[lacnog] IPv6 in Wifi Hotspots

JORDI PALET MARTINEZ jordi.palet at consulintel.es
Wed Oct 16 13:55:58 -03 2019

Hi Fernando,

I recall having found some opensource captive portals some time ago just googling.

Also, you can modify an existing open source captive portal to offer some "objects" in the login web page which are IPv4-only and IPv6-only in the web page. This way you will get both addresses from the customer and "tie" them to the same MAC address.

You also have RFC7710 and RFC8273 (this also allows you to assign a single /64 for each device, so they are isolated from other "hot-spot" clients). I've done presentations on this one in LACNIC.

I don't think temporary addresses are a problem (in general). Why? Client apps use by default the temporary address. Only very specific apps that run on the client that require "incoming" connections will use the non-temporary address. Really a weird case in a hot-spot, because that requires a DNS entry, etc. If an app wants to allow incoming connections via non-DNS, they will use a "tracking server" that will also use the temporary addresses (if correctly designed).

Now, if you mean that the temporary addresses change from time to time, in the worst case, it will mean re-authenticating, or checking if the new IPv6 address uses an "authorized" MAC, etc. Anyway, if a customer is using a hotspot for more than (for example) 3 days, it is probably good to re-authenticate it, right?

Of course, the alternative is using layer-2 authentication (802.11x) and vendors of captive portals or wireless controllers have proprietary solutions.


On 16/10/19 17:01, "LACNOG on behalf of Fernando Frediani" <lacnog-bounces at lacnic.net on behalf of fhfrediani at gmail.com> wrote:

    Hello there
    I will put this in English in order to facilitate for some in the list who 
    are English speakers and perhaps may also know about it.
    A while ago I asked about IPv6 in Hotspot environments and some people 
    responded that had it working but the thread never came to a conclusion 
    of what exactly is the key point for IPv6 to work in Hotspot. I 
    understand that some people may have public Wifi with IPv6 enabled which 
    is not necessarily the same thing as a Hotspot system with IPv6 which I 
    am interested to know more about.
    What comes to my mind and one of the key points is the web 
    authorization. In an IPv4 environment the client gets its IPv4 address 
    via traditional DHCP and after web authorization that address is 
    permitted to go out to the internet. In IPv6 we have RA where the client 
    assigns its own IPv6 Address in stateless autoconfiguration. The web 
    authorization system could in theory get the IPv6 address the client is 
    talking and authorize it but there is also the figure of multiple and 
    Temporary IPv6 Addresses which may break this.
    If DHCPv6 only was enabled through the Managed RA flag then some clients like 
    Android would not work.
    For me the only thing that comes to mind is the Hotspot to work in Layer 
    2 authorizing the MAC Address and not the IP address however in that 
    case there may be a problem with access to the authorization website itself.
    Given that does anyone see any proper way for Hotspot to work with IPv6 
    after a client is web authorized?
    Fernando Frediani

IPv4 is over
Are you ready for the new Internet ?
The IPv6 Company

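The address-to-MAC binding and the "authorized MAC" re-check described in the message above, as an added example that is not part of the original e-mail or of any captive portal product. The class `HotspotSessions`, the `neighbors` lookup table and all sample addresses are assumptions constructed for illustration; the 3-day limit is the example figure from the message.

```python
import ipaddress

MAX_SESSION_AGE = 3 * 24 * 3600  # the "3 days" example figure from the message

def norm(addr):
    """Canonical text form, so differently written IPv6 strings compare equal."""
    return str(ipaddress.ip_address(addr))

class HotspotSessions:
    """Hypothetical session table keyed by client MAC address."""

    def __init__(self):
        self.sessions = {}  # mac -> {"since": epoch seconds, "addrs": set of str}

    def login(self, v4_src, v6_src, neighbors, now):
        """After web login: v4_src / v6_src are the source addresses seen on the
        fetches of the IPv4-only and IPv6-only objects in the login page."""
        seen = [norm(a) for a in (v4_src, v6_src) if a]
        macs = {neighbors.get(a) for a in seen}
        if len(macs) != 1 or None in macs:
            return None  # fetches do not resolve to one known MAC: do not authorize
        mac = macs.pop()
        self.sessions[mac] = {"since": now, "addrs": set(seen)}
        return mac

    def is_allowed(self, src, neighbors, now):
        """Per-flow check: a new (temporary) address passes only if the
        neighbor table maps it to a MAC with a session that is still fresh."""
        mac = neighbors.get(norm(src))
        session = self.sessions.get(mac)
        if session is None:
            return False                    # unknown MAC: redirect to the portal
        if now - session["since"] > MAX_SESSION_AGE:
            del self.sessions[mac]          # too old: force re-authentication
            return False
        session["addrs"].add(norm(src))     # learn the rotated address
        return True

# Constructed neighbor table (ARP plus IPv6 ND entries, documentation prefixes).
NEIGHBORS = {
    "192.0.2.10": "02:00:00:aa:bb:01",
    "2001:db8:0:1::a1": "02:00:00:aa:bb:01",
    "2001:db8:0:1::f00d": "02:00:00:aa:bb:01",  # later temporary address, same device
    "2001:db8:0:1::bad": "02:00:00:aa:bb:02",   # different device, never logged in
}
```

The `neighbors` mapping stands in for the gateway's own ARP/ND cache; the check is only as trustworthy as that table.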
