Friday, November 9, 2018

Verizon FiOS Infrastructure - Residential to Provider

For those who have Verizon FiOS and are curious about the "backend" of their ISP.

Overview

Components, as listed in network order from your PC to the Internet:




Home Network

Your home network can be connected in one of three ways:
  1. Ethernet by ONT direct Cat-5 (preferred)
  2. Ethernet via Modem Router MoCA coaxial (common)
  3. Ethernet via Set-Top Box's MoCA coaxial (rare)

Ethernet via ONT direct Cat-5 (preferred)


  1. Personal Computer
  2. Cat-5E cabling for 802.3/1000Base-T
  3. Your firewall (you do have a firewall, right?)
  4. Cat-5E cabling for 802.3/1000Base-T
  5. ActionTec MI424WR, 4-port wireless broadband modem router, 2-channel MoCA
  6. Cat-5E cabling for 802.3/1000Base-T; no PPP, no PPPoE, no PPTP. Straight TCP/IP.
  7. ONT, Motorola 1400, via Ethernet RJ-45 connector

Ethernet via Modem Router MoCA coaxial (common)

The method most commonly used by Verizon installers is:
  1. Personal Computer
  2. Cat-5E cabling for 802.3/1000Base-T
  3. Your firewall
  4. Cat-5E cabling for 802.3/1000Base-T
  5. ActionTec MI424WR, 4-port wireless broadband router, 2-channel MoCA
  6. RG-6 cabling, with F-connectors, MoCA protocol
  7. ONT, Motorola 1400, coaxial, via F-connector

Ethernet via Set-Top Box's MoCA coaxial (rare)

Or via that rarely used Ethernet port behind the Set-Top Box:
  1. Personal Computer
  2. Cat-5E cabling for 802.3/1000Base-T
  3. Your firewall
  4. Cat-5E cabling for 802.3/1000Base-T
  5. Cable Set-Top Box (STB), IP-STB1 cable media gateway (MAC Arris/ResiNet, aka DOCSIS Gateway w/ MoCA, aka Digital STB)
  6. RG-6 cabling, with F-connectors, MoCA protocol
  7. ONT, Motorola 1400, coaxial, via F-connector

ISP Network

Then on to the ISP network:
  1. Motorola ONT 1400 Single Family Unit (SFU) is an ITU G.984-compliant GPON intelligent optical network terminal (ONT)
  2. Fiber cable, Single-Mode (SM), SC connector
  3. MTP/MTO optical splitter, 4:1, on telephone poles
  4. Optical Nodes
  5. Trunk Fiber cable, Single-Mode (SM)
  6. Head-End

Head-End

The Head-End comprises the following:
  1. Trunk Fiber cable, Single-Mode (SM)
  2. EQAM
  3. Juniper EX3300, 24-Port PoE+ GE/4-Port SFP+ AC Switch 
  4. Hybrid Fiber Coaxial (HFC) network
  5. CMTS
  6. CATV

Technical Evolution


DOCSIS Release           Max Download   Max Upload   Date Released
DOCSIS 1                 40 Mbps        10 Mbps
DOCSIS 1.1               40 Mbps        10 Mbps
DOCSIS 2                 40 Mbps        30 Mbps
DOCSIS 2.5               -              -            Discontinued use of RG-59 cable
DOCSIS 3                 1.2 Gbps       200 Mbps
DOCSIS 3.1               10 Gbps        1 Gbps
DOCSIS 3.1 Full Duplex   10 Gbps        10 Gbps      2015

Equipment

ONT
  • SFH ONT 612AZ
  • Motorola ONT 1400
Legend:
  • SFU Exterior (ONT Outside of Home): An ONT is installed outside. The battery backup unit (BBU) and power supply (PS) are installed inside. The PS must be within 6 feet of a grounded outlet. The PS can be up to 50 feet from the BBU. SFU Exterior installs are now only done if an SFU Interior is not feasible.
  • SFU Interior (ONT Wall-Mounted Inside of Home): An All-In-One ONT is usually used on house interior installs. The ONT, BBU (if applicable) and PS are in a single enclosure. SFU Interior is the most common type of install.
  • SFU Desktop (ONT Self-Standing Inside of Home): A small ONT is placed inside the house, not wall mounted. This setup is used if wall space is limited. Desktop ONTs can also be wall mounted inside or outside, in an enclosure. This makes them the most versatile, and therefore most common type of ONT used.
  • SOHO Exterior (ONT Outside of Office): Same as SFU Exterior, except the ONT has extra Ethernet and Telephone ports for the Office/Small Business.
Manufacturer  Model        Type  Style                         MoCA/Coax  Ethernet/VDSL2          POTS
Alcatel       I-211M-L     SFU   Interior Desktop / Exterior   1: MoCA    1: 10/100/1G Ethernet   2
Alcatel       O-24121G-A   MDU   Shared                        12         12: 10/100/1G Ethernet  24
Alcatel       O-24121V-A   MDU   Shared                        12         12: VDSL2               24
Alcatel       O-821M-A     SOHO  Exterior                      1: MoCA    2: 10/100/1G Ethernet   8
Motorola      1000-GI4     SFU   Interior                      1: MoCA    1: 10/100/1G Ethernet   2
Motorola      1000-GJ4     SFU   Interior                      1: MoCA    1: 10/100/1G Ethernet   2
Motorola      1000-GT4     SFU   Exterior                      1: MoCA    1: 10/100/1G Ethernet   2
Motorola      14842        SOHO  Exterior                      1: MoCA    5: 10/100/1G Ethernet   8
Motorola      6000-GET     MDU   Shared                        1: MoCA    12: 10/100/1G Ethernet  24
Motorola      6000-GVT     MDU   Shared                        1: MoCA    12: VDSL2               24

Phased out:
  • MDU Shared (ONT in Shared Location for Apartments and Condos): A shared ONT is placed in the apartment or condo building. Speeds are limited to anywhere from 15/5 to 75/75, depending on the ONT, and FiOS Digital Voice is not available. There is, however, FiOS Freedom Essentials, which isn't VoIP.

Modem Router

DOCSIS 3.0 MoCA Modem Routers:

Set-Top Box

  • Motorola QIP2500 (S-video, composite [RCA], Coax)
  • Motorola 7232-P2, Multi-Room DVR
  • Motorola 7216, HD DVR
  • Motorola 7100-P2 HD Set-top Box
  • Motorola 7100-P1 HD Set-top Box
  • Cisco CHS 435 HD DVR
  • Cisco CHS 335 HD Set-top Box

Terminology

  • CMTS - Cable Modem Termination System
  • Directional Coupler - Similar to a splitter but with a different attenuation between output ports.  Generally there is one main output that has little attenuation and a second output that has more attenuation.
  • DOCSIS - Data Over Cable System Interface Specification, Cable TV's data protocol
  • Node - any device that connects to the MoCA network
  • ONT - Optical Network Termination
  • STB - Set-Top Box - Any device that feeds audio and video signals to a television.  These are generally cable, satellite, or IP inputs.
  • Telco - Telephone Company Service Provider
  • WECB - Wi-Fi Ethernet Coax Bridge - a bridge which converts between Wi-Fi, Ethernet, and/or MoCA in any combination.


Tuesday, October 16, 2018

dhclient and systemd

I must be one of the surviving users who uses both ISC dhclient and systemd.

Primarily because systemd DHCP cannot handle DHCP-Options (not options, but Options), the ones that the Juniper JunOS DHCP server requires for Verizon FiOS.

So, here begins the long saga of a blog (that I might break up in several blogs)...

First things first.

Analysis of systemd dependencies.

I executed:

systemd-analyze dot --order nginx.service network-pre.target network-online.target network.target system-dhclient.slice sys-subsystem-net-devices-eth1.device networking.service nss-lookup.target shorewall.service bind9.service dhclient@eth1.service  ddclient.service resolvconf.service system-dhclient.slice  > /tmp/custom.gv

dot -Tsvg < /tmp/custom.gv > /tmp/custom.svg

firefox /tmp/custom.svg
As one can see, most people don't have a dhclient@eth0.service systemd unit file.

We are going to create a .gv file and convert it to SVG as shown below:


ISC DHCP Client


And I finally got my very own Linux gateway hooked up to the Verizon HFC network, instead of using the ActionTec wireless broadband router.

Details in here:  https://github.com/egberts/systemd-dhclient






Saturday, January 27, 2018

Ports used by Verizon FiOS Broadband Modem

I've got a Verizon residential cable setup where I connected a personal Linux router directly to the Verizon white box via Ethernet 10Base-1000 and CAT-5 cable.  And I need to relocate this Actiontec media gateway router somewhere within my new home subnet, no longer in front of my personal router.

Why would I do such a convoluted setup?  Because I like full control of my home network, which is full of 802.1X devices, Bro IDS and various other pet projects related to network security.

To do this, a complete remapping of the Verizon home network topology is necessary, covering the TCP/UDP, IP and Ethernet layers.

I attached a 10BaseT Ethernet hub in between so that Wireshark could capture the traffic in its entirety, unchanged from the default Verizon setup.

In order to cut out the marketspeak to mere labels for this article, I use the following terms:
  • cable router - Actiontec broadband gateway router, provided by Verizon
  • personal router - Your beefy brand-new Linux gateway box 

The IP subnets and addresses used throughout the home (listed in ingress to egress order):
  • 192.168.1.100 - Verizon Set-top box, first
  • 192.168.1.0/24 - Cable subnet, not changeable by cable router
  • 192.168.1.1 - gateway for cable subnet; provided by cable router
  • 192.168.6.233 - egress IP of cable router; IP provided by your personal gateway router
  • 192.168.6.0/24 - Declared by personal router for home-wide uses.

When the broadband router boots up, it accesses the following ports to communicate with various Verizon infrastructure servers:

DHCP Client - Verizon HFC network

First the cable router issues a DHCP request to the Verizon FiOS DHCP server using the following UDP ports:
  • Port 67/UDP - egress
  • Port 68/UDP - ingress

The DHCP-REQUEST options sent by your cable router look like this:

User Datagram Protocol, Src Port: 68, Dst Port: 67
Bootstrap Protocol (Request)
    Message type: Boot Request (1)
    Hardware type: Ethernet (0x01)
    Bootp flags: 0x0000 (Unicast)
        0... .... .... .... = Broadcast flag: Unicast
        .000 0000 0000 0000 = Reserved flags: 0x0000
    Client IP address: 172.32.1.132
    Your (client) IP address: 0.0.0.0
    Next server IP address: 0.0.0.0
    Relay agent IP address: 0.0.0.0
    Client MAC address: -f8:e4:XX:XX:XX:XX
    Client hardware address padding: 00000000000000000000
    Server host name not given
    Boot file name not given
    Magic cookie: DHCP
    Option: (53) DHCP Message Type (Request)
        Length: 1
        DHCP: Request (3)
    Option: (60) Vendor class identifier
        Length: 25
        Vendor class identifier: Wireless Broadband Router
    Option: (12) Host Name
        Length: 25
        Host Name: Wireless_Broadband_Router
    Option: (15) Domain Name
        Length: 4
        Domain Name: home
    Option: (55) Parameter Request List
        Length: 18
        Parameter Request List Item: (1) Subnet Mask
        Parameter Request List Item: (28) Broadcast Address
        Parameter Request List Item: (2) Time Offset
        Parameter Request List Item: (3) Router
        Parameter Request List Item: (15) Domain Name
        Parameter Request List Item: (6) Domain Name Server
        Parameter Request List Item: (4) Time Server
        Parameter Request List Item: (7) Log Server
        Parameter Request List Item: (23) Default IP Time-to-Live
        Parameter Request List Item: (26) Interface MTU
        Parameter Request List Item: (43) Vendor-Specific Information
        Parameter Request List Item: (50) Requested IP Address
        Parameter Request List Item: (51) IP Address Lease Time
        Parameter Request List Item: (54) DHCP Server Identifier
        Parameter Request List Item: (55) Parameter Request List
        Parameter Request List Item: (60) Vendor class identifier
        Parameter Request List Item: (61) Client identifier
        Parameter Request List Item: (72) Default WWW Server
    Option: (255) End
        Option End: 255


To deal with that Juniper DHCP server, my ISC DHCP client configuration for the personal router is given below (also on GitHub at https://github.com/egberts/systemd-dhclient/etc/dhcp/dhclient.conf).

If your personal gateway router is going to be attached directly to the ONT (Optical Network Terminator, a white box) like mine is, then that gateway's ingress-facing DHCP server must serve the additional specialized DHCP options to the cable router's DHCP client.

# Configuration file for /sbin/dhclient.
#
# Customized for Verizon FiOS Juniper DHCP server
#
# This is a sample configuration file for dhclient. See dhclient.conf's
# man page for more information about the syntax of this file
# and a more comprehensive list of the parameters understood by
# dhclient.
#
# Normally, if the DHCP server provides reasonable information and does
# not leave anything out (like the domain name, for example), then
# few changes must be made to this file, if any.
#

# Mimic the cable router: option 12 (Host Name) and option 15 (Domain Name)
send host-name = "Wireless_Broadband_Router";
send domain-name "home";

# Parameter Request List (option 55); compare with the capture above
request subnet-mask, broadcast-address, time-offset, routers,
        domain-name, domain-name-servers, time-servers, log-servers,
        default-ip-ttl, dhcp-requested-address, dhcp-lease-time,
        dhcp-server-identifier, dhcp-parameter-request-list,
        vendor-class-identifier, dhcp-client-identifier,
        www-server,
        dhcp6.name-servers, dhcp6.domain-search, dhcp6.fqdn, dhcp6.sntp-servers,
        interface-mtu,
        ntp-servers;

timeout 60;
retry 60;
reboot 10;

Verizon uses Juniper routers, and their DHCP server is ... quirky.  Here is a DHCPNAK as captured by Wireshark:


Internet Protocol Version 4, Src: 192.168.6.1, Dst: 255.255.255.255
User Datagram Protocol, Src Port: 67, Dst Port: 68
Bootstrap Protocol (NAK)
    Message type: Boot Reply (2)
    Hardware type: Ethernet (0x01)
    Bootp flags: 0x8000, Broadcast flag (Broadcast)
        1... .... .... .... = Broadcast flag: Broadcast
        .000 0000 0000 0000 = Reserved flags: 0x0000
    Client IP address: 0.0.0.0
    Your (client) IP address: 0.0.0.0
    Next server IP address: 0.0.0.0
    Relay agent IP address: 0.0.0.0
    Client MAC address: -f8:e4:XX:XX:XX:XX
    Client hardware address padding: 00000000000000000000
    Server host name not given
    Boot file name not given
    Magic cookie: DHCP
    Option: (53) DHCP Message Type (NAK)
        Length: 1
        DHCP: NAK (6)
    Option: (54) DHCP Server Identifier
        Length: 4
        DHCP Server Identifier: 192.168.6.1
    Option: (56) Message
        Length: 30
        Message: requested address is incorrect
    Option: (255) End
        Option End: 255
    Padding: 000000000000000000000000000000000000
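An added example (my own code, not from this post or from the egberts/systemd-dhclient repository): this Python script rebuilds the option area of the DHCPREQUEST and DHCPNAK shown above as constructed bytes, parses it the way a capture tool would, and compares the captured Parameter Request List with the option names in the dhclient.conf request statement. The name-to-code mapping for that request statement is mine, and the sample packets are constructed from the dumps, not real captures.

```python
MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie
MSG_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
# IPv4 codes for the dhclient.conf 'request' names above (dhcp6.* omitted);
# mapped by hand from the option names, so treat it as an assumption.
CONF_REQUEST = {1, 28, 2, 3, 15, 6, 4, 7, 23, 50, 51, 54, 55, 60, 61, 72, 26, 42}

def build_options(items):
    """Encode (code, value) pairs as DHCP TLVs behind the magic cookie."""
    return MAGIC + b"".join(bytes([c, len(v)]) + v for c, v in items) + b"\xff"

# Constructed to mirror the two Wireshark dumps above; not real captures.
REQUEST = build_options([
    (53, b"\x03"),                        # DHCP Message Type: Request
    (60, b"Wireless Broadband Router"),   # Vendor class identifier
    (12, b"Wireless_Broadband_Router"),   # Host Name
    (15, b"home"),                        # Domain Name
    (55, bytes([1, 28, 2, 3, 15, 6, 4, 7, 23, 26, 43, 50, 51, 54, 55, 60, 61, 72])),
])
NAK = build_options([
    (53, b"\x06"),                        # DHCP Message Type: NAK
    (54, bytes([192, 168, 6, 1])),        # DHCP Server Identifier
    (56, b"requested address is incorrect"),
])

def parse_options(payload):
    """Return {code: value}; stop at End (255), skip Pad (0), and raise on
    a truncated option rather than silently accepting a malformed packet."""
    if payload[:4] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(payload):
        code = payload[i]
        if code == 255:
            return opts
        if code == 0:
            i += 1
            continue
        length = payload[i + 1] if i + 1 < len(payload) else -1
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = value
        i += 2 + length
    raise ValueError("End option (255) missing")

def message_type(opts):
    return MSG_NAMES.get(opts[53][0], "UNKNOWN")

def prl_diff(opts):
    """(captured PRL codes the conf does not request, conf codes not captured)."""
    prl = set(opts.get(55, b""))
    return prl - CONF_REQUEST, CONF_REQUEST - prl
```

Running prl_diff on the constructed request reports that the capture asks for option 43 (Vendor-Specific Information) while the dhclient.conf does not, and that the conf adds ntp-servers (42) that the cable router never asked for.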

DHCP Server - Home Network

For the home network, my DHCP server has the following options.

# shared-network
#   subnet
#      group
#      pool

shared-network "dmz2" {

  # deny bootp;
  deny duplicates;
  # deny booting;

  subnet 192.168.6.0 netmask 255.255.255.0
  {
    # SERVER CONTROL
    # authoritative - Tells the DHCP server that it is to act as the one
    # true DHCP server for the scopes it's configured to understand, by
    # sending out DHCPNAK (DHCP-no-acknowledge) packets to
    # misconfigured DHCP clients.

    server-identifier 192.168.6.1;
    server-name "dhcp-server-192-168";

    # CLIENT CONTROL

    # 'allow unknown-clients' - Tells the DHCP server to assign
    # addresses to clients without static host declarations,
    # which is what most people want.
    #
    # This DMZ subnet denies them instead: only clients that have
    # a static host declaration get a lease.
    deny unknown-clients;
    ignore client-updates;

    # do not use option domain-search in DMZ
    # do not use option domain-name in DMZ

    # NETWORK COMPONENTS

    option log-servers 192.168.6.1;
    option subnet-mask 255.255.255.0;
    option routers 192.168.6.1;
    option ntp-servers 192.168.6.1;
    option www-server 192.168.6.1;

    option domain-name "verizon.net";

    # domain-name-servers may be a standalone DHCP config file
    # that gets updated by resolvd daemon and loaded by DHCPD
    # via 'include' statement.
    #
    # Here, it's copied manually from personal gateway's /etc/resolv.conf

    option domain-name-servers XXX.XXX.XXX.XXX, XXX.XXX.XXX.XXX;

    # log-facility local7;
    option broadcast-address 192.168.6.255;

    # on release { }

    # on expiry { }

    # Hand every committed lease (IP, MAC, host declaration name)
    # to an external script for logging.
    on commit {
        set clip = binary-to-ascii(10, 8, ".", leased-address);
        set clhw = binary-to-ascii(16, 8, ":", substring(hardware, 1, 6));
        execute("/usr/local/sbin/dhcpevent", "commit", clip, clhw, host-decl-name);
    }
  }
}


Of course, I include the following line in the main DHCP server configuration file, usually /etc/dhcp/dhcpd.conf.

    include "/etc/dhcp/dhcpd.conf.192.168.6.dmz";

The objective of the above DHCP configuration sub-settings is to make your new DHCP server emit the following egress packet; otherwise your home devices are NOT going to get an IP address.


Ports Used



The following Verizon infrastructure servers are consulted next:

  • 53/udp DNS (nsphil01.verizon.net, 71.242.0.12)
  • 53/udp DNS (nsrest01.verizon.net, ns5.verizon.net, 71.252.0.12)
  • 443/tcp HTTPS (cpe-ems2333.verizon.com, 206.46.32.32) Edgecast Server
  • 443/tcp HTTPS (cpe-ems2214.verizon.com, 206.46.32.28) Edgecast Server
  • 80/tcp HTTP (www.verizon.com, mercuryipg.FALDMDFLD00.fiostv.verizon.net, 71.246.255.44) main web site
  • 443/tcp HTTPS (cpe-ems2214.verizon.com, 206.46.32.28) Edgecast Server
  • 80/tcp HTTP (71.245.255.44)
  • 80/tcp HTTP (www.verizon.com, 71.242.0.12)
Note: Verizon uses the CMTS's own time servers via the DOCSIS protocol (which is not NTP) to keep their customer premises equipment's real-time clock in sync.