Re: [Captive-portals] putting quarantined IoT devices behind a captive portal (fwd) Michael Richardson: putting quarantined IoT devices behind a captive portal

Michael Richardson <mcr+ietf@sandelman.ca> Wed, 24 July 2019 00:03 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: ek@loon.com
cc: captive-portals <captive-portals@ietf.org>, opsawg@ietf.org, mud@ietf.org
In-reply-to: <CAAedzxq6b3Ec-az0nUFbowfJS71GFoN2bq=vBo5GY73ze=sVGA@mail.gmail.com>
References: <27897.1562697682@localhost> <CAAedzxq6b3Ec-az0nUFbowfJS71GFoN2bq=vBo5GY73ze=sVGA@mail.gmail.com>
Comments: In-reply-to Erik Kline <ek@loon.com> message dated "Sat, 20 Jul 2019 23:33:44 -0400."
Date: Tue, 23 Jul 2019 20:03:49 -0400
Message-ID: <7357.1563926629@dooku.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/RwDziZ_eKMtesz6szahY87oYzTc>

Erik Kline <ek@loon.com> wrote:
    > Most discussion has, co-chair hat off, been circling around some minimal
    > working API mechanism to get things started.

    > That said, one could easily imagine, for example, something as simple
    > as an additional API boolean key,

    > "quarantined": true|false,

I think that I want to implement exactly this then.

This means providing the API info in DHCPv4 to all devices, even though
for many devices there is no restriction at all.

A concern that was recently raised is attackers that might attempt to
impersonate other devices (same L2/L3 address), and do things to trigger
quarantine.  Once you train the users to unquarantine without thinking...

-- 
]               Never tell me the odds!                 | ipv6 mesh networks [ 
]   Michael Richardson, Sandelman Software Works        | network architect  [ 
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
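An added illustration of the "quarantined" boolean discussed above, written for this page rather than taken from the thread or from any IETF draft. It assumes the portal serves a JSON body with the mandatory "captive" key and an optional "user-portal-url" key (as in the Captive Portal API work the thread refers to), adds the proposed "quarantined" key beside them, and shows the point Michael makes: every device receives the API pointer, but unrestricted devices simply get "captive": false. The MAC addresses, URLs and device states are constructed sample data; the client-side parser treats "quarantined" as optional so it keeps working against portals that never implement the extension.

```python
"""Added example, not code from the thread: a minimal Captive Portal API
responder carrying the proposed "quarantined" boolean next to "captive",
plus a client parser that tolerates the key being absent.  All device
identities, states and URLs below are constructed sample data."""
import json
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class DeviceState(Enum):
    UNRESTRICTED = "unrestricted"    # normal device, nothing enforced
    QUARANTINED = "quarantined"      # isolated by policy (e.g. a MUD violation)
    PENDING_LOGIN = "pending_login"  # ordinary captive-portal gating


# Constructed registry keyed by client MAC; a real portal would key on
# whatever identity the enforcement point actually uses.
REGISTRY = {
    "aa:bb:cc:00:00:01": DeviceState.UNRESTRICTED,
    "aa:bb:cc:00:00:02": DeviceState.QUARANTINED,
    "aa:bb:cc:00:00:03": DeviceState.PENDING_LOGIN,
}

PORTAL_URL = "https://portal.example.net/login"          # assumed
QUARANTINE_URL = "https://portal.example.net/quarantine"  # assumed


def api_response(mac: str) -> dict:
    """Body served at the API URL that DHCP advertised to every device.
    An unknown device is treated as captive rather than silently
    unrestricted, so the portal fails closed."""
    state = REGISTRY.get(mac, DeviceState.PENDING_LOGIN)
    body = {
        "captive": state is not DeviceState.UNRESTRICTED,
        "quarantined": state is DeviceState.QUARANTINED,
    }
    if state is DeviceState.QUARANTINED:
        body["user-portal-url"] = QUARANTINE_URL
    elif state is DeviceState.PENDING_LOGIN:
        body["user-portal-url"] = PORTAL_URL
    return body


def serialize(mac: str) -> str:
    """JSON text as it would go on the wire."""
    return json.dumps(api_response(mac), sort_keys=True)


@dataclass
class ClientView:
    captive: bool
    quarantined: bool
    portal_url: Optional[str]


def parse_api_response(raw: str) -> ClientView:
    """Client side: 'captive' is mandatory; 'quarantined' is the proposed
    extension and may be missing from portals that do not implement it,
    so it defaults to False instead of rejecting the response."""
    data = json.loads(raw)
    if not isinstance(data.get("captive"), bool):
        raise ValueError("captive key missing or not boolean")
    quarantined = data.get("quarantined", False)
    if not isinstance(quarantined, bool):
        raise ValueError("quarantined must be boolean when present")
    return ClientView(
        captive=data["captive"],
        quarantined=quarantined,
        portal_url=data.get("user-portal-url"),
    )


if __name__ == "__main__":
    for mac in list(REGISTRY) + ["ff:ff:ff:ff:ff:ff"]:
        print(mac, serialize(mac))
```

Serving the same API URL to every device keeps the DHCP side uniform; only the per-device answer differs, and a device that is neither logged-in nor quarantined just sees "captive": false with no portal URL to visit.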