Re: [Captive-portals] Discovering captive portal API URL via DNS?
Michael Richardson <mcr+ietf@sandelman.ca> Wed, 04 September 2019 17:39 UTC
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>
cc: Lorenzo Colitti <lorenzo=40google.com@dmarc.ietf.org>, captive-portals@ietf.org
In-reply-to: <D49021C8-A3E5-4351-84CC-812AA20B0899@apple.com>
References: <CAKD1Yr1mR57OsOzDtjM=7YCV_R6zFF9WPxqA-XrWsuJWv+VTag@mail.gmail.com> <D49021C8-A3E5-4351-84CC-812AA20B0899@apple.com>
Comments: In-reply-to Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org> message dated "Wed, 04 Sep 2019 09:00:27 -0700."
Date: Wed, 04 Sep 2019 20:39:56 +0300
Message-ID: <5962.1567618796@dooku.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/P8AaSyWLxUnxSk8XkYt1pDfz4og>
Subject: Re: [Captive-portals] Discovering captive portal API URL via DNS?
Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org> wrote:
    > I wanted to clarify the issue a bit before diving into the
    > mitigations. Do these captive portal operators have *no* relationship
    > to the DHCP configuration? Presumably, the captive portal enforcement

I think that the issue is that the relationship is adversarial: different silos.

The example that was given previously was that DHCP belonged to the "desktop" group, while DNS belongs to the "network" group in some enterprise. The DHCP all backends (via relays) to some DHCP servers, while the DNS is operated by the "Internet" group.

That probably means that capport.arpa (and ipv4.arpa) will get populated, and all of the non-captive desktops will see that. I think that this is okay.

    > Since the mitigation below is specific to modifying the DNS, I assume
    > that we are talking about captive portal solutions that work, in part,
    > by intercepting DNS.

I don't think that is necessarily the case. The Internet group probably controls the routers, just not the DHCP.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [