What can we learn about the way IPv6 is being used and configured on today's Internet from logfiles that we already have lying around? Is the use of privacy addressing commonplace? What kinds of transition mechanisms are still being employed by users and ISPs? Some simple analysis using newly released tools shows us that privacy addressing is now extremely common, being by far the most typical type of IPv6 address configuration in use on the network. Transition mechanisms of all kinds are now very little used.
IPv6 addresses come in a variety of forms. Examining the bit-patterns of an IPv6 address can tell us, or give a strong indication, about the way that it was generated. In early work on the subject, Dave Malone explains, "IPv6 addresses are longer than IPv4 addresses, and are so capable of greater expression. Given an IPv6 address, conventions and standards allow us to draw conclusions about how IPv6 is being used on the node with that address."
At the recent Internet Engineering Protocol Group (IEPG) meeting in Orlando, Florida, Fernando Gont presented his work on "Scanning the IPv6 Internet: theory & practice". The much larger address space of IPv6 makes crude brute-force network scans unfeasible. In his presentation Fernando talked about the ways in which this changes the network reconnaissance game for IPv6. He also presented the IPv6 Toolkit, the suite of IPv6 security and troubleshooting tools that he has developed.
Gont has built on Malone's earlier work by providing a tool (address6) to analyse large numbers of IPv6 addresses and classify them into various categories depending on whether they appear to be auto-generated, randomised privacy addresses, manually configured low-byte or IPv4-based addresses and so on. These categories are described in more detail in the IETF Operational Security Capabilities for IP Network Infrastructure (opsec) Working Group document, "Network Reconnaissance in IPv6 Networks."
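The kind of bit-pattern classification described above can be sketched in a few lines. This is an added example, not address6's code or its exact rules: the function names, the low-byte threshold and the IPv4-embedding heuristics are simplifying assumptions, and the log lines are constructed from documentation prefixes.

```python
import ipaddress
from collections import Counter

SIX_TO_FOUR = ipaddress.ip_network("2002::/16")  # 6to4 prefix
TEREDO = ipaddress.ip_network("2001::/32")       # Teredo prefix

def transition_type(addr):
    """Classify the prefix: 6to4, Teredo, or native."""
    if addr in SIX_TO_FOUR:
        return "6to4"
    return "teredo" if addr in TEREDO else "native"

def iid_type(addr):
    """Heuristically classify the low 64 bits (the interface identifier)."""
    iid = int(addr) & 0xFFFFFFFFFFFFFFFF
    raw = iid.to_bytes(8, "big")
    words = [f"{(iid >> s) & 0xFFFF:x}" for s in (48, 32, 16, 0)]
    if raw[3:5] == b"\xff\xfe":
        return "auto-configured"  # modified EUI-64 derived from a MAC address
    if iid <= 0xFFFF:
        return "low-byte"         # e.g. ::1 or ::53 (threshold is an assumption)
    # IPv4 in the low 32 bits, or one octet written per 16-bit word (::192:0:2:10)
    per_word = words[0] != "0" and all(w.isdigit() and int(w) <= 255 for w in words)
    if iid >> 32 == 0 or per_word:
        return "ipv4-based"
    return "randomized"           # no recognisable pattern left

def classify_log(lines):
    """Count (transition, IID type) over the unique IPv6 clients in a log."""
    seen = set()
    for line in lines:
        try:
            addr = ipaddress.ip_address(line.split(" ", 1)[0])
        except ValueError:
            continue              # first field is not an IP address
        if addr.version == 6:
            seen.add(addr)
    return Counter((transition_type(a), iid_type(a)) for a in seen)

TAIL = ' - - [01/Mar/2013:10:00:00 +0000] "GET / HTTP/1.1" 200 512'
SAMPLE_LOG = [a + TAIL for a in (  # constructed sample, not real client data
    "2001:db8:1:2:8d3f:1c2a:9b47:e015", "2001:db8:1:2:8d3f:1c2a:9b47:e015",
    "2001:db8:1:2:0211:22ff:fe33:4455", "2001:db8:5::1",
    "2001:db8:7::192:0:2:10", "2002:c000:0201:1:a1b2:c3d4:e5f6:0789",
    "192.0.2.77")]

if __name__ == "__main__":
    for key, count in sorted(classify_log(SAMPLE_LOG).items()):
        print(key, count)
```

A "randomized" verdict here only means that no structured pattern matched, so it is an upper bound on true privacy addresses.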
Malone's results are presented in Figure 1. As the opsec WG document observes, '[Malone's] are the most comprehensive address-measurement results that have so far been made publicly available', and, 'evolution of IPv6 implementations, changes in the IPv6 address selection policy, etc. since [Malone2008] was published might limit (or even obsolete) the validity of these results.'
[Figure 1 - Results from Malone2008]
Given some webserver logs and Gont's address6 tool, it is fairly trivial to explore whether the ratios of client address types have in fact changed since 2008. Using the last 12 months' worth of webserver logs for the Internet Society's website, comprising over 50,000 unique IPv6 addresses, the following results were obtained.
Fewer than 2% of connections used the 6to4 transition technology, while the remainder were native IPv6 connections, a mark of the growing maturity of the IPv6 Internet. This result is mirrored in the IPv6 statistics produced by Google, which show that the use of transition technology has been declining since 2010 and that less than 1% of users who access Google over IPv6 are now using a transition technology. It's also probably worth noting that we saw no Teredo connections in the period.
Figure 2 shows a more detailed analysis of the interface identifiers in the sample. This is strikingly different from Malone's results from 2008 and clearly shows the impact of changes to IPv6 implementations in the intervening period. The vast majority (nearly 70%) of addresses are now classified as 'Randomized', while the auto-configured addresses that previously comprised 50% of the sample are now less than 8%. IPv4-based addresses are still a significant proportion (nearly 14%) and the manually-generated 'low-byte' addresses are just over 6%, similar to Malone's result.
[Figure 2 - IPv6 Interface ID analysis]
These measurement results update the public understanding of IPv6 address types in use today and show us that randomized interface identifiers are far more prevalent than they used to be. It is also notable that transition technologies (Teredo and 6to4) are either non-existent or very little used on the IPv6 Internet of 2013.
Acknowledgements: Thanks to Peter Godwin at the Internet Society for providing access to the webserver logs necessary for this analysis.