IETF Logo Mail Archive

Re: [Captive-portals] A new draft / idea - draft-wkumari-capport-icmp-unreach

Yaron Sheffer <yaronf.ietf@gmail.com> Sun, 03 May 2015 07:42 UTC

Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B48B1A01E7 for <captive-portals@ietfa.amsl.com>; Sun, 3 May 2015 00:42:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8_2nETHQSrP5 for <captive-portals@ietfa.amsl.com>; Sun, 3 May 2015 00:42:12 -0700 (PDT)
Received: from mail-wi0-x236.google.com (mail-wi0-x236.google.com [IPv6:2a00:1450:400c:c05::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4057E1A017F for <captive-portals@ietf.org>; Sun, 3 May 2015 00:42:12 -0700 (PDT)
Received: by wizk4 with SMTP id k4so90842238wiz.1 for <captive-portals@ietf.org>; Sun, 03 May 2015 00:42:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=OlyhFBUL8MjtalHGXKR+lc8LL+eLA0JjGXDK2KW7NIA=; b=TzPgQJdZ6uACGzUVj3BJhlfFRVXPwXmLH4yLFHTVrOXd6ESTOvKGh7LD3m/blXTf+2 RWcOVmJB36a0ZVMByMJRsJIWXfX1gTkHim4Yo4MwYllgFRe/xEsm6nHmcrWxDTw+c72Y I2RYNjwLV2K4do1FshhQHCEliH9PJnL+gUeADgJoGMac30t6IVxFHHL1fNWK0V6sgjv0 TxLnY7EVmEnq718u3ckJDtNCGnHzqCu3sndK48JWdQvKfNyTZzSNRI0C74RUMkcfQREp kqwlM9nDh66SP8/xbxyf2GSHJF5vQvhOZ21OylHnEp/EB7V6PfElUsnpz9qTxlXHgRqg 3MbA==
X-Received: by 10.180.160.145 with SMTP id xk17mr10085206wib.85.1430638931008; Sun, 03 May 2015 00:42:11 -0700 (PDT)
Received: from [192.168.12.107] (bzq-218-112-74.red.bezeqint.net. [81.218.112.74]) by mx.google.com with ESMTPSA id ex5sm5550256wib.2.2015.05.03.00.42.09 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 03 May 2015 00:42:09 -0700 (PDT)
Message-ID: <5545D150.4000501@gmail.com>
Date: Sun, 03 May 2015 10:42:08 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: Dave Dolson <ddolson@sandvine.com>, Warren Kumari <warren@kumari.net>
References: <CAHw9_iJ35ZFbbnjwt4=eV+pGamjVGDfh4PBvuvTNO2vs06U_tw@mail.gmail.com> <55424195.2010901@gmail.com>, <CAHw9_iKBrNj-wM5QkM7dbRnO9M7+dtm3mF6_3haE0eshrqRODw@mail.gmail.com> <20150501024958.35872859.97951.11481@sandvine.com>, <554366C1.6030000@gmail.com> <20150501122222.35872859.70721.11515@sandvine.com>
In-Reply-To: <20150501122222.35872859.70721.11515@sandvine.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/captive-portals/BqZKRoR6ZQtXXsxGZAZJ7oqIKXk>
Cc: "captive-portals@ietf.org" <captive-portals@ietf.org>
Subject: Re: [Captive-portals] A new draft / idea - draft-wkumari-capport-icmp-unreach
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 03 May 2015 07:42:14 -0000

Hi Dave,

Yes, any middlebox can block/redirect traffic. But all clients must 
obtain an IP address before they send anything out.

I would say that both DHCP and IPv6 RA are in our scope. GTP is not, and 
in fact GTP captive portals (yes, these things do exist!) use 
alternative means to notify the user. My personal experience was that 
they'll send you an SMS.

DHCP is commonly used to provide various types of information about the 
local network, so what we're proposing to do is very common DHCP, and 
does not mix layers at all. See 
http://www.iana.org/assignments/bootp-dhcp-parameters/bootp-dhcp-parameters.xhtml#options

Thanks,
	Yaron

On 05/01/2015 03:22 PM, Dave Dolson wrote:
> Any middlebox between user and server can block traffic and redirect http.
> An IETF protocol should not mix layering or be limited to specific access technology.
>
> IPv6 has ‎autoconfiguration for obtaining IP addresses.
>
> 3GPP has specific GTP-based mechanisms for obtaining IP addresses.
>
> So DHCP isn't even always used to access the internet.
>
> David Dolson
> Senior Software Architect, Sandvine Inc.
>    Original Message
> From: Yaron Sheffer
> Sent: Friday, May 1, 2015 7:43 AM
> To: Dave Dolson; Warren Kumari
> Cc: captive-portals@ietf.org
> Subject: Re: [Captive-portals] A new draft / idea - draft-wkumari-capport-icmp-unreach
>
>
> As a user, I have never seen a case where the captive portal is not on
> the same link as the client device, and never seen a case where an IP is
> obtained using a non-DHCP mechanism when in a CP setting. Can you give
> some concrete examples?
>
> Thanks,
>          Yaron
>
> On 05/01/2015 05:49 AM, Dave Dolson wrote:
>> I think it would be desirable to keep the captive portal mechanism independent of DHCP. The captive portal enforcement need not be on the same link as the user device. Furthermore, DHCP is not the only way to obtain an IP address.
>>
>> David Dolson
>> Senior Software Architect, Sandvine Inc.
>>     Original Message
>> From: Warren Kumari
>> Sent: Thursday, April 30, 2015 8:02 PM
>> To: Yaron Sheffer
>> Cc: captive-portals@ietf.org
>> Subject: Re: [Captive-portals] A new draft / idea - draft-wkumari-capport-icmp-unreach
>>
>>
>> On Thu, Apr 30, 2015 at 10:52 AM, Yaron Sheffer <yaronf.ietf@gmail.com> wrote:
>>> Hi Warren.
>>>
>>> The security consideration (an attacker can send any arbitrary URL, and will
>>> redirect you at will) seems like a showstopper to me.
>>
>> Yeah, we were a bit freaked about that too :-)
>>
>> I have removed the URL / URI stuff - now this is simply annotates
>> Destination Unreachable to explain that the reason for the Dest
>> Unreachable is because of a captive portal.
>>
>>>
>>> Also, once you have the DHCP mechanism, you can have client-initiated
>>> communication to a well-defined interface, and you don't need to deal with
>>> arbitrary connections being rejected. After all, the client needs to get an
>>> IP address from DHCP before it can initiate any such connection.
>>
>>
>> One reason that this is still useful is that eventually your captive
>> portal connection will expire and the CP will close. If you have
>> gotten CP information from DHCP, and then start getting these
>> Destination Unreachables you will know to connect to the captive
>> portal URL and pay again....
>> So, basically, get CP information from DHCP and use it. After 4hours
>> (or whatever), you start getting these new unrechables and know to
>> connect and pay again...
>>
>> I think that the security implications are now the same as for
>> "regular" (extended) Destination Unreachable.
>>
>> Thoughts?
>>
>> Thank you very much for your feedback,
>> W
>>
>>>
>>> Thanks,
>>>           Yaron
>>>
>>>
>>> On 04/29/2015 11:32 PM, Warren Kumari wrote:
>>>>
>>>> Hi y'all.
>>>>
>>>>
>>>> So, this short document discusses another way for Captive Portals to
>>>> inform users that they are behind a CP. Basically, it uses an extended
>>>> ICMP Destination Unreachable message to let the host know that the
>>>> reason it cannot reach a destination is because it is behind a CP and
>>>> also includes a URL to reach the CP.
>>>>
>>>> This idea is mainly David's, I'm largely the editor. We'd really like
>>>> some feedback on this idea and the implementation we've written up.
>>>> Obviously the document would need a bunch more work, but we'd like to
>>>> get some idea if folk think this is worth pursuing.
>>>>
>>>> URL:
>>>>
>>>> https://www.ietf.org/internet-drafts/draft-wkumari-capport-icmp-unreach-00.txt
>>>> Status:
>>>> https://datatracker.ietf.org/doc/draft-wkumari-capport-icmp-unreach/
>>>> Htmlized:
>>>> https://tools.ietf.org/html/draft-wkumari-capport-icmp-unreach-00
>>>>
>>>> It is somewhat similar to the wkumari-dhc-capport document, but solves
>>>> a different issue, in a different way - I think that they are
>>>> complementary documents.
>>>>
>>>>
>>>> Any feedback gratefully accepted.
>>>> W
>>>>
>>>
>>
>>
>>
>> --
>> I don't think the execution is relevant when it was obviously a bad
>> idea in the first place.
>> This is like putting rabid weasels in your pants, and later expressing
>> regret at having chosen those particular rabid weasels and that pair
>> of pants.
>>      ---maf
>>
>> _______________________________________________
>> Captive-portals mailing list
>> Captive-portals@ietf.org
>> https://www.ietf.org/mailman/listinfo/captive-portals
>>

v2.23.0 | Report a Bug | By Email