IETF Logo Mail Archive

Re: [Captive-portals] Use Case: "Carrier Grade Captive Portal"

Tommy Pauly <tpauly@apple.com> Tue, 11 July 2017 03:26 UTC

Return-Path: <tpauly@apple.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 80DBB12EC13 for <captive-portals@ietfa.amsl.com>; Mon, 10 Jul 2017 20:26:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MARKETING_PARTNERS=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jjKcnq0TIF1p for <captive-portals@ietfa.amsl.com>; Mon, 10 Jul 2017 20:26:02 -0700 (PDT)
Received: from mail-in2.apple.com (mail-out2.apple.com [17.151.62.25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D2B36129B29 for <captive-portals@ietf.org>; Mon, 10 Jul 2017 20:26:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=apple.com; s=mailout2048s; c=relaxed/simple; q=dns/txt; i=@apple.com; t=1499743562; h=From:Sender:Reply-To:Subject:Date:Message-id:To:Cc:MIME-version:Content-type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-reply-to:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=qQdT8HJTMPffX2h+NnUcfp9scIyihdKpH6ZlLFs0sPE=; b=OIEC/LFFjDN5RFwpSzrved1epZ6Awx8QW9aVQ4ThnSMUakkyH/p4Rm9n1EsYxjU9 2JlR0I8Unbs8D2YnQCUBJnwTWISSoEfQjI9ro/OwjbYl+n0/M+RWB11Lg5s8x0o0 DOH/i146OqRLLaGtiV8Gd4aGAQ36sX/KdpFFQx46/KWAwEvrSzodL9tESmXv5Kax qaVRXvOlGwk010R5J6fBNovwUu5jQ3PNZROkK2jtp8RbASJ8sTKj9M885L9EtmNT qWdMeIStX0vtQRwWV3Eu+VWMz8pcOXXZz6pNRYH7UUay6F8F0jKYXHCSim4G9GmY LrIgT57hg+GePOa4jRw4xg==;
Received: from relay7.apple.com (relay7.apple.com [17.128.113.101]) (using TLS with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail-in2.apple.com (Apple Secure Mail Relay) with SMTP id 88.E9.07214.A4544695; Mon, 10 Jul 2017 20:26:02 -0700 (PDT)
X-AuditID: 11973e11-30dff70000001c2e-85-5964454a5f5e
Received: from nwk-mmpp-sz09.apple.com (nwk-mmpp-sz09.apple.com [17.128.115.80]) by relay7.apple.com (Apple SCV relay) with SMTP id 33.A1.07283.A4544695; Mon, 10 Jul 2017 20:26:02 -0700 (PDT)
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_fMBk8mYj/Z+rx/9c2fh94w)"
Received: from [17.234.24.3] (unknown [17.234.24.3]) by nwk-mmpp-sz09.apple.com (Oracle Communications Messaging Server 8.0.1.2.20170210 64bit (built Feb 10 2017)) with ESMTPSA id <0OSW00DVNPJDOX80@nwk-mmpp-sz09.apple.com>; Mon, 10 Jul 2017 20:26:02 -0700 (PDT)
Sender: tpauly@apple.com
From: Tommy Pauly <tpauly@apple.com>
Message-id: <ACBA1E38-CDB0-48E0-8B14-4010329CD93A@apple.com>
Date: Mon, 10 Jul 2017 20:26:01 -0700
In-reply-to: <E8355113905631478EFF04F5AA706E9870638DFD@wtl-exchp-1.sandvine.com>
Cc: David Bird <dbird@google.com>, "Eric Vyncke (evyncke)" <evyncke@cisco.com>, "captive-portals@ietf.org" <captive-portals@ietf.org>
To: Dave Dolson <ddolson@sandvine.com>
References: <201705031442.50683.heiko.folkerts@bsi.bund.de> <E8355113905631478EFF04F5AA706E98705C6C57@wtl-exchp-1.sandvine.com> <CAHw9_iJARf4MUA8nHqHA54jLvJNq-_Vek67A-rjHpSK6vC7r+Q@mail.gmail.com> <1BB90528-B35F-43F0-AF18-0215DC735FF0@cable.comcast.com> <CABkgnnWT6Xtqyx6pofpNOGa5E1FjJO1gPX1axmmiRaMnzxdoPg@mail.gmail.com> <AD3F2B14-E9AD-4156-96A6-9B83F8545B54@cable.comcast.com> <754719c5-c74c-fbdc-405e-b8c91478c0a5@netcologne.de> <CAAedzxoZkuauME8n3B3aZqE1rra8p2hB9rGJLqoYyVi8usnx+g@mail.gmail.com> <CADo9JyVsfVYTPQjHiEn1JcJ=_NzOOvtWjbuCZdQ-4jsRPpz2wQ@mail.gmail.com> <E8355113905631478EFF04F5AA706E987061FACA@wtl-exchp-1.sandvine.com> <CE7B0AC2-8803-41B5-9B0B-EB1217A5A8EC@cisco.com> <E8355113905631478EFF04F5AA706E98706252AA@wtl-exchp-1.sandvine.com> <E4CEB868-5100-4F7E-8AB7-2826F56D4BA7@apple.com> <CADo9JyWZCqdgS6PYrFoin-QBL2OZQqm3s9JyU=sn6T1CWBaesQ@mail.gmail.com> <E8355113905631478EFF04F5AA706E9870638DFD@wtl-exchp-1.sandvine.com>
X-Mailer: Apple Mail (2.3439)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrJLMWRmVeSWpSXmKPExsUi2FCYquvlmhJpcLFR0WLurAZWi08/tjNa bF32kN3iy/4FjA4sHlN+b2T1WLCp1GPJkp9MHl83b2cNYInisklJzcksSy3St0vgyvh44Q5b wY21zBXzJu1kamDs+cbUxcjJISFgInH08C3WLkYuDiGBNUwSizrfMsIkVvXfY4ZIHGSUmNhy ixkkwSsgKPFj8j0WEJtZIEzi14s9UN3dTBJTHkxh72Lk4BAWkJDYvCcRpIZNQEXi+LcNUL02 ErPnzAKzhQXcJY69eAO2jEVAVeLN3B6wmZwCARKP13WzgcxkFmhnlHhy6SVYg4iAmsTSG5+g lp1kl2iZs5gJZJmEgKzE0j8hIHEJgWXsEpu+zmOewCg0C8mxs5AcOwuohVlAXWLKlFyIsLbE k3cXWCFsNYmFvxcxIYsvYGRbxSiUm5iZo5uZZ6SXWFCQk6qXnJ+7iREUN9PtBHcwHl9ldYhR gINRiYdXoDc5Uog1say4MvcQozQHi5I4704FoJBAemJJanZqakFqUXxRaU5q8SFGJg5OqQbG RVPmMlYyVYpa5d7mUt1hJ/VBZs8yzrrpfBt2MinPnOy0oWJLkPPGsvDgrttPnyvfPm51bJt8 3OeD2aonJXdlpKo+/37+gjtbYtEv+xlHPpws8EtrU//XE1f5YdEL7WOak061m547yfXCcr2q o6j5nu3L5+4xDtpq8fnrzKAn3xi8JiummkQHKbEUZyQaajEXFScCAL/qgfF8AgAA
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrEKsWRmVeSWpSXmKPExsUi2FAcoOvlmhJp8GyFhMXcWQ2sFp9+bGe0 2LrsIbvFl/0LGB1YPKb83sjqsWBTqceSJT+ZPL5u3s4awBJlbZOWX1SeWJSiUJRcUGKrVJyR mJJfHm9pbGTqkFhQkJOql5yfq6RvZ5OSmpNZllqEzEqwzvh44Q5bwY21zBXzJu1kamDs+cbU xcjJISFgIrGq/x5zFyMXh5DAQUaJiS23mEESvAKCEj8m32MBsZkFwiR+vdjDClHUzSQx5cEU 9i5GDg5hAQmJzXsSQWrYBFQkjn/bANVrIzF7ziwwW1jAXeLYizeMIDaLgKrEm7k9YDM5BQIk Hq/rZgOZySzQzijx5NJLsAYRATWJpTc+QS07yS7RMmcxE8gyCQFZiaV/QiYw8s9Cct8sJPfN AqpiFlCXmDIlFyKsLfHk3QVWCFtNYuHvRUzI4gsY2VYxChSl5iRWmuvBQ3ATIziSClN3MDYu tzrEKMDBqMTDK9CbHCnEmlhWXJl7iFGCg1lJhDdHPCVSiDclsbIqtSg/vqg0J7X4EON+RqAv JzJLiSbnA+M8ryTe0NjC2NLEwsDAxNLMhLCwiYmBibGxmbGxuYk5LYWVxHlN+GIjhQTSE0tS s1NTC1KLYF5g4uCUamAskpYTuttwolJTcUnnusYHH3j0D60sXH5d/ury2irWR7JHWX9wq26W Md93YOOZtPn9Xl8evpZvZ+KeOnmD7I1ArmwN41cf+IM2pJzIco/RrnjCVlZYfmFHaqbu+YJp 01pe7JyVUtzyaQmLzJLPlbxyt3L9JF+8knp5fv3qGNfWhWtT8jcyTnuoxAJM34ZazEXFiQDA YHJgRQMAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/BmHmRKkoNyCnMDBur25hYCXb4Lo>
Subject: Re: [Captive-portals] Use Case: "Carrier Grade Captive Portal"
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Jul 2017 03:26:05 -0000

To chime in on the problem of misconfigured networks, I can picture three variations of issues:

1. If the PvD captivity information is unavailable due to misconfiguration, I would argue that an implementation MUST fall back to any legacy mechanisms like today’s HTTP probes. This means that on misconfigured networks that advertised a PvD server, we would have a delay after failing to fetch the information.
2. If the PvD information is wrong and lies saying that there is no captivity, when in fact there is, that could be detected by clients by the redirects that happen with future connections. This is essentially the situation we’re in today in which a captive network whitelists hosts such as captive.apple.com <http://captive.apple.com/>, and the user is forced to manually browse to a site and get redirected. This case is unfortunate, and exists today (and likely with any solution).
3. If the PvD information is wrong and lies that that there is captivity when there isn’t any, I would assume that the portal site would fail to connect or load, and would be ignored or dismissed by the system. The system could also run explicit probes in this case.

Between all three of these, there shouldn’t be any fundamental reason a device that is PvD-aware would fail to join a network that a legacy device was able to join. These cases may still involve probing, or waiting for connections to fail, but if we can hope that misconfiguration is not the norm (which must always be our hope), then we’re still benefiting most cases.

As for cases in which you join a network and then captivity starts partway through after expiration, I think the PvD solution is very elegant: we would still do explicit PvD discovery, and be altered that there is an expiration time on the access from the moment the network is joined.

Also, the configuration that’s accessed for the PvD captivity doesn’t need to be public—the information can be specific to a local network, and only needs to tell as much information as the network is willing to share for the device’s benefit.

Thanks,
Tommy

> On Jul 10, 2017, at 8:54 AM, Dave Dolson <ddolson@sandvine.com> wrote:
> 
> David,
> Is it fair to say your concerns are mainly about misconfigured networks?
> And this is the reason that devices will always be incented to probe regardless of any method of provisioning?
>  
> -Dave
>  
>  
> From: David Bird [mailto:dbird@google.com <mailto:dbird@google.com>] 
> Sent: Monday, July 10, 2017 9:39 AM
> To: Tommy Pauly
> Cc: Dave Dolson; Eric Vyncke (evyncke); captive-portals@ietf.org <mailto:captive-portals@ietf.org>
> Subject: Re: [Captive-portals] Use Case: "Carrier Grade Captive Portal"
>  
> On Sat, Jul 8, 2017 at 6:14 PM, Tommy Pauly <tpauly@apple.com <mailto:tpauly@apple.com>> wrote:
> [snip] 
> The idea with explicit PvD discovery is that it would, as a step, replace a separate captive portal detection strategy.
>  
> My overall concern with discovery mechanisms that are specific to only captive portals is that this is an extra step that is performed potentially on every network association, that may have limited extensibility for non-captive use cases. Since the explicit PvD design promises a way to discover many properties beyond captivity, and is bootstrapped very early on in the network association, it should hopefully allow clients to avoid the extra probe.
> 
> 
>  
> I have concerns with the PvD approach, as described.
>  
> If a network was misconfigured to advertise a PvD that does have a (Internet based) HTTPS server with a JSON file on it describing a captive portal network, then devices utilizing the PvD information will *never* get on this network while devices not using the PvD information do. That could be very confusing to users and network administrators alike. 
>  
> If you have seen walled garden configurations for large networks, you will notice a lot about the network operator's marketing partners. Indeed, many walled gardens are much larger than the network really wants... sometimes they just need to make things work in the garden. My point here is that operators may not *want* to list out their walled garden configuration on a public JSON file...
>  
> At the end of the day, I'd argue that the client *will always probe* -- wether it means to or not... A networking using PvD could just advertise all networks routes are available so that the device connects only to get caught up in a captive portal redirect anyway... back to step 1 and captive portal detection..
>  
> I'm also unclear how PvD would deal with scenarios where you might start out with internet connectivity (e.g. "MAC Authentication") then to have a captive portal return after a session timeout has occurred...
>  
>  
>  
>  
>  
> Note: the same “captivePortal” key is also defined in section 5.3 as a Boolean. Should I consider this to be a defect in the draft, or am I missing something?
>  
> The updated version of the draft (https://tools.ietf.org/html/draft-bruneau-intarea-provisioning-domains-01 <https://tools.ietf.org/html/draft-bruneau-intarea-provisioning-domains-01>) leaves out the specific keys for captive portals, and discusses it more abstractly. That would be a good thing to nail down at the Prague meeting. If PvD detection is done generically on network association, then a boolean or some way to indicate that this is *not* a captive portal will allow the device to not perform extra probing. If there is a captive network, we should be able to get the page or instructions on how to get beyond captivity.
>  
> Thanks,
> Tommy
> 
> 
> 
>  
> -Dave
>  
>  
>  
> From: Eric Vyncke (evyncke) [mailto:evyncke@cisco.com <mailto:evyncke@cisco.com>] 
> Sent: Sunday, June 25, 2017 8:27 PM
> To: Dave Dolson; captive-portals@ietf.org <mailto:captive-portals@ietf.org>
> Cc: David Bird
> Subject: Re: [Captive-portals] Use Case: "Carrier Grade Captive Portal"
>  
> At least Erik Kline and myself are following the captive-portal list :-)
>  
> And the more we think about it, PvD could really be useful and we, the PvD I-D authors, would be pleased to present at your WG
>  
> -éric
>  
> From: Captive-portals <captive-portals-bounces@ietf.org <mailto:captive-portals-bounces@ietf.org>> on behalf of Dave Dolson <ddolson@sandvine.com <mailto:ddolson@sandvine.com>>
> Date: Friday 23 June 2017 at 11:57
> To: "captive-portals@ietf.org <mailto:captive-portals@ietf.org>" <captive-portals@ietf.org <mailto:captive-portals@ietf.org>>
> Cc: David Bird <dbird@google.com <mailto:dbird@google.com>>
> Subject: Re: [Captive-portals] Use Case: "Carrier Grade Captive Portal"
>  
> [resend with fewer recipients to avoid mailing list problems]
>  
> To echo David’s request,
> > If the authors of the PvD concept (re-)present their I-D to the mailing list, and stick around for discussion, that would be helpful.
>  
>  
> From: David Bird [mailto:dbird@google.com <mailto:dbird@google.com>] 
> Sent: Wednesday, June 14, 2017 9:36 AM
> To: Erik Kline
> Cc: Gunther Nitzsche; Mark Townsley; Heiko Folkerts; Martin Thomson; captive-portals@ietf.org <mailto:captive-portals@ietf.org>; Livingood, Jason; Herzig, Willi; Warren Kumari; Dave Dolson
> Subject: Re: [Captive-portals] Use Case: "Carrier Grade Captive Portal"
>  
> On Sun, Jun 11, 2017 at 11:17 PM, Erik Kline <ek@google.com <mailto:ek@google.com>> wrote:
> I'm not sure we have enough input on whether 511 is useful or not.  There seemed to be some suggestion it would help, and some that it wouldn't.  Perhaps one question we could ask is whether it's harmful?  And if we agree it's not harmful, is it worth developing some recommendations for its use?
>  
>  
> In of itself, I don't believe it is harmful. However, if vendors use it as a reason to continue to terminate TLS connection in order to deliver the 511, then perhaps it is a bit harmful - or at least misleading. As the world moves to TLS (and QUIC), I think the time for the 511 code has already passed, to some degree. That, combined with the fact you may still have browsers not handling that return code properly, I don't see the value for any vendor or venue to implement this.
>  
>  
> As for the ICMP unreachable option, I certainly don't think it would be harmful (with the extra URL bits removed for now).  Is that something we wish to progress?
>  
>  
> I will work on a new draft that is only the basics. The additional fields could always be add in their own draft as extensions. 
>  
>  
> Given that we're probably looking at a portal detection method based on entirely new work, it seems to me we're free to look at new things like utilizing the PVD detection scheme (DNS queries for "provisioning domain names", followed by other interaction still TBD).  Have the portal implementors reviewed this and given consideration as to whether its useful?  (I think of the discovery of the portal and subsequent interaction with it as 2 separate processes conducted, obviously, in serial.)
>  
>  
> I believe there are several talking points here, as the PvD method seems to have several possible implementations. 
>  
> I think requiring Ipv6 to configure Ipv4 is weird (I believe that was one proposed method to convey configuration)
>  
> Several points I made in the thread "Arguments against any Capport API" regarding a web service - detached from the NAS - controlling the UE/station I think are relevant.
>  
> If the authors of the PvD concept (re-)present their I-D to the mailing list, and stick around for discussion, that would be helpful. 
>  
>  
> Thoughts?
> 
> _______________________________________________
> Captive-portals mailing list
> Captive-portals@ietf.org <mailto:Captive-portals@ietf.org>
> https://www.ietf.org/mailman/listinfo/captive-portals <https://www.ietf.org/mailman/listinfo/captive-portals>
>  
> _______________________________________________
> Captive-portals mailing list
> Captive-portals@ietf.org <mailto:Captive-portals@ietf.org>
> https://www.ietf.org/mailman/listinfo/captive-portals <https://www.ietf.org/mailman/listinfo/captive-portals>
>  
>  
> _______________________________________________
> Captive-portals mailing list
> Captive-portals@ietf.org <mailto:Captive-portals@ietf.org>
> https://www.ietf.org/mailman/listinfo/captive-portals <https://www.ietf.org/mailman/listinfo/captive-portals>

v2.23.0 | Report a Bug | By Email