dwhess
join:2015-06-26
United State

dwhess

Member

AT&T U-Verse Protocol 41/IPv6 Net Neutrality Complaint with FCC

Since the FCC is now taking net neutrality complaints, I filed one about AT&T U-Verse blocking protocol 41. It only took a couple days for AT&T to get back to me and start the process of trying to figure out what is going on but it all came to naught.

I ended up spending a couple of days on the phone with AT&T technical support and we were unable to resolve the issue. They even managed to confuse "port 41" with "protocol 41". Their final position is that there are no official AT&T documents about blocking protocol 41 and there is nothing more they can do to help me. Somehow they considered this congruent with "we are not blocking it because you could always set up a VPN to tunnel protocol 41" and "we have to block protocol 41 because of law enforcement requirements" which are excuses given at various times during our conversations.

Just to confirm my sanity, I verified that it is still being blocked.

TestBoy
Premium Member
join:2009-10-13
Irmo, SC

TestBoy

Premium Member

said by dwhess:

"we have to block protocol 41 because of law enforcement requirements"

BULLSHIT.

I would file the complaint again.... make them keep working until they sort it.
dwhess
join:2015-06-26
United State

dwhess

Member

I took that to mean that their equipment cannot meet the CALEA requirements when dealing with protocol 41 but then why do their NVG589 pass protocol 41? I assume they do anyway.

j1349705
Premium Member
join:2006-04-15
Holly Springs, NC

2 recommendations

j1349705 to dwhess

Premium Member

to dwhess
I'm guessing you're trying to use a 6in4 tunnel, such as Hurricane Electric's Tunnelbroker service.

AT&T have been using this kind of "security" excuse for a while, despite the fact that other VPNs are allowed.

I'm sure you know this, but for the benefit of people who aren't familiar with this topic, these 6in4 tunnels are not encrypted so they can be easily monitored if law enforcement really wants to.

Is anyone familiar with any other ISP that breaks 6in4 tunnels, aside from ones using carrier grade NAT?

I know this started out on the Pace/2wire gateways after a firmware update... it also has been broken on other equipment (possibly even being dropped within the AT&T network before reaching the CPE), but not sure if it still impacts everything or just some equipment now.

See: »forums.att.com/t5/Reside ··· /3896665
cramer
Premium Member
join:2007-04-10
Raleigh, NC
Westell 6100
Cisco PIX 501

2 recommendations

cramer to dwhess

Premium Member

to dwhess
As I've explained (repeatedly), the issue is either explicit blocking of protocol 41 inbound at the border of the Uverse network (possible, but unlikely), or some seriously fucked up configuration of their stupid 6rd crap (very likely since that's when it broke.)

P:41 outbound works just fine. Inbound stops at the border. Protocol 47 (GRE) works just fine. If there were a "law enforcement" reason for a block (a) it would be in both directions, and (b) they'd have to block GRE, too. (translation: the CSR is repeating Pure Bullshit(tm) to get you off the phone.)

*** The only people with any hint of clue, or ability to even look into it, are the network engineers. You will never get to speak to one of them. ***

For reference, the issue with the Pace gateway was a coding / configuration bug where it was always terminating P:41 traffic. Given how poorly everything else worked on those things, the way 6rd was coded on them shouldn't be a surprise.
dwhess
join:2015-06-26
United State

2 recommendations

dwhess

Member

I am somewhat familiar with the history behind this having lived it in all of its stages but it is nice to get confirmation.

Originally I had a 6in4 tunnel through SIXXS and it worked great for a long time. Then AT&T apparently blocked protocol 41 at their border but switching to using the multicast gateway or AT&T's gateway solved that until the firmware update to the 2wire modems further blocked protocol 41.

I tried the FCC network neutrality complaint process to see if that would yield any positive results.
brianlan
join:2009-10-12
Garner, NC

brianlan to dwhess

Member

to dwhess
I'm just curious as to why you think that AT&T is required to support protocol 41 to begin with? It's not a requirement for anything other than a third-party service.

If you really want to use HE.net, just VPN to a VPS provider and tunnel over that.
Paralel
join:2011-03-24
Michigan, US

3 recommendations

Paralel

Member

ATT has to support it because otherwise it is in violation of the new Net Neutrality rules. They aren't allowed to intentionally block anything unless they can cite reasonable network management reasons. So, they are indeed required, by federal regulations, to allow Protocol 41 uninhibited across their network to end users.
brianlan
join:2009-10-12
Garner, NC

1 recommendation

brianlan

Member

Wrong, not on a residential connection. They are not providing a metro-e service to the residential customers. They are fully within their rights to block ports/protocols as they wish as long as they tell you they are doing it, which they have, the reason is irrelevant. Then it's up to you as the consumer to keep paying for that service after understanding the level of service being provided.

Take me for example, I have the gigapower 1gbps service. If I was totally unhappy with the fact that AT&T can't peer more than 20-75Mbps to most of the planet I would be within my right to cancel.

Also, that PoS NVG5xx device is another major limitation on the AT&T Uverse system. I have simply removed the need to use it post-boot. I do that and now the session limitation is a thing of the past.

The best question is why do you want to use HE.net or alternative services for IPv6 connectivity when AT&T gives it to you already for free and unrestricted?
Paralel
join:2011-03-24
Michigan, US

2 recommendations

Paralel

Member

Actually, yes, on a residential connection, according to the new rules.
brianlan
join:2009-10-12
Garner, NC

brianlan

Member

Show us the rules you speak of...
Paralel
join:2011-03-24
Michigan, US

1 recommendation

Paralel

Member

Is your Google broken? They're easy to find.
cramer
Premium Member
join:2007-04-10
Raleigh, NC
Westell 6100
Cisco PIX 501

1 edit

1 recommendation

cramer to brianlan

Premium Member

to brianlan
IP is IP is IP. The protocol under IP (tcp, udp, sctp, gre, etc) DOES. NOT. MATTER. They are interfering with a specific set of traffic. If intentionally, then it's a network neutrality issue. If by accident, then it's something they need to fix. (to date, they've simply ignored it, which suggests it's intentional)

dahan
join:2000-10-25
Leander, TX

1 recommendation

dahan to brianlan

Member

to brianlan
said by brianlan:

The best question is why do you want to use HE.net or alternative services for IPv6 connectivity when AT&T gives it to you already for free and unrestricted?

Because their RG is broken and doesn't actually work properly? In particular, the 3800HGV-B does not currently support DHCPv6 prefix delegation--there's a "DHCPv6 Enabled" checkbox in the web UI, which presumably enables DHCPv6 PD, but the checkbox is disabled and cannot be checked. So, you can't put your own router behind the RG if you want IPv6.

But if you let the RG handle all the IPv6 stuff, how do you modify the firewall settings to enable incoming IPv6 traffic to a device? Admittedly, I haven't looked too closely, but I didn't spot any IPv6 firewall settings, only v4.

TestBoy
Premium Member
join:2009-10-13
Irmo, SC

1 recommendation

TestBoy to Paralel

Premium Member

to Paralel
said by Paralel:

Is your Google broken? They're easy to find.

Let's be a LITTLE understanding... if he is asking for citation best just give it.

That said.....

Page 7 of FCC 15-24:

A person engaged in the provision of broadband Internet access service, insofar as such person is so engaged, shall not block lawful content, applications, services, or nonharmful devices, subject to reasonable network management.

Seems that protocol 41 could be a service or application.
Without it you ARE denying lawful content.

We could spin it a lot of ways but in my eyes - it's not very clear as to what this really is.
brianlan
join:2009-10-12
Garner, NC

2 recommendations

brianlan to cramer

Member

to cramer
Good luck folks, I believe they are telling you the truth in the fact that the feds won't allow them to openly support the tunneled IPv6 services. After all AT&T was the number 1 company to allow into the huts to sniff traffic.

Another reason to not use their NVG5xx shit, never know how much NSA shit that's in there.

TestBoy
Premium Member
join:2009-10-13
Irmo, SC

1 recommendation

TestBoy

Premium Member

said by brianlan:

I believe they are telling you the truth in the fact that the feds won't allow them to openly support the tunneled IPv6 services.

That I really think is nonsense.
Why does everyone else?
We are getting into tin foil hat territory suggesting that the feds are saying only AT&T is not allowed to do tunnels.
brianlan
join:2009-10-12
Garner, NC

brianlan

Member

Cause when you're in bed with the gov, you have to play their games.

I would believe that they will eventually play the purpose card, showing that VPNs have a purpose besides bypassing their tunnel killer. But only p41 is used for IPv6 avoidance which they deem not-allowed on the Uverse network. Therefore not allowed.

TestBoy
Premium Member
join:2009-10-13
Irmo, SC

2 recommendations

TestBoy

Premium Member

said by brianlan:

But only p41 is used for IPv6 avoidance which they deem not-allowed on the Uverse network. Therefore not allowed.

Okay... but we have 3 rules here in this 400 page document in the section they call "clear, bright-line rules"

A person engaged in the provision of broadband Internet access service, insofar as such person is so engaged, shall not block lawful content, applications, services, or nonharmful devices, subject to reasonable network management.


And..

A person engaged in the provision of broadband Internet access service, insofar as such person is so engaged, shall not impair or degrade lawful Internet traffic on the basis of Internet content, application, or service, or use of a non-harmful device, subject to reasonable network management.


And..

A person engaged in the provision of broadband Internet access service, insofar as such person is so engaged, shall not engage in paid prioritization.


I see nothing in these 3 rules that would allow them to say that IPv6 is something that is 'not allowed' on uverse. In fact these rules seem to protect IPv6 and related protocols from exactly what they are doing: blocking a lawful service.

I would like to see Hurricane Electric file this as a complaint. They provide this as a lawful service!
cramer
Premium Member
join:2007-04-10
Raleigh, NC
Westell 6100
Cisco PIX 501

1 recommendation

cramer to brianlan

Premium Member

to brianlan
said by brianlan:

Good luck folks, I believe they are telling you the truth ...

I think not. If that were the reason, P:41 would be blocked on the legacy DSL network as well. It isn't.

It's IP traffic, and in general, not encrypted. There is absolutely nothing preventing its interception and inspection. tcpdump and wireshark have been able to unwrap it for many years now. If the feds cannot make sense of it, they're morons.

j1349705
Premium Member
join:2006-04-15
Holly Springs, NC

j1349705 to brianlan

Premium Member

to brianlan
said by brianlan:

Cause when you're in bed with the gov, you have to play their games.

If that were the case, they would try to block other VPN traffic that is actually encrypted.

You can't hide anything in a 6in4 tunnel if the feds really want to know, unless you are using encrypted protocols - the same ones you can use with IPv4.

Not really sure if this is incompetence on AT&T's part, or if they just don't care. Guessing that they just don't care.

In any case, it would be damn hard to prove that this is "reasonable network management."

ipv6movement
@pppoe.ca

1 recommendation

ipv6movement to cramer

Anon

to cramer
said by cramer:

IP is IP is IP. The protocol under IP (tcp, udp, sctp, gre, etc) DOES. NOT. MATTER. They are interfering with a specific set of traffic. If intentionally, then it's a network neutrality issue. If by accident, then it's something they need to fix. (to date, they've simply ignored it, which suggests it's intentional)

ding ding ding. This works fine on all other ISPs. The reason provided is a lie and nothing more.

TestBoy
Premium Member
join:2009-10-13
Irmo, SC

TestBoy to brianlan

Premium Member

to brianlan
said by brianlan:

Another reason to not use their NVG5xx shit, never know how much NSA shit that's in there.

This too.
Never liked their gateways.... so we do agree on something

ipv6movement
@pppoe.ca

2 recommendations

ipv6movement to brianlan

Anon

to brianlan
said by brianlan:

The best question is why do you want to use HE.net or alternative services for IPv6 connectivity when AT&T gives it to you already for free and unrestricted?

No, that is the most irrelevant question. It doesn't matter. They have no reason or justification for limiting this particular protocol and on top of it they lie to their customers about why they have done so. That is even worse than the fact that they have done so.
ipv6movement

ipv6movement to brianlan

Anon

to brianlan
said by brianlan:

Good luck folks, I believe they are telling you the truth in the fact that the feds won't allow them to openly support the tunneled IPv6 services.

*shakes head* Way too gullible. That's why it works fine for all other ISPs? AT&T is the special exception eh.
dwhess
join:2015-06-26
United State

1 recommendation

dwhess to brianlan

Member

to brianlan
said by brianlan:

I'm just curious as to why you think that AT&T is required to support protocol 41 to begin with? It's not a requirement for anything other than a third-party service.

AT&T also suggested that I purchase equipment upgrades so that protocol 41 might work. Back when they first started blocking protocol 41, they were selling IPv6 as an upgrade. That is exactly the kind of conflict which network neutrality is supposed to address.
said by brianlan:

If you really want to use HE.net, just VPN to a VPS provider and tunnel over that.

They suggested that as well in the same session where they mentioned the law enforcement issue. If they cannot intercept protocol 41 to meet CALEA requirements, then how can they do so while allowing a VPN to operate?
dwhess

dwhess to dahan

Member

to dahan
said by dahan:

Because their RG is broken and doesn't actually work properly? In particular, the 3800HGV-B does not currently support DHCPv6 prefix delegation--there's a "DHCPv6 Enabled" checkbox in the web UI, which presumably enables DHCPv6 PD, but the checkbox is disabled and cannot be checked. So, you can't put your own router behind the RG if you want IPv6.

The 2wire 3600HGV has the same problem. I gather that the NVG589 works correctly and either passes protocol 41 or has working prefix delegation but AT&T wanted to charge me a one time fee and a continuing monthly rental fee to fix something which should not be broken.
dwhess

dwhess to cramer

Member

to cramer
said by cramer:

IP is IP is IP. The protocol under IP (tcp, udp, sctp, gre, etc) DOES. NOT. MATTER.

I made this same argument while on the phone with them. When AT&T's technician called me back, she managed to confuse protocol number with port number and tried to convince me that opening UDP port 41 would allow protocol 41 to pass through.
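
Added example, not part of any post in this thread: a small Python parser that shows the two technical points raised above, namely that "protocol 41" is the IPv4 header's protocol field and has nothing to do with UDP port 41, and that a 6in4 payload is a cleartext IPv6 packet whose addresses can be read directly (as cramer notes tcpdump and wireshark already do). The function names and the sample packets are constructed for illustration and use documentation address ranges.

```python
import ipaddress
import struct

PROTO_UDP, PROTO_IPV6_ENCAP = 17, 41  # IANA IP protocol numbers, not ports

def classify(packet: bytes) -> dict:
    """Parse an IPv4 packet; if it is 6in4, read the cleartext inner IPv6 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    info = {"ip_protocol": packet[9],     # the field a "protocol 41" filter matches
            "outer_src": str(ipaddress.IPv4Address(packet[12:16])),
            "outer_dst": str(ipaddress.IPv4Address(packet[16:20]))}
    payload = packet[ihl:]
    if info["ip_protocol"] == PROTO_UDP and len(payload) >= 8:
        # Ports exist only inside UDP/TCP; port 41 here is unrelated to protocol 41.
        info["kind"] = "udp"
        info["src_port"], info["dst_port"] = struct.unpack("!HH", payload[:4])
    elif (info["ip_protocol"] == PROTO_IPV6_ENCAP and len(payload) >= 40
          and payload[0] >> 4 == 6):
        # 6in4: a whole IPv6 packet follows the IPv4 header, unencrypted.
        info["kind"] = "6in4"
        info["inner_next_header"] = payload[6]
        info["inner_src"] = str(ipaddress.IPv6Address(payload[8:24]))
        info["inner_dst"] = str(ipaddress.IPv6Address(payload[24:40]))
    else:
        info["kind"] = "other"
    return info

def ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed sample packet: minimal IPv4 header (checksum left 0) + payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address("192.0.2.10").packed,
                       ipaddress.IPv4Address("198.51.100.1").packed) + payload

# Constructed inputs using documentation address ranges.
INNER_V6 = struct.pack("!IHBB16s16s", 0x60000000, 8, 58, 64,   # next header 58 = ICMPv6
                       ipaddress.IPv6Address("2001:db8::1").packed,
                       ipaddress.IPv6Address("2001:db8::2").packed) + bytes(8)
SAMPLE_6IN4 = ipv4(PROTO_IPV6_ENCAP, INNER_V6)
SAMPLE_UDP_PORT_41 = ipv4(PROTO_UDP, struct.pack("!HHHH", 40000, 41, 8, 0))

if __name__ == "__main__":
    for pkt in (SAMPLE_6IN4, SAMPLE_UDP_PORT_41):
        print(classify(pkt))
```
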
dwhess

dwhess to brianlan

Member

to brianlan
said by brianlan:

The best question is why do you want to use HE.net or alternative services for IPv6 connectivity when AT&T gives it to you already for free and unrestricted?

AT&T is *not* providing IPv6 connectivity to me. Further, on the systems where they do, they apparently block all incoming ports.
cramer
Premium Member
join:2007-04-10
Raleigh, NC
Westell 6100
Cisco PIX 501

1 edit

1 recommendation

cramer to dwhess

Premium Member

to dwhess
Like I said, you're never going to get anyone on the phone that knows anything. The frontline people (i.e. the ones that talk to customers) can't even spell IPv6, much less understand how anything about IP (any version) works.

[EDIT] They may have fixed this. I'm seeing "-P 41" traceroutes getting beyond the border. I, personally, no longer have any uverse accounts from which to test.