Re: [Captive-portals] A view from a WiFi provider on captive portal requirements, challenges and improvements
Dave Dolson <ddolson@sandvine.com> Tue, 18 April 2017 17:18 UTC
Return-Path: <ddolson@sandvine.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 76F9C1200F1 for <captive-portals@ietfa.amsl.com>; Tue, 18 Apr 2017 10:18:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.776
X-Spam-Level:
X-Spam-Status: No, score=-0.776 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTTP_ESCAPED_HOST=1.125, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sBUgUZPQ6195 for <captive-portals@ietfa.amsl.com>; Tue, 18 Apr 2017 10:18:09 -0700 (PDT)
Received: from mail1.sandvine.com (Mail1.sandvine.com [64.7.137.134]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F06D7128BB6 for <captive-portals@ietf.org>; Tue, 18 Apr 2017 10:18:08 -0700 (PDT)
Received: from BLR-EXCHP-2.sandvine.com (192.168.196.172) by wtl-exchp-1.sandvine.com (192.168.194.176) with Microsoft SMTP Server (TLS) id 14.3.319.2; Tue, 18 Apr 2017 13:18:07 -0400
Received: from WTL-EXCHP-1.sandvine.com ([fe80::ac6b:cc1e:f2ff:93aa]) by blr-exchp-2.sandvine.com ([::1]) with mapi id 14.03.0319.002; Tue, 18 Apr 2017 13:18:04 -0400
From: Dave Dolson <ddolson@sandvine.com>
To: David Bird <dbird@google.com>, James Wood <james.wood@purplewifi.com>
CC: "captive-portals@ietf.org" <captive-portals@ietf.org>
Thread-Topic: [Captive-portals] A view from a WiFi provider on captive portal requirements, challenges and improvements
Thread-Index: AdK4VwX87jLJleJdT9iyu7jBysxWVAAMO8kAAAg0rJA=
Date: Tue, 18 Apr 2017 17:18:03 +0000
Message-ID: <E8355113905631478EFF04F5AA706E98705A0136@wtl-exchp-1.sandvine.com>
References: <026901d2b857$7c091040$741b30c0$@purplewifi.com> <CADo9JyUr1NFnLRa5Sw4LBPuW9D7r5QWT2wnCY8xbkLQ_uwa-_g@mail.gmail.com>
In-Reply-To: <CADo9JyUr1NFnLRa5Sw4LBPuW9D7r5QWT2wnCY8xbkLQ_uwa-_g@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [192.168.200.114]
x-c2processedorg: b2f06e69-072f-40ee-90c5-80a34e700794
Content-Type: multipart/alternative; boundary="_000_E8355113905631478EFF04F5AA706E98705A0136wtlexchp1sandvi_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/BMw1u4wCAdO6-voHwg4t64r0mP8>
Subject: Re: [Captive-portals] A view from a WiFi provider on captive portal requirements, challenges and improvements
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Apr 2017 17:18:11 -0000
Regarding the AP/client identification, this is the reason I suggested in an earlier email, https://mailarchive.ietf.org/arch/msg/captive-portals/RPwEIuLlW6ZSLmEyaqfxgDrF88Q " Posting to the create_href: POST http://<server>/capport/sessions (Accept: application/json) { "identity": "<USERNAME>"} … The USERNAME could be DHCP option-12 value or MAC address or ? " I didn’t know exactly what this identity should be. Maybe multiple identity options are useful. -Dave From: Captive-portals [mailto:captive-portals-bounces@ietf.org] On Behalf Of David Bird Sent: Tuesday, April 18, 2017 1:09 PM To: James Wood Cc: captive-portals@ietf.org Subject: Re: [Captive-portals] A view from a WiFi provider on captive portal requirements, challenges and improvements Welcome and thanks for the input James! Comments in-line. On Tue, Apr 18, 2017 at 8:21 AM, James Wood <james.wood@purplewifi.com<mailto:james.wood@purplewifi.com>> wrote: [snip] 1. Security. Nobody prefers to join an open network, but most end up doing because that's the way it is. The hype around Hotspot 2.0 came and went as that was never really deisgned to help captive portals but rather for seamless, non-interaction from the user. As a portal provider, we don't want that, we want to show a portal even if it's just a 'welcome back, you're now online' message. No doubt, Wi-Fi security is important in public access, but I'd argue outside the scope of the WG. While captive portals are often used on Open Wi-Fi, they are not limited to public access (there are LTE use-cases, for example). Also, security in public access transcends L1 security -- do you trust any wired LAN you plug into while in public places? HS2.0 (more or less) solves the public Wi-Fi security problem in that users trust their providers (albeit to varying degrees) and their providers have a relationship with the HS2.0 network provider. Even if deployed, this doesn't address situations where users have no trust relationship with the network provider and still want Wi-Fi (as most people, they assume Apps are increasingly using TLS and provide end-to-end security). 2. More devices/browers/web servers are defaulting to checking/redirecting to a HTTPs URL. As you know, when in a captive portal/walled garden state, this will cause a problem because you can't intercept a HTTPs request (rightly so!) to a captive portal page without a browser/certificate warning. This breaks everything from the end user perspective. Yes, we need to fix this! It is disturbing that vendors commonly hijack https even with the security errors. 3. Built-in OS captive popups provide limited browser functionality/cookies/etc. When trying to offer login options like Facebook, it can really affect the user experience when cookies are not permitted or other features disabled. The behaviour is also different per device. In Android 5.0+, the captive portal window immediately dissappears when the user is authenticated. This is a pain for us as we want to display a "you are now online" page, or redirect the user to a landing page with information etc. Very common problems. 4. Walled garden. It's a nightmare having to manage lists of domains/IP's across all the different vendors kit out there. For example to offer a social login through Facebook we need to allow certain domains like facebook.com<http://facebook.com>, akamaihd.net<http://akamaihd.net> and connect.facebook.net<http://connect.facebook.net> etc. This is all static lists inside an AP/controller, and would be a nightmare to update should Facebook change the URLs they send authentication requests throught etc. How about some way to dynamicly pass back a list of domains as part of the DHCP option or some other way to allow the operator to set the required domains at time of connection? Or, how about, as part of the capport API, we are able to send a list of domains back to the AP, so if someone chooses Facebook, we open the Facebook domains for that MAC for a few minutes to allow them to login. Managing the walled garden configuration is probably also outside the code of the WG. I don't think we should have any API inform the client directly of the walled garden as that information could be misleading, or wrong. I do agree that the real issue is having the walled garden configuration synchronized with the NAS/AP ... however, vendors do their own proprietary ways of doing this already. Other thoughts... I had a look at "draft-wkumari-capport-icmp-unreach-02". I note that it describes the example URL that could be returned as part of the captive portal URL: https://wifi.domain.com/portal?icmp_session=10&policy_class=100. However, what about the other traditional parameters that a captive portal redirect injects? As a minimum, we need the ap_mac, client_mac and login_url to which we post the login request back to (traditional captive portal login request). Without such parameters, we cannot identify the venue/ap/client and provide the relevant portal splash page and user specific options. I may have misunderstood this? This is an area where I expect discussion. If the DHCP server is integrated with the NAS, then the RFC7710 URL could contain all the necessary session-specific query string parameters and the additional parameters are just added. It is also possible that the RFC7710 URL is something like http://<NAS-IP>/redirect<http://%3cNAS-IP%3e/redirect> which the NAS responds to with a redirect to https://<real-portal-domain>/<https://%3creal-portal-domain%3e/>... with all the necessary parameters. This becomes implementation specific, but all the information required can be captured one way or another. Does anyone here see Hotspot 2.0 (release 2 or further in particular) and OSU as the answer? I don't think I do. It just doesn't seem to help us as a provider but instead tries to be around getting the user online as quickly and without any interaction. Providers are all for making it easy for users to on board, but they need to get something out of it to make it pay. I think Hotspot 2.0 has its place and will get deployed... and addresses, imho, the security of Wi-Fi in public access. It is doing do with security and "auto-connect" in mind. One issue I think that remains is that post authentication, HS2.0 doesn't necessarily protect the data-plane on the LAN or send it back to the operator. I think operators will be selective in which networks they trust and partner with. I don't think this will replace captive portals on Open Wi-Fi or elsewhere. I am more than willing to take any questions and offer as much insight as I can. Thanks James _______________________________________________ Captive-portals mailing list Captive-portals@ietf.org<mailto:Captive-portals@ietf.org> https://www.ietf.org/mailman/listinfo/captive-portals
- Re: [Captive-portals] A view from a WiFi provider… Dave Dolson
- Re: [Captive-portals] A view from a WiFi provider… David Bird
- Re: [Captive-portals] A view from a WiFi provider… James Wood
- Re: [Captive-portals] A view from a WiFi provider… Joel Jaeggli
- Re: [Captive-portals] A view from a WiFi provider… Erik Kline