[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Captive-portals] A new draft / idea - draft-wkumari-capport-icmp-unreach



With Linux, at least, I believe applications can make use of it immediately using icmp(7) (requiring root or CAP_NET_RAW capabilities). I'm not aware of any RFC4884 support in Linux, but it would be interesting to have non-root applications access this data via an errno code and a subsequent ioctl() call. 

ICMP does allow for a more immediate notification and the possibility to allow certain traffic, or all traffic for a certain time. Consider the following case:

1) Client connects, he gets DHCP IP and CP info (a typical Hotspot)
2) Client does a HTTP redirect check anyway, it doesn't detect captive portal (maybe he MAC-authed for a 30-min session)
3) After some time, he gets the ICMP/DestUnreach/Host/CP-Extension warnings (CP discovery already knows the URL from step 1 and can prompt user)
4) After session expires, he gets ICMP/DestUnreach/AdminProhib/CP-Extension fatals (CP discovery does HTTP redirect check to get URL)

In this scenario, I think it works well with the DHCP / RA idea - improving the user experience.

David

On Fri, May 1, 2015 at 5:28 AM, Dave Dolson <[email protected]> wrote:

‎I like the ICMP idea because it is immediate, and can be applied to any traffic (not just http).

I think it even allows use cases where some traffic is permitted and other traffic denied. ‎ E.g., allow http to certain web sites, but otherwise access portal to unlock full features.

However, I'm concerned application software won't be able to receive these ICMP messages on most operating systems. I'm unsure about this.

David Dolson
Senior Software Architect, Sandvine Inc.
From: David Bird
Sent: Friday, May 1, 2015 12:29 AM
To: Dave Dolson
Cc: Warren Kumari; Yaron Sheffer; [email protected]
Subject: Re: [Captive-portals] A new draft / idea - draft-wkumari-capport-icmp-unreach


I think there are two (probably more :) concepts at play here; assisting a client's captive portal discovery mechanism in identifying a CP network and the discovery of the login URL, and the notification ("hints") to the client about why connections failed (and to trigger a new CP detection loop), and when they may start failing. I tried to combine these with the optional URL/URI, but agree that's problematic. In the absence of CP info from DHCP (or RA), CP detection can do the current HTTP redirect check.

I think the ICMP notification mechanism is helpful, thoughts?

On Thu, Apr 30, 2015 at 7:49 PM, Dave Dolson <[email protected]<mailto:[email protected]>> wrote:
I think it would be desirable to keep the captive portal mechanism independent of DHCP. The captive portal enforcement need not be on the same link as the user device. Furthermore, DHCP is not the only way to obtain an IP address.

David Dolson
Senior Software Architect, Sandvine Inc.
  Original Message
From: Warren Kumari
Sent: Thursday, April 30, 2015 8:02 PM
To: Yaron Sheffer
Cc: [email protected]<mailto:[email protected]>
Subject: Re: [Captive-portals] A new draft / idea - draft-wkumari-capport-icmp-unreach


On Thu, Apr 30, 2015 at 10:52 AM, Yaron Sheffer <[email protected]<mailto:[email protected]>> wrote:
> Hi Warren.
>
> The security consideration (an attacker can send any arbitrary URL, and will
> redirect you at will) seems like a showstopper to me.

Yeah, we were a bit freaked about that too :-)

I have removed the URL / URI stuff - now this is simply annotates
Destination Unreachable to explain that the reason for the Dest
Unreachable is because of a captive portal.

>
> Also, once you have the DHCP mechanism, you can have client-initiated
> communication to a well-defined interface, and you don't need to deal with
> arbitrary connections being rejected. After all, the client needs to get an
> IP address from DHCP before it can initiate any such connection.


One reason that this is still useful is that eventually your captive
portal connection will expire and the CP will close. If you have
gotten CP information from DHCP, and then start getting these
Destination Unreachables you will know to connect to the captive
portal URL and pay again....
So, basically, get CP information from DHCP and use it. After 4hours
(or whatever), you start getting these new unrechables and know to
connect and pay again...

I think that the security implications are now the same as for
"regular" (extended) Destination Unreachable.

Thoughts?

Thank you very much for your feedback,
W

>
> Thanks,
>         Yaron
>
>
> On 04/29/2015 11:32 PM, Warren Kumari wrote:
>>
>> Hi y'all.
>>
>>
>> So, this short document discusses another way for Captive Portals to
>> inform users that they are behind a CP. Basically, it uses an extended
>> ICMP Destination Unreachable message to let the host know that the
>> reason it cannot reach a destination is because it is behind a CP and
>> also includes a URL to reach the CP.
>>
>> This idea is mainly David's, I'm largely the editor. We'd really like
>> some feedback on this idea and the implementation we've written up.
>> Obviously the document would need a bunch more work, but we'd like to
>> get some idea if folk think this is worth pursuing.
>>
>> URL:
>>
>> https://www.ietf.org/internet-drafts/draft-wkumari-capport-icmp-unreach-00.txt
>> Status:
>> https://datatracker.ietf.org/doc/draft-wkumari-capport-icmp-unreach/
>> Htmlized:
>> https://tools.ietf.org/html/draft-wkumari-capport-icmp-unreach-00
>>
>> It is somewhat similar to the wkumari-dhc-capport document, but solves
>> a different issue, in a different way - I think that they are
>> complementary documents.
>>
>>
>> Any feedback gratefully accepted.
>> W
>>
>



--
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf

_______________________________________________
Captive-portals mailing list
[email protected]<mailto:[email protected]>
https://www.ietf.org/mailman/listinfo/captive-portals

_______________________________________________
Captive-portals mailing list
[email protected]<mailto:[email protected]>
https://www.ietf.org/mailman/listinfo/captive-portals