IETF Logo Mail Archive

Re: [Captive-portals] Discovering captive portal API URL via DNS?

Tommy Pauly <tpauly@apple.com> Wed, 04 September 2019 16:00 UTC

Return-Path: <tpauly@apple.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0EADA1208D6 for <captive-portals@ietfa.amsl.com>; Wed, 4 Sep 2019 09:00:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V5psS2hvEHy4 for <captive-portals@ietfa.amsl.com>; Wed, 4 Sep 2019 09:00:36 -0700 (PDT)
Received: from nwk-aaemail-lapp01.apple.com (nwk-aaemail-lapp01.apple.com [17.151.62.66]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 608351208E5 for <captive-portals@ietf.org>; Wed, 4 Sep 2019 09:00:36 -0700 (PDT)
Received: from pps.filterd (nwk-aaemail-lapp01.apple.com [127.0.0.1]) by nwk-aaemail-lapp01.apple.com (8.16.0.27/8.16.0.27) with SMTP id x84FvT5e023770; Wed, 4 Sep 2019 09:00:35 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=sender : content-type : mime-version : subject : from : in-reply-to : date : cc : content-transfer-encoding : message-id : references : to; s=20180706; bh=nxo3E2ZFH5QO70XGbYEzjHzS6kKYDrH2dZfEh8C/6HQ=; b=YdmEnleprpOFAcSP35Bf0x3qzBFoUsrDIMTnxs/2Rj/L0e+Z2tw6nGN4sSnJqLYM8UQ9 8Ba1WlAOH49ZrO/jg7HWT80YrCezC1rHrCb4Tcd1gun83Oo5Pz2CiFOueBJz0wX5UKAw bW1C2ppzEA2FGh7GsqZbg66XGQ6MhU5EdeafYbxEyP7+U9sF6OMt2NM46wBKw0Nz34oB D6XjfL6ATHX3U6+fyk0c/5bWW1TgKQGSIhOzxX64F2us0k6Z0kZYCbLWAhItdhBOZ4F2 fqbBtXfgebWk+96igLIqTaWK2KUhp4jkQ0KfipJj6i755FGCR1xe/wP3+8b1bL8JmL6Q HQ==
Received: from mr2-mtap-s03.rno.apple.com (mr2-mtap-s03.rno.apple.com [17.179.226.135]) by nwk-aaemail-lapp01.apple.com with ESMTP id 2uqqu94sdx-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Wed, 04 Sep 2019 09:00:35 -0700
Received: from nwk-mmpp-sz13.apple.com (nwk-mmpp-sz13.apple.com [17.128.115.216]) by mr2-mtap-s03.rno.apple.com (Oracle Communications Messaging Server 8.0.2.4.20190507 64bit (built May 7 2019)) with ESMTPS id <0PXB00GKHDSYGWA0@mr2-mtap-s03.rno.apple.com>; Wed, 04 Sep 2019 09:00:34 -0700 (PDT)
Received: from process_milters-daemon.nwk-mmpp-sz13.apple.com by nwk-mmpp-sz13.apple.com (Oracle Communications Messaging Server 8.0.2.4.20190507 64bit (built May 7 2019)) id <0PXB00K00DDI6T00@nwk-mmpp-sz13.apple.com>; Wed, 04 Sep 2019 09:00:34 -0700 (PDT)
X-Va-A:
X-Va-T-CD: 08daaeda8696783f7bdde9d2f4757251
X-Va-E-CD: 1678caf26564d39010d11a2a7fa44003
X-Va-R-CD: 4422c39fb9d4f5c432303b352875d325
X-Va-CD: 0
X-Va-ID: 2a0aeb22-8841-498c-9fdf-5ff179fcd2f1
X-V-A:
X-V-T-CD: 08daaeda8696783f7bdde9d2f4757251
X-V-E-CD: 1678caf26564d39010d11a2a7fa44003
X-V-R-CD: 4422c39fb9d4f5c432303b352875d325
X-V-CD: 0
X-V-ID: 70f665c9-77e2-4ccd-b064-ac0940af080a
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-09-04_05:,, signatures=0
Received: from [17.234.100.84] by nwk-mmpp-sz13.apple.com (Oracle Communications Messaging Server 8.0.2.4.20190507 64bit (built May 7 2019)) with ESMTPSA id <0PXB00KJ3DSYUK90@nwk-mmpp-sz13.apple.com>; Wed, 04 Sep 2019 09:00:34 -0700 (PDT)
Sender: tpauly@apple.com
Content-type: text/plain; charset="us-ascii"
MIME-version: 1.0 (Mac OS X Mail 12.4 \(3445.104.2\))
From: Tommy Pauly <tpauly@apple.com>
In-reply-to: <CAKD1Yr1mR57OsOzDtjM=7YCV_R6zFF9WPxqA-XrWsuJWv+VTag@mail.gmail.com>
Date: Wed, 04 Sep 2019 09:00:27 -0700
Cc: captive-portals@ietf.org
Content-transfer-encoding: quoted-printable
Message-id: <D49021C8-A3E5-4351-84CC-812AA20B0899@apple.com>
References: <CAKD1Yr1mR57OsOzDtjM=7YCV_R6zFF9WPxqA-XrWsuJWv+VTag@mail.gmail.com>
To: Lorenzo Colitti <lorenzo=40google.com@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3445.104.2)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-09-04_05:, , signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/XnK21iDfvjTa0sx18_YfxpUJc9I>
Subject: Re: [Captive-portals] Discovering captive portal API URL via DNS?
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Sep 2019 16:00:39 -0000


> On Sep 3, 2019, at 4:44 PM, Lorenzo Colitti <lorenzo=40google.com@dmarc.ietf.org> wrote:
> 
> All,
> 
> During discussions with captive portal operators about implementing the capport API, one of the stumbling blocks that keeps coming up is that the captive portal operator does not always control the DHCP configuration and thus cannot easily use RFC7710.

Thanks for bringing this up.

I wanted to clarify the issue a bit before diving into the mitigations. Do these captive portal operators have *no* relationship to the DHCP configuration? Presumably, the captive portal enforcement is done somewhere on path, in the router, or between the router and the Internet connection. And, if there is redirection of DNS going on, presumably, this is a DNS server that the captive portal (or the operator of the network) has some control over, and is provisioned via DHCP. For such portals, I would assume that it would be as easy to add a DHCP CAPPORT option as it would be to add the DNS server address of the captive portal's resolver (assuming the DHCP implementation supports the option).

Since the mitigation below is specific to modifying the DNS, I assume that we are talking about captive portal solutions that work, in part, by intercepting DNS.

Thanks,
Tommy
> 
> The WG has previously rejected the option of using a well-known DNS name to discover the URL, because the API itself requires TLS, and without a hostname it is not possible (or at least not easy) to validate the server. However, what if the client did a CNAME query for capport.arpa (or equivalent other local-only, non-DNSSEC-signed name), got back a CNAME for the real server, and then assumed that the API server was https://<targetofcname>/capport-api ?
> 
> Alternatively, Erik and Warren suggest RFC 7553. In this scheme the client would do a URI lookup for "capport.arpa" or equivalent, and would take the result of that URL as the API endpoint.
> 
> Thoughts?
> 
> Regards,
> Lorenzo
> _______________________________________________
> Captive-portals mailing list
> Captive-portals@ietf.org
> https://www.ietf.org/mailman/listinfo/captive-portals

v2.23.0 | Report a Bug | By Email