IETF Logo Mail Archive

Re: [IPv6] Link-local URI status (rfc6874bis)

Brian Carpenter <brian.e.carpenter@gmail.com> Fri, 03 November 2023 06:28 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 319A5C16F3FA for <ipv6@ietfa.amsl.com>; Thu, 2 Nov 2023 23:28:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y8Msc_Mt8B_A for <ipv6@ietfa.amsl.com>; Thu, 2 Nov 2023 23:28:52 -0700 (PDT)
Received: from mail-ua1-x930.google.com (mail-ua1-x930.google.com [IPv6:2607:f8b0:4864:20::930]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 92C52C16F3FC for <ipv6@ietf.org>; Thu, 2 Nov 2023 23:28:48 -0700 (PDT)
Received: by mail-ua1-x930.google.com with SMTP id a1e0cc1a2514c-7baba7de286so501213241.2 for <ipv6@ietf.org>; Thu, 02 Nov 2023 23:28:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1698992927; x=1699597727; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=lAWvZpW0xEXT9weJVGPFWySephlsXiOpQ5AjCPm48cg=; b=hY9bHs1KKU/fgbV6sCWsdxbE/ihe/KsjWDiV64OpIg+UCFROOFPlBuYi/rJLtY2Ggc 4axmegj2BzBdSiRULaH0p/MziC7xpOW9+SPIYjWCtGGNJ45TXP0rcGvkZXwcAPUUfSlt WAcvt2OGSu6l60NI4pH0b2JuyVhlmJ/Ti45Fuzqhsos+GIkafZDn/M8/uy+5UWMgugnY j11g3VOSmhXwyUwEQ9JXZc+rC8OeCHrKoIzl/Ht/qAqM8r4GaDEY1txRSbWVIESV01EP 952JZ+stPh7SWom3qax4NwYmAd43idLgpXM+acLJ/vsblUAFxZ/6tFiYDT+hZwCqBp8o x22A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1698992927; x=1699597727; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=lAWvZpW0xEXT9weJVGPFWySephlsXiOpQ5AjCPm48cg=; b=QPjkLh2dej57uXw3LAqnxkTsKxu9IiBSkHxaxmXLoUTlNTM0+Syz+Lc59UamHVz4PF Ob1j7s3fxlB82AGrpnDdy7nJvDPUUmzpyVPXnMug4Ll3UtddYKhEHOdHahUQ6vW2wuNa uQ0CeIS4Z65oDiuV/1ZDIw8yDdwki7ycYXGbxzBVb3l4xi+Tt99Oa6ujagcku2BX/xZ8 ffodw83jhC1ym7QsJT1TsJdysuNPSFXeJSdqT9t3bmdu/FEFMEfn1LH0yhA/sR6N8swS X9c7JJkG8ZOpoFVVNo7CxqeCHOIvpVlyY0tgonY9s6qiXqnMzKlyeh9bL28sVkf2sI1k Dz1Q==
X-Gm-Message-State: AOJu0YyrsEzZQIpGFOz1dn7813Jf4tOoXNpR4Ab0d7zIj0X6EdfMGf/5 N7V76o4Fh09ZUWB6Kly1SWa2FQW8L938vA5Xpog=
X-Google-Smtp-Source: AGHT+IFHXNsjsP6rgnQIecqIDcitvAxEkRuZchqbVdWxc8WEdB/cSHcB8QyZbfUzRfyK5ZnZWCshP92J4xd3px4UFLs=
X-Received: by 2002:a67:c21d:0:b0:45b:f938:26c5 with SMTP id i29-20020a67c21d000000b0045bf93826c5mr9010634vsj.12.1698992927323; Thu, 02 Nov 2023 23:28:47 -0700 (PDT)
MIME-Version: 1.0
References: <17352fa3-c3c9-3cc3-27f2-f8f57dfff383@gmail.com> <5B3DDEB8-36F1-428C-89AA-B765A600824A@msweet.org> <d9a6f288-058c-10d2-43dd-ffbd7a8959c7@gmail.com> <PH0PR11MB49662B93E5241CEB7906858BA9A5A@PH0PR11MB4966.namprd11.prod.outlook.com>
In-Reply-To: <PH0PR11MB49662B93E5241CEB7906858BA9A5A@PH0PR11MB4966.namprd11.prod.outlook.com>
From: Brian Carpenter <brian.e.carpenter@gmail.com>
Date: Fri, 03 Nov 2023 19:28:35 +1300
Message-ID: <CANMZLAY4-kvkSap79=AeWKOcnkq3=frcuxtz9N8PA4KWs+kPaA@mail.gmail.com>
To: "Eric Vyncke (evyncke)" <evyncke=40cisco.com@dmarc.ietf.org>
Cc: Michael Sweet <msweet@msweet.org>, 6man <ipv6@ietf.org>, Stuart Cheshire <cheshire@apple.com>, "Rob Wilton (rwilton)" <rwilton@cisco.com>, "Murray S. Kucherawy" <superuser@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000e8c05d0609399d9f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/1qZtVUJeKd9011Q3n3sxnXbVaPs>
Subject: Re: [IPv6] Link-local URI status (rfc6874bis)
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Nov 2023 06:28:56 -0000

No, that doesn't matter, it's fine if the name contains the separator. Only
the first one counts. An escape character is much harder to deal with.

(via tiny screen & keyboard)
Regards,
        Brian Carpenter

On Fri, 3 Nov 2023, 19:22 Eric Vyncke (evyncke), <evyncke=
40cisco.com@dmarc.ietf.org> wrote:

> Reacting to:
>
>
>
> > Thanks for reminding us of that draft. I'm agnostic about "+" versus
> "-" for this.
>
> > I've never really seen a reason for using the "IPvFuture" syntax in RFC
> 3986.
>
> > If we decide to replace the "%", that seems to be enough to resolve the
> parsing problem.
>
>
>
> With a big potential caveat that some interfaces may have a ‘-‘ in their
> names ?
>
>
>
> -éric (obviously no hat)
>
>
>
> *From: *ipv6 <ipv6-bounces@ietf.org> on behalf of Brian E Carpenter <
> brian.e.carpenter@gmail.com>
> *Date: *Thursday, 2 November 2023 at 20:41
> *To: *Michael Sweet <msweet@msweet.org>
> *Cc: *6man <ipv6@ietf.org>, Bob Hinden <bob.hinden@gmail.com>, Stuart
> Cheshire <cheshire@apple.com>, Rob Wilton (rwilton) <rwilton@cisco.com>,
> Murray S. Kucherawy <superuser@gmail.com>
> *Subject: *Re: [IPv6] Link-local URI status (rfc6874bis)
>
> Michael,
> On 02-Nov-23 16:04, Michael Sweet wrote:
> > Brian,
> >
> > Comments inline...
> >
> >> On Oct 31, 2023, at 10:02 PM, Brian E Carpenter <
> brian.e.carpenter@gmail.com> wrote:
> >> ...
> >> 2. Re Murray Kucherawy's DISCUSS:
> >>
> >> 2.1 The fact that almost no developers have decided to implement
> >> this so far seems non-blocking to me. For all the use cases listed in
> >> the draft, there is a user-side view that this just ought to work,
> >> and when it fails, this is perceived as a bug.
> >>
> >> Arguments that it's 'unimplementable' or 'insecure' deserve answers:
> >>
> >> 2.2 The 'unimplementable' argument is based on using the '%' sign
> >> as a separator, whereas its normal role in a URI is as an escape
> >> character. Roy Fielding has argued that there are many URI parsers
> >> around that handle percent-encoding in different ways (somewhat
> >> regardless of the formal ABNF syntax). As result, he asserts
> >> that stepwise introduction of the draft is impossible in practice.
> >>
> >> The draft argues that it doesn't matter if unmodified parsers
> >> throw an error if they see the new syntax, because that is what
> >> they do today anyway, so the new syntax can be deployed
> >> progressively.
> >>
> >> There is an alternative (discussed in this WG years ago):
> >> use a different separator, e.g. http://[fe80::1-eth0]
> >> This still requires URI parsers to be modified and progressively
> >> deployed, but without interacting with percent-encoding.
> >> That is mainly a simplification of the programming problem. It
> >> does have its own programming complication - the '-' must be
> >> replaced by '%' before making relevant socket calls.
> >
> > WRT this, CUPS first added support for the Fenner draft in January 2006:
> >
> >      https://datatracker.ietf.org/doc/html/draft-fenner-literal-zone-02
>
> Thanks for reminding us of that draft. I'm agnostic about "+" versus "-"
> for this. I've never really seen a reason for using the "IPvFuture" syntax
> in RFC 3986. If we decide to replace the "%", that seems to be enough to
> resolve the parsing problem.
>
> >
> > This format (scheme://[v1.fe80::0123:4567:89ab:cdef+eth0]/resource)
> requires rewriting ("+" to "%") and hasn't been an issue for implementation
> in the billions of IPP printers and client devices that use it...
> >
> > One advantage of using "-" instead of "%" is that it is both unambiguous
> (there is no other meaning for a "-" between the address and zone ID
> portions) and allows existing RFC 6874 implementations (like CUPS) to
> continue working unchanged and support the new "-" delimiter as well.
> >
> > Regardless, today you basically can't use IPv6 link local addresses in
> browsers at all.  Claiming that you can't add a new format because it
> wouldn't work everywhere immediately makes no sense - better stop
> developing new protocols and standards then...
>
> Yes. (But on a system such as Windows that implements a default Zone ID,
> you *can* use a link local address in any browser.)
>
> >
> >> 2.3 The 'security' argument is related to what the Web community
> >> calls Cross-Origin Resource Sharing (CORS). This is a very
> >> complex topic that I do not claim to understand and will not
> >> attempt to summarise here. IPv4 and IPv6 link-local address
> >> literals are considered problematic, like other IP addresses
> >> with local (a.k.a. private) scope, such as ULAs. The background
> >> is at https://wicg.github.io/private-network-access/.
> >
> > OK, so this is a little different from the normal CORS issues...
> >
> >> What I do not understand about this argument is that the CORS
> >> issue exists for http://[fe80::1] already, and as far as
> >> I can see is identical for http://[fe80::1%eth0]. If so,
> >> that is no reason to block rfc6874bis.
> >
> > Agreed.  I suspect that, for any numeric address, the answer for CORS is
> simply to compare any two address fields and if they match, it is the same
> origin, otherwise it is not.
>
> Right, but also fe80::1 and fe80::1 might be two different addresses, if
> they arrived via two different interfaces. Link-local is a bit special in
> that way.
>
> > If you have a FQDN, then any numeric address does not match.
> >
> > The zone ID can be part of this address string comparison because CORS
> applies to "security" restrictions the client browser is applying...
>
> Yes.
>
> >> ...
> >> 1. Drop the draft and leave the use cases unsolved.
> >
> > That's what was done back in 2005 and the problem hasn't gone away...
> >
> >> 2. Accept the change to http://[fe80::1-eth0] and push the
> >> IESG to dismiss the other objections as beside the point.
> >
> > See above.  I've always been uncomfortable with a bare "%" given that it
> has a special meaning in URLs, can be misinterpreted with numeric zone IDs,
> and isn't backwards-compatible with RFC 6874.  If using "-" is enough to
> get this draft advanced, I'd go for it.
>
> Ack.
>
> >
> >> 2a. Also undertake a major revision of RFC4007.
> >
> > Barn | Door | -------------------> Horse
>
> Yes, there is a lot of running code, but there are also some serious gaps
> in that RFC, and quite a bit of historical material. However, that's a
> problem for another day.
>
> Regards
>     Brian Carpenter
>
> >
> > ________________________
> > Michael Sweet
> >
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>

v2.23.0 | Report a Bug | By Email