IETF Logo Mail Archive

Re: Link-local connectivity in Web browsers

Toerless Eckert <tte@cs.fau.de> Tue, 27 February 2024 02:28 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=ietf.org@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 481EDC1CAF2E for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 26 Feb 2024 18:28:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.756
X-Spam-Level:
X-Spam-Status: No, score=-2.756 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=w3.org header.b="INjJfx1N"; dkim=pass (2048-bit key) header.d=w3.org header.b="f3KCWtTB"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9K8A1ZfX43Gd for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 26 Feb 2024 18:28:00 -0800 (PST)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 55F57C19ECB8 for <httpbisa-archive-bis2Juki@ietf.org>; Mon, 26 Feb 2024 18:28:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=w3.org; s=s1; h=Subject:In-Reply-To:Content-Type:MIME-Version:References:Message-ID: Cc:To:From:Date:Reply-To; bh=E6DZp4Qbgz305NFTFTVGfAi3sJBMelYuaKIdNIcVhTc=; b= INjJfx1NtRpzTzR+VDnhxIRuKGCQTxQk4wrfZ0lOW1z9TTiE/Oe5gMIgy8x1KgYyvBmCmjC/nCA3Z dlWE/MUdA/GceIpYTdntWVCwdzxGgVNu1+FHIlAgV+gY/5Az5a5PyPDrgxDbw8DxtNL7Bl+uoT5YT q63NJ4m0edMk+qcEXKO6DO1qpbyaFiy8kA4RgbKV/up1Ed+WN6obdLhmruKxQEesmgp3j8ebzHyy3 1idhRO9ofqHYfuwW5yI/TJvF2vYsbtUX+5Dn7JHI1NC7fVVfVGErLQZhjOGzxbNYlAHwTF4jenDLx rbyV8LmbZytl5BpPfJCRVo4x531IlqhX3g==;
Received: from lists by lyra.w3.org with local (Exim 4.94.2) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1renC4-000zZJ-GY for ietf-http-wg-dist@listhub.w3.org; Tue, 27 Feb 2024 02:27:44 +0000
Resent-Date: Tue, 27 Feb 2024 02:27:44 +0000
Resent-Message-Id: <E1renC4-000zZJ-GY@lyra.w3.org>
Received: from pan.w3.org ([3.222.182.102]) by lyra.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <eckert@i4.informatik.uni-erlangen.de>) id 1renC2-000zY6-7U for ietf-http-wg@listhub.w3.org; Tue, 27 Feb 2024 02:27:42 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=w3.org; s=s1; h=In-Reply-To:Content-Type:MIME-Version:References:Message-ID:Subject: Cc:To:From:Date:Reply-To; bh=E6DZp4Qbgz305NFTFTVGfAi3sJBMelYuaKIdNIcVhTc=; t=1709000862; x=1709864862; b=f3KCWtTByyHCpsfBfypagkGo/baxLVccPoMUwazIXVOJg8G u3mRCQ2xJ7jiZfluLYGmjQ0VoDSQB/PWZnRL3ziSvK9KaRsDSQQh3YXXRTkmiQXtqBeqDbQHnefN7 xAMCqhbYhNI8rs8VLspzzmoC9Pp1dSK33EH9torsaRisJiOV8hWYX3wh/gtXDsk4BwwapPnRYf+tV 1zLlL96CNVdk+g86qMea7gtv5Vx3W12L3yE1xXahR51JoibtYeqK964ozgcwrpeMpC4BqL59mjviT dHBAJ65Q+xnVvDVqdkjl9d5+Yd49G9SMzNazCLGKLH0u/kx5oOIBadkiJXjUkRhQ==;
Received-SPF: pass (pan.w3.org: domain of i4.informatik.uni-erlangen.de designates 2001:638:a000:4134::ffff:40 as permitted sender) client-ip=2001:638:a000:4134::ffff:40; envelope-from=eckert@i4.informatik.uni-erlangen.de; helo=faui40.informatik.uni-erlangen.de;
Received: from faui40.informatik.uni-erlangen.de ([2001:638:a000:4134::ffff:40]) by pan.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from <eckert@i4.informatik.uni-erlangen.de>) id 1renC0-004ZbS-2W for ietf-http-wg@w3.org; Tue, 27 Feb 2024 02:27:42 +0000
Received: from faui48e.informatik.uni-erlangen.de (faui48e.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:51]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTPS id 4TkLx14mxCznkV8; Tue, 27 Feb 2024 03:27:33 +0100 (CET)
Received: by faui48e.informatik.uni-erlangen.de (Postfix, from userid 10463) id 4TkLx13pfRzkmxQ; Tue, 27 Feb 2024 03:27:33 +0100 (CET)
Date: Tue, 27 Feb 2024 03:27:33 +0100
From: Toerless Eckert <tte@cs.fau.de>
To: David Schinazi <dschinazi.ietf@gmail.com>
Cc: Ben Schwartz <bemasc@meta.com>, Michael Sweet <msweet@msweet.org>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <Zd1IlafNogGHtaWK@faui48e.informatik.uni-erlangen.de>
References: <CAPDSy+7h3SSeKyA2CUazyWWsUi6+xhn2i91zNW1uz4NhgOGkug@mail.gmail.com> <AA46BAE0-EEC9-4985-AEFC-DF2423C9E582@msweet.org> <Zdamt16camKdi-z8@faui48e.informatik.uni-erlangen.de> <22C7EB50-FA1F-4DD5-9A92-ACAF54DD5B3C@msweet.org> <ZdfHM64RdHLHXQ4H@faui48e.informatik.uni-erlangen.de> <SA1PR15MB4370D9A3CB02716FB228D59EB35A2@SA1PR15MB4370.namprd15.prod.outlook.com> <Zd01iJLSs4qWnjEj@faui48e.informatik.uni-erlangen.de> <CAPDSy+5qHB0ih19aC=R5gM2j1z01x9goa=EXV=kYOj-1TaGE9g@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAPDSy+5qHB0ih19aC=R5gM2j1z01x9goa=EXV=kYOj-1TaGE9g@mail.gmail.com>
X-W3C-Hub-Spam-Status: No, score=-3.7
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DMARC_MISSING=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: pan.w3.org 1renC0-004ZbS-2W dd65389715ed1bb2506feb0d10331f46
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Link-local connectivity in Web browsers
Archived-At: <https://www.w3.org/mid/Zd1IlafNogGHtaWK@faui48e.informatik.uni-erlangen.de>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/51837
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/email/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Thanks, David.

Neverthless i do not see a technical issue to extend what rfc9110 says
about transmitting origin by e.g. not including local context (such as zone_id).

The examples i think show that if we want to support the whole IPv4/IPv6
addressing architecture as well as also ambiguous domain names, that
origin is not necessarily 1:1 between client and server except for
the simple case

  - the client may need to distinguish zone_id
  - the server may need to distinguish client-source-ip-address (source country).

And the problems aren't related only to IPv6 link-local.

Cheers
    Toerless

On Mon, Feb 26, 2024 at 05:14:12PM -0800, David Schinazi wrote:
> Hi Toerless,
> The IP address is sent in the Host header.
> David
> 
> On Mon, Feb 26, 2024 at 5:06 PM Toerless Eckert <tte@cs.fau.de> wrote:
> 
> > On Mon, Feb 26, 2024 at 03:10:35PM +0000, Ben Schwartz wrote:
> > > I think it would help if this draft discussed scoping of cookies (and
> > other HTTP client state).  In particular, I shouldn't be able to vacuum up
> > your home "printer-123.local"'s cookies just by naming myself
> > "printer-123.local" on the coffee-shop network.  Client state for .local
> > domains needs to be partitioned by network to avoid these attacks.
> >
> > Not sure how to actually trigger the attack unless the user actively
> > connects to
> > that attacker in the coffee-shop explicitly, but architecturally you are
> > of course
> > putting the finger on the problem.
> >
> > Not sure if this problem has an existing technial term, but i would call
> > it "ambiguous name/addresses".
> >
> > My last experience with this was when i set up a second Internet
> > connection at home for
> > reliability and other reasons, both Internet connections then had the same
> > vendors type of
> > router (Germany, AVM "Fritzbox"), both using the same IP address
> > 192.168.178.1 and mDNS
> > name fritz.box (*).
> >
> > So, oviously, when i connect my notebook from the SSID for one internet
> > connection to the
> > SSID of the other internet connection i do get all type of crappy
> > web-browser results, because
> > there are all type of incompatible cached web pages from the prior SSID's
> > routers web interface.
> >
> > The same of course is happening, when i am streaming content from some
> > web-page,
> > and then i am changing my network path to come in via another country,
> > because those domain name
> > are actually offering differnt services depending how i arrive at them,
> > and hence cached
> > web-page information is really incorrect after such a change. Again, it
> > does not depend
> > on whether i am using an anycast address or a domain name, i am just
> > running into use-cases
> > that show the fact that even supposedly global names/addresses are not
> > really global, but
> > will also depend on the routing path.
> >
> > So, if i was to generalize this problem, i end up with:
> >
> >     https://<dnsname>%<network-context>/..
> >     https://<ipaddress>%<network-context>/..
> >
> > Aka: IMHO i can pefecty well disambiguate these cases by adding
> > network-context to the origin
> > which is only evaluated by te local host. David Schinazi is pointing out
> > that RFC9110 says that
> > all part of the origin need to be sent to the remote system, and that may
> > be a problem for
> > ambiguous DNS names, but AFAIK it would not be a problem for IP-addresses,
> > becasue they
> > are not sent in server_name in TLS nor AFAIK in the Host: header. So even
> > without a %zone_id,
> > i think the RFC9110 statement is correct - i may be wrong.
> >
> > In any case, that's what i was trying to get bck from David, but have not
> > seen a reply to my
> > repeated asks to him about it.
> >
> > Cheers
> >     Toerless
> >
> > (*) I think AVM came up with their .box pseudo TLS before they understood
> > .local, and some time
> > ago there was a reall .box TLD allocation happening, so now they have
> > another fun problem to
> > solve with their pseudo TLD. Talk about ambiguous domain names...
> >
> > >
> > > I also think opportunistic encryption (RFC 8164) should be considered
> > seriously in this context.  The security properties of local networks are
> > different from the public internet, and opportunistic encryption seems to
> > provide more value in this context.
> > >
> > > --Ben Schwartz
> > > ________________________________
> > > From: Toerless Eckert <tte@cs.fau.de>
> > > Sent: Thursday, February 22, 2024 5:14 PM
> > > To: Michael Sweet <msweet@msweet.org>
> > > Cc: David Schinazi <dschinazi.ietf@gmail.com>; HTTP Working Group <
> > ietf-http-wg@w3.org>
> > > Subject: Re: Link-local connectivity in Web browsers
> > >
> > > On Thu, Feb 22, 2024 at 07:04:33AM -0500, Michael Sweet wrote:
> > > > >> 2. Locally-Unique Addresses (ULAs) can be assigned automatically
> > and are better supported by the various client OS's than the RFC 4007
> > default scope for link-local addresses.
> > > > >
> > > > > I am not aware of schemes that would automatically assign ULAs,
> > would love a reference.
> > > > > I have written a scheme based on network wide
> > configuration/autoprovisioning (RFC8994), but
> > > > > i am not aware of any similar solutions like that widely used.
> > > >
> > > > Enterprise networks often make use of ULAs, and that is where I would
> > expect them to be used most often since 'normal users' don't typically have
> > the expertise to set those things up.
> > >
> > > Sure, but there is no "assigned automatically" the way i understand it.
> > YOu may have
> > > meant something different, so maybe its not a sufficiently well defined
> > term.
> > >
> > > But in any case, ULA like global addresses do require additional address
> > allocation/management
> > > operations which may not have happened and/or which may not be desirable
> > to be required,
> > > so the underlying interest at least IMHO from the IPv6 networking world
> > is to figure out
> > > what the sanest way is to support LLA across all representations where
> > they may be needed
> > > including browsers. That's nonwithstanding that we wuold want to
> > minimize the need
> > > for having to use any IPv6 address by normal users under normal
> > circumstances.
> > >
> > > Cheers
> > >     toerless
> > >
> > > > ________________________
> > > > Michael Sweet
> > >
> >
> > --
> > ---
> > tte@cs.fau.de
> >

-- 
---
tte@cs.fau.de

v2.23.0 | Report a Bug | By Email