[ietf78-tech] portal enhancements for the future

kemp kemp at network-services.uoregon.edu
Thu Jul 29 04:30:21 PDT 2010


portal improvements

There are a number of areas where the NAC system could have been
improved given more time, and some areas that are still open
to discussion. I thought this would be a good time to summarize
possible areas for improvement.

-- NEW FUNCTIONALITY

We have no IPV6 webpage, and no IPV6 automatic redirection.
It may be possible to implement this through packet marking and
internal routing.  But it's not clear which way to go on this feature
request.

-- APACHE ISSUES

We should have had a /wpad.dat file, and advertise our own proxy
file.  That would have reduced some of the caching we saw on the
130.129.0.0/16 address space.

It would be good to do some kind of rate-limit against the webpage
in Apache.  We could do this with "hash-limit" rules on the IPTABLES
headed towards port 80 and port 443.

-- CAPTIVATOR TOOLS

We didn't finish a "delete-user" script, or implement the
"limit-total-macs" subroutine for the login webpage.
Both of these would be fairly easy, and could be useful
to have.  Additionally, we could put all the
command-line script tools behind an "operator webpage"
on the management interface
of the machine.

-- PHYSICAL HARDWARE

Might be nice to have at least a small UPS on the services, management,
and nac machines.  I also like having a serial console sitting on a
terminal server port, to get to the machines in case of emergency.

-- MONITORING

The one thing I really missed was having a smokeping display sitting on
the wired parts of the network both in front of and behind the nac box.
Having these numbers is a very good way to determine the health of
the system in a very quick way.

That's the short list.

-- 
John Kemp
kemp at network-services.uoregon.edu
RouteViews Engineer
541-346-1714
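As an added illustration of the "hash-limit" rate limit mentioned under APACHE ISSUES (example code, not from the original post or the NAC system): a shell function that emits per-source iptables hashlimit rules for ports 80 and 443 so they can be reviewed before loading. The interface name, rate and burst values are assumptions.

```shell
#!/bin/sh
# Constructed example: per-source rate limits for the captive-portal web server,
# implemented with the iptables "hashlimit" match on ports 80 and 443.
# Rules are printed rather than applied so they can be reviewed first;
# pipe the output to sh (as root) to load them.

# Usage: portal_ratelimit_rules IFACE [RATE] [BURST]
#   IFACE  client-facing interface (assumed name, e.g. eth1)
#   RATE   new connections allowed per source, hashlimit syntax (default 20/sec)
#   BURST  initial token bucket per source (default 40)
portal_ratelimit_rules() {
    iface="$1"
    rate="${2:-20/sec}"
    burst="${3:-40}"
    for port in 80 443; do
        # 1) A client that stays under its per-source rate gets its new
        #    connections accepted; state is tracked per source IP (srcip).
        printf 'iptables -A INPUT -i %s -p tcp --dport %s -m conntrack --ctstate NEW -m hashlimit --hashlimit-name portal%s --hashlimit-mode srcip --hashlimit-upto %s --hashlimit-burst %s -j ACCEPT\n' \
            "$iface" "$port" "$port" "$rate" "$burst"
        # 2) Any other NEW connection to the port has exceeded the rate
        #    and is dropped; already-established flows are untouched.
        printf 'iptables -A INPUT -i %s -p tcp --dport %s -m conntrack --ctstate NEW -j DROP\n' \
            "$iface" "$port"
    done
}

# Sanity-check helper: number of rules the generator emits (2 per port).
portal_ratelimit_rule_count() {
    portal_ratelimit_rules "$@" | grep -c '^iptables '
}

# Print the rule set for an assumed client-facing interface.
portal_ratelimit_rules eth1 20/sec 40
```

The ACCEPT rule must precede the DROP rule for each port, and both should sit ahead of any general web-server accept rule in INPUT.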
