Re: [Captive-portals] Review of draft-ietf-capport-rfc7710bis

To: Martin Thomson <[email protected]>

Subject: Re: [Captive-portals] Review of draft-ietf-capport-rfc7710bis

From: David Bird <[email protected]>

Date: Thu, 25 Jul 2019 07:09:50 -0700

Archived-at: <https://mailarchive.ietf.org/arch/msg/captive-portals/uwNxuDnqIUgVgWIoLqlMNyYG0VA>

Authentication-results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com

Cc: [email protected]

Delivered-to: [email protected]

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=UBTkrYfUzBtm/RGdGFtpnfOPYKdNo/P6ru1JkBhAMMc=; b=tMODYmAtqgmoIu/0cNOon9RDqjFXiyTnzyp8r+JHag5Xzln34SRSILfIVgScFldcJZ ItWwTNHrelPp2wPR59JPmymx86qQHmJjMxRqIJbXVqz5h486Yo9lS2xGpbYt6ZgyJ6DS Z1iNCDxjnWKRmc6yvUeZ6NomycyXnlzNlb34wQOvNPkIMCY0pBFkJNsxQsTHUZkQC8CY 7DNE2uKXVC2gCyGrzRmErqoPzkkIBjv3TbzH+fjlB5EuYwOeSsDJS44nzxmfZZ27VUTh Mrzhiy2FZWYorlAF7/ab8HS6tabdtLPy1JALpF87Ta1g8woXGQBSAYq2gCcRFo/D5RiG GiWQ==

In-reply-to: <CADo9JyWZ0YjXUky+m_PDWc8BrjFVzOvs6XmjqUcV18hbPE_BpA@mail.gmail.com>

List-archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>

List-help: <mailto:[email protected]?subject=help>

List-id: Discussion of issues related to captive portals <captive-portals.ietf.org>

List-post: <mailto:[email protected]>

List-subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:[email protected]?subject=subscribe>

List-unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:[email protected]?subject=unsubscribe>

References: <CAKD1Yr32DXr8fYHP_x7z9pQWwSchey8zQW11vw02bW9ONEV8Kg@mail.gmail.com> <[email protected]> <CAKD1Yr08LmfDhmDLqpR87iQQ4Z61CVpR9BTDeRHobpsvVxFJvA@mail.gmail.com> <CADo9JyW6TmBnr5f0AuSXKnKMXnMxGhMkgYbGQ1WYOQjSMefy=w@mail.gmail.com> <CAKD1Yr1Zo0NQod=p4ZqT6fJYJ=Xqh1q8eJT2+ich+p7Jmg1WiA@mail.gmail.com> <CADo9JyX1T8AnxirXLfGdcJzmjvy5_UGJktnbYByAuO7H++y8uA@mail.gmail.com> <[email protected]> <CADo9JyWZ0YjXUky+m_PDWc8BrjFVzOvs6XmjqUcV18hbPE_BpA@mail.gmail.com>

Expanding on that Cisco example for a minute....

How would Cisco implement 7710bis and API?

It would make sense for Cisco to implement the API server directly into their WLAN controller... In that case, it probably could use the same URL for the API server for all subscribers (and be in a position to uniquely identify the session and lookup internally its state). [As I've argued before, the NAS/WLC is the *right* place for capport notification - or API - mechanism because it is the ultimate source of truth for the state of the session -- it is, after all, the one doing the enforcement].

However, who would own the API SSL cert? Often times, the "hotspot services company" isn't the owner of the WLAN Controller. Ideally, the venue is buying their own certs and installing them in their own gear.. but, is that what will happen in practice? I could also imagine that hotspot services companies will see the API an extension of their service and want to control it... so, my question is, how will vendors implement this?

On Thu, Jul 25, 2019 at 5:56 AM David Bird <[email protected]> wrote:

Hi Martin,

The "this" refers to uniquely identifying the UE/session. The API server will need to "lookup" the UE/session in some way (like in a database shared with AAA) to get its state (captive or not, how much time/data remaining, etc). In this regard, the API and the Captive Portal itself *both* need this ability to uniquely identify the UE/session.

Sure, one *could* design an API server, to reside on the same L2 segment as the subscribers, so that it can determine the UE mac address from looking up the remote IP address in the local ARP table. But... in practice, I think the tendency would be to host the API in the same centralized place as the captive portal itself (and share the same database).

In terms of generating a "session-id" ... a lot of this is very implementation dependent. For example, many hotspot systems are integrated with DHCP/RA because the IP address of subscribers may come from AAA (or a PGW in 3gpp). The redirection URL is often "minted" with the right session_id for that session by the backend AAA/PCRF.

Here is one example:
https://www.cisco.com/c/en/us/td/docs/wireless/controller/7-5/configuration-guide/b_cg75/b_cg75_chapter_01011101.pdf

On Thu, Jul 25, 2019 at 4:31 AM Martin Thomson <[email protected]> wrote:
Hi David,

On Mon, Jul 22, 2019, at 19:40, David Bird wrote:
> ultimately a "session-id" is
> typically carried in the redirect URL on a per UE/session basis. If
> everyone gets the exact same URL, this can only be done by IP address
> at the portal... Is that the design networks are encouraged to take?

I'm not following your "this" here. Can you say more?

I understand that a session ID is needed, but is this something that can be inserted on the transition from the API endpoint to the web page?

_______________________________________________
Captive-portals mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/captive-portals