IETF Logo Mail Archive

Re: [Captive-portals] I-D Action: draft-ietf-capport-api-00.txt

Tommy Pauly <tpauly@apple.com> Tue, 06 February 2018 01:04 UTC

Return-Path: <tpauly@apple.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1EA4C12DA28 for <captive-portals@ietfa.amsl.com>; Mon, 5 Feb 2018 17:04:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.33
X-Spam-Level:
X-Spam-Status: No, score=-4.33 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y3iTcVRItkIB for <captive-portals@ietfa.amsl.com>; Mon, 5 Feb 2018 17:04:36 -0800 (PST)
Received: from mail-in7.apple.com (mail-out7.apple.com [17.151.62.29]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C22AD12DA27 for <captive-portals@ietf.org>; Mon, 5 Feb 2018 17:04:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; d=apple.com; s=mailout2048s; c=relaxed/simple; q=dns/txt; i=@apple.com; t=1517879076; x=2381792676; h=From:Sender:Reply-To:Subject:Date:Message-id:To:Cc:MIME-version:Content-type: Content-transfer-encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-reply-to:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=SU8N2PlkcQ/6yKTgPc51rytvqdqhSsKefGVEDx5zUwc=; b=E8dIoeifrwyyIwgmnYdnHUfY2hfa15qExw6WdfL3Flc7O6lKmrosBC9FKMuUbexL Soei6w8yYmCgXg8IsnuUQVuzt0JQgg0jEQy1sNGta2S5OPvZ5Ywqt6QHVK7VUuBt DIoxrF2Z9gmoWch8KKN1gO4tPN4Ap5rctd6SOgyfVjoEgiCUt4onZNvY0TilwFj3 aQh+2zLEyFoh8AK16gBV9vqCQONN6IJx01JwQ7mLmQTpxvbCHsuQBY9lhvS4yVqO hdnTMXcahc5pBbu5aZIDRa6s5V43RleryN7iPCDtAa3cb/D0hZ6djGtiu5dxJ+/A 3YBZ+MlPv8RkDFmISWy4og==;
Received: from relay6.apple.com (relay6.apple.com [17.128.113.90]) (using TLS with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail-in7.apple.com (Apple Secure Mail Relay) with SMTP id 3A.50.02108.42FF87A5; Mon, 5 Feb 2018 17:04:36 -0800 (PST)
X-AuditID: 11973e16-4bba19e00000083c-5b-5a78ff24a39c
Received: from nwk-mmpp-sz09.apple.com (nwk-mmpp-sz09.apple.com [17.128.115.80]) by relay6.apple.com (Apple SCV relay) with SMTP id 62.54.23861.42FF87A5; Mon, 5 Feb 2018 17:04:36 -0800 (PST)
MIME-version: 1.0
Content-type: text/plain; charset="utf-8"
Received: from [17.234.114.143] (unknown [17.234.114.143]) by nwk-mmpp-sz09.apple.com (Oracle Communications Messaging Server 8.0.2.2.20180122 64bit (built Jan 22 2018)) with ESMTPSA id <0P3P008JXEZLKW00@nwk-mmpp-sz09.apple.com>; Mon, 05 Feb 2018 17:04:36 -0800 (PST)
Sender: tpauly@apple.com
From: Tommy Pauly <tpauly@apple.com>
In-reply-to: <CABkgnnX2iQwDR_zgk15OQSCWh1pJBrJRvTwmEHbvsecaoQOuow@mail.gmail.com>
Date: Mon, 05 Feb 2018 17:04:33 -0800
Cc: David Bird <dbird@google.com>, captive-portals@ietf.org
Content-transfer-encoding: quoted-printable
Message-id: <216DAA74-F8EC-4BCD-B317-36DBCE7620E5@apple.com>
References: <151778535115.5816.386541967960931391@ietfa.amsl.com> <CADo9JyV2Rz2B9H_h9JMne7XLtMeVb2OajheZ86i5g8nsPmmFOw@mail.gmail.com> <CABkgnnW_x6sokdEo-yyzk0DKFqom6b7aHpoLgRnBHOW_cGB6yA@mail.gmail.com> <CADo9JyXRtyuzoWJKA+aASGh-bEJ8hi323VRdBeyqsgXwNxSkbw@mail.gmail.com> <CADo9JyVtKMCwcXsZgfNSJ8VshjaTxSPS7YWro71Z4Y7K4UWFxA@mail.gmail.com> <CABkgnnX2iQwDR_zgk15OQSCWh1pJBrJRvTwmEHbvsecaoQOuow@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
X-Mailer: Apple Mail (2.3458)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFjrELMWRmVeSWpSXmKPExsUi2FAYpavyvyLKYOZVDYu5sxpYLT792M5o ce3MP0YHZo+ds+6yeyzYVOqxZMlPpgDmKC6blNSczLLUIn27BK6MJy8bGQvWKVe0LF7C2MA4 UaaLkYNDQsBE4tRbti5GLg4hgdVMEsu+NDF1MXKCxa9cOs8OkTjIKPFw8V5mkASvgKDEj8n3 WECamQXUJaZMyYWomcwk8ej8LnaQuLCAhMTmPYkg5cICHhLdc7+wgthsAioSx79tABvDKRAs MXvBVyaQchYBVYmZX7RBwswC1hIze5YwQdjaEk/eXWCF2Goj0T53GwvEqiXMEgu3PmEBSYgI 6EosOvuAHeJmWYmVs++yghRJCDxnk2hbuop5AqPwLCRnz0I4exaSHQsYmVcxCuUmZuboZuaZ 6yUWFOSk6iXn525iBAX6dDuxHYwPV1kdYhTgYFTi4RXIqIgSYk0sK67MPcQozcGiJM574iFQ SCA9sSQ1OzW1ILUovqg0J7X4ECMTB6dUA+PuoHd1YXwVlUqrdsQZPNhV/7Lk7Aq5D7enz4q7 cW3Gza++3yZ37l60cGVByKSNwtvPXRZsWHdxx/GPWqznlTVO8EbJtrhJxm7dpm+19u33Ts8f Si6bXfKTf5XFblft4LtjEPB9dsNppy2TNoYdqLd/vf+lzZoXESE2FXwVN/8JqLy+0Zx8b0uJ EktxRqKhFnNRcSIA30HgalUCAAA=
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFupjkeLIzCtJLcpLzFFi42IRbCgO0FX5XxFl8HihisXcWQ2sFp9+bGe0 uHbmH6MDs8fOWXfZPRZsKvVYsuQnUwBzlKFNWn5ReWJRikJRckGJrVJxRmJKfnm8pbGRqUNi QUFOql5yfq6Svp1NSmpOZllqkb5dgmHGk5eNjAXrlCtaFi9hbGCcKNPFyMkhIWAiceXSefYu Ri4OIYGDjBIPF+9lBknwCghK/Jh8j6WLkYODWUBdYsqUXIiayUwSj87vYgeJCwtISGzekwhS LizgIdE99wsriM0moCJx/NsGsDGcAsESsxd8ZQIpZxFQlZj5RRskzCxgLTGzZwkThK0t8eTd BVaIrTYS7XO3sUCsWsIssXDrExaQhIiArsSisw/YIW6WlVg5+y7rBEaBWUgunYVw6SwkYxcw Mq9iFChKzUmsNNODh80mRnCgF0btYGxYbnWIUYCDUYmHVyCjIkqINbGsuDL3EKMEB7OSCK/T 9fIoId6UxMqq1KL8+KLSnNTiQ4w+QL9MZJYSTc4HRmFeSbyhsYWxpYmFgYGJpZkJDmElcd7D SkVRQgLpiSWp2ampBalFMOOYODilGhhTQ7bu6639JnlRcO/TVbO/r2tZ8vd+eDTTjBYvvbcJ N0PM61x0mw3e+BZermPY/u7Oo+nuESFfO7wvyRmLJwk8z9bf63qq67gab2vvhNszr6z7rL63 91ZHEqtGfc/bRNu3Jivs1Z4pb7yVKH1atvCK1l7uYu1la9sFF3yXa7GSP1TX1XJvvZQSCzAV GWoxFxUnAgCgkUXaoQIAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/OokCSnODgyjjP00WXkDBVND_bRk>
Subject: Re: [Captive-portals] I-D Action: draft-ietf-capport-api-00.txt
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Feb 2018 01:04:39 -0000


> On Feb 5, 2018, at 4:54 PM, Martin Thomson <martin.thomson@gmail.com> wrote:
> 
> On Tue, Feb 6, 2018 at 8:41 AM, David Bird <dbird@google.com> wrote:
>>> I have heard UE vendors express a strong desire to be able to know
>>> about status before they attempt to use the network.
>>> 
>> 
>> Hm, but (assuming you are using the provided network for DNS, CRL checks,
>> and the API itself), the UE is *already* using the network.
> 
> Not really.  The way I understand it, the UE alters routing tables so
> that only applications that explicitly opt in to using the interface
> to the network can do so.  That state exists until the network is
> given an "all clear”.
> 

That’s correct—the device chooses how to expose the available interfaces/PvDs to the applications. If we have a cellular connection, for example, we won’t let any application traffic use the Wi-Fi network until we’re sure that it’s not captive (as far as we can tell).

>> I believe this desire on the UE vendor part is a case of 'be careful what
>> you wish for' ... Having an API telling you it is "all clear" vs "do
>> internal (often sandboxed for various reasons browser) captive portal
>> dialog" amounts to making this a configuration of the network administrator
>> -- Remember the (current) arms race concerning captive  portal detection?
>> Well, the network operator wins with this API (!).
> 
> Remember we already concluded that if the network wants to lie about
> status, we aren't planning to stop them.  There are still some
> discussions to be had about providing incentives to be truthful, but
> it's possible that we could never really plumb the depths of that
> issue productively, so we've been deferring it.

Right, we can’t know for sure that the network isn’t lying. We have to trust that in the same way we trust the provisioning of DHCP, etc. We don’t need to make it such that no captive network can pretend to be non-captive, but we do need to allow some captive networks let the devices known that they are captive.

> 
>> Over the years on this list we have seen many use-cases come through, I
>> recall:
>> 
>> -  A school/library network that allows most of the Internet, but captures
>> and redirects for certain networks / sites
>> -  A network allows all sorts of protocols - IMAP, HTTPS, for example -
>> but not others - like HTTP, SMTP - and want to redirect / signal portal
>> -  A network that allows all Internet traffic, but just at a low QoS tier.
>> No "captive" portal, but a portal is  yet available for upgrading tier
>> -  Any network that allows a large walled garden, or even a *very large*
>> garden, but otherwise has a captive portal
>> -  A network that will 99.99% of the time allow all traffic, but will
>> (perhaps because of virus detection) interrupts sessions  into captive state
>> [technically, this is a "boolean" use-case, but one where polling would just
>> be huge noise]
> 
> I'd say that the amount of information provided here is rich enough
> that you want to talk to a human.  Very few networks permit sending of
> arbitrary packets to arbitrary hosts and the receipt of similar.  The
> point is to ensure that you are managing expectations.  If I
> understand the expression of requirements, the idea is that a UE can
> use the boolean signal, but this other stuff is better presented on
> the web page.  If the network starts off in a captive state, then that
> page will be seen (if there is a human), and maybe not used (if there
> isn't).
> 
>> Clients that go idle typically have their session terminated - so, yes, it
>> does save the user time (depending on "time" is billed - real time vs
>> metered, etc).
> 
> Right.  Though this is relatively rare in my experience.  In those
> cases, I think that the idea is that the client can check with the API
> before its time comes due and notice the resulting extension and so go
> back to sleep.

An idle device will still time out if nothing checks in, but for a device that is actively using the network and will be timeout at some specific threshold, it is useful to allow the user to re-up the connection.
> 
> _______________________________________________
> Captive-portals mailing list
> Captive-portals@ietf.org
> https://www.ietf.org/mailman/listinfo/captive-portals

v2.23.0 | Report a Bug | By Email