Support for IPv6 link local

[marsounjan]

#1706

[swankjesse]

This is cool!

We aren't in a position to merge new features now, and for about 8 weeks. We're doing a Kotlin conversion and that is complex enough that I don't want to make any other changes alongside it.

Can you explain how you found yourself using this? I read it in the spec but really want context around how this gets used in practice.

[marsounjan]

I work for a company which makes network appliances. Using IPv6 link local address solves for example the connection issues when you take the device configured with static IPv4 address from some network and plug it into you LAN with different subnet configured.
With IPv6 Link Local you can always communicate with the device when it's plugged in LAN :)

[swankjesse]

Now I'm confused. I was expecting linklocal to be about the local interface. I need to do some studying.

In general I'm somewhat reluctant to do this because it opens up attack vectors.

[marsounjan]

it's definitely about the local interface. To use link local address you must specify the interface.

I don't see how it could open up attack vendors.

[swankjesse]

An attacker server could redirect a client to DoS a server that isn’t on the public internet.

[yschimke]

Util.java change will need to target kotlin. Seems like something we could support via caller urls (with some risk), but disallow for automatic redirects.

[swankjesse]

I'm gonna close this because I'm not ready to impose the security consequences of link local on all of our users.

[marsounjan]

@swankjesse @yschimke we'd really like okhttp to support link local, since it's really pain for us updating our local fork every time when we need to update okhttp version..

So what's exactly the problem you see here? If it's just you worring about being redirected to different network interface, it can be solved quite easily.

Also I can see several other users would like to have this feature in okhttp :)

[swankjesse]

I'm worried about URLs that would use this feature that currently fail and would soon succeed! This feels like a big security problem.

What's the easy solution?

[marsounjan]

well, I wanted to write that it'll be easy to implement it the way that doesn't allow to switch interfaces by redirections, because that doesn't make much sense anyway.

But then I look at the code and found out that it's already implemented that way :)

Is not allowing redirects to switch network interfaces for traffic enough for you to stop worrying about security?
Other then that I really can't imagine any possible security risk or anything like that since it's behaving the same as IPv6

[swankjesse]

I don't want new calls to switch interfaces either. Imagine crawling the web with OkHttp and a malicious page attempts to get the crawler to index URLs on it's internal interface.

[marsounjan]

is this really a security issue which should be okhttp client library worried about? Isn't it more about good/bad crawler implementation?

I am not proposing okhttp to support some custom hacky protocol, just RFC documented addressing :)

[swankjesse]

Do browsers support this? If they do we should; if they don't we shouldn't.

[swankjesse]

Looks like the answer is no.
https://stackoverflow.com/a/46881540/40013

[swankjesse]

Also! Not supporting link local addresses URLs does not mean OkHttp cannot access the resources at those URLs! You just need to specify a SocketFactory that chooses the link you want. That's not too much code and it keeps this feature safe.

[yschimke]

@marsounjan What's the typical use case for this? Any examples of where you need it for typical development or app uses?