

NetFixer
Bah Humbug
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage

1 edit
reply to voiptalk

Re: [IPv6] Comcast IPv6 Address Assignment/Delegation

said by voiptalk:

On that D-Link DIR-655, you may want to verify that the IPv6 firewall ("IPv6 Simple Security" enabled) is working properly in FW 2.10.

I tested that router with 2.08 Beta01 and it worked properly .. all ports were blocked on a port scan. I upgraded to 2.10 and it was no longer working. Downgraded to 2.08 Beta01 and it functioned again. So, it looks like firewall is broken.

This is a followup to my previous reply. Your post prompted me to take another look at the firmware version 2.10 IPv6 firewall settings. I found that the problems I originally saw were caused by using both the "IPv6 Simple Security" settings and the manual IPv6 firewall settings at the same time (and I had originally not created a default outbound rule since that is typically a built-in default for most router based firewalls). With the setup below, the IPv6 firewall rules in my DIR655 with firmware version 2.10 work properly, and I can now control my IPv6 firewall rules in a central place (which was one of my reasons for purchasing the DIR655). My primary problem with the DIR655 is its brain dead requirement to reboot the router after even the most innocuous change in order to have the change activated (and that has always been a D-Link quirk).



--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.


MikeBalt

@comcast.net
reply to jjmb
I'm trying to retrieve a /60 via DHCP-PD, but when I set my SLA-Len to 4 I'm receiving a /64. If I try any other value I just don't learn a prefix. Any ideas?...


EG
The wings of love
Premium
join:2006-11-18
Union, NJ
kudos:10
said by MikeBalt :

I'm trying to retrieve a /60 via DHCP-PD, but when I set my SLA-Len to 4 I'm receiving a /64. If I try any other value I just don't learn a prefix. Any ideas?...

That's what they currently supply to the LAN. A /64.


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2
They will supply /60 to LAN on routers that will take it. See:

»Re: [IPv6] Comcast IPv6 Address Assignment/Delegation


NetFixer
Bah Humbug
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage
said by graysonf:

They will supply /60 to LAN on routers that will take it. See:

»Re: [IPv6] Comcast IPv6 Address Assignment/Delegation

And it appears to be a coin toss whether or not Comcast (and/or the router) decides if your router will take it.

When I was running my DIR655 with its IPv6 firewall disabled, I got a /60 network assignment:




After I enabled the IPv6 firewall, I now get a /64 assignment (and a different WAN IPv6 address, and a different LAN PD prefix):




Enabling the IPv6 firewall is the only thing that changed on my side. The rest of the DIR655's IPv6 setup is the same, and the firmware is the same. Fortunately, I don't need (and wasn't depending on) the /60 assignment; but if I had been using it, I would have been pissed that something as simple (and normal) as enabling the IPv6 firewall would cause such a major change in my IPv6 addressing.


EG
The wings of love
Premium
join:2006-11-18
Union, NJ
kudos:10
reply to graysonf
said by graysonf:

They will supply /60 to LAN on routers that will take it. See:

»Re: [IPv6] Comcast IPv6 Address Assignment/Delegation

Apparently that is quite current and not what I learned from Comcast Tuska recently.

Siobhan

join:2008-03-30
Houston, TX
reply to amwdrizz
A /60 would be really nice, but even better would be any IPv6 address space from Comcast instead of still having to tunnel to he.net.

Happy new year, Comcast IPv6 team! Any updates on when us poor Cisco-CMTS people will be getting our dual-stack?

If you want a CMTS to test it out, I recommend starting with ten01.strack.tx.houston...


NetDog
Premium,VIP
join:2002-03-04
Parker, CO
kudos:81
reply to derekivey
said by derekivey:

Any updates on when the IPv6 trials for the Business Class customers will start? I emailed NetDog back in December and he put us down on the list.

Hate to say working on it.. But working on it.. Soon..


NetDog
Premium,VIP
join:2002-03-04
Parker, CO
kudos:81
reply to EG
said by EG:

said by graysonf:

They will supply /60 to LAN on routers that will take it. See:

»Re: [IPv6] Comcast IPv6 Address Assignment/Delegation

Apparently that is quite current and not what I learned from Comcast Tuska recently.

EG.. I pinged you on this one.. If you request anything smaller than a /64 you could have issues..


NetDog
Premium,VIP
join:2002-03-04
Parker, CO
kudos:81
reply to NetFixer
said by NetFixer:

said by graysonf:

They will supply /60 to LAN on routers that will take it. See:

»Re: [IPv6] Comcast IPv6 Address Assignment/Delegation

Enabling the IPv6 firewall is the only thing that changed on my side. The rest of the DIR655's IPv6 setup is the same, and the firmware is the same. Fortunately, I don't need (and wasn't depending on) the /60 assignment; but if I had been using it, I would have been pissed that something as simple (and normal) as enabling the IPv6 firewall would cause such a major change in my IPv6 addressing.

This is not a Comcast issue but a router issue, if your router doesn't support more than one LAN or network behind the WAN why would you need more than one /64?

My home router is a 3845, I have 5 LANs off of it so yes I would request a /61 so I can enable all my LANs for native IPv6.

So the next question is why would I ask for a /60 (16 networks) when I don't need a /60 but a /61 (8 networks). This is just me but I would only ask for what I need..

/60 (16 Network)
/61 (8 Network)
/62 (4 Network)
/63 (2 Network)
/64 (1 Network)


NetDog
Premium,VIP
join:2002-03-04
Parker, CO
kudos:81
reply to Siobhan
said by Siobhan:

A /60 would be really nice, but even better would be any IPv6 address space from Comcast instead of still having to tunnel to he.net.

Happy new year, Comcast IPv6 team! Any updates on when us poor Cisco-CMTS people will be getting our dual-stack?

If you want a CMTS to test it out, I recommend starting with ten01.strack.tx.houston...

Really close, we have some Cisco CMTS's testing in the field now..


EG
The wings of love
Premium
join:2006-11-18
Union, NJ
kudos:10
reply to NetDog
said by NetDog:

EG.. I pinged you on this one.. If you request anything smaller than a /64 you could have issues..

Got it. Thank you sir !


camper
Premium
join:2010-03-21
Bethel, CT
kudos:1
Reviews:
·Comcast
reply to jjmb
said by jjmb:

I run the IPv6 program at Comcast and can answer your questions.... [a bunch of excellent info snipped]

 
jjmb, many thanks for your informative answer.


NetFixer
Bah Humbug
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage
reply to NetDog
said by NetDog:

said by NetFixer:

said by graysonf:

They will supply /60 to LAN on routers that will take it. See:

»Re: [IPv6] Comcast IPv6 Address Assignment/Delegation

Enabling the IPv6 firewall is the only thing that changed on my side. The rest of the DIR655's IPv6 setup is the same, and the firmware is the same. Fortunately, I don't need (and wasn't depending on) the /60 assignment; but if I had been using it, I would have been pissed that something as simple (and normal) as enabling the IPv6 firewall would cause such a major change in my IPv6 addressing.

This is not a Comcast issue but a router issue, if your router doesn't support more than one LAN or network behind the WAN why would you need more than one /64?

My home router is a 3845, I have 5 LANs off of it so yes I would request a /61 so I can enable all my LANs for native IPv6.

So the next question is why would I ask for a /60 (16 networks) when I don't need a /60 but a /61 (8 networks). This is just me but I would only ask for what I need..

/60 (16 Network)
/61 (8 Network)
/62 (4 Network)
/63 (2 Network)
/64 (1 Network)

It would seem to me to be a Comcast issue when the router does support multiple IPv6 networks (I previously tested with my guest network behind it), and it used to get the /60 allocation but now it does not get it.

Comcast definitely used to supply the requested /60, but that suddenly stopped, and that is illustrated in the screen shots I previously posted. It is perhaps a total coincidence, but it happened after /60 vs /64 allocations were initially discussed in this forum in which I posted that I was getting a /60 assignment.

I had initially thought that perhaps enabling the IPv6 firewall in the router had caused this change, but I have since temporarily disabled the IPv6 firewall and rebooted the router, but I still only got the /64.

FWIW, "I" wasn't explicitly requesting a /60 allocation, the router was just getting it by default (I only have the option to enable/disable DHCP-PD). I don't currently need it (since I have a business class "c05" config file, my guest network can have its own totally isolated IPv4 and /64 IPv6 network), but I just thought that it was interesting that I used to automatically get the /60 allocation, but suddenly that stopped (for no reason that is apparent to me).


NetDog
Premium,VIP
join:2002-03-04
Parker, CO
kudos:81
said by NetFixer:

It would seem to me to be a Comcast issue when the router does support multiple IPv6 networks (I previously tested with my guest network behind it), and it used to get the /60 allocation but now it does not get it.

Comcast definitely used to supply the requested /60, but that suddenly stopped, and that is illustrated in the screen shots I previously posted. It is perhaps a total coincidence, but it happened after /60 vs /64 allocations were initially discussed in this forum in which I posted that I was getting a /60 assignment.

I PMed you my work email, send me your info like the DUID of your router and cable modem MAC..

But we are accepting anything up to a /60 via DHCP, but the route injection will not work on some CMTS's. I have tested this and I am using it so I know this works and doesn't work in some cases.

My config looks like this:

on My WAN
ipv6 dhcp client pd hint ::/61
ipv6 dhcp client pd prefix-from-Comcast

On my LAN's
ipv6 address prefix-from-Comcast ::1/64

ipv6 address prefix-from-Comcast ::1:0:0:0:1/64

ipv6 address prefix-from-Comcast ::2:0:0:0:1/64

and so on...

bigjoesmith

join:2000-11-21
Peoria, IL

1 recommendation

reply to NetDog
said by NetDog:

said by Siobhan:

A /60 would be really nice, but even better would be any IPv6 address space from Comcast instead of still having to tunnel to he.net.

Happy new year, Comcast IPv6 team! Any updates on when us poor Cisco-CMTS people will be getting our dual-stack?

If you want a CMTS to test it out, I recommend starting with ten01.strack.tx.houston...

Really close, we have some Cisco CMTS's testing in the field now..

I'm glad to hear that the Cisco CMTSs are close. However, I suspect Seattle needs the IPv6 goodness before Houston

AVonGauss
Premium
join:2007-11-01
Boynton Beach, FL
Nah, I'm fairly certain Boynton Beach needs IPv6 before Seattle and Texas. Oh, did I mention it's in the 70s out? Maybe the engineers should personally come down and make sure the CMTS is upgraded correctly.


NetDog
Premium,VIP
join:2002-03-04
Parker, CO
kudos:81
said by AVonGauss:

Nah, I'm fairly certain Boynton Beach needs IPv6 before Seattle and Texas. Oh, did I mention it's in the 70s out? Maybe the engineers should personally come down and make sure the CMTS is upgraded correctly.

Ok that is funny.. Because in March I will be in Orlando for IETF 86, March 10-15.. Denver Cold.. Orlando Warm.. Oh yes..

AVonGauss
Premium
join:2007-11-01
Boynton Beach, FL
Boynton Beach, two hours south of Orlando - 45 minutes north of Miami - and one very neglected Cisco CMTS needing attention. It doesn't even have upstream bonding yet, it might take a week on-site to get into shape - or at least that's what I'd put on the travel requisition.

magamiako

join:2006-01-14
Halethorpe, MD

2 edits
reply to NetDog
Okay,

Rephrasing here.

Whenever I configure my juniper to request ::/60 ; I'll receive a /64 back from Comcast.

If I create another IAPD-ID, say, 1, and put another preference for ::/60, I'll get another /64 back, but all routing then stops for the original /64 I received. I assume because it's overwriting the route entry on the ISP end with the new /64.

** So I think I found my problem **

It seems the SSG5 is not passing the IA_PD Prefix option along with the IA_PD Option. Which would explain why I'm getting a /64, because the DHCP server is defaulting to a /64 when no request for a larger prefix comes through.

I've sent my flow logs off to Juniper to see if they can figure it out and give me an answer.


NetDog
Premium,VIP
join:2002-03-04
Parker, CO
kudos:81
said by magamiako:

I've sent my flow logs off to Juniper to see if they can figure it out and give me an answer.

PM me the Juniper case number and I will troubleshoot this on my end as well. PM me your model number as well.


mackey
Premium
join:2007-08-20
kudos:13
reply to magamiako
said by magamiako:

Whenever I configure my juniper to request ::/60 ; I'll receive a /64 back from Comcast.

If I create another IAPD-ID, say, 1, and put another preference for ::/60, I'll get another /64 back, but all routing then stops for the original /64 I received. I assume because it's overwriting the route entry on the ISP end with the new /64.

I'm seeing something similar using WIDE-DHCPv6 on a Linux (CentOS) box.

If I request ::/60 I just get a /64 back. However, if I request 2 IA_PD's in the same request using different ID's, the server happily obliges. (The packet looks something like "Req IA_NA, ID 0; Req IA_PD, ID 1; Req IA_PD, ID 2"). Both of the returned /64's work fine after a several seconds/minute delay (I'm assuming the routes are propagating during this time).

/M
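Added example, not code from any poster in this thread: a small Python parser that lists the IA_NA and IA_PD options in a DHCPv6 client message and reports any IA_PD sent without an IA Prefix option, which is the missing-hint condition magamiako describes and the multi-IA_PD request mackey describes. The sample messages are constructed for illustration, and the function names are this example's own.

```python
import ipaddress
import struct

# DHCPv6 option codes (RFC 8415)
OPT_CLIENTID, OPT_IA_NA, OPT_IA_PD, OPT_IAPREFIX = 1, 3, 25, 26

def iter_options(buf):
    """Yield (code, data) for each option TLV, rejecting truncated input."""
    off = 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError(f"option {code} overruns the buffer")
        yield code, buf[off:off + length]
        off += length

def summarize(msg):
    """Return [(kind, iaid, [hints])] for every IA_NA / IA_PD in a message."""
    if len(msg) < 4:
        raise ValueError("message shorter than the DHCPv6 header")
    found = []
    for code, data in iter_options(msg[4:]):      # skip msg-type + 3-byte xid
        if code not in (OPT_IA_NA, OPT_IA_PD):
            continue
        if len(data) < 12:                        # IAID, T1, T2
            raise ValueError("short IA option")
        iaid = struct.unpack_from("!I", data)[0]
        hints = []
        if code == OPT_IA_PD:
            for sub, body in iter_options(data[12:]):
                if sub == OPT_IAPREFIX and len(body) >= 25:
                    # lifetimes (8 bytes), prefix length (1), prefix (16)
                    hints.append(f"{ipaddress.IPv6Address(body[9:25])}/{body[8]}")
        found.append(("IA_PD" if code == OPT_IA_PD else "IA_NA", iaid, hints))
    return found

def pd_without_hint(msg):
    """IAIDs of IA_PD options that carry no IA Prefix option (no size hint)."""
    return [iaid for kind, iaid, hints in summarize(msg)
            if kind == "IA_PD" and not hints]

# --- constructed sample messages (not captures from this thread) ---
def opt(code, data=b""):
    return struct.pack("!HH", code, len(data)) + data

def ia(code, iaid, sub=b""):
    return opt(code, struct.pack("!III", iaid, 0, 0) + sub)

def hint(plen):
    return opt(OPT_IAPREFIX, struct.pack("!IIB", 0, 0, plen) + bytes(16))

def solicit(*opts):
    duid = opt(OPT_CLIENTID, bytes.fromhex("00030001020000000001"))
    return b"\x01\x00\x00\x01" + duid + b"".join(opts)

NO_HINT = solicit(ia(OPT_IA_NA, 0), ia(OPT_IA_PD, 1))
WITH_HINT = solicit(ia(OPT_IA_NA, 0), ia(OPT_IA_PD, 1, hint(60)))
TWO_PD = solicit(ia(OPT_IA_NA, 0), ia(OPT_IA_PD, 1), ia(OPT_IA_PD, 2))

if __name__ == "__main__":
    for name in ("NO_HINT", "WITH_HINT", "TWO_PD"):
        print(name, summarize(globals()[name]), pd_without_hint(globals()[name]))
```

To check a real router, pass `summarize()` the UDP payload of its Solicit or Request taken from a WAN-side packet capture.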


NetDog
Premium,VIP
join:2002-03-04
Parker, CO
kudos:81

1 edit
said by mackey:

said by magamiako:

Whenever I configure my juniper to request ::/60 ; I'll receive a /64 back from Comcast.

If I create another IAPD-ID, say, 1, and put another preference for ::/60, I'll get another /64 back, but all routing then stops for the original /64 I received. I assume because it's overwriting the route entry on the ISP end with the new /64.

I'm seeing something similar using WIDE-DHCPv6 on a Linux (CentOS) box.

If I request ::/60 I just get a /64 back. However, if I request 2 IA_PD's in the same request using different ID's, the server happily obliges. (The packet looks something like "Req IA_NA, ID 0; Req IA_PD, ID 1; Req IA_PD, ID 2"). Both of the returned /64's work fine after a several seconds/minute delay (I'm assuming the routes are propagating during this time).

/M

Does your CentOS Box have more than one VLAN or LAN behind the WAN? If not there is no point in asking for anything less than /64? Do you really need that many networks that a /60 will give you? Just asking...


mackey
Premium
join:2007-08-20
kudos:13
said by NetDog:

Does your CentOS Box have more than one VLAN or LAN behind the WAN? If not there is no point in asking for anything less than /64? Do you really need that many networks that a /60 will give you? Just asking...

I thought this thread was about the current state of getting something larger than a /64 on Comcast's network, not justifying the need for something larger. My bad.

RFC 6177 says ISPs should issue something significantly larger than a /64 and "the default assignment size should take into consideration the likelihood that an end site will have need for multiple subnets in the future and avoid the IPv4 practice of having frequent and continual justification for obtaining small amounts of additional space."

I need more than a single /64. I shouldn't need to justify requesting something as tiny as a /60. Back on page 1 jjmb said the default size later this year will be a /60. Why are you guys even thinking about doing that if you feel no one has a valid reason for getting anything larger than a /64?

/M


NetFixer
Bah Humbug
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage
said by mackey:

I need more than a single /64. I shouldn't need to justify requesting something as tiny as a /60. Back on page 1 jjmb said the default size later this year will be a /60. Why are you guys even thinking about doing that if you feel no one has a valid reason for getting anything larger than a /64?

It's called the left hand vs right hand syndrome. It is a common malady in many (if not most) large organizations.


NetDog
Premium,VIP
join:2002-03-04
Parker, CO
kudos:81
reply to mackey
This is me just asking a question, trying to understand what people are thinking. Yes I have read that RFC, and a lot of others on IPv6 as well. I was thinking we could have a dialogue about this subject but I guess not.

So I will leave topic with this "Comcast will change the default to a /60 at a later date, but today it is /64. If your device supports requesting a smaller prefix up till a /60 you can request it."


Mike Wolf

join:2009-05-24
Beachwood, NJ
kudos:4
How do I know if my Linksys router supports these different things? Is there a way for Comcast to check?

biomesh
Premium
join:2006-07-08
Tomball, TX
reply to NetDog
My guess is that users will set up guest vlans or networks. This could also be used for vpn configurations in order to isolate their 'business network' from their 'home network'.

AVonGauss
Premium
join:2007-11-01
Boynton Beach, FL
reply to mackey
said by mackey:

RFC 6177 says ISPs should issue something significantly larger than a /64 and "the default assignment size should take into consideration the likelihood that an end site will have need for multiple subnets in the future and avoid the IPv4 practice of having frequent and continual justification for obtaining small amounts of additional space."

I need more than a single /64. I shouldn't need to justify requesting something as tiny as a /60. Back on page 1 jjmb said the default size later this year will be a /60. Why are you guys even thinking about doing that if you feel no one has a valid reason for getting anything larger than a /64?

/M

A bit of an overreaction, no? It was simply a question asked, not a demand for justification on how or for what purpose are you planning on using it - a fair question. I'd be willing to bet if we really took a look at it, this would fall more under the "I want to tinker" category, which is alright, but let's not masquerade it as something which it is not.


NetDog
Premium,VIP
join:2002-03-04
Parker, CO
kudos:81

1 edit
reply to Mike Wolf
said by Mike Wolf:

How do I know if my Linksys router supports these different things? Is there a way for Comcast to check?

Ok back to a dialogue???

Tell you the truth I only know two routers that support a smaller prefix hint. Cisco IOS and a Cisco RV042G, other than that I have not tried other devices. But if you request a smaller prefix the DHCP server will grant to your device but depending on the CMTS you're on will depend on if your route will get injected. It is safe at this time to just stick with the /64.

I will post when it is safe to request a smaller prefix.