Re: [Captive-portals] Questions about PvD/API

[David Bird <dbird@google.com>]

I don't think that is a fair comparison...

Geolocation isn't anything enforced by the network... and clearly not
designed for public/guest access networks (as they exists today).

You might re-read some of the Security Consideration in the docs
surrounding GEOPRIV.

HTTP-Enabled Location Delivery (HELD)
https://datatracker.ietf.org/doc/html/rfc5985#page-22

   HELD is a location acquisition protocol whereby the client requests
   its location from a LIS.  Specific requirements and security
   considerations for location acquisition protocols are provided in
   [RFC5687].  An in-depth discussion of the security considerations
   applicable to the use of Location URIs and by-reference provision of
   LI is included in [RFC5808].

   By using the HELD protocol, the client and the LIS expose themselves
   to two types of risk:

   Accuracy:  The client receives incorrect location information.

   Privacy:  An unauthorized entity receives location information.

   The provision of an accurate and privacy- and confidentiality-
   protected location to the requestor depends on the success of five
   steps:

   1.  The client must determine the proper LIS.

   2.  The client must connect to the proper LIS.

   3.  The LIS must be able to identify the Device by its identifier (IP
       address).

   4.  The LIS must be able to return the desired location.

   5.  HELD messages must be transmitted unmodified between the LIS and
       the client.

   Of these, only steps 2, 3, and 5 are within the scope of this
   document.  Step 1 is based on either manual configuration or on the
   LIS discovery defined in [RFC5986], in which appropriate security
   considerations are already discussed.  Step 4 is dependent on the
   specific positioning capabilities of the LIS and is thus outside the
   scope of this document.

Discovering the Local Location Information Server (LIS)
https://datatracker.ietf.org/doc/html/rfc5986#page-11

   The address of a *LIS is usually well-known within an access network*;
   therefore, interception of messages does not introduce any specific
   concerns.

   The primary attack against the methods described in this document is
   one that would lead to impersonation of a LIS.  The LIS is
   responsible for providing location information, and this information
   is critical to a number of network services; furthermore, a Device
   does not necessarily have a prior relationship with a LIS.  Several
   methods are described here that can limit the probability of, or
   provide some protection against, such an attack.  These methods MUST
   be applied unless similar protections are in place, or in cases --
   such as an emergency -- where location information of dubious origin
   is arguably better than none at all.

   An attacker could attempt to compromise LIS discovery at any of three
   stages:





*   1.  providing a falsified domain name to be used as input to U-NAPTR
 2.  altering the DNS records used in U-NAPTR resolution   3.
 impersonating the LIS*

   The domain name that used to authenticate the LIS is the domain name
   input to the U-NAPTR process, not the output of that process
   [RFC3958], [RFC4848].  As a result, the results of DNS queries do not
   need integrity protection.

   An HTTPS URI is authenticated using the method described in Section
   3.1 of [RFC2818].  HTTP client implementations frequently do not
   provide a means to authenticate based on a domain name other than the
   one indicated in the request URI, namely the U-NAPTR output.  To
   avoid having to authenticate the LIS with a domain name that is
   different from the one used to identify it, a client MAY choose to
   reject URIs that contain a domain name that is different to the
   U-NAPTR input.  To support endpoints that enforce the above
   restriction on URIs, network administrators SHOULD ensure that the
   domain name in the DHCP option is the same as the one contained in
   the resulting URI.



*Authentication of a LIS relies on the integrity of the domain name
 acquired from DHCP.  An attacker that is able to falsify a domain   name
circumvents the protections provided. * To ensure that the access
   network domain name DHCP option can be relied upon, preventing DHCP
   messages from being modified or spoofed by attackers is necessary.

*Physical- or link-layer security are commonly used to reduce the
 possibility of such an attack within an access network. * DHCP
   authentication [RFC3118] might also provide a degree of protection
   against modification or spoofing.

   A LIS that is identified by an HTTP URI cannot be authenticated.  Use
   of unsecured HTTP also does not meet requirements in HELD for
   confidentiality and integrity.  If an HTTP URI is the product of LIS
   discovery, this leaves Devices vulnerable to several attacks.

*Lower-   layer protections, such as Layer 2 traffic separation might be
used   to provide some guarantees.*

Requirements for a Location-by-Reference Mechanism
https://datatracker.ietf.org/doc/html/rfc5808#page-12

   The method of constructing the location URI to include randomized
   components helps to prevent adversaries from obtaining location
   information without ever retrieving a location URI.  In the
   possession model, a location URI, regardless of its construction, if
   made publicly available, implies no safeguard against anyone being
   able to dereference and get the location.  Care has to be paid when
   distributing such a location URI to the *trusted location recipients*.
   When this aspect is of concern, the authorization model has to be
   chosen.



*Even in this model, care has to be taken on how to construct   the
authorization policies to ensure that only those parties have   access to
location information that are considered trustworthy enough   to enforce
the basic rule set that is attached to location   information in a PIDF-LO
document.*

   Any location URI, by necessity, indicates the server (name) that
   hosts the location information.  Knowledge of the server in some
   specific domain could therefore reveal something about the location
   of the Target.  This kind of threat may be mitigated somewhat by
   introducing another layer of indirection: namely the use of a
   (remote) presence server.

   A covert channel for protocol message exchange is an important
   consideration, given an example scenario where user A subscribes to
   location information for user B, then every time A gets a location
   update, an (external) observer of the subscription notification may
   know that B has moved.  One mitigation of this is to have periodic
   notification, so that user B may appear to have moved even when
   static.



On Sun, Aug 20, 2017 at 6:34 PM, Martin Thomson <martin.thomson@gmail.com>
wrote:

> Hi David,
>
> Can you explain more about why you believe that a lower-layer protocol
> needs to be used?
>
> I remember a similar discussion about this about 10 years ago with
> GEOPRIV.  Then it was asserted that DHCP was the only protocol that
> could deliver location information to user equipment.  That discussion
> took a long time, but ultimately ended with an HTTP-based protocol.  I
> have no desire to repeat that experience.
>
> It seems like this is - at least in part - based in how this might be
> configured.  That is, you believe that a lower-layer protocol offers
> no option for misconfiguration.  Is that correct?  Have I missed
> something?
>
>
> On 20 August 2017 at 00:12, David Bird <dbird@google.com> wrote:
> > HI Tommy,
> >
> > Agreed that RFC7710 is lacking notification of captive portal existence,
> it
> > only provides configuration information. ICMP would provide the
> > notification, as it does today for other forms of destination
> unreachable,
> > port unreachable, etc. In your first reply, I thought you were suggesting
> > that RFC7710 was at play along side PvD DHCP/RA (and I wasn't clear what
> you
> > meant by DHCP/RA).
> >
> > I think we both also agree that taking about both a Capport API *and*
> PvD is
> > adding to the confusion and we ultimately will not want two "APIs".
> >
> > ICMP today delivers more than hints... it provides signaling that can
> > directly influence traffic. Yes, there are security concerns around ICMP,
> > which is why it is common for it to be filtered out of networks (which
> is a
> > good think for Capport ICMP, it is only for the edge network).
> >
> > Regarding ICMP and the "content details of the network" ... I think that
> > statement conflates policy and enforcement. ICMP provides (as today)
> > notification of enforcement, and RFC7710 provides where to find out about
> > the policy (ToS, etc).
> >
> > The JSON API becomes a "web service" when it has a http(s):// in front
> of it
> > :) .. but, indeed, my concern is in the transport protocol. It being a
> URL
> > signals that this is meant to be deployed alongside the portal, or
> otherwise
> > 'remotely'... Vendors will likely have a "PvD URL: " configuration dialog
> > ... and there will be many hotspot services companies updating their
> "Howto"
> > instructions with their PvD URL info... it is a web service.
> >
> > I welcome suggestions that put that JSON API into a lower layer network
> > protocol. We could stuff JSON into ICMP :)
> >
> > Maybe there is a way to merge ICMP and PvD -- to where ICMP provides the
> > notification (with tokens) and PvD provides the policy (based on these
> > tokens) (?)
> >
> > With regard to vendor (NAS/UE) cooperation, perhaps PvD could be a new
> > start, but thus far (as my quote of Cisco documentation suggests), it is
> > more about what users/venues want. Cisco already today actively avoids
> iOS
> > captive portal detection because the "pseudo-browser" (as they call it)
> does
> > work with their portal. That is a problem that could be solve today by
> > Apple/Cisco, couldn't it? Just by not using the pseudo browser...
> > introducing PvD doesn't resolve the core problem there, but does make it
> > easier to avoid that pseudo browser.
> >
> > You also said "We can still get to a captive portal once the user goes
> into
> > the browser." ... However, this is increasingly untrue as the work moves
> to
> > https... So, doing this avoidance of detection will still be a problem.
> >
> > Cheers,
> > David
> >
> >
> > On Fri, Aug 18, 2017 at 7:23 PM, Tommy Pauly <tpauly@apple.com> wrote:
> >>
> >> Hi David,
> >>
> >> My thoughts with regards to RFC 7710 is that it is not deployed as far
> as
> >> I know, and no client stack respects the value sent in 7710. Without
> some
> >> API extensions, it isn't directly better than what we currently have.
> >> Ideally, this would not be an API that would get deployed if we were
> also
> >> using PvDs. My concern is that if PvDs are used for enterprise and
> private
> >> networks, we'll have a very similar but less complete path based on RFC
> >> 7710. We could end up deprecating or replacing that RFC, which was
> mentioned
> >> in our last meeting. I don't think RFC 7710 can be used without a URL,
> which
> >> is why I think we need a solution that does a better job of indicating
> the
> >> lack of captive or other extended network info.
> >>
> >> I would hope that since both iOS and Android stack developers are
> working
> >> on the UE side, we would actually see UE deployment of PvDs before any
> >> captive vendors adopt PvDs, and we'd be standardizing around Cisco/etc
> >> enterprise deployments. By the time there were NAS vendors deploying,
> they
> >> would test with both iOS and Android devices to validate support.
> >>
> >> Basing our standards on the idea that devices (either networks or UE's)
> >> may implement the RFCs incorrectly seems to be a difficult starting
> point.
> >>
> >> I like the point you bring up of splitting network notifications from
> web
> >> APIs. There is a need to be judicious about what properties fall into
> each
> >> category. I think you're saying that the fact that there is a captive
> >> network can be signaled via ICMP, etc, as a network-level property.
> While
> >> ICMP is a fine solution for giving the UE hints when something has
> expired,
> >> I am concerned that (possibly unsolicited) network signaling is not the
> >> correct mechanism for the content details of the network, whether that
> is
> >> the enterprise network properties, or the captive network Terms &
> >> Conditions, tokens, expiration timers, and URLs for various kinds of
> user
> >> interaction. An JSON API is one form of grabbing information—I don't
> think
> >> we should necessarily interpret that as something that is a high-level
> Web
> >> interaction. We could create some custom protocol over UDP like DNS
> records
> >> to get the information (that would be a lot of new protocol work here
> that
> >> people may not be willing to get into), but the key is that it needs to
> be
> >> the choice of a UE device that understands how to request and parse
> content
> >> that initiates a lookup, and can fetch information from the network
> >> infrastructure.
> >>
> >> With regards to your assertion that we'll always revert to doing a
> probe,
> >> I still would like to believe that if we have a network that advertises
> a
> >> PvD with no extended information, or extended information that doesn't
> >> include a captive portal, we can avoid the probe altogether. Will we
> still
> >> have networks that redirect HTTP requests? Yes. But that's no different
> from
> >> the scenario today in which a network whitelists our captive detection
> >> probes. We can still get to a captive portal once the user goes into the
> >> browser. We can stop doing probes whenever the RA on the network
> indicates
> >> that it supports explicit signaling about network properties. If a
> network
> >> operator wants to invoke the system-level captive interaction, then they
> >> will follow the RFCs we come up in the CAPPORT group as long as UEs end
> up
> >> deploying support first. If they want to avoid it, or they have a broken
> >> network, things will be like networks that whitelist our probes today.
> Not
> >> great, but still possible for the user to get through. My main goal in
> these
> >> standards is to make it possible for a network to give the user a good
> >> experience; not to make it impossible for the user to have a sub-par
> >> experience (since I don't think that goal is achievable).
> >>
> >> Best,
> >> Tommy
> >>
> >>
> >> On Aug 18, 2017, at 5:52 PM, David Bird <dbird@google.com> wrote:
> >>
> >> Thanks Tommy,
> >>
> >> I don't dispute that PvD provides an elegant set of solutions --
> >> particularly in enterprise and other 'private' networks. I question,
> >> however, the value in public(/guest) access -- where everyone wants you
> to
> >> access their network over others, for 'retail analytic' or
> >> branding/attribution(/exploit) purposes.
> >>
> >> Another way to see the PvD integration/deployment:
> >>
> >> 1. Today, we join a network, always do a probe, which redirects to
> captive
> >> portal
> >> 2. A PvD URL is provide, so a captive portal notification is generated
> to
> >> the user (is that what 'we just make a connection directly' means?)
> >> 3. We may have also gotten RFC7710 URL, there are potentially two APIs
> in
> >> play at the same time, which is extra confusing (?)
> >> 4. The first NAS vendor release products with support, venues deploy and
> >> start 'fiddling' with the new feature and URL to PvD end-points
> >> 5. The first UE vendor releases products with support, start using it at
> >> said venues... complain to vendor about problems unique to this new
> device
> >> 6. In some networks, users complain that *only* their new PvD device is
> >> seeing a captive portal, while all their other devices do not. Staff at
> the
> >> coffee shop don't believe me; all their devices work too.
> >>
> >> I think there are fundamental issues in splitting what should be
> 'network
> >> notification' into web APIs....
> >>
> >> 1. Tomorrow, we join a network, always do a probe, which redirects to
> >> captive portal
> >>
> >> It wasn't clear in your e-mail if RFC7710 can be used *without*
> providing
> >> a URL, or is there a PvD specific DHCP option?
> >>
> >> Thanks,
> >> David
> >>
> >>
> >> On Wed, Aug 16, 2017 at 9:20 AM, Tommy Pauly <tpauly@apple.com> wrote:
> >>>
> >>> Hi David,
> >>>
> >>> You mention in one of your emails that you'd expect there to be many
> >>> "broken PvD" deployments, which would either necessitate ignoring PvD
> and
> >>> using legacy mechanisms, or else having the user face a broken portal.
> My
> >>> impression is that if client-side deployments fail closed—that is, if
> there
> >>> is a PvD advertised, but it does not work well, then we treat the
> network as
> >>> broken. If this client behavior is consistent from the start of
> deployment,
> >>> then I would think that deployments would notice very quickly if they
> are
> >>> broken. The fundamental part of the PvD being advertised is in the
> RAs—if
> >>> our DHCP or RAs are broken on a network, we generally are going to be
> broken
> >>> anyhow.
> >>>
> >>> As far as where the API resides, I appreciate your explanation of the
> >>> various complexities. My initial take is this:
> >>>
> >>> - Where a PvD is being served is up to the deployment, and determined
> by
> >>> the entity that is providing the RAs. To that end, the server that
> hosts the
> >>> API for extended PvD information may be very different for
> >>> enterprise/carrier scenarios than in captive portals for coffee shops.
> >>> - For the initial take for Captive Portals, I would co-locate the "PvD
> >>> API" server with the "Captive API" and "Captive Web Server".
> Presumably, the
> >>> device that was previously doing the HTTP redirects would be able to
> do the
> >>> similar coordination of making sure the PvD ID that is given out to
> clients
> >>> matches the PvD API server (which is the same as the "Captive Web
> Server").
> >>>
> >>> For the captive use-case, I see the integration of PvDs as an
> incremental
> >>> step:
> >>>
> >>> 1. Today, we join a network, always do a probe, which may get
> redirected
> >>> to a captive web server
> >>> 2. With RFC 7710, we would join a network and do the same as (1),
> unless
> >>> the captive URL is given in the DHCP/RA and we just make a connection
> >>> directly.
> >>> 3. With the Captive API draft, we can interact with the portal other
> than
> >>> just showing a webpage; but this may still be bootstrapped by 7710 if
> not
> >>> using another mechanism
> >>> 4. With PvDs, the mechanism in 7710 is generalized to support APIs
> other
> >>> than just captive, and can indicate that no captive portal or other
> extended
> >>> info is present; and the PvD API in this form is just a more generic
> version
> >>> of the captive API that allows us to use the same mechanism for other
> >>> network properties that aren't specifically captive (like enterprise
> network
> >>> extended info, or walled gardens)
> >>>
> >>> Getting into the arms race of people avoiding the captive probes: if
> >>> someone doesn't want to interact with the client OS's captive portal
> system,
> >>> they can and likely will not change anything and just keep redirecting
> >>> pages. Hopefully if a better solution becomes prevalent enough in the
> >>> future, client OS's will be able to just ignore and reject any network
> that
> >>> redirects traffic, and the only supported captive portals would be
> ones that
> >>> interact in specified ways and advertise themselves as captive
> networks. In
> >>> order to get to this point, there certainly needs to be a carrot to
> >>> incentivize adoption. My goal with the more flexible interaction
> supported
> >>> by PvD is that we will allow the networks to provide a better user
> >>> experience to people joining their networks, and integrate with client
> OS's
> >>> to streamline the joining process (notification of the network being
> >>> available, who owns it, how to accept and how to pay), the maintenance
> >>> process (being able to integrate time left or bytes left on the
> network into
> >>> the system UI), and what is allowed or not on the network.
> >>>
> >>> Thanks,
> >>> Tommy
> >>>
> >>>
> >>> On Aug 16, 2017, at 6:51 AM, David Bird <dbird@google.com> wrote:
> >>>
> >>> My question about where the PvD API resides was somewhat rhetorical. In
> >>> reality, I'm sure you will find all of the above - In the NAS (e.g.
> Cisco),
> >>> at the hotspot services provider, and something hosted next to the
> venues
> >>> website. It depends mostly on how this URL is configured, and by whom.
> (One
> >>> could imagine people doing all sorts of things).
> >>>
> >>> My question more specifically for the authors is, how would Cisco
> >>> implement PvD for Guest/Public access and would it actively stop
> avoiding
> >>> Apple captive portal detection? Or, would turning on PvD just make that
> >>> 'feature' easier to implement?
> >>>
> >>> On Tue, Aug 15, 2017 at 5:19 PM, Erik Kline <ek@google.com> wrote:
> >>>>
> >>>> Randomly selecting Tommy and Eric so this bubbles up in their inbox.
> >>>>
> >>>> On 2 August 2017 at 10:36, David Bird <dbird@google.com> wrote:
> >>>> > Could an author of PvD help me understand the following questions
> for
> >>>> > each
> >>>> > of the diagrams below I found on the Internet -- which represent
> some
> >>>> > typical hotspot configurations out there...
> >>>> >
> >>>> > - Where would the API reside?
> >>>> >
> >>>> > - Who 'owns' the API?
> >>>> >
> >>>> > - How does the API keep in-sync with the NAS? Who's responsible for
> >>>> > that
> >>>> > (possibly multi-vendor, multi-AAA) integration?
> >>>> >
> >>>> > 1) Typical Hotspot service company outsourcing:
> >>>> >
> >>>> > http://cloudessa.com/wp-content/uploads/2013/08/shema-
> CaptivePortalSolution_beta2b.png
> >>>> >
> >>>> > 2) Same as above, except venue owns portal:
> >>>> >
> >>>> > http://cloudessa.com/wp-content/uploads/2013/07/
> solutions_hotspots-co-working-cloudessa_2p1.png
> >>>> >
> >>>> > 3) Now consider the above, but the venue has more roaming partners
> and
> >>>> > multi-realm RADIUS setup in their Cisco NAS:
> >>>> >
> >>>> > http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-
> 3/config-guide/b_cg83/b_cg83_chapter_0100111.html
> >>>> > describes many options -- including separate MAC authentication
> >>>> > sources,
> >>>> > optional portals for 802.1x (RADIUS) authenticated users, and so
> much
> >>>> > more...
> >>>> >
> >>>> > "Cisco ISE supports internal and external identity sources. Both
> >>>> > sources can
> >>>> > be used as an authentication source for sponsor-user and guest-user
> >>>> > authentication."
> >>>> >
> >>>> > Also note this interesting article:  the section Information About
> >>>> > Captive
> >>>> > Bypassing and how it describes how to avoid Apple captive portal
> >>>> > detection!!! "If no response is received, then the Internet access
> is
> >>>> > assumed to be blocked by the captive portal and Apple’s Captive
> >>>> > Network
> >>>> > Assistant (CNA) auto-launches the pseudo-browser to request portal
> >>>> > login in
> >>>> > a controlled window. The CNA may break when redirecting to an ISE
> >>>> > captive
> >>>> > portal. The controller prevents this pseudo-browser from popping
> up."
> >>>> >
> >>>> >
> >>>> >
> >>>> > _______________________________________________
> >>>> > Captive-portals mailing list
> >>>> > Captive-portals@ietf.org
> >>>> > https://www.ietf.org/mailman/listinfo/captive-portals
> >>>> >
> >>>
> >>>
> >>>
> >>
> >> _______________________________________________
> >> Captive-portals mailing list
> >> Captive-portals@ietf.org
> >> https://www.ietf.org/mailman/listinfo/captive-portals
> >>
> >>
> >
> >
> > _______________________________________________
> > Captive-portals mailing list
> > Captive-portals@ietf.org
> > https://www.ietf.org/mailman/listinfo/captive-portals
> >
>