Re: [Captive-portals] Arguments against (any) Capport "API"

To: David Bird <[email protected]>

Subject: Re: [Captive-portals] Arguments against (any) Capport "API"

From: Erik Kline <[email protected]>

Date: Sat, 8 Apr 2017 01:11:36 +0900

Archived-at: <https://mailarchive.ietf.org/arch/msg/captive-portals/7NWGlOd5wnxr1pcoIBJbc0HwZKs>

Authentication-results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com

Cc: [email protected]

Delivered-to: [email protected]

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=HItJgPk7j9jlAjAK4PQHFcvs2FW62OUGkFdNAWrxoY0=; b=ieLMF/bgE7F00p6O3KqyCrPaJ4afjs9cdcb1o7ffxJ5EuEq31Q9qKBTBfZvO+Sznv3 UiZRlV+u4Pvwy7cWkmDRH03+BbwQtdPEeeyhol6gA+T6vCpihw0pr+XkyezHUk/1eCL5 19WnHv2M/NqDf40ShijbUpkH3o8z4coTQ+8QVgXopXoKV/RvB3a5EbaovQBAQ/++8CSq oyCbTJXTi5pkjXY2B3qpeqZk9l/b7VoKEFWDhMvDPsqOfSA8cWk4EMdTE/wZ9qIIyzV7 s3bEoPGR8SMON6NXNvnA0h5liZg41p3EswwpE2XS9aM8B6iYNKoe+vQYeNGa66GjELbw Hqhg==

In-reply-to: <CADo9JyUbjD-Q-Oic0d7KqE4xRyUMxoN-5eVppmhp23NWBEkZwg@mail.gmail.com>

List-archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>

List-help: <mailto:[email protected]?subject=help>

List-id: Discussion of issues related to captive portals <captive-portals.ietf.org>

List-post: <mailto:[email protected]>

List-subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:[email protected]?subject=subscribe>

List-unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:[email protected]?subject=unsubscribe>

References: <CADo9JyU2wiEBB4L7ADSybt9se7jCN764JSEoHuGTcuiU_jDscQ@mail.gmail.com> <CAAedzxqR5bWTP_gou+hC5cgQ99tV275nX_ijm7iUok4-h+3wMQ@mail.gmail.com> <CADo9JyVfmhir8YtOR2mzzaaPL_9mBKgFmht6-SA50SfPmh9z6w@mail.gmail.com> <CAAedzxrck9+TBpEp-x8_tG-oxxKh4MQ4-x+iuGNGd6JsG=poQQ@mail.gmail.com> <CADo9JyUKb_c6SPigjUqngUyPvDsbN10TLZX0+B9r92xm6XGgAA@mail.gmail.com> <CADo9JyUbjD-Q-Oic0d7KqE4xRyUMxoN-5eVppmhp23NWBEkZwg@mail.gmail.com>

I fundamentally do not understand what it is you're trying to say here. I apologize for being thick.

The mobile devices with which I am most familiar do "make before break" even for unsecured SSIDs without a captive portal. They do a few probes of various types and to various destinations (vis. Mariko's research and presentation) on /every/ network before deciding whether to switch general traffic over to it.

(Note that a few apps that style themselves as networking sophisticates may try to fling a few packets on a newly attached network before the OS has done its validation, but those are the very rare exception. And we see the occasional bug report when they get themselves confused because they haven't waited for the system's detection to do its thing or haven't trusted the detection result. =)

I don't understand how these mobile devices should be doing something different. Failing to do what they currently do and going back to "break before make" will not sit well with users. I personally do not see a solution down that road, but perhaps I misunderstand or others see something I don't yet.

On 8 April 2017 at 00:03, David Bird <[email protected]> wrote:

A root cause of the so-called 'arms race' around captive portal detection that I'm trying to highlight is that it will always continue for as long as UEs treat captive portal networks specifically different than they do public access networks generally, you will have incentive to exploit that difference in behavior in the public access industry.

On Fri, Apr 7, 2017 at 6:52 AM, David Bird <[email protected]> wrote:
On Fri, Apr 7, 2017 at 6:36 AM, Erik Kline <[email protected]> wrote:
I think the client should, ideally do:

- Use the network for all connections (why ask permission when forgiveness is cheap).

Not gonna happen. Mobile clients do a ton of work to enable "make before break". There is no such thing as forgiveness from users who can't get Facebook updates, Twitter notifications, nor email while their device is held hostage because it switched to Wi-Fi and tore down mobile before checking for a captive portal.

But, it DOES happen when you connect to Open SSID without captive portal (or when the venue evaded your detection). Maybe the captive portal networks wants to offer these services in their walled garden... and it is likely the user would be happy about that (provided they selected the network on purpose).

If you had ICMP giving you real-time feedback, you could more accurately (and quickly) detect what connections will work and which will not on the network. QUIC will help in maintaining session continuity as connections are pinned to different interfaces.

This may also address your question elsewhere about browsers and "sandboxing". I suspect the sandboxing to which you're referring is about cookie isolation (primarily), but there's a kind of "network sanboxing" that is applied as well to ensure the browser uses a self-consistent networking configuration.

Cookie isolation on secure websites doesn't really help the user any...

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature