[Captive-portals] Review of draft-wkumari-capport-icmp-unreach-01
Martin Thomson <martin.thomson@gmail.com> Sat, 01 April 2017 20:48 UTC
From: Martin Thomson <martin.thomson@gmail.com>
Date: Sat, 01 Apr 2017 15:40:32 -0500
To: captive-portals@ietf.org, draft-wkumari-capport-icmp-unreach@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/cfv9jNwLJpAhvntjGwUSLarXwgg>
(As a contributor only.)

David, Warren,

Looking at this draft, I think that there are a few fairly major changes that this could benefit from.

# Extension payload

The presence of the extension is sufficient signaling for this channel. If we accept that there will be a protocol for asking the portal for basic information about connectivity, the UE/device/etc can query that interface for expiration time.

The warning bit seems dangerous in this context given that it establishes a non-backwards-compatible behaviour. To an entity that doesn't understand this extension, ICMP Unreachable means that the packet was not forwarded. I don't think that an extension can safely change this.

The one obvious caveat for this comment is if we determine that RFC 7710 is insufficient for advertisement of the captive portal URL. In that case, we might consider adding the URL to the ICMP message. I don't see any evidence that this is necessary yet, and that would compound the next issue, but it's something to consider.

# Security considerations

There is a fairly direct path between this message and a user visiting the site identified. Now, it is well-accepted that it is easy to cause a user to visit any site, but nonetheless this needs to be discussed.

We can also offer some suggestions for reducing the use of this message by arbitrary endpoints. For example, a device that receives this message might not act immediately, but instead trigger portal detection routines before opening a browser. Those routines might involve sending more packets and looking for more ICMP unreachable packets. For this reason, I think that we should mandate the use of RFC 4884 and a minimum size for the echo of the dropped packet.
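A receiver-side check of the kind the last paragraph argues for, as an added example that is not from the draft or from this thread: before acting on an ICMPv4 Destination Unreachable, the host confirms that it carries an RFC 4884 extension, that the echoed original datagram meets the 128-octet minimum and matches a datagram the host actually sent, and only then parses the extension objects. The object class number CAPPORT_CLASS, the sample datagram and the sent-packet key format are constructed assumptions.

```python
import struct

ICMP_DEST_UNREACH = 3
MIN_ORIGINAL_DATAGRAM = 128  # RFC 4884: the echoed original datagram is padded to >= 128 octets
CAPPORT_CLASS = 0xFE  # constructed placeholder; the draft's object class number is not on the page

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum (RFC 4884 extensions are 32-bit aligned, so no odd tail)."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_icmp_unreach(msg: bytes, sent_keys: set):
    """Validate an ICMPv4 Destination Unreachable (bytes after the IP header) before acting on it.
    sent_keys holds (src, dst, first 8 transport bytes) of datagrams this host recently sent."""
    if len(msg) < 8 or msg[0] != ICMP_DEST_UNREACH:
        return None, "not a Destination Unreachable message"
    orig_len = msg[5] * 4  # RFC 4884: octet 5 is the original datagram length in 32-bit words
    if orig_len < MIN_ORIGINAL_DATAGRAM:
        return None, "no RFC 4884 length field, or echo shorter than 128 octets"
    original, ext = msg[8:8 + orig_len], msg[8 + orig_len:]
    if len(original) < orig_len or len(ext) < 4 or len(ext) % 4:
        return None, "truncated or misaligned message"
    # The echo must match a datagram we really sent; an off-path sender has to guess addresses and ports.
    ihl = (original[0] & 0x0F) * 4
    if (original[12:16], original[16:20], original[ihl:ihl + 8]) not in sent_keys:
        return None, "echoed datagram does not match anything we sent"
    if ext[0] >> 4 != 2 or inet_checksum(ext) != 0:
        return None, "bad extension header version or checksum"
    objects, off = [], 4
    while off + 4 <= len(ext):
        obj_len, cls, ctype = struct.unpack("!HBB", ext[off:off + 4])
        if obj_len < 4 or off + obj_len > len(ext):
            return None, "malformed extension object"
        objects.append((cls, ctype, ext[off + 4:off + obj_len]))
        off += obj_len
    return objects, "ok"

def build_sample(original: bytes, objects) -> bytes:
    """Constructed test message: pad the echo to >= 128 octets and append an extension."""
    padded = original + b"\x00" * max(-len(original) % 4, MIN_ORIGINAL_DATAGRAM - len(original))
    body = b"".join(struct.pack("!HBB", 4 + len(p), c, t) + p for c, t, p in objects)
    ext = struct.pack("!HH", 2 << 12, inet_checksum(struct.pack("!HH", 2 << 12, 0) + body)) + body
    return struct.pack("!BBHBBH", ICMP_DEST_UNREACH, 1, 0, 0, len(padded) // 4, 0) + padded + ext

# Constructed sample: IPv4 + UDP headers of a datagram "we" sent (192.0.2.1 -> 198.51.100.7:53).
SAMPLE_ORIGINAL = (struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0x4000, 64, 17, 0,
                               bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
                   + struct.pack("!HHHH", 40000, 53, 8, 0))
SENT_KEYS = {(SAMPLE_ORIGINAL[12:16], SAMPLE_ORIGINAL[16:20], SAMPLE_ORIGINAL[20:28])}
SAMPLE_MSG = build_sample(SAMPLE_ORIGINAL, [(CAPPORT_CLASS, 1, b"test")])
```

A message whose echo does not match an outstanding datagram, is shorter than 128 octets, or fails the extension checksum is reported as rejected rather than triggering portal handling.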