Re: [Captive-portals] AD review of draft-ietf-capport-architecture-07

David Dolson <> Mon, 27 April 2020 03:39 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id DD43B3A0901; Sun, 26 Apr 2020 20:39:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.235
X-Spam-Status: No, score=-1.235 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_SOFTFAIL=0.665] autolearn=no autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id T-cXZ5UknI-y; Sun, 26 Apr 2020 20:39:31 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 221F43A08FE; Sun, 26 Apr 2020 20:39:30 -0700 (PDT)
Received: from ([]) by with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.3) (envelope-from <>) id 1jSucD-0003hN-D5; Sun, 26 Apr 2020 23:39:30 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Date: Sun, 26 Apr 2020 23:39:29 -0400
From: David Dolson <>
To: Barry Leiba <>
In-Reply-To: <>
References: <>
User-Agent: Roundcube Webmail/1.4-git
Message-ID: <>
Archived-At: <>
Subject: Re: [Captive-portals] AD review of draft-ietf-capport-architecture-07
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of issues related to captive portals <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 27 Apr 2020 03:41:59 -0000

Thanks for reviewing. I've committed some changes to the repo and opened 
some issues too.

Nits fixed in commit

On 2020-04-24 19:35, Barry Leiba wrote:
> Thanks for the work in this document.  Here’s my AD review; I think a
> revised I-D is needed before we go to last call.
> General:
> Expect comments during IESG Evaluation about the extensive use of BCP
> 14 key words in an Informational document.  I don’t object to it here,
> though I do find all the “MAY”s odd (example: “A device MAY query this
> API at any time”, rather than “A device may query this API at any
> time”), but I do expect some ADs to comment on it.

I've reviewed all upper-case "MAY", and I believe they are used as 
We've allowed the user equipment to participate or not in various ways.

> Please check consistency in capitalization of defined terms.  The one
> that stands out to me as inconsistent is “User Equipment” / “user
> equipment”, but I’ve also noticed others, such as “enforcement
> device”./User

User Equipment fixed with commit

The enforcement device language is inconsistently used, and is not such 
a quick fix.
Opened issue #60

> Please be consistent about using “URI”, and not “URL”.
Changed all URI to URL in commit

> — Section 1 —
>    This document standardizes an architecture for implementing captive
>    portals that provides tools for addressing most of those problems.
>    We are guided by these principles:
> The text that comes before this doesn’t identify anything as problems,
> so I don’t see, from what’s written, what “those problems” refers to.
> Maybe it would be better to say, “most of the problems that result
> from current captive portal mechanisms, guided by these principles:”
> or some such?
Right; we removed an earlier reference and forgot to update this.
See commit

>    *  Solutions MUST operate at the layer of Internet Protocol (IP) or
>       above, not being specific to any particular access technology 
> such
>       as Cable, WiFi or 3GPP.
> 3GPP is not an access technology; it’s an SDO (or a consortium of
> SDOs).  Maybe “mobile telecom”, or “LTE”, or “5G”?  Or if you want to
> retain 3GPP, maybe “protocols developed in 3GPP”?  I think my
> preference is “5G” (and it’s only an example anyway).

I think "mobile telecom" suits the intent. See commit

>    *  End-user devices can be notified of captivity with Captive Portal
>       Signals in response to traffic.  This notification should work
>       with any Internet protocol, not just clear-text HTTP.
> I’m not quite sure what this means.  It sounds like it says that the
> notification will be in-band with any Internet protocol, which clearly
> isn’t possible.  I think it’s talking about a separate protocol to
> deliver the notification, which can work alongside any Internet
> protocol, rather than having it be in-band to clear-text HTTP.  Maybe
> re-wording that sentence will help.

I believe the intent was, "we are no longer relying on modifying 
clear-text HTTP."
Because this is discussed elsewhere in the doc, I propose:

    *  End-user devices can be notified of captivity with Captive Portal
       Signals in response to traffic.  This notification works in 
       to any Internet protocol, and is not done by modifying protocols 
See commit

> — Section 1.2 —
>    hosts (typically the internet).
> Nit: capitalize “Internet”.

>    Captive Portal API: Also known as API.  An HTTP API allowing User
>    Equipment to query its state of captivity within the Captive Portal.
> This (and the Abstract) says “an HTTP API”, but there’s nothing at the
> architecture level that assumes HTTP, is there?  Instantiation may
> well be via HTTP, but why does that need to be in the architecture?  I
> don’t see anything else in this document, apart from these two
> definitions, binding the API to HTTP at the architecture level.

Yes, the architecture intentionally says it is HTTP.
No one argued for any alternatives, as far as I know.
Details of the API are left unspecified, so it's still pretty open.

>    If User Equipment supports the Captive Portal API, it MUST validate
>    API server TLS certificate (see [RFC2818]).
> Nit: “validate the API server’s TLS certificate”

> — Section 2.3 —
>    The API SHOULD provide evidence
>    to the caller that it supports the present architecture.
> I don’t understand what this means; can you explain?

To me, this means that User Equipment can determine from the
interaction that the API is implementing this architecture vs.
being some random API. I imagine that a version number or content-
type could achieve this.
I've opened
to track the issue.

> — Section 2.4 —
>    The Captive Portal Enforcement component restrict the network access
> Nit: “restricts”

>    *  Allows traffic through for allowed User Equipment that has
> “Allows traffic through” reads oddly to me.  Maybe “Allows traffic to
> pass through”? Or “Allows general Internet traffic”?

Changed to
     * Allows traffic to pass for User Equipment that is permitted to
       use the network and has satisfied the Captive Portal Conditions.

> — Section 2.6 —
> In Figure 1, shouldn’t “Query captivity status” and “Portal user
> interface” both have bidirectional arrows?

I think the idea was to show which agent initiated. I'll add a
status response. and bidirectional arrows to the UI.

See commit

> — Section 3 —
>    these interactions, the components must be able to both identify the
>    user equipment from their interactions with it, and be able to agree
> Common problem with “both” and “either”: “be able” is already outside
> the scope of “both”, so having it inside for the second case is wrong
> (and the comma is unnecessary):
>    these interactions, the components must be able to both identify the
>    User Equipment from their interactions with it and to agree
Accepted. Commit

> — Section 3.2.1 —
>    In order to uniquely identify the User Equipment, at most one user
>    equipment interacting with the other components of the Captive 
> Portal
>    MUST have a given value of the identifier.
> The way “MUST” is used here feels very odd.  I think you mean the MUST
> to be related to the uniqueness, not to what components MUST have.
> Maybe something like this works better?:
>    In order that User Equipment be uniquely identified, a given
>    identifier MUST NOT represent more than one User Equiment that
>    interacts with the other components of the Captive Portal.
You're right; it's poorly worded. It's just trying to say each UE must
have a unique ID at a point in time. The next point says they can be
recycled. E.g., dynamic IP addresses could be used.
I changed both bullets.
     * Each instance of User Equipment interacting with the Captive 
Network MUST be
       given an identifier that is unique among User Equipment 
interacting at that time.

     * Over time, the User Equipment assigned to an identifier value MAY 
change. Allowing the
       identified device to change over time ensures that the space of 
       identifying values need not be overly large.

> — Section 3.2.3 —
>    Since the API Server will need to perform operations which rely on
>    the identity of the user equipment, such as query whether it is
>    captive, the API Server needs to be able to relate requests to the
>    User Equipment making the request.
> The API server doesn’t query whether the UE is captive, it responds to
> such queries.
Addressed in commit

> — Section 3.2.4 —
>    The Enforcement Device will decide on a per packet basis whether it
>    should be permitted to communicate with the external network.
> Nit: hyphenate “per-packet”.
> “It” should be referring to the packet, not to the ED, so “whether the
> packet should”.

> — Section 3.3 —
> Are we really talking about evaluating individual identifiers here?
> Or does this really mean to discuss *methods* of generating or
> choosing identifiers?

I believe this is about choice of identifier in a solution/standard.
Opened issue

> — Section 3.4.3 —
> Is this section talking about using a context-free URI as a UE
> identifier?  It should be clearer about that, if so (and if that’s not
> what it’s about, the section is misplaced).  There’s nothing in here
> that discusses how such identifiers would meet the specified criteria.

I think this is trying to say the server should not be looking at
Ethernet addresses, for example, because the server is probably not
on the same subnet as the User Equipment. So the info needs to be
in the URL.
I hope others can weigh in on this. Created issue

> — Section 4 —
> Please be consistent about the use of “workflow” vs “work-flow”.

> — Appendix A —
>    method is to attempt to make a HTTP request to a known, vendor 
> hosted
> Nit: hyphenate “vendor-hosted”
>    DNS queries not using UDP
>    may potentially fail this test if operating over TCP or DNS over
>    HTTP.
> Nit: it’s “DNS over HTTPS”.  But I would say, “DNS queries not using
> UDP may potentially fail this test if operating over TCP or HTTPS.”
Thanks. I made some other improvements to that paragraph too.
As committed in, 
the two bullets are now:
     *  Another test that can be performed is a DNS lookup to a known 
        with an expected answer. If the answer differs from the expected 
        the equipment detects that a captive portal is present.
        DNS queries over TCP or HTTPS are less likely to be modified than 
        queries over UDP due to the complexity of implementation.

     *  The different tests may produce different conclusions, varying by
        whether or not the implementation treats both TCP and UDP 
        and by which types of DNS are intercepted.

Thanks again Barry. Great points!