Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Scanning the IPv6 Internet Using Subnet-Router Anycast Probing

Maynard Koch, Raphael Hiesgen, Marcin Nawrocki, Thomas C. Schmidt, Matthias Wählisch

TL;DR

IPv6 measurement is hampered by the vast address space and ICMP rate limiting. The paper evaluates Subnet-Router anycast (SRA) probing as a scalable active measurement technique, detailing how to partition the routable space, generate targets from multiple inputs, and capture router responses. It provides quantitative evidence that SRA increases router discovery by approximately 10% over random probing and 80% over direct router-target probing, while offering more stable results and lower sensitivity to rate limiting; it also analyzes aliasing, stability, and cross-dataset comparisons. The work highlights operational risks such as routing loops and amplification, demonstrates responsible disclosure with operator collaboration, and argues that SRA is a valuable addition to the IPv6 measurement toolkit, though a complete view of the IPv6 Internet remains challenging.

Abstract

Identifying active IPv6 addresses is challenging. Various methods emerged to master the measurement challenge in this huge address space, including hitlists, new probing techniques, and AI-generated target lists. In this paper, we apply active Subnet-Router anycast (SRA) probing, a commonly unused method to explore the IPv6 address space. We compare our results with lists of active IPv6 nodes obtained from prior methods and with random probing. Our findings indicate that probing an SRA address reveals on average 10% more router IP addresses than random probing and is far less affected by ICMP rate limiting. Compared to targeting router addresses directly, SRA probing discovers 80% more addresses. We conclude that SRA probing is an important addition to the IPv6 measurement toolbox and may improve the stability of results significantly. We also find evidence that some active scans can cause harmful conditions in current IPv6 deployments, which we started to fix in collaboration with network operators.

Scanning the IPv6 Internet Using Subnet-Router Anycast Probing

TL;DR

IPv6 measurement is hampered by the vast address space and ICMP rate limiting. The paper evaluates Subnet-Router anycast (SRA) probing as a scalable active measurement technique, detailing how to partition the routable space, generate targets from multiple inputs, and capture router responses. It provides quantitative evidence that SRA increases router discovery by approximately 10% over random probing and 80% over direct router-target probing, while offering more stable results and lower sensitivity to rate limiting; it also analyzes aliasing, stability, and cross-dataset comparisons. The work highlights operational risks such as routing loops and amplification, demonstrates responsible disclosure with operator collaboration, and argues that SRA is a valuable addition to the IPv6 measurement toolkit, though a complete view of the IPv6 Internet remains challenging.

Abstract

Identifying active IPv6 addresses is challenging. Various methods emerged to master the measurement challenge in this huge address space, including hitlists, new probing techniques, and AI-generated target lists. In this paper, we apply active Subnet-Router anycast (SRA) probing, a commonly unused method to explore the IPv6 address space. We compare our results with lists of active IPv6 nodes obtained from prior methods and with random probing. Our findings indicate that probing an SRA address reveals on average 10% more router IP addresses than random probing and is far less affected by ICMP rate limiting. Compared to targeting router addresses directly, SRA probing discovers 80% more addresses. We conclude that SRA probing is an important addition to the IPv6 measurement toolbox and may improve the stability of results significantly. We also find evidence that some active scans can cause harmful conditions in current IPv6 deployments, which we started to fix in collaboration with network operators.

Paper Structure

This paper contains 43 sections, 10 figures, 4 tables.

Table of Contents

  1. Introduction
  2. Background and Related Work
  3. Subnet-Router anycast addresses
  4. Active measurements
  5. Challenges in active measurements
  6. Passive measurements
  7. Measurement Method and Setup
  8. Subnet-Router Anycast Probing
  9. Partitioning the address space announced in BGP to create SRA addresses
  10. Creating SRA addresses using other input sources
  11. IPv6 Alias Resolution
  12. Capturing replies
  13. Activity of router addresses
  14. Stability of SRA probing
  15. Measurement Setup
  16. ...and 28 more sections

Figures (10)

  • Figure 1: IPv6 Scanning based on different probing methods. Random probing leads to ICMP error message rate limiting (at $R_3$), therefore we discover more router IP addresses with SRA probing because SRA elicits ICMP Echo replies instead of ICMP error messages.
  • Figure 2: Example construction of a single SRA address for every target subnet given a single input prefix.
  • Figure 3: World-wide distribution of router IP addresses found with SRA probing.
  • Figure 4: Relative ratio of ICMP replies, grouped into Echo replies, error messages, and ambiguous values for router IP addresses that sent error messages for some probed subnets and ICMPv6 Echo replies for others.
  • Figure 5: Comparison of SRA vs. random probing of all /64s from the TUM Hitlist. With SRA probing, we observe $\approx 10\%$ more addresses than with random probing. While the total number of replies varies, the number of Echo replies remains stable.
  • ...and 5 more figures