IETF Logo Mail Archive

Re: [IPv6] Link-local URI status (rfc6874bis)

Brian E Carpenter <brian.e.carpenter@gmail.com> Mon, 06 November 2023 19:39 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 84180C151525 for <ipv6@ietfa.amsl.com>; Mon, 6 Nov 2023 11:39:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.196
X-Spam-Level:
X-Spam-Status: No, score=-2.196 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.091, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OAwAOtFoLsWW for <ipv6@ietfa.amsl.com>; Mon, 6 Nov 2023 11:39:55 -0800 (PST)
Received: from mail-pg1-x52c.google.com (mail-pg1-x52c.google.com [IPv6:2607:f8b0:4864:20::52c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC8BDC18E1A5 for <ipv6@ietf.org>; Mon, 6 Nov 2023 11:39:55 -0800 (PST)
Received: by mail-pg1-x52c.google.com with SMTP id 41be03b00d2f7-577fff1cae6so3585119a12.1 for <ipv6@ietf.org>; Mon, 06 Nov 2023 11:39:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1699299595; x=1699904395; darn=ietf.org; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date:message-id:reply-to; bh=DCVfk+LGNrdLNfpdHAv/FRxSXtvgFgPzAuykC+j7nq4=; b=J1Qh1Kci3N5rTXByyhixTaL5wKEmc1tYbVGVCW4HVcrdAaIOtGcSXMyJI/yeg+N1Jc a0Ia2VOnqi9flAB/K3KxEw0V/1prQbcsmRo9GxhAbG9V/O++fhTsNSGOH9JruU2V87uX IJZng8F2fwvPoVz/HIwlFd3mc5Co01dYIXjayH3xEyc5LwSKGRnihxCxU23+VZ/B++9l CU+5zV4vxyrKJQP2bXm1BHJimh03pw1mBYBu9ZBqYeLKQaqu0ZxNMlnCXH8KopsEei4t OMTXSU4SbDb4IuK64mF+85SSRrCWEYMuiPv6zyoEtbrknY1GZxQpEaNKR2np16TH8c8X AeyQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1699299595; x=1699904395; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=DCVfk+LGNrdLNfpdHAv/FRxSXtvgFgPzAuykC+j7nq4=; b=DXoHbcnRCNI+oUnwTfiosB6aJrBqJP5Cl3zarlTWZfIEak3hEDYc0Y9k51jZ2q9wKw ZutujHDje0mZY29hCjcGaVS5iEGFFnIiGDsERx1KBTkbpQOLeu+eybZEgYHuPN4SJxux UUW8gLgC8KUYhbNaQASTevOXzp3epUmp4q2hzRdj+snb30MN2xqy2ilsvfI7/YTXoZd+ xU6NZKtJh3zxLIC5E1Ik35x6NVeM5aR29nDq3JwjrmKO9RS4s02kkwPOsCjO482qUBr+ Qo8p/9FORP6xUmptwdKH3hPjLvFuNwjEjUtVehtR4LRuHZVWKtTCRBoYDpe3DBby07uo R2Mg==
X-Gm-Message-State: AOJu0YzXd1sjrXTQjaMH9ryCHrrVKwvPz4QZwTuTJOehpiBpKzhNeclL KB4ISWdR1RNuRsd+ral9NpQ=
X-Google-Smtp-Source: AGHT+IHcC7RdcdnXUGFegZtBqdO405jHddvvzovApx94guBVu/qSkrwqFhTc8Axc+h2ov2KjbcpAZA==
X-Received: by 2002:a05:6a20:9185:b0:15e:7323:5bf3 with SMTP id v5-20020a056a20918500b0015e73235bf3mr590285pzd.26.1699299594654; Mon, 06 Nov 2023 11:39:54 -0800 (PST)
Received: from ?IPV6:2406:e003:110d:5301:8cb6:a2c:7461:4047? ([2406:e003:110d:5301:8cb6:a2c:7461:4047]) by smtp.gmail.com with ESMTPSA id g23-20020aa78757000000b006c39efc97b3sm4266541pfo.113.2023.11.06.11.39.51 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 06 Nov 2023 11:39:54 -0800 (PST)
Message-ID: <886375cb-64a9-9cdb-e7be-4cc1ff8cf3c2@gmail.com>
Date: Tue, 07 Nov 2023 08:39:50 +1300
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.10.0
Content-Language: en-US
To: Erik Nygren <erik+ietf@nygren.org>
Cc: 6man <ipv6@ietf.org>, Bob Hinden <bob.hinden@gmail.com>, Stuart Cheshire <cheshire@apple.com>, "Rob Wilton (rwilton)" <rwilton@cisco.com>, "Murray S. Kucherawy" <superuser@gmail.com>
References: <17352fa3-c3c9-3cc3-27f2-f8f57dfff383@gmail.com> <CAKC-DJh3jxqKOh5SwD7WULxYmGJU4-HH8LbqB8Aj2P96+FpA+w@mail.gmail.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
In-Reply-To: <CAKC-DJh3jxqKOh5SwD7WULxYmGJU4-HH8LbqB8Aj2P96+FpA+w@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: base64
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/Zk_5LkhqEQzwmLgUlaku0733P6U>
Subject: Re: [IPv6] Link-local URI status (rfc6874bis)
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Nov 2023 19:39:59 -0000

On 07-Nov-23 06:53, Erik Nygren wrote:
> I'd propose that we decouple what is in the URI on the wire and what is in the user interface, similar to rfc5894 / IDNA.
> That way we stick with always using %25 as in rfc6874 on the wire and in any URI references (eg, in an href, etc)
> to keep things unambiguous and protocol-compliant.  For example:
> 
>      http://[fe80::a%25en1]
> 
> We can separately define that user interfaces may do a conversion to add/remove this escaping as appropriate.

Which user interfaces? If you mean the dialogue box in browsers, I am definitely no expert, but these days it seems that any deviation from accepted URI syntax sends you off into search mode.

> There's a precedent for this model already with the IDNA conversion between punycode and UTF-8 already.

Yes, but of course punycode looks like standard ASCII fodder for hostname parsing. So when I type https://smörgåsbord.blåbærsyltetøy.com into Firefox, it echos https://xn--smrgsbord-82a8p.xn--blbrsyltety-y8ao3x.com and that parses just fine.

> 
> This approach seems like it might be the best compromise:
> * It will keep the HTTP and URI people happy by not adding in some weird special-case which seems like a non-starter.

I'm not sure about that. That is of course the syntax of RFC6874, but from what I've gathered about the wide variety of URI parsers in the world, whether or not a % is treated as an escape at that particular point in a URI (inside the host part, inside square brackets, inside a numeric address) isn't necessarily consistent. Changing to a different symbol definitely avoids that inconsistency.

> * It is a minimum change to what is already specified (eg, rfc6874)
> * It doesn't change how we encode interface names in a way that would be exposed to users.
> * It still allows users to interact with interface aliases with an experience that hides them from this complexity.
> 
> There is still the ambiguous case (eg, interface  "251") but perhaps we can strongly discourage
> naming interfaces in such a way that they start with "25".  Messy, but might be the least bad option.

It isn't ambiguous if we make the %25 mandatory, but this is precisely the grey area where some parsers will get it wrong. And unfortunately %2525 is very likely to occur - the Windows machine on which I am typing has interface index 22 for Wi-Fi, for example.

But the other point is that this only resolves one of the three blocking issues.

    Brian

> 
>    Erik
> 
> 
> 
>       Erik
> 
> 
> 
> 
> 
> On Wed, Nov 1, 2023 at 3:03 AM Brian E Carpenter <brian.e.carpenter@gmail.com <mailto:brian.e.carpenter@gmail.com>> wrote:
> 
>     Hi 6man,
> 
>     Since I will not be in Prague or on-line, this is an update for the WG
>     on the status of draft-ietf-6man-rfc6874bis.
> 
>     If you've forgotten, the draft allows http://[fe80::1%eth0] as a valid URI.
> 
>     In summary: it is blocked in the IESG. Possible WG actions are listed
>     at the end.
> 
>     There are two unresolved DISCUSS ballots:
>     https://datatracker.ietf.org/doc/draft-ietf-6man-rfc6874bis/ballot/#draft-ietf-6man-rfc6874bis_robert-wilton <https://datatracker.ietf.org/doc/draft-ietf-6man-rfc6874bis/ballot/#draft-ietf-6man-rfc6874bis_robert-wilton>
>     https://datatracker.ietf.org/doc/draft-ietf-6man-rfc6874bis/ballot/#draft-ietf-6man-rfc6874bis_murray-kucherawy <https://datatracker.ietf.org/doc/draft-ietf-6man-rfc6874bis/ballot/#draft-ietf-6man-rfc6874bis_murray-kucherawy>
> 
>     Here is my personal summary of the remaining issues, and what we
>     have done since IETF Last Call and IESG review to resolve them:
> 
>     1. Re Rob Wilton's DISCUSS: We clarified character set restrictions needed
>     for compatibility with URI rules, and the applicability of numeric identifiers
>     as a work-around for these character set restrictions. I believe these are
>     the only changes possible, given RFC4007, the ~20 years of history in the
>     POSIX and Winsock APIs, and the widespread implemention of these in host
>     stacks.
> 
>     The difficulties that Rob has are not so much with this draft but more
>     with that underlying model. Quoting his off-list message: "I don’t regard
>     interfaces on network devices as inherently having a numeric identifier."
>     But like it or not, the nodes on which browsers normally run follow
>     RFC4007 and *do* inherently have numeric interface indices. We don't
>     have any choices there. (I do think that RFC4007 is inadequate and
>     needs to be updated to reflect current reality, but that's orthogonal.)
> 
>     2. Re Murray Kucherawy's DISCUSS:
> 
>     2.1 The fact that almost no developers have decided to implement
>     this so far seems non-blocking to me. For all the use cases listed in
>     the draft, there is a user-side view that this just ought to work,
>     and when it fails, this is perceived as a bug.
> 
>     Arguments that it's 'unimplementable' or 'insecure' deserve answers:
> 
>     2.2 The 'unimplementable' argument is based on using the '%' sign
>     as a separator, whereas its normal role in a URI is as an escape
>     character. Roy Fielding has argued that there are many URI parsers
>     around that handle percent-encoding in different ways (somewhat
>     regardless of the formal ABNF syntax). As result, he asserts
>     that stepwise introduction of the draft is impossible in practice.
> 
>     The draft argues that it doesn't matter if unmodified parsers
>     throw an error if they see the new syntax, because that is what
>     they do today anyway, so the new syntax can be deployed
>     progressively.
> 
>     There is an alternative (discussed in this WG years ago):
>     use a different separator, e.g. http://[fe80::1-eth0]
>     This still requires URI parsers to be modified and progressively
>     deployed, but without interacting with percent-encoding.
>     That is mainly a simplification of the programming problem. It
>     does have its own programming complication - the '-' must be
>     replaced by '%' before making relevant socket calls.
> 
>     2.3 The 'security' argument is related to what the Web community
>     calls Cross-Origin Resource Sharing (CORS). This is a very
>     complex topic that I do not claim to understand and will not
>     attempt to summarise here. IPv4 and IPv6 link-local address
>     literals are considered problematic, like other IP addresses
>     with local (a.k.a. private) scope, such as ULAs. The background
>     is at https://wicg.github.io/private-network-access/ <https://wicg.github.io/private-network-access/>.
> 
>     What I do not understand about this argument is that the CORS
>     issue exists for http://[fe80::1] already, and as far as
>     I can see is identical for http://[fe80::1%eth0]. If so,
>     that is no reason to block rfc6874bis.
> 
>     The draft has been updated several times in an attempt to
>     resolve these two DISCUSSes, and a couple of side meetings have
>     been held at recent IETFs. We tried to set up a video chat
>     before IETF 118 but it didn't work out.
> 
>     Possible WG actions:
> 
>     1. Drop the draft and leave the use cases unsolved.
> 
>     2. Accept the change to http://[fe80::1-eth0] and push the
>     IESG to dismiss the other objections as beside the point.
> 
>     2a. Also undertake a major revision of RFC4007.
> 
>     3. Something else.
> 
>     I'd be interested to hear opinions about these options.
> 
>     Regards
>          Brian Carpenter
>     --------------------------------------------------------------------
>     IETF IPv6 working group mailing list
>     ipv6@ietf.org <mailto:ipv6@ietf.org>
>     Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 <https://www.ietf.org/mailman/listinfo/ipv6>
>     --------------------------------------------------------------------
>

v2.23.0 | Report a Bug | By Email