
amwdrizz

join:2013-01-16
Winchendon, MA

1 recommendation

[IPv6] Comcast IPv6 Address Assignment/Delegation

Alright, some simple (Well maybe not so simple, Comcast couldn't answer them) questions if I may relating to Comcast and IPv6... Also this is my first post so, hello all!

Anyways, is Comcast issuing /64s or /48s to residential? Or is it all higher than a /64? I've read somewhere on these forums that Comcast does issue a /128 to the Consumer Endpoint (AKA Modem/Router/Gateway). But none beyond that if they issue anything else to support internal devices.

Also is Comcast allowing the delegation of DNS of your assigned /64 or /48 (if they issue them)

The reason why I ask, is I run IPv6 over HE.net. While I would like to have native IPv6. At least having a /64 and having it delegated to my DNS servers is a requirement. The /48 is a nice to have option.

So some of you may wonder why would I need/want a /48. The main reason is to allow network separation between select networks. I don't want any of my networks in the same sub net. While yes, I could do this with a /64; a routed /48 is just easier to handle at the main router.

In addition I am currently using a routed /64 and a /48 on my network assigned from HE.net

As I stated earlier, I am quite happy with HE.net for my IPv6 needs, There are some slight 'issues' here and there; some sites that have IPv6 don't have a bgp with he.net, random slowness due to the nature of being on a tunnel server with other users, etc.

Thanks ahead of time for the responses,

amwdrizz
--
I am a Comcast residential customer with way too many devices.


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2
It's /64 on the LAN. I don't think they will delegate rDNS to you.

amwdrizz

join:2013-01-16
Winchendon, MA
@graysonf
Thanks for the reply, I figured they wouldn't delegate the rDNS. But was unsure about the /64 or not for the LAN.

Still a put off. Looks like I'll deal with HE.net until they shutdown tunnel services. (I am figuring that it is sufficiently far ahead to not worry about it) Maybe by that point I'll have sufficient funds to get a dedicated line that will delegate the rDNS


NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage

1 recommendation

reply to amwdrizz
If you have a residential account (or a business class dynamic IP account and don't use Comcast's gateway router) and a router that supports DHCP6-PD, you will be assigned a /128 for the router's WAN and a /64 for the router's LAN.

Comcast does not yet support IPv6 for their static IPv4 business class accounts, but when they finally get around to it, I suspect that they will setup IPv6 PTR records just as they currently setup IPv4 PTR records. They will not delegate the rDNS to you, but you can contact business class support and request the PTR records that you want to use.
--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.

amwdrizz

join:2013-01-16
Winchendon, MA
I'll have to wait and see with the business side then. I didn't know that Comcast even offered PTR records for the static IPv4s.

Each individual I talked with in the business dept more than likely looked at me like I was crazy when I was asking about it awhile back on the IPv4 side of it. I will have to ask them more questions in the future then.

Thanks for additional info.

Kearnstd
Space Elf
Premium
join:2002-01-22
Mullica Hill, NJ
kudos:1
reply to amwdrizz
so a question then. If I went IPV6 I can use a router then? and instead of the router assigning IPs instead Comcast does the DHCP even for LAN clients?

More I am curious how does this affect SAMBA shares and does it still keep the public internet from seeing them.
--
[65 Arcanist]Filan(High Elf) Zone: Broadband Reports


whfsdude
Premium
join:2003-04-05
Washington, DC
Reviews:
·Comcast
said by Kearnstd:

so a question then. If I went IPV6 I can use a router then? and instead of the router assigning IPs instead Comcast does the DHCP even for LAN clients?

More I am curious how does this affect SAMBA shares and does it still keep the public internet from seeing them.

Maybe I can help clear this up.

Comcast will assign a /128 for their on-link network. Comcast will then assign you a routed block (/64 for now, could be /60 or /56 in the future). The routed block will be routed to your on-link network address.

For your personal network, you could implement the same firewall policy as NAT has (SPI firewall, blocking incoming traffic unless there is an associated state entry). I know D-Link supports this as a pre-set configuration option. I haven't had experience with other consumer routers as of late.

The difference with v4 is you eliminate overloading (the broken part of NAT), as everything is assigned a global unique address.

amwdrizz

join:2013-01-16
Winchendon, MA

1 recommendation

reply to Kearnstd
said by Kearnstd:

so a question then. If I went IPV6 I can use a router then? and instead of the router assigning IPs instead Comcast does the DHCP even for LAN clients?

More I am curious how does this affect SAMBA shares and does it still keep the public internet from seeing them.

You will still use a 'router' on your end. Instead of handling NAT it will act as a router should. It will route the connections from your LAN devices to the /128 on the WAN side. You will still need (And this will be handled by most routers) DHCP & DHCPv6/Radvd for both IPv4 and IPv6 addressing. You will also still use a DNS forwarder (again handled by the router).

The key thing here, is that the router will not offer any perceived concept of security through NAT on IPv6 Connections. NAT was a kludge fix in the first place in my opinion. But you will be able to set a global firewall policy on the router for IPv6 that will in essence provide a base level of security for IPv6. It is not a replacement for end device security and firewalls.

And with IPv6 there will be no need for Port forwarding (when you have sufficient IPv6 addresses for each device) as the router will route all incoming connections to the correct end device.


jjmb

join:2009-12-01
USA

3 recommendations

reply to amwdrizz
I run the IPv6 program at Comcast and can answer your questions.

We assign an IPv6 address (/128) and a delegated prefix to routers that support IPv6 and are enabled. By default, today, if your router does not offer a hint that it can support more than one IPv6 VLAN (see RFC3633) we by default will delegate a /64. However, for routers that can support more than one VLAN or a shorter than /64 prefix we will today offer up to a /60.

We will be changing the defaults later this year so that /60 is the default. I will post updates on my Comcast blog when we launch these updates. (»blog.comcast.com/author/john-brzozowski/)

For residential broadband we currently do not offer the ability to manage the reverse zone for the delegated prefix, nor do I foresee this anytime soon. Most who need or are interested in this are commercial customers; as such we will be offering the ability to manage PTR records for our commercial DOCSIS services.

As I am sure you would agree native is far more superior than tunneled IPv6. We analyzed this closely and chose native IPv6 over tunneled (6rd) as performance and predictability were much better. Further, most tunneled deployments of IPv6 have plans to re-deploy IPv6 natively.

HTH,

John Jason Brzozowski


Mike Wolf

join:2009-05-24
Beachwood, NJ
kudos:4
reply to NetFixer
How do you know if a router supports DHCP6-PD ?


whfsdude
Premium
join:2003-04-05
Washington, DC
Reviews:
·Comcast
said by Mike Wolf:

How do you know if a router supports DHCP6-PD ?

Edit: Correct link, »www.ipv6ready.org/


NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage

1 recommendation

reply to Mike Wolf
said by Mike Wolf:

How do you know if a router supports DHCP6-PD ?

That is not necessarily easy to know before making a decision to purchase a particular router. The site that whfsdude pointed to will give you the specs for what is required to get the "IPv6 Ready" gold logo, but that site does not seem to have a current list of equipment that has passed the qualification tests (at least I could not find such a list).

Basically, you just have to trust that a vendor who displays that logo is entitled to use it. The D-Link DIR655 that I currently use had that logo on the retail box, and I looked for that logo in the product descriptions on several on-line retailers before purchasing it (and FWIW, that particular router is also on Comcast's recommended router list at »mydeviceinfo.comcast.net/?homegateway ).

Interestingly, the "IPv6 Ready" gold logo no longer appears on the web site order page of the retailer I used, or on several other sites I just checked, and the logo is not displayed on D-Link's own web pages for the DIR655 (in fact any mention of IPv6 is limited to indirect references in the firmware download page). I don't know what is going on with that; perhaps D-Link had been using that logo without authorization, and had to withdraw it? I do know that it seems to work just fine with Comcast's native dual stack (as illustrated below).






--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.

voiptalk

join:2010-04-10
Gainesville, VA
On that D-Link DIR-655, you may want to verify that the IPv6 firewall ("IPv6 Simple Security" enabled) is working properly in FW 2.10.

I tested that router with 2.08 Beta01 and it worked properly .. all ports were blocked on a port scan. I upgraded to 2.10 and it was no longer working. Downgraded to 2.08 Beta01 and it functioned again. So, it looks like firewall is broken.

To run an IPv6 port scan: »ipv6.chappell-family.com/ipv6tcptest/


Dan Austin

@phoenix.com
reply to jjmb
It is good to hear that the plan is for a /60 allocation. I've been waiting for the static business plans to receive IPv6 and hoping for a larger allocation since I need to use one subnet to connect the mandated 'router' to my real router.

Of course that plan still falls apart if the CPE does not let me add static routes to put one or more /64 subnets downstream.


NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage
reply to voiptalk
said by voiptalk:

On that D-Link DIR-655, you may want to verify that the IPv6 firewall ("IPv6 Simple Security" enabled) is working properly in FW 2.10.

I tested that router with 2.08 Beta01 and it worked properly .. all ports were blocked on a port scan. I upgraded to 2.10 and it was no longer working. Downgraded to 2.08 Beta01 and it functioned again. So, it looks like firewall is broken.

To run an IPv6 port scan: »ipv6.chappell-family.com/ipv6tcptest/

I had noticed some problems with the 2.10 IPv6 firewall too (including that the manual firewall rules don't seem to work as expected). I tried loading the older 2.07 firmware to see if its IPv6 firewall worked properly, but that required a factory default reset, and manually reentering the router config (a PITA since the 2.07 firmware's "reboot later" function did not seem to work properly), so I aborted that and went back to firmware version 2.10 (I started out at firmware release 2.10 because I followed Comcast's advice and did the automatic firmware update from the factory delivered version 2.00 before I configured it the first time). I had already disabled the DIR655 IPv6 firewall (at least until the next firmware release), and my own PEN testing (from outside my LAN) showed that my local firewall rules seem to be blocking all IPv6 inbound traffic except for the services that I have explicitly allowed.

And thanks for that external scan site; I will be putting that in my bookmarks for future use. That test did in fact find an open service that I had overlooked for one PC, and I have now fixed that (it was a service that required authentication, and also logged access attempts, so it was not a big risk, but I had not intended to leave it open to anything other than LAN/VPN access).
--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2
said by NetFixer:

And thanks for that external scan site; I will be putting that in my bookmarks for future use.

Here's another, nmap based for IPv6, very flexible, you can specify the IP to be scanned.

»nmapv6.packetsize.net/


NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage
said by graysonf:

said by NetFixer:

And thanks for that external scan site; I will be putting that in my bookmarks for future use.

Here's another, nmap based for IPv6, very flexible, you can specify the IP to be scanned.

»nmapv6.packetsize.net/

Thanks, I just tried it and (as expected) the only open services are the ones that I have explicitly left exposed.

That site likes to live dangerously by allowing outsiders to scan other sites from their server.
--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2
Well, like I said, very flexible

I didn't actually try it with IPs that were not mine. I limited it to my router and the machines connected to it.

derekivey

join:2006-03-30
San Jose, CA
kudos:1

1 recommendation

reply to jjmb
Any updates on when the IPv6 trials for the Business Class customers will start? I emailed NetDog back in December and he put us down on the list.


PGHammer

join:2003-06-09
Accokeek, MD

2 recommendations

reply to whfsdude
Please - even a /56 is far more than a Metro Ethernet customer can swallow. The real issue is whether or not Comcast (or any ISP, for that matter) will be able to narrow down a small-enough block for anything short of a carrier-grade router to be able to manage comfortably. Tunnel brokers (not just the more typical ones, such as HE, but even Comcast itself) drop a /64 on any customer as a floor, which is a metric ton worth of overkill. I'd run out of bandwidth WELL before running out of IP addresses - even a Metro Ethernet (business) customer will be in the same pickle (bandwidth will go poof way before IP addresses will). Pretty much except for older routers and equipment that is still IPv6-hostile, the IP dragon is practically dead; it just is not aware yet.


NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage

1 edit
reply to voiptalk
said by voiptalk:

On that D-Link DIR-655, you may want to verify that the IPv6 firewall ("IPv6 Simple Security" enabled) is working properly in FW 2.10.

I tested that router with 2.08 Beta01 and it worked properly .. all ports were blocked on a port scan. I upgraded to 2.10 and it was no longer working. Downgraded to 2.08 Beta01 and it functioned again. So, it looks like firewall is broken.

This is a followup to my previous reply. Your post prompted me to take another look at the firmware version 2.10 IPv6 firewall settings. I found that the problems I originally saw were caused by using both the "IPv6 Simple Security" settings and the manual IPv6 firewall settings at the same time (and I had originally not created a default outbound rule since that is typically a built-in default for most router based firewalls). With the setup below, the IPv6 firewall rules in my DIR655 with firmware version 2.10 work properly, and I can now control my IPv6 firewall rules in a central place (which was one of my reasons for purchasing the DIR655). My primary problem with the DIR655 is its brain dead requirement to reboot the router after even the most innocuous change in order to have the change activated (and that has always been a D-Link quirk).



--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.


MikeBalt

@comcast.net
reply to jjmb
I'm trying to retrieve a /60 via DHCP-PD, but when I set my SLA-Len to 4 I'm receiving a /64. If I try any other value I just don't learn a prefix. Any ideas?...


EG
The wings of love
Premium
join:2006-11-18
Union, NJ
kudos:10
said by MikeBalt :

I'm trying to retrieve a /60 via DHCP-PD, but when I set my SLA-Len to 4 I'm receiving a /64. If I try any other value I just don't learn a prefix. Any ideas?...

That's what they currently supply to the LAN. A /64.


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2
They will supply /60 to LAN on routers that will take it. See:

»Re: [IPv6] Comcast IPv6 Address Assignment/Delegation


NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage
said by graysonf:

They will supply /60 to LAN on routers that will take it. See:

»Re: [IPv6] Comcast IPv6 Address Assignment/Delegation

And it appears to be a coin toss whether or not Comcast (and/or the router) decides if your router will take it.

When I was running my DIR655 with its IPv6 firewall disabled, I got a /60 network assignment:




After I enabled the IPv6 firewall, I now get a /64 assignment (and a different WAN IPv6 address, and a different LAN PD prefix):




Enabling the IPv6 firewall is the only thing that changed on my side. The rest of the DIR655's IPv6 setup is the same, and the firmware is the same. Fortunately, I don't need (and wasn't depending on) the /60 assignment; but if I had been using it, I would have been pissed that something as simple (and normal) as enabling the IPv6 firewall would cause such a major change in my IPv6 addressing.
--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.


EG
The wings of love
Premium
join:2006-11-18
Union, NJ
kudos:10
reply to graysonf
said by graysonf:

They will supply /60 to LAN on routers that will take it. See:

»Re: [IPv6] Comcast IPv6 Address Assignment/Delegation

Apparently that is quite current and not what I learned from Comcast Tuska recently.

Siobhan

join:2008-03-30
Houston, TX
reply to amwdrizz
A /60 would be really nice, but even better would be any IPv6 address space from Comcast instead of still having to tunnel to he.net.

Happy new year, Comcast IPv6 team! Any updates on when us poor Cisco-CMTS people will be getting our dual-stack?

If you want a CMTS to test it out, I recommend starting with ten01.strack.tx.houston...


NetDog
Premium,VIP
join:2002-03-04
Parker, CO
kudos:79
reply to derekivey
said by derekivey:

Any updates on when the IPv6 trials for the Business Class customers will start? I emailed NetDog back in December and he put us down on the list.

Hate to say working on it.. But working on it.. Soon..


NetDog
Premium,VIP
join:2002-03-04
Parker, CO
kudos:79
reply to EG
said by EG:

said by graysonf:

They will supply /60 to LAN on routers that will take it. See:

»Re: [IPv6] Comcast IPv6 Address Assignment/Delegation

Apparently that is quite current and not what I learned from Comcast Tuska recently.

EG.. I pinged you on this one.. If you request anything smaller than a /64 you could have issues..


NetDog
Premium,VIP
join:2002-03-04
Parker, CO
kudos:79
reply to NetFixer
said by NetFixer:

said by graysonf:

They will supply /60 to LAN on routers that will take it. See:

»Re: [IPv6] Comcast IPv6 Address Assignment/Delegation

Enabling the IPv6 firewall is the only thing that changed on my side. The rest of the DIR655's IPv6 setup is the same, and the firmware is the same. Fortunately, I don't need (and wasn't depending on) the /60 assignment; but if I had been using it, I would have been pissed that something as simple (and normal) as enabling the IPv6 firewall would cause such a major change in my IPv6 addressing.

This is not a Comcast issue but a router issue, if your router doesn't support more than one LAN or network behind the WAN why would you need more than one /64?

My home router is a 3845, I have 5 LAN's off of it so yes I would request a /61 so I can enable all my LAN's for native IPv6.

So the next question is why would I ask for a /60 (16 networks) when I don't need a /60 but a /61 (8 networks). This is just me but I would only ask for what I need..

/60 (16 Network)
/61 (8 Network)
/62 (4 Network)
/63 (2 Network)
/64 (1 Network)
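
The prefix arithmetic from the table above and the reverse-DNS zones discussed earlier in the thread, as an added example that is not part of any post and is not Comcast's or any router vendor's code. It works out the prefix length to request for a given number of LANs, carves one /64 per LAN out of the delegated prefix, and derives the `ip6.arpa` zone name a PTR request would refer to. The prefix is a constructed sample from the 2001:db8::/32 documentation range and the LAN names are hypothetical.

```python
import ipaddress


def hint_length_for(lan_count: int) -> int:
    """Longest delegated prefix that still provides one /64 per LAN."""
    if lan_count < 1:
        raise ValueError("need at least one LAN")
    subnet_bits = (lan_count - 1).bit_length()  # 5 LANs -> 3 bits -> /61
    return 64 - subnet_bits


def reverse_zone(net: ipaddress.IPv6Network) -> str:
    """ip6.arpa zone covering `net`; zones are cut on 4-bit nibble boundaries."""
    if net.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4")
    hex_digits = net.network_address.exploded.replace(":", "")
    nibbles = hex_digits[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def plan(delegated: str, lans: list[str]) -> dict[str, tuple[str, str]]:
    """Assign one /64 (and its reverse zone) to each named LAN."""
    prefix = ipaddress.IPv6Network(delegated, strict=True)
    if prefix.prefixlen > 64:
        raise ValueError("delegated prefix is longer than /64")
    available = 2 ** (64 - prefix.prefixlen)
    if len(lans) > available:
        raise ValueError(
            f"/{prefix.prefixlen} holds {available} /64 network(s), "
            f"{len(lans)} requested; ask for a /{hint_length_for(len(lans))}"
        )
    subnets = prefix.subnets(new_prefix=64)
    return {name: (str(net), reverse_zone(net)) for name, net in zip(lans, subnets)}


if __name__ == "__main__":
    # Constructed sample: five LANs behind one router, as in the post above.
    lans = ["office", "guest", "voip", "lab", "dmz"]  # hypothetical names
    print("prefix length to request: /%d" % hint_length_for(len(lans)))
    for name, (net, zone) in plan("2001:db8:0:abc0::/61", lans).items():
        print(f"{name:8} {net:24} {zone}")
```
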