Re: [Captive-portals] client identifying info between API and enforcement

• To: [email protected]
• Subject: Re: [Captive-portals] client identifying info between API and enforcement
• From: Michael Richardson <[email protected]>
• Date: Tue, 31 Oct 2017 14:58:22 -0400
• Archived-at: <https://mailarchive.ietf.org/arch/msg/captive-portals/sJum1bZeK_riGyrlUujV18jXSqU>
• Delivered-to: [email protected]
• In-reply-to: <[email protected]om>
• List-archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
• List-help: <mailto:[email protected]?subject=help>
• List-id: Discussion of issues related to captive portals <captive-portals.ietf.org>
• List-post: <mailto:[email protected]>
• List-subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:[email protected]?subject=subscribe>
• List-unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:[email protected]?subject=unsubscribe>
• References: <[email protected]om> <[email protected]m> <[email protected]om> <[email protected]> <[email protected]om> <[email protected]m> <[email protected]om> <[email protected]m> <[email protected]om>

Erik Kline <[email protected]> wrote:
    > I was expecting this is what might be required, given the
    > architectures that are currently in use:

I think that I got you, but I need a picture.

    > [3] login service updates enforcement point about token_1's state
    > (assuming login success)

I think that login service updating enforcement point can simply say:
  "allow the L2 address associated with token_1"

If the tokens are big enough (16 bytes or more), they could be the L2 address
encrypted (privately) by the enforcement point, making the enforcement point
stateless.

I think that the access decisions need to be made by the enforcement device
at the L2 level for a bunch of different reasons including auditing.

At this point I think the industry has established that L2-mac-address
randomization is good, but that having it totally random is bad.

It should be the same whenever the ESSID/AP is the same, with some caveats,
and this gets us the nice property that access control doesn't have to be
done every time one visits the same place.

--
Michael Richardson <[email protected]>, Sandelman Software Works
 -= IPv6 IoT consulting =-

Attachment: signature.asc
Description: PGP signature

• References:
  • [Captive-portals] client identifying info between API and enforcement
    • From: Erik Kline <[email protected]>
  • Re: [Captive-portals] client identifying info between API and enforcement
    • From: Kyle Larose <[email protected]>
  • Re: [Captive-portals] client identifying info between API and enforcement
    • From: Erik Kline <[email protected]>
  • Re: [Captive-portals] client identifying info between API and enforcement
    • From: Dave Dolson <[email protected]>
  • Re: [Captive-portals] client identifying info between API and enforcement
    • From: Erik Kline <[email protected]>
  • Re: [Captive-portals] client identifying info between API and enforcement
    • From: Dave Dolson <[email protected]>
  • Re: [Captive-portals] client identifying info between API and enforcement
    • From: Erik Kline <[email protected]>
  • Re: [Captive-portals] client identifying info between API and enforcement
    • From: Kyle Larose <[email protected]>
  • Re: [Captive-portals] client identifying info between API and enforcement
    • From: Erik Kline <[email protected]>

• Prev by Date: Re: [Captive-portals] client identifying info between API and enforcement
• Next by Date: [no subject]
• Previous by thread: Re: [Captive-portals] client identifying info between API and enforcement
• Next by thread: [Captive-portals] capport - Requested session has been scheduled for IETF 100
• Index(es):
  • Date
  • Thread