Re: [Captive-portals] Thinking of something related to captive portals for the ietf98 hackathon

To: David Bird <[email protected]>

Subject: Re: [Captive-portals] Thinking of something related to captive portals for the ietf98 hackathon

From: Lorenzo Colitti <[email protected]>

Date: Wed, 22 Feb 2017 23:42:24 +0900

Archived-at: <https://mailarchive.ietf.org/arch/msg/captive-portals/CdycOUSC5C-MUx9vw73W6qZEFA8>

Authentication-results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com

Cc: "[email protected]" <[email protected]>, Kyle Larose <[email protected]>, "[email protected]" <[email protected]>

Delivered-to: [email protected]

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=tIn4uqnlAZ9klh4cf57HzqWJVqIGL+Tl3RSg0QGQ9N0=; b=uRnQjvtKO/IbpG6tE2+KaKPNmWpihQSOgF3A3DZ3GzLUQ/EMyZkYCAVIELt8mTbWQs +AZcw334Wfdyc51zZq7aIXmDMeo7Tki9iL6U9Es+HDcjAZmOSAd86EPagqyaQ8iGeMHz CTl+JxSU0CuDc3ZWna5JwPs44VIcLj+Qn7/CJeII9i3S8fwB91iw0ZNGOLud8lfjIw2U DjKU9/grF6UulAWqHtnV4ovJvgaHkV2doT2sx+j8AWsaFSc9mlE3YFJ4cQQPj4iE8aSp 4e2WqhpPgkF04adPfLprwV9EhBg85BM8952TN5ICMt1nwHasXqruCHRsuDIdmP5Od83H bRGg==

In-reply-to: <[email protected]om>

List-archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>

List-help: <mailto:[email protected]?subject=help>

List-id: Discussion of issues related to captive portals <captive-portals.ietf.org>

List-post: <mailto:[email protected]>

List-subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:[email protected]?subject=subscribe>

List-unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:[email protected]?subject=unsubscribe>

References: <[email protected]m> <[email protected]om>

I'm not a fan of the ICMP method. I think the security implications need more thought.

As is, it looks like pretty much anyone on the Internet can send you one of these packets, and you have no way of knowing if it's legitimate. Relying on such an easy-to-spoof signal to decide that a network no longer provides Internet access could be quite harmful, particularly if the receiving device decided to switch to cellular data and incur the associated traffic costs. Even if the signal is only taken as a hint to revalidate the network, that still has battery implications.

It would seem to be much more useful to use:

A header in the initial redirect that captive portals almost always generate.
A well-known URL where the state of the captive portal can be revalidated, either periodically or when some other indication of loss of connectivity is observed.

At the last IETF we talked about possibly having a more structured way of communicating this and other bits of information from captive portal to host (a RESTful API, IIRC). That would also be useful, if we can all collectively resist the temptation to overengineer such a mechanism. :-)

On Wed, Feb 22, 2017 at 11:31 PM, David Bird <[email protected]> wrote:

Hi Kyle,

I think that is a great idea!

I had started to implement here: https://github.com/coova/coova-chilli/tree/capport-icmp

What would be nice, in addition to the NAS changes, is to also demonstrate the client side ... either something like icmpd (to listen for the ICMP and provide applications a way of checking the status of their dest. unreach. connections), or the necessary Linux kernel changes. Also with kernel changes, the I-D could also be implemented using iptables, or other NAS software too.

Cheers,
David

On Wed, Feb 22, 2017 at 6:12 AM, Kyle Larose <[email protected]> wrote:
Hey everyone,

I was thinking of doing something (anything) related to captive portals for the ietf 98 hackathon. In particular, https://tools.ietf.org/html/draft-wkumari-capport-icmp-unreach-01 caught my eye. I was wondering if anyone had thoughts on that, and whether there is anything else they'd like to see me champion.

Thanks,

Kyle

_______________________________________________
Captive-portals mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/captive-portals

_______________________________________________
Captive-portals mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/captive-portals