IETF Logo Mail Archive

Re: [IPv6] Link-local URI status (rfc6874bis)

Brian E Carpenter <brian.e.carpenter@gmail.com> Thu, 02 November 2023 19:40 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4615DC151542 for <ipv6@ietfa.amsl.com>; Thu, 2 Nov 2023 12:40:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.196
X-Spam-Level:
X-Spam-Status: No, score=-7.196 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.091, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G7-mVe6ILcYh for <ipv6@ietfa.amsl.com>; Thu, 2 Nov 2023 12:40:17 -0700 (PDT)
Received: from mail-pj1-x102f.google.com (mail-pj1-x102f.google.com [IPv6:2607:f8b0:4864:20::102f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 08602C15154D for <ipv6@ietf.org>; Thu, 2 Nov 2023 12:40:17 -0700 (PDT)
Received: by mail-pj1-x102f.google.com with SMTP id 98e67ed59e1d1-2800f7c8125so1992196a91.1 for <ipv6@ietf.org>; Thu, 02 Nov 2023 12:40:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1698954016; x=1699558816; darn=ietf.org; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date:message-id:reply-to; bh=t5PSTaFCE4tnUxud5+2SRAYx4fmjV49xJEFiCAiHeZI=; b=aJPET1Ejlx3T3PTnOBhIDCJ/bMJ8MsGombn7tBgnB07/bA489dt6Y57bO0YRe2/kOf eEjNTSFd8BP8unYGX6YuyKOLhzA8/pkLk+fZ07yf+A9iojef6Cur1tGHmfoacWfXYQT7 n7wjAvX3P4T6x4SnGKqlVO5ir0XoSuFtld9bSj0aWCbrZyluEM54AHJzTdZm8/WOOgGX TkhwUj5WlEAf2pWaUzOS9mHshfmbcAn9t4j6iH7kLH+2cmlNmbFAxws/xT3/tcmEDys/ MVSy0c5TQJXFewmhnT5EN3A3MUByDBBwD7R1voXtXOqVX6pVj7vWgu1XON5KPwqRjpMZ ZceA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1698954016; x=1699558816; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=t5PSTaFCE4tnUxud5+2SRAYx4fmjV49xJEFiCAiHeZI=; b=Rtr6j8IdogeR2ZCULZBCQy0B3qgZHIpNRcataPLT+HXMjFfXNcttplE0zOht8kGPZq vk+gshH+7BiFTAEmSZr0cb3lXliAUALzVe7c8+KbNAGP3j7ztKU4cS9vM26rXIA1n1zy jR9PWPXlgwLebXZbC5uzc4jqAM3JdoIIBmlDuyYngSfRhefjENh+JRuUXWkvcMnZOF8U c1W/RTQjbq6E/JVnU/npXo7Dz6l/gkUmp95PMssyeTggUH6dc6k8vCKiTqg55y4iv09Y WTcTHjdbk9lGaj9vw1hVqk+cwCEerCPJGoED0/Zzjsvmu++6rA9FZ3XI9Or+MKqHNFG2 bC5Q==
X-Gm-Message-State: AOJu0YztIX8nMMx1mnWuT+EqNXtNtnk3go/Hiyf4hrm44I+ZDL+7P5de 2YyfYRJ6Ubi0zir5p2jicjw=
X-Google-Smtp-Source: AGHT+IErkY+bIbIJdo1AoDsOITUPdbU/xLri6mOO0L4FAb7b5eZEyZWwv7ndLB6cCnia9m/uCq8TaA==
X-Received: by 2002:a17:90a:ff0e:b0:280:37a0:69d4 with SMTP id ce14-20020a17090aff0e00b0028037a069d4mr490681pjb.19.1698954015790; Thu, 02 Nov 2023 12:40:15 -0700 (PDT)
Received: from ?IPV6:2406:e003:110d:5301:8cb6:a2c:7461:4047? ([2406:e003:110d:5301:8cb6:a2c:7461:4047]) by smtp.gmail.com with ESMTPSA id i12-20020a17090a2a0c00b0026b3f76a063sm144788pjd.44.2023.11.02.12.40.13 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 02 Nov 2023 12:40:15 -0700 (PDT)
Message-ID: <d9a6f288-058c-10d2-43dd-ffbd7a8959c7@gmail.com>
Date: Fri, 03 Nov 2023 08:40:11 +1300
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.10.0
Content-Language: en-US
To: Michael Sweet <msweet@msweet.org>
Cc: 6man <ipv6@ietf.org>, Bob Hinden <bob.hinden@gmail.com>, Stuart Cheshire <cheshire@apple.com>, "Rob Wilton (rwilton)" <rwilton@cisco.com>, "Murray S. Kucherawy" <superuser@gmail.com>
References: <17352fa3-c3c9-3cc3-27f2-f8f57dfff383@gmail.com> <5B3DDEB8-36F1-428C-89AA-B765A600824A@msweet.org>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
In-Reply-To: <5B3DDEB8-36F1-428C-89AA-B765A600824A@msweet.org>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: base64
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/nnuZ5LBZ2rBuyN2RHPC9WyLYmLY>
Subject: Re: [IPv6] Link-local URI status (rfc6874bis)
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Nov 2023 19:40:21 -0000

Michael,
On 02-Nov-23 16:04, Michael Sweet wrote:
> Brian,
> 
> Comments inline...
> 
>> On Oct 31, 2023, at 10:02 PM, Brian E Carpenter <brian.e.carpenter@gmail.com> wrote:
>> ...
>> 2. Re Murray Kucherawy's DISCUSS:
>>
>> 2.1 The fact that almost no developers have decided to implement
>> this so far seems non-blocking to me. For all the use cases listed in
>> the draft, there is a user-side view that this just ought to work,
>> and when it fails, this is perceived as a bug.
>>
>> Arguments that it's 'unimplementable' or 'insecure' deserve answers:
>>
>> 2.2 The 'unimplementable' argument is based on using the '%' sign
>> as a separator, whereas its normal role in a URI is as an escape
>> character. Roy Fielding has argued that there are many URI parsers
>> around that handle percent-encoding in different ways (somewhat
>> regardless of the formal ABNF syntax). As result, he asserts
>> that stepwise introduction of the draft is impossible in practice.
>>
>> The draft argues that it doesn't matter if unmodified parsers
>> throw an error if they see the new syntax, because that is what
>> they do today anyway, so the new syntax can be deployed
>> progressively.
>>
>> There is an alternative (discussed in this WG years ago):
>> use a different separator, e.g. http://[fe80::1-eth0]
>> This still requires URI parsers to be modified and progressively
>> deployed, but without interacting with percent-encoding.
>> That is mainly a simplification of the programming problem. It
>> does have its own programming complication - the '-' must be
>> replaced by '%' before making relevant socket calls.
> 
> WRT this, CUPS first added support for the Fenner draft in January 2006:
> 
>      https://datatracker.ietf.org/doc/html/draft-fenner-literal-zone-02

Thanks for reminding us of that draft. I'm agnostic about "+" versus "-" for this. I've never really seen a reason for using the "IPvFuture" syntax in RFC 3986. If we decide to replace the "%", that seems to be enough to resolve the parsing problem.

> 
> This format (scheme://[v1.fe80::0123:4567:89ab:cdef+eth0]/resource) requires rewriting ("+" to "%") and hasn't been an issue for implementation in the billions of IPP printers and client devices that use it...
> 
> One advantage of using "-" instead of "%" is that it is both unambiguous (there is no other meaning for a "-" between the address and zone ID portions) and allows existing RFC 6874 implementations (like CUPS) to continue working unchanged and support the new "-" delimiter as well.
> 
> Regardless, today you basically can't use IPv6 link local addresses in browsers at all.  Claiming that you can't add a new format because it wouldn't work everywhere immediately makes no sense - better stop developing new protocols and standards then...

Yes. (But on a system such as Windows that implements a default Zone ID, you *can* use a link local address in any browser.)

> 
>> 2.3 The 'security' argument is related to what the Web community
>> calls Cross-Origin Resource Sharing (CORS). This is a very
>> complex topic that I do not claim to understand and will not
>> attempt to summarise here. IPv4 and IPv6 link-local address
>> literals are considered problematic, like other IP addresses
>> with local (a.k.a. private) scope, such as ULAs. The background
>> is at https://wicg.github.io/private-network-access/.
> 
> OK, so this is a little different from the normal CORS issues...
> 
>> What I do not understand about this argument is that the CORS
>> issue exists for http://[fe80::1] already, and as far as
>> I can see is identical for http://[fe80::1%eth0]. If so,
>> that is no reason to block rfc6874bis.
> 
> Agreed.  I suspect that, for any numeric address, the answer for CORS is simply to compare any two address fields and if they match, it is the same origin, otherwise it is not.

Right, but also fe80::1 and fe80::1 might be two different addresses, if they arrived via two different interfaces. Link-local is a bit special in that way.

> If you have a FQDN, then any numeric address does not match.
> 
> The zone ID can be part of this address string comparison because CORS applies to "security" restrictions the client browser is applying...

Yes.

>> ...
>> 1. Drop the draft and leave the use cases unsolved.
> 
> That's what was done back in 2005 and the problem hasn't gone away...
> 
>> 2. Accept the change to http://[fe80::1-eth0] and push the
>> IESG to dismiss the other objections as beside the point.
> 
> See above.  I've always been uncomfortable with a bare "%" given that it has a special meaning in URLs, can be misinterpreted with numeric zone IDs, and isn't backwards-compatible with RFC 6874.  If using "-" is enough to get this draft advanced, I'd go for it.

Ack.

> 
>> 2a. Also undertake a major revision of RFC4007.
> 
> Barn | Door | -------------------> Horse

Yes, there is a lot of running code, but there are also some serious gaps in that RFC, and quite a bit of historical material. However, that's a problem for another day.

Regards
    Brian Carpenter

> 
> ________________________
> Michael Sweet
>

v2.23.0 | Report a Bug | By Email