Re: Estonian IPv6 deployment report

[Pavel Odintsov <pavel.odintsov () gmail com>]

Hello, folks!

Tere from your customer FastVPS Eesti OU/AS198068! :)

On Mon, Dec 22, 2014 at 6:27 PM, Tarko Tikan <tarko () lanparty ee> wrote:
> hey,
>
> Some time ago, many people noticed rapid IPv6 deployment growth in Estonia
> (from 0% to 5% in 4 weeks). We at 3249/Elion/Estonian Telecom were behind
> this, other operators don't have any serious IPv6 deployments at the moment.
> We rolled out v6 to everyone (both business and residential customers) with
> last-gen CPE, there was no hop-in our hop-out program - aim was to do it
> perfectly and without customers even noticing. I'm happy to say that we
> achieved this goal :)
>
> To satisfy general interest, I promised small (somehow it turned out longer
> than I expected) technical writeup how we enabled v6 for our subscribers. If
> you have any other questions, feel free to ask and I do my best to answer
> them. You can also skip the technical content and there are some statistics
> below.
>
>
> Our access network is mix of DSL/GPON/wimax/p2p-ETH and broadband service is
> deployed in shared service vlans. IPv6 traffic shares vlan with IPv4.
>
> Service vlans are transported over MPLS metro network using pseudowires and
> terminated in geo-clustered Alcatel 7750 BNG routers.
>
> Each subscriber is allocated up to 4 mixed v4 and v6 IP hosts. For v4 we are
> using the usual DHCP, for IPv6 we are using DHCPv6 with IA_PD only, no IA_NA
> is provided. Unfortunately DHCPv6 provides no way to signal IPv6
> default-route thus we have to fall back to RA for default-route. RA does not
> include any on-link prefixes or DNS information. RAs are L2 unicasted to CPE
> MAC so no other CPE in service vlan picks up those RAs. To ensure rapid
> switchover between BNG routers, we are signalling virtual link-local address
> as default-route.
>
> We are using ALU internal DHCP/DHCPv6 servers to allocate leases but we also
> signal IP information from radius (in such case BNG "fakes" DHCP server) for
> static IP customers. Provided IPv6 prefix is always /56 and we keep the old
> lease for 24h even if the CPE is turned off (actual lease time is 30min).
>
> Unfortunately, IPv6 LDRA is not available on most of our access platforms so
> we have to rely on IPv4 session information for authentication. This linking
> is done in the radius server during subscriber authentication (excellent
> radiator + quite awful SQL queries :) - if subscriber has IPv4 session (that
> has been authenticated using DHCP opt82), same MAC address is allowed to
> have IPv6 session on exactly the same virtual BNG port. IPv4 and v6 session
> are both tied to same subscriber and share shapers, QOS etc.
>
> We were able to enable IPv6 only on our last-gen Inteno CPEs. They run
> modified OpenWrt and because it's linux - everything is possible :)
>
> In CPE, /56 is divided up to /64s, first one is currently reserved but we
> will configure it on loopback interface and use it for CPE management.
> Second /64 is configured on LAN and third is configured on public wifi SSID
> (if you choose to enable this option).
>
> In the LAN, IPv6 config is provided by RAs, we also support RDNSS and
> stateless DHCPv6 for DNS. There is also ingress IPv6 firewall in the CPE and
> configuration is modifiable by user.
>
> To make deployment as smooth as possible, we rolled out IPv6 capable CPE
> software first. Then, during the BNG platform refresh, we deployed L2 ACLs
> that dropped all IPv6 traffic based on 0x86dd ethertype. We then deployed
> IPv6 config to all BNGs and could verify everything before single v6 lease
> was handed out to the subscribers.
>
> Then, interface by interface, we replaced L2 ACL with one that only allowed
> 0x86dd for certain, supported, OUIs. This is the current situation and we
> are investigating ways to support 3rd party CPEs - main problem is
> unreliable IPv6 config in CPEs. Many don't enable DHCPv6 (or enable NA but
> no PD) but still pick up default-route from RA and happily signal it to LAN.
> Some others hammer our BNGs with NA request every 0.1 seconds etc.
>
>
> As statistics go, there are 30000+ active IPv6 subscribers (almost 15% of
> our customer base, based on our public numbers), 81% of them have have at
> least one IPv6 enabled device in the LAN, 70% have more than one. Most IPv6
> traffic is generated by Google+Youtube, Facebook and Akamai. Not bad for a
> country with 1.3M people.
>
> Next up: mobile network :)
>
> --
> tarko



-- 
Sincerely yours, Pavel Odintsov