IETF Logo Mail Archive

Re: [Captive-portals] Questions about PvD/API

Tommy Pauly <tpauly@apple.com> Wed, 16 August 2017 16:20 UTC

Return-Path: <tpauly@apple.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4185C1320BE for <captive-portals@ietfa.amsl.com>; Wed, 16 Aug 2017 09:20:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j9StqkkbVCOI for <captive-portals@ietfa.amsl.com>; Wed, 16 Aug 2017 09:20:16 -0700 (PDT)
Received: from mail-in5.apple.com (mail-out5.apple.com [17.151.62.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5274B132626 for <captive-portals@ietf.org>; Wed, 16 Aug 2017 09:20:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=apple.com; s=mailout2048s; c=relaxed/simple; q=dns/txt; i=@apple.com; t=1502900416; h=From:Sender:Reply-To:Subject:Date:Message-id:To:Cc:MIME-version:Content-type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-reply-to:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=IXr919pMv4PkohhYmJ4RqtnlbGAUL3Y2ivd82QebMAw=; b=Yvv1tnH0BkbXfHYc4yKE8EV3PG/WOQXiiBANWtZlbCvfB/T5+cwCYiv3zjll/1U4 ZSJ0sYmL3ChzgFcEEhrBhiP2qJFwT/S49wlcziR35Gadz2kaob9JE8AcOLNsmBEI Avlf0TkCSk/FXa6U4ruIZbE8Ne8nJCx5ZVVtf/fATO047jGEqcWOYeP7HZLb4jqn BV/M2DVs/oNYFUr4bP9dLH5CT3YSeh07P6ODuChesy5gHsLkz7RusAgTJepdONFW 7B76oj7kFr1XyFgM6OqWz+iX5fXAmvQnwXRPBgQJWsLWfC25VlvnSjn2+Vau8oyQ BT1K/8GbDEGVMhM6GOWWuw==;
Received: from relay2.apple.com (relay2.apple.com [17.128.113.67]) (using TLS with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail-in5.apple.com (Apple Secure Mail Relay) with SMTP id 0A.DF.30368.0C074995; Wed, 16 Aug 2017 09:20:16 -0700 (PDT)
X-AuditID: 11973e13-821a09c0000076a0-a0-599470c0ce4f
Received: from nwk-mmpp-sz11.apple.com (nwk-mmpp-sz11.apple.com [17.128.115.155]) by relay2.apple.com (Apple SCV relay) with SMTP id 67.CF.09069.FB074995; Wed, 16 Aug 2017 09:20:15 -0700 (PDT)
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_fkT6S1//At6VENOK84T78A)"
Received: from [17.234.116.8] by nwk-mmpp-sz11.apple.com (Oracle Communications Messaging Server 8.0.1.2.20170621 64bit (built Jun 21 2017)) with ESMTPSA id <0OUS000JJDDR8460@nwk-mmpp-sz11.apple.com>; Wed, 16 Aug 2017 09:20:15 -0700 (PDT)
Sender: tpauly@apple.com
From: Tommy Pauly <tpauly@apple.com>
Message-id: <A5B74413-32D8-4FE4-BDF7-DAA95266AAF4@apple.com>
Date: Wed, 16 Aug 2017 09:20:14 -0700
In-reply-to: <CADo9JyW0J7xzaosG5PJOFPHMy2g6vZ1cVpW6_YsuOdaKWqumkQ@mail.gmail.com>
Cc: Erik Kline <ek@google.com>, captive-portals@ietf.org, "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: David Bird <dbird@google.com>
References: <CADo9JyU+XGYFWdNeXOBw1O43Pjyn0jZhGxDTb7VbLF+Jg4Xj4w@mail.gmail.com> <CAAedzxq4UhueFW=U-Tuc1gvG8Tapc7VE7BM2Akt9OXuzN3jLyQ@mail.gmail.com> <CADo9JyW0J7xzaosG5PJOFPHMy2g6vZ1cVpW6_YsuOdaKWqumkQ@mail.gmail.com>
X-Mailer: Apple Mail (2.3439)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrILMWRmVeSWpSXmKPExsUi2FDorHugYEqkwa6ljBZzZzWwWnz6sZ3R 4vPteewWX/YvYHRg8ZjyeyOrx4JNpR5LlvxkCmCO4rJJSc3JLEst0rdL4MpYv28Vc8HEdsaK tUuWsDYwri3sYuTkkBAwkXiw7ChrFyMXh5DAaiaJk1dvscIkGjZPZ4RIHGKUmPGiiwUkwSsg KPFj8j0wm1kgTOL5giYmEFtI4AujxIn/Jl2MHBzCAhISm/ckgoTZBFQkjn/bwAzRaiPxcPE3 sFZhATOJPU0fwFpZBFQlmjqOgtmcAsESJ1buZoYYny7x5fMRsHoRAUWJU9eOM0Hc84BR4sfK b4wguyQEZCWW/gkBiUsITGaXuPG1l3ECo9AsJKfOQnLqLKAWZgF1iSlTciHC2hJP3l1ghbDV JBb+XsSELL6AkW0Vo1BuYmaObmaeqV5iQUFOql5yfu4mRlCcTLcT3sF4epXVIUYBDkYlHt6I vCmRQqyJZcWVuYcYpTlYlMR5bSwmRQoJpCeWpGanphakFsUXleakFh9iZOLglGpglPZ/fE1m 0ev/DjZXrO9sf76s+6Tc6z8mz3KfqyfZbRVO92dtO732tY1kZamcsPJ05cDvB5dIvBezd1J/ Fr7UZmFu+Y1Oibkm61efTfw0YdonxV+7xNX0Z2hW/2hz+J3B/nz6ildCTft63f7wGVx6sEJU dmHSfnuW7GrFFOENkm5pnH+DL557r8RSnJFoqMVcVJwIACo2VPd0AgAA
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrFKsWRmVeSWpSXmKPExsUi2FA8W3d/wZRIg3nvLC3mzmpgtfj0Yzuj xefb89gtvuxfwOjA4jHl90ZWjwWbSj2WLPnJFMAcZW2Tll9UnliUolCUXFBiq1SckZiSXx5v aWxk6pBYUJCTqpecn6ukb2eTkpqTWZZahMxKsM5Yv28Vc8HEdsaKtUuWsDYwri3sYuTkkBAw kWjYPJ2xi5GLQ0jgEKPEjBddLCAJXgFBiR+T74HZzAJhEs8XNDGB2EICXxglTvw36WLk4BAW kJDYvCcRJMwmoCJx/NsGZohWG4mHi7+BtQoLmEnsafoA1soioCrR1HEUzOYUCJY4sXI3M8T4 dIkvn4+A1YsIKEqcunacCeKeB4wSP1Z+YwTZJSEgK7H0T8gERv5ZSK6bheS6WUBVzALqElOm 5EKEtSWevLvACmGrSSz8vYgJWXwBI9sqRoGi1JzESiM9ePBtYgRHTqHzDsZjy6wOMQpwMCrx 8AZYT44UYk0sK67MBQYRB7OSCG9N/pRIId6UxMqq1KL8+KLSnNTiQ4z7GYGenMgsJZqcD4zr vJJ4Q2MLY0sTCwMDE0szE8LCJiYGJsbGZsbG5ibmtBRWEueVKQJ6SSA9sSQ1OzW1ILUI5gUm Dk6pBsaSs8U/PtkyZQecV/r9XnW9ZbjceQPWY0l1x8/xR2Q4zvyXPl3tzUkOztgj6q4ujq95 uKsZpswXyRO+w+UZ/kTkX092cK6uHn9CgqjXzeaFatPvyVXcnnVee4vf/pDD+7YXv21+uONB 0sSquH6blOMrlviveyrMJL9pRaK1rW+houruzff+1CmxABO3oRZzUXEiAJHmmi89AwAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/3A-VRn-cBmTgX1QcLG2NkQ8-wPw>
Subject: Re: [Captive-portals] Questions about PvD/API
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Aug 2017 16:20:18 -0000

Hi David,

You mention in one of your emails that you'd expect there to be many "broken PvD" deployments, which would either necessitate ignoring PvD and using legacy mechanisms, or else having the user face a broken portal. My impression is that if client-side deployments fail closed—that is, if there is a PvD advertised, but it does not work well, then we treat the network as broken. If this client behavior is consistent from the start of deployment, then I would think that deployments would notice very quickly if they are broken. The fundamental part of the PvD being advertised is in the RAs—if our DHCP or RAs are broken on a network, we generally are going to be broken anyhow.

As far as where the API resides, I appreciate your explanation of the various complexities. My initial take is this:

- Where a PvD is being served is up to the deployment, and determined by the entity that is providing the RAs. To that end, the server that hosts the API for extended PvD information may be very different for enterprise/carrier scenarios than in captive portals for coffee shops.
- For the initial take for Captive Portals, I would co-locate the "PvD API" server with the "Captive API" and "Captive Web Server". Presumably, the device that was previously doing the HTTP redirects would be able to do the similar coordination of making sure the PvD ID that is given out to clients matches the PvD API server (which is the same as the "Captive Web Server").

For the captive use-case, I see the integration of PvDs as an incremental step:

1. Today, we join a network, always do a probe, which may get redirected to a captive web server
2. With RFC 7710, we would join a network and do the same as (1), unless the captive URL is given in the DHCP/RA and we just make a connection directly.
3. With the Captive API draft, we can interact with the portal other than just showing a webpage; but this may still be bootstrapped by 7710 if not using another mechanism
4. With PvDs, the mechanism in 7710 is generalized to support APIs other than just captive, and can indicate that no captive portal or other extended info is present; and the PvD API in this form is just a more generic version of the captive API that allows us to use the same mechanism for other network properties that aren't specifically captive (like enterprise network extended info, or walled gardens)

Getting into the arms race of people avoiding the captive probes: if someone doesn't want to interact with the client OS's captive portal system, they can and likely will not change anything and just keep redirecting pages. Hopefully if a better solution becomes prevalent enough in the future, client OS's will be able to just ignore and reject any network that redirects traffic, and the only supported captive portals would be ones that interact in specified ways and advertise themselves as captive networks. In order to get to this point, there certainly needs to be a carrot to incentivize adoption. My goal with the more flexible interaction supported by PvD is that we will allow the networks to provide a better user experience to people joining their networks, and integrate with client OS's to streamline the joining process (notification of the network being available, who owns it, how to accept and how to pay), the maintenance process (being able to integrate time left or bytes left on the network into the system UI), and what is allowed or not on the network.

Thanks,
Tommy

> On Aug 16, 2017, at 6:51 AM, David Bird <dbird@google.com> wrote:
> 
> My question about where the PvD API resides was somewhat rhetorical. In reality, I'm sure you will find all of the above - In the NAS (e.g. Cisco), at the hotspot services provider, and something hosted next to the venues website. It depends mostly on how this URL is configured, and by whom. (One could imagine people doing all sorts of things). 
> 
> My question more specifically for the authors is, how would Cisco implement PvD for Guest/Public access and would it actively stop avoiding Apple captive portal detection? Or, would turning on PvD just make that 'feature' easier to implement?
> 
> On Tue, Aug 15, 2017 at 5:19 PM, Erik Kline <ek@google.com <mailto:ek@google.com>> wrote:
> Randomly selecting Tommy and Eric so this bubbles up in their inbox.
> 
> On 2 August 2017 at 10:36, David Bird <dbird@google.com <mailto:dbird@google.com>> wrote:
> > Could an author of PvD help me understand the following questions for each
> > of the diagrams below I found on the Internet -- which represent some
> > typical hotspot configurations out there...
> >
> > - Where would the API reside?
> >
> > - Who 'owns' the API?
> >
> > - How does the API keep in-sync with the NAS? Who's responsible for that
> > (possibly multi-vendor, multi-AAA) integration?
> >
> > 1) Typical Hotspot service company outsourcing:
> > http://cloudessa.com/wp-content/uploads/2013/08/shema-CaptivePortalSolution_beta2b.png <http://cloudessa.com/wp-content/uploads/2013/08/shema-CaptivePortalSolution_beta2b.png>
> >
> > 2) Same as above, except venue owns portal:
> > http://cloudessa.com/wp-content/uploads/2013/07/solutions_hotspots-co-working-cloudessa_2p1.png <http://cloudessa.com/wp-content/uploads/2013/07/solutions_hotspots-co-working-cloudessa_2p1.png>
> >
> > 3) Now consider the above, but the venue has more roaming partners and
> > multi-realm RADIUS setup in their Cisco NAS:
> > http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-3/config-guide/b_cg83/b_cg83_chapter_0100111.html <http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-3/config-guide/b_cg83/b_cg83_chapter_0100111.html>
> > describes many options -- including separate MAC authentication sources,
> > optional portals for 802.1x (RADIUS) authenticated users, and so much
> > more...
> >
> > "Cisco ISE supports internal and external identity sources. Both sources can
> > be used as an authentication source for sponsor-user and guest-user
> > authentication."
> >
> > Also note this interesting article:  the section Information About Captive
> > Bypassing and how it describes how to avoid Apple captive portal
> > detection!!! "If no response is received, then the Internet access is
> > assumed to be blocked by the captive portal and Apple’s Captive Network
> > Assistant (CNA) auto-launches the pseudo-browser to request portal login in
> > a controlled window. The CNA may break when redirecting to an ISE captive
> > portal. The controller prevents this pseudo-browser from popping up."
> >
> >
> >
> > _______________________________________________
> > Captive-portals mailing list
> > Captive-portals@ietf.org <mailto:Captive-portals@ietf.org>
> > https://www.ietf.org/mailman/listinfo/captive-portals <https://www.ietf.org/mailman/listinfo/captive-portals>
> >
>

v2.23.0 | Report a Bug | By Email