Investigation Of Suspect Routes
A problem was recently reported to us regarding a suspicious route object that perhaps should not have been in the RIPE Database.
What was the problem?
There was a bug in the authorisation code for checking route creations. The first check is for an exact match route.
If there is one we check if it has a mnt-routes. If it does we use this mntner for the authorisation.
If there is no mnt-routes we use the mnt-by of the exact match route.
If there is no exact match route we next look for a less specific route. If there is one we check if it has a mnt-routes or mnt-lower. If it does we use this mntner for the authorisation. If there is no mnt-routes or mnt-lower we use the mnt-by of the less specific route.
The bug was that we were not doing the check against the mnt-by in either of the cases above. So if there was either an exact match or less specific route, and this did not have either mnt-lower or mnt-routes, then authorisation was passed. This allowed some routes to be created that should have failed when checked against the mnt-by.
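The maintainer selection described above, with and without the mnt-by check, as an added example that is not the RIPE Database code. It models only the route object part of the check; the data layout, the function names, the "presented" set of maintainers the update authenticated as, and the choice of the closest less specific route are assumptions of this sketch.

```python
import ipaddress

# Constructed sample data: documentation prefixes, made-up maintainer names.
DB = [
    {"route": "192.0.2.0/24", "mnt-by": ["OWNER-A-MNT"]},
    {"route": "198.51.100.0/24", "mnt-by": ["OWNER-B-MNT"],
     "mnt-lower": ["LOWER-B-MNT"]},
]

def covering_route(db, prefix):
    """Return (kind, route): exact match first, else a less specific route.

    Picking the closest less specific route is an assumption of this sketch.
    """
    net = ipaddress.ip_network(prefix)
    nets = [(ipaddress.ip_network(r["route"]), r) for r in db]
    for n, r in nets:
        if n == net:
            return "exact", r
    less = [(n, r) for n, r in nets
            if n.prefixlen < net.prefixlen and net.subnet_of(n)]
    if less:
        return "less-specific", max(less, key=lambda p: p[0].prefixlen)[1]
    return None, None

def required_mntners(kind, route, check_mnt_by):
    """Maintainers the creation must authenticate against."""
    chosen = list(route.get("mnt-routes", []))
    if kind == "less-specific":
        chosen += route.get("mnt-lower", [])
    if not chosen and check_mnt_by:
        chosen = list(route["mnt-by"])  # the fallback the bug skipped
    return chosen

def creation_authorised(db, prefix, presented, fixed=True):
    """presented: set of mntner names the update authenticated as (hypothetical)."""
    kind, route = covering_route(db, prefix)
    if route is None:
        return None  # no exact or less specific route: not described on the page
    needed = required_mntners(kind, route, check_mnt_by=fixed)
    if not needed:
        return True  # buggy path: nothing to check, so authorisation passed
    return any(m in presented for m in needed)
```

Calling creation_authorised with fixed=False reproduces the behaviour described for the bug: a creation under 192.0.2.0/24, which has only mnt-by, passes for any maintainer, while one under 198.51.100.0/24 is still checked against its mnt-lower.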
This bug has now been fixed, but there may be a number of route objects in the RIPE Database now that should not be there.
How have we analysed this situation?
We have taken all route creation update messages from Apr 23 2001 and re-run them on a snapshot of the RIPE Database. We ran them in reverse date order, i.e. taking the most recent creation first. The object was deleted from the snapshot, then the update message was run and we tested for successful creation. Then we deleted the object from the snapshot again so it would not influence the earlier creations. We worked back through all the route creations and built up a list of suspect routes that failed to be re-created.
We call these suspect routes and not illegal routes as we do not know at this stage if they are valid routes or were created as a result of the bug.
We selected a handful at random and manually investigated the reason why the creation failed. Some of them did fail because of the bug and these route objects should not be in the RIPE Database. Others, however, had good reasons why they failed and are in fact perfectly valid route objects. I won't go through all the reasons we found for a valid route failing, but will give just one example.
A route creation could have failed because it no longer passes the authorisation of the maintainer used to protect the origin AS object. Looking through the history of the AS object and its maintainer we could see that the authorisation method in use at the time of the original route creation would have authorised this creation. But this authorisation has been changed in the AS object's maintainer AFTER the route was created. So AT THE TIME of the original route creation it was valid. But as we have simply re-run the original update message which contained the earlier authorisation, it now failed.
There are too many of these suspect routes for us to check them all manually. We therefore need your help to find the actual invalid routes.
What information have we sent to you?
We have analysed all the suspect routes and grouped them into lists that can be more easily checked by you. We have looked for the encompassing object for each of the suspect routes. This may be a less specific route, or an exact match or less specific inetnum object. We then found the maintainers in each of these encompassing objects (mnt-by, mnt-lower and mnt-routes). The suspect routes have been grouped under each of these maintainers. If you are listed as a contact in one of these maintainers, we have sent to you a list of suspect routes, together with a list of encompassing objects for these suspect routes that are maintained by this maintainer.
We apologise if you have received multiple mailings, but separate lists have been compiled for maintainers listed as mnt-by, mnt-lower and mnt-routes. The lists in each of these cases may not be exactly the same. If you received more than one email please check each list.
What do we want you to do with this information?
We would like you to check the list(s) of suspect routes that we sent to you and determine if you believe any of them should not be in the RIPE Database. If you find any that you believe should not be in the RIPE Database and you are able to delete them yourself, then please delete them. If they are not maintained by yourselves, then please ask your downstream customers to delete them. If you are not able to delete them you will need to contact RIPE Database Administration for assistance.
What action will we take after you reply to us?
You may require our assistance to remove some of these routes. Send a list to RIPE Database Administration of the routes that you believe should not be in the RIPE Database but you are not able to delete because of the protection on the route objects. As the replies come back to us we will be able to assess the scale of the problem and determine what appropriate action we need to take.