IETF Logo Mail Archive

Re: [arch-d] Treating "private" address ranges specially

Ted Hardie <ted.ietf@gmail.com> Thu, 01 April 2021 09:37 UTC

Return-Path: <ted.ietf@gmail.com>
X-Original-To: architecture-discuss@ietfa.amsl.com
Delivered-To: architecture-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D1F63A126C for <architecture-discuss@ietfa.amsl.com>; Thu, 1 Apr 2021 02:37:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i5xgeULVabGB for <architecture-discuss@ietfa.amsl.com>; Thu, 1 Apr 2021 02:37:19 -0700 (PDT)
Received: from mail-ot1-x330.google.com (mail-ot1-x330.google.com [IPv6:2607:f8b0:4864:20::330]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0725C3A122C for <architecture-discuss@ietf.org>; Thu, 1 Apr 2021 02:37:18 -0700 (PDT)
Received: by mail-ot1-x330.google.com with SMTP id h6-20020a0568300346b02901b71a850ab4so1561298ote.6 for <architecture-discuss@ietf.org>; Thu, 01 Apr 2021 02:37:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=+nob+s9zW14gpmKc7xV7orUhfiPgoHPnMIhz8/Aa6n0=; b=QXmO5F6MdiTHLElhhpX6ey2xEsbCEBYGE0EcNV0Ur8UjbccDqBeQ+3KNQL2JzMFzwR sjKnZVtvb3qhQT6AYVQjMNrsECs3tGhm6n9SP5oA/ZtITQYU9+Nyj5IPGx+2u2I/LWuh izl8rUv3PhPxMa2QcGIgWG/iojMOFLwG74JIDmxhNblpFJcr5aMc93G0oJecYCc2nyO2 hIlbGa3qrCIlWRMFeHBMiX17KnJkRGjOztP+0QmdVK/5r+v9DziQv0xLZHaD4FWn4gAd cwpZ1km/i54ojzyzNjB3qY6sgRbuFrGHyAOx3RnDSCbXIab2jHMqJaFLCHPlVRgyJ4BX jxhQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=+nob+s9zW14gpmKc7xV7orUhfiPgoHPnMIhz8/Aa6n0=; b=PgkuLf6GHq3SSIjz/edz71sKaSPekEtZIk1XJT8NzeqL5Q1qUGtc8cP/AivM46iwm7 GvGWR/ynR5qm+nuzE1u1L2WU19Uf2i7yBDu52F5CVdXOsGHY1wM+JkRVA7Ku0OOwkWd+ d9zDnmJp03Ufvjds+qs9mNlZ4wV47NWhOzyLsaeQQciuI4CrAxuCvL8oOBK+nH7PKX3d miLawtyd81hRS7pJXOGt0uI4Q75+dEsn9C6t/dVixujUDReLGgPPUQtuyZM4ZYL2RbFE s1NyGmQWu5s/wv7YVhRPqjawmX+HxoFkpahP/TxjkXbCn0SMy/LuRB+JI3hERkZGQK5b sTvw==
X-Gm-Message-State: AOAM530Mbr/5mm/WxV/C0DfJkNBVYUTYRiWkfpU2/d7iD4GpbbOoFCn1 DZ0K5PM76m2kqUE56PquPYhoGuwLWZO3YG3yGyOnUjVu5TtuuQ==
X-Google-Smtp-Source: ABdhPJxqdQm8Sx/bLTpKiIQEcn8UuNjnNx8yiRi9H2YG3uAyPEEY5oAPipw13wQiT4vPr0fCPokB0HdNLE4y1vycH10=
X-Received: by 2002:a05:6830:1515:: with SMTP id k21mr6077982otp.269.1617269836560; Thu, 01 Apr 2021 02:37:16 -0700 (PDT)
MIME-Version: 1.0
References: <4329d51a-d5ba-45b3-9fb0-6795dc6fccd3@www.fastmail.com> <CAMGpriWA4B8AThNKBOHo-bfAdQ2s5iYv8rBOB7X8UVc5GsqENA@mail.gmail.com> <CAMGpriUJkWYPyw7=oAj_GnGu2J14T3=VZYNWPZtAs870P=x0sg@mail.gmail.com> <a68636c2-5df0-46eb-8147-79ec6a992f8a@www.fastmail.com> <CAMGpriU_L8HbLFX_mMBtBXxy=XOc5BAnYgVR9R8TQO=DPvRD_g@mail.gmail.com> <F59E2FC3-19CE-4D14-9F1C-9F7125D89455@mnot.net> <CAMGpriVJCsird15oBfT=gSDTr59_yf9TkLmOSO7a9DGX0VRjOg@mail.gmail.com> <CA+9kkMB2iOA-QaCidJHVN=qqZ8TtPXV=xyfuKh+i44VzZLWG3w@mail.gmail.com> <c88bbb17-4a30-4241-af98-436ddf01ca5c@www.fastmail.com>
In-Reply-To: <c88bbb17-4a30-4241-af98-436ddf01ca5c@www.fastmail.com>
From: Ted Hardie <ted.ietf@gmail.com>
Date: Thu, 01 Apr 2021 10:36:50 +0100
Message-ID: <CA+9kkMD0AGtzCFRTJDAHZODadBqeFhAGircz6EppVs4Rj9U2sQ@mail.gmail.com>
To: Martin Thomson <mt@lowentropy.net>
Cc: architecture-discuss@ietf.org
Content-Type: multipart/alternative; boundary="0000000000001d3ba405bee5fa59"
Archived-At: <https://mailarchive.ietf.org/arch/msg/architecture-discuss/o-6BBhU3rYq7EypoqK1ahroRHk8>
Subject: Re: [arch-d] Treating "private" address ranges specially
X-BeenThere: architecture-discuss@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: open discussion forum for long/wide-range architectural issues <architecture-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/architecture-discuss>, <mailto:architecture-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/architecture-discuss/>
List-Post: <mailto:architecture-discuss@ietf.org>
List-Help: <mailto:architecture-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/architecture-discuss>, <mailto:architecture-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Apr 2021 09:37:24 -0000

I've snipped almost everything to give a narrow response to your follow-up
question.

On Thu, Apr 1, 2021 at 12:53 AM Martin Thomson <mt@lowentropy.net> wrote:


> The question I'm now interested in answering is whether using these as
> part of a heuristic in order to limit the scope of a change like the
> proposed is tolerable.
>
> The goal here is to close off a security loophole in how browser make
> request for a tiny slice of the total set of requests that are made.  The
> ultimate goal might be to remove the loopholes uniformly.  However, that
> would break so much stuff that a change like that would never stick.  This
> is a more narrowly-scoped approach that tries to identify conditions where
> the requests are a) more dangerous in general, and b) rare enough that any
> breaks would not be widely felt.
>
> I've pointed out some of the limitations of this approach (and several
> more have been identified, thanks!), but I haven't seen reasons here why a
> heuristic like that proposed would be strictly problematic.  Assuming that
> these shortcoming are acknowledged properly (they are not currently) is
> there any reason not to use some sort of address-based heuristic for this
> sort of purpose?
>
> I can see how building on top of this simplistic base for other purposes
> might be harmful, but is the specific action being taken inherently bad, or
> is it just not very good?  It not being very good is a totally fair
> criticism, but that will be balanced against the apparent utility here.
> This design protects the badly-secured router provided by my ISP from
> requests from the big bad Internet.  That is a tangible outcome against
> which "addressing is more complex than this design allows for" doesn't
> weigh very heavily.
>

My personal take is that this does not do what it says on the tin, and that
deploying a security mitigation that doesn't do what it says it does is
inherently bad.

As Toerless pointed out, the simple designations tell you whether something
is *potentially* globally routable or *potentially* private.  In
organizations that got lots of globally routable space, parts of it were
carved into limited reachability domains.  Those are just as private for
those organizations as those marked in the IANA registry.  They are not
protected by this, but in the presence of this method, the organizations
might assume those private addresses were (and the number of organizations
with sufficient address space to do this in IPv6-land is not small).  There
are lots of other organizations that have deployed methods to make IP
address space that is nominally private actually have a greater scope.
They would lose the ability to reference resources that should be
reachable.  That breaks the character of the web.

Mapping the reachability overlap of two hosts on the network is,
unfortunately, a complex problem in the current Internet.  I don't think
that this registry-based approach is a sound basis for tackling the
problem.

Just my two cents,

Ted Hardie

v2.23.0 | Report a Bug | By Email