[Captive-portals] Use Case: "Carrier Grade Captive Portal"
Heiko Folkerts <heiko.folkerts@bsi.bund.de> Wed, 03 May 2017 12:45 UTC
Return-Path: <heiko.folkerts@bsi.bund.de>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DBFC2129AEB for <captive-portals@ietfa.amsl.com>; Wed, 3 May 2017 05:45:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.52
X-Spam-Level:
X-Spam-Status: No, score=-1.52 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 33L58ck3rA6k for <captive-portals@ietfa.amsl.com>; Wed, 3 May 2017 05:45:27 -0700 (PDT)
Received: from m3-bn.bund.de (m3-bn.bund.de [77.87.228.75]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D695D12951E for <captive-portals@ietf.org>; Wed, 3 May 2017 05:43:10 -0700 (PDT)
Received: from m3.mfw.bn.ivbb.bund.de (localhost.mfw.bn.ivbb.bund.de [127.0.0.1]) by m3-bn.bund.de (8.14.5/8.14.5) with ESMTP id v43Ch8HR013325 for <captive-portals@ietf.org>; Wed, 3 May 2017 14:43:08 +0200 (CEST)
Received: (from localhost) by m3.mfw.bn.ivbb.bund.de (MSCAN) id 4/m3.mfw.bn.ivbb.bund.de/smtp-gw/mscan; Wed May 3 14:43:08 2017
X-P350-Id: 484e828a5721f2d8
X-Virus-Scanned: amavisd-new at bsi.bund.de
X-Virus-Scanned: by amavisd-new at bsi.bund.de
From: Heiko Folkerts <heiko.folkerts@bsi.bund.de>
Organization: BSI Bonn
To: captive-portals@ietf.org
Date: Wed, 03 May 2017 14:42:50 +0200
User-Agent: KMail/1.9.10 (enterprise35 20150610.75555ff)
Cc: Gunther Nitzsche <gnitzsche@netcologne.de>, "Herzig, Willi" <willi.herzig@bsi.bund.de>
MIME-Version: 1.0
Content-Disposition: inline
Message-ID: <201705031442.50683.heiko.folkerts@bsi.bund.de>
Content-Type: Text/Plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/hW-grbmEZOHHmvAL_A5e33Ubr0s>
Subject: [Captive-portals] Use Case: "Carrier Grade Captive Portal"
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 May 2017 12:45:31 -0000
Hi everybody, I visited the capport WG the first time in Chicago. Thank you very much for the presentations! Afterwards I had a very brief chat with Martin about a use case, I name “carrier grade captive portals”. As a result I want to present this use case to you on this mailing list: *Background and use case:* In Germany the Federal Office for Information Security informs the ISPs with IPs, timestamp and other information of users that are part of a botnet. The ISPs are informing the users about the infection. We can not inform the users without the help of the ISP as they are the only ones knowing who is behind the dynamic IP address users get normally in Germany. There are different ways to inform users by the ISPs: e-mail, snail mail or a carrier grade captive portal (aka walled garden, forced portal), The most efficient way to inform and get systems cleaned has been proven is the carrier grade captive portal. One of the internet service providers, NetCologne, uses a, as they call it, Forced Portal. The current solution is legal in germany, if the ISPs terms of service are appropriate. *Technically it roughly works like this:* - When the abuse management system detects that a user is infected, the CPE customers router connection (PPOE connection) is disconnected and immediately a new PPOE connection is started. - With the new PPOE connection, the CPE customers router gets a new DNSServer, IP, gateway (policy routing) and is connected to a carrier grade captive portal. - Within the new network connection all traffic is routed through a HTTP/HTTPS proxy. This proxy allows the user to access selected sites like informational sites about infections, AV and OS vendors and will otherwise present an information page to the user. This information page tells the user about the situation, including information about the infection(s) and instructs him how to clean the system. *Problem (almost the same as you know it):* As with captive portals in local networks this worked pretty well using HTTP. Also on Browsers, which first tries a HTTP connection, the information page is displayed. Problem occurs now with HTTPS. Especially Google Chrome does no longer connect first using HTTP when the user enters a domain name of a web page if using HSTS and HSTS preload. Connecting with HTTPS, the browser detects a MITM attack (which of course makes sense, because it is MITM) and does not display the information page. Instead an error page is displayed, which generates a whole lot of calls to the costumer support. An addional problem we encounter is that the well known detection strategies used by iOS/macOS, Windows and Android for captive portals do *never* work in our case. Reason is that these detection strategies will only test for captive portals, when the network connection of the actual device (for example using WiFi) is started new. In our case the customers CPE router gets a new PPPOE connection, but the client does not detect that the network connection to the internet was dropped by the router. Do you think that „carrier grade captive portals“ are in scope of the capport WG charta? Would the work already done at capport help to cope with this problem? My understanding of the current work in capport is, that it will not solve this problem entirely, but I think, it may already be half-way towards a solution. Because pushing a customer to a walled garden does not do a status change on the client system, but the CPE might work as some kind of “captive portal relais”, using at least parts of the current architecture of capport on the internal LAN. Do you think it is usful that the capport WG considers our use case in its work? Any help is appreciated. Best regards, Heiko. -- Heiko Folkerts --------------------------------------------------- Referat CK 15 Federal Office for Information Security (BSI) Godesberger Allee 185 -189 53175 Bonn Germany Telefon: +49 228 99 9582-5955 Fax: +49 228 99 10 9582-5955 E-Mail: heiko.folkerts@bsi.bund.de Internet: www.bsi.bund.de www.bsi-fuer-buerger.de
- [Captive-portals] Use Case: "Carrier Grade Captiv… Heiko Folkerts
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… David Bird
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Dave Dolson
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Warren Kumari
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Erik Kline
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Mark Nottingham
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Michael Richardson
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Gunther Nitzsche
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… David Bird
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Gunther Nitzsche
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… David Bird
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Dave Dolson
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Vincent van Dam
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Erik Kline
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Livingood, Jason
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Martin Thomson
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Livingood, Jason
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Martin Thomson
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Gunther Nitzsche
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Erik Kline
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Michael Richardson
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… David Bird
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Vincent van Dam
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Dave Dolson
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Eric Vyncke (evyncke)
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Erik Kline
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Dave Dolson
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Tommy Pauly
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… David Bird
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Dave Dolson
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Dave Dolson
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Tommy Pauly
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Tommy Pauly
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… David Bird