Per discussion at the mike today on what we should
do with the ICMP unreachable draft - here are some properties I
think are necessary in a hint to the UE that the captive portal
is closed.
1. The notification should not be easy to spoof. This is
easiest to do by making it a hint to the UE that it should
talk to the API.
- An ICMP message by itself is not secure. For example,
it's trivial for an off-path attacker to generate ICMP
messages for sessions from legitimate UEs to
<popularwebsite>:443. Getting a UE to trust such a
message only requires getting the ephemeral port right,
and many OSes have a quite limited range of ephemeral
ports.
- Tero points out that if we do want to secure such a
message, then we should not roll our own security but
should use an existing, secure protocol such as IPsec.
2. It should be possible to send the notification
*before* the captive portal closes, to facilitate seamless
connectivity. Ideally the user should be able to re-up the
captive portal without having to wait until the network is
dead or the device has switched to another network.
3. The notification should not be on a per-destination
basis. A hint that conveys the information "you can reach
facebook, but to reach CNN you need to upgrade to another
service plan" is not technically infeasible but is unlikely
ever to reach WG and IETF consensus and therefore I think we
should not spend our time talking about it.
4. I'm not sure whether it's possible for the hint to be
anything more than a binary "you are or will very soon be
captive". Saying things like "an upgrade opportunity is
available" may be hard to encode.
Cheers,
Lorenzo