Re: Link-local connectivity in Web browsers from Ben Schwartz on 2024-02-26 (ietf-http-wg@w3.org from January to March 2024)

From: Ben Schwartz <bemasc@meta.com>
Date: Mon, 26 Feb 2024 15:10:35 +0000
To: Toerless Eckert <tte@cs.fau.de>, Michael Sweet <msweet@msweet.org>
CC: David Schinazi <dschinazi.ietf@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <SA1PR15MB4370D9A3CB02716FB228D59EB35A2@SA1PR15MB4370.namprd15.prod.outlook.com>

I think it would help if this draft discussed scoping of cookies (and other HTTP client state).  In particular, I shouldn't be able to vacuum up your home "printer-123.local"'s cookies just by naming myself "printer-123.local" on the coffee-shop network.  Client state for .local domains needs to be partitioned by network to avoid these attacks.

I also think opportunistic encryption (RFC 8164) should be considered seriously in this context.  The security properties of local networks are different from the public internet, and opportunistic encryption seems to provide more value in this context.

--Ben Schwartz
________________________________
From: Toerless Eckert <tte@cs.fau.de>
Sent: Thursday, February 22, 2024 5:14 PM
To: Michael Sweet <msweet@msweet.org>
Cc: David Schinazi <dschinazi.ietf@gmail.com>; HTTP Working Group <ietf-http-wg@w3.org>
Subject: Re: Link-local connectivity in Web browsers

On Thu, Feb 22, 2024 at 07:04:33AM -0500, Michael Sweet wrote:
> >> 2. Locally-Unique Addresses (ULAs) can be assigned automatically and are better supported by the various client OS's than the RFC 4007 default scope for link-local addresses.
> >
> > I am not aware of schemes that would automatically assign ULAs, would love a reference.
> > I have written a scheme based on network wide configuration/autoprovisioning (RFC8994), but
> > i am not aware of any similar solutions like that widely used.
>
> Enterprise networks often make use of ULAs, and that is where I would expect them to be used most often since 'normal users' don't typically have the expertise to set those things up.

Sure, but there is no "assigned automatically" the way i understand it. YOu may have
meant something different, so maybe its not a sufficiently well defined term.

But in any case, ULA like global addresses do require additional address allocation/management
operations which may not have happened and/or which may not be desirable to be required,
so the underlying interest at least IMHO from the IPv6 networking world is to figure out
what the sanest way is to support LLA across all representations where they may be needed
including browsers. That's nonwithstanding that we wuold want to minimize the need
for having to use any IPv6 address by normal users under normal circumstances.

Cheers
    toerless

> ________________________
> Michael Sweet

Received on Monday, 26 February 2024 15:10:52 UTC