[Captive-portals] customizing API URLs vs ???
Michael Richardson <mcr+ietf@sandelman.ca> Wed, 31 July 2019 16:35 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CFFB120167 for <captive-portals@ietfa.amsl.com>; Wed, 31 Jul 2019 09:35:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u0IPzffHYnoM for <captive-portals@ietfa.amsl.com>; Wed, 31 Jul 2019 09:35:43 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DAEAE120104 for <captive-portals@ietf.org>; Wed, 31 Jul 2019 09:35:43 -0700 (PDT)
Received: from sandelman.ca (unknown [IPv6:2607:f0b0:f:2:56b2:3ff:fe0b:d84]) by tuna.sandelman.ca (Postfix) with ESMTP id 5447D380BE for <captive-portals@ietf.org>; Wed, 31 Jul 2019 12:35:16 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 4A1FA9BC for <captive-portals@ietf.org>; Wed, 31 Jul 2019 12:35:42 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: captive-portals <captive-portals@ietf.org>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="==-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Wed, 31 Jul 2019 12:35:42 -0400
Message-ID: <18288.1564590942@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/Pr5C5QF-rO_TqBVASAKdfM1QotI>
Subject: [Captive-portals] customizing API URLs vs ???
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Jul 2019 16:35:46 -0000
{trying to get this into it's own thread}
Remi NGUYEN VAN <reminv=40google.com@dmarc.ietf.org> wrote:
> I think we can either try to solve this problem by having the client
> send an identifier to the API, or state that the API needs to be hosted
> inside the network.
> If we go with option 2, I'm afraid many vendors
> may just rely on DHCPv4 or Link-Relation redirects to give different
> URLs based on the client, which would hurt IPv6 adoption. So I'm
> wondering if option 1 (for example having the client send an identifier
> in the host header of the API request) might be strategically better.
It's relatively easy to customize the URL that a local DHCPv4 server gives out.
Yes, it could also be done by a DHCPv4 relay (with option 82).
As you identify, this hurts enabling IPv6 in captive portals.
An advantage of having the URL change is that the token that is added can be
opaque to the client. Something encrypted. It could even be a JWT. The
client can't screw with the token to attempt to do API calls for a different
client.
If we go with something the client has to make up and provide (which I also
prefer), then we have to worry about how authentic it is. That at least
means that the client has to POST it's info to the captive portal API, and
then get back some things that identify it for subsequent API calls. That's
normal web interaction stuff, so not terribly innovative, but we do need to
think about this.
-- ] Never tell me the odds! | ipv6 mesh networks [ ] Michael Richardson, Sandelman Software Works | IoT architect [ ] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on rails [
- [Captive-portals] customizing API URLs vs ??? Michael Richardson