IETF Logo Mail Archive

Re: [Captive-portals] Questions about PvD/API

Vincent van Dam <VvanDam@sandvine.com> Thu, 24 August 2017 20:58 UTC

Return-Path: <VvanDam@sandvine.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71A7E13238E for <captive-portals@ietfa.amsl.com>; Thu, 24 Aug 2017 13:58:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XZb3UllNWNVG for <captive-portals@ietfa.amsl.com>; Thu, 24 Aug 2017 13:58:11 -0700 (PDT)
Received: from mail1.sandvine.com (Mail1.sandvine.com [64.7.137.134]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D940C13235C for <captive-portals@ietf.org>; Thu, 24 Aug 2017 13:58:10 -0700 (PDT)
Received: from BLR-EXCHP-2.sandvine.com (192.168.196.172) by WTL-EXCHP-2.sandvine.com (192.168.194.177) with Microsoft SMTP Server (TLS) id 14.3.319.2; Thu, 24 Aug 2017 16:58:08 -0400
Received: from WTL-EXCHP-2.sandvine.com ([fe80::68ac:f071:19ff:3455]) by blr-exchp-2.sandvine.com ([::1]) with mapi id 14.03.0319.002; Thu, 24 Aug 2017 16:58:08 -0400
From: Vincent van Dam <VvanDam@sandvine.com>
To: Tommy Pauly <tpauly@apple.com>, Lorenzo Colitti <lorenzo@google.com>
CC: Erik Kline <ek@google.com>, "Eric Vyncke (evyncke)" <evyncke@cisco.com>, Martin Thomson <martin.thomson@gmail.com>, "captive-portals@ietf.org" <captive-portals@ietf.org>, David Bird <dbird@google.com>
Thread-Topic: [Captive-portals] Questions about PvD/API
Thread-Index: AQHTC7XWxrFeE70lFk65jmltS0Fvk6KGdjQAgADjFgCAACltAIADs7qAgAAZXQCAAMYwAIACUQUAgALJqgCAADqIAIACfZ0AgAAF1YCAAAfCgIAAAyaAgAAJeACAAAIGgIAAA1cAgAAIWoCAAA7H5g==
Date: Thu, 24 Aug 2017 20:58:06 +0000
Message-ID: <D2A19ABBC0147C40BFBB83D1CF3E95F04010655B@wtl-exchp-2.sandvine.com>
References: <CADo9JyU+XGYFWdNeXOBw1O43Pjyn0jZhGxDTb7VbLF+Jg4Xj4w@mail.gmail.com> <CAAedzxq4UhueFW=U-Tuc1gvG8Tapc7VE7BM2Akt9OXuzN3jLyQ@mail.gmail.com> <CADo9JyW0J7xzaosG5PJOFPHMy2g6vZ1cVpW6_YsuOdaKWqumkQ@mail.gmail.com> <A5B74413-32D8-4FE4-BDF7-DAA95266AAF4@apple.com> <CADo9JyUJTPRT9454VdZEM1nwFfxPSrMX3+Uk9i325uboQUya7g@mail.gmail.com> <7B520EA6-7B55-46B1-B084-F1CADF7DE28B@apple.com> <CADo9JyVSW5==nQOUMUUYWj743LmZCUjE9=W-YXnK-KMS-88AoQ@mail.gmail.com> <CABkgnnV1OT_29fdNbCDDJMgeRDNeOM8u2PYA94opo+ujj2=Avw@mail.gmail.com> <CADo9JyUdBZbBmwE0B21ryFuefQEaTiWLHD-w8AZSyWACH9u2dg@mail.gmail.com> <CABkgnnWbhHOmZRsvpEb0XusRtUJUPp7vpdM7V_4nLnC_B-mfKQ@mail.gmail.com> <CADo9JyUP_FWznzDWDO1s9-8B8-hMAUkFAMaa68uUZ1xR8CKHyw@mail.gmail.com> <CAKD1Yr0OrthUda3+ic3g83vWEpBATpcF4Z=4ENNg+ZuyySDMdg@mail.gmail.com> <CADo9JyW=wYh5y87KZrfs56fFze_VkdvUt-hF_SNeokPONxDuGA@mail.gmail.com> <CAKD1Yr2GpTX9NPTNJVbGjF+PxuNNyhgaRNjr0qMW90rVHeM_+g@mail.gmail.com> <98352984-4E92-42EC-97FE-B652C0FC41AF@apple.com> <CADo9JyVzW3TxFCHv=1N=Qsm2Th7gw7Yby8mdG2hOVWQQ_9YGpw@mail.gmail.com> <CAKD1Yr0_ksXDy6Ckc6RuFjYf+t4fiA4dJfAToZjfgrqed4h4QA@mail.gmail.com>, <B05E727C-6F8B-438F-8DC9-1B1528CE73A5@apple.com>
In-Reply-To: <B05E727C-6F8B-438F-8DC9-1B1528CE73A5@apple.com>
Accept-Language: nl-NL, en-US
Content-Language: nl-NL
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [192.168.141.1]
x-c2processedorg: b2f06e69-072f-40ee-90c5-80a34e700794
Content-Type: multipart/alternative; boundary="_000_D2A19ABBC0147C40BFBB83D1CF3E95F04010655Bwtlexchp2sandvi_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/YHR0zkxHGeKdsZfjRMjFGd4XP6U>
Subject: Re: [Captive-portals] Questions about PvD/API
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Aug 2017 20:58:13 -0000

I agree that the information you describe should be pulled from somewhere, however, I am more concerned _when_ they should be pulled.


In this working group we acknowledged (welcomed) use cases that go beyond connecting to a network; the latest example: https://www.ietf.org/mail-archive/web/captive-portals/current/msg00455.html


If these use cases are indeed in scope; signalling, or a solution that allows detection that the walled garden is (re)activated after joining the network, need to be in place. The alternative to a signal would be polling, or doing some mitm on protocols that allow it. I think both mitm, and polling regularly to see if the connection state is walled are bad.


Just focussing on signalling (without the semantics/api); I think that leaves us with three directions:


* descope any solution that would improve the scenario where walled gardens are (re-)activated

* accept icmp is a valid direction, and think of a way on how we can use this securely in our use-case

* invent a new signal? something the nas is allowed to send to the ue, but not icmp?


Gr., Vincent

________________________________
Van: Captive-portals [captive-portals-bounces@ietf.org] namens Tommy Pauly [tpauly@apple.com]
Verzonden: donderdag 24 augustus 2017 18:03
Aan: Lorenzo Colitti
CC: Erik Kline; Eric Vyncke (evyncke); Martin Thomson; captive-portals@ietf.org; David Bird
Onderwerp: Re: [Captive-portals] Questions about PvD/API

If the client OS needs to add in heuristics to reach a certain volume of ICMP messages before trusting them, I think the design is flawed. Beyond that, the information we'd like to get isn't just as simple as a boolean value that can be aggregated (like unreachable would be). Among the problems we're trying to solve for CAPPORT is "how much time do I have left", and "when to re-join the portal". Having a source we can query about those properties seems to dramatically simplify the flow and trust model. However we do things, it seems like this information should be pull-able (even if it allows the client to open a connection on which changes are pushed or notified) rather than unsolicited pushes of ICMP by the network.

On Aug 24, 2017, at 8:33 AM, Lorenzo Colitti <lorenzo@google.com<mailto:lorenzo@google.com>> wrote:

It seems to me that any solution involving coordination between two protocols is little different, in terms of your criticism that it will lead to "a higher rate of misconfiguration", from the PVD solution. (Personally I don't think that's a valid argument - saying that if you misconfigure the network it won't work well is pretty much a tautology - but you were the one that cited that argument in support of the ICMP solution.)

As for several flows, I don't see what would stop an attacker from trying to spoof several flows.

On Fri, Aug 25, 2017 at 12:21 AM, David Bird <dbird@google.com<mailto:dbird@google.com>> wrote:
You are both describing decisions the UE makes... perhaps the UE waits for several flows (with same session-id) to indicate capport warning/errors before acting on it... especially when already connected. There were also proposals to link the ICMP messages to the DHCP message somehow so that ICMP is 'authenticated' against the original DHCP. Theses are solvable concerns, not road blocks.



On Thu, Aug 24, 2017 at 8:14 AM, Tommy Pauly <tpauly@apple.com<mailto:tpauly@apple.com>> wrote:
Right, I think the difference between an unreachable destination, and a captive portal or walled garden, is that we expect the captive portal style interaction to be an Operating System-level action, and one that will have consequences on everything the device does while associated to a given network. You can certain use spoofed ICMP to disrupt connections, but (a) the user would notice and (b) you're not causing the Operating System to change behavior. When the OS thinks it is on a captive network or not, it will change what network it considers primary/usable, which may potentially be invisible to the user other than an icon change. I would be able to go onto a captive network, start sending out ICMP messages, and potentially bump other people's connection off the network.

Having the UE fetch some resource in order to determine captive state, especially if that resource can be somehow signed, makes it much harder for an attacker to cause the OS to take silent behavior.

Tommy

On Aug 24, 2017, at 7:40 AM, Lorenzo Colitti <lorenzo@google.com<mailto:lorenzo@google.com>> wrote:

A forged destination unreachable can't cause someone else's device to think that wifi is a portal and switch to possibly expensive cellular data.

On Thu, Aug 24, 2017 at 11:29 PM, David Bird <dbird@google.com<mailto:dbird@google.com>> wrote:
Just like the rampant problem we see in ICMP Dest-Unreachable forgery attacks?

On Thu, Aug 24, 2017 at 7:01 AM, Lorenzo Colitti <lorenzo@google.com<mailto:lorenzo@google.com>> wrote:
On Thu, Aug 24, 2017 at 10:40 PM, David Bird <dbird@google.com<mailto:dbird@google.com>> wrote:
Can you give an example of how ICMP could be misconfigured?

It doesn't matter how hard it is to misconfigure, because it is trivial to forge.


_______________________________________________
Captive-portals mailing list
Captive-portals@ietf.org<mailto:Captive-portals@ietf.org>
https://www.ietf.org/mailman/listinfo/captive-portals

v2.23.0 | Report a Bug | By Email