IETF Logo Mail Archive

Re: [Captive-portals] Benjamin Kaduk's Discuss on draft-ietf-capport-architecture-08: (with DISCUSS and COMMENT)

Kyle Larose <kyle@agilicus.com> Fri, 12 June 2020 12:20 UTC

Return-Path: <kyle@agilicus.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BBD1F3A0F97 for <captive-portals@ietfa.amsl.com>; Fri, 12 Jun 2020 05:20:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=agilicus.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O-EURteXjVq4 for <captive-portals@ietfa.amsl.com>; Fri, 12 Jun 2020 05:20:02 -0700 (PDT)
Received: from mail-il1-x12f.google.com (mail-il1-x12f.google.com [IPv6:2607:f8b0:4864:20::12f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4564B3A0F93 for <captive-portals@ietf.org>; Fri, 12 Jun 2020 05:20:02 -0700 (PDT)
Received: by mail-il1-x12f.google.com with SMTP id e11so8563975ilr.4 for <captive-portals@ietf.org>; Fri, 12 Jun 2020 05:20:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=agilicus.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=rnJ/lrQFOmIC7JxH4/gbNuvL1f0Kk6clemDU1N4u4vY=; b=B8diGdkc4zVjf2cGVwmz7dKvMU3GydlZadWugS832TP7ZuFG0cyxIHMe+ttPjJedtN Nm7qOjgKOipK3ajJ/VfuUPxp3OWxKrBv0Amrj+rPN1pTLv9/7xLnxpk5z0uYJU0V8hap xyULxuWaWIEdJ66gTbEC0zKT2fqYZ0SqLMqYppslGWmXRo4HRTOC7dbzvW10gUEgURsz 6HwKX5fDo4w05c2feun3irPIdfDQcyUA90V/tCbE6F3qo/9yl0x3xvycuc69rGruM1TP Lqn2JWi70x/i+Yv1eVa7hhKpohisJBo9n7TD+hCRaK/MmHroakpNdfFtP5C4hGE8fWVo laiA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=rnJ/lrQFOmIC7JxH4/gbNuvL1f0Kk6clemDU1N4u4vY=; b=eIUapJuUJlcYer6BWlquxK1knNGsdfySAVzFXYLyQSt9U8MK1igFn6mmS7Q4fCnF6D iJ5abpALPUDShee80wSHVD2stDdRz9M+GJFFrdjKHDCYf7+V2OK4Tk11q1lNE43L7K6t TBcEzX/7njswgQc92kOLwAiHoStQU5Zpje6Yt1cM7n0NfmMYKTXrubawnRIvoo46hWC9 dQgsCFpDn7eHdEQReO7Sjj6tuAsQU3xja8xBuAcv16Pky242U9upYesflF0g8SsD0Ev6 XVZJ/uYdjyj+Qi/qdiOOfaD1aNK7bWxDB0UKcpiUdZTkHarIFh/AKg0Cy2LGtMVaxrCV hqjA==
X-Gm-Message-State: AOAM532lbD2B/PQyqQI6NxnX2/xeVIUzjRx3uuCl4pFf8Xzh0GkMe+zw q7Osht6qIDQeLNF3TnAA8KMenCebyMnUw7tgl69g
X-Google-Smtp-Source: ABdhPJwi9IDxpiMcf99a6s6NRCUe3+08UxYccXrLcllOUewkxSZZrPio1nXMYWBkRuJ82xdQV99qzJib74b8Jo7+HnE=
X-Received: by 2002:a92:d112:: with SMTP id a18mr12462404ilb.3.1591964401362; Fri, 12 Jun 2020 05:20:01 -0700 (PDT)
MIME-Version: 1.0
References: <159168063615.8302.17239207964322081612@ietfa.amsl.com> <26066.1591720017@localhost>
In-Reply-To: <26066.1591720017@localhost>
From: Kyle Larose <kyle@agilicus.com>
Date: Fri, 12 Jun 2020 08:19:50 -0400
Message-ID: <CACuvLgz0hrMKqKSAkBU7gG61ZxdVnefX0qgLjyWKQtiPTdOjdw@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: Benjamin Kaduk <kaduk@mit.edu>, The IESG <iesg@ietf.org>, captive-portals <captive-portals@ietf.org>, capport-chairs@ietf.org, draft-ietf-capport-architecture@ietf.org, Martin Thomson <mt@lowentropy.net>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/BquFosg2m3Zk7g6NdaEZ-Ygaj4c>
Subject: Re: [Captive-portals] Benjamin Kaduk's Discuss on draft-ietf-capport-architecture-08: (with DISCUSS and COMMENT)
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Jun 2020 12:20:04 -0000

Responses inline

On Tue, 9 Jun 2020 at 12:27, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
>
> Benjamin Kaduk via Datatracker <noreply@ietf.org> wrote:
>     > (3) Probably a "discuss discuss", but ... in Section 1 we have:
>
>     >    * Solutions SHOULD NOT require the forging of responses from DNS or
>     > HTTP servers, or any other protocol.  In particular, solutions SHOULD
>     > NOT require man-in-the-middle proxy of TLS traffic.
>
>     > I'd like to understand the motivation for this one a little better.
>     > Naively, it seems like we could get away with "MUST NOT require" while
>     > still allowing it to be done.  Am I missing something obvious?
>
> Speaking as a contributor,
> a) I hate "SHOULD NOT", and "MUST NOT", because I find it confusing
>    to non-native english speakers, and so I'd rather write in the form
>    of positive statements.
>       Solutions MUST permit clients to perform DNSSEC validation,
>       which rules out solutions that forge DNS responses.
>
>       Solutions SHOULD permit clients to detect and avoid TLS
>       man-in-the-middle attacks without requiring a human to
>       perform any kind of "exception" processing.
>

I think I prefer turning this around like you've suggested. It
achieves the same goal,
but with, as you've said, less confusing language. We lose the
constraint on not
forging responses from other protocols, but I think that's covered by requiring
TLS for other interactions, and the next point about TLS MITM. Thanks for
the suggestion!

How do the other participants feel about this phrasing?


> b) I think that we have "SHOULD NOT" for TLS, because there are many
>    Windows-Group-Policy situations which have been deployed where the
>    MITM is official and is authenticated, but this fails for BYOD.
>    While most of the captive portals we are aware of are at airports, etc.
>    they are also used for corporate guest networks, and when writing
>    an RFP for such a thing, we need this document to describe something
>    sensible.
>

Yes, this was the motivation.

>
>     > ----------------------------------------------------------------------
>     > COMMENT:
>     > ----------------------------------------------------------------------
>
>     > I'd like to see some more discussion of which signals are authenticated
>     > and how, and what kind of authorization checks are possible.  In
>     > well-run networks DHCP and RA signals should be relatively trustworthy,
>     > but clients don't always have a good indicator for whether a given
>     > network falls into that category.  Are there (other) mechanisms that
>     > can be used to give trust in the authenticity of a given Captive Portal
>     > API URI and that that API is authorthorized to provide unconstrained
>     > access for the network in question?
>
> Yes, there are mechanisms, but they are very specific to the client operating
> systems involved, and they are not standardized.  Most index upon the ESSID
> identity to catagorize the network into "Home" / "Work" / "Public", to use
> the Windows terminology.
> I think that the WG decided that this was a rathole we did not need to go
> into, particularly for a PS.
>
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
>  -= IPv6 IoT consulting =-
>
>
>

Thanks,

Kyle

v2.23.0 | Report a Bug | By Email