| < draft-wkumari-dhc-capport-07.txt | draft-wkumari-dhc-capport-08.txt > | |||
|---|---|---|---|---|
| Network Working Group W. Kumari | Network Working Group W. Kumari | |||
| Internet-Draft Google | Internet-Draft Google | |||
| Intended status: Informational O. Gudmundsson | Intended status: Informational O. Gudmundsson | |||
| Expires: June 25, 2015 Shinkuro Inc. | Expires: July 31, 2015 Shinkuro Inc. | |||
| P. Ebersman | P. Ebersman | |||
| Comcast | Comcast | |||
| S. Sheng | S. Sheng | |||
| ICANN | ICANN | |||
| December 22, 2014 | January 27, 2015 | |||
| Captive-Portal identification in DHCP / RA | Captive-Portal identification in DHCPv4 / RA | |||
| draft-wkumari-dhc-capport-07 | draft-wkumari-dhc-capport-08 | |||
| Abstract | Abstract | |||
| In many environments (such as hotels, coffee shops and other | In many environments offering short-term or temporary Internet access | |||
| establishments that offer Internet service to customers), it is | (such as coffee shops), it is common to start new connections in a | |||
| common to start new connections in a captive portal mode, i.e. highly | captive portal mode. This highly restricts what the customer can do | |||
| restrict what the customer can do until the customer has accepted | until the customer has authenticated. | |||
| terms of service, provided payment information and / or | ||||
| authenticated. | ||||
| This document describes a DHCP option (and an RA extension) to inform | This document describes a DHCPv4 option (and an IPv6 RA extension) to | |||
| clients that they are behind some sort of captive portal device, and | inform clients that they are behind some sort of captive portal | |||
| that they will need to authenticate to get Internet Access. | device, and that they will need to authenticate to get Internet | |||
| Access. | ||||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on June 25, 2015. | This Internet-Draft will expire on July 31, 2015. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2014 IETF Trust and the persons identified as the | Copyright (c) 2015 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 1.1. Requirements notation . . . . . . . . . . . . . . . . . . 3 | 1.1. Requirements notation . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2.1. DNS Redirection . . . . . . . . . . . . . . . . . . . . . 4 | 2.1. DNS Redirection . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 2.2. HTTP Redirection . . . . . . . . . . . . . . . . . . . . 4 | 2.2. HTTP Redirection . . . . . . . . . . . . . . . . . . . . 4 | |||
| 2.3. IP Hijacking . . . . . . . . . . . . . . . . . . . . . . 5 | 2.3. IP Hijacking . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3. The Captive-Portal DHCP Option . . . . . . . . . . . . . . . 5 | 3. The Captive-Portal IPv4 DHCP Option . . . . . . . . . . . . . 4 | |||
| 4. The Captive-Portal RA Option . . . . . . . . . . . . . . . . 6 | 4. The Captive-Portal IPv6 RA Option . . . . . . . . . . . . . . 5 | |||
| 5. Use of the Captive-Portal Option . . . . . . . . . . . . . . 7 | 5. Use of the Captive-Portal Option . . . . . . . . . . . . . . 6 | |||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 7. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | 7. Security Considerations . . . . . . . . . . . . . . . . . . . 7 | |||
| 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9 | 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 9. Normative References . . . . . . . . . . . . . . . . . . . . 9 | 9. Normative References . . . . . . . . . . . . . . . . . . . . 8 | |||
| Appendix A. Changes / Author Notes. . . . . . . . . . . . . . . 9 | Appendix A. Changes / Author Notes. . . . . . . . . . . . . . . 8 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 1. Introduction | 1. Introduction | |||
| In many environments, users need to connect to a captive portal | In many environments, users need to connect to a captive portal | |||
| device and agree to an acceptable use policy and / or provide billing | device and agree to an acceptable use policy and / or provide billing | |||
| information before they can access the Internet. | information before they can access the Internet. | |||
| In order to present the user with the captive portal web page, many | Many devices perform DNS, HHTP, and / or IP hijacks in order to | |||
| devices perform DNS and / or HTTP and / or IP hijacks. In addition | present the user with the captive portal web page. These kludgy | |||
| to being kludgy hacks, these techniques resemble attacks that DNSSEC | workarounds and techniques resemble attacks that DNSSEC and TLS are | |||
| and TLS are intended to protect against. In an attempt to discourage | intended to protect against. This document describes a DHCPv4 option | |||
| the deliberate subversion of basic security tools, this document | (Captive Portal) and an IPv6 Router Advertisement (RA) extension that | |||
| describes a DHCP option (Captive-Portal) and an IPv6 Router | informs clients that they are behind a captive portal device and how | |||
| Advertisement (RA) extension that informs clients that they are | to contact it. | |||
| behind a captive portal device, and how to contact it. | ||||
| This document neither condones nor condemns the use of captive | This document neither condones nor condemns the use of captive | |||
| portals; instead, it recognises that their apparent necessity, and | portals; instead, it recognises that their apparent necessity, and | |||
| attempts to improve the user experience. | attempts to improve the user experience. | |||
| The technique described in this document mainly improve the user | [ Ed note: This solution complements 802.11U / WiFi Passpoint. It | |||
| experience when first connecting to a network behind a captive | can be quickly and easily deployed, and works on wired as well ] | |||
| portal. It may also help if the captive portal access times out | ||||
| after connecting, but this is less reliable. | ||||
| 1.1. Requirements notation | 1.1. Requirements notation | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in [RFC2119]. | document are to be interpreted as described in [RFC2119]. | |||
| 2. Background | 2. Background | |||
| Many Internet Service Providers (ISPs) that offer public Internet | Some ISPs implement a captive portal (CP) - a system that intercepts | |||
| access require the user to accept an Acceptable Use Policy (AUP) and | user requests and redirects them to an interstitial login page - in | |||
| / or provides billing information (such as their last name and room | order to require the user accept an Acceptable Use Policy (AUP), | |||
| number in a hotel, credit card information, etc.) through a web | provide billing information, or otherwise authenticate a user prior | |||
| interface before the user can access the Internet. | to allowing them to access the Internet. | |||
| In order to meet this requirement, some ISPs implement a captive | ||||
| portal (CP) - a system that intercepts user requests and redirects | ||||
| them to an interstitial login page. | ||||
| Captive portals intercept and redirects user requests in a number of | Captive portals intercept and redirect user requests in a number of | |||
| ways, including: | ways, including: | |||
| o DNS Redirection | o DNS Redirection | |||
| o IP Redirection | o IP Redirection | |||
| o HTTP Redirection | o HTTP Redirection | |||
| o Restricted scope addresses | o Restricted scope addresses | |||
| o Traffic blocking (until the user is authenticated) | o Traffic blocking (until the user is authenticated) | |||
| In order to ensure that the user is unable to access the Internet | In order to ensure that the user is unable to access the Internet | |||
| until they have satisfied the requirements, captive portals usually | until they have satisfied the requirements, captive portals usually | |||
| implement IP based filters, or place the user into a restricted VLAN | implement IP based filters, or place the user into a restricted VLAN | |||
| (or restricted IP range) until after they have been authorized / | (or restricted IP range) until after they have been authorized / | |||
| satisfied. | satisfied. | |||
| These techniques are very similar to attacks that protocols (such as | These techniques are very similar to attacks that protocols (such as | |||
| VPNs, DNSSEC, TLS) are designed to protect against. The interaction | VPNs, DNSSEC, TLS) are designed to protect against. The interaction | |||
| of the these protections and the interception leads to poor user | of these protections and the interception leads to poor user | |||
| experiences, such as long timeouts, inability to reach the captive | experiences, such as long timeouts, inability to reach the captive | |||
| portal web page, etc. The interception may also leak user | portal web page, etc. The interception may also leak user | |||
| information (for example, if the captive portal intercepts and logs | information (for example, if the captive portal intercepts and logs | |||
| an HTTP Cookie, or URL of the form http://fred:password@example.com). | an HTTP Cookie, or URL of the form http://fred:password@example.com). | |||
| The user is often unaware of what is causing the issue (their browser | The user is often unaware of what is causing the issue (their browser | |||
| appears to hang, saying something like "Downloading Proxy Script", or | appears to hang, saying something like "Downloading Proxy Script", or | |||
| simply "The Internet doesn't work"), and they become frustrated. | simply "The Internet doesn't work"), and they become frustrated. | |||
| This may results in them not purchasing the Internet access provided | This may result in them not purchasing the Internet access provided | |||
| by the captive portal. The connectivity attempts may also facilitate | by the captive portal. The connectivity attempts may also facilitate | |||
| OS fingerprinting even before a client attempts to connect to the | OS fingerprinting even before a client attempts to connect to the | |||
| portal itself. | portal itself. | |||
| 2.1. DNS Redirection | 2.1. DNS Redirection | |||
| The CP either intercepts all DNS traffic or advertises itself (for | The CP either intercepts all DNS traffic or advertises itself (for | |||
| example using DHCP) as the recursive server for the network. Until | example using DHCP) as the recursive server for the network. Until | |||
| the user has authenticated to the captive portal, the CP responds to | the user has authenticated to the captive portal, the CP responds to | |||
| all DNS requests listing the address of its web portal. Once the | all DNS requests listing the address of its web portal. Once the | |||
| user has authenticated the CP returns the "correct" addresses. | user has authenticated, the CP returns the "correct" addresses. | |||
| This technique has many shortcomings. It fails if the client is | This technique has many shortcomings. It fails if the client is | |||
| performing DNSSEC validation, is running their own resolver, is using | performing DNSSEC validation, is running their own resolver, is using | |||
| a VPN, or already has the DNS information cached. | a VPN, or already has the DNS information cached. | |||
| 2.2. HTTP Redirection | 2.2. HTTP Redirection | |||
| In this implementation, the CP acts like a transparent HTTP proxy; | In this implementation, the CP acts like a transparent HTTP proxy; | |||
| but when it sees an HTTP request from an unauthenticated client using | but when it sees an HTTP request from an unauthenticated client using | |||
| HTTP/1.0, it intercepts the request and responds with an HTTP status | HTTP/1.0, it intercepts the request and responds with an HTTP status | |||
| skipping to change at page 5, line 15 ¶ | skipping to change at page 4, line 46 ¶ | |||
| 2.3. IP Hijacking | 2.3. IP Hijacking | |||
| In this scenario, the captive portal intercepts connections to any IP | In this scenario, the captive portal intercepts connections to any IP | |||
| address. It spoofs the destination IP address and "pretends" to be | address. It spoofs the destination IP address and "pretends" to be | |||
| whatever the user tried to access. | whatever the user tried to access. | |||
| This technique has issues similar to the HTTP solution, but may also | This technique has issues similar to the HTTP solution, but may also | |||
| break other protocols, and may expose more of the user's private | break other protocols, and may expose more of the user's private | |||
| information. | information. | |||
| 3. The Captive-Portal DHCP Option | 3. The Captive-Portal IPv4 DHCP Option | |||
| The Captive Portal DHCP Option (TBA1) informs the DHCP client that it | The Captive Portal DHCP Option (TBA1) informs an IPv4 client that it | |||
| is behind a captive portal and provides the URI to access an | is behind a captive portal and provides the URI to access an | |||
| authentication page. This is primarily intended to improve the user | authentication page. This is primarily intended to improve the user | |||
| experience; for the foreseeable future (until such time that most | experience; for the foreseeable future (until such time that most | |||
| systems implement this technique) captive portals will still need to | systems implement this technique) captive portals will still need to | |||
| implement the interception techniques to serve legacy clients. | implement the interception techniques to serve legacy clients. | |||
| The format of the DHCP Captive-Portal DHCP option is shown below. | The format of the DHCP Captive-Portal DHCP option is shown below. | |||
| Code Len Data | Code Len Data | |||
| +------+------+------+------+------+-- --+-----+ | +------+------+------+------+------+-- --+-----+ | |||
| | code | len | URI ... | | | code | len | URI ... | | |||
| +------+------+------+------+------+-- --+-----+ | +------+------+------+------+------+-- --+-----+ | |||
| o Code: The Captive-Portal DHCP Option (TBA1 for DHCPv4, TBA2 for | o Code: The Captive-Portal DHCP Option (TBA1) | |||
| DHCPv6) | ||||
| o Len: The length, in octets of the URI. | o Len: The length, in octets of the URI. | |||
| o URI: The URI of the authentication page that the user should | o URI: The URI of the authentication page that the user should | |||
| connect to. | connect to. | |||
| The URI MUST NOT contain a DNS name, in order to not require the CP | In order to avoid having to perform DNS interception, the URI SHOULD | |||
| to access DNS queries from an unauthenticated user. Rather, if IPv4 | contain an IPv4 address literal. | |||
| is supported in the network, one option's URI MUST contain an IPv4 | ||||
| address literal, and if IPv6 is supported in the network, one | ||||
| option's URI MUST contain an IPv6 address literal. Note that this | ||||
| implies that a dual stack network would include two such options in | ||||
| its DHCP reply or RA. | ||||
| In many cases, a CP would like to collect billing infomation (for | ||||
| example, credit card information), and will want to do this over SSL/ | ||||
| TLS. In order to make this work, the web server on the IP literal | ||||
| can redirect to a URI containing a DNS name. The CP implementor/ | ||||
| operator will need to ensure that the client machine can access this | ||||
| URI and all service needed to make that work (for example, DNS, | ||||
| etc.). In this case, the operator/implementor will potentially need | ||||
| to deal with issues such as DNS tunnelling. | ||||
| Captive Portals are free to serve a HTTP redirect on this address to | For cases requiring SSL/TLS (collection of billing information for | |||
| a DNS name (for example, so they can provide a TLS protected web page | example), the IP literal can redirect to a URI containing a DNS name. | |||
| for credit card information). This will require that the client be | ||||
| able to perform DNS requests. | ||||
| [ED NOTE: Using an address literal is less than ideal, but better | [ED NOTE: Using an address literal is less than ideal, but better | |||
| than the alternatives. Recommending a DNS name means that the CP | than the alternatives. Recommending a DNS name means that the CP | |||
| would need to allow DNS from unauthenticated clients (as we don't | would need to allow DNS from unauthenticated clients (as we don't | |||
| want to force users to use the CP's provided DNS) and some users | want to force users to use the CP's provided DNS) and some users | |||
| would use this to DNS Tunnel out. This would make the CP admin block | would use this to DNS Tunnel out. This would make the CP admin block | |||
| external recursives).] | external recursives).] | |||
| 4. The Captive-Portal RA Option | 4. The Captive-Portal IPv6 RA Option | |||
| [Ed: I'm far from an RA expert. I think there are only 8 bits for | ||||
| Type, is it worth burning an option code on this? I have also | ||||
| specified that the option length should padded to multiples of 8 byte | ||||
| to better align with the examples I've seen. Is this required / | ||||
| preferred, or is smaller RAs better? ] | ||||
| This section describes the Captive-Portal Router Advertisement | This section describes the Captive-Portal Router Advertisement | |||
| option. | option. | |||
| 0 1 2 3 | 0 1 2 3 | |||
| 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | Type | Length | URI . | | Type | Length | URI . | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ . | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ . | |||
| . . | . . | |||
| . . | . . | |||
| . . | . . | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| Figure 2: Captive-Portal RA Option Format | Figure 2: Captive-Portal RA Option Format | |||
| Type TBA3 | Type TBA2 | |||
| Length 8-bit unsigned integer. The length of the option (including | Length 8-bit unsigned integer. The length of the option (including | |||
| the Type and Length fields) in units of 8 bytes. | the Type and Length fields) in units of 8 bytes. | |||
| URI The URI (containing an IPv6 literal) of the authentication page | URI The URI of the authentication page that the user should connect | |||
| that the user should connect to. This should be padded with NULL | to. For the reasons described above, the implementer might want | |||
| (0x0) to make the total option length (including the Type and | to use an IP address literal instead of a DNS name. This should | |||
| Length fields) a multiple of 8 bytes. | be padded with NULL (0x0) to make the total option length | |||
| (including the Type and Length fields) a multiple of 8 bytes. | ||||
| 5. Use of the Captive-Portal Option | 5. Use of the Captive-Portal Option | |||
| [ED NOTE: This option provides notice to the OS / User applications | [ED NOTE: This option provides notice to the OS / User applications | |||
| that there is a CP. Because of differences in UI design between | that there is a CP. Because of differences in UI design between | |||
| Operating Systems, the exact behaviour by OS and Applications is left | Operating Systems, the exact behaviour by OS and Applications is left | |||
| to the OS vendor/Application Developer.] | to the OS vendor/Application Developer.] | |||
| The purpose of the Captive-Portal Option is to inform the operating | The purpose of the Captive-Portal Option is to inform the operating | |||
| system and applications that they are behind a captive portal type | system and applications that they are behind a captive portal type | |||
| device and will need to authenticate before getting network access | device and will need to authenticate before getting network access | |||
| (and how to reach the authentication page). What is done with this | (and how to reach the authentication page). What is done with this | |||
| information is left up to the operating system and application | information is left up to the operating system and application | |||
| vendors. This document provides a very high level example of what | vendors. This document provides a very high level example of what | |||
| could be done with this information. | could be done with this information. | |||
| Many operating systems / applications already include a "connectivity | Many operating systems / applications already include a "connectivity | |||
| test" to determine if they are behind a captive portal (for example, | test" to determine if they are behind a captive portal (for example, | |||
| attempting to fetch a specific URL and looking for a specific string | attempting to fetch a specific URL and looking for a specific string | |||
| (such as "Success")). These tests sometimes fail or take a long time | (such as "Success"). These tests sometimes fail or take a long time | |||
| to determine when they are behind a CP, but are usually effective for | to determine when they are behind a CP, but are usually effective for | |||
| determining that the captive portal has been satisfied. These tests | determining that the captive portal has been satisfied. These tests | |||
| will continue to be needed, because there is currently no definitive | will continue to be needed, because there is currently no definitive | |||
| signal from the captive portal that it has been satisfied. [ Editor | signal from the captive portal that it has been satisfied. [ Editor | |||
| note: It may be useful to write another document that specifies how a | note: It may be useful to write another document that specifies how a | |||
| client can determine that it has passed the CP. This document could | client can determine that it has passed the CP. This document could | |||
| also contain advice to implmentors on only intercepting actually | also contain advice to implmentors on only intercepting actually | |||
| needed ports, how to advertise that the CP needs to be statisfied | needed ports, how to advertise that the CP needs to be statisfied | |||
| *again*, etc. This should not be done in this document though. ] The | *again*, etc. This should not be done in this document though. ] The | |||
| connectivity test may also need to be used if the captive portal | connectivity test may also need to be used if the captive portal | |||
| times out the user session and needs the user to re-authenticate / | times out the user session and needs the user to re-authenticate. | |||
| pay again. The operating system may still find the information about | The operating system may still find the information about the captive | |||
| the captive portal URI useful in this case. | portal URI useful in this case. | |||
| When the device is informed that it is behind a captive portal it | When the device is informed that it is behind a captive portal it | |||
| SHOULD: | should: | |||
| 1. Not initiate new IP connections until the CP has been satisfied | 1. Not initiate new IP connections until the CP has been satisfied | |||
| (other than those to the captive portal browser session and | (other than those to the captive portal browser session and | |||
| connectivity checks). Existing connections should be quiesced | connectivity checks). Existing connections should be quiesced | |||
| (this will happen more often than some expect -- for example, the | (this will happen more often than some expect -- for example, the | |||
| user purchases 1 hour of Internet at a cafe and stays there for 3 | user purchases 1 hour of Internet at a cafe and stays there for 3 | |||
| hours -- this will "interrupt" the user a few times). | hours -- this will "interrupt" the user a few times). | |||
| 2. Present a dialog box to the user informing them that they are | 2. Present a dialog box to the user informing them that they are | |||
| behind a captive portal and ask if they wish to proceed. | behind a captive portal and ask if they wish to proceed. | |||
| skipping to change at page 8, line 26 ¶ | skipping to change at page 7, line 35 ¶ | |||
| 5. The device should (using an OS dependent method) expose to the | 5. The device should (using an OS dependent method) expose to the | |||
| user / user applications that they have connected though a | user / user applications that they have connected though a | |||
| captive portal (for example by creating a file in /proc/net/ | captive portal (for example by creating a file in /proc/net/ | |||
| containing the interface and captive portal URI). This should | containing the interface and captive portal URI). This should | |||
| continue until the network changes, or a new DHCP message without | continue until the network changes, or a new DHCP message without | |||
| the CP is received. | the CP is received. | |||
| 6. IANA Considerations | 6. IANA Considerations | |||
| This document defines DHCPv4 Captive-Portal option which requires | This document defines the DHCP Captive-Portal option and requires | |||
| assignment of DHCPv4 option code TBA1 assigned from "Bootp and DHCP | assignment of an option code (TBA1) to be assigned from "Bootp and | |||
| options" registry (http://www.iana.org/assignments/ bootp-dhcp- | DHCP options" registry (http://www.iana.org/assignments/ bootp-dhcp- | |||
| parameters/bootp-dhcp-parameters.xml), as specified in [RFC2939]. | parameters/bootp-dhcp-parameters.xml), as specified in [RFC2939]. | |||
| IANA is also requested to assign an IPv6 RA Option Type code (TBA3) | IANA is also requested to assign an IPv6 RA Option Type code (TBA2) | |||
| from the "IPv6 Neighbor Discovery Option Formats" registry. Thanks | from the "IPv6 Neighbor Discovery Option Formats" registry. Thanks | |||
| IANA! | IANA! | |||
| 7. Security Considerations | 7. Security Considerations | |||
| An attacker with the ability to inject DHCP messages could include | An attacker with the ability to inject DHCP messages could include | |||
| this option and so force users to contact an address of his choosing. | this option and so force users to contact an address of his choosing. | |||
| As an attacker with this capability could simply list himself as the | As an attacker with this capability could simply list himself as the | |||
| default gateway (and so intercept all the victim's traffic), this | default gateway (and so intercept all the victim's traffic), this | |||
| does not provide them with significantly more capabilities. Fake | does not provide them with significantly more capabilities. Fake | |||
| skipping to change at page 9, line 16 ¶ | skipping to change at page 8, line 25 ¶ | |||
| doing away with the need for interception, we think that users will | doing away with the need for interception, we think that users will | |||
| be less likely to disable useful security safeguards like DNSSEC | be less likely to disable useful security safeguards like DNSSEC | |||
| validation, VPNs, etc. In addition, because the system knows that it | validation, VPNs, etc. In addition, because the system knows that it | |||
| is behind a captive portal, it can know not to send cookies, | is behind a captive portal, it can know not to send cookies, | |||
| credentials, etc. Redirection to a portal where TLS can be used | credentials, etc. Redirection to a portal where TLS can be used | |||
| without hijacking can ameliorate some of the implications of | without hijacking can ameliorate some of the implications of | |||
| connecting to a potentially malicious captive portal. | connecting to a potentially malicious captive portal. | |||
| 8. Acknowledgements | 8. Acknowledgements | |||
| The primary author has discussed this idea with a number of folk, and | ||||
| asked them to assist by becoming co-authors. Unfortunately he has | ||||
| forgotten who many of them were; if you were one of them, I | ||||
| apologize. | ||||
| Thanks to Vint Cerf for the initial idea / asking me to write this. | Thanks to Vint Cerf for the initial idea / asking me to write this. | |||
| Thanks to Wes George for supplying the IPv6 text. Thanks to Lorenzo | Thanks to Wes George for supplying the IPv6 text. Thanks to Lorenzo | |||
| and Erik for the V6 RA kick in the pants. | and Erik for the V6 RA kick in the pants. | |||
| Thanks to Fred Baker and Asbjorn Tonnesen for detailed review and | Thanks to Fred Baker, Ted Lemon, Ole Troan and Asbjorn Tonnesen for | |||
| comments. Also great thanks to Joel Jaeggli for providing feedback | detailed review and comments. Also great thanks to Joel Jaeggli for | |||
| and text. | providing feedback and text. | |||
| 9. Normative References | 9. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| Appendix A. Changes / Author Notes. | Appendix A. Changes / Author Notes. | |||
| [RFC Editor: Please remove this section before publication ] | [RFC Editor: Please remove this section before publication ] | |||
| From 07 to 08: | ||||
| o Incorporated comments from Ted Lemon. Made the document much | ||||
| shorter. | ||||
| o Some cleanup. | ||||
| From 06 to 07: | From 06 to 07: | |||
| o Incoroprated a bunch of comments from Asbjorn Tonnesen | o Incoroprated a bunch of comments from Asbjorn Tonnesen | |||
| o Clarified that this document is only for the DHCP bits, not | o Clarified that this document is only for the DHCP bits, not | |||
| everything. | everything. | |||
| o CP's *can* do HTTP redirects to DNS banes, as long as they allow | o CP's *can* do HTTP redirects to DNS banes, as long as they allow | |||
| access to all needed services. | access to all needed services. | |||
| From 05 to 06: | From 05 to 06: | |||
| o Integrated comments from Joel, as below | o Integrated comments from Joel, as below | |||
| End of changes. 32 change blocks. | ||||
| 105 lines changed or deleted | 75 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||