This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/routing-wg@ripe.net/
[routing-wg] Frequently Asked Questions about 2000::/12 and related routing errors
- Previous message (by thread): [routing-wg] Weekly Global IPv4 Routing Table Report
- Next message (by thread): [routing-wg] Frequently Asked Questions about 2000::/12 and related routing errors
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Job Snijders
job at fastly.com
Thu Jul 7 12:36:55 CEST 2022
Dear all, Last night many people received "Resource Certification (RPKI)" alerts, which in turn caused my phone to light up with questions! :-) In the below message I'll attempt to provide an analysis of what happend and answer frequently asked questions. * What happened? * Has this happened before? * Why didn't RPKI Route Origin Validation (ROV) stop this? What happened? ============== As reported in the media (https://twitter.com/DougMadory/status/1544862409336184832) one Internet Service Provider announced to the world - through the BGP protocol - that all Internet Protocol addresses contained within 2000::/12 were reachable via them. This was a routing error, an error condition which triggered various monitoring systems around the globe. Background: The BGP Default-Free Zone is composed of ~ 150,000 IPv6 networks originated from ~ 24,000 Autonomous Systems (ASes). The totality of this is what forms the IPv6 Internet. The majority of these networks have a prefix length in the range of /32 up to /48. Currently the world's largest IPv6 assignments (of which there are very few) are clocking in at /19. So, a /12 ("slash twelve") BGP announcement covers an exceptionally large number of IP addresses! This night's /12 BGP announcement covered such a large block of address space, it happened to overlap with about 21,292 existing networks originated by 3,697 ASes. For roughly 69% (14,695) of those networks RPKI ROAs had been created. About 10% (2,176) of those "RPKI ROA covered existing networks" is IPv6 space managed under the RIPE NCC umbrella. I imagine a few hundred operators received alerts from RIPE NCC with a suggestion to considering creating corresponding ROAs to make the 2000::/12 announcement valid; however no ISP can create such a ROA, because no single ISP is authoritative for the entirety of that block. :) Has this happened before? ========================= Yes. This type of routing error happens almost annually. Some time ago Tom Strickx reported an incident involving 2400::/12, a block which nowadays overlaps with more than 40,000 networks! (source: https://twitter.com/Jerome_UZ/status/1145136294835523584) If my memory serves me right, back in 2016 AS 1299 originated both 2000::/6 and 2000::/12, later that year AS 10026 also originated 2000::/12 for a bit. So... how exactly can this happen? I believe it is a mixture of user-interfaces with really sharp edges and permissive EBGP filters. Many router-to-router linknets are assigned a /127 [RFC 6164] or a /64 [RFC 7421], and loopback addresses generally are assigned a /128 (a single address). It's not hard to imagine that when copy+pasting or typing by hand, an operator fails to input the last digit (respectively a 7 in the case of /127, the 4 in /64, or the 8 in /128), resulting in a configuration with a /12 or a /6 as the prefix length. See these Cisco & Juniper terminal transcript examples for a demonstration of failing to correctly enter the last digit of "2001:67c:208c::/128" : https://chloe.sobornost.net/~job/slash-twelve.txt Why didn't RPKI ROV stop this? ============================== Creating RPKI ROAs and performing Route Origin Validation (ROV) on received BGP route announcements helps protect against mishaps with unauthorized "same-length" and "more-specific" announcements. ROV (by design) does nothing against unauthorized "larger overlapping" route announcements (such as 2000::/12). This is because the Internet's global routing system is based on the Longest Prefix Match (LPM) algorithm (see https://en.wikipedia.org/wiki/Longest_prefix_match) LPM means that as long as your certified address space is in the global routing table, a less-specific announcement (such as 2000::/12) is not very likely to draw IP traffic away from your network. In incidents like these the major impact seems to be that monitoring systems are triggered (which is appropriate!). I suspect there is virtually no impact to business operations (fortunately!). Questions welcome! Kind regards, Job
- Previous message (by thread): [routing-wg] Weekly Global IPv4 Routing Table Report
- Next message (by thread): [routing-wg] Frequently Asked Questions about 2000::/12 and related routing errors
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]