
Rogers IPv6 Status

foodgodessto
I've Been Here Awhile

Hello,

I'm wondering what the current IPv6 status is within Rogers. A search on the forums only shows 10 topics over the past year that even mention IPv6, and there don't appear to be any official communications from Rogers since IPv6 day last year.

I know that Rogers (supposedly) supports IPv6 tunneling (although the only person to ask about it did not get any responses).

602 REPLIES

Re: Rogers IPv6 Status

JKnott
I Plan to Stick Around

@arnym21 wrote:

Thank you guys for providing interesting comments beyond typical consumer rant. The referenced blog is quite interesting as well, especially its readers' comments. It's not practical enough for a home internet user to implement as it doesn't rely on a typical router IPv6 GUI or config options. Hence the router IPv6 config in the modem Gateway mode remains a mystery because Rogers fails to provide IPv6 prefix to downstream equipment in that mode. Furthermore, some folks are so used to such nonsense they defend it as the only possible while it is NOT. It all depends on us Rogers customers to demonstrate the need for improvement.


Gateway mode does exactly what it's supposed to. It's an easy to use configuration that's not intended to support downstream devices, other than the end devices such as computers and tablets. If you want to have downstream devices, you use bridge mode and provide your own equipment, which you can then configure as you want. For example, I mentioned I run pfsense. Behind it, I have a Cisco router for which I provide a /64. Since I don't run DHCPv6-PD on my LAN, though pfsense supports it, I use manual configuration for it. Please stop creating fantasies about how you think the equipment should work.

In addition to my main LAN and the one for the Cisco router, I also have a VLAN for guest WiFi and a separate test LAN. This is the sort of thing you can do when you use bridge mode but can't with gateway mode. Pfsense also supports routing protocols, such as OSPF and BGP, which again you can't do in gateway mode.

Bottom line, if you want more than a basic network, use bridge mode and a separate router. There is no other way, no matter what you think.

 

Re: Rogers IPv6 Status

-G-
Resident Expert

@arnym21 wrote:

Thank you guys for providing interesting comments beyond typical consumer rant. The referenced blog is quite interesting as well, especially its readers' comments. It's not practical enough for a home internet user to implement as it doesn't rely on a typical router IPv6 GUI or config options. Hence the router IPv6 config in the modem Gateway mode remains a mystery because Rogers fails to provide IPv6 prefix to downstream equipment in that mode. Furthermore, some folks are so used to such nonsense they defend it as the only possible while it is NOT. It all depends on us Rogers customers to demonstrate the need for improvement.


NAT can be a useful tool. RFC 5902 documents its primary use cases and was meant to serve as the basis for framing discussions around whether IPv6 NAT should be standardized.

Regarding the potential security benefits, large enterprises want to hide details about their internal networks, their topology, number of hosts, etc.

However, most residential networks consist of a single subnet with a relatively small number of end systems.

Even with NAT, it is still possible to perform device counting, and the devices that we use leave a network fingerprint that is unique enough to allow them to be tracked when they are used on different networks.

For residential networks, the remaining question is whether there is any value to making connections coming from 2607:fea8:3333:4444:5555:6666:7777:5678 appear that they are originating from 2607:fea8:3333:4444:5555:6666:7777:1234.

Maybe... probably not... and to do this would require the implementation of a stateful NAT, it would break network transparency, and create additional risk because the NAT implementation itself could introduce new security problems. Furthermore, we have decades of experience with all the problems that NAT has caused in the IPv4 world.

The reality is that IPv6 NAT does not provide any significant security or privacy gains, and it's definitely not worth the unnecessary network application breakage that it would cause.

If you are still absolutely convinced that you need IPv6 NAT, you can implement it on your own... but you should first reconsider why it has not already been implemented to any extent in any of the network products widely-available today.



Re: Rogers IPv6 Status

JKnott
I Plan to Stick Around

NAT was created to get around the IPv4 address shortage. Any other use is to fix problems caused by using it for its intended purpose. Also, it doesn't do anything for security that a decent firewall can't.

 

Re: Rogers IPv6 Status

arnym21
I Plan to Stick Around

@JKnott wrote:
Bottom line, if you want more than a basic network, use bridge mode and a separate router.  There is no other way, no matter what you think.

You take an existing Rogers service snapshot, and then claim it's the only way possible (you know of). Yet even this snapshot was derived from customer demand, and other service models exist, as demonstrated by other ISPs, including European ones, as many examples on the OpenWRT forum show. It reminded me of the movie "Eyes Wide Shut". 😁

Speaking of social aspects of Rogers service, it's primarily centered around Toronto and suburbs by subscriber numbers. Housing prices skyrocketed in Toronto in the last decade, and nearly half of its houses rent basements, while many rent rooms. It's the norm now in Toronto to see even pro roommates sharing an apartment or condo. Sharing internet access becomes commonplace in this costly city, whether Rogers likes it or not for profit squeeze.

This reality makes your "only possible" solution impractical for many, as a typical house owner would want to have their LAN isolated from tenants, while the tenants also want some network privacy by simple means. Such scenarios are very remote from an IT pro example using pfsense and Cisco router with VLANs. Most folks rely on basic downstream router GUI config hooked to the modem remotely via WiFi, if they don't like exposing their devices to nosy neighbors sharing access. Even within one family, fast-growing kids often expect more online privacy and less oversight. Rogers must account for such big city realities and provide sufficient flexibility of its service model. That includes delegating IPv6 prefix to WiFi connected equipment in the modem Gateway mode.

Re: Rogers IPv6 Status

57
Resident Expert

@arnym21 wrote:

...near half of its houses rent basements, while many rent rooms. It's a norm now in Toronto to see roommates renting same apartment or condo. Sharing internet access becomes commonplace.


This is called account splitting and is against the terms of service with any service provider. Each "household" is required to have their own contract with the provider. Any service provider is quite within their rights to preclude such activity. It isn't much different from one house having an account and sharing that account with a neighbour. Rental properties must pay for their own accounts/access. I know that this happens, but it's not legal. At which point do you draw the line - at one rental, two, three? The terms of service are clear on that.

https://www.rogers.com/cms/pdf/en/Rogers-Terms-of-Service-Acceptable-Use-Policy-and-Privacy-Policy-e...

Page 19, several paragraphs, especially paragraph xv.



Re: Rogers IPv6 Status

arnym21
I Plan to Stick Around

When moving to Canada people believe they will live in decent conditions. The reality is, however, that in large cities like Toronto and Vancouver unrelated folks broadly share apartments as they can't afford their own, despite an apartment or house being intended for a single family living. That includes sharing all amenities, and internet access sharing is no different. Of course any provider would like higher profit squeeze imposed by various "Terms", but the question is whether its customers are prepared to feed such appetite. A company either accounts for reality bits, or goes out of business, or at least drops a large share of its customers due to unreasonable demands. Anyway, technical aspects of service offering must be harmonized with customer base social and economic realities.

Re: Rogers IPv6 Status

57
Resident Expert

Sharing an apartment, which I would call a household, is different from renting out a basement, room or separate apartment, which results in profit for the initial "owner/household".



Re: Rogers IPv6 Status

arnym21
I Plan to Stick Around

No, it's the same, since for large building owners it's a typical way now to rent empty apartment inventory while charging double-triple rent for the same service compared to a decade ago. Anyway, a shared "household" still needs some internet privacy, and an ISP must account for this reality.

Re: Rogers IPv6 Status

Okay, we're getting off-topic here, folks.

If you want to talk about apartment/account sharing, please start a post in the Lounge to discuss it.

Let's bring the conversation back to IPv6.

Regards,

RogersCorey

 

Re: Rogers IPv6 Status

arnym21
I Plan to Stick Around

@RogersCorey wrote:
Let's bring the conversation back to IPv6.

Thanks for the reminder. Speaking of end user IPv6 LAN security in a modem Gateway mode, I was surprised to learn that even some more advanced router firmware like OpenWRT has default firewall settings that treat WAN router ports exposed to the modem as the premises LAN ports. Hence it doesn't block any incoming connections from the modem LAN to the router and devices behind it. I tried to Nmap scan open PC ports behind the router from another device WiFi connected to the gateway modem, and found quite a few PC ports open, with all requests going unobstructed through the router firewall.

I assume the default router firewall settings can be hardened (in case of OpenWRT, but not necessarily when using factory firmware as most customers do) for WiFi Router Client scenario, but it would require quite a bit of effort and knowledge from a typical end user. It is much simpler to delegate IPv6 prefix to the router, thus enabling the end user to set up NAT6 through its GUI without enormous effort, accounting for use case realities discussed above.

Re: Rogers IPv6 Status

JKnott
I Plan to Stick Around

As I mentioned earlier, I run pfsense for my firewall/router.  By default, it blocks everything from the WAN.  I wish people would forget about NAT.  It's a hack to get around the IPv4 address shortage and should be used for nothing else.  With the enormous IPv6 address space, there is no need for NAT.

 

Re: Rogers IPv6 Status

-G-
Resident Expert

@arnym21 I don't know how you have your device configured but with OpenWrt, the default WAN-to-LAN rulesets are pretty restrictive. The default policy is to block all WAN-to-LAN traffic, and there are also a small number of traffic rules that enable basic things like ICMP, DHCP and IPSec protocols to work along with ping/traceroute.

If you don't know what you are doing when configuring OpenWrt, you can also cause endless problems for yourself.



Re: Rogers IPv6 Status

arnym21
I Plan to Stick Around

@-G- wrote:

The default policy is to block all WAN-to-LAN traffic


Point was of scanning from the modem's LAN (instead of from the internet), and small but important scenario print of the router being the modem's WiFi Client + AP with own LAN segment. Maybe one should read this or that, or maybe found by nmap open PC ports were "basic".

"The router knows that you're scanning from LAN if you just use its WAN address from the inside." I scanned the router's PC clients using another PC on the modem's LAN under assumption the router treats it as WAN. OpenWRT firewall options outlined here.

Re: Rogers IPv6 Status

-G-
Resident Expert

@arnym21 wrote:

@-G- wrote:

The default policy is to block all WAN-to-LAN traffic


Point was of scanning from the modem's LAN (instead of from the internet), and small but important scenario print of the router being the modem's WiFi Client + AP with own LAN segment. Maybe one should read this or that, or maybe found by nmap open PC ports were "basic".

"The router knows that you're scanning from LAN if you just use its WAN address from the inside." I scanned the router's PC clients using another PC on the modem's LAN under assumption the router treats it as WAN. OpenWRT firewall options outlined here.


Okay, but if I understand your setup correctly, you are currently trying to use Wi-Fi as a WAN interface and your Ethernet ports as the LAN interface. In a default OpenWrt configuration, you will have a single port designated as a WAN port (with WAN and WAN6 zones associated with it); the other LAN and Wi-Fi interfaces are bridged together so, in a default config, traffic normally should flow freely.

Behaviour changes a bit if you configure WiFi as a Wireless LAN client... but as far as I know, you will still be in a bridged configuration, with no firewall to block traffic to/from the Ethernet LAN ports.

We are no longer discussing normal/typical IPv6 issues or configurations that are likely to be of any interest to any other user here, so I won't respond to any further off-topic posts. I will leave it to Rogers to respond to your specific feature requests.



Re: Rogers IPv6 Status

arnym21
I Plan to Stick Around

@-G- wrote:
with no firewall to block traffic to/from the Ethernet LAN ports

Actually, wwan and wwan6 were suggested and manually added to the OpenWRT router default firewall config blocking rules in the WiFi Client mode. Again, as I said, the open PC ports behind the router found by nmap scanning from the modem LAN were possibly "basic" as you put it. 😉 However, some documents were in fact stolen from my PC behind the router by a local actor on the modem's LAN in a more elaborate event-driven trickery.

Another relevant issue I should mention: if one has a 3rd party firewall installed on their PC, it's configured by default to honor Windows firewall rules as well, so one may periodically check them too for better security, as malicious software might more easily manipulate Windows firewall rules than the 3rd party firewall's, due to the extra password, which is harder to bypass compared to getting PC Admin rights.

@-G- wrote:
We are no longer discussing normal/typical IPv6 issues or configurations

This thread is not meant to discuss merely IPv6 issues or configs earlier reported by someone here (I can't even find that was Rogers staff), including security issues. Any topic on this forum is work in progress defined by changing customer needs, which I outlined above. Yet I agree a specific router firewall setup is better to discuss on that router's forum. 😊
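
The zone question argued over in the last few posts (whether a Wi-Fi client uplink is filtered like WAN or left open like LAN) can be checked from the router's firewall config. The following is an added example, not code from any poster or from the OpenWrt project: it parses a constructed sample of `/etc/config/firewall` and reports which zone an interface belongs to and that zone's input/forward policy. The function names and the sample's placement of `wwan`/`wwan6` in the `wan` zone are assumptions for illustration.

```python
import shlex

# Constructed /etc/config/firewall sample (not from the thread): stock lan and
# wan zones, with the Wi-Fi client uplinks wwan/wwan6 listed in the wan zone.
SAMPLE = """
config defaults
    option input 'REJECT'
    option forward 'REJECT'

config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    list network 'wwan'
    list network 'wwan6'
    option input 'REJECT'
    option forward 'REJECT'
"""

def parse_sections(text):
    """Parse UCI text into a list of (section_type, {option: [values]})."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)  # strips quotes and '#' comments
        if not tok:
            continue
        if tok[0] == "config" and len(tok) >= 2:
            sections.append((tok[1], {}))
        elif tok[0] in ("option", "list") and len(tok) >= 3 and sections:
            # networks appear as repeated 'list' lines or one space-separated 'option'
            sections[-1][1].setdefault(tok[1], []).extend(tok[2].split())
    return sections

def uplink_policy(text, iface):
    """Return (zone, input, forward) for traffic arriving on iface."""
    sections = parse_sections(text)
    first = lambda opts, key: (opts.get(key) or ["unset"])[0]
    for stype, opts in sections:
        if stype == "zone" and iface in opts.get("network", []):
            return first(opts, "name"), first(opts, "input"), first(opts, "forward")
    # No zone lists iface: only the global defaults section is left to report.
    defaults = next((o for t, o in sections if t == "defaults"), {})
    return None, first(defaults, "input"), first(defaults, "forward")
```

A result of `("lan", "ACCEPT", "ACCEPT")` for the uplink interface means hosts on the modem's LAN reach the devices behind the router unfiltered, which is the situation the scan described in the thread would reveal.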