Re: [w3ctag/design-reviews] updated URI syntax for IPv6 link-local zone identifiers (Issue #774)

Hi,

(I am blind copying this to the IETF 6MAN WG. Be careful when replying.)

On 25-Nov-22 02:10, Yves Lafon wrote:
> Hi, we discussed the issue again during our last teleconference.
> The issue of malicious discovery is still there as it won't start with a brute-force attack, but more on probable zone names (especially if it involves interface names).

That is correct and is discussed at https://www.ietf.org/archive/id/draft-ietf-6man-rfc6874bis-05.html#section-6-6 . This theoretical risk has always existed for IPv6 literal addresses in URLs and is not specific to link-local addresses. The primary defence is the 64-bit size of the interface identifier space, which is impracticably large for a brute force search. This is one reason why the IETF now recommends pseudo-random interface identifiers, and has little to do with link-local addresses. (If you're looking for a practical brute force search, try starting at https://192.168.178.1/ .)

Given that, this is hardly an argument against supporting Zone IDs.

> Also the use of '%' as a delimiter is still seen as problematic as it is the escape delimiter and can lead to exploit of existing parsers that are not careful about when to apply unescaping.

Why is there an "exploit" here? The worst that can happen is that a server rejects the URL. We discuss this eventuality in the draft at https://www.ietf.org/archive/id/draft-ietf-6man-rfc6874bis-05.html#section-4-1 , and it's really a feature, not a bug.

> The lack of implementation support in browsers is another source of concern, it would be good also to get agreement within IETF, especially with the group in charge of maintenance of rfc3986.

We're trying to provide the egg half of the chicken-and-egg dilemma. It will be for each browser implementer to decide whether to proceed with the chicken. Of course the normal cross-area review process is under way in the IETF.

Thanks for the update.

     Brian


> Thanks
> 


-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/774#issuecomment-1326801509

Message ID: <w3ctag/design-reviews/issues/774/1326801509@github.com>

Received on Thursday, 24 November 2022 19:51:32 UTC
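As an added illustration (not code from the draft, this thread, or any browser), the following parser splits the zone identifier off an IPv6 literal before any percent-decoding, beside the decode-first ordering that the quoted concern about '%' refers to. The character set allowed in a zone identifier and the treatment of a leading "25" as the RFC 6874 escaped delimiter are assumptions made for this example.

```python
import ipaddress
import re
from urllib.parse import unquote

# Zone identifiers are restricted here to RFC 3986 "unreserved" characters
# (an assumption for this example; interface names such as eth0 or en0 fit).
ZONE_ID = re.compile(r"^[A-Za-z0-9._~-]+$")
# Strict check: every '%' must start a valid two-hex-digit escape.
BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")


def parse_ipv6_host(host):
    """Split a literal such as "[fe80::1%eth0]" or "[fe80::1%25eth0]" into
    (address, zone) BEFORE any percent-decoding of the URL.

    Returns None when the host is not well formed: a parser that does this
    simply rejects the URL, which is the "worst case" discussed in the thread.
    """
    if not (host.startswith("[") and host.endswith("]")):
        return None
    addr, sep, zone = host[1:-1].partition("%")
    if sep:
        # Accept the RFC 6874 spelling "%25<zone>" as well as a bare "%<zone>"
        # (treating a leading "25" as the escaped delimiter is an assumption).
        if zone.startswith("25"):
            zone = zone[2:]
        if not ZONE_ID.match(zone):
            return None
    else:
        zone = None
    try:
        ip = ipaddress.IPv6Address(addr)
    except ValueError:
        return None
    if zone is not None and not ip.is_link_local:
        return None  # a zone only disambiguates link-local scope
    return str(ip), zone


def decode_then_validate(host):
    """The fragile ordering: percent-decode the whole host first, then apply
    the strict escape check. "%25eth0" decodes to "%eth0", which the strict
    check rejects, so the literal is lost instead of parsed; "%25ab" decodes
    to "%ab", which now looks like an escape and would be decoded again."""
    decoded = unquote(host)
    return None if BAD_ESCAPE.search(decoded) else decoded
```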