Re: AS3356 Announcing 2000::/12

2022-12-13 Thread Job Snijders via NANOG
The Internet delivers when we need it the most! :-)

https://is2000slash12announcedagain.com/

Props to Ben Cartwright-Cox


Re: AS3356 Announcing 2000::/12

2022-12-10 Thread Geoff Huston


> On 10 Dec 2022, at 11:24 am, Matthew Petach  wrote:
> 
> 
> 
> As I said--I'm probably being overly paranoid, but I can't help but 
> wonder what packets such a collector might see, if left to run for a 
> week or two... ^_^;
> 


A decade ago it looked like this…

https://www.potaroo.net/presentations/2012-05-15-ipv6-background-radiation.pdf

Geoff




Re: AS3356 Announcing 2000::/12

2022-12-09 Thread Matthew Petach
On Thu, Dec 8, 2022 at 9:35 AM Randy Bush  wrote:

> while i think the announcement is, shall we say, embarrassing, i do not
> see how it would be damaging.  real/correct announcements would be for
> longer prefixes, yes?
>
> randy
>


 Putting on a probably-overly-paranoid hat for a moment...

If I announce 2000::/12, seemingly as an innocent error,
it won't break most people's routing, and is likely to be simply
chalked up as a copy-paste error, or other human "oops".

But if I happen to be running a promiscuous packet capture
on a box that the "erroneous" routing table entry ultimately
resolves to, I warrant there's a certain amount of legitimate
packet streams I could collect here and there, any time a
router processes a WITHDRAW update message for a more
specific prefix within the range, before a new ANNOUNCE
update message is processed.

I'm not going to get a great deal of information, as most
simple prefix updates happen within the same update
message; but during periods of higher internal churn in a
network, you may have brief periods during which the more
specific route is withdrawn before being re-announced, during
which I'd be able to harvest packets destined for other networks.

As I said--I'm probably being overly paranoid, but I can't help but
wonder what packets such a collector might see, if left to run for a
week or two... ^_^;

Thanks!

Matt
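
The withdraw-then-re-announce window described in the message above, as an added example that is not part of the original thread: a longest-prefix-match table is replayed through a constructed update sequence, with and without the covering 2000::/12. The next-hop names `peer-A` and `peer-B` and the 2001:db8::/32 more-specific are assumptions for illustration.

```python
import ipaddress

def best_route(rib, dst):
    """Longest-prefix match over rib ({network: next_hop}); None if unrouted."""
    addr = ipaddress.ip_address(dst)
    hits = [net for net in rib if addr in net]
    if not hits:
        return None
    best = max(hits, key=lambda net: net.prefixlen)
    return str(best), rib[best]

# Constructed update sequence: the aggregate arrives, then a more-specific
# is announced, withdrawn in one UPDATE and re-announced in a later one.
UPDATES = [
    ("announce", "2000::/12", "peer-A"),      # covering aggregate
    ("announce", "2001:db8::/32", "peer-B"),  # legitimate more-specific
    ("withdraw", "2001:db8::/32", None),      # churn: withdrawn first...
    ("announce", "2001:db8::/32", "peer-B"),  # ...re-announced afterwards
]

def replay(updates, dst, ignore=None):
    """Apply updates in order; record the route chosen for dst after each."""
    rib, trace = {}, []
    for kind, prefix, next_hop in updates:
        if prefix == ignore:  # model a router that filtered this prefix
            continue
        net = ipaddress.ip_network(prefix)
        if kind == "announce":
            rib[net] = next_hop
        else:
            rib.pop(net, None)
        trace.append(best_route(rib, dst))
    return trace

if __name__ == "__main__":
    for step in replay(UPDATES, "2001:db8::1"):
        print("with aggregate:   ", step)
    for step in replay(UPDATES, "2001:db8::1", ignore="2000::/12"):
        print("without aggregate:", step)
```

With the aggregate present, the destination is forwarded towards `peer-A` during the gap; without it, the destination is simply unreachable until the more-specific returns.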


Re: AS3356 Announcing 2000::/12

2022-12-09 Thread Randy Bush
> I know of a few people in a Discord that filter out anything bigger
> than /16 routes, would this be wise to implement as a best practice?

once upon a time, a very large provider took two /8s and announced as a
/7.  a vendor who thought a /8 was as short as they would ever see had
routers fall over in a receiving large provider.

do not hard code social theories.  remember 640k.

randy


RE: AS3356 Announcing 2000::/12

2022-12-09 Thread Ryan Hamel
I know of a few people in a Discord that filter out anything bigger than /16 
routes, would this be wise to implement as a best practice?

 

From: Warren Kumari  
Sent: Friday, December 9, 2022 9:13 AM
To: Job Snijders 
Cc: r...@rkhtech.org; North American Network Operators' Group 
Subject: Re: AS3356 Announcing 2000::/12

On Thu, Dec 8 2022 at 12:38 PM, Job Snijders wrote:

Hi all,

On Wed, Dec 07, 2022 at 08:24:54PM -0800, Ryan Hamel wrote:

AS3356 has been announcing 2000::/12 for about 3 hours now, an aggregate 
covering over 23K prefixes (just over 25%) of the IPv6 DFZ.

A few months ago I wrote: "Frequently Asked Questions about 2000::/12 and 
related routing errors":

https://www.ripe.net/ripe/mail/archives/routing-wg/2022-July/004588.html

 

Oh, that's a nice write-up. I must admit that it didn't occur to me that e.g. 
2000::/12 was likely something much more specific, but that someone missed the 
(probably) 6, 7, or 8 at the end, even though I've done this a few times myself…

 

W

Kind regards,

Job

 



Re: AS3356 Announcing 2000::/12

2022-12-09 Thread Warren Kumari
On Thu, Dec 8 2022 at 12:38 PM, Job Snijders  wrote:

> Hi all,
>
> On Wed, Dec 07, 2022 at 08:24:54PM -0800, Ryan Hamel wrote:
>
> AS3356 has been announcing 2000::/12 for about 3 hours now, an aggregate
> covering over 23K prefixes (just over 25%) of the IPv6 DFZ.
>
> A few months ago I wrote: "Frequently Asked Questions about 2000::/12 and
> related routing errors":
>
> https://www.ripe.net/ripe/mail/archives/routing-wg/2022-July/004588.html
>

Oh, that's a nice write-up. I must admit that it didn't occur to me that
e.g. 2000::/12 was likely something much more specific, but that someone
missed the (probably) 6, 7, or 8 at the end, even though I've done this a
few times myself…

W




> Kind regards,
>
> Job
>


Re: AS3356 Announcing 2000::/12

2022-12-08 Thread Job Snijders via NANOG
Hi all,

On Wed, Dec 07, 2022 at 08:24:54PM -0800, Ryan Hamel wrote:
> AS3356 has been announcing 2000::/12 for about 3 hours now, an aggregate
> covering over 23K prefixes (just over 25%) of the IPv6 DFZ.

A few months ago I wrote: "Frequently Asked Questions about 2000::/12
and related routing errors":

https://www.ripe.net/ripe/mail/archives/routing-wg/2022-July/004588.html

Kind regards,

Job


Re: AS3356 Announcing 2000::/12

2022-12-08 Thread Randy Bush
while i think the announcement is, shall we say, embarrassing, i do not
see how it would be damaging.  real/correct announcements would be for
longer prefixes, yes?

randy


Re: AS3356 Announcing 2000::/12

2022-12-07 Thread Don Beal
That would be a nice start :-)

On Thu, Dec 8, 2022 at 6:45 AM Heasley  wrote:

>
>
> On 12/7/22 at 22:25, Don Beal wrote:
>
> 
> How can RPKI / OV prevent such a leak when there is no ROA for 2000::/12,
>
>
> If all ASes participated, no „unknowns“, unknowns could be dropped, ….
>


Re: AS3356 Announcing 2000::/12

2022-12-07 Thread Christopher Morrow
On Thu, Dec 8, 2022 at 1:45 AM Heasley  wrote:
>
>
>
> On 12/7/22 at 22:25, Don Beal wrote:
>
> 
> How can RPKI / OV prevent such a leak when there is no ROA for 2000::/12,
>
>
> If all ASes participated, no „unknowns“, unknowns could be dropped, ….
>

yea that might be a tad dangerous today :(
and don's right :( unknown is hard today :( (darn you don for being
practical! :) )

crud.. but iRR filters! :)


> what would 6762|2914|174|* invalidate against? Until a future where 
> everything is 'valid', RPKI is unable to pare out less-specific conflicts.
>
> It does look like 3356 pulled the announcement, which is good.
>
>
> On Thu, Dec 8, 2022 at 4:48 AM Christopher Morrow  
> wrote:
>>
>> On Wed, Dec 7, 2022 at 11:25 PM Ryan Hamel  wrote:
>> >
>> > AS3356 has been announcing 2000::/12 for about 3 hours now, an aggregate 
>> > covering over 23K prefixes (just over 25%) of the IPv6 DFZ.
>> >
>> >
>>
>> interesting that this is leaking outside supposed RPKI OV boundaries as well.
>> For example:
>>   6762 3356
>>   2914 3356
>>   174 3356 (apologies to 174, I forget if they signed up to the 'doin
>> ov now' plan)


Re: AS3356 Announcing 2000::/12

2022-12-07 Thread Heasley
On 12/7/22 at 22:25, Don Beal wrote:

> How can RPKI / OV prevent such a leak when there is no ROA for 2000::/12,

If all ASes participated, no „unknowns“, unknowns could be dropped, ….

> what would 6762|2914|174|* invalidate against? Until a future where
> everything is 'valid', RPKI is unable to pare out less-specific conflicts.
>
> It does look like 3356 pulled the announcement, which is good.
>
> On Thu, Dec 8, 2022 at 4:48 AM Christopher Morrow wrote:
>>
>> On Wed, Dec 7, 2022 at 11:25 PM Ryan Hamel wrote:
>> >
>> > AS3356 has been announcing 2000::/12 for about 3 hours now, an aggregate
>> > covering over 23K prefixes (just over 25%) of the IPv6 DFZ.
>> >
>>
>> interesting that this is leaking outside supposed RPKI OV boundaries as well.
>> For example:
>>   6762 3356
>>   2914 3356
>>   174 3356 (apologies to 174, I forget if they signed up to the 'doin
>> ov now' plan)



Re: AS3356 Announcing 2000::/12

2022-12-07 Thread Don Beal
How can RPKI / OV prevent such a leak when there is no ROA for 2000::/12,
what would 6762|2914|174|* invalidate against? Until a future where
everything is 'valid', RPKI is unable to pare out less-specific conflicts.

It does look like 3356 pulled the announcement, which is good.


On Thu, Dec 8, 2022 at 4:48 AM Christopher Morrow 
wrote:

> On Wed, Dec 7, 2022 at 11:25 PM Ryan Hamel 
> wrote:
> >
> > AS3356 has been announcing 2000::/12 for about 3 hours now, an aggregate
> > covering over 23K prefixes (just over 25%) of the IPv6 DFZ.
> >
> >
>
> interesting that this is leaking outside supposed RPKI OV boundaries as
> well.
> For example:
>   6762 3356
>   2914 3356
>   174 3356 (apologies to 174, I forget if they signed up to the 'doin
> ov now' plan)
>
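
The point made in the message above, as an added example that is not part of the original thread: RFC 6811 origin validation run over a small constructed table, showing that 2000::/12 comes out NotFound and what changes if NotFound is dropped. The VRPs, the documentation prefixes and the AS numbers other than 3356 are assumptions for illustration, not real ROA data.

```python
import ipaddress

# Constructed VRPs (prefix, max length, origin AS) using documentation
# prefixes and ASNs; these are not real ROA data.
VRPS = [
    ("2001:db8::/32", 48, 64496),
    ("2001:db8:a000::/36", 36, 64497),
]

def validate(route, origin_as, vrps=VRPS):
    """RFC 6811 origin validation state for one announcement."""
    net = ipaddress.ip_network(route)
    covered = False
    for prefix, max_len, asn in vrps:
        vrp = ipaddress.ip_network(prefix)
        # A VRP covers a route only if the VRP prefix is equal to or
        # shorter than the route prefix and contains it. A more-specific
        # VRP never covers a less-specific route such as 2000::/12.
        if vrp.prefixlen <= net.prefixlen and net.subnet_of(vrp):
            covered = True
            if asn == origin_as and net.prefixlen <= max_len:
                return "Valid"
    return "Invalid" if covered else "NotFound"

def accepted(routes, drop_not_found=False):
    """Routes that survive import policy; Invalid is always dropped."""
    kept = []
    for route, origin_as in routes:
        state = validate(route, origin_as)
        if state == "Valid" or (state == "NotFound" and not drop_not_found):
            kept.append(route)
    return kept

# Constructed table: the aggregate from the thread, a signed route, a
# wrong-origin route inside signed space, and a legitimate route with no ROA.
ROUTES = [
    ("2000::/12", 3356),
    ("2001:db8::/32", 64496),
    ("2001:db8:1::/48", 64499),
    ("3fff:100::/32", 64500),
]

if __name__ == "__main__":
    for route, asn in ROUTES:
        print(route, asn, validate(route, asn))
    print("drop Invalid only:", accepted(ROUTES))
    print("drop NotFound too:", accepted(ROUTES, drop_not_found=True))
```

Dropping NotFound removes the /12, but it also removes the unsigned legitimate route, which is the trade-off the replies in this thread point at.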


RE: AS3356 Announcing 2000::/12

2022-12-07 Thread Ryan Hamel
These as well:

3257 3356
3491 3356

They probably leaked a hold down route.

Ryan Hamel

-Original Message-
From: Christopher Morrow  
Sent: Wednesday, December 7, 2022 8:48 PM
To: r...@rkhtech.org
Cc: nanog@nanog.org
Subject: Re: AS3356 Announcing 2000::/12

On Wed, Dec 7, 2022 at 11:25 PM Ryan Hamel  wrote:
>
> AS3356 has been announcing 2000::/12 for about 3 hours now, an aggregate 
> covering over 23K prefixes (just over 25%) of the IPv6 DFZ.
>
>

interesting that this is leaking outside supposed RPKI OV boundaries as well.
For example:
  6762 3356
  2914 3356
  174 3356 (apologies to 174, I forget if they signed up to the 'doin ov now' 
plan)



Re: AS3356 Announcing 2000::/12

2022-12-07 Thread Christopher Morrow
On Wed, Dec 7, 2022 at 11:25 PM Ryan Hamel  wrote:
>
> AS3356 has been announcing 2000::/12 for about 3 hours now, an aggregate 
> covering over 23K prefixes (just over 25%) of the IPv6 DFZ.
>
>

interesting that this is leaking outside supposed RPKI OV boundaries as well.
For example:
  6762 3356
  2914 3356
  174 3356 (apologies to 174, I forget if they signed up to the 'doin
ov now' plan)