Re: [Captive-portals] Arguments against (any) Capport "API"

Subject: Re: [Captive-portals] Arguments against (any) Capport "API"

From: Christian Saunders <[email protected]>

Date: Wed, 5 Apr 2017 17:23:12 +0000

Accept-language: en-GB, en-US

Archived-at: <https://mailarchive.ietf.org/arch/msg/captive-portals/gFMqgQTfw5Z0UFwKUm12AsPOrts>

Authentication-results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sjrb.onmicrosoft.com

Authentication-results: sandvine.com; dkim=none (message not signed) header.d=none;sandvine.com; dmarc=none action=none header.from=sjrb.ca;

Cc: "[email protected]" <[email protected]>

Delivered-to: [email protected]

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=SJRB.onmicrosoft.com; s=selector1-sjrb-ca; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=otoy3YGb4QT72TiDDjp3xJsO04FrU+o31+I+xyyRw5Y=; b=EQEi2G8Np/zET0kuTLjk17Tkx1WOxu9/r6keOYaYu3edINNycrWDdr8T3RoiadtXYdY09jaZkMlU2hJOd4UnguDuNv5AKoph2KdtiIWMGlWR5QtiPs/njP4b2VC56GzK9jMGv5x8CnSmPXTdcI1Xmntcp45T82XQDKON0ibmhSM=

In-reply-to: <E8355113905631478EFF04F5AA706E9870579542@wtl-exchp-1.sandvine.com>

List-archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>

List-help: <mailto:[email protected]?subject=help>

List-id: Discussion of issues related to captive portals <captive-portals.ietf.org>

List-post: <mailto:[email protected]>

List-subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:[email protected]?subject=subscribe>

List-unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:[email protected]?subject=unsubscribe>

References: <CADo9JyU2wiEBB4L7ADSybt9se7jCN764JSEoHuGTcuiU_jDscQ@mail.gmail.com> <[email protected]> <CADo9JyVr07w5GRpF+UzSBHRuo=V=3p9MeyhFdzB+5pZk7_amNw@mail.gmail.com> <[email protected]> <CADo9JyXMkqomOpvUWhzZs77eOPvx-g0L-tR5oSz6D4mfjaaUWQ@mail.gmail.com> <[email protected]> <CADo9JyUyQo++b=_oLHd33vjsA_KxLcwwTFjb3T4PDeWmyBfPwQ@mail.gmail.com> <CADo9JyUwVp+xkO444NRH=oMW++MJeCpPHo+j6vg8hfA6wBYGKw@mail.gmail.com> <[email protected]> <E8355113905631478EFF04F5AA706E9870579542@wtl-exchp-1.sandvine.com>

Spamdiagnosticmetadata: NSPM

Spamdiagnosticoutput: 1:99

Thread-index: AQHSrXZ7NljHjdeUFkmXES27Lm70saG1nKgAgAACQoCAAI3uAIAAkrCAgAAkegCAAA45gIAABVEAgAADdACAAAPJgIAACOWA

Thread-topic: [Captive-portals] Arguments against (any) Capport "API"

User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0

Good point.

Maybe for an operator this bumps the API to a 'SHOULD'.

In a lot of cases a limited IoT device will be incapable of satisfying the requirements.

What I would like here is some means of delegating the authorization process off to another device that would have a more capable interface. Do we need to add a spec for this?

Cheers,

Christian

On 17-04-05 10:51 AM, Dave Dolson wrote:

This is OK if you only need to serve devices with browsers and attentive humans.

The API offers possibilities for automation in the device by making a formal data model (vs. HTML).

From: Captive-portals [mailto:[email protected]] On Behalf Of Christian Saunders
Sent: Wednesday, April 5, 2017 12:38 PM
To: David Bird
Cc: [email protected]
Subject: Re: [Captive-portals] Arguments against (any) Capport "API"

The currently proposed solution has 3 components:

1. The ICMP component is used to detect a captive network.

2. The DHCP component is used to discover the address of the Captive Portal.

3. The API is an information service with a standardized interface that allows discovery and potentially remediation of the requirements for network access.

The ICMP and DHCP components are sufficient to resolve the redirection and HTTPS issue.

I would consider the API as an optional component - it might create some user experience benefits if the device developers and network operators choose to use it.

The difficulty with the API is having a way of codifying all of the possible network access requirements. I'm not sure this is reasonably possible.

Assuming that such a definition is possible, then there is some benefit to the common definition.

(It also strikes me that this definition would make a nice back end design for the Captive Portal itself.)

Cheers!

Christian
 
On 17-04-05 10:25 AM, David Bird wrote:

Edits in-line :)

On Wed, Apr 5, 2017 at 9:06 AM, David Bird <[email protected]> wrote:

A few more key benefits of the ICMP approach :

- Capport detection is made easier for the client, even when RFC 7710 (or any API) is NOT implemented (as long as the NAS is Capport compliant).

- "Signaling" can be done by different components (NAS, iptables, rate-limiter, PCEF, etc), without (necessarily) needing to coordinate with a central service.

- In defining the RFC in how a NAS should handle blocking traffic for Capport compliant devices, we are also defining how the NAS should handle Legacy devices - which is, there is no difference - they both get ICMP Dest Unreach w/Capport extension) - which is helpful.
_______________________________________________
Captive-portals mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/captive-portals