Comcast business IPv6 vs rbldnsd & PSBL

Rik_van_Riel · November 28, 2016, 6:46pm

First of all, kudos to Comcast for trying to roll out IPv6 across
their entire network. Static IPv6 netblocks seem to be available
for Comcast business users, and IPv6 is enabled unconditionally
in the CPE routers used by Comcast business class internet.

Unfortunately, the software in the two available CPE routers
(SMC & Cisco) is horribly broken when it comes to IPv6.

The TL;DR summary: even when IPv6 firewalling is disabled in
the configuration, the router still tracks every IPv6 "connection",
which causes every single DNS lookup to fill up a slot in its
connection tracking table.

The router's logs say it blocks tens of thousands of IPv6
connections every day, despite firewalling being "disabled" on
the router.

Once the connection tracking table fills up, both IPv6 and IPv4
start having trouble, with packet loss on ICMP, high ping times
to the local router (and the internet), and new connections not
establishing. The router randomly crashes and reboots too,
sometimes multiple times a day.

This ends up breaking both IPv6 and IPv4.

It only takes about 300kbit/s of DNS traffic to trigger the bug,
in both the SMC and the Cisco routers.

Are there any Comcast NOC or other technical people present who
could help?

I am interested both in helping resolve the firmware issues in
the routers (there will no doubt be other customers who hit this
in the future, as IPv6 becomes ore common) or, if that is not an
option, finding some way to avoid the issue.

http://forums.businesshelp.comcast.com/t5/Equipment-Modems-Gateways/Cis
co-DPC3941B-slows-to-a-crawl-and-crashes-several-times-a-day/td-p/30807

Livingood_Jason1 · November 29, 2016, 5:45pm

I can send it along to folks here at Comcast.

- Jason

Bryan_Holloway1 · November 29, 2016, 6:28pm

I concur with the kudos bit, but I'll also concur that the CPE support appears to be limited. Another example: IPv6 prefix delegation is broken on the SMCD3G-CCR, and according to the following threads:

http://www.gossamer-threads.com/lists/nsp/ipv6/54761 (scroll down to the IPv6 OPERATIONS - BUSINESS section)

http://forums.businesshelp.comcast.com/t5/IPV6/Dual-Stack-on-SMC-D3GCCR-and-Cisco-DPC3939B/td-p/20504

... others have the same issue and there isn't much of an incentive to fix it.

When I asked if I could use my own CPE, I was told no, because I'm a "business customer", which is a requirement if you want static v4 IPs.

Anyone have any success with a different model CPE and Comcast v6? I love that they hand out a /56 by default, but it's not of much use if I can only use a single /64.

- bryan

Jared_Mauch · November 29, 2016, 6:34pm

Folks at Comcast have told me to ask for the SMC gateway to be replaced with either the netgear or Cisco to solve that issue.

Jared Mauch

Rik_van_Riel · November 29, 2016, 7:13pm

Over the past year and a bit, I have had all three
of the Comcast business routers in my network.

The Netgear only stayed for one day - after about
10-15 minutes of "heavy" (~300kbit/s) DNS lookups
coming in from the outside, it was almost impossible
to make new TCP connections across the router, either
IPv4 or IPv6.

The SMC D3G-CCR mostly worked, except at some point
during the year, the fraction of traffic going over
IPv6 went high enough to wreck the D3G, causing it to
crash and reboot several times a day, without having
enough diagnostics for me to figure out what was going
on.

The Cisco DPC3941B seems to fail in pretty much the
same way as the SMC D3G-CCR, but it has enough
diagnostics that I could finally figure out what was
happening. With "Gateway Smart Packet Detection" disabled,
and the "Firewall completely disabled", the logs are
still showing tens of thousands of dropped IPv6 connections
every day.

In other words, the config options that supposedly disable
the firewall completely, do not in fact disable the firewall
code, and I am still hitting connection tracking limits.

DNS lookups coming from randomized port numbers (to avoid
spoofing issues) mean every DNS query takes up another slot
in the connection tracking table.

Once the table is full, the router will search for a
re-usable slot before routing a packet. This can cause
ping times to 10.1.10.1 (the router) to go as high as
800ms. This is from a system sitting 5ft from the router.

If the router does not find any re-usable slot in the
connection tracking table, packets can get lost.

This leads to the "fun" scenario where pinging the router
from a system directly connected to it shows 30% packet
loss, while streaming video over an already established
TCP stream continues at full speed!

Not a symptom I ever expected to see...

Bandy_Rush1 · November 29, 2016, 7:40pm

i am running my own (why rent at silly costs) dpc3008 and wfm.

randy

Mikael_Abrahamsson · November 29, 2016, 7:43pm

It's pretty obvious that the CPEs being sold for this "business service" isn't meant for the kind of service you run.

They're probably doing connection tracking for ACK optimization, this should not be done for UDP but it's still being done. They probably have a connection limit of a few thousand connections (not uncommon for these kinds of devices) and it's not possible to turn off what you need to turn off to make them work correctly.

Do you have any other options in your area for other ISPs that can offer a better service for you?

Otherwise you might hack around it by running an IPSEC/UDP tunnel to somewhere else where there isn't this kind of connection limit.

Luke_Guillory · November 29, 2016, 7:48pm

Because if you want static IPs from them you must rent one of the following.

Cisco DPC3939B or DPC3941B
Netgear CG3000DCR
SMC Networks SMCD3G

Luke Guillory
Network Operations Manager

Tel: 985.536.1212
Fax: 985.536.0300
Email: lguillory@reservetele.com

Reserve Telecommunications
100 RTC Dr
Reserve, LA 70084

Bryan_Holloway1 · November 29, 2016, 7:58pm

Not to mention that they "raised my rent" a few months ago by $5/mo, which is pretty ludicrous considering that a) it doesn't actually work as advertised, and b) it probably cost them $20-30 to purchase those SMCs wholesale in the first place. They've made their money on my CPE many many times over.

But that's just the way it is.

Jared_Mauch · November 29, 2016, 8:07pm

Can't do that with the business service. Oh well, to have choices.

Jared Mauch

Robert_Webb · November 29, 2016, 9:18pm

To clarify, you cannot rent AND have static IP's.

You can rent your own modem ofr business service when using dynamic IP's.

Robert Webb

TARDIS42 · December 3, 2016, 6:29pm

That's true - I had one of the SMC routers for many years when I had static
Business HSI service, and switched earlier this year to using a off the
shelf Arris (ex Motorola) Surfboard modems and dynamic IP on my BHSI
service... my IPv6 service has never been better.

Unless you have a static IP configuration - As long as it's on Comcast's
approved modem list they don't care what modem you use even if it's on
their business class service.

Best Wishes - Peter