[lacnog] IPv6 in Wifi Hotspots

Uesley Correa uesleycorrea en gmail.com
Thu Oct 17 10:35:10 -03 2019


Hello everyone,

With the ability to authorize via MAC Address, what would roaming between
hotspot cells look like? Or would all cells be in the same L2 segment?

Regards,

Uesley Corrêa - Telecommunications Analyst
CEO Telecom Consultoria, Entrenamiento y Servicios
CEO Telecom Fiber Solutions


On Thu, Oct 17, 2019 at 08:02, Fernando Gont <fernando en gont.com.ar>
wrote:

> Hello, Fernando,
>
> On 16/10/19 10:01, Fernando Frediani wrote:
> [....]
> > What comes to my mind and one of the key points is the web
> > authorization. In an IPv4 environment the client gets its IPv4 address
> > via traditional DHCP and after web authorization that address is
> > permitted to go out to the internet.
>
> Normally, the MAC address is whitelisted.
>
>
>
> > In IPv6 we have RA where the client
> > assigns its own IPv6 Address in stateless autoconfiguration. The web
> > authorization system could in theory get the IPv6 address the client is
> > talking and authorize it but there is also the figure of multiple and
> > Temporary IPv6 Addresses which may break this.
>
> The solution here is to "authenticate"/whitelist the MAC address, as
> opposed to the IPv{4,6} address. Firstly, because it might be tricky to
> "log" both the IPv6 and IPv4 addresses employed. Secondly, because as
> you correctly note, multiple addresses might be in use.
>
>
>
> > If DHCPv6 only was enabled through Managed RA flag then some clients like
> > Android would not work.
> > For me the only thing that comes to mind is the Hotspot to work in Layer
> > 2 authorizing the MAC Address and not the IP address however in that
> > case there may be a problem with access to the authorization website
> > itself.
>
> Forget about dhcpv6. It is not widely supported -- unfortunately.
>
> P.S.: If you are charging users, please beware that newer clients also
> do MAC address randomization. Some implementations use a scheme similar
> to RFC7217 (but for MAC addresses), and thus you get MAC addresses that
> are stable on a per-ap-basis. But others might use plain randomization,
> and thus a reassociation might result in a new MAC address, meaning
> that if e.g. credit was tied to the old MAC address, things might not
> work as expected.
>
> Thnx,
> --
> Fernando Gont
> e-mail: fernando en gont.com.ar || fgont en si6networks.com
> PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
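
Added example (not part of the original messages): a small Python model of the approach discussed in this thread, where the gateway whitelists the client's MAC address so that every IPv4 and IPv6 source address behind it is permitted, and flags locally administered MACs, the form randomized addresses take. The names HotspotGate, normalize_mac and is_locally_administered are hypothetical, and all MAC and IP addresses are constructed sample values.

```python
import ipaddress
import re

MAC_RE = re.compile(r"([0-9a-f]{2}:){5}[0-9a-f]{2}")

def normalize_mac(mac):
    """Lower-case, colon-separated form; raises ValueError on malformed input."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.fullmatch(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac

def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set. Randomized
    MACs set it, so credit tied to such a MAC may not survive reassociation."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)

class HotspotGate:
    """Hypothetical gateway state: authorization is keyed on the MAC only."""

    def __init__(self):
        self.sessions = {}  # mac -> set of source addresses seen (for logging)

    def authorize(self, mac):
        """Whitelist a MAC after web login; returns a warning string or None."""
        mac = normalize_mac(mac)
        self.sessions.setdefault(mac, set())
        if is_locally_administered(mac):
            return "locally administered MAC, may change on reassociation"
        return None

    def permit(self, mac, src_ip):
        """Forwarding decision for one packet. Any IPv4 or IPv6 source is
        accepted once the MAC is whitelisted; the address is only logged."""
        mac = normalize_mac(mac)
        if mac not in self.sessions:
            return False  # unknown client: keep it behind the portal
        self.sessions[mac].add(ipaddress.ip_address(src_ip))
        return True

if __name__ == "__main__":
    gate = HotspotGate()
    client = "3c:22:fb:10:20:30"  # constructed sample MAC
    print(gate.authorize(client))
    # One IPv4 address plus a stable and a temporary SLAAC address (constructed)
    for ip in ("192.0.2.10", "2001:db8:1:1:3e22:fbff:fe10:2030",
               "2001:db8:1:1:a1b2:c3d4:e5f6:1"):
        print(ip, gate.permit(client, ip))
    print(gate.authorize("da:a1:19:00:11:22"))  # constructed randomized-style MAC
```

Not every locally administered MAC is randomized, so the warning is a hint for the billing side rather than a reason to refuse the client.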