
Re: [Captive-portals] Discovering captive portal API URL via DNS?

Yes, the query would have to be directed to the resolver provided by
the network.

I agree that this could increase the attack surface compared to a
DHCP solution. DHCP is also a cleartext protocol, but it is typically
secured via other means like DHCP guard. If the network provides
equivalent protections to DNS traffic (most simply, by providing
strong protections against IP spoofing and on-link attacks), then the
security properties are likely equivalent.

On Wed, Sep 4, 2019 at 11:48 AM Martin Thomson <[email protected]> wrote:
> What about those resolvers that collapse CNAME responses, effectively eliding them?
> I assume that you are going to explicitly say that this has to be directed to the resolver provided in network configuration.  If that resolver is outside the network or less tightly secured than DHCP/RAs, then we have the possibility of attack on the DNS-over-UDP-53 that is used to get the CNAME response.
> (Just contributin' not chairin'.)
> On Wed, Sep 4, 2019, at 09:44, Lorenzo Colitti wrote:
> > All,
> >
> > During discussions with captive portal operators about implementing the
> > capport API, one of the stumbling blocks that keeps coming up is that
> > the captive portal operator does not always control the DHCP
> > configuration and thus cannot easily use RFC7710.
> >
> > The WG has previously rejected the option of using a well-known DNS
> > name to discover the URL, because the API itself requires TLS, and
> > without a hostname it is not possible (or at least not easy) to
> > validate the server. However, what if the client did a CNAME query for
> > capport.arpa (or equivalent other local-only, non-DNSSEC-signed name),
> > got back a CNAME for the real server, and then assumed that the API
> > server was https://<targetofcname>/capport-api ?
> >
> > Alternatively, Erik and Warren suggest RFC 7553. In this scheme the
> > client would do a URI lookup for "capport.arpa" or equivalent, and
> > would take the result of that URL as the API endpoint.
> >
> > Thoughts?
> >
> > Regards,
> > Lorenzo
> > _______________________________________________
> > Captive-portals mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/captive-portals
> >
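As an added offline example (not code from this thread, nor from any captive portal or RFC 7710/7553 implementation), the two lookups Lorenzo describes, worked against hand-constructed DNS wire-format responses: a CNAME query for capport.arpa whose target is turned into https://<target>/capport-api, and an RFC 7553 URI query whose Target field is taken verbatim. A third constructed response shows the case Martin raises, a resolver that hands back only a terminal A record with no CNAME, where CNAME-based discovery finds nothing. The portal hostname portal.example.net, the address 192.0.2.10, the TTL and the transaction ID are assumptions for illustration; no packet is sent anywhere, and sending the query to the network-provided resolver over UDP/53 is left to the reader.

```python
"""Offline walk-through of the two capport.arpa discovery lookups discussed
in the thread: CNAME (type 5) and RFC 7553 URI (type 256).  All responses
below are constructed by hand for the example; nothing touches the network."""
import struct

QTYPE_A = 1
QTYPE_CNAME = 5
QTYPE_URI = 256          # RFC 7553
MAX_COMPRESSION_JUMPS = 16   # guard against pointer loops in hostile replies


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Standard query with RD set, one question, no other sections."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)


def decode_name(msg: bytes, off: int):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, end, jumps = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer
            jumps += 1
            if jumps > MAX_COMPRESSION_JUMPS:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (end if end is not None else off)


def parse_answers(msg: bytes):
    """Yield (owner, rtype, rdata, rdata_offset) for each answer RR."""
    _, _, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):                 # skip the echoed question
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(ancount):
        owner, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        answers.append((owner, rtype, msg[off:off + rdlen], off))
        off += rdlen
    return answers


def discover_via_cname(msg: bytes):
    """Lorenzo's first scheme: https://<CNAME target>/capport-api."""
    for owner, rtype, _, rdoff in parse_answers(msg):
        if owner == "capport.arpa" and rtype == QTYPE_CNAME:
            target, _ = decode_name(msg, rdoff)
            return f"https://{target}/capport-api"
    return None   # no CNAME visible: resolver collapsed it, or nothing published


def discover_via_uri(msg: bytes):
    """RFC 7553 scheme: lowest-priority URI RR whose Target is https."""
    best = None
    for owner, rtype, rdata, _ in parse_answers(msg):
        if owner == "capport.arpa" and rtype == QTYPE_URI:
            prio, _weight = struct.unpack(">HH", rdata[:4])
            target = rdata[4:].decode("utf-8")   # Target is the rest of RDATA
            if target.startswith("https://") and (best is None or prio < best[0]):
                best = (prio, target)
    return best[1] if best else None


def build_response(query: bytes, answers) -> bytes:
    """Constructed reply to `query` with the given (owner, rtype, rdata) RRs."""
    txid = struct.unpack(">H", query[:2])[0]
    hdr = struct.pack(">HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    body = query[12:]                        # echo the question section
    for owner, rtype, rdata in answers:
        body += encode_name(owner) + struct.pack(">HHIH", rtype, 1, 60, len(rdata)) + rdata
    return hdr + body


# Constructed sample responses (assumed hostname/address, not real data).
CNAME_RESPONSE = build_response(build_query("capport.arpa", QTYPE_CNAME),
    [("capport.arpa", QTYPE_CNAME, encode_name("portal.example.net"))])
COLLAPSED_RESPONSE = build_response(build_query("capport.arpa", QTYPE_CNAME),
    [("capport.arpa", QTYPE_A, bytes([192, 0, 2, 10]))])   # CNAME elided
URI_RESPONSE = build_response(build_query("capport.arpa", QTYPE_URI),
    [("capport.arpa", QTYPE_URI,
      struct.pack(">HH", 10, 1) + b"https://portal.example.net/capport-api")])

if __name__ == "__main__":
    print("CNAME    :", discover_via_cname(CNAME_RESPONSE))
    print("collapsed:", discover_via_cname(COLLAPSED_RESPONSE))
    print("URI      :", discover_via_uri(URI_RESPONSE))
```

The CNAME path only works if the CNAME record itself survives the resolver, which is why the collapsed sample yields nothing; the URI path carries the full URL (scheme, host and path) in RDATA, so the client need not infer a path, but in both cases the name the client later validates in TLS comes out of an unsigned, cleartext UDP answer, which is the attack surface the reply compares to DHCP.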