date 2018-08-23
Geekzone: technology news, blogs, forums
2degrees - IPv6 overview - How we do it


2degrees

# 240157 23-Aug-2018 15:04
Update below on IPV6 Address Space allocation - 10th October 2018.

 

Hi All,

 

With the introduction of BYOD (some customers choosing not to use a 2degrees supplied Fritzbox), we've had a bunch of queries about IPv6, how we provision it, what technologies we use etc. In order to assist you with troubleshooting any other equipment you may use, the team (Thanks Aaron) have pulled together the following information.

 

2degrees uses Juniper equipment to terminate subscribers. Check out the following links for more information on the architecture used and the implementation overview - Basic Architecture of a Subscriber Access Dual-Stack Network and Overview of Using DHCPv6 Prefix Delegation.

 

2degrees uses DHCPv6 Prefix Delegation to assign IPv6 prefixes to customer CPE; the only requirement this puts on the CPE is identification and choosing a prefix for delegation.

 

DHCPv6 prefix delegation process

 

     

  1. The BNG provides IPv6 prefixes available for delegation.  In the case of dynamic customers this is provided by a local address-assignment pool, and for static IPv6 customers the BNG is informed of the /56 prefix to use via our RADIUS server.  Even though it’s a static assignment the BNG will still delegate the prefix to the CPE using DHCPv6.
  2. The CPE requests one or more prefixes from the delegating router.  The standard is a /64 allocation per LAN segment.
  3. The BNG chooses the prefixes for delegation, and responds to the CPE.
  4. The CPE is then responsible for the delegated prefixes.

 

CPE WAN link

 

Below are the methods we support:

 

     

  1. Link-local IPv6 address – The link-local address is provisioned by appending the interface identifier negotiated by IPv6CP to the IPv6 link-local prefix (fe80::/10).
  2. DHCPv6 prefix delegation – The CPE can use the prefix it receives from the BNG to assign an IPv6 address to the interface between the CPE and BNG.  A Fritzbox modem uses this method by default.

 

Fritz configuration example (in lab environment)

 

 

  • This is the default setup and will establish a native IPv6 connection; the below configuration would be more specific

 

 

  • Here you can see the IPv6 address assigned to the CPE-BNG interface and the prefix that was delegated.
  • The Fritz in its default setup will assign the first available /64 to the LAN segment.
  • For our dynamic subscribers we allocate a /48 or /56 address space depending on the version of code they are running (due to our upgrades currently in progress); for static customers we allocate a /56 address space. Upgrades are planned to be completed in the first week of November 2018, which will see us standardise on /56 for all subscribers.
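For anyone configuring their own CPE, the prefix arithmetic in the post above can be worked through as follows. This is an added example, not 2degrees or AVM code; the function names are hypothetical and the prefixes and interface identifier are constructed from the 2001:db8::/32 documentation range.

```python
import ipaddress
from itertools import islice

def pd_capacity(delegated):
    """Number of /64 LAN segments a delegated prefix can supply."""
    net = ipaddress.IPv6Network(delegated)  # raises ValueError if host bits are set
    if net.prefixlen > 64:
        raise ValueError(f"{net} is longer than /64, no whole LAN segment fits")
    return 2 ** (64 - net.prefixlen)

def lan_segments(delegated, count=1):
    """First `count` /64s of the delegation, lowest first.

    count=1 mirrors the Fritz default of using the first available /64.
    """
    available = pd_capacity(delegated)
    if count > available:
        raise ValueError(f"asked for {count} segments, only {available} available")
    net = ipaddress.IPv6Network(delegated)
    # subnets() is a generator, so a /48 is not expanded into 65536 objects.
    return list(islice(net.subnets(new_prefix=64), count))

def link_local(interface_id):
    """Link-local address: fe80:: plus a 64-bit interface identifier."""
    if not 0 < interface_id < 2 ** 64:
        raise ValueError("interface identifier must be a non-zero 64-bit value")
    return ipaddress.IPv6Address((0xFE80 << 112) | interface_id)

def in_delegation(address, delegated):
    """True if a host address falls inside the delegated prefix.

    Every such address is globally routable, so this is the range the
    CPE's inbound firewall policy has to cover.
    """
    return ipaddress.IPv6Address(address) in ipaddress.IPv6Network(delegated)

if __name__ == "__main__":
    for prefix in ("2001:db8:12:3400::/56", "2001:db8:12::/48"):  # constructed
        first = lan_segments(prefix)[0]
        print(f"{prefix}: {pd_capacity(prefix)} x /64, first LAN segment {first}")
    print("link-local:", link_local(0x021122FFFE334455))  # constructed identifier
```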

Moderator
  # 2078025 23-Aug-2018 16:03
  # 2111304 20-Oct-2018 10:05
@NickMack

 

Good to see 2D post this information

 

I was curious as to why 2D does not have their web accessible as IPv6 i.e. AAAA record etc

 

 

 
 
 
 




2degrees

  # 2111362 20-Oct-2018 12:01
Great question - not sure, I'll ask - Website is done by 3rd party.

Nick




Subscriber

  # 2111363 20-Oct-2018 12:06
If only the other ISPs were so transparent and forthcoming - good to see.




  # 2111371 20-Oct-2018 12:47
Thank you for the reply

 

I see it is presented via the Redshield Cloud WAF, check whether that can act as an IPv6 proxy even if the host provider cannot dual stack

 

I agree!

  # 2111436 20-Oct-2018 16:00
A related question. I am a 2D customer with a Fritz box(1)

 

The DNS server in the Fritz box will resolve hosts on the LAN with a fully qualified domain name in the style $hostname.fritz.box

 

I have enabled IPv6. A dig query returns an IPv4 address but an AAAA query for an IPv6 address does not resolve. Have I missed a setting or is the Fritz box unable to do an AAAA for a local hostname?

 

 

 

1. Model:   7490    OS Version:   06.80




2degrees

  # 2111763 21-Oct-2018 08:52
Not something I've looked at before on default Fritz config, I suspect 99% of residential customers would care less ;-) (I use DNS from my Windows Active Directory, so this resolves fine). I'll have a look at this after the long weekend (camping at the mo) ;-)

Nick

PS - there's a new version of Fritz OS you can upgrade to.




2degrees

  # 2112585 23-Oct-2018 08:57
Website hosted by 3rd party in AWS. I've asked if they can investigate.

 

Update - should be resolved in the coming weeks.




2degrees

  # 2113177 24-Oct-2018 11:52
Hiya,

 

It looks like AVM haven’t included this feature/functionality - We have fired off a request to have this considered/added in future releases.

 

Tested on the following hardware and firmware - Model  7490: v06.84, v07.01.

 

2degreess-MBP:~ 2degreesengineering$ dig 2degreess-MBP.fritz.box
 
; <<>> DiG 9.10.6 <<>> 2degreess-MBP.fritz.box
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6578
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3
 
;; QUESTION SECTION:
;2degreess-MBP.fritz.box.   IN  A
 
;; ANSWER SECTION:
2degreess-MBP.fritz.box. 9  IN  A   192.168.178.22
 
;; AUTHORITY SECTION:
2degreess-MBP.fritz.box. 9  IN  NS  fritz.box.
 
;; ADDITIONAL SECTION:
fritz.box.      9   IN  A   192.168.178.1
fritz.box.      9   IN  AAAA    fd00::c225:6ff:fef2:e1a2
fritz.box.      9   IN  AAAA    2406:e001:2:5401:c225:6ff:fef2:e1a2
 
;; Query time: 0 msec
;; SERVER: 192.168.178.1#53(192.168.178.1)
;; WHEN: Wed Oct 24 11:43:11 NZDT 2018
;; MSG SIZE  rcvd: 143
 
2degreess-MBP:~ 2degreesengineering$ dig -t "AAAA" 2degreess-MBP.fritz.box
 
; <<>> DiG 9.10.6 <<>> -t AAAA 2degreess-MBP.fritz.box
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24633
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
 
;; QUESTION SECTION:
;2degreess-MBP.fritz.box.   IN  AAAA
 
;; AUTHORITY SECTION:
fritz.box.      9   IN  SOA fritz.box. admin.fritz.box. 1540334593 21600 1800 43200 10
 
;; Query time: 0 msec
;; SERVER: 192.168.178.1#53(192.168.178.1)
;; WHEN: Wed Oct 24 11:43:13 NZDT 2018
;; MSG SIZE  rcvd: 83

 

Nick.
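The two dig runs in the post above differ in a way that is easy to miss: the AAAA query returns NOERROR with an empty answer section and an SOA in the authority section, meaning the name exists but has no record of that type (NODATA), which is not the same as NXDOMAIN. The following is an added example, not part of the original post, that classifies dig output this way; the sample text is trimmed from the output above and the function names are hypothetical.

```python
import re

# Trimmed from the two dig runs quoted in the post above.
A_OUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6578
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3

;; ANSWER SECTION:
2degreess-MBP.fritz.box. 9  IN  A   192.168.178.22

;; AUTHORITY SECTION:
2degreess-MBP.fritz.box. 9  IN  NS  fritz.box.
"""
AAAA_OUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24633
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; AUTHORITY SECTION:
fritz.box.      9   IN  SOA fritz.box. admin.fritz.box. 1540334593 21600 1800 43200 10
"""

def section(output, name):
    """Return (owner, type, rdata) tuples from one named dig section."""
    records, inside = [], False
    for line in output.splitlines():
        if line.startswith(";; "):
            inside = line.startswith(f";; {name} SECTION:")
        elif inside and line.strip() and not line.startswith(";"):
            owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
            records.append((owner, rtype, rdata))
    return records

def classify(output):
    """Label a dig response: answer, nodata, nxdomain or another rcode."""
    status = re.search(r"->>HEADER<<-.*status: (\w+)", output)
    count = re.search(r"flags:.*ANSWER: (\d+)", output)
    if not status or not count:
        raise ValueError("dig header lines not found")
    rcode = status.group(1)
    if rcode == "NXDOMAIN":
        return "nxdomain"        # the name does not exist at all
    if rcode != "NOERROR":
        return rcode.lower()     # servfail, refused, ...
    # NOERROR with zero answers: the name exists, the queried type does not.
    return "answer" if int(count.group(1)) else "nodata"

if __name__ == "__main__":
    print("A:   ", classify(A_OUT), section(A_OUT, "ANSWER"))
    print("AAAA:", classify(AAAA_OUT), section(AAAA_OUT, "AUTHORITY"))
```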




  # 2121711 7-Nov-2018 17:13
Works for me, and has for years...

 

 

$ dig fritz.box ANY

; <<>> DiG 9.9.5-3ubuntu0.18-Ubuntu <<>> fritz.box ANY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8239
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 1, ADDITIONAL: 3

;; QUESTION SECTION:
;fritz.box. IN ANY

;; ANSWER SECTION:
fritz.box. 9 IN SOA fritz.box. admin.fritz.box. 1 21600 1800 43200 10
fritz.box. 9 IN NS fritz.box.
fritz.box. 9 IN A 192.168.1.1
fritz.box. 9 IN AAAA fd00::c225:######
fritz.box. 9 IN AAAA 2406:e006:######

;; AUTHORITY SECTION:
fritz.box. 9 IN NS fritz.box.

;; ADDITIONAL SECTION:
fritz.box. 9 IN A 192.168.1.1
fritz.box. 9 IN AAAA fd00::c225:######
fritz.box. 9 IN AAAA 2406:e006:######

;; Query time: 1 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Wed Nov 07 17:11:56 NZDT 2018
;; MSG SIZE rcvd: 268

 

 

 

Works for other internal hosts too.

  # 2130934 21-Nov-2018 11:20
Nick, are there any other parameters that 2degrees need to negotiate? e.g. MTU



2degrees

  # 2130935 21-Nov-2018 11:22
Nope, it should negotiate.

 

Nick.




  # 2175810 10-Feb-2019 12:00
Does this mean by default, every IPV6 compatible device on the network will be publicly accessible over IPV6?

Moderator
  # 2175816 10-Feb-2019 12:23
No, it is firewalled off.




  # 2175928 10-Feb-2019 13:33
You mean "No, it SHOULD be firewalled off".

 

However, because there is no NAT you must make sure your firewall policies are correct.

 

An erroneous firewall policy could easily open those devices up to be publicly accessible.

 

It is also worth noting just because a device supports a feature under IPv4, on that same device the feature is automatically present under IPv4. If you are rolling out IPv6, double check your inbound firewall rules, and double check your device specs (maybe firmware specs) what features are available under IPv6.

