Re: [Doh] Captive portals (was Re: suggested slides for IETF 104 on draft-reid-doh-operator)

Jim Reid <jim@rfc1035.com> Fri, 15 March 2019 07:39 UTC

Return-Path: <jim@rfc1035.com>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C65E6131236 for <doh@ietfa.amsl.com>; Fri, 15 Mar 2019 00:39:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dv8IkqnPAuBM for <doh@ietfa.amsl.com>; Fri, 15 Mar 2019 00:39:32 -0700 (PDT)
Received: from shaun.rfc1035.com (shaun.rfc1035.com [93.186.33.42]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 44B71131223 for <doh@ietf.org>; Fri, 15 Mar 2019 00:39:32 -0700 (PDT)
Received: from gromit.rfc1035.com (gromit.rfc1035.com [195.54.233.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by shaun.rfc1035.com (Postfix) with ESMTPSA id 3B3C0242109D; Fri, 15 Mar 2019 07:39:29 +0000 (UTC)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Jim Reid <jim@rfc1035.com>
In-Reply-To: <0fce90e8-38ef-4503-8e52-0ef8c8d87f64@www.fastmail.com>
Date: Fri, 15 Mar 2019 07:39:28 +0000
Cc: doh@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <9B23961D-8D05-462C-A444-0139B354F171@rfc1035.com>
References: <A0E89D03-9D2D-462F-88F4-11824AC9A523@rfc1035.com> <0fce90e8-38ef-4503-8e52-0ef8c8d87f64@www.fastmail.com>
To: Martin Thomson <mt@lowentropy.net>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/kNk9XkSoh0qGTbvdSBu6Pg5b27w>
Subject: Re: [Doh] Captive portals (was Re: suggested slides for IETF 104 on draft-reid-doh-operator)
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Mar 2019 07:39:39 -0000


> On 15 Mar 2019, at 02:19, Martin Thomson <mt@lowentropy.net> wrote:
> 
> Thanks for sharing the slides Jim,
> 
> (As an aside, the parallels between your summary of the draft and draft-mm-wg-effect-encrypt are striking.)

I wasn’t aware of that draft Martin. Thanks for the tip.

> ... details snipped ...

> That makes me conclude that captive portals aren't any worse off as a result of operating systems or applications choosing to configure their own encrypted resolver service.

Thanks. That’s good to know. Though I think we need more experience and use cases of what actually happens when DoH clients and captive portals bump into each other.

Somewhat off at a tangent: I run a validating resolver on my laptop and generally use that in preference to whatever DNS service is provided on some guest network. This sometimes mean I bypass that network’s captive portal and end up in a (self-inflicted) world of pain. If widespread use of DoT makes that sort of thing happen for large numbers of unsuspecting users...

Suppose a DoH client has already bootstrapped itself and knows the address of its chosen DoH server. The device moves to a new net that has a captive portal. Will the device try to speak DoH to that server’s address directly instead of doing the captive portal dance? Likewise, what happens what a DoH client is configured to only use DoH and therefore never interacts with the network’s or captive portal’s por 53 resolver?