[192836] in North American Network Operators' Group


Comcast business IPv6 vs rbldnsd & PSBL

daemon@ATHENA.MIT.EDU (Rik van Riel)
Mon Nov 28 19:49:15 2016

X-Original-To: nanog@nanog.org
From: Rik van Riel <riel@surriel.com>
To: nanog@nanog.org
Date: Mon, 28 Nov 2016 13:46:19 -0500
Errors-To: nanog-bounces@nanog.org



First of all, kudos to Comcast for trying to roll out IPv6 across
their entire network. Static IPv6 netblocks seem to be available
for Comcast business users, and IPv6 is enabled unconditionally
in the CPE routers used by Comcast business class internet.

Unfortunately, the software in the two available CPE routers
(SMC & Cisco) is horribly broken when it comes to IPv6.

The TL;DR summary: even when IPv6 firewalling is disabled in
the configuration, the router still tracks every IPv6 "connection",
which causes every single DNS lookup to fill up a slot in its
connection tracking table.

The router's logs say it blocks tens of thousands of IPv6
connections every day, despite firewalling being "disabled" on
the router.

Once the connection tracking table fills up, both IPv6 and IPv4
start having trouble, with packet loss on ICMP, high ping times
to the local router (and the internet), and new connections not
establishing. The router randomly crashes and reboots too,
sometimes multiple times a day.

This ends up breaking both IPv6 and IPv4.

It only takes about 300kbit/s of DNS traffic to trigger the bug,
in both the SMC and the Cisco routers.

Are there any Comcast NOC or other technical people present who
could help?

I am interested both in helping resolve the firmware issues in
the routers (there will no doubt be other customers who hit this
in the future, as IPv6 becomes more common) or, if that is not an
option, finding some way to avoid the issue.


http://forums.businesshelp.comcast.com/t5/Equipment-Modems-Gateways/Cisco-DPC3941B-slows-to-a-crawl-and-crashes-several-times-a-day/td-p/30807

-- 
All Rights Reversed.