Re: [Captive-portals] Benjamin Kaduk's Discuss on draft-ietf-capport-rfc7710bis-07: (with DISCUSS and COMMENT)

Warren Kumari <warren@kumari.net> Wed, 01 July 2020 18:14 UTC

Return-Path: <warren@kumari.net>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5DCF23A0952 for <captive-portals@ietfa.amsl.com>; Wed, 1 Jul 2020 11:14:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r-p8l1QKUTJG for <captive-portals@ietfa.amsl.com>; Wed, 1 Jul 2020 11:14:16 -0700 (PDT)
Received: from mail-lj1-x229.google.com (mail-lj1-x229.google.com [IPv6:2a00:1450:4864:20::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E661F3A0953 for <captive-portals@ietf.org>; Wed, 1 Jul 2020 11:14:15 -0700 (PDT)
Received: by mail-lj1-x229.google.com with SMTP id 9so28318769ljv.5 for <captive-portals@ietf.org>; Wed, 01 Jul 2020 11:14:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=y1TXDxaQNL8guOmTTbP4y1DHVgwQcZgon6/3U4ac0YY=; b=LT68NVF0WHfb+UTsJAxKMxwXG/54wg/LYGDbsBeDz+FvtuD+nWv4DPj83wu2pkP70F OvkIfQM03UtG257hI2npQW5aOFNKjJ+eE4s1eNefK81bpop6txrQ2F465Hg+ULBxNkd6 pMDio7Qefvc2WsNBBvnNX8ntwoFuexvd4b0hlAUGsCK0YlIhLq/yrDoCQCa7GHrk9lcI ZHrcgBNbzIEIpDm5CWF/bhdj0Rww3lcTwcWtEcOCZnXTDGhlFXg05nv88oE9/lHHfihZ 0pEtRgLujhFEl470WtS/u/WENXmrbAm/uzIKa4uZmCB5K1ePkTmv+WEpyeMr9/7kIO94 2myg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=y1TXDxaQNL8guOmTTbP4y1DHVgwQcZgon6/3U4ac0YY=; b=MsK0M/iSTfMqdG8bm1BFeZVhSe2szXh3OLMQXREjFB5mAVxaT0bcC+twaEadf3HEWq K8covGRHOdDIrjQcy4iNt1q3H0PTfKH2yB898Cp1HaT+PmCDl/mlsEcL3IcqmW8ahBJh 9pw+pcZN/2NRxHzS5yZZgbomZ7qFdrSt41Wk6ExNqPj7iQKmPOreLuAQZnfWmbDXtMlT IKDSCJeAB99qP6eAApLO3GSxCiSWplHhgVwiGrslAucKqRPnAQQ9aFMlSjt4I2j5SVrL 8MnpWVVkbQjTuzlygbjLUSmpb/yyrxwfGnNISHwwIwWDibZQKbVH+CzuzfTnTh/hybdA 01jg==
X-Gm-Message-State: AOAM532EoG3xmUmqt9vj/mkaP0X/XkDFhgJvQIVu+TMoZCGqG6q/QTnx ObCRkiZant40/lFn5qrUCI/Kl3OE5aeEmlnTQnyhsw==
X-Google-Smtp-Source: ABdhPJwiBKH1FhSO8YvTkabYto2W3Lk3DFlMCJnrueNDXcYse88Y4EWVblg7bAqI5PjPZmS4fUNg0ddbWTS26WV16Ck=
X-Received: by 2002:a2e:9696:: with SMTP id q22mr4293091lji.11.1593627252896; Wed, 01 Jul 2020 11:14:12 -0700 (PDT)
MIME-Version: 1.0
References: <159174996055.13317.16933447481232601779@ietfa.amsl.com> <CAHw9_iLVYXEu1zfo0+AYc=u8KAZzGVqeuez4cTfEO=PhGE+WcQ@mail.gmail.com> <20200630205011.GV58278@kduck.mit.edu>
In-Reply-To: <20200630205011.GV58278@kduck.mit.edu>
From: Warren Kumari <warren@kumari.net>
Date: Wed, 1 Jul 2020 14:13:36 -0400
Message-ID: <CAHw9_iJgaTYxQXFXRdKoWAvRKqaeKUqrRE8e-pjMe8x0oEXWsA@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: The IESG <iesg@ietf.org>, draft-ietf-capport-rfc7710bis@ietf.org, capport-chairs@ietf.org, captive-portals <captive-portals@ietf.org>, Martin Thomson <mt@lowentropy.net>
Content-Type: multipart/alternative; boundary="00000000000050487605a96542e9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/MUVUPlm9LSmn1BXZQtMK6k_LjmY>
Subject: Re: [Captive-portals] Benjamin Kaduk's Discuss on draft-ietf-capport-rfc7710bis-07: (with DISCUSS and COMMENT)
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Jul 2020 18:14:21 -0000

On Tue, Jun 30, 2020 at 4:50 PM Benjamin Kaduk <kaduk@mit.edu> wrote:

> Hi Warren and Erik,
>
> On Tue, Jun 23, 2020 at 07:25:24PM -0400, Warren Kumari wrote:
> > On Tue, Jun 9, 2020 at 8:46 PM Benjamin Kaduk via Datatracker
> > <noreply@ietf.org> wrote:
> > >
> > > Benjamin Kaduk has entered the following ballot position for
> > > draft-ietf-capport-rfc7710bis-07: Discuss
> > >
> > > When responding, please keep the subject line intact and reply to all
> > > email addresses included in the To and CC lines. (Feel free to cut this
> > > introductory paragraph, however.)
> > >
> > >
> > > Please refer to
> https://www.ietf.org/iesg/statement/discuss-criteria.html
> > > for more information about IESG DISCUSS and COMMENT positions.
> > >
> > >
> > > The document, along with other ballot positions, can be found here:
> > > https://datatracker.ietf.org/doc/draft-ietf-capport-rfc7710bis/
> > >
> > >
> > >
> > > ----------------------------------------------------------------------
> > > DISCUSS:
> > > ----------------------------------------------------------------------
> > >
> > > There seems to be an internal inconsistency about whether, when the API
> > > URL is available in a given network via multiple mechanisms, the URLs
> > > provided by the different mechanisms must be "identical" (Section 3) or
> > > merely "equivalent" (Section 2).  I think we need to be consistent in
> > > the requirement, as it is possible for URLs to be equivalent but not
> > > identical just by virtue of mundane encoding tricks, even without
> > > getting to the question of semantic equivalence of pointed-to
> resources.
> >
> > Thank you - we have addressed this in the most recent commit by using
> > "identical" and adding some words.
> > Please confirm that these meet with your approval.
>
> Yes, this looks good, and I've cleared my Discuss in the datatracker (but
> had it not send mail, since I'm sending this one).
>

Ta, thanks.



>
> > >
> > >
> > > ----------------------------------------------------------------------
> > > COMMENT:
> > > ----------------------------------------------------------------------
> > >
> > > There is perhaps something to be said about how us moving from DHCP
> code
> > > point 160 to 114 is in effect making a mockery of the registration
> > > policy of IETF Review, when it is in practice First Come First Served
> as
> > > the squatter wins.  I think we should consider making a stronger
> > > statement about squatting being bad (though if I understand correctly
> > > for this case, the registration policy in this range has changed since
> > > the creation of the registry, so maybe there are extenuating
> > > circumstances).  [N.B. that this is the COMMENT section, not the
> DISCUSS section.]
> > >
> > > I also think we should be more explicit about the potential gap in the
> > > chain of custody for getting the user to the captive portal server to
> > > fulfil the Captive Portal Conditions.  In order for the user to trust
> > > that they're in the right place (even as they may be, e.g., entering
> > > payment information), they rely on the network to only provide
> > > legitimate versions of the signals defined in this document, blocking
> > > sppofed ones.  At present, this seems to involve a component of "blind
> > > faith", and though we do discuss the technical capabilities of the
> > > attacker we don't go into how this affects the "trust chain" from
> > > initial network attachment.  (More discussion in the section-by-section
> > > comments.)
> > >
> > > Abstract
> > >
> > >    In many environments offering short-term or temporary Internet
> access
> > >    (such as coffee shops), it is common to start new connections in a
> > >    captive portal mode.  This highly restricts what the customer can do
> > >    until the customer has authenticated.
> > >
> > > side note: I don't remember seeing "customer" used in the architecture
> or API
> > > document.
> >
> > DONE.
> > Thank you - we have gone with "user" (to address others comments) - I
> > was picturing someone (a customer) buying coffee, and so that is where
> > this usage originally came from.
> >
> > >
> > >    This document describes a DHCPv4 and DHCPv6 option and a Router
> > >    Advertisement (RA) option to inform clients that they are behind
> some
> > >    sort of captive-portal enforcement device, and that they will need
> to
> > >    authenticate to get Internet access.  It is not a full solution to
> > >
> > > In the terminology of the architecture doc, the client will "satisfy
> the
> > > Captive Portal Conditions" (as opposed to "authenticate").  Is there a
> > > reason to use divergent terminology?
> >
> > DONE. Thank you -- using "satisfy the Captive Portal conditions"
> >
> > >
> > >    hosts to interact with such portals.  While this document defines
> how
> > >    the network operator may convey the captive portal API endpoint to
> > >    hosts, the specific methods of authenticating to, and interacting
> > >    with the captive portal are out of scope of this document.
> > >
> > > ["authenticating" again]
> >
> > DONE. Thank you. As above.
> >
> > >
> > > Section 2
> > >
> > >    information faster and more reliably.  Note that, for the
> foreseeable
> > >    future, captive portals will still need to implement interception
> > >    techniques to serve legacy clients, and clients will need to perform
> > >    probing to detect captive portals.
> > >
> > > side note: I'd consider reiterating the "faster and more reliably" here
> > > to incentivize adoption of the new mechanisms even though the legacy
> > > ones are still needed.
> >
> > Thank you -- we were not able to parse this suggestion - unless you
> > were suggesting that the second sentence say that legacy clients don't
> > benefit from this?
> > Please provide text :-P
>
> I was just thinking that if we have a whole sentence about how "you're
> going to have to do the old thing anyway, though", someone might read that
> and say "well, if I have to keep doing the old thing, why should I bother
> with this new thing".  So, appending a "; nonetheless, the mechanism
> provided by this document provides a more reliable and performant way to do
> so, and is therefore the preferred mechanism for captive-portal detection"
> or similar is what I had in mind.
>

Oh, nice. I added that, and sent a PR to EK.



>
> > >
> > >    to reduce the chance of operational problems.  The maximum length of
> > >    the URI that can be carried in IPv4 DHCP is 255 bytes, so URIs
> longer
> > >    than 255 bytes should not be provisioned via IPv6 DHCP nor IPv6 RA
> > >    options.
> > >
> > > I'm not sure whether this text is conveying the intended meaning -- the
> > > current version sounds like it's saying that because IPv4 DHCP is
> > > limited, we need an entirely new mechanism to convey longer URIs,
> > > leaving the reader to guess that this is out of some desire to keep the
> > > existing mechanisms at feature parity.  Is the intent more along the
> > > lines of "URIs longer than 255 bytes should not be used at all, so that
> > > it's easier to present a consistent view across the three different
> > > provisioning mechanisms defined in this document"?
> >
> > DONE. Thank you.
> > We changed this to: "As the maximum length
> >    of the URI that can be carried in IPv4 DHCP is 255 bytes, URIs longer
> >    than this SHOULD NOT be provisioned by any of the IPv6 options
> >    described in this document.  In IPv6-only environments this
> >    restriction can be relaxed."
> >
> > Does that address your concern?
>
> That text looks good, thanks.  Whether or not it matches up with my
> previous understanding of the intent is not super-relevant :)
>
> > >
> > >    In all variants of this option, the URI MUST be that of the captive
> > >    portal API endpoint, conforming to the recommendations for such URIs
> > >    [draft-ietf-capport-api].
> > >
> > > I'm sympathetic to the intdir reviewer's comments about the
> > > "recommendations" from draft-ietf-capport-api not being laid out
> > > particularly clearly.
> >
> > Ah, good point - we took the Intdir reviewers suggestion and dropped
> > the subclause.
> >
> > >
> > >    "user-portal-url" API key.  When performing such content negotiation
> > >    ([RFC7231] Section 3.4), implementors of captive portals need to
> keep
> > >    in mind that such responses might be cached, and therefore SHOULD
> > >    include an appropriate Vary header field ([RFC7231] Section 7.1.4)
> or
> > >    mark them explicitly uncacheable (for example, using Cache-Control:
> > >    no-store [RFC7234] Section 5.2.2.3).
> > >
> > > The API doc says "'private' or a more restrictive value"; do we want to
> > > be diverging from that recommendation?
> >
> > DONE. Thank you, good catch. We plagiarized from the API document :-)
> >
> > >
> > >    The URI SHOULD NOT contain an IP address literal.  Exceptions to
> this
> > >    might include networks with only one operational IP address family
> > >    where DNS is either not available or not fully functional until the
> > >    captive portal has been satisfied.
> > >
> > > If we don't heed the SHOULD then we end up trying to speak TLS with
> only
> > > an IP address for the server identifier, so we want an iPAddress
> > > certificate, which adds complications of its own.  (Perhaps most of the
> > > discussion of these complications should be in the API document, and
> > > I'm pretty amenable to arguments that they are out of scope for
> > > *extended* discussion here.  I'd still like to see a brief mention that
> > > this scenario has some complications.)
> >
> > DONE. Thank you. We largely stole your above text, and added a
> > reference to 3779.
> >
> > >
> > >    Networks with no captive portals MAY explicitly indicate this
> > >    condition by using this option with the IANA-assigned URI for this
> > >    purpose.  Clients observing the URI value
> > >    "urn:ietf:params:capport:unrestricted" MAY forego time-consuming
> > >    forms of captive portal detection.
> > >
> > > It's not entirely clear that the BCP 14 "MAY" is adding much here.
> >
> > DONE. Thank you - it was fairly clear that it doesn't add much, and so
> > we made them "may".
> >
> > >
> > > Section 2.1
> > >
> > >    o  Len: The length (one octet), in octets of the URI.
> > >
> > > nit: comma after "in octets" as well as before.
> >
> > DONE. Thank you.
> >
> > >
> > > Section 2.2
> > >
> > >    The maximum length of the URI that can be carried in IPv4 DHCP is
> 255
> > >    bytes, so URIs longer than 255 bytes should not be provisioned via
> > >    IPv6 DHCP options.
> > >
> > > [similar comment as above]
> > >
> >
> > DONE. Thank you. As above.
> >
> > > Section 2.3
> > >
> > >    URI  The URI for the captive portal API endpoint to which the user
> > >       should connect.  This MUST be padded with NULL (0x00) to make the
> > >
> > > nit: in the context of (ASCII) characters, the octet with all bits zero
> > > is usually written a "NUL", not "NULL".
> > >
> >
> > DONE. Thank you.
> >
> > >    Note that the URI parameter is not guaranteed to be null terminated.
> > >
> > > (ditto)
> > >
> > >    The maximum length of the URI that can be carried in IPv4 DHCP is
> 255
> > >    bytes, so URIs longer than 255 bytes should not be provisioned via
> > >    IPv6 RA options.
> > >
> > > [similar comment as above]
> > >
> > > Section 4
> > >
> > > Shouldn't we also request the reference be updated for the DHCPv6
> option
> > > code and RA option type?
> >
> > DONE. Thank you (Magnus had a discuss on this)
> >
> > >
> > > Section 4.1
> > >
> > > (I assume the question of "capport:unrestricted" vs.
> > > "capport-unrestricted" was discussed already and don't wish to rehash
> it
> > > again.)
> >
> > Thank you, yes, we had a discussion with Barry and Martin on this.
> >
> > >
> > > Section 4.2
> > >
> > > If this document is just de-registering the former capport use of code
> > > 160, what process is going to mark it as used for the polycom thing?
> >
> > We have updated the IANA considerations section to say:
> >
> >    Tag: 160
> >    Name: Unassigned
> >    Data Length:
> >    Meaning: Previously assigned by RFC7710; known to also be used by
> Polycom.
> >    Reference: [THIS-RFC][RFC7710]
> >
> > This seems to be the right way to refer to is, but, as always, we will
> > discuss with IANA.
>
> Sounds good, thanks.
>
> >
> > >
> > > Section 5
> > >
> > > RFC 7227 (BCP 187) "strongly advises" authors of documents defining new
> > > DHCP options to define validation measures for recipients of such
> > > options.  I don't see any such validation measures specified in this
> > > document; why is it okay to diverge from the BCP recommendation?
> >
> > DONE. Thank you.
> > Added:
> > Clients processing these options SHOULD validate that the option's
> > contents conform to the validation requirements for URIs, including
> > RFC3986.
> >
> > >
> > >    By removing or reducing the need for captive portals to perform MITM
> > >    hijacking, this mechanism improves security by making the portal and
> > >    its actions visible, rather than hidden, and reduces the likelihood
> > >    that users will disable useful security safeguards like DNSSEC
> > >    validation, VPNs, etc.  In addition, because the system knows that
> it
> > >
> > > Perhaps we should say why the users would be disabling those mechanisms
> > > in the absence of this mechanism?
> >
> > DONE. Thank you. - "... reduces the likelihood that users will disable
> > useful security safeguards like DNSSEC validation and VPNs, in order
> > to interact with the captive portal."
> >
> > >
> > >    credentials, etc.  By handing out a URI which is protected with TLS,
> > >    the captive portal operator can attempt to reassure the user that
> the
> > >    captive portal is not malicious.
> > >
> > > It's not entirely clear how successful such attempts will be, though,
> as
> > > the trustworthiness of the captive-portal provisioning signal depends
> on
> > > the network operator implementing (e.g.) RA-guard and DHCP sheild to
> > > prevent the client from receiving signals not authorized by the network
> > > operator, and the client does not in general know whether or not that
> is
> > > the case.  (While we do talk about those mechanisms in the following
> > > paragraph, we don't really talk about how the user can('t) know for
> sure
> > > that those mechanisms are in place.)
> > >
> >
> > Agreed, but this is better than the current situation....
> >
> > >    However, as the operating systems and application that make use of
> > >    this information know that they are connecting to a captive-portal
> > >    device (as opposed to intercepted connections) they can render the
> > >
> > > I think we want to clarify in the parenthetical that for the case of
> > > intercepted connections the OS/application may not know that they are
> > > connecting to a captive-portal or hostile device.
> >
> > DONE. Thank you. Added your text into the parenthetical, it now says:
> > " however, as the operating systems and application(s) that make use
> > of this information know that they are connecting to a captive-portal
> > device (as opposed to intercepted connections where the OS/application
> > may not know that they are connecting to a captive portal or hostile
> > device) they can render the page in a sandboxed environment and take
> > other precautions, such as clearly labeling the page as untrusted."
> >
> > >
> > > Appendix B
> > >
> > >    2.  Clarify that the option URI SHOULD be that of the captive portal
> > >        API endpoint.
> > >
> > > I couldn't find where this is done -- I just see descriptive text that
> > > the URI is the URI of the API endpoint.
> >
> > This is in Section 2, paragraph 4:
> > "In all variants of this option, the URI MUST be that of the captive
> > portal API endpoint [draft-ietf-capport-api]." - we had the discussion
> > on this in the WG, and so we are updating Appendix B to say MUST.
> > Great catch!
>
> Ah, got it.
>
> Thanks for the updates!
>

No, no, no, thank you for all of the suggestions and making the document
better...
W



>
> -Ben
>
> >
> > Thank you for all of your comments, I think that we have addressed them
> now.
> >
> > Thanks you,
> >   Warren and Erik
> >
> > >
> > >
> > >
> >
> >
> > --
> > I don't think the execution is relevant when it was obviously a bad
> > idea in the first place.
> > This is like putting rabid weasels in your pants, and later expressing
> > regret at having chosen those particular rabid weasels and that pair
> > of pants.
> >    ---maf
>


-- 
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
   ---maf