IETF Logo Mail Archive

Re: [Captive-portals] practicality of 511 HTTP status code

Dave Dolson <ddolson@sandvine.com> Fri, 23 June 2017 18:11 UTC

Return-Path: <ddolson@sandvine.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F400912708C for <captive-portals@ietfa.amsl.com>; Fri, 23 Jun 2017 11:11:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.92
X-Spam-Level:
X-Spam-Status: No, score=-1.92 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IRIgqMYLekfX for <captive-portals@ietfa.amsl.com>; Fri, 23 Jun 2017 11:11:26 -0700 (PDT)
Received: from mail1.sandvine.com (Mail1.sandvine.com [64.7.137.134]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 47E6412717E for <captive-portals@ietf.org>; Fri, 23 Jun 2017 11:11:26 -0700 (PDT)
Received: from BLR-EXCHP-2.sandvine.com (192.168.196.172) by WTL-EXCHP-2.sandvine.com (192.168.194.177) with Microsoft SMTP Server (TLS) id 14.3.319.2; Fri, 23 Jun 2017 14:11:24 -0400
Received: from WTL-EXCHP-1.sandvine.com ([fe80::ac6b:cc1e:f2ff:93aa]) by blr-exchp-2.sandvine.com ([::1]) with mapi id 14.03.0319.002; Fri, 23 Jun 2017 14:11:24 -0400
From: Dave Dolson <ddolson@sandvine.com>
To: Vincent van Dam <VvanDam@sandvine.com>, David Bird <dbird@google.com>, Erik Kline <ek@google.com>
CC: "captive-portals@ietf.org" <captive-portals@ietf.org>
Thread-Topic: [Captive-portals] practicality of 511 HTTP status code
Thread-Index: AQHSxwjSIR4ujCHIEk2JPkRI6Cld3aHpdqUAgAAJPICASYFSsA==
Date: Fri, 23 Jun 2017 18:11:23 +0000
Message-ID: <E8355113905631478EFF04F5AA706E987061F965@wtl-exchp-1.sandvine.com>
References: <CAAedzxrPo+qSBWP23=fpwG0ZzBrdOMgs0gykAxOPSFbojeR79A@mail.gmail.com>, <CADo9JyVrO6fcOtYXc=VtrfmhFsYdHY=3t4nM2xLG3CBnzizWJQ@mail.gmail.com> <D2A19ABBC0147C40BFBB83D1CF3E95F03FEB4A22@wtl-exchp-2.sandvine.com>
In-Reply-To: <D2A19ABBC0147C40BFBB83D1CF3E95F03FEB4A22@wtl-exchp-2.sandvine.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [192.168.200.114]
x-c2processedorg: b2f06e69-072f-40ee-90c5-80a34e700794
Content-Type: multipart/alternative; boundary="_000_E8355113905631478EFF04F5AA706E987061F965wtlexchp1sandvi_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/uzuC2wPlkrPLLt95cQdMAofGB_A>
Subject: Re: [Captive-portals] practicality of 511 HTTP status code
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Jun 2017 18:11:29 -0000

It seems 511 is probably better than 30x for non-browser requests-clearly an error instead of redirecting to something unexpected.
Is 511 likely to be OK for old IoT devices? Probably a better outcome than 307.

Do we expect the enforcement device should be checking user-agent to decide on 511 vs. 30x code?

For captive portals to want to use 511 (vs. 307), the browsers would have to behave in a better way from the network operator's perspective.
I would expect the browsers to show the information that the operator wants to be displayed.


Having said all of that, this solution is specific to HTTP, vs. the ICMP approach that works for any protocol.

-Dave


From: Captive-portals [mailto:captive-portals-bounces@ietf.org] On Behalf Of Vincent van Dam
Sent: Sunday, May 7, 2017 3:09 PM
To: David Bird; Erik Kline
Cc: captive-portals@ietf.org
Subject: Re: [Captive-portals] practicality of 511 HTTP status code

- A legacy 30X response will still be needed for some user-agents

Is that because you don't expect all user-agents (webbrowsers specifically) to support it?

- The response contains HTML that should contain the login URL (or a meta refresh, etc), which isn't a very well structured way to get the URL

I agree, it makes more sense that the url would be in a response header instead (like the 30x status).


   It is not intended to

   encourage deployment of captive portals -- only to limit the damage

   caused by them.



Damage? Hm...



In terms of non-browsers accessing apis, they should be using TLS! And perhaps not follow redirects or otherwise add some integrity to their api.



I agree, apis should use tls. Not every developer might agree though (a rest api containing weather predictions?).

But also, I don't think we can fix the world, fix every api/client that is ever made. We can only at least identify mitm 30x scenarios are implemented, and try to regulate that scenario a bit more, which has been done by introducing the 511.


________________________________
Van: Captive-portals [captive-portals-bounces@ietf.org] namens David Bird [dbird@google.com]
Verzonden: zondag 7 mei 2017 20:36
Aan: Erik Kline
CC: captive-portals@ietf.org<mailto:captive-portals@ietf.org>
Onderwerp: Re: [Captive-portals] practicality of 511 HTTP status code
I personally do not find it very useful in public access networks, because:
- A legacy 30X response will still be needed for some user-agents
- Returning 511 is still a man-in-the-middle response (nothing changed there)
- The response contains HTML that should contain the login URL (or a meta refresh, etc), which isn't a very well structured way to get the URL
- differences in how browsers handle the 'error' and the associated user experience

There are a couple other oddities:


   Note that the 511 response SHOULD NOT contain a challenge or the

   login interface itself, because browsers would show the login

   interface as being associated with the originally requested URL,

   which may cause confusion.



Why shouldn't it contain a challenge? (the reason given only relates to the 'login interface itself').



   It is not intended to

   encourage deployment of captive portals -- only to limit the damage

   caused by them.



Damage? Hm...



In terms of non-browsers accessing apis, they should be using TLS! And perhaps not follow redirects or otherwise add some integrity to their api.

On Sun, May 7, 2017 at 1:05 AM, Erik Kline <ek@google.com<mailto:ek@google.com>> wrote:
I wanted to poll the group's thoughts on the usefulness of the rfc6585#section-6 511 HTTP status code.

Has anybody tried to serve 511s to clients, and if so what were the results?

Might it be useful to serve an API endpoint (rather than the full-blown HTML UI)?

I'm trying to get a sense of whether this will be a useful tool to use in assembling a recommended portal interaction.  If we determine it's not really going to be a workable component, then that's useful to know too.

_______________________________________________
Captive-portals mailing list
Captive-portals@ietf.org<mailto:Captive-portals@ietf.org>
https://www.ietf.org/mailman/listinfo/captive-portals

v2.23.0 | Report a Bug | By Email