AT&T UVERSE Native IPv6, a HOWTO

Special thanks to Alexander from AT&T's "Tier-2" dept, though my suspicion is that that is not where he works, as he seems exceptionally clueful.
Additional thanks to Owen DeLong who finally got me off my ass to actually do this, I'll see you in the sky!

Ok, is this core routing? not really, but it's nice to see a major clue injection over at AT&T Uverse. I'm using this to document the MASSIVE bureaucratic PITA which is getting native IPv6 on uverse. You'll start from the default service on a 2wire "modem" (for values of modem that equate to profanity). If you have the Motorola NVG589, count yourself lucky and skip most of these steps.

  Abandon all hope ye who enter here....

Step 1: contact AT&T Uverse support and complain that you need IPv6 (because we all need it, I in fact do for work).
Step 2: general confusion as the level 1 droid doesn't know what IPv6 is, politely request to be transferred to tier 2.
Step 3: you will be told that tier 2 is a paid service, invoke the almighty FCC and ask to speak with a supervisor, expect a long hold here.
Step 4: you arrive at tier 2, mention that IPv6 won't work on your 2wire and that AT&T has broken your protocol 41 tunnel with <insert tunnel broker here, usually HE>
Step 5: you'll need to get your 2wire replaced with a Motorola NVG589. Again you will be threatened with a cost to upgrade, mine was waived due to the work requirement. I'd guess some additional complaining and escalation will get this fee waived. My recollection was it was $100. The new modem is good news for quite a few reasons, the 2wire sucks, the Motorola sucks significantly less, and has a built in battery backup, but mine lacked the battery.
Step 6: you'll receive the Motorola by mail, or have a tech install it, they actually had a tech in my area and I had an AT&T tech at my door in less than 20 minutes from when I got off the phone with tier-2 (I about died from the shock).
Step 7: configure the Motorola (192.168.1.254) for passthrough, DHCPS-dynamic, disable the firewall, the "advanced" firewall, hpna, wireless, etc.
Step 8: reboot to push the public IP to your real router.
Step 9: head over to the Motorola's home network tab, and in the status window you'll see:

    IPv6

    Status                        Available
    Global IPv6 Address           2602:306:cddd:xxxx::1/64
    Link-local IPv6 Address       fe80::923e:abff:xxxx:7e40
    Router Advertisement Prefix   2602:306:cddd:xxxx::/64
    IPV6 Delegated LAN Prefix     2602:306:cddd:xxxx::
                                  2602:306:cddd:xxxx::

In reality additional poking leads me to believe AT&T gives you a rather generous /60, but how to use it?
Step 10: set up dhcpv6, example for mikrotik follows (but should be easily convertible to nearly any router):

/ipv6> export
# dec/31/2001 20:26:03 by RouterOS 6.6
# software id = 5F2Y-X73L

Yay! Thank you very much.

You should write up something to their support forums!

Mehmet

Now if Time Warner Cable would get their act together in Ohio (looks at
them :) )

I don't believe this is native IPv6; it's probably still their 6rd,
which has, in fact, been live since at least February 2012, i.e. for
close to two years at this point.

http://tu.cnst.su/post/16958139578/at-t-u-verse-6rd-in-santa-clara-county
http://www.tunnelbroker.net/forums/index.php?topic=2293.0

And, yes, AT&T is probably still keeping this whole thing a secret.

C.

Are you actually getting a /60 in your IPv6 pool in routerOS?

I haven't seen it work and Comcast claims a /60 via DHCP-PD is available
everywhere now.

# nov/23/2013 07:09:08 by RouterOS 6.6
/ipv6 address
add address=2601:b:beXX:XXX::1 from-pool=comcastv6-pd interface=ether2-master-local
/ipv6 dhcp-client
add add-default-route=yes interface=ether1-wan pool-name=comcastv6-pd use-peer-dns=no
/ipv6 nd
set [ find default=yes ] disabled=yes
add hop-limit=64 interface=ether2-master-local reachable-time=5m

[admin@MikroTik] /ipv6> pool print
Flags: D - dynamic
 #   NAME          PREFIX                PREFIX-LENGTH  EXPIRES-AFTER
 0 D comcastv6-pd  2601:b:beXX:XXX::/64  64             3d23h54m48s

I wonder if we can use this to get around their broken SIP-ALG...

Jared Mauch

With comcast you can check on everything at comcast6.net. It will tell you if your CMTS is enabled.

Jared Mauch

I have it working with TWC with a Motorola SB6141 and a RB450G router
board running MikroTik RouterOS.

I had to replace the old modem, which didn't have DOCSIS 3, and upgrade
RouterOS to 6.3.

So far both Windoze and Linux machines now have full IPv6 connectivity.

One gizmo app that became very handy is the ipvfoo extension for the
Chrome browser that adds an icon on the status bar showing if the
contents of the page arrived via IPv6/4 or both. I believe there is
now a port for Firefox.

I'm getting a /64 from TWC, seems to work reliably well.

-Jorge

I'm going to answer two posts here. First, you're correct: this appears to be a 6rd, and it is a /60.

    IPv6

    Status                        Available
    Global Unicast IPv6 Address   2602:306:cddd:1c50::/60
    Border Relay IPv4 Address     12.83.49.81

Does it still work? Are you *SURE*? Better go check...

IPv6 on Uverse was working for me until this evening. Now it's broken again.

I almost gave up on Uverse in disgust last month when AT&T pushed down
that software update to the 2WIRE/Pace 3801 that broke all IPv6 tunnels.

Then I read on the forums about the new "Power" service tier that
requires pair bonding and the NVG589, so I signed up more to get the 589
than for the higher speed.

Sure enough, the NVG589 is a *V A S T* improvement over the 3801. It
even provides native IPv6! (Well, "native" in that the box emits IPv6
router advertisements on my LAN; I know it's still implemented with 6rd.)

Until tonight.

Now my NVG589 won't even respond to pings to its own local IPv6 address.
Attempts to ping6 machines on my LAN from the 589's diagnostic page gave
"unreachable network" errors even though the 589 was still emitting IPv6
router advertisements for my /64 subnet.

Restarting the box didn't help. Now its status page says that IPv6 is
"unavailable". At least it's no longer emitting router advertisements
for a service it can't provide.

I had also been able to use AT&T's 6rd gateway with one of my static
IPv4 addresses, but that's also broken now.

I think it's time to dump Uverse and switch to cable. The only drawback
is that AT&T gives me a /29 IPv4 address block for $15/mo while Time
Warner makes static IP addressing available only with their "business
class" service costing several hundred/month.

But Hurricane Electric's IPv6 tunnels work so well that I'm not sure
static IPv4 even matters anymore. I only use them to reach my systems
myself from the outside, I'm not running any public services that really
need them.

--Phil

Andrew D Kirch wrote:

Was I the only one who thought that everything about this was great
apart from this comment:

> In reality additional poking leads me to believe AT&T gives you a rather
> generous /60

Is a /60 what is considered generous these days? I thought a /48 was
considered normal and a /56 was considered a bit tight. What prefix
lengths are residential access providers handing out by default these
days?

Regards,

Leo

Remember, this is just 6rd. With 6rd, a /60 does sound quite generous indeed.

And it's a /60 for each IPv4 you have, e.g. if you have a static IP
allocation with AT&T U-verse, say, a /27, then you're effectively
getting a /55 (plus also an additional /60 for the DHCP address in a
shared subnet to which your /27 is routed to).

That said, I wholeheartedly agree with your comment otherwise.

C.

> Andrew D Kirch wrote:
>
> Was I the only one who thought that everything about this was great
> apart from this comment:
>
>> In reality additional poking leads me to believe AT&T gives you a rather
>> generous /60
>
> Is a /60 what is considered generous these days? I thought a /48 was
> considered normal and a /56 was considered a bit tight. What prefix
> lengths are residential access providers handing out by default these
> days?

> Remember, this is just 6rd. With 6rd, a /60 does sound quite generous indeed.

You can hand out /48 as easily with 6rd as you can natively.

It's only when the ISP is lazy and encodes the entire IPv4 address
space into 6rd thereby wasting most of the IPv6 address space being
used for 6rd that a /60 appears to be generous.

You can do a 6rd domain per IPv4 allocation. This is a one time
operation that doesn't need to be updated as you move IPv4 address
space around.

> You can hand out /48 as easily with 6rd as you can natively.
>
> It's only when the ISP is lazy and encodes the entire IPv4 address
> space into 6rd thereby wasting most of the IPv6 address space being
> used for 6rd that a /60 appears to be generous.
>
> You can do a 6rd domain per IPv4 allocation. This is a one time
> operation that doesn't need to be updated as you move IPv4 address
> space around.

This might be true with smaller ISPs, but someone like AT&T probably
already has too many distinct IPv4 allocations for such an encoding to
be practically manageable.

Free, who has pioneered 6rd, and is a major ISP in France, seems to
have gone with a similar 6rd allocation policy, giving out /60 through
6rd for each IPv4, out of a /28 IPv6. Seems quite reasonable.

    http://ripe58.ripe.net/content/presentations/ipv6-free.pdf

(So, AT&T simply copied the French here, it would appear.)

C.

>> You can hand out /48 as easily with 6rd as you can natively.
>>
>> It's only when the ISP is lazy and encodes the entire IPv4 address
>> space into 6rd thereby wasting most of the IPv6 address space being
>> used for 6rd that a /60 appears to be generous.
>>
>> You can do a 6rd domain per IPv4 allocation. This is a one time
>> operation that doesn't need to be updated as you move IPv4 address
>> space around.
>
> This might be true with smaller ISPs, but someone like AT&T probably
> already has too many distinct IPv4 allocations for such an encoding to
> be practically manageable.

Garbage.

If you are going with /48's

For each IPv4 /8 they have been allocated they carve out a IPv6 /24 for it.
For each IPv4 /22 they have been allocated they carve out a IPv6 /38 for it.

If you are going with /56's

For each IPv4 /8 they have been allocated they carve out a IPv6 /32 for it.
For each IPv4 /22 they have been allocated they carve out a IPv6 /46 for it.

Carving out smaller blocks from bigger blocks is what ISP's do all
the time when allocating space for customers and unlike customers
this doesn't have to be done over and over again. It is a once off
when they receive the address block regardless of how they later
split up and move around the IPv4 address block.

> Free, who has pioneered 6rd, and is a major ISP in France, seems to
> have gone with a similar 6rd allocation policy, giving out /60 through
> 6rd for each IPv4, out of a /28 IPv6. Seems quite reasonable.
>
>     http://ripe58.ripe.net/content/presentations/ipv6-free.pdf
>
> (So, AT&T simply copied the French here, it would appear.)
>
> C.

Just because someone does it one way it doesn't make them right or
correct. It just means they did it that way. This is saying "my
customers will *never* have more than 16 subnets" which is possibly
true in the short term for home users but not for companies. Think
how many vlans companies use today. Each of those vlans should be
getting a /64.

It is short sighted decisions like this which force companies into
using NATs whether they want to or not.

Mark

You're contradicting yourself here. Yes, you're right about the technical solution, but it's not as easy (you need backend systems). Also, not all products support the variability of subnet lengths that the standard allows.

So if you're not mapping the entire space (actually some products only allow /32 IPv6 space) 1-1 you're making the whole solution harder due to complexity in your backend system plus you're limiting the amount of customer gear that will support the solution.

> You can hand out /48 as easily with 6rd as you can natively.
>
> It's only when the ISP is lazy and encodes the entire IPv4 address
> space into 6rd thereby wasting most of the IPv6 address space being
> used for 6rd that a /60 appears to be generous.

> You're contradicting yourself here.

What contradiction? You need to break up the IPv6 address allocation
for both PD and 6rd. I would say PD is slightly more complicated
than 6rd as you also want to optimise routing more with PD. With
6rd you do the optimisation using the IPv4 addresses.

> Yes, you're right about the technical
> solution, but it's not as easy (you need backend systems). Also, not all
> products support the variability of subnet lengths that the standard
> allows.

So who is shipping cr*p that claims to support RFC 5969 yet doesn't
allow arbitrary size 6rd domains?

The point of having a standard is so equipment from different
manufacturers can work together. A CPE device that can't accept all
legal values should be thrown in the bin.

> So if you're not mapping the entire space (actually some products only
> allow /32 IPv6 space) 1-1 you're making the whole solution harder due to
> complexity in your backend system plus you're limiting the amount of
> customer gear that will support the solution.

I claim bovine excrement on customer gear. Show me where the
6rdPrefixLen is defined to be 32? Even with RFC 5569 it was up to
32 and the IPv4MaskLen is 0.

"As easily". It's easier to either hand out /64 by means of 1:1 mapping IPv4 and IPv6, or (if ability exists) hand out /48 or /56 using PD, than to get into the whole backend mess of having multiple 6RD domains with multiple configs per IPv4 subnet etc.

I agree with you theoretically, but in practice I disagree.

Agreed… Unfortunately, the big guys (Comcast, AT&T) in America seem to like victimizing their customers with undersized assignments, limiting choice of proper prefix sizes to only their business class customers. I’m not sure why they are doing this. I know when I’ve had conversations with them, they haven’t exactly given a reason so much as just said that they thought a /48 was ridiculous.

Of course, if AT&T is blocking protocol 41, that’s even worse, because at least so long as that isn’t blocked, you can still get an HE tunnel and get a /48 if you need it anyway.

Owen

I'd like to call everyone's attention to ARIN's policy on IPv6
transition space https://www.arin.net/policy/nrpm.html#six531 which
was created specifically in response to the standardization of 6rd.

The discussion at the time that this policy was under consideration
was that encoding the [m,n] in a non-overlapping fashion when one has
a bajillion allocations due to slow start was a pain in the butt and
that, in practice, everyone would just encode 32 bits of IPv4 into 6rd.

Note that it's possible to get a /24 of IPv6 space (huge!). Yes, it's
from space that is "tainted" as being marked as transition space.
Yes, you have to recertify that you're using it for the intended
purpose every three years.

Of course, 24 + 32 = 56. This is not an accident. It was our sense
at the time that /56 was bad enough and that there was no reason to
codify giving people an even more parsimonious slice of IPv6 space.

So there really is no excuse on AT&T's part for the /60s on uverse 6rd...

-r
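
The prefix arithmetic argued over in this thread, as an added example that is not part of any poster's message: a Python sketch of the RFC 5969 mapping (6rd prefix, then the CE IPv4 bits left after dropping IPv4MaskLen), checked against the prefix lengths quoted above. The function names, the 2001:db8::/32 and 2001:db0::/28 prefixes and the IPv4 addresses are constructed for illustration and are not AT&T's values.

```python
import ipaddress

def delegated_prefix(sixrd_prefix, ipv4_mask_len, ce_ipv4):
    """RFC 5969 mapping: the 6rd prefix followed by the low
    (32 - IPv4MaskLen) bits of the CE's IPv4 address."""
    if not 0 <= ipv4_mask_len <= 32:
        raise ValueError("IPv4MaskLen must be 0..32")
    net = ipaddress.IPv6Network(sixrd_prefix)  # rejects a prefix with host bits set
    v4_bits = 32 - ipv4_mask_len
    plen = net.prefixlen + v4_bits
    if plen > 64:
        raise ValueError("delegated prefix longer than /64 leaves no LAN subnet")
    suffix = int(ipaddress.IPv4Address(ce_ipv4)) & ((1 << v4_bits) - 1)
    addr = int(net.network_address) | (suffix << (128 - plen))
    return ipaddress.IPv6Network((addr, plen))

def sixrd_prefix_len_needed(delegated_len, ipv4_block_len):
    """6rd prefix length to carve out for one IPv4 block so that every
    address in that block maps to a prefix of delegated_len."""
    return delegated_len - (32 - ipv4_block_len)

def lan_subnets(delegated_len):
    """Number of /64 LANs a customer can number from the delegation."""
    return 2 ** (64 - delegated_len)

if __name__ == "__main__":
    # One 6rd domain per IPv4 block: a /32 6rd prefix for an IPv4 /8 gives /56s.
    print(delegated_prefix("2001:db8::/32", 8, "10.1.2.3"))
    # All 32 IPv4 bits encoded under a /28 (constructed prefix): /60, 16 LANs.
    p = delegated_prefix("2001:db0::/28", 0, "192.0.2.1")
    print(p, lan_subnets(p.prefixlen))
    # All 32 IPv4 bits encoded under a /32: a single /64.
    print(delegated_prefix("2001:db8::/32", 0, "192.0.2.1"))
    # Carve-out sizes per delegated length and IPv4 block size.
    for want, block in ((48, 8), (48, 22), (56, 8), (56, 22)):
        print(f"/{want} per customer, IPv4 /{block}: "
              f"6rd prefix /{sixrd_prefix_len_needed(want, block)}")
```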