IETF Logo Mail Archive

Re: [Captive-portals] Thinking of something related to captive portals for the ietf98 hackathon

Christian Saunders <Christian.Saunders@sjrb.ca> Thu, 02 March 2017 16:53 UTC

Return-Path: <Christian.Saunders@sjrb.ca>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6BA42129435 for <captive-portals@ietfa.amsl.com>; Thu, 2 Mar 2017 08:53:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sjrb.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t1JxfGUB8QPS for <captive-portals@ietfa.amsl.com>; Thu, 2 Mar 2017 08:53:07 -0800 (PST)
Received: from prdcg4ipta01x-ext.shaw.ca (prdcg4ipta01x-ext.shaw.ca [204.209.208.146]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2A84B129515 for <captive-portals@ietf.org>; Thu, 2 Mar 2017 08:53:06 -0800 (PST)
X-IronPort-AV: E=Sophos; i="5.35,232,1484031600"; d="scan'208,217"; a="65493987"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=SJRB.onmicrosoft.com; s=selector1-sjrb-ca; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=ZkSb89cwYH4jT48ESpYsEBCp9AKhrw+7CFRVhjztP+A=; b=YIHndyv3LRu8ElaSSb4jgopvRc00X9a+AhLHDY4UOkoN4fseuyfSthPfvmrlh/Y4jvdv7F3L+2+wv0cSVs99dYC92fX/W0NthCeIG33db06vdeamqMgSTh2QFt9IoCVnWfJZ2pUueWV7EEJ8UlP6p4663SLWPZi7GqYE9slU0zk=
From: Christian Saunders <Christian.Saunders@sjrb.ca>
To: "captive-portals@ietf.org" <captive-portals@ietf.org>
Thread-Topic: [Captive-portals] Thinking of something related to captive portals for the ietf98 hackathon
Thread-Index: AdKNFR+bf0xZqFFnS8Og1nbMlvXDPgAAzZ6AAABiywAAAGXtAAABDnSAAAOAwYAAAA5OgAAAD1kAAAAcdoAAFEfdgAAYSkGAAAVlo4ABX72hgA==
Date: Thu, 02 Mar 2017 16:53:01 +0000
Message-ID: <42ccd318-31dd-04a6-0524-5502a74e78e9@sjrb.ca>
References: <D76BBBCF97F57144BB5FCF08007244A77058108A@wtl-exchp-1.sandvine.com> <CADo9JyUz6QRVg23cFmv7xTu_0dzbQM-xVXx7=79k3ao+59szVg@mail.gmail.com> <CAKD1Yr0B2HUz6AXExA7nK3URqkq3yFFuBXRVGM+mMR+KjnO1Ag@mail.gmail.com> <E8355113905631478EFF04F5AA706E987051EC6E@wtl-exchp-1.sandvine.com> <CAKD1Yr0p37+SuE03SLKQ2tZDxxeL3=jO8gSw9y66UnYXSDzeKw@mail.gmail.com> <E8355113905631478EFF04F5AA706E987051F25D@wtl-exchp-1.sandvine.com> <CAKD1Yr06UukkD+vM5ueiBfqe4h2t53G=-7hZN=wy1nO1_efJ2w@mail.gmail.com> <E8355113905631478EFF04F5AA706E987051F305@wtl-exchp-1.sandvine.com> <CADo9JyXki8J_Gd_ac8xAsp9V0b79rK0dPdXzHkuoLV-OQ47C2w@mail.gmail.com> <CAAedzxp1GZ8J5h2YnEo+xDAHTjhPHL6_YcfD4p5148G=0a6Mxg@mail.gmail.com> <E8355113905631478EFF04F5AA706E987052118B@wtl-exchp-1.sandvine.com> <D76BBBCF97F57144BB5FCF08007244A770581B9A@wtl-exchp-1.sandvine.com>
In-Reply-To: <D76BBBCF97F57144BB5FCF08007244A770581B9A@wtl-exchp-1.sandvine.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.1
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=sjrb.ca;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [204.209.209.138]
x-microsoft-exchange-diagnostics: 1; BN3PR04MB2292; 7:EodfJqWEU7i8lWx4TpjfQyn6Uaf65qd1+jBUntkgaAQWIRXrWbs+6Dty51t5Mdl8Y0wVqZgfjfIkGZpyONGnsXbGOXfBdoIvFqo4UNBX/e9XWJ6r4LhaV9TJPuxdPzYB5krx3ZKrrCMlUlDw2AtxyeWnQCEj8cGv94rJhOlbuflgElvLaaQvJZosm4DdaggbL8sfpO+k5fEK73M49lBlYbizwJQRguRKANm+yGPCPiHgSR//zE1ukv+2O+Q26KwPNmU+8kx1Odt2OV6aaeh5O9UkngHmjNMgZaBxQCoos3YWz92VCEyd9UjSYzcoVZWbmX+0nooRo/Iw76ljWBMIdQ==
x-forefront-antispam-report: SFV:SKI; SCL:-1SFV:NSPM; SFS:(10009020)(979002)(7916002)(39450400003)(165144002)(377454003)(51444003)(52314003)(24454002)(53754006)(377424004)(2501003)(2900100001)(83506001)(5630700001)(53546006)(93886004)(31686004)(74482002)(2351001)(7736002)(2906002)(76176999)(50986999)(3660700001)(54356999)(3280700002)(7906003)(15187005004)(36756003)(65956001)(65806001)(92566002)(66066001)(6246003)(53936002)(790700001)(86362001)(102836003)(54896002)(64126003)(6116002)(8676002)(4001350100001)(31696002)(450100001)(25786008)(5640700003)(99286003)(3846002)(6306002)(6916009)(38730400002)(53946003)(189998001)(2950100002)(16200700003)(65826007)(229853002)(236005)(6436002)(122556002)(606005)(77096006)(81166006)(5660300001)(6512007)(6486002)(8936002)(33646002)(110136004)(6506006)(959014)(579004)(559001)(569005); DIR:OUT; SFP:1101; SCL:1; SRVR:BN3PR04MB2292; H:BN3PR04MB2290.namprd04.prod.outlook.com; FPR:; SPF:None; MLV:ovrnspm; PTR:InfoNoRecords; LANG:en;
x-ms-office365-filtering-correlation-id: 1b2961c2-7bde-4c13-a114-08d4618c96a4
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(22001);SRVR:BN3PR04MB2292;
x-microsoft-antispam-prvs: <BN3PR04MB229283AF413D462B90F9EF8E89280@BN3PR04MB2292.namprd04.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(278428928389397)(166708455590820)(192374486261705)(227817650892897)(211936372134217)(275809806118684)(5213294742642)(21532816269658);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040375)(601004)(2401047)(8121501046)(5005006)(3002001)(10201501046)(6041248)(20161123558025)(20161123555025)(20161123560025)(20161123564025)(20161123562025)(6072148); SRVR:BN3PR04MB2292; BCL:0; PCL:0; RULEID:; SRVR:BN3PR04MB2292;
x-forefront-prvs: 023495660C
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_42ccd31831dd04a605245502a74e78e9sjrbca_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Mar 2017 16:53:01.4247 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 8b30192e-1388-4ed6-8208-e35dd72ad2ad
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN3PR04MB2292
X-OriginatorOrg: sjrb.ca
X-TM-AS-Product-Ver: SMEX-11.0.0.4255-8.100.1062-22918.000
X-TM-AS-Result: No--30.893100-0.000000-31
X-TM-AS-User-Approved-Sender: Yes
X-TM-AS-User-Blocked-Sender: No
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/zmGwbVYF_rjw8kZWCJlA3nk-rpE>
Subject: Re: [Captive-portals] Thinking of something related to captive portals for the ietf98 hackathon
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Mar 2017 16:53:11 -0000

There were some volunteers for writing a document defining the aforementioned REST API at the BoF. Is there a rough draft we could work from at the hackathon?
I wasn't able to attend the BoF, but I have some experience developing RESTful APIs and would be happy to help out.

Thanks,

Christian

On 17-02-23 10:01 AM, Kyle Larose wrote:
Alright. Thanks everyone for the great discussion. Please continue. ☺

It sounds like there may be some value in making more progress on the ICMP message simply so we can play around with exposing any security holes, and finding ways to plug them. So, it still seems like a good hackathon candidate to me.

Also, since this is a hackathon, why not try to work on more than I can possibly handle? Let’s try to tackle the REST API for RFC 7710 as well. I’ll admit that I’m awful at defining REST APIs, and I don’t really have much experience with this technology, so I’m probably not right to do it, but maybe someone else could help contribute?

Can someone maybe confirm the intent of the REST API? I vaguely recall a discussion at the BoF about allowing less interactive devices, such as smart watches, to authenticate without needing a browser. Was that it?

There were some volunteers for writing a document defining the aforementioned REST API at the BoF. Is there a rough draft we could work from at the hackathon?

Anyway, I think I’ll add the following to the hackathon wiki:

Technology: Captive Portal
Projects

·         Finish up the icmp I-D in coova-chili

·         Try out various client solutions for consuming the icmp message.

·         Try to find security holes in the icmp I-D, and plug them (the output being suggestions to improve the I-D)

·         Work on defining and implementing a REST API for RFC 7710

How does that sound?

Thanks,

Kyle

From: Dave Dolson
Sent: Thursday, February 23, 2017 9:27 AM
To: Erik Kline; David Bird
Cc: captive-portals@ietf.org<mailto:captive-portals@ietf.org>; Kyle Larose; warren@kumari.net<mailto:warren@kumari.net>; Lorenzo Colitti
Subject: RE: [Captive-portals] Thinking of something related to captive portals for the ietf98 hackathon

Erik,
I don’t think it is onerous.
But, the device causing captive portal is not always on the local subnet of the end-user device.

I think it is better to have a security scheme that doesn’t depend on TTL.

-Dave


From: Erik Kline [mailto:ek@google.com]
Sent: Wednesday, February 22, 2017 9:52 PM
To: David Bird
Cc: Dave Dolson; captive-portals@ietf.org<mailto:captive-portals@ietf.org>; Kyle Larose; warren@kumari.net<mailto:warren@kumari.net>; Lorenzo Colitti
Subject: Re: [Captive-portals] Thinking of something related to captive portals for the ietf98 hackathon

How onerous would it be to require that an ICMPv[46] message with a captive portal code also have a hoplimit of 255 (i.e. be link-local / from an on-link source)?

I could imagine writing a user-space daemon that listens for ICMP message of one specific type, and validates the hoplimit with traditional cmsg tricks.  Furthermore, only having to do so on networks advertising a 7710 option would be good.

On 23 February 2017 at 02:10, David Bird <dbird@google.com<mailto:dbird@google.com>> wrote:
Further, we could tie this to RFC 7710, so that you can disregard this ICMP from networks not expected to be captive portal and networks who do implement captive portal can easily (as in iptables rules) filter out external ICMP of this nature.

On Wed, Feb 22, 2017 at 9:07 AM, Dave Dolson <ddolson@sandvine.com<mailto:ddolson@sandvine.com>> wrote:
Agreed. Hence the discussion about using a difficult-to-guess token in the message.
________________________________
From: Lorenzo Colitti [lorenzo@google.com<mailto:lorenzo@google.com>]
Sent: Wednesday, February 22, 2017 12:05 PM

To: Dave Dolson
Cc: David Bird; warren@kumari.net<mailto:warren@kumari.net>; Kyle Larose; captive-portals@ietf.org<mailto:captive-portals@ietf.org>
Subject: Re: [Captive-portals] Thinking of something related to captive portals for the ietf98 hackathon

The ability for any host in the Internet to trigger an instant response sounds it could turn into a DOS vector, though.

On Thu, Feb 23, 2017 at 2:04 AM, Dave Dolson <ddolson@sandvine.com<mailto:ddolson@sandvine.com>> wrote:
As I understand it, to "think something is wrong" requires an application-layer timeout. Some people think this is about 5s, but I don't believe TCP specifies an upper bound.

An ICMP message can give an "instant" response.

It's worth considering that the ICMP message may trigger the "sacrificial" HTTP request by the operating system.

________________________________
From: Lorenzo Colitti [lorenzo@google.com<mailto:lorenzo@google.com>]
Sent: Wednesday, February 22, 2017 10:24 AM
To: Dave Dolson
Cc: David Bird; warren@kumari.net<mailto:warren@kumari.net>; Kyle Larose; captive-portals@ietf.org<mailto:captive-portals@ietf.org>

Subject: Re: [Captive-portals] Thinking of something related to captive portals for the ietf98 hackathon

Ok, but the implementations that are the most likely to implement this sort of feature already send sacrificial plaintext HTTP requests on connect, and are quite capable of generating HTTP requests on demand when they think something is wrong.

On Wed, Feb 22, 2017 at 11:53 PM, Dave Dolson <ddolson@sandvine.com<mailto:ddolson@sandvine.com>> wrote:
Lorenzo,
My interest in ICMP is that it could work with any protocol, not just HTTP, and doesn't require any MITM for HTTPS.
I recall a discussion about adding a difficult-to-guess token to the ICMP message, making it hard to spoof.

-Dave

________________________________
From: Captive-portals [captive-portals-bounces@ietf.org<mailto:captive-portals-bounces@ietf.org>] on behalf of Lorenzo Colitti [lorenzo@google.com<mailto:lorenzo@google.com>]
Sent: Wednesday, February 22, 2017 9:42 AM
To: David Bird
Cc: warren@kumari.net<mailto:warren@kumari.net>; Kyle Larose; captive-portals@ietf.org<mailto:captive-portals@ietf.org>
Subject: Re: [Captive-portals] Thinking of something related to captive portals for the ietf98 hackathon
I'm not a fan of the ICMP method. I think the security implications need more thought.

As is, it looks like pretty much anyone on the Internet can send you one of these packets, and you have no way of knowing if it's legitimate. Relying on such an easy-to-spoof signal to decide that a network no longer provides Internet access could be quite harmful, particularly if the receiving device decided to switch to cellular data and incur the associated traffic costs. Even if the signal is only taken as a hint to revalidate the network, that still has battery implications.

It would seem to be much more useful to use:

  *   A header in the initial redirect that captive portals almost always generate.
  *   A well-known URL where the state of the captive portal can be revalidated, either periodically or when some other indication of loss of connectivity is observed.
At the last IETF we talked about possibly having a more structured way of communicating this and other bits of information from captive portal to host (a RESTful API, IIRC). That would also be useful, if we can all collectively resist the temptation to overengineer such a mechanism. :-)

On Wed, Feb 22, 2017 at 11:31 PM, David Bird <dbird@google.com<mailto:dbird@google.com>> wrote:
Hi Kyle,

I think that is a great idea!

I had started to implement here: https://github.com/coova/coova-chilli/tree/capport-icmp

What would be nice, in addition to the NAS changes, is to also demonstrate the client side ... either something like icmpd<https://github.com/snaewe/books-code/tree/master/unpv13e/icmpd> (to listen for the ICMP and provide applications a way of checking the status of their dest. unreach. connections), or the necessary Linux kernel changes. Also with kernel changes, the I-D could also be implemented using iptables, or other NAS software too.

Cheers,
David


On Wed, Feb 22, 2017 at 6:12 AM, Kyle Larose <klarose@sandvine.com<mailto:klarose@sandvine.com>> wrote:
Hey everyone,

I was thinking of doing something (anything) related to captive portals for the ietf 98 hackathon. In particular, https://tools.ietf.org/html/draft-wkumari-capport-icmp-unreach-01 caught my eye. I was wondering if anyone had thoughts on that, and whether there is anything else they'd like to see me champion.

Thanks,

Kyle

_______________________________________________
Captive-portals mailing list
Captive-portals@ietf.org<mailto:Captive-portals@ietf.org>
https://www.ietf.org/mailman/listinfo/captive-portals


_______________________________________________
Captive-portals mailing list
Captive-portals@ietf.org<mailto:Captive-portals@ietf.org>
https://www.ietf.org/mailman/listinfo/captive-portals





_______________________________________________
Captive-portals mailing list
Captive-portals@ietf.org<mailto:Captive-portals@ietf.org>
https://www.ietf.org/mailman/listinfo/captive-portals




_______________________________________________
Captive-portals mailing list
Captive-portals@ietf.org<mailto:Captive-portals@ietf.org>
https://www.ietf.org/mailman/listinfo/captive-portals

v2.23.0 | Report a Bug | By Email