IETF
capport
capport@jabber.ietf.org
Tuesday, April 5, 2016

GMT+0
[08:52:02] alex joins the room
[08:52:10] alex leaves the room
[20:25:07] Meetecho joins the room
[20:37:24] Mariko Kobayashi joins the room
[20:38:04] Yoav Nir joins the room
[20:38:27] Valentin Gosu joins the room
[20:39:38] Yoav Nir has set the subject to: IETF 95 - CAPPORT - https://tools.ietf.org/wg/capport/agenda
[20:39:45] Dale Carder joins the room
[20:40:17] Mark Donnelly joins the room
[20:41:08] Michael Richardson joins the room
[20:41:08] Michael Breuer joins the room
[20:41:34] mcr2 joins the room
[20:41:47] DanYork joins the room
[20:41:50] <mcr2> "THY" IPR. Slash.
[20:42:15] Caciano Mchado joins the room
[20:43:15] David Bird joins the room
[20:43:15] Martin Thomson joins the room
[20:43:19] Valentin Gosu leaves the room
[20:43:26] <mcr2> do you have bier, or beer?
[20:43:40] <mcr2> LOL on red button.
[20:43:50] Tony Hansen joins the room
[20:43:56] Douglas Stamper joins the room
[20:43:57] <Mark Donnelly> I'll be the Jabber relay for the session.  If you want me to say anything at the microphone, please prefix your message with MIC:
[20:44:13] Valentin Gosu joins the room
[20:46:01] Hiroyuki Goto joins the room
[20:46:29] Barry Leiba joins the room
[20:46:44] Michael Breuer leaves the room
[20:47:33] Michael Breuer joins the room
[20:52:23] Matias Charriere joins the room
[20:53:29] Mariko Kobayashi leaves the room
[20:53:46] Mariko Kobayashi joins the room
[20:54:05] Hiroyuki Goto leaves the room
[20:54:21] Hiroyuki Goto joins the room
[20:56:28] Alex Deacon joins the room
[20:57:20] Mariko Kobayashi leaves the room
[20:57:50] Mariko Kobayashi joins the room
[20:57:54] Alex Deacon leaves the room
[20:58:08] Mike Bishop joins the room
[21:00:19] jch joins the room
[21:01:08] <Michael Richardson> s/Evil bit/Eyeball bit/
[21:02:04] Dan Wing joins the room
[21:06:46] <mcr2> mic: I think that we can avoid the arms-race.
[21:07:12] <mcr2> mic: some of this happens at NANOG, but I suggest we look at the hospitality industry conferences.
[21:08:00] mcr2 is now known as mcr
[21:08:08] <mcr> I am Michael Richardson, btw.
[21:09:51] <mcr> I suggest that Stuart present at NANOG to refine presentation. I think that we should exploit our Hilton relationship to find out where our Hilton managers would go for info.
[21:10:06] <mcr> (that's not for the mic, but for the minutes...)
[21:11:31] Alan DeKok joins the room
[21:11:39] <mcr> Dan Wing: how can we get the product managers from those 6 cisco groups in this room?  Are you part of one of those groups?
[21:11:45] <Valentin Gosu> I think it makes sense to target the 90% of captive portals that are willing to play nice with everyone, and not the ones which do bad stuff
[21:11:59] <mcr> +1 Valentin Gosu
[21:12:08] kivinen joins the room
[21:16:00] <Dan Wing> said at the mic:  I'm just an engineer.  I have corralled a bunch of the engineers internally, but we don't have a direction to go yet.
[21:16:34] Hiroyuki Goto leaves the room
[21:16:38] Dan Wing joins the room
[21:16:46] Hiroyuki Goto joins the room
[21:17:23] <Yoav Nir> At Check Point we also have one captive portal. But we don't try to evade detection. I asked the engineers there last week, but they couldn't think of a reason why anyone would want that.
[21:17:24] Dan Wing leaves the room
[21:18:06] <Yoav Nir> The only thing we could come up with was that the captive browser is limited. You can't even count on it running javascript.
[21:19:03] <Michael Richardson> good point...
[21:19:07] <Michael Richardson> (not for mic)
[21:19:24] <Yoav Nir> Our captive portal just asks for a username and a password and then prints "access granted". Others who want a more nice portal might find this limiting
[21:21:45] Mike Bishop leaves the room
[21:22:26] Mike Bishop joins the room
[21:22:55] <Yoav Nir> OTOH the captive portal at my hotel this time is really bad.
[21:23:44] Dan Wing leaves the room
[21:23:57] Dan Wing joins the room
[21:24:10] <Yoav Nir> It didn't trigger the OS detection on any of my devices (Windows 7, Windows 10 Mobile, Mac OS). Typing "www.ietf.org" in the browser didn't help - got a blank screen. Only typing "http://10.10.10.10" finally convinced it to redirect.
[21:25:34] <Dan Wing> Yoav, I bet your hotel's captive portal caused that all-important WiFi "pie" to display. That is biggest reason I have seen for portals to evade OS detection.
[21:25:44] Mike Bishop leaves the room
[21:26:00] Mike Bishop joins the room
[21:26:01] <Yoav Nir> If only we could get that vendor in the room and ask them stuff...
[21:26:21] <Michael Richardson> Dan, what's the wifi pie?
[21:26:36] <Dan Wing> 8C000B9D-0969-438B-A89E-66ABDB762388-17588-0000B3F6D4EEEB41
[21:26:40] <Dan Wing> arg.
[21:27:21] <Dan Wing> https://maxcdn.icons8.com/Share/google/w/wifi.png
[21:28:02] <jch> Dan, could you please clarify why displaying the "pie" is a reason for portals to evade OS detection?
[21:28:15] <mcr> yeah, okay, I get the image, I didn't understand how that lets it evade.
[21:28:41] <Yoav Nir> Yeah, they *can* show a basic image like that in the portal
[21:28:45] <Mike Bishop> mic:  Someone from Comcast may know WFA situations better than I.  Hotspot 2.0 R2 seems to define a lot of the purchase/T&C/etc. flow and transfer to full network access.  How much of this is already solved and the problem is deployment?
[21:29:13] <Alan DeKok> I see hotspot 2.0 rolling out now.
[21:29:56] <Mike Bishop> IIRC, R1 assumed you already had credentials and was just for roaming (i.e. cell phones), while R2 provided a sign-up / payment / consent to T&C path to acquire credentials in the first place.
[21:30:12] <Dan Wing> I'll write it up and get it into Mark's I-D (or the Wiki, I forget which is canonical now.)  Basic reason to evade OS's captive portal detection is so the human sees the WiFi pie, and knows there is WiFi (just like advertised on the restaurant's front door, for example).
[21:30:19] Caciano Mchado leaves the room
[21:30:19] <Mark Donnelly> There are two people ahead of Mike's comment at the mic line right now - I'm there, but it will take a minute to get to the head of the line
[21:30:35] Caciano Machado joins the room
[21:31:03] <Dan Wing> we (IETF) need to explain how Hotspot 2.0 does not resolve the world's captive portal problems.  (That question came up within my company, too.)
[21:33:34] <David Bird> One thing HS 2.0R2 doesn't solve is the non-service-interrupting messaging. It has Remediation, but that takes you off-network.
[21:33:40] Dale Carder leaves the room
[21:34:00] <mcr> Alan DeKok: do you have a non-marketing technical explanation of Hotspot 2.0 R2?   Is it about getting appropriate EAP/TLS credentials into mobile devices?
[21:34:11] <Alan DeKok> I'll send something offline
[21:34:29] <mcr> yeah, a good write up to the list would be great.
[21:34:30] <Mike Bishop> Yes, that helps a bit.  I'm interested to see Dan's write-up.
[21:35:19] <Mike Bishop> mcr:  Short form, HS2.0 defines how you use 802.11u to detect networks that you can roam to with credentials you already have, or networks that might enable you to purchase such credentials.
[21:37:12] <Valentin Gosu> I expect CP operators would be willing to cooperate, because if they had a clear signaling mechanism they wouldn't need to intercept HTTPS (which is bad for both parties)
[21:37:32] <Mark Donnelly> Do you want that on the MIC?
[21:37:49] <jch> Valentin, that deserves mic IMHO.
[21:37:59] <Valentin Gosu> yes please
[21:38:03] <Dan Wing> Valentin: Agreed.  Ubiquitous HTTPS changes things considerably.
[21:40:45] <Yoav Nir> I think ubiquitous HTTPS is what killed the detection at my hotel.  Typing "www.ietf.org" got converted to "https://www.ietf.org". Just the numerical URL was first tried as HTTP
[21:41:32] <Barry Leiba> HSTS and captive portals are definitely a current problem.
[21:41:48] <Barry Leiba> Yoav, are you using the HTTP Everywhere extension?
[21:41:58] <Barry Leiba> HTTPS Everywhere, I mean.
[21:42:05] Jonathan Lennox joins the room
[21:42:07] <Yoav Nir> Not on any device
[21:45:18] Caciano Machado leaves the room
[21:46:30] Caciano Machado joins the room
[21:47:26] Barry Leiba leaves the room
[21:47:51] Barry Leiba joins the room
[21:48:30] <Alan DeKok> The cheaper and more ubiquitous the end device, the worse the implementation
[21:48:41] <Alan DeKok> I'll second the comment about bad captive portal implementations
[21:49:05] <jch> (Not necessarily, you can buy expensive and badly implemented devices.)
[21:49:32] <Alan DeKok> that's true, too
[21:50:25] <Mark Donnelly> As a reminder, if you want anything to be said at the microphone, please prefix your comment with "MIC:"
[21:50:41] Caciano Machado leaves the room
[21:50:54] <Yoav Nir> But those cheap and ubiquitous end devices usually run Android. So do they ship their own captive portal detection, or do they ship detection code written by Google?
[21:51:48] <Alan DeKok> not sure... but it's not just the end devices.  cheap captive portals are "inventive" with their interpretation of standards
[21:52:45] <Yoav Nir> Right, the web development cycle:  1. Write the code.   2. Test it with IE6.   3. Ship
[21:52:55] <jch> Alan DeKok: don't the cheapest devices just run ChilliSpot with cosmetic modifications?  ChilliSpot is pretty decent, no?
[21:53:12] Mike Bishop2 joins the room
[21:53:15] Caciano Machado joins the room
[21:53:35] Mike Bishop leaves the room
[21:53:41] <Alan DeKok> chillispot hasn't been maintained for years.  Coova is newer, but since David Bird moved to google, there's been less development
[21:54:11] <Alan DeKok> i.e. the open source captive portal implementations are largely dead.  i.e. what people use is old, insecure, and unsupported
[21:54:12] <David Bird> :)
[21:54:48] <Alan DeKok> MIC: what about deployment time frames?  with 100's of 1000's of captive portals, are we doing the work of Sisyphus here?
[21:55:16] <David Bird> I think solving the HTTPS issue is a priority for the group.
[21:55:21] <Alan DeKok> yes
[21:56:18] <jch> I see, thanks.
[21:57:20] <Yoav Nir> @Alan: It's worse than that. Remember shell-shock? A bug in home router code that was fixed in 2004 was still present in routers being shipped in 2014.  Even if we can predict that all software is fixed tomorrow and all captive portals are replaced within the next 5 years we'll still have bad stuff out there years from now.
[21:57:45] <David Bird> A CP NAS has limited options for HTTPS (or, anything non-port-80). It can drop, ICMP reject, TCP RST, or try to hijack. I think a simple solution is a new Destination Unreachable subtype for captive portal prohibited.
[21:58:08] <Alan DeKok> @yoav yes :(  But I don't think this is the work of Sisyphus.  If we create (and deploy) something useful, it will embarrass others into using it
[21:58:26] <David Bird> ICMP + DHCP URL option can solve the HTTPS issue.
[21:59:07] <jch> Why ICMP?
[21:59:47] <David Bird> Already used to indicate other "drops" ... http://www.networksorcery.com/enp/protocol/icmp/msg3.htm
[21:59:49] <Caciano Machado> DHCP URL -> RFC 7710, and ICMP -> draft-wkumari-capport-icmp-unreach-01
[21:59:51] <Alan DeKok> ICMP type 451: administratively prohibited?  (yes, I know ICMP types are 8 bits...)
[22:00:33] <jch> Caciano, ty.
[22:01:22] Yoav Nir leaves the room
[22:01:35] Barry Leiba leaves the room
[22:01:48] Meetecho leaves the room
[22:01:48] Caciano Machado leaves the room
[22:02:20] Douglas Stamper leaves the room
[22:02:20] Alan DeKok leaves the room
[22:02:26] Mike Bishop2 leaves the room
[22:02:51] Valentin Gosu leaves the room
[22:03:01] Hiroyuki Goto leaves the room
[22:03:41] David Bird leaves the room
[22:03:43] Martin Thomson leaves the room
[22:03:46] Tony Hansen leaves the room
[22:03:48] Dan Wing leaves the room
[22:03:52] kivinen leaves the room
[22:03:57] Matias Charriere leaves the room
[22:03:57] Mariko Kobayashi leaves the room
[22:03:57] Michael Richardson leaves the room
[22:03:59] Michael Breuer leaves the room
[22:04:26] mcr leaves the room
[22:05:18] Mark Donnelly leaves the room
[22:05:37] Jonathan Lennox leaves the room
[22:14:22] Barry Leiba joins the room
[22:15:51] DanYork leaves the room
[22:20:14] Barry Leiba leaves the room
[22:30:12] jch leaves the room
[23:11:20] Martin Thomson joins the room
[23:29:35] Martin Thomson leaves the room