Re: [Captive-portals] Review of draft-ietf-capport-rfc7710bis
Tommy Pauly <tpauly@apple.com> Fri, 26 July 2019 14:02 UTC
Return-Path: <tpauly@apple.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF4D1120024 for <captive-portals@ietfa.amsl.com>; Fri, 26 Jul 2019 07:02:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U-z2oXWIstIi for <captive-portals@ietfa.amsl.com>; Fri, 26 Jul 2019 07:02:57 -0700 (PDT)
Received: from ma1-aaemail-dr-lapp03.apple.com (ma1-aaemail-dr-lapp03.apple.com [17.171.2.72]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 15E2612003E for <captive-portals@ietf.org>; Fri, 26 Jul 2019 07:02:57 -0700 (PDT)
Received: from pps.filterd (ma1-aaemail-dr-lapp03.apple.com [127.0.0.1]) by ma1-aaemail-dr-lapp03.apple.com (8.16.0.27/8.16.0.27) with SMTP id x6QE2QEa029055; Fri, 26 Jul 2019 07:02:54 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=sender : from : message-id : content-type : mime-version : subject : date : in-reply-to : cc : to : references; s=20180706; bh=s3AZmSIyWZEKkgy7xgQhR7y4XmEPy8LrB34kO6UKXvM=; b=Bjx+XCH2fTXPio4EuDe2v3Qq/2KJYGRzoHdE1dCZLPEf53ii68isvS3fm9SdxcRt/Wms JJZailJfNoSwv/fNb7l7FBMpi93j9EstTKT3fILbSPO07QHdM2HKBy3PNZ3DLGkz+MsU t+AFDB59PC0C9Q7dts/rs7RN5DvhdEbaocpR9oy2CT7C9Uo29Nx4iASIjfDXzatsaoV0 EyId+ywgIXqSAt5Lxm8mWf3rgHpZOvEKtjgyc1rCe18HPF/ynpGi7L9b2IJyuQg0q7+u 71Rc80VqU6I/cUWYPXZviLtaK/lWXr6Rk2o1SeeeGZK453xHq8Vq0n6nyCaj93ghtzod rg==
Received: from ma1-mtap-s03.corp.apple.com (ma1-mtap-s03.corp.apple.com [17.40.76.7]) by ma1-aaemail-dr-lapp03.apple.com with ESMTP id 2tymeth5fy-6 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Fri, 26 Jul 2019 07:02:54 -0700
Received: from nwk-mmpp-sz10.apple.com (nwk-mmpp-sz10.apple.com [17.128.115.122]) by ma1-mtap-s03.corp.apple.com (Oracle Communications Messaging Server 8.0.2.4.20190507 64bit (built May 7 2019)) with ESMTPS id <0PV900DLO5ORXX50@ma1-mtap-s03.corp.apple.com>; Fri, 26 Jul 2019 07:02:53 -0700 (PDT)
Received: from process_milters-daemon.nwk-mmpp-sz10.apple.com by nwk-mmpp-sz10.apple.com (Oracle Communications Messaging Server 8.0.2.4.20190507 64bit (built May 7 2019)) id <0PV900I005M0J900@nwk-mmpp-sz10.apple.com>; Fri, 26 Jul 2019 07:02:52 -0700 (PDT)
X-Va-A:
X-Va-T-CD: 08daaeda8696783f7bdde9d2f4757251
X-Va-E-CD: 78982227d2a234b47dafb290de967976
X-Va-R-CD: 066c7cb7e1963bb15250540666e7a491
X-Va-CD: 0
X-Va-ID: 7bf2f86d-8a6c-4503-a60d-89fbd96ca996
X-V-A:
X-V-T-CD: 08daaeda8696783f7bdde9d2f4757251
X-V-E-CD: 78982227d2a234b47dafb290de967976
X-V-R-CD: 066c7cb7e1963bb15250540666e7a491
X-V-CD: 0
X-V-ID: 5cd7a93f-e13e-4321-a663-f2ff836d40b0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-07-26_10:,, signatures=0
Received: from [17.235.29.186] by nwk-mmpp-sz10.apple.com (Oracle Communications Messaging Server 8.0.2.4.20190507 64bit (built May 7 2019)) with ESMTPSA id <0PV900DM45M2SE10@nwk-mmpp-sz10.apple.com>; Fri, 26 Jul 2019 07:01:16 -0700 (PDT)
Sender: tpauly@apple.com
From: Tommy Pauly <tpauly@apple.com>
Message-id: <C82C4A97-AEEE-48D1-9FD4-908D53E2767A@apple.com>
Content-type: multipart/alternative; boundary="Apple-Mail=_68164741-869B-431B-BC23-18FE9B275A01"
MIME-version: 1.0 (Mac OS X Mail 12.4 \(3445.104.2\))
Date: Fri, 26 Jul 2019 10:01:09 -0400
In-reply-to: <CAKD1Yr0C_KEUpGUC-wbAV-ufG_VpNposecmzNQU5rEXaCeSZNQ@mail.gmail.com>
Cc: David Bird <dbird=40google.com@dmarc.ietf.org>, captive-portals@ietf.org, Martin Thomson <mt@lowentropy.net>, David Bird <dbird@google.com>
To: Lorenzo Colitti <lorenzo=40google.com@dmarc.ietf.org>
References: <CAKD1Yr32DXr8fYHP_x7z9pQWwSchey8zQW11vw02bW9ONEV8Kg@mail.gmail.com> <01ad5bf0-1f60-4dbb-aa83-31d14fce6082@www.fastmail.com> <CAKD1Yr08LmfDhmDLqpR87iQQ4Z61CVpR9BTDeRHobpsvVxFJvA@mail.gmail.com> <CADo9JyW6TmBnr5f0AuSXKnKMXnMxGhMkgYbGQ1WYOQjSMefy=w@mail.gmail.com> <CAKD1Yr1Zo0NQod=p4ZqT6fJYJ=Xqh1q8eJT2+ich+p7Jmg1WiA@mail.gmail.com> <CADo9JyX1T8AnxirXLfGdcJzmjvy5_UGJktnbYByAuO7H++y8uA@mail.gmail.com> <CAKD1Yr0C_KEUpGUC-wbAV-ufG_VpNposecmzNQU5rEXaCeSZNQ@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.104.2)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-07-26_10:, , signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/GzPNLEYXZpW6dI3QVoM6T43tO8c>
Subject: Re: [Captive-portals] Review of draft-ietf-capport-rfc7710bis
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Jul 2019 14:02:59 -0000
To that end, any enforcement of other traffic (such as normal web page loading) will not be carrying any session identifier, so only signals that are already present in the packets, such as the IP address, are effectively useful here. Thanks, Tommy > On Jul 25, 2019, at 2:43 PM, Lorenzo Colitti <lorenzo=40google.com@dmarc.ietf.org> wrote: > > Is there a problem with saying that the portal server should identify the device by IP address? > > On Mon, Jul 22, 2019 at 7:40 PM David Bird <dbird=40google.com@dmarc.ietf.org <mailto:40google.com@dmarc.ietf.org>> wrote: > I think that assumption is problematic... the nature of captive portal means the portal will be taking some action (e.g. releasing the UE from captivity) specific to the UE/session, regardless of the content generated for the URL. Captive portal networks work differently in uniquely identifying the UE/session, but ultimately a "session-id" is typically carried in the redirect URL on a per UE/session basis. If everyone gets the exact same URL, this can only be done by IP address at the portal... Is that the design networks are encouraged to take? > > On Mon, Jul 22, 2019 at 4:25 PM Lorenzo Colitti <lorenzo=40google.com@dmarc.ietf.org <mailto:40google.com@dmarc.ietf.org>> wrote: > No, I'm assuming that the URL in the RA is identical for all users and that if any per-user behaviour is needed, then the content of that URL will be dynamically generated. > > On Mon, Jul 22, 2019, 18:12 David Bird <dbird=40google..com@dmarc.ietf.org <mailto:40google.com@dmarc.ietf.org>> wrote: > Are we assuming that the URL contained in the DHCP/RA is the final "session specific" URL for which the portal is able to uniquely identify the UE/session ? > > On Mon, Jul 22, 2019 at 2:43 PM Lorenzo Colitti <lorenzo=40google..com@dmarc.ietf.org <mailto:40google.com@dmarc.ietf.org>> wrote: > On Mon, Jul 22, 2019 at 4:49 PM Martin Thomson <mt@lowentropy.net <mailto:mt@lowentropy.net>> wrote: > > 2. I'm surprised that the following text is present. It seems like we > > should disallow IP literals for compatibility with IPv6. But perhaps > > SHOULD is enough here. > > > > The URI SHOULD NOT contain an IP address literal. > > I tend to think that the core goal is that the URI contain a target identity that can be authenticated when accessed over HTTPS. > > That generally means that IP literals aren't a good idea, but I wouldn't make this statement. I would instead emphasize that this is an HTTPS URI. Though I would not go into great detail on what that means, I would refer to RFC 7230. > > It's possible to use HTTPS to IP literals. But IP literals are address-family specific. That makes it impossible to support this option in a dual-stack network because the two URLs will be different. > > > 3. The section that documents the link relation type should mention > > what should happen if the portal is already open. Should the captive > > portal add this header to probe responses even if the portal is already > > open? if it does not, there is no way for a device to learn the API URL > > if it connects to a portal, logs in, disconnects, and then reconnects, > > because when it reconnects the portal will be open. > > Good point. I would be interested in hearing what the working group thinks of this. > > To my understanding, this is a problem that exists today. So we may decide not to worry about this particular problem, but just document it. That would make this path less good than other options (like DHCP/RA), but I don't want to encourage networks to intercept EVERY request that passes. > > Right, for networks without the capport API (i.e., all networks today) this works. But for a network with the capport API, I think it's a problem if the device cannot find the API URL just because the portal is open. The reason I mention it is: this document says that the URL in the option is in fact the API URL, and the link rel mechanism doesn't work well for the API URL. > > One option would just be to drop this mechanism. If it is clear that the DHCP / RA solutions are feasible in real networks, I don't see much of a need for the link rel version at all. > _______________________________________________ > Captive-portals mailing list > Captive-portals@ietf.org <mailto:Captive-portals@ietf.org> > https://www.ietf.org/mailman/listinfo/captive-portals <https://www.ietf.org/mailman/listinfo/captive-portals> > _______________________________________________ > Captive-portals mailing list > Captive-portals@ietf.org <mailto:Captive-portals@ietf.org> > https://www.ietf.org/mailman/listinfo/captive-portals <https://www.ietf.org/mailman/listinfo/captive-portals> > _______________________________________________ > Captive-portals mailing list > Captive-portals@ietf.org > https://www.ietf.org/mailman/listinfo/captive-portals
- [Captive-portals] Review of draft-ietf-capport-rf… Lorenzo Colitti
- Re: [Captive-portals] Review of draft-ietf-cappor… Martin Thomson
- Re: [Captive-portals] Review of draft-ietf-cappor… Lorenzo Colitti
- Re: [Captive-portals] Review of draft-ietf-cappor… David Bird
- Re: [Captive-portals] Review of draft-ietf-cappor… Martin Thomson
- Re: [Captive-portals] Review of draft-ietf-cappor… Lorenzo Colitti
- Re: [Captive-portals] Review of draft-ietf-cappor… David Bird
- Re: [Captive-portals] Review of draft-ietf-cappor… Martin Thomson
- Re: [Captive-portals] Review of draft-ietf-cappor… David Bird
- Re: [Captive-portals] Review of draft-ietf-cappor… David Bird
- Re: [Captive-portals] Review of draft-ietf-cappor… Martin Thomson
- Re: [Captive-portals] Review of draft-ietf-cappor… Lorenzo Colitti
- Re: [Captive-portals] Review of draft-ietf-cappor… Tommy Pauly
- Re: [Captive-portals] Review of draft-ietf-cappor… Michael Richardson
- Re: [Captive-portals] Review of draft-ietf-cappor… Remi NGUYEN VAN
- Re: [Captive-portals] Review of draft-ietf-cappor… Martin Thomson
- Re: [Captive-portals] Review of draft-ietf-cappor… Chris Spencer
- Re: [Captive-portals] Review of draft-ietf-cappor… Martin Thomson
- Re: [Captive-portals] Review of draft-ietf-cappor… Remi NGUYEN VAN
- [Captive-portals] customizing API URLs vs ??? Michael Richardson
- Re: [Captive-portals] customizing API URLs vs ??? Nicolas Mailhot
- Re: [Captive-portals] customizing API URLs vs ??? Michael Richardson
- Re: [Captive-portals] customizing API URLs vs ??? Nicolas Mailhot