IETF Logo Mail Archive

Re: [Captive-portals] Thinking of something related to captive portals for the ietf98 hackathon

Erik Kline <ek@google.com> Thu, 23 February 2017 02:58 UTC

Return-Path: <ek@google.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE9431294FC for <captive-portals@ietfa.amsl.com>; Wed, 22 Feb 2017 18:58:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4ewFxUPbBe0F for <captive-portals@ietfa.amsl.com>; Wed, 22 Feb 2017 18:58:07 -0800 (PST)
Received: from mail-yw0-x22f.google.com (mail-yw0-x22f.google.com [IPv6:2607:f8b0:4002:c05::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4F940129EA4 for <captive-portals@ietf.org>; Wed, 22 Feb 2017 18:51:55 -0800 (PST)
Received: by mail-yw0-x22f.google.com with SMTP id v200so10873213ywc.3 for <captive-portals@ietf.org>; Wed, 22 Feb 2017 18:51:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=+wA8qeOdJsSHH0J4e+/78v8ShkAGn3D6XroJvcK3tEE=; b=BWK/0uT30tpFKIjKumvuR5Kkuy3gmkqw0snKk1v3TmZdPDKcD2YIyLyWZ2qiiejwWZ q8EI8x/wjTDabFIhEmpehGLtTtwZzPkCh1SJEwAR5BxGj3qRwro80h55KOH3rSmTJllK hUvvobS0Foq+pEDPP0vZeQ7q0C28LJnmc7BXaruTi2yKGUgfKd5LvRdODEmoY1Jo/W1z HiKrAnd4iH6X8RiXkUoPI5+WaAe4KFX449iI1PSkaZh8O8RP9BSHrBv4qF5AG4qnMusI Es0MXHg1pc28GZ+tyUO9yRwLnAvrRlA/Nx99epoejm2+Bz2F1AaXTGQQpGOZ171yD/px 3Qjw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=+wA8qeOdJsSHH0J4e+/78v8ShkAGn3D6XroJvcK3tEE=; b=nW95mosLgm+yvEnVd+twgk7WNs5ebOfgb3SIUWaZkreDzcCcGiF4iszn9jsrTkeZjE pc1m4POYdPlWWG13VEU04CaOywyAivXuoGbPqrBGIxPpBthwsJk0Tq+bITVDp21pGq1i Ttf7LlPCMGPpstUsK67LMNhJib5gUH5bbOn/7shXmBR0YrcTtPRyo7vkKzvH3FH7va5W kj40g7K2fUOImH1HC/6VXIAPVXZdue8ve+H/7pxhyX+Uy4MKvpw5bc1F8U3YLym3ODPj J5FkTNUJMZCoF2nXLoMHOzUtWXQua7r4uBzqrhnaIaNh4Eh7o1lJS1r0EShQuGla5gJK Jw+w==
X-Gm-Message-State: AMke39kl1uxkQFKQbp9AumswrWDxaBCLPOe/hIh3g9YhLvq5Jyq4nIL3Hmx0/pS0nE+DOHdoe/oQ/FIuciOmMpRP
X-Received: by 10.129.41.69 with SMTP id p66mr23210854ywp.223.1487818314278; Wed, 22 Feb 2017 18:51:54 -0800 (PST)
MIME-Version: 1.0
Received: by 10.37.207.4 with HTTP; Wed, 22 Feb 2017 18:51:33 -0800 (PST)
In-Reply-To: <CADo9JyXki8J_Gd_ac8xAsp9V0b79rK0dPdXzHkuoLV-OQ47C2w@mail.gmail.com>
References: <D76BBBCF97F57144BB5FCF08007244A77058108A@wtl-exchp-1.sandvine.com> <CADo9JyUz6QRVg23cFmv7xTu_0dzbQM-xVXx7=79k3ao+59szVg@mail.gmail.com> <CAKD1Yr0B2HUz6AXExA7nK3URqkq3yFFuBXRVGM+mMR+KjnO1Ag@mail.gmail.com> <E8355113905631478EFF04F5AA706E987051EC6E@wtl-exchp-1.sandvine.com> <CAKD1Yr0p37+SuE03SLKQ2tZDxxeL3=jO8gSw9y66UnYXSDzeKw@mail.gmail.com> <E8355113905631478EFF04F5AA706E987051F25D@wtl-exchp-1.sandvine.com> <CAKD1Yr06UukkD+vM5ueiBfqe4h2t53G=-7hZN=wy1nO1_efJ2w@mail.gmail.com> <E8355113905631478EFF04F5AA706E987051F305@wtl-exchp-1.sandvine.com> <CADo9JyXki8J_Gd_ac8xAsp9V0b79rK0dPdXzHkuoLV-OQ47C2w@mail.gmail.com>
From: Erik Kline <ek@google.com>
Date: Thu, 23 Feb 2017 11:51:33 +0900
Message-ID: <CAAedzxp1GZ8J5h2YnEo+xDAHTjhPHL6_YcfD4p5148G=0a6Mxg@mail.gmail.com>
To: David Bird <dbird@google.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="001a114160ba240e55054929b207"
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/Ttwz0YQFUZa6eUJYSZN_EULA7o4>
Cc: "warren@kumari.net" <warren@kumari.net>, Kyle Larose <klarose@sandvine.com>, "captive-portals@ietf.org" <captive-portals@ietf.org>, Dave Dolson <ddolson@sandvine.com>, Lorenzo Colitti <lorenzo@google.com>
Subject: Re: [Captive-portals] Thinking of something related to captive portals for the ietf98 hackathon
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Feb 2017 02:58:10 -0000

How onerous would it be to require that an ICMPv[46] message with a captive
portal code also have a hoplimit of 255 (i.e. be link-local / from an
on-link source)?

I could imagine writing a user-space daemon that listens for ICMP message
of one specific type, and validates the hoplimit with traditional cmsg
tricks.  Furthermore, only having to do so on networks advertising a 7710
option would be good.

On 23 February 2017 at 02:10, David Bird <dbird@google.com> wrote:

> Further, we could tie this to RFC 7710, so that you can disregard this
> ICMP from networks not expected to be captive portal and networks who do
> implement captive portal can easily (as in iptables rules) filter out
> external ICMP of this nature.
>
> On Wed, Feb 22, 2017 at 9:07 AM, Dave Dolson <ddolson@sandvine.com> wrote:
>
>> Agreed. Hence the discussion about using a difficult-to-guess token in
>> the message.
>>
>> ------------------------------
>> *From:* Lorenzo Colitti [lorenzo@google.com]
>> *Sent:* Wednesday, February 22, 2017 12:05 PM
>>
>> *To:* Dave Dolson
>> *Cc:* David Bird; warren@kumari.net; Kyle Larose;
>> captive-portals@ietf.org
>> *Subject:* Re: [Captive-portals] Thinking of something related to
>> captive portals for the ietf98 hackathon
>>
>> The ability for any host in the Internet to trigger an instant response
>> sounds it could turn into a DOS vector, though.
>>
>> On Thu, Feb 23, 2017 at 2:04 AM, Dave Dolson <ddolson@sandvine.com>
>> wrote:
>>
>>> As I understand it, to "think something is wrong" requires an
>>> application-layer timeout. Some people think this is about 5s, but I don't
>>> believe TCP specifies an upper bound.
>>>
>>> An ICMP message can give an "instant" response.
>>>
>>> It's worth considering that the ICMP message may trigger the
>>> "sacrificial" HTTP request by the operating system.
>>>
>>>
>>>
>>> ------------------------------
>>> *From:* Lorenzo Colitti [lorenzo@google.com]
>>> *Sent:* Wednesday, February 22, 2017 10:24 AM
>>> *To:* Dave Dolson
>>> *Cc:* David Bird; warren@kumari.net; Kyle Larose;
>>> captive-portals@ietf.org
>>>
>>> *Subject:* Re: [Captive-portals] Thinking of something related to
>>> captive portals for the ietf98 hackathon
>>>
>>> Ok, but the implementations that are the most likely to implement this
>>> sort of feature already send sacrificial plaintext HTTP requests on
>>> connect, and are quite capable of generating HTTP requests on demand when
>>> they think something is wrong.
>>>
>>> On Wed, Feb 22, 2017 at 11:53 PM, Dave Dolson <ddolson@sandvine.com>
>>> wrote:
>>>
>>>> Lorenzo,
>>>> My interest in ICMP is that it could work with any protocol, not just
>>>> HTTP, and doesn't require any MITM for HTTPS.
>>>> I recall a discussion about adding a difficult-to-guess token to the
>>>> ICMP message, making it hard to spoof.
>>>>
>>>> -Dave
>>>>
>>>>
>>>>
>>>> ------------------------------
>>>> *From:* Captive-portals [captive-portals-bounces@ietf.org] on behalf
>>>> of Lorenzo Colitti [lorenzo@google.com]
>>>> *Sent:* Wednesday, February 22, 2017 9:42 AM
>>>> *To:* David Bird
>>>> *Cc:* warren@kumari.net; Kyle Larose; captive-portals@ietf.org
>>>> *Subject:* Re: [Captive-portals] Thinking of something related to
>>>> captive portals for the ietf98 hackathon
>>>>
>>>> I'm not a fan of the ICMP method. I think the security implications
>>>> need more thought.
>>>>
>>>> As is, it looks like pretty much anyone on the Internet can send you
>>>> one of these packets, and you have no way of knowing if it's legitimate.
>>>> Relying on such an easy-to-spoof signal to decide that a network no longer
>>>> provides Internet access could be quite harmful, particularly if the
>>>> receiving device decided to switch to cellular data and incur the
>>>> associated traffic costs. Even if the signal is only taken as a hint to
>>>> revalidate the network, that still has battery implications.
>>>>
>>>> It would seem to be much more useful to use:
>>>>
>>>>    - A header in the initial redirect that captive portals almost
>>>>    always generate.
>>>>    - A well-known URL where the state of the captive portal can be
>>>>    revalidated, either periodically or when some other indication of loss of
>>>>    connectivity is observed.
>>>>
>>>> At the last IETF we talked about possibly having a more structured way
>>>> of communicating this and other bits of information from captive portal to
>>>> host (a RESTful API, IIRC). That would also be useful, if we can all
>>>> collectively resist the temptation to overengineer such a mechanism. :-)
>>>>
>>>> On Wed, Feb 22, 2017 at 11:31 PM, David Bird <dbird@google.com> wrote:
>>>>
>>>>> Hi Kyle,
>>>>>
>>>>> I think that is a great idea!
>>>>>
>>>>> I had started to implement here: https://github.com/coova
>>>>> /coova-chilli/tree/capport-icmp
>>>>>
>>>>> What would be nice, in addition to the NAS changes, is to also
>>>>> demonstrate the client side ... either something like icmpd
>>>>> <https://github.com/snaewe/books-code/tree/master/unpv13e/icmpd> (to
>>>>> listen for the ICMP and provide applications a way of checking the status
>>>>> of their dest. unreach. connections), or the necessary Linux kernel
>>>>> changes. Also with kernel changes, the I-D could also be implemented using
>>>>> iptables, or other NAS software too.
>>>>>
>>>>> Cheers,
>>>>> David
>>>>>
>>>>>
>>>>> On Wed, Feb 22, 2017 at 6:12 AM, Kyle Larose <klarose@sandvine.com>
>>>>> wrote:
>>>>>
>>>>>> Hey everyone,
>>>>>>
>>>>>> I was thinking of doing something (anything) related to captive
>>>>>> portals for the ietf 98 hackathon. In particular,
>>>>>> https://tools.ietf.org/html/draft-wkumari-capport-icmp-unreach-01
>>>>>> caught my eye. I was wondering if anyone had thoughts on that, and whether
>>>>>> there is anything else they'd like to see me champion.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Kyle
>>>>>>
>>>>>> _______________________________________________
>>>>>> Captive-portals mailing list
>>>>>> Captive-portals@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/captive-portals
>>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Captive-portals mailing list
>>>>> Captive-portals@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/captive-portals
>>>>>
>>>>>
>>>>
>>>
>>
>
> _______________________________________________
> Captive-portals mailing list
> Captive-portals@ietf.org
> https://www.ietf.org/mailman/listinfo/captive-portals
>
>

v2.23.0 | Report a Bug | By Email