You are here: Home > Publications > RIPE Labs > Mirjam Kühne > IPv6 Darknet Experiment

IPv6 Darknet Experiment

Mirjam Kühne — 01 Nov 2012
Contributors: Daniel Karrenberg
Similar to an experiment done for IPv4 address space, Merit is now performing a darknet experiment with the IPv6 ranges that have been allocated to the RIRs. This also includes prefixes allocated to the RIPE NCC.

16 November 2012: Responding to concerns from IPv6 address space users, we have requested Merit to replace the 2A00::/12 announcement with announcements for currently unallocated address space: 2a04::/14 and 2a08::/13.


Similar to the darknet experiment Merit performed for various IPv4 ranges allocated to the RIRs (see First Impressions of Pollution in Two RIPE NCC Darknets ), MERIT is now performing a darknet experiment for the IPv6 ranges allocated to the RIRs. The RIPE NCC has authorised Merit to temporarily use and announce 2a00::/12 which was allocated to the RIPE NCC by the IANA.

As part of this experiment, MERIT will announce every /12 allocated to each RIR first sequentially and then together. These announcements will each last one week starting on 1 November 2012. You can find more information about this experiment on the Merit web site .

This effort is a follow-up of the work performed by Geoff Huston, Chief Scientist at APNIC for different regions in order to understand any regional variations that might exist (see Traffic in Network and and Traffic in ). The goal is to collect any unwanted traffic in the darknet of the experiment.

Together with MERIT and Geoff Huston, the RIPE NCC will analyse the data and results will be published here on RIPE Labs. We will also have access to the data in case further analysis is warranted.


Mirjam Kühne says:
09 Nov, 2012 10:53 AM
We received reports from people getting alert emails from the Resource Certification (RPKI) service. The alerting system can warn you if some of your certified address space has the RPKI validity "Unknown" or "Invalid".

The warning will look something like this:

> There are alerts about BGP announcements with your certified address
> space in the Resource Certification (RPKI) service.
> These are BGP announcements with your certified address space that have
> the status Unknown. You should create a ROA for each authorised
> announcement to make them Valid:
> AS Number Prefix
> AS237 2a00::/12
> You are able to fix and ignore reported issues, change your alert
> settings, or unsubscribe by visiting

In this case, the alert is triggered for LIRs who hold an IPv6 address block, but do not announce (all of) it. The *unannounced* address space is being "hijacked" by MERIT as part of its darknet experiment.

If you have received the alert, your certified, unannounced IPv6 prefix is hijacked by AS237 because 2a00::/12 is the most specific announcement that overlaps with it. There are two things you can do:

1. Announce *all* of the IPv6 address space you hold. This way AS237 cannot hijack your prefix with a less specific announcement.
2. Suppress the alert for the announcement from AS237 in the Resource Certification (RPKI) system in the LIR Portal.

Please note that the RPKI alerting system uses the RIPE NCC Route Collectors to trigger the errors, so there may be slight differences between what they see and what you actually do.
Luci Stanescu says:
14 Nov, 2012 05:44 PM
Hi Mirjam,

After receiving the RPKI alerts and e-mailing Merit, I was pointed to this page. Unfortunately, I don't see the 2a00::/12 announcement in the RPKI interface, so I can't suppress the alerts.
Alex Band says:
15 Nov, 2012 10:17 AM
According to RIPE Stat, Merit stopped announcing the prefix:[resource]=2a00%3A%3A%2F12

"It was last seen on 2012-11-13 16:00:00Z, announced by AS237."

That would be the reason you can no longer see it in the RPKI interface. You also shouldn't be getting an alert email tonight.
Add comment

You can add a comment by filling out the form below. Comments are moderated so they won't appear immediately. If you have a RIPE NCC Access account, we would like you to log in.