Re: [Captive-portals] Discovering captive portal API URL via DNS?

"Cappalli, Tim (Aruba Security)" <timc@hpe.com> Wed, 04 September 2019 00:32 UTC

From: "Cappalli, Tim (Aruba Security)" <timc@hpe.com>
To: Lorenzo Colitti <lorenzo=40google.com@dmarc.ietf.org>, "captive-portals@ietf.org" <captive-portals@ietf.org>
Date: Wed, 04 Sep 2019 00:31:34 +0000
Message-ID: <99C952E5-7D05-4F9E-A280-F422DF39FE1D@hpe.com>
References: <CAKD1Yr1mR57OsOzDtjM=7YCV_R6zFF9WPxqA-XrWsuJWv+VTag@mail.gmail.com>
In-Reply-To: <CAKD1Yr1mR57OsOzDtjM=7YCV_R6zFF9WPxqA-XrWsuJWv+VTag@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/XPqkhLm41ZyysryZIgTYvMFQgQQ>

I like that idea, combined with well-known. Ex: https://<targetofcname>/.well-known/capport-api/xyz

Ideally there would be some standardized precedence order, as there are different cases for each of these. An example would be a common DNS service that doesn't have views-like functionality, so the ability to return a different value based on the source IP/subnet may not be possible. In this case, the operator may have control of DHCP and could use 7710.

Tim


Tim Cappalli | Identity & Policy Architect | Aruba Security <https://www.arubanetworks.com/products/security/> | @timcappalli <https://twitter.com/timcappalli>

From: Captive-portals <captive-portals-bounces@ietf.org> on behalf of Lorenzo Colitti <lorenzo=40google.com@dmarc.ietf.org>
Date: Tuesday, September 3, 2019 at 4:45 PM
To: "captive-portals@ietf.org" <captive-portals@ietf.org>
Subject: [Captive-portals] Discovering captive portal API URL via DNS?

All,

During discussions with captive portal operators about implementing the capport API, one of the stumbling blocks that keeps coming up is that the captive portal operator does not always control the DHCP configuration and thus cannot easily use RFC7710.

The WG has previously rejected the option of using a well-known DNS name to discover the URL, because the API itself requires TLS, and without a hostname it is not possible (or at least not easy) to validate the server. However, what if the client did a CNAME query for capport.arpa (or equivalent other local-only, non-DNSSEC-signed name), got back a CNAME for the real server, and then assumed that the API server was https://<targetofcname>/capport-api ?

Alternatively, Erik and Warren suggest RFC 7553. In this scheme the client would do a URI lookup for "capport.arpa" or equivalent, and would take the result of that URL as the API endpoint.

Thoughts?

Regards,
Lorenzo
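As an added illustration of the discovery options discussed in this thread (example code, not from the thread or any capport implementation), the client-side logic below turns a CNAME answer or RFC 7553 URI records for capport.arpa into an API URL, insisting on https because the API requires TLS and the resulting hostname is what the certificate is validated against. The `/.well-known/capport-api` path and the DHCP-then-URI-then-CNAME precedence are assumptions; the resolver answers are constructed inline.

```python
# Added example: derive a capport API URL from the DNS discovery answers discussed
# on the list. Well-known path and precedence order are assumptions, not standard.
from dataclasses import dataclass
from typing import Iterable, Optional
from urllib.parse import urlsplit

WELL_KNOWN_PATH = "/.well-known/capport-api"  # assumed, per Tim's suggestion


@dataclass(frozen=True)
class UriRecord:
    """RFC 7553 URI RDATA fields: priority, weight, target URI."""
    priority: int
    weight: int
    target: str


def is_usable_api_url(url: str) -> bool:
    """The capport API requires TLS, so only https URLs with a hostname qualify;
    that hostname is what the client validates the server certificate against."""
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.hostname)


def url_from_cname(cname_target: str) -> Optional[str]:
    """Option 1 (CNAME for capport.arpa): https://<target><well-known path>.
    A target that is not a bare hostname is rejected rather than guessed at."""
    host = cname_target.rstrip(".").lower()
    if not host or any(ch in host for ch in "/?#@: "):
        return None
    return f"https://{host}{WELL_KNOWN_PATH}"


def url_from_uri_records(records: Iterable[UriRecord]) -> Optional[str]:
    """Option 2 (RFC 7553 URI lookup): lowest priority wins; among equal priorities
    the highest weight is taken (a deterministic stand-in for the weighted random
    choice). Non-https targets are skipped, never downgraded to."""
    for rec in sorted(records, key=lambda r: (r.priority, -r.weight)):
        if is_usable_api_url(rec.target):
            return rec.target
    return None


def discover_api_url(dhcp_url: Optional[str] = None,
                     uri_records: Iterable[UriRecord] = (),
                     cname_target: Optional[str] = None) -> Optional[str]:
    """Assumed precedence (the thread asks for one but does not define it):
    RFC 7710 DHCP option, then URI record, then the CNAME convention."""
    if dhcp_url and is_usable_api_url(dhcp_url):
        return dhcp_url
    return url_from_uri_records(uri_records) or url_from_cname(cname_target or "")
```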