 NetFixerFrom my cold dead handsPremium
join:2004-06-24
The Boro
 ·Comcast Business..
 ·Vonage
 ·Cingular Wireless
·Comcast
1 edit | reply to voiptalk
Re: [IPv6] Comcast IPv6 Address Assignment/Delegation said by voiptalk:On that D-Link DIR-655, you may want to verify that the IPv6 firewall ("IPv6 Simple Security" enabled) is working properly in FW 2.10.
I tested that router with 2.08 Beta01 and it worked properly .. all ports were blocked on a port scan. I upgraded to 2.10 and it was no longer working. Downgraded to 2.08 Beta01 and it functioned again. So, it looks like firewall is broken.
This is a followup to my previous reply. Your post prompted me to take another look at the firmware version 2.10 IPv6 firewall settings. I found that the problems I originally saw were caused by using both the "IPv6 Simple Security" settings and the manual IPv6 firewall settings at the same time (and I had originally not created a default outbound rule since that is typically a built-in default for most router based firewalls). With the setup below, the IPv6 firewall rules in my DIR655 with firmware version 2.10 work properly, and I can now control my IPv6 firewall rules in a central place (which was one of my reasons for purchasing the DIR655). My primary problem with the DIR655 is its brain dead requirement to reboot the router after even the most innocuous change in order to have the change activated (and that has always been a D-Link quirk).
--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.
When governments fear people, there is liberty. When the people fear the government, there is tyranny. |
|
| reply to jjmb
I'm trying to retrieve a /60 via DHCP-PD, but when I set my SLA-Len to 4 I'm receiving a /64. If I try any other value I just don't learn a prefix. Any ideas?... |
|
 EGThe wings of lovePremium
join:2006-11-18
Union, NJ
kudos:9 | said by MikeBalt :I'm trying to retrieve a /60 via DHCP-PD, but when I set my SLA-Len to 4 I'm receiving a /64. If I try any other value I just don't learn a prefix. Any ideas?...
That's what they currently supply to the LAN. A /64. |
|
 graysonfPremium,MVM
join:1999-07-16
Fort Lauderdale, FL | They will supply /60 to LAN on routers that will take it. See:
»Re: [IPv6] Comcast IPv6 Address Assignment/Delegation |
|
NetFixerFrom my cold dead handsPremium
join:2004-06-24
The Boro Reviews:
·Comcast Business..
·Vonage
·Cingular Wireless
·Comcast
| And it appears to be a coin toss whether or not Comcast (and/or the router) decides if your router will take it.
When I was running my DIR655 with its IPv6 firewall disabled, I got a /60 network assignment:
After I enabled the IPv6 firewall, I now get a /64 assignment (and a different WAN IPv6 address, and a different LAN PD prefix):
Enabling the IPv6 firewall is the only thing that changed on my side. The rest of the DIR655's IPv6 setup is the same, and the firmware is the same. Fortunately, I don't need (and wasn't depending on) the /60 assignment; but if I had been using it, I would have been pissed that something as simple (and normal) as enabling the IPv6 firewall would cause such a major change in my IPv6 addressing.
--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.
When governments fear people, there is liberty. When the people fear the government, there is tyranny. |
|
EGThe wings of lovePremium
join:2006-11-18
Union, NJ
kudos:9 | reply to graysonf
Apparantly that is quite current and not what I learned from Comcast Tuska recently. |
|
| reply to amwdrizz
A /60 would be really nice, but even better would be any IPv6 address space from Comcast instead of still having to tunnel to he.net.
Happy new year, Comcast IPv6 team! Any updates on when us poor Cisco-CMTS people will be getting our dual-stack?
If you want a CMTS to test it out, I recommend starting with ten01.strack.tx.houston...  |
|
 NetDogPremium,VIP
join:2002-03-04
Parker, CO
kudos:4
·Comcast
| reply to derekivey
said by derekivey:Any updates on when the IPv6 trials for the Business Class customers will start? I emailed NetDog back in December and he put us down on the list.
Hate to say working on it.. But working on it..  Soon.. |
|
|
|
NetDogPremium,VIP
join:2002-03-04
Parker, CO
kudos:4 Reviews:
·Comcast
| reply to EG
said by EG:Apparantly that is quite current and not what I learned from Comcast Tuska recently. EG.. I pinged you on this one.. If you request anything smaller then a /64 you could have issues.. |
|
NetDogPremium,VIP
join:2002-03-04
Parker, CO
kudos:4 Reviews:
·Comcast
| reply to NetFixer
said by NetFixer:Enabling the IPv6 firewall is the only thing that changed on my side. The rest of the DIR655's IPv6 setup is the same, and the firmware is the same. Fortunately, I don't need (and wasn't depending on) the /60 assignment; but if I had been using it, I would have been pissed that something as simple (and normal) as enabling the IPv6 firewall would cause such a major change in my IPv6 addressing. This is not a Comcast issue but a router issue, if your router doesn't support more then one LAN or network behind the WAN why would you need more then one /64?
My home router is a 3845, I have 5 LAN's off of it so yes I would request a /61 so I can enabled all my LAN's for native IPv6.
So the next question is why would I ask for a /60 (16 networks) when I don't need a /60 but a /61 (8 networks). This is just me but I would only ask for that I need..
/60 (16 Network)
/61 (8 Network)
/62 (4 Network)
/63 (2 Network)
/64 (1 Network) |
|
NetDogPremium,VIP
join:2002-03-04
Parker, CO
kudos:4 Reviews:
·Comcast
| reply to Siobhan
said by Siobhan:A /60 would be really nice, but even better would be any IPv6 address space from Comcast instead of still having to tunnel to he.net.
Happy new year, Comcast IPv6 team! Any updates on when us poor Cisco-CMTS people will be getting our dual-stack?
If you want a CMTS to test it out, I recommend starting with ten01.strack.tx.houston...
Really close, we have some Cisco CMTS's testing in the field now.. |
|
EGThe wings of lovePremium
join:2006-11-18
Union, NJ
kudos:9 | reply to NetDog
said by NetDog:EG.. I pinged you on this one.. If you request anything smaller then a /64 you could have issues..
Got it. Thank you sir ! |
|
 camperPremium
join:2010-03-21
Bethel, CT
·Comcast
| reply to jjmb
said by jjmb:I run the IPv6 program at Comcast and can answer your questions.... [a bunch of excellent info snipped]
jjmb, many thanks for your informative answer. |
|
NetFixerFrom my cold dead handsPremium
join:2004-06-24
The Boro Reviews:
·Comcast Business..
·Vonage
·Cingular Wireless
·Comcast
| reply to NetDog
said by NetDog:said by NetFixer:Enabling the IPv6 firewall is the only thing that changed on my side. The rest of the DIR655's IPv6 setup is the same, and the firmware is the same. Fortunately, I don't need (and wasn't depending on) the /60 assignment; but if I had been using it, I would have been pissed that something as simple (and normal) as enabling the IPv6 firewall would cause such a major change in my IPv6 addressing. This is not a Comcast issue but a router issue, if your router doesn't support more then one LAN or network behind the WAN why would you need more then one /64? My home router is a 3845, I have 5 LAN's off of it so yes I would request a /61 so I can enabled all my LAN's for native IPv6. So the next question is why would I ask for a /60 (16 networks) when I don't need a /60 but a /61 (8 networks). This is just me but I would only ask for that I need.. /60 (16 Network) /61 (8 Network) /62 (4 Network) /63 (2 Network) /64 (1 Network) It would seem to me to be a Comcast issue when the router does support multiple IPv6 networks (I previously tested with my guest network behind it), and it used to get the /60 allocation but now it does not get it.
Comcast definitely used to supply the requested /60, but that suddenly stopped, and that is illustrated in the screen shots I previously posted. It is perhaps a total coincidence, but it happened after /60 vs /64 allocations were initially discussed in this forum in which I posted that I was getting a /60 assignment.
I had initially thought that perhaps enabling the IPv6 firewall in the router had caused this change, but I have since temporarily disabled the IPv6 firewall and rebooted the router, but I still only got the /64.
FWIW, "I" wasn't explicitly requesting a /60 allocation, the router was just getting it by default (I only have the option to enable/disable DHCP-PD). I don't currently need it (since I have a business class "c05" config file, my guest network can have its own totally isolated IPv4 and /64 IPv6 network), but I just thought that it was interesting that I used to automatically get the /60 allocation, but suddenly that stopped (for no reason that is apparent to me).
--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.
When governments fear people, there is liberty. When the people fear the government, there is tyranny. |
|
NetDogPremium,VIP
join:2002-03-04
Parker, CO
kudos:4 Reviews:
·Comcast
| said by NetFixer:It would seem to me to be a Comcast issue when the router does support multiple IPv6 networks (I previously tested with my guest network behind it), and it used to get the /60 allocation but now it does not get it.
Comcast definitely used to supply the requested /60, but that suddenly stopped, and that is illustrated in the screen shots I previously posted. It is perhaps a total coincidence, but it happened after /60 vs /64 allocations were initially discussed in this forum in which I posted that I was getting a /60 assignment.
I PMed you my work email, send me your info like the DUID of your router and cable modem MAC..
But we are accepting anything up to a /60 via DHCP, but the route injection will not work on some CMTS's. I have tested this and I am using it so I know this works and doesn't work in some cases.
My config looks like this:
on My WAN
ipv6 dhcp client pd hint ::/61
ipv6 dhcp client pd prefix-from-Comcast
On my LAN's
ipv6 address prefix-from-Comcast ::1/64
ipv6 address prefix-from-Comcast ::1:0:0:0:1/64
ipv6 address prefix-from-Comcast ::2:0:0:0:1/64
and so on... |
|
| reply to NetDog
said by NetDog:said by Siobhan:A /60 would be really nice, but even better would be any IPv6 address space from Comcast instead of still having to tunnel to he.net.
Happy new year, Comcast IPv6 team! Any updates on when us poor Cisco-CMTS people will be getting our dual-stack?
If you want a CMTS to test it out, I recommend starting with ten01.strack.tx.houston...
Really close, we have some Cisco CMTS's testing in the field now.. I'm glad to hear that the Cisco CMTSs are close. However, I suspect Seattle needs the IPv6 goodness before Houston |
|
AVonGaussPremium
join:2007-11-01
Boynton Beach, FL | Nah, I'm fairly certain Boynton Beach needs IPv6 before Seattle and Texas. Oh, did I mention its in the 70s out? Maybe the engineers should personally come down and make sure the CMTS is upgraded correctly. |
|
NetDogPremium,VIP
join:2002-03-04
Parker, CO
kudos:4 Reviews:
·Comcast
| said by AVonGauss:Nah, I'm fairly certain Boynton Beach needs IPv6 before Seattle and Texas. Oh, did I mention its in the 70s out? Maybe the engineers should personally come down and make sure the CMTS is upgraded correctly.
Ok that is funny.. Because in March I will be in Orlando for IETF 86, March 10-15.. Denver Cold.. Orlando Warm.. Oh yes.. |
|
AVonGaussPremium
join:2007-11-01
Boynton Beach, FL | Boynton Beach, two hours south of Orlando - 45 minutes north of Miami - and one very neglected Cisco CMTS needing attention. It doesn't even have upstream bonding yet, it might take a week on-site to get in to shape - or at least that's what I'd put on the travel requisition. |
|
2 edits | reply to NetDog
Okay,
Rephrasing here.
Whenever I configure my juniper to request ::/60 ; I'll receive a /64 back from Comcast.
If I create another IAPD-ID, say, 1, and put another preference for ::/60, I'll get another /64 back, but all routing then stops for the original /64 I received. I assume because it's overwriting the route entry on the ISP end with the new /64.
** So I think I found my problem **
It seems the SSG5 is not passing the IA_PD Prefix option aloing with the IA_PD Option. Which would explain why I'm getting a /64, because the DHCP server is defaulting to a /64 when no request for a larger prefix comes through.
I've sent my flow logs off to Juniper to see if they can figure it out and give me an answer. |
|
