Re: [Captive-portals] Splitting the enforcement device into two logical components

To: nicolas.mailhot=[email protected]

Subject: Re: [Captive-portals] Splitting the enforcement device into two logical components

From: David Bird <[email protected]>

Date: Sat, 30 Jun 2018 06:12:18 -0700

Archived-at: <https://mailarchive.ietf.org/arch/msg/captive-portals/DWrwi0VBg7cThnsNIG6fFG1hyS0>

Authentication-results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com

Cc: [email protected], [email protected]

Delivered-to: [email protected]

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=hP7RuR9oIi7X3UB9nOJR2HMYtPb6fSvXBHhdW+QHzUM=; b=px3X/1dhH3cjl0Vn61SYrtzLEjvzWtOoIOgZ5N5hUiU3Isy1V/kHdyC2lJh4vH22SF chrB6pLdMk2z13KsTEkRs2SDqxkCxeJoda8wd9CdvUR0KHYIx7j7ZSmQqf1v3SRmPvtv agUHCCHQs7wDxRHd/iC6jWn752XKytCSohv0Xo/VzewWz1CzR2/nTupDbdKIDtcZsw7U VFXe11YaYLNEp/OehA8rrTh/Q5CvaSJ3e0/4D4veHzAZdm+c6ezCcAyadwMFKnX0U33o pg0hlNE9NgGYmt8Sg5ZHrazlJLN6ijJFvx5Dyjv8m4I3EkNbi51tNAlBURi/gqda1719 OuDw==

In-reply-to: <[email protected]>

List-archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>

List-help: <mailto:[email protected]?subject=help>

List-id: Discussion of issues related to captive portals <captive-portals.ietf.org>

List-post: <mailto:[email protected]>

List-subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:[email protected]?subject=subscribe>

List-unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:[email protected]?subject=unsubscribe>

References: <[email protected]om> <[email protected]om> <[email protected]om> <[email protected]>

Thanks Nicolas,

I too have been hoping this WG addresses the core issues for several years now. Indeed, I will upgrade my statement in this thread from saying defining how the enforcement function should behave would be beneficial, to being fundamental. We need you, and others that agree, to speak up in the WG as, when needed, it seems support for these concepts isn't always present on the list and meetings. The API is a nice to have, but trying to solve network layer issues at an application layer (with no network feedback) is inherently going to problematic. It provides a bigger path for networks to be misconfigured, misinformed, and not fully integrated, than it does in solving the core issues at hand.

Cheers,

David

On Fri, Jun 29, 2018 at 9:48 AM Nicolas Mailhot <nicolas.mailhot=[email protected]> wrote:

Thanks a lot for the analysis. That is pretty much what I prayed for
months/years ago before this group was formed.

You have enforcement nodes. Their sole function is to stop or limit
whatever traffic the network owner does not like (abusive users, rogue
iot gadgets, slacking students, ddos attacks, whatever). They can
potentially process huge levels of traffic. Their location in the
network topology varies depending on what the network owner wants to
achieve. They don't have any fancy UI because they can address all kinds
of traffic.

And you have autorisation nodes. They allow network clients to request
being treated some other way by enforcing. They can have fancy human-
oriented UIs, or robot-oriented enrolment portals. They communicate with
enforcing out of band (client does not see this part). If the network
operator is nice, he makes sures they can be reached without enforcing
interference :).

The only message needed by network clients is indication of the location
of the corresponding authorization node when some enforcing node drops
or limits parts of their communication attempts. (and the network client
can choose to talk to the authorization node, stop communicating, or
switch to another traffic form that does not trigger enforcing)

Regards,

--
Nicolas Mailhot