[mif] prblem statement: DNS/captive portals - was (RE: AD review of draft-ietf-mif-current-practices)
<pierrick.seite@orange-ftgroup.com> Wed, 30 March 2011 21:49 UTC
Date: Wed, 30 Mar 2011 23:51:19 +0200
From: pierrick.seite@orange-ftgroup.com
To: teemu.savolainen@nokia.com, Ted.Lemon@nominum.com, jari.arkko@piuha.net
Cc: mif@ietf.org
Subject: [mif] prblem statement: DNS/captive portals - was (RE: AD review of draft-ietf-mif-current-practices)

Any other comments with regards to this text? Is there an agreement to include it into the PS?

> -----Original Message-----
> From: teemu.savolainen@nokia.com [mailto:teemu.savolainen@nokia.com]
> Sent: Monday 28 March 2011 17:47
> To: Ted.Lemon@nominum.com; jari.arkko@piuha.net
> Cc: draft-ietf-mif-current-practices@tools.ietf.org; mif@ietf.org
> Subject: RE: AD review of draft-ietf-mif-current-practices
>
> Ted,
>
> Good text. I agree the problem exists. The DNS server selection points to
> this issue as well:
> --
> (DISCUSS:
> What about those DNS servers that instead of negative answer always
> return positive reply with an IP address of some captive portal?)
> --
>
> IMHO the problem section should say that this problem (usually/always)
> disappears right after M1 has authenticated to the captive portal and
> interface becomes truly "up". I.e. human intervention is required to clear
> the situation, but once cleared, things work as they should - until
> captive portal possibly wants to renew authentication.
>
> This problem btw means the M1 cannot start validating responses until
> authentication with captive portal has been completed.
>
> Best regards,
>
> Teemu
>
> > -----Original Message-----
> > From: mif-bounces@ietf.org [mailto:mif-bounces@ietf.org] On Behalf Of
> > ext Ted Lemon
> > Sent: 28 March 2011 17:25
> > To: Jari Arkko
> > Cc: draft-ietf-mif-current-practices@tools.ietf.org; mif
> > Subject: Re: [mif] AD review of draft-ietf-mif-current-practices
> >
> > FYI, this is a rough approximation of the text I would want to add:
> >
> > 4.1a. DNS resolution issues with captive portals
> >
> > A MIF node (M1) has an active interface (I1) connected to a network
> > (N1) which has its DNS server (S1) and another active interface
> > (I2) connected to a network (N2) which has its DNS server (S2). S1
> > is configured to respond to any A or AAAA record query with the
> > IP address of a captive portal, so as to redirect web browsers to an
> > access control portal web page. Any of the following situations
> > may occur:
> >
> > 1. M1 stack, based on its routing table, uses I2 to reach S1 to
> >    resolve "a.example.com". M1 never reaches S1. The name
> >    is not resolved.
> > 2. M1 keeps only one set of DNS server addresses from the received
> >    configuration objects and kept S2 address. M1 sends the
> >    forward DNS query for a.example.com to S2. S2 responds with the
> >    correct answer, R1. M1 attempts to contact R1 by way of I1.
> >    The connection fails. Or, the connection succeeds,
> >    bypassing the security policy on N1, possibly exposing the
> >    owner of M1 to prosecution.
> > 3. M1 keeps only one set of DNS server addresses from the received
> >    configuration objects and kept S1 address. M1 sends the DNS
> >    query for a.example.com to S1. S1 provides the address of its
> >    captive portal. S1 attempts to contact this IP address using
> >    I1. The application tries to connect to the wrong destination
> >    node, resulting in lack of service and possible security issues.
> > 4. M1 has resolved an FQDN to the IP address of the captive portal
> >    connected to N1. If the node loses connection to N1, the node
> >    may try to connect, via N2, to the same IP address as earlier,
> >    but as the address was only locally valid, connection setup
> >    fails.
> > _______________________________________________
> > mif mailing list
> > mif@ietf.org
> > https://www.ietf.org/mailman/listinfo/mif
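
An added illustration of the scenario in the quoted draft text (not part of the original message or of the draft): a Python model in which each DNS answer is tagged with the interface it was learned on, and a server that returns one address for unrelated names, including a random name that should not exist, is flagged as captive. The addresses, the stand-in servers and every function and class name are constructed assumptions.

```python
import secrets
from dataclasses import dataclass

# Constructed sample data (documentation address ranges, not real hosts).
PORTAL = "192.0.2.1"   # captive portal address handed out on N1
REAL = {"a.example.com": "198.51.100.10", "b.example.com": "198.51.100.20"}

def s1_captive(name):
    """Stand-in for S1: every A query gets the portal address."""
    return PORTAL

def s2_honest(name):
    """Stand-in for S2: the real record, or None for a negative answer."""
    return REAL.get(name)

def looks_captive(resolve, probes=("a.example.com", "b.example.com")):
    """True if unrelated names and a random canary all map to one address."""
    canary = secrets.token_hex(8) + ".example.com"
    answers = [resolve(n) for n in (*probes, canary)]
    return answers[-1] is not None and len(set(answers)) == 1

@dataclass
class Answer:
    address: str
    interface: str   # interface whose DNS server produced this answer
    trusted: bool    # False while that server still behaves like a portal

class ScopedResolver:
    """One DNS server per interface; answers never cross interfaces."""
    def __init__(self, servers):
        self.servers = servers   # e.g. {"I1": s1_captive, "I2": s2_honest}
        self.cache = {}

    def resolve(self, name, interface):
        server = self.servers[interface]
        address = server(name)
        if address is None:
            return None
        answer = Answer(address, interface, not looks_captive(server))
        self.cache[(name, interface)] = answer
        return answer

    def lookup_for_connect(self, name, interface):
        """Reuse an answer only on the interface it came from (cases 2, 3)."""
        return self.cache.get((name, interface))

    def interface_down(self, interface):
        """Drop answers that were only valid on the lost network (case 4)."""
        self.cache = {k: v for k, v in self.cache.items() if k[1] != interface}
```
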