SubnetRouter Anycast: Finding 80% More Routers


Targeting Subnet-Router Anycast addresses uncovers 80% more router interfaces than direct unicast probing. This method sidesteps the ICMPv6 rate limits that strangle traditional brute-force scans. IPv6's sheer address volume makes random sampling impractical, and standard traceroute measurements often fail when routers suppress ICMP Address Unreachable messages. Maynard Koch's June 2026 research proves that hitting the SRA address of a subnet forces compliant routers to reply with their specific interface addresses via ICMP Echo Reply packets. This technique avoids the error thresholds that typically halt high-speed discovery, stabilizing the mapping of active subnets.

Network operators can partition the roughly 200,000 IPv6 prefixes currently announced in BGP to generate targeted SRA probe lists. Shifting to these bandwidth-efficient frameworks reveals vulnerable devices and deployment topologies invisible to conventional tools.

The Critical Role of Subnet-Router Anycast in Modern IPv6 Discovery

RFC 4291 Definition of Subnet-Router Anycast Syntax

RFC 4291 formally defines the Subnet-Router Anycast address as a unicast address where the host portion consists entirely of zero bits following an n-bit subnet prefix (see also the Internet-Draft draft-smith-6man-form-func-anycast-addresses-02). This syntax, which evolved from RFC 1884 through RFC 2526, mandates that for a prefix like 2001:db8:1::/48, the specific anycast target becomes 2001:db8:1::0. Unlike standard unicast assignments, this structure lets applications reach a router without knowing its specific interface identifier.

The operational value lies in the response type. Targeting this structured address elicits an ICMP Echo Reply rather than triggering the ICMP error messages that activate rate limiting on non-existent hosts.

Random probing triggers ICMP Address Unreachable responses when hitting inactive hosts, causing routers to drop subsequent packets due to rate limiting. This suppression creates blind spots in topology maps. SRA probing avoids this failure mode by targeting a stable anycast endpoint that routers are required to answer. The mechanism yields a measurable 10% increase in discovered router addresses compared to random methods.

Precision defines the operational trade-off. Generating targets from broad BGP announcements often misses internal, more specific subnets hidden behind aggregation points. Deepening the scan to /64 granularity reveals these concealed routers but risks higher noise if the address space is unassigned. Unlike direct targeting, SRA discovery rates jump by 80% when shifting from unicast guesses to anycast structural knowledge.

ICMPv6 rate limiting protects infrastructure but obscures visibility during standard audits. Relying solely on random sampling leaves significant portions of the routing fabric unmapped. Deploying SRA-based measurement tools allows for aggressive scanning frequencies without triggering the very defenses designed to stop floods. This approach transforms the subnet prefix from a routing entry into a reliable discovery handle.

Subnet-Router Anycast addresses enable router communication without specific interface knowledge, yet operational adoption remains confined to research contexts. Originally intended to enable connectivity when actual router addresses are unknown, the mechanism sees minimal use in production traffic flows outside of active measurement campaigns. While the technique successfully identifies hidden infrastructure by targeting the zero-host-bit suffix of a prefix, few applications use this capability for routine network management. The primary value proposition exists within structured discovery rather than daily operations. Researchers apply hitlists derived from BGP announcements to map the internet, revealing deployment depth that standard views miss.

Mechanics of Partitioning IPv6 Space to Bypass Rate Limiting

Three-Stage Partitioning of BGP Announced Prefixes

Scanning the SRA address for each of the roughly 200k IPv6 prefixes currently announced in BGP fails to reveal internal, more specific subnets hidden behind aggregate routes. This limitation necessitates a deeper partitioning strategy to bypass the inefficiency of blind probing. The methodology expands the target surface by manipulating the first n-bit block where n=48-[prefix length], effectively generating 15 billion potential targets from the original routable space. This aggressive expansion addresses the coverage gap where random probing misses active infrastructure residing on unannounced, finer-grained subnets.

The process executes in three distinct mechanical stages to balance scan traffic volume against discovery probability:

  1. Query the SRA address of every announced prefix with the input bits unchanged.
  2. Partition the space into /48 subnets and scan all bit combinations of the following n-bit block.
  3. Further partition /48 announcements into /64 subnets by varying the subsequent 16-bit block.

While this approach drastically increases the candidate pool, it introduces a significant operational trade-off: generating targets for subnets not actually assigned to router interfaces triggers high volumes of ICMP error messages. Consequently, discovery rates for these artificially deep scans often remain below 1%, creating noise that can obscure valid responses if not filtered aggressively.

Triggering ICMP Echo Reply Instead of Unreachable Errors

Targeting the Subnet-Router Anycast address forces routers to generate ICMP Echo Reply messages, bypassing the error-message suppression that cripples random scans. Standard probing hits inactive hosts and triggers ICMP Address Unreachable responses. This suppression creates blind spots in topology maps where active infrastructure remains hidden. The mechanism yields a measurable increase in discovered router addresses compared to random methods. Researchers using the TU Munich Hitlist confirm that structured discovery reveals significantly more infrastructure than brute-force attempts. Rate limits specifically throttle ICMP error messages, not Echo Replies.

Operational data indicates that scan stability improves significantly when discarding random generation in favor of prefix-derived anycast targets. The cost of random probing manifests as wasted bandwidth on unreachable hosts, whereas SRA directs traffic exclusively to known subnet boundaries. Random methods often miss internal, more specific subnets that reside behind aggregate BGP announcements, leaving significant infrastructure unmapped. SRA probing recovers these hidden nodes by targeting the anycast address of the prefix itself rather than guessing host bits.

The limitation remains that SRA requires the target subnet to be routable or inferable from existing BGP data. Operators relying solely on top-level aggregates may still overlook finer granularity without deeper partitioning. Ultimately, the choice depends on whether the goal is broad statistical sampling or precise topology mapping of active infrastructure.

Generating Target Lists from BGP Prefixes and IRR Route Objects

Constructing SRA Targets from IRR Route Objects and Hitlists

Bar chart comparing SRA probing discovering 80% more addresses than direct targeting, alongside metrics showing /48 prefix dominance and billions of potential targets.

Route(6) objects from IRR databases predominantly contain /48 prefixes, enabling the generation of structured target lists beyond BGP announcements. Operators extract these prefixes to create random /64 Subnet-Router Anycast addresses, a process that can yield up to billions of potential targets from nearly one million route objects. This method expands the scan surface significantly compared to relying solely on global routing tables. However, the sheer volume of generated addresses introduces noise, as many constructed subnets may not exist in the physical topology.

Processing the TU Munich Hitlist involves taking the first 64 bits of each listed address and zeroing the remaining host bits, which turns every entry into the SRA address of its /64. This technique uses known active prefixes to form valid SRA candidates without guessing. The limitation remains that hitlists reflect historical activity rather than real-time state, potentially including deprecated ranges. Network engineers must therefore treat these lists as flexible inputs requiring regular updates to maintain accuracy.

  1. Parse IRR Route(6) objects to isolate /48 prefixes.
  2. Generate random /64 suffixes for each prefix to create SRA targets.
  3. Normalize TU Munich Hitlist entries by zeroing host bits.
  4. Merge datasets and remove duplicates before probing.
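The four steps above as an added example (not code from the article or from the research it cites). The RPSL text, hitlist entries and all function names are constructed for illustration and use the 2001:db8::/32 documentation range; the code only builds an address list and sends nothing.

```python
import ipaddress
import random

LOW64 = (1 << 64) - 1  # mask covering the 64-bit interface identifier

def parse_route6(rpsl_text):
    """Step 1: collect the /48 prefixes named in route6: attributes."""
    out = []
    for line in rpsl_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() != "route6":
            continue
        try:
            net = ipaddress.IPv6Network(value.strip())
        except ValueError:
            continue  # malformed prefix or host bits set
        if net.prefixlen == 48:
            out.append(net)
    return out

def random_64_sras(prefix48, count, rng):
    """Step 2: SRA addresses of `count` distinct random /64s inside a /48."""
    base = int(prefix48.network_address)
    subnet_ids = rng.sample(range(1 << 16), count)
    return [ipaddress.IPv6Address(base | (sid << 64)) for sid in subnet_ids]

def normalize_hitlist(addresses):
    """Step 3: keep the first 64 bits of each entry, zero the host bits."""
    return [ipaddress.IPv6Address(int(ipaddress.IPv6Address(a)) & ~LOW64)
            for a in addresses]

def build_targets(rpsl_text, hitlist, per_prefix, seed=0):
    """Step 4: merge both sources and drop duplicates."""
    rng = random.Random(seed)
    targets = set(normalize_hitlist(hitlist))
    for net in parse_route6(rpsl_text):
        targets.update(random_64_sras(net, per_prefix, rng))
    return sorted(targets)

# Constructed sample inputs (documentation prefixes and ASNs).
SAMPLE_RPSL = """\
route6:         2001:db8:1::/48
origin:         AS64500

route6:         2001:db8:4000::/36
origin:         AS64501
"""
SAMPLE_HITLIST = ["2001:db8:1:2:aaaa:bbbb:cccc:dddd", "2001:db8:1:2::1",
                  "2001:db8:9:0:21a:2bff:fe3c:4d5e"]

if __name__ == "__main__":
    for t in build_targets(SAMPLE_RPSL, SAMPLE_HITLIST, per_prefix=4):
        print(t)
```

The two hitlist entries in 2001:db8:1:2::/64 collapse to one target, which is the de-duplication step 4 calls for.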

Implementation: Executing Three-Stage Partitioning on BGP Announced Prefixes

Partitioning the routable space into three stages balances scan traffic while targeting the SRA address of each prefix. Direct queries against announced prefixes with unchanged bits often miss internal, more specific subnets hidden behind aggregate routes. This coverage gap necessitates a structured expansion strategy rather than blind probing.

The execution follows a strict mechanical sequence to maximize hitlist density:

  1. Query the SRA address for every announced prefix, leaving all input prefix bits unchanged.
  2. Partition the space into /48 subnets, creating bit combinations for the n-bit block where n=48 minus prefix length.
  3. Split all /48 announcements further into /64 subnets by generating combinations for the first 16-bit block.
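The three stages as an added example (not code from the article or from the research it cites). The announced prefixes are constructed from the 2001:db8::/32 documentation range and the function names are hypothetical; targets are produced lazily and `stage_sizes` computes each stage's candidate count without enumerating it.

```python
import ipaddress
from itertools import islice

def sra(net):
    """Subnet-Router Anycast address of a prefix: all host bits zero."""
    return net.network_address

def stage1(prefixes):
    """Stage 1: SRA of each announced prefix, prefix bits unchanged."""
    for p in prefixes:
        yield sra(p)

def stage2(prefixes):
    """Stage 2: every /48 inside prefixes shorter than /48 (n = 48 - length)."""
    for p in prefixes:
        if p.prefixlen < 48:
            for sub in p.subnets(new_prefix=48):
                yield sra(sub)

def stage3(prefixes):
    """Stage 3: every /64 inside announced /48s (the next 16-bit block)."""
    for p in prefixes:
        if p.prefixlen == 48:
            for sub in p.subnets(new_prefix=64):
                yield sra(sub)

def stage_sizes(prefixes):
    """Candidate counts per stage, computed arithmetically."""
    s2 = sum(2 ** (48 - p.prefixlen) for p in prefixes if p.prefixlen < 48)
    s3 = sum(2 ** 16 for p in prefixes if p.prefixlen == 48)
    return {"stage1": len(prefixes), "stage2": s2, "stage3": s3}

# Constructed sample "announcements" from the documentation range.
ANNOUNCED = [ipaddress.ip_network(p) for p in
             ("2001:db8::/32", "2001:db8:ff00::/40", "2001:db8:1::/48")]

if __name__ == "__main__":
    print(stage_sizes(ANNOUNCED))
    for name, gen in (("stage1", stage1), ("stage2", stage2),
                      ("stage3", stage3)):
        print(name, [str(a) for a in islice(gen(ANNOUNCED), 3)])
```

The first /48 of an aggregate shares its SRA address with the aggregate itself (2001:db8:: here), so the stages overlap and their outputs need de-duplicating before use.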

Measurable Gains in Router Discovery Using Structured Probing

Defining SRA Probing Efficiency Metrics


Response rates fluctuate notably across input sets, ranging from 3.2% for broad scans up to 20% for targeted BGP /48 partitions. Probing deeper into /64 subnets often targets unassigned space, triggering ICMP error messages that suppress further visibility. Structured SRA approaches maintain stream continuity by targeting stable anycast endpoints, unlike random strategies that suffer from ICMP rate limitation. BGP partitioning uncovers a vast number of router addresses, while the hitlist method proves more efficient per probe by avoiding empty subnets.

SRA Discovery Overlap with Public IPv6 Datasets

SRA probing reveals negligible address-level duplication, with less than 5% overlap against public traceroute measurements, yet captures infrastructure others miss. This divergence confirms the technique targets distinct router interfaces rather than recycling known host addresses from legacy hitlists. Validation requires cross-referencing discovered endpoints with established datasets to prove utility beyond artifact generation.

| Metric | SRA Probing | Public Datasets |
| --- | --- | --- |
| Address Overlap | 99% | Variable |
| Target Type | Router Interfaces | Host Endpoints |

The data shows near-total alignment at the Autonomous System level where more than 99% of identified ASNs exist in public records despite the low address overlap. SRA finds real routers within known networks that random scanning ignores due to sparse allocation. Relying solely on the TU Munich Hitlist leaves gaps; SRA complements existing maps by filling coverage gaps in the routing layer rather than the host layer. Standard measurement tools leave the router interface population largely unmapped if they ignore this structured approach.

About

Alexander Timokhin, CEO of InterLIR, brings critical strategic insight to the complex discussion of Subnet-Router Anycast (SRA) addresses. While InterLIR specializes in the IPv4 marketplace, Timokhin's deep expertise in IT infrastructure and global IP addressing policies allows him to effectively contextualize IPv6 measurement challenges for network operators. His daily work involves solving network availability problems and managing critical address resources, making the efficiency of address discovery directly relevant to his mission of optimizing internet infrastructure. By understanding the limitations of brute-force scanning and ICMPv6 rate limiting, Timokhin connects high-level resource management with the technical necessities of network security and topology mapping. This perspective ensures that the analysis of SRA addresses is not only theoretically sound but also grounded in the practical realities faced by organizations relying on clean, reachable IP spaces for their operations.

Conclusion

Scaling SRA discovery reveals that operational friction emerges not from address scarcity, but from the sheer volume of ICMP errors generated by indiscriminate scanning. While targeted approaches yield high returns, broad application across the entire IPv6 space creates a signal-to-noise ratio that overwhelms standard collection pipelines. The real cost lies in processing millions of negative responses to find valid router interfaces, a burden that grows linearly with scan width. Organizations must shift from blanket probing to structured BGP-seeded targeting within the next two quarters to maintain measurement viability. Relying on static hitlists ignores the flexible nature of prefix announcements and leaves significant infrastructure blind spots. Start by auditing your current seed lists against live BGP updates this week to ensure your scan targets reflect active /48 allocations rather than historical data. This immediate alignment prevents wasted cycles on dormant space and ensures your measurement campaigns capture the distinct router layer that standard host-based tools miss. Prioritizing verified input sources transforms SRA from a noisy experiment into a precise instrument for mapping the unseen routing fabric.

Frequently Asked Questions

SRA discovery rates jump significantly when shifting from unicast guesses to structured anycast targeting. Targeting these specific addresses yields an 80% increase in discovered router interfaces compared to direct targeting methods.

The mechanism yields a measurable increase in discovered router addresses compared to random probing methods. Specifically, using Subnet-Router Anycast addressing results in a 10% increase in total discovered router addresses.

Partitioning the routable address space into /48 subnets creates a massive list of potential targets. This specific segmentation step resulted in approximately 15 billion potential targets for the scanning process.

This approach minimizes address-level duplication when compared against existing public measurement datasets. The method demonstrates less than 5% overlap against public traceroute measurements, ensuring unique infrastructure discovery.

The ability to discover hidden infrastructure suggests IPv6 deployment is deeper than previously mapped views. Current data indicates the potential existence of roughly 72 million routers across the global network.