How did they pull this off? (TMOUS Hotspot)
I did a little research on how T-Mobile US deploy their IPv6 in their mobile hotspot.
When my laptop connects to the hotspot, these are the IP addresses it got:
$ ip a
2: wlp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1440 qdisc noqueue state UP group default qlen 1000
link/ether 90:2e:1c:71:ee:86 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.248/24 brd 192.168.0.255 scope global dynamic noprefixroute wlp1s0
valid_lft 6828sec preferred_lft 6828sec
inet6 2607:fb90:fa26:937c:7336:2811:7657:394/64 scope global temporary dynamic
valid_lft 602348sec preferred_lft 83516sec
inet6 2607:fb90:fa26:937c:15fc:57f7:3229:d608/64 scope global mngtmpaddr noprefixroute
valid_lft forever preferred_lft forever
inet6 fe80::6ab2:11e2:fdf6:239d/64 scope link noprefixroute
valid_lft forever preferred_lft forever
Traceroute to dns.google:
$ traceroute -6 dns.google
traceroute to dns.google (2001:4860:4860::8844), 30 hops max, 80 byte packets
1 mobile.hotspot (2607:fb90:fa26:937c:200a:218:bc08:7f90) 0.839 ms 0.882 ms 0.915 ms
2 fc00:10:6:122::254 (fc00:10:6:122::254) 196.567 ms 196.565 ms fc00:10:5:122::254 (fc00:10:5:122::254) 197.957 ms
3 fc00:10:6:122::254 (fc00:10:6:122::254) 197.934 ms 197.949 ms 203.421 ms
4 fd01:976a:0:1::d5 (fd01:976a:0:1::d5) 203.481 ms * *
5 * * ::ffff:10.169.6.125 (::ffff:10.169.6.125) 203.012 ms
6 ::ffff:10.169.6.125 (::ffff:10.169.6.125) 206.137 ms 201.722 ms 2001:4860:1:1::1018 (2001:4860:1:1::1018) 201.825 ms
7 2607:f8b0:8069::1 (2607:f8b0:8069::1) 201.605 ms 54.054 ms 2001:4860:1:1::1018 (2001:4860:1:1::1018) 70.645 ms
8 2607:f8b0:8311::1 (2607:f8b0:8311::1) 58.428 ms dns.google (2001:4860:4860::8844) 65.929 ms 2607:f8b0:831d::1 (2607:f8b0:831d::1) 63.735 ms
Wait a minute... first hop's IP address is in the same /64 as the laptop IP?
The mobile hotspot acts as a router/gateway, right?
$ ip -6 r
::1 dev lo proto kernel metric 256 pref medium
2607:fb90:fa26:937c::/64 dev wlp1s0 proto ra metric 600 pref medium
fe80::/64 dev wlp1s0 proto kernel metric 1024 pref medium
default via fe80::3138:15d9:a817:28e9 dev wlp1s0 proto ra metric 600 pref medium
NDP-proxy?
I wish there is a way to ssh into the box. There isn't much resources out there about this topic.
So what say you about how the CPE is configured?
The all seeing eye sees everything...
Comments
Websites have ads, I have ad-blocker.
More digging:
and
ff02::1:ff57:394
seems to come out of nowhere.The all seeing eye sees everything...
if i had the hardware i probably could have found a way inside it
did the same with my ISPs router, the way it manages to handle voip and internet while also spying on us is wonderfully executed
youtube.com/watch?v=k1BneeJTDcU
Probably true but no ways to verify for sure:
2607:fb90:fa26:937c::/64
is assigned to the user facing interface and interfaces of the user's end use devices.I have no way of knowing it to be absolutely true but traceroute shows that they use ULAs for all internal equipment.
The all seeing eye sees everything...
I had an openwrt router with t-mobile/at&t but returned it yesterday to get another new model. Sadly won't have it for 2-3 weeks. If you want me to test something lmk.
ExtraVM
In wired networks, this would be the effect of DHCPv6 Prefix Delegation.
Verizon FiOS delegates a /56 prefix to my home router.
My home router gives a /64 prefix to each internal interface.
Devices on an internal interface are assigned addresses from that /64 prefix.
The link between my home router and Verizon equipment has only link-local address.
In cellular networks, it's somewhat different.
When the UE registers with the cellular network, the SMF allocates a /64 prefix to the UE, and instructs the data network (UPFs) to route this prefix to the UE.
The UE i.e. mobile hotspot can then put this /64 on its DHCPv6 server and assigns addresses to the connected devices.
The link between the mobile hotspot and the core network is not an IP interface and does not need IP addressing.
Accepting submissions for IPv6 less than /64 Hall of Incompetence.
What model is that?
Ah mystery solved!
The all seeing eye sees everything...
https://www.gl-inet.com/products/gl-x3000/
However I pre-ordered the xe3000 which is the same, just with a battery, as I use cell routers when travelling.
ExtraVM
GL.iNet has good stuff. Really filling in a niche.
The all seeing eye sees everything...
I would love to hear more on this.
Why?
they scan the nearby aps, the dns is obviously obliterated by the isp, the router also runs a weird redirection service which redirects you from websites to this seemingly non existent webpage which keeps loading until its timed out
if you wanna know more you can just get the firmware or go to https://github.com/JFC-Group/JF-Customisation
however the spying part isnt mentioned there very well, we recently got the ap scan thing sorted
another fishy thing is if you change the dns on the router it will always default to jio's dns after a reboot, we found a sftp server of Jio that held VoIP server logs of many, many people
stuff.
youtube.com/watch?v=k1BneeJTDcU
Seems to imply you have access to their servers.
The all seeing eye sees everything...
I read the thread title as HUMOUS.
It's a type of multicast address:
https://www.rfc-editor.org/rfc/rfc4291.html#section-2.7.1
Daniel15 | https://d.sb/. List of all my VPSes: https://d.sb/servers
dnstools.ws - DNS lookups, pings, and traceroutes from 30 locations worldwide.
I love hummus!
Yep, I too love humerus. Very tasty
Websites have ads, I have ad-blocker.
Everyone should. It's delicious, versatile, and you can spread it on spotty arse cheeks for an hour and it'll clear those pimples right up!