IETF Logo Mail Archive

Re: [Captive-portals] Arguments against (any) Capport "API"

David Bird <dbird@google.com> Wed, 05 April 2017 17:45 UTC

Return-Path: <dbird@google.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F459126C26 for <captive-portals@ietfa.amsl.com>; Wed, 5 Apr 2017 10:45:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.991
X-Spam-Level:
X-Spam-Status: No, score=-1.991 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u1JItsHspXOA for <captive-portals@ietfa.amsl.com>; Wed, 5 Apr 2017 10:45:35 -0700 (PDT)
Received: from mail-qt0-x230.google.com (mail-qt0-x230.google.com [IPv6:2607:f8b0:400d:c0d::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E59BD127871 for <captive-portals@ietf.org>; Wed, 5 Apr 2017 10:45:34 -0700 (PDT)
Received: by mail-qt0-x230.google.com with SMTP id r45so17083304qte.3 for <captive-portals@ietf.org>; Wed, 05 Apr 2017 10:45:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=90xtrJVBIlfeIGFdAQoYtPMqa2H0nGs+JJzNtBRddl8=; b=QYUq5qCArvDf46hWWsTD3eXtonKlguZCdo6QnMARYPZB9tJrrcUG1RmVUyjCG2RpVk 08alI6GcwNcaGpmUt6hBVO5MVKya8Vy+y4hrh5tcwE822ObaKoXVMihQG6q+7t+Gsg68 VtaLat1Cq7PEJ0OnCW+Ky0P5cWVBMrPQNJK3WQgiQcSaK5lDfoS9C8jDNiwpQosTapeZ uiFz2NExAEy8dtXXUCFw4GPlxD5PZQ8JjqlSL0ikRGOcAlU92P5HBqhNF8AswmN5OooE GGjj1TMFmoVbTL+wQKeyJJURqjz2LY+4EjqNztDr9pkb8pxGTIrvMie1k0/8or9uqIh4 cxbA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=90xtrJVBIlfeIGFdAQoYtPMqa2H0nGs+JJzNtBRddl8=; b=iY4aj+fudGkX5aIp6yHHfGngqRUuUAQsGRsQ6J8Fn8c4McnwG5W+ShZeVW41C8knCv VkzKypopIp760Fj+sE/0OWO9VRTjMDW+3uKBd6gj3zjbs2gcbYrbMyQI6l+U+MLngMMW owxGZqarmboZ70JgXTmOhUuSch6u9/yKL/634JX9fn0E23ZhmM8ba3S5oJpzjotoGeMZ /xO8JxbQakv0mnb89z33bSAxcR/PbwlkyfcMYwN8htPQDJRXKrEwdDT+lSniGYMUOk5b qefP0rpkI1xStZNjmtoIl4YrSPvHxc950OujqVldGDByJEqZWF6WE8zgNGose6AOMsN4 2bGw==
X-Gm-Message-State: AFeK/H3Ru23+VgiwWnChAIuxXVwBqsPR59UJm1oxkGZnipzivf8PZRYRzk3w0ni9Lw+HcwJ2dTGtXgQmDO2DAF4b
X-Received: by 10.200.47.129 with SMTP id l1mr30391066qta.112.1491414333823; Wed, 05 Apr 2017 10:45:33 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.12.128.233 with HTTP; Wed, 5 Apr 2017 10:45:32 -0700 (PDT)
In-Reply-To: <c7ace5a6-8b0d-40d8-066c-dea49a9dd4e0@sjrb.ca>
References: <CADo9JyU2wiEBB4L7ADSybt9se7jCN764JSEoHuGTcuiU_jDscQ@mail.gmail.com> <alpine.DEB.2.02.1704042139110.27978@uplift.swm.pp.se> <CADo9JyVr07w5GRpF+UzSBHRuo=V=3p9MeyhFdzB+5pZk7_amNw@mail.gmail.com> <alpine.DEB.2.02.1704050613130.27978@uplift.swm.pp.se> <CADo9JyXMkqomOpvUWhzZs77eOPvx-g0L-tR5oSz6D4mfjaaUWQ@mail.gmail.com> <c878b23d-c078-987f-84e0-2a99f2e08dbd@sjrb.ca> <CADo9JyUyQo++b=_oLHd33vjsA_KxLcwwTFjb3T4PDeWmyBfPwQ@mail.gmail.com> <CADo9JyUwVp+xkO444NRH=oMW++MJeCpPHo+j6vg8hfA6wBYGKw@mail.gmail.com> <c57d722e-6d1e-7023-dcf2-a589a8d3d5cc@sjrb.ca> <E8355113905631478EFF04F5AA706E9870579542@wtl-exchp-1.sandvine.com> <CADo9JyWPQeDO1iDDi_ywQie21UgcaBuOArZ+wBBxkRV1E6YA_Q@mail.gmail.com> <c7ace5a6-8b0d-40d8-066c-dea49a9dd4e0@sjrb.ca>
From: David Bird <dbird@google.com>
Date: Wed, 05 Apr 2017 10:45:32 -0700
Message-ID: <CADo9JyX+iUFYae_fYqWVi7AwQCnLQYP0dHgwM+fxf_5OTVwuqA@mail.gmail.com>
To: Christian Saunders <Christian.Saunders@sjrb.ca>
Cc: "captive-portals@ietf.org" <captive-portals@ietf.org>
Content-Type: multipart/alternative; boundary="001a113776f2952946054c6ef5ba"
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/BXt6NEa8x5YD0mF5wD-_wQ7C2nY>
Subject: Re: [Captive-portals] Arguments against (any) Capport "API"
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Apr 2017 17:45:38 -0000

There are problems with WISPr, one being that it has somewhat ambiguous
copyrights, which is why you will not find it easily on-line.

It was proposed by WFA, but never ratified. With that said, there are some
lessons to be learned from it:

- It probably would be good to have something with cleaner specifications,
but adoption by the long-tail hotspot operators could be slow (even slower
thank upgrading NAS capabilities). Critical to vendor/venue adaption will
be roaming aggregator adoption, and you have the chick and egg problem.

- WISPr XML wasn't overly complicated, but it being implemented by all
sorts of portals, in all sorts of ways, gave it a very bad reputation as
being broken. (A fear I have for our API as well.)

- WISPr only defined, basically, a Username / Password login method, which
fits AAA/RADIUS models, and the industry has largely adapted to (for
instance, it is common to do 'Mac Auth' using a shared 'Password' field or
to fit voucher codes into a username/password combinations).




On Wed, Apr 5, 2017 at 10:30 AM, Christian Saunders <
Christian.Saunders@sjrb.ca> wrote:

> Does WISPr support all of the use cases?  Is there a publicly available
> source for the WISPr XML spec?
>
> Cheers!
>
> Christian
>
>
> On 17-04-05 11:15 AM, David Bird wrote:
>
> I agree with that... but, to be clear, it really is just an improvement on
> WISPr XML, and with WISPr XML already, not only used, but used to make
> money, the reasons for supporting this API MUST be inline with the
> venue/Operator needs. 'Automating login' (as a focus for the API) quickly
> becomes venue / regional / legal / vertical / application / access policy
> dependent.. Not to mention, I question the value for the user in making it
> super simple for their devices to auto-login into public access networks
> (without clear user intent). This seems irresponsible, on our part, when
> there are solutions out there already that do automate this login, but only
> after taking extra security measures (presumably, hotspot aggregators
> conceal your identity when roaming, and their Apps can do more things).
>
> On Wed, Apr 5, 2017 at 9:51 AM, Dave Dolson <ddolson@sandvine.com> wrote:
>
>> This is OK if you only need to serve devices with browsers and attentive
>> humans.
>>
>> The API offers possibilities for automation in the device by making a
>> formal data model (vs. HTML).
>>
>>
>>
>>
>>
>> *From:* Captive-portals [mailto:captive-portals-bounces@ietf.org] *On
>> Behalf Of *Christian Saunders
>> *Sent:* Wednesday, April 5, 2017 12:38 PM
>> *To:* David Bird
>> *Cc:* captive-portals@ietf.org
>> *Subject:* Re: [Captive-portals] Arguments against (any) Capport "API"
>>
>>
>>
>> The currently proposed solution has 3 components:
>>
>>
>> 1. The ICMP component is used to detect a captive network.
>>
>> 2. The DHCP component is used to discover the address of the Captive
>> Portal.
>>
>> 3. The API is an information service with a standardized interface that
>> allows discovery and potentially remediation of the requirements for
>> network access.
>>
>> The ICMP and DHCP components are sufficient to resolve the redirection
>> and HTTPS issue.
>>
>> I would consider the API as an optional component - it might create some
>> user experience benefits if the device developers and network operators
>> choose to use it.
>>
>> The difficulty with the API is having a way of codifying all of the
>> possible network access requirements.  I'm not sure this is reasonably
>> possible.
>>
>> Assuming that such a definition is possible, then there is some benefit
>> to the common definition.
>>
>> (It also strikes me that this definition would make a nice back end
>> design for the Captive Portal itself.)
>>
>> Cheers!
>>
>> Christian
>>
>>
>>
>> On 17-04-05 10:25 AM, David Bird wrote:
>>
>> Edits in-line :)
>>
>>
>>
>> On Wed, Apr 5, 2017 at 9:06 AM, David Bird <dbird@google.com> wrote:
>>
>> A few more key benefits of the ICMP approach :
>>
>>
>>
>> - Capport detection is made easier for the client, even when RFC 7710 (or
>> any API) is *NOT* implemented (as long as the NAS is Capport compliant).
>>
>>
>>
>> - "Signaling" can be done by different components (NAS, iptables,
>> rate-limiter, PCEF, etc), without (necessarily) needing to coordinate with
>> a central service.
>>
>>
>>
>> - In defining the RFC in how a NAS should handle blocking traffic for
>> Capport compliant devices, we are also defining how the NAS should handle
>> Legacy devices - which is, there is no difference - they both get ICMP Dest
>> Unreach w/Capport extension) - which is helpful.
>>
>>
>>
>>
>>
>>
>>
>
>
>
> _______________________________________________
> Captive-portals mailing listCaptive-portals@ietf.orghttps://www.ietf.org/mailman/listinfo/captive-portals
>
>
>

v2.23.0 | Report a Bug | By Email