Re: Linking a cookie to an IP address is a very bad in 2015...

"Walter H." <Walter.H@mathemainzel.info> Sun, 05 April 2015 08:11 UTC

Message-ID: <5520ECFE.30709@mathemainzel.info>
Date: Sun, 05 Apr 2015 10:06:22 +0200
From: "Walter H." <Walter.H@mathemainzel.info>
Organization: Home
X-Mailer: Mozilla/5.0 (UNIX; U; Cray X-MP/48; en-US; rv:2.70) Gecko/20110929 Communicator/7.20
MIME-Version: 1.0
To: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
CC: Jim Manico <jim@manico.net>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
References: <D141A3E5.4146E%evyncke@cisco.com> <20150401114608.GA7832@1wt.eu> <04DD393C-711F-4C9E-B21C-B184B8972DFC@apple.com> <20150401150716.GA7871@1wt.eu> <25C792A9-56D0-452D-A46C-561A44E4F229@manico.net> <20150401151634.GB7871@1wt.eu> <CABb0SYQ5=5BHSH-JQ5XsCi_bQ8h5FN=WNPvAYkzy94Bm=yTVwg@mail.gmail.com> <551E3D00.5090501@mathemainzel.info> <CABb0SYQAOXRWL5TvD5H5g_4VDwLxF=6kzhmVgCSK8Pv7pq8Apw@mail.gmail.com> <551FB3A5.503@mathemainzel.info> <CABb0SYRUvtTdZQGZkvNVTaA_yW79Q6Pd0Uh8exjE8zErzQNbsA@mail.gmail.com> <4B01B6DC-9EE3-4501-8CE1-CEBA3F19D9D3@manico.net> <55201693.70609@mathemainzel.info> <920932BC-302C-41B4-A112-D3CB7461878C@manico.net> <D14627BF.41AEC%evyncke@cisco.com>
In-Reply-To: <D14627BF.41AEC%evyncke@cisco.com>
Subject: Re: Linking a cookie to an IP address is a very bad in 2015...
Archived-At: <http://www.w3.org/mid/5520ECFE.30709@mathemainzel.info>

Are you sure this is only NAT and not some proxies?
(These could be transparent proxies.)

If your public IP address changes even though your phone's RFC 1918 
address doesn't change, this can have a logical reason: it is not a 
given that there is only one node per mobile operator; there can be two 
or more nodes, and every node has the same DHCP range. Now you move from 
one node to the next node. If the RFC 1918 address from the first node 
is available at the second node, there is no reason to give you a 
different RFC 1918 address, but you have a different public address. The 
other case, that your RFC 1918 address from the first node is already 
taken at the second node, would not make any difference: you get a 
different RFC 1918 address, too.

When talking about Thalys, there you could probably have a seat with a 
power plug for a portable computer (please don't talk about phones), 
and maybe the train offers a public WLAN, too.

Now compare someone using this with a portable computer 
(notebook/laptop) with you and your phone, and now think of your 
session and maybe a VPN tunnel between this portable computer and 
his/her home/company: your session cannot last any longer than the VPN 
tunnel stays available without having to be reinitiated because of 
"breakdowns".

These "breakdowns" are: change of RFC 1918 address and change of public 
address.
(It would be strange if these were not.)

On 04.04.2015 23:46, Eric Vyncke (evyncke) wrote:
> On the Thalys, we usually change country (hence also mobile 
> operator) every 45 minutes :-)
>
> Else, mobile operators are heavily relying on NAT and some NAT are not 
> RFC 6888 compatible (i.e. They keep changing your public IP address 
> even if your phone RFC 1918 address stays the same).
>
> In short, NEVER link a session cookie/state to an IP address ;-)
>
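The consequence of the two positions above (a carrier NAT or border crossing changes the public address while the device and its session continue) can be made concrete with a small server-side session store that is either bound to the client IP or not. This is an added example written for this page; it is not code from the thread or from either author. The HMAC-signed cookie format, the 30-minute idle and 8-hour absolute timeouts, the request cadence of one request every 10 minutes, the address hop every 45 minutes (loosely mirroring the Thalys remark), and the RFC 5737 documentation addresses are all assumptions chosen for the simulation.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed server-side policy values; not taken from the thread.
SERVER_KEY = secrets.token_bytes(32)   # HMAC key protecting the session cookie
IDLE_TIMEOUT = 30 * 60                 # seconds without a request before expiry
ABSOLUTE_TIMEOUT = 8 * 60 * 60         # hard lifetime regardless of activity


@dataclass
class Session:
    user: str
    created: int
    last_seen: int
    last_ip: str
    ip_changes: list = field(default_factory=list)  # (time, new_ip) risk signals


class SessionStore:
    """Server-side session table. bind_ip=True is the anti-pattern under discussion."""

    def __init__(self, bind_ip: bool):
        self.bind_ip = bind_ip
        self._sessions = {}
        self.logins = 0  # how many times the user was forced to authenticate

    def login(self, user: str, client_ip: str, now: int) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, now, now, client_ip)
        self.logins += 1
        return self._cookie(sid)

    def _cookie(self, sid: str) -> str:
        # Cookie value = session id + HMAC tag; the tag, not the IP, proves authenticity.
        tag = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
        return f"{sid}.{tag}"

    def _parse(self, cookie: str):
        sid, _, tag = cookie.rpartition(".")
        expected = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
        return sid if hmac.compare_digest(tag, expected) else None

    def validate(self, cookie: str, client_ip: str, now: int):
        """Return the Session if the cookie is valid for this request, else None."""
        sid = self._parse(cookie)
        s = self._sessions.get(sid) if sid else None
        if s is None:
            return None
        if now - s.created > ABSOLUTE_TIMEOUT or now - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        if client_ip != s.last_ip:
            if self.bind_ip:
                del self._sessions[sid]            # IP-bound: any NAT hop kills the session
                return None
            s.ip_changes.append((now, client_ip))  # unbound: record it as a signal only
            s.last_ip = client_ip
        s.last_seen = now
        return s


def simulate_trip(bind_ip: bool, minutes: int = 180, step: int = 10, hop_every: int = 45):
    """Constructed scenario: one device sends a request every `step` minutes while its
    public address (RFC 5737 documentation range) changes every `hop_every` minutes,
    as a carrier NAT pool change or a border crossing would cause.
    Returns (number of logins, number of IP changes recorded on the surviving session)."""
    store = SessionStore(bind_ip)
    cookie = None
    for t in range(0, minutes, step):
        now = t * 60
        ip = f"203.0.113.{t // hop_every}"
        if cookie is None or store.validate(cookie, ip, now) is None:
            cookie = store.login("alice", ip, now)
    changes = sum(len(s.ip_changes) for s in store._sessions.values())
    return store.logins, changes


if __name__ == "__main__":
    print("IP-bound   :", simulate_trip(bind_ip=True))   # (4, 0): four logins in 3 h
    print("IP-unbound :", simulate_trip(bind_ip=False))  # (1, 3): one login, three signals
```

In the bound configuration the same legitimate user is logged out at every address hop, which is exactly the failure the thread describes; in the unbound configuration the session survives and the address changes are kept as a risk signal that can feed logging or a step-up check rather than acting as a hard kill switch. Whatever `client_ip` is used for must also be trustworthy: behind a proxy it has to come from a header your own proxy sets and strips on the way in, otherwise the value is attacker-controlled and any "binding" is meaningless.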