On Fri, Jul 3, 2020 at 1:27 PM Michael Schneider <michael.schnei...@onway.ch> wrote:
>
> Hi,
>
> I have read the documents about CAPPORT and as a Captive Portal vendor I find
> the current drafts very reasonable and well thought out. But a question came
> up when I was thinking about a dual stack user equipment. How does the client
> behave if it has an IPv4 and an IPv6 address and one of the two addresses is
> captive=false and the other captive=true. Do you see ways for the enforcement
> device to match these two addresses and allow both if one of them gets
> captive=false? Furthermore, a user equipment can hold more than one IPv6
> address at a time and/or change it frequently.

I had often thought that it's going to take mapping clients by L2
identifiers to really pull this off. However, even if the on-site
infrastructure live-streamed the neighbor table to the enforcement
device/other elements, there's always the possibility it will not really
be sure about the MAC address of an IPv6 client until it has to do ND for
it to deliver a reply packet.

One client per L2 domain is an approach that I think solves this: each
IPv6 client gets its own /64 (see https://tools.ietf.org/html/rfc8273) and
then I think you can identify the IPv4 address and the IPv6 /64 addresses
easily enough as being the same client. This has some other nice security
properties as well.

2 cents,
-ek

_______________________________________________
Captive-portals mailing list
Captive-portals@ietf.org
https://www.ietf.org/mailman/listinfo/captive-portals
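
The per-client /64 approach from the reply above, sketched as an enforcement-side lookup table. This is an added example, not code from the thread or from any CAPPORT implementation. It assumes the provisioning system knows which IPv4 address and which /64 it handed to each client link; the class, its method names, the link names and the addresses are all constructed for illustration.

```python
import ipaddress


class ClientTable:
    """Captive state per client link; addresses are only lookup keys."""

    def __init__(self):
        self._captive = {}  # link_id -> True while the client is captive
        self._v4 = {}       # IPv4Address -> link_id
        self._v6 = {}       # per-client IPv6Network (/64) -> link_id

    def provision(self, link_id, v4_addr, v6_prefix):
        """Record what was assigned to one client link (assumed known)."""
        prefix = ipaddress.IPv6Network(v6_prefix)
        if prefix.prefixlen != 64:
            raise ValueError("expected one /64 per client")
        if prefix in self._v6:
            raise ValueError("prefix already assigned to another client")
        self._captive[link_id] = True
        self._v4[ipaddress.IPv4Address(v4_addr)] = link_id
        self._v6[prefix] = link_id

    def owner(self, src):
        """Map a source address of either family to its client link."""
        addr = ipaddress.ip_address(src)
        if addr.version == 4:
            return self._v4.get(addr)
        # Every address in the client's /64 resolves to the same client,
        # so extra or rotating IPv6 addresses need no per-address state.
        return self._v6.get(ipaddress.IPv6Network((addr, 64), strict=False))

    def release(self, src):
        """Portal reports captive=false for the client that owns src."""
        link = self.owner(src)
        if link is None:
            raise KeyError("unknown source address: %s" % src)
        self._captive[link] = False

    def is_allowed(self, src):
        """Unknown sources (no matching link) stay blocked."""
        link = self.owner(src)
        return link is not None and not self._captive[link]


# Constructed sample data: documentation address ranges, made-up link names.
table = ClientTable()
table.provision("link-101", "192.0.2.10", "2001:db8:0:101::/64")
table.provision("link-102", "192.0.2.11", "2001:db8:0:102::/64")
table.release("192.0.2.10")  # client on link-101 finished the portal via IPv4
```

Because the state hangs off the link and not the address, releasing the client through either family opens both, and a source outside any provisioned /64 (including link-local) is never matched to a released client.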