IETF Logo Mail Archive

[arch-d] Treating "private" address ranges specially

Martin Thomson <mt@lowentropy.net> Wed, 31 March 2021 05:24 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: architecture-discuss@ietfa.amsl.com
Delivered-To: architecture-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 49A353A1A14 for <architecture-discuss@ietfa.amsl.com>; Tue, 30 Mar 2021 22:24:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.82
X-Spam-Level:
X-Spam-Status: No, score=-2.82 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=IQaMQfqN; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=ClGKpQUF
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sigknjZuaDbb for <architecture-discuss@ietfa.amsl.com>; Tue, 30 Mar 2021 22:24:50 -0700 (PDT)
Received: from wout4-smtp.messagingengine.com (wout4-smtp.messagingengine.com [64.147.123.20]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0C10F3A1A11 for <architecture-discuss@ietf.org>; Tue, 30 Mar 2021 22:24:49 -0700 (PDT)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.west.internal (Postfix) with ESMTP id DEEAB189D for <architecture-discuss@ietf.org>; Wed, 31 Mar 2021 01:24:47 -0400 (EDT)
Received: from imap10 ([10.202.2.60]) by compute1.internal (MEProxy); Wed, 31 Mar 2021 01:24:48 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=mime-version:message-id:date:from:to:subject:content-type; s= fm1; bh=9kM/zc1Qbh6/xtZ9eOUDa7fteRUEYWf5FaB2wy21CV8=; b=IQaMQfqN 4pCNelyzCCF5UeeB0w5usB5qtXht6/aMWs7832kLhEO9UlI/BsZKQs1ZcQ07du2O 8C28CHFcAQDEmM8o1uLxYHEX/DQuCS9BNMCcIuwdL+z0YiVNXR2pkqGdauPfliu2 fExXwQqyiIts1PjrxPUAlZA90Esc+OgtMQjQCFqvFYrhlA5TIkOCXezupEbTgecR OpwDkQpbCq368lKC2roYw8LYIlDQd4LhJwApkJAZVAldj8NS81DQC3iTLasvl0x/ Gc6MM83xCC8RAD/WMPnUatO9x43vIp+zhLf0CGtJXpc3JkCruwdoNnQrct2fzfK1 4DygTEOzb9u5JA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:message-id :mime-version:subject:to:x-me-proxy:x-me-proxy:x-me-sender :x-me-sender:x-sasl-enc; s=fm2; bh=9kM/zc1Qbh6/xtZ9eOUDa7fteRUEY Wf5FaB2wy21CV8=; b=ClGKpQUFfy+jHaUHTdbUs691sb/dXWhF2Zuum1bpkj1gC T3iXgj45QPWVORzjTgDl1nzUJtagp8BBKSM4TpeRDV/nOOU/IQP4DrAl9fc1B+/7 M2w80V0/+GYCnj3TZN07HfHQogKRZgMZ3tPmnV/3UKgEPJ/Zo6suL6nmIZIy2N2A Vk+c+KSP6FJDd2/CWUzlcW8ysJur9DnP8xp7ZiQLnkdQFLA1C+lCbOOdRgRLkSge cdBuE+ZLOVrlhWiJhxoDynDPtzlLQtEXjOiizQtkOPJy0OQSONGGxEER7gL1eTmJ +KgHDz+DCaQzwSkr4xjtW4IoovZhHQxPookQB37ag==
X-ME-Sender: <xms:nwdkYEKwtPVG0ZGNwZcLIF80izbPSkRjtHENsEiTfDGsJr2KxQ42Jw> <xme:nwdkYEJ0GPWZdS9tNAMdo5hUAne2E-REd3cgU5Yzfo0zYvu0l9hxoivMV1lHpwL_O 6qI4EftHYiF7atMPD8>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrudeiuddgleegucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucgoufhushhpvggtthffohhmrghinhculdegledmne cujfgurhepofgfggfkfffhvffutgesthdtredtreertdenucfhrhhomhepfdforghrthhi nhcuvfhhohhmshhonhdfuceomhhtsehlohifvghnthhrohhphidrnhgvtheqnecuggftrf grthhtvghrnhepveehudehjefhffeivdduudefleeukeevieejteegleehtdeggfetgeeu ueeiffeinecuffhomhgrihhnpehgihhthhhusgdrihhopdhirghnrgdrohhrghenucevlh hushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehmtheslhhofigv nhhtrhhophihrdhnvght
X-ME-Proxy: <xmx:nwdkYEskFbQlWQPUGuuqYjcKRNSyUhjAlchjl45Ocma79S4AG80TmA> <xmx:nwdkYBZCo2-LkSVFsIPZ2rFRFLYdWzesrNiyZTpEX-dwHt_YVGAmkg> <xmx:nwdkYLarbnKCNc_lcuJHXCu1R8qPvV0pBUWWdBwvHpdMgwOF1L0Gfw> <xmx:nwdkYEkhnukYrxX8y2Ma05-7skFVVAu1a94srIErFFSoFHr1vTDUlw>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 41FB34E0160; Wed, 31 Mar 2021 01:24:47 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.5.0-alpha0-273-g8500d2492d-fm-20210323.002-g8500d249
Mime-Version: 1.0
Message-Id: <4329d51a-d5ba-45b3-9fb0-6795dc6fccd3@www.fastmail.com>
Date: Wed, 31 Mar 2021 16:24:17 +1100
From: Martin Thomson <mt@lowentropy.net>
To: architecture-discuss@ietf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/architecture-discuss/eYJ6XLyuzYxcwuYSm334W2F-72Y>
Subject: [arch-d] Treating "private" address ranges specially
X-BeenThere: architecture-discuss@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: open discussion forum for long/wide-range architectural issues <architecture-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/architecture-discuss>, <mailto:architecture-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/architecture-discuss/>
List-Post: <mailto:architecture-discuss@ietf.org>
List-Help: <mailto:architecture-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/architecture-discuss>, <mailto:architecture-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Mar 2021 05:24:55 -0000

There is a proposal to add extra controls to the Web to prevent servers on the "public" Internet from connecting to "private" resources without consent:

https://wicg.github.io/private-network-access/

The short story here is that the Web has always included was in which browsers aim to protect themselves from the repercussions of their actions on networks that have insecure local services.  Basically, the browser asks the service for permission before it makes requests.  However, in the interest of compatibility, these protections have always had exceptions where no such permission was requested.  This proposal simply eliminates those exceptions for "private" addresses.

The way that this works is fairly simple.  The IPv4 and IPv6 special-purpose address registries [1][2] have a "globally reachable" flag.  If this flag is false, then a browser will always ask for permission before using a service on one of those addresses.  The browser will look for a new signal from the server (one that is unlikely to appear purely by accident) before it continues to make requests.  There's another similar protection when going from non-globally reachable addresses to loopback addresses.

(Note that this doesn't prevent cross-protocol attacks; it assumes that the server is talking HTTP.  HTTP is not that great at cross-protocol attacks, but there is a separate blocklist for ports that aims to manage that.)

The question then: is this is a reasonable approach for minimizing harm?  Is this sort of approach consistent with the vision for the addressing architecture, or is this an abuse of these flags?  Are there guidelines that we might follow in treating addresses based on their attributes?

My read here is that this is in line with design intent, but I claim no particular expertise with respect to the addressing architecture.  From my perspective, closing consent loopholes is a good thing.

Obviously, there is a school of thought that says if you stand up a networked service, then you need to protect it properly.  This isn't about ensuring that you use HTTPS or that you properly authorize access to resources that should be protected.  This is about browsers taking steps to avoid being complicit in attacks on services that aren't properly protected.

I should also point out that there is no protection conferred if a service is reachable via an address in a globally reachable space.  The proposal doesn't really acknowledge this possibility, but it's implied.

Cheers,
Martin


[1] https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
[2] https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml

v2.23.0 | Report a Bug | By Email