Re: [Captive-portals] Comments on draft-nottingham-capport-problem-00

David Farmer <farmer@umn.edu> Tue, 08 March 2016 15:37 UTC

References: <D2FCEB47.12A6DC%jason_livingood@cable.comcast.com> <CABkgnnV-Nbbt3Mkh-ZOzWig7rJX32SFugkWLnx-t94bA-B__Lw@mail.gmail.com> <E8355113905631478EFF04F5AA706E9830EBCAE6@wtl-exchp-2.sandvine.com> <18C84D29-4E74-463D-B617-5CF25E9DCE7A@mnot.net>
To: Mark Nottingham <mnot@mnot.net>, Dave Dolson <ddolson@sandvine.com>
From: David Farmer <farmer@umn.edu>
Organization: University of Minnesota
Message-ID: <56DEF1A4.70206@umn.edu>
Date: Tue, 08 Mar 2016 09:37:08 -0600
Archived-At: <http://mailarchive.ietf.org/arch/msg/captive-portals/ZcE0I8kHUn8A9xF9fYuwg-pnDL4>
Cc: David Farmer <farmer@umn.edu>, "Livingood, Jason" <Jason_Livingood@comcast.com>, "captive-portals@ietf.org" <captive-portals@ietf.org>, Martin Thomson <martin.thomson@gmail.com>
Subject: Re: [Captive-portals] Comments on draft-nottingham-capport-problem-00

While at the same time if we want people to actually use it, a non-HTTP 
solution can't become a trivially easy off-path attack vector or any of 
a number of other security problems either.

I think a non-HTTP solution is critically important, but it's equally 
important to get the security right for all of this, HTTP(S) based or 
not.  This is going to be fundamentally hard to get right; if it were 
easy we would have dealt with this long ago, but now it's time to work 
through this and get it right.

Thanks

On 3/7/16 19:24 , Mark Nottingham wrote:
> On 8 Mar 2016, at 2:08 AM, Dave Dolson <ddolson@sandvine.com> wrote:
>>
>> Regarding non-browser clients, even non-HTTP clients, and considering
>> this is the IETF, it seems reasonable to find an IP-layer solution vs.
>> an HTTP-layer solution.
>
> Making the presence of a CP clear to non-HTTP clients seems like a good thing. Doing much more than that (e.g., presenting something to the user, getting their credentials) is less attractive.
>
> Cheers,
>
> --
> Mark Nottingham   https://www.mnot.net/

-- 
================================================
David Farmer               Email: farmer@umn.edu
Office of Information Technology
University of Minnesota
2218 University Ave SE     Phone: 1-612-626-0815
Minneapolis, MN 55414-3029  Cell: 1-612-812-9952
================================================