Visitor • 6 Messages
Xfinity Advertising IPv6 ULA Prefixes to me
Hello,
I currently have an Xfinity home Internet connection. On said connection, Xfinity is advertising IPv6 ULA routes, as evidenced in the output below (MAC address filtered to protect the innocent; note that ens9 is the interface on my router facing Xfinity):
$ sudo tcpdump -i ens9 -v multicast and not broadcast
dropped privs to tcpdump
tcpdump: listening on ens9, link-type EN10MB (Ethernet), capture size 262144 bytes
11:08:48.743825 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 288) _gateway > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 288
hop limit 64, Flags [managed, other stateful], pref medium, router lifetime 1800s, reachable time 90000ms, retrans timer 1000ms
source link-address option (1), length 8 (1): ab:cd:ef:ab:cd:ef
mtu option (5), length 8 (1): 9192
prefix info option (3), length 32 (4): fd00:0:d:2::/64, Flags [onlink], valid time 2592000s, pref. time 604800s
prefix info option (3), length 32 (4): fd00:0:101:21::/64, Flags [onlink], valid time 2592000s, pref. time 604800s
prefix info option (3), length 32 (4): fd00:0:101:23::/64, Flags [onlink], valid time 2592000s, pref. time 604800s
prefix info option (3), length 32 (4): fd00:0:101:24::/64, Flags [onlink], valid time 2592000s, pref. time 604800s
prefix info option (3), length 32 (4): fd00:0:101:22::/64, Flags [onlink], valid time 2592000s, pref. time 604800s
prefix info option (3), length 32 (4): fd00:0:101:26::/64, Flags [onlink], valid time 2592000s, pref. time 604800s
prefix info option (3), length 32 (4): fd00:0:101:25::/64, Flags [onlink], valid time 2592000s, pref. time 604800s
Can someone from the Xfinity network team help explain why IPv6 ULA routes are being advertised? ULA prefixes should NOT be visible to customers as if they were publicly routable, and this seems like a not-so-great violation of https://www.rfc-editor.org/rfc/rfc4193
This could also be a security risk if I accept those prefixes and delegate assignment of them to hosts within my network, for instance if there are access controls on the router(s) advertising those prefixes that allow remote access.
Accepted Solution
user_bne324 • Visitor • 6 Messages • 2 years ago
I spoke with a representative who, I believe, was proxying for an L3 engineer. My understanding of the response I was given is that the IPv6 ULA ranges are advertised for "certain devices" that need them. I'm going to go out on a limb and guess that these ranges are advertised to some gear Xfinity supports that require a ULA IPv6 assignment for "reasons" (maybe they don't support DHCPv6). It's still a little weird because I'm getting a GLA advertisement as well, so maybe those "special" devices need ULA+GLA to work properly? No idea.
Anyway, if that's how Xfinity does things that's fine. Sounds like it's not a security concern and I'll have to see if I can filter out those ULA prefixes on the off chance DHCPv6 fails.
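The RA in the opening post and the ULA filtering the accepted answer mentions, as an added example that is not part of this thread: a Python decoder for the ICMPv6 Router Advertisement format (RFC 4861) that rebuilds a packet with the same header values and prefix-information options as the capture above, then flags every prefix inside the ULA block fc00::/7 (RFC 4193). The packet bytes are constructed here, not taken from the wire; the 2001:db8:1:2::/64 entry is a documentation-range placeholder standing in for the global prefix the answer refers to, not a prefix from the capture.

```python
"""Added example: parse an ICMPv6 Router Advertisement (RFC 4861) and flag
Unique Local Address prefixes (RFC 4193, fc00::/7) received on an ISP-facing
link. Packet bytes are constructed to mirror the capture in the thread; the
2001:db8:1:2::/64 entry is a documentation-range placeholder."""
import ipaddress
import struct

ND_ROUTER_ADVERT = 134
OPT_SLLA, OPT_PREFIX_INFO, OPT_MTU = 1, 3, 5
ULA = ipaddress.IPv6Network("fc00::/7")

# (prefix, L/on-link bit, A/autonomous bit). The seven fd00:: entries are the
# ones from the capture; the 2001:db8 entry is a constructed global stand-in.
SAMPLE_PREFIXES = [
    ("fd00:0:d:2::/64", True, False),
    ("fd00:0:101:21::/64", True, False),
    ("fd00:0:101:23::/64", True, False),
    ("fd00:0:101:24::/64", True, False),
    ("fd00:0:101:22::/64", True, False),
    ("fd00:0:101:26::/64", True, False),
    ("fd00:0:101:25::/64", True, False),
    ("2001:db8:1:2::/64", True, True),
]


def build_ra(prefixes, mtu=9192, cur_hop_limit=64, managed=True, other=True,
             router_lifetime=1800, reachable_ms=90000, retrans_ms=1000,
             slla=bytes.fromhex("abcdefabcdef")):
    """Build the ICMPv6 payload of an RA. The checksum is left at 0 because it is
    computed over the IPv6 pseudo-header, which this function does not model."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)   # M and O bits
    pkt = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, cur_hop_limit, flags,
                      router_lifetime, reachable_ms, retrans_ms)
    pkt += struct.pack("!BB6s", OPT_SLLA, 1, slla)      # source link-layer address
    pkt += struct.pack("!BBHI", OPT_MTU, 1, 0, mtu)     # MTU option
    for net, onlink, autonomous in prefixes:
        net = ipaddress.IPv6Network(net)
        pflags = (0x80 if onlink else 0) | (0x40 if autonomous else 0)
        pkt += struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, net.prefixlen, pflags,
                           2592000, 604800, 0, net.network_address.packed)
    return pkt


def parse_ra(pkt):
    """Decode the RA header and options into a dict. Malformed input raises
    rather than being guessed at: RFC 4861 says a zero-length or truncated
    option invalidates the whole packet."""
    if len(pkt) < 16 or pkt[0] != ND_ROUTER_ADVERT:
        raise ValueError("not an ICMPv6 router advertisement")
    _, _, _, hop_limit, flags, lifetime, reachable, retrans = struct.unpack("!BBHBBHII", pkt[:16])
    ra = {"hop_limit": hop_limit, "managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": lifetime, "reachable_ms": reachable, "retrans_ms": retrans,
          "mtu": None, "prefixes": []}
    off = 16
    while off < len(pkt):
        if len(pkt) - off < 2:
            raise ValueError("truncated option header")
        otype, olen = pkt[off], pkt[off + 1]
        if olen == 0:
            raise ValueError("zero-length option")
        end = off + olen * 8                      # option length is in 8-byte units
        if end > len(pkt):
            raise ValueError("option runs past end of packet")
        body = pkt[off:end]
        if otype == OPT_MTU and olen == 1:
            ra["mtu"] = struct.unpack("!I", body[4:8])[0]
        elif otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags, valid, preferred, _, raw = struct.unpack("!BBIII16s", body[2:32])
            net = ipaddress.IPv6Network((raw, plen), strict=False)
            ra["prefixes"].append({
                "prefix": str(net), "onlink": bool(pflags & 0x80),
                "autonomous": bool(pflags & 0x40), "valid": valid,
                "preferred": preferred, "ula": net.subnet_of(ULA)})
        off = end   # other options (the SLLA here) are skipped by their length
    return ra


def ula_prefixes(ra):
    """Prefixes inside fc00::/7. None should arrive from an upstream provider."""
    return [p["prefix"] for p in ra["prefixes"] if p["ula"]]


def onlink_only_prefixes(ra):
    """L=1, A=0: hosts install a direct on-link route for the prefix but form no
    SLAAC address from it; with the M flag set, addresses come via DHCPv6."""
    return [p["prefix"] for p in ra["prefixes"] if p["onlink"] and not p["autonomous"]]


if __name__ == "__main__":
    ra = parse_ra(build_ra(SAMPLE_PREFIXES))
    print(f"M={ra['managed']} O={ra['other']} mtu={ra['mtu']} lifetime={ra['router_lifetime']}s")
    for pfx in ula_prefixes(ra):
        print(f"ULA prefix from upstream: {pfx}")
    print("on-link only (no SLAAC):", onlink_only_prefixes(ra))
```

Running it reports the seven fd00:: prefixes as ULA and shows that they are on-link only (L set, A clear): a host that accepts this RA installs direct routes for them but forms no SLAAC addresses, and with the M flag set it depends on DHCPv6 for addressing, which is the failure mode the accepted answer worries about. The Linux kernel offers no per-prefix filter for prefix-information options: net.ipv6.conf.<wan>.accept_ra_pinfo=0 drops all of them, and accept_ra=0 ignores the RA entirely, so on a router the practical choices are to configure the upstream link statically or to keep the RA and add an unreachable route or firewall rule for fc00::/7 toward the WAN.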
CCAaron1 • Problem Solver • 954 Messages • 2 years ago
Hello @user_bne324. It has been a couple of days since you posted this. Are you still having issues, or were you able to get this resolved?