

NickMack

962 posts

Ultimate Geek

Trusted
Lifetime subscriber

#240157 23-Aug-2018 15:04

Update below on IPV6 Address Space allocation - 10th October 2018.

 

Hi All,

 

With the introduction of BYOD (some customers choosing not to use a 2degrees supplied Fritzbox), we've had a bunch of queries about ipv6, how we provision it, what technologies we use etc. In order to assist you with troubleshooting any other equipment you may use, the team (Thanks Aaron) have pulled together the following information.

 

2degrees uses Juniper equipment to terminate subscribers. Check out the following links for more information on the architecture used and the implementation overview - Basic Architecture of a Subscriber Access Dual-Stack Network and Overview of Using DHCPv6 Prefix Delegation.

 

2degrees uses DHCPv6 Prefix Delegation to assign IPv6 prefixes to customer CPE. The only requirement this puts on the CPE is identification and choosing a prefix for delegation.

 

DHCPv6 prefix delegation process

 

     

  1. The BNG provides IPv6 prefixes available for delegation.  In the case of dynamic customers this is provided by a local address-assignment pool, and for static IPv6 customers the BNG is informed of the /56 prefix to use via our RADIUS server.  Even though it’s a static assignment the BNG will still delegate the prefix to the CPE using DHCPv6.
  2. The CPE requests one or more prefixes from the delegating router.  The standard is a /64 allocation per LAN segment.
  3. The BNG chooses the prefixes for delegation, and responds to the CPE.
  4. The CPE is then responsible for the delegated prefixes.

 

CPE WAN link

 

Below are the methods we support:

 

     

  1. Link-local IPv6 address – The link-local address is provisioned by appending the interface identifier negotiated by IPv6CP to the IPv6 link-local prefix (fe80::/10).
  2. DHCPv6 prefix delegation – The CPE can use the prefix it receives from the BNG to assign an IPv6 address to the interface between the CPE and BNG.  A Fritzbox modem uses this method by default.

 

Fritz configuration example (in lab environment)

 

 

  • This is the default setup and will establish a native IPv6 connection, the below configuration would be more specific

 

 

  • Here you can see the IPv6 address assigned to the CPE-BNG interface and the prefix that was delegated.
  • The Fritz in its default setup will assign the first available /64 to the LAN segment.
  • We allocate a /56 address space

Nick.





michaelmurfy
meow
13262 posts

Uber Geek

Moderator
ID Verified
Trusted
Lifetime subscriber

  #2078025 23-Aug-2018 16:03

Made this sticky.

 

Thanks very much for these guides - they're excellent!





Michael Murphy | https://murfy.nz
Opinions are my own and not the views of my employer.




xlinknz
1128 posts

Uber Geek

Trusted

  #2111304 20-Oct-2018 10:05

@NickMack

 

Good to see 2D post this information

 

I was curious as to why 2D does not have their web accessible as IPv6 i.e. AAAA record etc

 

 


NickMack

962 posts

Ultimate Geek

Trusted
Lifetime subscriber

  #2111362 20-Oct-2018 12:01

xlinknz:

@NickMack


Good to see 2D post this information


I was curious as to why 2D does not have their web accessible as IPv6 i.e. AAAA record etc


 



Great question - not sure, I'll ask - Website is done by 3rd party.

Nick






antoniosk
2358 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #2111363 20-Oct-2018 12:06

If only the other ISPs were so transparent and forthcoming - good to see.





________

 

Antoniosk


xlinknz
1128 posts

Uber Geek

Trusted

  #2111371 20-Oct-2018 12:47

NickMack:
xlinknz:

 

@NickMack

 

Good to see 2D post this information

 

I was curious as to why 2D does not have their web accessible as IPv6 i.e. AAAA record etc

 

 

Great question - not sure, I'll ask - Website is done by 3rd party.

Nick

 

Thank you for the reply

 

I see it is presented via the Redshield Cloud WAF, check whether that can act as an IPv6 proxy even if the host provider cannot dual stack

 

antoniosk:

 

If only the other ISPs were so transparent and forthcoming - good to see.

 

 

I agree!


ObidiahSlope
260 posts

Ultimate Geek


  #2111436 20-Oct-2018 16:00

A related question. I am a 2D customer with a Fritz box(1)

 

The DNS server in the Fritz box will resolve hosts on the LAN with a fully qualified domain name in the style $hostname.fritz.box

 

I have enabled IPv6. A dig query returns an ipv4 IP address but an AAAA query for an IPv6 address does not resolve. Have I missed a setting or is the Fritz box unable to do an AAAA for a local hostname?

 

 

 

1. Model:   7490    OS Version:   06.80





Obsequious hypocrite

NickMack

962 posts

Ultimate Geek

Trusted
Lifetime subscriber

  #2111763 21-Oct-2018 08:52

ObidiahSlope:

A related question. I am a 2D customer with a Fritz box(1)


The DNS server in the Fritz box will resolve hosts on the LAN with a fully qualified domain name in the style $hostname.fritz.box


I have enabled IPv6. A dig query returns an ipv4 IP address but an AAAA query for an IPv6 address does not resolve. Have I missed a setting or is the Fritz box unable to do an AAAA for a local hostname?


 


1. Model:   7490    OS Version:   06.80



Not something I've looked at before on default Fritz config, I suspect 99% of residential customers would care less ;-) (I use DNS from my Windows Active Directory, so this resolves fine). I'll have a look at this after the long weekend (camping at the mo) ;-)

Nick

Ps - there's a new version of Fritz OS you can upgrade to.




 
 
 

NickMack

962 posts

Ultimate Geek

Trusted
Lifetime subscriber

  #2112585 23-Oct-2018 08:57

NickMack:
xlinknz:

 

@NickMack

 

Good to see 2D post this information

 

I was curious as to why 2D does not have their web accessible as IPv6 i.e. AAAA record etc

 



Great question - not sure, I'll ask - Website is done by 3rd party.

Nick

 

 

Website hosted by 3rd party in AWS. I've asked if they can investigate.

 

Update - should be resolved in the coming weeks.





NickMack

962 posts

Ultimate Geek

Trusted
Lifetime subscriber

  #2113177 24-Oct-2018 11:52

NickMack:
ObidiahSlope:

 

A related question. I am a 2D customer with a Fritz box(1)

 

The DNS server in the Fritz box will resolve hosts on the LAN with a fully qualified domain name in the style $hostname.fritz.box

 

I have enabled IPv6. A dig query returns an ipv4 IP address but an AAAA query for an IPv6 address does not resolve. Have I missed a setting or is the Fritz box unable to do an AAAA for a local hostname?

 

1. Model:   7490    OS Version:   06.80

 



Not something I've looked at before on default Fritz config, I suspect 99% of residential customers would care less ;-) (I use DNS from my Windows Active Directory, so this resolves fine). I'll have a look at this after the long weekend (camping at the mo) ;-)

Nick

Ps - there's a new version of Fritz OS you can upgrade to.

 

Hiya,

 

It looks like AVM haven’t included this feature/functionality - We have fired off a request to have this considered/added in future releases.

 

Tested on the following hardware and firmware - Model  7490: v06.84, v07.01.

 

2degreess-MBP:~ 2degreesengineering$ dig 2degreess-MBP.fritz.box
 
; <<>> DiG 9.10.6 <<>> 2degreess-MBP.fritz.box
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6578
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3
 
;; QUESTION SECTION:
;2degreess-MBP.fritz.box.   IN  A
 
;; ANSWER SECTION:
2degreess-MBP.fritz.box. 9  IN  A   192.168.178.22
 
;; AUTHORITY SECTION:
2degreess-MBP.fritz.box. 9  IN  NS  fritz.box.
 
;; ADDITIONAL SECTION:
fritz.box.      9   IN  A   192.168.178.1
fritz.box.      9   IN  AAAA    fd00::c225:6ff:fef2:e1a2
fritz.box.      9   IN  AAAA    2406:e001:2:5401:c225:6ff:fef2:e1a2
 
;; Query time: 0 msec
;; SERVER: 192.168.178.1#53(192.168.178.1)
;; WHEN: Wed Oct 24 11:43:11 NZDT 2018
;; MSG SIZE  rcvd: 143
 
2degreess-MBP:~ 2degreesengineering$ dig -t "AAAA" 2degreess-MBP.fritz.box
 
; <<>> DiG 9.10.6 <<>> -t AAAA 2degreess-MBP.fritz.box
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24633
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
 
;; QUESTION SECTION:
;2degreess-MBP.fritz.box.   IN  AAAA
 
;; AUTHORITY SECTION:
fritz.box.      9   IN  SOA fritz.box. admin.fritz.box. 1540334593 21600 1800 43200 10
 
;; Query time: 0 msec
;; SERVER: 192.168.178.1#53(192.168.178.1)
;; WHEN: Wed Oct 24 11:43:13 NZDT 2018
;; MSG SIZE  rcvd: 83

 

Nick.





  #2121711 7-Nov-2018 17:13

Works for me, and has for years...

 

 

$ dig fritz.box ANY

; <<>> DiG 9.9.5-3ubuntu0.18-Ubuntu <<>> fritz.box ANY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8239
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 1, ADDITIONAL: 3

;; QUESTION SECTION:
;fritz.box. IN ANY

;; ANSWER SECTION:
fritz.box. 9 IN SOA fritz.box. admin.fritz.box. 1 21600 1800 43200 10
fritz.box. 9 IN NS fritz.box.
fritz.box. 9 IN A 192.168.1.1
fritz.box. 9 IN AAAA fd00::c225:######
fritz.box. 9 IN AAAA 2406:e006:######

;; AUTHORITY SECTION:
fritz.box. 9 IN NS fritz.box.

;; ADDITIONAL SECTION:
fritz.box. 9 IN A 192.168.1.1
fritz.box. 9 IN AAAA fd00::c225:######
fritz.box. 9 IN AAAA 2406:e006:######

;; Query time: 1 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Wed Nov 07 17:11:56 NZDT 2018
;; MSG SIZE rcvd: 268


Works for other internal hosts too.


Eitsop
583 posts

Ultimate Geek

ID Verified

  #2130934 21-Nov-2018 11:20

Nick, are there any other parameters that 2degrees need to negotiate? e.g. MTU


NickMack

962 posts

Ultimate Geek

Trusted
Lifetime subscriber

  #2130935 21-Nov-2018 11:22

attewell:

 

Nick, are there any other parameters that 2degrees need to negotiate? e.g. MTU

 

 

Nope, it should negotiate.

 

Nick.





greven
30 posts

Geek


  #2175810 10-Feb-2019 12:00

Does this mean by default, every IPV6 compatible device on the network will be publicly accessible over IPV6?


michaelmurfy
meow
13262 posts

Uber Geek

Moderator
ID Verified
Trusted
Lifetime subscriber

  #2175816 10-Feb-2019 12:23

greven:

 

Does this mean by default, every IPV6 compatible device on the network will be publicly accessible over IPV6?

 

No, it is firewalled off.





Michael Murphy | https://murfy.nz
Opinions are my own and not the views of my employer.


vulcannz
436 posts

Ultimate Geek
Inactive user


  #2175928 10-Feb-2019 13:33

michaelmurfy:

 

greven:

 

Does this mean by default, every IPV6 compatible device on the network will be publicly accessible over IPV6?

 

No, it is firewalled off.

 

 

 

 

You mean "No, it SHOULD be firewalled off".

 

However, because there is no NAT you must make sure your firewall policies are correct.

 

An erroneous firewall policy could easily open those devices up to be publicly accessible.

 

It is also worth noting just because a device supports a feature under IPv4, on that same device the feature is automatically present under IPv4. If you are rolling out IPv6, double check your inbound firewall rules, and double check your device specs (maybe firmware specs) what features are available under IPv6.
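
The firewall point above and the /56 delegation described in the first post, as an added example that is not part of the thread or any 2degrees tooling: it sorts a host inventory into link-local, ULA and delegated-prefix addresses, then flags inbound allow rules wider than a single host. The /56 is assumed to be the one containing the global address in the dig output; the `nas` and `laptop` hosts and all rules are constructed.

```python
import ipaddress

ULA = ipaddress.ip_network("fc00::/7")
# Assumption: the /56 that contains the global address in the thread's dig output.
DELEGATED = ipaddress.ip_network("2406:e001:2:5400::/56")

# fritz.box addresses come from the dig output; the other hosts are constructed.
HOSTS = {
    "fritz.box": ["fd00::c225:6ff:fef2:e1a2", "2406:e001:2:5401:c225:6ff:fef2:e1a2"],
    "nas": ["fd00::10", "fe80::10"],
    "laptop": ["2406:e001:2:5401::22"],
}
# Constructed inbound allow rules: (name, destination, port).
RULES = [
    ("ssh-to-laptop", "2406:e001:2:5401::22/128", 22),
    ("web-to-lan", "2406:e001:2:5401::/64", 443),
    ("legacy-any", "::/0", 0),
    ("v4-forward", "192.168.178.0/24", 80),
]

def classify(addr, delegated=DELEGATED):
    """Label an address by whether internet traffic can be routed to it."""
    ip = ipaddress.ip_address(addr)
    if ip.is_link_local:
        return "link-local"   # fe80::/10, never leaves the link
    if ip in ULA:
        return "ula"          # local addressing, not routed on the internet
    if ip in delegated:
        return "delegated"    # globally routable: only the firewall protects it
    return "other"

def lan_segment(addr, delegated=DELEGATED):
    """Return the /64 LAN segment inside the delegation that holds addr."""
    ip = ipaddress.ip_address(addr)
    return ipaddress.ip_network(f"{ip}/64", strict=False) if ip in delegated else None

def firewall_dependent(hosts, delegated=DELEGATED):
    """Hosts with at least one delegated-prefix address, and those addresses."""
    found = {h: [a for a in addrs if classify(a, delegated) == "delegated"]
             for h, addrs in hosts.items()}
    return {h: a for h, a in found.items() if a}

def broad_allow_rules(rules, delegated=DELEGATED):
    """Names of IPv6 allow rules that cover more than one host in the delegation."""
    flagged = []
    for name, dest, _port in rules:
        net = ipaddress.ip_network(dest, strict=False)
        if net.version == 6 and net.prefixlen < 128 and net.overlaps(delegated):
            flagged.append(name)
    return flagged
```
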

