IETF
capport
capport@jabber.ietf.org
Wednesday, July 22, 2015

GMT+0
[10:10:10] ilari.liusvaara joins the room
[13:31:33] hildjj joins the room
[13:52:32] Russ Mundy joins the room
[13:53:12] Sircan ss joins the room
[13:54:15] <Russ Mundy> sound & slides are good but no people video on meetecho
[13:54:28] Martin Thomson joins the room
[13:54:43] Wes George joins the room
[13:54:43] <Martin Thomson> I have a different acronym
[13:54:45] Barry Leiba joins the room
[13:54:50] <Martin Thomson> but it's a really bad one
[13:54:52] bortzmeyer joins the room
[13:54:55] DanYork joins the room
[13:55:00] <Wes George> I'll be jabber scribing, anyone remote?
[13:55:13] <Martin Thomson> I know that Ilari is
[13:55:32] <Russ Mundy> yup - in sykesville md, usa
[13:55:37] <Wes George> ok, audio/video check?
[13:56:13] <Russ Mundy> audio is okay - slides are there but not people
[13:56:36] whatdafuq joins the room
[13:56:37] <Russ Mundy> ie, no speaker video frame
[13:56:39] <Wes George> ok
[13:57:36] <ilari.liusvaara> Opus audio stream sounds ok.
[13:59:00] Ted Lemon joins the room
[14:00:04] Paolo Saviano joins the room
[14:00:45] Andrew Sullivan joins the room
[14:01:04] mnot joins the room
[14:01:28] <mnot> More information: https://github.com/httpwg/wiki/wiki/Captive-Portals
[14:02:34] Meetecho joins the room
[14:04:59] Michael Richardson joins the room
[14:05:18] mcr2 joins the room
[14:05:49] whatdafuq leaves the room: Replaced by new connection
[14:05:57] whatdafuq joins the room
[14:06:04] <Ted Lemon> doesn't Android already block app access prior to authentication?
[14:06:29] wseltzer joins the room
[14:06:30] <Wes George> dunno. the VPN case is only relevant for me on the laptop
[14:08:44] <mcr2> "motivation"--- total and often wilful ignorance.
[14:08:44] <bortzmeyer> "because they suck"
[14:08:49] <Russ Mundy> @Wes: vpn for 'phone' type devices is perhaps even more important than laptops since there is normally more control available in laptop
[14:09:29] <Ted Lemon> It's indeed not a simple problem.   It requires a coordinated set of requirements for various protocols, including DHCP, DNS and HTTPS
[14:09:43] James Gould joins the room
[14:09:55] <mcr2> There seem to be a few (two) people on the list from some vendors.
[14:11:20] James Gould leaves the room
[14:11:21] <mnot> Working for a particular company doesn't mean you have ownership of or input to the relevant product...
[14:11:41] <Wes George> true, but you have a better chance of finding someone who does
[14:12:00] Patrik Wallstrom joins the room
[14:12:42] <Ted Lemon> It's worth noting that captive portals that deliberately prevent detection are not captive portals end-users ought to be communicating with. They are operated by criminals.
[14:12:54] <Ted Lemon> Most captive portals _do not_ do this.
[14:13:01] <Wes George> ted, mic?
[14:13:10] <Michael Richardson> hummmmm
[14:13:11] <Russ Mundy> hummmmm
[14:13:17] <Ted Lemon> hummmmm
[14:13:18] <Michael Richardson> I have ideas.
[14:13:30] <mcr2> I'm not finding much in the way of useful google hits for "Hotspot 2.0"....
[14:13:32] <mcr2> http://a030f85c1e25003d7609-b98377aee968aad08453374eb1df3398.r40.cf2.rackcdn.com/wp/wp-hotspot-2.0.pdf
[14:13:36] <Ted Lemon> Wes, it might be worth mentioning at the mic, although the conversation is moving fast.
[14:13:53] Wes George leaves the room
[14:14:05] Ted.h joins the room
[14:14:11] mnot leaves the room: Disconnected: closed
[14:14:41] <mcr2> wow, so we have a lot of implementers... 3x the number I expected. WOW. AWESOME. More than Homenet!
[14:14:48] <Ted Lemon> heh
[14:16:13] <mcr2> the "incentive" is that they will continue to have "customers" after HTTPS everywhere.
[14:17:09] Wes George joins the room
[14:17:11] <Ted.h> Hmm, I have no facebook account.  Will they accept g+?
[14:17:16] <wseltzer> and then they wonder why so many fakesters "like" them
[14:17:19] <Ted.h> (Sort of like having a discover card, I guess)
[14:17:28] <Wes George> sorry, jabber went kaboom for me
[14:17:32] <Wes George> erik kline at mic
[14:17:42] <Wes George> ted, did I miss anything you want relayed?
[14:17:50] <Ted.h> I'm in the room Wes, thanks
[14:18:08] mnot joins the room
[14:18:14] <Ted Lemon> I'm debating how to interject into this rather quickly moving conversation.   I'll let you know, but for not, no.   Thanks!
[14:18:23] <Wes George> ok
[14:18:24] <Ted Lemon> for now, not for not
[14:18:25] <mcr2> Ted.h, at least, if we succeed, you'd know at the network layer, that you should avoid that DHCP server as that network required facebook, and you'd stick to 3G, or something.
[14:18:32] whatdafuq leaves the room
[14:18:35] <Ted Lemon> Hm, Ted.h is MITMing me!
[14:18:52] <Ted.h> @Ted Lemon, I thought he multicast the question.
[14:19:02] <Ted Lemon> Suresure.   :)
[14:19:21] <bortzmeyer> [Relaying Twitter...] "2 SSIDs : One open and dedicated to registration, the other one is 802.1X protected?"
[14:20:44] whatdafuq joins the room
[14:21:43] <mcr2> Thank you Dave, that is a really really valuable observation. and the solutions might even be similar.
[14:22:20] mnot leaves the room: Disconnected: Replaced by new connection
[14:22:39] mnot joins the room
[14:23:21] whatdafuq leaves the room
[14:24:45] lhedstrom joins the room
[14:24:59] <Ted Lemon> Marlboro College has a captive portal that sends you email and asks you to confirm _after_ you have connectivity.
[14:25:37] Paolo Saviano leaves the room
[14:25:55] aaron joins the room
[14:26:56] <mcr2> Ted Lemon, much of the municipal wifi (i.e. "ogwifi.ca", and "ilesansfil" in Montreal), do exactly that, but they give you a small amount of time (<30min) to get your email.
[14:27:42] <mcr2> is that wifidog?
[14:28:06] Guillermo Cicileo joins the room
[14:28:21] <DanYork> There is an open source implementation of a captive portal?
[14:28:43] <mcr2> https://github.com/wifidog
[14:28:45] <Ted Lemon> Dunno.
[14:28:49] <Ted Lemon> Could well be.
[14:29:01] <Ted Lemon> I'm sure it's some open source thing.   They only give you ten minutes.
[14:29:21] Guillermo Cicileo leaves the room
[14:29:34] <DanYork> "What does success look like?"
[14:29:50] <mcr2> last I looked, (and was about to be hired to work on) http://www.ilesansfil.org/, it was wifidog.
[14:29:53] <ilari.liusvaara> I have hit a captive portal that asks one to prove one's identity (actually, a legal requirement). It spans multiple sites, including some banking sites (for identification). Afterwards it went away semi-permanently. And connection was wired.
[14:30:04] whatdafuq joins the room
[14:30:05] <Ted.h> From what Warren said, it fits in a wallet and folds nicely, and gets shared out between the network owner and the OS vendor.
[14:30:21] mnot leaves the room: Disconnected: closed
[14:30:24] <Ted.h> Or maybe that was Dave ("everybody can get paid")
[14:30:29] <Ted Lemon> mic: I think success looks like explaining what needs to be done to make a captive portal that we think is secure and implementable, and whatever supporting docs are required to make it work.   I think bad actor CP implementors are out of scope.
[14:30:35] Dan Wing joins the room
[14:30:37] <ilari.liusvaara> (It also didn't work very well, but one could reach the portal from outside, that worked much better).
[14:30:41] <Wes George> ack
[14:30:59] <mcr2> mic: success for me is having a taxonomy of captive portal techniques, a security considerations for each method.  That would be enough for now, because if that's as far as we get, then we can apply Dan Harkins' method.
[14:31:00] Andrew Sullivan joins the room
[14:31:19] <Wes George> whois mcr2
[14:31:20] <Ted Lemon> that would certainly be a good start, but I'd like to go a wee bit farther.
[14:31:25] <Ted Lemon> Michael Richardson
[14:31:27] <Wes George> k
[14:31:34] whatdafuq leaves the room: Replaced by new connection
[14:31:34] <Patrik Wallstrom> https://github.com/nodogsplash/nodogsplash and http://www.coova.org/ are two other examples
[14:31:35] whatdafuq joins the room
[14:31:47] <mcr2> mic: more success is having advice (in DHCP and RA) that says, "this is a captive portal of type FOO"
[14:31:47] Andrew Sullivan leaves the room
[14:31:53] <mcr2> mcr2 = Michael Richardson.
[14:33:37] <Ted Lemon> mic: by "bad actors" I mean operators who do things that compromise the end user's security in order to get them to access the net.
[14:33:55] <Wes George> ted, fwiw, we're about 7 deep on the mic line
[14:33:56] mnot joins the room
[14:34:00] <Ted Lemon> heh
[14:34:00] <Wes George> dan will proxy in a few people
[14:34:05] <Ted Lemon> you are my hero, Wes.
[14:34:10] <DanYork> I'm in line to relay
[14:34:19] <mcr2> mic: but, I do want my phone to decide whether or not it should leave 3G for a better service... or not.  We might even want advice in the 1x process... my understanding is that there are huge incentives to do 3G offload to wifi
[14:34:19] <Ted Lemon> wow, multi-path!
[14:34:55] <Ted Lemon> Michael, I think Android does the right thing there.
[14:35:25] Jason Livingood joins the room
[14:35:30] <Wes George> michael, sounds like warren just covered your comment
[14:35:40] <mcr2> Ted, but, actually it doesn't work that well.. It can sometimes figure out that the wifi is useless, but it can't figure out the half-case.
[14:35:47] <mcr2> Wes, yes.
[14:35:55] Ted.h leaves the room
[14:36:39] <Ted Lemon> A ToS click-through ought to be easy.
[14:36:41] <DanYork> mcr2 and Ted Lemon - i will relay
[14:37:00] <mcr2> Dan, Warren covered my point.
[14:37:54] <DanYork> ok
[14:38:21] <DanYork> ted - still valid? mic: by "bad actors" I mean operators who do things that compromise the end user's security in order to get them to access the net.
[14:38:26] <Jason Livingood> As an aside I touched on some of the downsides of CPs in some use cases at https://tools.ietf.org/html/rfc6108#section-12
[14:39:01] <mcr2> "This site uses legacy 32-bit addresses"
[14:39:39] <Jason Livingood> +1 at the mic — not all devices have user interfaces where you can show a message
[14:42:01] <mcr2> +1 --- we actually need the ESSID announcement to tell us something about what is behind.
[14:42:07] <Andrew Sullivan> I still don't see how the straw charter doesn't have the problem that the previous efforts to define these mechanisms all failed to get big uptake
[14:42:17] <mcr2> that's where the taxonomy has value on its own.
[14:42:23] <DanYork> ANYONE REMOTE WANT ANYTHING RELAYED?  (almost to mic)
[14:42:39] <mcr2> Dan, if I do, I'll mic:
[14:43:51] <Wes George> Andrew, I think it's a matter of making it available. not fixing it because we don't know it'll get deployed isn't the right thing
[14:44:31] <Wes George> IOW, "dear capport vendors and operators, if you'd like to demonstrate that you don't hate your customers, and want them to have a better experience, here's how"
[14:45:03] <Andrew Sullivan> Well, right, but there's real cost to the IETF in spinning up a WG, producing docs, and so on, and if there's no reason to suppose, "This time, for sure," we should find something more likely to succeed
[14:45:35] <Andrew Sullivan> I think these remarks at the mic right now are a big help
[14:45:39] <mcr2> Andrew: can you tell me what these previous efforts are, and how many were pay-to-participate industry "consortia"?
[14:45:51] <Wes George> well there's also the elephant in the room that many of the problems with open wifi of the type that uses capport likely also has lots of other problems (crappy design, dimensioning, lack of ipv6, etc)
[14:46:10] <Ted Lemon> mic: I don't think we want to compete with eduroam.   I want the CP in the local hospital to work right.   Automated logins are for big operator networks, not small CP setups.
[14:46:15] <DanYork> ok
[14:46:49] <Andrew Sullivan> @Wes: well, yeah, but if we're going to set up the STOPEVIL WG, we're gonna need a longer charter ;-)
[14:46:53] <mcr2> Ted: an automated login means that when you return to the coffee shop that you were at this morning, you get back online.
[14:47:09] <Wes George> andrew, I'd rather spend my "cost" in the IETF doing something like this than some other efforts I could name. Lack of deployment prospects has never stopped the IETF before, why should it now?
[14:47:11] <Ted Lemon> sure
[14:47:25] <Ted Lemon> :)
[14:47:44] <Ted Lemon> thanks, Dan!
[14:48:25] <mcr2> but, it's okay if the non-automated login portals say, "I'm a non-automated login"
[14:48:27] aaron leaves the room
[14:49:18] <Andrew Sullivan> @mcr2: I don't know how many of them were pay to play.  At the opening we heard about a couple such things, however.
[14:50:26] <Andrew Sullivan> @Wes: ok, but I'm just saying that there've been other efforts, they haven't succeeded, and it's just a waste of time to tackle this if we don't know what is impeding deployment already
[14:50:39] <Andrew Sullivan> since for all we know the other things already do everything we want
[14:51:17] <Wes George> fair enough
[14:54:29] <DanYork> I do think we need to scope this work appropriately
[14:54:34] Paolo Saviano joins the room
[14:55:11] <Jason Livingood> @DanYork - strongly agree
[14:55:47] <Wes George> yes. though what the IETF has learned about making ungefukt wifi networks should probably be documented too :-)
[14:56:50] <mcr2> noting that this state is similar to a walled garden.
[14:57:03] <Wes George> so, isn't "I have an IP but no default route" that sort of attached but not connected?
[14:57:06] <bortzmeyer> We don't have a Working Group and there is already IPR :-( http://www.dailywireless.org/2004/01/27/nomadix-claims-redirect-patent/
[14:58:16] <Dan Wing> lots of mic discussions around Observed Behaviors.  Should expand https://github.com/httpwg/wiki/wiki/Captive-Portals to include those?
[14:58:16] mmani joins the room
[14:58:18] Ted.h joins the room
[14:58:24] aaron joins the room
[14:58:26] <mcr2> Wes, one might need more than a link-route to get to the captive portal.
[14:58:58] <DanYork> Wes George: but is that how CPs handle connected devices?  They might give an IP and default route but then block traffic.
[14:59:04] bortzmeyer leaves the room: Replaced by new connection
[14:59:04] <mcr2> Wes, and DHCPv4 doesn't let us provide an address without a default route....
[14:59:05] <Jason Livingood> @bortzmeyer I suspect there is a great deal of prior art
[14:59:06] bortzmeyer joins the room
[14:59:12] whatdafuq leaves the room
[14:59:21] <Wes George> right, but it's a useful incremental step to let the OS behave better before all of the protocol stuff is implemented
[14:59:39] <Wes George> @mcr2 perhaps DHCPv4 isn't what we want to be optimizing for here ;-)
[14:59:59] <DanYork> Dan wing: Ah, nice wiki!  Thanks for sharing the linke
[15:00:06] <DanYork> s/linke/link/
[15:00:13] <Ted Lemon> That's a 1999 patent, so presumably it dies pretty soon.
[15:00:17] <mcr2> Wes, agreed. cf above: "This site uses legacy 32-bit addresses"
[15:01:00] <Ted Lemon> Also, I suspect that Warren's dhcp-capport mechanism doesn't infringe.
[15:01:35] <Ted Lemon> Indeed, the presence of this patent might provide an incentive for people to implement our solution, should we provide one.
[15:01:47] <mcr2> and operating systems, or systems, where a browser (and a user to interact with the browser) are unavailable, will stick to their 3G...
[15:01:59] aaron leaves the room
[15:02:08] <mcr2> so for instance, my phone might not attempt to switch to wifi until it comes out of my box, and the screen goes on.
[15:02:14] <Wes George> dan york, some do. some give an address with a very short lease, some manage it by not allowing NAT outbound except to their chosen site/port
[15:03:42] <Ted.h> There's a list in the Apple one, I think, and those are all allowed.  
[15:03:53] <Wes George> Andrew, I think probably the limiting factor is the same reason that networks suck generally - they haven't been continually updated as the technology changes
[15:03:54] <mcr2> TLS_OBIWAN_DROIDS_NOTIFY
[15:04:55] <Ted.h> "If only they had set the ravish-me bits, I wouldn't have had to molest them"?
[15:05:07] <Ted Lemon> Yup.
[15:06:27] <Jason Livingood> Folks are reading a lot into what CP implementers want - e.g. facebook IDs, etc. But some CP needs may be things like "sorry you have not paid your bill in 6 months, click here to pay to re-enable service" or "hey, you are DDoSing the network right now" etc. Large range of use cases - don't assume all CP uses are evil
[15:06:52] <Ted Lemon> It's not evil to want to pop up a web page.   It's evil to want to violate your security.
[15:06:56] <Ted.h> You could say those same things to an incognito page, Jason.
[15:06:57] <mcr2> Jason, it's a good point, and solving the 80% case is a good point.
[15:07:23] <Jason Livingood> @Ted, agree re incognito
[15:08:19] <mcr2> mic: and on the topic of taxonomy, that's how BEHAVE ultimately worked out.
[15:08:20] <Ted Lemon> hummmmm
[15:08:24] <mcr2> hummmM!
[15:08:25] <Russ Mundy> hummmmm
[15:08:30] <Patrik Wallstrom> hummmmm
[15:09:11] <Wes George> Jason, true but in a lot of cases that use is quite a lot different (all devices behind a given network vs a single user)
[15:09:34] <Wes George> and other methods exist for sandboxing those
[15:10:38] <mcr2> mic: the fastest we can go is to not finish the technical work before we finish the taxonomy.  I see no reason to limit when we start work if we have energy available.
[15:10:50] <mcr2> s/technical/protocol/
[15:10:58] Carlos M. Martinez joins the room
[15:11:45] Sircan ss leaves the room
[15:11:55] whatdafuq joins the room
[15:13:51] aaron joins the room
[15:15:39] <Patrik Wallstrom> (I think the Meetecho stream is missing the left six characters of the slide, alignment problem)
[15:15:49] whatdafuq leaves the room
[15:15:53] whatdafuq joins the room
[15:16:35] Dave Thaler joins the room
[15:16:46] <Carlos M. Martinez> regarding my earlier mention of skype wifi
[15:16:48] <Carlos M. Martinez> http://wifi.skype.com/?tab%5Bid%5D=osxTab&tab%5Bpreselected%5D=true
[15:17:02] <Carlos M. Martinez> really, i've used it and it feels almost like warren's definition of success
[15:17:15] resnick joins the room
[15:17:21] <Carlos M. Martinez> maybe it's a place to start looking for something that works right
[15:17:31] <Dave Thaler> Dan Wing, what was the link again?
[15:17:47] resnick leaves the room
[15:17:47] DanYork leaves the room
[15:18:40] <Wes George> lots of mic discussions around Observed Behaviors.  Should expand [ https://github.com/httpwg/wiki/wiki/Captive-Portals ] to include those?
[15:18:54] Ted.h leaves the room
[15:18:57] aaron leaves the room
[15:18:59] whatdafuq leaves the room
[15:19:05] <Wes George> session ends
[15:19:06] mnot leaves the room: Disconnected: closed
[15:19:08] Wes George leaves the room
[15:19:09] <Ted Lemon> Thanks Wes, Dan, chairs, etc!
[15:19:12] hildjj joins the room
[15:19:14] Carlos M. Martinez leaves the room
[15:19:18] <mcr2> thank you.
[15:19:21] Paolo Saviano leaves the room
[15:19:23] hildjj leaves the room
[15:19:31] Barry Leiba leaves the room
[15:19:34] Michael Richardson leaves the room
[15:19:45] Patrik Wallstrom leaves the room
[15:19:48] ilari.liusvaara leaves the room: offline
[15:19:53] Russ Mundy leaves the room
[15:19:53] Andrew Sullivan leaves the room
[15:19:53] Jason Livingood leaves the room
[15:19:53] hildjj leaves the room
[15:19:59] Martin Thomson leaves the room
[15:20:45] Dan Wing leaves the room
[15:22:09] mmani leaves the room
[15:23:24] Meetecho leaves the room
[15:23:54] lhedstrom leaves the room
[15:24:15] Ted Lemon leaves the room
[15:25:12] whatdafuq joins the room
[15:25:18] <mcr2> that Skype WIFI is nice, but I can't find any technical details.
[15:27:07] whatdafuq leaves the room
[15:29:18] hildjj joins the room
[15:29:40] whatdafuq joins the room
[15:30:34] Jason Livingood joins the room
[15:31:06] whatdafuq leaves the room
[15:32:23] hildjj leaves the room
[15:32:27] hildjj joins the room
[15:34:30] whatdafuq joins the room
[15:35:53] Dave Thaler leaves the room
[15:35:59] whatdafuq leaves the room
[15:36:39] bortzmeyer leaves the room
[15:37:07] Ted.h joins the room
[15:37:53] wseltzer leaves the room
[15:37:58] Ted.h leaves the room
[15:38:39] hildjj joins the room
[15:40:53] Jason Livingood leaves the room
[15:41:15] aaron joins the room
[15:41:23] hildjj leaves the room
[15:41:30] Jason Livingood joins the room
[15:42:02] Ted.h joins the room
[15:42:16] Ted.h leaves the room
[15:43:15] DanYork joins the room
[15:45:13] mnot joins the room
[15:45:16] DanYork leaves the room
[15:45:29] whatdafuq joins the room
[15:45:31] aaron leaves the room
[15:45:58] whatdafuq leaves the room
[15:46:53] hildjj leaves the room
[15:47:07] mnot leaves the room: Disconnected: closed
[15:47:18] bortzmeyer joins the room
[15:49:52] mnot joins the room
[15:51:17] Jason Livingood leaves the room
[15:51:28] Carlos M. Martinez joins the room
[15:52:08] hildjj joins the room
[15:52:13] mnot leaves the room
[15:53:47] Martin Thomson joins the room
[15:56:09] Carlos M. Martinez leaves the room
[15:56:36] hildjj joins the room
[15:56:53] hildjj leaves the room
[15:57:53] mnot joins the room
[16:01:23] hildjj leaves the room
[16:07:49] Dave Thaler joins the room
[16:07:57] Dave Thaler leaves the room
[16:10:36] wseltzer joins the room
[16:18:42] Martin Thomson leaves the room
[16:20:03] Martin Thomson joins the room
[16:27:08] Martin Thomson leaves the room
[16:28:34] Martin Thomson joins the room
[16:42:53] wseltzer leaves the room
[16:50:10] wseltzer joins the room
[16:55:06] mnot leaves the room
[17:34:54] wseltzer leaves the room
[17:35:32] wseltzer joins the room
[17:36:32] bortzmeyer leaves the room
[17:41:09] Martin Thomson leaves the room
[18:04:24] wseltzer leaves the room
[18:12:04] wseltzer joins the room
[18:24:02] bortzmeyer joins the room
[18:24:25] wseltzer joins the room
[18:28:54] wseltzer leaves the room
[18:29:02] mnot joins the room
[18:32:50] Martin Thomson joins the room
[18:42:25] wseltzer leaves the room
[20:07:08] Martin Thomson leaves the room
[20:07:31] mnot leaves the room
[20:16:36] mnot joins the room
[20:19:23] mnot leaves the room
[21:46:07] bortzmeyer leaves the room