| < draft-ekwk-capport-rfc7710bis-01.txt | draft-ekwk-capport-rfc7710bis-02.txt > | |||
|---|---|---|---|---|
| Network Working Group W. Kumari | Network Working Group W. Kumari | |||
| Internet-Draft Google | Internet-Draft Google | |||
| Updates: 7710 (if approved) E. Kline | Updates: 7710 (if approved) E. Kline | |||
| Intended status: Standards Track Loon | Intended status: Standards Track Loon | |||
| Expires: July 19, 2019 January 15, 2019 | Expires: September 12, 2019 March 11, 2019 | |||
| Captive-Portal Identification in DHCP / RA | Captive-Portal Identification in DHCP / RA | |||
| draft-ekwk-capport-rfc7710bis-01 | draft-ekwk-capport-rfc7710bis-02 | |||
| Abstract | Abstract | |||
| In many environments offering short-term or temporary Internet access | In many environments offering short-term or temporary Internet access | |||
| (such as coffee shops), it is common to start new connections in a | (such as coffee shops), it is common to start new connections in a | |||
| captive portal mode. This highly restricts what the customer can do | captive portal mode. This highly restricts what the customer can do | |||
| until the customer has authenticated. | until the customer has authenticated. | |||
| This document describes a DHCP option (and a Router Advertisement | This document describes a DHCP option (and a Router Advertisement | |||
| (RA) extension) to inform clients that they are behind some sort of | (RA) extension) to inform clients that they are behind some sort of | |||
| skipping to change at page 1, line 48 ¶ | skipping to change at page 1, line 48 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on July 19, 2019. | This Internet-Draft will expire on September 12, 2019. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2019 IETF Trust and the persons identified as the | Copyright (c) 2019 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 29 ¶ | skipping to change at page 2, line 29 ¶ | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 1.1. Requirements Notation . . . . . . . . . . . . . . . . . . 3 | 1.1. Requirements Notation . . . . . . . . . . . . . . . . . . 3 | |||
| 2. The Captive-Portal Option . . . . . . . . . . . . . . . . . . 3 | 2. The Captive-Portal Option . . . . . . . . . . . . . . . . . . 3 | |||
| 2.1. IPv4 DHCP Option . . . . . . . . . . . . . . . . . . . . 4 | 2.1. IPv4 DHCP Option . . . . . . . . . . . . . . . . . . . . 4 | |||
| 2.2. IPv6 DHCP Option . . . . . . . . . . . . . . . . . . . . 4 | 2.2. IPv6 DHCP Option . . . . . . . . . . . . . . . . . . . . 4 | |||
| 2.3. The Captive-Portal IPv6 RA Option . . . . . . . . . . . . 5 | 2.3. The Captive-Portal IPv6 RA Option . . . . . . . . . . . . 5 | |||
| 3. The Captive-Portal Link Relation Type . . . . . . . . . . . . 5 | 3. The Captive-Portal Link Relation Type . . . . . . . . . . . . 5 | |||
| 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 | 4. Precedence of API URIs . . . . . . . . . . . . . . . . . . . 6 | |||
| 4.1. IETF params Registration . . . . . . . . . . . . . . . . 6 | 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 4.1.1. Registry name: Captive Portal Unrestricted Identifier 6 | 5.1. IETF params Registration . . . . . . . . . . . . . . . . 6 | |||
| 4.1.2. Registry name: Captive Portal API Link Relation Type 6 | 5.1.1. Registry name: Captive Portal Unrestricted Identifier 6 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 6 | 5.1.2. Registry name: Captive Portal API Link Relation Type 6 | |||
| 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 7 | |||
| 7. Normative References . . . . . . . . . . . . . . . . . . . . 7 | 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| Appendix A. Changes / Author Notes. . . . . . . . . . . . . . . 8 | 8. Normative References . . . . . . . . . . . . . . . . . . . . 8 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 | Appendix A. Changes / Author Notes. . . . . . . . . . . . . . . 9 | |||
| Appendix B. Differences from RFC 7710 . . . . . . . . . . . . . 9 | ||||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 | ||||
| 1. Introduction | 1. Introduction | |||
| In many environments, users need to connect to a captive-portal | In many environments, users need to connect to a captive-portal | |||
| device and agree to an Acceptable Use Policy (AUP) and / or provide | device and agree to an Acceptable Use Policy (AUP) and / or provide | |||
| billing information before they can access the Internet. It is | billing information before they can access the Internet. It is | |||
| anticipated that the IETF will work on a more fully featured protocol | anticipated that the IETF will work on a more fully featured protocol | |||
| at some point, to ease interaction with Captive Portals. Regardless | at some point, to ease interaction with Captive Portals. Regardless | |||
| of how that protocol operates, it is expected that this document will | of how that protocol operates, it is expected that this document will | |||
| provide needed functionality because the client will need to know | provide needed functionality because the client will need to know | |||
| skipping to change at page 3, line 43 ¶ | skipping to change at page 3, line 47 ¶ | |||
| DHCP, IPv6 RA). The captive portal operator should ensure that the | DHCP, IPv6 RA). The captive portal operator should ensure that the | |||
| URIs handed out are equivalent to reduce the chance of operational | URIs handed out are equivalent to reduce the chance of operational | |||
| problems. The maximum length of the URI that can be carried in IPv4 | problems. The maximum length of the URI that can be carried in IPv4 | |||
| DHCP is 255 bytes, so URIs longer than 255 bytes should not be used | DHCP is 255 bytes, so URIs longer than 255 bytes should not be used | |||
| in IPv6 DHCP or IPv6 RA. | in IPv6 DHCP or IPv6 RA. | |||
| In all variants of this option, the URI SHOULD be that of the captive | In all variants of this option, the URI SHOULD be that of the captive | |||
| portal API endpoint, conforming to the recommendations for such URIs | portal API endpoint, conforming to the recommendations for such URIs | |||
| [cite:API] (i.e. the URI SHOULD contain a DNS name and SHOULD | [cite:API] (i.e. the URI SHOULD contain a DNS name and SHOULD | |||
| reference a secure transport, e.g. https). A captive portal MAY do | reference a secure transport, e.g. https). A captive portal MAY do | |||
| content negotiation [citation?] and attempt to redirect clients | content negotiation ([RFC7231] section 3.4) and attempt to redirect | |||
| querying without an explicit indication of support for the captive | clients querying without an explicit indication of support for the | |||
| portal API content type (i.e. without application/capport+json listed | captive portal API content type (i.e. without application/ | |||
| explicitly anywhere within an Accepts header [citation]). In so | capport+json listed explicitly anywhere within an Accept header vis. | |||
| doing, the captive portal SHOULD redirect the client to the value | [RFC7231] section 5.3). In so doing, the captive portal SHOULD | |||
| associated with the "user-portal-url" API key. | redirect the client to the value associated with the "user-portal- | |||
| url" API key. | ||||
| The URI SHOULD NOT contain an IP address literal. | The URI SHOULD NOT contain an IP address literal. | |||
| The URI parameter is not null terminated. | The URI parameter is not null terminated. | |||
| Networks with no captive portals MAY explicitly indicate this | Networks with no captive portals MAY explicitly indicate this | |||
| condition by using this option with the IANA-assigned URI for this | condition by using this option with the IANA-assigned URI for this | |||
| purpose (see Section 4.1.1). Clients observing the URI value | purpose (see Section 5.1.1). Clients observing the URI value | |||
| "urn:ietf:params:capport-unrestricted" MAY forego time-consuming | "urn:ietf:params:capport-unrestricted" MAY forego time-consuming | |||
| forms of captive portal detection. | forms of captive portal detection. | |||
| 2.1. IPv4 DHCP Option | 2.1. IPv4 DHCP Option | |||
| The format of the IPv4 Captive-Portal DHCP option is shown below. | The format of the IPv4 Captive-Portal DHCP option is shown below. | |||
| Code Len Data | Code Len Data | |||
| +------+------+------+------+------+-- --+-----+ | +------+------+------+------+------+-- --+-----+ | |||
| | code | len | URI ... | | | code | len | URI ... | | |||
| skipping to change at page 5, line 46 ¶ | skipping to change at page 6, line 5 ¶ | |||
| HTTP intercept and redirection are used, a Link relation header | HTTP intercept and redirection are used, a Link relation header | |||
| ([RFC8288], Section 3.3) MAY be inserted to convey to a HTTP client | ([RFC8288], Section 3.3) MAY be inserted to convey to a HTTP client | |||
| (user agent) the associated Captive Portal API URI. | (user agent) the associated Captive Portal API URI. | |||
| HTTP user agents MUST ignore this link relation in any context other | HTTP user agents MUST ignore this link relation in any context other | |||
| than when explicitly probing to detect the presence of a captive | than when explicitly probing to detect the presence of a captive | |||
| portal. Failure to do so could allow an attacker to inject a Captive | portal. Failure to do so could allow an attacker to inject a Captive | |||
| Portal API URI other than the correct URI for a given network or for | Portal API URI other than the correct URI for a given network or for | |||
| networks where there is no captive portal present at all. | networks where there is no captive portal present at all. | |||
| 4. IANA Considerations | 4. Precedence of API URIs | |||
| A device may learn about Captive Portal API URIs through more than | ||||
| one of (or indeed all of) the above options. It is a network | ||||
| configuration error if the learned URIs are not all identical. | ||||
| However, if the URIs learned are not in fact all identical the | ||||
| captive device MUST prioritize URIs learned from network provisioning | ||||
| or configuration mechanisms before all other URIs. Specifically, | ||||
| URIs learned via any of the options in Section 2 should take | ||||
| precedence over any URI learned via a mechanism like the one | ||||
| described in Section 3. | ||||
| If the URIs learned via more than one option described in Section 2 | ||||
| are not all identical, this condition should be logged for the device | ||||
| owner or administrator. URI precedence in this situation is not | ||||
| specified by this document. | ||||
| 5. IANA Considerations | ||||
| This document requests two new IETF URN protocol parameter | This document requests two new IETF URN protocol parameter | |||
| ([RFC3553]) entries. | ([RFC3553]) entries. | |||
| Thanks IANA! | Thanks IANA! | |||
| 4.1. IETF params Registration | 5.1. IETF params Registration | |||
| 4.1.1. Registry name: Captive Portal Unrestricted Identifier | 5.1.1. Registry name: Captive Portal Unrestricted Identifier | |||
| Registry name: Captive Portal Unrestricted Identifier | Registry name: Captive Portal Unrestricted Identifier | |||
| URN: urn:ietf:params:capport-unrestricted | URN: urn:ietf:params:capport-unrestricted | |||
| Specification: RFC TBD (this document) | Specification: RFC TBD (this document) | |||
| Repository: RFC TBD (this document) | Repository: RFC TBD (this document) | |||
| Index value: Only one value is defined (see URN above). No hierarchy | Index value: Only one value is defined (see URN above). No hierarchy | |||
| is defined and therefore no sub-namespace registrations are possible. | is defined and therefore no sub-namespace registrations are possible. | |||
| 4.1.2. Registry name: Captive Portal API Link Relation Type | 5.1.2. Registry name: Captive Portal API Link Relation Type | |||
| Registry name: Captive Portal API Link Relation Type | Registry name: Captive Portal API Link Relation Type | |||
| URN: urn:ietf:params:capport-api | URN: urn:ietf:params:capport-api | |||
| Specification: RFC TBD (this document) | Specification: RFC TBD (this document) | |||
| Repository: RFC TBD (this document) | Repository: RFC TBD (this document) | |||
| Index value: Only one value is defined (see URN above). No hierarchy | Index value: Only one value is defined (see URN above). No hierarchy | |||
| is defined and therefore no sub-namespace registrations are possible. | is defined and therefore no sub-namespace registrations are possible. | |||
| 5. Security Considerations | 6. Security Considerations | |||
| An attacker with the ability to inject DHCP messages could include | An attacker with the ability to inject DHCP messages, RAs, or HTTP | |||
| this option and so force users to contact an address of his choosing. | headers into cleartext HTTP communications could include an option or | |||
| As an attacker with this capability could simply list himself as the | link relation from this document and so force users to contact an | |||
| default gateway (and so intercept all the victim's traffic); this | address of his choosing. As an attacker with this capability could | |||
| does not provide them with significantly more capabilities, but | simply list himself as the default gateway (and so intercept all the | |||
| because this document removes the need for interception, the attacker | victim's traffic); this does not provide them with significantly more | |||
| may have an easier time performing the attack. As the operating | capabilities, but because this document removes the need for | |||
| systems and application that make use of this information know that | interception, the attacker may have an easier time performing the | |||
| they are connecting to a captive-portal device (as opposed to | attack. As the operating systems and application that make use of | |||
| intercepted connections) they can render the page in a sandboxed | this information know that they are connecting to a captive-portal | |||
| environment and take other precautions, such as clearly labeling the | device (as opposed to intercepted connections) they can render the | |||
| page as untrusted. The means of sandboxing and user interface | page in a sandboxed environment and take other precautions, such as | |||
| presenting this information is not covered in this document - by its | clearly labeling the page as untrusted. The means of sandboxing and | |||
| nature it is implementation specific and best left to the application | user interface presenting this information is not covered in this | |||
| and user interface designers. | document - by its nature it is implementation specific and best left | |||
| to the application and user interface designers. | ||||
| Devices and systems that automatically connect to an open network | Devices and systems that automatically connect to an open network | |||
| could potentially be tracked using the techniques described in this | could potentially be tracked using the techniques described in this | |||
| document (forcing the user to continually authenticate, or exposing | document (forcing the user to continually authenticate, or exposing | |||
| their browser fingerprint). However, similar tracking can already be | their browser fingerprint). However, similar tracking can already be | |||
| performed with the standard captive portal mechanisms, so this | performed with the standard captive portal mechanisms, so this | |||
| technique does not give the attackers more capabilities. | technique does not give the attackers more capabilities. | |||
| Captive portals are increasingly hijacking TLS connections to force | Captive portals are increasingly hijacking TLS connections to force | |||
| browsers to talk to the portal. Providing the portal's URI via a | browsers to talk to the portal. Providing the portal's URI via a | |||
| skipping to change at page 7, line 25 ¶ | skipping to change at page 8, line 5 ¶ | |||
| By simplifying the interaction with the captive portal systems, and | By simplifying the interaction with the captive portal systems, and | |||
| doing away with the need for interception, we think that users will | doing away with the need for interception, we think that users will | |||
| be less likely to disable useful security safeguards like DNSSEC | be less likely to disable useful security safeguards like DNSSEC | |||
| validation, VPNs, etc. In addition, because the system knows that it | validation, VPNs, etc. In addition, because the system knows that it | |||
| is behind a captive portal, it can know not to send cookies, | is behind a captive portal, it can know not to send cookies, | |||
| credentials, etc. By handing out a URI using which is protected with | credentials, etc. By handing out a URI using which is protected with | |||
| TLS, the captive portal operator can attempt to reassure the user | TLS, the captive portal operator can attempt to reassure the user | |||
| that the captive portal is not malicious. | that the captive portal is not malicious. | |||
| 6. Acknowledgements | 7. Acknowledgements | |||
| This document is a -bis of RFC7710. Thanks to all of the original | This document is a -bis of RFC7710. Thanks to all of the original | |||
| authors (Warren Kumari, Olafur Gudmundsson, Paul Ebersman, Steve | authors (Warren Kumari, Olafur Gudmundsson, Paul Ebersman, Steve | |||
| Sheng), and original contributors. | Sheng), and original contributors. | |||
| Also thanks to the CAPPORT WG for all of the discussion and | Also thanks to the CAPPORT WG for all of the discussion and | |||
| improvements. | improvements. | |||
| 7. Normative References | 8. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, <https://www.rfc- | DOI 10.17487/RFC2119, March 1997, <https://www.rfc- | |||
| editor.org/info/rfc2119>. | editor.org/info/rfc2119>. | |||
| [RFC2131] Droms, R., "Dynamic Host Configuration Protocol", | [RFC2131] Droms, R., "Dynamic Host Configuration Protocol", | |||
| RFC 2131, DOI 10.17487/RFC2131, March 1997, | RFC 2131, DOI 10.17487/RFC2131, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2131>. | <https://www.rfc-editor.org/info/rfc2131>. | |||
| skipping to change at page 8, line 30 ¶ | skipping to change at page 9, line 10 ¶ | |||
| [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, | [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, | |||
| "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, | "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, | |||
| DOI 10.17487/RFC4861, September 2007, <https://www.rfc- | DOI 10.17487/RFC4861, September 2007, <https://www.rfc- | |||
| editor.org/info/rfc4861>. | editor.org/info/rfc4861>. | |||
| [RFC7227] Hankins, D., Mrugalski, T., Siodelski, M., Jiang, S., and | [RFC7227] Hankins, D., Mrugalski, T., Siodelski, M., Jiang, S., and | |||
| S. Krishnan, "Guidelines for Creating New DHCPv6 Options", | S. Krishnan, "Guidelines for Creating New DHCPv6 Options", | |||
| BCP 187, RFC 7227, DOI 10.17487/RFC7227, May 2014, | BCP 187, RFC 7227, DOI 10.17487/RFC7227, May 2014, | |||
| <https://www.rfc-editor.org/info/rfc7227>. | <https://www.rfc-editor.org/info/rfc7227>. | |||
| [RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer | ||||
| Protocol (HTTP/1.1): Semantics and Content", RFC 7231, | ||||
| DOI 10.17487/RFC7231, June 2014, <https://www.rfc- | ||||
| editor.org/info/rfc7231>. | ||||
| [RFC7710] Kumari, W., Gudmundsson, O., Ebersman, P., and S. Sheng, | ||||
| "Captive-Portal Identification Using DHCP or Router | ||||
| Advertisements (RAs)", RFC 7710, DOI 10.17487/RFC7710, | ||||
| December 2015, <https://www.rfc-editor.org/info/rfc7710>. | ||||
| [RFC8288] Nottingham, M., "Web Linking", RFC 8288, | [RFC8288] Nottingham, M., "Web Linking", RFC 8288, | |||
| DOI 10.17487/RFC8288, October 2017, <https://www.rfc- | DOI 10.17487/RFC8288, October 2017, <https://www.rfc- | |||
| editor.org/info/rfc8288>. | editor.org/info/rfc8288>. | |||
| Appendix A. Changes / Author Notes. | Appendix A. Changes / Author Notes. | |||
| [RFC Editor: Please remove this section before publication ] | [RFC Editor: Please remove this section before publication ] | |||
| From initial to -00. | From initial to -00. | |||
| o Import of RFC7710. | o Import of RFC7710. | |||
| Appendix B. Differences from RFC 7710 | ||||
| This document incorporates the following differences from [RFC7710]. | ||||
| o Clarify that IP string literals are NOT RECOMMENDED. | ||||
| o Clarify that the option URI SHOULD be that of the captive portal | ||||
| API endpoint. | ||||
| o Clarify that captive portals MAY do content negotiation. | ||||
| o Added text about Captive Portal API URI precedence in the event of | ||||
| a network configuration error. | ||||
| o Added urn:ietf:params:capport-unrestricted URN. | ||||
| o Added urn:ietf:params:capport-api URN. | ||||
| Authors' Addresses | Authors' Addresses | |||
| Warren Kumari | Warren Kumari | |||
| 1600 Amphitheatre Parkway | 1600 Amphitheatre Parkway | |||
| Mountain View, CA 94043 | Mountain View, CA 94043 | |||
| US | US | |||
| Email: warren@kumari.net | Email: warren@kumari.net | |||
| Erik Kline | Erik Kline | |||
| Loon | Loon | |||
| 1600 Amphitheatre Parkway | 1600 Amphitheatre Parkway | |||
| Mountain View, CA 94043 | Mountain View, CA 94043 | |||
| US | US | |||
| Email: ek@google.com | Email: ek@google.com | |||
| End of changes. 18 change blocks. | ||||
| 42 lines changed or deleted | 92 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||