2002::/16 [6to4] & abuse
paigeadele at gmail.com
Wed Sep 24 20:16:25 UTC 2014
On 2014-09-24 20:09, William Herrin wrote:
> Hi David,
> 6to4 is a stateless tunnel network. The tunnel entry node advertises
> 2002::/16 into the native IPv6 network and relays received IPv6
> packets inside an IPv4 packet. The tunnel exit node's IPv4 address is
> encoded in the 6to4 IPv6 destination address.
> No IPv6 addresses are changed in the transmission of the packet, so
> unless someone is incorrectly advertising more-specifics for
> 2002::/16, 2002:af2c:785::af2c:785 is the host that connected to your
> customer and that host is connected to af.2c.07.85, i.e. 18.104.22.168.
> Going the other way (towards the native IPv6 network), 22.214.171.124
> encapsulates the IPv6 packet into an IPv4 packet addressed to the
> standard anycast IPv4 address for a 6to4 exit node. This packet finds
> its way to the nearest 6to4 exit node on the IPv6 native network where
> it is decapsulated back to an plain IPv6 packet.
> Repeating af2c:785 in the address is just like saying 10.11.10.11.
> Don't expect it to mean anything.
> Bill Herrin
> On Wed, Sep 24, 2014 at 12:42 PM, David Hubbard
> <dhubbard at dino.hostasaurus.com> wrote:
>> Curious if anyone can tell me, or point me to a link, on how 2002::/16
>> is actually implemented for 6to4? Strictly for curiosity.
>> We had a customer ask about blocking spam from their wordpress blog
>> we host and the spammer was using 2002:af2c:785::af2c:785, which was
>> first time I'd seen wordpress spam coming from IPv6. Per RFC3964, I'm
>> guessing the 126.96.36.199 is just a relay router, not surprisingly, on
>> the China Net network and the spammer was native v6?
>> I see that net advertised from 6939 (HE) and 1103 (SURFnet
>> from the perspective of my feeds, so that just got me more confused.
Was gonna say if the customer is complaining that there is wordpress
spam (in the apache logs) of an ipv6 address then the customer probably
has an ipv6 address that he/she doesn't know about. Most people don't
even know about ip6tables vs iptables. Usually apache won't serve the
request unless the request includes the hostname of the vhost to server
unless its all setup in /var/www/localhost or something, getting back to
wordpress kind of makes me wonder how that RBL service (kismet? I think
its called?) that they have is going to keep up with ipv6... theres a
lot of them.
GPG: 0x0d5d2688 (keys.gnupg.net)
More information about the NANOG