IETF Logo Mail Archive

Re: [Captive-portals] Discovering captive portal API URL via DNS?

"Martin Thomson" <mt@lowentropy.net> Wed, 04 September 2019 02:47 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68B9E120271 for <captive-portals@ietfa.amsl.com>; Tue, 3 Sep 2019 19:47:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=AgyWxj9u; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=E1j7j/xe
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uvCxFNXiYixs for <captive-portals@ietfa.amsl.com>; Tue, 3 Sep 2019 19:47:00 -0700 (PDT)
Received: from out5-smtp.messagingengine.com (out5-smtp.messagingengine.com [66.111.4.29]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 78130120219 for <captive-portals@ietf.org>; Tue, 3 Sep 2019 19:47:00 -0700 (PDT)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id CB03321FEB for <captive-portals@ietf.org>; Tue, 3 Sep 2019 22:46:59 -0400 (EDT)
Received: from imap2 ([10.202.2.52]) by compute1.internal (MEProxy); Tue, 03 Sep 2019 22:46:59 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type; s=fm3; bh=XuGIMxDgKG9QwT5J4MWESxk/WpTbp3W w4Lx/qLxtIEc=; b=AgyWxj9uWiCm8JyH/gRqpiyNiRuO5Dp+QgkaZb/6TH1V0b0 Py4azTArRJsU78GrKAOnYrLDV5tmOBAsOCA6FjFffOWMa0abffunteU4mg7kw8v7 yMxQ+o/Ht3P0pAObSzJxu8iPMDHNahm84Zys77QyTI5M9dtfbn1/hIsVd2bXDDCh p805aYNl3bw5SjGXv2vLSSDVCDKSb5bGT9y8u+fVL2xWkfbD3+56wlo8TmWrjbY/ s3chQpNRchLJfroVzwxEm0/WZMS7UTyQaUVQFgLYvHVSfuxlacI6RMnYKr02vvOJ UvHejJ+WtM+Gnu9QSfsTn9PRKyZvF/39RveduVw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; bh=XuGIMx DgKG9QwT5J4MWESxk/WpTbp3Ww4Lx/qLxtIEc=; b=E1j7j/xeNrZU/6VPDXbzq0 KD6HFxAArA7l5qyYlWS1ACtfoimHUPaxRplnY4LbSX+NQLLFDe/5bmYS/+5c1yyZ OF3BCtJqUFtHJ5vl/HTn0tDdPpVbxm+UoK/9fMV0IHDfxoXhubjwLLYEfLUJIIPJ 0usXyWJiO66TwrXc3EV0W8P0QmTBiXeRx9tZ3HH+G9s+yygrkByosu9SfzGjj/p7 8DgkScvnBDhkKBaXKTILAhRmSd6wUdxKtIu6QjNr6wXY0Yvpy10lfW/2xv/93GdC qlMf/RX+MptZETYhHlIMsXiPkNLUel4Tx/VNS+SLsSWXoN9bEE0068AoH+1mq9zQ ==
X-ME-Sender: <xms:oyVvXYLmLEasLGoZYI9rYI9Vcd8hgTAc4dmTKqEzObsJAsSqtCFIdw>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduvddrudejgedgiedtucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefofgggkfgjfhffhffvufgtsehttd ertderredtnecuhfhrohhmpedfofgrrhhtihhnucfvhhhomhhsohhnfdcuoehmtheslhho figvnhhtrhhophihrdhnvghtqeenucffohhmrghinhepihgvthhfrdhorhhgnecurfgrrh grmhepmhgrihhlfhhrohhmpehmtheslhhofigvnhhtrhhophihrdhnvghtnecuvehluhhs thgvrhfuihiivgeptd
X-ME-Proxy: <xmx:oyVvXXPsdwLGsWevFrQOaZdlTCauC7FLsuw2Mbzu7UkwdUMXNg6ikg> <xmx:oyVvXe68DxNARenhpJ9t2ryLrOpLyOyotNXvsR1HgVmsHShFLLSFDA> <xmx:oyVvXR5jwkVRgMa73KYH7c6J3zs7Nk5qRU4Y4lYqnzX3T4d4edVAgw> <xmx:oyVvXXL7CyYqefNfoBBMvlbY1t9R_BqA77ZuLaAJifTtvxZiIc_GKg>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 80D62E00A3; Tue, 3 Sep 2019 22:46:59 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.1.7-154-gfa7592a-fmstable-20190829v1
Mime-Version: 1.0
Message-Id: <dc464cef-360a-4444-ba2d-fa878e79790f@www.fastmail.com>
In-Reply-To: <CAKD1Yr1mR57OsOzDtjM=7YCV_R6zFF9WPxqA-XrWsuJWv+VTag@mail.gmail.com>
References: <CAKD1Yr1mR57OsOzDtjM=7YCV_R6zFF9WPxqA-XrWsuJWv+VTag@mail.gmail.com>
Date: Wed, 04 Sep 2019 12:46:38 +1000
From: Martin Thomson <mt@lowentropy.net>
To: captive-portals@ietf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/AO6eyFej9C58gu6MgYD03xWm3-c>
Subject: Re: [Captive-portals] Discovering captive portal API URL via DNS?
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Sep 2019 02:47:13 -0000

What about those resolvers that collapse CNAME responses, effectively eliding them?

I assume that you are going to explicitly say that this has to be directed to the resolver provided in network configuration.  If that resolver is outside the network or less tightly secured than DHCP/RAs, then we have the possibility of attack on the DNS-over-UDP-53 that is used to get the CNAME response.

(Just contributin' not chairin'.)

On Wed, Sep 4, 2019, at 09:44, Lorenzo Colitti wrote:
> All,
> 
> During discussions with captive portal operators about implementing the 
> capport API, one of the stumbling blocks that keeps coming up is that 
> the captive portal operator does not always control the DHCP 
> configuration and thus cannot easily use RFC7710.
> 
> The WG has previously rejected the option of using a well-known DNS 
> name to discover the URL, because the API itself requires TLS, and 
> without a hostname it is not possible (or at least not easy) to 
> validate the server. However, what if the client did a CNAME query for 
> capport.arpa (or equivalent other local-only, non-DNSSEC-signed name), 
> got back a CNAME for the real server, and then assumed that the API 
> server was https://<targetofcname>/capport-api ?
> 
> Alternatively, Erik and Warren suggest RFC 7553. In this scheme the 
> client would do a URI lookup for "capport.arpa" or equivalent, and 
> would take the result of that URL as the API endpoint.
> 
> Thoughts?
> 
> Regards,
> Lorenzo
> _______________________________________________
> Captive-portals mailing list
> Captive-portals@ietf.org
> https://www.ietf.org/mailman/listinfo/captive-portals
>

v2.23.0 | Report a Bug | By Email