IETF Logo Mail Archive

Re: [mif] prblem statement: DNS/captive portals - was (RE: AD review of draft-ietf-mif-current-practices)

<pierrick.seite@orange-ftgroup.com> Tue, 12 April 2011 08:48 UTC

Return-Path: <pierrick.seite@orange-ftgroup.com>
X-Original-To: mif@ietfc.amsl.com
Delivered-To: mif@ietfc.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfc.amsl.com (Postfix) with ESMTP id 01496E06A6 for <mif@ietfc.amsl.com>; Tue, 12 Apr 2011 01:48:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.248
X-Spam-Level:
X-Spam-Status: No, score=-3.248 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_FR=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([208.66.40.236]) by localhost (ietfc.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5rJKYhfhHqZF for <mif@ietfc.amsl.com>; Tue, 12 Apr 2011 01:48:44 -0700 (PDT)
Received: from p-mail2.rd.francetelecom.com (p-mail2.rd.francetelecom.com [195.101.245.16]) by ietfc.amsl.com (Postfix) with ESMTP id B2636E0682 for <mif@ietf.org>; Tue, 12 Apr 2011 01:48:43 -0700 (PDT)
Received: from p-mail2.rd.francetelecom.com (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 3D858858002; Tue, 12 Apr 2011 10:54:59 +0200 (CEST)
Received: from ftrdsmtp2.rd.francetelecom.fr (unknown [10.192.128.47]) by p-mail2.rd.francetelecom.com (Postfix) with ESMTP id 08A1F778001; Tue, 12 Apr 2011 10:54:58 +0200 (CEST)
Received: from ftrdmel0.rd.francetelecom.fr ([10.192.128.56]) by ftrdsmtp2.rd.francetelecom.fr with Microsoft SMTPSVC(6.0.3790.4675); Tue, 12 Apr 2011 10:48:42 +0200
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01CBF8EE.6C271457"
Date: Tue, 12 Apr 2011 10:48:40 +0200
Message-ID: <843DA8228A1BA74CA31FB4E111A5C46201A16430@ftrdmel0.rd.francetelecom.fr>
In-Reply-To: <BANLkTinpZ0R7o5T_ALOYyok-8fFqkO41Rg@mail.gmail.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [mif] prblem statement: DNS/captive portals - was (RE: AD review of draft-ietf-mif-current-practices)
Thread-Index: Acv3ODKf/W/Zwd4DS1WHAm0LTDWMBwBs8epw
References: <4D90926D.3030700@piuha.net><8D91C7B0-190C-4C82-868A-CA0507F9C09B@nominum.com><916CE6CF87173740BC8A2CE443096962015946@008-AM1MPN1-036.mgdnok.nokia.com><843DA8228A1BA74CA31FB4E111A5C462019B5E9B@ftrdmel0.rd.francetelecom.fr> <BANLkTinpZ0R7o5T_ALOYyok-8fFqkO41Rg@mail.gmail.com>
From: pierrick.seite@orange-ftgroup.com
To: denghui02@gmail.com
X-OriginalArrivalTime: 12 Apr 2011 08:48:42.0027 (UTC) FILETIME=[6CBAAFB0:01CBF8EE]
Cc: mif@ietf.org
Subject: Re: [mif] prblem statement: DNS/captive portals - was (RE: AD review of draft-ietf-mif-current-practices)
X-BeenThere: mif@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Multiple Interface Discussion List <mif.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mif>, <mailto:mif-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mif>
List-Post: <mailto:mif@ietf.org>
List-Help: <mailto:mif-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mif>, <mailto:mif-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Apr 2011 08:48:50 -0000

Hi,

 

-11 of problem statement has succinct considerations on captive portal; but clearly it is worth to be detailed. So, based on Ted's text, the problem statement has been updated accordingly: http://www.ietf.org/internet-drafts/draft-ietf-mif-problem-statement-12.txt   (section 4.1)

 

Pierrick

 

 

 

________________________________

De : Hui Deng [mailto:denghui02@gmail.com] 
Envoyé : dimanche 10 avril 2011 06:32
À : SEITE Pierrick RD-RESA-REN
Cc : teemu.savolainen@nokia.com; Ted.Lemon@nominum.com; jari.arkko@piuha.net; mif@ietf.org
Objet : Re: [mif] prblem statement: DNS/captive portals - was (RE: AD review of draft-ietf-mif-current-practices)

 

Today's most operators are using captive portal for wifi authentication,

I would agree this problem exists widely and encourage to include it into the PS.

 

thanks a lot

 

-Hui

2011/3/31 <pierrick.seite@orange-ftgroup.com>


Any other comments with regards to this text? Is there an agreement to include it into the PS?

> -----Message d'origine-----
> De : teemu.savolainen@nokia.com [mailto:teemu.savolainen@nokia.com]
> Envoyé : lundi 28 mars 2011 17:47
> À : Ted.Lemon@nominum.com; jari.arkko@piuha.net
> Cc : draft-ietf-mif-current-practices@tools.ietf.org; mif@ietf.org
> Objet : RE: AD review of draft-ietf-mif-current-practices
>
> Ted,
>
> Good text. I agree the problem exist. The DNS server selection points to
> this issue as well:
> --
> (DISCUSS:
>    What about those DNS servers that instead of negative answer always
>    return positive reply with an IP address of some captive portal?)
> --
>
> IMHO the problem section should say that this problem (usually/always)
> disappears right after M1 has authenticated to the captive portal and
> interface becomes truly "up". I.e. human intervention is required to clear
> the situation, but once cleared, things work as they should - until
> captive portal possibly wants to renew authentication..
>
> This problem btw means the M1 cannot start validating responses until
> authentication with captive portal shas been completed.
>
> Best regards,
>
>       Teemu
>
>
> > -----Original Message-----
> > From: mif-bounces@ietf.org [mailto:mif-bounces@ietf.org] On Behalf Of
> > ext Ted Lemon
> > Sent: 28. maaliskuuta 2011 17:25
> > To: Jari Arkko
> > Cc: draft-ietf-mif-current-practices@tools.ietf.org; mif
> > Subject: Re: [mif] AD review of draft-ietf-mif-current-practices
> >
> > FYI, this is a rough approximation of the text I would want to add:
> >
> > 4.1a.  DNS resolution issues with captive portals
> >
> >    A MIF node (M1) has an active interface(I1) connected to a network
> >    (N1) which has its DNS server (S1) and another active interface
> >    (I2) connected to a network (N2) which has its DNS server (S2).  S1
> >    is configured to respond to any A or AAAA record query with the
> >    IP address of a captive portal, so as to redirect web browsers to an
> >    access control portal web page.  Any of the following situations
> >    may occur:
> >
> >    1.  M1 stack, based on its routing table, uses I2 to reach S1 to
> >        resolve "a.example.com <http://a.example.com/> ".  M1 never reaches S1.  The name
> >        is not resolved.
> >    2.  M1 keeps only one set of DNS server addresses from the received
> >        configuration objects and kept S2 address.  M1 sends the
> >        forward DNS query for a.example.com <http://a.example.com/>  to S2.  S2 responds with the
> >        correct answer, R1.   M1 attempts to contact R1 by way of I1.
> >        The connection fails.     Or, the connection succeeds,
> >        bypassing the security policy on N1, possibly exposing the
> >        owner of M1 to prosecution.
> >    3.  M1 keeps only one set of DNS server addresses from the received
> >        configuration objects and kept S1 address.  M1 sends the DNS
> >        query for a.example.com <http://a.example.com/>  to S1.  S1 provides the address of its
> >        captive portal.   S1 attempts to contact this IP address using
> >        I1.   The application tries to connect to the wrong destination
> >        node, resulting in lack of service and possible security issues.
> >    4.  M1 has resolved an FQDN to the IP address of the captive portal
> >        connected to N1.  If the node loses connection to N1, the node
> >        may try to connect, via N2, to the same IP address as earlier,
> >        but as the address was only locally valid, connection setup
> >        fails.
> > _______________________________________________
> > mif mailing list
> > mif@ietf.org
> > https://www.ietf.org/mailman/listinfo/mif
_______________________________________________
mif mailing list
mif@ietf.org
https://www.ietf.org/mailman/listinfo/mif

v2.23.0 | Report a Bug | By Email