Should you strip the IPv6 zone?

There have recently been three different (but related) contexts where I have asked or been asked that question:

- When a reverse proxy is adding the client IP to the X-Forwarded-For header.
- When the client IP is being used for rate limiting.
- When checking if a client IP is contained in a configured list of ranges/prefixes/CIDRs.

As I understood more about zones my opinion on this changed. This is an attempt to capture my understanding and where I ended up.

A tiny flaw in Go's netip design


Update 2022-03-23: Matt Layher created a Go issue about this.

Update 2022-04-14: In response to that issue, two weeks ago a change was committed to Go that makes netip.ParsePrefix behave like net.ParseCIDR: they both return an error when a zone is present. It wasn’t released in 1.18.1, but I’m guessing it’ll be in 1.18.2. So that’s great!

Does this surprise you? (Try it in the playground.)

prefix := netip.MustParsePrefix("fe80::%zone/10")
addr := netip.MustParseAddr("fe80::1%zone")
fmt.Println(prefix.Contains(addr)) // ==> false

Go’s new-as-of-1.18 netip package is better in every way than the previous net.IP, etc., but this one design decision will probably burn someone, somewhere, sometime.
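
The following is an added example, not code from the original post. It shows how the Contains behaviour above affects a check of a client IP against configured ranges, with the zone handling made an explicit choice by the caller. The names inRanges, parseRanges and stripZone, and the sample addresses, are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
)

// inRanges reports whether addr falls inside any configured prefix.
// Prefix.Contains returns false for any address carrying an IPv6 zone, so the
// caller chooses explicitly: stripZone=true compares on the address bits
// alone, stripZone=false keeps the stock behaviour. (Hypothetical names.)
func inRanges(ranges []netip.Prefix, addr netip.Addr, stripZone bool) bool {
	if stripZone {
		addr = addr.WithZone("") // no-op for IPv4 and unzoned IPv6
	}
	for _, p := range ranges {
		if p.Contains(addr) {
			return true
		}
	}
	return false
}

// parseRanges parses configured CIDR strings and rejects the whole list on
// the first bad entry, so a typo cannot silently shrink the list.
func parseRanges(cidrs ...string) ([]netip.Prefix, error) {
	out := make([]netip.Prefix, 0, len(cidrs))
	for _, c := range cidrs {
		p, err := netip.ParsePrefix(c)
		if err != nil {
			return nil, fmt.Errorf("bad range %q: %w", c, err)
		}
		out = append(out, p)
	}
	return out, nil
}

func main() {
	// Constructed sample configuration and client addresses.
	ranges, err := parseRanges("fe80::/10", "10.0.0.0/8")
	if err != nil {
		panic(err)
	}
	for _, s := range []string{"fe80::1", "fe80::1%eth0", "10.1.2.3", "2001:db8::1"} {
		a := netip.MustParseAddr(s)
		fmt.Printf("%-14s as-is=%-5v zone-stripped=%v\n", s,
			inRanges(ranges, a, false), inRanges(ranges, a, true))
	}
}
```

The zoned address fe80::1%eth0 is the only sample whose result differs between the two modes.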