IETF Logo Mail Archive

Re: [Captive-portals] Review of draft-ietf-capport-rfc7710bis

Remi NGUYEN VAN <reminv@google.com> Wed, 31 July 2019 04:04 UTC

Return-Path: <reminv@google.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D1B5120058 for <captive-portals@ietfa.amsl.com>; Tue, 30 Jul 2019 21:04:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.4
X-Spam-Level:
X-Spam-Status: No, score=-17.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wLaQoB1B2HIG for <captive-portals@ietfa.amsl.com>; Tue, 30 Jul 2019 21:04:01 -0700 (PDT)
Received: from mail-io1-xd35.google.com (mail-io1-xd35.google.com [IPv6:2607:f8b0:4864:20::d35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BBBAF12002E for <captive-portals@ietf.org>; Tue, 30 Jul 2019 21:04:01 -0700 (PDT)
Received: by mail-io1-xd35.google.com with SMTP id s7so133111707iob.11 for <captive-portals@ietf.org>; Tue, 30 Jul 2019 21:04:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=WLZl5Tw9QCImGNc/6uJjNDfNtJMBnbC7ZJ2xX2z3w7s=; b=JxS+b3Ir/yDQtEmW1z7k0V+IIfMyIt7W3wOzRKC/uyNmNk6dgrmos6qYNC3zh00/cl 205v32xMdMJE3eWekdELS+MDPh6eHmmSVnhNxBvk44/7YXwibuF8rphtmjD/mnh6pb1D HiO5RBuPNQkX/BZjq5ZahMgBROLoSNzJdomSVG1I5l7pWYMui3jEtUbAfWHTCQaPk/iy ZoCmpqALuW7geDkgSnQB9BDUmy77g864o05YcWp5KQbXKDMqnWjNcuMfWiHjL58/jNsE OUpTV4crnh8P6Jr7n6KpZPY7XaDD0IBJfmVDQa8S8/liYao2rYNo+k1hOIgtxvPhRh1u L/Qw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=WLZl5Tw9QCImGNc/6uJjNDfNtJMBnbC7ZJ2xX2z3w7s=; b=i4Y9jJj+ng+xYD1nKKV6UAytVufrRtn9d2GtWz5gXG8Mg9Idmy9PZszcby7WxIpR/Z rdkv1K56OxAgssSm9Dx/5z4DmyysWKV36WDyr9KBNr8voFe3WaRzYlKQza7hyxyTgbgg aJHNB0yLg/wSgrLcfjMEOEJUr4fTWvJFYlcTgGJ81W8FYL8MWLxOxzB3sAFNv6KNBNjf yJz1rIrNgjgVFfjzF92MCHkxvopC6yLikXt9SOtMo21MYikt4zgcci1bjYZ7yrL1ZoPH XXpmPibGMeBCyXttFkmMteBVcrVckOD26j4gQsuEWfgAbVV0BJQgioeMUhT+SqLmorch C/Qw==
X-Gm-Message-State: APjAAAW3nWn+m5HH+GBnguQnxoikPR+mwvZtKveg0bLAwEeA2SNqbpxG qYlPpjTF/mYdQykTPPPHehk1wBVT+v/BxJY5M/I5Fw==
X-Google-Smtp-Source: APXvYqxadoIuIdGmxlgEhE8FRhqadPHda+XJ239Q8M7bJ9gGvRk9O6C+XRM7StEJqm2zX743nXZ0cXJFE0hJBuYJ3dg=
X-Received: by 2002:a6b:4101:: with SMTP id n1mr85014807ioa.138.1564545840696; Tue, 30 Jul 2019 21:04:00 -0700 (PDT)
MIME-Version: 1.0
References: <CAKD1Yr32DXr8fYHP_x7z9pQWwSchey8zQW11vw02bW9ONEV8Kg@mail.gmail.com> <01ad5bf0-1f60-4dbb-aa83-31d14fce6082@www.fastmail.com> <CAKD1Yr08LmfDhmDLqpR87iQQ4Z61CVpR9BTDeRHobpsvVxFJvA@mail.gmail.com> <CADo9JyW6TmBnr5f0AuSXKnKMXnMxGhMkgYbGQ1WYOQjSMefy=w@mail.gmail.com> <CAKD1Yr1Zo0NQod=p4ZqT6fJYJ=Xqh1q8eJT2+ich+p7Jmg1WiA@mail.gmail.com> <CADo9JyX1T8AnxirXLfGdcJzmjvy5_UGJktnbYByAuO7H++y8uA@mail.gmail.com> <CAKD1Yr0C_KEUpGUC-wbAV-ufG_VpNposecmzNQU5rEXaCeSZNQ@mail.gmail.com> <26405.1564182227@dooku.sandelman.ca> <CAKxhTx_CngPfs3V8sZ5n0SYbTN4zcu3L_cvGuLpbLJOZYu-1Kg@mail.gmail.com> <14eba834-e18a-4324-8baa-3a8b90cdaec4@www.fastmail.com> <CAFaTyiG_LxmyaSvBcqKgkYb9-SiaMcDr1khPV7oV-AVs85_x8g@mail.gmail.com> <348d27e7-6668-4323-aa75-663351da737d@www.fastmail.com>
In-Reply-To: <348d27e7-6668-4323-aa75-663351da737d@www.fastmail.com>
From: Remi NGUYEN VAN <reminv@google.com>
Date: Wed, 31 Jul 2019 13:03:49 +0900
Message-ID: <CAKxhTx_tmkvZLrUTZMC9JnBibcXK8_4LqCHA0iWu4nQH0Nc--A@mail.gmail.com>
To: Martin Thomson <mt@lowentropy.net>
Cc: Chris Spencer <chris.spencer@globalreachtech.com>, captive-portals <captive-portals@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="0000000000001b3a54058ef23728"
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/MpLy_O6BJyBtS0BvnK0hqi6mJSg>
Subject: Re: [Captive-portals] Review of draft-ietf-capport-rfc7710bis
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Jul 2019 04:04:05 -0000

I think we can either try to solve this problem by having the client send
an identifier to the API, or state that the API needs to be hosted inside
the network.
If we go with option 2, I'm afraid many vendors may just rely on DHCPv4 or
Link-Relation redirects to give different URLs based on the client, which
would hurt IPv6 adoption. So I'm wondering if option 1 (for example having
the client send an identifier in the host header of the API request) might
be strategically better.

Cheers,

Remi


On Wed, Jul 31, 2019 at 12:56 PM Martin Thomson <mt@lowentropy.net> wrote:

> If DHCP is used, then it is possible to customize the API URL to include
> per-device information.  In that case, the API could be remote.
>
> However, an IPv6 RA has to contain information that is the same for every
> device in the network.
>
> On Wed, Jul 31, 2019, at 13:44, Chris Spencer wrote:
> > Please forgive, I'm new to this group and trying to come up to speed.
> >
> > Would not a feed of option 82 rather than create a new API work? option
> > 82 can carry MAC/IP (it could create a GUID/UUID) and other location
> > identifiers? if the external portal could get a feed of this, the
> > portal at layer 3 could look up the device MAC from the option 82
> > elements by the IP? or if the DHCP server is centralised along with the
> > portal architecture and DHCP relay is used on the local site?
> >
> > -
> > DHCP Option 82 Overview
> > If DHCP option 82 is enabled on a VLAN or bridge domain, then when a
> > network device—a DHCP client—that is connected to the VLAN or bridge
> > domain on an untrusted interface sends a DHCP request, the switching
> > device inserts information about the client's network location into the
> > packet header of that request."
> >
> >
> > On Wed, 31 Jul 2019 at 04:24, Martin Thomson <mt@lowentropy.net> wrote:
> > > This is one of the costs of this architecture. If the external system
> (portal HTML, etc...) needs access to identifiers, then the API endpoint
> will have to decorate the URLs it provides. That might mean having the API
> endpoint inside the network, where it can see source IP or BSSID or
> whatever is being used for identification.
> > >
> > >  An external service won't be able to validate any identifier it
> receives in this way, so you might want to make the decoration a little
> more complex than a simple addition of `?ip=192.0.2.3`. Of course, the
> worst I can think of (offhand) is that someone could pay for my network
> access.
> > >
> > >  On Mon, Jul 29, 2019, at 13:51, Remi NGUYEN VAN wrote:
> > >  > So to summarize, we've got a problem where the WLAN controller has
> some
> > >  > rules to know who is blocked / allowed (probably based on mac
> address
> > >  > ?), and can advertise a single API URL through DHCP / RAs /
> > >  > Link-Relation and generate redirects, but does not have
> capabilities to
> > >  > serve login pages or the API: this is handled by another box
> upstream
> > >  > which has more capabilities like handling payment pages etc, and
> holds
> > >  > the SSL certs. Because the API uses HTTPS (contrary to lots of
> login
> > >  > pages), the WLAN controller can't easily insert identity of the
> > >  > requestor in the request and the API has no way to know who it's
> > >  > replying to.
> > >  >
> > >  > Since we can't advertise different addresses for different clients
> in
> > >  > RAs, how about having the client add a session identifier in their
> API
> > >  > requests ? Having the client add a mac address in an HTTP request
> > >  > header field would be a solution. Many devices are using random
> > >  > per-SSID mac addresses now, so this sounds like a reasonable
> identifier
> > >  > for the device to give to the API server (which could get it anyway
> > >  > through some complicated setup).. It would be possible for clients
> to
> > >  > make requests for API data of other clients (assuming they know
> their
> > >  > mac address), but that's already possible by spoofing the address
> > >  > anyway.
> > >  >
> > >  > Cheers,
> > >  >
> > >  > Remi
> > >  >
> > >  >
> > >  > On Sat, Jul 27, 2019 at 8:04 AM Michael Richardson
> > >  > <mcr+ietf@sandelman.ca <mailto:mcr%2Bietf@sandelman.ca> <mailto:
> mcr%2Bietf@sandelman.ca <mailto:mcr%252Bietf@sandelman.ca>>> wrote:
> > >  > >
> > >  > > Lorenzo Colitti <lorenzo=40google.com@dmarc.ietf.org> wrote:
> > >  > > > Is there a problem with saying that the portal server should
> identify the
> > >  > > > device by IP address?
> > >  > >
> > >  > > Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org> wrote:
> > >  > > > To that end, any enforcement of other traffic (such as normal
> web page
> > >  > > > loading) will not be carrying any session identifier, so only
> signals
> > >  > > > that are already present in the packets, such as the IP
> address, are
> > >  > > > effectively useful here.
> > >  > >
> > >  > > It's not obvious to me that you are talking about the same thing!
> > >  > > The portal server *could* use IP address as the key by which to
> identify
> > >  > > the device to the Captive Portal Enforcer.
> > >  > >
> > >  > > That requires that the access to the Captive Portal Server to
> always
> > >  > > be on the same side of a NAT44 as the client, and I don't think
> that is
> > >  > > realistic given how these services are outsourced.
> > >  > >
> > >  > > (In architecture-04, we have "Captive Portal Enforcement", which
> seems
> > >  > > to be an activity, while the description is about a thing. So I
> think
> > >  > > that either the word "Point" should be added, or
> Enforcement->Enforcer)
> > >  > >
> > >  > > The Captive Portal Enforcer SHOULD enable traffic based upon the
> mapped
> > >  > > L2 address, otherwise, there would have to be a new portal
> session for
> > >  > > IPv4 and IPv6, and for each new IPv6 temporary/privacy address.
> > >  > > I don't think we want that. It would also, I think, force the
> portal
> > >  > > server to speak both v4 and v6.
> > >  > >
> > >  > > The communication between Captive Portal Server and Captive
> Portal Enforcer
> > >  > > COULD identify the client by L3 address, but I wouldn't want to
> build things
> > >  > > that way, because it would result in a poor experience for
> returning users,
> > >  > > such as sleepy phones, or hotel guests that might leave the hotel
> and then
> > >  > > return later in the day, and expect their 24hr pass to just work,
> despite
> > >  > > DHCP leases being much shorter.
> > >  > >
> > >  > > --
> > >  > > Michael Richardson <mcr+IETF@sandelman.ca <mailto:
> mcr%2BIETF@sandelman.ca> <mailto:mcr%2BIETF@sandelman.ca <mailto:
> mcr%252BIETF@sandelman.ca>>>, Sandelman Software Works
> > >  > > -= IPv6 IoT consulting =-
> > >  > >
> > >  > >
> > >  > >
> > >  > > _______________________________________________
> > >  > > Captive-portals mailing list
> > >  > > Captive-portals@ietf.org
> > >  > > https://www.ietf.org/mailman/listinfo/captive-portals
> > >  > _______________________________________________
> > >  > Captive-portals mailing list
> > >  > Captive-portals@ietf.org
> > >  > https://www.ietf.org/mailman/listinfo/captive-portals
> > >  >
> > >  > Attachments:
> > >  > * smime.p7s
> > >
> > >  _______________________________________________
> > >  Captive-portals mailing list
> > > Captive-portals@ietf.org
> > > https://www.ietf.org/mailman/listinfo/captive-portals
> >
> >
> > --
> > Chris Spencer (D.Sc.)
> > Chief Technology Officer
> > Global Reach Technology Inc.t. +44 20 7831 5630  <tel:+442078315630>x.
> > 1107 m. +44 7894 391127 <tel:+447894391127>e.
> > chris.spencer@globalreachtech.comw. www.globalreachtech.comUK. 110
> > Cannon Street, London, EC4N 6EU
> > <
> https://www.google.com/maps/place/110+Cannon+St,+London+EC4N+6EU/@51.5108556,-0.0902022,17z/data=!3m1!4b1!4m5!3m4!1s0x48760353f58858c5:0xeb84b17451c1f57f!8m2!3d51.5108556!4d-0.0880135>US.
> 6203 San Ignacio Avenue, San Jose, CA 95119 <
> https://www.google.com/url?q=https://goo.gl/maps/JzwN68rbeUL2&sa=D&ust=1520535483922000&usg=AFQjCNFwcEcNSH8GeM_bPRMmr6BPUfglGg>Follow
> me on twitter @DrCSpencer <https://twitter.com/DrCSpencer>Together lets
> #makewifibetter <https://twitter.com/search?q=%23makewifibetter>The
> contents of this message are private and confidential. Intended for the
> exclusive use of the person named above and may be legally privileged.
> Should you receive this message by mistake, please be advised that its use,
> duplication or distribution is strictly prohibited. In any circumstances,
> please contact us immediately upon receipt by telephone.
> >
>
> _______________________________________________
> Captive-portals mailing list
> Captive-portals@ietf.org
> https://www.ietf.org/mailman/listinfo/captive-portals
>

v2.23.0 | Report a Bug | By Email