For clarity sake...
On Thu, 2017-05-18 at 07:20 -0700, Michael Fox - N6MEF wrote:
I have been told that comcast-provided CPE doesn't allow protocol 4 through it unless it is placed in raw bridge mode.
Comcast Business cable modems *do* allow protocol 4. I can't speak to the consumer service.
Comcast as a corporate policy does not have a filter on ip protocol 4 by default. While there are a good number of things they do filter, ip protocol 4 blocking is a byproduct of their socket watchdog timer... and it affects inbound only. Outbound is fine pending you're able to receive RIP. Unfortunately, there's no user menu control to disable this in their devices so one fix would be to place the Comcast CPE into bridge mode and supply your own device in which you have the ability to shut off the watchdog timers.
I wrote up documentation about this after spending a good part of this past saturday night working on some end point issues with BK. You may find it, and some tests, at https://n1uro.ampr.org/linuxconf/amprcable.html
One site in particular who was hit by this is 44.60.0.1 who after selecting the hardware solution mentioned in my document should now be reachable from the ipip mesh. Prior to this he was not.
Some of you may recall I experienced a similar issue a few years back. Fortunately I was able to get some information via an old friend of 44/8 who's one of their chief engineers in the Boston area to find solutions to this. While the effect appears that they filter ipencap/gre/etc they do not... it's the watchdog timers that do and it affects inbound traffic only.
While there may be many reasons for keeping these on and not allowing the end user to disable them, one logical one I can think of would be to allow the CPE to keep stale/old NAT sessions flushed so they're not hogging up ram resources unnecessarily. After all these aren't high end cisco or juniper devices.