| draft-wkumari-dhc-capport-08.txt (old) | draft-wkumari-dhc-capport-09.txt (new) |
|---|---|
| skipping to change at page 1, line 13 ¶ | skipping to change at page 1, line 13 ¶ | |||
| Network Working Group W. Kumari | Network Working Group W. Kumari | |||
| Internet-Draft Google | Internet-Draft Google | |||
| Intended status: Informational O. Gudmundsson | Intended status: Informational O. Gudmundsson | |||
| Expires: July 31, 2015 Shinkuro Inc. | Expires: July 31, 2015 Shinkuro Inc. | |||
| P. Ebersman | P. Ebersman | |||
| Comcast | Comcast | |||
| S. Sheng | S. Sheng | |||
| ICANN | ICANN | |||
| January 27, 2015 | January 27, 2015 | |||
| Captive-Portal identification in DHCPv4 / RA | Captive-Portal identification in DHCP / RA | |||
| draft-wkumari-dhc-capport-08 | draft-wkumari-dhc-capport-09 | |||
| Abstract | Abstract | |||
| In many environments offering short-term or temporary Internet access | In many environments offering short-term or temporary Internet access | |||
| (such as coffee shops), it is common to start new connections in a | (such as coffee shops), it is common to start new connections in a | |||
| captive portal mode. This highly restricts what the customer can do | captive portal mode. This highly restricts what the customer can do | |||
| until the customer has authenticated. | until the customer has authenticated. | |||
| This document describes a DHCPv4 option (and an IPv6 RA extension) to | This document describes a DHCP option (and a RA extension) to inform | |||
| inform clients that they are behind some sort of captive portal | clients that they are behind some sort of captive portal device, and | |||
| device, and that they will need to authenticate to get Internet | that they will need to authenticate to get Internet Access. | |||
| Access. | ||||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
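| | Review bot: the revised abstract says "a DHCP option (and a RA extension)", but -09 now defines two DHCP options, one for IPv4 and one for IPv6 (sections 3.1 and 3.2), so the abstract should say that a DHCPv4 option, a DHCPv6 option and an RA extension are defined; "a RA" also reads as "an RA". |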
| skipping to change at page 2, line 23 ¶ | skipping to change at page 2, line 23 ¶ | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 1.1. Requirements notation . . . . . . . . . . . . . . . . . . 3 | 1.1. Requirements notation . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2.1. DNS Redirection . . . . . . . . . . . . . . . . . . . . . 4 | 2.1. DNS Redirection . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 2.2. HTTP Redirection . . . . . . . . . . . . . . . . . . . . 4 | 2.2. HTTP Redirection . . . . . . . . . . . . . . . . . . . . 4 | |||
| 2.3. IP Hijacking . . . . . . . . . . . . . . . . . . . . . . 4 | 2.3. IP Hijacking . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3. The Captive-Portal IPv4 DHCP Option . . . . . . . . . . . . . 4 | 3. The Captive-Portal DHCP Option . . . . . . . . . . . . . . . 5 | |||
| 4. The Captive-Portal IPv6 RA Option . . . . . . . . . . . . . . 5 | 3.1. IPv4 DHCP Option . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3.2. IPv6 DHCP Option . . . . . . . . . . . . . . . . . . . . 5 | ||||
| 4. The Captive-Portal IPv6 RA Option . . . . . . . . . . . . . . 6 | ||||
| 5. Use of the Captive-Portal Option . . . . . . . . . . . . . . 6 | 5. Use of the Captive-Portal Option . . . . . . . . . . . . . . 6 | |||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 7. Security Considerations . . . . . . . . . . . . . . . . . . . 7 | 7. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | |||
| 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 | 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 9. Normative References . . . . . . . . . . . . . . . . . . . . 8 | 9. Normative References . . . . . . . . . . . . . . . . . . . . 9 | |||
| Appendix A. Changes / Author Notes. . . . . . . . . . . . . . . 8 | Appendix A. Changes / Author Notes. . . . . . . . . . . . . . . 9 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 1. Introduction | 1. Introduction | |||
| In many environments, users need to connect to a captive portal | In many environments, users need to connect to a captive portal | |||
| device and agree to an acceptable use policy and / or provide billing | device and agree to an acceptable use policy and / or provide billing | |||
| information before they can access the Internet. | information before they can access the Internet. | |||
| Many devices perform DNS, HHTP, and / or IP hijacks in order to | Many devices perform DNS, HTTP, and / or IP hijacks in order to | |||
| present the user with the captive portal web page. These kludgy | present the user with the captive portal web page. These workarounds | |||
| workarounds and techniques resemble attacks that DNSSEC and TLS are | and techniques resemble attacks that DNSSEC and TLS are intended to | |||
| intended to protect against. This document describes a DHCPv4 option | protect against. This document describe a DHCP option (Captive | |||
| (Captive Portal) and an IPv6 Router Advertisement (RA) extension that | Portal) and an IPv6 Router Advertisement (RA) extension that informs | |||
| informs clients that they are behind a captive portal device and how | clients that they are behind a captive portal device and how to | |||
| to contact it. | contact it. | |||
| This document neither condones nor condemns the use of captive | This document neither condones nor condemns the use of captive | |||
| portals; instead, it recognises that their apparent necessity, and | portals; instead, it recognises that their apparent necessity, and | |||
| attempts to improve the user experience. | attempts to improve the user experience. | |||
| [ Ed note: This solution complements 802.11U / WiFi Passpoint. It | [ Ed note: This solution is somewhat similar / complements 802.11u / | |||
| can be quickly and easily deployed, and works on wired as well ] | WiFi Passpoint Online Sign-up, but is much simpler, easier to deploy, | |||
| and works on wired as well ] | ||||
| 1.1. Requirements notation | 1.1. Requirements notation | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in [RFC2119]. | document are to be interpreted as described in [RFC2119]. | |||
| 2. Background | 2. Background | |||
| Some ISPs implement a captive portal (CP) - a system that intercepts | Some ISPs implement a captive portal (CP) - a system that intercepts | |||
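| | Review bot: "This document describe a DHCP option (Captive Portal)" in the Introduction has lost its verb agreement ("describes"), and like the abstract it should say that both a DHCPv4 and a DHCPv6 option are defined, since that is the point of this revision. The reworked ed note, "is somewhat similar / complements 802.11u / WiFi Passpoint Online Sign-up", does not parse as a sentence; "complements 802.11u / WiFi Passpoint Online Sign-up, but is much simpler, easier to deploy, and works on wired as well" says the same thing cleanly. |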
| skipping to change at page 4, line 46 ¶ | skipping to change at page 5, line 5 ¶ | |||
| 2.3. IP Hijacking | 2.3. IP Hijacking | |||
| In this scenario, the captive portal intercepts connections to any IP | In this scenario, the captive portal intercepts connections to any IP | |||
| address. It spoofs the destination IP address and "pretends" to be | address. It spoofs the destination IP address and "pretends" to be | |||
| whatever the user tried to access. | whatever the user tried to access. | |||
| This technique has issues similar to the HTTP solution, but may also | This technique has issues similar to the HTTP solution, but may also | |||
| break other protocols, and may expose more of the user's private | break other protocols, and may expose more of the user's private | |||
| information. | information. | |||
| 3. The Captive-Portal IPv4 DHCP Option | 3. The Captive-Portal DHCP Option | |||
| The Captive Portal DHCP Option (TBA1) informs an IPv4 client that it | The Captive Portal DHCP Option informs the client that it is behind a | |||
| is behind a captive portal and provides the URI to access an | captive portal and provides the URI to access an authentication page. | |||
| authentication page. This is primarily intended to improve the user | This is primarily intended to improve the user experience; for the | |||
| experience; for the foreseeable future (until such time that most | foreseeable future (until such time that most systems implement this | |||
| systems implement this technique) captive portals will still need to | technique) captive portals will still need to implement the | |||
| implement the interception techniques to serve legacy clients. | interception techniques to serve legacy clients. | |||
| The format of the DHCP Captive-Portal DHCP option is shown below. | In order to avoid having to perform DNS interception, the URI SHOULD | |||
| contain an address literal, but MAY contain a DNS name if the captive | ||||
| portal allows the client to perform DNS requests to resolve the name. | ||||
| [ED NOTE: Using an address literal is less than ideal, but better | ||||
| than the alternatives. Recommending a DNS name means that the CP | ||||
| would need to allow DNS from unauthenticated clients (as we don't | ||||
| want to force users to use the CP's provided DNS) and some users | ||||
| would use this to DNS Tunnel out, which may make the CP admin block | ||||
| external recursives). DNS is needed to allow operators to serve SSL/ | ||||
| TLS for e.g billing (certificates with IP addresses are frowned upon | ||||
| :-))] | ||||
| 3.1. IPv4 DHCP Option | ||||
| The format of the IPv4 Captive-Portal DHCP option is shown below. | ||||
| Code Len Data | Code Len Data | |||
| +------+------+------+------+------+-- --+-----+ | +------+------+------+------+------+-- --+-----+ | |||
| | code | len | URI ... | | | code | len | URI ... | | |||
| +------+------+------+------+------+-- --+-----+ | +------+------+------+------+------+-- --+-----+ | |||
| o Code: The Captive-Portal DHCP Option (TBA1) | o Code: The Captive-Portal DHCPv4 Option (TBA1) | |||
| o Len: The length, in octets of the URI. | o Len: The length, in octets of the URI. | |||
| o URI: The URI of the authentication page that the user should | o URI: The URI of the authentication page that the user should | |||
| connect to. | connect to. | |||
| In order to avoid having to perform DNS interception, the URI SHOULD | 3.2. IPv6 DHCP Option | |||
| contain an IPv4 address literal. | ||||
| For cases requiring SSL/TLS (collection of billing information for | The format of the IPv6 Captive-Portal DHCP option is shown below. | |||
| example), the IP literal can redirect to a URI containing a DNS name. | Other than the code it is identical to the IPv4 DHCP option. | |||
| [ED NOTE: Using an address literal is less than ideal, but better | Code Len Data | |||
| than the alternatives. Recommending a DNS name means that the CP | +------+------+------+------+------+-- --+-----+ | |||
| would need to allow DNS from unauthenticated clients (as we don't | | code | len | URI ... | | |||
| want to force users to use the CP's provided DNS) and some users | +------+------+------+------+------+-- --+-----+ | |||
| would use this to DNS Tunnel out. This would make the CP admin block | ||||
| external recursives).] | o Code: The Captive-Portal DHCPv6Option (TBA2) | |||
| o Len: The length, in octets of the URI. | ||||
| o URI: The URI of the authentication page that the user should | ||||
| connect to. | ||||
| 4. The Captive-Portal IPv6 RA Option | 4. The Captive-Portal IPv6 RA Option | |||
| This section describes the Captive-Portal Router Advertisement | This section describes the Captive-Portal Router Advertisement | |||
| option. | option. | |||
| 0 1 2 3 | 0 1 2 3 | |||
| 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | Type | Length | URI . | | Type | Length | URI . | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ . | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ . | |||
| . . | . . | |||
| . . | . . | |||
| . . | . . | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| Figure 2: Captive-Portal RA Option Format | Figure 2: Captive-Portal RA Option Format | |||
| Type TBA2 | Type TBA3 | |||
| Length 8-bit unsigned integer. The length of the option (including | Length 8-bit unsigned integer. The length of the option (including | |||
| the Type and Length fields) in units of 8 bytes. | the Type and Length fields) in units of 8 bytes. | |||
| URI The URI of the authentication page that the user should connect | URI The URI of the authentication page that the user should connect | |||
| to. For the reasons described above, the implementer might want | to. For the reasons described above, the implementer might want | |||
| to use an IP address literal instead of a DNS name. This should | to use an IP address literal instead of a DNS name. This should | |||
| be padded with NULL (0x0) to make the total option length | be padded with NULL (0x0) to make the total option length | |||
| (including the Type and Length fields) a multiple of 8 bytes. | (including the Type and Length fields) a multiple of 8 bytes. | |||
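| | Review bot: the new section 3.2 figure copies the one-octet Code and Len layout of the IPv4 option and states it is "identical to the IPv4 DHCP option" apart from the code, but DHCPv6 options carry a two-octet option-code and a two-octet option-len (RFC 3315), so the figure and the Len description for the IPv6 option need their own layout. "DHCPv6Option" is missing a space. Section 3 now says the URI SHOULD contain an address literal, while the RA option text in section 4 still says only that "the implementer might want to use an IP address literal"; the two sections should use the same requirement level, and section 4 could simply refer to the section 3 rule. |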
| 5. Use of the Captive-Portal Option | 5. Use of the Captive-Portal Option | |||
| skipping to change at page 6, line 38 ¶ | skipping to change at page 7, line 15 ¶ | |||
| Many operating systems / applications already include a "connectivity | Many operating systems / applications already include a "connectivity | |||
| test" to determine if they are behind a captive portal (for example, | test" to determine if they are behind a captive portal (for example, | |||
| attempting to fetch a specific URL and looking for a specific string | attempting to fetch a specific URL and looking for a specific string | |||
| (such as "Success"). These tests sometimes fail or take a long time | (such as "Success"). These tests sometimes fail or take a long time | |||
| to determine when they are behind a CP, but are usually effective for | to determine when they are behind a CP, but are usually effective for | |||
| determining that the captive portal has been satisfied. These tests | determining that the captive portal has been satisfied. These tests | |||
| will continue to be needed, because there is currently no definitive | will continue to be needed, because there is currently no definitive | |||
| signal from the captive portal that it has been satisfied. [ Editor | signal from the captive portal that it has been satisfied. [ Editor | |||
| note: It may be useful to write another document that specifies how a | note: It may be useful to write another document that specifies how a | |||
| client can determine that it has passed the CP. This document could | client can determine that it has passed the CP. This document could | |||
| also contain advice to implmentors on only intercepting actually | also contain advice to implementors on only intercepting actually | |||
| needed ports, how to advertise that the CP needs to be statisfied | needed ports, how to advertise that the CP needs to be satisfied | |||
| *again*, etc. This should not be done in this document though. ] The | *again*, etc. This should not be done in this document though. ] The | |||
| connectivity test may also need to be used if the captive portal | connectivity test may also need to be used if the captive portal | |||
| times out the user session and needs the user to re-authenticate. | times out the user session and needs the user to re-authenticate. | |||
| The operating system may still find the information about the captive | The operating system may still find the information about the captive | |||
| portal URI useful in this case. | portal URI useful in this case. | |||
| If the device gets different URIs (for example, via DHCPv6 and IPv6 | ||||
| RA) it should try them in the following order: DHCPv4, DHCPv6, RA. | ||||
| [Ed note: This ordering is somewhat arbitrary - this order was chosen | ||||
| because this is the order I expect the code to be implemented by OS | ||||
| vendors, and I'd like the same behavior from newer and older devices | ||||
| to make troubleshooting easier.] | ||||
| When the device is informed that it is behind a captive portal it | When the device is informed that it is behind a captive portal it | |||
| should: | should: | |||
| 1. Not initiate new IP connections until the CP has been satisfied | 1. Not initiate new IP connections until the CP has been satisfied | |||
| (other than those to the captive portal browser session and | (other than those to the captive portal browser session and | |||
| connectivity checks). Existing connections should be quiesced | connectivity checks). Existing connections should be quiesced | |||
| (this will happen more often than some expect -- for example, the | (this will happen more often than some expect -- for example, the | |||
| user purchases 1 hour of Internet at a cafe and stays there for 3 | user purchases 1 hour of Internet at a cafe and stays there for 3 | |||
| hours -- this will "interrupt" the user a few times). | hours -- this will "interrupt" the user a few times). | |||
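| | Review bot: the added paragraph on trying URIs "in the following order: DHCPv4, DHCPv6, RA" does not define what "try" means: whether the client moves to the next URI only when the previous one cannot be fetched, and whether it stops at the first one that loads. Spelling that out, and noting that a client may want to record when the sources disagree (the Security Considerations already discusses an injected DHCP message steering users to another address), would give the consistent behaviour across implementations that the ed note says is the goal. |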
| skipping to change at page 7, line 35 ¶ | skipping to change at page 8, line 19 ¶ | |||
| 5. The device should (using an OS dependent method) expose to the | 5. The device should (using an OS dependent method) expose to the | |||
| user / user applications that they have connected though a | user / user applications that they have connected though a | |||
| captive portal (for example by creating a file in /proc/net/ | captive portal (for example by creating a file in /proc/net/ | |||
| containing the interface and captive portal URI). This should | containing the interface and captive portal URI). This should | |||
| continue until the network changes, or a new DHCP message without | continue until the network changes, or a new DHCP message without | |||
| the CP is received. | the CP is received. | |||
| 6. IANA Considerations | 6. IANA Considerations | |||
| This document defines the DHCP Captive-Portal option and requires | This document defines two DHCP Captive-Portal options, one for IPv6 | |||
| assignment of an option code (TBA1) to be assigned from "Bootp and | and one for IPv6. It requires assignment of an option code (TBA1) to | |||
| DHCP options" registry (http://www.iana.org/assignments/ bootp-dhcp- | be assigned from "Bootp and DHCP options" registry (http://www.iana | |||
| parameters/bootp-dhcp-parameters.xml), as specified in [RFC2939]. | .org/assignments/ bootp-dhcp-parameters/bootp-dhcp-parameters.xml), | |||
| as specified in [RFC2939]. It also requires assignment of an option | ||||
| code (TBA2) from the "DHCPv6 and DHCPv6 options" registry | ||||
| (http://www.iana.org/assignments/dhcpv6-parameters/ | ||||
| dhcpv6-parameters.xml). | ||||
| IANA is also requested to assign an IPv6 RA Option Type code (TBA2) | IANA is also requested to assign an IPv6 RA Option Type code (TBA2) | |||
| from the "IPv6 Neighbor Discovery Option Formats" registry. Thanks | from the "IPv6 Neighbor Discovery Option Formats" registry. Thanks | |||
| IANA! | IANA! | |||
| 7. Security Considerations | 7. Security Considerations | |||
| An attacker with the ability to inject DHCP messages could include | An attacker with the ability to inject DHCP messages could include | |||
| this option and so force users to contact an address of his choosing. | this option and so force users to contact an address of his choosing. | |||
| As an attacker with this capability could simply list himself as the | As an attacker with this capability could simply list himself as the | |||
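| | Review bot: "two DHCP Captive-Portal options, one for IPv6 and one for IPv6" should read "one for IPv4 and one for IPv6". The RA request still asks for "an IPv6 RA Option Type code (TBA2)", but section 4 of this revision changed the RA Type to TBA3 and TBA2 is now the DHCPv6 option code, so the IANA section should say TBA3 for the RA option. "DHCPv6 and DHCPv6 options" as the registry name looks like a copy-and-paste slip and should be checked against the actual IANA registry title. |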
| skipping to change at page 8, line 42 ¶ | skipping to change at page 9, line 28 ¶ | |||
| 9. Normative References | 9. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| Appendix A. Changes / Author Notes. | Appendix A. Changes / Author Notes. | |||
| [RFC Editor: Please remove this section before publication ] | [RFC Editor: Please remove this section before publication ] | |||
| From 08 to 09: | ||||
| o Put back the DHCPv6 option, and made the fact that is separate | ||||
| from the DHCPv4 option clearer (Ted Lemon) | ||||
| From 07 to 08: | From 07 to 08: | |||
| o Incorporated comments from Ted Lemon. Made the document much | o Incorporated comments from Ted Lemon. Made the document much | |||
| shorter. | shorter. | |||
| o Some cleanup. | o Some cleanup. | |||
| From 06 to 07: | From 06 to 07: | |||
| o Incoroprated a bunch of comments from Asbjorn Tonnesen | o Incoroprated a bunch of comments from Asbjorn Tonnesen | |||
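| | Review bot: the new 08 to 09 entry, "made the fact that is separate from the DHCPv4 option clearer", is missing "it" ("the fact that it is separate"). Although not part of this change, the 06 to 07 entry still reads "Incoroprated" rather than "Incorporated". |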
| End of changes. 18 change blocks. | ||||
| 49 lines changed or deleted | 88 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||
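Added example, not code from the draft or its authors: a Python encoder and decoder for the -09 Captive-Portal DHCPv4 option (section 3.1) and RA option (section 4), including the RA padding and Length checks, plus the section 3 address-literal check. The draft leaves the option codes TBA, so `DHCPV4_CODE_TBA1` and `RA_TYPE_TBA3` are placeholder values chosen here.

```python
"""Encoder/decoder for the two option formats in draft-wkumari-dhc-capport-09:
the Captive-Portal DHCPv4 option (section 3.1: 1-octet Code, 1-octet Len, URI)
and the Captive-Portal RA option (section 4: Type, Length in 8-octet units that
counts the Type and Length fields, URI, NUL padding to a multiple of 8 octets).
The draft leaves the codes TBA; the two values below are placeholders only."""
import ipaddress
import struct
from urllib.parse import urlsplit

DHCPV4_CODE_TBA1 = 160   # placeholder for TBA1, not a value assigned by the draft
RA_TYPE_TBA3 = 37        # placeholder for TBA3, not a value assigned by the draft


def encode_dhcpv4_option(uri, code=DHCPV4_CODE_TBA1):
    """Code (1 octet), Len (1 octet, length of the URI in octets), URI."""
    data = uri.encode("ascii")
    if not 0 < len(data) <= 255:
        raise ValueError("URI must be 1..255 octets to fit a DHCPv4 option")
    return struct.pack("!BB", code, len(data)) + data


def decode_dhcpv4_option(raw, code=DHCPV4_CODE_TBA1):
    """Return the URI, rejecting a Len that disagrees with the option size."""
    if len(raw) < 2 or raw[0] != code:
        raise ValueError("not a Captive-Portal DHCPv4 option")
    if len(raw) != 2 + raw[1]:
        raise ValueError("Len does not match the option size")
    return raw[2:].decode("ascii")


def encode_ra_option(uri, otype=RA_TYPE_TBA3):
    """Type, Length (total octets / 8, header included), URI, NUL padding."""
    data = uri.encode("ascii")
    total = 2 + len(data)
    padded = (total + 7) // 8 * 8          # round up to a multiple of 8 octets
    if padded // 8 > 255:
        raise ValueError("URI too long for a single RA option")
    return (struct.pack("!BB", otype, padded // 8) + data
            + b"\x00" * (padded - total))


def decode_ra_option(raw, otype=RA_TYPE_TBA3):
    """Return the URI with the NUL padding stripped, validating Length first."""
    if len(raw) < 8 or raw[0] != otype:
        raise ValueError("not a Captive-Portal RA option")
    # RFC 4861 requires a receiver to discard any ND option with Length 0.
    if raw[1] == 0 or len(raw) != raw[1] * 8:
        raise ValueError("RA option Length disagrees with the option size")
    return raw[2:].rstrip(b"\x00").decode("ascii")


def uri_uses_address_literal(uri):
    """Section 3 says the URI SHOULD carry an address literal; a client can
    record when it does not, because a DNS name only works if the portal
    lets unauthenticated clients resolve it."""
    host = urlsplit(uri).hostname       # strips the [] around an IPv6 literal
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False
```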