IETF Logo Mail Archive

Re: [Captive-portals] Questions about PvD/API

David Bird <dbird@google.com> Thu, 24 August 2017 19:34 UTC

Return-Path: <dbird@google.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EA23213213D for <captive-portals@ietfa.amsl.com>; Thu, 24 Aug 2017 12:34:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eRW4tiYPE-XV for <captive-portals@ietfa.amsl.com>; Thu, 24 Aug 2017 12:34:42 -0700 (PDT)
Received: from mail-qt0-x232.google.com (mail-qt0-x232.google.com [IPv6:2607:f8b0:400d:c0d::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DA42A132031 for <captive-portals@ietf.org>; Thu, 24 Aug 2017 12:34:41 -0700 (PDT)
Received: by mail-qt0-x232.google.com with SMTP id v29so2266124qtv.3 for <captive-portals@ietf.org>; Thu, 24 Aug 2017 12:34:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=PhRripqSXz8GYSwOVt3tPkAJGzYrWC4pjOkEbNt0mQ0=; b=AZJhuXhv8CcZHDZLor12BBkLTDk7kKCNGMQW0QAQbVxNAgq0l7sQE6RTBA8nqFEwr+ X1j8xf1TyTzcAj/kD0qQ/+4u6veArAv9WRZLZZif/XAyG316KtLtts+EqMdGel3b/hnw FjoCghBbq0GGlI91duM3+mvH2hPK7PxX67MHkWlXSaIu65EGPlTste9xHsI24Nsjkr0D dC4kbP9sBy572+a07ShB+9tkPof5crL7mNpSE/tjae20oQuyhgnA2QtNbINyfG8gzv3q 6nJk+YNhBt5Lb80x1ESS6pCmGvm749DDjpZn7voXTfgmk1rGsS/OO62woHhUtcA2maUA Vrrg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=PhRripqSXz8GYSwOVt3tPkAJGzYrWC4pjOkEbNt0mQ0=; b=nDrXpilA/ovj0NVJ4TK3CWRTlQuVtnaPC7yBetq6rXWe+lzyWXdv7uwrIKTxGc/7dV 2nNUEXpKEUJANnlZDekQ3W9hiwJRXAd51Cfs/JphHi5eqInUE6Ik12YgXXcjNxf/9FUu suEiDtq5YbtKYREH7RCJI/si1RXxg8qLbqd/LfZEP2Cm7bKhRzsS0h0Lhw2IAQdiPlXl dnLAEUFl8l13VbedpeXClqsBzMZsj7n/B9jWXv8uWd+JsTI5s4RYgArA6NftPizi8U2c vh4s9q7q02/8nZnzQSWayAIYSm2OIWpxfRR2qteoXxpOdD/lASb9rZ9l4fBj/Z71mNnJ wVQw==
X-Gm-Message-State: AHYfb5i6+ovUUtS8T/qIkpBigEn4OheFp3T0jz6XwszGzw0fNN5ICig7 3CJ6Wcqfp/X44btFr7RJCL+zUEbxySaJ
X-Google-Smtp-Source: ADKCNb5r3z+u9Du5f14y1pVFaVJRlUkbPLkuJ7X0lGSDj1FJCYGVdYpJGMpUHczLk8Blhi3u0IoxsdmHwpcrgF8vh7M=
X-Received: by 10.200.47.118 with SMTP id k51mr3768889qta.46.1503603280577; Thu, 24 Aug 2017 12:34:40 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.12.132.102 with HTTP; Thu, 24 Aug 2017 12:34:39 -0700 (PDT)
In-Reply-To: <B05E727C-6F8B-438F-8DC9-1B1528CE73A5@apple.com>
References: <CADo9JyU+XGYFWdNeXOBw1O43Pjyn0jZhGxDTb7VbLF+Jg4Xj4w@mail.gmail.com> <CAAedzxq4UhueFW=U-Tuc1gvG8Tapc7VE7BM2Akt9OXuzN3jLyQ@mail.gmail.com> <CADo9JyW0J7xzaosG5PJOFPHMy2g6vZ1cVpW6_YsuOdaKWqumkQ@mail.gmail.com> <A5B74413-32D8-4FE4-BDF7-DAA95266AAF4@apple.com> <CADo9JyUJTPRT9454VdZEM1nwFfxPSrMX3+Uk9i325uboQUya7g@mail.gmail.com> <7B520EA6-7B55-46B1-B084-F1CADF7DE28B@apple.com> <CADo9JyVSW5==nQOUMUUYWj743LmZCUjE9=W-YXnK-KMS-88AoQ@mail.gmail.com> <CABkgnnV1OT_29fdNbCDDJMgeRDNeOM8u2PYA94opo+ujj2=Avw@mail.gmail.com> <CADo9JyUdBZbBmwE0B21ryFuefQEaTiWLHD-w8AZSyWACH9u2dg@mail.gmail.com> <CABkgnnWbhHOmZRsvpEb0XusRtUJUPp7vpdM7V_4nLnC_B-mfKQ@mail.gmail.com> <CADo9JyUP_FWznzDWDO1s9-8B8-hMAUkFAMaa68uUZ1xR8CKHyw@mail.gmail.com> <CAKD1Yr0OrthUda3+ic3g83vWEpBATpcF4Z=4ENNg+ZuyySDMdg@mail.gmail.com> <CADo9JyW=wYh5y87KZrfs56fFze_VkdvUt-hF_SNeokPONxDuGA@mail.gmail.com> <CAKD1Yr2GpTX9NPTNJVbGjF+PxuNNyhgaRNjr0qMW90rVHeM_+g@mail.gmail.com> <98352984-4E92-42EC-97FE-B652C0FC41AF@apple.com> <CADo9JyVzW3TxFCHv=1N=Qsm2Th7gw7Yby8mdG2hOVWQQ_9YGpw@mail.gmail.com> <CAKD1Yr0_ksXDy6Ckc6RuFjYf+t4fiA4dJfAToZjfgrqed4h4QA@mail.gmail.com> <B05E727C-6F8B-438F-8DC9-1B1528CE73A5@apple.com>
From: David Bird <dbird@google.com>
Date: Thu, 24 Aug 2017 12:34:39 -0700
Message-ID: <CADo9JyW8sciu2V4g9e3V2M+9VmMs6DdvPhktJKZ-uhWQkzztQQ@mail.gmail.com>
To: Tommy Pauly <tpauly@apple.com>
Cc: Lorenzo Colitti <lorenzo@google.com>, Erik Kline <ek@google.com>, "Eric Vyncke (evyncke)" <evyncke@cisco.com>, captive-portals@ietf.org, Martin Thomson <martin.thomson@gmail.com>
Content-Type: multipart/alternative; boundary="001a11431cea6cb59a055784ebf9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/fp-3O-sXPCcPMMzxt0XW8krcDUE>
Subject: Re: [Captive-portals] Questions about PvD/API
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Aug 2017 19:34:45 -0000

There are no unsolicited pushes of ICMP by the network; they all have a
flow context and in response to traffic (in the latest draft). There isn't
any need for an idle device to require notification (and should be left to
go idle... stop session, lose lease, etc). The ICMP proposal does
allow for "when
to re-join the portal" warning notifications... and, when time does expire,
the notification is immediate (assuming there is traffic).

I'm not convinced this really improves the 'trust model' as the weakest
link, as discussed, was in discovery. Having a source to query about
information is a good idea, and some networks even already do such things
[1]...

However, the assumptions behind a PvD web service 'working' are huge.. It
will *require* RADIUS Accounting integration such that this API knows when
sessions start/stop. It will *require* knowing RADIUS Authorization logic
to know, before hand, when the RADIUS server might be sending a CoA to stop
the session (to provide the warnings) -- it would also need to be
integrated with provisioning logic (be it in RADIUS, or a portal, or both)
for situations where a CoA is sent for reasons other than Stop (to change
walled garden, session parameters, etc).

Should "First Vendor to Release PvD Client" products start getting
complaints about their devices having problems at Hotspots, unseen by other
devices, what will they do?

I was only proposing the client heuristics as something the client _could_
do, should that _threat_ actually materialize... (which I doubt)

[1]
https://sourceforge.net/p/hotcakes/wiki/Coova%20Chilli%20JSON%20Interface/

On Thu, Aug 24, 2017 at 9:03 AM, Tommy Pauly <tpauly@apple.com> wrote:

> If the client OS needs to add in heuristics to reach a certain volume of
> ICMP messages before trusting them, I think the design is flawed. Beyond
> that, the information we'd like to get isn't just as simple as a boolean
> value that can be aggregated (like unreachable would be). Among the
> problems we're trying to solve for CAPPORT is "how much time do I have
> left", and "when to re-join the portal". Having a source we can query about
> those properties seems to dramatically simplify the flow and trust model.
> However we do things, it seems like this information should be pull-able
> (even if it allows the client to open a connection on which changes are
> pushed or notified) rather than unsolicited pushes of ICMP by the network.
>
> On Aug 24, 2017, at 8:33 AM, Lorenzo Colitti <lorenzo@google.com> wrote:
>
> It seems to me that any solution involving coordination between two
> protocols is little different, in terms of your criticism that it will lead
> to "a higher rate of misconfiguration", from the PVD solution. (Personally
> I don't think that's a valid argument - saying that if you misconfigure the
> network it won't work well is pretty much a tautology - but you were the
> one that cited that argument in support of the ICMP solution.)
>
> As for several flows, I don't see what would stop an attacker from trying
> to spoof several flows.
>
> On Fri, Aug 25, 2017 at 12:21 AM, David Bird <dbird@google.com> wrote:
>
>> You are both describing decisions the UE makes... perhaps the UE waits
>> for several flows (with same session-id) to indicate capport warning/errors
>> before acting on it... especially when already connected. There were also
>> proposals to link the ICMP messages to the DHCP message somehow so that
>> ICMP is 'authenticated' against the original DHCP. Theses are solvable
>> concerns, not road blocks.
>>
>>
>>
>> On Thu, Aug 24, 2017 at 8:14 AM, Tommy Pauly <tpauly@apple.com> wrote:
>>
>>> Right, I think the difference between an unreachable destination, and a
>>> captive portal or walled garden, is that we expect the captive portal style
>>> interaction to be an Operating System-level action, and one that will have
>>> consequences on everything the device does while associated to a given
>>> network. You can certain use spoofed ICMP to disrupt connections, but (a)
>>> the user would notice and (b) you're not causing the Operating System to
>>> change behavior. When the OS thinks it is on a captive network or not, it
>>> will change what network it considers primary/usable, which may potentially
>>> be invisible to the user other than an icon change. I would be able to go
>>> onto a captive network, start sending out ICMP messages, and potentially
>>> bump other people's connection off the network.
>>>
>>> Having the UE fetch some resource in order to determine captive state,
>>> especially if that resource can be somehow signed, makes it much harder for
>>> an attacker to cause the OS to take silent behavior.
>>>
>>> Tommy
>>>
>>> On Aug 24, 2017, at 7:40 AM, Lorenzo Colitti <lorenzo@google.com> wrote:
>>>
>>> A forged destination unreachable can't cause someone else's device to
>>> think that wifi is a portal and switch to possibly expensive cellular data.
>>>
>>> On Thu, Aug 24, 2017 at 11:29 PM, David Bird <dbird@google.com> wrote:
>>>
>>>> Just like the rampant problem we see in ICMP Dest-Unreachable forgery
>>>> attacks?
>>>>
>>>> On Thu, Aug 24, 2017 at 7:01 AM, Lorenzo Colitti <lorenzo@google.com>
>>>> wrote:
>>>>
>>>>> On Thu, Aug 24, 2017 at 10:40 PM, David Bird <dbird@google.com> wrote:
>>>>>
>>>>>> Can you give an example of how ICMP could be misconfigured?
>>>>>>
>>>>>
>>>>> It doesn't matter how hard it is to misconfigure, because it is
>>>>> trivial to forge.
>>>>>
>>>>
>>>>
>>> _______________________________________________
>>> Captive-portals mailing list
>>> Captive-portals@ietf.org
>>> https://www.ietf.org/mailman/listinfo/captive-portals
>>>
>>>
>>>
>>
>
>

v2.23.0 | Report a Bug | By Email