Comcast business IPv6 vs rbldnsd & PSBL

Livingood, Jason Jason_Livingood at
Tue Nov 29 17:45:39 UTC 2016

I can send it along to folks here at Comcast.

- Jason

On 11/28/16, 1:46 PM, "NANOG on behalf of Rik van Riel" <nanog-bounces at on behalf of riel at> wrote:

    First of all, kudos to Comcast for trying to roll out IPv6 across
    their entire network. Static IPv6 netblocks seem to be available
    for Comcast business users, and IPv6 is enabled unconditionally
    in the CPE routers used by Comcast business class internet.
    Unfortunately, the software in the two available CPE routers
    (SMC & Cisco) is horribly broken when it comes to IPv6.
    The TL;DR summary: even when IPv6 firewalling is disabled in
    the configuration, the router still tracks every IPv6 "connection",
    which causes every single DNS lookup to fill up a slot in its
    connection tracking table.
    The router's logs say it blocks tens of thousands of IPv6
    connections every day, despite firewalling being "disabled" on
    the router.
    Once the connection tracking table fills up, both IPv6 and IPv4
    start having trouble, with packet loss on ICMP, high ping times
    to the local router (and the internet), and new connections not
    establishing. The router randomly crashes and reboots too,
    sometimes multiple times a day.
    This ends up breaking both IPv6 and IPv4.
    It only takes about 300kbit/s of DNS traffic to trigger the bug,
    in both the SMC and the Cisco routers.
    Are there any Comcast NOC or other technical people present who
    could help?
    I am interested both in helping resolve the firmware issues in
    the routers (there will no doubt be other customers who hit this
    in the future, as IPv6 becomes more common) or, if that is not an
    option, finding some way to avoid the issue.
    All Rights Reversed.
