Re: [arch-d] Treating "private" address ranges specially

Mark Nottingham <mnot@mnot.net> Wed, 31 March 2021 07:16 UTC

From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <CAMGpriU_L8HbLFX_mMBtBXxy=XOc5BAnYgVR9R8TQO=DPvRD_g@mail.gmail.com>
Date: Wed, 31 Mar 2021 18:15:48 +1100
Cc: Martin Thomson <mt@lowentropy.net>, architecture-discuss@ietf.org
Message-Id: <F59E2FC3-19CE-4D14-9F1C-9F7125D89455@mnot.net>
References: <4329d51a-d5ba-45b3-9fb0-6795dc6fccd3@www.fastmail.com> <CAMGpriWA4B8AThNKBOHo-bfAdQ2s5iYv8rBOB7X8UVc5GsqENA@mail.gmail.com> <CAMGpriUJkWYPyw7=oAj_GnGu2J14T3=VZYNWPZtAs870P=x0sg@mail.gmail.com> <a68636c2-5df0-46eb-8147-79ec6a992f8a@www.fastmail.com> <CAMGpriU_L8HbLFX_mMBtBXxy=XOc5BAnYgVR9R8TQO=DPvRD_g@mail.gmail.com>
To: Erik Kline <ek.ietf@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/architecture-discuss/mSUzKuMtAtoh6MSK2LctAx0nKHw>
Subject: Re: [arch-d] Treating "private" address ranges specially


> On 31 Mar 2021, at 6:07 pm, Erik Kline <ek.ietf@gmail.com> wrote:
> 
> On Tue, Mar 30, 2021 at 11:21 PM Martin Thomson <mt@lowentropy.net> wrote:
> > On Wed, Mar 31, 2021, at 17:17, Erik Kline wrote:
> > > My mistake.  I think the key text I didn't properly absorb was "the
> > > current url's host".
> > 
> > :) Yes, though if you have name resolution that produces a ULA (which might happen in mDNS), then you would be contacting a "private" address.
> 
> I will say that this approach would seem to functionally treat all private spaces as equivalent.  It's fairly easy to think of there being, essentially, _one_ public sphere, but I think in practice there can be many different private spaces.  I'm not sure how well that will play out [1], but maybe it's no worse than today.
> 
> [1] I'm imagining a client w/ a private address and VPNs to two different organizations using two different private spaces.  Now a web page from ORG1's private address space can cause the client to issue queries to ORG2's privately addressed resources.

Is that the case? My understanding is that this proposal only reduces privilege when interacting with resources that are considered private, it doesn't add new privileges.  But I could misunderstand.

Cheers,


--
Mark Nottingham   https://www.mnot.net/
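An added worked example of the address-space comparison this thread turns on. It is not code from the thread, from the proposal under discussion, or from any browser: the range table, the three-level ordering (local, private, public) and every address in it are constructed assumptions, and the two-VPN case from Erik's footnote [1] is modelled with one RFC 1918 block per organisation.

```python
import ipaddress

# Assumed three-level address-space model, modelled on the kind of rule the
# thread is discussing (target compared with "the current URL's host"); it is
# not quoted from any specification. Loopback counts as "local", the RFC 1918,
# link-local and ULA ranges as "private", everything else as "public".
LOCAL_RANGES = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128")]
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "169.254.0.0/16",                                  # IPv4 link-local
    "fc00::/7",                                        # IPv6 ULA (RFC 4193)
    "fe80::/10",                                       # IPv6 link-local
)]

# Lower rank means less public. A fetch is a "private network request" only
# when the target's rank is strictly lower than the initiator's.
RANK = {"local": 0, "private": 1, "public": 2}


def address_space(addr: str) -> str:
    """Classify one IP literal as 'local', 'private' or 'public'."""
    ip = ipaddress.ip_address(addr)
    # An IPv4-mapped IPv6 literal (::ffff:a.b.c.d) must be judged by the
    # embedded IPv4 address, or an IPv6-only range check would call it public.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if any(ip.version == net.version and ip in net for net in LOCAL_RANGES):
        return "local"
    if any(ip.version == net.version and ip in net for net in PRIVATE_RANGES):
        return "private"
    return "public"


def is_private_network_request(initiator_addr: str, target_addr: str) -> bool:
    """True when the target sits in a less public space than the initiator.

    The check only ever adds a restriction: a fetch that stays within one
    space, or moves toward the public side, is left exactly as it was.
    """
    return RANK[address_space(target_addr)] < RANK[address_space(initiator_addr)]


def two_vpn_scenario() -> dict:
    """Erik's footnote [1] with constructed addresses.

    ORG1 and ORG2 each use their own RFC 1918 block, but the model has a
    single "private" bucket, so a page served from ORG1's space reaching an
    ORG2 host is not treated as a private network request.
    """
    org1_page = "10.1.0.5"        # constructed: ORG1 intranet web server
    org2_host = "192.168.50.7"    # constructed: ORG2 host over a second VPN
    public_page = "203.0.113.10"  # constructed: documentation-range public address
    return {
        "org1_to_org2": is_private_network_request(org1_page, org2_host),
        "public_to_org2": is_private_network_request(public_page, org2_host),
        "org1_to_loopback": is_private_network_request(org1_page, "127.0.0.1"),
    }


if __name__ == "__main__":
    for label, flagged in two_vpn_scenario().items():
        print(f"{label}: {'restricted' if flagged else 'not restricted'}")
```

Because both organisations' ranges land in the same "private" bucket, `org1_to_org2` is not flagged while a public page reaching the same ORG2 host is; that is the collapsing of distinct private spaces the footnote describes. The comparison itself never lifts a restriction the initiator did not already have, which is the reading Mark's reply gives of the proposal. A ULA handed back by mDNS resolution, as in Martin's remark, classifies as "private" under this table too, and the IPv4-mapped case is handled explicitly because it is an easy way for a range check to mis-classify an RFC 1918 target as public.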