IETF Logo Mail Archive

Re: Link-local connectivity in Web browsers

Toerless Eckert <tte@cs.fau.de> Tue, 27 February 2024 01:08 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=ietf.org@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 21A6BC151097 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 26 Feb 2024 17:08:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.757
X-Spam-Level:
X-Spam-Status: No, score=-7.757 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=w3.org header.b="DgYaixPI"; dkim=pass (2048-bit key) header.d=w3.org header.b="PVgjSIVa"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FIAwfolJNQMw for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 26 Feb 2024 17:08:33 -0800 (PST)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3773DC151556 for <httpbisa-archive-bis2Juki@ietf.org>; Mon, 26 Feb 2024 17:08:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=w3.org; s=s1; h=Subject:In-Reply-To:Content-Type:MIME-Version:References:Message-ID: Cc:To:From:Date:Reply-To; bh=ny9X0IfJNQhkPuwqeeOJr9Fhcei17ktBWlHjkE6QA2k=; b= DgYaixPIGcjspcPS+jYkgtkmPDE22Lhc77sPfYBSF5FrDOUnKqzNgRA2Vr2e/Vkqbyaz5qLXomAlF BFO2sZ023cJRrbkeAIvNZ8XCeW24FUixDNpOYmyuQS6FmPTqKP91mHefgWRoDaWr+XFh/k/YMl37D Wmb2O/wvk5XYK8D3FO7853X+Zhn0Iwbg0wBWDNyQw9cnyvVq1Imhyf0KWi/DGGrEzDojoLkHCcscl gOG+2V2sVyQPFYKpc0t1ePgCg405fSsBPHlygWSlnnTR4RBPHxqTM+guuAgsDOYx0XmZIytpWbKiT 810WB0k6/g1A6MYWL0jXzkBXUowqXg6CHg==;
Received: from lists by lyra.w3.org with local (Exim 4.94.2) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1relvP-000qQT-Po for ietf-http-wg-dist@listhub.w3.org; Tue, 27 Feb 2024 01:06:27 +0000
Resent-Date: Tue, 27 Feb 2024 01:06:27 +0000
Resent-Message-Id: <E1relvP-000qQT-Po@lyra.w3.org>
Received: from pan.w3.org ([3.222.182.102]) by lyra.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <eckert@i4.informatik.uni-erlangen.de>) id 1relvN-000qPR-1Y for ietf-http-wg@listhub.w3.org; Tue, 27 Feb 2024 01:06:25 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=w3.org; s=s1; h=In-Reply-To:Content-Type:MIME-Version:References:Message-ID:Subject: Cc:To:From:Date:Reply-To; bh=ny9X0IfJNQhkPuwqeeOJr9Fhcei17ktBWlHjkE6QA2k=; t=1708995985; x=1709859985; b=PVgjSIVaCyde3cZwEbBzNHREl2QzZXwlYkkB4CSb3edNi4Q wjJ7fwdDFIIceSOwsDQ+js8tuBEKZVUUqgrIuaJQNrpuT1zNUai38l/jgNK25CheD9+SIuWhZn9ru HSOKClSovi0XY9v8WB781FBD6L28OY0+XC+70kQ1loJssdn9eZuAezNSV0rVUIzm6j5iKL6Ga+JWZ dENHXcQ92dIsncViWQ05l9iEOn2IOe1DDWdCRMkkZkq4UwQMjH1QJ1XHqQZCO4fI/S65MTUKmgwC5 YoFe4awFYZx44boG/qu7tb7u5wY4c4AC1LaNFy0l1mVS3HrLwvLfCFRmv9KX5MUQ==;
Received-SPF: pass (pan.w3.org: domain of i4.informatik.uni-erlangen.de designates 131.188.34.40 as permitted sender) client-ip=131.188.34.40; envelope-from=eckert@i4.informatik.uni-erlangen.de; helo=faui40.informatik.uni-erlangen.de;
Received: from faui40.informatik.uni-erlangen.de ([131.188.34.40]) by pan.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from <eckert@i4.informatik.uni-erlangen.de>) id 1relvL-004YR2-1A for ietf-http-wg@w3.org; Tue, 27 Feb 2024 01:06:24 +0000
Received: from faui48e.informatik.uni-erlangen.de (faui48e.informatik.uni-erlangen.de [131.188.34.51]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTPS id 4TkK7D22LDznkV1; Tue, 27 Feb 2024 02:06:16 +0100 (CET)
Received: by faui48e.informatik.uni-erlangen.de (Postfix, from userid 10463) id 4TkK7D12njzkmxP; Tue, 27 Feb 2024 02:06:16 +0100 (CET)
Date: Tue, 27 Feb 2024 02:06:16 +0100
From: Toerless Eckert <tte@cs.fau.de>
To: Ben Schwartz <bemasc@meta.com>
Cc: Michael Sweet <msweet@msweet.org>, David Schinazi <dschinazi.ietf@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <Zd01iJLSs4qWnjEj@faui48e.informatik.uni-erlangen.de>
References: <CAPDSy+7h3SSeKyA2CUazyWWsUi6+xhn2i91zNW1uz4NhgOGkug@mail.gmail.com> <AA46BAE0-EEC9-4985-AEFC-DF2423C9E582@msweet.org> <Zdamt16camKdi-z8@faui48e.informatik.uni-erlangen.de> <22C7EB50-FA1F-4DD5-9A92-ACAF54DD5B3C@msweet.org> <ZdfHM64RdHLHXQ4H@faui48e.informatik.uni-erlangen.de> <SA1PR15MB4370D9A3CB02716FB228D59EB35A2@SA1PR15MB4370.namprd15.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <SA1PR15MB4370D9A3CB02716FB228D59EB35A2@SA1PR15MB4370.namprd15.prod.outlook.com>
X-W3C-Hub-Spam-Status: No, score=-3.7
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DMARC_MISSING=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: pan.w3.org 1relvL-004YR2-1A b6fb29210a300eca4be351d246a12fb2
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Link-local connectivity in Web browsers
Archived-At: <https://www.w3.org/mid/Zd01iJLSs4qWnjEj@faui48e.informatik.uni-erlangen.de>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/51835
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/email/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On Mon, Feb 26, 2024 at 03:10:35PM +0000, Ben Schwartz wrote:
> I think it would help if this draft discussed scoping of cookies (and other HTTP client state).  In particular, I shouldn't be able to vacuum up your home "printer-123.local"'s cookies just by naming myself "printer-123.local" on the coffee-shop network.  Client state for .local domains needs to be partitioned by network to avoid these attacks.

Not sure how to actually trigger the attack unless the user actively connects to
that attacker in the coffee-shop explicitly, but architecturally you are of course
putting the finger on the problem.

Not sure if this problem has an existing technial term, but i would call it "ambiguous name/addresses".

My last experience with this was when i set up a second Internet connection at home for
reliability and other reasons, both Internet connections then had the same vendors type of
router (Germany, AVM "Fritzbox"), both using the same IP address 192.168.178.1 and mDNS
name fritz.box (*).

So, oviously, when i connect my notebook from the SSID for one internet connection to the
SSID of the other internet connection i do get all type of crappy web-browser results, because
there are all type of incompatible cached web pages from the prior SSID's routers web interface.

The same of course is happening, when i am streaming content from some web-page,
and then i am changing my network path to come in via another country, because those domain name
are actually offering differnt services depending how i arrive at them, and hence cached
web-page information is really incorrect after such a change. Again, it does not depend
on whether i am using an anycast address or a domain name, i am just running into use-cases
that show the fact that even supposedly global names/addresses are not really global, but
will also depend on the routing path.

So, if i was to generalize this problem, i end up with:

    https://<dnsname>%<network-context>/..
    https://<ipaddress>%<network-context>/..

Aka: IMHO i can pefecty well disambiguate these cases by adding network-context to the origin
which is only evaluated by te local host. David Schinazi is pointing out that RFC9110 says that
all part of the origin need to be sent to the remote system, and that may be a problem for
ambiguous DNS names, but AFAIK it would not be a problem for IP-addresses, becasue they
are not sent in server_name in TLS nor AFAIK in the Host: header. So even without a %zone_id,
i think the RFC9110 statement is correct - i may be wrong.

In any case, that's what i was trying to get bck from David, but have not seen a reply to my
repeated asks to him about it.

Cheers
    Toerless

(*) I think AVM came up with their .box pseudo TLS before they understood .local, and some time
ago there was a reall .box TLD allocation happening, so now they have another fun problem to
solve with their pseudo TLD. Talk about ambiguous domain names...

> 
> I also think opportunistic encryption (RFC 8164) should be considered seriously in this context.  The security properties of local networks are different from the public internet, and opportunistic encryption seems to provide more value in this context.
> 
> --Ben Schwartz
> ________________________________
> From: Toerless Eckert <tte@cs.fau.de>
> Sent: Thursday, February 22, 2024 5:14 PM
> To: Michael Sweet <msweet@msweet.org>
> Cc: David Schinazi <dschinazi.ietf@gmail.com>; HTTP Working Group <ietf-http-wg@w3.org>
> Subject: Re: Link-local connectivity in Web browsers
> 
> On Thu, Feb 22, 2024 at 07:04:33AM -0500, Michael Sweet wrote:
> > >> 2. Locally-Unique Addresses (ULAs) can be assigned automatically and are better supported by the various client OS's than the RFC 4007 default scope for link-local addresses.
> > >
> > > I am not aware of schemes that would automatically assign ULAs, would love a reference.
> > > I have written a scheme based on network wide configuration/autoprovisioning (RFC8994), but
> > > i am not aware of any similar solutions like that widely used.
> >
> > Enterprise networks often make use of ULAs, and that is where I would expect them to be used most often since 'normal users' don't typically have the expertise to set those things up.
> 
> Sure, but there is no "assigned automatically" the way i understand it. YOu may have
> meant something different, so maybe its not a sufficiently well defined term.
> 
> But in any case, ULA like global addresses do require additional address allocation/management
> operations which may not have happened and/or which may not be desirable to be required,
> so the underlying interest at least IMHO from the IPv6 networking world is to figure out
> what the sanest way is to support LLA across all representations where they may be needed
> including browsers. That's nonwithstanding that we wuold want to minimize the need
> for having to use any IPv6 address by normal users under normal circumstances.
> 
> Cheers
>     toerless
> 
> > ________________________
> > Michael Sweet
> 

-- 
---
tte@cs.fau.de

v2.23.0 | Report a Bug | By Email