Last week, Cloudflare Radar reported that nearly all of Iran’s IPv6 address space vanished from the global routing table, dropping the country’s IPv6 adoption rate from 15–20% to 2%.
Iran’s Internet has been in flux for some time, with most activity centering on its censorship efforts. Unsure if this was a result of these activities, either intentionally or mistakenly, we decided to investigate.
Why IPv6 adoption matters
Every second on the Internet, more than 100K Google searches are conducted, 50K YouTube videos are viewed, and 3.8M emails are sent! It’s a testament to the foundation and architecture of the Internet and the Web that these activities can happen easily and without fault.
One critical aspect of this architecture is Internet Protocol (IP) addresses, unique identifiers that allow computers and other connected devices to recognize and communicate with one another. The original version of IP (IPv4) only had four billion addresses, so a new version was developed (IPv6) that has 340 trillion, trillion, trillion addresses, enough to connect all the future things.
Internet Society Pulse presents measurements of IPv6 adoption to raise awareness of the uptake of IPv6 globally and in different countries and networks. IPv6 adoption provides insight into the future sustainability and resilience of the Internet. Currently, the global adoption of IPv6 is 38%, with India leading the way at 72%!
Like the graph above, the adoption rates for most countries have been constant, up and to the right, with some significant increases along the way, thanks to large operators in countries making IPv6 active on their networks. Sometimes, though, we witness substantial drops, like those in Iran, which consistently capture our attention and get us thinking, why?
Before we Jump to Conclusions
First, let’s go back a few days and check where things were before the issue.
According to RIPEstat, before the incident, around 300 IPv6 routes originated from networks with country code IR (Iran).
Based on RouteViews MRT dumps from 19 May 2024 at 8:00 UTC, 293 unique IPv6 routes originated from 123 networks (Autonomous System Numbers, ASNs) based in Iran.
If we map the relationships between these networks, we see that a few of them dominate in providing IPv6 transit services to the rest.
ASN | Company name | Number of transit connections it provides over IPv6 |
43754 | ASIATECH | 30 |
42337 | RESPINA-AS | 20 |
49100 | IR-THR-PTE | 13 |
49666 | TIC-GW-AS | 10 |
31549 | RASANA | 8 |
This lack of diversity is captured in Iran’s Pulse Internet Resiliency Index profile (Figure 3), where ‘Upstream redundancy’ is at 7%.
When most routes disappeared on 19 May, the routes listed in Table 1 remained in the global routing table. The situation remained this way for almost 48 hours before more routes returned.
ASN | Prefix | AS Description (TeamCymru) |
6736 | 2001:14e8:1::/48 | IRANET-IPM Institute for Research in Fundamental Sciences IPM, IR |
6736 | 2001:14e8::/32 | IRANET-IPM Institute for Research in Fundamental Sciences IPM, IR |
6736 | 2001:678:b0::/46 | IRANET-IPM Institute for Research in Fundamental Sciences IPM, IR |
39200 | 2001:678:b0::/48 | IRNICANYCAST-AS, IR |
35285 | 2001:678:b1::/48 | IRNIC-AS, IR |
60423 | 2a04:2f00:d::/48 | DERAK-CLOUD-PJSC, IR |
60423 | 2a04:2f00:e::/48 | DERAK-CLOUD-PJSC, IR |
60423 | 2a04:2f00:ff01::/48 | DERAK-CLOUD-PJSC, IR |
60423 | 2a04:2f00:ff02::/48 | DERAK-CLOUD-PJSC, IR |
60423 | 2a04:2f00:ff06::/48 | DERAK-CLOUD-PJSC, IR |
60423 | 2a04:2f00:ff08::/48 | DERAK-CLOUD-PJSC, IR |
60423 | 2a04:2f00:ff09::/48 | DERAK-CLOUD-PJSC, IR |
58192 | 2a05:2580::/30 | DDOS-PROTECTION-GAJNET, IR |
201691 | 2a05:cd00::/32 | WEIDE, IR |
205415 | 2a0a:3c44::/32 | HOSSEINASHRAFSEMNANI, IR |
216110 | 2a0e:97c1:8a27::/48 | SOREN, IR |
215154 | 2a0f:85c1:3b1::/48 | FARDINNETWORK, IR |
212248 | 2a10:ccc1:108::/48 | AB, IR |
200436 | 2a10:ccc1:109::/48 | TEHRANGAMING-COM, IR |
58192 | 2a13:5e40::/29 | DDOS-PROTECTION-GAJNET, IR |
58192 | 2a13:6340::/29 | DDOS-PROTECTION-GAJNET, IR |
58192 | 2a13:6fc0::/29 | DDOS-PROTECTION-GAJNET, IR |
Note that none of the top five connectivity ASNs from Table 1 are listed, which means the networks providing the most connections disappeared, while the ones listed above were never impacted.
Why were these not stopped?
The answer is not entirely clear. However, according to Hurricane Electric’s Domain Name System (DNS) report for the .ir country code top-level domain (ccTLD), the name server (NS) of nic.ir is on one of these networks.
These DNS servers are still resolving their correct AAAA (IPv6) entries:
% dig +short b.nic.ir aaaa
2001:678:b1:0:193:189:122:83
% dig +short b.nic.ir aaaa
2001:678:b1:0:193:189:122:83
% dig +short d.nic.ir aaaa
2001:14e8:c:0:194:225:70:83
It is clear that these routes were allowed to ensure that the .ir DNS server works properly.
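An added example (not part of the original analysis) that checks this observation: it runs a longest-prefix match of the AAAA answers from the dig output against rows copied from the table of surviving routes. The function names are illustrative.

```python
import ipaddress

# (origin ASN, prefix) rows copied from the table of surviving routes above (subset).
SURVIVING = [
    (6736, "2001:14e8:1::/48"), (6736, "2001:14e8::/32"),
    (6736, "2001:678:b0::/46"), (39200, "2001:678:b0::/48"),
    (35285, "2001:678:b1::/48"), (60423, "2a04:2f00:d::/48"),
    (58192, "2a05:2580::/30"),
]
# AAAA answers taken from the dig output above.
NAMESERVERS = {"b.nic.ir": "2001:678:b1:0:193:189:122:83",
               "d.nic.ir": "2001:14e8:c:0:194:225:70:83"}

def covering_routes(addr, table):
    """Return every route in table that covers addr, most specific first."""
    ip = ipaddress.ip_address(addr)
    hits = [(ipaddress.ip_network(prefix), asn) for asn, prefix in table
            if ip in ipaddress.ip_network(prefix)]
    return sorted(hits, key=lambda hit: hit[0].prefixlen, reverse=True)

def reachability(nameservers, table):
    """Map each name server to (best prefix, origin ASN, number of covering
    routes), or to None when no route in table covers its address."""
    result = {}
    for name, addr in nameservers.items():
        hits = covering_routes(addr, table)
        result[name] = (str(hits[0][0]), hits[0][1], len(hits)) if hits else None
    return result

if __name__ == "__main__":
    for name, best in reachability(NAMESERVERS, SURVIVING).items():
        print(name, best)
```

Removing the AS35285 /48 from the list still leaves b.nic.ir covered by the /46 originated by AS6736.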
According to Tranco’s top 1 million domains (websites) list, approximately 16,000 domains belong to the .ir ccTLD. WHOIS lookup results indicate that none of these domains have AAAA records, meaning they are not associated with IPv6 addresses. This contrasts with the Hurricane Electric Domain Name System (DNS) report, which shows more than 38,000 AAAA entries but only covers some of the country’s most visited websites.
Figure 6 shows Iran’s top five networks (ASes) based on Internet traffic.
If we look at the IPv6 measurement done by APNIC Labs (Figure 7), most samples are from AS197207.
AS197207 announced 21 IPv6 routes until around 19 May 15:30 UTC, when they all stopped and remained missing from the global routing table for more than 48 hours. The drop in IPv6 traffic from this network is very visible via both APNIC Labs (Figure 8) and Cloudflare Radar (Figure 9) measurements.
It’s also interesting that AS197207 has only one upstream provider for IPv6 traffic — AS49666 (Telecommunication Infrastructure Company). Just before it stopped advertising its IPv6 routes, AS49666 started prepending its own AS multiple times for AS197207 announcements, as shown in Figure 10, which shows route dumps from RouteViews.
There’s nothing suspicious about this, and AS49666 used to do it with many other downstream networks as well, as visible from the RouteViews dumps below from 18 May 2024 (Figure 11).
Since seemingly recovering from its IPv6 outage, AS49666 hasn’t done any prepend to any of its downstream customers. This could be a benign change in operational practice.
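The route-dump analysis described in this post (routes per origin, which networks provide transit, single-upstream origins, and AS-path prepending) can be reproduced along the following lines. This is an added example, not the tooling used for the post: the input lines are constructed in the pipe-delimited one-line format printed by `bgpdump -m`, and counting distinct downstream origins per direct upstream is one assumed way to derive "transit connections".

```python
from collections import Counter, defaultdict
from itertools import groupby

# Constructed sample in the pipe-delimited one-line format printed by `bgpdump -m`.
# Prefixes are documentation space; 64496-64511 are documentation ASNs.
SAMPLE = """\
TABLE_DUMP2|1716105600|B|2001:db8:ffff::1|64496|2001:db8:a::/48|64496 49666 49666 49666 197207|IGP
TABLE_DUMP2|1716105600|B|2001:db8:ffff::2|64497|2001:db8:a::/48|64497 64500 49666 49666 197207|IGP
TABLE_DUMP2|1716105600|B|2001:db8:ffff::1|64496|2001:db8:b::/48|64496 43754 64510|IGP
TABLE_DUMP2|1716105600|B|2001:db8:ffff::2|64497|2001:db8:b::/48|64497 42337 64510|IGP
TABLE_DUMP2|1716105600|B|2001:db8:ffff::1|64496|2001:db8:c::/48|64496 43754 64511 64511|IGP
TABLE_DUMP2|1716105600|B|192.0.2.1|64496|198.51.100.0/24|64496 49666 197207|IGP
"""

def analyse(dump):
    """Summarise IPv6 origins, their direct upstreams, and AS-path prepending."""
    routes = defaultdict(set)     # origin ASN -> IPv6 prefixes it originates
    upstreams = defaultdict(set)  # origin ASN -> ASNs directly upstream of it
    prepends = {}                 # (prepending ASN, origin ASN) -> max extra copies
    for line in dump.splitlines():
        fields = line.split("|")
        if len(fields) < 7 or ":" not in fields[5]:
            continue              # malformed line or IPv4 prefix
        # AS_SET members ({...}) are ignored; a run of one ASN is a prepend.
        runs = [(int(a), len(list(g)))
                for a, g in groupby(t for t in fields[6].split() if t.isdigit())]
        if not runs:
            continue
        origin = runs[-1][0]
        routes[origin].add(fields[5])
        if len(runs) > 1:
            upstreams[origin].add(runs[-2][0])
        for asn, count in runs:
            if count > 1:
                key = (asn, origin)
                prepends[key] = max(prepends.get(key, 0), count - 1)
    return {
        "routes": {o: len(p) for o, p in routes.items()},
        # Distinct downstream origins served by each direct upstream.
        "transit": Counter(u for ups in upstreams.values() for u in ups),
        "single_homed": sorted(o for o, u in upstreams.items() if len(u) == 1),
        "prepends": prepends,
    }

if __name__ == "__main__":
    for name, value in analyse(SAMPLE).items():
        print(name, dict(value))if isinstance(value, dict) else print(name, value)
```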
Even though AS197207 has resumed advertising all the IPv6 routes it was announcing before 19 May, other networks have not yet restored their IPv6 routes. Additionally, traffic patterns reported by Cloudflare Radar indicate that AS197207 still prefers IPv4 over IPv6, with 100% of traffic favoring IPv4. The total count of IPv6 routes originating from Iran is three times lower than before 19 May. Currently, only 78 IPv6 routes are visible in the global routing table.
The Answer is Still Unclear
It remains to be seen why IPv6 routes were abruptly withdrawn from most networks in the country, leaving only a few selected routes untouched. After a few days, some of these routes reappeared, but not all.
Speculation about potential censorship arises, but there is no apparent correlation with Open Observatory of Network Interference (OONI) data. Although the country’s IPv6 adoption rate is low, it has doubled in the last two months.
This rapid increase might have triggered issues related to censorship or content filtering, practices that have been aggressively implemented in Iran in the past. However, this remains speculative without concrete information.
It’s important to note that IPv6, in the absence of sufficient IPv4 address space, is fundamental for the growth of the Internet globally. Restricting the growth of any protocol, including IPv6, ultimately hinders the expansion and development of the Internet in the country.
If you have more insights or details, please share them with us.