Re: [Captive-portals] Discovering captive portal API URL via DNS?
Erik Kline <ek@loon.com> Wed, 04 September 2019 01:05 UTC
Return-Path: <ek@google.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC7B5120098 for <captive-portals@ietfa.amsl.com>; Tue, 3 Sep 2019 18:05:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.149
X-Spam-Level:
X-Spam-Status: No, score=-9.149 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, HTTP_ESCAPED_HOST=0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=loon.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CXhF9DVPNP_G for <captive-portals@ietfa.amsl.com>; Tue, 3 Sep 2019 18:05:41 -0700 (PDT)
Received: from mail-wr1-x436.google.com (mail-wr1-x436.google.com [IPv6:2a00:1450:4864:20::436]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 177F812006F for <captive-portals@ietf.org>; Tue, 3 Sep 2019 18:05:41 -0700 (PDT)
Received: by mail-wr1-x436.google.com with SMTP id s18so19387891wrn.1 for <captive-portals@ietf.org>; Tue, 03 Sep 2019 18:05:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=loon.com; s=google; h=mime-version:references:in-reply-to:reply-to:from:date:message-id :subject:to:cc; bh=0bqPyf9hGTLJY6kE8eu+r2/oAllhYqX7XM0bn/beLdA=; b=R8EZYeIePIlCcCLGqY/kQtABJJaRLFbdPLB0CEk9BtCC+/vqyDEYijPfEbI6Glu5AV mqtuNo3iTD9GGZ2dTDYKsrMZiVHg1gI+RqLkcRKLHHOcI2/BlfgplF7BDvgXrk9N8eF3 PinS/z6tMo1Pe/AcnWhsXSd1GceUjqNuSvP+Q=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:reply-to :from:date:message-id:subject:to:cc; bh=0bqPyf9hGTLJY6kE8eu+r2/oAllhYqX7XM0bn/beLdA=; b=J2DF89+PN6nxgQBeV/8RyKtZhw2MN8y0o4NORVDjrwAdi8tX6cUkAh4kDd7McuBbPc r3wfX87C9NOycfjK6midwu/EyBVXzjiC6mdRn7qciVrfo0BRJom315QGK+dEAiqpetME N1yo7UXIZLpD5vzKY0CCAlhKBZPruzxLrBVs58CyFt0xqESF8BDN0dN966cGWZ7yRrGe cK8Q5zK9tobD+Jtta0yRP0wlinE6YCq4Zd27XwpljRsqQCQtQFAzNiMuJYvcTPt0cbKG 0b3iymPW4BQpz5fXd2Kh5WIgr0Yv+TfRnwI2QQe5mDJVIV8krEkRya2pexEAPI1nMQP+ pvDA==
X-Gm-Message-State: APjAAAV8EV/jz6ZzkxsuNAAZankc+hrNBlWNAYXv8JrEURgmrEUpDD4j J23RRZ4rq3d2+TYiDJy1454pOLvv+LxrC5PbEElOqw==
X-Google-Smtp-Source: APXvYqyR6j3VuMnvr76zxgClNSBqjpe5hEa1/OLVkJNmImsQHjAx63DsXCoWoplOBn/0OkrZpVVYEF7wEx+N8h40KpE=
X-Received: by 2002:adf:ff8e:: with SMTP id j14mr45274325wrr.141.1567559139191; Tue, 03 Sep 2019 18:05:39 -0700 (PDT)
MIME-Version: 1.0
References: <CAKD1Yr1mR57OsOzDtjM=7YCV_R6zFF9WPxqA-XrWsuJWv+VTag@mail.gmail.com> <99C952E5-7D05-4F9E-A280-F422DF39FE1D@hpe.com>
In-Reply-To: <99C952E5-7D05-4F9E-A280-F422DF39FE1D@hpe.com>
Reply-To: ek@loon.com
From: Erik Kline <ek@loon.com>
Date: Tue, 03 Sep 2019 18:05:27 -0700
Message-ID: <CAAedzxoJpCavhkzM01Fekwv_A-n6VwfcM7Z37WdPdEKk77expQ@mail.gmail.com>
To: "Cappalli, Tim (Aruba Security)" <timc@hpe.com>
Cc: Lorenzo Colitti <lorenzo=40google.com@dmarc.ietf.org>, "captive-portals@ietf.org" <captive-portals@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a853ce0591afcd8e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/UQ4soiJHtLpTTsKELhYvJGxB6Ik>
Subject: Re: [Captive-portals] Discovering captive portal API URL via DNS?
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Sep 2019 01:05:43 -0000
Chair hat off, co-author hat on. We can certain craft some text to round out https://tools.ietf.org/html/draft-ietf-capport-rfc7710bis-00#section-4 when the time comes. Certainly DHCP/RA would retain highest precedence. RFC 7553 URI records would obviate the inevitable discussion about the merits of .well-known (I know nothing about .well-known/ except that it tends to bring up some (.)well-known responses). Where would you slot DNS results relative to link relation in an HTTP intercept/redirect? On Tue, 3 Sep 2019 at 17:32, Cappalli, Tim (Aruba Security) <timc@hpe.com> wrote: > I like that idea, combined with well known. Ex: > https://<targetofcname>/.well-known/capport-api/xyz > > > > Ideally there would be some standardized precedence order as there are > different cases for each of these. An example would be a common DNS a > service that doesn’t have views-like functionality so the ability to return > a different value based on the source IP/subnet may not be possible. In > this case, the operator may have control of DHCP and could use 7710. > > > > Tim > > > > > > *Tim Cappalli* *|* Identity & Policy Architect *|* Aruba Security > <https://www.arubanetworks.com/products/security/> *|* @timcappalli > <https://twitter.com/timcappalli> > > > > *From: *Captive-portals <captive-portals-bounces@ietf.org> on behalf of > Lorenzo Colitti <lorenzo=40google.com@dmarc.ietf.org> > *Date: *Tuesday, September 3, 2019 at 4:45 PM > *To: *"captive-portals@ietf.org" <captive-portals@ietf.org> > *Subject: *[Captive-portals] Discovering captive portal API URL via DNS? > > > > All, > > > > During discussions with captive portal operators about implementing the > capport API, one of the stumbling blocks that keeps coming up is that the > captive portal operator does not always control the DHCP configuration and > thus cannot easily use RFC7710. > > > > The WG has previously rejected the option of using a well-known DNS name > to discover the URL, because the API itself requires TLS, and without a > hostname it is not possible (or at least not easy) to validate the server. > However, what if the client did a CNAME query for capport.arpa (or > equivalent other local-only, non-DNSSEC-signed name), got back a CNAME for > the real server, and then assumed that the API server was > https://<targetofcname>/capport-api ? > > > > Alternatively, Erik and Warren suggest RFC 7553. In this scheme the client > would do a URI lookup for "capport.arpa" or equivalent, and would take the > result of that URL as the API endpoint. > > > > Thoughts? > > > > Regards, > > Lorenzo > _______________________________________________ > Captive-portals mailing list > Captive-portals@ietf.org > https://www.ietf.org/mailman/listinfo/captive-portals >
- [Captive-portals] Discovering captive portal API … Lorenzo Colitti
- Re: [Captive-portals] Discovering captive portal … Cappalli, Tim (Aruba Security)
- Re: [Captive-portals] Discovering captive portal … Erik Kline
- Re: [Captive-portals] Discovering captive portal … Lorenzo Colitti
- Re: [Captive-portals] Discovering captive portal … Erik Kline
- Re: [Captive-portals] Discovering captive portal … Martin Thomson
- Re: [Captive-portals] Discovering captive portal … Lorenzo Colitti
- Re: [Captive-portals] Discovering captive portal … Michael Richardson
- Re: [Captive-portals] Discovering captive portal … Lorenzo Colitti
- Re: [Captive-portals] Discovering captive portal … Michael Richardson
- Re: [Captive-portals] Discovering captive portal … Tommy Pauly
- Re: [Captive-portals] Discovering captive portal … Tommy Pauly
- Re: [Captive-portals] Discovering captive portal … Michael Richardson
- Re: [Captive-portals] Discovering captive portal … Nicolas Mailhot