IETF Logo Mail Archive

Re: [Captive-portals] Questions about PvD/API

David Bird <dbird@google.com> Thu, 24 August 2017 15:55 UTC

Return-Path: <dbird@google.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D97A13294B for <captive-portals@ietfa.amsl.com>; Thu, 24 Aug 2017 08:55:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gw2HPAb-MKt0 for <captive-portals@ietfa.amsl.com>; Thu, 24 Aug 2017 08:55:17 -0700 (PDT)
Received: from mail-qk0-x22a.google.com (mail-qk0-x22a.google.com [IPv6:2607:f8b0:400d:c09::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 10C9913239A for <captive-portals@ietf.org>; Thu, 24 Aug 2017 08:55:17 -0700 (PDT)
Received: by mail-qk0-x22a.google.com with SMTP id y77so5274848qka.4 for <captive-portals@ietf.org>; Thu, 24 Aug 2017 08:55:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=/ZBODKIW/G0aqi82VkbB4xsYgJGMxoEXQc4AYJ082LQ=; b=ACfG7e1Q9Lj59eUR2pX+mYmN58D5WVu5Cfh9v6FM1qjc9hbu6p7XCoUZOwa308OCPq WsLOqhqKh00D1uQ2OnWAoElOCbPZ/Y++vzFHypszAVR5vjz2w/RkR5PsYRUefmYhbQd3 8GJpgjQ5/HC0RrvvXxh1o3XeSpiGkt4BthYc2ihtU9GI0yXXzsDOByv/GIuv50bi5kxF w31HO5E2QLbSHuXXe8LI0SVtfI/cHZFC/afiMpTp1UcvaneEzSKTc7jBt6Ecwik++A1O OmGPm7ke5rnKUChOXNx0XOODUdLGohaLO/2HFpmvwt8jUNx60gJIp3uBjALkmwMpRP4g 1o0A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=/ZBODKIW/G0aqi82VkbB4xsYgJGMxoEXQc4AYJ082LQ=; b=Hmwwqu8cg+TuGjN2NoJEsDk93MLx+Qc35HCFqX2JMrko3OPIdtCqUPlS9ALMeGRTAV 87V7me3cvqYUUJ45nUBAK/f8LGilfng0W6aJntgPDD46jobfBMyv4uH3fZs33IM+42AQ dSTVyGWhez+jVeqNIZxvtnxj7uSvgrqMjgBs6o+IqQpUMn6i6DgcbgmzvfI1s+h1x+SW 88ODTGAlPG1vIqHfHcOwuV17t5JGpUGcc7XFrcda36CsRD3EPNdWjsHRqjV65pKWbeAn f/TMJL6XmTWJbxNpx2W28bTzUWpCP8nDh0tkkDkgvii3Ynux91QG7NdWBBWvDwLbv5zn 6H3A==
X-Gm-Message-State: AHYfb5gSFcIYXEzMIsYramZjjez/asruXukfaxW+7jsyi3l3h3lnHEIc JxS88Yf1lbmFL2urg4jdnvioIw4UEQ8K
X-Google-Smtp-Source: ADKCNb7pCLulQsXX1yCE99S114HkC45Ji4yaZfvbuOIx3EPuGGji3lc82tY555lgM96IvISuSp7jW5Etgt4uBovj7ys=
X-Received: by 10.55.207.21 with SMTP id e21mr8736957qkj.106.1503590115888; Thu, 24 Aug 2017 08:55:15 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.12.132.102 with HTTP; Thu, 24 Aug 2017 08:55:14 -0700 (PDT)
In-Reply-To: <CAKD1Yr0_ksXDy6Ckc6RuFjYf+t4fiA4dJfAToZjfgrqed4h4QA@mail.gmail.com>
References: <CADo9JyU+XGYFWdNeXOBw1O43Pjyn0jZhGxDTb7VbLF+Jg4Xj4w@mail.gmail.com> <CAAedzxq4UhueFW=U-Tuc1gvG8Tapc7VE7BM2Akt9OXuzN3jLyQ@mail.gmail.com> <CADo9JyW0J7xzaosG5PJOFPHMy2g6vZ1cVpW6_YsuOdaKWqumkQ@mail.gmail.com> <A5B74413-32D8-4FE4-BDF7-DAA95266AAF4@apple.com> <CADo9JyUJTPRT9454VdZEM1nwFfxPSrMX3+Uk9i325uboQUya7g@mail.gmail.com> <7B520EA6-7B55-46B1-B084-F1CADF7DE28B@apple.com> <CADo9JyVSW5==nQOUMUUYWj743LmZCUjE9=W-YXnK-KMS-88AoQ@mail.gmail.com> <CABkgnnV1OT_29fdNbCDDJMgeRDNeOM8u2PYA94opo+ujj2=Avw@mail.gmail.com> <CADo9JyUdBZbBmwE0B21ryFuefQEaTiWLHD-w8AZSyWACH9u2dg@mail.gmail.com> <CABkgnnWbhHOmZRsvpEb0XusRtUJUPp7vpdM7V_4nLnC_B-mfKQ@mail.gmail.com> <CADo9JyUP_FWznzDWDO1s9-8B8-hMAUkFAMaa68uUZ1xR8CKHyw@mail.gmail.com> <CAKD1Yr0OrthUda3+ic3g83vWEpBATpcF4Z=4ENNg+ZuyySDMdg@mail.gmail.com> <CADo9JyW=wYh5y87KZrfs56fFze_VkdvUt-hF_SNeokPONxDuGA@mail.gmail.com> <CAKD1Yr2GpTX9NPTNJVbGjF+PxuNNyhgaRNjr0qMW90rVHeM_+g@mail.gmail.com> <98352984-4E92-42EC-97FE-B652C0FC41AF@apple.com> <CADo9JyVzW3TxFCHv=1N=Qsm2Th7gw7Yby8mdG2hOVWQQ_9YGpw@mail.gmail.com> <CAKD1Yr0_ksXDy6Ckc6RuFjYf+t4fiA4dJfAToZjfgrqed4h4QA@mail.gmail.com>
From: David Bird <dbird@google.com>
Date: Thu, 24 Aug 2017 08:55:14 -0700
Message-ID: <CADo9JyXydQSF3Gb2a=4iphzL-mmu_pVKNnn=2dF8d+7HtrGY2g@mail.gmail.com>
To: Lorenzo Colitti <lorenzo@google.com>
Cc: Tommy Pauly <tpauly@apple.com>, Erik Kline <ek@google.com>, "Eric Vyncke (evyncke)" <evyncke@cisco.com>, captive-portals@ietf.org, Martin Thomson <martin.thomson@gmail.com>
Content-Type: multipart/alternative; boundary="001a11459986bf80ce055781dab8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/EyTjitmuUI6ni-zeO73JI17cVwE>
Subject: Re: [Captive-portals] Questions about PvD/API
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Aug 2017 15:55:19 -0000

Indeed, one could just as easily misconfigure the "Captive Portal URL: "
field in the NAS. A key difference is that this configuration is enforced
the same way (with slight variation for capport) for all devices... It is
not just a misconfiguration only visible to "First Vendor to Release PvD
Client" products.

I'm trying to figure out the value the attacker is gaining (e.g. the
motivation) for putting others off the network using Capport ICMP. If they
are off-network, chances are their attacks will not work because of
firewalls. If they are on-network, particularly if this is Open SSID public
access network, I'd say they are wasting their time... Sending 802.11
Disassoc would be easier.

On Thu, Aug 24, 2017 at 8:33 AM, Lorenzo Colitti <lorenzo@google.com> wrote:

> It seems to me that any solution involving coordination between two
> protocols is little different, in terms of your criticism that it will lead
> to "a higher rate of misconfiguration", from the PVD solution. (Personally
> I don't think that's a valid argument - saying that if you misconfigure the
> network it won't work well is pretty much a tautology - but you were the
> one that cited that argument in support of the ICMP solution.)
>
> As for several flows, I don't see what would stop an attacker from trying
> to spoof several flows.
>
> On Fri, Aug 25, 2017 at 12:21 AM, David Bird <dbird@google.com> wrote:
>
>> You are both describing decisions the UE makes... perhaps the UE waits
>> for several flows (with same session-id) to indicate capport warning/errors
>> before acting on it... especially when already connected. There were also
>> proposals to link the ICMP messages to the DHCP message somehow so that
>> ICMP is 'authenticated' against the original DHCP. Theses are solvable
>> concerns, not road blocks.
>>
>>
>>
>> On Thu, Aug 24, 2017 at 8:14 AM, Tommy Pauly <tpauly@apple.com> wrote:
>>
>>> Right, I think the difference between an unreachable destination, and a
>>> captive portal or walled garden, is that we expect the captive portal style
>>> interaction to be an Operating System-level action, and one that will have
>>> consequences on everything the device does while associated to a given
>>> network. You can certain use spoofed ICMP to disrupt connections, but (a)
>>> the user would notice and (b) you're not causing the Operating System to
>>> change behavior. When the OS thinks it is on a captive network or not, it
>>> will change what network it considers primary/usable, which may potentially
>>> be invisible to the user other than an icon change. I would be able to go
>>> onto a captive network, start sending out ICMP messages, and potentially
>>> bump other people's connection off the network.
>>>
>>> Having the UE fetch some resource in order to determine captive state,
>>> especially if that resource can be somehow signed, makes it much harder for
>>> an attacker to cause the OS to take silent behavior.
>>>
>>> Tommy
>>>
>>> On Aug 24, 2017, at 7:40 AM, Lorenzo Colitti <lorenzo@google.com> wrote:
>>>
>>> A forged destination unreachable can't cause someone else's device to
>>> think that wifi is a portal and switch to possibly expensive cellular data.
>>>
>>> On Thu, Aug 24, 2017 at 11:29 PM, David Bird <dbird@google.com> wrote:
>>>
>>>> Just like the rampant problem we see in ICMP Dest-Unreachable forgery
>>>> attacks?
>>>>
>>>> On Thu, Aug 24, 2017 at 7:01 AM, Lorenzo Colitti <lorenzo@google.com>
>>>> wrote:
>>>>
>>>>> On Thu, Aug 24, 2017 at 10:40 PM, David Bird <dbird@google.com> wrote:
>>>>>
>>>>>> Can you give an example of how ICMP could be misconfigured?
>>>>>>
>>>>>
>>>>> It doesn't matter how hard it is to misconfigure, because it is
>>>>> trivial to forge.
>>>>>
>>>>
>>>>
>>> _______________________________________________
>>> Captive-portals mailing list
>>> Captive-portals@ietf.org
>>> https://www.ietf.org/mailman/listinfo/captive-portals
>>>
>>>
>>>
>>
>

v2.23.0 | Report a Bug | By Email