IETF Logo Mail Archive

[mif] declaring interface 'up', with WiFi DNS/HTTP interception (login) proxies [was RE: DNS selection with HE-MIF]

"Dan Wing" <dwing@cisco.com> Thu, 07 February 2013 17:13 UTC

Return-Path: <dwing@cisco.com>
X-Original-To: mif@ietfa.amsl.com
Delivered-To: mif@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D6DB21F890D for <mif@ietfa.amsl.com>; Thu, 7 Feb 2013 09:13:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -109.639
X-Spam-Level:
X-Spam-Status: No, score=-109.639 tagged_above=-999 required=5 tests=[AWL=0.154, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, SARE_URI_CONS7=0.306, URI_NOVOWEL=0.5, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 68BqqIoJtsWz for <mif@ietfa.amsl.com>; Thu, 7 Feb 2013 09:13:09 -0800 (PST)
Received: from mtv-iport-2.cisco.com (mtv-iport-2.cisco.com [173.36.130.13]) by ietfa.amsl.com (Postfix) with ESMTP id 3BC7821F87AB for <mif@ietf.org>; Thu, 7 Feb 2013 09:13:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=2776; q=dns/txt; s=iport; t=1360257189; x=1361466789; h=from:to:cc:subject:date:message-id:mime-version: content-transfer-encoding; bh=+t9uY6OyGLlRMMQg04eMZgmGFYhsJX8wp7dviZtkYJ8=; b=SjZ9JZGTOY5mdcG6hGzcItC5fYKA/Ota8uofaShSPXRgBvLb8VTu4Cm5 MZOEUt1C59CUNEdaOg7ekQ7QitxUx7AiDig0d7iFOxIG++IO5scMFc0oC AhJuJz8XoLuf/Yl+6+LR5x03IdSBC/yHMTffdyMYKfp+w5ACtLW0nMvlC k=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgEFAOrfE1GrRDoH/2dsb2JhbABFwGgWcz2BYgEBAQQIAjAPMAwBBRoEAQEBFgEMBCAIJQkJAQQBEgsFh28DDg21Ow2JVowWfYEcAYMsA4hmhSGGQoFYgR2KIoUTgyGBRwcXBg
X-IronPort-AV: E=Sophos;i="4.84,623,1355097600"; d="scan'208";a="71363627"
Received: from mtv-core-2.cisco.com ([171.68.58.7]) by mtv-iport-2.cisco.com with ESMTP; 07 Feb 2013 17:13:08 +0000
Received: from DWINGWS01 ([10.32.240.196]) by mtv-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id r17HD8vR014555; Thu, 7 Feb 2013 17:13:08 GMT
From: Dan Wing <dwing@cisco.com>
To: 'Ted Lemon' <Ted.Lemon@nominum.com>, 'GangChen' <phdgang@gmail.com>
Date: Thu, 07 Feb 2013 09:13:08 -0800
Message-ID: <0f2e01ce0556$6698cf60$33ca6e20$@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: Ac4FVmZSGKWVpQUTTQOUBfohgFXrhQ==
Content-Language: en-us
Cc: 'mif' <mif@ietf.org>, 'draft-ietf-mif-happy-eyeballs-extension' <draft-ietf-mif-happy-eyeballs-extension@tools.ietf.org>
Subject: [mif] declaring interface 'up', with WiFi DNS/HTTP interception (login) proxies [was RE: DNS selection with HE-MIF]
X-BeenThere: mif@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Multiple Interface Discussion List <mif.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mif>, <mailto:mif-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mif>
List-Post: <mailto:mif@ietf.org>
List-Help: <mailto:mif-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mif>, <mailto:mif-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Feb 2013 17:13:10 -0000

> -----Original Message-----
> From: mif-bounces@ietf.org [mailto:mif-bounces@ietf.org] On Behalf Of
> Ted Lemon
> Sent: Monday, February 04, 2013 9:35 PM
> To: GangChen
> Cc: mif; draft-ietf-mif-happy-eyeballs-extension
> Subject: Re: [mif] DNS selection with HE-MIF
> 
> On Feb 4, 2013, at 11:02 PM, GangChen <phdgang@gmail.com> wrote:
> > I can't comment on benefits of "doing DNS queries within one
> > provisioning domain, and then using the results in the other
> > provisioning domain." But HE-MIF has to do in some cases, because that
> > maybe a normal node behavior, like stated in RFC6418 "A node usually
> > has a node-scoped routing table". This issue may retrospect to basic
> > Internet host design in RFC1122. Changing the model would go beyond
> > HE-MIF scope.
> 
> Okay, so your point is that we can't do connections within a
> provisioning domain, because we don't have control over how a connection
> is routed.
> 
> I agree that this is a problem, but it is explicitly within the scope of
> the MIF charter to consider this problem and document it.   It is quite
> likely the case that solving the problem is outside of the current MIF
> charter, and that such work, if attempted, ought not to occur in MIF.
> 
> However, if in fact the HE-MIF document can't work correctly without
> solving this problem, then it is certainly within the scope of the
> current charter for the MIF working group to draw that conclusion.
> 
> For my part, what I am saying is that HE-MIF can't really be very useful
> without solving this problem.   It is not in fact the case that a MIF
> node can have a single node-scoped routing table and still succeed in
> communicating on the network in the face of, for example, an interface
> that's connected to a captive portal but providing a default route, as
> such captive portals typically do.

The technique used by both Apple and Microsoft is, when joining a new
network, to attempt to retrieve a certain URI.  Microsoft's procedure
is described in
http://technet.microsoft.com/en-us/library/cc766017%28v=ws.10%29.aspx,
which queries www.msftncsi.com and needs to see 131.107.255.255 as
the answer, and then does an HTTP GET.  If anything is abnormal, it
assumes there is a proxy on the path.  Apple does something similar by 
attempting to retrieve https://www.apple.com/library/test/success.html.  
Unfortunately, this seems the best technique available to detect such
DNS interception and HTTP interception proxies that force a login or
force a click-through.  

For MIF -- not just HE-MIF, but all of MIF -- we should not declare an
interface "up" until such a validation succeeds.  It is unfortunate
this is not solved at layer 2, where it arguably belongs.

-d

v2.23.0 | Report a Bug | By Email