Dual stack hotspot/captive portal

Marc Blanchet marc.blanchet at viagenie.ca
Thu Feb 24 13:22:24 CET 2011

Le 11-02-23 21:35, Mikael Abrahamsson a écrit :
> On Wed, 23 Feb 2011, Marc Blanchet wrote:
>> I thought we were talking about hotspot with captive portal which
>> suggests public places with not the same level of security
>> requirements as an enterprise network.
> Not protecting users from man-in-the-middle attacks and session
> hijackings is really bad business practice. You need to protect the
> users MORE in that kind of environment than on an enterprise LAN.

right. but the question is about who does it and how. protecting 
man-in-the-middle and session hijacking can be done at different layers.

If I would have choices, I would like to deploy 802.1x for admission 
control and first level of encryption. but that not easy for the typical 

> The
> most adverse environment securitywise is the role of an ISP, not the
> enterprise.
>> To me, captive portals are just fine with router advertisements and I
>> don't see real need for DHCPv6. However, DHCPv6 can be a solution in
>> this environment, but there is currently some lack of clients
>> implementations. That might change in a not so distant future.
>> However, if one wants to do it right now, and it is for the general
>> public, I guess RA are probably more simple than DHCPv6, given all
>> implementations support RA.
> You use RAs always, even in DHCPv6. You probably mean SLAAC.


> And I would design it so that people with DHCPv6 support get IPv6, if
> they don't, they don't get IPv6. No SLAAC allowed. I guess we can agree
> to disagree.

currently dhcpv6 is just too early. too many devices won't be able to 
connect. so maybe later. again, it also depends on your expected user 
base profiles. The project I'm involved with is about free public wifi, 
where almost any kind of devices can connect. in that group of devices, 
still too many are not supporting dhcpv6.


IPv6 book: Migrating to IPv6, Wiley. http://www.ipv6book.ca
Stun/Turn server for VoIP NAT-FW traversal: http://numb.viagenie.ca
DTN Implementation: http://postellation.viagenie.ca
NAT64-DNS64 Opensource: http://ecdysis.viagenie.ca

More information about the ipv6-ops mailing list