Hello, folks! Tere from your customer FastVPS Eesti OU/AS198068! :)
On Mon, Dec 22, 2014 at 6:27 PM, Tarko Tikan <ta...@lanparty.ee> wrote: > hey, > > Some time ago, many people noticed rapid IPv6 deployment growth in Estonia > (from 0% to 5% in 4 weeks). We at 3249/Elion/Estonian Telecom were behind > this, other operators don't have any serious IPv6 deployments at the moment. > We rolled out v6 to everyone (both business and residential customers) with > last-gen CPE, there was no hop-in our hop-out program - aim was to do it > perfectly and without customers even noticing. I'm happy to say that we > achieved this goal :) > > To satisfy general interest, I promised small (somehow it turned out longer > than I expected) technical writeup how we enabled v6 for our subscribers. If > you have any other questions, feel free to ask and I do my best to answer > them. You can also skip the technical content and there are some statistics > below. > > > Our access network is mix of DSL/GPON/wimax/p2p-ETH and broadband service is > deployed in shared service vlans. IPv6 traffic shares vlan with IPv4. > > Service vlans are transported over MPLS metro network using pseudowires and > terminated in geo-clustered Alcatel 7750 BNG routers. > > Each subscriber is allocated up to 4 mixed v4 and v6 IP hosts. For v4 we are > using the usual DHCP, for IPv6 we are using DHCPv6 with IA_PD only, no IA_NA > is provided. Unfortunately DHCPv6 provides no way to signal IPv6 > default-route thus we have to fall back to RA for default-route. RA does not > include any on-link prefixes or DNS information. RAs are L2 unicasted to CPE > MAC so no other CPE in service vlan picks up those RAs. To ensure rapid > switchover between BNG routers, we are signalling virtual link-local address > as default-route. > > We are using ALU internal DHCP/DHCPv6 servers to allocate leases but we also > signal IP information from radius (in such case BNG "fakes" DHCP server) for > static IP customers. Provided IPv6 prefix is always /56 and we keep the old > lease for 24h even if the CPE is turned off (actual lease time is 30min). > > Unfortunately, IPv6 LDRA is not available on most of our access platforms so > we have to rely on IPv4 session information for authentication. This linking > is done in the radius server during subscriber authentication (excellent > radiator + quite awful SQL queries :) - if subscriber has IPv4 session (that > has been authenticated using DHCP opt82), same MAC address is allowed to > have IPv6 session on exactly the same virtual BNG port. IPv4 and v6 session > are both tied to same subscriber and share shapers, QOS etc. > > We were able to enable IPv6 only on our last-gen Inteno CPEs. They run > modified OpenWrt and because it's linux - everything is possible :) > > In CPE, /56 is divided up to /64s, first one is currently reserved but we > will configure it on loopback interface and use it for CPE management. > Second /64 is configured on LAN and third is configured on public wifi SSID > (if you choose to enable this option). > > In the LAN, IPv6 config is provided by RAs, we also support RDNSS and > stateless DHCPv6 for DNS. There is also ingress IPv6 firewall in the CPE and > configuration is modifiable by user. > > To make deployment as smooth as possible, we rolled out IPv6 capable CPE > software first. Then, during the BNG platform refresh, we deployed L2 ACLs > that dropped all IPv6 traffic based on 0x86dd ethertype. We then deployed > IPv6 config to all BNGs and could verify everything before single v6 lease > was handed out to the subscribers. > > Then, interface by interface, we replaced L2 ACL with one that only allowed > 0x86dd for certain, supported, OUIs. This is the current situation and we > are investigating ways to support 3rd party CPEs - main problem is > unreliable IPv6 config in CPEs. Many don't enable DHCPv6 (or enable NA but > no PD) but still pick up default-route from RA and happily signal it to LAN. > Some others hammer our BNGs with NA request every 0.1 seconds etc. > > > As statistics go, there are 30000+ active IPv6 subscribers (almost 15% of > our customer base, based on our public numbers), 81% of them have have at > least one IPv6 enabled device in the LAN, 70% have more than one. Most IPv6 > traffic is generated by Google+Youtube, Facebook and Akamai. Not bad for a > country with 1.3M people. > > Next up: mobile network :) > > -- > tarko -- Sincerely yours, Pavel Odintsov