Comcast's Response For Use of a 64 Prefix for IPv6

PaulGo
DD-WRT User


Joined: 01 Dec 2021
Posts: 289
Location: Maryland, United States

Posted: Fri Apr 28, 2023 20:14    Post subject: Comcast's Response For Use of a 64 Prefix for IPv6
I asked Comcast's Chief Technical Officer why they use a 64 prefix for IPv6. This is the response I got:

"Hi Paul – Elad asked me to reach out to you about this. A /64 is likely the default that your router gets but you can ask for a /60 (a ‘prefix delegation request’, PD). I don’t know what the Netgear config pages look like but you should be able to request a /60 prefix and then you’ll have 16 /64 prefixes for subnetting on your LAN (one of which could be assigned to the R7000P)."

I did try this, but DD-WRT did not recognize this, and I did not get a WAN IPv6 address (both with and without the Firewall modification that works with the 64 prefix).

I then asked Google Bard "Why does Comcast use a 64 prefix for IPv6" and this is the response I got:

"Comcast uses a /64 prefix for IPv6 because it is the smallest prefix that can be used to create multiple subnets. A /64 prefix is equivalent to 2^64 possible addresses, which is more than enough addresses for most home networks. In addition, using a /64 prefix allows Comcast to easily segment their network and improve performance and security.

Here are some of the benefits of using a /64 prefix for IPv6:

More IPv6 addresses available to customers
More flexibility for Comcast's network
Improved network performance and security
Easy to set up for customers

If you are a Comcast customer and you are not using IPv6, I encourage you to set it up. It is the future of the internet and it is a great way to improve your network security and performance.

However, Comcast does allow customers to request a larger prefix if they need it. For example, a business with a large number of devices may need a larger prefix to avoid running out of addresses. To request a larger prefix, customers can contact Comcast customer support."
Mile-Lile
DD-WRT Guru


Joined: 24 Feb 2013
Posts: 1634
Location: Belgrade

Posted: Sat Apr 29, 2023 4:13
Some interesting facts if you have time to read, but I am not claiming they are 100% true because I am just a ddwrt user as you are...

1. giving /64 to end users is strongly discouraged by RIPE, IANA and others https://www.ripe.net/publications/docs/ripe-690

2. If you want to use ddwrt to ask for /60 from your ISP you must use custom dhcp6c configuration... don't use the GUI Prefix Length field, because it is designed for a dhcp6c that has changed in the meantime... I think (but I am not sure) that ddwrt uses dhcp6c within busybox so you must find the man page of busybox dhcp6c and find how to ask for /60

3. radvd works only with /64 so I would use dnsmasq because if you get /64 from your ISP on your br0 then all other interfaces will get /128 which is not enough for radvd to work correctly...
Mile-Lile
DD-WRT Guru


Joined: 24 Feb 2013
Posts: 1634
Location: Belgrade

Posted: Sat Apr 29, 2023 4:23
And to add something... in another post you are saying that ddwrt worked last year with comcast... you can easily check this by reverting to an older build that has the old firewall... if you suspect that it has something to do with ddwrt and its firewall... just reset to defaults... this way you will exclude either comcast or ddwrt... you will know where the problem is... but /64 is very odd... and I don't think that comcast has only one admin from tech support and the same setups in all cities... try openwrt or similar... you have so many options... but let us know your findings, I am really curious...
PaulGo
DD-WRT User


Joined: 01 Dec 2021
Posts: 289
Location: Maryland, United States

Posted: Sat Apr 29, 2023 17:39
I went back and tried builds from July and October 2022 (I did a reset); neither was successful in obtaining IPv6 from Comcast. I know it did work at the time so either Comcast changed something or there were values in nvram from the previous time that did not get erased from when I needed modifications to get Comcast to work. I remember that Comcast IPv6 failed to work after I did a reset to do a clean install.

I believe DD-WRT is the only non-OEM firmware that works with my R7000P. I use Verizon FiOS on this router and just try Comcast for testing purposes. My technical skills with Dnsmasq are very limited so I asked Google Bard for the Dnsmasq modification needed to try the 60 prefix. It gave me this which I put into the startup commands (it did not work):


nvram set dnsmasq_enable="1"
nvram set dnsmasq_interface="eth0"
nvram set dnsmasq_no_hosts="1"
nvram set dnsmasq_addn_hosts="/etc/dnsmasq.addnhosts"
nvram set dnsmasq_ipv6="1"
nvram set dnsmasq_dhcpv6_prefix="2001:db8::/60"

One additional comment, when I did a reset and enabled IPv6 the default prefix shown is 64 so DD-WRT does work with vendors that use a 64 prefix.
Mile-Lile
DD-WRT Guru


Joined: 24 Feb 2013
Posts: 1634
Location: Belgrade

Posted: Sat Apr 29, 2023 18:53
1. Flash latest ddwrt
2. Reset to defaults/erase nvram
3. Enable Ipv6
4. Choose DHCPv6 with PD from drop-down menu and don't change prefix length!

6. Enable DHCPv6 Client Daemon/Custom Configuration and paste this code:

Code:

interface vlan2 {
 send ia-pd 0;
 send rapid-commit;
 request domain-name-servers;
 script "/sbin/dhcp6c-state";
};
id-assoc pd 0 {
 prefix ::/60 infinity;
 prefix-interface br0 {
  sla-id 0;
  sla-len 4;
 };
};
id-assoc na 0 { };


7. Disable radvd
8. Save/Apply and wait until you get WAN ipv6 address in upper right corner of ddwrt GUI


9. Go to Services tab/dnsmasq section and in Additional Options paste this code:

Code:

enable-ra
ra-param=br0,10,300
dhcp-range=::,constructor:br0,ra-names,5m
dhcp-option=option6:dns-server,[::],[fe80::]


10. Save/Apply and after a few minutes try https://ipv6-test.com/
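The `prefix ::/60` and `sla-id 0` / `sla-len 4` lines in the dhcp6c stanza above decide which /64 br0 ends up with. As an added illustration (not dhcp6c's own code, not part of the thread), this reproduces that arithmetic for any sla-id and flags a delegation that cannot yield a /64 at all; the 2001:db8 prefix is a constructed documentation value.

```python
from ipaddress import IPv6Network


def lan_prefix(delegated: str, sla_id: int, sla_len: int) -> IPv6Network:
    """Prefix a dhcp6c 'prefix-interface' stanza derives from the delegated prefix.

    The SLA (site-level aggregator) bits sit directly after the delegated prefix,
    so the interface gets a prefix of length delegated + sla-len with sla-id in
    those bits. Added illustration of the arithmetic, not dhcp6c source.
    """
    net = IPv6Network(delegated)
    if not 0 <= sla_id < (1 << sla_len):
        raise ValueError(f"sla-id {sla_id} does not fit in sla-len {sla_len} bits")
    new_len = net.prefixlen + sla_len
    if new_len > 128:
        raise ValueError("sla-len overruns the 128-bit address")
    addr = int(net.network_address) | (sla_id << (128 - new_len))
    return IPv6Network((addr, new_len))


def is_slaac_size(prefix: IPv6Network) -> bool:
    """SLAAC on the LAN (what radvd / dnsmasq enable-ra advertise) needs a /64."""
    return prefix.prefixlen == 64


def all_lan_prefixes(delegated: str, sla_len: int) -> list:
    """Every sub-prefix this delegation can hand to prefix-interfaces with this sla-len."""
    return [lan_prefix(delegated, i, sla_len) for i in range(1 << sla_len)]
```

With a /60 and sla-len 4 there are exactly 16 /64s (sla-id 0..15), which is the count quoted in the Comcast reply at the top of the thread; a /64 delegation with the same sla-len 4 produces a /68, which no LAN SLAAC setup can use.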
PaulGo
DD-WRT User


Joined: 01 Dec 2021
Posts: 289
Location: Maryland, United States

Posted: Mon May 01, 2023 21:08
Mile-Lile - Thank you! I did what you suggest, and now Comcast IPv6 works with the 60 prefix. I did change the prefix from 64 to 60.

I still need the firewall patch:

ip6tables -I INPUT 2 -m udp -p udp --dport 546 -j ACCEPT
Mile-Lile
DD-WRT Guru


Joined: 24 Feb 2013
Posts: 1634
Location: Belgrade

Posted: Tue May 02, 2023 6:03
You are ddwrt user, so I would say that you are already "advanced" user, not a standard home user. So, try to understand what you are doing. And read. You must read a lot.

According to RFC 8415
https://www.rfc-editor.org/rfc/rfc8415.html

Clients listen for DHCPv6 messages on UDP port 546. Servers and relay agents listen for DHCPv6 messages on UDP port 547. Similar to IPv4 (the server listens on UDP port 67, and the client listens on UDP port 68).

So, your firewall "patch" is redundant IMHO. We already have the needed rule but it is more restrictive. If you ssh to your router and do:

Code:

ip6tables -S


you will see in INPUT chain (traffic coming to WAN interface - from outside our network) this rule:

Code:

ip6tables -A INPUT -s fe80::/10 -d fe80::/10 -p udp -m udp --sport 547 --dport 546 -m conntrack --ctstate NEW -j ACCEPT


and in my understanding this rule stands for:

accept only new connections:
Code:

-m conntrack --ctstate NEW -j ACCEPT


coming from outside our network:
Code:

ip6tables -A INPUT


but only with ipv6 link-local address as source address and only destined to our ipv6 link-local address (about link-local addresses read https://datatracker.ietf.org/doc/html/rfc4291):
Code:

-s fe80::/10 -d fe80::/10


and only protocol udp from source port 547 destined to port 546:
Code:

-p udp -m udp --sport 547 --dport 546



your patch, again IMHO, has a great security issue and I wouldn't use it. You ACCEPT all udp traffic coming to your 546 port from all ipv6 addresses, not just your ISP's link-local ipv6. Don't forget there is no NAT in ipv6...

So, either your ISP is doing something unusual again or our ddwrt rule has some problems (typo, or multiple commands don't work sometimes). To convince BS to change a firewall that works for 99% of ddwrt users, including himself, you must provide some "proofs". So, ask your ISP whether they use port 547 for dhcpv6 and the link-local fe80:: prefix for dhcpv6... and let's hope that someone with more knowledge will jump in and say something too... but I doubt it because you have been whining about this ipv6 stuff for quite some time...
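To make the difference between the two rules concrete, here is an added illustration (not DD-WRT or ip6tables code, not from the thread): a minimal matcher covering just the criteria the rules use, run over constructed packets, including the link-local ISP reply the stock rule is written for and two global-source UDP packets aimed at port 546. The 2001:db8 addresses are documentation values, not real traffic.

```python
"""Simulate how the stock DD-WRT rule and the OP's patch treat sample DHCPv6 packets.
Added illustration only; the matcher covers -s/-d networks, UDP ports and conntrack state."""
from dataclasses import dataclass
from ipaddress import IPv6Network, ip_address
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src: Optional[IPv6Network] = None  # -s
    dst: Optional[IPv6Network] = None  # -d
    sport: Optional[int] = None        # --sport
    dport: Optional[int] = None        # --dport
    new_only: bool = False             # -m conntrack --ctstate NEW

    def matches(self, pkt: dict) -> bool:
        """Every criterion present on the rule must hold; absent ones are wildcards."""
        return (
            pkt["proto"] == "udp"  # both rules carry -p udp
            and (self.src is None or ip_address(pkt["src"]) in self.src)
            and (self.dst is None or ip_address(pkt["dst"]) in self.dst)
            and (self.sport is None or pkt["sport"] == self.sport)
            and (self.dport is None or pkt["dport"] == self.dport)
            and (not self.new_only or pkt["state"] == "NEW")
        )


# Stock DD-WRT rule quoted above: link-local to link-local, 547 -> 546, new flows only.
STOCK = Rule("stock", IPv6Network("fe80::/10"), IPv6Network("fe80::/10"), 547, 546, True)
# The OP's patch: any source, any destination, any state, as long as dport is 546.
OP_PATCH = Rule("op_patch", dport=546)

# Constructed sample packets (2001:db8::/32 is the documentation range).
PACKETS = {
    "isp_dhcpv6_reply": dict(proto="udp", src="fe80::1", dst="fe80::1234", sport=547, dport=546, state="NEW"),
    "global_source_547": dict(proto="udp", src="2001:db8::53", dst="2001:db8:1::2", sport=547, dport=546, state="NEW"),
    "random_udp_to_546": dict(proto="udp", src="2001:db8:bad::1", dst="2001:db8:1::2", sport=40000, dport=546, state="NEW"),
}


def accepted_by(rule: Rule, packets: dict = PACKETS) -> list:
    """Names of the sample packets the rule would ACCEPT, sorted for stable comparison."""
    return sorted(name for name, pkt in packets.items() if rule.matches(pkt))
```

Only the link-local reply passes the stock rule; the patch admits all three, which is the exposure described above, since without NAT the router's global address is reachable directly.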
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Tue May 02, 2023 6:24
Your analysis is spot on.

The rule of the OP is a security risk.

We should not lower our security because of a bad implementation.

In case of a bad implementation it is up to the user to decide what to do and if he wants to lower his security.

Others already tried to convey that messages but the OP keeps coming back.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Mile-Lile
DD-WRT Guru


Joined: 24 Feb 2013
Posts: 1634
Location: Belgrade

Posted: Tue May 02, 2023 6:24
Can you try this? Save this firewall script as your startup script.

Code:

# Define chain to allow particular source link-local addresses and ports for dhcpv6 on ddwrt:
ip6tables -D INPUT -s fe80::/10 -d fe80::/10 -p udp -m udp --sport 547 --dport 546 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -N COMCAST
ip6tables -A COMCAST -s fe80::/10 -d fe80::/10 -j ACCEPT
ip6tables -A COMCAST -p udp -m udp --sport 547 --dport 546 -j ACCEPT
ip6tables -A COMCAST -p udp -m udp --sport 546 --dport 547 -j ACCEPT
ip6tables -A COMCAST -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A COMCAST -j DROP
# Note: nothing here jumps from INPUT to COMCAST, so its counters only record traffic if INPUT
# is made to reference it; the fourth rule accepts any new connection, so this chain is for
# diagnosis only and must not stay referenced from INPUT in normal operation.


reboot your unit, and after couple of minutes ssh to unit and copy-paste output of:

Code:

ip6tables -n -v -L COMCAST
Mile-Lile
DD-WRT Guru


Joined: 24 Feb 2013
Posts: 1634
Location: Belgrade

Posted: Tue May 02, 2023 6:31
egc wrote:
Your analysis is spot on.

The rule of the OP is a security risk.

We should not lower our security because of a bad implementation.

In case of a bad implementation it is up to the user to decide what to do and if he wants to lower his security.

Others already tried to convey that messages but the OP keeps coming back.


Hi egc :) you are right but I am really curious about his ISP's implementation of dhcpv6...
and maybe we are missing something... I never saw traffic on that rule in my firewall output... and knowing who did recent firewall6 changes:))))) dev and his associate forum member...
lets try to resolve this once for all... ddwrt always tried to work on all configs..
PaulGo
DD-WRT User


Joined: 01 Dec 2021
Posts: 289
Location: Maryland, United States

Posted: Wed May 03, 2023 16:46
Mile-Lile, I sent you a PM with the email address of a head engineer at Comcast. He has the ability to make changes to help resolve the firewall issue with DD-WRT.
Mile-Lile
DD-WRT Guru


Joined: 24 Feb 2013
Posts: 1634
Location: Belgrade

Posted: Wed May 03, 2023 20:36
yes, I understand you but I am just a forum member like you. I am not an educated IT specialist. I just like to read and learn new things. I don't think it's a good idea that I contact a Comcast engineer... I suggest you contact Sebastian directly and elaborate your problem to him... you can link this thread... maybe he is willing to do some firewall changes if it helps all Comcast users...
PaulGo
DD-WRT User


Joined: 01 Dec 2021
Posts: 289
Location: Maryland, United States

Posted: Thu May 04, 2023 14:54
Mile-Lile wrote:
yes, I understand you but I am just a forum member like you. I am not an educated IT specialist. I just like to read and learn new things. I don't think it's a good idea that I contact a Comcast engineer... I suggest you contact Sebastian directly and elaborate your problem to him... you can link this thread... maybe he is willing to do some firewall changes if it helps all Comcast users...


I am trying to understand how you can customize DD-WRT to adapt it for different functions, but your knowledge far exceeds mine. I will contact the Comcast engineer and tell him about the firewall problem. I will post any progress here.
silvarios
DD-WRT Novice


Joined: 23 Apr 2018
Posts: 23

Posted: Thu May 04, 2023 23:47
I have the same problem actually. And I was the one who found the possible solution in an old bug report on the DD-WRT bug tracker. We could have simply continued the thread in the last one but it was locked for some reason...

It is okay if there is not a global DD-WRT patch if it's a Comcast flaw on their end, but are we saying, if that is indeed the solution to get IPv6 working with Comcast, that every other modern router on the US market is similarly misconfigured, since they tend to work out of the box? That seems alarming if true. Not necessarily surprising, but alarming nonetheless.

I will test Mile-Lile's settings in a bit to see if I can get things working on my end since I am a fellow Comcast user.
silvarios
DD-WRT Novice


Joined: 23 Apr 2018
Posts: 23

Posted: Fri May 05, 2023 1:40
Waiting 11 minutes after reboot with firewall rules added as suggested.
ip6tables -n -v -L COMCAST
Code:
Chain COMCAST (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all      *      *       fe80::/10            fe80::/10           
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0                 udp spt:547 dpt:546
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0                 udp spt:546 dpt:547
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                 ctstate NEW
    0     0 DROP       all      *      *       ::/0                 ::/0