Re: [Captive-portals] Arguments against (any) Capport "API"
David Bird <dbird@google.com> Wed, 05 April 2017 16:06 UTC
Return-Path: <dbird@google.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 189C4127871 for <captive-portals@ietfa.amsl.com>; Wed, 5 Apr 2017 09:06:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iP2Pvm4rKbHh for <captive-portals@ietfa.amsl.com>; Wed, 5 Apr 2017 09:06:30 -0700 (PDT)
Received: from mail-qk0-x22b.google.com (mail-qk0-x22b.google.com [IPv6:2607:f8b0:400d:c09::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E0E3E128C82 for <captive-portals@ietf.org>; Wed, 5 Apr 2017 09:06:29 -0700 (PDT)
Received: by mail-qk0-x22b.google.com with SMTP id h67so15109815qke.0 for <captive-portals@ietf.org>; Wed, 05 Apr 2017 09:06:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=0eXiZVXbr022X8PvADrqd+Kj0trp2m/1ZDqCKloV86I=; b=Bpll8wjOeBsjxFzrC5sLC6Sl176EXv1zNAQod+OYWancKIa1PrxmZrDqsHa6x/MM+s AUJXbaZb/jCxWuXfZri4djxjollb420ToUQkMyxYlWuhZ7QQO08uunbGRqDrEVH4wZkf 8EHthoXXpaKOsmMnSl8BEFhE8Wcgths7iJzOvExmHQq+l8hMmzbgKTydFLIr69JxluYa Pb6IvscRljD/NMQA3zBiKjGkwjtO65ld2ucGwCiBaUZUuRLQNejXkKVzAp8n7uR3wcke 88pI1y0V/8L3q6h0+lmodzl35EWcdgi+wxCHvXfVrUjP83DwmNqClko8bpJ/SjQaKIEq QcBA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=0eXiZVXbr022X8PvADrqd+Kj0trp2m/1ZDqCKloV86I=; b=enfrifD14K7uLKpyQA39Y6KI9BqTJ3/xXdAf9BCTbrZbqCg2vJdV4Cm5zoG2TP0Z4c W/HzmjUUPfT4I0UA9iD6Bhm7ph4U/9JnmgnWNOcQUdz4wEcBeML2rlVCtIf1i3QW/4Uy yEpfEzzvhv6Vjt+eBwD5M9gUfu9Xa3+saTF+MjfmARiK9+SlJMIikCBPLGt/qIDxhTHl 6LjuU0fIPMcf5Dn7JHKtSMEVnkrd+vO5pKMJ/ppSctSmaxez//yC/KPxrtqnRUXHAPBR 2uOOGfxuk2E0ilE7XSFZZhuB4QDPGIW5NsnBZP9zezkQJeW3C3UrG50hMSv6RRNWsKq2 Ylgg==
X-Gm-Message-State: AFeK/H1O8XorZlBKk9RqVDb1nMLsTqHzkGjyghUbiOMTgOipDGjP3lT1JfKq7/NnAuDOEGe5DBJMBm6N2R3RDRFq
X-Received: by 10.55.6.83 with SMTP id 80mr24947912qkg.156.1491408388638; Wed, 05 Apr 2017 09:06:28 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.12.128.233 with HTTP; Wed, 5 Apr 2017 09:06:27 -0700 (PDT)
In-Reply-To: <c878b23d-c078-987f-84e0-2a99f2e08dbd@sjrb.ca>
References: <CADo9JyU2wiEBB4L7ADSybt9se7jCN764JSEoHuGTcuiU_jDscQ@mail.gmail.com> <alpine.DEB.2.02.1704042139110.27978@uplift.swm.pp.se> <CADo9JyVr07w5GRpF+UzSBHRuo=V=3p9MeyhFdzB+5pZk7_amNw@mail.gmail.com> <alpine.DEB.2.02.1704050613130.27978@uplift.swm.pp.se> <CADo9JyXMkqomOpvUWhzZs77eOPvx-g0L-tR5oSz6D4mfjaaUWQ@mail.gmail.com> <c878b23d-c078-987f-84e0-2a99f2e08dbd@sjrb.ca>
From: David Bird <dbird@google.com>
Date: Wed, 05 Apr 2017 09:06:27 -0700
Message-ID: <CADo9JyUyQo++b=_oLHd33vjsA_KxLcwwTFjb3T4PDeWmyBfPwQ@mail.gmail.com>
To: Christian Saunders <Christian.Saunders@sjrb.ca>
Cc: Mikael Abrahamsson <swmike@swm.pp.se>, "captive-portals@ietf.org" <captive-portals@ietf.org>
Content-Type: multipart/alternative; boundary="001a1148bc9239153e054c6d93f4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/9ogQWc1F8_9pE1MsaI3S7Eb_p3E>
Subject: Re: [Captive-portals] Arguments against (any) Capport "API"
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Apr 2017 16:06:33 -0000
A few more key benefits of the ICMP approach : - Capport detection is made easier for the client, even when RFC 7710 (or any API) is implemented (as long as the NAS is Capport compliant). - "Signaling" can be done by different components (NAS, iptables, rate-limiter, PCEF, etc), without (necessarily) needing to coordinate with a central service. - In defining the RFC in how a NAS should handle blocking traffic for Capport compliant devices, we are also defining how the NAS should handle Legacy devices - which is, there is no difference - they both get ICMP Dest Unreach w/Capport extension) - which is helpful. On Wed, Apr 5, 2017 at 8:15 AM, Christian Saunders < Christian.Saunders@sjrb.ca> wrote: > You are describing Hotspot 2.0. > > 802.1x technology already exists today, but there are reasons for it not > taking off in public access: > > > Really there are two problems that need addressing when accessing Wi-Fi: > > 1. Distributing 802.1x credentials - which Hotspot 2.0 makes headway > towards accomplishing. > > 2. Network access - particularly the user experience which is what the > Captive Portals exist to resolve. > > I find it conceptually more elegant to consider the connectivity and > access layers separately. > > If we can address the access/experience problem we may be able to inform > Hotspot 2.0 r3+. > > Also, the access/experience/portal issue may be more widely applicable > than just Wi-Fi connectivity. > > Cheers! > > Christian > > > On 17-04-05 07:04 AM, David Bird wrote: > > On Tue, Apr 4, 2017 at 9:19 PM, Mikael Abrahamsson <swmike@swm.pp.se> > wrote: > >> On Tue, 4 Apr 2017, David Bird wrote: >> >> For some locations, they may simply WANT to annoy you! (While also >>> collecting per session fees from Boingo or iPass for the privileged of >>> skipping that annoying portal.) More than likely, however, sites like the >>> one you mentioned are just themselves concerned about liability and want >>> that minimal amount of disclaimer... >>> >> >> Let me rephrase the question: >> >> Is there today a mechanism widely deployed in mobile devices for free use >> by (for instance) a hotel that just wants to make sure that someone enters >> their credentials (to stop passers-by to use it) and wants to view and >> accept the TOS *once*, and then subsequenty it's ok if you just enter same >> credentials each time you connect and it's fine if the user never sees the >> captive portal for subsequent attempts. >> >> > Yes, mechanisms exists today. It is not uncommon, for instance, for the > portal to record your acceptance along with your MAC address and then do > "MAC authentication" for your device for some time thereafter. > > The Hotspot portal could also do a lot of things in the website itself to > help with ease of use... (provided you are not using a crippled browser > because of a naive captive portal detector) like remembering your state > from cookies, etc, and logging you in without you noticing. > > > >> Is this available? In that case, what mechanism is that and where can I >> read up on it? >> >> If it's not available, then that's one thing I think we should do here. >> >> > The mechanisms exists... and, this is very much dependent on the access > policy of the venue -- not all venues will want the same thing. > > >> What about an enterprise SSID that allows anyone to connect to it, but >> the only thing you get is a captive portal. After you've accepted terms of >> service and entered username/password, this is now somehow provisioned into >> your device as 802.1x credentials and you then disconnect and reconnect >> with these new credentials, which gives you access as long as these >> credentials are valid? >> >> > You are describing Hotspot 2.0. > > 802.1x technology already exists today, but there are reasons for it not > taking off in public access: > > - It isn't easy to use (without Hotspot 2.0) and doesn't necessarily mean > you don't have a portal anymore. For instance, what does the network do > when you run out of time? Just dump you off the secure wireless or give you > a portal on the secure wireless? > > - Users don't care (and prefer the ease of use) > > - I'd argue it gives a FALSE sense of security to users, who are, after > all, using public access with no real trust relationship with the venue or > the network provider. Sure, wireless security moves the bar (a little bit) > in terms of passive attacks, but doesn't protect the user from active > attacks or in-line snooping off the wire. Having users see the SECURE WiFi > indication on public access networks (like they see at home) is misleading. > The user is better off with end-to-end security. As QUIC deploys, perhaps > wireless security in public access will be less of an issue. > > [Note: 802.1X can be _implemented_ in ways that still leave the user > vulnerable to active attacks. For instance, with EAP-TTLS, if you don't pin > the profile to a server certificate, your device can be fooled into > revealing your credentials to a rogue AP.] > > > >> >> -- >> Mikael Abrahamsson email: swmike@swm.pp.se >> > > > > _______________________________________________ > Captive-portals mailing listCaptive-portals@ietf.orghttps://www.ietf.org/mailman/listinfo/captive-portals > > >
- Re: [Captive-portals] Arguments against (any) Cap… Michael Richardson
- Re: [Captive-portals] Arguments against (any) Cap… David Bird
- Re: [Captive-portals] Arguments against (any) Cap… David Bird
- Re: [Captive-portals] Arguments against (any) Cap… Erik Kline
- Re: [Captive-portals] Arguments against (any) Cap… Erik Kline
- Re: [Captive-portals] Arguments against (any) Cap… Mark Nottingham
- [Captive-portals] time-based walled gardens Michael Richardson
- Re: [Captive-portals] time-based walled gardens David Bird
- Re: [Captive-portals] time-based walled gardens Michael Richardson
- Re: [Captive-portals] Arguments against (any) Cap… David Bird
- Re: [Captive-portals] time-based walled gardens David Bird
- Re: [Captive-portals] time-based walled gardens Mikael Abrahamsson
- Re: [Captive-portals] time-based walled gardens David Bird
- Re: [Captive-portals] time-based walled gardens Mikael Abrahamsson
- Re: [Captive-portals] time-based walled gardens David Bird
- Re: [Captive-portals] time-based walled gardens Mikael Abrahamsson
- Re: [Captive-portals] Arguments against (any) Cap… Lorenzo Colitti
- Re: [Captive-portals] time-based walled gardens David Bird
- Re: [Captive-portals] time-based walled gardens Dave Dolson
- Re: [Captive-portals] time-based walled gardens Erik Kline
- Re: [Captive-portals] time-based walled gardens David Bird
- Re: [Captive-portals] time-based walled gardens Mark Nottingham
- Re: [Captive-portals] time-based walled gardens Mark Nottingham
- Re: [Captive-portals] time-based walled gardens David Bird
- Re: [Captive-portals] time-based walled gardens David Bird
- Re: [Captive-portals] time-based walled gardens Mikael Abrahamsson
- Re: [Captive-portals] time-based walled gardens Niall Hogg
- Re: [Captive-portals] time-based walled gardens Mikael Abrahamsson
- Re: [Captive-portals] time-based walled gardens David Bird
- Re: [Captive-portals] time-based walled gardens Mikael Abrahamsson
- Re: [Captive-portals] time-based walled gardens David Bird
- Re: [Captive-portals] time-based walled gardens Christian Saunders
- Re: [Captive-portals] Arguments against (any) Cap… Dave Dolson
- Re: [Captive-portals] Arguments against (any) Cap… Martin Thomson
- Re: [Captive-portals] time-based walled gardens Erik Kline
- [Captive-portals] Arguments against (any) Capport… David Bird
- Re: [Captive-portals] Arguments against (any) Cap… Mikael Abrahamsson
- Re: [Captive-portals] Arguments against (any) Cap… David Bird
- Re: [Captive-portals] Arguments against (any) Cap… Kyle Larose
- Re: [Captive-portals] Arguments against (any) Cap… David Bird
- Re: [Captive-portals] Arguments against (any) Cap… Christian Saunders
- Re: [Captive-portals] Arguments against (any) Cap… David Bird
- Re: [Captive-portals] Arguments against (any) Cap… Mikael Abrahamsson
- Re: [Captive-portals] Arguments against (any) Cap… Tim Chown
- Re: [Captive-portals] Arguments against (any) Cap… David Bird
- Re: [Captive-portals] Arguments against (any) Cap… David Bird
- Re: [Captive-portals] Arguments against (any) Cap… Michael Richardson
- Re: [Captive-portals] Arguments against (any) Cap… Erik Kline
- Re: [Captive-portals] Arguments against (any) Cap… Erik Kline
- Re: [Captive-portals] Arguments against (any) Cap… David Bird
- Re: [Captive-portals] Arguments against (any) Cap… Christian Saunders
- Re: [Captive-portals] Arguments against (any) Cap… David Bird
- Re: [Captive-portals] Arguments against (any) Cap… David Bird
- Re: [Captive-portals] Arguments against (any) Cap… Dave Dolson
- Re: [Captive-portals] Arguments against (any) Cap… Christian Saunders
- Re: [Captive-portals] Arguments against (any) Cap… Dave Dolson
- Re: [Captive-portals] Arguments against (any) Cap… Dave Dolson
- Re: [Captive-portals] Arguments against (any) Cap… David Bird
- Re: [Captive-portals] Arguments against (any) Cap… Christian Saunders
- Re: [Captive-portals] Arguments against (any) Cap… Christian Saunders
- Re: [Captive-portals] Arguments against (any) Cap… David Bird
- Re: [Captive-portals] Arguments against (any) Cap… Christian Saunders
- Re: [Captive-portals] Arguments against (any) Cap… Sascha.Dech
- Re: [Captive-portals] Arguments against (any) Cap… David Bird
- Re: [Captive-portals] Arguments against (any) Cap… Vincent van Dam
- Re: [Captive-portals] Arguments against (any) Cap… David Bird
- Re: [Captive-portals] Arguments against (any) Cap… David Bird
- Re: [Captive-portals] Arguments against (any) Cap… Michael Richardson
- Re: [Captive-portals] Arguments against (any) Cap… Michael Richardson
- Re: [Captive-portals] Arguments against (any) Cap… Michael Richardson
- Re: [Captive-portals] Arguments against (any) Cap… David Bird
- Re: [Captive-portals] Arguments against (any) Cap… David Bird
- Re: [Captive-portals] Arguments against (any) Cap… David Bird
- Re: [Captive-portals] Arguments against (any) Cap… Martin Thomson
- Re: [Captive-portals] Arguments against (any) Cap… David Bird
- Re: [Captive-portals] Arguments against (any) Cap… Vincent van Dam
- Re: [Captive-portals] Arguments against (any) Cap… Martin J. Dürst
- Re: [Captive-portals] Arguments against (any) Cap… David Bird
- Re: [Captive-portals] Arguments against (any) Cap… Erik Kline
- Re: [Captive-portals] Arguments against (any) Cap… David Bird
- Re: [Captive-portals] Arguments against (any) Cap… David Bird
- Re: [Captive-portals] Arguments against (any) Cap… Erik Kline
- Re: [Captive-portals] Arguments against (any) Cap… David Bird
- Re: [Captive-portals] time-based walled gardens David Bird
- Re: [Captive-portals] time-based walled gardens Mark Nottingham
- Re: [Captive-portals] time-based walled gardens Mikael Abrahamsson
- Re: [Captive-portals] time-based walled gardens David Bird
- Re: [Captive-portals] time-based walled gardens Kyle Larose
- Re: [Captive-portals] time-based walled gardens David Bird
- Re: [Captive-portals] time-based walled gardens Erik Kline