2002::/16 [6to4] & abuse

William Herrin bill at herrin.us
Wed Sep 24 17:09:27 UTC 2014

Hi David,

6to4 is a stateless tunnel network. The tunnel entry node advertises
2002::/16 into the native IPv6 network and relays received IPv6
packets inside an IPv4 packet. The tunnel exit node's IPv4 address is
encoded in the 6to4 IPv6 destination address.

No IPv6 addresses are changed in the transmission of the packet, so
unless someone is incorrectly advertising more-specifics for
2002::/16, 2002:af2c:785::af2c:785 is the host that connected to your
customer and that host is connected to af.2c.07.85, i.e.

Going the other way (towards the native IPv6 network),
encapsulates the IPv6 packet into an IPv4 packet addressed to the
standard anycast IPv4 address for a 6to4 exit node. This packet finds
its way to the nearest 6to4 exit node on the IPv6 native network where
it is decapsulated back to an plain IPv6 packet.

Repeating af2c:785 in the address is just like saying
Don't expect it to mean anything.

Bill Herrin

On Wed, Sep 24, 2014 at 12:42 PM, David Hubbard
<dhubbard at dino.hostasaurus.com> wrote:
> Curious if anyone can tell me, or point me to a link, on how 2002::/16
> is actually implemented for 6to4?  Strictly for curiosity.
> We had a customer ask about blocking spam from their wordpress blog that
> we host and the spammer was using 2002:af2c:785::af2c:785, which was the
> first time I'd seen wordpress spam coming from IPv6.  Per RFC3964, I'm
> guessing the is just a relay router, not surprisingly, on
> the China Net network and the spammer was native v6?
> I see that net advertised from 6939 (HE) and 1103 (SURFnet Netherlands)
> from the perspective of my feeds, so that just got me more confused.
> Thanks,
> David

William Herrin ................ herrin at dirtside.com  bill at herrin.us
Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
Can I solve your unusual networking challenges?

More information about the NANOG mailing list