IETF Logo Mail Archive

Re: [Captive-portals] Review of draft-ietf-capport-rfc7710bis

Michael Richardson <mcr+ietf@sandelman.ca> Fri, 26 July 2019 23:03 UTC

Return-Path: <mcr@sandelman.ca>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B416112019C for <captive-portals@ietfa.amsl.com>; Fri, 26 Jul 2019 16:03:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VfPbb0DPJnFS for <captive-portals@ietfa.amsl.com>; Fri, 26 Jul 2019 16:03:54 -0700 (PDT)
Received: from relay.sandelman.ca (relay.cooperix.net [176.58.120.209]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D4238120191 for <captive-portals@ietf.org>; Fri, 26 Jul 2019 16:03:53 -0700 (PDT)
Received: from dooku.sandelman.ca (unknown [75.98.19.134]) by relay.sandelman.ca (Postfix) with ESMTPS id 6FCA31F44B for <captive-portals@ietf.org>; Fri, 26 Jul 2019 23:03:51 +0000 (UTC)
Received: by dooku.sandelman.ca (Postfix, from userid 179) id AC0771A97; Fri, 26 Jul 2019 19:03:47 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: captive-portals@ietf.org
In-reply-to: <CAKD1Yr0C_KEUpGUC-wbAV-ufG_VpNposecmzNQU5rEXaCeSZNQ@mail.gmail.com>
References: <CAKD1Yr32DXr8fYHP_x7z9pQWwSchey8zQW11vw02bW9ONEV8Kg@mail.gmail.com> <01ad5bf0-1f60-4dbb-aa83-31d14fce6082@www.fastmail.com> <CAKD1Yr08LmfDhmDLqpR87iQQ4Z61CVpR9BTDeRHobpsvVxFJvA@mail.gmail.com> <CADo9JyW6TmBnr5f0AuSXKnKMXnMxGhMkgYbGQ1WYOQjSMefy=w@mail.gmail.com> <CAKD1Yr1Zo0NQod=p4ZqT6fJYJ=Xqh1q8eJT2+ich+p7Jmg1WiA@mail.gmail.com> <CADo9JyX1T8AnxirXLfGdcJzmjvy5_UGJktnbYByAuO7H++y8uA@mail.gmail.com> <CAKD1Yr0C_KEUpGUC-wbAV-ufG_VpNposecmzNQU5rEXaCeSZNQ@mail.gmail.com>
Comments: In-reply-to Lorenzo Colitti <lorenzo=40google.com@dmarc.ietf.org> message dated "Thu, 25 Jul 2019 14:43:54 -0400."
X-Mailer: MH-E 8.6; nmh 1.6; GNU Emacs 24.5.1
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Fri, 26 Jul 2019 19:03:47 -0400
Message-ID: <26405.1564182227@dooku.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/bngq0jvpNibdPs3CFwJpQC2JAFY>
Subject: Re: [Captive-portals] Review of draft-ietf-capport-rfc7710bis
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Jul 2019 23:03:56 -0000

Lorenzo Colitti <lorenzo=40google.com@dmarc.ietf.org> wrote:
    > Is there a problem with saying that the portal server should identify the
    > device by IP address?

Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org> wrote:
    > To that end, any enforcement of other traffic (such as normal web page
    > loading) will not be carrying any session identifier, so only signals
    > that are already present in the packets, such as the IP address, are
    > effectively useful here.

It's not obvious to me that you are talking about the same thing!
The portal server *could* use IP address as the key by which to identify
the device to the Captive Portal Enforcer.

That requires that the access to the Captive Portal Server to always
be on the same side of a NAT44 as the client, and I don't think that is
realistic given how these services are outsourced.

(In architecture-04, we have "Captive Portal Enforcement", which seems
to be an activity, while the description is about a thing.  So I think
that either the word "Point" should be added, or Enforcement->Enforcer)

The Captive Portal Enforcer SHOULD enable traffic based upon the mapped
L2 address, otherwise, there would have to be a new portal session for
IPv4 and IPv6, and for each new IPv6 temporary/privacy address.
I don't think we want that.  It would also, I think, force the portal
server to speak both v4 and v6.

The communication between Captive Portal Server and Captive Portal Enforcer
COULD identify the client by L3 address, but I wouldn't want to build things
that way, because it would result in a poor experience for returning users,
such as sleepy phones, or hotel guests that might leave the hotel and then
return later in the day, and expect their 24hr pass to just work, despite
DHCP leases being much shorter.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email