<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Times New Roman \(Cuerpo en alfa";
panose-1:2 2 6 3 5 4 5 2 3 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML con formato previo Car";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.gmail-tlid-translation
{mso-style-name:gmail-tlid-translation;}
span.HTMLconformatoprevioCar
{mso-style-name:"HTML con formato previo Car";
mso-style-priority:99;
mso-style-link:"HTML con formato previo";
font-family:Consolas;}
span.EstiloCorreo22
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 3.0cm 70.85pt 3.0cm;}
div.WordSection1
{page:WordSection1;}
--></style></head><body lang=ES link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;mso-fareast-language:EN-US'>Hi Fernando,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><div><div><p class=MsoNormal style='margin-left:35.4pt'>El 16/10/19 20:24, "LACNOG en nombre de Fernando Frediani" <<a href="mailto:lacnog-bounces@lacnic.net">lacnog-bounces@lacnic.net</a> en nombre de <a href="mailto:fhfrediani@gmail.com">fhfrediani@gmail.com</a>> escribió:<o:p></o:p></p></div></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><p style='margin-left:35.4pt'>Thanks for the inputs so far.<o:p></o:p></p><p style='margin-left:35.4pt'>Jordi - Getting the addresses via the portal and tie them to the MAC Address may be something that works, but although you don't see a problem with IPv6 Temporary <o:p></o:p></p><p><span lang=EN-US>Actually, I’m convinced is the only way (MAC addresses), as this is the only way that allows the captive portal to keep working even if users or apps make anything with IP addresses. See what Henri posted.<o:p></o:p></span></p><p style='margin-left:35.4pt'><span lang=EN-US>Addresses I think that should be a concern until 100% resolved , even for a few applications otherwise there will be internet browsing problems. </span>As it is a feature of the Operating System it's harder to have a fix in the authorization system.<o:p></o:p></p><p><span lang=EN-US style='font-size:12.0pt'>Is not just OS, is apps the ones that can choose what addresses to use (temporary vs non-temporary, IPv6 vs IPv4), but I’ve not yet seen “general” apps that use the non-temporary ones and work with non-persistent addresses. It doesn’t make sense, it will be a clear software design bug.<o:p></o:p></span></p><p style='margin-left:35.4pt'><span lang=EN-US><br>Perhaps considering only one address initially (the one that talks to the authorization portal) to authenticate the client and then, after authorized, add a Layer 2 rule to allow everything coming from the MAC Address may be the way to a solution.<o:p></o:p></span></p><p><span lang=EN-US style='font-size:12.0pt'>You can make sure about that by double checking (as I explained before, having in the portal IPv4-only objects and IPv6-only objects), if both of them match with the same MAC address (they should!).<o:p></o:p></span></p><p style='margin-left:35.4pt'><span lang=EN-US>Regarding the /64 per client I don't think that can be done only via RA at the moment and would require DHCPv6-PD which then is a problem for Android clients and therefore a showstopper.<o:p></o:p></span></p><p><span lang=EN-US style='font-size:12.0pt'>Read the RFC, it is just RA. This is being used actually by some hot-spot providers. I cannot provide more details, just that it is done with Nokia devices. Anyway, I guess you are interested in using OpenSource, so Nokia details not so useful.<o:p></o:p></span></p><p style='margin-left:35.4pt'><span lang=EN-US>Henri - I am not sure I fully understood your solution and how you the system is able to authorize the client if via the Temporary IPv6 he is talking to the portal or other method. </span>I guess DHCPv6 wouldn't make much difference in this case, again, due to Android clients.<br>I believe the Radius Attribute Framed-IPv6-Prefix is only for DHCPv6 scenarios and not all end-user Operating Systems take that into consideration by default, specially if there is no DHCPv6 Client at all. Still if the client received and configures the interface with the Framed-IPv6-Prefix it may not necessarily use it for browsing and may just use the Temporary IPv6 Addresses. The way to resolve that would be to use RA with Managed flag which, once again, would break Android usage.<o:p></o:p></p><p style='margin-left:35.4pt'>Welcome more comments about these various scenarios and what you believe would be best approach to resolve these scenarios from a more conceptual point of view in order to have a fully functional IPv6 Hotspot system.<o:p></o:p></p><p style='margin-left:35.4pt'>Fernando Frediani<o:p></o:p></p><div><p class=MsoNormal style='margin-left:35.4pt'>On 16/10/2019 14:14, Henri Alves de Godoy wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal style='margin-left:35.4pt'><span lang=EN>Hi Fernando, Uesley and Jordi,<br><br>I understand your question as it can clarify what I have been doing here at the University.<br><br>I am enabling in some access points the use of 464XLAT via captive portal via web, for students to authenticate with username and password. I understand it works like a hotspot, which is your question.<br><br>Both the wireless controller, the apache portal webpage and also the radius server are ipv6 enabled. The user when connecting he accesses the captive portal peacefully via ipv6 and authenticates. All this operation from what I tracked is being done by Temporary IPv6 acquired via stateless.<br><br>As I do not know which operating system of my visitor and I have to enable dhcpv6 and necessarily radvd (because of Android clients).<br><br>One of my concerns about identifying users in IPv6 for a future audit seems to be being resolved with the log I have gotten from radius in this update, which I did not have before and that will definitely help me.<br><br>Here's an example of a log via captive portal or hotspot if you want to call it that.</span> <o:p></o:p></p><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>Wed Oct 16 13:30:02 2019<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><br> Acct-Session-Id = "5DA74532-8401D503"<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'> Framed-IP-Address = 192.168.200.11 - <b>This is the CLAT IP</b><o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'> Framed-Interface-Id = 1dd7:5af7:44fe:1b2b - <b>This is the IPv6 Temporary Client </b><o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'> Framed-IPv6-Prefix = 2801:8a:c040:200::/64 - <b>This is the IPv6 network </b><o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'> Acct-Multi-Session-Id = "e0107f3f693a00234e5b789a5da74532040a"<br> Acct-Link-Count = 1<br> Acct-Status-Type = Start<br> Acct-Authentic = RADIUS<br> User-Name = "henri.godoy"<br> Called-Station-Id = "E0-10-7F-3F-69-3A:FCA6"<br> Calling-Station-Id = "00-23-4E-5B-78-9A" - <b> MAC Client Device</b><br> NAS-Port-Type = Wireless-802.11<br> Connect-Info = "CONNECT 802.11b/g"<br> Event-Timestamp = "Oct 16 2019 13:30:03 -03"<br> Ruckus-SSID = "FCA6"<br> Ruckus-BSSID = 0xe0107f3f693a<br> Ruckus-VLAN-ID = 3<br> Ruckus-SCG-CBlade-IP = 2886773770<br> Proxy-State = 0x31<br> NAS-IPv6-Address = 2801:8a:c040:fca1::4<br> FreeRADIUS-Acct-Session-Start-Time = "Oct 16 2019 13:30:02 -03"<br> Tmp-String-9 = "ai:"<br> Acct-Unique-Session-Id = "aec4dd2b04755858e966afebb33e366f"<br> Timestamp = 1571243402<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span class=gmail-tlid-translation><span lang=EN>Apache captive portal access log</span></span> <o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>2801:8a:c040:200:1dd7:5af7:44fe:1b2b - - [16/Oct/2019:13:29:31 -0300] "GET /wifi/portal/fca/&nbiIPv6=2801:8a:c040:fca1::4&client_mac=00:23:4e:5b:78:9a&reason=Un-Auth-Captive&wlanName=FCA6&dn=<a href="http://vsz.fca.unicamp.br">vsz.fca.unicamp.br</a>&ssid=FCA6&mac=e0:10:7f:3f:69:30&url=http%3A%2F%<a href="http://2Fdetectportal.firefox.com">2Fdetectportal.firefox.com</a>%2Fsuccess.txt&proxy=0&vlan=3&wlan=12&sip=<a href="http://vsz.fca.unicamp.br">vsz.fca.unicamp.br</a>&sshTunnelStatus=1&uip=2801:8a:c040:200:1dd7:5af7:44fe:1b2b&StartURL=http%3A%2F%<a href="http://2Fwww.fca.unicamp.br">2Fwww.fca.unicamp.br</a> HTTP/1.1" 200 5291<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span class=gmail-tlid-translation><span lang=EN>With this information I have been able to relate the client's IPv6 with the name of the user who authenticated the mac address and the times, in case there is any case that we have to investigate. If the IP to be investigated is from the IPv4 pool and has been translated, then the work is a bit more boring because we have to check Jool's logs to find IP + Port. :-(</span></span> <o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>Regards,<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>Henri <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:12.0pt;margin-left:35.4pt'><o:p> </o:p></p><div><div><p class=MsoNormal style='margin-left:35.4pt'>Em qua, 16 de out de 2019 às 12:01, Fernando Frediani <<a href="mailto:fhfrediani@gmail.com" target="_blank">fhfrediani@gmail.com</a>> escreveu:<o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm'><p class=MsoNormal style='margin-left:35.4pt'>Hello there<br>I will put in English in order to facilitate for some in the list and <br>are english speakers which perhaps may also know about it.<br><br>A while ago I asked about IPv6 in Hotspot environments and some people <br>responded that had it working but the thread never came to a conclusion <br>of what exactly is the key point for IPv6 to work in Hotspot. I <br>understand that some people may have public Wifi with IPv6 enabled which <br>is not necessarily the same thing as a Hotspot system with IPv6 which I <br>am interested to know more about.<br><br>What comes to my mind and one of the key points is the web <br>authorization. In a IPv4 environment the client gets its IPv4 address <br>via traditional DHCP and after web authorization that address is <br>permitted to go out to the internet. In IPv6 we have RA where the client <br>assigns its own IPv6 Address in stateless autoconfiguration. The web <br>authorization system could in theory get the IPv6 address the client is <br>talking and authorize it but there is also the figure of multiple and <br>Temporary IPv6 Addresses which may break this.<br><br>If DHCPv6 only was enabled though Managed RA flag then some clients like <br>Android would not work.<br>For me the only thing that comes to mind is the Hotspot to work in Layer <br>2 authorizing the MAC Address and not the IP address however in that <br>case there may be a problem with access to the authorization website itself.<br><br>Given that does anyone see any proper way for Hotspot to work with IPv6 <br>after a client is web authorized ?<br><br>Regards<br>Fernando Frediani<br><br>_______________________________________________<br>LACNOG mailing list<br><a href="mailto:LACNOG@lacnic.net" target="_blank">LACNOG@lacnic.net</a><br><a href="https://mail.lacnic.net/mailman/listinfo/lacnog" target="_blank">https://mail.lacnic.net/mailman/listinfo/lacnog</a><br>Cancelar suscripcion: <a href="https://mail.lacnic.net/mailman/options/lacnog" target="_blank">https://mail.lacnic.net/mailman/options/lacnog</a><o:p></o:p></p></blockquote></div></div></div><p class=MsoNormal style='margin-left:35.4pt'><br clear=all><o:p></o:p></p><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><p class=MsoNormal style='margin-left:35.4pt'>-- <o:p></o:p></p><div><div><div><p class=MsoNormal style='margin-left:35.4pt'>-- <o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>Henri Alves Godoy<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>Tecnologia da Informação e Comunicação<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>Faculdade de Ciências Aplicadas - FCA<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>Universidade Estadual de Campinas - UNICAMP<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>Fone: (19) 3701-6682<o:p></o:p></p></div></div></div><p class=MsoNormal style='margin-left:35.4pt'><br><br><o:p></o:p></p><pre style='margin-left:35.4pt'>_______________________________________________<o:p></o:p></pre><pre style='margin-left:35.4pt'>LACNOG mailing list<o:p></o:p></pre><pre style='margin-left:35.4pt'><a href="mailto:LACNOG@lacnic.net">LACNOG@lacnic.net</a><o:p></o:p></pre><pre style='margin-left:35.4pt'><a href="https://mail.lacnic.net/mailman/listinfo/lacnog">https://mail.lacnic.net/mailman/listinfo/lacnog</a><o:p></o:p></pre><pre style='margin-left:35.4pt'>Cancelar suscripcion: <a href="https://mail.lacnic.net/mailman/options/lacnog">https://mail.lacnic.net/mailman/options/lacnog</a><o:p></o:p></pre></blockquote><p class=MsoNormal style='margin-left:35.4pt'>_______________________________________________ LACNOG mailing list LACNOG@lacnic.net https://mail.lacnic.net/mailman/listinfo/lacnog Cancelar suscripcion: https://mail.lacnic.net/mailman/options/lacnog <o:p></o:p></p></div><br>**********************************************<br>
IPv4 is over<br>
Are you ready for the new Internet ?<br>
http://www.theipv6company.com<br>
The IPv6 Company<br>
<br>
This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.<br>
<br>
</body></html>