
Re: [Captive-portals] Signals from the network and ICMP

Erik Kline <[email protected]> wrote:
    > One problem with UDP is that if the enforcement point is well upstream of
    > several firewalls, it likely won't get through.

... because random UDP is evil?
I thought it was just enterprise firewalls that felt this way.
Surely, people setting up a captive portal could configure things to work?

    > Consider the case of a DSLAM doing some captive portal enforcement on a
    > per-line-ID basis.  Originating a packet from the DSLAM back to the sender
    > can reasonably be expected to get to the home CPE (DSL modem), but if the
    > user has installed firewall devices downstream of this then ICMP stands a
    > better chance of getting through than UDP, I feel.

I feel I need a diagram to explain this.
(Is this even in scope?)

    > Thinking about this case in particular suggests to me that /new/ ICMP types
    > for "captive portal in force" may not work well either, as I strongly
    > suspect that firewall devices/software inspects ICMP messages.

So, we should use an old type (unreachable), but a new code?
I sure prefer ICMP from an architectural point of view.

Michael Richardson <[email protected]>, Sandelman Software Works
 -= IPv6 IoT consulting =-
