[neilalexander]

In the case of Openreach in the UK, the majority of subscriber lines carry PPPoE traffic over VLAN 101 which is bridged on the modem to the consumer equipment.

There's also an additional VLAN 301 for TR069 management traffic, which is used by the HG612 modems (and possibly others) that Openreach used to enjoy flinging at all VDSL subscribers. The modem itself claims an IP address in this VLAN.

Although usually hidden from the end-user, it's actually surprisingly easy to drop yourself onto VLAN 301 even with the HG612 and get an IP address on that management network. I imagine that this is the kind of way that modem exploits become dangerous if they are indeed routable on networks like this.