IETF Logo Mail Archive

Re: [Captive-portals] Use Case: "Carrier Grade Captive Portal"

Erik Kline <ek@google.com> Sun, 07 May 2017 07:46 UTC

Return-Path: <ek@google.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C42F126FB3 for <captive-portals@ietfa.amsl.com>; Sun, 7 May 2017 00:46:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nj2AXFt37mcT for <captive-portals@ietfa.amsl.com>; Sun, 7 May 2017 00:46:08 -0700 (PDT)
Received: from mail-yb0-x231.google.com (mail-yb0-x231.google.com [IPv6:2607:f8b0:4002:c09::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1BAC6124D85 for <captive-portals@ietf.org>; Sun, 7 May 2017 00:46:08 -0700 (PDT)
Received: by mail-yb0-x231.google.com with SMTP id 8so5731575ybw.1 for <captive-portals@ietf.org>; Sun, 07 May 2017 00:46:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=fEn/EGnVMowuLLXd4y323cPl8H/kZVYPfQ4xLemsZ1w=; b=nBARcP30AmExlDaqJWedQPRotRn0Tc6mf4R/Z2ej89jpP2hRdrw0q4duWGQ6KcNxmK CJFhFCa8T+AHDUFqNq6q+5OeMpOL8RLqPiBRpRHZzy/5hzyLZh3yGDeh9QsHFa6NUIBr MhzWdarQE49huGX5rnOmZ3tPkCZR/t+OfM7yfZ6AfyHyXXolqJ8EFu7+cYirHQgknYd8 CFDliUM0hnzzCzKVw04WKM9yi2zBEA0jwFngYhAIxeob12OpGjp2/ZVFhNWDevi1Snwc kubur4nDGQDZXq8vYvnplgwR9R8om0xVIKnoHuGq9F+ane+wHXV6lvYwpYU1GirOjr0c Dm4A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=fEn/EGnVMowuLLXd4y323cPl8H/kZVYPfQ4xLemsZ1w=; b=mMYhcTr9JJPJ1s+mCoEhfuEfkQvc8DL4l7ni0k6RH2URoVo+LtOoEbel5f6BNbvZMC bhFr8osK74LTscw3cIOAx0SFf8dCbQ2az8b1PTOCqr1zz/kB4mPVglJCB+hPrAImiRzA LpezGTicsxEqbg5byOPwvQFTLwiagORFXFcNYgGsxbwIlcKDvBGUAHsjWNnlrXQV5EkW QdMLGm+pkUb6oX/gisk7s8BJwMcoTfzb2cH0Sg/A3IEx8OV+CI6VHNYUeEguWn3/gfzh a4XRWzPzudfX86p8a9oOhYd7ZBEW3oghPOqc2BQLKTLSqXmmxY/lSPF1tTm0/n7cUsrX 9KfA==
X-Gm-Message-State: AODbwcB4LwI7nRxMuYugRYO1/PMYlQKspyjcWOTiP07ZGH/v8vRExdbf I6FU//Shp0BW23LFyfHewSeQrtIrdT4c
X-Received: by 10.37.215.11 with SMTP id o11mr5747087ybg.30.1494143167058; Sun, 07 May 2017 00:46:07 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.37.105.84 with HTTP; Sun, 7 May 2017 00:45:46 -0700 (PDT)
In-Reply-To: <CAHw9_iJARf4MUA8nHqHA54jLvJNq-_Vek67A-rjHpSK6vC7r+Q@mail.gmail.com>
References: <201705031442.50683.heiko.folkerts@bsi.bund.de> <E8355113905631478EFF04F5AA706E98705C6C57@wtl-exchp-1.sandvine.com> <CAHw9_iJARf4MUA8nHqHA54jLvJNq-_Vek67A-rjHpSK6vC7r+Q@mail.gmail.com>
From: Erik Kline <ek@google.com>
Date: Sun, 07 May 2017 16:45:46 +0900
Message-ID: <CAAedzxrmHyuC90EqsxNXra--VHN4x24XpC+fex5ka0pb3gGvFA@mail.gmail.com>
To: Warren Kumari <warren@kumari.net>
Cc: Dave Dolson <ddolson@sandvine.com>, Heiko Folkerts <heiko.folkerts@bsi.bund.de>, "Herzig, Willi" <willi.herzig@bsi.bund.de>, "captive-portals@ietf.org" <captive-portals@ietf.org>, Gunther Nitzsche <gnitzsche@netcologne.de>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="94eb2c06ad04bd84e1054eea50d8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/3ifZhKcrmfKhFg8b_lSJUys1W7s>
Subject: Re: [Captive-portals] Use Case: "Carrier Grade Captive Portal"
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 May 2017 07:46:11 -0000

Agreed.

I wanted to also include an anecdote about a previous boss who had DSL at
home (AT&T, maybe?).  The CPE they gave him threw up a captive portal page
whenever the CPE detected that the DSL link was down.  This seems fairly
useful compared to everything just timing out (of course network
unreachables would have been quick, but somewhat less useful for
non-technical folks, especially given that the portal page could include
the service hotline phone number).

On 5 May 2017 at 00:14, Warren Kumari <warren@kumari.net> wrote:

> I *think* that this is quite similar to a captive portal system run by
> Comcast -- I recently upgraded my cable-modem (my old one didn't
> support v6). This means that I ended up with a new MAC address on the
> CM, and Comcast placed me into a walled garden until I signed in (and
> they associated my new MAC with my account) -- while a different cause
> (new MAC vs malware), the rest is very similar.
>
> So, I think that these would be well within scope.
> W
>
> On Wed, May 3, 2017 at 9:37 AM, Dave Dolson <ddolson@sandvine.com> wrote:
> > I consider this in scope. It is an excellent example of why captive
> portals should be handled at the IP layer (layer3) with IP protocols, and
> are not only a WiFi (layer 2) problem.
> >
> >
> > -----Original Message-----
> > From: Captive-portals [mailto:captive-portals-bounces@ietf.org] On
> Behalf Of Heiko Folkerts
> > Sent: Wednesday, May 3, 2017 8:43 AM
> > To: captive-portals@ietf.org
> > Cc: Herzig, Willi; Gunther Nitzsche
> > Subject: [Captive-portals] Use Case: "Carrier Grade Captive Portal"
> >
> > Hi everybody,
> >
> > I visited the capport WG the first time in Chicago. Thank you very much
> for the presentations! Afterwards I had a very brief chat with Martin about
> a use case, I name “carrier grade captive portals”. As a result I want to
> present this use case to you on this mailing list:
> >
> > *Background and use case:*
> > In Germany the Federal Office for Information Security informs the ISPs
> with IPs, timestamp and other information of users that are part of a
> botnet. The ISPs are informing the users about the infection. We can not
> inform the users without the help of the ISP as they are the only ones
> knowing who is behind the dynamic IP address users get normally in Germany.
> > There are different ways to inform users by the ISPs: e-mail, snail mail
> or a carrier grade captive portal (aka walled garden, forced portal),
> >
> > The most efficient way to inform and get systems cleaned has been proven
> is the carrier grade captive portal.
> > One of the  internet service providers, NetCologne, uses a, as they call
> it, Forced Portal. The current solution is legal in germany, if the ISPs
> terms of service are appropriate.
> >
> > *Technically it roughly works like this:*
> > - When the abuse management system detects that a user is infected, the
> CPE customers router connection (PPOE connection) is disconnected and
> immediately a new PPOE connection is started.
> > - With the new PPOE connection, the CPE customers router gets a new
> DNSServer, IP, gateway (policy routing) and is connected to a carrier grade
> captive portal.
> > - Within the new network connection all traffic is routed through a
> HTTP/HTTPS proxy. This proxy allows the user to access selected sites like
> informational sites about infections, AV and OS vendors and will otherwise
> present an information page to the user. This information page tells the
> user about the situation, including information about the infection(s) and
> instructs him how to clean the system.
> >
> > *Problem (almost the same as you know it):* As with captive portals in
> local networks this worked pretty well using HTTP.
> > Also on Browsers, which first tries a HTTP connection, the information
> page  is displayed. Problem occurs now with HTTPS. Especially Google Chrome
> does no longer connect first using HTTP when the user enters a domain name
> of a web page if using HSTS and HSTS preload.
> > Connecting with HTTPS, the browser detects a MITM attack (which of
> course makes sense, because it is MITM) and does not display the
> information page.
> > Instead an error page is displayed, which generates a whole lot of calls
> to the costumer support. An addional problem we encounter is that the well
> known detection strategies used by iOS/macOS, Windows and Android for
> captive portals do *never* work in our case.
> > Reason is that these detection strategies will only test for captive
> portals, when the network connection of the actual device (for example
> using WiFi) is started new. In our case the customers CPE router gets a new
> PPPOE connection, but the client  does not detect that the network
> connection to the internet was dropped by the router.
> >
> > Do you think that „carrier grade captive portals“ are in scope of the
> capport WG charta? Would the work already done at capport help to cope with
> this problem?
> > My understanding of the current work in capport is, that it will not
> solve this problem entirely, but I think, it may already be half-way
> towards a solution. Because pushing a customer to a walled garden does not
> do a status change on the client system, but the CPE might work as some
> kind of “captive portal relais”, using at least parts of the current
> architecture of capport on the internal LAN.
> >
> > Do you think it is usful that the capport WG considers our use case in
> its work? Any help is appreciated.
> >
> > Best regards,
> >
> > Heiko.
> >
> > --
> > Heiko Folkerts
> > ---------------------------------------------------
> > Referat CK 15
> > Federal Office for Information Security (BSI)
> >
> > Godesberger Allee 185 -189
> > 53175 Bonn
> > Germany
> > Telefon:        +49 228 99 9582-5955
> > Fax:            +49 228 99 10 9582-5955
> > E-Mail: heiko.folkerts@bsi.bund.de
> > Internet:       www.bsi.bund.de
> >                 www.bsi-fuer-buerger.de
> >
> > _______________________________________________
> > Captive-portals mailing list
> > Captive-portals@ietf.org
> > https://www.ietf.org/mailman/listinfo/captive-portals
> > _______________________________________________
> > Captive-portals mailing list
> > Captive-portals@ietf.org
> > https://www.ietf.org/mailman/listinfo/captive-portals
>
>
>
> --
> I don't think the execution is relevant when it was obviously a bad
> idea in the first place.
> This is like putting rabid weasels in your pants, and later expressing
> regret at having chosen those particular rabid weasels and that pair
> of pants.
>    ---maf
>
> _______________________________________________
> Captive-portals mailing list
> Captive-portals@ietf.org
> https://www.ietf.org/mailman/listinfo/captive-portals
>

v2.23.0 | Report a Bug | By Email