2002::/16 [6to4] & abuse

Curious if anyone can tell me, or point me to a link, on how 2002::/16
is actually implemented for 6to4? Strictly for curiosity.

We had a customer ask about blocking spam from their wordpress blog that
we host and the spammer was using 2002:af2c:785::af2c:785, which was the
first time I'd seen wordpress spam coming from IPv6. Per RFC3964, I'm
guessing the is just a relay router, not surprisingly, on
the China Net network and the spammer was native v6?

I see that net advertised from 6939 (HE) and 1103 (SURFnet Netherlands)
from the perspective of my feeds, so that just got me more confused.



2002::/16 would be advertised by anyone *still* operating a 6to4 relay.

A host w/ only IPv4 connectivity could use 6to4 to get access to an
IPv6-only resource, thanks to automatic IPv6-in-IPv4 encapsulation
(Protocol41) and with a helping hand from publicly operated relays.
Someone with (only?) native IPv6 would not, normally / unintentionally, use
a 6to4 address. In this case, af2c:785 being on both sides means it is (if
everyone is playing nicely / by the rules) a host at that v4 address doing
this automagically.

Pure supposition: a compromised host that happens to have, and prefer,


Hi David,

6to4 is a stateless tunnel network. The tunnel entry node advertises
2002::/16 into the native IPv6 network and relays received IPv6
packets inside an IPv4 packet. The tunnel exit node's IPv4 address is
encoded in the 6to4 IPv6 destination address.

No IPv6 addresses are changed in the transmission of the packet, so
unless someone is incorrectly advertising more-specifics for
2002::/16, 2002:af2c:785::af2c:785 is the host that connected to your
customer and that host is connected to af.2c.07.85, i.e.

Going the other way (towards the native IPv6 network),
encapsulates the IPv6 packet into an IPv4 packet addressed to the
standard anycast IPv4 address for a 6to4 exit node. This packet finds
its way to the nearest 6to4 exit node on the IPv6 native network where
it is decapsulated back to a plain IPv6 packet.

Repeating af2c:785 in the address is just like saying
Don't expect it to mean anything.

Bill Herrin
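
The address layout described in the reply above, as an added example that is not part of the original thread: it recovers the IPv4 address embedded in a 6to4 client address so that existing IPv4 blocklists can be applied, and derives the 6to4 site /48 for an IPv6 filter. The log lines, the blocklist and the function names are constructed for illustration.

```python
import ipaddress

SIXTOFOUR = ipaddress.ip_network("2002::/16")

def decode_6to4(addr):
    """Return (embedded IPv4 address, 6to4 site /48) or None if addr is not 6to4."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 6 or ip not in SIXTOFOUR:
        return None
    # Bits 16..47 of the 128-bit address carry the tunnel endpoint's IPv4 address.
    v4 = ipaddress.IPv4Address((int(ip) >> 80) & 0xFFFFFFFF)
    # 2002:VVVV:VVVV::/48 is the whole prefix owned by that IPv4 host.
    site = ipaddress.IPv6Network((int(ip) >> 80 << 80, 48))
    return v4, site

def flag_6to4_clients(lines, v4_blocklist):
    """Scan access-log lines (client address first) and report 6to4 clients."""
    hits = []
    for line in lines:
        client = line.split(" ", 1)[0]
        try:
            decoded = decode_6to4(client)
        except ValueError:
            continue  # first field is not an IP address
        if decoded:
            v4, site = decoded
            listed = any(v4 in net for net in v4_blocklist)
            hits.append((client, str(v4), str(site), listed))
    return hits

# Constructed sample: the address from the thread, an RFC 5737 documentation
# address wrapped in 6to4, a native IPv6 client and an IPv4 client.
SAMPLE_LOG = [
    '2002:af2c:785::af2c:785 - - [01/Jan/2000:00:00:01 +0000] "POST /wp-comments-post.php HTTP/1.1" 200 512',
    '2002:c000:204::1 - - [01/Jan/2000:00:00:02 +0000] "POST /wp-comments-post.php HTTP/1.1" 200 498',
    '2001:db8::10 - - [01/Jan/2000:00:00:03 +0000] "GET / HTTP/1.1" 200 1024',
    '198.51.100.7 - - [01/Jan/2000:00:00:04 +0000] "GET / HTTP/1.1" 200 1024',
]
# Constructed IPv4 blocklist (documentation range only).
BLOCKLIST = [ipaddress.ip_network("192.0.2.0/24")]

if __name__ == "__main__":
    for client, v4, site, listed in flag_6to4_clients(SAMPLE_LOG, BLOCKLIST):
        print(f"{client} -> IPv4 {v4}, site {site}, on IPv4 blocklist: {listed}")
```

The low 64 bits (the repeated af2c:785) play no part in the decoding, which matches the point above that the repetition does not mean anything.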

Thanks Bill, TJ and Owen; it's much clearer now.


Was gonna say, if the customer is complaining that there is WordPress spam (in the Apache logs) from an IPv6 address, then the customer probably has an IPv6 address that he/she doesn't know about. Most people don't even know about ip6tables vs iptables. Usually Apache won't serve the request unless the request includes the hostname of the vhost to serve, unless it's all set up in /var/www/localhost or something. Getting back to WordPress, it kind of makes me wonder how that RBL service (kismet? I think it's called?) that they have is going to keep up with IPv6... there's a lot of them.