Re: [netmod] Changes to IPv6 zone definition in draft-ietf-netmod-rfc6991-bis-15

Brian E Carpenter <brian.e.carpenter@gmail.com> Sat, 06 April 2024 20:57 UTC

To: Jürgen Schönwälder <jschoenwaelder@constructor.university>, Mahesh Jethanandani <mjethanandani@gmail.com>
Cc: NETMOD Working Group <netmod@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/3HXQ4kfnocftSOq1KS-vvJnJH1Y>

On 06-Apr-24 19:52, Jürgen Schönwälder wrote:
> Mahesh,
> 
> the main goal of these definitions is compatibility with the
> representations of zone names and identifiers that systems use
> natively (say on the command line), compatibility with what is
> allowed in URLs is a lower priority issue. The changes that were
> made were motivated by the fact that some vendors include
> characters in their interface names that the existing definition
> did not allow. (I consider this a bug.)
> 
> It is true that a zone name is not well defined. We can't fix
> this but we have a definition that is apparently too narrow. So
> what we can do is to address this limitation.

Yes.

> 
> I believe numeric zone identifiers were always supported so they
> always work as a fallback. 

Correct, but do all network elements actually support RFC4007? Maybe there are devices where interfaces do not have a simple sequential numbering.

> I do not think we have any motivation to
> introduce any % escape encodings. Our target is compatibility with
> the native system representation of zone names, the representation
> of zone names in URLs is a different problem (since URLs have more
> restrictions than we have).

Yes. I think the typedef uri {} is good, because it doesn't call on
other typedefs such as ipv6_address {}.

    Brian

> 
> /js
> 
> PS: As it is too late to properly define zone names, perhaps all the
>       IETF can do is to write a document about best practices that
>       system designers should consider when choosing interface or
>       zone naming schemes. Something along the lines "everything
>       is possible but if you include x you will face problem X, if
>       you include y you will face problem Y and so on."
> 
> On 06.04.24 06:18, Mahesh Jethanandani wrote:
>> I notice that draft-ietf-6man-rfc6874bis has expired. What is the plan with that document? Was there any consensus on the zone identifier?
>>
>> I ask, because I am interested in moving rfc6991-bis forward. Can we close on this thread with lowercase and % encoding of special characters as the consensus?
>>
>> Thanks.
>>
>>> On Mar 31, 2023, at 3:43 PM, Brian E Carpenter <brian.e.carpenter@gmail.com> wrote:
>>>
>>> I just put two and two together and got five. There are so many threads that I can't remember who brought this point up, but the editor's copy of draft-ietf-6man-rfc6874bis now includes this:
>>>
>>> "The mapping
>>> between the human-readable zone identifier string and the numeric value is a host-specific
>>> function that varies between operating systems. The present document is concerned only
>>> with the human-readable string. However, in some operating systems it is possible
>>> to use the underlying interface number, represented as a decimal integer, as an alternative
>>> to the human-readable string. For example, on Linux, a user can determine interface
>>> numbers simply by issuing the command "ip link show" and then, for example,
>>> use "fe80::1%5" instead of "fe80::1%Ethernet1/0/1", if the interface number
>>> happens to be 5."
>>>
>>> I don't know whether this work-around will apply in every type of device, but I certainly can't see any other solution, since the URI syntax is very insistent on lowercase normalization and special characters.
>>>
>>> Comments?
>>>
>>> Regards
>>>     Brian Carpenter
>>>
>>> On 23-Mar-23 14:48, Brian E Carpenter wrote:
>>>> Hi Rob,
>>>> On 23-Mar-23 02:32, Rob Wilton (rwilton) wrote:
>>>>> Hi Jürgen, Netmod, & rfc6874bis interested parties,
>>>>>
>>>>> In my AD review of draft-ietf-netmod-rfc6991-bis-15, Jürgen has proposed a change to the definition of the zone-id in the ip-address, ipv4-address, and ipv6-address types.  These changes move the definition somewhat closer to what is in rfc6874bis, but they are still different enough that we don't have wide compatibility.
>>>>>
>>>>> I think that it may be useful to have a discussion to see if we can find a technical solution that works both for YANG models and that is compatible with being used in URIs.  Hence, I've separated my AD review comments for these two specific issues into this separate thread to try and ensure that interested parties can be involved in the discussion:
>>>>>
>>>>> (2) In RFC 6991:
>>>>>         typedef ipv6-address {
>>>>>           type string {
>>>>>             pattern '((:|[0-9a-fA-F]{0,4}):)([0-9a-fA-F]{0,4}:){0,5}'
>>>>>                   + '((([0-9a-fA-F]{0,4}:)?(:|[0-9a-fA-F]{0,4}))|'
>>>>>                   + '(((25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])\.){3}'
>>>>>                   + '(25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])))'
>>>>>                   + '(%[\p{N}\p{L}]+)?';
>>>>>
>>>>> In draft-ietf-netmod-rfc6991-bis-15, p 27, sec 4.  Internet Protocol Suite Types
>>>>>         typedef ipv6-address {
>>>>>           type string {
>>>>>             pattern '((:|[0-9a-fA-F]{0,4}):)([0-9a-fA-F]{0,4}:){0,5}'
>>>>>                   + '((([0-9a-fA-F]{0,4}:)?(:|[0-9a-fA-F]{0,4}))|'
>>>>>                   + '(((25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])\.){3}'
>>>>>                   + '(25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])))'
>>>>>                   + '(%[A-Za-z0-9][A-Za-z0-9\-\._~/]*)?';
>>>>>
>>>>> I'm not saying that this change is wrong, but this technically looks to be a non-backwards-compatible change (depending on whether interface names could ever use non-ASCII characters).  Where is the set of allowed characters for zone-ids defined?  I couldn't find them in an RFC, RFC 4007 section 11.2 seems to indicate that there is no restriction.
>>>> RFC 4007 is woefully vague, but it does limit the character set to ASCII. The failings I have noted so far include:
>>>> 1) No length limit - i.e. exposed to buffer overrun bugs and exploits;
>>>> 2) NULL is not disallowed - i.e. exposed to NULL-terminated string bugs and exploits;
>>>> 3) In fact, no statement about non-alphanumeric characters at all;
>>>> 4) No statement about case sensitivity or case folding;
>>>> [It's clear to me that RFC 4007 needs to be revisited after we have settled the current issues.]
>>>> All of these are problematic in the URI context, not to mention the poor choice of "%" as a delimiter.
>>>> The above doesn't tell me what is intended about case sensitivity, and it does include "/" which is troublesome in URIs.
>>>> Maybe you could consider an even more complex definition that distinguishes general zone identifiers from URI-friendly zone identifiers? The latter would be something like
>>>> '(%[a-z0-9][a-z0-9\-\._~]*)?'
>>>> Then there could be a general recommendation to use the restricted character set if, and only if, there is an operational requirement to generate URIs for a given interface.
>>>>>    draft-ietf-6man-rfc6874bis, which I'm currently holding a 'discuss' ballot position on, effectively limits the usable character set of zone-ids to the unreserved set in URIs, which seems to match those above except for '/' that is allowed above (and used in many interface names), but not in the URI's unreserved character set.  A further difference is that upper case characters are allowed in this typedef but are not allowed when used in the host part of URIs.
>>>> Well, more precisely they will almost certainly be normalized to lower case by the URI parser.
>>>>     
>>>>> Update - I've now seen the thread 'ipv6-address in RFC 6991 (and bis)', and Jürgen has put together a useful blog post, thanks!
>>>>>
>>>>> Given that "interface-name" in RFC 8343, and the text in RFC 4007 section 11.2, then arguably the safest thing here would be to allow the zone-id to be unrestricted, i.e., "(%.*)?"  However, this would leave draft-ietf-6man-rfc6874bis as only being able to support a small fraction of interface names as zone-ids in URLs.  The authors of draft-ietf-6man-rfc6874bis seem to indicate that it works for all interface names that currently matter for their use case.
>>>> That appears to be correct, as noted in the newly proposed text at
>>>> https://www.cs.auckland.ac.nz/~brian/draft-ietf-6man-rfc6874bis-06X.html#section-1-5
>>>>>
>>>>> An alternative solution could be to somewhere define the zone-ids in YANG to match the restrictive set in draft-ietf-6man-rfc6874bis (i.e., lower case only, and disallow '/').  I think that this would then require that we recommend a conversion of interface names into draft-ietf-6man-rfc6874bis compatible zone-ids interface-names.  E.g., such a conversion could take the interface name, and change any uppercase characters to lower case, and replace any symbol that isn't in the allowed character set with '_'.  This conversion is effectively one way, and there is a theoretical risk that the converted interface names could collide, but this may be unlikely in practice.  Obviously, this conversion doesn't handle non-ASCII interface names, but I'm not sure how realistic it is that they would be used anyway.
>>>> Remember there is a browser between the URI and the operating system, and the browser communicates with the operating system via a socket interface. So such a conversion is useless unless the socket interface in the device concerned is fully aware of the mapping. So even if there is a use case, there are a lot of moving parts here.
>>>> Personally I think allowing non-ASCII would be disastrously complex and would have no real advantage for netops staff. Езернет1/0/1 instead of Ethernet1/0/1 doesn't seem worth all the resultant hassle.
>>>>>
>>>>> This general comment also applies for the same change for 'ipv4-address'.
>>>> Fortunately this is 100% out of scope for the 6man draft.
>>>>>
>>>>> (3) draft-ietf-netmod-rfc6991-bis-15, p 28, sec 4.  Internet Protocol Suite Types
>>>>>
>>>>>             The canonical format of IPv6 addresses uses the textual
>>>>>             representation defined in Section 4 of RFC 5952.  The
>>>>>             canonical format for the zone index is the numerical
>>>>>             format as described in Section 11.2 of RFC 4007.";
>>>>>
>>>>> Would it make sense to also change the canonical format for the zone index to be interface name (or converted interface name) rather than numeric id (when used in YANG models)?
>>>> Please not. In a completely different context (RFC 8990) I've written code handling link local addresses and multiple interfaces, and driving it by interface index rather than by name is definitely the way to go. Humans may like the names, but the numbers are much better for programs.
>>>> Regards
>>>>       Brian
>>>>>
>>>>> This comment also applies for the same change for 'ipv4-address'.
>>>>>
>>>>>
>>>>> Thoughts and comments on these two issues are welcome.
>>>>>
>>>>> Regards,
>>>>> Rob
>>
>>
>> Mahesh Jethanandani
>> mjethanandani@gmail.com
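
Added example, not part of the original messages or of either draft: a Python comparison of the three zone-id patterns quoted in the thread, plus the lowercase-and-underscore conversion described there and the collisions it can produce. The function names and sample inputs are constructed for illustration, and `[^\W_]` is an approximation of `[\p{N}\p{L}]`, which Python's `re` does not support.

```python
import re

# Zone-id suffix patterns quoted in the thread (the part after '%').
# YANG patterns are implicitly anchored, so fullmatch() is used below.
ZONE_PATTERNS = {
    # RFC 6991 uses [\p{N}\p{L}]+; Python's re has no \p{..}, so
    # [^\W_] (Unicode letters and digits) stands in as an approximation.
    "rfc6991": re.compile(r"[^\W_]+"),
    # draft-ietf-netmod-rfc6991-bis-15
    "bis-15": re.compile(r"[A-Za-z0-9][A-Za-z0-9\-._~/]*"),
    # URI-friendly variant suggested in the thread
    "uri-friendly": re.compile(r"[a-z0-9][a-z0-9\-._~]*"),
}


def accepted_by(zone):
    """Names of the patterns that accept this zone-id, sorted."""
    return sorted(n for n, rx in ZONE_PATTERNS.items() if rx.fullmatch(zone))


def to_uri_zone(name):
    """One-way conversion described in the thread: lowercase, then '_'
    for every character outside the URI-friendly set."""
    return re.sub(r"[^a-z0-9\-._~]", "_", name.lower())


def collisions(names):
    """Group interface names that convert to the same zone-id."""
    groups = {}
    for name in names:
        groups.setdefault(to_uri_zone(name), []).append(name)
    return {zone: src for zone, src in groups.items() if len(src) > 1}


if __name__ == "__main__":
    # Constructed sample names, not taken from any real device.
    samples = ["5", "eth0", "Ethernet1/0/1", "Езернет1", "eth0\x00"]
    for s in samples:
        print(repr(s), accepted_by(s))
    print(collisions(["Ethernet1/0/1", "ethernet1_0_1", "eth0"]))
    # The conversion can yield a leading '_', which no pattern accepts.
    print(accepted_by(to_uri_zone("Езернет1/0/1")))
```

None of the three patterns bounds the zone-id length, so a length check still has to be applied separately.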