Re: Scripting attacks [was Next step for draft-ietf-6man-rfc6874bis]

Brian E Carpenter <brian.e.carpenter@gmail.com> Thu, 30 June 2022 04:40 UTC

Message-ID: <d3d9d68a-adff-b29b-4d1b-78f82e6bf282@gmail.com>
Date: Thu, 30 Jun 2022 16:40:16 +1200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.10.0
Subject: Re: Scripting attacks [was Next step for draft-ietf-6man-rfc6874bis]
Content-Language: en-US
To: Ted Lemon <mellon@fugue.com>, Carsten Bormann <cabo@tzi.org>
Cc: Stuart Cheshire <cheshire@apple.com>, Bob Hinden <bob.hinden@gmail.com>, 6man <ipv6@ietf.org>
References: <164938402532.17740.11717866110301931501@ietfa.amsl.com> <b1780128-2069-b32e-7ca5-86977c119f0c@gmail.com> <11d4e419-11a9-8768-abf2-1335e5f1c3d8@gmail.com> <149924f9-da30-fa79-0509-c01c439d1796@gmail.com> <5BEFA97B-CF09-44D7-8C10-017FEAE4C3A8@tiesel.net> <e6ff75e7-b6c6-ea03-2e10-b1ad95d650f0@gmail.com> <98D15BD9-A631-4D09-AE9E-9D4C750714C9@tiesel.net> <95c82ad3-2138-ab2a-7ba5-57ad80472964@gmail.com> <E5C368C5-9DAE-4C61-ADDE-B881EA11EDA0@tiesel.net> <6968ca7b-dac3-b192-41ed-a193adab7eb4@gmail.com> <529B863C-BCC9-40C1-A5B8-B0598E7DF17C@tzi.org> <bf8c5c54-d548-a40a-0381-0583ef946f26@gmail.com> <CAPt1N1=4wbqrrzvwdr4FD7awa6pkyffhwRZC3zAWLs7uzY3BJQ@mail.gmail.com> <86509E47-77CE-4210-A1B7-C1E9955D9672@tzi.org> <CAPt1N1kYBMSA5Y7BZLMd9o96tBxFY7SrRUxb9jxfBNvBiA_OJQ@mail.gmail.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
In-Reply-To: <CAPt1N1kYBMSA5Y7BZLMd9o96tBxFY7SrRUxb9jxfBNvBiA_OJQ@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: base64
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/wXf3lAeRMJkPDAX_5uaNFnUCbWU>

On 30-Jun-22 12:30, Ted Lemon wrote:
> Depends what they are doing for those 3500 ms. They're definitely consuming a lot of local resources, in any case. Should a browser allow 1000 outgoing connections from a single JavaScript app?

I don't know. I'd have to learn more JavaScript to find out ;-).

For the present draft, one thing my small experiment shows is that we won't make things worse by adding zone identifiers to URLs. They too have to be guessed by the attacker, and in modern Linux they are things like "enxb813ebc170a4" out of the box. That makes the attacker's job significantly harder.

    Brian
  
> 
> On Wed, Jun 29, 2022 at 5:06 PM Carsten Bormann <cabo@tzi.org <mailto:cabo@tzi.org>> wrote:
> 
>     On 30. Jun 2022, at 02:03, Ted Lemon <mellon@fugue.com <mailto:mellon@fugue.com>> wrote:
>      >
>      > Of course, many browsers will, at this point, notify the user that "a tab is consuming a lot of power".
> 
>     But are even 1000 parallel threads, each mostly waiting for 3500 ms, consuming a lot of power?
> 
>     Grüße, Carsten
>
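The zone-identifier URL syntax that the thread is about, as an added example that is not code from the draft, the thread, or any of its participants: a parser a URL-handling component could use to validate an RFC 6874 host literal (`[addr%25zone]`) before acting on it, plus a small classifier that illustrates Brian's contrast between index-based interface names and MAC-derived ones such as "enxb813ebc170a4". It assumes the RFC 6874 `%25` form of the separator (a bare `%` is rejected); the `classify_zone_id` helper and its "enx" + 12 hex digits pattern for Linux MAC-derived names are my additions, and the sample literals are constructed.

```python
import ipaddress
import re
from urllib.parse import unquote

# Added example, not code from the draft or the thread. It assumes the RFC 6874
# host-literal form: "[" IPv6address "%25" ZoneID "]", where ZoneID is one or
# more unreserved characters or pct-encoded octets.
_HOST_LITERAL_RE = re.compile(r"^\[([0-9A-Fa-f:.]+)(?:%25(.+))?\]$")
_ZONE_ID_RE = re.compile(r"^(?:[A-Za-z0-9\-._~]|%[0-9A-Fa-f]{2})+$")

# Hypothetical classification of interface names, used only to illustrate that
# a MAC-derived name (48 bits of hex) is far harder to guess than an index-based one.
_MAC_DERIVED_RE = re.compile(r"^enx[0-9a-f]{12}$")   # Linux "enx" + 48-bit MAC
_INDEX_BASED_RE = re.compile(r"^[a-z]+[0-9]+$")     # eth0, wlan0, en0, ...


def parse_ipv6_host_literal(host):
    """Split a bracketed IPv6 URL host into (IPv6Address, zone_id).

    zone_id is None when the literal carries no zone; otherwise it is returned
    percent-decoded (so the encoded "%25" separator becomes a plain "%").
    Raises ValueError for anything that is not a well-formed literal, including
    a bare "%" separator, which RFC 6874 does not allow inside a URL.
    """
    m = _HOST_LITERAL_RE.match(host)
    if not m:
        raise ValueError("not an RFC 6874 IPv6 host literal: %r" % (host,))
    addr_text, zone_text = m.group(1), m.group(2)
    addr = ipaddress.IPv6Address(addr_text)   # raises ValueError if malformed
    if zone_text is None:
        return addr, None
    if not _ZONE_ID_RE.match(zone_text):
        raise ValueError("zone id has characters outside the ZoneID grammar: %r" % (zone_text,))
    return addr, unquote(zone_text)


def classify_zone_id(zone_id):
    """Label an interface name as 'mac-derived', 'index-based' or 'other'."""
    if _MAC_DERIVED_RE.match(zone_id):
        return "mac-derived"
    if _INDEX_BASED_RE.match(zone_id):
        return "index-based"
    return "other"


def describe(host):
    """Human-readable summary of a literal, used by the stand-alone run below."""
    addr, zone = parse_ipv6_host_literal(host)
    if zone is None:
        return "%s (no zone id)" % addr
    return "%s in zone %r (%s, link-local=%s)" % (
        addr, zone, classify_zone_id(zone), addr.is_link_local)


if __name__ == "__main__":
    # Constructed sample literals; the last one uses the bare "%" that RFC 6874 forbids.
    for sample in ("[fe80::1%25enxb813ebc170a4]", "[fe80::1%25eth0]",
                   "[2001:db8::1]", "[fe80::1%eth0]"):
        try:
            print(sample, "->", describe(sample))
        except ValueError as exc:
            print(sample, "-> rejected:", exc)
```

The parser keeps address validation and zone-ID validation separate: `ipaddress.IPv6Address` checks the address text, and the ZoneID regex checks the zone against RFC 6874's `unreserved / pct-encoded` rule, so a caller sees a distinct error for each failure and never forwards an unparsed zone string to the socket layer.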