Dear all,

Last night many people received "Resource Certification (RPKI)" alerts, which in turn caused my phone to light up with questions! :-) In the below message I'll attempt to provide an analysis of what happened and answer frequently asked questions.

* What happened?
* Has this happened before?
* Why didn't RPKI Route Origin Validation (ROV) stop this?

What happened?
==============

As reported in the media (https://twitter.com/DougMadory/status/1544862409336184832) one Internet Service Provider announced to the world - through the BGP protocol - that all Internet Protocol addresses contained within 2000::/12 were reachable via them. This was a routing error, an error condition which triggered various monitoring systems around the globe.

Background: The BGP Default-Free Zone is composed of ~ 150,000 IPv6 networks originated from ~ 24,000 Autonomous Systems (ASes). The totality of this is what forms the IPv6 Internet. The majority of these networks have a prefix length in the range of /32 up to /48. Currently the world's largest IPv6 assignments (of which there are very few) are clocking in at /19. So, a /12 ("slash twelve") BGP announcement covers an exceptionally large number of IP addresses!

This night's /12 BGP announcement covered such a large block of address space that it happened to overlap with about 21,292 existing networks originated by 3,697 ASes. For roughly 69% (14,695) of those networks RPKI ROAs had been created. About 10% (2,176) of those "RPKI ROA covered existing networks" is IPv6 space managed under the RIPE NCC umbrella.

I imagine a few hundred operators received alerts from RIPE NCC with a suggestion to consider creating corresponding ROAs to make the 2000::/12 announcement valid; however no ISP can create such a ROA, because no single ISP is authoritative for the entirety of that block. :)

Has this happened before?
=========================

Yes. This type of routing error happens almost annually.
Some time ago Tom Strickx reported an incident involving 2400::/12, a block which nowadays overlaps with more than 40,000 networks! (source: https://twitter.com/Jerome_UZ/status/1145136294835523584)

If my memory serves me right, back in 2016 AS 1299 originated both 2000::/6 and 2000::/12, and later that year AS 10026 also originated 2000::/12 for a bit.

So... how exactly can this happen? I believe it is a mixture of user-interfaces with really sharp edges and permissive EBGP filters. Many router-to-router linknets are assigned a /127 [RFC 6164] or a /64 [RFC 7421], and loopback addresses generally are assigned a /128 (a single address). It's not hard to imagine that when copy+pasting or typing by hand, an operator fails to input the last digit (respectively the 7 in the case of /127, the 4 in /64, or the 8 in /128), resulting in a configuration with a /12 or a /6 as the prefix length.

See these Cisco & Juniper terminal transcript examples for a demonstration of failing to correctly enter the last digit of "2001:67c:208c::/128": https://chloe.sobornost.net/~job/slash-twelve.txt

Why didn't RPKI ROV stop this?
==============================

Creating RPKI ROAs and performing Route Origin Validation (ROV) on received BGP route announcements helps protect against mishaps with unauthorized "same-length" and "more-specific" announcements. ROV (by design) does nothing against unauthorized "larger overlapping" route announcements (such as 2000::/12). This is because the Internet's global routing system is based on the Longest Prefix Match (LPM) algorithm (see https://en.wikipedia.org/wiki/Longest_prefix_match).

LPM means that as long as your certified address space is in the global routing table, a less-specific announcement (such as 2000::/12) is not very likely to draw IP traffic away from your network. In incidents like these the major impact seems to be that monitoring systems are triggered (which is appropriate!).
I suspect there is virtually no impact to business operations (fortunately!).

Questions welcome!

Kind regards,

Job
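To make the three technical points of the message concrete (the overlap count behind the alerts, the dropped-digit prefix length that permissive EBGP filters let through, and why ROV classifies the /12 as "NotFound" while Longest Prefix Match keeps traffic on the more-specific routes), here is an added Python example. It is not code from the original message, from RIPE NCC or from any router vendor. The ROAs, the routes, the AS numbers (taken from the RFC 5398 documentation range) and the /16 to /48 prefix-length policy bounds are all constructed assumptions; only 2000::/12 itself comes from the incident.

```python
import ipaddress

# Constructed sample data, not taken from any real routing table. 2000::/12 is
# the announcement from the incident; the customer networks live in the
# 2001:db8::/32 documentation block and the AS numbers come from the RFC 5398
# documentation range (64496-64511), so none of them belong to a real operator.
ROAS = [
    # (prefix, authorised origin AS, maxLength)
    ("2001:db8::/32", 64496, 32),
    ("2001:db8:1::/48", 64497, 48),
]

ROUTES = [
    # (announced prefix, origin AS) as received over eBGP
    ("2001:db8::/32", 64496),
    ("2001:db8:1::/48", 64497),
    ("2001:db8:1::/48", 64511),   # same-length announcement from an unauthorised AS
    ("2000::/12", 64500),         # the less-specific "dropped digit" announcement
]

# Assumed import-policy bounds for IPv6 unicast: anything shorter than a /16
# or longer than a /48 is treated as a configuration error rather than a route.
MIN_LEN, MAX_LEN = 16, 48


def prefix_length_check(prefix, min_len=MIN_LEN, max_len=MAX_LEN):
    """Sanity filter that catches the dropped-digit case (/127 typed as /12)."""
    plen = ipaddress.ip_network(prefix).prefixlen
    if plen < min_len:
        return "reject-too-short"
    if plen > max_len:
        return "reject-too-long"
    return "accept"


def rov_state(prefix, origin_as, roas=ROAS):
    """RFC 6811 origin validation: Valid, Invalid or NotFound for one route."""
    net = ipaddress.ip_network(prefix)
    covering = [(asn, maxlen) for p, asn, maxlen in roas
                if net.subnet_of(ipaddress.ip_network(p))]
    if not covering:
        # No ROA covers the announcement at all, so ROV has nothing to say about it.
        return "NotFound"
    for asn, maxlen in covering:
        if asn == origin_as and net.prefixlen <= maxlen:
            return "Valid"
    return "Invalid"


def accepted_routes(routes):
    """Apply both checks the way an eBGP import policy would."""
    return [(p, asn) for p, asn in routes
            if prefix_length_check(p) == "accept" and rov_state(p, asn) != "Invalid"]


def lpm(dest, routes):
    """Longest prefix match: the most specific route covering dest wins."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, asn in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return (str(best[0]), best[1]) if best else None


def covered_by(announcement, routes):
    """Existing more-specific routes the announcement overlaps (what monitoring alerts on)."""
    big = ipaddress.ip_network(announcement)
    hits = {ipaddress.ip_network(p) for p, _ in routes
            if ipaddress.ip_network(p) != big and ipaddress.ip_network(p).subnet_of(big)}
    return [str(n) for n in sorted(hits)]


if __name__ == "__main__":
    for p, asn in ROUTES:
        print(f"{p:18} AS{asn}  {prefix_length_check(p):18} {rov_state(p, asn)}")
    print("routes overlapped by 2000::/12:", covered_by("2000::/12", ROUTES))
    print("unfiltered LPM for 2001:db8:1::1:", lpm("2001:db8:1::1", ROUTES))
    print("filtered LPM for 2000::1:", lpm("2000::1", accepted_routes(ROUTES)))
```

Running it shows the asymmetry the message describes: the unauthorised same-length /48 comes out "Invalid" and is dropped by ROV, while 2000::/12 is merely "NotFound" because no ROA can cover it, so only the prefix-length sanity check rejects it. Even when the /12 is accepted, LPM still sends 2001:db8:1::1 to the /48, and the /12 only attracts traffic for addresses that nobody else announces.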