IETF Logo Mail Archive

Re: [Captive-portals] Questions about PvD/API

Michael Richardson <mcr+ietf@sandelman.ca> Wed, 27 September 2017 15:51 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 26233134D3A for <captive-portals@ietfa.amsl.com>; Wed, 27 Sep 2017 08:51:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D8-ZgCAKBtmd for <captive-portals@ietfa.amsl.com>; Wed, 27 Sep 2017 08:51:00 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AE8E4134D25 for <captive-portals@ietf.org>; Wed, 27 Sep 2017 08:50:59 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 6A98C2009E for <captive-portals@ietf.org>; Wed, 27 Sep 2017 11:55:59 -0400 (EDT)
Received: from obiwan.sandelman.ca (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 1614B8189F for <captive-portals@ietf.org>; Wed, 27 Sep 2017 11:50:58 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: captive-portals@ietf.org
In-Reply-To: <CAAedzxqSy+xOPFwLQ5mh-HV88sdqvkQe+HgiHjw0HdnNOcftzQ@mail.gmail.com>
References: <CADo9JyU+XGYFWdNeXOBw1O43Pjyn0jZhGxDTb7VbLF+Jg4Xj4w@mail.gmail.com> <CAAedzxq4UhueFW=U-Tuc1gvG8Tapc7VE7BM2Akt9OXuzN3jLyQ@mail.gmail.com> <CADo9JyW0J7xzaosG5PJOFPHMy2g6vZ1cVpW6_YsuOdaKWqumkQ@mail.gmail.com> <A5B74413-32D8-4FE4-BDF7-DAA95266AAF4@apple.com> <CADo9JyUJTPRT9454VdZEM1nwFfxPSrMX3+Uk9i325uboQUya7g@mail.gmail.com> <7B520EA6-7B55-46B1-B084-F1CADF7DE28B@apple.com> <CADo9JyVSW5==nQOUMUUYWj743LmZCUjE9=W-YXnK-KMS-88AoQ@mail.gmail.com> <CABkgnnV1OT_29fdNbCDDJMgeRDNeOM8u2PYA94opo+ujj2=Avw@mail.gmail.com> <CADo9JyUdBZbBmwE0B21ryFuefQEaTiWLHD-w8AZSyWACH9u2dg@mail.gmail.com> <CABkgnnWbhHOmZRsvpEb0XusRtUJUPp7vpdM7V_4nLnC_B-mfKQ@mail.gmail.com> <CADo9JyUP_FWznzDWDO1s9-8B8-hMAUkFAMaa68uUZ1xR8CKHyw@mail.gmail.com> <CAKD1Yr0OrthUda3+ic3g83vWEpBATpcF4Z=4ENNg+ZuyySDMdg@mail.gmail.com> <CADo9JyW=wYh5y87KZrfs56fFze_VkdvUt-hF_SNeokPONxDuGA@mail.gmail.com> <CAKD1Yr2GpTX9NPTNJVbGjF+PxuNNyhgaRNjr0qMW90rVHeM_+g@mail.gmail.com> <98352984-4E92-42EC-97FE-B652C0FC41AF@apple.com> <CADo9JyVzW 3TxFCHv=1N=Qsm2Th7gw7Yby8mdG2hOVWQQ_9YGpw@mail.gmail.com> <CAKD1Yr0_ksXDy6Ckc6RuFjYf+t4fiA4dJfAToZjfgrqed4h4QA@mail.gmail.com> <B05E727C-6F8B-438F-8DC9-1B1528CE73A5@apple.com> <D2A19ABBC0147C40BFBB83D1CF3E95F04010655B@wtl-exchp-2.sandvine.com> <CABkgnnXdMDd2BF0r0ekmwxFECSiLPxPruc46BpVTNDCFz8+Tvg@mail.gmail.com> <CADo9JyVUE89QZajqxQ+0ofXY3L5vDSj18cXvFpXG1ViXeCnqhQ@mail.gmail.com> <CABkgnnVX8s5+MPeY=XRnc3Vkmf9gg3GY2-MxhSrVq98B_odGcg@mail.gmail.com> <CADo9JyVetrad0b1WMXfCHhBHy2x2Ew7oM0Stpq4qVfBnWuEtNg@mail.gmail.com> <CABkgnnW4h6RQHtyKfLzOtA4HuuMxfEKYmCnB1HTo5hEMVKQRaw@mail.gmail.com> <CADo9JyW932m0C_OKEHwS_9_S0oH7m-Z9ocM3jTHkumzto6sncw@mail.gmail.com> <CABkgnnWWB6-VtteJZ6o7_FY6haC8r0JPkoY1wMfFtwJ8VKaweg@mail.gmail.com> <CADo9JyV9t6KCf59ykm=+gHrR+CpkwBuKJVfaKpg=wVpZmiermg@mail.gmail.com> <CADo9JyUKuSCsUMAF5kZ7w5oL520ws8m6Gt5V_8JQQrKhkpctvA@mail.gmail.com> <CADo9JyXtkA2QB8GYzcxYqu80HwvXt0zgcZ852b3Tvvn3yi2wTA@mail.gmail.com> <CAAedzxqSy+xOPFwLQ5mh-HV88sdqvkQe+HgiHjw0HdnNOcftzQ@mail.gmail .com>
X-Mailer: MH-E 8.6; nmh 1.6+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Wed, 27 Sep 2017 11:50:58 -0400
Message-ID: <15753.1506527458@obiwan.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/sjjgsHAaYqCc2iGFuLa7TTYMCuI>
Subject: Re: [Captive-portals] Questions about PvD/API
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Sep 2017 15:51:02 -0000

Erik Kline <ek@google.com> wrote:
    >> 5.1.1.  Associating User Equipment with its URL
    >>
    >> The CAPPORT API Server SHOULD associate an incoming request with a
    >> particular User Equipment consistently.  [TODO: specify how this
    >> would happen.]
    >>
    >> This becomes a pretty important point because it can't be that each DHCP or
    >> RA is custom formatted for each station with a UE specific URL. It also
    >> needs to be a MUST if the API is returning information about
    >> 'bytes_remaining' and such. Or, does the UE self report it's MAC to the
    >> API/PvD? The service needs some way of associating that API/PvD session with
    >> the RADIUS accounting stream.

    > <no chair hat>

    > This is a very critical question, imho.

    > No captive portal vendor would want to trust clients to self-identify
    > their MAC addresses.  And even non-malicious clients might be prone to
    > introducing errors (say, by presenting the random MAC used during
    > scanning and not [as a result of a bug] the actual MAC used for the
    > session).

Not only do we have a problem with the clients presenting the wrong MAC by
accident, they could also present the wrong MAC on purpose to gain
information about adjacent clients. A simple multiple PING harvests that
list.

    > Given that, it seems the network infrastructure itself must be the
    > element that adds MAC addresses, or some equivalent token, in
    > communications with the API endpoint.  Yes?

It must provide a token based upon the MAC, but I think it must protect it as well.

In only the simplest cases will the portal/API receiver be on the same link
as the client, so even though we can get the MAC address via DHCP relay, the
portal can't verify the address is the correct one accessing it anyway.


--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email