IPv6 (Internet Protocol version 6) is a new version of the Internet Protocol that is slowly replacing IPv4, which has been in use since the early 1970s. IP packets provisioned in accordance with IPv6 include a header containing, among other things, a source address, a destination address and a flow label.
Traditionally IP packets were routed solely based on the destination or source address. This was difficult, time consuming, and inefficient, particularly when there were multiple flows from the same source and going to the same destination, each flow containing multiple packets.
The IPv6 flow label, therefore, was designed to indicate flows of related packets sent from a source to a destination through a network. For example, all video streaming packets from company A to user B can be distinguished from file download traffic between company A and user B through the use of different flow labels, and so can be treated differently by the network. A flow typically consists of a set of IP packets having the same source and the same destination and going from a common source port/socket to a common destination port/socket. A flow is a one-way communication, with two flows being used to implement bi-directional communication. There may be multiple flows from a given end user device at a given instant.
The current IETF (Internet Engineering Task Force) specifications state that the flow label is only to be set by the source of the packets. An application or end device is the source of the packets. As a result, flow labels are assigned by an entity that is unknown and untrusted from the network's point of view. In addition, the ability of the network to provide additional treatments such as QoS or end-user correlation to the packets is very much affected by how this entity assigns the flow label values to the packets it originates.
Therefore, both the number of flows in a network and the flow classification mechanisms used to classify flows are currently under the control of the unknown and untrusted end devices/applications.
Because the source nodes are not trusted devices, various attacks against the intermediate nodes are possible. For example, a rogue source may create a different flow label for every packet, causing the intermediate nodes to create a flow state for each packet. This could quickly exhaust the intermediate node's memory and CPU processing resources.
More specifically, intermediate nodes may make routing and other QoS decisions when processing packets containing a flow label. In order to provide flow based services, these intermediate nodes maintain a flow state for each flow being tracked. Maintaining a flow state requires memory and CPU processing. In light of these problems, the use of flow labels has not been prevalent.
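The following is an added example, not part of the original text, that makes the preceding paragraphs concrete from the intermediate node's side. It parses the IPv6 fixed header (version, traffic class and the 20-bit flow label in the first 32 bits, followed by the source and destination addresses, as laid out in RFC 8200), keeps flow state keyed on (source, destination, flow label) as described above, and applies a per-source cap on tracked flows. That cap is an assumed mitigation chosen for illustration, not a mechanism the text describes: it bounds the memory a single untrusted source can consume and records which sources were refused state so an operator can review them. The addresses, labels and traffic mix in `simulate()` are constructed sample data.

```python
import struct
import ipaddress
from collections import defaultdict

IPV6_HEADER_LEN = 40  # fixed header: 8 bytes of fields plus two 16-byte addresses


def build_ipv6_header(src, dst, flow_label, traffic_class=0,
                      payload_len=0, next_header=17, hop_limit=64):
    """Build a 40-byte IPv6 fixed header. Used here only to construct sample packets."""
    if not 0 <= flow_label < (1 << 20):
        raise ValueError("flow label is a 20-bit field")
    # First 32 bits: version (4) | traffic class (8) | flow label (20)
    first_word = (6 << 28) | (traffic_class << 20) | flow_label
    return (struct.pack("!IHBB", first_word, payload_len, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)


def parse_ipv6_header(packet):
    """Return (version, traffic_class, flow_label, src, dst) from the fixed header."""
    if len(packet) < IPV6_HEADER_LEN:
        raise ValueError("truncated IPv6 header")
    first_word, _payload_len, _next_header, _hop_limit = struct.unpack("!IHBB", packet[:8])
    version = first_word >> 28
    if version != 6:
        raise ValueError(f"not an IPv6 packet (version {version})")
    traffic_class = (first_word >> 20) & 0xFF
    flow_label = first_word & 0xFFFFF
    src = str(ipaddress.IPv6Address(packet[8:24]))
    dst = str(ipaddress.IPv6Address(packet[24:40]))
    return version, traffic_class, flow_label, src, dst


class FlowStateTable:
    """Per-flow state as an intermediate node would keep it, keyed on (src, dst, flow label).

    max_flows_per_source is an assumed defensive limit (not from the text): once a source
    holds that many tracked flows, further new labels from it get no state and are counted.
    """

    def __init__(self, max_flows_per_source):
        self.max_flows_per_source = max_flows_per_source
        self.flows = {}                          # (src, dst, label) -> packet count
        self.flows_per_source = defaultdict(int)  # src -> number of tracked flows
        self.rejected = defaultdict(int)          # src -> packets refused flow state

    def process(self, packet):
        _, _, label, src, dst = parse_ipv6_header(packet)
        key = (src, dst, label)
        if key in self.flows:
            self.flows[key] += 1
            return "existing"
        if label == 0:
            return "unlabeled"  # label 0 means "no flow label"; no state is kept
        if self.flows_per_source[src] >= self.max_flows_per_source:
            self.rejected[src] += 1
            return "rejected"
        self.flows[key] = 1
        self.flows_per_source[src] += 1
        return "new"

    def suspicious_sources(self):
        """Sources that hit the cap: candidates for operator review or rate limiting."""
        return sorted(src for src, n in self.rejected.items() if n > 0)


def simulate(max_flows_per_source=8):
    """Constructed traffic: one well-behaved source, one that relabels every packet."""
    table = FlowStateTable(max_flows_per_source)
    good, bad, server = "2001:db8::10", "2001:db8::bad", "2001:db8:1::80"  # constructed
    # Well-behaved source: two long-lived flows (e.g. a video stream and a file download)
    for i in range(50):
        label = 0x11111 if i % 2 else 0x22222
        table.process(build_ipv6_header(good, server, flow_label=label))
    # Misbehaving source: a fresh label on every packet, as described in the text above
    for i in range(50):
        table.process(build_ipv6_header(bad, server, flow_label=1 + i))
    return table


if __name__ == "__main__":
    t = simulate()
    print(f"tracked flows: {len(t.flows)}; refused state: {dict(t.rejected)}")
    print("sources to review:", t.suspicious_sources())
```

Without the cap, the second source would occupy 50 table entries for 50 packets while the first occupies two for the same packet count; with it, the table stays bounded at `max_flows_per_source` entries per source and the offending source is surfaced for review.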