Joined: 01 Dec 2021 Posts: 289 Location: Maryland, United States
Posted: Fri Apr 28, 2023 20:14 Post subject: Comcast's Response For Use of a 64 Prefix for IPv6
I asked Comcast's Chief Technical Officer why they use a 64 prefix for IPv6. This is the response I got:
"Hi Paul – Elad asked me to reach out to you about this. A /64 is likely the default that your router gets but you can ask for a /60 (a ‘prefix delegation request’, PD). I don’t know what the Netgear config pages look like but you should be able to request a /60 prefix and then you’ll have 16 /64 prefixes for subnetting on your LAN (one of which could be assigned to the R7000P)."
I did try this, but DD-WRT did not recognize this, and I did not get a WAN IPv6 address (both with and without the Firewall modification that works with the 64 prefix).
I then asked Google Bard "Why does Comcast use a 64 prefix for IPv6" and this is the response I got:
"Comcast uses a /64 prefix for IPv6 because it is the smallest prefix that can be used to create multiple subnets. A /64 prefix is equivalent to 2^64 possible addresses, which is more than enough addresses for most home networks. In addition, using a /64 prefix allows Comcast to easily segment their network and improve performance and security.
Here are some of the benefits of using a /64 prefix for IPv6:
More IPv6 addresses available to customers
More flexibility for Comcast's network
Improved network performance and security
Easy to set up for customers
If you are a Comcast customer and you are not using IPv6, I encourage you to set it up. It is the future of the internet and it is a great way to improve your network security and performance.
However, Comcast does allow customers to request a larger prefix if they need it. For example, a business with a large number of devices may need a larger prefix to avoid running out of addresses. To request a larger prefix, customers can contact Comcast customer support."
2. If you want to use ddwrt to ask for /60 from your ISP you must use custom dhcp6c configuration... don't use GUI Prefix Length field, because it is designed for dhcp6c that changed in the meanwhile... I think (but I am not sure) that ddwrt uses dhcp6c within busybox so you must find man page of busybox dhcp6c and find how to ask /60
3. radvd works only with /64 so I would use dnsmasq because if you get /64 from your ISP on your br0 then all other interfaces will get /128 which is not enough for radvd to work correctly...
Joined: 24 Feb 2013 Posts: 1634 Location: Belgrade
Posted: Sat Apr 29, 2023 4:23 Post subject:
And to add something... in other post you are saying that ddwrt worked last year with comcast... you can easily check this by reverting to older build that has old firewall... if you suspect that it has something to do with ddwrt and its firewall... just reset to defaults... this way you will exclude either comcast or ddwrt... you will know where the problem is... but /64 is very odd... and I don't think that comcast has only one admin from tech support and same setups in all cities... try openwrt or similar... you have so many options... but let us know your findings I am really curious...
Joined: 01 Dec 2021 Posts: 289 Location: Maryland, United States
Posted: Sat Apr 29, 2023 17:39 Post subject:
I went back and tried builds from July and October 2022 (I did a reset); both were not successful in obtaining IPv6 from Comcast. I know it did work at the time so either Comcast changed something or there were values in nvram from previous time that did not get erased from when I needed modifications to get Comcast to work. I remember that Comcast IPv6 failed to work after I did a reset to do a clean install.
I believe DD-WRT is the only non-OEM firmware that works with my R7000P. I use Verizon FiOS on this router and just try Comcast for testing purposes. My technical skills with Dnsmasq are very limited so I asked Google Bard for the Dnsmasq modification needed to try the 60 prefix. It gave me this which I put into the startup commands (it did not work):
nvram set dnsmasq_enable="1"
nvram set dnsmasq_interface="eth0"
nvram set dnsmasq_no_hosts="1"
nvram set dnsmasq_addn_hosts="/etc/dnsmasq.addnhosts"
nvram set dnsmasq_ipv6="1"
nvram set dnsmasq_dhcpv6_prefix="2001:db8::/60"
One additional comment, when I did a reset and enabled IPv6 the default prefix shown is 64 so DD-WRT does work with vendors that use a 64 prefix.
Joined: 24 Feb 2013 Posts: 1634 Location: Belgrade
Posted: Tue May 02, 2023 6:03 Post subject:
You are ddwrt user, so I would say that you are already "advanced" user, not a standard home user. So, try to understand what you are doing. And read. You must read a lot.
Clients listen for DHCPv6 messages on UDP port 546. Servers and relay agents listen for DHCPv6 messages on UDP port 547. Similar to ipv4 (the server listens on UDP port number 67, and the client listens on UDP port number 68).
So, your firewall "patch" is redundant IMHO. We already have needed rule but it is more restrictive. If you ssh to your router and do:
Code:
ip6tables -S
you will see in INPUT chain (traffic coming to WAN interface - from outside our network) this rule:
but only with ipv6 link-local address as source address and only destined to our ipv6 link-local address (about link-local addresses read https://datatracker.ietf.org/doc/html/rfc4291):
Code:
-s fe80::/10 -d fe80::/10
and only protocol udp from source port 547 destined to port 546:
Code:
-p udp -m udp --sport 547 --dport 546
your patch, again IMHO, has a great security issue and I wouldn't use it. You ACCEPT all udp traffic coming to your 546 port from all ipv6 addresses not just your ISP's link-local ipv6. Don't forget there is no NAT in ipv6...
So, either your ISP is doing something unusual again or our ddwrt rule has some problems (typo or multiple commands doesn't work sometimes). To convince BS to change firewall that works for 99% of ddwrt users, including himself, you must provide some "proofs". So, ask your ISP do they use 547 port for dhcpv6 and link-local fe80:: prefix for dhcpv6... and let's hope that someone with more knowledge will jump in and say something too... but doubt because you are whining with this ipv6 stuff for quite some time...
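To make the difference between the two rules concrete, here is an added example (not from the thread or from DD-WRT) that mirrors the match logic of the stock rule quoted above and of the "accept any UDP to port 546" patch, then runs both over a few constructed packets: a legitimate DHCPv6 reply from a link-local source, the same reply from a global source, and a link-local packet with the wrong source port.

```python
import ipaddress
from dataclasses import dataclass

# RFC 4291 link-local prefix used by the stock DD-WRT INPUT rule
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


@dataclass(frozen=True)
class Packet:
    """Minimal view of an inbound WAN packet: the fields ip6tables matches on."""
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def matches_ddwrt_rule(pkt: Packet) -> bool:
    """Stock rule: -s fe80::/10 -d fe80::/10 -p udp --sport 547 --dport 546."""
    return (pkt.proto == "udp"
            and ipaddress.IPv6Address(pkt.src) in LINK_LOCAL
            and ipaddress.IPv6Address(pkt.dst) in LINK_LOCAL
            and pkt.sport == 547
            and pkt.dport == 546)


def matches_permissive_rule(pkt: Packet) -> bool:
    """The patch as described in the thread: any UDP packet to port 546."""
    return pkt.proto == "udp" and pkt.dport == 546


# Constructed samples; 2001:db8::/32 is the documentation prefix, not a real host.
SAMPLES = {
    "isp_link_local_reply": Packet("fe80::1", "fe80::abcd", "udp", 547, 546),
    "global_source_to_546": Packet("2001:db8::1", "2001:db8::2", "udp", 547, 546),
    "link_local_wrong_sport": Packet("fe80::1", "fe80::abcd", "udp", 1234, 546),
}


def evaluate(samples=SAMPLES) -> dict:
    """Return {name: (accepted_by_stock_rule, accepted_by_patch)} for each sample."""
    return {name: (matches_ddwrt_rule(p), matches_permissive_rule(p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (stock, patch) in evaluate().items():
        print(f"{name:24s} stock={stock!s:5s} patch={patch}")
```

Only the first sample is accepted by the stock rule; the patch accepts all three, which is the exposure being pointed out.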
Joined: 24 Feb 2013 Posts: 1634 Location: Belgrade
Posted: Tue May 02, 2023 6:31 Post subject:
egc wrote:
Your analysis is spot on.
The rule of the OP is a security risk.
We should not lower our security because of a bad implementation.
In case of a bad implementation it is up to the user to decide what to do and if he wants to lower his security.
Others already tried to convey that messages but the OP keeps coming back.
Hi egc you are right but I am really curious about his ISP's implementation of dhcpv6...
and maybe we are missing something... I never saw traffic on that rule in my firewall output... and knowing who did recent firewall6 changes:))))) dev and his associate forum member...
let's try to resolve this once for all... ddwrt always tried to work on all configs..
Joined: 01 Dec 2021 Posts: 289 Location: Maryland, United States
Posted: Wed May 03, 2023 16:46 Post subject:
Mile-Lile, I sent you a PM with the email address of a head engineer at Comcast. He has the ability to make changes to help resolve the firewall issue with DD-WRT.
Joined: 24 Feb 2013 Posts: 1634 Location: Belgrade
Posted: Wed May 03, 2023 20:36 Post subject:
yes, I understand you but I am just a forum member like you. I am not educated IT specialist. I just like to read and learn new things. I don't think it's a good idea that I contact Comcast engineer... I suggest you to contact Sebastian directly and to elaborate your problem to him... you can link this thread... maybe he is willing to do some firewall changes if it helps all Comcast users...
Joined: 01 Dec 2021 Posts: 289 Location: Maryland, United States
Posted: Thu May 04, 2023 14:54 Post subject:
Mile-Lile wrote:
yes, I understand you but I am just a forum member like you. I am not educated IT specialist. I just like to read and learn new things. I don't think it's a good idea that I contact Comcast engineer... I suggest you to contact Sebastian directly and to elaborate your problem to him... you can link this thread... maybe he is willing to do some firewall changes if it helps all Comcast users...
I am trying to understand how you can customize DD-WRT to adopt it for different functions, but your knowledge far exceeds mine. I will contact the Comcast engineer and tell him about the firewall problem. I will post any progress here.
I have the same problem actually. And I was the one who found the possible solution in an old bug report on the DD-WRT bug tracker. We could have simply continued the thread in the last one but it was locked for some reason...
It is okay if there is not a global DD-WRT patch if it's a Comcast flaw on their end, but are we saying if that is indeed the solution to get IPv6 working with Comcast, that every other modern router on the US market is similarly misconfigured, since they tend to work out of the box? That seems alarming if true. Not necessarily surprising, but alarming nonetheless.
I will test Mile-Lile's settings in a bit to see if I can get things working on my end since I am a fellow Comcast user.