[Captive-portals] Requirements for "captive portal closed" notifications

Lorenzo Colitti <lorenzo@google.com> Tue, 20 March 2018 15:29 UTC

Return-Path: <lorenzo@google.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A4A3127077 for <captive-portals@ietfa.amsl.com>; Tue, 20 Mar 2018 08:29:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.01
X-Spam-Level:
X-Spam-Status: No, score=-2.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zAqsbcsg4AWD for <captive-portals@ietfa.amsl.com>; Tue, 20 Mar 2018 08:29:27 -0700 (PDT)
Received: from mail-wr0-x232.google.com (mail-wr0-x232.google.com [IPv6:2a00:1450:400c:c0c::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 73706126579 for <captive-portals@ietf.org>; Tue, 20 Mar 2018 08:29:27 -0700 (PDT)
Received: by mail-wr0-x232.google.com with SMTP id h2so2122154wre.12 for <captive-portals@ietf.org>; Tue, 20 Mar 2018 08:29:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=vuIuBPjK4ksI8KWDh6Zk3K64dTMTYfDVyNU7xIOFh7o=; b=U8V+xUkoPXsFTxYR/ygGQI3JcscUpaK2sWObqxDa3ZbMsb9Ti4DNYhOuth4JrZC0TU REeNJCNQPQ872wIYJFWLRn728zGn/wHTIm8+hIL7XJSDG1qS3DmCW6NZeWoVFQlIzXpL OH7w9xYPN0dMH27OVi0ZXl+D9HbPd35y8ZTrAp401O5WWVGL10iKgTDX0+smvEUIFK/s A8StIX6sNCIuPJfjwEZq8dNZ+BVmgZyvwmTipKiMkc/p4jDWaSJOjZ/5+p7/4Lf/2Zi6 Dx4QAGlqO4WhIh5DMpswrf0mF8RKOJ8CGrFAvMnswZP6oYM2LzauqxHz6Q2LH00vP7+8 8VFQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=vuIuBPjK4ksI8KWDh6Zk3K64dTMTYfDVyNU7xIOFh7o=; b=agfq8FgtwBgIGPf6yFFz8LNuWJdbL3gOj3yrQvkHoVahiQRNcc+WioXRdi6tkZXRzD RpuwmpyS/qjXp+UZ+uZXLEiwMTkaEPK+t2qIrYalhznjNZBVS0lgO4eliAF42TkQecrV B9lbdli6HPnKx3qWM9ViMxkmnjXvylM/h/VFEH2ljG6jTKBkGIkz0OHUiNlBdlxdf/wN iBnZJ2UiNkIKmyMGcCs5tWweUZPSB1+WO1Ixopa6h1b/Vn+owpFMpHRM4IoDCopFrRG+ gsTipoe8oYxBrk4QVekTco/4knpzewGEI1wDYipSOj2NtQuPmyU6gkGh50Z8YD9gDlcd oy7w==
X-Gm-Message-State: AElRT7EDiYi31IsArfeB2GP6DEBXQu+z9EwAHr1h+SOjo6IQMNW1uxu6 cOG1/sbi2dmfGXd30qZewyOAYgBzvp2o/G74beZMEpxJbPQ=
X-Google-Smtp-Source: AG47ELvJZVUgXlMsd3C/DY+7ei5u2kXwS/KJgzhqNlsHjuO99e6hEOPRIjwWBSk/7tfT613+BKJTRuZU9gq6rc65/qM=
X-Received: by 10.223.208.141 with SMTP id y13mr391681wrh.152.1521559765109; Tue, 20 Mar 2018 08:29:25 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.28.130.204 with HTTP; Tue, 20 Mar 2018 08:29:04 -0700 (PDT)
From: Lorenzo Colitti <lorenzo@google.com>
Date: Tue, 20 Mar 2018 15:29:04 +0000
Message-ID: <CAKD1Yr3rP24jQ6sMpoXZ3pU02FmvwDNc9=w2oAh4bMWZmEtQ_A@mail.gmail.com>
To: captive-portals@ietf.org
Content-Type: multipart/alternative; boundary="f4f5e80a061c4e5a760567d9bd6c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/pYYQqxAzJp8ZVLtfu1QLqJdMiiM>
Subject: [Captive-portals] Requirements for "captive portal closed" notifications
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Mar 2018 15:29:29 -0000

Per discussion at the mike today on what we should do with the ICMP
unreachable draft - here are some properties I think are necessary in a
hint to the UE that the captive portal is closed.

1. The notification should not be easy to spoof. This is easiest to do by
making it a hint to the UE that it should talk to the API.

   - An ICMP message by itself is not secure. For example, it's trivial for
   an off-path attacker to generate ICMP messages for sessions from legitimate
   UEs to <popularwebsite>:443. Getting a UE to trust such a message only
   requires getting the ephemeral port right, and many OSes have a quite
   limited range of ephemeral ports.
   - Tero points out that if we do want to secure such a message, then we
   should not roll our own security but should use an existing, secure
   protocol such as IPsec.


2. It should be possible to send the notification *before* the captive
portal closes, to facilitate seamless connectivity. Ideally the user should
be able to re-up the captive portal without having to wait until the
network is dead or the device has switched to another network.

3. The notification should not be on a per-destination basis. A hint that
conveys the information "you can reach facebook, but to reach CNN you need
to upgrade to another service plan" is not technically infeasible but is
unlikely ever to reach WG and IETF consensus and therefore I think we
should not spend our time talking about it.

4. I'm not sure whether it's possible for the hint to be anything more than
a binary "you are or will very soon be captive". Saying things like "an
upgrade opportunity is available" may be hard to encode.

Cheers,
Lorenzo