IETF Logo Mail Archive

Re: [Captive-portals] Use Case: "Carrier Grade Captive Portal"

David Bird <dbird@google.com> Wed, 03 May 2017 13:24 UTC

Return-Path: <dbird@google.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4574512949D for <captive-portals@ietfa.amsl.com>; Wed, 3 May 2017 06:24:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RJsyk6yezjed for <captive-portals@ietfa.amsl.com>; Wed, 3 May 2017 06:24:27 -0700 (PDT)
Received: from mail-io0-x233.google.com (mail-io0-x233.google.com [IPv6:2607:f8b0:4001:c06::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 605B3129400 for <captive-portals@ietf.org>; Wed, 3 May 2017 06:20:08 -0700 (PDT)
Received: by mail-io0-x233.google.com with SMTP id k91so12032506ioi.1 for <captive-portals@ietf.org>; Wed, 03 May 2017 06:20:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=5TnBgAn0MThL8cVJWT7BKOsDvhSaeQUN7WoRnhsdLRs=; b=isvjWS/d2VmnuxbCdheet1zyFAkz9P/5HQ9iljugNz/pZOnhve6lLqmz8D0sUhurx5 QEKLKgOaVVum7lfuPVnlkNDQKp3vdsiHNzgXD3Z8Tnf3J8XkwKibtrDIhQI6bkTLX8jB kzmKdPtjcub30SSDx/LjcShNDeQNhvNXlOA/L3L4WYEhoM61siPXtlwSdb2mpJ/PMmHV /tYUynY9YEUZczcEYN0Q3ECuFOGG+noB088zOyCI0zLpgpakiOQ0JVF7qO+ba2FiAeUR Z+sJ6kwcn1wbq0tlirAA3weZH/uK0QeKho2bIAVt2qk1O0YmMZJYxAM9G5wuH99WWKRn vGtQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=5TnBgAn0MThL8cVJWT7BKOsDvhSaeQUN7WoRnhsdLRs=; b=FuExY4gCjXCcFa6cb45cw3dUQHeCWi6dJFSMw8/xzOnYvBJp96Sc1OJMi0L0Np11FK 9irvjVg/h0oVutYu2pxQkJ224c1denY8V9iyfSUe8PZCnuUnCIYjBA/w8pDeS74ncEq3 Uu3UGx0VCRSEBBhZYhGQHgmFKCWXwD3/Lr8kzClHhMqoQ8eKxQ/7yfCQC+D4ThUL9yhi fUq0WN7t7Hhmbzuk2yxGHdyqMDwmbpSH9lZXmTclcLU6AkTS0gbRFXHyyijt6DKlkVhA 6Wnc7usQ0fcXwRKTyg2NqA3eEiZDbOtv/I5RrLzGEQYbsY2qJ700/1DbkuDNhbxg6oCC wsYQ==
X-Gm-Message-State: AN3rC/5HiAwhyzkyU5eRF3BQV/lqUsN8CCb9NU4FGcnWvql34IBVZSRB l4p+sPZdQiEIQDI+5miaTxo7w59PCr71
X-Received: by 10.107.174.71 with SMTP id x68mr18458222ioe.35.1493817607472; Wed, 03 May 2017 06:20:07 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.79.12.147 with HTTP; Wed, 3 May 2017 06:20:06 -0700 (PDT)
In-Reply-To: <201705031442.50683.heiko.folkerts@bsi.bund.de>
References: <201705031442.50683.heiko.folkerts@bsi.bund.de>
From: David Bird <dbird@google.com>
Date: Wed, 03 May 2017 06:20:06 -0700
Message-ID: <CADo9JyV2w-K7QhJaqAFvXEN8gLD6DjuYqzuELEiihK+0J1X3rQ@mail.gmail.com>
To: Heiko Folkerts <heiko.folkerts@bsi.bund.de>
Cc: captive-portals@ietf.org, "Herzig, Willi" <willi.herzig@bsi.bund.de>, Gunther Nitzsche <gnitzsche@netcologne.de>
Content-Type: multipart/alternative; boundary="001a114409eedb1e49054e9e83c5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/zxC09uhxuJGZLN5fs7df3o3s6vU>
Subject: Re: [Captive-portals] Use Case: "Carrier Grade Captive Portal"
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 May 2017 13:24:30 -0000

Thanks for your presentation! Yes, I think that use-case fits in with the
group's understanding of captive portals.

Fixing HTTPS hijacking is priority #1 for this WG, imho.

On Wed, May 3, 2017 at 5:42 AM, Heiko Folkerts <heiko.folkerts@bsi.bund.de>
wrote:

> Hi everybody,
>
> I visited the capport WG the first time in Chicago. Thank you very much for
> the presentations! Afterwards I had a very brief chat with Martin about a
> use
> case, I name “carrier grade captive portals”. As a result I want to present
> this use case to you on this mailing list:
>
> *Background and use case:*
> In Germany the Federal Office for Information Security informs the ISPs
> with
> IPs, timestamp and other information of users that are part of a botnet.
> The
> ISPs are informing the users about the infection. We can not inform the
> users
> without the help of the ISP as they are the only ones knowing who is behind
> the dynamic IP address users get normally in Germany.
> There are different ways to inform users by the ISPs: e-mail, snail mail
> or a
> carrier grade captive portal (aka walled garden, forced portal),
>
> The most efficient way to inform and get systems cleaned has been proven is
> the carrier grade captive portal.
> One of the  internet service providers, NetCologne, uses a, as they call
> it,
> Forced Portal. The current solution is legal in germany, if the ISPs terms
> of
> service are appropriate.
>
> *Technically it roughly works like this:*
> - When the abuse management system detects that a user is infected, the CPE
> customers router connection (PPOE connection) is disconnected and
> immediately
> a new PPOE connection is started.
> - With the new PPOE connection, the CPE customers router gets a new
> DNSServer,
> IP, gateway (policy routing) and is connected to a carrier grade captive
> portal.
> - Within the new network connection all traffic is routed through a
> HTTP/HTTPS
> proxy. This proxy allows the user to access selected sites like
> informational
> sites about infections, AV and OS vendors and will otherwise present an
> information page to the user. This information page tells the user about
> the
> situation, including information about the infection(s) and instructs him
> how
> to clean the system.
>
> *Problem (almost the same as you know it):*
> As with captive portals in local networks this worked pretty well using
> HTTP.
> Also on Browsers, which first tries a HTTP connection, the information
> page  is displayed. Problem occurs now with HTTPS. Especially Google Chrome
> does no longer connect first using HTTP when the user enters a domain name
> of
> a web page if using HSTS and HSTS preload.
> Connecting with HTTPS, the browser detects a MITM attack (which of course
> makes sense, because it is MITM) and does not display the information page.
> Instead an error page is displayed, which generates a whole lot of calls to
> the costumer support. An addional problem we encounter is that the well
> known
> detection strategies used by iOS/macOS, Windows and Android for captive
> portals do *never* work in our case.
> Reason is that these detection strategies will only test for captive
> portals,
> when the network connection of the actual device (for example using WiFi)
> is
> started new. In our case the customers CPE router gets a new PPPOE
> connection, but the client  does not detect that the network connection to
> the internet was dropped by the router.
>
> Do you think that „carrier grade captive portals“ are in scope of the
> capport
> WG charta? Would the work already done at capport help to cope with this
> problem?
> My understanding of the current work in capport is, that it will not solve
> this problem entirely, but I think, it may already be half-way towards a
> solution. Because pushing a customer to a walled garden does not do a
> status
> change on the client system, but the CPE might work as some kind of
> “captive
> portal relais”, using at least parts of the current architecture of capport
> on the internal LAN.
>
> Do you think it is usful that the capport WG considers our use case in its
> work? Any help is appreciated.
>
> Best regards,
>
> Heiko.
>
> --
> Heiko Folkerts
> ---------------------------------------------------
> Referat CK 15
> Federal Office for Information Security (BSI)
>
> Godesberger Allee 185 -189
> 53175 Bonn
> Germany
> Telefon:        +49 228 99 9582-5955
> Fax:            +49 228 99 10 9582-5955
> E-Mail: heiko.folkerts@bsi.bund.de
> Internet:       www.bsi.bund.de
>                 www.bsi-fuer-buerger.de
>
> _______________________________________________
> Captive-portals mailing list
> Captive-portals@ietf.org
> https://www.ietf.org/mailman/listinfo/captive-portals
>

v2.23.0 | Report a Bug | By Email