RE: Court orders for blocking of streaming services

2022-05-08 Thread Philip Loenneker
I'm not very clear on the laws around much of this discussion, but I've been 
following this with interest.

I have a tongue-in-cheek question... if the documentation provided by the 
plaintiff to the court, and/or the court documentation including the final 
ruling, includes the specific URLs to the websites to block, does that 
constitute transmitting links to illegal content? They could not argue they 
didn't know the legal issues surrounding said links.

-Original Message-
From: NANOG On Behalf Of Masataka Ohta
Sent: Monday, 9 May 2022 11:55 AM
To: nanog@nanog.org
Subject: Re: Court orders for blocking of streaming services

Mel Beckman wrote:

You are confusing "illegal" and "guilty".

The first party publicly transmitting illegal contents or links to the contents 
are guilty, which means the links themselves are illegal.

But, DMCA makes some third party providers providing illegal contents or 
illegal links guilty only if some condition of DMCA is met.

Same for civil liability.

> You're incorrect about the DMCA when you say "DMCA treats 'linking' 
> to illegal contents as illegal as the contents themselves". 

See above.

> You must knowingly link to works that clearly infringe somebody's
> copyright.

Same is true if you are transmitting not links but the contents themselves.

> A link to the Israel.TV websites themselves is not to a specific work, so
> it's not covered by DMCA. So first, as long as you don't know that a work
> is infringing someone's copyright,

You totally miss the point of the order, though I wrote:

: As the order is to those "having actual knowledge of this Default
: Judgment and Permanent Injunction Order",

Masataka Ohta


RE: ISP data collection from home routers

2022-03-24 Thread Philip Loenneker
It sounds like the kind of data you can retrieve through TR-069. 

To be able to use it, you have to either log on to the router and set the 
TR-069 server, or push out the setting via DHCP, which means you need to have 
layer 2 access to the device. This limits the ability to apply/change the 
setting.

Yes, there is a scary amount of data you can collect, including the wifi name 
and password. You can also push out settings to the devices, which is the main 
purpose. If a customer calls up and says their wifi isn't working, you can 
reset the password for them and get them to try again rather than trying to 
talk them through how to do it themselves.


-Original Message-
From: NANOG On Behalf Of Giovane C. M. Moura via NANOG
Sent: Thursday, 24 March 2022 9:44 PM
To: North American Network Operators' Group 
Subject: ISP data collection from home routers

Hello there,

Several years ago, a friend of mine was working for a large telco and his job 
was to detect which clients had the worst networking experience.

To do that, the telco had this hadoop cluster, where it collected _tons_ of 
data from home users' routers, and his job was to use ML to tell the signal from 
the noise.

  I remember seeing a sample csv from this data, which contained _thousands_ of 
data fields (features) from each client.

I was _shocked_ by the amount of (meta)data they are able to pull from home 
routers. These even included your wifi network name _and_ password!
(it's been several years since then).

And home users are _completely_ unaware of this.

So my question to you folks is:

- What are the policy regulations on this? I don't remember the features
(thousands) but I'm pretty sure you could do some profiling with it.

- Is anyone aware of any public discussion on this? I have never seen it.

Thanks,

Giovane Moura


RE: (Free)RADIUS Front-End

2021-09-19 Thread Philip Loenneker
Splynx is a commercial product designed to be an entire package for running an 
ISP, including billing etc. It uses FreeRadius in the backend which chains into 
their own RADIUS system. Integration for MikroTik routers is very extensive, 
but we have had it working with a variety of other BNGs too including Cisco and 
Linux-based systems. You can add in RADIUS dictionaries and customise the 
router profiles via the GUI to send whatever VSAs you require, including for 
COA. The APIs on it are extensive, making automation of service provisioning 
relatively easy. The IPAM in it is fairly basic, primarily ensuring that you 
don't re-use IPs between multiple services. IPv6 support is included, but 
primarily for IPv6-PD rather than interface IPs, however I have managed to get 
a BNG to assign an IPv4 address, an IPv6 interface address and IPv6-PD all from 
the Splynx profile. The accounting is ok, allowing you to apply bandwidth caps 
on users if required, including different speeds for different times of day. 

www.splynx.com

-Original Message-
From: NANOG On Behalf Of Mark Tinka
Sent: Saturday, 18 September 2021 10:09 PM
To: Tyler Conrad ; n...@shrug.pw
Cc: NANOG list 
Subject: Re: (Free)RADIUS Front-End



On 9/17/21 19:26, Tyler Conrad wrote:
> +1 for Packetfence, was just typing up a reply about it. I've used it 
> for both standard dot1x as well as guest wired/wireless.

Thanks, Tyler.

My use-case is really for broadband subscriber management. Let me ping 
them and see what we can work out.

Mark.


RE: BGP and The zero window edge

2021-04-21 Thread Philip Loenneker
I'm not sure if this is helpful to this discussion or not, but I recently 
became aware of a bug in a virtual router using DPDK+VPP which sounds like it 
could possibly produce a similar issue to what is being described, without the 
TCP window being a factor.

The system used the same process to read and process the messages coming in to 
the netlink socket. When a large BGP update was being processed it was possible 
that the netlink buffer was being filled while previous updates were being 
processed. This caused some route updates to not be processed, not applied to 
the VPP FIB, and so they became stuck. The particular vendor I spoke to about 
this issue resolved this by giving priority to reading and storing the messages 
for processing, and asynchronously processing those messages in batches. 

I can share additional details off-list if anyone thinks this could be related 
to the problem.

-Original Message-
From: NANOG On Behalf Of Job Snijders via NANOG
Sent: Thursday, 22 April 2021 9:25 AM
To: Jakob Heitz (jheitz) 
Cc: nanog@nanog.org
Subject: Re: BGP and The zero window edge

On Wed, Apr 21, 2021 at 09:22:57PM +, Jakob Heitz (jheitz) wrote:
> I'd like to get some data on what actually happened in the real cases 
> and analyze it.
>
> [snip]
> 
> TCP zero window is possible, but many other things could cause it too.

Indeed. There could be a number of reasons that caused it.

Switching away from TCP win=0 towards "Zombie Routes":

*RIGHT NOW* (at the moment of writing), there are a number of zombie routes 
visible in the IPv6 Default-Free Zone:

One example is 
http://lg.ring.nlnog.net/prefix_detail/lg01/ipv6?q=2a0b:6b86:d15::/48

2a0b:6b86:d15::/48 via:
BGP.as_path: 204092 57199 35280 6939 42615 42615 212232
BGP.as_path: 208627 207910 57199 35280 6939 42615 42615 212232
BGP.as_path: 208627 207910 57199 35280 6939 42615 42615 212232
(first announced April 15th, last withdrawn April 15th, 2021)

Another one is 
http://lg.ring.nlnog.net/prefix_detail/lg01/ipv6?q=2a0b:6b86:d24::/48

2a0b:6b86:d24::/48 via:
BGP.as_path: 201701 9002 6939 42615 212232
BGP.as_path: 34927 9002 6939 42615 212232
BGP.as_path: 207960 34927 9002 6939 42615 212232
BGP.as_path: 44103 50673 9002 6939 42615 212232
BGP.as_path: 208627 207910 34927 9002 6939 42615 212232
BGP.as_path: 3280 34927 9002 6939 42615 212232
BGP.as_path: 206628 34927 9002 6939 42615 212232
BGP.as_path: 208627 207910 34927 9002 6939 42615 212232
(first announced March 24th, last withdrawn March 24th, 2021)

Just now, I literally rebooted the BGP speaker behind lg.ring.nlnog.net to 
ensure that those routes are not stuck in the BGP looking glass itself. 

2a0b:6b86:d24::/48 was first announced on March 24th, 2021, and withdrawn at 
the end of March 24th, 2021 by the originator, and now almost a month later, 
this prefix still is visible in the default-free zone despite WITHDRAW messages 
having been sent and the AS 212232 operator confirming they are not announcing 
that IP prefix anywhere.

I checked the AS 6939 Looking glass, but the d24::/48 route is not visible in 
the http://lg.he.net/ web interface. This leads me to believe the route got 
stuck somewhere along the way in either of 201701, 204092, 206628, 207910, 
207960, 208627, 3280, 34927, 35280, 44103, 50673, 57199, and/or 9002.

This implies there indeed might be multiple reasons a BGP route gets stuck 
('stuck' as in - a WITHDRAW was not generated, or ignored). Perhaps on any one 
of these edges there is a very high Out Queue for one reason or another:

34927 9002
206628 34927
44103 50673
207960 34927
3280 34927
9002 6939
201701 9002
208627 207910

I'm not sure all these sightings of stuck routes can be pinpointed to 

RE: cheap MPLS router recommendations

2020-10-27 Thread Philip Loenneker
While I like MikroTik, I don’t recommend anyone uses it for MPLS.
There are problems with the way they handle labels that causes random 
connectivity issues, and can crash MPLS devices from other vendors. That’s from 
experience.
As an example, check out this post which was started back in 2013 and is still 
an issue in 2020:
https://forum.mikrotik.com/viewtopic.php?t=73820

Regards,
Philip

From: NANOG On Behalf Of Tony Wicks
Sent: Thursday, 22 October 2020 8:19 AM
To: adamv0...@netconsultings.com
Cc: 'NANOG' 
Subject: RE: cheap MPLS router recommendations

Right, well in that price/performance range you either “roll your own” or this 
is your best option IMHO - 
https://mikrotik.com/product/CCR1072-1G-8Splus
  and I’d pick the Mikrotik every time.



From: NANOG <nanog-bounces+tony=wicks.co...@nanog.org> On Behalf Of adamv0...@netconsultings.com
Sent: Thursday, 22 October 2020 9:28 am
To: 'Colton Conor' <colton.co...@gmail.com>; t...@pelican.org
Cc: 'NANOG' <nanog@nanog.org>
Subject: RE: cheap MPLS router recommendations

Just to clarify what cheap means, ideally
-$2000 to $4000 new
-new is preferred as buying used kit on second hand market one is at the mercy 
of the price fluctuations and availability.

And the likes of the M2400 looks good 4x10G plus some 1G, unfortunately there 
are no details on the webpage (and the datasheet can’t be downloaded… )

Are there more folks out there bundling open NOS and white-box HW along with 
the support for the whole thing?


adam


RE: Linux router network cards

2020-10-20 Thread Philip Loenneker
Hi Micah,

Take a look at the Mellanox ConnectX 5 series of cards. They handle DPDK, 
PVRDMA (basically SR-IOV that allows live migration between hosts), and can 
even process packets within the NIC for some models. They did a fantastic 
presentation at AusNOG 2019 which showed off a lot of the features. We tried 
some out with VMware and could get 20Gbps throughput (limited by the 2x 10G 
NICs we had configured) to a VM running Linux with DPDK+VPP.

The slidedeck for the presentation is here:
https://www.ausnog.net/sites/default/files/ausnog-2019/presentations/1.9_Rhod_Brown_AusNOG2019.pdf

It's heavily targeting virtualised workloads but some of the feature sets apply 
to bare-metal uses too.

Regards,
Philip Loenneker | Senior Network Engineer | TasmaNet

-Original Message-
From: NANOG On Behalf Of micah anderson
Sent: Wednesday, 21 October 2020 2:37 PM
To: nanog@nanog.org
Subject: Linux router network cards


I'm looking around for networking cards to build a linux based router. It needs 
to be able to do XDP, multiqueues, have good in-kernel driver support and be 
able to handle 10Gbe with good offloading for dealing with high packets per 
second.

What features should I be looking for to really optimize things for a three 
transit setup, with full tables.

Something like the Intel XL710-QDA2 card maybe?

-- 
micah



RE: MAP-E

2019-08-04 Thread Philip Loenneker
Moving away from the discussion around what technology people may choose to go 
with, and instead what CPEs may be suitable...

I know this is 464XLAT rather than MAP-E that was originally requested, but 
recent versions of D-Link firmware, eg for the DVA-2800, include the CLAT 
functionality. My testing in November last year showed that it only partially 
worked, with the traceroutes to 64:ff9b::1.1.1.1 working, but it would not 
automatically translate a traceroute to 1.1.1.1 to the IPv6 version. There have 
been a few new revisions since then and it is on my to-do list to re-test 
things, but I haven't had the time. 

It is also worth noting that, in the original firmware revision I tested, I had 
to manually enter the URL for the CLAT configuration screen. It simply wasn't 
on the menu. On another version, it had a link to DS-Lite configuration, and 
from there you get a link to the CLAT options. It is possible that other 
devices and/or vendors also have this option, or options for similar 
technologies such as MAP-E, but they just don't have a link to it in the 
interface.

-Original Message-
From: NANOG  On Behalf Of Masataka Ohta
Sent: Monday, 5 August 2019 11:07 AM
To: nanog@nanog.org
Subject: Re: MAP-E

Baldur Norddahl wrote:

> Or the case of Playstation network. Yes they WILL blacklist your CGN 
> just the same as they can blacklist a shared MAP ip address. Except it 
> affects more users.

If IP address sharing by blocks of ports becomes common and there is typical 
block size (say, 1024), blacklisting will be done block-wise.

Masataka Ohta


RE: Network Speed Testing and Monitoring Platform

2019-01-20 Thread Philip Loenneker
Hi Colton,

Sorry for getting your name switched around last time, I only just noticed that!

A specific TR-069 implementation that I know has the speed test function is UMP 
Cloud, however I’m not sure exactly how it does it. You can see their spiel 
here:
https://www.avsystem.com/products/cloud-ump/

That said, TR-143 includes a time-based throughput test, so that you can test 
for a defined number of seconds instead of a particular file size. That should 
allow you to suitably test any speed service. Refer to section 4.3 in the 
following document:
https://www.broadband-forum.org/technical/download/TR-143.pdf

Regards,
Philip Loenneker | Network Engineer | TasmaNet


From: Colton Conor 
Sent: Saturday, 19 January 2019 1:34 AM
To: Philip Loenneker 
Cc: NANOG 
Subject: Re: Network Speed Testing and Monitoring Platform

Philip,

Which TR-069 tools are you referring to? I looked at TR-143, but it's my 
understanding it downloads a small file (like 50MB) from the TR-069 server to 
the CPE's ram. Then uploads the file back. Unfortunately I couldn't see how 
this would reliably test 1Gbps connections. Can you increase the file size? 
Most of these modems have like 128MB ram right now?

On Thu, Jan 17, 2019 at 5:07 PM Philip Loenneker 
<philip.loenne...@tasmanet.com.au> wrote:
Connor,

If you use the Traffic Generator tool instead of the Bandwidth Test tool built 
into MikroTik, you can definitely flood a 1Gbps link. However it requires the 
device to receive the packets that it has sent out, so it’s only viable for 
links with the same up/down speed.

We have been investigating some TR-069 platforms, and several of those offer 
speed test functionality built in. This means our helpdesk guys can just click 
a few buttons to trigger it, it only talks to the CPE (nothing on customer 
LAN), and people don’t need to know how to configure the test other than “click 
here”. TR-069 also has a lot of other advantages which you can easily discover 
with a quick search.

Regards,
Philip Loenneker | Network Engineer | TasmaNet

From: NANOG <nanog-boun...@nanog.org> On Behalf Of Colton Conor
Sent: Friday, 18 January 2019 12:17 AM
To: James Bensley <jwbens...@gmail.com>
Cc: NANOG <nanog@nanog.org>
Subject: Re: Network Speed Testing and Monitoring Platform

All, thanks for the recommendations both on and off list.

It has been brought to my attention that a Mikrotik has a bandwidth speed test 
tool built into their operating system. Someone recommended a 
https://mikrotik.com/product/hap_ac2 for MSRP of $69. The release notes of the 
newest version say:

!) speedtest - added "/tool speed-test" for ping latency, jitter, loss and TCP 
and UDP download, upload speed measurements (CLI only);
*) btest - added multithreading support for both UDP and TCP tests;

Do you think this device can push a full 1Gbps connection? It does have a quad 
core Qualcomm processor.

Besides mikrotik, I haven't found anything that doesn't require me to build a 
solution. Like OpenWRT with iperf3, or something like that.

Seems like a commercial solution would exist for this.  I thought CAF providers 
have to test bandwidth for the FCC randomly to get funding?

On Thu, Jan 17, 2019 at 2:59 AM James Bensley <jwbens...@gmail.com> wrote:
On Wed, 16 Jan 2019 at 16:54, Colton Conor <colton.co...@gmail.com> wrote:
>
> As an internet service provider with many small business and residential 
> customers, our most common tech support calls are speed related. Customers 
> complaining on slow speeds, slowdowns, etc.
>
> We have a SNMP and ping monitoring platform today, but that mainly tells us 
> up-time and if data is flowing across the interface. We can of course see the 
> link speed, but customers call in saying they are not getting that speed.
>
> We are looking for a way to remotely test customers' internet connections 
> besides telling the customer to go to speedtest.net, or 
> worse sending a tech out with a laptop to do the same thing.
>
> What opensource and commercial options are out there?

Hi Colton,

In the past I have used CPEs which support remote loopback. When the
customer complains we enable remote loopback, send the traffic to that
customer's connection (rather than requiring a CPE that can generate
the traffic or having an on site device) and measure what comes
back.

Cheers,
James.


RE: Network Speed Testing and Monitoring Platform

2019-01-17 Thread Philip Loenneker
Connor,

If you use the Traffic Generator tool instead of the Bandwidth Test tool built 
into MikroTik, you can definitely flood a 1Gbps link. However it requires the 
device to receive the packets that it has sent out, so it’s only viable for 
links with the same up/down speed.

We have been investigating some TR-069 platforms, and several of those offer 
speed test functionality built in. This means our helpdesk guys can just click 
a few buttons to trigger it, it only talks to the CPE (nothing on customer 
LAN), and people don’t need to know how to configure the test other than “click 
here”. TR-069 also has a lot of other advantages which you can easily discover 
with a quick search.

Regards,
Philip Loenneker | Network Engineer | TasmaNet

From: NANOG  On Behalf Of Colton Conor
Sent: Friday, 18 January 2019 12:17 AM
To: James Bensley 
Cc: NANOG 
Subject: Re: Network Speed Testing and Monitoring Platform

All, thanks for the recommendations both on and off list.

It has been brought to my attention that a Mikrotik has a bandwidth speed test 
tool built into their operating system. Someone recommended a 
https://mikrotik.com/product/hap_ac2 for MSRP of $69. The release notes of the 
newest version say:

!) speedtest - added "/tool speed-test" for ping latency, jitter, loss and TCP 
and UDP download, upload speed measurements (CLI only);
*) btest - added multithreading support for both UDP and TCP tests;

Do you think this device can push a full 1Gbps connection? It does have a quad 
core Qualcomm processor.

Besides mikrotik, I haven't found anything that doesn't require me to build a 
solution. Like OpenWRT with iperf3, or something like that.

Seems like a commercial solution would exist for this.  I thought CAF providers 
have to test bandwidth for the FCC randomly to get funding?

On Thu, Jan 17, 2019 at 2:59 AM James Bensley <jwbens...@gmail.com> wrote:
On Wed, 16 Jan 2019 at 16:54, Colton Conor <colton.co...@gmail.com> wrote:
>
> As an internet service provider with many small business and residential 
> customers, our most common tech support calls are speed related. Customers 
> complaining on slow speeds, slowdowns, etc.
>
> We have a SNMP and ping monitoring platform today, but that mainly tells us 
> up-time and if data is flowing across the interface. We can of course see the 
> link speed, but customers call in saying they are not getting that speed.
>
> We are looking for a way to remotely test customers' internet connections 
> besides telling the customer to go to speedtest.net, or 
> worse sending a tech out with a laptop to do the same thing.
>
> What opensource and commercial options are out there?

Hi Colton,

In the past I have used CPEs which support remote loopback. When the
customer complains we enable remote loopback, send the traffic to that
customer's connection (rather than requiring a CPE that can generate
the traffic or having an on site device) and measure what comes
back.

Cheers,
James.


RE: Stupid Question maybe?

2018-12-18 Thread Philip Loenneker
I had a heck of a time a few years back trying to troubleshoot an issue where 
an upstream provider had an ACL with an incorrect mask along the lines of 
255.252.255.0. That was really interesting to talk about once we discovered it, 
though it caused some loss of hair beforehand...

-Original Message-
From: NANOG On Behalf Of Grant Taylor via NANOG
Sent: Wednesday, 19 December 2018 10:27 AM
To: nanog@nanog.org
Subject: Re: Stupid Question maybe?

On 12/18/2018 03:12 PM, David Edelman wrote:
> I seem to remember that before the advent of VLSM and CIDR there was 
> no requirement for the 1 bits in the netmask to be contiguous with no 
> intervening 0 bits and there was always someone who tested it out on a 
> production network just to prove a point (usually only once)

I would love to hear some confirmation of this, or even first hand 
experience.

/Mainly/ for historical / trivial purposes.  (Don't ask, don't tell.)



-- 
Grant. . . .
unix || die
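
The mask quoted above, 255.252.255.0, has a 0 bit inside its run of 1 bits, so it no longer describes one contiguous range. As an added example (not part of the original thread), this Python audit flags such masks in ACL text and expands each one into the prefixes it really matches; the ACL syntax, the sample lines and the rule that a mask with its top bit clear is a wildcard (inverse) mask are assumptions.

```python
import ipaddress
import re

# Constructed sample ACL (generic "action proto address mask any" syntax, not
# taken from the thread). Line 2 carries the mask quoted in the message above.
SAMPLE_ACL = """\
permit ip 10.20.0.0 255.255.252.0 any
permit ip 10.20.0.0 255.252.255.0 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 198.51.100.0 0.0.3.0 any
"""

QUAD = r"(?:\d{1,3}\.){3}\d{1,3}"
ADDR_MASK = re.compile(rf"\b({QUAD})\s+({QUAD})\b")
FULL = 0xFFFFFFFF


def as_netmask(mask: int) -> int:
    """Normalise to netmask form (1 = bit must match).

    Assumption: a mask whose top bit is clear is a wildcard (inverse) mask.
    """
    return mask if mask & 0x80000000 else ~mask & FULL


def is_contiguous(netmask: int) -> bool:
    """True when the netmask is a run of 1 bits followed only by 0 bits."""
    inverse = ~netmask & FULL
    return inverse & (inverse + 1) == 0


def matched_prefixes(addr: int, netmask: int, limit: int = 1024):
    """Expand address/netmask into the CIDR blocks it really matches."""
    inverse = ~netmask & FULL
    # Trailing don't-care bits form the host part of every block.
    host_bits = 0
    while host_bits < 32 and inverse >> host_bits & 1:
        host_bits += 1
    # Any other don't-care bit is a "hole" inside the network part.
    holes = [b for b in range(host_bits, 32) if inverse >> b & 1]
    if 2 ** len(holes) > limit:
        raise ValueError("too many blocks to enumerate")
    base = addr & netmask
    blocks = []
    for combo in range(2 ** len(holes)):
        value = base
        for i, bit in enumerate(holes):
            if combo >> i & 1:
                value |= 1 << bit
        blocks.append(ipaddress.IPv4Network((value, 32 - host_bits)))
    return sorted(blocks)


def audit(acl_text: str):
    """Return (line_no, mask, blocks) for every non-contiguous mask."""
    findings = []
    for line_no, line in enumerate(acl_text.splitlines(), start=1):
        for addr_s, mask_s in ADDR_MASK.findall(line):
            addr = int(ipaddress.IPv4Address(addr_s))
            netmask = as_netmask(int(ipaddress.IPv4Address(mask_s)))
            if not is_contiguous(netmask):
                findings.append(
                    (line_no, mask_s, matched_prefixes(addr, netmask)))
    return findings


if __name__ == "__main__":
    for line_no, mask, blocks in audit(SAMPLE_ACL):
        print(f"line {line_no}: mask {mask} is non-contiguous, matches "
              f"{len(blocks)} blocks: {', '.join(map(str, blocks))}")
```

On the sample, line 1 (a correct /22) passes, while line 2 with the transposed octet is reported as matching 10.20.0.0/24 through 10.23.0.0/24, which is the kind of mismatch that is hard to spot by eye.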



RE: new(ish) ipv6 transition tech status on CPE

2018-10-11 Thread Philip Loenneker
Hi Tom,

CGNAT is the most supported by the technology available in pretty much every 
device. Even keeping an audit trail of IP/port mappings is relatively easy 
(look into deterministic NAT – it will save you a lot of headache). You can 
likely lab it up with gear you already have, unlike the newer transition 
technologies that we’ve been discussing.

However, from my experience, the customer impact of going through 2 layers of 
NAT (NAT44) causes a lot of unhappy customers. I enabled it on my home 
connection for a few weeks to see how it went, and I was surprised that a lot 
of things just worked… Youtube, Netflix, etc had no issues. But there were key 
things such as Facebook Messenger voice and video calls that broke, which 
caused my family to get rather upset with me. Console gaming is also a common 
area of problems. For these types of Internet services, the profit margin can 
get eaten up quickly by the helpdesk calls.

As a side note, from internal discussions here (ie speculation, no real 
evidence to back it up), home users are likely to be impacted far more than 
business users, due to the difference in usage.

Regards,
Philip

From: NANOG  On Behalf Of Tom Ammon
Sent: Friday, 12 October 2018 2:39 PM
To: NANOG 
Subject: Re: new(ish) ipv6 transition tech status on CPE


On Wed, Oct 10, 2018 at 3:08 PM Brock Tice <br...@bmwl.co> wrote:
On 10/09/2018 06:24 PM, Philip Loenneker wrote:
> I have asked several vendors we deal with about the newer technologies
> such as 464XLAT, and have had some responses indicating they will
> investigate internally, however we have not made much progress yet. One
> vendor suggested their device supports NAT46 and NAT64 so may support
> 464XLAT, but since it is incidental rather than an official feature, it
> may not support the full CLAT requirements. I have been meaning to do
> some tests but haven’t had a chance yet. It is also a higher price point
> than our current CPEs.
>
>
>
> I have spoken to people who have looked into options such as OpenWRT
> (which supports several of these technologies), however the R&D and
> ongoing support is a significant roadblock to overcome.
>

We looked into this somewhat intently ~6 months ago and had not much
luck from vendors. Barely on their radar if at all.

We used our own custom OpenWRT build on a few select, tested consumer
routers to do 464XLAT. In the end we went to dual-stack with CGN on
IPv4. I wrote up some documentation on how we did it on my blog, but in
the end I can't recommend the setup we used.

I would love RouterOS and (various mfgr) CPE support for 464XLAT, then I
would be ready to give it another shot.

It sounds like I am where you were 6 months ago. We've been looking at NAT64, 
MAP-T, potentially 464XLAT, and then dual stack with CGN on the v4 side. What 
did you experience with the dual-stack/CGN approach that keeps you from 
recommending it? Academically, that setup seems the least fraught with problems 
among all of the options.




--
-
Tom Ammon
M: (801) 784-2628
thomasam...@gmail.com
-
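
Deterministic NAT, mentioned above as the way to keep an audit trail of IP/port mappings, fixes each subscriber's public address and port block by arithmetic, so an abuse report can be resolved to a subscriber without per-flow logs. This is an added Python example (not from the thread, and not any vendor's algorithm); the address ranges, the 1008-port block size, the mapping layout and the report line format are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class DetNat:
    """Hypothetical deterministic CGNAT plan: one fixed port block per subscriber."""
    inside: ipaddress.IPv4Network    # subscriber-facing range behind the CGN
    outside: ipaddress.IPv4Network   # public pool
    first_port: int = 1024           # ports below this are never handed out
    block_size: int = 1008           # 64 blocks of 1008 ports fill 1024-65535

    def __post_init__(self):
        capacity = self.outside.num_addresses * self.subs_per_ip
        if self.inside.num_addresses > capacity:
            raise ValueError("outside pool too small for inside range")

    @property
    def subs_per_ip(self) -> int:
        return (65536 - self.first_port) // self.block_size

    def forward(self, inside_ip):
        """Subscriber address -> (public address, first port, last port)."""
        ip = ipaddress.IPv4Address(inside_ip)
        if ip not in self.inside:
            raise ValueError(f"{ip} is not in {self.inside}")
        index = int(ip) - int(self.inside.network_address)
        pub_index, slot = divmod(index, self.subs_per_ip)
        low = self.first_port + slot * self.block_size
        return self.outside[pub_index], low, low + self.block_size - 1

    def reverse(self, public_ip, port: int):
        """(public address, source port) -> subscriber address, or None."""
        ip = ipaddress.IPv4Address(public_ip)
        if ip not in self.outside:
            raise ValueError(f"{ip} is not in {self.outside}")
        top = self.first_port + self.subs_per_ip * self.block_size
        if not self.first_port <= port < top:
            return None  # port outside every allocated block
        pub_index = int(ip) - int(self.outside.network_address)
        slot = (port - self.first_port) // self.block_size
        index = pub_index * self.subs_per_ip + slot
        if index >= self.inside.num_addresses:
            return None  # block exists in the plan but has no subscriber
        return self.inside[index]


# Constructed abuse-report lines: "timestamp public_ip:port -> destination".
SAMPLE_REPORTS = [
    "2018-10-12T03:14:07Z 203.0.113.4:7000 -> 198.51.100.25:443",
    "2018-10-12T03:15:41Z 203.0.113.0:1024 -> 198.51.100.25:443",
    "2018-10-12T03:16:02Z 203.0.113.9:80 -> 198.51.100.25:443",
]
REPORT = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+):(\d+) -> ")


def attribute(nat: DetNat, report_lines):
    """Resolve each report line to (timestamp, subscriber address or None)."""
    results = []
    for line in report_lines:
        match = REPORT.match(line)
        if match:
            timestamp, public_ip, port = match.groups()
            results.append((timestamp, nat.reverse(public_ip, int(port))))
    return results


PLAN = DetNat(ipaddress.ip_network("100.64.0.0/22"),
              ipaddress.ip_network("203.0.113.0/28"))

if __name__ == "__main__":
    print(PLAN.forward("100.64.1.5"))
    for timestamp, subscriber in attribute(PLAN, SAMPLE_REPORTS):
        print(timestamp, subscriber)
```

The mapping only works as an audit trail if the report includes the source port; an address alone identifies 64 subscribers under this plan.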


RE: new(ish) ipv6 transition tech status on CPE

2018-10-10 Thread Philip Loenneker
Hi Tom,

This article is now 11 months old, but may be of interest to you:
https://blog.apnic.net/2017/11/09/ce-vendors-share-thoughts-ipv6-support/

Some quotes:

  *   The major issue is the lack of support provided by CE vendors for both 
older (DS-Lite, lw4o6), and newer (464XLAT, MAP T/E) transition mechanisms. 
Some vendors provide it ‘on-demand’ for big customers, but small and medium 
ISPs don’t have the same purchasing capability, creating a big issue for 
deployment.
  *   All panellists said their service providers’ products supported lw4o6, 
MAP-E/T, and 464XLAT, but because of the lack of support for these mechanisms 
in RFC7084, it is not standard in retail CE.
  *   There are no new hardware requirements that will exclude vendors 
supporting all these transitions mechanisms — it is really a matter of very few 
kilobytes.
  *   The panel agreed that minimum orders were not considered when 
implementing these mechanisms. For them, the fact is that IPv6 needs to be 
implemented, and there is a need to support new transition mechanisms and 
support service providers and retail users. Also, there is a need for products 
to pass some certification requirements (again the idea of RFC7084-bis is 
strongly supported by the panellists).

Telstra did a presentation at AusNOG back in September discussing their IPv6 
implementation which was really great to see. They have their own branded CPEs 
with 464XLAT. Unfortunately I don’t think there is a video of it, only a rather 
short slide deck. You can see it here:
https://www.ausnog.net/sites/default/files/ausnog-2018/presentations/2.8_David_Woolley_AusNOG2018.pdf

I have asked several vendors we deal with about the newer technologies such as 
464XLAT, and have had some responses indicating they will investigate 
internally, however we have not made much progress yet. One vendor suggested 
their device supports NAT46 and NAT64 so may support 464XLAT, but since it is 
incidental rather than an official feature, it may not support the full CLAT 
requirements. I have been meaning to do some tests but haven’t had a chance 
yet. It is also a higher price point than our current CPEs.

I have spoken to people who have looked into options such as OpenWRT (which 
supports several of these technologies), however the R&D and ongoing support is 
a significant roadblock to overcome.

I would like to hear how others are implementing these transition technologies.

Regards,
Philip


From: NANOG  On Behalf Of Tom Ammon
Sent: Sunday, 7 October 2018 12:59 PM
To: NANOG 
Subject: new(ish) ipv6 transition tech status on CPE

Are there any CPE vendors providing MAP-T features yet? I'm working on rolling 
v6 to residential subscribers and am trying to understand what the landscape 
looks like on the CPE side, for MAP-T specifically.

What about 464XLAT on a CPE - is that a thing? I know that 464XLAT has been 
running for a while on some mobile provider networks, but are there any vendors 
out there with a decent/mature CLAT implementation in a CPE product that is 
ready to buy right now?

Thanks,
Tom

--
-
Tom Ammon
M: (801) 784-2628
thomasam...@gmail.com
-