Re: WG Last Call for for draft-ietf-6man-rfc6874bis
Ted Lemon <mellon@fugue.com> Thu, 16 June 2022 13:36 UTC
Return-Path: <mellon@fugue.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06B6AC14F743 for <ipv6@ietfa.amsl.com>; Thu, 16 Jun 2022 06:36:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.905
X-Spam-Level:
X-Spam-Status: No, score=-6.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KzJ0T3YmUG-i for <ipv6@ietfa.amsl.com>; Thu, 16 Jun 2022 06:36:45 -0700 (PDT)
Received: from mail-oi1-x22d.google.com (mail-oi1-x22d.google.com [IPv6:2607:f8b0:4864:20::22d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F97DC14F741 for <ipv6@ietf.org>; Thu, 16 Jun 2022 06:36:45 -0700 (PDT)
Received: by mail-oi1-x22d.google.com with SMTP id u9so1871171oiv.12 for <ipv6@ietf.org>; Thu, 16 Jun 2022 06:36:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=t7FmJG1WOD2RtD4ESUweeqsp3xwmR7gDo9ny+hCjNng=; b=BQn21cgrx85dNaSpFDlC1pC6V9zIHX1voHGajT5BEX8jEh+f0evlpgMmJe0nzoSR+A uuEFl0w7ndndLOx9ZOxj8wEuNJ+y9X5c8pjWUaxDQ10dLLFq94SEXmoxaAxHAXopGEie tqizEHsFAMm8iH0UEI2UK2rD2bz0/N5cPnMnlDq5oS6rtSE23Azr/XchorXtrEgXErsp tYpIC+ad6PaSfOBKNhfi/3Sq2I9IFs2lFiuXU0Xbr0ugyo8NWkNPOjY4ict2lw0y2Gkm UQ4Sis/Sq0AkBotRZ7AoZS7rgVe554BXHmx79gC6b9JEQkQ4pTncxX+wqrVkGfH3AMWz ZnPQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=t7FmJG1WOD2RtD4ESUweeqsp3xwmR7gDo9ny+hCjNng=; b=ddEZjIn6QeybmKf9Bhy8ZgBnjaAKjeZCoJdbXeVYWn7ZoI5zOb1HkUGceLdMBcFEZa 17dhg/FN12Xc81vTHd+2JY9Z8j01LiKjLIzvmV040/OKmUYkZ4Rbxf/Yh5D/swV0RzOg pMinvq4j1YwYexGd1Lz5uE/JClIy4NcauVDb4ePCF89vbrK3HXMhDFBTIP9Bf4ynSL2f 582gyYK6It4etNnEZo3qNHKROhgoKW5mt8tyGTJ+p1ww06U9OPF+0C6LWSebLWJtPBLW MStp9tDd/VbYO071V8O73NGcjzN6YwgEKR+GXbwXgXoXUUNsPZ/AlbkD6ijZ7KdamPtH QhGQ==
X-Gm-Message-State: AJIora/8DysjAXs0SksuCNgIgk+gFhjpRFBXbIKb7uMPdRcmHE+psllF yvZJEY4nUXcil6NSbRjWfruUxKs7aI6oeo7QgOeVgMGkTjOLMQ==
X-Google-Smtp-Source: AGRyM1spF4jEUInfU4pwuigxxdzAcVkdKAiwk1Ut9y/4LKgVQyLIEAL0jNEKTwsnVVzjWiFG2luswRx/ebAQIMWUMow=
X-Received: by 2002:a05:6808:2194:b0:32f:1309:c4e0 with SMTP id be20-20020a056808219400b0032f1309c4e0mr2713544oib.12.1655386604091; Thu, 16 Jun 2022 06:36:44 -0700 (PDT)
MIME-Version: 1.0
References: <CAFU7BAQVr_UMK_v7O7DGTV363j7q25X9GwrgraTEypzq_Lz3gQ@mail.gmail.com>
In-Reply-To: <CAFU7BAQVr_UMK_v7O7DGTV363j7q25X9GwrgraTEypzq_Lz3gQ@mail.gmail.com>
From: Ted Lemon <mellon@fugue.com>
Date: Thu, 16 Jun 2022 09:36:08 -0400
Message-ID: <CAPt1N1m+g8Yu9rPyvfvrxG_bST_9_z3siByOCsMmeTpWAfAiZA@mail.gmail.com>
Subject: Re: WG Last Call for for draft-ietf-6man-rfc6874bis
To: 6man <ipv6@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000080cf6405e190ba59"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/-_xdPn1gExurri3nwx2X-93jpd8>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Jun 2022 13:36:47 -0000
> > The URI syntax specification [RFC3986 > <https://www.ietf.org/archive/id/draft-ietf-6man-rfc6874bis-01.html#RFC3986> > ] states that URIs have a global scope, but that in some cases their > interpretation depends on the end-user's context. URIs including a zone > identifier are to be interpreted only in the context of the host at which > they originate, since the zone identifier is of local significance only. Does this mean that when a browser loads a web page, and that web page contains IPv6 address literal URIs with zone identifiers, and the source of the web page was not the local host, the URIs are un-interpretable? That is, what does "at which they originate" mean? It is desirable for all URI parsers to recognise a zone identifier > according to the syntax defined in Section 3 > <https://www.ietf.org/archive/id/draft-ietf-6man-rfc6874bis-01.html#spec>. > Any code handling percent-encoding or percent-decoding must be aware that > the "%" character preceding the zone identifier is never itself > percent-encoded, as specified by ABNF above. In terms of Section 2.4 of [ > RFC3986 > <https://www.ietf.org/archive/id/draft-ietf-6man-rfc6874bis-01.html#RFC3986> > ], this "%" character is acting as a delimiter, not as data. Would it be correct to say that the text within an IPv6 address literal never contains percent-encodings? If so, then it might be less complicated to just say that. I think a parser that follows this rule would be more regular than one that doesn't make this restriction and does allow percent encoding within the literal except in the case of the stated exception. The various use cases for the zone identifier syntax will cause it to be > entered in a browser's input dialogue box. Do you mean "the zone identifier syntax is only expected to be entered in the browser's dialog box: there is no use case for such a URI appearing elsewhere?" Or at least "The various use cases for the zone identifier syntax all involve entering it in the browser's input dialogue box?" I feel very uncomfortable with "cause" in this sentence. In the security considerations section, I think if the syntax were only allowed in the case of input into the browser's dialog box, then most of the possible attacks would go away. If there is no anticipated use case other than manual input (perhaps a scripted input would also count) then unless the script would be allowed to open the URI but not otherwise probe IPv6 address literals, it's hard to see what additional vulnerability this would create. Anyway, overall I think the document is good and the above are all nits, not reasons not to publish. So I support publishing the document. Thanks for doing the work!
- WG Last Call for for draft-ietf-6man-rfc6874bis Jen Linkova
- Re: WG Last Call for for draft-ietf-6man-rfc6874b… Ted Lemon
- Re: WG Last Call for for draft-ietf-6man-rfc6874b… Brian E Carpenter
- Re: WG Last Call for for draft-ietf-6man-rfc6874b… Ted Lemon
- Re: WG Last Call for for draft-ietf-6man-rfc6874b… Michael Sweet
- Re: WG Last Call for for draft-ietf-6man-rfc6874b… Brian E Carpenter
- Re: WG Last Call for for draft-ietf-6man-rfc6874b… David Farmer
- Re: WG Last Call for for draft-ietf-6man-rfc6874b… Ted Lemon
- Re: WG Last Call for for draft-ietf-6man-rfc6874b… David Farmer
- Re: WG Last Call for for draft-ietf-6man-rfc6874b… Ted Lemon
- Re: WG Last Call for for draft-ietf-6man-rfc6874b… Brian E Carpenter
- Re: WG Last Call for for draft-ietf-6man-rfc6874b… David Farmer
- Re: WG Last Call for for draft-ietf-6man-rfc6874b… Brian E Carpenter
- Re: WG Last Call for for draft-ietf-6man-rfc6874b… Jen Linkova
- Re: WG Last Call for for draft-ietf-6man-rfc6874b… Brian Carpenter