nanog mailing list archives
Re: 2002::/16 [6to4] & abuse
From: TJ <trejrco () gmail com>
Date: Wed, 24 Sep 2014 12:56:03 -0400
2002::/16 would be advertised by anyone *still *operating a 6to4 relay. A host w/ only IPv4 connectivity could use 6to4 to get access to an IPv6-only resource, thanks to automatic IPv6-in-IPv4 encapsulation (Protocol41) and with a helping hand from publicly operated relays. Someone with (only?) native IPv6 would not, normally / unintentionally, use a 6to4 address. In this case, af2c:785 being on both sides means it is (if everyone is playing nicely / by the rules) a host at that v4 address doing this automagically. Pure supposition: a compromised host that happens to have, and prefer, 6to4. /TJ On Wed, Sep 24, 2014 at 12:42 PM, David Hubbard < dhubbard () dino hostasaurus com> wrote:
Curious if anyone can tell me, or point me to a link, on how 2002::/16 is actually implemented for 6to4? Strictly for curiosity. We had a customer ask about blocking spam from their wordpress blog that we host and the spammer was using 2002:af2c:785::af2c:785, which was the first time I'd seen wordpress spam coming from IPv6. Per RFC3964, I'm guessing the 175.44.120.5 is just a relay router, not surprisingly, on the China Net network and the spammer was native v6? I see that net advertised from 6939 (HE) and 1103 (SURFnet Netherlands) from the perspective of my feeds, so that just got me more confused. Thanks, David
Current thread:
- 2002::/16 [6to4] & abuse David Hubbard (Sep 24)
- Re: 2002::/16 [6to4] & abuse TJ (Sep 24)
- Re: 2002::/16 [6to4] & abuse William Herrin (Sep 24)
- Re: 2002::/16 [6to4] & abuse Paige Thompson (Sep 24)
- Message not available
- RE: 2002::/16 [6to4] & abuse David Hubbard (Sep 24)