ABSTRACT

Introduction

This chapter continues the discussion on IPv6 security that we started in Chapter 4. The topics of Flows, Neighbor Discovery, and routing headers are covered.

5.1 IPv6 Flow Labels Issues

RFC 3697 defines IPv6 Flow Labels. The 20-bit Flow Label field in the IPv6 header is used by a source to label packets of a flow. A flow is a sequence of packets sent from a particular source to a particular unicast, anycast, or multicast destination that the source desires to label as a flow. Flows are associated with a source and destination address pair. A flow could consist of all packets in a specific transport connection or a media stream; however, a flow is not necessarily mapped one-to-one to a transport connection. The usage of the 3-tuple of the Flow Label and the Source and Destination Address fields enables efficient IPv6 flow classification, where only IPv6 main header fields in fixed positions are used. The minimum level of IPv6 flow support consists of labeling the flows. IPv6 source nodes supporting the flow labeling must be able to label known flows (e.g., Transmission Control Protocol [TCP] connections, application streams), even if the node itself would not require any flow-specific treatment. Doing this enables load spreading and receiver-oriented resource reservations, for example. Packet classifiers use the triplet of Flow Label, Source Address, and Destination Address fields to identify which flow a particular packet belongs to. Packets are processed in a flow-specific manner by the nodes that have been set up with flow-specific state [RFC3697].
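The 3-tuple classification described above, as an added example that is not part of the original chapter: a classifier that reads only the fixed-position fields of the 40-byte IPv6 main header and never looks at extension headers or the transport layer. The function names and the sample packets (addresses from the 2001:db8::/32 documentation prefix) are constructed for illustration; treating a Flow Label of zero as "not part of any flow" follows RFC 3697.

```python
import ipaddress
import struct
from collections import defaultdict

IPV6_HEADER_LEN = 40  # fixed-size IPv6 main header


def build_header(flow_label, src, dst, payload_len=0, next_header=6, hop_limit=64):
    """Construct a sample IPv6 main header (constructed test data only)."""
    first_word = (6 << 28) | (flow_label & 0xFFFFF)  # version 6, traffic class 0
    return (struct.pack("!IHBB", first_word, payload_len, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)


def flow_key(packet):
    """Return (flow_label, src, dst) read from fixed header offsets."""
    if len(packet) < IPV6_HEADER_LEN:
        raise ValueError("truncated IPv6 header")
    first_word = struct.unpack_from("!I", packet, 0)[0]
    if first_word >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    flow_label = first_word & 0xFFFFF  # low 20 bits of the first 32-bit word
    src = ipaddress.IPv6Address(packet[8:24])    # bytes 8..23
    dst = ipaddress.IPv6Address(packet[24:40])   # bytes 24..39
    return flow_label, src, dst


def classify(packets):
    """Group packet indexes by 3-tuple; label 0 is kept apart as unlabeled."""
    flows, unlabeled = defaultdict(list), []
    for i, pkt in enumerate(packets):
        key = flow_key(pkt)
        if key[0] == 0:
            unlabeled.append(i)
        else:
            flows[key].append(i)
    return dict(flows), unlabeled


# Constructed sample packets (headers only).
SAMPLE = [
    build_header(0x12345, "2001:db8::1", "2001:db8::2"),                  # flow A
    build_header(0x12345, "2001:db8::1", "2001:db8::2", next_header=17),  # flow A
    build_header(0x12345, "2001:db8::9", "2001:db8::2"),                  # same label, other source
    build_header(0, "2001:db8::1", "2001:db8::2"),                        # unlabeled
]
```

Packets 0 and 1 land in the same flow although their Next Header values differ, while packet 2 reuses the label from a different source and is therefore a separate flow.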