Re: [Captive-portals] A view from a WiFi provider on captive portal requirements, challenges and improvements
David Bird <dbird@google.com> Tue, 18 April 2017 17:08 UTC
Return-Path: <dbird@google.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E768A1200F1 for <captive-portals@ietfa.amsl.com>; Tue, 18 Apr 2017 10:08:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qw9Ofpu_6Vvv for <captive-portals@ietfa.amsl.com>; Tue, 18 Apr 2017 10:08:44 -0700 (PDT)
Received: from mail-qk0-x22e.google.com (mail-qk0-x22e.google.com [IPv6:2607:f8b0:400d:c09::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 66FD11292C5 for <captive-portals@ietf.org>; Tue, 18 Apr 2017 10:08:44 -0700 (PDT)
Received: by mail-qk0-x22e.google.com with SMTP id f133so135977781qke.2 for <captive-portals@ietf.org>; Tue, 18 Apr 2017 10:08:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=xd2MoNg4CNyZz7W2LasyAuKLb1rD/34U9irPZXh7yxQ=; b=voXHjFINTqXNT8LG3C+IXWNlM5BxOQIMzF78kqj9+nc3c5RH27mU7GJRuVL6/VRVx6 5jJ2Sy4+qWU6POqSNy7EDLd0SACq7R76NYUCpjYt8pgYPeeLHO342rVkbE3/33f/9t6v PALcmXN54cjoldJuTRcxkdizrd7zfnSNdo/KA3GfaWSBA6c2G/0/ZjkT/d+x+cx9fI2E saKeqhZAkoV0QdpyaZ+tNYf13btu8M8hktYO0Jeq9BnWUb9aVDnA2sfcQXYM5/mY2v2b 4XUKzsPoRScxuEFOBEvJNN+SVxF3aiLNWvI0sQphZM7tW6wnqGPjb8fWUPE3zfQuC8Td 3suw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=xd2MoNg4CNyZz7W2LasyAuKLb1rD/34U9irPZXh7yxQ=; b=AGPNzZDq8dqX8kje7i4OECr53Si6JTWQ5HPaAsclsoHR2tBGYOsZqv+IGiruGNAOoe tbUyO6hRyjpc5ZphgXPVzeFl6twbLGAl0P6HTMHkg4v//0RsOTunNc+zQSdkESCXlSQq ce0XWWQf4T1rLhHJhgS+a8XG4wCdykTWRqpQb5pm3g4aNVB+Qeu6TcQTsCOsMgbhAAyo xp8tB7DaVRbVMP4X8R30gEUDSGoZMQTcGuBlMRjulTCT5oyh0S+U/l9C60lu5LgbdgWa 2tJt/qETB1O4VcOEDEvCP/djF4su5tfh8VNnwYGUUOEf3t6yNj8xXSIdCXIH5RgQEDiz CipA==
X-Gm-Message-State: AN3rC/6WcQkwxboJJV1pQpHW6Gpk1Oue+j0IpOjxQlSU3Xlp2scLbwcl D1VdqFxmymtgosH3GXpJmmaVlR/cMDKfvgc=
X-Received: by 10.55.176.7 with SMTP id z7mr4527523qke.182.1492535323256; Tue, 18 Apr 2017 10:08:43 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.12.150.251 with HTTP; Tue, 18 Apr 2017 10:08:42 -0700 (PDT)
In-Reply-To: <026901d2b857$7c091040$741b30c0$@purplewifi.com>
References: <026901d2b857$7c091040$741b30c0$@purplewifi.com>
From: David Bird <dbird@google.com>
Date: Tue, 18 Apr 2017 10:08:42 -0700
Message-ID: <CADo9JyUr1NFnLRa5Sw4LBPuW9D7r5QWT2wnCY8xbkLQ_uwa-_g@mail.gmail.com>
To: James Wood <james.wood@purplewifi.com>
Cc: captive-portals@ietf.org
Content-Type: multipart/alternative; boundary="94eb2c06ff3ec24eac054d73f53b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/gcSeIbmB13XS4ZJb-6CHLLXYlR4>
Subject: Re: [Captive-portals] A view from a WiFi provider on captive portal requirements, challenges and improvements
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Apr 2017 17:08:58 -0000
Welcome and thanks for the input James! Comments in-line. On Tue, Apr 18, 2017 at 8:21 AM, James Wood <james.wood@purplewifi.com> wrote: > [snip] > 1. Security. Nobody prefers to join an open network, but most end up doing > because that's the way it is. The hype around Hotspot 2.0 came and went as > that was never really deisgned to help captive portals but rather for > seamless, non-interaction from the user. As a portal provider, we don't > want > that, we want to show a portal even if it's just a 'welcome back, you're > now > online' message. > > No doubt, Wi-Fi security is important in public access, but I'd argue outside the scope of the WG. While captive portals are often used on Open Wi-Fi, they are not limited to public access (there are LTE use-cases, for example). Also, security in public access transcends L1 security -- do you trust any wired LAN you plug into while in public places? HS2.0 (more or less) solves the public Wi-Fi security problem in that users trust their providers (albeit to varying degrees) and their providers have a relationship with the HS2.0 network provider. Even if deployed, this doesn't address situations where users have no trust relationship with the network provider and still want Wi-Fi (as most people, they assume Apps are increasingly using TLS and provide end-to-end security). > 2. More devices/browers/web servers are defaulting to checking/redirecting > to a HTTPs URL. As you know, when in a captive portal/walled garden state, > this will cause a problem because you can't intercept a HTTPs request > (rightly so!) to a captive portal page without a browser/certificate > warning. This breaks everything from the end user perspective. > > Yes, we need to fix this! It is disturbing that vendors commonly hijack https even with the security errors. > 3. Built-in OS captive popups provide limited browser > functionality/cookies/etc. When trying to offer login options like > Facebook, > it can really affect the user experience when cookies are not permitted or > other features disabled. The behaviour is also different per device. In > Android 5.0+, the captive portal window immediately dissappears when the > user is authenticated. This is a pain for us as we want to display a "you > are now online" page, or redirect the user to a landing page with > information etc. > > Very common problems. > 4. Walled garden. It's a nightmare having to manage lists of domains/IP's > across all the different vendors kit out there. For example to offer a > social login through Facebook we need to allow certain domains like > facebook.com, akamaihd.net and connect.facebook.net etc. This is all > static > lists inside an AP/controller, and would be a nightmare to update should > Facebook change the URLs they send authentication requests throught etc. > How > about some way to dynamicly pass back a list of domains as part of the DHCP > option or some other way to allow the operator to set the required domains > at time of connection? Or, how about, as part of the capport API, we are > able to send a list of domains back to the AP, so if someone chooses > Facebook, we open the Facebook domains for that MAC for a few minutes to > allow them to login. > > Managing the walled garden configuration is probably also outside the code of the WG. I don't think we should have any API inform the client directly of the walled garden as that information could be misleading, or wrong. I do agree that the real issue is having the walled garden configuration synchronized with the NAS/AP ... however, vendors do their own proprietary ways of doing this already. > Other thoughts... > > I had a look at "draft-wkumari-capport-icmp-unreach-02". I note that it > describes the example URL that could be returned as part of the captive > portal URL: https://wifi.domain.com/portal?icmp_session=10&policy_ > class=100. > However, what about the other traditional parameters that a captive portal > redirect injects? As a minimum, we need the ap_mac, client_mac and > login_url > to which we post the login request back to (traditional captive portal > login > request). Without such parameters, we cannot identify the venue/ap/client > and provide the relevant portal splash page and user specific options. I > may > have misunderstood this? > > This is an area where I expect discussion. If the DHCP server is integrated with the NAS, then the RFC7710 URL could contain all the necessary session-specific query string parameters and the additional parameters are just added. It is also possible that the RFC7710 URL is something like http://<NAS-IP>/redirect which the NAS responds to with a redirect to https://<real-portal-domain>/... with all the necessary parameters. This becomes implementation specific, but all the information required can be captured one way or another. > Does anyone here see Hotspot 2.0 (release 2 or further in particular) and > OSU as the answer? I don't think I do. It just doesn't seem to help us as a > provider but instead tries to be around getting the user online as quickly > and without any interaction. Providers are all for making it easy for users > to on board, but they need to get something out of it to make it pay. > > I think Hotspot 2.0 has its place and will get deployed... and addresses, imho, the security of Wi-Fi in public access. It is doing do with security and "auto-connect" in mind. One issue I think that remains is that post authentication, HS2.0 doesn't necessarily protect the data-plane on the LAN or send it back to the operator. I think operators will be selective in which networks they trust and partner with. I don't think this will replace captive portals on Open Wi-Fi or elsewhere. > I am more than willing to take any questions and offer as much insight as I > can. > > Thanks > > James > > > _______________________________________________ > Captive-portals mailing list > Captive-portals@ietf.org > https://www.ietf.org/mailman/listinfo/captive-portals >
- Re: [Captive-portals] A view from a WiFi provider… Dave Dolson
- Re: [Captive-portals] A view from a WiFi provider… David Bird
- Re: [Captive-portals] A view from a WiFi provider… James Wood
- Re: [Captive-portals] A view from a WiFi provider… Joel Jaeggli
- Re: [Captive-portals] A view from a WiFi provider… Erik Kline