IETF Logo Mail Archive

Re: [Captive-portals] Use Case: "Carrier Grade Captive Portal"

Tommy Pauly <tpauly@apple.com> Tue, 11 July 2017 03:13 UTC

Return-Path: <tpauly@apple.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8236E129B33 for <captive-portals@ietfa.amsl.com>; Mon, 10 Jul 2017 20:13:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2p-MHl3StXy0 for <captive-portals@ietfa.amsl.com>; Mon, 10 Jul 2017 20:13:34 -0700 (PDT)
Received: from mail-in23.apple.com (mail-out23.apple.com [17.171.2.33]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D921512EC13 for <captive-portals@ietf.org>; Mon, 10 Jul 2017 20:13:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=apple.com; s=mailout2048s; c=relaxed/simple; q=dns/txt; i=@apple.com; t=1499742813; h=From:Sender:Reply-To:Subject:Date:Message-id:To:Cc:MIME-version:Content-type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-reply-to:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=PcEDG7A10ovXrp+EwUDMcrU1uzX8cLOo9ryCTfshuUk=; b=txhNG6rKxjDPrO72X1G/bkGI+UR6NydcwVMnMXvA/vMLnZRJtd1zHmlRc11CGZRN nh9ppS/Fj7MWJLKssdmoThw76TmmmimCKLKwzg+O0OhcE0somNB4tUW6iG13PGqT cef/Neoqabwm+G1i6M9ygUtwb0Dqknt/OOfOm8kVIfC+gq+6qQ679nQgra4r/VS7 lXNzmuPBlTuALeIZ2tV314TmH+Gnesi1UOYSWTD+j4momsr09PkQJSrODOyB4tYp 4thju6sSEIjHQFh0nkPo+1RiLq1mIEirGLNQIcmwEMsNa1Ge5SwpYu+n24if8X9s WHXEj3ilidPxQtBF7OIxIA==;
Received: from relay4.apple.com (relay4.apple.com [17.128.113.87]) (using TLS with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail-in23.apple.com (Apple Secure Mail Relay) with SMTP id AD.E3.08001.C5244695; Mon, 10 Jul 2017 20:13:33 -0700 (PDT)
X-AuditID: 11ab0217-c21ff70000001f41-41-5964425b310d
Received: from nwk-mmpp-sz12.apple.com (nwk-mmpp-sz12.apple.com [17.128.115.204]) by relay4.apple.com (Apple SCV relay) with SMTP id FE.F0.06992.B5244695; Mon, 10 Jul 2017 20:13:31 -0700 (PDT)
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_PNKqFKT2gSv4mN4sBuaSxw)"
Received: from [17.234.24.3] (unknown [17.234.24.3]) by nwk-mmpp-sz12.apple.com (Oracle Communications Messaging Server 8.0.1.2.20170210 64bit (built Feb 10 2017)) with ESMTPSA id <0OSW00D2HOYJ9P50@nwk-mmpp-sz12.apple.com>; Mon, 10 Jul 2017 20:13:31 -0700 (PDT)
Sender: tpauly@apple.com
From: Tommy Pauly <tpauly@apple.com>
Message-id: <F2639652-C1C6-4BED-BDFA-E3EE1B722D07@apple.com>
Date: Mon, 10 Jul 2017 20:13:30 -0700
In-reply-to: <E8355113905631478EFF04F5AA706E9870638DF6@wtl-exchp-1.sandvine.com>
Cc: "Eric Vyncke (evyncke)" <evyncke@cisco.com>, "captive-portals@ietf.org" <captive-portals@ietf.org>, David Bird <dbird@google.com>
To: Dave Dolson <ddolson@sandvine.com>
References: <201705031442.50683.heiko.folkerts@bsi.bund.de> <E8355113905631478EFF04F5AA706E98705C6C57@wtl-exchp-1.sandvine.com> <CAHw9_iJARf4MUA8nHqHA54jLvJNq-_Vek67A-rjHpSK6vC7r+Q@mail.gmail.com> <1BB90528-B35F-43F0-AF18-0215DC735FF0@cable.comcast.com> <CABkgnnWT6Xtqyx6pofpNOGa5E1FjJO1gPX1axmmiRaMnzxdoPg@mail.gmail.com> <AD3F2B14-E9AD-4156-96A6-9B83F8545B54@cable.comcast.com> <754719c5-c74c-fbdc-405e-b8c91478c0a5@netcologne.de> <CAAedzxoZkuauME8n3B3aZqE1rra8p2hB9rGJLqoYyVi8usnx+g@mail.gmail.com> <CADo9JyVsfVYTPQjHiEn1JcJ=_NzOOvtWjbuCZdQ-4jsRPpz2wQ@mail.gmail.com> <E8355113905631478EFF04F5AA706E987061FACA@wtl-exchp-1.sandvine.com> <CE7B0AC2-8803-41B5-9B0B-EB1217A5A8EC@cisco.com> <E8355113905631478EFF04F5AA706E98706252AA@wtl-exchp-1.sandvine.com> <E4CEB868-5100-4F7E-8AB7-2826F56D4BA7@apple.com> <E8355113905631478EFF04F5AA706E9870638DF6@wtl-exchp-1.sandvine.com>
X-Mailer: Apple Mail (2.3439)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrFLMWRmVeSWpSXmKPExsUi2FAYrhvrlBJpcKyXzWLurAZWi08/tjNa bF32kN3iy/4FjA4sHlN+b2T1WLCp1GPJkp9MHl83b2cNYInisklJzcksSy3St0vgylj79yN7 wdKTzBWXHh5nbmA8NoG5i5GTQ0LARKJ5aj9bFyMXh5DAGiaJnv4nTDCJ1dteM0MkDjFKNO68 yAiS4BUQlPgx+R4LiM0sECbxuPUUI0RRN5PEnJ5JQA4Hh7CAhMTmPYkgNWwCKhLHv21ghui1 kTj2eBUriC0s4C5x7MUbsJksAqoSK5/3gs3kFAiQmNl8lwlkJrNAJ6PEhA07wJpFBNQklt74 xAqxrIld4sur06wgyyQEZCWW/gkBiUsILGOXaJyyg2UCo9AsJMfOQnLsLKAWZgF1iSlTciHC 2hJP3l1ghbDVJBb+XsSELL6AkW0Vo3BuYmaObmaekbFeYkFBTqpecn7uJkZQ5KxmEt/B+Pm1 4SFGAQ5GJR5ejbfJkUKsiWXFlbmHGKU5WJTEeU8oAoUE0hNLUrNTUwtSi+KLSnNSiw8xMnFw SjUwdgp3zmp89sG+v948Jl7cTIpFRjj1xWwmdYao3fcnzRfeJhYb/EUla+YD04qflxttM3VX vNgQ0rqy5Jg2U+WfvzZMCid5DB1CU7rYr9XayWlPU13z/OiFCvF6uSXLTqt3W78/avc2/Fz1 4rtip67c8phqlP/C9+/WyNK2d6LzVOR/7mToNb6lxFKckWioxVxUnAgAEPyoeH0CAAA=
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrEKsWRmVeSWpSXmKPExsUi2FB8RjfaKSXSYOolbYu5sxpYLT792M5o sXXZQ3aLL/sXMDqweEz5vZHVY8GmUo8lS34yeXzdvJ01gCXK2iYtv6g8sShFoSi5oMRWqTgj MSW/PN7S2MjUIbGgICdVLzk/V0nfziYlNSezLLUImZVgnbH270f2gqUnmSsuPTzO3MB4bAJz FyMnh4SAicTqba+BbC4OIYFDjBKNOy8ygiR4BQQlfky+xwJiMwuESTxuPcUIUdTNJDGnZxKQ w8EhLCAhsXlPIkgNm4CKxPFvG5ghem0kjj1exQpiCwu4Sxx78QZsJouAqsTK571gMzkFAiRm Nt9lApnJLNDJKDFhww6wZhEBNYmlNz6xQixrYpf48uo0K8gyCQFZiaV/QiYw8s9Cct8sJPfN AqpiFlCXmDIlFyKsLfHk3QVWCFtNYuHvRUzI4gsY2VYxChSl5iRWmujBQ3ATIziSCsN3MP5b ZnWIUYCDUYmHV6A3OVKINbGsuDIXGEgczEoivDniKZFCvCmJlVWpRfnxRaU5qcWHGPczAn05 kVlKNDkfGOd5JfGGxhbGliYWBgYmlmYmhIVNTAxMjI3NjI3NTcxpKawkzmvCFxspJJCeWJKa nZpakFoE8wITB6dUA2OapISREzPvZkGeu/q7J71PdheI9v8ZdHRn7foeA98KpStxP0RXufx5 9NnY8ePJvqdRU/r4frne/fp6p7GzWsTtf/ZHZN6VvO3l3FW+6c1dVf1jLj2dq0XertSbmVjL cinpxPT5bUovDr29Wyn17OK8rztDP4r3SZyWnO/RWvHvC4ffTJlH61iUWIDp21CLuag4EQDo 2F4hRQMAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/nYrZXzyTXe6mOoaXEM9L2LYKcWQ>
Subject: Re: [Captive-portals] Use Case: "Carrier Grade Captive Portal"
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Jul 2017 03:13:37 -0000

Hi Dave,

> On Jul 10, 2017, at 8:54 AM, Dave Dolson <ddolson@sandvine.com> wrote:
> 
> At the last meeting, I think we heard, “PvDs can help solve this problem.”
> (This seems to me to be true.)
> Are the PvD authors backing away from this assertion?

No, we’re definitely still saying that PvDs can help solve the Captive Portal problem. The details of the JSON aren’t in latest revision of the main PvD document just to focus the scope of the draft, but the idea would be that the PvD provisioning information would be how you bootstrap captive portal discovery.

>  
> I think there are two aspects:
> 1.       The PvD data structures on the end-user device, which track captivity state per PvD. (RFC 7556 discusses connectivity tests per PvD.)
> 2.       Whether the PvD protocol explicitly conveys the captive-portal concept.
>  
> If I understand correctly, (1) could be achieved even if capport information is conveyed in DHCP or RAs (vs. in the PvD protocol).
> However, that points to yet another API to query.

You’re correct. A client device can keep track of PvD information and already should associate captivity when discovered with the implicit PvD. Part (2) is saying that if we are doing external PvD discovery anyway, it should include captivity information. This is how we avoid the extra API to call.
>  
> I think that draft-bruneau-intarea-provisioning-domains has addressed a problem more generic than the CAPPORT API problem.
> And therefore I’m feeling it is still worth pursuing.

Right, the draft is more generic than the captive portal right now. I could imagine that we make sure that the CAPPORT solution references and works well with PvDs.

Thanks,
Tommy
>  
>  
> I think Tommy makes a great point that there is value in explicitly indicating, “this is not a captive portal”. This ought to speed up network association.
>  
>  
> -Dave
>  
>  
>  
> From: tpauly@apple.com <mailto:tpauly@apple.com> [mailto:tpauly@apple.com <mailto:tpauly@apple.com>] 
> Sent: Saturday, July 8, 2017 9:15 PM
> To: Dave Dolson
> Cc: Eric Vyncke (evyncke); captive-portals@ietf.org <mailto:captive-portals@ietf.org>; David Bird
> Subject: Re: [Captive-portals] Use Case: "Carrier Grade Captive Portal"
>  
>  
> 
> 
> On Jun 27, 2017, at 12:46 PM, Dave Dolson <ddolson@sandvine.com <mailto:ddolson@sandvine.com>> wrote:
>  
> Eric,
> Do I understand correctly from https://tools.ietf.org/html/draft-bruneau-intarea-provisioning-domains-00#section-5.5 <https://tools.ietf.org/html/draft-bruneau-intarea-provisioning-domains-00#section-5.5>
> that the intention is for the JSON key “captivePortal” to indicate that the specified URL is to be visited by the browser to navigate the requirements for exiting captivity?
>  
> If so, would you say this URL should be used in place of performing a capport detection strategy (e.g., canary HTTP request)?
>  
> The idea with explicit PvD discovery is that it would, as a step, replace a separate captive portal detection strategy.
>  
> My overall concern with discovery mechanisms that are specific to only captive portals is that this is an extra step that is performed potentially on every network association, that may have limited extensibility for non-captive use cases. Since the explicit PvD design promises a way to discover many properties beyond captivity, and is bootstrapped very early on in the network association, it should hopefully allow clients to avoid the extra probe.
> 
> 
>  
>  
>  
> Note: the same “captivePortal” key is also defined in section 5.3 as a Boolean. Should I consider this to be a defect in the draft, or am I missing something?
>  
> The updated version of the draft (https://tools.ietf.org/html/draft-bruneau-intarea-provisioning-domains-01 <https://tools.ietf.org/html/draft-bruneau-intarea-provisioning-domains-01>) leaves out the specific keys for captive portals, and discusses it more abstractly. That would be a good thing to nail down at the Prague meeting. If PvD detection is done generically on network association, then a boolean or some way to indicate that this is *not* a captive portal will allow the device to not perform extra probing. If there is a captive network, we should be able to get the page or instructions on how to get beyond captivity.
>  
> Thanks,
> Tommy
> 
> 
>  
> -Dave
>  
>  
>  
> From: Eric Vyncke (evyncke) [mailto:evyncke@cisco.com <mailto:evyncke@cisco.com>] 
> Sent: Sunday, June 25, 2017 8:27 PM
> To: Dave Dolson; captive-portals@ietf.org <mailto:captive-portals@ietf.org>
> Cc: David Bird
> Subject: Re: [Captive-portals] Use Case: "Carrier Grade Captive Portal"
>  
> At least Erik Kline and myself are following the captive-portal list :-)
>  
> And the more we think about it, PvD could really be useful and we, the PvD I-D authors, would be pleased to present at your WG
>  
> -éric
>  
> From: Captive-portals <captive-portals-bounces@ietf.org <mailto:captive-portals-bounces@ietf.org>> on behalf of Dave Dolson <ddolson@sandvine.com <mailto:ddolson@sandvine.com>>
> Date: Friday 23 June 2017 at 11:57
> To: "captive-portals@ietf.org <mailto:captive-portals@ietf.org>" <captive-portals@ietf.org <mailto:captive-portals@ietf.org>>
> Cc: David Bird <dbird@google.com <mailto:dbird@google.com>>
> Subject: Re: [Captive-portals] Use Case: "Carrier Grade Captive Portal"
>  
> [resend with fewer recipients to avoid mailing list problems]
>  
> To echo David’s request,
> > If the authors of the PvD concept (re-)present their I-D to the mailing list, and stick around for discussion, that would be helpful.
>  
>  
> From: David Bird [mailto:dbird@google.com <mailto:dbird@google.com>] 
> Sent: Wednesday, June 14, 2017 9:36 AM
> To: Erik Kline
> Cc: Gunther Nitzsche; Mark Townsley; Heiko Folkerts; Martin Thomson; captive-portals@ietf.org <mailto:captive-portals@ietf.org>; Livingood, Jason; Herzig, Willi; Warren Kumari; Dave Dolson
> Subject: Re: [Captive-portals] Use Case: "Carrier Grade Captive Portal"
>  
> On Sun, Jun 11, 2017 at 11:17 PM, Erik Kline <ek@google.com <mailto:ek@google.com>> wrote:
> I'm not sure we have enough input on whether 511 is useful or not.  There seemed to be some suggestion it would help, and some that it wouldn't.  Perhaps one question we could ask is whether it's harmful?  And if we agree it's not harmful, is it worth developing some recommendations for its use?
>  
>  
> In of itself, I don't believe it is harmful. However, if vendors use it as a reason to continue to terminate TLS connection in order to deliver the 511, then perhaps it is a bit harmful - or at least misleading. As the world moves to TLS (and QUIC), I think the time for the 511 code has already passed, to some degree. That, combined with the fact you may still have browsers not handling that return code properly, I don't see the value for any vendor or venue to implement this.
>  
>  
> As for the ICMP unreachable option, I certainly don't think it would be harmful (with the extra URL bits removed for now).  Is that something we wish to progress?
>  
>  
> I will work on a new draft that is only the basics. The additional fields could always be add in their own draft as extensions. 
>  
>  
> Given that we're probably looking at a portal detection method based on entirely new work, it seems to me we're free to look at new things like utilizing the PVD detection scheme (DNS queries for "provisioning domain names", followed by other interaction still TBD).  Have the portal implementors reviewed this and given consideration as to whether its useful?  (I think of the discovery of the portal and subsequent interaction with it as 2 separate processes conducted, obviously, in serial.)
>  
>  
> I believe there are several talking points here, as the PvD method seems to have several possible implementations. 
>  
> I think requiring Ipv6 to configure Ipv4 is weird (I believe that was one proposed method to convey configuration)
>  
> Several points I made in the thread "Arguments against any Capport API" regarding a web service - detached from the NAS - controlling the UE/station I think are relevant.
>  
> If the authors of the PvD concept (re-)present their I-D to the mailing list, and stick around for discussion, that would be helpful. 
>  
>  
> Thoughts?
> 
> _______________________________________________
> Captive-portals mailing list
> Captive-portals@ietf.org <mailto:Captive-portals@ietf.org>
> https://www.ietf.org/mailman/listinfo/captive-portals <https://www.ietf.org/mailman/listinfo/captive-portals>
>  
> _______________________________________________
> Captive-portals mailing list
> Captive-portals@ietf.org <mailto:Captive-portals@ietf.org>
> https://www.ietf.org/mailman/listinfo/captive-portals <https://www.ietf.org/mailman/listinfo/captive-portals>
>  
> _______________________________________________
> Captive-portals mailing list
> Captive-portals@ietf.org <mailto:Captive-portals@ietf.org>
> https://www.ietf.org/mailman/listinfo/captive-portals <https://www.ietf.org/mailman/listinfo/captive-portals>

v2.23.0 | Report a Bug | By Email