On 1/22/15 3:39 PM, Ted Lemon wrote: > On Jan 4, 2015, at 4:32 PM, joel jaeggli <[email protected]> wrote: >> After some dicussion last year, I have agreed to sponsor >> draft-wkumari-dhc-capport >> (https://tools.ietf.org/html/draft-wkumari-dhc-capport-07). what >> I'm looking for feeback on right now is feedback from potential >> implementors, either of client implementations of captive portal >> detection or captive portals as to: >> >> * Whether or not this represents a reasonable optimization, >> >> * Have we gotten the security considerations right? >> >> * Would you use it if there was general consensus to the approach. > > I haven't seen any responses to this. I don't expect you'll see any > "we would use this responses," and you shouldn't predicate this work > on seeing any. I think the idea is fine, although I think the > requirement that the URI use an address literal is unnecessary. If > the implementor wants to do that, they can, or they can just only > answer DNS queries for the local domain until the user authenticates. > They'd have to do that to support the redirect anyway. > > I think the document has way too much explanatory text. It's good > that it's there for now so that people can understand the problem > that this draft purports to solve, but it should not be in the final > version. Just explain how to use DHCP and ND to send this option (I > think supporting it in ND is worthwhile, because DHCP isn't really > very useful in an IPv6 hotspot environment). > > It would be nice to talk about ways to authenticate this, e.g. PKI or > DNSSEC certs. > > I think you should run it by some people with HTTP fu to make sure > that you haven't missed any obvious gaps, and of course run it by > somebody with HTTP security fu to make sure there aren't any security > flaws that need to be addressed. > > I would not object to you AD-sponsoring this. It's not in-charter > for DHC, nor for 6man. You should get it reviewed in both places, > not just in DHC.
Yeah this is inline with my assumptions, thank you. > You may find section 5.7 of RFC 7227 useful: it would be good to make > sure that your use of the DHCP URI option format meshes with what RFC > 7227 does. I didn't notice a problem, but didn't look all that > carefully. > >
signature.asc
Description: OpenPGP digital signature
_______________________________________________ OPSAWG mailing list [email protected] https://www.ietf.org/mailman/listinfo/opsawg
