-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathdraft-ietf-capport-architecture.xml
More file actions
executable file
·701 lines (661 loc) · 33 KB
/
draft-ietf-capport-architecture.xml
File metadata and controls
executable file
·701 lines (661 loc) · 33 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
<?xml version="1.0" encoding="US-ASCII"?>
<!-- This template is for creating an Internet Draft using xml2rfc,
which is available here: http://xml.resource.org. -->
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!-- One method to get references from the online citation libraries.
There has to be one entity for each item to be referenced.
An alternate method (rfc include) is described in the references. -->
<!ENTITY RFC2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<!-- used by XSLT processors -->
<!-- For a complete list and description of processing instructions (PIs),
please see http://xml.resource.org/authoring/README.html. -->
<!-- Below are generally applicable Processing Instructions (PIs) that most I-Ds might want to use.
(Here they are set differently than their defaults in xml2rfc v1.32) -->
<?rfc strict="yes" ?>
<!-- give errors regarding ID-nits and DTD validation -->
<!-- control the table of contents (ToC) -->
<?rfc toc="yes"?>
<!-- generate a ToC -->
<?rfc tocdepth="4"?>
<!-- the number of levels of subsections in ToC. default: 3 -->
<!-- control references -->
<?rfc symrefs="yes"?>
<!-- use symbolic references tags, i.e, [RFC2119] instead of [1] -->
<?rfc sortrefs="yes" ?>
<!-- sort the reference entries alphabetically -->
<!-- control vertical white space
(using these PIs as follows is recommended by the RFC Editor) -->
<?rfc compact="yes" ?>
<!-- do not start each main section on a new page -->
<?rfc subcompact="no" ?>
<!-- keep one blank line between list items -->
<!-- end of list of popular I-D processing instructions -->
<rfc category="info" docName="draft-ietf-capport-architecture-00" ipr="trust200902">
<!-- category values: std, bcp, info, exp, and historic
ipr values: trust200902, noModificationTrust200902, noDerivativesTrust200902,
or pre5378Trust200902
you can add the attributes updates="NNNN" and obsoletes="NNNN"
they will automatically be output with "(if approved)" -->
<!-- ***** FRONT MATTER ***** -->
<front>
<!-- The abbreviated title is used in the page header - it is only necessary if the
full title is longer than 39 characters -->
<title abbrev="CAPPORT Architecture">CAPPORT Architecture</title>
<!-- add 'role="editor"' below for the editors if appropriate -->
<!-- Another author who claims to be an editor -->
<author fullname="Kyle Larose" initials="K." surname="Larose">
<organization>Sandvine</organization>
<address>
<postal>
<street>408 Albert Street</street>
<!-- Reorder these if your country does things differently -->
<city>Waterloo</city>
<region>ON</region>
<code>N2L 3V3</code>
<country>Canada</country>
</postal>
<phone>+1 519 880 2400</phone>
<email>klarose@sandvine.com</email>
<!-- uri and facsimile elements may also be added -->
</address>
</author>
<author fullname="David Dolson" initials="D." surname="Dolson">
<organization>Sandvine</organization>
<address>
<postal>
<street>408 Albert Street</street>
<!-- Reorder these if your country does things differently -->
<city>Waterloo</city>
<region>ON</region>
<code>N2L 3V3</code>
<country>Canada</country>
</postal>
<phone>+1 519 880 2400</phone>
<email>ddolson@sandvine.com</email>
<!-- uri and facsimile elements may also be added -->
</address>
</author>
<date year="2017" />
<!-- If the month and year are both specified and are the current ones, xml2rfc will fill
in the current day for you. If only the current year is specified, xml2rfc will fill
in the current day and month for you. If the year is not the current one, it is
necessary to specify at least a month (xml2rfc assumes day="1" if not specified for the
purpose of calculating the expiry date). With drafts it is normally sufficient to
specify just the year. -->
<!-- Meta-data Declarations -->
<area>art</area>
<workgroup>Internet Engineering Task Force</workgroup>
<!-- WG name at the upperleft corner of the doc,
IETF is fine for individual submissions.
If this element is not present, the default is "Network Working Group",
which is used by the RFC Editor as a nod to the history of the IETF. -->
<keyword>plus</keyword>
<!-- Keywords will be incorporated into HTML output
files in a meta tag but they have no effect on text or nroff
output. If you submit your draft to the RFC Editor, the
keywords will be used for the search engine. -->
<abstract>
<t>This document aims to document consensus on the CAPPORT architecture.
DHCP or Router Advertisements, ICMP, and an HTTP API are used to
provide the solution. The role of Provisioning Domains (PvDs) is
described.
</t>
</abstract>
</front>
<middle>
<section title="Introduction">
<t>
In this document, "Captive Portal" is used to describe a network to
which a device may be voluntarily attached, such that network access is
limited until some requirements have been fulfilled. Typically a user
is required to use a web browser to fulfil requirements imposed by the
network operator, such as reading advertisements, accepting an
acceptable-use policy, or providing some form of credentials.
</t>
<t>
Implementations generally require a web server, some method to
allow/block traffic, and some method to alert the user. Common methods
of alerting the user involve modifying HTTP or DNS traffic.
</t>
<t>
Problems with captive portal implementations have been described in
<xref target="I-D.nottingham-capport-problem"/>. [If that document
cannot be published, consider putting its best parts into an appendix of
this document.]
</t>
<t>
This document standardizes an architecture for implementing captive portals
that provides tools for addressing most of those problems. We are guided
by these principles:
<list style="symbols">
<t>Solutions SHOULD NOT require the forging of responses from DNS or
HTTP servers, or any other protocol. In particular, solutions
SHOULD NOT require man-in-the-middle proxy of TLS traffic.</t>
<t>Solutions MUST operate at the layer of Internet Protocol (IP) or
above, not being specific to any particular access technology such
as Cable, WiFi or 3GPP.</t>
<t>Solutions SHOULD allow a device to be alerted that it is in a
captive network when attempting to use any application on the
network. (Versus requiring a user to visit a clear-text HTTP
site in order to receive a notification.)</t>
<t>The state of captivity SHOULD be explicitly available to devices
(in contrast to modification of DNS or HTTP, which is only
indirectly machine-detectable by the client--by comparing
responses to well-known queries with expected responses).</t>
<t>The architecture MUST provide a path of incremental migration,
acknowledging a huge variety of portals and end-user device
implementations and software versions.</t>
<t>The architecture SHOULD improve security by providing mechanisms
for trust, allowing alerts from trusted network operators to be
distinguished from attacks from untrusted agents.</t>
</list>
</t>
<t>
A side-benefit of the architecture described in this document is that
devices without user interfaces are able to identify parameters of
captivity. (However, this document does not yet describe a mechanism
for such devices to escape captivity.)
</t>
<t>
The architecture uses the following mechanisms:
<list style="symbols">
<t>Network provisioning protocols provide end-user devices with a
URI for the API that end-user devices query for information about
what is required to escape captivity. DHCP, DHCPv6, and
Router-Advertisement options for this purpose are available in
<xref target="RFC7710"/>. Other protocols (such as RADIUS),
Provisioning Domains
<xref target="I-D.bruneau-intarea-provisioning-domains"/>, or
static configuration may also be used.
A device MAY query this API at any time to determine whether the
network is holding the device in a captive state.
</t>
<t>End-user devices are notified of captivity with ICMP/ICMP6 messages
in response to traffic.
This notification can work with any Internet protocol, not just
clear-text HTTP. This notification does not carry the portal URI;
rather it provides a notification to the User Equipment that it
is in a captive state.
</t>
<t>
Receipt of the ICMP/ICMP6 messages informs an end-user device that
it is captive.
In response, the device SHOULD query the provisioned API to obtain
information about the network state.
The device MAY take immediate action to satisfy the portal
(according to its configuration/policy).
</t>
</list>
</t>
<t>
The architecture attempts to provide privacy, authentication, and safety mechanisms
to the extent possible.
</t>
<section title="Requirements Language">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <xref
target="RFC2119">RFC 2119</xref>.</t>
</section>
<section title="Terminology">
<t>Captive Network: A network which limits communication of attached
devices to restricted hosts until the user has satisfied
Captive Portal Conditions, after which access is permitted to a wider
set of hosts (typically the internet).</t>
<t>Captive Portal Conditions: site-specific requirements that a user
or device must satisfy in order to gain access to the wider network.</t>
<t>Captive Portal Enforcement: The network equipment which enforces the
traffic restriction and notifies the User Equipment it is in a captive
state.</t>
<t>Captive Portal User Equipment: Also known as User Equipment. A device
which has voluntarily joined a network for purposes of communicating
beyond the constraints of the captive network.</t>
<t>Captive Portal Server: The web server providing a user interface for
assisting the user in satisfying the conditions to escape
captivity.</t>
</section>
</section>
<section title="Components">
<section anchor="section_client" title="User Equipment">
<t>
The User Equipment is the device that a user desires to be attached to
a network with full access to all hosts on the network (e.g., to have
Internet access). The User Equipment communication is typically
restricted by the Captive Portal Enforcement, described in <xref target="section_capport_enforcement"/>,
until site-specific requirements have been met.
</t>
<t>
At this time we consider only devices with web browsers, with web
applications being the means of satisfying Captive Portal Conditions.
</t>
<t>
<list style="symbols">
<t>An example interactive User Equipment is a smart phone.</t>
<t>SHOULD support provisioning of the URI for the Captive Portal API (e.g., by DHCP)</t>
<t>MAY distinguish Captive Portal API access per network interface, in the manner
of Provisioning Domain Architecture <xref target="RFC7556"/>.</t>
<t>SHOULD have a mechanism for notifying the user of the Captive Portal</t>
<t>SHOULD have a web browser so that the user may navigate the Captive Portal
user interface.</t>
<t>SHOULD be able to receive and validate the Captive Portal ICMP message
types, and to access the Captive Portal API in response.</t>
<t>MAY restrict application access to networks not granting full
network access. E.g., a device connected to a mobile network may
be connecting to a WiFi network; the operating system MAY
avoid updating the default route until network access restrictions
have been lifted (excepting access to the Captive Portal server).
This has been termed "make before break".</t>
</list>
</t>
<t>
None of the above requirements are mandatory because (a) we do not wish
to say users or devices must seek access beyond the captive network,
(b) the requirements may be fulfilled by manually visiting the captive
portal web application, and (c) legacy devices must continue to be
supported.
</t>
</section>
<section anchor="section_provisioning" title="Provisioning Service">
<t>
Here we discuss candidate mechanisms for provisioning the User
Equipment with the URI of the API to query captive portal state and
navigate the portal.
</t>
<section anchor="section_dhcp" title="DHCP or Router Advertisements">
<t>
A standard for providing a portal URI using DHCP or Router
Advertisements is described in <xref target="RFC7710"/>. The
CAPPORT architecture expects this URI to indicate the API described
in <xref target="section_api"/>.
</t>
<t>
Although it is not clear from RFC7710 what protocol should be
executed at the specified URI, some readers might have assumed it to
be an HTML page, and hence there might be User Equipment assuming a
browser should open this URI. For backwards compatibility, it is
RECOMMENDED that the server check the "Accept" field when serving
the URI, and serve HTML pages for "text/html" and serve the API for
"application/json". [REVISIT: are these details appropriate?]
</t>
</section>
<section anchor="section_pvd" title="Provisioning Domains">
<t>
Although still a work in progress,
<xref target="I-D.bruneau-intarea-provisioning-domains"/>
proposes a mechanism for User Equipment to be provided with PvD
Bootstrap Information containing the URI for a JSON file containing
key-value pairs to be downloaded over HTTPS.
This JSON file would fill the role of the Captive Portal API
described in <xref target="section_api"/>.
</t>
<t>
One key-value pair can be used to indicate the network
has restricted access, requiring captive portal navigation by a user.
E.g., key="captivePortal" and value=<URI of portal>.
The key-value pair should provide a different result when
access is not restricted. E.g., key="captivePortal" and value="".
</t>
<t>
This JSON file is extensible, allowing new key-value pairs
to indicate such things as network access expiry time,
URI for API access by IOT devices, etc.
</t>
<t>
The PvD server MUST support multiple (repeated) queries from each
User Equipment, always returning the current captive portal
information. The User Equipment is expected to make this query upon
receiving (and validating) an ICMP Captive Portal message
(see <xref target="section_icmp"/>).
</t>
</section>
</section>
<section anchor="section_api" title="Captive Portal API Server">
<t>
The purpose of a Captive Portal API is to permit a query of Captive
Portal state without interrupting the user. This API thereby removes
the need for a device to perform clear-text "canary" HTTP queries to
check for response tampering.
</t>
<t>
The URI of this API will have been provisioned to the User Equipment.
(Refer to <xref target="section_provisioning"/>).
</t>
<t>
This architecture expects the User Equipment to query the API when the
User Equipment attaches to the network and multiple times thereafter.
Therefore the API MUST support multiple repeated queries from the same
User Equipment, returning current state of captivity for the
equipment.
</t>
<t>
At minimum the API MUST provide: (1) the state of captivity and (2) a URI
for a browser to present the portal application to the user.
The API SHOULD provide evidence to the caller that it supports
the present architecture.
</t>
<t>
When user equipment receives (and validates) ICMP Captive Portal
alerts, the user equipment SHOULD query the API to check the state.
The User Equipment SHOULD rate-limit these API queries in the event of
ICMP flooding by an attacker. (See <xref target="Security"/>.)
</t>
<t>
The API MUST be extensible to support future use-cases by allowing
extensible information elements. Suggestions include quota information,
expiry time, method of providing credentials, security token for
validating ICMP messages.
</t>
<t>
This document does not specify the details of the API.
</t>
<t>
The CAPPORT API SHOULD support TLS for privacy and server authentication.
</t>
</section>
<section anchor="section_capport_enforcement" title="Captive Portal Enforcement">
<t>
The Captive Portal Enforcement component restricts network access to
User Equipment according to site-specific policy. Typically User Equipment
is permitted access to a small number of services and
is denied general network access until it has performed some action.
</t>
<t>
The Captive Portal Enforcement component:
<list style="symbols">
<t>Allows traffic through for allowed User Equipment.</t>
<t>Blocks (discards) traffic and sends ICMP notifications for disallowed User Equipment.</t>
<t>Permits disallowed User Equipment to access necessary APIs and web pages to
fulfill requirements of exiting captivity.</t>
<t>Updates allow/block rules per User Equipment in response to operations
from the Captive Portal back-end.</t>
</list>
</t>
<t>
As an upgrade path, captive portals MAY continue to support methods
that work today, such as modification of port-80 HTTP responses to
redirect users to the portal. Various user-equipment vendors probe
canary URLs to identify the state captivity [reference Mariko
Kobayashi's survey]. While doing so, ICMP messages SHOULD also be sent,
to activate work-flows in supporting devices.
[TODO: give some thought to precise recommendations for backwards compatibility.]
</t>
</section>
<section anchor="section_icmp" title="ICMP/ICMP6">
<t>
ICMP messages have been selected for indicating to a sender that
packets could not be delivered for reason of a network policy (in
particular, captive portal). ICMP is already used to indicate reasons
that packets could not be delivered (network unreachable, port
unreachable, packet too large, etc.).
</t>
<t>
A mechanism to trigger captive portal work-flows in the User Equipment
is proposed in <xref target="I-D.wkumari-capport-icmp-unreach"/>.
</t>
<t>
The Captive Portal Enforcement function is REQUIRED to send such
ICMP messages when disallowed User Equipment attempts to send
to the network.
These ICMP messages MUST be rate-limited to a configurable rate.
</t>
<t>
The ICMP messages MUST NOT be sent to the Internet devices. The indications
are only sent to the User Equipment.
</t>
<t>
The User Equipment operating system is NOT REQUIRED to deliver the
impact of the ICMP message to the application that triggered it.
The User Equipment might be able to satisfy the Captive Portal
requirements quickly enough that existing transport connections are
not impacted.
</t>
</section>
<section title="Component Diagram">
<t>
<figure>
<preamble>
The following diagram shows the communication between each component.
</preamble>
<artwork><![CDATA[
o . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . o
. CAPTIVE NETWORK .
. +--------------+ .
. +------------+ Provision API URI | Provisioning | .
. | |<---------------------------+| Service | .
. | User | +--------------+ .
. | Equipment | Query CAPPORT status; +-------------+ .
. | |+--------------------------->| CAPPORT API | .
. | | | Server | .
. | | +------+------+ .
. | | |Status .
. | | Portal user interface +------+------+ .
. | |+--------------------------> | CAPPORT | .
. +------------+ | web portal | .
. ^ | Connection Attempt +-------------+ .
. | | to prohibited service. | .
. | +------------------> +---------------+ Allow/Deny .
. | | | Rules .
. | ICMP Unreachable | Captive Portal| | .
. +---------------------+ | Enforcement | <---+ .
. +---------------+ .
. | .
. To/from external network .
. | .
. | .
o . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . o
EXTERNAL NETWORK
Figure 1: Captive Portal Architecture Component Diagram
]]></artwork>
</figure>
In the diagram:
<list style="symbols">
<t>During provisioning (e.g., DHCP), the User Equipment acquires
the URI for the CAPPORT API.</t>
<t>The User Equipment queries the API to learn of its state of
captivity. If captive, the User Equipment presents the portal
user interface to the user.</t>
<t>The User Equipment attempts to communicate to the external
network through the Captive Portal enforcement device.</t>
<t>The Captive Portal Enforcement device either allows the User
Equipment's packets to the external network, or responds with
an ICMP message.</t>
<t>The CAPPORT web portal server directs the Captive Portal
Enforcement device to either allow or deny external network
access for the User Equipment.</t>
</list>
</t>
<t>
Although the provisioning, API, and web portal functions are shown as
discrete blocks, they could of course be combined into a single element.
</t>
</section>
</section>
<section anchor="section_workflow" title="Solution Workflow">
<t>
This section aims to improve understanding by describing a possible
workflow of solutions adhering to the architecture.
</t>
<section title="Initial Connection">
<t>
This section describes a possible work-flow when User Equipment initially
joins a Captive Network.
</t>
<t>
<list style="numbers">
<t>The User Equipment joins the Captive Network by acquiring a DHCP
lease, RA, or similar, acquiring provisioning information.</t>
<t>The User Equipment learns the URI for the Captive Portal API from the
provisioning information (e.g., <xref target="RFC7710"/>).</t>
<t>The User Equipment accesses the CAPPORT API to receive parameters
of the Captive Network, including web-portal URI. (This step replaces
the clear-text query to a canary URL.)</t>
<t>If necessary, the User navigates the web portal to gain access to the
external network.</t>
<t>The Captive Portal API server indicates to the Captive Portal Enforcement
device that the User Equipment is allowed to access the external network.</t>
<t>The User Equipment attempts a connection outside the captive network</t>
<t>If the requirements have been satisfied, the access is permitted;
otherwise the "Expired" behavior occurs.</t>
<t>The User Equipment accesses the network until conditions Expire.</t>
</list>
</t>
</section>
<section title="Conditions Expire">
<t>
This section describes a possible work-flow when conditions expire and
the user visits the portal again (e.g., low quota, or time expiry).
</t>
<t>
<list style="numbers">
<t>Pre-condition: the Captive Portal Enforcement has been configured to
detect an expiry condition, which has now occurred.</t>
<t>The User Equipment sends a packet to the outside network.</t>
<t>The Captive Portal Enforcement detects that the packet is from an
expired User Equipment.</t>
<t>The Captive Portal Enforcement sends an ICMP message to
the User Equipment indicating that it needs to refresh its access.
<xref target="I-D.wkumari-capport-icmp-unreach"/>.</t>
<t>The User Equipment verifies the ICMP message is plausible.</t>
<t>The User Equipment queries the Captive Portal API to refresh
parameters and status of the Captive Network.</t>
<t>If necessary, the User once again navigates the web portal to gain
access to the external network.</t>
<t>The Captive Portal API Server gives more quota (time, bytes, etc.) to
the User Equipment by indicating to the Captive Portal Enforcement the new, extended quota.</t>
<t>The User Equipment accesses the external network.</t>
</list>
</t>
</section>
</section>
<section anchor="Acknowledgements" title="Acknowledgements">
<t>The authors thank various individuals for their feedback on
the mailing list and during the IETF98 hackathon:
David Bird,
Eric Kline,
Alexis La Goulette,
Alex Roscoe,
Darshak Thakore,
and Vincent van Dam.
</t>
</section>
<!-- Possibly a 'Contributors' section ... -->
<section anchor="IANA" title="IANA Considerations">
<t>This memo includes no request to IANA.</t>
</section>
<section anchor="Security" title="Security Considerations">
<!--All drafts are required to have a security considerations section. See RFC3552 -->
<section title="Trusting the Network">
<t>
When joining a network, some trust is placed in the network operator.
This is usually considered to be a decision by a user on the basis of
the reputation of an organization. However, once a user makes such a
decision, protocols can support authenticating a network is operated
by who claims to be operating it. The Provisioning Domain
Architecture <xref target="RFC7556"/> provides some discussion on
authenticating an operator.
</t>
<t>
Given that a user chooses to visit a Captive Portal URI, the URI location
SHOULD be securely provided to the user's device. E.g., the DHCPv6 AUTH
option can sign this information.
</t>
<t>
If a user decides to incorrectly trust an attacking network, they might
be convinced to visit an attacking web page and unwittingly provide
credentials to an attacker. Browsers can authenticate servers but
cannot detect cleverly misspelled domains, for example.
</t>
</section>
<section title="Authenticated APIs">
<t>
The solution described here assumes that when the User Equipment needs to
trust the API server, server authentication will be utilized using TLS
mechanisms.
</t>
</section>
<section title="Risk of Nuisance Captive Portal">
<t>
It is possible for any user on the Internet to send ICMP packets in an attempt
to cause the receiving equipment to go to the captive portal. This has been
considered and addressed in the following ways:
<list>
<t>The ICMP packet does not carry the URL, making this method safer
than HTTP 3xx-redirect methods currently in use.
The User Equipment does not have to use clear-text HTTP to solicit
the URL of the portal.
</t>
<t>Because the ICMP messages will carry embedded packets sent by the
sender, the receiver of the ICMP message can validate that the
transport header is plausibly one it sent (i.e., the
transport-layer 5-tuple matches an open connection; there is no
need to save every packet it sent).
This validation requires an off-path attacker to guess the
5-tuple in order to affect a flow.
It is trivial for an on-path attacker to send a plausible ICMP
packet. (This is not a new ICMP attack.)
The impact of getting a valid ICMP packet to the User Equipment
is that it will visit the CAPPORT API to check the status.
For this reason we recommend the User Equipment rate-limit these
requests to the API.
</t>
<t>We considered that the ICMP packet could carry a short secret
token that would be known to the User Equipment and Captive
Portal Enforcement device but would not be available to an
attacker, even to an on-path attacker.
Although possible to guess by brute force, the impact would be at
worst a nuisance visit to the API. We suggest that a 32-bit
token would be sufficient to deter nuisance attacks.
</t>
<t>Even when redirected, the User Equipment securely authenticates with API servers.
</t>
</list>
</t>
</section>
<section title="User Options">
<t>
The ICMP messaging informs the User Equipment that it is being held
captive. There is no requirement that the User Equipment do something
about this.
Devices MAY permit users to disable automatic reaction to
captive-portal indications for privacy reasons.
However, there is the trade-off that the user doesn't get notified
when network access is restricted.
Hence, end-user devices MAY allow users to manually control captive
portal interactions, possibly on the granularity of Provisioning
Domains.
</t>
</section>
</section>
</middle>
<!-- *****BACK MATTER ***** -->
<back>
<!-- References split into informative and normative -->
<!-- There are 2 ways to insert reference entries from the citation libraries:
1. define an ENTITY at the top, and use "ampersand character"RFC2629; here (as shown)
2. simply use a PI "less than character"?rfc include="reference.RFC.2119.xml"?> here
(for I-Ds: include="reference.I-D.narten-iana-considerations-rfc2434bis.xml")
Both are cited textually in the same manner: by using xref elements.
If you use the PI option, xml2rfc will, by default, try to find included files in the same
directory as the including file. You can also define the XML_LIBRARY environment variable
with a value containing a set of directories to search. These can be either in the local
filing system or remote ones accessed by http (http://domain/dir/... ).-->
<references title="Normative References">
<!--?rfc include="http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml"?-->
&RFC2119;
<?rfc include="reference.RFC.7710.xml"?>
<?rfc include="reference.RFC.7556.xml"?>
</references>
<references title="Informative References">
<?rfc include="reference.I-D.wkumari-capport-icmp-unreach.xml"?>
<?rfc include="reference.I-D.nottingham-capport-problem.xml"?>
<?rfc include="reference.I-D.bruneau-intarea-provisioning-domains.xml"?>
</references>
<!--
<section anchor="app-additional" title="Additional Stuff">
<t>This becomes an Appendix.</t>
</section>
-->
</back>
</rfc>