nanog mailing list archives

Re: Newbie Needs Help: someone is announcing less-specific IPv6 (BGP) route on top of me

From: Matthew Petach via NANOG <nanog () lists nanog org>
Date: Sat, 30 Aug 2025 13:35:22 -0700

I suspect what is happening here is not as uncommon as some might think.

At one point in time, I was working for a network that was concerned about
table size growth on some of its older routers.
To alleviate those concerns, large aggregate routes were installed
internally sending regionalized prefix blocks towards their respective
portions of the planet.
IE, APNIC allocated ranges from IANA were pointed towards the APAC portion
of the network, RIPE allocations were pointed towards Europe, and then more
specifics were filtered out from iBGP at the cross-continental route
reflectors.  This worked fairly well for filtering out smaller prefixes
while still more or less keeping routes flowing in the right directions.

Then we started feeding routes to a routing intelligence platform; they
wanted a full feed of all our routes, not just our normal export list of
our customer cone.
So, we gave them a full feed of everything--which included the internal
traffic engineering super-aggregates that were used to steer traffic
internally.

The prefixes in question were never used for anything other than general
steering of traffic at trans-oceanic crossings, and were never announced
externally (other than to the routing intelligence platform), and thus were
never in a position to 'hijack' any traffic.  But they did indeed show up
when people dug through prefix information on the routing intelligence
platform.

You might be seeing similar artifacts here; internal traffic engineering
routes that aren't announced externally on any data-carrying links, but
that are being exported to a RIB-monitoring service only.

I wouldn't worry too much; unless there's a Pakistan/Youtube or AS7007
level leakage from the network in question, your traffic won't ever be
impacted by those RIB entries.

Matt

On Sat, Aug 30, 2025 at 7:34 AM Ties de Kock via NANOG <
nanog () lists nanog org> wrote:

I looked at some RIS (and routeviews) MRT data.

First I looked at BGP updates:
* There were no BGP updates captured by RIPE RIS between
2025-08-12..2025-08-26
 for 2400::/12.
* The largest prefix in 2400::/12 for which updates/withdraws were seen in
that
 period was 2400:2000::/20.

When I look at the combined RIS+routeviews RIBS at 08:00 UTC on 2025-08-30,
these are the largest prefixes in 2400::/12 and their visibility:

┌────────────────┬────────────┐
│     prefix     │ visibility │
│                │   (peers)  │
├────────────────┼────────────┤
│ 2400:2000::/20 │        689 │
│ 2400:4000::/22 │        690 │
│ 2400:6280::/30 │        268 │
│ 2400:7b80::/30 │        799 │
│ 2400:a840::/31 │        795 │
│ 2400:a842::/31 │        795 │
│ 2400:a844::/31 │        795 │
│ 2400:a846::/31 │        795 │
│ 2400:a848::/31 │        795 │
│ 2400:a84a::/31 │        795 │
│ 2400:a84c::/31 │        795 │
│ 2400:a84e::/31 │        795 │
│ 2400:a980::/29 │        777 │
│ 2400:ca00::/28 │        792 │
│ 2400:d800::/30 │        780 │
│ 2400:d800::/31 │        780 │
│ 2400:dd00::/28 │        693 │

If 2400::/12 was widely visible, it indicates a gap in the coverage of
routeviews and RIS. I can’t speak for routeviews, but as RIS project we
would
be very happy to add peers that cover such a blindspot.

We want to make data analysis like I just did easier. We have a prototype
for a
new way to search in MRT data. It started as an internal research/debugging
aid,
but we want to start releasing pre-processed data soon.

If things work out I will do a talk on this at the next RIPE and NANOG
meetings
on this way to search in BGP data - the talk is about to be submitted.

Kind regards,

Ties

On Sat, 30 Aug 2025 at 14:56, Tom Beecher via NANOG <nanog () lists nanog org

wrote:

According to RIPEStat, 2400::/12 hasn't been seen since Oct 2023, from
AS13030 (Init7).

I also cannot seem to see any recent announcement of that anywhere in the
usual sources, or my internal data. I would say this was an error on
Qrator's part.

In that case, what more do I must do?


Although it didn't seem to happen here, best practice is to always

announce

100% of your allocated IPs at all times.  This provides protection

against

someone announcing an umbrella and pulling traffic for any uncovered

space.

It's not perfect , but protects against general stupid.

On Sat, Aug 30, 2025 at 2:59 AM Pirawat WATANAPONGSE via NANOG <
nanog () lists nanog org> wrote:

Dear Gurus,


Radar tool by Qrator [Reference: https://radar.qrator.net ] claims

that

Zenlayer Inc. [AS4229] is “umbrella-ing” me by announcing ‘2400::/12’

on

top of my more-specific address block.
The tool classifies it as a type of hijacking.
[Disclaimer: apologies to Zenlayer if you didn’t do it; but that’s the
information I received]
My neighboring organization also has a more-specific block that falls

under

The Umbrella too.

However, other tools (https://stat.ripe.net ,
https://irrexplorer.nlnog.net
, https://bgp.he.net , etc.) seem unable to see that particular
announcement.

Questions:
1. Is Qrator claim true? (because I have already tried but cannot

verify)

2. If so, should I be concerned?
Even though I already ROA-ed *and* IRR-ed my own block, but if “the

other

end” doesn’t validate, it won’t do any good, correct?
(Oh, yeah, the other end also has to somehow “not see” my

longer-prefix.

But that can happen as well, no?)
3. In that case, what more do I must do?

I would extremely appreciate someone helping me out on this matter.


Best Regards,

Pirawat.
_______________________________________________
NANOG mailing list

https://lists.nanog.org/archives/list/nanog () lists nanog org/message/GT2M54NGQQHRE7IU63ECEOMVTGH7FRIW/

_______________________________________________
NANOG mailing list

https://lists.nanog.org/archives/list/nanog () lists nanog org/message/47LPGUEA2E2LV3RIRZGEF35KC6SPQ53L/
_______________________________________________
NANOG mailing list

https://lists.nanog.org/archives/list/nanog () lists nanog org/message/FCMDVDY6D3WVWQC4GYNZIBTTNOHDIGHD/

_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/AL3VTHRLCHAXEPF5HSYIM27XF6PXMYIE/

Current thread:

Newbie Needs Help: someone is announcing less-specific IPv6 (BGP) route on top of me Pirawat WATANAPONGSE via NANOG (Aug 29)
- Re: Newbie Needs Help: someone is announcing less-specific IPv6 (BGP) route on top of me Marco Moock via NANOG (Aug 30)
- Re: Newbie Needs Help: someone is announcing less-specific IPv6 (BGP) route on top of me Tom Beecher via NANOG (Aug 30)
  - Re: Newbie Needs Help: someone is announcing less-specific IPv6 (BGP) route on top of me Mel Beckman via NANOG (Aug 30)
  - Re: Newbie Needs Help: someone is announcing less-specific IPv6 (BGP) route on top of me Ties de Kock via NANOG (Aug 30)
    - Re: Newbie Needs Help: someone is announcing less-specific IPv6 (BGP) route on top of me Matthew Petach via NANOG (Aug 30)
- Re: Newbie Needs Help: someone is announcing less-specific IPv6 (BGP) route on top of me nanog--- via NANOG (Aug 30)
  - Re: Newbie Needs Help: someone is announcing less-specific IPv6 (BGP) route on top of me Marco Moock via NANOG (Aug 30)
  - Re: Newbie Needs Help: someone is announcing less-specific IPv6 (BGP) route on top of me Tom Beecher via NANOG (Aug 30)