IETF Logo Mail Archive

Re: [arch-d] Treating "private" address ranges specially

Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com> Thu, 01 April 2021 15:31 UTC

Return-Path: <spencerdawkins.ietf@gmail.com>
X-Original-To: architecture-discuss@ietfa.amsl.com
Delivered-To: architecture-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 51D8C3A18D2 for <architecture-discuss@ietfa.amsl.com>; Thu, 1 Apr 2021 08:31:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jofat_0jGINb for <architecture-discuss@ietfa.amsl.com>; Thu, 1 Apr 2021 08:31:21 -0700 (PDT)
Received: from mail-yb1-xb31.google.com (mail-yb1-xb31.google.com [IPv6:2607:f8b0:4864:20::b31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BE5E53A18D0 for <architecture-discuss@ietf.org>; Thu, 1 Apr 2021 08:31:21 -0700 (PDT)
Received: by mail-yb1-xb31.google.com with SMTP id i144so2215853ybg.1 for <architecture-discuss@ietf.org>; Thu, 01 Apr 2021 08:31:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=iSNr5/MGT2u4/1dJsmpu/+B0vkjMkJL1PkqnKvejm1w=; b=e4k/jKCoNAxyAba1RyTpF/t3UalwJW9bnbIKHwSAQzMmuJfv0q03Xk3YYqBQjxWLfb Jy55BmibZSaCLR2D8V4fi4UwqjZUl6URY/CuacLy+KhfQZrYEYU227Teu2BuLhswAeeh WeRqiHlER4yhGlKz6U12wjbnp9uQ6AX1dqO7PyeRVUu/AjmvegVV6Ksc8Fpynn2g8ai1 AfY6xmGw/ONFLa5HaA3ZAOb3Cc+4WhGFgcBpD1PSuLOR86hX2sEUsXUSqbYoTfjbCK6N s+x61tGslmo/SOjCVe/ln9dkEE/Pn1ama/S50qz6gQvPlGvpFbgAArGyyS7MXHJj31N9 MhiQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=iSNr5/MGT2u4/1dJsmpu/+B0vkjMkJL1PkqnKvejm1w=; b=sZqlcWvbiSmPeeeSkcCwiOBlqFlEifpMF9Ym2naLHlUUMDwt89LNpsI6rDQWFl2mJE VyqBE0MYqbbBU+l1mVhqOB/4vZdO25hw2Cp7UeKFUbem/Y/WBGlrspcUVdVl/gOGVwCF Jn3eVSeVEWwQRGa2GGAviK/y8mdai8pK7lHmMJPfw2ighinOQTABfabWjLieEhISksLj M6TzuobreYDxlgTg7SjgfKV17rh2P3CjRPivKO2TA39roW9kfeiGMgPMO3YNjhw9GlB1 N6lIAwtYZO1huCQveG02/al3JxTdG1b1CUyRlMcNvvOPk0UXsb5lqHzhuxMPFDANrdCX EToA==
X-Gm-Message-State: AOAM530QtRl/QtLkFljb3zQY0fFlOZmGPAiuai0lkOb7l/Zq4/njm3gP fXM0dzRd00wfdBxaIlA1PvXm9VRvt3uUzai9kYHfQ0lcL9Y=
X-Google-Smtp-Source: ABdhPJybIYzPm/HNR6stO3Ha+MA7YvT12rBGzjfNxxJx327ty7y/YdnikJ09X7siCoXd8j04ZrIYetzuY17BFZuCEgs=
X-Received: by 2002:a25:6814:: with SMTP id d20mr12950056ybc.53.1617291078524; Thu, 01 Apr 2021 08:31:18 -0700 (PDT)
MIME-Version: 1.0
References: <4329d51a-d5ba-45b3-9fb0-6795dc6fccd3@www.fastmail.com> <CAMGpriWA4B8AThNKBOHo-bfAdQ2s5iYv8rBOB7X8UVc5GsqENA@mail.gmail.com> <CAMGpriUJkWYPyw7=oAj_GnGu2J14T3=VZYNWPZtAs870P=x0sg@mail.gmail.com> <a68636c2-5df0-46eb-8147-79ec6a992f8a@www.fastmail.com> <CAMGpriU_L8HbLFX_mMBtBXxy=XOc5BAnYgVR9R8TQO=DPvRD_g@mail.gmail.com> <F59E2FC3-19CE-4D14-9F1C-9F7125D89455@mnot.net> <CAMGpriVJCsird15oBfT=gSDTr59_yf9TkLmOSO7a9DGX0VRjOg@mail.gmail.com> <CA+9kkMB2iOA-QaCidJHVN=qqZ8TtPXV=xyfuKh+i44VzZLWG3w@mail.gmail.com> <c88bbb17-4a30-4241-af98-436ddf01ca5c@www.fastmail.com>
In-Reply-To: <c88bbb17-4a30-4241-af98-436ddf01ca5c@www.fastmail.com>
From: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>
Date: Thu, 01 Apr 2021 10:30:52 -0500
Message-ID: <CAKKJt-c8SsHLu+0F3czh8sx2uFnTOZEE_FXZXAAwHsnYxDVVPw@mail.gmail.com>
To: Martin Thomson <mt@lowentropy.net>
Cc: architecture-discuss@ietf.org
Content-Type: multipart/alternative; boundary="0000000000003be1b205beeaecf7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/architecture-discuss/kxj1sDj6m6CZkS8XK3N6waDFaBc>
Subject: Re: [arch-d] Treating "private" address ranges specially
X-BeenThere: architecture-discuss@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: open discussion forum for long/wide-range architectural issues <architecture-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/architecture-discuss>, <mailto:architecture-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/architecture-discuss/>
List-Post: <mailto:architecture-discuss@ietf.org>
List-Help: <mailto:architecture-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/architecture-discuss>, <mailto:architecture-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Apr 2021 15:31:26 -0000

I shouldn't ask, but I'd feel worse if I didn't.

On Wed, Mar 31, 2021 at 6:53 PM Martin Thomson <mt@lowentropy.net> wrote:

> Thanks everyone for the insights.
>
> I'll reply to Ted as he hit the crux of the issue most adroitly...
>
> On Wed, Mar 31, 2021, at 20:07, Ted Hardie wrote:
> > What I think this proposal would actually like to do is to determine
> > whether a resource referenced by a specific web server would also be
> > reachable by that server.
>
> That's exactly it.
>
> Brian's point about the inherent folly of making such guesses is well
> taken.
>
> It's quite clear that it is generically bad to make these sorts of
> inferences from addresses.  That's good information.
>
> The question I'm now interested in answering is whether using these as
> part of a heuristic in order to limit the scope of a change like the
> proposed is tolerable.
>
> The goal here is to close off a security loophole in how browser make
> request for a tiny slice of the total set of requests that are made.  The
> ultimate goal might be to remove the loopholes uniformly.  However, that
> would break so much stuff that a change like that would never stick.  This
> is a more narrowly-scoped approach that tries to identify conditions where
> the requests are a) more dangerous in general, and b) rare enough that any
> breaks would not be widely felt.
>
> I've pointed out some of the limitations of this approach (and several
> more have been identified, thanks!), but I haven't seen reasons here why a
> heuristic like that proposed would be strictly problematic.  Assuming that
> these shortcoming are acknowledged properly (they are not currently) is
> there any reason not to use some sort of address-based heuristic for this
> sort of purpose?
>
> I can see how building on top of this simplistic base for other purposes
> might be harmful, but is the specific action being taken inherently bad, or
> is it just not very good?  It not being very good is a totally fair
> criticism, but that will be balanced against the apparent utility here.
> This design protects the badly-secured router provided by my ISP from
> requests from the big bad Internet.  That is a tangible outcome against
> which "addressing is more complex than this design allows for" doesn't
> weigh very heavily.
>
> > First, I'm not a huge fan
> > of "ask the user" in decisions that rely on an understanding of opaque
> > inner workings of the net, and this runs that risk.
>
> I made the same comment myself.  "Not a huge fan" doesn't really cover it
> :)  I think that the "ask the user" provisions here are entirely
> misguided.  Thankfully, my understanding is that this might be implemented
> without any such controls, which would be good - at least to the extent
> that you are not happy with "ask the user" as a component in any design.
>
> Eliot raised the converse question about consent, which is to say, is
> there an override so that users can enable access to stuff that doesn't
> provide consent on its own, such as old gear.  I agree that this would be
> desirable and made similar comments; I don't know what provision is being
> made there though.
>
> > Second, I don't understand the intended client behavior
> > here if it accesses web resources via a proxy, and I didn't find any
> > mention of proxy behavior in the text.  Text about this in the final
> > document would be useful.
>
> Good point; I had not considered that, but I believe that this does not
> make special provisions for proxies.  This protection would apply if proxy
> configuration says not to use a proxy, I think.  However, this could not
> apply if the vulnerable server were contacted via proxy, that is true.
>
> > This is especially true in the
> > unfortunately large number of organizations who have repurposed
> > unrouted addresses as "extra" private address space
> > (https://teamarin.net/2015/11/23/to-squat-or-not-to-squat/ is old, but
> > the practice is far from dead).
>
> Oh yeah, I had forgotten about that.  Another good point to add to those
> Brian makes.
>

Those notes are destined to go to W3C, in some way?

I had the privilege of including "The People Who Were Unable to See the
Elephant" in
https://datatracker.ietf.org/doc/html/draft-dawkins-quic-multipath-questions-01#section-1.1
last year, and that's what this conversation feels like - I wouldn't mind
seeing the final list of comments ("this is what the private addressing
elephant looks like") after everyone finishes reporting on what they know.

There seems to be a lot to report, and the discussion seems to be jogging
the understanding of some pretty experienced people.

Best,

Spencer

v2.23.0 | Report a Bug | By Email