Re: [Captive-portals] CAPPORT ICMP
David Bird <dbird@google.com> Sun, 02 April 2017 00:47 UTC
Return-Path: <dbird@google.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38C07120725 for <captive-portals@ietfa.amsl.com>; Sat, 1 Apr 2017 17:47:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.494
X-Spam-Level:
X-Spam-Status: No, score=-0.494 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, SUBJ_ALL_CAPS=1.506, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 23WfPvBN7325 for <captive-portals@ietfa.amsl.com>; Sat, 1 Apr 2017 17:47:38 -0700 (PDT)
Received: from mail-qt0-x229.google.com (mail-qt0-x229.google.com [IPv6:2607:f8b0:400d:c0d::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1054112785F for <captive-portals@ietf.org>; Sat, 1 Apr 2017 17:47:38 -0700 (PDT)
Received: by mail-qt0-x229.google.com with SMTP id i34so90337046qtc.0 for <captive-portals@ietf.org>; Sat, 01 Apr 2017 17:47:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=xMNvhtoOg9hPQkCs9kpUtUEgQ13+npOj14NJ+89RzVE=; b=VGJO0hQBNAD6Q/P3htXtaCfeXDbLTrBba5WqUwVqJ5JIi5hpjgBp7Vjl0ztrJbQjqg zozFltVdMeHGDFyFdLvxZ+p4C65UimtKJHhZuA8Y1MFrV1qrMxYr2go1YMv/eVubodHx 7U3cKruPbONmyZJdRMmZ5RGfONtm0HwoItNq8K5HwO5FViYGHb1TDKV98tFfBYYsP5TG fDHBtFEYrW1YFw+cKlfEaPnofKaP3OctKGAAPLjzXmi4r652e2I5unU5HdORfBtRsBQz 1kuXy7Lnqa6uUD0hFLjo8OkMBN3w9kvKJGz08FoXtRRsYJRL7ViCmIjQ1yvZoqms4++Z mMFA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=xMNvhtoOg9hPQkCs9kpUtUEgQ13+npOj14NJ+89RzVE=; b=Wk8imoCuXlAtaZoD5nis757YnnezWlQYRSiYrIJsQGQe6uyu1kpHw2URCp90e0IlLh 48fKTIRjZBjTiGwmxtFDwJdiS/he+KV2V7S68ODjX/HT/Wfb80w9V0/MT8iK+AbVrgP8 5I+GizA3q2rwHNXfN3aXYi3jRYwwhQpGL+fCCABQw10jlCqULkypB/mxKSnQxn56Lyu7 ih52Rpi9ZdqH1rPRKoCeHdFh3PulpK4FuMmzpfa9ZUHmjsYIaPdocy6a3lljw5hV6COr fFLkH3DOqDW4RRfH8ghfI0tF4rU80Hd12aJpgWyFfLzTYfi0mcKbkfy0wIAZFh3hWxdh uilQ==
X-Gm-Message-State: AFeK/H39re+7eApUNY04C34L5ZvRko6mUwxp6UuA6BAAzwDmFe6oFRkBGQYLwggpSPy0n/4mxaRZAnlB/cYvOQdd
X-Received: by 10.237.60.65 with SMTP id u1mr9605893qte.176.1491094056923; Sat, 01 Apr 2017 17:47:36 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.12.128.233 with HTTP; Sat, 1 Apr 2017 17:47:36 -0700 (PDT)
In-Reply-To: <CABkgnnW5G7NmXyvEuUFd1LQ5x8+EGi1vopy4c29GveY_scOsBQ@mail.gmail.com>
References: <E8355113905631478EFF04F5AA706E987056EF97@wtl-exchp-1.sandvine.com> <CABkgnnVuyhkywH6YF0VPot_h1dTXWta+psZvU62r1zKjNv=87g@mail.gmail.com> <E8355113905631478EFF04F5AA706E987056F0CB@wtl-exchp-1.sandvine.com> <CADo9JyWOe8xEoh83xC7Vg1iwHNKjvBDpDcmusUzd8dgEgQM78A@mail.gmail.com> <CABkgnnUW7PTWH7NqMD9kGbE3R3pXZfkO-Q8jSeBBT7gaVbRqcg@mail.gmail.com> <CADo9JyV_My13ieoDxp8tsmpRyozxjD+38dO3NwbzqKCLvgY=nA@mail.gmail.com> <20170331140239.7209037.57152.4973@sandvine.com> <CADo9JyWWKtoHfwNuXQ=x-B91J+SU87=gc4NX9=_JNmsxUPZxzQ@mail.gmail.com> <CADo9JyUAj81mLYSygJa4LkoMKsSyneM=qg-7A7-N0Uchso3ZUw@mail.gmail.com> <CADo9JyUEZ1tFMqJvqGHoXJLZifdQ7bFuCTTbmzx6FQSdLKYQ2Q@mail.gmail.com> <CADo9JyVDFhpQgZg0niqQJeJ1KWT6wX+zU94hvCMLBcVs5aZsAw@mail.gmail.com> <20170401173834.7209037.40616.5210@sandvine.com> <CADo9JyWPRDZM9wBNhFSbfiLPzQ2Nm20adGcwYfmu3QoFb0qzrA@mail.gmail.com> <CABkgnnW5G7NmXyvEuUFd1LQ5x8+EGi1vopy4c29GveY_scOsBQ@mail.gmail.com>
From: David Bird <dbird@google.com>
Date: Sat, 01 Apr 2017 17:47:36 -0700
Message-ID: <CADo9JyViuDxEiHafPndCRaPns7=hOL8PHeKAzyCxHbnPb647YA@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>, captive-portals@ietf.org
Cc: Erik Kline <ek@google.com>, Dave Dolson <ddolson@sandvine.com>, Kyle Larose <klarose@sandvine.com>
Content-Type: multipart/alternative; boundary="94eb2c0e6796977e2d054c2463f7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/1lIGCXD0KYoOpz5akwlEQr92GSc>
Subject: Re: [Captive-portals] CAPPORT ICMP
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 02 Apr 2017 00:47:40 -0000
+captive-portals On Sat, Apr 1, 2017 at 1:22 PM, Martin Thomson <martin.thomson@gmail.com> wrote: > (Adding ek; though I'm thinking that we should just take this discussion > to the list.) > > Those places that use a public address space for their closed network (or > the part that houses the enforcement device) would suffer in that case. > > That wouldn't matter much -- unless there is some sort of source routing in play... > Maybe we should step back and examine the security goal. We want to > reduce the chance that a spurious signal is accepted by a client. In this > case, a signal is spurious if it comes from off path, if it is sent from a > network that is too remote (a definition that probably needs some > refinement), or if data flows despite the signal. > > I'd argue that are goals are not particularly 'security' focused.. Though, agreed it is a concern. We certainly shouldn't *worsen* the security. > I'm starting to think that an explicit probe is what we want here, just as > David (Bird) said. That is, a message that is guaranteed* to elicit a > response from a portal. Let's say that an endpoint receives an ICMP > unreachable with the captive portal decoration. At that point, it kicks > the detection engine. That generates a series of ICMP messages** with low > TTLs and high entropy payloads (this could be a traceroute in effect) and > the same capport extension. If the captive portal is valid, it will return > the packet and include the capport extension. > > Agreed, good point. > It shouldn't take very long to detect a legitimate block this way. So > during the check, the endpoint does not disable the affected interface. If > it continues to receive data on the flow that triggered this, it should > consider the original ICMP unreachable as spurious and cancel the probe. > Ideally this is all in the kernel, but an application could implement this > logic itself. > > (BTW, I think that the entire payload in draft-kumari is unwise. It would > be better if we rely on something like draft-donnelly and ask for > expiration times. I'll follow up on the list.) > > My concern (fundamentally) about asking the API anything is that it could be wrong (and, I'd argue, it WILL be wrong so often that UEs will just start ignoring it). I think the API should only, more or less, confirm information and provide a means for "auto-login" (pinning saved credentials in the WiFi profile to an API URI and server x509 certificate). The NAS, imho, MUST be the source of truth. Yes, the API *can* be in the NAS, but if you secure it with https (and want a real cert) that is expensive. Moreover, many operator would want that API more centralized. As they do that, things will start falling apart... Some examples: - What if a network (configured by mistake, configured poorly, or otherwise) configures RFC 7710 in their DHCP server and creates the CAPPORT API, and that is it! Now, imagine the *customer complaints* about the CAPPORT detection features in handsets when they figure out only THEY get the portal when legacy devices do NOT. - It is not unusual for a Hotspot to have MULTIPLE authentication sources: MAC Authentication, different RADIUS servers used by realm, etc. Having an API that is the source of truth would require networks redesign -- broken networks galore. - It is also not unusual for captive portals to be outsources to companies that DO NOT own, operator, install, or otherwise administer the Wi-Fi infrastructure. Sure, they need to coordinate configurations, to some degree, for things like Walled garden to work, but once that is done once, the configuration is fragile (unless the operator does out-of-band synchronization of configurations to APs). -- again, broken networks galore. - You are pretty much guaranteed (minus the risk for forgery) that the one sending the ICMP is the NAS! > * by our specification at least, we have to allow for packet loss, of > course. > ** straw man example only > > > On 1 April 2017 at 12:59, David Bird <dbird@google.com> wrote: > >> We could restrict the sending address space to something in rfc1918... >> >> On Sat, Apr 1, 2017 at 10:38 AM, Dave Dolson <ddolson@sandvine.com> >> wrote: >> >>> I don't think we should assume the enforcement point is always on the >>> local link. >>> >>> David Dolson >>> Sandvine >>> *From: *David Bird >>> *Sent: *Saturday, April 1, 2017 12:14 PM >>> *To: *Dave Dolson >>> *Cc: *Martin Thomson; Kyle Larose >>> *Subject: *Re: CAPPORT ICMP >>> >>> Also, as suggested by Erik Kline, we can make further limitations on who >>> can send these messages - link local / unroutable addresses, etc. >>> >>> On Apr 1, 2017 8:46 AM, "David Bird" <dbird@google.com> wrote: >>> >>> In https://github.com/wlanmac/draft-wkumari-capport-icmp-unreach I was >>> thinking that a Session ID could be used to group ICMP messages into, more >>> or less, a single event. Only when the Session ID changes (and also based >>> on input from the Validity and Delay times) would the UE revisit the API. >>> And, a UE would not expect the Session ID to constantly be changing (I >>> think then it can assume it is under attack from a malicious user or just a >>> really unfriendly network provider). >>> >>> >>> >>> On Fri, Mar 31, 2017 at 7:02 AM, Dave Dolson <ddolson@sandvine.com> >>> wrote: >>> >>>> I think we can mitigate concerns about the ICMP by rate-limiting visits >>>> to the capport API, which is not something that can be done with current >>>> redirect approaches. >>>> >>>> >>>> >>>> *From: *David Bird >>>> *Sent: *Friday, March 31, 2017 8:09 AM >>>> *To: *Martin Thomson >>>> *Cc: *Dave Dolson; Kyle Larose >>>> *Subject: *Re: CAPPORT ICMP >>>> >>>> >>>>> With RFC 4884, which we could require, the UE still has to remember >>>>> every packet it sends. I think that is the larger burden. One >>>>> potential way to fix that would be to treat an ICMP unreachable as >>>>> provisional and then run an explicit test. >>>>> >>>> >>>> It wasn't the intention that UEs would have to remember what it sends. >>>> Should the ICMP be supported in the kernel, the capport "enriched" Dest >>>> Unreach bubbles up to the application. Without kernel support, something >>>> similar can be done where the application can ask another service "was my >>>> Dest Unreach with this tuple blocked by capport?" In that scenario, the >>>> "another service" just needs to intercept ICMP and hold the tuple for a >>>> little while in case an application queries about it. >>>> >>>> And, yes, the capport detection engine in the OS should be kicked >>>> whenever a capport ICMP is received. It is also not the intention that a UE >>>> will do something for EVERY ICMP, rather taken as input/signal to the >>>> capport detection. >>>> >>> >>> >>> >> >
- Re: [Captive-portals] CAPPORT ICMP David Bird