[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Captive-portals] Requirements for "captive portal closed" notifications



Dave Dolson writes:
> And querying the API should be harmless (GET having no side-effects), aside
> from the load imposed on it. So we should say that the UE must rate-limit
> ICMP-triggered API visits.  Example wording: "The UE MUST rate-limit
> ICMP-triggered API requests to once every 5s."

That might be applicable for other cases too. I.e., we do not want
client to go to the API every second to be able to show the timeout on
the screen with one second accuracy.

So perhaps UE MUST rate-limit API requests in general, not only
ICMP-triggered ones. 

Also if the UE uses HTTP keepalive and keeps API connection open for
60 seconds or so after use, that will of course also limit traffic
generated, especially in case if the API connection is over TLS.

> We could get fancy with back-off retries, or allowing the API to specify the
> rate limit, but my main point is that the ICMP message does not require any
> sort of authentication if we make a spoofed message harmless.

Yes.

Also if authenticating ICMP messages would be easy there would already
be authentication in them :-)
-- 
[email protected]