IETF Logo Mail Archive

Re: I-D Action: draft-ietf-6man-rfc6874bis-01.txt

Ted Lemon <mellon@fugue.com> Thu, 30 June 2022 15:19 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 687B6C14CF09 for <ipv6@ietfa.amsl.com>; Thu, 30 Jun 2022 08:19:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.904
X-Spam-Level:
X-Spam-Status: No, score=-1.904 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mORIFmv6JQYs for <ipv6@ietfa.amsl.com>; Thu, 30 Jun 2022 08:19:30 -0700 (PDT)
Received: from mail-oa1-x32.google.com (mail-oa1-x32.google.com [IPv6:2001:4860:4864:20::32]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A7881C15CF59 for <ipv6@ietf.org>; Thu, 30 Jun 2022 08:19:30 -0700 (PDT)
Received: by mail-oa1-x32.google.com with SMTP id 586e51a60fabf-101d96fe0a5so26240805fac.2 for <ipv6@ietf.org>; Thu, 30 Jun 2022 08:19:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=iIabAwZYe6h+lN67ZQMdHBDe3kEMJE/sTdnWnPsgdCk=; b=JvOeCBHoBvHMy2Egm6QUk+SQ3GUjc0J6eLlLs3h/4Y790k3JGS9eZuTMdH6fqlS1m1 9Rl6uZkwQgD+K99t/xCHo2ZnBd6AKd8PyLONSTI7oWCmzxvHVZWcY1NoLwAV+wMI7Zi2 w0WwWoSTQoUWQWltKIsgBiprNSZhhxQrMWvq8a3F9FXdvFRAeAnBLsGiy0AMGaC19qEc CuRsEHl8BMF7BUJxkSnYPGrv1T3R/SIM9zxn4LToOA3hBYyCCRiI0iZ7gY+Y6GXHTQLt INP8G4nzFDEhHQfY9NUFlTkqcRnNz2rCZRY7FaJYKOQhwqAq0BoNinub1G2CtAWurgaU 1WsQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=iIabAwZYe6h+lN67ZQMdHBDe3kEMJE/sTdnWnPsgdCk=; b=OCQUe1/7O2a8jcJ+qiGk5Bf3HuvyzcCn7MwrU+XafY67quJCCatdfv1aluhuiPqSlD Uo/cp6SCZ46II4xZtYar61XkGk4F3ip4drCC6JP5112w4DWt8bjbQg7UAkmYXqofjhUQ 8e8l9DzYZELtZxvudshvPoc26VogYaNcD4yqbtpGE3pUXDiW4hk4pfe7T6351reAujT/ MeO4BuWBg9I55AXSOfu8WyPNiJuSugarQbpJSTCsVSDErnywUxmkc6KC1UPMQHNMdFKn s38bfwNYXaGLJAro8Sd1vJVZtSOK6pdq2me3/6uA2eMTJOn1kegtfe8gTEvbEIswhIIj fddA==
X-Gm-Message-State: AJIora8iKiK1zYTb4y0qhPUpyT7b9Ir2s+avPNx1huuBOhiGn3wZPg7h Khg0E+upzAzNwjwcjI8fDtgyKqqozYjQ4Z2Ad3o+KfvUoPQ=
X-Google-Smtp-Source: AGRyM1vPefa657s6Hk0/BsflFBi4zHuvHyw65Q8usXNLvwBOkIBcCzPZhO/OxAhiFityPTRyWHLQDmjUYZAkG1O2gwA=
X-Received: by 2002:a05:6870:45a9:b0:10a:9ebc:63ab with SMTP id y41-20020a05687045a900b0010a9ebc63abmr5311698oao.209.1656602368999; Thu, 30 Jun 2022 08:19:28 -0700 (PDT)
MIME-Version: 1.0
References: <164938402532.17740.11717866110301931501@ietfa.amsl.com> <b1780128-2069-b32e-7ca5-86977c119f0c@gmail.com> <11d4e419-11a9-8768-abf2-1335e5f1c3d8@gmail.com> <f650c051650b4e5891b80dafb2dfaaaa@huawei.com> <CANMZLAZPuA_Yey4tG0orU0m5Y3rmZhB84p8Pk_aXhu707mygNA@mail.gmail.com> <2de18ad0ef784ad19148d215221178a4@huawei.com> <CAPt1N1nhzYCZB88GfMxh8Txf8qDTVjQPdkh8di22a+D2ipwZ0w@mail.gmail.com> <d02b8bcd4a454790a93c9426b267109c@huawei.com>
In-Reply-To: <d02b8bcd4a454790a93c9426b267109c@huawei.com>
From: Ted Lemon <mellon@fugue.com>
Date: Thu, 30 Jun 2022 08:18:52 -0700
Message-ID: <CAPt1N1=xgWceDCaaR9QMFJBWi2tGmF+G7Rx6z2vOM+gaG0He9w@mail.gmail.com>
Subject: Re: I-D Action: draft-ietf-6man-rfc6874bis-01.txt
To: Vasilenko Eduard <vasilenko.eduard@huawei.com>
Cc: Vasilenko Eduard <vasilenko.eduard=40huawei.com@dmarc.ietf.org>, 6man WG <ipv6@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000bd1a6805e2abcb05"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/1PTQTbguD5lgrj3cgvYIXWfzVXM>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jun 2022 15:19:34 -0000

At least according to Stack Overflow, no such API exists in web browsers.
It used to be possible to use WebRTC for this, but apparently that has been
fixed.

On Thu, Jun 30, 2022 at 6:33 AM Vasilenko Eduard <
vasilenko.eduard@huawei.com> wrote:

> We are talking about malicious script in the browser on the victim client.
>
> It could ask the OS about available GUA addresses.
>
> No need to guess.
>
> Ed/
>
> *From:* ipv6 [mailto:ipv6-bounces@ietf.org] *On Behalf Of *Ted Lemon
> *Sent:* Thursday, June 30, 2022 3:45 PM
> *To:* Vasilenko Eduard <vasilenko.eduard=40huawei.com@dmarc.ietf.org>
> *Cc:* 6man WG <ipv6@ietf.org>
> *Subject:* Re: I-D Action: draft-ietf-6man-rfc6874bis-01.txt
>
>
>
> With GUA/ULA you have to guess the prefix. LLAs all share the same prefix.
> So you have a lot fewer bits to guess with a LLA. Of course, you might be
> able to get the GUA prefix by connecting to some service, but this won’t
> work for ULA.
>
>
>
> On Thu, Jun 30, 2022 at 03:37 Vasilenko Eduard <vasilenko.eduard=
> 40huawei.com@dmarc.ietf.org> wrote:
>
> I do not see the difference from the scan of the local GUA/ULA subnet (it
> does not need a zone too).
>
> Why improve security only for LLA, leaving GUA/ULA with the same level of
> security?
>
> IMHO: it does not make sense. The attacker would scan GUA/ULA if LLA is
> more difficult. He would get his result anyway.
>
>
>
> Moreover, the interface name is a challenge only for the legitimate user.
>
> An attacker could easily find the type of the operating system and guess
> it.
>
> It is weak protection against attacker.
>
>
>
> Moreover2, a daemon to listen for port 80 would have much more probability
> to be connected to GUA/ULA, not LLA.
>
> The attacker would probably start scanning from GUA anyway.
>
>
>
> Hence, better to give the user more convenience because security is not
> possible to improve in this way.
>
> Ed/
>
> *From:* Brian Carpenter [mailto:brian.e.carpenter@gmail.com]
> *Sent:* Thursday, June 30, 2022 1:03 PM
> *To:* Vasilenko Eduard <vasilenko.eduard@huawei.com>
> *Cc:* 6man WG <ipv6@ietf.org>
> *Subject:* Re: I-D Action: draft-ietf-6man-rfc6874bis-01.txt
>
>
>
> There is an opposite argument: supporting a default zone makes an attack
> easier because the zone does not need to to be guessed.
>
> Windows does exactly what you suggest, by the way; I could not run my
> tests on Linux.
>
> Regards,
>     Brian Carpenter
>     (via tiny screen & keyboard)
>
>
>
>
> On Thu, 30 Jun 2022, 21:22 Vasilenko Eduard, <vasilenko.eduard@huawei.com>
> wrote:
>
> Hi Brian,
> Just one small idea: does it make sense to request
> "All applications claiming support for this document SHOULD choose one LLA
> zone as the default.
> If the user would omit the zone for the literal request to fe80:: then the
> application SHOULD use the default zone".
> It would greatly simplify life for many users because they have only one
> interface on the host - they would never need to investigate the name of
> the zone that is very OS-specific.
>
> I do not like the request in RFC 4007:
> index value zero at each scope SHOULD be reserved to mean "use the default
> zone"
> IMHO: it is much better to omit the zone name completely to get access to
> the default zone.
> People may not know that zone 0 has a special meaning.
>
> Formally, what I have proposed does not contradict RFC 4007
> Because the default zone could be omitted and could be 0 at the same time
> (both would lead to the same default zone).
>
> If you would say "No" to this request
> Then please, repeat RFC 4007 that the default zone SHOULD be and SHOULD be
> "0".
> Please, remind people of this fact.
> Eduard
> -----Original Message-----
> From: ipv6 [mailto:ipv6-bounces@ietf.org] On Behalf Of Brian E Carpenter
> Sent: Thursday, May 19, 2022 3:53 AM
> To: ipv6@ietf.org
> Subject: Re: I-D Action: draft-ietf-6man-rfc6874bis-01.txt
>
> There's been no more discussion for several weeks. Can we move on to a WG
> Last Call?
>
> Regards
>     Brian Carpenter
> On 08-Apr-22 14:29, Brian E Carpenter wrote:
> > Hi,
> >
> > This version reflects comments at the IETF and on the list.
> > Change log:
> > * Extended use cases (added Microsoft WSD)
> > * Clarified relationship with RFC3986 language
> > * Allow for legacy use of RFC6874 format
> > * Augmented security considerations
> > * Editorial and reference improvements
> >
> > Note that some of the text about RFC3986 that Shang Ye suggested to
> > remove has been retained, but modified. Further comments about this,
> > or any other aspect, are very welcome.
> >
> > Regards
> >      Brian + co-authors
> >
> > On 08-Apr-22 14:13, internet-drafts@ietf.org wrote:
> >>
> >> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> >> This draft is a work item of the IPv6 Maintenance WG of the IETF.
> >>
> >>           Title           : Representing IPv6 Zone Identifiers in
> Address Literals and Uniform Resource Identifiers
> >>           Authors         : Brian Carpenter
> >>                             Stuart Cheshire
> >>                             Robert M. Hinden
> >>      Filename        : draft-ietf-6man-rfc6874bis-01.txt
> >>      Pages           : 13
> >>      Date            : 2022-04-07
> >>
> >> Abstract:
> >>      This document describes how the zone identifier of an IPv6 scoped
> >>      address, defined as <zone_id> in the IPv6 Scoped Address
> Architecture
> >>      (RFC 4007), can be represented in a literal IPv6 address and in a
> >>      Uniform Resource Identifier that includes such a literal address.
> It
> >>      updates the URI Generic Syntax and Internationalized Resource
> >>      Identifier specifications (RFC 3986, RFC 3987) accordingly, and
> >>      obsoletes RFC 6874.
> >>
> >>
> >> The IETF datatracker status page for this draft is:
> >> https://datatracker.ietf.org/doc/draft-ietf-6man-rfc6874bis/
> >>
> >> There is also an HTML version available at:
> >> https://www.ietf.org/archive/id/draft-ietf-6man-rfc6874bis-01.html
> >>
> >> A diff from the previous version is available at:
> >> https://www.ietf.org/rfcdiff?url2=draft-ietf-6man-rfc6874bis-01
> >>
> >>
> >> Internet-Drafts are also available by rsync at
> >> rsync.ietf.org::internet-drafts
> >>
> >>
> >> _______________________________________________
> >> I-D-Announce mailing list
> >> I-D-Announce@ietf.org
> >> https://www.ietf.org/mailman/listinfo/i-d-announce
> >> Internet-Draft directories: http://www.ietf.org/shadow.html or
> >> ftp://ftp.ietf.org/ietf/1shadow-sites.txt
> >>
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>
>

v2.23.0 | Report a Bug | By Email