[Captive-portals] Comments on draft-donnelly-capport-detection-01

[Dave Dolson <ddolson@sandvine.com>]

Mark and Margaret,
Thanks for putting this together. I have some questions and comments.

I suspect there are a number of nits in the syntax, but first I'd like to discuss some high-level questions.


1.       Regarding $toplevel, is this intended to be used as the body for both request and response? I suspect no, this is the body of the response and the body of the POST has not been defined. For example, how is the MD5 sum of the t&c to be presented?

2.       I see a role for performing GET, once the session has been established.

3.       Do you see any opposition to including various hrefs for satisfying requirements in the browser?

I think working through some examples would be useful. This differs from your proposal, but I was thinking:

-------
GET from the DHCP-provided URL:
GET http://<server>/capport (Accept: application/json)
200 OK
{
   "create_href": "http://<server>/capport/sessions",
   "browse_href": "http://portal.example.com/"
}

----
Posting to the create_href:
POST http://<server>/capport/sessions (Accept: application/json)
{ "identity": "<USERNAME>"}
200 OK
{ " id": { "uuid": "<session_uuid>",
           "href": "http://<server>/capport/sessions/<session_uuid>" },
  "identity": "<USERNAME>",
  "state": { "permitted": false },
  "requirements": [
    {"view_page": "http://portal.example.com/welcome/terms_and_conditions.html?session=<session_uuid>"},
    {"provide_credentials": "http://<server>/capport/sessions/<session_uuid>/credentials"}]
}

-------
The session now exists, and GET works:
GET http://<server>/capport/sessions/<session_uuid> (Accept: application/json)
200 OK
{ " id": { "uuid": "<session_uuid>",
           "href": "http://<server>/capport/sessions/<session_uuid>" },
  "identity": "<USERNAME>",
  "state": { "permitted": false },
  "requirements": [
    {"view_page": "http://portal.example.com/welcome/terms_and_conditions.html?session=<session_uuid>"},
    {"provide_credentials": "http://<server>/capport/sessions/<session_uuid>/credentials"}]
}

------
Or GET for browser:
GET http://<server>/capport/sessions/<session_uuid> (Accept: text/html)
200 OK
<html> Human readable page of above information </html>

----------
After visiting the view_page URL and clicking OK, the internet works, and the info is available for query:
GET http://<server>/capport/sessions/<session_uuid> (Accept: application/json)
200 OK
{ " id": { "uuid": "<session_uuid>",
           "href": "http://<server>/capport/sessions/<session_uuid>" },
  "identity": "<USERNAME>",
  "token": "<TOKEN>",
  "state": { "permitted": true, "expires": "2017-02-25T19:00:00-06:00", "bytes_remaining": 10000000 },
  "requirements": []
}

----
When the session expires, ICMP alert occurs, the client GETs again (note different value for view_page):
GET http://<server>/capport/sessions/<session_uuid> (Accept: application/json)
200 OK
{ " id": { "uuid": "<session_uuid>",
           "href": "http://<server>/capport/sessions/<session_uuid>" },
  "identity": "<USERNAME>",
  "state": { "permitted": false, "expires": "2017-02-25T19:00:00-06:00", "bytes_remaining": 0 },
  "requirements": [
    {"view_page": "http://portal.example.com/welcome/renew.html?session=<session_uuid>"},
    {"provide_credentials": "http://<server>/capport/sessions/<session_uuid>/credentials"}]
}

The client can fulfil requirements again.

----
When the client wants to explicitly leave the network, delete the href for the session:
DELETE http://<server>/capport/sessions/<session_uuid>
200 OK


The USERNAME could be DHCP option-12 value or MAC address or ?  I don't think it is too important for security, but useful for diagnostics.
I did not delve into how the TOKEN would be used with provide_credentials. But the idea is that it could be shared (e.g., with devices lacking displays.)

Does this make sense?

-Dave