IETF Logo Mail Archive

Re: [Captive-portals] Questions about PvD/API

David Bird <dbird@google.com> Fri, 25 August 2017 01:49 UTC

Return-Path: <dbird@google.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BDB0E1329DC for <captive-portals@ietfa.amsl.com>; Thu, 24 Aug 2017 18:49:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RKCx976ap8JG for <captive-portals@ietfa.amsl.com>; Thu, 24 Aug 2017 18:49:04 -0700 (PDT)
Received: from mail-qk0-x22c.google.com (mail-qk0-x22c.google.com [IPv6:2607:f8b0:400d:c09::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 96295132197 for <captive-portals@ietf.org>; Thu, 24 Aug 2017 18:49:03 -0700 (PDT)
Received: by mail-qk0-x22c.google.com with SMTP id p67so5873955qkd.2 for <captive-portals@ietf.org>; Thu, 24 Aug 2017 18:49:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=PI0jxBgFR2eHGqYNb0E9ITk+rU+DXab/RlF+924DXZA=; b=L6EA13aBMERSIfBnsWUdIQu4R9OFGM3QO9RvToR0SHE8oWBWFELRR+HC1PpLP8thL3 sR8iCNWjA1OKLDG2qPzA9Iy/PGRpltTMv2QwB5ieNigYlrI5omTxJ/rZXLshgR+O70c0 pu8ld/TcNhp2CRZxqG7F0aYtI04uIsHcHJPHH7JbzlTkLRanqGGslzG5e6SzPQNZh9mX fUA34Bw62nmoX3LHBentCZhKnnWWS6GaYNYJf/lSAFnQq9BBhQFRCA5mVtJJz+KNw7Oc 7WADUKJVYmbD9wKb+JSGofHsVD50TN5acTrZQndBkqV6EksheizMg7KHkxW+MtbCb25Z Q3Gg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=PI0jxBgFR2eHGqYNb0E9ITk+rU+DXab/RlF+924DXZA=; b=Kzuedn2kwBisb6QZDeres4vn14NFcJVtOjnbVPTOJBWaRVFqJ7dgCSAmT2xsfrVXFi 5WPGTcxrNUyTGwkrf1etrJw6iiI/oJMQZiM0UzD3+0g0LzG6vxTF40QulXIHMukfFHdx 1lHQ5DuroloX4IbBS1/4WBR0xMtvpnXFM+CvOLJXjTuGJqPXSBfXVxFbahweOeI0wEYU bVxLOEYTyuzp0WZFJgQq+UNs2r2ociSuWo83Y1mrFp44+Xgh3S6tE16UW9cVQLISs1l9 5IEWl51JRu+DsoHHfRSR1Dxy2lLQDT68Vy+0bXsFGrYJcmcpD8pHolxPf5LVf535wt7R mJDg==
X-Gm-Message-State: AHYfb5hveEleNvVCyPRscZ+PV7GbTxJSLiJyzW9Ghu3BD3AciprUL36j kJ1dgxIYIXE9ywHP42mJqR1ArvQVKU/W
X-Google-Smtp-Source: ADKCNb4C9S8n1VmJ0ebfWT5jZ9KWPXAgcAkLBeU33n3W/qQ2N+Qp0GZGdbeqTc34b5xuFUXjI1xCZJJRkaPjF87yEFw=
X-Received: by 10.55.212.18 with SMTP id l18mr12721969qki.42.1503625742303; Thu, 24 Aug 2017 18:49:02 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.12.132.102 with HTTP; Thu, 24 Aug 2017 18:49:01 -0700 (PDT)
In-Reply-To: <CABkgnnXdMDd2BF0r0ekmwxFECSiLPxPruc46BpVTNDCFz8+Tvg@mail.gmail.com>
References: <CADo9JyU+XGYFWdNeXOBw1O43Pjyn0jZhGxDTb7VbLF+Jg4Xj4w@mail.gmail.com> <CAAedzxq4UhueFW=U-Tuc1gvG8Tapc7VE7BM2Akt9OXuzN3jLyQ@mail.gmail.com> <CADo9JyW0J7xzaosG5PJOFPHMy2g6vZ1cVpW6_YsuOdaKWqumkQ@mail.gmail.com> <A5B74413-32D8-4FE4-BDF7-DAA95266AAF4@apple.com> <CADo9JyUJTPRT9454VdZEM1nwFfxPSrMX3+Uk9i325uboQUya7g@mail.gmail.com> <7B520EA6-7B55-46B1-B084-F1CADF7DE28B@apple.com> <CADo9JyVSW5==nQOUMUUYWj743LmZCUjE9=W-YXnK-KMS-88AoQ@mail.gmail.com> <CABkgnnV1OT_29fdNbCDDJMgeRDNeOM8u2PYA94opo+ujj2=Avw@mail.gmail.com> <CADo9JyUdBZbBmwE0B21ryFuefQEaTiWLHD-w8AZSyWACH9u2dg@mail.gmail.com> <CABkgnnWbhHOmZRsvpEb0XusRtUJUPp7vpdM7V_4nLnC_B-mfKQ@mail.gmail.com> <CADo9JyUP_FWznzDWDO1s9-8B8-hMAUkFAMaa68uUZ1xR8CKHyw@mail.gmail.com> <CAKD1Yr0OrthUda3+ic3g83vWEpBATpcF4Z=4ENNg+ZuyySDMdg@mail.gmail.com> <CADo9JyW=wYh5y87KZrfs56fFze_VkdvUt-hF_SNeokPONxDuGA@mail.gmail.com> <CAKD1Yr2GpTX9NPTNJVbGjF+PxuNNyhgaRNjr0qMW90rVHeM_+g@mail.gmail.com> <98352984-4E92-42EC-97FE-B652C0FC41AF@apple.com> <CADo9JyVzW3TxFCHv=1N=Qsm2Th7gw7Yby8mdG2hOVWQQ_9YGpw@mail.gmail.com> <CAKD1Yr0_ksXDy6Ckc6RuFjYf+t4fiA4dJfAToZjfgrqed4h4QA@mail.gmail.com> <B05E727C-6F8B-438F-8DC9-1B1528CE73A5@apple.com> <D2A19ABBC0147C40BFBB83D1CF3E95F04010655B@wtl-exchp-2.sandvine.com> <CABkgnnXdMDd2BF0r0ekmwxFECSiLPxPruc46BpVTNDCFz8+Tvg@mail.gmail.com>
From: David Bird <dbird@google.com>
Date: Thu, 24 Aug 2017 18:49:01 -0700
Message-ID: <CADo9JyVUE89QZajqxQ+0ofXY3L5vDSj18cXvFpXG1ViXeCnqhQ@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Vincent van Dam <VvanDam@sandvine.com>, Tommy Pauly <tpauly@apple.com>, Lorenzo Colitti <lorenzo@google.com>, Erik Kline <ek@google.com>, "Eric Vyncke (evyncke)" <evyncke@cisco.com>, "captive-portals@ietf.org" <captive-portals@ietf.org>
Content-Type: multipart/alternative; boundary="001a11479db23f24c305578a26fd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/Q24QNd2lG57jEpqvXo90RrBsCaM>
Subject: Re: [Captive-portals] Questions about PvD/API
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Aug 2017 01:49:08 -0000

I don't see RFC7710 grouped with PvD and vs ICMP. In fact, RFC7710 is
required in the ICMP draft.

So, it should be 7710 & ICMP vs PvD. Nobody is arguing 7710 should stand
alone, or is useful by itself.

There are unique considerations when the captive portal "client" is a
router and not the UE... In this example, no clients get 'released' from
captivity - so, it doesn't really have to trace clients by IP address. The
CPE firmware needs updating to have RFC7710 configurable via their
management system -- this might be a good opportunity to have a minimal
Capport ICMP based captive portal implemented completely in CPE firmware,
perhaps Linux iptables w/Capport ICMP support. Assuming they don't do that
(but do get RFC 7710 supported), the CPE can be configuring clients for
Capport and ICMP coming multiple hops away.. validated by (yet to be
defined) material in the original DHCP/RA, is just fine... (better, maybe
the CPE reconfigures into a bridge and has a L2 capport in the NOC, which
can maybe help users identity exactly which machine has the virus....)

There is no harm, btw, in having RFC7710 *always* configured in networks
that support features like this... it could be a multi-purpose portal. RFC
7710 should always be ignored until (yet to be defined) notification is
received.






On Thu, Aug 24, 2017 at 4:55 PM, Martin Thomson <martin.thomson@gmail.com>
wrote:

> What is interesting about Heiko's example here is that this transition
> is not necessarily visible to endpoints. Nor can they be forewarned
> (assuming they are ignorant of the botnet using their link).
> Endpoints were previously on a network without a captive portal, but
> one is suddenly interjected.
>
> I see several problems, different for each of the various solutions:
>
> * With 7710 or PvD, the original network would have to be provisioned
> with a captive portal, or the switch would happen and the endpoint
> won't have a URI to talk to.  That seems relatively tractable,
> providing that this didn't lead to a false assumption of captivity
> (this is a problem with 7710, I think, because the existence of the
> option seems to imply captivity, though this is quite unclear from the
> RFC).
>
> * With ICMP, the signal comes from more than one hop away.  An
> unmodified router in the home would receive the ICMP message, reduce
> the TTL and then it looks like a random Internet host was trying to
> deny service.
>
> So running through all the combinations:
>
> 7710/PvD + ICMP - you know where to go to get status information and
> the network can signal
>
> 7710/PvD - ICMP - you know where to go to get status information, but
> how would you decide to ask?  Is there some other trigger you would
> use?  (This is, I think Vincent's question.)
>
> ICMP - 7710/PvD - you get a signal, but is it legit?  How do you validate
> it?
>
> Neither - that's the situation we have today.
>
> It seems that there are at least a few people who think that this use
> case is in scope.  It doesn't seem materially different from the case
> where you run out of bytes (for networks that do accounting that way).
> Maybe this use case can inform the design a little better.  Or maybe
> someone would like to argue that we don't need to worry about this.
>
>
>
> On 25 August 2017 at 06:58, Vincent van Dam <VvanDam@sandvine.com> wrote:
> > I agree that the information you describe should be pulled from
> somewhere,
> > however, I am more concerned _when_ they should be pulled.
> >
> >
> > In this working group we acknowledged (welcomed) use cases that go beyond
> > connecting to a network; the latest example:
> > https://www.ietf.org/mail-archive/web/captive-portals/
> current/msg00455.html
> >
> >
> > If these use cases are indeed in scope; signalling, or a solution that
> > allows detection that the walled garden is (re)activated after joining
> the
> > network, need to be in place. The alternative to a signal would be
> polling,
> > or doing some mitm on protocols that allow it. I think both mitm, and
> > polling regularly to see if the connection state is walled are bad.
> >
> >
> > Just focussing on signalling (without the semantics/api); I think that
> > leaves us with three directions:
> >
> >
> > * descope any solution that would improve the scenario where walled
> gardens
> > are (re-)activated
> >
> > * accept icmp is a valid direction, and think of a way on how we can use
> > this securely in our use-case
> >
> > * invent a new signal? something the nas is allowed to send to the ue,
> but
> > not icmp?
> >
> >
> > Gr., Vincent
> >
> >
> > ________________________________
> > Van: Captive-portals [captive-portals-bounces@ietf.org] namens Tommy
> Pauly
> > [tpauly@apple.com]
> > Verzonden: donderdag 24 augustus 2017 18:03
> > Aan: Lorenzo Colitti
> > CC: Erik Kline; Eric Vyncke (evyncke); Martin Thomson;
> > captive-portals@ietf.org; David Bird
> > Onderwerp: Re: [Captive-portals] Questions about PvD/API
> >
> > If the client OS needs to add in heuristics to reach a certain volume of
> > ICMP messages before trusting them, I think the design is flawed. Beyond
> > that, the information we'd like to get isn't just as simple as a boolean
> > value that can be aggregated (like unreachable would be). Among the
> problems
> > we're trying to solve for CAPPORT is "how much time do I have left", and
> > "when to re-join the portal". Having a source we can query about those
> > properties seems to dramatically simplify the flow and trust model.
> However
> > we do things, it seems like this information should be pull-able (even
> if it
> > allows the client to open a connection on which changes are pushed or
> > notified) rather than unsolicited pushes of ICMP by the network.
> >
> > On Aug 24, 2017, at 8:33 AM, Lorenzo Colitti <lorenzo@google.com> wrote:
> >
> > It seems to me that any solution involving coordination between two
> > protocols is little different, in terms of your criticism that it will
> lead
> > to "a higher rate of misconfiguration", from the PVD solution.
> (Personally I
> > don't think that's a valid argument - saying that if you misconfigure the
> > network it won't work well is pretty much a tautology - but you were the
> one
> > that cited that argument in support of the ICMP solution.)
> >
> > As for several flows, I don't see what would stop an attacker from
> trying to
> > spoof several flows.
> >
> > On Fri, Aug 25, 2017 at 12:21 AM, David Bird <dbird@google.com> wrote:
> >>
> >> You are both describing decisions the UE makes... perhaps the UE waits
> for
> >> several flows (with same session-id) to indicate capport warning/errors
> >> before acting on it... especially when already connected. There were
> also
> >> proposals to link the ICMP messages to the DHCP message somehow so that
> ICMP
> >> is 'authenticated' against the original DHCP. Theses are solvable
> concerns,
> >> not road blocks.
> >>
> >>
> >>
> >> On Thu, Aug 24, 2017 at 8:14 AM, Tommy Pauly <tpauly@apple.com> wrote:
> >>>
> >>> Right, I think the difference between an unreachable destination, and a
> >>> captive portal or walled garden, is that we expect the captive portal
> style
> >>> interaction to be an Operating System-level action, and one that will
> have
> >>> consequences on everything the device does while associated to a given
> >>> network. You can certain use spoofed ICMP to disrupt connections, but
> (a)
> >>> the user would notice and (b) you're not causing the Operating System
> to
> >>> change behavior. When the OS thinks it is on a captive network or not,
> it
> >>> will change what network it considers primary/usable, which may
> potentially
> >>> be invisible to the user other than an icon change. I would be able to
> go
> >>> onto a captive network, start sending out ICMP messages, and
> potentially
> >>> bump other people's connection off the network.
> >>>
> >>> Having the UE fetch some resource in order to determine captive state,
> >>> especially if that resource can be somehow signed, makes it much
> harder for
> >>> an attacker to cause the OS to take silent behavior.
> >>>
> >>> Tommy
> >>>
> >>> On Aug 24, 2017, at 7:40 AM, Lorenzo Colitti <lorenzo@google.com>
> wrote:
> >>>
> >>> A forged destination unreachable can't cause someone else's device to
> >>> think that wifi is a portal and switch to possibly expensive cellular
> data.
> >>>
> >>> On Thu, Aug 24, 2017 at 11:29 PM, David Bird <dbird@google.com> wrote:
> >>>>
> >>>> Just like the rampant problem we see in ICMP Dest-Unreachable forgery
> >>>> attacks?
> >>>>
> >>>> On Thu, Aug 24, 2017 at 7:01 AM, Lorenzo Colitti <lorenzo@google.com>
> >>>> wrote:
> >>>>>
> >>>>> On Thu, Aug 24, 2017 at 10:40 PM, David Bird <dbird@google.com>
> wrote:
> >>>>>>
> >>>>>> Can you give an example of how ICMP could be misconfigured?
> >>>>>
> >>>>>
> >>>>> It doesn't matter how hard it is to misconfigure, because it is
> trivial
> >>>>> to forge.
> >>>>
> >>>>
> >>>
> >>> _______________________________________________
> >>> Captive-portals mailing list
> >>> Captive-portals@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/captive-portals
> >>>
> >>>
> >>
> >
> >
>

v2.23.0 | Report a Bug | By Email