Curious if anyone can tell me, or point me to a link, on how 2002::/16 is actually implemented for 6to4? Strictly for curiosity.
We had a customer ask about blocking spam from their wordpress blog that we host and the spammer was using 2002:af2c:785::af2c:785, which was the first time I'd seen wordpress spam coming from IPv6. Per RFC3964, I'm guessing the 175.44.120.5 is just a relay router, not surprisingly, on the China Net network and the spammer was native v6?
I see that net advertised from 6939 (HE) and 1103 (SURFnet Netherlands) from the perspective of my feeds, so that just got me more confused.
Thanks,
David
2002::/16 would be advertised by anyone *still* operating a 6to4 relay.
A host w/ only IPv4 connectivity could use 6to4 to get access to an IPv6-only resource, thanks to automatic IPv6-in-IPv4 encapsulation (Protocol41) and with a helping hand from publicly operated relays.
Someone with (only?) native IPv6 would not, normally / unintentionally, use a 6to4 address.
In this case, af2c:785 being on both sides means it is (if everyone is playing nicely / by the rules) a host at that v4 address doing this automagically.
Pure supposition: a compromised host that happens to have, and prefer, 6to4.
/TJ
On Wed, Sep 24, 2014 at 12:42 PM, David Hubbard <dhubbard@dino.hostasaurus.com> wrote:
> Curious if anyone can tell me, or point me to a link, on how 2002::/16 is actually implemented for 6to4? Strictly for curiosity.
> We had a customer ask about blocking spam from their wordpress blog that we host and the spammer was using 2002:af2c:785::af2c:785, which was the first time I'd seen wordpress spam coming from IPv6. Per RFC3964, I'm guessing the 175.44.120.5 is just a relay router, not surprisingly, on the China Net network and the spammer was native v6?
> I see that net advertised from 6939 (HE) and 1103 (SURFnet Netherlands) from the perspective of my feeds, so that just got me more confused.
> Thanks,
> David
Hi David,
6to4 is a stateless tunnel network. The tunnel entry node advertises 2002::/16 into the native IPv6 network and relays received IPv6 packets inside an IPv4 packet. The tunnel exit node's IPv4 address is encoded in the 6to4 IPv6 destination address.
No IPv6 addresses are changed in the transmission of the packet, so unless someone is incorrectly advertising more-specifics for 2002::/16, 2002:af2c:785::af2c:785 is the host that connected to your customer and that host is connected to af.2c.07.85, i.e. 175.44.7.133.
Going the other way (towards the native IPv6 network), 175.44.7.133 encapsulates the IPv6 packet into an IPv4 packet addressed to the standard anycast IPv4 address for a 6to4 exit node. This packet finds its way to the nearest 6to4 exit node on the IPv6 native network where it is decapsulated back to a plain IPv6 packet.
Repeating af2c:785 in the address is just like saying 10.11.10.11. Don't expect it to mean anything.
Regards,
Bill Herrin
On Wed, Sep 24, 2014 at 12:42 PM, David Hubbard <dhubbard@dino.hostasaurus.com> wrote:
> Curious if anyone can tell me, or point me to a link, on how 2002::/16 is actually implemented for 6to4? Strictly for curiosity.
> We had a customer ask about blocking spam from their wordpress blog that we host and the spammer was using 2002:af2c:785::af2c:785, which was the first time I'd seen wordpress spam coming from IPv6. Per RFC3964, I'm guessing the 175.44.120.5 is just a relay router, not surprisingly, on the China Net network and the spammer was native v6?
> I see that net advertised from 6939 (HE) and 1103 (SURFnet Netherlands) from the perspective of my feeds, so that just got me more confused.
> Thanks,
> David
--
William Herrin ................ herrin@dirtside.com bill@herrin.us
Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
Can I solve your unusual networking challenges?
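
The address decoding described in the reply above, as an added example that is not part of the original thread: it pulls the embedded IPv4 address and the 2002:V4ADDR::/48 site prefix out of 6to4 clients in a web log so that an existing IPv4 blocklist can be applied to them. The log lines, the blocklist entry and the function names are constructed for illustration; only the 6to4 address comes from the thread.

```python
import ipaddress

# Constructed sample access-log lines (assumption: client address is the
# first field). Only the 6to4 address is taken from the thread.
SAMPLE_LOG = """\
2002:af2c:785::af2c:785 - - [24/Sep/2014:12:01:07 -0400] "POST /wp-comments-post.php HTTP/1.1" 200 512
2001:db8::25 - - [24/Sep/2014:12:01:09 -0400] "GET / HTTP/1.1" 200 1024
192.0.2.10 - - [24/Sep/2014:12:01:11 -0400] "GET /feed/ HTTP/1.1" 200 2048
"""

SIXTOFOUR = ipaddress.ip_network("2002::/16")


def decode_6to4(addr):
    """Return (embedded IPv4 address, /48 site prefix), or None if not 6to4."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 6 or ip not in SIXTOFOUR:
        return None
    top48 = int(ip) >> 80  # 16 bits of 2002 followed by the 32-bit IPv4 address
    v4 = ipaddress.IPv4Address(top48 & 0xFFFFFFFF)
    site = ipaddress.IPv6Network((top48 << 80, 48))
    return v4, site


def triage(log_text, v4_blocklist):
    """Return (client, embedded_v4, site_prefix, listed) per 6to4 client."""
    nets = [ipaddress.ip_network(n) for n in v4_blocklist]
    results = []
    for line in log_text.splitlines():
        client = line.split(" ", 1)[0]
        try:
            decoded = decode_6to4(client)
        except ValueError:
            continue  # first field is not an IP address
        if decoded is None:
            continue  # native IPv6 or plain IPv4 client
        v4, site = decoded
        listed = any(v4 in n for n in nets)
        results.append((client, str(v4), str(site), listed))
    return results


if __name__ == "__main__":
    # Constructed blocklist entry covering the embedded IPv4 address.
    for row in triage(SAMPLE_LOG, ["175.44.0.0/16"]):
        print(row)
```

The low 64 bits (the repeated af2c:785) play no part in the decoding; the /48 is the prefix to match when filtering the client on the IPv6 side.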
On 2014-09-24 20:09, William Herrin wrote:
> Hi David,
> 6to4 is a stateless tunnel network. The tunnel entry node advertises 2002::/16 into the native IPv6 network and relays received IPv6 packets inside an IPv4 packet. The tunnel exit node's IPv4 address is encoded in the 6to4 IPv6 destination address.
> No IPv6 addresses are changed in the transmission of the packet, so unless someone is incorrectly advertising more-specifics for 2002::/16, 2002:af2c:785::af2c:785 is the host that connected to your customer and that host is connected to af.2c.07.85, i.e. 175.44.7.133.
> Going the other way (towards the native IPv6 network), 175.44.7.133 encapsulates the IPv6 packet into an IPv4 packet addressed to the standard anycast IPv4 address for a 6to4 exit node. This packet finds its way to the nearest 6to4 exit node on the IPv6 native network where it is decapsulated back to a plain IPv6 packet.
> Repeating af2c:785 in the address is just like saying 10.11.10.11. Don't expect it to mean anything.
> Regards, Bill Herrin
> On Wed, Sep 24, 2014 at 12:42 PM, David Hubbard <dhubbard@dino.hostasaurus.com> wrote:
> > Curious if anyone can tell me, or point me to a link, on how 2002::/16 is actually implemented for 6to4? Strictly for curiosity.
> > We had a customer ask about blocking spam from their wordpress blog that we host and the spammer was using 2002:af2c:785::af2c:785, which was the first time I'd seen wordpress spam coming from IPv6. Per RFC3964, I'm guessing the 175.44.120.5 is just a relay router, not surprisingly, on the China Net network and the spammer was native v6?
> > I see that net advertised from 6939 (HE) and 1103 (SURFnet Netherlands) from the perspective of my feeds, so that just got me more confused.
> > Thanks,
> > David
Was gonna say if the customer is complaining that there is wordpress spam (in the apache logs) of an ipv6 address then the customer probably has an ipv6 address that he/she doesn't know about. Most people don't even know about ip6tables vs iptables. Usually apache won't serve the request unless the request includes the hostname of the vhost to serve unless it's all set up in /var/www/localhost or something. Getting back to wordpress kind of makes me wonder how that RBL service (kismet? I think it's called?) that they have is going to keep up with ipv6... there's a lot of them.
--
GPG: 0x0d5d2688 (keys.gnupg.net)
participants (4)
- David Hubbard
- Paige Thompson
- TJ
- William Herrin