Maynard Koch

Discovery of IPv6 Router Addresses Using Subnet-Router Anycast

Author image
Maynard Koch(community contributor)

9 min read

2
Article lead image

Brute-force IPv6 scanning doesn't scale, and ICMPv6 rate limiting can undermine topology measurements. Maynard Koch and colleagues show how Subnet-Router Anycast (SRA) probing discovers more router addresses, delivers more stable results, and expands the IPv6 measurement toolbox.


Identifying active IPv6 addresses is a challenging task, but it’s also an important one. As researchers and network operators, it helps us understand the current deployment, identify weak spots that need strengthening, and detect vulnerable devices for disclosure.

A major challenge is selecting the right target addresses for probing. Brute-force scans are infeasible due to the vast number of IPv6 addresses. What’s more, topology measurements based on traceroute are constrained by ICMPv6 error message rate limiting, making high-speed probing difficult.

To fix this problem, we update the IPv6 measurement toolbox with Subnet-Router anycast (SRA) probing - an approach that drops the need for prior knowledge of address allocation in active networks and is significantly less affected by ICMPv6 error message rate limiting. This provides more stable measurement results than random probing, and allows for higher probing rates.

What are SRA addresses, and how do they work?

SRA addresses were introduced to the IPv6 addressing architecture (RFC 1884) as a way to enable applications to communicate with a router of the subnet, without knowing the actual IPv6 router address. Since then, few use cases for SRA addresses have been found.

Syntactically, SRA addresses are unicast addresses. They represent the subnet, in that the host part of the IPv6 address is set to 0. For example, for the subnet 2001:db8:1::/48 the SRA address is 2001:db8:1::0. Each router is required to support an SRA address if it has an interface to this subnet. Routers receiving a packet targeting an SRA address of one of its subnets should reply with their own full source address.

For example, a router:

  • With the two interfaces 2001:db8:1::2/48 and 2001:db8:10::2/48
  • That receives a packet to 2001:db8:1::0 via its interface 2001:db8:10::2/48
  • Will reply with the source address 2001:db8:10::2.

Notably, implementations differ in their behaviour.

SRA addresses and IPv6 address space probing

SRA probing bypasses ICMP error message rate limiting at R1 (see Figure 1(a)), in contrast to random probing (see Figure 1(b)), allowing us to discover more router addresses.

Figure 1: IPv6 Scanning based on different probing methods. Random probing leads to ICMP error message rate limiting (at R3), therefore we discover more router IP addresses with SRA probing because SRA elicits ICMP Echo replies instead of ICMP error messages.

To successfully deploy our probing, we need to partition the IPv6 address space such that each partition represents an active subnet. Let’s take a look at how we can use SRA addresses to explore new active subnets and new IPv6 router addresses.

Partitioning the IPv6 address space announced in BGP to create SRA addresses.

At the time of writing, approximately 200k IPv6 prefixes are announced in BGP.

Probing the Subnet-Router anycast address of each routable prefix as it is announced in BGP misses internal, more specific subnets. To balance scan traffic and increase the chance of discovering new addresses, we partition the routable address space into three stages. We employ this multi-stage approach to determine which input set is most suitable for SRA probing.

Figure 2 shows an example address for each stage given the input prefix 2001:db8::/32.

  1. We start by querying the SRA address of each announced prefix. All bits of the given input prefix are left unchanged in target generation.
  2. Then, we partition the routable address space into /48 subnets and scan the SRA address of each subnet, by creating all bit combinations of the first n-bit block that follows the original subnet prefix where n=48-[prefix length]. This step results in 15 billion potential targets.
  3. Finally, we partition all /48 announcements in BGP (≈100k) further into /64 subnets. We create all bit combinations of the first 16-bit block that follows the original subnet prefix
Figure 2: Example construction of a single SRA address for every target subnet given a single input prefix.

Creating SRA addresses using other input sources.

BGP announcements reflect intended reachability. There are, however, other sources containing more specific subnet assignments, which can be used to increase the effectiveness of our method. In addition to BGP announcements, we consider two input sources to create SRA addresses.

First, we collect route(6) objects from IRR databases, which predominantly contain /48 prefixes. For each of the nearly 1M prefixes, we create up to 10k random /64 SRA addresses, adding up to 10B targets.

Second, we construct a target set from the TU Munich Hitlist (2.5B addresses) by taking the first 64 bits of each host address and set the remaining 64 bits to zero, which results in 700M distinct targets.

Response rates among different input sources

We observe widely varying response rates per scan, ranging from 3.2% up to 20%. The ratio between newly discovered routers and probed IP addresses strongly depends on the input source (see Table 1). Importantly, these differences reflect two factors:

  • How deeply we probe into subnets (for example, probing /64s).
  • Whether the probed address space is known to be active.

Probing more deeply into subnets (/64)

Generating more specific subnets based on BGP (or Route(6)) input data usually leads to subnets that are not assigned to any router interface, triggering many ICMP error messages when probed. As a result, the discovery rate remains below 1% for most scans, although the unmodified BGP prefix scan shows a somewhat higher reply rate in relative terms. With only 28k IPv6 router addresses discovered and an overlap of >90% with the other scans, the effect of probing these more specific, artificially generated subnets is negligible.

However, exploring announced BGP prefixes in more depth by probing the SRA address of all /64 subnets of the announced /48 prefixes reveals 45M IPv6 router addresses. Although the number of subnets to probe is high, the method does not require prior knowledge of the active address space, making it a valuable input set for SRA probing.

Probing address space that is known to be active (hitlists, unique /64s)

In contrast, the /64 subnets resulting from the TU Munich Hitlist are not artificially generated but cut off from the host address of an (at least at some point in the past) active host. Therefore, it is much more likely that the probed subnet is active and assigned to a periphery router, which does not return an error message but instead responds with an ICMPv6 Echo reply. Consequently, when using the full TU Munich Hitlist (unique /64s), 72M unique IPv6 router addresses can be discovered by sending only 700M requests, yielding a discovery rate exceeding 10%.

Table 1: Comparison of different input sets to probe Subnet-Router anycast addresses and their effectiveness for SRA probing. The hitlist input reveals the most router IP addresses while probing only 700M SRA addresses.

Subnet-Router anycast probing avoids ICMP errors when re-probing active subnets

SRA probing is most effective when re-probing active subnets. The chance of hitting an active device at all using a random IPv6 address is almost zero. Random probing triggers ICMP error messages (‘Address Unreachable’) when a successfully probed random address changes in the future, and too many error messages will be suppressed.

Sending probes to an enabled SRA address will trigger an ICMP Echo reply message, independently whether the IPv6 router address changes or not, and avoid common ICMP error message rate limiting.

Figure 3 shows the total number of discovered IPv6 router addresses based on SRA and random probing for a measurement series using the TU Munich Hitlist /64 subnets. Per scan campaign, we find about 10% more IPv6 router addresses with SRA probing. The number of IPv6 router addresses that respond with an Echo reply message remains stable, which clearly shows that our SRA scans are far less affected by ICMP rate limiting. We also find ≈ 9M IPv6 router addresses exclusively with SRA probing, which strengthens the use of SRA probing.

Figure 3: Comparison of SRA vs. random probing of all /64s from the TU Munich Hitlist. With SRA probing, we observe ≈10% more addresses than with random probing. While the total number of replies varies, the number of Echo replies remains stable.

Comparing SRA probing with other public datasets

We compare our measurement results with multiple datasets of different characteristics. These datasets are (i) publicly available IPv6 traceroute measurements, and (ii) a popular public hitlist of active hosts.

We observe little overlap in terms of IPv6 addresses (< 5%). Each datasource represents a unique view of the IPv6 address space.

Considering all ASNs, however, shows that more than 99% of the ASNs found through SRA probing are also present in the other datasets, indicating that the number of discovered router addresses is not an artifact of probing unexplored networks but a result of the probing technique itself.

In a nutshell

SRA probing is an important addition to the IPv6 measurement toolbox, serves as a complementary source for IPv6 router addresses, and may improve the stability of results significantly.

Rate limiting is a key reason for instability of detected IPv6 addresses. We showed that probing the SRA address of a target subnet provides more stable results than random probing, because SRA probing circumvents rate limiting of ICMPv6 error messages.

Weekly SRA measurements

We provide a weekly updated dataset of IPv6 router addresses. This data set includes the replying router address, and whether the router would reply when targeted directly. It is available on https://ipv6-sra.realmv6.org.

More details are available in our article Scanning the IPv6 Internet Using Subnet-Router Anycast Probing presented at ACM CoNEXT 2025 and published in the Proceedings of the ACM on Networking.

2

You may also like

View more

About the author

Author image
Maynard Koch Based in Dresden, Germany

I am a PhD student and research associate at the Chair of Distributed and Networked Systems at TU Dresden, supervised by Prof. Dr. Matthias Wählisch. Before joining TU Dresden, I graduated with a BSc and MSc in Computer Science from Freie Universität Berlin. My research focuses on Internet measurements to improve network security. I'm particularly interested in DNS and scalable IPv6 scanning.

Comments 2

Profile picture

Stéphane Bortzmeyer

"They represent the subnet, in that the host part of the IPv6 address is set to 0" It is not always a router. What about servers using this all-zero addresses, such as the public DNS resolvers at 2a09:: and 2a11::?

Profile picture

Maynard Koch

We only accept responses where the sender's address differs from the originally requested IPv6 address. How do we know which IPv6 address we requested? We encode it in the ICMP payload, which is then reflected in the response… a neat feature of ICMP :) So, in your example, we would discard any response coming from 2a09:: or 2a11::. However, if a router has configured the all-zero address as its primary address, we would actually miss that router. We consider this limitation a reasonable trade-off, though, since it also eliminates the need to deal with aliased networks that respond to every address.