Estonian IPv6 deployment report
Tarko Tikan
tarko at lanparty.ee
Mon Dec 22 16:27:23 CET 2014
hey,
Some time ago, many people noticed rapid IPv6 deployment growth in
Estonia (from 0% to 5% in 4 weeks). We at 3249/Elion/Estonian Telecom
were behind this, other operators don't have any serious IPv6
deployments at the moment. We rolled out v6 to everyone (both business
and residential customers) with last-gen CPE, there was no hop-in our
hop-out program - aim was to do it perfectly and without customers even
noticing. I'm happy to say that we achieved this goal :)
To satisfy general interest, I promised small (somehow it turned out
longer than I expected) technical writeup how we enabled v6 for our
subscribers. If you have any other questions, feel free to ask and I do
my best to answer them. You can also skip the technical content and
there are some statistics below.
Our access network is mix of DSL/GPON/wimax/p2p-ETH and broadband
service is deployed in shared service vlans. IPv6 traffic shares vlan
with IPv4.
Service vlans are transported over MPLS metro network using pseudowires
and terminated in geo-clustered Alcatel 7750 BNG routers.
Each subscriber is allocated up to 4 mixed v4 and v6 IP hosts. For v4 we
are using the usual DHCP, for IPv6 we are using DHCPv6 with IA_PD only,
no IA_NA is provided. Unfortunately DHCPv6 provides no way to signal
IPv6 default-route thus we have to fall back to RA for default-route. RA
does not include any on-link prefixes or DNS information. RAs are L2
unicasted to CPE MAC so no other CPE in service vlan picks up those RAs.
To ensure rapid switchover between BNG routers, we are signalling
virtual link-local address as default-route.
We are using ALU internal DHCP/DHCPv6 servers to allocate leases but we
also signal IP information from radius (in such case BNG "fakes" DHCP
server) for static IP customers. Provided IPv6 prefix is always /56 and
we keep the old lease for 24h even if the CPE is turned off (actual
lease time is 30min).
Unfortunately, IPv6 LDRA is not available on most of our access
platforms so we have to rely on IPv4 session information for
authentication. This linking is done in the radius server during
subscriber authentication (excellent radiator + quite awful SQL queries
:) - if subscriber has IPv4 session (that has been authenticated using
DHCP opt82), same MAC address is allowed to have IPv6 session on exactly
the same virtual BNG port. IPv4 and v6 session are both tied to same
subscriber and share shapers, QOS etc.
We were able to enable IPv6 only on our last-gen Inteno CPEs. They run
modified OpenWrt and because it's linux - everything is possible :)
In CPE, /56 is divided up to /64s, first one is currently reserved but
we will configure it on loopback interface and use it for CPE
management. Second /64 is configured on LAN and third is configured on
public wifi SSID (if you choose to enable this option).
In the LAN, IPv6 config is provided by RAs, we also support RDNSS and
stateless DHCPv6 for DNS. There is also ingress IPv6 firewall in the CPE
and configuration is modifiable by user.
To make deployment as smooth as possible, we rolled out IPv6 capable CPE
software first. Then, during the BNG platform refresh, we deployed L2
ACLs that dropped all IPv6 traffic based on 0x86dd ethertype. We then
deployed IPv6 config to all BNGs and could verify everything before
single v6 lease was handed out to the subscribers.
Then, interface by interface, we replaced L2 ACL with one that only
allowed 0x86dd for certain, supported, OUIs. This is the current
situation and we are investigating ways to support 3rd party CPEs - main
problem is unreliable IPv6 config in CPEs. Many don't enable DHCPv6 (or
enable NA but no PD) but still pick up default-route from RA and happily
signal it to LAN. Some others hammer our BNGs with NA request every 0.1
seconds etc.
As statistics go, there are 30000+ active IPv6 subscribers (almost 15%
of our customer base, based on our public numbers), 81% of them have
have at least one IPv6 enabled device in the LAN, 70% have more than
one. Most IPv6 traffic is generated by Google+Youtube, Facebook and
Akamai. Not bad for a country with 1.3M people.
Next up: mobile network :)
--
tarko
More information about the ipv6-ops
mailing list