Re: [mif] prblem statement: DNS/captive portals - was (RE: AD review of draft-ietf-mif-current-practices)

Julien Laganier <julien.ietf@gmail.com> Tue, 12 April 2011 18:02 UTC

In-Reply-To: <BANLkTinpZ0R7o5T_ALOYyok-8fFqkO41Rg@mail.gmail.com>
References: <4D90926D.3030700@piuha.net> <8D91C7B0-190C-4C82-868A-CA0507F9C09B@nominum.com> <916CE6CF87173740BC8A2CE443096962015946@008-AM1MPN1-036.mgdnok.nokia.com> <843DA8228A1BA74CA31FB4E111A5C462019B5E9B@ftrdmel0.rd.francetelecom.fr> <BANLkTinpZ0R7o5T_ALOYyok-8fFqkO41Rg@mail.gmail.com>
Date: Tue, 12 Apr 2011 11:01:54 -0700
Message-ID: <BANLkTincH80ye2Wm6heeJa8zDZXC7Yhraw@mail.gmail.com>
From: Julien Laganier <julien.ietf@gmail.com>
To: Hui Deng <denghui02@gmail.com>
Cc: mif@ietf.org
Subject: Re: [mif] prblem statement: DNS/captive portals - was (RE: AD review of draft-ietf-mif-current-practices)

On a side note, the captive portal systems I've encountered lately do
not reply with the IP address of the captive portal when queried with
an arbitrary FQDN (e.g. example.com), but rather reply with the IP
address of the queried FQDN, and then do IP masquerading as the
destination IP address when they receive a TCP SYN on port 80. When
the HTTP GET arrives, they operate an HTTP redirect to the captive
portal. In this way no DNS cache poisoning happens...

--julien

On Sat, Apr 9, 2011 at 9:31 PM, Hui Deng <denghui02@gmail.com> wrote:
> Today most operators are using captive portals for WiFi authentication.
> I would agree this problem exists widely and encourage including it in
> the PS.
>
> thanks a lot
>
> -Hui
>
> 2011/3/31 <pierrick.seite@orange-ftgroup.com>
>>
>> Any other comments with regards to this text? Is there an agreement to
>> include it into the PS?
>>
>> > -----Original Message-----
>> > From: teemu.savolainen@nokia.com [mailto:teemu.savolainen@nokia.com]
>> > Sent: Monday 28 March 2011 17:47
>> > To: Ted.Lemon@nominum.com; jari.arkko@piuha.net
>> > Cc: draft-ietf-mif-current-practices@tools.ietf.org; mif@ietf.org
>> > Subject: RE: AD review of draft-ietf-mif-current-practices
>> >
>> > Ted,
>> >
>> > Good text. I agree the problem exists. The DNS server selection points to
>> > this issue as well:
>> > --
>> > (DISCUSS:
>> >    What about those DNS servers that instead of negative answer always
>> >    return positive reply with an IP address of some captive portal?)
>> > --
>> >
>> > IMHO the problem section should say that this problem (usually/always)
>> > disappears right after M1 has authenticated to the captive portal and
>> > the interface becomes truly "up". I.e. human intervention is required to
>> > clear the situation, but once cleared, things work as they should - until
>> > the captive portal possibly wants to renew authentication..
>> >
>> > This problem btw means the M1 cannot start validating responses until
>> > authentication with the captive portal has been completed.
>> >
>> > Best regards,
>> >
>> >       Teemu
>> >
>> >
>> > > -----Original Message-----
>> > > From: mif-bounces@ietf.org [mailto:mif-bounces@ietf.org] On Behalf Of
>> > > ext Ted Lemon
>> > > Sent: 28 March 2011 17:25
>> > > To: Jari Arkko
>> > > Cc: draft-ietf-mif-current-practices@tools.ietf.org; mif
>> > > Subject: Re: [mif] AD review of draft-ietf-mif-current-practices
>> > >
>> > > FYI, this is a rough approximation of the text I would want to add:
>> > >
>> > > 4.1a.  DNS resolution issues with captive portals
>> > >
>> > >    A MIF node (M1) has an active interface (I1) connected to a network
>> > >    (N1) which has its DNS server (S1) and another active interface
>> > >    (I2) connected to a network (N2) which has its DNS server (S2).  S1
>> > >    is configured to respond to any A or AAAA record query with the
>> > >    IP address of a captive portal, so as to redirect web browsers to
>> > >    an access control portal web page.  Any of the following situations
>> > >    may occur:
>> > >
>> > >    1.  M1 stack, based on its routing table, uses I2 to reach S1 to
>> > >        resolve "a.example.com".  M1 never reaches S1.  The name
>> > >        is not resolved.
>> > >    2.  M1 keeps only one set of DNS server addresses from the received
>> > >        configuration objects and kept S2 address.  M1 sends the
>> > >        forward DNS query for a.example.com to S2.  S2 responds with
>> > >        the correct answer, R1.  M1 attempts to contact R1 by way of I1.
>> > >        The connection fails.  Or, the connection succeeds,
>> > >        bypassing the security policy on N1, possibly exposing the
>> > >        owner of M1 to prosecution.
>> > >    3.  M1 keeps only one set of DNS server addresses from the received
>> > >        configuration objects and kept S1 address.  M1 sends the DNS
>> > >        query for a.example.com to S1.  S1 provides the address of its
>> > >        captive portal.  S1 attempts to contact this IP address using
>> > >        I1.  The application tries to connect to the wrong destination
>> > >        node, resulting in lack of service and possible security
>> > >        issues.
>> > >    4.  M1 has resolved an FQDN to the IP address of the captive portal
>> > >        connected to N1.  If the node loses connection to N1, the node
>> > >        may try to connect, via N2, to the same IP address as earlier,
>> > >        but as the address was only locally valid, connection setup
>> > >        fails.
>> > > _______________________________________________
>> > > mif mailing list
>> > > mif@ietf.org
>> > > https://www.ietf.org/mailman/listinfo/mif
>> _______________________________________________
>> mif mailing list
>> mif@ietf.org
>> https://www.ietf.org/mailman/listinfo/mif
>
>
> _______________________________________________
> mif mailing list
> mif@ietf.org
> https://www.ietf.org/mailman/listinfo/mif
>
>
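As an added illustration of the two portal behaviours discussed in this thread (the resolver that substitutes the portal address for every A/AAAA answer in Ted Lemon's proposed 4.1a text, and the DNS-honest, TCP/80-masquerading portal in Julien's note), here is a classifier a MIF node could run over the results of probing one interface. It is example code written for this page, not code from the MIF working group, the draft or any participant. The probe names, addresses, URLs and the 204 status expected from an unintercepted probe are assumptions, and the DNS answers and HTTP replies are constructed so the logic runs offline.

```python
"""Captive-portal probe classifier (added example, not from the MIF draft).

Two portal behaviours are modelled:
  * DNS-substituting portal (proposed 4.1a text): the network's resolver
    answers every A/AAAA query with the portal's own address.
  * HTTP-intercepting portal (Julien's note): the resolver answers
    truthfully, TCP/80 is masqueraded and the first GET gets a redirect.

All probe names, addresses and URLs below are hypothetical, and the
observations are constructed rather than captured, so the code runs offline.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Hypothetical probe names in unrelated zones: an honest resolver will not
# return one identical single-address answer for all of them.
PROBE_NAMES = ("a.example.com", "b.example.net", "c.example.org")
PROBE_URL = "http://a.example.com/probe"  # hypothetical probe endpoint
EXPECTED_STATUS = 204                     # assumed reply when not intercepted


@dataclass
class HttpResponse:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Verdict:
    kind: str                          # open | dns_spoofing | http_intercept | blocked
    portal_address: Optional[str] = None
    portal_url: Optional[str] = None
    reason: str = ""


def classify(dns_answers: Dict[str, List[str]],
             http: Optional[HttpResponse]) -> Verdict:
    """Decide which kind of portal, if any, sits on the probed interface.

    dns_answers maps each probe name to the addresses the interface's
    resolver returned; http is the reply to a GET of PROBE_URL over that
    interface, or None if no reply arrived.
    """
    # Case from the 4.1a text: every name resolves to one identical address.
    answers = [frozenset(dns_answers.get(name, ())) for name in PROBE_NAMES]
    if all(answers) and len(set(answers)) == 1 and len(answers[0]) == 1:
        (addr,) = answers[0]
        return Verdict("dns_spoofing", portal_address=addr,
                       reason="all probe names resolved to %s" % addr)

    # Case from Julien's note: DNS is honest, so look at the HTTP exchange.
    if http is None:
        return Verdict("blocked", reason="no HTTP reply to probe")
    if http.status == EXPECTED_STATUS:
        return Verdict("open")
    location = http.headers.get("Location")
    if 300 <= http.status < 400 and location:
        probe_host = urlsplit(PROBE_URL).hostname
        portal_host = urlsplit(location).hostname
        # A redirect that stays on the probe host is not interception evidence.
        if portal_host and portal_host != probe_host:
            return Verdict("http_intercept", portal_url=location,
                           reason="GET %s redirected to %s" % (PROBE_URL, portal_host))
    return Verdict("blocked", reason="unexpected status %d" % http.status)


def cache_scope(verdict: Verdict) -> str:
    """Situation 4 of the 4.1a text: an address substituted by a portal is
    valid only while that interface is up, so it must stay interface-local
    and be dropped when the interface goes down, never entering a node-wide
    cache that another interface would consult."""
    return "interface-local" if verdict.kind == "dns_spoofing" else "node-wide"


# Constructed observations (not captured from any real network).
SPOOFING_DNS = {name: ["10.0.0.1"] for name in PROBE_NAMES}
HONEST_DNS = {"a.example.com": ["192.0.2.10"],
              "b.example.net": ["198.51.100.20"],
              "c.example.org": ["203.0.113.30"]}
INTERCEPT_REPLY = HttpResponse(302, {"Location": "http://login.hotspot.example/?next=probe"})
OPEN_REPLY = HttpResponse(204)

if __name__ == "__main__":
    for label, dns, http in (("S1-style resolver", SPOOFING_DNS, None),
                             ("masquerading portal", HONEST_DNS, INTERCEPT_REPLY),
                             ("authenticated", HONEST_DNS, OPEN_REPLY)):
        v = classify(dns, http)
        print("%-20s %-14s cache=%s %s" % (label, v.kind, cache_scope(v), v.reason))
```

The DNS check runs before the HTTP check because, as Teemu points out, nothing the S1-style resolver returns can be validated until the portal has been cleared; the `cache_scope` result is what keeps such an answer from surviving the interface going down, which is the failure in situation 4 of the proposed text.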