Re: [Captive-portals] Thinking of something related to captive portals for the ietf98 hackathon
Erik Kline <ek@google.com> Thu, 23 February 2017 02:58 UTC
Return-Path: <ek@google.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE9431294FC for <captive-portals@ietfa.amsl.com>; Wed, 22 Feb 2017 18:58:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4ewFxUPbBe0F for <captive-portals@ietfa.amsl.com>; Wed, 22 Feb 2017 18:58:07 -0800 (PST)
Received: from mail-yw0-x22f.google.com (mail-yw0-x22f.google.com [IPv6:2607:f8b0:4002:c05::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4F940129EA4 for <captive-portals@ietf.org>; Wed, 22 Feb 2017 18:51:55 -0800 (PST)
Received: by mail-yw0-x22f.google.com with SMTP id v200so10873213ywc.3 for <captive-portals@ietf.org>; Wed, 22 Feb 2017 18:51:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=+wA8qeOdJsSHH0J4e+/78v8ShkAGn3D6XroJvcK3tEE=; b=BWK/0uT30tpFKIjKumvuR5Kkuy3gmkqw0snKk1v3TmZdPDKcD2YIyLyWZ2qiiejwWZ q8EI8x/wjTDabFIhEmpehGLtTtwZzPkCh1SJEwAR5BxGj3qRwro80h55KOH3rSmTJllK hUvvobS0Foq+pEDPP0vZeQ7q0C28LJnmc7BXaruTi2yKGUgfKd5LvRdODEmoY1Jo/W1z HiKrAnd4iH6X8RiXkUoPI5+WaAe4KFX449iI1PSkaZh8O8RP9BSHrBv4qF5AG4qnMusI Es0MXHg1pc28GZ+tyUO9yRwLnAvrRlA/Nx99epoejm2+Bz2F1AaXTGQQpGOZ171yD/px 3Qjw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=+wA8qeOdJsSHH0J4e+/78v8ShkAGn3D6XroJvcK3tEE=; b=nW95mosLgm+yvEnVd+twgk7WNs5ebOfgb3SIUWaZkreDzcCcGiF4iszn9jsrTkeZjE pc1m4POYdPlWWG13VEU04CaOywyAivXuoGbPqrBGIxPpBthwsJk0Tq+bITVDp21pGq1i Ttf7LlPCMGPpstUsK67LMNhJib5gUH5bbOn/7shXmBR0YrcTtPRyo7vkKzvH3FH7va5W kj40g7K2fUOImH1HC/6VXIAPVXZdue8ve+H/7pxhyX+Uy4MKvpw5bc1F8U3YLym3ODPj J5FkTNUJMZCoF2nXLoMHOzUtWXQua7r4uBzqrhnaIaNh4Eh7o1lJS1r0EShQuGla5gJK Jw+w==
X-Gm-Message-State: AMke39kl1uxkQFKQbp9AumswrWDxaBCLPOe/hIh3g9YhLvq5Jyq4nIL3Hmx0/pS0nE+DOHdoe/oQ/FIuciOmMpRP
X-Received: by 10.129.41.69 with SMTP id p66mr23210854ywp.223.1487818314278; Wed, 22 Feb 2017 18:51:54 -0800 (PST)
MIME-Version: 1.0
Received: by 10.37.207.4 with HTTP; Wed, 22 Feb 2017 18:51:33 -0800 (PST)
In-Reply-To: <CADo9JyXki8J_Gd_ac8xAsp9V0b79rK0dPdXzHkuoLV-OQ47C2w@mail.gmail.com>
References: <D76BBBCF97F57144BB5FCF08007244A77058108A@wtl-exchp-1.sandvine.com> <CADo9JyUz6QRVg23cFmv7xTu_0dzbQM-xVXx7=79k3ao+59szVg@mail.gmail.com> <CAKD1Yr0B2HUz6AXExA7nK3URqkq3yFFuBXRVGM+mMR+KjnO1Ag@mail.gmail.com> <E8355113905631478EFF04F5AA706E987051EC6E@wtl-exchp-1.sandvine.com> <CAKD1Yr0p37+SuE03SLKQ2tZDxxeL3=jO8gSw9y66UnYXSDzeKw@mail.gmail.com> <E8355113905631478EFF04F5AA706E987051F25D@wtl-exchp-1.sandvine.com> <CAKD1Yr06UukkD+vM5ueiBfqe4h2t53G=-7hZN=wy1nO1_efJ2w@mail.gmail.com> <E8355113905631478EFF04F5AA706E987051F305@wtl-exchp-1.sandvine.com> <CADo9JyXki8J_Gd_ac8xAsp9V0b79rK0dPdXzHkuoLV-OQ47C2w@mail.gmail.com>
From: Erik Kline <ek@google.com>
Date: Thu, 23 Feb 2017 11:51:33 +0900
Message-ID: <CAAedzxp1GZ8J5h2YnEo+xDAHTjhPHL6_YcfD4p5148G=0a6Mxg@mail.gmail.com>
To: David Bird <dbird@google.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="001a114160ba240e55054929b207"
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/Ttwz0YQFUZa6eUJYSZN_EULA7o4>
Cc: "warren@kumari.net" <warren@kumari.net>, Kyle Larose <klarose@sandvine.com>, "captive-portals@ietf.org" <captive-portals@ietf.org>, Dave Dolson <ddolson@sandvine.com>, Lorenzo Colitti <lorenzo@google.com>
Subject: Re: [Captive-portals] Thinking of something related to captive portals for the ietf98 hackathon
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Feb 2017 02:58:10 -0000
How onerous would it be to require that an ICMPv[46] message with a captive portal code also have a hoplimit of 255 (i.e. be link-local / from an on-link source)? I could imagine writing a user-space daemon that listens for ICMP message of one specific type, and validates the hoplimit with traditional cmsg tricks. Furthermore, only having to do so on networks advertising a 7710 option would be good. On 23 February 2017 at 02:10, David Bird <dbird@google.com> wrote: > Further, we could tie this to RFC 7710, so that you can disregard this > ICMP from networks not expected to be captive portal and networks who do > implement captive portal can easily (as in iptables rules) filter out > external ICMP of this nature. > > On Wed, Feb 22, 2017 at 9:07 AM, Dave Dolson <ddolson@sandvine.com> wrote: > >> Agreed. Hence the discussion about using a difficult-to-guess token in >> the message. >> >> ------------------------------ >> *From:* Lorenzo Colitti [lorenzo@google.com] >> *Sent:* Wednesday, February 22, 2017 12:05 PM >> >> *To:* Dave Dolson >> *Cc:* David Bird; warren@kumari.net; Kyle Larose; >> captive-portals@ietf.org >> *Subject:* Re: [Captive-portals] Thinking of something related to >> captive portals for the ietf98 hackathon >> >> The ability for any host in the Internet to trigger an instant response >> sounds it could turn into a DOS vector, though. >> >> On Thu, Feb 23, 2017 at 2:04 AM, Dave Dolson <ddolson@sandvine.com> >> wrote: >> >>> As I understand it, to "think something is wrong" requires an >>> application-layer timeout. Some people think this is about 5s, but I don't >>> believe TCP specifies an upper bound. >>> >>> An ICMP message can give an "instant" response. >>> >>> It's worth considering that the ICMP message may trigger the >>> "sacrificial" HTTP request by the operating system. >>> >>> >>> >>> ------------------------------ >>> *From:* Lorenzo Colitti [lorenzo@google.com] >>> *Sent:* Wednesday, February 22, 2017 10:24 AM >>> *To:* Dave Dolson >>> *Cc:* David Bird; warren@kumari.net; Kyle Larose; >>> captive-portals@ietf.org >>> >>> *Subject:* Re: [Captive-portals] Thinking of something related to >>> captive portals for the ietf98 hackathon >>> >>> Ok, but the implementations that are the most likely to implement this >>> sort of feature already send sacrificial plaintext HTTP requests on >>> connect, and are quite capable of generating HTTP requests on demand when >>> they think something is wrong. >>> >>> On Wed, Feb 22, 2017 at 11:53 PM, Dave Dolson <ddolson@sandvine.com> >>> wrote: >>> >>>> Lorenzo, >>>> My interest in ICMP is that it could work with any protocol, not just >>>> HTTP, and doesn't require any MITM for HTTPS. >>>> I recall a discussion about adding a difficult-to-guess token to the >>>> ICMP message, making it hard to spoof. >>>> >>>> -Dave >>>> >>>> >>>> >>>> ------------------------------ >>>> *From:* Captive-portals [captive-portals-bounces@ietf.org] on behalf >>>> of Lorenzo Colitti [lorenzo@google.com] >>>> *Sent:* Wednesday, February 22, 2017 9:42 AM >>>> *To:* David Bird >>>> *Cc:* warren@kumari.net; Kyle Larose; captive-portals@ietf.org >>>> *Subject:* Re: [Captive-portals] Thinking of something related to >>>> captive portals for the ietf98 hackathon >>>> >>>> I'm not a fan of the ICMP method. I think the security implications >>>> need more thought. >>>> >>>> As is, it looks like pretty much anyone on the Internet can send you >>>> one of these packets, and you have no way of knowing if it's legitimate. >>>> Relying on such an easy-to-spoof signal to decide that a network no longer >>>> provides Internet access could be quite harmful, particularly if the >>>> receiving device decided to switch to cellular data and incur the >>>> associated traffic costs. Even if the signal is only taken as a hint to >>>> revalidate the network, that still has battery implications. >>>> >>>> It would seem to be much more useful to use: >>>> >>>> - A header in the initial redirect that captive portals almost >>>> always generate. >>>> - A well-known URL where the state of the captive portal can be >>>> revalidated, either periodically or when some other indication of loss of >>>> connectivity is observed. >>>> >>>> At the last IETF we talked about possibly having a more structured way >>>> of communicating this and other bits of information from captive portal to >>>> host (a RESTful API, IIRC). That would also be useful, if we can all >>>> collectively resist the temptation to overengineer such a mechanism. :-) >>>> >>>> On Wed, Feb 22, 2017 at 11:31 PM, David Bird <dbird@google.com> wrote: >>>> >>>>> Hi Kyle, >>>>> >>>>> I think that is a great idea! >>>>> >>>>> I had started to implement here: https://github.com/coova >>>>> /coova-chilli/tree/capport-icmp >>>>> >>>>> What would be nice, in addition to the NAS changes, is to also >>>>> demonstrate the client side ... either something like icmpd >>>>> <https://github.com/snaewe/books-code/tree/master/unpv13e/icmpd> (to >>>>> listen for the ICMP and provide applications a way of checking the status >>>>> of their dest. unreach. connections), or the necessary Linux kernel >>>>> changes. Also with kernel changes, the I-D could also be implemented using >>>>> iptables, or other NAS software too. >>>>> >>>>> Cheers, >>>>> David >>>>> >>>>> >>>>> On Wed, Feb 22, 2017 at 6:12 AM, Kyle Larose <klarose@sandvine.com> >>>>> wrote: >>>>> >>>>>> Hey everyone, >>>>>> >>>>>> I was thinking of doing something (anything) related to captive >>>>>> portals for the ietf 98 hackathon. In particular, >>>>>> https://tools.ietf.org/html/draft-wkumari-capport-icmp-unreach-01 >>>>>> caught my eye. I was wondering if anyone had thoughts on that, and whether >>>>>> there is anything else they'd like to see me champion. >>>>>> >>>>>> Thanks, >>>>>> >>>>>> Kyle >>>>>> >>>>>> _______________________________________________ >>>>>> Captive-portals mailing list >>>>>> Captive-portals@ietf.org >>>>>> https://www.ietf.org/mailman/listinfo/captive-portals >>>>>> >>>>> >>>>> >>>>> _______________________________________________ >>>>> Captive-portals mailing list >>>>> Captive-portals@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/captive-portals >>>>> >>>>> >>>> >>> >> > > _______________________________________________ > Captive-portals mailing list > Captive-portals@ietf.org > https://www.ietf.org/mailman/listinfo/captive-portals > >
- [Captive-portals] Thinking of something related t… Kyle Larose
- Re: [Captive-portals] Thinking of something relat… David Bird
- Re: [Captive-portals] Thinking of something relat… Lorenzo Colitti
- Re: [Captive-portals] Thinking of something relat… Dave Dolson
- Re: [Captive-portals] Thinking of something relat… Lorenzo Colitti
- Re: [Captive-portals] Thinking of something relat… David Bird
- Re: [Captive-portals] Thinking of something relat… Alexander Szlezak
- Re: [Captive-portals] Thinking of something relat… Dave Dolson
- Re: [Captive-portals] Thinking of something relat… Lorenzo Colitti
- Re: [Captive-portals] Thinking of something relat… Dave Dolson
- Re: [Captive-portals] Thinking of something relat… David Bird
- Re: [Captive-portals] Thinking of something relat… David Farmer
- Re: [Captive-portals] Thinking of something relat… Erik Kline
- Re: [Captive-portals] Thinking of something relat… Dave Dolson
- Re: [Captive-portals] Thinking of something relat… Kyle Larose
- Re: [Captive-portals] Thinking of something relat… David Bird
- Re: [Captive-portals] Thinking of something relat… Christian Saunders