Re: I-D Action: draft-ietf-6man-rfc6874bis-01.txt

Brian E Carpenter <brian.e.carpenter@gmail.com> Fri, 01 July 2022 02:48 UTC

To: Ted Lemon <mellon@fugue.com>, Vasilenko Eduard <vasilenko.eduard@huawei.com>
Cc: 6man WG <ipv6@ietf.org>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/QzNEZu4TeNmamogqkr3YHX18arI>

On 01-Jul-22 03:18, Ted Lemon wrote:
> At least according to Stack Overflow, no such API exists in web browsers. It used to be possible to use WebRTC for this, but apparently that has been fixed.

Exactly. The script I wrote uses a very basic feature of Javascript, which is the ability to launch an HTTP operation towards an arbitrary URL.

    Brian


> 
> On Thu, Jun 30, 2022 at 6:33 AM Vasilenko Eduard <vasilenko.eduard@huawei.com> wrote:
> 
>     We are talking about malicious script in the browser on the victim client.
> 
>     It could ask the OS about available GUA addresses.
> 
>     No need to guess.
> 
>     Ed/
> 
>     *From:*ipv6 [mailto:ipv6-bounces@ietf.org] *On Behalf Of *Ted Lemon
>     *Sent:* Thursday, June 30, 2022 3:45 PM
>     *To:* Vasilenko Eduard <vasilenko.eduard=40huawei.com@dmarc.ietf.org>
>     *Cc:* 6man WG <ipv6@ietf.org>
>     *Subject:* Re: I-D Action: draft-ietf-6man-rfc6874bis-01.txt
> 
>     With GUA/ULA you have to guess the prefix. LLAs all share the same prefix. So you have a lot fewer bits to guess with a LLA. Of course, you might be able to get the GUA prefix by connecting to some service, but this won’t work for ULA.
> 
>     On Thu, Jun 30, 2022 at 03:37 Vasilenko Eduard <vasilenko.eduard=40huawei.com@dmarc.ietf.org> wrote:
> 
>         I do not see the difference from the scan of the local GUA/ULA subnet (it does not need a zone too).
> 
>         Why improve security only for LLA, leaving GUA/ULA with the same level of security?
> 
>         IMHO: it does not make sense. The attacker would scan GUA/ULA if LLA is more difficult. He would get his result anyway.
> 
>         Moreover, the interface name is a challenge only for the legitimate user.
> 
>         An attacker could easily find the type of the operating system and guess it.
> 
>         It is weak protection against an attacker.
> 
>         Moreover2, a daemon to listen for port 80 would have much more probability to be connected to GUA/ULA, not LLA.
> 
>         The attacker would probably start scanning from GUA anyway.
> 
>         Hence, better to give the user more convenience because security is not possible to improve in this way.
> 
>         Ed/
> 
>         *From:*Brian Carpenter [mailto:brian.e.carpenter@gmail.com]
>         *Sent:* Thursday, June 30, 2022 1:03 PM
>         *To:* Vasilenko Eduard <vasilenko.eduard@huawei.com>
>         *Cc:* 6man WG <ipv6@ietf.org>
>         *Subject:* Re: I-D Action: draft-ietf-6man-rfc6874bis-01.txt
> 
>         There is an opposite argument: supporting a default zone makes an attack easier because the zone does not need to be guessed.
> 
>         Windows does exactly what you suggest, by the way; I could not run my tests on Linux.
> 
>         Regards,
>              Brian Carpenter
>              (via tiny screen & keyboard)
> 
>         On Thu, 30 Jun 2022, 21:22 Vasilenko Eduard, <vasilenko.eduard@huawei.com> wrote:
> 
>             Hi Brian,
>             Just one small idea: does it make sense to request
>             "All applications claiming support for this document SHOULD choose one LLA zone as the default.
>             If the user would omit the zone for the literal request to fe80:: then the application SHOULD use the default zone".
>             It would greatly simplify life for many users because they have only one interface on the host - they would never need to investigate the name of the zone that is very OS-specific.
> 
>             I do not like the request in RFC 4007:
>             index value zero at each scope SHOULD be reserved to mean "use the default zone"
>             IMHO: it is much better to omit the zone name completely to get access to the default zone.
>             People may not know that zone 0 has a special meaning.
> 
>             Formally, what I have proposed does not contradict RFC 4007
>             Because the default zone could be omitted and could be 0 at the same time
>             (both would lead to the same default zone).
> 
>             If you would say "No" to this request
>             Then please, repeat RFC 4007 that the default zone SHOULD be and SHOULD be "0".
>             Please, remind people of this fact.
>             Eduard
>             -----Original Message-----
>             From: ipv6 [mailto:ipv6-bounces@ietf.org] On Behalf Of Brian E Carpenter
>             Sent: Thursday, May 19, 2022 3:53 AM
>             To: ipv6@ietf.org
>             Subject: Re: I-D Action: draft-ietf-6man-rfc6874bis-01.txt
> 
>             There's been no more discussion for several weeks. Can we move on to a WG Last Call?
> 
>             Regards
>                  Brian Carpenter
>             On 08-Apr-22 14:29, Brian E Carpenter wrote:
>              > Hi,
>              >
>              > This version reflects comments at the IETF and on the list.
>              > Change log:
>              > * Extended use cases (added Microsoft WSD)
>              > * Clarified relationship with RFC3986 language
>              > * Allow for legacy use of RFC6874 format
>              > * Augmented security considerations
>              > * Editorial and reference improvements
>              >
>              > Note that some of the text about RFC3986 that Shang Ye suggested to
>              > remove has been retained, but modified. Further comments about this,
>              > or any other aspect, are very welcome.
>              >
>              > Regards
>              >      Brian + co-authors
>              >
>              > On 08-Apr-22 14:13, internet-drafts@ietf.org wrote:
>              >>
>              >> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>              >> This draft is a work item of the IPv6 Maintenance WG of the IETF.
>              >>
>              >>      Title           : Representing IPv6 Zone Identifiers in Address Literals and Uniform Resource Identifiers
>              >>      Authors         : Brian Carpenter
>              >>                        Stuart Cheshire
>              >>                        Robert M. Hinden
>              >>      Filename        : draft-ietf-6man-rfc6874bis-01.txt
>              >>      Pages           : 13
>              >>      Date            : 2022-04-07
>              >>
>              >> Abstract:
>              >>      This document describes how the zone identifier of an IPv6 scoped
>              >>      address, defined as <zone_id> in the IPv6 Scoped Address Architecture
>              >>      (RFC 4007), can be represented in a literal IPv6 address and in a
>              >>      Uniform Resource Identifier that includes such a literal address.  It
>              >>      updates the URI Generic Syntax and Internationalized Resource
>              >>      Identifier specifications (RFC 3986, RFC 3987) accordingly, and
>              >>      obsoletes RFC 6874.
>              >>
>              >>
>              >> The IETF datatracker status page for this draft is:
>              >> https://datatracker.ietf.org/doc/draft-ietf-6man-rfc6874bis/
>              >>
>              >> There is also an HTML version available at:
>              >> https://www.ietf.org/archive/id/draft-ietf-6man-rfc6874bis-01.html
>              >>
>              >> A diff from the previous version is available at:
>              >> https://www.ietf.org/rfcdiff?url2=draft-ietf-6man-rfc6874bis-01
>              >>
>              >>
>              >> Internet-Drafts are also available by rsync at
>              >> rsync.ietf.org::internet-drafts
>              >>
>              >>
>              >> _______________________________________________
>              >> I-D-Announce mailing list
>              >> I-D-Announce@ietf.org
>              >> https://www.ietf.org/mailman/listinfo/i-d-announce
>              >> Internet-Draft directories: http://www.ietf.org/shadow.html or
>              >> ftp://ftp.ietf.org/ietf/1shadow-sites.txt
>              >>
> 
>             --------------------------------------------------------------------
>             IETF IPv6 working group mailing list
>             ipv6@ietf.org
>             Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>             --------------------------------------------------------------------
> 
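An added example, not code from the thread, the draft or its authors, showing in JavaScript the pieces this exchange turns on: forming a URL that carries a link-local literal with a zone identifier (RFC 6874's percent-encoded "%25" alongside a bare "%", the latter assumed here as the form the bis draft permits), splitting such a host back into address and zone without deciding what an omitted zone means, the probe a page script can actually run (one HTTP request per candidate URL and a three-way classification of the outcome), and the caveat that Node's WHATWG URL parser rejects the literal outright. The zone names, interface identifiers and the stub fetch are constructed sample data.

```javascript
// Added example (not code from the thread, the draft or its authors).
// Zone names, interface identifiers and stubFetch are constructed sample data.

const LINK_LOCAL = /^fe[89ab][0-9a-f]:/i; // textual check for fe80::/10

// Host part of a URL for an IPv6 literal with an optional zone identifier.
// RFC 6874 requires the delimiter to be percent-encoded as "%25";
// legacy=false emits a bare "%" (assumed here to be the form the bis draft allows).
function formatHost(address, zone = null, { legacy = true } = {}) {
  if (!/^[0-9A-Fa-f:.]+$/.test(address) || !address.includes(":")) {
    throw new Error("not an IPv6 address literal: " + address);
  }
  let host = "[" + address;
  if (zone !== null && zone !== "") {
    // RFC 6874: ZoneID = 1*(unreserved / pct-encoded); unreserved only here
    if (!/^[A-Za-z0-9._~-]+$/.test(zone)) {
      throw new Error("zone id contains reserved characters: " + zone);
    }
    host += (legacy ? "%25" : "%") + zone;
  }
  return host + "]";
}

function buildUrl(address, zone = null, { scheme = "http", port = null, path = "/", legacy = true } = {}) {
  return scheme + "://" + formatHost(address, zone, { legacy }) + (port === null ? "" : ":" + port) + path;
}

// Inverse: split an IP-literal host into address, zone (null when omitted)
// and a link-local flag. Accepts "%25zone" and "%zone". Whether an omitted
// zone should mean RFC 4007's default zone (index 0) is the policy question
// in the thread, so the caller decides; this function only reports null.
function parseHost(host) {
  const m = /^\[([0-9A-Fa-f:.]+)(?:%(?:25)?([A-Za-z0-9._~-]+))?\]$/.exec(host);
  if (!m) return null;
  return { address: m[1].toLowerCase(), zone: m[2] ?? null, linkLocal: LINK_LOCAL.test(m[1]) };
}

// Node's WHATWG URL parser has no zone-identifier syntax and rejects the
// literal outright, so a page script that goes through the platform URL
// parser cannot even build such a request.
function platformParserAccepts(url) {
  try { new URL(url); return true; } catch { return false; }
}

// Candidate targets for the link-local case: the prefix is fixed, so only the
// interface identifier and (absent a default zone) the zone name are guessed.
function candidates(iids, zones, legacy = true) {
  const out = [];
  for (const zone of zones) {
    for (const iid of iids) out.push(buildUrl("fe80::" + iid, zone, { legacy }));
  }
  return out;
}

// All a page script can do: send a request per candidate and classify the
// outcome. With mode "no-cors" the response is opaque, so "responded",
// "error" and "timeout" are the only signals. fetchImpl is injectable.
async function probe(urls, { fetchImpl = globalThis.fetch, timeoutMs = 500 } = {}) {
  const one = async (url) => {
    const ctrl = new AbortController();
    const timer = setTimeout(() => ctrl.abort(), timeoutMs);
    try {
      await fetchImpl(url, { mode: "no-cors", signal: ctrl.signal });
      return [url, "responded"];
    } catch (e) {
      return [url, (e && e.name === "AbortError") ? "timeout" : "error"];
    } finally {
      clearTimeout(timer);
    }
  };
  return Object.fromEntries(await Promise.all(urls.map(one)));
}

// Constructed stand-in for fetch: one host answers, one refuses, one is silent.
function stubFetch(url, { signal }) {
  if (url.includes("%25eth0")) return Promise.resolve({ type: "opaque" });
  if (url.includes("%25en0")) return Promise.reject(new TypeError("Failed to fetch"));
  return new Promise((_, reject) => {
    signal.addEventListener("abort", () => {
      const err = new Error("aborted");
      err.name = "AbortError";
      reject(err);
    });
  });
}

function demoProbe() {
  return probe(candidates(["1"], ["eth0", "en0", "wlan0"]), { fetchImpl: stubFetch, timeoutMs: 50 });
}

if (typeof require !== "undefined" && require.main === module) {
  demoProbe().then((r) => console.log(r));
}
```

Run it with node; demoProbe() resolves to a map from candidate URL to "responded", "error" or "timeout". The stub only exercises the classification offline. The platformParserAccepts check is the practical caveat: a script that hands "http://[fe80::1%25eth0]/" to the platform URL parser gets an exception, not a request, which is why the guessing argument in the thread is about bit counts and zone names rather than about what a response contains.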