IETF Logo Mail Archive

Re: [Captive-portals] Review of draft-ietf-capport-rfc7710bis

Lorenzo Colitti <lorenzo@google.com> Mon, 22 July 2019 21:43 UTC

Return-Path: <lorenzo@google.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E0F74120125 for <captive-portals@ietfa.amsl.com>; Mon, 22 Jul 2019 14:43:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.499
X-Spam-Level:
X-Spam-Status: No, score=-17.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TIlmiQzGZloK for <captive-portals@ietfa.amsl.com>; Mon, 22 Jul 2019 14:43:42 -0700 (PDT)
Received: from mail-wr1-x432.google.com (mail-wr1-x432.google.com [IPv6:2a00:1450:4864:20::432]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5487712011B for <captive-portals@ietf.org>; Mon, 22 Jul 2019 14:43:42 -0700 (PDT)
Received: by mail-wr1-x432.google.com with SMTP id c2so37719908wrm.8 for <captive-portals@ietf.org>; Mon, 22 Jul 2019 14:43:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=D3x5xkahNg5Nw8MqEDEXCtpHs74UoNu0gSanTV2wnjA=; b=EYb+ZeSVCmedZQkY18IqoK0UvLZubJBcI19hQnbqqEinMJfT1Ptcn0jQJfxNqjAauA 6mHrhDm3jWf87eJEDkIKj/U4rG7HOtc7JoM+yLde1D5PlqPEmzVWcSDRDwi106WyyZHe Yj+c85TP8pLU8KWplZUo2cfclNVLMApws8JevLP3qy2GshYwbRmqfCRUNwD3wJnMDtPy ITgV4O9U9wHBMaG7A2Lc9zd4RQR3qDXG+8WH9jjawwvX1YPONeTYnlSFrZ4DQ0KqUmy8 D7VSrJjNjCbt7cZQdQg8RP1cbdY/qesVUbQ8e1WB0DuJErqyOmw9RGVERM1/Aq60T3gg mU8g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=D3x5xkahNg5Nw8MqEDEXCtpHs74UoNu0gSanTV2wnjA=; b=KVTL5Xu+Jabw+O0J6SThImagzTQpE5Trv+MvxG6UYn7/Nk064fHUdQrMwa4X9afUfP 9QFmL+8/HwcLQyezCDDB/2weN2Lbv3chQgEIYPG3zMqIRrUcA6II5yiAij/DcOQfXImI nBR6BVM0N272T3FgswWoOycN2/OAZo8bRATzFU8NwpnXp43tf46J8fLmNjNE2+e5lHic 0lOXY3SoISKglEjjlpvY95ZF3IH0qQ6VAobzGKJxzmVOXTFvO5jjR4/9ybyECi/eX/vy u/1Ceh7X5T9Yh0wO+NURR/IAo91E0w6uls7XFJNwNgX48PC3oO4TUbcPupQymE6EJH6w R+0Q==
X-Gm-Message-State: APjAAAUJZKgaoIxhwYxwPYH9mqEGdqRJY0efs1xQuXfJBaeI5jGhN5K9 cRQbsqmSfH7DJW85IqRKBuJhUW/304Ac/m5SPw7v8JPzBt+lEw==
X-Google-Smtp-Source: APXvYqydLj6EAtexypeZO2RxyihJRlMJBVYD09S7phQtV8u26iJYCdl6DmHDJyKYts6eH13+K0pDkoso45Z96FGPqOw=
X-Received: by 2002:adf:e50c:: with SMTP id j12mr6064388wrm.117.1563831820519; Mon, 22 Jul 2019 14:43:40 -0700 (PDT)
MIME-Version: 1.0
References: <CAKD1Yr32DXr8fYHP_x7z9pQWwSchey8zQW11vw02bW9ONEV8Kg@mail.gmail.com> <01ad5bf0-1f60-4dbb-aa83-31d14fce6082@www.fastmail.com>
In-Reply-To: <01ad5bf0-1f60-4dbb-aa83-31d14fce6082@www.fastmail.com>
From: Lorenzo Colitti <lorenzo@google.com>
Date: Mon, 22 Jul 2019 17:43:26 -0400
Message-ID: <CAKD1Yr08LmfDhmDLqpR87iQQ4Z61CVpR9BTDeRHobpsvVxFJvA@mail.gmail.com>
To: Martin Thomson <mt@lowentropy.net>
Cc: captive-portals@ietf.org
Content-Type: multipart/alternative; boundary="00000000000026de71058e4bf822"
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/2C_nn0NZ3y8WEGVCg7tnTa1S_kU>
Subject: Re: [Captive-portals] Review of draft-ietf-capport-rfc7710bis
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Jul 2019 21:43:45 -0000

On Mon, Jul 22, 2019 at 4:49 PM Martin Thomson <mt@lowentropy.net> wrote:

> > 2. I'm surprised that the following text is present. It seems like we
> > should disallow IP literals for compatibility with IPv6. But perhaps
> > SHOULD is enough here.
> >
> >  The URI SHOULD NOT contain an IP address literal.
>
> I tend to think that the core goal is that the URI contain a target
> identity that can be authenticated when accessed over HTTPS.
>
> That generally means that IP literals aren't a good idea, but I wouldn't
> make this statement.  I would instead emphasize that this is an HTTPS URI.
> Though I would not go into great detail on what that means, I would refer
> to RFC 7230.
>

It's possible to use HTTPS to IP literals. But IP literals are
address-family specific. That makes it impossible to support this option in
a dual-stack network because the two URLs will be different.

> 3. The section that documents the link relation type should mention
> > what should happen if the portal is already open. Should the captive
> > portal add this header to probe responses even if the portal is already
> > open? if it does not, there is no way for a device to learn the API URL
> > if it connects to a portal, logs in, disconnects, and then reconnects,
> > because when it reconnects the portal will be open.
>
> Good point.  I would be interested in hearing what the working group
> thinks of this.
>
> To my understanding, this is a problem that exists today.  So we may
> decide not to worry about this particular problem, but just document it.
> That would make this path less good than other options (like DHCP/RA), but
> I don't want to encourage networks to intercept EVERY request that passes.
>

Right, for networks without the capport API (i.e., all networks today) this
works. But for a network with the capport API, I think it's a problem if
the device cannot find the API URL just because the portal is open. The
reason I mention it is: this document says that the URL in the option is in
fact the API URL, and the link rel mechanism doesn't work well for the API
URL.

One option would just be to drop this mechanism. If it is clear that the
DHCP / RA solutions are feasible in real networks, I don't see much of a
need for the link rel version at all.

v2.23.0 | Report a Bug | By Email