In message <56C5808C.1090906@xxxxxxxxxxxxxxxxxxxxxxxxxx>, Masataka Ohta writes:
> Masataka Ohta (I) wrote:
>
> > The RFC is a complete mess, in various ways. It says flow IDs are
> > good because they are random, but, at the same time, it says flow
> > IDs may not be random.
>
> I found the RFC is even worse.
>
> The most important thing the RFC must have stated (it
> does not, of course) is:
>
>     (SRC1, DST1, flow_ID1)
>
> of a stateful flow MUST be unique (not used by packets
> not belonging to the flow) within the Internet,
> which can be guaranteed only by an end (source or
> destination), which is a straightforward manifestation
> of the end to end argument.
>
> But, the RFC allows routers (firewalls) to change flow IDs to
> a nonzero value.
>
> So, if a router changes the flow ID of (SRC1, DST1, flow_ID2)
> from flow_ID2 to flow_ID3, then there is a possibility
> that flow_ID1 == flow_ID3, which is fatal for the stateful
> flow if the modified packets are merged into the stateful
> flow (certain protection against merging is possible but
> not robust against route changes).
>
> Of course, section 6.1 of the RFC on covert channels is
> abstract nonsense, because covert channels may be created
> in various ways to carry information, for example, with
> extension headers (fragmentation boundaries, for example,
> can be arbitrary), which means firewalls should reject
> packets with extension headers.

No, it doesn't. Firewalls have a purpose. Most of the time the purpose isn't to block communication. It is to block wasting resources or to try to prevent poorly written applications / IP stacks being compromised.

Often people forget that firewalls need to let packets through that are part of a legitimate communications flow. You don't actually need to stop *every* potential packet that isn't part of a communications flow. You just need to make it hard enough that it is not worth the effort to find the open paths if you are not part of a legitimate flow.

> Masataka Ohta

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@xxxxxxx
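The collision scenario in the quoted text (a stateful flow keyed on (SRC1, DST1, flow_ID1), a middlebox rewriting an unlabeled packet between the same pair to a nonzero label that happens to equal flow_ID1) can be modelled in a few lines. The following is an added example, not code from the thread, the RFC it discusses, or either author; the addresses, ports and label value are constructed, and the `check_ports` option stands in for the "certain protection against merging" the quoted text mentions, namely comparing the transport ports before accepting a packet into existing flow state:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flow_label: int   # 20-bit IPv6 flow label; 0 means "not set"
    src_port: int
    dst_port: int
    payload: bytes


@dataclass
class FlowState:
    ports: Tuple[int, int]                       # transport ports seen when the flow opened
    packets: List[Packet] = field(default_factory=list)


class FlowTable:
    """Stateful classifier keyed on the 3-tuple (src, dst, flow_label)."""

    def __init__(self, check_ports: bool) -> None:
        self.check_ports = check_ports
        self.flows: Dict[Tuple[str, str, int], FlowState] = {}
        self.collisions: List[Tuple[str, str, int]] = []

    def open_flow(self, pkt: Packet) -> None:
        key = (pkt.src, pkt.dst, pkt.flow_label)
        self.flows[key] = FlowState(ports=(pkt.src_port, pkt.dst_port), packets=[pkt])

    def classify(self, pkt: Packet) -> Optional[str]:
        key = (pkt.src, pkt.dst, pkt.flow_label)
        flow = self.flows.get(key)
        if flow is None:
            return None                          # no state for this 3-tuple
        if self.check_ports and (pkt.src_port, pkt.dst_port) != flow.ports:
            # Label matched an existing flow but the transport ports did not:
            # record the collision instead of merging foreign packets into the flow.
            self.collisions.append(key)
            return "collision"
        flow.packets.append(pkt)
        return "merged"


def rewrite_label(pkt: Packet, new_label: int) -> Packet:
    """Model a router/firewall that assigns a nonzero label to an unlabeled packet."""
    return Packet(pkt.src, pkt.dst, new_label, pkt.src_port, pkt.dst_port, pkt.payload)


# Constructed sample values (documentation prefix, arbitrary ports and label).
SRC1 = "2001:db8::1"
DST1 = "2001:db8::2"
FLOW_ID1 = 0x12345       # label the source end chose for its stateful flow


def simulate(router_label: int, check_ports: bool) -> Optional[str]:
    """Open one stateful flow, then present a rewritten unrelated packet to the table."""
    table = FlowTable(check_ports=check_ports)
    stateful = Packet(SRC1, DST1, FLOW_ID1, 40000, 443, b"stateful flow")
    table.open_flow(stateful)
    # Same (SRC1, DST1) pair, label unset, different transport ports.
    other = Packet(SRC1, DST1, 0, 40001, 53, b"unrelated packet")
    return table.classify(rewrite_label(other, router_label))


if __name__ == "__main__":
    print(simulate(FLOW_ID1, check_ports=False))   # merged: the failure described in the thread
    print(simulate(FLOW_ID1, check_ports=True))    # collision: detected, not merged
    print(simulate(0x00001, check_ports=False))    # None: distinct label, no state hit
```

With labels alone as the key, a router that happens to pick `FLOW_ID1` gets its rewritten packet merged into the stateful flow; with the port comparison the mismatch is caught and logged. The port check only covers the case the table can see: it does nothing about the thread's second point, that a route change can move traffic onto a different rewriting router mid-flow, so the label a flow is keyed on can change underneath the classifier.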