cancel
Showing results for 
Search instead for 
Did you mean: 

CODA-4582 - Open Issues for Investigation

RogersDave
Retired Support
Retired Support

*** This post was last edited May 2, 2017 ***

 

Good morning Community,

 

As I mentioned in a post two days ago, we have received the next firmware 2.0.10.20 from Hitron. We are currently running initial testing on this version and will push it out to participants in the firmware trial program as soon as it passes initial testing.

 

However, while running these tests, we discovered abnormal behavior with ICMP and are awaiting feedback from Hitron today to asses how this will be addressed. As soon as I this is confirmed, I’ll update the change log with the correct version information and start pushing it out.

 

In parallel, we are still working on the following high priority items. In some cases below, I requested affected customers to reach out to me via private message. If you do so, please include your modem MAC address in the subject line (even if we exchange messages daily) as there are a lot of you reaching out to me daily 🙂

 

UDP Packet Loss

The investigation for what has been reported as UDP packet loss is still ongoing. We have deployed a probe at one fellow forum member on both a CODA-4582 and a CGNM-3552 to collect additional data. We are actively working with Hitron and Intel on the results observed.

 

Based on what we know so far, in most instances UDP packet loss is coupled with higher uplink usage in the area. Although the impact is noticeable in specific logs (League of Legends), the root cause for the perceivable impact (while playing) is likely related to bufferbloat (see next issue).

 

 

Bufferbloat

When comparing the performance of a CODA-4582 to a CGNM-3552 in the same network conditions, the CODA-4582 consistently reports higher bufferbloat when tested on DSLReports.

 

Update April 12: The solution for this problem will come in two folds. It will require a change in software which will possibly be included in 2.0.10.27 but more likely in 2.0.10.28 and a change in network configuration.

 

The network configuration change is not compatible with the current firmware so this change will only come after a vast majority of the modems are running the new code. We are however looking at a way to make the change only for specific modems to support testing in the community.

 

Update April 22: This problem seems resolved in firmware 2.0.10.27

 

 

5 GHz WiFi Low range for channels 36 to 48

Lower WiFi channels on the modem have a much smaller range. This is due in part to the limit imposed by Industry Canada to maximum transmit power.

 

Furthermore, the current automatic channel selection (auto mode) tends to select the lower channels when in similar load conditions.

 

Workaround: manually select higher channels (149-153-157-161)

 

Update April 22: The channel selection algorithm has been improved in firmware 2.0.10.27

 

 

Loss of OFDM Channel Lock

Under some RF conditions, the modem fails to lock properly on the OFDM channel. This typically result in variable performance.

 

Update April 12: This problem is resolved in 2.0.10.26T2

 

 

List of connected device does not get fully populated

This is a known issue that has been tracked since firmware 2.0.10.13. We are making improvements at every firmware but it is not a perfect system.

 

The situation is worst after a reboot or firmware upgrade as the list gets reset and must be repopulated as devices renew their DHCP lease.

 

 

NAT Loopback not working for wired clients

When setting up port forwarding to an internal server, it is possible for a client on WiFi to reach the server using the external IP/port. If the client is on a wired interface, it doesn't work.

 

Update April 12: This problem is resolved in 2.0.10.26T2 (not confirmed)

 

 

LAN Counters not working

Some customers reported that LAN counters (especially in bridge mode) are reporting inaccurate values.

 

This problem has been reported to Hitron for investigation.

 

 

Unexpected modem reboot

Some customers reported their modem reboots unexpectedly. We have also seen this behavior in our lab.

 

Update April 12: This problem is resolved in 2.0.10.26T2

 

 

Missing SC-QAM Channels

After a reboot, some modems are missing SC-QAM channels. A fix has been implemented in 2.0.10.26T2 to address this behavior but it has not corrected all scenarios.

 

Investigation continues with Hitron.

 

 

WiFi Survey

The WiFi Survey functionality in firmware 2.0.10.26T2 (and possibly before) reports incorrect SSID names.

 

 

Guest Network

When connecting to the Guest Network, an error message is displayed "only allow DHCP client to use this wireless".  This has been reported in firmware 2.0.10.26T2.

 

Update April 22: This issue has been resolved in firmware 2.0.10.27

Update May 2: It seems this issue is not fully resolved and still experienced by some users


 

Future Planned Improvements

The following are items that we are working on in parallel of the above.

  • Improvement in WiFi speeds
  • Improvement in latency / bufferbloat

 

 

Dave

 

*Edited Labels*

2,620 REPLIES 2,620

Re: CODA-4582 - Open Issues for Investigation

Jeffj
I plan to stick around

@J04DAN1 wrote:

@Jeffj

 

Unfortunately all this does is assign a static local IP address the same as DHCP reservation. This doesn't prevent the modem from issuing an IPv6 address as well. 


Aside from asking rogers if suppport can disable it on your modems backend, Connecting your own router or microsoft inplimenting a way to shut it off per console. Looks like you will have to wait to see if the feature will be added to them modem. 

I suppose you could try setting a static IPV6 address on the console but damage the gateway address so it cannot find a route out. Thus hard failing over to the IPV4. Not sure how the console will react to that though. 

Re: CODA-4582 - Open Issues for Investigation

Jeffj
I plan to stick around

@Telek wrote:

@J04DAN1 wrote:

@JohnBeaudin

 

The fix actually quite easy. Just give us an option in the firmware of CODA modems to disable IPv6


This.

 

I'm actually very upset that Rogers is forcing IPV6 on us, especially considering the massive security implications.


Curious what you mean by massive security implications.

Re: CODA-4582 - Open Issues for Investigation

J04DAN1
I plan to stick around

Can't manually enter IPv6 addresses. Unfortunately. 

Re: CODA-4582 - Open Issues for Investigation

Mythen
I plan to stick around
You are going to have to let go of the fact of trying to get ipv6 disabled. It's not going anywhere. It was designed for a reason. Time to look elsewhere for your issues

Re: CODA-4582 - Open Issues for Investigation

J04DAN1
I plan to stick around
@Mythen

There are plenty of 3rd party routers that allow IPv6 to be disabled so it is very much possible and something Rogers needs to implement for customer satisfaction.

Re: CODA-4582 - Open Issues for Investigation

Telek
I plan to stick around

@Jeffj wrote:

@Telek wrote:

@J04DAN1 wrote:

@JohnBeaudin

 

The fix actually quite easy. Just give us an option in the firmware of CODA modems to disable IPv6


This.

 

I'm actually very upset that Rogers is forcing IPV6 on us, especially considering the massive security implications.


Curious what you mean by massive security implications.


Directly placing devices connected to the internet with the swiss-cheese "security" that the router implements?

 

Device manufacturers have already proven, time and time again, that they do not care what so ever about security. They put minimal effort into ostensibly providing a login based approach, but do absolutely no pentesting.  Yet they're sold by the millions and people who use them equally have zero concept of the security risks of using them.  This isn't even including the intentional backdoors and malware installed on many devices.

 

If you thought IoT-based botnets and hacking was bad on IPV4, just imagine what it'll be like now.  At least before we had NAT which, although not a perfect security mechanism, isolated a lot of these devices from direct external access.

Re: CODA-4582 - Open Issues for Investigation

Jeffj
I plan to stick around

Although there is concern on how some of it is implemented currently, a lot of the attacks used based on how ipv4 work would just plainly take too long to yield results on ipv6 for example scanning 18,446,744,073,709,551,616 unique addressee possibilities your modem can provide would take longer then the device is leased on the network for sure, and what attacker is going to devote that much time and resources to a single user, unless you have something worth to steal and the attacker has a backend behind them that makes it worthwhile like gov hacking.   

IPV6 also implements some features that ipv4 doesn’t have that makes things more secure. like forced IPSEC.  

So the most plausible entry point for consumer end users  is physical access or visiting or installing malicious sites or software, in which case it doesn’t really mater what stack your using if your compromised from the inside out which is how 99.98% of home user get compromised.  With IPV6 being so loosly implimented world wide I'd be impressed if the attackers have even bothered making botnets and worms IPV6 ready as the protocol its self makes them highly less effective and ecinomical time/resource wise for the attacker, when simply duping the uninformed into installing garbage and letting you in is much easier. Local acces always wins. 


As of .24 the modem is RFC 6092 compliant and according to dave more improves are to come.  Below was a post from dave regarding ipv6 concerns.  

With that said, there is zero reason on a local network why you MUST assign your devices a public  ipv6 address directly (unledd its the xbox console aparently this was overlooked), untill they stop handing out public ipv4 addresses or force dhcp ipv6 wan or tunnel.

All in all IPV6 is going to be better all around, although some arguments of issues it has are valid a lot of these tinfoil hat posts are just that.  


@RogersDave wrote:

Good morning Community,

 

You are absolutely right in your observations regarding the operation of IPv6 in our gateway. It is the normal practice for major ISPs and carriers around the world and carriers around the world.

 

Each modem is allocated a 64 bits prefix out of a 128 bits address space. This means that each modem has 18,446,744,073,709,551,616 IPv6 addresses to allocate to the local network and a computer or device gets a single one out of this pool, randomly allocated. For an attacker, it would require them to scan all the possible addresses in that space to find a target and this would take a very long time (longer than the address is valid for). Furthermore, most modern operating system implement security at the host level.

 

That being said, we have heard concerns from our customers and have started implementing IPv6 firewalls in accordance to RFC 6092 (https://tools.ietf.org/html/rfc6092). There is a first version of this firewall available in firmware version 2.0.10.24 of the CODA-4582. This version provides filtering but limited flexibility for user control. The full scale of RFC6092 should be implemented in a subsequent firmware release.

 

We are also working with Hitron to implement the same changes in all other Hitron modems in the next firmware release which should be available in the March / April timeframe this year.

 

Dave

Re: CODA-4582 - Open Issues for Investigation

Telek
I plan to stick around

@Jeffj wrote:

Although there is concern on how some of it is implemented currently, a lot of the attacks used based on how ipv4 work would just plainly take too long to yield results on ipv6

...
As of .24 the modem is RFC 6092 compliant and according to dave more improves are to come.  Below was a post from dave regarding ipv6 concerns.  

With that said, there is zero reason on a local network why you MUST assign your devices a public  ipv6 address directly (unledd its the xbox console aparently this was overlooked), untill they stop handing out public ipv4 addresses or force dhcp ipv6 wan or tunnel.

All in all IPV6 is going to be better all around, although some arguments of issues it has are valid a lot of these tinfoil hat posts are just that.  

Granted, but I'm not talking about probing attacks.

 

When major financial institutions are frequently attacked and broken into, do you expect that the WebCamRemote server that you use for your discount MyHomeCam device which you bought on eBay for $20 has any reasonable amount of security?  So attackers use a 150 day known SQL injection attack and grab their database of all currently connected devices.  100,000 cameras with their IPV6 addresses, and since they know the vulerabilities of these devices already, they've just owned all of those devices in a matter of minutes.  There's no need to hack into that server and hijack the control system, no need to scan 18 quintillion addresses -- you've now got a direct line into the devices.

 

This wasn't possible in NAT'd IPV4.

 

This isn't tin-foil-hatting.  Saying so is dismissive. Security isn't about "it's good enough" or "we'll do it later" -- the rule is simple: You do not release something until it is secure and controlable.  Releasing a half baked system (for no reason I might add) it with no consumer ability to control is pretty much the worst possible thing that you could do.

 

What was the rush? Why did they have to turn on IPV6 right now before the firewall was properly implemented and tested?

 

Saying "oh yeah, we're working on that, and [maybe] in a later firmware release we'll actually implement the security properly" is exactly what leads to Mirai, Leet, and the things that lead to massive DDOS attacks or took down half of the internet.  This is the position that we're in right now.

 

Just think, those recent attacks happened before it was as easy as I just mentioned.  That attack surface is only one of hundreds of different ways that a listing of devices could be obtained, or attacks could be launched over insecure IPV6 setups.

 

Anyway, I'll get off my soapbox now.  The issue isn't me personally, it's the 99.99% of consumers who have no clue and just blindly use their devices, not knowing that their attack surface has been increased.

Re: CODA-4582 - Open Issues for Investigation

Double_K
I'm a reliable contributor

This is why users should not be reliant on the Rogers gateway for firewall security, and in fact, should be using their own firewall solution that they control.

Rogers, in its Terms & Conditions, is very clear that the user is responsible for their own security, and that Rogers is not responsible for security.

 

Re: CODA-4582 - Open Issues for Investigation

BS
I'm a senior advisor

@Telek  I do not support Rogers in general, I just accept that they are a provision of Internet services amongst many other things.  Rogers is not forcing IPv6, the industry and the reality that IPv4 is running out of address - if you are old enough you will remember Ontario licences plates going from dedicated letter set by regional area, to 6 characters numbers, then letters, then letters and numbers, and then going to 4 letters and 3 numbers, and eventually, will go to numbers first and letters, and then add additional characters to 7, then 8, drop the space.  Each additional digit makes an exponential increase in combinations.  Similiar to adding more and more area codes.

 

Ipv6 with its number of characters is unlimited - I can't comment on security risks, I know lots will talk about NAT, which is an IPv4 model of producing 255 addresses within a single IPv4 address set of the range of what are known as open address assignments, but is not what really provides us the security, it is stateful firewalls that prevent addresses from coming through the router that have not been requested on its way out. 

 

I will agree with the position, if you want true high level security, you get a dedicated router with a dedicated firewall between the gateway/modem and your network router.  At a higher level, you will have a firewall device and router device, but very few home users need to go to that level - that level is used for monitoring what users do on their devices and to allocate usage and restrictions.

 

So if one is concerned about security, get a security consultant to come in and train you and set up a solution appropriate for you unless you know how to do it yourself.  It is not really Roger's or any ISP's responsibility, it is the user (similiar to what kind of door lock do you put on your door) -the best security company in the world isn't going to help much if you don't lock your door.

 

The gateways are providing limited routing capabilities, and limited security firewall capabilities, and WI FI capabilities, saving the cost of a router - but to be quite honest, I prefer a router/firewall/wifi solution of my choice, and just give me a modem.  The third party companies all provide modems only, and purchase of routers - no support for the router.

 

So let's not blame Rogers for forcing this change on us - it is the reality of the industry change that has been planned for about 10 years now and is officially rolling out.  IPv4 will soon be legacy and will be kept in place for a while anyway as some networking devices don't support IPv6.

 

Just my two cents.

 

Bruce

Re: CODA-4582 - Open Issues for Investigation

BS
I'm a senior advisor

Anyone remember when people plugged their computers directly into a modem with no NAT, nothing inbetween. Security will always be an ongoing process - if you want dedicated IPv4, then buy your own router.  I would rather see what Dave described as Hitron now currently implementing basic security firewalls, with next coming more control by the user.  The standards that Hitron is working with and Rogers is rolling out is based upon agreed standards that also have standards around security - I can't explain the possible theoretical security holes of IPv6, nor could I fully do the same with IPv4 - as for the webcam example, yes, that is a risk, but easily dealt with by adequately configuring your firewall.  That is not the fault of Rogers, it is not their responsibility to ensure security of those devices, that is ours.  And even Ipv4 is not their responsibility, it is provided by them by the industry standards and provider companies, and Rogers has their own engineers that consider the security issues, how to make them work best.  They are not an internet security company, they do provide a basic firewall/antivirus software for us to use (I wouldn't use it personally and don't, I choose and configure my own - and they do provide the current industry standards whether at IPv4, or IPv6, and move with the industry.  I personally am not concerned, but like I said, if you don't want IPv6 open, then get your own router with those capabilities and turn them off - but while you are at it, learn how to best use your router for security, its routing capabilities, its firewall capabilities - Rogers from my perspective gives us just what we get (a very low price, industry standard solution).

 

Bruce

Re: CODA-4582 - Open Issues for Investigation

coder_1990
I plan to stick around

Regarding getting .26 firmware, if I don't have it, but I have factory reset weeks ago, does that still cause the .24 block on the modem to be wiped? 

Any help is appreciated.

Thanks

 

Re: CODA-4582 - Open Issues for Investigation

Telek
I plan to stick around

@BS wrote:

So let's not blame Rogers for forcing this change on us - it is the reality of the industry change that has been planned for about 10 years now and is officially rolling out.  IPv4 will soon be legacy and will be kept in place for a while anyway as some networking devices don't support IPv6.


I'm not blaming Rogers for planning a move to IPV6, I'm blaming them for rushing the switch and not giving us an option to opt-out.  Big difference.

 

I know that IPV6 is the way of the future, and we have to go there whether we like it or not.

 

But you've seen the posts -- Hitron has fully admitted to only partially enabling the firewall. Why would you force a rollout on something when your security is only half built and give me no way to turn it off?

 

Either one individually is frustrating. Both of them combined is incomprehensible.

 


@BS wrote:

I will agree with the position, if you want true high level security, you get a dedicated router with a dedicated firewall between the gateway/modem and your network router.


And what about the 99.99% of people that have no clue, don't care, and just want to use their devices as is?

 

The problem is Mirai. That is what happens when you do things exactly. like. this.

Re: CODA-4582 - Open Issues for Investigation

how can rogers say these speeds are good with sky rocket jitter and high ping on ignite 250

 

Host Name IP Address Hop Ping Time Ping Avg % Loss Pkts r/s Ping best/worst
* Unknown Host * 192.168.0.1 1 0ms 0ms 0% 2530 / 2530 0ms / 8ms
* Unknown Host * 2 10ms 16ms 0% 2529 / 2529 7ms / 252ms - Max latency always high on hop 2 ?

 

Untitledrogersmarch23.png

 

 Untitledrogers231.png

Re: CODA-4582 - Open Issues for Investigation

Double_K
I'm a reliable contributor

@Telek wrote:

The problem is Mirai. That is what happens when you do things exactly. like. this.


 Not sure why you're bringing up a malware that is easily addressed by changing the default password on the Linux device when you first set it up.

Re: CODA-4582 - Open Issues for Investigation

Alex4161
I'm a senior contributor

Would kaspersky Internet security be an adequate firewall application in light of the Hitron IP6 fiasco?

Re: CODA-4582 - Open Issues for Investigation

Mythen
I plan to stick around
Looks like Docsis 3.1 was enabled in my area overnight. Will see how this goes

Re: CODA-4582 - Open Issues for Investigation

Double_K
I'm a reliable contributor

What Hitron IPv6 fiasco?  IPv6 is just an address.  A security mechanism applies whether it's an IPv4 or an IPv6 address.

 

Security is all about layers of protection.  The firewall on your network is one layer.  The firewall on your PC is another layer.  KIS (Kaspersky Internet Security) is an example of a firewall on your PC - it only protects that one PC.  Note that, with any security layer, it's only as adequate as you set it up to be.

 

Here's some layers to think about / protect;

Application Security (password strength, 2FA)

Data Storage Security (HDD/SSD Encryption)

OS Security (PC Firewall - like KIS, Android phone firewall, iOS phone firewall)

Transport Security (VPN, HTTPS, AES, etc.)

Network Security (Network Firewall, Intrusion Detection)

Physical Security (theft, physical access)

 

Re: CODA-4582 - Open Issues for Investigation

Alex4161
I'm a senior contributor
Thanks for the info.

I agree there is security in different fronts. The fact that we get IP6 turned on with no way of turning it off, and having a poorly configured firewall (an issue that IP4 configs do not seem to have) is, in my opinion, bad implementation.




Re: CODA-4582 - Open Issues for Investigation

Double_K
I'm a reliable contributor

Or, another way to look at it;

You get IPv4 turned on automatically as well - and the only way to control IPv4 & IPv6 addressing being turned on or off is to put the modem in bridge mode and run your own router.

 

As for the firewall....it gets to those layers of security.  Just like the choice between using the built-in Windows firewall vs Kaspersky Internet Security for your PC, you can have basic security for no additional cost, or you can have more security for more cost (ie. your own firewall that only you have access to & control).

 

 

Re: CODA-4582 - Open Issues for Investigation

Telek
I plan to stick around

@Double_K wrote:

@Telek wrote:

The problem is Mirai. That is what happens when you do things exactly. like. this.


 Not sure why you're bringing up a malware that is easily addressed by changing the default password on the Linux device when you first set it up.


Because, as I've been trying to point out, the problem isn't me and you. We're fine. We can disable IPV6 via DHCP, add our own firewalls, and secure our things..

 

Mirai wasn't a problem because of people like us.

 

Mirai was a problem becuase 99.9% of people just buy devices and plug them in and never touch them after.