Re: [Captive-portals] Thinking of something related to captive portals for the ietf98 hackathon
Lorenzo Colitti <lorenzo@google.com> Wed, 22 February 2017 17:06 UTC
Return-Path: <lorenzo@google.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24BF9129A72 for <captive-portals@ietfa.amsl.com>; Wed, 22 Feb 2017 09:06:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sGtqI3V2N1Qj for <captive-portals@ietfa.amsl.com>; Wed, 22 Feb 2017 09:06:19 -0800 (PST)
Received: from mail-yb0-x230.google.com (mail-yb0-x230.google.com [IPv6:2607:f8b0:4002:c09::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 64D39129A6F for <captive-portals@ietf.org>; Wed, 22 Feb 2017 09:06:19 -0800 (PST)
Received: by mail-yb0-x230.google.com with SMTP id a5so2351301ybb.2 for <captive-portals@ietf.org>; Wed, 22 Feb 2017 09:06:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=De8i9gFs/W+DvucHFDdL++NGBBRkSOKwXDn11eOT1TY=; b=piHzZKPN3ktsL2Io+zVsQn54pupVnyyXV7rzvae2XoAvOsTF5dzSuIUKsWNyn8EQJo Ck9WwB7g46P2SU1wrYh8o4PBBV3IkkCsds05h/lp+4vU20Q8tGV5k7CV2o7oFyqMNjXT SIdA7+j1D+HX1Pd/ltAgiVirycfTGwaeqe49pCFMgpBKvgYKE6+yOpIj3vxNLeK6vpfd Iz8N6fSLtUwt4UMQCyK09LczL+fOQKyKP4NLdkkBit8kFTlntxgr2iYTdPu/LGj2tJMI vdGvdhZyEHBiR7XxkJH0qENH89wmNpDy07xcJ9NXNjY18sQNJ/gE8bkTUa46FPD5zH++ 33gQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=De8i9gFs/W+DvucHFDdL++NGBBRkSOKwXDn11eOT1TY=; b=hSOcLShkWnwzdXUfwGz8M4n2/akt4AF4Cd2tXpWuQd3O0aRQQ6T6fNNG1DjQUmm77K UhAqlv5YLv8FWqQjzZg1KYawVQydtlPJN1jCjJyoNIPhKDLVj8d/6/gIFhdSvmrrba75 SoVRIQA7W5kBpqO9rad2K7X9EKhn1gp8sELbQz6joYCoF8yNx8k2pOHAMewSl3yGx9Xl 0ep9CGpN7lVOt81ZWkUSkNVezu+2fogI76zgl2iMUP/WFhlKJrY4Be8XYhbpRNJORasa 1FHETp+xJ/KNNereDW0kuOr3aKvQFITtZNPeD7lvhet/5RwSSDDpbblQrIUG14wGhBzc wbtw==
X-Gm-Message-State: AMke39nIicsOh5IqaolId+bmAUMEa7rFW+X1oOoClm+tW4LhGhvmDin2PuR6ZZuNyfCojqCeAUzHZl2tmRfUV0BM
X-Received: by 10.37.177.167 with SMTP id h39mr24931770ybj.110.1487783178320; Wed, 22 Feb 2017 09:06:18 -0800 (PST)
MIME-Version: 1.0
Received: by 10.37.51.139 with HTTP; Wed, 22 Feb 2017 09:05:57 -0800 (PST)
In-Reply-To: <E8355113905631478EFF04F5AA706E987051F25D@wtl-exchp-1.sandvine.com>
References: <D76BBBCF97F57144BB5FCF08007244A77058108A@wtl-exchp-1.sandvine.com> <CADo9JyUz6QRVg23cFmv7xTu_0dzbQM-xVXx7=79k3ao+59szVg@mail.gmail.com> <CAKD1Yr0B2HUz6AXExA7nK3URqkq3yFFuBXRVGM+mMR+KjnO1Ag@mail.gmail.com> <E8355113905631478EFF04F5AA706E987051EC6E@wtl-exchp-1.sandvine.com> <CAKD1Yr0p37+SuE03SLKQ2tZDxxeL3=jO8gSw9y66UnYXSDzeKw@mail.gmail.com> <E8355113905631478EFF04F5AA706E987051F25D@wtl-exchp-1.sandvine.com>
From: Lorenzo Colitti <lorenzo@google.com>
Date: Thu, 23 Feb 2017 02:05:57 +0900
Message-ID: <CAKD1Yr06UukkD+vM5ueiBfqe4h2t53G=-7hZN=wy1nO1_efJ2w@mail.gmail.com>
To: Dave Dolson <ddolson@sandvine.com>
Content-Type: multipart/alternative; boundary="f403045eae30d91e890549218396"
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/7NUtoMomjVhKetsuQA41uhx2754>
Cc: "captive-portals@ietf.org" <captive-portals@ietf.org>, Kyle Larose <klarose@sandvine.com>, "warren@kumari.net" <warren@kumari.net>, David Bird <dbird@google.com>
Subject: Re: [Captive-portals] Thinking of something related to captive portals for the ietf98 hackathon
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Feb 2017 17:06:21 -0000
The ability for any host in the Internet to trigger an instant response sounds it could turn into a DOS vector, though. On Thu, Feb 23, 2017 at 2:04 AM, Dave Dolson <ddolson@sandvine.com> wrote: > As I understand it, to "think something is wrong" requires an > application-layer timeout. Some people think this is about 5s, but I don't > believe TCP specifies an upper bound. > > An ICMP message can give an "instant" response. > > It's worth considering that the ICMP message may trigger the "sacrificial" > HTTP request by the operating system. > > > > ------------------------------ > *From:* Lorenzo Colitti [lorenzo@google.com] > *Sent:* Wednesday, February 22, 2017 10:24 AM > *To:* Dave Dolson > *Cc:* David Bird; warren@kumari.net; Kyle Larose; captive-portals@ietf.org > > *Subject:* Re: [Captive-portals] Thinking of something related to captive > portals for the ietf98 hackathon > > Ok, but the implementations that are the most likely to implement this > sort of feature already send sacrificial plaintext HTTP requests on > connect, and are quite capable of generating HTTP requests on demand when > they think something is wrong. > > On Wed, Feb 22, 2017 at 11:53 PM, Dave Dolson <ddolson@sandvine.com> > wrote: > >> Lorenzo, >> My interest in ICMP is that it could work with any protocol, not just >> HTTP, and doesn't require any MITM for HTTPS. >> I recall a discussion about adding a difficult-to-guess token to the ICMP >> message, making it hard to spoof. >> >> -Dave >> >> >> >> ------------------------------ >> *From:* Captive-portals [captive-portals-bounces@ietf.org] on behalf of >> Lorenzo Colitti [lorenzo@google.com] >> *Sent:* Wednesday, February 22, 2017 9:42 AM >> *To:* David Bird >> *Cc:* warren@kumari.net; Kyle Larose; captive-portals@ietf.org >> *Subject:* Re: [Captive-portals] Thinking of something related to >> captive portals for the ietf98 hackathon >> >> I'm not a fan of the ICMP method. I think the security implications need >> more thought. >> >> As is, it looks like pretty much anyone on the Internet can send you one >> of these packets, and you have no way of knowing if it's legitimate. >> Relying on such an easy-to-spoof signal to decide that a network no longer >> provides Internet access could be quite harmful, particularly if the >> receiving device decided to switch to cellular data and incur the >> associated traffic costs. Even if the signal is only taken as a hint to >> revalidate the network, that still has battery implications. >> >> It would seem to be much more useful to use: >> >> - A header in the initial redirect that captive portals almost always >> generate. >> - A well-known URL where the state of the captive portal can be >> revalidated, either periodically or when some other indication of loss of >> connectivity is observed. >> >> At the last IETF we talked about possibly having a more structured way of >> communicating this and other bits of information from captive portal to >> host (a RESTful API, IIRC). That would also be useful, if we can all >> collectively resist the temptation to overengineer such a mechanism. :-) >> >> On Wed, Feb 22, 2017 at 11:31 PM, David Bird <dbird@google.com> wrote: >> >>> Hi Kyle, >>> >>> I think that is a great idea! >>> >>> I had started to implement here: https://github.com/coova >>> /coova-chilli/tree/capport-icmp >>> >>> What would be nice, in addition to the NAS changes, is to also >>> demonstrate the client side ... either something like icmpd >>> <https://github.com/snaewe/books-code/tree/master/unpv13e/icmpd> (to >>> listen for the ICMP and provide applications a way of checking the status >>> of their dest. unreach. connections), or the necessary Linux kernel >>> changes. Also with kernel changes, the I-D could also be implemented using >>> iptables, or other NAS software too. >>> >>> Cheers, >>> David >>> >>> >>> On Wed, Feb 22, 2017 at 6:12 AM, Kyle Larose <klarose@sandvine.com> >>> wrote: >>> >>>> Hey everyone, >>>> >>>> I was thinking of doing something (anything) related to captive portals >>>> for the ietf 98 hackathon. In particular, >>>> https://tools.ietf.org/html/draft-wkumari-capport-icmp-unreach-01 >>>> caught my eye. I was wondering if anyone had thoughts on that, and whether >>>> there is anything else they'd like to see me champion. >>>> >>>> Thanks, >>>> >>>> Kyle >>>> >>>> _______________________________________________ >>>> Captive-portals mailing list >>>> Captive-portals@ietf.org >>>> https://www.ietf.org/mailman/listinfo/captive-portals >>>> >>> >>> >>> _______________________________________________ >>> Captive-portals mailing list >>> Captive-portals@ietf.org >>> https://www.ietf.org/mailman/listinfo/captive-portals >>> >>> >> >
- [Captive-portals] Thinking of something related t… Kyle Larose
- Re: [Captive-portals] Thinking of something relat… David Bird
- Re: [Captive-portals] Thinking of something relat… Lorenzo Colitti
- Re: [Captive-portals] Thinking of something relat… Dave Dolson
- Re: [Captive-portals] Thinking of something relat… Lorenzo Colitti
- Re: [Captive-portals] Thinking of something relat… David Bird
- Re: [Captive-portals] Thinking of something relat… Alexander Szlezak
- Re: [Captive-portals] Thinking of something relat… Dave Dolson
- Re: [Captive-portals] Thinking of something relat… Lorenzo Colitti
- Re: [Captive-portals] Thinking of something relat… Dave Dolson
- Re: [Captive-portals] Thinking of something relat… David Bird
- Re: [Captive-portals] Thinking of something relat… David Farmer
- Re: [Captive-portals] Thinking of something relat… Erik Kline
- Re: [Captive-portals] Thinking of something relat… Dave Dolson
- Re: [Captive-portals] Thinking of something relat… Kyle Larose
- Re: [Captive-portals] Thinking of something relat… David Bird
- Re: [Captive-portals] Thinking of something relat… Christian Saunders