Internet Engineering Task Force 101, 20 Mar 2018

Previous Meeting Next Meeting

⏯

youtube image

►

From YouTube: IETF101-CAPPORT-20180320-1330

Description

CAPPORT meeting session at IETF101
2018/03/20 1330

https://datatracker.ietf.org/meeting/101/proceedings/

A

B

It's kept for time, alright, if you're not here for captive portals, stay.

C

Anyway, because the rooms kind of empty so.

D

E

C

Sad I saw brick on the way out and he's not here. You must have something else on nevermind, so apologies from Eric, my co-chair, who is dealing with family medical emergencies. I don't see him online, so we'll just have to do this without him. If there's any anything, we need to decide concretely we'll take it to the list anyway. So that's not a big problem.

C

Forms we have to do this at some point during the presentation which reminds people of their IP our obligations and.

C

And oh, this is this is very, very new and somewhat mangled, but you get the drift dad I'm still reading, I'm, sorry Adam, but.

C

Alright, everyone saying that so ah this is the old one, damn never mind.

E

C

Have the means, of course, the slides didn't update the engine? The agenda has the stupid all right, and so we've had a request from check to talk about some of the hot spot. Light security on properties. We'll do that. If we have time it's been some how we go and the meaty issues that we have in front of us. Does anyone have any agenda great next, very brief status. Other working groups do this. So just around people we have to go to drafts. They're adopted.

C

One of them was even updated. This week, thanks Karl, you missed the cutoff by I think seconds. If it was an hour yeah.

C

But that should be should be updated. This is one github as well, so you can see the latest version right there. ah That's for later the agenda says that I think Tommy's going to talk right now.

B

F

I'm Tully, so this is on behalf of both Tasha and myself, so we do have a working group draft version of the captive portal API. Now, as I mentioned, it is up on github. It is also on the main document, so this is taken from the one that had been started before and cleaned up with some of the feedback from the group, and it is still very much a work in progress with open issues, but this is what we have.

F

So we want to go over is what we've put in there so far, it's pretty basic and what are the open issues and how we want to see it at all from there. Next slide, please great! So it's a pretty basic API we have here. We define first, that we have some URI that we get by some other means. That is not part of this document, and this URI specifies some resource that is accessible using HTTP over TLS, and this resource is a json dictionary which is fetched from this api server.

F

Presently, it is with a get request and the json keys at the most basic form define whether or not you are currently allowed to get through the captive portal permitted. It's a boolean, a HVAC key, which we are going to help discuss a little bit more, which allows us to hopefully authenticate other items in the captive portal interaction. It has the user portal URL, which defines here's the user facing a website which you can go to to actually do your normal interaction and it may be the same server as what you have.

F

It may be a different one, the expiry date, which is an optional field, our best guess of when this captive portal will close on you and the bytes remaining, which is essentially, if the bytes driven rather than time, driven form of the same thing as the last of when you're going to get recap. T'v captivated.

F

So that's essentially what it has right now, fairly straightforward, just kind of the minimum set of things we think the API needs to have it slide, please all right. So there are several open issues on the github, so I just thought. I'd cover them here and maybe, as we were, going through them. If people want to comment on them, please come up to the mic. Is there we can kind of just gnaw on them? And if you have more thoughts, please do go to the github and write your thoughts and comments on the issues there.

F

So first one privacy I think Martin brought this one up. So we want to make sure that the pro client information, such as the HVAC cave, this is you know, is not being stored and shared caches. If we have some proxy and stuff going on, and so the document should specify that respond should include cache-control private, to say you know, don't just cash. This chase on information everywhere. Do people think this is the right way to do it I think it sounds fine. Any objections that we're good for this are.

F

There are other things that we should do to specify privacy around this API information here.

C

Good to be clear, this is confidentiality they absorb the privacy risk here would be related to the captive portal, harvesting user information or something along those lines which I don't think we to kill II worried about I mean yes, we might worry about that at some point, but I'm not sure, there's anything we do about it. This.

G

C

Fine. Thank you. That's a good clarification. All right.

F

We will do it next issue, okay, so discussing the HVAC you so currently the APA document refers to this.

F

It is, admittedly under specified as of right now, because it essentially needs to refer to something in the architecture document to say what is this being used for? How is this being used between the various things last time at the last moment, we were talking about this key as token for validating ICMP messages such that ICMP messages could use this key in some manner to sign that hey I came from someone who has the same authority as the API server that you first opened with.

F

So what are people's thoughts on which documents should be defining this? Does this belong in the architecture document? Are we going to have another document that talks about ICMP for blocking that uses this key? What do you think Kyle.

H

Kyle Rose I mean we're not sure. Yet, if you're even going to have ICMP- and if that's the case, do we still need HVAC key, potentially not but I mean. Supposing we do go of ICMP I'm, not sure that the API should be specifically sorry. The architecture document should be talking about the specifics of the API I think it should still be general talking about a token and then maybe the ICMP draft, presumably and the API draft would both say.

H

This is the token by which we communicate I guess only concern there is now we have these two documents that are using the same thing that aren't necessarily tied together externally I.

F

Could imagine if you want to in the architecture document define very strongly. There is a notion of a token that can be given from the captor for law enforcement cluster to the UE to to validate future communications, which may be ICP, which may be other things that come up down the line, but you don't see how we get it or how it's used. Api says hey: this is how you get it and an ICMP document says this is how it's used.

H

She'll probably talk about the.

F

Requirements on that token, essentially.

H

Right right, yes, that makes sense. Okay, I would.

F

Like that to have something to refer to in your document, do you have thoughts marching? Yes,.

C

So then, this is not chair, head stuff, I, don't know the there's number of ways we can cut this particular one because it sort of crosses a couple documents. One option would be to if we were to decide to do ICMP, do that in an ICMP specific document and define an extension to this document. That did that. That means we get this document out of out of the critical path on that decision, but I'm not necessarily sure, that's really going to help us long term, because we have the architecture thing that needs to addressed.

C

It actually needs to address the core question of whether whether it exists or not so I think. Probably what we need is that decision and then that will make all things clear. The decision about ICA.

F

C

Yeah and that's on the agenda for later today, so we're.

F

C

Essentially, based on.

F

That something will change in the API document to reflect our decision later today. Likewise, with the architecture great.

I

I wonder if that discussion is just not one of the reason why I mean? Maybe that's a hints that nice young people solution is a bit complicated because it requires can between different.

J

I

Like a Pepsi bottle, API server and some routers devices that are going to send those ICMP messages so that that's pretty for later, but I wanted to say it not because we have the list. You know about the complexity of the of the standardization of that solution. Maybe that's a hint that the technical solution using that would be actually complex as well. That's that's.

F

Fair I in the case of using ICMP in the most basic sense of just saying, hey, you were blocked. I, see that as a useful piece of architecture and anything that's doing that should be validated I could imagine we could end up going some other way than ICMP, but as long as we have some interaction, that's not directly coming from this client initiated connection to an API server that we want to essentially have some other out-of-band channel for saying, oh, you did something wrong.

F

Anything wouldn't probably need to be validated, and so we could find other uses for this too. Potentially so anyway. You'll have that discussion later next slide. Please all right, surfer authentication, so the EPA document does not currently but needs to describe the server authentication model, and specifically, it was brought up that CR, ELLs and OCSP will generally fail if you're captive, unless those things are explicitly whitelisted.

F

This could get a little bit complicated, but we really do want to do HTTPS, so it was brought up that OCSP stapling does avoid the issue because it essentially puts the burden on the server to get the or CSP credentials and pass them through. That seems to be pretty clean to me as a way of validating this authentication, so I think the option here would be make OCSP stapling mandatory. As part of this, that sounds fine to me. One question is: what do we do if that stapling is not present?

F

Do we reject the portal altogether? Do we throw up an error? What what happens when we cannot validate the server? Do we have thoughts.

C

That's an excellent question.

K

Brian thanks for coming, hey, Ryan, sleevee, Google um so and I was looking over this wondering the same question. One potential implication: this is going to be figuring out intermediates and you know obviously TLS. One three has the ability to staple intermediates, but client path building is going to be non-deterministic based on their trust.

I

K

Even if you had a stable set of intermediates you're going to have this, this set of problems, where are this and the other part is going to figure out? What is the client going to do like? Does it actually care about? Because his piece.

I

Ahead for the validation.

K

It's no matter, I I hesitate to say that OCSP stapling is a must for that reason. Right, you're gonna have client behavior who's, going to have alternative mechanisms for intermediates and 4-leaf certs. Alternatively, guidance.

K

The fact that if you want to look at a client profile and supporting an effort, the RC v lightweight OCSP profile, namely the get method, would allow these captive portals to distinguish OCSP from the other set of requests and could potentially allow anything conforming to the lightweight profile through and so, rather than trying to force the OCSP stapling to say, like here's, how you can identify OCSP, request responses and potentially allow them through on the captive portal, in the same way that certain other traffic and that's from looking at some of the capital portals that we've seen in the the real world.

K

That is something that has fairly commonly come up most commonly flight semantics, though CSP responders, are red listed in captive portals. For that exact reason, those the signup page needs to get through.

F

So essentially, would we end up saying in the text? Maybe something like you should do: OCSP stapling, when you can, because it's nice in a more efficient and then you should also whitelist yeah.

K

I think because there's of these aspects of client behavior non-determinism, because.

I

K

Anchor, if you then providing guidance is probably going to be. The best option, mostly, is be stating absolutely like choice for forgetting that server configuration, but the intermediate problem won't go away even with three. That's a great point. Thank you.

L

M

Donnelley pin.

L

With security um I, looking at it in the real world, I love the idea of the OCSP for CP same stapling. As for whether it should be mandatory.

L

Making it mandatory I looking at the real world I can't imagine that the implementers will will agree to make it mandatory. So, like sure, though, this is a nice idea but and impossibly even if you want to make something mandatory, you might mandates that implementers. If they choose to ignore the stapling, must present the user. A message, something like that.

F

What are your thoughts, then, if we cannot validate the server authentication? So what do you have in? You know what the you we should do if we fail to validate the server we just drop from the network, do we prompt the user? Do you want to trust this invalid.

C

Certificate, the IP IP, the IP I, doesn't work, therefore it doesn't exist and then you fall back to them. Get the crappy behavior to say: if this is a work, this entire feature does.

F

Not exist right, I think.

C

Sorry, yeah try again one of the things that might happen in that case. Is you someone there's a Mis configuration somewhere and there's any number of mr. miss configurations that are possible in this context, and one of them might be that you are actually hitting the captive portal is trying to intercept your communications, and that suggests that you need to go probing probing again at that point, yeah I.

N

Think that there's two different issues that I think he started to get to them, which are what do we do if we can't validate the certificate at all? And what do we do if we it's can, we think, validate the certificate and find that it's invalid and I'm not sure whether those should we should any of this? Those two cases or not, there's also the question I mean given the number of sites but having valid certificates or are not signed by a certificate authority. They are self signed or other things like that.

N

I, don't know you know one of the goals and security I think here is to make it no worse than it is now. I. Also think one of the goals of the service in this case should be that by inserting this we make it no worse than it is now you know, and so why you want to try that URL and just try to log in like we do now.

N

If there's no Bella, D I think I'm not even sure we're trying to validate the certificate on some of them, because it right now, people aren't and they get logged in. And if this gets in the way of people getting.

N

F

Think we can distinguish here between the site that people, essentially users directly interact with and this other channel, which is more of a system level communication to get the JSON if we essentially fall back- and we imagine that for some time being captive, portals still deploy the old I redirect you model, we essentially just go down that route and ignore everything that's in the API right. So we allow you to do what you do today, but we don't take into account anything that may have been inside the JSON. That would say.

F

Oh here's, your expired time here was this. Here's that you essentially that is not trusted. We just fall back to the dumb model right.

N

I mean that that works for me is that this stuff is supposed to be secured. But we don't want to make any of the stuff that previously work to.

F

Stop working. We can essentially end up in the future using the API JSON to bootstrap devices that don't have thousands on them, enable new use cases. Those cases don't work today, and so we don't have to get the goodness. If we can't well validates beyond what we have today, yeah.

N

H

O

I mean once service.

H

This could provide is some just confidence that your character portal was not out to get you. Are these a bit more confidence? It is.

H

Should we recommend that the user equipment manufacturers, rather than just doing the same thing, regardless of whether or not it's secure, insecure, actually say hey? You know this. This thing failed to validate. You can use it if you want, but that gets.

F

Into a very UI system, specific area I could.

H

F

One way that it falls out is that if people are using a validated method of discovering their captive portal that maybe, rather than shaming the ones they're using the legacy system, we just kind of had the little green checkmark or like hey. We have a secure lock on this new portal, which we didn't have previously. We about to start shaming people who don't.

H

Use HTTPS right.

F

I think it should follow whatever mechanisms are standard for that system or that browser.

O

There should type of develops, so one reason for kind of trying to authenticate right is to at least give an indication of saying that there might be a man, the middle kind of attack right if somebody is actually trying to do sleeping or something so you still tell the using you are connected to and just like. Have you get a notification right now, you're connected to know that anybody can look at you right and same message might pop up in this case.

F

All right, very good, thank you for the discussion. Everyone I think we'll move on to the next issue: Thank You, Martin, right, media type. It was brought up that, rather than just requesting the application JSON, we should have a specific media type to allow better versioning. That sounds like a good idea. I like it first does everything that's a good idea, and then second one is this media type? What should we define it as a bike shed warning you pick? Okay, if we decide to pick something and if you.

C

Don't like it, you can sorry we should discuss whether we want one or not do.

I

We want to first.

C

When it comes to the decision about what it is, please choose don't make us discuss it, be here. I'm.

N

Young in my Eve or something and I, could you just explain quickly why this supports.

C

Pass so one of the one of the standard problems that we have with these, these sorts of API is. Is that you go to them and there has a particular format and you develop expectations about those sorts of things you can with HTTP use content negotiation to get different media types. So we say we pick the first one on this list right now and later on. We we have a challenge of mind and want to make a backwardly incompatible change to the format. We could pick the second one and Kaplan.

I

Is an extended clients.

C

That support the old one, which would send nothing or would send except the first one and clients, addicts that accept the new one, would send the accept header with the second one in it, and the server could use that information to provide the new one and you can then seamlessly transition from one of the other. Okay.

N

So like we probably wouldn't change it from characteristic at I mean kept low. We might, but it might be, that captives null is the current version and cactus 1 or 2 or X or Y.

F

Optimistically and just call it captive and and and then, if we you know, come up with a secondary name right right right leave off the version number you mean hopes.

C

Tears ideas, Jason, which is, brings all sorts of horrible images into my mind.

G

C

C

F

I didn't find this approach compelling so I think we'll add it into the next version, all right next slide. Okay, I'm, just gonna, follow up to discussion that we had them list. One of the non published versions of this was playing with doing a well known inside the URI that was discussed to be an inappropriate.

F

You said well known, I just wanted to discuss here with the group, the approach that we haven't of essentially making sure that we're getting the right resource from this URI there's severe suggestions made about link relations, specifying also that the UE could first issue just ahead. Requests to figure out. What's there, I would like to in the API document, be a little bit more clear about how we're going to use this year.I and exactly you know what the contract is for when we're fetching the API and went or not.

F

We could just say you know: I accept content of application, captive, JSON and say that's the way to do it, but I do think we should be more explicit than we are today. So do one of our thoughts on that I. Don't have a particularly strong opinion here.

I

Jeff, you saw my first so I didn't see. The discussion on the mainland is, but my first thought would be that what the situation we are trying to get away from is having to send probes and issues. Something like that. Well known that sliced JSON API, maybe you will open it all to use probes again. So I would say that it's better if you must have a way to discover deterministically the the captive api and so that capture API can be using any alright. So you cannot just guess it. That's.

F

Very true, so, let's you have to get it from DSP are a PVD RS that so we receive this information, we have the URI. You know there is a question of like we had in the original document. This URI could be the same or very similar to the one. That's actually the user-facing landing page, potentially there only differentiated by the type of content I'm requesting, maybe they're totally different, is essentially that relationship that needs to be very clearly specified, and so it's.

C

Alright, so I'm not leaving this chair but I do have a question. We have 7710 and we're going to talk about that in a little bit that only produces one URL. That's are we going to mandate the use of this new media type to distinguish between clients that support the API and clients that are ignorant Lea hitting this URL, or are we going to say that that URL in 7710 points to this is.

F

Through the question right, so if we do get to the 7710 equivalent or the theme from PVD or whatever, is that always like if I don't include any content type? Is that the API- and it just tells me hey, I'm application captive JSON or do I specifically have to ask for captive JSON? You know the question.

O

So my my opinion on this one is maybe what we should do is that if we can say that if the 7710 URI is a HTML and just should on a recommendation saying if you are doing now, if you have the cassava last, you pointed HTML page then in there. If I do a get on that, maybe we use the moon creation in there to point to the capture photo.

O

If you, then that way, it's up to them to in terms of deployment to decide whether they want to point to the captive portal or this chip, and maybe we can do the Reavers we can even allow for saying we already have a URI for the HTML page right, so we already covered so, but if they, if we can.

I

Allow the HTML.

O

Wise to say, okay, just add a link relation to the capture portal, then from.

I

When we say as one of the PD draft matters so for information issue, you should discover the these URIs from the PV objects. We can just have two keys one for them, one for em, but I'll, separate, very clear, and you can yeah.

C

So, to be clear, this is not a problem for PV DS, where we have essentially the ability to provide two URLs when there are two things. The question here is which one and at the shack suggesting Nick, which was not a an option I, had considered what do people think about how bad, but.

F

I'd like to think more about that, maybe if you could write up a poor request for how that would look in the text. That would be interesting to see.

P

Not much is individual, so I must have missed something Martin. Can you highlight what you think differences between that and what what you proposed in the list earlier, because it sounded pretty much the same brooch, so the.

C

There are a number of options that we have here, one one of which is the URL points canonically to the user interface page that exists, and you would use a link relation to point from that to the API document right. The next option is that this always points to the API document already.

P

However, we have a, we have.

C

A link in here already so that's fine. We can. We can follow that link and now dark has suggested a third option, which is you choose and we'll work it out?

C

Yes, that's the face that I would make the.

J

C

Q

Well, no, we would, when.

C

It arrives in the network, it sees this URL, it didn't make some requests to it and and sees.

P

Oneself what it gets: okay.

C

It's certainly possible technically possible, but I'm not sure. There's you.

O

Know you should say that if you're going to serve an HTML, then at least have a link relation being sent in the response. So.

F

Necessary necessary.

O

F

Since we use a link relation, if that's how you want to set it up, but if you just deliver us directly, a vacation.

I

F

Json then we already know we have what we need and we just used that instead, okay I see that so.

P

They essentially make the client resilient to multiple deployment models right. They basically means that the original 7710 deployment model is gone, because if something shows up, does that query and drives render it to the user, then you might be gonna Baba, JSON and.

F

Right right, I mean this kind of based on the assumption that we haven't actually seen deployment of that, and we haven't seen any uese actually adopt anything that deals with that right.

C

F

If there's, if.

C

There's anyone that has actually used 7710 so.

P

What am I doing on the first one if we're doing the site, that 7710 just never happened and we're like this isn't say? If now always this, then there's no point in using any negotiation at all. There's one. Your eye is the API. No one's ever use a human under Inc text. That would also be very clean.

F

And so I guess that kind of transition into our the other discussion. I think this is my last slide. I think this is your last one. No, no! Yes,.

C

Into the road, according to this, there's a blank slide after that. Yes,.

F

Great okay, so I think that covers the open issues. We will be updating the document for next time. Please raise more issues or write more requests. If you would like Thank, You excellent Thank.

C

C

All right, so the next question that we have and thanks for those people who responded on the list on this on this one already is what to do with 7710. There wasn't nice long list of issues, I'm gonna bring them up just yeah.

C

So look at that. That's the discussion. We just had there's a big question. There's a number one question: well, what does the URI point to? We can I presented option three.

C

Then there was the the intent to signal explicitly that there's no captive portal, so I think this one's I can't remember where this idea came from, but it might be nice to have some sort of explicit signal to say: hey this network is not captive, don't bother going off talking to an API or anything like that, but that would be particularly useful in the case where the we made the assumption that this points to HTML rather than the API, because then you have further fewer steps in the whole, you know whole process, but a part of what we're trying to address here is the amount of time that it takes to actually get a network up.

C

When you connect to it, so that would be helpful there, the third ones, an interesting one. 7710 has a requirement for euro le the URI URL to contain an an address literal. This is one paragraph. Just you know do this, and it turns out that runs counter to the discussion we had previously about it actually authenticating things so we'd remove that and there might be some other things but I'm not aware of anything. It's actually a pretty short document and it's pretty hard to find faults in the document.

C

That's that short, but we found this many.

B

E

Want to answer.

C

Basically, the question here primarily is: do we want to take on the work and who wants to take on that work? Speaker so on? We have two of the authors: I think we might have more how.

R

Many were there a four of them- oh my god, so yeah, one kumari. Sorry, one of the original authors of this so under this state said that I thought two was a bad idea and then somebody replied, and it now seems like a good idea, but I forgot to mention that so yeah, where I said that's a bad idea, I'm, sorry and then for number. Three I think that the addressed literal requirements was one of those things that was put in because we kind of had to with the assumption that nobody would ever do it.

R

That was one of those yeah. I know I, know yeah. Somebody asked for it, but we didn't think it would actually in the real world, be used that way. I know yeah somebody they couldn't do anything else, but you know so we stuck it in with the assumption that most sane people would put in non address literal URLs, so yeah I'm, sorry it all sucks. That's.

C

All right we can, we can change them and.

R

If anybody wants to updated great I'm, also happy to help update it, or you know that many issues in one document I'm fine, if you see.

C

What we might actually do in that case is enlist you as a as a co-author, or something like that, but find someone to actually hold the pen since I understand that you're somewhat busy yeah.

D

I

So if you sell again as a PDF thought again obviously trying to push my stuff I just want you to understand if there is, if it's either, that all the PBE or if there any scenario where both are in the question, my question is as well, so the PvE option no has an option. Number it's showing good progress. Do you want to go that way or try to piggyback what we are doing, which seems for me at least you have a good traction and could be a I mean I.

I

Honestly, the captivity is a wonderful wonderful use case for PD stuff, so optimum I mean I would like to understand how those two options work together or not.

M

S

S

If there's no captive portal, that nothing should be broadcasted and included in the options and also if we I think that I Triple E, you have an eight eight eight zero to Dottie, we're being you has some kind of option that tells that I verify client. That's they have this network is a restricted or this network is open. So we haven't as a choice to tell that this network is not not no captive, poker. I thought I, don't think that option tears should be included. So hello.

C

Can you send point it to the the places where that information is? You said I know to something.

F

C

S

H

C

H

Target only wireless access, we're also trying to target wired axis which may not be used a Attila.

F

Totally Polly Apple um right just try me and that I think it's we want to do something. That's beyond just Wi-Fi we're on do something that is at kind of layer three and up in this case. As far as the main portal, even in the Wi-Fi case. As far as I'm aware, you can indicate that there is blocking, but there's no explicit indication that there's not, and so as a you, a developer.

F

I would really love not to have to wait on probes or wait on other requests such that, if I see a redirect, I can treat it as a Miss configuration or some attack regarding peers point on the PVD stuff.

F

Well thinking about 7710, because people can look at this today, I think we should update it or visit or something just to point people to whatever we're now thinking and how this is going to play with the overall architecture. It essentially could become the captive portal discovery draft part of the architecture. I would not I I would love to see the Peabody stuff be used here. I can also see a very strong reason not to tie the fate of deploying any captive portal.

F

Api to that I could imagine that the miss or update to this document, because we already have the option to find four seven, seven, ten so essentially just say: hey.

I

F

This option and here's what the UI means and also we do need some document that references PVD that extends PVD with the definition of. Where does that option? Go in that because I believe at the current time we're not including any captive notion in the base, PVD Duckman, so I says we.

T

I

F

One document that updates this, which is like here's, how you do discovery I've, kept a photo thin. Here's how you interpret it when it's just directly in DHCP, and it could also be inside an already extension called a PVD that gives you this other data. So like here's, the DHCP and Ra based ways of getting this to your eye, and it's.

C

Kind of one story there so now I have to ask the question how how how close? How were you getting that PVD doc, because this could be done theoretically in months, if not weeks with basically lost calls and whatnot? We could do this reasonably quickly, and could we couldn't do the same affinity was in that makes could be I. Don't.

I

Want to be too optimistic because the entire working group is not only not or usually slow, but we are all people hoping to ask for work in the best hole for before or at next HEV yeah well, Phil. Last.

F

O

Must talk yeah.

F

Yeah, either way, if we did have this, then we could just have like another extension graph, specifically for PVD, so yeah.

T

I have a kitchen like the and the purpose of that you know Kobayashi and for one the purpose of you are a vacation like so should we have to. We have do we have to sir Oh, which one like, which is the strong point like a or V right now in this working group, so.

C

That one we haven't answered yet and I'd like to I'd, still like to get an answer to that one I might actually ask for I, don't know a show of hands or preferences or something we're not going to get a hum in this room is there's not enough. People.

C

So the question is, do we say a do we say B or do we say work it out for yourselves.

E

C

Yes, it's a good question.

T

C

T

So I think first, we have to know about it. So what's your preference like um for my opinion, like the.

T

Just user interface and the users music, it could mean itself over communicate to your ApS. Alright, so I think the API uli up as an API.

T

And also like actively liquid the IOT device use case, but the like in there some headers IOT devices, which you know does not have the web interfaces. So the I think the user, loving taste is not always like yeah. Thank.

C

You that is option I yeah, that's option. I, mr.

I

For me, it's really obvious that if the assumption of the working group is that 70 cent and is not deployed today, and that we can do pretty much everything we want, it has to be the API and inside this API we can put one of the key being the I mean that was progress there, the key to to the it's already there login page and that just works fairly easy I.

N

Don't object to any, but I think you know original before this version of the API there had been a mechanism to allow it to be both and I. Don't know if there's a desire to do that where, when you just do a get, you actually get the login page and we were doing a set I think it was in order to enter into the API, and that would allow it to be both. Not you figure it out yourself. So I guess I'm, saying, there's actually a fourth option as well. If.

C

Anyone wants to speak to the fourth option: that's reasonable and and to sort of expand on what Margaret said there. We would probably want to use content negotiation for that people, don't like using content negotiation for that sort of thing, but it is possible yeah.

H

Today's be just the reiterate Mary this point: you know the word I know we trying aren't trying to solve. The IOT is as color as I know. We are trying to solve the IOT use case, but our Charter does hint that we should think about it and I wouldn't want to go out of our way right now to preclude us from doing an IOT solution in the future.

H

So if the architecture can leave the way open without too many changes, namely by requiring that at point to the API or that there's a way to get the API directly from the URI I, think it's a good thing, so I favor, a or C.

C

Or D so so to be clear, the in the discussion on the mailing list- I, don't know who it was. The point of this out might have been Adam that if you do the point to the login page, you can still make a head request to that one as an IOT device harvest the link relation and then make your way across to the API. It just takes more steps and more code, and maybe we aren't doing the IOT folks very much of a service by doing so, but it's still possible yeah. So one.

R

Kumari I mean I, kinda, think hey for B or C or D, because there are a lot of people. You know you could currently deploy this in point. An existing capture photos not the ones that are being upgraded, and you know we have no idea if there will be API is deployed on them, so the advantage to be, and then you know you could fetch something from that point to the API, provides you some backwards compatibility or option e.

F

Tell me kind of opposed to your point, ah so I agree that if you do something like B or the other derivatives, then you definitely could essentially stay with the existing model and all you've added is a way to not probe on the initial thing. That makes me sad, though, is that we essentially don't get any of the other benefits that we could imagine with this, and it actually kind of harms the deployment of something that we well potentially. If we're talking to something that is over htps, that gets us.

F

It makes it trickier to do things in the future, such as the IOT devices right like if.

I

The deployment.

F

Of this really becomes people just ignoring all the other documents other than a way to find your landing page. I could see that as regards to kind of what we had in the original API raft, what Margaret was bringing up I think I was trying to go for a little bit simpler approach here, rather than having kind of like the multi-step.

F

It's a lot more straightforward. If we just have oh I just do again, and this is the one thing that this URI means, and it is a little bit optimistic, hoping that someday we can get to a point where we don't necessarily need any user facing web portal that we have today and so baking. This into mean that oh yeah, that login page is the thing that you get with the get means that, if, in the future we don't have that page, do what do you have? What do you get in response to that?

F

Get request may be nice to just say, have allied that question in the future, I.

N

Understand I mean it doesn't actually make there be more steps to do a set in yeah, but but it does mean that if get I mean get could eventually go away and people might go. Why are they setting? But you know so.

O

O

Think it's a personal preference I think I would say like II. But my comment is the same thing as what you mentioned earlier is. We are not sure that, like there is no deployment of 7071 by while we're discussing somebody else by deployed so I'm not sure how we can really actually say it's just going to be a API when somebody and then you actually breaking things right, because the client is expecting Jason dark and then it gets a mess here and it goes blah right. So yeah.

C

So there is an option, a that. Your comment just suggested to me, which.

I

Is essentially Margaret's.

C

Idea with content negotiation, we we insist, the clients, use the accept header field and produce the mime type that we just talked about.

C

But the expectation is, if you don't get back what you want, then you're back into the HTML maresi yeah yeah yeah.

S

Yeah I believe isn't working that idea, because the currently there is very limited deployment with a seventy to seventy seven, seventy, seven, ten, so yeah and also we made we met. We might consider the vacancy between the API a captive portal and the client because, like especially in the virus type the cap, that there is some vacancy, we can reduce communication between the API and the API and user agent user. You a user equipment, so my opinion is be alright.

R

So this doesn't seem to be resolving and I'm moving the microphone away from Adam. So he can't reach me. I've got option F, so 7710 signals with the dhcp option and we could leave the existing stuff alone and the new thing could have a new dhcp option code.

O

So the other option just tells whether so, if you have another option, also right, then we tell you, maybe that's the same, that whether it's JSON all option so then I get the URL from 7710 like I get the other thing that tells me whether it's a JSON or an HTML. If there other thing doing show, I can just assume it's a nasty ml page all.

C

Right doesn't seem like we're gonna, be resolving this anytime soon, but.

H

One last crazy idea: what if the URI is ended our JSON or Die HTML, and it tells you which way is I.

C

Would like you to take that comment to the HTTP working group, which is after this session and see how that flies? I.

C

Don't think we're going to get a real sense of where we're at I think we'll take this to the list and try to come to some conclusion. There I got a sense that we have roughly and even split between those people who would like to do the just just the API and those people, maybe a little bit concerned about. Maybe maybe there is some use out there and maybe sort of retconning. This whole thing might not be a good idea, so we.

P

Almost know again, we'll cook, if I could so then warns that actually I think was suddenly different than that and in a very important way, which is not that there's like currently deployed stuff out there. It doesn't turn on that. It turns on whether there might be deployments of this with new dhcp new client portal, and that was a combination. I don't think we have considered before, and I think it actually is relevant it's that was it's after.

P

He said that I began rolling things over and honestly of the choices have been given so far, the one that I'm in voting so now based on that is the content negotiation one. Even though I've been really hard on the link ever before that, okay.

M

C

This gentleman he's gonna solve all our problems for us. Oh.

U

Thank you very much hope Loffler. When we're old, 77 ten bits, we would just only go up a trial balloon its assad that I was taking this long to get to abyss. If what I would like is if I go into as a user go into a portal, is I have been able to tell my computer negotiate if the policies are bra, so I don't want to see another cap default page ever unless they want my payment or they want to steal all my information, so API is where we should be going.

U

So, let's not worry two months apart existing deployment and let's just get something useful really fast. Is that solve your problem? No really I gave your direction I.

C

Certainly agree with you, but yes.

U

So with more yes, now I'm sitting based if it is interesting and only using a web page yeah.

C

All right, so the last question was: does: does anyone want to stick their hand out for this one? What Warren's already done that anyway? If you can unstick your hand, it seems like there is the potential for some more work than this would imply, which makes me a little sad but nonetheless, so maybe what we'll do is we? We will resolve that question and then try to now someone to the wall for this particular one. So so.

M

Maybe we should be an issue proposal options and this one gets paid has to right. If you want your option to win volunteer.

C

Sorry, that's just how the process works. Oh I'm, not supposed to say that am I mm-hm.

F

Tommy parley Apple I'm happy to help work on this. Whichever way we end up going as far as scheduled, I appreciate that we do want to get this done quickly, because it should be short. However, especially if this is pointing to things like the API etc, it does seem like it should be aligned with the other documents. These it'll be a lot stronger. If you can point to those, so I mean, were you thinking that this would actually come before other documents end up getting pushed so one of the.

C

Things one of the things we've done in other working groups is call something done. Working group last call it and pocket until the other things are ready to go and great. That may be what we do with this one as well sound reasonable.

C

Okay, well, thank you, everyone that was most helpful. Go back up to my agenda, Kyle you're on them.

H

Hello, unarmed, caller, Oz and I'll be talking about some updates. We've made to the character board architecture since Singapore next slide. Please alright! So, as Martin nicely pointed out, I missed the deadline to upload. However I have uploaded it since then, so if you've managed to look at it in the last few days, it's great the editors copy I mentioned I mean unless.

C

It's also great.

H

But it is what it is all right. So, let's change to major things. Changed first I tried to make the Security section relating to the guys old, stronger and then I added a very large section, which attempted to summarize the majority of the discussion we had in Singapore and what user Equipment Identity and then. Finally, on lists and github we've been discussing quite a few issues related to the architecture and also go over these during the presentation here next slide.

H

Alright, so security of the API I've kept this pretty short. I basically mentioned that the privacy and integrity of the information exchange with the API is a must. We must use TLS, I didn't specify HTTPS so because I wasn't sure we wanted to get into HTTP versus other applications, but I left it at that.

H

That's pretty much it so one thing I want to ask: is: is this enough or do I need to get into a bit more detail in the typo'd architecture? There it's pretty vague, but maybe it's better for the API to be precise, about exactly how this Security's gonna happen and from.

I

What Tony was seen.

H

It sounds like we're really thinking about in the API as well. There any thoughts on that I'll take that snow next slide all right. So this is something that's been bothering us for a bit user equipment identity.

H

Basically, when all the devices are interacting, how do we agree on the identity of the equipment? That's trying to traverse the network.

H

In particular, we have two distinct components: the VI server and the enforcement device that need to act on the identity to use equipment devices that decide whether or not the packet needs to be allowed through, based on where the packet came from, who belongs to essentially, and the API server needs to be able to tell the equipment whether or not it is blocked, as well as interact with user equipment to tell it to allow the the packets through so the enforcement device. So how do we do that?

H

Well, we discussed it and I've tried to capture some of the thoughts we had, in particular I, think from the mailing list and from those discussions that there's some requirements on the identity that need to be met. In order for this to work, and so I try to capture those in particular that if I should be unique, so only one person or equipment, it's a little vague there. But basically one thing: that's allowed the device at the time can have the identifier, otherwise things might not work. She had to spoof.

H

So you don't want people pretending to be somebody else with us whether or not they're on a network. Obviously the API needs to be able to infer the information or get the information from its communications like.

H

Why is the enforcement device needs to be able to infer than get it and I didn't mention here on land of action forgot to mention in the architecture, but they also need to agree on the identity, so the API can think the identity is a source ID and the person device can think it's MAC address and that's not very useful unless they have some way of correlating it to you together. So I should make that if I haven't I need to make that clear. So it's probably an issue with the document right now.

H

Next slide, please so beyond, actually specifying what I think what we should think the identity should, but probably that any should have I talked about. I didn't want to get into suggesting a specific, because I I think that different deployments, different networks are going to have different requirements and those requirements might preclude you from using a particular identity over another, and so I gave some recommendations on how to actually evaluate to the identity our potential identity against another, so that you can choose the best possible one, and then I gave two examples.

H

I gave the physical interface to which the device is attached as a possible identity and I have the IP address. Local device is another possible identity and then I evaluated them. So much now, when I talk about these two examples here, because I had a bunch of discussions with people this week and I also worked on this jacket on a bit.

H

I'll start the IP address. So we e IP address it's nice because it should you need to identify these equipment, or maybe you know if you're, behind an ad or something inside I mean it's okay. But it's pretty easy to smooth, so what you need is you need some way of the network and foreseen that only one user has an IP address at a time, and not only that, but if the ownership of the IP address changes, maybe notifying the enforcement device and the API server that that has changed, so they can invalidate their records.

H

So I played around that at the hackathon and what I ended up actually doing was splitting the enforcement into two.

H

You had the section of the enforcement on link with the user equipment, and then you had upstream with the enforcement of ice, the enforcement device was doing the couch for mortal, and that made me think that mainly and Erica textured, we should be splitting enforcement in the two modular components, a component that is responsible for ensuring the uniqueness, validity, etc of the identifier on link, and then the actual enforcement device is responsible for doing deciding whether or not to allow the packet outside to the external Network and what pretty? Well what I did?

H

So it's something worth considering. I'll, probably propose it on thoughts. Please talk about it now. This was the physical.

T

H

I was talking to Pierre about this, and you know this bit this like we're saying you know. Well, if you just if you can communicate the physical interface to which the device is attached, all the way up to the other point, I'd be a personal device it doesn't is. It doesn't actually have to be on link, it's possible that you use a tunnel to make it super Wan link, or maybe you tagged the packet somehow with maybe so, every six or something to indicate the the origin of the packet in the network.

H

There's a bunch of options there, and maybe we should explore them a bit more, maybe not in this. This draft, maybe in another draft, but I, would like to think more about the physical interface case, because it could simplify.

I

Things in a lot of.

H

I

Esther I just wanted to mention one aspects that is that you didn't mention is that the user equipment identifier doesn't need to be known by the device itself. It's something that is decided by the by the network, and we just did that to be a thing that the EAP or the wireless controller or the the first switch or the first water is able to to know, and, as you mentioned then, which receives a packet tag.

I

Somehow the packet with that idea, and that idea is going to go to the enforcement point and then the policy can be applied so it just. It just needs to be something that is secure, but.

H

The device doesn't need to know it, I mean my main concerns with that one were whether or not constrained the location of the API server, somehow and and what that would mean to the overall solution. This.

C

Was the essence of the discussion we had in Singapore and we went through this at great lengths and I think he is capturing most of what we concluded, though, are you suggesting that we might want to not foreclose on that possibility? I would.

H

Wait I don't know like my personal preference, is to allow as many solutions as possible as a, but it's not really what we want to do here. So I.

H

I guess no I'm someone, this is one who'd want to recommend a specific identifier, or do we want to talk about classes of identifiers and what properties they need to have and what.

I

I've done right now is.

H

I've I've suggested properties most did not, but no specific identifiers, yeah.

C

You've just hit all of the like red buttons, all over Nick and he's like twitching right now. So let Nick say what he has.

J

To say, and we'll do it later: okay, Nick, Terry, uc-berkeley and so I I think capabilities are other than specific identifiers is a best practice and in particular, I'm concerned that so far, the properties that are described in there are or how hard the identifier needs to be, and but we might also want to specify how soft the identifier should be that I'm particularly concerned when I'm recommending physical interface and trying to send up physical identifiers as high as we can, that they might that they might leak essentially so I think there are substantial privacy concerns to saying.

J

Oh, we need this really hard permanent identifier and we should share it with all these other parties. So I think we should talk about properties and I think we should specifically talk about this, this privacy property in trying to limit who we're disclosing these permanent identifiers, Stu yeah.

H

Well, I definitely do that now. Would you prefer that? Does that mean that we can't use a physical interface or does it limit the scope over which we can communicate that information without an authorizing it somehow yeah.

J

I mean that that's something you could you could go different directions of. That I mean if, if, if we actually think like people will follow like a fairly specific recommendation, then maybe we should be specifically providing. This is how you insulate some identifiers so that it's different when users connect to different portals.

I

J

That it doesn't leak to higher layers. That's that sort of thing, I don't know. If people are going to follow that specific now, where them for this, but if we think so, then we could explicitly try to recommend all.

H

Right now, I think that's the privacy.

C

Of that information is certainly important. I would like to so so for background on Finnick. The part of the point of this is is how does this particular network? Think of this particular user equipment? And yes, we don't want that identifier escaping that their network and part of part of that I think is making sure that the user equipment doesn't actually know what's how it's being identified to so then it's not propagating that identifier through the network in indirectly.

C

So, for instance, if you had a situation where you you went from there portal and the URI of that portal contained the identity, I can contain the identifier, then you know suddenly sprang referrer headers all over the Internet as a result of those those interactions. They have to be real hit. Be careful about that sort of thing, but IP address is really something you just you just can't avoid having sprite all over the Internet in you know, Internet as we know it yeah.

C

Yes, that is a problem. I always.

I

Want to say that that's this decision shows that user, Equipment, Identity and IP addresses have completely different properties and an equipment who is going to use multiple addresses and privacy versus. So the address is going to change over time.

I

To answer your question whether this should whether the architectural, even the working group, should specify a specific tip, I think not because this is really specific to the type of link the device is attached to so I think the this could be many different things and even for one capture photo. If that Porter is providing a service to Wi-Fi link, my link might be to use different identifiers I.

J

Think part of the danger of this leaking is that, like and I absolutely support, we should provide variation and and there's going to be variation, so we should accept it, but like I'm starting to see in cafe.

J

Oh, you have to login on Facebook and and posa so like where there are definitely options that are like on the internet through a particular social network before so I'm concerned that, like we would need to specify kind of directly what what the woman's on an identifier is, because just saying, oh well, the enforcement point one take care of it or the like that and enforcement point. They, like might already be too late. At that point, you know.

M

C

Done we out of time yep carry on I, think we're done the first three yeah.

H

I, just you know if you were select here, I'm just going over the open issues that we have so we've discussed a few we're discussing here and we discussed a few elsewhere, so we can produce go through the next few slides next slide, something that was raised in in a github, repo and I. Don't know why he decided to do it but there's a question: does he give the state of your captivity the API or both I?

H

Think it's just given the API but I wanna. You know no one's discussed this on their working of it. All and I just want to see what people think.

I

H

Sarah has an author of.

I

The beauty draft again and I, don't think kind of yeah I think it cannot leave the state. It cannot give the state it's not designed for that purpose, to do something instead designed to get something that depends on the user. It's not designed to give something that is private, and it's not designed to give something that changes all the time. Okay, so it can give the API that's really clear, but not the state. So.

H

I think we should probably been just that directly closed. There's the answer. It's dangerous.

H

No yes, true Tommy's, not there I.

C

Can ask Tommy after Nancy, where did Tommy go we just hit. We just hit one.

A

C

Like it is pretend to be alone well, no check would tell me whether he has an objection to that, but I've recorded that the three points that you made that it's not very good at dynamic things: it's not very good at user things and it's not very good at confidentiality. So maybe it's not a little exactly the thing we're looking for so we'll see what.

H

But the question here is what we do by CP hey, so the current draft that has expired, I think David refresh it or not. Either.

E

Way this is John right now. It's.

H

Quite complex, it describes sort of two different versions of ICMP one which is intended to notify you that there's a problem and another one. That's intended to notify you that there might be a problem.

H

For example, you know you're being shaved or there's some QoS issues. Things like that and you might need you might want to visit the captive oral to upgrade your service.

H

So we have something we can do here. Do we go with ICMP at all and if we do which of the two mechanisms do we use a simple one of the more complex one where you have a lot more flexibility and how you signal the user equipment, or do we just say no ICP is out? Are these for now? I would personally prefer to have some ICP mechanism, because I think it is. It is nice for cases like where you're not necessarily denying all it's not an all-or-nothing type of captive portal.

H

But it's a category used to notify the user of issues they.

O

Should talk so can be I mean sort of my question is: can we even get rid of I? See me completely I, don't I mean without that, then. How would if, let's say whatever the time expire or something happened right well.

H

The client expire, you know the time so presumably you know.

O

The users browsing.

L

Right and then it's not working right so I think it requires that the user pull the API okay.

H

And- and do we want that, is that better Atlee.

O

Okay, my suggestion would be at least to have an ICMP enough to say I'm like at least send the unreachable right, so that the device can't react and go and check the API.

C

R

No I'm one Kumari so I'll happily admit that I stopped following the discussion, a while back, but was the whole. How do you stop this being spoofed thing ever settled, which we had some discussions.

H

About it, so one discussion was me: the one point made earlier was maybe just the entropy contained in the in the transponders enough and I think there was an objection to that. Another.

C

One was the H Mac that we're talking about.

H

Passing around in the API can we use that as a token okay, yeah, yeah, okay,.

C

Now your men said that we have a design for that. We have a design that could be deployed in it. In that case,.

J

You know it'd be really nice if I knew that I was gonna, be locked down before I get locked down. You know because that's like to me, the only literally the the thing, that's the most important that we can't do today and that we need a way to do is like to log in, and we up your re-up your time before it expires.

J

It's like you know, because everything else you know 302s work right like stupid, plain text here to work for everything else, but not for this and so I, don't think the ICMP messages is particularly useful. I think it's basically security wise is very difficult, but but I think. Most importantly, like you know, we want something to tell us in advance and I think if we, if we're gonna, have an API anyway, then this is kind of useless one.

H

Day it helps you with is where you are doing. For some reason: there is a problem in the network and you or or the captive, or maybe you hate this even more. The captain walls decided that you are not to go here right now, because there's not in the walled garden. That's fine destination unreachable! That's what that's for.

H

What's the response of the system, it doesn't work and when the age is like one right things, not working I get it yeah we're.

I

D

I'm gonna complain: that's.

H

Exactly how it works: okay,.

D

You know it would be much nicer, but you just.

H

V

N

Wondering it would have obviously IC and PL together there are going to be times when a destination is unreachable and so you're going to get a destination unreachable, and you need to know what to do and what you do when you get a destination unreachable. Is you stop trying to go to it? Okay, and if you do something else with the destination that you're going to start screwing up what this I mean, we don't screw up what basic networking stuff is already for.

N

If you had to redirect your me direct okay, because we don't want to play the bills now. The question is whether to create a new ICMP message right well,.

H

I think the I know I know I seem the expert, but the original suggestion was an extension to the ICP destination unreachable. So it's.

T

N

T

H

Same is intelligible well,.

N

You have to expect that 99.9% of those for a long time, I'm not going to implement this and they're going to get a destination unreachable with a code they don't understand and before you do anything at all, you need to understand what they do at that point and whether that is what you wanted them to be doing and I I'm guessing, probably not, but we could talk about that. So it's what.

C

B

N

You know some a destination unreachable. What you want them to do is actually not to think the routing system can't get where they're going, but to realize that their timing has expired. You.

I

Know this nation.

N

Of each of us are cached with IP level, and what you're really wanting is the UI from the nodes throughout that right now, the user needs to figure out what his time has expired and go back into web browser and hook back up and I'm, not sure they're sending a destination unreachable is for them. The.

H

N

H

Captive portal destination unreachable would indicate to the user equipment that there's a problem with the captive portal and would prompt them to go to the API, see new implementations. Yes, in.

N

The 99% of No we've never read this document like the implementers another word lease document or the OT out there. What are they going to do right, they're, going to cash it that this nation is unreachable when I try to go into the web browser to get to it to renegotiate and I need it to get to it.

N

What destination are you gonna tell? It is unreachable? It's part of the photo problem, anything that happened to be going to at the time, I.

H

Started that way as well like if you're talking about the case, where it's not all or nothing, it's you know which one is bad. How does the user know which one is bad and one thing is I thought maybe be used it? The Forsman device could signal the API server, somehow immunising awful races there. It does seem a little complicated so.

R

One Kumari I have some sort of background on this or some of Margaret's questions so I mean it could be that if you only have access to certain sets of things because you're in the world garden, you will try and reach outside the walled garden and you will get back a normal ICMP reachable, which is normal device, would treat this unreachable. However, it would also have an extension so that it could provide information to the user. You know in their web browser or whatever, and so just be like you can't get there.

R

You can't get there because something something captured, port or a hand wave hand wave and are actually supporting this interest. You know the background and then there was also some other discussion on. You could use a different ICMP type, just as a signal to you should probably come back soon, because your time is about to expire. Not your time has already expired, so more of just a sort of notify type mechanism, just some background.

R

Yeah yeah, a new one as well see ya, annotate, ICMP, Thuy I mean unreachable to be unreachable because captive portal and we don't like whatever.

T

My commercial University and a white project, and the occasion for okay, I'm. Sorry, if I missed your explain before but like what is your original idea, motivation for this second one, more complex, mechanics and like did you have any original? Yes, that's what.

T

H

Are can tell you, for example, that expire or that you are being shaved because you haven't purchased the expensive service. Thank.

T

C

So not hearing a lot from people I'd like to know whether or not we continue to pursue this I'm, not hearing a huge amount of enthusiasm for it, though I.

H

Think I'll make it be like whether likes it yeah.

C

And, if that's the case, then, then maybe we're in into the well. How do we make sure that we can do? This is an extension if we decide to change your minds later on and just proceed without it for the time being mode. 2, sir, is that right, yeah.

O

Let's say I decide not to do ICMP right mr. Sun right and what would it be I'm heavy agent? Do we have any other options to achieve? Consider.

C

If the network stops working stops working well, it stops working and you treat it like a network that is stopped working and.

O

Then so there's no work yourself, so we don't solve the problem of being able to tell that your time is about to expire, I.

H

Would say, maybe we we changed the workflow a little bit to support these use cases. So Susilo suggests that the that the api is consulted with some frequency things.

G

Like this so I mean, if you just initially simple, it would be what you I will go and fetch they use. The IP I'd see how much time I have left. Oh she's had to do something. I was wrong, I was actually I had one minute, but not yeah. So.

C

There is an administrative administrative verges disabled option in yes,.

G

There is subtitles, there's like communication prohibited by administration for Network and host and then there's just interrupted reservations and so I mean.

I

There is several.

G

Of those seem total and I think you know most of the host destination unreachable, whatever shop code, take they don't care. It's.

I

All the same way, if.

C

They don't understand that we did.

G

Same way, yeah.

C

Maybe gonna tell me what he does, but that.

J

C

J

Was just think about other use cases where the user is trying to go outside of a walled garden because their time has expired. Some other reason it doesn't work and we don't want that captive portal trying to impersonate the page and so it'd be nice to contact them.

J

So it was being discussed over the weekend that, like there are some HTTP 451 cases where someone else along the way is interfering, but we and some people might say: oh well but perfect, you can use HTTP 451, except that means you have to impersonate the end server and and obviously we don't want to tell people to do that. So I'm just curious. If we like and then maybe it is, I need to look more at icmp, but and if we can have a code saying you can't get to this so.

C

We talked about this there's we've already had this discussion. Okay,.

E

C

Should talk about this afterwards? Okay, thanks.

S

Just a quick comment: I am currently I could on the considering the network deployment. So I could send a are. That's my speed, just poking ICMP, an entire ICMP packet, so I, don't think that we have another extension to ICMP I. Think it's a little bit hard to deploy because, like I, we have a API server, api server and a new client, but the middle network is like old network in this case like if even the Internet has a new extension. But you know switches, all those things may block the pockets I.

H

Guess there's a question of you know how much control, how far away if he is the enforcement device, if the operator had if whoever's operating the captive portal has full control of the entire network and it's not too complex for them to change it. To support this sure. But it's a good point: I mean having to enable either a specific ICMP message or or allow all I see the message or something might be cumbersome to some operators.

H

On the other hand, I heard people complaining about not allowing ice to be through the other day because by the fragmentation and path, MTU discovery all that fun stuff. So maybe those operators are bad people, but.

I

S

I

That this message could be hard to operate and also opportunity to make as Margot mentioned. This is this, if it exists, would be a new thing that would be implemented by hosts alongside the API, so I think for now. The answer is that we shouldn't do that and try to solve the issues we find using the API, and if we ever fail to address all the problems with the API, then we can ask ourselves: do we need a new tab and you type a destination? Unreachable is enough so.

H

Going in maybe you know for thinking among one possibility to keep the architecture open to. This is to mention that there may be some on path, signaling that doesn't interfere with the actual HTTP transactions, real customer traffic at a inappropriate layer and just leave it at that in the future. We got more but yeah as far as the.

I

H

I

Concerned, yes, I.

N

Think that if I'm you try to out to somewhere, you can't get new argument like we get it well. If it comes all the way back to you, an ICMP destination unreachable, and that doesn't tell you that much the assumption that we're going to figure out when we are the garden from that it just doesn't make sense. It could be that a routers down we have a temporary routing issue, I. Think that what there's good ways to find out.

N

You know a garden like we could add to this or we could have you use pvd's and you get you're in a world garden. You could even get what address ranges. You can reach you this world garden or some other information that tells you when to use this world garden and when to use another interface. If you have one and that right, CMP unreachable is not really going to tell you you're in a walled garden, it's it's having stuff happen where you try to go to a website when you get a death station.

N

Unreachable just seems wrong to me I just like, because they may there's a lot of times when you give the destination unreachable and that's not what you want to do, and so I'm I'm concerned about that. And yes, you could say the only if you go destination of each word, this option in it and the HVAC matches this and all that but you're kind of taking ICMP out of what it's supposed to do at that point, because you're you're doing using it as a signaling protocol.

N

And if you want a signaling protocol on this API, add one I.

F

Kind of do like the ICMP model for at least letting you know that something has closed on me because I they said well, we have right now the API can indicate to you if you grab it once. Oh here's your expected lifetime in time. Here's our expected lifetime in bites the Yui estimating the number of bites it is sent is not necessarily deterministic. It's going to be wrong right like so.

F

You know what happens if I think I have more life time left on my portal, unless we're mandating that you have a long-lived push connection to your API server at all times, which sounds Ruby fraught go that direction. If we wanted to. Essentially what happens is like do we? We should recommend some behavior when the captive portal closes.

F

Is it just redirecting us like it is today because I'd like to get away from that, and so some rejections, maybe sorry I assume he maybe is the your captive HTTP error or something else, but that only works our HTTP. So there are some benefits to I simpiy here and just just for that model, not signaling your anawalt go to now. Your captive now, but you already knew you were captive and it.

H

Closed that raises something in my mind that dear bird I mentioned a while back I mean if you wanted me on mr. personally, but the enforcement device is ultimately the truth for whether or not attack can make the network and if something happens or maybe crash, maybe it rebooted. Maybe someone pulled the cable or something things are bad and the API might not know I mean, which might that raise a whole other series of concerns. What.

N

Well, my objection is not to having a single protocol. It is not to using ICMP message protocol it's to overloading ICMP unreachable as the signaling method. A different ICMP message might be the right way, because.

H

It may be that maybe the question is the first question we should ask is: do we does Canada portal require a signal cortical protocol, the next, and what? Where does a signaling protocol exist, and and and maybe we didn't spend enough time thinking about it? Abstractly like that.

F

Sorry, yeah I would argue that we do require that a signal protocol, but some specified behavior for what happens when your portal is closed, what happens to your traffic? You could say there is no signal portal and you're just left out in the dark and no I just have a black hole, but that's not ideal.

G

Okay, it actually so changing the definition of destination unreachable. If you'd say that okay you're, you know you know captive portal- decided decide to talk you now it is destination unreachable. Yes, we should probably had a new sock over there like we have already multiple of those we have 15 bit selves. You know five thousand the original RFC and then we have. You know, fight, wanna, fight, more.

I

G

Could add a new one as I said, most of those are going to be processed by the client exactly same way that they do everything else, except fragmentation needed, which is step one a special case. That is also there, but I mean it's it's not it's not overloading that because we are still working the device and the source address of that ICMP is going to be. The enforcement device, so actually know a little bit where it is, but it doesn't, it doesn't have to know it.

G

You just know that something is blocking your connections and you are supposed to stop doing what you are trying to do and then, whatever you do to recover from that, if you are using IPSec and mobile, you just switch to different IP address, because that one is pretty broken. I.

N

Maybe I'm misunderstanding something, but I thought I heard we use destination, which reachable so I add a field to them to contain the HVAC that gets checked to determine whether or not to do certain things which is defining destination unreachable differently, and you also- and you just have to make sure there are many uses of destination unreachable, for instance, a correspondent node if it receives steps, decks, persistent definite destination unreachable well, as soon as the mobile node might have moved to the mask. Is that going to you know really cause any problems for that? I.

N

Don't know, that's a long time, okay, but it's there's a lot. There lies a destination unreachable and maybe we'd always be sending one. Now anyway,.

N

And you know, and that's okay, because your destination is unreachable, but if you start talking about weight and put extra fields in it and you should do X if the H mark is right and y if the each rank is wrong, that's really redefining something. That's an IP weather message.

I

So, as I think your argument, your points about the fact that the enforcement points and the API server might be out of think of out of sync is very good. So what about something that would basically tell the hosts something went wrong. You should probably check out the API server now, instead of doing something that is going to mess really hard with the IP layer. Just do something just a message that tells you yeah III, don't you should you should know your captain and you should check the API.

H

Server to understand wireless packet or drops I think that was the point of the this. The more complex I see anything that Candice was talking about and.

W

Maybe we do that.

H

We propose the capture portal, ICMP version or option and and leave it simple like that. For now.

G

I want to be, as it is now, it's different, adding a new fields there for him, and his map is completely out of the question. I think that's that's but I'm using the icpsr hint to say that okay, now there's something wrong with the network. I need to do something for everyone, but I didn't IPSec in mobike. If you get an ICMP on host unreachable, we started okay, that's for fake or it might be blocked. Let's try with right level pocket and see if the other one is right. Oh he's alive that was fake.

G

Oh he I cannot get Englishness back. Okay, I promise! You try some mother out. Oh I found this right. It works so the ice amp is always a hint there, and here we can do the same thing because usually ICMP under this nation hundred distillation unreachable. Because of the communication, probably by which the reasons that's really in telling okay, it might be from the captive football telling us telling something using the API what's going on and that's that's just a hint and there's no point of you know really try you do all navigate it.

G

That's going to be completed, you know very difficult, and even if you tell others it's it's going to get all got a free player issues and that kind of issues. So don't even try that so.

H

Supposing we don't give an H max.

G

So we don't have any security.

H

So to speak in it, maybe that's me, that's where the API becomes hidden away from the user. If you automatically receive you and says hey, what's my state? Yes, and if it is bad, then it pops up the browser I.

G

Mean if you want to do authentication test, use, dcpl, auditory, paste, Mac or, for example, IP sake or H or something other protocol already have then in that anyone, but forget it, don't do that all.

C

Right so I want to give people to concentrate on the question or when we have it. I have a signal here, rather than talk about designing solutions and I know that's appealing to stand at the microphone and spitball new ideas, but the question of whether we want a signal or not cus away a lot of things very simply if we can decide not and if we decide that we need one.

C

Obviously we can. We can then talk about taking a little work, but it could be very easy for us if we, if we make a decision in one particular direction, so Tommy hinted that I might all right. Tommy, Polly.

F

So I appreciate the comments. Turo I think if we the direction of saying- and we don't need an explicit signal for this- which is attractor so I'll, say, I- can vote in that direction. I just want to say also like in the architecture API.

F

We should clearly specify that if you do use this as a hint, if something goes wrong as a hint make sure that that is somehow rate limited that you're not turning this into an attack on the API server dadada, so that becomes a security consideration, but beyond that I think you can totally live without having that explicit signaling. We may also want to mention like oh you shouldn't. Do these other types of signaling or redirects that are no longer preferred I.

N

Think we do need some sort of signal that tells us to look back at the API I think it might be sufficient to say that captive portals that implement this must send an ICMP unreachable to the administrative one or whatever it. Whichever one of the current codes is the closest and that clients when receiving an ICMP unreachable- and they know they're captive, should check, and you can say well, this could turn into an attack.

N

But since the butt check is a single message and an ICMP unreachable is a single message and we don't accept broadcast ICMP messages. You can't do a multiplicative attack here, so you could slam I mean if you're sitting there and you can send icing and pee messages. You also could just access the API over and over again I. Don't think you're opening up an attack. They couldn't already make.

N

Well, if it's not your packet, you don't have that port opened. You won't have anybody to send the ICMP message up to who would do anything? So it's you have to sleep in the traffic craft messages you do better to just slam. I.

H

Mean you could I, don't know, I, don't know if you need to go to Tennessee and a second's, probably enough to do your job all.

J

Right so I criticize Luann's ability. I have criticized the ICMP proposal bitterly long and hard, but I'm not going to talk about solutions. What I am gonna say is. We should not have something that's easy to spoof, unless it's just a hint all right. You know point one right. Otherwise, even when you have a hint person, two people go forget what who it was you haven't? You have an implicit. You have a boss attack against the API server, it's not multiplicative. So if maybe it's not too bad, but like something that's not authenticated.

J

Like ICMP has this problem it would be. It is I, think a spectacular failure if we standardize a solution that only works when stuff is broken because, like I, don't want that I want something that can tell me before it's going to be broken. Now, if we say that the API can't tell us what time it is, or we can't agree on what time it is where we can't agree on how many bytes we've passed, then, okay, then maybe we need a signal.

J

It would be nice if we didn't but like as long as as long as the signal is really just a hint, because I don't see how an unsolicited message like this can be made secure in any way right. So it really just has to be him. So, yes, it has to be. Him would be nice if it showed up before it's a problem, and you know, let's not try to make it secure, because if it will never be secure.

R

Yeah, whatever yeah you know, yeah Warren, Kumari I, think it's good to say something similar I think whatever I mean yeah we've been talking about, like you know, destination and reachable and stuff I. Think much better would be something else like a by the way. Your time is almost up. You should come and talk to me. Cuz.

W

R

Yeah, whatever I mean no but unreachable will trigger certain behavior and the stack usually like, don't send packets. There I think, like echo reply with no echos.

P

I just wanted to throw in one little bit thing when you're talking about this not being usable for an attack, it is multiplicative in a way because single ICP, a packet is gonna cause since in ack-ack fin fin. So it's a 5x right. You do need to have some sort of throttle on here. I just want to make sure that wasn't lost in the conversation.

C

You're gonna get what you're gonna get once in multiple times might be, but you're gonna get sins. It's.

C

The clown will try to talk to the API. The the client will send sin sin sin, but the the the API has a choice of how fast it can respond. Sure.

P

I'm hoping to use like normal web servers for these things.

N

It's not exponential the if there's something about having using my cmp unreachable and explaining how we use it and what we do that stops us from having another thing that signaling protocol that stops us from having these things are running out signal which could it could not be an ICMP signal, but is not nice EMP unreachable, an ICMP reach will says, stop trying to come this way. Man.

H

All right so next steps here, it sounds like people aren't happy with the existing proposed ICMP solutions sounds like people want some sort of signal. What, and probably that is just a hint, so is it worth taking to the list? You know for suggestions, or is that like I should just all.

C

Right, so what I'm gonna suggest is if anyone wants to actually do the work, to define a new signal that they make a proposal until such time as we have that proposal. We assume that we don't proposal I didn't hear it was as strong an interest in having the signal, as would demand that we actually do something right away. I heard that they were, you know, Tommy couldn't live without it. Lorenzo probably doesn't want it at all, but.

H

If we live and we need to specify it right well,.

C

Suggestions only.

N

N

C

They can then they'd be quite happy to well, not maybe not entirely happy but would would would live without one. No, if I can't live without and they're gonna be doing some work and I don't think either. Looking at.

J

Asana for more work, I think procedure perspective right. If somebody starts doing work, there's gonna be screams of agony from the people. Who've spent a lot of time working on this, so we would probably need at least some form of like requirements before we say okay. Well, we don't want to do this. We want to build something new, because we don't like your standard right so that that I just wanted to say that I mean like Soho asking.

H

For work might not be there, or maybe it rather than just specifying ICP I need to talk about the requirements on the signaling protocol in the architecture.

J

H

J

Shouldn't be too hard is a paragraph of text right I mean I. Can I can try and put three bullet points into an email and then my.

I

Time he has another two.

J

Bullet points that we get.

I

J

I said it needs to be, you know probably hard to secure. Therefore, like most likely used to be hint- and you know would be nice if they showed up in advance.

R

So Warren Kumari, hopefully my final comment. So whatever we build like an API whatever that tells people how long they've got is going to be so much better than what we've got now that maybe we should solve that. But first and then you know we can always revisit this later and add more sexiness.

C

Thank you for restating what I was trying to say here. We go so I actually think that it would be good if Lorenzo you could produce those requirements.

C

It would be because I think that that sets the bar for any for any implementation and what we will do to Warren's point I, think and I'll have to talk to Eric about this one is we will we will assume that we don't have one until we have one and at the point that someone is interested enough to invest the effort in describing this signaling protocol, something that meets lorenzo's requirements, then we will talk about adopting it at that point. I, don't think, there's any burning desire to have that at the moment, but nor.

I

Is there any strong.

C

Opposition to someone doing that work should someone will be willing to invest the effort, so I think there might be a way forward. Thank you can I think you everyone for being so constructive. I have nothing more here, but Jacque has something for to share. We have a little bit of time. It's less time than you asked for, but.

C

You tell her what tell us all what it is and we'll go from there.

O

Well, I'm Vishal Tucker I work for Keira labs and this is I think.

O

This presentation is just kind of just throw out an idea right now and kind of pause. The workgroup kind of question right. It is there's not a little there's a lot of details not in here and that I may not be able to even talk about it right now, but in general. So next slide.

O

So here's kind of the problem right. So we have seen right now. Public Wi-Fi hotspots in public hotspots are usually open right and if you have, you know, wpa2 personal powershell passphrase, and if everybody knows it, then you kind of don't have too much security open, don't have any security at all. There's always already push going on towards trying to make this better right. I mean if you see that a new p3 and knots something's happening there and then so.

O

The only real solution is like something like pass point and hot to the door, which are pretty complicated for most deployments right. So I think this there's an increasing desire in general to come up with a solution that actually doesn't require. You know having a network administrator or any things like that, but like mom-and-pop shops and simple, and people can actually just deploy something that is relatively secure right and not just completely open. So that's kind of the problem, and so here's a question.

O

This is I'm just working with a few other people and we the question yet that we are asking here. Is there some discussions going around we're thinking about coming up with a solution that may be there where we may be able to leverage the capture portal api's to provide a mechanism by which a Yui device or ion device that connects to sort of a untrusted or open network might be able to actually authenticate and connect or figure out that this is actually a right network.

O

So in the sense that if you have a right now, it's easy to do a man-in-the-middle attack right. If you have an open network, you probably won't even need to do that. You can just move, but even if you have an end of unauthenticated encrypted connection, which is one of the things that feature go, w/e provides right. This still open to active man in the middle attacks, so this is just kind of throwing out in the air right now to see would kept with the working group here right.

O

We open them to discussing or having you know, having something added to the API or something in a way where, even if a new device connects to you know kind of sort of an untrusted Network right at least it can then somehow interact with the captive portal and do all kind of a trust, connect but Trust later kind of a verify leader kind of mechanism and there's still a lot of details to be figured out right, but the idea it would suddenly require something on the side of the API to actually help with that effort with that part.

O

So next, right, yes- and this is just yeah- this is kind of just talking about all the other things that are probably already being done in order to solve this thing, kind of I think other organizations Wi-Fi land, specifically WBA- are already working on trying to solve this problem. So it is that's, that's right, but the problem is going to be solved.

O

The question to this working group is that, if part of that there's something that where we can leverage the capital API to actually make it make a better solution right, what the working would be open towards entertaining that and adding that to the captive portal. Api work right I mean we charter explicitly says we don't do you want to worry about roaming staff, onboarding and provisioning stuff, and you know things like that, but this is not about our use, our trying to select a network.

O

This is more about helping a user verify that they actually did connect to the network that they intended to connect right as opposed to being an evil twin network. So anyway, next slide I guess so that's that's just my general question is I just wanted to see. If there is interest in that of this first is: does this will fall somewhat within the scope of the Charter?

O

Is there any interest, and it's so maybe I can talk to the other people that I'm working with, especially in other organizations, would receive if we can come up with some crazy way to solve.

C

This so thanks for bringing the question here I as a chair. This is definitely not in our current charter.

C

Whatever we produce, him may be used by others to do any number of things, and that would not be our responsibility or would require explicit collaboration necessarily, but I will let the people speak to see whether or not they're interested in in what they have all whether they have ideas about what what you might do. Tony.

F

Polly Apple is this an interest I mean to people in really. Probably yes, yes, I think it's interesting music within scope, I, don't think so. I, don't think this is the right place for that. I do think that the degree to which this overlaps with cap hood is very much kind of a PVD stuff.

F

So I think it'd be interesting to look at that as a Potter, maybe like with Indy area where we do, the PPD work see how it fits in there right, because that is also a JSON blob, that is, a network identify that we're trying to validate in a very similar way.

F

To this we view the kamcord stuff as a extension for the cat port interaction itself, but the relationship between cat port and your network, provisioning, like a PVD or DSP Ras, seems to be very similar to the relationship between what you're talking about and that same provisioning. So it's a parallel or parallel thing, but not the same thing.

I

So first I just wanted to say the same thing. Could you have this discussion wisdom in the context of the PD work, I, think that's that that can be generalized not only to capital 3d to PD and I.

J

Think we need that if.

I

You can select tools to better authenticates the TIG. That would be awesome because that's something we miss right now, because we cannot trust the others will receive and send.

O

In terms of what we really don't want to have overlapping work, but if it's something that we can do collaboratively or in a more collaborative fashion, right, I.

S

I think that people here is interesting that this this work but I, don't think this is a scope of this working group, but and also I, want to mention that I think. If I understand correctly, this is kind of like HTTP upgrade for Wi-Fi the Wi-Fi up for like using the young, unencrypted pathway in and access points which kept people hey. You may 20 crates security or more secure, so here's the things.

S

So if it, if you have a discussion like we need to incorporate with because like it's, it's definitely to make changes to the Wi-Fi architecture, because, like there's no way no such mechanism to upgrade the connection between that's point the clients so before I think it's a good idea, but I could before starting the discussion. I think we may. We may talk about the HIV as well. Yeah.

O

The idea, the question here was cool: if there's interesting year that used to kind of work about it, then the next step would be talking. Maybe with WFA there will be a trip or whatever the relevant places are where the work is being done to actually make sure it's in sync, I.

Q

Think this is great for situations where you're for networks that don't have captive prose as well like, for example, your home network, someone comes by and drowns out. The signal makes you connect to their router, so, but that goes to demonstrate that this is beyond the scope of the program here. I think by still something really needed, because these attacks do happen. So it'd be great for users to do this kind of work. Okay,.

C

Thanks right, so that concludes our agenda. Unless do you have anything more right now.

O

It's also, it seems like they're I mean it's. A lot of this is real scope, but if we, if there's something concrete body- and it would be yes.

C

Speaking with you know, IB hats on if there's anything that that one of these groups wants to come and talk to us about, we can, we can do formal liaisons, we can do people come into the working group and simply sending emails. I prefer the latter yeah. But if it comes to that and that's the way those work groups need to work, then we we can accommodate that yeah.

O

The study would be something like how a few requirements episode if you need to add this to the captive portal. Api.

C

Right now, I see no action for this. For this group other than awareness, which is which is good. So the number of people are quite interested in working and will.

K

With you, yeah.

O

C

Thank you, okay, thank you, and that concludes our agenda. If anyone has any other items, take them to the list. Thank you. I hope.

T

This one comment further, like the I know, once we clear their IOT use, cases right, I think a lot of discussion Chicago and like really think without our devices, but I, think um it's I mean this station picture for had a hit with IOT devices means the automation kept before a process without the browser and I think we can sync again as one of the years case, like the one section to that fixture document or like I, wish.

T

The I'm not sure, but the draft for, like they architecture for IOT device, my earnings headed devices and then, if there is event I'd like to volunteer for it. Okay, so.

C

Yeah, just the comments, if you think you can provide text, send an email for the list with that text or talk to Carlo. Send a pull request. Welcome welcome those sorts of additions. Yes, so I mean I.

H

Knew clay did all of that, but if proposing actually make it possible right now and specify exactly how and I have this IOT device will be able to connect to your captor portal that will require changes to the API, because the API is only providing you a place to go to login. It's not providing you the button to login, and so maybe we just need to make make it clearer than the architecture.

H

So, if you're not preventing this from happening, and we can start extending it a future and that's what Noriko saying great I agree: okay,.

C

Thank you. Everyone.

O

So what can we do.