Re: [Captive-portals] Éric Vyncke's No Objection on draft-ietf-capport-architecture-08: (with COMMENT)
"Eric Vyncke (evyncke)" <evyncke@cisco.com> Tue, 09 June 2020 21:33 UTC
Return-Path: <evyncke@cisco.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36FCC3A0928; Tue, 9 Jun 2020 14:33:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.598
X-Spam-Level:
X-Spam-Status: No, score=-9.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=h+bgNDc/; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=k4/sPHKZ
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8AE2me9_OaVl; Tue, 9 Jun 2020 14:33:17 -0700 (PDT)
Received: from rcdn-iport-9.cisco.com (rcdn-iport-9.cisco.com [173.37.86.80]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1D8D83A0916; Tue, 9 Jun 2020 14:33:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=9332; q=dns/txt; s=iport; t=1591738397; x=1592947997; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=GnkPG9KzC4AmxmkkZRRzlGr7BjvauDtrS/r3jbRwRmE=; b=h+bgNDc/86JW455Ba14V9kIKRak2W2b0b1wgM2+bdvcv20Z0zBSIpzgG SR0q9ETC3bB/rmPBN6nVMn9ufUDCNPdt9K8UxZMduZf4XECBJcyisDC2q qClyI4sECxN3tsQkCV/hYXUtvyGf/iuSMuk0aJCccBShCpYylkNCVVBxZ A=;
IronPort-PHdr: 9a23:J8aLvRQbV5lV5TfERmvRBN43otpsv++ubAcI9poqja5Pea2//pPkeVbS/uhpkESQB92J4v1Fj+vdrrumUmsFst6Ns3EHJZpLURJNycAbhBcpD8PND0rnZOXrYCo3EIUnNhdl8ni3PFITFJP4YFvf8XS97DoTEQjkcwFyI7e9Fovblc/i0ee09tXaaBlJgzzoZ7R0IV22oAzdu9NQj5FlL/M6ywDCpT1DfOEFyA==
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0CgBQC2/99e/4oNJK1cAQkcAQEBAQEBBwEBEgEBBAQBAUCBSoFSUgeBRy8shCSDRgONQZhSgUKBEANVCwEBAQwBAS0CBAEBhEQCF4F+AiQ4EwIDAQELAQEFAQEBAgEGBG2FWwyFcgEBAQECARIREQwBASoNAQsEAgEIEQECAQIBAgImAgICMBUCAwMIAgQOBRsHgwSCTAMOIAGnJwKBOYhhdoEygwEBAQWFYhiCDgmBDiqCZIJThxwagUE/gREnHIFPfj6EEBEBFBiDFDOCLYp5g2kOFYJSPIk1iBeQPwqCWZNDaYRhAx2CbYkThRWNPYQLpwSEGgIEAgQFAg4BAQWBaiKBVnAVZQGCPlAXAg2QQAwXFYM6ilZ0NwIGAQcBAQMJAXuONWABAQ
X-IronPort-AV: E=Sophos;i="5.73,493,1583193600"; d="scan'208";a="690535122"
Received: from alln-core-5.cisco.com ([173.36.13.138]) by rcdn-iport-9.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 09 Jun 2020 21:33:08 +0000
Received: from XCH-RCD-001.cisco.com (xch-rcd-001.cisco.com [173.37.102.11]) by alln-core-5.cisco.com (8.15.2/8.15.2) with ESMTPS id 059LX814025344 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 9 Jun 2020 21:33:08 GMT
Received: from xhs-aln-002.cisco.com (173.37.135.119) by XCH-RCD-001.cisco.com (173.37.102.11) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Tue, 9 Jun 2020 16:33:07 -0500
Received: from xhs-aln-001.cisco.com (173.37.135.118) by xhs-aln-002.cisco.com (173.37.135.119) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Tue, 9 Jun 2020 16:33:07 -0500
Received: from NAM11-CO1-obe.outbound.protection.outlook.com (173.37.151.57) by xhs-aln-001.cisco.com (173.37.135.118) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Tue, 9 Jun 2020 16:33:07 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=G/KrNX6IxtWZeInXpBHZG3DgJe2ydqFf7xmQFkSl2+pFTuseLwr+d526Vuk/R/OmmXH9Xb+CZbIaG6j0NlluC+Bkm3fk1f4/P2m6TdmOol+YPK6hnBdaiNlafWqeuPsAy7dNbNrOIADDP+33//lwBih8BI5RdmNyIgY6qJuh4Wlq12ASbY3uiWs3zdQK21TQG03yydYQKuqswwEFndKsYw8BgMn+hNv6Dtwt8W7P20+pA1PNfwP39i14hjN3+Z/8/PYoQNX2WHtC7SBlAu7wpRwAT9wBvPUTUP5T3EqPOhKb77m72bqJJhTNjlWD1L+lGdMar/fjJOzorMHCQi9mIA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=GnkPG9KzC4AmxmkkZRRzlGr7BjvauDtrS/r3jbRwRmE=; b=gwGHeKUH5NghA608JbCAxFV1cTAT9R8tKVDDFOVNx2XeS0qlH2XkZDznebT+5YIkQcflCtONPnPDfhHSBGsS4y8JZMrqWboY5ZeXhT1RO2X1sYnwmt0XetdQTYaTHUb/RJ6iKo2QiOcBdHCJWJuVZHszfVSuNEecdJRvHPOYL6S1wQV4X0STnQp5YObAqMLdmInxNsEmkiHG8w/F0n9Xz8Aej1bbDoEbXd3Tt7UNfny3nDJMYJiK8OEyMI/GUeIm+MnArCnMMw10ogWQNvDfrjNq7Wht4ZvCEq4STB81DCESy0of/9Eo+zDyEkAx/RhXiNwjIUiIgp2laHqfggA6oA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=GnkPG9KzC4AmxmkkZRRzlGr7BjvauDtrS/r3jbRwRmE=; b=k4/sPHKZ98gtaeq69hdhXCqhkVTfj9STeIrtmq06sEPWFNEJAe3gDnl4chbd5ZOzvBoZNoPVRAt4rWseqC8YSCyZ9p7G4Qi+BLyEBYV0PCA09j5RNhf0DMYRtRIPEsoCFE73xqgs3Q0ALD/Soy7EyHELoETbKgux4cx65ZG9pB8=
Received: from DM5PR11MB1753.namprd11.prod.outlook.com (2603:10b6:3:10d::13) by DM5PR11MB0027.namprd11.prod.outlook.com (2603:10b6:4:6b::33) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3066.20; Tue, 9 Jun 2020 21:33:05 +0000
Received: from DM5PR11MB1753.namprd11.prod.outlook.com ([fe80::a14c:59b6:47b0:f630]) by DM5PR11MB1753.namprd11.prod.outlook.com ([fe80::a14c:59b6:47b0:f630%7]) with mapi id 15.20.3066.023; Tue, 9 Jun 2020 21:33:05 +0000
From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: Kyle Larose <kyle@agilicus.com>
CC: The IESG <iesg@ietf.org>, "draft-ietf-capport-architecture@ietf.org" <draft-ietf-capport-architecture@ietf.org>, "capport-chairs@ietf.org" <capport-chairs@ietf.org>, captive-portals <captive-portals@ietf.org>, Martin Thomson <mt@lowentropy.net>
Thread-Topic: Éric Vyncke's No Objection on draft-ietf-capport-architecture-08: (with COMMENT)
Thread-Index: AQHWPlud5bKfG7+TK0CBXB3Ry3RUfKjQ7+6A
Date: Tue, 09 Jun 2020 21:33:05 +0000
Message-ID: <DBD270C7-9B34-4CAF-A73B-13B135F38893@cisco.com>
References: <159162520700.29504.9009111229374325326@ietfa.amsl.com> <CACuvLgywX+6jejmcP6mvOQkcraGXpugv_DUjVev__ON3KaqFDw@mail.gmail.com>
In-Reply-To: <CACuvLgywX+6jejmcP6mvOQkcraGXpugv_DUjVev__ON3KaqFDw@mail.gmail.com>
Accept-Language: fr-BE, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.37.20051002
authentication-results: agilicus.com; dkim=none (message not signed) header.d=none;agilicus.com; dmarc=none action=none header.from=cisco.com;
x-originating-ip: [2001:420:c0c1:36:1f8:60ff:614c:5bec]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: e4ccd373-ceb1-4636-8b0d-08d80cbcb264
x-ms-traffictypediagnostic: DM5PR11MB0027:
x-microsoft-antispam-prvs: <DM5PR11MB002730A3A7C899CD1B3991BDA9820@DM5PR11MB0027.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 042957ACD7
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: FNYp6Qd56xUtz1uljacgrPOA3JJ0ZIXqvFxQwaKGZYAdmSiiCUHQsa9I3uA7HiZ4XnrEdH5Rk0MoKK1kRgylwZNJm0Bg1ypNs5aH5dtWOMqeE1XWQhS846+PGX27SguGolBWEl4syvIwApd1puWd3uxExhvKtBbVeiNQT7EEP72d/dC+eZf4RVQS4AQNHjXMAMWflXwvyQKU+obfrhNHhWPFQo23k+gUVC/X3KKgfRej0aScUtSXM8Ya14JAtAPS8hJ2yF71ocpt0+G7QR9AxilGzyT7+xHAdPHZ8Z6YxsFdzy24+3dPL0xxoDBpdV0p9bODK/8KRl2wYC8ImTy79A==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM5PR11MB1753.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(39860400002)(396003)(366004)(376002)(346002)(136003)(66574014)(86362001)(2906002)(186003)(53546011)(8936002)(6506007)(478600001)(6512007)(4326008)(83380400001)(54906003)(6486002)(2616005)(5660300002)(224303003)(316002)(64756008)(33656002)(91956017)(76116006)(36756003)(66946007)(6916009)(71200400001)(66556008)(66446008)(66476007); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: HFHxlXn2xBFMz/Ks1zLUlr+Qp0H17VJd/tLUNmo9/dgrktysDffS8OSBhVUiQeW6J0WRPkhxd4a++jiVeR3CHc0Pw5vQpqZq8CRsl2N61bcUpfv+KTz9g+TaF78xpDaf4L0/Rgap53Cdx8gpX0pprRIOv6wcR5N7T/XOdP07sSq0BtMUBrqSNVeHJTHoxSAIObPHkNkDHBmkvbeLIPLWLZtJu9AX/u5kK82wIQ5SzhlIclv0gXXkCrj+Dmu3oWV7Xuvv2XQX+FvwxdiYVEg7s0mbrYeIWmZz1N/P3lJWQyhkbCP6rXQY1u39NZxDzS3r8S5tUFHWgrJUCzRWajBxy0MkyXplkru9QTRtbPwsjxFePjDxdWDgTfpyMg/kWPZpa00jMUxq5ElW/hUILSCTF+KBqV7NRaHmrn2M5iuoqLXtBRvBxT6K/jYk5IavLGYMd6hyErv8XfRoSurftAo7vGsmrmp+qhAE5IbT5ZTxnlubNiamxZ0f2CD+LNjIX2BIB8/RRlrMpOsf3S2M7EvjEGHciaeir8NYhWqsOn2CWbs=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <4F3A216969ECDA4B8C7DC70E23555A74@namprd11.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: e4ccd373-ceb1-4636-8b0d-08d80cbcb264
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Jun 2020 21:33:05.7874 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: ywJujNNcbM0Lgc5jKwbo+a3mKltkDrtNRnB3gehV8hBstz/KgGtl4OA54uIaReSJqfwgihEDo3oc5qmSgtRxfg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR11MB0027
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.11, xch-rcd-001.cisco.com
X-Outbound-Node: alln-core-5.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/rR0ZsrCnP0DDtPFn4f9nRgJ7RO0>
Subject: Re: [Captive-portals] Éric Vyncke's No Objection on draft-ietf-capport-architecture-08: (with COMMENT)
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Jun 2020 21:33:19 -0000
Hello Kyle Thank you for the prompt reply, look for EV> for any remaining non-blocking comments of mine -eric -----Original Message----- From: Kyle Larose <kyle@agilicus.com> Date: Tuesday, 9 June 2020 at 14:43 To: Eric Vyncke <evyncke@cisco.com> Cc: The IESG <iesg@ietf.org>, "draft-ietf-capport-architecture@ietf.org" <draft-ietf-capport-architecture@ietf.org>, "capport-chairs@ietf.org" <capport-chairs@ietf.org>, captive-portals <captive-portals@ietf.org>, Martin Thomson <mt@lowentropy.net> Subject: Re: Éric Vyncke's No Objection on draft-ietf-capport-architecture-08: (with COMMENT) Hi Éric, Thanks for the review! Responses inline. On Mon, 8 Jun 2020 at 10:07, Éric Vyncke via Datatracker <noreply@ietf.org> wrote: > > Éric Vyncke has entered the following ballot position for > draft-ietf-capport-architecture-08: No Objection > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Thank you for the work put into this document. The document is easy to read. I > also appreciate the fact that "devices without user interfaces" are not ignored > by this document. > > Please find below a couple on non-blocking COMMENTs. A response/comment for > those COMMENT will be read with interest. > > I hope that this helps to improve the document, > > Regards, > > -éric > > == COMMENTS == > > Is there a reason why the words "captive portal" do not appear in the abstract? > This would assist normal human beings (outside of the WG) to find the document. > Good point! We'll fix that up. > I found no text about what happens to the traffic inside the captive network. > Is it allowed even when still in captive mode ? This would be up to the network operator, I suppose -- they define the extent of the walled garden. The only hosts that must be reachable are any necessary to perform the workflows related to gaining access. The document mentions those in a few places. In section 2.4, the document states: Typically User Equipment is permitted access to a small number of services and is denied general network access until it satisfies the Captive Portal Conditions. Perhaps we could add some language indicating that this isn't intended to be a normative requirement -- the restrictions placed by the captive portal depend on its use-case. EV> you may add "(.g., local communication)" after "small number of services" ? > > -- Section 1.2 -- > Even if the document support "devices without user interfaces", I wonder why > the I-D uses "User Equipment" rather than "Client Equipment" (which is also > more aligned with "Server"). Nothing dramatic, just curious about the reason. > This is the language that evolved during our discussions. I can't recall any particular reason we chose this. Does anyone with a better memory than me remember why we chose User Equipment over Client Equipment? EV> nothing critical and possibly impacting too many other documents to be changed now > -- Section 2.1 -- > "At this time we consider only devices with web browsers" while the previous > text was about "devices without user interfaces". Finally, is this document for > devices with or without human interface ? When we first set out to tackle the architecture, we were hoping to solve the problem for devices without user interfaces. However, the working group aligned on solving it for the simpler use-case of devices with user interfaces. To ensure we're talking about the same thing, the earlier text you're referring to is this, correct? EV> correct -- Section 1 -- A side-benefit of the architecture described in this document is that devices without user interfaces are able to identify parameters of captivity. However, this document does not yet describe a mechanism for such devices to escape captivity. Our intent was to point out that solutions for devices without user interfaces could be developed using the mechanisms provided by the architecture, but that those solutions were out of scope for the document. Which text do you think conflicts with that? Perhaps we should rephrase it to be less confusing. EV> I would suggest that at the first mention of " devices without user interfaces", the text mention "for future version" or something in the same line. The focus on user-interface devices is written a little too deep in the document, should come earlier in the text to avoid confusion. > > -- Section 2.6 -- > While the components are described as being optional collocated, what about > resiliency ? I.e., having two different instances on one component. > That's a good point (and one I was thinking about the other day!) We should add some text pointing that out. Let's mention scale for good measure as well. > -- Section 3.4.2 --- > While I appreciate that the section contains text about multiple IPv6 > addresses, I suggest to mention the dual-stack use case explicitly. > I.e. something like "Further attention should be paid to a device using dual-stack [rfc4213]: it could have both an IPv4 and an IPv6 address at the same time. There could be no properties in common between the two addresses, meaning that some form of mapping solution could be required to form a single identity from the two address" EV> perfect ;-) > -- Section 3.4 -- > I was expecting to see the MAC address also used as identifier. Is there any > reason why it is not mentioned? If so, may I suggest to document the absence of > a MAC address section in the examples? > This was also raised during an earlier last call. The primary reason to leave it out was brevity, but there were some concerns about its security as well. Perhaps we can leave a simple note along the lines of the following since it is likely others will ask the same question: "The MAC address of a device is often used as an identity in existing implementations. A discussion of it has been omitted for brevity, but the MAC address could be used subject to the criteria in section 3.2" EV> could be good. And, I am not sure whether it is more difficult to spoof an IP address vs. a MAC address. But, the added text is enough for me -éric > > Thanks! Kyle
- [Captive-portals] Éric Vyncke's No Objection on d… Éric Vyncke via Datatracker
- Re: [Captive-portals] Éric Vyncke's No Objection … Kyle Larose
- Re: [Captive-portals] Éric Vyncke's No Objection … Eric Vyncke (evyncke)
- Re: [Captive-portals] Éric Vyncke's No Objection … Kyle Larose
- Re: [Captive-portals] Éric Vyncke's No Objection … Eric Vyncke (evyncke)
- Re: [Captive-portals] Éric Vyncke's No Objection … David Dolson
- Re: [Captive-portals] Éric Vyncke's No Objection … Eric Vyncke (evyncke)