "a flow could consist of all packets in one direction of a specific transport connection or media stream."
- A flow is not necessarily mapped 1:1 to a transport connection. Example, a TCP connection: after connection establishment (three-way handshake) we have two flows, one in each direction.
- The packets of a flow should not be reordered.

Why identify flows?
- Because we want special handling for special flows, such as real-time application flows.
Traditional Flow Classifier
- Based on: source address, destination address, source port, destination port, transport protocol type.
- Are the above fields always available? Not under fragmentation or encryption.
- With IPv6 extension headers (options): locating the transport information past a chain of IPv6 extension headers is NOT sufficient; parsing of the extension headers is needed, which causes a layer violation.
- Flows in IP-in-IP tunnels: classify based on IP-layer information (source, destination)? How to identify a flow inside the tunnel? All the packets have the same outermost IP header.
- Problem when doing tunneling + load balancing: traffic from many sources to many destinations is aggregated in a single IP-in-IP tunnel (polarization), or in a small number of tunnels (partial polarization).
IP-Layer (IPv6) Classifier
- Based on: flow label (exists in a fixed position in all fragments), source address, destination address.
- These fields are combined to provide uniformly distributed hash outputs.

IPv6 Header

Flow Label Field Length
- Year 1994, RFC 1710: length = 28 bits
- Year 1995, RFC 1883: length = 24 bits
- Finally, year 1998, RFC 2460: length = 20 bits
Flow Label Field Specification /1/ (RFC 6437)
- A 20-bit Flow Label field is used to label the packets of a flow.
- If the Flow Label field is set to zero, the packet is not labeled (not part of any flow).
- Unique: it is a low-probability event that two simultaneous flows have the same flow label and the same source and destination addresses.
- Timeout = 120 seconds.
- Set by the source and must not be changed en route.

Flow Label Field Specification /2/ (RFC 6437)
- Allows routers (such as the first-hop router) to set the label on behalf of hosts that do not do so; such a router needs to track all 3-tuples {source address, destination address, flow label} in use, to prevent mixing separate flows.
- Flow label bits have a high degree of variability: suitable as part of the input to the hash function used in a load distribution mechanism, and difficult for a third party to guess.
- Avoid reuse of recent flow labels when the system restarts.

Flow Label Field Specification /3/ (RFC 6437)
- Uniformly distributed flow label values are recommended.
- NO particular encoding scheme for the flow label is assumed by IPv6 nodes.
- Compatibility between the source, the routers, and the destination.
- Avoid reuse of recent flow labels when the system restarts.
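The properties listed on the three specification slides (20 bits, zero means unlabeled, uniform, hard to guess, no reuse across a restart) can be met with a stateless keyed hash of the transport 5-tuple. This is an added example, not code from the talk or from RFC 6437; the secret, addresses and ports are constructed placeholders.

```python
import hashlib
import ipaddress

FLOW_LABEL_BITS = 20
FLOW_LABEL_MASK = (1 << FLOW_LABEL_BITS) - 1   # 0xFFFFF


def five_tuple_bytes(src: str, dst: str, proto: int, sport: int, dport: int) -> bytes:
    """Serialize the transport 5-tuple identifying one direction of a connection."""
    return (ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed
            + bytes([proto])
            + sport.to_bytes(2, "big")
            + dport.to_bytes(2, "big"))


def make_flow_label(src: str, dst: str, proto: int, sport: int, dport: int,
                    secret: bytes) -> int:
    """Stateless keyed-hash flow label.

    - 20 bits wide and never zero (zero means "not labeled")
    - uniformly distributed, since it is cut from a keyed hash output
    - not guessable by a third party without the host's secret
    - a fresh secret at boot avoids reusing labels from before a restart
    The secret is a constructed placeholder; a real host draws it from its CSPRNG.
    """
    material = five_tuple_bytes(src, dst, proto, sport, dport)
    counter = 0
    while True:
        digest = hashlib.blake2b(material + counter.to_bytes(4, "big"),
                                 key=secret, digest_size=4).digest()
        label = int.from_bytes(digest, "big") & FLOW_LABEL_MASK
        if label != 0:
            return label
        counter += 1   # 1-in-2^20 case: re-hash rather than emit the "unlabeled" value


def is_valid_flow_label(label: int) -> bool:
    """A labeled flow must carry a non-zero value that fits the 20-bit field."""
    return 0 < label <= FLOW_LABEL_MASK


# Constructed example secret and flows (not real traffic)
SECRET = b"constructed-per-boot-secret"
LABEL_A = make_flow_label("2001:db8::1", "2001:db8::2", 6, 50000, 443, SECRET)
# The reverse direction is a separate flow and normally gets its own label
LABEL_B = make_flow_label("2001:db8::2", "2001:db8::1", 6, 443, 50000, SECRET)
```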
Flow Label Use Scenarios
- Stateless: no information about the flow is stored in the node that is working on the packet.
- Stateful: information about the flow (flow-specific state) is stored in the node that is working on the packet.

Stateless Multipath Load Balancing (RFC 6438)
- Several network paths exist between the same two nodes, and the paths are known by the routing system to be roughly equal (in terms of capacity and latency).
- Goal: avoid out-of-order packet delivery for individual flows.
- Identify the flow using the 3-tuple {source, flow label, destination} as the input keys to a modulo-N hash algorithm.
- Use the resulting hash value to select a particular path among the N different paths.
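The IPv6-layer classifier and the RFC 6438 path selection above, as an added example (not code from the talk or from the RFC): it reads the flow label from the fixed 40-byte header of a constructed packet and hashes the {source, destination, flow label} 3-tuple modulo N. The router key and the addresses are assumed placeholders.

```python
import hashlib
import ipaddress
import struct

# Constructed 40-byte IPv6 header (not a capture): version 6, traffic class 0,
# flow label 0xABCDE, payload length 0, next header 59 (no next header),
# hop limit 64, from 2001:db8::1 to 2001:db8::2.
SAMPLE_HEADER = (
    struct.pack("!IHBB", (6 << 28) | 0xABCDE, 0, 59, 64)
    + ipaddress.IPv6Address("2001:db8::1").packed
    + ipaddress.IPv6Address("2001:db8::2").packed
)


def parse_ipv6_fixed_header(pkt: bytes):
    """Return (src, dst, flow_label) from the fixed IPv6 header.

    The label is the low 20 bits of the first 32-bit word, a fixed position
    present in every fragment, so no extension-header walk is needed.
    """
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    first_word = struct.unpack("!I", pkt[:4])[0]
    if first_word >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    flow_label = first_word & 0xFFFFF
    src = ipaddress.IPv6Address(pkt[8:24])
    dst = ipaddress.IPv6Address(pkt[24:40])
    return src, dst, flow_label


def select_path(src, dst, flow_label: int, n_paths: int,
                key: bytes = b"constructed-router-secret") -> int:
    """RFC 6438-style choice: hash the 3-tuple, take the result modulo N.

    Every packet of a flow (fragments included) yields the same index, so the
    flow is never split across paths. Keying the hash with a per-router secret
    (placeholder here) makes the tuple-to-path mapping harder for an outsider
    to predict, which limits the "overload one path" concern on the security slide.
    """
    if n_paths < 1:
        raise ValueError("need at least one path")
    material = src.packed + dst.packed + flow_label.to_bytes(3, "big")
    digest = hashlib.blake2b(material, key=key, digest_size=8).digest()
    return int.from_bytes(digest, "big") % n_paths


def classify(pkt: bytes, n_paths: int) -> int:
    """Parse the header and return the path index for this packet."""
    src, dst, label = parse_ipv6_fixed_header(pkt)
    return select_path(src, dst, label, n_paths)
```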
Flow Label Stateful Scenario
- Packets can receive flow-specific treatment.
- A signaling mechanism can be used to establish the flow state in the network, e.g. the RSVP protocol (RFC 2205).
- Admission control is required for resource reservation.
- A stick table can be used in load balancing to map the {source, flow label} tuple to a server id.
- The server is selected when the first packet is processed.
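The stick-table case from this slide, as an added example (not code from the talk or from RFC 7098): the server is picked on the first packet of a {source, flow label} key and later packets stick to it, label 0 keeps no state because the packet is unlabeled, and entries idle for the 120-second timeout from the specification slides are dropped. Server names and the injectable clock are assumptions.

```python
import hashlib
import time
from typing import Callable, Dict, List, Tuple

FLOW_TIMEOUT = 120.0   # seconds of inactivity after which a flow's state is dropped


class StickTable:
    """Stateful server selection keyed on {source address, flow label}."""

    def __init__(self, servers: List[str], now: Callable[[], float] = time.monotonic):
        if not servers:
            raise ValueError("need at least one server")
        self.servers = list(servers)
        self.now = now   # injectable clock so expiry can be tested without sleeping
        self.table: Dict[Tuple[str, int], Tuple[str, float]] = {}

    def _expire(self) -> None:
        """Drop entries not seen within FLOW_TIMEOUT so old labels can be reused."""
        cutoff = self.now() - FLOW_TIMEOUT
        stale = [k for k, (_, seen) in self.table.items() if seen < cutoff]
        for key in stale:
            del self.table[key]

    def _pick(self, key: Tuple[str, int]) -> str:
        """Spread first packets across servers; later packets come from the table."""
        digest = hashlib.sha256(repr(key).encode()).digest()
        return self.servers[int.from_bytes(digest[:4], "big") % len(self.servers)]

    def route(self, src: str, flow_label: int) -> str:
        """Return the server for this packet, creating flow state on the first packet."""
        self._expire()
        if flow_label == 0:
            # Label 0 means "not labeled": no flow state is kept for such packets
            return self._pick((src, 0))
        key = (src, flow_label)
        if key in self.table:
            server, _ = self.table[key]
        else:
            server = self._pick(key)   # selected once, on the first packet
        self.table[key] = (server, self.now())
        return server
```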
Security Considerations
- The Flow Label field is NOT protected: IPsec protection of the IPv6 header excludes the mutable fields, such as Traffic Class and Flow Label.
- Except in tunnel mode, where the encapsulated IP header's Flow Label is protected.
- Use it within the administrative domain.

Security Considerations
- Denial of Service (DoS) attacks against a given flow label (or labels): in the load-balancing case, overloading a particular path.
- Theft of service: obtaining a class of service without permission from the network.

Deleting Old Flow Labels
- Timeout
- Transport-layer observation
- Explicit signaling
- This is an open issue.
Flow Label Reflection
- draft-wang-6man-flow-label-reflection-01, March 8, 2015:
- An application session corresponds to IP traffic in two opposite directions.
- The two IPv6 flows of the same session can be correlated together by assigning the same flow label to the flows {source, destination, flow label} and {destination, source, flow label}.
- Application-aware operations can then be placed in the network.

Flow Label Reflection Examples
- Content server: upstream (small data) and downstream traffic (large data).
- Real-time communication service: session with media in both directions.
- Useful for: traffic statistics, network diagnosis, QoS for sessions, traffic-specific policy.

Read More
- RFC 6294, "Flow Label Use Cases": some use cases have a particular encoding scheme for the Flow Label field, which creates a dependency problem; this is not compatible with RFC 3697.
- RFC 7098, "Flow Label for Server Load Balancing".