IETF Logo Mail Archive

Re: [Captive-portals] Questions about PvD/API

David Bird <dbird@google.com> Wed, 16 August 2017 12:58 UTC

Return-Path: <dbird@google.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7441F13219A for <captive-portals@ietfa.amsl.com>; Wed, 16 Aug 2017 05:58:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.74
X-Spam-Level:
X-Spam-Status: No, score=-1.74 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTML_OBFUSCATE_05_10=0.26, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id slZxjH2pAWFG for <captive-portals@ietfa.amsl.com>; Wed, 16 Aug 2017 05:58:19 -0700 (PDT)
Received: from mail-qt0-x234.google.com (mail-qt0-x234.google.com [IPv6:2607:f8b0:400d:c0d::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4D9731326B0 for <captive-portals@ietf.org>; Wed, 16 Aug 2017 05:58:19 -0700 (PDT)
Received: by mail-qt0-x234.google.com with SMTP id t37so20031944qtg.5 for <captive-portals@ietf.org>; Wed, 16 Aug 2017 05:58:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=R4lBzDFDoTxO5JEpXFApxjDm/ziQ2sjm0+1ag9DoVZ0=; b=S1os0IdKaZGM1zsUJ48jgCL6lhorPAzmPPgT3MUCeqRxFmwqldj5H+ekT+mflYnZEQ q0hR+7K1dhJv20uJ8qzR//rUSiYy/E5KVrnp+dC7XFFIGkXwaawBqmb0D3md4SaY/873 wOfWDVnvrSuUVLXgeV8j1izM4Dfr2gOMzdxBh156Vo0fsLj5jrbtpK2jNfDud8f2UsXC iqjCaixVUuRDq8FVqic5kL8F+0lDyDYfdOk75UwFE+y72UH87vS0oXeZXDhakjZ7MO9i 7TBzKKHbMPzunOMrYzyOWgKe4ciGdAXVWi5OeqkF/eNFVUum1Nle6dih+W2qi2dC3blD S0jQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=R4lBzDFDoTxO5JEpXFApxjDm/ziQ2sjm0+1ag9DoVZ0=; b=TY5jddVELe34P+Z/cYtvcH/OR3TegNJY/xPFqV8n0ds3wiG4THlx2vD4g1cVVExkae DV5a/q90+9frlFtywCUO0sWNXsgbzPhxkAMnxzW0jKSPrbu5A932Xnudgr9LpeCg0k37 PRN9V/qDk84U3hrijPJh/zxajMa0p65fAGXKBNk8aG2yRozYUtzN61YShcIz+YStgBjk J5glNfZBH2A0O7k7aWNPQsfDBhHG6CFgiGg6Zo3sgdB6uNE8EFX5Xajz0FKxrcXzlVuf X64+qd795Ye+6Lx9fYqM5hfi7PiIDjd5mnYDKwiZ/Vv9sNrldr0xoPdlM3ICaAFuN2kA Eo2Q==
X-Gm-Message-State: AHYfb5hLECOGN+bTdl8krNI9g1uojTcx26CSqf2RLJzivdlO7BorY/Ga NVodERzwDIDXIkHNRo2qFAJwxOoRBc3E
X-Received: by 10.200.52.56 with SMTP id u53mr2193497qtb.217.1502888298211; Wed, 16 Aug 2017 05:58:18 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.12.149.58 with HTTP; Wed, 16 Aug 2017 05:58:17 -0700 (PDT)
In-Reply-To: <CAKD1Yr0ZXuyWScBx-rOsYgpuNKxi44PZAw8h8Hv5NKbWrhk0Bg@mail.gmail.com>
References: <CADo9JyU+XGYFWdNeXOBw1O43Pjyn0jZhGxDTb7VbLF+Jg4Xj4w@mail.gmail.com> <CAAedzxq4UhueFW=U-Tuc1gvG8Tapc7VE7BM2Akt9OXuzN3jLyQ@mail.gmail.com> <CAKD1Yr0ZXuyWScBx-rOsYgpuNKxi44PZAw8h8Hv5NKbWrhk0Bg@mail.gmail.com>
From: David Bird <dbird@google.com>
Date: Wed, 16 Aug 2017 05:58:17 -0700
Message-ID: <CADo9JyUAe8DQ1ZuPXe6Mq_bscHh+LhV3joMmep1yFDhYeN+tgA@mail.gmail.com>
To: Lorenzo Colitti <lorenzo@google.com>
Cc: Erik Kline <ek@google.com>, Tommy Pauly <tpauly@apple.com>, "Eric Vyncke (evyncke)" <evyncke@cisco.com>, captive-portals@ietf.org
Content-Type: multipart/alternative; boundary="001a11455776276d480556de7390"
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/3FVF1Dlsp75SUELHjrapob_Nvqg>
Subject: Re: [Captive-portals] Questions about PvD/API
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Aug 2017 12:58:22 -0000

I have no doubt that PvD _could_ be setup and configured to work well. My
concern is that if it is difficult to implement/setup correctly, plenty of
locations will have a broken PvD. At that point, I wonder what the UE
vendors will do... Keep using the PvD (and get user complaints) or start
ignoring the PvD and doing 'legacy' portal detection anyway.

In 3GPP terms, PvD is like asking the UE to connect directly to the PCRF
(or systems like a captive portal that talks to PCRF) and not the PCEF. The
PCEF is analogous to the "NAS" and connects to PCRF using Diameter for AAA
(in WiFi the NAS typically uses RADIUS for AAA). The PCEF might be talking
to multiple PCRFs... It would make more sense if the UE only interacted
with the PCEF and never directly with the PCRF(s). PvD _could_ live in the
PCEF (or NAS), but would that be the common way to deploy PvD? Perhaps in
3GPP is would make sense to put PvD in the PCEF (assuming PCEF is
centralized, more or less, in their network). However, in WiFi, the "NAS"
can often be in the AP itself (so there are many of them) and often are not
physically owned by the same party running the AAA/Portal (a hotspot
services company). I don't think a hotspot services company wants to put
their SSL cert on other peoples devices...



On Wed, Aug 16, 2017 at 1:40 AM, Lorenzo Colitti <lorenzo@google.com> wrote:

> Per my understanding, the part of the system that returns the PVD
> information needs to be in sync with the network elements that are
> responsible for dropping unauthenticated users' packets and redirecting
> plaintext HTTP requests to the portal login page. If the two are not in
> sync then it is a configuration error.
>
> To the untrained eye, this does not seem different from saying that the
> part of the system that handles billing and authentication needs to be in
> sync with the network elements. For example, it would be bad if the user
> paid for service and then couldn't use the network.
>
> On Wed, Aug 16, 2017 at 9:19 AM, Erik Kline <ek@google.com> wrote:
>
>> Randomly selecting Tommy and Eric so this bubbles up in their inbox.
>>
>> On 2 August 2017 at 10:36, David Bird <dbird@google.com> wrote:
>> > Could an author of PvD help me understand the following questions for
>> each
>> > of the diagrams below I found on the Internet -- which represent some
>> > typical hotspot configurations out there...
>> >
>> > - Where would the API reside?
>> >
>> > - Who 'owns' the API?
>> >
>> > - How does the API keep in-sync with the NAS? Who's responsible for that
>> > (possibly multi-vendor, multi-AAA) integration?
>> >
>> > 1) Typical Hotspot service company outsourcing:
>> > http://cloudessa.com/wp-content/uploads/2013/08/shema-Captiv
>> ePortalSolution_beta2b.png
>> >
>> > 2) Same as above, except venue owns portal:
>> > http://cloudessa.com/wp-content/uploads/2013/07/solutions_
>> hotspots-co-working-cloudessa_2p1.png
>> >
>> > 3) Now consider the above, but the venue has more roaming partners and
>> > multi-realm RADIUS setup in their Cisco NAS:
>> > http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-3
>> /config-guide/b_cg83/b_cg83_chapter_0100111.html
>> > describes many options -- including separate MAC authentication sources,
>> > optional portals for 802.1x (RADIUS) authenticated users, and so much
>> > more...
>> >
>> > "Cisco ISE supports internal and external identity sources. Both
>> sources can
>> > be used as an authentication source for sponsor-user and guest-user
>> > authentication."
>> >
>> > Also note this interesting article:  the section Information About
>> Captive
>> > Bypassing and how it describes how to avoid Apple captive portal
>> > detection!!! "If no response is received, then the Internet access is
>> > assumed to be blocked by the captive portal and Appleā€™s Captive Network
>> > Assistant (CNA) auto-launches the pseudo-browser to request portal
>> login in
>> > a controlled window. The CNA may break when redirecting to an ISE
>> captive
>> > portal. The controller prevents this pseudo-browser from popping up."
>> >
>> >
>> >
>> > _______________________________________________
>> > Captive-portals mailing list
>> > Captive-portals@ietf.org
>> > https://www.ietf.org/mailman/listinfo/captive-portals
>> >
>>
>> _______________________________________________
>> Captive-portals mailing list
>> Captive-portals@ietf.org
>> https://www.ietf.org/mailman/listinfo/captive-portals
>>
>>
>

v2.23.0 | Report a Bug | By Email