Re: [Captive-portals] Signals from the network and ICMP

• To: [email protected]
• Subject: Re: [Captive-portals] Signals from the network and ICMP
• From: Erik Kline <[email protected]>
• Date: Thu, 17 May 2018 17:09:01 +0900
• Archived-at: <https://mailarchive.ietf.org/arch/msg/captive-portals/vBONUAEiIiXxVPSBHtkrwfMl1eY>
• Authentication-results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
• Cc: [email protected], Michael Richardson <[email protected]>
• Delivered-to: [email protected]
• Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=EehXPKiZQLZDHUTBRtbZv4erbBejes4+yNtsU5sUQ50=; b=Z33/Jl2tYBm39H0Sf5sHlJhyQ2zV1zaUHxIT3NbwP3MOk1TgINXIWCnHmUoQ9GZEsX ydu2jZLVaJ9Xw4J/LJU7XRsxqNHGs4AdL+f6feyVxhUpOOL2IiGPVD4gjSpJTjsJv6il 3rUVxJlNR+UbWuwHNkfUxia1Cb1rygGKfgS/D5FZYeQPjpPWvjBQg+r5RF5Xrr3XRvEY AFW7XxED2ZCYc02mlBd9SNqrdORqdRH5AYTSBUEv0+Bovkdi/60IiAnwXQKDjmWYlu56 Sh2QFkkE5zx3dw1QA2//UfP03nsiL64jPPl97F3AYJ1BGPJ2Yi2Un09syO8U2NTyUBwN YvAg==
• In-reply-to: <[email protected]>
• List-archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
• List-help: <mailto:[email protected]?subject=help>
• List-id: Discussion of issues related to captive portals <captive-portals.ietf.org>
• List-post: <mailto:[email protected]>
• List-subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:[email protected]?subject=subscribe>
• List-unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:[email protected]?subject=unsubscribe>
• References: <[email protected]om> <[email protected]> <[email protected]om> <[email protected]om> <[email protected]> <[email protected]om> <[email protected]> <[email protected]om> <[email protected]>

On Thu, 17 May 2018 at 16:21, Vincent van Dam <[email protected]>
wrote:


> > On 16 May 2018, at 15:49, Erik Kline <[email protected]> wrote:
> >
> > In the latter case especially, what becomes clear is that the UE needs
> > to be able to receive an unsolicited packet.  ICMP is a canonical
> > example of receiving and processing an unsolicited packet.  But it
> > could also be something like a UDP socket listening on a well known
> > port that receives a 1-byte datagram, which causes the UE to enqueue
> > (for rate-limiting purposes) a captive API query.

> I think UDP on a well-known port could be a viable alternative to ICMP.
The interface should have deliver at least the same level of trust as the
ICMP unreachable can provide. In the unreachable ICMP it is possible to
relate the packet to the packet that caused the notification. I am not
claiming the UDP interface (or other interface) should use this exact same
approach for reliability, but if we use it as just a single byte message,
we would actually make it easier for malicious users to trigger calls to
the capport-api (even though it’s rate limited). Maybe some token as
payload, or a better idea that has lesser dependencies on moving parts in
the capport deployment.

Well, if we're doing application protocol stuff (like UDP), then perhaps we
could revisit the API key used for signing messages (which I think was
removed from the API doc :).

One problem with UDP is that if the enforcement point is well upstream of
several firewalls, it likely won't get through.

Consider the case of a DSLAM doing some captive portal enforcement on a
per-line-ID basis.  Originating a packet from the DSLAM back to the sender
can reasonably be expected to get to the home CPE (DSL modem), but if the
user has installed firewall devices downstream of this then ICMP stands a
better chance of getting through than UDP, I feel.

Thinking about this case in particular suggests to me that /new/ ICMP types
for "captive portal in force" may not work well either, as I strongly
suspect that firewall devices/software inspects ICMP messages.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

• Follow-Ups:
  • Re: [Captive-portals] Signals from the network and ICMP
    • From: Michael Richardson <[email protected]>

• References:
  • Re: [Captive-portals] Signals from the network and ICMP
    • From: Martin Thomson <[email protected]>
  • Re: [Captive-portals] Signals from the network and ICMP
    • From: Michael Richardson <[email protected]>
  • Re: [Captive-portals] Signals from the network and ICMP
    • From: Martin Thomson <[email protected]>
  • Re: [Captive-portals] Signals from the network and ICMP
    • From: Michael Richardson <[email protected]>
  • Re: [Captive-portals] Signals from the network and ICMP
    • From: Erik Kline <[email protected]>
  • Re: [Captive-portals] Signals from the network and ICMP
    • From: Vincent van Dam <[email protected]>

• Prev by Date: Re: [Captive-portals] Signals from the network and ICMP
• Next by Date: Re: [Captive-portals] Signals from the network and ICMP
• Previous by thread: Re: [Captive-portals] Signals from the network and ICMP
• Next by thread: Re: [Captive-portals] Signals from the network and ICMP
• Index(es):
  • Date
  • Thread