Re: [mif] prblem statement: DNS/captive portals - was (RE: AD review of draft-ietf-mif-current-practices)
<pierrick.seite@orange-ftgroup.com> Tue, 12 April 2011 08:48 UTC
Return-Path: <pierrick.seite@orange-ftgroup.com>
X-Original-To: mif@ietfc.amsl.com
Delivered-To: mif@ietfc.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfc.amsl.com (Postfix) with ESMTP id 01496E06A6 for <mif@ietfc.amsl.com>; Tue, 12 Apr 2011 01:48:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.248
X-Spam-Level:
X-Spam-Status: No, score=-3.248 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_FR=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([208.66.40.236]) by localhost (ietfc.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5rJKYhfhHqZF for <mif@ietfc.amsl.com>; Tue, 12 Apr 2011 01:48:44 -0700 (PDT)
Received: from p-mail2.rd.francetelecom.com (p-mail2.rd.francetelecom.com [195.101.245.16]) by ietfc.amsl.com (Postfix) with ESMTP id B2636E0682 for <mif@ietf.org>; Tue, 12 Apr 2011 01:48:43 -0700 (PDT)
Received: from p-mail2.rd.francetelecom.com (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 3D858858002; Tue, 12 Apr 2011 10:54:59 +0200 (CEST)
Received: from ftrdsmtp2.rd.francetelecom.fr (unknown [10.192.128.47]) by p-mail2.rd.francetelecom.com (Postfix) with ESMTP id 08A1F778001; Tue, 12 Apr 2011 10:54:58 +0200 (CEST)
Received: from ftrdmel0.rd.francetelecom.fr ([10.192.128.56]) by ftrdsmtp2.rd.francetelecom.fr with Microsoft SMTPSVC(6.0.3790.4675); Tue, 12 Apr 2011 10:48:42 +0200
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01CBF8EE.6C271457"
Date: Tue, 12 Apr 2011 10:48:40 +0200
Message-ID: <843DA8228A1BA74CA31FB4E111A5C46201A16430@ftrdmel0.rd.francetelecom.fr>
In-Reply-To: <BANLkTinpZ0R7o5T_ALOYyok-8fFqkO41Rg@mail.gmail.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [mif] prblem statement: DNS/captive portals - was (RE: AD review of draft-ietf-mif-current-practices)
Thread-Index: Acv3ODKf/W/Zwd4DS1WHAm0LTDWMBwBs8epw
References: <4D90926D.3030700@piuha.net><8D91C7B0-190C-4C82-868A-CA0507F9C09B@nominum.com><916CE6CF87173740BC8A2CE443096962015946@008-AM1MPN1-036.mgdnok.nokia.com><843DA8228A1BA74CA31FB4E111A5C462019B5E9B@ftrdmel0.rd.francetelecom.fr> <BANLkTinpZ0R7o5T_ALOYyok-8fFqkO41Rg@mail.gmail.com>
From: pierrick.seite@orange-ftgroup.com
To: denghui02@gmail.com
X-OriginalArrivalTime: 12 Apr 2011 08:48:42.0027 (UTC) FILETIME=[6CBAAFB0:01CBF8EE]
Cc: mif@ietf.org
Subject: Re: [mif] prblem statement: DNS/captive portals - was (RE: AD review of draft-ietf-mif-current-practices)
X-BeenThere: mif@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Multiple Interface Discussion List <mif.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mif>, <mailto:mif-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mif>
List-Post: <mailto:mif@ietf.org>
List-Help: <mailto:mif-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mif>, <mailto:mif-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Apr 2011 08:48:50 -0000
Hi, -11 of problem statement has succinct considerations on captive portal; but clearly it is worth to be detailed. So, based on Ted's text, the problem statement has been updated accordingly: http://www.ietf.org/internet-drafts/draft-ietf-mif-problem-statement-12.txt (section 4.1) Pierrick ________________________________ De : Hui Deng [mailto:denghui02@gmail.com] Envoyé : dimanche 10 avril 2011 06:32 À : SEITE Pierrick RD-RESA-REN Cc : teemu.savolainen@nokia.com; Ted.Lemon@nominum.com; jari.arkko@piuha.net; mif@ietf.org Objet : Re: [mif] prblem statement: DNS/captive portals - was (RE: AD review of draft-ietf-mif-current-practices) Today's most operators are using captive portal for wifi authentication, I would agree this problem exists widely and encourage to include it into the PS. thanks a lot -Hui 2011/3/31 <pierrick.seite@orange-ftgroup.com> Any other comments with regards to this text? Is there an agreement to include it into the PS? > -----Message d'origine----- > De : teemu.savolainen@nokia.com [mailto:teemu.savolainen@nokia.com] > Envoyé : lundi 28 mars 2011 17:47 > À : Ted.Lemon@nominum.com; jari.arkko@piuha.net > Cc : draft-ietf-mif-current-practices@tools.ietf.org; mif@ietf.org > Objet : RE: AD review of draft-ietf-mif-current-practices > > Ted, > > Good text. I agree the problem exist. The DNS server selection points to > this issue as well: > -- > (DISCUSS: > What about those DNS servers that instead of negative answer always > return positive reply with an IP address of some captive portal?) > -- > > IMHO the problem section should say that this problem (usually/always) > disappears right after M1 has authenticated to the captive portal and > interface becomes truly "up". I.e. human intervention is required to clear > the situation, but once cleared, things work as they should - until > captive portal possibly wants to renew authentication.. > > This problem btw means the M1 cannot start validating responses until > authentication with captive portal shas been completed. > > Best regards, > > Teemu > > > > -----Original Message----- > > From: mif-bounces@ietf.org [mailto:mif-bounces@ietf.org] On Behalf Of > > ext Ted Lemon > > Sent: 28. maaliskuuta 2011 17:25 > > To: Jari Arkko > > Cc: draft-ietf-mif-current-practices@tools.ietf.org; mif > > Subject: Re: [mif] AD review of draft-ietf-mif-current-practices > > > > FYI, this is a rough approximation of the text I would want to add: > > > > 4.1a. DNS resolution issues with captive portals > > > > A MIF node (M1) has an active interface(I1) connected to a network > > (N1) which has its DNS server (S1) and another active interface > > (I2) connected to a network (N2) which has its DNS server (S2). S1 > > is configured to respond to any A or AAAA record query with the > > IP address of a captive portal, so as to redirect web browsers to an > > access control portal web page. Any of the following situations > > may occur: > > > > 1. M1 stack, based on its routing table, uses I2 to reach S1 to > > resolve "a.example.com <http://a.example.com/> ". M1 never reaches S1. The name > > is not resolved. > > 2. M1 keeps only one set of DNS server addresses from the received > > configuration objects and kept S2 address. M1 sends the > > forward DNS query for a.example.com <http://a.example.com/> to S2. S2 responds with the > > correct answer, R1. M1 attempts to contact R1 by way of I1. > > The connection fails. Or, the connection succeeds, > > bypassing the security policy on N1, possibly exposing the > > owner of M1 to prosecution. > > 3. M1 keeps only one set of DNS server addresses from the received > > configuration objects and kept S1 address. M1 sends the DNS > > query for a.example.com <http://a.example.com/> to S1. S1 provides the address of its > > captive portal. S1 attempts to contact this IP address using > > I1. The application tries to connect to the wrong destination > > node, resulting in lack of service and possible security issues. > > 4. M1 has resolved an FQDN to the IP address of the captive portal > > connected to N1. If the node loses connection to N1, the node > > may try to connect, via N2, to the same IP address as earlier, > > but as the address was only locally valid, connection setup > > fails. > > _______________________________________________ > > mif mailing list > > mif@ietf.org > > https://www.ietf.org/mailman/listinfo/mif _______________________________________________ mif mailing list mif@ietf.org https://www.ietf.org/mailman/listinfo/mif
- [mif] AD review of draft-ietf-mif-current-practic… Jari Arkko
- Re: [mif] AD review of draft-ietf-mif-current-pra… pierrick.seite
- Re: [mif] AD review of draft-ietf-mif-current-pra… pierrick.seite
- Re: [mif] AD review of draft-ietf-mif-current-pra… Stefano Faccin
- Re: [mif] AD review of draft-ietf-mif-current-pra… stefano faccin
- Re: [mif] AD review of draft-ietf-mif-current-pra… pierrick.seite
- Re: [mif] AD review of draft-ietf-mif-current-pra… pierrick.seite
- Re: [mif] AD review of draft-ietf-mif-current-pra… Stefano Faccin
- Re: [mif] AD review of draft-ietf-mif-current-pra… pierrick.seite
- Re: [mif] AD review of draft-ietf-mif-current-pra… Stefano Faccin
- Re: [mif] AD review of draft-ietf-mif-current-pra… pierrick.seite
- Re: [mif] AD review of draft-ietf-mif-current-pra… pierrick.seite
- Re: [mif] AD review of draft-ietf-mif-current-pra… pierrick.seite
- [mif] AD review of draft-ietf-mif-current-practic… Jari Arkko
- Re: [mif] AD review of draft-ietf-mif-current-pra… Ted Lemon
- Re: [mif] AD review of draft-ietf-mif-current-pra… teemu.savolainen
- Re: [mif] AD review of draft-ietf-mif-current-pra… pierrick.seite
- Re: [mif] AD review of draft-ietf-mif-current-pra… Ted Lemon
- [mif] prblem statement: DNS/captive portals - was… pierrick.seite
- Re: [mif] prblem statement: DNS/captive portals -… Hui Deng
- Re: [mif] prblem statement: DNS/captive portals -… pierrick.seite
- Re: [mif] prblem statement: DNS/captive portals -… Julien Laganier
- Re: [mif] prblem statement: DNS/captive portals -… Ted Lemon
- Re: [mif] prblem statement: DNS/captive portals -… pierrick.seite