| < draft-wkumari-dhc-capport-11.txt | draft-wkumari-dhc-capport-12.txt > | |||
|---|---|---|---|---|
| Network Working Group W. Kumari | Network Working Group W. Kumari | |||
| Internet-Draft Google | Internet-Draft Google | |||
| Intended status: Informational O. Gudmundsson | Intended status: Standards Track O. Gudmundsson | |||
| Expires: August 3, 2015 CloudFlare | Expires: September 5, 2015 CloudFlare | |||
| P. Ebersman | P. Ebersman | |||
| Comcast | Comcast | |||
| S. Sheng | S. Sheng | |||
| ICANN | ICANN | |||
| January 30, 2015 | March 04, 2015 | |||
| Captive-Portal identification in DHCP / RA | Captive-Portal identification in DHCP / RA | |||
| draft-wkumari-dhc-capport-11 | draft-wkumari-dhc-capport-12 | |||
| Abstract | Abstract | |||
| In many environments offering short-term or temporary Internet access | In many environments offering short-term or temporary Internet access | |||
| (such as coffee shops), it is common to start new connections in a | (such as coffee shops), it is common to start new connections in a | |||
| captive portal mode. This highly restricts what the customer can do | captive portal mode. This highly restricts what the customer can do | |||
| until the customer has authenticated. | until the customer has authenticated. | |||
| This document describes a DHCP option (and a RA extension) to inform | This document describes a DHCP option (and a RA extension) to inform | |||
| clients that they are behind some sort of captive portal device, and | clients that they are behind some sort of captive portal device, and | |||
| skipping to change at page 1, line 42 ¶ | skipping to change at page 1, line 42 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on August 3, 2015. | This Internet-Draft will expire on September 5, 2015. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2015 IETF Trust and the persons identified as the | Copyright (c) 2015 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 32 ¶ | skipping to change at page 2, line 32 ¶ | |||
| 2.3. IP Hijacking . . . . . . . . . . . . . . . . . . . . . . 4 | 2.3. IP Hijacking . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3. The Captive-Portal Option . . . . . . . . . . . . . . . . . . 5 | 3. The Captive-Portal Option . . . . . . . . . . . . . . . . . . 5 | |||
| 3.1. IPv4 DHCP Option . . . . . . . . . . . . . . . . . . . . 5 | 3.1. IPv4 DHCP Option . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3.2. IPv6 DHCP Option . . . . . . . . . . . . . . . . . . . . 6 | 3.2. IPv6 DHCP Option . . . . . . . . . . . . . . . . . . . . 6 | |||
| 4. The Captive-Portal IPv6 RA Option . . . . . . . . . . . . . . 6 | 4. The Captive-Portal IPv6 RA Option . . . . . . . . . . . . . . 6 | |||
| 5. Use of the Captive-Portal Option . . . . . . . . . . . . . . 7 | 5. Use of the Captive-Portal Option . . . . . . . . . . . . . . 7 | |||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 7. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | 7. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | |||
| 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9 | 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 9. Normative References . . . . . . . . . . . . . . . . . . . . 9 | 9. Normative References . . . . . . . . . . . . . . . . . . . . 9 | |||
| Appendix A. Changes / Author Notes. . . . . . . . . . . . . . . 9 | Appendix A. Changes / Author Notes. . . . . . . . . . . . . . . 10 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 1. Introduction | 1. Introduction | |||
| In many environments, users need to connect to a captive portal | In many environments, users need to connect to a captive portal | |||
| device and agree to an acceptable use policy and / or provide billing | device and agree to an acceptable use policy and / or provide billing | |||
| information before they can access the Internet. | information before they can access the Internet. | |||
| Many devices perform DNS, HTTP, and / or IP hijacks in order to | Many devices perform DNS, HTTP, and / or IP hijacks in order to | |||
| present the user with the captive portal web page. These workarounds | present the user with the captive portal web page. These workarounds | |||
| and techniques resemble attacks that DNSSEC and TLS are intended to | and techniques resemble attacks that DNSSEC and TLS are intended to | |||
| protect against. This document describe a DHCP option (Captive | protect against. This document describe a DHCP ([RFC2131]) option | |||
| Portal) and an IPv6 Router Advertisement (RA) extension that informs | (Captive Portal) and an IPv6 Router Advertisement (RA) ([RFC4861]) | |||
| clients that they are behind a captive portal device and how to | extension that informs clients that they are behind a captive portal | |||
| contact it. | device and how to contact it. | |||
| This document neither condones nor condemns the use of captive | This document neither condones nor condemns the use of captive | |||
| portals; instead, it recognises that their apparent necessity, and | portals; instead, it recognises that their apparent necessity, and | |||
| attempts to improve the user experience. | attempts to improve the user experience. | |||
| [ Ed note: This solution is somewhat similar / complements 802.11u / | [ Ed note: This solution is somewhat similar / complements 802.11u / | |||
| WiFi Passpoint Online Sign-up, but is much simpler, easier to deploy, | WiFi Passpoint Online Sign-up, but is much simpler, easier to deploy, | |||
| and works on wired as well ] | and works on wired as well ] | |||
| 1.1. Requirements notation | 1.1. Requirements notation | |||
| skipping to change at page 5, line 15 ¶ | skipping to change at page 5, line 15 ¶ | |||
| 3. The Captive-Portal Option | 3. The Captive-Portal Option | |||
| The Captive Portal DHCP / RA Option informs the client that it is | The Captive Portal DHCP / RA Option informs the client that it is | |||
| behind a captive portal and provides the URI to access an | behind a captive portal and provides the URI to access an | |||
| authentication page. This is primarily intended to improve the user | authentication page. This is primarily intended to improve the user | |||
| experience; for the foreseeable future (until such time that most | experience; for the foreseeable future (until such time that most | |||
| systems implement this technique) captive portals will still need to | systems implement this technique) captive portals will still need to | |||
| implement the interception techniques to serve legacy clients. | implement the interception techniques to serve legacy clients. | |||
| In order to support multiple "classes" of clients (e.g: IPv4 only, | In order to support multiple "classes" of clients (e.g: IPv4 only, | |||
| IPv6 only with DHCPv6, IPv6 only with RA) the captive portal can | IPv6 only with DHCPv6([RFC3315]), IPv6 only with RA) the captive | |||
| provide the URI via multiple methods (IPv4 DHCP, IPv6 DHCP, IPv6 RA). | portal can provide the URI via multiple methods (IPv4 DHCP, IPv6 | |||
| The captive portal operator should ensure that the URIs handed out | DHCP, IPv6 RA). The captive portal operator should ensure that the | |||
| are equivalent to reduce the chance of operational problems. | URIs handed out are equivalent to reduce the chance of operational | |||
| problems. | ||||
| In order to avoid having to perform DNS interception, the URI SHOULD | In order to avoid having to perform DNS interception, the URI SHOULD | |||
| contain an address literal, but MAY contain a DNS name if the captive | contain an address literal, but MAY contain a DNS name if the captive | |||
| portal allows the client to perform DNS requests to resolve the name. | portal allows the client to perform DNS requests to resolve the name. | |||
| [ED NOTE: Using an address literal is less than ideal, but better | [ED NOTE: Using an address literal is less than ideal, but better | |||
| than the alternatives. Recommending a DNS name means that the CP | than the alternatives. Recommending a DNS name means that the CP | |||
| would need to allow DNS from unauthenticated clients (as we don't | would need to allow DNS from unauthenticated clients (as we don't | |||
| want to force users to use the CP's provided DNS) and some users | want to force users to use the CP's provided DNS) and some users | |||
| would use this to DNS Tunnel out, which may make the CP admin block | would use this to DNS Tunnel out, which may make the CP admin block | |||
| external recursives). DNS is needed to allow operators to serve SSL/ | external recursives). DNS is needed to allow operators to serve SSL/ | |||
| TLS for e.g billing (certificates with IP addresses are frowned upon | TLS for e.g billing (certificates with IP addresses are frowned upon | |||
| :-))] | :-))] | |||
| 3.1. IPv4 DHCP Option | 3.1. IPv4 DHCP Option | |||
| The format of the IPv4 Captive-Portal DHCP option is shown below. | The format of the IPv4 Captive-Portal DHCP option is shown below. | |||
| Code Len Data | Code Len Data | |||
| +------+------+------+------+------+-- --+-----+ | +------+------+------+------+------+-- --+-----+ | |||
| | code | len | URI ... | | | code | len | URI ... | | |||
| +------+------+------+------+------+-- --+-----+ | +------+------+------+------+------+-- --+-----+ | |||
| o Code: The Captive-Portal DHCPv4 Option (TBA1) | o Code: The Captive-Portal DHCPv4 Option (TBA1) (one octet) | |||
| o Len: The length, in octets of the URI. | o Len: The length, in octets of the URI. | |||
| o URI: The URI of the authentication page that the user should | o URI: The URI of the authentication page that the user should | |||
| connect to. | connect to. | |||
| 3.2. IPv6 DHCP Option | 3.2. IPv6 DHCP Option | |||
| The format of the IPv6 Captive-Portal DHCP option is shown below. | The format of the IPv6 Captive-Portal DHCP option is shown below. | |||
| Other than the code it is identical to the IPv4 DHCP option. | ||||
| Code Len Data | 0 1 2 3 | |||
| +------+------+------+------+------+-- --+-----+ | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
| | code | len | URI ... | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| +------+------+------+------+------+-- --+-----+ | | option-code | option-len | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||||
| . URI (variable length) . | ||||
| | ... | | ||||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||||
| o Code: The Captive-Portal DHCPv6Option (TBA2) | o option-code: The Captive-Portal DHCPv6Option (TBA2) (two octets) | |||
| o Len: The length, in octets of the URI. | o option-len: The length, in octets of the URI. | |||
| o URI: The URI of the authentication page that the user should | o URI: The URI of the authentication page that the user should | |||
| connect to. | connect to. | |||
| See [RFC7227], Section 5.7 for more examples of DHCP Options with | ||||
| URIs. | ||||
| 4. The Captive-Portal IPv6 RA Option | 4. The Captive-Portal IPv6 RA Option | |||
| This section describes the Captive-Portal Router Advertisement | This section describes the Captive-Portal Router Advertisement | |||
| option. | option. | |||
| 0 1 2 3 | 0 1 2 3 | |||
| 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | Type | Length | URI . | | Type | Length | URI . | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ . | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ . | |||
| skipping to change at page 7, line 38 ¶ | skipping to change at page 7, line 40 ¶ | |||
| note: It may be useful to write another document that specifies how a | note: It may be useful to write another document that specifies how a | |||
| client can determine that it has passed the CP. This document could | client can determine that it has passed the CP. This document could | |||
| also contain advice to implementors on only intercepting actually | also contain advice to implementors on only intercepting actually | |||
| needed ports, how to advertise that the CP needs to be satisfied | needed ports, how to advertise that the CP needs to be satisfied | |||
| *again*, etc. This should not be done in this document though. ] The | *again*, etc. This should not be done in this document though. ] The | |||
| connectivity test may also need to be used if the captive portal | connectivity test may also need to be used if the captive portal | |||
| times out the user session and needs the user to re-authenticate. | times out the user session and needs the user to re-authenticate. | |||
| The operating system may still find the information about the captive | The operating system may still find the information about the captive | |||
| portal URI useful in this case. | portal URI useful in this case. | |||
| When the device is informed that it is behind a captive portal it | When the device is informed that it is behind a captive portal on a | |||
| should: | particular network interface, it should: | |||
| 1. Not initiate new IP connections until the CP has been satisfied | 1. Not initiate new IP connections through that interface until | |||
| (other than those to the captive portal browser session and | until the CP has been satisfied (other than those to the captive | |||
| connectivity checks). Existing connections should be quiesced | portal browser session and connectivity checks). Existing | |||
| (this will happen more often than some expect -- for example, the | connections should be quiesced (this will happen more often than | |||
| user purchases 1 hour of Internet at a cafe and stays there for 3 | some expect -- for example, the user purchases 1 hour of Internet | |||
| hours -- this will "interrupt" the user a few times). | at a cafe and stays there for 3 hours -- this will "interrupt" | |||
| the user a few times). | ||||
| 2. Present a dialog box to the user informing them that they are | 2. Present a dialog box to the user informing them that they are | |||
| behind a captive portal and ask if they wish to proceed. | behind a captive portal and ask if they wish to proceed. | |||
| 3. If the user elects to proceed, the device should initiate a | 3. If the user elects to proceed, the device should initiate a | |||
| connection to the captive portal login page using a web browser | connection to the captive portal login page using a web browser | |||
| configured with a separate cookie store, and without a proxy | configured with a separate cookie store, and without a proxy | |||
| server. If there is a VPN in place, this connection should be | server. If there is a VPN in place, this connection should be | |||
| made outside of the VPN and the user should be informed that | made outside of the VPN and the user should be informed that | |||
| connection is outside the VPN. Some captive portals send the | connection is outside the VPN. Some captive portals send the | |||
| skipping to change at page 8, line 35 ¶ | skipping to change at page 8, line 41 ¶ | |||
| This document defines two DHCP Captive-Portal options, one for IPv6 | This document defines two DHCP Captive-Portal options, one for IPv6 | |||
| and one for IPv6. It requires assignment of an option code (TBA1) to | and one for IPv6. It requires assignment of an option code (TBA1) to | |||
| be assigned from "Bootp and DHCP options" registry (http://www.iana | be assigned from "Bootp and DHCP options" registry (http://www.iana | |||
| .org/assignments/ bootp-dhcp-parameters/bootp-dhcp-parameters.xml), | .org/assignments/ bootp-dhcp-parameters/bootp-dhcp-parameters.xml), | |||
| as specified in [RFC2939]. It also requires assignment of an option | as specified in [RFC2939]. It also requires assignment of an option | |||
| code (TBA2) from the "DHCPv6 and DHCPv6 options" registry | code (TBA2) from the "DHCPv6 and DHCPv6 options" registry | |||
| (http://www.iana.org/assignments/dhcpv6-parameters/ | (http://www.iana.org/assignments/dhcpv6-parameters/ | |||
| dhcpv6-parameters.xml). | dhcpv6-parameters.xml). | |||
| IANA is also requested to assign an IPv6 RA Option Type code (TBA2) | IANA is also requested to assign an IPv6 RA Option Type code (TBA3) | |||
| from the "IPv6 Neighbor Discovery Option Formats" registry. Thanks | from the "IPv6 Neighbor Discovery Option Formats" registry. Thanks | |||
| IANA! | IANA! | |||
| 7. Security Considerations | 7. Security Considerations | |||
| An attacker with the ability to inject DHCP messages could include | An attacker with the ability to inject DHCP messages could include | |||
| this option and so force users to contact an address of his choosing. | this option and so force users to contact an address of his choosing. | |||
| As an attacker with this capability could simply list himself as the | As an attacker with this capability could simply list himself as the | |||
| default gateway (and so intercept all the victim's traffic), this | default gateway (and so intercept all the victim's traffic), this | |||
| does not provide them with significantly more capabilities. Fake | does not provide them with significantly more capabilities. Fake | |||
| skipping to change at page 9, line 32 ¶ | skipping to change at page 9, line 38 ¶ | |||
| Thanks to Fred Baker, Ted Lemon, Ole Troan and Asbjorn Tonnesen for | Thanks to Fred Baker, Ted Lemon, Ole Troan and Asbjorn Tonnesen for | |||
| detailed review and comments. Also great thanks to Joel Jaeggli for | detailed review and comments. Also great thanks to Joel Jaeggli for | |||
| providing feedback and text. | providing feedback and text. | |||
| 9. Normative References | 9. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC2131] Droms, R., "Dynamic Host Configuration Protocol", RFC | ||||
| 2131, March 1997. | ||||
| [RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., | ||||
| and M. Carney, "Dynamic Host Configuration Protocol for | ||||
| IPv6 (DHCPv6)", RFC 3315, July 2003. | ||||
| [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, | ||||
| "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, | ||||
| September 2007. | ||||
| [RFC7227] Hankins, D., Mrugalski, T., Siodelski, M., Jiang, S., and | ||||
| S. Krishnan, "Guidelines for Creating New DHCPv6 Options", | ||||
| BCP 187, RFC 7227, May 2014. | ||||
| Appendix A. Changes / Author Notes. | Appendix A. Changes / Author Notes. | |||
| [RFC Editor: Please remove this section before publication ] | [RFC Editor: Please remove this section before publication ] | |||
| From -11 to -12: | ||||
| o Integrated a whole bunch of comments from Ted Lemon, including | ||||
| missing references, track, missing size of DHCP option, | ||||
| From 10 to 11: | From 10 to 11: | |||
| o Updared Olafur's affiliation. | o Updared Olafur's affiliation. | |||
| From 09 to 10: | From 09 to 10: | |||
| o Ted Lemon and Joel Jaeggli: there's no benefit to insisting on an | o Ted Lemon and Joel Jaeggli: there's no benefit to insisting on an | |||
| ordering. I think you should just say that the ordering is | ordering. I think you should just say that the ordering is | |||
| indeterminate, and if different mechanisms give non-equivalent | indeterminate, and if different mechanisms give non-equivalent | |||
| answers, this is likely to cause operational problems in practice. | answers, this is likely to cause operational problems in practice. | |||
| End of changes. 19 change blocks. | ||||
| 33 lines changed or deleted | 61 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||