IETF Logo Mail Archive

Re: Strange use of link-local

Brian E Carpenter <brian.e.carpenter@gmail.com> Wed, 29 May 2013 21:46 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 467B621F9779 for <ipv6@ietfa.amsl.com>; Wed, 29 May 2013 14:46:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.466
X-Spam-Level:
X-Spam-Status: No, score=-102.466 tagged_above=-999 required=5 tests=[AWL=0.133, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Qrl7HMII4x+s for <ipv6@ietfa.amsl.com>; Wed, 29 May 2013 14:46:03 -0700 (PDT)
Received: from mail-pd0-f182.google.com (mail-pd0-f182.google.com [209.85.192.182]) by ietfa.amsl.com (Postfix) with ESMTP id E511C21F9769 for <ipv6@ietf.org>; Wed, 29 May 2013 14:46:02 -0700 (PDT)
Received: by mail-pd0-f182.google.com with SMTP id g10so9450657pdj.41 for <ipv6@ietf.org>; Wed, 29 May 2013 14:46:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=hWV4+DQ3yEumAbG90KFoR9NcdoW5xLLBQFJXUHYIORw=; b=Kh94An3OPDBJ685htwN3WkdqojCEUHZQUV6Ybr2Is098UK+CjAkdbJEVhiDtISzZ6o PVonBaA5aeFDIUuNoSS7CzM/sa+fnP5txiPI/y5E67Z5mr6fiN/hXDsLLd+kqPWlkAy8 fb4RDe63wxMPMLS0OqWlbJe8lgwqJyfU5jPT5XHQyyIMiji0Jxl4U06duZoE9hH2S7BF Wc6F0U64i00+WoQ8ZglMvurTczIpZEmQKZlx5MasPEQvtLq8/htWBA961HJkPXR78b8K 1hS3Va2qSxdjbYx5eSfVLwi8qu+R6uDmB+P9y46jWLAg5LbyKb7CYhUfvQTn7s78u+qg cS5w==
X-Received: by 10.66.145.164 with SMTP id sv4mr5366370pab.46.1369863962677; Wed, 29 May 2013 14:46:02 -0700 (PDT)
Received: from [192.168.1.2] (51.191.252.27.dyn.cust.vf.net.nz. [27.252.191.51]) by mx.google.com with ESMTPSA id at1sm38791441pbc.10.2013.05.29.14.45.58 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 29 May 2013 14:46:01 -0700 (PDT)
Message-ID: <51A6771C.5030805@gmail.com>
Date: Thu, 30 May 2013 09:46:04 +1200
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Michael Sweet <msweet@apple.com>
Subject: Re: Strange use of link-local
References: <20130523035151.7B24A6210A@rfc-editor.org> <519DA89C.5070704@gmail.com> <13FD8630-3CB7-46D5-9A27-A83EAD2E7F74@apple.com> <C91E67751B1EFF41B857DE2FE1F68ABA0FF4CC0A@TK5EX14MBXC274.redmond.corp.microsoft.com> <CF457469-49FC-42CC-9E04-487FE035CA10@apple.com> <014b01ce5854$be6c7880$4001a8c0@gateway.2wire.net> <9B503485-D9A7-4D90-991C-162D9C7EE8FF@apple.com> <033d01ce5893$c3522360$4001a8c0@gateway.2wire.net> <C91E67751B1EFF41B857DE2FE1F68ABA0FF60CCD@TK5EX14MBXC273.redmond.corp.microsoft.com> <51A2795C-4D7D-4A59-933B-7CCF527CE10C@apple.com> <51A506BD.9060804@globis.net> <51A515C2.1090208@gmail.com> <A9ABF29D-3195-4C62-AA99-9A599F4204F3@apple.com>
In-Reply-To: <A9ABF29D-3195-4C62-AA99-9A599F4204F3@apple.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: Ray Hunter <v6ops@globis.net>, "ipv6@ietf.org" <ipv6@ietf.org>, "t.petch" <ietfc@btconnect.com>, Christian Huitema <huitema@microsoft.com>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 May 2013 21:46:09 -0000

On 29/05/2013 11:57, Michael Sweet wrote:
> Brian,
> 
> On 2013-05-28, at 4:38 PM, Brian E Carpenter <brian.e.carpenter@gmail.com> wrote:
>> I'm increasingly baffled by the use case. If the host is
>> in a context where it can reach a server *and* has more than
>> one interface (such that a ZoneID is needed at all), it
>> shouldn't be using a link local address anyway - it
>> should have configured a global scope address (possibly
>> under a ULA prefix). Discussion of this use case surely
>> belongs in MIF or HOMENET.
> 
> Most hosts (and probably all of the ones we care about) have multiple network interfaces, if only the loopback interface plus some sort of external network interface, forcing the use of the zoneid.  Also, the most common place you would need to use a link-local address for access is the place where global scope addresses are basically never used - the home.
> 
> So I agree that the MIF or HOMENET working groups might have something to say here, but RFC 6874 was published by *this* group and IPv6 link local addresses have broader context than either of the other groups.

Yes, but the limitation of the meaning of the Zone ID to a single
host isn't new; RFC 6874 simply reiterates it. The problem is that
the whole notion of scope is defective as currently defined (hence
http://tools.ietf.org/html/draft-carpenter-referral-ps, which we plan
to come back to when time permits). Today, the only clean fix is
to use a global-scope address, which means a ULA for disconnected
networks.

    Brian

>>    Brian
>>
>> On 29/05/2013 07:34, Ray Hunter wrote:
>>> Warning: post contains dumb questions.
>>>
>>> Michael Sweet wrote:
>>>> Christian,
>>>>
>>>> On 2013-05-24, at 1:45 PM, Christian Huitema <huitema@microsoft.com> wrote:
>>>>> Can we move from the process discussion to the technical discussion?
>>>>>
>>>>> Michael raised an interesting issue, and we have to analyze it. The consensus of the working group so far is that interface identifiers are private to the host, that any leakage outside the host should be prevented, and that a way to prevent that leakage is to ask proxies to erase them whenever they have an opportunity. Michael points that some servers take an opposite approach, want to record the interface from which the host called them, and want to ensure that further calls in the same session use exactly the same interface. That seems that a fairly legitimate debate, and I can see two alternatives -- one would be to reaffirm the old guidance and provides alternative to ensure session continuity, and the other would be to reverse the guidance and accept that the layer violation performed by servers is just fine.
>>>> (the following is printer-centric, but the same applies to network video cameras and other embedded network devices)
>>>>
>>>> Some background: HTTP and IPP services in printers include absolute URIs in the content they return. For IPP this can be http/https URLs to the printer's web page, ICC profiles, and other resources, along with the ipp/ipps URIs that the printer supports. For HTTP the most common are https URLs for "secure" areas of the printer's web interface.  Because a printer is often known by multiple names and addresses ("printer.local.", "printer.example.com.", 192.168.0.100, fe80::1234, etc.), the implementation guidance (and in IPP Everywhere, this is a conformance requirement) is that the server use the HTTP Host header provided in the request in the host/address field of its responses, subject to the usual security considerations (SHOULD validate Host value, etc.)  This allows the client to use the name or address it can resolve/connect to and makes sure that the printer-generated absolute URIs lead back to same printer.
>>>>
>>>> All of this falls apart with link-local addresses and RFC 6874.  Because the client is required to remove the zoneid from the outgoing request, the URIs it gets back from the server are no longer "reachable".
>>> Trying to understand what's going on here and what the root problem is.
>>>
>>> I have some dumb questions:
>>>
>>> Is the zoneid in the URI the interface on the client or the server node?
>>>
>>> What does other party learn from this information, since zoneid is
>>> currently defined as being local to the node and has no significance
>>> outside the context of the node?
>>>
>>> If the other party learns nothing, and the originating node just needs
>>> to hear an echo of it's own information for it's own use, what's wrong
>>> with using a cookie (server originated), or a hidden variable (client
>>> originated), to transport this interface information along with the
>>> request/reply?
>>>
>>> What if both the server AND the client have multiple interfaces: how do
>>> they both know which local interface on their own node is mutually
>>> connected and to be used for communication? There's only one single
>>> zoneid in the URI, so presumably one of the nodes is lacking some
>>> information.
>>>
>>> Shouldn't both nodes be using ND to learn this information?
>>> If there's nothing in the cache, try all interfaces?
>>>
>>> regards,
>>> RayH
>>>
>>>> What I propose is that we change the wording to allow the zoneid in the Host header but not in the Request-URI.  HTTP proxies would be required to strip any zoneid information in the Host header.  HTTP servers would be required to ignore any zoneid information for purposes of address validation but include it for any absolute URIs to the server they generate.
>>>>
>>>> Thoughts?
>>>>
>>>> _________________________________________________________
>>>> Michael Sweet, Senior Printing System Engineer, PWG Chair
>>>>
>>>>
>>> --------------------------------------------------------------------
>>> IETF IPv6 working group mailing list
>>> ipv6@ietf.org
>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>> --------------------------------------------------------------------
>>>
> 
> _________________________________________________________
> Michael Sweet, Senior Printing System Engineer, PWG Chair
> 
>

v2.23.0 | Report a Bug | By Email