2002::/16 [6to4] & abuse

• Previous message (by thread): 2002::/16 [6to4] & abuse
• Next message (by thread): update
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 2014-09-24 20:09, William Herrin wrote:
> Hi David,
> 
> 6to4 is a stateless tunnel network. The tunnel entry node advertises
> 2002::/16 into the native IPv6 network and relays received IPv6
> packets inside an IPv4 packet. The tunnel exit node's IPv4 address is
> encoded in the 6to4 IPv6 destination address.
> 
> No IPv6 addresses are changed in the transmission of the packet, so
> unless someone is incorrectly advertising more-specifics for
> 2002::/16, 2002:af2c:785::af2c:785 is the host that connected to your
> customer and that host is connected to af.2c.07.85, i.e. 175.44.7.133.
> 
> Going the other way (towards the native IPv6 network), 175.44.7.133
> encapsulates the IPv6 packet into an IPv4 packet addressed to the
> standard anycast IPv4 address for a 6to4 exit node. This packet finds
> its way to the nearest 6to4 exit node on the IPv6 native network where
> it is decapsulated back to an plain IPv6 packet.
> 
> Repeating af2c:785 in the address is just like saying 10.11.10.11.
> Don't expect it to mean anything.
> 
> Regards,
> Bill Herrin
> 
> On Wed, Sep 24, 2014 at 12:42 PM, David Hubbard
> <dhubbard at dino.hostasaurus.com> wrote:
>> Curious if anyone can tell me, or point me to a link, on how 2002::/16
>> is actually implemented for 6to4?  Strictly for curiosity.
>> 
>> We had a customer ask about blocking spam from their wordpress blog 
>> that
>> we host and the spammer was using 2002:af2c:785::af2c:785, which was 
>> the
>> first time I'd seen wordpress spam coming from IPv6.  Per RFC3964, I'm
>> guessing the 175.44.120.5 is just a relay router, not surprisingly, on
>> the China Net network and the spammer was native v6?
>> 
>> I see that net advertised from 6939 (HE) and 1103 (SURFnet 
>> Netherlands)
>> from the perspective of my feeds, so that just got me more confused.
>> 
>> Thanks,
>> 
>> David

Was gonna say if the customer is complaining that there is wordpress 
spam (in the apache logs) of an ipv6 address then the customer probably 
has an ipv6 address that he/she doesn't know about. Most people don't 
even know about ip6tables vs iptables. Usually apache won't serve the 
request unless the request includes the hostname of the vhost to server 
unless its all setup in /var/www/localhost or something, getting back to 
wordpress kind of makes me wonder how that RBL service (kismet? I think 
its called?) that they have is going to keep up with ipv6... theres a 
lot of them.

-- 
GPG: 0x0d5d2688 (keys.gnupg.net)

• Previous message (by thread): 2002::/16 [6to4] & abuse
• Next message (by thread): update
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]