Fwd: Estonian IPv6 deployment report
An example from far away...
-------- Original Message --------
Subject: Estonian IPv6 deployment report
Date: Mon, 22 Dec 2014 17:27:23 +0200
From: Tarko Tikan
Nice little write up and very similar to what we (AS5607) are doing. PD only using link local on the WAN iface, which saves us host resources on the BNG. We do have the luxury of in-house CPE devs so we've got them to utilise the first :1 on the CPE as a "loopback", which helps make up for the unnumbered WAN iface. We're also using 7750s, and a note on the mentioned IPoE linking feature to get around the lack of LDRA by gluing DHCPv4 and v6 together, it only copies circuit-id over, not remote-id. So we're having to upgrade to R12 to make use of the added python functionality to create a state table that'll allow us to use remote-id for authentication/accounting. (it sounds worse than it is, promise.) Our migration path was a little different, we've pushed the config to the BNGs and have updated all of our capable CPE firmware already, but are controlling if a subscriber is IPv6 enabled or not by the presence or lack of the Framed-IPv6-Pool in the RADIUS Access-Accept. This allows us a slow rollout initially across the entire country, but also the ability to scale up quickly when we're happy. -Richard On Mon, Dec 22, 2014 at 7:00 PM, Brian E Carpenter < brian.e.carpenter(a)gmail.com> wrote:
An example from far away...
-------- Original Message -------- Subject: Estonian IPv6 deployment report Date: Mon, 22 Dec 2014 17:27:23 +0200 From: Tarko Tikan
To: IPv6 Ops list hey,
Some time ago, many people noticed rapid IPv6 deployment growth in Estonia (from 0% to 5% in 4 weeks). We at 3249/Elion/Estonian Telecom were behind this, other operators don't have any serious IPv6 deployments at the moment. We rolled out v6 to everyone (both business and residential customers) with last-gen CPE, there was no hop-in our hop-out program - aim was to do it perfectly and without customers even noticing. I'm happy to say that we achieved this goal :)
To satisfy general interest, I promised small (somehow it turned out longer than I expected) technical writeup how we enabled v6 for our subscribers. If you have any other questions, feel free to ask and I do my best to answer them. You can also skip the technical content and there are some statistics below.
Our access network is mix of DSL/GPON/wimax/p2p-ETH and broadband service is deployed in shared service vlans. IPv6 traffic shares vlan with IPv4.
Service vlans are transported over MPLS metro network using pseudowires and terminated in geo-clustered Alcatel 7750 BNG routers.
Each subscriber is allocated up to 4 mixed v4 and v6 IP hosts. For v4 we are using the usual DHCP, for IPv6 we are using DHCPv6 with IA_PD only, no IA_NA is provided. Unfortunately DHCPv6 provides no way to signal IPv6 default-route thus we have to fall back to RA for default-route. RA does not include any on-link prefixes or DNS information. RAs are L2 unicasted to CPE MAC so no other CPE in service vlan picks up those RAs. To ensure rapid switchover between BNG routers, we are signalling virtual link-local address as default-route.
We are using ALU internal DHCP/DHCPv6 servers to allocate leases but we also signal IP information from radius (in such case BNG "fakes" DHCP server) for static IP customers. Provided IPv6 prefix is always /56 and we keep the old lease for 24h even if the CPE is turned off (actual lease time is 30min).
Unfortunately, IPv6 LDRA is not available on most of our access platforms so we have to rely on IPv4 session information for authentication. This linking is done in the radius server during subscriber authentication (excellent radiator + quite awful SQL queries :) - if subscriber has IPv4 session (that has been authenticated using DHCP opt82), same MAC address is allowed to have IPv6 session on exactly the same virtual BNG port. IPv4 and v6 session are both tied to same subscriber and share shapers, QOS etc.
We were able to enable IPv6 only on our last-gen Inteno CPEs. They run modified OpenWrt and because it's linux - everything is possible :)
In CPE, /56 is divided up to /64s, first one is currently reserved but we will configure it on loopback interface and use it for CPE management. Second /64 is configured on LAN and third is configured on public wifi SSID (if you choose to enable this option).
In the LAN, IPv6 config is provided by RAs, we also support RDNSS and stateless DHCPv6 for DNS. There is also ingress IPv6 firewall in the CPE and configuration is modifiable by user.
To make deployment as smooth as possible, we rolled out IPv6 capable CPE software first. Then, during the BNG platform refresh, we deployed L2 ACLs that dropped all IPv6 traffic based on 0x86dd ethertype. We then deployed IPv6 config to all BNGs and could verify everything before single v6 lease was handed out to the subscribers.
Then, interface by interface, we replaced L2 ACL with one that only allowed 0x86dd for certain, supported, OUIs. This is the current situation and we are investigating ways to support 3rd party CPEs - main problem is unreliable IPv6 config in CPEs. Many don't enable DHCPv6 (or enable NA but no PD) but still pick up default-route from RA and happily signal it to LAN. Some others hammer our BNGs with NA request every 0.1 seconds etc.
As statistics go, there are 30000+ active IPv6 subscribers (almost 15% of our customer base, based on our public numbers), 81% of them have have at least one IPv6 enabled device in the LAN, 70% have more than one. Most IPv6 traffic is generated by Google+Youtube, Facebook and Akamai. Not bad for a country with 1.3M people.
Next up: mobile network :)
-- tarko
_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog
participants (2)
-
Brian E Carpenter
-
Richard Patterson