IETF Logo Mail Archive

Re: I-D Action: draft-ietf-6man-rfc6874bis-01.txt

Brian E Carpenter <brian.e.carpenter@gmail.com> Thu, 30 June 2022 21:54 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6190C157903 for <ipv6@ietfa.amsl.com>; Thu, 30 Jun 2022 14:54:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.981
X-Spam-Level:
X-Spam-Status: No, score=-8.981 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-1.876, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vGb7PoJrb_0l for <ipv6@ietfa.amsl.com>; Thu, 30 Jun 2022 14:53:59 -0700 (PDT)
Received: from mail-pj1-x1036.google.com (mail-pj1-x1036.google.com [IPv6:2607:f8b0:4864:20::1036]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 60BD1C14F739 for <ipv6@ietf.org>; Thu, 30 Jun 2022 14:53:59 -0700 (PDT)
Received: by mail-pj1-x1036.google.com with SMTP id w1-20020a17090a6b8100b001ef26ab992bso792535pjj.0 for <ipv6@ietf.org>; Thu, 30 Jun 2022 14:53:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=message-id:date:mime-version:user-agent:subject:content-language:to :cc:references:from:in-reply-to:content-transfer-encoding; bh=C1XnoAetc092Pr+KBgwQt11lkhynfFLN/lqTB4kZWTk=; b=NQoUT6LtBpIun5ZQJwHQu5Fa8579uR/9/odr6z9ZDbfyktojgi81UBLOu/QZMJI0s5 eq70vAXTtXDTR55VirOLMscmIb1Qd+RNUcW4DMVx6L3OppKkQdsDtHO4jHLMeAs62mED 7JAC6m6Dd9zkfO+KENi/h52iacTMCqDoXTzBj41WwTA4xzp6U7z4bc0usbcfRt8tGXO4 3GJHloKf2cdcRGNLa2mmtrPiPhTR9iv/uOXi1HiE+1EgWoVNJqJacT90CA1x2ithLNIV blL+CElxeEEh03+lycAVJlZY2wc2cfvVMg9myWZMi4KiEuxFEaNkQYFQVIOVme/8fy1K 6n8A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent:subject :content-language:to:cc:references:from:in-reply-to :content-transfer-encoding; bh=C1XnoAetc092Pr+KBgwQt11lkhynfFLN/lqTB4kZWTk=; b=n1lJj7vqiyMzxRyzR3ORVJL8cVAuDWi1XQKJ6ExEiR5PQ66brPd/DavbA5MmLr/Pqz 37zahLCTN2y0JMoEoVlE9opkNA+HKh1fmikTyw2m/Wq8NNmA/L06cLY1fDfo5q+hgN+3 ra3qJRjDqlNb9DsoWfh9/9Lmfa7Gyh9N4AZfQDpiEtLTfatKyX1JvEo9QVcrvDN7EmAa RjEx1IaLGfGgvYOtUAp54QfMMwiOdmvZv9FTah98NVi0hrWSMLPrkjJJF2gXuJyUduLw vyqEtMC3u1POafAC6d+UPPvc0Koq59Yx09DDw3tMvsoFMic3rnwFJ7HZVWiap2YLWuGS AIGw==
X-Gm-Message-State: AJIora8ZY4OtrBTGMmGOfqLbb4NPEyiWkBjfTlMx7YzQzyG++wYttffx CEPGBcP7g1MbeBfYkJ0nlXk=
X-Google-Smtp-Source: AGRyM1vaF9OIPNpGjfXQei74rUu9aSckF0mvzUJuN0fKF5Nu7eVUUzJaydAisScVtDXFxT9GD+m/Bg==
X-Received: by 2002:a17:90a:9401:b0:1ee:e31f:7523 with SMTP id r1-20020a17090a940100b001eee31f7523mr12205813pjo.175.1656626038800; Thu, 30 Jun 2022 14:53:58 -0700 (PDT)
Received: from ?IPV6:2406:e003:1124:9301:80b2:5c79:2266:e431? ([2406:e003:1124:9301:80b2:5c79:2266:e431]) by smtp.gmail.com with ESMTPSA id a11-20020a1709027e4b00b0016a3b5a46f0sm14011879pln.241.2022.06.30.14.53.56 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 30 Jun 2022 14:53:58 -0700 (PDT)
Message-ID: <1b98520c-6fb8-330d-91e1-64377e8bea1e@gmail.com>
Date: Fri, 01 Jul 2022 09:53:53 +1200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.10.0
Subject: Re: I-D Action: draft-ietf-6man-rfc6874bis-01.txt
Content-Language: en-US
To: Ted Lemon <mellon@fugue.com>, Vasilenko Eduard <vasilenko.eduard@huawei.com>
Cc: Vasilenko Eduard <vasilenko.eduard=40huawei.com@dmarc.ietf.org>, 6man WG <ipv6@ietf.org>
References: <164938402532.17740.11717866110301931501@ietfa.amsl.com> <b1780128-2069-b32e-7ca5-86977c119f0c@gmail.com> <11d4e419-11a9-8768-abf2-1335e5f1c3d8@gmail.com> <f650c051650b4e5891b80dafb2dfaaaa@huawei.com> <CANMZLAZPuA_Yey4tG0orU0m5Y3rmZhB84p8Pk_aXhu707mygNA@mail.gmail.com> <2de18ad0ef784ad19148d215221178a4@huawei.com> <CAPt1N1nhzYCZB88GfMxh8Txf8qDTVjQPdkh8di22a+D2ipwZ0w@mail.gmail.com> <d02b8bcd4a454790a93c9426b267109c@huawei.com> <CAPt1N1=xgWceDCaaR9QMFJBWi2tGmF+G7Rx6z2vOM+gaG0He9w@mail.gmail.com> <525ef64d48cf425ea91b278cc0f28624@huawei.com> <CAPt1N1=4LxEeD9u84WZ4tZADnEiby1aXU1HmHY6NDBQTBjuo9g@mail.gmail.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
In-Reply-To: <CAPt1N1=4LxEeD9u84WZ4tZADnEiby1aXU1HmHY6NDBQTBjuo9g@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: base64
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/5kzPEH6NcHKQX9ODbJImyMHvI1Q>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jun 2022 21:54:03 -0000

It's true, and you can find snippets of Javascript for this on stackexchange and such places.

But for the purpose of rfc6874bis, all we care about is whether the proposed new format makes things worse. If someone wants to draft an RFC on scripting attacks in the context of RFC7707, that's great, but it's not this draft.

Regards
    Brian

On 01-Jul-22 04:44, Ted Lemon wrote:
> Yes, that will work for GUAs, as I said earlier. :)
> 
> On Thu, Jun 30, 2022 at 9:06 AM Vasilenko Eduard <vasilenko.eduard@huawei.com <mailto:vasilenko.eduard@huawei.com>> wrote:
> 
>     Thanks Ted. Good to know.____
> 
>     What about opening a session to https://whatismyipaddress.com <https://whatismyipaddress.com> or similar? (from the victim)____
> 
>     /64 is easy to assume.____
> 
>     Ed/____
> 
>     *From:*Ted Lemon [mailto:mellon@fugue.com <mailto:mellon@fugue.com>]
>     *Sent:* Thursday, June 30, 2022 6:19 PM
>     *To:* Vasilenko Eduard <vasilenko.eduard@huawei.com <mailto:vasilenko.eduard@huawei.com>>
>     *Cc:* Vasilenko Eduard <vasilenko.eduard=40huawei.com@dmarc.ietf.org <mailto:40huawei.com@dmarc.ietf.org>>; 6man WG <ipv6@ietf.org <mailto:ipv6@ietf.org>>
>     *Subject:* Re: I-D Action: draft-ietf-6man-rfc6874bis-01.txt____
> 
>     __ __
> 
>     At least according to Stack Overflow, no such API exists in web browsers. It used to be possible to use WebRTC for this, but apparently that has been fixed.____
> 
>     __ __
> 
>     On Thu, Jun 30, 2022 at 6:33 AM Vasilenko Eduard <vasilenko.eduard@huawei.com <mailto:vasilenko.eduard@huawei.com>> wrote:____
> 
>         We are talking about malicious script in the browser on the victim client.____
> 
>         It could ask the OS about available GUA addresses.____
> 
>         No need to guess.____
> 
>         Ed/____
> 
>         *From:*ipv6 [mailto:ipv6-bounces@ietf.org <mailto:ipv6-bounces@ietf.org>] *On Behalf Of *Ted Lemon
>         *Sent:* Thursday, June 30, 2022 3:45 PM
>         *To:* Vasilenko Eduard <vasilenko.eduard=40huawei.com@dmarc.ietf.org <mailto:40huawei.com@dmarc.ietf.org>>
>         *Cc:* 6man WG <ipv6@ietf.org <mailto:ipv6@ietf.org>>
>         *Subject:* Re: I-D Action: draft-ietf-6man-rfc6874bis-01.txt____
> 
>         ____
> 
>         With GUA/ULA you have to guess the prefix. LLAs all share the same prefix. So you have a lot fewer bits to guess with a LLA. Of course, you might be able to get the GUA prefix by connecting to some service, but this won’t work for ULA. ____
> 
>         ____
> 
>         On Thu, Jun 30, 2022 at 03:37 Vasilenko Eduard <vasilenko.eduard=40huawei.com@dmarc.ietf.org <mailto:40huawei.com@dmarc.ietf.org>> wrote:____
> 
>             I do not see the difference from the scan of the local GUA/ULA subnet (it does not need a zone too).____
> 
>             Why improve security only for LLA, leaving GUA/ULA with the same level of security?____
> 
>             IMHO: it does not make sense. The attacker would scan GUA/ULA if LLA is more difficult. He would get his result anyway.____
> 
>             ____
> 
>             Moreover, the interface name is a challenge only for the legitimate user.____
> 
>             An attacker could easily find the type of the operating system and guess it.____
> 
>             It is weak protection against attacker.____
> 
>             ____
> 
>             Moreover2, a daemon to listen for port 80 would have much more probability to be connected to GUA/ULA, not LLA.____
> 
>             The attacker would probably start scanning from GUA anyway.____
> 
>             ____
> 
>             Hence, better to give the user more convenience because security is not possible to improve in this way.____
> 
>             Ed/____
> 
>             *From:*Brian Carpenter [mailto:brian.e.carpenter@gmail.com <mailto:brian.e.carpenter@gmail.com>]
>             *Sent:* Thursday, June 30, 2022 1:03 PM
>             *To:* Vasilenko Eduard <vasilenko.eduard@huawei.com <mailto:vasilenko.eduard@huawei.com>>
>             *Cc:* 6man WG <ipv6@ietf.org <mailto:ipv6@ietf.org>>
>             *Subject:* Re: I-D Action: draft-ietf-6man-rfc6874bis-01.txt____
> 
>             ____
> 
>             There is an opposite argument: supporting a default zone makes an attack easier because the zone does not need to to be guessed.____
> 
>             Windows does exactly what you suggest, by the way; I could not run my tests on Linux.____
> 
>             Regards,
>                  Brian Carpenter
>                  (via tiny screen & keyboard)
>             ____
> 
>             ____
> 
>             On Thu, 30 Jun 2022, 21:22 Vasilenko Eduard, <vasilenko.eduard@huawei.com <mailto:vasilenko.eduard@huawei.com>> wrote:____
> 
>                 Hi Brian,
>                 Just one small idea: does it make sense to request
>                 "All applications claiming support for this document SHOULD choose one LLA zone as the default.
>                 If the user would omit the zone for the literal request to fe80:: then the application SHOULD use the default zone".
>                 It would greatly simplify life for many users because they have only one interface on the host - they would never need to investigate the name of the zone that is very OS-specific.
> 
>                 I do not like the request in RFC 4007:
>                 index value zero at each scope SHOULD be reserved to mean "use the default zone"
>                 IMHO: it is much better to omit the zone name completely to get access to the default zone.
>                 People may not know that zone 0 has a special meaning.
> 
>                 Formally, what I have proposed does not contradict RFC 4007
>                 Because the default zone could be omitted and could be 0 at the same time
>                 (both would lead to the same default zone).
> 
>                 If you would say "No" to this request
>                 Then please, repeat RFC 4007 that the default zone SHOULD be and SHOULD be "0".
>                 Please, remind people of this fact.
>                 Eduard
>                 -----Original Message-----
>                 From: ipv6 [mailto:ipv6-bounces@ietf.org <mailto:ipv6-bounces@ietf.org>] On Behalf Of Brian E Carpenter
>                 Sent: Thursday, May 19, 2022 3:53 AM
>                 To: ipv6@ietf.org <mailto:ipv6@ietf.org>
>                 Subject: Re: I-D Action: draft-ietf-6man-rfc6874bis-01.txt
> 
>                 There's been no more discussion for several weeks. Can we move on to a WG Last Call?
> 
>                 Regards
>                      Brian Carpenter
>                 On 08-Apr-22 14:29, Brian E Carpenter wrote:
>                  > Hi,
>                  >
>                  > This version reflects comments at the IETF and on the list.
>                  > Change log:
>                  > * Extended use cases (added Microsoft WSD)
>                  > * Clarified relationship with RFC3986 language
>                  > * Allow for legacy use of RFC6874 format
>                  > * Augmented security considerations
>                  > * Editorial and reference improvements
>                  >
>                  > Note that some of the text about RFC3986 that Shang Ye suggested to
>                  > remove has been retained, but modified. Further comments about this,
>                  > or any other aspect, are very welcome.
>                  >
>                  > Regards
>                  >      Brian + co-authors
>                  >
>                  > On 08-Apr-22 14:13, internet-drafts@ietf.org <mailto:internet-drafts@ietf.org> wrote:
>                  >>
>                  >> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>                  >> This draft is a work item of the IPv6 Maintenance WG of the IETF.
>                  >>
>                  >>           Title           : Representing IPv6 Zone Identifiers in Address Literals and Uniform Resource Identifiers
>                  >>           Authors         : Brian Carpenter
>                  >>                             Stuart Cheshire
>                  >>                             Robert M. Hinden
>                  >>      Filename        : draft-ietf-6man-rfc6874bis-01.txt
>                  >>      Pages           : 13
>                  >>      Date            : 2022-04-07
>                  >>
>                  >> Abstract:
>                  >>      This document describes how the zone identifier of an IPv6 scoped
>                  >>      address, defined as <zone_id> in the IPv6 Scoped Address Architecture
>                  >>      (RFC 4007), can be represented in a literal IPv6 address and in a
>                  >>      Uniform Resource Identifier that includes such a literal address.  It
>                  >>      updates the URI Generic Syntax and Internationalized Resource
>                  >>      Identifier specifications (RFC 3986, RFC 3987) accordingly, and
>                  >>      obsoletes RFC 6874.
>                  >>
>                  >>
>                  >> The IETF datatracker status page for this draft is:
>                  >> https://datatracker.ietf.org/doc/draft-ietf-6man-rfc6874bis/ <https://datatracker.ietf.org/doc/draft-ietf-6man-rfc6874bis/>
>                  >>
>                  >> There is also an HTML version available at:
>                  >> https://www.ietf.org/archive/id/draft-ietf-6man-rfc6874bis-01.html <https://www.ietf.org/archive/id/draft-ietf-6man-rfc6874bis-01.html>
>                  >>
>                  >> A diff from the previous version is available at:
>                  >> https://www.ietf.org/rfcdiff?url2=draft-ietf-6man-rfc6874bis-01 <https://www.ietf.org/rfcdiff?url2=draft-ietf-6man-rfc6874bis-01>
>                  >>
>                  >>
>                  >> Internet-Drafts are also available by rsync at
>                  >> rsync.ietf.org::internet-drafts
>                  >>
>                  >>
>                  >> _______________________________________________
>                  >> I-D-Announce mailing list
>                  >> I-D-Announce@ietf.org <mailto:I-D-Announce@ietf.org>
>                  >> https://www.ietf.org/mailman/listinfo/i-d-announce <https://www.ietf.org/mailman/listinfo/i-d-announce>
>                  >> Internet-Draft directories: http://www.ietf.org/shadow.html <http://www.ietf.org/shadow.html> or
>                  >> ftp://ftp.ietf.org/ietf/1shadow-sites.txt <ftp://ftp.ietf.org/ietf/1shadow-sites.txt>
>                  >>
> 
>                 --------------------------------------------------------------------
>                 IETF IPv6 working group mailing list
>                 ipv6@ietf.org <mailto:ipv6@ietf.org>
>                 Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 <https://www.ietf.org/mailman/listinfo/ipv6>
>                 --------------------------------------------------------------------____
> 
>             --------------------------------------------------------------------
>             IETF IPv6 working group mailing list
>             ipv6@ietf.org <mailto:ipv6@ietf.org>
>             Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 <https://www.ietf.org/mailman/listinfo/ipv6>
>             --------------------------------------------------------------------____
> 
> 
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email