Re: [Captive-portals] Use Case: "Carrier Grade Captive Portal"
David Bird <dbird@google.com> Wed, 03 May 2017 13:24 UTC
Return-Path: <dbird@google.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4574512949D for <captive-portals@ietfa.amsl.com>; Wed, 3 May 2017 06:24:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RJsyk6yezjed for <captive-portals@ietfa.amsl.com>; Wed, 3 May 2017 06:24:27 -0700 (PDT)
Received: from mail-io0-x233.google.com (mail-io0-x233.google.com [IPv6:2607:f8b0:4001:c06::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 605B3129400 for <captive-portals@ietf.org>; Wed, 3 May 2017 06:20:08 -0700 (PDT)
Received: by mail-io0-x233.google.com with SMTP id k91so12032506ioi.1 for <captive-portals@ietf.org>; Wed, 03 May 2017 06:20:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=5TnBgAn0MThL8cVJWT7BKOsDvhSaeQUN7WoRnhsdLRs=; b=isvjWS/d2VmnuxbCdheet1zyFAkz9P/5HQ9iljugNz/pZOnhve6lLqmz8D0sUhurx5 QEKLKgOaVVum7lfuPVnlkNDQKp3vdsiHNzgXD3Z8Tnf3J8XkwKibtrDIhQI6bkTLX8jB kzmKdPtjcub30SSDx/LjcShNDeQNhvNXlOA/L3L4WYEhoM61siPXtlwSdb2mpJ/PMmHV /tYUynY9YEUZczcEYN0Q3ECuFOGG+noB088zOyCI0zLpgpakiOQ0JVF7qO+ba2FiAeUR Z+sJ6kwcn1wbq0tlirAA3weZH/uK0QeKho2bIAVt2qk1O0YmMZJYxAM9G5wuH99WWKRn vGtQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=5TnBgAn0MThL8cVJWT7BKOsDvhSaeQUN7WoRnhsdLRs=; b=FuExY4gCjXCcFa6cb45cw3dUQHeCWi6dJFSMw8/xzOnYvBJp96Sc1OJMi0L0Np11FK 9irvjVg/h0oVutYu2pxQkJ224c1denY8V9iyfSUe8PZCnuUnCIYjBA/w8pDeS74ncEq3 Uu3UGx0VCRSEBBhZYhGQHgmFKCWXwD3/Lr8kzClHhMqoQ8eKxQ/7yfCQC+D4ThUL9yhi fUq0WN7t7Hhmbzuk2yxGHdyqMDwmbpSH9lZXmTclcLU6AkTS0gbRFXHyyijt6DKlkVhA 6Wnc7usQ0fcXwRKTyg2NqA3eEiZDbOtv/I5RrLzGEQYbsY2qJ700/1DbkuDNhbxg6oCC wsYQ==
X-Gm-Message-State: AN3rC/5HiAwhyzkyU5eRF3BQV/lqUsN8CCb9NU4FGcnWvql34IBVZSRB l4p+sPZdQiEIQDI+5miaTxo7w59PCr71
X-Received: by 10.107.174.71 with SMTP id x68mr18458222ioe.35.1493817607472; Wed, 03 May 2017 06:20:07 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.79.12.147 with HTTP; Wed, 3 May 2017 06:20:06 -0700 (PDT)
In-Reply-To: <201705031442.50683.heiko.folkerts@bsi.bund.de>
References: <201705031442.50683.heiko.folkerts@bsi.bund.de>
From: David Bird <dbird@google.com>
Date: Wed, 03 May 2017 06:20:06 -0700
Message-ID: <CADo9JyV2w-K7QhJaqAFvXEN8gLD6DjuYqzuELEiihK+0J1X3rQ@mail.gmail.com>
To: Heiko Folkerts <heiko.folkerts@bsi.bund.de>
Cc: captive-portals@ietf.org, "Herzig, Willi" <willi.herzig@bsi.bund.de>, Gunther Nitzsche <gnitzsche@netcologne.de>
Content-Type: multipart/alternative; boundary="001a114409eedb1e49054e9e83c5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/zxC09uhxuJGZLN5fs7df3o3s6vU>
Subject: Re: [Captive-portals] Use Case: "Carrier Grade Captive Portal"
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 May 2017 13:24:30 -0000
Thanks for your presentation! Yes, I think that use-case fits in with the group's understanding of captive portals. Fixing HTTPS hijacking is priority #1 for this WG, imho. On Wed, May 3, 2017 at 5:42 AM, Heiko Folkerts <heiko.folkerts@bsi.bund.de> wrote: > Hi everybody, > > I visited the capport WG the first time in Chicago. Thank you very much for > the presentations! Afterwards I had a very brief chat with Martin about a > use > case, I name “carrier grade captive portals”. As a result I want to present > this use case to you on this mailing list: > > *Background and use case:* > In Germany the Federal Office for Information Security informs the ISPs > with > IPs, timestamp and other information of users that are part of a botnet. > The > ISPs are informing the users about the infection. We can not inform the > users > without the help of the ISP as they are the only ones knowing who is behind > the dynamic IP address users get normally in Germany. > There are different ways to inform users by the ISPs: e-mail, snail mail > or a > carrier grade captive portal (aka walled garden, forced portal), > > The most efficient way to inform and get systems cleaned has been proven is > the carrier grade captive portal. > One of the internet service providers, NetCologne, uses a, as they call > it, > Forced Portal. The current solution is legal in germany, if the ISPs terms > of > service are appropriate. > > *Technically it roughly works like this:* > - When the abuse management system detects that a user is infected, the CPE > customers router connection (PPOE connection) is disconnected and > immediately > a new PPOE connection is started. > - With the new PPOE connection, the CPE customers router gets a new > DNSServer, > IP, gateway (policy routing) and is connected to a carrier grade captive > portal. > - Within the new network connection all traffic is routed through a > HTTP/HTTPS > proxy. This proxy allows the user to access selected sites like > informational > sites about infections, AV and OS vendors and will otherwise present an > information page to the user. This information page tells the user about > the > situation, including information about the infection(s) and instructs him > how > to clean the system. > > *Problem (almost the same as you know it):* > As with captive portals in local networks this worked pretty well using > HTTP. > Also on Browsers, which first tries a HTTP connection, the information > page is displayed. Problem occurs now with HTTPS. Especially Google Chrome > does no longer connect first using HTTP when the user enters a domain name > of > a web page if using HSTS and HSTS preload. > Connecting with HTTPS, the browser detects a MITM attack (which of course > makes sense, because it is MITM) and does not display the information page. > Instead an error page is displayed, which generates a whole lot of calls to > the costumer support. An addional problem we encounter is that the well > known > detection strategies used by iOS/macOS, Windows and Android for captive > portals do *never* work in our case. > Reason is that these detection strategies will only test for captive > portals, > when the network connection of the actual device (for example using WiFi) > is > started new. In our case the customers CPE router gets a new PPPOE > connection, but the client does not detect that the network connection to > the internet was dropped by the router. > > Do you think that „carrier grade captive portals“ are in scope of the > capport > WG charta? Would the work already done at capport help to cope with this > problem? > My understanding of the current work in capport is, that it will not solve > this problem entirely, but I think, it may already be half-way towards a > solution. Because pushing a customer to a walled garden does not do a > status > change on the client system, but the CPE might work as some kind of > “captive > portal relais”, using at least parts of the current architecture of capport > on the internal LAN. > > Do you think it is usful that the capport WG considers our use case in its > work? Any help is appreciated. > > Best regards, > > Heiko. > > -- > Heiko Folkerts > --------------------------------------------------- > Referat CK 15 > Federal Office for Information Security (BSI) > > Godesberger Allee 185 -189 > 53175 Bonn > Germany > Telefon: +49 228 99 9582-5955 > Fax: +49 228 99 10 9582-5955 > E-Mail: heiko.folkerts@bsi.bund.de > Internet: www.bsi.bund.de > www.bsi-fuer-buerger.de > > _______________________________________________ > Captive-portals mailing list > Captive-portals@ietf.org > https://www.ietf.org/mailman/listinfo/captive-portals >
- [Captive-portals] Use Case: "Carrier Grade Captiv… Heiko Folkerts
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… David Bird
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Dave Dolson
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Warren Kumari
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Erik Kline
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Mark Nottingham
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Michael Richardson
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Gunther Nitzsche
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… David Bird
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Gunther Nitzsche
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… David Bird
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Dave Dolson
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Vincent van Dam
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Erik Kline
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Livingood, Jason
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Martin Thomson
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Livingood, Jason
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Martin Thomson
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Gunther Nitzsche
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Erik Kline
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Michael Richardson
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… David Bird
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Vincent van Dam
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Dave Dolson
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Eric Vyncke (evyncke)
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Erik Kline
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Dave Dolson
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Tommy Pauly
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… David Bird
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Dave Dolson
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Dave Dolson
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Tommy Pauly
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Tommy Pauly
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… David Bird