IETF Logo Mail Archive

Re: [Captive-portals] Questions about PvD/API

Martin Thomson <martin.thomson@gmail.com> Thu, 24 August 2017 23:55 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D08FA13295F for <captive-portals@ietfa.amsl.com>; Thu, 24 Aug 2017 16:55:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BNGGrC1dc_cJ for <captive-portals@ietfa.amsl.com>; Thu, 24 Aug 2017 16:55:42 -0700 (PDT)
Received: from mail-io0-x22b.google.com (mail-io0-x22b.google.com [IPv6:2607:f8b0:4001:c06::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1C07D13293A for <captive-portals@ietf.org>; Thu, 24 Aug 2017 16:55:42 -0700 (PDT)
Received: by mail-io0-x22b.google.com with SMTP id s101so3380433ioe.0 for <captive-portals@ietf.org>; Thu, 24 Aug 2017 16:55:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=lzK+8qU0CPy2h3LT4iJGRpbJGCzx+EvynSbYd0o3rrw=; b=Fri5ObOFAVrToyrVYElE+BBKddxCDpDjMjWipkSeaBbW4Ym15/vLINIro5O9nQdHBh 2eJt+rXHhgA2pY6cJCh4kFjw+OCJvbvjogzjI2Cr3MlYZTxnD6vzpBBY++uQa/lr7d8c A4IfPFzT1PG5tWjI1JiNHBPBhElPhDP+1N75DHnvAIBD3dpqD0D/JfsGiMVro7G+LC1x I/qiKVJFeFAQ79tRTOV75cFUEq+8hV1S6JQyWC6Nia26gvNK24S7BMUEmcnK7J9PDS9o eh5KI0O6nySdWMk4Qy1lYOZVBacmWaIGzhx/IdKKVGWYKn+6/eDprBiuRJENj9DZMXYs wfqg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=lzK+8qU0CPy2h3LT4iJGRpbJGCzx+EvynSbYd0o3rrw=; b=mC+ehWj/2lqlSQJpRrgbd++jeMmB8k7QDpLy62bV7T3nfBCLRARzoaEIxyn0C/R2aD 65D9e2W88N32/wI/Cp7+MQblaKDU6lnLsEcFebzvjknVxERIpVBs20Jg9DwCqMst6Vph ZctdyHJFQMdEC4Z14Bj8JVXcD7iV0lNYpx4fA/wmcZpZr+mBb6E+n3hFw10NgEu3fjNH WBsduXk6w1Xmszzge4g4lUGTPhBfBXm6IXrirtr7RMrJhrSZMlh3xQxgTbrxN4k+yUsu 0Q5DD9xxwIVX5FZqUS5+CXXpUtQN6U+wfkYZvB4kdThtgukVF1uta8SEQiNQvSsyPt+0 7RDw==
X-Gm-Message-State: AHYfb5gtl2TUGaxupX7TTMTc+hQuIrW1OaT8lrRm2R64cHho6DLx2Yb0 8pwkNEbkFsDV7WWLU6tD1tiRu/9vCQ==
X-Received: by 10.107.180.72 with SMTP id d69mr6686549iof.291.1503618941318; Thu, 24 Aug 2017 16:55:41 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.133.37 with HTTP; Thu, 24 Aug 2017 16:55:40 -0700 (PDT)
In-Reply-To: <D2A19ABBC0147C40BFBB83D1CF3E95F04010655B@wtl-exchp-2.sandvine.com>
References: <CADo9JyU+XGYFWdNeXOBw1O43Pjyn0jZhGxDTb7VbLF+Jg4Xj4w@mail.gmail.com> <CAAedzxq4UhueFW=U-Tuc1gvG8Tapc7VE7BM2Akt9OXuzN3jLyQ@mail.gmail.com> <CADo9JyW0J7xzaosG5PJOFPHMy2g6vZ1cVpW6_YsuOdaKWqumkQ@mail.gmail.com> <A5B74413-32D8-4FE4-BDF7-DAA95266AAF4@apple.com> <CADo9JyUJTPRT9454VdZEM1nwFfxPSrMX3+Uk9i325uboQUya7g@mail.gmail.com> <7B520EA6-7B55-46B1-B084-F1CADF7DE28B@apple.com> <CADo9JyVSW5==nQOUMUUYWj743LmZCUjE9=W-YXnK-KMS-88AoQ@mail.gmail.com> <CABkgnnV1OT_29fdNbCDDJMgeRDNeOM8u2PYA94opo+ujj2=Avw@mail.gmail.com> <CADo9JyUdBZbBmwE0B21ryFuefQEaTiWLHD-w8AZSyWACH9u2dg@mail.gmail.com> <CABkgnnWbhHOmZRsvpEb0XusRtUJUPp7vpdM7V_4nLnC_B-mfKQ@mail.gmail.com> <CADo9JyUP_FWznzDWDO1s9-8B8-hMAUkFAMaa68uUZ1xR8CKHyw@mail.gmail.com> <CAKD1Yr0OrthUda3+ic3g83vWEpBATpcF4Z=4ENNg+ZuyySDMdg@mail.gmail.com> <CADo9JyW=wYh5y87KZrfs56fFze_VkdvUt-hF_SNeokPONxDuGA@mail.gmail.com> <CAKD1Yr2GpTX9NPTNJVbGjF+PxuNNyhgaRNjr0qMW90rVHeM_+g@mail.gmail.com> <98352984-4E92-42EC-97FE-B652C0FC41AF@apple.com> <CADo9JyVzW3TxFCHv=1N=Qsm2Th7gw7Yby8mdG2hOVWQQ_9YGpw@mail.gmail.com> <CAKD1Yr0_ksXDy6Ckc6RuFjYf+t4fiA4dJfAToZjfgrqed4h4QA@mail.gmail.com> <B05E727C-6F8B-438F-8DC9-1B1528CE73A5@apple.com> <D2A19ABBC0147C40BFBB83D1CF3E95F04010655B@wtl-exchp-2.sandvine.com>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Fri, 25 Aug 2017 09:55:40 +1000
Message-ID: <CABkgnnXdMDd2BF0r0ekmwxFECSiLPxPruc46BpVTNDCFz8+Tvg@mail.gmail.com>
To: Vincent van Dam <VvanDam@sandvine.com>
Cc: Tommy Pauly <tpauly@apple.com>, Lorenzo Colitti <lorenzo@google.com>, Erik Kline <ek@google.com>, "Eric Vyncke (evyncke)" <evyncke@cisco.com>, "captive-portals@ietf.org" <captive-portals@ietf.org>, David Bird <dbird@google.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/Pq8ToQdTXgglcO2X9KkeEKtb1oY>
Subject: Re: [Captive-portals] Questions about PvD/API
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Aug 2017 23:55:45 -0000

What is interesting about Heiko's example here is that this transition
is not necessarily visible to endpoints. Nor can they be forewarned
(assuming they are ignorant of the botnet using their link).
Endpoints were previously on a network without a captive portal, but
one is suddenly interjected.

I see several problems, different for each of the various solutions:

* With 7710 or PvD, the original network would have to be provisioned
with a captive portal, or the switch would happen and the endpoint
won't have a URI to talk to.  That seems relatively tractable,
providing that this didn't lead to a false assumption of captivity
(this is a problem with 7710, I think, because the existence of the
option seems to imply captivity, though this is quite unclear from the
RFC).

* With ICMP, the signal comes from more than one hop away.  An
unmodified router in the home would receive the ICMP message, reduce
the TTL and then it looks like a random Internet host was trying to
deny service.

So running through all the combinations:

7710/PvD + ICMP - you know where to go to get status information and
the network can signal

7710/PvD - ICMP - you know where to go to get status information, but
how would you decide to ask?  Is there some other trigger you would
use?  (This is, I think Vincent's question.)

ICMP - 7710/PvD - you get a signal, but is it legit?  How do you validate it?

Neither - that's the situation we have today.

It seems that there are at least a few people who think that this use
case is in scope.  It doesn't seem materially different from the case
where you run out of bytes (for networks that do accounting that way).
Maybe this use case can inform the design a little better.  Or maybe
someone would like to argue that we don't need to worry about this.



On 25 August 2017 at 06:58, Vincent van Dam <VvanDam@sandvine.com> wrote:
> I agree that the information you describe should be pulled from somewhere,
> however, I am more concerned _when_ they should be pulled.
>
>
> In this working group we acknowledged (welcomed) use cases that go beyond
> connecting to a network; the latest example:
> https://www.ietf.org/mail-archive/web/captive-portals/current/msg00455.html
>
>
> If these use cases are indeed in scope; signalling, or a solution that
> allows detection that the walled garden is (re)activated after joining the
> network, need to be in place. The alternative to a signal would be polling,
> or doing some mitm on protocols that allow it. I think both mitm, and
> polling regularly to see if the connection state is walled are bad.
>
>
> Just focussing on signalling (without the semantics/api); I think that
> leaves us with three directions:
>
>
> * descope any solution that would improve the scenario where walled gardens
> are (re-)activated
>
> * accept icmp is a valid direction, and think of a way on how we can use
> this securely in our use-case
>
> * invent a new signal? something the nas is allowed to send to the ue, but
> not icmp?
>
>
> Gr., Vincent
>
>
> ________________________________
> Van: Captive-portals [captive-portals-bounces@ietf.org] namens Tommy Pauly
> [tpauly@apple.com]
> Verzonden: donderdag 24 augustus 2017 18:03
> Aan: Lorenzo Colitti
> CC: Erik Kline; Eric Vyncke (evyncke); Martin Thomson;
> captive-portals@ietf.org; David Bird
> Onderwerp: Re: [Captive-portals] Questions about PvD/API
>
> If the client OS needs to add in heuristics to reach a certain volume of
> ICMP messages before trusting them, I think the design is flawed. Beyond
> that, the information we'd like to get isn't just as simple as a boolean
> value that can be aggregated (like unreachable would be). Among the problems
> we're trying to solve for CAPPORT is "how much time do I have left", and
> "when to re-join the portal". Having a source we can query about those
> properties seems to dramatically simplify the flow and trust model. However
> we do things, it seems like this information should be pull-able (even if it
> allows the client to open a connection on which changes are pushed or
> notified) rather than unsolicited pushes of ICMP by the network.
>
> On Aug 24, 2017, at 8:33 AM, Lorenzo Colitti <lorenzo@google.com> wrote:
>
> It seems to me that any solution involving coordination between two
> protocols is little different, in terms of your criticism that it will lead
> to "a higher rate of misconfiguration", from the PVD solution. (Personally I
> don't think that's a valid argument - saying that if you misconfigure the
> network it won't work well is pretty much a tautology - but you were the one
> that cited that argument in support of the ICMP solution.)
>
> As for several flows, I don't see what would stop an attacker from trying to
> spoof several flows.
>
> On Fri, Aug 25, 2017 at 12:21 AM, David Bird <dbird@google.com> wrote:
>>
>> You are both describing decisions the UE makes... perhaps the UE waits for
>> several flows (with same session-id) to indicate capport warning/errors
>> before acting on it... especially when already connected. There were also
>> proposals to link the ICMP messages to the DHCP message somehow so that ICMP
>> is 'authenticated' against the original DHCP. Theses are solvable concerns,
>> not road blocks.
>>
>>
>>
>> On Thu, Aug 24, 2017 at 8:14 AM, Tommy Pauly <tpauly@apple.com> wrote:
>>>
>>> Right, I think the difference between an unreachable destination, and a
>>> captive portal or walled garden, is that we expect the captive portal style
>>> interaction to be an Operating System-level action, and one that will have
>>> consequences on everything the device does while associated to a given
>>> network. You can certain use spoofed ICMP to disrupt connections, but (a)
>>> the user would notice and (b) you're not causing the Operating System to
>>> change behavior. When the OS thinks it is on a captive network or not, it
>>> will change what network it considers primary/usable, which may potentially
>>> be invisible to the user other than an icon change. I would be able to go
>>> onto a captive network, start sending out ICMP messages, and potentially
>>> bump other people's connection off the network.
>>>
>>> Having the UE fetch some resource in order to determine captive state,
>>> especially if that resource can be somehow signed, makes it much harder for
>>> an attacker to cause the OS to take silent behavior.
>>>
>>> Tommy
>>>
>>> On Aug 24, 2017, at 7:40 AM, Lorenzo Colitti <lorenzo@google.com> wrote:
>>>
>>> A forged destination unreachable can't cause someone else's device to
>>> think that wifi is a portal and switch to possibly expensive cellular data.
>>>
>>> On Thu, Aug 24, 2017 at 11:29 PM, David Bird <dbird@google.com> wrote:
>>>>
>>>> Just like the rampant problem we see in ICMP Dest-Unreachable forgery
>>>> attacks?
>>>>
>>>> On Thu, Aug 24, 2017 at 7:01 AM, Lorenzo Colitti <lorenzo@google.com>
>>>> wrote:
>>>>>
>>>>> On Thu, Aug 24, 2017 at 10:40 PM, David Bird <dbird@google.com> wrote:
>>>>>>
>>>>>> Can you give an example of how ICMP could be misconfigured?
>>>>>
>>>>>
>>>>> It doesn't matter how hard it is to misconfigure, because it is trivial
>>>>> to forge.
>>>>
>>>>
>>>
>>> _______________________________________________
>>> Captive-portals mailing list
>>> Captive-portals@ietf.org
>>> https://www.ietf.org/mailman/listinfo/captive-portals
>>>
>>>
>>
>
>

v2.23.0 | Report a Bug | By Email