Feature #8599
IPv6 flow labels
Status: open
Description
Here's a short list of possible uses for IPv6 flow labels in pfSense:
- Ability to apply QoS based on IPv6 flow labels
- Using the IPv6 Flow Label for Load Balancing in Server Farms [https://tools.ietf.org/html/rfc7098]
- Utilize IPv6 flow labels in Equal Cost MultiPath (ECMP) or Link Aggregation (LAG) implementations [https://tools.ietf.org/html/rfc6438]
Windows 10 now populates IPv6 flow labels by default: [https://blogs.technet.microsoft.com/networking/2017/07/13/core-network-stack-features-in-the-creators-update-for-windows-10/]
Beginning with the Creators Update, outbound TCP and UDP packets over IPv6 have this field set to a hash of the 5-tuple (Src IP, Dst IP, Src Port, Dst Port). Middleboxes can use the FlowLabel field to perform ECMP for un-encapsulated native IPv6 traffic without having to parse the transport headers. This will make IPv6-only datacenters doing load balancing or flow classification more efficient.
FreeBSD also includes support for IPv6 flow labels.
Thanks
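An added example, not part of the original ticket and not pfSense or FreeBSD code: how a middlebox could choose an ECMP path from the 40-byte IPv6 fixed header alone, hashing the source address, destination address and flow label as RFC 6438 describes, without parsing transport headers. The addresses, the next-hop names and the use of SHA-256 as the hash are assumptions made for illustration.

```python
import hashlib
import ipaddress
import struct

IPV6_HEADER_LEN = 40  # fixed IPv6 header size in bytes


def build_ipv6_header(src, dst, flow_label, next_header=6, payload_len=0):
    """Build a constructed 40-byte IPv6 fixed header (sample input only)."""
    if not 0 <= flow_label <= 0xFFFFF:
        raise ValueError("flow label is a 20-bit field")
    vtf = (6 << 28) | flow_label  # version 6, traffic class 0
    return (struct.pack("!IHBB", vtf, payload_len, next_header, 64)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)


def parse_ipv6_header(packet):
    """Return (src, dst, flow_label) using only the fixed header."""
    if len(packet) < IPV6_HEADER_LEN:
        raise ValueError("truncated IPv6 header")
    (vtf,) = struct.unpack("!I", packet[:4])
    if vtf >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return packet[8:24], packet[24:40], vtf & 0xFFFFF


def ecmp_next_hop(packet, next_hops):
    """Pick a next hop from the 3-tuple {src, dst, flow label} (RFC 6438)."""
    src, dst, flow_label = parse_ipv6_header(packet)
    # A zero label still hashes, but every flow between the same two
    # addresses then lands on the same path.
    key = src + dst + flow_label.to_bytes(3, "big")
    # SHA-256 is a stand-in hash chosen for this example (assumption).
    bucket = int.from_bytes(hashlib.sha256(key).digest()[:4], "big")
    return next_hops[bucket % len(next_hops)]


if __name__ == "__main__":
    hops = ["uplink-a", "uplink-b", "uplink-c", "uplink-d"]  # hypothetical
    for label in (0x00000, 0x12345, 0xABCDE):  # constructed labels
        pkt = build_ipv6_header("2001:db8::10", "2001:db8:ffff::1", label)
        print(f"flow label {label:#07x} -> {ecmp_next_hop(pkt, hops)}")
```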
Updated by Jim Pingle over 6 years ago
- Category set to Rules / NAT
- Priority changed from Normal to Very Low
Looks like ipfw can match, but not set the IPv6 flow-id. I don't see any reference to a similar function to match in pf, and thus neither would have a way to set the flow-id. Limiters use ipfw/dummynet but the rules are still created through pf, so again, no way to match or set the flow-id. So that isn't going to be possible. You can ask upstream in FreeBSD if that can be added to pf, and we could pick up support for that if they add it.
For load balancing, that would maybe be found in the HAProxy package. Since someone from HAProxy wrote that RFC, you may be in luck there. The HAProxy package maintainer may want to look into that eventually. That should be moved to a separate ticket in the pfSense Packages area here.
For ECMP/LAGG, I don't see that as supported in FreeBSD but if you can point out where it is, I can take a look. ECMP isn't supported currently for IPv4 or v6. We don't have any GUI options for controlling LAGG hashing either, though the OS supports some things there. There is a flowid reference in LAGG support but it is unrelated to IPv6, it's for allowing the NIC to control hashing. Looks like that would need to be handled by FreeBSD first as well.
Updated by David Horn over 6 years ago
sysctl -d net.inet6.ip6.auto_flowlabel
net.inet6.ip6.auto_flowlabel: Provide an IPv6 flowlabel in outbound packets
man inet6
IPV6CTL_AUTO_FLOWLABEL (ip6.auto_flowlabel) Boolean: enable/disable automatic filling of IPv6 flowlabel field, for outstanding connected transport protocol packets. The field might be used by intermediate routers to identify packet flows. Defaults to on.
Just for reference. I'm not sure if this particular kernel knob gives the requester part of what they are looking for.
Updated by Jim Pingle over 6 years ago
Since that's fully automatic it doesn't appear to allow the kind of control implied in the original request. That likely only affects packets sourced from the firewall itself, as well, and not for traffic flowing through the firewall.