* WGs marked with an * asterisk has had at least one new draft made available during the last 5 days

Capport Status Pages

Captive Portal Interaction (Active WG)
Art Area: Adam Roach, Alexey Melnikov, Ben Campbell | 2016-Jan-04 —  
Chairs
 
 


IETF-99 capport minutes

Session 2017-07-18 1550-1750: Karlin III - Audio stream - capport chatroom

Minutes

minutes-99-capport-00 minute



          Note takers: David Dolson & volunteer?
          
          CAPPORT Working Group
                    IETF 99
                    Prague
                    2017-07-18
                    15:50-17:50 Tuesday Afternoon session II
                    Chairs: Erik Kline, Martin Thomson
                    Materials:
                    https://github.com/capport-wg/wg-materials/tree/master/ietf99
          Martin:
              - dates for deliverables are in the past, and some of the milestone
              docs are probably not relevant
              - we want to deliver something.
          (A/V is hard)
              - is minimum set OK?
          David Dolson: need to notify non-http-80
          Tommy Pauly: expect to interact with web pages
          Martin: considers status code 511 to be dead until new information.
          
                    Agenda
                    Administrivia                   5   Chairs
                    MVP                            20   Chairs
                    Architecture                   20   Dave Dolson
                      https://datatracker.ietf.org/doc/html/draft-larose-capport-architecture
          Did anyone take notes while Dave was talking??
          Tommy: if adopting, work in parallel, not waterfall.
          Adam Roach: Low value in problem statement
          Martin: adopt?
          Margaret: discuss adoption after other slides & discussion
          Martin: Mark Nottingham doesn't want to work on problem statement;
          so we would incorporate the good parts into arch doc.
          
                    ICMP                           20   David Bird
                      https://datatracker.ietf.org/doc/html/draft-wkumari-capport-icmp-unreach
          Lorenzo no-nametag: how to tell attacker session-ID vs. proper session-ID.
          David Bird: can check quoted packet
          David Dolson: session-ID help filter out duplicate messages
          Lorenzo: ephemeral port ranges are not huge; not hard to guess
          Dave Dolson: in arch doc we said worst case ICMP impact is going to API
          and asking
          Tommy: want to keep ICMP simpler, not put a lot in ICMP
          no-nametag: I don't understand how we say both the ICMP is a hint and
          also that API and ICMP can be out of sync. Otherwise we need security on
          ICMP. If it is a hint, OK. but if it gives more then there are security
          issues.
          Tommy: building on that, I see your point, but I don't have a ton of
          sympathy for the complexity argument bc today there is a web server that
          can tell me how much time, and can control the enforcement point. We
          should be able to do an API that is as simple as a web portal serving
          up a static/dynamic web page.
          Martin:  Some feedback I got was (a) there are far too many bits &
          messages (maybe dest unreach is enough), you allow provider to provide
          discriminatory services.
          David B: That's what walled garden does. We shouldn't go there.
          Martin: we should be very careful about talking about discriminatory
          services. We need to be very careful about what we say, including
          social effects.
          David B: is this applicable to ICMP?
          Martin: Yes, fine grained control my enable it.
          Dave Dolson: if we bring more in scope, we could restrict the enforcement
          point to having a single tier.
          
                    PvD                            20   Tommy Pauly
                      https://datatracker.ietf.org/doc/html/draft-bruneau-intarea-provisioning-domains
          Martin: Do you mean that if there is non-capport PvD, do probing
          funny-business is not required?
          Tommy: yes
          Margaret: some odd timing things. If you get capport PvD, you can't send
          traffic until checking PvD API.
          Lorenzo: I'm not optimistic we will get this soon. Realistically, until
          we get to HTTPS everywhere, this might provide wrong incentives.
          Lorenzo: Do you really want to wait until letting traffic use the network?
          Tommy: today, we wait for capport probe to complete until allowing
          network access.
          David Bird: confused by flow: what if PvD API is misconfigured or lying?
          Tommy: this is not a new thing; capport defeating approaches happen
          today. Devices will consider the network to be evil.
          Dorothy Stanley: How does the client trust the information? Or does
          it not?
          Tommy: need more in-depth analysis. In this case, PvD is secure
          connection. Assuming HTTPS.
          Eric Vinke: in ? protocol, a blob sent back, advertise prefixes in the
          JSON. (I didn't understand this point)
          Martin: maybe not giving security, just misconfiguration protection?
          David B: doesn't get rid of probe.
          Tommy: if someone is browsing to a server they want to go to, it isn't
          wasted.
          Pierre Pfister: in IPv6 it is generally accepted the RA is trusted.
          Lorenzo: Can we ignore this problem?
          Tommy: yes
          David B: security is provided by TLS. Do you present the cert to the user?
          Tommy: Yes, in demo, yes we presented FQDN to user.
          
                    API                            20   Mark Donnelly
                      https://datatracker.ietf.org/doc/html/draft-donnelly-capport-detection
          Eric Kline: in favor of the reduction. What might non-default networks
          in the API mean?
          Mark: intended to provide different ways of accessing
          Eric: is there overlap with PvDs
          Yes
          r
          Martin: the question is, with multiple PvDs, do you need multiple networks
          at this layer?
          Tommy: no
          Martin: what is session token?
          Mark: people seemed to want session token. o
          Lorenzo: can we update on demand?
          Lorenzo: counting issues: when does client know it has reached limit:
          Maybe ask at 80%?
          Dave Dolson: Please see my comments on the API wrt style of using GET
          vs. POST and RESTful approach.
          David Bird: wrt counting... (missed this)
          
          Martin:
              Three questions:
              1. for arch doc, do we want a milestone for architecture. Humming:
              in favor.
              2. is the document a good basis for the milestone? Humming: in favor.
              3. do we need milestone for the ICMP signal? Humming: divided:
              not clear.
              4. API document: do we need a milestone? Humming: in favor.
              5. Is this document a good basis. Humming in favor.
          Probably will cut milestones back by removing survey and
          taxonomy. (Discuss with AD)
          
          



Generated from PyHt script /wg/capport/minutes.pyht Latest update: 24 Oct 2012 16:51 GMT -