Re: [Captive-portals] Review of draft-ietf-capport-rfc7710bis
Remi NGUYEN VAN <reminv@google.com> Mon, 29 July 2019 03:51 UTC
Return-Path: <reminv@google.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95B731200DF for <captive-portals@ietfa.amsl.com>; Sun, 28 Jul 2019 20:51:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.5
X-Spam-Level:
X-Spam-Status: No, score=-17.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z6S4zXvDPa6H for <captive-portals@ietfa.amsl.com>; Sun, 28 Jul 2019 20:51:22 -0700 (PDT)
Received: from mail-io1-xd34.google.com (mail-io1-xd34.google.com [IPv6:2607:f8b0:4864:20::d34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CFA101200D5 for <captive-portals@ietf.org>; Sun, 28 Jul 2019 20:51:21 -0700 (PDT)
Received: by mail-io1-xd34.google.com with SMTP id h6so30451753iom.7 for <captive-portals@ietf.org>; Sun, 28 Jul 2019 20:51:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=CU6UMWUEyzVDxFRqDn0JM9vsbfG6w48ldDrPHVAQgL8=; b=mN+/vFYWaqMtTymLTpQtq8PDWziOz4j979igJubIftJKuAUWw/nUEHTLQE9eIaAO7A 3QhiBmmEX7GJROEZB8O89IRsL+LcA7STaMaMuUuuylTm3HKhNiBNMLJaHNG3o0QtGu2r 94wrseTjfMJj524DYA0Fx9GyPLamq7L/wetiX6IIjolwYiCMkyu+GYM7zwyH9MV0Tjr+ x3DOyFY0w1ACjbEvNOd8MR/cgTGqbDWQ6uDL4MTk9wwb4Qm550D+V+1z6cKkuO1/HONT WlAEe0L2CQRsZkAHoNdC6Dt6E0tXG4HMvmndAEvT6TuXjSSm8LaawHVYU6J+qadM8kWo sJtA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=CU6UMWUEyzVDxFRqDn0JM9vsbfG6w48ldDrPHVAQgL8=; b=jJdvoUh90ZncPipPgHLXDza/ESqTNWgA9vGPtgOIRnxZKPAjJ/RxAT5tglmzpKwLsV 5mLVQ3Z3PWxB19m3eDRU6+dAeBVrTdwuUJ9DR3SEbHChJWGJjk5xN4SbfZdqmbthGRCV nzWyQZm9D2aMZ1vtzuzx7SsS7FI6C5zJXlGrHXT4lKFD2Dz6lPuBxJ48gK5HdbiklVgp pMUAWPGRPTEBOwoOdkmO7SJOxa9xA044hOUBZZMlkYFxZZBM2SC9D4RzYo5hz6fbw9RD FE2Y7b+bRelDzPwLkf16AMAMV05SSS+tlXNx2LyXGzUjicQxVysbR8nr0PfSlGsy6w/K +T4w==
X-Gm-Message-State: APjAAAVH8ihzU6KKDFH6WJlFCBqFrUQ3rcF9fEiVASnU3fuhFrINZSWb fwSSpzb2R72oR+u14VgSDsjeeUke3OF3XOtwEKNrHX4I
X-Google-Smtp-Source: APXvYqxVF5XZoa+Jav7Os0nwZ/pXIi0nHSIg5C7jAGqV+Of48ZZeYGtypcNCaRPQAdJ8f1DPR/tk3aBf4v8g9XvZSf8=
X-Received: by 2002:a6b:4101:: with SMTP id n1mr73453799ioa.138.1564372280636; Sun, 28 Jul 2019 20:51:20 -0700 (PDT)
MIME-Version: 1.0
References: <CAKD1Yr32DXr8fYHP_x7z9pQWwSchey8zQW11vw02bW9ONEV8Kg@mail.gmail.com> <01ad5bf0-1f60-4dbb-aa83-31d14fce6082@www.fastmail.com> <CAKD1Yr08LmfDhmDLqpR87iQQ4Z61CVpR9BTDeRHobpsvVxFJvA@mail.gmail.com> <CADo9JyW6TmBnr5f0AuSXKnKMXnMxGhMkgYbGQ1WYOQjSMefy=w@mail.gmail.com> <CAKD1Yr1Zo0NQod=p4ZqT6fJYJ=Xqh1q8eJT2+ich+p7Jmg1WiA@mail.gmail.com> <CADo9JyX1T8AnxirXLfGdcJzmjvy5_UGJktnbYByAuO7H++y8uA@mail.gmail.com> <CAKD1Yr0C_KEUpGUC-wbAV-ufG_VpNposecmzNQU5rEXaCeSZNQ@mail.gmail.com> <26405.1564182227@dooku.sandelman.ca>
In-Reply-To: <26405.1564182227@dooku.sandelman.ca>
From: Remi NGUYEN VAN <reminv@google.com>
Date: Mon, 29 Jul 2019 12:51:08 +0900
Message-ID: <CAKxhTx_CngPfs3V8sZ5n0SYbTN4zcu3L_cvGuLpbLJOZYu-1Kg@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: captive-portals <captive-portals@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="0000000000001e9d16058ec9ce10"
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/croUkAiWj5gEbfZnM6jI2LoO1jM>
Subject: Re: [Captive-portals] Review of draft-ietf-capport-rfc7710bis
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Jul 2019 03:51:25 -0000
So to summarize, we've got a problem where the WLAN controller has some rules to know who is blocked / allowed (probably based on mac address ?), and can advertise a single API URL through DHCP / RAs / Link-Relation and generate redirects, but does not have capabilities to serve login pages or the API: this is handled by another box upstream which has more capabilities like handling payment pages etc, and holds the SSL certs. Because the API uses HTTPS (contrary to lots of login pages), the WLAN controller can't easily insert identity of the requestor in the request and the API has no way to know who it's replying to. Since we can't advertise different addresses for different clients in RAs, how about having the client add a session identifier in their API requests ? Having the client add a mac address in an HTTP request header field would be a solution. Many devices are using random per-SSID mac addresses now, so this sounds like a reasonable identifier for the device to give to the API server (which could get it anyway through some complicated setup). It would be possible for clients to make requests for API data of other clients (assuming they know their mac address), but that's already possible by spoofing the address anyway. Cheers, Remi On Sat, Jul 27, 2019 at 8:04 AM Michael Richardson <mcr+ietf@sandelman.ca> wrote: > > Lorenzo Colitti <lorenzo=40google.com@dmarc.ietf.org> wrote: > > Is there a problem with saying that the portal server should > identify the > > device by IP address? > > Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org> wrote: > > To that end, any enforcement of other traffic (such as normal web > page > > loading) will not be carrying any session identifier, so only signals > > that are already present in the packets, such as the IP address, are > > effectively useful here. > > It's not obvious to me that you are talking about the same thing! > The portal server *could* use IP address as the key by which to identify > the device to the Captive Portal Enforcer. > > That requires that the access to the Captive Portal Server to always > be on the same side of a NAT44 as the client, and I don't think that is > realistic given how these services are outsourced. > > (In architecture-04, we have "Captive Portal Enforcement", which seems > to be an activity, while the description is about a thing. So I think > that either the word "Point" should be added, or Enforcement->Enforcer) > > The Captive Portal Enforcer SHOULD enable traffic based upon the mapped > L2 address, otherwise, there would have to be a new portal session for > IPv4 and IPv6, and for each new IPv6 temporary/privacy address. > I don't think we want that. It would also, I think, force the portal > server to speak both v4 and v6. > > The communication between Captive Portal Server and Captive Portal Enforcer > COULD identify the client by L3 address, but I wouldn't want to build > things > that way, because it would result in a poor experience for returning users, > such as sleepy phones, or hotel guests that might leave the hotel and then > return later in the day, and expect their 24hr pass to just work, despite > DHCP leases being much shorter. > > -- > Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works > -= IPv6 IoT consulting =- > > > > _______________________________________________ > Captive-portals mailing list > Captive-portals@ietf.org > https://www.ietf.org/mailman/listinfo/captive-portals >
- [Captive-portals] Review of draft-ietf-capport-rf… Lorenzo Colitti
- Re: [Captive-portals] Review of draft-ietf-cappor… Martin Thomson
- Re: [Captive-portals] Review of draft-ietf-cappor… Lorenzo Colitti
- Re: [Captive-portals] Review of draft-ietf-cappor… David Bird
- Re: [Captive-portals] Review of draft-ietf-cappor… Martin Thomson
- Re: [Captive-portals] Review of draft-ietf-cappor… Lorenzo Colitti
- Re: [Captive-portals] Review of draft-ietf-cappor… David Bird
- Re: [Captive-portals] Review of draft-ietf-cappor… Martin Thomson
- Re: [Captive-portals] Review of draft-ietf-cappor… David Bird
- Re: [Captive-portals] Review of draft-ietf-cappor… David Bird
- Re: [Captive-portals] Review of draft-ietf-cappor… Martin Thomson
- Re: [Captive-portals] Review of draft-ietf-cappor… Lorenzo Colitti
- Re: [Captive-portals] Review of draft-ietf-cappor… Tommy Pauly
- Re: [Captive-portals] Review of draft-ietf-cappor… Michael Richardson
- Re: [Captive-portals] Review of draft-ietf-cappor… Remi NGUYEN VAN
- Re: [Captive-portals] Review of draft-ietf-cappor… Martin Thomson
- Re: [Captive-portals] Review of draft-ietf-cappor… Chris Spencer
- Re: [Captive-portals] Review of draft-ietf-cappor… Martin Thomson
- Re: [Captive-portals] Review of draft-ietf-cappor… Remi NGUYEN VAN
- [Captive-portals] customizing API URLs vs ??? Michael Richardson
- Re: [Captive-portals] customizing API URLs vs ??? Nicolas Mailhot
- Re: [Captive-portals] customizing API URLs vs ??? Michael Richardson
- Re: [Captive-portals] customizing API URLs vs ??? Nicolas Mailhot