【免费】RFC-CaptivePortal资源-CSDN文库

共3个文件

pdf：3个

网络

需积分: 0 26 浏览量 2024-02-29 17:13:41 上传评论收藏 286KB ZIP 举报

资源推荐

资源详情

资源评论

收起资源包目录

RFC - Captive Portal.zip （3个子文件）

rfc8910.pdf 169KB

rfc8908.pdf 154KB

rfc8952.pdf 227KB

RFC 8952

Captive Portal Architecture

Abstract

This document describes a captive portal architecture. Network provisioning protocols such as

DHCP or Router Advertisements (RAs), an optional signaling protocol, and an HTTP API are used

to provide the solution.

Stream: Internet Engineering Task Force (IETF)

RFC: 8952

Category: Informational

Published: November 2020

ISSN: 2070-1721

Authors: K. Larose

Agilicus

D. Dolson H. Liu

Google

Status of This Memo

This document is not an Internet Standards Track speciﬁcation; it is published for informational

purposes.

This document is a product of the Internet Engineering Task Force (IETF). It represents the

consensus of the IETF community. It has received public review and has been approved for

publication by the Internet Engineering Steering Group (IESG). Not all documents approved by

the IESG are candidates for any level of Internet Standard; see Section 2 of RFC 7841.

Information about the current status of this document, any errata, and how to provide feedback

on it may be obtained at .https://www.rfc-editor.org/info/rfc8952

reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF

Documents ( ) in eﬀect on the date of publication of this

document. Please review these documents carefully, as they describe your rights and restrictions

with respect to this document. Code Components extracted from this document must include

Simpliﬁed BSD License text as described in Section 4.e of the Trust Legal Provisions and are

provided without warranty as described in the Simpliﬁed BSD License.

https://trustee.ietf.org/license-info

Larose, et al. Informational Page 1

Table of Contents 
 Introduction
1.  Requirements Language
2.  Terminology
 Components
1.  User Equipment
2.  Provisioning Service
2.1.  DHCP or Router Advertisements
2.2.  Provisioning Domains
3.  Captive Portal API Server
4.  Captive Portal Enforcement Device
5.  Captive Portal Signal
6.  Component Diagram
 User Equipment Identity
1.  Identiﬁers
2.  Recommended Properties
2.1.  Uniquely Identify User Equipment
2.2.  Hard to Spoof
2.3.  Visible to the API Server
2.4.  Visible to the Enforcement Device
3.  Evaluating Types of Identiﬁers
4.  Example Identiﬁer Types
4.1.  Physical Interface
4.2.  IP Address
4.3.  Media Access Control (MAC) Address
5.  Context-Free URI
 Solution Workﬂow
1.  Initial Connection
RFC 8952 Captive Portal Architecture November 2020
Larose, et al. Informational Page 2

1. Introduction

In this document, "Captive Portal" is used to describe a network to which a device may be

voluntarily attached, such that network access is limited until some requirements have been

fulﬁlled. Typically, a user is required to use a web browser to fulﬁll requirements imposed by the

network operator, such as reading advertisements, accepting an acceptable-use policy, or

providing some form of credentials.

Implementations of captive portals generally require a web server, some method to allow/block

traﬃc, and some method to alert the user. Common methods of alerting the user in

implementations prior to this work involve modifying HTTP or DNS traﬃc.

This document describes an architecture for implementing captive portals while addressing most

of the problems arising for current captive portal mechanisms. The architecture is guided by

these requirements:

Current captive portal solutions typically implement some variations of forging DNS or HTTP

responses. Some attempt man-in-the-middle (MITM) proxy of HTTPS in order to forge

responses. Captive portal solutions should not have to break any protocols or otherwise act

4.2. Conditions about to Expire

4.3. Handling of Changes in Portal URI

5. IANA Considerations

6. Security Considerations

6.1. Trusting the Network

6.2. Authenticated APIs

6.3. Secure APIs

6.4. Risks Associated with the Signaling Protocol

6.5. User Options

6.6. Privacy

7. References

7.1. Normative References

7.2. Informative References

Appendix A. Existing Captive Portal Detection Implementations

Acknowledgments

Authors' Addresses

•

RFC 8952 Captive Portal Architecture November 2020

Larose, et al. Informational Page 3

in the manner of an attacker. Therefore, solutions require the forging of

responses from DNS or HTTP servers or from any other protocol.

Solutions permit clients to perform DNSSEC validation, which rules out solutions that

forge DNS responses. Solutions permit clients to detect and avoid TLS man-in-the-

middle attacks without requiring a human to perform any kind of "exception" processing.

To maximize universality and adoption, solutions operate at the layer of Internet

Protocol (IP) or above, not being speciﬁc to any particular access technology such as cable,

Wi-Fi, or mobile telecom.

Solutions allow a device to query the network to determine whether the device is

captive, without the solution being coupled to forging intercepted protocols or requiring the

device to make sacriﬁcial queries to "canary" URIs to check for response tampering (see

Appendix A). Current captive portal solutions that work by aﬀecting DNS or HTTP generally

only function as intended with browsers, breaking other applications using those protocols;

applications using other protocols are not alerted that the network is a captive portal.

The state of captivity be explicitly available to devices via a standard protocol,

rather than having to infer the state indirectly.

The architecture provide a path of incremental migration, acknowledging the

existence of a huge variety of pre-existing portals and end-user device implementations and

software versions. This requirement is not to recommend or standardize existing

approaches, but rather to provide device and portal implementors a path to a new standard.

A side beneﬁt of the architecture described in this document is that devices without user

interfaces are able to identify parameters of captivity. However, this document does not describe

a mechanism for such devices to negotiate for unrestricted network access. A future document

could provide a solution to devices without user interfaces. This document focuses on devices

with user interfaces.

The architecture uses the following mechanisms:

Network provisioning protocols provide end-user devices with a Uniform Resource Identiﬁer

(URI) for the API that end-user devices query for information about what is

required to escape captivity. DHCP, DHCPv6, and Router Advertisement options for this

purpose are available in . Other protocols (such as RADIUS), Provisioning Domains

, or static conﬁguration may also be used to convey this Captive Portal API

URI. A device query this API at any time to determine whether the network is holding

the device in a captive state.

A Captive Portal can signal User Equipment in response to transmissions by the User

Equipment. This signal works in response to any Internet protocol and is not done by

modifying protocols in band. This signal does not carry the Captive Portal API URI; rather, it

provides a signal to the User Equipment that it is in a captive state.

Receipt of a Captive Portal Signal provides a hint that User Equipment could be captive. In

response, the device query the provisioned API to obtain information about the

network state. The device can take immediate action to satisfy the portal (according to its

conﬁguration/policy).

MUST NOT

• MUST

SHOULD

• MUST

• SHOULD

• MUST

•

[RFC3986]

[RFC8910]

[CAPPORT-PVD]

MAY

•

MAY

RFC 8952 Captive Portal Architecture November 2020

Larose, et al. Informational Page 4

The architecture attempts to provide conﬁdentiality, authentication, and safety mechanisms to

the extent possible.

1.1. Requirements Language

The key words " ", " ", " ", " ", " ", " ", "

", " ", " ", " ", and " " in this document are to

be interpreted as described in BCP 14 when, and only when, they appear in

all capitals, as shown here.

1.2. Terminology

Captive Portal

A network that limits the communication of attached devices to restricted hosts until the user

has satisﬁed Captive Portal Conditions, after which access is permitted to a wider set of hosts

(typically the Internet).

Captive Portal Conditions

Site-speciﬁc requirements that a user or device must satisfy in order to gain access to the

wider network.

Captive Portal Enforcement Device

The network equipment that enforces the traﬃc restriction. Also known as "Enforcement

Device".

Captive Portal User Equipment

A device that has voluntarily joined a network for purposes of communicating beyond the

constraints of the Captive Portal. Also known as "User Equipment".

User Portal

The web server providing a user interface for assisting the user in satisfying the conditions to

escape captivity.

Captive Portal API

An HTTP API allowing User Equipment to query information about its state of captivity within

the Captive Portal. This information might include how to obtain full network access (e.g., by

visiting a URI). Also known as "API".

Captive Portal API Server

A server hosting the Captive Portal API. Also known as "API Server".

Captive Portal Signal

A notiﬁcation from the network used to signal to the User Equipment that the state of its

captivity could have changed.

Captive Portal Signaling Protocol

The protocol for communicating Captive Portal Signals. Also known as "Signaling Protocol".

MUST MUST NOT REQUIRED SHALL SHALL NOT SHOULD SHOULD

NOT RECOMMENDED NOT RECOMMENDED MAY OPTIONAL

[RFC2119] [RFC8174]

RFC 8952 Captive Portal Architecture November 2020

Larose, et al. Informational Page 5

评论收藏

内容反馈

夏洛克·汗

粉丝: 68
资源: 4

RFC - Captive Portal

Python库 | rfc-xmldiff-0.5.2.tar.gz

RFC-33A.rar_rfc-33a

rfc-index.zip_RFC_index_rfc-all

SAP PI RFC-to-Web Service Scenario

sapjco3-call RFC-code

RFC-2543---SIP Session Initiation Protocol.doc

sap-java-rfc-jco3

配套资料－FTP协议的RFC－rfc0959.txt

RFC-3550 RTP中英文版

RFC-3550-中文版.pdf

google-rfc-2445:自动从code.google.compgoogle-rfc-2445导出

rfc-quic.7z

saprfc-1.4.1.All.zip

RFC-5340 OSPFv3 for IPv6 的中文翻译

这是rfc-2246的原文

Python库 | sf-rfc-validate-0.0.8.tar.gz

中方RFC RFC3---RFC3093，chm文件,查找、学习、引用的好帮手

SAP资料集有ABAP-PP-MM-RFC-BAPI-JCO等.rar

RFC-30F硬件开发资料

解决Win 10与不兼容VirtualBox操作过程文档+（附带软件）.zip

计算机网络知识点总结(谢希仁第八版).pdf

Xshell软件(配色方案&amp;高亮关键字/突出显示集)的相关文件

湖南科技大学《计算机网络》配套课件（PDF版）

《计算机网络自顶向下方法第7版》中文PDF+复习题问题中文版答案

计算机网络自顶向下方法第八版答案

H3C-iNode-PC-7.3-E0630

hevc视频扩展免费2.0.53348.0x64

matlab输入到abaqus

quickping下载

最新资源

Xshell软件(配色方案&高亮关键字/突出显示集)的相关文件