IPv6 Darknet Experiment

Mirjam Kühne — Nov 01, 2012 04:40 PM
Contributors: Daniel Karrenberg
Similar to an experiment done for IPv4 address space, Merit is now performing a darknet experiment with the IPv6 ranges that have been allocated to the RIRs. This also includes prefixes allocated to the RIPE NCC.

16 November 2012: Responding to concerns from IPv6 address space users, we have requested Merit to replace the 2A00::/12 announcement with announcements for currently unallocated address space: 2a04::/14 and 2a08::/13.

 

Similar to the darknet experiment Merit performed for various IPv4 ranges allocated to the RIRs (see First Impressions of Pollution in Two RIPE NCC Darknets), Merit is now performing a darknet experiment for the IPv6 ranges allocated to the RIRs. The RIPE NCC has authorised Merit to temporarily use and announce 2a00::/12, which was allocated to the RIPE NCC by the IANA.

As part of this experiment, Merit will announce every /12 allocated to each RIR, first sequentially and then together. These announcements will each last one week, starting on 1 November 2012. You can find more information about this experiment on the Merit web site.

This effort is a follow-up, for different regions, of the work performed by Geoff Huston, Chief Scientist at APNIC, in order to understand any regional variations that might exist (see Traffic in Network 14.0.0.0/8 and 223.0.0.0/8 and Traffic in 1.0.0.0/8). The goal is to collect any unwanted traffic that arrives in the experiment's darknet.

Together with Merit and Geoff Huston, the RIPE NCC will analyse the data, and the results will be published here on RIPE Labs. We will also have access to the data in case further analysis is warranted.

3 Comments

Mirjam Kühne says:
Nov 09, 2012 10:53 AM
We received reports from people getting alert emails from the Resource Certification (RPKI) service. The alerting system can warn you if some of your certified address space has the RPKI validity "Unknown" or "Invalid".

The warning will look something like this:

> There are alerts about BGP announcements with your certified address
> space in the Resource Certification (RPKI) service.
>
> These are BGP announcements with your certified address space that have
> the status Unknown. You should create a ROA for each authorised
> announcement to make them Valid:
>
> AS Number Prefix
> AS237 2a00::/12
>
> You are able to fix and ignore reported issues, change your alert
> settings, or unsubscribe by visiting http://certification.ripe.net/.

In this case, the alert is triggered for LIRs who hold an IPv6 address block, but do not announce (all of) it. The *unannounced* address space is being "hijacked" by MERIT as part of its darknet experiment.

If you have received the alert, your certified, unannounced IPv6 prefix is hijacked by AS237 because 2a00::/12 is the most specific announcement that overlaps with it. There are two things you can do:

1. Announce *all* of the IPv6 address space you hold. This way AS237 cannot hijack your prefix with a less specific announcement.
2. Suppress the alert for the announcement from AS237 in the Resource Certification (RPKI) system in the LIR Portal.

Please note that the RPKI alerting system uses the RIPE NCC Route Collectors to trigger the errors, so there may be slight differences between what they see and what you actually do.
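
The situation described in the comment above, as an added example that is not part of the original comment or of the RPKI service's code: it finds the parts of a certified holding that the holder does not announce, looks up the most specific announcement covering each gap, and computes that announcement's RPKI state using the RFC 6811 origin-validation rules. Only 2a00::/12 and AS237 come from the page; the holding 2a00:aaaa::/32, AS64500 and the ROA are constructed sample values.

```python
import ipaddress

# Constructed sample data: only 2a00::/12 and AS237 come from the page.
HOLDING = "2a00:aaaa::/32"              # hypothetical certified LIR allocation
OWN_ASN = 64500                         # documentation AS number
ROAS = [("2a00:aaaa::/32", 33, 64500)]  # (prefix, maxLength, origin AS)
DARKNET = [("2a00::/12", 237)]

def net(p):
    return ipaddress.ip_network(p)

def rov_state(prefix, origin, roas):
    """RFC 6811 origin validation; the RFC's NotFound is shown as Unknown."""
    route = net(prefix)
    covering = [r for r in roas if route.subnet_of(net(r[0]))]
    if not covering:
        return "Unknown"
    ok = any(asn == origin and route.prefixlen <= mx for _, mx, asn in covering)
    return "Valid" if ok else "Invalid"

def gaps(holding, own_prefixes):
    """Parts of the holding that the holder's own announcements leave uncovered."""
    remaining = [net(holding)]
    for ann in map(net, own_prefixes):
        nxt = []
        for r in remaining:
            if r.subnet_of(ann):
                continue                      # fully announced
            if ann.subnet_of(r):
                nxt.extend(r.address_exclude(ann))
            else:
                nxt.append(r)
        remaining = nxt
    return sorted(str(r) for r in remaining)

def best_route(target, table):
    """Longest-prefix match: most specific announcement covering target."""
    cover = [(p, asn) for p, asn in table if net(target).subnet_of(net(p))]
    return max(cover, key=lambda c: net(c[0]).prefixlen, default=None)

def report(holding, own_asn, own_prefixes, others, roas):
    """For each unannounced gap: (covering prefix, origin AS, RPKI state)."""
    table = others + [(p, own_asn) for p in own_prefixes]
    out = {}
    for gap in gaps(holding, own_prefixes):
        hit = best_route(gap, table)
        out[gap] = hit and (hit[0], hit[1], rov_state(hit[0], hit[1], roas))
    return out

if __name__ == "__main__":
    print(report(HOLDING, OWN_ASN, ["2a00:aaaa::/33"], DARKNET, ROAS))
    print(report(HOLDING, OWN_ASN, [HOLDING], DARKNET, ROAS))
```

The ROA on the /32 does not cover the shorter /12, so the covering announcement stays Unknown rather than becoming Invalid; the gap only disappears once the whole holding is announced.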
Luci Stanescu says:
Nov 14, 2012 05:44 PM
Hi Mirjam,

After receiving the RPKI alerts and e-mailing Merit, I was pointed to this page. Unfortunately, I don't see the 2a00::/12 announcement in the RPKI interface, so I can't suppress the alerts.
Alex Band says:
Nov 15, 2012 10:17 AM
According to RIPE Stat, Merit stopped announcing the prefix:


https://stat.ripe.net/widget/routing-status#w[resource]=2a00%3A%3A%2F12

"It was last seen on 2012-11-13 16:00:00Z, announced by AS237."

That would be the reason you can no longer see it in the RPKI interface. You also shouldn't be getting an alert email tonight.