nanog mailing list archives

Re: Newbie Needs Help: someone is announcing less-specific IPv6 (BGP) route on top of me

From: Ties de Kock via NANOG <nanog () lists nanog org>
Date: Sat, 30 Aug 2025 16:34:17 +0200

I looked at some RIS (and routeviews) MRT data.

First I looked at BGP updates:
* There were no BGP updates captured by RIPE RIS between
2025-08-12..2025-08-26
 for 2400::/12.
* The largest prefix in 2400::/12 for which updates/withdraws were seen in
that
 period was 2400:2000::/20.

When I look at the combined RIS+routeviews RIBS at 08:00 UTC on 2025-08-30,
these are the largest prefixes in 2400::/12 and their visibility:

┌────────────────┬────────────┐
│     prefix     │ visibility │
│                │   (peers)  │
├────────────────┼────────────┤
│ 2400:2000::/20 │        689 │
│ 2400:4000::/22 │        690 │
│ 2400:6280::/30 │        268 │
│ 2400:7b80::/30 │        799 │
│ 2400:a840::/31 │        795 │
│ 2400:a842::/31 │        795 │
│ 2400:a844::/31 │        795 │
│ 2400:a846::/31 │        795 │
│ 2400:a848::/31 │        795 │
│ 2400:a84a::/31 │        795 │
│ 2400:a84c::/31 │        795 │
│ 2400:a84e::/31 │        795 │
│ 2400:a980::/29 │        777 │
│ 2400:ca00::/28 │        792 │
│ 2400:d800::/30 │        780 │
│ 2400:d800::/31 │        780 │
│ 2400:dd00::/28 │        693 │

If 2400::/12 was widely visible, it indicates a gap in the coverage of
routeviews and RIS. I can’t speak for routeviews, but as RIS project we
would
be very happy to add peers that cover such a blindspot.

We want to make data analysis like I just did easier. We have a prototype
for a
new way to search in MRT data. It started as an internal research/debugging
aid,
but we want to start releasing pre-processed data soon.

If things work out I will do a talk on this at the next RIPE and NANOG
meetings
on this way to search in BGP data - the talk is about to be submitted.

Kind regards,

Ties

On Sat, 30 Aug 2025 at 14:56, Tom Beecher via NANOG <nanog () lists nanog org>
wrote:

According to RIPEStat, 2400::/12 hasn't been seen since Oct 2023, from
AS13030 (Init7).

I also cannot seem to see any recent announcement of that anywhere in the
usual sources, or my internal data. I would say this was an error on
Qrator's part.

In that case, what more do I must do?


Although it didn't seem to happen here, best practice is to always announce
100% of your allocated IPs at all times.  This provides protection against
someone announcing an umbrella and pulling traffic for any uncovered space.
It's not perfect , but protects against general stupid.

On Sat, Aug 30, 2025 at 2:59 AM Pirawat WATANAPONGSE via NANOG <
nanog () lists nanog org> wrote:

Dear Gurus,


Radar tool by Qrator [Reference: https://radar.qrator.net ] claims that
Zenlayer Inc. [AS4229] is “umbrella-ing” me by announcing ‘2400::/12’ on
top of my more-specific address block.
The tool classifies it as a type of hijacking.
[Disclaimer: apologies to Zenlayer if you didn’t do it; but that’s the
information I received]
My neighboring organization also has a more-specific block that falls

under

The Umbrella too.

However, other tools (https://stat.ripe.net ,
https://irrexplorer.nlnog.net
, https://bgp.he.net , etc.) seem unable to see that particular
announcement.

Questions:
1. Is Qrator claim true? (because I have already tried but cannot verify)
2. If so, should I be concerned?
Even though I already ROA-ed *and* IRR-ed my own block, but if “the other
end” doesn’t validate, it won’t do any good, correct?
(Oh, yeah, the other end also has to somehow “not see” my longer-prefix.
But that can happen as well, no?)
3. In that case, what more do I must do?

I would extremely appreciate someone helping me out on this matter.


Best Regards,

Pirawat.
_______________________________________________
NANOG mailing list

https://lists.nanog.org/archives/list/nanog () lists nanog org/message/GT2M54NGQQHRE7IU63ECEOMVTGH7FRIW/
_______________________________________________
NANOG mailing list

https://lists.nanog.org/archives/list/nanog () lists nanog org/message/47LPGUEA2E2LV3RIRZGEF35KC6SPQ53L/

_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/FCMDVDY6D3WVWQC4GYNZIBTTNOHDIGHD/

Current thread:

Newbie Needs Help: someone is announcing less-specific IPv6 (BGP) route on top of me Pirawat WATANAPONGSE via NANOG (Aug 29)
- Re: Newbie Needs Help: someone is announcing less-specific IPv6 (BGP) route on top of me Marco Moock via NANOG (Aug 30)
- Re: Newbie Needs Help: someone is announcing less-specific IPv6 (BGP) route on top of me Tom Beecher via NANOG (Aug 30)
  - Re: Newbie Needs Help: someone is announcing less-specific IPv6 (BGP) route on top of me Mel Beckman via NANOG (Aug 30)
  - Re: Newbie Needs Help: someone is announcing less-specific IPv6 (BGP) route on top of me Ties de Kock via NANOG (Aug 30)
    - Re: Newbie Needs Help: someone is announcing less-specific IPv6 (BGP) route on top of me Matthew Petach via NANOG (Aug 30)
- Re: Newbie Needs Help: someone is announcing less-specific IPv6 (BGP) route on top of me nanog--- via NANOG (Aug 30)
  - Re: Newbie Needs Help: someone is announcing less-specific IPv6 (BGP) route on top of me Marco Moock via NANOG (Aug 30)
  - Re: Newbie Needs Help: someone is announcing less-specific IPv6 (BGP) route on top of me Tom Beecher via NANOG (Aug 30)