From YouTube: IETF98-CAPPORT-20170328-1450
Description
CAPPORT meeting session at IETF98
2017/03/28 1450
A
B
C
D
D
A
A
E
A
There were a few issues, but I just wanted to clear up before we get into the agenda. So the first thing is: we have a new area director, is wearing the hat there. There's a lot of people in here who aren't perhaps accustomed to working in the apps area. Welcome. So Adam here is now looking after this working group, I guess in a very abstract sense that an area director does. We've been having some discussions about finding an occupant for the seat sitting beside me.
A
A
You have a fairly open agenda this time. I'm giving 15 minutes to which the people who asked for time; we try to keep on time off deal. That is there any bashing that anyone would like to do to this agenda? New items, people think they're going to take less time? You had allowed to take more time. Okay, Rico!
C
F
Hi, I'm Mariko Kobayashi from Japan, and I'm from Keio University, and I have a presentation about a survey on behavior of captive portal, and at this time I conducted a survey especially focusing on Japan. Next slide, please. So in the previous IETF I give that again seven, and so all we have a captive portal and stuff. It is not official things, but we have a lot of discussion of 10 40 minutes and the other is so. We discuss the necessity of the industry survey for captive portals.
F
So that's why I implement that survey tool to automate a survey on my Raspberry Pi and use it for this time, and this time I show an actual survey about captive portals in Tokyo, Japan. So next slide, please. So this is the survey overview, and I conducted a survey on behaviors of 40, about 40, captive portals in the central area of Tokyo, Japan, and the, um.
F
Here's the survey items, and the first one is false negatives of, like, I try to check the iOS, Apple's captive portal detection strategy, and also the Windows strategy and the Android one. And the second one, it's HTTP status code, I will explain later, and the third one is DNS poisoning. So next slide, please. So if you are an Apple engineer, or Google, oh, please.
F
Let me know the more correct information, but I survey on the web, based on some web pages, and here it's some basic strategy of Apple and Windows and Android. The first one is Apple's one: the terminal accesses the somewhere Nova faces like Captain Oh, calm to check the internet connectivity, and if they get the text, the success, there is free internet connection, but if they get the other response, it is regarded as a captive portal. The second one is Windows, and Windows has two steps to check the captive portal. One is they send a DNS lookup request for the domain, and they check whether.
F
They get a correct IP address, the one and the like, and the second one is they also, um, access that will know both basic and whether they can get that correct a case or not. And so on, the Android strategy, and they have also already waited for HTTP probe and HTTPS probe, and the, um, Doug web page is just on the response 204 No Content.
F
So if they get that response, there is free internet connectivity, but if they cannot get that response, they are very in behind of captive portal. The next slide, please. And okay, so the first one is false negatives of the macOS and iOS strategy, and for this strategy I could detect about ninety percent of captive portals, but less than ten percent, the strategy could not detect the snakes, which breeds.
F
So the next one is false negatives of the Windows strategy and, as I explained in the previous slides, the Windows strategy has two steps to the captive portal, and this is the result, and about ten percent of captive portals defeat the Windows detection strategy. So not so many, but the Windows strategy also cannot all of the top captive portal in Tokyo in Japan. The next slide, please.
F
So this is the, I think this is the most interesting information for you, and this is false negatives for the Android strategy. The left one, it's the graph for checking the HTTP probe, and the right one is for checking the HTTPS probe and, as you know, most of the HTTPS probe does not succeed on captive portal. And okay, so for the HTTP probe, one should up captive portal, a captive portal defeat the detection strategy and they reply 204 No Content to unravel of apt.
F
So it means this is not a captive portal, but actually a captive portal, so the Android cannot detect the concert or captive portal. As always old. So next slide, please. So this data scouts means I analyze the littering HTTP status code, um, when the to my survey to get access to burn away places up, iOS or macOS and Windows, Android, and the list update really beats falling without and current proposal. Mark Nottingham has also some HTTP status code proposal, but extra the status code, alkyl entry I get.
F
I got the 302 and 307 and 200, and my prediction was 302 or 307, but actually they are out of 200 sixth card. So next slide, please. So I also should be about the DNS poisoning, but most of the captive portal de nada, tiene, quien smith poisoning for this time, and I also check the setting of public opinion DNS from my toolkit, and the most of our clothes fade when nice at public DNS like 888 84, my survey toolkit.
F
So next slide, please. So as all these results, I can say there's two types of behaviors of captive portal, and this is the expected behavior of captive portal, I think, and this is the most standard one, and most of the operating systems can detect this type of captive portal, and they reply with either 302 or 307 with a redirecting URL. So this is the good type of captive portal, but the next slide, please.
F
So this is the problem and unexpected behavior of captive portal, and the some captive portals, um, which respond 200 as HTTP status code defeat the detection strategy, and, um.
F
Moreover, some of them also, like, as I said, defeated the Android detection strategy, and all of this model of captive portal is deployed by Wi-Fi and operated by the same network service provider in Japan. So they have some reason to defeat captive portal detection, I think so.
G
G
F
Okay, as I said in the second or third of slides, I conduct, I implement this survey toolkit on Raspberry Pi, and though I set some user agent, but actually not conducted on actual Android, but I.
G
F
I, and okay, so also for this model, I use my Nexus and the test date also my actual device, and they cannot detect. Oh, okay, so.
A
F
So the next slide, please. So why the service provider try to defeat captive portal detection is, I think, biggest point for us, and the country. I asked the that name for such vibrant. I asked the technical manager of the network service provider, but I cannot get an answer yet, but this is my prediction: originally, the captive portal detection is deployed for the protection of users.
F
Privacy, like to use an incognito window, and like they cannot get user's cookies or something like, and so the incognito window has some trouble with login process or API, and the users complain about it, is one of the reasons. Or the service provider wants to get some information from the user's browser, I'm not sure, but for marketing or business reasons. And I'm not sure whether only Japanese service providers defeat for some concert ilysm. How about other countries? The next slide, please.
A
F
So why captive portal is deployed is, I think in 1995 awesome one closing about this, and they are used for authentication, payment information, advertisement, notification, or sometimes for business marketing for solace, and the location owner wants to use the email address or ID or critical if number of God kyo user agent, so it is up to the location owner, but if they defeat the captive portal detection, the service provider cannot provide a service correctly.
F
I think. The next slide, please. So my proposal is: writing a captive portal survey ID will be valuable output for us, and this time I conducted it just only in Japan, but conducting a further survey like in other countries, that's aah year order US or logic miracle or Zelda. Some ulip could be good, I think, and for that I wanna focus on some rain CD in other countries, and now my plan is to implement a captive portal survey app, or Android app, or some other way.
F
If you have any create any pop water, please let me know. And the next slide, please. So one discussion is the captive portal detection does not work correctly in Japan, actually, and the network service providers cannot provide their service also, and so we need to collaborate with network service providers, not only OS vendors. It is important to mediate events for our captive portal solution, like, if like.
F
G
C
G
Hostname various times. So one thing that would be great is, you know, if you need an actual Android device, mm-hmm, you know, I will give you one, and so you can actually run the code on a real device, because those two probes are very different. Also, part of the goal of this one is to ensure that the user, even if the captive portal is not cooperating, that the user still keeps working internet access, and so doing SSL is kind of that.
F
G
So there's, I agree that we need to work with these people, and if you know who they are, I'm happy to chat with them, particularly if you know the Japanese ones, who think they can talk to them. Thank.
F
G
C
G
F
And for the, our detection strategy, I saw some codes, like, oh, can I go to 16-piece, yes, a 16 page. Yes, that's one, and are there some google earth on? Let give me that links, like, I think network monitor to jabber like something, but I'm not sure that, I guess.
G
F
I, actually, it's like too confusing to catch up all of things, so I make, yeah, I make cut off some of bings life.
I
Tommy Pauly, Apple. So first of all, thank you so much for doing this. This is, I think, great work to have a survey. I think you should engage in doing more of these, right? I mean, using real devices is great, but I think we could also just make sure that the vendors are open with what our current.
C
I
Are, so that we can, I think it's a cool idea to have just a device that can go around, just try all of them at the same time, on the same network, advanced, really cool approach. I do want to mention one thing: if people wanted to test this, there is an API that we have on iOS devices called Hotspot Helper, which allows people who have their own captive portal authentication to kind of interpose themselves during the association phase and be part of the probing.
F
J
Alex Roscoe, Comcast. From my understanding, I think RIPE Atlas probes are adding Wi-Fi to the probe, and it may be interesting to open up the sessions with them to see if you can do measurements from their probes.
J
F
B
Rick Taylor, Airbus. I really like this. This is all round.
B
My question is a follow-on: what affects me with what I'm trying to do at the moment is, you discover the captive portal, you log into the captive portal; I'd love to see the survey record what the captive portal is monitoring and how it is building this association. Is it just IP address? Is it MAC? Because I've come across.
H
Are here don't have any way to get this automatically, but, well, we can see that some of the recipes are actively defeating the captive portal detection, and we have lots of speculation. Do you have any knowledge of why they do this? These things, any concrete statements for them why they're doing it? It's.
H
A
K
David Schinazi, jumping in to quickly answer your question. From what we've understood by talking to them, a lot of them don't like the UI that the vendors, and by that I mean the client devices, show when we detect captive portals. So they explicitly go out of their way to defeat our probes to show their own UI by man-in-the-middling the HTTP traffic. Mm-hmm.
L
Hi, I'm Emily Stark, Google. I just wanted to say this is very interesting. I work on Chrome, and Chrome also has its own captive portal detection that it.
L
F
L
C
L
The code is different and, mm, pretty sure they diverge. I'd be, I can give you a pointer to the Chrome code offline, and.
L
F
D
Ideas about extending your survey into other locations? Have you got any thoughts about how to go about that? Are you looking for volunteers, or as a web page, but people get copper to the software the hobby decide for themselves, or is that still something that stillness it of the North can give us some ideas about what you want to do next is.
F
F
F
So might pull em observe first of its on the most biggest point is I want to be about other countries, and the other one is I want to include more cervical taste, like like to see it. Give me like more surveillance for clone war. So, if you have some survey you like to see, please let me know; I want to include more items. Okay, thanks! Thank you.
H
A
M
N
This is aren't right. Okay, hi everyone, I'm Kyle Larose from Sandvine, and I'm here to talk about an architecture for captive portal interactions. X, like. So, I mean, we're all here to learn about captive portals, so we pretty much probably know, you know, how they work, what the problems are, but a bit of a summary here. So, you know, they interfere with normal traffic flow, first establishing your login.
N
They have a habit of modifying HTTP, wreaking havoc on encrypted sessions, and so on. So it just sort of leads to bad behavior, and, I mean, there's a draft describing this problem, so, want to learn more about it, just read that. It'll do a much better job of summarizing it.
P
N
I probably ever will. Next slide, please. So, as we all know, there's a working group about this, and from the charter, basically we're trying to do a few things in the working group, and one was to, you know, make sure that devices have.
C
N
Figure out what URI to go to to interact with the captive portal and, you know, detect the captive portal in a consistent manner, learn about it, deal with it, and, you know, even better, if necessary, to do it without any human interaction, which enables a bunch of use cases that would otherwise be impossible. And we had a lot of discussions about this on the mailing list, in meetings. And so what me and Dave tried to do with the architecture was condense all that down into.
N
You know, one document that describes sort of how that should all work together, and that's likely. So, you know, again, the main goal of the architecture is to provide a standard way of deploying captive portals, or, you know, a set of ways. Maybe there's a few pieces that could vary, or, you know, work one without the others.
N
N
It's there, maybe the text diagram that I had in the draft was actually better than this, but I tried to make it a little more readable here, sort of draw the four main components there that are all interacting, and in the follow-on slides I'll discuss a bit more what they do, but essentially the arrows show the flow of information in the system. Next slide, please.
N
N
N
One thing I want to make clear is that with this architecture, we don't want to specify the UI. That's really up to the user equipment, because that interaction, different devices might want to do it differently for various reasons. Next slide, please. The DHCP server, may be the router. It implements RFC 7710, which basically, the intention there is to give the user equipment the URI with which to interact with the captive portal. I think it initially was intended to be a generic API.
N
That means we can actually deploy an API at it and have it be a little more extensible. I think in the draft that I put up I'm even a little too strict about calling it a DHCP server. I think it's really just, there's a component in the network that can give you access to the URI somehow automatically, and that doesn't mean rule. Next slide, please. So the captive portal API server: there's going to be a talk after this talking about it.
N
N
The web server providing the browser where you click, "OK, yes, I accept the Terms of Service", or enter your login credentials, but it could also be some sort of generic REST API that allows you to do things automatically. Now next slide. So the captive portal enforcement: this is a fancy way of saying the thing that's blocking you, so, you know, probably the Wi-Fi hotspot. It could be a router, could be, you.
N
In the mobile network, but it is responsible for enforcing the policy, pick a quarrel see, and informing the user when they don't have access, or they're about to lose access, or a few other things, and I'll get to that in a second. One other key point is that it may allow access to a walled garden, which you might need to get more information about the network, or maybe do some free stuff you can do, so it's worth calling that out. Next slide, please.
N
So the ICMP unreachable message: this is an extension to the ICMP unreachable message which indicates that you're behind the captive portal. There was a draft about it; expired. I think it's being revived by David Bird, and the intention there is to inform the user that there's a problem without them having to poll the API server, and even further.
N
The new version of the draft is calling out an entirely new ICMP message type, which can give more sort of graceful interactions after your captive portal's been established, so maybe alert you to quality of service issues or a pending expiry or things like that. I kind of a string, the hackathon was kind of cool to play around with. So this is some security concerns that were mentioned on the mailing list, and I think Weesa laid the hammer lizotte.
N
So one option was to use a token for authentication, but we need to figure how to get that. Next slide, please. All right. So this is kind of the workflow for someone who's using a web browser to log in. I probably need to change the wording in the document; I don't want to call this out as being the only workflow, it's more of an example workflow of how we would actually do things. But the idea is, you know, the user turns on his phone, connects to the network.
N
N
You know, like their network monitor thing saying, "Hey, you're on a captive portal, what you need to log in." Again, that's the point of the ICMP message there, so you're some very equal to some options here. You know, maybe the user just tries to connect to the internet, sort of assumes there's no captive portal, and the ICMP message would tell it that there is one, and if they happen to access something behind the walled garden, you don't even need to log in.
N
That's why I said this isn't really the only way of doing it, so I think of some options there. Excellent. This is pretty much exactly the same with some sort of Internet of Things device. The only difference is there's not a stick figure there: the user equipment basically automatically does the login, whereas before somebody would have hit a button. Next slide, please. All right. So, security concerns: as you know, is the token approach sufficient for ICMP validation? Are we going out roll getting in token?
N
The concern here, for those who haven't been following the mailing list, is some random, you know, bad actor on the internet sending one of these ICMP unreachable messages to, you know, handhelds and stuff, and just causing generally DoSing them or wreaking havoc on them. If we're doing more than just closing connections, maybe it'll drain their battery or worse or something, if it pops up, causes a bunch of popups.
N
N
Is someone driving around with an open access point and just having people connect to it and then authenticate themselves and trust that connection, you know, start sending their plaintext internet traffic through it or something? Maybe there's something that has to happen there too, particularly for the automatic login, to make sure that they only log in where they're supposed to. And I think I've heard talk that Hotspot 2.0 is going to solve that problem, so maybe not a big deal, but we should talk about it anyway. So what concerns there's.
N
Also some positive sides to it, so getting rid of the redirect, the DNS poisoning, all that; there's no longer man-in-the-middle when we're explicitly saying how to interact with things, we're explicitly saying there's something to do to the user. You know, it just cleans things up and makes it explicit. It makes it sort of above ground, and everyone can play nicely together.
N
You know, what you just saw: there's a whole bunch of ways of doing this, and people seem to want to try and defeat it. Not sure if this will make them not do that, but hopefully, if there's a neat sort of, all the client devices start implementing these simple, easy ways to authenticate, there will be some push for the captive portal vendors to actually adhere to the standard. And another security benefit is the captive portal is restricted to what the DHCP server, a router advertisement, or whatever said, so.
N
N
So a bunch of open questions, I think, some stuff I think we need to answer in the working group to move this document forward. I guess I'll mostly skip these, and we can always talk about them on the mailing list itself. So next slide. All right, so next steps. So what do we want to do with it? Do we want to keep working on it? Is it a waste of time? I hope not. I'd like to see it move forward.
N
I don't know if the working group should adopt it now or it's too early. What do you think? Well.
A
From my perspective, I'd like to see a little more discussion about this and a little more feedback, and probably some of the architectural questions need to be explored in a little more detail before I think we want to actually ask the room whether this is something we want to work on, but it's certainly promising. All right. That's largely a personal opinion, because I've not singled on the discussion yet, so I'd like to see that.
N
A
G
A
G
So I don't think it's a goal to get rid of the redirect. We're gonna have to do that until, you know, until the end of time anyway. So, you know, that doesn't seem to be a goal. I wish we had something better to do than the ICMP method. It seems like really messy. It gets rate limited, it's.
G
You know, to some degree subject to forging. It'd sort of be better if we had something else. One thing that, I think we discussed this in, forget what, at least, you know, two IETFs ago: maybe if the captive portal is time-based, just tell the device how long it's got left on the clock, and so you don't have to rely on the ICMP message. If it's a 24-hour thing, just say, hey, in 2400, login is good for 24 hours, and, you know, if you want to check periodically, here's.
G
N
I think most of the components actually provide benefit on their own, so just the API server could help, just the DHCP/RA extensions can help, and you could even get some, just the ICMP messages. So I think we need to iterate a bit more on the architecture to figure out what's actually necessary and talk about what the benefits of each of the components are. Amigos will have helped give some, you know, follow-on drafts to talk about recommendations and methods of building real systems.
R
Margaret Cullen, Painless Security. I think you were right that it should have a little bit more in there about both the DHCP and the RA option, both of which are in 7710. That's just editorial, really. I agree with what Lorenzo said about the ICMP messages. I'd like to add, I mean, one is that I see some fear that these ICMP messages could be used to shut down nodes in cases where there isn't even a captive portal.
R
Okay, the other is that if you're going to implement a new spec, I think we probably want them to implement a new spec that actually goes in and navigates the portal. Well, you say, like, the ICMP messages add something on their own, but there was a previous draft for it that apparently didn't have enough traction to think it would add on its own, right? And I'm not, I think it raises a potential attack, and I don't think it helps that much. Well.
N
There, we had some pretty discussions during the hackathon about what the ICMP messages could give you, and, I mean, maybe you could do without it, but, you know, David's working on a new version of a draft, and I, I think it's worth discussing the draft a bit more, the one he's working on, 'cause it does extend to IC because of quite a bit, and maybe, you know, I. Oh man, maybe.
R
N
Discussion. I'll summarize a few of them later, I think, in my hackathon presentation, and I think that those who did have a tease, definitely please post them to the list, because that will generate discussion, foster that sort of thing, I mean.
R
R
P
Middle kappa pista. So in a previous presentation there was a few details about the different behaviors that are currently implemented in the devices. As far as I understood this proposal, this is not backward compatible with existing devices, so this may be fine, okay, but if you think there is strong reasons why the proposals from the working group should not be compatible with existing devices, it must be augmented very strongly, I think.
N
This, the CAPPORT API, talks with backwards compatibility. So if you go to that server, and so you would read, you know, suppose you're behind a captive portal and they didn't really support anything other than the redirect, then it would redirect you to that API and it would just serve up the old browser-style web page.
P
P
H
H
The thing is, what we have today kind of works, mostly, and where it doesn't work is where the people who put up the portal are actively defeating it, and because we sort of at least partially understand why they're doing it, I don't see how that solves their issues. I mean, why wouldn't they want to defeat this thing as much as they are defeating the things that already exist?
N
Q
All right, David Bird, just a comment about the ICMP. So the idea is that a NAS, right, today only has a few options when it has traffic that it doesn't let through: it can either just black-hole it, if it's TCP it can give it a reset, or it can give it a destination unreachable. The idea of the CAPPORT ICMP extension is just to give the user equipment a little bit more information, so, instead of just giving it a destination unreachable and then the assuming is not accessible.
Q
S
Be surprised, then. Chris Sale from Hutchison, speaking from a mobile operator's perspective. The only issue I have is on the DHCP/RA side. I don't think I've got a way of issuing a URI as well as the IP address, 'cause in mobile networks, in PDP context, they provide you with the IP address, but there's no Westerfield that I'm aware of. There is a.
N
A
A
S
Focus is usually put private IP address ranges, right, but I mean, my point is, I think it's a great solution, because, I mean, the only use I have for this is prepaid customers who have run out of credit, and they either get a nice message on a page thing. These pattern is we pay, or if they get nothing, they'll be calling the call center. We'd much prefer the former, so maybe those people can have the URL printed somewhere for them.
T
T
The way I was thinking about that was, compared to, you know, currently you could try to do that, but, you know, in this case we think, you know, unlike the 307, let's go to redirect, the URL is not coming in that message. So, on the one hand, you know, the worst you can do is make the user go to the portal URL. You can't make them go to an arbitrary URL and to commit it. You know that, well, then you could say.
T
Maybe we could, you know, DoS the URL by reflection, but then that's what we were thinking about. Kyle mentioned the token or something; if you could put something in there that was hard to guess, you could make it, you know, at least as hard as killing a session with a TCP reset or something. So, you know, that's a thought, womb and discussion on narrowing, or sorry, fixing it weighs like. That is how we were thinking of it. So we think it's better than current.
E
I want to make one last comment about that, and that was, perhaps we could also require, on processing this ICMP message, that we actually validate that some part of the message that it is responding to is there, right? So you had to be an on-path attacker, because the captive portal device must effectively be on path, right? I.
T
E
B
I
Hello, everyone, I'm Tommy Pauly from Apple. I'm a co-author, with a bunch of other friendly people from Cisco, on a draft for doing provisioning domains, and what I want to highlight here is not the whole draft, but specifically the part of it that applies to captive portals. Next. OK, so what are provisioning domains? Not everyone knows what they are unless you've gone to MIF. So it's defined in RFC 7556, which is a MIF document. Essentially, a PVD is a self-consistent set of configuration information that a host can use.
I
So this is your addresses, your DNS: how can I actually effectively use one particular network connectivity? Next slide. So there are two conceptual ways of getting these things. One is through implicit discovery, and that's essentially what everyone does now: you get provisioned things by DHCP, it's a few RAs, some things you know just because I'm connected to a Wi-Fi, I know it's Wi-Fi, I know it's l. VPNs have their own whole set of configuration that comes down. All of these configure.
I
What a device can consider, if you, also includes DNS attributes. So these are great, but the holes that we have are when you potentially have multiple PVD uplinks from what looks to you like a single interface, so I have a Wi-Fi router that actually gives me access to multiple networks. That's very hyper cooling, like the homenet cases.
I
So in those cases I am blind to those other PVDs that may be there, but then there's also the case in which there are properties about the PVD I'm associated to, like it's captive, and I'm also blind to those attributes, and effectively I want those to be part of my PVD. And sometimes, essentially, like, you know, an Apple device, Android device, we can kind of infer that, oh yeah, I did this probe, it's captive, and we just guess, and we put that into the PVD information, but it's not explicit. Next slide.
I
So a lot of what this draft is about is saying: can we finally have a way to explicitly define new PVDs and what the PVD attributes are? So this is required to use multiple PVDs on a single interface. The draft goes into how you can have essentially a PVD for each IPv6 prefix. PVDs are given out by different RAs, and RAs have a PVD ID, which is an FQDN, inside of it, but we can also use that to convey extended attributes. So what are the captivity or limited access.
I
Walled garden attributes, cost requirements, what kind of quality should you expect, what's the timeout? So this list could grow and grow and grow, and it's not really clear how much is appropriate to have in here, but we wanted to get the conversation started. Next slide. Okay, so we've been talking about this for a while. We're also very interested in captive portal. We see the conversations going very much in the same place of, oh.
I
We
need
to
know
where
on
this
type
of
network
and
then
we
need
to
contact
something
to
get
more
information
and
interact
with
it.
It's
like
this
is
very
parallel,
so
my
main
goal
presenting
this
is
saying:
can
we
make
sure
we
don't
go
down?
Two
different
paths?
Is
there
a
way
that
you
can
have
a
kind
of
coherent
story
that
gets
the
captive
portal
benefits
and
we
can
actually
convince
captive
portal
vendors
to
implement
this
and
also
get
Cisco,
routers
and
home
homenet
routers
to
implement
the
same
thing
next
slide?
I
Okay,
so
in
this
draft
just
takes
a
stab
at
proposing.
Here
is
one
way
we
think
we
could
do
it.
So
it
says
that
the
PVD
is
identified
by
a
fully
qualified
domain
name
in
the
draft.
It
comes
down
through
an
RA.
It
could
come
from
something
else.
It
can
come
from
your
VPN.
Your
carrier
could
provision
in
the
same
way
that
it
provisions
the
addresses
we
don't
care,
how
it
gets,
pushed
down,
slide
go
and
then
you
would
want
to
be
able
to.
I
If
you
have
other
metadata,
go
out
and
query
that
I'm
in
the
draft
it
says
you
know,
go
to
an
HTTPS
connection
to
some
JSON
file,
that's
based
on
your
PVD
ID.
This
is
very
nascent.
It
needs
to
be
expanded
upon,
but
I
think
it'd
be
good
to
see.
Does
this
API
look
similar
to
what
we're
about
to
hear
about
from
the
captive
portal
API?
Can
those
end
up
being
a
similar
mechanism,
or
does
this
blob
then
point
you
to
the
REST
API?
Is
it
on
the
same
server
as
a
different
thing?
I
You
can
interact
with
next
slide,
so
here
are
just
a
subset
of
the
properties
that
were
listed
in
the
draft.
It
lists
a
bunch
of
options
based
on
presentation
earlier
I'm
sure
we
need
to
call
a
lot
of
them
out
I.
Imagine
that
will
probably
want
to
split
up
the
draft
into
like
here's,
the
ID
and
here's
how
you
discover
where
to
talk
to,
and
then
you
can
extend
what
you
can
talk
to.
I
But
basic
parts
unit
has
have
name
says:
what
are
your
prefixes?
Do
you
have
internet
either
the
captive
portal?
If
it
is
what's
the
API
can
use
to
interact
with
it?
This
could
allow
us
to
finish.
We
have
different
versions
of
how
we
interact
with
captive
portals,
etc,
etc.
Timeouts,
when
she
unix
check
in
with
me,
that's
a
way
of
potentially
avoiding
the
ICMP
ground
yeah.
So,
just
to
summarize,
these
problem
areas
look
very
similar.
The
PVD
area
is
I,
just
think
the
generalized
form
of
the
captive
portal
problem.
I
So
please
give
your
feedback
on
that.
Let's
see
if
we
can
have
cohesive
solutions,
just
kind
of
thinking
about
the
structures
that
incentivize
people
to
do
something
or
not.
If
there
are
ways
in
which
you
know
you
say,
enterprises
and
other
groups
want
to
start
deploying
PVDs,
because
that
allows
the
end
devices
to
get
new
cool
interactions
and
new
features.
I
Is
there
other
goodies
that
we
can
toss
in
there?
That
will
incentivize
them
to
adopt
these
models
and
then
oh
look.
We
also
happen
to
know
their
captive.
At
the
same
time,
of
course,
we
won't
get
all
the
malicious
people
who
want
to
just
check
us
through,
but
at
least
the
you
know,
cutting
edge
devices
would
work
better
with
this
new
book,
so
your
feedback
would
be
appreciated.
A
I'm
going
to
suggest
that
this
one
requires
a
little
bit
of
thinking,
thanks
for
doing
the
presentation,
but
with
the
draft
read
the
draft
think
about
how
this
how
this
is
going
to
fit
in
with
what
the
various
people
who
have
architectures
and
protocols
in
mind,
think
about
how
that's
going
to
fit
in,
because
some
this
is
seems
very
close,
you're
right.
Yes,.
Q
Q
E
E
Yeah
I
think
I,
you
know
I'm
a
fan
of
PVDs.
I
do
think
that
there's
more
information
in
here
than
certain
things
wrong
in
certain
places
and
there's
sometimes
some
of
the
stuff
seems
to
be
like.
You
may
have
two
places
to
do
things.
I
think
when
it
comes
to
like
expressing
charging
information,
that
kind
of
stuff
I
would
rather
presume
the
feed
device.
I
G
What
run
security
I
think
actually
I
think
this
is
great
and
I
think
for
two
reasons.
First
of
all,
it
might
work,
and-
and
second
I'd,
like
I
honestly,
don't
know
if
it
will
work
but
I
think
even
if
it
doesn't
work,
the
PVD
general
infrastructure
will
be
so
much
the
richer
for
having
tackled
this
challenging
problem
right
in
the
sense
that
here,
like
you,
if
you
try
to
solve
the
captive
portal
problem
with
this,
you
will
have
to
build
update
ability.
You
know
maybe
scopes
or
whatever
all
this
stuff
right.
G
You
really
needs
to
be
in
there.
For
example,
like
you
know,
how
do
you,
how
do
you
check
you
know?
What
do
you
do
when
the
captive
portal
goes
from
closed
to
open
because
you
logged
in
right?
How
do
you
like
do?
Give
it
a
different
PVD
ID?
Do
you
like
change
the
URL
like?
What
do
you
do
right
and
so
it'll
be
very,
very
interesting
than
them
and
I
think
this?
Is
it's
going
to
be
a
great
exercise?
Another
point
that
I
wanted
to
make
is
a
is
a
a
is.
G
It
is
a
matter
point
for
the
whole.
You
know:
we've
gone
over
this
I
think
many
times.
For
my
personal
perspective,
it
is
not
ever
should
not
ever
be
a
goal
for
this
group
to
work
on.
You
know
to
optimize
for
the
case
where
an
operator
is
trying
to
defeat
the
portal
right,
because
there's
just
no
point
in
that
right.
If
that's
what
they
want
to,
do
it's
a
business
reason-
and
you
know
we
can-
we
can
get
into
an
arms
race,
but
that's
not
something.
G
That's
and
some
of
us
might-
and
some
of
us
might
not,
but
that's
not
something
that
we
need
to
worry
about
here,
because
it's
going
to
be
inherently
like
very
hard
to
it's
going
to
be
a
moving
target.
There's
no
point
in
talking
about
this.
So
let's
not,
let's
not
try
to
do
this,
for
sort
of
malicious
cases
or,
let's
say
conflicts
of
interest.
Let's
just
you
know
do
this
for
participating
parties.
A
G
By
the
way,
bows,
if
you
basically
move
beyond
the
captive
portal
to
something
that
just
tries
to
enforce
a
policy,
I
mean
a
lot
of
the
time
they're
just
trying
to
talk
to
the
user.
So
this
is
not
going
to
help
right.
They
try
to
get
someone
to
click
on
a
button
to
say
they
agree,
and
you
know
you
can
just
know
that.
But
you
don't
can't
agree
yourself
right
have
to
get
these
River.
Q
H
Now
y'all
know
like
put
back
on
set
for
because
true
we
can't
win
the
arms
race,
somebody,
the
network,
they
can
block
the
network
for
you.
But
if
you
understand
what
why
they're
doing
what
they're
doing
then,
if
like
they
need
access
to
the
regular
browser,
cookies
well,
I
want
the
regular
browser.
They
want
a
regular
browser.
We
can
provide
that
or
we
can
decide
that
we
don't
want
to
play
with
them
and
get
to
the
thing
shut
up.
I
Want
these
things
so
just
respond
to
that
before
sit
down
I.
I
think
I
agree
that
doing
a
survey
of
this
like
what
we
had
before
of
a
survey
of
what
are
the
interactions.
What
are
the
surveys
of
why
people
avoid
going
through
the
captive
portal
is
very
useful
as
a
design
consideration,
but
I
think
the
solution
to
that
long
term,
if
there
is
one,
is
not
going
to
be
a
protocol
one.
I
J
O
O
First
thing:
that's
a
the
first
bit
of
feedback
was
that
people
wanted
to
see
examples
of
what
the
protocol
would
it
look
like.
So
here's
a
walkthrough
starts
with
URL
acquisition
starts
with
that
CAPPORT
API
URLs
obtained
from
DHCP
or
IPv6
RA
through
RFC
7710
user
equipments.
If
the
user
equipment
doesn't
support
the
protocol,
it
just
grows
a
web
browser
requests.
If
it
does
support
the
protocol.
It's
starts
to
JSON
REST
JSON
session
next.
O
The
CAPPORT
API
server
responds
with
available
networks
requirements,
so
on
so
forth
it
may
have
multiple
networks
that
it
deals
with.
It
can
advertise
all
the
networks
that
that
it
has
available
default.
I
declare
to
be
a
a
convention
that
if
user
equipment
doesn't
know
what
they
want,
it
doesn't
necessarily
know
anything
about
these.
It
should
just
choose
the
default.
It
kind
of
intrinsically
has
internet
access
if
by
convention
next.
O
The
user
equipment
attempts
to
satisfy
the
requirements
of
the
API
server.
Actually,
could
we
go
back
one
real,
quick
down
at
the
bottom.
You'll
see
the
you
have
in
the
JSON.
You
have
a
set
of
conditions.
That's
an
array
of
JSON
objects,
hashes
with
an
ID,
a
type,
each
condition
as
an
ID.
Each
condition
has
a
type
and
requirement
details
that
are
specific
to
that
type
and
down
the
bottom.
We
have
the
state
of
current
network
access
being
not
permitted
so
forward
again.
O
The
user
equipment
attempts
to
satisfy
the
conditions
we
regurgitate
the
ID
that
we're
trying
to
attempting
to
satisfy,
and
we
give
back
the
satisfaction
details
in
this
case.
The
previous
one
had
been
a
terms
and
conditions
and
the
satisfaction
is
regurgitating
back
in
MD5
sum
to
prove
that
we've
looked
at
them.
O
The
the
last
two
steps
can
repeat
as
needed.
For
instance,
if
a
user
equipment
doesn't
want
to
satisfy
all
of
them
at
once.
If
they
can
only
do
two
first
of
the
five
it
can
go
through
with
the
to
the
server
the
CAPPORT
API
server
responds
with
the
same
sort
of
a
JSON
from
last
step
is
just
the
leave.
It
leaves
out
all
of
the
conditions
that
are
satisfied
and
transmitted
or
communicates
only
these.
O
The
conditions
that
have
yet
to
be
satisfied
or
the
CAPPORT
API
server
might
decide
that
it
has
reasons
you
add
requirements
on
as
it
goes
through
and
satisfies
the
as
the
user
equipment
satisfies
different
conditions
that
may
trigger
follow-on
conditions
next
and
then,
finally,
we
grant
access
this
one.
The
network
with
we
don't
have
any
conditions
left
in
this.
The
state
is
permitted.
We
have
potentially
an
expiration
date
or
the
number
of
bytes
remaining
next.
O
So
the
conditions
each
Network
as
an
array
of
conditions
for
access,
as
I
said
each
condition,
has
an
ID
I
was
thinking
of
UUID
for
that
a
type
and
then
details
of
the
condition
requirements
draft
currently
defines
a
type
for
pass
codes
and
for
terms
and
conditions
Margaret.
My
co-author
pointed
out
that
we
should
really
have
one
for
go,
get
this
URL
as
one
of
the
conditions,
but
we
definitely
need
more
that
the
the
idea
here
was
that
this
would
be
extensible.
O
If
we
do
this,
probably
once
you
get
to
an
IANA
registry
for
additional
condition
types,
if
the
user
equipment
cannot
satisfy
the
conditions
on
its
own,
it
should
open
up
a
web
browser
to
the
CAPPORT
server
URL
as
a
web
browser
and
just
give
up
on
the
the
CAPPORT
protocol
questions
I
had
on
this.
Do
we
actually
need
to
return
any
errors
in
the
conditions?
If
we
attempt
to
satisfy
a
condition-
and
it
fails,
do
should
we
return
an
error?
O
Next
terms
and
conditions
type
T&C
requirement
details,
you
can
have
a
field
named
plain
text
or
a
field
named
HTML.
Let's
just
give
the
the
verbiage
of
the
terms
and
condition
the
satisfaction
details.
You
just
take
the
MD5
sum
of
what
you
were
given
as
ways
way
to
prove
that
you've
done
some
sort
of
inspection
on
it.
I
don't
know
if
MD5
is
the
best
way
to
go
here.
O
HTML
or
both
I
was
wondering
if
both
is
just
opening
up
the
potential
for
people
to
get
it
wrong
like
what
happens,
if
only
one
of
them
is
right,
next
pass
code.
The
idea
here
is
the
is
the
hotel
that
gives
you
your
room
number
in
the
passcode,
the
Wi-Fi
password
the
requirement
details
that
excuse
me,
the
type
is
passcode
the
requirement
details
is
just
an
empty
JSON
hash
and
the
satisfaction
details.
You
say
passcode
with
the
value
of
whatever
they
give
you
next
sessions.
O
This
was
I.
Think
one
of
the
big
difference,
a
big
thing.
One
of
the
major
points
thats
at
David,
Olsen's
response
to
mine
to
the
start
document
had
different
I
was
one
of
the
was
LEDs.
They
had
had
a
call
explicitly
to
create
a
session
where,
as
my
draft
was
written,
using
the
assumption
that
the
CAPPORT
API
server
would
just
use
the
source
address
as
the
session
figuring
that
since
it's
the
network
equipment,
it
would
it
it
would
know.
O
A
A
Going
to
stop
with
a
bit
of
a
comment,
no
chair,
hat
I
observe
that
you
are
designing
a
protocol.
That's
very
much
like
the
ACME
protocol
in
some
respects,
without
some
of
the
security
requirements
would,
with
some
that's
different
characteristics,
but
it's
very
similar
in
the
central
design.
I'd
encourage
you
to
go
and
look
at
that
do
I
will
from
an
HTTP
perspective.
It
is
a
much
cleaner
design
than
what
you
have
here.
A
Obviously,
what
the
is
rough
crafting,
the
very
first
version,
but
they
have
some
significant
improvements
over
what
you
have
given
in
various
ways.
They've
also
grappled
with
some
of
the
questions
that
you're
asking.
If
so,
it
might
pay
to
even
go
and
have
a
look
at
older
versions
and
see
why
they
removed
those
things,
and
you
can
find
the
authors
of
them
that
document
here
this
week
and
I'm
sure
they'd
be
happy
to
help
you.
Thank
you.
J
Alex
Roscoe
Comcast,
so
the
RA
and
DHCP
options
I
think,
to
provide
backwards.
Compatibility
on
the
API
I
think
it'd
be
interesting
to
use
a
30
to
the
URL
in
the
302
redirect.
So
if,
for
example,
captive
portals
are
real
easy
to
change
an
update
while
routers
to
provide
the
DHCP
and
RA
option
may
come
later,
so
you
could
decouple
those
two
things
together,
so
device
could
check
the
302
redirect
URL
maybe
hit
it
with
like
a
JSON
request.
Are
you
an
API,
endpoint
and
itself
so.
D
Hi
Jim
needs.
It
seems
a
bit
odd
to
me
that
you're
using
MD5
or
suggest
the
MD5
friend,
what's
the
cryptic
community
of
sexless,
you
don't
use
it
anymore.
It's
almost
tinted,
so
wonder.
Maybe
we
need
to
think
about
having
some
mechanism
for
comedy
thing,
but
I
think
different,
secure,
hash
algorithms
and
be
able
to
have
the
flexibility
to
the
in
sweat,
see
from
shower
to
shower
or
whatever
as
to
when
the
need
arises.
D
A
A
R
O
C
O
I
had
was
that,
if
the,
if
the
user
equipment
decides
to
store
the
terms
in
terms
of
conditions
text,
it
could
preemptively
put
forth
when
it
tries
to
connect
to
the
network
that
here's
I
agree
to
these
terms
and
conditions.
And
if
the
terms
and
conditions
have
changed,
then
the
MD5
would
fail,
whereas
the
yes,
but
not
yeah,.
E
Eric
plane
yeah.
Well,
you
can
find
a
6331
I
think
for
SASL
deprecating
MD5,
but
I.
Think
I
want
to
ask
you
about
the
one
of
the
places
like
I
lost
in
the
document.
Was
the
networks
and
then
a
subset?
If
underneath
networks,
there's
a
there's
set
a
set
of
networks
and
one
of
them
is
called
default
and
I
didn't
understand
what
the
purpose
of
having
I
got
lost
in
the
purpose
of
having
multiple
networks
and
not
just
the
one
purpose.
O
There
is
if
the
captive
portals
has
multiple
networks,
that
it
guards
multiple
of
protected
networks.
If
you
have
one
that
the,
if
you
have
a
captive
portal
in
your
office,
corporate
environments,
that
has
the
walls
off
guest
access,
that
gets
you
access
to
the
internet
only
versus
corporate
access,
if
you
have
the
the
right,
username
and
password
to
get
into
it,
that's
one
of
the
thoughts
that
I'd
had
there.
So.
R
What
I
mean
the
other
one
is
when
a
hotel
will
give
you
free
access,
if
you
just
provide
your
name
and
room
number
about
they'll,
give
you
high
speed
access.
If
you
provide
payment,
information
and
yes,
I
mean
I,
guess
part
of
the
you
I
would
be
either
like
an
IOT
device
that
just
wants
limited
access
might
just
take
whatever
is
cheapest,
but
I
would
think
on
your
phone
or
whatever
you'd
want
to
pick
whether
you're
taking
the
slow
non-pay
or
the
higher
cost.
R
I
Pauly
Apple
to
that
point
I
also
find
the
hierarchy
of
networks
potentially
a
little
confusing.
It
also
seems,
like
maybe
overlap
with
PVDs-
I
don't
know,
but
I
can
c
HC
like
from,
I
think,
like
a
VPN,
I
say:
Who
I
am
I
authenticate
to
you
and
based
on
the
authentication,
I
choose
and
we
negotiate
between
us.
I
You
may
put
me
in
a
different
group
and
give
me
different
access,
so
if
we
just
have
like
authentication
options
of
like
well
really
here's
the
things
I'm
willing
to
give
you
and
then
based
on
that
I
get
dumped
into
a
different
access
pocket
on
the
captive
portal.
So
if
I
have
the
admin
credentials,
I
go
to
that,
but
the
average
user
who
has
just
the
room
number
doesn't
need
to
know
who
there's
this
admin
thing.
I
can
try
to
poke
it
and
see
what
it
does.
P
Chef
Easter
so
just
to
comment
on
desert
as
well.
So
that's
under
multiple
networks,
that's
something
that
we're
trying
to
solve
is
the
PVDs
and
that's
something
that
is
more
general
than
just
captive
portals.
The
fact
that,
even
on
a
single
link,
you
may
have
multiple
ways
of
accessing
to
the
network.
So
it
could
be.
Maybe
not
the
best
idea
to
solve
the
same
problem
twice
so
I
think
the
right
way
to
do
it
is
in
the
network
layer
so
using
RAs
and
not
as
part
of
the
captive
portal
API.
P
A
And
so
we're
almost
done
as
well
on
the
time
Carl
did
you
have
any
very
short
summary
that
you
want
to
share
the
slides
are
up
here.
Kyle
was
going
to
present
time
permitting,
but
we
were
having
such
a
good
discussion
on
the
other
things.
I
think
it
was
probably
time
better
spent
on
on
those
just
spend
a
couple
of
minutes
and
sort
of
explain
what
you
did.
N
So
when
I,
this
bunch
of
people
in
this
room
actually
were
at
the
hackathon
working
on
this.
So
essentially
we
had
a
couple
laptops
wired
together
and
we
put
together
an
API
server
and
puts
ICMP
stuff,
a
client,
ICMP
stuff
in
the
captive
portal
and
made
so
that
when
you
connect
you
pretty
much,
you
know
the
instant
you
try
to
do
something
you
automatically
log
in
and
then
you
have
network
access,
so
we
implemented
the
ICMP
on
the
client
can
be
on
the
captive
portal.
N
We
implemented
something
kind
of
like
the
captive
portal
API
to
describe
the
draft,
not
quite
on
the
server
itself.
Sorry,
on
the
con,
the
cap
enforcement
device
itself,
we
did
some
tcpdump
and
Wireshark
work
to
dissect
to
the
captive
portal
ICMP
enhancements
and
I
think
we
also
implemented
up
in
plenty
in
the
DHCP
server
side
stuff,
but
never
got
have
really
tested
it
because
the
client
side
stuff
wasn't
done,
but
no
it
worked
and
it
was.
It
was
actually
not
that
hard
to
do
raw
sockets
made
it
pretty
easy
to
do
in
Linux.
N
A
Thanks
con
and
thanks
everyone,
how
has
everyone
signed?
The
blue
sheets?
I
have
a
copy
down
here,
but
this
meeting
is
adjourned.
Thank
you.