IETF Logo Mail Archive

Re: [Captive-portals] Thinking of something related to captive portals for the ietf98 hackathon

Lorenzo Colitti <lorenzo@google.com> Wed, 22 February 2017 17:06 UTC

Return-Path: <lorenzo@google.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24BF9129A72 for <captive-portals@ietfa.amsl.com>; Wed, 22 Feb 2017 09:06:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sGtqI3V2N1Qj for <captive-portals@ietfa.amsl.com>; Wed, 22 Feb 2017 09:06:19 -0800 (PST)
Received: from mail-yb0-x230.google.com (mail-yb0-x230.google.com [IPv6:2607:f8b0:4002:c09::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 64D39129A6F for <captive-portals@ietf.org>; Wed, 22 Feb 2017 09:06:19 -0800 (PST)
Received: by mail-yb0-x230.google.com with SMTP id a5so2351301ybb.2 for <captive-portals@ietf.org>; Wed, 22 Feb 2017 09:06:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=De8i9gFs/W+DvucHFDdL++NGBBRkSOKwXDn11eOT1TY=; b=piHzZKPN3ktsL2Io+zVsQn54pupVnyyXV7rzvae2XoAvOsTF5dzSuIUKsWNyn8EQJo Ck9WwB7g46P2SU1wrYh8o4PBBV3IkkCsds05h/lp+4vU20Q8tGV5k7CV2o7oFyqMNjXT SIdA7+j1D+HX1Pd/ltAgiVirycfTGwaeqe49pCFMgpBKvgYKE6+yOpIj3vxNLeK6vpfd Iz8N6fSLtUwt4UMQCyK09LczL+fOQKyKP4NLdkkBit8kFTlntxgr2iYTdPu/LGj2tJMI vdGvdhZyEHBiR7XxkJH0qENH89wmNpDy07xcJ9NXNjY18sQNJ/gE8bkTUa46FPD5zH++ 33gQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=De8i9gFs/W+DvucHFDdL++NGBBRkSOKwXDn11eOT1TY=; b=hSOcLShkWnwzdXUfwGz8M4n2/akt4AF4Cd2tXpWuQd3O0aRQQ6T6fNNG1DjQUmm77K UhAqlv5YLv8FWqQjzZg1KYawVQydtlPJN1jCjJyoNIPhKDLVj8d/6/gIFhdSvmrrba75 SoVRIQA7W5kBpqO9rad2K7X9EKhn1gp8sELbQz6joYCoF8yNx8k2pOHAMewSl3yGx9Xl 0ep9CGpN7lVOt81ZWkUSkNVezu+2fogI76zgl2iMUP/WFhlKJrY4Be8XYhbpRNJORasa 1FHETp+xJ/KNNereDW0kuOr3aKvQFITtZNPeD7lvhet/5RwSSDDpbblQrIUG14wGhBzc wbtw==
X-Gm-Message-State: AMke39nIicsOh5IqaolId+bmAUMEa7rFW+X1oOoClm+tW4LhGhvmDin2PuR6ZZuNyfCojqCeAUzHZl2tmRfUV0BM
X-Received: by 10.37.177.167 with SMTP id h39mr24931770ybj.110.1487783178320; Wed, 22 Feb 2017 09:06:18 -0800 (PST)
MIME-Version: 1.0
Received: by 10.37.51.139 with HTTP; Wed, 22 Feb 2017 09:05:57 -0800 (PST)
In-Reply-To: <E8355113905631478EFF04F5AA706E987051F25D@wtl-exchp-1.sandvine.com>
References: <D76BBBCF97F57144BB5FCF08007244A77058108A@wtl-exchp-1.sandvine.com> <CADo9JyUz6QRVg23cFmv7xTu_0dzbQM-xVXx7=79k3ao+59szVg@mail.gmail.com> <CAKD1Yr0B2HUz6AXExA7nK3URqkq3yFFuBXRVGM+mMR+KjnO1Ag@mail.gmail.com> <E8355113905631478EFF04F5AA706E987051EC6E@wtl-exchp-1.sandvine.com> <CAKD1Yr0p37+SuE03SLKQ2tZDxxeL3=jO8gSw9y66UnYXSDzeKw@mail.gmail.com> <E8355113905631478EFF04F5AA706E987051F25D@wtl-exchp-1.sandvine.com>
From: Lorenzo Colitti <lorenzo@google.com>
Date: Thu, 23 Feb 2017 02:05:57 +0900
Message-ID: <CAKD1Yr06UukkD+vM5ueiBfqe4h2t53G=-7hZN=wy1nO1_efJ2w@mail.gmail.com>
To: Dave Dolson <ddolson@sandvine.com>
Content-Type: multipart/alternative; boundary="f403045eae30d91e890549218396"
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/7NUtoMomjVhKetsuQA41uhx2754>
Cc: "captive-portals@ietf.org" <captive-portals@ietf.org>, Kyle Larose <klarose@sandvine.com>, "warren@kumari.net" <warren@kumari.net>, David Bird <dbird@google.com>
Subject: Re: [Captive-portals] Thinking of something related to captive portals for the ietf98 hackathon
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Feb 2017 17:06:21 -0000

The ability for any host in the Internet to trigger an instant response
sounds it could turn into a DOS vector, though.

On Thu, Feb 23, 2017 at 2:04 AM, Dave Dolson <ddolson@sandvine.com> wrote:

> As I understand it, to "think something is wrong" requires an
> application-layer timeout. Some people think this is about 5s, but I don't
> believe TCP specifies an upper bound.
>
> An ICMP message can give an "instant" response.
>
> It's worth considering that the ICMP message may trigger the "sacrificial"
> HTTP request by the operating system.
>
>
>
> ------------------------------
> *From:* Lorenzo Colitti [lorenzo@google.com]
> *Sent:* Wednesday, February 22, 2017 10:24 AM
> *To:* Dave Dolson
> *Cc:* David Bird; warren@kumari.net; Kyle Larose; captive-portals@ietf.org
>
> *Subject:* Re: [Captive-portals] Thinking of something related to captive
> portals for the ietf98 hackathon
>
> Ok, but the implementations that are the most likely to implement this
> sort of feature already send sacrificial plaintext HTTP requests on
> connect, and are quite capable of generating HTTP requests on demand when
> they think something is wrong.
>
> On Wed, Feb 22, 2017 at 11:53 PM, Dave Dolson <ddolson@sandvine.com>
> wrote:
>
>> Lorenzo,
>> My interest in ICMP is that it could work with any protocol, not just
>> HTTP, and doesn't require any MITM for HTTPS.
>> I recall a discussion about adding a difficult-to-guess token to the ICMP
>> message, making it hard to spoof.
>>
>> -Dave
>>
>>
>>
>> ------------------------------
>> *From:* Captive-portals [captive-portals-bounces@ietf.org] on behalf of
>> Lorenzo Colitti [lorenzo@google.com]
>> *Sent:* Wednesday, February 22, 2017 9:42 AM
>> *To:* David Bird
>> *Cc:* warren@kumari.net; Kyle Larose; captive-portals@ietf.org
>> *Subject:* Re: [Captive-portals] Thinking of something related to
>> captive portals for the ietf98 hackathon
>>
>> I'm not a fan of the ICMP method. I think the security implications need
>> more thought.
>>
>> As is, it looks like pretty much anyone on the Internet can send you one
>> of these packets, and you have no way of knowing if it's legitimate.
>> Relying on such an easy-to-spoof signal to decide that a network no longer
>> provides Internet access could be quite harmful, particularly if the
>> receiving device decided to switch to cellular data and incur the
>> associated traffic costs. Even if the signal is only taken as a hint to
>> revalidate the network, that still has battery implications.
>>
>> It would seem to be much more useful to use:
>>
>>    - A header in the initial redirect that captive portals almost always
>>    generate.
>>    - A well-known URL where the state of the captive portal can be
>>    revalidated, either periodically or when some other indication of loss of
>>    connectivity is observed.
>>
>> At the last IETF we talked about possibly having a more structured way of
>> communicating this and other bits of information from captive portal to
>> host (a RESTful API, IIRC). That would also be useful, if we can all
>> collectively resist the temptation to overengineer such a mechanism. :-)
>>
>> On Wed, Feb 22, 2017 at 11:31 PM, David Bird <dbird@google.com> wrote:
>>
>>> Hi Kyle,
>>>
>>> I think that is a great idea!
>>>
>>> I had started to implement here: https://github.com/coova
>>> /coova-chilli/tree/capport-icmp
>>>
>>> What would be nice, in addition to the NAS changes, is to also
>>> demonstrate the client side ... either something like icmpd
>>> <https://github.com/snaewe/books-code/tree/master/unpv13e/icmpd> (to
>>> listen for the ICMP and provide applications a way of checking the status
>>> of their dest. unreach. connections), or the necessary Linux kernel
>>> changes. Also with kernel changes, the I-D could also be implemented using
>>> iptables, or other NAS software too.
>>>
>>> Cheers,
>>> David
>>>
>>>
>>> On Wed, Feb 22, 2017 at 6:12 AM, Kyle Larose <klarose@sandvine.com>
>>> wrote:
>>>
>>>> Hey everyone,
>>>>
>>>> I was thinking of doing something (anything) related to captive portals
>>>> for the ietf 98 hackathon. In particular,
>>>> https://tools.ietf.org/html/draft-wkumari-capport-icmp-unreach-01
>>>> caught my eye. I was wondering if anyone had thoughts on that, and whether
>>>> there is anything else they'd like to see me champion.
>>>>
>>>> Thanks,
>>>>
>>>> Kyle
>>>>
>>>> _______________________________________________
>>>> Captive-portals mailing list
>>>> Captive-portals@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/captive-portals
>>>>
>>>
>>>
>>> _______________________________________________
>>> Captive-portals mailing list
>>> Captive-portals@ietf.org
>>> https://www.ietf.org/mailman/listinfo/captive-portals
>>>
>>>
>>
>

v2.23.0 | Report a Bug | By Email