These as well: 3257 3356 3491 3356 They probably leaked a hold down route. Ryan Hamel -----Original Message----- From: Christopher Morrow <morrowc.lists@gmail.com> Sent: Wednesday, December 7, 2022 8:48 PM To: ryan@rkhtech.org Cc: nanog@nanog.org Subject: Re: AS3356 Announcing 2000::/12 On Wed, Dec 7, 2022 at 11:25 PM Ryan Hamel <administrator@rkhtech.org> wrote:

AS3356 has been announcing 2000::/12 for about 3 hours now, an aggregate covering over 23K prefixes (just over 25%) of the IPv6 DFZ.

interesting that this is leaking outside supposed RPKI OV boundaries as well. For example: 6762 3356 2914 3356 174 3356 (apologies to 174, I forget if they signed up to the 'doin ov now' plan)

That would be a nice start :-) On Thu, Dec 8, 2022 at 6:45 AM Heasley <heas@shrubbery.net> wrote:

Am 12/7/22 um 22:25 schrieb Don Beal <don@depref.net>:

 How can RPKI / OV prevent such a leak when there is no ROA for 2000::/12,

If all ASes participated, no „unknowns“, unknowns could be dropped, ….

On Thu, Dec 8, 2022 at 9:35 AM Randy Bush <randy@psg.com> wrote:

while i think the announcement is, shall we say, embarrassing, i do not see how it would be damaging. real/correct announcements would be for longer prefixes, yes?

randy

Putting on a probably-overly-paranoid hat for a moment... If I announce 2000::/12, seemingly as an innocent error, it won't break most people's routing, and is likely to be simply chalked up as a copy-paste error, or other human "oops". But if I happen to be running a promiscuous packet capture on a box that the "erroneous" routing table entry ultimately resolves to, I warrant there's a certain amount of legitimate packet streams I could collect here and there, any time a router processes a WITHDRAW update message for a more specific prefix within the range, before a new ANNOUNCE update message is processed. I'm not going to get a great deal of information, as most simple prefix updates happen within the same update message; but during periods of higher internal churn in a network, you may have brief periods during which the more specific route is withdrawn before being re-announced, during which I'd be able to harvest packets destined for other networks. As I said--I'm probably being overly paranoid, but I can't help but wonder what packets such a collector might see, if left to run for a week or two... ^_^; Thanks! Matt

The Internet delivers when we need it the most! :-) https://is2000slash12announcedagain.com/ Props to Ben Cartwright-Cox

On Thu, Dec 8 2022 at 12:38 PM, Job Snijders <nanog@nanog.org> wrote: Hi all,

On Wed, Dec 07, 2022 at 08:24:54PM -0800, Ryan Hamel wrote:

AS3356 has been announcing 2000::/12 for about 3 hours now, an aggregate covering over 23K prefixes (just over 25%) of the IPv6 DFZ.

A few months ago I wrote: "Frequently Asked Questions about 2000::/12 and related routing errors":

https://www.ripe.net/ripe/mail/archives/routing-wg/2022-July/004588.html

Oh, that's a nice write-up. I must admit that it didn't occur to me that e.g 2000::/12 was likely something much more specific, but that someone missed the (probably) 6, 7, or 8 at the end, even though I've done this a few times myself… W

Kind regards,

Job

I know of a few people in a Discord that filter out anything bigger than /16 routes, would this be wise to implement as a best practice?

once upon a time, a very large provider took two /8s and announced as a /7. a vendor who thought a /8 was as short as they would ever see had routers fall over in a receiving large provider. do not hard code social theories. remember 640k. randy