[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Captive-portals] client identifying info between API and enforcement

To: Dave Dolson <[email protected]>
Subject: Re: [Captive-portals] client identifying info between API and enforcement
From: Lorenzo Colitti <[email protected]>
Date: Tue, 17 Oct 2017 00:59:34 +0900
Archived-at: <https://mailarchive.ietf.org/arch/msg/captive-portals/stqE-TAYa875huUtHV-bSxbjg2I>
Authentication-results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Cc: Erik Kline <[email protected]>, Kyle Larose <[email protected]>, "[email protected]" <[email protected]>, David Bird <[email protected]>
Delivered-to: [email protected]
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=tFAiXn+OqrzYdgf8rKc8m5PKeLGbpGW2XLztuON2chQ=; b=VGIcHHvqu7SWq0eJKN93UZjskHrgamt8tVy57b2D4o5FLVSwV3cY4vhe4i2RCwSx4i Wt0CPzvstdsPQDlD4K/E9EpDg0w+DBHw8bCsAggvAhOYErWGRUWc7tOLtLEqcvD7HyUP vesvY+9aBZt3eLYS95O2OSkxCoxx4Ff90P2ubQGKVmdbXU20jyr54B3J2KokUz6Jo5BI odiB4KDbHn82Jy4VigtnRL/iszrnB9AUYRxZNo3VLA9M+wEvyxncY69MoBwRUHDwl7ij hjA/AQR293RdhAwOxgwT+qkuWFkQMHryQ13chKTuyMHsS3KSQYsQ6crz4nDTfVv767tt NYhg==
In-reply-to: <[email protected]m>
List-archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-help: <mailto:[email protected]?subject=help>
List-id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-post: <mailto:[email protected]>
List-subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:[email protected]?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:[email protected]?subject=unsubscribe>
References: <[email protected]om> <[email protected]m> <[email protected]om> <[email protected]m>

We shouldn't be requiring devices to request permission from the network every time they create a new IPv6 address. See RFC 7934 for rationale and best current practices.

As for changing MAC addresses at will - captive portals are usually deployed on wifi, and 802.11 is very much tied to a single MAC address. On typical host platforms it's sometimes possible to change the MAC address, but it's very hard to use more than one at the same time.

On Tue, Oct 17, 2017 at 12:41 AM, Dave Dolson <[email protected]> wrote:

Or change MAC addresses at will?

Each change could be handled as a new capport session.

From: Lorenzo Colitti [mailto:[email protected]]
Sent: Monday, October 16, 2017 11:01 AM
To: Dave Dolson
Cc: Erik Kline; Kyle Larose; [email protected]; David Bird
Subject: Re: [Captive-portals] client identifying info between API and enforcement

On Mon, Oct 16, 2017 at 11:23 PM, Dave Dolson <[email protected]> wrote:

I infer you mean the MAC address is required so that the portal can open/close the firewall using it as a filter.
I'd prefer to see this done at the Internet layer (AKA layer3), with IPv4/6 addresses, to avoid limiting usefulness to a particular access technology.

How do you do that when devices can create new IPv6 addresses at will?

References:
- [Captive-portals] client identifying info between API and enforcement
  - From: Erik Kline <[email protected]>
- Re: [Captive-portals] client identifying info between API and enforcement
  - From: Dave Dolson <[email protected]>
- Re: [Captive-portals] client identifying info between API and enforcement
  - From: Lorenzo Colitti <[email protected]>
- Re: [Captive-portals] client identifying info between API and enforcement
  - From: Dave Dolson <[email protected]>

Prev by Date: Re: [Captive-portals] client identifying info between API and enforcement
Next by Date: Re: [Captive-portals] client identifying info between API and enforcement
Previous by thread: Re: [Captive-portals] client identifying info between API and enforcement
Next by thread: Re: [Captive-portals] client identifying info between API and enforcement
Index(es):
- Date
- Thread