v6 proof of life

Paul_Vixie1 · June 6, 2011, 11:56pm

it's been a while since i looked at the query stream still hitting
{rbl,dul}.maps.vix.com. this was the world's first RBL but it was
renamed from maps.vix.com to mail-abuse.org back in Y2K or so. i
have not sent anything but NXDOMAIN in response to one of these
queries for at least ten years, yet the queries just keep coming.

here's a histogram of source-ip. feel free to remove yourself :-).
it's just a half hour sample. i'll put this up on a web page soon.

importantly and happily, there's a great deal of IPv6 happening here.

re:

524 200.59.134.164
492 2001:288:8201:1::14
455 209.177.144.50
418 193.124.83.73
392 140.144.32.205
360 143.54.204.171
355 208.76.170.121
282 2403:2c00:1::5
262 2001:1a80:103:5::2
225 2001:288:8201:1::2
195 2604:3500::ad:1
186 2001:288:8201:1::10
174 209.157.254.10
167 2001:b30:1:100::100
158 12.47.198.68
142 2001:288:0:2::60
125 2002:d58e:8901::d58e:8901
118 77.72.136.2
115 140.118.31.99
113 66.240.198.100
102 2001:9b0:1:601:230:48ff:fe8a:c7f4
100 2001:888:0:24:194:109:20:107
  99 212.73.100.132
  92 2405:d000:0:100::214
  86 202.177.26.107
  83 2405:d000:0:100::228
  82 195.101.253.253
  77 210.175.244.210
  77 2001:558:1014:f:69:252:96:24
  76 64.168.228.129
  76 2001:2c0:11:1::c02
  71 2001:b30:1::190
  68 2001:558:1014:f:68:87:76:185
  68 2001:4dd0:100:1020:53:2:0:1
  67 2001:558:1014:f:69:252:96:22
  67 2001:558:1014:f:68:87:76:189
  63 2001:558:1014:f:69:252:96:25
  57 2607:f758:6000:13::e4
  56 2001:558:1014:f:68:87:76:181
  55 212.234.229.242
  52 2607:f758:e000:13::e4
  51 2607:fdb8:0:b:2::2
  51 208.188.98.249
  51 2001:558:1014:f:68:87:76:190
  49 66.192.109.211
  45 2001:558:1014:f:69:252:96:23
  44 2001:db8::230:48ff:fef2:f340
  44 2001:db8::230:48ff:fef0:1de
  42 213.171.61.117
  41 201.116.43.232
  40 2607:fdb8:0:b:1::2
  40 2001:470:1f0a:c1b::2
  40 190.82.65.243
  38 190.169.30.2
  36 2605:d400:0:27::3
  35 2001:d10:2:3::1:2
  31 2605:d400:0:27::7
  30 220.110.24.250
  28 84.55.220.139
  28 2a00:1db0:16:2::347:2
  23 2607:f2e0::1:3:2
  23 2001:15c8:8::2:1
  22 218.44.167.26
  22 2001:6c8:2:100::53
  22 2001:6b0:1::201
  21 193.169.45.5
  20 2607:f470:1003::3:3
  19 2a01:8c00:ff60:2:230:48ff:fe85:d47e
  19 221.133.36.229
  19 213.178.66.2
  19 202.169.240.10
  19 2001:c28:1:1:dad3:85ff:fee1:30ec
  19 163.29.248.1
  18 195.58.224.34
  17 2a02:460:4:0:250:56ff:fea7:23d
  17 221.245.76.99
  17 2001:c28:1:1:dad3:85ff:fee0:4f68
  16 2001:630:200:8120::d:1
  15 2a01:1b8::1
  15 218.44.236.98
  15 2001:ad0::
  15 2001:41d8:1:8028::54
  14 2a00:1b50::2:2
  14 192.149.202.9
  13 200.74.222.140
  12 98.130.2.250
  12 2a00:1eb8:0:1::1
  12 2600:c00:0:1::301
  12 2001:c28:1:1:dad3:85ff:fee0:3f20
  12 2001:380:124::4
  12 2001:218:4c0:1:2e0:81ff:fe55:a018
  12 2001:12d0::3
  12 195.228.156.150
  12 194.42.134.132
  11 66.111.66.240
  11 2607:f010:3fe:100:0:ff:fe00:1
  11 211.25.195.236
  11 210.162.229.210
  11 2001:c28:1:1:dad3:85ff:fee0:be80
  11 2001:a10:1:ffff::2:c918

Wes_Hardaker1 · June 7, 2011, 3:47am

Which is reaffirming what many have said for a while: it'll be the
server-to-server traffic that will first peak. It's just going to take
the client-server relationships years to catch up. Every time I look at
my maillogs I've found there is quite a bit of v6 happening. But the
web logs show almost nothing.

Jared_Mauch · June 7, 2011, 3:50am

There was some additional research done by Geoff Houston indicating that if you exposed tunnel capable hosts (that were able to reach IPv6 literals) you had something closer to 20% IPv6 connectivity.

I'm already excited about traffic levels and patterns in less than 24 hours. Will be interesting to observe.

- Jared

See if you can reach this even if you don't have native IPv6…

http://[2001:418:3f4::5]/

George_Bonser · June 7, 2011, 5:47am

There was some additional research done by Geoff Houston indicating
that if you exposed tunnel capable hosts (that were able to reach IPv6
literals) you had something closer to 20% IPv6 connectivity.

I'm already excited about traffic levels and patterns in less than 24
hours. Will be interesting to observe.

- Jared

See if you can reach this even if you don't have native IPv6...

http://[2001:418:3f4::5]/

I am seeing about 33% of our DNS traffic from one server over v6 but
admittedly a lot of this is to the root servers that return A records
for various domains. But the number of domains with v6 capable DNS
servers is rising.

Tim_Chown · June 7, 2011, 7:02am

Other way around here... pushing 2% external web traffic by IPv6, but only about 0.2% of mail traffic, and that would be lower if some of our users weren't on various IETF mail lists.

Tim

Denis_F · June 7, 2011, 8:13am

Le 07/06/2011 01:56, Paul Vixie a �crit :

44 2001:db8::230:48ff:fef2:f340
44 2001:db8::230:48ff:fef0:1de

How can 2001:db8::/32 reach your machines ?

Denis

Arturo_Servin1 · June 7, 2011, 11:47am

Sometimes more than 25% of the traffic in our webserver is v6

http://lacnic.net/v6stat/hour_access_log_counter.png

http://lacnic.net/v6stat/hour_access_log_counter.txt

Haven't time to check the details about URLs, countries, user-agents but I am working on it.

Regards,
.as

Jima · June 7, 2011, 1:30pm

Lack of ingress filtering on Mr. Vixie's part, and lack of egress filtering on whoever-owns-those-Supermicro-board's part.
That's not to say there's a route back, by any means.

Jima

Paul_Vixie1 · June 7, 2011, 4:33pm

Jima <nanog@jima.tk> writes:

44 2001:db8::230:48ff:fef2:f340
44 2001:db8::230:48ff:fef0:1de

How can 2001:db8::/32 reach your machines ?

Lack of ingress filtering on Mr. Vixie's part, ...

indeed. i had no idea.

and lack of egress
filtering on whoever-owns-those-Supermicro-board's part.
That's not to say there's a route back, by any means.

i'll bet i'm not alone in seeing traffic from this prefix. as a rootop
i can tell you that we see plenty of queries from ipv4 rfc1918 as well.