Re: [Captive-portals] time-based walled gardens
David Bird <dbird@google.com> Mon, 10 April 2017 23:28 UTC
Return-Path: <dbird@google.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35CB2128708 for <captive-portals@ietfa.amsl.com>; Mon, 10 Apr 2017 16:28:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j_0QKcxXJRE1 for <captive-portals@ietfa.amsl.com>; Mon, 10 Apr 2017 16:28:03 -0700 (PDT)
Received: from mail-qt0-x229.google.com (mail-qt0-x229.google.com [IPv6:2607:f8b0:400d:c0d::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E400A127871 for <captive-portals@ietf.org>; Mon, 10 Apr 2017 16:28:02 -0700 (PDT)
Received: by mail-qt0-x229.google.com with SMTP id m36so16566687qtb.0 for <captive-portals@ietf.org>; Mon, 10 Apr 2017 16:28:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=oOEVQy6/vYsPPBbCDuYNVDdlEpt7DxDBL9eDlHjCtXE=; b=VQb49aiZWivGee1TACTJopyjT43zE4mCO/IWRjHS1EQfs+rkkKQ/ewirvVswZHUaOm mWq5+dPwnDJeaOOQDSW/apvAlY68R7zQ+bl/F26RnaT60cH5xoedHsay3gKwCnyLfwYx quhkzFB0f1MB9QB4uXyLFImcr9LtqTKtNRcvJwWRQzsiKpk6D+TGpidBmcYCDGBUL52K 8uKcAs1AC/JMmp9wmaW+OBhIXnwhzzZcSEY90qQbfSwEUVSqRDjtfj2w6IF53yxYfQix 9so6TIr5XHkcWjOfp/CFKduLevfkErjVYQ/cfXrar2oHwCKbCz9AUIF2KvjI5elLBrmm O33A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=oOEVQy6/vYsPPBbCDuYNVDdlEpt7DxDBL9eDlHjCtXE=; b=buDuymH/F2jnsXwFB1QMOJHxp6RN9duPuxjh535tkzOdd25GsY++/xFn+jtaelzSzY ZPtXg8I0XL+ha9JGFsKbx1UMZuJgWVAlHOKThx/J4zWsSnm0jgmA9xurfoPDyC4ucsQU yBxdVHBjMIgcjyYsMqEChDhMchgUvpaOchz+nFnRO+XhdOb/+xMo2mRvz54aZVHNL4KV 5J4dRUGDdEmEQN8QjeGfk4ftVzlAkv5RqFeiDyTO2VNPhY8yP6pcdUJZ9psC8NYOZ6aM wi08HU13bNq46jClqwsN9L7wBTndjb0Lg+YCdhYXnkFnucddwtm0TVMYQO9/wvkTbZCd ah6g==
X-Gm-Message-State: AFeK/H1Tn+rHiKivPup4xISiLSWZUYevVAtx42Fg003YajX9qqZR9/iv63Bp3kIJRL7WPwKPV/YQngyjcev212oX
X-Received: by 10.237.35.218 with SMTP id k26mr60401770qtc.60.1491866881916; Mon, 10 Apr 2017 16:28:01 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.12.128.166 with HTTP; Mon, 10 Apr 2017 16:28:01 -0700 (PDT)
In-Reply-To: <alpine.DEB.2.02.1704101753350.27978@uplift.swm.pp.se>
References: <CADo9JyU2wiEBB4L7ADSybt9se7jCN764JSEoHuGTcuiU_jDscQ@mail.gmail.com> <CAAedzxqR5bWTP_gou+hC5cgQ99tV275nX_ijm7iUok4-h+3wMQ@mail.gmail.com> <CADo9JyVfmhir8YtOR2mzzaaPL_9mBKgFmht6-SA50SfPmh9z6w@mail.gmail.com> <CAAedzxrck9+TBpEp-x8_tG-oxxKh4MQ4-x+iuGNGd6JsG=poQQ@mail.gmail.com> <CADo9JyUKb_c6SPigjUqngUyPvDsbN10TLZX0+B9r92xm6XGgAA@mail.gmail.com> <27524.1491594871@dooku.sandelman.ca> <CAAedzxo3Gp9ZhLeujZBC0vn9GO=+xHxkAstisoUAX1BCTEtYvQ@mail.gmail.com> <CADo9JyUr2rpZBjz5zMrrUmi8+gR9VGxBFhMLGVqFGYiWsOic6w@mail.gmail.com> <23307.1491830383@obiwan.sandelman.ca> <alpine.DEB.2.02.1704101549180.27978@uplift.swm.pp.se> <CADo9JyX6CzoxyxnGWq+sP+PM20DQUxYxvyqpHkDTJCWYUi99dg@mail.gmail.com> <alpine.DEB.2.02.1704101654550.27978@uplift.swm.pp.se> <CADo9JyW+PZEmSVg6oS5Pw2zPOr7rAeKAVy6QUtvVbgTkdVPqQg@mail.gmail.com> <alpine.DEB.2.02.1704101753350.27978@uplift.swm.pp.se>
From: David Bird <dbird@google.com>
Date: Mon, 10 Apr 2017 16:28:01 -0700
Message-ID: <CADo9JyWX-MCdQ5VxyGs8SKNEDmnpDUBanoOQZRwqL30rJxcUkQ@mail.gmail.com>
To: Mikael Abrahamsson <swmike@swm.pp.se>
Cc: captive-portals@ietf.org
Content-Type: multipart/alternative; boundary="001a113e3fda8cdb2a054cd853d6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/KlkD4Sr4ENAJHep8AiVYZM6aExI>
Subject: Re: [Captive-portals] time-based walled gardens
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Apr 2017 23:28:05 -0000
On Mon, Apr 10, 2017 at 8:57 AM, Mikael Abrahamsson <swmike@swm.pp.se> wrote: > On Mon, 10 Apr 2017, David Bird wrote: > > As far as being use-case specific, you mean the captive portal use-case? >> (I like to think that within captive portal use-cases, the ICMP concept is >> actually very use-case agnostic). If so, I see you point... but, this is >> the Capport WG. Perhaps we are now talking more generally about any >> 'network prompted portal interaction' ? >> > > I'm talking about "general network information". For me CAPPORT use-case > is one use-case for this kind of information. There are others. > > CAPPORT doesn't have to just solve its own problems, perhaps it'd be good > to try to come up with a slightly more generic solution and send it for > review in INT-AREA for instance? I keep mentioning ALTO because I see their > use-case as similar as well, but they invented their own discovery > mechanism. > > I took a quick look at ALTO. I'd have some concerns about the complexity and the high incentive for "attacker" or hostile behavior. The 5 Security subsections all seemed a bit scary, with the protection strategy for a server wanting to provide misleading information: To protect applications from undesirable ALTO information resources, it is important to note that there is no protocol mechanism to require conforming behaviors on how applications use ALTO information resources. An application using ALTO may consider including a mechanism to detect misleading or undesirable results from using ALTO information resources. For example, if throughput measurements do not show "better-than-random" results when using an ALTO cost map to select resource providers, the application may want to disable ALTO usage or switch to an external ALTO server provided by an "independent organization" (see AR-20 and AR-21 in [RFC6708 <https://tools.ietf.org/html/rfc6708>]). In public access networks, I think it is more appropriate to take the information you get and: trust, but verify. DHCP/RA gives you the portal URL, it might as well since it is also giving you your default route and IP. The network is providing notification, because it might as well, it is doing that anyway and the in-line components enforcing any limitation (NAS, rate-limiting, etc) have the information they need. Also, the ICMP error we're talking about, is that feature parity with > RFC7710? Because I would like to see DHCP options, RA options and ICMP > messages all being able to do the same thing. I could even imagine the ICMP > unreach message (perhaps very similar in content) be sent to a multicast > group on the LAN, completely replacing the RA/DHCP option? Or we could do > it using mDNS instead of in RA? Is there even work on feature parity using > mDNS instead? > > > No, the Capport ICMP protocol doesn't provide parity with rfc7710, rather works in combination. My first draft allowed for the portal URL in the ICMP message, but even with other precautions, the group quickly determined that was too risky for threat of an ICMP message sending you to an arbitrary site. It seems reasonable to separate 'notification' from 'configuration' in this way... > -- > Mikael Abrahamsson email: swmike@swm.pp.se >
- Re: [Captive-portals] Arguments against (any) Cap… Michael Richardson
- Re: [Captive-portals] Arguments against (any) Cap… David Bird
- Re: [Captive-portals] Arguments against (any) Cap… David Bird
- Re: [Captive-portals] Arguments against (any) Cap… Erik Kline
- Re: [Captive-portals] Arguments against (any) Cap… Erik Kline
- Re: [Captive-portals] Arguments against (any) Cap… Mark Nottingham
- [Captive-portals] time-based walled gardens Michael Richardson
- Re: [Captive-portals] time-based walled gardens David Bird
- Re: [Captive-portals] time-based walled gardens Michael Richardson
- Re: [Captive-portals] Arguments against (any) Cap… David Bird
- Re: [Captive-portals] time-based walled gardens David Bird
- Re: [Captive-portals] time-based walled gardens Mikael Abrahamsson
- Re: [Captive-portals] time-based walled gardens David Bird
- Re: [Captive-portals] time-based walled gardens Mikael Abrahamsson
- Re: [Captive-portals] time-based walled gardens David Bird
- Re: [Captive-portals] time-based walled gardens Mikael Abrahamsson
- Re: [Captive-portals] Arguments against (any) Cap… Lorenzo Colitti
- Re: [Captive-portals] time-based walled gardens David Bird
- Re: [Captive-portals] time-based walled gardens Dave Dolson
- Re: [Captive-portals] time-based walled gardens Erik Kline
- Re: [Captive-portals] time-based walled gardens David Bird
- Re: [Captive-portals] time-based walled gardens Mark Nottingham
- Re: [Captive-portals] time-based walled gardens Mark Nottingham
- Re: [Captive-portals] time-based walled gardens David Bird
- Re: [Captive-portals] time-based walled gardens David Bird
- Re: [Captive-portals] time-based walled gardens Mikael Abrahamsson
- Re: [Captive-portals] time-based walled gardens Niall Hogg
- Re: [Captive-portals] time-based walled gardens Mikael Abrahamsson
- Re: [Captive-portals] time-based walled gardens David Bird
- Re: [Captive-portals] time-based walled gardens Mikael Abrahamsson
- Re: [Captive-portals] time-based walled gardens David Bird
- Re: [Captive-portals] time-based walled gardens Christian Saunders
- Re: [Captive-portals] Arguments against (any) Cap… Dave Dolson
- Re: [Captive-portals] Arguments against (any) Cap… Martin Thomson
- Re: [Captive-portals] time-based walled gardens Erik Kline
- [Captive-portals] Arguments against (any) Capport… David Bird
- Re: [Captive-portals] Arguments against (any) Cap… Mikael Abrahamsson
- Re: [Captive-portals] Arguments against (any) Cap… David Bird
- Re: [Captive-portals] Arguments against (any) Cap… Kyle Larose
- Re: [Captive-portals] Arguments against (any) Cap… David Bird
- Re: [Captive-portals] Arguments against (any) Cap… Christian Saunders
- Re: [Captive-portals] Arguments against (any) Cap… David Bird
- Re: [Captive-portals] Arguments against (any) Cap… Mikael Abrahamsson
- Re: [Captive-portals] Arguments against (any) Cap… Tim Chown
- Re: [Captive-portals] Arguments against (any) Cap… David Bird
- Re: [Captive-portals] Arguments against (any) Cap… David Bird
- Re: [Captive-portals] Arguments against (any) Cap… Michael Richardson
- Re: [Captive-portals] Arguments against (any) Cap… Erik Kline
- Re: [Captive-portals] Arguments against (any) Cap… Erik Kline
- Re: [Captive-portals] Arguments against (any) Cap… David Bird
- Re: [Captive-portals] Arguments against (any) Cap… Christian Saunders
- Re: [Captive-portals] Arguments against (any) Cap… David Bird
- Re: [Captive-portals] Arguments against (any) Cap… David Bird
- Re: [Captive-portals] Arguments against (any) Cap… Dave Dolson
- Re: [Captive-portals] Arguments against (any) Cap… Christian Saunders
- Re: [Captive-portals] Arguments against (any) Cap… Dave Dolson
- Re: [Captive-portals] Arguments against (any) Cap… Dave Dolson
- Re: [Captive-portals] Arguments against (any) Cap… David Bird
- Re: [Captive-portals] Arguments against (any) Cap… Christian Saunders
- Re: [Captive-portals] Arguments against (any) Cap… Christian Saunders
- Re: [Captive-portals] Arguments against (any) Cap… David Bird
- Re: [Captive-portals] Arguments against (any) Cap… Christian Saunders
- Re: [Captive-portals] Arguments against (any) Cap… Sascha.Dech
- Re: [Captive-portals] Arguments against (any) Cap… David Bird
- Re: [Captive-portals] Arguments against (any) Cap… Vincent van Dam
- Re: [Captive-portals] Arguments against (any) Cap… David Bird
- Re: [Captive-portals] Arguments against (any) Cap… David Bird
- Re: [Captive-portals] Arguments against (any) Cap… Michael Richardson
- Re: [Captive-portals] Arguments against (any) Cap… Michael Richardson
- Re: [Captive-portals] Arguments against (any) Cap… Michael Richardson
- Re: [Captive-portals] Arguments against (any) Cap… David Bird
- Re: [Captive-portals] Arguments against (any) Cap… David Bird
- Re: [Captive-portals] Arguments against (any) Cap… David Bird
- Re: [Captive-portals] Arguments against (any) Cap… Martin Thomson
- Re: [Captive-portals] Arguments against (any) Cap… David Bird
- Re: [Captive-portals] Arguments against (any) Cap… Vincent van Dam
- Re: [Captive-portals] Arguments against (any) Cap… Martin J. Dürst
- Re: [Captive-portals] Arguments against (any) Cap… David Bird
- Re: [Captive-portals] Arguments against (any) Cap… Erik Kline
- Re: [Captive-portals] Arguments against (any) Cap… David Bird
- Re: [Captive-portals] Arguments against (any) Cap… David Bird
- Re: [Captive-portals] Arguments against (any) Cap… Erik Kline
- Re: [Captive-portals] Arguments against (any) Cap… David Bird
- Re: [Captive-portals] time-based walled gardens David Bird
- Re: [Captive-portals] time-based walled gardens Mark Nottingham
- Re: [Captive-portals] time-based walled gardens Mikael Abrahamsson
- Re: [Captive-portals] time-based walled gardens David Bird
- Re: [Captive-portals] time-based walled gardens Kyle Larose
- Re: [Captive-portals] time-based walled gardens David Bird
- Re: [Captive-portals] time-based walled gardens Erik Kline