IETF Logo Mail Archive

Re: [Captive-portals] Thinking of something related to captive portals for the ietf98 hackathon

David Bird <dbird@google.com> Wed, 01 March 2017 14:33 UTC

Return-Path: <dbird@google.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A8B761289C4 for <captive-portals@ietfa.amsl.com>; Wed, 1 Mar 2017 06:33:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dqxZPLVBkehk for <captive-portals@ietfa.amsl.com>; Wed, 1 Mar 2017 06:33:06 -0800 (PST)
Received: from mail-qk0-x22a.google.com (mail-qk0-x22a.google.com [IPv6:2607:f8b0:400d:c09::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D459C1294F8 for <captive-portals@ietf.org>; Wed, 1 Mar 2017 06:24:01 -0800 (PST)
Received: by mail-qk0-x22a.google.com with SMTP id n127so72424637qkf.0 for <captive-portals@ietf.org>; Wed, 01 Mar 2017 06:24:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=PvXH91XR39X/nGVNWC2JY+Q84DB6cYYpdrO5MQXNi5A=; b=KnmmTIEu1T34OplYhfN3vIeIWw09IJh7J93yJdyBdx5DCdhigtyOwPI/SVGZd+Yyyy Qfi6sUyPLHpTGJkoTnE+/jx9eXTdoXU6EHWJTkBzsu4azWlBKWH4HujXxYLyNXBv2i+G 8ROlHmWxoH9F01q2J18gUdrQel+2aN254vj7GfopINtCZ2gPhJyECYfJXIfHxezHZ2+R eordQlVMbuNZXD4KyfIvncpzvAvWE18MuROVVI0I2ehMUBOb8uGifZE3HdrF0+jt5Gan kJXJ+RREG5MuuIqfHSnw/C/aoHaYpCnvQcsiEYsJKYpxj0SuMd/k4bwm0TwM5QRv8UhX tGOQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=PvXH91XR39X/nGVNWC2JY+Q84DB6cYYpdrO5MQXNi5A=; b=nJN07j4VeVPWlsIgTkJ88corzGX9Ms92AITF8fLELw1+eQDQCSIzJYL3sMHWqP3OmP f/oMO7IZXCxhJqh2YiHXT8acmqvYjRzKhplDM3dtdpd7ylUdXrRJTGlxJxh8KqZplQ+T vr5Dev++6uBqf7zRdJdfy4T9F2gebo65N34X65bOk5yhFD1rVIxp6HPxGxcqh/VHMLc0 jXFAD9g79ybodmc0RE8NmgFvnxU/xMb/SR7NqdeGuzozjU5+QsdNUB08wzwE7wZ5lYuW YPamNLSyjjmSDG3z6KXd7bL1LfbI/jK9/wxEyFd/PnF6VvaRlN2DfAnHeRoFlB6BYwx/ sR3g==
X-Gm-Message-State: AMke39ny8N+Z/9DkHEXcGTW/eKIRfr0/0+CuyOCzJRjtfG9iyKzDAZXfGko73PtTs0Nl6osgsySBXgWNz06TBu9o
X-Received: by 10.55.77.198 with SMTP id a189mr10302336qkb.318.1488378240631; Wed, 01 Mar 2017 06:24:00 -0800 (PST)
MIME-Version: 1.0
Received: by 10.12.128.167 with HTTP; Wed, 1 Mar 2017 06:24:00 -0800 (PST)
In-Reply-To: <D76BBBCF97F57144BB5FCF08007244A770581B9A@wtl-exchp-1.sandvine.com>
References: <D76BBBCF97F57144BB5FCF08007244A77058108A@wtl-exchp-1.sandvine.com> <CADo9JyUz6QRVg23cFmv7xTu_0dzbQM-xVXx7=79k3ao+59szVg@mail.gmail.com> <CAKD1Yr0B2HUz6AXExA7nK3URqkq3yFFuBXRVGM+mMR+KjnO1Ag@mail.gmail.com> <E8355113905631478EFF04F5AA706E987051EC6E@wtl-exchp-1.sandvine.com> <CAKD1Yr0p37+SuE03SLKQ2tZDxxeL3=jO8gSw9y66UnYXSDzeKw@mail.gmail.com> <E8355113905631478EFF04F5AA706E987051F25D@wtl-exchp-1.sandvine.com> <CAKD1Yr06UukkD+vM5ueiBfqe4h2t53G=-7hZN=wy1nO1_efJ2w@mail.gmail.com> <E8355113905631478EFF04F5AA706E987051F305@wtl-exchp-1.sandvine.com> <CADo9JyXki8J_Gd_ac8xAsp9V0b79rK0dPdXzHkuoLV-OQ47C2w@mail.gmail.com> <CAAedzxp1GZ8J5h2YnEo+xDAHTjhPHL6_YcfD4p5148G=0a6Mxg@mail.gmail.com> <E8355113905631478EFF04F5AA706E987052118B@wtl-exchp-1.sandvine.com> <D76BBBCF97F57144BB5FCF08007244A770581B9A@wtl-exchp-1.sandvine.com>
From: David Bird <dbird@google.com>
Date: Wed, 01 Mar 2017 06:24:00 -0800
Message-ID: <CADo9JyUq7WjYCWM==udEmtSLUYZP3J07y0Xy7VS22fNjWZGqqQ@mail.gmail.com>
To: Kyle Larose <klarose@sandvine.com>
Content-Type: multipart/alternative; boundary="001a114a836a537bb00549ac1022"
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/jmqZnhEY6LAYjWO0Q5HAacxXA2I>
Cc: "warren@kumari.net" <warren@kumari.net>, Erik Kline <ek@google.com>, "captive-portals@ietf.org" <captive-portals@ietf.org>, Dave Dolson <ddolson@sandvine.com>, Lorenzo Colitti <lorenzo@google.com>
Subject: Re: [Captive-portals] Thinking of something related to captive portals for the ietf98 hackathon
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Mar 2017 14:33:09 -0000

Kyle, I think participating in the hackathon is a great idea...

On Thu, Feb 23, 2017 at 9:01 AM, Kyle Larose <klarose@sandvine.com> wrote:

> Alright. Thanks everyone for the great discussion. Please continue. J
>
>
>
> It sounds like there may be some value in making more progress on the ICMP
> message simply so we can play around with exposing any security holes, and
> finding ways to plug them. So, it still seems like a good hackathon
> candidate to me.
>
>
>
> Also, since this is a hackathon, why not try to work on more than I can
> possibly handle? Let’s try to tackle the REST API for RFC 7710 as well.
> I’ll admit that I’m awful at defining REST APIs, and I don’t really have
> much experience with this technology, so I’m probably not right to do it,
> but maybe someone else could help contribute?
>
>
>
> Can someone maybe confirm the intent of the REST API? I vaguely recall a
> discussion at the BoF about allowing less interactive devices, such as
> smart watches, to authenticate without needing a browser. Was that it?
>
>
>
> There were some volunteers for writing a document defining the
> aforementioned REST API at the BoF. Is there a rough draft we could work
> from at the hackathon?
>
>
>
> Anyway, I think I’ll add the following to the hackathon wiki:
>
>
>
> Technology: Captive Portal
>
> Projects
>
> ·         Finish up the icmp I-D in coova-chili
>
> ·         Try out various client solutions for consuming the icmp message.
>
> ·         Try to find security holes in the icmp I-D, and plug them (the
> output being suggestions to improve the I-D)
>
> ·         Work on defining and implementing a REST API for RFC 7710
>
>
>
> How does that sound?
>
>
>
> Thanks,
>
>
>
> Kyle
>
>
>
> *From:* Dave Dolson
> *Sent:* Thursday, February 23, 2017 9:27 AM
> *To:* Erik Kline; David Bird
> *Cc:* captive-portals@ietf.org; Kyle Larose; warren@kumari.net; Lorenzo
> Colitti
> *Subject:* RE: [Captive-portals] Thinking of something related to captive
> portals for the ietf98 hackathon
>
>
>
> Erik,
>
> I don’t think it is onerous.
>
> But, the device causing captive portal is not always on the local subnet
> of the end-user device.
>
>
>
> I think it is better to have a security scheme that doesn’t depend on TTL.
>
>
>
> -Dave
>
>
>
>
>
> *From:* Erik Kline [mailto:ek@google.com]
> *Sent:* Wednesday, February 22, 2017 9:52 PM
> *To:* David Bird
> *Cc:* Dave Dolson; captive-portals@ietf.org; Kyle Larose;
> warren@kumari.net; Lorenzo Colitti
> *Subject:* Re: [Captive-portals] Thinking of something related to captive
> portals for the ietf98 hackathon
>
>
>
> How onerous would it be to require that an ICMPv[46] message with a
> captive portal code also have a hoplimit of 255 (i.e. be link-local / from
> an on-link source)?
>
>
>
> I could imagine writing a user-space daemon that listens for ICMP message
> of one specific type, and validates the hoplimit with traditional cmsg
> tricks.  Furthermore, only having to do so on networks advertising a 7710
> option would be good.
>
>
>
> On 23 February 2017 at 02:10, David Bird <dbird@google.com> wrote:
>
> Further, we could tie this to RFC 7710, so that you can disregard this
> ICMP from networks not expected to be captive portal and networks who do
> implement captive portal can easily (as in iptables rules) filter out
> external ICMP of this nature.
>
>
>
> On Wed, Feb 22, 2017 at 9:07 AM, Dave Dolson <ddolson@sandvine.com> wrote:
>
> Agreed. Hence the discussion about using a difficult-to-guess token in the
> message.
> ------------------------------
>
> *From:* Lorenzo Colitti [lorenzo@google.com]
> *Sent:* Wednesday, February 22, 2017 12:05 PM
>
>
> *To:* Dave Dolson
> *Cc:* David Bird; warren@kumari.net; Kyle Larose; captive-portals@ietf.org
> *Subject:* Re: [Captive-portals] Thinking of something related to captive
> portals for the ietf98 hackathon
>
>
>
> The ability for any host in the Internet to trigger an instant response
> sounds it could turn into a DOS vector, though.
>
>
>
> On Thu, Feb 23, 2017 at 2:04 AM, Dave Dolson <ddolson@sandvine.com> wrote:
>
> As I understand it, to "think something is wrong" requires an
> application-layer timeout. Some people think this is about 5s, but I don't
> believe TCP specifies an upper bound.
>
> An ICMP message can give an "instant" response.
>
> It's worth considering that the ICMP message may trigger the "sacrificial"
> HTTP request by the operating system.
>
> ------------------------------
>
> *From:* Lorenzo Colitti [lorenzo@google.com]
> *Sent:* Wednesday, February 22, 2017 10:24 AM
> *To:* Dave Dolson
> *Cc:* David Bird; warren@kumari.net; Kyle Larose; captive-portals@ietf.org
>
>
> *Subject:* Re: [Captive-portals] Thinking of something related to captive
> portals for the ietf98 hackathon
>
>
>
> Ok, but the implementations that are the most likely to implement this
> sort of feature already send sacrificial plaintext HTTP requests on
> connect, and are quite capable of generating HTTP requests on demand when
> they think something is wrong.
>
>
>
> On Wed, Feb 22, 2017 at 11:53 PM, Dave Dolson <ddolson@sandvine.com>
> wrote:
>
> Lorenzo,
> My interest in ICMP is that it could work with any protocol, not just
> HTTP, and doesn't require any MITM for HTTPS.
> I recall a discussion about adding a difficult-to-guess token to the ICMP
> message, making it hard to spoof.
>
> -Dave
>
> ------------------------------
>
> *From:* Captive-portals [captive-portals-bounces@ietf.org] on behalf of
> Lorenzo Colitti [lorenzo@google.com]
> *Sent:* Wednesday, February 22, 2017 9:42 AM
> *To:* David Bird
> *Cc:* warren@kumari.net; Kyle Larose; captive-portals@ietf.org
> *Subject:* Re: [Captive-portals] Thinking of something related to captive
> portals for the ietf98 hackathon
>
> I'm not a fan of the ICMP method. I think the security implications need
> more thought.
>
>
>
> As is, it looks like pretty much anyone on the Internet can send you one
> of these packets, and you have no way of knowing if it's legitimate.
> Relying on such an easy-to-spoof signal to decide that a network no longer
> provides Internet access could be quite harmful, particularly if the
> receiving device decided to switch to cellular data and incur the
> associated traffic costs. Even if the signal is only taken as a hint to
> revalidate the network, that still has battery implications.
>
>
>
> It would seem to be much more useful to use:
>
>    - A header in the initial redirect that captive portals almost always
>    generate.
>    - A well-known URL where the state of the captive portal can be
>    revalidated, either periodically or when some other indication of loss of
>    connectivity is observed.
>
> At the last IETF we talked about possibly having a more structured way of
> communicating this and other bits of information from captive portal to
> host (a RESTful API, IIRC). That would also be useful, if we can all
> collectively resist the temptation to overengineer such a mechanism. :-)
>
>
>
> On Wed, Feb 22, 2017 at 11:31 PM, David Bird <dbird@google.com> wrote:
>
> Hi Kyle,
>
>
>
> I think that is a great idea!
>
>
>
> I had started to implement here: https://github.com/
> coova/coova-chilli/tree/capport-icmp
>
>
>
> What would be nice, in addition to the NAS changes, is to also demonstrate
> the client side ... either something like icmpd
> <https://github.com/snaewe/books-code/tree/master/unpv13e/icmpd> (to
> listen for the ICMP and provide applications a way of checking the status
> of their dest. unreach. connections), or the necessary Linux kernel
> changes. Also with kernel changes, the I-D could also be implemented using
> iptables, or other NAS software too.
>
>
>
> Cheers,
>
> David
>
>
>
>
>
> On Wed, Feb 22, 2017 at 6:12 AM, Kyle Larose <klarose@sandvine.com> wrote:
>
> Hey everyone,
>
> I was thinking of doing something (anything) related to captive portals
> for the ietf 98 hackathon. In particular, https://tools.ietf.org/html/
> draft-wkumari-capport-icmp-unreach-01 caught my eye. I was wondering if
> anyone had thoughts on that, and whether there is anything else they'd like
> to see me champion.
>
> Thanks,
>
> Kyle
>
> _______________________________________________
> Captive-portals mailing list
> Captive-portals@ietf.org
> https://www.ietf.org/mailman/listinfo/captive-portals
>
>
>
>
> _______________________________________________
> Captive-portals mailing list
> Captive-portals@ietf.org
> https://www.ietf.org/mailman/listinfo/captive-portals
>
>
>
>
>
>
>
>
>
>
> _______________________________________________
> Captive-portals mailing list
> Captive-portals@ietf.org
> https://www.ietf.org/mailman/listinfo/captive-portals
>
>
>

v2.23.0 | Report a Bug | By Email