Re: [Captive-portals] Thinking of something related to captive portals for the ietf98 hackathon
David Bird <dbird@google.com> Wed, 01 March 2017 14:33 UTC
Return-Path: <dbird@google.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A8B761289C4 for <captive-portals@ietfa.amsl.com>; Wed, 1 Mar 2017 06:33:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dqxZPLVBkehk for <captive-portals@ietfa.amsl.com>; Wed, 1 Mar 2017 06:33:06 -0800 (PST)
Received: from mail-qk0-x22a.google.com (mail-qk0-x22a.google.com [IPv6:2607:f8b0:400d:c09::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D459C1294F8 for <captive-portals@ietf.org>; Wed, 1 Mar 2017 06:24:01 -0800 (PST)
Received: by mail-qk0-x22a.google.com with SMTP id n127so72424637qkf.0 for <captive-portals@ietf.org>; Wed, 01 Mar 2017 06:24:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=PvXH91XR39X/nGVNWC2JY+Q84DB6cYYpdrO5MQXNi5A=; b=KnmmTIEu1T34OplYhfN3vIeIWw09IJh7J93yJdyBdx5DCdhigtyOwPI/SVGZd+Yyyy Qfi6sUyPLHpTGJkoTnE+/jx9eXTdoXU6EHWJTkBzsu4azWlBKWH4HujXxYLyNXBv2i+G 8ROlHmWxoH9F01q2J18gUdrQel+2aN254vj7GfopINtCZ2gPhJyECYfJXIfHxezHZ2+R eordQlVMbuNZXD4KyfIvncpzvAvWE18MuROVVI0I2ehMUBOb8uGifZE3HdrF0+jt5Gan kJXJ+RREG5MuuIqfHSnw/C/aoHaYpCnvQcsiEYsJKYpxj0SuMd/k4bwm0TwM5QRv8UhX tGOQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=PvXH91XR39X/nGVNWC2JY+Q84DB6cYYpdrO5MQXNi5A=; b=nJN07j4VeVPWlsIgTkJ88corzGX9Ms92AITF8fLELw1+eQDQCSIzJYL3sMHWqP3OmP f/oMO7IZXCxhJqh2YiHXT8acmqvYjRzKhplDM3dtdpd7ylUdXrRJTGlxJxh8KqZplQ+T vr5Dev++6uBqf7zRdJdfy4T9F2gebo65N34X65bOk5yhFD1rVIxp6HPxGxcqh/VHMLc0 jXFAD9g79ybodmc0RE8NmgFvnxU/xMb/SR7NqdeGuzozjU5+QsdNUB08wzwE7wZ5lYuW YPamNLSyjjmSDG3z6KXd7bL1LfbI/jK9/wxEyFd/PnF6VvaRlN2DfAnHeRoFlB6BYwx/ sR3g==
X-Gm-Message-State: AMke39ny8N+Z/9DkHEXcGTW/eKIRfr0/0+CuyOCzJRjtfG9iyKzDAZXfGko73PtTs0Nl6osgsySBXgWNz06TBu9o
X-Received: by 10.55.77.198 with SMTP id a189mr10302336qkb.318.1488378240631; Wed, 01 Mar 2017 06:24:00 -0800 (PST)
MIME-Version: 1.0
Received: by 10.12.128.167 with HTTP; Wed, 1 Mar 2017 06:24:00 -0800 (PST)
In-Reply-To: <D76BBBCF97F57144BB5FCF08007244A770581B9A@wtl-exchp-1.sandvine.com>
References: <D76BBBCF97F57144BB5FCF08007244A77058108A@wtl-exchp-1.sandvine.com> <CADo9JyUz6QRVg23cFmv7xTu_0dzbQM-xVXx7=79k3ao+59szVg@mail.gmail.com> <CAKD1Yr0B2HUz6AXExA7nK3URqkq3yFFuBXRVGM+mMR+KjnO1Ag@mail.gmail.com> <E8355113905631478EFF04F5AA706E987051EC6E@wtl-exchp-1.sandvine.com> <CAKD1Yr0p37+SuE03SLKQ2tZDxxeL3=jO8gSw9y66UnYXSDzeKw@mail.gmail.com> <E8355113905631478EFF04F5AA706E987051F25D@wtl-exchp-1.sandvine.com> <CAKD1Yr06UukkD+vM5ueiBfqe4h2t53G=-7hZN=wy1nO1_efJ2w@mail.gmail.com> <E8355113905631478EFF04F5AA706E987051F305@wtl-exchp-1.sandvine.com> <CADo9JyXki8J_Gd_ac8xAsp9V0b79rK0dPdXzHkuoLV-OQ47C2w@mail.gmail.com> <CAAedzxp1GZ8J5h2YnEo+xDAHTjhPHL6_YcfD4p5148G=0a6Mxg@mail.gmail.com> <E8355113905631478EFF04F5AA706E987052118B@wtl-exchp-1.sandvine.com> <D76BBBCF97F57144BB5FCF08007244A770581B9A@wtl-exchp-1.sandvine.com>
From: David Bird <dbird@google.com>
Date: Wed, 01 Mar 2017 06:24:00 -0800
Message-ID: <CADo9JyUq7WjYCWM==udEmtSLUYZP3J07y0Xy7VS22fNjWZGqqQ@mail.gmail.com>
To: Kyle Larose <klarose@sandvine.com>
Content-Type: multipart/alternative; boundary="001a114a836a537bb00549ac1022"
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/jmqZnhEY6LAYjWO0Q5HAacxXA2I>
Cc: "warren@kumari.net" <warren@kumari.net>, Erik Kline <ek@google.com>, "captive-portals@ietf.org" <captive-portals@ietf.org>, Dave Dolson <ddolson@sandvine.com>, Lorenzo Colitti <lorenzo@google.com>
Subject: Re: [Captive-portals] Thinking of something related to captive portals for the ietf98 hackathon
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Mar 2017 14:33:09 -0000
Kyle, I think participating in the hackathon is a great idea... On Thu, Feb 23, 2017 at 9:01 AM, Kyle Larose <klarose@sandvine.com> wrote: > Alright. Thanks everyone for the great discussion. Please continue. J > > > > It sounds like there may be some value in making more progress on the ICMP > message simply so we can play around with exposing any security holes, and > finding ways to plug them. So, it still seems like a good hackathon > candidate to me. > > > > Also, since this is a hackathon, why not try to work on more than I can > possibly handle? Let’s try to tackle the REST API for RFC 7710 as well. > I’ll admit that I’m awful at defining REST APIs, and I don’t really have > much experience with this technology, so I’m probably not right to do it, > but maybe someone else could help contribute? > > > > Can someone maybe confirm the intent of the REST API? I vaguely recall a > discussion at the BoF about allowing less interactive devices, such as > smart watches, to authenticate without needing a browser. Was that it? > > > > There were some volunteers for writing a document defining the > aforementioned REST API at the BoF. Is there a rough draft we could work > from at the hackathon? > > > > Anyway, I think I’ll add the following to the hackathon wiki: > > > > Technology: Captive Portal > > Projects > > · Finish up the icmp I-D in coova-chili > > · Try out various client solutions for consuming the icmp message. > > · Try to find security holes in the icmp I-D, and plug them (the > output being suggestions to improve the I-D) > > · Work on defining and implementing a REST API for RFC 7710 > > > > How does that sound? > > > > Thanks, > > > > Kyle > > > > *From:* Dave Dolson > *Sent:* Thursday, February 23, 2017 9:27 AM > *To:* Erik Kline; David Bird > *Cc:* captive-portals@ietf.org; Kyle Larose; warren@kumari.net; Lorenzo > Colitti > *Subject:* RE: [Captive-portals] Thinking of something related to captive > portals for the ietf98 hackathon > > > > Erik, > > I don’t think it is onerous. > > But, the device causing captive portal is not always on the local subnet > of the end-user device. > > > > I think it is better to have a security scheme that doesn’t depend on TTL. > > > > -Dave > > > > > > *From:* Erik Kline [mailto:ek@google.com] > *Sent:* Wednesday, February 22, 2017 9:52 PM > *To:* David Bird > *Cc:* Dave Dolson; captive-portals@ietf.org; Kyle Larose; > warren@kumari.net; Lorenzo Colitti > *Subject:* Re: [Captive-portals] Thinking of something related to captive > portals for the ietf98 hackathon > > > > How onerous would it be to require that an ICMPv[46] message with a > captive portal code also have a hoplimit of 255 (i.e. be link-local / from > an on-link source)? > > > > I could imagine writing a user-space daemon that listens for ICMP message > of one specific type, and validates the hoplimit with traditional cmsg > tricks. Furthermore, only having to do so on networks advertising a 7710 > option would be good. > > > > On 23 February 2017 at 02:10, David Bird <dbird@google.com> wrote: > > Further, we could tie this to RFC 7710, so that you can disregard this > ICMP from networks not expected to be captive portal and networks who do > implement captive portal can easily (as in iptables rules) filter out > external ICMP of this nature. > > > > On Wed, Feb 22, 2017 at 9:07 AM, Dave Dolson <ddolson@sandvine.com> wrote: > > Agreed. Hence the discussion about using a difficult-to-guess token in the > message. > ------------------------------ > > *From:* Lorenzo Colitti [lorenzo@google.com] > *Sent:* Wednesday, February 22, 2017 12:05 PM > > > *To:* Dave Dolson > *Cc:* David Bird; warren@kumari.net; Kyle Larose; captive-portals@ietf.org > *Subject:* Re: [Captive-portals] Thinking of something related to captive > portals for the ietf98 hackathon > > > > The ability for any host in the Internet to trigger an instant response > sounds it could turn into a DOS vector, though. > > > > On Thu, Feb 23, 2017 at 2:04 AM, Dave Dolson <ddolson@sandvine.com> wrote: > > As I understand it, to "think something is wrong" requires an > application-layer timeout. Some people think this is about 5s, but I don't > believe TCP specifies an upper bound. > > An ICMP message can give an "instant" response. > > It's worth considering that the ICMP message may trigger the "sacrificial" > HTTP request by the operating system. > > ------------------------------ > > *From:* Lorenzo Colitti [lorenzo@google.com] > *Sent:* Wednesday, February 22, 2017 10:24 AM > *To:* Dave Dolson > *Cc:* David Bird; warren@kumari.net; Kyle Larose; captive-portals@ietf.org > > > *Subject:* Re: [Captive-portals] Thinking of something related to captive > portals for the ietf98 hackathon > > > > Ok, but the implementations that are the most likely to implement this > sort of feature already send sacrificial plaintext HTTP requests on > connect, and are quite capable of generating HTTP requests on demand when > they think something is wrong. > > > > On Wed, Feb 22, 2017 at 11:53 PM, Dave Dolson <ddolson@sandvine.com> > wrote: > > Lorenzo, > My interest in ICMP is that it could work with any protocol, not just > HTTP, and doesn't require any MITM for HTTPS. > I recall a discussion about adding a difficult-to-guess token to the ICMP > message, making it hard to spoof. > > -Dave > > ------------------------------ > > *From:* Captive-portals [captive-portals-bounces@ietf.org] on behalf of > Lorenzo Colitti [lorenzo@google.com] > *Sent:* Wednesday, February 22, 2017 9:42 AM > *To:* David Bird > *Cc:* warren@kumari.net; Kyle Larose; captive-portals@ietf.org > *Subject:* Re: [Captive-portals] Thinking of something related to captive > portals for the ietf98 hackathon > > I'm not a fan of the ICMP method. I think the security implications need > more thought. > > > > As is, it looks like pretty much anyone on the Internet can send you one > of these packets, and you have no way of knowing if it's legitimate. > Relying on such an easy-to-spoof signal to decide that a network no longer > provides Internet access could be quite harmful, particularly if the > receiving device decided to switch to cellular data and incur the > associated traffic costs. Even if the signal is only taken as a hint to > revalidate the network, that still has battery implications. > > > > It would seem to be much more useful to use: > > - A header in the initial redirect that captive portals almost always > generate. > - A well-known URL where the state of the captive portal can be > revalidated, either periodically or when some other indication of loss of > connectivity is observed. > > At the last IETF we talked about possibly having a more structured way of > communicating this and other bits of information from captive portal to > host (a RESTful API, IIRC). That would also be useful, if we can all > collectively resist the temptation to overengineer such a mechanism. :-) > > > > On Wed, Feb 22, 2017 at 11:31 PM, David Bird <dbird@google.com> wrote: > > Hi Kyle, > > > > I think that is a great idea! > > > > I had started to implement here: https://github.com/ > coova/coova-chilli/tree/capport-icmp > > > > What would be nice, in addition to the NAS changes, is to also demonstrate > the client side ... either something like icmpd > <https://github.com/snaewe/books-code/tree/master/unpv13e/icmpd> (to > listen for the ICMP and provide applications a way of checking the status > of their dest. unreach. connections), or the necessary Linux kernel > changes. Also with kernel changes, the I-D could also be implemented using > iptables, or other NAS software too. > > > > Cheers, > > David > > > > > > On Wed, Feb 22, 2017 at 6:12 AM, Kyle Larose <klarose@sandvine.com> wrote: > > Hey everyone, > > I was thinking of doing something (anything) related to captive portals > for the ietf 98 hackathon. In particular, https://tools.ietf.org/html/ > draft-wkumari-capport-icmp-unreach-01 caught my eye. I was wondering if > anyone had thoughts on that, and whether there is anything else they'd like > to see me champion. > > Thanks, > > Kyle > > _______________________________________________ > Captive-portals mailing list > Captive-portals@ietf.org > https://www.ietf.org/mailman/listinfo/captive-portals > > > > > _______________________________________________ > Captive-portals mailing list > Captive-portals@ietf.org > https://www.ietf.org/mailman/listinfo/captive-portals > > > > > > > > > > > _______________________________________________ > Captive-portals mailing list > Captive-portals@ietf.org > https://www.ietf.org/mailman/listinfo/captive-portals > > >
- [Captive-portals] Thinking of something related t… Kyle Larose
- Re: [Captive-portals] Thinking of something relat… David Bird
- Re: [Captive-portals] Thinking of something relat… Lorenzo Colitti
- Re: [Captive-portals] Thinking of something relat… Dave Dolson
- Re: [Captive-portals] Thinking of something relat… Lorenzo Colitti
- Re: [Captive-portals] Thinking of something relat… David Bird
- Re: [Captive-portals] Thinking of something relat… Alexander Szlezak
- Re: [Captive-portals] Thinking of something relat… Dave Dolson
- Re: [Captive-portals] Thinking of something relat… Lorenzo Colitti
- Re: [Captive-portals] Thinking of something relat… Dave Dolson
- Re: [Captive-portals] Thinking of something relat… David Bird
- Re: [Captive-portals] Thinking of something relat… David Farmer
- Re: [Captive-portals] Thinking of something relat… Erik Kline
- Re: [Captive-portals] Thinking of something relat… Dave Dolson
- Re: [Captive-portals] Thinking of something relat… Kyle Larose
- Re: [Captive-portals] Thinking of something relat… David Bird
- Re: [Captive-portals] Thinking of something relat… Christian Saunders