IETF Logo Mail Archive

Re: [Captive-portals] Requirements for "captive portal closed" notifications

David Bird <dbird@google.com> Tue, 20 March 2018 17:41 UTC

Return-Path: <dbird@google.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7BC50126CB6 for <captive-portals@ietfa.amsl.com>; Tue, 20 Mar 2018 10:41:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.71
X-Spam-Level:
X-Spam-Status: No, score=-2.71 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u2wU-G9iwgFb for <captive-portals@ietfa.amsl.com>; Tue, 20 Mar 2018 10:41:11 -0700 (PDT)
Received: from mail-it0-x229.google.com (mail-it0-x229.google.com [IPv6:2607:f8b0:4001:c0b::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 875D2126BF7 for <captive-portals@ietf.org>; Tue, 20 Mar 2018 10:41:11 -0700 (PDT)
Received: by mail-it0-x229.google.com with SMTP id y20-v6so3422478itc.5 for <captive-portals@ietf.org>; Tue, 20 Mar 2018 10:41:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=Zt3RWhLMTRM7x8HZt3psDQaLF0GLjOv4qr4rDfHgnTc=; b=jUASUVMMTgFzxwhMp/DaJ1YOzTdCji3gRt5ioi7VEhFXUTEESYxjmfmp9WFP34ToCu lIaPAJ3+QF54C54OagRMmcayPmcp9+r/RTu4fXTx6cP5kRV87Ys1ixvUmuF6Ysg5fJXi 6MHLOBr9X5NKEtNj8bfZo3U260yn6/1wycGT/JH91IMqC0qp84sjKVPLug0eLc28miKe q/ZKr3cd5wSH3HFqPedT9hGfA4cGCclsZTQlAISQtwCMN3xdXJe33Hk6+mwN7jQVkkZs rF7sXhjWBrHkg7frbHiDhg8rCLAsOskIvNvG0W8I2zqkalklRVJR5l30Hk1KnSWLLtsM FIWg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=Zt3RWhLMTRM7x8HZt3psDQaLF0GLjOv4qr4rDfHgnTc=; b=Wmkcj6a/dqHzPk6wlghCMHwHLdunZZyEmxku2pw7EbzU9GGbdxhkvdKZ2U1FZlDcBw gnv39AlvtAkAlZRxxWTX0APVwSEmytAWOHDDUweCPU6GUh8IRymOzAHvpEBlkvmSMouB LZGEiGqQXneyacYUd5HBWpQISLheQOAenoIkesjp+ItH8zF9b1ZNVU12bWmiunU/EO6h LjFJHfgCKVGOe+pRLXv3wkHFRK9art0fkVgXHkexrZNzYFR7dvgPbMip6yPuadEg7WP0 MVePfeP1kY1IqzihFgL+gwP3plXPdwI8GSPSWVlBbchE7GvS/ZOp8pHBbzuRs3QDpuxo Pcwg==
X-Gm-Message-State: AElRT7EuR6CJdJfyeqIRXsltKfsqmx/3L3noLjihWMsFZBPmv01v21Ts K4ZBqNR+kOAECJh57+RAIEgRUjJqwtYfdCXO6qJaHg==
X-Google-Smtp-Source: AG47ELu4rU+E4uudg9gvBnPlMEQuvm4gjOZRiUnmyIZZ1IF1G/XQ5/fOeVPb0rlfSUsjRNWgbe9L4hsVS+FkOb4C/dU=
X-Received: by 2002:a24:4413:: with SMTP id o19-v6mr532098ita.137.1521567670455; Tue, 20 Mar 2018 10:41:10 -0700 (PDT)
MIME-Version: 1.0
References: <CAKD1Yr3rP24jQ6sMpoXZ3pU02FmvwDNc9=w2oAh4bMWZmEtQ_A@mail.gmail.com> <337A848A-F36A-45AD-9343-E1A14A5CBE1C@darou.fr> <CADo9JyWDsz114MYuaXiNAOu=Xy++vxKfMZzcgBnUzkT-BYBO=g@mail.gmail.com> <ADC61440-BDE3-41CC-8618-55B7A210ADC9@darou.fr>
In-Reply-To: <ADC61440-BDE3-41CC-8618-55B7A210ADC9@darou.fr>
From: David Bird <dbird@google.com>
Date: Tue, 20 Mar 2018 17:40:59 +0000
Message-ID: <CADo9JyXBKh8cQaUbv8TJdA3BRTrAHvg54TmSZ+4iVPXiG308vA@mail.gmail.com>
To: pierre.pfister@darou.fr, captive-portals@ietf.org
Content-Type: multipart/alternative; boundary="000000000000808ae00567db9435"
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/Kp9xVcLFiNf2B7C8k0gm8y0B8-A>
Subject: Re: [Captive-portals] Requirements for "captive portal closed" notifications
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Mar 2018 17:41:14 -0000

Likewise, I'm not saying the API can't play a role either (especially in
verifying / confirming ICMP) ...

My biggest concern with the API providing this kind of notification,
instead of the NAS/network, is that the API can so very easily be wrong or
misinformed - especially when you consider how some hotspots may have
multiple RADIUS servers because of roaming partners and the like. Sure, it
requires "more work" to get the ICMP feature plumbed through a hotspot
architecture (e.g. RADIUS client updates, development required, etc). But,
that is *good* that all that must take place before the feature can be
used... opposed to creating an API with these features and worrying about
the network integration later (with a broken network in the meantime). By
"broken" ... I mean a network that works fine with older devices, just
generating a lot of complaints from UE users with the new Capport enabled
UE devices...




On Tue, Mar 20, 2018 at 10:29 AM Pierre Pfister <pierre.pfister@darou.fr>
wrote:

>
>
> Le 20 mars 2018 à 17:06, David Bird <dbird@google.com> a écrit :
>
>
>
> On Tue, Mar 20, 2018, 9:56 AM Pierre Pfister <pierre.pfister@darou.fr>
> wrote:
>
>> Turning the requirements around I would add that sending ICMP messages
>> based on a session being ‘almost done’ might be challenging from a
>> router/hardware perspective. Routers might have to rate-limit such
>> messages, and sometimes fail to send them.
>>
>
> My feeling is just the opposite.. the NAS knows perfectly when it will or
> will not hold a session captive. If that NAS is being told what to do (e.g.
> it isn't working on it's own counters, but relying on a radius server),
> then the radius CoA could just come early with extra parameters (e.g.
> 'grace period' or even how many and how often to send icmp warnings…)
>
>
> Which would rely on the CoA to tell the NAS to let the client know in an
> unauthenticated way (and if it ever sees traffic, and if it doesn’t get
> rate-limited) that it should maybe contact the API…
> On the other hand we can leverage the direct and secure protocol between
> the API and the client.
>
> I am not saying the ICMP message is useless. It might even be necessary.
> But it should be used as a backup to the API<->client interactions.
>
> - Pierre
>
>
>
>> So I would add that the ICMP message should only be relied upon as a
>> backup mechanism to detect that something is wrong while the API mechanism
>> already failed to detect that the session is almost over.
>> In other words, I think the detection of a session being almost over is
>> first and foremost a problem to be solved by the API mechanism, and as a
>> backup (i.e. in case of inconsistency between the API and the Enforcement
>> point), with the ICMP mechanism.
>>
>> - Pierre
>>
>> Le 20 mars 2018 à 15:29, Lorenzo Colitti <lorenzo@google.com> a écrit :
>>
>> Per discussion at the mike today on what we should do with the ICMP
>> unreachable draft - here are some properties I think are necessary in a
>> hint to the UE that the captive portal is closed.
>>
>> 1. The notification should not be easy to spoof. This is easiest to do by
>> making it a hint to the UE that it should talk to the API.
>>
>>    - An ICMP message by itself is not secure. For example, it's trivial
>>    for an off-path attacker to generate ICMP messages for sessions from
>>    legitimate UEs to <popularwebsite>:443. Getting a UE to trust such a
>>    message only requires getting the ephemeral port right, and many OSes have
>>    a quite limited range of ephemeral ports.
>>    - Tero points out that if we do want to secure such a message, then
>>    we should not roll our own security but should use an existing, secure
>>    protocol such as IPsec.
>>
>>
>> 2. It should be possible to send the notification *before* the captive
>> portal closes, to facilitate seamless connectivity. Ideally the user should
>> be able to re-up the captive portal without having to wait until the
>> network is dead or the device has switched to another network.
>>
>> 3. The notification should not be on a per-destination basis. A hint that
>> conveys the information "you can reach facebook, but to reach CNN you need
>> to upgrade to another service plan" is not technically infeasible but is
>> unlikely ever to reach WG and IETF consensus and therefore I think we
>> should not spend our time talking about it.
>>
>> 4. I'm not sure whether it's possible for the hint to be anything more
>> than a binary "you are or will very soon be captive". Saying things like
>> "an upgrade opportunity is available" may be hard to encode.
>>
>> Cheers,
>> Lorenzo
>> _______________________________________________
>> Captive-portals mailing list
>> Captive-portals@ietf.org
>> https://www.ietf.org/mailman/listinfo/captive-portals
>>
>>
>> _______________________________________________
>> Captive-portals mailing list
>> Captive-portals@ietf.org
>> https://www.ietf.org/mailman/listinfo/captive-portals
>>
>
>

v2.23.0 | Report a Bug | By Email