| < draft-ietf-capport-rfc7710bis-02.txt | draft-ietf-capport-rfc7710bis-03.txt > | |||
|---|---|---|---|---|
| Network Working Group W. Kumari | Network Working Group W. Kumari | |||
| Internet-Draft Google | Internet-Draft Google | |||
| Obsoletes: 7710 (if approved) E. Kline | Obsoletes: 7710 (if approved) E. Kline | |||
| Intended status: Standards Track Loon | Intended status: Standards Track Loon | |||
| Expires: September 8, 2020 March 7, 2020 | Expires: October 1, 2020 March 30, 2020 | |||
| Captive-Portal Identification in DHCP / RA | Captive-Portal Identification in DHCP / RA | |||
| draft-ietf-capport-rfc7710bis-02 | draft-ietf-capport-rfc7710bis-03 | |||
| Abstract | Abstract | |||
| In many environments offering short-term or temporary Internet access | In many environments offering short-term or temporary Internet access | |||
| (such as coffee shops), it is common to start new connections in a | (such as coffee shops), it is common to start new connections in a | |||
| captive portal mode. This highly restricts what the customer can do | captive portal mode. This highly restricts what the customer can do | |||
| until the customer has authenticated. | until the customer has authenticated. | |||
| This document describes a DHCP option (and a Router Advertisement | This document describes a DHCP option (and a Router Advertisement | |||
| (RA) extension) to inform clients that they are behind some sort of | (RA) extension) to inform clients that they are behind some sort of | |||
| captive-portal device, and that they will need to authenticate to get | captive-portal enforcement device, and that they will need to | |||
| Internet access. It is not a full solution to address all of the | authenticate to get Internet access. It is not a full solution to | |||
| issues that clients may have with captive portals; it is designed to | address all of the issues that clients may have with captive portals; | |||
| be used in larger solutions. The method of authenticating to, and | it is designed to be used in larger solutions. The method of | |||
| interacting with the captive portal is out of scope of this document. | authenticating to, and interacting with the captive portal is out of | |||
| scope of this document. | ||||
| RFC7710 used DHCP code point 160. Due to a conflict, this document | RFC7710 used DHCP code point 160. Due to a conflict, this document | |||
| specifies TBD. | specifies TBD. | |||
| [ This document is being collaborated on in Github at: | [ This document is being collaborated on in Github at: | |||
| https://github.com/capport-wg/7710bis. The most recent version of | https://github.com/capport-wg/7710bis. The most recent version of | |||
| the document, open issues, etc should all be available here. The | the document, open issues, etc should all be available here. The | |||
| authors (gratefully) accept pull requests. Text in square brackets | authors (gratefully) accept pull requests. Text in square brackets | |||
| will be removed before publication. ] | will be removed before publication. ] | |||
| skipping to change at page 2, line 4 ¶ | skipping to change at page 2, line 6 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on September 8, 2020. | ||||
| This Internet-Draft will expire on October 1, 2020. | ||||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2020 IETF Trust and the persons identified as the | Copyright (c) 2020 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 27 ¶ | skipping to change at page 2, line 30 ¶ | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 1.1. Requirements Notation . . . . . . . . . . . . . . . . . . 3 | 1.1. Requirements Notation . . . . . . . . . . . . . . . . . . 3 | |||
| 2. The Captive-Portal Option . . . . . . . . . . . . . . . . . . 3 | 2. The Captive-Portal Option . . . . . . . . . . . . . . . . . . 3 | |||
| 2.1. IPv4 DHCP Option . . . . . . . . . . . . . . . . . . . . 4 | 2.1. IPv4 DHCP Option . . . . . . . . . . . . . . . . . . . . 4 | |||
| 2.2. IPv6 DHCP Option . . . . . . . . . . . . . . . . . . . . 4 | 2.2. IPv6 DHCP Option . . . . . . . . . . . . . . . . . . . . 5 | |||
| 2.3. The Captive-Portal IPv6 RA Option . . . . . . . . . . . . 5 | 2.3. The Captive-Portal IPv6 RA Option . . . . . . . . . . . . 5 | |||
| 3. Precedence of API URIs . . . . . . . . . . . . . . . . . . . 6 | 3. Precedence of API URIs . . . . . . . . . . . . . . . . . . . 6 | |||
| 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 | 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 4.1. IETF params Registration . . . . . . . . . . . . . . . . 6 | 4.1. IETF params Registration . . . . . . . . . . . . . . . . 6 | |||
| 4.1.1. Registry name: Captive Portal Unrestricted Identifier 6 | 4.1.1. Registry name: Captive Portal Unrestricted Identifier 6 | |||
| 4.2. BOOTP Vendor Extensions and DHCP Options Code Change . . 6 | 4.2. BOOTP Vendor Extensions and DHCP Options Code Change . . 7 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 7 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 7 | |||
| 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 | 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 7. Normative References . . . . . . . . . . . . . . . . . . . . 8 | 7. Normative References . . . . . . . . . . . . . . . . . . . . 8 | |||
| Appendix A. Changes / Author Notes. . . . . . . . . . . . . . . 10 | Appendix A. Changes / Author Notes. . . . . . . . . . . . . . . 10 | |||
| Appendix B. Changes from RFC 7710 . . . . . . . . . . . . . . . 10 | Appendix B. Changes from RFC 7710 . . . . . . . . . . . . . . . 10 | |||
| Appendix C. Observations From IETF 106 Network Experiment . . . 10 | Appendix C. Observations From IETF 106 Network Experiment . . . 10 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 1. Introduction | 1. Introduction | |||
| In many environments, users need to connect to a captive-portal | In many environments, users need to connect to a captive-portal | |||
| device and agree to an Acceptable Use Policy (AUP) and / or provide | device and agree to an Acceptable Use Policy (AUP) and / or provide | |||
| billing information before they can access the Internet. Regardless | billing information before they can access the Internet. Regardless | |||
| of how that mechanism operates, this document provides functionality | of how that mechanism operates, this document provides functionality | |||
| to allow the client to know when it is behind a captive portal and | to allow the client to know when it is behind a captive portal and | |||
| how to contact it. | how to contact it. | |||
| In order to present users with the payment or AUP pages, the captive- | In order to present users with the payment or AUP pages, presently a | |||
| portal device has to intercept the user's connections and redirect | captive-portal enforcement device has to intercept the user's | |||
| the user to the captive portal, using methods that are very similar | connections and redirect the user to a captive portal server, using | |||
| to man-in-the-middle (MITM) attacks. As increasing focus is placed | methods that are very similar to man-in-the-middle (MITM) attacks. | |||
| on security, and end nodes adopt a more secure stance, these | As increasing focus is placed on security, and end nodes adopt a more | |||
| interception techniques will become less effective and/or more | secure stance, these interception techniques will become less | |||
| intrusive. | effective and/or more intrusive. | |||
| This document describes a DHCP ([RFC2131]) option (Captive-Portal) | This document describes a DHCP ([RFC2131]) option (Captive-Portal) | |||
| and an IPv6 Router Advertisement (RA) ([RFC4861]) extension that | and an IPv6 Router Advertisement (RA) ([RFC4861]) extension that | |||
| informs clients that they are behind a captive-portal device and how | informs clients that they are behind a captive-portal enforcement | |||
| to contact it. | device and how to contact an API for more information. | |||
| 1.1. Requirements Notation | 1.1. Requirements Notation | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in [RFC2119]. | document are to be interpreted as described in [RFC2119]. | |||
| 2. The Captive-Portal Option | 2. The Captive-Portal Option | |||
| The Captive Portal DHCP / RA Option informs the client that it may be | The Captive Portal DHCP / RA Option informs the client that it may be | |||
| behind a captive portal and provides the URI to access an API as | behind a captive portal and provides the URI to access an API as | |||
| defined by [draft-ietf-capport-api]. This is primarily intended to | defined by [draft-ietf-capport-api]. This is primarily intended to | |||
| improve the user experience by getting them to the captive portal | improve the user experience by showing the user the captive portal | |||
| faster and more reliably. Note that, for the foreseeable future, | information faster and more reliably. Note that, for the foreseeable | |||
| captive portals will still need to implement the interception | future, captive portals will still need to implement the interception | |||
| techniques to serve legacy clients, and clients will need to perform | techniques to serve legacy clients, and clients will need to perform | |||
| probing to detect captive portals. | probing to detect captive portals. | |||
| Clients that support the Captive Portal DHCP option SHOULD include | Clients that support the Captive Portal DHCP option SHOULD include | |||
| the option in the Parameter Request List in DHCPREQUEST messages. | the option in the Parameter Request List in DHCPREQUEST messages. | |||
| DHCP servers MAY send the Captive Portal option without any explicit | DHCP servers MAY send the Captive Portal option without any explicit | |||
| request. | request. | |||
| In order to support multiple "classes" of clients (e.g. IPv4 only, | In order to support multiple "classes" of clients (e.g. IPv4 only, | |||
| IPv6 only with DHCPv6 ([RFC3315]), IPv6 only with RA) the captive | IPv6 only with DHCPv6 ([RFC3315]), and IPv6 only with RA) the captive | |||
| portal can provide the URI via multiple methods (IPv4 DHCP, IPv6 | network can provision the client with the URI via multiple methods | |||
| DHCP, IPv6 RA). The captive portal operator SHOULD ensure that the | (IPv4 DHCP, IPv6 DHCP, and IPv6 RA). The captive portal operator | |||
| URIs handed out are equivalent to reduce the chance of operational | SHOULD ensure that the URIs provisioned by each method are equivalent | |||
| problems. The maximum length of the URI that can be carried in IPv4 | to reduce the chance of operational problems. The maximum length of | |||
| DHCP is 255 bytes, so URIs longer than 255 bytes should not be used | the URI that can be carried in IPv4 DHCP is 255 bytes, so URIs longer | |||
| in IPv6 DHCP or IPv6 RA. | than 255 bytes should not be provisioned via IPv6 DHCP or IPv6 RA | |||
| either. | ||||
| In all variants of this option, the URI MUST be that of the captive | In all variants of this option, the URI MUST be that of the captive | |||
| portal API endpoint, conforming to the recommendations for such URIs | portal API endpoint, conforming to the recommendations for such URIs | |||
| [draft-ietf-capport-api] (i.e. the URI SHOULD contain a DNS name and | [draft-ietf-capport-api]. | |||
| SHOULD reference a secure transport, e.g. https). | ||||
| A captive portal MAY redirect requests that do not have an Accept | A captive portal server MAY redirect requests that do not have an | |||
| header field ([RFC7231] Section 5.3) containing a field item whose | Accept header field ([RFC7231] Section 5.3) containing a field item | |||
| content-type is "application/capport+json" to the URL conveyed in the | whose content-type is "application/capport+json" to the URL conveyed | |||
| "user-portal-url" API key. When performing such content negotiation | in the "user-portal-url" API key. When performing such content | |||
| ([RFC7231] Section 3.4), captive portals need to keep in mind that | negotiation ([RFC7231] Section 3.4), captive portals implementors | |||
| such responses might be cached, and therefore SHOULD include an | need to keep in mind that such responses might be cached, and | |||
| appropriate Vary header field ([RFC7231] Section 7.1.4) or mark them | therefore SHOULD include an appropriate Vary header field ([RFC7231] | |||
| explicitly uncacheable (for example, using Cache-Control: no-store | Section 7.1.4) or mark them explicitly uncacheable (for example, | |||
| [RFC7234] Section 5.2.2.3). | using Cache-Control: no-store [RFC7234] Section 5.2.2.3). | |||
| A captive portal MAY do content negotiation ([RFC7231] section 3.4) | A captive portal MAY do content negotiation ([RFC7231] section 3.4) | |||
| and attempt to redirect clients querying without an explicit | and attempt to redirect clients querying without an explicit | |||
| indication of support for the captive portal API content type (i.e. | indication of support for the captive portal API content type (i.e. | |||
| without application/capport+json listed explicitly anywhere within an | without application/capport+json listed explicitly anywhere within an | |||
| Accept header vis. [RFC7231] section 5.3). In so doing, the captive | Accept header vis. [RFC7231] section 5.3). In so doing, the captive | |||
| portal SHOULD redirect the client to the value associated with the | portal SHOULD redirect the client to the value associated with the | |||
| "user-portal-url" API key. | "user-portal-url" API key. | |||
| The URI SHOULD NOT contain an IP address literal. The URI parameter | The URI SHOULD NOT contain an IP address literal. | |||
| is not null terminated. | ||||
| Networks with no captive portals MAY explicitly indicate this | Networks with no captive portals MAY explicitly indicate this | |||
| condition by using this option with the IANA-assigned URI for this | condition by using this option with the IANA-assigned URI for this | |||
| purpose (see Section 4.1.1). Clients observing the URI value | purpose (see Section 4.1.1). Clients observing the URI value | |||
| "urn:ietf:params:capport-unrestricted" MAY forego time-consuming | "urn:ietf:params:capport-unrestricted" MAY forego time-consuming | |||
| forms of captive portal detection. | forms of captive portal detection. | |||
| 2.1. IPv4 DHCP Option | 2.1. IPv4 DHCP Option | |||
| The format of the IPv4 Captive-Portal DHCP option is shown below. | The format of the IPv4 Captive-Portal DHCP option is shown below. | |||
| skipping to change at page 4, line 48 ¶ | skipping to change at page 4, line 51 ¶ | |||
| | code | len | URI ... | | | code | len | URI ... | | |||
| +------+------+------+------+------+-- --+-----+ | +------+------+------+------+------+-- --+-----+ | |||
| o Code: The Captive-Portal DHCPv4 Option (TBD) (one octet) | o Code: The Captive-Portal DHCPv4 Option (TBD) (one octet) | |||
| o Len: The length, in octets of the URI. | o Len: The length, in octets of the URI. | |||
| o URI: The URI for the captive portal API endpoint to which the user | o URI: The URI for the captive portal API endpoint to which the user | |||
| should connect (encoded following the rules in [RFC3986]). | should connect (encoded following the rules in [RFC3986]). | |||
| Note that the URI parameter is not null terminated. | ||||
| 2.2. IPv6 DHCP Option | 2.2. IPv6 DHCP Option | |||
| The format of the IPv6 Captive-Portal DHCP option is shown below. | The format of the IPv6 Captive-Portal DHCP option is shown below. | |||
| 0 1 2 3 | 0 1 2 3 | |||
| 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | option-code | option-len | | | option-code | option-len | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| . URI (variable length) . | . URI (variable length) . | |||
| skipping to change at page 5, line 24 ¶ | skipping to change at page 5, line 28 ¶ | |||
| o option-code: The Captive-Portal DHCPv6Option (103) (two octets) | o option-code: The Captive-Portal DHCPv6Option (103) (two octets) | |||
| o option-len: The length, in octets of the URI. | o option-len: The length, in octets of the URI. | |||
| o URI: The URI for the captive portal API endpoint to which the user | o URI: The URI for the captive portal API endpoint to which the user | |||
| should connect (encoded following the rules in [RFC3986]). | should connect (encoded following the rules in [RFC3986]). | |||
| See [RFC7227], Section 5.7 for more examples of DHCP Options with | See [RFC7227], Section 5.7 for more examples of DHCP Options with | |||
| URIs. | URIs. | |||
| Note that the URI parameter is not null terminated. | ||||
| 2.3. The Captive-Portal IPv6 RA Option | 2.3. The Captive-Portal IPv6 RA Option | |||
| This section describes the Captive-Portal Router Advertisement | This section describes the Captive-Portal Router Advertisement | |||
| option. | option. | |||
| 0 1 2 3 | 0 1 2 3 | |||
| 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | Type | Length | URI . | | Type | Length | URI . | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ . | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ . | |||
| skipping to change at page 6, line 5 ¶ | skipping to change at page 6, line 7 ¶ | |||
| Type 37 | Type 37 | |||
| Length 8-bit unsigned integer. The length of the option (including | Length 8-bit unsigned integer. The length of the option (including | |||
| the Type and Length fields) in units of 8 bytes. | the Type and Length fields) in units of 8 bytes. | |||
| URI The URI for the captive portal API endpoint to which the user | URI The URI for the captive portal API endpoint to which the user | |||
| should connect. This MUST be padded with NULL (0x00) to make the | should connect. This MUST be padded with NULL (0x00) to make the | |||
| total option length (including the Type and Length fields) a | total option length (including the Type and Length fields) a | |||
| multiple of 8 bytes. | multiple of 8 bytes. | |||
| Note that the URI parameter is not guaranteed to be null terminated. | ||||
| 3. Precedence of API URIs | 3. Precedence of API URIs | |||
| A device may learn about Captive Portal API URIs through more than | A device may learn about Captive Portal API URIs through more than | |||
| one of (or indeed all of) the above options. It is a network | one of (or indeed all of) the above options. It is a network | |||
| configuration error if the learned URIs are not all identical. | configuration error if the learned URIs are not all identical. | |||
| However, if the URIs learned are not in fact all identical the | However, if the URIs learned are not in fact all identical the | |||
| captive device MUST prioritize URIs learned from network provisioning | captive device MUST prioritize URIs learned from network provisioning | |||
| or configuration mechanisms before all other URIs. Specifically, | or configuration mechanisms before all other URIs. Specifically, | |||
| URIs learned via any of the options in Section 2 should take | URIs learned via any of the options in Section 2 should take | |||
| skipping to change at page 7, line 48 ¶ | skipping to change at page 8, line 9 ¶ | |||
| page in a sandboxed environment and take other precautions, such as | page in a sandboxed environment and take other precautions, such as | |||
| clearly labeling the page as untrusted. The means of sandboxing and | clearly labeling the page as untrusted. The means of sandboxing and | |||
| user interface presenting this information is not covered in this | user interface presenting this information is not covered in this | |||
| document - by its nature it is implementation specific and best left | document - by its nature it is implementation specific and best left | |||
| to the application and user interface designers. | to the application and user interface designers. | |||
| Devices and systems that automatically connect to an open network | Devices and systems that automatically connect to an open network | |||
| could potentially be tracked using the techniques described in this | could potentially be tracked using the techniques described in this | |||
| document (forcing the user to continually authenticate, or exposing | document (forcing the user to continually authenticate, or exposing | |||
| their browser fingerprint). However, similar tracking can already be | their browser fingerprint). However, similar tracking can already be | |||
| performed with the standard captive portal mechanisms, so this | performed with the presently common captive portal mechanisms, so | |||
| technique does not give the attackers more capabilities. | this technique does not give the attackers more capabilities. | |||
| Captive portals are increasingly hijacking TLS connections to force | Captive portals are increasingly hijacking TLS connections to force | |||
| browsers to talk to the portal. Providing the portal's URI via a | browsers to talk to the portal. Providing the portal's URI via a | |||
| DHCP or RA option is a cleaner technique, and reduces user | DHCP or RA option is a cleaner technique, and reduces user | |||
| expectations of being hijacked - this may improve security by making | expectations of being hijacked - this may improve security by making | |||
| users more reluctant to accept TLS hijacking, which can be performed | users more reluctant to accept TLS hijacking, which can be performed | |||
| from beyond the network associated with the captive portal. | from beyond the network associated with the captive portal. | |||
| By simplifying the interaction with the captive portal systems, and | By simplifying the interaction with the captive portal systems, and | |||
| doing away with the need for interception, we think that users will | doing away with the need for interception, we think that users will | |||
| End of changes. 17 change blocks. | ||||
| 44 lines changed or deleted | 51 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||