Vodafone in Germany (formerly Kabel Deutschland) provides cable Internet at high speeds. It currently runs DOCSIS 3.0 (working towards 3.1) with 100, 200 and 400 Mbps data rates. Unless DSL providers go with FTTH, there is no DSL technology available to match those speeds. Seeing the speedtest arrow go well over 150 Mbps (on a 200 Mbps plan) in a downtown Berlin location is pretty cool.

Vodafone have implemented Dual-Stack Lite (aka DS-Lite). DS-Lite is a way to provide the CPE with an IPv4 address when it sits on an all-IPv6 (access) network. Since IPv4 addresses are somewhat limited in availability (…) this is a good choice for ISPs. The Address Family Transition Router (AFTR) does the NAT for the IPv4 addresses that are used on the CPE and connects to the IPv4 Internet. So basically the NAT functionality is removed from the CPE and centralized on the AFTR. Furthermore, the access network between the CPE and the AFTR is all IPv6. For this to work, IPv4 packets are encapsulated in IPv6 when being transported on the access network. As a result, the IPv4 MTU at the CPE is 1460: the access network (IPv6) MTU is 1500, and the encapsulation adds a 40-byte IPv6 header.

So Houston, is this a problem? Unfortunately yes. As ever, the problem is a result of bad implementations, so it is not really Vodafone’s fault. When you try to send an IPv4 packet that is large and has DF=1, the CPE (or AFTR?) replies with an ICMP message stating that the MTU is 1460, and your data is dropped since it cannot be fragmented. When properly implemented, the application should handle this and create a new, smaller packet. Or even better, the IPv4 stack adjusts the MTU to 1460 for this interface. Run Fusion on OS X, and your VPN on the client stops working since the “Achtung MTU ist 1460!” message does not reach the client OS. In another case, OpenVPN crashed when I tried an SSH login with port forwarding, the client being on the MTU=1460 network. Native IPv6 VPN connections run on MTU=1500, so the “problem” diminishes over time…

Can this be solved? Luckily yes, and I must admit, the solution chosen by Vodafone (but most likely its technology provider) is rather elegant. You can set your CPE to bridge mode through the Vodafone website. This gives you a single public IPv4 address on one of the Ethernet ports of the CPE. No DS-Lite is involved anymore, and thus no IPv6 address. Hook up your own router and you’ll have your 1500 MTU and port forwarding functionality back. You can even have IPv6 addresses on your LAN by using the 6to4 relay (RFC 3056) that Vodafone provides through anycast address 192.88.99.1 (this works with an Apple Airport router with IPv6 set to Automatically). I know that 6in4 addresses are not ‘real’ IPv6 addresses and your IPv6 MTU is now 1480, but anyway, you cannot have it all…
