Hacker Remix

Captive Portal IPv6 Support

41 points by abdrzj 9 months ago | 54 comments

zamadatix 9 months ago

As a heads up your project is MIT licensed - that means companies do not need to reach out to purchase a license for commercial use. It might make sense to change that to an offer for official support (or relicense the project to meet your desires if applicable).

WatchDog 9 months ago

SQLite is public domain, but they apparently get enough enquiries about purchasing licenses, that they offer a warranty of title.

https://www.sqlite.org/purchase/license

sebazzz 9 months ago

Yes but that is specifically (they actually mention this) because some companies don’t recognize public domain license, so those companies rather buy a few thousand dollar license than going through the internal bureaucracy to get it approved - if even possible.

richrichardsson 9 months ago

Was going to make a similar comment.

> Note: Companies interested in purchasing a license to use the source code commercially can contact this number

and then

> This project is licensed under the MIT License.

I guess they didn't understand the MIT license and what rights it confers.

abdrzj 8 months ago

I forgot to delete the mit license. I have now removed the mit license and modified the license to accommodate commercial use of the source code.

Best regards

thwarted 9 months ago

It says right in the readme:

    This project is licensed under the MIT License.

    I hope everyone benefits from this open-source project for the development of IPv6.

jacobaul 9 months ago

The readme of repository includes a paragraph suggesting that companies should reach out for a commercial license. For an MIT licensed codebase that is unusual. I believe the top-level commenter is assuming that discrepancy is by mistake and is giving a heads up.

From the readme:

>Note: Companies interested in purchasing a license to use the source code commercially can contact this number on WhatsApp

abdrzj 8 months ago

You are right, I forgot to delete the mit license. I have now removed the mit license and modified the license to accommodate commercial use of the source code.

Best regards

richrichardsson 8 months ago

Not a lawyer, but can you retroactively apply your new license to the previous commits?

Pretty sure though any commercial entity that downloaded the code whilst it was MIT licensed (or if they just clone from the commit before you changed the license) that they can use the code with that license. Again, not a lawyer, I may be full of shit!

abdrzj 8 months ago

When using the previous MIT license, the original license and copyright must be included. The original license may change in this case, and the new license must follow the original one.

abdrzj 8 months ago

The previous source code was incomplete; they must download the latest version of the source code with the latest license for it to work correctly.

abdrzj 8 months ago

You are right, I forgot to delete the mit license.

I have now removed the mit license and modified the license to accommodate commercial use of the source code.

Best regards

arjvik 9 months ago

As much as we need infrastructure to move us all the way to IPv6 (no more CGNAT please!), I'm not sure I want more captive portals in the world. I'd much rather an addition to the WiFi standard to support interactive login, though I suppose that would be hard pressed to come by now.

zamadatix 9 months ago

Interactive auth sounds attractive at first but it's really the wrong place for an answer once you look at all of the ways captive portals are used (i.e. more than just "check this agreement box"). You really need the power of the browser to display a custom form behind the solution or you end up with n+1 solutions instead of replacing captive portals.

Something like a DHCP option or NDP option ends up being a lot more natural: "Hey, here's your IP along with the information needed to access the network" is already a function of that layer. Some devices (e.g. macOS/iOS/iPadOS, Windows, Android) take a similar approach in the reverse by probing for a specific test url. That's also a bit hacky and unreliable (e.g. it can falsely trigger) but some minor standardization of it to e.g. a well known DNS name could be another good option.

0xbadcafebee 9 months ago

A DHCP option would be the correct way to specify a captive portal on a LAN. We have DHCP options for tons of things: IP phones, TFTP servers, cable boxes. One more option for a captive portal authentication URL would properly inform clients that there is a captive portal and how to access it. (It being a URL means it can also specify the protocol, so you aren't even locked into web browsers)

My assumption is this wasn't adopted because operators want the option of placing the captive portal upstream of the local network DHCP server. DNS spoofing works great over multiple network hops, but DHCP doesn't. (I'm not sure if that's a valid argument, but I'm sure somebody insisted on it)

gavinsyancey 9 months ago

There is a DHCP option for a captive portal URL. It isn't very well supported and nobody uses it.

https://datatracker.ietf.org/doc/html/rfc7710

gavinsyancey 9 months ago

Apparently, there's a newer one that is supported by Android 11+, iOS 14+, and macOS Big Sur, at least

https://www.rfc-editor.org/rfc/rfc8910.html https://www.rfc-editor.org/rfc/rfc8908.html

https://developer.android.com/about/versions/11/features/cap... https://developer.apple.com/news/?id=q78sq5rv

0xbadcafebee 9 months ago

If they got the top 5 wifi router vendors to support it, for sure you'd see other clients support it too, because the whole point of captive portal support in browsers is to react to what those routers are doing for captive portaling.

Since those vendors largely use open source tools, if you patched open source DHCP servers with that option, it would get adopted quicker by them.

- KEA DHCPD supports it as option 114: https://gitlab.isc.org/isc-projects/kea/-/blob/master/src/li...

- ISC DHCPD is officially ended (whoa!), but it looks like it supports option 114: https://gitlab.isc.org/isc-projects/dhcp/-/blob/master/commo...

- Dnsmasq author says they added the option (https://www.mail-archive.com/dnsmasq-discuss@lists.thekelley...) but I don't see it in their latest release

- Udhcpd doesn't seem to support it, so somebody could send them a patch, looks trivial to add

willidiots 9 months ago

There already was! It was called Passpoint R2 Online Sign-Up, but it never got traction on the phone side of things, so it's now being deprecated by the Wi-Fi alliance.

It's really a business problem. IMO you shouldn't have to solve this just because you've gone indoors – you already pay a carrier for connectivity – but many carriers don't want to own that responsibility.

gruez 9 months ago

Is there even an alternative to captive portals?

snvzz 9 months ago

Just give internet access directly.

Or do not offer internet access at all. People carry their own already-connected devices anyway.

somerandomqaguy 9 months ago

16% of Canadians in 2022 didn't have a data plan on their phone, according to Statistics Canada. Roughly 6 million Canadians or so.

So not everyone. Actually a decent number of people that don't.

sulandor 9 months ago

seems easy to confuse % of plans with % of ppl. probably a lot of obscure use-cases in there

leptons 9 months ago

Captive portals are used for many, many things that aren't just internet access gateways. Many IoT devices use them to enter wifi credentials so the device can connect to the wifi router. One of my projects is an IoT device with a custom web interface that can be used from a cellphone when there are no nearby wifi routers for the IoT device and phone to connect to - the phone connects directly to the IoT device and gets the custom device control interface.

Gud 9 months ago

Hotels absolutely don’t want to provide open access to all for obvious reasons. Although I have a “global unlimited” business SIM, I find it rarely works all that great. Getting a local SIM is not always an option.

gruez 9 months ago

What if legal wants to show a TOS page, or you want finer grained authentication than a shared key?

>Or do not offer internet access at all. People carry their own already-connected devices anyway.

Travelers don't typically have gigabytes of bandwidth to spare. I for one like having unmetered internet access even when there's theoretically internet access available through roaming (absurdly expensive) or esims (expensive)

snvzz 9 months ago

>What if legal wants to show a TOS page?

The reality is that nobody wants to bother with any of that.

Either just connect me to the internet without extra steps, or don't at all. Don't waste my time.

gruez 9 months ago

>The reality is that nobody wants to bother with any of that.

I don't either, but for IT departments in large organizations, ignoring the legal department isn't an option.

immibis 9 months ago

Gues they just won't provide access then. Oh, what's that? There's a reason they need to provide access? Well, too bad the IT standards people invented a way to make sure we didn't interfere!

notpushkin 9 months ago

I appreciate the sentiment, but having a shitty Wi-Fi is better than none at all IMO.

stephenr 9 months ago

> or you want finer grained authentication than a shared key?

Configure your access points to use RADIUS or SAML for auth?

gruez 9 months ago

Is WPA enterprise authentication still a dumpster fire? Last time I set it up it was still a hassle because you had to import CAs and manually choose the authentication protocol. Definitely not a good experience for someone who's stopping by a cafe for 30min and wants wifi.

stephenr 9 months ago

In your coffee shop-like scenario, what benefit does a captive portal on anonymous Wifi offer to either the customer or the coffee shop, over regular Wifi authentication, and a sign on the wall that says "wifi username/passowrd is..."

As for importing a private CA. Use a certificate trusted by a public CA and you won't have this problem?

gruez 9 months ago

>In your coffee shop-like scenario, what benefit does a captive portal on anonymous Wifi offer to either the customer or the coffee shop, over regular Wifi authentication, and a sign on the wall that says "wifi username/passowrd is..."

From an access control perspective, it probably doesn't matter much for a coffee shop, but matters more for something for a hotel where you want to limit to certain guests only (eg. ones with room or loyalty program members)

From a legal perspective, having an interstitial might provide cover for when a baddie uses the connection to order drugs or whatever. IANAL and I'm not sure whether it's actually needed or not, but most companies rather not risk it. Moreover it's unlikely that no jurisdictions require it, so you'd still support for it.

>As for importing a private CA. Use a certificate trusted by a public CA and you won't have this problem?

No idea. Last time I had to use WPA enterprise, the organization providing the connection isn't exactly small and couldn't afford a certificate, but still required me to import a CA. That makes me think it might be an inherent issue with WPA enterprise.

stephenr 9 months ago

> Legal cover for when a baddie uses the connection to order drugs or whatever.

.... Is this meant to be a joke?

> still required me to import a CA

It's reasonably likely that they wanted it to only work on known devices with their private CA cert installed; but either way, and regardless of the technology in question, I wouldn't suggest it's particularly meaningful to use one organisation's setup as the basis for how things inherently work.

gruez 9 months ago

>.... Is this meant to be a joke?

Are you a lawyer? I wasn't making a definitive statement, but if you have stronger evidence to the contrary please present them rather than making shallow dismissals.

>It's reasonably likely that they wanted it to only work on known devices with their private CA cert installed

It's an organization where BYOD is very common.

chikere232 9 months ago

If someone makes you import a CA, you have to assume they intend to eavesdrop on ssl encrypted communications. Enterprise WPA doesn't require it.

The right flavour of incompetence might get you there without bad intentions but really if you give someone the capability of eavesdropping you have to behave as if they're intending to use it

gruez 9 months ago

Doesn't seem like it. For instance the WPA enterprise setup dialog has a field specifically for a CA certificate[1]. Other OSes have something similar [2]. Presumably that's only used for WPA authentication purposes rather than being added as a sytem CA.

[1] https://askubuntu.com/questions/1317320/how-can-i-automatica...

[2] https://documentation.meraki.com/MR/Encryption_and_Authentic...

stephenr 9 months ago

... use regular authenticated wifi?

coretx 9 months ago

CGNAT is ok for IPV4 because it provides us some level of protection against state ( sponsored ) actors.

apearson 9 months ago

You’re going to have to explain that one.

I don’t see how CGNAT does anything but allow easier access to attacks (using private ip space outside of the local network)

coretx 9 months ago

All the details can be found in the EUROPOL publications begging for it to be banned.

zamadatix 9 months ago

IIRC there was some hullabaloo made with RIPE in ~2017. Half of it was "go to IPv6 and it isn't a problem" and the other half was "or also log the source ports so we can complete the identification through CG-NAT".

It's nearly 8 years later, we haven't moved to IPv6, and they stopped making noise so I'm left to assume they either got more source port logging or found some other method?

sulandor 9 months ago

politics still clinging to the idea of identifying ppl by obvious traffic meta-data

coretx 8 months ago

There is people using chef/kitchen knifes for murder too. That doesn't mean we should regulate them for army use and monitor all cooks. Yet this is what many but certainly not all decision makers are doing. Good, fundamental, stuff is happening too, such as RPKI for example. Some "politics" is definitely not happy about that, but its good for the internet.

apearson 9 months ago

Ah, allows hiding behind a massively shared single address with less traceability.

Uptrenda 9 months ago

This is really cool. Nice work and I find the MIT license you've chosen to be interesting. I chose the very same license for my own open source project because I wanted there to be few excuses not to use it.

Damn, you've done significant work on this. Will have to check this out more in depth.

abdrzj 8 months ago

I forgot to delete the mit license. I have now removed the mit license and modified the license to accommodate commercial use of the source code.

Best regards

immibis 9 months ago

Indeed. MIT license means you are working for large corporations for free, if your software is useful. As a capitalist parasite, I strongly support its use.

abdrzj 8 months ago

I forgot to delete the mit license. I have now removed the mit license and modified the license to accommodate commercial use of the source code.

Best regards

ninkendo 9 months ago

I wonder how captive portals are supposed to work with IPv6 temporary private addresses (RFC4941).

I’ve never run a captive portal but I always assumed that the router just redirects all port 80 packets to the portal (and rejects everything else), and then upon authenticating, the gateway puts your IP in the “allow” bucket and you get access.

But if you’re generating random addresses every few minutes, you’d need to continually reauthenticate, unless the system has some way of associating the temporary addresses with the original connection. Maybe it listens to ndp and uses MAC addresses to associate? That would be more advanced than most captive portals I’ve seen which seem to only care about ip addresses. Maybe just none of them use IPv6, or simply break with temporary addresses?

mannyv 9 months ago

In general they work by having an allow list and by using a captive DNS. Some will also try to redirect http/https.

Once the agreement is accepted the MAC is added to the allow list.

Not sure how MAC address randomization works in these schemes, but it does. There must be some standard algorithm that everyone follows.

zamadatix 9 months ago

There are 3 main types of "random Wi-Fi MAC addresses". The most well known one is randomization of the MAC while the client is probing from SSIDs (prior to connection). This has been around for many years and doesn't change the actual connection MAC later on. Another randomization type that's slightly more common these days (e.g. iPhones default to it now) is choosing a random MAC per SSID. That way you can't be tracked by MAC across multiple networks but you still have consistency for captive portals and business networks. The third is true rotating randomization - this is relatively uncommon as it breaks captive portals (there is no well known algorithm or it'd be relatively pointless). iPhones were going to adopt this with rolling MACs but it was too broken and offered little over approach 2 in terms of privacy.

ninkendo 9 months ago

I guess different captive portals work differently, because I’ve heard of plenty of them that can be bypassed by simply statically assigning the address of someone else who’s already authenticated (ie session hijacking), but it makes sense that any “decent” captive portal system uses MAC addresses to mitigate this.

The randomization I refer to is of the outgoing IPv6 address, not the MAC address… nothing that I’m aware of randomly cycles MAC addresses (Apple’s OSes can be configured to randomly generate a MAC every time you connect to a network, but it won’t regenerate them continuously in a session. IPv6 addresses however are continuously generated, as per the RFC4941 spec.) If the system is using MAC addresses to identify users, then temporary/cycled IPv6 addresses should be no problem.

9 months ago