IETF Logo Mail Archive

Re: [Captive-portals] Discovering captive portal API URL via DNS?

Michael Richardson <mcr+ietf@sandelman.ca> Wed, 04 September 2019 07:26 UTC

Return-Path: <mcr@sandelman.ca>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA8AF1200D7 for <captive-portals@ietfa.amsl.com>; Wed, 4 Sep 2019 00:26:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bgKB-psjBtxD for <captive-portals@ietfa.amsl.com>; Wed, 4 Sep 2019 00:26:53 -0700 (PDT)
Received: from relay.sandelman.ca (relay.cooperix.net [IPv6:2a01:7e00::f03c:91ff:feae:de77]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 16B881200B9 for <captive-portals@ietf.org>; Wed, 4 Sep 2019 00:26:52 -0700 (PDT)
Received: from dooku.sandelman.ca (unknown [89.248.140.11]) by relay.sandelman.ca (Postfix) with ESMTPS id E61CE1F45A; Wed, 4 Sep 2019 07:26:50 +0000 (UTC)
Received: by dooku.sandelman.ca (Postfix, from userid 179) id 7F9AA167E; Wed, 4 Sep 2019 03:27:18 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Lorenzo Colitti <lorenzo=40google.com@dmarc.ietf.org>
cc: captive-portals@ietf.org
In-reply-to: <CAKD1Yr1mR57OsOzDtjM=7YCV_R6zFF9WPxqA-XrWsuJWv+VTag@mail.gmail.com>
References: <CAKD1Yr1mR57OsOzDtjM=7YCV_R6zFF9WPxqA-XrWsuJWv+VTag@mail.gmail.com>
Comments: In-reply-to Lorenzo Colitti <lorenzo=40google.com@dmarc.ietf.org> message dated "Wed, 04 Sep 2019 08:44:10 +0900."
X-Mailer: MH-E 8.6; nmh 1.6; GNU Emacs 24.5.1
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Wed, 04 Sep 2019 03:27:18 -0400
Message-ID: <18051.1567582038@dooku.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/Bp4RPB483ShCq2BF1l3WgsSQkT4>
Subject: Re: [Captive-portals] Discovering captive portal API URL via DNS?
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Sep 2019 07:26:55 -0000

Lorenzo Colitti <lorenzo=40google.com@dmarc.ietf.org> wrote:
    > During discussions with captive portal operators about implementing the
    > capport API, one of the stumbling blocks that keeps coming up is that
    > the captive portal operator does not always control the DHCP
    > configuration and thus cannot easily use RFC7710.

Agreed.

    > The WG has previously rejected the option of using a well-known DNS
    > name to discover the URL, because the API itself requires TLS, and
    > without a hostname it is not possible (or at least not easy) to
    > validate the server. However, what if the client did a CNAME query for
    > capport.arpa (or equivalent other local-only, non-DNSSEC-signed name),
    > got back a CNAME for the real server, and then assumed that the API
    > server was https://<targetofcname>/capport-api ?

    > Alternatively, Erik and Warren suggest RFC 7553. In this scheme the
    > client would do a URI lookup for "capport.arpa" or equivalent, and
    > would take the result of that URL as the API endpoint.

RFC7553 seems like a better choice than a CNAME hack.

So we are trading the assumption that captive portal operator can control
DHCP to one where captive portal operator can control/influence DNS, and
that things like DoT/DoH can not be used by the captive portal client.
(I just want to make the assumption explicit. I'm not complaining about it)

-- 
]               Never tell me the odds!                 | ipv6 mesh networks [ 
]   Michael Richardson, Sandelman Software Works        | network architect  [ 
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [

v2.23.0 | Report a Bug | By Email