Re: [Captive-portals] Arguments against (any) Capport "API"

To: Erik Kline <[email protected]>

Subject: Re: [Captive-portals] Arguments against (any) Capport "API"

From: David Bird <[email protected]>

Date: Sun, 9 Apr 2017 21:30:10 -0700

Archived-at: <https://mailarchive.ietf.org/arch/msg/captive-portals/QDw-bwmJ2EtwuRZ0R_LOG_aSwt8>

Authentication-results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com

Cc: Michael Richardson <[email protected]>, [email protected]

Delivered-to: [email protected]

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=c6KhpbV9BhzMJOOYreloxZvn8hhxDbkPabYEegqMJ8s=; b=Rr1lEoH83LMR9cuEEKv+qDiVBY0JJrThIFud2apN3SPp2LB+Sc+BxV6gwAi8BU3SSI PvUgqq1AtiaVuTYR21xpN6oZYfP059Gb9LBiw4E3uj+BIdTUByblbVOz7OIjYWg2l/aP HxGHu6bXTlslFzALhR1Abi7JJ3VC3v1mQ/tzrLJ9DvHp3MkbbreYt54K7fu2wcDmxwRf fjxKR3OwRv3hvscmHdNCwrtm0130Yj+JDdRVAVlLWtLDNvRbYkOvXm9KSpS7qKV8dYlr 4ZCytV2qy2vsb73/+JzKTZrdpiJ69JH7ITXlBImFvYfz1GX95JRpuKc6k1DjcQ0Ks1Vs 0Utw==

In-reply-to: <CAAedzxo3Gp9ZhLeujZBC0vn9GO=+xHxkAstisoUAX1BCTEtYvQ@mail.gmail.com>

List-archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>

List-help: <mailto:[email protected]?subject=help>

List-id: Discussion of issues related to captive portals <captive-portals.ietf.org>

List-post: <mailto:[email protected]>

List-subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:[email protected]?subject=subscribe>

List-unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:[email protected]?subject=unsubscribe>

References: <CADo9JyU2wiEBB4L7ADSybt9se7jCN764JSEoHuGTcuiU_jDscQ@mail.gmail.com> <CAAedzxqR5bWTP_gou+hC5cgQ99tV275nX_ijm7iUok4-h+3wMQ@mail.gmail.com> <CADo9JyVfmhir8YtOR2mzzaaPL_9mBKgFmht6-SA50SfPmh9z6w@mail.gmail.com> <CAAedzxrck9+TBpEp-x8_tG-oxxKh4MQ4-x+iuGNGd6JsG=poQQ@mail.gmail.com> <CADo9JyUKb_c6SPigjUqngUyPvDsbN10TLZX0+B9r92xm6XGgAA@mail.gmail.com> <[email protected]> <CAAedzxo3Gp9ZhLeujZBC0vn9GO=+xHxkAstisoUAX1BCTEtYvQ@mail.gmail.com>

On Sun, Apr 9, 2017 at 7:53 PM, Erik Kline <[email protected]> wrote:

On 8 April 2017 at 04:54, Michael Richardson <[email protected]> wrote:
David Bird <[email protected]> wrote:
> portal (or when the venue evaded your detection). Maybe the captive
> portal networks wants to offer these services in their walled
> garden... and it is likely the user would be happy about that
> (provided they selected the network on purpose).

Consider a school that uses Google Apps (like my sons').

They run a somewhat loose firewall that blacklists stuff; but probably would
be better off to whitelist things.

The ICMP reply could very well be used to trigger the teacher override.

This is an interesting point. We should consider what types of access restriction are in scope.

Consider zero-rating, for example. Should the aim be to provide a general hint of network restriction, or on a per-destination basis?

One difference in consideration is whether interaction with a captive portal could theoretically provide remediation. If so, perhaps a new code under Destination Unreachable is best, and for those things that are effectively "permanently unreachable" Administratively Prohibited might be the best code.

Doesn't ICMP Dest Unreachable generally "aim to provide a general hint of network restrictions", routing, firewall, or otherwise ? (Should we revisit ICMP in general in light of zero-rating?)

I'm not taking a position on zero-rating, but that is essentially what a walled garden is: content allowed before authorization. One use-case might be designed for zero-rating, others might be to prevent kids from going to unknown resources from the school network.

I don't know how you can mandate that 'authorization' is always free and the walled garden isn't used for zero-rating...