IETF Logo Mail Archive

Re: [Captive-portals] I-D Action: draft-ietf-capport-api-00.txt

David Bird <dbird@google.com> Mon, 05 February 2018 21:41 UTC

Return-Path: <dbird@google.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9116812D969 for <captive-portals@ietfa.amsl.com>; Mon, 5 Feb 2018 13:41:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.71
X-Spam-Level:
X-Spam-Status: No, score=-2.71 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XG7R0q-YPGnv for <captive-portals@ietfa.amsl.com>; Mon, 5 Feb 2018 13:41:35 -0800 (PST)
Received: from mail-it0-x233.google.com (mail-it0-x233.google.com [IPv6:2607:f8b0:4001:c0b::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4D5A412DA08 for <captive-portals@ietf.org>; Mon, 5 Feb 2018 13:41:35 -0800 (PST)
Received: by mail-it0-x233.google.com with SMTP id u12-v6so10075593ite.0 for <captive-portals@ietf.org>; Mon, 05 Feb 2018 13:41:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=DV0UhztBsW6LmegmzTVeRUCkwV2F8tJrrxceWFrTpPU=; b=Zrm5NymDum9LJz8kItzhSfV2Pl13Oq3nNyAhRmCk9HMkbr/hjVnCkKOnAI1083kuuH AYAHhQXj2Unpff7JWfucZo3itZLqhXLjdt9YlOaCXVr1iyxHjyOsxJ8CK7aqL7B7Vgjm dMdYFiajIrlRTegWIj/HWIzPJ6rvTraZP1zZ1DsADgW/Colha6/KsxmXVWsXx99Y25si IaGKBoVoS5IXM5l/WwzMXaHp/Q3msVXEtkWoYyfy93osnz1h70L1Izpe5OmIU4JkvZ2G KQv4gtQIOtfog1qfJvC49qDHP2G4bZ0PMF2vpeyOerIGoGaXDnfCM0u+eut1Air8msje foDg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=DV0UhztBsW6LmegmzTVeRUCkwV2F8tJrrxceWFrTpPU=; b=JEjsbO8QF6WxLxdKN42GiduBu8xcxDzj2vzyQN4+w5cooQMe+SOoe+MiocDtAL4pkJ RWMKlsHVdUxM50WHQpljP7t4TDHb8PT/I0Xv2lqH8xe5qEY0mWUQyoly6gkamY4+RN/p KRwOqhDauOvUBePN/V4hHfbBkPV+1mkF9OozRFWW/wYVMvRq00E+YbO5CMUHHofmpuVa 0tZVx03od42HezEy6Ic05xv8Vi1fFRs45k2+muCeRsEs9fgBUhsq/Y1C/sYNsuj0K/xT +mC0uBMFzpGqNzhHm0gnENBvE/Ejc5PIA9qHrKMCKtvOx24azGHn3g/uWtJcOYaztD7v Wawg==
X-Gm-Message-State: APf1xPA7eT9S8AAJmSbY5nxJy52uGIREXkk6LqPn7WDQH0xkiT4BVq5F M2XD37s1bRxznt27Fv7KcsPJct9DwQpFSGb7W25Wq1TW
X-Google-Smtp-Source: AH8x227ND0BC9PILknQ4sPN40N0ylKbdQ/Dg+hAKuPx7O0ZaK5uax07CFqjO93k9aI/hujpENACRVEZg6jFCclKMgUk=
X-Received: by 10.36.243.66 with SMTP id t2mr285842iti.26.1517866894275; Mon, 05 Feb 2018 13:41:34 -0800 (PST)
MIME-Version: 1.0
Received: by 10.2.137.229 with HTTP; Mon, 5 Feb 2018 13:41:33 -0800 (PST)
In-Reply-To: <CADo9JyXRtyuzoWJKA+aASGh-bEJ8hi323VRdBeyqsgXwNxSkbw@mail.gmail.com>
References: <151778535115.5816.386541967960931391@ietfa.amsl.com> <CADo9JyV2Rz2B9H_h9JMne7XLtMeVb2OajheZ86i5g8nsPmmFOw@mail.gmail.com> <CABkgnnW_x6sokdEo-yyzk0DKFqom6b7aHpoLgRnBHOW_cGB6yA@mail.gmail.com> <CADo9JyXRtyuzoWJKA+aASGh-bEJ8hi323VRdBeyqsgXwNxSkbw@mail.gmail.com>
From: David Bird <dbird@google.com>
Date: Mon, 05 Feb 2018 13:41:33 -0800
Message-ID: <CADo9JyVtKMCwcXsZgfNSJ8VshjaTxSPS7YWro71Z4Y7K4UWFxA@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>, captive-portals@ietf.org
Content-Type: multipart/alternative; boundary="f403045fb9040d565205647ded37"
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/6O1Gyb2TEQzAiKWQimYcU5CVGmU>
Subject: Re: [Captive-portals] I-D Action: draft-ietf-capport-api-00.txt
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Feb 2018 21:41:38 -0000

+captive-portals

On Mon, Feb 5, 2018 at 1:40 PM, David Bird <dbird@google.com> wrote:

> On Mon, Feb 5, 2018 at 12:03 PM, Martin Thomson <martin.thomson@gmail.com>
> wrote:
>
>> On Tue, Feb 6, 2018 at 5:03 AM, David Bird <dbird@google.com> wrote:
>> [snip]
>
> I have heard UE vendors express a strong desire to be able to know
>> about status before they attempt to use the network.
>>
>>
> Hm, but (assuming you are using the provided network for DNS, CRL checks,
> and the API itself), the UE is *already* using the network.
>
> I believe this desire on the UE vendor part is a case of 'be careful what
> you wish for' ... Having an API telling you it is "all clear" vs "do
> internal (often sandboxed for various reasons browser) captive portal
> dialog" amounts to making this a configuration of the network administrator
> -- Remember the (current) arms race concerning captive  portal detection?
> Well, the network operator wins with this API (!).
>
> As I've said before, I predict said vendors will quickly be of a different
> mind when support calls come in concerning how their new product gets (and
> perhaps is stuck) thinking there is a captive  portal, when in fact, there
> isn't one implemented and other devices work just fine... This API will be
> obsoleted a few months later.
>
>
>
>> > In 3.1 URI of Captive Portal endpoint, I think we must go beyond making
>> TLS
>> > a MUST --- we need to define how trust is handled. We must require the
>> API
>> > client to validate the hostname, present that hostname to the user for
>> > acknowledgement. Or, are we explicitly saying that TLS is for privacy
>> and
>> > not security? (e.g. that we really don't care what the server cert is...
>> > just that the cert is consistent for that location / domain?). Is the
>> client
>> > expected to check revocation lists?
>>
>> Good point.  This is likely an architecture question in the sense that
>> we need to determine what the trust model is and where that is
>> anchored.  We have an established pattern already where we trust that
>> the initial bootstrapping protocols (DHCP, RAs) produce a URL that is
>> accurate.  Once you have a URL, the rest of the process needs to
>> follow the rules: clients are expected to follow the usual rules for
>> server authentication.
>>
>> In this particular case, we should explore that last point further,
>> because CRLs or OCSP are likely to fail in this sort of environment.
>> That's relatively easy to address, but we would have to mandate OCSP
>> stapling.
>>
>>
> Locations will often whitelist the necessary resources for the browser's
> sake...
>
>
>
>> I've opened an issue: https://github.com/capport-wg/api/issues/7
>>
>> > In 3.2, ' "permitted" (required, boolean): indicates whether or not the
>> > Captive Portal is open to the requesting host ' is confusing... does it
>> mean
>> > the UE is subject to a captive portal?  I dislike how boolean this is!
>> Why
>> > does it have to be all or nothing (especially if ICMP is providing
>> > enforcement notification?)
>>
>> Can you motivate something less boolean?  That's a question we've
>> struggled with.
>>
>>
> Over the years on this list we have seen many use-cases come through, I
> recall:
>
> -  A school/library network that allows most of the Internet, but captures
> and redirects for certain networks / sites
> -  A network allows all sorts of protocols - IMAP, HTTPS, for example -
> but not others - like HTTP, SMTP - and want to redirect / signal portal
> -  A network that allows all Internet traffic, but just at a low QoS tier.
> No "captive" portal, but a portal is  yet available for upgrading tier
> -  Any network that allows a large walled garden, or even a *very large*
> garden, but otherwise has a captive portal
> -  A network that will 99.99% of the time allow all traffic, but will
> (perhaps because of virus detection) interrupts sessions  into captive
> state [technically, this is a "boolean" use-case, but one where polling
> would just be huge noise]
>
> I know where were more ... ;)
>
>
>> > Also in 3.2, I'm not sure about the time/data remaining info.. Is the
>> > expectation that the client keeps polling? (never goes idle on any
>> network?)
>> > Is the expectation that the UE  will break connections after it sees
>> this
>> > API expire timer or counter, or shall the (smart) UE wait until the
>> network
>> > notification (ICMP) ?
>>
>> I think that the way this is intended to work is that the UE will
>> contact the actual portal some time in advance of this time.
>>
>> Why do you ask about polling?  Are there networks that will extend
>> active time in the case that clients go idle?
>>
>
> Clients that go idle typically have their session terminated - so, yes, it
> does save the user time (depending on "time" is billed - real time vs
> metered, etc).
>
>

v2.23.0 | Report a Bug | By Email