IETF Logo Mail Archive

Re: [Captive-portals] Requirements for "captive portal closed" notifications

Pierre Pfister <pierre.pfister@darou.fr> Tue, 20 March 2018 16:52 UTC

Return-Path: <SRS0=cjKy=GK=darou.fr=pierre.pfister@bounces.m4x.org>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B1B0F128961 for <captive-portals@ietfa.amsl.com>; Tue, 20 Mar 2018 09:52:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.951
X-Spam-Level:
X-Spam-Status: No, score=-3.951 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Tml1JoS1ynW6 for <captive-portals@ietfa.amsl.com>; Tue, 20 Mar 2018 09:52:30 -0700 (PDT)
Received: from mx1.polytechnique.org (mx1.polytechnique.org [129.104.30.34]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D656312EB41 for <captive-portals@ietf.org>; Tue, 20 Mar 2018 09:51:51 -0700 (PDT)
Received: from ams3-vpn-dhcp2299.cisco.com (unknown [173.38.220.46]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ssl.polytechnique.org (Postfix) with ESMTPSA id 90D15564762; Tue, 20 Mar 2018 17:51:45 +0100 (CET)
From: Pierre Pfister <pierre.pfister@darou.fr>
Message-Id: <337A848A-F36A-45AD-9343-E1A14A5CBE1C@darou.fr>
Content-Type: multipart/alternative; boundary="Apple-Mail=_27648BFD-5FC5-4F09-BABB-E0B80AE63938"
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
Date: Tue, 20 Mar 2018 16:51:44 +0000
In-Reply-To: <CAKD1Yr3rP24jQ6sMpoXZ3pU02FmvwDNc9=w2oAh4bMWZmEtQ_A@mail.gmail.com>
Cc: captive-portals@ietf.org
To: Lorenzo Colitti <lorenzo@google.com>
References: <CAKD1Yr3rP24jQ6sMpoXZ3pU02FmvwDNc9=w2oAh4bMWZmEtQ_A@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.5.20)
X-AV-Checked: ClamAV using ClamSMTP at svoboda.polytechnique.org (Tue Mar 20 17:51:45 2018 +0100 (CET))
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/yz3LbGdSzl2xhdjP-8qwURcqWhY>
Subject: Re: [Captive-portals] Requirements for "captive portal closed" notifications
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Mar 2018 16:56:23 -0000

Turning the requirements around I would add that sending ICMP messages based on a session being ‘almost done’ might be challenging from a router/hardware perspective. Routers might have to rate-limit such messages, and sometimes fail to send them.

So I would add that the ICMP message should only be relied upon as a backup mechanism to detect that something is wrong while the API mechanism already failed to detect that the session is almost over.
In other words, I think the detection of a session being almost over is first and foremost a problem to be solved by the API mechanism, and as a backup (i.e. in case of inconsistency between the API and the Enforcement point), with the ICMP mechanism.

- Pierre

> Le 20 mars 2018 à 15:29, Lorenzo Colitti <lorenzo@google.com> a écrit :
> 
> Per discussion at the mike today on what we should do with the ICMP unreachable draft - here are some properties I think are necessary in a hint to the UE that the captive portal is closed.
> 
> 1. The notification should not be easy to spoof. This is easiest to do by making it a hint to the UE that it should talk to the API.
> An ICMP message by itself is not secure. For example, it's trivial for an off-path attacker to generate ICMP messages for sessions from legitimate UEs to <popularwebsite>:443. Getting a UE to trust such a message only requires getting the ephemeral port right, and many OSes have a quite limited range of ephemeral ports.
> Tero points out that if we do want to secure such a message, then we should not roll our own security but should use an existing, secure protocol such as IPsec.
> 
> 2. It should be possible to send the notification *before* the captive portal closes, to facilitate seamless connectivity. Ideally the user should be able to re-up the captive portal without having to wait until the network is dead or the device has switched to another network.
> 
> 3. The notification should not be on a per-destination basis. A hint that conveys the information "you can reach facebook, but to reach CNN you need to upgrade to another service plan" is not technically infeasible but is unlikely ever to reach WG and IETF consensus and therefore I think we should not spend our time talking about it.
> 
> 4. I'm not sure whether it's possible for the hint to be anything more than a binary "you are or will very soon be captive". Saying things like "an upgrade opportunity is available" may be hard to encode.
> 
> Cheers,
> Lorenzo
> _______________________________________________
> Captive-portals mailing list
> Captive-portals@ietf.org
> https://www.ietf.org/mailman/listinfo/captive-portals

v2.23.0 | Report a Bug | By Email