Monitoring and Classification of Active IPv6 Addresses
January 2016 • Presentation
In this presentation, the author introduces IP address classification methods and how IPv6 addresses are more than just larger IP addresses.
There is a striking volume of activity on IPv6 today. One large content distribution network (CDN) observes over 500 million unique IPv6 client addresses per day and over 10 billion unique IPv6 addresses per month. Address counts, however, obscure the number of hosts with IPv6 connectivity to the global Internet. There are numerous address assignment and subnetting practices in use; privacy addresses and dynamic subnet pools significantly inflate the number of active IPv6 addresses. As the IPv6 address space is vast, it is infeasible to comprehensively probe every possible unicast IPv6 address. Thus, to survey the characteristics of IPv6 addressing, we perform a multi-year passive measurement study, analyzing the IPv6 addresses gleaned from activity logs for all clients accessing a global CDN. In this presentation, we introduce the IP address classification methods motivated both by that measurement study and the fact that IPv6 addresses are clearly more than just larger IP addresses; they are different in kind. (Details are available in this research paper: Temporal and Spatial Classification of Active IPv6 Addresses.) We visually tour the active IPv6 Internet and highlight how address classification can inform IP geolocation, host reputation, access control, abuse mitigation, and network forensics.