Re: [Captive-portals] Use Case: "Carrier Grade Captive Portal"
Gunther Nitzsche <gnitzsche@netcologne.de> Tue, 16 May 2017 16:38 UTC
Return-Path: <gnitzsche@netcologne.de>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E277712EAC2 for <captive-portals@ietfa.amsl.com>; Tue, 16 May 2017 09:38:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.002
X-Spam-Level:
X-Spam-Status: No, score=-0.002 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=netcologne.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FUKZV6My4aX5 for <captive-portals@ietfa.amsl.com>; Tue, 16 May 2017 09:38:01 -0700 (PDT)
Received: from cc-smtpout3.netcologne.de (cc-smtpout3.netcologne.de [IPv6:2001:4dd0:100:1062:25:2:0:3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B358B12EB35 for <captive-portals@ietf.org>; Tue, 16 May 2017 09:33:38 -0700 (PDT)
Received: from cc-smtpin2.netcologne.de (cc-smtpin2.netcologne.de [89.1.8.202]) by cc-smtpout3.netcologne.de (Postfix) with ESMTP id E9994127E6; Tue, 16 May 2017 18:33:35 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=netcologne.de; s=nc1116a; t=1494952415; bh=qAIjdKWstUSnRvJGDR8+mkfADYMq7okm9B8UoYwDcUM=; h=Subject:To:References:Cc:From:Message-ID:Date:In-Reply-To:From; b=duSPaQxZop+6FogNoHZKiaFhvEZ0lr5Xn0IwrEcjmBzk0MRrFfdLPvx/a/mkDdynR duWmMpCfbANERixYivNF8HPbOomYF0Q45IfEseZ4JLTym2de5Ag9W0gkiYP3D6kBbI fQLvZ2+uihwLJcrXxW9TIECfmzObM6ffTFv3ggDncPPFryhS70e/GgW7VlRs7r3buR 00CtoqXYyzb58FO1qV/Fv57cD2PNnWCjeJ2p+y+heWYZImC8/UOxoUuGj++/GB4dVT wH+qwwy5aC47G3uAlrqPsWp/6waA/z6vQYLEJ+kugmVC20AUuopUpNRGurBRjnwjMc dFinwzlUbCnXw==
Received: from localhost (localhost [127.0.0.1]) by cc-smtpin2.netcologne.de (Postfix) with ESMTP id DAAE611D71; Tue, 16 May 2017 18:33:35 +0200 (CEST)
Received: from [2001:4dd0:0:193:222::] (helo=cc-smtpin2.netcologne.de) by localhost with ESMTP (eXpurgate 4.1.9) (envelope-from <gnitzsche@netcologne.de>) id 591b29df-022c-7f0000012729-7f000001d9a4-1 for <multiple-recipients>; Tue, 16 May 2017 18:33:35 +0200
Received: from [IPv6:2001:4dd0:0:193:222::] (sys-222.netcologne.de [IPv6:2001:4dd0:0:193:222::]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by cc-smtpin2.netcologne.de (Postfix) with ESMTPSA; Tue, 16 May 2017 18:33:35 +0200 (CEST)
To: captive-portals@ietf.org
References: <201705031442.50683.heiko.folkerts@bsi.bund.de>
Cc: Heiko Folkerts <heiko.folkerts@bsi.bund.de>, "Herzig, Willi" <willi.herzig@bsi.bund.de>
From: Gunther Nitzsche <gnitzsche@netcologne.de>
X-Enigmail-Draft-Status: N0210
Message-ID: <8951dd0a-044b-b3ed-4454-e24fac407c4e@netcologne.de>
Date: Tue, 16 May 2017 18:33:35 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <201705031442.50683.heiko.folkerts@bsi.bund.de>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/TGpTz0uJWVYzB8kMz9lorlP0uZY>
Subject: Re: [Captive-portals] Use Case: "Carrier Grade Captive Portal"
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 May 2017 16:38:04 -0000
Hello everybody, On 03.05.2017 14:42, Heiko Folkerts wrote: >Hi everybody, I visited the capport WG the first time in Chicago. Thank you very much for the presentations! >Afterwards I had a very brief chat with Martin about a use case, I name “carrier grade captive portals”. >As a result I want to present this use case to you on this mailing list: <...> >... > carrier grade captive portal (aka walled garden, forced portal), > > The most efficient way to inform and get systems cleaned has been proven is the carrier grade captive portal. One of the > internet service providers, NetCologne, uses a, as they call it, Forced Portal. That's us :) Indeed we use this technique for quite a couple of years now. We realized we had to inform our customers about blocking (caused by abusive behaviour or by not paying the bill) in a quick way without causing too much effort at support or customers side. Showing them an informational webpage with the blocking reason (including an option to unblock themselves) was and is the fastest way to inform and help the customer without having too much support trouble (including the option to reach out for some selected domains for downloading e.g. antivirus-patterns or get other kind of help). That worked pretty well all the years.. until someone implemented certificate pinning to protect customers from mitm and phishing attacks. You know the problems.. The different solutions mentioned on this mailing list do not all aim at our specific scenario; but some do and could help us. I want to pick a few: Not preferred by us: * ICMP response: 1) we tunnel our blocked clients via l2tp to a dedicated lns, from there a GRE tunnel reaches a squid proxy, redirecting all requests via iptables to local port 80 and 443. I doubt that ICMP responses would work here..maybe.. 2) more and more providers will use IPv6 and/or NAT Scenarios to handle their customers That sounds difficult to implement (icmp via v6 via NAT ..) 3) A lot of customers will have same kind of personal firewall in place which might just block any ICMP traffic. 4) the icmp response may just be ignored and does not force anything 5) the relocation page to be shown instead is probably not part of the icmp message. => If the customers wants to communicate via a browser, then we should answer via the browser. All other separate communication forms may work but are unreliable and are dependent on the customer setup. * DHCP Option: well, that reaches the dhcp-router (cpe), not the browser of the customers device. While there is an option "160" to redirect traffic (RFC 7710) this option is currently not really supported by vendors. This option is also not transparent to the enduser; it will only be received by the cpe. It is still unknown how the enduser's browser will be informed through this mechanism. * no other access mechanisms are covered by this. (e.g. radius) so only a subset of users could be reached at all. * layer 2 solutions: they all do not reach the enduser (at least in our case:) From the current solutions so far beeing suggested I strongly prefer a specific HTTP status return code which will lead to a certain behaviour on the enduser's browser. The 511 looks promising .. This will work regardless of the access technology used. It will also only appear if the user will use a browser at all, it is no "push" technology. So we will not catch all situations - if the user only receives e-mail via this connection we would need additional measures. But in the normal standard situation we will reach the customer and can inform him about the status. The browser does not need to follow the url given with the return code silently; instead it SHOULD show some warning that the shown page is not the one the user requested originally. While the enduser usually clicks "ok" on every button he finds, this information should not be presented as a clickable button but somehow different. Up to further discussion.. just my 0,02 € :-) ; hope this was useful for the discussion. best greetings, Gunther (sorry about the language errors..) NetCologne Systemadministration -- NetCologne Gesellschaft für Telekommunikation mbH Am Coloneum 9 ; 50829 Köln Geschäftsführer: Timo von Lepel, Mario Wilhelm Vorsitzender des Aufsichtsrates: Dr. Andreas Cerbe HRB 25580, AG Köln
- [Captive-portals] Use Case: "Carrier Grade Captiv… Heiko Folkerts
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… David Bird
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Dave Dolson
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Warren Kumari
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Erik Kline
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Mark Nottingham
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Michael Richardson
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Gunther Nitzsche
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… David Bird
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Gunther Nitzsche
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… David Bird
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Dave Dolson
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Vincent van Dam
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Erik Kline
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Livingood, Jason
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Martin Thomson
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Livingood, Jason
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Martin Thomson
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Gunther Nitzsche
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Erik Kline
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Michael Richardson
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… David Bird
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Vincent van Dam
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Dave Dolson
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Eric Vyncke (evyncke)
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Erik Kline
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Dave Dolson
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Tommy Pauly
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… David Bird
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Dave Dolson
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Dave Dolson
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Tommy Pauly
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Tommy Pauly
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… David Bird