Re: [Captive-portals] Use Case: "Carrier Grade Captive Portal"
David Bird <dbird@google.com> Wed, 17 May 2017 15:16 UTC
Return-Path: <dbird@google.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC3C012EB9C for <captive-portals@ietfa.amsl.com>; Wed, 17 May 2017 08:16:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.301
X-Spam-Level:
X-Spam-Status: No, score=-1.301 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IxU-YEw8FDWT for <captive-portals@ietfa.amsl.com>; Wed, 17 May 2017 08:16:35 -0700 (PDT)
Received: from mail-it0-x22f.google.com (mail-it0-x22f.google.com [IPv6:2607:f8b0:4001:c0b::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C6D8812947B for <captive-portals@ietf.org>; Wed, 17 May 2017 08:11:56 -0700 (PDT)
Received: by mail-it0-x22f.google.com with SMTP id o5so83139209ith.1 for <captive-portals@ietf.org>; Wed, 17 May 2017 08:11:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Ux5yephVF8bcjnBfzpbLG1rWzOs976UfzKAKVG2vFVU=; b=bE61jAVQIwYgwZOVObM4ffepmzEv/Po1QSE+MtjADLqblK9N7kHtJbHTeHwL0lPHHM uS3l9vlHa4l3xyn5zhsBGsItuhwU9iCm2zUSJhJBoMgco6MEl+pXKVMY4fV4j3Q2E9jL Y23ejyhD8Tk3mYyViSAxQgPe1wUzzC5vIYxiRXmGyTb4auM/rRlgwE0g8JH3KwqRJ9z3 Vsf4vi7IoIpUMnNlJhtjFYBZ+64UidEI59g8cvIHNAjhzAtZUQAEoD9DIS64GxAXXHXB yLKUX8JkamsYCUM2yJdcq2UGL9Qh+59j2drdaCS6T3xsZsxF1lqHAux/ZCJbWnYdb269 j1wg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Ux5yephVF8bcjnBfzpbLG1rWzOs976UfzKAKVG2vFVU=; b=LhstiJoPYoUhZB/BfdMgOBelRnaestd/Fttof1Snlx+yWQKzSzL8h8EnUeCEKkWHyZ 6TQS7jlzi5KPmj9sZLt7JgYWnCGnpkVEAyK8Nxc+EFHJDy2LEsZAGLndtzsQLTRj1zCN kxrmFIdh6zD3ygEqVG4kFrLxyBBMUtzBUsdl0zpMfnti7Z9KsOJdf/voTQsfn0WAEkQA emafkeYVen5o3J8NisgcgzbJA9S3mmmtfdJL4ICbhMViCikDNLj+bzMUeIq59vs50Tfe JwjRA1JMAf+gJPckXzRyY1Twg6fEoFLpic//otSup3XuAsgJl7/MkyLrDDPiXFEhKQDC 8GWA==
X-Gm-Message-State: AODbwcDKJsW+rExJTk72axGV/9jnGAJ96dL4TAxz582jbKWprPAKBnST T58wy5t0iKFXVNKPHpdoDxkV6tClIwEr
X-Received: by 10.36.0.86 with SMTP id 83mr17599927ita.63.1495033915731; Wed, 17 May 2017 08:11:55 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.79.12.147 with HTTP; Wed, 17 May 2017 08:11:54 -0700 (PDT)
In-Reply-To: <8951dd0a-044b-b3ed-4454-e24fac407c4e@netcologne.de>
References: <201705031442.50683.heiko.folkerts@bsi.bund.de> <8951dd0a-044b-b3ed-4454-e24fac407c4e@netcologne.de>
From: David Bird <dbird@google.com>
Date: Wed, 17 May 2017 08:11:54 -0700
Message-ID: <CADo9JyVdkzrtWE6RMt3CVYCkHrdB=+LKA9eDazN8Xf+R=Vza_Q@mail.gmail.com>
To: Gunther Nitzsche <gnitzsche@netcologne.de>
Cc: captive-portals@ietf.org, Heiko Folkerts <heiko.folkerts@bsi.bund.de>, "Herzig, Willi" <willi.herzig@bsi.bund.de>
Content-Type: multipart/alternative; boundary="001a11c00bfa79cb13054fb9b516"
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/MPmKWgraC2kUFyOHGyV6wfWqCcw>
Subject: Re: [Captive-portals] Use Case: "Carrier Grade Captive Portal"
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 May 2017 15:16:38 -0000
Thanks for your input!... a few comments inline. On Tue, May 16, 2017 at 9:33 AM, Gunther Nitzsche <gnitzsche@netcologne.de> wrote: > The different solutions mentioned on this mailing list do not all aim at > our > specific scenario; but some do and could help us. I want to pick a few: > > Not preferred by us: > > * ICMP response: > 1) we tunnel our blocked clients via l2tp to a dedicated lns, from > there a GRE > tunnel reaches a squid proxy, redirecting all requests via iptables to > local port 80 and 443. > I doubt that ICMP responses would work here..maybe.. > > We need to stop the 443 redirecting! Thus far, I don't see any reason why ICMP wouldn't work. In fact, if *no* ICMP worked, some basic networking stops working (general dest unreach, MTU discovery, etc). 2) more and more providers will use IPv6 and/or NAT Scenarios to > handle their customers > That sounds difficult to implement (icmp via v6 via NAT ..) > > There is ICMP for v6 and typically captive portal enforcement happens prior to NAT'ing to the Internet. > 3) A lot of customers will have same kind of personal firewall in place > which might > just block any ICMP traffic. > > Again, probably not all ICMP is blocked and this becomes UE dependent - e.g. if capport detection uses a raw packet socket it will see packets prior to firewalling. > 4) the icmp response may just be ignored and does not force anything > > That is by design, in some respects. The "capport compliant" device will not ignore these messages (by definition). "Legacy" devices would ignore them, and they will still depend on the HTTP redirect. > 5) the relocation page to be shown instead is probably not part of the > icmp message. > > The separation of "configuration" and "notification" is by design. > > => If the customers wants to communicate via a browser, then we should > answer > via the browser. All other separate communication forms may work but are > unreliable > and are dependent on the customer setup. > > Increasingly, it is the operating system's captive portal detection that is detecting the need for portal interaction. I agree that it is convenient to have an in-line HTTP response with the redirect or 511 status code, but plain old HTTP is becoming obsolete. Hijacking HTTPS to return a 511 response is a bad idea. The ICMP approach gives 'notification' without requiring (in-line protocol dependent) man-in-the-middle responses and is protocol agnostic. > > * DHCP Option: well, that reaches the dhcp-router (cpe), not the > browser of the > customers device. While there is an option "160" to redirect traffic > (RFC 7710) this option is > currently not really supported by vendors. This option is also not > transparent to > the enduser; it will only be received by the cpe. It is still unknown > how the enduser's browser > will be informed through this mechanism. > * no other access mechanisms are covered by this. (e.g. radius) so only > a subset of > users could be reached at all. > > * layer 2 solutions: they all do not reach the enduser (at least in our > case:) > > It isn't clear to me how subscriber UEs get assigned their IP addresses in your network; they don't use DHCP? The UE browser will be 'informed' of the captive portal URL by the captive portal detection mechanism (OS/vendor dependent like today). There is a bit of a race condition between the captive portal detection mechanism and the human interacting with the browser in real-time. However, it is possible for browsers (or any Apps) to integrate with the platform captive portal detection service to get additional information like the portal URL. Agreed that UE (and browser) behaviors need to be better defined, but that gets tricky to mandate in RFC, imho. What we can do is define networking 'building blocks' and recommendations on how vendors build user experiences with them.
- [Captive-portals] Use Case: "Carrier Grade Captiv… Heiko Folkerts
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… David Bird
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Dave Dolson
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Warren Kumari
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Erik Kline
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Mark Nottingham
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Michael Richardson
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Gunther Nitzsche
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… David Bird
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Gunther Nitzsche
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… David Bird
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Dave Dolson
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Vincent van Dam
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Erik Kline
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Livingood, Jason
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Martin Thomson
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Livingood, Jason
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Martin Thomson
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Gunther Nitzsche
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Erik Kline
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Michael Richardson
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… David Bird
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Vincent van Dam
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Dave Dolson
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Eric Vyncke (evyncke)
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Erik Kline
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Dave Dolson
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Tommy Pauly
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… David Bird
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Dave Dolson
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Dave Dolson
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Tommy Pauly
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Tommy Pauly
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… David Bird