Re: [IPv6] Link-local URI status (rfc6874bis)
Brian Carpenter <brian.e.carpenter@gmail.com> Fri, 03 November 2023 06:28 UTC
Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 319A5C16F3FA for <ipv6@ietfa.amsl.com>; Thu, 2 Nov 2023 23:28:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y8Msc_Mt8B_A for <ipv6@ietfa.amsl.com>; Thu, 2 Nov 2023 23:28:52 -0700 (PDT)
Received: from mail-ua1-x930.google.com (mail-ua1-x930.google.com [IPv6:2607:f8b0:4864:20::930]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 92C52C16F3FC for <ipv6@ietf.org>; Thu, 2 Nov 2023 23:28:48 -0700 (PDT)
Received: by mail-ua1-x930.google.com with SMTP id a1e0cc1a2514c-7baba7de286so501213241.2 for <ipv6@ietf.org>; Thu, 02 Nov 2023 23:28:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1698992927; x=1699597727; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=lAWvZpW0xEXT9weJVGPFWySephlsXiOpQ5AjCPm48cg=; b=hY9bHs1KKU/fgbV6sCWsdxbE/ihe/KsjWDiV64OpIg+UCFROOFPlBuYi/rJLtY2Ggc 4axmegj2BzBdSiRULaH0p/MziC7xpOW9+SPIYjWCtGGNJ45TXP0rcGvkZXwcAPUUfSlt WAcvt2OGSu6l60NI4pH0b2JuyVhlmJ/Ti45Fuzqhsos+GIkafZDn/M8/uy+5UWMgugnY j11g3VOSmhXwyUwEQ9JXZc+rC8OeCHrKoIzl/Ht/qAqM8r4GaDEY1txRSbWVIESV01EP 952JZ+stPh7SWom3qax4NwYmAd43idLgpXM+acLJ/vsblUAFxZ/6tFiYDT+hZwCqBp8o x22A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1698992927; x=1699597727; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=lAWvZpW0xEXT9weJVGPFWySephlsXiOpQ5AjCPm48cg=; b=QPjkLh2dej57uXw3LAqnxkTsKxu9IiBSkHxaxmXLoUTlNTM0+Syz+Lc59UamHVz4PF Ob1j7s3fxlB82AGrpnDdy7nJvDPUUmzpyVPXnMug4Ll3UtddYKhEHOdHahUQ6vW2wuNa uQ0CeIS4Z65oDiuV/1ZDIw8yDdwki7ycYXGbxzBVb3l4xi+Tt99Oa6ujagcku2BX/xZ8 ffodw83jhC1ym7QsJT1TsJdysuNPSFXeJSdqT9t3bmdu/FEFMEfn1LH0yhA/sR6N8swS X9c7JJkG8ZOpoFVVNo7CxqeCHOIvpVlyY0tgonY9s6qiXqnMzKlyeh9bL28sVkf2sI1k Dz1Q==
X-Gm-Message-State: AOJu0YyrsEzZQIpGFOz1dn7813Jf4tOoXNpR4Ab0d7zIj0X6EdfMGf/5 N7V76o4Fh09ZUWB6Kly1SWa2FQW8L938vA5Xpog=
X-Google-Smtp-Source: AGHT+IFHXNsjsP6rgnQIecqIDcitvAxEkRuZchqbVdWxc8WEdB/cSHcB8QyZbfUzRfyK5ZnZWCshP92J4xd3px4UFLs=
X-Received: by 2002:a67:c21d:0:b0:45b:f938:26c5 with SMTP id i29-20020a67c21d000000b0045bf93826c5mr9010634vsj.12.1698992927323; Thu, 02 Nov 2023 23:28:47 -0700 (PDT)
MIME-Version: 1.0
References: <17352fa3-c3c9-3cc3-27f2-f8f57dfff383@gmail.com> <5B3DDEB8-36F1-428C-89AA-B765A600824A@msweet.org> <d9a6f288-058c-10d2-43dd-ffbd7a8959c7@gmail.com> <PH0PR11MB49662B93E5241CEB7906858BA9A5A@PH0PR11MB4966.namprd11.prod.outlook.com>
In-Reply-To: <PH0PR11MB49662B93E5241CEB7906858BA9A5A@PH0PR11MB4966.namprd11.prod.outlook.com>
From: Brian Carpenter <brian.e.carpenter@gmail.com>
Date: Fri, 03 Nov 2023 19:28:35 +1300
Message-ID: <CANMZLAY4-kvkSap79=AeWKOcnkq3=frcuxtz9N8PA4KWs+kPaA@mail.gmail.com>
To: "Eric Vyncke (evyncke)" <evyncke=40cisco.com@dmarc.ietf.org>
Cc: Michael Sweet <msweet@msweet.org>, 6man <ipv6@ietf.org>, Stuart Cheshire <cheshire@apple.com>, "Rob Wilton (rwilton)" <rwilton@cisco.com>, "Murray S. Kucherawy" <superuser@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000e8c05d0609399d9f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/1qZtVUJeKd9011Q3n3sxnXbVaPs>
Subject: Re: [IPv6] Link-local URI status (rfc6874bis)
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Nov 2023 06:28:56 -0000
No, that doesn't matter, it's fine if the name contains the separator. Only the first one counts. An escape character is much harder to deal with. (via tiny screen & keyboard) Regards, Brian Carpenter On Fri, 3 Nov 2023, 19:22 Eric Vyncke (evyncke), <evyncke= 40cisco.com@dmarc.ietf.org> wrote: > Reacting to: > > > > > Thanks for reminding us of that draft. I'm agnostic about "+" versus > "-" for this. > > > I've never really seen a reason for using the "IPvFuture" syntax in RFC > 3986. > > > If we decide to replace the "%", that seems to be enough to resolve the > parsing problem. > > > > With a big potential caveat that some interfaces may have a ‘-‘ in their > names ? > > > > -éric (obviously no hat) > > > > *From: *ipv6 <ipv6-bounces@ietf.org> on behalf of Brian E Carpenter < > brian.e.carpenter@gmail.com> > *Date: *Thursday, 2 November 2023 at 20:41 > *To: *Michael Sweet <msweet@msweet.org> > *Cc: *6man <ipv6@ietf.org>, Bob Hinden <bob.hinden@gmail.com>, Stuart > Cheshire <cheshire@apple.com>, Rob Wilton (rwilton) <rwilton@cisco.com>, > Murray S. Kucherawy <superuser@gmail.com> > *Subject: *Re: [IPv6] Link-local URI status (rfc6874bis) > > Michael, > On 02-Nov-23 16:04, Michael Sweet wrote: > > Brian, > > > > Comments inline... > > > >> On Oct 31, 2023, at 10:02 PM, Brian E Carpenter < > brian.e.carpenter@gmail.com> wrote: > >> ... > >> 2. Re Murray Kucherawy's DISCUSS: > >> > >> 2.1 The fact that almost no developers have decided to implement > >> this so far seems non-blocking to me. For all the use cases listed in > >> the draft, there is a user-side view that this just ought to work, > >> and when it fails, this is perceived as a bug. > >> > >> Arguments that it's 'unimplementable' or 'insecure' deserve answers: > >> > >> 2.2 The 'unimplementable' argument is based on using the '%' sign > >> as a separator, whereas its normal role in a URI is as an escape > >> character. Roy Fielding has argued that there are many URI parsers > >> around that handle percent-encoding in different ways (somewhat > >> regardless of the formal ABNF syntax). As result, he asserts > >> that stepwise introduction of the draft is impossible in practice. > >> > >> The draft argues that it doesn't matter if unmodified parsers > >> throw an error if they see the new syntax, because that is what > >> they do today anyway, so the new syntax can be deployed > >> progressively. > >> > >> There is an alternative (discussed in this WG years ago): > >> use a different separator, e.g. http://[fe80::1-eth0] > >> This still requires URI parsers to be modified and progressively > >> deployed, but without interacting with percent-encoding. > >> That is mainly a simplification of the programming problem. It > >> does have its own programming complication - the '-' must be > >> replaced by '%' before making relevant socket calls. > > > > WRT this, CUPS first added support for the Fenner draft in January 2006: > > > > https://datatracker.ietf.org/doc/html/draft-fenner-literal-zone-02 > > Thanks for reminding us of that draft. I'm agnostic about "+" versus "-" > for this. I've never really seen a reason for using the "IPvFuture" syntax > in RFC 3986. If we decide to replace the "%", that seems to be enough to > resolve the parsing problem. > > > > > This format (scheme://[v1.fe80::0123:4567:89ab:cdef+eth0]/resource) > requires rewriting ("+" to "%") and hasn't been an issue for implementation > in the billions of IPP printers and client devices that use it... > > > > One advantage of using "-" instead of "%" is that it is both unambiguous > (there is no other meaning for a "-" between the address and zone ID > portions) and allows existing RFC 6874 implementations (like CUPS) to > continue working unchanged and support the new "-" delimiter as well. > > > > Regardless, today you basically can't use IPv6 link local addresses in > browsers at all. Claiming that you can't add a new format because it > wouldn't work everywhere immediately makes no sense - better stop > developing new protocols and standards then... > > Yes. (But on a system such as Windows that implements a default Zone ID, > you *can* use a link local address in any browser.) > > > > >> 2.3 The 'security' argument is related to what the Web community > >> calls Cross-Origin Resource Sharing (CORS). This is a very > >> complex topic that I do not claim to understand and will not > >> attempt to summarise here. IPv4 and IPv6 link-local address > >> literals are considered problematic, like other IP addresses > >> with local (a.k.a. private) scope, such as ULAs. The background > >> is at https://wicg.github.io/private-network-access/. > > > > OK, so this is a little different from the normal CORS issues... > > > >> What I do not understand about this argument is that the CORS > >> issue exists for http://[fe80::1] already, and as far as > >> I can see is identical for http://[fe80::1%eth0]. If so, > >> that is no reason to block rfc6874bis. > > > > Agreed. I suspect that, for any numeric address, the answer for CORS is > simply to compare any two address fields and if they match, it is the same > origin, otherwise it is not. > > Right, but also fe80::1 and fe80::1 might be two different addresses, if > they arrived via two different interfaces. Link-local is a bit special in > that way. > > > If you have a FQDN, then any numeric address does not match. > > > > The zone ID can be part of this address string comparison because CORS > applies to "security" restrictions the client browser is applying... > > Yes. > > >> ... > >> 1. Drop the draft and leave the use cases unsolved. > > > > That's what was done back in 2005 and the problem hasn't gone away... > > > >> 2. Accept the change to http://[fe80::1-eth0] and push the > >> IESG to dismiss the other objections as beside the point. > > > > See above. I've always been uncomfortable with a bare "%" given that it > has a special meaning in URLs, can be misinterpreted with numeric zone IDs, > and isn't backwards-compatible with RFC 6874. If using "-" is enough to > get this draft advanced, I'd go for it. > > Ack. > > > > >> 2a. Also undertake a major revision of RFC4007. > > > > Barn | Door | -------------------> Horse > > Yes, there is a lot of running code, but there are also some serious gaps > in that RFC, and quite a bit of historical material. However, that's a > problem for another day. > > Regards > Brian Carpenter > > > > > ________________________ > > Michael Sweet > > > -------------------------------------------------------------------- > IETF IPv6 working group mailing list > ipv6@ietf.org > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 > -------------------------------------------------------------------- > -------------------------------------------------------------------- > IETF IPv6 working group mailing list > ipv6@ietf.org > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 > -------------------------------------------------------------------- >
- [IPv6] Link-local URI status (rfc6874bis) Brian E Carpenter
- Re: [IPv6] Link-local URI status (rfc6874bis) Carsten Bormann
- Re: [IPv6] Link-local URI status (rfc6874bis) Brian E Carpenter
- Re: [IPv6] Link-local URI status (rfc6874bis) Michael Richardson
- Re: [IPv6] Link-local URI status (rfc6874bis) Michael Sweet
- Re: [IPv6] Link-local URI status (rfc6874bis) Brian E Carpenter
- Re: [IPv6] Link-local URI status (rfc6874bis) Brian E Carpenter
- Re: [IPv6] Link-local URI status (rfc6874bis) Michael Sweet
- Re: [IPv6] Link-local URI status (rfc6874bis) Michael Sweet
- Re: [IPv6] Link-local URI status (rfc6874bis) Brian E Carpenter
- Re: [IPv6] Link-local URI status (rfc6874bis) Eric Vyncke (evyncke)
- Re: [IPv6] Link-local URI status (rfc6874bis) Brian Carpenter
- Re: [IPv6] Link-local URI status (rfc6874bis) Michael Richardson
- Re: [IPv6] Link-local URI status (rfc6874bis) Erik Nygren
- Re: [IPv6] Link-local URI status (rfc6874bis) Brian E Carpenter