[Captive-portals] Requirements for "captive portal closed" notifications
Lorenzo Colitti <lorenzo@google.com> Tue, 20 March 2018 15:29 UTC
From: Lorenzo Colitti <lorenzo@google.com>
Date: Tue, 20 Mar 2018 15:29:04 +0000
Message-ID: <CAKD1Yr3rP24jQ6sMpoXZ3pU02FmvwDNc9=w2oAh4bMWZmEtQ_A@mail.gmail.com>
To: captive-portals@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/pYYQqxAzJp8ZVLtfu1QLqJdMiiM>
Per discussion at the mike today on what we should do with the ICMP unreachable draft - here are some properties I think are necessary in a hint to the UE that the captive portal is closed.

1. The notification should not be easy to spoof. This is easiest to do by making it a hint to the UE that it should talk to the API.

   - An ICMP message by itself is not secure. For example, it's trivial for an off-path attacker to generate ICMP messages for sessions from legitimate UEs to <popularwebsite>:443. Getting a UE to trust such a message only requires getting the ephemeral port right, and many OSes have a quite limited range of ephemeral ports.

   - Tero points out that if we do want to secure such a message, then we should not roll our own security but should use an existing, secure protocol such as IPsec.

2. It should be possible to send the notification *before* the captive portal closes, to facilitate seamless connectivity. Ideally the user should be able to re-up the captive portal without having to wait until the network is dead or the device has switched to another network.

3. The notification should not be on a per-destination basis. A hint that conveys the information "you can reach facebook, but to reach CNN you need to upgrade to another service plan" is not technically infeasible but is unlikely ever to reach WG and IETF consensus and therefore I think we should not spend our time talking about it.

4. I'm not sure whether it's possible for the hint to be anything more than a binary "you are or will very soon be captive". Saying things like "an upgrade opportunity is available" may be hard to encode.

Cheers,
Lorenzo
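The "hint, not authority" principle from point 1 (and the early-warning case from point 2), sketched as an added illustration that is not part of the thread: the UE never changes its captive state on an unauthenticated notification, it only rate-limits and re-queries the portal API, and the API answer (assumed here to be an authenticated call returning a captive flag and an optional time remaining) is the single source of truth.

```python
"""Model of a UE treating a 'captive portal closed' notification as an
untrusted hint. Added illustration, not code from the mailing-list thread;
the API shape (ApiAnswer) and the rate limit are assumptions."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class ApiAnswer:
    captive: bool
    seconds_remaining: Optional[int] = None  # None = no expiry known


@dataclass
class PortalState:
    query_api: Callable[[], ApiAnswer]  # assumed authenticated (HTTPS) call
    min_interval: float = 5.0           # seconds between hint-triggered queries
    captive: bool = False
    will_expire_in: Optional[int] = None
    last_query: float = -1e9
    queries: int = 0

    def on_hint(self, now: float) -> str:
        """Handle an unauthenticated hint (e.g. an ICMP message).

        The hint never changes state by itself: it only triggers a query to
        the API. Rate-limiting keeps a spoofed flood from making the UE
        hammer the API or flap its connectivity state."""
        if now - self.last_query < self.min_interval:
            return "ignored: rate-limited"
        self.last_query = now
        self.queries += 1
        ans = self.query_api()          # only this answer is trusted
        self.captive = ans.captive
        self.will_expire_in = ans.seconds_remaining
        if ans.captive:
            return "captive: open portal UI"
        if ans.seconds_remaining is not None:
            # point 2: warned before closure, user can re-up seamlessly
            return f"expiring in {ans.seconds_remaining}s: prompt to re-up"
        return "not captive: hint was stale or spoofed"
```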