[Captive-portals] Comments on draft-donnelly-capport-detection-01
Dave Dolson <ddolson@sandvine.com> Tue, 21 March 2017 19:21 UTC
Return-Path: <ddolson@sandvine.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 585B01277BB; Tue, 21 Mar 2017 12:21:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.921
X-Spam-Level:
X-Spam-Status: No, score=-1.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cifLQZFjBohf; Tue, 21 Mar 2017 12:21:00 -0700 (PDT)
Received: from mail1.sandvine.com (mail1.sandvine.com [64.7.137.165]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 12391128990; Tue, 21 Mar 2017 12:21:00 -0700 (PDT)
Received: from WTL-EXCHP-1.sandvine.com ([fe80::ac6b:cc1e:f2ff:93aa]) by WTL-EXCHP-3.sandvine.com ([::1]) with mapi id 14.03.0319.002; Tue, 21 Mar 2017 15:20:58 -0400
From: Dave Dolson <ddolson@sandvine.com>
To: "draft-donnelly-capport-detection@ietf.org" <draft-donnelly-capport-detection@ietf.org>
CC: "captive-portals@ietf.org" <captive-portals@ietf.org>
Thread-Topic: Comments on draft-donnelly-capport-detection-01
Thread-Index: AdKiXr3+zSa6K/bQSNe4MPUJ6NkG8g==
Date: Tue, 21 Mar 2017 19:20:56 +0000
Message-ID: <E8355113905631478EFF04F5AA706E9870559643@wtl-exchp-1.sandvine.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [192.168.200.114]
x-c2processedorg: b2f06e69-072f-40ee-90c5-80a34e700794
Content-Type: multipart/alternative; boundary="_000_E8355113905631478EFF04F5AA706E9870559643wtlexchp1sandvi_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/RPwEIuLlW6ZSLmEyaqfxgDrF88Q>
Subject: [Captive-portals] Comments on draft-donnelly-capport-detection-01
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Mar 2017 19:21:02 -0000
Mark and Margaret, Thanks for putting this together. I have some questions and comments. I suspect there are a number of nits in the syntax, but first I'd like to discuss some high-level questions. 1. Regarding $toplevel, is this intended to be used as the body for both request and response? I suspect no, this is the body of the response and the body of the POST has not been defined. For example, how is the MD5 sum of the t&c to be presented? 2. I see a role for performing GET, once the session has been established. 3. Do you see any opposition to including various hrefs for satisfying requirements in the browser? I think working through some examples would be useful. This differs from your proposal, but I was thinking: ------- GET from the DHCP-provided URL: GET http://<server>/capport (Accept: application/json) 200 OK { "create_href": "http://<server>/capport/sessions", "browse_href": "http://portal.example.com/" } ---- Posting to the create_href: POST http://<server>/capport/sessions (Accept: application/json) { "identity": "<USERNAME>"} 200 OK { " id": { "uuid": "<session_uuid>", "href": "http://<server>/capport/sessions/<session_uuid>" }, "identity": "<USERNAME>", "state": { "permitted": false }, "requirements": [ {"view_page": "http://portal.example.com/welcome/terms_and_conditions.html?session=<session_uuid>"}, {"provide_credentials": "http://<server>/capport/sessions/<session_uuid>/credentials"}] } ------- The session now exists, and GET works: GET http://<server>/capport/sessions/<session_uuid> (Accept: application/json) 200 OK { " id": { "uuid": "<session_uuid>", "href": "http://<server>/capport/sessions/<session_uuid>" }, "identity": "<USERNAME>", "state": { "permitted": false }, "requirements": [ {"view_page": "http://portal.example.com/welcome/terms_and_conditions.html?session=<session_uuid>"}, {"provide_credentials": "http://<server>/capport/sessions/<session_uuid>/credentials"}] } ------ Or GET for browser: GET http://<server>/capport/sessions/<session_uuid> (Accept: text/html) 200 OK <html> Human readable page of above information </html> ---------- After visiting the view_page URL and clicking OK, the internet works, and the info is available for query: GET http://<server>/capport/sessions/<session_uuid> (Accept: application/json) 200 OK { " id": { "uuid": "<session_uuid>", "href": "http://<server>/capport/sessions/<session_uuid>" }, "identity": "<USERNAME>", "token": "<TOKEN>", "state": { "permitted": true, "expires": "2017-02-25T19:00:00-06:00", "bytes_remaining": 10000000 }, "requirements": [] } ---- When the session expires, ICMP alert occurs, the client GETs again (note different value for view_page): GET http://<server>/capport/sessions/<session_uuid> (Accept: application/json) 200 OK { " id": { "uuid": "<session_uuid>", "href": "http://<server>/capport/sessions/<session_uuid>" }, "identity": "<USERNAME>", "state": { "permitted": false, "expires": "2017-02-25T19:00:00-06:00", "bytes_remaining": 0 }, "requirements": [ {"view_page": "http://portal.example.com/welcome/renew.html?session=<session_uuid>"}, {"provide_credentials": "http://<server>/capport/sessions/<session_uuid>/credentials"}] } The client can fulfil requirements again. ---- When the client wants to explicitly leave the network, delete the href for the session: DELETE http://<server>/capport/sessions/<session_uuid> 200 OK The USERNAME could be DHCP option-12 value or MAC address or ? I don't think it is too important for security, but useful for diagnostics. I did not delve into how the TOKEN would be used with provide_credentials. But the idea is that it could be shared (e.g., with devices lacking displays.) Does this make sense? -Dave
- [Captive-portals] Comments on draft-donnelly-capp… Dave Dolson
- Re: [Captive-portals] Comments on draft-donnelly-… Vincent van Dam