Re: [Captive-portals] API / ICMP for status and remaining time

To: Michael Richardson <[email protected]>

Subject: Re: [Captive-portals] API / ICMP for status and remaining time

From: David Bird <[email protected]>

Date: Tue, 6 Sep 2016 13:02:30 -0700

Archived-at: <https://mailarchive.ietf.org/arch/msg/captive-portals/5oP5uvBRW3aZkyxufwSVHqPJOEU>

Authentication-results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com

Cc: "[email protected]" <[email protected]>, Alexander Roscoe <[email protected]>, Dave Dolson <[email protected]>

Delivered-to: [email protected]

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=wyLUuI9dF3M7WKfZ5GSfLnivhxHwArsf4GxS7xVsH6A=; b=bbd+ESjoYMJJh8AGQCJ3eqHZVjt+UjcMVoTvjj9jgUK7x9cSNuWLoosBzedEqc54EG OX67Z5wqtWWIu8ke8uQ4GkXGpB+8zYk9xRZPxvYUVwJ2exlpsvjujru2tT4YRpBBdQp+ oPOJPBvDGTx8HhMqW4AIrO8yFZweW4J+Fc5MgMrcnqxS8QtjHbeNP5SXx0ADaCs5r5Ce 0qo+hMnYov41RGX8YkBqwoK3Rn9hFYKpL0jOA67duY72t+uta6T9bgdcvHLUd0rDgNsx s7g3RKcDfztk12WyIeQ5Pe5q74EsrFCMM2+gQPO/tfOCyLWI76bcmlSC1odu3ewWHl2x 27oQ==

In-reply-to: <[email protected]>

List-archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>

List-help: <mailto:[email protected]?subject=help>

List-id: Discussion of issues related to captive portals <captive-portals.ietf.org>

List-post: <mailto:[email protected]>

List-subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:[email protected]?subject=subscribe>

List-unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:[email protected]?subject=unsubscribe>

References: <[email protected]om> <[email protected]om> <[email protected]> <[email protected]>

Ideally, the "Policy Class" hint could be used instead of putting the URL in the ICMP packet (which was our original thought). I think it helps to require RFC 7710 to get the base CP URL so that Capport ICMP is meaningless in networks not configured with Capport DHCP.

On Tue, Sep 6, 2016 at 12:46 PM, Michael Richardson <[email protected]> wrote:

Dave Dolson <[email protected]> wrote:
> An ICMP extension could notify a sender that a 5-tuple connection is walled
> off‎. It works for all IP protocols (TCP, UDP, GRE, even ICMP-echo).
> ‎This will be more real-time than relying on the sender to periodically probe
> well-known servers on port 80.

Agreed, it's good. Like all ICMPs, we must assume that they could be forged.

> Such a message should indicate a reason, which could be a URL to a JSON/REST
> interface.
> Or, it could simply be an event that means "go probe port 80 to get
> redirected"

While I think it's slight less attackable to get redirected; I also favour
putting the URL in the packet, even if we ultimately can not trust it.

--
Michael Richardson <[email protected]>, Sandelman Software Works
-= IPv6 IoT consulting =-