Re: [v6ops] Fwd: I-D Action: draft-vyncke-v6ops-happy-eyeballs-cookie-00.txt
Erik Nygren <erik+ietf@nygren.org> Wed, 29 October 2014 21:25 UTC
Return-Path: <nygren@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CEC61A9046 for <v6ops@ietfa.amsl.com>; Wed, 29 Oct 2014 14:25:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9qny7I6EiHi5 for <v6ops@ietfa.amsl.com>; Wed, 29 Oct 2014 14:25:10 -0700 (PDT)
Received: from mail-vc0-x230.google.com (mail-vc0-x230.google.com [IPv6:2607:f8b0:400c:c03::230]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2E3651A902A for <v6ops@ietf.org>; Wed, 29 Oct 2014 14:25:10 -0700 (PDT)
Received: by mail-vc0-f176.google.com with SMTP id hq11so2029307vcb.21 for <v6ops@ietf.org>; Wed, 29 Oct 2014 14:25:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=WZ8uDNAxW0brrj8jXh2xcTBWnUN3rFvwRM85QlF+JWs=; b=RFXxPvMfm5MWieJAsV0mzKfGTQc2DPrXOEsx7dzXajP3g73lZjcuZIr/Gn1gnjgNvW d+nZ80tohoZZHvF13e8Kdb16siObSGIL0ehGk16owXI45h0Knm7nJJ6KpkuwKUkTxTTB v51H/T5JJuH1nvOfleWHo4bXp4hC7SJCU3pcyPAf+46HC7lb0udpm+pWq3sR/5MlrtlV Hsszwjs5gbw+Sc+1482Xw1Nz9HJumidB2YIWlqcJJBMyImiSj2Nti9yEHJfp5bb57pB8 HO/n78MhHi1IDAZ+R4rqyMOWOPm5J3jCU+kGeJDzOiiIGF9DjsYn1J28/pcwlkG2lPkG R3cQ==
MIME-Version: 1.0
X-Received: by 10.220.118.74 with SMTP id u10mr8529618vcq.35.1414617909284; Wed, 29 Oct 2014 14:25:09 -0700 (PDT)
Sender: nygren@gmail.com
Received: by 10.220.190.71 with HTTP; Wed, 29 Oct 2014 14:25:09 -0700 (PDT)
In-Reply-To: <D0771643.30804%evyncke@cisco.com>
References: <20141027195522.23487.548.idtracker@ietfa.amsl.com> <5A5248BF-9E86-4B90-B344-C2DE1A3A8B56@cisco.com> <CAKC-DJhMf72D4wUcSL1_t_mSBLHotNm2KPE4v8OW94wfpHMN5w@mail.gmail.com> <D0771643.30804%evyncke@cisco.com>
Date: Wed, 29 Oct 2014 17:25:09 -0400
X-Google-Sender-Auth: ESnJBxbT6ALHsxLVPtyHbiowbCE
Message-ID: <CAKC-DJg+G59rjwj-UX0zGj01KLvq9Ark1sL=pVytGT0znC2BmQ@mail.gmail.com>
From: Erik Nygren <erik+ietf@nygren.org>
To: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
Content-Type: multipart/alternative; boundary="001a11369940f9e39f05069665e8"
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/T8yZIQqKhGzv18KBvYwCM-xh80U
Cc: IPv6 Operations <v6ops@ietf.org>
Subject: Re: [v6ops] Fwd: I-D Action: draft-vyncke-v6ops-happy-eyeballs-cookie-00.txt
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Oct 2014 21:25:12 -0000
I guess the question is whether it is worth having an Informational
covering this class of problem explicitly with a very clear "don't do
this!" focus?
In particular, there are two dimensions:
1) the classes of things people lock by IP address today (session cookies,
auth tokens, bearer tokens, etc)
2) the classes of multi-homing that cause problems here and how all of them
are increasing (happy eyeballs for dual-stack, privacy addressing,
multi-link multi-homing, load balanced proxies, load balanced NATs, ...)
With the summary that because of the increases in #2, it is strongly
advised not to do #1 anymore.
Questions sometimes come up on whether there are good technical solutions,
such as ways clients can force outbound connections across each link to
build up some sort of "association record" that glues the various IP
addresses together, but that is more of an apps-area topic, and also don't
work with some of the above.
Erik
On Wed, Oct 29, 2014 at 5:16 PM, Eric Vyncke (evyncke) <evyncke@cisco.com>
wrote:
> Erik, Bjoern and Simon,
>
> Thanks for your review and comments.
>
> The original intend was to document an issue faced by some content
> providers, but, Erik, you are right RFC 6883 section 8.2 clearly spells out
> the problem raised in my I-D, so, I guess my I-D is clearly useless and
> brings nothing.
>
> ==> let's let him die by expiration ;-)
>
> Else, I agree with Fred's, Jeroen's and others comment that the title
> was not well-chosen as it is not limited only to happy eyeball (the LSN
> case was also document in the I-D though)
>
> -éric
>
> From: Erik Nygren <erik+ietf@nygren.org>
> Date: mardi 28 octobre 2014 22:07
> To: Fred Baker <fred@cisco.com>
> Cc: IPv6 Operations <v6ops@ietf.org>
> Subject: Re: [v6ops] Fwd: I-D Action:
> draft-vyncke-v6ops-happy-eyeballs-cookie-00.txt
>
> On Tue, Oct 28, 2014 at 10:29 AM, Fred Baker (fred) <fred@cisco.com>
> wrote:
>
>> I would be interested in folks’ view of this. Is this interesting?
>>
>
> This is mentioned in section 8.2 of rfc6883 but keeps coming up over and
> over again
> so may be worth calling out more clearly. I'd title it in some way that
> didn't make it seem like
> a happy eyeball specific issue.
>
> It's not just a happy eyeballs issue. It also happens with dual-stack
> environments where cookies or session or authentication tokens span origins
> where some servers are dual-stack and some are IPv4-only. (For example,
> an auth granting service grants bearer tokens locked to the client IP
> address and then the client connects to some other service on a different
> hostname and passes along the tokens. Even absent Happy Eyeballs these can
> be on different IP versions.)
>
> The large-scale NAT/CGN issue does make this not just an IPv6 issue. At
> least some systems I've seen then check the IP in the cookie to make sure
> it's in the same /24 rather than the exact same IP, but that doesn't help
> in the dual-stack world.
>
> Another issue beyond Happy Eyeballs is that privacy addressing bites you
> here as well for cookies that are used across different TCP connections
> spanning a privacy address rotation.
>
> Having some more clear "don't do this" to point people to would be good,
> but I suspect we'll have many years of cleaning up applications doing this.
>
>
- [v6ops] Fwd: I-D Action: draft-vyncke-v6ops-happy… Fred Baker (fred)
- Re: [v6ops] Fwd: I-D Action: draft-vyncke-v6ops-h… Bjoern A. Zeeb
- Re: [v6ops] Fwd: I-D Action: draft-vyncke-v6ops-h… Simon Perreault
- Re: [v6ops] I-D Action: draft-vyncke-v6ops-happy-… Tim Chown
- Re: [v6ops] Fwd: I-D Action: draft-vyncke-v6ops-h… Erik Nygren
- Re: [v6ops] Fwd: I-D Action: draft-vyncke-v6ops-h… Fred Baker (fred)
- Re: [v6ops] Fwd: I-D Action: draft-vyncke-v6ops-h… Eric Vyncke (evyncke)
- Re: [v6ops] Fwd: I-D Action: draft-vyncke-v6ops-h… Erik Nygren
- Re: [v6ops] Fwd: I-D Action: draft-vyncke-v6ops-h… Bjoern A. Zeeb
- Re: [v6ops] Fwd: I-D Action: draft-vyncke-v6ops-h… Ted Lemon
- Re: [v6ops] I-D Action: draft-vyncke-v6ops-happy-… Fred Baker (fred)
- Re: [v6ops] I-D Action: draft-vyncke-v6ops-happy-… Bjoern A. Zeeb
- Re: [v6ops] I-D Action: draft-vyncke-v6ops-happy-… Simon Perreault
- Re: [v6ops] I-D Action: draft-vyncke-v6ops-happy-… Jeroen Massar
- Re: [v6ops] Fwd: I-D Action: draft-vyncke-v6ops-h… Mark ZZZ Smith
- Re: [v6ops] Fwd: I-D Action: draft-vyncke-v6ops-h… Eric Vyncke (evyncke)
- Re: [v6ops] I-D Action: draft-vyncke-v6ops-happy-… Eric Vyncke (evyncke)
- Re: [v6ops] I-D Action: draft-vyncke-v6ops-happy-… Andrew 👽 Yourtchenko
- Re: [v6ops] I-D Action: draft-vyncke-v6ops-happy-… Owen DeLong