IETF Logo Mail Archive

Re: [Captive-portals] Discovering captive portal API URL via DNS?

Lorenzo Colitti <lorenzo@google.com> Wed, 04 September 2019 01:08 UTC

Return-Path: <lorenzo@google.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DDFF2120098 for <captive-portals@ietfa.amsl.com>; Tue, 3 Sep 2019 18:08:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.399
X-Spam-Level:
X-Spam-Status: No, score=-17.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, HTTP_ESCAPED_HOST=0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tRL32hShdI5t for <captive-portals@ietfa.amsl.com>; Tue, 3 Sep 2019 18:08:45 -0700 (PDT)
Received: from mail-wr1-x434.google.com (mail-wr1-x434.google.com [IPv6:2a00:1450:4864:20::434]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 12E9912004A for <captive-portals@ietf.org>; Tue, 3 Sep 2019 18:08:45 -0700 (PDT)
Received: by mail-wr1-x434.google.com with SMTP id h7so18018328wrt.13 for <captive-portals@ietf.org>; Tue, 03 Sep 2019 18:08:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=qW0RFU/GjWJM4wMl13hbhHGmHXQdtR6JUzSmdcBU2ek=; b=nycWb3vVNIDuAhH09T6nozU0Yis8Ij+PHR6R/qyMXcvNCbRejGJ+yTjt2VupwEcRRH 6aE856TKh77JAB6MVkqWYeY2FEMcC/LfrPTSOychu8JJflm9/LgvcpUjM/xBWz0TkLKt 29Z995VMYNQ8/BNPM4D51Q9CEIQLDzCXXZIMkSjrJC5J9j8CR0NrZYcVxnYmfI3ibIBn ZVjyygQsEdVzAGVIYiqDmnKMPOyQ/4ulrHB6f+xU4t8Kd+h9q6aVA96lT9zsU8+7/n+5 ZgGiAEngDd9jNS63LpkTikaKCVG61rywVfpj1T82HVOBctQVbv7TSQphe/AiyBf/elSW JmEg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=qW0RFU/GjWJM4wMl13hbhHGmHXQdtR6JUzSmdcBU2ek=; b=hDoi+Sk+bOrb+VRE7VBhUzkBqlqNzZnuRUxZMqKP25bImPaweskrsfn7AzuokwB4Zz jfai18zFmMURIQsScYZvfj/6Jcz09fEdYvUTLsxYYAyIvDriA+sRNtLeyVZxcWHdHIUC WC2ryjcIZQgKy7dl4Qz2jPCZ5vk/BGWBIREEEMCzycI0fWP68neIegZfyieAWLvjgWUr vKqcnG/w7wY1Y7YrXf8R3mVuNxFNQp4oPMqEwCphxSlSPKq6ZVtopwOu9c/CvGXro3xX ok+YOUPmClDVst08Jd2kLqkaB2H+Lf1+s04tNfiyAiTv4XCcQavRMt5GXP3iHaPLQMl5 tBXQ==
X-Gm-Message-State: APjAAAVqolB+XxErw6Tc0tztg5ctLdruhq8yEhihw+WosxjzQStyRvgQ JVjNeF7pFhsNwlmElF6jSXpOIrq1n71JhQEkhBWHOA==
X-Google-Smtp-Source: APXvYqwwW/MEkvyOs93MuKthXqGJQsHOki9vDuPhb2+5sCYJ8eP1tjOIJ5ImIu9PIQMtQs4Rk/jW8UgRmiYC7GQqEP0=
X-Received: by 2002:a05:6000:1189:: with SMTP id g9mr15309276wrx.117.1567559323239; Tue, 03 Sep 2019 18:08:43 -0700 (PDT)
MIME-Version: 1.0
References: <CAKD1Yr1mR57OsOzDtjM=7YCV_R6zFF9WPxqA-XrWsuJWv+VTag@mail.gmail.com> <99C952E5-7D05-4F9E-A280-F422DF39FE1D@hpe.com> <CAAedzxoJpCavhkzM01Fekwv_A-n6VwfcM7Z37WdPdEKk77expQ@mail.gmail.com>
In-Reply-To: <CAAedzxoJpCavhkzM01Fekwv_A-n6VwfcM7Z37WdPdEKk77expQ@mail.gmail.com>
From: Lorenzo Colitti <lorenzo@google.com>
Date: Wed, 04 Sep 2019 10:08:30 +0900
Message-ID: <CAKD1Yr09m-EVBhED6AMgDiTxwOr=n2wwc9Mnquf+5E6ce7DvTA@mail.gmail.com>
To: Erik Kline <ek@loon.com>
Cc: "Cappalli, Tim (Aruba Security)" <timc@hpe.com>, "captive-portals@ietf.org" <captive-portals@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a0cc8b0591afd842"
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/Gk7KjGX7YOrzcQj0vNrfMO2QITc>
Subject: Re: [Captive-portals] Discovering captive portal API URL via DNS?
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Sep 2019 01:08:48 -0000

If we have a way to discover the portal via DNS, then maybe we don't need
<link rel> at all? The problem with <link rel> is that it cannot be used
once the portal is open, so if the device logs in, and then disconnects and
reconnects, it doesn't work.

On Wed, Sep 4, 2019 at 10:05 AM Erik Kline <ek@loon.com> wrote:

> Chair hat off, co-author hat on.
>
> We can certain craft some text to round out
> https://tools.ietf.org/html/draft-ietf-capport-rfc7710bis-00#section-4
> when the time comes..  Certainly DHCP/RA would retain highest precedence.
>
> RFC 7553 URI records would obviate the inevitable discussion about the
> merits of .well-known (I know nothing about .well-known/ except that it
> tends to bring up some (.)well-known responses).
>
> Where would you slot DNS results relative to link relation in an HTTP
> intercept/redirect?
>
> On Tue, 3 Sep 2019 at 17:32, Cappalli, Tim (Aruba Security) <timc@hpe.com>
> wrote:
>
>> I like that idea, combined with well known. Ex:
>> https://<targetofcname>/.well-known/capport-api/xyz
>>
>>
>>
>> Ideally there would be some standardized precedence order as there are
>> different cases for each of these. An example would be a common DNS a
>> service that doesn’t have views-like functionality so the ability to return
>> a different value based on the source IP/subnet may not be possible. In
>> this case, the operator may have control of DHCP and could use 7710.
>>
>>
>>
>> Tim
>>
>>
>>
>>
>>
>> *Tim Cappalli* *|* Identity & Policy Architect *|* Aruba Security
>> <https://www.arubanetworks.com/products/security/> *|* @timcappalli
>> <https://twitter.com/timcappalli>
>>
>>
>>
>> *From: *Captive-portals <captive-portals-bounces@ietf.org> on behalf of
>> Lorenzo Colitti <lorenzo=40google.com@dmarc.ietf.org>
>> *Date: *Tuesday, September 3, 2019 at 4:45 PM
>> *To: *"captive-portals@ietf.org" <captive-portals@ietf.org>
>> *Subject: *[Captive-portals] Discovering captive portal API URL via DNS?
>>
>>
>>
>> All,
>>
>>
>>
>> During discussions with captive portal operators about implementing the
>> capport API, one of the stumbling blocks that keeps coming up is that the
>> captive portal operator does not always control the DHCP configuration and
>> thus cannot easily use RFC7710.
>>
>>
>>
>> The WG has previously rejected the option of using a well-known DNS name
>> to discover the URL, because the API itself requires TLS, and without a
>> hostname it is not possible (or at least not easy) to validate the server.
>> However, what if the client did a CNAME query for capport.arpa (or
>> equivalent other local-only, non-DNSSEC-signed name), got back a CNAME for
>> the real server, and then assumed that the API server was
>> https://<targetofcname>/capport-api ?
>>
>>
>>
>> Alternatively, Erik and Warren suggest RFC 7553. In this scheme the
>> client would do a URI lookup for "capport.arpa" or equivalent, and would
>> take the result of that URL as the API endpoint.
>>
>>
>>
>> Thoughts?
>>
>>
>>
>> Regards,
>>
>> Lorenzo
>> _______________________________________________
>> Captive-portals mailing list
>> Captive-portals@ietf.org
>> https://www.ietf.org/mailman/listinfo/captive-portals
>>
>

v2.23.0 | Report a Bug | By Email