On Fri, Jul 3, 2020 at 1:27 PM Michael Schneider wrote:
>
> Hi,
>
> I have read the documents about CAPPORT and as a Captive Portal vendor I find
> the current drafts very reasonable and well thought out. But a question came
> up when I was thinking about a dual stack user equipment. How does the client
> behave if it has an IPv4 and an IPv6 address and one of the two addresses is
> captive=false and the other captive=true? Do you see ways for the enforcement
> device to match these two addresses and allow both if one of them gets
> captive=false? Furthermore, a user equipment can hold more than one IPv6
> address at a time and/or change it frequently.

I had often thought that it's going to take mapping clients by L2
identifiers to really pull this off. However, even if the on-site
infrastructure live-streamed the neighbor table to the enforcement
device/other elements, there's always the possibility it will not
really be sure about the MAC address of an IPv6 client until it has to
do ND for it to deliver a reply packet.

One client per L2 domain is an approach that I think solves this: each
IPv6 client gets its own /64 (see https://tools.ietf.org/html/rfc8273)
and then I think you can identify the IPv4 address and the IPv6 /64
addresses easily enough as being the same client. This has some other
nice security properties as well.

2 cents,
-ek
___
Captive-portals mailing list
Captive-portals@ietf.org
https://www.ietf.org/mailman/listinfo/captive-portals
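
The per-client /64 approach from the reply above, as an added example that is not part of the thread or of the CAPPORT drafts: an enforcement-side table that keys captive state on the client rather than on a single address, so releasing the IPv4 address also releases every address inside that client's /64. The class name `ClientSessions`, the idea that address provisioning supplies the IPv4-to-/64 binding, and the documentation-range addresses are assumptions made for illustration.

```python
import ipaddress


class ClientSessions:
    """Hypothetical enforcement table: captive state per client, not per address."""

    def __init__(self):
        self._owner = {}         # ip_network (/32 or /64) -> client id
        self._released = set()   # client ids that are no longer captive

    def provision(self, client_id, ipv4, ipv6_prefix):
        """Record the IPv4 address and the dedicated /64 handed to one client.
        Assumption: this binding comes from the address provisioning system."""
        v4 = ipaddress.ip_network(f"{ipv4}/32")
        v6 = ipaddress.ip_network(ipv6_prefix)
        if v6.version != 6 or v6.prefixlen != 64:
            raise ValueError("expected a per-client IPv6 /64")
        for net in (v4, v6):
            if self._owner.get(net, client_id) != client_id:
                raise ValueError(f"{net} is already bound to another client")
        self._owner[v4] = self._owner[v6] = client_id

    @staticmethod
    def _key(addr):
        """Reduce a source address to its lookup key: /32 for IPv4, /64 for IPv6."""
        ip = ipaddress.ip_address(addr)
        plen = 32 if ip.version == 4 else 64
        return ipaddress.ip_network(f"{ip}/{plen}", strict=False)

    def client_for(self, addr):
        return self._owner.get(self._key(addr))

    def release(self, addr):
        """The portal accepted the user on this address: release the whole client."""
        client = self.client_for(addr)
        if client is None:
            raise KeyError(f"{addr} is not a provisioned client address")
        self._released.add(client)
        return client

    def is_captive(self, addr):
        """Sources that match no provisioned client stay captive (fail closed)."""
        client = self.client_for(addr)
        return client is None or client not in self._released


def demo():
    # Constructed sample data using documentation address ranges.
    sessions = ClientSessions()
    sessions.provision("client-a", "192.0.2.10", "2001:db8:0:a::/64")
    sessions.provision("client-b", "192.0.2.11", "2001:db8:0:b::/64")
    sessions.release("192.0.2.10")   # client-a finished the portal over IPv4
    return sessions
```

Because the lookup key for IPv6 is the /64, a client that holds several IPv6 addresses or rotates them frequently keeps the same state as long as it stays inside its own prefix.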