Re: [dhcwg] Comment on draft-wkumari-dhc-capport-13

Alexandru Petrescu <alexandru.petrescu@gmail.com> Wed, 15 July 2015 11:23 UTC

To: dhcwg@ietf.org
References: <CE03DB3D7B45C245BCA0D2432779493613FF7529@MX104CL02.corp.emc.com> <55A13B30.4070208@bogus.com> <DM2PR0301MB065593620A6E227EB2D5421CA89E0@DM2PR0301MB0655.namprd03.prod.outlook.com> <CAHw9_iLS1BGmUfeUP7fX58QAZ4QmM72ZcTV6hZZwper40bG+=Q@mail.gmail.com> <tsl380sf4et.fsf@mit.edu> <CAHw9_iJgNmmfx3=OoRXPdYcA37Q9Y5EhZ_TbKp+CRS6xuda8xA@mail.gmail.com>
From: Alexandru Petrescu <alexandru.petrescu@gmail.com>
Message-ID: <55A642BC.30307@gmail.com>
Date: Wed, 15 Jul 2015 13:23:40 +0200
In-Reply-To: <CAHw9_iJgNmmfx3=OoRXPdYcA37Q9Y5EhZ_TbKp+CRS6xuda8xA@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dhcwg/hifp4Ij4koXk0HXngi4daDZz-Xk>
Subject: Re: [dhcwg] Comment on draft-wkumari-dhc-capport-13

Hello, let me comment on this.

draft-wkumari-dhc-capport-13 says:
>    In order to avoid having to perform DNS interception, the URI SHOULD
>    contain an address literal, but MAY contain a DNS name if the captive
>    portal allows the client to perform DNS requests to resolve the name.

It is not good to recommend IPv4 address literals in URIs.  It's going 
to be hard to get rid of.

Maybe accept human-readable IPv6 literals.

Alex
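The point at issue above is whether the URI carried in the captive-portal option names an address literal (no DNS round trip before the portal lets DNS through) or a DNS name. The following is an added example, not code from the draft or from any poster on this thread; it classifies the host part of a URI as an IPv4 literal, an IPv6 literal or a DNS name, treating both literal families as satisfying the draft's SHOULD. The sample URIs are constructed for illustration.

```python
"""Classify the host in a captive-portal URI: address literal or DNS name.

Added example for the thread above; not code from the draft or from any
poster.  The sample URIs at the bottom are constructed for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

# Assumed policy for this example: a literal of either family satisfies
# the draft's SHOULD; a DNS name only works if the portal lets the client
# resolve it before authentication.
LITERAL_KINDS = {"ipv4-literal", "ipv6-literal"}


def classify_capport_host(uri: str) -> str:
    """Return 'ipv4-literal', 'ipv6-literal', 'dns-name' or 'invalid'.

    urlsplit() strips the square brackets from a bracketed IPv6 host and
    separates any :port, so .hostname is the bare host to inspect.
    """
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "invalid"
    try:
        addr = ipaddress.ip_address(parts.hostname)
    except ValueError:
        # Not parseable as an address: a name the client must resolve.
        return "dns-name"
    return "ipv4-literal" if addr.version == 4 else "ipv6-literal"


def needs_dns(uri: str) -> bool:
    """True when a client must resolve a name to reach this portal URI."""
    return classify_capport_host(uri) == "dns-name"


def audit(uris):
    """Map each URI to (classification, meets-the-SHOULD)."""
    result = {}
    for uri in uris:
        kind = classify_capport_host(uri)
        result[uri] = (kind, kind in LITERAL_KINDS)
    return result


if __name__ == "__main__":
    samples = [  # constructed examples, not from the draft
        "http://192.0.2.1/portal",
        "https://[2001:db8::1]:8443/login",
        "http://portal.example.net/",
        "ftp://192.0.2.1/",
    ]
    for uri, (kind, ok) in audit(samples).items():
        print(f"{uri:40} {kind:13} {'ok' if ok else 'needs DNS or invalid'}")
```

Note that `ipaddress.ip_address` also accepts IPv4-mapped IPv6 forms such as `::ffff:192.0.2.1`, which this classifier reports as an IPv6 literal; whether a portal should emit those is a separate question from the one raised above.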


On 13/07/2015 17:59, Warren Kumari wrote:
> Okey dokey, I'm happy to add something.
>
> Does anyone have any suggested text?
>
> W
>
> On Monday, July 13, 2015, Sam Hartman <hartmans-ietf@mit.edu
> <mailto:hartmans-ietf@mit.edu>> wrote:
>
>      >>>>> "Warren" == Warren Kumari <warren@kumari.net>
>     writes:
>
>          Warren>    On Saturday, July 11, 2015, Christian Huitema
>          Warren> <huitema@microsoft.com>
>          Warren>    wrote:
>
>          Warren>      On Saturday, July 11, 2015 8:50 AM, joel jaeggli wrote
>          >> ...  [5] Section 5:
>          >>
>          >> Fake DHCP servers / fake RAs are currently a security concern -
>          >> this doesn't make them any better or worse.
>          >>
>          >> Please cite a reference for this, preferably with operational
>          >> recommendations on limiting these problems (e.g., ensure that
>          >> DHCP
>          Warren>      and
>          >> RA traffic cannot be injected from outside/beyond the network
>          >> that
>          Warren>      is relevant to the portal).
>
>      >      There is definitely an
>      > attack vector there. Suppose an attacker can monitor the
>      > traffic, say on an unencrypted Wi-Fi hot spot. The attacker
>      > can see a DHCP request or INFORM, and race in a fake
>      > response with an URL of their own choosing. The mark's
>      > computer automatically connects there, and downloads some
>      > zero-day attack.  Bingo!
>
>          Warren>    An attacker with this level of access can already do
>          Warren> this. They fake a DHCP response with themselves as the
>          Warren> gateway and insert a 302 into any http connection. Or, more
>          Warren> likely they simply inject malicious code into some
>          Warren> connection.
>
>
>     I'm with Christian.  The attack he describes--injecting a URI--is less
>     likely in my mind to be noticed than setting up a gateway.  So, I do
>     consider this a new vector.
>
>
>
> --
> I don't think the execution is relevant when it was obviously a bad idea
> in the first place.
> This is like putting rabid weasels in your pants, and later expressing
> regret at having chosen those particular rabid weasels and that pair of
> pants.
>     ---maf
>
>
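Christian's scenario above is a raced DHCP reply carrying an attacker-chosen portal URI, and Joel asks for operational guidance on keeping DHCP injection out of the portal's network. The following is an added example, not code from the draft or from any poster: it parses the option area of constructed DHCPv4 replies, extracts the Server Identifier and the captive-portal URI, and flags a reply whose server is not on an allow-list. Two assumptions: the captive-portal option code is taken as 160 (the code RFC 7710 later assigned for DHCPv4; the draft text quoted in this thread does not state it), and the allow-list stands in for what a deployment would really learn from DHCP snooping or switch-port bindings, since the Server Identifier itself is attacker-controlled.

```python
"""Parse DHCPv4 replies and flag captive-portal offers from unexpected servers.

Added example for the thread above; not code from the draft or from any
poster.  Packets are constructed in-line.  Assumptions: option code 160
for the captive-portal URI (RFC 7710's later DHCPv4 assignment; not stated
in the draft text quoted here) and an allow-list of trusted server IDs.
"""
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
OPT_CAPPORT = 160          # assumption, see module docstring
DHCPOFFER, DHCPACK = 2, 5


def build_reply(msg_type, server_id, capport_uri=None):
    """Build a minimal BOOTREPLY with the given options (test fixture only)."""
    hdr = bytearray(236)
    hdr[0], hdr[1], hdr[2] = 2, 1, 6     # op=BOOTREPLY, htype=Ethernet, hlen=6
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    opts += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
    if capport_uri is not None:
        uri = capport_uri.encode("ascii")
        opts += bytes([OPT_CAPPORT, len(uri)]) + uri
    return bytes(hdr) + MAGIC_COOKIE + opts + bytes([OPT_END])


def parse_options(packet):
    """Return {code: value} for the option area; reject truncated TLVs.

    Repeated codes are concatenated, as RFC 3396 long-option encoding
    requires.  Raises ValueError on anything malformed.
    """
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (missing magic cookie)")
    opts = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            return opts
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    raise ValueError("option area not terminated with END")


def check_reply(packet, trusted_servers):
    """Classify an OFFER/ACK; None for other message types.

    'rogue' is True when the Server Identifier is missing or not in
    trusted_servers.  The identifier is attacker-controlled, so on a real
    network pair this with the ingress port from DHCP snooping.
    """
    opts = parse_options(packet)
    mtype = opts.get(OPT_MSG_TYPE)
    if mtype not in (bytes([DHCPOFFER]), bytes([DHCPACK])):
        return None
    sid = opts.get(OPT_SERVER_ID)
    server = str(ipaddress.IPv4Address(sid)) if sid and len(sid) == 4 else None
    uri = opts.get(OPT_CAPPORT)
    return {
        "type": "OFFER" if mtype == bytes([DHCPOFFER]) else "ACK",
        "server": server,
        "capport_uri": uri.decode("ascii", "replace") if uri is not None else None,
        "rogue": server not in trusted_servers,
    }


TRUSTED = {"192.0.2.1"}      # assumed legitimate server for this example

# Constructed packets: one legitimate offer, one raced-in attacker offer.
LEGIT = build_reply(DHCPOFFER, "192.0.2.1", "http://192.0.2.1/portal")
ROGUE = build_reply(DHCPOFFER, "198.51.100.9", "http://198.51.100.9/update")

if __name__ == "__main__":
    for pkt in (LEGIT, ROGUE):
        print(check_reply(pkt, TRUSTED))
```

Because a client acts on whichever reply arrives first, an offline check like this only tells you after the fact that a rogue offer was seen; the preventive control Joel is asking for is the switch dropping server-side DHCP (and RA) traffic on client ports.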