IETF Logo Mail Archive

Re: [Captive-portals] Use Case: "Carrier Grade Captive Portal"

Gunther Nitzsche <gnitzsche@netcologne.de> Tue, 16 May 2017 16:38 UTC

Return-Path: <gnitzsche@netcologne.de>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E277712EAC2 for <captive-portals@ietfa.amsl.com>; Tue, 16 May 2017 09:38:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.002
X-Spam-Level:
X-Spam-Status: No, score=-0.002 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=netcologne.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FUKZV6My4aX5 for <captive-portals@ietfa.amsl.com>; Tue, 16 May 2017 09:38:01 -0700 (PDT)
Received: from cc-smtpout3.netcologne.de (cc-smtpout3.netcologne.de [IPv6:2001:4dd0:100:1062:25:2:0:3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B358B12EB35 for <captive-portals@ietf.org>; Tue, 16 May 2017 09:33:38 -0700 (PDT)
Received: from cc-smtpin2.netcologne.de (cc-smtpin2.netcologne.de [89.1.8.202]) by cc-smtpout3.netcologne.de (Postfix) with ESMTP id E9994127E6; Tue, 16 May 2017 18:33:35 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=netcologne.de; s=nc1116a; t=1494952415; bh=qAIjdKWstUSnRvJGDR8+mkfADYMq7okm9B8UoYwDcUM=; h=Subject:To:References:Cc:From:Message-ID:Date:In-Reply-To:From; b=duSPaQxZop+6FogNoHZKiaFhvEZ0lr5Xn0IwrEcjmBzk0MRrFfdLPvx/a/mkDdynR duWmMpCfbANERixYivNF8HPbOomYF0Q45IfEseZ4JLTym2de5Ag9W0gkiYP3D6kBbI fQLvZ2+uihwLJcrXxW9TIECfmzObM6ffTFv3ggDncPPFryhS70e/GgW7VlRs7r3buR 00CtoqXYyzb58FO1qV/Fv57cD2PNnWCjeJ2p+y+heWYZImC8/UOxoUuGj++/GB4dVT wH+qwwy5aC47G3uAlrqPsWp/6waA/z6vQYLEJ+kugmVC20AUuopUpNRGurBRjnwjMc dFinwzlUbCnXw==
Received: from localhost (localhost [127.0.0.1]) by cc-smtpin2.netcologne.de (Postfix) with ESMTP id DAAE611D71; Tue, 16 May 2017 18:33:35 +0200 (CEST)
Received: from [2001:4dd0:0:193:222::] (helo=cc-smtpin2.netcologne.de) by localhost with ESMTP (eXpurgate 4.1.9) (envelope-from <gnitzsche@netcologne.de>) id 591b29df-022c-7f0000012729-7f000001d9a4-1 for <multiple-recipients>; Tue, 16 May 2017 18:33:35 +0200
Received: from [IPv6:2001:4dd0:0:193:222::] (sys-222.netcologne.de [IPv6:2001:4dd0:0:193:222::]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by cc-smtpin2.netcologne.de (Postfix) with ESMTPSA; Tue, 16 May 2017 18:33:35 +0200 (CEST)
To: captive-portals@ietf.org
References: <201705031442.50683.heiko.folkerts@bsi.bund.de>
Cc: Heiko Folkerts <heiko.folkerts@bsi.bund.de>, "Herzig, Willi" <willi.herzig@bsi.bund.de>
From: Gunther Nitzsche <gnitzsche@netcologne.de>
X-Enigmail-Draft-Status: N0210
Message-ID: <8951dd0a-044b-b3ed-4454-e24fac407c4e@netcologne.de>
Date: Tue, 16 May 2017 18:33:35 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <201705031442.50683.heiko.folkerts@bsi.bund.de>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/TGpTz0uJWVYzB8kMz9lorlP0uZY>
Subject: Re: [Captive-portals] Use Case: "Carrier Grade Captive Portal"
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 May 2017 16:38:04 -0000

Hello everybody,

On 03.05.2017 14:42, Heiko Folkerts wrote:

>Hi everybody, I visited the capport WG the first time in Chicago. Thank
you very much for the presentations!
>Afterwards I had a very brief chat with Martin about a use case, I name
“carrier grade captive portals”.
>As a result I want to present this use case to you on this mailing
list: <...>
>...
> carrier grade captive portal (aka walled garden, forced portal),
>
> The most efficient way to inform and get systems cleaned has been
proven is the carrier grade captive portal. One of the 
> internet service providers, NetCologne, uses a, as they call it,
Forced Portal.

That's us :)

Indeed we use this technique for quite a couple of years now. We
realized we had
to inform our customers about blocking (caused by abusive behaviour or by
not paying the bill) in a quick way without causing too much effort at
support
or customers side.

Showing them an informational webpage with the blocking reason (including
an option to unblock themselves) was and is the fastest way to inform
and help the
customer without having too much support trouble (including the option
to reach out for some selected domains for downloading e.g.
antivirus-patterns or
get other kind of help).

That worked pretty well all the years.. until someone implemented
certificate
pinning to protect customers from mitm and phishing attacks. You know the
problems.. 

The different solutions mentioned on this mailing list do not all aim at our
specific scenario; but some do and could help us. I want to pick a few:

Not preferred by us:

* ICMP response:  
   1) we tunnel our blocked clients via l2tp to a dedicated lns, from
there a GRE
tunnel reaches a squid proxy, redirecting all requests via iptables to 
local port 80 and 443.
I doubt that ICMP responses would work here..maybe..

  2) more and more providers will use IPv6 and/or NAT Scenarios to
handle their customers
That sounds difficult to implement (icmp via v6 via NAT ..)

 3) A lot of customers will have same kind of personal firewall in place
which might
just block any ICMP traffic.

4) the icmp response may just be ignored and does not force anything

5) the relocation page to be shown instead is probably not part of the
icmp message.


=> If the customers wants to communicate via a browser, then we should
answer
via the browser. All other separate communication forms may work but are
unreliable
and are dependent on the customer setup.


* DHCP Option:  well, that reaches the dhcp-router (cpe), not the
browser of the
customers device. While there is an option "160" to redirect traffic
(RFC 7710) this option is
currently not really supported by vendors. This option is also not
transparent to
the enduser; it will only be received by the cpe. It is still unknown
how the enduser's browser
will be informed through this mechanism.
* no other access mechanisms are covered by this. (e.g. radius) so only
a subset of
users could be reached at all.

* layer 2 solutions: they all do not reach the enduser (at least in our
case:)


From the current solutions so far beeing suggested I strongly
prefer a specific HTTP status return code which will lead to a certain
behaviour on the enduser's browser. The 511 looks promising ..

This will work regardless of the access technology used. It will also
only appear
if the user will use a browser at all, it is no "push" technology.
So we will not catch all situations - if the user only receives e-mail via
this connection we would need additional measures. But in the normal
standard
situation we will reach the customer and can inform him about the
status.

The browser does not need to follow the url given with the return code
silently;
instead it SHOULD show some warning that the shown page is not the one the
user requested originally. While the enduser usually clicks "ok" on
every button
he finds, this information should not be presented as a clickable button but
somehow different. Up to further discussion..



just my 0,02 € :-) ; hope this was useful for the discussion.


best greetings,

Gunther

(sorry about the language errors..)

NetCologne Systemadministration
-- 
NetCologne Gesellschaft für Telekommunikation mbH
Am Coloneum 9 ; 50829 Köln
Geschäftsführer:   
  Timo von Lepel,
  Mario Wilhelm  
Vorsitzender des Aufsichtsrates:
  Dr. Andreas Cerbe
  HRB 25580, AG Köln

v2.23.0 | Report a Bug | By Email