[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Captive-portals] time-based walled gardens

To: David Bird <[email protected]>
Subject: Re: [Captive-portals] time-based walled gardens
From: Mark Nottingham <[email protected]>
Date: Tue, 24 Jul 2018 11:36:08 -0700
Archived-at: <https://mailarchive.ietf.org/arch/msg/captive-portals/fYZhPKhXwjYr6EK7sLhKPxwoBPs>
Authentication-results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mnot.net header.b=DNC4qh0l; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=Nfrtf1pI
Cc: Mikael Abrahamsson <[email protected]>, Martin Thomson <[email protected]>, Erik Kline <[email protected]>, [email protected]
Delivered-to: [email protected]
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mnot.net; h=cc :content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-sender :x-me-sender:x-sasl-enc; s=fm3; bh=g0ugFOnFDZEmim4Xt6B/hBa5adGuG k5GKx0/FDBd/6U=; b=DNC4qh0lX/xgZvQCxFFWsVkanixbVhWBaW0GwIHTPKkw3 utbrE1MqEkbMrfKlyxs4jruJQIPOtlZrFcUvWN2kBQNTEfe562M/ajpeHlHM3swv gyvz0W1i7Ci3LpmlC80FAqRk+7UjOw9X/7HIjIb6ifAtWllt0HCuQFIjSS+qM6Ni KZsCOz0z+RWvL6kZlDKtHQlfWoqIY8JT7YGhMzDArxB/UcCp/3c5udlyksYW1I3I yiU0b9kkx9NN8LD2AVWqAmGfuOQXGNFiwZh5feTc1oM9Mz49bnatwzHuicRxj0L+ wiIVpb7i5EOfdqdt1IzlZ5t/BXscTm6KY+zLWKy7A==
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; bh=g0ugFO nFDZEmim4Xt6B/hBa5adGuGk5GKx0/FDBd/6U=; b=Nfrtf1pIWHIR8oWTewsst1 T+C6CU/XPsY4CR02lw9mEtAwifLtpFyYwx3bYL/fYCO0ws4HnM3qXaMZFtgP4JF4 Jab9oDA3U3k6LE7o/IH/x9BziO3xfqw3PyjPqPy31sTOJott3WWnNv1GRlZ3hXdE ziVFaBuWpV80LRyhAU77o3nvzIXoatAhlapvUEbrIBfpZEvgyICsRgPnRsTbyDWe Cmtmy0/dKr8+o0YCUEieHQUppoiIvpRNH+CAeFBr0XLI0c52rnkqkpSsrsSF05jM SMB/0upPqTPssWOlBz0K1Tx/cHQvwq296TbOV0IksLc4fn24ggq4vAMmIT4oreIg ==
In-reply-to: <CADo9JyUk5mkism_u_hODOTocfWvPTPr4j6neCmD7gyHTEenTog@mail.gmail.com>
List-archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-help: <mailto:[email protected]?subject=help>
List-id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-post: <mailto:[email protected]>
List-subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:[email protected]?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:[email protected]?subject=unsubscribe>
References: <CADo9JyU2wiEBB4L7ADSybt9se7jCN764JSEoHuGTcuiU_jDscQ@mail.gmail.com> <CAAedzxqR5bWTP_gou+hC5cgQ99tV275nX_ijm7iUok4-h+3wMQ@mail.gmail.com> <CADo9JyVfmhir8YtOR2mzzaaPL_9mBKgFmht6-SA50SfPmh9z6w@mail.gmail.com> <CAAedzxrck9+TBpEp-x8_tG-oxxKh4MQ4-x+iuGNGd6JsG=poQQ@mail.gmail.com> <CADo9JyUKb_c6SPigjUqngUyPvDsbN10TLZX0+B9r92xm6XGgAA@mail.gmail.com> <[email protected]> <CAAedzxo3Gp9ZhLeujZBC0vn9GO=+xHxkAstisoUAX1BCTEtYvQ@mail.gmail.com> <CADo9JyUr2rpZBjz5zMrrUmi8+gR9VGxBFhMLGVqFGYiWsOic6w@mail.gmail.com> <[email protected]> <[email protected]> <CADo9JyX6CzoxyxnGWq+sP+PM20DQUxYxvyqpHkDTJCWYUi99dg@mail.gmail.com> <[email protected]> <CADo9JyW+PZEmSVg6oS5Pw2zPOr7rAeKAVy6QUtvVbgTkdVPqQg@mail.gmail.com> <[email protected]> <[email protected]> <CADo9JyUk5mkism_u_hODOTocfWvPTPr4j6neCmD7gyHTEenTog@mail.gmail.com>

Hi David,

> On 22 Jul 2018, at 6:27 am, David Bird <[email protected]> wrote:
> 
> Hi Mark,
> 
> I was reminded of this thread, as I believe some of the points continue to be on topic. 
> 
> Networks, particularly public access networks, already do, and will continue to do, all sorts of things we might find questionable - on several levels. We have some questions because the network infrastructure itself has no way to be transparent about the things it does today. It will silently (or at least ideally transparently) hijack HTTP(S). It will silently drop packets not in the walled garden. It will rate-limit packets without indication. With captive portals, that guesswork has led to probing, having to hijack HTTPS (because the UE will not understand a Drop), and other usability problems.
> 
> We can remove this UE guesswork by defining how networks *should* implement these enforcement functions, with the proper transparency for the UE to no longer need to guess. This will actually help make the operator more accountable for their enforcement function behavior. 

I agree, but realise there's a flip side to this -- by standardising and making these functions explicit, we are encouraging their use, both tacitly (standardisation == approval) and by making the functionality more reliable (when implementations support those well-defined cowpaths). That effectively encourages they deployment of those enforcement functions.

The ever-so-careful line we need to walk in this work, I think, is to balance the amount of damage caused by the deployment of these mechanisms, while not encouraging an increase in their deployment by making them more viable. Of course, that's a judgement call, but if we didn't have those, standards would be much quicker...

> By addressing the core issue of ‘signaling captivity’ at the network layer, we are just annotating (e.g. with ICMP feedback) what is already happening in the network, in real-time, transparently (as in full-disclosure). This, in of itself, does not add new captive portal capabilities - only better information for the UE to provide better user experiences.

As per above, I'd dispute the "only" -- there may not be new capabilities, but making existing capabilities work more reliably, predictably and with the "air cover" of standards will change their deployment patterns. 

In other words, the implicit goal of most interoperability work is to encourage increased deployment. We try to make HTTP more interoperable so that it's easier for more people to use, so they use it more, so that we enjoy the increased network effects of its use. I don't think increasing deployment of captive portals is a good goal. Others may disagree, for various reasons, of course. 

I do think that where a captive portal is deployed, making it less painful is a good goal. Hopefully we can all agree on that.

> What is concerning with the API and direction of the WG, is that we are defining a new form of captivity … “self enforced”. Which will lead to the UEs doing probing to “confirm” the API captivity matches the Network captivity. Networks with API captivity can even be put on top of previously Open WiFi networks (that have no Network captivity). This is new - even if the UE allows the user to ignore the API captivity. 
> 
> Having written the problem statement, what are your thoughts on the direction today?

I have lots of questions about how it's going to play out, but at first glance it looks interesting -- if only because it provides a way for some portals to be less intrusive on the network. For non-financial cases (e.g., T&Cs, ads), it *might* be enough to deploy a captive portal without any blocking. One could argue that it might encourage increased deployment, but *if* it works out, the less intrusive nature might balance that out.

Hope that helps,

> 
> 
> 
> On Mon, Apr 10, 2017 at 4:46 PM Mark Nottingham <[email protected]> wrote:
> 
> > On 11 Apr 2017, at 1:57 am, Mikael Abrahamsson <[email protected]> wrote:
> > 
> > CAPPORT doesn't have to just solve its own problems, perhaps it'd be good to try to come up with a slightly more generic solution and send it for review in INT-AREA for instance?
> 
> If I follow the discussion here and on the issues list correctly, I'm concerned.
> 
> My understanding when this WG was chartered was that we didn't really *like* captive portals, but people thought there was some benefit to at least making their operation smoother; we had lots of examples of interop problems and bad user outcomes in the discussion leading up to it. In that manner, the goal here AIUI is to codify current practice and incrementally improve it.
> 
> As I said in the BoF, even mitigating those problems might not lead to a great outcome, as it will encourage the deployment of more captive portals (as many networks are rolling them back, at least in my experience).
> 
> There is one use case defined in our charter:
> 
> """
> Some networks require interaction from users prior to authorizing
> network access. Before that authorization is granted, network access
> might be limited in some fashion. Frequently, this authorization process
> requires human interaction to arrange for payment or to accept some
> legal terms.
> """
> 
> Expanding the scope of this work to allow networks to further control their users' experience after authorisation to use the network (even if that is just giving a better user experience of that control) is not a small change. Allowing networks to interpose themselves in communication after authorisation is not a small change. 
> 
> AFAICT addressing these use cases would require re-chartering, and that's something I would argue vigorously against. I'd like to hear a clear statement from the Chairs about what they think the scope of work is here.
> 
> Regards,
> 
> --
> Mark Nottingham   https://www.mnot.net/
> 
> _______________________________________________
> Captive-portals mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/captive-portals

--
Mark Nottingham   https://www.mnot.net/

Follow-Ups:
- Re: [Captive-portals] time-based walled gardens
  - From: Mikael Abrahamsson <[email protected]>
- Re: [Captive-portals] time-based walled gardens
  - From: David Bird <[email protected]>

References:
- Re: [Captive-portals] time-based walled gardens
  - From: David Bird <[email protected]>

Prev by Date: Re: [Captive-portals] How to talk about filtering/network management (was 102 minutes)
Next by Date: Re: [Captive-portals] time-based walled gardens
Previous by thread: Re: [Captive-portals] time-based walled gardens
Next by thread: Re: [Captive-portals] time-based walled gardens
Index(es):
- Date
- Thread