IPv6 Native with Telstra, Australia
-
@derelict said in IPv6 Native with Telstra, Australia:
@randomaustralian said in IPv6 Native with Telstra, Australia:
I was considering paying for a Netgate support subscription to get the results I was after.
With an uncooperative ISP who needs special sauce there is probably not a lot we could have done. Paying a local consultant who is familiar with Telstra would have probably been a better bet.
I think that's a little unfair. Telstra wasn't uncooperative, and the theory I posted above turned out to be accurate. The system tunables changes address the ICMPv6 flow neighbor solicit. And part of my theory was built on information supplied by Telstra and the other part built on packet captures. Telstra didn't need to give me that information, but the guy did. It's just that I didn't pay enough attention to it at the time and I (amongst others) got hung up on one UDP packet rather than looking at the bigger picture.
-
@larrikin For you perhaps. Sounds like you have a special friend that is not what everyone's experience is.
-
Telstra chose to be different and refuse to document that difference.
-
@derelict said in IPv6 Native with Telstra, Australia:
@larrikin For you perhaps. Sounds like you have a special friend that is not what everyone's experience is.
Well, again, to defend Telstra... I simply posted a problem once I was having in a public forum. A back of house Telstra person personally reached out to me in a private chat message providing his work email address and fixed the issue. He gave me his mobile number and we also spoke on the phone.
He also asked not to be named publicly at the time for that, he was just happy to resolve it. That's how he became my contact. Because of his initiative.
Reading his posts, I'm not the only one he has helped.
-
If you search this forum for
net.inet6.icmp6.nd6_onlink_ns_rfc4861
you will find this thread. No other ISP in the world is known to require that default be changed.
-
@derelict the problem with Telstra in my experience has always been that there's two sides to their company - there's some great people there who are extremely knowledgeable on the business side as @Larrikin proves through his contact (and I've got similar contacts at Telstra too).
But the Consumer side of Telstra and especially the Level 1 Support are more than often terrible and to @randomaustralian's point as soon as you tell them you're not using the supplied Gateway at that point they are completely off-script and completely useless.
-
@derelict said in IPv6 Native with Telstra, Australia:
Telstra chose to be different and refuse to document that difference.
Different to what? My issue with IPv6 is that it's incredibly complex compared to IPv4, and there are many ways to implement it and still be compliant to the standard.
I agree it would be nice for Telstra to document how they run IPv6, but they have made a commercial decision that if you sign up with them, you use their router. Everything that has been done has been unofficial. If we don't like it, then we find another ISP. I'm not arguing that Telstra is right in their approach, it's just the decision they have taken.
They are by far the largest ISP in Australia - they own the market. And that means most people are standard "mums and dads" who just want an end to end service supported - so Telstra can support the router as well given that they control it.
Anyhow, I guess in summary, in part I agree with you in that I'd like them to publish this information, but the moment they do, they are creating a rod for their own back for then getting sucked into supporting third party routers which goes against the grain of the company's position.
I also keep coming back to IPv6 is a very complex beast. Even if they did publish more info on it, each vendor has different ways to configure it, so what then?
-
That is true for all ISPs. It is particularly problematic when an ISP chooses to deploy something that requires special treatment and is silent about what that special treatment is.
-
Giving people the information necessary to configure their own routers is not stabbing themselves in the back.
They can still say "use our router or we're going to hang up on you."
-
@derelict said in IPv6 Native with Telstra, Australia:
If you search this forum for
net.inet6.icmp6.nd6_onlink_ns_rfc4861
you will find this thread. No other ISP in the world is known to require that default be changed.
Goes to show you how good @Bigmaccius is in finding that particular tunable and getting it working :). I'd rather focus on the positive. This thread started asking the community for help. And it delivered (along with a contact at Telstra). Now we have a publicly available Wiki that shows exactly how to get it working.
To me, that is the true story here.
For future, as IPv6 gets further deployed (and it's accelerating now) this situation is going to happen time and time again with other ISPs around the world. If I were Netgate (for the thousandth time), I'd be documenting all of these wikis, put them all in one place so as the community works out how each ISP works, they can go to a Netgate page and look up their ISP.
If their ISP is missing, that's a commercial opportunity for Netgate to monetise helping people sort these things out.
-
And zero burden placed on the ISPs who, in the vast majority of cases, are the ones actually getting paid $$
-
@derelict said in IPv6 Native with Telstra, Australia:
Giving people the information necessary to configure their own routers is not stabbing themselves in the back.
They can still say "use our router or we're going to hang up on you."
But my issue is still that each vendor configures things differently. The thing is, we actually got the information from Telstra. It just didn't register to any of us the importance of it at the time. Why? Because we didn't know that it directly aligned us to the system tunables section did it? As you said yourself, it's an obscure setting. Is that Telstra or pfSense? Why does Ubuntu work straight out of the box?
The reality is it's a combination of everything and bringing it all together to make it work. That took time and patience, further packet captures to work out how that specifically applied to FreeBSD and pfSense.
I'm not sure that had Telstra provided us any more info, we would have gotten here any faster.
This is complex. pfSense is complex. IPv6 is complex. Other vendors configure IPv6 differently due to complexity.
-
@derelict said in IPv6 Native with Telstra, Australia:
And zero burden placed on the ISPs who, in the vast majority of cases, are the ones actually getting paid $$
I don't know how many times to say the same thing. Netgate has an opportunity to make money here. Ethically, fairly, and appropriately. It should productise an IPv6 consulting service separate to its support contract.
If Netgate choose not to do that, then it's a lost opportunity for Netgate to make money too.
-
Thanks @Larrikin - the interesting thing for me with this security fix in FreeBSD that is controlled by the
net.inet6.icmp6.nd6_onlink_ns_rfc4861
option is that it (as stated by the authors of the fix here) "causes IPv6 Neighbor Discovery Neighbor Solicitation messages from non-neighbors to be ignored".
To understand this we need to understand what is a "neighbour" and what is a "non-neighbour" - as far as I can tell any host with a link-local address (starting with fe80::) is a neighbour (since those addresses are not-routable), and therefore anything else can be considered a non-neighbour.
So back when we were trying to get pfSense talking to Telstra, we kept seeing this type of solicitation (from a non link-local address on Telstra's side):
22:15:10.179879 IP6 2001:8003:0:bdf:f0:3:9:0 > ff02::1:ffe7:b52f: ICMP6, neighbor solicitation, who has fe80::20c:29ff:fee7:b52f, length 32
The question for Telstra could be here, why are you sending a neighbour solicitation from a non link-local address? Could this be a simple case that they have not configured the source IPv6 addressing properly?
And even better if FreeBSD is the only OS to have limited solicitations from non-neighbours does this mean that all the other OS's and platforms are allowing this security vulnerability?
Food for thought.
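As an added example (not part of the original post, and not pfSense or FreeBSD code): a small Python filter over tcpdump text that flags neighbour solicitations whose source is neither ::, link-local, nor inside a prefix you list as on-link, which is the kind of packet described above. The function names and the onlink_prefixes parameter are assumptions of this example; the first sample line is the capture quoted in the post, the other two are constructed.

```python
import ipaddress
import re

# Matches tcpdump's one-line rendering of an ICMPv6 neighbor solicitation.
NS_RE = re.compile(
    r"IP6 (?P<src>[0-9a-fA-F:]+) > (?P<dst>[0-9a-fA-F:]+): ICMP6, "
    r"neighbor solicitation, who has (?P<target>[0-9a-fA-F:]+)"
)

# First line is the capture quoted in the post; the other two are constructed.
SAMPLE_CAPTURE = """\
22:15:10.179879 IP6 2001:8003:0:bdf:f0:3:9:0 > ff02::1:ffe7:b52f: ICMP6, neighbor solicitation, who has fe80::20c:29ff:fee7:b52f, length 32
22:15:11.000001 IP6 fe80::1 > ff02::1:ffe7:b52f: ICMP6, neighbor solicitation, who has fe80::20c:29ff:fee7:b52f, length 32
22:15:12.000002 IP6 :: > ff02::1:ff00:1234: ICMP6, neighbor solicitation, who has 2001:db8::1234, length 24
"""


def classify_source(src, onlink_prefixes=()):
    """Label an NS source address the way a strict receiver would see it."""
    addr = ipaddress.IPv6Address(src)
    if addr.is_unspecified:
        return "dad"          # duplicate address detection probe, source is ::
    if addr.is_link_local:
        return "link-local"   # fe80::/10, only valid on the local link
    if any(addr in ipaddress.IPv6Network(p) for p in onlink_prefixes):
        return "on-link"      # inside a prefix the caller lists as on-link
    return "off-link"         # the case a strict receiver would ignore


def off_link_solicitations(capture, onlink_prefixes=()):
    """Return (source, target) for every NS whose source is off-link."""
    flagged = []
    for line in capture.splitlines():
        m = NS_RE.search(line)
        if m and classify_source(m["src"], onlink_prefixes) == "off-link":
            flagged.append((m["src"], m["target"]))
    return flagged


if __name__ == "__main__":
    for src, target in off_link_solicitations(SAMPLE_CAPTURE):
        print(f"NS for {target} from off-link source {src}")
```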
-
Exactly.
-
@bigmaccius said in IPv6 Native with Telstra, Australia:
The question for Telstra could be here, why are you sending a neighbour solicitation from a non link-local address? Could this be a simple case that they have not configured the source IPv6 addressing properly?
And even better if FreeBSD is the only OS to have limited solicitations from non-neighbours does this mean that all the other OS's and platforms are allowing this security vulnerability?
Food for thought.
You raise some excellent points. I'll chat to my Telstra contact in the next couple of days on the phone and ask him specifically about that. See what he says. I may or may not be able to disclose the substance of that conversation depending if there is actually a security vulnerability that they need to address. If there is, I'll email you privately about it.
If I have permission to disclose whatever we speak about, I'll also post here.
-
@larrikin to be honest I had a similar experience with someone on the crowd forums who provided me with the ports to forward to make the Telstra provided router function behind my 3rd party gateway...
I was referring to most of Telstra staff
-
@randomaustralian said in IPv6 Native with Telstra, Australia:
@larrikin to be honest I had a similar experience with someone on the crowd forums who provided me with the ports to forward to make the Telstra provided router function behind my 3rd party gateway...
I was referring to most of Telstra staff
Oh, I agree with you.
The thing is though, what I am trying to avoid here is ISP bashing on a topic such as this (not saying you are doing that either - I'm more just saying that in general).
The reality is as I've posted, that there are a number of complexities involved in getting IPv6 working, one of them is FreeBSD / pfSense and the multitude of variables that are available to configure it, another is the ISP, another is the knowledge a person has doing the troubleshooting, another is the complexity of IPv6 itself. It's a gross over-simplification for anyone to focus on any one of those things in particular, single them out, and apportion blame as to why it's not working.
That's more my point in this. I'm not trying to defend Telstra - I'm actually more trying to make the point to people to stop trying to find someone or something to blame. The only thing I'd blame (if someone is determined to blame something) is the complexity of IPv6 itself. That's the reason we are all in this thread. It's not because of stupidity of people, decisions, or any one thing in particular.
Again, what I've written above isn't directed at you. It's directed at everyone :)
-
Could this have to do with why there are weird settings about allowing local only communication?
pfSense reports that my wan_dhcp6 is a local IPv6 address even though I have internet routable addresses on my interfaces and my local network.
Maybe Telstra are using local link addresses on their internal network to distribute internet addresses? Would that not be a thing?
-
@randomaustralian said in IPv6 Native with Telstra, Australia:
Maybe Telstra are using local link addresses on their internal network to distribute internet addresses? Would that not be a thing?
That's entirely normal with IPv6. Routing is usually done with link local addresses. If there's a routable address on an interface, it's only there for testing, management, etc. It plays no part in routing.
Here's what mine shows:
Internet6:
Destination Gateway Flags Netif Expire
default fe80::217:10ff:fe9 UG re0