We all know that scanning the IPv4 address space is almost trivially easy; exhaustively scanning IPv6 space is not so feasible if you expect to complete the job in any reasonable timeframe. Heuristics to reduce the space such as SLAAC addressing and common static IPv6 addressing schemes are well-known.
One common approach I take to find my way around other people’s IPv6 infrastructure is to check whether they have reverse DNS set up for a given IPv4 address. If they do, I’ll perform an AAAA lookup on the resulting domain name; for some networks, this can be surprisingly reliable. But sometimes it doesn’t work; it really depends on how the network is administered. Last year, I was curious to know how well this approach would work across the full IPv4 space.
So I ran a measurement study that attempted to answer precisely that question. I went a step further and attempted to guesstimate when the resulting IP addresses belonged to the same host/router, and from there determine whether firewalls or services were configured differently in the IPv4 world versus the IPv6 world. There are all sorts of optimisations that could be made to this work for sure, but the exhaustive sweep was useful for evaluating the approach, and was not time-consuming.
In short, this approach found 965k IPv6 addresses (of varying quality) across 5.5k ASNs. The active scanning found that over half of those are responsive in some way, and there were many cases where IPv4 was more responsive than IPv6; in some cases (TCP ports 53 and 443, for example) it was more likely that IPv6 traffic was being quietly dropped by the network.
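The PTR-then-AAAA sweep described above, as an added example that is not code from the study: it walks an IPv4 prefix, resolves each reverse name to a PTR, resolves the PTR target to AAAA records, keeps only routable IPv6 addresses, and applies a simple same-host pairing rule. The resolver, the zone data (TEST-NET-1 and 2001:db8::/32 documentation space) and the pairing heuristic are my own assumptions, not the paper's inference.

```python
import ipaddress
from typing import Callable

# (record type, owner name) -> list of answer strings; [] when no record exists
Resolver = Callable[[str, str], list]

# Constructed DNS answers standing in for a live resolver (invented data).
FAKE_DNS = {
    ("PTR", "10.2.0.192.in-addr.arpa"): ["r1.example.net."],
    ("AAAA", "r1.example.net."): ["2001:db8:1::10"],
    ("PTR", "11.2.0.192.in-addr.arpa"): ["r1-v4.example.net."],
    ("AAAA", "r1-v4.example.net."): ["fe80::1", "2001:db8:1::10"],   # link-local dropped
    ("PTR", "12.2.0.192.in-addr.arpa"): ["server.example.net."],
    ("AAAA", "server.example.net."): ["::1", "fc00::5", "2001:db8:1::20", "2001:db8:1::20"],
    ("PTR", "13.2.0.192.in-addr.arpa"): ["legacy.example.net."],      # PTR but no AAAA
    # 192.0.2.14 and the rest of the block have no PTR at all
}

def fake_resolve(rtype: str, name: str) -> list:
    """Offline stand-in; a live run would call e.g. dns.resolver.resolve(name, rtype)."""
    return FAKE_DNS.get((rtype, name), [])

def is_routable(v6: ipaddress.IPv6Address) -> bool:
    """Spelled out rather than using is_global, which would also reject the
    2001:db8::/32 documentation space used in the sample data above."""
    return not (v6.is_link_local or v6.is_loopback or v6.is_multicast
                or v6.is_unspecified or v6.ipv4_mapped is not None
                or v6 in ipaddress.ip_network("fc00::/7"))

def ptr_sweep(prefix: str, resolve: Resolver = fake_resolve) -> dict:
    """Return {ipv6: {"names": set of PTR targets, "sources": set of IPv4}}
    for every routable AAAA reached via the reverse DNS of `prefix`."""
    found = {}
    for v4 in ipaddress.ip_network(prefix):
        for name in resolve("PTR", v4.reverse_pointer):      # e.g. 10.2.0.192.in-addr.arpa
            for rr in resolve("AAAA", name):
                v6 = ipaddress.ip_address(rr)
                if v6.version != 6 or not is_routable(v6):
                    continue
                entry = found.setdefault(str(v6), {"names": set(), "sources": set()})
                entry["names"].add(name)
                entry["sources"].add(str(v4))
    return found

def candidate_pairs(found: dict) -> list:
    """Assumed heuristic: an IPv6 reached from exactly one IPv4 through one name
    is a plausible same-host (v4, v6) pair to compare for policy differences."""
    return sorted((next(iter(e["sources"])), v6) for v6, e in found.items()
                  if len(e["sources"]) == 1 and len(e["names"]) == 1)
```

Swap `fake_resolve` for a real resolver callable to run it against a prefix you are authorised to measure; the pairs it returns are the candidates for the per-port IPv4 versus IPv6 comparison the post describes.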
This was submitted to IMC, admittedly a high bar. While the reviews were reasonably positive, the paper didn’t make the cut.
Continued study of the IPv6 space is interesting. For openness, the full copy can be found here.
The abstract is as follows:
The IPv4 address space is small enough to allow exhaustive active measurement, permitting important insight into Internet growth, policy, and evolution. The IPv6 address space, on the other hand, presents the problem that we can no longer perform exhaustive measurements in the same way, inhibiting our ability to continue studying Internet growth. Access to private datasets (e.g., HTTP access logs on content servers, flow data in ISP networks, or passive DNS traces) solves some problems but may not be feasible or desirable. This paper describes IPv6 address collection by exhaustively sweeping the reverse DNS domain for the IPv4 address space and performing AAAA queries on the results. Subsequent ICMP and TCP measurements are conducted to measure the responsiveness of the resulting set. Key outcomes include: the PTR sweep discovers 965,304 unique, globally routable IPv6 addresses originating from 5,531 ASNs. 56% of the addresses are responsive, across 4,571 ASNs. Upon inferring pairs of IPv4 and IPv6 addresses that are likely associated with the same device, the data indicates a trend toward IPv4 addresses being more responsive than their IPv6 counterparts, with a higher incidence rate of TCP connections being refused, and wide disparity on where TCP connections or ICMP echo requests fail silently when comparing IPv4 and IPv6. The disparity in IPv4 and IPv6 responsiveness is highly variable, and indicative of distinct host configuration and network policies across the two networks, presenting potential policy or security gaps as the IPv6 network matures.