Investigation Of Suspect Routes
A problem was recently reported to us regarding a suspicious route object that perhaps should not have been in the RIPE Database.
What was the problem?
There was a bug in the authorisation code for checking route creations. The first check is for an exact match route.
If there is one we check if it has a mnt-routes. If it does we use this mntner for the authorisation.
If there is no mnt-routes we use the mnt-by of the exact match route.
If there is no exact match route we next look for a less specific route. If there is one we check if it has a mnt-routes or mnt-lower. If it does we use this mntner for the authorisation. If there is no mnt-routes or mnt-lower we use the mnt-by of the less specific route.
The bug was that we were not doing the check against the mnt-by in either of the cases above. So if there was either an exact match or less specific route, and this did not have either mnt-lower or mnt-routes, then authorisation was passed. This allowed some routes to be created that should have failed when checked against the mnt-by.
This bug has now been fixed, but there may be a number of route objects in the RIPE Database now that should not be there.
How have we analysed this situation?
We have taken all route creation updates messages from Apr 23 2001 and re-run them on a snapshot of the RIPE Database. We ran them in reverse date order, ie taking the most recent creation first. The object was deleted from the snapshot, then the update message was run and we tested for sucessful creation. Then we deleted the object from the snapshot again so it would not influence the earlier creations. We worked back through all the route creations and built up a list of suspect routes that failed to be re-created.
We call these suspect routes and not illegal routes as we do not know at this stage if there are valid routes or were created as a result of the bug.
We selected a handful at random and manually investigated the reason why the creation failed. Some of them did fail because of the bug and these route objects should not be in the RIPE Database. Others, however, had good reasons why they failed and are in fact perfectly valid route objects. I won't go through all the reasons we found for a valid route failing, but will give just one example.
A route creation could have failed because it no longer passes the authorisation of the maintainer used to protect the origin AS object. Looking through the history of the AS object and it's maintainer we could see that the authorisation method in use at the time of the original route creation woul