Re: [Captive-portals] Use Case: "Carrier Grade Captive Portal"
Dave Dolson <ddolson@sandvine.com> Thu, 18 May 2017 13:21 UTC
Return-Path: <ddolson@sandvine.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C73A1126C25 for <captive-portals@ietfa.amsl.com>; Thu, 18 May 2017 06:21:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lN6KwB3EKZR9 for <captive-portals@ietfa.amsl.com>; Thu, 18 May 2017 06:21:31 -0700 (PDT)
Received: from mail1.sandvine.com (Mail1.sandvine.com [64.7.137.134]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C191612EB04 for <captive-portals@ietf.org>; Thu, 18 May 2017 06:15:33 -0700 (PDT)
Received: from BLR-EXCHP-2.sandvine.com (192.168.196.172) by wtl-exchp-1.sandvine.com (192.168.194.176) with Microsoft SMTP Server (TLS) id 14.3.319.2; Thu, 18 May 2017 09:15:32 -0400
Received: from WTL-EXCHP-1.sandvine.com ([fe80::ac6b:cc1e:f2ff:93aa]) by blr-exchp-2.sandvine.com ([::1]) with mapi id 14.03.0319.002; Thu, 18 May 2017 09:15:31 -0400
From: Dave Dolson <ddolson@sandvine.com>
To: Gunther Nitzsche <gnitzsche@netcologne.de>, David Bird <dbird@google.com>
CC: Heiko Folkerts <heiko.folkerts@bsi.bund.de>, "captive-portals@ietf.org" <captive-portals@ietf.org>, "Herzig, Willi" <willi.herzig@bsi.bund.de>
Thread-Topic: [Captive-portals] Use Case: "Carrier Grade Captive Portal"
Thread-Index: AQHSxAspm2jwFnBWgkqjQKiot+mYpKH3f0uAgAF7ggCAAWCtAP//zOKg
Date: Thu, 18 May 2017 13:15:31 +0000
Message-ID: <E8355113905631478EFF04F5AA706E98705E3AC4@wtl-exchp-1.sandvine.com>
References: <201705031442.50683.heiko.folkerts@bsi.bund.de> <8951dd0a-044b-b3ed-4454-e24fac407c4e@netcologne.de> <CADo9JyVdkzrtWE6RMt3CVYCkHrdB=+LKA9eDazN8Xf+R=Vza_Q@mail.gmail.com> <7e4e6be2-3f2e-897e-4c7b-0374f0b7b0b5@netcologne.de>
In-Reply-To: <7e4e6be2-3f2e-897e-4c7b-0374f0b7b0b5@netcologne.de>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [192.168.200.114]
x-c2processedorg: b2f06e69-072f-40ee-90c5-80a34e700794
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/R7-WU4SKDDwgTpu0MO8c7p8vrn4>
Subject: Re: [Captive-portals] Use Case: "Carrier Grade Captive Portal"
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 May 2017 13:21:35 -0000
Gunther, My view is that new mechanisms we propose will be used in addition to existing capture/redirect of port 80. E.g., applied to email, ftp, bittorrent, etc. When devices support it, and access networks provide it, the user experience will be better. That would be the motivation for deployment. It does seem like it could take a long time to deploy, but if it is completely backwards compatible and fairly cheap to implement, it might happen. -Dave -----Original Message----- From: Captive-portals [mailto:captive-portals-bounces@ietf.org] On Behalf Of Gunther Nitzsche Sent: Thursday, May 18, 2017 8:14 AM To: David Bird Cc: Heiko Folkerts; captive-portals@ietf.org; Herzig, Willi Subject: Re: [Captive-portals] Use Case: "Carrier Grade Captive Portal" Hello, thanks for your reply. Let me argue against ..:) On 17.05.2017 17:11, David Bird wrote: > > > We need to stop the 443 redirecting! > > Thus far, I don't see any reason why ICMP wouldn't work. In fact, if > *no* ICMP worked, some basic networking stops working (general dest > unreach, MTU discovery, etc). > In a theoretical point of view I absolutely second your opinion. In real world scenarios I don't see how this could work out. >That is by design, in some respects. The "capport compliant" device will not ignore these messages (by definition). "Legacy" devices would ignore them, and they will still depend on the >HTTP redirect. I guess that is the crux. There are no "capport compliant devices" outside wifi and there won't be any for long long time.(as I said: outside the mobile world)) (I may be wrong here?) I do not see how to tell Microsoft, Apple, sun/oracle or the linux community to insert a capport detection inside their OS. And even if a Windows 11 and a linux kernel 5 would support that, there will be a wide majority of devices which would not be updated and will not meet the criteria and still has to be handled in a different way. When the major browsers would support that (like the Chromium Project for ChromeBooks in https://www.chromium.org/chromium-os/chromiumos-design-docs/network-portal-detection#TOC-Interpretation-of-Portal-State ) we might get a step further. But I doubt that the majority of users will accept permanent "test-traffic" in normal circumstances. > The separation of "configuration" and "notification" is by design. > That might be a design error. Notification is done by the provider, but configuration (how to react on e.g. icmp unreachable) is up to the enduser. The provider cannot (and will not) configure any customer's client device. Maybe the CPE can be (pre-)configured (cable-modem/dsl-router) but not the home-PC. How do I tell the home-PC to open up a specific URL when capport detection gets activated (if it would exist)? > > => If the customers wants to communicate via a browser, then we should > answer via the browser. All other separate communication forms may > work but are > unreliable and are dependent on the customer setup. > > > > Increasingly, it is the operating system's captive portal detection > that is detecting the need for portal interaction. I agree that it is > convenient to have an in-line HTTP response with the redirect or 511 > status code, but plain old HTTP is becoming obsolete. Hijacking HTTPS > to return a 511 response is a bad idea. The ICMP approach gives > 'notification' without requiring (in-line protocol dependent) > man-in-the-middle responses and is protocol agnostic. > Now let's see how that would look like. If an ICMP unreachable is sent out to the customer, he will see an error in the browser. A different one like the ssl-breaking/stopping error, but still an error. But what comes next? Now we have lost the only channel to the customer - the http(s) session has ended. And we have lost the opportunity to tell the customer's browser what to show instead. If we sent out a status code instead we have at least the chance to show >something< in the browser which might help the customer to get on the right way. Maybe the return code just triggers a warning of the kind "the webserver is unreachable due to providers action and asks you to go to <URL> instead" and does not do a redirection by itself. Everything is better (for the customers experience, not for the pure theoretical doctrine) than just showing a site unreachable. > > > It isn't clear to me how subscriber UEs get assigned their IP > addresses in your network; they don't use DHCP? Some do, some don't. cable users do DHCP, DSL customers do radius (via ppp). Pretty standard stuff. Actually that doesn't matter a lot, since the connection termination is done by the CPE, not by the customer's client device (PC). Even if the cable-modem realizes that something strange is going on, the home-PC will not be affected by that. > > The UE browser will be 'informed' of the captive portal URL by the > captive portal detection mechanism (OS/vendor dependent like today). That might be true in the mobile world; For home-pc, small networks. and so on there is no cpdm which I know of. (That is why I am here :-) > There is a bit of a race condition between the captive portal > detection mechanism and the human interacting with the browser in > real-time. However, it is possible for browsers (or any Apps) to > integrate with the platform captive portal detection service to get > additional information like the portal URL. Could you name an example for this? Valid for a standard home-PC ? And..without having the user to install a cpd - service on his device? (remember: not mobile) ("If you want to be our customer you have to install <this> software here on all your devices; for Ubuntu please use <this> and for windows XP click <here>.." -> .. will not work) As I see it there is no detection mechanism in standard OS (outside wifi) today. And I cannot blame the customer to not have such service installed if it would exist. It is up to the provider to use the existing sources and work with the (unknown) equipment of different customers. So I fear we are stuck to work with the return codes.. > Agreed that UE (and browser) behaviors need to be better defined, but > that gets tricky to mandate in RFC, imho. What we can do is define > networking 'building blocks' and recommendations on how vendors build > user experiences with them. > (What is UE ?) tl;dr : while I support the opinion to stop breaking/redirecting https and do proper signaling with icmp instead, I do not see working setups in real world scenarios without sending a http-status code leading to specific browser's behaviour (outside of the mobile world). Otherwise the customer is left alone with a browser showing an error page. (If there would be a possibility to trigger a webpage with a capportdetection - icmp unreachable message, that would be great.. any hints welcome. Very well possible that I just overlooked something..) Thanks for listening and sorry for the again (too) long text... best greetings, Gunther NetCologne Systemadministration -- NetCologne Gesellschaft für Telekommunikation mbH Am Coloneum 9 ; 50829 Köln Geschäftsführer: Timo von Lepel, Mario Wilhelm Vorsitzender des Aufsichtsrates: Dr. Andreas Cerbe HRB 25580, AG Köln _______________________________________________ Captive-portals mailing list Captive-portals@ietf.org https://www.ietf.org/mailman/listinfo/captive-portals
- [Captive-portals] Use Case: "Carrier Grade Captiv… Heiko Folkerts
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… David Bird
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Dave Dolson
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Warren Kumari
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Erik Kline
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Mark Nottingham
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Michael Richardson
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Gunther Nitzsche
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… David Bird
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Gunther Nitzsche
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… David Bird
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Dave Dolson
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Vincent van Dam
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Erik Kline
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Livingood, Jason
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Martin Thomson
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Livingood, Jason
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Martin Thomson
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Gunther Nitzsche
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Erik Kline
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Michael Richardson
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… David Bird
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Vincent van Dam
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Dave Dolson
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Eric Vyncke (evyncke)
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Erik Kline
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Dave Dolson
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Tommy Pauly
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… David Bird
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Dave Dolson
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Dave Dolson
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Tommy Pauly
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… Tommy Pauly
- Re: [Captive-portals] Use Case: "Carrier Grade Ca… David Bird