
Re: [Captive-portals] Use Case: "Carrier Grade Captive Portal"



On 02.06.2017 14:47, Livingood, Jason wrote:
> [JL] But let me summarize the malware/hacked IoT device use case. A computing device is compromised and being used as part of a DDoS attack (a la the Dyn attack) or sending spam or doing keylogging or whatever. One alternative is to put them in a walled garden with CAPPORT whereby they have no access from any device in the home or, if the network architecture can do it, no access for only that specific device (other 

> The CAPPORT walled garden page would direct the device(s) or user(s) to a page explaining what the malware is and how to remediate, for example. 

...And how to get out of the walled garden. (Nobody wants to stay there.)

> Another alternative is a method to direct a device to a page / deliver a message about this malware issue without otherwise affecting or constraining their Internet access. In this alternative method, the objective is to get a critical security message to the user (e.g. Device X has malware Y and needs to be fixed ASAP) while not affecting things like gaming, OTT voice, OTT video, etc.

This alternative is no option. The device in question seems to be a real
danger for other internet users and also for the device owner himself
(like data loss..). Letting traffic be unaffected by a walled garden
means that a participation in e.g. a DDoS attack will go on. A
differentiation between "internet" and "voice" should be made though.
(Skype would be considered as internet use.) A pop-up window or
notification during gaming / trading / whatsoever will just be ignored
or delete-clicked or not even noticed because of not having a
browser-like tool.

But that is a topic for a different mailing list - "how to react to
internet abuse". MAAWG and others have been discussing this for many
years now ..:) We do stop internet access in case of abuse immediately
and have therefore built our own form of walled garden; others may have
a more tolerant view or just have bad contracts with their customers :/

So it seems we agree that there are valid reasons for walled gardens -
now we should concentrate on *how* to implement this in the best way.

(the 511 error page does not seem to be the worst variant.. if the user
sees an error in the browser then the next reload puts him to the
correct walled garden page)


best greetings,
Gunther

NetCologne Systemadministration

-- 
NetCologne Gesellschaft für Telekommunikation mbH
Am Coloneum 9 ; 50829 Köln
Managing Directors:
  Timo von Lepel,
  Mario Wilhelm
Chairman of the Supervisory Board:
  Dr. Andreas Cerbe
  HRB 25580, AG Köln