Re: Gen-ART and OPS-Dir review of draft-wkumari-dhc-capport-13

David Farmer <farmer@umn.edu> Wed, 15 July 2015 05:43 UTC

Return-Path: <farmer@umn.edu>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3906A1A6EF2 for <ietf@ietfa.amsl.com>; Tue, 14 Jul 2015 22:43:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.71
X-Spam-Level:
X-Spam-Status: No, score=-2.71 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8EOsode_Byyr for <ietf@ietfa.amsl.com>; Tue, 14 Jul 2015 22:43:49 -0700 (PDT)
Received: from vs-m.tc.umn.edu (vs-m.tc.umn.edu [134.84.119.120]) by ietfa.amsl.com (Postfix) with ESMTP id 746AD1A6F33 for <ietf@ietf.org>; Tue, 14 Jul 2015 22:43:48 -0700 (PDT)
Received: from mail-ie0-f174.google.com (mail-ie0-f174.google.com [209.85.223.174]) by vs-m.tc.umn.edu (UMN smtpd) with ESMTP (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128/128); for <ietf@ietf.org>; Wed, 15 Jul 2015 00:43:45 -0500 (CDT)
X-Umn-Remote-Mta: [N] mail-ie0-f174.google.com [209.85.223.174] #+LO+TS+TR
X-Umn-Classification: local
Received: by ietj16 with SMTP id j16so26424511iet.0 for <ietf@ietf.org>; Tue, 14 Jul 2015 22:43:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umn.edu; s=google; h=message-id:date:from:reply-to:organization:user-agent:mime-version :to:cc:subject:references:in-reply-to:content-type :content-transfer-encoding; bh=FZy7JRkFJklQKK/EeLa9AXogwalNziog7Z6H0cc7pZ0=; b=EZz97c+cTSAFoRS/eMWRBWeUQioQlYG9wRF/bDNDoe9xLMBwLJpMNbvNMECcWfDDyJ tB5U6fYZRBZJvVO9oasuG7pQlVeZSWwpFsv92Kt8PyzXl96wjxbiJMwGvJ1qhLXanZRZ tEJYLPyZvspKp/lqo+7of20ij2bnBO7r6P9o4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:reply-to:organization :user-agent:mime-version:to:cc:subject:references:in-reply-to :content-type:content-transfer-encoding; bh=FZy7JRkFJklQKK/EeLa9AXogwalNziog7Z6H0cc7pZ0=; b=WY6xv1WPW299GK7O4/BVky2/JpB5jZHWWXn6tzvwWn9lYxCu312ryrX5iaC8aNjlYI kDLf2iT79HVI5PQl1t0mYFXMp3w0f8Menq2jbXAxCXeRfpRmkaJpi0mZY9jd2jjpqYrx bJYvaYpgxM20CMa80UlLHfr4mxpb+l/QcF3xwjncguRuI9y23jrFwF5djQga4i0TTxSh 1i0RwTJcnAFNf7wjRiP9zflbOSCXK1CDZ/e7ng3K2Pk9abi5alNyFqskdZPOaSMAS6B4 cmQQm34By09lPuMm+Iy/Nb7RVMXGx161QetXkIOlQH+GLLKaCHPbvZOjtp/cl4ZNee9h ykRQ==
X-Gm-Message-State: ALoCoQkUefJS03B4GCAMURtjW31Smq2fjcmzYK8UQ/UNBgh5gi85vRlyXPrQD9asWxkSzwe+d1dcPathKf7EdbKs/ihGtsVMnfubi7foZFxXDOziKywHGyODE14wYa78302BX7k9EwRw
X-Received: by 10.50.87.74 with SMTP id v10mr8235525igz.37.1436939024923; Tue, 14 Jul 2015 22:43:44 -0700 (PDT)
X-Received: by 10.50.87.74 with SMTP id v10mr8235514igz.37.1436939024757; Tue, 14 Jul 2015 22:43:44 -0700 (PDT)
Received: from oit201651646.local ([2601:449:8100:a59f:4d28:1bfb:5488:b95f]) by smtp.gmail.com with ESMTPSA id h7sm9448594igt.3.2015.07.14.22.43.42 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 14 Jul 2015 22:43:43 -0700 (PDT)
Message-ID: <55A5F30B.6040801@umn.edu>
Date: Wed, 15 Jul 2015 00:43:39 -0500
From: David Farmer <farmer@umn.edu>
Organization: University of Minnesota
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Ted Lemon <ted.lemon@nominum.com>, Sam Hartman <hartmans-ietf@mit.edu>
Subject: Re: Gen-ART and OPS-Dir review of draft-wkumari-dhc-capport-13
References: <CE03DB3D7B45C245BCA0D2432779493613FF7529@MX104CL02.corp.emc.com> <55A13B30.4070208@bogus.com> <DM2PR0301MB065593620A6E227EB2D5421CA89E0@DM2PR0301MB0655.namprd03.prod.outlook.com> <CAHw9_iLS1BGmUfeUP7fX58QAZ4QmM72ZcTV6hZZwper40bG+=Q@mail.gmail.com> <DM2PR0301MB0655F71CD565888B3F1A4DCAA89E0@DM2PR0301MB0655.namprd03.prod.outlook.com> <55A2B3EE.9030406@nominum.com> <DM2PR0301MB06556CCF1464FCC56A4F3EF8A89D0@DM2PR0301MB0655.namprd03.prod.outlook.com> <55A2D520.60907@nominum.com> <tslio9odlz6.fsf@mit.edu> <55A3F49B.7060701@nominum.com> <55A561D4.9040008@umn.edu> <55A56A60.2030802@nominum.com>
In-Reply-To: <55A56A60.2030802@nominum.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/CsskWlBomYdvYj4YcFeOus2vsh0>
Cc: "ietf@ietf.org" <ietf@ietf.org>, Christian Huitema <huitema@microsoft.com>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: David Farmer <farmer@umn.edu>
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jul 2015 05:43:51 -0000

On 7/14/15 15:00 , Ted Lemon wrote:
> On 07/14/2015 12:24 PM, David Farmer wrote:
>> However, what if the only purpose of the portal is to display
>> marketing and/or acceptance of Term & Conditions?  Is DNSSEC and SSL
>> still required in this case?  I tend to think not, but I'm happy to
>> hear why I'm wrong.
>>
>> Frequently that is all the captive portal is, a little marketing and
>> maybe T's & C's to keep the lawyers happy.  For most coffee shops or
>> restaurants and a lot of other public places this all the portal does.
>
> The issue is that we want to avoid being infected by malware, and if the
> captive portal controls all of our access to the information we'd use to
> avoid connecting to an untrustworthy source, we are in trouble. Chances
> are that your marketing splash is some kind of flash or javascript
> thing, and we'd like to be able to know that we are really talking to
> you and that you aren't on a malware blacklist.   DNSSEC and TLS (not
> SSL, all versions of SSL are known to be vulnerable to hacks of various
> kinds) are required to make this work.

OK fine TLS, but don't pick on me, Ted you said SSL in your list, I was 
just going off of that.

So to be clear your saying all captive portals even if they don't 
exchange information with users need to be TLS and DNSSEC verifiable? 
Correct me if I'm wrong, but I think that also means they need to be 
using public address too, not RFC 1918 or ULA.

Personally, happy to do that, especially with a DHCP or RA option like 
proposed.  Because of the stupid way many apps deal with the 
redirection, you need to redirect to a plain HTTP page first.  Otherwise 
TLS resources needed can be very massive in some situations, 100s or 
1000s of redirects per second aren't unheard of.  And, 100s or 1000s TLS 
session per second is not something your going to do on a typical 
wireless controller.

However, I'm not sure it really makes that much difference, it isn't 
what our captive portal does that will be your issue it's what be bad 
guy's captive portal does and there ain't much we can to about that. 
And I'm not sure how much TLS will really help there, as SAM points out 
domain names and certificates are that hard to come by, not really an 
excuse for the good guys to not do it, but its not going to fix the 
problem either.

The only thing we can really do is NOT have you use insecure open 
wireless by providing secure wireless options.  But, I'm some what 
depressed by the number of people who WANT to use insecure open wireless 
for many reasons, ease of use, anonymity, etc...

We provide secure options and are working on proving easy ways to have 
even visitors/guest use secure wireless.  But honestly, most people 
don't want to be bothered, I'm the bad guy tying to make their life 
harder, or I want to monitor their usage or something.

-- 
================================================
David Farmer               Email: farmer@umn.edu
Office of Information Technology
University of Minnesota
2218 University Ave SE     Phone: 1-612-626-0815
Minneapolis, MN 55414-3029  Cell: 1-612-812-9952
================================================