Re: [Captive-portals] Éric Vyncke's No Objection on draft-ietf-capport-architecture-08: (with COMMENT)
David Dolson <ddolson@acm.org> Mon, 15 June 2020 02:32 UTC
Return-Path: <ddolson@acm.org>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B55D13A08AC; Sun, 14 Jun 2020 19:32:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.234
X-Spam-Level:
X-Spam-Status: No, score=-1.234 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_SOFTFAIL=0.665, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aTYbJ2lnzFoL; Sun, 14 Jun 2020 19:31:59 -0700 (PDT)
Received: from smtp1.execulink.net (smtp1.execulink.net [69.63.44.82]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D6DEA3A08AA; Sun, 14 Jun 2020 19:31:58 -0700 (PDT)
Received: from webmail.execulink.ca ([199.166.6.210]) by smtp1.execulink.net with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.3) (envelope-from <ddolson@acm.org>) id 1jkeui-0005OK-LA; Sun, 14 Jun 2020 22:31:57 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Date: Sun, 14 Jun 2020 22:31:56 -0400
From: David Dolson <ddolson@acm.org>
To: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
Cc: Kyle Larose <kyle@agilicus.com>, The IESG <iesg@ietf.org>, draft-ietf-capport-architecture@ietf.org, capport-chairs@ietf.org, captive-portals <captive-portals@ietf.org>, Martin Thomson <mt@lowentropy.net>
Reply-To: ddolson@acm.org
In-Reply-To: <3E1A71D0-F0BC-411D-9A0A-062054DB5EDB@cisco.com>
References: <159162520700.29504.9009111229374325326@ietfa.amsl.com> <CACuvLgywX+6jejmcP6mvOQkcraGXpugv_DUjVev__ON3KaqFDw@mail.gmail.com> <DBD270C7-9B34-4CAF-A73B-13B135F38893@cisco.com> <CACuvLgzUfKxbOn51k7uipW1osTDHBrZWbtGZn29PUS2w0b41pg@mail.gmail.com> <3E1A71D0-F0BC-411D-9A0A-062054DB5EDB@cisco.com>
User-Agent: Roundcube Webmail/1.4-git
Message-ID: <bcb3e3762d803920f70f830ae77d6896@acm.org>
X-Sender: ddolson@acm.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/LDyu-cJpxpPQB_CVcaI_jJmbGQM>
Subject: Re: [Captive-portals] Éric Vyncke's No Objection on draft-ietf-capport-architecture-08: (with COMMENT)
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Jun 2020 02:32:01 -0000
One comment from me regarding this exchange: > > Typically User Equipment is permitted access to a small > number of > > services and is > > denied general network access until it satisfies the > Captive Portal > > Conditions. > > > > Perhaps we could add some language indicating that this isn't > intended > > to be a normative requirement -- the restrictions placed by > the > > captive portal depend on its use-case. > EV> you may add "(.g., local communication)" after "small number of services" ? KL> Thanks for the suggestion! We'll clarify along those lines. I don't think "local", implying physical proximity, is the correct word. There are multiple technologies for serving DHCP, DNS, user portal, API, etc. from *remote* machines. I feel that adding "e.g., local communication" would add more confusion than clarity. How about, "... permitted access to a small number of services (according to the policies of the network provider) and is denied general network access..." -Dave On 2020-06-14 11:30, Eric Vyncke (evyncke) wrote: > Thank you Kyle, I appreciate your answer and your comments. > > Good to go ;-) > > -éric > > -----Original Message----- > From: Kyle Larose <kyle@agilicus.com> > Date: Sunday, 14 June 2020 at 17:07 > To: Eric Vyncke <evyncke@cisco.com> > Cc: The IESG <iesg@ietf.org>, > "draft-ietf-capport-architecture@ietf.org" > <draft-ietf-capport-architecture@ietf.org>, "capport-chairs@ietf.org" > <capport-chairs@ietf.org>, captive-portals <captive-portals@ietf.org>, > Martin Thomson <mt@lowentropy.net> > Subject: Re: Éric Vyncke's No Objection on > draft-ietf-capport-architecture-08: (with COMMENT) > > Thanks again, Eric. > > Resposnes inline. I'll take the same approach as you did, with KL> > > On Tue, 9 Jun 2020 at 17:33, Eric Vyncke (evyncke) > <evyncke@cisco.com> wrote: > > > > Hello Kyle > > > > Thank you for the prompt reply, look for EV> for any remaining > non-blocking comments of mine > > > > -eric > > > > -----Original Message----- > > From: Kyle Larose <kyle@agilicus.com> > > Date: Tuesday, 9 June 2020 at 14:43 > > To: Eric Vyncke <evyncke@cisco.com> > > Cc: The IESG <iesg@ietf.org>, > "draft-ietf-capport-architecture@ietf.org" > <draft-ietf-capport-architecture@ietf.org>, "capport-chairs@ietf.org" > <capport-chairs@ietf.org>, captive-portals <captive-portals@ietf.org>, > Martin Thomson <mt@lowentropy.net> > > Subject: Re: Éric Vyncke's No Objection on > draft-ietf-capport-architecture-08: (with COMMENT) > > > > Hi Éric, > > > > Thanks for the review! > > > > Responses inline. > > > > On Mon, 8 Jun 2020 at 10:07, Éric Vyncke via Datatracker > > <noreply@ietf.org> wrote: > > > > > > Éric Vyncke has entered the following ballot position for > > > draft-ietf-capport-architecture-08: No Objection > > > > > > > > > ---------------------------------------------------------------------- > > > COMMENT: > > > > ---------------------------------------------------------------------- > > > > > > Thank you for the work put into this document. The > document is easy to read. I > > > also appreciate the fact that "devices without user > interfaces" are not ignored > > > by this document. > > > > > > Please find below a couple on non-blocking COMMENTs. A > response/comment for > > > those COMMENT will be read with interest. > > > > > > I hope that this helps to improve the document, > > > > > > Regards, > > > > > > -éric > > > > > > == COMMENTS == > > > > > > Is there a reason why the words "captive portal" do not > appear in the abstract? > > > This would assist normal human beings (outside of the WG) > to find the document. > > > > > > > Good point! We'll fix that up. > > > > > I found no text about what happens to the traffic inside > the captive network. > > > Is it allowed even when still in captive mode ? > > > > This would be up to the network operator, I suppose -- they > define the > > extent of the walled garden. The only hosts that must be > reachable are > > any necessary to perform the workflows related to gaining > access. The > > document mentions those in a few places. In section 2.4, the > document > > states: > > > > Typically User Equipment is permitted access to a small > number of > > services and is > > denied general network access until it satisfies the > Captive Portal > > Conditions. > > > > Perhaps we could add some language indicating that this isn't > intended > > to be a normative requirement -- the restrictions placed by > the > > captive portal depend on its use-case. > > > > EV> you may add "(.g., local communication)" after "small number > of services" ? > > KL> Thanks for the suggestion! We'll clarify along those lines. > > > > > > > -- Section 1.2 -- > > > Even if the document support "devices without user > interfaces", I wonder why > > > the I-D uses "User Equipment" rather than "Client > Equipment" (which is also > > > more aligned with "Server"). Nothing dramatic, just > curious about the reason. > > > > > > > This is the language that evolved during our discussions. I > can't > > recall any particular reason we chose this. > > > > Does anyone with a better memory than me remember why we > chose User > > Equipment over Client Equipment? > > > > EV> nothing critical and possibly impacting too many other > documents to be changed now > > > > > -- Section 2.1 -- > > > "At this time we consider only devices with web browsers" > while the previous > > > text was about "devices without user interfaces". Finally, > is this document for > > > devices with or without human interface ? > > > > When we first set out to tackle the architecture, we were > hoping to > > solve the problem for devices without user interfaces. > However, the > > working group aligned on solving it for the simpler use-case > of > > devices with user interfaces. > > > > To ensure we're talking about the same thing, the earlier > text you're > > referring to is this, correct? > > > > EV> correct > > > > -- Section 1 -- > > > > A side-benefit of the architecture described in this > document is that > > devices without user interfaces are able to identify > parameters of > > captivity. However, this document does not yet describe > a mechanism > > for such devices to escape captivity. > > > > Our intent was to point out that solutions for devices > without user > > interfaces could be developed using the mechanisms provided > by the > > architecture, but that those solutions were out of scope for > the > > document. > > > > Which text do you think conflicts with that? Perhaps we > should > > rephrase it to be less confusing. > > > > EV> I would suggest that at the first mention of " devices > without user interfaces", the text mention "for future version" or > something in the same line. The focus on user-interface devices is > written a little too deep in the document, should come earlier in the > text to avoid confusion. > > KL> Thanks again for the suggestion. In section 1, where we first > mention these devices, I'll add text along the following lines: > > "A future document could provide a solution for devices without > user > interfaces. This document focuses on devices with user interfaces." > > > > > > > > > -- Section 2.6 -- > > > While the components are described as being optional > collocated, what about > > > resiliency ? I.e., having two different instances on one > component. > > > > > > > That's a good point (and one I was thinking about the other > day!) We > > should add some text pointing that out. Let's mention scale > for good > > measure as well. > > > > > -- Section 3.4.2 --- > > > While I appreciate that the section contains text about > multiple IPv6 > > > addresses, I suggest to mention the dual-stack use case > explicitly. > > > > > > > I.e. something like > > > > "Further attention should be paid to a device using > dual-stack > > [rfc4213]: it could have both an IPv4 and an IPv6 address at > the same > > time. There could be no properties in common between the two > > addresses, meaning that some form of mapping solution could > be > > required to form a single identity from the two address" > > > > EV> perfect ;-) > > > > > -- Section 3.4 -- > > > I was expecting to see the MAC address also used as > identifier. Is there any > > > reason why it is not mentioned? If so, may I suggest to > document the absence of > > > a MAC address section in the examples? > > > > > > > This was also raised during an earlier last call. The primary > reason > > to leave it out was brevity, but there were some concerns > about its > > security as well. Perhaps we can leave a simple note along > the lines > > of the following since it is likely others will ask the same > question: > > > > "The MAC address of a device is often used as an identity in > existing > > implementations. A discussion of it has been omitted for > brevity, but > > the MAC address could be used subject to the criteria in > section 3.2" > > > > EV> could be good. And, I am not sure whether it is more > difficult to spoof an IP address vs. a MAC address. But, the added > text is enough for me > > > > -éric > > > > > > > > > > > > Thanks! > > > > Kyle > >
- [Captive-portals] Éric Vyncke's No Objection on d… Éric Vyncke via Datatracker
- Re: [Captive-portals] Éric Vyncke's No Objection … Kyle Larose
- Re: [Captive-portals] Éric Vyncke's No Objection … Eric Vyncke (evyncke)
- Re: [Captive-portals] Éric Vyncke's No Objection … Kyle Larose
- Re: [Captive-portals] Éric Vyncke's No Objection … Eric Vyncke (evyncke)
- Re: [Captive-portals] Éric Vyncke's No Objection … David Dolson
- Re: [Captive-portals] Éric Vyncke's No Objection … Eric Vyncke (evyncke)