Re: [Captive-portals] Requirements for "captive portal closed" notifications

Tero Kivinen <> Tue, 20 March 2018 17:08 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 39282126DCA for <>; Tue, 20 Mar 2018 10:08:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id qQMJ3i7AeruC for <>; Tue, 20 Mar 2018 10:08:36 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D21F012778D for <>; Tue, 20 Mar 2018 10:08:35 -0700 (PDT)
Received: from (localhost []) by (8.15.2/8.15.2) with ESMTPS id w2KH8L6R029293 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 20 Mar 2018 19:08:21 +0200 (EET)
Received: (from kivinen@localhost) by (8.15.2/8.14.8/Submit) id w2KH8LlK005654; Tue, 20 Mar 2018 19:08:21 +0200 (EET)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Message-ID: <>
Date: Tue, 20 Mar 2018 19:08:21 +0200
From: Tero Kivinen <>
To: Dave Dolson <>
In-Reply-To: <>
References: <> <>
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 6 min
X-Total-Time: 6 min
Archived-At: <>
Subject: Re: [Captive-portals] Requirements for "captive portal closed" notifications
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of issues related to captive portals <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 20 Mar 2018 17:08:42 -0000

Dave Dolson writes:
> And querying the API should be harmless (GET having no side-effects), aside
> from the load imposed on it. So we should say that the UE must rate-limit
> ICMP-triggered API visits.  Example wording: "The UE MUST rate-limit
> ICMP-triggered API requests to once every 5s."

That might be applicable for other cases too. I.e., we do not want
client to go to the API every second to be able to show the timeout on
the screen with one second accuracy.

So perhaps UE MUST rate-limit API requests in general, not only
ICMP-triggered ones. 

Also if the UE uses HTTP keepalive and keeps API connection open for
60 seconds or so after use, that will of course also limit traffic
generated, especially in case if the API connection is over TLS.

> We could get fancy with back-off retries, or allowing the API to specify the
> rate limit, but my main point is that the ICMP message does not require any
> sort of authentication if we make a spoofed message harmless.


Also if authenticating ICMP messages would be easy there would already
be authentication in them :-)