[Captive-portals] Re: [dhcwg] HTTP Proxy option

Bernie Volz <bevolz@gmail.com> Sun, 06 July 2025 22:01 UTC

Michael:

Regarding option 135 …

See https://www.ietf.org/archive/id/draft-blatherwick-dhc-mitel-site-options-usage-00.txt as that’s where this reported usage of the option was “documented”, but sadly there’s not really any useful information.

This likely was reported when we were trying to expand the DHCPv4 option space by reclaiming much of the “custom” space (it used to be 128 and up). We wanted to know what was in use so we could have IANA avoid assigning from those in-use options unless absolutely necessary.

And, so that option 135 usage is vendor-specific.

- Bernie

> On Jul 6, 2025, at 4:31 PM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
> 
> 
> {resending without typo on captive-portals@ietf.org.  See I looked up the ML
> name to be sure, but then fat-fingered it...}
> 
> https://www.iana.org/assignments/bootp-dhcp-parameters/bootp-dhcp-parameters.xhtml#options
> lists option 135, "HTTP Proxy for phone-specific applications"
> but with no reference!
> 
> What does this option do, and who uses it?
> 
> I was looking if there was a way to set an HTTP Proxy, specifically in the
> context of a captive-portal network that wanted to quarantine untrustworthy
> hosts, but also wanted to allow them to reach out to a firmware update server
> in order to get patched back to trustworthiness.
> 
> Going through an HTTP proxy allows the captive-portal/quarantine system to
> see what end-system is being asked for.  In the case of HTTP, the content
> might even be cached, which is useful in avoiding a (bandwidth) DoS.
> While most updates would be HTTPS now, using CONNECT still shows the URL.
> 
> {The infrastructure, once it figured out that the host was trustworthy, would
> disconnect the client device, and when it reconnected, it would be put on a
> real network.  Or, the user might ask for an exception via the portal interface}
> 
> My conclusion is that no such DHCP option was ever practical/common.
> 
> The Proxy auto-config (PAC) is javascript, which is not so widely useful, and
> not very secure.   There is the Web Proxy Auto-Discovery Protocol (WPAD),
> which claims to be available via DHCP option, but I don't think any DHCP
> option was ever recorded by IANA... it seems it's "site-local" option 252
> according to: https://en.wikipedia.org/wiki/Web_Proxy_Auto-Discovery_Protocol
> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
>           Sandelman Software Works Inc, Ottawa and Worldwide
> <signature.asc>
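
The following is an added example, not part of either message above: a small audit helper that walks the options field of a DHCPv4 reply and reports the two proxy-related codes this thread mentions (135 and 252). The sample bytes are constructed, and since the value format of option 135 is not documented anywhere on this page, its sample value is an arbitrary placeholder string.

```python
PAD, END = 0, 255
# Codes named in this thread; descriptions paraphrase the messages above.
PROXY_OPTIONS = {
    135: "HTTP Proxy for phone-specific applications (IANA entry, no reference)",
    252: "WPAD URL (site-local convention, not IANA-assigned)",
}

def parse_options(buf: bytes) -> list[tuple[int, bytes]]:
    """Walk code/length/value options; Pad (0) and End (255) carry no length."""
    opts, i = [], 0
    while i < len(buf):
        code = buf[i]
        i += 1
        if code == PAD:
            continue
        if code == END:
            break
        if i >= len(buf):
            raise ValueError(f"option {code}: missing length byte")
        length = buf[i]
        i += 1
        if i + length > len(buf):
            raise ValueError(f"option {code}: length {length} overruns buffer")
        opts.append((code, buf[i:i + length]))
        i += length
    return opts

def proxy_findings(buf: bytes) -> list[dict]:
    """Report proxy-related options; 224-254 is the site-specific range."""
    return [
        {"code": code, "meaning": PROXY_OPTIONS[code],
         "private_use_range": 224 <= code <= 254,
         "value": value.decode("ascii", errors="replace")}
        for code, value in parse_options(buf) if code in PROXY_OPTIONS
    ]

def _opt(code: int, value: bytes) -> bytes:
    return bytes([code, len(value)]) + value

# Constructed sample options field (not captured traffic).
SAMPLE = (_opt(53, b"\x02") + bytes([PAD])
          + _opt(252, b"http://wpad.example.net/wpad.dat")
          + _opt(135, b"placeholder-value")   # format undocumented
          + bytes([END]) + b"\x00\x00")

if __name__ == "__main__":
    for finding in proxy_findings(SAMPLE):
        print(finding)
```
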