IETF Logo Mail Archive

Re: [Captive-portals] I-D Action: draft-ietf-capport-api-00.txt

Martin Thomson <martin.thomson@gmail.com> Mon, 05 February 2018 20:03 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 49D10128954 for <captive-portals@ietfa.amsl.com>; Mon, 5 Feb 2018 12:03:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JEioGalnknt9 for <captive-portals@ietfa.amsl.com>; Mon, 5 Feb 2018 12:03:37 -0800 (PST)
Received: from mail-oi0-x233.google.com (mail-oi0-x233.google.com [IPv6:2607:f8b0:4003:c06::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF3FB127909 for <captive-portals@ietf.org>; Mon, 5 Feb 2018 12:03:36 -0800 (PST)
Received: by mail-oi0-x233.google.com with SMTP id c189so21391338oib.12 for <captive-portals@ietf.org>; Mon, 05 Feb 2018 12:03:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=AJ6cXg6nRLJL+2dvFYVBM+kN70p0rTRa026/X+Y167k=; b=lKoBDPJe++1xUHMgWFuGRQzirI0TK7poaRR+BoUdVm96LUh4BlXmQ3ldy8U9QoDqne DL3I6tj+f+jZ11MaLX3mSsxiYDtUZNuq09m7zcXzJI7CiCrl7V2MgtFWjnDovokpCxx4 Zkh9hv5ZIo+02j4+udQ2vYatCTPtxgQDAmTxCqFeLB83tHCmUkbuqkU2eVpHN2C7L2fO xEk0a9PuKOx5FGX7q4NvNYBJabYuPMi3SQRafUg07+vWYrR8kUCSrh4Kgql4o1np9Chc bbmMEwW9Hul9vM7uSx31GK/dQ2cPs3DzQR64/4rfOK44Aq39cXD2FdvIF062XjhpPHgc ifOg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=AJ6cXg6nRLJL+2dvFYVBM+kN70p0rTRa026/X+Y167k=; b=Yq284mQVvkCGrE30Fz5ISSTbp0mTjKGM0CnkQW91qmY04J7ErqJEWws2wboZsPhyUV 6Y3lluPt7TYQtVcaHv/zh/FRQ5rMHFMnwCSWJvugsaEjLH+IMaw6YbNHyRUiX4xyyOiw gcFvuZUpha0KUE4yAzSdBrU6jXeAYou9sez4goIl2HXoc2F6cxtPgfCDULUURrkkSIWM 5tS16LIYHU8VngBN0hoM/ngHBeWff7e8RehoXxr73TVuBuR30P83h/qTsGdJDsjXh34l 5w1IrmqpL8+fvfL20e0DC5uvLOlFBf9+gyKcrkbTbRgKu8Mjo7u2d2m1TrRKHRQBxvfN TGKA==
X-Gm-Message-State: APf1xPCpEQi1LsRqngBzed1ZLJTqhJzomoE7pDNQmKH6fA66AIEkoYBN ZG50t9rHiY0ClTOeioDs6kbyeHze+8A4Gaq6Gpc=
X-Google-Smtp-Source: AH8x224Yp/LmDm+QJO67GBViIcIPaQ7g9JNz//+gUnmB0YwJy77FGVKXs2xAoPM0Xw2x9dpJ/2Kid1219qaUX/lgxJg=
X-Received: by 10.202.23.9 with SMTP id j9mr16854oii.50.1517861016172; Mon, 05 Feb 2018 12:03:36 -0800 (PST)
MIME-Version: 1.0
Received: by 10.157.52.196 with HTTP; Mon, 5 Feb 2018 12:03:35 -0800 (PST)
In-Reply-To: <CADo9JyV2Rz2B9H_h9JMne7XLtMeVb2OajheZ86i5g8nsPmmFOw@mail.gmail.com>
References: <151778535115.5816.386541967960931391@ietfa.amsl.com> <CADo9JyV2Rz2B9H_h9JMne7XLtMeVb2OajheZ86i5g8nsPmmFOw@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Tue, 06 Feb 2018 07:03:35 +1100
Message-ID: <CABkgnnW_x6sokdEo-yyzk0DKFqom6b7aHpoLgRnBHOW_cGB6yA@mail.gmail.com>
To: David Bird <dbird@google.com>
Cc: captive-portals@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/_QlfCp2MY_Ym52_3g9nWkuNEzxg>
Subject: Re: [Captive-portals] I-D Action: draft-ietf-capport-api-00.txt
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Feb 2018 20:03:43 -0000

On Tue, Feb 6, 2018 at 5:03 AM, David Bird <dbird@google.com> wrote:
> Thanks Darshak and Tommy, this is really helpful.

Yes, thank you both.

> Some comments:
>
> In 2. Workflow: Does it make sense to reorder 2) and 3)? It would seem
> 'Enforcement' should come before determining status (of said enforcement)
> and how to proceed. I would argue that the UE might as well try to use the
> network and wait for the network to respond (e.g. with Enforcement and/or
> routing notifications/errors. Indeed, the UE sorta already *did* this if it
> resolved DNS and checked certificate status of the API server hostname.

I have heard UE vendors express a strong desire to be able to know
about status before they attempt to use the network.

> In 3.1 URI of Captive Portal endpoint, I think we must go beyond making TLS
> a MUST --- we need to define how trust is handled. We must require the API
> client to validate the hostname, present that hostname to the user for
> acknowledgement. Or, are we explicitly saying that TLS is for privacy and
> not security? (e.g. that we really don't care what the server cert is...
> just that the cert is consistent for that location / domain?). Is the client
> expected to check revocation lists?

Good point.  This is likely an architecture question in the sense that
we need to determine what the trust model is and where that is
anchored.  We have an established pattern already where we trust that
the initial bootstrapping protocols (DHCP, RAs) produce a URL that is
accurate.  Once you have a URL, the rest of the process needs to
follow the rules: clients are expected to follow the usual rules for
server authentication.

In this particular case, we should explore that last point further,
because CRLs or OCSP are likely to fail in this sort of environment.
That's relatively easy to address, but we would have to mandate OCSP
stapling.

I've opened an issue: https://github.com/capport-wg/api/issues/7

> In 3.2, ' "permitted" (required, boolean): indicates whether or not the
> Captive Portal is open to the requesting host ' is confusing... does it mean
> the UE is subject to a captive portal?  I dislike how boolean this is! Why
> does it have to be all or nothing (especially if ICMP is providing
> enforcement notification?)

Can you motivate something less boolean?  That's a question we've
struggled with.

> Also in 3.2, I'm not sure about the time/data remaining info.. Is the
> expectation that the client keeps polling? (never goes idle on any network?)
> Is the expectation that the UE  will break connections after it sees this
> API expire timer or counter, or shall the (smart) UE wait until the network
> notification (ICMP) ?

I think that the way this is intended to work is that the UE will
contact the actual portal some time in advance of this time.

Why do you ask about polling?  Are there networks that will extend
active time in the case that clients go idle?

v2.23.0 | Report a Bug | By Email