es, including home routers. (The Home CPE that has no uplink
configured is a de facto captive portal.)
--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
-= IPv6 IoT consulting =-
signature.asc
Description: PGP signature
___
Capt
tured new ICMPs, for the
tcpdump tests/ subdirectory. Please touch ".devel" and run "make check"
And please send a pull request; your code looks well formed to me.
--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
Martin Thomson <martin.thom...@gmail.com> wrote:
> On 2 April 2017 at 17:27, Michael Richardson <mcr+i...@sandelman.ca>
wrote:
>> One of the things we are going to need to do is to find a way use the
>> stick as well as the carrot when it comes to poorly be
Michael Richardson <mcr+i...@sandelman.ca> wrote:
> Yes, I agree. That's the carrot part. "Do X and life will be better"
> But, I was talking about the stick part: "Until you do X, you'll get a
> bad review"
> I realize that this isn't a p
the end-user can be sure that the
certificate in question is really from the location they are in. In many
cases, it's not "chicago-ord.com", but rather, "ord.boingo.com"...
--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
handle something similar, but I believe that it hasn't (yet?) got
Intents that are as flexible.
On a desktop system there are fewer options, but given dbus, and
OSX/microsoft equivalents, I don't see why it couldn't happen.
The "gcalapi" python script nicely asks my browser for
out
having me pay after my free sample wore off. At my hotel, it was about
keeping the network from being overrun by riff-raff.
--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
me source IP address MUST be considered by the client to
mean a change in access policy has occurred and previous
notifications are no longer valid.
I don't know what it means if an ICMP comes from a different source IP.
--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
lected the network on purpose).
Consider a school that uses Google Apps (like my sons').
They run a somewhat loose firewall that blacklists stuff; but probably would
be better off to whitelist things.
The ICMP reply could very well be used to trigger the teacher override.
--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
Captive-portals@ietf.org
> https://www.ietf.org/mailman/listinfo/captive-portals
--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
issing the point of the URL. It's not after login, but it's
how to find the login page. Once you have it, you can do anything. Also, I
think you can include any additional parameters you want. It's descriptive,
not prescriptive.
--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
Mark Nottingham <m...@mnot.net> wrote:
> That's useful as long as the client is a human is behind a browser. It
> can also break lots of stuff...
Exactly why the ICMP is useful :-)
--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
iscovers that this malware looked for zones that
ought not to exist, and if they did, assumed it was in a quarantine/lab.
--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
pt it.
After adoption, I think the WG should consider if describing the JSON in YANG
would make sense. I've been through this in netconf/anima/6tisch now, and
while it seems like a silly annoyance at first, it seems to have some
advantages in the long run.
--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
we can get the MAC address via DHCP relay, the
portal can't verify the address is the correct one accessing it anyway.
--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
> "capport";
> import ietf-yang-types {
>   prefix yang;
> }
> // ... metadata stuff
> container top {
>   leaf captive {
>     type boolean;
>   }
>   leaf end {
>     type yang:date-and-time;
>   }
> }
> }
See, and we are done
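As an added illustration of what a YANG description of the JSON buys you (this is not code from the thread, the WG, or any portal implementation): a small Python validator for a JSON instance of the "top" container sketched above, with its two leaves "captive" (boolean) and "end" (yang:date-and-time, which is an RFC 3339 timestamp). The sample instances are constructed, the function names are my own, and, since neither leaf in the sketch is marked mandatory, absent leaves are accepted while unknown members and wrong types are rejected.

```python
import json
from datetime import datetime

# Constructed sample instances of container "top" (not from any real portal).
SAMPLE_CAPTIVE = '{"captive": true, "end": "2017-04-02T17:27:00Z"}'
SAMPLE_OPEN = '{"captive": false, "end": "2017-04-03T17:27:00+02:00"}'
SAMPLE_BAD_TYPES = '{"captive": "yes", "end": "tomorrow"}'
SAMPLE_UNKNOWN_LEAF = '{"captive": true, "end": "2017-04-02T17:27:00Z", "foo": 1}'

LEAVES = {"captive", "end"}  # the only members the sketched container allows


class CapportValidationError(ValueError):
    """Raised when a JSON instance does not match the YANG-described schema."""


def parse_date_and_time(value):
    """yang:date-and-time is RFC 3339: a string that must carry a UTC offset."""
    if not isinstance(value, str):
        raise CapportValidationError("end must be a string")
    # datetime.fromisoformat() before Python 3.11 does not accept a trailing "Z".
    text = value[:-1] + "+00:00" if value.endswith(("Z", "z")) else value
    try:
        stamp = datetime.fromisoformat(text)
    except ValueError:
        raise CapportValidationError("end is not RFC 3339: %r" % value) from None
    if stamp.tzinfo is None:
        raise CapportValidationError("end must carry a UTC offset")
    return stamp


def validate_top(raw):
    """Parse a JSON instance of container "top" and return (captive, end).

    Either value is None when the optional leaf is absent. Unknown members
    are rejected: that strictness is what a YANG module gives over ad hoc JSON.
    """
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise CapportValidationError("not JSON: %s" % exc) from None
    if not isinstance(doc, dict):
        raise CapportValidationError("top must be a JSON object")
    unknown = set(doc) - LEAVES
    if unknown:
        raise CapportValidationError("unknown leaves: %s" % sorted(unknown))
    captive = doc.get("captive")
    # bool is checked explicitly: in Python bool is a subclass of int, and
    # a YANG boolean must not accept 0/1 or the string "yes".
    if captive is not None and not isinstance(captive, bool):
        raise CapportValidationError("captive must be a boolean")
    end = parse_date_and_time(doc["end"]) if "end" in doc else None
    return captive, end


def is_valid(raw):
    """True when the instance conforms to the sketched module."""
    try:
        validate_top(raw)
        return True
    except CapportValidationError:
        return False


def still_captive_at(raw, now_rfc3339):
    """True if the instance says we are captive and "end" (if given) is in the future."""
    captive, end = validate_top(raw)
    if not captive:
        return False
    if end is None:
        return True  # captive with no stated end: stay captive
    return parse_date_and_time(now_rfc3339) < end
```

A real module would add description, reference and possibly mandatory statements, and the same JSON rules (RFC 7951 encoding) are what a generic YANG-driven validator would enforce without hand-written checks like these.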
ticated. Not only does it mean that my host
has to figure out how to use what might be an expired temporary address, but
it also means that I could add my friends' IPs to my ACL rather easily.
How many can I add? All 2^64 of them? :-)
--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
ather than
> communicating further state within it). We need to work on what exactly
> this entails, and what we lose by taking out the more advanced
> capabilities (i.e. maybe first round has the simple methods, but we can
> add more extensions as the base technology is a
bad.
It should be the same whenever the ESSID/AP is the same, with some caveats,
and this gets us the nice property that access control doesn't have to be
done every time one visits the same place.
--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
isn't handed off to random shell scripts. The kernel does some
validation of the incoming packet.
--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
ypes
> for "captive portal in force" may not work well either, as I strongly
> suspect that firewall devices/software inspects ICMP messages.
So, we should use an old type (unreachable), but a new code?
I sure prefer ICMP from an architectural point of view.
--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
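As an added example (not code from the thread, from tcpdump, or from any draft) of the "old type, new code" idea above, and of the sanity checks a host stack applies before acting on an ICMP error (the kernel validation mentioned earlier in this thread): a Python builder and parser for an ICMPv4 Destination Unreachable message. The code value CODE_CAPTIVE = 42 is a placeholder of my own, not an IANA assignment; the addresses and the quoted UDP datagram are constructed; IPv6 is not covered.

```python
import socket
import struct

ICMP_DEST_UNREACH = 3  # existing ICMPv4 type: Destination Unreachable
CODE_CAPTIVE = 42      # ASSUMPTION: placeholder for a "captive portal in force" code;
                       # no such code is assigned by IANA, used for illustration only


def ones_complement_checksum(data):
    """RFC 1071 checksum as used by IPv4 and ICMPv4 headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, payload_len, proto=17):
    """Minimal 20-byte IPv4 header (IHL=5, DF set) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[12:]


def build_unreachable(code, offending_datagram):
    """ICMPv4 type 3 with the given code: 4 unused bytes, then the offending
    IP header plus the first 8 bytes of its payload (enough for the ports)."""
    quoted = offending_datagram[:28]
    body = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + quoted
    return body[:2] + struct.pack("!H", ones_complement_checksum(body)) + body[4:]


def parse_unreachable(msg, my_addr):
    """Return (code, quoted_src, quoted_dst) or raise ValueError.

    The checks mirror what a receiving stack does before it hands an ICMP
    error to anything: length, checksum, type, a sane quoted header, and
    that the quoted datagram is one *we* sent (its source is our address).
    An error quoting somebody else's packet is dropped, not acted upon.
    """
    if len(msg) < 8 + 20:
        raise ValueError("too short")
    if ones_complement_checksum(msg) != 0:
        raise ValueError("bad checksum")
    itype, code = msg[0], msg[1]
    if itype != ICMP_DEST_UNREACH:
        raise ValueError("not Destination Unreachable")
    quoted = msg[8:]
    if quoted[0] >> 4 != 4 or (quoted[0] & 0x0F) < 5:
        raise ValueError("quoted datagram is not IPv4")
    src = socket.inet_ntoa(quoted[12:16])
    dst = socket.inet_ntoa(quoted[16:20])
    if src != my_addr:
        raise ValueError("quoted datagram was not sent by us")
    return code, src, dst


def is_valid_unreachable(msg, my_addr):
    """Boolean form of parse_unreachable() for callers that only need accept/reject."""
    try:
        parse_unreachable(msg, my_addr)
        return True
    except ValueError:
        return False


def sample_message():
    """Constructed: a client's UDP query to a resolver, and the unreachable a
    gateway might send back about it (documentation address ranges)."""
    udp = struct.pack("!HHHH", 40000, 53, 12, 0) + b"abcd"
    dgram = ipv4_header("192.0.2.10", "198.51.100.53", len(udp)) + udp
    return build_unreachable(CODE_CAPTIVE, dgram)
```

Because the type is the long-established 3, middleboxes that already pass Destination Unreachable see nothing new on the wire; only a receiver that knows the new code interprets it differently, and a receiver that does not simply treats it as an ordinary unreachable. Writing sample_message() out to a pcap is also the natural way to produce a tcpdump tests/ capture for a new code.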
l the privileges it
needs anyway?
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works| network architect [
] m...@sandelman.ca http://www.sandelman.ca/ | ruby on rails[
--
Michael Richardson, Sandelman Software Works
Martin Thomson <martin.thom...@gmail.com> wrote:
> On Wed, May 2, 2018 at 10:06 PM Michael Richardson <mcr+i...@sandelman.ca>
> wrote:
>> Have we considered TCP RST already? (I don't think it's better than ICMP,
>> but
>> I don't remember i
> discovery mechanism.
> I’d vote for some variation on (a), but we can just explain the meaning
> of the URL we discover more clearly, instead of using a well known
> URL.
I think that we need the 7710 mechanism to get the HOST part, and that the
URL part SHOULD be .well-know
gister a /.well-known value as a suggestion.
--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
t; decides to do. As Martin says, the human using the UE might be
lc> interested (e.g., in the upgrading case), but that's not hard to do by
--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
y much out of scope for current work.
--
Michael Richardson, Sandelman Software Works
--
Michael Richardson, Sandelman Software Works
Michael Richardson quoted:
> From
https://krebsonsecurity.com/2019/02/a-deep-dive-on-the-recent-widespread-dns-hijacking-attacks/
> "The two people who did get popped, both were traveling and were on their
> iPhones, and they had to traverse through captive
hotels and enterprises where
there is more local operational clue.
So I just don't see how option 82 helps with IPv6 RAs.
--
Michael Richardson, Sandelman Software Works
HCP to one where captive portal operator can control/influence DNS, and
that things like DoT/DoH can not be used by the captive portal client.
(I just want to make the assumption explicit. I'm not complaining about it)
--
Michael Richardson, Sandelman Software Works
t captive portal solutions that work, in part,
> by intercepting DNS.
I don't think that is necessarily the case.
The Internet group probably controls the routers, just not the DHCP.
--
Michael Richardson, Sandelman Software Works
oday *do* depend upon creating answers for names that aren't
real. That fails today if you do DNSSEC validation. Of course, some still
depend upon lying about all DNS requests, but we have agreed that this is
bad.
--
Michael Richardson, Sandelman Software Works
we have to find a way to send unique URLs in IPv6 RAs?
--
Michael Richardson, Sandelman Software Works
Michael Richardson, Sandelman Software Works
addresses to L2 addresses
between portal system and first-hop router
5) captive mechanism
will have to be done for L3 addresses, which means doing it for
v4, v6 and each privacy address.
--
Michael Richardson, Sandelman Software Works
ortal Standards for Wi-Fi Workgroup, WBA
>
> Alternatives:
>
Brian Shields wrote:
> activities to practical trials. The WBA next event will be in Frankfurt on
> Oct 2-3, and we would be glad to invite a IETF delegation to discuss a way
> forward on the joint collaboration and potentially trials kick-off.
I will be in Belgrade Oct. 5-6, but I
n flash a LED, or attempt a firmware upgrade, or maybe just reboot if a
timer goes off. (%)
This requires that the IoT device get the captive portal API end point, which
https://datatracker.ietf.org/doc/draft-ietf-capport-rfc7710bis/ can deliver
via DHCPv4/v6 or RA.
>> On 9 Jul 2019, a
Christopher Morrow wrote:
> During setup at the IETF meeting this week in Singapore the noc folk
> setup an experiment on the IETF wireless network, specifically on the
> IETF SSID to test your shiny new DHCP option(s) for captive portal,
> information about that is detailed
Erik Kline wrote:
> Some of the comments in that thread seem very disappointing and
> aggravating even (saying they'll use 161 if they need to, for example,
> which is allocated for MUD).
DHCP options are not hard to get.
Polycom should know better.
ghts drive our decisions, and I don’t think that conflicts
> with others will be as bad
Warren,
I'd like to ask the IAB Program that produced draft-iab-protocol-maintenance
to consider some set of processes for squatters. (Squatters are tolerated
by being liberal in what you accep
Michael Richardson, Sandelman Software Works
network (e.g. it
> could present its signed MUD URL) that can be evaluated challenged by
> the captive portal server.
> Following up on a suggestion by Michael Richardson, can the Captive
> Portal API be extended to do this?
I think that there are two important things here:
>the range below 128, it should be safer to use.
> I *really* like this idea - the options even contains something that
> looks like a URL :-)
I also like it.
--
Michael Richardson, Sandelman Software Works
e the others wait.
So you want to have:
1) API
2) architecture
3) rfc7710bis
all on the 2020-05-21 telechat?
That would be awesome!
--
Michael Richardson, Sandelman Software Works
MAC addresses negates a lot
> of the benefits of randomized MAC addresses,
This assumes that a single observer can observe both at the same time.
WEP++ leaves MAC addresses visible, but encrypts the rest of L3 content.
--
Michael Richardson, Sandelman Software Works
ation
proponents (if there is such a group), to explain the threat profile.
I don't think it includes active compromised hosts.
Such hosts can also ARP/ND spoof, and can even do that for the router (".1"),
capturing all the traffic on the network.
--
Michael Richardson. o O ( IPv6 IøT consulting )
Stephen Farrell wrote:
> On 29/09/2020 19:41, Michael Richardson wrote:
>> It will be good if we can get a document from the MAC randomization
>> proponents (if there is such a group), to explain the threat profile.
>> I don't think it includes act
r.
The MAC address is outside of the WEP encryption, so it is always seen, even
if the traffic is otherwise encrypted.
An EAP-*TLS based upon TLS1.2 would reveal the identity, at least the first
time. Perhaps this is a reason to support resumption tokens in EAP-TLS!
--
Michael Richardson
different IP(v4), right?
If you solve persistent DHCP, then you solve those, don't you?
--
Michael Richardson. o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
To: int-a...@ietf.org, captive-por...@ietf.org, home...@ietf.org
From: Michael Richardson
Date: Tue, 22 Sep 2020 16:34:33 -0400
This thread was started today on the INTAREA WG ML.
While I don't object to a BOF, I don't know where it goes.
What I see is that much of this problem
d excitement.
Our mailman strips off Reply-To: since we did that DMARC avoidant hack
(AFAIK), so redirecting replies only works if we all agree.
--
Michael Richardson. o O ( IPv6 IøT consulting )
e BOF/WG output
> is}, after which the MAC gets changed to {something else}.
An interesting idea.
--
Michael Richardson, Sandelman Software Works
Stephen Farrell wrote:
>> Stephen Farrell wrote:
>>
>> > On 29/09/2020 19:41, Michael Richardson wrote: >> It will be good if
>> we can get a document from the MAC randomization >> proponents (if
>> there is such a group
we say that
they have to be identical. Oops.
--
Michael Richardson, Sandelman Software Works
time. The whole
> point being to provide timely information about revocation without
> depending on a live OCSP or CRL fetch (which have poor privacy
> properties in addition to adding to fragility).
Ah, okay. The CRL is "built-in", so it does not need to be fetched
-Stapling is not what I'm talking about, and eliminates the need.
--
Michael Richardson, Sandelman Software Works
f circumstances in which a network
> can display content to the user is not increased.
--
Michael Richardson, Sandelman Software Works
lient operating
systems involved, and they are not standardized. Most index upon the ESSID
identity to categorize the network into "Home" / "Work" / "Public", to use
the Windows terminology.
I think that the WG decided that this was a rathole we did not need to go
into, p
e!
Sounds legit, and a great way to show off the XML patcher!
--
Michael Richardson. o O ( IPv6 IøT consulting )
bout this, perhaps offering to
debug this with you. (This might be a job for the IETF Hackathon
VPN... which does L2 stuff)
> Unfortunately we decided to stop support of capport on our national
> network until we are able to fix a workaround about this.
:-(
--
Michael Richardson, Sandelman Software Works