draft-ietf-capport-rfc7710bis-09.txt   draft-ietf-capport-rfc7710bis-10.txt 
Network Working Group W. Kumari Network Working Group W. Kumari
Internet-Draft Google Internet-Draft Google
Obsoletes: 7710 (if approved) E. Kline Obsoletes: 7710 (if approved) E. Kline
Updates: 3679 (if approved) Loon Updates: 3679 (if approved) Loon
Intended status: Standards Track June 24, 2020 Intended status: Standards Track July 1, 2020
Expires: December 26, 2020 Expires: January 2, 2021
Captive-Portal Identification in DHCP / RA Captive-Portal Identification in DHCP / RA
draft-ietf-capport-rfc7710bis-09 draft-ietf-capport-rfc7710bis-10
Abstract Abstract
In many environments offering short-term or temporary Internet access In many environments offering short-term or temporary Internet access
(such as coffee shops), it is common to start new connections in a (such as coffee shops), it is common to start new connections in a
captive portal mode. This highly restricts what the user can do captive portal mode. This highly restricts what the user can do
until the user has satified the Captive Portal conditions. until the user has satisfied the captive portal conditions.
This document describes a DHCPv4 and DHCPv6 option and a Router This document describes a DHCPv4 and DHCPv6 option and a Router
Advertisement (RA) option to inform clients that they are behind some Advertisement (RA) option to inform clients that they are behind some
sort of captive-portal enforcement device, and that they will need to sort of captive portal enforcement device, and that they will need to
satify the Captive Portal conditions to get Internet access. It is satify the Captive Portal conditions to get Internet access. It is
not a full solution to address all of the issues that clients may not a full solution to address all of the issues that clients may
have with captive portals; it is designed to be one component of a have with captive portals; it is designed to be one component of a
standardized approach for hosts to interact with such portals. While standardized approach for hosts to interact with such portals. While
this document defines how the network operator may convey the captive this document defines how the network operator may convey the captive
portal API endpoint to hosts, the specific methods of satisfying and portal API endpoint to hosts, the specific methods of satisfying and
interacting with the captive portal are out of scope of this interacting with the captive portal are out of scope of this
document. document.
This document replaces [RFC7710]. [RFC7710] used DHCP code point This document replaces [RFC7710]. [RFC7710] used DHCP code point
160. Due to a conflict, this document specifies 114. Consequently, 160. Due to a conflict, this document specifies 114. Consequently,
this document also updates [RFC3679]. this document also updates [RFC3679].
[ This document is being collaborated on in Github at:
https://github.com/capport-wg/7710bis. The most recent version of
the document, open issues, etc should all be available here. The
authors (gratefully) accept pull requests. Text in square brackets
will be removed before publication. ]
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 2, 2021.
This Internet-Draft will expire on December 26, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements Notation . . . . . . . . . . . . . . . . . . 3 1.1. Requirements Notation . . . . . . . . . . . . . . . . . . 3
2. The Captive-Portal Option . . . . . . . . . . . . . . . . . . 3 2. The Captive-Portal Option . . . . . . . . . . . . . . . . . . 3
2.1. IPv4 DHCP Option . . . . . . . . . . . . . . . . . . . . 4 2.1. IPv4 DHCP Option . . . . . . . . . . . . . . . . . . . . 4
2.2. IPv6 DHCP Option . . . . . . . . . . . . . . . . . . . . 5 2.2. IPv6 DHCP Option . . . . . . . . . . . . . . . . . . . . 5
2.3. The Captive-Portal IPv6 RA Option . . . . . . . . . . . . 6 2.3. The Captive-Portal IPv6 RA Option . . . . . . . . . . . . 5
3. Precedence of API URIs . . . . . . . . . . . . . . . . . . . 6 3. Precedence of API URIs . . . . . . . . . . . . . . . . . . . 6
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6
4.1. Captive Portal Unrestricted Identifier . . . . . . . . . 7 4.1. Captive Portal Unrestricted Identifier . . . . . . . . . 7
4.2. BOOTP Vendor Extensions and DHCP Options Code Change . . 7 4.2. BOOTP Vendor Extensions and DHCP Options Code Change . . 7
4.3. Update DHCPv6 and IPv6 ND Options Registries . . . . . . 8 4.3. Update DHCPv6 and IPv6 ND Options Registries . . . . . . 7
5. Security Considerations . . . . . . . . . . . . . . . . . . . 8 5. Security Considerations . . . . . . . . . . . . . . . . . . . 8
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 9
7.1. Normative References . . . . . . . . . . . . . . . . . . 9 7.1. Normative References . . . . . . . . . . . . . . . . . . 9
7.2. Informative References . . . . . . . . . . . . . . . . . 11 7.2. Informative References . . . . . . . . . . . . . . . . . 10
Appendix A. Changes / Author Notes. . . . . . . . . . . . . . . 11 Appendix A. Changes / Author Notes. . . . . . . . . . . . . . . 11
Appendix B. Changes from RFC 7710 . . . . . . . . . . . . . . . 12 Appendix B. Changes from RFC 7710 . . . . . . . . . . . . . . . 12
Appendix C. Observations From IETF 106 Network Experiment . . . 12 Appendix C. Observations From IETF 106 Network Experiment . . . 12
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12
1. Introduction 1. Introduction
In many environments, users need to connect to a captive-portal In many environments, users need to connect to a captive portal
device and agree to an Acceptable Use Policy (AUP) and / or provide device and agree to an Acceptable Use Policy (AUP) and / or provide
billing information before they can access the Internet. Regardless billing information before they can access the Internet. Regardless
of how that mechanism operates, this document provides functionality of how that mechanism operates, this document provides functionality
to allow the client to know when it is behind a captive portal and to allow the client to know when it is behind a captive portal and
how to contact it. how to contact it.
In order to present users with the payment or AUP pages, presently a In order to present users with the payment or AUP pages, presently a
captive-portal enforcement device has to intercept the user's captive portal enforcement device has to intercept the user's
connections and redirect the user to a captive portal server, using connections and redirect the user to a captive portal server, using
methods that are very similar to man-in-the-middle (MITM) attacks. methods that are very similar to man-in-the-middle (MITM) attacks.
As increasing focus is placed on security, and end nodes adopt a more As increasing focus is placed on security, and end nodes adopt a more
secure stance, these interception techniques will become less secure stance, these interception techniques will become less
effective and/or more intrusive. effective and/or more intrusive.
This document describes a DHCPv4 [RFC2131] and DHCPv6 [RFC8415] This document describes a DHCPv4 [RFC2131] and DHCPv6 [RFC8415]
option (Captive-Portal) and an IPv6 Router Advertisement (RA) option (Captive-Portal) and an IPv6 Router Advertisement (RA)
[RFC4861] option that informs clients that they are behind a captive- [RFC4861] option that informs clients that they are behind a captive
portal enforcement device and the API endpoint that the host can portal enforcement device and the API endpoint that the host can
contact for more information. contact for more information.
This document replaces RFC 7710 [RFC7710]. This document replaces RFC 7710 [RFC7710].
1.1. Requirements Notation 1.1. Requirements Notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
2. The Captive-Portal Option 2. The Captive-Portal Option
The Captive Portal DHCP / RA Option informs the client that it may be The Captive-Portal DHCP / RA Option informs the client that it may be
behind a captive portal and provides the URI to access an API as behind a captive portal and provides the URI to access an API as
defined by [draft-ietf-capport-api]. This is primarily intended to defined by [draft-ietf-capport-api]. This is primarily intended to
improve the user experience by showing the user the captive portal improve the user experience by showing the user the captive portal
information faster and more reliably. Note that, for the foreseeable information faster and more reliably. Note that, for the foreseeable
future, captive portals will still need to implement interception future, captive portals will still need to implement interception
techniques to serve legacy clients, and clients will need to perform techniques to serve legacy clients, and clients will need to perform
probing to detect captive portals. probing to detect captive portals"; nonetheless, the mechanism
provided by this document provides a more reliable and performant way
to do so, and is therefore the preferred mechanism for captive portal
detection.
Clients that support the Captive Portal DHCP option SHOULD include Clients that support the Captive Portal DHCP option SHOULD include
the option in the Parameter Request List in DHCPREQUEST messages. the option in the Parameter Request List in DHCPREQUEST messages.
DHCP servers MAY send the Captive Portal option without any explicit DHCP servers MAY send the Captive Portal option without any explicit
request. request.
In order to support multiple "classes" of clients (e.g. IPv4 only, In order to support multiple "classes" of clients (e.g. IPv4 only,
IPv6 only with DHCPv6 ([RFC8415]), and IPv6 only with RA) the captive IPv6 only with DHCPv6 ([RFC8415]), and IPv6 only with RA) the captive
network can provision the client with the URI via multiple methods network can provision the client with the URI via multiple methods
(IPv4 DHCP, IPv6 DHCP, and IPv6 RA). The captive portal operator (IPv4 DHCP, IPv6 DHCP, and IPv6 RA). The captive portal operator
skipping to change at page 8, line 52 skipping to change at page 8, line 41
An attacker with the ability to inject DHCP messages or RAs could An attacker with the ability to inject DHCP messages or RAs could
include an option from this document to force users to contact an include an option from this document to force users to contact an
address of his choosing. As an attacker with this capability could address of his choosing. As an attacker with this capability could
simply list themselves as the default gateway (and so intercept all simply list themselves as the default gateway (and so intercept all
the victim's traffic); this does not provide them with significantly the victim's traffic); this does not provide them with significantly
more capabilities, but because this document removes the need for more capabilities, but because this document removes the need for
interception, the attacker may have an easier time performing the interception, the attacker may have an easier time performing the
attack. attack.
However, as the operating systems and application(s) that make use of However, as the operating systems and application(s) that make use of
this information know that they are connecting to a captive-portal this information know that they are connecting to a captive portal
device (as opposed to intercepted connections where the OS/ device (as opposed to intercepted connections where the OS/
application may not know that they are connecting to a captive portal application may not know that they are connecting to a captive portal
or hostile device) they can render the page in a sandboxed or hostile device) they can render the page in a sandboxed
environment and take other precautions, such as clearly labeling the environment and take other precautions, such as clearly labeling the
page as untrusted. The means of sandboxing and user interface page as untrusted. The means of sandboxing and user interface
presenting this information is not covered in this document - by its presenting this information is not covered in this document - by its
nature it is implementation specific and best left to the application nature it is implementation specific and best left to the application
and user interface designers. and user interface designers.
Devices and systems that automatically connect to an open network Devices and systems that automatically connect to an open network
 End of changes. 17 change blocks. 
24 lines changed or deleted 20 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/