Re: Link-local IPv6 addresses in URIs

Brian E Carpenter <> Mon, 14 November 2011 09:41 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 0EEB721F8DC8 for <>; Mon, 14 Nov 2011 01:41:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -103.268
X-Spam-Status: No, score=-103.268 tagged_above=-999 required=5 tests=[AWL=-0.268, BAYES_00=-2.599, J_CHICKENPOX_37=0.6, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id v5mcp+vCggST for <>; Mon, 14 Nov 2011 01:40:57 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 56EB021F8F3F for <>; Mon, 14 Nov 2011 01:40:27 -0800 (PST)
Received: by ywt34 with SMTP id 34so4510062ywt.31 for <>; Mon, 14 Nov 2011 01:40:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=gamma; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=gzLLpqvEVKha5yc4I8hBCYE0Mus6HYCbRUVJ9Jjc9VI=; b=qVzElKAWa7+fIVXiH/2oyUIHXrP2dfzCaKBnKw0Gc7uJxMFLYLpnFCMKa6KwR4qaA9 v2+u/ESXk3lsdf3tyCbWK5ZDqwDLjKDNZGA9PtgVbuFCfWuecuHP5nWnykel9gHhfr+T Ly/YjanjO7++MoX9rvYKoKmLqgHd7fUns40eg=
Received: by with SMTP id y48mr13287270yhl.17.1321263626388; Mon, 14 Nov 2011 01:40:26 -0800 (PST)
Received: from [] ( []) by with ESMTPS id l19sm59708466anc.14.2011. (version=SSLv3 cipher=OTHER); Mon, 14 Nov 2011 01:40:25 -0800 (PST)
Message-ID: <>
Date: Mon, 14 Nov 2011 22:40:13 +1300
From: Brian E Carpenter <>
Organization: University of Auckland
User-Agent: Thunderbird (Windows/20070728)
MIME-Version: 1.0
To: Kerry Lynn <>
Subject: Re: Link-local IPv6 addresses in URIs
References: <>
In-Reply-To: <>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: 6man <>
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 14 Nov 2011 09:41:24 -0000


On 2011-11-14 18:41, Kerry Lynn wrote:
> Greetings,
> I've noticed that a "bug" has re-appeared in Firefox:
> In older versions of Firefox (e.g. 3.6.23) it is possible to enter URIs of
> the form http://[fe80::206:98ff:fe00:232%tap0] in the
> location bar and get a positive result.  This capability is quite handy in
> simple testing scenarios and obviously requires the client and server
> to be on a common link (so I don't necessarily see how it creates a
> security risk.)
> According to a note attached to the bug, the regression occurred as a
> result of fixing a security bug:
> 504014 <>
> I don't seem to have access to that bug, so I don't know the complete
> rationale.  However, the note on 700999 says the title is "Enforce RFC
> 3986 syntax for IPv6 literals".  It goes on to say that RFC 3986
> "disallows" interface specifiers (a.k.a. zone indices:
> ).
> I don't see how a link-local address can be used in this context w/o
> using a zone index.  

As soon as there's more than one interface, there is an issue.

> Granted, RFC 3986 doesn't cover this case but
> it also doesn't prohibit it.  

Yes it does, because the ABNF for IPv6address is for an address, not
a scoped address. A scoped address would not conform to the ABNF, so
that amounts to a prohibition.

> This leads me to suspect it was an oversight,

This part of RFC 3986 derives from RFC 2732 (which had broken ABNF,
and didn't allow for a scoped address, because they didn't exist then).

> so I'm wondering if RFC 3986 needs to be updated to cover it link-
> local IPv6 literals?  If so, is there a reference that could be used to
> derive the necessary ABNF?

I don't believe so. The ABNF has never been extended to cover RFC 4007
as far as I know.

Getting RFC 3986 updated would be reasonably complicated I suspect.
It involves a chat with the W3C people for a start.