[174648] in North American Network Operators' Group
Re: 2002::/16 [6to4] & abuse
daemon@ATHENA.MIT.EDU (TJ)
Wed Sep 24 12:58:35 2014
X-Original-To: nanog@nanog.org
In-Reply-To: <FCD26398C5EDE746BFC47F43EA52A17305EEFA@dino.ad.hostasaurus.com>
From: TJ <trejrco@gmail.com>
Date: Wed, 24 Sep 2014 12:56:03 -0400
To: David Hubbard <dhubbard@dino.hostasaurus.com>
Cc: NANOG <nanog@nanog.org>
Reply-To: trejrco@gmail.com
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
2002::/16 would be advertised by anyone *still* operating a 6to4 relay.
A host w/ only IPv4 connectivity could use 6to4 to get access to an
IPv6-only resource, thanks to automatic IPv6-in-IPv4 encapsulation
(Protocol 41) and with a helping hand from publicly operated relays.
Someone with (only?) native IPv6 would not, normally / unintentionally, use
a 6to4 address. In this case, af2c:785 being on both sides means it is (if
everyone is playing nicely / by the rules) a host at that v4 address doing
this automagically.
Pure supposition: a compromised host that happens to have, and prefer,
6to4.
/TJ
On Wed, Sep 24, 2014 at 12:42 PM, David Hubbard <dhubbard@dino.hostasaurus.com> wrote:
> Curious if anyone can tell me, or point me to a link, on how 2002::/16
> is actually implemented for 6to4? Strictly for curiosity.
>
> We had a customer ask about blocking spam from their wordpress blog that
> we host and the spammer was using 2002:af2c:785::af2c:785, which was the
> first time I'd seen wordpress spam coming from IPv6. Per RFC 3964, I'm
> guessing the 175.44.120.5 is just a relay router, not surprisingly, on
> the China Net network and the spammer was native v6?
>
> I see that net advertised from 6939 (HE) and 1103 (SURFnet Netherlands)
> from the perspective of my feeds, so that just got me more confused.
>
> Thanks,
>
> David
>
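The decoding the thread is asking about, as an added example that is not code from either poster or from any project: a 6to4 address (RFC 3056) is 2002:WWXX:YYZZ::/48, where the second and third 16-bit groups are the hex form of the IPv4 address W.X.Y.Z of whoever owns that /48. For the address quoted above, af2c:0785 is 175.44.7.133, and the same value is repeated in the low 64 bits, which is the "host doing 6to4 itself" pattern TJ describes. The helper below pulls the embedded IPv4 out, flags that repeated-suffix pattern, and checks that the embedded IPv4 is globally routable at all (RFC 3964 expects relays to drop 6to4 traffic that embeds private or otherwise unroutable IPv4 space). Function names and the sample addresses other than the one from the thread are my own constructions.

```python
"""Decode and sanity-check 6to4 (2002::/16) source addresses.

Added example, not code from the NANOG thread or any project. Function
names are assumptions; sample addresses other than the one quoted in the
thread are constructed.
"""
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")


def embedded_ipv4(addr):
    """Return the IPv4 address carried in bits 16..47 of a 6to4 address.

    Per RFC 3056 the layout is 2002:WWXX:YYZZ::/48, i.e. the 32 bits right
    after the 2002 prefix are the IPv4 address of the 6to4 router or host.
    Returns None for anything outside 2002::/16 (e.g. native IPv6).
    """
    a = ipaddress.IPv6Address(addr)
    if a not in SIX_TO_FOUR:
        return None
    return ipaddress.IPv4Address(a.packed[2:6])


def classify(addr):
    """Describe a 6to4 address the way an abuse handler wants to see it.

    Returns None for non-6to4 input, otherwise a dict with:
      ipv4          the embedded IPv4 address (who to report / block on v4)
      prefix48      the /48 that IPv4 owner controls
      host_style    True when the interface identifier repeats the IPv4
                    (2002:WWXX:YYZZ::WWXX:YYZZ), the form produced by a host
                    running 6to4 itself rather than a router behind it
      ipv4_routable False when the embedded IPv4 is private/loopback/etc.,
                    which a well-behaved relay should never have forwarded
    """
    a = ipaddress.IPv6Address(addr)
    v4 = embedded_ipv4(a)
    if v4 is None:
        return None
    prefix48 = ipaddress.IPv6Network(f"{a}/48", strict=False)
    iid = a.packed[8:16]  # low 64 bits: the interface identifier
    host_style = iid == b"\x00\x00\x00\x00" + v4.packed
    return {
        "ipv4": str(v4),
        "prefix48": str(prefix48),
        "host_style": host_style,
        "ipv4_routable": v4.is_global,
    }


def abuse_targets(sources):
    """Split a list of offending IPv6 sources into what to act on.

    Returns (ipv4_targets, bogus_6to4, native_v6): the IPv4 addresses to
    report to their holder or block at the v4 edge, 6to4 addresses whose
    embedded IPv4 is unroutable (worth rejecting outright), and addresses
    that are not 6to4 and need ordinary IPv6 handling.
    """
    ipv4_targets, bogus, native = set(), [], []
    for s in sources:
        info = classify(s)
        if info is None:
            native.append(s)
        elif not info["ipv4_routable"]:
            bogus.append(s)
        else:
            ipv4_targets.add(info["ipv4"])
    return sorted(ipv4_targets), bogus, native


if __name__ == "__main__":
    # Constructed sample: the thread's address, a 6to4 address embedding
    # RFC 1918 space, and a native IPv6 address from documentation space.
    samples = ["2002:af2c:785::af2c:785", "2002:c0a8:101::1", "2001:db8::1"]
    for s in samples:
        print(s, "->", classify(s))
    print(abuse_targets(samples))
```

For the WordPress case in the thread, the practical takeaway is the first element of `abuse_targets`: whatever relay carried the packet, the /48 belongs to the holder of the embedded IPv4 address, so that is the address to put in the abuse report or the v4 block rule.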