Hacker Remix

Captive Portal IPv6 Support

17 points by abdrzj 7 hours ago | 19 comments

zamadatix 2 hours ago

As a heads up your project is MIT licensed - that means companies do not need to reach out to purchase a license for commercial use. It might make sense to change that to an offer for official support (or relicense the project to meet your desires if applicable).

arjvik 3 hours ago

As much as we need infrastructure to move us all the way to IPv6 (no more CGNAT please!), I'm not sure I want more captive portals in the world. I'd much rather an addition to the WiFi standard to support interactive login, though I suppose that would be hard pressed to come by now.

zamadatix 1 hour ago

Interactive auth sounds attractive at first but it's really the wrong place for an answer once you look at all of the ways captive portals are used (i.e. more than just "check this agreement box"). You really need the power of the browser to display a custom form behind the solution or you end up with n+1 solutions instead of replacing captive portals.

Something like a DHCP option or NDP option ends up being a lot more natural: "Hey, here's your IP along with the information needed to access the network" is already a function of that layer. Some devices (e.g. macOS/iOS/iPadOS, Windows, Android) take a similar approach in the reverse by probing for a specific test URL. That's also a bit hacky and unreliable (e.g. it can falsely trigger) but some minor standardization of it to e.g. a well-known DNS name could be another good option.
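
The DHCP/NDP signalling described in the comment above exists in standardized form: RFC 8910 carries the captive-portal API URI in DHCPv4 option 114 and in IPv6 Router Advertisement option 37. The client-side parser below is an added example, not code from this thread or from the submitted project; the option bytes and the portal URI are constructed, and the parsers deliberately stop (returning None) on truncated or zero-length options instead of guessing.

```python
"""Extract the RFC 8910 captive-portal URI from DHCPv4 options and IPv6 RA
(NDP) options; a client can then discover the portal without URL probing."""
from typing import Optional

DHCP4_OPT_CAPTIVE_PORTAL = 114   # RFC 8910, DHCPv4 option code
RA_OPT_CAPTIVE_PORTAL = 37       # RFC 8910, NDP router advertisement option type

def dhcp4_captive_portal_uri(options: bytes) -> Optional[str]:
    """Walk the DHCPv4 options field (the bytes after the magic cookie)."""
    i = 0
    while i < len(options):
        code = options[i]
        if code == 0:                                # pad: no length byte
            i += 1
            continue
        if code == 255 or i + 1 >= len(options):     # end option / truncated header
            break
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) < length:                      # truncated value: stop, never guess
            break
        if code == DHCP4_OPT_CAPTIVE_PORTAL:
            return value.decode("utf-8", errors="replace")
        i += 2 + length
    return None

def ra_captive_portal_uri(options: bytes) -> Optional[str]:
    """Walk RA options: type, length in 8-octet units, NUL-padded data."""
    i = 0
    while i + 2 <= len(options):
        otype, olen = options[i], options[i + 1]
        end = i + olen * 8
        if olen == 0 or end > len(options):          # RFC 4861: zero length is invalid
            break
        if otype == RA_OPT_CAPTIVE_PORTAL:
            return options[i + 2:end].rstrip(b"\x00").decode("utf-8", errors="replace")
        i = end
    return None

def _ra_option(otype: int, data: bytes) -> bytes:
    padded = data + b"\x00" * (-(len(data) + 2) % 8)     # pad to an 8-octet multiple
    return bytes([otype, (len(padded) + 2) // 8]) + padded

# Constructed sample messages (not captured from any real network).
PORTAL_URI = "https://portal.example/api/captive-portal"
SAMPLE_DHCP4_OPTIONS = (bytes([53, 1, 2])                   # option 53: DHCPOFFER
                        + bytes([114, len(PORTAL_URI)]) + PORTAL_URI.encode() + bytes([255]))
SAMPLE_RA_OPTIONS = (_ra_option(1, b"\x02\x00\x00\x00\x00\x01")  # type 1: source link-layer addr
                     + _ra_option(37, PORTAL_URI.encode()))
```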

willidiots 48 minutes ago

There already was! It was called Passpoint R2 Online Sign-Up, but it never got traction on the phone side of things, so it's now being deprecated by the Wi-Fi Alliance.

It's really a business problem. IMO you shouldn't have to solve this just because you've gone indoors – you already pay a carrier for connectivity – but many carriers don't want to own that responsibility.

coretx 2 hours ago

CGNAT is OK for IPv4 because it provides us some level of protection against state (sponsored) actors.

apearson 2 hours ago

You’re going to have to explain that one.

I don’t see how CGNAT does anything but allow easier access to attacks (using private IP space outside of the local network).

coretx 2 hours ago

All the details can be found in the EUROPOL publications begging for it to be banned.

zamadatix 1 hour ago

IIRC there was some hullabaloo made with RIPE in ~2017. Half of it was "go to IPv6 and it isn't a problem" and the other half was "or also log the source ports so we can complete the identification through CG-NAT".

It's nearly 8 years later, we haven't moved to IPv6, and they stopped making noise so I'm left to assume they either got more source port logging or found some other method?

apearson 1 hour ago

Ah, allows hiding behind a massively shared single address with less traceability.

gruez 2 hours ago

Is there even an alternative to captive portals?

snvzz 2 hours ago

Just give internet access directly.

Or do not offer internet access at all. People carry their own already-connected devices anyway.

gruez 2 hours ago

What if legal wants to show a TOS page, or you want finer grained authentication than a shared key?

>Or do not offer internet access at all. People carry their own already-connected devices anyway.

Travelers don't typically have gigabytes of bandwidth to spare. I for one like having unmetered internet access even when there's theoretically internet access available through roaming (absurdly expensive) or eSIMs (expensive).

snvzz 49 minutes ago

>What if legal wants to show a TOS page?

The reality is that nobody wants to bother with any of that.

Either just connect me to the internet without extra steps, or don't at all. Don't waste my time.

gruez 31 minutes ago

>The reality is that nobody wants to bother with any of that.

I don't either, but for IT departments in large organizations, ignoring the legal department isn't an option.

notpushkin 25 minutes ago

I appreciate the sentiment, but having a shitty Wi-Fi is better than none at all IMO.

stephenr 41 minutes ago

> or you want finer grained authentication than a shared key?

Configure your access points to use RADIUS or SAML for auth?

gruez 27 minutes ago

Is WPA Enterprise authentication still a dumpster fire? Last time I set it up it was still a hassle because you had to import CAs and manually choose the authentication protocol. Definitely not a good experience for someone who's stopping by a cafe for 30 min and wants Wi-Fi.

stephenr 2 minutes ago

In your coffee-shop-like scenario, what benefit does a captive portal on anonymous Wi-Fi offer to either the customer or the coffee shop, over regular Wi-Fi authentication and a sign on the wall that says "Wi-Fi username/password is..."?

As for importing a private CA: use a certificate trusted by a public CA and you won't have this problem?

stephenr 2 hours ago

... use regular authenticated wifi?