[Captive-portals] Discovering captive portal API URL via DNS?

Lorenzo Colitti <lorenzo@google.com> Tue, 03 September 2019 23:44 UTC

From: Lorenzo Colitti <lorenzo@google.com>
Date: Wed, 04 Sep 2019 08:44:10 +0900
Message-ID: <CAKD1Yr1mR57OsOzDtjM=7YCV_R6zFF9WPxqA-XrWsuJWv+VTag@mail.gmail.com>
To: captive-portals@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/XlwgyBh85Ag9Ififr2rAsdh3ScA>
Subject: [Captive-portals] Discovering captive portal API URL via DNS?

All,

During discussions with captive portal operators about implementing the
capport API, one of the stumbling blocks that keeps coming up is that the
captive portal operator does not always control the DHCP configuration and
thus cannot easily use RFC7710.

The WG has previously rejected the option of using a well-known DNS name to
discover the URL, because the API itself requires TLS, and without a
hostname it is not possible (or at least not easy) to validate the server.
However, what if the client did a CNAME query for capport.arpa (or
equivalent other local-only, non-DNSSEC-signed name), got back a CNAME for
the real server, and then assumed that the API server was
https://<targetofcname>/capport-api
?

Alternatively, Erik and Warren suggest RFC 7553. In this scheme the client
would do a URI lookup for "capport.arpa" or equivalent, and would take the
result of that URL as the API endpoint.

Thoughts?

Regards,
Lorenzo
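As an added illustration (not part of Lorenzo's message, and not code from any capport implementation), the two proposed lookups worked over constructed DNS responses: a CNAME answer whose target becomes the host that the TLS certificate must be validated against, and an RFC 7553 URI answer whose target is accepted only when it is https, since the API itself requires TLS. The host api.example.net and the /captive-portal path are assumptions.

```python
import struct
from urllib.parse import urlsplit

DISCOVERY_NAME = "capport.arpa"   # proposed local-only, unsigned discovery name
QTYPE_CNAME, QTYPE_URI = 5, 256   # RFC 1035 CNAME and RFC 7553 URI record types

def encode_name(name):
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\0"
def read_name(msg, off):  # decode a (possibly compressed) name -> (name, next offset)
    labels = []
    while msg[off] and msg[off] < 0xC0:
        ln = msg[off]
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln
    if msg[off]:  # compression pointer: the rest of the name lives elsewhere in msg
        ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        return ".".join(labels + [read_name(msg, ptr)[0]]), off + 2
    return ".".join(labels), off + 1
def answers(msg):  # yield (owner, qtype, rdata offset, rdata) per answer-section RR
    _, _, qd, an, _, _ = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):  # skip the question section
        off = read_name(msg, off)[1] + 4
    for _ in range(an):
        owner, off = read_name(msg, off)
        qtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield owner, qtype, off, msg[off:off + rdlen]
        off += rdlen
def api_url_from_cname(msg, path="/capport-api"):
    # Scheme 1: the CNAME target is the host the TLS certificate must be validated against.
    for owner, qtype, rd_off, _ in answers(msg):
        if owner == DISCOVERY_NAME and qtype == QTYPE_CNAME:
            return f"https://{read_name(msg, rd_off)[0]}{path}"
    return None
def api_url_from_uri(msg):
    # Scheme 2: URI rdata is priority, weight, target; the API requires TLS, so only https.
    for owner, qtype, _, rdata in answers(msg):
        if owner == DISCOVERY_NAME and qtype == QTYPE_URI:
            url = rdata[4:].decode("utf-8")
            return url if urlsplit(url).scheme == "https" else None
    return None
def build_response(qtype, rdata):  # constructed reply: one question, one answer RR
    return (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
            + encode_name(DISCOVERY_NAME) + struct.pack("!HH", qtype, 1)
            + b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 60, len(rdata)) + rdata)

# Constructed sample responses (api.example.net and the URI path are assumptions)
CNAME_RESPONSE = build_response(QTYPE_CNAME, encode_name("api.example.net"))
URI_RESPONSE = build_response(QTYPE_URI, b"\x00\x0a\x00\x01https://api.example.net/captive-portal")
```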