IETF Logo Mail Archive

Re: [Captive-portals] customizing API URLs vs ???

Nicolas Mailhot <nicolas.mailhot@laposte.net> Thu, 01 August 2019 07:21 UTC

Return-Path: <nicolas.mailhot@laposte.net>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 85652120026 for <captive-portals@ietfa.amsl.com>; Thu, 1 Aug 2019 00:21:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.398
X-Spam-Level:
X-Spam-Status: No, score=-2.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (2048-bit key) reason="fail (message has been altered)" header.d=laposte.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kptjX9UHjjkK for <captive-portals@ietfa.amsl.com>; Thu, 1 Aug 2019 00:21:24 -0700 (PDT)
Received: from smtp.laposte.net (smtpoutz24.laposte.net [194.117.213.99]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2955912000F for <captive-portals@ietf.org>; Thu, 1 Aug 2019 00:21:23 -0700 (PDT)
Received: from smtp.laposte.net (localhost [127.0.0.1]) by lpn-prd-vrout012 (Postfix) with ESMTP id E4EAC163BE2 for <captive-portals@ietf.org>; Thu, 1 Aug 2019 09:21:21 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=laposte.net; s=mail0; t=1564644081; bh=ZmsNhMhEVQiRbyyUnjuOtn8QjQVyY0MKtcjlZ208NCw=; h=Subject:From:To:Cc:Date:In-Reply-To:References; b=OTVyHxTvcWYn6V8WGsRq8msrVvLJEWzNTElM2xsBycPfp4C81I0iJ8iuTbbXjKm1N 58x3IpfzXIe/15LQhxsh5BTbx7KKM6YDaETtHC4EJmJscRWng+tXSdzFNu6glrjJut gvzolaTBlFPSkBwLfv/C1tkn8WvtN8OImcc2XHpNKaxoKukSzjGA/rfHeicTjCRnGQ gKUTa0nRq92w3DO30AnkZLNbB05VIOKrJAP1xJSeKzX8WXV27o50jZwAe201ba9g1t joAbntwb96trnleVINJNfzz5pyWti7jkiLAqBT8hw9uSry7Od55WHHNtwzy3uGOV/T 5Ajy0HE0mENsw==
Received: from smtp.laposte.net (localhost [127.0.0.1]) by lpn-prd-vrout012 (Postfix) with ESMTP id D5C92163C49 for <captive-portals@ietf.org>; Thu, 1 Aug 2019 09:21:21 +0200 (CEST)
Received: from lpn-prd-vrin002 (lpn-prd-vrin002.laposte [10.128.63.3]) by lpn-prd-vrout012 (Postfix) with ESMTP id CB663163BE2 for <captive-portals@ietf.org>; Thu, 1 Aug 2019 09:21:21 +0200 (CEST)
Received: from lpn-prd-vrin002 (localhost [127.0.0.1]) by lpn-prd-vrin002 (Postfix) with ESMTP id B9DE95E85AB for <captive-portals@ietf.org>; Thu, 1 Aug 2019 09:21:21 +0200 (CEST)
Received: from arekh.ddns.net (82-64-49-105.subs.proxad.net [82.64.49.105]) by lpn-prd-vrin002 (Postfix) with ESMTPA id 88C465E8594; Thu, 1 Aug 2019 09:21:21 +0200 (CEST)
Received: from cerebro.okg (box.okg [192.168.0.1]) by arekh.ddns.net (Postfix) with ESMTPSA id 1BEC822010A; Thu, 1 Aug 2019 09:21:19 +0200 (CEST)
Message-ID: <eae0db02c6e6d3fef40f83cedb8a8f54809608b1.camel@laposte.net>
From: Nicolas Mailhot <nicolas.mailhot@laposte.net>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: captive-portals@ietf.org
Date: Thu, 01 Aug 2019 09:21:19 +0200
In-Reply-To: <16793.1564606845@localhost>
References: <CAKD1Yr32DXr8fYHP_x7z9pQWwSchey8zQW11vw02bW9ONEV8Kg@mail.gmail.com> <01ad5bf0-1f60-4dbb-aa83-31d14fce6082@www.fastmail.com> <CAKD1Yr08LmfDhmDLqpR87iQQ4Z61CVpR9BTDeRHobpsvVxFJvA@mail.gmail.com> <CADo9JyW6TmBnr5f0AuSXKnKMXnMxGhMkgYbGQ1WYOQjSMefy=w@mail.gmail.com> <CAKD1Yr1Zo0NQod=p4ZqT6fJYJ=Xqh1q8eJT2+ich+p7Jmg1WiA@mail.gmail.com> <CADo9JyX1T8AnxirXLfGdcJzmjvy5_UGJktnbYByAuO7H++y8uA@mail.gmail.com> <CAKD1Yr0C_KEUpGUC-wbAV-ufG_VpNposecmzNQU5rEXaCeSZNQ@mail.gmail.com> <26405.1564182227@dooku.sandelman.ca> <CAKxhTx_CngPfs3V8sZ5n0SYbTN4zcu3L_cvGuLpbLJOZYu-1Kg@mail.gmail.com> <14eba834-e18a-4324-8baa-3a8b90cdaec4@www.fastmail.com> <CAFaTyiG_LxmyaSvBcqKgkYb9-SiaMcDr1khPV7oV-AVs85_x8g@mail.gmail.com> <16883.1564590555@localhost> <99e64b26afc674f8411463b5ec55dde295e8c33d.camel@laposte.net> <16793.1564606845@localhost>
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.33.4 (3.33.4-2.fc31)
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-VR-FullState: 0
X-VR-Score: 0
X-VR-Cause-1: gggruggvucftvghtrhhoucdtuddrgeduvddrleeigdduudehucetufdoteggodetrfdotffvucfrrhho
X-VR-Cause-2: fhhilhgvmecunfetrffquffvgfenuceurghilhhouhhtmecuhedttdenucenucfjughrpefkuffhvfff
X-VR-Cause-3: jghftggfggfgsehtkeertddtreejnecuhfhrohhmpefpihgtohhlrghsucforghilhhhohhtuceonhhi
X-VR-Cause-4: tgholhgrshdrmhgrihhlhhhotheslhgrphhoshhtvgdrnhgvtheqnecuffhomhgrihhnpehhthhtphhh
X-VR-Cause-5: vggruggvrhhfihhrshhtrdhsohenucfkphepkedvrdeigedrgeelrddutdehnecurfgrrhgrmhepmhho
X-VR-Cause-6: uggvpehsmhhtphhouhhtpdhinhgvthepkedvrdeigedrgeelrddutdehpdhhvghloheprghrvghkhhdr
X-VR-Cause-7: uggunhhsrdhnvghtpdhmrghilhhfrhhomhepnhhitgholhgrshdrmhgrihhlhhhotheslhgrphhoshht
X-VR-Cause-8: vgdrnhgvthdprhgtphhtthhopegtrghpthhivhgvqdhpohhrthgrlhhssehivghtfhdrohhrghdprhgt
X-VR-Cause-9: phhtthhopehmtghrodhivghtfhesshgrnhguvghlmhgrnhdrtggrnecuvehluhhsthgvrhfuihiivgep
X-VR-Cause-10: td
X-VR-AvState: No
X-VR-State: 0
X-VR-State: 0
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/b_tIQgVYdTEi-1yZ7aMALqZmo6c>
Subject: Re: [Captive-portals] customizing API URLs vs ???
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Aug 2019 07:21:28 -0000

Le mercredi 31 juillet 2019 à 17:00 -0400, Michael Richardson a écrit :
> Nicolas Mailhot <nicolas.mailhot@laposte.net> wrote:
>     >> It probably occurs less in places like airports, hotels and
>     >> enterprises where there is more local operational clue.
> 
>     > In entrerprises the dhcp layer is mostly owned by desktop IT
> (ADs, in
>     > the hands of people still stuggling to come to terms with the
> way
>     > Microsoft adopted networking and the cloud with a vengeance)
> while
>     > access to the internal network (or from the "safe" internal
> network to
>     > the wild internet, or from low-security visitor networks to
> high-
>     > security internal networks) is managed by network or security
> teams.
> 
> I'm not sure why you are bringing up desktop IT when I mention
> DHCPv4.
> In an enterprise captive portal use, I would expect it would be for
> visitors.

There are lots of nuances in enterprise IT, it's not the binary
access/no access of a coffee shop. What computers are allowed to do and
see before the portal dialog is successful can vary wildly.

Plus, the bigger the org, the harder it is to make people work
toguether. There will be silos because humans can not stop themselves
from playing politics.

> What is your preference: does the client API have to have the client
> self-identify, or do we have to find a way to send unique URLs in
> IPv6 RAs?

The most robust solution would be for the client to be aware of the key
used by the infra to id its access. That may be a mac, or an IP, or (if
the http workgroup could get its act toguether) a token given to a
proxy gateway in a specific proxy-oriented http2+ frame to let things
pass through. That all depends on the network topology and the point
and protocol level at which gating occurs.

So basically you want the portal to tell the client "ok with this ID".

That means the client must send the correct kind of id in a http header
first.

So, probably:

1. define a rejected id portal message, with a field containing the
kind of id it expected (ip, mac, whatever, an unconstrained list with
some usual values defined in the rfc)

2. require the client auth request to contain a field with the proposed
id kind (matching the field in reject) and another with the id value

And then the client can either send the most usual kind of id to a
portal it knows nothing about, hoping to save a roundtrip, or send a
bogus kind of id, to learn what the portal expects, making privacy guys
happy. It becomes client policy the RFC needn't concern itself about.

Anything else will just set in stone a specific network architecture or
policy.

Field can be an http header of an xml/json/yaml field in the body. The
only thing that is sure to be encrypted, making privacy guys happy,
especially if the portal is very very far away from the gating point,
is something in the body.


Regards,

-- 
Nicolas Mailhot

v2.23.0 | Report a Bug | By Email