2002::/16 would be advertised by anyone *still* operating a 6to4 relay. A host w/ only IPv4 connectivity could use 6to4 to get access to an IPv6-only resource, thanks to automatic IPv6-in-IPv4 encapsulation (Protocol 41) and with a helping hand from publicly operated relays. Someone with (only?) native IPv6 would not, normally / unintentionally, use a 6to4 address. In this case, af2c:785 being on both sides means it is (if everyone is playing nicely / by the rules) a host at that v4 address doing this automagically. Pure supposition: a compromised host that happens to have, and prefer, 6to4.
/TJ
On Wed, Sep 24, 2014 at 12:42 PM, David Hubbard <dhubbard@dino.hostasaurus.com> wrote:
Curious if anyone can tell me, or point me to a link, on how 2002::/16 is actually implemented for 6to4? Strictly for curiosity.
We had a customer ask about blocking spam from their WordPress blog that we host and the spammer was using 2002:af2c:785::af2c:785, which was the first time I'd seen WordPress spam coming from IPv6. Per RFC 3964, I'm guessing the 175.44.120.5 is just a relay router, not surprisingly, on the China Net network and the spammer was native v6?
I see that net advertised from 6939 (HE) and 1103 (SURFnet Netherlands) from the perspective of my feeds, so that just got me more confused.
Thanks,
David
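The 6to4 address layout discussed in this thread, as an added example that is not part of either message: a 6to4 address carries the originating host's IPv4 address in the 32 bits after the 2002::/16 prefix, so a defender can recover it from a web log and block or correlate on the IPv4 side as well. The log lines and the function names `decode_6to4` and `sixtofour_sources` are constructed for illustration; only the first address comes from the thread.

```python
import ipaddress

SIXTOFOUR = ipaddress.ip_network("2002::/16")

# Constructed access-log lines; the client address is the first field.
SAMPLE_LOG = [
    '2002:af2c:785::af2c:785 - - [24/Sep/2014:12:00:01 +0000] "POST /wp-comments-post.php HTTP/1.1" 200 512',
    '2002:c000:204::1 - - [24/Sep/2014:12:00:05 +0000] "GET / HTTP/1.1" 200 1024',
    '2001:db8::10 - - [24/Sep/2014:12:00:09 +0000] "GET / HTTP/1.1" 200 1024',
    '192.0.2.7 - - [24/Sep/2014:12:00:11 +0000] "GET / HTTP/1.1" 200 1024',
    'garbage line without an address',
]


def decode_6to4(addr):
    """Return (embedded IPv4, interface-ID-repeats-it) for a 6to4 address, else None."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None                      # not an IP address at all
    if ip.version != 6 or ip not in SIXTOFOUR:
        return None                      # IPv4 or non-6to4 IPv6
    raw = ip.packed                      # 16 bytes, network order
    v4 = ipaddress.IPv4Address(raw[2:6])  # bits 16..47 hold the IPv4 address
    # Some stacks also copy the IPv4 address into the low 32 bits
    # (the "on both sides" pattern mentioned in the reply above).
    repeats = ipaddress.IPv4Address(raw[12:16]) == v4
    return v4, repeats


def sixtofour_sources(log_lines):
    """Map each 6to4 client in the log to the IPv4 address embedded in it."""
    found = {}
    for line in log_lines:
        fields = line.split()
        if not fields:
            continue
        decoded = decode_6to4(fields[0])
        if decoded is not None:
            found[fields[0]] = str(decoded[0])
    return found


if __name__ == "__main__":
    for client, v4 in sixtofour_sources(SAMPLE_LOG).items():
        print(client, "->", v4, "| low 32 bits repeat:", decode_6to4(client)[1])
```

The embedded IPv4 address identifies the 6to4 endpoint that encapsulated the traffic, not whichever relay carried it, so it is the value to feed into IPv4 block lists or reputation lookups.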