
Twc Ipv6 Prefix Assignment

For years, I have been happily using a Hurricane Electric IPv6 tunnel for my IPv6 at home. I have had it on five different ISPs and it has “just worked” (with the notable exception of U-Verse[1]) for 5+ years. However, my tunnel terminated in LA, and latency has recently become an issue. I don’t blame HE; I picked where the tunnel terminated, and I live in Austin, TX now. So, I decided to finally drop the tunnel and switch to native IPv6 from my ISP (Time Warner Cable) instead. I’ve deployed IPv6 in data centers, written blog posts, and built two production products that use IPv6 almost exclusively. I figured this would be a cakewalk!

Boy, was I wrong.

Getting an IP address using IPv6

For 90% of the world, most people deploy SLAAC. This is a stateless system where the router on your network sends out a multicast message every 30s or so (called a Router Advertisement) that says something to the effect of “Hello [2001:DB8:472:101::/64], I am [2001:DB8:472:101::1] and I’ll be your router”, at which point your system generates an EUI-64 host address (which is derived from your MAC address and, if privacy extensions are on, is hashed for your protection), appends it to the [2001:DB8:472:101::/64] subnet, yielding an address like [2001:DB8:472:101:1910:4202:cf43:9b2e]. That address is assigned to the interface, the default route is set to the router address, and we all move on with life.

Important side note: your IPv6 interface will have at least two addresses assigned to it. One starts with fe80:: and contains your MAC address with a few extra characters in it. This is your link-local address; it can only talk to other link-local addresses on the same Layer 2 (LAN or VLAN) segment. It is NOT publicly addressable outside your local Layer 2 segment. This becomes important in a moment.
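As an added worked example (not from the post), here is how the EUI-64 address described above is formed from a MAC, and why the MAC can be read straight back out of it, which is the tracking concern privacy extensions answer. The MAC is the one quoted in the DHCP section further down, which the post shows as fe80::5054:ff:fee4:5a3c.

```python
import ipaddress
from typing import Optional

# Values quoted on the page: the SLAAC prefix from the article and the MAC
# whose link-local address the DHCPv6 paragraph shows as fe80::5054:ff:fee4:5a3c.
PREFIX = ipaddress.IPv6Network("2001:db8:472:101::/64")
LINK_LOCAL = ipaddress.IPv6Network("fe80::/64")
MAC = "52:54:00:e4:5a:3c"


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291 appendix A) from a 48-bit MAC:
    split the MAC, insert ff:fe in the middle, flip the universal/local bit (0x02)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def slaac_address(prefix: ipaddress.IPv6Network, mac: str) -> ipaddress.IPv6Address:
    """The address SLAAC forms without privacy extensions: /64 prefix + EUI-64 IID."""
    if prefix.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(prefix.network_address) | eui64_iid(mac))


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC embedded in an EUI-64 address, or None if the IID is not
    EUI-64 shaped (e.g. a privacy-extension address). Because the IID is the same
    under every prefix, a stable EUI-64 host can be followed across networks."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    ll = slaac_address(LINK_LOCAL, MAC)
    gl = slaac_address(PREFIX, MAC)
    print(ll)                         # fe80::5054:ff:fee4:5a3c
    print(gl)                         # 2001:db8:472:101:5054:ff:fee4:5a3c
    print(mac_from_address(str(gl)))  # 52:54:00:e4:5a:3c
```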

However, ISPs don’t like this. It’s stateless by design, but that means any number of devices could be attached to your modem and ask for an address! “That’s madness! We charge by machine!” they say. Right. Whatever. So, they need a more stateful system. Also, SLAAC doesn’t provide any DNS information which can be a problem.

Enter DHCPv6

DHCPv6, as the name implies, is the IPv6 version of DHCP. It’s similar in concept, and wildly different in execution. DHCP in the IPv4 world sends a broadcast message asking for a DHCP lease. The response comes back from any server saying something to the effect of “Hello MAC 52:54:00:e4:5a:3c, take address 203.0.113.8424, use router 203.0.113.1, use DNS servers 8.8.8.8 and 8.8.4.4, and set your domain name to example.com”. At which point you would be configured and move on with life.

In the IPv6 world, DHCP has a lot more options and request types than IPv4 did. So, the default out-of-the-box DHCPv6 client simply asks for an address. It does this by sending a message to the DHCP multicast address [ff02::1:2] using the link-local address on the interface. Then some random node will send you back a response like “Hello [fe80::5054:ff:fee4:5a3c], take address [2001:DB8:472:101:da3:9b97:960a:edf4/128]”. Well, at least that’s what the TWC DHCPv6 servers do. No router, no DNS, nothing else.

However, this is a SINGLE IPv6 address. Not really useful for a router. Unlike IPv4, THERE IS NO SNAT/PAT. Anyone who says otherwise is LYING! Everything, and I mean EVERYTHING, gets a real routable IPv6 address. There is no equivalent to the IPv4 standbys of 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16, so don’t ask. So, how does this work? You need what is called a “prefix delegation”; this lets you ask for one or more /64 netblocks for use behind your router.

So, we enable the “prefix delegation” flag and retry DHCPv6. The response back was not what I expected: “Hello [fe80::5054:ff:fee4:5a3c], take prefix delegation [2001:DB8:fec:4acd::/64]”. So now my public interface has no routable address, and I have a prefix delegation. Great. Turns out you have to ask for a prefix delegation (IA_PD), a non-temporary address assignment (IA_NA), and while you are at it you might as well ask for your DNS servers and domain name. Added bonus for Comcast customers: the prefix delegation comes from a different DHCPv6 server, so it may take a while to show up. At that point you get back almost everything you need. Almost.
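An added example, not from the post: a minimal parser for the DHCPv6 Reply described above, showing that the single /128 (IA_NA) and the delegated /64 (IA_PD) arrive in separate option containers, which is why asking for only one of them gets you only one of them. The sample message is constructed from the addresses quoted in the text; the IAID, lifetimes, transaction id and DNS server are placeholders.

```python
import ipaddress
import struct

REPLY = 7  # DHCPv6 message type
OPT_IA_NA, OPT_IAADDR, OPT_IA_PD, OPT_IAPREFIX, OPT_DNS_SERVERS = 3, 5, 25, 26, 23  # RFC 8415


def parse_options(buf: bytes):
    """Yield (code, data) for a run of DHCPv6 options: 2-byte code, 2-byte length, data."""
    off = 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError("truncated DHCPv6 option")
        yield code, buf[off:off + length]
        off += length


def parse_reply(msg: bytes) -> dict:
    """Extract what a Reply actually granted: IA_NA addresses, IA_PD prefixes, DNS servers."""
    if len(msg) < 4 or msg[0] != REPLY:
        raise ValueError("not a DHCPv6 Reply")
    got = {"addresses": [], "prefixes": [], "dns": []}
    for code, data in parse_options(msg[4:]):          # skip msg-type + 3-byte transaction id
        if code in (OPT_IA_NA, OPT_IA_PD):
            for sub, sd in parse_options(data[12:]):    # skip IAID, T1, T2
                if code == OPT_IA_NA and sub == OPT_IAADDR:
                    got["addresses"].append(f"{ipaddress.IPv6Address(sd[:16])}/128")
                elif code == OPT_IA_PD and sub == OPT_IAPREFIX:
                    got["prefixes"].append(f"{ipaddress.IPv6Address(sd[9:25])}/{sd[8]}")
        elif code == OPT_DNS_SERVERS:
            got["dns"] += [str(ipaddress.IPv6Address(data[i:i + 16])) for i in range(0, len(data), 16)]
    return got


def _opt(code: int, data: bytes) -> bytes:
    return struct.pack("!HH", code, len(data)) + data


def build_sample_reply() -> bytes:
    """Constructed Reply (not a capture) carrying the address and prefix quoted in the article."""
    ia_hdr = struct.pack("!III", 1, 1800, 2880)  # IAID, T1, T2 (placeholder values)
    addr = ipaddress.IPv6Address("2001:db8:472:101:da3:9b97:960a:edf4").packed
    pfx = ipaddress.IPv6Address("2001:db8:fec:4acd::").packed
    ia_na = _opt(OPT_IA_NA, ia_hdr + _opt(OPT_IAADDR, addr + struct.pack("!II", 3600, 7200)))
    ia_pd = _opt(OPT_IA_PD, ia_hdr + _opt(OPT_IAPREFIX, struct.pack("!IIB", 3600, 7200, 64) + pfx))
    dns = _opt(OPT_DNS_SERVERS, ipaddress.IPv6Address("2001:db8::53").packed)
    return bytes([REPLY, 0x12, 0x34, 0x56]) + ia_na + ia_pd + dns
```

Running `parse_reply(build_sample_reply())` returns the /128, the /64 and the DNS server as three separate lists.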

Where is the router?

DHCPv6 typically does not provide a router for you. You are supposed to ask for one yourself using the “Router Solicitation” mechanism of IPv6. In FreeBSD (what my router at home runs) there is a lovely process that does this for you: “rtsold”. (Linux seems to do this automagically for you and doesn’t need a process.) Great. Now I have all the pieces I need. Or so I thought.

All the IPv6 client tools suck

My router at home is a box I built myself running FreeBSD. Why FreeBSD? Because I like “pf”, and the conntrack code in Linux is suboptimal. I hear it’s much better than it was when I moved my routers to FreeBSD or OpenBSD 10 years ago, but I’ve not done extensive testing recently. Lots of things deploy NAT with conntrack in production using Linux, so it can’t be as bad as it was when my poor home router was falling over every time we fired up Counter-Strike, which made 60k connections right off the bat. I also like to use my stuff at home as a test bed for bigger stuff in place at “work”.

So, the ISC DHCP client on FreeBSD will assign your IA_NA to the interface, write the IA_PD to syslog, and fire off a script with the DNS information. Not super useful. The KAME DHCP client on FreeBSD will assign your IA_NA to the interface, assign your IA_PD to a different interface, and fire off a script for DNS information. Better.

However, the version of rtsold which ships with FreeBSD 10 only ever logs the router address. Sure, it will call a script when one is seen, but how to find what the new router address should be is an exercise left to the reader.

On top of this, my prefix delegation changes from TWC whenever they feel like it. I have a reasonable number of IPv6 rules in pf, and I need to re-run that with the new prefix information every time that happens, and that is also an exercise left up to the reader.
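One way to script that exercise (added here as an example; this is not the author's setup): carve /64s out of whatever block was delegated and regenerate a default-deny pf ruleset for it, keeping only the stable 64-bit host suffix of each published service so the same host is re-permitted under the new prefix. The delegated block, the segment names, the `em0` interface and the service list are constructed placeholders.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed example values (not from either post): a delegated /56, the LAN
# segments behind the router, and the services reachable from outside. Each service
# is (segment, stable 64-bit host suffix, TCP port); the suffix survives a prefix change.
DELEGATED = "2001:db8:fec:4a00::/56"
SEGMENTS = ["lan", "guest", "iot"]
SERVICES: List[Tuple[str, str, int]] = [("lan", "::5054:ff:fee4:5a3c", 22)]
WAN_IF = "em0"


def carve_64s(delegated: str, names: List[str]) -> Dict[str, ipaddress.IPv6Network]:
    """Assign one /64 per named segment from the delegated block, in order."""
    block = ipaddress.IPv6Network(delegated)
    if block.prefixlen > 64:
        raise ValueError(f"{delegated} is smaller than a /64; nothing to carve")
    subnets = list(block.subnets(new_prefix=64))
    if len(names) > len(subnets):
        raise ValueError(f"{delegated} yields {len(subnets)} /64s, need {len(names)}")
    return dict(zip(names, subnets))


def render_pf_rules(wan_if: str, delegated: str, segments: Dict[str, ipaddress.IPv6Network],
                    services: List[Tuple[str, str, int]]) -> str:
    """Render a default-deny inet6 ruleset for the current delegation.

    IPv4 pf rules say nothing about inet6 traffic, so without this every host behind
    the router is reachable on every port. Re-run whenever the delegated prefix changes."""
    lines = [
        f"# IPv6 rules generated for delegation {delegated}",
        f"block in on {wan_if} inet6 all",
        f"pass in on {wan_if} inet6 proto icmp6 all",                              # RA, ND, PMTUD
        f"pass in on {wan_if} inet6 proto udp from any port 547 to any port 546",  # DHCPv6 replies
        f"pass out on {wan_if} inet6 from {delegated} to any keep state",
    ]
    for segment, suffix, port in services:
        net = segments[segment]
        host = ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv6Address(suffix)))
        lines.append(f"pass in on {wan_if} inet6 proto tcp from any to {host} port {port} keep state")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_pf_rules(WAN_IF, DELEGATED, carve_64s(DELEGATED, SEGMENTS), SERVICES))
```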

I give up

At this point, I considered moving the router to Linux. So, I did some research. The DHCP client situation seems to be better, but you still have a lot of “magic” that needs to be done with scripts when your prefix changes, and all that magic is still an exercise left up to the reader. So, I decided to switch to a pfSense install instead. It took a little extra work, but everything I want is (mostly) working. The native IPv6 stuff “just works”. The rest of the monitoring and remote access stuff was a bit more clicky than I wanted but seems to be working. I couldn’t run Asterisk on my router any longer, so that’s behind the firewall and port-forwarded. It took a little while to work through all the magic that requires, but it’s all working now as well.

TL;DR Manual sucked, used pfSense

It’s super simple to get working, and the interface is reasonable. It has OpenVPN built in, works on just about any hardware, has all the pf goodness baked in, and has many dynamic DNS clients so you can set up an OpenVPN server easily. Other good choices are Mikrotik and m0n0wall, but I don’t know if m0n0wall does IPv6 yet.

Moving Forward

I’m still using FreeBSD for my data center routers, but those all have static IPv6 addressing or SLAAC, so that works fine. I may yet switch my home router over to Linux and get the lay of the land there. I will probably go full crazy and implement nftables instead of iptables & ip6tables and find many, many bugs. I may just start by doing that on a lab router and cutting my teeth there. The TWC support staff don’t speak IPv6, and won’t help you if you call. At least that was my experience, so if your router doesn’t do it for you, good luck.

I’m also investigating better ways for people to be able to reach IPv6-enabled services when they don’t have native IPv6 on their desktop. It’s not really a problem for me (I have VPNs and whatnot I can use), but for users of the things I have built or am building it can help. Suggestions/feedback welcome.

[1]Notes on U-Verse

When I moved back to Austin, I decided to get Internet access from U-Verse instead of TWC right off the bat. The reasoning was that I wanted a static IP if I could get it, and I knew from past experience of myself and friends that the only difference between TWC “consumer” and “business class” was the price you pay. Turns out, basically the same thing for U-Verse. Ports 80 and 25 were still blocked, I could not get native IPv6, and I couldn’t use my HE tunnel because passing IP-GRE traffic through the U-Verse modems causes a buffer overflow (known issue for 3+ years) so they just drop all GRE traffic because their vendors haven’t (yet) been able to provide a fix. Also, U-Verse in my area is terrible and TWC is tolerable so I switched. YMMV.

Posted by edolnx


Time Warner has gradually rolled out IPv6 connectivity to their Road Runner customers over the past couple of years and it started appearing on my home network earlier this year.  I had some issues getting the leases to renew properly after they expired (TWC’s default lease length appears to be seven days) and there were some routing problems that cropped up occasionally.  However, over the past month, things seem to have settled down on TWC’s San Antonio network.

Do you have IPv6 yet?

Before you make any adjustments to your network, I’d recommend connecting your computer directly to the cable modem briefly to see if you can get an IPv6 address via stateless autoconfiguration (SLAAC).  You’ll only get one IPv6 address via SLAAC, but we can get a bigger network block later on (keep reading).  Check your computer’s network status to see if you received an IPv6 address.  If you have one, try accessing ipv6.google.com.  You can always check ipv6.icanhazip.com or ipv6.icanhaztraceroute.com as well.

There’s a chance your computer didn’t get an IPv6 address while directly connected to the cable modem.  Here are some possible solutions:

  • Power off the cable modem for 30 seconds, then plug it back in and see if your computer gets an address
  • Ensure you have one of TWC’s approved modems. (Bear in mind that not all of these modems support IPv6.)
  • Verify that your computer has IPv6 enabled. (Instructions for Windows, Mac and Linux are available.)

But I want more addresses

If you were able to get an IPv6 address, it’s now time to allocate a network block for yourself and begin using it!  We will request an allocation via DHCPv6.  Every router is a little different, but the overall concept is the same.  Your router will request an allocation on the network and receive that allocation from Time Warner’s network.  From there, your router will assign that block to an interface (most likely your LAN, more on that in a moment) and begin handing out IPv6 addresses to devices in your home.

By default, TWC hands out /64 allocations regardless of what you request via DHCPv6.  See the last section of this post on how to get a /56 allocation.  Splitting /64’s into smaller subnets is a bad idea.

Let’s talk security

IPv6 eliminates the need for network address translation (NAT).  This means that by the time you finish this howto, each device in your network will have a publicly accessible internet address.  Also, bear in mind that with almost all network devices, firewall rules and ACLs that are configured for IPv4 will have no effect on IPv6.  This means that you’ll end up with devices on your network with all of their ports exposed to the internet.

In Linux, be sure to use ip6tables (via firewalld, if applicable).  For other network devices, review their firewall configuration settings to see how you can filter IPv6 traffic.  This is a critical step.  Please don’t skip it.

On my Mikrotik device, I have a separate IPv6 firewall interface that I can configure.  Here is my default ruleset (see the listings at the end of this post):

The first five rules ensure that only related or established connections can make it to my internal LAN. I allow UDP 546 for DHCPv6 connectivity and I’m allowing all ICMPv6 traffic to the router and internal devices. Finally, I allow all of my devices inside the network to talk to the internet and block the remainder of the unmatched traffic.

Configuring the router

It’s no secret that I’m a big fan of Mikrotik devices and I’ll guide you through the setup of IPv6 on the Mikrotik in this post.  Before starting this step, ensure that your firewall is configured (see previous section).

On the Mikrotik, just add a simple DHCPv6 configuration. I’ll call mine ‘twc’ (see the listings at the end of this post):

After that, you should see an allocation pop up within a few seconds when you print the DHCPv6 client status (see the listings at the end of this post):

Check that a new address pool was allocated by printing the IPv6 pools (see the listings at the end of this post):

You can now assign that address pool to an interface. Be sure to assign the block to your LAN interface. In my case, that’s called lanbridge (see the listings at the end of this post):

By default, the Mikrotik device will now begin announcing that network allocation on your internal network. Some of your devices may already be picking up IPv6 addresses via SLAAC! Try accessing the Google or icanhazip IPv6 addresses from earlier in the post.

Checking a Linux machine for IPv6 connectivity is easy. Here’s an example from a Fedora 20 server I have at home (see the listings at the end of this post):

If you only see an address that starts with fe80, that’s your link local address. It’s not an address that can be accessed from the internet.

Troubleshooting

If you run into some problems or your router can’t pull an allocation via DHCPv6, try the troubleshooting steps from the first section of this post.

Getting assistance from Time Warner is a real challenge. Everyone I’ve contacted via phone or Twitter has not been able to help and many of them don’t even know what IPv6 is. I was even told “we have plenty of regular IPv4 addresses left, don’t worry” when I asked for help. Even my unusual methods haven’t worked:

@TWC_Help I'll buy one of your engineers a six pack of beer if they can enable IPv6 for my internet connection. ;)

— Major Hayden (@majorhayden) August 9, 2014

My old SBG6580 that was issued by Time Warner wouldn’t ever do IPv6 reliably. I ended up buying an SB6121 and I was able to get IPv6 connectivity fairly easily. The SB6121 only does 172 Mb/sec down — I’ll be upgrading it if TWC MAXX shows up in San Antonio.

Get a /56

You can get a /56 block of IP addresses from Time Warner by adding a prefix hint onto your DHCPv6 client configuration. You’ll need to carve out some /64 subnets on your own for your internal network, and that’s outside the scope of this post. The prefix hint configuration isn’t available in the graphical interface or on the web (at the time of this post’s writing).

Configuration and output listings referenced above.

Mikrotik IPv6 firewall ruleset (from “Let’s talk security”):

add chain=input connection-state=related
add chain=input connection-state=established
add chain=forward connection-state=established
add chain=input in-interface=lanbridge
add chain=forward connection-state=related
add chain=input dst-port=546 protocol=udp
add chain=input protocol=icmpv6
add chain=forward protocol=icmpv6
add chain=forward out-interface=ether1-gateway
add action=drop chain=input
add action=drop chain=forward

DHCPv6 client configuration named ‘twc’ (from “Configuring the router”):

add add-default-route=yes interface=ether1-gateway pool-name=twc

DHCPv6 client status once the allocation arrives:

 #    INTERFACE     STATUS        PREFIX                                      EXPIRES-AFTER
 0    ether1-gat... bound         2605:xxxx:xxxx:xxxx::/64                    6d9h15m45s

The address pool created from the delegation:

 #   NAME      PREFIX                                      PREFIX-LENGTH EXPIRES-AFTER
 0 D twc       2605:xxxx:xxxx:xxxx::/64                               64 6d9h13m33s

Assigning the pool to the LAN interface:

add address=2605:xxxx:xxxx:xxxx:: from-pool=twc interface=lanbridge

IPv6 addresses on the Fedora 20 server:

2: em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2605:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/64 scope global mngtmpaddr dynamic
       valid_lft 2591998sec preferred_lft 604798sec
    inet6 2605:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/64 scope global deprecated mngtmpaddr dynamic
       valid_lft 1871064sec preferred_lft 0sec

Tagged With: fedora, ipv6, mikrotik, network, networking
