Re: [Captive-portals] AD review of draft-ietf-capport-rfc7710bis-03
Barry Leiba <barryleiba@computer.org> Wed, 29 April 2020 05:46 UTC
Return-Path: <barryleiba@gmail.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13E7D3A08E2; Tue, 28 Apr 2020 22:46:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.217
X-Spam-Level:
X-Spam-Status: No, score=-2.217 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.82, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Br5XXDHGRBKP; Tue, 28 Apr 2020 22:46:28 -0700 (PDT)
Received: from mail-il1-f178.google.com (mail-il1-f178.google.com [209.85.166.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E0C793A08DE; Tue, 28 Apr 2020 22:46:27 -0700 (PDT)
Received: by mail-il1-f178.google.com with SMTP id c18so1279915ile.5; Tue, 28 Apr 2020 22:46:27 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=WN1MGwy6HxfdWCHiGyWQ0kReUhlAD2Ik7OdD7Zp/b5E=; b=O6NE9WbLkEEU/ocBiFgRUDTUdJ1OCEv7BIUbb2sAgqycscrv2578Pu/eYGIfnVdjAF iuaDLll/EwI9Fr4SFd1AKR+ctb6VFCoDUxrEChc2wwl6AiP+NEjwsNmfPJTWQ2M1wf7F YCN1LonqS3OPgo92tE3KxOg+LqE+hVB5v7fSaVeAwehUAoTNea/d7ZpOlH99yYy20cs1 aF5XH5ZI9R4N5Z3cEy7RyGxuG7nLXu6aFs1So2cm78dhxAYAhh7/HTBP3DLxPULoRJQM mDQ6LLLCrQy5f//gZ6DWk40izgN9Yx2gx0miOv2xOgBCQHFeZN/V/tIDPhvgX2vSMbo8 DkdA==
X-Gm-Message-State: AGi0PuZnayAs42M/E5ALBtEG2f6ke8sDu7ogNfcGBRg1xIgaY8OOpdY/ TpvoXceOsHgshf6eAaN4RXLnkxEO4dCmZ3DtDng=
X-Google-Smtp-Source: APiQypIhYuz1QTArCd2K9ELft+Y500KZj12CGaGtrZ1u36g79UelXHNzAzihRw0Q6a2d3l8z8FL5QtnUAeDG9r2l7Jc=
X-Received: by 2002:a92:4b10:: with SMTP id m16mr30403432ilg.107.1588139186822; Tue, 28 Apr 2020 22:46:26 -0700 (PDT)
MIME-Version: 1.0
References: <CALaySJ+tmuU_DZU6ZvC4RsnuRJAVfLgYyw_=RYbA6XBcgvgKJQ@mail.gmail.com> <CAMGpriU0LbpZC+57hO-MAgjXq-nMTJgWSTWh1ycPjU1hCOsrpg@mail.gmail.com> <CAHw9_i+XXSV9SVzCxw7FDeKv-RAjf3iEc=DjZAEgBqJ5JzgJZQ@mail.gmail.com>
In-Reply-To: <CAHw9_i+XXSV9SVzCxw7FDeKv-RAjf3iEc=DjZAEgBqJ5JzgJZQ@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
Date: Wed, 29 Apr 2020 01:46:15 -0400
Message-ID: <CALaySJKMcrCzDtX7AyE2kOABp8bM9UqNbDH1g=oG2yeyRB1SuA@mail.gmail.com>
To: Warren Kumari <warren@kumari.net>
Cc: Erik Kline <ek.ietf@gmail.com>, "captive-portals@ietf.org" <captive-portals@ietf.org>, "draft-ietf-capport-rfc7710bis.all@ietf.org" <draft-ietf-capport-rfc7710bis.all@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000015a29005a46778e4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/57ta-RSonTvlaqX7jvyq1GnOxOI>
Subject: Re: [Captive-portals] AD review of draft-ietf-capport-rfc7710bis-03
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Apr 2020 05:46:32 -0000
You have, indeed, and I’ve just requested last call. Thanks! Barry On Tue, Apr 28, 2020 at 5:52 PM Warren Kumari <warren@kumari.net> wrote: > Thank you -- I think that we have addressed all of the comments (thank > you!). > > See below. > > On Sun, Apr 26, 2020 at 12:37 AM Erik Kline <ek.ietf@gmail.com> wrote: > > > > Barry, > > > > Thanks for the prompt review. > > > > On Thu, Apr 23, 2020 at 9:18 PM Barry Leiba <barryleiba@computer.org> > wrote: > >> > >> Good work on this, folks: a nice improvement on 7710, and let’s hope > for wider deployment. Some comments below; I think we should have a quick > revised I-D before we go to last call, mostly because of the comment about > the diagrams in Sections 2.1 and 2.2, though most of the comments are > editorial. > >> > >> — Section 1.1 — > >> Please use the new BCP 14 boilerplate from RFC 8174. > > > > > > Fixed in the repo (commit). > > > >> — Section 2 — > >> > >> negotiation ([RFC7231] Section 3.4), captive portals implementors > >> > >> Make it “captive portal implementors” (or “implementors of captive > portals”). > > > > > > Fixed in the repo (commit). > > > >> It looks like the two consecutive paragraphs that both begin with “A > captive portal” have some duplication with regard to the absence of > “Accept” headers; please check that and adjust if you agree that some > information can be merged or removed. > > > > > > Filed issue #17. > > > >> The URI SHOULD NOT contain an IP address literal. > >> > >> Why not, and how does it maintain interoperability to have this as > SHOULD NOT, rather than MUST NOT? > > > > > > Filed issue #18. > > > >> Networks with no captive portals MAY explicitly indicate this > >> condition by using this option with the IANA-assigned URI for this > >> purpose (see Section 4.1.1). Clients observing the URI value > >> "urn:ietf:params:capport-unrestricted" MAY forego time-consuming > >> forms of captive portal detection. > >> > >> Two things here: I don’t see that the forward reference to 4.1.1 adds > anything, as the only thing that section does that’s useful here is to > repeat the URI that you’re already including. And why > “capport-unrestricted” rather than “capport:unrestricted”? The latter > would seem more in line with how “ietf:param” URNs are generally done. > > ... so, we had incorrectly thought that the colon character (:) was > similar in operation to the . in a DNS name, and implied a hierarchy > -- looking at RFC8141 it turns out that we were wrong, and that colons > can be part of the NSS: > > Because the colon character (":") is used to separate "urn" from the > NID and the NID from the NSS, it's tempting to think of the entire > URN as being structured by colon characters and to assume that colons > create a structure or hierarchy within the NSS portion of the URN. > Such structure could be specified by a particular NID specification, > but there is no implicit structure. In a URN such as > > urn:example:apple:pear:plum:cherry > > the NSS string is "apple:pear:plum:cherry" as a whole, and there is > no specific meaning to the colon characters within that NSS string > unless such meaning is described in the specification of the > "example" namespace. > > So, we are changing to capport:unrestricted (Commit: > > https://github.com/capport-wg/7710bis/commit/aae1c3cbd08d3822fa22056f7c2a7ec4a12e0a9a > ) -- Thank you! > > > > > > > Filed issue: #19. > > > >> — Sections 2.1 and 2.2 — > >> Why aren’t the diagrams for the two in the same format? And neither > explicitly says what the length of the “len” field is. In the v4 version, > one has to guess that it’s the same size as the “code” field, 1 byte. In > the v6 version, one can look at the diagram. I suggest making the diagrams > the same format (calibrated with bit/byte markings) and explicitly > specifying in the text the size of the “len” field. > > These were represented differently because of hysterical raisins / > tradition -- the format we had used for IPv4 was how many of the other > IPv4 documents represented their DHCP option (and the same for > IPv6)... however, seeing them on the same page does look silly, and so > we have changed the IPv4 one to look like the IPv6 one ( > https://github.com/capport-wg/7710bis/pull/28 ) > > We also fixed the missing length for length... > ( > https://github.com/capport-wg/7710bis/commit/d229279dfba7f2a7d3e1f50be2ecf9244b4bc9ba > ) > > In addition, we clarify that the URI should not exceed 255 bytes if > you are using IPv4 and IPv6 (because they have to match) - this closes > Issues #20 and PR #25 (https://github.com/capport-wg/7710bis/issues/20 > , https://github.com/capport-wg/7710bis/pull/25 ). Thanks to Subash > Tirupachur Comerica for pointing this out. > > > > > > > > Filed issue: #20. > > > >> — Section 3 — > >> > >> Specifically, > >> URIs learned via any of the options in Section 2 should take > >> precedence over any URI learned via some other mechanism > >> > >> Given the MUST that comes before this, I think the word “should” ought > to be removed, to avoid any confusion. > > > > > > Filed issue: #21. > > > >> — Section 5 — > >> Purely a judgment thing here, so do what you hink is best: it seems to > me that the Security Considerations in 7710 rather buried the lede. The > bottom line is that by removing the MitM interception, this mechanism > improves security by making the portal and its actions visible, rather than > hidden, and that vulnerabilities that exist here also existed before and > are now lessened. I would say something like that up front, in a new first > paragraph, and then continue with the existing text as is. > >> > >> But, again, as you judge best; this is just a comment. > > Thank you! We (well, mainly Erik) are bad at tootin' our own horn, but > with your prompting we have reordered and strengthered this -- > https://github.com/capport-wg/7710bis/pull/29 > > We also fixed the TBD to say Option 114 - > > https://github.com/capport-wg/7710bis/commit/edbaca20dab8a5b83353b9637c7cde0a8ac5486e > > > Thank you again for your comments, I think we've addressed them all > and are uploading a new version (-04) > Warren and Erik. > > > > > > > Filed issue: #22. > > > >> — > >> Barry > >> > > > -- > I don't think the execution is relevant when it was obviously a bad > idea in the first place. > This is like putting rabid weasels in your pants, and later expressing > regret at having chosen those particular rabid weasels and that pair > of pants. > ---maf >
- [Captive-portals] AD review of draft-ietf-capport… Barry Leiba
- Re: [Captive-portals] AD review of draft-ietf-cap… Erik Kline
- Re: [Captive-portals] AD review of draft-ietf-cap… Barry Leiba
- Re: [Captive-portals] AD review of draft-ietf-cap… Warren Kumari
- Re: [Captive-portals] AD review of draft-ietf-cap… Barry Leiba