Erik Kline <[email protected]> wrote:
> One problem with UDP is that if the enforcement point is well upstream of
> several firewalls, it likely won't get through.
... because random UDP is evil?
I thought it was just enterprise firewalls that felt this way.
Surely, people setting up a captive portal could configure things to work?
> Consider the case of a DSLAM doing some captive portal enforcement on a
> per-line-ID basis. Originating a packet from the DSLAM back to the sender
> can reasonably be expected to get to the home CPE (DSL modem), but if the
> user has installed firewall devices downstream of this then ICMP stands a
> better chance of getting through than UDP, I feel.
I feel I need a diagram to explain this.
(Is this even in scope?)
> Thinking about this case in particular suggests to me that /new/ ICMP types
> for "captive portal in force" may not work well either, as I strongly
> suspect that firewall devices/software inspects ICMP messages.
So, we should use an old type (unreachable), but a new code?
I sure prefer ICMP from an architectural point of view.
--
Michael Richardson <[email protected]>, Sandelman Software Works
-= IPv6 IoT consulting =-