IETF Logo Mail Archive

Re: [Captive-portals] Questions about PvD/API

Tommy Pauly <tpauly@apple.com> Thu, 24 August 2017 16:03 UTC

Return-Path: <tpauly@apple.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5119E132335 for <captive-portals@ietfa.amsl.com>; Thu, 24 Aug 2017 09:03:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L7m4g1vPvpdY for <captive-portals@ietfa.amsl.com>; Thu, 24 Aug 2017 09:03:44 -0700 (PDT)
Received: from mail-in2.apple.com (mail-out2.apple.com [17.151.62.25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1E9061320BD for <captive-portals@ietf.org>; Thu, 24 Aug 2017 09:03:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=apple.com; s=mailout2048s; c=relaxed/simple; q=dns/txt; i=@apple.com; t=1503590623; h=From:Sender:Reply-To:Subject:Date:Message-id:To:Cc:MIME-version:Content-type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-reply-to:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=jVafiEctT9PSbSN0eqRN09fAeL91Pm2LXC92Fyoc2lg=; b=PJC5S/PEbR3dSwDSENUYUO2ZUQBw81d5SVSJS5AeDNxUAqCQTACcKfXBv+4Ztu3r DYefUmKjW8nb7WCRyddIyC+5QfMvjPQD7lvOE5DxFeXaiWNBREvPxravz+l0TeFS kWxU6ieGloLRM1p5Swb41wiYE082t7TIGAoqQM0m3pl/66oeVCrNvPM4V2noQx7a m9x8dT+Jqa5VCmHMmJM6bHMaI5X51l2JlTkrr0EwEOX1fviBCmPCjQ5mXycrmB4s ebVzydxkQWby7uHpF0M62YnerMVWImULZpU66IeyvS5dTjNUZedH9X2rcJSiqvrp BCzFc3y5oxfqgtMt89w1aw==;
Received: from relay8.apple.com (relay8.apple.com [17.128.113.102]) (using TLS with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail-in2.apple.com (Apple Secure Mail Relay) with SMTP id E4.DC.28433.FD8FE995; Thu, 24 Aug 2017 09:03:43 -0700 (PDT)
X-AuditID: 11973e11-c4e0f9c000006f11-a8-599ef8dfc839
Received: from nwk-mmpp-sz12.apple.com (nwk-mmpp-sz12.apple.com [17.128.115.204]) by relay8.apple.com (Apple SCV relay) with SMTP id 05.34.06978.FD8FE995; Thu, 24 Aug 2017 09:03:43 -0700 (PDT)
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_Mz7+Xjg8CXbmmfwR8KhWVA)"
Received: from [17.234.50.132] by nwk-mmpp-sz12.apple.com (Oracle Communications Messaging Server 8.0.1.2.20170621 64bit (built Jun 21 2017)) with ESMTPSA id <0OV7002T15Y6EW40@nwk-mmpp-sz12.apple.com>; Thu, 24 Aug 2017 09:03:43 -0700 (PDT)
Sender: tpauly@apple.com
From: Tommy Pauly <tpauly@apple.com>
Message-id: <B05E727C-6F8B-438F-8DC9-1B1528CE73A5@apple.com>
Date: Thu, 24 Aug 2017 09:03:41 -0700
In-reply-to: <CAKD1Yr0_ksXDy6Ckc6RuFjYf+t4fiA4dJfAToZjfgrqed4h4QA@mail.gmail.com>
Cc: David Bird <dbird@google.com>, Erik Kline <ek@google.com>, "Eric Vyncke (evyncke)" <evyncke@cisco.com>, captive-portals@ietf.org, Martin Thomson <martin.thomson@gmail.com>
To: Lorenzo Colitti <lorenzo@google.com>
References: <CADo9JyU+XGYFWdNeXOBw1O43Pjyn0jZhGxDTb7VbLF+Jg4Xj4w@mail.gmail.com> <CAAedzxq4UhueFW=U-Tuc1gvG8Tapc7VE7BM2Akt9OXuzN3jLyQ@mail.gmail.com> <CADo9JyW0J7xzaosG5PJOFPHMy2g6vZ1cVpW6_YsuOdaKWqumkQ@mail.gmail.com> <A5B74413-32D8-4FE4-BDF7-DAA95266AAF4@apple.com> <CADo9JyUJTPRT9454VdZEM1nwFfxPSrMX3+Uk9i325uboQUya7g@mail.gmail.com> <7B520EA6-7B55-46B1-B084-F1CADF7DE28B@apple.com> <CADo9JyVSW5==nQOUMUUYWj743LmZCUjE9=W-YXnK-KMS-88AoQ@mail.gmail.com> <CABkgnnV1OT_29fdNbCDDJMgeRDNeOM8u2PYA94opo+ujj2=Avw@mail.gmail.com> <CADo9JyUdBZbBmwE0B21ryFuefQEaTiWLHD-w8AZSyWACH9u2dg@mail.gmail.com> <CABkgnnWbhHOmZRsvpEb0XusRtUJUPp7vpdM7V_4nLnC_B-mfKQ@mail.gmail.com> <CADo9JyUP_FWznzDWDO1s9-8B8-hMAUkFAMaa68uUZ1xR8CKHyw@mail.gmail.com> <CAKD1Yr0OrthUda3+ic3g83vWEpBATpcF4Z=4ENNg+ZuyySDMdg@mail.gmail.com> <CADo9JyW=wYh5y87KZrfs56fFze_VkdvUt-hF_SNeokPONxDuGA@mail.gmail.com> <CAKD1Yr2GpTX9NPTNJVbGjF+PxuNNyhgaRNjr0qMW90rVHeM_+g@mail.gmail.com> <98352984-4E92-42EC-97FE-B652C0FC41AF@apple.com> <CADo9JyVzW3TxFCHv=1N=Qsm2Th7gw7Yby8mdG2hOVWQQ_9YGpw@mail.gmail.com> <CAKD1Yr0_ksXDy6Ckc6RuFjYf+t4fiA4dJfAToZjfgrqed4h4QA@mail.gmail.com>
X-Mailer: Apple Mail (2.3439)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrHLMWRmVeSWpSXmKPExsUi2FCYpnv/x7xIg1mvLCzmzmpgtfj0Yzuj xefb89gtvuxfwGix/vQ7RotrZ/4xOrB5TPm9kdVj56y77B4LNpV6LFnykymAJYrLJiU1J7Ms tUjfLoEro3PHB8aCXwkVnS9NGhi3B3cxcnJICJhI7Hv3nLmLkYtDSGANk8SPbRfYYBLXfx5i gUgcYpS41PWTGSTBKyAo8WPyPRYQm1kgTGL2x26ooq+MEn0n/gN1c3AIC0hIbN6TCFLDJqAi cfzbBqheG4nLN76ygtjCAmYSe5o+MIGUswioSuz6pwsS5hQIlni8uBVsJLPAZkaJP2ufMoIk RAQ0JB6sO84EsauNU2L3392sIM0SArISS/+EQBy9iV3i9s6qCYxCs5CcOgvJqRC2lsT3R61A NgeQLS9x8LwsRFhT4tm9T+wQtrbEk3cXWBcwsq1iFMpNzMzRzcwz0kssKMhJ1UvOz93ECIqg 6XaCOxiPr7I6xCjAwajEw3vjyrxIIdbEsuLK3EOM0hwsSuK8TLJAIYH0xJLU7NTUgtSi+KLS nNTiQ4xMHJxSDYys058139r27fV1b5O12442e8sZvS+3YV/KY77EiG3JnCuXlyx1nHdN9GHG ueUf21VS0100nxcYTjsp8rP+bFnV1KP3SlbtOZXq1DnrPZvK2jNfJ9fF+rxQvH5jz8Sgd4q7 f21ZvNbw5fag85e+n9lQdnZFqlXH1raUtMvHhI4+qDWbdLNt1gG1RiWW4oxEQy3mouJEAEbw ZzyBAgAA
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrBKsWRmVeSWpSXmKPExsUi2FB8Rvf+j3mRBpsWmVjMndXAavHpx3ZG i8+357FbfNm/gNFi/el3jBbXzvxjdGDzmPJ7I6vHzll32T0WbCr1WLLkJ1MAS5S1TVp+UXli UYpCUXJBia1ScUZiSn55vKWxkalDYkFBTqpecn6ukr6dTUpqTmZZahEyK8E6o3PHB8aCXwkV nS9NGhi3B3cxcnJICJhIXP95iKWLkYtDSOAQo8Slrp/MIAleAUGJH5PvsYDYzAJhErM/dkMV fWWU6Dvxn62LkYNDWEBCYvOeRJAaNgEViePfNkD12khcvvGVFcQWFjCT2NP0gQmknEVAVWLX P12QMKdAsMTjxa1gI5kFNjNK/Fn7lBEkISKgIfFg3XEmiF1tnBK7/+5mBWmWEJCVWPonZAIj /ywk581Cch6ErSXx/VErkM0BZMtLHDwvCxHWlHh27xM7hK0t8eTdBdYFjGyrGAWKUnMSKy30 4KG3iREcVYVpOxibllsdYhTgYFTi4b1xZV6kEGtiWXFlLjCMOJiVRHi3PQAK8aYkVlalFuXH F5XmpBYfYtzPCPTkRGYp0eR8YMznlcQbGlsYW5pYGBiYWJqZEBY2MTEwMTY2MzY2NzGnpbCS OG/fkTmRQgLpiSWp2ampBalFMC8wcXBKNTAmvTtYYZb2IuXHzgq1221rgtkjrydM6pqxY/Wv 3XdNMn28Mouq8o/MmPKycErr2r1s3yaqvpfZ+5D7uYBkQVGOzmEt2/b2GSZ6Da9FdrELxbiz 3FLWvTRbyOim0YpGnbZKE/V4RxUHFwttsd01qVsDOO6b1xyeHqEhx/x4XdLyP4otmhwz7imx ANO2oRZzUXEiAMGqMMpLAwAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/EwXc35ompU6dMSctl447_pxzSA8>
Subject: Re: [Captive-portals] Questions about PvD/API
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Aug 2017 16:03:46 -0000

If the client OS needs to add in heuristics to reach a certain volume of ICMP messages before trusting them, I think the design is flawed. Beyond that, the information we'd like to get isn't just as simple as a boolean value that can be aggregated (like unreachable would be). Among the problems we're trying to solve for CAPPORT is "how much time do I have left", and "when to re-join the portal". Having a source we can query about those properties seems to dramatically simplify the flow and trust model. However we do things, it seems like this information should be pull-able (even if it allows the client to open a connection on which changes are pushed or notified) rather than unsolicited pushes of ICMP by the network.

> On Aug 24, 2017, at 8:33 AM, Lorenzo Colitti <lorenzo@google.com> wrote:
> 
> It seems to me that any solution involving coordination between two protocols is little different, in terms of your criticism that it will lead to "a higher rate of misconfiguration", from the PVD solution. (Personally I don't think that's a valid argument - saying that if you misconfigure the network it won't work well is pretty much a tautology - but you were the one that cited that argument in support of the ICMP solution.)
> 
> As for several flows, I don't see what would stop an attacker from trying to spoof several flows.
> 
> On Fri, Aug 25, 2017 at 12:21 AM, David Bird <dbird@google.com <mailto:dbird@google.com>> wrote:
> You are both describing decisions the UE makes... perhaps the UE waits for several flows (with same session-id) to indicate capport warning/errors before acting on it... especially when already connected. There were also proposals to link the ICMP messages to the DHCP message somehow so that ICMP is 'authenticated' against the original DHCP. Theses are solvable concerns, not road blocks. 
> 
> 
> 
> On Thu, Aug 24, 2017 at 8:14 AM, Tommy Pauly <tpauly@apple.com <mailto:tpauly@apple.com>> wrote:
> Right, I think the difference between an unreachable destination, and a captive portal or walled garden, is that we expect the captive portal style interaction to be an Operating System-level action, and one that will have consequences on everything the device does while associated to a given network. You can certain use spoofed ICMP to disrupt connections, but (a) the user would notice and (b) you're not causing the Operating System to change behavior. When the OS thinks it is on a captive network or not, it will change what network it considers primary/usable, which may potentially be invisible to the user other than an icon change. I would be able to go onto a captive network, start sending out ICMP messages, and potentially bump other people's connection off the network. 
> 
> Having the UE fetch some resource in order to determine captive state, especially if that resource can be somehow signed, makes it much harder for an attacker to cause the OS to take silent behavior.
> 
> Tommy
> 
>> On Aug 24, 2017, at 7:40 AM, Lorenzo Colitti <lorenzo@google.com <mailto:lorenzo@google.com>> wrote:
>> 
>> A forged destination unreachable can't cause someone else's device to think that wifi is a portal and switch to possibly expensive cellular data.
>> 
>> On Thu, Aug 24, 2017 at 11:29 PM, David Bird <dbird@google.com <mailto:dbird@google.com>> wrote:
>> Just like the rampant problem we see in ICMP Dest-Unreachable forgery attacks? 
>> 
>> On Thu, Aug 24, 2017 at 7:01 AM, Lorenzo Colitti <lorenzo@google.com <mailto:lorenzo@google.com>> wrote:
>> On Thu, Aug 24, 2017 at 10:40 PM, David Bird <dbird@google.com <mailto:dbird@google.com>> wrote:
>> Can you give an example of how ICMP could be misconfigured? 
>> 
>> It doesn't matter how hard it is to misconfigure, because it is trivial to forge.
>> 
>> 
>> _______________________________________________
>> Captive-portals mailing list
>> Captive-portals@ietf.org <mailto:Captive-portals@ietf.org>
>> https://www.ietf.org/mailman/listinfo/captive-portals <https://www.ietf.org/mailman/listinfo/captive-portals>
> 
> 
>

v2.23.0 | Report a Bug | By Email