Project

General

Profile

Actions

Feature #8599

open

IPv6 flow labels

Added by Isaac McDonald over 6 years ago. Updated over 6 years ago.

Status:
New
Priority:
Very Low
Assignee:
-
Category:
Rules / NAT
Target version:
-
Start date:
06/25/2018
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:

Description

Here's a short list of possible uses for IPv6 flow labels in pfSense:

Windows 10 now populates IPv6 flow labels by default: [[https://blogs.technet.microsoft.com/networking/2017/07/13/core-network-stack-features-in-the-creators-update-for-windows-10/]]

Beginning with the Creators Update, outbound TCP and UDP packets over IPv6 have this field set to a hash of the 5-tuple (Src IP, Dst IP, Src Port, Dst Port). Middleboxes can use the FlowLabel field to perform ECMP for in-encapsulated native IPv6 traffic without having to parse the transport headers. This will make IPv6 only datacenters doing load balancing or flow classification more efficient.

FreeBSD also includes support for IPv6 flow labels.

Thanks

Actions #1

Updated by Jim Pingle over 6 years ago

  • Category set to Rules / NAT
  • Priority changed from Normal to Very Low

Looks like ipfw can match, but not set the IPv6 flow-id. I don't see any reference to a similar function to match in pf, and thus neither would have a way to set the flow-id. Limiters use ipfw/dummynet but the rules are still created through pf, so again, no way to match or set the flow-id. So that isn't going to be possible. You can ask upstream in FreeBSD if that can be added to pf, and we could pick up support for that if they add it.

For load balancing, that would maybe be found in the HAProxy package. Since someone from HAProxy wrote that RFC, you may be in luck there. The HAProxy package maintainer may want to look into that eventually. That should be moved to a separate ticket in the pfSense Packages area here.

For ECMP/LAGG, I don't see that as supported in FreeBSD but if you can point out where it is, I can take a look. ECMP isn't supported currently for IPv4 or v6. We don't have any GUI options for controlling LAGG hashing either, though the OS supports some things there. There is a flowid reference in LAGG support but it is unrelated to IPv6, it's for allowing the NIC to control hashing. Looks like that would need to be handled by FreeBSD first as well.

Actions #2

Updated by David Horn over 6 years ago

sysctl -d net.inet6.ip6.auto_flowlabel

net.inet6.ip6.auto_flowlabel: Provide an IPv6 flowlabel in outbound packets

man inet6

IPV6CTL_AUTO_FLOWLABEL  (ip6.auto_flowlabel) Boolean: enable/disable
                 automatic filling of IPv6 flowlabel field,    for
                 outstanding connected transport protocol packets.
                 The field might be    used by    intermediate routers
                 to    identify packet    flows.    Defaults to on.

Just for reference. I'm not sure if this particular kernel knob givens the requester part of what they are looking for.

Actions #3

Updated by Jim Pingle over 6 years ago

Since that's fully automatic it doesn't appear to allow the kind of control implied in the original request. That likely only affects packets sourced from the firewall itself, as well, and not for traffic flowing through the firewall.

Actions

Also available in: Atom PDF