[routing-wg] Subject: RPKI ROA Deletion: Post-mortem
Clement Cavadore
clement at cavadore.net
Mon Apr 6 11:15:35 CEST 2020
Dear Job, all,

First, thanks to you and Andree for that e-mail and for that information.

On Sun, 2020-04-05 at 18:29 +0000, Job Snijders wrote:
>
> (...)
> If we take the intersection of Andree's list with the list of missing
> VRPs, we have the IP addresses that were affected by both the RIPE
> NCC RPKI Deletion incident and the Rostelecom BGP incident. The
> following 12 prefixes (4352 IP addresses):
>
> peer_count  start_time           alert_type          base_prefix      base_as  announced_prefix  src_AS  Affected_ASname  example_ASPath
> 49          2020-04-01 19:30:34  more_spec_by_other  91.195.240.0/23  47846    91.195.240.0/24   12389   SEDO-AS, DE      24751 20764 12389
> 12          2020-04-01 19:29:55  more_spec_by_other  62.122.168.0/21  50245    62.122.170.0/24   12389   SERVEREL-AS, NL  18356 38794 4651 4651 20764 12389
> 11          2020-04-01 19:30:34  more_spec_by_other  91.203.184.0/22  41064    91.203.187.0/24   12389   SKYROCK, FR      29430 13030 20764 12389
>
> (...)

It seems that I know at least one of those prefixes, as 91.203.187.0/24
is part of one of my customers' networks. That specific /24 out of all
their allocation is the one having the most of my customer's production
(a French MF Radio, which has its own streaming produced indoor, and
some other related online applications).

I would be quite surprised that it would have some significant traffic
within RU networks, but if we assume it's yet another BGP optimizer
leak, and since all those "BGP Optimizer blackbox" algorithms are quite
obscure, we cannot say. But, it wouldn't surprise me much if they would
optimize that specific one out of all AS41064's announcements.

> If we assume the generation & propagation of these hijacks was the
> result of operator error, I imagine the change could've been reverted
> almost immediately but we'd still see a bit of sloshing for a few
> minutes through the routing system. Or perhaps the 'waves' we can see
> in Oracle's 3D rendering of the incident are the effects of Maximum
> Prefix limits kicking in and various timers firing off at different
> times.
>
> Were these prefixes just unlucky because some BGP optimiser algorithm
> had chosen them for the purpose of traffic engineering? Was this the
> result of sophisticated planning? In any case, I can't judge the
> impact this routing incident had on the three above listed ASNs. I
> don't know what the victim IPs are used for.

As I said earlier: We didn't really notice any drop within AS41064's
network statistics. But since it's mostly FR and not RU traffic, this
could have been completely invisible for us.

Fortunately the leak was quite brief... it's just bad luck, indeed :(

Kind regards,
--
Clément Cavadore
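Added example, not part of the original message or thread: an RFC 6811 origin-validation check run over the three announcements in the quoted alert table, showing why the missing VRPs mattered to relying parties. The VRP list is constructed from the table's base_prefix and base_as columns; the maxLength values are an assumption, since the real ROAs are not shown in the thread.

```python
import ipaddress

# Constructed VRPs: (prefix, maxLength, origin AS). Prefix and AS come from
# the base_prefix/base_as columns quoted above; maxLength equal to the
# prefix length is an assumption, the real ROAs are not shown in the thread.
ASSUMED_VRPS = [
    ("91.195.240.0/23", 23, 47846),
    ("62.122.168.0/21", 21, 50245),
    ("91.203.184.0/22", 22, 41064),
]

# announced_prefix / src_AS columns from the quoted alert table.
ANNOUNCEMENTS = [
    ("91.195.240.0/24", 12389),
    ("62.122.170.0/24", 12389),
    ("91.203.187.0/24", 12389),
]

def validate(prefix, origin_as, vrps):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_as in vrps:
        net = ipaddress.ip_network(vrp_prefix)
        # A VRP covers the route when the route lies inside the VRP prefix.
        if route.version != net.version or not route.subnet_of(net):
            continue
        covered = True
        # It matches only if the length is within maxLength and the AS agrees.
        if route.prefixlen <= max_len and origin_as == vrp_as:
            return "valid"
    return "invalid" if covered else "not-found"

def compare(announcements, vrps_before, vrps_after):
    """Validation state of each announcement with and without the VRPs."""
    return [(p, a, validate(p, a, vrps_before), validate(p, a, vrps_after))
            for p, a in announcements]

if __name__ == "__main__":
    # An empty list models the window in which the VRPs were missing.
    for row in compare(ANNOUNCEMENTS, ASSUMED_VRPS, []):
        print("%-18s AS%-6d with VRP: %-9s VRP deleted: %s" % row)
```

With the assumed VRPs in place each more-specific is invalid and a network doing origin validation can reject it; with them gone the same routes are not-found and are typically accepted.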