[lacnog] IPv6 in Wifi Hotspots

[Fernando Gont]

Hello, Fernando,

On 16/10/19 10:01, Fernando Frediani wrote:
[....]
> What comes to my mind and one of the key points is the web
> authorization. In a IPv4 environment the client gets its IPv4 address
> via traditional DHCP and after web authorization that address is
> permitted to go out to the internet. 

Normally, the MAC address is whitelisted.



> In IPv6 we have RA where the client
> assigns its own IPv6 Address in stateless autoconfiguration. The web
> authorization system could in theory get the IPv6 address the client is
> talking and authorize it but there is also the figure of multiple and
> Temporary IPv6 Addresses which may break this.

The solution here is to "authenticate"/whitelist the MAC address, as
opposed to the IPv{4,6} address. Firstly, because it might be tricky to
"log" both the IPv6 and IPv4 addresses employed. Secondly, because as
you correctly note, multiple addresses might be in use.



> If DHCPv6 only was enabled though Managed RA flag then some clients like
> Android would not work.
> For me the only thing that comes to mind is the Hotspot to work in Layer
> 2 authorizing the MAC Address and not the IP address however in that
> case there may be a problem with access to the authorization website
> itself.

Forget about dhcpv6. It is not widely supported -- unfortunately.

P.S.: If you are charging users, please beware that newer clients also
do MAC address randomization. Some implementations use a scheme similar
to RFC7217 (but for mac addresses),and thus you get mac addresses that
are stable on a per-ap-basis. But others might use plain randomization,
and thus a reassociation might result in a new MAC addresses, meaning
that if e.g. credit was tied to the old mac address, things might not
work as expected.

Thnx,
-- 
Fernando Gont
e-mail: fernando en gont.com.ar || fgont en si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1