> On Sep 3, 2019, at 4:44 PM, Lorenzo Colitti 
> <lorenzo=40google....@dmarc.ietf.org> wrote:
> 
> All,
> 
> During discussions with captive portal operators about implementing the 
> capport API, one of the stumbling blocks that keeps coming up is that the 
> captive portal operator does not always control the DHCP configuration and 
> thus cannot easily use RFC7710.

Thanks for bringing this up.

I wanted to clarify the issue a bit before diving into the mitigations. Do 
these captive portal operators have *no* relationship to the DHCP 
configuration? Presumably, the captive portal enforcement is done somewhere on 
path, in the router, or between the router and the Internet connection. And, if 
there is redirection of DNS going on, presumably, this is a DNS server that the 
captive portal (or the operator of the network) has some control over, and is 
provisioned via DHCP. For such portals, I would assume that it would be as easy 
to add a DHCP CAPPORT option as it would be to add the DNS server address of 
the captive portal's resolver (assuming the DHCP implementation supports the 
option).

Since the mitigation below is specific to modifying the DNS, I assume that we 
are talking about captive portal solutions that work, in part, by intercepting 
DNS.

Thanks,
Tommy
> 
> The WG has previously rejected the option of using a well-known DNS name to 
> discover the URL, because the API itself requires TLS, and without a hostname 
> it is not possible (or at least not easy) to validate the server. However, 
> what if the client did a CNAME query for capport.arpa (or equivalent other 
> local-only, non-DNSSEC-signed name), got back a CNAME for the real server, 
> and then assumed that the API server was https://<targetofcname>/capport-api ?
> 
> Alternatively, Erik and Warren suggest RFC 7553. In this scheme the client 
> would do a URI lookup for "capport.arpa" or equivalent, and would take the 
> result of that URL as the API endpoint.
> 
> Thoughts?
> 
> Regards,
> Lorenzo
> _______________________________________________
> Captive-portals mailing list
> Captive-portals@ietf.org
> https://www.ietf.org/mailman/listinfo/captive-portals
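As an added illustration of the two discovery schemes Lorenzo sketches (this is example code written for this thread, not from any WG draft or implementation): the CNAME scheme derives the API URL from the CNAME target, and the RFC 7553 scheme decodes URI RDATA (16-bit priority, 16-bit weight, then the target URI) and keeps only https targets with a hostname, since the unsigned local name itself proves nothing and only TLS to a named host can authenticate the server. The path /capport-api and all record contents are assumptions, constructed for the example.

```python
import struct
from urllib.parse import urlsplit

CAPPORT_PATH = "/capport-api"  # assumed path, as in the CNAME proposal above


def api_url_from_cname(cname_target: str) -> str:
    """Scheme 1: CNAME for capport.arpa -> https://<target>/capport-api."""
    host = cname_target.rstrip(".")
    # Refuse anything that is not a bare hostname; the host is what TLS validates.
    if not host or any(c in host for c in "/:@?# "):
        raise ValueError("CNAME target is not a bare hostname: %r" % cname_target)
    return "https://%s%s" % (host, CAPPORT_PATH)


def parse_uri_rdata(rdata: bytes):
    """Decode RFC 7553 URI RDATA: Priority (2 bytes), Weight (2 bytes), Target (rest)."""
    if len(rdata) < 5:
        raise ValueError("URI RDATA too short")
    priority, weight = struct.unpack("!HH", rdata[:4])
    return priority, weight, rdata[4:].decode("utf-8")


def api_url_from_uri_records(rdatas) -> str:
    """Scheme 2: pick the usable URI record with lowest priority, then highest weight."""
    candidates = []
    for rd in rdatas:
        priority, weight, target = parse_uri_rdata(rd)
        parts = urlsplit(target)
        # The record comes from an unsigned, local-only name: only an https URL with a
        # hostname gives the client a server identity it can validate.
        if parts.scheme != "https" or not parts.hostname:
            continue
        candidates.append((priority, -weight, target))
    if not candidates:
        raise ValueError("no https URI record with a hostname")
    return min(candidates)[2]


def encode_uri_rdata(priority: int, weight: int, target: str) -> bytes:
    """Build URI RDATA in wire form (used here only to construct sample records)."""
    return struct.pack("!HH", priority, weight) + target.encode("utf-8")


# Constructed sample records (not captured from any real portal).
SAMPLE_CNAME_TARGET = "portal.example.net."
SAMPLE_URI_RDATAS = [
    encode_uri_rdata(20, 1, "https://backup.example.net/capport-api"),
    encode_uri_rdata(10, 5, "http://insecure.example.net/capport-api"),  # rejected: no TLS
    encode_uri_rdata(10, 1, "https://portal.example.net/capport-api"),
]
```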
