[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Captive-portals] Thinking of something related to captive portals for the ietf98 hackathon
I'm not a fan of the ICMP method. I think the security implications need more thought.
As is, it looks like pretty much anyone on the Internet can send you one of these packets, and you have no way of knowing if it's legitimate. Relying on such an easy-to-spoof signal to decide that a network no longer provides Internet access could be quite harmful, particularly if the receiving device decided to switch to cellular data and incur the associated traffic costs. Even if the signal is only taken as a hint to revalidate the network, that still has battery implications.
It would seem to be much more useful to use:
- A header in the initial redirect that captive portals almost always generate.
- A well-known URL where the state of the captive portal can be revalidated, either periodically or when some other indication of loss of connectivity is observed.
At the last IETF we talked about possibly having a more structured way of communicating this and other bits of information from captive portal to host (a RESTful API, IIRC). That would also be useful, if we can all collectively resist the temptation to overengineer such a mechanism. :-)