Bug #118744 Make IPv4 / IPv6 CIDR network range notation a 1st class citizen in MySQL
Submitted: 29 Jul 10:16
Modified: 29 Jul 18:29
Reporter: Simon Mudd (OCA)
Status: Verified
Category: MySQL Server: Security: Privileges
Severity: S4 (Feature request)
Version: 8.0 / 8.4 / 9.4.0
OS: Any
Assigned to:
CPU Architecture: Any

[29 Jul 10:16] Simon Mudd
Description:
Documentation here: https://dev.mysql.com/doc/refman/9.4/en/account-names.html

This states that you can use as the host part an IP address/netmask setting for configuring network access for a given username.

e.g. 'user'@'192.168.40.0/255.255.255.0'

This format is ok but rather long. There is no support for IPv6 address ranges.

These days many people use a shorter CIDR format which can be used for IPv4 and IPv6:

e.g. 'user'@'192.168.40.0/24' or 'user'@'2001:1234:5678::/48'

There are other related "bug" reports but this one is more general.

Bug#89404 (Verified): inconsistent support of CIDR or subnet notation
Bug#96302 (Verified): cloning: support CIDR notation for clone-valid-donor-list

How to repeat:
Check the docs above and see that IPv6 address ranges are not supported, nor is the CIDR notation which is used frequently now.

Suggested fix:
Make CIDR notation for network ranges a first class citizen so it works in IPv4 and IPv6 across any places where the MySQL code base needs such values.

Sample usage for user creation would be:

- 'user'@'192.168.40.0/24'           IPv4 network range
- 'user'@'192.168.0.0/16'            RFC 1918 range
- 'user'@'10.0.0.0/8'                RFC 1918 range
- 'user'@'2001:1234:5678::/48'       IPv6 network range
- 'user'@'2001:1234:5678:10::/64'    IPv6 network range
- 'user'@'2001:1234:5678:10::1/128'  IPv6 host ip address

However, cloning and other functionality also uses network address ranges and probably should support CIDR ranges too.
[29 Jul 10:20] Simon Mudd
modify title
[29 Jul 10:43] MySQL Verification Team
Hello Simon,

Thank you for the reasonable feature request!

regards,
Umesh
[29 Jul 18:29] Simon Mudd
A comment about incremental changes in behaviour. I got rather confused about this when creating this feature request. I've always used network ranges with % wildcards. I wasn't aware of the 10.11.12.0/24 CIDR notation being valid, yet it is, squeezed in at the bottom of the 9.4 URL I pasted.

I checked back:
- https://dev.mysql.com/doc/refman/5.7/en/account-names.html does not mention CIDR notation
- https://dev.mysql.com/doc/refman/8.0/en/account-names.html mentions it by saying: As of MySQL 8.0.23, a host value specified as an IPv4 address can be written using CIDR notation, such as 198.51.100.44/24.

So there have been incremental improvements.
It really is helpful to reference these changes, as for those of us who have used older versions it's often hard to catch the subtle change in documentation from one version to the next to catch the improvement.

If you support CIDR notation now for IPv4, I think that adding it for IPv6 would be good and should be straightforward.

Consider making "The host name part of an account name can take many forms, and wildcards are permitted:" a section in bold and then provide a list of formats with more verbose details afterwards. This would help in finding changes.

Also recording when changes were made is helpful. This is sometimes provided in global variable or global variable documentation but it is not done consistently.

This makes it harder for us to catch changes over the MySQL software base when our own tooling may need to be adapted.