Re: WG Last Call for for draft-ietf-6man-rfc6874bis
Brian E Carpenter <brian.e.carpenter@gmail.com> Fri, 17 June 2022 02:55 UTC
Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C0ADC14CF1F for <ipv6@ietfa.amsl.com>; Thu, 16 Jun 2022 19:55:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.984
X-Spam-Level:
X-Spam-Status: No, score=-3.984 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-1.876, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h0QDoCcJIAMr for <ipv6@ietfa.amsl.com>; Thu, 16 Jun 2022 19:55:21 -0700 (PDT)
Received: from mail-pj1-x102f.google.com (mail-pj1-x102f.google.com [IPv6:2607:f8b0:4864:20::102f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B7269C14F6E7 for <ipv6@ietf.org>; Thu, 16 Jun 2022 19:55:21 -0700 (PDT)
Received: by mail-pj1-x102f.google.com with SMTP id o7-20020a17090a0a0700b001ebad897457so1979982pjo.0 for <ipv6@ietf.org>; Thu, 16 Jun 2022 19:55:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=message-id:date:mime-version:user-agent:subject:content-language:to :references:from:in-reply-to:content-transfer-encoding; bh=8TZAnZKMm3vi7HHdYQMmG7HzLHoZrGRl0qm4iTB0G08=; b=IJplerLXcdCtBuF/mv6Zrec0VbRH5wte+sFSnUmziv707KnO8NEIkfFEcJ7ag4knAW 2Dv7LgptB0YyIbdoVVl/pmWjpPCUzGWaUws0BXE11nHDXSL7uuwdfS1gkPuXUakYZnSS 3sMw7J5BKcWqnNtkrlseaZxXUzO1XzIh49Bd1blVEk4VwXqLLIikaARUBYUrfkisvb37 H6jA92a3ACky1+3bfn7NGUCaCYyxl8ju+TMhnXe+BeDC8kaPGAyZ6Lk4YjDSPchDjIDd c4Zzugl3eTiIrX+xgtbor+xppV7LgCUhp3aM6E3WBWW39ZQ10LvwxVAvFd9ZwHyEWHQs EHhg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent:subject :content-language:to:references:from:in-reply-to :content-transfer-encoding; bh=8TZAnZKMm3vi7HHdYQMmG7HzLHoZrGRl0qm4iTB0G08=; b=HqzuEeXB1ipeROKBFNy1PveC4tckpgWarBj1PO6OLx4cZdraWMZrzSStW740F6kYo8 9NwZr/d4RKkhmTByvxahIiZcNt+GsY7fo8nafu9daNaOfzsVWeMs4Dd4btys4dkmDcGB GlOBnFhuJvElKUBExOB3+4eFu46OlfyXh2jNtyKOzHyzUbx2d4qLufv2ZCjaLCKGi41W kwexri+l5Rp7faIhlYmbD5zXTiYWPzWSA+hE5ujLrnJKBUOgIywq+uU7VIUtPnkc62bQ OznkAeRZ0ArYyZydEYE6ofAnAiQ2qIqlLm+vqze+zEF88UCJRaGGWtLNlBwkdgwr/RDC DuMg==
X-Gm-Message-State: AJIora8TLesPjI9vNiiZTuf0bzsEf35mlQsTXK716NJTgMsYbBjSiLza dwFofKGKNaIvhdQKNWXQ3dxA6o757IUT3UQh
X-Google-Smtp-Source: AGRyM1uiP70uQrRbscaciH5tBnp0T4f+UE/3fe66me2zH35nbETqQieE1113Rd8I/LiBWVde2QR+sg==
X-Received: by 2002:a17:902:eac6:b0:168:da4b:61e8 with SMTP id p6-20020a170902eac600b00168da4b61e8mr7578719pld.109.1655434520798; Thu, 16 Jun 2022 19:55:20 -0700 (PDT)
Received: from ?IPV6:2406:e003:1124:9301:80b2:5c79:2266:e431? ([2406:e003:1124:9301:80b2:5c79:2266:e431]) by smtp.gmail.com with ESMTPSA id 15-20020aa7924f000000b0050dc76281d3sm2494895pfp.173.2022.06.16.19.55.18 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 16 Jun 2022 19:55:19 -0700 (PDT)
Message-ID: <223eeed3-40f0-1958-5df4-a6b310a29706@gmail.com>
Date: Fri, 17 Jun 2022 14:55:16 +1200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.10.0
Subject: Re: WG Last Call for for draft-ietf-6man-rfc6874bis
Content-Language: en-US
To: Ted Lemon <mellon@fugue.com>, 6man <ipv6@ietf.org>
References: <CAFU7BAQVr_UMK_v7O7DGTV363j7q25X9GwrgraTEypzq_Lz3gQ@mail.gmail.com> <CAPt1N1m+g8Yu9rPyvfvrxG_bST_9_z3siByOCsMmeTpWAfAiZA@mail.gmail.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
In-Reply-To: <CAPt1N1m+g8Yu9rPyvfvrxG_bST_9_z3siByOCsMmeTpWAfAiZA@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: base64
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/Qtdd6inrjZKiKOygH6Y2Aav-z5A>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Jun 2022 02:55:25 -0000
Hi Ted,
On 17-Jun-22 01:36, Ted Lemon wrote:
>> The URI syntax specification[RFC3986 <https://www.ietf.org/archive/id/draft-ietf-6man-rfc6874bis-01.html#RFC3986>]states that URIs have a global scope, but that in some cases their interpretation depends on the end-user's context. URIs including a zone identifier are to be interpreted only in the context of the host at which they originate, since the zone identifier is of local significance only.
>
>
> Does this mean that when a browser loads a web page, and that web page contains IPv6 address literal URIs with zone identifiers, and the source of the web page was not the local host, the URIs are un-interpretable? That is, what does "at which they originate" mean?
Hmm. I think it needs to be more explicitly worded.
If I create an HTML document that includes
<a href="http://[fe80::2ea3:fdff:fea4:dde7%7]">Brian's CE router</a>
and I then open that document with my browser, I would be able to open my CE's web interface from that document. But if I send that document to you, the URL will appear valid but will be useless.
In fact, on any o/s that supports a default zone for link-local addresses, this works today (at least with FireFox):
<a href="http://[fe80::2ea3:fdff:fea4:dde7]">Brian's CE router (no zone)</a>
However, that won't do anything useful for you unless by chance such an address exists on your LAN.
>> It is desirable for all URI parsers to recognise a zone identifier according to the syntax defined inSection 3 <https://www.ietf.org/archive/id/draft-ietf-6man-rfc6874bis-01.html#spec>. Any code handling percent-encoding or percent-decoding must be aware that the "%" character preceding the zone identifier is never itself percent-encoded, as specified by ABNF above. In terms of Section 2.4 of[RFC3986 <https://www.ietf.org/archive/id/draft-ietf-6man-rfc6874bis-01.html#RFC3986>], this "%" character is acting as a delimiter, not as data.
>
>
> Would it be correct to say that the text within an IPv6 address literal never contains percent-encodings? If so, then it might be less complicated to just say that. I think a parser that follows this rule would be more regular than one that doesn't make this restriction and does allow percent encoding within the literal except in the case of the stated exception.
That's what the proposed ABNF is supposed to say. We should clarify the text a bit more.
>
>> The various use cases for the zone identifier syntax will cause it to be entered in a browser's input dialogue box.
>
>
> Do you mean "the zone identifier syntax is only expected to be entered in the browser's dialog box: there is no use case for such a URI appearing elsewhere?" Or at least "The various use cases for the zone identifier syntax all involve entering it in the browser's input dialogue box?" I feel very uncomfortable with "cause" in this sentence.
Yes, will rephrase.
>
> In the security considerations section, I think if the syntax were only allowed in the case of input into the browser's dialog box, then most of the possible attacks would go away. If there is no anticipated use case other than manual input (perhaps a scripted input would also count) then unless the script would be allowed to open the URI but not otherwise probe IPv6 address literals, it's hard to see what additional vulnerability this would create.
I still have to review Phillip Tiesel's comment carefully, but if there is a real exploit, I'm pretty sure it would have to be Javascript, trying to find other devices on the LAN. I'm not sure why that would be more interesting than trying to find other devices with routeable IPv6 addresses in the same prefix, which is feasible today (and the reason why we recommend pseudo-random interface IDs). And at least on a Windows target, you don't need a Zone ID, so you could do it today. But the search space is still 2^64 in all cases. That's our primary defence against such attacks.
I can, however, see use cases where embedding such a URL in a web page would actually be useful to a service technician, so I'm fairly sure that saying "don't do this" won't work.
>
> Anyway, overall I think the document is good and the above are all nits, not reasons not to publish. So I support publishing the document. Thanks for doing the work!
Thanks,
Brian
- WG Last Call for for draft-ietf-6man-rfc6874bis Jen Linkova
- Re: WG Last Call for for draft-ietf-6man-rfc6874b… Ted Lemon
- Re: WG Last Call for for draft-ietf-6man-rfc6874b… Brian E Carpenter
- Re: WG Last Call for for draft-ietf-6man-rfc6874b… Ted Lemon
- Re: WG Last Call for for draft-ietf-6man-rfc6874b… Michael Sweet
- Re: WG Last Call for for draft-ietf-6man-rfc6874b… Brian E Carpenter
- Re: WG Last Call for for draft-ietf-6man-rfc6874b… David Farmer
- Re: WG Last Call for for draft-ietf-6man-rfc6874b… Ted Lemon
- Re: WG Last Call for for draft-ietf-6man-rfc6874b… David Farmer
- Re: WG Last Call for for draft-ietf-6man-rfc6874b… Ted Lemon
- Re: WG Last Call for for draft-ietf-6man-rfc6874b… Brian E Carpenter
- Re: WG Last Call for for draft-ietf-6man-rfc6874b… David Farmer
- Re: WG Last Call for for draft-ietf-6man-rfc6874b… Brian E Carpenter
- Re: WG Last Call for for draft-ietf-6man-rfc6874b… Jen Linkova
- Re: WG Last Call for for draft-ietf-6man-rfc6874b… Brian Carpenter