
[Captive-portals] Comments on draft-donnelly-capport-detection-01



Mark and Margaret,

Thanks for putting this together. I have some questions and comments.

 

I suspect there are a number of nits in the syntax, but first I’d like to discuss some high-level questions.

 

1. Regarding $toplevel, is this intended to be used as the body for both request and response? I suspect no, this is the body of the response and the body of the POST has not been defined. For example, how is the MD5 sum of the t&c to be presented?

2. I see a role for performing GET, once the session has been established.

3. Do you see any opposition to including various hrefs for satisfying requirements in the browser?

 

I think working through some examples would be useful. This differs from your proposal, but I was thinking:

 

-------

GET from the DHCP-provided URL:

GET http://<server>/capport (Accept: application/json)

200 OK

{
   "create_href": "http://<server>/capport/sessions",
   "browse_href": "http://portal.example.com/"
}

 

----

Posting to the create_href:

POST http://<server>/capport/sessions (Accept: application/json)

{ "identity": "<USERNAME>"}

200 OK

{ "id": { "uuid": "<session_uuid>",
          "href": "http://<server>/capport/sessions/<session_uuid>" },
  "identity": "<USERNAME>",
  "state": { "permitted": false },
  "requirements": [
    {"view_page": "http://portal.example.com/welcome/terms_and_conditions.html?session=<session_uuid>"},
    {"provide_credentials": "http://<server>/capport/sessions/<session_uuid>/credentials"}]
}

 

-------

The session now exists, and GET works:

GET http://<server>/capport/sessions/<session_uuid> (Accept: application/json)

200 OK

{ "id": { "uuid": "<session_uuid>",
          "href": "http://<server>/capport/sessions/<session_uuid>" },
  "identity": "<USERNAME>",
  "state": { "permitted": false },
  "requirements": [
    {"view_page": "http://portal.example.com/welcome/terms_and_conditions.html?session=<session_uuid>"},
    {"provide_credentials": "http://<server>/capport/sessions/<session_uuid>/credentials"}]
}

 

------

Or GET for browser:

GET http://<server>/capport/sessions/<session_uuid> (Accept: text/html)

200 OK

<html> Human readable page of above information </html>

 

----------

After visiting the view_page URL and clicking OK, the internet works, and the info is available for query:

GET http://<server>/capport/sessions/<session_uuid> (Accept: application/json)

200 OK

{ "id": { "uuid": "<session_uuid>",
          "href": "http://<server>/capport/sessions/<session_uuid>" },
  "identity": "<USERNAME>",
  "token": "<TOKEN>",
  "state": { "permitted": true, "expires": "2017-02-25T19:00:00-06:00", "bytes_remaining": 10000000 },
  "requirements": []
}

 

----

When the session expires, ICMP alert occurs, the client GETs again (note different value for view_page):

GET http://<server>/capport/sessions/<session_uuid> (Accept: application/json)

200 OK

{ "id": { "uuid": "<session_uuid>",
          "href": "http://<server>/capport/sessions/<session_uuid>" },
  "identity": "<USERNAME>",
  "state": { "permitted": false, "expires": "2017-02-25T19:00:00-06:00", "bytes_remaining": 0 },
  "requirements": [
    {"view_page": "http://portal.example.com/welcome/renew.html?session=<session_uuid>"},
    {"provide_credentials": "http://<server>/capport/sessions/<session_uuid>/credentials"}]
}

 

The client can fulfil requirements again.

 

----

When the client wants to explicitly leave the network, delete the href for the session:

DELETE http://<server>/capport/sessions/<session_uuid>

200 OK

 

 

The USERNAME could be DHCP option-12 value or MAC address or ?  I don’t think it is too important for security, but useful for diagnostics.

I did not delve into how the TOKEN would be used with provide_credentials. But the idea is that it could be shared (e.g., with devices lacking displays.)

 

Does this make sense?

 

-Dave
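
Added example, not part of Dave's message or of the draft: a client-side sketch of how the session documents above could be interpreted before the client acts on them. The function name, the self-link check, the scheme check, and treating a past "expires" or zero "bytes_remaining" as not permitted are assumptions made for illustration; the sample values are constructed.

```python
import json
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample: the "permitted" response from the message, with made-up
# values substituted for <server>, <session_uuid>, <USERNAME> and <TOKEN>.
URL = "http://gw.example/capport/sessions/1234"
SAMPLE = json.dumps({
    "id": {"uuid": "1234", "href": URL},
    "identity": "laptop-1",
    "token": "tok",
    "state": {"permitted": True, "expires": "2017-02-25T19:00:00-06:00",
              "bytes_remaining": 10000000},
    "requirements": [],
})

KNOWN = ("view_page", "provide_credentials")  # requirement kinds in the message

def evaluate_session(body, requested_url, now):
    """Classify a session document: ("online"|"blocked"|"reject", details)."""
    doc = json.loads(body)
    # Assumed client policy: the self-link must be the URL we actually fetched.
    if doc.get("id", {}).get("href") != requested_url:
        return ("reject", ["id.href does not match the requested URL"])
    state = doc.get("state", {})
    permitted = state.get("permitted") is True
    expires, quota = state.get("expires"), state.get("bytes_remaining")
    # Do not trust "permitted" alone: a lapsed expiry or spent quota wins.
    if expires is not None and datetime.fromisoformat(expires) <= now:
        permitted = False
    if quota is not None and quota <= 0:
        permitted = False
    if permitted:
        return ("online", [])
    todo = []
    for req in doc.get("requirements", []):
        for kind, url in req.items():
            if kind not in KNOWN:
                continue  # unknown requirement kinds are ignored, not followed
            if urlsplit(url).scheme not in ("http", "https"):
                return ("reject", ["non-HTTP URL in requirement " + kind])
            todo.append((kind, url))
    return ("blocked", todo)

if __name__ == "__main__":
    before = datetime(2017, 2, 25, 12, 0, tzinfo=timezone.utc)
    print(evaluate_session(SAMPLE, URL, before))
```

A "blocked" result with an empty list means the document gives the client nothing to fulfil, so it would fetch the session again later.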