IETF Logo Mail Archive

Re: Link-local connectivity in Web browsers

David Schinazi <dschinazi.ietf@gmail.com> Tue, 27 February 2024 02:37 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=ietf.org@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC1C8C14CF1D for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 26 Feb 2024 18:37:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.856
X-Spam-Level:
X-Spam-Status: No, score=-2.856 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=w3.org header.b="VpuCPIpZ"; dkim=pass (2048-bit key) header.d=w3.org header.b="KZQnbz3T"; dkim=pass (2048-bit key) header.d=gmail.com header.b="lV0gqu8Z"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YN1Su_UwxI8Z for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 26 Feb 2024 18:37:52 -0800 (PST)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC1D6C14F74E for <httpbisa-archive-bis2Juki@ietf.org>; Mon, 26 Feb 2024 18:37:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=w3.org; s=s1; h=Subject:Content-Type:Cc:To:Message-ID:Date:From:In-Reply-To: References:MIME-Version:Reply-To; bh=1+/uDd/0zPRn+yPpc07Ast1h5Uk5ZuI8DCqftJcynrU=; b=VpuCPIpZlta9AkrwdvTpNdukt9 htDfnoLFvtqWkU/AotjYURQwUfxgTZ2K8YQrGcqVqKNE/xM8tMbzNAXqSedCqk7TmEZkR7ntKZAS9 GGPUiY1B0HnBo88OfGbvpAJ4YJQQ84OvLsizttrYyTj2h1S7O5MgANjz6q3Ib/sQCWInVBFOh4NXC xT6C2KypGMwVkc3b+pcq3r47jdIUr9SMOqNXDKvW4OeS5Mu8YnEpZjvMr3Z1Ibt5o2KdprzEY/JUD 0gM2rewMQ5H531MYl+4ESAwKl+qsIq2/zBUizUx+5oFEDP8ZC5Z2gl+Y/g7ZyDoUwLsE3hLT60NOJ QhaoYoCA==;
Received: from lists by lyra.w3.org with local (Exim 4.94.2) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1renLg-0012wM-DS for ietf-http-wg-dist@listhub.w3.org; Tue, 27 Feb 2024 02:37:40 +0000
Resent-Date: Tue, 27 Feb 2024 02:37:40 +0000
Resent-Message-Id: <E1renLg-0012wM-DS@lyra.w3.org>
Received: from pan.w3.org ([3.222.182.102]) by lyra.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <dschinazi.ietf@gmail.com>) id 1renLe-0012v5-3I for ietf-http-wg@listhub.w3.org; Tue, 27 Feb 2024 02:37:38 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=w3.org; s=s1; h=Content-Type:Cc:To:Subject:Message-ID:Date:From:In-Reply-To: References:MIME-Version:Reply-To; bh=1+/uDd/0zPRn+yPpc07Ast1h5Uk5ZuI8DCqftJcynrU=; t=1709001458; x=1709865458; b=KZQnbz3TaSsmueUjh7qMuATVFxZ1K37SRCwcBO/Oqj9oTZaOz8b2oUbgb8KKfd+9q1KhovjjlX0 enSMf2ippfQtW4G1KWkKGKm4OmwUZ6pZRe83iTyHRvOjeGBWDCBnDloHuOPodgXEZ9B6ibu79OwoX Jb7YOyBZCyOjWH5Tos7UMvA3tkutfU/jAV73sZI4rVdrkMd9q4fiSgToVGNiuc+Sd9QxWUD9EOKEq MzA6fWulGOW3vQa5PzVEBV1OV56CTH+6yQvaPP1GUsi2beVlH8b4O5KFQZXtjV+xF48ueX0fJIfkF j4JP5z87y2IIR7OAj1kM1b5dmZjXJhWXx6og==;
Received-SPF: pass (pan.w3.org: domain of gmail.com designates 2a00:1450:4864:20::12d as permitted sender) client-ip=2a00:1450:4864:20::12d; envelope-from=dschinazi.ietf@gmail.com; helo=mail-lf1-x12d.google.com;
Received: from mail-lf1-x12d.google.com ([2a00:1450:4864:20::12d]) by pan.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from <dschinazi.ietf@gmail.com>) id 1renLc-004ZoT-0G for ietf-http-wg@w3.org; Tue, 27 Feb 2024 02:37:37 +0000
Received: by mail-lf1-x12d.google.com with SMTP id 2adb3069b0e04-512fb30dbc9so1823941e87.2 for <ietf-http-wg@w3.org>; Mon, 26 Feb 2024 18:37:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1709001451; x=1709606251; darn=w3.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=1+/uDd/0zPRn+yPpc07Ast1h5Uk5ZuI8DCqftJcynrU=; b=lV0gqu8Z0RlEd2vZ5/Trg/LMnqKYgSlUSCFWB+yAIctT8LH+M4+xedP/aD0AeL/EiM aCBRveWApPMXX05Q6ZsBX60ObYr3sjdtxYo+g+KyvZpky12ek7wM/eGuJI7PnWGfPFtf CD5k5hkf7oHFrN2an1weTO24BtvqtjzryLZQY7u4ImXC1GWY72glevAFUm2TLCW57gEf 9aKcOVQBfLVgTNIubfekZdx9so6iylcdSVZeffG++7CblR++hpbbVkvTlfxiJ9yl1zWL WCk/pYDUV8PT4Z20Nl0OZORgKd3Wb8UIeYn0ahZD+FsstezP/HhNrKL1+8OxT6+/jI5d QpOw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1709001451; x=1709606251; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=1+/uDd/0zPRn+yPpc07Ast1h5Uk5ZuI8DCqftJcynrU=; b=Ak0gLrcVOHiadXNH4LlJvSMpJFTDTwzPY2BT9+h4LOtbtcxlMxgx34yvDCVZ2KIhbY 7UT2XL6lUsR5EtJwExVoTIoIUePNXPm31os9NfA+yoqJfKlGlPUEFqdsFk5B09F91X+0 FklxcXpWwb5K2S6SKeETBIBG/YgE4jpUlDRYy5ONrQ7hnSL2HSxfKnka+uJ5CWODuaUI OzUM2sUGmD3qRp5PRkjsy5F5QUw7MdySGMla9pZZDFCafr7l9aS/1c8lyNFU8wLlXcTR UqUJvKmdCAdoz/cUKD3JlgJlnmYgQW8o/TcwJIVjcR9gYE+avJiZ1hogRK1Zvt0AxKaU vq4w==
X-Forwarded-Encrypted: i=1; AJvYcCVNX/2RqpNa1G2xiL3e8NkdJTO0nfTqCKN1ekewgItewhDiIe1myScgCkZCnItyVT/45zKPnTQL+RLObVUPoihSr3WA
X-Gm-Message-State: AOJu0YwdaJTzdWb4xBJ780sC6gp6pnIyETAPPqi8YcnGzzfeiTxyAdSJ J9My0Z1Y2gsTQ2jWErWA88GeZdsDUawnaabrLEGkXHJF36PxV1xfa+CprM6IhsfcX2F5ixEpoST /LlU7FrTKvv8jIq+txu9XcqtAh+w=
X-Google-Smtp-Source: AGHT+IE6xu2B+n0uozDJOvNY9zHSmPhHBWJHS15jDff2lpegipbihtkkgFQ9iuQLVBMZdTdQS6UA9aN3mYYqeswj6J0=
X-Received: by 2002:a05:6512:1253:b0:512:f307:71b0 with SMTP id fb19-20020a056512125300b00512f30771b0mr5959357lfb.7.1709001451145; Mon, 26 Feb 2024 18:37:31 -0800 (PST)
MIME-Version: 1.0
References: <CAPDSy+7h3SSeKyA2CUazyWWsUi6+xhn2i91zNW1uz4NhgOGkug@mail.gmail.com> <AA46BAE0-EEC9-4985-AEFC-DF2423C9E582@msweet.org> <Zdamt16camKdi-z8@faui48e.informatik.uni-erlangen.de> <22C7EB50-FA1F-4DD5-9A92-ACAF54DD5B3C@msweet.org> <ZdfHM64RdHLHXQ4H@faui48e.informatik.uni-erlangen.de> <SA1PR15MB4370D9A3CB02716FB228D59EB35A2@SA1PR15MB4370.namprd15.prod.outlook.com> <Zd01iJLSs4qWnjEj@faui48e.informatik.uni-erlangen.de> <CAPDSy+5qHB0ih19aC=R5gM2j1z01x9goa=EXV=kYOj-1TaGE9g@mail.gmail.com> <Zd1IlafNogGHtaWK@faui48e.informatik.uni-erlangen.de>
In-Reply-To: <Zd1IlafNogGHtaWK@faui48e.informatik.uni-erlangen.de>
From: David Schinazi <dschinazi.ietf@gmail.com>
Date: Mon, 26 Feb 2024 18:37:19 -0800
Message-ID: <CAPDSy+6B+07vm_cZbhDvWo=AOkyP-jMLC-Jx9bbEEVv4yBV5sA@mail.gmail.com>
To: Toerless Eckert <tte@cs.fau.de>
Cc: Ben Schwartz <bemasc@meta.com>, Michael Sweet <msweet@msweet.org>, HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary="0000000000006a8d0d061253e81f"
X-W3C-Hub-DKIM-Status: validation passed: (address=dschinazi.ietf@gmail.com domain=gmail.com), signature is good
X-W3C-Hub-Spam-Status: No, score=-9.1
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: pan.w3.org 1renLc-004ZoT-0G 9a0f52cb0107dfe860aae0d6cf44cc34
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Link-local connectivity in Web browsers
Archived-At: <https://www.w3.org/mid/CAPDSy+6B+07vm_cZbhDvWo=AOkyP-jMLC-Jx9bbEEVv4yBV5sA@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/51838
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/email/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Hi Toerless,

As discussed in previous email in the quite lengthy threads about
draft-schinazi-httpbis-link-local-uri-bcp, draft-carpenter-6man-zone-ui,
and draft-ietf-6man-rfc6874bis, you can't magically change how the origin
is used without considering all of the numerous places where the origin is
used, especially for security decisions. That means significant
standardization work, and also significant implementation work.
Implementers of HTTP have indicated their disinterest in performing that
work.

David


On Mon, Feb 26, 2024 at 6:27 PM Toerless Eckert <tte@cs.fau.de> wrote:

> Thanks, David.
>
> Neverthless i do not see a technical issue to extend what rfc9110 says
> about transmitting origin by e.g. not including local context (such as
> zone_id).
>
> The examples i think show that if we want to support the whole IPv4/IPv6
> addressing architecture as well as also ambiguous domain names, that
> origin is not necessarily 1:1 between client and server except for
> the simple case
>
>   - the client may need to distinguish zone_id
>   - the server may need to distinguish client-source-ip-address (source
> country).
>
> And the problems aren't related only to IPv6 link-local.
>
> Cheers
>     Toerless
>
> On Mon, Feb 26, 2024 at 05:14:12PM -0800, David Schinazi wrote:
> > Hi Toerless,
> > The IP address is sent in the Host header.
> > David
> >
> > On Mon, Feb 26, 2024 at 5:06 PM Toerless Eckert <tte@cs.fau.de> wrote:
> >
> > > On Mon, Feb 26, 2024 at 03:10:35PM +0000, Ben Schwartz wrote:
> > > > I think it would help if this draft discussed scoping of cookies (and
> > > other HTTP client state).  In particular, I shouldn't be able to
> vacuum up
> > > your home "printer-123.local"'s cookies just by naming myself
> > > "printer-123.local" on the coffee-shop network.  Client state for
> .local
> > > domains needs to be partitioned by network to avoid these attacks.
> > >
> > > Not sure how to actually trigger the attack unless the user actively
> > > connects to
> > > that attacker in the coffee-shop explicitly, but architecturally you
> are
> > > of course
> > > putting the finger on the problem.
> > >
> > > Not sure if this problem has an existing technial term, but i would
> call
> > > it "ambiguous name/addresses".
> > >
> > > My last experience with this was when i set up a second Internet
> > > connection at home for
> > > reliability and other reasons, both Internet connections then had the
> same
> > > vendors type of
> > > router (Germany, AVM "Fritzbox"), both using the same IP address
> > > 192.168.178.1 and mDNS
> > > name fritz.box (*).
> > >
> > > So, oviously, when i connect my notebook from the SSID for one internet
> > > connection to the
> > > SSID of the other internet connection i do get all type of crappy
> > > web-browser results, because
> > > there are all type of incompatible cached web pages from the prior
> SSID's
> > > routers web interface.
> > >
> > > The same of course is happening, when i am streaming content from some
> > > web-page,
> > > and then i am changing my network path to come in via another country,
> > > because those domain name
> > > are actually offering differnt services depending how i arrive at them,
> > > and hence cached
> > > web-page information is really incorrect after such a change. Again, it
> > > does not depend
> > > on whether i am using an anycast address or a domain name, i am just
> > > running into use-cases
> > > that show the fact that even supposedly global names/addresses are not
> > > really global, but
> > > will also depend on the routing path.
> > >
> > > So, if i was to generalize this problem, i end up with:
> > >
> > >     https://<dnsname>%<network-context>/..
> > >     https://<ipaddress>%<network-context>/..
> > >
> > > Aka: IMHO i can pefecty well disambiguate these cases by adding
> > > network-context to the origin
> > > which is only evaluated by te local host. David Schinazi is pointing
> out
> > > that RFC9110 says that
> > > all part of the origin need to be sent to the remote system, and that
> may
> > > be a problem for
> > > ambiguous DNS names, but AFAIK it would not be a problem for
> IP-addresses,
> > > becasue they
> > > are not sent in server_name in TLS nor AFAIK in the Host: header. So
> even
> > > without a %zone_id,
> > > i think the RFC9110 statement is correct - i may be wrong.
> > >
> > > In any case, that's what i was trying to get bck from David, but have
> not
> > > seen a reply to my
> > > repeated asks to him about it.
> > >
> > > Cheers
> > >     Toerless
> > >
> > > (*) I think AVM came up with their .box pseudo TLS before they
> understood
> > > .local, and some time
> > > ago there was a reall .box TLD allocation happening, so now they have
> > > another fun problem to
> > > solve with their pseudo TLD. Talk about ambiguous domain names...
> > >
> > > >
> > > > I also think opportunistic encryption (RFC 8164) should be considered
> > > seriously in this context.  The security properties of local networks
> are
> > > different from the public internet, and opportunistic encryption seems
> to
> > > provide more value in this context.
> > > >
> > > > --Ben Schwartz
> > > > ________________________________
> > > > From: Toerless Eckert <tte@cs.fau.de>
> > > > Sent: Thursday, February 22, 2024 5:14 PM
> > > > To: Michael Sweet <msweet@msweet.org>
> > > > Cc: David Schinazi <dschinazi.ietf@gmail.com>; HTTP Working Group <
> > > ietf-http-wg@w3.org>
> > > > Subject: Re: Link-local connectivity in Web browsers
> > > >
> > > > On Thu, Feb 22, 2024 at 07:04:33AM -0500, Michael Sweet wrote:
> > > > > >> 2. Locally-Unique Addresses (ULAs) can be assigned automatically
> > > and are better supported by the various client OS's than the RFC 4007
> > > default scope for link-local addresses.
> > > > > >
> > > > > > I am not aware of schemes that would automatically assign ULAs,
> > > would love a reference.
> > > > > > I have written a scheme based on network wide
> > > configuration/autoprovisioning (RFC8994), but
> > > > > > i am not aware of any similar solutions like that widely used.
> > > > >
> > > > > Enterprise networks often make use of ULAs, and that is where I
> would
> > > expect them to be used most often since 'normal users' don't typically
> have
> > > the expertise to set those things up.
> > > >
> > > > Sure, but there is no "assigned automatically" the way i understand
> it.
> > > YOu may have
> > > > meant something different, so maybe its not a sufficiently well
> defined
> > > term.
> > > >
> > > > But in any case, ULA like global addresses do require additional
> address
> > > allocation/management
> > > > operations which may not have happened and/or which may not be
> desirable
> > > to be required,
> > > > so the underlying interest at least IMHO from the IPv6 networking
> world
> > > is to figure out
> > > > what the sanest way is to support LLA across all representations
> where
> > > they may be needed
> > > > including browsers. That's nonwithstanding that we wuold want to
> > > minimize the need
> > > > for having to use any IPv6 address by normal users under normal
> > > circumstances.
> > > >
> > > > Cheers
> > > >     toerless
> > > >
> > > > > ________________________
> > > > > Michael Sweet
> > > >
> > >
> > > --
> > > ---
> > > tte@cs.fau.de
> > >
>
> --
> ---
> tte@cs.fau.de
>

v2.23.0 | Report a Bug | By Email