This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[routing-wg] Frequently Asked Questions about 2000::/12 and related routing errors
- Previous message (by thread): [routing-wg] Weekly Global IPv4 Routing Table Report
- Next message (by thread): [routing-wg] Frequently Asked Questions about 2000::/12 and related routing errors
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Job Snijders
job at fastly.com
Thu Jul 7 12:36:55 CEST 2022
Dear all,

Last night many people received "Resource Certification (RPKI)" alerts, which in turn caused my phone to light up with questions! :-)

In the below message I'll attempt to provide an analysis of what happened and answer frequently asked questions.

* What happened?
* Has this happened before?
* Why didn't RPKI Route Origin Validation (ROV) stop this?

What happened?
==============

As reported in the media (https://twitter.com/DougMadory/status/1544862409336184832) one Internet Service Provider announced to the world - through the BGP protocol - that all Internet Protocol addresses contained within 2000::/12 were reachable via them. This was a routing error, an error condition which triggered various monitoring systems around the globe.

Background: The BGP Default-Free Zone is composed of ~ 150,000 IPv6 networks originated from ~ 24,000 Autonomous Systems (ASes). The totality of this is what forms the IPv6 Internet. The majority of these networks have a prefix length in the range of /32 up to /48. Currently the world's largest IPv6 assignments (of which there are very few) are clocking in at /19. So, a /12 ("slash twelve") BGP announcement covers an exceptionally large number of IP addresses!

This night's /12 BGP announcement covered such a large block of address space, it happened to overlap with about 21,292 existing networks originated by 3,697 ASes. For roughly 69% (14,695) of those networks RPKI ROAs had been created. About 10% (2,176) of those "RPKI ROA covered existing networks" is IPv6 space managed under the RIPE NCC umbrella.

I imagine a few hundred operators received alerts from RIPE NCC with a suggestion to consider creating corresponding ROAs to make the 2000::/12 announcement valid; however no ISP can create such a ROA, because no single ISP is authoritative for the entirety of that block. :)

Has this happened before?
=========================

Yes. This type of routing error happens almost annually.

Some time ago Tom Strickx reported an incident involving 2400::/12, a block which nowadays overlaps with more than 40,000 networks! (source: https://twitter.com/Jerome_UZ/status/1145136294835523584)

If my memory serves me right, back in 2016 AS 1299 originated both 2000::/6 and 2000::/12, later that year AS 10026 also originated 2000::/12 for a bit.

So... how exactly can this happen? I believe it is a mixture of user-interfaces with really sharp edges and permissive EBGP filters.

Many router-to-router linknets are assigned a /127 [RFC 6164] or a /64 [RFC 7421], and loopback addresses generally are assigned a /128 (a single address). It's not hard to imagine that when copy+pasting or typing by hand, an operator fails to input the last digit (respectively a 7 in the case of /127, the 4 in /64, or the 8 in /128), resulting in a configuration with a /12 or a /6 as the prefix length.

See these Cisco & Juniper terminal transcript examples for a demonstration of failing to correctly enter the last digit of "2001:67c:208c::/128" : https://chloe.sobornost.net/~job/slash-twelve.txt

Why didn't RPKI ROV stop this?
==============================

Creating RPKI ROAs and performing Route Origin Validation (ROV) on received BGP route announcements helps protect against mishaps with unauthorized "same-length" and "more-specific" announcements. ROV (by design) does nothing against unauthorized "larger overlapping" route announcements (such as 2000::/12).

This is because the Internet's global routing system is based on the Longest Prefix Match (LPM) algorithm (see https://en.wikipedia.org/wiki/Longest_prefix_match)

LPM means that as long as your certified address space is in the global routing table, a less-specific announcement (such as 2000::/12) is not very likely to draw IP traffic away from your network.

In incidents like these the major impact seems to be that monitoring systems are triggered (which is appropriate!). I suspect there is virtually no impact to business operations (fortunately!).

Questions welcome!

Kind regards,

Job
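The three mechanisms Job's message describes (a lost last digit in a prefix length, RFC 6811 Route Origin Validation, and Longest Prefix Match forwarding) are easy to model in a few lines. The block below is an added example, not code from the message, from RIPE NCC or from any router vendor. The routing table and ROAs are constructed from 2001:db8::/32 documentation space and private-use ASNs (64496, 64499, 64500); the /16 and /48 bounds in the inbound filter are a common operator convention assumed here, not something the message specifies.

```python
"""Toy model of the fat-finger, ROV and LPM behaviour discussed in the message."""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, int]       # (prefix, origin AS)
Roa = Tuple[str, int, int]    # (prefix, maxLength, authorised AS)

# Constructed sample data (documentation space, private-use ASNs), not real routes.
ROAS: List[Roa] = [
    ("2001:db8:1::/48", 48, 64500),
]

RIB: List[Route] = [
    ("2001:db8:1::/48", 64500),   # legitimate, ROA-covered network
    ("2000::/12", 64496),         # the fat-fingered covering announcement
]


def lost_last_digit(prefix: str) -> str:
    """What an operator gets when the final digit of the prefix length is dropped.

    strict=False lets ipaddress zero the host bits, exactly as a router would
    install the resulting /12 or /6 covering route.
    """
    addr, _, plen = prefix.partition("/")
    return str(ipaddress.ip_network(f"{addr}/{plen[:-1]}", strict=False))


def rov_state(prefix: str, origin_as: int, roas: List[Roa]) -> str:
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'.

    A ROA only covers routes that sit inside the ROA prefix, so a less-specific
    announcement such as 2000::/12 is 'not-found' no matter how many ROAs exist
    for the networks it overlaps.
    """
    route = ipaddress.ip_network(prefix)
    covering = []
    for p, maxlen, asn in roas:
        roa_net = ipaddress.ip_network(p)
        if roa_net.version == route.version and route.subnet_of(roa_net):
            covering.append((maxlen, asn))
    if not covering:
        return "not-found"
    for maxlen, asn in covering:
        if asn == origin_as and route.prefixlen <= maxlen:
            return "valid"
    return "invalid"


def longest_prefix_match(rib: List[Route], dst: str) -> Optional[Route]:
    """Forwarding lookup: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    best_len = -1
    for prefix, asn in rib:
        net = ipaddress.ip_network(prefix)
        if net.version == addr.version and addr in net and net.prefixlen > best_len:
            best, best_len = (prefix, asn), net.prefixlen
    return best


def ebgp_prefix_length_ok(prefix: str, min_len: int = 16, max_len: int = 48) -> bool:
    """Inbound EBGP sanity filter (assumed /16../48 bounds for IPv6).

    This is the check that would have rejected a /12 or /6 at the peer's edge,
    where ROV cannot.
    """
    return min_len <= ipaddress.ip_network(prefix).prefixlen <= max_len


if __name__ == "__main__":
    print(lost_last_digit("2001:67c:208c::/128"))          # 2000::/12
    print(rov_state("2000::/12", 64496, ROAS))              # not-found
    print(rov_state("2001:db8:1:1::/64", 64499, ROAS))      # invalid
    print(longest_prefix_match(RIB, "2001:db8:1::1"))       # /48 still wins
    print(ebgp_prefix_length_ok("2000::/12"))               # False
```

Running it shows the two halves of the argument side by side: the /48 keeps attracting the traffic for its own addresses because LPM prefers it over the /12, and ROV returns not-found for the /12 because no ROA can cover a prefix larger than the space it was issued for, which is why a prefix-length filter on EBGP sessions is the control that actually catches this class of typo.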